Vault Parameter File

The Vault.ini file contains all the information about the Vault that is accessed by CyberArk components. Each component that accesses the Vault requires a Vault.ini file of its own.

During installation, the Vault.ini file is copied to the installation folder.

 

  • The semicolon (;) and hash (#) characters indicate the beginning of a remark. However, if these characters appear between quotation marks (“”) or after an equals sign (=), they are treated as part of the parameter rather than as the start of a remark.

  • All parameters must be specified without spaces.

Vault parameters

Parameter

Description

Vault

The name of the Vault.

Acceptable values: String

Default value: None

Address

The IP address of the Vault. There is no limit to the number of IP addresses that you can specify.

 

Multiple Vault IP addresses are supported on the CPM, PVWA, OPM, PSM, and PSM for SSH.

Acceptable values:  IP address,IP address,IP address,...

Default value: None

Port

The Vault IP port.

Acceptable values:  Number

Default value: 1858

Timeout

The number of seconds to wait for a Vault to respond to a command before a timeout message is displayed.

Acceptable values:  Number

Default value: 30

SwitchVaultAddressTimeOut

The number of seconds that the Vault component tries to access additional Vault IP addresses after the initial timeout to the current Vault expires. The initial timeout is specified in the Timeout parameter.

 

This is relevant to the CPM, PVWA, OPM, and PSM.

Acceptable values:  Number of seconds

Default value: 3

AuthType

The type of authentication to be used to log on to the Vault.

Acceptable values:  PA_AUTH (Password), PKI_AUTH, LDAP, RADIUS

Default value:  PA_AUTH (Password)

VaultDN

The Distinguished Name of the Vault (PKI Authentication).

Acceptable values:  String

Default value:  None

ProxyType

The type of proxy through which the Vault is accessed.

Acceptable values:  HTTP, HTTPS, SOCKS4, SOCKS5

Default value:  None

ProxyAddress

The proxy server IP address. This is mandatory when using a proxy server.

Acceptable values:  IP address

Default value:  None

ProxyPort

The proxy server IP port.

Acceptable values:  Number

Default value:  8081

ProxyUser

The user for the proxy server if NTLM authentication is required.

Acceptable values:  User name

Default value:  None

ProxyPassword

The password for the proxy server if NTLM authentication is required.

Acceptable values:  Password

Default value:  None

ProxyAuthDomain

The domain for the proxy server if NTLM authentication is required.

Acceptable values:  Domain name

Default value:  NT_DOMAIN_NAME

BehindFirewall

Whether or not the Vault is accessed via a firewall.

Acceptable values:  Yes/No

Default value:  No

UseOnlyHTTP1

Use only the HTTP 1.0 protocol. Valid either with proxy settings or with BehindFirewall.

Acceptable values:  Yes/No

Default value:  No

NumOfRecordsPerSend

The number of file records that require an acknowledgement from the Vault server.

Acceptable values:  Number

Maximum number is 4000.

Default value:  300

NumOfRecordsPerChunk

The number of file records to transfer together in a single TCP/IP send/receive operation.

Acceptable values:  Number

Maximum number is 4000. The value cannot be larger than the NumOfRecordsPerSend value.

Default value:  60

ReconnectPeriod

The number of seconds to wait before the session with the Vault is re-established.

Acceptable values:  Number

Default value:  1

EnhancedSSL

Whether or not to use an enhanced SSL-based connection (port 443 is required).

Acceptable values:  Yes/No

Default value:  No

PreAuthSecuredSession

Whether or not to enable a pre-authentication secured session.

Acceptable values:  Yes/No

Default value:  No

TrustSSC

Whether or not to trust self-signed certificates in pre-authentication secured sessions.

Acceptable values:  Yes/No

Default value:  No

ProxyCredentials

The name of a file that contains the proxy credentials. This parameter can be used to replace the ProxyUser and ProxyPassword parameters.

Acceptable values:  Full pathname

Default value:  None

CTLFileName

The path to the CTL file for RADIUS authentication.

Acceptable values:  Valid path to base64 CTL file

Default value:  None

AllowSSCFor3PartyAuth

Whether or not self-signed certificates are allowed for third-party authentication (for example, RADIUS).

Acceptable values:  Yes/No

Default value:  No

CIFSGateway

The name of the CIFS Gateway.

Acceptable values:  String

Default value:  None

HTTPGatewayAddress

The URL of the HTTP Gateway.

Acceptable values:  URL

Default value:  URL

DistributedVaults

Whether or not CyberArk clients will work in Distributed Vaults mode, and will be able to send requests to one Vault in a list of available Vaults.

When this parameter is set to Yes, the Address parameter must specify an address that returns a DNS SRV record that indicates the Vault to which the client will send requests.

When this parameter is set to Static, the Address parameter must specify the IP/DNS address, using the following format: IP address,IP address,IP address,….

Acceptable values:  Yes, No, Static

Default value:  No

FailbackInterval

The number of seconds between client requests to check the SRV record.

Acceptable values:  Number of seconds

Default value:  1800 (30 minutes)
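The remark rules and parameter constraints above can be checked mechanically before a Vault.ini is deployed. The following is an added example, not CyberArk code: it parses the file using the remark rules stated on this page and reports settings that break a documented constraint or weaken the connection (self-signed certificate trust, an inline proxy password instead of a ProxyCredentials file). Assumptions: quotation marks are ASCII double quotes, parameter names are case-insensitive, and the finding labels and sample file are constructed for illustration.

```python
SAMPLE = '''; constructed sample, not a real deployment
Vault="Demo#Vault"
ProxyType=HTTPS
ProxyPassword=Secret;1
# TrustSSC=No
TrustSSC=Yes
NumOfRecordsPerSend=100
NumOfRecordsPerChunk=200
UseOnlyHTTP1=Yes
'''
DEFAULTS = {"NUMOFRECORDSPERSEND": "300", "NUMOFRECORDSPERCHUNK": "60"}

def split_param(line):
    """Return (name, value), or None if a remark starts before any '='."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch in ";#":
            return None  # remark character outside quotes and before '='
        elif not in_quotes and ch == "=":
            return line[:i].strip(), line[i + 1:].strip()  # ';' and '#' after '=' stay in the value
    return None

def parse_vault_ini(text):
    params = {}
    for raw in text.splitlines():
        pair = split_param(raw.strip())
        if pair and pair[0]:
            # assumption: names are case-insensitive; surrounding quotes are dropped
            params[pair[0].upper()] = pair[1].strip('"')
    return params

def audit(params):
    p = {**DEFAULTS, **params}
    yes = lambda k: p.get(k, "No").lower() == "yes"
    findings = []  # finding labels are hypothetical
    send, chunk = int(p["NUMOFRECORDSPERSEND"]), int(p["NUMOFRECORDSPERCHUNK"])
    if send > 4000 or chunk > 4000:
        findings.append("records-over-4000")
    if chunk > send:
        findings.append("chunk-exceeds-send")
    proxy = bool(p.get("PROXYTYPE"))
    if proxy and not p.get("PROXYADDRESS"):
        findings.append("proxy-address-missing")
    if yes("USEONLYHTTP1") and not (proxy or yes("BEHINDFIREWALL")):
        findings.append("http1-without-proxy-or-firewall")
    if "PROXYPASSWORD" in p:
        findings.append("inline-proxy-password")
    findings += [k.lower() + "-enabled" for k in ("TRUSTSSC", "ALLOWSSCFOR3PARTYAUTH") if yes(k)]
    return findings
```

Calling `audit(parse_vault_ini(SAMPLE))` returns the list of findings for the constructed file; a non-numeric record count raises `ValueError` rather than being silently accepted.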

API parameter

Parameter

Description

Addresses

The URL of the PVWA. Separate multiple PVWAs with commas.

If the CPM was installed before the PVWA, a warning is written to the scanner logs and the URL of the PVWA must be updated manually after PVWA installation.

Acceptable values: URL

Default value: None