CAVaultManager

The CAVaultManager utility enables you to manage the Vault database.

Syntax

CAVaultManager has the following syntax:

CAVaultManager <command> [command parameters]

The usage is explained in the following table. Each entry gives the command or parameter, its description, and whether it is mandatory.

CreateDB
    Creates the Vault database.

SecureDB
    Secures the Vault database.

    /MasterPassword
        The password for the Master user. This is a required parameter.
        Mandatory: Yes

    /RndBaseFileName
        The path where the initial entropy file is saved. This is a required parameter.
        Mandatory: Yes

    /DBEmergencyPasswordFileName
        The name of the file where the encrypted emergency password for database access is stored. This is a required parameter.
        Mandatory: Yes

SecureSecretFiles
    Secures the Vault's secret files.

    /SecretType
        The type of secret to secure. Options are LDAP, Radius, or HSM.
        Mandatory: Yes

    /Secret
        The secret. It cannot begin with "/".
        Mandatory: Yes

    /SecuredFileName
        The name of the file where the secured secret is stored.
        Mandatory: No

    /FileSectionName
        The name of the LDAP host section to secure within the file. The default is the LDAP directory section.
        Mandatory: No

SecureEntropyFile
    Secures the Vault entropy file.

    /RndBaseFileName
        The path where the random number generator state is saved. This is a required parameter.
        Mandatory: Yes

OptimizeDB
    Optimizes Vault performance.

UpgradeDB
    Upgrades the Vault database.

DeleteDB
    Deletes the Vault database.

RecoverDBPassword
    Recovers the Vault database connection password.

    /DBEmergencyPasswordFileName
        The name of the file where the encrypted emergency password for database access is stored. This is a required parameter.
        Mandatory: Yes

    /DBNewPassword
        The new password for database access.
        Mandatory: No

LDAPVerify
    Verifies the LDAP component configuration.

    /ConfOnly
        Verifies only the LDAP configuration files.
        Mandatory: No

    /Verbose
        Displays details of the LDAP verification checks.
        Mandatory: No

RestoreDB
    Restores the Vault database.

    /BackupPoolName
        The name of the backup set that the command refers to.
        Mandatory: No

    /NoSynchronize
        Does not synchronize the restored external files with the restored metadata; this may result in Safes containing files that aren't actually there.
        Mandatory: No

    /Force
        Synchronizes the existing and the restored databases without prompting the user for confirmation.
        Mandatory: No

SynchronizeDB
    Synchronizes the files in the Safes folder with the restored metadata.

    /SafePattern
        A Safe pattern indicating the Safes that will be synchronized with the restored data.
        Mandatory: No

    /FilesSyncOnly
        Enables synchronization between the files in the Restored Safes folder and the Safes folder.
        Mandatory: No

    /QuotaSyncOnly
        Enables synchronization between the quotas in the Restored Safes folder and the Safes folder.
        Mandatory: No

    /Update
        Updates the data in the Safes folder during the synchronization process.
        Mandatory: No

    /Force
        Prevents the application from displaying a confirmation message to the user before completing the restore/synchronize process.
        Mandatory: No

RecoverBackupFiles
    Recovers the backup files and re-encrypts them with a new backup key.

    /BackupPoolName
        The name of the backup set that the command refers to.
        Mandatory: No

DiagnoseDBReport
    Compiles a diagnostics report for the CyberArk Vault database.

    /OutputFileName
        The name of the report output file.
        Mandatory: No

GenerateKeyOnHSM
    Generates new encryption keys on the HSM. This parameter is mandatory if the HSM key will be generated on the HSM device.
    Mandatory: No

    /ServerKey
        Determines that server keys will be generated on the HSM device. This parameter is mandatory if the HSM key will be generated on the HSM device.
        Mandatory: No

LoadServerKeyToHSM
    Uploads the Server key to the HSM and updates the relevant parameters in DBParm.ini.

    /Pincode
        The PIN code required to upload the Server key to the HSM.
        Mandatory: No

    /WrapKey
        For use on HSM devices that require keys to be encrypted. This generates a new key pair: the public key is used to encrypt the server key, and the private key decrypts it on the HSM device.
        Mandatory: No

ReplaceLDAPDirectory
    Changes references in directory maps, users and groups from the current external directory to a different one.

    /CurrentLDAPDirectory <old_directory>
        The name of the external directory that these objects currently reference.
        Mandatory: Yes

    /NewLDAPDirectory <new_directory>
        The name of the new external directory that these objects will reference.
        Mandatory: Yes

    [/Update]
        Indicates whether the directory maps, users and groups will be updated, or whether this operation will be performed in simulation mode.
        Mandatory: No

AppendFriendlyDomainNameToGroup
    Adds Active Directory domain names to the names of groups that are provisioned in the Vault.

    /Update
        Indicates whether the Active Directory domain name will be added to the names of groups that are provisioned in the Vault, or whether this operation will be performed in simulation mode.
        Mandatory: No

TerminateDBTransaction
    Enables you to manually terminate transactions that have been running longer than a specified period of time.

    /DBTransactionID
        The unique transaction ID of the long transaction. This ID appears in the alert message that is written to the italog file when the transaction is identified by the MonitorLongTransactions parameter in DBParm.ini.
        Mandatory: No

RecoverReplicationPassword
    Recovers the replication user's password.
    Mandatory: No

StartDBReplication
    Begins the database replication. This command is issued from the DR site.
    Mandatory: No

StopDBReplication
    Stops the database replication. This command is issued from the DR site.

CollectLogs
    Creates a folder on the Vault server machine and stores a set of Vault server log files in it.
    Mandatory: No

    [/OutputFolderName]
        The full path of a folder where the Vault server log files will be saved.
        Mandatory: No

ConfigureAsMaster
    Configures the current Digital Vault as the Master Vault in a Distributed Vaults environment.
    Mandatory: No

    /MyIP
        The IP address of the current machine. By default, this utility uses the IP address of the first network card.
        Mandatory: No

    /Silent
        The utility does not issue any confirmation messages during configuration.
        Mandatory: Yes

ConfigureAsSatellite
    Configures the current Digital Vault as the Satellite Vault in a Distributed Vaults environment.
    Mandatory: No

    /MyIP
        The IP address of the current machine. By default, this utility uses the IP address of the first network card.
        Mandatory: No

    /Silent
        The utility does not issue any confirmation messages during configuration.
        Mandatory: Yes

    /ResetMasterAddress
        Forces the Read-Only Vault to obtain the IP address of the Replication Master Vault from Vault.ini. This command can be used when the Vault was not included or available during Distributed Vaults setup.
        Mandatory: No

UnSuspendUser
    Activates a suspended user on the Master Vault. This task can be performed using either the CAVaultManager utility or the PrivateArk Administrative Client.
    Mandatory: No

    /UserName [username]
        The name of the suspended user who will be reactivated.
        Mandatory: No

GetGTID
    Retrieves the last Global Transaction ID that was replicated from the Master Vault to the local Vault.
    Mandatory: No

    /All
        Prints all available GTIDs of the local Vault.
        Mandatory: No

Promote
    Changes the role of the current Vault from Read-Only to Master and updates the rest of the Vaults in the deployment to replicate from it.
    Mandatory: No

    /Silent
        The utility does not issue any confirmation messages during configuration.
        Mandatory: No

    /SkipVault [IP Address,...]
        Allows the promotion process to proceed without attempting a connection to the specified Read-Only Vault. This is useful when a Read-Only Vault is not responsive and may delay the promotion process, as the process tries to connect to it to update the replication source.
        Mandatory: No

    /EnableTrace
        The utility writes extended log information during command execution.
        Mandatory: No

WaitForReplication
    Waits until the slave SQL thread has executed the transactions whose global transaction IDs are contained in the given GTID set.
    Mandatory: No

    /InputGTID
        The Global Transaction ID to wait for.
        Mandatory: Yes

    /Timeout
        The timeout in seconds that the Master Vault will wait until all of the transactions in the GTID set have been executed. The default value is 86400 seconds (1 day).
        Mandatory: No

Create a database

CAVaultManager CreateDB

This command creates a new Vault database.

Secure the Vault database

CAVaultManager SecureDB /MasterPassword <Password> /RndBaseFileName <Filename> /DBEmergencyPasswordFileName <Filename>

This command secures the Vault database using the Master password and the initial entropy file, then creates an encrypted emergency password and stores it in an emergency password file, which enables access to the Vault database.

For example:

CAVaultManager SecureDB /MasterPassword mstrpwd123 /RndBaseFileName C:\rndbasefile.dat /DBEmergencyPasswordFileName C:\VaultEmergency.pass

The above example secures the Vault database using the Master password mstrpwd123 and the initial entropy file stored in C:\rndbasefile.dat, then creates and encrypts an emergency password and stores it in C:\VaultEmergency.pass.
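The following PowerShell wrapper is an added example and is not part of the CyberArk documentation. It runs the SecureDB command shown above, but collects the Master password interactively so that it is neither typed into the console history nor hard-coded in a script, checks the preconditions the command depends on (the initial entropy file exists, no emergency password file is overwritten), and verifies the result. The CAVaultManager.exe location, the file paths, and the assumption that the utility returns exit code 0 on success are assumptions, not values taken from the documentation.

```powershell
# Added example; not from the CyberArk documentation. The install path and the
# exit-code convention are assumptions.
param(
    [string]$CAVaultManager = 'C:\Program Files\PrivateArk\Server\CAVaultManager.exe', # assumed install path
    [string]$RndBaseFile    = 'C:\rndbasefile.dat',
    [string]$EmergencyFile  = 'C:\VaultEmergency.pass'
)

# Preconditions: the initial entropy file must exist, and an existing emergency
# password file must not be overwritten silently.
if (-not (Test-Path -LiteralPath $RndBaseFile)) {
    throw "Initial entropy file not found: $RndBaseFile"
}
if (Test-Path -LiteralPath $EmergencyFile) {
    throw "Emergency password file already exists, refusing to overwrite: $EmergencyFile"
}

# Read the Master password without echo; it never appears in the script or the history.
$secure = Read-Host -Prompt 'Master user password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# The call operator passes each token to the utility as a separate argument.
& $CAVaultManager SecureDB /MasterPassword $plain `
    /RndBaseFileName $RndBaseFile `
    /DBEmergencyPasswordFileName $EmergencyFile
$exit  = $LASTEXITCODE
$plain = $null   # drop the clear-text copy as soon as the call returns

if ($exit -ne 0) {                       # assumption: non-zero exit code means failure
    throw "SecureDB failed with exit code $exit"
}
if (-not (Test-Path -LiteralPath $EmergencyFile) -or
    (Get-Item -LiteralPath $EmergencyFile).Length -eq 0) {
    throw "SecureDB reported success but $EmergencyFile is missing or empty"
}
Write-Host "Vault database secured; emergency password file written to $EmergencyFile"
```

The utility still receives the password as a command-line argument, as its syntax requires, so run the wrapper from an interactive administrator session on the Vault server rather than through a remoting or automation layer that records process command lines.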

Secure secret files

This command secures the files that contain either the Radius or the LDAP secret.

CAVaultManager SecureSecretFiles [/SecretType <Type>] [/Secret <Secret>] [/SecuredFileName <Filename>] [/FileSectionName <SectionName>]

Example 1:

CAVaultManager SecureSecretFiles /SecretType Radius /Secret VaultSecret /SecuredFileName c:\RadiusSecret.txt

The above example creates a file called c:\RadiusSecret.txt that contains the encrypted Radius secret, VaultSecret.

Example 2:

CAVaultManager SecureSecretFiles /SecretType LDAP /Secret LDAPSecret /SecuredFileName "c:\Program Files\PrivateArk\Server\LDAP\Directories\ActiveDirectory.ini" /FileSectionName LDAPHost2

The above example opens the existing file c:\Program Files\PrivateArk\Server\LDAP\Directories\ActiveDirectory.ini and secures the section called LDAPHost2 in it by inserting the encrypted LDAP secret, LDAPSecret, into that section.
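The following PowerShell script is an added example, not code from the CyberArk documentation. It wraps Example 2 above: before calling SecureSecretFiles it confirms that the target section exists in the directory .ini file and enforces the documented restriction that the secret cannot begin with "/"; afterwards it checks that the file actually changed and that the clear-text secret did not end up in it. The CAVaultManager.exe location and the exit-code convention are assumptions; the .ini path and section name are the ones used in Example 2.

```powershell
# Added example; not from the CyberArk documentation. The install path and the
# exit-code convention are assumptions.
param(
    [string]$CAVaultManager = 'C:\Program Files\PrivateArk\Server\CAVaultManager.exe', # assumed install path
    [string]$IniFile = 'C:\Program Files\PrivateArk\Server\LDAP\Directories\ActiveDirectory.ini',
    [string]$Section = 'LDAPHost2'
)

# The section that will receive the encrypted secret must already exist in the file.
$sectionPattern = '^\s*\[' + [regex]::Escape($Section) + '\]\s*$'
if (-not (Select-String -LiteralPath $IniFile -Pattern $sectionPattern -Quiet)) {
    throw "Section [$Section] not found in $IniFile"
}

# Collect the secret without echo. Documented restriction: it cannot begin with "/".
$secure = Read-Host -Prompt "LDAP secret for [$Section]" -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password
if ([string]::IsNullOrEmpty($secret) -or $secret.StartsWith('/')) {
    throw 'The secret must be non-empty and cannot begin with "/"'
}

$before = (Get-FileHash -LiteralPath $IniFile -Algorithm SHA256).Hash
& $CAVaultManager SecureSecretFiles /SecretType LDAP /Secret $secret `
    /SecuredFileName $IniFile /FileSectionName $Section
$exit = $LASTEXITCODE
if ($exit -ne 0) {                       # assumption: non-zero exit code means failure
    $secret = $null
    throw "SecureSecretFiles failed with exit code $exit"
}

# Sanity checks: the file should have changed, and only the encrypted form of the
# secret belongs in it, never the clear text.
$after = (Get-FileHash -LiteralPath $IniFile -Algorithm SHA256).Hash
if ($before -eq $after) {
    Write-Warning "$IniFile is unchanged after SecureSecretFiles"
}
if (Select-String -LiteralPath $IniFile -SimpleMatch -Pattern $secret -Quiet) {
    Write-Warning "Clear-text secret found in $IniFile; do not deploy this file"
}
$secret = $null
Write-Host "Section [$Section] of $IniFile secured"
```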

Secure the Vault Entropy file

CAVaultManager SecureEntropyFile [/RndBaseFileName <Filename>]

This command creates the Vault's entropy file from the initial entropy file and secures it using the server key.

For example:

CAVaultManager SecureEntropyFile /RndBaseFileName c:\rndbasefile.dat

The above example creates the Vault's entropy file from the initial entropy file stored in c:\rndbasefile.dat and then secures it with the server key.

Optimize Vault performance

This command configures the Vault for optimal performance by optimizing the database structure and reclaiming unused database space.

This command creates a folder, D:\PrivateArk\Safes\Metadata OptimizeDB Backups, specifically for the backup files that are created when the command is run. The name of each backup file is made up of the date and time of the backup.

All the backup files are saved in this folder, which is not cleared automatically, so make sure that you clear this folder regularly.

Although this command creates its own backup, perform a full backup of the Vault database before running it.
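The following PowerShell script is an added example and is not part of the CyberArk documentation. It shows one way to operationalize the two cautions above: it prunes OptimizeDB backups older than a retention window (the folder is never cleared by the utility), reports free space on the backup drive, runs OptimizeDB, and then lists the backup that the run produced. The CAVaultManager.exe location, the retention window and the exit-code convention are assumptions; the backup folder is the one named in the documentation and may differ on your installation. It does not replace the full Vault database backup the documentation asks for before the command is run.

```powershell
# Added example; not from the CyberArk documentation. The install path, the
# retention window and the exit-code convention are assumptions.
param(
    [string]$CAVaultManager = 'C:\Program Files\PrivateArk\Server\CAVaultManager.exe', # assumed install path
    [string]$BackupFolder   = 'D:\PrivateArk\Safes\Metadata OptimizeDB Backups',       # folder named in the documentation
    [int]$KeepDays = 30,   # local retention policy, not a documented value
    [switch]$DryRun
)

# 1. The utility never clears its backup folder, so prune backups older than the
#    retention window before adding another one.
if (Test-Path -LiteralPath $BackupFolder) {
    $cutoff = (Get-Date).AddDays(-$KeepDays)
    Get-ChildItem -LiteralPath $BackupFolder -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            if ($DryRun) {
                Write-Host "Would remove $($_.FullName) ($($_.LastWriteTime))"
            } else {
                Remove-Item -LiteralPath $_.FullName
                Write-Host "Removed $($_.FullName)"
            }
        }
}

# 2. Report free space on the drive that will receive the new backup.
$driveName = (Split-Path -Qualifier $BackupFolder).TrimEnd(':')
$drive = Get-PSDrive -Name $driveName
Write-Host ("{0:N1} GB free on {1}:" -f ($drive.Free / 1GB), $driveName)

# 3. Run the optimization. A full Vault database backup is expected to have been
#    taken before this point; the script does not perform it.
if ($DryRun) { Write-Host 'Dry run: OptimizeDB not executed'; return }
& $CAVaultManager OptimizeDB
if ($LASTEXITCODE -ne 0) {               # assumption: non-zero exit code means failure
    throw "OptimizeDB failed with exit code $LASTEXITCODE"
}

# 4. Show the backup this run produced; its name carries the backup date and time.
Get-ChildItem -LiteralPath $BackupFolder -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Property Name, Length, LastWriteTime -First 1
```

Run it once with -DryRun to see which backup files would be removed before letting it delete anything.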

Upgrade the Vault database

CAVaultManager UpgradeDB

This command upgrades the Vault database in future versions of the CyberArk Vault.

Delete the Vault database

CAVaultManager DeleteDB

This command deletes all the information from the Vault database.

This information cannot be retrieved after it has been deleted.

Recover the database password

CAVaultManager RecoverDBPassword [/DBEmergencyPasswordFileName <Filename>] [/DBNewPassword <Password>]

This command recovers the password that is used to access the Vault database. It uses the password stored in the emergency password file to retrieve the emergency database password, which enables access to the Vault database, then generates a new database password and stores it in the file specified by the DatabaseConnectionPasswordFile parameter in DBParm.ini. The new password can either be specified by the user or generated randomly.

For example:

CAVaultManager RecoverDBPassword /DBEmergencyPasswordFileName C:\VaultEmergency.pass

The above example retrieves the emergency password stored in C:\VaultEmergency.pass, then generates a new random database password and stores it in the password file specified by the DatabaseConnectionPasswordFile parameter in DBParm.ini.

CAVaultManager RecoverDBPassword /DBEmergencyPasswordFileName C:\VaultEmergency.pass /DBNewPassword NewDBPwd

The above example retrieves the emergency password stored in C:\VaultEmergency.pass, then encrypts the specified new password, NewDBPwd, and stores it in the password file specified by the DatabaseConnectionPasswordFile parameter in DBParm.ini.

Verify LDAP configuration

CAVaultManager LDAPVerify /ConfOnly /Verbose

This command carries out an integrity check on the LDAP configuration files, checks the connection with the LDAP component, and displays a detailed status report.

The /ConfOnly parameter carries out the integrity check on the LDAP configuration files only, without checking the connection status to the LDAP component.

Synchronize the Vault database

CAVaultManager SynchronizeDB [/SafePattern <Pattern>] /FilesSyncOnly /QuotaSyncOnly /Update /Force

This command synchronizes the Vault database after the backup files have been transferred to the Vault from backup data. It can synchronize only files or only quotas, in specific Safes, in the entire Vault, or according to a Safe pattern. The command can either simulate the synchronization or carry it out, with or without confirmation from the user.

For example:

CAVaultManager SynchronizeDB /FilesSyncOnly /Update

The above example synchronizes the backup files that were restored in the Vault (using the RestoreDB command) with the restored metadata. Because /Update is specified, the synchronization is carried out rather than simulated, and because /Force is not, the user is prompted for confirmation during the process.

Recover Backup Files

CAVaultManager RecoverBackupFiles [/BackupPoolName <BackupPoolName>]

This command uses the Vault's Recovery Private Key to access all the backup files in the Restored Safes folder and re-encrypt them with a new backup key, for use when the original backup key cannot be used.

For example:

CAVaultManager RecoverBackupFiles /BackupPoolName BkpSvr1

The above example recovers the backup files from a Backup Pool called BkpSvr1 and re-encrypts them with a new, accessible backup key.

Compile a diagnostics report for the Vault database

CAVaultManager DiagnoseDBReport [/OutputFileName <FileName>]

This command compiles a diagnostics report for the Vault database.

Use this command only in response to a request from CyberArk support.

For example:

CAVaultManager DiagnoseDBReport /OutputFileName c:\CompanyVaultDiagnostics.txt

The above example compiles a diagnostics report of the Vault and saves it in a text file called CompanyVaultDiagnostics.txt in c:\.

Replace the current LDAP directory

CAVaultManager ReplaceLDAPDirectory /CurrentLDAPDirectory <old_directory> /NewLDAPDirectory <new_directory> [/Update]

This command changes references in directory maps, users and groups from the current directory to a different one.

For example:

CAVaultManager ReplaceLDAPDirectory /CurrentLDAPDirectory Directory_1 /NewLDAPDirectory Directory_2

The above example changes references in directory maps, users and groups, which define how external users are managed in the Vault, from Directory_1 to Directory_2. Without /Update, the operation runs in simulation mode and no changes are applied.
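The following PowerShell script is an added example and is not part of the CyberArk documentation. It applies the simulate-then-update sequence that the /Update parameter makes possible: the first pass runs ReplaceLDAPDirectory without /Update and saves the simulation output for review, and only after an explicit confirmation does the second pass run the same command with /Update. The CAVaultManager.exe location, the log folder and the exit-code convention are assumptions; the directory names are passed in as parameters.

```powershell
# Added example; not from the CyberArk documentation. The install path, the log
# location and the exit-code convention are assumptions.
param(
    [Parameter(Mandatory)][string]$CurrentDirectory,   # e.g. Directory_1
    [Parameter(Mandatory)][string]$NewDirectory,       # e.g. Directory_2
    [string]$CAVaultManager = 'C:\Program Files\PrivateArk\Server\CAVaultManager.exe', # assumed install path
    [string]$LogFolder = $env:TEMP
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$simLog = Join-Path $LogFolder "ReplaceLDAPDirectory-simulation-$stamp.log"

# Pass 1: without /Update the command runs in simulation mode and reports which
# directory maps, users and groups would be changed. Keep that output on disk.
& $CAVaultManager ReplaceLDAPDirectory /CurrentLDAPDirectory $CurrentDirectory `
    /NewLDAPDirectory $NewDirectory 2>&1 | Tee-Object -FilePath $simLog
if ($LASTEXITCODE -ne 0) {               # assumption: non-zero exit code means failure
    throw "Simulation failed with exit code $LASTEXITCODE; see $simLog"
}
Write-Host "Simulation output saved to $simLog. Review it before applying."

# Require the operator to retype the target directory name as confirmation, so a
# stray keypress cannot apply the change.
$answer = Read-Host "Type the new directory name ($NewDirectory) to apply the change, anything else to abort"
if ($answer -ne $NewDirectory) {
    Write-Host 'Aborted; no changes were made.'
    return
}

# Pass 2: the same command with /Update performs the change.
$applyLog = Join-Path $LogFolder "ReplaceLDAPDirectory-update-$stamp.log"
& $CAVaultManager ReplaceLDAPDirectory /CurrentLDAPDirectory $CurrentDirectory `
    /NewLDAPDirectory $NewDirectory /Update 2>&1 | Tee-Object -FilePath $applyLog
if ($LASTEXITCODE -ne 0) {
    throw "Update failed with exit code $LASTEXITCODE; see $applyLog"
}
Write-Host "Update complete; output saved to $applyLog"
```

The same two-pass pattern applies to AppendFriendlyDomainNameToGroup, whose /Update parameter likewise selects between simulation mode and applying the change.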

 
Privileged Access Security 11.1