CreateCredFile utility

Components and applications that require automated access to the Digital Vault use a credential file that contains the user’s Vault username and encrypted logon information.

The credential file contains sensitive logon information, so it’s important to restrict access and usage as much as possible to reduce potential hijacking of the file.

 

Make sure that you are familiar with the user’s Vault authentication details, because you must provide the correct logon credentials to generate the encrypted credential file.

Supported authentication types

Password

For password authentication, the credential file contains a CyberArk user that authenticates to the Vault using a username and a password. You can also use the following external authentication types along with password authentication.

  • RADIUS - A RADIUS user that authenticates to the Vault using a username, password and two-factor authentication via the RADIUS server, which requires user approval using a challenge.

  • LDAP - An LDAP user that authenticates to the LDAP server and connects to the Vault with a username and password.

PKI

For PKI authentication, the credential file contains a CyberArk user that authenticates to the Vault using a username and a PKI certificate with the user details.

You can create a credential file for logon with a PKI certificate. Before creating the file, you must import the authentication certificate into the Microsoft Windows certificate store. For more details, refer to Import a certificate for authentication.

Proxy

You can create a credential file that is used to authenticate to the Vault through a proxy server. The proxy user and password can be stored encrypted in a credential file instead of being specified in the Vault parameter file.

Asymmetric keys

You can create a credential file that contains a key-pair combination and the CyberArk user for authenticating to the Vault.

Additional protection mechanisms

HSM device

The credential file secret can be encrypted by a HSM device. This can be used for both password and key-pair (asymmetric keys) authentication.

Any PKCS#11 library is supported as long as it meets all of the following criteria:

  • The token must be a hardware token.

  • The token is accessible through the PKCS#11 interface.

  • Access to the token is only possible after supplying a PIN.

  • The token supports RSA 2048-bit key length.

  • The token must be able to perform encryption and key generation on hardware.

  • A 32-bit .dll must be used (64-bit is not supported).

DPAPI

The credential file secret can be encrypted by the Windows DPAPI mechanism, which can be used for both password and key-pair (asymmetric keys) authentication.

 

The DPAPI mechanism must be enabled on the Windows operating system.

Credential file security

The credential file is protected using the following mechanisms:

  1. The encrypted token secret is changed daily.

  2. The encrypted secret is encrypted using AES 256-bit key that comprises the following parts:

    1. Random salt that is stored in the credential file (512-bit). This randomness assures that each credential file is encrypted with a unique key.

    2. Environmental key material:

      • Application-based – unique materials that identify the application in the logon process.

      • Machine-based – unique materials that identify the machine in the logon process.

      • Component-based materials - unique materials that identify the component in the logon process.

    3. The key is generated by a secure hash (SHA2-512) of the above key materials.

  3. You can protect your credential file even more using the appropriate operating system permissions.

Create a credential file

The CreateCredFile utility, located in the CyberArk\Utilities installation folder, can create a credential file from a command line prompt.

The CreateCredFile utility uses the following syntax:

 

CreateCredFile <FileName> <command> [command parameters]

The following instructions explain how to create a credential file. The examples used in these instructions run the utility from the Utilities subfolder, and create a credential file called ‘user.cred’.

The CreateCredFile utility can be executed from the same machine where it will be used, or it can be copied to the component or application host machine after it is created.

 

In order to comply with the strongest security guidelines, create the credential file on the same machine where it will be used.

You must use a valid password for the user when you create the credential file. Before creating the credential file, verify the following:

  • You have the correct username for the user.

  • The user is not currently being used by an active component/application.

  • The user is not suspended on all Vaults (Primary and Satellite Vaults).

  • You have reset the password to a known password.

