Get Ready to Pass the CPC-CDE-RECERT exam with CyberArk Latest Practice Exam
Get Prepared for Your CPC-CDE-RECERT Exam With Actual CyberArk Study Guide!
NEW QUESTION # 52
When calling the PSM Health Check Webservice to assess the state of a PSM node, which response code does a healthy node return?
- A. 503 (OK)
- B. 500 (OK)
- C. 200 (OK)
- D. 404 (OK)
Answer: C
Explanation:
CyberArk documents that the health check service returns HTTP 200 (OK) when the PSM service is healthy, and returns 503 (Service unavailable) when it is not healthy (in code-based behavior).
NEW QUESTION # 53
Arrange the steps to failover to the passive CPM in the correct sequence.
Answer:
Explanation:
Explanation:
To properly arrange the steps for failing over to a passive Central Policy Manager (CPM) in CyberArk, the sequence should be as follows:
* Validate that the active CPM's services are stopped and set to manual.Before enabling the passive CPM, ensure that the services on the active CPM are stopped. This prevents any conflicts or data corruption by making sure that only one CPM is active at a time. Setting the services to manual ensures they do not restart automatically, which is crucial during a failover scenario.
* On the passive CPM, confirm details in the Vault.ini configuration file, reset the password to the CPM user, and recreate the credential file.This step involves making sure the passive CPM has the correct configuration to seamlessly take over operations. Adjustments in the Vault.ini file may be necessary to ensure it is pointing to the correct Vault and network settings. Resetting the password and recreating the credential file are critical to secure the login and authentication process for the newly active CPM.
* Enable the CPM services on the passive CPM.Once the passive CPM is correctly configured and ready, enable its services to begin handling the tasks and responsibilities of the primary CPM. This action effectively switches the role from passive to active, enabling the passive CPM to function as the new operational manager.
* Review logs to confirm the passive CPM services are running as expected.Finally, review the system and application logs to confirm that the now-active CPM is operating correctly and that all services have started without errors. This step is vital for verifying that the failover process was successful and that the system is stable.
Following this ordered sequence ensures a smooth transition of roles from the active CPM to the passive CPM, minimizing downtime and potential disruptions in the privileged access management operations.
NEW QUESTION # 54
What is a supported certificate format for retrieving the LDAPS certificate when not using the Cyberark provided LDAPS certificate tool?
- A. .p7b
- B. p7c
- C. p12
- D. .der
Answer: D
Explanation:
For retrieving the LDAPS certificate when not using the CyberArk provided LDAPS certificate tool, the supported certificate format is .der. The DER (Distinguished Encoding Rules) format is a binary form of a certificate rather than the ASCII PEM format. This format is widely supported across various systems for securing LDAP connections by providing a mechanism for LDAP servers to authenticate themselves to users.
This information can be verified by checking LDAP configuration guides and CyberArk's secure implementation documentation which outline supported certificate formats for LDAP integrations.
NEW QUESTION # 55
Which authentication methods does PSM for SSH support? (Choose 2.)
- A. OIDC
- B. SAML
- C. MFA Caching
- D. Client Authentication Certificate
- E. RADIUS
Answer: D,E
Explanation:
PSM for SSH supports various authentication methods, specifically focusing on secure and verified access mechanisms. The supported methods include:
* RADIUS (D): Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. PSM for SSH utilizes RADIUS to authenticate SSH sessions, which adds an additional layer of security by centralizing authentication requests to a RADIUS server.
* Client Authentication Certificate (E): This method uses certificates for authentication, where a client presents a certificate that the server verifies against known trusted certificates. This type of authentication is highly secure as it ensures that both parties involved in the communication are precisely who they claim to be, making it suitable for environments that require stringent security measures.
These methods provide robust security options for SSH sessions managed through CyberArk's PSM, ensuring that only authorized users can access critical systems.
NEW QUESTION # 56
What is the default username for the PSM for SSH maintenance user?
- A. proxyusr
- B. psmpmaintenanceuser
- C. psmp_maintenance
- D. proxymng
Answer: D
Explanation:
https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/administrating-the-psmp.
htm#Createamaintenanceuser
NEW QUESTION # 57
How can a platform be configured to work with load-balanced PSMs?
