--- title: "CyberArk CCP" slug: "cyberark-ccp" updated: 2026-06-07T07:54:10Z published: 2026-06-07T07:54:10Z --- > ## Documentation Index > Fetch the complete documentation index at: https://docs.plainid.io/llms.txt > Use this file to discover all available pages before exploring further. # CyberArk CCP The **CyberArk Central Credential Provider (CCP) Store** integrates with CyberArk’s enterprise-grade credential management platform. It retrieves credentials such as **passwords**, **usernames**, and **database connection details** directly from the CyberArk Vault through the CCP interface. This enables secure, centralized secret management and automated credential rotation without embedding secrets in configuration files. This page details the CyberArk CCP Store Parameters and a guide on how to configure CCP Certificates. ### CyberArk CCP Store-Specific Parameters #### Prerequisites A configured **[CyberArk CCP instance](https://docs.cyberark.com/credential-providers/latest/en/content/ccp/the-central%20-credential-provider.htm#Overview)** is required, along with an **[Application ID (AppID)](https://docs.cyberark.com/credential-providers/latest/en/content/cp%20and%20ascp/implementing-cp-authenticating-applications.htm?TocPath=Administration%7CManage%20applications%7CApplication%20authentication%7C_____0)** authorized to access the required secrets. Depending on your organization’s authentication model, the CCP can use TLS-Cert or TLF-PFX. Ensure that the appropriate authentication certificates or credentials are available to the deployment environment. | **Parameter** | **Description** | **Environment Variable** | **Default** | **Required** | **Valid / Example Values** | | --- | --- | --- | --- | --- | --- | | `auth.method` | Authentication method | `CYBERARK_CCP_AUTH_METHOD` | - | Yes | Valid: `TLS-Cert`, `TLS-PFX` Example: `TLS-Cert` | | `auth.pfxFileName` | PFX file name - relates to the TLS-PFX. | `CYBERARK_CCP_AUTH_PFX_FILE_NAME` | - | Yes* | Example: `/path/to/cert.pfx` | | `auth.pfxPassword` | PFX password - relates to the TLS-PFX. | `CYBERARK_CCP_AUTH_PFX_PASSWORD` | - | Yes* | Example: `${CYBERARK_PFX_PASSWORD}` | | `.auth.caFileName` | CA file name - relates to the TLS-Cert. | `CYBERARK_CCP_AUTH_CA_FILE_NAME` | - | Yes* | Example: `/path/to/ca.pem` | | `auth.certFileName` | Certificate file name - relates to the TLS-Cert. | `CYBERARK_CCP_AUTH_CERT_FILE_NAME` | - | Yes* | Example: `/path/to/certificate.crt` | | `auth.keyFileName` | Key file name - relates to the TLS-Cert. | `CYBERARK_CCP_AUTH_KEY_FILE_NAME` | - | Yes* | Example: `/path/to/private.key` | | `details.url` | CCP server URL | `CYBERARK_CCP_URL` | - | Yes | Example: `https://cyberark-ccp.example.com` | | `details.method` | CCP API HTTP Request method (for CyberArcCCP v14.2+ POST is supported and recommended) | `CYBERARK_CCP_REQUEST_METHOD` | `POST` | No | Valid: `GET`, `POST` Example: `POST` | | `details.timeout` | Connection timeout | `CYBERARK_CCP_CONNECTION_TIMEOUT` | `30s` | No | Example: `30s` | | `details.skipVerify` | Disables or enables CyberArk certificate Validation | `CYBERARK_CCP_SKIP_VERIFY` | `false` | No | Valid: `true`, `false` Example: `false` | | `details.defaultPath` | The default path used for accessing the Secrets in this Store. | `CYBERARK_CCP_DEFAULT_PATH` | - | No | Example: `/AIMWebService/api/Accounts` | | `details.pathPrefix` | The prefix for all paths when accessing Secrets in this Store. | `CYBERARK_CCP_PATH_PREFIX` | - | No | Example: `Accounts` | | `details.appId` | Specifies the unique ID of the Application issuing the password request. | `CYBERARK_CCP_APP_ID` | - | Yes | Example: `MyAppID` | | `details.maxConcurrentRequests` | Maximum concurrent requests | `CYBERARK_CCP_MAX_CONCURRENT_REQUESTS` | `40` | No | Example: `10` | | `details.requestTimeout` | Request timeout | `CYBERARK_CCP_REQUEST_TIMEOUT` | `30s` | No | Example: `30s` | | `details.maxRetries` | Maximum retries | `CYBERARK_CCP_MAX_RETRIES` | `5` | No | Example: `3` | | `details.retryDelay` | Retry delay | `CYBERARK_CCP_RETRY_DELAY` | `10s` | No | Example: `1s` | | `details.forceAttemptHTTP2` | Force HTTP/2 usage if supported by server | `CYBERARK_CCP_FORCE_ATTEMPT_HTTP2` | `true` | No | Valid: `true`, `false` Example: `true` | Required Parameters *Required based on TLS certificate type:* Based on the auth.method chosen: - `TLS-Cert` - certificate, key, and CA files should be provided and defined using: `certFileName`, `keyFileName`, and `caFileName` as required parameters. - `TLS-PFX` - A `.pfx` file should be provided and defined using: `pfxFileName` and `pfxPassword` as required parameters. #### Example The following example is based on the [general store](/v1/docs/stores) and store-specific parameters. ``` secretsMgmt: enabled: true plainIDConfig: config.yaml: secretStore: - id: CYBERARK_CCP_STORE type: CyberArkCCP isDefault: false auth: method: TLS-Cert certFileName: /path/to/cert.pem keyFileName: /path/to/key.pem caFileName: /path/to/ca.pem details: url: https://cyberark-ccp.example.com