CAVaultManager
The CAVaultManager utility enables you to manage the Vault database.
Syntax
CAVaultManager has the following syntax:
CAVaultManager <Command> [<Parameters>]
Using the CAVault Manager Commands
CAVaultManager CreateDB
This command will create a new Vault database.
CAVaultManager SecureDB /MasterPassword <Password> /RndBaseFileName <Filename> /DBEmergencyPasswordFileName <Filename>
This command secures the Vault database using the master password and the initial entropy file, then creates and stores an encrypted password in an emergency password file which enables access to the Vault database.
For example:
CAVaultManager SecureDB /MasterPassword mstrpwd123 /RndBaseFileName c:\rndbasefile.dat /DBEmergencyPasswordFileName C:\VaultEmergency.pass
The above example secures the Vault database using the Master password mstrpwd123 and the initial entropy file stored in c:\rndbasefile.dat, then creates and encrypts an emergency password and stores it in C:\VaultEmergency.pass.
This command secures the files that contain either the Radius or LDAP secret.
CAVaultManager SecureSecretFiles /SecretType <Type> /Secret <Secret> [/SecuredFileName <Filename>] [/FileSectionName <SectionName>]
Example 1:
CAVaultManager SecureSecretFiles /SecretType Radius /Secret VaultSecret /SecuredFileName c:\RadiusSecret.txt
The above example creates a file called c:\RadiusSecret.txt that contains the encrypted Radius secret, VaultSecret.
Example 2:
CAVaultManager SecureSecretFiles /SecretType LDAP /Secret LDAPSecret /SecuredFileName "c:\Program Files\PrivateArk\Server\LDAP\Directories\ActiveDirectory.ini" /FileSectionName LDAPHost2
The above example opens an existing file called c:\Program Files\PrivateArk\Server\LDAP\Directories\ActiveDirectory.ini that contains the encrypted LDAP secret, LDAPSecret, and secures the section called LDAPHost2 in that file by inserting the encrypted secret into the secured section.
To run this command, the Vault Server application must NOT be active.
This command identifies corrupted Vault users for all authentication types with invalid user keys or with invalid database references.
CAVaultManager DeletePartialUsers
The command returns two outputs:
- The number of users with invalid user keys.
- A list of users with invalid database references.
If there are any affected users, you are prompted to enter YES to delete these users.
CAVaultManager SecureEntropyFile [/RndBaseFileName <Filename>]
This command creates the Vault's entropy file from the initial entropy file and secures it using the server key.
For example:
CAVaultManager SecureEntropyFile /RndBaseFileName c:\rndbasefile.dat
The above example creates the Vault's entropy file from the initial entropy file stored in c:\rndbasefile.dat and then secures it with the server key.
This command must be performed only by CyberArk support. It is only supported in a Primary-DR architecture and must be executed on the Primary Vault.
This command configures the Vault for optimal performance, by optimizing the database structure and reclaiming unused database space.
This command creates a folder, D:\PrivateArk\Safes\Metadata OptimizeDB Backups, specifically for the backup files that are created when it runs. The name of each backup file is made up of the date and time of the backup.
All backup files are saved in this folder and it is not cleared automatically, so make sure that you clear it regularly.
Although this command creates its own backup, before running this command, perform a full backup of the Vault database.
1. Shut down the Vault server.
2. In the PrivateArk\Server\Database\Conf folder, back up the my.ini configuration file.
3. Open the my.ini configuration file and make the following changes:
   innodb_flush_log_at_trx_commit=0 # Default is 1
   Comment out log-bin=mysql-bin
4. In HA implementations only, in the Cluster Administration Utility, set the PrivateArk Database resource to offline, and manually start this service.
5. Run the following command:
   CAVaultManager.exe OptimizeDB
   This command does not require any parameters.
6. Change the settings in the my.ini configuration file back to how they were before you changed them in step 3. Use the backup file that you created in step 2 for reference.
7. Restart the PrivateArk Database service in order to apply the initial values.
8. In HA implementations only, in the Cluster Administration Utility, set the PrivateArk Database resource to online.
9. Restart the Vault machine.
CAVaultManager UpgradeDB
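As an added example (not CyberArk's own tooling), the following PowerShell script automates steps 2, 3, 5, 6 and 7 of the procedure above: it keeps a timestamped copy of my.ini, applies the two edits, runs OptimizeDB, and always restores the original file and restarts the database service, even if OptimizeDB fails. The install path, the CAVaultManager.exe location and the service display name are assumptions; steps 1, 4, 8 and 9 remain manual.

```powershell
# Added example: wraps the my.ini edit/restore steps around CAVaultManager.exe OptimizeDB.
# Paths below are assumptions; adjust them to the Vault's actual installation folder.
$ConfDir = 'C:\Program Files (x86)\PrivateArk\Server\Database\Conf'
$MyIni   = Join-Path $ConfDir 'my.ini'
$Backup  = Join-Path $ConfDir ('my.ini.{0}.bak' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$CAVM    = 'C:\Program Files (x86)\PrivateArk\Server\CAVaultManager.exe'

# Step 2: keep a timestamped copy of my.ini; the restore below relies on it.
Copy-Item -Path $MyIni -Destination $Backup -ErrorAction Stop

# Step 3: set innodb_flush_log_at_trx_commit=0 and comment out log-bin=mysql-bin.
# Lines that are already commented do not match and are left untouched.
$edited = foreach ($line in (Get-Content -Path $MyIni)) {
    if ($line -match '^\s*innodb_flush_log_at_trx_commit\s*=') {
        'innodb_flush_log_at_trx_commit=0 # Default is 1'
    }
    elseif ($line -match '^\s*log-bin\s*=\s*mysql-bin') {
        '# ' + $line
    }
    else {
        $line
    }
}
Set-Content -Path $MyIni -Value $edited

try {
    # Step 5: OptimizeDB takes no parameters; a non-zero exit code is treated as failure.
    & $CAVM OptimizeDB
    if ($LASTEXITCODE -ne 0) { throw "OptimizeDB exited with code $LASTEXITCODE" }
}
finally {
    # Steps 6 and 7: put the original my.ini back and restart the database service
    # so the initial values apply again. 'PrivateArk Database' is the assumed display name.
    Copy-Item -Path $Backup -Destination $MyIni -Force
    Restart-Service -DisplayName 'PrivateArk Database'
}
```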
This command upgrades the Vault database in future versions of the CyberArk Vault.
CAVaultManager DeleteDB
This command deletes all the information from the Vault database.
This information cannot be retrieved after it has been deleted.
CAVaultManager RecoverDBPassword /DBEmergencyPasswordFileName <Filename> [/DBNewPassword <Password>]
This command recovers the password that is used to access the Vault database. It uses the password specified in the emergency password file to retrieve the emergency database password, which enables access to the Vault database, then generates a new database password and stores it in the file specified in the DatabaseConnectionPasswordFile parameter in DBParm.ini. The new password can either be specified by the user or generated randomly.
For example:
CAVaultManager RecoverDBPassword /DBEmergencyPasswordFileName C:\VaultEmergency.pass
The above example retrieves the emergency password stored in C:\VaultEmergency.pass, then generates a new random database password and stores it in the password file specified in the DatabaseConnectionPasswordFile parameter in DBParm.ini.
CAVaultManager RecoverDBPassword /DBEmergencyPasswordFileName C:\VaultEmergency.pass /DBNewPassword NewDBPwd
The above example retrieves the emergency password stored in C:\VaultEmergency.pass, then encrypts the new specified password, NewDBPwd, and stores it in the password file specified in the DatabaseConnectionPasswordFile parameter in DBParm.ini.
CAVaultManager LDAPVerify [/ConfOnly] [/Verbose]
This command carries out an integrity check on the LDAP configuration files, checks the connection to the LDAP component, and displays a detailed status report.
The /ConfOnly parameter carries out the integrity check on the LDAP configuration files only, without checking the connection status to the LDAP component.
CAVaultManager SynchronizeDB [/SafePattern <Pattern>] [/FilesSyncOnly] [/QuotaSyncOnly] [/Update] [/Force]
This command synchronizes the Vault database after the backup files have been transferred to the Vault from backup data. It can synchronize only files or only quotas, in specific Safes, in the entire Vault, or according to a Safe pattern. The command can either simulate the synchronization or carry it out, with or without confirmation from the user.
For example:
CAVaultManager SynchronizeDB /Update
The above example synchronizes the backup files that were restored in the Vault (using the RestoreDB command) with the restored metadata. The synchronization is carried out, rather than simulated, and the user is prompted for confirmation during the process.
CAVaultManager RecoverBackupFiles [/BackupPoolName <PoolName>]
This command uses the Vault's Recovery Private Key to access all the backup files in the Restored Safes folder and re-encrypts them with a new backup key when the original backup key cannot be used.
For example:
CAVaultManager RecoverBackupFiles /BackupPoolName BkpSvr1
The above example recovers the backup files from a Backup Pool called BkpSvr1 and re-encrypts them with a new, accessible backup key.
CAVaultManager DiagnoseDBReport [/OutputFileName <Filename>]
This command compiles a diagnostics report for the Vault database.
Use this command only in response to a request from CyberArk support.
For example:
CAVaultManager DiagnoseDBReport /OutputFileName c:\CompanyVaultDiagnostics.txt
The above example compiles a diagnostics report of the Vault and saves it in a text file called CompanyVaultDiagnostics stored in c:\.
CAVaultManager ReplaceLDAPDirectory /CurrentLDAPDirectory <DirectoryName> /NewLDAPDirectory <DirectoryName> [/Update]
This command changes references in directory maps, users and groups from a current directory to a different one.
For example:
CAVaultManager ReplaceLDAPDirectory /CurrentLDAPDirectory Directory_1 /NewLDAPDirectory Directory_2 /Update
The above example changes the references in directory maps, users and groups (which define how external users are managed in the Vault) from Directory_1 to Directory_2.
Full List of CAVaultManager Commands
The usage is explained in the following table.
Command | Parameter | Description | Mandatory
---|---|---|---
CreateDB | | Creates the Vault database. |
SecureDB | | Secures the Vault database. |
 | /MasterPassword | The password for the Master user. | Yes
 | /RndBaseFileName | The path where the initial entropy file is saved. | Yes
 | /DBEmergencyPasswordFileName | The name of the file where the encrypted emergency password for database access is stored. | Yes
SecureSecretFiles | | Secures the Vault's secret files. |
 | /SecretType | The type of secret to secure. Options are LDAP, Radius, or HSM. | Yes
 | /Secret | The secret. It cannot begin with "/", and cannot contain the characters _, ^, +, or &. | Yes
 | /SecuredFileName | The name of the file where the secured secret is stored. | No
 | /FileSectionName | Name of the LDAP host section to secure within the file. The default is the LDAP directory section. | No
SecureEntropyFile | | Secures the Vault entropy file. |
 | /RndBaseFileName | The path where the random number generator state is saved. | Yes
OptimizeDB | | Optimizes Vault performance. |
UpgradeDB | | Upgrades the Vault database. |
DeleteDB | | Deletes the Vault database. |
RecoverDBPassword | | Recovers the Vault database connection password. |
 | /DBEmergencyPasswordFileName | The name of the file where the encrypted emergency password for database access is stored. | Yes
 | /DBNewPassword | The new password for database access. | No
LDAPVerify | | Verifies the LDAP component configuration. |
 | /ConfOnly | Verifies only the LDAP configuration files. | No
 | /Verbose | Displays details of the LDAP verification checks. | No
RestoreDB | | Restores the Vault database. |
 | /BackupPoolName | The name of the backup set that the command refers to. | No
 | /NoSynchronize | Does not synchronize the restored external files with the restored metadata; this may result in Safes containing files that aren't actually there. | No
 | /Force | Synchronizes the existing and the restored databases without prompting the user for confirmation. | No
SynchronizeDB | | Synchronizes the files in the Safes folder with the restored metadata. |
 | /SafePattern | A Safe pattern indicating the Safes that will be synchronized with the restored data. | No
 | /FilesSyncOnly | Synchronizes only the files between the Restored Safes folder and the Safes folder. | No
 | /QuotaSyncOnly | Synchronizes only the quotas between the Restored Safes folder and the Safes folder. | No
 | /Update | Updates the data in the Safes folder during the synchronization process (without it, the synchronization is simulated). | No
 | /Force | Prevents the application from displaying a confirmation message to the user before completing the restore/synchronize process. | No
RecoverBackupFiles | | Recovers the backup files and re-encrypts them with a new backup key. |
 | /BackupPoolName | The name of the backup set that the command refers to. | No
DiagnoseDBReport | | Compiles a diagnostics report for the CyberArk Vault database. |
 | /OutputFileName | The name of the report output file. | No
GenerateKeyOnHSM | | Generates new encryption keys on the HSM. |
 | /ServerKey | Determines that server keys will be generated on the HSM device. | No
LoadServerKeyToHSM | | Uploads the Server key to the HSM and updates the relevant parameters in DBParm.ini. |
 | /Pincode | The PIN code required to upload the Server key to the HSM. | No
 | /WrapKey | For use on HSM devices that require keys to be encrypted. This generates a new key pair: the public key is used to encrypt the server key, and the private key decrypts it on the HSM device. | No
ReplaceLDAPDirectory | | Changes references in directory maps, users and groups from the current external directory to a different one. |
 | /CurrentLDAPDirectory | The name of the external directory that these objects currently reference. | Yes
 | /NewLDAPDirectory | The name of the new external directory that these objects will reference. | Yes
 | /Update | Indicates whether the directory maps, users and groups will be updated or whether this operation will be performed in simulation mode. | No
AppendFriendlyDomain | | Adds Active Directory domain names to the names of groups that are provisioned in the Vault. |
 | /Update | Indicates whether the Active Directory domain name will be added to the names of groups that are provisioned in the Vault or whether this operation will be performed in simulation mode. | No
TerminateDBTransaction | | Enables you to manually terminate transactions that have been running longer than a specified period of time. |
 | /DBTransactionID | The unique transaction ID of the long transaction. This ID appears in the alert message that is written to the italog file when the transaction is identified by the MonitorLongTransactions parameter in DBParm.ini. | No
RecoverReplicationPassword | | Recovers the replication user's password. |
StartDBReplication | | Begins the database replication. This command is issued from the DR site. |
StopDBReplication | | Stops the database replication. This command is issued from the DR site. |
CollectLogs | | Creates a folder on the Vault server machine and stores a set of Vault server log files in it. |
 | /OutputFolderName | The full path of a folder where the Vault server log files will be saved. | No
ConfigureAsMaster | | Configures the current Digital Vault as the Master Vault in a Distributed Vaults environment. |
 | /MyIP | The IP address of the current machine. By default, the utility uses the IP address of the first network card. | No
 | /Silent | The utility does not issue any confirmation messages during configuration. | Yes
ConfigureAsSatellite | | Configures the current Digital Vault as the Satellite Vault in a Distributed Vaults environment. |
 | /MyIP | The IP address of the current machine. By default, the utility uses the IP address of the first network card. | No
 | /Silent | The utility does not issue any confirmation messages during configuration. | Yes
 | /ResetMasterAddress | Forces the Read-Only Vault to obtain the IP address of the Replication Master Vault from Vault.ini. This parameter can be used when the Vault was not included or available during Distributed Vaults setup. | No
UnSuspendUser | | Activates a suspended user on the Master Vault. This task can be performed using either the CAVaultManager utility or the PrivateArk Administrative Client. |
 | /UserName [username] | The name of the suspended user who will be reactivated. | No
Promote | | Changes the role of the current Vault from Read-Only to Master and updates the rest of the Vaults in the deployment to replicate from it. |
 | /Silent | The utility does not issue any confirmation messages during configuration. | No
 | /SkipVault [IP Address,...] | Allows the promotion process to proceed without attempting a connection to the specified Read-Only Vault. This is useful when a Read-Only Vault is not responsive and would delay the promotion while the process tries to connect to it to update the replication source. | No
 | /EnableTrace | The utility writes extended log information during command execution. | No
WaitForReplication | | Waits until the slave SQL thread has executed the transactions whose global transaction IDs are contained in the given GTID set. |
 | /InputGTID | The Global Transaction ID set to wait for. | Yes
 | /Timeout | The timeout in seconds that the Master Vault waits for all of the transactions in the GTID set to be executed. The default value is 86400 seconds (1 day). | No
DeletePartialUsers | | Deletes corrupted Vault users for all authentication types with invalid user keys or with invalid database references. |
ConcatCategory | | Verifies or recreates the data in the ConcatCategory table in the Vault database. |
 | /Verify | Verifies the content of the ConcatCategory table. |
 | /Regenerate | Regenerates the ConcatCategory table. |