Implementation Guide
Version 7.1
All rights reserved. This document contains information and ideas, which are
proprietary to Cyber-Ark Software. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted, in any form or by any
means, electronic, mechanical, photocopying, recording, scanning, or
otherwise, without the prior written permission of Cyber-Ark Software.
EVD-007-1-0-1
Copyright © 2000-2012 by Cyber-Ark® Software Ltd. All rights reserved.
This version of the ExportVaultData utility includes changes made in the Cyber-Ark
Vault version 7.1.
This chapter introduces you to the new features and includes the following
sections:
New Features
New Features
This section describes the new features that have been added to the
ExportVaultData utility.
New Parameters
The ExportVaultData utility contains two new parameters for ease of use and
improved logging:
Time displayed in reports – The utility can display the time fields in reports in
either local time or GMT.
Logging – An additional layer of trace information can be written in the utility
log files for more informative logging.
The ExportVaultData utility exports data from the Vault to TXT or CSV files, from
where they can be imported into third party applications or databases. Each report
is saved in a different file.
This chapter contains the following sections:
Requirements
Installing the ExportVaultData Utility
Upgrading the ExportVaultData Utility
Using the ExportVaultData Utility
Errors and Logs
Requirements
The minimum requirements for running the Cyber-Ark ExportVaultData utility on
Windows are as follows:
Operating System: Windows 2003R2, Windows 2008R2, Windows 7
SQL Server: SQL Server 2005, SQL Server 2008
Cyber-Ark Vault: version 7.1 or higher
Parameter Specifies
\VaultFile Full path of the Vault configuration file (if not set, default value is ‘vault.ini’).
\CredFile Full path of the user credentials file (if not set, default value is ‘user.ini’).
\Logfile Full path of the log file (if not set, default value is ‘log.txt’).
\Target The output of the utility will be saved in a file.
\LogNumOfDays The number of previous days that will be included in the Safe and user log
activities report. The default number is 1.
\Separator The character that will be used as the separator between fields. The default
separator is comma (,).
Note: Some characters are not valid as separators (e.g., | ).
\Qualifier The character that will be used as the text qualifier. The default qualifier is
quotation-marks (“).
Note: Some characters are not valid as qualifiers (e.g., | ).
\UseQualifier Whether to use the text qualifier in all types of fields, in none of the fields, or
only in string fields. Valid values are “All”, “None” or “Strings”. The default value is
“Strings”.
\timezone The time zone that will be used in all reports time fields. Specify one of the
following:
Local time
GMT – This is the default value.
\enabletrace Whether or not Casos log files will include Casos transaction information. Specify
one of the following:
Yes - Casos log files will include Casos transaction information. This is
the default value.
No - Casos log files will not include Casos transaction information.
Note: This affects the size of the log files.
\OutputName The type of report and the name of the output file. At least one output file must
be specified.
Note: Specify the output type and file name directly, as shown in the following
example which would generate a Safes List report:
ExportVaultData \VaultFile=Vault.ini \CredFile=user.cred \Target=File
\SafesList=MySafesList.log
This can be any of the following:
FilesList A files list report will be generated.
LogList A log activities report will be generated.
OwnersList An owners list report will be generated.
RequestsList An incoming requests list report will be generated.
SafesList A Safes list report will be generated.
GroupsList A groups list report will be generated.
GroupMembersList A group members list report will be generated.
UsersList A users list report will be generated.
LocationsList A locations list report will be generated.
ConfirmationsList A request confirmations list report will be generated.
Italogfile A system log (ITAlog) file will be generated.
EventsList An events list report will be generated.
ObjectProperties A file categories list will be generated.
\? Lists the available options.
The following example shows how to use this utility to generate a log list:
ExportVaultData \VaultFile="D:\ExportVaultData\Vault.ini"
\CredFile="D:\ExportVaultData\auditor.cred" \Target=File
\LogList="D:\ExportVaultData\loglist.txt"
The above example will create a log activities report for the Vault defined in the
Vault.ini file in D:\ExportVaultData. The user who will access the Vault to
generate this report is defined in the auditor.cred file in D:\ExportVaultData. The
log activities report will be saved in a file called loglist.txt, also in
D:\ExportVaultData.
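The following Python script is an added example and is not part of this guide or of the ExportVaultData utility. It reads an exported text file back in according to the \Separator, \Qualifier and \UseQualifier settings described above, so that a consumer can tell a numeric field from a string field and recognise an empty ID. It assumes that the export has no header row (column names are taken from the field tables later in this guide), that a qualifier occurring inside a qualified field is doubled, and that under \UseQualifier=Strings an unqualified field is numeric; the sample records are constructed.

```python
"""Read ExportVaultData text output back in, honouring the Separator, Qualifier
and UseQualifier parameters it was produced with.

Added example; not part of this guide or of the utility. Assumptions: the export
has no header row (column names come from this guide's field tables), a qualifier
inside a qualified field is doubled, and with UseQualifier=Strings an unqualified
field holds a number.
"""
from typing import Dict, List, Tuple, Union

INVALID_DELIMITERS = {"|"}          # this guide lists "|" as invalid for both settings
Value = Union[str, int, None]


def validate_options(separator: str = ",", qualifier: str = '"',
                     use_qualifier: str = "Strings") -> None:
    """Reject option combinations that cannot produce an unambiguous file."""
    if len(separator) != 1 or len(qualifier) != 1:
        raise ValueError("separator and qualifier must be single characters")
    if separator in INVALID_DELIMITERS or qualifier in INVALID_DELIMITERS:
        raise ValueError("'|' is not a valid separator or qualifier")
    if separator == qualifier:
        raise ValueError("separator and qualifier must differ")   # assumption
    if use_qualifier not in ("All", "None", "Strings"):
        raise ValueError("UseQualifier must be All, None or Strings")


def split_record(line: str, separator: str = ",",
                 qualifier: str = '"') -> List[Tuple[str, bool]]:
    """Split one exported record into (text, was_qualified) pairs."""
    fields: List[Tuple[str, bool]] = []
    buf: List[str] = []
    i, n = 0, len(line)
    while True:
        qualified = False
        if i < n and line[i] == qualifier:          # qualified field
            qualified = True
            i += 1
            while True:
                if i >= n:
                    raise ValueError(f"unterminated qualifier in {line!r}")
                ch = line[i]
                if ch == qualifier:
                    if i + 1 < n and line[i + 1] == qualifier:
                        buf.append(qualifier)       # doubled qualifier = literal (assumption)
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(ch)
                i += 1
        while i < n and line[i] != separator:       # unqualified text up to the separator
            buf.append(line[i])
            i += 1
        fields.append(("".join(buf), qualified))
        buf = []
        if i >= n:
            return fields
        i += 1                                      # skip the separator


def load_report(text: str, columns: List[str], separator: str = ",",
                qualifier: str = '"', use_qualifier: str = "Strings"
                ) -> List[Dict[str, Value]]:
    """Parse a whole export file into one dict per record, keyed by file field name."""
    validate_options(separator, qualifier, use_qualifier)
    rows: List[Dict[str, Value]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        fields = split_record(line, separator, qualifier)
        if len(fields) != len(columns):
            raise ValueError(f"line {lineno}: expected {len(columns)} fields, got {len(fields)}")
        row: Dict[str, Value] = {}
        for name, (raw, qualified) in zip(columns, fields):
            if raw == "" and not qualified:
                row[name] = None                    # empty ID, e.g. "empty in old servers"
            elif use_qualifier == "Strings" and not qualified and raw.isdigit():
                row[name] = int(raw)                # unqualified under Strings = numeric
            else:
                row[name] = raw
        rows.append(row)
    return rows


# Constructed sample of GroupMembers.csv (file columns GroupID, UserID, MemberIsGroup
# from this guide) written with the default settings: "," separator, '"' qualifier,
# UseQualifier=Strings. The third record has an empty GroupID, as old servers export.
GROUPMEMBERS_COLUMNS = ["GroupID", "UserID", "MemberIsGroup"]
SAMPLE_GROUPMEMBERS = '12,101,"NO"\n12,7,"YES"\n,205,"NO"\n'

# The same kind of data exported with Separator=; and Qualifier=' ; the qualifier
# keeps a separator inside a string field from splitting it (constructed value "N;O").
SAMPLE_SEMICOLON = "12;101;'N;O'\n"


def members_of_group(rows: List[Dict[str, Value]], group_id: int) -> List[int]:
    """Return the UserIDs of the members of one group."""
    return [int(r["UserID"]) for r in rows if r["GroupID"] == group_id]


if __name__ == "__main__":
    parsed = load_report(SAMPLE_GROUPMEMBERS, GROUPMEMBERS_COLUMNS)
    print(parsed)
    print(members_of_group(parsed, 12))
    print(load_report(SAMPLE_SEMICOLON, GROUPMEMBERS_COLUMNS, separator=";", qualifier="'"))
```

Keeping the "was qualified" flag per field is what lets the reader apply the \UseQualifier=Strings rule: an unqualified empty field is an absent ID, an unqualified number is numeric, and everything qualified stays a string. Run the parser with the same separator and qualifier that the export was produced with; Python's csv module can also read these files, but it discards the qualification information.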
The ExportVaultData utility exports data from the Vault to MSSQL databases. Each
report (output) is stored in a dedicated table inside the database. Once the reports
are in the database, users can use the information to generate the specific report
that they require.
This chapter contains the following sections:
Requirements
Installing the ExportVaultData Utility
Upgrading the ExportVaultData Utility
Configuring the ExportVaultData Utility
ExportVaultData Utility Usage
Utility Logs
Errors
Exporting Vault Data into an MSSQL Database Regularly
Example
Requirements
The minimum requirements for running the Cyber-Ark ExportVaultData utility with an
MSSQL target are as follows:
Operating System: Windows XP, 2003, 2008
Cyber-Ark Vault: version 5.0 or higher
Parameter Specifies
\VaultFile Full path of the Vault configuration file (if not set, default value is ‘vault.ini’).
\CredFile Full path of the user credentials file (if not set, default value is ‘user.ini’).
\Logfile Full path of the log file (if not set, default value is ‘log.txt’).
\Target The output of the utility will be saved in an MSSQL database.
\DBServerName The name of the MSSQL database server to which the output of the utility will be
exported. This can be either an IP address or a DNS name.
\Separator The character that will be used as the separator between fields. The default
separator is comma (,).
Note: Some characters are not valid as separators (e.g., | ).
\ContinueOnErrors The utility will continue to import tables into the database after an error
occurs. By default, this parameter is not set.
\OutputName The type of report and the name of the output file. At least one output file
must be specified.
Note: Specify the output type and file name directly, as shown in the following
example which would generate a Safes List report:
ExportVaultData \VaultFile=Vault.ini \CredFile=user.cred \Target=File
\SafesList=MySafesList.log
This can be any of the following:
FilesList A files list report will be generated.
LogList A log activities report will be generated.
OwnersList An owners list report will be generated.
RequestsList An incoming requests list report will be generated.
SafesList A safes list report will be generated.
GroupsList A groups list report will be generated.
GroupMembersList A group members list report will be generated.
UsersList A users list report will be generated.
LocationsList A locations list report will be generated.
ConfirmationsList A request confirmations list report will be generated.
Italogfile A system log (ITAlog) file will be generated.
EventsList An events list report will be generated.
ObjectProperties A file categories list will be generated.
\ChunkSize Determines the size of the chunk of information that will be exported. The
default chunk size is -1, which exports 20,000 records. If this parameter is not
specified or specified with a value other than -1, only the first 20,000 records
will be exported.
\? Lists the available options.
The following example shows how to use this utility to generate a log list:
ExportVaultData \VaultFile="D:\ExportVaultData\Vault.ini"
\CredFile="D:\ExportVaultData\auditor.cred" \Target=File
\LogList="D:\ExportVaultData\loglist.txt"
The above example will create a log activities report for the Vault defined in the
Vault.ini file in D:\ExportVaultData. The user who will access the Vault to
generate this report is defined in the auditor.cred file in D:\ExportVaultData. The
log activities report will be saved in a file called loglist.txt, also in
D:\ExportVaultData.
Utility Logs
The ExportVaultData utility creates a log file which contains information about
operations that took place and errors, if they occurred. This log is created the first
time that the ExportVaultData utility is run, and information is added to it each
subsequent time.
In addition, during the import process into the MSSQL database, a new logs folder is
created for the batch file logs.
This folder is created under the ExportVaultData log folder and uses the following
format for its name:
<current date>_<current EVD execution time>
This folder contains one or more of the following files for each imported database
table:
<table name>.isql.out – This log file is created during a full import when the
table in the current database is cleared, to be replaced by new data. This file is
temporary and is automatically deleted after the table has been cleared
successfully.
<table name>.out – This log file is created when a table is imported into the
database.
<table name>.err – This error log file is created when a table is imported into
the database. If this file contains information, an error occurred during the
import process.
The ExportVaultData and external MSSQL client log files are not deleted
automatically. They will all be stored until they are deleted manually or by a
scheduled task. For more information, refer to Exporting Vault Data into an MSSQL
Database Regularly, page 21.
Errors
Errors may occur while tables are being imported into the MSSQL database,
whether the process adds new information to existing tables (incremental) or
clears the existing table and creates a new one (full).
Errors during a ‘full’ import – When an error occurs during a full import, data
integrity is not affected as the ExportVaultData utility will import the entire
table from the beginning the next time it runs.
Errors during an ‘incremental’ import – When an error occurs during an
incremental import, the ExportVaultData utility distinguishes between two
types of errors:
Errors that result in a database rollback – When a database rollback occurs,
for example, when the connection to the target MSSQL database is lost
during an import process, incremental indications are not updated for the
current execution. This means that the next time that the ExportVaultData
utility runs, it will begin importing records from exactly the same point as it
did when it started running the previous time (when an error occurred).
Errors that do not result in a database rollback – When a database rollback
does not occur, the external MSSQL client utility completes its importing
process successfully and the incremental indication is updated. This error
indicates that certain records were not imported to the MSSQL database due
to “client side” problems.
Records that were not imported must be handled manually. These records are
listed in the external MSSQL client error log, <table name>.err. For more
information, refer to Utility Logs , page 19.
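The following Python script is an added example and is not part of this guide or of the utility. It applies the rules above to the utility log folder: for the latest <current date>_<current EVD execution time> folder it lists every table whose <table name>.err file contains information, and it also flags a <table name>.isql.out file that is still present, on the assumption that a surviving temporary file means the table clear did not complete. It assumes the run folder names sort chronologically (for example YYYYMMDD_HHMMSS); the log tree it inspects is constructed by the script itself.

```python
"""Find the tables of an ExportVaultData MSSQL import that need manual follow-up.

Added example; not part of this guide or of the utility. Assumptions: the
<date>_<time> run folders sort chronologically by name (e.g. YYYYMMDD_HHMMSS),
and a <table>.isql.out that is still present means the table clear that creates
it did not complete.
"""
import os
import tempfile
from typing import Dict, List

TableInfo = Dict[str, object]


def scan_run(run_dir: str) -> Dict[str, TableInfo]:
    """Inspect one run folder of external MSSQL client logs, one entry per table."""
    tables: Dict[str, TableInfo] = {}
    for name in sorted(os.listdir(run_dir)):
        path = os.path.join(run_dir, name)
        if not os.path.isfile(path):
            continue
        if name.endswith(".isql.out"):            # check before the plain .out suffix
            table, kind = name[:-len(".isql.out")], "isql"
        elif name.endswith(".out"):
            table, kind = name[:-4], "out"
        elif name.endswith(".err"):
            table, kind = name[:-4], "err"
        else:
            continue
        entry = tables.setdefault(
            table, {"imported": False, "errors": [], "clear_incomplete": False})
        if kind == "out":
            entry["imported"] = True
        elif kind == "err":                       # any content here = import error
            with open(path, encoding="utf-8", errors="replace") as fh:
                entry["errors"] = [ln.rstrip("\n") for ln in fh if ln.strip()]
        else:                                     # temporary file survived (assumption)
            entry["clear_incomplete"] = True
    return tables


def latest_run(log_root: str) -> str:
    """Path of the most recent <date>_<time> folder under the utility log folder."""
    runs = [d for d in os.listdir(log_root)
            if "_" in d and os.path.isdir(os.path.join(log_root, d))]
    if not runs:
        raise FileNotFoundError(f"no <date>_<time> run folders under {log_root}")
    return os.path.join(log_root, max(runs))


def tables_needing_attention(log_root: str) -> List[str]:
    """Tables whose records must be handled manually after the latest run."""
    report = scan_run(latest_run(log_root))
    return sorted(t for t, info in report.items()
                  if info["errors"] or info["clear_incomplete"])


def build_sample_tree(root: str) -> str:
    """Write a constructed log tree (not real utility output) under root."""
    runs = {
        "20120601_090000": {"CALog.out": "ok\n", "CALog.err": ""},
        "20120602_093000": {
            "CALog.out": "ok\n", "CALog.err": "",
            "CAUsers.out": "partial\n",
            "CAUsers.err": "constructed: row 17 rejected by the client\n",
            "CASafes.isql.out": "constructed: clear started\n",
        },
    }
    for run, files in runs.items():
        run_dir = os.path.join(root, run)
        os.makedirs(run_dir, exist_ok=True)
        for fname, content in files.items():
            with open(os.path.join(run_dir, fname), "w", encoding="utf-8") as fh:
                fh.write(content)
    return root


def demo() -> Dict[str, object]:
    """Build the sample tree in a temp dir and return what the scan finds."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="evd_logs_"))
    run_dir = latest_run(root)
    return {"run": os.path.basename(run_dir),
            "report": scan_run(run_dir),
            "attention": tables_needing_attention(root)}


if __name__ == "__main__":
    result = demo()
    print("latest run:", result["run"])
    for table in result["attention"]:
        print("handle manually:", table)
```

Point the script at the real ExportVaultData log folder by calling tables_needing_attention with that path instead of the constructed tree; a scheduled task that runs it after each export gives the manual-handling list the Errors section asks for without reading every .err file by hand.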
Example
The following example shows a query that retrieves all the users who accessed
privileged accounts (passwords) in the last month, with the reason for retrieving
the password:
SELECT CAATime, CAFSafeName, CAAInfo1, CAFModificationDate,
       CAFModifiedBy, CAAUserName, CAUFirstName, CAULastName,
       CAARequestReason
FROM (CALog LEFT JOIN CAFiles ON (CAAInfo1ID = CAFFileID AND
                                  CAASafeID = CAFSafeID))
     LEFT JOIN CAUsers ON (CAAUserID = CAUUserID)
WHERE CAATime >= DATEADD(month, -1, GETDATE())   -- last month only
  AND CAAActivityCode = 295                      -- action code of the password retrieval (see Appendix D: Action Codes)
  AND CAAInfo1Type = 3                           -- Info1 refers to a file/password (Text type 14)
ORDER BY CAFSafeName, CAAInfo1
Output Values
The following tables list the information for each report that is exported from the
Vault into a text file. With the default qualifier, string values exported into the
text file are enclosed within quotation marks (“”); the \UseQualifier parameter
determines whether numeric fields are enclosed as well.
This chapter lists the output values for the following reports:
Locations List Report
Users List Report
Groups List Report
Group Members List Report
Safes List Report
Owners List Report
Files List Report
User and Safe Activities Report
System Log Report
Requests List Report
Confirmations List Report
Events List Report
Object Properties Report
Unique IDs
The following unique IDs are used throughout the system:
LocationID – the ID of a Location in the Vault hierarchy.
UserID – the unique ID of a user in the Vault.
GroupID – the unique ID of a group in the Vault.
Note: A user and a group cannot have the same ID.
SafeID – the unique ID of a Safe.
Log Activities MasterID – the unique ID that identifies each report.
System Log Timestamp – a unique timestamp that is attached to the System log,
and which can be configured to a microsecond level. For more information,
refer to the Release Notes for this version.
EventID – the unique ID of an Event.
Note: This ID is unique per Safe.
MapID – the unique ID of an external user & group map.
Notes:
All IDs in the system are non-negative.
If an ID does not exist for a specified object, the ID in the generated output will be
empty. This may be due to a previous Vault server version, to log records that were
created prior to upgrading the Vault server to V3.51, or to there being no relevant
information.
All date values appear in the format that is specified on the local computer. The date
values include the date and the time.
By default, all date values are converted to UTC (GMT) in order to avoid time zone
problems; the \timezone parameter can select local time instead.
If the value of a ‘Date’ field has not been initialized, an empty string will be exported.
The “Text type (DB)” numbers referenced in the field tables below identify the
following value tables:
Text type   Value   Meaning
1           1       Password
1           2       PKI
1           4       SECURID
1           8       NTAuth
1           16      RADIUS
2           0       None
2           1       Users Administrators
2           2       Safes Administrators
2           32      Audit All
2           64      Backup All
3           0       None
3           1       Full
3           2       Partial
3           4       LogonAs
4           1       Internal
4           2       External
5           1       Internal
5           2       External
5           4       Public (Internet)
6           8       Unsecured
6           16      Secure
6           32      Highly Secured
7           0       None
8           0       None
8           1       Open Safe
8           2       Get File
9           0       None
9           1       Accessed
9           2       New
9           4       Modified
9           7       All
10          0       User
10          1       Group
10          2       Gateway account
11          1       Pending
11          2       Valid
11          4       Invalid
12          1       File
12          2       Password
14          0       None
14          1       User
14          2       Location
14          3       File/Password
14          4       Network area
14          5       Category
15          1       Open Safe
15          2       Get File
15          4       Get Password
16          1       Multiple access
17          0       None
17          1       Expired
17          2       Already Used
17          64      ToDate passed
18          1       Waiting
18          2       Confirmed
19          0       None
19          1       Reject
19          2       Confirm
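The following Python module is an added example, not part of this guide or of the utility. It decodes an exported numeric value of a given “Text type (DB)” into the meanings listed in the table above, treating tables whose values are all single bits (such as text types 1, 2 and 9) as OR-able flags, so that a combined value such as 18 of text type 1 decodes to PKI and RADIUS. That bitmask reading is an assumption; the table supports it only through the “7 – All” entry of text type 9, and any value that cannot be decoded is rejected rather than guessed.

```python
"""Decode the numeric "Text type (DB)" values that ExportVaultData exports.

Added example, not part of this guide or of the utility. The value tables are
copied from this guide; treating power-of-two tables as OR-able flags is an
assumption that the guide supports only by the "7 - All" entry of type 9.
"""
from typing import Dict, List, Optional

TEXT_TYPES: Dict[int, Dict[int, str]] = {
    1: {1: "Password", 2: "PKI", 4: "SECURID", 8: "NTAuth", 16: "RADIUS"},
    2: {0: "None", 1: "Users Administrators", 2: "Safes Administrators",
        32: "Audit All", 64: "Backup All"},
    3: {0: "None", 1: "Full", 2: "Partial", 4: "LogonAs"},
    4: {1: "Internal", 2: "External"},
    5: {1: "Internal", 2: "External", 4: "Public (Internet)"},
    6: {8: "Unsecured", 16: "Secure", 32: "Highly Secured"},
    7: {0: "None"},
    8: {0: "None", 1: "Open Safe", 2: "Get File"},
    9: {0: "None", 1: "Accessed", 2: "New", 4: "Modified", 7: "All"},
    10: {0: "User", 1: "Group", 2: "Gateway account"},
    11: {1: "Pending", 2: "Valid", 4: "Invalid"},
    12: {1: "File", 2: "Password"},
    14: {0: "None", 1: "User", 2: "Location", 3: "File/Password",
         4: "Network area", 5: "Category"},
    15: {1: "Open Safe", 2: "Get File", 4: "Get Password"},
    16: {1: "Multiple access"},
    17: {0: "None", 1: "Expired", 2: "Already Used", 64: "ToDate passed"},
    18: {1: "Waiting", 2: "Confirmed"},
    19: {0: "None", 1: "Reject", 2: "Confirm"},
}


def is_flag_table(table: Dict[int, str]) -> bool:
    """True when every listed value is a single bit (0 = None, composite = All)."""
    for value, name in table.items():
        if value == 0:
            if name != "None":          # 0 with a real meaning (e.g. "User") is an enum
                return False
        elif name == "All":
            continue                    # the one composite value the guide lists
        elif value & (value - 1):       # not a power of two: plain enumeration
            return False
    return True


def decode(text_type: int, value: int) -> List[str]:
    """Map a raw value to its meaning(s); ValueError for values not on the page."""
    if text_type not in TEXT_TYPES:
        raise ValueError(f"unknown text type {text_type}")
    table = TEXT_TYPES[text_type]
    if value in table:                  # listed values always win, including "All"
        return [table[value]]
    if value < 0 or not is_flag_table(table):
        raise ValueError(f"text type {text_type}: value {value} is not listed")
    names: List[str] = []
    remaining = value
    for bit, name in sorted(table.items()):
        if bit and name != "All" and remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:                       # a bit no row of the table explains
        raise ValueError(f"text type {text_type}: unknown bits 0x{remaining:x} in {value}")
    return names


def decode_field(text_type: int, raw: str) -> Optional[List[str]]:
    """Decode an exported field; an empty field (old servers) becomes None."""
    raw = raw.strip()
    if raw == "":
        return None
    return decode(text_type, int(raw))


if __name__ == "__main__":
    print(decode(1, 18), decode(9, 5), decode(2, 33), decode_field(10, ""))
```

Use decode_field on the raw text of a "Type" or "OwnerType" column after splitting the record; the ValueError on an unlisted value is deliberate, because a silently mis-decoded authorization or owner type is worse than a failed row.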
Locations List Report
File name: Locations.csv
Database name: CALocations
Import mode: Full
The LocationsList parameter generates an output file that contains the following
information:
Field (File)         Field (Database)       Type (Database)   Relevant Version
Users List Report
File name: Users.csv
Database name: CAUsers
Import mode: Full
The UsersList parameter generates an output file that contains the following
information:
Field (File)         Field (Database)       Type (Database)   Relevant Version
Internal/External    CAUExternal            int               v4.0 and above
    Description: The type of user: external or internal.
    Possible values: One of the following numeric values: 1 – Internal, 2 – External. Text type (DB): 4
UserTypeID           CAUUserTypeID          int               v5.5
    Description: The unique user type ID.
    Possible values: Valid user type ID according to license
Notes:
The “Master” user’s details cannot be fully exported. Details that cannot be exported
are written as empty values.
* - These fields are used as the index.
Groups List Report
File name: Groups.csv
Database name: CAGroups
Import mode: Full
The GroupsList parameter generates an output file that contains the following
information:
Group Members List Report
File name: GroupMembers.csv
Database name: CAGroupMembers
Import mode: Full
The GroupMembersList parameter generates an output file that contains the
following information:
Field (File)         Field (Database)       Type (Database)   Relevant Version
GroupID              CAGMGroupID*           bigint            All
    Description: The ID number of the Group.
    Possible values: Numeric (empty in old servers)
UserID               CAGMUserID*            bigint            All
    Description: The user ID of the Group member.
    Possible values: Numeric (empty in old servers)
-                    CAGMVaultID            nvarchar(28)      v4.1 and above
    Description: The name of the Vault where the Group is created.
    Possible values: String – up to 28 characters
MemberIsGroup        CAGMMemberIsGroup      nvarchar(5)       v7.1 and above
    Description: Indicates whether the Group member is a Group.
    Possible values: YES/NO
Safes List Report
File name: Safes.csv
Database name: CASafes
Import mode: Full
The SafesList parameter generates an output file that contains the following
information:
Field (File)         Field (Database)       Type (Database)   Relevant Version
CreationDate         CASCreationDate        datetime          v7.1 and above
    Description: The date when the Safe was created.
    Possible values: Date
CreatedBy            CASCreatedBy           nvarchar(128)     v7.1 and above
    Description: The name of the user who created the Safe.
    Possible values: String – up to 128 characters
Size                 CASSize                bigint            All
    Description: The size of the Safe (in KB).
    Possible values: Numeric (positive)
FromHour             CASFromHour            int               All
    Description: The time from when users can access the Safe.
    Possible values: Numeric – 0-24
ToHour               CASToHour              int               All
    Description: The time until when users can access the Safe.
    Possible values: Numeric – 0-24
QuotaOwner           CASQuotaOwner          nvarchar(128)     All
    Description: The name of the user who the quota is allocated to.
    Possible values: String – up to 128 characters
Notes:
Not all the information from the “System” and “Pictures” Safes can be exported, and
therefore not all their details can be included in the report. Details that cannot be
exported are written as empty values.
* - These fields are used as the index.
Owners List Report
File name: Owners.csv
Database name: CAOwners
Import mode: Full
The OwnersList parameter generates an output file that contains the following
information:
Field (File)         Field (Database)       Type (Database)   Relevant Version
SafeName             CAOSafeName            nvarchar(28)      All
    Description: The name of the Safe.
    Possible values: String – up to 28 characters
OwnerName            CAOOwnerName           nvarchar(128)     v4.1 and above
    Description: The name of the owner.
    Possible values: String – up to 128 characters
OwnerType            CAOOwnerType           int               v4.1 and above
    Description: The type of the owner.
    Possible values: One of the following numeric values: 0 – User, 1 – Group, 2 – Gateway account. Text type (DB): 10
Expdt                CAOExpdt               datetime          v7.1 and above
    Description: The date when the user’s ownership on the Safe will expire.
    Possible values: Date
Files List Report
File name: Files.csv
Database name: CAFiles
Import mode: Full
The FilesList parameter generates an output file that contains the following
information:
Notes:
The ‘IsRequestNeeded’ field returns a user-related value. If the specific user that is
logged on has the ‘Access Safe without Confirmation’ authorization, the value will be
NO, even if confirmation is required by other users to access the file.
The ‘IsRequestNeeded’ field is also not time-dependent. If the user doesn’t need
confirmation at this specific point in time because there is already a confirmed request
for this object, but a request is required to retrieve the file, the value will be YES.
* - These fields are used as the index.
User and Safe Activities Report
File name: Log.csv
Database name: CALog
Import mode: Incremental
The LogList parameter generates an output file that contains the following
information:
Field (File)         Field (Database)       Type (Database)   Relevant Version
LogID                CAAActivityID          bigint            All
    Description: The log record ID. This ID is unique to the type of entity – User/Safe.
    Possible values: Numeric (empty in old servers)
Type                 CAAActivityType        int               All
    Description: The log record type.
    Possible values: One of the following numeric values: 2 – User log record, 3 – Safe log record. Text type (DB): 13
Code                 CAAActivityCode        int               All
    Description: The code number for the specified type of log record. For a list of the codes and log messages generated by this report, refer to Appendix D: Action Codes, page 70.
    Possible values: Numeric (positive)
SafeID               CAASafeID              bigint            All
    Description: The ID of the Safe in the ‘SafeName’ field.
    Possible values: Numeric (empty in old servers or if this is a user activity)
SafeName             CAASafeName            nvarchar(260)     All
    Description: The name of the Safe where the action took place.
    Possible values: String – up to 260 characters
UserTypeID           CAAUserTypeID          int               v5.5
    Description: The unique User Type ID that specifies the type of user.
    Possible values: A valid User Type ID specified in the license.
InterfaceID          CAAInterfaceId         nvarchar(11)      v5.5
    Description: The unique Client ID that specifies the type of interface that the user can use to access the Vault.
    Possible values: Any valid interface ID.
Info1ID              CAAInfo1ID             bigint            All
    Description: The ID of the value in the ‘Info1’ field.
    Possible values: Numeric – specific field value depends on the action (empty in old servers or if there is no relevant information)
Info1Type            CAAInfo1Type           int               All
    Description: The type of the value in the ‘Info1’ field.
    Possible values: One of the following numeric values: 0 – None, 1 – User, 2 – Location, 3 – File/password, 4 – Network area, 5 – Category. Text type (DB): 14
Info2ID              CAAInfo2ID             bigint            All
    Description: The ID of the value in the ‘Info2’ field.
    Possible values: Numeric – specific field value depends on the action (empty in old servers or if there is no relevant information)
Info2Type            CAAInfo2Type           int               All
    Description: The type of the value in the ‘Info2’ field.
    Possible values: One of the following numeric values: 0 – None, 1 – User, 2 – Location, 3 – File/password, 4 – Network area, 5 – Category. Text type (DB): 14
RequestID            CAARequestID           int               All
    Description: The ID of the request (if relevant).
    Possible values: Numeric (empty in old servers or if a request was not required)
RequestReason        CAARequestReason       nvarchar(520)     All
    Description: The reason for the request (if relevant).
    Possible values: String – up to 520 characters
System Log Report
File name: ITALog.csv
Database name: CAITALog
Import mode: Full
The ITAlogfile parameter generates an output file that contains the following
information:
Field (File)         Field (Database)       Type (Database)   Relevant Version
Time                 CASLTime*              int               All
    Description: The time when the log record was written.
    Possible values: Unique timestamp. This timestamp is configurable to the microsecond level in the Vault dbparm.ini file.
Requests List Report
File name: Requests.csv
Database name: CARequests
Import mode: Full
The RequestsList parameter generates an output file that contains the following
information:
Field (File)         Field (Database)       Type (Database)   Relevant Version
UserID               CARUserID              bigint            All
    Description: The ID of the user who sent this request.
    Possible values: Numeric (empty in old servers)
UserName             CARUserName            nvarchar(128)     All
    Description: The name of the user who sent this request.
    Possible values: String – up to 128 characters
SafeID               CARSafeID*             bigint            All
    Description: The ID of the Safe for which the request has been sent.
    Possible values: Numeric (empty in old servers)
FolderName           CARFolderName          nvarchar(170)     All
    Description: The name of the folder that the request refers to.
    Possible values: String – up to 170 characters
AccessType           CARAccessType          int               All
    Description: The access type of the request.
    Possible values: One of the following numeric values: 0 – OneTime access, 1 – Multiple access. Text type (DB): 16
Confirmations List Report
File name: Confirmations.csv
Database name: CAConfirmations
Import mode: Full
The ConfirmationsList parameter generates an output file that contains the
following information:
Field (File)         Field (Database)       Type (Database)   Relevant Version
SafeID               CACSafeID*             bigint            All
    Description: The ID of the Safe where the request was created.
    Possible values: Numeric (empty in old servers)
UserID               CACUserID*             bigint            All
    Description: The ID of the User who confirmed/rejected the request.
    Possible values: Numeric (empty in old servers or if the authorized owner is a group and the request is waiting for a group member to confirm/reject it)
UserName             CACUserName            nvarchar(128)     All
    Description: The name of the User who confirmed/rejected the request.
    Possible values: String – up to 128 characters
GroupID              CACGroupID             bigint            All
    Description: The ID of the Group that the authorized user who confirmed/rejected the request belongs to.
    Possible values: Numeric (empty in old servers or if the authorized owner is a user)
GroupName            CACGroupName           nvarchar(128)     All
    Description: The name of the Group that the authorized user who confirmed/rejected the request belongs to.
    Possible values: String – up to 128 characters
Reason               CACReason              nvarchar(170)     All
    Description: The reason for retrieving the file/password.
    Possible values: String – up to 170 characters
Action               CACAction              int               All
    Description: The action that the authorized user carried out on the request.
    Possible values: One of the following numeric values: 0 – None, 1 – Reject, 2 – Confirm. Text type (DB): 19
Events List Report
File name: Events.csv
Database name: CAEvents
Import mode: Incremental
The EventsList parameter generates an output file that contains the following
information:
Field (File)         Field (Database)       Type (Database)   Relevant Version
SafeName             CAESafe                nvarchar(28)      v4.0 and above
    Description: The Safe in which the Event was created.
    Possible values: String – up to 28 characters
UserName             CAEUser                nvarchar(128)     v4.0 and above
    Description: The user who created the Event.
    Possible values: String – up to 128 characters
AgentName            CAEAgent               nvarchar(128)     v4.0 and above
    Description: The agent that created the Event.
    Possible values: String – up to 128 characters
FromIP               CAEFromIP              nvarchar(15)      v4.0 and above
    Description: The IP address from which the event was created.
    Possible values: String – up to 15 characters
CreationDate         CAECreationDate        datetime          v4.0 and above
    Description: The date when the Event was created.
    Possible values: Date
ExpirationDate       CAEExpirationDate      datetime          v4.0 and above
    Description: The date when the event will expire.
    Possible values: Date
Data                 CAEData                nvarchar(1000)    v4.0 and above
    Description: The data of the event.
    Possible values: String – up to 1000 characters
Notes:
Events data may contain unprintable characters.
* - These fields are used as the index.
Object Properties Report
File name: ObjectProperties.csv
Database name: CAObjectProperties
Import mode: Full
The ObjectProperties parameter generates an output file that contains the
following information:
Field (File)         Field (Database)          Type (Database)   Relevant Version
ObjectPropertyValue  CAOPObjectPropertyValue   nvarchar(4000)    v5.5 – 161 characters; v7.1 – 4000 characters
    Description: The value of the file category.
    Possible values: String – up to 4000 characters
Appendices
CreateCredFile Utility
The ExportVaultData utility, version 5.5, uses the CreateCredFile utility to create a
user credential file that contains the user’s Vault username and encrypted logon
information. This user credential file can be created for password, Token, PKI, or
Radius authentication with a utility that is run from a command line prompt. It can
also create a credentials file for authentication through a Proxy server.
User credential files can specify restrictions which increase their security level and
ensure that they cannot be used by anyone who is not permitted to do so, nor from
an unauthorized location. The CreateCredFile utility included in this version can
enforce any of the following restrictions:
Specific application – The credentials file can only be used by a specific Cyber-
Ark application or module. This can be specified for Password, Token, or PKI
authentication but not for Proxy authentication. For more details about specific
applications, refer to Specifying Applications, page 60.
Specific path – The credentials file can only be used by an executable located
in a certain path.
IP address – The credentials file can only be used on the machine where it is
created.
Operating System user – The credentials file can only be used by an
application started by a specified Operating System user.
These restrictions are specified during the credentials file creation process.
Credential files that were created in previous versions with the CreateAuthFile
utility can still be used. However, they do not contain the increased security
restrictions that are included in the up-to-date CreateCredFile utility.
Credentials files that are created with restrictions will not be supported by
previous versions of the ExportVaultData utility.
Before creating or updating the user credential file, make sure that you are
familiar with the user’s authentication details in the Vault as you will be required
to provide logon credentials to generate the encrypted credentials file.
Specifying Applications
The following Client ID can be specified in the user credentials file to enable the
ExportVaultData user to log onto the Vault:
Application                Application ID
ExportVaultData utility    HTTPGW
Parameter Specifies
Filename The name of the user credential file to create or update, specifically
user.cred.
Password Indicates that the credential file will be created with password
authentication details.
/Username Sets the username in the credential file.
This parameter is required. If you do not specify it in the command, you
will be prompted for it.
/Password The password that will be encrypted in the credential file.
This parameter is required. If you do not specify it in the command, you
will be prompted for it.
/DisableSyncPasswordToDR Whether or not replaced passwords will be replicated to all the
configured DR sites before they are removed from the credential file.
By default, this parameter is set to ‘No’.
/ExternalAuth The type of external authentication that will be used to authenticate
users to the Vault.
Radius Creates a user name-password credential file for use with RADIUS
server.
LDAP Creates a user name-password credential file for use with an LDAP
directory.
No This credential file will not be used with either a Radius server or an
LDAP directory.
/AppType <Application ID> A unique application ID that specifies the application that will be able
to use this file.
/ExePath <Path> The full path of the executable that will be able to use this file.
Notes:
On UNIX machines, if the executable will be executed from the PATH
you can specify only the name of the executable. Otherwise, specify
the complete path.
When you specify PVWA, specify the full path of the web server
executable, e.g. c:\windows\system32\inetsrv\w3wp.exe.
/IpAddress When this parameter is specified, the credentials file will specify the IP
address of the current machine and will only authenticate the user to
the Vault from the current machine.
/OSUsername <Operating System User name> The name of the Operating System user who will be able to use this file.
Notes:
On UNIX machines, specify only the username.
On Windows machines, specify the username in
“domain_name\username” format.
When the application is executed as a Windows service that uses
local system permissions, specify “nt authority\system”. The
quotation marks are required because of the space in “nt authority”.
/DisplayRestrictions When this parameter is specified, the generated credentials file will
specify all the restrictions in a readable manner. This will enable users
to understand the exact restrictions on the file.
Token Creates a user credential file with a key stored on a token.
/Username Sets the username in the credential file.
This parameter is required. If you do not specify it in the command, you
will be prompted for it.
/Password The password that will be encrypted in the credential file.
This parameter is required. If you do not specify it in the command, you
will be prompted for it.
/DLLpath Specifies the DLL file path used by the token device.
This parameter is required. If you do not specify it in the command, you
will be prompted for it.
/PIN Specifies the PIN code required by the token device.
This parameter is required. If you do not specify it in the command, you
will be prompted for it.
/ExternalAuth The type of external authentication that will be used to authenticate
users to the Vault.
Radius Creates a credential file for use with RADIUS server.
LDAP Creates a credential file for use with an LDAP directory.
No This credential file will not be used with either a Radius server or an
LDAP directory.
/InitToken Initializes the token device for use with Cyber-Ark password
authentication. This parameter must be specified the first time you use
a token device to store a Cyber-Ark password encryption key.
/AppType <Application ID> A unique application ID that specifies the application that will be able
to use this file.
/ExePath <Path> The full path of the executable that will be able to use this file.
Notes:
On UNIX machines, if the executable will be executed from the PATH
you can specify only the name of the executable. Otherwise, specify
the complete path.
When you specify PVWA, specify the full path of the web server
executable.
/IpAddress When this parameter is specified, the credentials file will specify the IP
address of the current machine and will only authenticate the user to
the Vault from the current machine.
/OSUsername <Operating System User name> The name of the Operating System user who will be able to use this file.
Notes:
On UNIX machines, specify only the username.
On Windows machines, specify the username in
“domain_name\username” format.
When the application is executed as a Windows service that uses
local system permissions, specify “nt authority\system”. The
quotation marks are required because of the space in “nt authority”.
/DisplayRestrictions When this parameter is specified, the generated credentials file will
specify all the restrictions in a readable manner. This will enable users
to understand the exact restrictions on the file.
PKI Creates a credential file based on a PKI certificate.
/CertIssuer Personal certificate issuer.
/CertSerial Personal certificate serial number.
/PIN Specifies the PIN code required to access the certificate.
This parameter is required if the certificate is stored on a Token.
/AppType <Application ID> A unique application ID that specifies the application that will be able to
use this file.
/ExePath <Path> The full path of the executable that will be able to use this file.
Notes:
On UNIX machines, if the executable will be executed from the PATH
you can specify only the name of the executable. Otherwise, specify
the complete path.
When you specify PVWA, specify the full path of the web server
executable.
/IpAddress When this parameter is specified, the credentials file will specify the IP
address of the current machine and will only authenticate the user to
the Vault from the current machine.
/OSUsername <Operating System User name> The name of the Operating System user who will be able to use this file.
Notes:
On UNIX machines, specify only the username.
On Windows machines, specify the username in
“domain_name\username” format.
When the application is executed as a Windows service that uses
local system permissions, specify “nt authority\system”. The
quotation marks are required because of the space in “nt authority”.
/DisplayRestrictions When this parameter is specified, the generated credentials file will
specify all the restrictions in a readable manner. This will enable users
to understand the exact restrictions on the file.
PROXY Creates a credential file based on PROXY authentication.
/ProxyUser The name of the Proxy user.
This parameter is required. If you do not specify it in the command, you
will be prompted for it.
/ProxyPassword The password that will be encrypted in the credential file.
This parameter is required. If you do not specify it in the command, you
will be prompted for it.
/ProxyAuth Domain The domain name of the Proxy user.
/ExePath <Path> The full path of the executable that will be able to use this file.
Notes:
On UNIX machines, if the executable will be executed from the PATH
you can specify only the name of the executable. Otherwise, specify
the complete path.
When you specify PVWA, specify the full path of the web server
executable.
/IpAddress When this parameter is specified, the credentials file will specify the IP
address of the current machine and will only authenticate the user to
the Vault from the current machine.
/OSUsername <Operating System User name> The name of the Operating System user who will be able to use this file.
Notes:
On UNIX machines, specify only the username.
On Windows machines, specify the username in
“domain_name\username” format.
When the application is executed as a Windows service that uses
local system permissions, specify “nt authority\system”. The
quotation marks are required because of the space in “nt authority”.
/DisplayRestrictions When this parameter is specified, the generated credentials file will
specify all the restrictions in a readable manner. This will enable users
to understand the exact restrictions on the file.
/? Lists the available options.
The following instructions explain how to create a user credential file. The
examples used in these instructions run the utility from the EVD\Utilities folder,
and create a credential file called ‘user.cred’.
Note: The text typed by the user appears in bold.
The above example shows that this credential file will be called ‘EVDuser.cred’,
and will contain an encrypted password for the Vault user called ‘EVDuser’. The
file can be used to log onto the Vault with Radius authentication.
If you do not specify the username, password, and radius command parameters,
you are prompted for them now, as in the following example:
Vault Username [mandatory] ==> EVDuser
Vault Password (will be encrypted in credential file) ==> *******
Radius server will be used for authentication (yes/no) [y] ==> yes
The user’s credential file will now be created and saved in the current folder.
Command ended successfully
The above example shows that this credential file will be called ‘EVDuser.cred’,
and will be created with a key that is stored on a token. ‘EVDuser’ is the user
who will be specified in the credential file, together with his password, asdf.
The dll path used by the token device is specified, as well as the PIN that is
required to access the token device.
If you have not specified the username, password, dll path and PIN, you
are prompted for them now:
Vault Username [mandatory] ==> EVDuser
Vault Password (will be encrypted in credential file) ==> ****
Path of Token dll [mandatory] ==> i:\windows\system32\etpkcs11.dll
Pin code required by the Token device ==> ********
Radius server will be used for authentication (yes/no) [optional] ==> no
Initialize the Token (yes/no) [optional] ==> no
The above example shows that this credential file will be called ‘EVDuser.cred’,
and will be created based on a PKI certificate. The certificate issuer for this
credential file is MyCompany_CA and the certificate detail serial number is
‘1963f68d00000000017c’. The PIN required to access this certificate is
‘12341234’.
If you do not specify the certificate issuer and serial number, the Select
Certificate window appears to enable you to select the PKI certificate that will
give the user access to the Vault.
Note: If a PIN is required to access the certificate, you must enter the PIN in the
command line.
Select the PKI certificate to use, then click OK; the user’s credential file will
now be created and saved in the current folder.
The following message appears to confirm that the authentication file has been
created successfully.
Command ended successfully
For details about configuring the Vault and the user to work with PKI
authentication, refer to the PIM Suite Installation Guide.
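The restriction parameters in the table above (/ExePath, /IpAddress, /OSUsername, /DisplayRestrictions) are what tie a credential file to one machine, one OS user and one executable. The following PowerShell script is an added example, not part of this guide: it creates the PKI-based file from the example above with all three restrictions set, then limits NTFS access to the OS user that may use it. The utility's executable name and install path, the ExportVaultData executable path, and the application ID are assumptions; the certificate issuer, serial number and PIN are the values used in the guide's PKI example.

```powershell
# Added example (not from the guide). Assumed: the utility is CreateCredFile.exe in
# the EVD\Utilities folder and the calling executable is ExportVaultData.exe.
$Utility  = 'C:\Program Files\PrivateArk\EVD\Utilities\CreateCredFile.exe'  # assumed path
$ExePath  = 'C:\Program Files\PrivateArk\EVD\ExportVaultData.exe'           # assumed path
$CredFile = 'EVDuser.cred'
$OSUser   = 'nt authority\system'   # format given in the table for a LocalSystem service

# Arguments are passed as an array so the space in "nt authority" survives intact.
$utilArgs = @(
    $CredFile,
    'PKI',                                   # create the file from a PKI certificate
    '/CertIssuer', 'MyCompany_CA',           # values from the guide's PKI example
    '/CertSerial', '1963f68d00000000017c',
    '/PIN',        '12341234',
    '/AppType',    'ExportVaultData',        # assumed application ID
    '/ExePath',    $ExePath,                 # only this executable may use the file
    '/IpAddress',                            # only from this machine's IP address
    '/OSUsername', $OSUser,                  # only when run as this OS user
    '/DisplayRestrictions'                   # write the restrictions in readable form
)
& $Utility @utilArgs
if ($LASTEXITCODE -ne 0) {
    throw "Credential file creation failed with exit code $LASTEXITCODE"
}

# The file still holds an encrypted secret: drop inherited ACEs and grant access
# only to the restricted OS user (read) and Administrators (for key rotation).
$acl = Get-Acl -Path $CredFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRule($ace) | Out-Null }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $OSUser, 'Read', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'Allow')))
Set-Acl -Path $CredFile -AclObject $acl

# Show the resulting ACL so the operator can confirm no other principal can read it.
(Get-Acl -Path $CredFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Because /DisplayRestrictions was given, opening the resulting file shows the machine, user and executable bindings in readable form, which makes an audit of where the file can be used straightforward.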
The above example will create a file called ‘PUser.cred’ and will enable the
proxy user to log onto the Vault with proxy authentication. The credentials file
will contain an encrypted proxy password for the proxy user called PUser on a
proxy authentication domain called ‘MyCompany.com’.
If you do not specify the name and password of the proxy user, you will be
prompted for them, as in the following example:
Proxy Username [mandatory] ==> PUser
Proxy Password (will be encrypted in credential file) ==> ****
Domain name of ProxyUser [optional] ==> MyCompany.com
The user’s credential file will now be created and saved in the current folder.
Command ended successfully