Friday, November 22, 2019

PVWA – How to create / update credential files for PVWA manually?



Created Date: 20/07/2009 13:26
Last Modified Date: 15/04/2019 09:37
Article Number: 000003701




Details
Q:
How can I create / update credential files for the PVWA application manually?

A:
You need to run the createcredfile utility on the PVWA machine as follows:

1. Log on to PrivateArk Client as “Administrator” or any other user with “Manage Users” privileges in the root location.


2. Go to Menu “Tools-Administrative Tools-Users Groups”

3. Select “PVWAAppUser” and click “Update”. (Note: Make sure you select the right PVWAAppUser. If you have more than one PVWAAppUser, e.g. PVWAAppUser1, identify the correct one by checking appuser.ini and gwuser.ini in C:\CyberArk\Password Vault Web Access\credfiles.)


4. In the “Authentication Tab” specify a new, random password in the “Password” field, repeat it and click “OK”. Then click the "Trusted Net Areas" button and make sure "State" is set to "Active". If it is set to "Inactive", click "Activate" to change the state to active.

5. Select “PVWAGWUser” and click “Update”.
(Note: Make sure you select the right PVWAGWUser. If you have more than one PVWAGWUser, e.g. PVWAGWUser1, be careful to select the correct one.)


6. In the “Authentication Tab” specify a new, random password in the “Password” field, repeat it and click “OK”. Then click the "Trusted Net Areas" button and make sure "State" is set to "Active". If it is set to "Inactive", click "Activate" to change the state to active.

7. Remember / write down the passwords set for PVWAAppUser and PVWAGWUser!


8. On the PVWA Server stop IIS, open a command line and go to “C:\CyberArk\Password Vault Web Access\Env”.

9. Run “CreateCredFile.exe appuser.ini”.


10. When prompted enter the following information:

Vault Username [mandatory] ==> PVWAAppUser
Vault Password (will be encrypted in credential file) ==> ******** (Note: Type in password as specified before in PrivateArk Client)
Disable wait for DR synchronization before allowing password change (yes/no) [No] ==> No (V5.5 and later only)
External Authentication Facility (LDAP/Radius/No) [No] ==> No
Restrict to Application Type [optional] ==> PVWAAPP
Restrict to Executable Path [optional] ==> C:\windows\system32\inetsrv\w3wp.exe
(On Windows 2008 enter C:\Windows\SysWOW64\Inetsrv\w3wp.exe)
Restrict to current machine IP (yes/no) [No] ==> Yes
Restrict to OS User name [optional] ==> <Enter> (Note: Do *not* specify a value here)
Display Restrictions in output file (yes/no) [No] ==> No
Use Operating System Protected Storage for credentials file secret (Machine/User/No) [No] ==> Machine

You should see a message “Command ended successfully”.

11. Run “CreateCredFile.exe gwuser.ini”.


12. When prompted enter the following information:

Vault Username [mandatory] ==> PVWAGWUser
Vault Password (will be encrypted in credential file) ==> ******** (Note: Type in password as specified before in PrivateArk Client)
Disable wait for DR synchronization before allowing password change (yes/no) [No] ==> No  (V5.5 and later only)
External Authentication Facility (LDAP/Radius/No) [No] ==> No
Restrict to Application Type [optional] ==> PVWAAPP
Restrict to Executable Path [optional] ==> C:\windows\system32\inetsrv\w3wp.exe 
(On Windows 2008 enter C:\Windows\SysWOW64\Inetsrv\w3wp.exe)
Restrict to current machine IP (yes/no) [No] ==> Yes
Restrict to OS User name [optional] ==> <Enter> (Note: Do *not* specify a value here)
Display Restrictions in output file (yes/no) [No] ==> No
Use Operating System Protected Storage for credentials file secret (Machine/User/No) [No] ==> Machine

You should see a message “Command ended successfully”.

13. Move the newly created “appuser.ini” and “gwuser.ini” to “C:\CyberArk\Password Vault Web Access\CredFiles”.

14. Make sure to grant "Modify" permissions to user "Network Service" on “appuser.ini” and “gwuser.ini” using Windows Explorer.

15. Start IIS (and its dependent services) on the PVWA machine.

16. Make sure you can access the PVWA using your web browser.

Note: The passwords for these users are automatically changed by the application in the Vault and the credential files are automatically updated with the new passwords each time they change.
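
Steps 13 to 15 scripted in PowerShell, with a check of the resulting ACL, as an added example that is not part of the original article or of CyberArk's tooling. It assumes an elevated session on an English-language Windows install (account names as written below) and that both files were already created in the Env folder in steps 9 to 12; the list of broad principals to warn about is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: paths and file names come from the steps above.
$envDir  = 'C:\CyberArk\Password Vault Web Access\Env'
$credDir = 'C:\CyberArk\Password Vault Web Access\CredFiles'
$svc     = 'NT AUTHORITY\NETWORK SERVICE'
# Assumption: these principals should not hold rights on a credential file.
$broad   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify

foreach ($name in 'appuser.ini', 'gwuser.ini') {
    $src = Join-Path $envDir  $name
    $dst = Join-Path $credDir $name
    if (-not (Test-Path -LiteralPath $src)) {
        throw "Missing $src; run CreateCredFile.exe $name first."
    }

    # Step 13: move the new file into CredFiles, replacing the old one.
    Move-Item -LiteralPath $src -Destination $dst -Force

    # Step 14: grant Modify to Network Service on the file itself.
    $acl  = Get-Acl -LiteralPath $dst
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($svc, 'Modify', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $dst -AclObject $acl

    # Check: re-read the ACL and confirm the grant is really there.
    $entries = (Get-Acl -LiteralPath $dst).Access
    $granted = $entries | Where-Object {
        $_.IdentityReference.Value -eq $svc -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    if (-not $granted) { throw "Network Service lacks Modify on $dst" }

    # Check: warn if the credential file is readable by a broad group.
    $entries |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -in $broad } |
        ForEach-Object { Write-Warning "$dst grants $($_.FileSystemRights) to $($_.IdentityReference)" }
}

# Step 15: start IIS and its dependent services.
iisreset /start
```

A file moved within the same NTFS volume keeps the ACL it was created with, which is why the script re-reads the ACL on the moved file instead of relying on what the CredFiles folder would grant by inheritance.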
