DBParm.ini

Batch auto-clear Safe history. This can be set to Enable, Interval in hours or days, FromHour, ToHour

Acceptable values: Yes/No, Number[d], 0-24, 0-24

Default value: Yes,1,1,2

Batch auto-clear user history. This can be set to Enable, Interval in hours or days, FromHour, ToHour

Acceptable values: Yes/No, Number[d], 0-24, 0-24

Default value: Yes,1,3,4

The number of Safe history records to clear in a single operation.

Acceptable values: Number

Default value: 200000

The maximum recommended number of objects to store in a single Safe. If the number of objects in the Safe exceeds this value, a warning message will be written in the ITAlog.

Acceptable values: Number

Default value: 300000

This parameter was deprecated in v7.1.6 and is no longer supported.

Acceptable values: -

Default value: -

Days between Clear Safe and User Log message.

Acceptable values: Number greater than zero.

Default value: 30

Days between download pictures message.

Acceptable values: Number greater than zero / ‘Never’ to disable picture download

Default value: 30

Emergency station IP address.

Acceptable values: IP address

Default value: None

Enable Logon/Users list of pre-defined Users.

Acceptable values: All / None / Auditor / Operator / Auditor, Operator

Default value: All

A warning will be issued when Safes directory has less than threshold free space in MB.

Acceptable values: Number greater than zero.

Default value: 100

Size in bytes of buffer for cache of staging area in file retrieve.

Acceptable values: Number greater than zero.

Default value: 2000000

The way the Vault unifies groups permissions.

Acceptable values: DenyOverrides/FirstApplicable

Default value: DenyOverrides

Days to keep records of ITALOG.log.

Acceptable values: Number greater than zero.

Default value: 7

Maximum number of files to put in the Staging Area.

Acceptable values: Number greater than zero or zero for unlimited.

Default value: 0

Number of permitted access violations in authentication in the ‘All’ network area after which the network area is suspended for a user.

Acceptable values: Number greater than zero.

Default value: 5

The minimum time in minutes that a user needs to wait after being suspended for exceeding the maximum number of login violations before the user is no longer suspended. This is automatically managed by the system. After the specified number of minutes, users can logon again successfully.

Acceptable values: Number

Default value: -1

Whether a detailed message or a general message is displayed when a user is suspended for exceeding the maximum number of login violations.

• No – A message will be displayed that specifies that the user was suspended.

• Yes – A general message will be displayed that specifies an authentication failure, but without any other details. These details are written in the log file.

Acceptable values: Yes/No

Default value: No

The minimum client version that will be able to work with the Vault. Use the following format: x.x.x.x

Acceptable values: Version number

Default value:

Clean Vault = 11.5.0.0

Upgrade Vault = No

The public network’s IP address of the other server within the MSCS cluster.

Acceptable values: IP address

Default value: None

The private network’s IP address of the other server within the MSCS cluster.

Acceptable values: IP address

Default value: None

The predefined groups that can be removed from Safes.

Acceptable values: All / None / Auditors / Operators / Auditor, Operator

Default value: None

The predefined users that can be removed from Safes.

Acceptable values: All / None / Auditors / Operators / Auditor, Operator

Default value: None

The interval in seconds between a file access and the watch dog barking.

Acceptable values: Number equal to or greater than five.

Default value: 10

Server staging area path.

Acceptable values: Path

Default value: None

The number of parallel transactions that the Server can perform. The second number is optional and indicates the number of tasks dedicated to lightweight transactions.

Acceptable values: Number [,Number]

Default value: 20,1

If the total number is less than 20, one is dedicated to lightweight transactions, If the total is more than 20, two are dedicated.

Indicates which file types are accepted in a virus free Safe in this Vault.

Acceptable values: DOC, DOT, XLS, XLT, EPS, BMP, GIF, TGA, TIF, TIFF, LOG, TXT, PAL

Default value: TXT

The suffixes that are considered by the Virus-free Safe as acceptable in addition to the file types specified in the AllowedVirusSafeFile Types parameter.

Acceptable values: <known suffix>/ <suffix>, … (up to 10 entries)

Default value: None

Event codes to monitor.

