Central Credential Provider
This topic provides an overview of the Central Credential Provider, its general architecture, and the technology platform it shares with other CyberArk products.
Overview
The Central Credential Provider consists of the Credential Provider for Windows, which is installed on an IIS server, and the Central Credential Provider web service, which calling scripts and applications use to retrieve credentials at run time.
Passwords that are stored in the CyberArk Digital Vault can be retrieved to the Central Credential Provider, where they can be accessed by authorized remote applications using web service calls. If these passwords are managed automatically by the CPM, the Vault makes sure that the passwords in the Central Credential Provider are constantly synchronized with the corresponding passwords in the Vault.
Applications that require credentials to access a remote device or to run another application remotely can request the relevant credentials from the Central Credential Provider using the Central Credential Provider web service.
The Central Credential Provider maintains a secure cache that contains the passwords required by requesting applications, together with the access control details that permit each application to receive the specific password it requested and no other. These applications must be defined in the Vault and must have the relevant access permissions in the Safe where the passwords are stored. For information about defining applications in the Vault, see Manage applications.
In addition, the Central Credential Provider checks that the requesting application matches the characteristics defined for it in the Vault, such as the Windows domain OS user it runs as or the address of the machine it runs on. Only if all these criteria are met does the Central Credential Provider retrieve the requested password and pass it on to the application. The Central Credential Provider constantly refreshes its cache from the Vault, so that the cache is always accurate regardless of when passwords were last changed on remote devices.
The Central Credential Provider maintains audit logs that track access to passwords, so that there is complete accountability for each password request by every application, and monitoring logs that register Central Credential Provider activity and status.
General Architecture
The Central Credential Provider can be implemented in a distributed environment, as shown in the diagram above. The main region houses the Vault and a load-balanced Central Credential Provider, which requests passwords as needed on behalf of applications.
Each remote region (for example, Singapore or the US) includes load-balanced Central Credential Providers, which request passwords from the Vault in the main region on behalf of the applications in that region and securely cache the requested passwords locally.
The Central Credential Provider secure cache eliminates the need to access the Vault for every password request and improves performance. Furthermore, when load balanced, the secure cache provides high availability and business continuity even when the Vault is unavailable.
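The following client, added here as an illustration and not CyberArk code, shows what the web service call described in the Overview looks like from the application's side, and how an application in one region can fall back across the load-balanced endpoints described in this section. The REST path /AIMWebService/api/Accounts, the AppID/Safe/Object/Reason query parameters and the Content, UserName, Address, ErrorCode and ErrorMsg response fields are the web service's documented interface; the host name https://ccp.example.internal, the AppID PayrollApp, the Safe AppSecrets, the object name db-payroll and the sample response body are all constructed for the example. The client-certificate option assumes the application was registered in the Vault to authenticate that way.

```python
"""Example Central Credential Provider client (added illustration, not CyberArk code).

Hypothetical deployment: CCP endpoints under https://ccp.example.internal,
application registered as AppID "PayrollApp", credential stored in Safe
"AppSecrets" under the object name "db-payroll".
"""
import json
import ssl
import urllib.parse
import urllib.request

CCP_PATH = "/AIMWebService/api/Accounts"


def build_ccp_url(base_url, app_id, safe, object_name, reason=None):
    """Build the GET URL for one credential request.

    Every request names the calling application (AppID). The CCP, not the
    client, decides whether that application may receive this object from
    this Safe, and returns only that one password.
    """
    params = {"AppID": app_id, "Safe": safe, "Object": object_name}
    if reason:
        params["Reason"] = reason  # recorded in the Vault audit trail
    return base_url.rstrip("/") + CCP_PATH + "?" + urllib.parse.urlencode(params)


def parse_ccp_response(body):
    """Extract the fields an application needs from the CCP JSON body."""
    data = json.loads(body)
    if "Content" not in data:
        # Failures come back as an ErrorCode/ErrorMsg pair instead of a secret.
        raise RuntimeError(data.get("ErrorMsg", "CCP returned no credential"))
    return {
        "username": data.get("UserName"),
        "address": data.get("Address"),
        "secret": data["Content"],
        "change_in_progress": str(data.get("PasswordChangeInProcess", "False")).lower() == "true",
    }


def redact(record):
    """Copy of a parsed record with the secret masked, safe to write to logs."""
    return {k: ("<redacted>" if k == "secret" else v) for k, v in record.items()}


def fetch_credential(base_urls, app_id, safe, object_name, reason=None,
                     client_cert=None, timeout=5):
    """Try each load-balanced or regional CCP endpoint in order.

    client_cert: optional (cert_file, key_file) tuple for applications that
    the Vault requires to present a client certificate (assumption).
    Returns the parsed record from the first endpoint that answers.
    """
    ctx = ssl.create_default_context()  # verifies the CCP server certificate
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    last_error = None
    for base in base_urls:
        url = build_ccp_url(base, app_id, safe, object_name, reason)
        try:
            with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
                return parse_ccp_response(resp.read())
        except (OSError, ValueError, RuntimeError) as exc:
            last_error = exc  # fall through to the next endpoint
    raise RuntimeError(f"all CCP endpoints failed: {last_error}")


# Constructed sample response shaped like a CCP success body; every value is invented.
SAMPLE_BODY = (b'{"Content":"s3cr3t-value","UserName":"svc_payroll",'
               b'"Address":"db1.example.internal","Safe":"AppSecrets",'
               b'"Folder":"Root","Name":"db-payroll","PasswordChangeInProcess":"False"}')

if __name__ == "__main__":
    print(build_ccp_url("https://ccp.example.internal", "PayrollApp",
                        "AppSecrets", "db-payroll", "nightly batch"))
    print(redact(parse_ccp_response(SAMPLE_BODY)))
    # Against a real deployment you would call, for example:
    # fetch_credential(["https://ccp-sg.example.internal", "https://ccp.example.internal"],
    #                  "PayrollApp", "AppSecrets", "db-payroll", reason="nightly batch")
```

Two design points: the client never writes the Content field to a log (redact exists for exactly that), and the endpoint list is ordered local region first, main region second, so the regional secure cache answers normally and the main region is only reached on failure.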
The Shared Technology Platform
The CyberArk Shared Technology Platform™ serves as the basis for the CyberArk Privileged Access Security Solution and allows customers to deploy a single infrastructure and expand the solution to meet expanding business requirements. Seamless integration of products built on the platform provides organizations with lower cost of ownership, simplified deployment and expansion, unified management, and centralized policy management and reporting.
The CyberArk Privileged Access Security Solution is built on a common platform, the CyberArk Shared Technology Platform. The consolidated platform delivers a single management interface, centralized policy creation and management, a discovery engine for provisioning new accounts, enterprise-class scalability and reliability, and a secure Digital Vault®. The individual products in the CyberArk Privileged Access Security Solution integrate with the consolidated platform, enabling organizations to centralize and streamline management.
Organizations can leverage the CyberArk Shared Technology Platform whether they are deploying multiple products for a comprehensive solution, or a standalone product. The platform is designed to easily integrate into any IT environment, whether on-premises or in the cloud.
Components of the platform used in the Central Credential Provider solutions include the following:
For more information about the Central Credential Provider, see: