Install the Central Credential Provider (CCP)
This section describes how to install and configure the CCP.
Installation and configuration comprise several stages that you must complete before you can use the CCP web services to retrieve passwords.
- Install the Credential Provider for Windows.
- Install the CCP Web Service.
- Deploy applications.
Installation
First you install the Credential Provider for Windows, and then the CCP web services.
Step 1: Prerequisites
- To authenticate applications using Windows domain users, the Central Credential Provider must be in the same domain as the requesting application machines. Alternatively, the requesting application domain must be trusted by the Central Credential Provider domain. For more information about authenticating applications with the Windows domain users, refer to Application authentication methods.
- During the Credential Provider installation, the following prerequisite is automatically installed:
  - Visual C++ 2019 Redistributable Package (x86 and x64)
- Make sure Windows has IIS 10 installed and supports IIS 6.0 compatibility mode.
  - On the Windows IIS machine, open the Server Manager.
  - In the Web Server (IIS), select Role Services.
  - Verify that IIS 6 Management Compatibility and IIS 6 Management Compatibility > IIS 6 Metabase Compatibility (or IIS Metabase and IIS 6 configuration compatibility) are selected.
  - Under Application Development, ensure that the following are installed:
    - .NET Extensibility 4.x (according to your .NET Framework). For details, see Verify .NET Framework version.
    - ASP
    - ASP.NET 4.x (according to your .NET Framework)
    - ISAPI Extensions
    - ISAPI Filters
- Prepare locations on the CCP machine from which to run the Credential Provider for Windows and CCP Web Services installations:
  - Create a new folder called Central Credential Provider.
  - In the Central Credential Provider folder, create the following subfolders:
    - Windows
    - Central Credential Provider Web Service
- If CCP is set behind a load balancer, set one of the following options:
  - Define the load balancer as a Transparent Proxy to preserve the source IP of the originator.
  - Set the load balancer to attach the X-Forwarded-For header to the routed packets with the specification of the original source IP. This should be done in CCP as well.
  These steps are necessary for better auditing and to get the actual IPs. For more information, see Load balancing the CCP.
- Install the Credential Provider for Windows as described in Install the Credential Provider on Windows.
As a best practice, privileged users should always access the Credential Providers server through a PSM server so that their sessions can be recorded and monitored. It is not recommended to allow privileged users direct access to a Credential Provider server.
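A quick way to confirm the IIS role services from Step 1 before running the installers, as an added example that is not part of the original documentation. It assumes Windows Server with the ServerManager module available; the feature names are the standard Windows Server identifiers for the role services listed above.

```powershell
# Added example: check the IIS role services that Step 1 lists as prerequisites.
# Assumption: run on the CCP machine (Windows Server) in an elevated session.
Import-Module ServerManager

# Windows feature name -> role service as named in Step 1
$required = [ordered]@{
    'Web-Mgmt-Compat'  = 'IIS 6 Management Compatibility'
    'Web-Metabase'     = 'IIS 6 Metabase Compatibility'
    'Web-Net-Ext45'    = '.NET Extensibility 4.x'
    'Web-ASP'          = 'ASP'
    'Web-Asp-Net45'    = 'ASP.NET 4.x'
    'Web-ISAPI-Ext'    = 'ISAPI Extensions'
    'Web-ISAPI-Filter' = 'ISAPI Filters'
}

$report = foreach ($name in $required.Keys) {
    $feature = Get-WindowsFeature -Name $name
    [pscustomobject]@{
        Feature     = $name
        RoleService = $required[$name]
        Installed   = [bool]($feature -and $feature.Installed)
    }
}
$report | Format-Table -AutoSize

# Report anything missing instead of installing silently, so the change is reviewed.
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ('Missing role services: ' + ($missing.Feature -join ', '))
    Write-Output  'Install them with: Install-WindowsFeature -Name <feature name>'
}
else {
    Write-Output 'All IIS role services required for the CCP web service are installed.'
}
```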
Step 2: Install the CCP web service
The CCP web service must be installed using the same installation packages as the Credential Provider.
- Copy the content from the installation package's \Central Credential Provider\Central Credential Provider Web Service folder into the local \Central Credential Provider\Central Credential Provider Web Service folder that you created above.
- Run the CCP installation:
  Interactive installation
  - In the local Central Credential Provider\Central Credential Provider Web Service folder, double-click AIMWebService.msi.
  - In the AIMWebService Setup window that opens, click Next to start the installation procedure.
  - In the Select Installation Address page, accept the default location (C:\inetpub\wwwroot\AIMWebService) or provide the details for a different destination. Click Next.
  - In the Confirm Installation window, click Next to start the installation.
  - When the installation is finished, click Close to complete the Secrets Manager middle tier web service installation.
  Silent installation
  On the CCP machine, open CMD as Administrator and run the following command:
  msiexec.exe /i "<CCP Install Path>\AIMWebService.msi" /qn
- If you installed CCP on a hardened PVWA, in the web.config file (C:\inetpub\wwwroot\web.config), change the httpRedirect parameter from enabled="true" to enabled="false".
  The HTTP Redirect setting must be disabled when installing CCP on a hardened PVWA, so that the CCP can be called without redirecting to PVWA.
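The httpRedirect change described above, scripted so that the current value is checked first and a backup of the file is kept (an added example, not CyberArk's own tooling). It assumes an elevated PowerShell session and that the httpRedirect element sits under system.webServer in the file named above; the backup file name is a constructed convention.

```powershell
# Added example: disable httpRedirect in the root web.config of a hardened PVWA.
$configPath = 'C:\inetpub\wwwroot\web.config'   # path given on this page

$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true               # keep the file's layout on save
$config.Load($configPath)

# Matches the element whether or not it is wrapped in a <location> block.
$redirect = $config.SelectSingleNode('//system.webServer/httpRedirect')

if ($null -eq $redirect) {
    Write-Output 'No httpRedirect element found; nothing to change.'
}
elseif ($redirect.GetAttribute('enabled') -ieq 'true') {
    # Timestamped copy (constructed naming) so the hardened setting can be
    # compared or restored later.
    $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $configPath, (Get-Date)
    Copy-Item -LiteralPath $configPath -Destination $backup

    $redirect.SetAttribute('enabled', 'false')
    $config.Save($configPath)

    # Re-read the file from disk to confirm what IIS will actually load.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($configPath)
    $value = $check.SelectSingleNode('//system.webServer/httpRedirect').GetAttribute('enabled')
    Write-Output ('httpRedirect is now enabled="{0}"; backup saved to {1}' -f $value, $backup)
}
else {
    Write-Output ('httpRedirect is already enabled="{0}"; no change made.' -f $redirect.GetAttribute('enabled'))
}
```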
Continue with Post installation below.
Post installation
After installing the CCP web services, do the following post installation tasks.
In your browser, enter the following URL:
http://<your machine>/AIMWebService/V1.1/AIM.asmx
The AIMService window opens and displays the available CCP Web Service functions.
In the PVWA / Privilege Cloud portal, define the internal application that the web service will use to access the Credential Provider.
For details, see Define the Central Credential Provider web service.
Define your applications in the Vault / Privilege Cloud and manage their passwords. After that, you can run the CCP web services to retrieve application passwords.
For more information, see Manage applications.
You can load balance the CCP for increased performance and availability. For more information, see Load balance the Central Credential Provider.
You can configure the CCP web service to work with several different security configurations and authentication methods concurrently.
For details, see Multiple security configurations and authentication methods for the Central Credential Provider web service.