Command Line Interface (PACLI) SDK

This section describes how to use CyberArk's Command Line Interface (PACLI).

Use CyberArk's Command Line Interface (PACLI) to perform quick Vault-level functions.

 

We recommend using PACLI only if you cannot perform the task using the REST Web services. For details on our available REST APIs, see REST APIs.

The following are examples of tasks you can perform with PACLI:

    • Add or delete Vaultt users
    • Manage Safes
    • Manage network areas
    • Manage requests

    In this section:

PACLI requirements

For information about the minimum system requirements and supported platforms for PACLI, see Command Line Interface (PACLI) utility system requirements.

PACLI package contents

The PACLI package includes the following files:

  • Pacli.exe

  • calibeay64102o.dll

  • cassleay64102o.dll

  • msvcp120.dll

  • icudt58l.dat

  • CreateCredFile folder

    • CreateCredFile.exe

    • calibeay32102o.dll

    • calibeay32102o.dll

    • msvcp120.dll

    • msvcr120.dll

    The icudt58l.dat file must be in a different folder. Copy the icudt58l.dat file to the c:/windows/syswow64 folder.

How to use the PACLI SDK

Most PACLI command lines begin with a definition of the Vault in which the activity will take place, and the user name of the user issuing the command. This ensures that only users who have permission to carry out the specified task are authorized to do so. Where a password is required but not specified, PACLI prompts the user after which the password can be typed and asterisks will appear at each key entry.

Values that are required appear in the command line without parentheses. In the following example, both the name of the Vault and the name of the User are obligatory values for the user to log off from the Vault. PACLI commands are not case-sensitive.

 

LOGOFF VAULT=vault USER=user

Values that appear in parentheses are optional. In the following example, the quota value that is specified will become the default value.

 

ADDLOCATION VAULT=vault USER=user LOCATION=location [QUOTA={_-1_|quota}]

Default values appear between underscores. In the above example, the default quota is ‘-1’ although this can be changed. If you do not specify a quota, the default will be accepted.

String values that contain only digits must be enclosed within quotation marks in order for PACLI to recognize the value as a string.

PACLI SDK instructions and examples

Let's start with the most basic script that you will use to log in to a Vault.

 

PACLI INIT
PACLI DEFINEFROMFILE VAULT=NewCo PARMFILE=C:\VAULT.INI
PACLI LOGON VAULT=NewCo USER=Judy
PACLI LOGOFF VAULT=NewCo USER=Judy
PACLI TERM

The first line, PACLI INIT begins the PACLI working session. After the session has been started, the Vault is defined. In this case, the name of the Vault is 'NewCo', and the Vault’s IP address and other details are listed in a file stored as C:\vault.ini. All other values of the Vault are taken from the Vault default settings. The next line logs the user, Judy, onto the NewCo Vault. As she does not specify her password in the PACLI command, she will be prompted for it. The following line logs Judy off the NewCo Vault. Finally, the last line terminates the PACLI working session.

Now let's look at an example in which we open a Safe that has already been created, and let's store a file in it.

 

PACLI INIT
PACLI DEFINEFROMFILE VAULT=NewCo PARMFILE=C:\VAULT.INI
PACLI LOGON VAULT=NewCo USER=Judy
PACLI OPENSAFE VAULT=NewCo USER=Judy SAFE=marketing
PACLI STOREFILE VAULT=NewCo USER=Judy SAFE=marketing FOLDER=Root FILE=file.txt LOCALFOLDER=. LOCALFILE=localfile.txt
PACLI CLOSESAFE VAULT=NewCo USER=Judy SAFE=abc
PACLI LOGOFF VAULT=NewCo USER=Judy
PACLI TERM

After initializing the PACLI session, a new Vault is defined. As in the previous example, the name of the Vault is NewCo, and the Vault’s IP address and other details are listed in a file stored as C:\vault.ini. All other values of the Vault are taken from the Vault default settings.

The next line logs the user Judy onto the NewCo Vault. She does not specify her password in the PACLI command, so she is prompted for it.

