Digital Vault Server
CyberArk may choose not to provide maintenance and support services for the CyberArk Digital Vault Server with relation to any of the platforms and systems listed below which have reached their formal End-of-Life date, as published by their respective vendors from time to time. For more details, contact your CyberArk support representative.
Minimum requirements
To ensure maximum protection for the sensitive data inside the Digital Vault server, the server is designed to be installed on a dedicated computer in a clean environment with the documented software prerequisites. No other software should be installed on the server machine.
Supported platforms
The Digital Vault server is currently supported on the following platforms:
Windows Server 2019
Editions
If you are using the German or Japanese Edition, see Multi-language requirements.
- Standard English and Datacenter English Editions
- German Edition
- Japanese Edition
CyberArk Architectures
- Standalone Vault
- Primary-DR
- Cluster Vault
- Distributed Vaults
- PAM - Self-Hosted cloud deployments
Windows Server 2016
Editions
If you are using the German or Japanese Edition, see Multi-language requirements.
- Standard English and Datacenter English Editions
- German Edition
- Japanese Edition
CyberArk Architectures
- Standalone Vault
- Primary-DR
- Cluster Vault
- Distributed Vaults
- Cluster Distributed Vaults
- Cloud deployment
Software requirements
- Update the Vault server with the latest security patches.
- Install Microsoft Visual C++ Redistributable for Visual Studio 2015-2022 32-bit and 64-bit versions.
- Install .NET Framework 4.8 Runtime
Multi-language requirements
The Digital Vault server supports the following language requirements:
- ASCII encoding. Unicode is not supported.
- English and one additional language using the operating system Locale.
Use only alpha-numeric characters in the following areas:
- All installation paths
- Radius authentication configuration
- The following objects:
  - Users
  - Groups
  - Safes
  - Safe objects
  - Platform names
- Vault utilities such as CAVaultManager and CACert
Certificate requirements
- The entire certificate chain (root, subordinate/intermediate, server) requires a Base-64 encoded X.509 SSL certificate
- The public key length of the certificate must be at least 4096
- Configuration of both the server authentication and client authentication Enhanced Key Usage values
- The following signature algorithms are not supported:
  - RSASSA-PSS
  - ECDSA
- To use Session Management in Distributed Vaults, Subordinate or Intermediate certificates cannot be used for the Vault
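An added example, not CyberArk's own code, that checks a Base-64 X.509 certificate file against the requirements listed above (key length, both Enhanced Key Usage values, and the excluded signature algorithms) using the .NET classes available on the Vault's Windows Server. The folder C:\VaultCerts, one certificate per .cer file, and the function name are assumptions.

```powershell
# Added example (not CyberArk code): validate a PEM certificate against the Vault requirements.
function Test-VaultCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $problems = @()
    # Requirement: Base-64 (PEM) encoding rather than binary DER
    $raw = Get-Content -Path $Path -Raw
    if ($raw -notmatch '-----BEGIN CERTIFICATE-----') { $problems += 'Not Base-64 (PEM) encoded' }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # Requirement: RSA public key of at least 4096 bits (GetRSAPublicKey returns $null for non-RSA keys)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $rsa) { $problems += 'Public key is not RSA' }
    elseif ($rsa.KeySize -lt 4096) { $problems += "Public key is $($rsa.KeySize) bits, 4096 required" }

    # Requirement: both Server Authentication and Client Authentication EKUs
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $required = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
    foreach ($need in $required.GetEnumerator()) {
        if ($ekuOids -notcontains $need.Key) { $problems += "EKU missing $($need.Value) ($($need.Key))" }
    }

    # Requirement: signature algorithm must be neither RSASSA-PSS (1.2.840.113549.1.1.10) nor ECDSA (1.2.840.10045.4.*)
    $sig = $cert.SignatureAlgorithm.Value
    if ($sig -eq '1.2.840.113549.1.1.10') { $problems += 'Signed with RSASSA-PSS (not supported)' }
    if ($sig -like '1.2.840.10045.4.*')   { $problems += 'Signed with ECDSA (not supported)' }

    [pscustomobject]@{
        File      = Split-Path -Leaf $Path
        Subject   = $cert.Subject
        NotAfter  = $cert.NotAfter
        SigAlg    = $cert.SignatureAlgorithm.FriendlyName
        Compliant = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

# Run the check over the whole chain (root, intermediate, server), one file each
Get-ChildItem -Path 'C:\VaultCerts\*.cer' | ForEach-Object { Test-VaultCertificate -Path $_.FullName } | Format-Table -AutoSize
```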
HSM requirements
- Key generation on HSM requires Network HSM, and all the Vaults in the environment must have access to the HSM server to retrieve the keys.
- When loading an existing key to HSM, you can use either a Network HSM or a local HSM on each Vault machine.
- The recovery private key (recprv.key) is required for this procedure.
- Backup the Vaults to prevent data loss if an issue occurs during data encryption.
- The HSM appliance must expose a client-side PKCS#11 interface (a *.dll file). A 64-bit DLL must be used.
- The HSM must have at least one slot that fulfills the following:

Slot flags:

| Flag | Description |
|---|---|
| CKF_HW_SLOT | hardware slot |
| CKF_TOKEN_PRESENT | token is present in the slot |
| CKF_RNG | random number generation is supported |

The slot mechanism must have the following flags:

| Flag | Description |
|---|---|
| CKF_HW | encryption is done in-hardware |
| CKF_ENCRYPT | has encryption capability |
| CKF_DECRYPT | has decryption capability |
| CKF_GENERATE | mechanism supports key generation |
- The HSM must support AES-256 encryption in ECB and CBC modes (this is part of the supported slot mechanisms).
- The following HSM functions are relevant for the CyberArk Vault.

| Function | Mandatory |
|---|---|
| C_GenerateKey | Yes |
| C_EncryptInit | Yes |
| C_Encrypt | Yes |
| C_UnwrapKey | Yes |
| C_FindObjectsInit | Yes |
| C_FindObjects | Yes |
| C_GetAttributeValue | Yes |
| C_FindObjectsFinal | Yes |
| C_DecryptInit | Yes |
| C_Decrypt | Yes |
| C_Logout | Yes |
| C_CloseSession | Yes |
| C_Finalize | Yes |
| C_OpenSession | Yes |
| C_Initialize | Yes |
| C_GetSlotList | Yes |
| C_GetSlotInfo | Yes |
| C_GetTokenInfo | Yes |
| C_GetMechanismInfo | Yes |
| C_Login | Yes |
| C_CreateObject | Yes |
| C_GenerateKeyPair | Yes |
| C_GetFunctionList | Yes |
| C_GenerateRandom | Yes |
| C_DestroyObject | No |

Contact your HSM vendor to verify that the HSM capabilities are aligned with the requirements.
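An added example, not CyberArk's own code, that evaluates what a PKCS#11 provider reports through C_GetSlotInfo, C_GetTokenInfo and C_GetMechanismInfo against the slot, mechanism and AES-256 requirements above. The flag and mechanism constants are the values defined by the PKCS#11 specification (where CKF_RNG is a token flag and AES mechanism key sizes are given in bytes); the $sample records are constructed data, not output from a real HSM, and the function name is an assumption.

```powershell
# Added example (not CyberArk code): check PKCS#11 slot/token/mechanism info against the Vault requirements.
$CKF_TOKEN_PRESENT = 0x00000001   # CK_SLOT_INFO.flags
$CKF_HW_SLOT       = 0x00000004   # CK_SLOT_INFO.flags
$CKF_RNG           = 0x00000001   # CK_TOKEN_INFO.flags (the spec reports RNG support per token)
$CKF_HW       = 0x00000001        # CK_MECHANISM_INFO.flags
$CKF_ENCRYPT  = 0x00000100
$CKF_DECRYPT  = 0x00000200
$CKF_GENERATE = 0x00008000
$CKM_AES_KEY_GEN = 0x1080; $CKM_AES_ECB = 0x1081; $CKM_AES_CBC = 0x1082

function Test-VaultHsmSlot {
    param(
        [uint32]$SlotFlags,
        [uint32]$TokenFlags,
        [hashtable]$Mechanisms   # CKM_* type -> @{ MinKey; MaxKey; Flags }; AES key sizes in bytes
    )
    $problems = @()
    if (-not ($SlotFlags  -band $CKF_HW_SLOT))       { $problems += 'slot lacks CKF_HW_SLOT' }
    if (-not ($SlotFlags  -band $CKF_TOKEN_PRESENT)) { $problems += 'slot lacks CKF_TOKEN_PRESENT' }
    if (-not ($TokenFlags -band $CKF_RNG))           { $problems += 'token lacks CKF_RNG' }
    # AES-256 in ECB and CBC: each mechanism must run in hardware, encrypt, decrypt and accept a 32-byte key
    foreach ($m in (@{ CKM_AES_ECB = $CKM_AES_ECB; CKM_AES_CBC = $CKM_AES_CBC }).GetEnumerator()) {
        $info = $Mechanisms[$m.Value]
        if (-not $info) { $problems += "$($m.Key) not offered"; continue }
        foreach ($f in (@{ CKF_HW = $CKF_HW; CKF_ENCRYPT = $CKF_ENCRYPT; CKF_DECRYPT = $CKF_DECRYPT }).GetEnumerator()) {
            if (-not ($info.Flags -band $f.Value)) { $problems += "$($m.Key) lacks $($f.Key)" }
        }
        if ($info.MinKey -gt 32 -or $info.MaxKey -lt 32) { $problems += "$($m.Key) does not accept 256-bit keys" }
    }
    $gen = $Mechanisms[$CKM_AES_KEY_GEN]
    if (-not $gen -or -not ($gen.Flags -band $CKF_GENERATE)) { $problems += 'CKM_AES_KEY_GEN lacks CKF_GENERATE' }
    [pscustomobject]@{ Compliant = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# Constructed sample: a hardware slot whose CBC mechanism is capped at AES-128, so the check reports it
$sample = @{
    SlotFlags  = $CKF_HW_SLOT -bor $CKF_TOKEN_PRESENT
    TokenFlags = $CKF_RNG
    Mechanisms = @{
        $CKM_AES_KEY_GEN = @{ MinKey = 16; MaxKey = 32; Flags = $CKF_HW -bor $CKF_GENERATE }
        $CKM_AES_ECB     = @{ MinKey = 16; MaxKey = 32; Flags = $CKF_HW -bor $CKF_ENCRYPT -bor $CKF_DECRYPT }
        $CKM_AES_CBC     = @{ MinKey = 16; MaxKey = 16; Flags = $CKF_HW -bor $CKF_ENCRYPT -bor $CKF_DECRYPT }
    }
}
Test-VaultHsmSlot @sample
```

On a real appliance, feed the function the values read from the vendor's PKCS#11 DLL instead of $sample; a non-empty Problems field is what to raise with the HSM vendor before installing the Vault.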
Supported LDAP directories
The Privileged Access Manager - Self-Hosted solution provides standard LDAP v3 support and has been tested and certified with the following directories.
| Directory | Platforms |
|---|---|
| MS Active-Directory – Each of the following platforms is supported with its corresponding functional level: | |
| Sun One v5.2 | |
| IBM Tivoli Directory Server v6.0 | |
| Novell eDirectory v8.7.1 | |
| Oracle Internet Directory v10.1.4 | |
This list may be updated frequently as additional directories are certified. Please contact CyberArk Customer Support for information about additional directories that are not mentioned in the list above.
Supported cipher suites
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_AES_128_GCM_SHA256
DHE_RSA_WITH_AES_256_GCM_SHA384
DHE_RSA_WITH_AES_128_GCM_SHA256
Supported protocols
- RDP Client v5.2 and higher (for installing the Digital Vault using RDP)
Supported performance configurations
Below are the maximum number of supported components and the maximum number of accounts per component for Primary-DR and Distributed Vaults architectures.
Exceeding the supported configuration may result in degradation and instability of the Vault performance.
Secrets Manager components
To make sure that you are following security and deployment best practices, see Configuration considerations for Secrets Manager applications with the Vault.
Credential Providers / CCP
- Maximum supported components per environment: 6K
- Maximum supported accounts for each component user: 10K
The supported configuration requires cache capability to be enabled. Disabling the cache may result in degradation and instability of the Vault performance.
Vault Synchronizer
- Maximum supported components per environment: 10
- Maximum supported accounts for each component user: 20K
Distributed Vaults compatibility
CyberArk clients on a Satellite Vault
The following CyberArk clients are supported on a Satellite Vault:
- Credentials Provider
- ExportVaultData utility
- PAReplicate utility
- PVWA
- PSM
- PSMP
All other clients can only run on a Primary Vault.
CyberArk clients on a Satellite Vault in a Cluster
The following CyberArk clients are supported on a Satellite Vault in a Cluster:
- Credentials Provider
- ExportVaultData utility
- PAReplicate utility
All other clients can only run on a Primary Vault.