Trust Protection Foundation components

The following is a list of components that are available for selection in CyberArk Configuration Console. Any component that is not selected during installation can be enabled later in the configuration console.

Some components can't be added to your system. For example, if IIS is not installed, or if you don't have a valid license for a specific product, related components won't be available.

Each component is listed below with its answer file key, the products it belongs to, and a description.

Component: ACME Service
Answer file key: Acme
Products: Certificate Manager - Self-Hosted

Provides certificate automation via an Automated Certificate Management Environment (ACME). An HTTPS server is set up and configured to automatically obtain a browser-trusted certificate without any human intervention. A certificate management agent runs on the web server.

IMPORTANT  CyberArk's implementation of the ACME protocol was designed and tested for use with the following clients: certbot, win-acme, and acme.sh. If you're using a different client, you might encounter limitations. For example, your alternate ACME client might use portions of the ACME protocol that aren't supported by CyberArk's integration with the certbot and win-acme clients.

Component: Authentication Server
Answer file key: AuthServer
Products: Platform

Provides authentication for REST access by web components.

Component: Automatic Layout Manager
Answer file key: AutoLayout
Products: Platform

Enables the Placement Job feature, which lets you reconcile duplicates and organize certificates and devices into folders based on placement rules.

If this feature is installed during installation of CyberArk Trust Protection Foundation, it can be enabled or disabled either in the CyberArk Configuration Console, or in Policy Tree on the Platforms tree.

If you have multiple servers in your cluster, you may want to enable this feature on some, but not all, of the servers in the cluster for performance reasons. That would enable one server to be running the placement jobs feature without impacting the performance of other servers in the cluster.

Component: Bulk Provisioning Manager
Answer file key: BulkProvisioning
Products: Certificate Manager - Self-Hosted

Provisions keys and certificates to one or more devices simultaneously.

Component: CA Import
Answer file key: CAImport
Products: Certificate Manager - Self-Hosted

Automatically imports certificates from supported Certificate Authorities.

Component: Certificate Lifecycle and Monitoring
Answer file key: Certificates
Products: Certificate Manager - Self-Hosted, Code Sign Manager - Self-Hosted

Provides certificate lifecycle management. Responsible for certificate-related tasks such as expiration notifications, issuance, renewal and revocation, and for provisioning of certificates to devices.

Component: Certificate Revocation Monitoring
Answer file key: Revocation
Products: Certificate Manager - Self-Hosted

Adds CRL Distribution Point (CDP) monitoring to Trust Protection Foundation. Monitors the revocation status of all certificates in inventory at least daily, lets you run an on-demand revocation check for an individual certificate in either Aperture or Policy Tree, and monitors OCSP and CDP endpoint validity. This component does not control your ability to revoke certificates; it adds the ability to monitor for revocations and to monitor CDP and OCSP endpoints.

IMPORTANT  Certificate Revocation and CDP Monitoring is a feature that must be enabled when you install Trust Protection Foundation in the CyberArk Configuration Console. This module is disabled by default if you are upgrading from a version of Trust Protection Foundation prior to 19.2. You will need to enable it manually on at least one engine if you want to do revocation checking and CDP monitoring.

When you enable this module on multiple engines, all must have equal access to all CDP and OCSP endpoints. If a particular engine does not have the same network access as other engines, then the service module should be disabled on that engine with restricted access.

If you see sporadic network access or "unable to connect" statuses for your CDP or OCSP endpoints (either in the Roots tree, or in the logs), it is likely that one of your engines does not have access to reach those endpoints.

CDP Monitoring and Revocation Checking does not honor engine partitioning in the Policy Tree.
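The notes above say that every engine running this module needs the same network access to every CDP and OCSP endpoint, and that sporadic "unable to connect" statuses usually mean one engine lacks that access. The following is an added example, not CyberArk code, of how to confirm that from the outside: probe each endpoint from each engine, then list the endpoints that some engines reach and others do not, which are exactly the engines on which the module should be disabled. The engine names, endpoint URLs and probe outcomes in SAMPLE_RESULTS are constructed; probe_endpoint uses only the Python standard library.

```python
"""Added example, not CyberArk code: cross-check CDP/OCSP endpoint reachability
across engines. Engine names, endpoint URLs and probe outcomes in SAMPLE_RESULTS
are constructed; probe_endpoint uses only the standard library."""
import socket
import urllib.error
import urllib.request


def probe_endpoint(url, timeout=5.0, opener=urllib.request.urlopen):
    """Report whether a CDP (CRL download) or OCSP URL is reachable from here.

    Any HTTP answer, including 4xx/5xx, counts as reachable: a healthy OCSP
    responder rejects a bare GET, and what we want to detect is a network path
    problem on one engine, not a protocol-level error.
    """
    try:
        with opener(url, timeout=timeout) as resp:
            return {"reachable": True, "status": resp.status}
    except urllib.error.HTTPError as err:
        return {"reachable": True, "status": err.code}
    except (urllib.error.URLError, socket.timeout, OSError) as err:
        return {"reachable": False, "status": None, "detail": str(err)}


def probe_all(endpoints, prober=probe_endpoint):
    """Run on one engine: map each endpoint URL to True/False reachability."""
    return {url: prober(url)["reachable"] for url in endpoints}


def find_inconsistent_endpoints(results):
    """results: {engine: {url: reachable}} gathered from every engine.

    Return {url: [engines that cannot reach it]} for every endpoint that some
    engines reach and others do not. An endpoint no engine reaches is not
    listed: that points at the endpoint (or the CA), not at an engine.
    """
    urls = set()
    for per_engine in results.values():
        urls.update(per_engine)
    inconsistent = {}
    for url in sorted(urls):
        ok = [e for e, r in results.items() if r.get(url) is True]
        failing = [e for e, r in results.items() if r.get(url) is not True]
        if ok and failing:
            inconsistent[url] = sorted(failing)
    return inconsistent


def engines_to_disable(results):
    """Engines whose network access differs from their peers: the guidance is to
    disable the Revocation module on exactly these."""
    restricted = set()
    for engines in find_inconsistent_endpoints(results).values():
        restricted.update(engines)
    return sorted(restricted)


# Constructed sample: three engines, one of which cannot reach the OCSP
# responder, plus one CRL URL that is down for everyone.
SAMPLE_RESULTS = {
    "tpp-engine-01": {"http://crl.example.test/root.crl": True,
                      "http://ocsp.example.test/": True,
                      "http://crl.example.test/old.crl": False},
    "tpp-engine-02": {"http://crl.example.test/root.crl": True,
                      "http://ocsp.example.test/": True,
                      "http://crl.example.test/old.crl": False},
    "tpp-engine-03": {"http://crl.example.test/root.crl": True,
                      "http://ocsp.example.test/": False,
                      "http://crl.example.test/old.crl": False},
}

if __name__ == "__main__":
    for url, engines in find_inconsistent_endpoints(SAMPLE_RESULTS).items():
        print(f"{url}: unreachable from {', '.join(engines)}")
    print("disable Revocation on:", engines_to_disable(SAMPLE_RESULTS))
```

In practice you would run probe_all on each engine against the CDP and OCSP URLs taken from your inventory, collect the per-engine dictionaries, and feed them to find_inconsistent_endpoints; an endpoint that fails everywhere is reported as an endpoint problem rather than an engine problem, which matches the distinction the text draws.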

Component: Client REST
Answer file key: Client
Products: Platform

Enables communication between agents and Trust Protection Foundation.

Component: Code Signing Client Distribution
Answer file key: ClientDistribution
Products: Code Sign Manager - Self-Hosted

Enables a web page that provides helpful scripting information and links for downloading Code Sign Manager - Self-Hosted clients. You can access the page by adding /csc to your Trust Protection Foundation URL, such as:

https://TPP-Server-Name/csc

For more information, see Using the Code Sign Manager - Self-Hosted Client Downloads page.

Component: Code Signing Key Server
Answer file key: KeyServer
Products: Code Sign Manager - Self-Hosted

Provides functionality to set up a JWK key server and a GPG key server to store public keys and make them publicly available through a RESTful HTTP request.

For more information, see GPG public key server.

Component: Enrollment over Secure Transport Service
Answer file key: EstService
Products: Certificate Manager - Self-Hosted

This service provides certificate enrollment capability for devices via the Enrollment over Secure Transport (EST) protocol.

For more information on EST, see Certificate enrollment via EST protocol.

Component: HSM Backend
Answer file key: HsmBackend
Products: Code Sign Manager - Self-Hosted

Provides virtual HSM capability within Trust Protection Foundation for code signing. This allows CyberArk Code Sign Manager - Self-Hosted clients to request signing operations using private code signing keys that are managed by Trust Protection Foundation.

Component: Key Lifecycle and Monitoring
Answer file key: KeyManager
Products: Code Sign Manager - Self-Hosted

Provides key lifecycle management. Responsible for tasks such as creating new keys and monitoring key expiration. This component is required for GPG and .NET Code Sign Manager - Self-Hosted environments, as well as for SSH Manager for Machines.

Component: Kubernetes Discovery Manager
Answer file key: JSSDiscovery
Products: Certificate Manager - Self-Hosted

Provides a way to monitor TLS certificates used on clusters managed by CyberArk Certificate Manager for Kubernetes.

With the Kubernetes discovery feature, administrators can create new discovery jobs which import certificates from all Kubernetes clusters registered to Certificate Manager for Kubernetes.

Component: Network Device Enrollment
Answer file key: Scep
Products: Certificate Manager - Self-Hosted

Enables devices to use the SCEP protocol to request certificates from Trust Protection Foundation.

You would want to enable this feature if you have SCEP-enabled devices or applications and you want those devices and applications to be able to get certificates directly from Trust Protection Foundation. This feature is frequently used with mobile-device management solutions.

For more information on configuring Network Device Enrollment, see Certificate enrollment via SCEP protocol of the CyberArk Trust Protection Foundation Certificate Management Guide.

Component: Network Discovery
Answer file key: Discovery
Products: Platform

Runs the Network Discovery surveys configured in your system’s Discovery objects. During a Network Discovery, the Discovery server scans designated IPv4 address ranges and ports to identify SSL certificates.

For more information on discovering network certificates, see Discovering certificates and keys.

Component: Object Monitoring
Answer file key: Monitoring
Products: Platform

Monitors SSH key and credential objects for expiration and generates expiration notifications.

For more information on logging and event notifications, see Notification and logging overview.

Component: Onboard Discovery Manager
Answer file key: OBDDiscovery
Products: Certificate Manager - Self-Hosted

Configuring onboard discovery jobs lets you automate the process of provisioning by adding devices to one or more specific policies. You then have control over the placement of discovered certificates without having to manually update jobs or reorganize certificates after they've been discovered.

Component: Reporting
Answer file key: Reporting
Products: Platform

Generates and distributes pre-defined and custom reports.

Component: SSH Certificate Lifecycle and Monitoring
Answer file key: SSHCertificates
Products: SSH Manager for Machines

Allows you to use SSH Manager for Machines to manage SSH certificates.

Component: SSH Key Detection and Remediation
Answer file key: SSH
Products: SSH Manager for Machines

Secures and protects SSH keys and systems through discovery, reporting, policy enforcement, and remediation.

Component: Time Stamp Service
Answer file key: TimeStampService
Products: Code Sign Manager - Self-Hosted

Provides an RFC 3161-compliant time stamping service for code signing. You can either use your own time stamping certificate or specify a list of time stamping proxies. Once configured, you can specify Trust Protection Foundation as your time stamping server.
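To make concrete what an RFC 3161 client sends to a time stamping server such as this one, here is an added example, not CyberArk's code or any of its clients, that builds a TimeStampReq in DER from a hash using only the Python standard library, parses it back, and performs the check a caller must do on the reply: the messageImprint and nonce in the returned token's TSTInfo must equal the ones that were sent. The request bytes are what a client POSTs to the service with the Content-Type application/timestamp-query; the service URL is not shown, since it is deployment-specific, and the data hashed below is constructed.

```python
"""Added example, not CyberArk code: build and inspect an RFC 3161 TimeStampReq
with the standard library only. The data hashed in the tests is constructed."""
import hashlib
import os

# Hash algorithm OIDs used in the AlgorithmIdentifier of the message imprint.
HASH_OIDS = {
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
    "sha512": "2.16.840.1.101.3.4.2.3",
}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    # Two's-complement, minimal length, leading 0x00 when the top bit is set.
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_timestamp_request(data, hash_name="sha256", nonce=None, cert_req=True):
    """Return (der, nonce) for TimeStampReq { version 1, messageImprint, nonce, certReq }.

    A fresh 64-bit nonce ties the reply to this request; certReq TRUE asks the
    TSA to include its signing certificate so the token can be verified later.
    """
    digest = hashlib.new(hash_name, data).digest()
    if nonce is None:
        nonce = int.from_bytes(os.urandom(8), "big")
    alg_id = _tlv(0x30, _der_oid(HASH_OIDS[hash_name]) + b"\x05\x00")  # OID + NULL params
    imprint = _tlv(0x30, alg_id + _tlv(0x04, digest))
    body = _der_int(1) + imprint + _der_int(nonce)
    if cert_req:
        body += b"\x01\x01\xff"  # BOOLEAN TRUE; DEFAULT FALSE, so DER omits it when false
    return _tlv(0x30, body), nonce


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_timestamp_request(der):
    """Decode the fields of a TimeStampReq (optional reqPolicy/extensions are skipped)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    _, imprint = fields[1]
    _, alg_id, p = _read_tlv(imprint, 0)
    _, hashed, _ = _read_tlv(imprint, p)
    _, oid_body, _ = _read_tlv(alg_id, 0)
    req = {"version": int.from_bytes(fields[0][1], "big", signed=True),
           "hash_oid": _decode_oid(oid_body), "hashed_message": hashed,
           "nonce": None, "cert_req": False}
    for t, v in fields[2:]:
        if t == 0x02:
            req["nonce"] = int.from_bytes(v, "big", signed=True)
        elif t == 0x01:
            req["cert_req"] = v == b"\xff"
    return req


def reply_matches_request(req_der, reply_hashed_message, reply_nonce):
    """The check to do on the reply's TSTInfo before trusting the token: its
    messageImprint and nonce must equal the ones in the request."""
    req = parse_timestamp_request(req_der)
    return req["hashed_message"] == reply_hashed_message and req["nonce"] == reply_nonce
```

The nonce is what stops a replayed or stale token from being accepted for a fresh signing run; keep it with the request until the reply has been checked, and treat a mismatch on either field as a failed time stamp rather than a warning.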

Component: Validation
Answer file key: Validation
Products: Certificate Manager - Self-Hosted

Runs the network and onboard validation processes.

Network validation verifies a certificate or key is installed on the target system, then determines if the correct certificate is being used.

For more information on validating certificates and applications, see SSL/TLS network validation.
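The Network Discovery entry above describes sweeping IPv4 ranges and ports to identify certificates, and the Validation entry describes checking that a certificate is installed on the target and that it is the correct one. Both rest on the same operation, a TLS handshake that captures the served certificate, so here is one added example (not CyberArk code) covering both: it expands a range specification, probes each address and port, records the SHA-256 fingerprint of whatever certificate is served, and then compares a host's served certificate with the expected fingerprint. The addresses and fingerprints in SAMPLE_LISTENERS are constructed; probe_tls uses only the standard library, and the probe is injectable so the sweep can run without network access.

```python
"""Added example, not CyberArk code: a TLS inventory sweep of an IPv4 range and a
network-validation check of one host. SAMPLE_LISTENERS is constructed data;
probe_tls uses only the standard library."""
import hashlib
import ipaddress
import socket
import ssl


def expand_targets(spec):
    """Expand '10.0.0.0/30', '10.0.0.1-10.0.0.3' or a single address into host
    addresses. CIDR expansion skips the network and broadcast addresses."""
    spec = spec.strip()
    if "/" in spec:
        return [str(h) for h in ipaddress.IPv4Network(spec, strict=False).hosts()]
    if "-" in spec:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        return [str(ipaddress.IPv4Address(i)) for i in range(int(start), int(end) + 1)]
    return [str(ipaddress.IPv4Address(spec))]


def probe_tls(host, port, timeout=3.0):
    """Complete a TLS handshake and return the leaf certificate's SHA-256
    fingerprint, or None if nothing answered TLS on that port.

    Verification is off on purpose: discovery records what is deployed,
    including self-signed or expired certificates, and trusts nothing."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None
    return {"fingerprint": hashlib.sha256(der).hexdigest()}


def discover(spec, ports=(443,), prober=probe_tls):
    """Sweep every address in spec on each port; return {(ip, port): fingerprint}."""
    found = {}
    for ip in expand_targets(spec):
        for port in ports:
            info = prober(ip, port)
            if info is not None:
                found[(ip, port)] = info["fingerprint"]
    return found


def validate(host, port, expected_fingerprint, prober=probe_tls):
    """Network validation: is a certificate installed, and is it the expected one?
    Returns 'not_installed', 'wrong_certificate' or 'ok'."""
    info = prober(host, port)
    if info is None:
        return "not_installed"
    if info["fingerprint"].lower() != expected_fingerprint.lower():
        return "wrong_certificate"
    return "ok"


# Constructed listeners so the sweep can run without a network.
SAMPLE_LISTENERS = {("10.0.0.1", 443): "aa" * 32, ("10.0.0.2", 8443): "bb" * 32}


def sample_prober(host, port):
    fp = SAMPLE_LISTENERS.get((host, port))
    return {"fingerprint": fp} if fp else None


if __name__ == "__main__":
    for (ip, port), fp in discover("10.0.0.0/30", ports=(443, 8443), prober=sample_prober).items():
        print(f"{ip}:{port} sha256={fp}")
    print(validate("10.0.0.1", 443, "aa" * 32, prober=sample_prober))
```

Against real hosts, drop the prober argument so probe_tls is used; the fingerprint returned by discovery for a host is the value to store as its expected certificate, and validate then distinguishes a missing listener from a listener that is serving some other certificate, which is the distinction the Validation entry draws.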

Component: Web Console
Answer file key: WebConsole
Products: Platform

Web-based management interface. Installs both Policy Tree and Aperture.

At least two Trust Protection Foundation servers need to have Web Console enabled. Once Web Console is enabled on two different servers, you can disable this component on the others.

Server requirements for Web Console are outlined in Web Server Roles (CyberArk web services enabled).

Component: Web SDK
Answer file key: WebSDK
Products: Platform

Extend your custom environments by integrating them with CyberArk solutions using the Web SDK code library.

For more information, see DevOps and Automation.