CreateCredFile Utility

The Vault interfaces access the Vault with a user credential file that contains the user’s Vault username and encrypted logon information. This user credential file can be created for password, Token, PKI, or Radius authentication with a utility that is run from a command line prompt. It can also create a credentials file for authentication through a Proxy server.

User credential files can specify restrictions which increase their security level and ensure that they cannot be used by anyone who is not permitted to do so, nor from an unauthorized location. The updated CreateCredFile utility can enforce any of the following restrictions:

Specific application – The credentials file can only be used by a specific CyberArk application or module. This can be specified for Password, Token, or PKI authentication but not for Proxy authentication. For more details about specific applications, refer to CreateCredFile Utility.
Specific path – The credentials file can only be used by an executable located in a certain path.
IP address or hostname – The credentials file can only be used on the machine where it is created.
Operating System user – The credentials file can only be used by an application started by a specified Operating System user.

These restrictions are specified during the credentials file creation process.

Credential files that were created in versions prior to version 4.5 with the CreateAuthFile and CreateCredFile utilities can still be used. However, they do not contain the increased security restrictions that are included in the CreateCredFile utility that is released with this version.

Credentials files that are created with restrictions will not be supported by CyberArk components from previous versions.

Before creating or updating the user credential file, make sure that you are familiar with the user’s authentication details in the Vault as you will be required to provide logon credentials to generate the encrypted credentials file.

Credential file security

Credential files are protected using the following mechanisms:

1. The encrypted token (320-bit) is changed on a daily basis. This means that a credential file that was used today will not be usable tomorrow.
2. The encrypted token is encrypted using AES 256-bit key that comprises the following parts:
a. Random salt that is stored in the credential file (160-bit). This randomness assures that each credential file is encrypted with a unique key.
b. Environmental key material:
Client id – Ten characters that identify a specific component
OS user – The ID of the OS user who runs the component
IP address of the local machine
Application – The specific application or module that will use the credentials file.
c. The key is generated by a secure hash (SHA1) of the above key materials.
3. You can protect your credential files even more using the appropriate operating system permissions.

Specify applications

The following CyberArk applications can be specified in a user credentials file:

Application ID
Central Policy Manager CPM
Password Vault Web Access PVWA
Password Vault Web Access application user PVWAApp
OPM and Credential Provider AppPrv
Privileged Session Manager application user PSMApp
CyberArk Replicator/Restore/Prebackup CABACKUP
Disaster Recovery Vault DR
Event Notification Engine ENE
PrivateArk Client WINCLIENT, GUI
CyberArk CLI PACLI
CyberArk ActiveX API XAPI
CyberArk .Net API NAPI
Export Vault Data EVD
CyberArk Encryption Utility CACrypt

Create user credentials files

The CreateCredFile utility is located in the CyberArk\Utilities installation folder. It can be used to create a user credential file for password, RADIUS, Token, or PKI authentication with a utility that is run from a command line prompt.

It can also create a user credential file for authentication through a Proxy server.

The CreateCredFile utility uses the following syntax:

 

CreateCredFile <FileName> <command> [command parameters]