Acceptable values: Number[-Number],…

Default value: None

Transaction to monitor.

Acceptable values: Transaction.Transaction…

Default value: None

Users to monitor.

Acceptable values: User,User,…

Default value: None

The file that contains an encrypted password to access the Vault database.

Acceptable values: Path

Default value: None

The location of the MySQL replication user’s password file.

Acceptable values: Full pathname

Default value: ReplicationUser.pass in the same folder as the file specified in the DatabaseConnectionPasswordFile parameter.

This parameter has been deprecated and is no longer supported.

Acceptable values: -

Default value: -

Schedules deletion of old backup files (exports, binary logs) from metadata, metadata backup, and restored safes directories.
This can be set to Enable, Interval in hours or days, FromHour, ToHour, when to delete files.
The default setting runs every day between 1 and 5, and deletes backup files older than a week.

Acceptable values: Yes/No/RestoreFolder/BackupFolder,Number,Number,Number,Number

Default value: Yes,24,1,5,7d

Points to the location of MySQL Binary logs (for incremental backups and DR)

Acceptable values: Valid path and filename template

Default value: %MetadataDir%\mysql-bin.*

The full path of the Backup key.

Acceptable values: Full pathname

Default value: None

Determines which Vault event notifications will be written.

Acceptable values:

NotifyOnNewRequest/NotifyOnConfirmRequest/ NotifyOnRejectRequest/

NotifyOnConfirmRequestByAll/NotifyOnDeleteRequest/ NotifyOnStoreObject

Default value: NotifyOnNewRequest/NotifyOnRejectRequest/ NotifyOnConfirmRequestByAll/NotifyOnDeleteRequest

Determines whether or not to monitor backup replication status, whether or not to send notifications when a replication is missed, when the first notification will be sent, when consecutive notifications will be sent, and how frequently the backup status will be checked.

Acceptable values: <Yes/No>,<Yes/No>,<number>,<number>,<number>

Default value: Yes,Yes,48,24,12

Determines whether or not to monitor DR replication status, whether or not to send notifications when a replication is missed, when the first notification will be sent, when consecutive notifications will be sent, and how frequently the DR status will be checked.

Acceptable values: <Yes/No>,<Yes/No>,<number>,<number>,<number>

Default value: Yes,Yes,2,24,30m

Specifies the number of days before the Vault license expires that notifications are sent.

Acceptable values: Number

Default value: 7

Specifies that predefined groups that will be added automatically to all Safes.

Acceptable values: ALL / NONE / predefined group (separated by comma)

Default value: After installation: Backup Users,DR Users,Operators,Auditors, Notification Engine After upgrade: Backup Users,DR Users,Operators,Auditors

The alert level of license usage percentage for exceeding license limitations.

Acceptable values: First threshold,second threshold (single alerts),third threshold  (constant alerts)

Default value: 85,90,99

Specifies the number of users logged onto the Vault concurrently.

Acceptable values: 3000-32000

Default value: 3000

Specifies a list of non-standard IP addresses of machines that the firewall will be opened to. For more information, contact your CyberArk representative.

Acceptable values: [ip range],Yes,[Port]:outbound/[TCP/UDP],[Port]:inbound/[TCP/UDP]

Default value: None

Server key path, or an indication that the key is stored on an HSM device.
If the key is stored on an HSM device,, this parameter specifies the value of the key generation version used to encrypt and decrypt the Vault data and metadata. This value is generated by the CAVaultManager command, and is specified in the command’s output.

Acceptable values: Path or HSM key generation if the key is stored on an HSM device

Default value: None

The path of the PKCS11 provider.

Acceptable values: Path

Default value: None

The full pathname of the file where the PIN code required to authenticate to the HSM device is stored.

Acceptable values: Path

Default value: None

A disclaimer that is displayed in the PrivateArk Administrative Client when users log onto the Vault.

Acceptable values: Path

Default value: None

The IP address(es) or hostname(s) of the Syslog servers where messages will be sent. Separate multiple values with commas.

