The interview question that trips up 70% of candidates
Senior PAM interview: "With PSM in place, where does the privileged password go, and what network route does the user have to the target?"
Wrong answers: "PSM shows the password in a vault popup", "the user RDPs directly and PSM just logs it". Right answer: the user gets no password and no direct route. The user's RDP client terminates at the PSM server. PSM (via the PSMGW user) fetches the target credential from the Vault over TCP 1858, injects it into the connection component on the PSM box itself, and the user sees only the resulting session screen. That is the entire security model: no-credential-exposure + no-direct-path. Nail this and you have already passed the PSM section of PAM-DEF.
🏛 The government-office counter analogy
In a sarkari office you cannot walk into the officer's cabin and pull a file off the rack yourself. You submit your request at the counter. The peon retrieves the file from the rack, places it on the officer's desk, and you speak through the glass partition. You never touched the rack, never saw the filing system, and the register logs your visit. PSM is that counter. You raise a request in PVWA, PSM fetches the credential from the Vault rack over port 1858, injects it into the session, and you interact only with the screen — never the password, never a direct path to the server. The session recording is the register entry, and unlike a paper register, it is video.
4 things you'll be tested on before we begin
The user's RDP/SSH client terminates at PSM, never the target. There is no network route from the operator's machine to production. So what: compromise the laptop, you still can't reach the server.
PSM fetches the password/SSH key from the Vault server-side and types it into the connection for you. So what: the human never sees, copies or stores the secret — phishing the operator yields nothing.
Every session is recorded as AVI video + keystroke text, uploaded by PSMApp to the PSMRecordings Safe on disconnect. So what: the auditor gets tamper-proof video, not just a login line.
An auditor can shadow a running session via PSMAdminConnect and suspend or kill it. So what: a rogue export is stopped mid-flight, not discovered next morning.
① PSM — the RDP jump proxy where the password vanishes
PSM runs on Windows Server with Remote Desktop Services licensing. Users reach it over TCP 3389 (native RDP) or TCP 443 (the HTML5 Gateway, Apache Guacamole under the hood). The connection terminates at PSM. From there, a connection component — PSM-RDP, PSM-SSH, PSM-SQLPlus, AWS-CloudConsole and others — defines how PSM launches the app and injects the credential.
Sneha, a PAM engineer at a Mumbai private bank, must give a 50-person vendor team 3 days of access to production Windows servers. Direct RDP with a shared admin password would mean 50 people holding the secret forever. Instead she puts the accounts behind PSM. Vendors connect to 172.16.40.12:3389 (the PSM server), PSM injects the admin credential server-side, and on day 4 access simply expires — no password rotation needed on the vendor side, because they never held it.
Isolation architecture — the DMZ jump vs the flat-network shortcut
The whole point collapses if the operator's subnet can still route to production. In a hardened design, PSM sits in a jump tier; firewall rules permit operators → PSM and PSM → targets, but not operators → targets. Compare that to the flat-network anti-pattern, where everyone can RDP/SSH straight to production and PSM is optional.
🏛️ Screen recreated for clarity: PVWA → Accounts → [account] → Connect. Your console matches this layout.
② PSMP — the SSH proxy for Unix/Linux, with the four-@ string
PSM is Windows-based. For Unix/Linux SSH, CyberArk ships PSMP, installed on Red Hat or Ubuntu and listening on port 22. You connect with a transparent connection string whose @ delimiters separate Vault user, target account, target host and the PSMP proxy. PSMP pulls the password or SSH key from the Vault invisibly and logs you in — you never type or see it.
Karthik, an SRE at a Pune fintech, needs root on db-prod-01.corp.local. He never asks for the password. He runs one SSH command through PSMP at psmp.corp.local. PSMP authenticates to the target with the Vault-stored key, and the banner reminds him the session is recorded.
```text
ssh adm_karthik@root@db-prod-01.corp.local@psmp.corp.local

CyberArk Privileged Session Manager SSH Proxy
You are connecting to: db-prod-01.corp.local as root
This session is being recorded.
Last login: Fri May 30 23:11:04 2025 from 10.10.5.22
[root@db-prod-01 ~]#
```
Pause & Predict: In the PSMP string adm_karthik@root@db-prod-01.corp.local@psmp.corp.local, what does the first field represent?
adm_karthik is the Vault user, the identity Karthik authenticates to PSMP with. The second field (root) is the account you want on the target, the third is the target host and the fourth is the PSMP proxy. The password is never in the string — PSMP fetches it from the Vault.
Pause & Predict: Karthik runs PSMP on Red Hat / Ubuntu listening on port 22. If PSM is Windows-only, why can't he just point his SSH client at the PSM server instead of standing up a separate PSMP box?
PSM is an RDP jump host: operators reach it with an RDP client on 3389 or the HTML5 Gateway on 443, and a Windows connection component launches the session from there. A native SSH client has nothing to connect to on PSM. PSMP is the Linux-side proxy that does accept SSH on port 22: it parses the four-@ transparent string, pulls the password or SSH key from the Vault over 1858, and logs Karthik in — so he never types or sees the secret.
③ Session recording — the auditor's evidence chain
Every PSM/PSMP session is recorded twice: AVI video of the screen and a text log of keystrokes/commands, plus searchable metadata (who, source IP, target account, duration, commands). Recordings stage in a local temp folder on the PSM server during the session, then on disconnect the PSMApp user uploads them to the PSMRecordings Safe in the Vault, encrypted and compressed. Files over 2 GB split into parts named session_id.vid.part_N. Plan for roughly 70 KB/min for text-only console sessions and 200 KB/min for GUI/RDP video.
Priya, a compliance manager at a Hyderabad NBFC, faces an RBI IS audit. The auditor wants video of every production-Oracle privileged login last quarter — 47 DBA sessions, in a tamper-proof format. Priya opens PVWA Recordings, filters by Safe (PSMRecordings-OracleProd), date range and protocol (PSM-SQLPlus). All 47 appear with full metadata. She exports the list as CSV and gives the auditor read-only PVWA access scoped to that Safe; he replays three high-risk sessions in the browser and confirms the keystroke log matches the video. Audit closes with no findings.
A financial-services firm ran PSM for 18 months without reviewing the PSMRecordings Safe quota. A long Oracle DBA session produced a 6-part AVI totalling 12 GB. When the Safe hit its Vault quota, ITATS426E fired silently — the session completed but no recording uploaded. The gap surfaced only during a PCI-DSS audit when the auditor asked for that exact video. Fix: alert on the PSM temp-folder disk, set Vault Safe quota alerts, and forward PSMSR072E / PSMSV002E to SIEM. Silent recording loss is a compliance landmine.
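The "Fix" list above as working detection logic, added here as an example (not CyberArk's or the lesson's own tooling): it scans PSM log lines for the three codes the lesson says to forward to SIEM, and uses the lesson's sizing figures (70 KB/min text, 200 KB/min GUI, 2 GB part split) to warn before a running session outgrows the PSM temp disk or the Safe quota. The log layout and the session/safe field names are constructed assumptions, not the real PSM log format.

```python
import math
import re

KB, GB = 1024, 1024 ** 3
RATE_KB_PER_MIN = {"text": 70, "gui": 200}   # sizing figures quoted in the lesson
PART_LIMIT = 2 * GB                           # recordings above 2 GB are split into .vid.part_N
# Codes the lesson says to forward to SIEM; descriptions paraphrase the lesson, not CyberArk's text.
RECORDING_LOSS_CODES = {
    "ITATS426E": "PSMRecordings Safe hit its Vault quota; recording not uploaded",
    "PSMSR072E": "PSM recording error",
    "PSMSV002E": "PSM recording upload error",
}
CODE_RE = re.compile(r"\b([A-Z]{4,6}\d{3}E)\b")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Constructed sample log in an assumed "timestamp | message" layout (not the real PSM format).
SAMPLE_LOG = """\
2025-05-31 01:12:03 | session=8f2c-aa10 user=adm_karthik target=db-prod-01 recording started
2025-05-31 04:40:19 | ITATS426E session=8f2c-aa10 safe=PSMRecordings-OracleProd quota exceeded
2025-05-31 04:40:20 | PSMSV002E session=8f2c-aa10 upload of 8f2c-aa10.vid.part_3 failed
2025-05-31 04:41:02 | session=8f2c-aa10 disconnected, operator saw no error
"""

def scan_psm_log(text):
    """One alert per recording-loss line: (timestamp, code, session, meaning)."""
    alerts = []
    for line in text.splitlines():
        m = CODE_RE.search(line)
        if not m or m.group(1) not in RECORDING_LOSS_CODES:
            continue
        fields = dict(KV_RE.findall(line))
        ts = line.split(" | ", 1)[0]
        alerts.append((ts, m.group(1), fields.get("session", "?"), RECORDING_LOSS_CODES[m.group(1)]))
    return alerts

def recording_bytes(minutes, kind="gui"):
    """Expected size at the lesson's 70 KB/min (text) or 200 KB/min (GUI) rate."""
    return minutes * RATE_KB_PER_MIN[kind] * KB

def part_names(session_id, total_bytes):
    """Files the recording occupies in the Safe: one .vid, or .vid.part_N above 2 GB."""
    if total_bytes <= PART_LIMIT:
        return [f"{session_id}.vid"]
    parts = math.ceil(total_bytes / PART_LIMIT)
    return [f"{session_id}.vid.part_{i}" for i in range(1, parts + 1)]

def headroom_alerts(session_id, minutes, kind, temp_free_bytes, safe_free_bytes):
    """Warn before a running session outgrows the PSM temp disk or the Safe quota."""
    need = recording_bytes(minutes, kind)
    out = []
    if need > temp_free_bytes:
        out.append(f"{session_id}: PSM temp folder short by {need - temp_free_bytes} bytes")
    if need > safe_free_bytes:
        out.append(f"{session_id}: Safe quota short by {need - safe_free_bytes} bytes (ITATS426E risk)")
    return out
```

Feed `scan_psm_log` the PSM log tail from your collector and `headroom_alerts` the elapsed minutes of each active session; the 12 GB case above yields six part names.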
Pause & Predict — before you read on
Where does the recording live while the session is still running?
In a local temp folder on the PSM server. It is only uploaded to the Vault's PSMRecordings Safe on disconnect, by PSMApp. That is why local disk filling up causes silent upload failure even when the Vault quota is fine.
The 12 GB Oracle DBA recording from the case above: how was it stored?
It was split into parts at the 2 GB boundary — session_id.vid.part_1, part_2, part_3 and so on. Pre-14.4 environments needed the PSM codec on the auditor's workstation to replay later parts. Document this or the auditor cannot independently replay.
Which internal CyberArk user uploads the recording to the Vault?
PSMApp. Different from PSMGW (fetches the credential), PSMConnect (creates the local RDP desktop) and PSMAdminConnect (used by auditors to shadow live sessions). Knowing which internal user does what is core PAM-DEF material.
Pause & Predict: Your PSMRecordings Safe hits its Vault quota mid-session and throws ITATS426E. The operator's session still completes normally and they notice nothing. What exactly was lost, and why is that the most dangerous part?
The recording itself — AVI, keystroke log and metadata — for that session. Nothing blocked the operator, so the gap is invisible until an auditor asks for that exact video. Pre-size the Safe quota, alert on the PSM temp-folder disk, and forward ITATS426E / PSMSR072E / PSMSV002E to your SIEM.
④ Live monitoring, suspend & terminate — kill a rogue in real time
Authorized auditors in the CyberArk_Auditors group connect via PSMAdminConnect to shadow a live session as a silent observer. From there they can suspend (freeze the operator's input) or terminate (kill it outright). To enable this you must set AllowPSMNotifications=Yes and list the operators in the Terminating / Suspending Live Sessions groups. PTA can also auto-terminate on high-risk patterns — touching authorized_keys or sudoers on Unix, or launching AD management consoles on Windows.
Arjun, an L2 SOC analyst at a Chennai IT-services firm managing 200+ banking-client servers, gets a PTA alert at 01:17 AM: a DBA account that normally works 9-6 is mass-exporting the CUSTOMER_DATA table and spooling rows to \\fileserver\exports. Risk score 85/100. Arjun opens PVWA → Monitoring → Active Sessions, clicks Monitor to shadow it via PSMAdminConnect, and watches a SQL*Plus window spooling PII in real time. He clicks Terminate Session at 01:47 — only 40,000 of 900,000 rows had been exported. The AVI, keystroke log, source IP (10.45.12.88), Vault user, target account and every SQL command are preserved as tamper-proof evidence and handed to legal. Without PSM, the DBA would have hit the DB directly and the logs would show only a clean login.
▶ Watch a rogue session get terminated, second by second
PTA alert → SOC shadows the live session → operator clicks Terminate → evidence preserved. Step by step:
1. ora_admin connects via PSM to Oracle prod. Normal working hours are 9-6 — this is anomalous. PSM starts recording AVI + keystrokes.
2. SELECT * on CUSTOMER_DATA + spool to \\fileserver\exports. SOC dashboard fires "Suspicious activity in a privileged session".
3. Arjun looks up the sessionGuid, clicks Monitor → shadows via PSMAdminConnect. He sees the SQL*Plus window spooling PII live. The operator is unaware he is watched.
4. Terminate (POST /API/LiveSessions/{guid}/Terminate). The RDP session on PSM is killed instantly. Spool file holds only 40,000 of 900,000 rows.
5. Recording uploaded to the PSMRecordings Safe. AVI + keystroke log + source IP 10.45.12.88 + account + every command = tamper-proof exhibit for legal and HR.
The same two steps through the REST API (list live sessions, then terminate one):
```shell
curl -sk -X GET 'https://pvwa.corp.local/PasswordVault/API/LiveSessions?Limit=25' \
  -H 'Authorization: eyJhbGciOiJSUzI1NiIs...' -H 'Content-Type: application/json'
# grab sessionGuid, then:
curl -sk -X POST \
  'https://pvwa.corp.local/PasswordVault/API/LiveSessions/a3f1b2c4-d5e6-7890-abcd-ef1234567890/Terminate' \
  -H 'Authorization: eyJhbGciOiJSUzI1NiIs...' -H 'Content-Type: application/json'
```
Sample response to the GET:
```json
{"LiveSessions":[{"sessionGuid":"a3f1b2c4-d5e6-7890-abcd-ef1234567890",
"User":"adm_ramesh","AccountUsername":"root","Protocol":"SSH",
"FromIP":"10.10.2.55","Duration":1847,"PSMServerID":"PSM-PROD-01"}],"Total":1}
```
Response to the POST:
```text
HTTP/1.1 200 OK
{}
```
Pause & Predict: You shadow a live session and want to preserve it for forensic investigation while stopping further damage — not destroy it. Which control?
Suspend. It freezes the operator's input so nothing further is exported, while the session itself stays alive for investigation and its recording still lands in the PSMRecordings Safe for the auditor. Terminate kills the session outright.
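The two API calls above as a defender-side responder, added here as an example and not CyberArk's or the lesson's own tooling: it lists live sessions, matches the session named in a PTA alert by target account and source IP, and applies Suspend or Terminate according to a risk threshold. The PVWA host and the sample listing are the lesson's; the thresholds, the Suspend endpoint path (assumed to mirror the lesson's Terminate path) and the offline `fake_send` stand-in are assumptions.

```python
import json
from urllib import request

PVWA = "https://pvwa.corp.local/PasswordVault"   # PVWA base URL used in the lesson
SUSPEND_AT, TERMINATE_AT = 50, 80   # assumed SOC thresholds, not CyberArk defaults

def live_sessions_url(limit=25):
    return f"{PVWA}/API/LiveSessions?Limit={limit}"

def session_action_url(guid, action):
    # Terminate is the verb from the lesson; Suspend is assumed to follow the same path pattern.
    return f"{PVWA}/API/LiveSessions/{guid}/{action}"

def https_send(method, url, token, body=None):
    """Real transport. urllib verifies the PVWA certificate, unlike the lesson's curl -k."""
    req = request.Request(url, method=method, data=json.dumps(body).encode() if body else None)
    req.add_header("Authorization", token)
    req.add_header("Content-Type", "application/json")
    with request.urlopen(req) as resp:
        status, raw = resp.status, resp.read().decode()
    return status, (json.loads(raw) if raw.strip() else {})

def choose_action(risk_score):
    """Suspend preserves the live session for forensics; Terminate kills it outright."""
    if risk_score >= TERMINATE_AT:
        return "Terminate"
    if risk_score >= SUSPEND_AT:
        return "Suspend"
    return None

def find_session(listing, account, from_ip):
    """Pick the sessionGuid whose target account and source IP match the PTA alert."""
    for s in listing.get("LiveSessions", []):
        if s["AccountUsername"] == account and s["FromIP"] == from_ip:
            return s["sessionGuid"]
    return None

def respond_to_alert(account, from_ip, risk_score, token, send=https_send):
    """GET the live list, match the alert, POST the policy action. Returns (guid, action, status)."""
    status, listing = send("GET", live_sessions_url(), token)
    guid, action = find_session(listing, account, from_ip), choose_action(risk_score)
    if guid is None or action is None:
        return guid, action, status
    status, _ = send("POST", session_action_url(guid, action), token)
    return guid, action, status

# Constructed stand-in for PVWA that echoes the lesson's sample listing, so the flow runs offline.
SAMPLE_LISTING = {"LiveSessions": [{
    "sessionGuid": "a3f1b2c4-d5e6-7890-abcd-ef1234567890", "User": "adm_ramesh",
    "AccountUsername": "root", "Protocol": "SSH", "FromIP": "10.10.2.55",
    "Duration": 1847, "PSMServerID": "PSM-PROD-01"}], "Total": 1}

def fake_send(method, url, token, body=None):
    return (200, SAMPLE_LISTING) if method == "GET" and url == live_sessions_url() else (200, {})
```

Against a real PVWA, pass the session token you obtained at logon as `token` and leave `send` at its default; the caller must be in the Terminating / Suspending Live Sessions groups or the POST is refused.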
📹 Screen recreated for clarity: PVWA → Monitoring → Active Sessions. Your console matches this layout.
| User | Target | Protocol | Started | Duration | Actions |
|---|---|---|---|---|---|
| rahul.k | 10.20.4.10 | RDP | 14:32 | 00:12 | Suspend · Terminate |
| vendor-temp | 10.20.7.31 | SSH | 14:05 | 00:39 | Suspend · Terminate |
Pause & Predict: Arjun spots a DBA mass-exporting CUSTOMER_DATA at 01:17 AM with a PTA risk score of 85/100. He shadows it via PSMAdminConnect, then clicks Terminate Session at 01:47. Beyond stopping the export, what does PSM give legal that a direct database login never could?
The AVI recording, the keystroke log, the source IP (10.45.12.88), the Vault user, the target account and every SQL command — all uploaded to the PSMRecordings Safe. A direct DB login would have shown only a clean login line in the DB logs. PSM also let him terminate in real time (only 40,000 of 900,000 rows leaked) instead of discovering the breach the next morning.
Pause & Predict: PTA detects a live SSH session editing /etc/sudoers on a production Linux box and the risk score crosses the threshold. With PTA auto-response configured, what happens without a human clicking anything?
PTA terminates the session automatically. It is configured to respond to high-risk patterns — touching sudoers / authorized_keys on Unix or launching AD consoles on Windows — with no human in the loop. (b) is wrong: a manual click is one path, not the only one. (c) destroys evidence — the opposite of intent. (d) rebooting kills all sessions and loses staged recordings, so PTA never does that.
⑤ Connection components & the Universal Connector — one model, any app
A connection component is the plug-in that tells PSM how to launch and authenticate a specific app. Built-ins cover PSM-RDP, PSM-SSH, PSM-SQLPlus (Oracle), PSM-WinSCP, PSM-WebApp, AWS-CloudConsole (via STS) and Azure-CloudConsole. For anything bespoke, the Universal Connector wraps an AutoIt-compiled EXE that automates the app's login while PSM records and monitors transparently. From v13.0, WebApp connectors inject TOTP via the &MfaCode& placeholder — the MFA secret lives in a linked Vault account, so the code is generated server-side with no user involvement.
Aditya, a PAM admin at a Bengaluru product company, must add a bespoke Java trading app to PSM across all 5 PSM servers. He does not log into each box. He uploads the compiled AutoIt EXE package to the PSMUniversalConnectors Safe in the Vault. Every PSM server auto-downloads and deploys it at the next configuration refresh. One upload, five servers, zero manual installs.
A large infrastructure team found that every SSH session via PSM hung at the splash screen for one specific engineer while everyone else was fine. Root cause: that engineer's PSMShadow profile on the PSM server had become corrupted (a known risk when PSM is rebooted mid-session). Each non-Windows connection gets its own shadow profile, so only that user broke. Fix: delete and recreate the corrupted PSMShadow profile from the PSM server's local user manager, and enable profile cleanup on disconnect.
The 5 mistakes that cost L1/L2 candidates the interview
Sessions complete but recordings silently fail to upload (ITATS426E). Pre-size the Safe quota, alert on PSM temp-disk, forward PSMSR072E to SIEM.
Clock drift beyond the Vault's tolerance: the Vault rejects the component on port 1858 (ITATS211E), often days after a clean install. Use one NTP source for the Vault and every component.
The Terminate button does nothing if AllowPSMNotifications=Yes isn't set and the operator isn't in the Terminating group. Configure it before the incident, not during.
Old bundled PuTTY + NIST P-521 ECDSA = recoverable private key. Upgrade PSMSSHClient to PuTTY 0.81+; prefer Ed25519/RSA.
Connector drift and broken parity between PSM servers. Upload AutoIt EXEs once to the PSMUniversalConnectors Safe; all PSM servers deploy them automatically at config refresh.
Lock it in — explain, choose a lane, teach a friend
In your own words: "Why can't an attacker who fully compromises an operator's laptop reach the production server or steal the privileged password through PSM?" Say it out loud before the quiz. If you can't, re-read section ① — the answer is no direct path + server-side credential injection.
Lane A — Builder: spin up a lab, install PSMP on RHEL (rpm -ivh CARKpsmp-14.2.0.x86_64.rpm → psmp_setup.sh --finalize), and connect with the four-@ string. Lane B — Auditor: practise the evidence workflow — filter PVWA Recordings by Safe/date/protocol and replay a session as a read-only auditor. Pick one and do it this week.
"PSM is the office counter: you never touch the file rack (the password) and you never enter the cabin (the server) — the counter does it for you, on camera, and security can pull you out mid-visit."
Re-open this lesson in 3 days and again in 10 days, and each time recall (without scrolling): the four-@ PSMP order, what ITATS426E and ITATS211E mean, and which internal user uploads recordings. Set a calendar nudge now — spacing is what moves this into long-term memory before your exam.
📝 Check your understanding — 10 questions, 70% to pass
Scenario-based, Bloom-tiered. Pick one answer each.
Which TCP port does the CyberArk Digital Vault use for communication with PSM, PSMP, CPM and PVWA?
Priya needs root on db-prod-01.corp.local via PSMP using Vault username adm_priya through psmp.corp.local. Which command is correct?
Arjun must stop a running PSM session where a file export is in progress, without waiting for it to end. Which PVWA path and action?
Aditya must deploy a custom connector for a bespoke Java app across all 5 PSM servers without touching each box. What's the correct method?
After a PSM session ends, the recording is missing from PVWA and PSM logs show ITATS426E. Root cause and first two areas to investigate?
A PSMP server throws ITATS211E authorization errors three days after a clean install that worked initially, with no config changes. Most probable infrastructure root cause?
Trace the internal CyberArk users from when the operator clicks Connect in PVWA to when the recording lands in the Vault.
CVE-2024-31497 affects PuTTY bundled in PSM's PSMSSHClient. Under what conditions is a deployment vulnerable, and which key types are NOT affected?
A security architect proposes PSM with Dual Control for a 50-person vendor team needing 3 days on production Windows, versus shared direct RDP. Evaluate the key security properties PSM adds.
An IT director argues that since all Linux admins use SSH keys with no shared passwords, PSMP adds no value. Evaluate this argument.
Next up — CyberArk PVWA & Just-in-Time
Now sessions are isolated, recorded and killable. Next: the request → approve → checkout → checkin workflow in PVWA — Dual Control, exclusive access, and Just-in-Time so a credential exists only while it's needed.
Sources cited inline
- CyberArk PAM Self-Hosted — Privileged Session Manager (Introduction)
- CyberArk — Introduction to PSM for SSH (PSMP)
- CyberArk — Active Session Monitoring in PSM
- NVD — CVE-2024-31497 (PuTTY ECDSA P-521 nonce bias)
- SecApps Learning — PSM Session Management Complete Guide
- SecApps Learning — PSM for SSH Installation Guide 2026
- CyberArk PAM-DEF / PAM-SEN Exam Blueprint
- YuenX (2025) — CyberArk PAM & PSM Architecture