How to integrate PowerProtect Data Manager with CyberArk

Summary: This article provides information for implementing a CyberArk solution with PowerProtect Data Manager to enable enforcement of strong authentication and access controls for privileged users. This reduces the risk of unauthorized access and potential security breaches. ...


Instructions

1. Background

CyberArk is a Privileged Access Management (PAM) solution that provides a centralized and secure approach to managing privileged accounts, which are often targeted by malicious actors.
By implementing a CyberArk solution, businesses can enforce strong authentication and access controls for privileged users. This reduces the risk of unauthorized access and potential security breaches.
 

2. How to integrate PowerProtect Data Manager with CyberArk

Steps 

  1. Log in to the PowerProtect Data Manager server over SSH as admin, then switch to the root user.
  2. Create user "arkrecon" in group "support" (after this step, user "arkrecon" can be used for login):
    1. useradd arkrecon -g support
    2. passwd arkrecon
  3. Create the file /etc/sudoers.d/cyberark with the following command:
     echo "arkrecon ALL=(ALL)NOPASSWD:/usr/bin/passwd,/usr/bin/passwd.unix,/usr/bin/chuser,/usr/bin/pwdadm,/sbin/pam_tally2" > /etc/sudoers.d/cyberark

After these steps, user "arkrecon" can be used for SSH login to the PowerProtect Data Manager server. It can also be used for managing passwords and unlocking accounts, as the two screenshots in the original article show:

[Screenshot 1: managing passwords and unlocking accounts]

[Screenshot 2: managing passwords and unlocking accounts]

After a reboot, or after PowerProtect Data Manager is upgraded to a new version, the file /etc/sudoers.d/cyberark remains.
The user "arkrecon" can still be used for SSH login, managing passwords, and unlocking accounts.
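
The rule from step 3 lets "arkrecon" run passwd as any user without a password, so after a reboot or upgrade it is worth confirming that the file still grants exactly the documented commands. The shell check below is an added example, not Dell or CyberArk code; the function names and the strict one-rule policy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Dell or CyberArk code. Function names are hypothetical.
# Command list copied from step 3 of the article, sorted in the C locale.
EXPECTED_CMDS="/sbin/pam_tally2
/usr/bin/chuser
/usr/bin/passwd
/usr/bin/passwd.unix
/usr/bin/pwdadm"

# Print the commands granted to arkrecon, one per line, sorted.
# Returns 1 unless the file holds exactly one rule of the documented shape.
cyberark_rule_cmds() {
    file=$1
    # "#include"/"@include" are sudoers directives, not comments: reject them.
    grep -Eq '^[[:space:]]*[#@]include' "$file" && return 1
    # Everything that is neither a comment nor blank must be a single rule.
    rule=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$file") || return 1
    [ "$(printf '%s\n' "$rule" | grep -c .)" -eq 1 ] || return 1
    cmds=$(printf '%s\n' "$rule" | sed -nE \
        's/^arkrecon[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]*NOPASSWD:[[:space:]]*//p')
    [ -n "$cmds" ] || return 1
    printf '%s\n' "$cmds" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | LC_ALL=C sort
}

# Return 0 only when the granted commands equal the article's list.
audit_cyberark_sudoers() {
    granted=$(cyberark_rule_cmds "$1") || {
        echo "FAIL: $1 is not a single arkrecon NOPASSWD rule"; return 1; }
    if [ "$granted" = "$EXPECTED_CMDS" ]; then
        echo "OK: $1 grants exactly the documented commands"
    else
        echo "FAIL: $1 differs from the documented command list:"
        printf '%s\n' "$granted"
        return 1
    fi
}

# Constructed sample input: the rule exactly as written in step 3.
sample=$(mktemp)
echo "arkrecon ALL=(ALL)NOPASSWD:/usr/bin/passwd,/usr/bin/passwd.unix,/usr/bin/chuser,/usr/bin/pwdadm,/sbin/pam_tally2" > "$sample"
audit_cyberark_sudoers "$sample"
rm -f "$sample"
```

On the server, run `audit_cyberark_sudoers /etc/sudoers.d/cyberark` as root; `visudo -cf /etc/sudoers.d/cyberark` checks the file's syntax separately.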

 

3. Limitation and Reminders

  1. The solution is applicable to the PowerProtect Data Manager stand-alone version. It is not applicable to PowerProtect Data Manager Appliance for DM5500.
  2. Backup or restore of CyberArk settings is not covered by the Server DR process. CyberArk cannot continue to work from Server DR.
  3. Customers should keep the root user’s password. Files under /etc/sudoers.d can only be read and edited by the root user.

Affected Products

PowerProtect Data Manager
Article Properties
Article Number: 000215925
Article Type: How To
Last Modified: 25 Sept 2023
Version:  2