Digital Vault Server

 

CyberArk may choose not to provide maintenance and support services for the CyberArk Digital Vault Server with relation to any of the platforms and systems listed below which have reached their formal End-of-Life date, as published by their respective vendors from time to time. For more details, contact your CyberArk support representative.

Minimum requirements

To ensure maximum protection for the sensitive data inside the Digital Vault server, the server is designed to be installed on a dedicated computer in a clean environment with the documented software prerequisites. No other software should be installed on the server machine.

Supported platforms

The Digital Vault server is currently supported on the following platforms:

Windows Server 2019

Editions

 

If you are using the German or Japanese Edition, see Multi-language requirements.

  • Standard English and Datacenter English Editions

  • German Edition

  • Japanese Edition

CyberArk Architectures

  • Standalone Vault

  • Primary-DR

  • Cluster Vault

  • Distributed Vaults

  • PAM - Self-Hosted cloud deployments

Windows Server 2016

Editions

 

If you are using the German or Japanese Edition, see Multi-language requirements.

  • Standard English and Datacenter English Editions

  • German Edition

  • Japanese Edition

CyberArk Architectures

  • Standalone Vault

  • Primary-DR

  • Cluster Vault

  • Distributed Vaults

  • Cluster Distributed Vaults

  • Cloud deployment

Software requirements

 

Multi-language requirements

The Digital Vault server supports the following language requirements:

  • ASCII encoding

     

    Unicode is not supported.

  • English and one additional language using the operating system Locale

Use only alpha-numeric characters in the following areas:

  • All installation paths

  • RADIUS authentication configuration

  • The following objects:

    • Users

    • Groups

    • Safes

    • Safe objects

    • Platform names

  • Vault utilities such as CAVaultManager and CACert

Certificate requirements

  • Every certificate in the chain (root, subordinate/intermediate, server) must be a Base-64 encoded X.509 SSL certificate
  • The public key length of the certificate must be at least 4096
  • Both the server authentication and client authentication Enhanced Key Usage values must be configured
  • The following signature algorithms are not supported:
    • RSASSA-PSS
    • ECDSA
  • To use Session Management in Distributed Vaults, Subordinate or Intermediate certificates cannot be used for the Vault
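
A pre-flight check for the certificate requirements above, written for this page as an added example; it is not CyberArk code. `Test-VaultCertificate`, the `-SkipEku` switch and the file name are hypothetical, running the Enhanced Key Usage check only on the server certificate is an assumption, and the OIDs are the standard identifiers for the algorithms and usages named in the list.

```powershell
# Added example (not CyberArk code): check one certificate file against the
# requirements listed above. Run it once per file in the chain.
function Test-VaultCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $SkipEku   # assumption: use for root/intermediate CA files
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $findings = @()

    # Base-64 encoding: a PEM file carries this header; binary DER does not.
    if ((Get-Content -LiteralPath $full -Raw) -notmatch '-----BEGIN CERTIFICATE-----') {
        $findings += 'File is not Base-64 (PEM) encoded'
    }

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)

    # Public key length must be at least 4096.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) {
        $findings += 'No RSA public key found; key length not checked'
    } elseif ($rsa.KeySize -lt 4096) {
        $findings += "Public key length is $($rsa.KeySize), below 4096"
    }

    # Unsupported signature algorithms, matched by OID:
    # RSASSA-PSS = 1.2.840.113549.1.1.10, ECDSA-with-* = 1.2.840.10045.4.*
    $sigOid = $cert.SignatureAlgorithm.Value
    if ($sigOid -eq '1.2.840.113549.1.1.10' -or $sigOid -like '1.2.840.10045.4.*') {
        $findings += "Unsupported signature algorithm: $($cert.SignatureAlgorithm.FriendlyName) ($sigOid)"
    }

    # Enhanced Key Usage must list both Server and Client Authentication.
    if (-not $SkipEku) {
        $eku = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        if ($eku -notcontains '1.3.6.1.5.5.7.3.1') { $findings += 'EKU lacks Server Authentication' }
        if ($eku -notcontains '1.3.6.1.5.5.7.3.2') { $findings += 'EKU lacks Client Authentication' }
    }

    [pscustomobject]@{
        Subject   = $cert.Subject
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}
# Usage (constructed file name): Test-VaultCertificate -Path .\vault-server.pem
```

If a file holds more than one certificate, only the first is loaded, so keep each certificate of the chain in its own file when running the check.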

HSM requirements

Supported LDAP directories

The Privileged Access Manager - Self-Hosted solution provides standard LDAP v3 support and has been tested and certified with the following directories.

This list may be updated frequently as additional directories are certified. Please contact CyberArk Customer Support for information about additional directories that are not mentioned in the list above.

Supported cipher suites

Supported protocols

  • RDP Client v5.2 and higher (for installing the Digital Vault using RDP)

Supported performance configurations

The maximum number of supported components and the maximum number of accounts per component for Primary-DR and Distributed Vaults architectures are listed below.

Exceeding the supported configuration may result in degradation and instability of the Vault performance.

Secrets Manager components

To make sure that you are following security and deployment best practices, see Configuration considerations for Secrets Manager applications with the Vault.

Credential Providers / CCP

  • Maximum supported components per environment: 6K

  • Maximum supported accounts for each component user: 10K

The supported configuration requires cache capability to be enabled. Disabling the cache may result in degradation and instability of the Vault performance.

Vault Synchronizer

  • Maximum supported components per environment: 10

  • Maximum supported accounts for each component user: 20K

Distributed Vaults compatibility

CyberArk clients on a Satellite Vault

The following CyberArk clients are supported on a Satellite Vault:

  • Credentials Provider

  • ExportVaultData utility

  • PAReplicate utility

  • PVWA

  • PSM

  • PSMP

All other clients can only run on a Primary Vault.

CyberArk clients on a Satellite Vault in a Cluster

The following CyberArk clients are supported on a Satellite Vault in a Cluster:

  • Credentials Provider

  • ExportVaultData utility

  • PAReplicate utility

All other clients can only run on a Primary Vault.