CPM installation requirements

This topic describes the requirements for installing CPM on a Windows Server.

PVWA installation

PVWA must be installed before you can install CPM.

Make sure that you have installed the latest version of PVWA that works with your current CPM version. For more information about version compatibility between the PVWA and the CPM, see Vault, PVWA, and component version compatibility .

Enable a secure channel between the CPM and PVWA

If PVWA is configured to communicate through a secure channel (HTTPS), the CPM machine needs to trust the PVWA SSL certificate.

  • Import the CA certificate from the CA that issued the PVWA's SSL certificate to the CPM server.

  • Make sure that the CPM server can access the CRL Distribution Points referenced in the PVWA's certificate.

Security requirements

As the CPM is important in terms of availability and sensitive information handling, its security is imperative. Before installing CPM, make sure that your system complies with security requirements.

  • Use the strictest organizational policy that will enable the CPM to function properly, regarding physical access to the CPM machine, network access, access control, auditing, monitoring, active services and relevant up-to-date security patches.

  • The CPM machine should not have access to, or be accessible from, the Internet or any other unsecured network in the organization.

For more information, see Security Fundamentals.

Windows Server

Set up a clean Windows Server. The following Windows Server versions are supported:

  • Windows 2019

  • Windows 2016

  • Windows 2012 R2


The CPM must be installed on a different machine from the Vault.

Windows PowerShell

Windows PowerShell version 5 or later must be installed.

Network communication

The CPM uses a TCP connection to communicate with the CyberArk Vault. Therefore, any type of network protection on the machine where the CPM is installed must allow TCP communication with the Vault’s IP address. The default TCP port number for communication to the Vault is 1858, but it is configurable.

The CPM must also be able to communicate with the remote machine where passwords are changed. Specific network requirements differ according to the type of remote machine where the passwords will be changed (Windows Domain, Linux, Oracle, etc.).

The CPM Scanner also requires network access to the PVWA server in order to process scans and scan tasks.

Set user authorizations

The user performing the installation must have both Vault user authorizations and Safe ownership.

Vault user authorizations

During installation, Safes and a user are created to enable the CPM to work. In order to create the Safes and the user, the Vault user performing the installation must have the following authorizations in the Vault:

  • Add Safes

  • Add/Update Users

  • Reset Users’ Passwords

  • Activate Users

  • Manage Server File Categories

Safe ownership

The user performing the installation must have ownership of the VaultInternal and Notification Engine Safes, and the following permissions:

  • List Files

  • Retrieve Files

  • Manage Safe

  • Manage Safe Owners

  • View Audit

  • View Owners