- A. Include details of the PSMs with load balancing in the Basic_psm.ini file on each PSM server.
- B. Use the Privilege Cloud Portal to update the Session Management settings for the platform in the Master Policy.
- C. Create a new PSM definition that targets the load balancer IP address and assign to the platform.
- D. Remove all entries from configured PSM Servers except for the ID of the PSMs with load balancing.
Answer: C
Explanation:
To configure a platform to work with load-balanced Privileged Session Managers (PSMs), you should:
* Create a new PSM definition that targets the load balancer IP address and assign it to the platform (Option B). This approach involves configuring the platform settings to direct session traffic through a load balancer that distributes the load across multiple PSM servers. This is effective in environments where high availability and fault tolerance are priorities.
Reference: CyberArk's setup guidelines for high-availability environments typically recommend configuring platforms to utilize load balancers to ensure continuous availability and optimal distribution of session management tasks.
NEW QUESTION # 58
You want to enforce Multi-Factor Authentication (MFA) for all Privilege Cloud Shared Services users and require them to set up an MFA factor. How should you accomplish this?
- A. Navigate to the Identity Administration Portal's Policies section and configure the authentication policies for CyberArk Identity, adding a new authentication rule that applies with an "identity cookie" as a filter.
- B. Navigate to the Identity Administration Portal's Policies section and configure the required authentication policies for CyberArk Identity.
- C. Navigate to the Identity Administration Portal's Policies section and set the user security policy for Privilege Cloud to an authentication profile that only allows Multiple Authentication Mechanisms.
- D. Only allow SAML as the authentication method, enforce MFA on the SAML Identity Provider (IdP), and ensure users set up MFA accordingly on the IdP.
Answer: B
Explanation:
In the Shared Services model, MFA enforcement is done in CyberArk Identity / Identity Administration using Core Services > Policies:
* To enforce MFA broadly, CyberArk documents configuring MFA for all users by enabling authentication policy controls and creating/assigning an authentication profile (the mechanisms
/challenges).
* To require users to set up MFA factors, CyberArk documents the setting under User Security Policies > User Account Settings where you specify the minimum number of authentication factors users must configure upon login.
Option B is the only choice that correctly points you to the right place and activity (Identity Administration Policies to configure authentication/MFA requirements and enrollment requirements).
NEW QUESTION # 59
You are working with a customer who needs to create a new Safe Design. The customer wants to define a specific role named "Simple User" giving access to the Connect button only. Which rights should be given to this role on the Safes? (Choose two.)
- A. Use Accounts
- B. View audit log
- C. Update account properties
- D. List accounts
- E. Create folders
Answer: A,D
Explanation:
CyberArk's Safe permission definitions state:
* List accounts allows the user to view the Accounts/Files list (so they can see the account to connect to).
* Use Accounts explicitly enables the user to log on through PSM by clicking the "Connect" /
"Connect with account" button from the Accounts List or Account Details.
Therefore, the minimum Safe rights to allow "Connect only" are List accounts (C) + Use Accounts (A).
NEW QUESTION # 60
You want to change the default PSM recordings folder path on the Privilege Cloud Connector Arrange the steps to accomplish this in the correct sequence.
Answer:
Explanation:
Explanation:
To correctly change the default PSM recordings folder path on the Privilege Cloud Connector, the sequence of steps should be:
* Create a corresponding folder in the new location.Before making changes to configuration files, ensure the new directory for PSM recordings is created. This is where all session recordings will be stored moving forward.
* In the Basic_psm.ini file, set RecordingsDirectory with the new path.Update the Basic_psm.ini file to reflect the new path for the recordings. This step is crucial as it directs the PSM to start using the newly created directory for all future session recordings.
* Restart the PSM service.After updating the path in the configuration file, restart the PSM service to apply the changes. This ensures that all new sessions are recorded in the new specified location.
* Run the PSMHardening script.Once the service is restarted and the new settings are in place, run the PSMHardening script. This script ensures that all security measures are re-applied to the new recordings directory, maintaining the security integrity of the session recordings.
Following these steps in the given order will successfully change the recording directory for PSM sessions on the Privilege Cloud Connector, ensuring a smooth transition to the new storage location with all necessary security measures intact.
NEW QUESTION # 61
During CPM hardening, which locally created users are granted Logon as a Service rights in the local group policy? (Choose 2.)
