Free CyberArk CPC-CDE-RECERT Practice Exam with Questions & Answers | Set: 3

The Identity Connector communicates with the CyberArk Identity tenant using outbound HTTPS (TCP 443). CyberArk states the connector’s internet connections are outbound and use TCP 80/443 (with 443 being the standard requirement).

For AD/LDAP authentication using LDAPS, the connector host must be able to reach the Domain Controller on TCP 636 (LDAPS).

Why the others are incorrect:

The Identity Connector design is outbound; you do not open inbound 443 from the tenant to the connector host (so D is wrong).

LDAPS traffic is between the connector host and the domain controller, not the CyberArk tenant directly to your DC (so C and E are wrong).

CyberArk’s predefined groups documentation describes the Auditors group as having View audit plus Safe viewing-related authorization (documented as View Safe Members, enabling visibility into Safe contents/activity/owners list). This matches the intent of “View Audit + View Safe” in the question better than the other options.

CyberArk states that a Safe can be deleted only after its contents are deleted permanently, and (critically) objects are only deleted permanently after their retention/versions retention has passed. In the Privilege Cloud Safe management documentation, it notes that accounts are deleted permanently only after their retention period has passed, which is why deletion can be blocked by “non-expired” objects.

The underlying Vault/PACLI behavior is also explicit: “It is only possible to delete a Safe after the version retention period has expired for all files contained in the Safe.”

So, beyond deleting the content, the version retention period must have expired for all files → B.

To properly arrange the steps for failing over to a passive Central Policy Manager (CPM) in CyberArk, the sequence should be as follows:

Validate that the active CPM's services are stopped and set to manual.Before enabling the passive CPM, ensure that the services on the active CPM are stopped. This prevents any conflicts or data corruption by making sure that only one CPM is active at a time. Setting the services to manual ensures they do not restart automatically, which is crucial during a failover scenario.

On the passive CPM, confirm details in the Vault.ini configuration file, reset the password to the CPM user, and recreate the credential file.This step involves making sure the passive CPM has the correct configuration to seamlessly take over operations. Adjustments in the Vault.ini file may be necessary to ensure it is pointing to the correct Vault and network settings. Resetting the password and recreating the credential file are critical to secure the login and authentication process for the newly active CPM.

Enable the CPM services on the passive CPM.Once the passive CPM is correctly configured and ready, enable its services to begin handling the tasks and responsibilities of the primary CPM. This action effectively switches the role from passive to active, enabling the passive CPM to function as the new operational manager.

Review logs to confirm the passive CPM services are running as expected.Finally, review the system and application logs to confirm that the now-active CPM is operating correctly and that all services have started without errors. This step is vital for verifying that the failover process was successful and that the system is stable.

Following this ordered sequence ensures a smooth transition of roles from the active CPM to the passive CPM, minimizing downtime and potential disruptions in the privileged access management operations.

The error message "CACPM410E Ending password policy Prod-AIX-Root-Accounts since the reconciliation task is active but the AllowedSafes parameter was not updated" suggests an issue with configuration parameters. The likely cause is:

The AllowedSafes parameter does not include the safe containing the reconciliation account defined in the Platform (Option C). This parameter must accurately reflect all safes where the reconciliation account operates to ensure proper management and access by the Central Policy Manager (CPM). If the safe containing the reconciliation account is not listed, the CPM cannot perform its tasks, leading to this error.

https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Security/PSM-hardening-configuration.htm?Highlight=disable%20support%20for%20browsers

https://docs.cyberark.com/pam-self-hosted/latest/en/content/pas%20inst/install_psm_harden.htm#HardenInDomaindeployments

CyberArk explicitly states that you must move PSM application users (PSMConnect/PSMAdminConnect) to domain users on Windows 2019/2022 when:

you are using RDS CAL per-user licensing, and

you want to extend PSM sessions beyond one hour.

CyberArk’s PSM hardening procedure for In Domain deployments explicitly recommends linking the hardening GPO to a dedicated OU and ensuring the CyberArk servers are located under that OU so the hardening GPO does not affect any other server.

This directly matches D.