Parameter Unix Command Specifies
Filename Filename The name of the user credential file to create or update, specifically user.cred.
Password Password Indicates that the credential file will be created with password authentication details.
/Username -username Sets the username in the credential file.
This parameter is required. If you do not specify it in the command, you will be prompted for it.
/Password -password The password that will be encrypted in the credential file.
This parameter is required. If you do not specify it in the command, you will be prompted for it.
/UseOSProtected
Storage 		  Use Operating System protected storage for credential file secret (Windows only).
Valid values are Machine, User and No.
By default, this parameter is set to No.
User   Use protected storage that is accessible only to the user who is logged on and invoked the CreateCredFile utility.
Machine   Use protected storage that is accessible only for the machine where the CreateCredFile utility was invoked.
None   Do not use operating system protected storage.
/DisableSyncPassword
ToDR 		-DisableSync PasswordToDR Whether or not passwords in user credential files will be replicated to all DR sites before they are replaced.
By default, this parameter is set to ‘No’, which makes sure that user credential files on all DR sites (if they exist) are synchronized with the Production Vault and that users will be able to continue working with the Vault seamlessly after a failover. If this parameter is changed to ‘Yes’, passwords will be replaced in credential files regardless of whether or not they have been replicated to all DR sites.
/ExternalAuth -externalauth The type of external authentication that will be used to authenticate users to the Vault.
Radius -radius Creates a user name-password credential file for use with RADIUS server.
LDAP -ldap Creates a user name-password credential file for use with an LDAP directory.
No -no This credential file will not be used with either a Radius server or an LDAP directory.
/AppType
<Application ID> 		-apptype
<application id> 		A unique application ID that specifies the application that will be able use this file.
/ExePath <Path> -exepath <path> The full path of the executable that will be able to use this file.
Notes:
On UNIX machines, if the executable will be executed from the PATH you can specify only the name of the executable. Otherwise, specify the complete path.
When you specify PVWA, specify the full path of the web server executable, e.g. c:\windows\system32\inetsrv\w3wp.exe.
/IpAddress -/ipaddress The IP address of the current machine. When this parameter is specified, the credentials file will specify the IP address of the current machine and will only authenticate the user to the Vault from the current machine.
Note: Specify either the ‘IPAddress’ parameter or the ‘ClientHostName’ parameter. You cannot specify both.
/ClientHostname -/clienthostname The hostname of the current machine. When this parameter is specified, the credentials file will specify the hostname of the current machine and will only authenticate the user to the Vault from a machine with the specified hostname.
Note: Specify either the ‘IPAddress’ parameter or the ‘ClientHostName’ parameter. You cannot specify both.
/OSUsername <Operating
System User name> 		-osusername <operating
system user name> 		The name of the Operating System user who will be able to use this file.Notes:
On UNIX machines, specify only the username.
On Windows machines, specify the username in “domain_name\username” format.
When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”. The quotation marks are required because of the space in “nt authority”.
/DisplayRestrictions -displayrestrictions When this parameter is specified, the generated credentials file will specify all the restrictions in a readable manner. This will enable users to understand the exact restrictions on the file.
Token   Creates a user credential file with a key stored on a token.
/Username   Sets the username in the credential file.
This parameter is required. If you do not specify it in the command, you will be prompted for it.
/Password   The password that will be encrypted in the credential file.
This parameter is required. If you do not specify it in the command, you will be prompted for it.
/DLLpath   Specifies the DLL file path used by the token device.
This parameter is required. If you do not specify it in the command, you will be prompted for it.
/PIN   Specifies the PIN code required by the token device.
This parameter is required. If you do not specify it in the command, you will be prompted for it.
/ExternalAuth   The type of external authentication that will be used to authenticate users to the Vault.
Radius   Creates a credential file for use with RADIUS server.
LDAP   Creates a credential file for use with an LDAP directory.
No   This credential file will not be used with either a Radius server or an LDAP directory.
/InitToken   Initializes the token device for use with CyberArk password authentication. This parameter must be specified the first time you use a token device to store a CyberArk password encryption key.
/AppType
<Application ID> 		  A unique application ID that specifies the application that will be able use this file.
/ExePath <Path>   The full path of the executable that will be able to use this file.
Notes:
On UNIX machines, if the executable will be executed from the PATH you can specify only the name of the executable. Otherwise, specify the complete path.
When you specify PVWA, specify the full path of the web server executable.
/IpAddress   The IP address of the current machine When this parameter is specified, the credentials file will specify the IP address of the current machine and will only authenticate the user to the Vault from the current machine.
Note: Specify either the ‘IPAddress’ parameter or the ‘ClientHostName’ parameter. You cannot specify both.
/ClientHostname   The hostname of the current machine. When this parameter is specified, the credentials file will specify the hostname of the current machine and will only authenticate the user to the Vault from a machine with the specified hostname.
Note: Specify either the ‘IPAddress’ parameter or the ‘ClientHostName’ parameter. You cannot specify both.
/OSUsername <Operating
System User name> 		  The name of the Operating System user who will be able to use this file.
Notes:
On UNIX machines, specify only the username.
On Windows machines, specify the username in “domain_name\username” format.
When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”. The quotation marks are required because of the space in “nt authority”.
/DisplayRestrictions   When this parameter is specified, the generated credentials file will specify all the restrictions in a readable manner. This will enable users to understand the exact restrictions on the file.
PKI   Creates a credential file based on a PKI certificate.
/CertIssuer   Personal certificate issuer.
/CertSerial   Personal certificate serial number.
/PIN   Specifies the PIN code required to access the certificate.
This parameter is required if the certificate is stored on a Token.
/AppType
<Application ID> 		  A unique application ID that specifies the application that will be able use this file.
/ExePath <Path>   The full path of the executable that will be able to use this file.
Notes:
On UNIX machines, if the executable will be executed from the PATH you can specify only the name of the executable. Otherwise, specify the complete path.
When you specify PVWA, specify the full path of the web server executable.
/IpAddress   The IP address of the current machine. When this parameter is specified, the credentials file will specify the IP address of the current machine and will only authenticate the user to the Vault from the current machine.
Note: Specify either the ‘IPAddress’ parameter or the ‘ClientHostName’ parameter. You cannot specify both.
/ClientHostname   The hostname of the current machine. When this parameter is specified, the credentials file will specify the hostname of the current machine and will only authenticate the user to the Vault from a machine with the specified hostname.
Note: Specify either the ‘IPAddress’ parameter or the ‘ClientHostName’ parameter. You cannot specify both.
/OSUsername <Operating
System User name> 		  The name of the Operating System user who will be able to use this file.
Notes:
On UNIX machines, specify only the username.
On Windows machines, specify the username in “domain_name\username” format.
When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”. The quotation marks are required because of the space in “nt authority”.
/DisplayRestrictions   When this parameter is specified, the generated credentials file will specify all the restrictions in a readable manner. This will enable users to understand the exact restrictions on the file.
PROXY   Creates a credential file based on PROXY authentication.
/ProxyUser   The name of the Proxy user.
This parameter is required. If you do not specify it in the command, you will be prompted for it.
/ProxyPassword   The password that will be decrypted in the credential file.
This parameter is required. If you do not specify it in the command, you will be prompted for it.
/ProxyAuth Domain   The domain name of the Proxy user.
/ExePath <Path>   The full path of the executable that will be able to use this file.
Notes:
On UNIX machines, if the executable will be executed from the PATH you can specify only the name of the executable. Otherwise, specify the complete path.
When you specify PVWA, specify the full path of the web server executable.
/IpAddress   The IP address of the current machine. When this parameter is specified, the credentials file will specify the IP address of the current machine and will only authenticate the user to the Vault from the current machine.
Note: Specify either the ‘IPAddress’ parameter or the ‘ClientHostName’ parameter. You cannot specify both.
/ClientHostname -/clienthostname The hostname of the current machine. When this parameter is specified, the credentials file will specify the hostname of the current machine and will only authenticate the user to the Vault from a machine with the specified hostname.
Note: Specify either the ‘IPAddress’ parameter or the ‘ClientHostName’ parameter. You cannot specify both.
/OSUsername <Operating
System User name> 		  The name of the Operating System user who will be able to use this file.Notes:
On UNIX machines, specify only the username.
On Windows machines, specify the username in “domain_name\username” format.
When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”. The quotation marks are required because of the space in “nt authority”.
/DisplayRestrictions   When this parameter is specified, the generated credentials file will specify all the restrictions in a readable manner. This will enable users to understand the exact restrictions on the file.
/?   Lists the available options.

