Multi-tier architecture

The structure of Password Safe v8 is based on the principle of multi-tier architecture. This multi-layered design of the individual software components provides the basis for a well thought-out and ground-breaking security concept. The three separately acting layers can each be scaled as needed. As a result, Password Safe v8 can also be used efficiently in companies with very large number of users and sites around the world. If the “end-to-end” encryption is used, data can be encrypted or decrypted also on the clients. This ensures that unencrypted passwords will never exist on the database server or the application server. The “private and public key method” ensures that the private key is always only available to the user. The application server only knows the value of the public key and is thus unable to see the value of the password.

Password Safe version 8 can be set up on small to global system landscapes. Any number of clients, application servers and database servers can be connected within the multi-tier architecture. The use of a fail-safe cluster is recommended for databases in a production system. Microsoft SQL Server can replicate the data to a different data centre, e.g. via WAN. We also recommend providing a separate Windows server in each case.

System landscape

The following overview presents a classic Password Safe system landscape. Version 8 allows use of several database servers across all sites. These are then synchronized with one another using Microsoft standard applications. Any number of application servers can be made available for the client connection. This ensures load distribution, and allows work without significant latency. This technology offers enormous performance advantages, particularly in the case of installations that are spread across worldwide locations.

Client (presentation layer)

The client layer handles the representation of all data and functions, which are provided by the application server.

Application server (business logic)

The application server is entirely responsible for the control of the business logic. This server only ever delivers the data for which the corresponding permissions are available. The multi-tier architecture described at the beginning allows the use of several application servers and ensures efficient load distribution.

Database server (data storage)

Password Safe version 8 uses Microsoft SQL Server to store data due to its widespread use, and its ability to ensure high-performance access even in large and geographically scattered environments. Smaller installations may also use the free SQL Express version.

At least three servers are thus recommended:

  • Database server (MSSQL)
  • Application server (Password Safe services)
  • Web server (IIS)


  • Port 1433 TCP for communication with application server (incoming)


  • Port 443 HTTPS for connection to MATESO license server (outgoing)
  • Port 11011 TCP for communication with clients or web server IIS (incoming)
  • Port 11014 TCP for the backup service (usually does not need to be unlocked)
  • Port 11016 TCP for the Web services (incoming; only when using the WebClient)
  • Port 11018 TCP for real-time update (incoming)
  • Port 1433 TCP for communication with SQL Server (outgoing)


  • Port 11011 TCP for communication with the application server (outgoing)
  • Port 52120 TCP with the add-on (outgoing)


  • Port 443 HTTPS zum Ansprechen des Webservers vom Client (eingehend)
  • Port 11016 zur Kommunikation mit dem Anwendungsserver (ausgehend)
  • Port 11018 für die Echtzeitaktualisierung (ausgehend)

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.