CPC-CDE-RECERT Practice Questions

To correctly change the default PSM recordings folder path on the Privilege Cloud Connector, the sequence of steps should be:

Create a corresponding folder in the new location.Before making changes to configuration files, ensure the new directory for PSM recordings is created. This is where all session recordings will be stored moving forward.

In the Basic_psm.ini file, set RecordingsDirectory with the new path.Update the Basic_psm.ini file to reflect the new path for the recordings. This step is crucial as it directs the PSM to start using the newly created directory for all future session recordings.

Restart the PSM service.After updating the path in the configuration file, restart the PSM service to apply the changes. This ensures that all new sessions are recorded in the new specified location.

Run the PSMHardening script.Once the service is restarted and the new settings are in place, run the PSMHardening script. This script ensures that all security measures are re-applied to the new recordings directory, maintaining the security integrity of the session recordings.

Following these steps in the given order will successfully change the recording directory for PSM sessions on the Privilege Cloud Connector, ensuring a smooth transition to the new storage location with all necessary security measures intact.

From the error message provided, two likely scenarios could represent valid misconfigurations:

TCP Port 636 could be blocked by a network firewall, preventing communication between the CyberArk Identity Connector and the LDAP Server (A). This is a common issue where firewall settings prevent the secure communication port (typically 636 for LDAPS) from transmitting data between the server and the connector, thus blocking the connection attempt.

'Verify Server Certificate' is activated but the provided hostname is not listed as a Subject Alternative Name (SAN) in the LDAP server's certificate (C). This scenario occurs when SSL/TLS security measures are stringent, requiring that the hostname used to connect to the LDAP server must match one listed in the server's SSL certificate. If the hostname does not match, the connection will fail due to SSL certificate validation errors.

In the Privilege Cloud LDAP integration workflow, CyberArk lists the default maps (built-in directory maps) as:

Vault Admins

Safe managers

Auditors

Users

Since the question asks for the default roles in addition to Vault Admins and Auditors, the remaining two default map roles are Safe managers and Users, which correspond to A and D.

CyberArk’s official outbound traffic/network requirements explicitly list the two Privilege Cloud cloud-side endpoints that are required for Secure Tunnel communications (for REST/API calls over HTTPS/443):

Backend service management (Required for Secure Tunnel): https://console.privilegecloud.cyberark.com

Connector (Required for Secure Tunnel): https://connector- .privilegecloud.cyberark.com

These map directly to answer choices A (console) and B (connector-).

Note: Your options use the .cyberark.cloud domain, while CyberArk’s network requirements documentation shows these endpoints in the .cyberark.com domain for Privilege Cloud. The service roles (Console + Connector endpoint) are what Secure Tunnel must reach, and those are the two “Required for Secure Tunnel” services in the official requirements.

Why the other options are not selected (based on what’s “required for Secure Tunnel” in the official allowlist guidance):

C (backend-services…): Not listed in CyberArk’s published “Required for Secure Tunnel” FQDN allowlist entries (console + connector are).

D (telemetry…): Telemetry is a separate capability (dashboards / utilization tracking) and is not documented as the required Secure Tunnel service endpoint.

E (update…): Secure Tunnel upgrade/download processes are documented, but “update.*” is not listed as a required Secure Tunnel cloud endpoint in the outbound allowlist table.