Command Line Interface (PACLI)

Use CyberArk's Command Line Interface (PACLI) to perform quick Vault-level functions without logging in to the PrivateArk client.

 

We recommend using PACLI only if you cannot perform the task using the REST Web services. For details on our available REST APIs, see REST APIs.

The following are examples of tasks you can perform with PACLI:

    • Add or delete Vault users
    • Manage safes
    • Manage network areas
    • Manage requests


PACLI requirements

For information about the minimum system requirements and supported platforms for PACLI, see CyberArk SDKs in the system requirements section of the docs.

CyberArk component compatibility

PACLI works with the Digital Vault server, version 4.5 or later.

What does PACLI include

The PACLI package includes the following:

PACLI 32-bit components:

    • PACLI.exe
    • calibeay32.dll
    • cassleay32.dll
    • msvcr71.dll
    • icudt42l.dat

PACLI 64-bit components:

    • PACLI.exe
    • calibeay64102k.dll
    • cassleay64102k.dll
    • msvcr120.dll
    • icudt58l.dat

Backward compatibility issues

The following backward compatibility issues are relevant to PACLI, version 7.2.9.

Deprecated commands

The following PACLI commands have been deprecated and are no longer supported by PACLI:

    • ActiveSafesReport
    • GWAccountsList
    • ActiveUsersReport
    • OwnersListReport
    • AddressesList
    • RenameFile
    • EnableVaultFileCategories
    • RenameFolder
    • FindCountersByCategory
    • SafeActivitiesReport
    • FindCountersBySafe
    • SafesListReport
    • GetNotes
    • UserActivitiesReport
    • UsersByLocationReport
    • UsersLog

Deprecated parameters

The following PACLI parameters have been deprecated and are no longer supported by PACLI:

SafePassword
SafeKeyFile

These parameters are no longer supported in the StoreFile, RetrieveFile, StorePasswordObject and RetrievePasswordObject commands.

How to use PACLI

The following .dll files are distributed as part of the PACLI package:

Version

PACLI .dll or .dat Files

Store in

PACLI 32-bit:

calibeay32.dll
cassleay32.dll
msvcr71.dll

store in the same folder as the Pacli.exe file or in the system Path

 

PACLI 64-bit:

cassleay64102k.dll
calibeay64102k.dll
msvcr120.dll  

PACLI 32-bit:

icudt42l.dat

store in c:/windows/syswow64/

 

PACLI 64-bit:

icudt58l.dat

  • Most PACLI command lines begin with a definition of the Vault in which the activity will take place, and the Username of the User issuing the command. This ensures that only Users who have permission to carry out the specified task are authorized to do so. Where a password is required but not specified, PACLI prompts the User for it; the password is masked with asterisks as it is typed.

  • Values that are required appear in the command line without square brackets. In the following example, both the name of the Vault and the name of the User are required for the User to log off from the Vault. PACLI commands are not case-sensitive.

     

    LOGOFF VAULT=vault USER=user

  • Values that appear in square brackets are optional. In the following example, the quota value that is specified will become the default value.

     

    ADDLOCATION VAULT=vault USER=user LOCATION=location [QUOTA={_-1_|quota}]

  • Default values appear between underscores. In the above example, the default quota is ‘-1’ although this can be changed. If you do not specify a quota, the default will be accepted.

  • String values that contain only digits must be enclosed within quotation marks in order for PACLI to recognize the value as a string.

Examples of PACLI instructions

Let's start with the most basic script that you will use to log into a Vault.

 

PACLI INIT
PACLI DEFINEFROMFILE VAULT=NewCo PARMFILE=C:\VAULT.INI
PACLI LOGON VAULT=NewCo USER=Judy
PACLI LOGOFF VAULT=NewCo USER=Judy
PACLI TERM

The first line, PACLI INIT begins the PACLI working session. After the session has been started, the Vault is defined. In this case, the name of the Vault is 'NewCo', and the Vault’s IP address and other details are listed in a file stored as C:\vault.ini. All other values of the Vault are taken from the Vault default settings. The next line logs the User, Judy, onto the NewCo Vault. As she does not specify her password in the PACLI command, she will be prompted for it. The following line logs Judy off the NewCo Vault. Finally, the last line terminates the PACLI working session.

Now let's look at an example in which we open a Safe that has already been created, and let's store a file in it.

 

PACLI INIT
PACLI DEFINEFROMFILE VAULT=NewCo PARMFILE=C:\VAULT.INI
PACLI LOGON VAULT=NewCo USER=Judy
PACLI OPENSAFE VAULT=NewCo USER=Judy SAFE=marketing
PACLI STOREFILE VAULT=NewCo USER=Judy SAFE=marketing FOLDER=Root FILE=file.txt LOCALFOLDER=. LOCALFILE=localfile.txt
PACLI CLOSESAFE VAULT=NewCo USER=Judy SAFE=marketing
PACLI LOGOFF VAULT=NewCo USER=Judy
PACLI TERM

After initializing the PACLI session, a new Vault is defined. As in the previous example, the name of the Vault is NewCo, and the Vault’s IP address and other details are listed in a file stored as C:\vault.ini. All other values of the Vault are taken from the Vault default settings. The next line logs the user Judy onto the NewCo Vault. As she does not specify her password in the PACLI command, she will be prompted for it. The following line opens the Safe called marketing, which is in the NewCo Vault and to which she has Owner Rights. The STOREFILE command on the next line instructs PACLI to take the file localfile.txt from the specified local folder and store it in the NewCo Vault, in the Root folder of the marketing Safe, as a file called file.txt.

The example continues by closing the Safe in the specified Vault and then logging Judy off. Finally, the PACLI session is terminated.

This final example generates several lists, each according to different criteria.

 

PACLI INIT
PACLI DEFINEFROMFILE VAULT=NewCo PARMFILE=C:\VAULT.INI
PACLI DEFAULT VAULT=NewCo USER=Judy SAFE=marketing FOLDER=Root
PACLI LOGON
PACLI SAFESLIST output(ALL,ENCLOSE)
PACLI OPENSAFE
PACLI FILESLIST output(NAME,CREATIONDATE,RAW)
PACLI OPENSAFE SAFE=finance
PACLI FOLDERSLIST SAFE=finance output(NAME)
PACLI FOLDERSLIST output(ALL,ENCLOSE)
PACLI LOGOFF
PACLI TERM

As required, the first command line initiates the PACLI session. The second command line defines the Vault in which the activity will be carried out. As in the previous examples, the name of the Vault is NewCo, and the Vault’s IP address and other details are listed in a file stored as C:\vault.ini. All other values of the Vault are taken from the Vault default settings.

The next line declares default settings for this PACLI session. In this example, all the possible default settings are used, declaring NewCo as the default Vault, Judy as the default user, marketing as the default Safe, and Root as the default folder in the Safe. The LOGON command then prompts Judy for her password and logs her onto the Vault, having already taken her username from the default declaration above.

The SAFESLIST command is based on the default declarations above, and therefore only declares the type of output required. In this case, PACLI will generate a list of all the Safes in the NewCo Vault, and will display the results enclosed in quotation marks.

The OPENSAFE command does not have any values after it, indicating that all the values are to be taken from the default declarations specified earlier in the session. Therefore, the marketing Safe in the NewCo Vault is opened and a list of all the files in the default folder, Root, is generated. The list will display the filename, the creation date of the file, and the raw time of the creation date (i.e., the number of seconds that have passed since the OS set the time).

The following line instructs PACLI to open the finance safe, and a list is generated containing all the names of the folders in the Safe.

The line after that repeats the FOLDERSLIST command, but without a Safe name after it. Therefore, PACLI will revert to the default Safe and folder, which is the marketing Safe, and will generate a list of all the folders contained in the Root folder. Each folder name will be displayed in quotation marks, as specified by the enclose command.

Finally, Judy is logged off from the Vault, and the PACLI session is terminated.

Special output parameters

The following two parameters are only applicable for specific command line outputs.

RAW

This parameter displays the output date and time values in the number of seconds that have passed since the OS set the time. This is only applicable if a parameter that displays the date or time has been specified in the output command.

Note the format of the date and time in the output of the following example:

Command:

 

pacli safeslist output(name,size,status,lastused,accessed, enclose)

Output:

 

"Marketing","8239","NO","Wed Nov 27 11:41:00 2002","NO","NO"
"Research","140","NO","Tue Dec 10 10:35:04 2002","NO","NO"

In the following example, the <raw> parameter has been added. Note the difference in the output format of the date and time.

Command:

 

pacli safeslist output(name,size,status,lastused,accessed, enclose,raw)

Output:

 

"Marketing","8239","NO","1038390060","NO","NO"
"Research","140","NO","1039509304","NO","NO"
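The two sample outputs above can be normalized to one UTC timeline for audit or log correlation. The following is an added example, not part of the PACLI package or the original documentation. It assumes RAW values are seconds since the Unix epoch and that the formatted sample was produced on a machine at UTC+2; the function names and the `extra` key are hypothetical.

```python
import csv
from datetime import datetime, timedelta, timezone

# Constructed from the page's two sample outputs (same Safes, without and with RAW).
FORMATTED = '''"Marketing","8239","NO","Wed Nov 27 11:41:00 2002","NO","NO"
"Research","140","NO","Tue Dec 10 10:35:04 2002","NO","NO"'''
RAW = '''"Marketing","8239","NO","1038390060","NO","NO"
"Research","140","NO","1039509304","NO","NO"'''

def parse_lastused(value, local_utc_offset_hours):
    """Return LASTUSED as an aware UTC datetime.

    Assumption: RAW values are seconds since the Unix epoch (UTC).
    Formatted values carry no zone, so the caller must supply the offset
    of the machine that produced the output.
    """
    if value.isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    local = datetime.strptime(value, "%a %b %d %H:%M:%S %Y")
    tz = timezone(timedelta(hours=local_utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)

def parse_safeslist(text, local_utc_offset_hours=0):
    """Parse ENCLOSE-style SAFESLIST output into dicts.

    Columns are read by position (name, size, status, lastused); the sample
    rows hold more values than the command names, so extras are kept as-is.
    """
    rows = []
    for fields in csv.reader(text.splitlines()):
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        rows.append({
            "name": fields[0],
            "size": int(fields[1]),
            "status": fields[2],
            "lastused": parse_lastused(fields[3], local_utc_offset_hours),
            "extra": fields[4:],
        })
    return rows

if __name__ == "__main__":
    for row in parse_safeslist(RAW):
        print(row["name"], row["lastused"].isoformat())
```

With RAW the timestamps need no offset from the caller, which is why it is the safer choice when PACLI output from several machines is merged.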

OEM

This parameter translates characters from the localized character set format into the OEM-defined character set that DOS understands.

For example, if the name of a Safe contains Japanese characters, the <OEM> parameter prevents the output Safe name from being generated in random characters, but generates it in a format that is recognized by DOS.

The following example displays how the PACLI SafesList command might be entered if Safes were created using a localized character set.

 

pacli safeslist output(name,size,status,lastused,accessed, enclose,oem)

The output Safe names will appear in the OEM-defined character set which DOS reconciles with the localized Safe name.