If you specify the hostname, in the %WINDOWS%\System32\Drivers\Etc\hosts file, define the IP address and hostname of the syslog server to resolve the DNS name.

Acceptable values: IP address,IP address …

Default value: None

The port(s) used to connect to the Syslog server. Separate multiple values with commas.

Make sure that the order of the specified ports corresponds to the order of the specified IP addresses or hostnames and protocols.

Acceptable values: Number,number,...

Default value: 514

Specifies the Syslog protocol(s) that will be used to send audit logs. Separate multiple values with commas.

Make sure that the order of the specified protocols corresponds to the order of the specified IP addresses or hostnames and ports.

Acceptable values: TCP/UDP/TLS

Default value: UDP

The path of the root CA certificate that was signed in the syslog server certificate.

Acceptable values: Full path

Default value: Vault installation path

Defines which message codes will be sent from the Vault to the SIEM application through Syslog protocol. You can specify message numbers and/or ranges of numbers, separated by commas. For example, to specify messages 1,2,3,30 and 5-10, specify the following value: 1,2,3,5-10,30. Specify multiple values with pipelines. By default, all message codes are sent for user and Safe activities.

Acceptable values: String

Default value: None

Specifies the XSL file used to parse CyberArk audit records data into Syslog protocol. Separate multiple values with commas.

Acceptable values: Full pathname

Default value: None

Controls the format of the syslog message, and defines whether it will be sent in a newer syslog format (RFC 5424) or in a legacy format. Separate multiple values with commas.

Acceptable values:
No – Configure the system to work with the new syslog format RFC (5424).
Yes – Configure the system to work with the previous RFC format.

Default value: Yes

Whether or not to send monitoring messages by Syslog.

Acceptable values: Yes/No

Default value: No

The maximum number of syslog messages in the syslog queue, which will generate a threshold notification to ITALog.

Acceptable values: Number greater than 0

Default value: 10,000

The total number of parallel tasks that can be assigned when processing audits that are parsed from XML to the final syslog format.

Acceptable values: 1-600

Default value: <Number of configured servers>

The total number of audit messages allowed to queue for processing from XML to XSL format.

Messages that arrive when the queue is full are truncated, and aren't processed for syslog.

Acceptable values: Positive integers only

Default value: 0 (unlimited)

The total number of syslog messages allowed to queue to be sent to a single syslog server destination.

Messages that arrive when the queue is full are truncated, and aren't sent to the syslog server destination.

Acceptable values: Positive integers only

Default value: 0

How frequently “message queue full” warnings are displayed in the Server Console. This parameter affects both the SyslogProcessingMessagesLimit and SyslogServerMessagesLimit parameters.

The value is in seconds.

Acceptable values: Positive integers only. 0 = prints every messages. This value is not recommended.

Default value: 900 (15 minutes)

Defines how many concurrent Vault transactions are dedicated to specified Vault interface IDs.

Acceptable values: <Number of dedicated concurrent tasks><interface IDs>:<timeframe>

Default value: None

Defines the maximum number of concurrent Vault transactions that can be used for specified Vault interface IDs.

Acceptable values: <Number of concurrent tasks><interface IDs>:<timeframe>

Default value: 8(CPM,AIMApp,AppPrv):7-23,16(CPM,AIMApp,AppPrv):23-7,1(PTAApp)

Defines how many concurrent Vault transactions are dedicated to specified users.

Acceptable values: <Number of dedicated concurrent tasks><username
[,username]>:<timeframe>

Default value: None

Defines the maximum number of concurrent Vault transactions that can be used for specific users.

Acceptable values: <Number of concurrent tasks><username[,username]>:<timeframe>

Default value: None

Defines the timeout in minutes after which users need to re-authenticate to the Vault.

Acceptable values: Number

Default value: 30

A list of DB error codes that will force the Vault to shut down, if they occur. A list of the error codes that can be specified is listed in DBParm.ini.SAMPLE.

Acceptable values: List of error codes separated by commas.

Default value: None

The name of the group that is authorized to define and manage OPM commands at platform level.

Acceptable values: Group name

Default value: Vault Admins

The frequency in minutes that a monitoring process checks the firewall for rules that have been made directly, and not through DBParm.ini.

