CA Privileged Access Manager - 2.8
Reference
Date: 17-Feb-2017
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.
17-Feb-2017 3/373
Table of Contents
Reference 4
AWS API Proxy Access Credentials Add Target Account CLI Parameters ........................................ 25
Attribute.extensionType ............................................................................................................. 26
Cisco Target Connector ............................................................................................................................ 26
Cisco CLI Example .............................................................................................................................. 26
Cisco Add Target Application CLI Parameters .................................................................................... 26
TargetApplication.type ............................................................................................................... 26
Attribute.sshPort ......................................................................................................................... 26
Attribute.sshSessionTimeout ..................................................................................................... 27
Attribute.sshStrictHostKeyCheckingEnabled ............................................................................. 27
Attribute.sshKnownHostKey ....................................................................................................... 27
Attribute.sshKnownHostKeyFingerprint ..................................................................................... 27
Attribute.sshUseDefaultCiphers ................................................................................................. 27
Attribute.sshServerToClientCiphersList ..................................................................................... 28
Attribute.sshClientToServerCiphersList ..................................................................................... 28
Attribute.sshDetectCiphersList ................................................................................................... 28
Attribute.sshUseDefaultHashes ................................................................................................. 28
Attribute.sshServerToClientHashesList ..................................................................................... 28
Attribute.sshClientToServerHashesList ..................................................................................... 29
Attribute.sshUseDefaultKeyExchangeAlgorithms ...................................................................... 29
Attribute.sshKeyExchangeAlgorithmsList .................................................................................. 29
Attribute.sshUseDefaultCompressionAlgorithms ....................................................................... 29
Attribute.sshServerToClientCompressionAlgorithmsList ........................................................... 29
Attribute.sshClientToServerCompressionAlgorithmsList ........................................................... 30
Attribute.sshUseDefaultServerHostKeyAlgorithms .................................................................... 30
Attribute.sshServerHostKeyAlgorithmsList ................................................................................ 30
Attribute.telnetSessionTimeout .................................................................................................. 30
Attribute.telnetPort ..................................................................................................................... 31
Attribute.ciscoVariant ................................................................................................................. 31
Attribute.scriptTimeout ............................................................................................................... 31
Attribute.useUpdateScriptType .................................................................................................. 31
Attribute.revisedUpdateScriptFilename ...................................................................................... 31
Attribute.useVerifyScriptType ..................................................................................................... 31
Attribute.revisedVerifyScriptFilename ........................................................................................ 32
Attribute.userNameEntryPrompt ................................................................................................ 32
Attribute.passwordEntryPrompt ................................................................................................. 32
Attribute.passwordConfirmationPrompt ..................................................................................... 32
Attribute.passwordChangePrompt ............................................................................................. 32
Cisco Add Target Account CLI Parameters ........................................................................................ 33
Attribute.useOtherAccountToChangePassword ........................................................................ 33
Attribute.otherAccount ................................................................................................................ 33
Attribute.protocol ........................................................................................................................ 33
Attribute.pwType ........................................................................................................................ 33
Attribute.useOtherPrivilegedAccount ......................................................................................... 33
Attribute.otherPrivilegedAccount ................................................................................................ 34
Attribute.changeAuxLoginPassword .......................................................................................... 34
Attribute.changeConsoleLoginPassword ................................................................................... 34
Attribute.changeVtyLoginPassword ........................................................................................... 34
Attribute.numVTYPorts .............................................................................................................. 34
Juniper Junos Target Connector ............................................................................................................... 34
Junos CLI Example ............................................................................................................................. 34
Junos Add Target Application CLI Parameters ................................................................................... 35
TargetApplication.type ............................................................................................................... 35
Attribute.extensionType ............................................................................................................. 35
Attribute.sshPort ......................................................................................................................... 35
Attribute.connectTimeout ........................................................................................................... 35
Attribute.readTimeout ................................................................................................................. 35
Junos Add Target Account CLI Parameters ........................................................................................ 36
Attribute.extensionType ............................................................................................................. 36
Attribute.useOtherAccountToChangePassword ........................................................................ 36
Attribute.otherAccount ................................................................................................................ 36
LDAP Target Connector ............................................................................................................................ 36
Add LDAP Target Application GUI Details .......................................................................................... 36
Add LDAP Target Account GUI Details ............................................................................................... 37
LDAP CLI Example ............................................................................................................................. 38
LDAP Add Target Application CLI Parameters ................................................................................... 38
TargetApplication.type ............................................................................................................... 38
Attribute.port ............................................................................................................................... 38
Attribute.protocol ........................................................................................................................ 38
Attribute.sslCertificate ................................................................................................................ 38
Attribute.ldapConnectTimeout .................................................................................................... 39
Attribute.ldapReadTimeout ........................................................................................................ 39
LDAP Add Target Account CLI Parameters ........................................................................................ 39
Attribute.useOtherAccountToChangePassword ........................................................................ 39
Attribute.otherAccount ................................................................................................................ 39
Attribute.userDN ......................................................................................................................... 39
MSSQL Target Connector ......................................................................................................................... 40
MSSQL CLI Example .......................................................................................................................... 40
MSSQL Add Target Application CLI Parameters ................................................................................ 40
TargetApplication.type ............................................................................................................... 40
Attribute.extensionType ............................................................................................................. 40
Attribute.sslEnabled ................................................................................................................... 40
Attribute.port ............................................................................................................................... 41
Attribute.instance ....................................................................................................................... 41
MSSQL Add Target Account CLI Parameters ..................................................................................... 41
Attribute.useOtherAccountToChangePassword ........................................................................ 41
Attribute.otherAccount ................................................................................................................ 41
MYSQL Target Connector ......................................................................................................................... 41
MYSQL CLI Example .......................................................................................................................... 42
MYSQL Add Target Application CLI Parameters ................................................................................ 42
TargetApplication.type ............................................................................................................... 42
Attribute.port ............................................................................................................................... 42
MYSQL Add Target Account CLI Parameters ..................................................................................... 42
Attribute.schema ........................................................................................................................ 42
Attribute.useOtherAccountToChangePassword ........................................................................ 42
Attribute.otherAccount ................................................................................................................ 43
Attribute.hostNameQualifier ....................................................................................................... 43
Oracle Target Connector ........................................................................................................................... 43
Oracle CLI Example ............................................................................................................................ 43
Oracle Add Target Application CLI Parameters .................................................................................. 43
TargetApplication.type ............................................................................................................... 44
Attribute.extensionType ............................................................................................................. 44
Attribute.port ............................................................................................................................... 44
Attribute.sslEnabled ................................................................................................................... 44
Attribute.sslCertificate ................................................................................................................ 44
Oracle Add Target Account CLI Parameters ....................................................................................... 44
Attribute.schema ........................................................................................................................ 44
Attribute.useOtherAccountToChangePassword ........................................................................ 45
Attribute.otherAccount ................................................................................................................ 45
Attribute.racService .................................................................................................................... 45
Attribute.sysdbaAccount ............................................................................................................ 45
Attribute.replaceSyntax .............................................................................................................. 45
Palo Alto Target Connector ....................................................................................................................... 45
Palo Alto CLI Example ........................................................................................................................ 46
Palo Alto Add Target Application CLI Parameters .............................................................................. 46
TargetApplication.type ............................................................................................................... 46
Attribute.sshPort ......................................................................................................................... 46
Attribute.sshSessionTimeout ..................................................................................................... 46
Attribute.useUpdateScriptType .................................................................................................. 47
Attribute.revisedUpdateScriptFilename ...................................................................................... 47
Attribute.useVerifyScriptType ..................................................................................................... 47
Attribute.revisedVerifyScriptFilename ........................................................................................ 47
Attribute.userNameEntryPrompt ................................................................................................ 47
Attribute.passwordEntryPrompt ................................................................................................. 47
Attribute.passwordConfirmationPrompt ..................................................................................... 48
Attribute.passwordChangePrompt ............................................................................................. 48
Palo Alto Add Target Account CLI Parameters ................................................................................... 48
Attribute.useOtherAccountToChangePassword ........................................................................ 48
Attribute.otherAccount ................................................................................................................ 48
Attribute.protocol ........................................................................................................................ 48
Attribute.pwType ........................................................................................................................ 49
Attribute.useOtherPrivilegedAccount ......................................................................................... 49
Attribute.otherPrivilegedAccount ................................................................................................ 49
Attribute.changeAuxLoginPassword .......................................................................................... 49
Attribute.changeConsoleLoginPassword ................................................................................... 49
Attribute.changeVtyLoginPassword ........................................................................................... 49
Attribute.numVTYPorts .............................................................................................................. 49
SPML Target Connector ............................................................................................................................ 50
SPML CLI Example ............................................................................................................................. 50
SPML Add Target Application CLI Parameters ................................................................................... 50
TargetApplication.type ............................................................................................................... 50
Attribute.extensionType ............................................................................................................. 50
Attribute.port ............................................................................................................................... 50
Attribute.path .............................................................................................................................. 50
Attribute.protocol ........................................................................................................................ 51
Attribute.sslCertificate ................................................................................................................ 51
SPML Add Target Account CLI Parameters ....................................................................................... 51
Attribute.extensionType ............................................................................................................. 51
Attribute.useOtherAccountToChangePassword ........................................................................ 51
Attribute.otherAccount ................................................................................................................ 51
UNIX Target Connector ............................................................................................................................. 52
UNIX CLI Example .............................................................................................................................. 52
UNIX Add Target Application CLI Parameters .................................................................................... 52
TargetApplication.type ............................................................................................................... 52
Attribute.sshPort ......................................................................................................................... 52
Attribute.sshSessionTimeout ..................................................................................................... 52
Attribute.sshKeyPairPolicyID ..................................................................................................... 53
Attribute.sshStrictHostKeyCheckingEnabled ............................................................................. 53
Attribute.sshKnownHostKey ....................................................................................................... 53
Attribute.sshKnownHostKeyFingerprint ..................................................................................... 53
Attribute.sshUseDefaultCiphers ................................................................................................. 53
Attribute.sshServerToClientCiphersList ..................................................................................... 54
Attribute.sshClientToServerCiphersList ..................................................................................... 54
Attribute.sshDetectCiphersList ................................................................................................... 54
Attribute.sshUseDefaultHashes ................................................................................................. 54
Attribute.sshServerToClientHashesList ..................................................................................... 54
Attribute.sshClientToServerHashesList ..................................................................................... 55
Attribute.sshUseDefaultKeyExchangeAlgorithms ...................................................................... 55
Attribute.sshKeyExchangeAlgorithmsList .................................................................................. 55
Attribute.sshUseDefaultCompressionAlgorithms ....................................................................... 55
Attribute.sshServerToClientCompressionAlgorithmsList ........................................................... 55
Attribute.sshClientToServerCompressionAlgorithmsList ........................................................... 56
Attribute.sshUseDefaultServerHostKeyAlgorithms .................................................................... 56
Attribute.sshServerHostKeyAlgorithmsList ................................................................................ 56
Attribute.telnetSessionTimeout .................................................................................................. 56
Attribute.telnetPort ..................................................................................................................... 57
Attribute.scriptTimeout ............................................................................................................... 57
Attribute.unixVariant ................................................................................................................... 57
Attribute.useUpdateScriptType .................................................................................................. 57
Attribute.revisedUpdateScriptFilename ...................................................................................... 57
Attribute.useVerifyScriptType ..................................................................................................... 57
Attribute.revisedVerifyScriptFilename ........................................................................................ 58
Attribute.userNameEntryPrompt ................................................................................................ 58
Attribute.passwordEntryPrompt ................................................................................................. 58
Attribute.passwordConfirmationPrompt ..................................................................................... 58
Attribute.passwordChangePrompt ............................................................................................. 58
Attribute.changePasswordCommand ......................................................................................... 58
Attribute.elevatePrivilegeCommand ........................................................................................... 59
Attribute.substituteUserCommand ............................................................................................. 59
Attribute.echoCommand ............................................................................................................ 59
Attribute.patternMatchingCommand .......................................................................................... 59
Attribute.policyManagementCommand ...................................................................................... 59
Attribute.whoAmICommand ....................................................................................................... 59
Attribute.changeFilePermissionsCommand ............................................................................... 60
UNIX Add Target Account CLI Parameters ......................................................................................... 60
Attribute.useOtherAccountToChangePassword ........................................................................ 60
Attribute.otherAccount ................................................................................................................ 60
Attribute.verifyThroughOtherAccount ......................................................................................... 60
Attribute.passwordChangeMethod ............................................................................................. 60
Attribute.protocol ........................................................................................................................ 61
Attribute.passphrase .................................................................................................................. 61
Attribute.publicKey ..................................................................................................................... 61
Attribute.keyOptions ................................................................................................................... 61
VMWare ESX/ESXi Target Connector ...................................................................................................... 61
VMWARE ESX/ESXi CLI Example ..................................................................................................... 62
VMWARE ESX/ESXi Add Target Application CLI Parameters ........................................................... 62
TargetApplication.type ............................................................................................................... 62
Attribute.extensionType ............................................................................................................. 62
Attribute.sslPort .......................................................................................................................... 62
VMWARE ESX/ESXi Add Target Account CLI Parameters ................................................................ 62
Attribute.extensionType ............................................................................................................. 62
Attribute.useOtherAccountToChangePassword ........................................................................ 63
Attribute.otherAccount ................................................................................................................ 63
VMWare NSX Controller Target Connector .............................................................................................. 63
VMWARE NSX Controller CLI Example .............................................................................................. 63
VMWARE NSX Controller Add Target Application CLI Parameters .................................................... 63
Attribute.sshPort ......................................................................................................................... 64
Attribute.sshSessionTimeout ..................................................................................................... 64
Attribute.scriptTimeout ............................................................................................................... 64
VMWARE NSX Controller Add Target Account CLI Parameters ........................................................ 64
VMWare NSX Manager Target Connector ................................................................................................ 64
VMWARE NSX Manager CLI Example ............................................................................................... 64
VMWARE NSX Manager Add Target Application CLI Parameters ..................................................... 65
TargetApplication.type ............................................................................................................... 65
Attribute.sshPort ......................................................................................................................... 65
Attribute.sshSessionTimeout ..................................................................................................... 65
Attribute.scriptTimeout ............................................................................................................... 65
VMWARE NSX Manager Add Target Account CLI Parameters .......................................................... 65
VMWare NSX Proxy Target Connector ..................................................................................................... 65
VMWARE NSX Proxy CLI Example .................................................................................................... 66
VMWARE NSX Proxy Add Target Application CLI Parameters .......................................................... 66
VMWARE NSX Proxy Add Target Account CLI Parameters ............................................................... 66
WebLogic Target Connector ..................................................................................................................... 66
WebLogic CLI Example ....................................................................................................................... 66
WebLogic Add Target Application CLI Parameters ............................................................................. 66
TargetApplication.type ............................................................................................................... 66
Attribute.extensionType ............................................................................................................. 67
Attribute.port ............................................................................................................................... 67
WebLogic Add Target Account CLI Parameters ................................................................................. 67
Attribute.extensionType ............................................................................................................. 67
Attribute.realm ............................................................................................................................ 67
Attribute.useOtherAccountToChangePassword ........................................................................ 67
Attribute.otherAccount ................................................................................................................ 67
Windows Domain Services Target Connector ........................................................................................... 68
Windows Domain Services CLI Example ............................................................................................ 68
Windows Domain Services Add Target Application CLI Parameters .................................................. 68
TargetApplication.type ............................................................................................................... 69
Attribute.disableAutoConnectTargetAccount ............................................................................. 69
Attribute.domainName ............................................................................................................... 69
Attribute.useDNS ....................................................................................................................... 69
Attribute.dnsServer .................................................................................................................... 69
Attribute.dcPort .......................................................................................................................... 70
Attribute.adSite ........................................................................................................................... 70
Windows Domain Services Add Target Account CLI Parameters ....................................................... 70
Attribute.extensionType ............................................................................................................. 70
Attribute.userDN ......................................................................................................................... 70
Attribute.useOtherAccountToChangePassword ........................................................................ 71
Attribute.otherAccount ................................................................................................................ 71
Attribute.serviceInfo ................................................................................................................... 71
Attribute.tasks ............................................................................................................................ 71
Windows Proxy Target Connector ............................................................................................................. 72
Windows Proxy CLI Example .............................................................................................................. 73
Windows Proxy Add Target Application CLI Parameters .................................................................... 73
Attribute.extensionType ............................................................................................................. 73
Attribute.agentId ......................................................................................................................... 73
Attribute.accountType ................................................................................................................ 73
Attribute.domainName ............................................................................................................... 73
Attribute.domain ......................................................................................................................... 74
Attribute.useDNS ....................................................................................................................... 74
Attribute.dnsServer .................................................................................................................... 74
Attribute.specifiedServersList ..................................................................................................... 74
Attribute.adSite ........................................................................................................................... 75
Windows Proxy Add Target Account CLI Parameters ......................................................................... 75
Attribute.extensionType ............................................................................................................. 75
Attribute.useOtherAccountToChangePassword ........................................................................ 75
Attribute.otherAccount ................................................................................................................ 75
Attribute.serviceInfo ................................................................................................................... 75
Attribute.tasks ............................................................................................................................ 76
Attribute.forcePasswordChange ................................................................................................ 76
CA Privileged Access Manager API Key Target Connector ...................................................................... 76
CSV File Types ......................................................................................................................................... 81
Services ............................................................................................................................................... 81
Roles ................................................................................................................................................... 83
User Groups and Users ...................................................................................................................... 84
Device Groups and Devices ................................................................................................................ 86
Command Filter Lists .......................................................................................................................... 90
Socket Filter Lists ................................................................................................................................ 91
Policy ................................................................................................................................................... 92
Import Users and User Groups ......................................................................................................... 122
Device Groups and Devices .................................................................................................................... 122
Command Filter Lists .............................................................................................................................. 127
Socket Filter Lists .................................................................................................................................... 128
Policy ....................................................................................................................................................... 128
33xxx - CA Threat Analytics Related Messages ............................................................................... 189
Credential Manager Error Messages ...................................................................................................... 189
Log Formats ...................................................................................................................................... 189
Metric Log Entries .................................................................................................................... 189
Audit Log Entries ...................................................................................................................... 190
Message Lists ................................................................................................................................... 192
Message Codes Listed in Documentation ................................................................................ 192
Message Code List Available from Server ............................................................................... 192
Credential Manager Error Codes and Messages .............................................................................. 193
Message Headers .................................................................................................................... 193
Error Codes and Associated Messages ................................................................................... 193
CA-PAM Series Messages ...................................................................................................................... 251
General Messages ............................................................................................................................ 251
Account Discovery (AD) Messages ................................................................................................... 252
Device Discovery (DD) Messages .................................................................................................... 252
Key Discovery (KD) Messages ......................................................................................................... 252
REST (RST) Messages ..................................................................................................................... 253
Scanning (SC) Messages ................................................................................................................. 254
Scheduling (SH) Messages ............................................................................................................... 255
Syslog Messages .................................................................................................................................... 256
Configuration Messages ................................................................................................................... 256
Cluster Messages .............................................................................................................................. 258
User Messages ................................................................................................................................. 258
User Group Messages ...................................................................................................................... 259
Device Messages .............................................................................................................................. 260
Service Messages ............................................................................................................................. 261
Policy Messages ............................................................................................................................... 261
Command Filter Messages ............................................................................................................... 262
Socket Filter Messages ..................................................................................................................... 262
Login Connection Messages ............................................................................................................. 262
Device Connection Messages ........................................................................................................... 262
Violation Messages ........................................................................................................................... 263
Connection Timeout Messages ......................................................................................................... 264
Global Settings Messages ................................................................................................................. 264
Session Manager Messages ............................................................................................................. 264
Examples of Syslog Messages ............................................................................................................... 265
Web GUI .................................................................................................. 269
Toolbar .................................................................................................................................................... 269
Admin ................................................................................................................................................ 270
Admin Button ............................................................................................................................ 270
Admin View Window Fields ...................................................................................................... 271
My Info .............................................................................................................................................. 271
Account Information Fields ....................................................................................................... 271
Contact Information Fields ....................................................................................................... 272
System Info ....................................................................................................................................... 273
Sys Info Link ............................................................................................................................. 273
Config ................................................................................................................................................ 273
3rd Party ................................................................................................................................... 274
Certificate Info .......................................................................................................................... 286
Database .................................................................................................................................. 286
Date and Time .......................................................................................................................... 288
Diagnostics ............................................................................................................................... 290
Licensing .................................................................................................................................. 293
Logs ......................................................................................................................................... 294
Monitor ..................................................................................................................................... 297
Network .................................................................................................................................... 298
Security .................................................................................................................................... 298
SNMP ....................................................................................................................................... 306
SSL VPN .................................................................................................................................. 307
Synchronization ........................................................................................................................ 307
Menu Bar ................................................................................................................................................. 310
Menu Bar Components ..................................................................................................................... 310
Global Settings Menu Bar Reference ................................................................................................ 310
Basic Settings .......................................................................................................................... 311
Passwords ................................................................................................................................ 313
Accounts .................................................................................................................................. 314
Access Methods ....................................................................................................................... 314
Warnings .................................................................................................................................. 315
Applet Customization ............................................................................................................... 315
Configure Terminal Settings ..................................................................................................... 315
Branding ................................................................................................................................... 317
Update /Revert Logo Window .................................................................................................. 317
Sessions Menu Bar Reference ......................................................................................................... 318
Manage Sessions ..................................................................................................................... 318
Services Menu Bar Reference .......................................................................................................... 318
Services ................................................................................................................................... 318
Users Menu Bar Reference ............................................................................................................... 322
Manage Users Dialog ............................................................................................................... 322
Manage Groups Dialog ............................................................................................................ 326
Devices Menu Bar Reference ........................................................................................................... 328
Create Device .......................................................................................................................... 328
Manage Groups ....................................................................................................................... 330
Policy Menu Bar and Dialogs Reference .......................................................................................... 332
Manage Policies ....................................................................................................................... 332
Manage Passwords .................................................................................................................. 340
Import and Export Policy .......................................................................................................... 370
Import and Export Socket Filter Lists ....................................................................................... 372
CA Privileged Access Manager - 2.8
Reference
CA Privileged Access Manager Client Reference (see page 18)
Credential Manager Target Connector Settings (see page 21)
Communication Settings (see page 77)
CSVs for Import and Export (see page 79)
Data Formats (see page 94)
Default Settings (see page 97)
Import Export Provisioning (see page 114)
Messages and Log Formats (see page 131)
Credential Manager Terms and Concepts (see page 266)
Web GUI (see page 269)
17-Feb-2017 17/373
Installer
Run the installer file to provide a CA PAM Client instance on your workstation.
Download Buttons
From your client workstation, download an installer from the CA Privileged Access Manager login
page. Point to CA Privileged Access Manager from an approved browser, and from the GUI login
page, select either:
Download CA Privileged Access Manager Client – Click to download the client. CA Privileged
Access Manager will autoselect the correct OS version.
[Down arrow] – Click to open a drop-down menu and select the client version for one of four OS types.
The applicable OS releases for each version are identified in CA Privileged Access Manager
Release Notes.
Installer Program
Run the installer file to open its InstallAnywhere wizard.
Set the installation parameters according to its interface. Note the following:
License Agreement – The acceptance button is activated only after you scroll the license text to
the bottom of the panel.
Run – The contents are extracted to a temporary location only and executed from there.
Installing... – You cannot click Previous after the software starts installation or has completed it.
Client
Run the CA PAM Client program to access the following interfaces.
Client window
From the client window, you can:
Sequence to the connection screen, to the login screen, to the console screen or browser window
Open the Configuration Settings window, or the About window, or (through the connection
screen or console screen) the browser window
Connection screen
Upon client startup, the connection screen appears in the client window.
Client settings:
[Gear] – Opens the Configuration Settings window, with setting controls for the following:
General - (1) Set client memory size; and/or (2) Apply Restore security prompts, which
reverses a previous Ignore host mismatch for this address selection made in a Verify
Certificate pop-up window during CA Privileged Access Manager connection.
[Question mark] – opens the About CA Privileged Access Manager window, which has
information about the client release level.
Connection parameters:
Address
Connect Mode
WEB - Checks for client updates, and processes an update when found. Opens a connection to
the CA Privileged Access Manager server, opens the CA Privileged Access Manager Client
browser window to the CA PAM UI, and closes the console.
CONNECT - Checks for client updates, and processes an update when found. Opens a
connection to CA Privileged Access Manager server, and maintains a status connection
window. Optionally, the CA Privileged Access Manager Client browser window can be opened
from the status window.
Login screen
The login screen appears in the client window, with fields corresponding to those in the traditional
CA PAM GUI:
User
Password
Authentication Type
Upon login you are first presented with either the console window or browser window, depending on
your earlier Connect Mode choice.
Console screen
Upon establishing a connection using CONNECT, the console screen takes the place of the login
screen. This screen displays connection statistics, and allows you to launch the browser or log off.
Browser window
A CA PAM Client browser window appears upon either:
This window displays the traditional GUI, and its features operate in the same way. When you log off
the GUI from the browser window, you are returned to the login screen.
TargetApplication.type
The target application connector type.
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.
Attribute.otherAccount
Specifies which other account to use to perform password change requests.
TargetApplication.type
The target application connector type.
Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: AwsAccessCredentials
Attribute.awsCredentialType
The AWS access credential type.
Attribute.passphrase
The EC2 key passphrase.
Attribute.awsKeyPairName
The EC2 key pair name.
Attribute.accountFriendlyName
The access key user friendly name.
Attribute.awsAccessRole
The user defined AWS access role.
Attribute.awsCloudType
The AWS cloud environment type.
TargetApplication.type
The target application connector type.
Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: AwsApiProxyCredentials
Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: AwsProxyCredentials
TargetApplication.type
The target application connector type.
Attribute.sshPort
The port used to connect to the UNIX host using SSH.
Attribute.sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that
Credential Manager should wait for the remote host to respond.
Attribute.sshStrictHostKeyCheckingEnabled
Enables or disables strict host key checking. When enabled, Credential Manager compares the public
key received from the remote host when making a connection to the public key stored in the
sshKnownHostKey attribute. If the keys do not match, the connection attempt is canceled.
Attribute.sshKnownHostKey
Contains the base-64 encoded public host key associated with the target server.
Attribute.sshKnownHostKeyFingerprint
Contains the fingerprint of the public host key contained in the sshKnownHostKey attribute. The
fingerprint is used for display purposes only to allow the user to easily compare one key with
another. The fingerprint specified must correspond to the specified public host key.
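The following is an added illustration of the pinning logic these three attributes describe; it is not CA PAM or Credential Manager code. It assumes the attribute holds the bare base-64 key blob (the second field of an OpenSSH public-key line); the blob layout and the SHA256/MD5 fingerprint formats are the standard SSH/OpenSSH ones, and the sample keys are constructed patterns, not real server keys.

```python
"""Host key pinning in the style of sshStrictHostKeyCheckingEnabled,
sshKnownHostKey and sshKnownHostKeyFingerprint. Added example, not CA PAM
code. Assumes the stored key is a bare base-64 blob (an OpenSSH
'type base64 comment' line is also tolerated). Sample keys are constructed."""
import base64
import hashlib
import hmac
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH public key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH public key blob")
    return blob[start:end], end


def _decode(key_text):
    """Decode the stored key, tolerating an OpenSSH 'type base64 comment' line."""
    parts = key_text.split()
    if not parts:
        raise ValueError("empty host key")
    b64 = parts[1] if len(parts) >= 2 else parts[0]
    return base64.b64decode(b64, validate=True)


def key_type(key_b64):
    """Algorithm name embedded in the blob, e.g. 'ssh-ed25519' or 'ssh-rsa'."""
    name, _ = _read_string(_decode(key_b64), 0)
    return name.decode("ascii")


def sha256_fingerprint(key_b64):
    """OpenSSH default fingerprint: 'SHA256:' + unpadded base-64 of the digest."""
    digest = hashlib.sha256(_decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(key_b64):
    """Legacy colon-separated hex MD5 fingerprint, still shown by older tools."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(_decode(key_b64)).digest())


def fingerprint_matches_key(key_b64, fingerprint):
    """The consistency rule stated for sshKnownHostKeyFingerprint: the
    configured fingerprint must correspond to the configured public host key.
    Accepts either fingerprint format; the comparison is constant-time."""
    fp = fingerprint.strip()
    if fp.startswith("SHA256:"):
        expected = sha256_fingerprint(key_b64)
    else:
        expected = md5_fingerprint(key_b64)
        fp = fp.lower()
        if fp.startswith("md5:"):
            fp = fp[4:]
    return hmac.compare_digest(expected.encode("ascii"), fp.encode("ascii"))


def strict_host_key_check(received_key_b64, known_key_b64, strict_enabled=True):
    """Decision described for sshStrictHostKeyCheckingEnabled: when enabled,
    a received host key that differs from sshKnownHostKey cancels the
    connection. Returns (accept, reason) so the caller can log the reason."""
    if not strict_enabled:
        return True, "strict host key checking disabled; host key not verified"
    received, known = _decode(received_key_b64), _decode(known_key_b64)
    if hmac.compare_digest(received, known):
        return True, "host key matches sshKnownHostKey"
    return False, "host key mismatch: expected %s, received %s" % (
        sha256_fingerprint(known_key_b64), sha256_fingerprint(received_key_b64))


def _ed25519_blob(raw32):
    """Build an ssh-ed25519 public key blob: string 'ssh-ed25519', string key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return s(b"ssh-ed25519") + s(raw32)


# Constructed sample keys (patterned bytes, not real server keys).
KNOWN_HOST_KEY = base64.b64encode(_ed25519_blob(bytes(range(32)))).decode("ascii")
ROGUE_HOST_KEY = base64.b64encode(_ed25519_blob(bytes(range(32, 64)))).decode("ascii")

if __name__ == "__main__":
    print(key_type(KNOWN_HOST_KEY), sha256_fingerprint(KNOWN_HOST_KEY))
    print(strict_host_key_check(KNOWN_HOST_KEY, KNOWN_HOST_KEY))
    print(strict_host_key_check(ROGUE_HOST_KEY, KNOWN_HOST_KEY))
```

Running fingerprint_matches_key against the configured pair before saving the target application catches a fingerprint that was pasted from a different host than the key.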
Attribute.sshUseDefaultCiphers
Specifies whether the default ciphers should be used when Credential Manager makes an SSH
connection to the remote host.
Attribute.sshServerToClientCiphersList
Specifies the list of ciphers to accept on the inbound data stream from the remote host. Ciphers are
listed in order of priority.
Attribute.sshClientToServerCiphersList
Specifies the list of ciphers to use on the outbound data stream to the remote host. Ciphers are listed
in order of priority.
Attribute.sshDetectCiphersList
Specifies the list of ciphers to detect when connecting to the remote host. Credential Manager does
not attempt to use ciphers that are unavailable even if they are specified to use as inbound and/or
outbound ciphers. Ciphers are listed in order of priority.
Attribute.sshUseDefaultHashes
Specifies whether the default hashes should be used when Credential Manager makes an SSH
connection to the remote host.
Attribute.sshServerToClientHashesList
Specifies the list of hashes to accept on the inbound data stream from the remote host. Hashes are
listed in order of priority.
Attribute.sshClientToServerHashesList
Specifies the list of hashes to use on the outbound data stream to the remote host. Hashes are
listed in order of priority.
Attribute.sshUseDefaultKeyExchangeAlgorithms
Specifies whether the default key exchange methods should be used when Credential Manager
makes an SSH connection to the remote host.
Attribute.sshKeyExchangeAlgorithmsList
Specifies the list of key exchange methods to use when connecting to the remote host. Methods are
listed in order of priority.
Attribute.sshUseDefaultCompressionAlgorithms
Specifies whether the default compression methods should be used when Credential Manager makes
an SSH connection to the remote host.
Attribute.sshServerToClientCompressionAlgorithmsList
Specifies the list of compression methods to accept on the inbound data stream from the remote
host. Methods are listed in order of priority.
Attribute.sshClientToServerCompressionAlgorithmsList
Specifies the list of compression methods to use on the outbound data stream to the remote host.
Methods are listed in order of priority.
Attribute.sshUseDefaultServerHostKeyAlgorithms
Specifies whether the default host key types should be accepted when Credential Manager
makes an SSH connection to the remote host.
Attribute.sshServerHostKeyAlgorithmsList
Specifies the list of host key types to accept when Credential Manager connects to the remote host.
Attribute.telnetSessionTimeout
When using the Telnet communication channel, specifies the amount of time in milliseconds that
Credential Manager should wait for the remote host to respond.
Attribute.telnetPort
The port used to connect to the UNIX host using Telnet.
Attribute.ciscoVariant
Specifies the type of Cisco system that is installed on the target server.
Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected
input from the remote host.
Attribute.useUpdateScriptType
Specifies whether the default, revised or replacement update script should be used. Customers
should use the default script and contact Customer Support if a revised or replacement script is
needed.
Attribute.revisedUpdateScriptFilename
Specifies the name of the file containing the revised update script. The contents of the file are used
as the revised script. Customers should use the default script and contact Customer Support if a
revised script is needed.
Attribute.useVerifyScriptType
Specifies whether the default, revised or replacement verify script should be used. Customers should
use the default script and contact Customer Support if a revised or replacement script is needed.
Attribute.revisedVerifyScriptFilename
Specifies the name of the file containing the revised verify script. The contents of the file are used
as the revised script. Customers should use the default script and contact Customer Support if a
revised script is needed.
Attribute.userNameEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a user
name.
Attribute.passwordEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a
password.
Attribute.passwordConfirmationPrompt
A regular expression that matches the prompt produced by the remote host when it requests a
password be confirmed.
Attribute.passwordChangePrompt
A regular expression that matches the prompt produced by the remote host when it requests that a
password be changed because it has expired.
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.
Attribute.otherAccount
Specifies which other account to use when updating the target account.
Attribute.protocol
Specifies the protocol to use for communicating with the remote host.
Attribute.pwType
The credential type; whether it pertains to a user or privileged (or "enable") account.
Attribute.useOtherPrivilegedAccount
Required   Default Value   Valid Values
yes        false           true, false
Attribute.otherPrivilegedAccount
Required   Default Value   Valid Values
no         N/A             a valid target account ID
Attribute.changeAuxLoginPassword
Required   Default Value   Valid Values
no         N/A             true, false
Attribute.changeConsoleLoginPassword
Required   Default Value   Valid Values
yes        N/A             true, false
Attribute.changeVtyLoginPassword
Required   Default Value   Valid Values
no         N/A             true, false
Attribute.numVTYPorts
Required                                Default Value   Valid Values
yes if changeVtyLoginPassword is true   N/A             1-15
TargetApplication.type
The target application connector type.
Attribute.extensionType:
Attribute.sshPort
The port used to connect to the Juniper host using SSH.
Attribute.connectTimeout
Specifies the amount of time in milliseconds that Credential Manager should wait for the remote host
to respond.
Attribute.readTimeout
Required   Default Value   Valid Values
no         5000            1000-99999
Attribute.extensionType
Required   Default Value   Valid Values
yes        N/A             juniper
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.
Attribute.otherAccount
Specifies which other account to use when updating the target account.
Base-64 encoded x.509 Certificate: Select the magnifying glass search icon to fetch a certificate.
Connect Timeout: Enter the time in milliseconds that Credential Manager waits before aborting
the attempt to connect to the server. The value defaults to 3000.
Read Timeout: Enter the time in milliseconds that Credential Manager waits before aborting the
request to the server for data. The read timeout applies to the LDAP response from the server
after the initial connection is established with the server.
Additional LDAP Attributes for Password Modification: This table allows you to specify attribute
name/value pairs to be updated with password modifications. If these attributes are not part of
your LDAP schema, an error can occur during password modification. For the OpenLDAP
shadowLastChange attribute, we provide the dynamic value %EPOCH_DAYS%, which evaluates to
the current number of days since the epoch (1/1/1970). %EPOCH_DAYS% is the only available
dynamic attribute.
Attribute Name: The name of the LDAP attribute to pass, such as shadowLastChange.
Attribute Value: The value to send for that LDAP attribute, such as %EPOCH_DAYS%.
Add/Delete: Use these links to add or remove attributes from this list.
Base DN is optional.
TargetApplication.type
The target application connector type.
Attribute.port
The port that is used to connect to the Active Directory Server.
Attribute.protocol
The protocol that is used to connect to the LDAP server.
Attribute.sslCertificate
The Active Directory SSL certificate.
Required                   Default Value   Valid Values
if the protocol is SSL     N/A             X.509 digital certificate in BASE64 encoded format
Attribute.ldapConnectTimeout
Time in milliseconds that Credential Manager waits before aborting the attempt to connect to the
server.
Attribute.ldapReadTimeout
Time in milliseconds that Credential Manager waits before aborting the request to the server for
data. The read timeout applies to the LDAP response from the server after the initial connection is
established with the server.
Attribute.useOtherAccountToChangePassword
This attribute specifies whether to use the target account or a different account to perform password
change requests.
Attribute.otherAccount
This attribute specifies which other account to use to perform password change requests.
Attribute.userDN
The distinguished name of the user on the LDAP server.
To connect to a named MSSQL Server instance that uses dynamic port binding rather than a specific
port number, in the Application Details page enter the appropriate MSSQL instance name and leave
the port field blank.
TargetApplication.type
The target application connector type.
Attribute.extensionType
Required   Default Value   Valid Values
yes        N/A             mssql
Attribute.sslEnabled
Required   Default Value   Valid Values
           false           true, false
Attribute.port
The target application port.
Attribute.instance
The database instance name.
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.
Attribute.otherAccount
Specifies which other account to use to perform password change requests.
TargetApplication.type
The target application connector type.
Attribute.port
The target application port.
Attribute.schema
The name of the database schema to which the account belongs.
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.
Attribute.otherAccount
Specifies which other account to use to perform password change requests.
Attribute.hostNameQualifier
Specifies which other account to use to perform password change requests.
TargetApplication.type
The target application connector type.
Attribute.extensionType
Required   Default Value   Valid Values
yes        N/A             oracle
Attribute.port
The port used to connect to the Active Directory server.
Attribute.sslEnabled
Required   Default Value   Valid Values
           false           true, false
Attribute.sslCertificate
The SSL certificate.
Attribute.schema
The name of the database schema to which the account belongs.
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.
Attribute.otherAccount
Specifies which other account to use to perform password change requests.
Attribute.racService
Specifies whether the schema is a RAC service name.
Attribute.sysdbaAccount
Specifies whether this user must authenticate as the Sysdba role.
Attribute.replaceSyntax
Specifies whether the REPLACE syntax needs to be used for changing the password, which is usually
associated with other accounts.
TargetApplication.type
The target application connector type.
Attribute.sshPort
The port used to connect to the host using SSH.
Attribute.sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that
Credential Manager should wait for the remote host to respond.
Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected
input from the remote host.
Attribute.useUpdateScriptType
Specifies whether the default, revised or replacement update script should be used. Customers
should use the default script and contact Customer Support if a revised or replacement script is
needed.
Attribute.revisedUpdateScriptFilename
Specifies the name of the file containing the revised update script. The contents of the file are used
as the revised script. Customers should use the default script and contact Customer Support if a
revised script is needed.
Attribute.useVerifyScriptType
Specifies whether the default, revised or replacement verify script should be used. Customers should
use the default script and contact Customer Support if a revised or replacement script is needed.
Attribute.revisedVerifyScriptFilename
Specifies the name of the file containing the revised verify script. The contents of the file are used
as the revised script. Customers should use the default script and contact Customer Support if a
revised script is needed.
Attribute.userNameEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a user
name.
Attribute.passwordEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a
password.
Attribute.passwordConfirmationPrompt
A regular expression that matches the prompt produced by the remote host when it requests a
password be confirmed.
Attribute.passwordChangePrompt
A regular expression that matches the prompt produced by the remote host when it requests that a
password be changed because it has expired.
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.
Attribute.otherAccount
Specifies which other account to use when updating the target account.
Attribute.protocol
Specifies the protocol to use for communicating with the remote host.
Attribute.pwType
The credential type; whether it pertains to a user or privileged (or "enable") account.
Attribute.useOtherPrivilegedAccount
Required   Default Value   Valid Values
yes        false           true, false
Attribute.otherPrivilegedAccount
Required   Default Value   Valid Values
no         N/A             a valid target account ID
Attribute.changeAuxLoginPassword
Required   Default Value   Valid Values
no         N/A             true, false
Attribute.changeConsoleLoginPassword
Required   Default Value   Valid Values
yes        N/A             true, false
Attribute.changeVtyLoginPassword
Required   Default Value   Valid Values
no         N/A             true, false
Attribute.numVTYPorts
Required                                Default Value   Valid Values
yes if changeVtyLoginPassword is true   N/A             1-15
TargetApplication.type
The target application connector type.
Attribute.extensionType
Required   Default Value   Valid Values
yes        N/A             SPML2
Attribute.port
The port used to connect to the SPML server.
Attribute.path
The SPML path that Credential Manager connects to. It is used along with the target server host
name, port attribute and protocol attribute to form a valid URL.
Attribute.protocol
The protocol used to connect to the SPML server.
Attribute.sslCertificate
The Active Directory SSL certificate.
Attribute.extensionType
Required   Default Value   Valid Values
yes        N/A             SPML2
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.
Attribute.otherAccount
Specifies which other account to use to perform password change requests.
TargetApplication.type
The target application connector type.
Attribute.sshPort
The port used to connect to the UNIX host using SSH.
Attribute.sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that
Credential Manager should wait for the remote host to respond.
Attribute.sshKeyPairPolicyID
Specifies the SSH Key Policy ID which controls how keys are generated; that is, the key type (RSA or
DSA) and length.
Attribute.sshStrictHostKeyCheckingEnabled
Enables or disables strict host key checking. When enabled, Credential Manager compares the public
key received from the remote host when making a connection to the public key stored in the
sshKnownHostKey attribute. If the keys do not match, the connection attempt is canceled.
Attribute.sshKnownHostKey
Contains the base-64 encoded public host key associated with the target server.
Attribute.sshKnownHostKeyFingerprint
Contains the fingerprint of the public host key contained in the sshKnownHostKey attribute. The
fingerprint is used for display purposes only to allow the user to easily compare one key with
another. The fingerprint specified must correspond to the specified public host key.
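The consistency check the last sentence calls for, as an added example that is not CA product code: recompute the fingerprint of a base-64 sshKnownHostKey and compare it with the configured sshKnownHostKeyFingerprint, together with the byte-for-byte comparison that sshStrictHostKeyCheckingEnabled is described as performing. It assumes the OpenSSH fingerprint formats (MD5 colon-hex or SHA256 base-64) and the OpenSSH public key blob layout; the sample keys are constructed, not real.

```python
"""Added example (not part of the CA Privileged Access Manager product code).

Checks that an sshKnownHostKeyFingerprint value corresponds to the base-64
public host key stored in sshKnownHostKey, and shows the strict host key
comparison the documentation describes. Assumptions: the key is the base-64
body of an OpenSSH public key (the second field of a known_hosts line) and
the fingerprint uses one of the OpenSSH formats, MD5 colon-separated hex
(optionally prefixed "MD5:") or "SHA256:" followed by unpadded base-64.
"""
import base64
import hashlib
import hmac
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def decode_host_key(b64_key: str) -> Tuple[str, bytes]:
    """Decode the base-64 blob and return (key type, raw blob).

    The first field of any OpenSSH public key blob is a length-prefixed
    string naming the key type, e.g. ssh-rsa or ssh-ed25519.
    """
    blob = base64.b64decode(b64_key.strip(), validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or len(blob) < 4 + n:
        raise ValueError("malformed key type field")
    return blob[4:4 + n].decode("ascii"), blob


def md5_fingerprint(blob: bytes) -> str:
    """Classic OpenSSH fingerprint: MD5 of the blob as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' plus unpadded base-64 of SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(b64_key: str, fingerprint: str) -> bool:
    """True if the configured fingerprint corresponds to the configured key."""
    _, blob = decode_host_key(b64_key)
    fp = fingerprint.strip()
    if fp.startswith("SHA256:"):
        return fp == sha256_fingerprint(blob)
    if fp.startswith("MD5:"):
        fp = fp[len("MD5:"):]
    return fp.lower() == md5_fingerprint(blob)


def strict_host_key_check(received_b64: str, stored_b64: str) -> bool:
    """Strict host key checking: the key presented by the remote host must be
    identical to the stored sshKnownHostKey, otherwise the connection attempt
    is canceled (here: returns False). Malformed input also fails closed."""
    try:
        _, received = decode_host_key(received_b64)
        _, stored = decode_host_key(stored_b64)
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return False
    return hmac.compare_digest(received, stored)


# Constructed sample keys (not real keys): ssh-ed25519 blobs whose 32-byte
# public point is a made-up byte pattern, base-64 encoded as they would
# appear in the sshKnownHostKey attribute.
SAMPLE_KEY = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode("ascii")
OTHER_KEY = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32, 64)))
).decode("ascii")


if __name__ == "__main__":
    key_type, blob = decode_host_key(SAMPLE_KEY)
    print(key_type, sha256_fingerprint(blob), md5_fingerprint(blob))
    print("fingerprint consistent:",
          fingerprint_matches(SAMPLE_KEY, sha256_fingerprint(blob)))
    print("strict check against a different host key:",
          strict_host_key_check(OTHER_KEY, SAMPLE_KEY))
```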
Attribute.sshUseDefaultCiphers
Specifies whether the default ciphers should be used when Credential Manager makes an SSH
connection to the remote host.
Attribute.sshServerToClientCiphersList
Specifies the list of ciphers to accept on the inbound data stream from the remote host. Ciphers are
listed in order of priority.
Attribute.sshClientToServerCiphersList
Specifies the list of ciphers to use on the outbound data stream to the remote host. Ciphers are listed
in order of priority.
Attribute.sshDetectCiphersList
Specifies the list of ciphers to detect when connecting to the remote host. Credential Manager does
not use ciphers that are unavailable, even if they are specified as inbound and/or outbound ciphers.
Ciphers are listed in order of priority.
Attribute.sshUseDefaultHashes
Specifies whether the default hashes should be used when Credential Manager makes an SSH
connection to the remote host.
Attribute.sshServerToClientHashesList
Specifies the list of hashes to accept on the inbound data stream from the remote host. Hashes are
listed in order of priority.
Attribute.sshClientToServerHashesList
Specifies the list of hashes to use on the outbound data stream to the remote host. Hashes are listed
in order of priority.
Attribute.sshUseDefaultKeyExchangeAlgorithms
Specifies whether the default key exchange methods should be used when Credential Manager
makes an SSH connection to the remote host.
Attribute.sshKeyExchangeAlgorithmsList
Specifies the list of key exchange methods to use when connecting to the remote host. Methods are
listed in order of priority.
Attribute.sshUseDefaultCompressionAlgorithms
Specifies whether the default compression methods should be used when Credential Manager makes
an SSH connection to the remote host.
Attribute.sshServerToClientCompressionAlgorithmsList
Specifies the list of compression methods to accept on the inbound data stream from the remote
host. Methods are listed in order of priority.
Attribute.sshClientToServerCompressionAlgorithmsList
Specifies the list of compression methods to use on the outbound data stream to the remote host.
Methods are listed in order of priority.
Attribute.sshUseDefaultServerHostKeyAlgorithms
Specifies whether the default host key types should be accepted when Credential Manager makes an
SSH connection to the remote host.
Attribute.sshServerHostKeyAlgorithmsList
Specifies the list of host key types to accept when Credential Manager connects to the remote host.
Attribute.telnetSessionTimeout
When using the Telnet communication channel, specifies the amount of time in milliseconds that
Credential Manager should wait for the remote host to respond.
Attribute.telnetPort
The port used to connect to the UNIX host using Telnet.
Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected
input from the remote host.
Attribute.unixVariant
Specifies the type of UNIX system that is installed on the target server.
Attribute.useUpdateScriptType
Specifies whether the default, revised or replacement update script should be used. Customers
should use the default script and contact Customer Support if a revised or replacement script is
needed.
Attribute.revisedUpdateScriptFilename
Specifies the name of the file containing the revised update script. The contents of the file are used
as the revised script. Customers should use the default script and contact Customer Support if a
revised script is needed.
Attribute.useVerifyScriptType
Specifies whether the default, revised or replacement verify script should be used. Customers should
use the default script and contact Customer Support if a revised or replacement script is needed.
Attribute.revisedVerifyScriptFilename
Specifies the name of the file containing the revised verify script. The contents of the file are used
as the revised script. Customers should use the default script and contact Customer Support if a
revised script is needed.
Attribute.userNameEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a user
name.
Attribute.passwordEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a
password.
Attribute.passwordConfirmationPrompt
A regular expression that matches the prompt produced by the remote host when it requests a
password be confirmed.
Attribute.passwordChangePrompt
A regular expression that matches the prompt produced by the remote host when it requests that a
password be changed because it has expired.
Attribute.changePasswordCommand
The command on the remote host that is used to change a password.
Attribute.elevatePrivilegeCommand
The command on the remote host that is used to elevate the user's level of privilege.
Attribute.substituteUserCommand
The command on the remote host that is used to act as another user.
Attribute.echoCommand
The command on the remote host that is used to repeat a sequence of characters to the standard
output; that is, the console.
Attribute.patternMatchingCommand
The command on the remote host that prints lines matching a pattern.
Attribute.policyManagementCommand
The command on the remote host that is used to manage policy.
Attribute.whoAmICommand
The command on the remote host that is used to retrieve the effective ID of the currently logged-in
user.
Attribute.changeFilePermissionsCommand
The command on the remote host that is used to alter the permissions on a file.
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.
Attribute.otherAccount
Specifies which other account to use when updating the target account.
Attribute.verifyThroughOtherAccount
Specifies whether or not the credentials of a second target account are used to authenticate to the
remote host when verifying the target account.
Attribute.passwordChangeMethod
Specifies which method to use when updating passwords. For instance, the authenticated user may
require elevated privileges to change a password without being impacted by certain policies in effect
on the remote host (such as the minimum length of time between password updates).
Attribute.protocol
Specifies the protocol to use for communicating with the remote host.
Attribute.passphrase
The passphrase that protects the private key.
Attribute.publicKey
Specifies the public key that corresponds to the target account's private key (which is stored as its
password).
Attribute.keyOptions
Specifies a list of comma-separated option specifications as per the authorized_keys file format
described in the OpenSSH documentation.
TargetApplication.type
The target application connector type.
Attribute.extensionType
Required   Default Value   Valid Values
yes        N/A             vmware
Attribute.sslPort
The target application port.
Attribute.extensionType
Required   Default Value   Valid Values
yes        N/A             vmware
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.
Attribute.otherAccount
Specifies which other account to use to perform password change requests.
TargetApplication.type
Attribute.sshPort
The port used to connect to the UNIX host using SSH.
Attribute.sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that
Credential Manager waits for the remote host to respond.
Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected
input from the remote host.
TargetApplication.type
The target application connector type.
Attribute.sshPort
The port used to connect to the UNIX host using SSH.
Attribute.sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that
Credential Manager should wait for the remote host to respond.
Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected
input from the remote host.
TargetApplication.type
The target application connector type.
Attribute.extensionType
Required   Default Value   Valid Values
yes        N/A             weblogic10
Attribute.port
The port used to connect to the WebLogic server.
Attribute.extensionType
Required   Default Value   Valid Values
yes        N/A             weblogic10
Attribute.realm
Required   Default Value   Valid Values
yes        N/A             valid realm name
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.
Attribute.otherAccount
Specifies which other account to use to perform password change requests.
If the domain account is used for a service or scheduled task, it uses one or more Windows Proxies
to update the service or scheduled task credentials and restart the services.
TargetApplication.type
The target application connector type.
Attribute.disableAutoConnectTargetAccount
Disables automatic connections to the remote target server for all target accounts that use this
application type. True disables automatic connectivity; that is, automatic connections are not
allowed.
Attribute.domainName
The Windows domain managed by the Active Directory server.
Attribute.useDNS
Determines the level to which DNS is used.
Attribute.dnsServer
The host names of the DNS servers to use.
Attribute.dcPort
The port used to connect to the Active Directory server.
Attribute.adSite
The Active Directory site. This parameter is only used if Attribute.useDNS is set to
retrieveDNS or specifiedDNS. If a value is given, Credential Manager uses the value to
narrow the search for domain controllers based on the specified name.
Attribute.extensionType
Specifies the type of account to be used.
Attribute.userDN
The user’s distinguished name on the Active Directory server.
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.
Attribute.otherAccount
Specifies which other account to use to perform password change requests.
Attribute.serviceInfo
List of services.
<proxy hostname>:<hostname>:<servicename>:restart
or
<proxy hostname>:<hostname>:<servicename>:norestart
Attribute.tasks
List of scheduled tasks.
<proxy hostname>:<hostname>:<taskname>
<hostname> is the name of the server where the scheduled task is hosted.
If the guest account in the domain or on the target server is enabled, the Windows Proxy Connector
may appear to successfully verify the password of the target account that does not exist on the target
server. You must disable the guest account in the domain or on the target server to avoid this false
password verification.
The permissions required for the Windows Proxy are affected by a number of architectural
deployment decisions:
The type of accounts being managed by the proxy, for example local, domain, or both
Whether passwords on services and scheduled tasks are also being managed
Whether the proxy is deployed on each server, or whether one proxy is deployed for the domain.
If you only manage local Windows accounts, service or scheduled tasks and you choose to deploy the
proxy on each server or workstation being managed, then the proxy can be run in the context of local
system. This scenario allows successful updates to the local accounts, services and scheduled tasks.
If you deploy a single (or multiple for high availability) proxy to manage multiple servers, the proxy
needs to operate under an account with adequate privileges to manage the accounts, services and
scheduled tasks. If you use the Windows Domain Service connector to manage the domain accounts,
then the proxy only needs to run with a domain account that has privileges to change local
passwords, services or scheduled tasks on the machines being managed.
As a result, the service account being used for the proxy can have its privileges limited to that of a
Domain User. To enable management of Local Windows accounts and the passwords on Windows
services and scheduled tasks, the service account must be a member of the Local Administrator
group on the server hosting the Target Account being managed.
To use the Windows Proxy to manage Domain accounts as well, add the service account to the
domain Account Operators group to allow the proxy to reset passwords in Active Directory.
Attribute.extensionType
Specifies the type of account to be used.
Attribute.agentId
The identifiers for the Windows Proxies used to manage passwords.
Attribute.accountType
The type of account being managed.
Attribute.domainName
The Windows domain for the managed accounts.
Attribute.domain
The Windows domain for the managed accounts. Exists only for backwards compatibility. CA
Technologies recommends using Attribute.domainName instead.
Attribute.useDNS
Determines the level to which DNS is used.
Attribute.dnsServer
The host names of the DNS servers to use.
Attribute.specifiedServersList
Provides a comma separated list of domain controllers.
Attribute.adSite
The Active Directory site. This parameter is only used if Attribute.useDNS is set to
retrieveDNS or specifiedDNS. If a value is given, Credential Manager uses the value to
narrow the search for domain controllers based on the specified name.
Attribute.extensionType
Specifies the type of account to be used.
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.
Attribute.otherAccount
Specifies which other account to use to perform password change requests.
Attribute.serviceInfo
List of services.
<hostname>:<servicename>:restart
or
<hostname>:<servicename>:norestart
Attribute.tasks
List of scheduled tasks.
<hostname>:<taskname>
<hostname> is the name of the server where the scheduled task is hosted.
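A parser and validator for the serviceInfo and tasks list formats, covering both the proxy-qualified entries of the Windows Domain Service connector (`<proxy hostname>:<hostname>:<servicename>:restart`) and the shorter entries shown here. This is an added example, not CA product code; it assumes entries are separated by commas or newlines and that the restart flag is exactly restart or norestart, and the host and service names are constructed.

```python
"""Added example (not part of the CA Privileged Access Manager product code).

Parses the Attribute.serviceInfo and Attribute.tasks list formats:

    <proxy hostname>:<hostname>:<servicename>:restart|norestart
    <hostname>:<servicename>:restart|norestart
    <proxy hostname>:<hostname>:<taskname>
    <hostname>:<taskname>

Assumptions not stated in the documentation: entries are separated by
commas or newlines, and the restart flag must be exactly "restart" or
"norestart" (case-insensitive).
"""
from dataclasses import dataclass
import re
from typing import List, Optional


@dataclass(frozen=True)
class ServiceEntry:
    proxy: Optional[str]      # Windows Proxy that performs the update, or None
    host: str                 # server hosting the service or scheduled task
    name: str                 # service name or scheduled task name
    restart: Optional[bool]   # None for scheduled tasks (no restart flag)


_RESTART_FLAGS = {"restart": True, "norestart": False}
# Host names never contain ':' or whitespace; reject anything else early.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


def _split_entries(text: str) -> List[str]:
    """Split the attribute value into individual non-empty entries."""
    return [e.strip() for e in re.split(r"[,\n]", text) if e.strip()]


def _check_host(label: str, value: str) -> str:
    if not _HOST_RE.match(value):
        raise ValueError(f"{label} {value!r} is not a valid host name")
    return value


def parse_service_info(text: str, with_proxy: bool) -> List[ServiceEntry]:
    """Parse serviceInfo entries; with_proxy selects the four-field form."""
    entries = []
    expected = 4 if with_proxy else 3
    for raw in _split_entries(text):
        fields = raw.split(":")
        if len(fields) != expected:
            raise ValueError(f"{raw!r}: expected {expected} ':'-separated fields")
        flag = fields[-1].lower()
        if flag not in _RESTART_FLAGS:
            raise ValueError(f"{raw!r}: flag must be 'restart' or 'norestart'")
        proxy = _check_host("proxy", fields[0]) if with_proxy else None
        host = _check_host("host", fields[-3])
        name = fields[-2]
        if not name:
            raise ValueError(f"{raw!r}: empty service name")
        entries.append(ServiceEntry(proxy, host, name, _RESTART_FLAGS[flag]))
    return entries


def parse_tasks(text: str, with_proxy: bool) -> List[ServiceEntry]:
    """Parse tasks entries; with_proxy selects the three-field form."""
    entries = []
    expected = 3 if with_proxy else 2
    for raw in _split_entries(text):
        fields = raw.split(":")
        if len(fields) != expected:
            raise ValueError(f"{raw!r}: expected {expected} ':'-separated fields")
        proxy = _check_host("proxy", fields[0]) if with_proxy else None
        host = _check_host("host", fields[-2])
        name = fields[-1]
        if not name:
            raise ValueError(f"{raw!r}: empty task name")
        entries.append(ServiceEntry(proxy, host, name, None))
    return entries


# Constructed sample values (not from any real deployment).
SAMPLE_SERVICES = "winproxy01:app01:Spooler:restart,winproxy01:app02:MyAppSvc:norestart"
SAMPLE_TASKS = "app01:NightlyBackup\napp02:LogRotate"

if __name__ == "__main__":
    for entry in parse_service_info(SAMPLE_SERVICES, with_proxy=True):
        print(entry)
    for entry in parse_tasks(SAMPLE_TASKS, with_proxy=False):
        print(entry)
```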
Attribute.forcePasswordChange
This parameter specifies whether or not Credential Manager updates passwords that fail verification
during an initial synchronization. The default value is false. To update passwords that fail initial
synchronization, set the attribute value to true.
It does not introduce any additional parameters when using the CLI to add a target application.
It does not introduce any additional parameters when using the CLI to add a target account.
Communication Settings
The following table describes CA Privileged Access Manager port assignments.
About Imports
CA Privileged Access Manager-managed objects may be imported from comma-separated value (CSV)
files that can be created in any text editor or spreadsheet program and saved as plain text. You may
want to use the sample file (available on an Import/Export page) as a template, and refer to the
information in the tables below to populate the fields.
NOTE: Currently, Credential Manager objects cannot be imported.
and
Device Groups, then Devices*# Devices > Import/Export Devices
and
Command Filter Lists# Policy > Import/Export Command Filter Lists
* All User Group records (rows) must be listed in a (Users-only) import file before all User records,
and all Device Group records (rows) must be listed in a (Devices-only) import file before all Device
records.
# UserGroups/Users files may be imported before or after DeviceGroups/Devices files, and Socket
Filter Lists files may be imported before or after Command Filter Lists files.
File content
The only (field) separator permitted in a CSV file is a comma, and thus a comma cannot be used in
field content.
Not all record content must be imported to create a record – the tables identify with asterisks *
which fields are required for particular record types.
The first line in each file is for column names, which are used to identify record fields during
import.
CSV file columns may be rearranged as long as the corresponding CSV File Column Labels are
preserved.
After performing an import, you can check the results (in sum) by clicking the "Download CSV
Import Results" link that appears after the import, below any error messages.
About Exports
File names and types
Each export file is downloaded with a timestamp (to the second) in the filename:
objecttypeYYYYMMDDHHMMSS.csv
EXAMPLE
devices20110715131849.csv
File content
Several informational fields are added to a User Groups/Users export file, and the export does not
preserve the import column arrangement (the informational fields are inserted between field
columns). These informational fields are identified in the tables by oblique names.
CA Privileged Access Manager does not display stored passwords in User record exports – each cell in
the "Password" column (which is used only for imports) is empty.
About Transfers
CSV files are frequently used to transfer (export + import) from one CA Privileged Access Manager
appliance to another.
LDAP Users
LDAP User records draw data from two locations: fields from the LDAP source directory, and any data in
CA Privileged Access Manager-specific fields that the administrator may add after the LDAP import.
To perform an LDAP transfer, recreate a baseline LDAP import, and then "overlay" the CA Privileged
Access Manager fields:
1. At the source CA Privileged Access Manager appliance, Export Users to a CSV file.
2. At the destination CA Privileged Access Manager appliance, Import LDAP Group from the
source LDAP directory(ies).
3. At the destination CA Privileged Access Manager appliance, Import Users with the CSV file
obtained from the source CA Privileged Access Manager.
For TCP/UDP services, if a value is specified for both TCP Ports and UDP Ports, the
values must match exactly. For both types of services, a port value is required for
at least one of TCP Ports and UDP Ports.
TCP/UDP Service record labels: Port(s) + Protocol
Field | Record Type | Values | Description
UDP Ports | TCP, SSL | Port value | The service UDP ports. Either: one or more port numbers separated by space or comma; one port range with 1-500 ports; or one port mapping. For TCP/UDP services, if a value is specified for both TCP Ports and UDP Ports, the values must match exactly. For both types of services, a port value is required for at least one of TCP Ports and UDP Ports. TCP/UDP Service record labels: Port(s) + Protocol
Description | All | Text | Service description. TCP/UDP Service record label: Comments
Enabled | TCP*, SSL* | t = enabled; f = disabled (do not use uppercase 'T' or 'F') | Disable the Service globally; or enable, subject to policy
Show in Column | TCP*, SSL* | t = enabled; f = disabled (do not use uppercase 'T' or 'F') | Access page display mode
Application Protocol | TCP* | ICA, RDP, VNC | Service application protocol. In contrast to the GUI, Disabled, Console, and Web Portal are not used here. A Web Portal is specified by the presence of an address in the Web Portal Launch URL field.
Web Portal Launch URL | TCP: Web | Mapped URL | Use the following form: http[s]://<Local IP>:<First Port>/[path, if any]. The target address is specified by the Device using the Portal. A target DNS address for the portal can be identified by the Host Header (and Aliases, if applicable).
Launch Path | App* | Path | Location of the remote application used in application publishing. Applicable only to targets running Microsoft Terminal Services.
Client Application | TCP | Path | Location of the local application that is launched when the service is initiated.
Host Header | TCP: Web | FQDN | Specify the FQDN of the target website in this field. Per HTTP 1.1, if the Web Portal resides on a single IP address which hosts several websites (such as Apache NameVirtualHost or IIS Host Header Access), this setting is used to identify the correct website target. Note: If Web Portal Launch URL is empty, this field does not populate.
Aliases | TCP: Web | text | If the target web portal is referred to by several different names, enter those names here. Example: If Host Header contains "www.example.com", while some links on that portal page point to "example.com" and "someserver.example.com", enter "example.com" and "someserver.example.com" here (without quotes, separated by space or comma) so that requests to that site are handled successfully. Note: If Web Portal Launch URL is empty, this field does not populate.
Hide Web Portal | TCP: Web | t = enabled; f = disabled (do not use uppercase 'T' or 'F') | If this portal is not intended to be user-facing (for example, for a graphics file server), select this checkbox so as not to display an access link for the user on the Access page. TCP/UDP Service record: Hide From User
Roles
In Users > Import/Export Roles, you can download a sample file and populate it according to the
specification in Table 12. In Record Type, * = required. This import allows you to create new roles:
you are not limited to the set of preconfigured roles ("Auditor" through "User/Group Manager").
User: Keyboard Layout (Required field in record. GUI default value: AUTO = read from keyboard)
User Group: Users (not needed – Group membership is specified by User records)
Target Server Description 1
Target Server Description 2 | D | text | If Type Password = t, this option is available
Request Client Description 1 | D | text | If Type A2A = t, this option is available
Request Client Description 2 | D | text | If Type A2A = t, this option is available
Request Client Active | D | f = False; t = True | If Type A2A = t, this option is available
Host Name Preserved | D | f = False; t = True | If Type A2A = t, this option is available
ProvisionType
AlternateId
Policy
In Policy > Import/Export Policy, you can download a sample file and populate it according to the
specification in the following table. In Record Type, * = required.
TSWEB
SSL VPN Services | P | text | Specify CA Privileged Access Manager custom SSL VPN Services. Separate any multiple Services by: | (pipe)
Applets | P | | Use the following template per Access Method applet: 'name=Name custom_name=CustomName'. Name options: VNC Telnet SSH Serial Power RDP KVM. Name options if mainframe licensing is enabled: TN3270 TN3270SSL TN5250 TN5250SSL. CustomName options: (empty); or any string. Separate any multiple applets (Access Methods) by: | (pipe)
Command Filter | P | text | If this policy uses one or more Command Filter Lists, enter them by name; otherwise, leave blank. If used, ensure to define CFLs (import CFL CSV file) first. Note: Ensure that filters are imported before policy.
Socket Filter | P | text | If this policy uses one or more Socket Filter Lists, enter them by name; otherwise, leave blank. If used, ensure to define SFLs (import SFL CSV file) first. Note: Ensure that filters are imported before policy.
Restrict login if agent is not running | P | t = true; f = false (do not use uppercase 'T' or 'F') | Note: Only used for applets that rely on this switch: RDP, VNC, and ICA.
Graphical Recording | P | t = true; f = false (do not use uppercase 'T' or 'F') | When 'true', CA Privileged Access Manager performs graphical recording of every RDP or VNC session between this User(Group)-Device(Group) pair.
Command Line Recording | P | t = true; f = false (do not use uppercase 'T' or 'F') | When 'true', CA Privileged Access Manager performs command line recording of every CLI-based session between this User(Group)-Device(Group) pair.
Bidirectional Recording | P | t = true; f = false (do not use uppercase 'T' or 'F') | When 'true' (and when Command Line Recording is 'true'), CA Privileged Access Manager records both the User and Device input for every CLI-based session between this User(Group)-Device(Group) pair. (Otherwise, only User input is recorded.)
Web Portal Recording | P | t = true; f = false (do not use uppercase 'T' or 'F') | When 'true', CA Privileged Access Manager performs graphical recording of every web portal session between this User(Group)-Device(Group) pair.
Targets | P
Data Formats
The content in this section describes data formats used by CA Privileged Access Manager.
Message Templates
License acceptance (at Login) – configured in Show License Warning in Global Settings
Blacklist violation – configured in Blacklist Violation Message in Policies > Manage Policies:
Manage Filters > Command Filter Config
Whitelist violation – configured in Whitelist Violation Message in Policies > Manage Policies:
Manage Filters > Command Filter Config
Port Numbers
General Syntax
Use the following conventions to represent port values when populating CA Privileged Access
Manager GUI fields:
Specific ports (a sequence of one or more port numbers delimited by spaces or commas)
Port Range
NOT PERMITTED
Combination syntax cases, such as the following examples, have undefined values and thus are not
permitted in CA Privileged Access Manager GUI fields:
X:Y U:V does not mean: Port X onto Y -and- port U onto V
Pop-up window: Application path specification field, ports as specified in Service Definition
Basic Info: Specific ports -or- one Range, with 1-500 ports -or- one Mapping
Basic Info: All ports -or- Specific ports -or- one Range, with 1-500 ports -or- one Mapping
Special Type: Specific ports -or- one Range, with 1-500 ports ● No Mapping
Policies > Manage Policies : Manage Filters > Socket Filter Config editing fields:
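As an added example, not part of the CA documentation, the following Python validator encodes the port syntax rules of this section: specific ports delimited by spaces or commas, one range of at most 500 ports, one X:Y mapping, no combinations of these, and the TCP/UDP Service rule that at least one of TCP Ports and UDP Ports must be given and that both must match exactly when both are present. Two assumptions are made: a range is written low-high (as in the Networking Tools default 1-65535), and a port lies in 1-65535. The class and function names are mine.

```python
import re
from dataclasses import dataclass

MAX_RANGE_PORTS = 500          # "one Range, with 1-500 ports"; message 1032 reports the same limit
PORT_MIN, PORT_MAX = 1, 65535  # assumed bounds for a service port

_SPLIT = re.compile(r"[ ,]+")            # specific ports are delimited by spaces or commas
_PORT = re.compile(r"^\d+$")
_RANGE = re.compile(r"^(\d+)-(\d+)$")    # low-high, as in the Networking Tools default 1-65535
_MAPPING = re.compile(r"^(\d+):(\d+)$")  # X:Y, port X onto Y


@dataclass(frozen=True)
class PortSpec:
    kind: str     # "ports", "range" or "mapping"
    ports: tuple  # the ports covered for "ports"/"range"; (local, remote) for "mapping"


def _port(text):
    number = int(text)
    if not PORT_MIN <= number <= PORT_MAX:
        raise ValueError(f"port {number} is outside {PORT_MIN}-{PORT_MAX}")
    return number


def parse_port_spec(value, allow_mapping=True):
    """Classify a port field as specific ports, one range or one mapping.

    Raises ValueError for the combinations the page calls undefined (for example
    "X:Y U:V", or ports mixed with a range), for a range wider than 500 ports,
    and, when allow_mapping is False (Special Type fields), for any mapping.
    """
    tokens = [t for t in _SPLIT.split(value.strip()) if t]
    if not tokens:
        raise ValueError("a port value is required")
    kinds = set()
    for token in tokens:
        if _PORT.match(token):
            kinds.add("ports")
        elif _RANGE.match(token):
            kinds.add("range")
        elif _MAPPING.match(token):
            kinds.add("mapping")
        else:
            raise ValueError(f"unrecognised port token {token!r}")
    if len(kinds) > 1:
        raise ValueError(f"mixed port syntaxes are not permitted: {value!r}")
    kind = kinds.pop()
    if kind == "ports":
        return PortSpec("ports", tuple(_port(t) for t in tokens))
    if len(tokens) > 1:
        raise ValueError(f"only one {kind} is permitted: {value!r}")
    if kind == "range":
        low, high = (_port(x) for x in _RANGE.match(tokens[0]).groups())
        if high < low:
            raise ValueError(f"range {tokens[0]} runs backwards")
        if high - low + 1 > MAX_RANGE_PORTS:
            raise ValueError(f"range {tokens[0]} covers more than {MAX_RANGE_PORTS} ports")
        return PortSpec("range", tuple(range(low, high + 1)))
    if not allow_mapping:
        raise ValueError("a port mapping is not permitted in this field")
    local, remote = (_port(x) for x in _MAPPING.match(tokens[0]).groups())
    return PortSpec("mapping", (local, remote))


def is_valid_port_spec(value, allow_mapping=True):
    try:
        parse_port_spec(value, allow_mapping)
        return True
    except ValueError:
        return False


def check_tcp_udp_ports(tcp_ports, udp_ports):
    """TCP/UDP Service rule: at least one of the two fields is required, and when
    both are given their (whitespace-trimmed) text must match exactly."""
    tcp, udp = tcp_ports.strip(), udp_ports.strip()
    if not tcp and not udp:
        raise ValueError("a port value is required for at least one of TCP Ports and UDP Ports")
    if tcp and udp and tcp != udp:
        raise ValueError("TCP Ports and UDP Ports are both set but differ; they must match exactly")
    return parse_port_spec(tcp or udp)


def tcp_udp_ports_ok(tcp_ports, udp_ports):
    try:
        check_tcp_udp_ports(tcp_ports, udp_ports)
        return True
    except ValueError:
        return False
```

Passing allow_mapping=False models the Special Type fields, for which the list above states "No Mapping"; the 500-port limit is the same one that messages 1032 and 1061 report after a failed save.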
Where … | Example
H = CA Privileged Access Manager Hostname | capam123
N = (Pseudorandom) ID number | 8732209813
T = Start Time of Recording: YYYYMMDDHHMMSSXXX | 20120125145538987
“XXX” represents the millisecond resolution of the start time. If there is a collision with an existing
file, this number is incremented by 1 until an available filename is found.
ext = File Type Extension | for a CLI session recording: txt; for an RDP session recording: gsr; for a VNC session recording: vsr
Default Settings
The content in this section describes values populated in the configurable settings when CA PAM
ships. All settings not listed (for example, within managed object templates) are unpopulated (empty)
or logically “off.”
Administration Menus (see page 97)
Credential Management Menus (see page 101)
Administration Menus
The following table provides a listing of menu elements, location (menu or pane), fields, values, and
units.
Access | DEPRECATED
Monitoring
Global Settings > Basic Settings: Default Auth Method: Local; Default Page Size (Devices): 30 lines; Login Timeout: 10 minutes; Applet Timeout: 10 minutes; Access Method Port Offset: 0; Default Device Type: Access [selected], Password Management [available when licensed], A2A [available when licensed]
Global Settings > Passwords: Security Level: 0 – New Password; Min Length: 6 characters; Max Length: 14 characters; Change Interval: 0 days; History: 3 passwords; Failure Limit: 0 password attempts
Built-in services:
Services
sftpftp
sftpftpemb
sftpsftp
sftpsftpemb
TSWEB
TCP/UDP Services [template]: Local IP 127.0.0.1; Protocol TCP; Enable [selected]; Show in Column [unselected]; Application Protocol Disabled
RDP Applications [template]: Enable [selected]
SSL VPN Services [template]: Application Protocol Disabled
Import/Export Services
Manage Users > Users [template]: Keyboard Layout AUTO; Authentication Local; Account Status Enabled; Activate Account Now; Terminate Session Upon Deactivation No; Roles Standard User
Manage Disabled Users
Manage Groups: Applet Recording Warning No; Authentication Local; Roles Standard User
Import/Export Users
Approve CAC User
Manage Roles: Administrative Auditor (Deprecated Role)
Auditor
Configuration Manager
Delegated Administrator
Device/Group Manager
Global Administrator
Global Setter
Monitor
Operational Administrator
Password Manager
Policy Manager
Service Manager
Session Manager
Standard User
Troubleshooter
User/Group Manager
Import/Export Roles
Manage Devices > Devices [template]: Operating System Linux; Terminal Term Type vt100; Key Mapping xterm-vt220
Manage Groups: Group Type Local
Import/Export Devices
Autodiscovery
Power Hosts
Console Servers
Socket Filter Agent
Tools > Networking Tools: [Ports] 1-65535; Timeout 2 minutes
Manage Policies
File Imports
CA PAM-managed objects may be imported only from comma-separated value (CSV) files.
You may want to use the sample file (available on an Import/Export page) as a template and refer to
the information in the following tables to populate the fields.
CSV files must be imported through the matching import page (identified in the following table), as
object-specific error checking is performed. They cannot be successfully imported from other import
pages.
*All User Group records (rows) must be listed in a (Users-only) import file before all User records,
and all Device Group records (rows) must be listed in a (Devices-only) import file before all Device
records.
# UserGroups/Users files may be imported before or after DeviceGroups/Devices files, and Socket
Filter Lists files may be imported before or after Command Filter Lists files.
The only (field) separator permitted in a CSV file is a comma, and thus a comma cannot be used in
field content.
Not all record content must be imported to create a record – the tables identify with asterisks *
which fields are required for particular record types.
The first line in each file is for column names, which are used to identify record fields during
import.
CSV file columns may be rearranged as long as the corresponding CSV File Column Labels are
preserved.
After performing an import, you can check the results (in sum) by clicking the Download CSV
Import Results link that appears after the import, below any error messages.
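As an added example that is not part of the CA documentation, the following Python pre-check applies the rules above to a file before it is uploaded: column labels are matched by exact spelling rather than by position, required columns must be present and filled, a comma may not appear inside a field, and the flag columns that the field tables mark as case-sensitive must hold lowercase t or f. The column labels in the constructed sample are assumed for illustration, and the function name is mine.

```python
import csv
import io


def check_import_csv(text, required_labels, boolean_labels=()):
    """Pre-check a CSV import file against the rules in this section.

    Returns a list of problem descriptions; an empty list means every check passed.
    Columns are matched by their label (exact spelling), never by position.
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty: the first line must carry the column labels"]
    header = [label.strip() for label in rows[0]]
    lowered = {label.lower(): label for label in header}
    problems = []
    for label in required_labels:
        if label in header:
            continue
        near_miss = lowered.get(label.lower())
        if near_miss is not None:
            problems.append(f"header {near_miss!r} differs from required label {label!r} in case; "
                            "the column would not be imported")
        else:
            problems.append(f"required column {label!r} is missing")
    for lineno, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) != len(header):
            problems.append(f"line {lineno}: {len(row)} fields but the header has {len(header)}")
        record = dict(zip(header, row))
        for label, value in record.items():
            if "," in value:
                problems.append(f"line {lineno}: column {label!r} contains a comma; "
                                "a comma is only permitted as the field separator")
        for label in required_labels:
            if label in record and not record[label].strip():
                problems.append(f"line {lineno}: required column {label!r} is empty")
        for label in boolean_labels:
            value = record.get(label, "")
            if value in ("T", "F"):
                problems.append(f"line {lineno}: column {label!r} uses uppercase {value!r}; "
                                "only lowercase t or f is accepted")
            elif value not in ("", "t", "f"):
                problems.append(f"line {lineno}: column {label!r} must be t or f, got {value!r}")
    return problems


# Constructed sample files. The column labels below are assumed for illustration
# and are not necessarily the product's real CSV File Column Labels.
DEVICE_REQUIRED = ("Device Name", "Address")
DEVICE_BOOLEANS = ("OOB Serial Host Flag",)

GOOD_DEVICES_CSV = (
    "Device Name,Address,Operating System,OOB Serial Host Flag\n"
    "web01,10.0.0.5,Linux,f\n"
    "db01,10.0.0.6,Solaris,t\n"
)

# three defects: lowercase header label, uppercase flag, comma inside a field
BAD_DEVICES_CSV = (
    "device name,Address,Operating System,OOB Serial Host Flag\n"
    "web01,10.0.0.5,Linux,T\n"
    '"db01, primary",10.0.0.6,Solaris,f\n'
)
```

The near-miss check matters because a mis-spelled label is not an error at import: the column is silently skipped, which for a flag such as OOB Serial Host Flag means the record is created with the GUI default rather than the intended value.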
File Exports
Exported File Names and Types
Each exported file is downloaded with a timestamp in the file name according to the following
syntax:
objecttypeYYYYMMDDHHMMSS.csv
Example: devices20110715131849.csv
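The export file name syntax above, together with the recording start-time rule from the Data Formats section earlier (T = YYYYMMDDHHMMSSXXX, incremented by 1 on a collision until an unused value is found), as an added Python example that is not part of the CA documentation. The object type is assumed to consist of lowercase letters, as in the devices example, and the function names are mine.

```python
import re
from datetime import datetime

# objecttypeYYYYMMDDHHMMSS.csv; the object type is assumed to be lowercase letters
_EXPORT_NAME = re.compile(r"^([a-z]+)(\d{14})\.csv$")

# File Type Extension per recording type, from the Data Formats legend
RECORDING_EXTENSIONS = {"CLI": "txt", "RDP": "gsr", "VNC": "vsr"}


def parse_export_filename(filename):
    """Return (object type, timestamp) for an export file name, or raise ValueError."""
    match = _EXPORT_NAME.match(filename)
    if not match:
        raise ValueError(f"{filename!r} does not match objecttypeYYYYMMDDHHMMSS.csv")
    object_type, stamp = match.groups()
    return object_type, datetime.strptime(stamp, "%Y%m%d%H%M%S")  # rejects impossible dates


def is_export_filename(filename):
    try:
        parse_export_filename(filename)
        return True
    except ValueError:
        return False


def export_filename(object_type, when):
    """Build the name the appliance would give an export taken at `when`."""
    return f"{object_type}{when:%Y%m%d%H%M%S}.csv"


def next_free_start_time(start_time, taken):
    """Recording start time T = YYYYMMDDHHMMSSXXX (millisecond resolution).

    On a collision with an existing file the number is incremented by 1 until
    an unused value is found; `taken` holds the T values already in use.
    """
    if not re.fullmatch(r"\d{17}", start_time):
        raise ValueError(f"{start_time!r} is not a 17-digit YYYYMMDDHHMMSSXXX value")
    candidate = int(start_time)
    while f"{candidate:017d}" in taken:
        candidate += 1
    return f"{candidate:017d}"
```

Because the collision rule increments the whole number, a run of files at the end of a second carries over into the next second (…538999 becomes …539000), so the T component of a recording name is a tie-breaker, not an exact start time, and should not be used as one in forensic timelines without checking the recording's own metadata.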
Several informational fields are added to a Users Group/Users export file, and the export does not
preserve the import column arrangement (they are inserted between field columns). These
informational fields are identified in the tables by oblique names.
CA Privileged Access Manager does not display stored passwords in User record exports – each
cell in the Password column (which is used only for imports) is empty.
Transfers
CSV files are frequently used to transfer (export + import) from one CA Privileged Access Manager
appliance to another.
LDAP Users
LDAP user records draw data from two locations: fields from the LDAP source directory, and any data in
CA PAM-specific fields that the administrator may add after the LDAP import.
To perform an LDAP transfer, recreate a baseline LDAP import, and then “overlay” the CA PAM fields:
1. At the source CA PAM appliance, Export Users to a CSV file.
2. At the destination CA PAM appliance, Import LDAP Group from the source LDAP directory
(ies).
3. At the destination CA PAM appliance, Import Users with the CSV file obtained from the source
CA Privileged Access Manager.
Roles
In Users > Import/Export Roles, you can download a sample file and populate it according to the
specification in the following table.
In Record Type, * = required. Note that this import allows you to create new roles – you are not
limited to the set of preconfigured roles (“Auditor” through “User/Group Manager”).
A CSV file of existing Users and User Groups is prepared and saved to your local drive. The default
filename is usersYYYYMMDDHHMMSS.csv
Note: For Users provisioned in an external repository (for example, LDAP or AWS, or
VMware), do not modify any field that was sourced from the external repository. For
example, for LDAP users, do not change the User Principle Name (or other LDAP-sourced)
fields.
The following table describes the fields in the User Import CSV file.
Bold text (aside from table column labels) indicates either literal values to be entered into fields
or literal values or legends that are displayed by the GUI or present in export files.
Table Columns:
Rows are shown here in the same order as the columns in the sample file.
Column order is not recognized by import processing – only the items in CSV File Column
Labels are.
Italic text indicates columns that are generated solely for export files – they are not
required in files for import.
Ensure that all required columns (those with a * in the Record Type column) are included
in the CSV file.
Ensure that column headers are spelled as noted in CSV File Column Label or their values
will not be imported.
* = Indicates that this field is required to create a record of this type. (This does not
identify what is necessary to function, however.)
Description
Where the label in a GUI User or User Group record differs from the corresponding
column name for the import file, that User or User Group record label is noted here.
t = Enabled
SMTWTFS
Specifies the days of the week on which access is permitted. Each day where access is permitted is re
timeFrom
Specifies the number of minutes from midnight to the time when access should start.
timeTo
Specifies the number of minutes from midnight to the time when access should end.
User record label: Access Time : Access Days + From (time) + To (time)
U text User Group or User Groups of which the user is a memb
roleName = Choose from the built-in and administrator-defined Access roles. GUI default value:
roleUserGroups =
roleDeviceGroups =
Examples:
roleName=Auditor roleUserGroups= roleDeviceGroups=
roleName=Global Administrator roleUserGroups=ALL roleDeviceGroups=ALL User / User Gro
Smart Button Group | N/A | N/A | Obsolete. Maintained for backward compatibility only.
User Principle Name | E | | Extracted from LDAP record (where applicable)
PA Group Membership | U | text (matching existing name) | The names of Credential Manager User Groups of which
API Keys | U only | | Each API Key cell has values that are represented by the following fields: name=apiKeyName; isActive=[t|f]; description=descriptionOfApiKey
Delimited with:
EXAMPLE:
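The Roles cell and the API Keys cell above, like the Applets cell of the Policy table earlier, hold pipe-separated entries made of key=value fields. As an added example that is not part of the CA documentation, the following Python parser handles all three formats with one routine. It assumes that fields within an entry are separated by whitespace and that entries are separated by a pipe (the delimiter the page does not state for API Keys); a value runs up to the next known key, so a roleName such as Global Administrator keeps its space. The function and constant names are mine.

```python
import re

# Keys of the three cell formats described on this page.
APPLET_KEYS = ("name", "custom_name")                          # Policy table, Applets cell
ROLE_KEYS = ("roleName", "roleUserGroups", "roleDeviceGroups")  # User table, Roles cell
API_KEY_KEYS = ("name", "isActive", "description")             # User table, API Keys cell

APPLET_NAMES = {"VNC", "Telnet", "SSH", "Serial", "Power", "RDP", "KVM"}
MAINFRAME_APPLET_NAMES = {"TN3270", "TN3270SSL", "TN5250", "TN5250SSL"}


def parse_kv_cell(cell, keys):
    """Split a pipe-delimited cell into entries and each entry into its key=value fields.

    Assumption: fields within an entry are separated by whitespace and entries by '|'.
    A value extends to the next known key, so it may itself contain spaces.
    """
    key_re = re.compile(r"(?:^|\s+)(" + "|".join(re.escape(k) for k in keys) + r")=")
    entries = []
    for raw in cell.split("|"):
        raw = raw.strip()
        if not raw:
            continue
        matches = list(key_re.finditer(raw))
        if not matches or matches[0].start() != 0:
            raise ValueError(f"entry {raw!r} must start with one of {', '.join(keys)}")
        entry = {}
        for i, match in enumerate(matches):
            key = match.group(1)
            if key in entry:
                raise ValueError(f"duplicate field {key!r} in entry {raw!r}")
            end = matches[i + 1].start() if i + 1 < len(matches) else len(raw)
            entry[key] = raw[match.end():end]
        entries.append(entry)
    return entries


def parse_applets(cell, mainframe_licensed=False):
    """Applets cell: name must be an allowed Name option; custom_name may be empty."""
    allowed = APPLET_NAMES | (MAINFRAME_APPLET_NAMES if mainframe_licensed else set())
    applets = parse_kv_cell(cell, APPLET_KEYS)
    for applet in applets:
        if applet.get("name") not in allowed:
            raise ValueError(f"applet name {applet.get('name')!r} is not an allowed Name option")
        applet.setdefault("custom_name", "")
    return applets


def parse_roles(cell):
    """Roles cell: roleName is required, the two group fields may be empty or ALL."""
    roles = parse_kv_cell(cell, ROLE_KEYS)
    for role in roles:
        if not role.get("roleName"):
            raise ValueError("each Roles entry needs a non-empty roleName")
        role.setdefault("roleUserGroups", "")
        role.setdefault("roleDeviceGroups", "")
    return roles


def parse_api_keys(cell):
    """API Keys cell: isActive is lowercase t or f, like the other flag fields on this page."""
    api_keys = parse_kv_cell(cell, API_KEY_KEYS)
    for api_key in api_keys:
        if api_key.get("isActive") not in ("t", "f"):
            raise ValueError(f"isActive must be t or f, got {api_key.get('isActive')!r}")
        api_key.setdefault("description", "")
    return api_keys


def is_valid(parser, cell, **kwargs):
    try:
        parser(cell, **kwargs)
        return True
    except ValueError:
        return False
```

Validating the Roles cell before import is worth the effort: the note below this table warns that a user given only the Password Manager role cannot log in, and a typo in roleName is not caught by spelling alone.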
Note: In the Roles field, do not assign any User solely the role “Password Manager”. That
role does not contain sufficient privileges for CA Privileged Access Manager access. Instead,
when you intend to allow only password management privileges, add the role “Standard
User” using Credential Manager. (Standard User is the default role populated in a newly
created CA Privileged Access Manager user template.)
2. Select Browse, choose the file to import, and select Open in the File Upload dialog that
appears.
NETKVM1/8, XControl XC412M, Tripp-Lite PDU (and numerous others)
Special Type Login | D | text | Special Type device login username
Special Type Password | D | text | Special Type device login password
Special Type Protocol | D | text | Special Type device protocol (Telnet, SSHV1, for example). Must match one of the allowed values for Type.
Special Type Ports | D | text | Special Type device port or ports
Operating System | D | Enumerated options (does not currently allow custom options): AIX, BeOS, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Other, Solaris, Embedded OS, IBM AS 400, Mac OS 9, Mac OS X, IBM Mainframe, SCO UNIX | Operating system of Device
Name options: VNC Telnet SSH Serial Power RDP KVM Embedded VNC
Name additional options if mainframe licensing is enabled: TN3270 TN3270SSL TN5250 TN5250SSL
CustomName options: (any string; optional)
Port options: One port (only), 0-65535. For VNC: port= (empty); or 0 if disabled
Property options: (empty); NULL
Separate any multiple Access Methods by: | (pipe)
 | D, DG | VNC Telnet SSH Serial Power RDP KVM Embedded VNC | Access Method category (no specific access information)
Services | D, DG | Custom Services, or Built-in Services: sftpftp, sftpftpemb, sftpsftp, sftpsftpemb, TSWEB | Specify CA PAM built-in or custom Services. Separate any multiple Services by: | (pipe)
OOB Serial Host Flag | D | f = do not use settings; t = use settings (do not use uppercase 'F' and 'T'). GUI default value: f | Flag to use Out-of-Band Serial Device settings: OOB Serial Host through OOB Serial Port
OOB Serial Host | D | Text | Out-of-Band Serial device name
OOB Serial Port | D | Text | Out-of-Band Serial device port
OOB KVM Host Flag | D | f = do not use settings; t = use settings (do not use uppercase 'F' and 'T'). GUI default value: f | Flag to use Out-of-Band KVM Device settings: OOB KVM Host through OOB KVM Port
OOB KVM Host | D | text | Out-of-Band KVM device name
Blacklist: List of commands a user may not use; all other commands are permitted.
Keyword | CL* | text | The command or command subset to be restricted. Multiple commands for the same list are designated by multiple CSV line items using the same List Name.
Alert | CL* | f = do not use alert; t = use alert | Flag to: Notify (immediately) the monitoring administrator of any use of this command.
Block | CL* | f = do not use block; t = use block | Flag to: Prevent (immediately) this command from being executed.
Regexp | CL* | f = do not use regexp; t = use regexp | Flag to: Apply the Keyword field as a regular expression to the command line for a match. If there is a match, apply any Alert or Block specified.
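As an added example that is not part of the CA documentation, the following Python code loads a Command Filter List from CSV rows and evaluates a command line against it with the blacklist semantics described above: Regexp = t applies the Keyword as a regular expression, and the Alert and Block flags decide what a match does. The column labels (List Name, Keyword, Alert, Block, Regexp) and the substring rule for a non-regexp Keyword are assumptions, the sample list is constructed, and the names are mine.

```python
import csv
import io
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterEntry:
    list_name: str
    keyword: str
    alert: bool
    block: bool
    regexp: bool


def _flag(value, column):
    """Flags are lowercase t/f only, as the table says; anything else is rejected."""
    if value not in ("t", "f"):
        raise ValueError(f"{column} must be lowercase t or f, got {value!r}")
    return value == "t"


def load_command_filter_csv(text):
    """Read Command Filter List rows. Column labels are assumed for this example:
    List Name, Keyword, Alert, Block, Regexp."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        entries.append(FilterEntry(
            list_name=row["List Name"],
            keyword=row["Keyword"],
            alert=_flag(row["Alert"], "Alert"),
            block=_flag(row["Block"], "Block"),
            regexp=_flag(row["Regexp"], "Regexp"),
        ))
    return entries


def entry_matches(entry, command_line):
    """Regexp = t: apply Keyword as a regular expression to the command line.
    Otherwise a literal match; the page does not say whether that is whole-command
    or substring matching, so substring matching is assumed here."""
    if entry.regexp:
        return re.search(entry.keyword, command_line) is not None
    return entry.keyword in command_line


def evaluate_blacklist(command_line, entries, list_name):
    """Blacklist semantics from the table: listed commands are restricted, all
    others permitted. Returns whether to block, whether to alert, and the
    keywords that matched."""
    hits = [e for e in entries if e.list_name == list_name and entry_matches(e, command_line)]
    return {
        "block": any(e.block for e in hits),
        "alert": any(e.alert for e in hits),
        "matched": [e.keyword for e in hits],
    }


# Constructed sample list (not from the product); the second row shows Regexp = t.
SAMPLE_CFL_CSV = "\n".join([
    "List Name,Keyword,Alert,Block,Regexp",
    "ops-blacklist,rm -rf /,t,t,f",
    r"ops-blacklist,^sudo\s+su\b,t,f,t",
    "ops-blacklist,shutdown,f,t,f",
])

SAMPLE_ENTRIES = load_command_filter_csv(SAMPLE_CFL_CSV)


def is_valid_filter_csv(text):
    try:
        load_command_filter_csv(text)
        return True
    except (ValueError, KeyError):
        return False
```

Running candidate command lines through evaluate_blacklist before importing a list is a cheap way to catch a regular expression that is too broad (it would block routine work) or too narrow (it lets the intended variants through); the page's own message 1471, "Ensure that filters are imported before policy", still applies once the list is right.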
Policy
Use Policy, Import/Export Policy, to download a sample file and populate it as specified in the
following table.
sftpftp, sftpftpemb, sftpsftp, sftpsftpemb, TSWEB
SSL VPN Services | P | text | Specify CA PAM custom SSL VPN Services. Separate any multiple SSL VPN Services by: | (pipe).
Applets | P | | Use the following template per Access Method applet: 'name=Name custom_name=CustomName',
The pre-formatted messages identified herein are included in most syslog output (MSG
field), but not every message is used in a syslog emission, and not all syslog emissions
include a message. For example, some messages are used solely for user interaction.
For Credential Manager messages, see Credential Manager Error Messages (see page 189).
00xxx - General Error Messages (see page 132)
01xxx - Network Service Messages (see page 133)
02xxx - User Management Messages (see page 138)
04xxx - User Group Management Messages (see page 144)
05xxx - Device Management Messages (see page 145)
06xxx - Roles and Privileges Management Messages (see page 154)
07xxx - Device Group Management Messages (see page 155)
08xxx - Global Settings and Device Task Messages (see page 156)
09xxx - LDAP Messages (see page 156)
10xxx - CSV Import/Export Related Messages (see page 158)
11xxx - Device Monitoring Messages, Office365 Integration Messages, SAML IdP and RP Messages
(see page 160)
12xxx - Policy Management Messages (see page 162)
13xxx - Management Console Messages (see page 164)
14xxx - Managed Server Service Messages (see page 165)
15xxx - Command and Socket Filter Management Messages (see page 165)
16xxx - Logging and Reporting Messages (see page 167)
17xxx - Policy Conflict Messages (see page 168)
0011 = Invalid log database type %s. Consult your system administrator
0015 = Too many rows to sort by. Use search criteria to narrow the result set and try again.
0900 = add
0901 = update
0902 = delete
0905 = Connected
0906 = Waiting
0907 = Unknown
0908 = Detection
0909 = Intervention
0910 = Tampering
0913 = Activated
0914 = Deactivated
1018 = Invalid characters in service name. Semicolons, commas, percent signs, and backslashes are
invalid.
1026 = Invalid TCP ports value specified. Values must be valid TCP ports or TCP port ranges.
1027 = Invalid UDP ports value specified. Values must be valid UDP ports or UDP port ranges.
1032 = Maximum number of ports in range, 500, exceeded for specified port range %s. Consider
using SSL VPN solution.
1035 = Web portal TCP/UDP services must have LeapFrog Prevention disabled.
1041 = Database corruption - more than one service with the same id was deleted.
1047 = Only the Local IP, Port Settings, Enabled, Show in Column, Client Application, and Comments
of the standard service sftpftp can be updated.
1048 = Only the Local IP, Port Settings, Enabled, Show in Column, and Comments of the standard
service sftpftpemb can be updated.
1049 = Only the Local IP, Port Settings, Enabled, Show in Column, and Comments of the standard
service TSWEB can be updated.
1054 = Only the Local IP, Port Settings, Enabled, Show in Column, Client Application, and Comments
of the standard service sftpsftp can be updated.
1055 = Local socket %s:%s of Web Portal %s must be unique across all web portal services. Local
socket already used by Web Portal %s.
1057 = Only the Local IP, Port Settings, Enabled, Show in Column, and Comments of the standard
service sftpsftpemb can be updated.
1060 = Both Show In Column and Hide Web Portal cannot be checked.
1061 = Maximum number of ports in range, 500, exceeded for the sum of all specified port ranges.
Consider using SSL VPN solution.
1063 = Invalid web portal browser type specified. Valid types are native and xceedium.
1067 = The only properties of the AWS Management Console SSO service that can be changed are
enabled, show in column, and access list.
1071 = The properties of the AWS proxy service can not be changed.
1072 = The only properties of the MS Office 365 service that can be changed are enabled, show in
column, and access list.
1077 = The specified SAML %s certificate is not a valid PEM encoded certificate.
1079 = The SAML initiating party field is invalid: Valid values are sp or idp.
1081 = A SAML service with an entity ID of %s already exists. SAML entity IDs must be unique.
1084 = Invalid SAML require signed authentication request value specified. Valid values are: t, f.
1085 = The SAML encryption certificate is required if NameId or Assertion encryption is enabled.
1086 = The SAML signing certificate is required if Require Signed Authn Requests is enabled.
1087 = There are no SAML 2.0 SPs defined with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
POST (SAML 1.1 SPs are not supported).
1090 = The following device(s) were %s to host the SAML assertion consumer services: %s.
1091 = Device group %s was provisioned with the provisioned assertion consumer devices as
members. This will facilitate managing policy for all SAML devices.
1092 = SAML attribute with index %s is missing the required name field.
1093 = SAML attribute with index %s is missing the required friendly name field.
1094 = There are multiple SAML attributes with the same name: %s. Names must be unique.
1095 = There are multiple SAML attributes with the same friendly name: %s. Friendly names must be
unique.
1096 = SAML attribute %s can not be deleted. It is used in the following policies: %s.
1097 = The following SAML Name Identifier Formats can not be deleted: %s. They are used in the
following policies: %s.
1100 = SAML services with the Route Through Xsuite setting enabled require the browser type setting
to be set to the Xceedium Browser.
1101 = SAML services using the Xceedium browser must be IdP initiated.
1103 = An auto-login method was provided, but only web portals can have auto-login methods.
1104 = This service is configured to be recorded and must use the Xceedium browser type. The
service is configured to be recorded in the following policies: %s.
2005 = Database corruption - more than one user with the same id was deleted.
2013 = Access time day string is 7 digits long; 1 = access permitted 0 = access forbidden.
2017 = Invalid characters in user name %s. Semicolons, commas, percent signs, single and double
quotes, and backslashes are invalid.
2023 = Special characters quote, double quote, backslash, and percent are not allowed in the
password.
2026 = Password must include both upper and lower case alphabetic characters.
2028 = Password must include at least two lowercase letters, two uppercase letters, two numbers
and two special characters.
2036 = Your role does not allow you to %s this user without any groups.
2037 = You may only add users to the following groups %s.
2038 = You may not delete this user. You may only remove group assignments from it.
2043 = Invalid access time passed in. Missing a required key field.
2047 = Non-local users may not have passwords defined in CA Privileged Access Manager.
2049 = Short name may only be used for users with provision type of LDAP or PKI.
2054 = PAP/CHAP must be specified for RADIUS authentication and only for RADIUS authentication.
2055 = Warning: Global administrators may not have limited access times - any such settings will be
ignored.
2057 = An invisible (shadow) user named %s already exists. Please choose another name.
2058 = A user or group named %s already exists. Please contact your system administrator.
2063 = Can't specify the user as their own login contact. Use the Email Self on Login checkbox.
2065 = Users provisioned from LDAP may not be deleted directly, only by deleting their LDAP group.
2067 = User names, group names, and short names may not be the same.
2084 = An LDAP provisioned user may not be added directly, only imported via LDAP.
2085 = LDAP-provisioned user %s's LDAP groups may not be changed except via LDAP import or
refresh.
2086 = Shadow user %s's membership in RADIUS group %s may not be changed.
2087 = A shadow user may not be added directly, only created via logon.
2089 = Duplicate Password Authority username %s. User not added. Please contact your system
administrator.
2091 = User is not allowed to manage the Password Authority group %s.
2092 = Roles with the Manage Credential privilege must have at least one Password Authority group
to manage.
2097 = Devices provisioned from LDAP may not be deleted directly, only by deleting their LDAP
group.
2098 = The user has been configured to manage a Password Authority group but does not have a role
with sufficient privileges.
2099 = Maximum of %d AWS API Proxy users licensed. Please remove that privilege from one or more
users before proceeding to add this one.
2100 = API keys must be an array of arrays of individual API keys containing id, name, target account
id, active status and set of roles.
2101 = Required API key array element client name not found.
2102 = Required API key array element target account id not found.
2106 = API keys must be deleted before the rest of the user.
2107 = Existing API key %s either does not belong to user %s or does not exist at all.
2108 = Users with provision type %s can not be added to LDAP groups: %s.
2113 = The following user fields may not be changed locally for an ldap user: activationDate,
authType, description, email, expiration, firstName, lastName, password, phone, resetPasswordFlag.
2117 = The super user account's authentication method cannot be set to SAML.
2118 = A user may not have two API keys with the same name. Change the API keys so that only one
is named %s.
2120 = Password has been already used. You have to enter a new password.
2123 = Special characters \ ' % and \ are not allowed in the password
2126 = Must include both upper and lower case alphabetic characters.
2128 = Password must include at least two lowercase letters, two uppercase letters, two numbers
and two special characters.
2129 = User %s must be associated with Password Authority user group %s.
2132 = User groups for a SAML JIT user can only be changed by SAML.
2134 = A SAML JIT user such as %s can only have their user groups changed by SAML.
2135 = A SAML JIT user like %s may not be added directly, only loaded from an identity provider on
login.
2136 = User %s cannot be deleted because it is configured as the login contact for the following list of
users: %s.
2138 = The user has been assigned a role which requires a password authority user group to be
associated with it, but no such group was specified.
4005 = Database corruption - more than one user group with the same id was deleted.
4009 = Database corruption - more than one user group with the same id was inserted.
4012 = Database corruption - more than one user group with the same id was updated.
4024 = Locally provisioned user groups can not have an authentication type of RSA.
4025 = Locally provisioned user groups can not have an authentication type of LDAP+RSA.
4027 = Locally provisioned user groups can not have an authentication type of LDAP+RADIUS.
4028 = The following user group ids are not valid: %s.
4030 = User %s not successfully added to user group. No other users added.
4031 = The following user fields may not be changed locally for an ldap user group: description,
shortName.
5010 = Database corruption - more than one device with the same id was deleted.
5011 = Device or device group name %s already exists. Names must be unique.
5014 = Database corruption - more than one device with the same id was inserted.
5016 = Device %s was not updated due to Password Authority authorization errors.
5017 = Database corruption - more than one device with the same id was updated.
5020 = Database corruption - more than one device's power status was updated.
5021 = %s %s %s Failed.
5022 = %s %s %s Successful.
5023 = Unknown power status of %s: multiple power ports do not match.
5028 = Database corruption - more than one special type device was inserted.
5030 = Database corruption - more than one special type device was updated.
5034 = Your role does not allow you to %s this device without any groups.
5035 = You may only add or delete device membership from the following groups %s.
5036 = You may not delete this device, only remove group assignments from it.
5050 = Configuring device %s as a %s device will exceed the number of licensed %s devices.
5052 = User requires Device/Group Manager or Delegated Administrator role to add discovered
devices to CA Privileged Access Manager.
5058 = Invalid characters in device name %s. Semicolons, commas, apostrophes and backslashes are
invalid.
5060 = Mainframe access methods are not permitted without a Mainframe-capable license.
5064 = A custom name for a device task may not have colons, semicolons, commas, or backslashes.
5065 = Device cannot have both telnet and ssh2telnet access methods.
5070 = Maximum number of ports in range, 500, exceeded for specified port range %s.
5073 = No access is currently permitted because this CA Privileged Access Manager appliance is over-
provisioned. Please contact your systems administrator.
5074 = This Xceedium appliance currently has more Devices defined than the configured license
permits. Please either obtain a new license from Xceedium or delete devices to bring this appliance
back within its license constraints. Access is disabled until this is remediated.
5075 = Each power task must have a unique combination of power device and port.
5076 = Maximum number of ports in range, 500, exceeded for all specified port ranges.
5087 = Can't assign request server id to a device that is not a request server.
5088 = Operation aborted because Password Authority request server cannot be deleted. See log for
details.
5089 = Operation aborted because Password Authority target server cannot be deleted. See log for
details.
5091 = Device Import cannot add virtual devices, only update them. Device Name = %s.
5096 = Target Application %s was not added or updated due to Password Authority authorization
errors.
5098 = A device group's provision type may not be changed. Delete and recreate the group.
5099 = %s device refresh failed due to error. See log for details.
5104 = A target server with the address %s already exists. Target server %s not added.
5105 = A request server with the address %s already exists. Request server %s not added.
5108 = Terminal type VT100 is not compatible with TN5250 or TN5250SSL access methods.
5109 = Device import cannot add VMware device groups, only update them. Group name = %s.
5111 = General error with password checkin. See log for details.
5116 = Target server fields may not be defined if device is not of type Password.
5117 = Request server fields may not be defined if device is not of type A2A.
5118 = Device import cannot add VMware Device Groups, it may only update them (Group name = %s).
5119 = Configuring device %s as a %s device will exceed the number of licensed %s devices. Device
added without the type.
5120 = Internal error occurred while updating the runtime status of a device.
5121 = Service AWS Management Console SSO can not be added to a device.
5122 = %d VMware devices were not deleted. See logs for details. VMware credentials are kept but
the configuration is now inactive.
5123 = %d AWS devices were not deleted. See logs for details. AWS credentials are kept but the
configuration is now inactive.
5124 = AWS region code may not be changed on update. Delete this row and enter a new one.
5127 = This AWS access key and region are already provisioned.
5128 = The access key id must reference an actual Access Key target account.
5133 = Target group %s not added to Password Authority. Error Message: %s.
5134 = Unable to delete target group %s from Password Authority. Error Message: %s.
5135 = Request group %s not added to Password Authority. Error Message: %s.
5136 = Unable to delete request group %s from Password Authority. Error Message: %s.
5137 = AWS Proxy client authorization mapping failed. Error Message: %s.
5138 = Deleting the AWS Proxy client authorization mapping failed. Error Message: %s.
5140 = No such credential source as %s. Device group %s was added without it.
5141 = No such credential source as %s. Device group %s was updated, but the old credential was left
in place.
5143 = %s device group membership may not be changed locally. The %s device groups were
restored.
5144 = A target server with the device name %s already exists. Target server not added.
5145 = A request server with the device name %s already exists. Request server not added.
5146 = A Password Authority problem prevented completing the request. %s Check log for details.
5148 = Command %s not supported for transparent login. Only the commands %s are supported.
5149 = Password prompt for %s command may not contain equals sign or semi-colon.
5153 = The same user may not be assigned twice to the same vCenter for provisioning.
5155 = Either the hostname and the target application name, or the target application id is required to add the target account %s.
5156 = Target account id and user name are both required to update a target account.
5157 = VMware URL most commonly should be in the form https://<domain>[:port]/sdk. Please
enter a URL.
5159 = Only the url or the active status may be changed, and one of them must be changed on an
update.
5161 = Invalid device group ids specified. The array must contain only numeric ids.
5162 = The following ids are not ids of existing device groups: %s.
5163 = Invalid device service ids specified. The array must contain only numeric ids.
5164 = The following ids are not ids of valid TCP/UDP or RDP application services: %s.
5165 = Invalid device VPN service ids specified. The array must contain only numeric ids.
5166 = The following ids are not ids of valid VPN services: %s.
5167 = The following ids are not ids of valid TCP/UDP services: %s.
5168 = The following ids are not ids of valid RDP application services: %s.
5169 = Invalid device credential source ids specified. The array must contain only numeric ids.
5170 = The following ids are not ids of valid password devices: %s.
5171 = Invalid device group service ids specified. The array must contain only numeric ids.
5172 = Invalid device group VPN service ids specified. The array must contain only numeric ids.
5173 = Invalid device ids specified. The array must contain only numeric ids.
5174 = The following ids are not ids of existing devices: %s.
5179 = Device name and domain name of a virtual device may not be changed via local means.
5184 = A target application with the specified id was not found or does not belong to the specified
device.
5188 = A target application with the same name already exists for the device.
5189 = Invalid target application type specified. Valid types are: Generic, UnixII.
5191 = A target account with the specified id was not found or does not belong to the specified
device or target application.
5200 = Failed to assign '%s' tag to device. '%s' tag prefix is reserved for vSphere NSX Security %s.
5201 = Service VMware NSX API Proxy can not be added to a device.
5207 = Command string %s begins with a forward slash (/), which is not allowed in transparent login
command strings.
5209 = Cannot get name for a target or request group if no group ID is supplied.
5210 = Device %s had missing terminal data; default terminal data has been assigned.
5213 = Device Manager user couldn't delete device %s because it is a Password Management or A2A
device and the user lacks privileges to delete those types of device.
5214 = Device Manager user couldn't change name of device %s because it is a Password
Management or A2A device and the user lacks privileges to rename those types of device.
5215 = Device Manager user couldn't change domain name of device %s because it is a Password
Management or A2A device and the user lacks privileges to change domain names for those types of
device.
6006 = Role not deleted because there are still users assigned to it.
6008 = Role id already assigned at start of add. Role was not added.
6013 = Role %s with these groups may not be added to a user by this user.
6015 = The Autodiscovery role requires Device/Group Manager role or the Delegated Administrator
Role as well.
6017 = Due to role restrictions, group %s may not be added to a user except by a Global
Administrator.
6018 = Roles containing the AWS API Proxy privilege may not be added to groups.
6020 = The following user groups for role %s do not exist: %s.
6021 = The following device groups for role %s do not exist: %s.
6022 = The API key %s for user %s has privileges the user does not. The API key will be disabled until
this is fixed.
7010 = Database corruption - more than one device group with the same id was inserted.
7012 = Database corruption - more than one device group with the same id was updated.
7014 = Database corruption - more than one device group with the same id was deleted.
7017 = Device group cannot have both sftpftp and sftpftpemb services.
7022 = Device group cannot have both sftpsftp and sftpsftpemb services.
7023 = A device group with a network address cannot have services or access methods defined.
7028 = The device group already has the following access methods: %s.
7029 = The device group already has the following %s services: %s.
7030 = The specified access method id does not belong to the device group or is invalid.
7031 = The specified service id does not belong to the device group or is invalid.
7032 = The specified VPN service id does not belong to the device group or is invalid.
8010 = Device group contains invalid SSL VPN service name(s): %s.
8013 = Access method may not be defined twice on the same device.
9005 = Starting point for browsing LDAP directory is not under configured browse points.
9008 = LDAP Group %s imported into Xsuite. %s Users Processed: %s New Users, %s Updated Users, %s Deleted Users, %s Failed New Users, %s Failed Updated Users, %s Failed Deleted Users.
9010 = %s LDAP group(s) completed with errors. Please check the audit log on the cluster master for
more details.
9012 = Warning: user %s from LDAP group %s has same short name, %s, as user %s from LDAP group
%s. RADIUS authentication process will not be able to differentiate between the two users. Both user
accounts will be deactivated.
9014 = Connection failed to LDAP domain %s using server %s. Failing over to the next configured
LDAP server.
9018 = LDAP Group %s imported into Xsuite. %s Devices Processed: %s New Devices, %s Updated
Devices, %s Deleted Devices, %s Failed New Devices, %s Failed Updated Devices, %s Failed Deleted
Devices.
9019 = Adding LDAP group %s aborted. The LDAP group and all its registered members will be
deleted.
9024 = LDAP is configured but the appliance is unlicensed. License the appliance before launching the
LDAP browser.
10011 = Number of CSV data fields (%s) does not match CSV header count (%s) on line %s.
10028 = TCP/UDP services with both TCP and UDP ports defined must have the same port value(s).
10037 = Device %s does not have access method %s, with name %s.
10049 = Socket filter list entry already exists and therefore will not be added.
11011 = Invalid web session recording quality specified. Valid values are high and low.
11012 = Unauthorized attempt to delete policies associated with the Office365 service.
11013 = Calculating the certificate fingerprint for IdP %s failed. The IdP configuration will not be
saved.
11014 = The SAML RP's %s is a required field. Please enter a valid value.
11015 = The SAML RP's Fully Qualified Hostname is not a valid hostname.
11016 = The %s of Identity Provider %s is a required field. Please enter a valid value.
11017 = Invalid Identity Provider SSO binding specified for Identity Provider %s. Valid values are: %s.
11018 = The Single Sign On Service URL for Identity Provider %s is not a valid HTTP URL.
11019 = The specified %s of Identity Provider %s is invalid. Valid values are: true or false.
11020 = The specified certificate for Identity Provider %s is not a valid PEM certificate.
11021 = Invalid Signature Algorithm specified for Identity Provider %s. Valid values are: %s.
11022 = Invalid Name ID Formats specified for Identity Provider %s. Valid values are: %s.
11023 = Invalid Authentication Contexts specified for Identity Provider %s. Valid values are: %s.
11024 = Identity Provider entity IDs must be unique. There are multiple identity providers with the following entity ID(s): %s.
11025 = Invalid SAML version specified for Identity Provider %s. Valid values are: 1.1, 2.0.
11027 = Identity Provider friendly names must be unique. There are multiple identity providers with the following friendly name(s): %s.
11028 = Invalid vulnerability reporting level specified. Valid values are 'Log' or 'Log And Warn'.
11030 = The following required fields in the SAML RP configuration must be specified before the
configuration can be saved or an IdP can be configured: Entity ID, Fully Qualified Hostname,
Certificate Key Pair.
11031 = The required field, 'Fully Qualified Hostname', in the SAML configuration on cluster member
%s has not been defined. Please specify a value for the field before downloading metadata.
11033 = An attempt was made to access the SAML IdP Proxy service when Xsuite is not deployed in a
cluster.
11034 = An error occurred while completing this request. Please contact your administrator for
further assistance.
11035 = An attempt was made to access the SAML IdP Proxy service on this node but this node is not
the cluster master.
11040 = Invalid value specified for SAML Accept RSA-SHA1 Signed Responses. Valid values are: t,f.
11041 = Invalid value specified for Client Distribution Intranet URL. Only domain names and IP
addresses are allowed.
12009 = Invalid 'restrict login if agent is not running' value. Valid values are: t, f.
12010 = RDP applications with <AWSURL> in the launch path must have policies, and no others may.
12012 = Web portal recording can only be enabled for policies that contain a web portal services
utilizing the Xceedium browser. Please set the browser type property of the service to Xceedium.
12013 = Policies involving xceedium.aws.amazon.com may not be imported or exported via csv.
12014 = Attempt to add a target account %s to a policy that does not have access to it.
12015 = There is a credentials conflict in Transparent Login Window with title '%s' ('%s' and '%s' RDP Applications).
12017 = The specified device does not offer any access methods for policy. Please add access
methods to the device first.
12018 = The specified device does not offer device access methods with the following id(s): %s.
12019 = The specified device does not offer any TCP/UDP nor RDP application services for policy.
Please add services to the device first.
12020 = The specified device does not offer TCP/UDP nor RDP application services with the following
id(s): %s.
12021 = The specified device does not offer any VPN services for policy. Please add VPN services to
the device first.
12022 = The specified device does not offer VPN services with the following id(s): %s.
12024 = The restrict login flag requires a socket filter list to be set for this policy.
12027 = No applets or services which support bidirectional CLI recording are selected.
12028 = The specified device does not offer any target accounts for viewing. Please add target
accounts to the device first.
12029 = A policy must specify either an access method, a service, a vpn service, or target accounts.
12030 = The bidirectional flag may only be set on if CLI recording is selected.
12031 = Transparent login not defined for any selected access method or service.
12032 = A policy association between user (group) %s and device (group) %s doesn't exist.
12036 = The specified account id is not selected in the policy for viewing.
12037 = The policy does not contain the access method with id %s. Use POST for adding.
12038 = The policy already contains the access method with id %s. Use PUT for updates.
12039 = The policy does not contain the service with id %s. Use POST for adding.
12040 = The policy already contains the service with id %s. Use PUT for updates.
12041 = The policy already contains the SSLVPN service with id %s.
12042 = The policy is already configured to allow viewing the password for the account with id %s.
12043 = The following account id(s) do not belong to the specified device: %s.
12044 = A policy association between the specified user (group) and device (group) already exists.
12045 = A mapping for the required SAML attribute, %s, for users with provision type %s must be
defined.
12046 = The following SAML attributes have not been mapped to a valid value: %s.
12047 = The following provision types have multiple Subject Name Identifier mappings defined: %s.
There can only be one mapping defined per provision type.
12048 = The following SAML requested attribute ids for SAML resolved attributes are invalid: %s.
12049 = The format for the following SAML attribute is invalid: %s. Expected format is: %s.
12051 = Target servers and all associated applications and accounts were deleted from policies.
12052 = Target applications and all associated accounts were deleted from policies.
12054 = Target account belonging to device %s for target application %s with user name %s not
found.
12057 = ssoWindow winId %s is not valid for RDP Application service id %s. Either the winId doesn't
exist or it is not assigned to the service.
13005 = CA Privileged Access Manager appliance already imported into management console.
13008 = A policy must contain at least one module before associating it with a CA Privileged Access Manager appliance.
13011 = CA Privileged Access Manager credentials not specified. Please set the credentials for the
server or set the default credentials for all servers.
15003 = Invalid agent listening port. Port must be a valid TCP port.
15004 = Invalid CA Privileged Access Manager appliance ID. ID must be numeric and between 1 and 254.
15008 = Invalid characters in socket filter list name. Semicolons, commas, percent signs, and
backslashes are invalid.
15009 = Invalid socket filter list type. Valid types are: black, white.
15011 = Invalid socket filter host address. Address must be a valid IP address.
15013 = Invalid socket filter port %s. Port must be a valid TCP port.
15018 = Invalid characters in command filter list name. Semicolons, commas, percent signs, and
backslashes are invalid.
15019 = Invalid command filter list type. Valid types are: black, white.
15022 = Invalid command filter regular expression value. Valid values are: t, f.
15032 = Either (comma delimited) individual ports or a single port range must be specified, not (%s).
15033 = A comma delimited port string cannot be more than 512 characters long.
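Codes 5070, 5076, 15032 and 15033 together describe the accepted shape of a port specification: a comma-delimited list of individual ports or exactly one range, never both, with a range capped at 500 ports and the string capped at 512 characters. The following parser is an added example written for this page; it is not CA Privileged Access Manager code. It attaches the catalog code whose message would apply to each rejection. Assumptions not stated by the catalog: an invalid single port reuses the wording of 15013, a reversed range (high before low) is reported under 15032, and 5076 is read as a limit on the union of all ports across several ranges.

```python
# Added example (not CA PAM code): a parser for the port specifications that codes
# 5070/5076 and 15032/15033 validate. Catalog codes are attached to each rejection.
MAX_PORTS_IN_RANGE = 500    # 5070 (one range) and 5076 (all ranges together)
MAX_PORT_STRING_LEN = 512   # 15033
PORT_SPEC_MSG = ("Either (comma delimited) individual ports or a single port range "
                 "must be specified, not ({spec}).")


class PortSpecError(ValueError):
    """Rejection carrying the catalog code whose message applies."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def parse_port(text):
    """A single TCP port, 1-65535. Reusing 15013's wording here is an assumption;
    the catalog has separate codes per field (15003, 15013)."""
    try:
        port = int(text.strip())
    except ValueError:
        port = -1
    if not 1 <= port <= 65535:
        raise PortSpecError(15013, f"Invalid socket filter port {text}. Port must be a valid TCP port.")
    return port


def parse_port_spec(spec):
    """Parse one port string into a sorted, de-duplicated list of ports.

    Accepted: "22,80,443" (individual ports) or "8000-8100" (exactly one range).
    Rejected: both forms mixed, more than one range, an empty string, a reversed
    range (all 15032), a range of more than 500 ports (5070), or a string longer
    than 512 characters (15033).
    """
    if len(spec) > MAX_PORT_STRING_LEN:
        raise PortSpecError(15033, "A comma delimited port string cannot be more than 512 characters long.")
    spec = spec.strip()
    if not spec:
        raise PortSpecError(15032, PORT_SPEC_MSG.format(spec=spec))
    if "-" in spec:
        if "," in spec or spec.count("-") != 1:
            raise PortSpecError(15032, PORT_SPEC_MSG.format(spec=spec))
        low_text, high_text = spec.split("-")
        low, high = parse_port(low_text), parse_port(high_text)
        if low > high:
            raise PortSpecError(15032, PORT_SPEC_MSG.format(spec=spec))
        if high - low + 1 > MAX_PORTS_IN_RANGE:
            raise PortSpecError(5070, f"Maximum number of ports in range, 500, exceeded for specified port range {spec}.")
        return list(range(low, high + 1))
    return sorted({parse_port(part) for part in spec.split(",")})


def parse_port_specs(specs):
    """Parse several port strings and apply the aggregate limit (5076): the union of
    all ports across the ranges may not exceed 500. Reading 5076 as a union limit is
    an interpretation of the message text, not documented behaviour."""
    ports = set()
    for spec in specs:
        ports.update(parse_port_spec(spec))
    if len(ports) > MAX_PORTS_IN_RANGE:
        raise PortSpecError(5076, "Maximum number of ports in range, 500, exceeded for all specified port ranges.")
    return sorted(ports)


if __name__ == "__main__":
    for candidate in ("22,80,443", "8000-8009", "22,80-90", "1-1000", "70000"):
        try:
            print(candidate, "->", parse_port_spec(candidate)[:5], "...")
        except PortSpecError as err:
            print(candidate, "->", err)
```

The length check runs before anything is split so that an oversized string is rejected without being parsed, and ports are de-duplicated so that "22,22" does not count twice against the 500-port budget.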
15034 = Invalid AWS policy name %s. Name must only have alphanumeric characters and =,.@ or -.
15041 = AWS policy too large to compile. See log for details.
15044 = In order to create an AWS policy at least one Access Key must be defined in Password
Authority.
15045 = Invalid filter list type specified. Valid values are: white, black.
15046 = The enabled filter is not supported for SSLVPN service type.
16007 = Invalid email address specified. Multiple addresses must be separated by a comma.
16012 = Only the original author of a report or a Global Administrator may update or delete it.
16013 = Relative report dates must specify the number of days, weeks or months to include in the
report.
16018 = Unable to locate recording data. The file may have been removed, or the mount may be
down.
16019 = Session Recording Integrity Failure: This session recording appears to have been modified
since it was recorded. Proceed at your own risk.
16023 = Session recording can not be started for '%s' in %s safe mode because mount is down.
16024 = Session recording can not be started for '%s' because %s session recording is disabled.
17001 = Socket filter %s list policy %s from association between user %s and device %s.
17002 = Command filter %s list policy %s from association between user %s and device %s.
17003 = Adding %s to group %s will cause a %s filter policy conflict for %s from the following policies:
17004 = Adding device %s to %s will cause a %s filter policy conflict for %s from the following policies:
17005 = Adding %s to group %s will cause a %s filter policy conflict for %s from the following policies:
17006 = Policy settings for association will cause a %s filter policy conflict for %s and %s from the
following policies:
17008 = Policy conflicts exist in CA Privileged Access Manager. Navigate to the policy conflict page to view the conflicts.
17010 = Updating the group membership for %s will cause a credential policy conflict for access
method %s on %s from the following policies:
17011 = Adding %s to group %s will cause a credential policy conflict for access method %s on %s
from the following policies:
17012 = Adding device %s to %s will cause a credential policy conflict for %s for access method %s
from the following policies:
17013 = Adding access method %s to %s will cause a credential policy conflict for %s from the
following policies:
17014 = Adding %s to group %s will cause a credential policy conflict for %s for access method %s
from the following policies:
17015 = Adding access method %s to group %s will cause a credential policy conflict for %s on %s
from the following policies:
17016 = Policy settings for association will cause a credential policy conflict for %s and access method
%s on %s from the following policies:
17017 = Policy settings cause a credential conflict for secondary login. See your Xsuite Administrator
and check the log for details.
18005 = This account is deactivated. See your CA Privileged Access Manager Administrator.
18008 = User <name> deactivated due to reaching the password failure limit.
18009 = Account <name> has expired. See your CA Privileged Access Manager Administrator.
18010 = Account <name> is not yet activated. See your CA Privileged Access Manager Administrator.
18011 = Account <name> has been deactivated due to extended inactivity. See your CA Privileged
Access Manager Administrator.
18016 = User <name> has logged into the Xceedium CA Privileged Access Manager appliance device.
18018 = This Xsuite appliance is in maintenance mode. Only admin level users can login.
18026 = Multiple CA Privileged Access Manager user accounts have the same SAML user name <name>. %s. Rejecting the SAML authentication request and deactivating all user accounts with SAML user name <name>.
18027 = User <name> from SAML enabled group <name> has the same SAML user name <name>
from SAML attribute %s. User account deactivated.
18028 = Single sign-on authentication failed. Please contact your system administrator.
18029 = SAML user <name> not found in CA Privileged Access Manager or does not belong to a SAML
enabled group.
18031 = SAML assertion issuer, %s, does not match configured issuer %s.
18033 = SAML assertion recipient, %s, not recognized. Valid recipients are: %s.
18034 = SAML assertion received by authentication service at time %s is before SAML Not-Before
Condition %s.
18035 = SAML assertion received by authentication service at time %s is after SAML Not-On-Or-After
Condition %s.
18037 = CA Privileged Access Manager appliance in FIPS mode. SAML SSO disabled.
18038 = User attempted to login via SAML SSO but SAML SSO is not enabled.
18042 = Verification of SAML assertion failed: Certificate of SAML assertion producer has not been
uploaded to CA Privileged Access Manager.
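Codes 18031, 18033, 18034 and 18035 are the assertion condition checks a SAML relying party performs after the signature check (18042): the issuer must equal the configured issuer, the recipient must be one of the configured recipients, and the receipt time must fall inside the NotBefore / NotOnOrAfter window. The following block is an added example written for this page, not CA Privileged Access Manager code; it runs those four checks over a constructed SAML 2.0 assertion and returns the catalog codes that would fire. The IdP and SP URLs and the timestamps in the sample are placeholders. It does not verify the XML signature, so it is only meaningful on an assertion that has already passed signature verification.

```python
# Added example (not CA PAM code): the assertion condition checks behind codes 18031,
# 18033, 18034 and 18035, run over a constructed SAML 2.0 assertion.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample; the IdP/SP URLs are placeholders, not real endpoints.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2017-02-17T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://pam.example.test/saml/acs"
          NotOnOrAfter="2017-02-17T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-02-17T09:59:00Z" NotOnOrAfter="2017-02-17T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://pam.example.test/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """xsd:dateTime as SAML uses it ("2017-02-17T10:00:00Z"); a value with no zone is read as UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_assertion_conditions(assertion_xml, configured_issuer, valid_recipients, now=None):
    """Return [(code, message), ...] for each failed check; [] means issuer, recipient
    and validity window all passed. Signature verification (18042) is not modelled
    here and must succeed before any of these values can be trusted."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    failures = []

    issuer_el = root.find("saml:Issuer", SAML_NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer != configured_issuer:
        failures.append((18031, f"SAML assertion issuer, {issuer}, does not match configured issuer {configured_issuer}."))

    confirmation = root.find(".//saml:SubjectConfirmationData", SAML_NS)
    recipient = confirmation.get("Recipient", "") if confirmation is not None else ""
    if recipient not in valid_recipients:
        failures.append((18033, f"SAML assertion recipient, {recipient}, not recognized. Valid recipients are: {', '.join(valid_recipients)}."))

    conditions = root.find("saml:Conditions", SAML_NS)
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    received = now.isoformat()
    if not_before is not None and now < parse_saml_time(not_before):
        failures.append((18034, f"SAML assertion received by authentication service at time {received} is before SAML Not-Before Condition {not_before}."))
    # NotOnOrAfter is exclusive in SAML 2.0 core: the assertion is stale at exactly that instant.
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after):
        failures.append((18035, f"SAML assertion received by authentication service at time {received} is after SAML Not-On-Or-After Condition {not_on_or_after}."))
    return failures


if __name__ == "__main__":
    inside_window = datetime(2017, 2, 17, 10, 1, tzinfo=timezone.utc)
    stale = datetime(2017, 2, 17, 10, 5, tzinfo=timezone.utc)
    for when in (inside_window, stale):
        print(when.isoformat(), check_assertion_conditions(
            SAMPLE_ASSERTION, "https://idp.example.test/metadata",
            ["https://pam.example.test/saml/acs"], now=when))
```

Two practitioner notes: the window comparison is done on timezone-aware UTC values, so a clock-skew allowance would be added by shifting `now`, never by widening the assertion's own attributes; and an assertion from an untrusted party should be parsed with a hardened XML parser (for example defusedxml) only after its signature has been verified, since the checks above happily read issuer and recipient out of an unsigned document.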
18046 = Login failed for user <name> due to multiple active RADIUS users having the same login
name. All RADIUS users with login name <name> will be deactivated.
18047 = Login Failed. Please contact your system administrator for further assistance.
18050 = GK Authentication Daemon General Error occurred (%s). Please check if the GK auth daemon
is properly set up.
18051 = RADIUS user <name> is not registered. Contact your CA Privileged Access Manager
Administrator.
18052 = Authentication failed for RADIUS user %s. RADIUS authentication succeeded but unable to
retrieve the user's RADIUS group.
18053 = Authentication failed for RADIUS user %s. RADIUS authentication succeeded but the user's
RADIUS group changed from %s to %s. The new RADIUS group is not registered with CA Privileged
Access Manager. User account deleted.
18054 = RADIUS user %s moved from RADIUS group <name> to RADIUS group <name>.
18055 = Authentication failed for RADIUS user <name>. RADIUS authentication succeeded but the
user's RADIUS group, <name>, is not registered. User will be logged out.
18056 = Adding RADIUS user <name> to CA Privileged Access Manager failed with message(s): %s.
18058 = Unrecognized RADIUS challenge type %s. Authentication request for user <name> denied.
18059 = SAML RADIUS authentication succeeded but the RADIUS group was not passed to CA
Privileged Access Manager. User will be deleted and logged out.
18060 = Cisco SSO RADIUS user <name> moved to registered RADIUS group %s.
18062 = Verify user credentials does not support the authentication method configured for the user.
18064 = Determining the least-loaded CA Privileged Access Manager appliance for user (<name>)'s session failed. Granting the user a session on this appliance.
18065 = Invalid attempt to acquire a session on this CA Privileged Access Manager appliance as user <name> via CA Privileged Access Manager load balance redirect.
18066 = Login failed for user <name> due to multiple active RSA users having the same login name.
All RSA users with login name <name> will be deactivated.
18067 = Login Failed. Please contact your system administrator for further assistance.
18068 = User %s selected to authenticate via %s but the configured authentication method for the
user is %s.
18069 = The Active Directory user with user principal name <name> or samAccountName %s is not
registered with Xsuite.
18070 = The LDAP user with attribute %s=%s is not registered with CA Privileged Access Manager.
18071 = User <name> session is set for post-authentication load balancing to member %s. The user's
session will be destroyed on this member and resumed on member %s.
18072 = User <name> session has been post-authentication load balanced to this member. The user's
session will be resumed on this member.
18073 = User <name> failed LDAP+RSA authentication. The LDAP authentication failed.
18074 = User <name> failed LDAP+RSA authentication. The RSA authentication failed with RSA user
name <name>.
18075 = User <name> attempted to access from an unauthorized IP: %s. The only authorized
networks are [%s].
18076 = You have attempted to gain access from an invalid network. Please contact your
administrator.
18081 = LDAP authentication failed for user <name> with error code (%s) and error string (%s). The
user entered an incorrect password.
18082 = Your LDAP password has been reset. You are required to change your password.
18083 = Your LDAP password has expired. You are required to change your password.
18084 = The user's LDAP domain is not configured with CA Privileged Access Manager to use TLS and
therefore CA Privileged Access Manager will not enable the user to change their password.
18085 = User <name> logged in successfully via %s authentication but will be required to change
their password.
18086 = A user authenticated with login name <name> but a user with the specified login name is not
registered with CA Privileged Access Manager.
18087 = User <name> failed LDAP+RADIUS authentication. The LDAP authentication failed.
18088 = User <name> failed LDAP+RADIUS authentication. The RADIUS authentication failed with
RADIUS user name <name>.
18092 = Unable to approve the pending PKI user <name> for access: %s.
18100 = User $name logged in successfully via local authentication but will be required to change
their password.
18101 = A user authenticated with login name $name but a user with the specified login name is not
registered with CA Privileged Access Manager.
18103 = User $user failed LDAP+RADIUS authentication. The RADIUS authentication failed with
RADIUS user name $name2.
18107 = Unable to approve the pending PKI user <name> for access: %s.
18108 = Xsuite as a SAML RP received an authentication request for unknown SAML identity provider %s.
18110 = SAML SSO Authentication Failure: The received assertion did not include a subject name
identifier nor the userName SAML attribute.
18111 = SAML password view request out-of-sync (%s != %s): The user's internal id did not match the
id contained in the user's session.
18113 = The user was required to accept the license but canceled. Access denied.
18114 = The following group names contained in the SAML assertion do not exist in Xsuite and will be
ignored in the Just In Time provisioning of the user user_name: %s.
18122 = Attempt to approve PKI user <name> failed. Message was %s.
18123 = SAML SSO of Just-In-Time provisioned user <name> failed due to missing required attribute %s.
18124 = SAML SSO of Just-In-Time provisioned user <name> failed because the userGroup attribute
of the SAML assertion does not contain a valid Xsuite user group name. The groups specified in the
SAML assertion were: %s.
18125 = The user groups of the Just-In-Time provisioned user <name> has been updated: %s.
18126 = The user groups of the Just-In-Time provisioned user <name> has been updated: %s. The
following user groups contained in the assertion are not valid Xsuite user groups and will be ignored:
%s.
18127 = SAML SSO Authentication Failed: Updating the user groups of SAML SSO Just-In-Time
provisioned user <name> failed: %s
18128 = SAML SSO of Just-In-Time provisioned user <name> succeeded. The user's group
membership has not changed. The assertion also contained the following group names that do not
exist in Xsuite: %s.
19005 = Unauthorized attempt by user %s to view the access page for user %s.
19012 = Unable to launch AWS Management Console. If this problem persists then ask your
Administrator to investigate.
19013 = User %s attempted to launch recorded web portal %s but the mount is down. Due to the
configured security safe policy, the user's connection attempt will be denied;
19014 = User %s attempted to launch recorded web portal %s but the mount is down. Due to the
configured operational safe policy, the user's connection attempt will be granted but not recorded.;
19015 = CA Privileged Access Manager denied web portal %s's connection to host %s because it does
not match an entry in the web portal's access list.
19016 = CA Privileged Access Manager denied a request to proxy an HTTP connection to host %s
because the request could not be verified to have originated from an Xceedium browser instance.
19017 = CA Privileged Access Manager denied the user's access to web portal %s. The Xceedium
browser is not supported on the %s operating system.
19018 = CA Privileged Access Manager denied user's unauthorized access to web portal %s on host %s.
19019 = CA Privileged Access Manager unable to find connection data authorizing service %s's access
to host %s.
19020 = CA Privileged Access Manager denied the user's access to web portal %s. The Xceedium
browser requires a 32-bit JRE.
19021 = CA Privileged Access Manager denied the user's SSO access to the AWS Management Console with: invalid SSO credentials specified.
19023 = Unable to launch Office 365 portal: Error code %s: %s.
19024 = Unable to launch Office 365 portal: Office 365 parameters are not configured.
19025 = Unable to launch Office 365 portal: Login credential not found.
19100 = Access to credential denied because authorization is required. Authorization request sent.
Try again later.
19101 = Access to credential denied because the credential is already checked out by someone else.
Try again later.
19102 = Access to credential denied because authorization request is still pending. Try again later.
19103 = Unable to generate AWS proxy account. Please contact Xsuite administrator
19104 = Unable to generate NSX proxy account. Please contact Xsuite administrator
19105 = The session URL does not match with the URL triggered by the UI
19106 = Access denied because of internal failure. Please contact Xsuite administrator.
19107 = Access denied because a credential was not chosen or is not available. Please launch the
service and choose an available credential.
19108 = Access denied because dual authorization is required. If a password view request is not
pending please launch the service to create one.
19109 = Proxy was not launched because the user failed to correctly respond to the pop up in time.
20003 = Could not update or save credential. Check that the title is not already in use.
20007 = This password is a privileged password; it cannot be used for single sign-on for target device.
20009 = The credential service did not find a cryptographic encryption key. Regenerating key; existing
credentials will be lost.
20014 = Unexpected error sent by credential daemon; please contact your administrator.
23010 = Cluster must contain at least two members, including this CA Privileged Access Manager
appliance.
23011 = The IP address specified for this CA Privileged Access Manager appliance in the cluster
member list cannot be assigned to the cluster interface.
23012 = This CA Privileged Access Manager appliance must be a member of the cluster.
23013 = The subnet of the CA Privileged Access Manager appliance cluster interface is required.
23017 = The specified cluster subnet does not have enough host addresses (%s) for all cluster
members (%s).
23021 = Failed to authenticate to cluster member %s. Please confirm that the shared key has been
configured on the cluster member.
23022 = Failed to save the cluster configuration on member %s. Error(s) received: %s
23023 = Failed to save the cluster configuration on member %s. Unable to establish a connection to
the CA Privileged Access Manager appliance.
23025 = The cluster configuration values do not match for fields: %s.
23026 = Failed to start the cluster. The cluster configuration on members %s and %s are not the
same. The errors reported by %s are: %s.
23027 = Failed to start the cluster. Unable to check for consistent cluster configuration on member %s. The remote errors reported are: %s.
23028 = Failed to start the cluster. Unable to establish a connection to member %s.
23029 = Failed to start the cluster. Configuring the replication interface on member %s failed.
23030 = Failed to start the cluster. Unable to successfully ping cluster member %s.
23031 = Failed to start the cluster. Unable to retrieve hostname data from cluster member %s.
23032 = Failed to start the cluster. Unable to save hostname data on cluster member %s.
23035 = Failed to start the cluster. Unable to configure and start the cluster runtime.
23040 = The specified CA Privileged Access Manager appliance is not a member of the cluster.
23043 = The cluster interface, %s, is already in use on cluster member %s.
23044 = Unable to make a connection to the remote CA Privileged Access Manager appliance %s.
23045 = The cluster must be enabled before starting or stopping individual cluster members.
23047 = Checking the consistency of the cluster configuration across all members ...
23048 = Starting the cluster failed. Checking the cluster configuration consistency failed for %s
member(s): %s.
23051 = Assigning computed addresses to the cluster interface failed for member(s): %s.
23052 = Verifying that all cluster interfaces have been properly configured ...
23053 = Pinging all cluster members using the configured cluster interface failed for member(s): %s.
23055 = Assigning internal hostnames to cluster members failed for member(s): %s.
23061 = The cluster master is online. Starting the remaining cluster member(s) ...
23062 = Starting the cluster has failed. Unable to start the cluster master %s.
23063 = Attempt %s/%s: Waiting for %s/%s member(s) to come online ...
23066 = Starting the cluster has failed: Unable to start cluster member(s): %s.
23075 = The cluster is currently out of sync, or a node is missing. Please go to the Synchronization
page for more information.
23076 = This cluster node received a remote API call from source %s with an incorrect shared key: %s.
23077 = Unauthorized attempt to retrieve cluster logs on this node. The shared key did not match.
24003 = A potential tampering attempt has been detected, the end-user's local system may be
compromised. Account deactivated.
24008 = Your session has been terminated by a CA Privileged Access Manager administrator.
24010 = Your account has been deactivated. See your CA Privileged Access Manager administrator.
24012 = A potential tampering attempt has been detected, the end-user's local system may be
compromised. Session will be terminated.
24013 = Exceeded the maximum number of allowed violations but since this is a global administrator
account, the account will not be deactivated.
24014 = A potential tampering attempt has been detected on your system. Your session will be
terminated.
25004 = CA Privileged Access Manager license has expired and access services will be disabled on %s.
Please contact your Xceedium Account Representative.
25005 = CA Privileged Access Manager license has expired and access services are now disabled.
Please contact your Xceedium Account Representative.
25031 = There are more CA Privileged Access Manager devices than this license permits.
25032 = There are more Password devices than this license permits.
25033 = There are more A2A devices than this license permits.
25034 = New license does not permit AWS. Clear your AWS configuration before continuing.
25035 = New license does not permit mainframe access. Remove existing mainframe Access Methods before continuing.
25036 = CA Privileged Access Manager license is invalid and access services are now disabled. Please
contact your Xceedium Account Representative.
25038 = The license was not updated. There was a failure deleting the Office365 device. See the audit
log for more details.
25039 = The license was not updated. There was an error provisioning the Office365 device. See the
audit log for more details.
25040 = The license was not updated. There was a failure deleting the AWS device. See the audit log
for more details.
25041 = The license was not updated. There was an error provisioning the AWS device. See the audit
log for more details.
25042 = New license does not permit Office365. Clear your Office365 configuration before
continuing.
25043 = There are more AWS Proxy users than this license permits.
25044 = AWS Proxy license requires Access, Password, and A2A nodes.
25046 = CA Privileged Access Manager evaluation license has expired and access services will be
disabled on %s. Please contact your Xceedium Account Representative.
25047 = CA Privileged Access Manager evaluation license has expired and access services are now
disabled. Please contact your Xceedium Account Representative.
25048 = Spike (temporary) CA Privileged Access Manager license will expire on %s.
25050 = Spike CA Privileged Access Manager license has expired and access services will be disabled
on %s. Please contact your Xceedium Account Representative.
25051 = Spike CA Privileged Access Manager license has expired and access services are now
disabled. Please contact your Xceedium Account Representative.
25053 = New license does not permit VMware. Clear your VMware configuration before continuing.
25064 = More GateKeeper Devices are provisioned than are permitted by this CA Privileged Access
Manager license.
25065 = More Password Devices are provisioned than are permitted by this CA Privileged Access
Manager license.
25066 = More A2A Devices are provisioned than are permitted by this CA Privileged Access Manager
license.
25068 = Mainframe access method policies found, but not permitted by license.
25073 = AWS API Proxy license cannot be removed. There are %s user(s) with the AwsApiProxy
privilege.
25074 = AWS API Proxy capabilities in use, but not permitted by license.
25081 = SafeNet HSM must be removed before Thales HSM may be licensed.
25082 = Thales HSM must be removed before SafeNet HSM may be licensed.
25083 = Only one type of HSM (SafeNet, Thales) may be specified in a license.
25084 = The license was not updated. There was a failure setting up VMware. See the audit log for
more details.
25085 = The license was not updated. There was a failure shutting down VMware. See the audit log for more details.
25086 = Upgrade failed. Please review the audit log and then perform a system recovery.
25087 = Failed to install API key infrastructure. Please check the logs to find the problem and reapply
the license.
25088 = The license was not updated. External API feature was not added. Please check the logs to
find the problem and reapply the license.
25089 = The license was not updated. External API feature not removed. Existing client API keys may
need to be deleted.
25094 = AWS Proxy Account cannot be generated. There are more AWS proxy accounts than license
permits;
25095 = NSX Proxy Account cannot be generated. There are more NSX proxy accounts than license
permits;
25096 = The license was not updated. Uploaded license file could not be verified or read.
25098 = The BAP special user is deleted when the BAP is no longer licensed, and may not be deleted
otherwise.
25100 = The license was not updated. Behavior Analytics feature was not added. Please check the
logs to find the problem and reapply the license.
25101 = The license was not updated. Behavior Analytics feature not removed. Please check the logs
to find the problem and reapply the license.
26002 = Error trying to provision CA Privileged Access Manager for SafeNet HSM.
26004 = Attempt to remove the SafeNet HSM configuration failed due to the passwords currently
being re-encrypted
26013 = Success inserting the encrypted cipher key into the LunaPCI-E device
26019 = Failed to secure the partition password for the LunaPCI-E partition
26020 = Failed to log into the partition with the supplied password
26021 = Failed to generate the cypher key during the initial activation
26022 = Success activating the LunaPCI-E device on this non primary clustered CA Privileged Access
Manager
26023 = Success activating the LunaPCI-E device on this primary clustered CA Privileged Access
Manager
26024 = Success activating the LunaPCI-E device on this standalone CA Privileged Access Manager
27003 = Transparent Login Configuration name cannot be longer than 128 characters.
27007 = The given Transparent Login Configuration is used by one or several RDP applications.
27015 = Invalid Application Fingerprint. Only the following characters are allowed for fingerprint: 0-9
A-F.
27016 = Transparent Login Configurations for RDP Application %s do not exist, or the Transparent
Login section contains invalid data (Window Titles: %s).
27017 = Transparent Login Window with the title '%s' already exists for this RDP application.
27018 = Login failed for user %s due to multiple active TACACS+ users having the same login name.
All TACACS+ users with login name %s will be deactivated.
27019 = Login Failed. Please contact your system administrator for further assistance.
27020 = TACACS+ user %s moved from TACACS+ group %s to TACACS+ group %s.
27021 = Authentication failed for TACACS+ user %s. TACACS+ authentication succeeded but the user's
TACACS+ group changed from %s to %s. The new TACACS+ group is not registered with Xsuite. User
account deleted.
27023 = Authentication failed for TACACS+ user %s. TACACS+ authentication succeeded but unable to
retrieve the user's TACACS+ group.
28002 = Unable to retrieve AWS proxy account. Please contact Xsuite administrator.
28003 = Unable to retrieve NSX proxy account. Please contact Xsuite administrator.
32004 = This upgrade requires a reboot of the system. Please stop the cluster before proceeding with
the upgrade
32006 = Backup of the appliance takes time. Please be patient and wait until it reboots.<br/>The LCD
will show the message <b>System backup! Please wait!</b><br/> Wait until the normal operation
message shows on the LCD then log in again and resume work in your browser.
32007 = Recovery of the appliance takes time. Please be patient and wait until it reboots.<br/>The LCD
will show the message <b>System backup! Please wait!</b><br/> Wait until the normal operation
message shows on the LCD then log in again and resume work in your browser.
33004 = CA Privileged Access Manager is collecting and analyzing limited information about your
client system and sessions
Log Formats
Metric Log Entries
Metric log entries represent functions that take non-trivial time and must be recorded as successes or
failures, such as login attempts and password changes.
Each metric log entry contains an object that has a number of built-in fields. These fields are applied
as tag names. They might also, and usually do, have 'extended' attributes that are object specific. For
example, target accounts use extended attributes to store information that depends on the type of
account, while fields store information common to all target accounts. Extended attributes are
stored within a tag as 'k' and 'v' pairs: the 'k' element identifies the attribute name and the 'v'
element identifies the attribute value.
type: Type of metric, for example: login, password change. This also determines what the
'description' field contains.
errorCode: If the operation failed, the error code identifying the reason for the failure is identified
here. 0 = Success
adminUserId: This identifies the user (not necessarily an administrator) that performed the
activity in question.
success: This identifies whether the operation was successful. If not, the errorCode field identifies
why not.
description: This field contains an embedded field (typically a hashmap) representing details
specific to the type of metric.
An example Credential Management metric log entry that ordinarily appears as a string:
</c.cw.m.at>
<c.cw.m.at>
<bm.id>1005</bm.id>
<bm.cd>1473152059000</bm.cd>
<bm.cu>super</bm.cu>
<bm.ud>1473152881000</bm.ud>
<bm.uu>super</bm.uu>
<bm.ha>Wpkmh+aP00rWk/Are28s57Mjowo=</bm.ha>
<at.na>descriptor2</at.na>
<at.ob.id>1004</at.ob.id>
<at.ob.cl>c.cw.m.ts</at.ob.cl>
</c.cw.m.at>
</bm.at.li>
<hn>123.123.123.000</hn>
<ip>123.123.124.000</ip>
<dn>redhat</dn>
</c.cw.m.ts>
bm = baseModel, which is the parent of all object types. This is found in all objects for their
common attributes.
For example, this may be a target account id or the target server id or the PVR id.
A log of metric entries specifies only the id, not the name. The session log entries are
comprehensive, so you can find an id when given the name.
ts = Target server
tp = Target application
rs = Request server
sc = Script
sp = System property
us = User
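The metric entry layout described above, turned into a small parser that extracts the built-in fields (type, errorCode, adminUserId, success, description) and the 'k'/'v' extended attributes, then summarises failed operations per user and error code so that repeated failures are easy to spot in a review. This is an added example, not code from CA or from the product documentation: the <metric> and <attr> tag names and the sample entries are assumptions constructed for illustration, and the error text comes from the message list on this page.

```python
"""Parse metric log entries (constructed sample, assumed tag layout) and
summarise failed operations by error code."""
import xml.etree.ElementTree as ET
from collections import Counter

# Error codes and text taken from the message list on this page; used only to label output.
ERROR_TEXT = {
    0: "Success",
    11: "Invalid password.",
    12: "Login failed.",
    15: "Account suspended.",
    4355: "Password does not contain any uppercase characters. See password policy.",
}

# Constructed sample. ASSUMPTION: the built-in fields named in the text appear as child
# tags of a <metric> element, and extended attributes as <attr><k>..</k><v>..</v></attr>.
SAMPLE_LOG = """<metrics>
  <metric>
    <type>login</type><errorCode>0</errorCode><adminUserId>super</adminUserId>
    <success>true</success><description>console login</description>
    <attr><k>sourceIp</k><v>10.0.0.5</v></attr>
  </metric>
  <metric>
    <type>login</type><errorCode>11</errorCode><adminUserId>alice</adminUserId>
    <success>false</success><description>console login</description>
    <attr><k>sourceIp</k><v>10.0.0.9</v></attr>
  </metric>
  <metric>
    <type>login</type><errorCode>11</errorCode><adminUserId>alice</adminUserId>
    <success>false</success><description>console login</description>
    <attr><k>sourceIp</k><v>10.0.0.9</v></attr>
  </metric>
  <metric>
    <type>passwordChange</type><errorCode>4355</errorCode><adminUserId>bob</adminUserId>
    <success>false</success><description>target account 1004</description>
    <attr><k>targetAccountId</k><v>1004</v></attr><attr><k>targetServerId</k><v>1005</v></attr>
  </metric>
</metrics>"""


def parse_metric(elem):
    """Turn one <metric> element into a dict of built-in fields plus an 'ext' map of k/v pairs."""
    def text(tag, default=""):
        child = elem.find(tag)
        return child.text.strip() if child is not None and child.text else default

    entry = {
        "type": text("type"),
        "errorCode": int(text("errorCode", "0")),
        "adminUserId": text("adminUserId"),
        "success": text("success").lower() == "true",
        "description": text("description"),
        "ext": {},
    }
    for attr in elem.findall("attr"):
        k, v = attr.find("k"), attr.find("v")
        if k is not None and v is not None:
            entry["ext"][k.text.strip()] = (v.text or "").strip()
    # success and errorCode must agree (0 = Success); flag entries where they do not.
    entry["consistent"] = entry["success"] == (entry["errorCode"] == 0)
    return entry


def parse_log(xml_text):
    """Parse every <metric> element in the document, in order."""
    root = ET.fromstring(xml_text)
    return [parse_metric(m) for m in root.iter("metric")]


def failure_summary(entries):
    """Count failed operations per (type, adminUserId, errorCode) with the message text attached."""
    counts = Counter(
        (e["type"], e["adminUserId"], e["errorCode"]) for e in entries if not e["success"]
    )
    return {
        key: {"count": n, "message": ERROR_TEXT.get(key[2], "unknown code")}
        for key, n in counts.items()
    }


if __name__ == "__main__":
    for key, info in failure_summary(parse_log(SAMPLE_LOG)).items():
        print(key, info)
```

On the constructed sample the summary reports two "Invalid password." failures for alice from the same source address and one password-policy failure for bob; entries whose success flag disagrees with errorCode are marked consistent = False so they can be reviewed separately.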
Message Lists
Message Codes Listed in Documentation
The code list at the last update is provided in Credential Manager Error Codes and Messages (see
page 193).
For improved readability of the output, CA Technologies, Inc. recommends that you direct the XML
structure to a separate file and then open it with an XML editor.
Example
This example directs the output of the getErrorCodes CLI command to a file called
error_codes.xml.
error.entityNotCorrectType=The retrieved entity of type {0} does not match the expected type of
{1}
error.code.11=Invalid password.
error.code.12=Login failed.
error.code.15=Account suspended.
error.code.22=Authorization failed. User {0} does not have permission for this action.
error.code.26=Authorization failed. User {0} does not have permission for this entity.
error.code.32=Success. {Warning: Approaching license limit; you may need to upgrade your
license.}
error.code.406=An error occurred; if this problem persists then please ask your Administrator to
investigate.
error.code.434=Invalid username.
error.code.447=Authorization mapping validation error. Invalid file path specified for request
script.
error.code.449=Authorization mapping validation error. Missing hash value for request script.
error.code.452=Primary site is unavailable. Any workflow tasks associated with the account's
password view policy (dual authorization, change password, or checkin/checkout) have not been
performed.
error.code.801=Invalid status.
error.code.802=Approval process failure. Please ask your Administrator to investigate the issue.
error.code.993=Delete failed. No user group would leave users without user groups or roles.
error.code.1012=Duplicate IP address.
error.code.1025=Key has already been changed. Waiting for request server to accept new key.
error.code.1033=Cannot change the request server for this request script. Existing authorizations
reference this script.
error.code.1040=Invalid user view type specified. Valid values are admin or general.
error.code.1044=The specified user is an email notifier of a password view policy and cannot be
deleted.
error.code.1048=Application error.
error.code.1069=Target server cannot be deleted because it has target account(s) owned by user
(s).
error.code.1081=active parameter not specified, or is incorrect. Valid values are true or false.
error.code.1102=Cannot assign user(s) for email notification if they are missing an email address.
error.code.1306=Account discovery service class not found in target application configuration file.
error.code.1502=A problem occurred during archive. Not all records were archived. Please run
the command again.
error.code.1601=Failed to verify password with target. If this problem persists then please ask
your Administrator to investigate.
error.code.1604=Authentication failed.
error.code.1606=Account is unsynchronized.
error.code.1701=Role is read-only.
error.code.2302=This job will never run, the specified start date/time is in the past.
error.code.3305=The specified password view policy has "change password on view" enabled, but
the account is unsynchronized.
error.code.3315=The specified password view policy has "change password on SSO" enabled, but
the account is unsynchronized.
error.code.3401=Target alias name must consist only of characters [a-z A-Z 0-9 ~ \! @ \# $ % ^ . \:
_ - + = \\ /].
error.code.3501=Request Server does not exist or has never connected to Password Authority
Server.
error.code.3907=Role is read-only.
error.code.3959=Group is read-only.
US 121 Messages
error.code.4118=Invalid e-mail subject for Password View.
US 120 Messages
error.code.4120=Invalid e-mail subject for Expired Password View Request.
US 91 Messages
error.code.4124=Invalid e-mail subject for Report Results.
error.code.4207=Release now only supported for request servers of version 4.5.2 and up.
error.code.4309=Password policy special characters cannot contain XML characters (> < & ' ").
error.code.4317=Select at least one character set in the 'First Must Contain' category.
error.code.4318=First upper case character conflicts with no upper case characters anywhere.
error.code.4319=First lower case character conflicts with no lower case characters anywhere.
error.code.4329=Some first special characters are not allowed anywhere in the password.
error.code.4332=No valid first upper case characters available. All have been excluded.
error.code.4333=No valid first lower case characters available. All have been excluded.
error.code.4334=No valid first numeric characters available. All have been excluded.
error.code.4335=No valid first special characters available. All have been excluded.
error.code.4336=No valid upper case characters available. All have been excluded.
error.code.4337=No valid lower case characters available. All have been excluded.
error.code.4355=Password does not contain any uppercase characters. See password policy.
error.code.4356=Password does not contain any lowercase characters. See password policy.
error.code.4357=Password does not contain any numeric characters. See password policy.
error.code.4358=Password does not contain any special characters. See password policy.
error.code.4373=Cannot reuse a password from the last number of days specified in password
policy.
error.code.4374=Need to add a required character of a specific type, but not enough characters
available.
error.code.4411=Invalid value for 'First must contain upper case characters' boolean.
error.code.4412=Invalid value for 'First must contain lower case characters' boolean.
error.code.4437=You are not allowed to update your own password view request.
error.code.4447=SSO type value is not supported. Valid values are 'Any', 'WebBrowser', 'SSH',
'RDP', 'VNC', 'AWSAPI', 'NSXAPI', 'Telnet', or 'Other'.
error.code.4605=Invalid value for change password on view was specified. Valid values are "true"
or "false".
error.code.4606=Invalid value for change password interval was specified. Numeric value
between 1 and 525600 must be specified.
error.code.4607=Invalid value for checkout / checkin required was specified. Valid values are
"true" or "false".
error.code.4608=Invalid value for checkout / checkin interval was specified. Numeric value
between 1 and 525600 must be specified.
error.code.4609=Invalid value for dual authorization required was specified. Valid values are
"true" or "false".
error.code.4610=Invalid value for dual authorization interval was specified. Numeric value
between 1 and 525600 must be specified.
error.code.4616=Password view policy approvers are not able to access the target account(s) that
use this policy.
error.code.4617=One or more of the approvers in this policy are unable to update password view
requests.
error.code.4624=You have a pending request to view this account password that has not been
approved yet.
error.code.4625=This account has dual authorization enabled. A request for authorization to view
the password has been e-mailed to the approvers of this account on your behalf.
error.code.4627=Your account password request has been approved, but you are outside the
approval period.
error.code.4628=Password view policy has "change password on view" enabled, but the account
is unsynchronized. Password will not be changed.
error.code.4629=The specified status is invalid. Allowed values for Dual Authorization are
approved(1), denied(2), pending(3), expiredapproved(6), or expiredpending(8). For Check-out/
Check-in the values are checkout(4), checkedin(5).
error.code.4630=Invalid value for authentication required was specified. Valid values are "true"
or "false".
error.code.4631=The above error occurred updating the account password, but the account has
still been checked in.
error.code.4634=Invalid value for email notification required was specified. Valid values are
"true" or "false".
error.code.4637=Start and/or end date is outside the maximum allowable request period.
Requests cannot be made more than {0} days in the future.
error.code.4640=The default password view request interval must be equal or less than the
maximum password view request interval.
error.code.4656=The operation is allowed only on the primary domain controller of the domain.
error.code.4661=Unable to update the password. The provided new password does not meet the
length, complexity, or history requirement of the domain.
error.code.4663=Configuration information could not be read from the domain controller, either
because the machine is unavailable, or access has been denied.
error.code.4672=Password Authority Windows Proxy error - Specified database does not exist.
error.code.4673=Password Authority Windows Proxy error - Data area passed to a system call is
too small.
error.code.4693=Invalid value for "Reason Required For View" was specified. Valid values are
"true" or "false".
error.code.4694=Invalid value for "Reason Required For Auto-Connect" was specified. Valid
values are "true" or "false".
error.code.4696=Reason Required For View and Reason Required For Auto-Connect are required
when Service Desk integration is specified.
error.code.4698=Password view policy has "Change Password on Auto-Connect" enabled, but the
account is unsynchronized. Password will not be changed.
error.code.4699=Invalid value for allow "Change Password on Auto-Connect" was specified. Valid
values are "true" or "false".
error.code.4712=Invalid key
error.code.4911=Cannot provision a secondary site until the primary site has been provisioned.
error.code.4951=Secondary site out of sync with primary. Secondary site has higher replication
record than primary.
error.code.4955=Primary site error while processing secondary site request (class not found).
error.code.4956=Primary site error while processing secondary site request (execute command
request).
error.code.4957=Primary site error while processing secondary site request (proxy command
requests).
error.code.5001=Account is locked
error.code.5003=Account is expired
<error code="5056">The operation is allowed only on the primary domain controller of the
domain.</error>
<error code="5058">Password error. (The password could be too short, be too long, be too
recent in its change history, not have enough unique characters, or not meet another password
policy requirement.)</error>
<error code="5060">Could not find the domain controller for the domain.</error>
<error code="5061">Unable to update the password. The value provided for the new password
does not meet the length, complexity, or history requirement of the domain.</error>
<error code="5063">Configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied.</error>
<error code="5073">Agent error - The data area passed to a system call is too small.</error>
<error code="5081">Host name and service name must have 1 to 100 characters and must not
contain special characters.</error>
<error code="5100">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>
<error code="5103">Failed to update the account credentials. Review the log file for further
information or else contact your Administrator.</error>
<error code="5104">Failed to verify the account credentials. Review the log file for further
information or else contact your Administrator.</error>
<error code="5105">Cannot use another account's credentials to verify this account's credentials;
the operation is not supported.</error>
<error code="5106">Failed to enter into privileged EXEC mode. Review the log file for further
information or else contact your Administrator.</error>
<error code="5122">An invalid SSH port number was specified; the value must be in the range 0..
65535.</error>
<error code="5124">Must NOT specify list of key exchange algorithms because default algorithms
will be used instead.</error>
<error code="5126">Must NOT specify list of compression algorithms because default algorithms
will be used instead.</error>
<error code="5128">Must NOT specify list of server host key algorithms because default
algorithms will be used instead.</error>
<error code="5129">An invalid Telnet port number was specified; the value must be in the range
0..65535.</error>
<error code="5130">An invalid SSH communication timeout was specified; the value must be in
the range 1000..99999.</error>
<error code="5132">An invalid script processor read timeout was specified; the value must be in
the range 1000..59999.</error>
<error code="5138">Must NOT specify list of ciphers because default ciphers will be used instead.
</error>
<error code="5139">An invalid Telnet communication timeout was specified; the value must be
in the range 1000..99999.</error>
<error code="5141">Must NOT specify list of hashes because default ciphers will be used instead.
</error>
<error code="5173">The value assigned to the 'pwType' attribute must be 'user' or 'privileged'.</error>
<error code="5176">Must specify whether or not to change the Console password.</error>
<error code="5181">The value assigned to the 'numVTYPorts' attribute must be an integer in the
range 1..15.</error>
<error code="5200">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>
<error code="5242">Must specify whether the account will be verified through another account.</error>
<error code="5250">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>
<error code="5251">An invalid LDAP connect timeout was specified; the value must be in the
range 1000..99999.</error>
<error code="5252">An invalid LDAP read timeout was specified; the value must be in the range
1000..99999.</error>
<error code="5255">An invalid port number was specified; the value must be in the range 0..
65535.</error>
<error code="5301">An invalid port number was specified; the value must be in the range 0..
65535.</error>
<error code="5304">Incorrect value specified for racService attribute. Valid values are true or
false.</error>
<error code="5305">Incorrect value specified for sysdbaAccount attribute. Valid values are true
or false.</error>
<error code="5306">Incorrect value specified for replaceSyntax attribute. Valid values are true or
false.</error>
<error code="5315">Failed to synchronize Crystal Reports credentials. See logs for details.</error>
<error code="5513">Communication failure. The target server must be SQL Server 2000 or later.</error>
<error code="5514">Invalid character in password. Single quotation mark (') is not a valid
password character.</error>
<error code="5515">Failed to synchronize Crystal Reports credentials. See logs for details.</error>
<error code="5342">Unable to verify the password; failed to connect to the target server.</error>
<error code="5604">Invalid timeout value specified for update script in target application.</error>
<error code="5607">Invalid timeout value specified for verify script in target application.</error>
<error code="5757">Error updating service credentials. See log for more information</error>
<error code="5759">Error updating password in Active Directory. Service credentials for this
account (if any) were not updated.</error>
<error code="5769">An error occurred when discovering accounts on the domain controller.</error>
<error code="5772">Error updating task credentials. See log for more information</error>
<error code="5773">An invalid LDAP connect timeout was specified; the value must be in the
range 1000..99999.</error>
<error code="5774">An invalid LDAP read timeout was specified; the value must be in the range
1000..99999.</error>
Error Code Messages for Remedy Target Manager Connector (5800 through 5819)
<error code="5800">Change process not specified.</error>
<error code="5963">An invalid SSH communication timeout was specified; the value must be in
the range 1000..99999.</error>
<error code="5964">An invalid script processor read timeout was specified; the value must be in
the range 1000..59999.</error>
<error code="5966">An invalid UID/GID number was specified; the value must be in the range 0..
65535.</error>
<error code="5973">Failed to synchronize Crystal Reports credentials. See logs for details.</error>
<error code="5976">Must specify whether the account will be verified through another account.</error>
<error code="5988">Must NOT specify list of ciphers because default ciphers will be used instead.
</error>
<error code="5990">An invalid Telnet communication timeout was specified; the value must be
in the range 1000..99999.</error>
<error code="5995">Failed to update the account credentials. Review the log file for further
information or else contact your Administrator.</error>
<error code="5996">Failed to verify the account credentials. Review the log file for further
information or else contact your Administrator.</error>
<error code="5998">Must NOT specify list of hashes because default ciphers will be used instead.
</error>
<error code="6014">Failed to update account. Access violation for account. Check target server
or host_name qualifier.</error>
<error code="6104">The Access Key ID must be composed of upper case letters and digits and must be
20 characters in length.</error>
<error code="6105">The Secret Access Key must be composed of alphanumeric, "+" and "/"
characters and must be 40 characters in length.</error>
<error code="6106">The uploaded EC2 Private Key file does not contain a PEM-formatted
certificate.</error>
<error code="6109">The X.509 certificate file name must match the pattern "pk-[A-Z0-9]{32}.pem". Example: "pk-4QUDAEWQENET2S22ABOOJ4BMUN6AUZY5.pem"</error>
<error code="6110">A PEM-formatted certificate file containing the EC2 Private Key must be
uploaded.</error>
<error code="6114">A Key Pair Name may be specified only when the Credential Type is EC2
Private Key.</error>
<error code="6116">The EC2 Instance User Name is formatted incorrectly or it contains the
disallowed "@" character.</error>
<error code="6117">The Key Pair Name may not contain the "@" character.</error>
<error code="6121">AWS access role name only allows alphanumeric and '+=,.@-' characters</error>
<error code="6125">Failed to update AWS Access credentials. Please contact your Administrator.</error>
<error code="6126">Failed to verify AWS Access credentials. Please contact your Administrator.</error>
<error code="6130">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>
<error code="6131">Attempted to create resources beyond the current AWS account limits.
Please contact your system administrator.</error>
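The messages above document the server-side shape checks for target-application fields (port and timeout ranges, the `pwType` and `numVTYPorts` attributes, the SQL Server single-quote rule, and the AWS Access Key ID, Secret Access Key, `pk-*.pem` file name, key pair name and role name formats). The following pre-flight validator is an added example, not code from the CA PAM product or its API: it mirrors those rules client-side and reports the documented error code each violation would trigger, so an automation job can reject a bad request before it reaches the appliance. The field names (`sshPort`, `accessKeyId`, `sqlPassword`, ...) are assumed for the example; only `pwType` and `numVTYPorts` are attribute names the page actually quotes.

```python
import re
from typing import Dict, List, Tuple

# Shape rules taken from the error messages on this page. The regexes are
# exactly the constraints the messages state; nothing stricter is imposed.
ACCESS_KEY_ID_RE = re.compile(r"^[A-Z0-9]{20}$")        # 6104
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{40}$")      # 6105
PK_FILE_RE = re.compile(r"^pk-[A-Z0-9]{32}\.pem$")      # 6109
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@-]+$")      # 6121

# (field, documented error code, message)
Finding = Tuple[str, int, str]


def _in_range(value: object, lo: int, hi: int) -> bool:
    # bool is a subclass of int; reject it so that True cannot pass as port 1.
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi


def _matches(rx: "re.Pattern[str]", value: object) -> bool:
    return isinstance(value, str) and rx.match(value) is not None


def validate(fields: Dict[str, object]) -> List[Finding]:
    """Check only the fields that are present; return every violation found."""
    findings: List[Finding] = []

    def check(field: str, ok: bool, code: int, message: str) -> None:
        if field in fields and not ok:
            findings.append((field, code, message))

    f = fields  # assumed field names, see lead-in
    check("sshPort", _in_range(f.get("sshPort"), 0, 65535), 5122,
          "SSH port must be in the range 0..65535")
    check("telnetPort", _in_range(f.get("telnetPort"), 0, 65535), 5129,
          "Telnet port must be in the range 0..65535")
    check("sshTimeout", _in_range(f.get("sshTimeout"), 1000, 99999), 5130,
          "SSH communication timeout must be in the range 1000..99999")
    check("scriptReadTimeout", _in_range(f.get("scriptReadTimeout"), 1000, 59999), 5132,
          "script processor read timeout must be in the range 1000..59999")
    check("pwType", f.get("pwType") in ("user", "privileged"), 5173,
          "pwType must be 'user' or 'privileged'")
    check("numVTYPorts", _in_range(f.get("numVTYPorts"), 1, 15), 5181,
          "numVTYPorts must be an integer in the range 1..15")
    pw = f.get("sqlPassword")
    check("sqlPassword", isinstance(pw, str) and "'" not in pw, 5514,
          "single quotation mark (') is not a valid SQL Server password character")
    check("uid", _in_range(f.get("uid"), 0, 65535), 5966,
          "UID/GID must be in the range 0..65535")
    check("accessKeyId", _matches(ACCESS_KEY_ID_RE, f.get("accessKeyId")), 6104,
          "Access Key ID must be 20 upper case letters or digits")
    check("secretAccessKey", _matches(SECRET_KEY_RE, f.get("secretAccessKey")), 6105,
          "Secret Access Key must be 40 characters of [A-Za-z0-9+/]")
    check("privateKeyFile", _matches(PK_FILE_RE, f.get("privateKeyFile")), 6109,
          'file name must match "pk-[A-Z0-9]{32}.pem"')
    kp = f.get("keyPairName")
    check("keyPairName", isinstance(kp, str) and "@" not in kp, 6117,
          'Key Pair Name may not contain "@"')
    check("roleName", _matches(ROLE_NAME_RE, f.get("roleName")), 6121,
          "role name only allows alphanumeric and '+=,.@-' characters")
    return findings


if __name__ == "__main__":
    # Constructed input; the key values are dummies of the right shape only.
    for field, code, msg in validate({"sshPort": 70000, "keyPairName": "ops@prod"}):
        print(f"{field}: error {code}: {msg}")
```

Run the validator over a request body before submitting it; an empty list means every present field satisfies the documented rule. The 5514 rule is worth wiring into whatever generates passwords for SQL Server targets as well, since a generated password containing `'` will fail at rotation time rather than at configuration time.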
<error code="6303">Login account not found. Check login info specified in nisConnector.properties.</error>
<error code="6527">An unknown error occurred; please consult the server log or contact your
Administrator.</error>
<error code="6529">Failed to update password; the target device is currently in use by another
user.</error>
<error code="6530">Failed to connect to the target device; a timeout occurred while waiting to
connect.</error>
<error code="6532">A communications error occurred while receiving data from the target
device.</error>
<error code="6551">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>
<error code="6554">Failed to update account credentials. Review the log file for further
information or else contact your Administrator.</error>
<error code="6555">Failed to verify account credentials. Review the log file for further
information or else contact your Administrator.</error>
<error code="6580">An invalid SSH port number was specified; the value must be in the range 0..
65535.</error>
<error code="6600">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>
<error code="6603">Failed to enter privilege mode. Review the log file for further information or
else contact your Administrator.</error>
<error code="6604">Failed to update account credentials. Review the log file for further
information or else contact your Administrator.</error>
<error code="6605">Failed to enter configuration mode. Please try again. If the problem persists,
contact your Administrator.</error>
<error code="6606">Failed to verify account credentials. Review the log file for further
information or else contact your Administrator.</error>
<error code="6630">An invalid SSH port number was specified; the value must be in the range 0..
65535.</error>
<error code="6660">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>
<error code="6670">Failed to update AWS account credentials. Please contact your Administrator.</error>
<error code="6671">Failed to verify AWS account credentials. Please contact your Administrator.</error>
<error code="6672">Password did not meet the requirements imposed by the account password
policy. Please contact your Administrator.</error>
<error code="6673">Account is temporarily unmodifiable. Please try again after waiting several
minutes or contact your Administrator.</error>
<error code="6674">Current account does not exist. Please contact your Administrator.</error>
<error code="6675">Trying to create resources beyond the current AWS account limits. Please
contact your Administrator.</error>
<error code="6700">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>
<error code="6703">Failed to update account credentials. Review the log file for further
information or else contact your Administrator.</error>
<error code="6704">Failed to verify account credentials. Review the log file for further
information or else contact your Administrator.</error>
<error code="6705">Cannot verify account's credentials for non Privilege account type; the
operation is not supported.</error>
<error code="6706">Cannot update account's credentials for non Privilege account type; the
operation is not supported.</error>
<error code="6720">An invalid SSH port number was specified; the value must be in the range 0..
65535.</error>
<error code="6721">An invalid SSH communication timeout was specified; the value must be in
the range 1000..99999.</error>
<error code="6722">An invalid script processor read timeout was specified; the value must be in
the range 1000..59999.</error>
Error Code Messages for Remedy View Password Plugin (13000 - 13099)
error.code.13000=A Remedy server must be specified.
error.code.13005=Remedy server specified in the password view policy could not be found.
error.code.13006=Remedy application specified in the password view policy could not be found.
error.code.13007=Remedy account specified in the password view policy could not be found.
Error Code Messages for ServiceNow View Password Plugin (13100 - 13199)
error.code.13105=ServiceNow server specified in the password view policy could not be found.
error.code.13107=ServiceNow account specified in the password view policy could not be found.
Error Code Messages for CA SDM View Password Plugin (13200 - 13299)
error.code.13200=A CA SDM server must be specified.
error.code.13209=CA SDM server specified in the password view policy could not be found.
error.code.13210=CA SDM application specified in the password view policy could not be found.
error.code.13211=CA SDM account specified in the password view policy could not be found.
Error Code Messages for Salesforce Service Cloud View Password Plugin (13400 - 13499)
error.code.13400=A Salesforce Service Cloud server must be specified.
error.code.13411=Salesforce Service Cloud server specified in the password view policy could not
be found.
error.code.13413=Salesforce Service Cloud account specified in the password view policy could
not be found.
error.code.13417=Could not retrieve the ticket from the Salesforce Service Cloud system.
Error Code Messages for HP Service Manager View Password Plugin (13500 - 13599)
error.code.13500=An HP Service Manager server must be specified.
error.code.13508=HP Service Manager server specified in the password view policy could not be
found.
error.code.13509=HP Service Manager application specified in the password view policy could not
be found.
error.code.13510=HP Service Manager account specified in the password view policy could not be
found.
error.code.13514=Could not retrieve the ticket from the HP Service Manager system.
error.code.15005=An invalid session duration was specified; the allowed range is 3600 - 129600
seconds.
error.code.15009=The AWS client reports that corrupted data was received from the AWS server;
the error message is: {0}
error.code.15010=The AWS client reports that communications with the AWS server failed; the
error message is: {0}
error.code.15012=The AWS service reported a problem; the error message is: {0}
error.code.15013=The requested operation is not allowed on the AWS Access Credentials Target
Application.
error.code.15016=The specified federated user name is incompatible with AWS; it contains too
few characters.
error.code.15017=The specified federated user name is incompatible with AWS; it contains too
many characters.
error.code.15021=The requested operation is not allowed on the AWS API Proxy Credentials
Target Account.
error.code.15100=Delete Check: the requested operation would delete an existing Target Server
with ID: {0}
error.code.15101=Delete Check: the specified host name corresponds to one or more deleted
Target Server(s): {0}
error.code.15102=Delete Check: the specified host name does not correspond to any existing or
deleted Target Server(s): {0}
error.code.15105=Delete Check: the requested operation would delete an existing Request Server
of type CLIENT or AGENT with ID: {0}
error.code.15106=Delete Check: the specified host name corresponds to one or more deleted
Request Server(s) of type {1}: {0}
error.code.15107=Delete Check: the specified host name does not correspond to any existing or
deleted Request Server(s) of type {1}: {0}
error.code.15111=Delete Check: the specified ID does not correspond to any existing or deleted
Target Server(s): {0}
Extension Manager: Common Channel and Processor Target Connector API (15200 - 15299)
error.code.15200=Failed to process a target connector script. Refer to the log file for further
information.
error.code.15204=An error occurred while processing a target connector script. The Target
Account specifies an unrecognized password change method.
error.code.15205=An error occurred while processing a target connector script. The Target
Account specifies an unsupported protocol.
error.code.15206=An error occurred while configuring the communications channel. The Target
Account specifies an unsupported protocol.
error.code.15207=Failed to find {0} pattern(s) while reading from the communications channel:
{1}
error.code.15208=An error occurred while configuring the script processor. Failed to retrieve a
Target Account with ID {0}.
error.code.15209=An error occurred while configuring the script processor. The Target Account
specifies another account should be used for authentication and/or verification but no value is
assigned to the other account attribute.
error.code.15213=An error occurred while configuring the script processor. An invalid pattern
was specified for the password entry prompt.
error.code.15214=An error occurred while configuring the script processor. An invalid pattern
was specified for the password confirmation prompt.
error.code.15215=An error occurred while configuring the script processor. An invalid pattern
was specified for the password change prompt.
error.code.15216=An error occurred while configuring the script processor. An invalid pattern
was specified for the user name entry prompt.
error.code.15218=An error occurred while configuring the script processor. Failed to retrieve a
Target Account with ID {0}.
error.code.15219=An error occurred while configuring the script processor. The Target Account
specifies another privileged account should be used but no value is assigned to the other
privileged account attribute.
error.code.15220=A problem occurred while executing the script processor. Please try your
request again or contact your Administrator.
Extension Manager: Common Channel and Processor Target Connector UI (15300 - 15399)
error.code.15300=Cannot read the revised update script file. Verify the filename and ensure the
patch obtained from Customer Support has been applied.
error.code.15301=Cannot read the revised verify script file. Verify the filename and ensure the
patch obtained from Customer Support has been applied.
error.code.15302=An invalid filename was specified for the revised update script file. Verify the
filename or else contact Customer Support to obtain the correct filename.
error.code.15303=An invalid filename was specified for the revised verify script file. Verify the
filename or else contact Customer Support to obtain the correct filename.
error.code.15304=Must choose the filename of the revised update script if any are available. Only
use this field if instructed to do so by Customer Support.
error.code.15305=Must choose the filename of the revised verify script if any are available. Only
use this field if instructed to do so by Customer Support.
error.code.15306=An invalid regular expression was specified to match the Password Change
prompt.
error.code.15315=Must specify a replacement update script. Only use this field if instructed to do
so by Customer Support.
error.code.15316=Must specify a replacement verify script. Only use this field if instructed to do
so by Customer Support.
error.code.15319=An invalid regular expression was specified to match the Password Entry
prompt.
error.code.15320=An invalid regular expression was specified to match the User Name Entry
prompt.
error.code.15402=The Security Token Service endpoint URL is missing from the request.
error.code.15404=The Security Token Service endpoint reference URI is missing from the request.
error.code.15412=Failed to retrieve token request response from the Security Token Service.
error.code.15501=The specified SSH Key Pair Policy ID is invalid; it must be an integer greater
than zero.
error.code.15503=The specified SSH Key Pair Policy name is invalid; it must consist of characters
[a-z, A-Z, 0-9].
error.code.15504=The specified SSH Key Pair Policy name is too long; reduce the number of
characters that it contains.
error.code.15506=The SSH Key Pair Policy description is invalid; it must consist of characters [a-z,
A-Z, 0-9].
error.code.15507=The SSH Key Pair Policy description is too long; reduce the number of
characters that it contains.
error.code.15509=The specified SSH Key Pair Policy key type is invalid; it must be RSA or DSA.
error.code.15514=The specified SSH Key Pair type and length are not compatible.
error.code.15516=Failed to load an SSH Key Pair Policy having the specified ID or Name.
error.code.15517=Must specify either an SSH Key Pair Policy ID or a Name but not both.
Error Code Messages for CA NIM UM Target Manager Connector (15720 - 15739)
error.code.15721=Change process not specified.
Error Code Messages for ServiceNow Target Manager Connector (15740 - 15759)
error.code.15741=Change process not specified.
error.code.15762=The CA NIM UM target application specified in the password view policy could
not be found.
error.code.15763=The CA NIM UM target account specified in the password view policy could not
be found.
Error messages for HP Service Manager target manager connector (15780 - 15799)
error.code.15780=Change process not specified.
Error Code Messages for CA SDM Target Manager Connector (15800 - 15819)
error.code.15800=Change process not specified.
manageFailed=CA-PAM-2203: Account management failed for account {0} with the following
error: {1}
expectingEmbeddedKeys=CA-PAM-KD-0004 Invalid discovery response from device {0} for file {1};
expected embedded keys but instead received {2}
expectingEmbeddedKey=CA-PAM-KD-0005 Invalid discovery response from device {0} for file {1};
expected embedded key but instead received {2}
emptyEmbeddedKey=CA-PAM-KD-0006 Invalid discovery response from device {0} for file {1};
embedded key was empty.
nonNumericBits=CA-PAM-KD-0007 Invalid discovery response from device {0} for file {1}; bits
portion of protocol version 1 key non-numeric: {2}
invaliSchedTime=CA-PAM-SH-9016: The specified time has already passed. Schedule will never
trigger.
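The catalog above mixes two formats: Java-properties lines (`error.code.NNNN=...`, with `{0}`/`{1}` positional placeholders) and XML elements (`<error code="NNNN">...</error>`), grouped by the numbered ranges the section headings give. The parser below is an added example, not code from the CA PAM product: it loads both formats into one code-to-message map, names the documented range a code falls in, and fills placeholders by index with a plain regex substitution rather than `str.format`, so braces in a message can never be interpreted as format fields. The sample catalog text is constructed from entries on this page (one properties line uses a trailing-backslash continuation, which is standard Java-properties syntax and not shown on the page); the range table lists only the ranges whose headings appear above.

```python
import re
from typing import Dict, Optional

# Constructed sample: a few entries in each of the two catalog formats.
PROPERTIES_SAMPLE = """\
error.code.4629=The specified status is invalid. Allowed values for Dual Authorization are \\
approved(1), denied(2), pending(3), expiredapproved(6), or expiredpending(8).
error.code.15207=Failed to find {0} pattern(s) while reading from the communications channel: {1}
error.code.15106=Delete Check: the specified host name corresponds to one or more deleted Request Server(s) of type {1}: {0}
"""

XML_SAMPLE = """\
<error code="5514">Invalid character in password. Single quotation mark (') is not a valid
password character.</error>
<error code="6104">The Access Key ID must be composed of upper case letters and digits and must be 20 characters in length.</error>
"""

# Documented code ranges, taken from the section headings on this page.
RANGES = [
    (5800, 5819, "Remedy Target Manager Connector"),
    (13000, 13099, "Remedy View Password Plugin"),
    (13100, 13199, "ServiceNow View Password Plugin"),
    (13200, 13299, "CA SDM View Password Plugin"),
    (13400, 13499, "Salesforce Service Cloud View Password Plugin"),
    (13500, 13599, "HP Service Manager View Password Plugin"),
    (15200, 15299, "Extension Manager: Common Channel and Processor Target Connector API"),
    (15300, 15399, "Extension Manager: Common Channel and Processor Target Connector UI"),
    (15720, 15739, "CA NIM UM Target Manager Connector"),
    (15740, 15759, "ServiceNow Target Manager Connector"),
    (15780, 15799, "HP Service Manager Target Manager Connector"),
    (15800, 15819, "CA SDM Target Manager Connector"),
]

PROP_RE = re.compile(r"^error\.code\.(\d+)\s*=\s*(.*)$", re.M)
XML_RE = re.compile(r'<error\s+code="(\d+)"\s*>(.*?)</error>', re.S)
PLACEHOLDER_RE = re.compile(r"\{(\d+)\}")


def _join_continuations(text: str) -> str:
    """Join Java-properties lines that end in a backslash with the next line."""
    out, pending = [], None
    for line in text.splitlines():
        if pending is not None:
            line = pending + line.lstrip()
            pending = None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        out.append(line)
    if pending is not None:
        out.append(pending)
    return "\n".join(out)


def parse_catalog(text: str) -> Dict[int, str]:
    """Accept either format (or a mix) and return {code: message}."""
    catalog: Dict[int, str] = {}
    for m in PROP_RE.finditer(_join_continuations(text)):
        catalog[int(m.group(1))] = m.group(2).strip()
    for m in XML_RE.finditer(text):
        # XML bodies may wrap across lines; collapse internal whitespace.
        catalog[int(m.group(1))] = " ".join(m.group(2).split())
    return catalog


def range_name(code: int) -> Optional[str]:
    for lo, hi, name in RANGES:
        if lo <= code <= hi:
            return name
    return None


def render(catalog: Dict[int, str], code: int, *args: object) -> str:
    """Fill {n} by index. Placeholders with no argument are left in place."""
    def sub(m: "re.Match[str]") -> str:
        i = int(m.group(1))
        return str(args[i]) if i < len(args) else m.group(0)
    return PLACEHOLDER_RE.sub(sub, catalog[code])


if __name__ == "__main__":
    cat = parse_catalog(PROPERTIES_SAMPLE + XML_SAMPLE)
    print(range_name(13005), "|", render(cat, 15207, 2, "Password:"))
```

Note that 15106 places `{1}` before `{0}`: substitution is by index, not by order of appearance, so callers must pass arguments in index order (`render(cat, 15106, host, kind)`), exactly as with the Java `MessageFormat` placeholders the catalog uses.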
Syslog Messages
The following list is representative of syslog messages generated by CA Privileged Access Manager.
Configuration Messages
Updating LDAP Group $name failed. Connection to all configured LDAP servers failed. 0 New
Users, 0 Updated Users, 0 Deleted Users, 0 Failed New Users, 0 Failed Updated Users, 0 Failed
Deleted Users, 0 Users Retrieved From LDAP Directory Server
Updated Syslog Settings. Status: Enabled, Remote Server(s): $address with default port Settings.
Status: Enabled
Keystroke Logging configuration updated successfully. Syslog: $state NFS/CIFS/S3 (CLI | Graphical)
Recording: $state
An exception (details) occurred while processing LDAP group name. LDAP sync for this group will
be aborted.
Error when attempting to add target account for username $name – error was Failed to verify
password with target. If this problem persists then please ask your Administrator to investigate.
AddTargetAccountCmd.invoke: Failed to verify password with target
Error when attempting to add target account for username $name – error was Error. Attempt to
create a duplicate entry. Account with same userName already exists for same application
Cluster Messages
Saved cluster config to all cluster members.
SEVERE: Unable to turn on the cluster because one or more cluster members failed cluster start
checks.
Turned cluster on
SEVERE: Turned cluster off. The cluster was in a bad state. The administrator who performed this
action was given guidance regarding how to remedy this, and those recommendations were
acknowledged before the cluster was stopped.
The user has acknowledged the warnings related to rebooting an appliance while the cluster is
running. The appliance will now be rebooted.
User Messages
User $name successfully added. Activation: $when1; Expiration: $when2; Roles: $roles Groups:
$groups; API keys: $apikeys; User $user added to PA with group membership: $pagroup
User $name successfully deleted. User $name deleted from Password Authority
User $name successfully updated. $what; Roles: $roles; Groups: $groups; API keys: $apikeys PA
User group membership: $pagroup
User $name deleted from LDAP group $group but is a member of other registered LDAP groups.
User $apiid using API key Orchestrator called $file via HTTP DELETE (user issued a DELETE on a
device)
User $apiid using API key Orchestrator called $file via HTTP GET (user issued a GET on a device)
User $apiid using API key Orchestrator called $file via HTTP POST (user issued a POST on a device)
User $apiid using API key Orchestrator called $file via HTTP PUT (user issued a PUT on a device)
An exception ( [LDAP: error code 32 - 0000208D: NameErr: $ID, problem 2001 (NO_OBJECT), data
0, best match of:
Could not rename user $name. Error was Error. Attempt to create a duplicate entry. User already
exists
18081 = LDAP authentication failed for user <name> with error code (%s) and error string (%s).
The user entered an incorrect password.
18018 = This Xsuite appliance is in maintenance mode. Only admin level users can login.
18069 = The Active Directory user with user principal name $name or samAccountName %s is not
registered with Xsuite.
18100 = User $name logged in successfully via local authentication but will be required to change
their password.
LDAP Group $name. 0 New Users, 0 Updated Users, 0 Deleted Users, 0 Failed New Users, 0 Failed
Updated Users, 0 Failed Deleted Users, $number Users Retrieved From LDAP Directory Server
9008 = LDAP Group %s imported into Xsuite. %s Users Processed: %s New Users, %s Updated
Users, %s Deleted Users, %s Failed New Users, %s Failed Updated Users, %s Failed Deleted Users.
Device Messages
Device xxx added successfully. Access Methods: $method; Services: $services; VPN Services:
$sslvpn; Groups: $groups; Tags: $tags
Device xxx added successfully. Access Methods: $method; Services: $services; VPN Services:
$sslvpn; Groups: $groups; Tags: $tags; Target Server xxx added to Password Authority
Device xxx added successfully. Access Methods: $method; Services: $services; VPN Services:
$sslvpn; Groups: $groups; Tags: $tags; Request Server xxx added to A2A
Device xxx added successfully. Access Methods: $method; Services: $services; VPN Services:
$sslvpn; Groups: $groups; Tags: $tags; Target Server xxx Request Server xxx added to A2A via
autoregistration
Device xxx updated successfully Access Methods: SSH:22; Services: None; VPN Services: None;
Groups: $groups; Target server xxx updated.
Device xxx updated successfully Access Methods: $method; Target server xxx updated; Request
server xxx updated.
Device xxx updated successfully Access Methods: $method; Target server xxx updated.
Device xxx updated successfully; Target server xxx updated; Request server xxx updated.
Device xxx updated successfully; Target server xxx updated and renamed to $name; Request
server xxx updated. Request server $name changed to $name.
Device xxx updated successfully; Target server xxx added to Password Authority; Request server
xxx updated.
Device xxx updated successfully; Target server xxx deleted; Request server xxx updated.
Target Server $name not added to Password Authority. Error Message Duplicate host name.
AddTargetServer.invoke HostName '$address' already exists.
Target Server $name not updated. Error message was Duplicate host name $name.
updateTargetServer HostName already exists.
Could not successfully retrieve Password Authority Managed Data for Dashboard
Service Messages
Service $name (added | updated) successfully. Launch Path: $launchpath; Enabled: (on | off);
Service $name (added | updated) successfully. Local IP: $address; Ports: $ports; Protocol: $proto;
Application Protocol: $appproto; Enabled: (on | off);
Service $name (added | updated) successfully. Local IP: $address; Ports: $ports; Protocol: tcp;
Application Protocol: WEB; Web Portal Launch URL: $launchurl; Browser Type: $type; Access List:
$acl; Enabled: (on | off);
Service $name (added | updated) successfully. Local IP: $address; Ports: $ports; Protocol: tcp;
Application Protocol: (RDP | SSH | TELNET); Client Application: $launchpath; Enabled: (on | off);
Policy Messages
(Created | Updated) policy. User: $user; Host: $host; Applets: $applets, Credential(s): $creds;
Services: $services, Credential: $creds; SSL VPN Services: $ssl_vpn; Target Applications:
$applications; Updated filters and session recording: ; Filtering: Command Filtering: $cf; Socket
Filtering: $sf; Session Recording: CLI Session Recording: (on | off); Graphical Session Recording:
(on | off); Web Session Recording: (on | off); Transparent Login: (on | off); Server Control Login:
(on | off)
Unable to retrieve target account list for policies - error was No response from Password
Authority.
Accounts deleted
Command Filter List (Created | Updated). Name: $name: $type Keywords: Keyword: $keyword
Alert: (On | Off) Regex: (On | Off) Block: (On | Off);
Socket Filter List $name Updated. Name: $name Type: (black | white) Hosts: $hosts
Socket Filter Configuration Updated. Agent Port:$port SFA Monitoring: Enabled Gatekeeper ID: 1
Violation Message: Access denied. Violation Additional e-mail Message: Violations Before Action:
3 Action After Limit Exceeded: take no action
This client has not responded to Xsuite messages. We have assumed the client has gone away,
and the session is being reaped.
Xsuite user transparently logged into RDP Application "$application" to "Login" window as "$user"
Logout OK
Violation Messages
Unauthorized word $keyword typed;
A potential tampering attempt has been detected, and the end-user's local system may be
compromised. Account deactivated.
Granted Access to Host ".$_GET["host"].":".$_GET["port"] ." - Blacklist policy allowed host and
port.
Granted Access to Host ".$_GET["host"].":".$_GET["port"] ." - Whitelist policy allowed host and
port.
xsuite[%d]: Connection timed out after %d minutes of idle time; Duration: %s;%s
Session expired
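The session and violation messages listed above are what a syslog collector or SIEM receives from the appliance. The following script is an added example and is not part of the CA documentation: it classifies a few constructed lines built from these templates and flags the ones an operator should act on (command-filter violations and tampering detections). The regular expressions, the severity labels, the function names and the sample lines (including their PIDs and durations) are assumptions made for this example.

```python
"""Classify CA PAM session and violation messages (added example, not CA code)."""
import re

# Patterns derived from the message templates in this reference. The severity
# labels are an assumption made for this example, not something CA PAM emits.

# "xsuite[%d]: Connection timed out after %d minutes of idle time; Duration: %s;%s"
IDLE_TIMEOUT_RE = re.compile(
    r"^xsuite\[(?P<pid>\d+)\]: Connection timed out after (?P<idle>\d+) minutes "
    r"of idle time; Duration: (?P<duration>[^;]*);(?P<extra>.*)$"
)
# "Unauthorized word $keyword typed;"
UNAUTHORIZED_WORD_RE = re.compile(r"^Unauthorized word (?P<keyword>.+) typed;$")
# "A potential tampering attempt has been detected, ... Account deactivated."
TAMPERING_PREFIX = "A potential tampering attempt has been detected"


def classify(line):
    """Return (severity, kind, fields) for one message line."""
    line = line.strip()
    m = IDLE_TIMEOUT_RE.match(line)
    if m:
        fields = {"pid": int(m["pid"]), "idle_minutes": int(m["idle"]),
                  "duration": m["duration"]}
        return "info", "idle_timeout", fields
    m = UNAUTHORIZED_WORD_RE.match(line)
    if m:
        # A command filter fired: the user typed a blocked or alerting keyword.
        return "high", "command_filter_violation", {"keyword": m["keyword"]}
    if line.startswith(TAMPERING_PREFIX):
        # The appliance deactivates the account; the endpoint still needs triage.
        return "critical", "tampering_detected", {
            "account_deactivated": "Account deactivated." in line}
    if line == "Session expired":
        return "info", "session_expired", {}
    if line == "Logout OK":
        return "info", "logout", {}
    return "unknown", "unclassified", {"raw": line}


def triage(lines):
    """Return the high and critical messages, in input order, as dicts."""
    alerts = []
    for line in lines:
        severity, kind, fields = classify(line)
        if severity in ("high", "critical"):
            alerts.append({"severity": severity, "kind": kind, **fields})
    return alerts


# Constructed sample lines that follow the templates above (not real appliance output).
SAMPLE_LINES = [
    "xsuite[4242]: Connection timed out after 30 minutes of idle time; Duration: 00:42:10;",
    "Logout OK",
    "Unauthorized word shutdown typed;",
    "Session expired",
    "A potential tampering attempt has been detected, and the end-user's local "
    "system may be compromised. Account deactivated.",
    "Violation Message: Access denied.",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LINES):
        print(alert)
```

Lines that match none of the templates are returned as "unclassified" rather than dropped, so a pipeline built on this can count what it fails to recognise.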
Batch processing: The Credential Manager CLI feature that lets you read an XML formatted file as
input to a registration activity.
Credentials: User name and password or RSA key that is associated with an account
Master account: A target account that is used to change another account. This account must have
the ability to change another account password, such as root or sudo-enabled accounts in
UNIX. See also Slave account.
Privileged accounts: Accounts that have elevated privileges; for example, UNIX root accounts and
database administrator accounts. Attended privileged accounts are associated with people.
Unattended privileged accounts are associated with automated applications or machines.
Privileged accounts can usually affect multiple users. Privileged accounts are often used for access
and password viewing. See also Unprivileged accounts.
Registration: The act of adding data to the CA Privileged Access Manager appliance
Remote host: A computing platform other than the CA Privileged Access Manager appliance.
Examples include servers, laptops, desktops, and routers.
Roles: A collection of actions that can be performed on the GUI and CLI. Roles can be built for
each series of permissions you want to assign to Credential Manager administrators. Credential
Manager roles are distinct and separate from CA Privileged Access Manager roles. See Credential
Manager Grouping Terminology (https://docops.ca.com/display/CAPAM28
/Credential+Manager+Grouping+Terminology).
Slave account: A target account whose password is changed by a master account. See also Master
account.
Target: General term for a target account, target application, and target server.
Target account: An account that is located on a remote host and is managed by Credential
Manager.
Target applications: Applications on a remote host that require credentials for access. Examples
include databases or the remote host OS. A target application can contain one or more target
accounts. Multiple target application types exist, each corresponding to a different target
connector.
Target connector: Code and extensions that are applied to the Credential Manager target
application and target account details pages that communicate with a given type of remote
application. Each target connector is associated with a target application.
Target group: A collection of target servers, target applications, or target accounts that meet
specific filter criteria; for example, all target servers that have the identifier London in the
descriptor field. A single target can belong to multiple target groups. When a target group
consists of target servers, all applications and accounts on that server are automatically within
that target group.
Target server: A server hosting one or more target applications. In the CA Privileged Access
Manager appliance, it is configured as a Device of type Password Management.
Unprivileged accounts: Accounts that have restricted privileges, usually allowing a user to read or
affect only their own data. See also Privileged accounts.
User group: A collection of one target group, one requestor group, and one role. Credential
Manager user groups are distinct and separate from CA Privileged Access Manager User Groups.
See Credential Manager Grouping Terminology (https://docops.ca.com/display/CAPAM28
/Credential+Manager+Grouping+Terminology).
Users: Users are people that access and operate Credential Manager. Each user belongs to one or
more user groups. The user groups define what targets and requestors the user can see and what
actions the user can perform on the Credential Manager interfaces.
In addition, the following terms and concepts apply when referring to Application-to-application
(A2A) functionality:
Client: A program that identifies information about the invoking program or script (such as its
name, path, hash, and userId). For UNIX and Linux, the client stub is cspmclient. For Windows,
the client stub is cspmclient.exe. For Java programs, the client stub is cspmclient.jar.
Client daemon or service: A UNIX daemon or Windows service that caches credentials from the
CA Privileged Access Manager appliance. The A2A Client requests credentials from it. If the
credentials are not cached, it requests the credentials from the CA Privileged Access Manager
appliance. It then caches them before returning the credentials to the client.
Requestor application: Applications that initiate communications with target applications using
target credentials. Requestor applications invoke a client stub to communicate to the CA
Privileged Access Manager appliance to get the required credentials.
Requestor group: A collection of requestors or requestor servers that meet specific filter criteria;
for example, all requestor servers that have the identifier London in the descriptor field. A single
requestor can belong to multiple requestor groups. When a requestor group consists of requestor
servers, all requestors on that server are automatically within that requestor group.
Requestor script: A Perl, Python, PHP, sh, ksh, or csh script that invokes a client stub to get
credentials.
Web GUI
This section describes the Web GUI for the CA Privileged Access Manager software environment. The
Access window is made up of the following parts:
Toolbar (see page 269)
Admin (see page 270)
My Info (see page 271)
System Info (see page 273)
Config (see page 273)
3rd Party (see page 274)
Certificate Info (see page 286)
Database (see page 286)
Date and Time (see page 288)
Diagnostics (see page 290)
Licensing (see page 293)
Logs (see page 294)
Monitor (see page 297)
Network (see page 298)
Security (see page 298)
SNMP (see page 306)
SSL VPN (see page 307)
Synchronization (see page 307)
Menu Bar (see page 310)
Global Settings Menu Bar Reference (see page 310)
Sessions Menu Bar Reference (see page 318)
Services Menu Bar Reference (see page 318)
Users Menu Bar Reference (see page 322)
Devices Menu Bar Reference (see page 328)
Policy Menu Bar and Dialogs Reference (see page 332)
Manage Policies (see page 332)
Manage Passwords (see page 340)
Import and Export Policy (see page 370)
Import and Export Socket Filter Lists (see page 372)
This document shows the appropriate UI pane and provides a table that identifies each component in
that pane, including a brief explanation. For more information click the links.
Toolbar
The following sections document toolbar features:
Admin (see page 270)
My Info (see page 271)
This document provides tables that identify each component, including a brief explanation. For more
information see either the Planning Guide or the Implementation Guide.
Dashboard Toolbar
Toolbar
Toolbar Components
The Toolbar tabs listed in the table are described in the following sections.
Admin
Admin Button
This button allows you to get back to the Administration GUI, which shows the menu bar, used
mostly for provisioning.
Provision users, privileged user password management, A2A access, target devices, and access control policies.
Power - When a host is connected to a smart power switch, CA PAM can be used to control the switch via the Power button. The Power button light indicates the last power status CA PAM is aware of. Red indicates power off, green indicates power on, and no light indicates that CA PAM cannot determine the Power Status of that device. Clicking the Power button launches a popup that gives you choices for that device. The buttons perform the straightforward function of Turn device on, Turn device off, and Reset device.
Restart Session - The Restart Session link is used to refresh your access page matrix. If your systems administrator has made policy changes, click this link, or log out then back in again, for them to be reflected in your session. Clicking Restart Session forcibly closes any sessions that you are currently running.
My Views - The My Views link allows you to select from preconfigured, filtered views. You create a named filtered view (for use in My Views) through the Save as View link.
My Info
Account Information Fields (see page 271)
Contact Information Fields (see page 272)
System Info
Sys Info Link
Sys Info Components
Basic Info - Firmware version number and whether the appliance has been preconfigured in FIPS mode.
System Resources - Current CPU usage, Disk total/used/free storage, and total/used/free Memory Usage statistics.
System Activity - Identifies the continuous uptime since the last appliance boot, the number of Users that are currently logged in (Active Logins), and the number of connection sessions currently underway by those Users (Active Sessions).
Licensing - Current quantities of [Devices defined]/[Devices licensed] for each license type; whether a Mainframe option has been applied to the Access license (if any); and the license string for Access (if any).
Serial Numbers - Firmware serial number and the hardware serial number (if assigned).
Hotfixes - Identifies any Hotfixes applied to this installation of CA PAM.
Refresh - Refreshes the data in the screen.
Download - Creates a text file of the sys info data.
Config
The CA Privileged Access Manager Config panel is home to settings for optional features, connections
to external systems, diagnostics, and security methods.
3rd Party (see page 274)
Certificate Info (see page 286)
Database (see page 286)
Date and Time (see page 288)
Diagnostics (see page 290)
Licensing (see page 293)
3rd Party
Configure servers that provide provisioning and authentication resources, encryption services,
account access specifications, and other services to CA Privileged Access Manager.
The following panels appear only when explicitly licensed from CA Privileged Access Manager (as
specified on the Config, Licensing page):
AWS API Proxy Users license: AWS API Proxy Auto-Activation Whitelist panel
AWS Capability license: Amazon Web Services (AWS) Configuration panel; Add/Edit AWS
Connection panel
HSM license, either SafeNet HSM Capability for SafeNet HSM or Thales HSM Capability: Network
Attached HSMs panel; LUNA PCI-E Configuration; SafeNet HSM Configuration; Thales HSM
Configuration
VMware Capability license: VMware Configuration, Add VMware vCenter, VMware NSX panels
Status - "Online" or "Offline", depending on whether the HSM can be reached by CA Privileged
Access Manager.
When CA Privileged Access Manager is configured with an internal SafeNet Luna PCI-E card, this panel
is populated with a single line item identifying that internal HSM:
HSM - "LunaPCI-E"
Security Principal Username - Enter the name that you set when configuring the Luna
administrative account.
Security Principal Password - Enter the password that you set when configuring the Luna
administrative account.
Partition Password - Enter the password that you set when creating storage during your Luna
configuration procedure earlier.
Add button - Configure CA Privileged Access Manager to use the Luna HSM specified by these
fields. After configuration is established, the HSM is listed in the Network Attached HSMs panel.
Partition Password (2nd) - Enter a new partition password. Set the new password on the Luna
before entering it here.
Update & Activate button - After clicking this button, CA Privileged Access Manager:
Token Label - Enter the name of the applicable OCS (Operator Card Set) you created when
configuring the nShield appliance.
Remote File System - Enter the IP address of the Remote File System (RFS) used. Note: For Thales
HSMs, a DNS name is not permitted.
Token Password - Enter the password of the applicable OCS (Operator Card Set) you created
when configuring the nShield appliance.
Address - Enter the IP address of the nShield Connect. Note: For Thales HSMs, a DNS name is not
permitted.
Add button - Configure CA Privileged Access Manager to use the Thales HSM specified by these
fields. After configuration is established, the HSM is listed in the Network Attached HSMs panel.
Token Password (2nd) - Enter a new token password for the applicable OCS (Operator Card Set)
you set when configuring the nShield appliance. Set the new password on the nShield before
entering it here.
Update & Activate button - After clicking this button, CA Privileged Access Manager:
Password - Enter the challenge string that you obtained from the PED when configuring the Luna
card.
Public Key - During PCI cluster configuration, use this field either to (1) see the key in the field
after pressing Get Public Key on a non-primary, or (2) paste the key (after obtaining it from a non-
primary) into the field on the primary.
Encrypted Key - During PCI cluster configuration, use this field either to (1) see the key in the field
after pressing Extract Key on the primary, or (2) paste the key (after obtaining it from the
primary) into the field on the non-primary.
Activate button - Following an initialization process using the Luna PED and PED Keys, click this
button to switch over from built-in CA Privileged Access Manager cryptography to Luna
cryptography.
Note: This activation cannot be reversed - your appliance will be configured permanently to use
Luna PCI-E.
Get Public Key button - During PCI cluster configuration, you use this button to see and copy the
Public Key from a non-primary appliance.
Extract Key button - During PCI cluster configuration, you use this button to extract the Public Key
from a primary appliance. The result appears in the Encrypted Key field.
Insert Key button - During PCI cluster configuration, you will use this button on a non-primary to
insert the key from the Encrypted Key field, after generating it (using Extract Key) and copying it from a
primary appliance and then pasting it into the corresponding field in the non-primary appliance.
Be sure to read the section at the end of the article, "For Reference: Smart Link
URL template. The following sample shows how you might create your URL:
wctx=wa=wsignin1.0&rpsnv=2&ct=1372192193&rver=6.1.6206.0&wp=MCMBI&wreply=https:%2F%2Fportal.microsoftonline.com%2Flanding.aspx%3Ftarget%3D%252fdefault.aspx&lc=1033&id=271346
Decoding the smart link is not a listed step in the Microsoft procedure, but should
be done. A useful link for decoding is:
http://coderstoolbox.net/string/#!encoding=url&action=decode&charset=us_ascii
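The decoding step recommended above can also be done locally. The following Python script is an added example, not part of the CA documentation: it decodes the sample wctx string shown above one level at a time and pulls out the wreply return address, so an administrator can confirm which host the sign-in flow will return to before the smart link is saved. The function names and the allowed-host list passed to reply_host_allowed are assumptions made for this example.

```python
"""Decode a smart link's wctx query string (added example, not CA code)."""
from urllib.parse import parse_qsl, urlsplit

# The sample wctx string from the reference above (wrapped here only for line length).
SAMPLE_SMART_LINK = (
    "wctx=wa=wsignin1.0&rpsnv=2&ct=1372192193&rver=6.1.6206.0&wp=MCMBI"
    "&wreply=https:%2F%2Fportal.microsoftonline.com%2Flanding.aspx"
    "%3Ftarget%3D%252fdefault.aspx&lc=1033&id=271346"
)


def decode_smart_link(query):
    """Split the query on '&' and percent-decode each value once.

    parse_qsl splits each pair on the first '=', so the leading
    'wctx=wa=wsignin1.0' survives as wctx -> 'wa=wsignin1.0', and the
    %2F / %3F / %3D sequences in wreply become '/', '?' and '='. The
    double-encoded %252f inside wreply only becomes %2f at this level;
    reply_target decodes it a second time.
    """
    return dict(parse_qsl(query, keep_blank_values=True))


def reply_target(params):
    """Return (host, inner target path) taken from the decoded wreply URL."""
    reply = urlsplit(params["wreply"])
    inner = dict(parse_qsl(reply.query, keep_blank_values=True))
    return reply.hostname, inner.get("target")


def reply_host_allowed(params, allowed_hosts):
    """True when the wreply host is one the administrator expects (assumed list)."""
    host, _ = reply_target(params)
    return host is not None and host.lower() in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    params = decode_smart_link(SAMPLE_SMART_LINK)
    for key, value in params.items():
        print(f"{key} = {value}")
    print("wreply target:", reply_target(params))
    print("allowed:", reply_host_allowed(params, ["portal.microsoftonline.com"]))
```

Decoding in two passes matters here: the wreply value is itself a URL that carries a further encoded parameter, and a single pass leaves %2f in the inner target.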
30 minutes (default: 60 minutes)
Test button - Attempts a connection to AWS with the credentials of the account for this connection, and confirms or denies success.
Note: The CA PAM AWS API Proxy 2.0 can now be used with CA PAM to
successfully reach AWS GovCloud accounts to execute API calls.
GovCloud accounts can already be configured for use with CA PAM.
Add button - Saves the current settings as a provisioning record that is displayed in the AWS Provisioning pane. Does not make connection to AWS.
Default: Unchecked (off)
List of configured vCenter provisions:
Edit column - Edit button or Save button. Toggles the edit mode of this line item: the Edit button opens the line item for editing (turns on edit mode); the Save button saves any changes to the currently staged line item values (URL and Active widgets), and closes the line item for editing (turns off edit mode). Initially, the edit mode is turned off.
vCenter Account column - String. Displays the vCenter Authentication Device – vCenter User combination.
URL column - String in URL format. Displays the previously saved URL for this line item. Edit mode on: the URL string can be edited.
Active column - Enumerated, YES or NO. Edit mode off: YES: Configuration is scheduled to sync periodically (to import from vCenter) after each vCenter Refresh Interval. NO: Configuration is not scheduled to sync periodically (will not import from vCenter).
https://address[:port]/sdk
Examples:
https://vcenter.example.com/sdk
https://192.0.2.1:55555/sdk
https://vcenter2.example.com:77777/
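As an added example that is not part of the CA documentation, the following Python function checks a vCenter address against the https://address[:port]/sdk form before it is saved. Of the three examples listed above, the first two pass; the third is rejected because 77777 is outside the TCP port range (1 to 65535) and its path is not /sdk. The function name and the returned reason strings are assumptions made for this example.

```python
"""Validate a vCenter SDK endpoint URL (added example, not CA code)."""
from urllib.parse import urlsplit


def validate_vcenter_sdk_url(url):
    """Return (ok, reason) for a URL expected in the https://address[:port]/sdk form."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError when non-numeric or above 65535
    except ValueError as exc:
        return False, f"bad port or URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        # Credentials belong in the vCenter account fields, never in the URL.
        return False, "embedded credentials are not allowed"
    if not parts.hostname:
        return False, "missing host"
    if port == 0:
        return False, "port must be between 1 and 65535"
    if parts.path != "/sdk":
        return False, "path must be /sdk"
    if parts.query or parts.fragment:
        return False, "query string and fragment are not allowed"
    return True, "ok"


# The three example addresses listed in the reference above.
EXAMPLES = [
    "https://vcenter.example.com/sdk",
    "https://192.0.2.1:55555/sdk",
    "https://vcenter2.example.com:77777/",
]

if __name__ == "__main__":
    for url in EXAMPLES:
        ok, reason = validate_vcenter_sdk_url(url)
        print(f"{url!r}: {'accepted' if ok else 'rejected'} ({reason})")
```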
VMware NSX
The VMware NSX fields are not populated unless VMware NSX is licensed.
Current Servers
Server address - IPv4 IP address or DNS name of the RADIUS server.
Port [1812] - Corresponding port for the RADIUS server. Note: The IANA-registered RADIUS authentication port = 1812. Some RADIUS servers might be configured to use a former, unofficial port = 1645.
Type - Lists RADIUS or TACACS+ servers.
Shared Secret - A shared secret is a text string used as a password between a RADIUS client and RADIUS server, a RADIUS client and a RADIUS proxy, or a RADIUS proxy and a RADIUS server.
Add New Servers
Server address - IPv4 IP address or DNS name of the RADIUS server.
Port [1812] - Corresponding port for the RADIUS server. Note: The IANA-registered RADIUS authentication port = 1812. Some RADIUS servers might be configured to use a former, unofficial port = 1645.
Type - Select RADIUS or TACACS from the list box.
Shared Secret - A shared secret is a text string that is used as a password between a RADIUS client and RADIUS server, a RADIUS client and a RADIUS proxy, or a RADIUS proxy and a RADIUS server.
Add button - Add server specified by current values in data entry fields. After a successful Add, confirmation in red text.
The following Edit and Delete buttons are displayed only after a server is added.
Edit button - Move record to editing fields. (After editing, re-Add.)
Delete button - Remove access to selected RADIUS server (and delete line item from this list).
Timeout (seconds) - int. Default: 60. Optional.
Node secret
1. Choose File
2. Upload
Whitelisted Subnets: (separated by commas or newlines) - Enter the subnets containing the AWS
API Proxy instances.
Whitelisted Subnets: (separated by commas or newlines) - Enter the subnets containing the
VMware NSX API Proxy instances.
arapi8*.jar
arutil81*.jar
3. Save the copied JAR files to a location accessible to the CA Privileged Access Manager system.
4. Use the Choose File button to browse for the JAR files individually. Use the Upload button to
upload each file, one at a time.
Note: If you are load balancing, you have to upload the JAR files to each server. The files are
the same for Windows and Linux.
5. Restart the app server by clicking the Restart Tomcat button. Wait until the process completes.
A message displays: "Tomcat restarted successfully."
Certificate Info
Certificate Info (see page 286)
Certificate Info
Certificate Info - The Certificate Revocation List shows all existing Certificate Revocation List (CRL) files currently on CA PAM, with the status of each.
Database
Database (see page 287)
Schedule Backup, Save Configuration and Database, or Reset Database (see page 287)
Schedule Backup (see page 287)
Database
Schedule Backup
Select All for any field that should not be a constraint to the schedule. (Any value will be allowed.)
Example: To schedule a backup that begins every night at 11PM, set Month, Day, and Weekday each to All, the Hour to 23, and the Min to 00.
Timezone - Displays the timezone for the system.
Path - The authentication and path are set with the syntax provided - <user>@<server>:/<path>
Port - Change the port on the destination server. Default = 22
Select authorization file - Define the key file for use in authentication.
Checkbox - Check this box if the Configuration and Database backup files should be deleted from local storage on CA PAM.
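The schedule semantics described above (All means "not a constraint"; every other field must match) and the <user>@<server>:/<path> destination syntax are worked through in the following Python script. It is an added example and is not part of the CA documentation: it evaluates the reference's own nightly 11PM example, computes the next time a schedule fires, and splits a destination string into its parts so it can be checked before it is saved. The weekday numbering (0 = Sunday through 6 = Saturday, as cron counts it), the function names and the sample destination are assumptions made for this example.

```python
"""Evaluate a Schedule Backup definition (added example, not CA code)."""
import re
from datetime import datetime, timedelta

ALL = "All"  # the "All" choice: this field does not constrain the schedule

# Allowed range per field. Weekday numbering is an assumption for this
# example: 0 = Sunday ... 6 = Saturday, as cron counts it.
_RANGES = {"month": (1, 12), "day": (1, 31), "weekday": (0, 6),
           "hour": (0, 23), "min": (0, 59)}


def validate_schedule(schedule):
    """Raise ValueError unless every field is "All" or an int within range."""
    for field, (lo, hi) in _RANGES.items():
        value = schedule.get(field, ALL)
        if value == ALL:
            continue
        if not isinstance(value, int) or not lo <= value <= hi:
            raise ValueError(f"{field}: expected {ALL} or {lo}-{hi}, got {value!r}")


def schedule_matches(schedule, when):
    """True if the schedule fires during the minute `when` falls in."""
    validate_schedule(schedule)
    actual = {"month": when.month, "day": when.day,
              "weekday": (when.weekday() + 1) % 7,  # Python Monday=0 -> cron Sunday=0
              "hour": when.hour, "min": when.minute}
    return all(schedule.get(f, ALL) in (ALL, actual[f]) for f in _RANGES)


def next_run(schedule, start, max_days=400):
    """First minute at or after `start` when the schedule fires, or None."""
    t = start.replace(second=0, microsecond=0)
    end = t + timedelta(days=max_days)
    while t <= end:
        if schedule_matches(schedule, t):
            return t
        t += timedelta(minutes=1)
    return None


# Destination syntax of the Path field: <user>@<server>:/<path>
_DEST_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9._-]+)@(?P<server>[A-Za-z0-9.-]+):(?P<path>/.*)$")


def parse_backup_destination(dest):
    """Split a <user>@<server>:/<path> destination into its parts or raise ValueError."""
    m = _DEST_RE.match(dest)
    if not m:
        raise ValueError(
            f"destination must look like <user>@<server>:/<path>, got {dest!r}")
    return m.groupdict()


# The reference's own example: a backup every night at 11 PM.
NIGHTLY_2300 = {"month": ALL, "day": ALL, "weekday": ALL, "hour": 23, "min": 0}

if __name__ == "__main__":
    now = datetime(2017, 2, 17, 10, 15)  # constructed sample time
    print("next nightly backup:", next_run(NIGHTLY_2300, now))
    # constructed destination, not a real host
    print(parse_backup_destination("pambackup@backups.example.com:/srv/pam/backups"))
```

The destination pattern deliberately requires the path to start with a slash, matching the /<path> form given for the field, so a relative path is reported before it reaches the appliance.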
Date/Time Configuration
Time Servers
[untitled] - Enumerated. Defaults: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org. List of time servers that are queried by CA PAM to set CA PAM clock. IMPORTANT: DNS must be set to reliable DNS servers in Config, Network. If DNS is known not to be set properly and cannot practically be fixed, the time server names should be changed to their current IP addresses.
Synchronize at boot - Checkbox. Sets CA PAM to execute a timeservers query and CA PAM clock reset during CA PAM boot. IMPORTANT: If CA PAM does not have access to an NTP server (or does not have access to DNS), Time Servers should be disabled by clearing this checkbox.
Save - Button. Upon clicking Save:
2. If the time server DNS addresses displayed are not the most recently held in storage, storage is updated to reflect displayed values.
You can set time to any value using the “Enter Date and Time” widget.
Authenticated NTP
NTPv4 Autokey - Text. Copy and paste into this text box the NTP v4 autokey you obtain from your NTP v4 server. After you click Save, this autokey is applied.
Security Policy - 2-option button. "Only use authenticated NTP, do not communicate with unauthenticated peers." When selected, CA PAM will implement Authenticated NTP using the autokey copied into the text box above. "Authentication not required." When selected, CA PAM will not use NTP.
NTP Status - Text. Displays the output of the authenticated NTP server.
Refresh - Button. Update the NTP status output (shown immediately above).
Diagnostics
Diagnostics Fields (see page 290)
System Diagnostic (see page 291)
Tomcat Logs (see page 291)
Applet Log Level (see page 291)
Xsuite As SAML RP Log Level Fields (see page 291)
Xsuite As SAML IdP Log Level (see page 291)
Maintenance Mode (Off) (see page 292)
Remote Xceedium Debugging Services (Off) (see page 292)
Performance Graphs (see page 292)
Diagnostics Fields
System Diagnostic (see page 291) - The System Diagnostic tool gathers information about specified CA Privileged Access Manager file versions. The tool provides a listing of filenames, showing the dates they were modified and their file versions.
Maintenance Mode (Off) (see page 292) - Maintenance Mode prevents new logins so that an administrator can make configuration changes without user activity interference. Maintenance Mode does not disable the Credential Manager CLI.
System Diagnostic
Configuration File - CA Support provides this file.
Run System Diagnostic - This command creates an encrypted file for review by CA Support.
Tomcat Logs
Download Tomcat Log File - Downloads the "catalina.out" logfiles from the appliance to CA Technologies, Inc. Support's local client access computer.
Performance Graphs
Licensing
Current License
Access Devices - Maximum number of Access Devices that can be used.
Password Devices - Maximum number of Credential Manager Devices that can be used.
A2A Devices - Maximum number of A2A Devices that can be used.
Mainframe Capability - Enabled or Disabled for use of mainframe access methods: TN3270, TN3270SSL, TN5250, and TN5250SSL.
AWS Capability - Enabled or Disabled for device import and AWS Management Console access to Amazon Web Services (AWS) accounts. Requires more configuration in Config, 3rd Party.
AWS API Proxy Users - Number of CA PAM Users who can simultaneously access AWS through CA PAM using AWS API requests. Requires more configuration in Config, 3rd Party and deployment of AWS API Proxy devices in an AWS environment.
VMware NSX API Proxy Users - Number of CA PAM Users who can simultaneously access VMware NSX API through CA PAM using NSX API requests. Requires more configuration in Config, 3rd Party and deployment of NSX API Proxy devices in a VMware environment.
VMware Capability - Enabled or Disabled for access to a VMware account. Requires more configuration in Config, 3rd Party.
External API Capability - Enabled indicates that the External Rest API is licensed. To activate this feature, you must also select Enable External Rest API in Config>Security>External API Access.
Office365 Capability - Enabled or Disabled for access to a Microsoft Office 365 administrative account. Requires more configuration in Config >3rd Party.
SafeNet HSM Capability - Enabled or Disabled for access to SafeNet Luna SA or SafeNet Luna PCI-E HSMs (hardware security modules). Requires more configuration in Config, 3rd Party. NOTE: If Enabled, Thales HSM Capability must be Disabled.
Thales HSM Capability - Enabled or Disabled for access to Thales nShield Connect HSMs (hardware security modules). Requires more configuration in Config, 3rd Party. NOTE: If Enabled, SafeNet HSM Capability must be Disabled.
Start Date - Date on which (at 12:00AM) the license is active.
Logs
Manual Logs (see page 294)
Automatic Log Purge Settings (see page 294)
Sys Logs Settings (see page 295)
External Log Server (see page 296)
Session Recording (see page 296)
Session Recording Preference (see page 297)
Manual Logs
Up 'till [Month][DD][YYYY] - Enumerated lists. Set an end date for a batch operation by the Save to file or Purge buttons.
Save to file - Button. Save all logs up to the specified date to a single file.
Purge - Button. Delete all logs up to the specified date.
Purge All - Button. Delete all logs in CA PAM internal storage.
Reset - Button. Resets the date for the manual log purge.
Pick a filename. - Enumerated list. Drop-down list of log files that are batched through previous (manual and automatic) log purges.
Download - Button. Download selected log file through browser from CA PAM internal storage (secondary drive).
Delete - Button. Delete selected log file from CA PAM internal storage (secondary drive).
Admin Email
SMTP Server
Session Recording
Text based recording to the syslog server - Default: [unchecked]. Send the command line session recordings (ASCII text) to the syslog server. PREREQUISITE: The syslog server hostname or IP address must have been added to the “Syslog” settings with the appropriate options enabled.
Text based recording to NFS/CIFS/S3 mounted directory - Default: [unchecked]. Store the command line session recordings (ASCII text) on a mounted file system. Includes NFS, CIFS, or Amazon S3. PREREQUISITE: The mount must have been enabled in “NFS/CIFS/S3 Settings.”
Monitor
Admin Email - Example: admin1@example.com. Email address for the CA PAM administrator account. NOTE: This setting allows specification of a single account. It might work better as a role account to allow multiple recipients.
SMTP Server - IPv4 address or FQDN hostname. Server address of the SMTP server that delivers alerts. PREREQUISITE: If relay is necessary, it must be configured correctly on the SMTP server.
Appliance From Address - Example: xsuiteadmin@example.com. Address that is inserted into the “From” field of any monitoring email sent by CA PAM. IMPORTANT: This is not a “dummy” field – the address MUST be properly formed, for example: <mailbox>@<domain>.<tld>
Network
Network Configuration (see page 298) - Configuration settings for the default network.
Administrative Access Restriction Table (see page 298) - Lists IP or CIDR blocked addresses.
Network Configuration
Hostname - DNS-conforming character string. Default: CA Privileged Access Manager. Important: When configuring multiple appliances for a CA PAM cluster, use different Hostnames to distinguish the appliances from each other. The IP address is not sufficient.
Default Gateway - IPv4 address. Example: 192.0.2.1. Routing device to which CA PAM sends all packets to destinations without an explicit route. This is necessary (at least) when sending traffic to the Internet, to remotely managed devices or for any other resource access.
Domain Name - domain.tld. Example: example.com. Top-level and second-level domains.
DNS Servers - IPv4 address. Examples: dns1.example.com, 192.0.2.11. Proximate DNS servers.
Security
The following topics explain the configurable security settings.
Create Certificate or CSR Settings (see page 299)
Upload Certificate or Private Key Settings (see page 299)
Download Certificate or CSR Settings (see page 300)
Set Certificate (see page 300)
CRL Options (see page 300)
PKI Options (see page 301)
Sign CA Privileged Access Manager Applets (see page 301)
CA Privileged Access Manager SAML RP Configuration (see page 302)
Notes:
Do not add a newline (line feed) after the last entry.
Refer to: X.509 Subject Alternative Name
Filename Create a name for the certificate.
Field / Description
Other Options
Filename
  Create a name for the certificate.
Dest. Filename
  May be used to change the filename of the certificate. This field may be left blank if the name will stay the same. NOTE: If CA PAM generated the CSR, the "Destination Filename" must match the name of the CSR in order to match the private key properly.
Passphrase/Confirm [Passphrase]
  Enter the passphrase, then re-enter in Confirm, when necessary for the certificate.
  NOTE: A passphrase is probably necessary, and will have been set by the third-party CA.
Set Certificate
Set Certificate
CRL Options
Use OCSP
  CA PAM sends an Online Certificate Status Protocol (OCSP) request to the OCSP server to validate client certificates.
Use CRL URL
  CA PAM updates the relevant CRL file by copying from the URL location at the interval specified in the Time setting.
PKI Options
Enable PKI/CAC User Login
  The PKI/Smartcard User Logon checkbox is used to enable/disable PKI authentication. With this option checked, the browser prompts for a client-side certificate upon locating the URL of the configured CA PAM.
No Login Page Without CAC
  The Login Page Without CAC checkbox provides the ability to enable/disable username/password-based logons. When this box is checked and if a smartcard is not present, users will not be able to log onto CA PAM. If the box is unchecked, users will have the option of authenticating via username and password or other configured authentication methods. In the event that users are not able to authenticate via smart-card, the configuration page is always available via a known username and password.
Disable config user
  Disables the built-in "config" user account (or that of any substitute name that was set through the Change Password page on initial login).
  Example: ABCserver123
Friendly Name
  Assign a name to be used by CA Privileged Access Manager to identify this SAML RP Entity.
Fully Qualified Hostname *
  REQUIRED
  FQDN of CA Privileged Access Manager RP, where FQDN is specified in location:
  <md:EntityDescriptor … >
  <md:SPSSODescriptor … >
  Example: xsuite-sp.example.com
Description
  Description for this CA Privileged Access Manager RP.
Organization Name
  Name of the company or other organization responsible for this CA Privileged Access Manager RP:
  <md:EntityDescriptor … >
  <md:Organization … >
  <md:OrganizationName>organizationName</md:OrganizationName>
Organization URL
  URL for the company or other organization responsible for this CA Privileged Access Manager RP:
  <md:EntityDescriptor … >
  <md:Organization … >
  <md:OrganizationURL>organizationURL</md:OrganizationURL>
Administrative Contact Name
  Administrative contact for this CA Privileged Access Manager RP:
  <md:EntityDescriptor … >
  <md:ContactPerson … >
  <md:GivenName>givenName</md:GivenName>
Administrative Contact Email
  Email for administrative contact for this CA Privileged Access Manager RP:
  <md:EntityDescriptor … >
  <md:ContactPerson … >
  <md:EmailAddress>emailAddress</md:EmailAddress>
Certificate Key Pair *
  REQUIRED
  Select from the certificate files currently uploaded to this CA Privileged Access Manager-as-RP (through Config > Security > Upload Certificate or Private Key) the desired SSL certificate + private key concatenated file.
Accept RSA-SHA1 Signed Responses
  Select if you wish to accept the RSA SHA1 signature method when presented.
Configured Remote SAML Identity Providers
The buttons below are activated when, at minimum, the required RP components (indicated by *) have been populated and Save Configuration has been successfully performed:
Add An Identity Provider
  Manually create an Identity Provider (IdP) record in the template that opens below the button. After populating the template, click Save Configuration to create the IdP record, create a line item in this panel, and close the template.
Upload An Identity Provider Metadata
  Upload an Identity Provider (IdP) metadata file to CA Privileged Access Manager and create a new IdP record with a corresponding line item in this panel.
The fields below are displayed (above the link buttons) for an Identity Provider (IdP) record that has been successfully populated from either of the Identity Provider creation link buttons:
Friendly Name
  Assign a name for this IdP for use by CA Privileged Access Manager.
EntityID
  <md:EntityDescriptor … entityID="entityIdName" … >
  Example: ABCserver123
Metadata
  Click the Download link to get the RP metadata file for this IdP so that you can import it into the IdP and establish trust of this CA Privileged Access Manager RP.
Edit
  Click the Edit button to open the editing template for the associated IdP record. Its fields are identified in the next section of this table.
Delete
  Click the Delete button to remove the line item and associated IdP record.
Test
  Click the Test button to test the connection to the associated IdP.
Identity Provider (IdP) template
Friendly Name *
  REQUIRED
  Assign a name for this IdP for use by CA Privileged Access Manager.
Organization Name
  Name of the company or other organization responsible for this IdP:
  <md:EntityDescriptor … >
  <md:Organization … >
  <md:OrganizationName>organizationName</md:OrganizationName>
Entity ID *
  REQUIRED
  SAML ID for this IdP that is unique for this SAML space:
  Example: ABCserver123
Description
  Description for this IdP.
Single Sign On Protocol Binding *
  REQUIRED
  Applicable protocol binding for this IdP:
  <md:EntityDescriptor … >
  <md:IDPSSODescriptor … >
  Options:
  SAML:2.0:bindings:HTTP-Redirect
  SAML:2.0:bindings:HTTP-POST
Single Sign On Service *
  REQUIRED
  Service location for this IdP:
  <md:EntityDescriptor … >
  <md:IDPSSODescriptor … >
  Example: https://rp.example.com/idp/profile/SAML2/Redirect/SSO
Allow Just In Time Provisioning
  Select this checkbox to enable CA PAM to provision a User account for an asserted SAML user if the account doesn't already exist on the SP.
  Include this User also in all existing User Groups on the SP as designated by the 'userGroup' attribute in the SAML assertion.
  • If an asserted User Group does not exist on the SP, do not create it.
Certificate *
  REQUIRED
  <md:EntityDescriptor … >
  <md:IDPSSODescriptor … >
  <ds:KeyInfo … >
  <ds:X509Data> <ds:X509Certificate>encodedContent</ds:X509Certificate>
  Example:
  -----BEGIN CERTIFICATE-----
  MIIGhzCCBG+gAwIBAgIKYQrABAAAAAAAajANBgkqhkiG9w0BABGMRMwEQYK
  ...
  0VyUrN0fafQmeuYITYzUoOt88LFClepqhrjn2s0AVoBLxcnmuemkw7nfgw==
  -----END CERTIFICATE-----
Sign Authentication Requests
  Select this checkbox if authentication requests must be signed.
Signature Algorithm
  Select the signature algorithm to be applied.
  Options: RSA-SHA1, RSA-SHA256, RSA-SHA384, RSA-SHA512
Authentication Contexts
  Identify the applicable authentication contexts for this IdP.
  Options:
  SAML:2.0:ac:classes:Kerberos
  SAML:2.0:ac:classes:PasswordProtectedTransport
  SAML:2.0:ac:classes:X509
  SAML:2.0:ac:classes:SmartcardPKI
  SAML:2.0:ac:classes:TLSClient
  SAML:2.0:ac:classes:TimeSyncToken
  SAML:2.0:ac:classes:unspecified
Require Encrypted Assertions
  Select this checkbox if this IdP requires encrypted assertions.
Enable Holder of Key Support
  Select this checkbox if you require CA PAM to be configured for smartcard authentication.
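Before an IdP metadata file is uploaded through Upload An Identity Provider Metadata, an administrator can pre-check that it carries the elements the template marks REQUIRED (Entity ID, an HTTP-Redirect or HTTP-POST Single Sign On Service, and a signing certificate). The script below is an added example, not CA PAM code or a CA-provided tool: the function names, the https-only check on the SSO location, and the sample metadata (whose certificate body is a two-byte DER placeholder rather than a real X.509 certificate) are all assumptions made here.

```python
"""Pre-flight check of SAML 2.0 IdP metadata against the CA PAM IdP template.
Added example, not CA PAM code; names, checks and sample data are assumptions."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The only two bindings the template's Single Sign On Protocol Binding field offers
ALLOWED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed sample metadata. "MAA=" decodes to an empty DER SEQUENCE and
# stands in for a real certificate body.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="ABCserver123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAA=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://rp.example.com/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://rp.example.com/idp/profile/SAML2/SOAP/SSO"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Corp</md:OrganizationName>
  </md:Organization>
</md:EntityDescriptor>
"""


def _looks_like_der_certificate(b64_text: str) -> bool:
    """A PEM body is base64 DER; DER X.509 always starts with a SEQUENCE tag (0x30)."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) >= 2 and raw[0] == 0x30


def check_idp_metadata(xml_text: str) -> dict:
    """Return the template fields found in the metadata plus a list of problems."""
    # xml.etree does not fetch external entities; for metadata from an
    # untrusted source, defusedxml is the safer drop-in parser.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this is not IdP metadata")

    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID attribute missing (template field Entity ID is REQUIRED)")

    org = root.find("md:Organization/md:OrganizationName", NS)

    sso = []
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding"), svc.get("Location", "")
        if binding not in ALLOWED_BINDINGS:
            continue  # e.g. SOAP: not selectable in the template, so ignored
        if not location.startswith("https://"):
            problems.append("SSO location is not https: " + location)
        sso.append((binding, location))
    if not sso:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService (REQUIRED)")

    # KeyDescriptor without a 'use' attribute is valid for signing and encryption
    certs = [
        cert.text or ""
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    good_certs = [c for c in certs if _looks_like_der_certificate(c)]
    if not good_certs:
        problems.append("no parseable signing X509Certificate (template field Certificate is REQUIRED)")

    return {
        "entity_id": entity_id,
        "organization_name": org.text.strip() if org is not None and org.text else None,
        "sso": sso,
        "signing_certificates": len(good_certs),
        "problems": problems,
    }
```

A clean result still has to be reviewed by a person: the script only confirms that the REQUIRED elements are present and well-formed, not that the entity is the IdP you intend to trust.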
SNMP
SNMP Configuration
Poll Server Configuration (see page 306): Used to authorize SNMP polling of CA PAM.
Trap Server Configuration (see page 307): Provides parameters of, and user credentials for, the NMS server.
NOTES:
SNMP Version 2c does not implement encryption.
SNMP v3 is required for FIPS mode.
Read-only Community String
  If using SNMP v2c, enter the SNMP Community String for authentication purposes.
Start at boot
  Checkbox
  Check this checkbox to start a poll server upon boot.
Server Status
  Enumerated: Not running, Running
  Current status of polling.
SNMPv3 Add/Update Poll User
Username
  Text
  Specify the account username authorized to allow Polling.
  NOTE: Do not use the name "CA Technologies, Inc.," as it is reserved.
(Text)
  Specify the public passphrase for Polling, and retype for error checking.
SSL VPN
SSL VPN Configuration
Virtual Network
  Identifies a device-routable IP address on the internal network.
Enable Split Tunneling
  Enables/disables split tunneling to an internal network and a public network.
Synchronization
This content describes synchronization fields.
Interface
GB1, GB2 … (radio button set)
  Select the interface that will be used when the device is the cluster management node and has the Virtual IP. The specified interface will be used for communications between the clustered CA PAMs.
  NOTE: The same interface must be used in all the clustered members.
Cluster Settings
Virtual Management IP
  IPv4 address
  Enter the virtual IP address that will be used to access the cluster. NOTE: The cluster will always be available for all users, through this virtual IP address. The Master CA PAM will have the virtual management IP address defined for it, and will redirect user requests to the least-loaded member of the cluster.
Virtual Management IP Domain Name
  FQDN
  Enter the fully qualified domain name string that will be used to access the cluster. Example: CA PAM.example.com IMPORTANT: This setting should be used only when configuring a cluster that is using DNS.
Cluster Members
  List of all known cluster member IP addresses. All cluster members are synchronized automatically.
Cluster Control
Save Config Locally (button)
  Saves the current configuration to the local CA PAM exclusively.
Save To Cluster (button)
  Saves the current configuration to all cluster members.
Turn Cluster On (radio button)
  Immediately activate synchronization.
Turn Cluster Off (radio button)
  Immediately deactivate synchronization.
Status
Unlock Me | Lock Me (button)
  This toggle button is available to unlock or lock the Credential Management database while the cluster is fully configured but is in the stopped state. Locking a member prevents database changes from being written to it. Locking is useful if that member will be a secondary upon cluster restart, because in that case any new data would be overwritten when propagated from the primary.
  When an administrator clicks the Unlock button, a flag is set that permits writing to the Credential Management database, the Credential Management function is restarted, and the button changes to Lock.
  When an administrator clicks the Lock button, that flag is cleared, writing to the Credential Management database is no longer permitted, and the button changes to Unlock.
  The flag is also cleared when the appliance is factory reset.
  The flag is also cleared on all members during cluster start and stop.
Menu Bar
Menu Bar
Basic Settings
Option / Default / Units / Description
Default 0 (generally): A value of zero (0) removes the restrictions that the particular setting is intended to enforce.
Default Auth Method
  Default: Local
  Select from a drop-down list the default authentication method that appears on the login page.
  Options: LOCAL, LDAP, RSA, RADIUS, TACACS+, LDAP+RSA, LDAP+RADIUS
  Note: At least one user must be created with the chosen authentication method before this option is available.
Default Page Size
  Default: 30 Devices
  Number of device line items to display on the Access page (immediately following login).
Table Refresh Interval
  Default: 60 Seconds
  The default refresh interval for Discovery Scan tables. 0 indicates no refresh.
Scan Purge Interval
  Default: 30 Days
  Number of days to keep Discovery scans.
Login Timeout
  Default: 10 minutes
  Set the maximum length of login inactivity before a login session closes out and requires reauthentication from the login page. ("Inactivity" refers to a lack of data communication between the User client and the CA PAM appliance, or idle time.)
  If this value is not zero, every CA PAM User login begins a countdown at the start of the session. While this User maintains active (live) connections to back-end (target) devices, the timeout stops counting down and resets itself to the Login Timeout value. When (all) connections are closed, the countdown starts again from that value.
If this value is not zero, every CA PAM User login begins a countdown at
the start of the session. While this User maintains active (live)
connections to back-end (target) device, this timeout counts down.
When its value becomes zero, the applet provides a popup message to
the user.
Passwords
Option / Default / Units / Description
Default 0 (generally): A value of zero (0) removes the restrictions that the particular setting is intended to enforce.
Security Level
  Default: 2
  Set the level of complexity required in user passwords. Default is Level 2.
  Level 0 – New Password … The New Password (only) must be different from the previous password.
Accounts
Option / Default / Units / Description
Default 0 (generally): A value of zero (0) removes the restrictions that the particular setting is intended to enforce.
Disable Inactive After
  Default: 30 Days
  Deactivate inactive user accounts after a set number of days.
  When restoring a database from a backup, accounts are disabled if the backup is older than the time limit.
Remove Disabled After
  Default: 0 Days
  Remove disabled user accounts after a specified number of days.
  This function is not available with LDAP users.
Forced Deactivation Alert
  Default: (empty)
  Format: User name, by autosuggest
  Identify the administrator who is notified (through the email specified in his/her user record) that a user has been deactivated.
Access Methods
Access Method / Default Port / Description
VNC
  Default Port: 5900
  Graphical desktop remote access application that enables access to the device. A Windows, Unix, Mac, or X Windows desktop can be accessed directly using this feature. VNC sessions can be graphically recorded. Note: This feature requires installation of the VNC (Virtual Network Computing) service on each of the devices/servers being accessed.
RDP
  Default Port: 3389
  Remote Desktop Protocol (RDP) is an access method for connecting to Microsoft Terminal Services and is commonly used for administration of Windows servers. RDP sessions can be graphically recorded.
Telnet
  Default Port: 23
  Standard Telnet access to a host. The Telnet service on the device being accessed must be running for this to work. See the specific device manufacturer documentation on how to set it up. Note: CA PAM does not support Telnet sessions to itself.
SSH
  Default Port: 22
  Supports SSH Versions 1 and 2. SSH must be running on the device being accessed for this to work. See the specific device or system manufacturer documentation on how to set it up.
Mainframe
  Mainframe Access Methods appear only if licensed.
Warnings
Option / Description
Show License Warning (Login page)
  Display a message to all users at the login page. Use the text box to type the message that appears.
  Note: Double-byte characters such as those used for traditional Chinese are supported.
Show Recording Warning (Applet)
  Display a message at the top of any Telnet or ssh applet to warn users that they are being monitored through alert, intervention, keyboard logging, session recording, or socket filtering features of CA PAM. Use the text box to type the message that appears.
Applet Customization
Configure Terminal Settings
  Opens the Configure Terminal Settings pane.
Default: Disable
RDP Keyframes Duration
  This factor determines how RDP is compressed: A small keyframe duration is equivalent to more frequent full frames of video data, which results in a large file, but allows a more rapid seek in the RDP viewer. For sessions using RDP 6.1, file size can be reduced significantly by increasing the keyframe duration. Reductions to about half the size have been observed.
  Options:
  Small (Fast Seek/Large File) – Recommended for all RDP versions except 6.1
  Medium
  Large
  Default: Disable
SSH Terminal File Transfer
  When "Enable SCP/SFTP" is selected, the MindTerm-based SSH Access Method applet provides the menu items Plugins, SFTP File Transfer and Plugins, SCP File Transfer. When one of those menu items is selected, it invokes a new applet window that allows you to operate the corresponding transfer method (SCP or SFTP) that provides a file transfer interface.
  CAUTION: Due to logging and recording limitations of the SCP/SFTP window activity, the CA PAM MindTerm-based SSH Access Method file transfer feature is disabled by default. However, should the Administrator determine this functionality is to be activated, it is recommended that the following limitations and the security implications of an incomplete audit trail are fully appreciated and accepted.
  For files transferred, CA PAM Session Logs will identify the name of the file or folder in addition to the User client computer location from which the transfer was initiated as illustrated below:
  Logs will not identify the location on the target device to which the files were transferred.
  When a file or folder is renamed using the "rename" command, this activity is not recorded in the Session Logs.
  When a file or folder is deleted, this activity is not recorded in the Session Logs.
  When a user changes directory (cd command) on the target, this activity is not recorded in the Session Logs.
  Even when session recording is provisioned, neither SFTP nor SCP windows are recorded.
Web Recording Quality
  Specifies the color depth and frame rate to use when recording a web portal session.
  Options:
  High (= 24 bits per pixel / 7 frames per second)
  Medium (= 16 BPP / 5 FPS)
  Low (= 8 BPP / 3 FPS)
  Default: High
Transparent Login Cache
  Sets the application cache for secondary transparent login on Windows targets.
  When Enabled, the Windows target caches the Transparent Login Agent (TLA), Learn Tool, and Control Viewer that are downloaded during connection from CA PAM when transparent login has been configured, provisioned, and activated. On subsequent connections to that Windows target, the load times for these applications are reduced. The data used by these applications (for example, the transparent login configuration files) is stored only on CA PAM.
  Default: Disable
Retrieve Public Address
  Lets an administrator enable or disable the Java applet Access Agent from retrieving the user's public address. After a user logs in to CA PAM, the Java Applet Access Agent is downloaded to the user desktop. The applet tries to retrieve the address of the gateway used for external access for auditing and for the VMware NSX feature. In some environments, this behavior is not desirable. The Retrieve Public Address setting lets administrators disable this feature.
  Default: Enable
Branding
Update/Revert Logo
  Allows you to use your company logo in the place of the CA PAM logo.
Field/Column / Definition
Timeout
  Time remaining until the Login Session times out, at which point the User will be automatically logged out.
  Idle time corresponds to the duration for which no communication has been made between the client GUI and CA PAM.
  If Global Settings: Login Timeout has been set to "0" at the time the Login Session is established, the Timeout value for that session is always "NEVER".
  When the corresponding Login Session begins an active Connection Session(s), the Timeout countdown is suspended; in place of the current value of Timeout, you will see a "UNDVC" placeholder. When every active session for this Login has closed, the Timeout countdown is reset back to the Global Login Timeout value, and begins a new countdown.
  When Timeout is changed while a Login Session is active, that Login Session will continue to use the previous Timeout value.
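The Login Timeout setting in Basic Settings and the Timeout column described here specify the same countdown from two sides. The class below models that countdown as the reference states it: the global value is captured at login, the countdown is suspended (and shown as "UNDVC") while any Connection Session is open, it restarts from the full value once all connections close, and a value of 0 means "NEVER". This is an added example rather than CA PAM code; the class and method names, the one-second tick, and the assumption that any client GUI communication resets the idle counter are mine.

```python
"""Model of the CA PAM Login Timeout countdown as the reference describes it.
Added example, not CA PAM code; names and tick granularity are assumptions."""


class LoginSession:
    NEVER = "NEVER"  # shown when Global Login Timeout was 0 at login time
    UNDVC = "UNDVC"  # placeholder shown while a Connection Session is active

    def __init__(self, login_timeout_minutes: int):
        # The global value is captured at login; a later change to the global
        # setting does not affect this session (it keeps the previous value).
        self.timeout = login_timeout_minutes * 60  # seconds; 0 = no timeout
        self.remaining = self.timeout
        self.open_connections = 0
        self.expired = False

    def open_connection(self) -> None:
        """A Connection Session to a target device starts: countdown suspends."""
        self.open_connections += 1

    def close_connection(self) -> None:
        if self.open_connections == 0:
            raise RuntimeError("no Connection Session is open")
        self.open_connections -= 1
        if self.open_connections == 0:
            # All target connections closed: the countdown restarts from the
            # full Login Timeout value, not from where it was suspended.
            self.remaining = self.timeout

    def activity(self) -> None:
        """Client GUI communicated with CA PAM (assumed to reset idle time)."""
        if not self.expired:
            self.remaining = self.timeout

    def tick(self, seconds: int = 1) -> bool:
        """Advance idle time by `seconds`; return True while the login is alive."""
        if self.expired:
            return False
        if self.timeout == 0 or self.open_connections > 0:
            return True  # NEVER, or suspended while connections are live
        self.remaining = max(0, self.remaining - seconds)
        if self.remaining == 0:
            self.expired = True  # logged out; must reauthenticate at the login page
        return not self.expired

    def display(self) -> str:
        """What the Timeout column would show for this session."""
        if self.timeout == 0:
            return self.NEVER
        if self.open_connections > 0 and not self.expired:
            return self.UNDVC
        minutes, seconds = divmod(self.remaining, 60)
        return "%d:%02d" % (minutes, seconds)
```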
Services
TCP/UDP Services
TCP/UDP Services Fields
Create TCP/UDP Services
  Opens the Create TCP/UDP Services pane. New services can be created by a CA PAM administration user on known ports and to specific applications. These services may include: fat client access such as SQL query frontends, mainframe clients, or any proprietary applications, which use TCP or UDP connections.
Basic Info
Basic Info Fields
Use this field… / To…
Port(s)
  Define all ports that the client application will open to gain access to the device, using:
  Port combination/redirection syntax is: RemotePort:LocalPort (separated by a colon) where:
  RemotePort is on the destination device
  LocalPort is where the CA PAM listener will wait for (connections on) the local user's desktop.
  Multiple ports: Each pair of ports is separated by a space, comma, or comma and space.
  Example: 67 3450 23
  Port range example: 14575-15004
  IMPORTANT: Do not combine Multiple Ports syntax with Port Range syntax; use only one or the other. Thus the following example usage is incorrect: 51000-51002, 55555
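As an added example (not CA PAM code; how CA PAM itself tokenises the field is not documented here), the parser below validates a Port(s) value the way the rules above describe: RemotePort[:LocalPort] entries separated by space or comma, or a single FirstPort-LastPort range, with mixing of the two syntaxes rejected. Two choices are assumptions: a range maps every port to the same LocalPort, and two entries may not claim the same LocalPort because each one is a listener on the user's desktop.

```python
"""Parser for the CA PAM Port(s) field syntax. Added example, not CA PAM code."""
import re

_PAIR = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # RemotePort[:LocalPort]
_RANGE = re.compile(r"^(\d{1,5})-(\d{1,5})$")      # FirstPort-LastPort


def _port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port %d is out of range 1-65535" % port)
    return port


def parse_ports(spec: str) -> list:
    """Return [(remote_port, local_port), ...] for a Port(s) field value."""
    # Entries are separated by a space, a comma, or a comma and a space
    tokens = [t for t in re.split(r"[\s,]+", spec.strip()) if t]
    if not tokens:
        raise ValueError("empty port specification")

    if len(tokens) == 1 and _RANGE.match(tokens[0]):
        low, high = (_port(p) for p in _RANGE.match(tokens[0]).groups())
        if low > high:
            raise ValueError("range %r is reversed" % tokens[0])
        # Assumption: a range redirects each port to the same local port
        return [(p, p) for p in range(low, high + 1)]

    pairs = []
    for token in tokens:
        if _RANGE.match(token):
            # Port Range syntax and Multiple Ports syntax must not be combined
            raise ValueError("range %r cannot be combined with other entries" % token)
        m = _PAIR.match(token)
        if not m:
            raise ValueError("bad port entry %r" % token)
        remote = _port(m.group(1))
        local = _port(m.group(2)) if m.group(2) else remote  # bare port: same both sides
        pairs.append((remote, local))

    # Added check: every LocalPort is a listener on the user's desktop, so two
    # entries cannot share one
    local_ports = [local for _, local in pairs]
    if len(set(local_ports)) != len(local_ports):
        raise ValueError("duplicate LocalPort in specification")
    return pairs


def is_valid_port_spec(spec: str) -> bool:
    """True when parse_ports accepts the value, False otherwise."""
    try:
        parse_ports(spec)
    except ValueError:
        return False
    return True
```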
Administration
Administration Fields
Use this field… / To…
Administration
Enable
  Select the checkbox to enable the service and allow it to be displayed. If it is disabled, it shows up lightly shaded in the Devices screens. Disabled services do not work for any user, including super.
Show in Column
  On the Access page, display the Service as a button instead of a drop-down list box.
Client Application
  In this field, you can pre-load the path to the local application for automatic launching once the Service is initiated. This can also be set or overridden by the user at launch time through a pop-up window that appears on the Access page.
  IMPORTANT: To use a path that requires embedded spaces, enclose the path up to and including the application executable filename in double quotes, as shown in this example:
  However, do not enclose the entire string in quotes, or the command will not execute.
Web Portal
Web Portal Fields
NOTE: CA PAM Browser is required if you intend to record the web portal session. (Otherwise, you will not be able to assign Recording Web Portal on the Policy page.)
Example: www.example.com
Aliases
  Specify any strings which can be used as a substitute portal target, separated by commas. If the target web portal is referred to by several different names, enter those names here.
Message 19015: CA PAM denied web portal AWS Management Console SSO's connection to the host amazonwebservices.d2.sc.omtrdc.net because it does not match an entry in the web portal's access list.
Each host (in the above example, "amazonwebservices.d2.sc.omtrdc.net") that you want to allow access to should be included in the Access List field, one line per host. Exclude any hosts that pose security risks.
NOTE: This is not a secure solution, but permits rapid activation of a web portal.
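When a web portal is being brought up, Message 19015 lines accumulate for every host the portal page tries to reach; the script below collects them per portal and reports which denied hosts are not yet on that portal's Access List, so an administrator can decide host by host which ones to add and which to leave excluded. It is an added example, not CA PAM code: the message regex is modelled on the single example line above and is an assumption, and the log lines, portal names, hostnames and Access List contents are constructed.

```python
"""Triage of web portal access-list denials (Message 19015) from CA PAM log
lines. Added example, not CA PAM code; message wording and sample data assumed."""
import re
from collections import defaultdict

# Assumed message shape, taken from the one example in the reference
DENY_RE = re.compile(
    r"Message 19015: CA PAM denied web portal (?P<portal>.+?)'s connection to the host "
    r"(?P<host>[A-Za-z0-9.-]+) because it does not match an entry in the web portal's access list\."
)

SAMPLE_LOG = [  # constructed sample lines
    "Message 19015: CA PAM denied web portal AWS Management Console SSO's connection to the host "
    "amazonwebservices.d2.sc.omtrdc.net because it does not match an entry in the web portal's access list.",
    "Message 19015: CA PAM denied web portal AWS Management Console SSO's connection to the host "
    "metrics.portal.example because it does not match an entry in the web portal's access list.",
    "Message 19015: CA PAM denied web portal AWS Management Console SSO's connection to the host "
    "metrics.portal.example because it does not match an entry in the web portal's access list.",
    "Message 19015: CA PAM denied web portal Intranet Wiki's connection to the host "
    "cdn.wiki.example because it does not match an entry in the web portal's access list.",
    "User admin1 logged in from 192.0.2.10",
]

# Constructed current Access List field contents, one host per line, per portal
ACCESS_LISTS = {
    "AWS Management Console SSO": "console.aws.example\nmetrics.portal.example\n",
    "Intranet Wiki": "wiki.example\n",
}


def denied_hosts(lines) -> dict:
    """Map portal name -> {host: denial count} from Message 19015 lines."""
    result = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            result[m.group("portal")][m.group("host").lower()] += 1
    return {portal: dict(hosts) for portal, hosts in result.items()}


def access_list_gaps(lines, access_lists: dict) -> dict:
    """Hosts that were denied and are not yet on the portal's Access List.

    The output is for an administrator to review: the reference says to
    exclude hosts that pose security risks, so nothing is added automatically.
    """
    gaps = {}
    for portal, hosts in denied_hosts(lines).items():
        listed = {
            h.strip().lower()
            for h in access_lists.get(portal, "").splitlines()
            if h.strip()
        }
        missing = sorted(h for h in hosts if h not in listed)
        if missing:
            gaps[portal] = missing
    return gaps
```

A host that keeps appearing in the gaps after the list was updated usually means the Access List entry does not match exactly (for example a different subdomain), which is the same kind of mismatch the message reports.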
RDP App Name
  Specifies a unique name for this CA PAM Service record identifying an application hosted on a Windows device with RDP access enabled.
Launch path
  Provides the full path to the RDP application that will run (without the Windows shell) when the user connects.
  Example: C:\Windows\System32\notepad.exe
Comments
  Additional information about the application can be noted here.
Enable
  Make this application available for use by CA PAM Devices. This allows an application to be provisioned with any number of Devices, but switched on or off with one step.
  Default: checked
Transparent Login
  Opens the Transparent Login configuration pane (description follows). Default: unchecked
Hide From User
  Do not display an RDP Application link to the User on the Access page.
  This is particularly relevant to transparent login: While a direct link to the RDP Application (which bypasses the Windows shell) is prevented, transparent login credentials handling (automatic login to the application target) for this application in an RDP session is still enforced.
  Default: unchecked
Basic Info
Basic Info Fields
Users of AWS: Note that the Username must be between 2 and 32 characters inclusive in order to work in AWS.
Keyboard Layout (Required)
  The type of character set mapping to keyboard. Default: AUTO – Keyboard mapping is the current system default.
Password (Required)
  Select the Password used for the initial sign in. The User is automatically forced to change the password at first connection. The minimum password strength can be set on the Global Settings page.
RDP Username
  Used by the RDP applet in credentials for access to the remote Windows device.
Mainframe Display Name
  Display Name used by the AS/400 applets TN5250 and TN5250SSL.
Description
  Specify any optional information pertaining to this user.
Administration
Administration Fields
- upon reaching this account's Account Expiration date-time setting (if any),
- upon the day-time moving outside the account's Access Time (if any)
Formats:
Single IP: 192.0.2.1
CIDR: 192.0.2.0/28
Range: 192.0.2.1-32
NOTE: User definition overrides (any) User Group definition, for either more or less restrictive rules. Also, if no User policy is defined, but that User is a member of multiple User Groups with different rules, the group permissions are additive (less restrictive).
Roles
Roles Fields
Field / Description
Available Roles
  Select the Access Roles (indicated in the drop-down list) for which this user should have authorization.
  IMPORTANT: Do not assign any User solely the role Password Manager. This role does not contain sufficient privileges for CA PAM access. Instead, keep the default role Standard User, and then add Password Manager as well, when you intend to allow only password management privileges.
  Roles are defined in terms of privilege sets specified per role as identified in Users > Manage Roles. A set of about 15 roles is preset at installation, while other, user-defined, roles may have been added in Manage Roles.
  User roles Standard User (for the Access page) is the default set for a new user. The user roles specified allow for configuration and administration of various functional components of CA PAM. A Role can be removed (made unassigned) by clicking Remove next to the name/description of the role.
PM Groups
  Appears, and is required, only when role(s) are selected with password managing capacities.
  If the above-selected Role is credential-management related:
Available Groups
  Provides a drop-down menu of the Password Management User Groups available that are applicable to the selected Role.
Access Time
NOTE: When Terminate Session Upon Account Expiration="Yes", login termination can occur by any of the following:
upon the day-time moving outside the account's Access Time as set here (if any)
Add Rules
  Button that expands the current User specification window, providing the two widgets below for access time rules specification.
Access Days
  Select one or more days for which the User is permitted access.
From _ To _
  Select a time range within the Access Days specified during which the User is permitted access.
Add New Rule
  Displays Add New Rule.
Remove All Rules
  Removes existing rules from CA PAM.
API Keys
Create New API Keys
Name (required)
  Assign a name for this key. The name will also be available to this User. This option allows you to store keys continuously for this user, but activate or deactivate the keys as desired.
Active (required)
  Allows the named key to be the active key.
Available Roles
  Select a role from the drop-down menu, which includes only roles available to you, the editing administrator. You may also assign no role if you are not currently using the key.
View Inherited Roles
  If the User has inherited roles from a User Group, clicking this link will identify them.
Create New API Key
  Click this link to create another API Key.
Basic Info
Format if imported (using Import LDAP Group) from other than Active Directory (for example, from SunOne, OpenLDAP, or other): LDAPsourceGroupName
Authentication
Authentication Fields
Authentication
  Authentication method to be used during User login. The options available depend on which type of group is being created (Local, RADIUS, or imported LDAP).
  Select either Local or SAML.
  Options: Local, SAML
SAML Attribute
  Enumerated:
  If the User provisioning source was an LDAP directory of type Active Directory: Distinguished Name
  If the User provisioning source was an LDAP directory of type OpenLDAP, SunOne, or other: Distinguished Name, Unique Attribute, User Name
Login IP Ranges
  Network access definition: Identify source IP address range(s), if any, required for the CA PAM login client.
  Formats:
  Single IP: 192.0.2.1
  CIDR: 192.0.2.0/28
  Range: 192.0.2.1-32
  NOTE: User definition overrides (any) User Group definition, for either more or less restrictive rules. Also, if no User policy is defined but that User is a member of multiple User Groups with different rules, the group permissions are additive (less restrictive).
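The three rule formats and the precedence note appear for both the User record and the User Group record; the following added example (not CA PAM code) parses all three formats with the standard ipaddress module and applies the stated precedence: a User definition, when present, replaces any group definitions, and otherwise the group definitions are combined additively. The function names, the comma-or-newline separation of rules, and the treatment of an empty rule set as "no restriction" are assumptions made here; the CIDR form is parsed strictly so that a typo such as 192.0.2.5/28 is rejected rather than silently widened to the whole /28.

```python
"""Evaluator for the Login IP Ranges formats and their precedence note.
Added example, not CA PAM code; names and edge-case handling are assumptions."""
import ipaddress


def parse_rule(rule: str) -> list:
    """Turn one rule in Single IP, CIDR or Range form into IPv4 networks."""
    rule = rule.strip()
    if "-" in rule:  # Range form: 192.0.2.1-32 (last octet only)
        base, last = rule.split("-", 1)
        first = ipaddress.IPv4Address(base)
        last_octet = int(last)
        if not 0 <= last_octet <= 255:
            raise ValueError("last octet %d out of range in %r" % (last_octet, rule))
        last_ip = ipaddress.IPv4Address(first.packed[:3] + bytes([last_octet]))
        if last_ip < first:
            raise ValueError("range %r is reversed" % rule)
        return list(ipaddress.summarize_address_range(first, last_ip))
    # Single IP becomes a /32; CIDR must name the network address (strict)
    return [ipaddress.IPv4Network(rule, strict=True)]


def is_valid_rule(rule: str) -> bool:
    try:
        parse_rule(rule)
    except ValueError:  # AddressValueError and NetmaskValueError subclass it
        return False
    return True


def parse_rules(text: str) -> list:
    """Rules separated by commas or newlines (assumed field convention)."""
    nets = []
    for rule in text.replace(",", "\n").splitlines():
        if rule.strip():
            nets.extend(parse_rule(rule))
    return nets


def _matches(ip, nets) -> bool:
    return any(ip in net for net in nets)


def login_allowed(client_ip: str, user_rules: str, group_rules: list) -> bool:
    """Apply the precedence note: a User definition, if present, replaces any
    User Group definitions; otherwise group definitions are additive (union).
    An empty rule set everywhere is taken to mean no IP restriction (assumption)."""
    ip = ipaddress.IPv4Address(client_ip)
    if user_rules and user_rules.strip():
        return _matches(ip, parse_rules(user_rules))
    combined = []
    for rules in group_rules:
        combined.extend(parse_rules(rules or ""))
    if not combined:
        return True
    return _matches(ip, combined)
```

Because the User definition replaces rather than narrows the group definitions, a permissive rule on one user record silently widens that user's access beyond what the groups allow; that is the case worth auditing.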
Roles
Roles Fields
Available Roles
  Drop-down list of CA PAM User Roles available through previous provisioning. Multiple roles can be assigned per group (or for an individual user through an individual user record).
  Default: Standard User.
Add Rules
Access Days
  Select one or more days for which the User is permitted access.
From _ To _
  Select a time range within the Access Days specified during which the User is permitted access.
Add New Rule
  Displays Add New Rule.
Remove All Rules
  Removes existing rules from CA PAM.
Users
Users Fields
Users
  Displays a sequence of the Usernames that are members of this User Group.
  For Local groups: Set of all member usernames; usernames can be added or removed.
  For Imported LDAP groups: Set of all member usernames; usernames cannot be added or removed; that editing must be accomplished in the source LDAP directory.
Create Device
Basic Info
Create Device Basic Info Fields
Basic Info
The user specified name of the device. Users see this name on the access page. NOTE:
Device Double-byte characters such as those used for traditional Chinese are supported.
Name
Required
17-Feb-2017 328/373
CA Privileged Access Manager - 2.8
Address (Required): The device’s IP or DNS name (DNS must be set up properly under the Config > Network screen).
Scan: The utility that executes a port scan to detect services that have been configured.
Device Type: Select one or more of the listed device type designations to provision their functionality in this device:
  Access
  Password Management
  A2A
Each device type prompts its own fields – these are each indicated below by white prefix letters in each header.
Special Type: Choose the radio button Special Type = yes only for KVM over IP, intelligent power, or serial console devices.
Access: Special Type: Special Type Device Type (Required): Appears only upon selection of “yes” for the Special Type radio button above. Choose from an enumerated list of the CA PAM-aware device types.
Login: If required by Device: Username for access.
Password: If required by Device: Password for the identified Username.
Preserve Hostname: Prevents the request server host name from being overwritten each time this A2A Client registers. Default: false. When left empty, the existing hostname value is not changed.
Tags
Tags Fields
Terminal
Terminal Fields
Term Type:
  ansi
  ibm – allows punch-through (only) to an AS/400 target device using a CA PAM provisioned credential
  scoansi
  vt100 – Default
  vt220
  vt320
  xterm
Key Mapping:
  None selected
  AT 386
  xterm-vt220 – Default
  vt320
“End” to Select: NOTE: This function is deprecated.
Terminal Customization: Triggers Terminal Customization expansion (see the following section).
Manage Groups
Create Device Groups
Basic Info
Basic Info Fields
Group Name (Required): The user-specified name of the device group. This is the name that the users will see on the access page. NOTE: Double-byte characters such as those used for traditional Chinese are supported.
Group Type (Required): If this appliance/instance has been configured for AWS use, two options are available: “Local” and “AWS”. If “AWS” is selected, this Device Group will act as a container for CA PAM Device records that are created as a result of an import of AWS devices.
Credential Source: From a drop-down menu of CA PAM Devices, specify one or more Password Management Device(s) (for example, a Windows domain controller) that will be used to provide a domain account for each policy used to provide SSO to any member of this Device Group.
NOTE: When a Device specified as a Credential Source is deleted or has Device Type “Password Management” unchecked, that Device is removed from any and all Credential Source specification(s). This action is noted in the logs.
NOTE: This Device may at the same time be a member of the Device Group.
NOTE: As of 2.4 FP3, you can specify a Credential Source that uses the SSH Access Method. This was previously available only for the RDP Access Method.
Description: This field is used for any additional information the administrator wishes to add to this record.
Devices
Device Fields
[List]: The new Device Group is populated here with (existing) Devices. To add a Device: start typing its name until it appears in a dialog box list. Then select it (its line item) to populate the Devices field.
Access Methods
Access Methods Fields
Checkbox (for each method) indicates that each member of the Device Group is capable of, and authorized to use (respond to), the specified Access Method:
  VNC
  Telnet
  SSH
  Serial
  Power
  RDP
  KVM
  TN3270
  TN5250
  TN3270SSL
  TN5250SSL
Enable
Target Applications: Include the following target applications: SSH (22), LDAP (389), MSSQL (1433), Oracle (1521) and Sybase (5000).
Scan: The scan compares the number of defined and undefined hosts scanned with the license quota, and displays the number of licensed nodes available.
Manage Policies
Create Policy (see page 333)
Access Methods (see page 333)
Services (see page 333)
Passwords (see page 333)
OOB & Power (see page 333)
Filters (see page 334)
Recording (see page 335)
Manage Filters (see page 335)
Command Filters Config (see page 336)
Command Filters Lists (see page 336)
Create Policy
Access Methods
Add: During configuration, options for Access Methods were selected. This list displays those selected Access Methods.
Services
Add: Depending upon the Device (Group) selected, the options available vary. For instance, if the Device (Group) selected is xxxxx.aws.amazon.com, a dialog such as the one shown here displays. If AWS Management Console SSO is checked, the following dialog displays.
Passwords
Add: Select from Target Application [+ (optional) Target Account] sets as previously activated for this Device.
NOTE: For AWS AMI instance UNIX and Linux Devices, only EC2 keys autopopulate as options.
EXAMPLE: The "Administrator" account for the OS ("Win 2k8 R2 S1") application is available for management by User ("super").
Power
Serial
Filters
Select one or no Command Filter, and one or no Socket Filter. The available filters have been previously set in the Manage Filters interface for this User + Device.
Command Filters: As previously defined for this User + Device. Through Policy, these restrictions to Device or Device Group access can be imposed on a particular User or User Group:
  Command Filtering
  Socket Filtering
Socket Filters: As previously defined for this User + Device. EXAMPLE: The "PrimaryBlacklist" filter has been selected from the drop-down list, and is applied to the login session.
Restrict Login if agent is not running: PREREQUISITE: Populated Socket Filters. When selected: If CA PAM cannot detect a running Socket Filter Agent on this device and an SFA-monitored connection is being attempted, the login is rejected.
NOTE: For connection types that are not monitored by CA PAM socket filtering, connection instances are not rejected by this feature.
NOTE: Connections that SFAs monitor include: Access Method GUI, CLI, and mainframe applets; and RDP, VNC, and ICA Services. Connections that SFAs do not monitor include: standard (customized) Services and Web Portal Services.
Recording
The options that are provided in the lists have been previously set in the configuration record for this Device. See Provisioning: Devices for more information.
Graphical: PREREQUISITE: RDP and VNC are permitted (listed in Selected Access Methods). Select if you want this User’s activity on this Device to be recorded graphically: graphical session recording is available for the RDP and VNC applets.
EXAMPLE: In the example below, this option has been selected, so the RDP sessions are recorded and saved.
CAUTION: VNC access by Service (rather than the VNC Access Method) cannot be recorded.
Command Line: PREREQUISITE: TELNET, SSH, and Console are permitted (listed in Selected Access Methods). Select if you want this User’s command line activity on this Device to be recorded (as plain text): TELNET, SSH, and Console user keystrokes can be recorded.
CAUTION: To have text search capability in your CLI recording, use an Access Method applet for access, not a native application Service. Text search does not work in recordings of native applications (such as PuTTY).
Bidirectional: PREREQUISITE: Command Line option has been selected. Select if you want Device command line output to be recorded in addition to the User command line entries.
Select if you want this User’s activity on this Device Web Portal to be recorded graphically.
NOTE: If your policy applies to multiple Web Portal type Services, and some of those Services use the Native Browser and some use the CA PAM Browser, this checkbox is available, but will only apply.
On Violation: Displays the On Violation pane.
Manage Filters
Messages: Blacklist and Whitelist violation messages display. Also, email violation messages.
Actions: Defines the number of violations before action is taken and the type of action to be taken.
… where “[command]” is substituted during execution with the string (keyword) used, and “[violations]” is substituted during execution with the number of (including the current) occurrences of this violation by this user (and “[newline]” is substituted with a line feed).
NOTE: Double-byte characters such as those used for traditional Chinese are permitted.
Whitelist Violation Message: The default that is provided is:
  WARNING: [command] is an unauthorized command.[newline][newline]Please contact the administrator if you have any questions.
… where “[command]” is substituted during execution with the string (keyword) used (and “[newline]” is substituted with a line feed).
NOTE: Double-byte characters such as those used for traditional Chinese are permitted.
Violation Additional email Message: This area is provided for information that is sent to 'super' if violations occur. (No default is provided.)
NOTE: Double-byte characters are NOT permitted in email messages. (They are permitted only in screen messages.)
Action
# Violations Before Action: The numerical value of the number of violations that are permitted to occur. When the violation count matches the threshold, the action in Action After Limit Exceeded is taken. Set this value to zero (0) for no count to be enforced. The count of violations is on a per-device basis regardless of how many times the user connects.
Action After Limit Exceeded: Select the appropriate action that complies with policy when the user exceeds the number of violations.
Save Command Filter Config: Saves the Command Filter Config file.
Create List
Basic Info
Agent Port: The default is 8550. The value must match the port where the agents are listening. NOTE: The socket filter agents must be configured to use the same port.
SFA Monitoring: IMPORTANT: This checkbox must be selected for filters to be monitored (in addition to device filter specification on the specific device page). Enable this option if the policies include disallowing users to log on to a device if the agent is not running. Agent status also appears in the Devices menu button under Socket Filter Agent.
Appliance ID: This is a unique number that refers to each physical appliance, and must be set when using SFAs with Windows. Thus when CA PAMs are clustered, each member must have a unique ID.
Log All (White and Black list): Logs all White and Black list.
Messages
Messages Fields
Violation Message: Provides the ability to customize the message that appears to the User when a policy is violated. When the following strings (including brackets) are used in a Socket Filter Config message, they are substituted as specified:
  [host] - Replaced by the IP address of the blocked host.
  [port] - Replaced by the port of the blocked connection.
NOTE: Double-byte characters such as those used for traditional Chinese are permitted.
Violation Additional email Message: The area for information that is sent to "super" if violations occur.
PREREQUISITE: Administrator email must be configured.
NOTE: Double-byte characters are NOT permitted in email messages. (They are permitted only in screen messages.)
Action
Action Fields
# Violations Before Action: The numerical value of the number of violations that are permitted to occur. When the violation count matches this threshold, the action that is specified in Action After Limit Exceeded is taken. Set this value to zero (0) for no count to be enforced. NOTE: The count of violations is persistent on a per user-device basis regardless of how many times the user connects. Thus a user is not permitted to “re-zero” the count by reconnecting and trying again.
Action After Limit Exceeded: Select the appropriate action that complies with policy when the user exceeds the number of violations.
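The counting and substitution rules in the Command Filter and Socket Filter tables above (bracketed placeholders, a per user-device count that survives reconnects, zero meaning no limit) are modelled in this added example, which is not CA PAM code. The class and function names and the sample events are constructed, and a count at or above the threshold is treated as exceeding it.

```python
"""Added example, not CA PAM code: models the On Violation handling described
for Command Filter and Socket Filter configurations. From the text:
[command], [violations] and [newline] (command filters) or [host] and [port]
(socket filters) are substituted into the message; the violation count is kept
per user and device, persists across reconnects, and a "# Violations Before
Action" value of 0 disables the count. Names below are constructed.
"""
from collections import defaultdict
from typing import Dict, Tuple

# Default Whitelist Violation Message quoted from the reference.
DEFAULT_WHITELIST_MESSAGE = (
    "WARNING: [command] is an unauthorized command.[newline][newline]"
    "Please contact the administrator if you have any questions."
)


def render_message(template: str, **fields: object) -> str:
    """Substitute bracketed placeholders; [newline] becomes a line feed.

    Placeholders that are not supplied are left untouched so a typo in a
    configured template stays visible instead of silently vanishing.
    """
    text = template.replace("[newline]", "\n")
    for name, value in fields.items():
        text = text.replace(f"[{name}]", str(value))
    return text


class ViolationTracker:
    """Counts violations per (user, device) and decides when the action fires."""

    def __init__(self, violations_before_action: int, action_after_limit: str):
        if violations_before_action < 0:
            raise ValueError("# Violations Before Action cannot be negative")
        self.threshold = violations_before_action  # 0 = no count enforced
        self.action = action_after_limit
        self._counts: Dict[Tuple[str, str], int] = defaultdict(int)

    def record(self, user: str, device: str) -> Tuple[int, str]:
        """Register one violation; return (count so far, action or "none").

        The key is user+device, never the session, so disconnecting and
        reconnecting does not "re-zero" the count. Assumed here: the action
        fires when the count reaches the threshold and on every violation after.
        """
        key = (user, device)
        self._counts[key] += 1
        count = self._counts[key]
        if self.threshold and count >= self.threshold:
            return count, self.action
        return count, "none"

    def count(self, user: str, device: str) -> int:
        """Current persistent count for one user on one device."""
        return self._counts.get((user, device), 0)


def handle_command_violation(tracker: ViolationTracker, user: str, device: str,
                             command: str,
                             template: str = DEFAULT_WHITELIST_MESSAGE) -> Tuple[str, str]:
    """Command filter path: count the violation, then render the screen message."""
    count, action = tracker.record(user, device)
    message = render_message(template, command=command, violations=count)
    return message, action


def handle_socket_violation(tracker: ViolationTracker, user: str, device: str,
                            host: str, port: int, template: str) -> Tuple[str, str]:
    """Socket filter path: same counter, but [host] and [port] are substituted."""
    count, action = tracker.record(user, device)
    return render_message(template, host=host, port=port), action


if __name__ == "__main__":
    # Constructed walk-through: three strikes, then the user "reconnects" and tries again.
    tracker = ViolationTracker(3, "disconnect")
    for _ in range(4):
        message, action = handle_command_violation(tracker, "alice", "db01", "mount",
                                                   "[command] (#[violations])")
        print(message, "->", action)
```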
Basic Info
Hosts
Host Fields
AWS Policies
Manage AWS Policies Fields
Field: Description
Name: Assign a policy name. (This is a tag that is used only in CA PAM.)
Access Key Alias: Assign an Access Key Alias from this drop-down list, composed from the corresponding fields in target accounts specified for use with the AWS Access Credential Accounts target application.
Session Timeout: Designates the amount of time that is permitted for the policy to be applied before disconnection.
Policy: The IAM Policy content to be applied.
Manage Passwords
Manage Passwords (see page 341)
Targets (see page 341)
Accounts (see page 341)
AWS API Proxy Access Credentials (see page 342)
Proxies (see page 364)
Password Composition Policies (see page 364)
SSH Key Pair Policies (see page 364)
Workflow Menu (see page 364)
A2A Menu (see page 364)
Scripts (see page 364)
Clients (see page 364)
Mappings (see page 364)
Request Groups (see page 365)
Groups (see page 366)
Manage Passwords
Targets
Accounts
Use this Application Type, along with Host Name “xceedium.aws.amazon.com”, when creating target accounts that are applicable only to AWS access.
User Friendly Account Name: A string that functions in CA PAM like a username for AWS Account + Region access.
Access Key ID: An alphabetic string that functions in AWS like a username for AWS account access.
Secret Access Key: The longer string corresponding to the Access Key ID that functions like a password with the above ID.
View Private Key: Select this checkbox to reveal the Secret Access Key characters (which are otherwise obfuscated).
Key Alias: Assign a short “name” to this credential pair so that you can easily identify and select it when required elsewhere in the GUI.
Access Role Name: Provide this if these credentials are applicable to an AWS API Proxy account.
AWS Cloud Type: Select Commercial if these credentials are applicable to a regular AWS account, or Government if applicable to a United States government authorized AWS GovCloud (US) Region account.
Application Type: Use this Application Type, along with Host Name “xceedium.aws.amazon.com”, when creating target accounts that are applicable only to the AWS API access.
The following expansion windows, populated with default values, are provided to allow option specification for the corresponding account types.
For most Target Account types, a Change Process option specifies whether the account being managed can change its own password or whether another, higher-privilege account must be specified to do that. When the latter option is selected (Use the following account to change password), a field appears below the legend so that you can enter the password-changing account.
Application Types
VMware ESX/ESXi
Generic
No requirement.
AS400
No requirement.
Cisco
Cisco Application Type Fields
Fields are initially “populated” with (invisible) default values. When a field is empty, the default value identified below that field is in effect. CA PAM will accept a regular expression in those fields which end in "Prompt".
Cisco Script Processor Dialog Box Fields
Default: 5000
Use a revised default script (requires patch) – Specifies the name of the file containing the revised verify script. The contents of the file will be used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.
Use a replacement script – Specifies a replacement verify script. When selected, this option opens a text field in which to insert the replacement script.
Use of the Cisco application type displays the following drop-down menu. The second displays these fields expanded.
Juniper Junos
Connect timeout: Milliseconds
LDAP
Use of the LDAP connector requires specification of the following parameters. Accounts must support the Open LDAP v3 protocol.
MSSQL
Use of the MSSQL connector requires specification of the following parameters (unless marked “optional”) for Microsoft SQL Server 2000 and later.
MYSQL
Oracle
SPML V.2
Use of the SPML (Service Provisioning Markup Language) v2.0 connector requires specification of the following parameters. When the path is specified, along with the target server host name, port attribute and protocol attribute, a valid URL is formed.
UNIX
Fields are initially “populated” with (invisible) default values. When a field is empty, the default value identified below that field is in effect. CA PAM will accept a regular expression in those fields which end in "Prompt".
Default: 5000
Password Entry Prompt: A regular expression that matches the prompt produced by the remote host when it requests a password. Regex match: (?si)(.*?password(\sfor|:).*?)
User Name Entry Prompt: A regular expression that matches the prompt produced by the remote host when it requests a user name. Regex match: (?si).*?login:.*?
UNIX Commands: Commands to be called by the script. You may enter a substitute string.
Change Password Command: The command on the remote host that is used to change a password. Default: passwd
Echo Command: The command on the remote host that is used to repeat a sequence of characters to the standard output, that is, the console. Default: echo
Policy Management Command: The command on the remote host that is used to manage policy. Default on AIX: pwdadm. Default on any other platform: (none)
Privilege Elevation Command: The command on the remote host that is used to elevate the user's level of privilege. Default: sudo
Substitute User Command: The command on the remote host that is used to act as another user. Default: su
System Information Command: Default: uname
Who Am I Command: The command on the remote host that is used to retrieve the effective ID of the currently logged-in user. Default: whoami
Update Credentials Script: Specify the script to be used for updating credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.
Use which type of script?:
  Use the default script – Indicates that CA PAM will use the default script provided with the release.
  The following two options are only for use coordinated with CA Technologies, Inc. Support:
  Use a revised default script (requires patch) – Specifies the name of the file containing the revised update script. The contents of the file will be used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.
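The two default prompt expressions in the table above can be exercised against captured terminal output. The following added example is not CA PAM code: it uses the page's patterns verbatim, with constructed sample output and a constructed tightened pattern (TIGHT_USERNAME_PROMPT) to show why a login banner containing "login:" satisfies the default User Name Entry Prompt before the real prompt arrives, and how a custom regex in that field can avoid it.

```python
"""Added example, not CA PAM code: runs the default Password Entry Prompt and
User Name Entry Prompt regular expressions over constructed terminal output,
as a script processor would when deciding which prompt it is waiting on.
Python's re accepts the page's (?si) inline flags. The classify_prompt()
helper, SAMPLES and TIGHT_USERNAME_PROMPT are this example's own; the two
DEFAULT_* patterns are the page's defaults verbatim.
"""
import re

# Defaults quoted from the reference: (?s) lets "." span lines, (?i) ignores case.
DEFAULT_PASSWORD_PROMPT = re.compile(r"(?si)(.*?password(\sfor|:).*?)")
DEFAULT_USERNAME_PROMPT = re.compile(r"(?si).*?login:.*?")

# Tightened alternative (this example's suggestion, not a CA PAM default): only
# match when "login:" is the last thing received, i.e. an actual prompt.
TIGHT_USERNAME_PROMPT = re.compile(r"(?si).*?login:\s*$")


def classify_prompt(received: str,
                    password_re=DEFAULT_PASSWORD_PROMPT,
                    username_re=DEFAULT_USERNAME_PROMPT) -> str:
    """Return "password", "login" or "unknown" for the output received so far.

    The password pattern is tried first so that a sudo prompt such as
    "[sudo] password for alice:" is never mistaken for anything else.
    """
    if password_re.search(received):
        return "password"
    if username_re.search(received):
        return "login"
    return "unknown"


# Constructed terminal output. "banner_only" is a post-login banner that contains
# "login:" without being a prompt; the default pattern still matches it.
SAMPLES = {
    "login_prompt": "Ubuntu 16.04 LTS\nmyhost login: ",
    "password_prompt": "Password: ",
    "sudo_prompt": "[sudo] password for alice: ",
    "banner_only": "Last login: Tue Feb 14 10:02:11 2017 from 192.0.2.1\nalice@myhost:~$ ",
}


def classify_all(username_re=DEFAULT_USERNAME_PROMPT) -> dict:
    """Classify every sample with the default password pattern and the given login pattern."""
    return {name: classify_prompt(text, DEFAULT_PASSWORD_PROMPT, username_re)
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    print("default :", classify_all())
    print("tightened:", classify_all(TIGHT_USERNAME_PROMPT))
```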
Use of the UNIX application type displays the following drop-down menu. The second displays these fields expanded.
Use default server host key types?
Settings applicable to Telnet
Telnet Communication Channel
Port: The port used to connect to the UNIX host using Telnet. Default: 23
Communication Timeout: When using the Telnet communication channel, specifies the amount of time in milliseconds that CA PAM should wait for the remote host to respond. Default: 60000
Script Processor
Script Timeout: Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host. Default: 5000
Default: 22
Communications Timeout: When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager waits for the remote host to respond. Valid values are 1000-99999. Default: 5000
Script Processor
Script Timeout: Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host. Default: 5000
Default: 22
Communications Timeout: When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond. Valid values are 1000-99999. Default: 5000
No requirements.
WebLogic 1.0
If a value is given, CA PAM will use the value to narrow the search for domain controllers based on the specified name.
Window Proxy
If Local Account: (no further specification is required)
If Domain Account:
Domain Controller Lookup: Specifies the DNS method to use:
  Do not use DNS (connect to target server)
  Do not use DNS (connect to specified servers) – If selected, populate “Specified Server(s)” below
  Retrieve DNS list – Retrieves the Domain Controller’s name from the DNS server used by the CA PAM server.
  Use specified DNS server(s) – If selected, populate “Specified DNS Server(s)” immediately below
Specified Server(s): Use following server(s) (comma-separated):
Specified DNS Server(s): Use following DNS server(s) (comma-separated): Retrieves the Domain Controller’s name from a specified list of DNS servers.
Domain Name: Specifies the Windows domain of the managed account.
Active Directory Site: This is used only if Domain Controller Lookup is set to Retrieve DNS list or Use specified DNS server(s). If a value is given, CA PAM will use the value to narrow the search for domain controllers based on the specified name.
No Requirement.
Application Types
VMware ESX/ESXi
Cisco
Script Processor
Fields are initially “populated” with (invisible) default values. When a field is empty, the default value identified below that field is in effect. CA PAM will accept a regular expression in those fields which end in "Prompt".
Cisco Script Processor Dialog Box Fields
Default: 5000
Update Credentials Script: Specify the script to be used for updating credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.
Use which type of script?:
  Use the default script – Indicates that CA PAM will use the default script provided with the release.
  The following two options are only for use coordinated with CA Technologies, Inc. Support:
  Use a revised default script (requires patch) – Specifies the name of the file containing the revised update script. The contents of the file will be used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.
  Use a replacement script – Specifies a replacement update script. When selected, this option opens a text field in which to insert the replacement script.
Verify Credentials Script: Specify the script to be used for verifying credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.
Use which type of script?:
  Use the default script – Indicates that CA PAM will use the default script provided with the release.
  The following two options are only for use coordinated with CA Technologies, Inc. Support:
  Use a revised default script (requires patch) – Specifies the name of the file containing the revised verify script. The contents of the file will be used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.
  Use a replacement script – Specifies a replacement verify script. When selected, this option opens a text field in which to insert the replacement script.
Use of the Cisco application type displays the following drop-down menu. The second displays these fields expanded.
Telnet Communication Channel
Port: The port used to connect to the UNIX host using Telnet. Default: 23
Communication Timeout: When using the Telnet communication channel, specifies the amount of time in milliseconds that CA PAM should wait for the remote host to respond. Default: 60000
Juniper Junos
Use of the Junos connector requires specification of the parameters shown here.
LDAP
Use of the LDAP connector requires specification of the following parameters. Accounts must support the Open LDAP v3 protocol.
Port: Port used to connect to the LDAP (for example, Active Directory or AD) server. Required. Default: 389
Protocol: The protocol used to connect to the LDAP server. Non-SSL –or– SSL. Default: Non-SSL
Base-64 encoded x.509 Certificate: SSL certificate. Required if Protocol is SSL.
MSSQL
Use of the MSSQL connector requires specification of the following parameters (unless marked “optional”) for Microsoft SQL Server 2000 and later.
SSL Enabled
Port: MS SQL Port (Optional, default 1433). Default: 1433
Instance: MS SQL Server instance name (Optional)
MYSQL
Oracle
SPML V.2
Use of the SPML (Service Provisioning Markup Language) v2.0 connector requires specification of the following parameters. When the path is specified, along with the target server host name, port attribute and protocol attribute, a valid URL is formed.
Default: 8080
Path: SPML path CA PAM connects to. Optional.
Protocol: Protocol used to connect to the SPML server. Non-SSL –or– SSL. Default: Non-SSL
Base-64 encoded x.509 Certificate: SSL certificate. Required if SSL is used.
UNIX
Fields are initially “populated” with (invisible) default values. When a field is empty, the default value identified below that field is in effect. CA PAM will accept a regular expression in those fields which end in "Prompt".
Default: 5000
Commands
Change Password Command: The command on the remote host that is used to change a password. Default: passwd
Echo Command: The command on the remote host that is used to repeat a sequence of characters to the standard output, that is, the console. Default: echo
Policy Management Command: The command on the remote host that is used to manage policy. Default on AIX: pwdadm. Default on any other platform: (none)
Privilege Elevation Command: The command on the remote host that is used to elevate the user's level of privilege. Default: sudo
Substitute User Command: The command on the remote host that is used to act as another user. Default: su
System Information Command: Default: uname
Who Am I Command: The command on the remote host that is used to retrieve the effective ID of the currently logged-in user. Default: whoami
Update Credentials Script: Specify the script to be used for updating credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.
Use which type of script?:
  Use the default script – Indicates that CA PAM will use the default script provided with the release.
  The following two options are only for use coordinated with CA Technologies, Inc. Support:
  Use a revised default script (requires patch) – Specifies the name of the file containing the revised update script. The contents of the file will be used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.
  Use a replacement script – Specifies a replacement update script. When selected, this option opens a text field in which to insert the replacement script.
Verify Credentials Script: Specify the script to be used for verifying credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.
Use which type of script?:
  Use the default script – Indicates that CA PAM will use the default script provided with the release.
  The following two options are only for use coordinated with CA Technologies, Inc. Support:
  Use a revised default script (requires patch) – Specifies the name of the file containing the revised verify script. The contents of the file will be used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.
  Use a replacement script – Specifies a replacement verify script. When selected, this option opens a text field in which to insert the replacement script.
Use of the UNIX application type displays the following drop-down menu. The second displays these fields expanded.
Telnet Communication Channel
Port: The port used to connect to the UNIX host using Telnet. Default: 23
Communication Timeout: When using the Telnet communication channel, specifies the amount of time in milliseconds that CA PAM should wait for the remote host to respond. Default: 60000
VMware ESX/ESXi
SSL Port: Default: 443
Script Processor
Script Timeout: Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host. Default: 5000
Default: 22
Communications Timeout: When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager waits for the remote host to respond. Valid values are 1000-99999. Default: 5000
Script Processor
Script Timeout: Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host. Default: 5000
Default: 22
Communications Timeout: When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond. Valid values are 1000-99999. Default: 5000
No requirements.
WebLogic 1.0
Domain Controller Port (SSL): Specifies the port used to connect to the Domain Controller. Default: 636
Active Directory Site: This is only used if Domain Controller Lookup is set to Retrieve DNS list or Use following DNS server. If a value is given, CA PAM will use the value to narrow the search for domain controllers based on the specified name.
Window Proxy
If Local Account: (no further specification is required)
If Domain Account:
Domain Controller Lookup: Specifies the DNS method to use:
  Do not use DNS (connect to target server)
  Do not use DNS (connect to specified servers) – If selected, populate “Specified Server(s)” below
  Retrieve DNS list – Retrieves the Domain Controller’s name from the DNS server used by the CA PAM server.
  Use specified DNS server(s) – If selected, populate “Specified DNS Server(s)” immediately below
Specified Server(s): Use following server(s) (comma-separated):
Specified DNS Server(s): Use following DNS server(s) (comma-separated): Retrieves the Domain Controller’s name from a specified list of DNS servers.
Domain Name: Specifies the Windows domain of the managed account.
Active Directory Site: This is used only if Domain Controller Lookup is set to Retrieve DNS list or Use specified DNS server(s). If a value is given, CA PAM will use the value to narrow the search for domain controllers based on the specified name.
Available Proxies <-> Selected Proxies
Proxies
Password Composition Policies
Workflow Menu
A2A Menu
Scripts
Scripts Details
Clients
Mappings
Mappings Fields
Show: Select All or Filter By. If filtering, select from the list or use Search.
Add: Opens the Authorization Details.
Authorization Details
Request Groups
Show: Select All or Filter By. If filtering, select from the list or use Search.
Add Dynamic Group: Opens the Group Details (Type = Dynamic) pane.
Add Static Group: Opens the Group Details (Type = Static) pane.
Groups
Groups Menu Fields
User Groups
Roles
Settings Menu
General Settings
Disable CLI Host Name Check
    Overrides the check that verifies that the CA PAM appliance host name matches the name in the certificate used by a server executing CLI commands. With the check disabled, a certificate issued for a different host name is accepted, so leave it enabled unless the mismatch is understood and accepted.
Allow Self Approval of Password View Request
    When a password view request requires approval and the User requesting it is also an authorized approver, specifies whether that User may approve his or her own requests. Default: Checked (= allow self-approval). Note that the default lets one person both request and approve a view; uncheck it where dual control is required.
Maximum Number of Report Entries
    Specifies the maximum number of rows to generate when a Credential Manager report (in Reports > Reports) is generated. Default: 5000
Password View Request Delete Interval Days
    Specifies the number of days after which a password view request expires. Example: if you set this field to 12, password view requests are deleted automatically from the My Approval List when they become 12 days old. NOTE: More information on My Approval List can be found in Workflow > My Approval List. Default: 30
Automatically Update Expired Passwords
    Enables automatic updates of the passwords for synchronized accounts when the password age exceeds the age specified in the associated Password Composition Policy. Default: Unchecked
For email sent by CA PAM to the requestor and the other approvers in the dual-authorization list when a password view request expires.
UI Settings
UI Settings Fields
IMPORTANT: Make sure to synchronize your Time Zone setting with the corresponding setting in Config > Date/Time > Change Timezone.

List Page Size
    Number of items to display on a page.
Enable Charts
    Enables graphical charts in the Dashboard reports.
Dashboard Tab
Disaster Recovery
sftpftp
sftpftpemb
sftpsftp
sftpsftpemb
TSWEB

SSL VPN Services    P    text    Specify CA PAM custom SSL VPN Services. Separate multiple SSL VPN Services with | (pipe).
Applets             P            Use the following template per Access Method applet: 'name=Namecustom_name=CustomName',