The following line opens the Safe called marketing which is in the NewCo Vault, and to which she has Owner rights. The STOREFILE command on the next line instructs PACLI to store a file called localfile.txt which is located in the specified local folder, in the NewCo Vault, in the Root folder of the marketing Safe, as a file called file.txt.

The example continues by closing the Safe in the specified Vault, then logs off Judy. Finally, the PACLI session is terminated.

This final example generates several lists, each according to different criteria.

 

PACLI INIT
PACLI DEFINEFROMFILE VAULT=NewCo PARMFILE=C:\VAULT.INI
PACLI DEFAULT VAULT=NewCo USER=Judy SAFE=marketing FOLDER=Root
PACLI LOGON
PACLI SAFESLIST output(ALL,ENCLOSE)
PACLI OPENSAFE
PACLI FILESLIST output(NAME,CREATIONDATE,RAW)
PACLI OPENSAFE SAFE=finance
PACLI FOLDERSLIST SAFE=finance output(NAME)
PACLI FOLDERSLIST output(ALL,ENCLOSE)
PACLI LOGOFF
PACLI TERM

As required, the first command line initiates the PACLI session. The second command line defines the Vault in which the activity will be carried out. As in the previous examples, the name of the Vault is NewCo, and the Vault’s IP address and other details are listed in a file stored as C:\vault.ini. All other values of the Vault are taken from the Vault default settings.

The next line declares default settings for this PACLI session. In this example, all the possible default settings are used, declaring NewCo as the default Vault, Judy as the default user, marketing as the default Safe, and Root as the default folder in the Safe. The LOGON command then prompts Judy for her password and logs her onto the Vault, having already taken her username from the default declaration above.

The SAFESLIST command is based on the default declarations above, and therefore only declares the type of output required. In this case, PACLI will generate a list of all the Safes in the NewCo Vault, and will display the results enclosed in quotation marks.

The OPENSAFE command does not have any values after it, indicating that all the values are to be taken from the default declarations specified earlier in the session. Therefore, the marketing Safe in the NewCo Vault is opened and a list of all the files in the default folder, Root, is generated. The list displays the filename, the creation date of the file, and the raw time of the creation date (for example, the number of seconds that have passed since the OS set the time).

The following line instructs PACLI to open the finance Safe, and a list is generated containing all the names of the folders in the Safe.

The line after that repeats the FOLDERSLIST command, but without a Safe name after it. Therefore, PACLI reverts back to the default Safe and folder, which is the marketing Safe, and will generate a list of all the folders contained in the Root folder. Each folder name will be displayed in quotation marks, as specified by the enclose command.

Finally, Judy is logged off from the Vault, and the PACLI session is terminated.

Special output parameters

The following two parameters are only applicable for specific command line outputs.

RAW

This parameter displays the output date and time values in the number of seconds that have passed since the OS set the time. This is only applicable if a parameter that displays the date or time has been specified in the output command.

Note the format of the date and time in the output of the following example:

Command:

 

pacli safeslist output(name,size,status,lastused,accessed, enclose)

Output:

 

"Marketing","8239","NO","Wed Nov 27 11:41:00 2002","NO","NO"
"Research","140","NO","Tue Dec 10 10:35:04 2002","NO","NO"

In the following example, the <raw> parameter has been added. Note the difference in the output format of the date and time.

Command:

 

pacli safeslist output(name,size,status,lastused,accessed, enclose,raw)

Output:

 

"Marketing","8239","NO","1038390060","NO","NO"
"Research","140","NO","1039509304","NO","NO"

OEM

This parameter translates characters from the localized character set format into the OEM-defined character set that DOS understands.

For example, if the name of a Safe contains Japanese characters, the <OEM> parameter prevents the output Safe name from being generated in random characters, but generates it in a format that is recognized by DOS.

The following example displays how the PACLI SafesList command might be entered if Safes were created using a localized character set.

 

pacli safeslist output(name,size,status,lastused,accessed, enclose,oem)

The output Safenames will appear in the OEM-defined character set which DOS reconciles with the localized Safe name.