The credential file is created and saved in the current folder or the folder that you specified in the command. The following message appears:

Command ended successfully

  1. Open the command prompt as an admin user.

  2. Run the CreateCredFile.exe utility with all the relevant flags set.

    • Windows syntax:

      • Human user syntax with HSM device (recommended):

         

        CreateCredFile.exe user.cred Password /username <username> /password <password> /ExePath <path> /IpAddress /Hostname /OSUsername <domain\user> /MachineGUID /DiskSignature /EntropyFile /DpapiMachineProtection /HSMProtection /DLLpath <path\pkcs11-provider.dll> /PIN <pin code> /InitToken

      • Human user syntax:

         

        CreateCredFile.exe user.cred Password /username <username> /password <password> /ExePath <path> /IpAddress /Hostname /OSUsername <domain\user> /MachineGUID /DiskSignature /EntropyFile /DpapiMachineProtection /DpapiUserProtection

      • Component or application user syntax with HSM device (recommended):

         

        CreateCredFile.exe user.cred Password /username <username> /password <password> /ExePath <path> /IpAddress /ClientHostname /OSUsername <domain\user> /AppType <Application ID> /HSMProtection /DLLpath <path\pkcs11-provider.dll> /PIN <pin code> /InitToken

      • Component or application user syntax:

         

        CreateCredFile.exe user.cred Password /username <username> /password <password> /ExePath <path> /IpAddress /Hostname /OSUsername <domain\user> /AppType <Application ID> /MachineGUID /DiskSignature /EntropyFile /DpapiMachineProtection /DpapiUserProtection

      • Human user syntax on a remote server:.gitignore

         

        This method is less secure, and therefore shouldn't be used in a production environment.
         

        CreateCredFile.exe user.cred Password /username <username> /password <password> /OSUsername <domain\user>

      • Component or application user syntax on a remote server:

         

        This method is less secure, and therefore shouldn't be used in a production environment.
         

        CreateCredFile.exe user.cred Password /username <username> /password <password> /OSUsername <domain\user> /AppType <Application ID>

    • *NIX syntax:

      • Human user syntax:

         

        ./CreateCredFile user.cred password -username <username> -password <password> -exepath <path> -hostname -osusername <domain\user> -machineguid -entropyfile

      • Component or application user syntax:

         

        ./CreateCredFile user.cred password -username <username> -password <password> -exepath <path> -hostname -osusername <domain\user> -machineguid -entropyfile -apptype <Application ID>

      • Human user syntax on a remote server:

         

        This method is less secure, and therefore shouldn't be used in a production environment.
          CreateCredFile user.cred password -username <username> -password <password> -osusername <user>

      • Component or application user syntax on a remote server:

         

        This method is less secure, and therefore shouldn't be used in a production environment.
          CreateCredFile user.cred password -username <username> -password <password> - osusername <user> -apptype <Application ID>

         

 

To apply LDAP or RADIUS authentication or other configurations, see CreateCredFile parameters for more details.

  1. At the command line prompt, run the CreateCredFile.exe utility.

     

    CreateCredFile.exe user.cred PKI /certissuer CN=MyCompany_CA /certserial "1963f68d00000000017c" /Pin PinPass

    /AppType <Application ID> /ExePath <Fullpath> /IPAddress /OSUsername <domain\user>

    The above example shows that this credential file will be called ‘user.cred’, and will be created based on a PKI certificate. The certificate issuer for this credential file is MyCompany_CA and the certificate detail serial number is ‘1963f68d00000000017c’. The PIN required to access this certificate is ‘12341234’.

    If you do not specify the certificate issuer and serial number, the Select Certificate window appears to enable you to select the PKI certificate that will give the user access to the Vault.

     

    If a PIN is required to access the certificate, you must enter the PIN in the command line.

    pki (2)

  2. Select the PKI certificate to use, then click OK; the credential file will now be created and saved in the current folder.

Import a certificate for authentication

Authentication certificates can be used to authenticate to the Vault if the certificate has been imported into the Microsoft Windows certificate store.

The certificate store is divided into several locations to limit accessibility (for security reasons). The default target where certificates are imported to Microsoft Windows is the “Current User” location. Certificates in the “Current User” location are only accessible to the user that is currently logged on, so user A can't access certificates in user B's “Current User” location.

  1. At the command line prompt, run the CreateCredFile.exe utility.

     

    Createcredfile.exe user.cred Proxy /ProxyUser <ProxyUser> /ProxyPassword <password> /ExePath <Fullpath> /IPAddress /OSUsername <domain\user>

    The above example will create a file called ‘user.cred’ and will enable the proxy user to log onto the Vault with proxy authentication. The credential file will contain an encrypted proxy password for the proxy user called <ProxyUser>.

