CPM installation requirements
This topic describes the requirements for installing CPM on a Windows Server.
PVWA must be installed before you can install CPM.
Make sure that you have installed the latest version of PVWA that works with your current CPM version. For more information about version compatibility between the PVWA and the CPM, see Vault, PVWA, and component version compatibility .
Enable a secure channel between the CPM and PVWA
If PVWA is configured to communicate through a secure channel (HTTPS), the CPM machine needs to trust the PVWA SSL certificate.
Import the CA certificate from the CA that issued the PVWA's SSL certificate to the CPM server.
Make sure that the CPM server can access the CRL Distribution Points referenced in the PVWA's certificate.
As the CPM is important in terms of availability and sensitive information handling, its security is imperative. Before installing CPM, make sure that your system complies with security requirements.
Use the strictest organizational policy that will enable the CPM to function properly, regarding physical access to the CPM machine, network access, access control, auditing, monitoring, active services and relevant up-to-date security patches.
The CPM machine should not have access to, or be accessible from, the Internet or any other unsecured network in the organization.
For more information, see Security Fundamentals.
Set up a clean Windows Server. The following Windows Server versions are supported:
Windows 2012 R2
The CPM must be installed on a different machine from the Vault.
Windows PowerShell version 5 or later must be installed.
The CPM uses a TCP connection to communicate with the CyberArk Vault. Therefore, any type of network protection on the machine where the CPM is installed must allow TCP communication with the Vault’s IP address. The default TCP port number for communication to the Vault is 1858
The CPM must also be able to communicate with the remote machine where passwords are changed. Specific network requirements differ according to the type of remote machine where the passwords will be changed (Windows Domain, Linux, Oracle, etc.).
The CPM Scanner also requires network access to the PVWA server in order to process scans and scan tasks.
Set user authorizations
The user performing the installation must have both Vault user authorizations and Safe ownership.
Vault user authorizations
During installation, Safes and a user are created to enable the CPM to work. In order to create the Safes and the user, the Vault user performing the installation must have the following authorizations in the Vault:
Reset Users’ Passwords
Manage Server File Categories
The user performing the installation must have ownership of the VaultInternal and Notification Engine Safes, and the following permissions:
Manage Safe Owners