CreateCredFile Utility

The Vault interfaces access the Vault with a user credential file that contains the user’s Vault username and encrypted logon information. This user credential file can be created for password, Token, PKI, or Radius authentication with a utility that is run from a command line prompt. It can also create a credentials file for authentication through a Proxy server.

User credential files can specify restrictions which increase their security level and ensure that they cannot be used by anyone who is not permitted to do so, nor from an unauthorized location. The updated CreateCredFile utility can enforce any of the following restrictions:

Specific application – The credentials file can only be used by a specific CyberArk application or module. This can be specified for Password, Token, or PKI authentication but not for Proxy authentication. For more details about specific applications, refer to CreateCredFile Utility.
Specific path – The credentials file can only be used by an executable located in a certain path.
IP address or hostname – The credentials file can only be used on the machine where it is created.
Operating System user – The credentials file can only be used by an application started by a specified Operating System user.

These restrictions are specified during the credentials file creation process.

Credential files that were created in versions prior to version 4.5 with the CreateAuthFile and CreateCredFile utilities can still be used. However, they do not contain the increased security restrictions that are included in the CreateCredFile utility that is released with this version.

Credentials files that are created with restrictions will not be supported by CyberArk components from previous versions.

Before creating or updating the user credential file, make sure that you are familiar with the user’s authentication details in the Vault as you will be required to provide logon credentials to generate the encrypted credentials file.

Credential file security

Credential files are protected using the following mechanisms:

1. The encrypted token (320-bit) is changed on a daily basis. This means that a credential file that was used today will not be usable tomorrow.
2. The token is encrypted with an AES 256-bit key that is built from the following parts:
a. Random salt that is stored in the credential file (160-bit). This randomness assures that each credential file is encrypted with a unique key.
b. Environmental key material:
Client id – Ten characters that identify a specific component
OS user – The ID of the OS user who runs the component
IP address of the local machine
Application – The specific application or module that will use the credentials file.
c. The key is generated by a secure hash (SHA1) of the above key materials.
3. You can protect your credential files even more using the appropriate operating system permissions.
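To make the key-material list above concrete, here is an added illustrative model in Go (not CyberArk's code or file format, and not the product's actual construction) of an environment-bound credential file: the key is derived from the per-file salt plus client id, OS user, IP address and application, and the day is bound as authenticated data, so a file presented under a different OS user, application or day fails to decrypt instead of yielding a wrong token. Assumptions: SHA-256 and AES-GCM stand in for the SHA-1/AES-256 details the page does not fully specify, and the names EnvMaterial, CredFile, Seal and Open are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
)

// EnvMaterial is the environmental key material the page lists: client id, OS user, IP, application.
type EnvMaterial struct{ ClientID, OSUser, IP, AppID string }

// CredFile models a credential file: clear-text username, per-file salt, encrypted logon token.
// Day stands in for the daily token rotation the page describes.
type CredFile struct {
	Username, Day           string
	Salt, Nonce, Ciphertext []byte
}

// deriveKey binds the key to the salt and the environment. Assumption: SHA-256 over
// NUL-terminated fields; the page only says the product uses a SHA-1 based derivation.
func deriveKey(salt []byte, env EnvMaterial) []byte {
	h := sha256.New()
	h.Write(salt)
	for _, f := range []string{env.ClientID, env.OSUser, env.IP, env.AppID} {
		h.Write(append([]byte(f), 0)) // terminator keeps fields from running together
	}
	return h.Sum(nil) // 32 bytes = AES-256 key
}

func aead(salt []byte, env EnvMaterial) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(salt, env)) // 32-byte key: NewCipher cannot fail
	g, _ := cipher.NewGCM(block)                   // 16-byte block size: NewGCM cannot fail
	return g
}

// Seal creates a credential file that opens only from env and only on day.
func Seal(username, token, day string, env EnvMaterial) (*CredFile, error) {
	rnd := make([]byte, 32) // 20-byte (160-bit) salt as on the page, plus a 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	ct := aead(rnd[:20], env).Seal(nil, rnd[20:], []byte(token), []byte(day)) // day is authenticated data
	return &CredFile{Username: username, Day: day, Salt: rnd[:20], Nonce: rnd[20:], Ciphertext: ct}, nil
}

// Open recovers the token; a different OS user, IP, application or day makes GCM reject the file.
func Open(cf *CredFile, day string, env EnvMaterial) (string, error) {
	pt, err := aead(cf.Salt, env).Open(nil, cf.Nonce, cf.Ciphertext, []byte(day))
	return string(pt), err
}
```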

Specify applications

The following CyberArk applications can be specified in a user credentials file:

Application                                   ID
Central Policy Manager                        CPM
Password Vault Web Access                     PVWA
Password Vault Web Access application user    PVWAApp
OPM and Credential Provider                   AppPrv
Privileged Session Manager application user   PSMApp
CyberArk Replicator/Restore/Prebackup         CABACKUP
Disaster Recovery Vault                       DR
Event Notification Engine                     ENE
PrivateArk Client                             WINCLIENT, GUI
CyberArk CLI                                  PACLI
CyberArk ActiveX API                          XAPI
CyberArk .Net API                             NAPI
Export Vault Data                             EVD
CyberArk Encryption Utility                   CACrypt

Create user credentials files

The CreateCredFile utility is located in the CyberArk\Utilities installation folder. It is run from a command line prompt and creates a user credential file for password, RADIUS, Token, or PKI authentication.

It can also create a user credential file for authentication through a Proxy server.

The CreateCredFile utility uses the following syntax:

CreateCredFile <FileName> <command> [command parameters]

The following instructions explain how to create a user credential file. The examples used in these instructions run the utility from the Utilities subfolder, and create a credential file called ‘user.cred’.

The text typed by the user appears in bold.

Create the user credential file using a token

The Vault supports logon with a password that has been encrypted by a key on a USB token or a Smartcard. This password is stored in the user’s credential file, and is decrypted by the external token for logon.

Any PKCS#11 token can be used for this type of authentication, as long as it meets all of the following criteria:

The token must be a hardware token.
The token is accessible through the PKCS#11 interface.
Access to the token is only possible after supplying a PIN.
The token supports RSA with a 1024- or 2048-bit key length.
The token must be able to perform encryption and key generation in hardware.

Create the user credential file for PKI authentication

The user can create a user credential file for logon with a PKI certificate. Before creating the credential file, the authentication certificate must be imported into the Microsoft Windows certificate store. For more details, refer to CreateCredFile Utility.

A PIN to access a PKI certificate can only be used in a Windows 2000 environment or later.

Import a certificate for authentication

Authentication certificates can be used to authenticate to the Vault if the certificate has been imported into the Microsoft Windows certificate store.

The certificate store is divided into several locations to limit accessibility (for security reasons). The most common location for certificates is the “Current User” location. When importing certificates into Microsoft Windows, this is the default location into which the certificates are imported. The certificates in the “Current User” location are only accessible to the user that is currently logged on. One user will not be able to access certificates in another user’s “Current User” location.

Create the user credential file for proxy authentication

The Proxy user and password can be stored encrypted in a credentials file instead of being specified in the Vault parameter file.

Privileged Access Security 11.5