    If you do not specify the name and password of the proxy user, you will be prompted for them.  An example of this appears in the following example:

     

    Proxy Username [mandatory] ==> PUser

    Proxy Password (will be encrypted in credential file) ==> ****

    Domain name of ProxyUser [optional] ==> MyCompany.com
 

Only use this option if instructed by CyberArk.

  1. At the command line prompt, run the CreateCredFile.exe utility.

     

    CreateCredFile.exe user.cred KeyPair /username <username> /ExePath <path> /IpAddress /Hostname /OSUsername <domain\user> /AppType <ApplicationID> /MachineGUID /DiskSignature /EntropyFile /DpapiMachineProtection /DpapiUserProtection

The above example creates a credentials file with a generated encrypted private key.

 

Only use this option if instructed by CyberArk.

Using the Convert option allows you to upgrade the credential file version to the latest one but does not improve security. To improve security, we recommend that you create a new credential file.

After you upgrade to version 12.1.1 or later, when logging on using the existing credential file, the credential file is converted automatically to the latest version.

To manually convert a credential file to the latest version, run the following command:

  1. At the command line prompt, run the CreateCredFile.exe utility.

     

    CreateCredFile.exe user.cred KeyPair /username <username> /ExePath <path> /IpAddress /Hostname /OSUsername <domain\user> /AppType <ApplicationID> /MachineGUID /DiskSignature /EntropyFile /DpapiMachineProtection /DpapiUserProtection

The above example converts the file called ‘user.cred’ to the latest version, and renames the previous file to ‘user.cred.old’.

The /AppType, /OSUsername, and /ExePath parameters must be the same as in the previous credential file, otherwise the command will fail.

  1. Open the command prompt as an admin user.

  2. Run the CreateCredFile.exe utility with all the relevant flags set.

    • Windows syntax:

      • Human user syntax with HSM device (recommended):

         

        CreateCredFile.exe user.cred Token /username <username> /password <password> /ExePath <path> /IpAddress /ClientHostname /OSUsername <domain\user> /DLLpath <path\pkcs11-provider.dll> /PIN <pin code> /InitToken

      • Human user syntax:

         

        CreateCredFile.exe user.cred Password /username <username> /password <password> /UseOSProtectedStorage <Machine/User> /ExePath <path> /IpAddress /ClientHostname /OSUsername <domain\user>

      • Component or application user syntax with HSM device (recommended):

         

        CreateCredFile.exe user.cred Token /username <username> /password <password> /ExePath <path> /IpAddress /ClientHostname /OSUsername <domain\user> /AppType <Application ID> /DLLpath <path\pkcs11-provider.dll> /PIN <pin code> /InitToken

      • Component or application user syntax:

         

        CreateCredFile.exe user.cred Password /username <username> /password <password> /UseOSProtectedStorage <Machine/User> /ExePath <path> /IpAddress /ClientHostname /OSUsername <domain\user> /AppType <Application ID>

      • Human user syntax on a remote server:

         

        This method is less secure, and therefore shouldn't be used in a production environment.
         

        CreateCredFile.exe user.cred Password /username <username> /password <password> /OSUsername <domain\user>

      • Component or application user syntax on a remote server:

         

        This method is less secure, and therefore shouldn't be used in a production environment.
         

        CreateCredFile.exe user.cred Password /username <username> /password <password> /OSUsername <domain\user> /AppType <Application ID>

    • *NIX syntax:

      • Human user syntax:

         

        CreateCredFile user.cred password -username <username> -password <password> -exepath <path> -clienthostname -osusername <user>

      • Component or application user syntax:

         

        CreateCredFile user.cred password -username <username> -password <password> -exepath <path> -clienthostname -osusername <user> -apptype <Application ID>

      • Human user syntax on a remote server:

         

        This method is less secure, and therefore shouldn't be used in a production environment.
          CreateCredFile user.cred password -username <username> -password <password> -osusername <user>

      • Component or application user syntax on a remote server:

         

        This method is less secure, and therefore shouldn't be used in a production environment.
          CreateCredFile user.cred password -username <username> -password <password> - osusername <user> -apptype <Application ID>

         

 

To apply LDAP or RADIUS authentication or other configurations, see CreateCredFile parameters for more details.

