Central Credential Provider

This topic provides an overview of the Central Credential Provider. It also describes the Central Credential Provider's general architecture and the technology platform that it shares with other CyberArk products.

Overview

The Central Credential Provider consists of the Credential Provider for Windows, which is installed on an IIS server, and the Central Credential Provider web service, which calling scripts and applications use to retrieve credentials at run time.

Passwords that are stored in the CyberArk Digital Vault can be retrieved to the Central Credential Provider, where they can be accessed by authorized remote applications using web service calls. If these passwords are managed automatically by the CPM, the Vault makes sure that the passwords in the Central Credential Provider are constantly synchronized with the corresponding passwords in the Vault.

Applications that require credentials to access a remote device or to run another application remotely can request the relevant credentials from the Central Credential Provider using the Central Credential Provider web service.

The Central Credential Provider maintains a secure cache that contains passwords required by requesting applications, together with all the access control details that will permit each application to receive the specific password that it requested and no other. These applications must be defined in the Vault and must have relevant access permissions in the Safe where the passwords are stored. For information about defining the applications in the Vault, see Manage applications.

In addition, the Central Credential Provider checks that the characteristics of the requesting application, such as its Windows Domain OS user or the address of the machine where it runs, match the application details defined in the Vault. Only if all these criteria are met does the Central Credential Provider retrieve the requested password and pass it on to the application. The Central Credential Provider constantly refreshes its cache from the Vault, so that it always contains accurate information, regardless of when passwords were last changed on remote devices.
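The request flow described above, seen from the calling application's side, as an added example that is not CyberArk's code and not taken from this page. It assumes the CCP REST endpoint path /AIMWebService/api/Accounts, the query parameters AppID, Safe, Object and Reason, and a JSON response whose Content field carries the password, as in CyberArk's published CCP interface; verify these against your own installation. The host names, safe and object names, and the sample response are constructed. The authorization decisions the text describes (the application is defined in the Vault, holds permissions on the Safe, and its OS user and machine address match) are made by the Central Credential Provider, so the client's own responsibilities reduce to sending the right identifiers over a properly verified TLS connection and never treating an error body as a credential.

```python
"""Minimal client for the Central Credential Provider web service.

Added example, not CyberArk's code. Endpoint path, parameter names and
response fields are assumptions based on CyberArk's published CCP
interface and are not stated on this page; sample values are constructed.
"""
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Credential:
    username: str
    address: str
    password: str


def build_ccp_url(base_url: str, app_id: str, safe: str, obj: str,
                  reason: Optional[str] = None) -> str:
    """Build the CCP retrieval URL.

    Every value is URL-encoded, so a safe or object name that contains a
    space, '&' or '=' cannot add or alter query parameters.
    """
    params = {"AppID": app_id, "Safe": safe, "Object": obj}
    if reason:
        params["Reason"] = reason  # recorded by CCP in the Vault audit trail
    return (base_url.rstrip("/") + "/AIMWebService/api/Accounts?"
            + urllib.parse.urlencode(params))


def parse_ccp_response(body: bytes) -> Credential:
    """Extract the credential from a CCP JSON response body.

    Raises ValueError when the assumed "Content" field is absent, so that a
    malformed body or an error response is never mistaken for a password.
    """
    data = json.loads(body)
    if "Content" not in data:
        raise ValueError("CCP response carries no credential; fields: "
                         + ", ".join(sorted(data)))
    return Credential(username=data.get("UserName", ""),
                      address=data.get("Address", ""),
                      password=data["Content"])


def tls_context(ca_file: str, client_cert: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for the CCP call: verify the server certificate against
    the CA the organization issued it from (hostname check included) and,
    optionally, present a client certificate to the CCP."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert)
    return ctx


def fetch_credential(url: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> Credential:
    """Perform the request against a real CCP; needs network access and is
    therefore not exercised in the offline usage below."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_ccp_response(resp.read())


# Constructed sample response using the assumed field names.
SAMPLE_RESPONSE = json.dumps({
    "Content": "s3cr3t-Example!",
    "UserName": "svc-report",
    "Address": "db01.example.internal",
    "Safe": "AppSecrets",
}).encode()


if __name__ == "__main__":
    url = build_ccp_url("https://ccp.example.internal", "ReportingApp",
                        "AppSecrets", "db01-svc-report", "nightly report")
    print(url)
    cred = parse_ccp_response(SAMPLE_RESPONSE)
    # The password itself is deliberately kept out of logs and stdout.
    print("retrieved credential for", cred.username, "on", cred.address)
```

The CA file passed to tls_context is what ties the application to its own Central Credential Provider rather than to whatever answers on that name; with a load-balanced deployment, a single virtual host name in the URL is enough, since the load balancer, not the client, chooses the node.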

The Central Credential Provider maintains audit logs that track access to passwords, so that there is complete accountability for each password request by every application, and monitoring logs that register Central Credential Provider activity and status.

General Architecture

The Central Credential Provider can be implemented in a distributed environment, as shown in the diagram above. The main region houses the Vault and load-balanced Central Credential Providers, which request passwords as needed on behalf of applications.

Each remote region, for example Singapore and the US, includes load-balanced Central Credential Providers that request passwords from the Vault in the main region on behalf of the applications in that region. These Central Credential Providers securely cache the requested passwords on behalf of their region.

The Central Credential Provider secure cache eliminates the need to access the Vault for every password request and improves performance. Furthermore, when load balanced, the Central Credential Provider secure cache provides high availability and business continuity regardless of Vault availability.

The Shared Technology Platform

The CyberArk Shared Technology Platform™ serves as the basis for the CyberArk Privileged Access Security Solution and allows customers to deploy a single infrastructure and expand the solution to meet growing business requirements. Seamless integration of products built on the platform provides organizations with lower cost of ownership, simplified deployment and expansion, unified management, and centralized policy management and reporting.

The CyberArk Privileged Access Security Solution is built on a common platform, the CyberArk Shared Technology Platform. The consolidated platform delivers a single management interface, centralized policy creation and management, a discovery engine for provisioning new accounts, enterprise-class scalability and reliability, and a secure Digital Vault®. The individual products in the CyberArk Privileged Access Security Solution integrate with the consolidated platform, enabling organizations to centralize and streamline management.

Organizations can leverage the CyberArk Shared Technology Platform whether they are deploying multiple products for a comprehensive solution, or a standalone product. The platform is designed to easily integrate into any IT environment, whether on-premises or in the cloud.

The components of the platform used in Central Credential Provider solutions include the following:

Digital Vault

The Digital Vault, also referred to as the Password Vault, is the secure location where your passwords and sensitive data can be stored. The Vault is designed to be installed on a dedicated computer, for complete data isolation. It is packed with state-of-the-art security technology, and is already configured and ready-to-use upon installation. This means that the security system does not require any security expertise or complicated configuration to operate at peak capacity.

The Vault tracks access to every password that it stores, and provides a central repository for detailed auditing information.

CPM

The Central Policy Manager (CPM) is a password management component that enforces the enterprise policy. It enables organizations to automatically change and verify accounts on remote machines, reconcile them if necessary, and store the new accounts in the Vault, with no human intervention, according to the organizational policy.

The CPM generates new random passwords and replaces existing passwords on remote machines. The new passwords are then stored in privileged accounts in the Vault where they benefit from all accessibility, audit and security features of the Privileged Access Security solution.

The CPM can also notify the Central Credential Provider of an upcoming password change so that the password can be synchronized on the Vault, the CPM and the Central Credential Provider simultaneously.

PVWA

The Password Vault Web Access (PVWA) is a fully featured web interface that provides end users, applications, and administrators with a single console for requesting, accessing and managing privileged accounts throughout the enterprise.

Simple wizards enable users to define new privileged accounts and applications, and the PVWA's intuitive interface enables users to configure the dependencies between them, as well as enterprise policies that control and manage the privileged accounts used by the defined applications, including access control, workflows, compliance, account management, monitoring, and auditing.

A powerful search mechanism enables users to find privileged accounts and sensitive files with minimum effort, while automatically produced lists of frequently used accounts and recently used accounts facilitate speedy access and auditing.

For more information about the Central Credential Provider, see: