The CyberArk CCP (Central Credential Provider) secret provider connects the Orchestrator to CyberArk Vault via the CCP REST API. CCP provides agentless credential retrieval, allowing the Orchestrator to fetch privileged credentials without requiring a local agent installation.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with YAML, configuration is managed as files delivered via the -config flag or MAVERICS_CONFIG environment variable.

Overview

When configured with the CyberArk CCP provider, the Orchestrator authenticates to the CCP web service and retrieves credentials from the CyberArk Vault. CCP is the agentless component of CyberArk’s Privileged Access Security solution — it exposes a REST API that applications call to retrieve credentials without needing the CyberArk Application Identity Manager agent installed locally.

Use Cases

  • Existing CyberArk deployments — retrieve Orchestrator secrets from an existing CyberArk Vault without duplicating credentials into another system
  • Agentless retrieval — fetch credentials via the CCP REST API without installing a CyberArk agent on the Orchestrator host
  • Separation of duties — CyberArk administrators manage credential policies and rotations; Orchestrator operators consume credentials via CCP

Configuration

Secret providers are not configured in YAML. They are set via the MAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.

Configuration via Environment Variable

# Certificate file authentication
export MAVERICS_SECRET_PROVIDER="cyberarkccp://ccp.example.com?appID=MyApp&safe=MySafe&certFile=/path/to/cert.pem&keyFile=/path/to/key.pem"

# With optional CA certificate and folder
export MAVERICS_SECRET_PROVIDER="cyberarkccp://ccp.example.com?appID=MyApp&safe=MySafe&certFile=/path/to/cert.pem&keyFile=/path/to/key.pem&caFile=/path/to/ca.pem&folder=Root"

Configuration via CLI Flag

maverics -config maverics.yaml -secretProvider "cyberarkccp://ccp.example.com?appID=MyApp&safe=MySafe&certFile=/path/to/cert.pem&keyFile=/path/to/key.pem"

Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax. The key in the angle brackets maps to the account object name in the CyberArk Vault:
connectors:
  - name: my-idp
    oauthClientSecret: <my-credential-object>

Configuration Reference

URL Structure

cyberarkccp://{ccp-server-address}?appID={appID}&safe={safe}&certFile={certFile}&keyFile={keyFile}

URL Parameters

Parameter | Required | Description
--- | --- | ---
Server address | Yes | Hostname of the CyberArk CCP web service (e.g., ccp.example.com)
appID | Yes | CyberArk Application ID configured in PVWA
safe | Yes | CyberArk Safe containing the credentials
certFile | Conditional | Path to the client certificate file for CCP authentication. Required when not using the Windows certificate store.
keyFile | Conditional | Path to the client private key file. Required when certFile is provided.
caFile | No | Path to the CA certificate file used to verify the CCP server
folder | No | Folder within the Safe to retrieve credentials from
newLineDelim | No | Delimiter string that is replaced with newline characters in secret values (useful for multi-line secrets such as certificates)
winCertThumbprint | No | Windows certificate store thumbprint of the client certificate (Windows only)
winCertSubject | No | Windows certificate store subject of the client certificate (Windows only)
winRootCAThumbprint | No | Windows certificate store thumbprint of the CA certificate (Windows only)
winRootCASubject | No | Windows certificate store subject of the CA certificate (Windows only)

Authentication

This provider authenticates to CCP with a client certificate. Provide the certificate using one of two methods:
  • File-based certificates — set certFile and keyFile (and optionally caFile so the CCP server certificate is verified against a known CA rather than the host's default trust store)
  • Windows certificate store — set winCertThumbprint or winCertSubject (and optionally winRootCAThumbprint or winRootCASubject)
The CCP web service must be configured in CyberArk to allow the Orchestrator host to retrieve credentials: in the CyberArk PVWA (Password Vault Web Access), the Application ID must be allowed to authenticate from the Orchestrator host (for example by its client certificate or IP address), and it must be a member of the Safe with permission to retrieve accounts. Grant the Application ID only the Safes and permissions the Orchestrator needs.
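The following is an added example, not code from Maverics or CyberArk, tying together the provider URL from the Configuration section, the parameter rules from the table above, the angle-bracket references, and the client-certificate authentication. It parses a cyberarkccp:// URL, rejects the combinations the table forbids (certFile without keyFile, no client certificate at all, missing appID or safe), turns a <object> reference into the CCP REST request, and applies newLineDelim to the returned value. The CCP REST path /AIMWebService/api/Accounts with the AppID, Safe, Folder and Object query parameters is CyberArk's documented CCP API; how the Orchestrator itself issues that request internally is not described on this page and is assumed here, as is the reference regex.

```python
# Added example (not Maverics or CyberArk code). Assumed: the Orchestrator issues
# the standard CCP REST call GET /AIMWebService/api/Accounts?AppID=&Safe=&Folder=&Object=
# and reads the "Content" field of the JSON response.
import json
import re
import ssl
import urllib.parse
import urllib.request

REQUIRED = ("appID", "safe")
WINDOWS_CERT = ("winCertThumbprint", "winCertSubject")
KNOWN = set(REQUIRED) | set(WINDOWS_CERT) | {
    "certFile", "keyFile", "caFile", "folder", "newLineDelim",
    "winRootCAThumbprint", "winRootCASubject",
}


def parse_provider_url(url):
    """Split a cyberarkccp:// URL into (host, params), enforcing the parameter table's rules."""
    u = urllib.parse.urlsplit(url)
    if u.scheme != "cyberarkccp" or not u.netloc:
        raise ValueError("expected cyberarkccp://{ccp-server-address}?appID=...&safe=...")
    params = dict(urllib.parse.parse_qsl(u.query, keep_blank_values=True))
    unknown = sorted(set(params) - KNOWN)
    if unknown:
        raise ValueError(f"unknown parameter(s): {unknown}")
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        raise ValueError(f"missing required parameter(s): {missing}")
    if "certFile" in params and "keyFile" not in params:
        raise ValueError("keyFile is required when certFile is provided")
    if "certFile" not in params and not any(k in params for k in WINDOWS_CERT):
        raise ValueError("client certificate required: certFile/keyFile or winCertThumbprint/winCertSubject")
    return u.netloc, params


def ccp_request_url(host, params, object_name):
    """CCP REST call that resolves a <object_name> reference from the YAML."""
    query = {"AppID": params["appID"], "Safe": params["safe"], "Object": object_name}
    if params.get("folder"):
        query["Folder"] = params["folder"]
    return f"https://{host}/AIMWebService/api/Accounts?{urllib.parse.urlencode(query)}"


def tls_context(params):
    """Client-certificate TLS context; load_cert_chain fails fast if key and cert do not match."""
    if "certFile" not in params:
        raise NotImplementedError("Windows certificate store authentication is not covered here")
    ctx = ssl.create_default_context(cafile=params.get("caFile"))  # caFile pins the CCP server CA
    ctx.load_cert_chain(params["certFile"], params["keyFile"])
    return ctx


def decode_secret(content, new_line_delim=None):
    """Apply newLineDelim: the delimiter stored in the Vault becomes a real newline."""
    return content.replace(new_line_delim, "\n") if new_line_delim else content


def fetch_secret(provider_url, object_name, timeout=10):
    """Network path (not exercised offline): GET the account and return its Content field."""
    host, params = parse_provider_url(provider_url)
    req = urllib.request.Request(ccp_request_url(host, params, object_name),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=tls_context(params), timeout=timeout) as resp:
        body = json.load(resp)
    return decode_secret(body["Content"], params.get("newLineDelim"))


REF = re.compile(r"<([A-Za-z0-9._-]+)>")  # angle-bracket reference; pattern is an assumption


def resolve_references(yaml_text, lookup):
    """Replace each <name> in the YAML text with lookup(name)."""
    return REF.sub(lambda m: lookup(m.group(1)), yaml_text)


if __name__ == "__main__":
    url = ("cyberarkccp://ccp.example.com?appID=MyApp&safe=MySafe"
           "&certFile=/path/to/cert.pem&keyFile=/path/to/key.pem&caFile=/path/to/ca.pem&folder=Root")
    host, params = parse_provider_url(url)
    # Constructed YAML fragment; the lookup prints the CCP call instead of making it.
    yaml_text = "connectors:\n  - name: my-idp\n    oauthClientSecret: <my-credential-object>\n"
    print(resolve_references(yaml_text, lambda name: ccp_request_url(host, params, name)))
```

Running the script offline prints the YAML with the reference replaced by the CCP URL the Orchestrator would call; swap the lambda for fetch_secret to perform the real retrieval over mutual TLS. Calling tls_context before startup is a useful preflight: it raises immediately when the key file does not belong to the certificate, which otherwise surfaces only as an opaque TLS or "Unauthorized" error from CCP.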

Troubleshooting

“Unauthorized” or authentication errors
Verify that the CyberArk Application ID is configured to allow access from the Orchestrator host’s IP address or client certificate, and that the Application ID is a member of the Safe with retrieve permission. Confirm the private key in keyFile belongs to the certificate in certFile. Check the CyberArk PVWA audit log for denied requests.

“Connection refused” when starting the Orchestrator
Confirm the CCP server address is correct and that the Orchestrator host has network access to the CCP REST API endpoint (typically TCP port 443).

Secrets not resolving in YAML configuration
Ensure the angle-bracket reference matches the account object name in the CyberArk Vault, and that the configured safe (and folder, if set) contains that object. In the <namespace.key> form, the namespace and key must correspond to the Safe and account object stored in CyberArk.