Install PAM - Self-Hosted

This section includes instructions for installing the components included in the Privileged Access Manager - Self-Hosted solution and the different methods of installation.

In this section:

General installation flow

The following procedure describes a general installation workflow. Some of the steps are optional, depending on the deployment you choose. You must perform the steps in order they appear so that each component is installed with its complete functionality.

Review the Installation methods and select the right one for you.

  1. Install the Digital Vault

    Define the Digital Vault and install the security layers that surround it. You can also configure the remote administration agent so that you can manage the Digital Vault from a remote location.

    You can install the Digital Vault in the following architectures:

    • Primary-DR

    • Distributed Vaults

    Both architectures can also be installed as a two-node cluster.

    For details, see Introduction to Digital Vault installation.

  2. Install the PrivateArk Client

    Install the PrivateArk Client on the Vault machine so that can carry out initial administrative activities, such as creating and administrating Safes and Users.

    For details, see Install the PrivateArk Administrative Client.

  3. Install the Password Vault Web Access

    Install the Password Vault Web Access (PVWA) which enables users to create, request, access and manage privileged passwords throughout the enterprise.

    You can install multiple PVWAs for a high availability or load-balancing implementation, or to enable users from different networks to access passwords in the Vault with different authentication methods.

    For more information about installation, see Install PVWA.

  4. Install the Central Policy Manager

    After installing the PVWA, install the Central Policy Manager (CPM) that will automatically manage the passwords stored in the Password Vault. If you require more than one CPM to manage multiple networks or for a load balancing implementation, you can install additional CPMs.

    For more information about installation, see Install CPM.

  5. Install Privileged Session Manager (PSM

    Install PSM which enables you to secure, control and monitor privileged access to network devices by using Vaulting technology to manage privileged accounts and record all IT administrator privileged sessions on remote machines.

    You can install as many PSMs as you require in high availability or load-balancing implementations.

    For details on manual installation, see Install PSM.

  6. Install Privileged Threat Analytics

    Install Privileged Threat Analytics (PTA) to continuously monitor the use of privileged accounts that are managed in the PAM - Self-Hosted platform, as well as accounts that are not yet managed by CyberArk, and look for indications of abuse or misuse of the CyberArk platform.

    PTA also looks for attackers who compromise privileged accounts by running sophisticated attacks, such as Golden Ticket.

    For details on manual installation, see Install PTA.

  7. Install the On-Demand Privileges Manager (optional)

    The OPM enables you to secure, control and monitor privileged access to UNIX commands. This is done by using Vaulting technology to allow end users to perform super-user tasks with their own personal account, whilst maintaining the least-privilege concept.

    The OPM provides complete visibility and control of super users and privileged accounts across the enterprise, and enables centralized management and auditing from a unified product to all aspects of privileged account management.

    For details, see Install On-Demand Privileges Manager.

  8. Install a Backup Solution (optional)

    CyberArk’s Backup Utility uses the CyberArk Vault protocol to access the Vault and replicate its encrypted contents to an external location without compromising the Vault’s security. You can then use your own enterprise backup solution to backup the Vault’s contents from this location. In addition, the Vault can support various third-party backup solutions on the Vault.

    For details, see Install a Vault backup solution.

  9. Install the Remote Administration Clients (optional)

    To enable you to manage and configure them from remote locations, without the need to physically approach the Vault machines.

    For details, see Install remote administration clients.

Installation methods

There are various methods for installing the PAM - Self-Hosted solution components, except for the Vault, which can only be installed manually, and PSM for SSH, which cannot be installed manually.

The following table describes all installation methods. Select the method that best suites your needs.




Install the Privileged Access Manager - Self-Hosted solution manually.

This is applicable for Digital Vault, PVWA, CPM, PSM, OPM, and PTA.


Use the PAM - Self-Hosted deployment scripts provided with the installation package to automatically install and configure the PAM - Self-Hosted components on multiple servers, according to your organizational requirements.

This is applicable for PVWA, CPM, PSM, PSM for SSH, and PTA.

Note: The Vault must be installed manually.

Ansible roles

PAS Orchestrator is a set of Ansible Roles that you can use to deploy CyberArk PAM - Self-Hosted components simultaneously in multiple environments, regardless of the environment’s location.

Note: The Vault must be installed manually.

The Ansible Roles can be integrated with your organization’s CI/CD playbooks.

For details, see Ansible Roles.

Cloud installation

Install and configure the PAM - Self-Hosted solution on AWS or Microsoft Azure.

For details, see Install Privileged Access Manager - Self-Hosted in a cloud environment.

See also