- A. CPMServiceAccount
- B. PasswordManagerUser
- C. ScannerUser
- D. PluginManagerUser
- E. PasswordManager
Answer: B,C
Explanation:
https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pas%20inst/cpm-hardening-task- descriptions.htm?Highlight=cpm%20hardening%20accounts#AddsuserstoLocalgrouppolicySecuritysettings
NEW QUESTION # 62
When installing the first CPM within Privilege Cloud using the Connector Management Agent, what should you set the Installation Mode to in the CPM section?
- A. Default
- B. Passive
- C. Primary
- D. Active
Answer: D
Explanation:
When installing the first CyberArk Privilege Management (CPM) instance in the Privilege Cloud using the Connector Management Agent, the installation mode should be set to "Active". This configuration sets the CPM to be actively involved in password management and task processing without being in a standby or passive mode. Here are the step-by-step details:
* Download the Connector Management Agent: Obtain the installer from the CyberArk Marketplace or your installation kit.
* Run the Installer: Start the setup and select the CPM component to install.
* Choose Installation Mode: When prompted, select "Active" as the installation mode. This sets up the CPM as the primary node responsible for handling password management operations.
This setup ensures that the CPM is immediately active and capable of handling requests without waiting for manual intervention or failover.
Reference: CyberArk's official documentation provides guidance on setting up the CPM, where it specifies the modes and their purposes.
NEW QUESTION # 63
You have been tasked with deploying a Privilege Cloud PSM for SSH connector When the initial installation has successfully completed, you create and permission several maintenance users to be used for administering the connector.
Which configuration file must be updated to define these maintenance users?
- A. sshd.config
- B. psmpparms
- C. basic_psmpserver.conf
- D. sshd_config
Answer: D
Explanation:
The sshd_config file is the correct configuration file that must be updated to define maintenance users for administering the Privilege Cloud PSM for SSH connector. This file contains configurations for the SSH daemon, including user permissions and group settings. When adding maintenance users, their user accounts are created on the PSM server, and then they are added to the AllowGroups parameter within the sshd_config file to grant them the necessary permissions.
:
CyberArk documentation on the PSM for SSH environment1.
CyberArk Sentry guide on how to add maintenance users for SSH PSM
When deploying a Privilege Cloud PSM for SSH connector, the configuration file that must be updated to define maintenance users is "sshd_config". This file is used to configure options specific to the SSH daemon, which includes user permissions, authentication methods, and other security-related settings. To add and configure maintenance users for the PSM for SSH, you will need to modify this file to specify allowed users and their respective privileges.
Reference: The configuration of SSH-related components typically involves the "sshd_config" file, as outlined in SSH and PSM for SSH setup guides. This is a standard practice in systems that utilize SSH for secure communications and management.
NEW QUESTION # 64
The Secure Tunnel component of CyberArk Privilege Cloud connects to which services in the CyberArk Privilege Cloud? (Choose two.)
- A. https://telemetry.privilegecloud.cyberark.cloud
- B. https://update.privilegecloud.cyberark.cloud
- C. https://backend-services.privilegecloud.cyberark.cloud
- D. https://console.privilegecloud.cyberark.cloud
- E. https://connector-<subdomain>.privilegecloud.cyberark.cloud
Answer: D,E
Explanation:
CyberArk's official outbound traffic/network requirements explicitly list the two Privilege Cloud cloud- side endpoints that are required for Secure Tunnel communications (for REST/API calls over HTTPS/443):
* Backend service management (Required for Secure Tunnel): https://console.privilegecloud.
cyberark.com
* Connector (Required for Secure Tunnel): https://connector-<subdomain>.privilegecloud.cyberark.
com
These map directly to answer choices A (console) and B (connector-<subdomain>).
Note: Your options use the .cyberark.cloud domain, while CyberArk's network requirements documentation shows these endpoints in the .cyberark.com domain for Privilege Cloud. The service roles (Console + Connector endpoint) are what Secure Tunnel must reach, and those are the two "Required for Secure Tunnel" services in the official requirements.
Why the other options are not selected (based on what's "required for Secure Tunnel" in the official allowlist guidance):
* C (backend-services...): Not listed in CyberArk's published "Required for Secure Tunnel" FQDN allowlist entries (console + connector are).
