As organizations continue adopting cloud platforms, SaaS applications, web portals, custom business applications, and databases, managing privileged credentials manually becomes increasingly difficult and risky.
The CyberArk Central Policy Manager (CPM) provides automated password lifecycle management, including:
▢ Password Verification
▢ Password Change
▢ Password Reconciliation
▢ Password Rotation Compliance
▢ Privileged Account Governance
▢ Password Policy Enforcement
While CyberArk provides hundreds of out-of-the-box platforms, many organizations use custom web applications and databases that require custom CPM plugins.
In this guide, we will cover:
▢ Creating CPM plugins for Web Applications
▢ WebApp Framework Architecture
▢ Browser Requirements
▢ WebFormFields Development
▢ MFA Handling
▢ iFrame Handling
▢ Plugin Testing & Debugging
▢ ODBC Database Plugin Configuration
▢ Connection Strings & DSN Setup
▢ Password Change & Reconciliation Commands
▢ Security Hardening Best Practices
▢ Troubleshooting Common Issues
Traditional CPM plugins use C# DLL development.
However, CyberArk introduced the Web Application CPM Plugin Framework, which allows password management directly through browser automation without writing complex code.
The framework utilizes:
▢ Selenium-based browser automation
▢ Chrome Driver
▢ Edge Driver
▢ WebFormFields logic
▢ CPM WebApp Framework DLL
▢ Credentials Management .NET SDK
This approach significantly reduces development effort while increasing maintainability.
For a complete understanding of CPM architecture, read:
CyberArk CPM Password Management Complete Guide
The Web Application Framework works as follows:
▢ CPM receives a password management task
▢ CPM invokes WebApp Plugin Framework
▢ Browser launches automatically
▢ Framework navigates to target URL
▢ WebFormFields execute actions
▢ Password verification/change/reconciliation occurs
▢ Results are returned to CPM
▢ Vault is updated accordingly
This framework eliminates the need for writing custom Selenium projects from scratch.
Before creating WebApp plugins, ensure supported browsers are installed.
Supported Browsers
▢ Google Chrome Version 100+
▢ Microsoft Edge Version 103+
▢ 32-bit and 64-bit versions supported
Driver Requirements
Browser versions and drivers must always match.
Example:
▢ Chrome Browser Version 104
▢ ChromeDriver Version 104
Mismatch frequently causes plugin failures.
Drivers must be copied into:
PasswordManager\bin
The following components are required:
▢ CyberArk CPM
▢ .NET Framework 4.8
▢ Credentials Management .NET SDK
▢ Web Application CPM Plugin Framework
▢ Supported Browser
▢ Matching Browser Driver
If CPM hardening is enabled:
▢ US QWERTY keyboard must be first priority
▢ PluginManagerUser profile must exist
CyberArk recommends automating browser driver updates.
Benefits include:
▢ Reduced maintenance effort
▢ Automatic compatibility management
▢ Reduced plugin failures
▢ Faster browser support adoption
CyberArk provides a Generic Web App Platform through the Marketplace.
Step 1 – Download Framework
Download:
Web Application CPM Plugin Framework
from CyberArk Marketplace.
Step 2 – Import Platform
Navigate to:
PVWA → Administration → Platform Management
Click:
Import Platform
Import:
Plugin.WebApp.Import.Platform-vXX.X.X.X-Master.zip
Step 3 – Duplicate Platform
Create a new platform from Generic Web App.
Rename it appropriately.
Example:
CustomSalesPortal
HRWebApplication
CloudAdminPortal
URLs
Configure action-specific URLs.
▢ VerifyURL
▢ ChangeURL
▢ ReconcileURL
These URLs may contain placeholders.
Example:
https://portal.secappslearning.com/login
WebFormFieldsFile
Defines the automation logic file.
Example:
ElementsData.ini
Browser
Chrome
or
Edge
BrowserPath
Example:
C:\Program Files\Google\Chrome\Application\chrome.exe
CyberArk provides several tuning options.
▢ ActionTimeout
▢ PageLoadTimeout
▢ BrowserDriverCommandTimeout
▢ WaitForElementActionableTimeout
▢ WaitForElementIsNotVisibleTimeout
▢ WaitForiFrameLoadDelay
These parameters improve stability for slow applications.
In hardened environments, browsers require a user profile.
CyberArk provides:
CPM_Password_Manager_Services_LocalUser.psm1
Run:
Import-Module .\CPM_Password_Manager_Services_LocalUser.psm1
Execute
This creates a profile for:
PluginManagerUser
allowing browser execution.
In non-hardened environments:
▢ Create local user
▢ Grant CPM permissions
▢ Configure CPM service to run under new user
This is required because Microsoft restricts browser execution under certain system accounts.
WebFormFields are the heart of WebApp plugins.
They define browser actions using simple commands.
Instead of writing code:
driver.FindElement()
you simply configure:
username > {username}
password > {password}
login > (Button)
Input Command
Enter text into a field.
Example:
username > {username}
Button Command
Click a button.
Example:
login > (Button)
Validation Command
Verify successful login.
Example:
Dashboard > (Validation)
iFrame Command
Switch context into an iframe.
Example:
frame1 > (iFrame)
MainWindow Command
Return from the iframe to the main window.
Example:
(MainWindow)
Navigate Command
Navigate to another URL.
Example:
(Navigate=https://portal.company.com)
CyberArk documentation provides a Gmail example.
identifierId > {username}
identifierNext > (Button)
password > {password}
passwordNext > (Button)
gb > (Validation)
gbq1 > (Validation)
Workflow:
▢ Enter Username
▢ Click Next
▢ Enter Password
▢ Click Next
▢ Validate successful login
Many enterprise applications use iFrames.
Example:
gsft_main > (iframe)
user_name > {username}
user_password > {password}
sysverb_login > (Button)
(MainWindow)
Without iframe handling, plugins usually fail.
CyberArk WebApp Framework supports TOTP generation.
Example:
Run Generate_TOTP_MFA_Code
(MFADeviceSecret=SECRETKEY)
Use generated token:
mfa_code > &MFACode&
Supported secret formats:
▢ Base32
▢ Hex String
This is extremely useful for:
▢ Google Authenticator
▢ Microsoft Authenticator
▢ Custom TOTP Applications
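The following is an added example, not CyberArk's code or part of the original guide. It decodes a seed in either supported format, computes the code, and shows why clock drift between CPM and the target produces "Invalid MFA token". It assumes the standard RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits); the function names and the ±1 step acceptance window are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test key, in both formats the page lists.
B32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
HEX_SECRET = "3132333435363738393031323334353637383930"

def decode_secret(secret, fmt="base32"):
    """Decode a TOTP seed; raises ValueError if it is not valid for fmt."""
    s = secret.replace(" ", "").upper()
    if fmt == "hex":
        return bytes.fromhex(s)
    s += "=" * (-len(s) % 8)  # authenticator apps often drop '=' padding
    return base64.b32decode(s)  # rejects characters outside A-Z and 2-7

def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def accepted(key, code, server_time, window=1, step=30):
    """Would a server with this clock accept code, allowing +/- window steps?"""
    return any(
        hmac.compare_digest(totp(key, server_time + i * step, step), code)
        for i in range(-window, window + 1)
    )

if __name__ == "__main__":
    key = decode_secret(B32_SECRET)
    code = totp(key, 59)  # code generated while the CPM clock reads t=59
    # Target server 30 s ahead accepts it; 120 s ahead rejects it.
    print(code, accepted(key, code, 89), accepted(key, code, 179))
```

A seed that fails `decode_secret` was copied or stored in the wrong format. A seed that decodes but is rejected by the target points to time synchronization.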
Instead of generic errors, plugins can return meaningful messages.
Example:
Invalid Username > (Failure)
(Message="Invalid username or password")
Benefits:
▢ Faster troubleshooting
▢ Better CPM logs
▢ Easier support
WebFormFields support IF conditions.
Example:
if((Logout > (Condition)(Exists eq True)))
Logout > (Button)
end-if
This enables advanced workflows without coding.
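Because a WebFormFields file drives a privileged login, it is worth reviewing before import. The following is an added example, not CyberArk tooling or part of the original guide: a small pre-import check that understands only the command forms shown on this page. The sample file, the host name and the finding messages are constructed for illustration.

```python
import re

# Constructed sample in the syntax shown above (not a real plugin file).
SAMPLE = """\
(Navigate=http://portal.example.test/login)
gsft_main > (iframe)
user_name > {username}
user_password > {password}
sysverb_login > (Button)
(MainWindow)
Run Generate_TOTP_MFA_Code
(MFADeviceSecret=SECRETKEY)
mfa_code > &MFACode&
if((Logout > (Condition)(Exists eq True)))
Logout > (Button)
"""

def lint(text):
    """Return sorted (line_no, finding) tuples for a WebFormFields file."""
    findings, open_ifs = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        nav = re.match(r"\(Navigate=(.+)\)$", line, re.I)
        if nav and not nav.group(1).lower().startswith("https://"):
            findings.append((no, "Navigate target is not HTTPS"))
        if re.match(r"\(MFADeviceSecret=.+\)$", line, re.I):
            findings.append((no, "TOTP seed in file: restrict file access"))
        if re.match(r"if\s*\(", line, re.I):
            open_ifs.append(no)  # remember where the block opened
        elif line.lower() == "end-if":
            if open_ifs:
                open_ifs.pop()
            else:
                findings.append((no, "end-if without matching if"))
    findings += [(no, "if without end-if") for no in open_ifs]
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```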
Before importing into production, perform standalone testing.
CyberArk provides:
CANetPluginInvoker.exe
The user.ini file passed to it simulates CPM input.
Example:
[targetaccount]
username=Admin
password=Password123
newpassword=Password456
[extrainfo]
VerifyURL=https://portal.company.com
WebFormFieldsFile=ElementsData.ini
CANetPluginInvoker.exe user.ini verifypass CyberArk.Extensions.Plugin.WebApp.dll True
Available actions:
▢ verifypass
▢ changepass
▢ reconcilepass
CyberArk introduced:
EnableAdvancedDebugging=Yes
Benefits:
▢ Screenshot capture
▢ Step-by-step execution tracking
▢ Visual troubleshooting
▢ Faster plugin development
After debugging:
▢ Delete screenshot folders
▢ Remove sensitive images
CyberArk also supports databases through ODBC.
Supported use cases include:
▢ SQL Server
▢ Oracle
▢ MySQL
▢ PostgreSQL
▢ DB2
▢ Any ODBC-compliant database
CyberArk supports:
DSN Connection
Uses predefined ODBC DSN.
Example:
FinanceDB
DSN-Less Connection
Uses direct connection string.
Example:
Driver={SQL Server};
Server=%ADDRESS%;
Database=%DATABASE%;
Uid=%USER%;
Pwd=%LOGONPASSWORD%;
Example SQL Server Change Command:
sp_password "%OLDPASSWORD%", "%NEWPASSWORD%"
Variables available:
▢ %USER%
▢ %OLDPASSWORD%
▢ %NEWPASSWORD%
▢ %DATABASE%
▢ %LOGONPASSWORD%
Example:
sp_password
@new="%NEWPASSWORD%",
@loginame="%USER%"
Reconciliation is used when passwords become out-of-sync.
▢ Use HTTPS only
▢ Avoid HTTP applications
▢ Keep browsers updated
▢ Keep drivers updated
▢ Enable hardening
▢ Restrict local administrator access
▢ Protect plugin files
▢ Use dedicated service accounts
▢ Use IPSec between CPM and Database
▢ Restrict ODBC connectivity
▢ Limit reconciliation accounts
▢ Audit all password changes
Symptoms:
▢ Browser launches then closes
▢ Session creation failure
Solution:
▢ Match browser and driver versions.
Symptoms:
▢ Element not found
Solution:
▢ Validate ID
▢ Validate XPath
▢ Increase timeout values
Symptoms:
▢ Username field not found
Solution:
▢ Switch to correct iframe first.
Symptoms:
▢ Invalid MFA token
Solution:
▢ Verify Base32 secret
▢ Verify server time synchronization
Symptoms:
▢ Connection failed
Solution:
▢ Verify DSN
▢ Verify driver
▢ Verify firewall
▢ Verify database listener
For deeper understanding, explore:
▢ CyberArk CPM Password Management Complete Guide
▢ CyberArk CPM Plugins Complete Guide
▢ CyberArk CPM Plugin Development Using C# DLLs
▢ CyberArk PSM Session Management Guide
▢ CyberArk PSM for SSH Installation Guide
▢ CyberArk SIA vs PSM Complete Guide
▢ CyberArk Vault Components & PrivateArk Guide
▢ CyberArk Privilege Cloud (CPC)
CyberArk Web Application CPM Plugins have significantly simplified password management automation for web applications. By leveraging the WebApp Framework, Selenium-based browser automation, MFA support, conditional logic, and visual debugging, organizations can automate password rotation for virtually any web application without extensive coding.
Combined with ODBC database password management capabilities, CyberArk CPM provides a powerful framework for managing privileged credentials across modern web platforms, legacy applications, and enterprise databases while maintaining security, compliance, and operational efficiency.
Copyright 2022 SecApps Learning. All Rights Reserved