CyberArk CPC-CDE-RECERT CyberArk CDE-CPC Recertification Exam Practice Test

The Identity Connector communicates with the CyberArk Identity tenant using outbound HTTPS (TCP 443). CyberArk states the connector’s internet connections are outbound and use TCP 80/443 (with 443 being the standard requirement).

For AD/LDAP authentication using LDAPS, the connector host must be able to reach the Domain Controller on TCP 636 (LDAPS).

Why the others are incorrect:

The Identity Connector design is outbound; you do not open inbound 443 from the tenant to the connector host (so D is wrong).

LDAPS traffic is between the connector host and the domain controller, not the CyberArk tenant directly to your DC (so C and E are wrong).

When installing the first CyberArk Privilege Management (CPM) instance in the Privilege Cloud using the Connector Management Agent, the installation mode should be set to "Active". This configuration sets the CPM to be actively involved in password management and task processing without being in a standby or passive mode. Here are the step-by-step details:

Download the Connector Management Agent: Obtain the installer from the CyberArk Marketplace or your installation kit.

Run the Installer: Start the setup and select the CPM component to install.

Choose Installation Mode: When prompted, select "Active" as the installation mode. This sets up the CPM as the primary node responsible for handling password management operations.

This setup ensures that the CPM is immediately active and capable of handling requests without waiting for manual intervention or failover.

CyberArk states that LDAP users are provisioned using directory maps, and that a directory map determines whether a user account or group may be created in Privilege Cloud (and under which criteria/templates). That’s A.

CyberArk also states that an LDAP user’s account properties are updated by the directory map each time the user logs on (i.e., attributes refresh on login). That’s C.

Why the others are incorrect:

B: No custom Python script is required—Privilege Cloud uses built-in LDAP integration/directory mapping.

D: A Base Context / search base (e.g., DC=example,DC=com) is part of the required LDAP connection configuration.

E: The bind user does not have to be a domain admin; typical LDAP bind accounts are least-privileged for directory reads (domain admin is not a prerequisite in CyberArk’s integration flow).

PSM for SSH supports various authentication methods, specifically focusing on secure and verified access mechanisms. The supported methods include:

RADIUS (D): Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. PSM for SSH utilizes RADIUS to authenticate SSH sessions, which adds an additional layer of security by centralizing authentication requests to a RADIUS server.

Client Authentication Certificate (E): This method uses certificates for authentication, where a client presents a certificate that the server verifies against known trusted certificates. This type of authentication is highly secure as it ensures that both parties involved in the communication are precisely who they claim to be, making it suitable for environments that require stringent security measures.

These methods provide robust security options for SSH sessions managed through CyberArk's PSM, ensuring that only authorized users can access critical systems.

When implementing LDAPS Integration for a standard Privilege Cloud environment, certain information is crucial and must be provided to the CyberArk Privilege Cloud support team through a Service Request. The necessary details include:

LDAPS certificate chain for all domain controllers to be integrated (Option A): This information is critical to establishing a trusted secure connection between the Privilege Cloud and the domain controllers using LDAP over SSL (LDAPS).

Fully Qualified Domain Name and IP Address of the domain controllers to be integrated (Option D): This information is essential for accurately identifying and configuring the network connections to each domain controller that will be integrated with the Privilege Cloud.

To configure a platform to work with load-balanced Privileged Session Managers (PSMs), you should:

Create a new PSM definition that targets the load balancer IP address and assign it to the platform (Option B). This approach involves configuring the platform settings to direct session traffic through a load balancer that distributes the load across multiple PSM servers. This is effective in environments where high availability and fault tolerance are priorities.

CyberArk documents that automatic hardening can be bypassed by setting the Hardening parameter in the PSM for SSH parameters file. The PSM for SSH parameters file used during installation is the psmpparms file (created by copying psmpparms.sample and renaming it to psmpparms).