  1. At the command line prompt, run the CreateCredFile.exe utility.

     

    CreateCredFile.exe user.cred PKI /certissuer CN=MyCompany_CA /certserial "1963f68d00000000017c" /Pin PinPass

    /AppType PACLI /ExePath "C:\Program Files\PrivateArk\Client\PACLI.exe" /IPAddress /OSUsername my_dom\Paul

    /DisplayRestrictions

    The above example shows that this credential file will be called ‘user.cred’, and will be created based on a PKI certificate. The certificate issuer for this credential file is MyCompany_CA and the certificate detail serial number is ‘1963f68d00000000017c’. The PIN required to access this certificate is ‘12341234’.

    If you do not specify the certificate issuer and serial number, the Select Certificate window appears to enable you to select the PKI certificate that will give the user access to the Vault.

     

    If a PIN is required to access the certificate, you must enter the PIN in the command line.

    pki (2)

  2. Select the PKI certificate to use, then click OK; the credential file will now be created and saved in the current folder.

Import a certificate for authentication

Authentication certificates can be used to authenticate to the Vault if the certificate has been imported into the Microsoft Windows certificate store.

The certificate store is divided into several locations to limit accessibility (for security reasons). The default target where certificates are imported to Microsoft Windows is the “Current User” location. Certificates in the “Current User” location are only accessible to the user that is currently logged on, so user A can't access certificates in user B's “Current User” location.

  1. At the command line prompt, run the CreateCredFile.exe utility.

     

    >createcredfile.exe user.cred Proxy /ProxyUser PUser /ProxyPassword Pass /ExePath "C:\Program Files\PrivateArk\Client\PACLI.exe" /IPAddress /OSUsername my_dom\Paul /DisplayRestrictions

    The above example will create a file called ‘user.cred’ and will enable the proxy user to log onto the Vault with proxy authentication. The credential file will contain an encrypted proxy password for the proxy user called PUser.

    If you do not specify the name and password of the proxy user, you will be prompted for them.  An example of this appears in the following example:

     

    Proxy Username [mandatory] ==> PUser

    Proxy Password (will be encrypted in credential file) ==> ****

    Domain name of ProxyUser [optional] ==> MyCompany.com

Specify applications

You can specify the CyberArk applications or utilities in a credential file.

Component

Application user

Application ID

Usage

CPM

Central Policy Manager

CPM

Password

PVWA

Password Vault Web Access gateway user

PVWA

Password

Password Vault Web Access application user

PVWAApp

  • Password

  • Key pair

OPM

OPM application user

OPMProvider

Password

PSM

Privileged Session Manager application user

PSMApp

  • Password

  • Key pair

Privileged Session Manager gateway user

PSMGWApp

Password

PSMP

 

 

AD Bridge applicative user

PSMPAdBridge

Password

PSMP applicative user

PSMPServer

Password

PSMP gateway user

PSMPServer

Password

Digital Vault

 

Disaster Recovery Application user

DR

Password

Event Notification Engine

ENE

Password

PrivateArk Client

PrivateArk Client application user

WINCLIENT

GUI

Password

AAM

Credential Provider

AIMProvider

Password

Synchronizer

AIMProvider

Password

Telemetry

Telemetry

Telemetry

Password

PTA

Privileged Threat Analytics

PTAAPP

Password

Utility

Application user

Application ID

Usage

Replicate

CyberArk Backup and Restore application user

CABACKUP

Password

CyberArk SDK

CyberArk CLI application user

PACLI

Password

Export Vault Data

Export Vault Data application user

EVD

Password

CreateCredFile parameters

Command

Parameter

Description

Mandatory

Filename

The name of the user credential file to create or update, specifically user.cred.

Yes

Password

Indicates that the credential file is created with password authentication details.

