Practice Free CPC-CDE-RECERT CyberArk CDE-CPC Recertification Exam Questions Answers With Explanation

CyberArk documents that the health check service returns HTTP 200 (OK) when the PSM service is healthy, and returns 503 (Service unavailable) when it is not healthy (in code-based behavior).

CyberArk documents that due to RDS licensing enforcement in Windows 2019/2022, Per-user licensing is not supported for local users, and (when Per-user CALs are required) you should move the built-in PSM application users (PSMConnect / PSMAdminConnect) from local to domain users.

Therefore, to leverage existing Per-user RDS licensing on Windows 2019 PSM servers, you must migrate the local PSM users to domain users ? C.

CyberArk documents that the HTML5 gateway tunnels the session using a secure WebSocket over port 443, enabling users to access PSM sessions from a web browser (instead of requiring an RDP client connection from the endpoint).

In Privilege Cloud remote access for employees, CyberArk describes using Remote Access and HTML5 to enable secure remote access sessions through PSM “from any web browser,” eliminating the need for VPN clients.

Given the provided answer choices, A is the only option that matches the documented “tunneling” role of the HTML5 Gateway (even though the most precise phrasing in CyberArk docs is “tunnels the session between the end user and the PSM machine”).

Why the other options are incorrect:

B: Authentication is handled by Privilege Cloud/IdP mechanisms; the HTML5 gateway’s documented role is session tunneling, not being the primary authenticator.

C: CyberArk explicitly positions HTML5 remote access as eliminating the need for VPN clients (not providing VPN).

D: This is marketing language not reflected as the HTML5 gateway’s documented purpose.

After the successful scripted installation of the Privileged Session Manager (PSM), one of the post-installation tasks is to disable the screen saver for the PSM local users. This is done to ensure that the PSMConnect and PSMAdminConnect users, which are created during the installation process, do not have a screen saver activated that could interfere with the operation of the PSM.

CyberArk’s Privilege Cloud guidance for PSM high availability explicitly ties multiple PSM instances to high availability and load balancing implementations, i.e., redundancy is achieved by deploying multiple PSMs and placing them behind a load balancer.

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-sys-req-networks.htm

In the directory lookup order for the CyberArk Privilege Cloud solution, the "CyberArk Cloud Directory" is always looked up first. This directory service is a part of the CyberArk Privilege Cloud infrastructure and is specifically designed to handle identity and access management within the cloud environment efficiently. It prioritizes the CyberArk Cloud Directory for authentication and identity resolution before consulting any external directory services.

CyberArk’s PSM hardening procedure for In Domain deployments explicitly recommends linking the hardening GPO to a dedicated OU and ensuring the CyberArk servers are located under that OU so the hardening GPO does not affect any other server.

This directly matches D.

On CyberArk Privilege Cloud, updating users' permissions on safes can be done through the Privilege Cloud Portal and the REST API. The Privilege Cloud Portal provides a user-friendly graphical interface where administrators can manage user permissions directly within the portal's safe management settings. Additionally, the REST API offers a programmable way to automate permission updates across safes, which is especially useful for bulk changes or integrating with other management tools. Both methods provide effective means to manage and customize access controls in a CyberArk environment, allowing for detailed permission settings per user on specific safes.

To allow a PSM Universal Connector executable to run on the PSM after the hardening process, you should update the PSMConfigureAppLocker.xml file. This file configures AppLocker, which is a feature that controls which apps and files users can run on a system. Including the necessary executable in the PSMConfigureAppLocker.xml ensures it is whitelisted by AppLocker policies, thus permitted to execute even under the hardened security settings of the PSM environment. References to this configuration can be found in the CyberArk Privilege Session Manager implementation documentation, specifically in sections detailing customization and security hardening of environment configurations.

CyberArk documents that automatic hardening can be bypassed by setting the Hardening parameter in the PSM for SSH parameters file. The PSM for SSH parameters file used during installation is the psmpparms file (created by copying psmpparms.sample and renaming it to psmpparms).

4->1->2->3

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-cpm-dr-install-standard.htm

CyberArk’s Privilege Cloud SAML configuration documentation explicitly states: Privilege Cloud supports only one assertion and instructs you to ensure only one assertion is configured in the IdP.

In the Privilege Cloud Installer (Standard) procedure, the Connector installer explicitly prompts you to select which components you want to install: “CPM/PSM/Both.”

That means the installation package supports installing:

PSM (Windows connector)

CPM

Why the other options are not correct for this installer package:

C (Secure Tunnel) is treated as a separate component (downloaded as a Secure Tunnel Client Installer package), not one of the “CPM/PSM/Both” choices in the Connector installer step.

D (CCP) is not listed as an installable component in the Privilege Cloud Connector installer flow shown in the official procedure.

E (PSM for SSH) is selected/downloaded as a separate component to support UNIX/Linux, not installed via the Connector installer’s “CPM/PSM/Both” selection.

