CPM post-installation tasks

This topic describes tasks that you perform after you have installed the CPM.

To enhance your security, use the most recent platform release. Download the latest available platform from the CyberArk Marketplace > Integrations and Tools.

To receive notifications about new and upgraded integrations and tools, new content, and updates to the site, join Marketplace News and Updates.

Create a Trusted Network Area

During installation, several Vault objects are created to enable the CPM to access existing passwords, generate new ones and replace them on a remote machine. However, before the CPM can begin working, it is recommended to create a Trusted Network Area for the CPM user to log on to the Vault.

Make sure that the CPM user can only log on to the Vault from the CPM machine.

To create a trusted network area:

  1. Create a Network Area that includes only the IP address of the CPM machine, and from where the CPM user will log on to the Vault.

  2. In the User Properties window, add this network area to the user’s Trusted Network Areas.

  3. Restart the following services:

    • CyberArk Password Manager service

    • CyberArk Central Policy Manager Scanner

Check the installation log files

During installation, the log file, CPMInstall.log, is created to monitor the installation process and to verify that the CPM was installed successfully.

This log file is created in the Windows Temp folder and it contains a list of all the activities performed during the installation procedure.

Other log files that are used for internal purposes are created in the same folder during installation.

Check the CPM services

During CPM installation, the following services are added:

CyberArk Password Manager
CyberArk Central Policy Manager Scanner

These services are started automatically after installation.

Add restrictions to the protected credentials file

During installation, a credentials file is created to enable the CPM user to log on to the Vault.

To enhance the security of the credentials file, use the CreateCredFile utility in the Env folder to create a protected credentials file. For more information, see User credential files.


The credentials file is created dynamically during CPM installation, and is not removed automatically when the CPM is uninstalled.

Credential file used to access PVWA

During installation, a credential file (apikey.ini) is created and saved in the CPM installation folder. The credential file enables the CPM Scanner to communicate with the PVWA.

The following parameters in the API section of the CPM's Vault parameter file enable the CPM's PasswordManager user to issue requests to the PVWA.




The URL of the PVWA. Separate multiple PVWAs with commas.

If the CPM was installed before the PVWA, a warning is written to the scanner logs, and the URL of the PVWA must be updated manually after PVWA installation.


The location of the credential file that enables the CPM's PasswordManager user to access the PVWA.

If this key is not synchronized, it can be reset by running the APIKeyManager Utility that is in the CPM installation folder.