CPC-CDE-RECERT Practice Questions

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pas%20inst/cpm-hardening-task-descriptions.htm?Highlight=cpm%20hardening%20accounts#AddsuserstoLocalgrouppolicySecuritysettings

PSM for SSH supports various authentication methods, specifically focusing on secure and verified access mechanisms. The supported methods include:

RADIUS (D): Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. PSM for SSH utilizes RADIUS to authenticate SSH sessions, which adds an additional layer of security by centralizing authentication requests to a RADIUS server.

Client Authentication Certificate (E): This method uses certificates for authentication, where a client presents a certificate that the server verifies against known trusted certificates. This type of authentication is highly secure as it ensures that both parties involved in the communication are precisely who they claim to be, making it suitable for environments that require stringent security measures.

These methods provide robust security options for SSH sessions managed through CyberArk's PSM, ensuring that only authorized users can access critical systems.

In the Shared Services (ISPSS) model, directory services (AD/LDAP) are integrated through CyberArk Identity / Identity Administration using the Identity Connector, which enables secure communication between Identity Administration and the customer’s AD/LDAP. This aligns with C.

For LDAPS, CyberArk states LDAP communicates with the Identity Connector over TLS/SSL (port 636) and that, during the handshake, the LDAP server presents an X.509 certificate; therefore the machine running the Identity Connector must trust the issuing CA/cert chain. This is exactly D.

Why the other options are not correct for Shared Services:

A describes the Privilege Cloud Portal LDAP mapping UI used in the Privilege Cloud Standard LDAP integration flow (User Provisioning > LDAP Integration), not the Shared Services Identity Administration directory service integration path.

B “Secure Tunnel required” is a requirement called out for connecting LDAP in the Privilege Cloud Standard flow (CyberArk Support defines the secure tunnel), but Shared Services LDAP/AD authentication is handled via the Identity Connector model.

E is not a Shared Services requirement; the trust is established on the connector machine (D), not by sending the CA cert to CyberArk Support.

AllowedSafes is a regular expression and is case sensitive.

The regex Win (with no anchors) will match any Safe name that contains the exact substring “Win” with the same case:

WindowsPasswords → starts with Win ✅

SQL-Win-SA → contains Win ✅

win-ssh-keys → contains win (lowercase) ❌ (case sensitive)

CXD-WIN-ADMINS → contains WIN (all caps) ❌

WiNdOwS_Accts → mixed case, does not contain the exact substring Win ❌

Therefore the correct choices are A and D.