Optional

 

/Username

Sets the username in the credential file.

Yes

 

/Password

The password that is encrypted and stored in the credential file.

Yes

 

/DisableSyncPassword
ToDR

Whether or not passwords in user credential files are replicated to all DR sites before they are replaced.
By default, this parameter is set to No, which makes sure that user credential files on all DR sites (if they exist) are synchronized with the Production Vault and that users will be able to continue working with the Vault seamlessly after a failover. If this parameter is changed to Yes, passwords are replaced in credential files regardless of whether or not they have been replicated to all DR sites.

No

 

/ExternalAuth

The type of external authentication that is used to authenticate users to the Vault.

Valid values:

Radius - Creates a credential file for use with RADIUS server.

LDAP - Creates a credential file for use with an LDAP directory.

None - This credential file is not used with either a RADIUS server or an LDAP directory.

Default value: None

No

 

/AppType

A unique application ID that specifies the application that is able use this file. For a list of accepted values, see Specify applications above.

No

 

/ExePath

The full path of the executable that is able to use this file. Specify the full path.

No

 

/IpAddress

Specify this parameter to require the IP address of the current machine for user authentication.

No

 

/Hostname

Specify this parameter to require the hostname of the current machine for user authentication.

No

 

/OSUsername

The name of the operating system user who can use this file.

Specify the username in “domain_name\username” format.

When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”.

 

The quotation marks are required because of the space in “nt authority”.

No

 

/DisplayRestrictions

When this parameter is defined, the generated credential file shows all the restrictions in a readable format.

 

This parameter affects security. Do not use it in production environments.

No

 

/MachineGUID

Specify this parameter to require the identifier of the current machine for user authentication.

 No

 

/DiskSignature

Specify this parameter to require the data storage device ID of the current machine for user authentication.

No

 

/EntropyFile

Specify this parameter to require the entropy file for user authentication.

No

 

/HSMProtection

Use HSM protection for user authentication.

  • /Dllpath specifies the 32-bit .dll path used by the HSM client

  • /PIN specifies the HSM pin code

  • /InitToken - specify this parameter the first time the HSM is used

No

 

/DPAPIMachineProtection

Use DPAPI machine protection for user authentication.

No

 

/DPAPIUserProtection

Use DPAPI machine protection for user authentication.

No

PKI

Creates a credential file based on a PKI certificate.

Optional

 

/CertIssuer

Personal certificate issuer.

Yes

 

/CertSerial

Personal certificate serial number.

Yes

 

/PIN

Specifies the PIN code required to access the certificate.
This parameter is required if the certificate is stored on a token.

Yes

 

/AppType

A unique application ID that specifies the application that can use this file. For a list of accepted values, see Specify applications above.

No

 

/ExePath

The full path of the executable that will be able to use this file. Specify the complete path.

No

 

/IpAddress

Specify this parameter to require the IP address of the current machine for user authentication.

No

 

/Hostname

Specify this parameter to require the hostname of the current machine for user authentication.

No

 

/OSUsername <Operating
System User name>

The name of the operating system user who can use this file.

Specify the username in “domain_name\username” format.

When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”.

 

The quotation marks are required because of the space in “nt authority”.

No

 

/DisplayRestrictions

When this parameter is defined, the generated credential file shows all the restrictions in a readable format.

 

This parameter affects security. Do not use it in production environments.

No

PROXY

Creates a credential file based on proxy authentication.

Optional

 

/ProxyUser

The name of the proxy user.
This parameter is required. If you do not specify it in the command, you will be prompted for it.

Yes

 

/ProxyPassword

The password that will be decrypted in the credential file.
This parameter is required. If you do not specify it in the command, you will be prompted for it.

Yes

 

/ProxyAuth Domain

The domain name of the proxy user.

No

 

/ExePath

The full path of the executable that can use this file. Specify the complete path.

No

 

/IpAddress

Specify this parameter to require the IP address of the current machine for user authentication.

No

 

/Hostname

Specify this parameter to require the hostname of the current machine for user authentication.

No

 

/OSUsername <Operating
System User name>

The name of the operating system user who can use this file. Specify the username in “domain_name\username” format.

