CreateCredFile utility

Components and applications that require automated access to the Digital Vault use a credential file that contains the user’s Vault username and encrypted logon information.

The credential file contains sensitive logon information, so it’s important to restrict access and usage as much as possible to reduce potential hijacking of the file.


Make sure that you are familiar with the user’s Vault authentication details, because you must provide the correct logon credentials to generate the encrypted credential file.

Supported authentication types

Password

For password authentication, the credential file contains a CyberArk user that authenticates to the Vault using a username and a password. You can also use the following external authentication types along with password authentication.

  • RADIUS - A RADIUS user that authenticates to the Vault using a username, password and two-factor authentication via the RADIUS server, which requires user approval using a challenge.

  • LDAP - An LDAP user that authenticates to the LDAP server and connects to the Vault with a username and password.

PKI

For PKI authentication, the credential file contains a CyberArk user that authenticates to the Vault using a username and a PKI certificate with the user details.

You can create a credential file for logon with a PKI certificate. Before creating the file, you must import the authentication certificate into the Microsoft Windows certificate store. For more details, refer to Import a certificate for authentication.

Proxy

You can create a credential file that is used to authenticate to the Vault through a proxy server. The proxy user and password can be stored encrypted in a credential file instead of being specified in the Vault parameter file.

Asymmetric keys

You can create a credential file that contains a key-pair combination and the CyberArk user for authenticating to the Vault.

Additional protection mechanisms

HSM device

The credential file secret can be encrypted by an HSM device. This can be used for both password and key-pair (asymmetric keys) authentication.

Any PKCS#11 library is supported as long as it meets all of the following criteria:

  • The token must be a hardware token.

  • The token is accessible through the PKCS#11 interface.

  • Access to the token is only possible after supplying a PIN.

  • The token supports RSA 2048-bit key length.

  • The token must be able to perform encryption and key generation on hardware.

  • A 32-bit .dll must be used (64-bit is not supported).

DPAPI

The credential file secret can be encrypted by the Windows DPAPI mechanism, which can be used for both password and key-pair (asymmetric keys) authentication.


The DPAPI mechanism must be enabled on the Windows operating system.

Credential file security

The credential file is protected using the following mechanisms:

  1. The encrypted token secret is changed daily.

  2. The secret is encrypted using an AES 256-bit key that is derived from the following parts:

    1. Random salt that is stored in the credential file (512-bit). This randomness assures that each credential file is encrypted with a unique key.

    2. Environmental key material:

      • Application-based – unique materials that identify the application in the logon process.

      • Machine-based – unique materials that identify the machine in the logon process.

      • Component-based – unique materials that identify the component in the logon process.

    3. The key is generated by a secure hash (SHA2-512) of the above key materials.

  3. You can further protect your credential file by applying the appropriate operating system permissions.
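
The derivation above, modelled in Go as an added illustration (not CyberArk's code and not the real credential file format): the AES-256 key is SHA-512 over the stored 512-bit salt and the environmental material, so the file can only be opened in the environment it was created in. AES-GCM as the mode, the byte layout of the environment material and the sample values are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"errors"
)

// EnvMaterial stands in for the application-, machine- and component-based key material (constructed values).
type EnvMaterial struct{ App, Machine, Component string }

const saltLen, nonceLen = 64, 12 // 512-bit salt stored in the file; AES-GCM nonce

// envCipher derives the AES-256 key as the first 32 bytes of SHA-512(salt || environment
// material). AES-GCM is this example's mode choice; the page states only AES-256.
func envCipher(salt []byte, env EnvMaterial) (cipher.AEAD, error) {
	h := sha512.New()
	h.Write(salt)
	h.Write([]byte(env.App + "\x00" + env.Machine + "\x00" + env.Component))
	block, _ := aes.NewCipher(h.Sum(nil)[:32]) // 32-byte key: NewCipher cannot fail
	return cipher.NewGCM(block)
}

// Seal writes salt || nonce || ciphertext+tag; the random salt is stored in the clear and gives every file its own key.
func Seal(secret []byte, env EnvMaterial) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm, err := envCipher(hdr[:saltLen], env)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(hdr, hdr[saltLen:], secret, hdr[:saltLen]), nil
}

// Open re-derives the key from the stored salt and the caller's environment. Copied to another
// machine or component, the key differs and the GCM tag check fails instead of returning a wrong secret.
func Open(file []byte, env EnvMaterial) ([]byte, error) {
	if len(file) < saltLen+nonceLen+16 {
		return nil, errors.New("credential file too short")
	}
	gcm, err := envCipher(file[:saltLen], env)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, file[saltLen:saltLen+nonceLen], file[saltLen+nonceLen:], file[:saltLen])
}
```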

Create a credential file

The CreateCredFile utility, located in the CyberArk\Utilities installation folder, can create a credential file from a command line prompt.

The CreateCredFile utility uses the following syntax:


CreateCredFile <FileName> <command> [command parameters]

The following instructions explain how to create a credential file. The examples used in these instructions run the utility from the Utilities subfolder, and create a credential file called ‘user.cred’.

The CreateCredFile utility can be run on the same machine where the credential file will be used, or the credential file can be copied to the component or application host machine after it is created.


In order to comply with the strongest security guidelines, create the credential file on the same machine where it will be used.

You must use a valid password for the user when you create the credential file. Before creating the credential file, verify the following:

  • You have the correct username for the user.

  • The user is not currently being used by an active component/application.

  • The user is not suspended on any of the Vaults (Primary and Satellite Vaults).

  • You have reset the password to a known password.

The credential file is created and saved in the current folder or the folder that you specified in the command. The following message appears:

Command ended successfully

CreateCredFile parameters

Troubleshoot the credentials utility and file

Troubleshoot the CreateCredFile utility


Troubleshoot the credentials file