Digital Vault Server

 

CyberArk may choose not to provide maintenance and support services for the CyberArk Digital Vault Server with relation to any of the platforms and systems listed below which have reached their formal End-of-Life date, as published by their respective vendors from time to time. For more details, contact your CyberArk support representative.

Minimum requirements

To ensure maximum protection for the sensitive data inside the Digital Vault server, the server is designed to be installed on a dedicated computer in a clean environment with the documented software prerequisites. No other software should be installed on the server machine.

Supported platforms

The Digital Vault server is currently supported on the following platforms:

Windows Server 2019

Editions

 

If you are using the German or Japanese Edition, see Multi-language requirements.

  • Standard English and Datacenter English Editions

  • German Edition

  • Japanese Edition

CyberArk Architectures

  • Standalone Vault

  • Primary-DR

  • Cluster Vault

  • Distributed Vaults

  • PAM - Self-Hosted cloud deployments

Windows Server 2016

Editions

 

If you are using the German or Japanese Edition, see Multi-language requirements.

  • Standard English and Datacenter English Editions

  • German Edition

  • Japanese Edition

CyberArk Architectures

  • Standalone Vault

  • Primary-DR

  • Cluster Vault

  • Distributed Vaults

  • Cluster Distributed Vaults

  • Cloud deployment

Software requirements

 

Multi-language requirements

The Digital Vault server supports the following language requirements:

  • ASCII encoding

     

    Unicode is not supported.

  • English and one additional language using the operating system Locale

Use only alpha-numeric characters in the following areas:

  • All installation paths

  • Radius authentication configuration

  • The following objects:

    • Users

    • Groups

    • Safes

    • Safe objects

    • Platform names

  • Vault utilities such as CAVaultManager and CACert

Certificate requirements

  • The entire certificate chain (root, subordinate/intermediate, server) requires a Base-64 encoded X.509 SSL certificate
  • The public key length of the certificate must be at least 4096
  • Configuration of both the server authentication and client authentication Enhanced Key Usage values
  • The following list of Signature Algorithm are not supported:
    • RSASSA-PSS
    • ECDSA
  • To use Session Management in Distributed Vaults, Subordinate or Intermediate certificates cannot be used for the Vault

HSM requirements

  • Key generation on HSM requires Network HSM, and all the Vaults in the environment must have access to the HSM server to retrieve the keys.
  • When loading an existing key to HSM, you can use either a Network HSM or a local HSM on each Vault machine.
  • The recovery private key (recprv.key) is required for this procedure.
  • Backup the Vaults to prevent data loss if an issue occurs during data encryption.
  • The HSM appliance must expose a client side PKCS#11 interface (a *.dll file). A 64bit DLL must be used.
  • The HSM must have at least one slot that fulfills the following:

    • Slot flags:

      Flag

      Description

      CKF_HW_SLOT

      hardware slot

      CKF_TOKEN_PRESENT

      token is present in the slot

      CKF_RNG

      random number generation is supported

    • The slot mechanism must have the following flags:

      Flag

      Description

      CKF_HW encryption is done in-hardware
      CKF_ENCRYPT has encryption capability
      CKF_DECRYPT has decryption capability

      CKF_GENERATE

      mechanism supports key generation

  • The HSM must support AES-256 encryption in ECB and CBC modes (this is part of the supported slot mechanisms).
  • The following HSM functions are relevant for the CyberArk Vault.

Function

Mandatory
C_GenerateKey Yes
C_EncryptInit Yes
C_Encrypt Yes
C_UnwrapKey Yes
C_FindObjectsInit Yes
C_FindObjects Yes
C_GetAttributeValue Yes
C_FindObjectsFinal Yes
C_DecryptInit Yes
C_Decrypt Yes
C_Logout Yes
C_CloseSession Yes
C_Finalize Yes
C_OpenSession Yes
C_Initialize Yes
C_GetSlotList Yes
C_GetSlotInfo Yes
C_GetTokenInfo Yes
C_GetMechanismInfo Yes
C_Login Yes
C_CreateObject Yes
C_GenerateKeyPair Yes
C_GetFunctionList Yes
C_GenerateRandom Yes
C_DestroyObject No
 

Contact your HSM vendor to verify that the HSM capabilities are aligned with the requirements.

Supported LDAP directories

The Privileged Access Manager - Self-Hosted solution provides standard LDAP v3 support and has been tested and certified with the following directories.

Directory

Platforms

MS Active-Directory – Each of the following platforms is supported with its corresponding functional level:
  • Windows Server 2012
  • Windows Server 2012R2
  • Windows Server 2016

Sun One v5.2

 

IBM Tivoli Directory Server v6.0

 

Novell eDirectory v8.7.1

 

Oracle Internet Directory v10.1.4

 

This list may be updated frequently as additional directories are certified. Please contact CyberArk Customer Support for information about additional directories that are not mentioned in the list above.

Supported cipher suites

ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

ECDHE_RSA_WITH_AES_256_GCM_SHA384

ECDHE_RSA_WITH_AES_128_GCM_SHA256

DHE_RSA_WITH_AES_256_GCM_SHA384

DHE_RSA_WITH_AES_128_GCM_SHA256

Supported protocols

  • RDP Client v5.2 and higher (for installing the Digital Vault using RDP)

Supported performance configurations

Below are the maximum number of supported components and the maximum number of accounts per component for Primary-DR and Distributed Vaults architectures.

Exceeding the supported configuration may result in degradation and instability of the Vault performance.

Secrets Manager components

To make sure that you are following security and deployment best practices, see Configuration considerations for Secrets Manager applications with the Vault.

Credential Providers /CCP

  • Maximum supported components per environment: 6K

  • Maximum supported accounts for each component user: 10K

The supported configuration requires cache capability to be enabled. Disabling the cache may result in degradation and instability of the Vault performance.

Vault Synchronizer

  • Maximum supported components per environment: 10

  • Maximum supported accounts for each component user: 20K

Supported performance configurations

Below are the maximum number of supported components and the maximum number of accounts per component for Primary-DR and Distributed Vaults architectures.

Exceeding the supported configuration may result in degradation and instability of the Vault performance.

Secrets Manager components

To make sure that you are following security and deployment best practices, see Configuration considerations for Secrets Manager applications with the Vault.

Credential Providers /CCP

  • Maximum supported components per environment: 6K

  • Maximum supported accounts for each component user: 10K

The supported configuration requires cache capability to be enabled. Disabling the cache may result in degradation and instability of the Vault performance.

Vault Synchronizer

  • Maximum supported components per environment: 10

  • Maximum supported accounts for each component user: 20K

Distributed Vaults compatibility

CyberArk clients on a Satellite Vault

The following CyberArk clients are supported on a Satellite Vault:

  • Credentials Provider

  • ExportVaultData utility

  • PAReplicate utility

  • PVWA

  • PSM

  • PSMP

All other clients can only run on a Primary Vault.

CyberArk clients on a Satellite Vault in a Cluster

The following CyberArk clients are supported on a Satellite Vault in a Cluster:

  • Credentials Provider

  • ExportVaultData utility

  • PAReplicate utility

All other clients can only run on a Primary Vault.