When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”.

 

The quotation marks are required because of the space in “nt authority”.

No

 

/DisplayRestrictions

When this parameter is defined, the generated credential file shows all the restrictions in a readable format.

 

This parameter affects security. Do not use it in production environments.

No

 

/?

Lists the available options.

Optional

Convert

Optional

 

/AppType

A unique application ID that specifies the application that can use this file. For a list of accepted values, see Specify applications above.

No

 

/ExePath

The full path of the executable that is able to use this file. Specify the complete path.

No

 

/OSUsername

The name of the operating system user who can use this file. Specify the username in “domain_name\username” format.

When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”.

 

The quotation marks are required because of the space in “nt authority”.

No

 

/?

Lists the available options.

Optional

KeyPair

Optional

 

/Username

Sets the username in the credential file.

Yes

 

/DisableSyncKeyToDR

Whether or not passwords in user credential files are replicated to all DR sites before they are replaced.

By default, this parameter is set to No, which makes sure that user credential files on all DR sites (if they exist) are synchronized with the Production Vault, and that users will be able to continue working with the Vault seamlessly after a failover. If this parameter is changed to Yes, passwords are replaced in credential files regardless of whether or not they have been replicated to all DR sites.

No

 

/AppType

A unique application ID that specifies the application that can use this file. For a list of accepted values, see Specify applications above.

No

 

/ExePath

The full path of the executable that is able to use this file. Specify the full path.

No

 

/OSUsername

The name of the operating system user who can use this file. Specify the username in “domain_name\username” format.

When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”.

 

The quotation marks are required because of the space in “nt authority”.

No

 

/IpAddress

Specify this parameter to require the IP address of the current machine for user authentication.

No

 

/Hostname

Specify this parameter to require the hostname of the current machine for user authentication.

No

 

/MachineGUID

Specify this parameter to require the identifier of the current machine for user authentication.

 No

 

/DiskSignature

Specify this parameter to require the data storage device ID of the current machine for user authentication.

No

 

/EntropyFile

Specify this parameter to require the entropy file for user authentication.

No

 

/DPAPIMachineProtection

Use DPAPI machine protection for user authentication

No

 

/DPAPIUserProtection

Use DPAPI machine protection for user authentication.

No

 

/DisplayRestrictions

Shows all the restrictions in the generated credential file in a readable format.

 

This parameter affects security. Do not use it in production environments.

No

 

/?

Lists the available options.

Optional

Command

Parameter

Description

Mandatory

Filename

The name of the credential file to create or update, specifically user.cred.

Yes

Password

Indicates that the credential file is created with password authentication details.

Yes

 

-username

Sets the username in the credential file.

Yes

 

-password

The password that is encrypted in the credential file.

Yes

 

-DisableSyncPassword
ToDR

Whether or not passwords in user credential files are replicated to all DR sites before they are replaced.
By default, this parameter is set to No, which ensures that user credential files on all DR sites (if they exist) are synchronized with the Production Vault and that users can continue working with the Vault seamlessly after a failover. If this parameter is changed to Yes, passwords are replaced in credential files regardless of whether or not they have been replicated to all DR sites.

No

 

-externalauth

The type of external authentication that is used to authenticate users to the Vault.

Valid values:

-radius - Creates a credential file for use with RADIUS server.

-ldap - Creates a credential file for use with an LDAP directory.

-none - This credential file is not used with either a RADIUS server or an LDAP directory.

Default value: -none

No

 

-apptype

A unique application ID that specifies the application that can use this file. For a list of accepted values, see Specify applications above.

No

 

-exepath

The full path of the executable that can use this file. If the executable is executed from the PATH you can specify only the name of the executable. Otherwise, specify the complete path.

No

 

-ipaddress

Specify this parameter to require the IP address of the current machine for user authentication.

No

 

-hostname

Specify this parameter to require the hostname of the current machine for user authentication.

No

 

-osusername

The name of the operating system user who can use this file. Specify only the username.

No

 

-displayrestrictions

When this parameter is defined the generated credential file shows all the restrictions in a readable format.