Acceptable values: Number > 0 or -1

Default value: 15

Defines policies that determine how long-running transactions are managed.

Acceptable values: <UserType/QueryPattern>,<Message threshold>,
<Repeated message threshold>,<Terminate transaction threshold>

Default value: U“EPVUser”,120,600,-1

Defines thresholds for Vault transaction outputs in MB. Exceeding the lower threshold will result in a warning issued to the ITALog; exceeding the upper threshold will cause the transaction to fail.

Acceptable values: <Lower threshold<1>,<Upper threshold>2000>

Default value: 200,400

A series of values that define components to check for activity, whether or not notifications will be sent if the components are inactive, and the frequency of these notifications in minutes.

Acceptable values: <UserType>,<Yes/No>,<number>,<number>

Default value:

The number of minutes that will elapse between component activity checks specified in the Component Notification Threshold parameter. To cancel the component activity check, specify -1.

Acceptable values: Number

Default value: 1

Whether or not the BOM (Byte Order Mark) prefix will be sent at the beginning of SYSLOG messages.

Acceptable values: Yes/No

Default value: No

Determines the maximum size of a trace file archive folder, essentially determining how many trace files will be saved.

Acceptable values: Greater than 500MB or -1 to disable

Default value: 5120

The size in MB of the maximum size of the italog.log before rolling it to the Archive folder.

Acceptable values:

Minimum value: 50 (If a smaller value is specified the value is set to the minimum.)

Maximum value: 10% of the TraceArchiveMaxSize size (If a larger value is specified the value is set to the maximum.)

Default value: 150

Whether or not trace files will be flushed for every write to the trace. The default option (No) significantly improves performance, but can cause the trace to be incomplete in some very specific cases (when the Vault process crashes unexpectedly).

Acceptable values: Yes/No

Default value: No

The number of minutes a user session can be idle before it is logged off by the Vault.

Acceptable values: Number greater than 10.

Default value: 20

The types of users that have permission to perform content validation.

Acceptable values: User type,user type…

Default value: -

The names of the users who have permission to perform content validation.

Acceptable values: User name,user name…

Default value: -

The names of the groups that have permission to perform content validation.

Acceptable values: Group name,group name…

Default value: -

The number of days that audit records of user system events are kept.

Acceptable values: Number greater than 1.

Default value: 90

Whether or not a user will be allowed to find users in the Vault Users tree. If Yes is specified, only auditors and managers will be allowed to search the tree, and it will be hidden from users who are only Safe owners.

Acceptable values: Yes/No

Default value: No

The zero based HSM slot index that all HSM related utilities and the Vault itself will work with. By default, this parameter is omitted from dbparm.ini, and the first suitable HSM slot that is found is used.

Acceptable values: 0-63

Default value: -

Terminates the Vault when specific errors in the database occur.

Acceptable values: Error codes. Separate multiple error codes with a comma

Default value: 2003 (occurs when the MySQL client loses a connection to the Vault)

For authentication using OpenID, the length of time that the token is valid (after which it expires).

Acceptable values: Number of seconds

Default value: 300 seconds

For authentication using custom tokens, the length of time that the token is valid (after which it expires).

Acceptable values: Number of seconds

Default value: 300 seconds

A scheduled batch operation that controls the rotation of the signing keys (OpenID and custom).

Acceptable values: Enabled(Yes\No), Frequency (1- every day, 2 - every two days, 3 - every three days...), from hour (0-24), to hour (0-24)

Default value: Yes,1,0,24

The number of users concurrently logged on to the Vault by ClientID.

Acceptable values: Number of clients and ClientID

Default value:

Clean Vault = 6000(APPProv),10(Synchrnzr),1(CCP),1(DAP)

Upgrade Vault = No

The maximum number of data objects that can be used by Vault transaction queries.

Acceptable values: Number of Account data objects by ClientID

Default value: No

Specifies if a new table with categories is used by the FindFiles transaction search.

Acceptable values: Yes, No

Default value: Yes

IP address of the backup server.

Acceptable values: IP address,IP address,… (up to 10 IP addresses)

Default value: None

The ports that the server listens on.