The following instructions explain how to create a user credential file. The examples used in these instructions run the utility from the Utilities subfolder, and create a credential file called ‘user.cred’.

 

The text typed by the user appears in bold.

  1. At the command line prompt, run the CreateCredFile.exe utility. You must specify the username and password to the Vault. You can also specify whether or not Radius authentication will be used.

    For extended security on Windows systems, store the secret of the credential file in Windows protected storage by using the /UseOSProtectedStorage parameter. Use the following guidelines when protecting the secret in the Windows protected storage:

    • When the user who creates the credential file is the only user who will use it: Store the credential file secret in the user's Windows protected storage by specifying the /UseOSProtectedStorage User parameter. This ensures that only the user who created the credential file will be able to access its secret.

    • For CyberArk services or when the user that created the credential file is not the user that will use it: Store the credential file secret in the machine's Windows protected storage by specifying the /UseOSProtectedStorage Machine parameter. This ensures that the credential file secret will only be accessible from the machine where it was created.

     

    >createcredfile.exe user.cred Password /username Paul /password Pass /ExternalAuth radius

    /UseOSProtectedStorage Machine

    The above example shows that this credential file will be called ‘user.cred’, and will contain an encrypted password for the Vault user called ‘Paul’. The credential file's secret will be stored in the machine's Windows protected storage. The file can be used to log onto the file with Radius authentication.

    If you do not specify the command parameters, username, password, and radius, you are prompted for them now.  An example of this appears in the following example:

     

    Vault Username [mandatory] ==> Paul

    Vault Password (will be encrypted in credential file) ==> *******

    Radius server will be used for authentication (yes/no) [y] ==> yes

    The user’s credential file will now be created and saved in the current folder.

     

    Command ended successfully

Create the user credential file using a token

The Vault supports logon with a password that has been encrypted by a key on a USB token or a Smartcard. This password is stored in the user’s credential file, and is decrypted by the external token for logon.