 

This parameter affects security. Do not use it in production environments.

No

 

-machineguid

Specify this parameter to require the identifier of the current machine for user authentication.

 No

 

-entropyfile

Specify this parameter to require the entropy file for user authentication.

No

 

-hsmprotection

Use HSM protection for user authentication.

  • -dllpath specifies the 32-bit .dll path used by the HSM client

  • -pin specifies the HSM pin code

  • -inittoken - specify this parameter the first time the HSM is used

No

/?

Lists the available options.

No

Command

Parameter

Description

Mandatory

Filename

The name of the user credential file to create or update, specifically user.cred.

Yes

Password

Indicates that the credential file is created with password authentication details.

Optional

 

/Username

Sets the username in the credential file.

Yes

 

/Password

The password that is encrypted in the credential file.

Yes

 

/UseOSProtectedStorage

Use the operating system's protected storage for the credential file secret.
Valid values:

Machine - Use protected storage that is accessible only for the machine where the CreateCredFile utility was invoked.

User - Use protected storage that is accessible only to the user who is logged on and invoked the CreateCredFile utility.

None - Do not use operating system protected storage.
Default value: None

No

 

/DisableSyncPassword
ToDR

Whether or not passwords in user credential files are replicated to all DR sites before they are replaced.
By default, this parameter is set to No, which makes sure that user credential files on all DR sites (if they exist) are synchronized with the Production Vault and that users will be able to continue working with the Vault seamlessly after a failover. If this parameter is changed to Yes, passwords are replaced in credential files regardless of whether or not they have been replicated to all DR sites.

No

 

/ExternalAuth

The type of external authentication that is used to authenticate users to the Vault.

Valid values:

Radius - Creates a credential file for use with RADIUS server.

LDAP - Creates a credential file for use with an LDAP directory.

None - This credential file is not used with either a RADIUS server or an LDAP directory.

Default value: None

No

 

/AppType

A unique application ID that specifies the application that is able use this file. For a list of accepted values, see Specify applications above.

No

 

/ExePath

The full path of the executable that is able to use this file. Specify the complete path.

No

 

/IpAddress

Specify this parameter to require the IP address of the current machine for user authentication.

No

 

/Hostname

Specify this parameter to require the hostname of the current machine for user authentication.

No

 

/OSUsername

The name of the operating system user who can use this file.

Specify the username in “domain_name\username” format.

When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”.

 

The quotation marks are required because of the space in “nt authority”.

No

 

/DisplayRestrictions

When this parameter is defined, the generated credential file shows all the restrictions in a readable format.

 

This parameter affects security. Do not use it in production environments.

No

Token

Creates a user credential file with a key stored on a token.

Optional

 

/Username

Sets the username in the credential file.

Yes

 

/Password

The password that will be encrypted in the credential file.

Yes

 

/DLLpath

Specifies the DLL file path used by the token device.

Yes

 

/PIN

Specifies the PIN code required by the token.

Yes

 

/ExternalAuth

The type of external authentication that is used to authenticate users to the Digital Vault.

Valid values:

Radius - Creates a credential file for use with RADIUS server.

LDAP - Creates a credential file for use with an LDAP directory.

None - This credential file is not used with either a RADIUS server or an LDAP directory.

Default value: None

No

 

/InitToken

Initializes the token for use with CyberArk password authentication. This parameter must be specified the first time you use a token to store a CyberArk password encryption key.

No

 

/AppType

A unique application ID that specifies the application that is able use this file. For a list of accepted values, see Specify applications above.

No

 

/ExePath

The full path of the executable that can use this file. Specify the complete path.

No

 

/IpAddress

Specify this parameter to require the IP address of the current machine for user authentication.

No

 

/ClientHostname

Specify this parameter to require the hostname of the current machine for user authentication.

No

 

/OSUsername

The name of the operating system user who can use this file. Specify the username in “domain_name\username” format.

When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”.

 

The quotation marks are required because of the space in “nt authority”.

No

 

/DisplayRestrictions

When this parameter is defined, the generated credential file shows all the restrictions in a readable format.

 

This parameter affects security. Do not use it in production environments.