CyberArk’s Connector Management prerequisites check defines the exact network connectivity rules that must pass before installation:

VaultConnectivity ? Connect to the Privilege Cloud backend on TCP 1858

TunnelConnectivity ? Connect to the Secure Tunnel on TCP 443

CustomerPortalConnectivity ? Connect to the service backend URL on TCP 443

This matches option A exactly.

When installing the PSM and CPM components on the same Privilege Cloud Connector and considering the hardening process, it's important to note that PSM settings override the CPM settings when referring to the same parameter. This hierarchy is crucial in ensuring that the more stringent security settings required by PSM, which typically handles direct interaction with end-user sessions, take precedence over CPM settings. This setup helps maintain robust security practices by applying the most restrictive configuration where conflicts occur.

CyberArk states that a Safe can be deleted only after its contents are deleted permanently, and (critically) objects are only deleted permanently after their retention/versions retention has passed. In the Privilege Cloud Safe management documentation, it notes that accounts are deleted permanently only after their retention period has passed, which is why deletion can be blocked by “non-expired” objects.

The underlying Vault/PACLI behavior is also explicit: “It is only possible to delete a Safe after the version retention period has expired for all files contained in the Safe.”

So, beyond deleting the content, the version retention period must have expired for all files ? B.

The correct description of the authentication differences between CyberArk Privilege Cloud and CyberArk PAM Self-Hosted is that CyberArk Privilege Cloud uses cloud-based methods, integrating with CyberArk Identity for Multi-Factor Authentication (MFA), and supports SAML and OIDC, while CyberArk PAM Self-Hosted relies on on-premises methods such as RADIUS and LDAP, but can adopt SAML or OIDC with additional setups. CyberArk Privilege Cloud is designed to leverage modern cloud-based authentication protocols to enhance security and ease of use, particularly in distributed and diverse IT environments. In contrast, CyberArk PAM Self-Hosted offers flexibility to use traditional on-premises authentication methods but also supports modern protocols if configured to do so.

In Privilege Cloud Shared Services, the System Health dashboard lists component categories that include CPM (and Accounts Discovery) and PSM (and PSM for SSH), along with Web Portal and Secrets Manager Credential Providers. Vault/PVWA/PTA are not listed as monitorable components on this page in the Privilege Cloud Shared Services System Health topic.

CyberArk documents that for upgrading Privilege Cloud connector components, there are two upgrade tools:

Connector Management installer (recommended)

Privilege Cloud installer (legacy)

That corresponds to B and C.

CyberArk states that LDAP users are provisioned using directory maps, and that a directory map determines whether a user account or group may be created in Privilege Cloud (and under which criteria/templates). That’s A.

CyberArk also states that an LDAP user’s account properties are updated by the directory map each time the user logs on (i.e., attributes refresh on login). That’s C.

Why the others are incorrect:

B: No custom Python script is required—Privilege Cloud uses built-in LDAP integration/directory mapping.

D: A Base Context / search base (e.g., DC=example,DC=com) is part of the required LDAP connection configuration.

E: The bind user does not have to be a domain admin; typical LDAP bind accounts are least-privileged for directory reads (domain admin is not a prerequisite in CyberArk’s integration flow).

To properly arrange the steps for failing over to a passive Central Policy Manager (CPM) in CyberArk, the sequence should be as follows:

Validate that the active CPM's services are stopped and set to manual.Before enabling the passive CPM, ensure that the services on the active CPM are stopped. This prevents any conflicts or data corruption by making sure that only one CPM is active at a time. Setting the services to manual ensures they do not restart automatically, which is crucial during a failover scenario.

On the passive CPM, confirm details in the Vault.ini configuration file, reset the password to the CPM user, and recreate the credential file.This step involves making sure the passive CPM has the correct configuration to seamlessly take over operations. Adjustments in the Vault.ini file may be necessary to ensure it is pointing to the correct Vault and network settings. Resetting the password and recreating the credential file are critical to secure the login and authentication process for the newly active CPM.

Enable the CPM services on the passive CPM.Once the passive CPM is correctly configured and ready, enable its services to begin handling the tasks and responsibilities of the primary CPM. This action effectively switches the role from passive to active, enabling the passive CPM to function as the new operational manager.

Review logs to confirm the passive CPM services are running as expected.Finally, review the system and application logs to confirm that the now-active CPM is operating correctly and that all services have started without errors. This step is vital for verifying that the failover process was successful and that the system is stable.

Following this ordered sequence ensures a smooth transition of roles from the active CPM to the passive CPM, minimizing downtime and potential disruptions in the privileged access management operations.

For a Privilege Session Manager (PSM) server, the network requirements primarily focus on its ability to interact with target systems securely and efficiently. The most accurate statement regarding these requirements is:

It must reach the target system using its native protocols (Option A). This is essential for the PSM to manage sessions effectively, as it needs to communicate using the protocols that the target systems are configured to accept, such as SSH for Linux servers or RDP for Windows servers.