Install the Central Credential Provider (CCP)

This section describes how to install and configure the CCP.

Installation and configuration comprise several stages that must be completed before you can use the CCP web services to retrieve passwords.

  1. Install the Credential Provider for Windows.

  2. Install the CCP Web Service.

  3. Deploy applications.

  • PAM - Self-Hosted: You can install CCP on the same server as the PVWA. However, if you plan to harden the PVWA, install CCP after the hardening process.

  • Privilege Cloud: You can install CCP on the same machine as the Privilege Cloud Connector alongside CPM/PSM. This machine is a hardened machine. If you install the CCP on the Privilege Cloud Connector machine, we strongly recommend that your application uses IIS with Windows OS User authentication.

Installation

First you install the Credential Provider for Windows, and then the CCP web services.

Step 1: Prerequisites

  1. To authenticate applications using Windows domain users, the Central Credential Provider must be in the same domain as the requesting application machines. Alternatively, the requesting application domain must be trusted by the Central Credential Provider domain. For more information about authenticating applications with Windows domain users, see Application authentication methods.
  2. During the Credential Provider installation, the following prerequisite is automatically installed:

    • Visual C++ 2019 Redistributable Package (x86 and x64)

  3. Make sure that IIS 10 is installed on Windows and that IIS 6.0 compatibility mode is supported.

    1. On the Windows IIS machine, open the Server Manager.

    2. In the Dashboard, select Add Roles and Features > Server Selection > Server Roles.

    3. In Web Server (IIS) > Management Tools, verify that IIS 6 Management Compatibility and IIS 6 Management Compatibility > IIS 6 Metabase Compatibility (or IIS Metabase and IIS 6 configuration compatibility) are selected.
    4. Under Web Server > Application Development, ensure that the following are selected:

      • .NET Extensibility 4.x (according to your .NET Framework). For details, see Verify .NET Framework version.

      • ASP

      • ASP.NET 4.x (according to your .NET Framework)

      • ISAPI Extensions

      • ISAPI Filters

    5. Click Next twice, then click Install.

  4. Prepare locations on the CCP machine from which to run the Credential Provider for Windows and CCP Web Services installations:

    1. Create a new folder called Central Credential Provider.
    2. In the Central Credential Provider folder, create the following subfolders:

      • Windows
      • Central Credential Provider Web Service

  5. If CCP is set behind a load balancer, configure one of the following options:

    • Define the load balancer as a Transparent Proxy so that the source IP of the originating machine is preserved.

    • Configure the load balancer to add the X-Forwarded-For header, carrying the original source IP, to the requests it forwards. The corresponding setting must also be configured in the CCP.

      These settings ensure that auditing and allowed-machines authentication see the IP address of the requesting machine rather than the address of the load balancer. For more information, see Allowed machines authentication.

  6. Install the Credential Provider for Windows as described in Install the Credential Provider on Windows.

    As a best practice, privileged users should always access the Credential Provider server through a PSM server so that their sessions can be recorded and monitored. Allowing privileged users direct access to a Credential Provider server is not recommended.
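The IIS role checks in step 3 and the folder preparation in step 4 can be carried out from an elevated PowerShell session instead of through Server Manager. The following script is an added example, not CyberArk's own tooling: it assumes a Windows Server host with the ServerManager module, and the root folder C:\Central Credential Provider is an assumed location that you can change. The feature names are the Server Manager equivalents of the options named above.

```powershell
#Requires -RunAsAdministrator
# Added example: verify and install the IIS prerequisites, then create the staging folders.
Import-Module ServerManager

# Windows feature names corresponding to the Server Manager options in the prerequisites.
$requiredFeatures = @(
    'Web-Server',        # Web Server (IIS)
    'Web-Mgmt-Compat',   # IIS 6 Management Compatibility
    'Web-Metabase',      # IIS 6 Metabase Compatibility
    'Web-Net-Ext45',     # .NET Extensibility 4.x
    'Web-Asp',           # ASP
    'Web-Asp-Net45',     # ASP.NET 4.x
    'Web-ISAPI-Ext',     # ISAPI Extensions
    'Web-ISAPI-Filter'   # ISAPI Filters
)

# Inspect the current state before changing anything, and install only what is missing.
$state   = Get-WindowsFeature -Name $requiredFeatures
$missing = $state | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Host "Installing missing IIS features: $($missing.Name -join ', ')"
    $result = Install-WindowsFeature -Name $missing.Name
    if (-not $result.Success) {
        throw "Feature installation failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before continuing with the CCP installation.'
    }
} else {
    Write-Host 'All required IIS features are already installed.'
}

# Sanity check that the installed IIS is version 10 (major version recorded in the registry).
$iis = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -Name MajorVersion
if ($iis.MajorVersion -lt 10) {
    Write-Warning "IIS major version is $($iis.MajorVersion); IIS 10 is required."
}

# Step 4: create the staging folders for the two installation packages.
$root = 'C:\Central Credential Provider'   # assumed location
foreach ($sub in 'Windows', 'Central Credential Provider Web Service') {
    New-Item -ItemType Directory -Path (Join-Path $root $sub) -Force | Out-Null
}
Get-ChildItem -Path $root
```

Run the script once before copying the installation packages; if it reports that a restart is needed, reboot and run it again to confirm every feature shows as installed before continuing with step 6.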

Step 2: Install the CCP web service

The CCP web service must be installed using the same installation packages as the Credential Provider.

  1. Copy the content from the installation package's \Central Credential Provider\Central Credential Provider Web Service folder into the local \Central Credential Provider\Central Credential Provider Web Service folder that you created above.

  2. Run the CCP installation:

If you installed CCP on a hardened PVWA, in the web.config file (C:\inetpub\wwwroot\AIMWebService\web.config), change the httpRedirect parameter from enabled="true" to enabled="false".

The HTTP Redirect setting must be disabled when CCP is installed on a hardened PVWA, so that the CCP web service can be called directly without being redirected to the PVWA.
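The web.config edit described above can be scripted so that it is backed up and verified rather than changed by hand. This is an added example, not part of the CyberArk documentation or installer: it uses the web.config path given above, and the backup file name is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: disable the httpRedirect element in the CCP web.config on a hardened PVWA.
$webConfig = 'C:\inetpub\wwwroot\AIMWebService\web.config'

if (-not (Test-Path -Path $webConfig)) {
    throw "web.config not found at $webConfig"
}

# Keep a timestamped backup before editing a file that IIS reads live (backup name is assumed).
$backup = "$webConfig.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $webConfig -Destination $backup

# Load the file as XML and locate <httpRedirect> under <system.webServer>.
[xml]$xml = Get-Content -Path $webConfig -Raw
$redirect = $xml.SelectSingleNode('/configuration/system.webServer/httpRedirect')
if ($null -eq $redirect) {
    throw "No <httpRedirect> element found under <system.webServer> in $webConfig"
}

Write-Host "httpRedirect enabled before: $($redirect.GetAttribute('enabled'))"
$redirect.SetAttribute('enabled', 'false')
$xml.Save($webConfig)

# Re-read from disk and confirm the change actually landed.
[xml]$check = Get-Content -Path $webConfig -Raw
$after = $check.SelectSingleNode('/configuration/system.webServer/httpRedirect').GetAttribute('enabled')
if ($after -ne 'false') {
    throw "httpRedirect is still enabled='$after'; restore from $backup and check the file manually"
}
Write-Host "httpRedirect enabled after: $after (backup saved to $backup)"
```

The same change can be made through the WebAdministration module with Set-WebConfigurationProperty against the site's PSPath, but because the page instructs you to edit the application's web.config directly, the script edits that file and confirms the result by re-reading it.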

Continue with Post installation below.

Post installation

After installing the CCP web services, do the following post-installation tasks.

The Central Credential Provider does not configure IIS. It is the customer's responsibility to configure IIS to define and maximize its security capabilities. For more information, see Security overview.