PVWA post-installation tasks

This topic describes tasks that you perform after you have installed PVWA.

Check the installation log files

Several log files are created during installation to monitor the installation process, and to verify that the PVWA was installed successfully.

Log files are created in the default Windows Temp folder.

 

The default folder may be different depending on the Windows OS installed on your machine.

Installation procedure and error log files

The following log files contain information about the installation procedure:

  • PVWAInstall.log

  • PVWAInstallEnv.log

  • PVWAInstallError.log

  • PVWAInstallErrorEnv.log

Connection and environment log files

Additional log files are created in the Env\Log subfolder of the PVWA configuration folder. The files below contain important information about the Vault connection configuration and the PVWA environment set up in the Vault.

Internal log files

Other log files that are used for internal purposes are created in the same folder during installation.

Check the user permissions on the web server

During PVWA installation, a set of folders are created on the web server in the default location, C:\CyberArk\Password Vault Web Access, or in the location that you specified during installation.

Check that the user permissions for these folders and the <Windows folder>\Temp folder are set according to the table below.

 

There may be inherited permissions not listed in the table below. We recommend removing these permissions for the relevant folders.

Folder User/Group Permission
CredFiles Administrators

Full control

Application pool’s dedicated user:
IIS AppPool\PasswordVaultWebAccessPool

Full control

VaultInfo Administrators

Full control

Application pool’s dedicated user:
IIS AppPool\PasswordVaultWebAccessPool

Full control

WebCharts Administrators

Full control

Application pool’s dedicated user:
IIS AppPool\PasswordVaultWebAccessPool

Full control

Internet Guest user1
(IIS_IUSR)

Read & Execute

<Windows folder>\Temp Administrators

Full control

Application pool’s dedicated user:
IIS AppPool\PasswordVaultWebAccessPool

Full control

Add restrictions to the protected credentials file

During installation, a credentials file is created to enable the PVWA user to log on to the Vault.

To enhance the security of the credentials file, use the CreateCredFile utility in the Env folder to create a protected credentials file. For more information, see User credential files.

Optional post-installation tasks

Authentication

By default, users can authenticate to the PVWA with CyberArk Password authentication. However, you can configure additional authentication methods to meet your organizational security and authentication standards. For more information, see Authenticate to Privileged Access Manager .

Replace self-signed certificate

As a part of the Prerequisites script, a self-signed certificate is created. We recommend that you replace this certificate with a trusted certificate after installation.

Specify multiple Vault IP addresses

For high availability implementations and Disaster Recovery, after installation you can specify more than one Vault IP address. When PVWA is running, if it cannot access the first Vault IP address, it automatically tries to access the next Vault IP address transparently, without human intervention.

To enter multiple Vault IP addresses:

  • In the Vault.ini file, in the Address parameter, enter each Vault IP address, separated by commas.

There is no limit to the number of IP addresses that you can specify.

Enable FIPS cryptography

After installation, FIPS cryptography is disabled by default. You can enable it in the registry by adding the AdvancedFIPSCryptography parameter to the web.config file.

  1. Go to the application folder, usually located in C:\inetpub\wwwroot\Passwordvault, and open the web.config file.

  2. Under <appsettings>, add the following key:

     
    <add key="AdvancedFIPSCryptography" value="yes" />
  3. Restart the IIS.