No

PKI

Creates a credential file based on a PKI certificate.

Optional

 

/CertIssuer

Personal certificate issuer.

Yes

 

/CertSerial

Personal certificate serial number.

Yes

 

/PIN

Specifies the PIN code required to access the certificate.
This parameter is required if the certificate is stored on a token.

Yes

 

/AppType

A unique application ID that specifies the application that can use this file. For a list of accepted values, see Specify applications above.

No

 

/ExePath

The full path of the executable that will be able to use this file. Specify the complete path.

No

 

/IpAddress

Specify this parameter to require the IP address of the current machine for user authentication.

No

 

/ClientHostname

Specify this parameter to require the hostname of the current machine for user authentication.

No

 

/OSUsername <Operating
System User name>

The name of the operating system user who can use this file.

Specify the username in “domain_name\username” format.

When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”.

 

The quotation marks are required because of the space in “nt authority”.

No

 

/DisplayRestrictions

When this parameter is defined, the generated credential file shows all the restrictions in a readable format.

 

This parameter affects security. Do not use it in production environments.

No

PROXY

Creates a credential file based on proxy authentication.

Optional

 

/ProxyUser

The name of the proxy user.
This parameter is required. If you do not specify it in the command, you will be prompted for it.

Yes

 

/ProxyPassword

The password that will be decrypted in the credential file.
This parameter is required. If you do not specify it in the command, you will be prompted for it.

Yes

 

/ProxyAuth Domain

The domain name of the proxy user.

Yes

 

/ExePath

The full path of the executable that can use this file. Specify the complete path.

No

 

/IpAddress

Specify this parameter to require the IP address of the current machine for user authentication.

No

 

/ClientHostname

Specify this parameter to require the hostname of the current machine for user authentication.

No

 

/OSUsername <Operating
System User name>

The name of the operating system user who can use this file. Specify the username in “domain_name\username” format.

When the application is executed as a Windows service that uses local system permissions, specify “nt authority\system”.

 

The quotation marks are required because of the space in “nt authority”.

No

 

/DisplayRestrictions

When this parameter is defined, the generated credential file shows all the restrictions in a readable format.

 

This parameter affects security. Do not use it in production environments.

No

 

/?

Lists the available options.

Optional

Command

Parameter

Description

Mandatory

Filename

The name of the credential file to create or update, specifically user.cred.

Yes

Password

Indicates that the credential file is created with password authentication details.

Yes

 

-username

Sets the username in the credential file.

Yes

 

-password

The password that is encrypted in the credential file.

Yes

 

-DisableSyncPassword
ToDR

Whether or not passwords in user credential files are replicated to all DR sites before they are replaced.
By default, this parameter is set to No, which ensures that user credential files on all DR sites (if they exist) are synchronized with the Production Vault and that users can continue working with the Vault seamlessly after a failover. If this parameter is changed to Yes, passwords are replaced in credential files regardless of whether or not they have been replicated to all DR sites.

No

 

-externalauth

The type of external authentication that is used to authenticate users to the Vault.

Valid values:

-radius - Creates a credential file for use with RADIUS server.

-ldap - Creates a credential file for use with an LDAP directory.

-none - This credential file is not used with either a RADIUS server or an LDAP directory.

Default value: -none

No

 

-apptype

A unique application ID that specifies the application that can use this file. For a list of accepted values, see Specify applications above.

No

 

-exepath

The full path of the executable that can use this file. If the executable is executed from the PATH you can specify only the name of the executable. Otherwise, specify the complete path.

No

 

-ipaddress

Specify this parameter to require the IP address of the current machine for user authentication.

No

 

-clienthostname

Specify this parameter to require the hostname of the current machine for user authentication.

No

 

-osusername

The name of the operating system user who can use this file. Specify only the username.

No

 

-displayrestrictions

When this parameter is defined the generated credential file shows all the restrictions in a readable format.

 

This parameter affects security. Do not use it in production environments.

No

/?

Lists the available options.

No

Troubleshoot the credentials utility and file

Troubleshoot the CreateCredFile utility

 

Troubleshoot the credentials file