For large implementations of CyberArk Privilege Cloud Connectors in AWS and Azure environments, each connector can handle between 31-60 concurrent RDP/SSH sessions. This capacity is specified in the CyberArk documentation concerning Privilege Cloud Connectors and their scalability options. It is designed to support a higher volume of concurrent sessions to meet the needs of larger enterprise environments, ensuring that multiple users can securely access resources without significant performance degradation.

https://docs.cyberark.com/pam-self-hosted/latest/en/content/pas%20inst/install_psm_harden.htm#HardenInDomaindeployments

When installing the Privileged Session Manager (PSM) on multiple servers, it is required that each PSM installation has the same path to the same recordings directory. This is necessary to ensure that session recordings are stored consistently across different PSM instances, which is important for high availability and load balancing implementations, as well as for maintaining a unified audit trail.

The error message "CACPM410E Ending password policy Prod-AIX-Root-Accounts since the reconciliation task is active but the AllowedSafes parameter was not updated" suggests an issue with configuration parameters. The likely cause is:

The AllowedSafes parameter does not include the safe containing the reconciliation account defined in the Platform (Option C). This parameter must accurately reflect all safes where the reconciliation account operates to ensure proper management and access by the Central Policy Manager (CPM). If the safe containing the reconciliation account is not listed, the CPM cannot perform its tasks, leading to this error.

CyberArk’s Safe creation documentation explains that when you choose “Save the last <number> account versions” (also shown as “Save latest account versions” in some UIs), the Safe retains the most recent password versions indefinitely by keeping a fixed number of versions and rolling off the oldest. It also states that by default, the last five password versions are stored.

CyberArk’s predefined groups documentation describes the Auditors group as having View audit plus Safe viewing-related authorization (documented as View Safe Members, enabling visibility into Safe contents/activity/owners list). This matches the intent of “View Audit + View Safe” in the question better than the other options.

The sshd_config file is the correct configuration file that must be updated to define maintenance users for administering the Privilege Cloud PSM for SSH connector. This file contains configurations for the SSH daemon, including user permissions and group settings. When adding maintenance users, their user accounts are created on the PSM server, and then they are added to the AllowGroups parameter within the sshd_config file to grant them the necessary permissions.

In the Privilege Cloud Installer (Standard) procedure, the Connector installer explicitly prompts you to select which components you want to install: “CPM/PSM/Both.”

That means the installation package supports installing:

PSM (Windows connector)

CPM

Why the other options are not correct for this installer package:

C (Secure Tunnel) is treated as a separate component (downloaded as a Secure Tunnel Client Installer package), not one of the “CPM/PSM/Both” choices in the Connector installer step.

D (CCP) is not listed as an installable component in the Privilege Cloud Connector installer flow shown in the official procedure.

E (PSM for SSH) is selected/downloaded as a separate component to support UNIX/Linux, not installed via the Connector installer’s “CPM/PSM/Both” selection.

https://docs.cyberark.com/identity/latest/en/content/coreservices/connector/connector-install.htm

For a Privilege Session Manager (PSM) server, the network requirements primarily focus on its ability to interact with target systems securely and efficiently. The most accurate statement regarding these requirements is:

It must reach the target system using its native protocols (Option A). This is essential for the PSM to manage sessions effectively, as it needs to communicate using the protocols that the target systems are configured to accept, such as SSH for Linux servers or RDP for Windows servers.

AllowedSafes is a regular expression and is case sensitive.

The regex Win (with no anchors) will match any Safe name that contains the exact substring “Win” with the same case:

WindowsPasswords → starts with Win ✅

SQL-Win-SA → contains Win ✅

win-ssh-keys → contains win (lowercase) ❌ (case sensitive)

CXD-WIN-ADMINS → contains WIN (all caps) ❌

WiNdOwS_Accts → mixed case, does not contain the exact substring Win ❌

Therefore the correct choices are A and D.

Privilege Cloud (Shared Services) user access is governed by CyberArk Identity user existence and policy. If the user account is removed, sign-in is blocked and the end-user experience is the standard “unable to sign in / contact administrator” style message, consistent with CyberArk’s end-user troubleshooting guidance when sign-in is blocked by policy/account state.

(Options C and D do not align with Identity-based access control behavior; a removed Identity user should not be able to authenticate successfully.)