Acceptable values: port,…port

Default value: 1858

Communication default timeout in seconds.

Acceptable values: Number greater than zero.

Default value: 30

Bytes per single send.

Acceptable values: Number greater than zero.

Default value: 8760

Time in seconds to keep a socket in the socket pool.

Acceptable values: Number greater than zero.

Default value: 600

Enable Firewall intrusion detection and attempt to bypass security messages.

Acceptable values: Yes/No

Default value: No

Enable IGM debug messages.

Acceptable values: Component (level),..

Default value: PE(1),PERF(1)

The list of URLs to download the CRL from.

Acceptable values: URL,[URL…]

Default value: None

The location on the Vault where the CRL cache is stored.

Acceptable values: Path

Default value: None

The interval in hours between downloading the most recent CRL from the specified URL.

Acceptable values: Number greater than zero

Default value: None

Whether or not to activate CRL support.

Acceptable values: Yes/No

Default value: No

Server certificate file path.

Acceptable values: Path

Default value: None

Server Private Key file path.

Acceptable values: Path

Default value: None

Port of Ace server.

Acceptable values: None

Default value: Port,port (up to 4 ports)

Server asymmetric encryption algorithm.

Acceptable values: RSA-1024/RSA-2048

Default value: RSA-2048

The encryption method used by the Server.

Acceptable values: 3DES-PA16/AES-128/AES-256

Default value: AES-256

Server hash algorithm.

Acceptable values: SHA1

Default value: SHA1

Entropy file path.

Acceptable values: Path

Default value: None

Server random generation algorithm.

Acceptable values: PRNG-EAY

Default value: PRNG-EAY

Recovery private key path.

Acceptable values: Path

Default value: None

Recovery public key path.

Acceptable values: Path

Default value: None

The full pathname of the pkcs11.dll that is used to access the HSM device.

Acceptable values: Path

Default value: None

The full pathname of the file where the PIN code required to authenticate to the HSM device is stored.

Acceptable values: Path

Default value: None

Determines if and when the Vault’s External Directory Map will be synchronized with the External Directory.
This value also specifies the period cycle in hours, the possible start hour, and the possible end hour.

Acceptable values: Yes/No, Number,0-24, 0-24

Default value: Yes,1,23,24

The update policy to use during synchronization with the External Directory.

Acceptable values: UpdateAll/UpdateNone

Default value: UpdateAll

The deletion policy to use during synchronization with the External Directory.

Acceptable values: DeleteAll/DeleteNonExisting/DeleteNonMatched/DeleteNone

Default value: DeleteAll

Whether this Vault works in a Distributed Vaults mode or not.

Acceptable values:

• Yes – This Vault will work in a Distributed Vaults environment.

• No – This Vault will work in a Single Vault environment.

Default value: No

The local IP address of the local Vault (Master / Satellite). This IP is set by the ConfigureAsMaster and ConfigureAsSatellite commands.The default value that will be shown when executing the commands is the IP address of the first network card available on the local Vault machine (in some cases, several network cards are available).

Acceptable values: IP address

Default value: The IP address of the first network card in the local Vault machine.

Whether or not to disable the enforced delay on Vault startup when replication was not completed.

Acceptable values:

• Yes – Enables Vault startup, even if a replication of the Master Vault was not completed.

• No – Prevents Vault startup, unless a replication of the Master Vault was completed.

Default value: No

The number of minutes that is acceptable for the Satellite Vault’s database to lag behind the Master Vault’s database. The minimum value is two minutes.

Acceptable values: Number of minutes

Default value: 2

The interval in seconds between automatic synchronization between Satellite Vaults and the Master Vault. This synchronization includes audits.

Acceptable values: Number of seconds

Default value: 10

The maximum number of records that are used in a single SQL operation on the Master Vault when synchronizing information in a Satellite Vault with the Master Vault.

Acceptable values: Number

Default value: 100

The interval in seconds between periodic synchronization tasks performed by the Satellite Vault with in-memory changes that were performed on the Master Vault.

Acceptable values: Number of seconds greater than 10

Default value: 10