Any PKCS#11 token can be used for this type of authentication, as long as it meets all of the following criteria:

The token must be a hardware token.
The token is accessible through the PKCS#11 interface.
Access to the token is only possible after supplying a PIN.
The token supports RSA with 1024 or 2048 bit key length.
The token must be able to perform encryption and key generation in hardware.

  1. Attach the token to the computer.

    • If you are using a USB token, place the token in the USB port.

    • If you are using a Smartcard, place the card in the Smartcard reader.

  2. At the command line prompt, run the CreateCredFile.exe utility. You must specify the username and password to the Vault, the full path of the PKCS#11 dll file that will encrypt the password, and the PIN that is required by the token device. You can also specify

     

    >CreateCredFile.exe user.cred token /username Paul /password Pass /dllpath i:\windows\system32\eTpkcs11.dll

    /pin PinPass

    The above example shows that this credential file will be called ‘user.cred’, and will be created with a key that is stored on a token. ‘Paul’ is the user who will be specified in the credential file, together with Paul's password, asdf. The dll path used by the token device is specified, as well as the PIN that is required to access the token device.

    If you have not specified the username, password, dll path and password, you are prompted for it now.

     

    Vault Username [mandatory] ==> Paul

    Vault Password (will be encrypted in credential file) ==> *******

    Path of Token dll [mandatory] ==> i:\windows\system32\etpkcs11.dll

    Pin code required by the Token device ==> ********

    Radius server will be used for authentication (yes/no) [optional] ==> no

    Initialize the Token (yes/no) [optional] ==> no

  3. To initialize the token, type yes,

    or,

    If the token has already been initialized with the CreateCredFile utility, type no.

    The user credential file is now created and saved in the current folder.

     

    Command ended successfully

Create the user credential file for PKI authentication

The user can create a user credential file for logon with a PKI certificate. Before creating the credential file, the authentication certificate must be imported into the Microsoft Windows certificate store. For more details, refer to CreateCredFile Utility.

 

A PIN to access a PKI certificate can only be used in a Windows 2000 environment or later.

  1. At the command line prompt, run the CreateCredFile.exe utility.

     

    CreateCredFile.exe user.cred PKI /certissuer CN=MyCompany_CA /certserial "1963f68d00000000017c" /Pin PinPass

    /AppType PACLI /ExePath "C:\Program Files\PrivateArk\Client\PACLI.exe" /IPAddress /OSUsername my_dom\Paul

    /DisplayRestrictions

    The above example shows that this credential file will be called ‘user.cred’, and will be created based on a PKI certificate. The certificate issuer for this credential file is MyCompany_CA and the certificate detail serial number is ‘1963f68d00000000017c’. The PIN required to access this certificate is ‘12341234’.

    If you do not specify the certificate issuer and serial number, the Select Certificate window appears to enable you to select the PKI certificate that will give the user access to the Vault.

     

    If a PIN is required to access the certificate, you must enter the PIN in the command line.

    pki (2)

  2. Select the PKI certificate to use, then click OK; the user’s credential file will now be created and saved in the current folder.

    The following message appears to confirm that the authentication file has been created successfully.

     

    Command ended successfully

Import a certificate for authentication

Authentication certificates can be used to authenticate to the Vault if the certificate has been imported into the Microsoft Windows certificate store.

The certificate store is divided into several locations to limit accessibility (for security reasons). The most common location for certificates is the “Current User” location. When importing certificates into Microsoft Windows, this is the default location into which the certificates are imported. The certificates in the “Current User” location are only accessible to the user that is currently logged on. One user will not be able to access certificates in another user’s “Current User” location.

Create the user credential file for proxy authentication

The Proxy user and password can be stored encrypted in a credentials file instead of being specified in the Vault parameter file.

  1. At the command line prompt, run the CreateCredFile.exe utility.

     

    >createcredfile.exe user.cred Proxy /ProxyUser PUser /ProxyPassword Pass /ExePath "C:\Program Files\PrivateArk\Client\PACLI.exe" /IPAddress /OSUsername my_dom\Paul /DisplayRestrictions

    The above example will create a file called ‘user.cred’ and will enable the proxy user to log onto the Vault with proxy authentication. The credentials file will contain an encrypted proxy password for the proxy user called PUser.

    If you do not specify the name and password of the proxy user, you will be prompted for them.  An example of this appears in the following example:

     

    Proxy Username [mandatory] ==> PUser

    Proxy Password (will be encrypted in credential file) ==> ****

    Domain name of ProxyUser [optional] ==> MyCompany.com

    The user’s credential file will now be created and saved in the current folder.

     

    Command ended successfully
 
TruePrivileged Access Security11.5