> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# CyberArk CCP

The CyberArk CCP (Central Credential Provider) secret provider connects the Orchestrator to CyberArk Vault via the CCP REST API. CCP provides agentless credential retrieval, allowing the Orchestrator to fetch privileged credentials without requiring a local agent installation.

<Note>
  **Console terminology:** In the Maverics Console, Orchestrator instances and
  configuration delivery are managed through **Deployments**. When working directly
  with YAML, configuration is managed as files delivered via the `-config` flag or
  `MAVERICS_CONFIG` environment variable.
</Note>

## Overview

When configured with the CyberArk CCP provider, the Orchestrator authenticates to the CCP web service and retrieves credentials from the CyberArk Vault. CCP is the agentless component of CyberArk's Privileged Access Security solution -- it exposes a REST API that applications call to retrieve credentials without needing the CyberArk Application Identity Manager agent installed locally.

## Use Cases

* **Existing CyberArk deployments** -- retrieve Orchestrator secrets from an existing CyberArk Vault without duplicating credentials into another system
* **Agentless retrieval** -- fetch credentials via the CCP REST API without installing a CyberArk agent on the Orchestrator host
* **Separation of duties** -- CyberArk administrators manage credential policies and rotations; Orchestrator operators consume credentials via CCP

## Configuration

Secret providers are not configured in YAML. They are set via the `MAVERICS_SECRET_PROVIDER` environment variable or the `-secretProvider` CLI flag.

### Configuration via Environment Variable

```bash theme={null}
# Certificate file authentication
export MAVERICS_SECRET_PROVIDER="cyberarkccp://ccp.example.com?appID=MyApp&safe=MySafe&certFile=/path/to/cert.pem&keyFile=/path/to/key.pem"

# With optional CA certificate and folder
export MAVERICS_SECRET_PROVIDER="cyberarkccp://ccp.example.com?appID=MyApp&safe=MySafe&certFile=/path/to/cert.pem&keyFile=/path/to/key.pem&caFile=/path/to/ca.pem&folder=Root"
```

### Configuration via CLI Flag

```bash theme={null}
maverics -config maverics.yaml -secretProvider "cyberarkccp://ccp.example.com?appID=MyApp&safe=MySafe&certFile=/path/to/cert.pem&keyFile=/path/to/key.pem"
```

### Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax. The key in the angle brackets maps to the account object name in the CyberArk Vault:

```yaml theme={null}
connectors:
  - name: my-idp
    oauthClientSecret: <my-credential-object>
```

## Configuration Reference

### URL Structure

```
cyberarkccp://{ccp-server-address}?appID={appID}&safe={safe}&certFile={certFile}&keyFile={keyFile}
```

### URL Parameters

| Parameter             | Required    | Description                                                                                                            |
| --------------------- | ----------- | ---------------------------------------------------------------------------------------------------------------------- |
| Server address        | Yes         | Hostname of the CyberArk CCP web service (e.g., `ccp.example.com`)                                                     |
| `appID`               | Yes         | CyberArk Application ID configured in PVWA                                                                             |
| `safe`                | Yes         | CyberArk Safe containing the credentials                                                                               |
| `certFile`            | Conditional | Path to client certificate file for CCP authentication. Required when not using Windows certificate store.             |
| `keyFile`             | Conditional | Path to client private key file. Required when `certFile` is provided.                                                 |
| `caFile`              | No          | Path to CA certificate file for verifying the CCP server                                                               |
| `folder`              | No          | Folder within the Safe to retrieve credentials from                                                                    |
| `newLineDelim`        | No          | Delimiter string to replace with newline characters in secret values (useful for multi-line secrets like certificates) |
| `winCertThumbprint`   | No          | Windows certificate store thumbprint for client authentication (Windows only)                                          |
| `winCertSubject`      | No          | Windows certificate store subject for client authentication (Windows only)                                             |
| `winRootCAThumbprint` | No          | Windows certificate store thumbprint for CA certificate (Windows only)                                                 |
| `winRootCASubject`    | No          | Windows certificate store subject for CA certificate (Windows only)                                                    |

### Authentication

CCP requires client certificate authentication. Provide certificates using one of two methods:

* **File-based certificates** -- set `certFile` and `keyFile` (and optionally `caFile`)
* **Windows certificate store** -- set `winCertThumbprint` or `winCertSubject` (and optionally `winRootCAThumbprint` or `winRootCASubject`)

<Note>
  The CCP web service must be configured in CyberArk to allow the Orchestrator
  host to retrieve credentials. Ensure the appropriate Application ID and Safe
  permissions are configured in the CyberArk PVWA (Password Vault Web Access).
</Note>

## Troubleshooting

**"Unauthorized" or authentication errors**
Verify that the CyberArk Application ID is configured to allow access from the Orchestrator host's IP address or certificate. Check the CyberArk PVWA audit log for denied requests.

**"Connection refused" when starting the Orchestrator**
Confirm the CCP server address is correct and that the Orchestrator host has network access to the CCP REST API endpoint (typically port 443).

**Secrets not resolving in YAML configuration**
Ensure the angle bracket syntax matches the account names in the CyberArk Vault. The namespace and key in `<namespace.key>` must correspond to the Safe and account object stored in CyberArk.

## Related Pages

<CardGroup cols={2}>
  <Card title="Secret Providers" icon="vault" href="/reference/orchestrator/configuration/secret-providers">
    Overview of all secret providers
  </Card>

  <Card title="CyberArk Conjur" icon="lock" href="/reference/orchestrator/configuration/secret-providers/conjur">
    DevOps-oriented secrets for CI/CD and containers
  </Card>
</CardGroup>
