Recommendations for best performance
This topic describes recommendations for determining the number of accounts and implementing best caching options to optimize Credential Provider (CP) performance.
These recommendations are relevant for all CPs, namely Credential Provider, Central Credential Provider, and Application Server Credential Provider.
General recommendations
- We recommend that queries be as specific as possible to improve performance; include as many parameters as you can. Always include the Safe name in a query; including the Safe name in the query reduces the number of Safes that the CP must scan in the Vault.
- We recommend referring to the following resources, to ensure that you are using supported, compatible CyberArk components:
  - Central Credential Provider for the Central Credential Provider
- To consume the CP Application Password SDKs, always use dynamic links (rather than static links). This will avoid the need to rebuild your application when an SDK upgrade is required. For more SDK best practices, see Application Password SDKs - best practices.
Credential Provider capacity
For optimal performance, use the following guidelines:
- To reduce the load on the Vault / Privilege Cloud, always configure a caching mechanism.
- Keep the total number of Safes accessed by the CP to a minimum.
- Keep the number of accounts stored in each Safe to a minimum.
- PAM - Self-Hosted:
  - When using the CP cache mechanism, the total number of accounts that the CP fetches from the Vault should not exceed 10,000. Fetching more than 10,000 accounts increases memory consumption, and you might experience some degradation in performance of the CP. A CP should not have permission to fetch more than 50,000 accounts from the Vault. Exceeding this limit will cause memory consumption issues and might cause the CP to become unstable.
  - The number of CPs per Vault should not exceed 6,000.
- Privilege Cloud: Limit the number of applications retrieving secrets from each CP to 500 applications.
Dual accounts
For highly critical applications, we recommend using dual accounts. Dual accounts ensure that there is always a valid credential available to an application, regardless of the password rotation requirements. This is especially recommended for high-load and highly critical applications. Dual accounts are supported with all CP solutions.
Configuration
For optimal performance, configure each CP as follows:
Recommendation | Configuration
---|---
Refresh the provider configuration settings every 24 hours |
Accept up to 40 concurrent requests from the SDK |
Utilize a cache file and memory cache | CacheLevel=persistent
Refresh the cache every 25 minutes | CacheRefreshInterval=1500
Expire the cache after 1 year | VaultAccessInterval=31536000
Wait 3001 seconds before executing a password change. (We recommend that you wait more than 2 cache refresh intervals before executing a password change; if CacheRefreshInterval=1500, wait (1500*2) + 1 seconds.) For more information about how to configure this parameter, see Credential Provider (CP) configuration files. A password change block must be implemented on the application side to protect against account lockouts during a change. |
Reduce the load on the Vault in the event of a failed password change | MaximumRetries=1, MinDelayBetweenRetries=30. See Privileged Account Management in the Privileged Access Security online help.
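As an added example (not CyberArk's code), the following script checks a CP configuration against the settings recommended in the table above and derives the password-change wait from CacheRefreshInterval. It assumes the configuration is plain Key=Value lines with '#' comments; the sample configuration is constructed for the demonstration.

```python
# Added example, not part of the CyberArk documentation or product code.
# Assumption: the CP configuration is plain "Key=Value" lines, '#' starts
# a comment, and keys are case-insensitive. Sample input is constructed.

RECOMMENDED = {
    "CacheLevel": "persistent",        # cache file plus memory cache
    "CacheRefreshInterval": 1500,      # seconds (25 minutes)
    "VaultAccessInterval": 31536000,   # seconds (1 year)
    "MaximumRetries": 1,               # limit Vault load on failed change
    "MinDelayBetweenRetries": 30,      # seconds
}


def parse_cp_config(text):
    """Parse Key=Value lines into a dict; skip blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key.lower()] = value
    return cfg


def min_password_change_delay(cfg):
    """Seconds to wait before a password change: more than 2 cache refreshes."""
    interval = int(cfg.get("cacherefreshinterval", RECOMMENDED["CacheRefreshInterval"]))
    return interval * 2 + 1


def lint_cp_config(text):
    """Return findings for settings that are missing or differ from the table."""
    cfg = parse_cp_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        have = cfg.get(key.lower())
        if have is None:
            findings.append(f"{key} not set (recommended {want})")
        elif have.lower() != str(want).lower():
            findings.append(f"{key}={have} (recommended {want})")
    return findings


# Constructed sample: no CacheLevel, a very short refresh, aggressive retries.
WEAK_CONFIG = """
CacheRefreshInterval=60   # refresh every minute: Vault is hit far more often
MaximumRetries=5
MinDelayBetweenRetries=5
"""

if __name__ == "__main__":
    for finding in lint_cp_config(WEAK_CONFIG):
        print("finding:", finding)
    print("wait before password change:", min_password_change_delay(parse_cp_config(WEAK_CONFIG)))
```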
- For more information about caching, see Caching and Credential Provider configuration.
- For system requirements, see System Requirements.
- For Credential Provider Performance Benchmark, see Credential Provider benchmark report.