CPC-CDE-RECERT CyberArk CDE-CPC Recertification Free Practice Exam Questions (2026 Updated)

In the Shared Services (ISPSS) model, directory services (AD/LDAP) are integrated through CyberArk Identity / Identity Administration using the Identity Connector, which enables secure communication between Identity Administration and the customer’s AD/LDAP. This aligns with C.

For LDAPS, CyberArk states LDAP communicates with the Identity Connector over TLS/SSL (port 636) and that, during the handshake, the LDAP server presents an X.509 certificate; therefore the machine running the Identity Connector must trust the issuing CA/cert chain. This is exactly D.

Why the other options are not correct for Shared Services:

A describes the Privilege Cloud Portal LDAP mapping UI used in the Privilege Cloud Standard LDAP integration flow (User Provisioning > LDAP Integration), not the Shared Services Identity Administration directory service integration path.

B “Secure Tunnel required” is a requirement called out for connecting LDAP in the Privilege Cloud Standard flow (CyberArk Support defines the secure tunnel), but Shared Services LDAP/AD authentication is handled via the Identity Connector model.

E is not a Shared Services requirement; the trust is established on the connector machine (D), not by sending the CA cert to CyberArk Support.

In Privilege Cloud, each Safe controls its own retention policy for account/password objects. CyberArk documentation states that when retention is set by Number of days, the default retention is 7 days.

CyberArk’s official guidance for restricting a platform to specific Safes is to set the AllowedSafes platform parameter in the General section of the platform under Automatic Password Management.

AllowedSafes uses a regular expression to match Safe names, which is why a pattern such as (WINDEMEA)|(WINDEMEA_ADMIN) is used to allow exactly those two Safe names.

The correct statement about using the AllowedSafes platform parameter is that it prevents the Central Policy Manager (CPM) from scanning all safes, restricting it to scan only safes that match the AllowedSafes configuration. This parameter is crucial in large-scale deployments where efficiency and resource management are key. By specifying which safes the CPM should manage, unnecessary scanning of irrelevant safes is avoided, thus optimizing the CPM's performance and reducing the load on the CyberArk environment. This configuration can be found in the platform management section of the CyberArk documentation.

CyberArk’s “Before you install PSM for SSH (Standard)” prerequisites include:

Verify public access: “Verify that outbound traffic from the PSM for SSH server is always routed through the same public-facing IP.” This directly supports C.

Create the PSM for SSH parameters file: The parameters file is required for the installation process, and the documentation specifies InstallCyberArkSSHD = Integrated as a mandatory parameter value. This supports A (with the corrected value “Integrated”).

Why the other options are not “installation prerequisites” as written:

B: CyberArk documents that after installation, the root user will not be able to authenticate remotely using a password (security behavior), not as a prerequisite step to perform before installation.

D: The docs mention you can use a different administrative/maintenance user, but it is not listed as a required prerequisite in the “Before you install” checklist.

E: Resetting the root password is not listed as a prerequisite in the Privilege Cloud “Before you install PSM for SSH (Standard)” documentation.

For a Privilege Session Manager (PSM) server, the network requirements primarily focus on its ability to interact with target systems securely and efficiently. The most accurate statement regarding these requirements is:

It must reach the target system using its native protocols (Option A). This is essential for the PSM to manage sessions effectively, as it needs to communicate using the protocols that the target systems are configured to accept, such as SSH for Linux servers or RDP for Windows servers.

In the Privilege Cloud Installer (Standard) procedure, the Connector installer explicitly prompts you to select which components you want to install: “CPM/PSM/Both.”

That means the installation package supports installing:

PSM (Windows connector)

CPM

Why the other options are not correct for this installer package:

C (Secure Tunnel) is treated as a separate component (downloaded as a Secure Tunnel Client Installer package), not one of the “CPM/PSM/Both” choices in the Connector installer step.

D (CCP) is not listed as an installable component in the Privilege Cloud Connector installer flow shown in the official procedure.

E (PSM for SSH) is selected/downloaded as a separate component to support UNIX/Linux, not installed via the Connector installer’s “CPM/PSM/Both” selection.

CyberArk’s Privilege Cloud SAML configuration documentation explicitly states: Privilege Cloud supports only one assertion and instructs you to ensure only one assertion is configured in the IdP.

CyberArk’s hardening guidance is explicitly organized by whether the servers are In Domain or Out of Domain (for example, PSM hardening guidelines and tasks reference both deployment types, and CPM has separate “hardening in domain” guidance). Therefore, the deployment criterion that drives the hardening method/package is In Domain vs Out of Domain.

For LDAP integration with CyberArk Privilege Cloud Standard, the correct statement is that only the Issuing CA certificate is required for certificate trust to your directory server. This setup simplifies the process of establishing a trusted connection between CyberArk and the LDAP server by necessitating only the certification of the issuing Certificate Authority (CA), rather than needing multiple certificates from different levels of the trust chain. This approach ensures that the SSL/TLS communication between CyberArk and the LDAP server is secured based on the trust of the issuing CA’s certificate.

The sshd_config file is the correct configuration file that must be updated to define maintenance users for administering the Privilege Cloud PSM for SSH connector. This file contains configurations for the SSH daemon, including user permissions and group settings. When adding maintenance users, their user accounts are created on the PSM server, and then they are added to the AllowGroups parameter within the sshd_config file to grant them the necessary permissions.

PSM for SSH supports various authentication methods, specifically focusing on secure and verified access mechanisms. The supported methods include:

RADIUS (D): Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. PSM for SSH utilizes RADIUS to authenticate SSH sessions, which adds an additional layer of security by centralizing authentication requests to a RADIUS server.

Client Authentication Certificate (E): This method uses certificates for authentication, where a client presents a certificate that the server verifies against known trusted certificates. This type of authentication is highly secure as it ensures that both parties involved in the communication are precisely who they claim to be, making it suitable for environments that require stringent security measures.

These methods provide robust security options for SSH sessions managed through CyberArk's PSM, ensuring that only authorized users can access critical systems.

CyberArk defines MaxConcurrentConnections as: “The maximum number of connections that can be opened between the Central Policy Manager and the remote machine where the passwords are replaced.”

That is exactly option A.

When deploying a CyberArk Identity Connector to integrate Privilege Cloud Shared Services with an Active Directory environment, the server hosting the Identity Connector must meet specific requirements to ensure proper integration and functionality. The necessary condition is:

The Identity Connector Server must be joined to the Active Directory (Option A). This requirement ensures that the server can communicate effectively with the Active Directory services and manage identity data securely and efficiently. Being part of the Active Directory domain facilitates authentication and authorization processes required for the connector to function correctly.

CyberArk’s official connector guidance (CyberArk Identity / Identity Administration—used with Privilege Cloud Shared Services for AD user authentication) says that for trusted domains in a single forest, you use this model when the domain controllers have a two-way, transitive trust relationship with the domain controller the connector is joined to.

It also clarifies that a single connector can be used for the entire domain tree or forest in that trusted-domain model, and authentication requests are handled according to AD trust relationships within the forest/tree.

https://docs.cyberark.com/identity/latest/en/content/coreservices/connector/userauthmultdomain.htm

CyberArk’s Privilege Cloud Standard SAML configuration documentation states that, before using SAML, users must already be defined in Privilege Cloud and provides two supported methods:

Integrate with your LDAP server (recommended) → this provisions users into Privilege Cloud. (Answer A)

Create CyberArk users in Privilege Cloud with identical details as the users who will access via SAML. (Answer D)

The other options are not valid “user definition” methods for this requirement:

SIEM and Email system integrations don’t define users in Privilege Cloud.

E is not a supported/customer method in Privilege Cloud Standard documentation (and Privilege Cloud is a managed service; you don’t create users by directly manipulating the service database).

The basic network requirements to deploy a CyberArk Privilege Management Central Policy Manager (CPM) server include Port 1858 to the Privilege Cloud Vault service backend and Port 443 to the Privilege Cloud Portal. Port 1858 is necessary for communication with the CyberArk Vault, facilitating essential interactions like password retrieval and updates. Port 443 is required for secure web traffic to and from the Privilege Cloud Portal, ensuring that all management tasks performed through the web interface are secure and encrypted. These ports must be properly configured to allow for the efficient and secure operation of the CPM within the Privilege Cloud infrastructure.