4->1->2->3

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-cpm-dr-install-standard.htm

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pas%20inst/cpm-hardening-task-descriptions.htm?Highlight=cpm%20hardening%20accounts#AddsuserstoLocalgrouppolicySecuritysettings

CyberArk’s Privilege Cloud guidance for PSM high availability explicitly ties multiple PSM instances to high availability and load balancing implementations, i.e., redundancy is achieved by deploying multiple PSMs and placing them behind a load balancer.

CyberArk documents that the health check service returns HTTP 200 (OK) when the PSM service is healthy, and returns 503 (Service unavailable) when it is not healthy (in code-based behavior).

The default authentication profile to access CyberArk Identity is typically the Default New Device Login Profile. This profile is used to manage the authentication settings and security measures for devices accessing CyberArk services for the first time. It includes configurations such as authentication methods, security checks, and compliance requirements, ensuring that new devices meet the organization’s security standards before gaining access.

CyberArk recommends placing connector host machines geographically as close as possible to their targets to reduce latency and (practically) minimize WAN traffic between sites.

Since CPM password rotations/verifications occur between the CPM component and the target systems in the customer network, deploying CPM connectors in each data center (near those local targets) and organizing/segregating by region (for example via region-specific Safes/target scoping) is the design that best reduces cross–data-center traffic.

CyberArk’s “Before you install PSM for SSH (Standard)” prerequisites include:

Verify public access: “Verify that outbound traffic from the PSM for SSH server is always routed through the same public-facing IP.” This directly supports C.

Create the PSM for SSH parameters file: The parameters file is required for the installation process, and the documentation specifies InstallCyberArkSSHD = Integrated as a mandatory parameter value. This supports A (with the corrected value “Integrated”).

Why the other options are not “installation prerequisites” as written:

B: CyberArk documents that after installation, the root user will not be able to authenticate remotely using a password (security behavior), not as a prerequisite step to perform before installation.

D: The docs mention you can use a different administrative/maintenance user, but it is not listed as a required prerequisite in the “Before you install” checklist.

E: Resetting the root password is not listed as a prerequisite in the Privilege Cloud “Before you install PSM for SSH (Standard)” documentation.

For LDAP integration with CyberArk Privilege Cloud Standard, the correct statement is that only the Issuing CA certificate is required for certificate trust to your directory server. This setup simplifies the process of establishing a trusted connection between CyberArk and the LDAP server by necessitating only the certification of the issuing Certificate Authority (CA), rather than needing multiple certificates from different levels of the trust chain. This approach ensures that the SSL/TLS communication between CyberArk and the LDAP server is secured based on the trust of the issuing CA’s certificate.

In the Shared Services (ISPSS) model, directory services (AD/LDAP) are integrated through CyberArk Identity / Identity Administration using the Identity Connector, which enables secure communication between Identity Administration and the customer’s AD/LDAP. This aligns with C.

For LDAPS, CyberArk states LDAP communicates with the Identity Connector over TLS/SSL (port 636) and that, during the handshake, the LDAP server presents an X.509 certificate; therefore the machine running the Identity Connector must trust the issuing CA/cert chain. This is exactly D.

Why the other options are not correct for Shared Services:

A describes the Privilege Cloud Portal LDAP mapping UI used in the Privilege Cloud Standard LDAP integration flow (User Provisioning > LDAP Integration), not the Shared Services Identity Administration directory service integration path.

B “Secure Tunnel required” is a requirement called out for connecting LDAP in the Privilege Cloud Standard flow (CyberArk Support defines the secure tunnel), but Shared Services LDAP/AD authentication is handled via the Identity Connector model.

E is not a Shared Services requirement; the trust is established on the connector machine (D), not by sending the CA cert to CyberArk Support.

In a PSM Load Balanced Virtual Server Configuration, the default service ports/protocols used are RDP/3389 and HTTPS/443. RDP (Remote Desktop Protocol) typically uses port 3389 for remote desktop services, which is essential for PSM functionalities involving remote sessions. HTTPS, which utilizes port 443, is used for the PSM Health Check service to ensure secure and encrypted communication during the monitoring and health verification processes of the PSM services.