defaultPath: /AIMWebService/api/Accounts pathPrefix: Accounts appId: MyAppID timeout: 30s maxConcurrentRequests: 10 maxRetries: 3 retryDelay: 1s ``` A typical use case is retrieving credentials from CyberArk—such as database passwords or API tokens—without storing them in configuration files. The CCP handles secret retrieval and renewal, providing seamless rotation and compliance with enterprise security Policies. #### Returned Secret Format CyberArk’s Central Credential Provider (CCP) **always returns secrets in JSON format**. To support this flow, when using a secret key in the client, you must specify a **JSON path expression** in addition to the mandatory `client_id` and `client_secret`. The JSONPath guides the client where to extract the actual secret value from the JSON response. CyberArk CCP responses include credentials in the following JSON structure: ``` { "Content": "", "UserName": "", "LogonDomain": "", "Address": "
", "Database": "" } ``` Secrets are retrieved using **JSON path expressions**. For example: - To extract a password: ``` "{{store=CYBERARK_CCP_STORE,path=PlainID,key=my-secret,jsonpath=$.Content}}" ``` - To extract a username: ``` "{{store=CYBERARK_CCP_STORE,path=PlainID,key=my-secret,jsonpath=$.UserName}}" ``` ### Certificate Configuration for CyberArk CCP Store This section describes how to securely configure certificates for authenticating with the CyberArk CCP Store. Certificates can be provided either by mounting Kubernetes secrets or embedding certificate content directly into configuration files. The method you choose depends on your organization’s security and deployment model. For a full reference on CyberArk CCP configuration and certificate-based authentication, see the **[CyberArk documentation](https://docs.cyberark.com/identity/latest/en/content/coreservices/authenticate/configure-cba.htm)**. #### Method 1: Mounted Certificates from Secrets **To create and mount certificates:** 1. Create a Kubernetes secret containing your certificates: ``` kubectl create secret generic cyberark-cert-secret \ --from-file=ca.pem=/path/to/ca.pem \ --from-file=certificate.crt=/path/to/certificate.crt \ --from-file=private.key=/path/to/private.key ``` 2. Reference the secret in your deployment’s Helm values file: ``` extraVolumes: - name: cyberark-cert-secret secret: defaultMode: 420 secretName: cyberark-cert-secret extraVolumeMounts: - name: cyberark-cert-secret readOnly: true mountPath: /app/ca.pem subPath: ca.pem - name: cyberark-cert-secret readOnly: true mountPath: /app/certificate.crt subPath: certificate.crt - name: cyberark-cert-secret readOnly: true mountPath: /app/private.key subPath: private.key ### There are two methods for configuring reference to the file names: ### A: Using the manual Store configuration, referencing the mount paths: plainIDConfig: config.yaml: secretStore: - id: CYBERARK_CCP_STORE type: CyberArkCCP isDefault: false auth: method: TLS-Cert caFileName: /app/ca.pem certFileName: /app/certificate.crt keyFileName: /app/private.key details: url: ${CYBERARK_CCP_URL} appId: ${CYBERARK_CCP_APP_ID} ### B: Using the extraEnv and declaring environment variable referencing the mount paths: extraEnv: ENV_VAR_CCP_CERT_FILE_NAME: "/app/config/cert.crt" ENV_VAR_CCP_KEY_FILE_NAME: "/app/config/private.key" ENV_VAR_CCP_CA_FILE_NAME: "/app/config/ca.pem" ``` #### Method 2: Embedded Certificate Content You can embed certificate content directly into your configuration: ``` plainIDConfig: config.yaml: secretStore: - id: CYBERARK_CCP_STORE type: CyberArkCCP isDefault: false auth: method: TLS-Cert caFileName: /app/ca.pem certFileName: /app/certificate.crt keyFileName: /app/private.key details: url: ${CYBERARK_CCP_URL} appId: ${CYBERARK_CCP_APP_ID} ca.pem: | -----BEGIN CERTIFICATE----- ... your CA certificate content ... -----END CERTIFICATE----- certificate.crt: | -----BEGIN CERTIFICATE----- ... your certificate content ... -----END CERTIFICATE----- private.key: | -----BEGIN PRIVATE KEY----- ... your private key content ... -----END PRIVATE KEY----- ``` --- ### Standalone Deployment In a standalone deployment, certificate related files will be deployed on the machine, as an example under the Secret Manager service app folder and referenced from there. In this pattern there is no need for environment variables or secrets and instead the store configuration will simply point to the files locations and the certificates will be be read from the file while authenticating to CCP. **Example (Standalone Format):** ``` /app/config/cert.crt /app/config/private.key /app/config/ca.pem ``` Whenever these values are referenced (whether in manual configuration, platform-managed environment variables, or other input fields), you **refer to them exactly by path**, e.g.: ``` certFileName: /app/config/cert.crt keyFileName: /app/config/private.key caFileName: /app/config/ca.pem ``` This approach eliminates the need for Kubernetes secrets but should only be used in controlled environments where configuration files are securely managed.