Pass Guaranteed Quiz 2026 Realistic Verified Free CPC-CDE-RECERT Exam Dumps
Free CyberArk Certification CPC-CDE-RECERT Ultimate Study Guide (Updated 101 Questions)
NEW QUESTION # 42
What is a requirement for increasing the redundancy of PSMs?
- A. CPM must be in all data centers.
- B. Use a load balancer.
- C. Install the Vault in an HA cluster.
- D. Set it by adding parameters to the basic_PSM.ini configuration file.
Answer: B
Explanation:
CyberArk's Privilege Cloud guidance for PSM high availability explicitly ties multiple PSM instances to high availability and load balancing implementations, i.e., redundancy is achieved by deploying multiple PSMs and placing them behind a load balancer.
NEW QUESTION # 43
During CPM hardening, which locally created users are granted Logon as a Service rights in the local group policy? (Choose 2.)
- A. ScannerUser
- B. PluginManagerUser
- C. PasswordManagerUser
- D. CPMServiceAccount
- E. PasswordManager
Answer: A,C
Explanation:
https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pas%20inst/cpm-hardening-task- descriptions.htm?Highlight=cpm%20hardening%20accounts#AddsuserstoLocalgrouppolicySecuritysettings
NEW QUESTION # 44
Which users are Privilege Cloud Standard built-in users? (Choose 2.)
- A. saascorps
- B. PASReporterUser
- C. NASCorp
- D. remoteAccessAppUser
- E. CyberArkAdmin
Answer: A,D
Explanation:
https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-app-users.
htm
NEW QUESTION # 45
Following the installation of the PSM for SSH server, which additional tasks should be performed? (Choose
2.)
- A. Delete the vault.ini you used during installation.
- B. Delete the user.cred file used during installation.
- C. Delete the psmpparms file you used during installation.
- D. Package all installation log files for upload to CyberArk.
Answer: A,B
Explanation:
https://docs.cyberark.com/pam-self-hosted/14.0/en/content/pas%20inst/following-installation-of-psmp.htm
NEW QUESTION # 46
Which ports do the CyberArk Identity Connector require to be opened to support using Active Directory for LDAP authentication to Privileged Cloud Shared Services? (Choose two.)
- A. TCP 636 from the CyberArk Tenant to the domain controller
- B. TCP 636 from the domain controller to the CyberArk Tenant
- C. TCP 443 from the connector host to the CyberArk Tenant
- D. TCP 636 from the connector host to the domain controller
- E. TCP 443 from the CyberArk Tenant to the connector host
Answer: C,D
Explanation:
* The Identity Connector communicates with the CyberArk Identity tenant using outbound HTTPS (TCP 443). CyberArk states the connector's internet connections are outbound and use TCP 80/443 (with 443 being the standard requirement).
* For AD/LDAP authentication using LDAPS, the connector host must be able to reach the Domain Controller on TCP 636 (LDAPS).
Why the others are incorrect:
* The Identity Connector design is outbound; you do not open inbound 443 from the tenant to the connector host (so D is wrong).
* LDAPS traffic is between the connector host and the domain controller, not the CyberArk tenant directly to your DC (so C and E are wrong).
NEW QUESTION # 47
When performing "In Domain" hardening of a PSM server, which steps are recommended? (Choose two.)
- A. Import an INF file to the local machine.
- B. Apply advanced audit on the PSM server.
- C. Configure AppLocker rules to block running unknown executables.
- D. Apply GPO to the CyberArk PSM servers.
- E. Import CyberArk policy settings from the provided file into a new GPO.
Answer: D,E
Explanation:
https://docs.cyberark.com/pam-self-hosted/latest/en/content/pas%20inst/install_psm_harden.
htm#HardenInDomaindeployments
NEW QUESTION # 48
When using Connector Management, how do you configure a DR CPM in Privilege Cloud shared services?
(Choose two.)
- A. When prompted to select the CPM mode, select Passive.
- B. Stop the CyberArk Password Manager service and set the startup type to Automatic.
- C. Stop the CyberArk Password Manager service and set the startup type to Manual.
- D. When prompted for the Vault administrator credentials on the installation windows, leave it blank and proceed.
- E. When prompted for the Vault IP address on the installation windows, leave it blank and proceed.
Answer: A,C
Explanation:
CyberArk's official DR CPM procedure for Privilege Cloud (shared services) describes two key actions in this flow:
* During installation (Connector Management): When prompted to select the CPM mode, choose Passive.
* After installation (configuration step): Stop the CyberArk Password Manager service and set its startup type to Manual.
These map directly to answers C and A.
NEW QUESTION # 49
Which actions must be performed when manually hardening a SUSE server with PSM for SSH? (Choose two.)
- A. Validate that the psmpgwuser.cred file has correct permissions.
- B. Add the PSM for SSH gateway user to the passwd file.
- C. Update settings in the sshd_config file on the server.
- D. Remove all users and groups from the passwd file.