* D (telemetry...): Telemetry is a separate capability (dashboards / utilization tracking) and is not documented as the required Secure Tunnel service endpoint.
* E (update...): Secure Tunnel upgrade/download processes are documented, but "update.*" is not listed as a required Secure Tunnel cloud endpoint in the outbound allowlist table.
NEW QUESTION # 65
An end user (external user account) has been removed from the Users tab in CyberArk Identity Administration and tries to log in to the CyberArk Privilege Cloud portal using the correct credentials. What will happen?
- A. The end user will be able to log in and access the same set of functions as before.
- B. After successful login, the end user will be able to log in, but will encounter a blank page.
- C. The end user will receive an "Unable to login. Contact your system administrator" error message.
- D. The end user will receive a "User does not exist" error message.
Answer: C
Explanation:
Privilege Cloud (Shared Services) user access is governed by CyberArk Identity user existence and policy.
If the user account is removed, sign-in is blocked and the end-user experience is the standard "unable to sign in / contact administrator" style message, consistent with CyberArk's end-user troubleshooting guidance when sign-in is blocked by policy/account state.
(Options C and D do not align with Identity-based access control behavior; a removed Identity user should not be able to authenticate successfully.)
NEW QUESTION # 66
Which ports do the CyberArk Identity Connector require to be opened to support using Active Directory for LDAP authentication to Privileged Cloud Shared Services? (Choose two.)
- A. TCP 443 from the CyberArk Tenant to the connector host
- B. TCP 636 from the domain controller to the CyberArk Tenant
- C. TCP 636 from the CyberArk Tenant to the domain controller
- D. TCP 443 from the connector host to the CyberArk Tenant
- E. TCP 636 from the connector host to the domain controller
Answer: D,E
Explanation:
* The Identity Connector communicates with the CyberArk Identity tenant using outbound HTTPS (TCP 443). CyberArk states the connector's internet connections are outbound and use TCP 80/443 (with 443 being the standard requirement).
* For AD/LDAP authentication using LDAPS, the connector host must be able to reach the Domain Controller on TCP 636 (LDAPS).
Why the others are incorrect:
* The Identity Connector design is outbound; you do not open inbound 443 from the tenant to the connector host (so D is wrong).
* LDAPS traffic is between the connector host and the domain controller, not the CyberArk tenant directly to your DC (so C and E are wrong).
NEW QUESTION # 67
What is the navigation path to add account search properties?
- A. Go to Policies > Master Policy
- B. Go to Administration > Configuration Options > Configurations > Accounts UI Preferences > Main > Toolbar actions
- C. Go to Administration > Configuration Options > Configurations > Search Properties
- D. Go to Administration > Configuration Options > Applications > Search Properties
Answer: C
Explanation:
CyberArk's Privilege Cloud procedure for adding account search properties states:
* In the Privilege Cloud Portal, go to Administration > Configuration Options
* Under Configurations, right-click Search Properties # Add Property
That is option B.
NEW QUESTION # 68
Which deployment criteria influences the CyberArk-provided hardening methods that need to be applied to CPM and PSM components?
- A. "In Domain" and "Out of Domain"
- B. "Windows" and "Linux"
- C. "Primary Privilege Cloud Connector" and "additional Privilege Cloud Connector"
- D. "On Premises" and "On Cloud"
Answer: A
Explanation:
CyberArk's hardening guidance is explicitly organized by whether the servers are In Domain or Out of Domain (for example, PSM hardening guidelines and tasks reference both deployment types, and CPM has separate "hardening in domain" guidance). Therefore, the deployment criterion that drives the hardening method/package is In Domain vs Out of Domain.
NEW QUESTION # 69
Which Safe(s) does the AllowedSafes=Win platform parameter configuration match? (Choose two.)
- A. SQL-Win-SA
- B. WindowsPasswords
- C. CXD-WIN-ADMINS
- D. WiNdOwS_Accts
- E. win-ssh-keys
Answer: A,B
NEW QUESTION # 70
......
Pass Your Next CPC-CDE-RECERT Certification Exam Easily & Hassle Free: https://www.prep4away.com/CyberArk-certification/braindumps.CPC-CDE-RECERT.ete.file.html