Install the Distributed Vaults Components

After installing the Primary and Satellite Vaults in the Distributed Vaults environment, install the components that work in the environment.

To configure each component to work with the Satellite Vault, see After Installation - Components.


Perform the PVWA installation against the Primary Vault. For details, see Install PVWA.

In a Distributed Vaults environment, first install all PVWAs against the Primary Vault, and then configure those PVWAs that will work against the Satellite Vault, as described in Configure a list of prioritized Vaults in Distributed Vaults environment for CyberArk clients.

You must install PVWA and CPM according to the following order. First, install all PVWAs that will be connected to the Primary Vault, then all CPMs, and only then install all PVWAs that, after the installation against the Primary Vault, will be configured to work against the Satellite Vault.


If you install all PVWAs, whether they work against Primary Vault or Satellite Vault, before installing CPM, you must perform an additional step when configuring CPM. For details, see CPM.


Perform the CPM installation against the Primary Vault. For details, see Install CPM.



PSM must be installed against the Primary Vault. Upgrade and repair are supported against all Vaults.

For details on installing PSM, refer to Install PSM.

There is a new step in the PSM installation, which defines the API Gateway (PVWA) where PSM will send REST API calls. These calls enable PSM to connect to the target.


To configure API Gateway connection details automatically or manually:

  • The PSM machine must have trusted communication to the PVWA machine.

  • Port 443 between the PSM and PVWA machines must be open.

  • Automatic installation:

    In the automatic installation registration stage (for details, see PSM automatic installation) there are two new parameters:

    • - apigwhost - The PVWA host name
    • - apigwprotocol - The protocol (default value is https)

  • Manual installation:

    In the manual installation (for details, see PSM wizard installation) there is a new screen:

PSM for SSH Installation

For details on installing PSM for SSH, refer to Install PSM for SSH.


You must install and repair PSM for SSH using the Primary Vault. You can upgrade using any Vault.

AD Bridge is not supported in a Distributed Vaults environment.

To block the ADBridge environment creation and service deployment while installing PSM for SSH, uncomment the EnableADBridge parameter in the psmpparms configuration file and set it to EnableADBridge=No.

Other components

Install all other components as described in Install PAM.