- E. Add the PSM gateway user to the wheel group.
Answer: A,C
Explanation:
CyberArk's hardening instructions for SUSE (manual hardening) explicitly require:
* Updating the SSH daemon configuration in /etc/ssh/sshd_config (for example, removing SFTP subsystem definitions and setting multiple hardening-related attributes such as disabling forwarding features).
* Ensuring the credential file for the PSM for SSH gateway user (psmpgwuser.cred) has the required permissions 640 (default path shown as /etc/opt/CARKpsmp/Vault/psmpgwuser.cred).
Those map directly to A and C.
NEW QUESTION # 50
You are configuring firewall rules between the Privilege Cloud components and the Privilege Cloud. Which firewall rules should be set up to allow connections?
- A. from the Privilege Cloud components to the CyberArk Privilege Cloud
C bi-directionally between the Privilege Cloud components and the CyberArk Privilege cloud - B. from the CyberArk Privilege Cloud to the Privilege Cloud components
- C. from the Privilege Cloud components to CyberArk.com
Answer: A
Explanation:
https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-sys-req- networks.htm
NEW QUESTION # 51
You want to enforce Multi-Factor Authentication (MFA) for all Privilege Cloud Shared Services users and require them to set up an MFA factor. How should you accomplish this?
- A. Navigate to the Identity Administration Portal's Policies section and set the user security policy for Privilege Cloud to an authentication profile that only allows Multiple Authentication Mechanisms.
- B. Navigate to the Identity Administration Portal's Policies section and configure the authentication policies for CyberArk Identity, adding a new authentication rule that applies with an "identity cookie" as a filter.
- C. Navigate to the Identity Administration Portal's Policies section and configure the required authentication policies for CyberArk Identity.
- D. Only allow SAML as the authentication method, enforce MFA on the SAML Identity Provider (IdP), and ensure users set up MFA accordingly on the IdP.
Answer: C
Explanation:
In the Shared Services model, MFA enforcement is done in CyberArk Identity / Identity Administration using Core Services > Policies:
* To enforce MFA broadly, CyberArk documents configuring MFA for all users by enabling authentication policy controls and creating/assigning an authentication profile (the mechanisms
/challenges).
* To require users to set up MFA factors, CyberArk documents the setting under User Security Policies > User Account Settings where you specify the minimum number of authentication factors users must configure upon login.
Option B is the only choice that correctly points you to the right place and activity (Identity Administration Policies to configure authentication/MFA requirements and enrollment requirements).
NEW QUESTION # 52
You are implementing LDAPS Integration for a standard Privilege Cloud environment.
Which information must be provided to the CyberArk Privilege Cloud support team through a Service Request? (Choose 2.)
- A. LDAP bind username and password used to authenticate to the directory to be integrated C Domain Base Context used to locate the users and groups in the Active Directory to be integrated
- B. remote port set during secure tunnel configuration for each domain controller to be integrated
- C. Fully Qualified Domain Name and IP Address of the domain controllers to be integrated
- D. LDAPS certificate chain for all domain controllers to be integrated
Answer: B,D
Explanation:
When implementing LDAPS Integration for a standard Privilege Cloud environment, certain information is crucial and must be provided to the CyberArk Privilege Cloud support team through a Service Request. The necessary details include:
* LDAPS certificate chain for all domain controllers to be integrated (Option A): This information is critical to establishing a trusted secure connection between the Privilege Cloud and the domain controllers using LDAP over SSL (LDAPS).
* Fully Qualified Domain Name and IP Address of the domain controllers to be integrated (Option D):
This information is essential for accurately identifying and configuring the network connections to each domain controller that will be integrated with the Privilege Cloud.
Reference: The process of setting up LDAPS integration typically requires detailed network and security information about the domain controllers to ensure secure and reliable connectivity. CyberArk support documentation and service request forms usually specify the need for these details.
NEW QUESTION # 53
Which statements are correct regarding LDAP integration in Privilege Cloud Shared Services? (Choose two.)
- A. The CA certificate that issued the LDAP server's Server Authentication certificate must be provided to CyberArk Support.
- B. A Secure Tunnel installation is required to access the on-premises LDAP directory.
- C. The Privilege Cloud PAM leverages the directory services integration of CyberArk Identity.
- D. LDAP integration can be configured in the Privilege Cloud web interface under Administration > Configuration Options > LDAP Integration.
- E. The CA certificate that issued the LDAP server's Server Authentication certificate must be trusted on the machine running the CyberArk Identity Connector.
Answer: C,E
Explanation:
* In the Shared Services (ISPSS) model, directory services (AD/LDAP) are integrated through CyberArk Identity / Identity Administration using the Identity Connector, which enables secure communication between Identity Administration and the customer's AD/LDAP. This aligns with C.
* For LDAPS, CyberArk states LDAP communicates with the Identity Connector over TLS/SSL (port
636) and that, during the handshake, the LDAP server presents an X.509 certificate; therefore the machine running the Identity Connector must trust the issuing CA/cert chain. This is exactly D.
