System Requirements for Verify Privilege Vault

This topic applies to Verify Privilege Vault On-Premise and Verify Privilege Vault Cloud.

Most of this topic applies to Verify Privilege Vault On-Premise, but the distributed engine requirements also apply to Verify Privilege Vault Cloud.

Please read the notes at the bottom of this article.

Minimum Requirements for Basic Deployments

Web Server Database Server
4 CPU Cores 4 CPU Cores
16 GB RAM 16 GB RAM
25 GB Disk Space 100+ GB Disk Space
Windows Server 2016-2022 Windows Server 2016-2022
IIS 7 or newer (64-bit applications only) SQL Server 2016-2022
.NET 4.8 or newer Collation SQL_Latin1_General_CP1_CI_AS on both SQL Server and the Verify Privilege Vault database.

Minimum Requirements for Advanced Deployments

For organizations deploying significant discovery, session recording, event pipelines, syslog, or many distributed engines:

Web Server Database Server
8 CPU Cores 8 CPU Cores
16 GB RAM 16 GB RAM
25 GB Disk Space 100+ GB Disk Space
Windows Server 2016-2022 Windows Server 2016-2022
IIS 8 or newer (64-bit applications only) SQL Server 2016-2022
.NET 4.8 or newer Collation SQL_Latin1_General_CP1_CI_AS on both SQL Server and the Verify Privilege Vault database.

Windows Server 2022 is supported by Verify Privilege Vault 11.0 or later. It may work with earlier versions, but that has not been officially confirmed.

Recommended Session Recording Requirements

Session Recording Requirements

See Basic Session Recording Requirements and Advanced Session Recording Requirements.

Distributed Engine and RabbitMQ Requirements

Distributed Engines RabbitMQ Messaging Server
4 CPU Cores 4 CPU Cores
4 GB RAM 4 GB RAM
25 GB Disk Space 40 GB Disk Space

For scalability and reliability, Delinea strongly recommends using RabbitMQ. MemoryMQ is an easier but less capable alternative and can be used for trials and proof of concepts but should not be used for production environments.

Further adjustments to system requirements for both RabbitMQ and distributed engines are at the discretion of IBM Security Professional Services engineers.

The latest Distributed Engine supported version is always the latest current version. Older versions can also be run if they are up to date or if the version used is just behind the latest. If there are breaking changes, an update will be forced.

For RabbitMQ, there is not an officially supported set of versions. Installation is only supported using the latest RabbitMQ Helper, which will install the latest versions. Any version of RabbitMQ available since the introduction of durable queues will work. If you wish to install an older version you can at your own discretion. Please note they might be prone to certain errors in functionality.

System Requirements for Virtual Machines and Processors

All cores are physical unless otherwise noted.

A vCPU is a virtualized CPU core assigned to a virtual machine (VM) from the physical CPUs available on the host server. The following are some key points. Please see What is a vCPU and How Do You Calculate vCPU to CPU? for details.

Key points:

  • vCPUs allow multiple VMs to share the physical CPU cores on a host through time-slicing and context switching.

  • The ratio of vCPUs to physical cores determines CPU oversubscription. An oversubscribed CPU is shared among too many vCPUs, leading to potential performance issues.

  • There is no fixed ratio for calculating optimal vCPU to physical core mapping. It depends on the specific workloads and resource demands of each VM.

  • Monitoring CPU utilization for the VMs and host is crucial to identify performance bottlenecks and adjust vCPU allocations accordingly.

  • Using too many vCPUs unnecessarily can increase licensing costs for some software that charges per vCPU.

  • It is important to understand application resource needs, monitoring performance metrics, and adjusting vCPU allocations to strike the right balance between oversubscription and performance for cost optimization.

Notes

This section contains caveats potentially having a significant effect on any installation.

  • For the highest scalability and reliability, IBM Security recommends using RabbitMQ. MemoryMQ is an easier but less capable alternative and can be used for trials and proof of concepts but should not be used for production environments. Two exceptions are very small deployments and customers that do not use open-source software for compliance reasons.

  • The use of Server Core for Verify Privilege Vault installations is not recommended; All QA and testing is based non-core versions of Windows Server.

  • To comply with Microsoft licensing requirements, there is an additional constraint on which Microsoft Windows Server version you can use as the RDS server for session connector.

    If you use Microsoft User Client Access Licenses (CALs), you cannot use Windows Server 2019. You must use Windows Server 2012 or 2016. If you use Microsoft Device CALs, you can use any supported version of Windows Server.

  • Verify Privilege Vault requires that Microsoft SQL Server and its database be set to the collation SQL_Latin1_General_CP1_CI_AS. See Microsoft SQL collation requirements and check your server collation settings before upgrading.

  • System Requirements apply to both physical and virtual machines.

  • For best performance, we recommend using dedicated (clean) servers for hosting IBM Security products.

  • If .NET or IIS features are not already installed on the web server, the IBM Security Installer will add and configure them automatically.

  • If SQL is not already installed on a database server, the IBM Security installer can setup SQL Express on the web server; however, SQL Express is intended for trials and sandbox environments only. IBM Security does not support it because of performance issues due to the memory and product limitations.

  • A link to Microsoft documentation on the use and limitations of SQL Express can be found at: https://docs.microsoft.com/en-us/sql/sql-server/editions-and-components-of-sql-server-2017.

  • Installing Verify Privilege Vault with Azure SQL: Currently, we do not recommend using Verify Privilege Vault with Azure SQL when the Web host and the Azure SQL instance are in different datacenters. According to Microsoft, applications, such as Verify Privilege Vault, that use frequent, high-volume, ad hoc queries use substantial response time on network communication between the application and Azure SQL database tiers. Thus, network latency with many data access operations across datacenters can become an issue.

  • Unsupported Web Servers: Small Business Server (SBS), The Essentials Edition, Any client OS, domain controllers, SharePoint servers.

  • Verify Privilege Vault Cloud requires an on-premise machine to use a distributed engine.

  • SQL launchers do not support SSMS 18.0 or higher.

  • Discovery scanning for Windows Server 2016 scheduled tasks requires that either the Verify Privilege Vault node or the distributed engine that is executing the scan must run on Windows Server 2016 or later. This is due to changes in Windows Server 2016 API used for scheduled task dependency scans.

  • AWS RDS: Currently, we do not recommend using Verify Privilege Vault with AWS Relational Database Service when the Web host and the SQL instance are in different datacenters. Applications, such as Verify Privilege Vault, that use frequent, high-volume, ad hoc queries depend on fast network communication response time between the application and SQL database. Thus, network latency with many data access operations across datacenters can become an issue.

  • Verify Privilege Vault requires the application pool to have the "load user profile" setting enabled. Verify Privilege Vault will report a critical alert to notify admins if this setting is not enabled.

  • Supported Web browsers: See Verify Privilege Vault Major Browser Support .