Digital Vault Server
|
CyberArk may choose not to provide maintenance and support services for the CyberArk Digital Vault Server with relation to any of the platforms and systems listed below which have reached their formal End-of-Life date, as published by their respective vendors from time to time. For more details, contact your CyberArk support representative. |
Minimum requirements
The Digital Vault server requires an Intel Pentium IV (or compatible) processor or later.
To ensure maximum protection for the sensitive data inside the Digital Vault Server, the server is designed to be installed on a dedicated computer in a clean environment with a supported .NET framework that does not have any additional software installed on it.
Supported platforms
The Digital Vault server is currently supported on the following platforms:
Windows Server 2019
Editions
|
If you are using the German or Japanese Edition, see Multi-language requirements. |
-
Standard English and Datacenter English Editions
-
German Edition
-
Japanese Edition
CyberArk Architectures
|
Distributed Vaults and Cloud deployments are not supported. |
-
Standalone Vault
-
Primary-DR
-
Cluster Vault
Windows Server 2016
Editions
|
If you are using the German or Japanese Edition, see Multi-language requirements. |
-
Standard English and Datacenter English Editions
-
German Edition
-
Japanese Edition
CyberArk Architectures
-
Standalone Vault
-
Primary-DR
-
Cluster Vault
-
Distributed Vaults
-
Cluster Distributed Vaults
-
Cloud deployment
Windows Server 2012R2
Editions
|
If you are using the German or Japanese Edition, see Multi-language requirements. |
-
Standard English Edition
-
German Edition
-
Japanese Edition
CyberArk Architectures
-
Standalone Vault
-
Primary-DR
-
Cluster Vault
-
Distributed Vaults
-
Cluster Distributed Vaults
Software requirements
- For servers running Windows Server 2012R2, you must install Windows update KB2919335
- Contact your CyberArk support representative for the most recent supported Windows Server service pack requirements.
- Microsoft Visual C++ Redistributable for Visual Studio 2015-2019
- .NET Framework 4.8 Runtime
|
Multi-language requirements
The Digital Vault server supports the following language requirements:
-
ASCII encoding
Unicode is not supported.
-
English and one additional language using the operating system Locale
Use only alpha-numeric characters in the following areas:
-
All installation paths
-
PKI and Radius authentication configuration
-
The following objects:
-
Users
-
Groups
-
Safes
-
Safe objects
-
Platform names
-
-
Vault utilities such as CAVaultManager and CACert
Certificate requirements
- The entire certificate chain (root, subordinate/intermediate, server) requires a Base-64 encoded X.509 SSL certificate
- Configuration of both the server authentication and client authentication Enhanced Key Usage values
- The following list of Signature Algorithm are not supported:
- RSASSA-PSS
- ECDSA
- To use Session Management in Distributed Vaults, Subordinate or Intermediate certificates cannot be used for the Vault
HSM requirements
- Key generation on HSM requires Network HSM, and all the Vaults in the environment must have access to the HSM server to retrieve the keys.
- When loading an existing key to HSM, you can use either a Network HSM or a local HSM on each Vault machine.
- The recovery private key (recprv.key) is required for this procedure.
- Backup the Vaults to prevent data loss if an issue occurs during data encryption.
- The HSM appliance must expose a client side PKCS#11 interface (a *.dll file). A 64bit DLL must be used.
- The HSM must have at least one slot that fulfills the following:
Slot flags:
Flag
Description
CKF_HW_SLOT
hardware slot
CKF_TOKEN_PRESENT
token is present in the slot
CKF_RNG
random number generation is supported
The slot mechanism must have the following flags:
Flag
Description
CKF_HW encryption is done in-hardware CKF_ENCRYPT has encryption capability CKF_DECRYPT has decryption capability CKF_GENERATE
mechanism supports key generation
- The HSM must support AES-256 encryption in ECB and CBC modes (this is part of the supported slot mechanisms).
- The following HSM functions are relevant for the CyberArk Vault.
|
Function |
Mandatory |
|---|---|
| C_GenerateKey | Yes |
| C_EncryptInit | Yes |
| C_Encrypt | Yes |
| C_UnwrapKey | Yes |
| C_FindObjectsInit | Yes |
| C_FindObjects | Yes |
| C_GetAttributeValue | Yes |
| C_FindObjectsFinal | Yes |
| C_DecryptInit | Yes |
| C_Decrypt | Yes |
| C_Logout | Yes |
| C_CloseSession | Yes |
| C_Finalize | Yes |
| C_OpenSession | Yes |
| C_Initialize | Yes |
| C_GetSlotList | Yes |
| C_GetSlotInfo | Yes |
| C_GetTokenInfo | Yes |
| C_GetMechanismInfo | Yes |
| C_Login | Yes |
| C_CreateObject | Yes |
| C_GenerateKeyPair | Yes |
| C_GetFunctionList | Yes |
| C_GenerateRandom | Yes |
| C_DestroyObject | No |
|
Contact your HSM vendor to verify that the HSM capabilities are aligned with the requirements. |
Supported LDAP directories
The Privileged Access Manager - Self-Hosted solution provides standard LDAP v3 support and has been tested and certified with the following directories.
|
Directory |
Platforms |
|---|---|
|
MS Active-Directory – Each of the following platforms is supported with its corresponding functional level: |
|
|
Sun One v5.2 |
|
|
IBM Tivoli Directory Server v6.0 |
|
|
Novell eDirectory v8.7.1 |
|
|
Oracle Internet Directory v10.1.4 |
|
This list may be updated frequently as additional directories are certified. Please contact CyberArk Customer Support for information about additional directories that are not mentioned in the list above.
Supported cipher suites
syslog servers
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
AES256-SHA256
AES128-SHA256
SMTP over TLS
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
AES256-SHA256
AES128-SHA256
Supported protocols
-
RDP Client v5.2 and higher (for installing the Digital Vault using RDP)
Supported performance configurations
Below are the maximum number of supported components and the maximum number of accounts per component for Primary-DR and Distributed Vaults architectures.
Exceeding the supported configuration may result in degradation and instability of the Vault performance.
Secrets Manager components
To make sure that you are following security and deployment best practices, see Configuration considerations for Secrets Manager applications with the Vault.
Credential Providers /CCP
-
Maximum supported components per environment: 6K
-
Maximum supported accounts for each component user: 10K
The supported configuration requires cache capability to be enabled. Disabling the cache may result in degradation and instability of the Vault performance.
Vault Synchronizer
-
Maximum supported components per environment: 10
-
Maximum supported accounts for each component user: 20K
Distributed Vaults compatibility
|
Client |
Compatible versions |
|---|---|
|
Credentials Provider |
9.7 or later |
|
ExportVaultData utility |
9.8 or later |
|
PAReplicate utility |
9.8 or later |
|
PVWA |
11.1 or later |
|
PSM |
11.1 or later |
|
PSMP |
11.1 or later |
All other clients can only run on a Primary Vault.
|
Client |
Compatible versions |
|---|---|
|
Credentials Provider |
9.7 or later |
|
ExportVaultData utility |
9.8 or later |
|
PAReplicate utility |
9.8 or later |
All other clients can only run on a Primary Vault.