Why the other options are not correct for Shared Services:
* A describes the Privilege Cloud Portal LDAP mapping UI used in the Privilege Cloud Standard LDAP integration flow (User Provisioning > LDAP Integration), not the Shared Services Identity Administration directory service integration path.
* B "Secure Tunnel required" is a requirement called out for connecting LDAP in the Privilege Cloud Standard flow (CyberArk Support defines the secure tunnel), but Shared Services LDAP/AD authentication is handled via the Identity Connector model.
* E is not a Shared Services requirement; the trust is established on the connector machine (D), not by sending the CA cert to CyberArk Support.
NEW QUESTION # 54
An end user (external user account) has been removed from the Users tab in CyberArk Identity Administration and tries to log in to the CyberArk Privilege Cloud portal using the correct credentials. What will happen?
- A. The end user will receive a "User does not exist" error message.
- B. After successful login, the end user will be able to log in, but will encounter a blank page.
- C. The end user will receive an "Unable to login. Contact your system administrator" error message.
- D. The end user will be able to log in and access the same set of functions as before.
Answer: C
Explanation:
Privilege Cloud (Shared Services) user access is governed by CyberArk Identity user existence and policy.
If the user account is removed, sign-in is blocked and the end-user experience is the standard "unable to sign in / contact administrator" style message, consistent with CyberArk's end-user troubleshooting guidance when sign-in is blocked by policy/account state.
(Options C and D do not align with Identity-based access control behavior; a removed Identity user should not be able to authenticate successfully.)
NEW QUESTION # 55
Which external-facing IP addresses need to be provided to CyberArk when configuring Privilege Cloud so that they can be allowlisted?
- A. All users that will be accessing Privilege Cloud
- B. Cloud Connectors and Secrets Manager (if installed)
- C. On-premises backup servers
- D. All users who are Administrators in Privilege Cloud
Answer: B
Explanation:
CyberArk's Privilege Cloud network requirements state that, to secure the service, CyberArk permits inbound traffic only from specific IP addresses and you must provide CyberArk Support with the public-facing IP addresses for communication between the Privilege Cloud service and the Connectors, including Secrets Manager-so they can add them to the CyberArk allowlist.
That statement maps directly to A.
NEW QUESTION # 56
Which authentication methods does PSM for SSH support? (Choose 2.)
- A. Client Authentication Certificate
- B. OIDC
- C. MFA Caching
- D. SAML
- E. RADIUS
Answer: A,E
Explanation:
PSM for SSH supports various authentication methods, specifically focusing on secure and verified access mechanisms. The supported methods include:
* RADIUS (D): Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. PSM for SSH utilizes RADIUS to authenticate SSH sessions, which adds an additional layer of security by centralizing authentication requests to a RADIUS server.
* Client Authentication Certificate (E): This method uses certificates for authentication, where a client presents a certificate that the server verifies against known trusted certificates. This type of authentication is highly secure as it ensures that both parties involved in the communication are precisely who they claim to be, making it suitable for environments that require stringent security measures.
These methods provide robust security options for SSH sessions managed through CyberArk's PSM, ensuring that only authorized users can access critical systems.
NEW QUESTION # 57
Arrange the steps to install passive CPM using Connector Management in the correct sequence
Answer:
Explanation:
Explanation:
1-Run the Connector Management Connector installer
2-Install the CPM and PSM
3-When you are prompted to select the components to install, select CPM.
4-When you are prompted to select the CPM mode, select Passive.
https://docs.cyberark.com/ispss-deployment/latest/en/content/privilege%20cloud/privcloud-cpm-dr-install- config.htm
NEW QUESTION # 58
When installing the PSM and CPM components on the same Privilege Cloud Connector, what should you consider when hardening?
- A. They can only be installed on the same Privilege Cloud Connector when installed 'in Domain'.
- B. They can only be installed on the same Privilege Cloud Connector when installed 'out of Domain'.
- C. CPM settings override the PSM settings when referring to the same parameter
- D. PSM settings override the CPM settings when referring to the same parameter.
Answer: D
Explanation:
When installing the PSM and CPM components on the same Privilege Cloud Connector and considering the hardening process, it's important to note that PSM settings override the CPM settings when referring to the same parameter. This hierarchy is crucial in ensuring that the more stringent security settings required by PSM, which typically handles direct interaction with end-user sessions, take precedence over CPM settings.
This setup helps maintain robust security practices by applying the most restrictive configuration where conflicts occur.
NEW QUESTION # 59
......
Get to the Top with CPC-CDE-RECERT Practice Exam Questions: https://www.dumpsking.com/CPC-CDE-RECERT-testking-dumps.html
Use Real CPC-CDE-RECERT Dumps Free Sample Questions and Practice Test Engine: https://drive.google.com/open?id=1JNLEWNvuC5dBxGTWt6XJmxkEis9vLAgz
