• April 29 2026

CyberArk CPM Plugins: Complete Guide (When to Create, C# Code, DLL Build, Testing & Deployment)

In CyberArk Privileged Access Management (PAM), the Central Policy Manager (CPM) is responsible for:

• Password Rotation

• Password Verification

• Reconciliation

But what if your target system is not supported out-of-the-box?

👉 That’s where CPM Plugins come into play.

---

🧠 What is a CPM Plugin?

A CPM Plugin is a custom-developed integration that allows CyberArk to:

• Connect to unsupported systems

• Verify passwords

• Change passwords

• Reset credentials (Reconcile)

👉 Built using:

• C# (.NET SDK) (Recommended)

• PowerShell / Python (limited cases)

---

⚠️ MOST IMPORTANT: When Do You Need CPM Plugin?

This is the #1 interview + real-world question 🔥

---

✅ You NEED CPM Plugin when:

• Managing Local Website Accounts

• Managing Custom Applications

• Managing Unsupported OS / Systems

• No plugin available in Marketplace

---

❌ You DO NOT NEED CPM Plugin when:

Example:

👉 You are accessing AWS / Web App using Domain Account

✔ Use:

• Windows Domain Platform

• PSM Web Connector

👉 No CPM plugin needed ❌

---

🔥 Golden Rule

Scenario	CPM Plugin Required?
Domain account → website	❌ No
Local website account	✅ Yes
Custom application	✅ Yes
No API / No automation	❌ Impossible

---

⚠️ Critical Limitation (Must Understand)

Before coding, ask:

👉 Can password be changed programmatically?

❌ OTP required → FAIL
❌ No API / UI automation → FAIL

If system cannot be automated, CPM plugin will NOT work.

---

🏗️ CPM Plugin Workflow

CyberArk Vault → CPM → Plugin DLL → Target System
                   ↓
           Verify / Change / Reconcile
                   ↓
              Return Status

---

🛠️ Prerequisites

🔹 Install Visual Studio

Download:
👉 https://visualstudio.microsoft.com/downloads/

✔ Select:

• .NET Desktop Development

---

🔹 Required DLLs (from CPM Server)

C:\Program Files (x86)\CyberArk\Password Manager\bin

Add references:

• CyberArk.Extensions.Utilties.dll

• CyberArk.Extensions.Plugins.Models.dll

---

🏗️ Step-by-Step CPM Plugin Development

---

📁 Step 1: Create Project

1. Open Visual Studio

2. Create New Project

3. Select:
   👉 Class Library (.NET Framework)

4. Name:

   SecAppsCPMPlugin
   

---

🧩 Step 2: BaseAction Class

using System.Collections.Generic;
using CyberArk.Extensions.Plugins.Models;
using CyberArk.Extensions.Utilties;

namespace SecAppsCPMPlugin
{
    public abstract class BaseAction : AbsAction
    {
        public BaseAction(List accountList, ILogger logger)
            : base(accountList, logger)
        {
        }

        protected string GetPassword(System.Security.SecureString secStr)
        {
            return new System.Net.NetworkCredential("", secStr).Password;
        }
    }
}

---

🔍 Step 3: VERIFY Action

using System;
using System.Collections.Generic;
using CyberArk.Extensions.Plugins.Models;

namespace SecAppsCPMPlugin
{
    public class VerifyAction : BaseAction
    {
        public VerifyAction(List accountList, ILogger logger)
            : base(accountList, logger)
        {
        }

        public override CPMAction ActionName
        {
            get { return CPMAction.verifypass; }
        }

        public override int run(ref PlatformOutput platformOutput)
        {
            try
            {
                string username = TargetAccount.AccountProp["username"];
                string address = TargetAccount.AccountProp["address"];
                string password = GetPassword(TargetAccount.CurrentPassword);

                Logger.Info($"Verifying {username} at {address}");

                if (!string.IsNullOrEmpty(password))
                {
                    platformOutput.Message = "Verify successful";
                    return 0;
                }

                platformOutput.Message = "Invalid password";
                return 8801;
            }
            catch (Exception ex)
            {
                platformOutput.Message = "Verify failed: " + ex.Message;
                return 8800;
            }
        }
    }
}

---

🔄 Step 4: CHANGE Action

using System;
using System.Collections.Generic;
using CyberArk.Extensions.Plugins.Models;

namespace SecAppsCPMPlugin
{
    public class ChangeAction : BaseAction
    {
        public ChangeAction(List accountList, ILogger logger)
            : base(accountList, logger)
        {
        }

        public override CPMAction ActionName
        {
            get { return CPMAction.changepass; }
        }

        public override int run(ref PlatformOutput platformOutput)
        {
            try
            {
                string username = TargetAccount.AccountProp["username"];
                string address = TargetAccount.AccountProp["address"];

                string oldPassword = GetPassword(TargetAccount.CurrentPassword);
                string newPassword = GetPassword(TargetAccount.NewPassword);

                Logger.Info($"Changing password for {username}");

                bool success = true;

                if (success)
                {
                    platformOutput.Message = "Password changed successfully";
                    return 0;
                }

                platformOutput.Message = "Password change failed";
                return 8802;
            }
            catch (Exception ex)
            {
                platformOutput.Message = "Change failed: " + ex.Message;
                return 8800;
            }
        }
    }
}

---

🔁 Step 5: LOGON Action

public class LogonAction : BaseAction
{
    public LogonAction(List accountList, ILogger logger)
        : base(accountList, logger)
    {
    }

    public override CPMAction ActionName
    {
        get { return CPMAction.logon; }
    }

    public override int run(ref PlatformOutput platformOutput)
    {
        platformOutput.Message = "Logon successful";
        return 0;
    }
}

---

🏗️ Step 6: Build DLL

👉 Build Solution

Output:

bin\Debug\SecAppsCPMPlugin.dll

---

🧪 Step 7: Manual Testing (Before CyberArk)

📁 Required Files

• Plugin DLL

• CANetPluginInvoker.exe

• Required DLLs

---

📝 user.ini File

[targetaccount]
username=admin1
password=OldPass123
newpassword=NewPass123
address=secappslearning.com
safename=TestSafe
objectname=admin1
PolicyID=TestPlatform

---

▶️ Run Commands

CANetPluginInvoker.exe user.ini verifypass SecAppsCPMPlugin.dll true
CANetPluginInvoker.exe user.ini changepass SecAppsCPMPlugin.dll true

---

🚀 Step 8: Deploy in CyberArk

📌 Copy DLL

C:\Program Files (x86)\CyberArk\Password Manager\bin

---

📌 Update Platform

• Add plugin DLL name

---

📌 Restart Service

CyberArk Password Manager

---

🧪 Step 9: Test in PVWA

✔ Verify Password
✔ Change Password

Check:

• CPM Logs

• PVWA Audit

---

🔐 Best Practices

✔ Never hardcode passwords
✔ Always use ILogger
✔ Use proper return codes
✔ Test manually first

---

⚠️ Common Mistakes

❌ Wrong platform
❌ No API support
❌ Ignoring workflow
❌ OTP-based systems

---

🏆 Interview Questions

• When do you create CPM plugin?

• Difference between Change & Reconcile?

• What if OTP required?

• How to test plugin manually?

• What is BaseAction?

---

📌 Conclusion

👉 Coding is easy
👉 Understanding the system is everything

“If target system cannot be automated, CPM plugin will fail.”