Using CyberArk PVWA and PSM to manage SQL Server Management Studio connections is one of the use cases in the project. Unfortunately, there was not much detailed documentation on how to get this done.
I searched the CyberArk documentation site and found the following two KBs very helpful:
Eventually I went through those documents and guessed some of the steps to get this configuration working. I am summarizing those steps here for future reference:
First, you will need to have your PVWA, CPM, PSM and Vault servers working properly, and you should already be able to use PSM to manage your remote RDP/SSH connections to target servers.
1. Download and install SQL Server Management Studio (SSMS) on your PSM server.
a. Download link: https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15 . This is the download page for the latest version, 18.04. I have not tested this version yet. I am working on getting it tested.
b. For version 17 and earlier, you can find the downloads at https://docs.microsoft.com/en-us/sql/ssms/release-notes-ssms?view=sql-server-ver15#previous-ssms-releases. For example, the version 17.91 download link is https://go.microsoft.com/fwlink/?linkid=2043154&clcid=0x409
c. The installation process is very straightforward. Click Next, Next, Next, and you should be able to get it done.
Note: For SSMS 18, there is a new connection component for it on the Marketplace: https://cyberark-customers.force.com/mplace/s/#a352J000000pQWkQAM-a392J000001h4KeQAI
2. PSM AppLocker Configuration
The steps for PSM AppLocker configuration are well documented at https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/Optional-Setting-up-PSM-for-Databases-and-Virtualization.htm#_Ref292008898
Here is just a copy from the section relating to this step:
Note: You can find the file PSMConfigureAppLocker.xml at this location: C:\Program Files (x86)\CyberArk\PSM\Hardening
C:\Windows\system32>CD "C:\Program Files (x86)\CyberArk\PSM\Hardening"
C:\Program Files (x86)\CyberArk\PSM\Hardening>.\PSMConfigureAppLocker.ps1
3. Change PVWA Configuration for PSM Connection Component
Update the PSM-SQLServerMgmtStudio and PSM-SQLServerMgmtStudio-Win connection components as follows:
- In the PVWA, click ADMINISTRATION to display the System Configuration page, then click Options; the main system configuration editor appears.
- Expand the Connection Components section, then expand the PSM-SQLServerMgmtStudio connection component.
- For PSM-SQLServerMgmtStudio: In Target Settings, set the ClientApp parameter to the SQL Server Management Studio installation path on the PSM machine.
- For PSM-SQLServerMgmtStudio-Win: In Target Settings > Client Specific, set the ClientInstallationPath parameter value to the SQL Server Management Studio installation path on the PSM machine.
- For PSM-SQLServerMgmtStudio and PSM-SQLServerMgmtStudio-Win: In Target Settings > Client Specific, make sure that the WaitBeforeCmdlineParmsHide parameter value is set to 20000.
- Expand Target Settings, then select Lock Application Window.
- For PSM-SQLServerMgmtStudio: Right-click the MainWindowClass parameter and in the pop-up menu, select Revert to Default. This clears the MainWindowClass setting.
- For PSM-SQLServerMgmtStudio-Win: Set the parameter Enable to No.
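A check you can run on the PSM server after steps 2 and 3, as an added example that is not part of the original post or of CyberArk's tooling: it confirms that the SSMS path set in the connection component exists, is validly signed, and is allowed by the effective AppLocker policy. The SsmsPath parameter and the PSMShadowUsers group name are assumptions; adjust them to your environment.

```powershell
# Added example (not CyberArk code). Run in an elevated PowerShell session
# on the PSM server after PSMConfigureAppLocker.ps1 has completed.
param(
    # Assumption: the path you set in ClientApp / ClientInstallationPath.
    [Parameter(Mandatory = $true)] [string] $SsmsPath,
    # Assumption: local group that holds the PSM shadow users.
    [string] $ShadowGroup = 'PSMShadowUsers'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SsmsPath -PathType Leaf)) {
    throw "No file at '$SsmsPath'. Correct the path in the connection component."
}

$problems = @()

# AppLocker rules are only enforced while the Application Identity service runs.
$appId = Get-Service -Name AppIDSvc
if ($appId.Status -ne 'Running') {
    $problems += "AppIDSvc is $($appId.Status); AppLocker is not enforcing rules."
}

# A publisher-based rule can only match a file with a valid signature.
$sig = Get-AuthenticodeSignature -FilePath $SsmsPath
if ($sig.Status -ne 'Valid') {
    $problems += "Authenticode signature status is $($sig.Status)."
}

# Evaluate the effective policy the way it applies to the shadow users.
$decision = Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $SsmsPath -User $ShadowGroup
if ($decision.PolicyDecision -ne 'Allowed') {
    $problems += "AppLocker decision for $ShadowGroup is $($decision.PolicyDecision)."
}

# Summary object: an empty Problems list means all three checks passed.
[pscustomobject]@{
    SsmsPath       = $SsmsPath
    FileVersion    = (Get-Item -LiteralPath $SsmsPath).VersionInfo.FileVersion
    Signer         = $sig.SignerCertificate.Subject
    PolicyDecision = $decision.PolicyDecision
    MatchingRule   = $decision.MatchingRule
    Problems       = $problems
}
```

A PolicyDecision of DeniedByDefault means no rule covers that path, so check the SSMS path used in PSMConfigureAppLocker.xml and rerun the script from step 2.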
4. Configure Safe, Platform and Account
4.1 Duplicate the built-in Microsoft SQL Server platform template
4.2 Create a new safe, or skip this step and use an existing safe
4.3 Add a new account that uses the newly duplicated MS SQL Server platform. Most of the settings are optional; you can add that information as needed. Here is my example: