
CA Privileged Access Manager - 2.8
Reference

Date: 17-Feb-2017

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.

Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.

Table of Contents

CA Privileged Access Manager Client Reference ..................................... 18


Installer ...................................................................................................................................................... 18
Download Buttons ............................................................................................................................... 18
Installer Program ................................................................................................................................. 18
Client ......................................................................................................................................................... 19
Client window ...................................................................................................................................... 19
Connection screen ..................................................................................................................... 19
Login screen ............................................................................................................................... 20
Console screen .......................................................................................................................... 20
Browser window ......................................................................................................................... 20

Credential Manager Target Connector Settings ........................................ 21


AS400 Target Connector ........................................................................................................................... 21
AS400 CLI Example ............................................................................................................................ 21
AS400 Add Target Application CLI Parameters .................................................................................. 22
TargetApplication.type ............................................................................................................... 22
AS400 Add Target Account CLI Parameters ...................................................................................... 22
Attribute.useOtherAccountToChangePassword ........................................................................ 22
Attribute.otherAccount ................................................................................................................ 22
AWS Access Credentials Target Connector ............................................................................................. 22
AWS Access Credentials CLI Example ............................................................................................... 23
AWS Access Credentials Add Target Application CLI Parameters ..................................................... 23
TargetApplication.type ............................................................................................................... 23
Attribute.extensionType ............................................................................................................. 23
AWS Access Credentials Add Target Account CLI Parameters ......................................................... 23
Attribute.awsCredentialType ...................................................................................................... 23
Attribute.passphrase .................................................................................................................. 24
Attribute.awsKeyPairName ........................................................................................................ 24
Attribute.accountFriendlyName .................................................................................................. 24
Attribute.awsCloudType ............................................................................................................. 24
AWS Proxy Credentials Target Connector ................................................................................................ 25
AWS API Proxy Access Credentials CLI Example .............................................................................. 25
AWS API Proxy Access Credentials Add Target Application CLI Parameters .................................... 25
TargetApplication.type ............................................................................................................... 25
Attribute.extensionType ............................................................................................................. 25

Reference 4
AWS API Proxy Access Credentials Add Target Account CLI Parameters ........................................ 25
Attribute.extensionType ............................................................................................................. 26
Cisco Target Connector ............................................................................................................................ 26
Cisco CLI Example .............................................................................................................................. 26
Cisco Add Target Application CLI Parameters .................................................................................... 26
TargetApplication.type ............................................................................................................... 26
Attribute.sshPort ......................................................................................................................... 26
Attribute.sshSessionTimeout ..................................................................................................... 27
Attribute.sshStrictHostKeyCheckingEnabled ............................................................................. 27
Attribute.sshKnownHostKey ....................................................................................................... 27
Attribute.sshKnownHostKeyFingerprint ..................................................................................... 27
Attribute.sshUseDefaultCiphers ................................................................................................. 27
Attribute.sshServerToClientCiphersList ..................................................................................... 28
Attribute.sshClientToServerCiphersList ..................................................................................... 28
Attribute.sshDetectCiphersList ................................................................................................... 28
Attribute.sshUseDefaultHashes ................................................................................................. 28
Attribute.sshServerToClientHashesList ..................................................................................... 28
Attribute.sshClientToServerHashesList ..................................................................................... 29
Attribute.sshUseDefaultKeyExchangeAlgorithms ...................................................................... 29
Attribute.sshKeyExchangeAlgorithmsList .................................................................................. 29
Attribute.sshUseDefaultCompressionAlgorithms ....................................................................... 29
Attribute.sshServerToClientCompressionAlgorithmsList ........................................................... 29
Attribute.sshClientToServerCompressionAlgorithmsList ........................................................... 30
Attribute.sshUseDefaultServerHostKeyAlgorithms .................................................................... 30
Attribute.sshServerHostKeyAlgorithmsList ................................................................................ 30
Attribute.telnetSessionTimeout .................................................................................................. 30
Attribute.telnetPort ..................................................................................................................... 31
Attribute.ciscoVariant ................................................................................................................. 31
Attribute.scriptTimeout ............................................................................................................... 31
Attribute.useUpdateScriptType .................................................................................................. 31
Attribute.revisedUpdateScriptFilename ...................................................................................... 31
Attribute.useVerifyScriptType ..................................................................................................... 31
Attribute.revisedVerifyScriptFilename ........................................................................................ 32
Attribute.userNameEntryPrompt ................................................................................................ 32
Attribute.passwordEntryPrompt ................................................................................................. 32
Attribute.passwordConfirmationPrompt ..................................................................................... 32
Attribute.passwordChangePrompt ............................................................................................. 32
Cisco Add Target Account CLI Parameters ........................................................................................ 33
Attribute.useOtherAccountToChangePassword ........................................................................ 33
Attribute.otherAccount ................................................................................................................ 33
Attribute.protocol ........................................................................................................................ 33
Attribute.pwType ........................................................................................................................ 33
Attribute.useOtherPrivilegedAccount ......................................................................................... 33
Attribute.otherPrivilegedAccount ................................................................................................ 34
Attribute.changeAuxLoginPassword .......................................................................................... 34
Attribute.changeConsoleLoginPassword ................................................................................... 34
Attribute.changeVtyLoginPassword ........................................................................................... 34
Attribute.numVTYPorts .............................................................................................................. 34
Juniper Junos Target Connector ............................................................................................................... 34
Junos CLI Example ............................................................................................................................. 34
Junos Add Target Application CLI Parameters ................................................................................... 35
TargetApplication.type ............................................................................................................... 35
Attribute.extensionType ............................................................................................................. 35
Attribute.sshPort ......................................................................................................................... 35
Attribute.connectTimeout ........................................................................................................... 35
Attribute.readTimeout ................................................................................................................. 35
Junos Add Target Account CLI Parameters ........................................................................................ 36
Attribute.extensionType ............................................................................................................. 36
Attribute.useOtherAccountToChangePassword ........................................................................ 36
Attribute.otherAccount ................................................................................................................ 36
LDAP Target Connector ............................................................................................................................ 36
Add LDAP Target Application GUI Details .......................................................................................... 36
Add LDAP Target Account GUI Details ............................................................................................... 37
LDAP CLI Example ............................................................................................................................. 38
LDAP Add Target Application CLI Parameters ................................................................................... 38
TargetApplication.type ............................................................................................................... 38
Attribute.port ............................................................................................................................... 38
Attribute.protocol ........................................................................................................................ 38
Attribute.sslCertificate ................................................................................................................ 38
Attribute.ldapConnectTimeout .................................................................................................... 39
Attribute.ldapReadTimeout ........................................................................................................ 39
LDAP Add Target Account CLI Parameters ........................................................................................ 39
Attribute.useOtherAccountToChangePassword ........................................................................ 39
Attribute.otherAccount ................................................................................................................ 39
Attribute.userDN ......................................................................................................................... 39
MSSQL Target Connector ......................................................................................................................... 40
MSSQL CLI Example .......................................................................................................................... 40
MSSQL Add Target Application CLI Parameters ................................................................................ 40
TargetApplication.type ............................................................................................................... 40
Attribute.extensionType ............................................................................................................. 40
Attribute.sslEnabled ................................................................................................................... 40
Attribute.port ............................................................................................................................... 41
Attribute.instance ....................................................................................................................... 41
MSSQL Add Target Account CLI Parameters ..................................................................................... 41
Attribute.useOtherAccountToChangePassword ........................................................................ 41
Attribute.otherAccount ................................................................................................................ 41
MYSQL Target Connector ......................................................................................................................... 41
MYSQL CLI Example .......................................................................................................................... 42
MYSQL Add Target Application CLI Parameters ................................................................................ 42
TargetApplication.type ............................................................................................................... 42
Attribute.port ............................................................................................................................... 42
MYSQL Add Target Account CLI Parameters ..................................................................................... 42
Attribute.schema ........................................................................................................................ 42
Attribute.useOtherAccountToChangePassword ........................................................................ 42
Attribute.otherAccount ................................................................................................................ 43
Attribute.hostNameQualifier ....................................................................................................... 43
Oracle Target Connector ........................................................................................................................... 43
Oracle CLI Example ............................................................................................................................ 43
Oracle Add Target Application CLI Parameters .................................................................................. 43
TargetApplication.type ............................................................................................................... 44
Attribute.extensionType ............................................................................................................. 44
Attribute.port ............................................................................................................................... 44
Attribute.sslEnabled ................................................................................................................... 44
Attribute.sslCertificate ................................................................................................................ 44
Oracle Add Target Account CLI Parameters ....................................................................................... 44
Attribute.schema ........................................................................................................................ 44
Attribute.useOtherAccountToChangePassword ........................................................................ 45
Attribute.otherAccount ................................................................................................................ 45
Attribute.racService .................................................................................................................... 45
Attribute.sysdbaAccount ............................................................................................................ 45
Attribute.replaceSyntax .............................................................................................................. 45
Palo Alto Target Connector ....................................................................................................................... 45
Palo Alto CLI Example ........................................................................................................................ 46
Palo Alto Add Target Application CLI Parameters .............................................................................. 46
TargetApplication.type ............................................................................................................... 46
Attribute.sshPort ......................................................................................................................... 46
Attribute.sshSessionTimeout ..................................................................................................... 46
Attribute.useUpdateScriptType .................................................................................................. 47
Attribute.revisedUpdateScriptFilename ...................................................................................... 47
Attribute.useVerifyScriptType ..................................................................................................... 47
Attribute.revisedVerifyScriptFilename ........................................................................................ 47
Attribute.userNameEntryPrompt ................................................................................................ 47
Attribute.passwordEntryPrompt ................................................................................................. 47
Attribute.passwordConfirmationPrompt ..................................................................................... 48
Attribute.passwordChangePrompt ............................................................................................. 48
Palo Alto Add Target Account CLI Parameters ................................................................................... 48
Attribute.useOtherAccountToChangePassword ........................................................................ 48
Attribute.otherAccount ................................................................................................................ 48
Attribute.protocol ........................................................................................................................ 48
Attribute.pwType ........................................................................................................................ 49
Attribute.useOtherPrivilegedAccount ......................................................................................... 49
Attribute.otherPrivilegedAccount ................................................................................................ 49
Attribute.changeAuxLoginPassword .......................................................................................... 49
Attribute.changeConsoleLoginPassword ................................................................................... 49
Attribute.changeVtyLoginPassword ........................................................................................... 49
Attribute.numVTYPorts .............................................................................................................. 49
SPML Target Connector ............................................................................................................................ 50
SPML CLI Example ............................................................................................................................. 50
SPML Add Target Application CLI Parameters ................................................................................... 50
TargetApplication.type ............................................................................................................... 50
Attribute.extensionType ............................................................................................................. 50
Attribute.port ............................................................................................................................... 50
Attribute.path .............................................................................................................................. 50
Attribute.protocol ........................................................................................................................ 51
Attribute.sslCertificate ................................................................................................................ 51
SPML Add Target Account CLI Parameters ....................................................................................... 51
Attribute.extensionType ............................................................................................................. 51
Attribute.useOtherAccountToChangePassword ........................................................................ 51
Attribute.otherAccount ................................................................................................................ 51
UNIX Target Connector ............................................................................................................................. 52
UNIX CLI Example .............................................................................................................................. 52
UNIX Add Target Application CLI Parameters .................................................................................... 52
TargetApplication.type ............................................................................................................... 52
Attribute.sshPort ......................................................................................................................... 52
Attribute.sshSessionTimeout ..................................................................................................... 52
Attribute.sshKeyPairPolicyID ..................................................................................................... 53
Attribute.sshStrictHostKeyCheckingEnabled ............................................................................. 53
Attribute.sshKnownHostKey ....................................................................................................... 53
Attribute.sshKnownHostKeyFingerprint ..................................................................................... 53
Attribute.sshUseDefaultCiphers ................................................................................................. 53
Attribute.sshServerToClientCiphersList ..................................................................................... 54
Attribute.sshClientToServerCiphersList ..................................................................................... 54
Attribute.sshDetectCiphersList ................................................................................................... 54
Attribute.sshUseDefaultHashes ................................................................................................. 54
Attribute.sshServerToClientHashesList ..................................................................................... 54
Attribute.sshClientToServerHashesList ..................................................................................... 55
Attribute.sshUseDefaultKeyExchangeAlgorithms ...................................................................... 55
Attribute.sshKeyExchangeAlgorithmsList .................................................................................. 55
Attribute.sshUseDefaultCompressionAlgorithms ....................................................................... 55
Attribute.sshServerToClientCompressionAlgorithmsList ........................................................... 55
Attribute.sshClientToServerCompressionAlgorithmsList ........................................................... 56
Attribute.sshUseDefaultServerHostKeyAlgorithms .................................................................... 56
Attribute.sshServerHostKeyAlgorithmsList ................................................................................ 56
Attribute.telnetSessionTimeout .................................................................................................. 56
Attribute.telnetPort ..................................................................................................................... 57
Attribute.scriptTimeout ............................................................................................................... 57
Attribute.unixVariant ................................................................................................................... 57
Attribute.useUpdateScriptType .................................................................................................. 57
Attribute.revisedUpdateScriptFilename ...................................................................................... 57
Attribute.useVerifyScriptType ..................................................................................................... 57
Attribute.revisedVerifyScriptFilename ........................................................................................ 58
Attribute.userNameEntryPrompt ................................................................................................ 58
Attribute.passwordEntryPrompt ................................................................................................. 58
Attribute.passwordConfirmationPrompt ..................................................................................... 58
Attribute.passwordChangePrompt ............................................................................................. 58
Attribute.changePasswordCommand ......................................................................................... 58
Attribute.elevatePrivilegeCommand ........................................................................................... 59
Attribute.substituteUserCommand ............................................................................................. 59
Attribute.echoCommand ............................................................................................................ 59
Attribute.patternMatchingCommand .......................................................................................... 59
Attribute.policyManagementCommand ...................................................................................... 59
Attribute.whoAmICommand ....................................................................................................... 59
Attribute.changeFilePermissionsCommand ............................................................................... 60
UNIX Add Target Account CLI Parameters ......................................................................................... 60
Attribute.useOtherAccountToChangePassword ........................................................................ 60
Attribute.otherAccount ................................................................................................................ 60
Attribute.verifyThroughOtherAccount ......................................................................................... 60
Attribute.passwordChangeMethod ............................................................................................. 60
Attribute.protocol ........................................................................................................................ 61
Attribute.passphrase .................................................................................................................. 61
Attribute.publicKey ..................................................................................................................... 61
Attribute.keyOptions ................................................................................................................... 61
VMWare ESX/ESXi Target Connector ...................................................................................................... 61
VMWARE ESX/ESXi CLI Example ..................................................................................................... 62
VMWARE ESX/ESXi Add Target Application CLI Parameters ........................................................... 62
TargetApplication.type ............................................................................................................... 62
Attribute.extensionType ............................................................................................................. 62
Attribute.sslPort .......................................................................................................................... 62
VMWARE ESX/ESXi Add Target Account CLI Parameters ................................................................ 62
Attribute.extensionType ............................................................................................................. 62
Attribute.useOtherAccountToChangePassword ........................................................................ 63
Attribute.otherAccount ................................................................................................................ 63
VMWare NSX Controller Target Connector .............................................................................................. 63
VMWARE NSX Controller CLI Example .............................................................................................. 63
VMWARE NSX Controller Add Target Application CLI Parameters .................................................... 63
Attribute.sshPort ......................................................................................................................... 64
Attribute.sshSessionTimeout ..................................................................................................... 64
Attribute.scriptTimeout ............................................................................................................... 64
VMWARE NSX Controller Add Target Account CLI Parameters ........................................................ 64
VMWare NSX Manager Target Connector ................................................................................................ 64
VMWARE NSX Manager CLI Example ............................................................................................... 64
VMWARE NSX Manager Add Target Application CLI Parameters ..................................................... 65
TargetApplication.type ............................................................................................................... 65
Attribute.sshPort ......................................................................................................................... 65
Attribute.sshSessionTimeout ..................................................................................................... 65
Attribute.scriptTimeout ............................................................................................................... 65
VMWARE NSX Manager Add Target Account CLI Parameters .......................................................... 65
VMWare NSX Proxy Target Connector ..................................................................................................... 65
VMWARE NSX Proxy CLI Example .................................................................................................... 66
VMWARE NSX Proxy Add Target Application CLI Parameters .......................................................... 66
VMWARE NSX Proxy Add Target Account CLI Parameters ............................................................... 66
WebLogic Target Connector ..................................................................................................................... 66
WebLogic CLI Example ....................................................................................................................... 66
WebLogic Add Target Application CLI Parameters ............................................................................. 66
TargetApplication.type ............................................................................................................... 66
Attribute.extensionType ............................................................................................................. 67
Attribute.port ............................................................................................................................... 67
WebLogic Add Target Account CLI Parameters ................................................................................. 67
Attribute.extensionType ............................................................................................................. 67
Attribute.realm ............................................................................................................................ 67
Attribute.useOtherAccountToChangePassword ........................................................................ 67
Attribute.otherAccount ................................................................................................................ 67
Windows Domain Services Target Connector ........................................................................................... 68
Windows Domain Services CLI Example ............................................................................................ 68
Windows Domain Services Add Target Application CLI Parameters .................................................. 68
TargetApplication.type ............................................................................................................... 69
Attribute.disableAutoConnectTargetAccount ............................................................................. 69
Attribute.domainName ............................................................................................................... 69
Attribute.useDNS ....................................................................................................................... 69
Attribute.dnsServer .................................................................................................................... 69
Attribute.dcPort .......................................................................................................................... 70
Attribute.adSite ........................................................................................................................... 70
Windows Domain Services Add Target Account CLI Parameters ....................................................... 70
Attribute.extensionType ............................................................................................................. 70
Attribute.userDN ......................................................................................................................... 70
Attribute.useOtherAccountToChangePassword ........................................................................ 71
Attribute.otherAccount ................................................................................................................ 71
Attribute.serviceInfo ................................................................................................................... 71
Attribute.tasks ............................................................................................................................ 71
Windows Proxy Target Connector ............................................................................................................. 72
Windows Proxy CLI Example .............................................................................................................. 73
Windows Proxy Add Target Application CLI Parameters .................................................................... 73
Attribute.extensionType ............................................................................................................. 73
Attribute.agentId ......................................................................................................................... 73
Attribute.accountType ................................................................................................................ 73
Attribute.domainName ............................................................................................................... 73
Attribute.domain ......................................................................................................................... 74
Attribute.useDNS ....................................................................................................................... 74
Attribute.dnsServer .................................................................................................................... 74
Attribute.specifiedServersList ..................................................................................................... 74
Attribute.adSite ........................................................................................................................... 75
Windows Proxy Add Target Account CLI Parameters ......................................................................... 75
Attribute.extensionType ............................................................................................................. 75
Attribute.useOtherAccountToChangePassword ........................................................................ 75
Attribute.otherAccount ................................................................................................................ 75
Attribute.serviceInfo ................................................................................................................... 75
Attribute.tasks ............................................................................................................................ 76
Attribute.forcePasswordChange ................................................................................................ 76
CA Privileged Access Manager API Key Target Connector ...................................................................... 76

Communication Settings ........................................................................... 77

CSVs for Import and Export ...................................................................... 79


About Imports ............................................................................................................................................ 79
File names and types .......................................................................................................................... 79
File content .......................................................................................................................................... 80
About Exports ............................................................................................................................................ 80
File names and types .......................................................................................................................... 80
File content .......................................................................................................................................... 80
About Transfers ......................................................................................................................................... 80
LDAP Users ........................................................................................................................................ 81
CSV File Types ......................................................................................................................................... 81
Services ............................................................................................................................................... 81
Roles ................................................................................................................................................... 83
User Groups and Users ...................................................................................................................... 84
Device Groups and Devices ................................................................................................................ 86
Command Filter Lists .......................................................................................................................... 90
Socket Filter Lists ................................................................................................................................ 91
Policy ................................................................................................................................................... 92

Data Formats ............................................................................................. 94


Multi-Byte Character Support .................................................................................................................... 94
Managed Object Names ..................................................................................................................... 94
Message Templates ............................................................................................................................ 94
Port Numbers ............................................................................................................................................ 94
General Syntax ................................................................................................................................... 94
NOT PERMITTED ...................................................................................................................... 95
Rules for Specific Interfaces ................................................................................................................ 95
Session Recording File Names ................................................................................................................. 96

Default Settings ......................................................................................... 97


Administration Menus ................................................................................................................................ 97
Credential Management Menus .............................................................................................................. 101

Import Export Provisioning ...................................................................... 114


File Imports .............................................................................................................................................. 114
File Import Preparation ...................................................................................................................... 114
File Import Process ........................................................................................................................... 114
File Import Content Considerations ................................................................................................... 115
File Exports ............................................................................................................................................. 115
Exported File Names and Types ....................................................................................................... 115
Exported File Content Considerations .............................................................................................. 116
Transfers ................................................................................................................................................. 116
LDAP Users ............................................................................................................................................. 116
Roles ....................................................................................................................................................... 116
User Groups and Users ........................................................................................................................... 117
Export Users and User Groups to a CSV File ................................................................................... 117
Download a Sample Import CSV File ................................................................................................ 117
Add Users and User Groups to the Import CSV File ......................................................................... 118
Import Users and User Groups ......................................................................................................... 122
Device Groups and Devices .................................................................................................................... 122
Command Filter Lists .............................................................................................................................. 127
Socket Filter Lists .................................................................................................................................... 128
Policy ....................................................................................................................................................... 128

Messages and Log Formats .................................................................... 131


Administration Service Layer Messages ................................................................................................. 131
00xxx - General Error Messages ...................................................................................................... 132
01xxx - Network Service Messages .................................................................................................. 133
02xxx - User Management Messages ............................................................................................... 138
04xxx - User Group Management Messages .................................................................................... 144
05xxx - Device Management Messages ........................................................................................... 145
06xxx - Roles and Privileges Management Messages ..................................................................... 154
07xxx - Device Group Management Messages ................................................................................ 155
08xxx - Global Settings and Device Task Messages ........................................................................ 156
09xxx - LDAP Messages ................................................................................................................... 156
10xxx - CSV Import/Export Related Messages ................................................................................. 158
11xxx - Device Monitoring Messages, Office365 Integration Messages, SAML IdP and RP Messages ........ 160
12xxx - Policy Management Messages ............................................................................................. 162
13xxx - Management Console Messages ......................................................................................... 164
14xxx - Managed Server Service Messages ..................................................................................... 165
15xxx - Command and Socket Filter Management Messages .......................................................... 165
16xxx - Logging and Reporting Messages ........................................................................................ 167
17xxx - Policy Conflict Messages ...................................................................................................... 168
18xxx - Authentication-Related Messages ........................................................................................ 169
19xxx - Access Service Messages .................................................................................................... 175
20xxx - Credential Management Messages ...................................................................................... 176
21xxx - Audit Log Messages ............................................................................................................. 177
22xxx - View and Search Management Messages ........................................................................... 177
23xxx - Cluster Management Messages ........................................................................................... 177
24xxx - Login Sessions Management Messages .............................................................................. 180
25xxx - Configuration Management Messages ................................................................................. 181
26xxx - SafeNet HSM Configuration Messages ................................................................................ 185
27xxx - Secondary Transparent Login Management Messages ....................................................... 187
28xxx - AWS and VMware Virtual Device Management Messages .................................................. 188
29xxx - Credential Management API Non-devices Messages .......................................................... 188
30xxx - Session Recording Messages .............................................................................................. 188
31xxx - GateKeeperService Messages ............................................................................................. 188
32xxx - Upgrade, Backup, and Recovery Messages ........................................................................ 188
33xxx - CA Threat Analytics Related Messages ............................................................................... 189
Credential Manager Error Messages ...................................................................................................... 189
Log Formats ...................................................................................................................................... 189
Metric Log Entries .................................................................................................................... 189
Audit Log Entries ...................................................................................................................... 190
Message Lists ................................................................................................................................... 192
Message Codes Listed in Documentation ................................................................................ 192
Message Code List Available from Server ............................................................................... 192
Credential Manager Error Codes and Messages .............................................................................. 193
Message Headers .................................................................................................................... 193
Error Codes and Associated Messages ................................................................................... 193
CA-PAM Series Messages ...................................................................................................................... 251
General Messages ............................................................................................................................ 251
Account Discovery (AD) Messages ................................................................................................... 252
Device Discovery (DD) Messages .................................................................................................... 252
Key Discovery (KD) Messages ......................................................................................................... 252
REST (RST) Messages ..................................................................................................................... 253
Scanning (SC) Messages ................................................................................................................. 254
Scheduling (SH) Messages ............................................................................................................... 255
Syslog Messages .................................................................................................................................... 256
Configuration Messages ................................................................................................................... 256
Cluster Messages .............................................................................................................................. 258
User Messages ................................................................................................................................. 258
User Group Messages ...................................................................................................................... 259
Device Messages .............................................................................................................................. 260
Service Messages ............................................................................................................................. 261
Policy Messages ............................................................................................................................... 261
Command Filter Messages ............................................................................................................... 262
Socket Filter Messages ..................................................................................................................... 262
Login Connection Messages ............................................................................................................. 262
Device Connection Messages ........................................................................................................... 262
Violation Messages ........................................................................................................................... 263
Connection Timeout Messages ......................................................................................................... 264
Global Settings Messages ................................................................................................................. 264
Session Manager Messages ............................................................................................................. 264
Examples of Syslog Messages ............................................................................................................... 265

Credential Manager Terms and Concepts .............................................. 266
Web GUI .................................................................................................. 269
Toolbar .................................................................................................................................................... 269
Admin ................................................................................................................................................ 270
Admin Button ............................................................................................................................ 270
Admin View Window Fields ...................................................................................................... 271
    My Info  271
        Account Information Fields  271
        Contact Information Fields  272
    System Info  273
        Sys Info Link  273
    Config  273
        3rd Party  274
        Certificate Info  286
        Database  286
        Date and Time  288
        Diagnostics  290
        Licensing  293
        Logs  294
        Monitor  297
        Network  298
        Security  298
        SNMP  306
        SSL VPN  307
        Synchronization  307
Menu Bar  310
    Menu Bar Components  310
    Global Settings Menu Bar Reference  310
        Basic Settings  311
        Passwords  313
        Accounts  314
        Access Methods  314
        Warnings  315
        Applet Customization  315
        Configure Terminal Settings  315
        Branding  317
        Update/Revert Logo Window  317
    Sessions Menu Bar Reference  318
        Manage Sessions  318
    Services Menu Bar Reference  318
        Services  318
    Users Menu Bar Reference  322
        Manage Users Dialog  322

Reference 15
        Manage Groups Dialog  326
    Devices Menu Bar Reference  328
        Create Device  328
        Manage Groups  330
    Policy Menu Bar and Dialogs Reference  332
        Manage Policies  332
        Manage Passwords  340
        Import and Export Policy  370
        Import and Export Socket Filter Lists  372

CA Privileged Access Manager - 2.8

Reference
CA Privileged Access Manager Client Reference (see page 18)
Credential Manager Target Connector Settings (see page 21)
Communication Settings (see page 77)
CSVs for Import and Export (see page 79)
Data Formats (see page 94)
Default Settings (see page 97)
Import Export Provisioning (see page 114)
Messages and Log Formats (see page 131)
Credential Manager Terms and Concepts (see page 266)
Web GUI (see page 269)

17-Feb-2017 17/373
CA Privileged Access Manager Client Reference

The CA Privileged Access Manager Client enables you to log in to CA Privileged Access Manager and
perform administrator and end-user activities without the use of a customer-installed web browser
and Oracle Java engine, removing the maintenance required to keep Java and browser configurations
compatible with CA Privileged Access Manager.

Installer
Run the installer file to provide a CA PAM Client instance on your workstation.

Download Buttons
From your client workstation, download an installer from the CA Privileged Access Manager login
page. Point to CA Privileged Access Manager from an approved browser, and from the GUI login
page, select either:

Download CA Privileged Access Manager Client – Click to download the client. CA Privileged
Access Manager will autoselect the correct OS version.

[Down arrow] – Click to open a drop-down menu and select the installer for a specific one of the
four supported OS types. The OS releases that each installer supports are identified in the CA
Privileged Access Manager Release Notes.

Installer Program
Run the installer file to open its InstallAnywhere wizard.

Set the installation parameters according to its interface. Note the following:

License Agreement – The acceptance button is activated only after you scroll the license text to
the bottom of the panel.

Choose Install Set – Select one of the following:

Typical: install the client on the local workstation or

Run: The contents are extracted only to a temporary location and executed.

Installing... – You cannot click Previous after the software starts installation or has completed it.

Client
Run the CA PAM Client program to access the following interfaces.

Client window
From the client window, you can:

Move through the connection screen, the login screen, and then the console screen or browser window

Open the Configuration Settings window, or the About window, or (through the connection
screen or console screen) the browser window

Connection screen
Upon client startup, the connection screen appears in the client window.

Client settings:

[Gear] – Opens the Configuration Settings window, with setting controls for the following:

Proxy - When applicable, identify the client proxy.

General - (1) Set client memory size; and/or (2) Apply Restore security prompts, which
reverses a previous Ignore host mismatch for this address selection made in a Verify
Certificate pop-up window during CA Privileged Access Manager connection.

Cache - Set the client cache size.

Certificate - Choose an applicable security certificate.

[Question mark] – opens the About CA Privileged Access Manager window, which has
information about the client release level.

You cannot have both windows open at the same time.

Connection parameters:

Address

Connect Mode

WEB - Checks for client updates, and processes an update when found. Opens a connection to
the CA Privileged Access Manager server, opens the CA Privileged Access Manager Client
browser window to the CA PAM UI, and closes the console.

CONNECT - Checks for client updates, and processes an update when found. Opens a
connection to CA Privileged Access Manager server, and maintains a status connection
window. Optionally, the CA Privileged Access Manager Client browser window can be opened
from the status window.

Login screen
The login screen appears in the client window, with fields corresponding to those in the traditional
CA PAM GUI:

User

Password

Authentication Type

Upon login you are first presented with either the console window or browser window, depending on
your earlier Connect Mode choice.

Console screen
Upon establishing a connection using CONNECT, the console screen takes the place of the login
screen. This screen displays connection statistics, and allows you to launch the browser or log off.

Browser window
A CA PAM Client browser window appears upon either:

establishing a connection using WEB, or

selecting Launch Web Browser from the console window

This window displays the traditional GUI, and its features operate in the same way. When you log off
the GUI from the browser window, you are returned to the login screen.

Credential Manager Target Connector Settings


The content in this CA Privileged Access Manager section describes the settings for Credential
Manager target connectors.
AS400 Target Connector (see page 21)
AWS Access Credentials Target Connector (see page 22)
AWS Proxy Credentials Target Connector (see page 25)
Cisco Target Connector (see page 26)
Juniper Junos Target Connector (see page 34)
LDAP Target Connector (see page 36)
MSSQL Target Connector (see page 40)
MYSQL Target Connector (see page 41)
Oracle Target Connector (see page 43)
Palo Alto Target Connector (see page 45)
SPML Target Connector (see page 50)
UNIX Target Connector (see page 52)
VMWare ESX/ESXi Target Connector (see page 61)
VMWare NSX Controller Target Connector (see page 63)
VMWare NSX Manager Target Connector (see page 64)
VMWare NSX Proxy Target Connector (see page 65)
WebLogic Target Connector (see page 66)
Windows Domain Services Target Connector (see page 68)
Windows Proxy Target Connector (see page 72)
CA Privileged Access Manager API Key Target Connector (see page 76)

AS400 Target Connector


The AS400 target connector provides password synchronization functionality for AS400 and iSeries
IBM midrange systems.

AS400 CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=my_AS400_app TargetApplication.type=AS400
  Attribute.extensionType=AS400

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=my_AS400_app TargetAccount.userName=admin
  TargetAccount.password=p@ssw0rd Attribute.extensionType=AS400
  Attribute.useOtherAccountToChangePassword=false

AS400 Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
AS400 target connector.

TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: AS400

AS400 Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
AS400 target connector.

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.
Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use to perform password change requests.
Required: yes if Attribute.useOtherAccountToChangePassword is true
Default Value: N/A
Valid Values: a string containing a valid target account ID

AWS Access Credentials Target Connector


The AWS Access Credentials target connector provides a placeholder application for Amazon Web
Services (AWS) access credentials, and can be associated only with the built-in target server
xceedium.aws.amazon.com. Only available when CA Privileged Access Manager is licensed for AWS
Capability.

AWS Access Credentials CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=My_AWS_Access_Credentials
  TargetApplication.type=AwsAccessCredentials Attribute.extensionType=AwsAccessCredentials

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=My_AWS_Access_Credentials
  TargetAccount.userName=admin TargetAccount.password=ASJKNSKKA9FJJSFS
  Attribute.extensionType=AwsAccessCredentials
  Attribute.awsMasterAccount=1001 Attribute.awsCredentialType=SECRET_ACCESS_KEY
  Attribute.accountFriendlyName=xceediumAWS
  Attribute.awsAccessRole=Admin Attribute.awsCloudType=commercial

AWS Access Credentials Add Target Application CLI Parameters

Use the following additional parameters when using the CLI to add a target application that uses the
AWS access credentials target connector.

TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: AwsAccessCredentials

Attribute.extensionType
The attribute extension type.
Required: yes
Default Value: N/A
Valid Values: AwsAccessCredentials

AWS Access Credentials Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
AWS Access Credentials target connector.

Attribute.awsCredentialType
The AWS access credential type.

Required: yes
Default Value: EC2_PRIVATE_KEY
Valid Values: SECRET_ACCESS_KEY, CLOUDFRONT_PRIVATE_KEY, EC2_PRIVATE_KEY, X509_CERT_PRIVATE_KEY.
Currently only SECRET_ACCESS_KEY and EC2_PRIVATE_KEY are supported.

Attribute.passphrase
The EC2 key passphrase.
Required: no
Default Value: N/A
Valid Values: a string of one or more characters consisting of: a-z, A-Z, 0-9

Attribute.awsKeyPairName
The EC2 key pair name.
Required: yes when credential type is EC2_PRIVATE_KEY
Default Value: N/A
Valid Values: a string of one or more characters consisting of any character except @

Attribute.accountFriendlyName
The access key user friendly name.
Required: yes when credential type is SECRET_ACCESS_KEY
Default Value: N/A
Valid Values: a user friendly account name string

Attribute.awsAccessRole
The user defined AWS access role.
Required: optional when credential type is SECRET_ACCESS_KEY
Default Value: N/A
Valid Values: a string of up to 64 characters with alphanumeric and '+=,.@-' characters

Attribute.awsCloudType
The AWS cloud environment type.
Required: yes when credential type is SECRET_ACCESS_KEY
Default Value: commercial
Valid Values: commercial, government

AWS Proxy Credentials Target Connector


The AWS Proxy Credentials target connector provides a placeholder application for Amazon Web
Services (AWS) proxy credentials, and can be associated only with the built-in target server
xceedium.aws.amazon.com. Only available when CA Privileged Access Manager is licensed for AWS API
Proxy Users.

AWS API Proxy Access Credentials CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=My_AWS_Proxy_Credentials
  TargetApplication.type=AwsProxyCredentials Attribute.extensionType=AwsProxyCredentials

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=My_AWS_Proxy_Credentials
  TargetAccount.userName=admin@nowhere.com TargetAccount.password=p@ssw0rd
  Attribute.extensionType=AwsProxyCredentials

AWS API Proxy Access Credentials Add Target Application CLI Parameters

Use the following additional parameters when using the CLI to add a target application that uses the
AWS API proxy credentials target connector.

TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: AwsApiProxyCredentials

Attribute.extensionType
The attribute extension type.
Required: yes
Default Value: N/A
Valid Values: AwsApiProxyCredentials

AWS API Proxy Access Credentials Add Target Account CLI Parameters

Use the following additional parameters when using the CLI to add a target account that uses the
AWS API Proxy Access Credentials target connector.

Attribute.extensionType
The attribute extension type.
Required: yes
Default Value: N/A
Valid Values: AwsProxyCredentials

Cisco Target Connector


Use the Cisco connector to manage accounts on a Cisco router. This connector uses either the SSHv2
or Telnet protocol for communication. Telnet carries the login and the new password in clear text,
so use SSHv2 wherever the device supports it.

Cisco CLI Example


cmdName=addTargetApplication TargetServer.hostName=www.ca.com
  TargetApplication.type=CiscoSSH TargetApplication.name=Cisco
  Attribute.extensionType=CiscoSSH Attribute.useDefaultUpdateScript=true
  Attribute.useDefaultVerifyScript=true

cmdName=addTargetAccount TargetServer.hostName=www.ca.com TargetApplication.name=Cisco
  TargetAccount.userName=account1 TargetAccount.password=password1
  Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.useOtherAccountToChangePassword=false
  Attribute.pwType=user Attribute.useOtherPrivilegedAccount=false
  Attribute.changeAuxLoginPassword=false Attribute.changeConsoleLoginPassword=false
  Attribute.changeVtyLoginPassword=true Attribute.numVTYPorts=1

Cisco Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
Cisco target connector.

TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: CiscoSSH

Attribute.sshPort
The port used to connect to the Cisco host using SSH.
Required: no
Default Value: 22
Valid Values: 0-65535

Attribute.sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that
Credential Manager should wait for the remote host to respond.
Required: no
Default Value: 5000
Valid Values: 1000-99999

Attribute.sshStrictHostKeyCheckingEnabled
Enables or disables strict host key checking. When enabled, Credential Manager compares the public
key received from the remote host when making a connection to the public key stored in the
sshKnownHostKey attribute. If the keys do not match, the connection attempt is canceled. When
disabled, any host key is accepted, so the credential can be sent to a host that is impersonating
the target.
Required: no
Default Value: false
Valid Values: true, false

Attribute.sshKnownHostKey
Contains the base-64 encoded public host key associated with the target server.
Required: yes if sshStrictHostKeyCheckingEnabled is true
Default Value: N/A
Valid Values: a base-64 encoded SSH public host key

Attribute.sshKnownHostKeyFingerprint
Contains the fingerprint of the public host key contained in the sshKnownHostKey attribute. The
fingerprint is used for display purposes only, to allow the user to easily compare one key with
another; it is not checked during the connection. The fingerprint specified must correspond to the
specified public host key.
Required: no
Default Value: N/A
Valid Values: a public key fingerprint
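The fingerprint must correspond to the key, and the page gives no way to check that before the value is stored. The following Python is an added example, not part of the CA documentation or product: it builds the base-64 host key blob in the layout SSH uses on the wire, derives both common fingerprint forms from it, and checks a pasted fingerprint against the key. The RSA key it assembles is a constructed throwaway (a tiny, invalid modulus) so the code runs offline; for a real device you would take the blob from the second field of `ssh-keyscan -t rsa <host>` output and confirm it out of band, which is an assumption about your tooling rather than something the page states.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian two's complement, so a leading 0x00 is added when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def build_rsa_host_key_blob(e: int, n: int) -> bytes:
    """Assemble an 'ssh-rsa' public key blob: the bytes that sit base-64 encoded in a
    known_hosts line and in Attribute.sshKnownHostKey."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_md5(key_b64: str) -> str:
    """Legacy fingerprint: MD5 of the decoded blob as colon-separated hex (ssh-keygen -l -E md5)."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH default fingerprint: 'SHA256:' plus the unpadded base-64 SHA-256 of the blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(key_b64: str, fingerprint: str) -> bool:
    """True when the fingerprint corresponds to the key. Accepts either form, an optional
    'MD5:' prefix and upper-case hex, which is how different tools print it."""
    wanted = fingerprint.strip()
    if wanted.startswith("SHA256:"):
        return wanted == fingerprint_sha256(key_b64)
    wanted = wanted.lower()
    if wanted.startswith("md5:"):
        wanted = wanted[4:]
    return wanted == fingerprint_md5(key_b64)


# Constructed sample key: a throwaway modulus, not a real host key.
SAMPLE_KEY_B64 = base64.b64encode(
    build_rsa_host_key_blob(65537, 0xC0FFEE12345678_9ABCDEF0_13579BDF)
).decode("ascii")

if __name__ == "__main__":
    print("Attribute.sshKnownHostKey=" + SAMPLE_KEY_B64)
    print("Attribute.sshKnownHostKeyFingerprint=" + fingerprint_sha256(SAMPLE_KEY_B64))
    print("legacy form: " + fingerprint_md5(SAMPLE_KEY_B64))
```

Once the fingerprint has been confirmed against the device, set sshStrictHostKeyCheckingEnabled=true; with it left at the default of false the connector accepts whatever key it is offered, and only the display value above would ever reveal a substituted host.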

Attribute.sshUseDefaultCiphers
Specifies whether the default ciphers should be used when Credential Manager makes an SSH
connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false

Attribute.sshServerToClientCiphersList
Specifies the list of ciphers to accept on the inbound data stream from the remote host. Ciphers are
listed in order of priority.
Required: yes if sshUseDefaultCiphers is false
Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
Valid Values: a comma-separated list containing one or more of the following values: aes256-ctr,
aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128,
arcfour256. Spaces may not be used in the list.

Note that the default list includes 3des-cbc and blowfish-cbc, which do not appear among the valid
values; those two (64-bit block ciphers) and the arcfour (RC4) variants are weak by current
standards, so set sshUseDefaultCiphers to false and list only the aes*-ctr ciphers when the device
supports them.

Attribute.sshClientToServerCiphersList
Specifies the list of ciphers to use on the outbound data stream to the remote host. Ciphers are
listed in order of priority.
Required: yes if sshUseDefaultCiphers is false
Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
Valid Values: a comma-separated list containing one or more of the following values: aes256-ctr,
aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128,
arcfour256. Spaces may not be used in the list.

Attribute.sshDetectCiphersList
Specifies the list of ciphers to detect when connecting to the remote host. Credential Manager does
not attempt to use ciphers that are unavailable even if they are specified as inbound and/or
outbound ciphers. Ciphers are listed in order of priority.
Required: yes if sshUseDefaultCiphers is false
Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
Valid Values: a comma-separated list containing one or more of the following values: aes256-ctr,
aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128,
arcfour256. Spaces may not be used in the list.

Attribute.sshUseDefaultHashes
Specifies whether the default hashes (MAC algorithms) should be used when Credential Manager makes
an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false

Attribute.sshServerToClientHashesList
Specifies the list of hashes to accept on the inbound data stream from the remote host. Hashes are
listed in order of priority.
Required: yes if sshUseDefaultHashes is false
Default Value: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
Valid Values: a comma-separated list containing one or more of the following values: hmac-md5,
hmac-sha1, hmac-sha1-96, hmac-md5-96. Spaces may not be used in the list.

Attribute.sshClientToServerHashesList
Specifies the list of hashes to use on the outbound data stream to the remote host. Hashes are
listed in order of priority.
Required: yes if sshUseDefaultHashes is false
Default Value: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
Valid Values: a comma-separated list containing one or more of the following values: hmac-md5,
hmac-sha1, hmac-sha1-96, hmac-md5-96. Spaces may not be used in the list.

Attribute.sshUseDefaultKeyExchangeAlgorithms
Specifies whether the default key exchange methods should be used when Credential Manager
makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false

Attribute.sshKeyExchangeAlgorithmsList
Specifies the list of key exchange methods to use when connecting to the remote host. Methods are
listed in order of priority.
Required: yes if sshUseDefaultKeyExchangeAlgorithms is false
Default Value: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Valid Values: a comma-separated list containing one or more of the following values:
diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1. Spaces
may not be used in the list.

Attribute.sshUseDefaultCompressionAlgorithms
Specifies whether the default compression methods should be used when Credential Manager makes
an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false

Attribute.sshServerToClientCompressionAlgorithmsList
Specifies the list of compression methods to accept on the inbound data stream from the remote
host. Methods are listed in order of priority.
Required: yes if sshUseDefaultCompressionAlgorithms is false
Default Value: N/A (do not use compression)
Valid Values: a comma-separated list containing one or more of the following values: zlib,
zlib@openssh.com. Spaces may not be used in the list.

Attribute.sshClientToServerCompressionAlgorithmsList
Specifies the list of compression methods to use on the outbound data stream to the remote host.
Methods are listed in order of priority.
Required: yes if sshUseDefaultCompressionAlgorithms is false
Default Value: N/A (do not use compression)
Valid Values: a comma-separated list containing one or more of the following values: zlib,
zlib@openssh.com. Spaces may not be used in the list.

Attribute.sshUseDefaultServerHostKeyAlgorithms
Specifies whether the default host key types should be accepted when Credential Manager makes an
SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false

Attribute.sshServerHostKeyAlgorithmsList
Specifies the list of host key types to accept when Credential Manager connects to the remote host.
Required: yes if sshUseDefaultServerHostKeyAlgorithms is false
Default Value: ssh-rsa,ssh-dss
Valid Values: a comma-separated list containing one or more of the following values: ssh-rsa,
ssh-dss. Spaces may not be used in the list.
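Taken together, the SSH attributes above define a small policy: each list is required only when its sshUseDefault... flag is false, values must be comma-separated with no spaces, sshKnownHostKey is required once strict checking is on, and the defaults include algorithms (3des-cbc, blowfish-cbc, hmac-md5, diffie-hellman-group1-sha1, ssh-dss) that a security review would not accept on a channel used to set passwords. The following Python is an added example, not CA code: it parses an addTargetApplication command line into attributes and checks it against these rules, side by side for a command that relies on the defaults and for one with explicit hardened lists. The WEAK set is this editor's assessment, not a value the product defines; the host name and the placeholder host key in the two sample commands are constructed.

```python
# Valid values from the tables above. The cipher set also carries 3des-cbc and blowfish-cbc,
# which the page lists in the default value but not among the valid values.
CIPHERS = {"aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc", "aes128-cbc",
           "3des-ctr", "3des-cbc", "blowfish-cbc", "arcfour", "arcfour128", "arcfour256"}
HASHES = {"hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"}
KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
       "diffie-hellman-group-exchange-sha1"}
COMPRESSION = {"zlib", "zlib@openssh.com"}
HOST_KEYS = {"ssh-rsa", "ssh-dss"}

# Default list in force while the matching sshUseDefault... flag is true (from the tables).
DEFAULT_CIPHERS = "aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"
DEFAULT_HASHES = "hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96"
DEFAULTS = {
    "sshServerToClientCiphersList": DEFAULT_CIPHERS,
    "sshClientToServerCiphersList": DEFAULT_CIPHERS,
    "sshDetectCiphersList": DEFAULT_CIPHERS,
    "sshServerToClientHashesList": DEFAULT_HASHES,
    "sshClientToServerHashesList": DEFAULT_HASHES,
    "sshKeyExchangeAlgorithmsList": "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,"
                                    "diffie-hellman-group-exchange-sha1",
    "sshServerToClientCompressionAlgorithmsList": "",  # N/A: no compression
    "sshClientToServerCompressionAlgorithmsList": "",
    "sshServerHostKeyAlgorithmsList": "ssh-rsa,ssh-dss",
}

# Flag -> (list attributes it governs, their valid values).
GROUPS = {
    "sshUseDefaultCiphers": (("sshServerToClientCiphersList", "sshClientToServerCiphersList",
                              "sshDetectCiphersList"), CIPHERS),
    "sshUseDefaultHashes": (("sshServerToClientHashesList", "sshClientToServerHashesList"), HASHES),
    "sshUseDefaultKeyExchangeAlgorithms": (("sshKeyExchangeAlgorithmsList",), KEX),
    "sshUseDefaultCompressionAlgorithms": (("sshServerToClientCompressionAlgorithmsList",
                                            "sshClientToServerCompressionAlgorithmsList"), COMPRESSION),
    "sshUseDefaultServerHostKeyAlgorithms": (("sshServerHostKeyAlgorithmsList",), HOST_KEYS),
}

# Editor's assessment: RC4, 64-bit block ciphers, MD5 or truncated MACs, 1024-bit DH and DSA.
WEAK = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "3des-ctr", "blowfish-cbc",
        "hmac-md5", "hmac-md5-96", "hmac-sha1-96", "diffie-hellman-group1-sha1", "ssh-dss"}


def parse_cli(command: str) -> dict:
    """Turn one 'key=value key=value ...' CLI command (line breaks allowed) into a dict,
    dropping the 'Attribute.' prefix so keys match the attribute names in the tables."""
    attrs = {}
    for token in command.split():
        if "=" not in token:
            raise ValueError("not a key=value token: %r" % token)
        key, value = token.split("=", 1)
        if key.startswith("Attribute."):
            key = key[len("Attribute."):]
        attrs[key] = value
    return attrs


def validate_cisco_ssh(attrs: dict) -> list:
    """Return a list of findings; an empty list means the SSH settings pass."""
    findings = []
    for flag, (names, allowed) in GROUPS.items():
        use_default = attrs.get(flag, "true").lower() == "true"
        for name in names:
            value = DEFAULTS[name] if use_default else attrs.get(name)
            if value is None:
                findings.append("%s is required because %s=false" % (name, flag))
                continue
            if " " in value:
                findings.append("%s contains a space" % name)
            for alg in filter(None, value.split(",")):
                if alg not in allowed:
                    findings.append("%s: %r is not a valid value" % (name, alg))
                elif alg in WEAK:
                    where = "default" if use_default else "configured"
                    findings.append("%s: %s list includes weak %s" % (name, where, alg))
    if attrs.get("sshStrictHostKeyCheckingEnabled", "false").lower() != "true":
        findings.append("sshStrictHostKeyCheckingEnabled is false: host key is not pinned")
    elif not attrs.get("sshKnownHostKey"):
        findings.append("sshKnownHostKey is required because sshStrictHostKeyCheckingEnabled=true")
    port = attrs.get("sshPort", "22")
    if not (port.isdigit() and 0 <= int(port) <= 65535):
        findings.append("sshPort %r is outside 0-65535" % port)
    return findings


# Constructed sample: relies on the product defaults, like the Cisco CLI Example above.
WEAK_EXAMPLE = """cmdName=addTargetApplication TargetServer.hostName=rtr1.example.net
  TargetApplication.type=CiscoSSH TargetApplication.name=rtr1 Attribute.extensionType=CiscoSSH
  Attribute.useDefaultUpdateScript=true Attribute.useDefaultVerifyScript=true"""

# Constructed sample: explicit lists drawn only from the non-weak valid values, plus a pinned key.
HARDENED_EXAMPLE = """cmdName=addTargetApplication TargetServer.hostName=rtr1.example.net
  TargetApplication.type=CiscoSSH TargetApplication.name=rtr1 Attribute.extensionType=CiscoSSH
  Attribute.sshStrictHostKeyCheckingEnabled=true Attribute.sshKnownHostKey=PLACEHOLDER_BASE64_KEY
  Attribute.sshUseDefaultCiphers=false
  Attribute.sshServerToClientCiphersList=aes256-ctr,aes128-ctr
  Attribute.sshClientToServerCiphersList=aes256-ctr,aes128-ctr
  Attribute.sshDetectCiphersList=aes256-ctr,aes128-ctr
  Attribute.sshUseDefaultHashes=false
  Attribute.sshServerToClientHashesList=hmac-sha1 Attribute.sshClientToServerHashesList=hmac-sha1
  Attribute.sshUseDefaultKeyExchangeAlgorithms=false
  Attribute.sshKeyExchangeAlgorithmsList=diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
  Attribute.sshUseDefaultServerHostKeyAlgorithms=false
  Attribute.sshServerHostKeyAlgorithmsList=ssh-rsa"""

if __name__ == "__main__":
    for label, cmd in (("defaults", WEAK_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        print(label, validate_cisco_ssh(parse_cli(cmd)) or ["ok"])
```

Run the check over the command file before feeding it to the CLI; whether a given device actually negotiates the hardened lists is something only a test connection against that device can confirm.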

Attribute.telnetSessionTimeout
When using the Telnet communication channel, specifies the amount of time in milliseconds that
Credential Manager should wait for the remote host to respond.
Required: no
Default Value: 5000
Valid Values: 1000-99999

Attribute.telnetPort
The port used to connect to the Cisco host using Telnet.
Required: no
Default Value: 23
Valid Values: 0-65535

Attribute.ciscoVariant
Specifies the type of Cisco system that is installed on the target server.
Required: no
Default Value: IOS_12_4
Valid Values: IOS_10_0, IOS_12_4 or ASA_IOS_7_0_1

Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected
input from the remote host.
Required: no
Default Value: 5000
Valid Values: 5000-59999

Attribute.useUpdateScriptType
Specifies whether the default, revised or replacement update script should be used. Customers
should use the default script and contact Customer Support if a revised or replacement script is
needed.
Required: no
Default Value: 'DEFAULT'
Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'

Attribute.revisedUpdateScriptFilename
Specifies the name of the file containing the revised update script. The contents of the file are used
as the revised script. Customers should use the default script and contact Customer Support if a
revised script is needed.
Required: no
Default Value: N/A
Valid Values: a file name

Attribute.useVerifyScriptType
Specifies whether the default, revised or replacement verify script should be used. Customers should
use the default script and contact Customer Support if a revised or replacement script is needed.
Required: no
Default Value: 'DEFAULT'
Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'

Attribute.revisedVerifyScriptFilename
Specifies the name of the file containing the revised verify script. The contents of the file are used
as the revised script. Customers should use the default script and contact Customer Support if a
revised script is needed.
Required: no
Default Value: N/A
Valid Values: a file name

Attribute.userNameEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a user
name.
Required: no
Default Value: (?si).*?(login|username):.*?
Valid Values: valid regular expression syntax

Attribute.passwordEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a
password.
Required: no
Default Value: (?si)(.*?password(\sfor|:).*?)
Valid Values: valid regular expression syntax

Attribute.passwordConfirmationPrompt
A regular expression that matches the prompt produced by the remote host when it requests that a
password be confirmed.
Required: no
Default Value: AIX: (?si).*?new password.*?
               All other platforms: (?si).*?password:.*?
Valid Values: valid regular expression syntax

Attribute.passwordChangePrompt
A regular expression that matches the prompt produced by the remote host when it requests that a
password be changed because it has expired.
Required: no
Default Value: (?si).*?change your password.*?
Valid Values: valid regular expression syntax
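The four prompt attributes are regular expressions matched against what the device sends back, and a wrong pattern either makes the script wait out scriptTimeout or answer the wrong prompt with the new password. The following Python is an added example, not CA code: it takes the default patterns verbatim (except that the stray closing parenthesis printed after the password-confirmation default is dropped, since no regex engine accepts it) and shows which constructed Cisco output each one matches. It assumes whole-buffer matching, the equivalent of Java's Matcher.matches(), which is why every default starts and ends with .*?; the product's exact matching call is not stated on this page, and the device output strings are written for this example, not captured from a router.

```python
import re

# Default prompt patterns from the tables above; (?si) = DOTALL + IGNORECASE, so .*? spans
# line breaks and letter case does not matter.
DEFAULT_PROMPTS = {
    "userNameEntryPrompt": r"(?si).*?(login|username):.*?",
    "passwordEntryPrompt": r"(?si)(.*?password(\sfor|:).*?)",
    "passwordConfirmationPrompt": r"(?si).*?password:.*?",
    "passwordChangePrompt": r"(?si).*?change your password.*?",
}

# Checked in this order: the expiry notice also contains the word "password", so it must be
# tested before the plain password prompt. The confirmation prompt is left out of classification
# because its default also matches the plain password prompt; it only means something at that step.
CLASSIFY_ORDER = ("passwordChangePrompt", "userNameEntryPrompt", "passwordEntryPrompt")


def compile_prompt(pattern: str):
    """Compile a prompt pattern, turning a syntax error into a readable ValueError so a bad
    custom pattern is caught before it is stored on the target application."""
    try:
        return re.compile(pattern)
    except re.error as exc:
        raise ValueError("invalid prompt regex %r: %s" % (pattern, exc)) from exc


def prompt_matches(name: str, buffer: str, prompts=DEFAULT_PROMPTS) -> bool:
    """Whole-buffer match, the equivalent of Java Matcher.matches() (assumed connector semantics)."""
    return compile_prompt(prompts[name]).fullmatch(buffer) is not None


def classify_output(buffer: str, prompts=DEFAULT_PROMPTS):
    """Return the name of the first prompt the buffer matches, or None for a shell prompt."""
    for name in CLASSIFY_ORDER:
        if prompt_matches(name, buffer, prompts):
            return name
    return None


# Constructed device output, roughly what IOS sends at each step (not captured from a device).
SAMPLE_OUTPUT = {
    "User Access Verification\r\n\r\nUsername: ": "userNameEntryPrompt",
    "Password: ": "passwordEntryPrompt",
    "Enter new password for admin: ": "passwordEntryPrompt",
    "% Your password has expired, you must change your password now.\r\n": "passwordChangePrompt",
    "rtr1#": None,
}

if __name__ == "__main__":
    for text, expected in SAMPLE_OUTPUT.items():
        print("%-70r -> %s" % (text, classify_output(text)))
```

When you supply a custom pattern, keep the leading and trailing .*? and the (?si) flags, or the whole-buffer match will fail on the banner text that precedes the prompt.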

Cisco Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
Cisco target connector.

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.
Required: yes
Default Value: false
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use when updating the target account.
Required: yes if Attribute.useOtherAccountToChangePassword is true
Default Value: N/A
Valid Values: a valid target account ID

Attribute.protocol
Specifies the protocol to use for communicating with the remote host.
Required: yes if useOtherAccountToChangePassword is false
Default Value: SSH2_PASSWORD_AUTH
Valid Values: SSH2_PASSWORD_AUTH, TELNET

Attribute.pwType
The credential type; whether it pertains to a user or privileged (or "enable") account.
Required: yes
Default Value: user
Valid Values: user, privileged

Attribute.useOtherPrivilegedAccount
Required: yes
Default Value: false
Valid Values: true, false

Attribute.otherPrivilegedAccount
Required: no
Default Value: N/A
Valid Values: a valid target account ID

Attribute.changeAuxLoginPassword
Required: no
Default Value: N/A
Valid Values: true, false

Attribute.changeConsoleLoginPassword
Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.changeVtyLoginPassword
Required: no
Default Value: N/A
Valid Values: true, false

Attribute.numVTYPorts
Required: yes if changeVtyLoginPassword is true
Default Value: N/A
Valid Values: 1-15

Juniper Junos Target Connector


This target connector provides password synchronization functionality for Juniper JUNOS® accounts.

Junos CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=JP1 TargetApplication.type=juniper
  Attribute.extensionType=juniper Attribute.sshPort=22

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=JP1 TargetAccount.userName=admin TargetAccount.password=P@ssw0rd
  Attribute.extensionType=juniper Attribute.useOtherAccountToChangePassword=false

Junos Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
Junos target connector.

TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: juniper

Attribute.extensionType
The attribute extension type.
Required: yes
Default Value: N/A
Valid Values: juniper

Attribute.sshPort
The port used to connect to the Juniper host using SSH.
Required: yes
Default Value: 22
Valid Values: 0-65535

Attribute.connectTimeout
Specifies the amount of time in milliseconds that Credential Manager should wait for the remote host
to respond.
Required: no
Default Value: 60000
Valid Values: 1000-99999

Attribute.readTimeout
Required: no
Default Value: 5000
Valid Values: 1000-99999

Junos Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
Junos target connector.

Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: juniper

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.
Required: yes
Default Value: false
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use when updating the target account.
Required: yes if Attribute.useOtherAccountToChangePassword is true
Default Value: N/A
Valid Values: a valid target account ID

LDAP Target Connector


Use the LDAP connector to manage any accounts that support the OpenLDAP V3 protocol. Optionally,
you can configure the LDAP connector to use LDAP over an SSL connection.

Add LDAP Target Application GUI Details (see page 36)
Add LDAP Target Account GUI Details (see page 37)
LDAP CLI Example (see page 38)
LDAP Add Target Application CLI Parameters (see page 38)
LDAP Add Target Account CLI Parameters (see page 39)

Add LDAP Target Application GUI Details


When you select Add from the Target, Applications menu, the Application Details panel opens. When
you select the LDAP application type, extra fields appear specific to LDAP.

Protocol: Select either LDAP or LDAPS (SSL).


Port: Enter the port that the LDAP application uses.

Base-64 encoded x.509 Certificate: Select the magnifying glass search icon to fetch a certificate.

Connect Timeout: Enter the time in milliseconds that Credential Manager waits before aborting
the attempt to connect to the server. The value defaults to 3000.

Read Timeout: Enter the time in milliseconds that Credential Manager waits before aborting the
request to the server for data. The read timeout applies to the LDAP response from the server
after the initial connection is established with the server.

Additional LDAP Attributes for Password Modification: This table allows you to specify attribute
name/value pairs to be updated with password modifications. If these attributes are not part of
your LDAP schema, an error can occur during password modification. For the OpenLDAP
shadowLastChange attribute, we provide the dynamic value %EPOCH_DAYS%, which evaluates to
the current number of days since the epoch (1/1/1970). %EPOCH_DAYS% is the only available
dynamic attribute.

Attribute Name: The name of the LDAP attribute to pass, such as shadowLastChange.

Attribute Value: The value to send for that LDAP attribute, such as %EPOCH_DAYS%.

Add/Delete: Use these links to add or remove attributes from this list.

Account Discovery: To enable Account Discovery (https://docops.ca.com/display/CAPAM28/Account+Discovery) using this account, enter values in at least the two required fields out of the four.

Base DN is optional.

Account Object is an objectClass name corresponding to accounts or users in the directory.

Name Attribute denotes an account name.

Filter allows addition of an optional filter string to limit your results.

For more information, see your LDAP provider documentation.
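The following is an added example, not CA PAM code, that shows what the "Additional LDAP Attributes for Password Modification" table produces at password-change time: the dynamic %EPOCH_DAYS% value is resolved to the number of days since 1/1/1970 and the name/value pairs are attached to the password modification. It also applies the page's caveat by refusing attributes that are not in the directory schema. The schema attribute set, the sample DN, the use of userPassword as the password attribute and the LDIF rendering are assumptions made here, not details from the page.

```python
"""Resolve %EPOCH_DAYS% and build the LDAP modify request that accompanies a
password change (added example; not CA Privileged Access Manager code).

Assumptions (not from the page): the password goes into userPassword, the
request is rendered as LDIF text, and the schema set and DN below are
constructed sample data.
"""
from datetime import date, datetime, timezone

EPOCH = date(1970, 1, 1)  # %EPOCH_DAYS% counts whole days since 1/1/1970

# Constructed sample inputs (not from the page).
SAMPLE_SCHEMA_ATTRS = {"uid", "cn", "userPassword", "shadowLastChange"}
SAMPLE_EXTRA_ATTRS = [("shadowLastChange", "%EPOCH_DAYS%")]
SAMPLE_USER_DN = "uid=admin,ou=people,dc=example,dc=com"


def epoch_days(today=None):
    """Value that %EPOCH_DAYS% evaluates to: whole days since the epoch (UTC).

    `today` may be a date, an ISO-8601 string, or None for the current UTC date.
    """
    if today is None:
        today = datetime.now(timezone.utc).date()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return (today - EPOCH).days


def resolve_value(value, today=None):
    """Substitute the only dynamic token the page documents; pass literals through."""
    if value.strip() == "%EPOCH_DAYS%":
        return str(epoch_days(today))
    return value


def build_modify(user_dn, new_password, extra_attrs, schema_attrs, today=None):
    """Return (changes, ldif) for a password change plus the extra attributes.

    Attributes missing from the directory schema are rejected up front, because
    the page warns that sending them makes the password modification fail.
    """
    unknown = [name for name, _ in extra_attrs if name not in schema_attrs]
    if unknown:
        raise ValueError("attributes not in LDAP schema: " + ", ".join(unknown))
    changes = {"userPassword": new_password}
    for name, value in extra_attrs:
        changes[name] = resolve_value(value, today)
    lines = [f"dn: {user_dn}", "changetype: modify"]
    for i, (name, value) in enumerate(changes.items()):
        if i:
            lines.append("-")  # LDIF separator between modify operations
        lines += [f"replace: {name}", f"{name}: {value}"]
    return changes, "\n".join(lines) + "\n"


if __name__ == "__main__":
    _, ldif = build_modify(SAMPLE_USER_DN, "new-secret", SAMPLE_EXTRA_ATTRS,
                           SAMPLE_SCHEMA_ATTRS, today="2017-02-17")
    print(ldif)
```

Run with a fixed date to see the shadowLastChange value the connector would send that day; with the date omitted the current UTC day count is used, which is what a scheduled password change would carry.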

Add LDAP Target Account GUI Details


When you select Add from the Target, Accounts menu, the Account Details panel opens. When you
select an LDAP Application Name, extra fields appear specific to LDAP accounts.

DN: Enter a Distinguished Name for the LDAP Account to use.

Set Change Process to one of these choices:

Account can change its own password


Use the following account to change the password


Selecting the second option opens a text box. Select the magnifying glass search icon to select
an account.

LDAP CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myLDAP TargetApplication.type=ldap Attribute.port=389

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myLDAP TargetAccount.userName=admin TargetAccount.password=p@ssw0rd TargetAccount.cacheBehavior=useCacheFirst TargetAccount.cacheDuration=21 Attribute.userDN=admin Attribute.useOtherAccountToChangePassword=false

LDAP Add Target Application CLI Parameters


Use the following extra parameters when using the CLI to add a target application that uses the LDAP
target connector.

TargetApplication.type
The target application connector type.
Required: Yes
Default Value: N/A
Valid Values: ldap

Attribute.port
The port that is used to connect to the Active Directory Server.
Required: Yes
Default Value: N/A
Valid Values: 0-65535. The GUI uses default value 389.

Attribute.protocol
The protocol that is used to connect to the LDAP server.
Required: No
Default Value: clear
Valid Values: clear, ssl

Attribute.sslCertificate
The Active Directory SSL certificate.
Required: if the protocol is SSL.
Default Value: N/A
Valid Values: X.509 digital certificate in BASE64 encoded format

Attribute.ldapConnectTimeout
Time in milliseconds that Credential Manager waits before aborting the attempt to connect to the server.
Required: No
Default Value: 3000
Valid Values: 1000-99999

Attribute.ldapReadTimeout
Time in milliseconds that Credential Manager waits before aborting the request to the server for data. The read timeout applies to the LDAP response from the server after the initial connection is established with the server.
Required: No
Default Value: 3000
Valid Values: 1000-99999

LDAP Add Target Account CLI Parameters


Use the following extra parameters when using the CLI to add a target account that uses the LDAP
target connector.

Attribute.useOtherAccountToChangePassword
This attribute specifies whether to use the target account or a different account to perform password change requests.
Required: Yes
Default Value: N/A
Valid Values: true, false

Attribute.otherAccount
This attribute specifies which other account to use to perform password change requests.
Required: yes if Attribute.useOtherAccountToChangePassword is true.
Default Value: N/A
Valid Values: A valid target account ID.

Attribute.userDN
The distinguished name of the user on the LDAP server.
Required: yes
Default Value: N/A
Valid Values: String.

MSSQL Target Connector


Use the MSSQL connector to manage accounts on MS SQL 2000 server and later databases. The MS
SQL connector uses JDBC for communication.

To connect to a named MSSQL Server instance that uses dynamic port binding rather than a specific
port number, in the Application Details page enter the appropriate MSSQL instance name and leave
the port field blank.

MSSQL CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myMSsql TargetApplication.type=mssql Attribute.port=1433

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myMSsql TargetAccount.userName=admin TargetAccount.password=p@ssw0rd TargetAccount.cacheBehavior=useCacheFirst TargetAccount.cacheDuration=21 Attribute.useOtherAccountToChangePassword=false

MSSQL Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
MSSQL target connector.

TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: mssql

Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: mssql

Attribute.sslEnabled
Required: not specified
Default Value: false
Valid Values: true, false


Attribute.port
The target application port.
Required: no
Default Value: N/A
Valid Values: 0-65535. The GUI uses default value 1433

Attribute.instance
The database instance name.
Required: no
Default Value: N/A. If an instance is not specified, the target connector connects with the default database instance.
Valid Values: String.

MSSQL Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
MSSQL target connector.

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change requests.
Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use to perform password change requests.
Required: yes if Attribute.useOtherAccountToChangePassword is true.
Default Value: N/A
Valid Values: A valid target account ID.

MYSQL Target Connector


This target connector provides password synchronization functionality for MySQL 5 databases.


MYSQL CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=MySQL01 TargetApplication.type=mysql Attribute.extensionType=mysql Attribute.port=3306

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=MySQL01 TargetAccount.userName=admin TargetAccount.password=p@ssw0rd TargetAccount.cacheAllow=true TargetAccount.cacheDuration=21 Attribute.extensionType=mysql Attribute.useOtherAccountToChangePassword=false

MYSQL Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
MYSQL target connector.

TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: mysql

Attribute.port
The target application port.
Required: yes
Default Value: 3306
Valid Values: 0-65535

MYSQL Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
MYSQL target connector.

Attribute.schema
The name of the database schema to which the account belongs.
Required: yes
Default Value: N/A
Valid Values: String

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change requests.
Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use to perform password change requests.
Required: yes if Attribute.useOtherAccountToChangePassword is true.
Default Value: N/A
Valid Values: A valid target account ID.

Attribute.hostNameQualifier
Specifies which other account to use to perform password change requests.
Required: yes if Attribute.useOtherAccountToChangePassword is true.
Default Value: MySQL wildcard (%)
Valid Values: A valid target account ID.

Oracle Target Connector


Use the Oracle connector to manage accounts on Oracle 9 or Oracle 10 databases. The Oracle
connector uses JDBC for communication.

Oracle CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myOracle TargetApplication.type=oracle Attribute.port=1433

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myOracle TargetAccount.userName=admin TargetAccount.password=p@ssw0rd TargetAccount.cacheBehavior=useCacheFirst TargetAccount.cacheDuration=21 Attribute.schema=payroll Attribute.useOtherAccountToChangePassword=false Attribute.racService=false Attribute.sysdbaAccount=false Attribute.replaceSyntax=false

Oracle Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
Oracle target connector.


TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: oracle

Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: oracle

Attribute.port
The port used to connect to the Active Directory server.
Required: yes
Default Value: N/A
Valid Values: 0-65535. The GUI uses default value 1521

Attribute.sslEnabled
Required: not specified
Default Value: false
Valid Values: true, false

Attribute.sslCertificate
The SSL certificate.
Required: if the protocol is SSL.
Default Value: N/A
Valid Values: X.509 digital certificate in BASE64 encoded format

Oracle Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
Oracle target connector.

Attribute.schema
The name of the database schema to which the account belongs.
Required: yes
Default Value: N/A
Valid Values: String


Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change requests.
Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use to perform password change requests.
Required: yes if Attribute.useOtherAccountToChangePassword is true.
Default Value: N/A
Valid Values: A valid target account ID.

Attribute.racService
Specifies whether the schema is a RAC service name.
Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.sysdbaAccount
Specifies whether this user must authenticate as the Sysdba role.
Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.replaceSyntax
Specifies whether the REPLACE syntax needs to be used for changing the password, which is usually associated with other accounts.
Required: yes
Default Value: N/A
Valid Values: true, false

Palo Alto Target Connector


Use the Palo Alto connector to manage accounts on Palo Alto routers and PAN-OS. This connector
uses the SSHv2 protocol for communication.


Palo Alto CLI Example


cmdName=addTargetApplication TargetServer.hostName=www.ca.com TargetApplication.type=????? TargetApplication.name=PaloAlto Attribute.extensionType=????? Attribute.useDefaultUpdateScript=true Attribute.useDefaultVerifyScript=true

cmdName=addTargetAccount TargetServer.hostName=www.ca.com TargetApplication.name=PaloAlto TargetAccount.userName=account1 TargetAccount.password=password1 Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.useOtherAccountToChangePassword=false pwType=user useOtherPrivilegedAccount=false changeAuxLoginPassword=false changeConsoleLoginPassword=false changeVtyLoginPassword=true numVTYPorts=1

Palo Alto Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
Palo Alto target connector.

TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: Palo Alto

Attribute.sshPort
The port used to connect to the host using SSH.
Required: no
Default Value: 22
Valid Values: 0-65535

Attribute.sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond.
Required: no
Default Value: 5000
Valid Values: 1000-99999

Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host.
Required: no
Default Value: 5000
Valid Values: 5000-59999


Attribute.useUpdateScriptType
Specifies whether the default, revised or replacement update script should be used. Customers should use the default script and contact Customer Support if a revised or replacement script is needed.
Required: no
Default Value: 'DEFAULT'
Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'

Attribute.revisedUpdateScriptFilename
Specifies the name of the file containing the revised update script. The contents of the file are used as the revised script. Customers should use the default script and contact Customer Support if a revised script is needed.
Required: no
Default Value: N/A
Valid Values: a file name

Attribute.useVerifyScriptType
Specifies whether the default, revised or replacement verify script should be used. Customers should use the default script and contact Customer Support if a revised or replacement script is needed.
Required: no
Default Value: 'DEFAULT'
Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'

Attribute.revisedVerifyScriptFilename
Specifies the name of the file containing the revised verify script. The contents of the file are used as the revised script. Customers should use the default script and contact Customer Support if a revised script is needed.
Required: no
Default Value: N/A
Valid Values: a file name

Attribute.userNameEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a user name.
Required: no
Default Value: (?si).*?(login|username):.*?
Valid Values: valid regular expression syntax

Attribute.passwordEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a password.
Required: no
Default Value: (?si)(.*?password(\sfor|:).*?)
Valid Values: valid regular expression syntax

Attribute.passwordConfirmationPrompt
A regular expression that matches the prompt produced by the remote host when it requests that a password be confirmed.
Required: no
Default Value: AIX: (?si).*?new password.*? All other platforms: (?si).*?password:.*?)
Valid Values: valid regular expression syntax

Attribute.passwordChangePrompt
A regular expression that matches the prompt produced by the remote host when it requests that a password be changed because it has expired.
Required: no
Default Value: (?si).*?change your password.*?
Valid Values: valid regular expression syntax

Palo Alto Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
Palo Alto target connector.

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.
Required: yes
Default Value: false
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use when updating the target account.
Required: yes if Attribute.useOtherAccountToChangePassword is true.
Default Value: N/A
Valid Values: a valid target account ID.

Attribute.protocol
Specifies the protocol to use for communicating with the remote host.
Required: yes if useOtherAccountToChangePassword is false
Default Value: SSH2_PASSWORD_AUTH
Valid Values: SSH2_PASSWORD_AUTH

Attribute.pwType
The credential type; whether it pertains to a user or privileged (or "enable") account.
Required: yes
Default Value: user
Valid Values: user, privileged

Attribute.useOtherPrivilegedAccount
Required: yes
Default Value: false
Valid Values: true, false

Attribute.otherPrivilegedAccount
Required: no
Default Value: N/A
Valid Values: a valid target account ID

Attribute.changeAuxLoginPassword
Required: no
Default Value: N/A
Valid Values: true, false

Attribute.changeConsoleLoginPassword
Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.changeVtyLoginPassword
Required: no
Default Value: N/A
Valid Values: true, false

Attribute.numVTYPorts
Required: yes if changeVtyLoginPassword is true
Default Value: N/A
Valid Values: 1-15


SPML Target Connector


Use the SPML connector to manage any Service Provisioning Markup Language (SPML) v2 accounts.

SPML CLI Example


cmdName=addTargetApplication TargetServer.hostName=myHostName.myDomain.com TargetApplication.name=spmlAppl TargetApplication.type=SPML2 Attribute.path=myServletPath Attribute.port=389

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=spmlAppl TargetAccount.userName=admin TargetAccount.password='p@ssw0rd' TargetAccount.cacheBehavior=useCacheFirst TargetAccount.cacheDuration=21 Attribute.useOtherAccountToChangePassword=false

SPML Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
SPML target connector.

TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: SPML2

Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: SPML2

Attribute.port
The port used to connect to the SPML server.
Required: yes
Default Value: N/A
Valid Values: 0-65535. The GUI uses default value 8080.

Attribute.path
The SPML path that Credential Manager connects to. Used along with the target server host name, port attribute and protocol attribute to form a valid URL.
Required: no
Default Value: N/A
Valid Values: Text string

Attribute.protocol
The protocol used to connect to the SPML server.
Required: no
Default Value: clear
Valid Values: clear, ssl

Attribute.sslCertificate
The Active Directory SSL certificate.
Required: if the protocol is SSL.
Default Value: N/A
Valid Values: X.509 digital certificate in BASE64 encoded format

SPML Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
SPML target connector.

Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: SPML2

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change requests.
Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use to perform password change requests.
Required: yes if Attribute.useOtherAccountToChangePassword is true.
Default Value: N/A
Valid Values: A valid target account ID.


UNIX Target Connector


Use the UNIX connector to manage UNIX-based privileged accounts. This connector uses either the
SSHv2 or Telnet protocol for communication.

UNIX CLI Example


cmdName=addTargetApplication TargetServer.hostName=www.ca.com TargetApplication.type=unixII TargetApplication.name=UNIX Attribute.extensionType=unixII Attribute.useDefaultUpdateScript=true Attribute.useDefaultVerifyScript=true Attribute.unixVariant=GENERIC

cmdName=addTargetAccount TargetServer.hostName=www.ca.com TargetApplication.name=UNIX TargetAccount.userName=account1 TargetAccount.password=password1 Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.useOtherAccountToChangePassword=false Attribute.passwordChangeMethod=DO_NOT_USE_SUDO

UNIX Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
UNIX target connector.

TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: unixII

Attribute.sshPort
The port used to connect to the UNIX host using SSH.
Required: no
Default Value: 22
Valid Values: 0-65535

Attribute.sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond.
Required: no
Default Value: 5000
Valid Values: 1000-99999


Attribute.sshKeyPairPolicyID
Specifies the SSH Key Policy ID which controls how keys are generated; that is, the key type (RSA or DSA) and length.
Required: no
Default Value: N/A
Valid Values: 0-9

Attribute.sshStrictHostKeyCheckingEnabled
Enables or disables strict host key checking. When enabled, Credential Manager compares the public key received from the remote host when making a connection to the public key stored in the sshKnownHostKey attribute. If the keys do not match, the connection attempt is canceled.
Required: no
Default Value: false
Valid Values: true, false

Attribute.sshKnownHostKey
Contains the base-64 encoded public host key associated with the target server.
Required: yes if sshStrictHostKeyCheckingEnabled is true
Default Value: N/A
Valid Values: a base-64 encoded SSH public host key

Attribute.sshKnownHostKeyFingerprint
Contains the fingerprint of the public host key contained in the sshKnownHostKey attribute. The fingerprint is used for display purposes only, to allow the user to easily compare one key with another. The fingerprint specified must correspond to the specified public host key.
Required: no
Default Value: N/A
Valid Values: a public key fingerprint
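Because the fingerprint is display-only and is not checked against the key by the connector, a mismatched pair is easy to commit and hard to notice later. The following added example (not CA PAM code) is the check a practitioner would run before setting these attributes: it confirms that sshKnownHostKey is a base-64 SSH key blob of a type the page allows (ssh-rsa or ssh-dss), and that the fingerprint to be stored in sshKnownHostKeyFingerprint was actually computed from that blob. It assumes OpenSSH's fingerprint formats (colon-separated MD5 hex, optionally prefixed "MD5:", or "SHA256:" followed by the unpadded base-64 SHA-256 digest of the decoded blob); the page does not say which format PAM displays. The sample key blob is constructed with filler bytes and is not a real key.

```python
"""Verify that an sshKnownHostKeyFingerprint corresponds to its sshKnownHostKey
(added example; not CA Privileged Access Manager code).

Assumptions (not from the page): OpenSSH fingerprint formats (MD5 colon-hex or
SHA256 base-64) computed over the decoded key blob; the sample key is filler.
"""
import base64
import hashlib
import struct

ALLOWED_HOST_KEY_TYPES = ("ssh-rsa", "ssh-dss")  # valid values listed on the page


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_sample_key(type_name="ssh-rsa"):
    """Constructed base-64 blob (type, e, n) with filler bytes; not a real key."""
    e = b"\x01\x00\x01"
    n = b"\x00" + bytes(range(1, 65))  # leading zero keeps the mpint non-negative
    blob = _ssh_string(type_name.encode()) + _ssh_string(e) + _ssh_string(n)
    return base64.b64encode(blob).decode()


def key_type(b64_key):
    """The first wire string of the blob names the key type (ssh-rsa, ssh-dss, ...)."""
    blob = base64.b64decode(b64_key, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()


def md5_fingerprint(b64_key):
    digest = hashlib.md5(base64.b64decode(b64_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(b64_key):
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(b64_key, fingerprint):
    """Compare a user-supplied fingerprint with the key in either format."""
    fp = fingerprint.strip()
    if fp.startswith("SHA256:"):
        return fp == sha256_fingerprint(b64_key)
    if fp[:4].upper() == "MD5:":
        fp = fp[4:]
    return fp.lower() == md5_fingerprint(b64_key)


def validate_known_host(strict, b64_key, fingerprint=None):
    """Apply the page's rules; return a list of problems (empty means OK)."""
    if strict and not b64_key:
        return ["sshKnownHostKey is required when sshStrictHostKeyCheckingEnabled is true"]
    if not b64_key:
        return []
    try:
        kind = key_type(b64_key)
    except Exception:
        return ["sshKnownHostKey is not a base-64 encoded SSH public key blob"]
    problems = []
    if kind not in ALLOWED_HOST_KEY_TYPES:
        problems.append(f"host key type {kind!r} is not one of {ALLOWED_HOST_KEY_TYPES}")
    if fingerprint and not fingerprint_matches(b64_key, fingerprint):
        problems.append("sshKnownHostKeyFingerprint does not correspond to sshKnownHostKey")
    return problems


if __name__ == "__main__":
    key = make_sample_key()
    print(key_type(key), md5_fingerprint(key), sha256_fingerprint(key))
    print(validate_known_host(True, key, md5_fingerprint(key)))
```

For a real target, paste the second field of the host's line in a known_hosts file (the base-64 blob, without the key-type prefix) as the key, and compare against the fingerprint the host's administrator published out of band; the check only proves internal consistency of the pair, not that the key belongs to the host.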

Attribute.sshUseDefaultCiphers
Specifies whether the default ciphers should be used when Credential Manager makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false


Attribute.sshServerToClientCiphersList
Specifies the list of ciphers to accept on the inbound data stream from the remote host. Ciphers are listed in order of priority.
Required: yes if sshUseDefaultCiphers is false
Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
Valid Values: A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Note that spaces may not be used in the list.

Attribute.sshClientToServerCiphersList
Specifies the list of ciphers to use on the outbound data stream to the remote host. Ciphers are listed in order of priority.
Required: yes if sshUseDefaultCiphers is false
Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
Valid Values: A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Note that spaces may not be used in the list.

Attribute.sshDetectCiphersList
Specifies the list of ciphers to detect when connecting to the remote host. Credential Manager does not use ciphers that are unavailable even if they are specified to use as inbound and/or outbound ciphers. Ciphers are listed in order of priority.
Required: yes if sshUseDefaultCiphers is false
Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
Valid Values: A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Note that spaces may not be used in the list.

Attribute.sshUseDefaultHashes
Specifies whether the default hashes should be used when Credential Manager makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false

Attribute.sshServerToClientHashesList
Specifies the list of hashes to accept on the inbound data stream from the remote host. Hashes are listed in order of priority.
Required: yes if sshUseDefaultHashes is false
Default Value: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
Valid Values: A comma-separated list containing one or more of the following values: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96. Note that spaces may not be used in the list.

Attribute.sshClientToServerHashesList
Specifies the list of hashes to use on the outbound data stream to the remote host. Hashes are listed in order of priority.
Required: yes if sshUseDefaultHashes is false
Default Value: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
Valid Values: A comma-separated list containing one or more of the following values: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96. Note that spaces may not be used in the list.

Attribute.sshUseDefaultKeyExchangeAlgorithms
Specifies whether the default key exchange methods should be used when Credential Manager makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false

Attribute.sshKeyExchangeAlgorithmsList
Specifies the list of key exchange methods to use when connecting to the remote host. Methods are listed in order of priority.
Required: yes if sshUseDefaultKeyExchangeAlgorithms is false
Default Value: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Valid Values: A comma-separated list containing one or more of the following values: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1. Note that spaces may not be used in the list.

Attribute.sshUseDefaultCompressionAlgorithms
Specifies whether the default compression methods should be used when Credential Manager makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false

Attribute.sshServerToClientCompressionAlgorithmsList
Specifies the list of compression methods to accept on the inbound data stream from the remote host. Methods are listed in order of priority.
Required: yes if sshUseDefaultCompressionAlgorithms is false
Default Value: N/A (do not use compression)
Valid Values: A comma-separated list containing one or more of the following values: zlib, zlib@openssh.com. Note that spaces may not be used in the list.

Attribute.sshClientToServerCompressionAlgorithmsList
Specifies the list of compression methods to use on the outbound data stream to the remote host. Methods are listed in order of priority.
Required: yes if sshUseDefaultCompressionAlgorithms is false
Default Value: N/A (do not use compression)
Valid Values: A comma-separated list containing one or more of the following values: zlib, zlib@openssh.com. Note that spaces may not be used in the list.

Attribute.sshUseDefaultServerHostKeyAlgorithms
Specifies whether the default host key types should be accepted when Credential Manager makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false

Attribute.sshServerHostKeyAlgorithmsList
Specifies the list of host key types to accept when Credential Manager connects to the remote host.
Required: yes if sshUseDefaultServerHostKeyAlgorithms is false
Default Value: ssh-rsa,ssh-dss
Valid Values: A comma-separated list containing one or more of the following values: ssh-rsa, ssh-dss. Note that spaces may not be used in the list.
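The SSH algorithm-list attributes above share three rules: each list is required only when its sshUseDefault* switch is false, each may contain only the values its table lists, and none may contain a space. The following added example (not CA PAM code) checks a unixII addTargetApplication command line against those rules before it is run. The command format (one line of space-separated key=value tokens, as in the CLI examples) and the two sample commands are assumptions constructed here; the allowed-value sets are transcribed from the tables above.

```python
"""Validate the SSH algorithm-list attributes of a unixII addTargetApplication
command (added example; not CA Privileged Access Manager code).

Assumptions (not from the page): the command is one line of space-separated
key=value tokens; the sample commands below are constructed.
"""

# Allowed values, transcribed from the Valid Values column of each table.
CIPHERS = {"aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc",
           "aes128-cbc", "3des-ctr", "arcfour", "arcfour128", "arcfour256"}
HASHES = {"hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"}
KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
       "diffie-hellman-group-exchange-sha1"}
COMPRESSION = {"zlib", "zlib@openssh.com"}
HOST_KEY_TYPES = {"ssh-rsa", "ssh-dss"}

# (switch attribute, list attributes it governs, allowed values for those lists)
RULES = [
    ("Attribute.sshUseDefaultCiphers",
     ["Attribute.sshServerToClientCiphersList", "Attribute.sshClientToServerCiphersList",
      "Attribute.sshDetectCiphersList"], CIPHERS),
    ("Attribute.sshUseDefaultHashes",
     ["Attribute.sshServerToClientHashesList", "Attribute.sshClientToServerHashesList"], HASHES),
    ("Attribute.sshUseDefaultKeyExchangeAlgorithms",
     ["Attribute.sshKeyExchangeAlgorithmsList"], KEX),
    ("Attribute.sshUseDefaultCompressionAlgorithms",
     ["Attribute.sshServerToClientCompressionAlgorithmsList",
      "Attribute.sshClientToServerCompressionAlgorithmsList"], COMPRESSION),
    ("Attribute.sshUseDefaultServerHostKeyAlgorithms",
     ["Attribute.sshServerHostKeyAlgorithmsList"], HOST_KEY_TYPES),
]


def parse_command(line):
    """Split 'key=value key=value ...' into (params, stray_tokens).

    A space inside a list value splits the list into a second token with no
    '=', so such tokens are returned separately instead of being ignored.
    """
    params, stray = {}, []
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            params[key] = value
        else:
            stray.append(token)
    return params, stray


def validate_ssh_lists(params, stray=()):
    """Return a list of rule violations; an empty list means the command passes."""
    problems = [f"unexpected token {t!r} (a list value containing a space?)" for t in stray]
    for switch, lists, allowed in RULES:
        # The switches default to true, so a list is optional unless the switch is set to false.
        use_default = params.get(switch, "true").lower() == "true"
        for name in lists:
            if use_default:
                continue
            value = params.get(name)
            if value is None:
                problems.append(f"{name} is required because {switch} is false")
                continue
            bad = [v for v in value.split(",") if v not in allowed]
            if bad:
                problems.append(f"{name} has unsupported values: " + ", ".join(repr(v) for v in bad))
    return problems


def check(line):
    return validate_ssh_lists(*parse_command(line))


# Constructed sample commands (not from the page).
GOOD_COMMAND = (
    "cmdName=addTargetApplication TargetServer.hostName=host.example.com "
    "TargetApplication.type=unixII TargetApplication.name=UNIX Attribute.extensionType=unixII "
    "Attribute.unixVariant=LINUX Attribute.sshUseDefaultCiphers=false "
    "Attribute.sshServerToClientCiphersList=aes256-ctr,aes128-ctr "
    "Attribute.sshClientToServerCiphersList=aes256-ctr,aes128-ctr "
    "Attribute.sshDetectCiphersList=aes256-ctr,aes128-ctr "
    "Attribute.sshUseDefaultHashes=false "
    "Attribute.sshServerToClientHashesList=hmac-sha1 "
    "Attribute.sshClientToServerHashesList=hmac-sha1"
)
BAD_COMMAND = (
    "cmdName=addTargetApplication TargetServer.hostName=host.example.com "
    "TargetApplication.type=unixII TargetApplication.name=UNIX "
    "Attribute.sshUseDefaultCiphers=false "
    "Attribute.sshServerToClientCiphersList=aes256-ctr, aes128-ctr "
    "Attribute.sshClientToServerCiphersList=chacha20-poly1305@openssh.com"
)

if __name__ == "__main__":
    for problem in check(BAD_COMMAND):
        print(problem)
```

The bad command fails four ways: the space after the comma turns aes128-ctr into a stray token and leaves an empty element in the first list, the second list names a cipher the connector does not support, and the detect list is missing even though the default-ciphers switch is off. Note that the allowed sets include arcfour, the CBC modes and MD5-based HMACs; when the targets support them, restricting the explicit lists to the aes-ctr ciphers and hmac-sha1 is the safer choice (my recommendation, not a statement from the page).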

Attribute.telnetSessionTimeout
When using the Telnet communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond.
Required: no
Default Value: 5000
Valid Values: 1000-99999


Attribute.telnetPort
The port used to connect to the UNIX host using Telnet.
Required: no
Default Value: 23
Valid Values: 0-65536

Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host.
Required: no
Default Value: 5000
Valid Values: 5000-59999

Attribute.unixVariant
Specifies the type of UNIX system that is installed on the target server.
Required: no
Default Value: GENERIC
Valid Values: AIX, GENERIC, HPUX, LINUX, SOLARIS or OTHER.

Attribute.useUpdateScriptType
Specifies whether the default, revised or replacement update script should be used. Customers should use the default script and contact Customer Support if a revised or replacement script is needed.
Required: no
Default Value: 'DEFAULT'
Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'

Attribute.revisedUpdateScriptFilename
Specifies the name of the file containing the revised update script. The contents of the file are used as the revised script. Customers should use the default script and contact Customer Support if a revised script is needed.
Required: no
Default Value: N/A
Valid Values: a file name

Attribute.useVerifyScriptType
Specifies whether the default, revised or replacement verify script should be used. Customers should use the default script and contact Customer Support if a revised or replacement script is needed.
Required: no
Default Value: 'DEFAULT'
Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'


Attribute.revisedVerifyScriptFilename
Specifies the name of the file containing the revised verify script. The contents of the file are used as the revised script. Customers should use the default script and contact Customer Support if a revised script is needed.
Required: no
Default Value: N/A
Valid Values: a file name

Attribute.userNameEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a user name.
Required: no
Default Value: (?si).*?(login|username):.*?
Valid Values: valid regular expression syntax

Attribute.passwordEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a password.
Required: no
Default Value: (?si)(.*?password(\sfor|:).*?)
Valid Values: valid regular expression syntax

Attribute.passwordConfirmationPrompt
A regular expression that matches the prompt produced by the remote host when it requests that a password be confirmed.
Required: no
Default Value: AIX: (?si).*?new password.*? All other platforms: (?si).*?password:.*?)
Valid Values: valid regular expression syntax

Attribute.passwordChangePrompt
A regular expression that matches the prompt produced by the remote host when it requests that a password be changed because it has expired.
Required: no
Default Value: (?si).*?change your password.*?
Valid Values: valid regular expression syntax

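The four prompt attributes above are the regular expressions that the connector's login and password-change script matches against the output it receives from the host. The following Python block is an added example, not code from the CA documentation: it compiles the documented defaults (selecting the AIX or generic confirmation prompt from Attribute.unixVariant) and classifies constructed terminal buffers. The classify function, its check order and its expecting parameter are the example's own design, not a documented rule; the "all other platforms" confirmation default ends with a stray closing parenthesis as printed, and the example assumes that character is a misprint and drops it, because the pattern does not compile otherwise.

```python
import re

# Documented defaults for the UNIX target connector prompt attributes. The
# leading (?si) makes each pattern case-insensitive and lets '.' span line
# breaks, so the pattern is applied to the whole buffer received so far.
DEFAULT_PROMPTS = {
    "userNameEntryPrompt": r"(?si).*?(login|username):.*?",
    "passwordEntryPrompt": r"(?si)(.*?password(\sfor|:).*?)",
    "passwordChangePrompt": r"(?si).*?change your password.*?",
}

# Attribute.passwordConfirmationPrompt defaults depend on Attribute.unixVariant.
CONFIRMATION_PROMPTS = {
    "AIX": r"(?si).*?new password.*?",
    # Assumption: the default printed for all other platforms ends with an
    # unbalanced ')' and does not compile; it is used here without it.
    "OTHER": r"(?si).*?password:.*?",
}

# Order in which the buffer is tested (the example's own choice, not a
# documented rule): the expired-password and confirmation prompts are tried
# before the generic password prompt, because any confirmation prompt also
# satisfies passwordEntryPrompt.
CHECK_ORDER = (
    "passwordChangePrompt",
    "passwordConfirmationPrompt",
    "passwordEntryPrompt",
    "userNameEntryPrompt",
)


def compile_prompts(unix_variant="GENERIC"):
    """Compile the prompt set that applies to one Attribute.unixVariant value."""
    platform = "AIX" if unix_variant.upper() == "AIX" else "OTHER"
    patterns = dict(DEFAULT_PROMPTS)
    patterns["passwordConfirmationPrompt"] = CONFIRMATION_PROMPTS[platform]
    return {name: re.compile(pattern) for name, pattern in patterns.items()}


def classify(buffer, unix_variant="GENERIC", expecting=None):
    """Return the name of the first prompt attribute whose default pattern
    matches the whole buffer, or None. `expecting` narrows the check to the
    prompts the script is waiting for at its current step; a script needs
    that state because the regexes alone cannot tell a first password prompt
    from the confirmation prompt."""
    compiled = compile_prompts(unix_variant)
    for name in CHECK_ORDER:
        if expecting is not None and name not in expecting:
            continue
        if compiled[name].fullmatch(buffer):
            return name
    return None


# Constructed terminal output, not captured from a real host.
SAMPLE_BUFFERS = {
    "login": "Ubuntu 16.04 LTS host01 tty1\n\nhost01 login: ",
    "password": "Password: ",
    "sudo": "[sudo] password for admin: ",
    "expired": ("WARNING: Your password has expired.\n"
                "You must change your password now and login again!\n"
                "(current) UNIX password: "),
    "aix_confirm": "Changing password for \"root\"\nroot's New password: ",
    "shell_prompt": "root@host01:~# ",
}


def classify_samples():
    """Classify each constructed buffer; returns {label: prompt name or None}."""
    return {
        "login": classify(SAMPLE_BUFFERS["login"]),
        "password_first": classify(SAMPLE_BUFFERS["password"],
                                   expecting={"passwordEntryPrompt"}),
        "password_unconstrained": classify(SAMPLE_BUFFERS["password"]),
        "sudo": classify(SAMPLE_BUFFERS["sudo"],
                         expecting={"passwordEntryPrompt"}),
        "expired": classify(SAMPLE_BUFFERS["expired"]),
        "aix_confirm": classify(SAMPLE_BUFFERS["aix_confirm"], unix_variant="AIX"),
        "shell_prompt": classify(SAMPLE_BUFFERS["shell_prompt"]),
    }


if __name__ == "__main__":
    for label, name in classify_samples().items():
        print(f"{label:24s} -> {name}")
```

Two things worth noticing when running it: the `\sfor` alternative in passwordEntryPrompt is what lets the same pattern match sudo's "password for <user>:" prompt, and a bare "Password: " buffer satisfies both passwordEntryPrompt and the generic confirmation default, so the script, not the regex, has to know whether it is at the first entry or the confirmation step.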
Attribute.changePasswordCommand
The command on the remote host that is used to change a password.

Required: no
Default Value: passwd
Valid Values: depends on remote host

Attribute.elevatePrivilegeCommand
The command on the remote host that is used to elevate the user's level of privilege.

Required: no
Default Value: sudo
Valid Values: depends on remote host

Attribute.substituteUserCommand
The command on the remote host that is used to act as another user.

Required: no
Default Value: su
Valid Values: depends on remote host

Attribute.echoCommand
The command on the remote host that is used to repeat a sequence of characters to the standard
output; that is, the console.

Required: no
Default Value: echo
Valid Values: depends on remote host

Attribute.patternMatchingCommand
The command on the remote host that prints lines matching a pattern.

Required: no
Default Value: grep
Valid Values: depends on remote host

Attribute.policyManagementCommand
The command on the remote host that is used to manage policy.

Required: no
Default Value:
  AIX: pwdadm
  All other platforms: N/A
Valid Values: depends on remote host

Attribute.whoAmICommand
The command on the remote host that is used to retrieve the effective ID of the currently logged-in
user.

Required: no
Default Value: whoami
Valid Values: depends on remote host

Attribute.changeFilePermissionsCommand
The command on the remote host that is used to alter the permissions on a file.

Required: no
Default Value: chmod
Valid Values: depends on remote host

UNIX Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
UNIX target connector.

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.

Required: yes
Default Value: false
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use when updating the target account.

Required: yes, if Attribute.useOtherAccountToChangePassword is true
Default Value: N/A
Valid Values: a valid target account ID

Attribute.verifyThroughOtherAccount
Specifies whether or not the credentials of a second target account are used to authenticate to the
remote host when verifying the target account.

Required: yes, if Attribute.useOtherAccountToChangePassword is true
Default Value: false
Valid Values: true, false

Attribute.passwordChangeMethod
Specifies which method to use when updating passwords. For instance, the authenticated user may
require elevated privileges to change a password without being impacted by certain policies in effect
on the remote host (such as the minimum length of time between password updates).

Required: yes, if Attribute.useOtherAccountToChangePassword is false
Default Value: DO_NOT_USE_SUDO
Valid Values: DO_NOT_USE_SUDO, USE_SUDO, IS_ROOT_ACCOUNT, USE_AUTHENTICATED_SUDO

Attribute.protocol
Specifies the protocol to use for communicating with the remote host.

Required: yes, if Attribute.useOtherAccountToChangePassword is false
Default Value: SSH2_PASSWORD_AUTH
Valid Values: SSH2_PASSWORD_AUTH, SSH2_PUBLIC_KEY_AUTH, TELNET

Attribute.passphrase
The passphrase that protects the private key.

Required: no
Default Value: N/A
Valid Values: a string

Attribute.publicKey
Specifies the public key that corresponds to the target account's private key (which is stored as its
password).

Required: yes, if the chosen protocol is SSH2_PUBLIC_KEY_AUTH
Default Value: N/A
Valid Values: an OpenSSH-formatted public key

Attribute.keyOptions
Specifies a list of comma-separated option specifications as per the authorized_keys file format
described in the OpenSSH documentation.

Required: no
Default Value: N/A
Valid Values: comma-separated list of OpenSSH key options

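Several of the UNIX target account parameters above are required only conditionally (otherAccount when useOtherAccountToChangePassword is true; passwordChangeMethod and protocol when it is false; publicKey when the protocol is SSH2_PUBLIC_KEY_AUTH), and a command that violates those rules is easier to catch before it is submitted than in the CLI's error output. The following Python block is an added example, not CA PAM code: it parses a key=value command line in the style of the CLI examples in this reference and checks it against the rules and valid values documented above. The host, application and account names are hypothetical, the public-key shape check is the example's own, and the toy parser splits on whitespace, so it does not model whatever quoting the real CLI applies to values that contain spaces.

```python
# Documented valid values for the UNIX connector's addTargetAccount attributes.
PASSWORD_CHANGE_METHODS = {
    "DO_NOT_USE_SUDO", "USE_SUDO", "IS_ROOT_ACCOUNT", "USE_AUTHENTICATED_SUDO",
}
PROTOCOLS = {"SSH2_PASSWORD_AUTH", "SSH2_PUBLIC_KEY_AUTH", "TELNET"}
BOOLEANS = {"true", "false"}


def parse_command(text):
    """Split a whitespace-separated key=value command line into a dict. Only
    the first '=' in a token separates key from value, so values such as
    userDN=cn=admin,dc=cspm2 survive intact."""
    params = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"token without '=': {token!r}")
        params[key] = value
    return params


def looks_like_openssh_public_key(value):
    """Loose shape check for 'an OpenSSH-formatted public key' (the example's
    own heuristic): a key type, a base64 blob and an optional comment."""
    fields = value.split()
    return len(fields) >= 2 and fields[0].startswith(("ssh-", "ecdsa-sha2-"))


def validate_unix_target_account(params):
    """Return the list of documented rules the parameter set violates (empty
    when it is acceptable). Documented defaults are assumed for attributes
    that are omitted but have one."""
    problems = []
    if params.get("cmdName") != "addTargetAccount":
        problems.append("cmdName must be addTargetAccount")
    use_other = params.get("Attribute.useOtherAccountToChangePassword")
    if use_other not in BOOLEANS:
        problems.append("Attribute.useOtherAccountToChangePassword is required "
                        "and must be true or false")
        return problems  # the remaining rules all depend on this value
    if use_other == "true":
        if not params.get("Attribute.otherAccount"):
            problems.append("Attribute.otherAccount is required when "
                            "useOtherAccountToChangePassword is true")
        verify = params.get("Attribute.verifyThroughOtherAccount", "false")
        if verify not in BOOLEANS:
            problems.append("Attribute.verifyThroughOtherAccount must be true or false")
    else:
        method = params.get("Attribute.passwordChangeMethod", "DO_NOT_USE_SUDO")
        if method not in PASSWORD_CHANGE_METHODS:
            problems.append(f"Attribute.passwordChangeMethod {method!r} is not one of "
                            + ", ".join(sorted(PASSWORD_CHANGE_METHODS)))
        protocol = params.get("Attribute.protocol", "SSH2_PASSWORD_AUTH")
        if protocol not in PROTOCOLS:
            problems.append(f"Attribute.protocol {protocol!r} is not one of "
                            + ", ".join(sorted(PROTOCOLS)))
        elif protocol == "SSH2_PUBLIC_KEY_AUTH":
            key = params.get("Attribute.publicKey", "")
            if not key:
                problems.append("Attribute.publicKey is required when "
                                "Attribute.protocol is SSH2_PUBLIC_KEY_AUTH")
            elif not looks_like_openssh_public_key(key):
                problems.append("Attribute.publicKey must be an OpenSSH-formatted public key")
    return problems


# Constructed command lines in the style of the CLI examples in this reference
# (hypothetical host, application and account names).
PASSWORD_AUTH_COMMAND = (
    "cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com "
    "TargetApplication.name=myunix TargetAccount.userName=root "
    "TargetAccount.password=P@ssw0rd "
    "Attribute.useOtherAccountToChangePassword=false "
    "Attribute.passwordChangeMethod=IS_ROOT_ACCOUNT Attribute.protocol=SSH2_PASSWORD_AUTH"
)
MISSING_KEY_COMMAND = (
    "cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com "
    "TargetApplication.name=myunix TargetAccount.userName=deploy "
    "Attribute.useOtherAccountToChangePassword=false "
    "Attribute.protocol=SSH2_PUBLIC_KEY_AUTH"
)
MISSING_OTHER_ACCOUNT_COMMAND = (
    "cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com "
    "TargetApplication.name=myunix TargetAccount.userName=appsvc "
    "TargetAccount.password=P@ssw0rd Attribute.useOtherAccountToChangePassword=true"
)

if __name__ == "__main__":
    for cmd in (PASSWORD_AUTH_COMMAND, MISSING_KEY_COMMAND, MISSING_OTHER_ACCOUNT_COMMAND):
        print(validate_unix_target_account(parse_command(cmd)) or "OK")
```

Because an OpenSSH public key contains spaces, the whitespace-splitting parser cannot carry one on a single command line; set Attribute.publicKey on the parsed dict directly, as the checks below the block do, or extend the parser with the CLI's actual quoting rules, which this reference does not describe.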
VMWare ESX/ESXi Target Connector


This target connector uses WSDL with SSL to support ESX/ESXi target account password
synchronization.


VMWARE ESX/ESXi CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myESXi TargetApplication.type=vmware Attribute.extensionType=vmware
  Attribute.sslPort=443

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myESXi TargetAccount.userName=root TargetAccount.password=P@ssw0rd
  TargetAccount.cacheAllow=true TargetAccount.cacheDuration=19 Attribute.extensionType=vmware
  Attribute.useOtherAccountToChangePassword=false

VMWARE ESX/ESXi Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
VMWARE ESX/ESXi target connector.

TargetApplication.type
The target application connector type.

Required: yes
Default Value: N/A
Valid Values: vmware

Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: vmware

Attribute.sslPort
The target application port.

Required: yes
Default Value: 443
Valid Values: 0-65535

VMWARE ESX/ESXi Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
VMWARE ESX/ESXi target connector.

Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: vmware

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.

Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use to perform password change requests.

Required: yes, if Attribute.useOtherAccountToChangePassword is true
Default Value: N/A
Valid Values: A valid target account ID

VMWare NSX Controller Target Connector


This target connector provides synchronization support for NSX controller target accounts.

VMWARE NSX Controller CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myESXi TargetApplication.type=nsxcontroller
  Attribute.extensionType=nsxcontroller Attribute.sshPort=22

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myNSX TargetAccount.userName=root TargetAccount.password=P@ssw0rd
  TargetAccount.cacheAllow=true TargetAccount.cacheDuration=19

VMWARE NSX Controller Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
VMWARE NSX Controller target connector.

TargetApplication.type
The target application connector type.

Required: yes
Default Value: N/A
Valid Values: nsxcontroller


Attribute.sshPort
The port used to connect to the UNIX host using SSH.

Required: no
Default Value: 22
Valid Values: 0-65535

Attribute.sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that
Credential Manager waits for the remote host to respond.

Required: no
Default Value: 5000
Valid Values: 1000-99999

Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected
input from the remote host.

Required: no
Default Value: 5000
Valid Values: 5000-59999

VMWARE NSX Controller Add Target Account CLI Parameters


This target connector does not introduce any additional parameters when using the CLI to add a
target account.

VMWare NSX Manager Target Connector


This target connector provides synchronization support for NSX manager target accounts.

VMWARE NSX Manager CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myESXi TargetApplication.type=nsxmanager
  Attribute.extensionType=nsxmanager Attribute.sshPort=22

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myNSX TargetAccount.userName=root TargetAccount.password=P@ssw0rd
  TargetAccount.cacheAllow=true TargetAccount.cacheDuration=19


VMWARE NSX Manager Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
VMWARE NSX manager target connector.

TargetApplication.type
The target application connector type.

Required: yes
Default Value: N/A
Valid Values: nsxmanager

Attribute.sshPort
The port used to connect to the UNIX host using SSH.

Required: no
Default Value: 22
Valid Values: 0-65535

Attribute.sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that
Credential Manager should wait for the remote host to respond.

Required: no
Default Value: 5000
Valid Values: 1000-99999

Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected
input from the remote host.

Required: no
Default Value: 5000
Valid Values: 5000-59999

VMWARE NSX Manager Add Target Account CLI Parameters


This target connector does not introduce any additional parameters when using the CLI to add a
target account.

VMWare NSX Proxy Target Connector


This target connector provides synchronization support for NSX proxy target accounts.


VMWARE NSX Proxy CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myESXi TargetApplication.type=nsxproxy Attribute.extensionType=nsxproxy

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myNSX_Proxy TargetAccount.userName=root TargetAccount.password=P@ssw0rd
  TargetAccount.cacheAllow=true TargetAccount.cacheDuration=19

VMWARE NSX Proxy Add Target Application CLI Parameters


This target connector does not introduce any additional parameters when using the CLI to add a
target application.

VMWARE NSX Proxy Add Target Account CLI Parameters


This target connector does not introduce any additional parameters when using the CLI to add a
target account.

WebLogic Target Connector


This target connector provides password synchronization functionality for WebLogic v10 systems.

WebLogic CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=weblogic10 TargetApplication.type=weblogic10
  Attribute.extensionType=weblogic10 Attribute.port=7001

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=weblogic10 TargetAccount.userName=admin TargetAccount.password=p@ssw0rd
  TargetAccount.cacheAllow=true TargetAccount.cacheDuration=21 Attribute.extensionType=weblogic10
  Attribute.realm=myrealm Attribute.useOtherAccountToChangePassword=false

WebLogic Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
WebLogic target connector.

TargetApplication.type
The target application connector type.

Required: yes
Default Value: N/A
Valid Values: weblogic10

Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: weblogic10

Attribute.port
The port used to connect to the WebLogic server.

Required: yes
Default Value: N/A
Valid Values: 0-65535. The GUI uses default value 7001.

WebLogic Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
WebLogic target connector.

Attribute.extensionType
Required: yes
Default Value: N/A
Valid Values: weblogic10

Attribute.realm
Required: yes
Default Value: N/A
Valid Values: valid realm name

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.

Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use to perform password change requests.

Required: yes, if Attribute.useOtherAccountToChangePassword is true
Default Value: N/A
Valid Values: A valid target account ID

Windows Domain Services Target Connector


The Windows Domain Services connector and the Windows Proxy connector both manage Windows
accounts. Use the Windows Domain Services connector to update the password of Active Directory
accounts. This connector uses the LDAP or LDAPS interface to Active Directory to update account
passwords. You can also use this connector to update Windows services and scheduled tasks if the
connector communicates with a deployed Windows Proxy. The connector performs the following
activities:

Verifies and synchronizes the password against an Active Directory database

Queries one or more DNS servers to find domain controllers (optional)

Uses LDAP to connect to the domain controller

If the domain account is used for a service or scheduled task, it uses one or more Windows
Proxies to update service or scheduled task credentials and restart services

Uses HTTPS and AES encryption for secure communications

Windows Domain Services CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myAD TargetApplication.type=windowsDomainService
  Attribute.domainName=cspm2 Attribute.useDNS=specifiedDNS
  Attribute.dnsServer=dns1.cloakware.com,dns2.cloakware.com Attribute.dcPort=636
  Attribute.adSite=London

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=mywindows TargetAccount.userName=admin TargetAccount.password=P@ssw0rd
  TargetAccount.cacheAllow=true TargetAccount.cacheDuration=19 Attribute.extensionType=windows
  Attribute.useOtherAccountToChangePassword=false Attribute.forcePasswordChange=false
  Attribute.userDN=cn=admin,dc=cspm2
  Attribute.serviceInfo=proxyhostA:HostA:serviceName:restart|proxyhostB:HostB:serviceName:norestart
  Attribute.tasks=proxyHostA:HostA:taskName|proxyHostB:HostB:taskName

Windows Domain Services Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
Windows Domain Services target connector.


TargetApplication.type
The target application connector type.

Required: yes
Default Value: N/A
Valid Values: windowsDomainService

Attribute.disableAutoConnectTargetAccount
Disable automatic connections to the remote target server for all target accounts using this
application type.

Required: no
Default Value: false
Valid Values: true, false. True disables automatic connectivity; that is, automatic connections are
not allowed. False enables automatic connectivity; that is, automatic connections are allowed.

Attribute.domainName
The Windows domain managed by the Active Directory server.

Required: yes
Default Value: N/A
Valid Values: Domain name (a text string)

Attribute.useDNS
Determines the level to which DNS is used.

Required: yes
Default Value: none
Valid Values: One of:
  noDNS: DNS is not used
  retrieveDNS: Retrieve the DNS server used by the Credential Manager server
  specifiedDNS: Use the DNS server specified by the dnsServer attribute

Attribute.dnsServer
The host names of the DNS servers to use.

Required: yes, if Attribute.useDNS is set to specifiedDNS
Default Value: none
Valid Values: Comma separated list of DNS server host names

Attribute.dcPort
The port used to connect to the Active Directory server.

Required: no
Default Value: 636
Valid Values: Numeric

Attribute.adSite
The Active Directory site. This parameter is only used if Attribute.useDNS is set to
retrieveDNS or specifiedDNS. If a value is given, Credential Manager uses the value to
narrow the search for domain controllers based on the specified name.

Required: no
Default Value: N/A
Valid Values: String

Windows Domain Services Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
Windows Domain Services target connector.

Attribute.extensionType
Specifies the type of account to be used.

Required: yes
Default Value: N/A
Valid Values: windows

Attribute.userDN
The user's distinguished name on the Active Directory server.

Required: yes
Default Value: N/A
Valid Values: String


Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.

Required: yes
Default Value: N/A
Valid Values: true, false

Attribute.otherAccount
Specifies which other account to use to perform password change requests.

Required: yes, if Attribute.useOtherAccountToChangePassword is true
Default Value: N/A
Valid Values: String. A valid target account ID.

Attribute.serviceInfo
List of services.

Required: no
Default Value: N/A
Valid Values: <empty string> (no services), or one entry per service in the form
  <proxy hostname>:<hostname>:<servicename>:restart
  or
  <proxy hostname>:<hostname>:<servicename>:norestart
Multiple services are delimited by the | character.
<proxy hostname> is the name of the server running the proxy.
<hostname> is the name of the server where the service is hosted.

Attribute.tasks
List of scheduled tasks.

Required: no
Default Value: none
Valid Values: <empty string> (no tasks), or one entry per task in the form
  <proxy hostname>:<hostname>:<taskname>
Multiple tasks are delimited by the | character.
<proxy hostname> is the name of the server running the proxy.
<hostname> is the name of the server where the scheduled task is hosted.

Windows Proxy Target Connector


The Windows Proxy connector and the Windows Domain Services connector both manage Windows
accounts. Use the Windows Proxy connector to manage the Active Directory and local Windows
accounts, as well as the passwords for Windows services and scheduled tasks. This connector uses
the Windows APIs to make updates to the account, services and scheduled tasks passwords. The
connector can optionally query one or more DNS servers to find domain controllers. The Windows
Proxy connector uses HTTPS and AES encryption for secure communications.

If the guest account in the domain or on the target server is enabled, the Windows Proxy Connector
may appear to successfully verify the password of the target account that does not exist on the target
server. You must disable the guest account in the domain or on the target server to avoid this false
password verification.

The permissions required for the Windows Proxy are affected by a number of architectural
deployment decisions:

The types of accounts being managed by the proxy, for example local, domain, or both

Whether passwords on services and scheduled tasks are also being managed

Whether the proxy is deployed on each server, or whether one proxy is deployed for the domain.

If you only manage local Windows accounts, service or scheduled tasks and you choose to deploy the
proxy on each server or workstation being managed, then the proxy can be run in the context of local
system. This scenario allows successful updates to the local accounts, services and scheduled tasks.

If you deploy a single (or multiple for high availability) proxy to manage multiple servers, the proxy
needs to operate under an account with adequate privileges to manage the accounts, services and
scheduled tasks. If you use the Windows Domain Service connector to manage the domain accounts,
then the proxy only needs to run with a domain account that has privileges to change local
passwords, services or scheduled tasks on the machines being managed.

As a result, the service account being used for the proxy can have its privileges limited to that of a
Domain User. To enable management of Local Windows accounts and the passwords on Windows
services and scheduled tasks, the service account must be a member of the Local Administrator
group on the server hosting the Target Account being managed.


To use the Windows Proxy to manage Domain accounts as well, add the service account to the
domain Account Operators group to allow the proxy to reset passwords in Active Directory.

Windows Proxy CLI Example


cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myWindows TargetApplication.type=windows Attribute.extensionType=windows
  Attribute.agentId=1 Attribute.accountType=domain Attribute.domainName=testDomain

cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=mywindows TargetAccount.userName=admin TargetAccount.password=P@ssw0rd
  TargetAccount.cacheAllow=true TargetAccount.cacheDuration=19 Attribute.extensionType=windows
  Attribute.useOtherAccountToChangePassword=false Attribute.forcePasswordChange=false
  Attribute.serviceInfo=HostA:serviceName:restart|HostB:ServiceName:norestart
  Attribute.tasks=HostA:taskName|HostB:taskName

Windows Proxy Add Target Application CLI Parameters


Use the following additional parameters when using the CLI to add a target application that uses the
Windows Proxy target connector.

Attribute.extensionType
Specifies the type of account to be used.

Required: yes
Default Value: N/A
Valid Values: windows

Attribute.agentId
The identifiers for the Windows Proxies used to manage passwords.

Required: yes
Default Value: N/A
Valid Values: Comma separated list of Windows Proxy IDs. Each ID is a numeric.

Attribute.accountType
The type of account being managed.

Required: no
Default Value: domain
Valid Values: domain, local

Attribute.domainName
The Windows domain for the managed accounts.

Required: yes, if Attribute.accountType is set to domain (the default)
Default Value: none
Valid Values: Domain name (a text string)

Attribute.domain
The Windows domain for the managed accounts. Exists only for backwards compatibility. CA
Technologies recommends using Attribute.domainName instead.

Required: yes, if Attribute.accountType is set to domain (the default)
Default Value: none
Valid Values: Domain name (a text string)

Attribute.useDNS
Determines the level to which DNS is used.

Required: yes, if Attribute.accountType is set to domain (the default)
Default Value: none
Valid Values: One of:
  noDNS: DNS is not used
  retrieveDNS: Retrieve the DNS server used by the Credential Manager server
  specifiedDNS: Use the DNS server specified by the dnsServer attribute

Attribute.dnsServer
The host names of the DNS servers to use.

Required: yes, if Attribute.useDNS is set to specifiedDNS
Default Value: none
Valid Values: Comma separated list of DNS server host names

Attribute.specifiedServersList
Provides a comma separated list of domain controllers.

Required: yes, if Attribute.useDNS is set to specifiedServers
Default Value: none
Valid Values: Comma separated list of valid domain controllers


Attribute.adSite
The Active Directory site. This parameter is only used if Attribute.useDNS is set to
retrieveDNS or specifiedDNS. If a value is given, Credential Manager uses the value to
narrow the search for domain controllers based on the specified name.

Required: no
Default Value: none
Valid Values: String

Windows Proxy Add Target Account CLI Parameters


Use the following additional parameters when using the CLI to add a target account that uses the
Windows Proxy target connector.

Attribute.extensionType
Specifies the type of account to be used.

Required: yes
Default Value: N/A
Valid Values: windows

Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account to perform password change
requests.

Required: yes
Default Value: N/A
Valid Values: true, false, agent

Attribute.otherAccount
Specifies which other account to use to perform password change requests.

Required: yes, if Attribute.useOtherAccountToChangePassword is true
Default Value: N/A
Valid Values: String. A valid target account ID.

Attribute.serviceInfo
List of services.

Required: no
Default Value: N/A
Valid Values: <empty string> (no services), or one entry per service in the form
  <hostname>:<servicename>:restart
  or
  <hostname>:<servicename>:norestart
Multiple services are delimited by the | character.
<hostname> is the name of the server where the service is hosted.

Attribute.tasks
List of scheduled tasks.

Required: no
Default Value: none
Valid Values: <empty string> (no tasks), or one entry per task in the form
  <hostname>:<taskname>
Multiple tasks are delimited by the | character.
<hostname> is the name of the server where the scheduled task is hosted.

Attribute.forcePasswordChange
This parameter specifies whether or not Credential Manager updates passwords that fail verification
during an initial synchronization. The default value is false. To update passwords that fail initial
synchronization set the attribute value to true.

Required: no
Default Value: false
Valid Values: true, false

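The serviceInfo and tasks attributes of the Windows Domain Services connector and of the Windows Proxy connector use the same pipe-delimited, colon-separated layout but differ by one leading field: the Domain Services form carries a <proxy hostname> before <hostname>, the Windows Proxy form does not. The following Python block is an added example, not CA PAM code: it parses both forms into records, rejects entries with the wrong field count, an empty field or an action other than restart/norestart, and lists which services a password change will restart. The sample values are the ones from the two CLI examples in this reference; the record types and the helper names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

RESTART_ACTIONS = ("restart", "norestart")


@dataclass(frozen=True)
class ServiceEntry:
    proxy_host: Optional[str]  # None in the Windows Proxy connector's three-field form
    host: str
    service: str
    restart: bool


@dataclass(frozen=True)
class TaskEntry:
    proxy_host: Optional[str]
    host: str
    task: str


def _split_entries(value, field_count, what):
    """Split a '|'-delimited attribute value into colon-separated fields and
    reject entries with the wrong field count or an empty field. Host names
    cannot contain ':', so splitting on every colon is safe."""
    if value == "":
        return []  # <empty string> means no services / no tasks
    rows = []
    for position, item in enumerate(value.split("|"), start=1):
        fields = item.split(":")
        if len(fields) != field_count:
            raise ValueError(f"{what} entry {position} {item!r}: expected "
                             f"{field_count} colon-separated fields, got {len(fields)}")
        if any(field == "" for field in fields):
            raise ValueError(f"{what} entry {position} {item!r}: empty field")
        rows.append(fields)
    return rows


def parse_service_info(value: str, with_proxy_host: bool) -> List[ServiceEntry]:
    """Parse Attribute.serviceInfo. with_proxy_host=True selects the Windows
    Domain Services form <proxy hostname>:<hostname>:<servicename>:<action>;
    False selects the Windows Proxy form <hostname>:<servicename>:<action>."""
    entries = []
    for fields in _split_entries(value, 4 if with_proxy_host else 3, "service"):
        *prefix, service, action = fields
        if action not in RESTART_ACTIONS:
            raise ValueError(f"service {service!r}: action must be restart or "
                             f"norestart, got {action!r}")
        proxy_host = prefix[0] if with_proxy_host else None
        entries.append(ServiceEntry(proxy_host, prefix[-1], service, action == "restart"))
    return entries


def parse_tasks(value: str, with_proxy_host: bool) -> List[TaskEntry]:
    """Parse Attribute.tasks: <proxy hostname>:<hostname>:<taskname> for the
    Windows Domain Services connector, <hostname>:<taskname> for the Windows
    Proxy connector."""
    entries = []
    for fields in _split_entries(value, 3 if with_proxy_host else 2, "task"):
        *prefix, task = fields
        proxy_host = prefix[0] if with_proxy_host else None
        entries.append(TaskEntry(proxy_host, prefix[-1], task))
    return entries


def is_valid_service_info(value: str, with_proxy_host: bool) -> bool:
    """True when the value parses under the selected connector's format."""
    try:
        parse_service_info(value, with_proxy_host)
        return True
    except ValueError:
        return False


def services_to_restart(entries: List[ServiceEntry]) -> List[str]:
    """Return 'host/service' for every service flagged restart, the set an
    operator reviews before scheduling the password update."""
    return [f"{e.host}/{e.service}" for e in entries if e.restart]


# The serviceInfo and tasks values from the two CLI examples in this reference.
DOMAIN_SERVICES_SERVICE_INFO = (
    "proxyhostA:HostA:serviceName:restart|proxyhostB:HostB:serviceName:norestart")
DOMAIN_SERVICES_TASKS = "proxyHostA:HostA:taskName|proxyHostB:HostB:taskName"
WINDOWS_PROXY_SERVICE_INFO = "HostA:serviceName:restart|HostB:ServiceName:norestart"
WINDOWS_PROXY_TASKS = "HostA:taskName|HostB:taskName"

if __name__ == "__main__":
    for entry in parse_service_info(DOMAIN_SERVICES_SERVICE_INFO, with_proxy_host=True):
        print(entry)
    print(services_to_restart(parse_service_info(WINDOWS_PROXY_SERVICE_INFO, False)))
```

A Windows Proxy value passed to the Domain Services parser (or the reverse) fails on field count rather than being silently misread, which is the check to keep when the same value is reused across the two connector types.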
CA Privileged Access Manager API Key Target Connector


This target connector is for internal use only.

It does not introduce any additional parameters when using the CLI to add a target application.

It does not introduce any additional parameters when using the CLI to add a target account.


Communication Settings
The following table describes CA Privileged Access Manager port assignments.

Port 22
  Source: CA Privileged Access Manager server
  Destination: SSH device targets
  Notes: Required for target device access through built-in SSH access method.

Port 23
  Source: CA Privileged Access Manager server
  Destination: Telnet device targets
  Notes: Required for target device access through built-in telnet, TN3270, TN5250 or TN3270SSL
  access methods.

Port 49
  Source: CA Privileged Access Manager server
  Destination: TACACS server
  Notes: Required for CA PAM integration with TACACS server.

Port 123
  Source: CA PAM server
  Destination: NTP server(s)
  Notes: Optional for standalone CA Privileged Access Manager server, required for CA Privileged
  Access Manager cluster members.

Port 389
  Source: CA PAM server
  Destination: LDAP server
  Notes: Required for CA PAM integration with LDAP server.

Port 443
  Source: Client workstations
  Destination: CA PAM server
  Notes: Required for HTTPS access to CA PAM server.

  Source: CA PAM Socket Filter Agent (SFA) on target device
  Destination: CA PAM server
  Notes: Required for CA PAM socket filter agent (SFA) use.

  Source: CA PAM server: cluster member
  Destination: Other CA PAM server: cluster member
  Notes: Required bi-directional communication between members of a CA Privileged Access Manager
  cluster.

Port 445
  Source: CA PAM server
  Destination: CIFS server
  Notes: Required for CA PAM integration with CIFS server for session log storage.

Port 636
  Source: CA PAM server
  Destination: Domain Controller
  Notes: Required for Windows Domain Service target application.

Port 992
  Source: CA PAM server
  Destination: TN5250 SSL targets
  Notes: Required for target device access through built-in TN5250 SSL access method.

Port 1812
  Source: CA PAM server
  Destination: RADIUS server
  Notes: Required for CA PAM integration with a RADIUS server.

Port 2049
  Source: CA PAM server
  Destination: NFS server
  Notes: Required for integration with NFS server for session log storage. May require port 111 as
  well.

Port 3306
  Source: CA PAM server: cluster member
  Destination: Other CA PAM server: cluster member
  Notes: Required bi-directional between members of a CA-PAM cluster.

  Source: CA PAM server
  Destination: External MySQL log server
  Notes: Required if external log server is configured.

Port 3389
  Source: CA PAM server
  Destination: RDP target devices
  Notes: Required for target device access through built-in RDP access method.

Port 5500
  Source: CA PAM server
  Destination: RSA server
  Notes: Required for integration with an RSA authentication server.

Port 5900
  Source: CA PAM server
  Destination: VNC target devices
  Notes: Required for target device access using CA PAM built-in VNC access methods.

  Source: CA PAM server: cluster member
  Destination: Other CA PAM server: cluster member
  Notes: Required bi-directional between members of a CA-PAM cluster (Hazelcast).

Port 7900
  Source: CA PAM server: cluster member
  Destination: Other CA PAM server: cluster member
  Notes: Required bi-directional between members of a CA-PAM cluster (JGroups).

Port 7901
  Source: CA PAM server: cluster member
  Destination: Other CA PAM server: cluster member
  Notes: Required bi-directional between members of a CA-PAM cluster (JGroups heartbeat).

Port 7902
  Source: CA PAM server: cluster member
  Destination: Other CA PAM server: cluster member
  Notes: Required bi-directional between members of a CA-PAM cluster (Password Management sync).

Port 8550
  Source: CA PAM server
  Destination: CA PAM Socket Filter Agent (SFA) on target device
  Notes: Required for CA PAM socket filter agent use.

Port 27077
  Source: CA PAM server
  Destination: CA PAM Windows proxy
  Notes: Required for CA Privileged Access Manager Windows Proxy use.

Port 28888
  Source: CA PAM server
  Destination: CA PAM A2A Client
  Notes: Required for CA Privileged Access Manager A2A Client use.

Port TBD
  Source: Client workstations
  Destination: Target devices
  Notes: Any port needed to access configured services on target devices to which a CA Privileged
  Access Manager user is connecting using a local third-party application from the client.

More information:

Default Port Settings (https://docops.ca.com/display/CAPAM28/Default+Port+Settings)


CSVs for Import and Export


Comma-separated-values files can be used to import and export several types of CA Privileged Access
Manager managed objects as described in the next section. Templates with sample data are provided
at each of the Import and Export GUI pages.
About Imports (see page 79)
About Exports (see page 80)
About Transfers (see page 80)
CSV File Types (see page 81)

About Imports
CA Privileged Access Manager-managed objects may be imported from comma-separated value (CSV)
files that can be created in any text editor or spreadsheet program and saved as plain text. You may
want to use the sample file (available on an Import/Export page) as a template, and refer to the
information in the tables below to populate the fields.
NOTE: Currently, Credential Manager objects cannot be imported.

File names and types


When provisioning multiple CA Privileged Access Manager objects using CSV files, they should be
imported in the following order to handle attribute dependencies. Files may use any name, as long as
they have been saved in plain text and have file extension: .csv
IMPORTANT: CSV files must be imported through the matching import page (identified immediately
below), as object-specific error checking is performed. They cannot be successfully imported from
other import pages.

Managed objects in file                  Import/Export page to use
1. Services                              Services > Import/Export Services
2. Roles                                 Users > Import/Export Roles
3. User Groups, then Users*#             Users > Import/Export Users
   and Device Groups, then Devices*#     Devices > Import/Export Devices
4. Socket Filter Lists#                  Policy > Import/Export Socket Filter Lists
   and Command Filter Lists#             Policy > Import/Export Command Filter Lists
5. Policies                              Policy > Import/Export Policy

* All User Group records (rows) must be listed in a (Users-only) import file before all User records,
and all Device Group records (rows) must be listed in a (Devices-only) import file before all Device
records.
# UserGroups/Users files may be imported before or after DeviceGroups/Devices files, and Socket
Filter Lists files may be imported before or after Command Filter Lists files.

File content
The only (field) separator permitted in a CSV file is a comma, and thus a comma cannot be used in
field content.

Not all record content must be imported to create a record – the tables identify with asterisks *
which fields are required for particular record types.

The first line in each file is for column names, which are used to identify record fields during
import.

CSV file columns may be rearranged as long as the corresponding CSV File Column Labels are
preserved.

After performing an import, you can check the results (in sum) by clicking the "Download CSV
Import Results" link that appears after the import, below any error messages.

About Exports
File names and types
Each export file is downloaded with a timestamp (to the second) in the filename:
objecttypeYYYYMMDDHHMMSS.csv
EXAMPLE
devices20110715131849.csv

File content
Several informational fields are added to a User Group/Users export file, and the export does not preserve the import column arrangement (the informational fields are inserted between field columns). These informational fields are identified in the tables by oblique (italic) names.
CA Privileged Access Manager does not display stored passwords in User record exports: each cell in the "Password" column (which is used only for imports) is empty.

About Transfers
CSV files are frequently used to transfer (export + import) from one CA Privileged Access Manager
appliance to another.


LDAP Users
LDAP User records draw data from two locations: fields from the LDAP source directory, and any CA Privileged Access Manager-specific fields that the administrator may populate after the LDAP import. To perform an LDAP transfer, recreate a baseline LDAP import, and then "overlay" the CA Privileged Access Manager fields:

1. At the source CA Privileged Access Manager appliance, Export Users to a CSV file.

2. At the destination CA Privileged Access Manager appliance, Import LDAP Group from the
source LDAP directory(ies).

3. At the destination CA Privileged Access Manager appliance, Import Users with the CSV file
obtained from the source CA Privileged Access Manager.

CSV File Types

Services
In Services > Import/Export Services, you can download a sample file and populate it according to the specifications in the following table. In Record Type, * = required for that type of record (TCP/UDP, TCP/UDP: Web Portal, SSL VPN, or Application).

CSV File Column Label | Record Type | Permitted Values | Description / Notes
--- | --- | --- | ---
Type * | All | TCP/UDP; Application; SSL VPN | Import record (row) type
Service Name * | All | text | Name of the service. Application record label: App Name
Local IP | TCP/UDP* | IPv4 local address | The local IP address of this service. Must be on the Class A 127 network.
TCP Ports | TCP/UDP, SSL VPN | Port value | The service TCP ports. Either: one or more port numbers separated by space or comma; one port range with 1-500 ports; or one port mapping. For TCP/UDP services, if a value is specified for both TCP Ports and UDP Ports, the values must match exactly. For both types of services, a port value is required for at least one of TCP Ports and UDP Ports. TCP/UDP Service record labels: Port(s) + Protocol
UDP Ports | TCP/UDP, SSL VPN | Port value | The service UDP ports. Either: one or more port numbers separated by space or comma; one port range with 1-500 ports; or one port mapping. For TCP/UDP services, if a value is specified for both TCP Ports and UDP Ports, the values must match exactly. For both types of services, a port value is required for at least one of TCP Ports and UDP Ports. TCP/UDP Service record labels: Port(s) + Protocol
Description | All | Text | Service description. TCP/UDP Service record label: Comments
Enabled | TCP/UDP*, SSL VPN* | t = enabled; f = disabled (do not use uppercase 'T' or 'F') | Disable the Service globally; or enable, subject to policy
Show in Column | TCP/UDP* | t = enabled; f = disabled (do not use uppercase 'T' or 'F') | Access page display mode
Application Protocol | TCP/UDP* | ICA; RDP; VNC | Service application protocol. In contrast to the GUI, Disabled, Console, and Web Portal are not used here. A Web Portal is specified by the presence of an address in the Web Portal Launch URL field.
Web Portal Launch URL | TCP/UDP: Web Portal | Mapped URL | Use the following form: http[s]://<Local IP>:<First Port>/[path, if any]. The target address is specified by the Device using the Portal. A target DNS address for the portal can be identified by the Host Header (and Aliases, if applicable).
Launch Path | Application* | Path | Location of the remote application used in application publishing. Applicable only to targets running Microsoft Terminal Services.
Client Application | TCP/UDP | Path | Location of the local application that is launched when the service is initiated.
Host Header | TCP/UDP: Web Portal | FQDN | Specify the FQDN of the target website in this field. Per HTTP 1.1, if the Web Portal resides on a single IP address which hosts several websites (such as Apache NameVirtualHost or IIS Host Header Access), this setting is used to identify the correct website target. Note: If Web Portal Launch URL is empty, this field does not populate.
Aliases | TCP/UDP: Web Portal | text | If the target web portal is referred to by several different names, enter those names here. Example: If Host Header contains "www.example.com", while some links on that portal page point to "example.com" and "someserver.example.com", enter "example.com" and "someserver.example.com" here (without quotes, separated by space or comma) so that requests to that site are handled successfully. Note: If Web Portal Launch URL is empty, this field does not populate.
Hide Web Portal | TCP/UDP: Web Portal | t = enabled; f = disabled (do not use uppercase 'T' or 'F') | If this portal is not intended to be user-facing (for example, for a graphics file server), select this checkbox so as not to display an access link for the user on the Access page. TCP/UDP Service record: Hide From User

Roles
In Users > Import/Export Roles, you can download a sample file and can populate it according to the
specification in Table 12. In Record Type, * = required. This import allows you to create new roles.
You are not limited to the set of preconfigured roles ("Auditor" through "User/Group Manager").

CSV File Column Label | Permitted Values | Description / Notes
--- | --- | ---
Type | role | Import record (row) type
Role Name | text* | Name of the Role
Description | text | Role description or other information
Role Privileges | text | Role privileges (not case-sensitive). The list of valid role privilege names can be retrieved from the Manage Roles page in the GUI. Multiple privileges are separated by a pipe character.


User Groups and Users

In Users > Import/Export Users, you can download a sample file and populate it according to the specification in the following table. In Record Type, * = required for that type of record (User or User Group).
In the field "Roles", do not assign any User solely the role "Password Manager". That role does not contain sufficient privileges for CA Privileged Access Manager access. Instead, when you intend to allow only password management privileges, add the role "Standard User" with Password Manager. Standard User is the default role populated in a newly created CA Privileged Access Manager User template.
The following GUI record fields are not currently supported in User / User Group file imports:
User: Keyboard Layout (Required field in record. GUI default value: AUTO = read from keyboard)
User: RDP Username
User: Mainframe Display Name
User Group: SAML Attribute
User Group: Users (not needed: Group membership is specified by User records)

CSV File Column Label | Record Type | Permitted Values | Description / Notes
--- | --- | --- | ---
Type | U*, UG* | user; user group | Import record (row) type
UserName | U*, UG* | text | User ID for login (User record label: Username); or User Group ID (User Group record label: Groupname); or LDAP: DN
ShortName | E | CN |
First Name | U* | text | User's first name. User record label: Firstname
Last Name | U* | text | User's last name. User record label: Lastname
Password | U* | text | User password. Note: The users are forced to change their passwords at first login.
Password Set Time | E | Unix timestamp |
Phone | U | text | User telephone number
Cell Phone | U | text | User mobile telephone number
Email | U* | text | Valid email address. User record label: email
Description | U, UG | text | User or User Group description or other information
Active Flag | U | f = Disabled; t = Enabled (do not use uppercase 'F' and 'T'). GUI default value: f | Note: This field is not related to GUI field "Activate Account". User record label: Account Status
Activation Time | U | Unix timestamp. GUI default value: 0 | Account activation date. If empty, the account will be activated after import. User record fields: Activate Account=Later (default=Now) triggers display of: Account Activation (= CSV label "Activation Time")
Last Activation Time | E | Unix timestamp |
Account Disabled Time | E | Unix timestamp |
Expiration Time | U | Unix timestamp. GUI default value: 0 | Account expiration date. If empty, the account never expires. User record label: Account Expiration
Authentication | U, UG | ldap; local; radius. GUI default value: local | User or User Group Authentication type
Email on Login Contact | U | text | Send notification to this email address upon login by this user. User record label: Email on Login
Email Self on Login Flag | U | f = Disabled; t = Enabled (do not use uppercase 'F' and 'T'). GUI default value: f | Send notification to this user by email upon their login. User record label: Email Self on Login
Terminate Session on Deactivation Flag | U | f = Disabled; t = Enabled (do not use uppercase 'F' and 'T'). GUI default value: f | User record label: Terminate session upon deactivation
Access Times | U, UG | Each entry takes the form: day=SMTWTFS timeFrom=(minutes from midnight at start) timeTo=(minutes from midnight at end), where in day= each day used is "1" and each day not used is "0" | Example: day=0111110 timeFrom=480 timeTo=1080 means "Monday through Friday, from 8:00 AM to 6:00 PM". User record label: Access Time: Access Days + From (time) + To (time)
Group Membership | U | text | (Series of) Groupnames that the user is a member of, where each pair of Groupnames is separated by a pipe character
Applet Message | UG | f = Disabled; t = Enabled (do not use uppercase 'F' and 'T'). GUI default value: f | Enable/Disable the Global Settings: Warnings: Show Recording Warning to this group. User Group record label: Applet Recording Warning
Provision Type | E | ldap; local; radius | Source of record
Roles | U, UG | Syntax: In the CSV cell, the string shown without quotes, either with value substitutions as shown, or without one or more values: "roleName=roleName roleUserGroups=roleUserGroups roleDeviceGroups=roleDeviceGroups". Adjacent role specifications are separated by a comma. roleName = choose from the built-in and administrator-defined Access roles (GUI default value: "Standard User"); roleUserGroups = ; roleDeviceGroups = | Examples: (1) roleName=Auditor roleUserGroups= roleDeviceGroups= (2) roleName=Global Administrator roleUserGroups=ALL roleDeviceGroups=ALL. User / User Group record label: Available Roles
User Principle Name | E | | Extracted from LDAP record (where applicable)
PA Group Membership | U | text (matching existing name) | Identifies existing (as of the earlier line item) Password Management (PM) groups of which the UserName is a member. Each pair of Groupnames is separated by a pipe character
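As an added example (not part of the CA documentation), the following Python script builds a Users import file from the column labels in the table above: User Group rows are written before User rows, required fields and lowercase t/f flags are checked, commas are rejected in field content, and the Access Times and Roles cells are encoded from structured input. The column subset, the group and user names, and the helper names are assumptions.

```python
import csv
import io

# Subset of the CSV File Column Labels from the User Groups and Users table.
COLUMNS = ["Type", "UserName", "First Name", "Last Name", "Password", "Email",
           "Description", "Active Flag", "Authentication", "Access Times",
           "Group Membership", "Roles"]
REQUIRED_USER = ["UserName", "First Name", "Last Name", "Password", "Email"]
REQUIRED_GROUP = ["UserName"]
# day=SMTWTFS: one digit per weekday, Sunday first.
DAY_INDEX = {"Sun": 0, "Mon": 1, "Tue": 2, "Wed": 3, "Thu": 4, "Fri": 5, "Sat": 6}
VALID_AUTH = {"ldap", "local", "radius"}


def minutes_from_midnight(hhmm):
    """'08:00' -> 480. Accepts 00:00 through 24:00."""
    hours, mins = (int(part) for part in hhmm.split(":"))
    total = hours * 60 + mins
    if not (0 <= mins < 60 and 0 <= total <= 1440):
        raise ValueError("time out of range: %s" % hhmm)
    return total


def encode_access_time(days, time_from, time_to):
    """Build one Access Times entry such as 'day=0111110 timeFrom=480 timeTo=1080'.
    days: iterable of 'Sun'..'Sat'; times: 'HH:MM' on a 24-hour clock."""
    start, end = minutes_from_midnight(time_from), minutes_from_midnight(time_to)
    if start >= end:
        raise ValueError("timeFrom must be earlier than timeTo")
    bits = ["0"] * 7
    for day in days:
        bits[DAY_INDEX[day]] = "1"          # KeyError for a misspelled day name
    return "day=%s timeFrom=%d timeTo=%d" % ("".join(bits), start, end)


def encode_roles(roles):
    """roles: list of (roleName, roleUserGroups, roleDeviceGroups) tuples.
    Adjacent role specifications are separated by a comma, so a multi-role
    cell is quoted by the csv writer (assumption: the importer accepts
    standard CSV quoting for this cell)."""
    return ",".join("roleName=%s roleUserGroups=%s roleDeviceGroups=%s" % role
                    for role in roles)


def role_names(roles_cell):
    """Extract the roleName values from an encoded Roles cell."""
    names = []
    for spec in roles_cell.split(","):
        spec = spec.strip()
        if spec.startswith("roleName="):
            names.append(spec[len("roleName="):].split(" roleUserGroups=")[0])
    return names


def only_password_manager(roles_cell):
    """True when the Roles cell grants nothing but 'Password Manager', which
    the documentation says is insufficient for CA PAM access."""
    names = role_names(roles_cell)
    return bool(names) and all(name == "Password Manager" for name in names)


def flag(value):
    """Boolean cells take lowercase t / f; uppercase 'T' / 'F' is rejected."""
    return "t" if value else "f"


def check_record(record, required):
    for column in required:
        if not record.get(column):
            raise ValueError("missing required field %r for %r"
                             % (column, record.get("UserName")))
    for column, value in record.items():
        if column != "Roles" and "," in value:
            raise ValueError("comma is the field separator; not allowed in %r" % column)
        if column == "Active Flag" and value not in ("", "t", "f"):
            raise ValueError("Active Flag must be lowercase t or f")
        if column == "Authentication" and value not in VALID_AUTH | {""}:
            raise ValueError("Authentication must be ldap, local or radius")
    if only_password_manager(record.get("Roles", "")):
        raise ValueError("%r: add Standard User alongside Password Manager"
                         % record.get("UserName"))


def build_users_csv(groups, users):
    """Return the import file text. All User Group rows precede User rows,
    as the import order rules require. groups/users: dicts keyed by label."""
    rows = []
    for kind, records, required in (("user group", groups, REQUIRED_GROUP),
                                    ("user", users, REQUIRED_USER)):
        for source in records:
            record = {column: "" for column in COLUMNS}
            record.update(source)
            record["Type"] = kind
            check_record(record, required)
            rows.append(record)
    buffer = io.StringIO()
    writer = csv.DictWriter(buffer, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buffer.getvalue()


# Constructed sample input (hypothetical group and user).
SAMPLE_GROUPS = [{"UserName": "dba-team", "Description": "Database administrators",
                  "Authentication": "local"}]
SAMPLE_USERS = [{"UserName": "jdoe", "First Name": "Jane", "Last Name": "Doe",
                 "Password": "ChangeMe-1", "Email": "jdoe@example.com",
                 "Active Flag": flag(True), "Authentication": "local",
                 "Access Times": encode_access_time(["Mon", "Tue", "Wed", "Thu", "Fri"],
                                                    "08:00", "18:00"),
                 "Group Membership": "dba-team",
                 "Roles": encode_roles([("Standard User", "", "")])}]

if __name__ == "__main__":
    print(build_users_csv(SAMPLE_GROUPS, SAMPLE_USERS), end="")
```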

Device Groups and Devices

In Devices > Import/Export Devices, you can download a sample file and populate it according to the specification in the following table. In Record Type, * = required for that type of record (Device or Device Group).

CSV File Column Label | Record Type | Permitted Values | Description / Notes
--- | --- | --- | ---
Type | D*, DG* | device; device group | Import record (row) type
DeviceName | D*, DG* | text | Name of the Device or Device Group. Device Group record label: Group Name
Group Membership | D | text | Groups that the Device is a member of, separated by a pipe character. Device record label: Available Groups
Address | D* | IP address or FQDN | Network location
Special Type Flag | D | f = Disabled; t = Enabled (do not use uppercase 'F' and 'T'). GUI default value: f | Flag to use terminal customization settings: Special Type Type through Special Type Ports. If this is a Power, Console, or KVM device, enter: 't' ("true")
Special Type Type | D | Enumerated values (see GUI list), for example: NETKVM1/8; XControl XC412M; Tripp-Lite PDU (and numerous others) | Specify one of the CA Privileged Access Manager-registered Special Device types. See GUI for listing.
Special Type Login | D | text | Special Type device login username
Special Type Password | D | text | Special Type device login password
Special Type Protocol | D | text | Special Type device protocol (Telnet, SSHV1, for example). Must match one of the allowed values for Type.
Special Type Ports | D | text | Special Type Device port or ports
Operating System | D | Enumerated options: AIX; BeOS; FreeBSD; HP-UX; Linux; NetBSD; OpenBSD; Other; Solaris; Embedded OS; IBM AS 400; Mac OS 9; Mac OS X; IBM Mainframe; SCO UNIX; Windows 2008; Windows Vista; Windows 7; Windows Desktop | Operating system of Device (does not currently allow custom options)
Location | D | text | Device location (description)
FTP Mode | D | 1 |
Description | D, DG | text | Device or Device Group description or other information
Access Methods | D | Use the following template per Access Method: 'name=Name custom_name=CustomName port=Port property=Property'. Name options: VNC Telnet SSH Serial Power RDP KVM. Name extra options if mainframe licensing is enabled: TN3270 TN3270SSL TN5250 TN5250SSL. CustomName options: (any string; optional). Port options: one port (only), 0-65535; for VNC: port= (empty), or 0 if disabled. Property options: (empty); NULL. Separate any multiple Access Methods by a pipe character |
Access Methods | DG | VNC Telnet SSH SSH2Telnet Serial Power RDP KVM | Access Method category (no specific access information)
Services | D, DG | Custom Services, and Built-in Services: sftpftp; sftpftpemb; sftpsftp; sftpsftpemb; TSWEB | Specify CA Privileged Access Manager built-in or custom Services. Separate any multiple Services by a pipe character
OOB Serial Host Flag | D | f = do not use settings; t = use settings (do not use uppercase 'F' and 'T'). GUI default value: f | Flag to use Out-of-Band Serial Device settings: OOB Serial Host through OOB Serial Port
OOB Serial Host | D | Text | Out-of-Band Serial device name
OOB Serial Port | D | Text | Out-of-Band Serial device port
OOB KVM Host Flag | D | f = do not use settings; t = use settings (do not use uppercase 'F' and 'T'). GUI default value: f | Flag to use Out-of-Band KVM Device settings: OOB KVM Host through OOB KVM Port
OOB KVM Host | D | text | Out-of-Band KVM device name
OOB KVM Port | D | text | Out-of-Band KVM device port
Power | D | |
Term Type | D | ansi; ibm; scoansi; vt100; vt220; vt320; xterm | Specify one terminal type
Term Key Mapping | D | puttyDefault.conf; AT386.conf; vt320.conf | Specify one from allowed values
Term Customization | D | 0 = do not use settings; 1 = use settings | Flag to use terminal customization settings: Term Character Encoding through Term End Select
Term Character Encoding | D | UTF-8; ISO-8859-1 (many other options) | Terminal character encoding type. (See GUI for full list.)
Term Font Family | D | Monospaced; Courier; Courier New | Select one from allowed values
Term Font Size | D | 8 – 32 | Terminal font size
Term Cursor Foreground | D | RGB hex triplet, e.g. #000000 (Black) | Cursor foreground color
Term Cursor Background | D | RGB hex triplet, e.g. #FFFFFF (White) | Cursor background color
Term Foreground Color | D | RGB hex triplet, e.g. #FFFFFF (White) | Foreground color
Term Background Color | D | RGB hex triplet, e.g. #000000 (Black) | Background color
Term Terminal Size | D | [width, height] in pixels, e.g. [80,24] | Terminal window size. Note: Include brackets in setting.
Term Buffer Size | D | integer | Buffer size in bytes
Term Scroll Position | D | left; right | Select one from allowed values
Term End Select | D | 0; 1 | Flag to use "End" to select
Device Monitor | D | |
Tags | D | text | Free-form text attributes (zero or more) can be assigned to any device. Embedded spaces are allowed. Separate each pair of tags by:
Type Access | D | f = False; t = True | Marker for an Access type Device
Type Password | D | f = False; t = True | Marker for a Password Management type Device
Type A2A | D | f = False; t = True | Marker for an A2A type Device
Target Server Description 1 | D | text | If Type Password = t, this option is available
Target Server Description 2 | D | text | If Type Password = t, this option is available
Request Client Description 1 | D | text | If Type A2A = t, this option is available
Request Client Description 2 | D | text | If Type A2A = t, this option is available
Request Client Active | D | f = False; t = True | If Type A2A = t, this option is available
Host Name Preserved | D | f = False; t = True | If Type A2A = t, this option is available
ProvisionType | | |
AlternateId | | |

Command Filter Lists

In Policy > Import/Export Command Filter Lists, you can download a sample file and populate it according to the specification in the following table. In Record Type, * = required.

CSV File Column Label | Record Type | Permitted Values | Description / Notes
--- | --- | --- | ---
Type | CL | command filter list | Import record (row) type. Important: CSV files with this type record must be imported only through the Policy > Import/Export Command Filter Lists page.
List Name | CL* | text | Command Filters Lists: List template field: Name
List Type | CL* | white = whitelist; black = blacklist | Definitions: Whitelist: list of commands a user can use; all other commands are prohibited. Blacklist: list of commands a user cannot use; all other commands are permitted.
Keyword | CL* | text | The command or command subset to be restricted. Multiple commands for the same list are designated by multiple CSV line items using the same List Name.
Alert | CL* | f = do not use alert; t = use alert | Flag to notify (immediately) the monitoring administrator of any use of this command.
Block | CL* | f = do not use block; t = use block | Flag to prevent (immediately) this command from being executed.
Regexp | CL* | f = do not use regexp; t = use regexp | Flag to apply the Keyword field as a regular expression to the command line for a match. If there is a match, apply any Alert or Block specified.
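As an added example (not from the CA documentation), the following Python code loads a Command Filter Lists import file in the format above and evaluates command lines against a named list, so an administrator can see what a list would alert on or block before importing it. The sample rows are constructed; the matching semantics are assumptions: a non-regexp Keyword is treated as a substring match, and a whitelist blocks any command that matches none of its Keywords.

```python
import csv
import io
import re

FLAGS = {"t": True, "f": False}

# Constructed sample import file using the column labels from the table above.
SAMPLE_CFL_CSV = """Type,List Name,List Type,Keyword,Alert,Block,Regexp
command filter list,prod-shell,black,shutdown,t,t,f
command filter list,prod-shell,black,^\\s*(sudo\\s+)?(reboot|halt)\\b,t,t,t
command filter list,prod-shell,black,passwd,t,f,f
command filter list,backup-only,white,^tar\\b,f,f,t
command filter list,backup-only,white,^ls\\b,f,f,t
"""


def parse_flag(value, column):
    """Flags are lowercase t / f only; uppercase 'T' / 'F' is not permitted."""
    if value not in FLAGS:
        raise ValueError("column %s: expected 't' or 'f', got %r" % (column, value))
    return FLAGS[value]


def load_filter_lists(text):
    """Group rows by List Name. Every row of a list must share its List Type."""
    lists = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Type"] != "command filter list":
            raise ValueError("unexpected record type %r" % row["Type"])
        if row["List Type"] not in ("white", "black"):
            raise ValueError("List Type must be white or black, got %r" % row["List Type"])
        entry = {
            "keyword": row["Keyword"],
            "alert": parse_flag(row["Alert"], "Alert"),
            "block": parse_flag(row["Block"], "Block"),
            "regexp": parse_flag(row["Regexp"], "Regexp"),
        }
        if entry["regexp"]:
            entry["pattern"] = re.compile(entry["keyword"])   # re.error on a bad pattern
        current = lists.setdefault(row["List Name"],
                                   {"type": row["List Type"], "entries": []})
        if current["type"] != row["List Type"]:
            raise ValueError("list %r mixes whitelist and blacklist rows" % row["List Name"])
        current["entries"].append(entry)
    return lists


def entry_matches(entry, command):
    if entry["regexp"]:
        return entry["pattern"].search(command) is not None
    return entry["keyword"] in command      # assumption: plain keyword = substring match


def evaluate(lists, list_name, command):
    """Decide what the named list does with one command line.
    Returns {'block': bool, 'alert': bool, 'matched': [keywords]}."""
    filter_list = lists[list_name]
    hits = [entry for entry in filter_list["entries"] if entry_matches(entry, command)]
    matched = [entry["keyword"] for entry in hits]
    if filter_list["type"] == "black":
        return {"block": any(entry["block"] for entry in hits),
                "alert": any(entry["alert"] for entry in hits),
                "matched": matched}
    # Whitelist: a command that matches no Keyword is prohibited (assumption:
    # treated as block); a listed command is subject to its own Alert/Block flags.
    return {"block": not hits or any(entry["block"] for entry in hits),
            "alert": any(entry["alert"] for entry in hits),
            "matched": matched}


def review(lists, list_name, commands):
    """Dry-run a list over a batch of command lines before importing it."""
    return {command: evaluate(lists, list_name, command) for command in commands}


if __name__ == "__main__":
    loaded = load_filter_lists(SAMPLE_CFL_CSV)
    for command, verdict in review(loaded, "prod-shell",
                                   ["sudo reboot", "passwd jdoe", "uptime"]).items():
        print("%-14s block=%-5s alert=%-5s matched=%s"
              % (command, verdict["block"], verdict["alert"], verdict["matched"]))
```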

Socket Filter Lists

In Policy > Import/Export Socket Filter Lists, you can download a sample file and populate it according to the specification in the following table. In Record Type, * = required.

CSV File Column Label | Record Type | Permitted Values | Description / Notes
--- | --- | --- | ---
Type | SL | command filter list | Import record (row) type. Important: CSV files with this type record must be imported only through the Policy > Import/Export Socket Filter Lists page.
List Name | SL* | text | Socket Filters Lists: List template field: Name
List Type | SL* | white = whitelist; black = blacklist | Definitions: Whitelist: list of sockets (address-and-port combinations) a user can use; all other sockets are prohibited. Blacklist: list of sockets a user cannot use; all other sockets are permitted.
IP Address | SL* | IPv4 dotted-quad address, e.g. 192.0.2.1 | The command or command subset to be restricted. Multiple commands for the same list are designated by multiple CSV line items using the same List Name.
Port | SL* | One or more port numbers (comma or space separated), or one port range | Socket to which whitelist or blacklist designation is assigned. Multiple sockets for the same list are designated by multiple CSV line items using the same List Name.


Policy
In Policy > Import/Export Policy, you can download a sample file and populate it according to the specification in the following table. In Record Type, * = required.

CSV File Column Label | Record Type | Permitted Values | Description / Notes
--- | --- | --- | ---
Type | P* | policy | Import record (row) type
User | P* | text | Username or (User Group:) Groupname of the User-Device pair
Device | P* | text | Device Name or (Device Group:) Group Name of the User-Device pair
Services | P | Custom Services (text), or Built-in Services: sftpftp; sftpftpemb; sftpsftp; sftpsftpemb; TSWEB | Specify CA Privileged Access Manager built-in or custom Services. Separate any multiple Services by a pipe character
SSL VPN Services | P | text | Specify CA Privileged Access Manager custom SSL VPN Services. Separate any multiple Services by a pipe character
Applets | P | Use the following template per Access Method applet: 'name=Name custom_name=CustomName'. Name options: VNC Telnet SSH Serial Power RDP KVM. Name more options if mainframe licensing is enabled: TN3270 TN3270SSL TN5250 TN5250SSL. CustomName options: (empty); or any string. Separate any multiple applets (Access Methods) by a pipe character |
Command Filter | P | text | If this policy uses one or more Command Filter Lists, enter them by name; otherwise, leave blank. If used, make sure the CFLs are defined (import the CFL CSV file) first. Note: Ensure that filters are imported before policy.
Socket Filter | P | text | If this policy uses one or more Socket Filter Lists, enter them by name; otherwise, leave blank. If used, make sure the SFLs are defined (import the SFL CSV file) first. Note: Ensure that filters are imported before policy.
Restrict login if agent is not running | P | t = true; f = false (do not use uppercase 'T' or 'F') | Note: Only used for applets that rely on this switch: RDP, VNC, and ICA.
Graphical Recording | P | t = true; f = false (do not use uppercase 'T' or 'F') | When 'true', CA Privileged Access Manager performs graphical recording of every RDP or VNC session between this User(Group)-Device(Group) pair.
Command Line Recording | P | t = true; f = false (do not use uppercase 'T' or 'F') | When 'true', CA Privileged Access Manager performs command line recording of every CLI-based session between this User(Group)-Device(Group) pair.
Bidirectional Recording | P | t = true; f = false (do not use uppercase 'T' or 'F') | When 'true' (and when Command Line Recording is 'true'), CA Privileged Access Manager records both the User and Device input for every CLI-based session between this User(Group)-Device(Group) pair. (Otherwise, only User input is recorded.)
Web Portal Recording | P | t = true; f = false (do not use uppercase 'T' or 'F') | When 'true', CA Privileged Access Manager performs graphical recording of every web portal session between this User(Group)-Device(Group) pair.
Targets | P | |


Data Formats
The content in this section describes data formats used by CA Privileged Access Manager.

Multi-Byte Character Support

Managed Object Names
Username in a User record that inherits from Import LDAP Users
Groupname in a User Group record
Device Name in a Device record
Group Name in a Device Group record
Application Name in a Target Application record
Account Name in a Target Account record

Message Templates
License acceptance (at Login) – configured in Show License Warning in Global Settings
Session recording warning – configured in Show Recording Warning in Global Settings
Blacklist violation – configured in Blacklist Violation Message in Policies > Manage Policies: Manage Filters > Command Filter Config
Whitelist violation – configured in Whitelist Violation Message in Policies > Manage Policies: Manage Filters > Command Filter Config

Port Numbers
General Syntax
Use the following conventions to represent port values when populating CA Privileged Access Manager GUI fields:

All ports (or, where the port number is not relevant):
*, all, or ALL = ("is equivalent to") Ports 1 through 65535, inclusive

Specific ports (a sequence of one or more port numbers delimited by spaces or commas):
X Y = Ports X and Y [and Z [...]]
Example: 2 3 18 39230 = Ports 2, 3, 18, and 39230

Port Forwarding (Port Mapping):
X:Y = (Remote) port X is mapped (or forwarded) to (local) port Y
Example: 345:1223 = Port 345 is forwarded to port 1223

Port Range:
X-Y = Ports X through Y, inclusive
Example: 6-10 = Ports 6, 7, 8, 9, and 10

NOT PERMITTED
Combination syntax cases such as the following examples have undefined values and, thus, are not permitted in CA Privileged Access Manager GUI fields:
X-Y:U-V does not mean: Port X through Y -onto- port U through V
X:Y U:V does not mean: Port X onto Y -and- port U onto V
Thus, the X-Y-U-V combinations shown above must not be used.

Rules for Specific Interfaces

Access page connection-method links:
Pop-up window: Application path specification field, ports as specified in Service Definition

Global Settings editing fields:
Access Methods: Each field: One port only ● No Range, No Mapping

Services > TCP/UDP Services editing fields:
Basic Info: Specific ports -or- one Range, with 1-500 ports -or- one Mapping

Services > SSLVPN editing fields:
Basic Info: All ports -or- Specific ports -or- one Range, with 1-500 ports -or- one Mapping

Devices > Manage Devices editing fields:
Special Type: Specific ports -or- one Range, with 1-500 ports ● No Mapping
Access Methods: One port only ● No Range, No Mapping

Policies > Manage Policies: Manage Filters > Socket Filter Config editing fields:
One port only ● No Range, No Mapping

Policies > Manage Policies: Manage Filters > Socket Filter Lists editing fields:
All ports -or- Specific ports -or- One Range ● No Mapping
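As an added example (not from the CA documentation), the following Python parser classifies a port value under the general syntax above (all ports, specific ports, one mapping, one range), rejects the combinations marked NOT PERMITTED, and then applies the per-interface rules just listed. The interface names used as dictionary keys are assumptions.

```python
import re

MAX_PORT = 65535
ALL_PORTS = {"*", "all", "ALL"}      # all equivalent to ports 1 through 65535

# Per-interface rules from "Rules for Specific Interfaces" (keys are assumed names).
# specific: max number of listed ports (None = no limit); range: max ports in a
# range (None = no limit, False = not allowed); all / mapping: allowed or not.
INTERFACE_RULES = {
    "global_access_method": {"all": False, "specific": 1,    "range": False, "mapping": False},
    "tcp_udp_service":      {"all": False, "specific": None, "range": 500,   "mapping": True},
    "sslvpn_service":       {"all": True,  "specific": None, "range": 500,   "mapping": True},
    "device_special_type":  {"all": False, "specific": None, "range": 500,   "mapping": False},
    "device_access_method": {"all": False, "specific": 1,    "range": False, "mapping": False},
    "socket_filter_config": {"all": False, "specific": 1,    "range": False, "mapping": False},
    "socket_filter_list":   {"all": True,  "specific": None, "range": None,  "mapping": False},
}


def _port(text):
    """Ports 1-65535; the VNC 'port=0 if disabled' device case is not handled here."""
    value = int(text)
    if not 1 <= value <= MAX_PORT:
        raise ValueError("port %d outside 1-%d" % (value, MAX_PORT))
    return value


def parse_port_spec(text):
    """Return (kind, value): ('all', (1, 65535)), ('specific', [ports]),
    ('range', (x, y)) or ('mapping', (remote, local)). Raises ValueError on
    the combinations the documentation marks NOT PERMITTED."""
    spec = text.strip()
    if spec in ALL_PORTS:
        return ("all", (1, MAX_PORT))
    tokens = [token for token in re.split(r"[ ,]+", spec) if token]
    if not tokens:
        raise ValueError("empty port value")
    if len(tokens) == 1:
        found = re.fullmatch(r"(\d+)-(\d+)", tokens[0])
        if found:
            low, high = _port(found.group(1)), _port(found.group(2))
            if low > high:
                raise ValueError("range %s is reversed" % spec)
            return ("range", (low, high))
        found = re.fullmatch(r"(\d+):(\d+)", tokens[0])
        if found:
            return ("mapping", (_port(found.group(1)), _port(found.group(2))))
    ports = []
    for token in tokens:
        if not token.isdigit():     # e.g. X-Y:U-V, or X:Y U:V (mapping mixed with others)
            raise ValueError("undefined combination or bad token %r in %r" % (token, text))
        ports.append(_port(token))
    return ("specific", ports)


def validate_for_interface(text, interface):
    """Parse the value and check it against one interface's rules."""
    rule = INTERFACE_RULES[interface]
    kind, value = parse_port_spec(text)
    if kind == "all" and not rule["all"]:
        raise ValueError("%s: all-ports value not allowed" % interface)
    if kind == "specific" and rule["specific"] is not None and len(value) > rule["specific"]:
        raise ValueError("%s: at most %d port(s)" % (interface, rule["specific"]))
    if kind == "range":
        if rule["range"] is False:
            raise ValueError("%s: ranges not allowed" % interface)
        size = value[1] - value[0] + 1
        if rule["range"] is not None and size > rule["range"]:
            raise ValueError("%s: range covers %d ports, limit %d"
                             % (interface, size, rule["range"]))
    if kind == "mapping" and not rule["mapping"]:
        raise ValueError("%s: port mapping not allowed" % interface)
    return kind, value


def is_valid(text, interface):
    try:
        validate_for_interface(text, interface)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value, interface in [("2 3 18 39230", "sslvpn_service"), ("345:1223", "tcp_udp_service"),
                             ("6-10", "device_special_type"), ("1-5:10-20", "sslvpn_service"),
                             ("ALL", "tcp_udp_service")]:
        print("%-12s %-22s %s" % (value, interface, is_valid(value, interface)))
```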

Session Recording File Names

The session recording files on a storage share are named according to the following format: H-NT.ext

Where ... | Example
--- | ---
H = CA Privileged Access Manager Hostname | capam123
N = (Pseudorandom) ID number | 8732209813
T = Start Time of Recording: YYYYMMDDHHMMSSXXX | 20120125145538987
ext = File Type Extension: for a CLI session recording: txt; for an RDP session recording: gsr; for a VNC session recording: vsr |

"XXX" represents the millisecond resolution of the start time. If there is a collision with an existing file, this number is incremented by 1 until an available filename is found.

For example, the file name capam123-873220981320120125145538987.txt identifies a CLI recording file for appliance host capam123 that was assigned ID number 8732209813 and is timestamped January 25, 2012 at 2:55:38.987 PM.
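As an added example (not from the CA documentation), the following Python code parses a recording file name of the H-NT.ext form into its hostname, ID number, start time and session type, builds names the same way (resolving a collision by incrementing the timestamp number by one until the name is free), and summarises a share listing. The sample listing is constructed around the documented example name.

```python
import re
from datetime import datetime

EXT_TO_TYPE = {"txt": "CLI", "gsr": "RDP", "vsr": "VNC"}
TYPE_TO_EXT = {session: ext for ext, session in EXT_TO_TYPE.items()}
# H-NT.ext: hostname, a hyphen, the ID digits immediately followed by the
# 17-digit start time YYYYMMDDHHMMSSXXX, and the extension. The two numbers
# are not separated, so the timestamp is taken as the last 17 digits.
NAME_RE = re.compile(r"^(?P<host>.+)-(?P<id>\d+)(?P<ts>\d{17})\.(?P<ext>txt|gsr|vsr)$")


def parse_recording_name(name):
    """Return {'host', 'id', 'start' (ISO 8601 with milliseconds), 'type'}."""
    found = NAME_RE.match(name)
    if not found:
        raise ValueError("not a session recording file name: %r" % name)
    start = datetime.strptime(found.group("ts"), "%Y%m%d%H%M%S%f")   # XXX -> microseconds
    return {
        "host": found.group("host"),
        "id": int(found.group("id")),
        "start": start.isoformat(timespec="milliseconds"),
        "type": EXT_TO_TYPE[found.group("ext")],
    }


def build_recording_name(host, rec_id, start_ts, session_type, existing=frozenset()):
    """Compose H-NT.ext from its parts. start_ts is the 17-digit start time.
    On a collision with a name in `existing`, the timestamp number is
    incremented by 1 until an unused name is found, as the documentation
    describes."""
    if not re.fullmatch(r"\d{17}", start_ts):
        raise ValueError("start time must be YYYYMMDDHHMMSSXXX")
    ext = TYPE_TO_EXT[session_type]
    ts = int(start_ts)
    name = "%s-%d%017d.%s" % (host, rec_id, ts, ext)
    while name in existing:
        ts += 1
        name = "%s-%d%017d.%s" % (host, rec_id, ts, ext)
    return name


def index_share(names):
    """Summarise a listing of a recording share: count per host and session type.
    Names that do not follow the convention are reported separately."""
    counts, rejected = {}, []
    for name in names:
        try:
            info = parse_recording_name(name)
        except ValueError:
            rejected.append(name)
            continue
        key = (info["host"], info["type"])
        counts[key] = counts.get(key, 0) + 1
    return counts, rejected


# Constructed listing built around the documented example name.
SAMPLE_SHARE = [
    "capam123-873220981320120125145538987.txt",
    "capam123-873220981320120125145538988.txt",   # collision successor
    "capam123-110045678920120125150102004.gsr",
    "notes.txt",
]

if __name__ == "__main__":
    print(parse_recording_name(SAMPLE_SHARE[0]))
    print(index_share(SAMPLE_SHARE))
```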


Default Settings
The content in this section describes values populated in the configurable settings when CA PAM
ships. All settings not listed (for example, within managed object templates) are unpopulated (empty)
or logically “off.”
Administration Menus (see page 97)
Credential Management Menus (see page 101)

Administration Menus
The following table provides a listing of menu elements, location (menu or pane), fields, values, and units.

Menu | Menu item -or- Pane | Field | Value | Units
--- | --- | --- | --- | ---
Access | | | |
Monitoring | DEPRECATED | | |
Global Settings | Basic Settings | Default Auth Method | Local |
Global Settings | Basic Settings | Default Page Size (Devices) | 30 | lines
Global Settings | Basic Settings | Login Timeout | 10 | minutes
Global Settings | Basic Settings | Applet Timeout | 10 | minutes
Global Settings | Basic Settings | Access Method Port Offset | 0 |
Global Settings | Basic Settings | Default Device Type: Access | [selected] |
Global Settings | Basic Settings | Default Device Type: Password Management | [available when licensed] |
Global Settings | Basic Settings | Default Device Type: A2A | [available when licensed] |
Global Settings | Passwords | Security Level | 0 – New Password |
Global Settings | Passwords | Min Length | 6 | characters
Global Settings | Passwords | Max Length | 14 | characters
Global Settings | Passwords | Change Interval | 0 | days
Global Settings | Passwords | History | 3 | passwords
Global Settings | Passwords | Failure Limit | 0 | password attempts
Global Settings | Passwords | Failure Counter Reset | 60 | minutes
Global Settings | Accounts | Disable Inactive After | 30 | days
Global Settings | Accounts | Remove Disabled After | 0 | days
Global Settings | Accounts | Forced Deactivation Alert | [empty] |
Global Settings | Access Methods: GUI | VNC [port] | [selected] 5900 |
Global Settings | Access Methods: GUI | RDP [port] | [selected] 3389 |
Global Settings | Access Methods: CLI | Telnet [port] | [selected] 23 |
Global Settings | Access Methods: CLI | SSH [port] | [selected] 22 |
Global Settings | Access Methods: Mainframe (when licensed) | TN3270 [port] | [selected] 23 |
Global Settings | Access Methods: Mainframe (when licensed) | TN5250 [port] | [selected] 23 |
Global Settings | Access Methods: Mainframe (when licensed) | TN3270SSL [port] | [selected] 23 |
Global Settings | Access Methods: Mainframe (when licensed) | TN5250SSL [port] | [selected] 992 |
Global Settings | Access Methods: OOB | Serial | [selected] |
Global Settings | Access Methods: OOB | Power | [selected] |
Global Settings | Access Methods: OOB | KVM | [selected] |
Global Settings | Warnings | Show License Warning | [unselected] |
Global Settings | Warnings | (Login Page) | [empty] |
Global Settings | Warnings | User must accept license | [unselected] |
Global Settings | Warnings | Show Recording Warning | [unselected] |
Global Settings | Warnings | (Applet) Warning | … |
Global Settings | Terminal Customization | Character Encoding | UTF-8 |
Global Settings | Terminal Customization | Font Family | Monospaced |
Global Settings | Terminal Customization | Font Size | 11 |
Global Settings | Terminal Customization | Font Style | Plain |
Global Settings | Terminal Customization | Cursor Foreground | #33ff33 | RGB hex
Global Settings | Terminal Customization | Foreground Color | #ffffff | RGB hex
Global Settings | Terminal Customization | Background Color | #000000 | RGB hex
Global Settings | Terminal Customization | Terminal Size | [80, 24] | pixels wide, high
Global Settings | Terminal Customization | Buffer Size | 100 |
Global Settings | Terminal Customization | Scroll Position | Left |
Global Settings | Applet | Copy/Paste | Disable |
Global Settings | Applet | RDP Keyframes Duration | Small … |
Global Settings | Applet | RDP Drive Mapping | Disable |
Sessions | Manage Sessions | | |
Sessions | Logs | | |
Sessions | Session Recordings | | |
Services | Built-in services | | sftpftp; sftpftpemb; sftpsftp; sftpsftpemb; TSWEB |
Services | TCP/UDP Services [template] | Local IP | 127.0.0.1 |
Services | TCP/UDP Services [template] | Protocol | TCP |
Services | TCP/UDP Services [template] | Enable | [selected] |
Services | TCP/UDP Services [template] | Show in Column | [unselected] |
Services | TCP/UDP Services [template] | Application Protocol | Disabled |
Services | RDP Applications [template] | Enable | [selected] |
Services | SSL VPN Services [template] | Application Protocol | Disabled |
Services | Import/Export Services | | |
Users | Manage Users [template] | Keyboard Layout | AUTO |
Users | Manage Users [template] | Authentication | Local |
Users | Manage Users [template] | Account Status | Enabled |
Users | Manage Users [template] | Activate Account | Now |
Users | Manage Users [template] | Terminate Session Upon Deactivation | No |
Users | Manage Users [template] | Roles | Standard User |
Users | Manage Disabled Users | | |
Users | Manage Groups | Applet Recording Warning | No |
Users | Manage Groups | Authentication | Local |
Users | Manage Groups | Roles | Standard User |
Users | Import/Export Users | | |
Users | Approve CAC User | | |
Users | Manage Roles | Administrative Auditor | Deprecated Role |
Users | Manage Roles | Auditor | |
Users | Manage Roles | Autodiscovery | |
Users | Manage Roles | Configuration Manager | |
Users | Manage Roles | Delegated Administrator | |
Users | Manage Roles | Device/Group Manager | |
Users | Manage Roles | Global Administrator | |
Users | Manage Roles | Global Setter | |
Users | Manage Roles | Monitor | |
Users | Manage Roles | Operational Administrator | |
Users | Manage Roles | Password Manager | |
Users | Manage Roles | Policy Manager | |
Users | Manage Roles | Service Manager | |
Users | Manage Roles | Session Manager | |
Users | Manage Roles | Standard User | |
Users | Manage Roles | Troubleshooter | |
Users | Manage Roles | User/Group Manager | |
Users | Import/Export Roles | | |
Devices | Manage Devices [template] | Operating System | Linux |
Devices | Manage Devices [template] | Terminal: Term Type | vt100 |
Devices | Manage Devices [template] | Terminal: Key Mapping | xterm-vt220 |
Devices | Manage Groups | Group Type | Local |
Devices | Import/Export Devices | | |
Devices | Autodiscovery | | |
Devices | Power Hosts | | |
Devices | Console Servers | | |
Devices | Socket Filter Agent | | |
Devices | Tools | Networking Tools [Ports] | 1-65535 |
Devices | Tools | Timeout | 2 | minutes
Policy | Manage Policies | | |
Policy | Manage Passwords | | |
Policy | Import/Export Policy | | |
Policy | Import/Export Command Filter Lists | | |
Policy | Import/Export Socket Filter Lists | | |

Credential Management Menus

The following table provides a listing of menu elements, location (menu or pane), fields, values, and units.

Menu > Menu item -or- Pane > Field: Value Units
Dashboard
  View Dashboard
Reports
  Reports
    Account Requests
      Output Format: HTML
    Accounts with Expired Passwords
      Account Type: All
      Password State: All
    Administrative Activities
      Output Format: HTML
    Auto-Connect Requests
      Output Format: HTML
    Automatically Updated Expired Passwords
      Output Format: HTML
    Scheduled Jobs
      Output Format: HTML
    Update Account Passwords
      Output Format: HTML
    View Password Requests
      Output Format: HTML
Scheduled Jobs
  Scheduled Job List: Add
    Date/Time: [Current]
    Recurrence: None
    Command: scheduleReport
    Report Name: Account Requests
    Quick Dates: Today
    Start Date: [Current]
    End Date: [Current]
    Output Format: HTML
Targets
  Accounts
    Account List: Add
      Password View Policy: Default
      Maximum Password Age: Disabled
      Account Type: Privileged Account
  Applications
    Application List: Add
      Application Type: Generic
  Aliases
    Alias List
  Groups
    Group List
      Targets: [Present]
  Proxies
    Proxy List: Add
      Status: Inactive
  Scheduled Job Details
    Date/Time: Current date and time
    Command
    Account: Target Group
    Generate Password: Yes
    Use Same Password of All: Yes
Password Composition Policies
  Must Contain
    Upper Case Characters: [Selected]
    Lower Case Characters: [Selected]
    Numeric Characters: [Selected]
    Special Characters including: [editable enumeration:] !#$%()*+,-./:;=?@[\]^_`{|}~& [Selected]
  First Must Contain
    Upper Case Characters: [Selected]
    Lower Case Characters: [Selected]
    Numeric Characters: [Selected]
    Special Characters including: [editable enumeration:] !#$%()*+,-./:;=?@[\]^_`{|}~& [Selected]
  Must Contain
    Disallow Repeating Characters: [Unselected]
    Disallow Duplicate Characters: [Unselected]
    Characters to Exclude: [Unselected]
    Minimum Length: 4 characters
    Maximum Length: 16 characters
    Minimum Iterations Before Reuse: 0
    Minimum Days Before Reuse: 0 days
    Enable Maximum Password Age: [Unselected]
Workflow
  Password View Policies
    Requires Authentication: [Selected]
A2A
  Scripts
    Script Details
      Type: C
  Mappings
    Authorization Details
      Target: Alias
      Request: Client
      Script: Individual
  Request Groups
    Requestors: [Present]
  Patch Management
    Patch List: 4.2.2 … 4.5.0 [various] [Present]
Users
  User Groups
    Standard Users: [Present]
    System Admin Group: [Present]
  Roles
    Firecall Approver: [Present]
    Firecall AutoConnect: [Present]
    Firecall User: [Present]
    ReadOnly: [Present]
    RequestorAdmin: [Present]
    ScriptAuthorizationAdmin: [Present]
    Server Admin: [Present]
    System Admin: [Present]
    Target Admin: [Present]
    UserAdmin: [Present]
    ViewReports: [Present]
Settings
  General Settings
    Enable Static Groups: [Unselected]
    Refuse connections with Clients and Proxies not running in FIPS 140-2 Mode: [Unselected]
    Preserve Client/Proxy Host Names: [Unselected]
    Disable CLI Host Name Check: [Unselected]
    Allow Self Approval of Password View Request: [Selected]
    Maximum Number of Report Entries: 1000 entries
    Password View Request Delete Interval Days: 30 days
    Automatically Update Expired Passwords: [Unselected]
  A2A Settings
    Enable Hardware Fingerprinting: [Unselected]
    Check Execution ID: [Unselected]
    Check Execution Path: [Unselected]
    Check File Path: [Unselected]
    Perform Script Integrity Validation: [Unselected]
  Email Settings
    Account Name: [empty]
    Host Name: [empty]
    Server Port: 25
    One Click Approval Server Host Name: nightly-build.xceedium.com (http://nightly-build.xceedium.com)
    From E-mail Address: [empty]
    Request Subject: Password View Request for target account @TargetAccount.getUserName@
    Request Body: Do not reply to this email. A password view request has been submitted by user @User.getUserID@ to view the password for account @TargetAccount.getUserName@ of application @TargetApplication.getName@ on server @TargetServer.getHostName@. The password view request reason is @PasswordViewRequest.getReason@ (@PasswordViewRequest.getReasonDescription@). Please login to Password Authority system and manage this request.
    Request Status Update Subject: Password View Request Status for account @TargetAccount.getUserName@
    Request Status Update Body: Do not reply to this email. The status of your request to view password for the account @TargetAccount.getUserName@ of application @TargetApplication.getName@ in server @TargetServer.getHostName@ is: @PasswordViewRequest.getStatusString@.
    Password View Subject: Password of account @TargetAccount.getUserName@ has been accessed by @User.getUserID@.
    Password View Body: Do not reply to this email. The Password for the account @TargetAccount.getUserName@ of application @TargetApplication.getName@ on server @TargetServer.getHostName@ has been accessed by user @User.getUserID@.
    Expired Password View Request Subject: Password View Request for account @TargetAccount.getUserName@ requested by @User.getUserID@ has expired.
    Expired Password View Request Body: Do not reply to this email. The Password View Request for the account @TargetAccount.getUserName@ of application @TargetApplication.getName@ on server @TargetServer.getHostName@ requested by user @User.getUserID@ has expired.
    One Click Approval Subject: Password View Request for target account @TargetAccount.getUserName@
    One Click Approval Body: Do not reply to this email. <br><br>A password view request has been submitted with the following details: <br>Requestor : @User.getUserID@<br> Requested Account: @TargetAccount.getUserName@<br> Requested Account Target Application Name: @TargetApplication.getName@ <br> Requested Account Target Server: @TargetServer.getHostName@<br> Request Reason: @PasswordViewRequest.getReason@ (@PasswordViewRequest.getReasonDescription@)<br>Start Date: @PasswordViewRequest.getStartDate@<br>End Date: @PasswordViewRequest.getEndDate@<br><br><a href='@PasswordViewRequestIdentifier.getApprovalUrl@'>Click here to Approve this Request</a><br><br><a href='@PasswordViewRequestIdentifier.getDenialUrl@'>Click here to Deny this Request</a>
    Report Results Subject: Report results for @reportName@
    Report Results Body: Do not reply to this email. The @reportName@ report has been run. The attached results encompass the period from @reportStartDate@ to @reportEndDate@.
  UI Settings
    Default Preferences
      List Page Size: 15
      Home Page: Dashboard
    Dashboard
    Skins/Themes
      Current Theme: CA PAM
  Disaster Recovery
    Enable Disaster Recovery Mode: [Unselected]

Import Export Provisioning


This section describes how to import and export data from CA Privileged Access Manager for the
purpose of provisioning.

File Imports
CA PAM-managed objects may be imported only from comma-separated value (CSV) files.

Currently, Credential Manager objects cannot be imported.

File Import Preparation


CSV files can be created in many text editors or spreadsheet programs and saved as plain text.
However, if you are handling characters that need appropriate character support – such as those
outside the ASCII character set and/or requiring UTF-8 support, for example, Cyrillic or Chinese – you
should confirm that your application supports that character set or your import may not work
properly. Note that your version of Microsoft Excel® or Google Drive for example, may or may not
have that support.

You may want to use the sample file (available on an Import/Export page) as a template and refer to
the information in the following tables to populate the fields.

File Import Process


When provisioning multiple CA PAM objects using CSV files, they should be imported in the following
order to handle attribute dependencies. Files may use any name, as long as they have been saved in
plain text and have file extension: .csv

CSV files must be imported through the matching import page (identified in the following table), as
object-specific error checking is performed. They cannot be successfully imported from other import
pages.

Managed objects in file: Import/Export page to use

Services: Services > Import/Export Services
Roles: Users > Import/Export Roles
User Groups, then Users*#: Users > Import/Export Users
Device Groups, then Devices*#: Devices > Import/Export Devices
Socket Filter Lists#: Policy > Import/Export Socket Filter Lists
Command Filter Lists#: Policy > Import/Export Command Filter Lists
Policies: Policy > Import/Export Policy

*All User Group records (rows) must be listed in a (Users-only) import file before all User records,
and all Device Group records (rows) must be listed in a (Devices-only) import file before all Device
records.

# UserGroups/Users files may be imported before or after DeviceGroups/Devices files, and Socket
Filter Lists files may be imported before or after Command Filter Lists files.

File Import Content Considerations


When importing files, consider the following:

The only (field) separator permitted in a CSV file is a comma, and thus a comma cannot be used in
field content.

Not all record content must be imported to create a record – the tables identify with asterisks *
which fields are required for particular record types.

The first line in each file is for column names, which are used to identify record fields during
import.

CSV file columns may be rearranged as long as the corresponding CSV File Column Labels are
preserved.

After performing an import, you can check the results (in sum) by clicking the Download CSV
Import Results link that appears after the import, below any error messages.

File Exports
Exported File Names and Types
Each exported file is downloaded with a timestamp in the file name according to the following
syntax:


objecttypeYYYYMMDDHHMMSS.csv

Example: devices20110715131849.csv

Exported File Content Considerations


When exporting files, consider the following:

Several informational fields are added to a User Groups/Users export file, and the export does not
preserve the import column arrangement (they are inserted between field columns). These
informational fields are identified in the tables by italic (oblique) names.

CA Privileged Access Manager does not display stored passwords in User record exports – each
cell in the Password column (which is used only for imports) is empty.

Transfers
CSV files are frequently used to transfer (export + import) from one CA Privileged Access Manager
appliance to another.

LDAP Users
LDAP user records draw data from two locations: fields from the LDAP source directory and any data
to CA PAM-specific fields the administrator may add after the LDAP import.

To perform an LDAP transfer, recreate a baseline LDAP import, and then “overlay” the CA PAM fields:

1. At the source CA PAM appliance, Export Users to a CSV file.

2. At the destination CA PAM appliance, Import LDAP Group from the source LDAP directory
(ies).

3. At the destination CA PAM appliance, Import Users with the CSV file obtained from the source
CA Privileged Access Manager.

Roles
In Users > Import/Export Roles, you can download a sample file and populate it according to the
specification in the following table.

In Record Type, * = required. Note that this import allows you to create new roles – you are not
limited to the set of preconfigured roles (“Auditor” through “User/Group Manager”).


CSV File Column Label, with Permitted Values and Description / Notes for each column:

Type
  Permitted Values: role
  Description / Notes: Import record (row) type
Role Name
  Permitted Values: text*
  Description / Notes: Name of the Role
Description
  Permitted Values: text
  Description / Notes: Role description or other information
Role Privileges
  Permitted Values: text
  Description / Notes: Role privileges (not case-sensitive). The list of valid role privilege names can be retrieved from the Manage Roles page in the GUI. Multiple privileges are separated by: | (pipe)

User Groups and Users


Import Users and User Groups from a specially formatted User Import CSV file using the controls from
the Users, Import/Export Users page in the GUI.
Export Users and User Groups to a CSV File. (see page 117)
Download a Sample Import CSV File (see page 117)
Add Users and User Groups to the Import CSV File (see page 118)
Import Users and User Groups (see page 122)

Export Users and User Groups to a CSV File.


You can export your existing Users and User Groups to a User Import CSV file.

Follow these steps:

1. Go to Users, Import/Export Users.

2. Select Export Users.

A CSV file of existing Users and User Groups is prepared and saved to your local drive. The default
filename is usersYYYYMMDDHHMMSS.csv

Download a Sample Import CSV File


To download a sample User Import CSV file, go to Users, Import/Export Users and select Download
Sample File.


Add Users and User Groups to the Import CSV File


To define Users and User Groups to import, add appropriate entries to the User Import CSV file.

Note: For Users provisioned in an external repository (for example, LDAP or AWS, or
VMware), do not modify any field that was sourced from the external repository. For
example, for LDAP users, do not change the User Principle Name (or other LDAP-sourced)
fields.

The following table describes the fields in the User Import CSV file.

How to read the table:

Bold text (aside from table column labels) indicates either literal values to be entered into fields
or literal values or legends that are displayed by the GUI or present in export files.

Table Columns:

CSV File Column Label

Rows are shown here in the same order as the columns in the sample file.

Column order is not recognized by import processing – only the items in CSV File Column
Labels are.

Italic text indicates columns that are generated solely for export files – they are not
required in files for import.

Ensure that all required columns (those with a * in the Record Type column) are included
in the CSV file.

Ensure that column headers are spelled as noted in CSV File Column Label or their values
will not be imported.

Ensure that there are no (embedded) blank columns.

Record Type= Type of import record:

U = for inclusion in imported User record

UG = for inclusion in imported User Group record


E = data provided by CA Privileged Access Manager in an exported file (and not required in
the import file)

* = Indicates that this field is required to create a record of this type. (This does not
identify what is necessary to function, however.)

Description

Where the label in a GUI User or User Group record differs from the corresponding
column name for the import file, that User or User Group record label is noted here.

CSV File Column Label, with Record Type, Permitted Values, and Description / Notes for each column:

Type
  Record Type: U* UG*
  Permitted Values: user, user group
  Description / Notes: Import record (row) type
UserName
  Record Type: U* UG*
  Permitted Values: text
  Description / Notes: User ID for login
    User record label: One of Username or User Group ID
    User Group record label: One of Groupname or LDAP: D
ShortName
  Record Type: E
  Description / Notes: CN
First Name
  Record Type: U*
  Permitted Values: text
  Description / Notes: User first name.
    User record label: Firstname
Last Name
  Record Type: U*
  Permitted Values: text
  Description / Notes: User last name.
    User record label: Lastname
Password
  Record Type: U*
  Permitted Values: text
  Description / Notes: Plain text User password.
    Note: Users are forced to change their passwords at firs
Password Set Time
  Record Type: E
  Permitted Values: Unix timestamp
Phone
  Record Type: U
  Permitted Values: text
  Description / Notes: User telephone number
Cell Phone
  Record Type: U
  Permitted Values: text
  Description / Notes: User mobile telephone number
Email
  Record Type: U*
  Permitted Values: text
  Description / Notes: Valid email address
    User record label: e-mail
Description
  Record Type: U UG
  Permitted Values: text
  Description / Notes: User or User Group description or other information
Active Flag
  Record Type: U
  Permitted Values: f = Disabled; t = Enabled (Do not use uppercase 'F' and 'T'). GUI default value: f
  Description / Notes: Note: This field is not related to GUI field "Activate Acco
Activation Time
  Record Type: U
  Permitted Values: Unix timestamp. GUI default value: 0
  Description / Notes: Account activation date. If empty, account will be activa
    User record fields: Activate Account=Later (default=Now
Last Activation Time
  Record Type: E
  Permitted Values: Unix timestamp
Account Disabled Time
  Record Type: E
  Permitted Values: Unix timestamp
Expiration Time
  Record Type: U
  Permitted Values: Unix timestamp. GUI default value: 0
  Description / Notes: Account expiration date. If empty, account never expire
Authentication
  Record Type: U UG
  Permitted Values: One of: local, ldap, radius, tacacs+. GUI default value: local
  Description / Notes: User or User Group Authentication type
Email on Login Contact
  Record Type: U
  Permitted Values: text
  Description / Notes: Send notification to this email address upon login by this
    User record label: Email on Login
Email Self on Login Flag
  Record Type: U
  Permitted Values: f = Disabled; t = Enabled (Do not use uppercase 'F' and 'T'). GUI default value: f
  Description / Notes: Send notification to this user by email upon their login.
    User record label: Email Self on Login
Terminate Session on Deactivation Flag
  Record Type: U
  Permitted Values: f = Disabled; t = Enabled (Do not use uppercase 'F' and 'T'). GUI default value: f
  Description / Notes: User record label: Terminate session upon deactivation
Access Times
  Record Type: U UG
  Description / Notes: Each entry takes the following form:
    day=SMTWTFS timeFrom=minutes timeTo=minutes
    SMTWTFS: Specifies the days of the week where access is permitted. Each day where access permitted is re
    timeFrom: Specifies the number of minutes from midnight the time when access should start.
    timeTo: Specifies the number of minutes from midnight to the time when access should end.
    Example: An entry of day=0111110 timeFrom=480 timeTo=1080 means "Monday through Friday
    User record label: Access Time : Access Days + From (time) + To (time)
Group Membership
  Record Type: U
  Permitted Values: text
  Description / Notes: User Group or User Groups of which the user is a memb
Applet Message
  Record Type: UG
  Permitted Values: f = Disabled; t = Enabled (Do not use uppercase 'F' and 'T'). GUI default value: f
  Description / Notes: Enable/Disable the Global Settings: Warnings: Show Rec
    User Group record label: Applet Recording Warning
Provision Type
  Record Type: E
  Permitted Values: One of: local, ldap, virtual, radius, pki, saml
  Description / Notes: Source of the User or User Group information. Do not ch
    For new Users, use local.
Roles
  Record Type: U UG
  Description / Notes: Syntax (in CSV cell, the string shown without quotes, either with value substitutions as shown, o
    "roleName=roleName roleUserGroups=roleUserGroups roleDeviceGroups=roleDeviceGroups".
    Separate adjacent role specifications with a comma.
    roleName = Choose from the built-in and administrator-defined Access roles. GUI default value:
    roleUserGroups =
    roleDeviceGroups =
    Examples:
    roleName=Auditor roleUserGroups= roleDeviceGroups=
    roleName=Global Administrator roleUserGroups=ALL roleDeviceGroups=ALL User / User Gro
Smart Button Group
  Record Type: N/A
  Permitted Values: N/A
  Description / Notes: Obsolete. Maintained for backward compatibility only.
User Principle Name
  Record Type: E
  Description / Notes: Extracted from LDAP record (where applicable)
PA Group Membership
  Record Type: U
  Permitted Values: text (matching existing name)
  Description / Notes: The names of Credential Manager User Groups of which
API Keys
  Record Type: U only
  Description / Notes: Each API Key cell has values that are represented by the following fields:
    name=apiKeyName
    isActive=[t|f]
    description=descriptionOfApiKey
    roles=rolename=rolename1OfApiKey1 [, rolename=rolename2OfApiKey1 [, …]]
    [#& rolename=rolename1OfApiKey1 [, rolename=rolename2OfApiKey1 [, …]] [ … ]]
    Delimited with:
    " before cell string
    , (space+comma) between each pair of roles in a key
    /; between each pair of fields in cell API Keys
    #& between each pair keys in field roles
    " after cell string
    EXAMPLE:
    "name=test123/;isActive=t/;description=Test 123. description./;roles=rol
    , roleName=Password Manager roleUserGroups=. roleDeviceGroups=#&name=tes
    description=Test 234. description./;roles=roleName=Service Manager roleU

Note: In the Roles field, do not assign any User solely the role “Password Manager”. That
role does not contain sufficient privileges for CA Privileged Access Manager access. Instead,
when you intend to allow only password management privileges, add the role “Standard
User” using Credential Manager. (Standard User is the default role populated in a newly
created CA Privileged Access Manager user template.)
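
As an added example (not CA's own code), the following Python builds a User Import CSV in the layout described above: it encodes the Access Times and Roles cells in the documented forms, keeps flags lowercase, and rejects records that lack a required column. The function names and the sample records are constructed for this example.

```python
"""Build a CA PAM User Import CSV from Python records (added example, not CA's
own tooling). Column labels, record types, the lowercase t/f rule and the
Access Times and Roles forms come from the table above; the function names
and SAMPLE_RECORDS are constructed here."""
import csv
import io
import re

# Labels must be spelled exactly as in the table; column order is free.
COLUMNS = ["Type", "UserName", "First Name", "Last Name", "Password", "Email",
           "Description", "Active Flag", "Authentication", "Access Times",
           "Group Membership", "Roles"]
# Columns the table marks with * for each record type (U = user, UG = user group).
REQUIRED = {"user": ("UserName", "First Name", "Last Name", "Password", "Email"),
            "user group": ("UserName",)}
AUTH_TYPES = {"local", "ldap", "radius", "tacacs+"}
DAY_NAMES = ("Sunday", "Monday", "Tuesday", "Wednesday",
             "Thursday", "Friday", "Saturday")          # the S M T W T F S bits
ACCESS_RE = re.compile(r"^day=([01]{7}) timeFrom=(\d+) timeTo=(\d+)$")


def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def access_times(days, start, end):
    """Encode one entry: days are 0..6 (0 = Sunday), start/end are "HH:MM"."""
    bits = "".join("1" if d in set(days) else "0" for d in range(7))
    t_from, t_to = _minutes(start), _minutes(end)
    if not 0 <= t_from < t_to <= 24 * 60:
        raise ValueError("timeFrom must be earlier than timeTo within one day")
    return f"day={bits} timeFrom={t_from} timeTo={t_to}"


def parse_access_times(entry):
    """Decode an entry into (day names, "HH:MM" from, "HH:MM" to)."""
    m = ACCESS_RE.match(entry)
    if not m:
        raise ValueError(f"malformed Access Times entry: {entry!r}")
    bits, t_from, t_to = m.group(1), int(m.group(2)), int(m.group(3))
    clock = lambda t: f"{t // 60:02d}:{t % 60:02d}"
    days = [DAY_NAMES[i] for i, bit in enumerate(bits) if bit == "1"]
    return days, clock(t_from), clock(t_to)


def role_spec(role_name, user_groups="", device_groups=""):
    """One Roles specification in the roleName=... form shown in the table."""
    return (f"roleName={role_name} roleUserGroups={user_groups} "
            f"roleDeviceGroups={device_groups}")


def flag(enabled):
    """Flags are lowercase t/f only; uppercase 'T'/'F' are not accepted."""
    return "t" if enabled else "f"


def validate(record):
    """Raise ValueError for a record that violates the documented rules."""
    kind = record.get("Type")
    if kind not in REQUIRED:
        raise ValueError(f"Type must be 'user' or 'user group', got {kind!r}")
    for col in REQUIRED[kind]:
        if not record.get(col):
            raise ValueError(f"{col!r} is required for a {kind} record")
    if record.get("Active Flag", "f") not in ("t", "f"):
        raise ValueError("Active Flag must be lowercase t or f")
    if record.get("Authentication", "local") not in AUTH_TYPES:
        raise ValueError(f"unknown Authentication {record['Authentication']!r}")
    if record.get("Access Times"):
        parse_access_times(record["Access Times"])    # raises if malformed
    return record


def build_users_csv(records):
    """Return CSV text; the writer quotes the Roles cell, which holds commas."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, restval="", lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow(validate(rec))
    return out.getvalue()


def parse_users_csv(text):
    """Read CSV text back into a list of row dicts (for checks after building)."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample data. The Password cell is plain text in the import file,
# so treat the generated file as sensitive and remove it after the import.
SAMPLE_RECORDS = [
    {"Type": "user group", "UserName": "NetworkOps", "Description": "Constructed example group"},
    {"Type": "user", "UserName": "jdoe", "First Name": "Jane", "Last Name": "Doe",
     "Password": "ChangeMe-Now-1", "Email": "jdoe@example.com",
     "Active Flag": flag(True), "Authentication": "local",
     "Access Times": access_times([1, 2, 3, 4, 5], "08:00", "18:00"),
     "Group Membership": "NetworkOps",
     "Roles": ", ".join([role_spec("Standard User"), role_spec("Auditor")])},
]
```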

Import Users and User Groups


You can import Users and User Groups from an appropriately formatted User Import CSV file,

Follow these steps:

1. Go to Users, Import/Export Users.

2. Select Browse, choose the file to import, and select Open in the File Upload dialog that
appears.

3. Select Import Users.

Device Groups and Devices


In Devices > Import/Export Devices, you can download a sample file and populate it as specified
in the following table. In Record Type, * = required for that type of record (Device or Device
Group).

CSV File Column Label, with Record Type, Permitted Values, and Description / Notes for each column:

Type
  Record Type: D* DG*
  Permitted Values: device, device group
  Description / Notes: Import record (row) type
DeviceName
  Record Type: D* DG*
  Permitted Values: text
  Description / Notes: Name of the Device or Device Group. Device Group record label: Group Name
Group Membership
  Record Type: D
  Permitted Values: text
  Description / Notes: Groups that the Device is member of, separated by: | (pipe). Device record label: Available Groups
Address
  Record Type: D*
  Permitted Values: IP address or FQDN
  Description / Notes: Network location
Special Type Flag
  Record Type: D
  Permitted Values: f = Disabled; t = Enabled (Do not use uppercase 'F' and 'T'). GUI default value: f
  Description / Notes: Flag to use terminal customization settings: Special Type Type through Special Type Ports. If this is a Power, Console, or KVM device, enter "t" ("true")
Special Type Type
  Record Type: D
  Permitted Values: Enumerated values (see GUI list), for example: NETKVM1/8, XControl XC412M, Tripp-Lite PDU (and numerous others)
  Description / Notes: Specify one of the CA PAM-registered Special Device types. See GUI for listing, or Administration Guide for additional information.
Special Type Login
  Record Type: D
  Permitted Values: text
  Description / Notes: Special Type device login username
Special Type Password
  Record Type: D
  Permitted Values: text
  Description / Notes: Special Type device login password
Special Type Protocol
  Record Type: D
  Permitted Values: text
  Description / Notes: Special Type device protocol (Telnet, SSHV1, for example). Must match one of the allowed values for Type.
Special Type Ports
  Record Type: D
  Permitted Values: text
  Description / Notes: Special Type Device port or ports
Operating System
  Record Type: D
  Permitted Values: Enumerated options (does not currently allow custom options): AIX, BeOS, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Other, Solaris, Embedded OS, IBM AS 400, Mac OS 9, Mac OS X, IBM Mainframe, SCO UNIX, Windows 2008, Windows Vista, Windows 7, Windows Desktop
  Description / Notes: Operating system of Device
Location
  Record Type: D
  Permitted Values: text
  Description / Notes: Device location (description)
FTP Mode
  Record Type: D
  Permitted Values: 1
Description
  Record Type: D DG
  Permitted Values: text
  Description / Notes: Device or Device Group description or other information
Access Methods
  Record Type: D
  Description / Notes: Use the following template per Access Method: 'name=Name custom_name=CustomName port=Port property=Property'
    Name options: VNC Telnet SSH Serial Power RDP KVM Embedded VNC
    Name additional options if mainframe licensing is enabled: TN3270 TN3270SSL TN5250 TN5250SSL
    CustomName options: (any string; optional)
    Port options: One port (only), 0-65535. For VNC: port= (empty); or 0 if disabled
    Property options: (empty); NULL
    Separate any multiple Access Methods by: | (pipe)
[no column label given]
  Record Type: D DG
  Permitted Values: VNC Telnet SSH Serial Power RDP KVM Embedded VNC
  Description / Notes: Access Method category (no specific access information)
Services
  Record Type: D DG
  Permitted Values: Custom Services, or Built-in Services: sftpftp, sftpftpemb, sftpsftp, sftpsftpemb, TSWEB
  Description / Notes: Specify CA PAM built-in or custom Services. Separate any multiple Services by: | (pipe)
OOB Serial Host Flag
  Record Type: D
  Permitted Values: f = do not use settings; t = use settings (Do not use uppercase 'F' and 'T'). GUI default value: f
  Description / Notes: Flag to use Out-of-Band Serial Device settings: OOB Serial Host through OOB Serial Port
OOB Serial Host
  Record Type: D
  Permitted Values: Text
  Description / Notes: Out-of-Band Serial device name
OOB Serial Port
  Record Type: D
  Permitted Values: Text
  Description / Notes: Out-of-Band Serial device port
OOB KVM Host Flag
  Record Type: D
  Permitted Values: f = do not use settings; t = use settings (Do not use uppercase 'F' and 'T'). GUI default value: f
  Description / Notes: Flag to use Out-of-Band KVM Device settings: OOB KVM Host through OOB KVM Port
OOB KVM Host
  Record Type: D
  Permitted Values: text
  Description / Notes: Out-of-Band KVM device name
OOB KVM Port
  Record Type: D
  Permitted Values: text
  Description / Notes: Out-of-Band KVM device port
Power
  Record Type: D
Term Type
  Record Type: D
  Permitted Values: ansi, ibm, scoansi, vt100, vt220, vt320, xterm
  Description / Notes: Specify one terminal type
Term Key Mapping
  Record Type: D
  Permitted Values: puttyDefault.conf, AT386.conf, vt320.conf
  Description / Notes: Specify one from allowed values
Term Customization
  Record Type: D
  Permitted Values: 0 = do not use settings; 1 = use settings
  Description / Notes: Flag to use terminal customization settings: Term Character Encoding through Term End Select
Term Character Encoding
  Record Type: D
  Permitted Values: UTF-8, ISO-8859-1 (many other options)
  Description / Notes: Terminal character encoding type. (See GUI for full list, or Administration Guide for list and information.)
Term Font Family
  Record Type: D
  Permitted Values: Monospaced, Courier, Courier New
  Description / Notes: Select one from allowed values
Term Font Size
  Record Type: D
  Permitted Values: 8 – 32
  Description / Notes: Terminal font size
Term Cursor Foreground
  Record Type: D
  Permitted Values: RGB hex triplet. Ex: #000000 (Black)
  Description / Notes: Cursor foreground color
Term Cursor Background
  Record Type: D
  Permitted Values: RGB hex triplet. Ex: #FFFFFF (White)
  Description / Notes: Cursor background color
Term Foreground Color
  Record Type: D
  Permitted Values: RGB hex triplet. Ex: #FFFFFF (White)
  Description / Notes: Foreground color
Term Background Color
  Record Type: D
  Permitted Values: RGB hex triplet. Ex: #000000 (Black)
  Description / Notes: Background color
Term Terminal Size
  Record Type: D
  Permitted Values: [width, height] in pixels. Ex: [80,24]
  Description / Notes: Terminal window size. NOTE: Include brackets in setting.
Term Buffer Size
  Record Type: D
  Permitted Values: integer
  Description / Notes: Buffer size in bytes
Term Scroll Position
  Record Type: D
  Permitted Values: left, right
  Description / Notes: Select one from allowed values
Term End Select
  Record Type: D
  Permitted Values: 0, 1
  Description / Notes: Flag to use "End" to select
Device Monitor
  Record Type: D
  Description / Notes: DEPRECATED - Do not remove column, but do not use it. Applicable to deprecated Device Monitoring feature.
Tags
  Record Type: D
  Permitted Values: text
  Description / Notes: Free-form text attributes (zero or more) can be assigned to any device. Embedded spaces are allowed. Separate each pair of tags by: | (pipe)
Type Access
  Record Type: D
  Permitted Values: f = False; t = True
  Description / Notes: Marker for an Access type Device
Type Password
  Record Type: D
  Permitted Values: f = False; t = True
  Description / Notes: Marker for a Password Management type Device
Type A2A
  Record Type: D
  Permitted Values: f = False; t = True
  Description / Notes: Marker for an A2A type Device
Target Server Description 1
  Record Type: D
  Permitted Values: text
  Description / Notes: If Type Password = t, this option is available
Target Server Description 2
  Record Type: D
  Permitted Values: text
  Description / Notes: If Type Password = t, this option is available
Request Client Description 1
  Record Type: D
  Permitted Values: text
  Description / Notes: If Type A2A = t, this option is available
Request Client Description 2
  Record Type: D
  Permitted Values: text
  Description / Notes: If Type A2A = t, this option is available
Request Client Active
  Record Type: D
  Permitted Values: f = False; t = True
  Description / Notes: If Type A2A = t, this option is available
Host Name Preserved
  Record Type: D
  Permitted Values: f = False; t = True
  Description / Notes: If Type A2A = t, this option is available
ProvisionType
AlternateId

Command Filter Lists


Use Policy, Import/Export Command Filter Lists to download a sample file and populate as specified
in the following table.

Note: In Record Type, * = required.

CSV File Column Label, with Record Type, Permitted Values, and Description / Notes for each column:

Type
  Record Type: CL
  Permitted Values: command filter list
  Description / Notes: Import record (row) type. IMPORTANT: CSV files with this type record must be imported only through the Policy > Import/Export Command Filter Lists page
List Name
  Record Type: CL*
  Permitted Values: text
  Description / Notes: Command Filters Lists: List template field: Name
List Type
  Record Type: CL*
  Permitted Values: white = whitelist; black = blacklist
  Description / Notes: Definitions:
    Whitelist: List of commands a user may use; all other commands are prohibited.
    Blacklist: List of commands a user may not use; all other commands are permitted.
Keyword
  Record Type: CL*
  Permitted Values: text
  Description / Notes: The command or command subset to be restricted. Multiple commands for the same list are designated by multiple CSV line items using the same List Name.
Alert
  Record Type: CL*
  Permitted Values: f = do not use alert; t = use alert
  Description / Notes: Flag to: Notify (immediately) the monitoring administrator of any use of this command.
Block
  Record Type: CL*
  Permitted Values: f = do not use block; t = use block
  Description / Notes: Flag to: Prevent (immediately) this command from being executed.
Regexp
  Record Type: CL*
  Permitted Values: f = do not use regexp; t = use regexp
  Description / Notes: Flag to: Apply the Keyword field as a regular expression to the command line for a match. If there is a match, apply any Alert or Block specified.

Socket Filter Lists


Use Policy, Import/Export Socket Filter Lists to download a sample file and populate as specified in
the following table.

Note: In Record Type, * = required.

CSV File Column Label, with Record Type, Permitted Values, and Description / Notes for each column:

Type
  Record Type: SL
  Permitted Values: command filter list
  Description / Notes: Import record (row) type. IMPORTANT: CSV files with this type record must be imported only through the Policy > Import/Export Socket Filter Lists page
List Name
  Record Type: SL*
  Permitted Values: text
  Description / Notes: Socket Filters Lists: List template field: Name
List Type
  Record Type: SL*
  Permitted Values: white = whitelist; black = blacklist
  Description / Notes: Whitelist: List of sockets (address-and-port combinations) a user may use; all other sockets are prohibited. Blacklist: List of sockets a user may not use; all other sockets are permitted.
IP Address
  Record Type: SL*
  Permitted Values: IPv4 dotted-quad address. Example: 192.0.2.1
  Description / Notes: The command or command subset to be restricted. Multiple commands for the same list are designated by multiple CSV line items using the same List Name.
Port
  Record Type: SL*
  Permitted Values: One or more port numbers (comma or space separated), or one port range
  Description / Notes: Socket to which whitelist or blacklist designation is assigned. Multiple sockets for the same list are designated by multiple CSV line items using the same List Name.
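
An added example (not CA's tooling) that checks a Command Filter List file and a Socket Filter List file against the rules in the two tables above before they are handed to the import pages: record labels, white/black list types, lowercase t/f flags, compilable regexp keywords, IPv4 addresses and well-formed port cells. The function names and the sample rows are constructed here; the port limit of 1-65535 is an assumption.

```python
"""Pre-import checks for Command Filter List and Socket Filter List CSVs
(added example, not CA's tooling). Column labels, record types, the
white/black List Type values, the t/f rule and the Port forms come from the
two tables above; the function names and sample rows are constructed here."""
import csv
import io
import ipaddress
import re

CFL_COLUMNS = ("Type", "List Name", "List Type", "Keyword", "Alert", "Block", "Regexp")
SFL_COLUMNS = ("Type", "List Name", "List Type", "IP Address", "Port")
LIST_TYPES = ("white", "black")
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_ports(cell):
    """Return [(low, high), ...] for 'one or more port numbers (comma or space
    separated), or one port range'. Ports 1-65535 are accepted (assumption)."""
    cell = cell.strip()
    m = RANGE_RE.match(cell)
    spans = ([(int(m.group(1)), int(m.group(2)))] if m else
             [(int(p), int(p)) for p in re.split(r"[,\s]+", cell) if p])
    if not spans or any(not 1 <= lo <= hi <= 65535 for lo, hi in spans):
        raise ValueError(f"bad Port cell {cell!r}")
    return spans

def _rows(text, required):
    """Yield (line number, row) after checking that the header has every label."""
    reader = csv.DictReader(io.StringIO(text))
    missing = set(required) - set(reader.fieldnames or ())
    if missing:
        raise ValueError(f"missing column(s): {sorted(missing)}")
    return enumerate(reader, start=2)          # line 1 is the header

def _common(row, where, errors):
    if not row["List Name"]:
        errors.append(f"{where}: List Name is required")
    if row["List Type"] not in LIST_TYPES:
        errors.append(f"{where}: List Type must be white or black")

def check_command_filter_csv(text):
    """Return a list of problems; an empty list means the rows look importable."""
    errors = []
    for n, row in _rows(text, CFL_COLUMNS):
        where = f"line {n}"
        if row["Type"] != "command filter list":
            errors.append(f"{where}: Type must be 'command filter list'")
        _common(row, where, errors)
        if not row["Keyword"]:
            errors.append(f"{where}: Keyword is required")
        for col in ("Alert", "Block", "Regexp"):
            if row[col] not in ("t", "f"):
                errors.append(f"{where}: {col} must be lowercase t or f")
        if row["Regexp"] == "t":
            try:
                re.compile(row["Keyword"])
            except re.error as exc:
                errors.append(f"{where}: Keyword is not a valid regexp ({exc})")
        # Added lint: per the flag definitions, a blacklist entry with both
        # flags f neither notifies nor prevents anything.
        if row["List Type"] == "black" and row["Alert"] == "f" and row["Block"] == "f":
            errors.append(f"{where}: blacklist entry with Alert=f and Block=f does nothing")
    return errors

def check_socket_filter_csv(text):
    errors = []
    for n, row in _rows(text, SFL_COLUMNS):
        where = f"line {n}"
        if not row["Type"]:   # the downloaded sample file is the authority for this value
            errors.append(f"{where}: Type is required")
        _common(row, where, errors)
        try:
            if ipaddress.ip_address(row["IP Address"]).version != 4:
                raise ValueError
        except ValueError:
            errors.append(f"{where}: IP Address must be IPv4 dotted-quad, got {row['IP Address']!r}")
        try:
            parse_ports(row["Port"])
        except ValueError as exc:
            errors.append(f"{where}: {exc}")
    return errors

# Constructed sample files. CFL: line 2 is fine, lines 3-5 each carry one defect.
SAMPLE_CFL = """Type,List Name,List Type,Keyword,Alert,Block,Regexp
command filter list,NoReboot,black,shutdown,t,t,f
command filter list,NoReboot,black,(unclosed,t,t,t
command filter list,NoReboot,black,halt,f,f,f
command filter list,ReadOnlyOps,white,ls,T,f,f
"""
# SFL: Type value copied from the table above; lines 4-5 each carry one defect.
SAMPLE_SFL = """Type,List Name,List Type,IP Address,Port
command filter list,DbOnly,white,192.0.2.10,"1433, 1521"
command filter list,DbOnly,white,192.0.2.11,5432-5434
command filter list,DbOnly,white,2001:db8::1,22
command filter list,DbOnly,white,192.0.2.12,70000
"""
```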

Policy
Use Policy, Import/Export Policy, to download a sample file and populate it as specified in the
following table.

Note: In Record Type, * = required

17-Feb-2017 128/373
CA Privileged Access Manager - 2.8

CSV File Record Permitted Description / Notes


Column Type Values
Label

CSV File Record Column Label | Type | Permitted Values | Description / Notes
-----------------------------|------|------------------|--------------------
Type | P* | | Policy Import record (row) type.
User | P* | text | Username or (User Group:) Groupname of the User-Device pair.
Device | P* | text | Device Name or (Device Group:) Group Name of the User-Device pair.
Services | P | Custom Services (text), and/or Built-in Services: sftpftp, sftpftpemb, sftpsftp, sftpsftpemb, TSWEB | Specify CA PAM built-in or custom Services. Separate any multiple Services by: \| (pipe).
SSL VPN Services | P | text | Specify CA PAM custom SSL VPN Services. Separate any multiple SSL VPN Services by: \| (pipe).
Applets | P | | Use the following template per Access Method applet: 'name=Name custom_name=CustomName'. Name options: VNC, Telnet, SSH, Serial, Power, RDP, KVM. Additional Name options if mainframe licensing is enabled: TN3270, TN3270SSL, TN5250, TN5250SSL. CustomName options: (empty), or any string. Separate any multiple applets (Access Methods) by: \| (pipe).
Command Filter | P | text | If this policy uses one or more Command Filter Lists, enter them by name; otherwise, leave blank. If used, make sure to define CFLs (import the CFL CSV file) first. NOTE: Make sure that filters are imported before the policy.
Socket Filter | P | text | If this policy uses one or more Socket Filter Lists, enter them by name; otherwise, leave blank. If used, make sure to define SFLs (import the SFL CSV file) first. NOTE: Make sure that filters are imported before the policy.
Restrict login if agent is not running | P | t = true, f = false (Do not use upper-case 'T' or 'F') | NOTE: Only used for applets that rely on this switch: RDP, VNC, and ICA.
Graphical Recording | P | t = true, f = false (Do not use upper-case 'T' or 'F') | When 'true', CA PAM performs graphical recording of every RDP or VNC session between this User(Group)-Device(Group) pair.
Command Line Recording | P | t = true, f = false (Do not use upper-case 'T' or 'F') | When 'true', CA PAM performs command line recording of every CLI-based session between this User(Group)-Device(Group) pair.
Bidirectional Recording | P | t = true, f = false (Do not use upper-case 'T' or 'F') | When 'true' (and when Command Line Recording is 'true'), CA PAM records both the User and Device input for every CLI-based session between this User(Group)-Device(Group) pair. (Otherwise, only User input is recorded.)
Web Portal Recording | P | t = true, f = false (Do not use upper-case 'T' or 'F') | When 'true', CA PAM performs graphical recording of every web portal session between this User(Group)-Device(Group) pair.
Targets | P | targetApplicationName accountName=accountName |
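The Policy ('P') import record rules above (lower-case 't'/'f' flags, pipe-separated multi-value columns, the 'name=Name custom_name=CustomName' applet template, and the requirement that CFL/SFL files be imported before any policy that names them) can be checked before a file is handed to the importer. The validator below is an added example, not CA's own import code; the CSV header labels, the `imported_cfls`/`imported_sfls` sets and the sample rows are constructed assumptions.

```python
import csv
import io

# Built-in Services and applet Name options as listed in the Policy import table.
BUILTIN_SERVICES = {"sftpftp", "sftpftpemb", "sftpsftp", "sftpsftpemb", "TSWEB"}
APPLET_NAMES = {"VNC", "Telnet", "SSH", "Serial", "Power", "RDP", "KVM"}
MAINFRAME_APPLET_NAMES = {"TN3270", "TN3270SSL", "TN5250", "TN5250SSL"}
FLAG_COLUMNS = ("Restrict login if agent is not running", "Graphical Recording",
                "Command Line Recording", "Bidirectional Recording", "Web Portal Recording")


def parse_flag(value):
    """Boolean columns accept only lower-case 't' / 'f'; 'T' / 'F' are rejected."""
    if value == "t":
        return True
    if value == "f":
        return False
    raise ValueError(f"must be 't' or 'f' (lower-case), got {value!r}")


def split_pipe(value):
    """Multi-valued columns are '|' (pipe) separated; a blank column means none."""
    return [item.strip() for item in value.split("|") if item.strip()]


def parse_applet(spec, mainframe_licensed=False):
    """Parse one 'name=Name custom_name=CustomName' entry (CustomName without spaces)."""
    fields = {}
    for token in spec.strip().strip("'").split():
        key, sep, val = token.partition("=")
        if not sep or key not in ("name", "custom_name"):
            raise ValueError(f"bad applet token {token!r}")
        fields[key] = val
    allowed = APPLET_NAMES | (MAINFRAME_APPLET_NAMES if mainframe_licensed else set())
    name = fields.get("name", "")
    if name not in allowed:
        raise ValueError(f"applet name {name!r} not permitted")
    return {"name": name, "custom_name": fields.get("custom_name", "")}


def validate_policy_record(row, imported_cfls, imported_sfls, mainframe_licensed=False):
    """Check one Policy row against the column rules; return errors, warnings, parsed fields."""
    errors, warnings = [], []
    if row.get("Type") != "P":
        errors.append(f"Type must be 'P', got {row.get('Type')!r}")
    for col in ("User", "Device"):  # the P* columns are required
        if not (row.get(col) or "").strip():
            errors.append(f"{col} is required")

    services = split_pipe(row.get("Services") or "")
    custom_services = [s for s in services if s not in BUILTIN_SERVICES]
    applets = []
    for spec in split_pipe(row.get("Applets") or ""):
        try:
            applets.append(parse_applet(spec, mainframe_licensed))
        except ValueError as exc:
            errors.append(f"Applets: {exc}")

    # CFL / SFL CSV files must be imported before the policy that names them.
    for col, known in (("Command Filter", imported_cfls), ("Socket Filter", imported_sfls)):
        for name in split_pipe(row.get(col) or ""):
            if name not in known:
                errors.append(f"{col} {name!r} not imported yet; import filters first")

    flags = {}
    for col in FLAG_COLUMNS:
        raw = (row.get(col) or "").strip()
        if raw == "":
            continue  # blank column: flag not set
        try:
            flags[col] = parse_flag(raw)
        except ValueError as exc:
            errors.append(f"{col}: {exc}")
    if flags.get("Bidirectional Recording") and not flags.get("Command Line Recording"):
        warnings.append("Bidirectional Recording only applies when Command Line Recording is 't'")

    return {"errors": errors, "warnings": warnings, "services": services,
            "custom_services": custom_services, "applets": applets, "flags": flags}


def validate_policy_csv(text, imported_cfls, imported_sfls, mainframe_licensed=False):
    """Validate every row of a Policy import CSV (header row required)."""
    rows = csv.DictReader(io.StringIO(text))
    return [validate_policy_record(r, imported_cfls, imported_sfls, mainframe_licensed)
            for r in rows]


# Constructed sample: the second row carries three defects and one warning case.
SAMPLE_CSV = """\
Type,User,Device,Services,SSL VPN Services,Applets,Command Filter,Socket Filter,\
Restrict login if agent is not running,Graphical Recording,Command Line Recording,\
Bidirectional Recording,Web Portal Recording,Targets
P,alice,web01,sftpsftp|TSWEB,,name=SSH custom_name=|name=RDP custom_name=admin-rdp,deny-rm,,f,t,t,t,f,
P,bob,db01,sftpsftp|my-jumpbox,,name=Serial2 custom_name=,not-yet-imported,,f,T,f,t,f,
"""
IMPORTED_CFLS = {"deny-rm"}  # constructed: CFL names that have already been imported
IMPORTED_SFLS = set()
```

Running `validate_policy_csv(SAMPLE_CSV, IMPORTED_CFLS, IMPORTED_SFLS)` reports no problems for the first row and, for the second, the unknown applet name, the CFL that has not been imported, and the upper-case 'T' flag, plus a warning that Bidirectional Recording has no effect without Command Line Recording.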

Messages and Log Formats


The content in this section describes CA Privileged Access Manager messages used in log entries, real-
time UI warnings, and other informational output.

The pre-formatted messages identified herein are included in most syslog output (MSG
field), but not every message is used in a syslog emission, and not all syslog emissions
include a message. For example, some messages are used solely for user interaction.

Administration Service Layer Messages (see page 131)
Credential Manager Error Messages (see page 189)
CA-PAM Series Messages (see page 251)
Syslog Messages (see page 256)
Examples of Syslog Messages (see page 265)

Administration Service Layer Messages


This section lists administration service layer messages and the corresponding string definition
numbers used by the source code. The definition numbers sometimes appear in the message output.

For Credential Manager messages, see Credential Manager Error Messages (see page 189).

00xxx - General Error Messages (see page 132)
01xxx - Network Service Messages (see page 133)
02xxx - User Management Messages (see page 138)
04xxx - User Group Management Messages (see page 144)
05xxx - Device Management Messages (see page 145)
06xxx - Roles and Privileges Management Messages (see page 154)
07xxx - Device Group Management Messages (see page 155)
08xxx - Global Settings and Device Task Messages (see page 156)
09xxx - LDAP Messages (see page 156)
10xxx - CSV Import/Export Related Messages (see page 158)
11xxx - Device Monitoring Messages, Office365 Integration Messages, SAML IdP and RP Messages (see page 160)
12xxx - Policy Management Messages (see page 162)
13xxx - Management Console Messages (see page 164)
14xxx - Managed Server Service Messages (see page 165)
15xxx - Command and Socket Filter Management Messages (see page 165)
16xxx - Logging and Reporting Messages (see page 167)
17xxx - Policy Conflict Messages (see page 168)
18xxx - Authentication-Related Messages (see page 169)
19xxx - Access Service Messages (see page 175)
20xxx - Credential Management Messages (see page 176)
21xxx - Audit Log Messages (see page 177)
22xxx - View and Search Management Messages (see page 177)
23xxx - Cluster Management Messages (see page 177)
24xxx - Login Sessions Management Messages (see page 180)
25xxx - Configuration Management Messages (see page 181)
26xxx - SafeNet HSM Configuration Messages (see page 185)
27xxx - Secondary Transparent Login Management Messages (see page 187)
28xxx - AWS and VMware Virtual Device Management Messages (see page 188)
29xxx - Credential Management API Non-devices Messages (see page 188)
30xxx - Session Recording Messages (see page 188)
31xxx - GateKeeperService Messages (see page 188)
32xxx - Upgrade, Backup, and Recovery Messages (see page 188)
33xxx - CA Threat Analytics Related Messages (see page 189)

00xxx - General Error Messages


Messages 900-999 are for message fragments used by other messages.

0000 = Error occurred while trying to complete request. (%d)

0001 = Expected an array %s, got a scalar.

0002 = Values%smust be either 't' (true) or 'f' (false).

0003 = Not authorized to perform this action.

0004 = Unable to retrieve Privilege Manager.

0005 = Privilege Manager unable to retrieve user.

0006 = Cannot build Privilege Manager with data supplied.

0007 = Invalid numeric data. %s

0008 = Invalid sort order

0009 = Your login has timed out.

0010 = Error occurred while trying to complete request.

0011 = Invalid log database type %s. Consult your system administrator

0012 = Invalid search by field %s

0013 = No more rows.

0014 = Same origin policy violation; possible cross-site request forgery.

0015 = Too many rows to sort by. Use search criteria to narrow the result set and try again.

0016 = All Devices

0017 = All Users

0018 = Duplicate entry

0019 = Missing required field %s

0020 = Error occurred while trying to complete request. (%s)

0021 = No data returned.

0022 = SSH login to appliance from address <ip_address>.

0900 = add

0901 = update

0902 = delete

0903 = user groups

0904 = device groups

0905 = Connected

0906 = Waiting

0907 = Unknown

0908 = Detection

0909 = Intervention

0910 = Tampering

0911 = Password Authority Groups

0912 = VMware provisioning request

0913 = Activated

0914 = Deactivated

01xxx - Network Service Messages


1000 = Service name is required.

1001 = Local IP address is required.

1002 = Invalid IP address specified.

1003 = Protocol is required.

1004 = Invalid protocol specified.

1005 = Web Portal is required.

1006 = Invalid Web Portal value specified.

1007 = Show in Column is required.

1008 = Invalid Show in Column value specified.

1009 = Enabled is required.

1010 = Invalid Enabled value specified.

1011 = Port settings are required.

1012 = Invalid port setting(s) specified: %s.

1013 = Application protocol is required.

1014 = Invalid application protocol value specified.

1015 = Launch URL is required.

1016 = Invalid launch URL specified.

1017 = Invalid characters in comment.

1018 = Invalid characters in service name. Semicolons, commas, percent signs, and backslashes are
invalid.

1019 = Existing service could not be found.

1020 = Service %s already exists.

1021 = Service %s created.

1022 = Unable to delete service. Service does not exist.

1023 = Service deleted.

1024 = Service name cannot be changed.

1025 = SSL VPN service must have at least 1 port defined.

1026 = Invalid TCP ports value specified. Values must be valid TCP ports or TCP port ranges.

1027 = Invalid UDP ports value specified. Values must be valid UDP ports or UDP port ranges.

1028 = Service not found.

1029 = Service %s updated.

1030 = Unrecognized service type.

1031 = Invalid port range specified. %s greater than %s.

1032 = Maximum number of ports in range, 500, exceeded for specified port range %s. Consider
using SSL VPN solution.

1033 = Invalid port combination/redirection %s. Combination/redirection format should be <Remote Port>:<Local Port>.

1034 = Local IP must be on the 127 network.

1035 = Web portal TCP/UDP services must have LeapFrog Prevention disabled.

1036 = Web portal TCP/UDP services cannot have a client application.

1037 = Launch path is required.

1038 = Service not added.

1039 = Database corruption - more than one service was inserted.

1040 = Service %s not found or another user deleted it.

1041 = Database corruption - more than one service with the same id was deleted.

1042 = %d service(s) deleted

1043 = %d service(s) not deleted because not authorized.

1044 = %d service(s) not deleted because not found.

1045 = %d service(s) not deleted because of unknown error.

1046 = %d service(s) deleted %s %s %s

1047 = Only the Local IP, Port Settings, Enabled, Show in Column, Client Application, and Comments
of the standard service sftpftp can be updated.

1048 = Only the Local IP, Port Settings, Enabled, Show in Column, and Comments of the standard
service sftpftpemb can be updated.

1049 = Only the Local IP, Port Settings, Enabled, Show in Column, and Comments of the standard
service TSWEB can be updated.

1050 = Standard service sftpftp can not be deleted.

1051 = Standard service sftpftpemb can not be deleted.

1052 = Standard service TSWEB can not be deleted.

1053 = Standard service sftpsftp can not be deleted.

1054 = Only the Local IP, Port Settings, Enabled, Show in Column, Client Application, and Comments
of the standard service sftpsftp can be updated.

1055 = Local socket %s:%s of Web Portal %s must be unique across all web portal services. Local
socket already used by Web Portal %s.

1056 = Standard service sftpsftpemb can not be deleted.

1057 = Only the Local IP, Port Settings, Enabled, Show in Column, and Comments of the standard
service sftpsftpemb can be updated.

1058 = Invalid Hide Web Portal specified.

1059 = Hide Web Portal is required.

1060 = Both Show In Column and Hide Web Portal cannot be checked.

1061 = Maximum number of ports in range, 500, exceeded for the sum of all specified port ranges.
Consider using SSL VPN solution.

1062 = A web application must have an application protocol of 'Web Portal'.

1063 = Invalid web portal browser type specified. Valid types are native and xceedium.

1064 = Invalid domain in web portal access list: %s.

1065 = AWS Management Console SSO service can not be deleted.

1066 = AWS Management Console SSO is a reserved service name.

1067 = The only properties of the AWS Management Console SSO service that can be changed are
enabled, show in column, and access list.

1068 = MS Office 365 is a reserved service name.

1069 = MS Office 365 service can not be deleted.

1070 = AWS Proxy Service is a reserved service name.

1071 = The properties of the AWS proxy service can not be changed.

1072 = The only properties of the MS Office 365 service that can be changed are enabled, show in
column, and access list.

1073 = AWS Proxy service can not be deleted.

1074 = %s service cannot not be deleted.

1075 = SAML Entity ID is a required field.

1076 = SAML PEM Certificate is a required field.

1077 = The specified SAML %s certificate is not a valid PEM encoded certificate.

1078 = The SAML encryption type is a required field.

1079 = The SAML initiating party field is invalid: Valid values are sp or idp.

1080 = Invalid SAML encryption type. Valid values are: None,NameId,Assertion.

1081 = A SAML service with an entity ID of %s already exists. SAML entity IDs must be unique.

1082 = An error occurred while parsing the SAML metadata file: %s

1083 = %s service cannot not be deleted.

1084 = Invalid SAML require signed authentication request value specified. Valid values are: t, f.

1085 = The SAML encryption certificate is required if NameId or Assertion encryption is enabled.

1086 = The SAML signing certificate is required if Require Signed Authn Requests is enabled.

1087 = There are no SAML 2.0 SPs defined with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
POST (SAML 1.1 SPs are not supported).

1088 = Xsuite requires an AssertionConsumerService element with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.

1089 = SAML service %s with entity ID %s %s.

1090 = The following device(s) were %s to host the SAML assertion consumer services: %s.

1091 = Device group %s was provisioned with the provisioned assertion consumer devices as
members. This will facilitate managing policy for all SAML devices.

1092 = SAML attribute with index %s is missing the required name field.

1093 = SAML attribute with index %s is missing the required friendly name field.

1094 = There are multiple SAML attributes with the same name: %s. Names must be unique.

1095 = There are multiple SAML attributes with the same friendly name: %s. Friendly names must be
unique.

1096 = SAML attribute %s can not be deleted. It is used in the following policies: %s.

1097 = The following SAML Name Identifier Formats can not be deleted: %s. They are used in the
following policies: %s.

1098 = The auto-login method of SAML services can not be changed.

1099 = Invalid web portal auto-login method specified.

1100 = SAML services with the Route Through Xsuite setting enabled require the browser type setting
to be set to the Xceedium Browser.

1101 = SAML services using the Xceedium browser must be IdP initiated.

1102 = VMware NSX API Proxy Service is a reserved service name.

1103 = An auto-login method was provided, but only web portals can have auto-login methods.

1104 = This service is configured to be recorded and must use the Xceedium browser type. The
service is configured to be recorded in the following policies: %s.

1105 = SAML service data is not valid

02xxx - User Management Messages


2000 = User id must be a positive integer.

2001 = User %s not found.

2002 = The super user may not be deleted.

2003 = User %s deleted.

2004 = User %s not found or another user deleted them.

2005 = Database corruption - more than one user with the same id was deleted.

2006 = User or user group %s already exists. Names must be unique.

2007 = User %s added.

2008 = User %s not added.

2009 = Database corruption - more than one user was inserted.

2010 = User %s updated.

2011 = User %s was not updated.

2012 = Database corruption - more than one user was updated.

2013 = Access time day string is 7 digits long; 1 = access permitted 0 = access forbidden.

2014 = AD Indirect Flag must be 0 or 1.

2015 = %s time invalid.

2016 = From time must be earlier than To time.

2017 = Invalid characters in user name %s. Semicolons, commas, percent signs, single and double
quotes, and backslashes are invalid.

2018 = First name is a required field.

2019 = Last name is a required field.

2020 = Email is a required field.

2021 = Invalid email address.

2022 = Password is a required field.

2023 = Special characters quote, double quote, backslash, and percent are not allowed in the
password.

2024 = Password length must be between %d and %d characters long.

2025 = Password must include both an alphabetic and a numeric character.

2026 = Password must include both upper and lower case alphabetic characters.

2027 = Password must include a special character ~!?`@#\$^&*()_=+:;,<>{}|/-[].

2028 = Password must include at least two lowercase letters, two uppercase letters, two numbers
and two special characters.

2029 = Authorization must be Local, RSA, PKI, RADIUS, or LDAP.

2030 = Password reset flag must be set on when creating a user.

2031 = Active flag must be true or false.

2032 = Database corruption - active flag not >= -1.

2033 = Expiration date must be in the future or not set.

2034 = Role structure passed in is incorrect - missing %s.

2035 = User must belong to one of the following groups %s.

2036 = Your role does not allow you to %s this user without any groups.

2037 = You may only add users to the following groups %s.

2038 = You may not delete this user. You may only remove group assignments from it.

2039 = %d user(s) deleted.

2040 = %d user(s) deleted, %d user(s) not deleted.

2041 = User or group name may not be changed from %s.

2042 = Virtual user flag must be 1 (true), or 0 (false).

2043 = Invalid access time passed in. Missing a required key field.

2044 = Malformed user group structure. See log for details.

2045 = Invalid provisioning type %s.

2046 = User super may not have its roles changed.

2047 = Non-local users may not have passwords defined in CA Privileged Access Manager.

2048 = %d users attempted, %d users successfully added, %d users not added.

2049 = Short name may only be used for users with provision type of LDAP or PKI.

2050 = Short name required for an LDAP provisioned user.

2051 = Provision type may not be changed.

2052 = Invalid user type.

2053 = Active flag is required.

2054 = PAP/CHAP must be specified for RADIUS authentication and only for RADIUS authentication.

2055 = Warning: Global administrators may not have limited access times - any such settings will be
ignored.

2056 = %d user(s) were requested to be enabled, %d user(s) were actually enabled.

2057 = An invisible (shadow) user named %s already exists. Please choose another name.

2058 = A user or group named %s already exists. Please contact your system administrator.

2059 = %d user(s) not deleted because not authorized.

2060 = %d user(s) not deleted because not found.

2061 = %d user(s) not deleted because of unknown error.

2062 = %d user(s) deleted %s %s %s

2063 = Can't specify the user as their own login contact. Use the Email Self on Login checkbox.

2064 = Login contact %s not found.

2065 = Users provisioned from LDAP may not be deleted directly, only by deleting their LDAP group.

2066 = %d LDAP users not deleted

2067 = User names, group names, and short names may not be the same.

2068 = Inconsistent provision and authentication types.

2069 = Inconsistent data - a source user cannot be provided on an update.

2070 = Invalid User Id provided for copy

2071 = Unauthorized attempt to retrieve the list of users.

2072 = Unauthorized attempt to add a user.

2073 = Unauthorized attempt to assign a user to a group.

2074 = Unauthorized attempt to retrieve user details.

2075 = Unauthorized attempt to delete user from group(s).

2076 = Unauthorized attempt to delete user.

2077 = Unauthorized attempt to update global administrator account.

2078 = Unauthorized attempt to update a user.

2079 = Unauthorized attempt to update user's properties.

2080 = Unauthorized attempt to reactivate user(s).

2081 = Invalid RDP user name %s.

2082 = Invalid mainframe display name

2083 = Unauthorized attempt to view the effective policy of user %s.

2084 = An LDAP provisioned user may not be added directly, only imported via LDAP.

2085 = LDAP-provisioned user %s's LDAP groups may not be changed except via LDAP import or
refresh.

2086 = Shadow user %s's membership in RADIUS group %s may not be changed.

2087 = A shadow user may not be added directly, only created via logon.

2088 = User %s may not be added to RADIUS group %s.

2089 = Duplicate Password Authority username %s. User not added. Please contact your system
administrator.

2090 = User add failed. Please contact your system administrator.

2091 = User is not allowed to manage the Password Authority group %s.

2092 = Roles with the Manage Credential privilege must have at least one Password Authority group
to manage.

2093 = Password Authority user group name %s not found.

2094 = Super user cannot change Password Authority user groups.

2095 = User %s cannot be deleted because of a Password Authority error.

2096 = Duplicate user principal name %s. User cannot be %s.

2097 = Devices provisioned from LDAP may not be deleted directly, only by deleting their LDAP
group.

2098 = The user has been configured to manage a Password Authority group but does not have a role
with sufficient privileges.

2099 = Maximum of %d AWS API Proxy users licensed. Please remove that privilege from one or more
users before proceeding to add this one.

2100 = API keys must be an array of arrays of individual API keys containing id, name, target account
id, active status and set of roles.

2101 = Required API key array element client name not found.

2102 = Required API key array element target account id not found.

2103 = Required API key array element isActive not found.

2104 = Required API key array element roles not found.

2105 = API key array element roles must be an array.

2106 = API keys must be deleted before the rest of the user.

2107 = Existing API key %s either does not belong to user %s or does not exist at all.

2108 = Users with provision type %s can not be added to LDAP groups: %s.

2109 = The following user ids are not valid: %s.

2110 = You cannot specify an API key id when creating a user.

2111 = Pap/Chap must be null if authentication type is not radius.

2112 = A user may not be locally added to an LDAP provisoned group.

2113 = The following user fields may not be changed locally for an ldap user: activationDate,
authType, description, email, expiration, firstName, lastName, password, phone, resetPasswordFlag.

2114 = A valid password is required. Empty passwords not allowed.

2115 = User not found.

2116 = Maximum length of email field is 60 characters.

2117 = The super user account's authentication method cannot be set to SAML.

2118 = A user may not have two API keys with the same name. Change the API keys so that only one
is named %s.

2119 = User with local authentication must have a password set.

2120 = Password has been already used. You have to enter a new password.

2121 = Invalid old password.

2122 = Password must be new

2123 = Special characters \ ' % and \ are not allowed in the password

2124 = Password length must be \%s\ - \%s\ characters.

2125 = Must include both an alphabetic and numeric character.

2126 = Must include both upper and lower case alphabetic characters.

2127 = Must include a special character ~!?`@#\$^&*()_=+:;,<.>{}|/-[]

2128 = Password must include at least two lowercase letters, two uppercase letters, two numbers
and two special characters.

2129 = User %s must be associated with Password Authority user group %s.

2130 = The old password you entered is not correct.

2131 = Password change failed. Unknown error.

2132 = User groups for a SAML JIT user can only be changed by SAML.

2133 = A %s provisioned user must belong to at least one group.

2134 = A SAML JIT user such as %s can only have their user groups changed by SAML.

2135 = A SAML JIT user like %s may not be added directly, only loaded from an identity provider on
login.

2136 = User %s cannot be deleted because it is configured as the login contact for the following list of
users: %s.

2137 = %d user(s) configured as login contact(s) not deleted

2138 = The user has been assigned a role which requires a password authority user group to be
associated with it, but no such group was specified.

04xxx - User Group Management Messages


4000 = User group id must be a positive integer.

4001 = User group not found.

4003 = User group %s deleted.

4004 = User group %s not found or another user deleted it.

4005 = Database corruption - more than one user group with the same id was deleted.

4006 = User group or user %s already exists. Names must be unique.

4007 = User group %s added.

4008 = User group %s not inserted.

4009 = Database corruption - more than one user group with the same id was inserted.

4010 = User group %s updated.

4011 = User group %s was not updated.

4012 = Database corruption - more than one user group with the same id was updated.

4013 = Invalid user group type.

4014 = User group name may not be blank.

4015 = %d user group(s) deleted.

4016 = %d user group(s) deleted, %d user group(s) not deleted.

4017 = User group not deleted.

4018 = %d user group(s) not deleted because not authorized.

4019 = %d user group(s) not deleted because not found.

4020 = %d user group(s) not deleted because of unknown error,

4021 = %d user group(s) deleted. %s %s %s

4022 = Unspecified user group name.

4023 = Invalid SAML attribute specified. Valid values are: %s.

4024 = Locally provisioned user groups can not have an authentication type of RSA.

4025 = Locally provisioned user groups can not have an authentication type of LDAP+RSA.

4026 = Invalid network range. %s

4027 = Locally provisioned user groups can not have an authentication type of LDAP+RADIUS.

4028 = The following user group ids are not valid: %s.

4029 = Auth type %s not supported.

4030 = User %s not successfully added to user group. No other users added.

4031 = The following user fields may not be changed locally for an ldap user group: description,
shortName.

4032 = Group id is required for an update and must be an integer > 0.

05xxx - Device Management Messages


5001 = Power must be On, Off, or Unknown.

5002 = Device %s not found.

5003 = Device task enabled must be On or Off.

5004 = Device property terminal customization must be 0 or 1.

5005 = Device property endselect must be 0 or 1.

5006 = Device console type must be KDM, PPP, or Serial.

5007 = Device service enabled must be On or Off.

5008 = Device %s deleted.

5009 = Device %s not found or another user deleted them.

5010 = Database corruption - more than one device with the same id was deleted.

5011 = Device ore device group name %s already exists. Names must be unique.

5012 = Device %s added.

5013 = Device %s not added.

5014 = Database corruption - more than one device with the same id was inserted.

5015 = Device %s updated.

5016 = Device %s was not updated due to Password Authority authorization errors.

5017 = Database corruption - more than one device with the same id was updated.

5018 = Device %s power status updated.

5019 = Device %s power status was not updated.

5020 = Database corruption - more than one device's power status was updated.

5021 = %s %s %s Failed.

5022 = %s %s %s Successful.

5023 = Unknown power status of %s: multiple power ports do not match.

5024 = Unsuccessful checking power status of %s.

5025 = Special type device %s already exists.

5026 = Special type device not found.

5027 = Special type device %s not inserted.

5028 = Database corruption - more than one special type device was inserted.

5029 = Special type device %s was not updated.

5030 = Database corruption - more than one special type device was updated.

5031 = Device group name is required.

5032 = Device domain name is required.

5033 = A device must belong to one of the following groups %s.

5034 = Your role does not allow you to %s this device without any groups.

5035 = You may only add or delete device membership from the following groups %s.

5036 = You may not delete this device, only remove group assignments from it.

5037 = Device name may not be blank.

5039 = %d device(s) deleted.

5040 = %d device(s) deleted, %d device(s) not deleted.

5041 = Device special type must be specified.

5042 = Invalid device special type specified.

5043 = Operating System is a required field.

5044 = Invalid operating system specified.

5045 = Invalid device id(s) %s.

5046 = Device terminal data is required.

5047 = Device terminal type is required.

5048 = Device terminal type is invalid: %s.

5049 = Device terminal type was not added.

5050 = Configuring device %s as a %s device will exceed the number of licensed %s devices.

5051 = Expect string must be specified for all expect/response pairs.

5052 = User requires Device/Group Manager or Delegated Administrator role to add discovered
devices to CA Privileged Access Manager.

5053 = Device cannot have both sftpftp and sftpftpemb services.

5054 = %d device(s) not deleted because not authorized.

5055 = %d device(s) not deleted because not found.

5056 = %d device(s) not deleted because of unknown error.

5057 = %d device(s) deleted %s %s %s

5058 = Invalid characters in device name %s. Semicolons, commas, apostrophes and backslashes are
invalid.

5059 = Task %s port setting, %s, already in use on device.

5060 = Mainframe access methods are not permitted without a Mainframe-capable license.

5061 = Access method %s has duplicate name %s.

5062 = Multiple access methods of type %s must have different names.

5063 = Device cannot have both sftpsftp and sftpsftpemb services.

5064 = A custom name for a device task may not have colons, semicolons, commas, or backslashes.

5065 = Device cannot have both telnet and ssh2telnet access methods.

5066 = Invalid tag format

5067 = Tag %s deleted

5068 = %d Tags deleted out of %d requested

5069 = Tag %s was NOT renamed to %s

5070 = Maximum number of ports in range, 500, exceeded for specified port range %s.

5071 = Port %s out of range. Must be less than %d.

5072 = Port %s out of range. Must be greater than %d.

5073 = No access is currently permitted because this CA Privileged Access Manager appliance is over-
provisioned. Please contact your systems administrator.

5074 = This Xceedium appliance currently has more Devices defined than the configured license
permits. Please either obtain a new license from Xceedium or delete devices to bring this appliance
back within its license constraints. Access is disabled until this is remediated.

5075 = Each power task must have a unique combination of power device and port.

5076 = Maximum number of ports in range, 500, exceeded for all specified port ranges.

5077 = Invalid value for device type Access.

5078 = Invalid value for device type Password Management.

5079 = Invalid value for device type A2A.

5080 = Request server type must be CLIENT or AGENT.

5081 = Invalid value for host name preserved.

5082 = Invalid value for autopatch.

5083 = Invalid value for request server active flag.

5084 = Invalid value for device type search.

5085 = Invalid value for request server id.

5086 = Request server id required for autoregistration.

5087 = Can't assign request server id to a device that is not a request server.

5088 = Operation aborted because Password Authority request server cannot be deleted. See log for
details.

5089 = Operation aborted because Password Authority target server cannot be deleted. See log for
details.

5090 = Device %s not deleted because of Password Authority errors.

5091 = Device Import cannot add virtual devices only update them. Device Name = %s.

5092 = Failed to connect to %s.

5093 = Invalid definition of virtual device %s.

5094 = Physical device %s may not have an alternate id.

5095 = Virtual device not available.

5096 = Target Application %s was not added or updated due to Password Authority authorization
errors.

5097 = Device group must have a provision type.

5098 = A device group's provision type may not be changed. Delete and recreate the group.

5099 = %s device refresh failed due to error. See log for details.

5100 = Target server %s not found.

5101 = Request server not found.

5102 = Special device %s may not be changed.

5103 = Connection error - is DNS working? See log for details.

5104 = A target server with the address %s already exists. Target server %s not added.

5105 = A request server with the address %s already exists. Request server %s not added.

5106 = Invalid device type (access, password, a2a) specified.

5107 = %s provisioning already in progress. Please wait.

5108 = Terminal type VT100 is not compatible with TN5250 or TN5250SSL access methods.

5109 = Device import cannot add VMware device groups only update them. Group name = %s.

5110 = Could not reassign user to PA user.

5111 = General error with password checkin. See log for details.

5112 = %s is a reserved %s name. Please use another name.

5113 = %s is a reserved device address. Please use another address.

5114 = Device may not have applets if not of typeAccess.

5115 = Device may not have services if not of typeAccess.

5116 = Target server fields may not be defined if device is not of typePassword.

5117 = Request server fields may not be defined if device is not of typeA2A.

5118 = Device import cannot add VMware Device Groups, it may only update them (Group name = %s).

5119 = Configuring device %s as a %s device will exceed the number of licensed %s devices. Device added without the type.

5120 = Internal error occurred while updating the runtime status of a device.

5121 = Service AWS Management Console SSO can not be added to a device.

5122 = %d VMware devices were not deleted. See logs for details. VMware credentials are kept but the configuration is now inactive.

5123 = %d AWS devices were not deleted. See logs for details. AWS credentials are kept but the configuration is now inactive.

5124 = AWS region code may not be changed on update. Delete this row and enter a new one.

5125 = AWS region code required.

5126 = Invalid AWS region code %s.

5127 = This AWS access key and region are already provisioned.

5128 = The access key id must reference an actual Access Key target account.

5129 = The active checkbox must have a value of t or f.

5130 = Target application %s from device %s was not deleted.

5131 = Target application %s was deleted from device %s.;

5132 = Service AWS API Proxy can not be added to a device.

5133 = Target group %s not added to Password Authority. Error Message: %s.

5134 = Unable to delete target group %s from Password Authority. Error Message: %s.

5135 = Request group %s not added to Password Authority. Error Message: %s.

5136 = Unable to delete request group %s from Password Authority. Error Message: %s.

5137 = AWS Proxy client authorization mapping failed. Error Message: %s.

5138 = Deleting the AWS Proxy client authorization mapping failed. Error Message: %s.

5139 = AWS Access key not found.

5140 = No such credential source as %s. Device group %s was added without it.

5141 = No such credential source as %s. Device group %s was updated, but the old credential was left in place.

5142 = Invalid value for password push flag.

5143 = %s device group membership may not be changed locally. The %s device groups were restored.

5144 = A target server with the device name %s already exists. Target server not added.

5145 = A request server with the device name %s already exists. Request server not added.

5146 = A Password Authority problem prevented completing the request. %s Check log for details.

5147 = The tag \%s\ has a length greater than %d

5148 = Command %s not supported for transparent login. Only the commands %s are supported.

5149 = Password prompt for %s command may not contain equals sign or semi-colon.

5150 = Password prompt is required for transparent login.

5151 = Full path must begin with a forward slash (/).

5152 = Must specify both full path and prompt or neither.

5153 = The same user may not be assigned twice to the same vCenter for provisioning.

5154 = Target account id is required for update of target account %s.

5155 = Either the hostname and the target application application name, or the target application id is required to add the target account %s.

5156 = Target account id and user name are both required to update a target account.

5157 = VMware URL most commonly should be in the form https://<domain>[:port]/sdk. Please enter a URL.

5158 = Provision id required.

5159 = Only the url or the active status may be changed, and one of them must be changed on an update.

5160 = Device must be at least of type Access, Password, or A2A.

5161 = Invalid device group ids specified. The array must contain only numeric ids.

5162 = The following ids are not ids of existing device groups: %s.

5163 = Invalid device service ids specified. The array must contain only numeric ids.

5164 = The following ids are not ids of valid TCP/UDP or RDP application services: %s.

5165 = Invalid device VPN service ids specified. The array must contain only numeric ids.

5166 = The following ids are not ids of valid VPN services: %s.

5167 = The following ids are not ids of valid TCP/UDP services: %s.

5168 = The following ids are not ids of valid RDP application services: %s.

5169 = Invalid device credential source ids specified. The array must contain only numeric ids.

5170 = The following ids are not ids of valid password devices: %s.

5171 = Invalid device group service ids specified. The array must contain only numeric ids.

5172 = Invalid device group VPN service ids specified. The array must contain only numeric ids.

5173 = Invalid device ids specified. The array must contain only numeric ids.

5174 = The following ids are not ids of existing devices: %s.

5175 = Target application %s was not found.

5176 = X11 Forwarding can only be applied to the SSH applet.

5177 = Only X11 Forwarding (x11forwarding) is a valid task property.

5178 = A virtual device may not be added via local means.

5179 = Device name and domain name of a virtual device may not be changed via local means.

5180 = Virtual device %s may not be deleted via local means.

5181 = Special device %s may not be deleted.

5182 = Device was not found.

5183 = The specified device is not a password type device.

5184 = A target application with the specified id was not found or does not belong to the specified device.

5185 = Target account not found.

5186 = Device was not found or was not a target server.

5187 = Target application does not belong to device.

5188 = A target application with the same name already exists for the device.

5189 = Invalid target application type specified. Valid types are: Generic, UnixII.

5190 = Error occurred provisioning the target account.

5191 = A target account with the specified id was not found or does not belong to the specified device or target application.

5192 = Error occurred updating the target account.

5193 = Tags must be an array of tag names.

5194 = The device already has the following %s services: %s.

5195 = Tag id must be an integer.

5196 = Transparent login parameters must be in the form command;prompt|command;prompt. Semicolon, comma, and pipe may not be used as part of the command or the prompt.

5197 = Invalid transparent login type.

5198 = Transparent login type and parameters out of sync.

5199 = Secondary SSO must be defined as <Device Name>|<TargetApplication Name>|<TargetAccount user name>.

5200 = Failed to assign '%s' tag to device. '%s' tag prefix is reserved for vSphere NSX Security %s.

5201 = Service VMware NSX API Proxy can not be added to a device.

5202 = NSX Proxy is a reserved %s name. Please use another name.

5203 = xceedium.nsx.vmware.com is a reserved device address. Please use another address.

5204 = Tags may not be defined on non-local groups.

5205 = Invalid value for Override Address.

5206 = Cannot delete Password Management device %s because it is configured as a VMware vCenter device for Xsuite.

5207 = Command string %s begins with a forward slash (/), which is not allowed in transparent login command strings.

5208 = Invalid value for Handle Legal Notice flag.

5209 = Cannot get name for a target or request group if no group ID is supplied.

5210 = Device %s had missing terminal data; default terminal data has been assigned.

5211 = Device name %s was successfully managed.

5212 = %d device(s) not deleted because they are in use.

5213 = Device Manager user couldn't delete device %s because it is a Password Management or A2A device and the user lacks privileges to delete those types of device.

5214 = Device Manager user couldn't change name of device %s because it is a Password Management or A2A device and the user lacks privileges to rename those types of device.

5215 = Device Manager user couldn't change domain name of device %s because it is a Password Management or A2A device and the user lacks privileges to change domain names for those types of device.

5216 = Role was not found.

06xxx - Roles and Privileges Management Messages


6001 = Update of role %s failed. No matching id.

6002 = Role requested to be assigned a non-existent privilege.

6003 = Role id must be an integer, not %s.

6004 = Default roles may not be deleted or updated.

6005 = Role not found to %s.

6006 = Role not deleted because there are still users assigned to it.

6007 = Role id required when updating a role.

6008 = Role id already assigned at start of add. Role was not added.

6009 = Duplicate role name %s.

6010 = Create role failed for role %s.

6011 = Role name may not be changed.

6012 = Role %s missing required %s.

6013 = Role %s with these groups may not be added to a user by this user.

6014 = Role %s may not have its %s changed by this user.

6015 = The Autodiscovery role requires Device/Group Manager role or the Delegated Administrator Role as well.

6016 = A role must contain at least one privilege.

6017 = Due to role restrictions, group %s may not be added to a user except by a Global Administrator.

6018 = Roles containing the AWS API Proxy privilege may not be added to groups.

6019 = Role with id %s not found.

6020 = The following user groups for role %s do not exist: %s.

6021 = The following device groups for role %s do not exist: %s.

6022 = The API key %s for user %s has privileges the user does not. The API key will be disabled until this is fixed.

07xxx - Device Group Management Messages


7001 = Device group name is required.

7002 = Invalid device group name specified.

7003 = Invalid device group description specified.

7004 = Invalid device group id specified.

7005 = Device group name %s already exists.

7006 = Device group with name %s not found.

7007 = Device group with id %d not found.

7008 = %s field must be an array.

7009 = Device group %s not inserted.

7010 = Database corruption - more than one device group with the same id was inserted.

7011 = Device group %s not updated.

7012 = Database corruption - more than one device group with the same id was updated.

7013 = Device group %s not deleted.

7014 = Database corruption - more than one device group with the same id was deleted.

7015 = %d device group(s) deleted.

7016 = %d device group(s) deleted, %d user group(s) not deleted.

7017 = Device group cannot have both sftpftp and sftpftpemb services.

7018 = %d device group(s) not deleted because not authorized.

7019 = %d device group(s) not deleted because not found.

7020 = %d device group(s) not deleted because of unknown error.

7021 = %d device group(s) deleted. %s %s %s

7022 = Device group cannot have both sftpsftp and sftpsftpemb services.

7023 = A device group with a network address cannot have services or access methods defined.

7024 = Invalid network address %s.

7025 = The following device groups do not exist: %s.

7026 = VMware device group %s may not be deleted locally.

7027 = Device group not found.

7028 = The device group already has the following access methods: %s.

7029 = The device group already has the following %s services: %s.

7030 = The specified access method id does not belong to the device group or is invalid.

7031 = The specified service id does not belong to the device group or is invalid.

7032 = The specified VPN service id does not belong to the device group or is invalid.

08xxx - Global Settings and Device Task Messages


8001 = Task name or id is required.

8002 = Invalid task port specified.

8003 = Task enabled is required.

8004 = Invalid task enabled specified.

8005 = Invalid task id specified.

8006 = Task not found.

8007 = Invalid task name specified.

8008 = Device group contains invalid task name(s): %s.

8009 = Device group contains invalid service name(s): %s.

8010 = Device group contains invalid SSL VPN service name(s): %s.

8011 = Device group contains invalid device name(s): %s.

8012 = Device group cannot contain other device groups: %s.

8013 = Access method may not be defined twice on the same device.

8014 = Invalid access method type(s) %s.

09xxx - LDAP Messages


9000 = LDAP entry must be of type UserGroupType to retrieve group users.

9001 = LDAP user group does not contain any users.

9002 = LDAP connection failure: %s.

9003 = LDAP bind failure: %s.

9004 = LDAP query failure: %s.

9005 = Starting point for browsing LDAP directory is not under configured browse points.

9006 = LDAP domain not found.

9007 = LDAP update in progress, please try again later.

9008 = LDAP Group %s imported into Xsuite. %s Users Processed: %s New Users, %s Updated Users, %s Deleted Users, %s Failed New Users, %s Failed Updated Users, %s Failed Deleted Users.

9009 = LDAP import failed: %s

9010 = %s LDAP group(s) completed with errors. Please check the audit log on the cluster master for more details.

9011 = There are no imported LDAP groups to refresh.

9012 = Warning: user %s from LDAP group %s has same short name, %s, as user %s from LDAP group %s. RADIUS authentication process will not be able to differentiate between the two users. Both user accounts will be deactivated.

9013 = Unauthorized attempt to retrieve the configuration for LDAP domains.

9014 = Connection failed to LDAP domain %s using server %s. Failing over to the next configured LDAP server.

9015 = Import Warning For LDAP Group %s: %s

9016 = Import Error For LDAP Group %s: %s

9017 = Invalid LDAP group(s) specified: %s.

9018 = LDAP Group %s imported into Xsuite. %s Devices Processed: %s New Devices, %s Updated Devices, %s Deleted Devices, %s Failed New Devices, %s Failed Updated Devices, %s Failed Deleted Devices.

9019 = Adding LDAP group %s aborted. The LDAP group and all its registered members will be deleted.

9020 = STARTTLS LDAP connection made to %s.

9021 = LDAP connection made to %s.

9022 = An LDAP operation is in progress.

9023 = LDAP connection made to %s.

9024 = LDAP is configured but the appliance is unlicensed. License the appliance before launching the LDAP browser.

10xxx - CSV Import/Export Related Messages


10001 = Invalid file type of %s. Import supports only CSV files of types: %s.

10002 = Import file cannot be found.

10003 = Invalid CSV row type %s on line %s.

10004 = Error importing user on line %s:

10005 = User group %s does not exist.

10006 = Role %s, does not exist: %s.

10007 = Role user group, %s, does not exist: %s.

10008 = Role device group, %s, does not exist: %s.

10009 = Invalid import file. CSV headers are missing.

10010 = Unrecognized CSV header: %s.

10011 = Number of CSV data fields (%s) does not match CSV header count (%s) on line %s.

10012 = First CSV header must be Type not %s.

10013 = User created successfully.

10014 = User updated successfully.

10015 = User Group created successfully.

10016 = User Group updated successfully.

10017 = Error occurred during import.

10018 = Device Group %s does not exist.

10019 = Device created successfully.

10020 = Device updated successfully.

10021 = Device Group created successfully.

10022 = Device Group updated successfully.

10023 = Invalid task name specified: %s.

10024 = Console device %s does not exist.

10025 = Power device %s does not exist: %s.

10026 = Device access method types do not exist: %s.

10027 = Device services do not exist: %s.

10028 = TCP/UDP services with both TCP and UDP ports defined must have the same port value(s).

10029 = Service created successfully.

10030 = Service updated successfully.

10031 = Invalid role privileges: %s.

10032 = Role created successfully.

10033 = Role updated successfully.

10034 = Policy created successfully.

10035 = Policy updated successfully.

10036 = Device %s does not have access method %s.

10037 = Device %s does not have access method %s, with name %s.

10038 = Device %s does not have service %s.

10039 = Device %s does not have VPN service %s.

10040 = Invalid %s value. Valid values are: t, f.

10041 = Socket filter list entry created successfully.

10042 = Socket filter list entry updated successfully.

10043 = Command filter list entry created successfully.

10044 = Command filter list entry updated successfully.

10045 = Import failed: CSV file not specified.

10046 = Device %s does not have target application %s.

10047 = Device %s does not have target account %s.

10048 = Target account %s does not have the correct id.

10049 = Socket filter list entry already exists and therefore will not be added.

10054 = CSV import of type $type initiated.

11xxx - Device Monitoring Messages, Office365 Integration Messages, SAML IdP and RP Messages


11000 = Default default contact user %s does not exist.

11001 = Invalid default contact method %s specified.

11002 = Device monitor protocol required.

11003 = Device monitor port required for protocol %s.

11004 = Device monitor contact required for protocol %s.

11005 = Device monitor contact method required for protocol %s.

11006 = Invalid device monitor protocol specified.

11007 = Invalid device monitor port %s specified for protocol %s.

11008 = Invalid device contact method specified for protocol %s.

11009 = Device monitor contact %s does not exist.

11010 = Maximum buffer size is 8192.

11011 = Invalid web session recording quality specified. Valid values are high and low.

11012 = Unauthorized attempt to delete policies associated with the Office365 service.

11013 = Calculating the certificate fingerprint for IdP %s failed. The IdP configuration will not be saved.

11014 = The SAML RP's %s is a required field. Please enter a valid value.

11015 = The SAML RP's Fully Qualified Hostname is not a valid hostname.

11016 = The %s of Identity Provider %s is a required field. Please enter a valid value.

11017 = Invalid Identity Provider SSO binding specified for Identity Provider %s. Valid values are: %s.

11018 = The Single Sign On Service URL for Identity Provider %s is not a valid HTTP URL.

11019 = The specified %s of Identity Provider %s is invalid. Valid values are: true or false.

11020 = The specified certificate for Identity Provider %s is not a valid PEM certificate.

11021 = Invalid Signature Algorithm specified for Identity Provider %s. Valid values are: %s.

11022 = Invalid Name ID Formats specified for Identity Provider %s. Valid values are: %s.

11023 = Invalid Authentication Contexts specified for Identity Provider %s. Valid values are: %s.

11024 = Identity Provider entity IDs must be unique. The are multiple identity providers with the following entity ID(s): %s.;

11025 = Invalid SAML version specified for Identity Provider %s. Valid values are: 1.1, 2.0;

11026 = Xsuite as SAML RP configuration updated.;

11027 = Identity Provider friendly names must be unique. The are multiple identity providers with the following friendly name(s): %s.;

11028 = Invalid vulnerability reporting level specified. Valid values are 'Log' or 'Log And Warn'.

11029 = Invalid vulnerability enabled specified.

11030 = The following required fields in the SAML RP configuration must be specified before the configuration can be saved or an IdP can be configured: Entity ID, Fully Qualified Hostname, Certificate Key Pair.

11031 = The required field, 'Fully Qualified Hostname', in the SAML configuration on cluster member %s has not been defined. Please specify a value for the field before downloading metadata.

11032 = SAML SP metadata for remote IdP %s downloaded.

11033 = An attempt was made to access the SAML IdP Proxy service when Xsuite is not deployed in a cluster.

11034 = An error occurred while completing this request. Please contact your administrator for further assistance.

11035 = An attempt was made to access the SAML IdP Proxy service on this node but this node is not the cluster master.

11036 = The following remote IdP(s) have been deleted: %s.

11037 = The following remote IdP(s) have been added: %s.

11038 = The id of identity provider %s is not a valid id: %s.

11039 = Invalid value specified (%s). Integer expected.

11040 = Invalid value specified for SAML Accept RSA-SHA1 Signed Responses. Valid values are: t,f.

11041 = Invalid value specified for Client Distribution Intranet URL. Only domain names and IP addresses are allowed.

11042 = Invalid port specified for Client Distribution Intranet URL.

12xxx - Policy Management Messages


12000 = Unexpected from location for policy request of %s.

12001 = Invalid service specified in policy.

12002 = Invalid task specified in policy.

12003 = Invalid socket filter specified in policy.

12004 = Invalid command filter specified in policy.

12005 = Invalid CLI session recording flag in policy.

12006 = Invalid graphical session recording flag in policy.

12007 = Invalid bidirectional flag in policy.

12008 = Invalid VPN service specified in policy.

12009 = Invalid restrict login if agent is not running value. Valid values are: t, f.

12010 = RDP applications with <AWSURL> in the launch path must have policies, and no others may.

12011 = Unable to display credentials. See log for details.

12012 = Web portal recording can only be enabled for policies that contain a web portal services utilizing the Xceedium browser. Please set the browser type property of the service to Xceedium.

12013 = Policies involving xceedium.aws.amazon.com may not be imported or exported via csv.

12014 = Attempt to add a target account %s to a policy that does not have access to it.

12015 = There is credentials conflict in Transparent Login Window with title '%s' ('%s' and '%s' RDP Applications).

12016 = The policy data structure specified is invalid. %s.

12017 = The specified device does not offer any access methods for policy. Please add access methods to the device first.

12018 = The specified device does not offer device access methods with the following id(s): %s.

12019 = The specified device does not offer any TCP/UDP nor RDP application services for policy. Please add services to the device first.

12020 = The specified device does not offer TCP/UDP nor RDP application services with the following id(s): %s.

12021 = The specified device does not offer any VPN services for policy. Please add VPN services to the device first.

12022 = The specified device does not offer VPN services with the following id(s): %s.

12023 = The specified target account id is invalid: %s.

12024 = The restrict login flag requires a socket filter list to be set for this policy.

12025 = No applets or services which support CLI recording are selected.

12026 = No applets or services which support graphical recording are selected.

12027 = No applets or services which support bidrectional CLI recording are selected.

12028 = The specified device does not offer any target accounts for viewing. Please add target
accounts to the device first.

12029 = A policy must specify either an access method, a service, a vpn service, or target accounts.

12030 = The bidirectional flag may only be set on if CLI recording is selected.

12031 = Transparent login not defined for any selected access method or service.

12032 = A policy association between user (group) %s and device (group) %s doesn't exist.

12033 = No such policy exists.

12034 = The specified user or user group id was not found.

12035 = The specified device or device group id was not found.

12036 = The specified account id is not selected in the policy for viewing.

12037 = The policy does not contain the access method with id %s. Use POST for adding.

12038 = The policy already contains the access method with id %s. Use PUT for updates.

12039 = The policy does not contain the service with id %s. Use POST for adding.

12040 = The policy already contains the service with id %s. Use PUT for updates.

12041 = The policy already contains the SSLVPN service with id %s.

12042 = The policy is already configured to allow viewing the password for the account with id %s.

12043 = The following account id(s) do not belong to the specified device: %s.

12044 = A policy association between the specified user (group) and device (group) already exists.

12045 = A mapping for the required SAML attribute, %s, for users with provision type %s must be defined.

12046 = The following SAML attributes have not been mapped to a valid value: %s.

12047 = The following provision types have multiple Subject Name Identifier mappings defined: %s. There can only be one mapping defined per provision type.

12048 = The following SAML requested attribute ids for SAML resolved attributes are invalid: %s.

12049 = The format for the following SAML attribute is invalid: %s. Expected format is: %s.

12050 = Requested SAML attribute with name %s doesn't exist.

12051 = Target servers and all associated applications and accounts were deleted from policies.

12052 = Target applications and all associated accounts were deleted from policies.

12053 = Target accounts were deleted from policies.

12054 = Target account belonging to device %s for target application %s with user name %s not found.

12055 = Policies involving xceedium.nsx.vmware.com may not be imported or exported via csv.

12056 = AWS Policy value is not specified for AWS service.

12057 = ssoWindow winId %s is not valid for RDP Application service id %s. Either the winId doesn't exist or it is not assigned to the service.

13xxx - Management Console Messages


13001 = Invalid policy name specified. Policy name must be alpha-numeric.

13002 = Policy name required.

13003 = Invalid policy version specified.

13004 = Invalid policy description specified.

13005 = CA Privileged Access Manager appliance already imported into management console.

13006 = Working set with the specified name already exists.

13007 = Invalid policy module specified.

13008 = A policy must contain at least one module before associating it with an CA Privileged Access Manager appliance.

13009 = Unable to successfully authenticate to server %s.

13010 = Invalid policy specified.

13011 = CA Privileged Access Manager credentials not specified. Please set the credentials for the server or set the default credentials for all servers.

13012 = Unable to establish connection to CA Privileged Access Manager appliance %s.

14xxx - Managed Server Service Messages


14000 = CA Privileged Access Manager appliance is already being managed by a management console.

14001 = Apply policy %s failed.

15xxx - Command and Socket Filter Management Messages


15000 = Violations before action value must be a positive number.

15001 = Violations before action value must be greater than 0.

15002 = Invalid intervention action specified.

15003 = Invalid agent listening port. Port must be a valid TCP port.

15004 = Invalid CA Privileged Access Manager appliance ID. . ID must be numeric and between 1 and 254.

15005 = SFA Monitoring is required.

15006 = Socket filter list name required.

15007 = Socket filter list type required.

15008 = Invalid characters in socket filter list name. Semicolons, commas, percent signs, and backslashes are invalid.

15009 = Invalid socket filter list type. Valid types are: black, white.

15010 = Socket filter host address required.

15011 = Invalid socket filter host address. Address must be a valid IP address.

15012 = Socket filter port required.

15013 = Invalid socket filter port %s. Port must be a valid TCP port.

15014 = A socket filter list with name %s already exists.

15015 = Socket filter list not found.

15016 = Command filter list name required.

15017 = Command filter list type required.

15018 = Invalid characters in command filter list name. Semicolons, commas, percent signs, and backslashes are invalid.

15019 = Invalid command filter list type. Valid types are: black, white.

15020 = Invalid command filter alert value. Valid values are: t, f.

15021 = Invalid command filter block value. Valid values are: t, f.

15022 = Invalid command filter regular expression value. Valid values are: t, f.

15023 = Command filter keyword required.

15024 = A command filter list with name %s already exists.

15025 = Socket filter list id must be a positive integer.

15026 = Command filter list id must be a positive integer.

15027 = Command filter list not found.

15028 = Duplicate entry, %s, defined for socket filter list.

15029 = Duplicate keyword, %s, defined for command filter list.

15030 = Duplicate ports %s for socket filter host %s.

15031 = SFA Log All Access value required.

15032 = Either (comma delimited) individual ports or a single port range must be specified, not (%s).

15033 = A comma delimited port string cannot be more than 512 characters long.

15034 = Invalid AWS policy name %s. Name must only have alphanumeric characters and =,.@ or -.

15035 = AWS policy not found.

15036 = AWS policy name cannot be longer than 128 characters.

15037 = AWS policy name %s must be unique.

15038 = AWS policy is in use and may not be deleted.

15039 = AWS session duration invalid.

15040 = JSON for AWS policy invalid.

15041 = AWS policy too large to compile. See log for details.

15042 = AWS policy invalid. See log for details.

15043 = AWS policy required.

15044 = In order to create an AWS policy at least one Access Key must be defined in Password Authority.

15045 = Invalid filter list type specified. Valid values are: white, black.

15046 = The enabled filter is not supported for SSLVPN service type.

15047 = The command filter %s has been deleted.

15048 = The socket filter %s has been deleted.

16xxx - Logging and Reporting Messages


16000 = Cannot add an existing report.

16001 = Report name required.

16002 = Choose either relative or absolute date range.

16003 = Badly formed relative date interval.

16004 = Invalid relative date reporting interval.

16005 = Invalid relative date reporting amount.

16006 = At least one column must be specified for a report.

16007 = Invalid email address specified. Multiple addresses must be separated by a comma.

16008 = Email address required.

16009 = The interval between emails is not defined properly.

16010 = The time to send the email is not defined properly.

16011 = Email send interval required.

16012 = Only the original author of a report or a Global Administrator may update or delete it.

16013 = Relative report dates must specify the number of days, weeks or months to include in the report.

16014 = Log report not found.

16015 = Invalid date range format.

16016 = Start date must be before end date.

16017 = Invalid list of columns for report.

16018 = Unable to locate recording data. The file may have been removed, or the mount may be
down.

16019 = Session Recording Integrity Failure: This session recording appears to have been modified
since it was recorded. Proceed at your own risk.

16020 = A report named %s already exists for this user.

16021 = startDate must be specified if endDate is specified.

16022 = endDate must be specified if startDate is specified.

16023 = Session recording can not be started for '%s' in %s safe mode because mount is down.

16024 = Session recording can not be started for '%s' because %s session recording is disabled.

16025 = Network mount for session recording unavailable.

16026 = Invalid format of Start Date.

16027 = Invalid format of End Date.

16028 = Invalid selected range type format.

16029 = Email daily time required.

17xxx - Policy Conflict Messages


17000 = Updating the group membership for %s will cause a %s filter policy conflict for %s from the
following policies:

17001 = Socket filter %s list policy %s from association between user %s and device %s.

17002 = Command filter %s list policy %s from association between user %s and device %s.

17003 = Adding %s to group %s will cause a %s filter policy conflict for %s from the following policies:

17004 = Adding device %s to %s will cause a %s filter policy conflict for %s from the following policies:

17005 = Adding %s to group %s will cause a %s filter policy conflict for %s from the following policies:

17006 = Policy settings for association will cause a %s filter policy conflict for %s and %s from the
following policies:

17007 = Not authorized to retrieve policy conflicts.

17008 = Policy conflicts exist in CA Privileged Access Manager.. Navigate to the policy conflict page to
view the conflicts.

17009 = Credential %s from association between user %s and device %s.

17010 = Updating the group membership for %s will cause a credential policy conflict for access
method %s on %s from the following policies:

17011 = Adding %s to group %s will cause a credential policy conflict for access method %s on %s
from the following policies:

17012 = Adding device %s to %s will cause a credential policy conflict for %s for access method %s
from the following policies:

17013 = Adding access method %s to %s will cause a credential policy conflict for %s from the
following policies:

17014 = Adding %s to group %s will cause a credential policy conflict for %s for access method %s
from the following policies:

17015 = Adding access method %s to group %s will cause a credential policy conflict for %s on %s
from the following policies:

17016 = Policy settings for association will cause a credential policy conflict for %s and access method
%s on %s from the following policies:

17017 = Policy settings cause a credential conflict for secondary login. See your Xsuite Administrator
and check the log for details.

18xxx - Authentication-Related Messages


18001 = Invalid authentication method: <name>.

18002 = Bad User ID (<name>) or Password.

18003 = You are not allowed to login at this time.

18004 = To login you have to accept the terms of the license.

18005 = This account is deactivated. See your CA Privileged Access Manager Administrator.

18006 = No Email Contact to Alert: <name>

18007 = Email alert sent to user: <name>

18008 = User <name> deactivated due to reaching the password failure limit.

18009 = Account <name> has expired. See your CA Privileged Access Manager Administrator.

18010 = Account <name> is not yet activated. See your CA Privileged Access Manager Administrator.

18011 = Account <name> has been deactivated due to extended inactivity. See your CA Privileged
Access Manager Administrator.

18012 = Unable to create security context for user <name>.

18013 = Due to account modifications, please change your password.

18014 = Due to password timeout, please change your password.

18015 = Due to increased password security, please change your password.

18016 = User <name> has logged into the Xceedium CA Privileged Access Manager appliance device.

18017 = User <name> logged in.

18018 = This Xsuite appliance is in maintenance mode. Only admin level users can login.

18019 = User <name> logged in successfully via <local_auth_method> authentication.

18020 = User deactivated.

18021 = Deactivated account %s. Exceeded inactivity limit.

18022 = Deactivated account %s. Account expired.

18023 = Single Sign On authentication failed. Please retry login.

18024 = You are logged out of CA Privileged Access Manager.

18025 = Single sign-on session expired. Please re-login.

18026 = Multiple CA Privileged Access Manager user accounts have the same SAML user name <name>.
%s. Rejecting the SAML authentication request and deactivating all user accounts with SAML user
name <name>.

18027 = User <name> from SAML enabled group <name> has the same SAML user name <name>
from SAML attribute %s. User account deactivated.

18028 = Single sign-on authentication failed. Please contact your system administrator.

18029 = SAML user <name> not found in CA Privileged Access Manager or does not belong to a SAML
enabled group.

18030 = SAML assertion %s timestamp exceeds validity window by approximately %s minutes.
Assertion Issued: %s.

18031 = SAML assertion issuer, %s, does not match configured issuer %s.

18032 = Invalid SAML assertion recipient URL: %s.

18033 = SAML assertion recipient, %s, not recognized. Valid recipients are: %s.

18034 = SAML assertion received by authentication service at time %s is before SAML Not-Before
Condition %s.

18035 = SAML assertion received by authentication service at time %s is after SAML Not-On-Or-After
Condition %s.

18036 = SAML assertion received with a non-successful status code %s.

18037 = CA Privileged Access Manager appliance in FIPS mode. SAML SSO disabled.

18038 = User attempted to login via SAML SSO but SAML SSO is not enabled.

18039 = SAML assertion not found in request.

18040 = Unable to decode SAML assertion.

18041 = SAML assertion failed schema validation.

18042 = Verification of SAML assertion failed: Certificate of SAML assertion producer has not been
uploaded to CA Privileged Access Manager.

18043 = Saving the SAML assertion to a temporary file failed.

18044 = SAML assertion failed signature verification.

18045 = There are no user groups configured for SAML SSO.

18046 = Login failed for user <name> due to multiple active RADIUS users having the same login
name. All RADIUS users with login name <name> will be deactivated.

18047 = Login Failed. Please contact your system administrator for further assistance.

18048 = GK Authentication Daemon communication failure: %s

18049 = GK Authentication Daemon access rejected message: %s

18050 = GK Authentication Daemon General Error occurred (%s). Please check if the GK auth daemon
is properly set up.

18051 = RADIUS user <name> is not registered. Contact your CA Privileged Access Manager
Administrator.

18052 = Authentication failed for RADIUS user %s. RADIUS authentication succeeded but unable to
retrieve the user's RADIUS group.

18053 = Authentication failed for RADIUS user %s. RADIUS authentication succeeded but the user's
RADIUS group changed from %s to %s. The new RADIUS group is not registered with CA Privileged
Access Manager. User account deleted.

18054 = RADIUS user %s moved from RADIUS group <name> to RADIUS group <name>.

18055 = Authentication failed for RADIUS user <name>. RADIUS authentication succeeded but the
user's RADIUS group, <name>, is not registered. User will be logged out.

18056 = Adding RADIUS user <name> to CA Privileged Access Manager failed with message(s): %s.

18057 = Authentication user <name> returned an invalid %s challenge response for %s
authentication. Authentication request denied.

18058 = Unrecognized RADIUS challenge type %s. Authentication request for user <name> denied.

18059 = SAML RADIUS authentication succeeded but the RADIUS group was not passed to CA
Privileged Access Manager. User will be deleted and logged out.

18060 = Cisco SSO RADIUS user <name> moved to registered RADIUS group %s.

18061 = User is not logged in.

18062 = Verify user credentials does not support the authentication method configured for the user.

18063 = User not found.

18064 = Determining the least-loaded CA Privileged Access Manager appliance for user (<name>)'s
session failed. Granting the user a session on this appliance.

18065 = Invalid attempt to acquire a session on this CA Privileged Access Manager appliance as user
<name> via CA Privileged Access Manager load balance redirect.

18066 = Login failed for user <name> due to multiple active RSA users having the same login name.
All RSA users with login name <name> will be deactivated.

18067 = Login Failed. Please contact your system administrator for further assistance.

18068 = User %s selected to authenticate via %s but the configured authentication method for the
user is %s.

18069 = The Active Directory user with user principal name <name> or samAccountName %s is not
registered with Xsuite.

18070 = The LDAP user with attribute %s=%s is not registered with CA Privileged Access Manager

18071 = User <name> session is set for post-authentication load balancing to member %s. The user's
session will be destroyed on this member and resumed on member %s.

18072 = User <name> session has been post-authentication load balanced to this member. The user's
session will be resumed on this member.

18073 = User <name> failed LDAP+RSA authentication. The LDAP authentication failed.

18074 = User <name> failed LDAP+RSA authentication. The RSA authentication failed with RSA user
name <name>.

18075 = User <name> attempted to access from an unauthorized IP: %s. The only authorized
networks are [%s].

18076 = You have attempted to gain access from an invalid network. Please contact your
administrator.

18077 = You have not been authorized to connect.

18078 = User <name> attempted an invalid PKI authentication.

18079 = PKI authentication failed with error: %s

18080 = PKI user <name> not approved for access.

18081 = LDAP authentication failed for user <name> with error code (%s) and error string (%s). The
user entered an incorrect password.

18082 = Your LDAP password has been reset. You are required to change your password.

18083 = Your LDAP password has expired. You are required to change your password.

18084 = The user's LDAP domain is not configured with CA Privileged Access Manager to use TLS and
therefore CA Privileged Access Manager will not enable the user to change their password.

18085 = User <name> logged in successfully via %s authentication but will be required to change
their password.

18086 = A user authenticated with login name <name> but a user with the specified login name is not
registered with CA Privileged Access Manager.

18087 = User <name> failed LDAP+RADIUS authentication. The LDAP authentication failed.

18088 = User <name> failed LDAP+RADIUS authentication. The RADIUS authentication failed with
RADIUS user name <name>.

18089 = PKI user(s) <name> not approved for access.

18090 = Invalid pending PKI user ids specified: %s.

18091 = PKI user(s) <name> approved for access.

18092 = Unable to approve the pending PKI user <name> for access: %s.

18100 = User $name logged in successfully via local authentication but will be required to change
their password.

18101 = A user authenticated with login name $name but a user with the specified login name is not
registered with CA Privileged Access Manager.

18103 = User $user failed LDAP+RADIUS authentication. The RADIUS authentication failed with
RADIUS user name $name2.

18104 = PKI user(s) <name> not approved for access.

18105 = Invalid pending PKI user ids specified: %s.

18106 = PKI user(s) <name> approved for access.

18107 = Unable to approve the pending PKI user <name> for access: %s.

18108 = Xsuite as a SAML RP received an authentication request for uknown SAML identity provider
%s.

18109 = An error occurred while processing SAML assertion: %s.

18110 = SAML SSO Authentication Failure: The received assertion did not include a subject name
identifier nor the userName SAML attribute.

18111 = SAML password view request out-of-sync (%s != %s): The user's internal id did not match the
id contained in the user's session.

18112 = Please accept the license to proceed.

18113 = The user was required to accept the license but canceled. Access denied.

18114 = The following group names contained in the SAML assertion do not exist in Xsuite and will be
ignored in the Just In Time provisioning of the user user_name: %s.

18115 = User <name> re-logged in successfully via %s authentication.

18116 = User <name> failed %s re-authentication.

18117 = Authentication type mismatch on re-authentication.

18118 = User mismatch on re-authentication.

18119 = Proxy authentication failed. Cannot find corresponding Xsuite user.

18120 = Configuration Password is still the default value.

18121 = PKI user <name> approved. User was created.

18122 = Attempt to approve PKI user <name> failed. Message was %s.

18123 = SAML SSO of Just-In-Time provisioned user <name> failed due to missing required attribute
%s.

18124 = SAML SSO of Just-In-Time provisioned user <name> failed because the userGroup attribute
of the SAML assertion does not contain a valid Xsuite user group name. The groups specified in the
SAML assertion were: %s.

18125 = The user groups of the Just-In-Time provisioned user <name> has been updated: %s.

18126 = The user groups of the Just-In-Time provisioned user <name> has been updated: %s. The
following user groups contained in the assertion are not valid Xsuite user groups and will be ignored:
%s.

18127 = SAML SSO Authentication Failed: Updating the user groups of SAML SSO Just-In-Time
provisioned user <name> failed: %s

18128 = SAML SSO of Just-In-Time provisioned user <name> succeeded. The user's group
membership has not changed. The assertion also contained the following group names that do not
exist in Xsuite: %s.

18129 = LDAP user account <name> is disabled in Active Directory.

19xxx - Access Service Messages


19001 = Task not enabled.

19002 = Unexpected command filter policy conflict - launch aborted.

19003 = Unexpected socket filter policy conflict - launch aborted.

19004 = Missing required device data - launch aborted.

19005 = Unauthorized attempt by user %s to view the access page for user %s.

19006 = Unexpected filter policy conflict - launch aborted.

19007 = Unexpected credential conflict - launch aborted.

19008 = Unauthorized attempt to set LDAP browser port.

19009 = Unauthorized attempt to update LDAP browser domain destination.

19010 = Unexpected AWS policy conflict - launch aborted.

19011 = AWS Policy %s missing.

19012 = Unable to launch AWS Management Console. If this problem persists then ask your
Administrator to investigate.

19013 = User %s attempted to launch recorded web portal %s but the mount is down. Due to the
configured security safe policy, the user's connection attempt will be denied;

19014 = User %s attempted to launch recorded web portal %s but the mount is down. Due to the
configured operational safe policy, the user's connection attempt will be granted but not recorded.;

19015 = CA Privileged Access Manager denied web portal %s's connection to host %s because it does
not match an entry in the web portal's access list.

19016 = CA Privileged Access Manager denied a request to proxy an HTTP connection to host %s
because the request could not be verified to have originated from an Xceedium browser instance.

19017 = CA Privileged Access Manager denied the user's access to web portal %s. The Xceedium
browser is not supported on the %s operating system.

19018 = CA Privileged Access Manager denied user's unauthorized access to web portal %s on host
%s.

19019 = CA Privileged Access Manager unable to find connection data authorizing service %s's access
to host %s.

19020 = CA Privileged Access Manager denied the user's access to web portal %s. The Xceedium
browser requires a 32-bit JRE.

19021 = CA Privileged Access Manager denied the user's SSO access to the AWS Management
Console with: invalid SSO credentials specified.

19022 = No Office365 HTML was generated.

19023 = Unable to launch Office 365 portal: Error code %s: %s.

19024 = Unable to launch Office 365 portal: Office 365 parameters are not configured.

19025 = Unable to launch Office 365 portal: Login credential not found.

19100 = Access to credential denied because authorization is required. Authorization request sent.
Try again later.

19101 = Access to credential denied because the credential is already checked out by someone else.
Try again later.

19102 = Access to credential denied because authorization request is still pending. Try again later.

19103 = Unable to generate AWS proxy account. Please contact Xsuite administrator

19104 = Unable to generate NSX proxy account. Please contact Xsuite administrator

19105 = The session URL does not match with the URL triggered by the UI

19106 = Access denied because of internal failure. Please contact Xsuite administrator.

19107 = Access denied because a credential was not chosen or is not available. Please launch the
service and choose an available credential.

19108 = Access denied because dual authorization is required. If a password view request is not
pending please launch the service to create one.

19109 = Proxy was not launched because the user failed to correctly respond to the pop up in time.

20xxx - Credential Management Messages


20000 = Credential daemon is not available.

20001 = Credential id not found.

20002 = No credential sources available.

20003 = Could not update or save credential. Check that the title is not already in use.

20004 = Password Authority invalid authentication.

20005 = Password Authority unavailable.

20006 = Unexpected error in source response.

20007 = This password is a privileged password; it cannot be used for single sign-on for target device.

20008 = No Password Authority username and password provided.

20009 = The credential service did not find a cryptographic encryption key. Regenerating key; existing
credentials will be lost.

20010 = The credential service was not able to contact database.

20011 = The internal credential source storage is currently disabled by administrator.

20012 = The credential daemon has been given an invalid input.

20013 = The requested credential is corrupted or cannot be decrypted.

20014 = Unexpected error sent by credential daemon; please contact your administrator.

20015 = Credential not available. Please contact your administrator.

21xxx - Audit Log Messages


21000 = Unauthorized attempt to add a message to the audit log: %s

22xxx - View and Search Management Messages


22000 = Badly formed data - operation not performed

22001 = This view should be updated, not added.

22002 = View %s not added.

22003 = Invalid search specified for view.

22004 = Duplicate view name.

23xxx - Cluster Management Messages


23000 = Unauthorized access to cluster configuration.

23001 = Passphrase is required to generate the shared cluster key.

23002 = Cluster shared key is required.

23003 = Cluster shared key must be a 40-character-long hexadecimal string.

23004 = The interface to use for cluster communications must be specified.

23005 = Invalid cluster interface specified. Valid values are %s.

23006 = Virtual Management IP Address is required.

23007 = Virtual Management IP Address must be a valid IP address.

23008 = Virtual Management IP Domain Name must be a valid hostname.

23009 = Invalid cluster member list specified.

23010 = Cluster must contain at least two members, including this CA Privileged Access Manager
appliance.

23011 = The IP address specified for this CA Privileged Access Manager appliance in the cluster
member list cannot be assigned to the cluster interface.

23012 = This CA Privileged Access Manager appliance must be a member of the cluster.

23013 = The subnet of the CA Privileged Access Manager appliance cluster interface is required.

23014 = Invalid cluster subnet format specified.

23015 = Invalid cluster subnet network address %s.

23016 = Invalid cluster subnet network mask %s.

23017 = The specified cluster subnet does not have enough host addresses (%s) for all cluster
members (%s).

23018 = The specified NAT address %s is not a valid IP address or hostname.

23019 = The specified PAT address %s is not a valid IP address or hostname.

23020 = The specified PAT port %s is not a valid port number.

23021 = Failed to authenticate to cluster member %s. Please confirm that the shared key has been
configured on the cluster member.

23022 = Failed to save the cluster configuration on member %s. Error(s) received: %s

23023 = Failed to save the cluster configuration on member %s. Unable to establish a connection to
the CA Privileged Access Manager appliance.

23024 = Failed to start the cluster due to configuration errors.

23025 = The cluster configuration values do not match for fields: %s.

23026 = Failed to start the cluster. The cluster configuration on members %s and %s are not the
same. The errors reported by %s are: %s.

23027 = Failed to start the cluster. Unable to check for consistent cluster configuration on member
%s. The remote errors reported are: %s.

23028 = Failed to start the cluster. Unable to establish a connection to member %s.

23029 = Failed to start the cluster. Configuring the replication interface on member %s failed.

23030 = Failed to start the cluster. Unable to successfully ping cluster member %s.

23031 = Failed to start the cluster. Unable to retrieve hostname data from cluster member %s.

23032 = Failed to start the cluster. Unable to save hostname data on cluster member %s.

23033 = Failed to stop the cluster on member %s: %s

23034 = Failed to stop the cluster due to configuration errors.

23035 = Failed to start the cluster. Unable to configure and start the cluster runtime.

23036 = Failed to configure the cluster runtime on member %s.

23037 = Starting the cluster runtime has failed.

23038 = Starting the cluster runtime on member %s has failed.

23039 = Unable to start cluster members %s.

23040 = The specified CA Privileged Access Manager appliance is not a member of the cluster.

23041 = Failed to stop cluster member %s due to configuration errors.

23042 = Failed to start cluster member %s: %s

23043 = The cluster interface, %s, is already in use on cluster member %s.

23044 = Unable to make a connection to the remote CA Privileged Access Manager appliance %s.

23045 = The cluster must be enabled before starting or stopping individual cluster members.

23046 = Starting the cluster ...

23047 = Checking the consistency of the cluster configuration across all members ...

23048 = Starting the cluster failed. Checking the cluster configuration consistency failed for %s
member(s): %s.

23049 = Computing the addresses to assign to the cluster interfaces ...

23050 = Assigning computed addresses to the cluster interfaces ...

23051 = Assigning computed addresses to the cluster interface failed for member(s): %s.

23052 = Verifying that all cluster interfaces have been properly configured ...

23053 = Pinging all cluster members using the configured cluster interface failed for member(s): %s.

23054 = Assigning internal hostnames to cluster members ...

23055 = Assigning internal hostnames to cluster members failed for member(s): %s.

23056 = Configuring the cluster runtime ...

23057 = Starting the cluster runtime ...

23058 = The cluster is online.

23059 = Starting the cluster master on member %s ...

23060 = Attempt %s/%s: Checking if the master is online ...

23061 = The cluster master is online. Starting the remaining cluster member(s) ...

23062 = Starting the cluster has failed. Unable to start the cluster master %s.

23063 = Attempt %s/%s: Waiting for %s/%s member(s) to come online ...

23064 = Cluster member %s is now online.

23065 = Cluster member %s failed.

23066 = Starting the cluster has failed: Unable to start cluster member(s): %s.

23067 = Stopping the cluster ...

23068 = Stopping the cluster on member %s...

23069 = Cluster member %s stopped.

23070 = Stopping the cluster failed on %s/%s member(s): %s.

23071 = Cluster successfully stopped.

23072 = Starting cluster member %s ...

23073 = Cluster started on member %s.

23074 = Attempt %s/%s: Waiting for member to come online ...

23075 = The cluster is currently out of sync, or a node is missing. Please go to the Synchronization
page for more information.

23076 = This cluster node received a remote API call from source %s with an incorrect shared key: %s.

23077 = Unauthorized attempt to retrieve cluster logs on this node. The shared key did not match.

24xxx - Login Sessions Management Messages


24000 = Keystroke %s Notice: %s

24001 = Date/Time: %s \n User ID : %s \n User Source IP: %s \n Violation on: %s \n Captured
Keystrokes: %s \n\n %s

24002 = Unauthorized attempt by user %s to deactivate user account %s.

24003 = A potential tampering attempt has been detected, the end-user's local system may be
compromised. Account deactivated.

24004 = User %s terminated login session for user %s.

24005 = Failed to terminate the %s connection to %s for user %s.

24006 = User %s terminated the %s connection to %s for user %s.

24007 = Exceeded the maximum number of allowed violations. Account deactivated.

24008 = Your session has been terminated by an CA Privileged Access Manager administrator.

24009 = Your connection to %s on %s has been terminated by an CA Privileged Access Manager
administrator.

24010 = Your account has been deactivated. See your CA Privileged Access Manager administrator.

24011 = Exceeded the maximum number of allowed violations. Session terminated.

24012 = A potential tampering attempt has been detected, the end-user's local system may be
compromised. Session will be terminated.

24013 = Exceeded the maximum number of allowed violations but since this is a global administrator
account, the account will not be deactivated.

24014 = A potential tampering attempt has been detected on your system. Your session will be
terminated.

24015 = User %s requested re-authentication for user %s.

24016 = Invalid action or filter criteria..

24017 = Your session has been terminated. Please re-authenticate to Xsuite.

24018 = SAML session types cannot be re-authenticated.

25xxx - Configuration Management Messages


25001 = CA Privileged Access Manager is not provisioned with a valid license.

25002 = CA Privileged Access Manager license will expire on %s.

25003 = CA Privileged Access Manager license will expire today.

25004 = CA Privileged Access Manager license has expired and access services will be disabled on %s.
Please contact your Xceedium Account Representative.

25005 = CA Privileged Access Manager license has expired and access services are now disabled.
Please contact your Xceedium Account Representative.

25010 = Version value not numeric.

25011 = Hardware ID not a string.

25012 = Access license not an integer.

25013 = Password license not an integer.

25014 = A2A license not an integer.

25015 = Invalid value for mainframe license.

25016 = Invalid value for AWS license.

25017 = Invalid value for perpetual license.

25018 = Invalid value for start date.

25019 = Invalid value for end date.

25020 = Invalid value for spike license.

25021 = Invalid value for eval license.

25022 = Start date is in the future.

25023 = End date is greater than start date.

25024 = End date is in the past.

25025 = End date required but not specified.

25026 = Updated license.

25027 = Insufficient permissions to update license.

25028 = Insufficient permissions to set hardware serial.

25029 = License file contains invalid parameters

25030 = Hardware in the license does not match the appliance.

25031 = There are more CA Privileged Access Manager devices than this license permits.

25032 = There are more Password devices than this license permits.

25033 = There are more A2A devices than this license permits.

25034 = New license does not permit AWS. Clear your AWS configuration before continuing.

25035 = New license does not permit mainframe access. Remove existing mainframe Access Methods
before continuing.

25036 = CA Privileged Access Manager license is invalid and access services are now disabled. Please
contact your Xceedium Account Representative.

25037 = AWS license requires Access and Password license nodes.

25038 = The license was not updated. There was a failure deleting the Office365 device. See the audit
log for more details.

25039 = The license was not updated. There was an error provisioning the Office365 device. See the
audit log for more details.

25040 = The license was not updated. There was a failure deleting the AWS device. See the audit log
for more details.

25041 = The license was not updated. There was an error provisioning the AWS device. See the audit
log for more details.

25042 = New license does not permit Office365. Clear your Office365 configuration before
continuing.

25043 = There are more AWS Proxy users than this license permits.

25044 = AWS Proxy license requires Access, Password, and A2A nodes.

25045 = CA Privileged Access Manager evaluation license will expire today.

25046 = CA Privileged Access Manager evaluation license has expired and access services will be
disabled on %s. Please contact your Xceedium Account Representative.

25047 = CA Privileged Access Manager evaluation license has expired and access services are now
disabled. Please contact your Xceedium Account Representative.

25048 = Spike (temporary) CA Privileged Access Manager license will expire on %s.

25049 = Spike CA Privileged Access Manager license will expire today.

25050 = Spike CA Privileged Access Manager license has expired and access services will be disabled
on %s. Please contact your Xceedium Account Representative.

25051 = Spike CA Privileged Access Manager license has expired and access services are now
disabled. Please contact your Xceedium Account Representative.

25052 = CA Privileged Access Manager license is invalid: %s

25053 = New license does not permit VMware. Clear your VMware configuration before continuing.

25054 = VMware license requires at least one PA license node.

25060 = Invalid license file

25061 = Invalid start date

25062 = Invalid end date

25063 = Start date in the future.

25064 = More GateKeeper Devices are provisioned than are permitted by this CA Privileged Access
Manager license.

25065 = More Password Devices are provisioned than are permitted by this CA Privileged Access
Manager license.

25066 = More A2A Devices are provisioned than are permitted by this CA Privileged Access Manager
license.

25067 = AWS capabilities in use, but not permitted by license.

25068 = Mainframe access method policies found, but not permitted by license.

25069 = Unable to determine license type.

25070 = VMware capabilities in use, but not permitted by license.

25071 = Office365 capabilities in use, but not permitted by license.

25072 = AWS API Proxy license not an integer.

25073 = AWS API Proxy license cannot be removed. There are %s user(s) with the AwsApiProxy
privilege.

25074 = AWS API Proxy capabilities in use, but not permitted by license.

25075 = Failed to update AWS API Proxy whitelist: %s.

25076 = Invalid action issued to AWS API Proxy whitelist: %s.

25077 = Invalid subnet %s. Format should be in CIDR notation (xxx.xxx.xxx.xxx/xx).

25078 = HSM capabilities in use, but not permitted by license.

25079 = Invalid permission to activate admin mode.

25080 = Web SSO not enabled.

25081 = SafeNet HSM must be removed before Thales HSM may be licensed.

25082 = Thales HSM must be removed before SafeNet HSM may be licensed.

25083 = Only one type of HSM (SafeNet, Thales) may be specified in a license.

25084 = The license was not updated. There was a failure setting up VMware. See the audit log for
more details.

25085 = The license was not updated. There was a failure shutting down VMware. See the audit log
for more details.

25086 = Upgrade failed. Please review the audit log and then perform a system recovery.

25087 = Failed to install API key infrastructure. Please check the logs to find the problem and reapply
the license.

25088 = The license was not updated. External API feature was not added. Please check the logs to
find the problem and reapply the license.

25089 = The license was not updated. External API feature not removed. Existing client API keys may
need to be deleted.

25090 = Invalid value for External API license.

25091 = Failed to update Proxy whitelist: %s.

25092 = Invalid action issued to Proxy whitelist: %s.

25093 = Invalid subnet %s. Format should be in CIDR notation (xxx.xxx.xxx.xxx/xx).

25094 = AWS Proxy Account cannot be generated. There are more AWS proxy accounts than license
permits;

25095 = NSX Proxy Account cannot be generated. There are more NSX proxy accounts than license
permits;

25096 = The license was not updated. Uploaded license file could not be verified or read.

25097 = BAP license requires that External API also be licensed.

25098 = The BAP special user is deleted when the BAP is no longer licensed, and may not be deleted
otherwise.

25099 = Invalid value for Behavior Analytics license.

25100 = The license was not updated. Behavior Analytics feature was not added. Please check the
logs to find the problem and reapply the license.

25101 = The license was not updated. Behavior Analytics feature not removed. Please check the logs
to find the problem and reapply the license.

26xxx - SafeNet HSM Configuration Messages


26001 = CA Privileged Access Manager is not provisioned to use an HSM

26002 = Error trying to provision CA Privileged Access Manager for SafeNet HSM.

26003 = SafeNet HSM with address %s added.

26004 = Attempt to remove the SafeNet HSM configuration failed due to the passwords currently
being re-encrypted

26005 = HSM with address %s removed.

26006 = Attempt to initialize LUNA PCI has failed

26007 = LUNA PCI has been initialized successfully

26008 = Attempt to activate LUNA PCI has failed

26009 = LUNA PCI has been activated

26010 = Attempt to extract LUNA PCI Key has failed

26011 = LUNA PCI Key extracted

26012 = Failed to securely insert the cipher key

26013 = Success inserting the encrypted cipher key into the LunaPCI-E device

26014 = Failed to initialize the internal LunaPCI-E device

26015 = Failed to create a partition on the internal LunaPCI-E device

26016 = Success initializing the internal LunaPCI-E device

26017 = Failed to securely extract the cipher key

26018 = Failed to PED activate the LunaPCI-E partition

26019 = Failed to secure the partition password for the LunaPCI-E partition

26020 = Failed to log into the partition with the supplied password

26021 = Failed to generate the cypher key during the initial activation

26022 = Success activating the LunaPCI-E device on this non primary clustered CA Privileged Access
Manager

26023 = Success activating the LunaPCI-E device on this primary clustered CA Privileged Access
Manager

26024 = Success activating the LunaPCI-E device on this standalone CA Privileged Access Manager

26025 = Error HSM script arguments are incomplete

26026 = Error CA Privileged Access Manager is not configured to use an HSM

26027 = Error the HSM password is incorrect

26028 = Success updating the HSM password

27xxx - Secondary Transparent Login Management Messages


27001 = Transparent Login Configuration name is empty.

27002 = Transparent Login Configuration invalid. See log for details.

27003 = Transparent Login Configuration name cannot be longer than 128 characters.

27004 = XML for Transparent Login Configuration invalid.

27005 = Transparent Login Configuration not found.

27006 = Transparent Login Configuration name %s must be unique.

27007 = The given Transparent Login Configuration is used by one or several RDP applications.

27008 = Hide from user is required.

27009 = Transparent Login Enabled is required.

27010 = Invalid data 'Hide From User'.

27011 = Invalid data 'Transparent Login Enabled'.

27012 = Transparent Login window is required.

27013 = Invalid Transparent Login Window.

27014 = Application Fingerprint must consist of 40 characters.

27015 = Invalid Application Fingerprint. Only the following characters are allowed for fingerprint: 0-9
A-F.

27016 = Transparent Login Configurations for RDP Application %s do not exist, or the Transparent
Login section contains invalid data (Window Titles: %s).

27017 = Transparent Login Window with the title '%s' already exists for this RDP application.

27018 = Login failed for user %s due to multiple active TACACS+ users having the same login name.
All TACACS+ users with login name %s will be deactivated.

27019 = Login Failed. Please contact your system administrator for further assistance.

27020 = TACACS+ user %s moved from TACACS+ group %s to TACACS+ group %s.

27021 = Authentication failed for TACACS+ user %s. TACACS+ authentication succeeded but the user's
TACACS+ group changed from %s to %s. The new TACACS+ group is not registered with Xsuite. User
account deleted.

27022 = TACACS+ user %s is not registered. Contact your Xsuite Administrator.

27023 = Authentication failed for TACACS+ user %s. TACACS+ authentication succeeded but unable to
retrieve the user's TACACS+ group.

28xxx - AWS and VMware Virtual Device Management Messages


28001 = Duplicate %s Provision is not allowed.

28002 = Unable to retrieve AWS proxy account. Please contact Xsuite administrator.

28003 = Unable to retrieve NSX proxy account. Please contact Xsuite administrator.

28004 = There was an error during proxy account deletion.

29xxx - Credential Management API Non-devices Messages


29001 = Role description may not be longer than 100 characters.

29002 = Invalid target account id specified.

29003 = Invalid target application id specified.

29004 = The password request failed: %s

29005 = Invalid type %s for listing password view requests.

30xxx - Session Recording Messages


30001 = Session recording mount not available. The reconciliation process was not launched.

31xxx - GateKeeperService Messages


31001 = This Xsuite appliance is in maintenance mode. Only admin users will be able to login.

32xxx - Upgrade, Backup, and Recovery Messages


32001 = Applied patch '%s': %s

32002 = Upgrading to the same version could cause unexpected result

32003 = Problem applying the upgrade package

32004 = This upgrade requires a reboot of the system. Please stop the cluster before proceeding with
the upgrade

32005 = Upgrade package has been applied successfully

32006 = Backup of the appliance takes time. Please be patient and wait until it reboots.<br/>The LCD
will show the message <b>System backup! Please wait!</b><br/> Wait until the normal operation
message shows on the LCD then log in again and resume work in your browser.

32007 = Recover of the appliance takes time. Please be patient and wait until it reboots.<br/>The LCD
will show the message <b>System backup! Please wait!</b><br/> Wait until the normal operation
message shows on the LCD then log in again and resume work in your browser.

32008 = An error occurred while running the backup

32009 = An error occurred while running recovery

32010 = Configuration-Upgrade: Performing Backup

32011 = Configuration-Recovery: Performing Recovery

32012 = An error occurred while trying to delete the staging file

33xxx - CA Threat Analytics Related Messages


33001 = BAP update failed. Message (if any) was %s;

33002 = BAP update succeeded in part and failed in part.

33003 = BAP get failed.

33004 = CA Privileged Access Manager is collecting and analyzing limited information about your
client system and sessions

Credential Manager Error Messages


The Credential Manager CLI returns an XML string for each command. The return string includes a
status code, a status description, and a result comprised of each of the parameters associated with
the object of the command. The following is an example:
<CommandResult>
   <cr.itemNumber>0</cr.itemNumber>
   <cr.statusCode>400</cr.statusCode>
   <cr.statusDescription>Success.</cr.statusDescription>
</CommandResult>
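A small parser for that return string, added here as an example and not CA's own code: it reads the three cr.* status elements shown above, keeps any further result elements keyed by their tag (an assumption about how the object's parameters are reported, which the text does not spell out), and classifies the status code using the code list later on this page, where 0 and 400 are both "Success." and 32 is success with a license warning. Both sample outputs are constructed.

```python
"""Interpret the <CommandResult> XML that the Credential Manager CLI returns."""
import xml.etree.ElementTree as ET

# Status codes from the code list on this page that do not indicate a failure:
# 0 and 400 are both "Success."; 32 is success with a license-limit warning.
# 400 is NOT an HTTP-style error here, so a generic ">= 400 means failure"
# check would misreport every successful Credential Manager command.
SUCCESS_CODES = {0, 400}
WARNING_CODES = {32}

# Constructed sample outputs modelled on the page's example (not captured from an appliance).
SAMPLE_SUCCESS = """<CommandResult>
   <cr.itemNumber>0</cr.itemNumber>
   <cr.statusCode>400</cr.statusCode>
   <cr.statusDescription>Success.</cr.statusDescription>
</CommandResult>"""

SAMPLE_FAILURE = """<CommandResult>
   <cr.itemNumber>0</cr.itemNumber>
   <cr.statusCode>22</cr.statusCode>
   <cr.statusDescription>Authorization failed. User auditor does not have permission for this action.</cr.statusDescription>
</CommandResult>"""


def parse_command_result(xml_text):
    """Return itemNumber, statusCode, statusDescription and any remaining elements.

    The three cr.* status elements are the ones shown on this page; every other
    child element is kept under "result" keyed by its tag (an assumption about how
    the CLI reports the object's parameters).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "CommandResult":
        raise ValueError("unexpected root element: %s" % root.tag)
    status_tags = ("cr.itemNumber", "cr.statusCode", "cr.statusDescription")
    fields = {}
    for tag in status_tags:
        node = root.find(tag)
        if node is None:
            raise ValueError("missing element: %s" % tag)
        fields[tag] = (node.text or "").strip()
    return {
        "itemNumber": int(fields["cr.itemNumber"]),
        "statusCode": int(fields["cr.statusCode"]),
        "statusDescription": fields["cr.statusDescription"],
        "result": {c.tag: (c.text or "").strip() for c in root if c.tag not in status_tags},
    }


def command_outcome(parsed):
    """Classify a parsed result as 'success', 'warning' or 'failure'."""
    code = parsed["statusCode"]
    if code in SUCCESS_CODES:
        return "success"
    if code in WARNING_CODES:
        return "warning"
    return "failure"


def check_cli_output(xml_text):
    """Parse CLI output and raise with the appliance's own description on failure."""
    parsed = parse_command_result(xml_text)
    if command_outcome(parsed) == "failure":
        raise RuntimeError("Credential Manager command failed (%d): %s"
                           % (parsed["statusCode"], parsed["statusDescription"]))
    return parsed
```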

Log Formats
Metric Log Entries
Metric log entries represent functions that take non-trivial time and must be recorded as successes or
failures, such as login attempts and password changes.

Each metric log entry contains an object that has a number of built-in fields. These fields are applied
as tag names. They might also, and usually do, have 'extended' attributes that are object specific. For
example, target accounts use extended attributes to store information that depends on the type of
account, while fields are used to store information common to all target accounts. Extended
attributes are stored within a tag with 'k' and 'v' pairs. The 'k' element identifies the attribute name
while the 'v' element identifies the attribute value.

Note the following fields in the Metric log entry:

type: Type of metric, for example: login, password change. This also determines what the
'description' field contains.

level: (Not currently used: It is always 1.)

errorCode: If the operation failed, the error code identifying the reason for the failure. 0 =
Success.

adminUserId: This identifies the user (not necessarily an administrator) that performed the
activity in question.

success: This identifies whether the operation was successful. If not, the errorCode field identifies
why not.

description: This field contains an embedded field (typically a hashmap) representing details
specific to the type of metric.

An example Credential Management metric log entry that ordinarily appears as a string:

Sep 7 07:09:07 Xsuite <Metric><type>login</type><level>1</level><description><hashmap><k>

This entry may be reformatted to display its structure:

Sep 7 07:09:07 Xsuite

<Metric>
  <type>login</type>
  <level>1</level>
  <description>
    <hashmap>
      <k>adminUserID</k>
      <v>super</v>
    </hashmap>
  </description>
  <errorCode>0</errorCode>
  <userID>super</userID>
  <success>true</success>
  <originatingIPAddress>127.0.0.1</originatingIPAddress>
  <originatingHostName>localhost</originatingHostName>
  <extensionType></extensionType>
</Metric>

Audit Log Entries


An example Credential Management audit log entry that ordinarily appears as a string:

Sep 7 07:09:07 Xsuite <c.cw.m.ts><bm.id>1004</bm.id><bm.cd

This entry may be reformatted to display its structure:

Sep 7 07:09:07 Xsuite

<c.cw.m.ts>
  <bm.id>1004</bm.id>
  <bm.cd>1473152059000</bm.cd>
  <bm.cu>super</bm.cu>
  <bm.ud>1473234607186</bm.ud>
  <bm.uu>super</bm.uu>
  <bm.ha>FUwULFPtQlT4wj3Jf+AwUW4Ha8k=</bm.ha>
  <bm.at.li>
    <c.cw.m.at>
      <bm.id>1004</bm.id>
      <bm.cd>1473152059000</bm.cd>
      <bm.cu>super</bm.cu>
      <bm.ud>1473152881000</bm.ud>
      <bm.uu>super</bm.uu>
      <bm.ha>Wpkmh+aP00rWk/Are28s57Mjowo=</bm.ha>
      <at.na>descriptor1</at.na>
      <at.ob.id>1004</at.ob.id>
      <at.ob.cl>c.cw.m.ts</at.ob.cl>
    </c.cw.m.at>
    <c.cw.m.at>
      <bm.id>1005</bm.id>
      <bm.cd>1473152059000</bm.cd>
      <bm.cu>super</bm.cu>
      <bm.ud>1473152881000</bm.ud>
      <bm.uu>super</bm.uu>
      <bm.ha>Wpkmh+aP00rWk/Are28s57Mjowo=</bm.ha>
      <at.na>descriptor2</at.na>
      <at.ob.id>1004</at.ob.id>
      <at.ob.cl>c.cw.m.ts</at.ob.cl>
    </c.cw.m.at>
  </bm.at.li>
  <hn>123.123.123.000</hn>
  <ip>123.123.124.000</ip>
  <dn>redhat</dn>
</c.cw.m.ts>

Audit Log Tag Interpretation


These log entries are wrapped by <c.cw.m...> tags composed of the elements identified here.

Primary Tag Elements


c.cw.m = com.cloakware.model. "Cloakware" is the name of the original developer of the
Credential Management function.

bm = baseModel, which is the parent of all object types. This is found in all objects for their
common attributes.

id = identification number for this object

For example, this may be a target account id or the target server id or the PVR id.

The name of a target account may change but its id doesn't.

Metric log entries specify only the id, not the name. The session log entries are
comprehensive, so you can find an id when given the name.

Common Tag Elements

This is not currently a complete list of elements.

gr = Group (Target or Requestor)

po = Password Composition Policy

pvp = Password View Policy

pvr = Password View Request

ts = Target server

tp = Target application

rs = Request server

sc = Script

sp = System property

us = User
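An added example (not part of this reference and not CA's code) that parses both the metric and the audit entries shown above from their syslog form: it splits the prefix, reads the k/v extended attributes of a Metric entry, decodes the bm.cd/bm.ud epoch-millisecond timestamps and the bm.at.li attribute list of a c.cw.m.* object, and collects failed operations for alerting. The sample lines are constructed from the page's two examples; the failed-login entry (errorCode 12, address 10.0.0.25, user auditor) is invented for the demonstration.

```python
"""Parse Credential Management metric and audit log lines (syslog prefix + embedded XML)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# "Sep 7 07:09:07 Xsuite <...>": month day time, host name, then the XML payload.
_PREFIX = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (<.*>)\s*$")

# Constructed sample lines modelled on the page's examples; the failed login is invented.
SAMPLE_LINES = [
    "Sep 7 07:09:07 Xsuite <Metric><type>login</type><level>1</level><description><hashmap>"
    "<k>adminUserID</k><v>super</v></hashmap></description><errorCode>0</errorCode>"
    "<userID>super</userID><success>true</success><originatingIPAddress>127.0.0.1"
    "</originatingIPAddress><originatingHostName>localhost</originatingHostName>"
    "<extensionType></extensionType></Metric>",
    "Sep 7 07:10:31 Xsuite <Metric><type>login</type><level>1</level><description><hashmap>"
    "<k>adminUserID</k><v>auditor</v></hashmap></description><errorCode>12</errorCode>"
    "<userID>auditor</userID><success>false</success><originatingIPAddress>10.0.0.25"
    "</originatingIPAddress><originatingHostName>ws25</originatingHostName>"
    "<extensionType></extensionType></Metric>",
    "Sep 7 07:09:07 Xsuite <c.cw.m.ts><bm.id>1004</bm.id><bm.cd>1473152059000</bm.cd>"
    "<bm.cu>super</bm.cu><bm.ud>1473234607186</bm.ud><bm.uu>super</bm.uu>"
    "<bm.ha>FUwULFPtQlT4wj3Jf+AwUW4Ha8k=</bm.ha><bm.at.li>"
    "<c.cw.m.at><bm.id>1004</bm.id><at.na>descriptor1</at.na><at.ob.id>1004</at.ob.id>"
    "<at.ob.cl>c.cw.m.ts</at.ob.cl></c.cw.m.at>"
    "<c.cw.m.at><bm.id>1005</bm.id><at.na>descriptor2</at.na><at.ob.id>1004</at.ob.id>"
    "<at.ob.cl>c.cw.m.ts</at.ob.cl></c.cw.m.at></bm.at.li>"
    "<hn>123.123.123.000</hn><ip>123.123.124.000</ip><dn>redhat</dn></c.cw.m.ts>",
]


def _text(elem, tag, default=""):
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else default


def _epoch_ms(value):
    """bm.cd / bm.ud are epoch milliseconds; return an aware UTC datetime."""
    return datetime.fromtimestamp(int(value) / 1000.0, tz=timezone.utc)


def parse_metric(root):
    """Flatten a <Metric> element, including the k/v pairs of its <hashmap>."""
    hashmap = root.find("description/hashmap")
    extended = {}
    if hashmap is not None:
        keys = [k.text for k in hashmap.findall("k")]
        vals = [v.text for v in hashmap.findall("v")]
        extended = dict(zip(keys, vals))
    return {
        "kind": "metric",
        "type": _text(root, "type"),
        "success": _text(root, "success").lower() == "true",
        "errorCode": int(_text(root, "errorCode", "0") or 0),  # 0 = Success
        "userID": _text(root, "userID"),
        "originatingIPAddress": _text(root, "originatingIPAddress"),
        "extended": extended,
    }


def parse_audit(root):
    """Decode a c.cw.m.<class> audit object: base-model fields and its attribute list."""
    attrs = [
        {"id": _text(at, "bm.id"), "name": _text(at, "at.na"),
         "objectId": _text(at, "at.ob.id"), "objectClass": _text(at, "at.ob.cl")}
        for at in root.findall("bm.at.li/c.cw.m.at")
    ]
    return {
        "kind": "audit",
        "objectClass": root.tag,             # e.g. c.cw.m.ts = target server
        "id": _text(root, "bm.id"),          # stable even if the object is renamed
        "created": _epoch_ms(_text(root, "bm.cd")),
        "createdBy": _text(root, "bm.cu"),
        "updated": _epoch_ms(_text(root, "bm.ud")),
        "updatedBy": _text(root, "bm.uu"),
        "hash": _text(root, "bm.ha"),
        "attributes": attrs,
        "ip": _text(root, "ip"),
    }


def parse_line(line):
    """Split the syslog prefix, parse the XML payload and dispatch on its root tag."""
    m = _PREFIX.match(line)
    if not m:
        return None
    root = ET.fromstring(m.group(3))
    if root.tag == "Metric":
        rec = parse_metric(root)
    elif root.tag.startswith("c.cw.m."):
        rec = parse_audit(root)
    else:
        return None
    rec.update({"timestamp": m.group(1), "host": m.group(2)})
    return rec


def failed_operations(lines):
    """Metric entries with success=false; errorCode says why each one failed."""
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r and r["kind"] == "metric" and not r["success"]]
```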

Message Lists
Message Codes Listed in Documentation
The code list at the last update is provided in Credential Manager Error Codes and Messages (see
page 193).

Message Code List Available from Server


Use the getErrorCodes CLI command to output a complete list of Credential Manager error
codes. It takes no parameters. It outputs an XML structure listing each error code and its description.

For improved readability of the output, CA Technologies, Inc. recommends that you direct the XML
structure to a separate file and then open it with an XML editor.

Example
This example directs the output of the getErrorCodes CLI command to a file called
error_codes.xml.

To output a complete list of Credential Manager error codes:

1. Use the following command:


capam_command -u admin -p password capam=mycompany.com cmdName=getErrorCodes > erro

Where password is the password of the admin account.


Credential Manager outputs an XML command string to the error_codes.xml file.

2. Open the error_codes.xml file with an XML editor, such as Notepad++.

Credential Manager Error Codes and Messages


Message Headers
error.validation.header=Validation Error:

error.exception=Exception occurred {0} in {1}

error.loadingEntity=Unable to load entity of type {0} with id {1}

error.entityDoesNotExist=The entity of type {0} with id {1} does not exist

error.entityNotCorrectType=The retrieved entity of type {0} does not match the expected type of
{1}

Error Codes and Associated Messages


General Messages
error.code.0=Success.

error.code.1=Application error occurred.

error.code.2=Failed to connect to database.

error.code.3=Database version does not match application version.

error.code.4=A database error occurred.

error.code.5=Request failed. The Xsuite cluster is in stopped mode.

error.code.10=Invalid user ID.

error.code.11=Invalid password.

error.code.12=Login failed.

error.code.13=User ID/password combination does not exist.

error.code.14=User session has not been authenticated. Please login.

error.code.15=Account suspended.

error.code.16=Missing login digest values.

error.code.17=Missing login digest.

error.code.18=Cannot login to secondary site.

error.code.19=User is authenticated, but credential must be reset.

error.code.20=User ID must have 3 to 16 characters.

error.code.21=Password must have 6 to 16 characters.

error.code.22=Authorization failed. User {0} does not have permission for this action.

error.code.23=Password must contain at least one alpha character (a-z, A-Z).

error.code.24=Password must contain at least one numeric character (0-9).

error.code.25=Password must contain at least one special character (~!@#$%^&*()_+=-`;:|?/,.).

error.code.26=Authorization failed. User {0} does not have permission for this entity.

error.code.27=Invalid password specified.

error.code.30=Invalid license has been registered. Unable to complete request.

error.code.31=License limit has been exceeded. Unable to complete request.

error.code.32=Success. {Warning: Approaching license limit; you may need to upgrade your
license.}

error.code.33=Unlimited license error.

error.code.34=Limited license error.

error.code.35=Failed to register error. Error code already defined.

error.code.36=Not authorized for updating the license. Permission required: setSystemProperty

Client Error Messages


error.code.400=Success.

error.code.401=Failed to authenticate with the Password Authority service.

error.code.402=Unable to establish connection with client daemon.

error.code.403=Not authorized (for client daemon).

error.code.404=Unable to establish connection with Password Authority Server.

error.code.405=No data found for specified target alias.

error.code.406=An error occurred; if this problem persists then please ask your Administrator to
investigate.

error.code.407=Invalid parameters specified.

error.code.408=Missing required parameter: {0}

error.code.409=Unauthorized script name.

error.code.410=Unauthorized execution path.

error.code.411=Unauthorized execution user ID.

error.code.412=Unauthorized request server.

error.code.413=Error. Attempt to create a duplicate entry.

error.code.414=Invalid target server specified.

error.code.415=Invalid target application specified.

error.code.416=Invalid account specified.

error.code.417=Invalid request server specified.

error.code.418=Invalid script specified.

error.code.419=Invalid target alias specified.

error.code.420=Invalid host name specified.

error.code.421=Invalid IP address specified.

error.code.422=Invalid port number specified. Unable to connect.

error.code.423=Invalid execution path specified.

error.code.424=Invalid script type specified.

error.code.425=Invalid script name specified.

error.code.426=Invalid execution user ID specified.

error.code.427=Cannot update a new target alias.

error.code.428=Maximum length of target alias exceeded.

error.code.429=Application already exists for this server.

error.code.430=No patch found.

error.code.431=Patch found, but must be applied manually.

error.code.432=Patch has already been processed.

error.code.433=Privileged account cannot be used to create target alias.

error.code.434=Invalid username.

error.code.435=Invalid or no extension/application type specified.

error.code.436=Security exception. Script integrity check failed.

error.code.437=Security exception. Data tampering detected. Request denied.

error.code.438=Unauthorized request server. Fingerprint has changed.

error.code.439=Invalid XML definition.

error.code.440=Password Authority Windows Proxy operation failed.

error.code.441=Invalid file path specified.

error.code.442=Unsupported command specified.

error.code.446=Authorization mapping validation error. Invalid execution path specified for
request script.

error.code.447=Authorization mapping validation error. Invalid file path specified for request
script.

error.code.448=Authorization mapping validation error. Missing request script information.

error.code.449=Authorization mapping validation error. Missing hash value for request script.

error.code.450=Unsupported OS platform specified.

error.code.451=Command cannot be executed because the primary site is unavailable.

error.code.452=Primary site is unavailable. Any workflow tasks associated with the account's
password view policy (dual authorization, change password, or checkin/checkout) have not been
performed.

error.code.460=Data source has not been initialized.

error.code.461=Data source is not configured for clustering.

error.code.462=Connection with client daemon timed out.

error.code.463=Connection with Password Authority Server timed out.

error.code.464=No data found for specified User.

error.code.465=Invalid version specified.

error.code.466=Invalid proxy server specified.

error.code.467=Invalid proxy application specified.

error.code.468=Invalid proxy account specified.

error.code.515=Invalid account password specified.

error.code.800=Invalid identifier, approver is suspended or database is unavailable.

error.code.801=Invalid status.

error.code.802=Approval process failure. Please ask your Administrator to investigate the issue.

error.code.803=Unable to verify success or failure. Please ask your Administrator to investigate
the issue.

error.code.900=Invalid group ID.

error.code.901=Invalid group name.

error.code.902=Invalid filter ID.

error.code.903=Invalid filter name.

error.code.904=Invalid target group.

error.code.905=Invalid request group.

error.code.906=Invalid filter object class ID specified for a target group.

error.code.907=Invalid filter object class ID specified for a requestor group.

error.code.960=Delete failed. The role is in use by a user group.

error.code.970=Delete failed. The request server is in use by an authorization mapping.

error.code.971=Delete failed. The request server is in use by a request script.

error.code.980=Delete failed. The request script is in use by an authorization mapping.

error.code.990=Delete failed. The group is in use by a scheduled job.

error.code.991=Delete failed. The group is in use by an authorization mapping.

error.code.992=Delete failed. The group is in use by a user group.

error.code.993=Delete failed. No user group would leave users without user groups or roles.

error.code.1001=Delete failed. The target alias is in use by an authorization mapping.

error.code.1002=Invalid user ID.

error.code.1003=Invalid account password specified.

error.code.1004=Invalid target alias specified.

error.code.1005=Invalid account access type specified.

error.code.1006=Invalid account name specified.

error.code.1007=Invalid application name specified.

error.code.1008=Invalid cache duration specified.

error.code.1009=Cannot make account privileged with active target alias.

error.code.1010=Number of assigned user groups cannot exceed {0}.

error.code.1011=Duplicate host name.

error.code.1012=Duplicate IP address.

error.code.1013=Duplicate device name.

error.code.1015=Request server not found.

error.code.1016=Invalid request server ID specified.

error.code.1017=Invalid script authorization mapping ID specified.

error.code.1018=Invalid request script ID specified.

error.code.1019=Invalid target alias ID specified.

error.code.1020=Invalid target server specified.

error.code.1021=Invalid application specified.

error.code.1022=Invalid account ID specified.

error.code.1023=Invalid application type specified.

error.code.1024=Account password too long.

error.code.1025=Key has already been changed. Waiting for request server to accept new key.

error.code.1026=Invalid pending fingerprint value.

error.code.1027=Invalid account history ID.

error.code.1028=Invalid account history compromised flag.

error.code.1029=One or more user groups must be specified.

error.code.1030=Delete failed. The target server is in use by a target alias.

error.code.1031=Delete failed. The target application is in use by a target alias.

error.code.1033=Cannot change the request server for this request script. Existing authorizations
reference this script.

error.code.1034=E-mail address length exceeded.

error.code.1035=The specified user is an approver of a password view policy and cannot be
deleted.

error.code.1036=Cannot verify password for unsynchronized account.

error.code.1037=E-mail server/account has not been set.

error.code.1038=E-mail from address has not been set.

error.code.1039=Invalid Authentication Type.

error.code.1040=Invalid user view type specified. Valid values are admin or general.

error.code.1041=Delete account failed. Target account in use by other account(s).

error.code.1054=Delete account failed. Target account in use by other application(s).

error.code.1042=Delete account failed. Target account ID does not exist.

error.code.1043=Delete account failed. Target account is used for e-mails.

error.code.1044=The specified user is an email notifier of a password view policy and cannot be
deleted.

error.code.1045=Failed to send email to one or more recipients.

error.code.1046=An error occurred sending the email.

error.code.1047=One click approval host name is not valid.

error.code.1048=Application error.

error.code.1049=User.userID parameter not specified.

error.code.1050=User.newUserID parameter not specified.

error.code.1051=User to be renamed does not exist.

error.code.1052=Error renaming user.

error.code.1053=User to be deleted not found.

error.code.1055=Failed to evaluate email template token {0} due to error: {1}

error.code.1056=User.gkUserId value must be an integer greater than 0.

error.code.1057=User.gkUserId parameter is mandatory for internal requests.

error.code.1058=User.gkUserId parameter is not allowed for external requests.

error.code.1059=The approver permission cannot be removed; the specified user is an approver
of {0} password view policy(ies) and email notifier of {1} password view policy(ies).

error.code.1060=User.gkUserId authentication value is not valid.

error.code.1062=Application error. Attempt to create duplicate entry.

error.code.1063=Invalid page number. Page numbers start at 1.

error.code.1064=Target server not found.

error.code.1065=Target application not found.

error.code.1066=TargetAccount.userId value must be an integer greater than 0.

error.code.1067=Target account cannot be deleted because it is owned by a user.

error.code.1068=Target application cannot be deleted because it has target account(s) owned by
user(s).

error.code.1069=Target server cannot be deleted because it has target account(s) owned by user
(s).

error.code.1070=Could not generate Xsuite login token.

error.code.1071=Error sending message to Xsuite.

error.code.1072=Could not parse Xsuite response.

error.code.1073=Xsuite returned an error response.

error.code.1080=Database ID not specified.

error.code.1081=active parameter not specified, or is incorrect. Valid values are true or false.

error.code.1082=Specified database ID does not exist.

error.code.1083=An error occurred when updating the database cluster.

error.code.1084=At least one cluster member must remain active.

error.code.1085=Invalid synchronization strategy specified.

error.code.1086=Delete application failed. Target application in use by other application(s).

error.code.1087=Delete server failed. Target server in use by application(s).

error.code.1088=Delete account failed. Target account in use by password view policy(s).

error.code.1089=Delete application failed. Target application in use by password view policy(s).

error.code.1090=Delete server failed. Target server in use by password view policy(s).

error.code.1100=User email address is mandatory.

error.code.1101=User email address is invalid.

error.code.1102=Cannot assign user(s) for email notification if they are missing an email address.

error.code.1169=SQL error. Attempt to create duplicate entry.

error.code.1200=Report contains no data.

error.code.1201=Invalid format for start date.

error.code.1202=Invalid format for end date.

error.code.1203=List of report recipients not specified.

error.code.1204=Report dates not selected.

error.code.1205=Report result too large to attach to email.

error.code.1300=Invalid host specified for LDAP authentication.

error.code.1301=Invalid port specified for LDAP authentication.

error.code.1302=Could not connect to LDAP Directory for authentication.

error.code.1303=Invalid LDAP certificate.

error.code.1304=Target application not specified.

error.code.1305=Account discovery has been disabled for this application type.

error.code.1306=Account discovery service class not found in target application configuration file.

error.code.1307=Proxy must be specified.

error.code.1308=Service host must be specified.

error.code.1309=Target account must be specified.

error.code.1310=List of discovered accounts must be specified.

error.code.1311=Target account details must be specified.

error.code.1312=Target application must be specified.

error.code.1313=Target account must be specified.

error.code.1314=Proxy must be specified.

error.code.1315=Service host must be specified.

Native Call Application Error Messages


error.code.1400=Application JNI error - maximum length exceeded.

error.code.1401=Application JNI error - null value.

error.code.1500=Maximum retries exceeded.

error.code.1501=No data found.

error.code.1502=A problem occurred during archive. Not all records were archived. Please run
the command again.

Target Manager Error Messages


error.code.1600=Failed to synchronize password with target. If this problem persists then please
ask your Administrator to investigate.

error.code.1601=Failed to verify password with target. If this problem persists then please ask
your Administrator to investigate.

error.code.1602=Target server application is not responding!

error.code.1603=Insufficient permission to change password on target application.

error.code.1604=Authentication failed.

error.code.1605=Database driver class not found.

error.code.1606=Account is unsynchronized.

error.code.1650=Unable to establish connection with target application!

error.code.1651=Remote host closed connection during handshake. Possible invalid SSL certificate or port.

error.code.1652=Invalid SSL Certificate.

error.code.1660=Lock timeout, unable to process request.

error.code.1661=Account update in progress, unable to process request.

error.code.1662=The view password module did not respond.

Role Error Messages


error.code.1700=Invalid role specified.

error.code.1701=Role is read-only.

Update User Password Error Messages


error.code.1703=Invalid user password specified.

error.code.1704=Invalid user authentication type.

Client Error Messages


error.code.1800=Client is unable to process the request.

error.code.1801=Unable to connect to client.

error.code.1900=Invalid metric ID.

Batch Sequence Error Messages


error.code.1910=Invalid parameters.

error.code.1911=Invalid batch command.

error.code.1912=Unable to commit transaction in database.

error.code.1913=Unable to rollback transaction in database.

error.code.1914=Unable to start a transaction in database.

error.code.1930=Unable to upgrade database. Unsupported minimum release.

error.code.1950=Invalid file name.

error.code.1951=Invalid file path.

error.code.1952=Invalid file permissions.

error.code.1953=Invalid file size.

error.code.1954=Invalid version when running in FIPS mode.

Extension Manager: General Error Messages


error.code.2001=The password change process was not specified. The value assigned to the
'useOtherAccountToChangePassword' attribute must be 'true' or 'false'.

error.code.2002=An invalid port number was specified.

error.code.2003=An invalid Target Account ID was assigned to the 'otherAccount' attribute.

error.code.2006=An invalid Target Account ID was assigned to the 'otherPrivilegedAccount' attribute.

error.code.2007=The value assigned to the 'useOtherPrivilegedAccount' attribute must be 'true' or 'false'.

Extension Manager: Oracle Error Messages


error.code.2011=Invalid database name.

Extension Manager: Unix Error Messages


error.code.2031=The specified other account has an incompatible protocol.

LDAP Error Messages


error.code.2041=No LDAP DN specified.

Database Password Change Error Messages


error.code.2101=Invalid database username.

error.code.2102=Invalid database password.

error.code.2103=Invalid database host name.

error.code.2104=Invalid database user type.

error.code.2150=Failed to update database admin account.

Enable Change-Password-On-View Error Messages


error.code.2201=Invalid interval parameter.

Scheduling Error Messages


error.code.2301=Invalid schedule time.

error.code.2302=This job will never run, the specified start date/time is in the past.

error.code.2303=Failed to save job.

error.code.2304=A job already exists with this name.

Constraint Error Messages


error.code.3000=Constraint manager parse error.

error.code.3100=Invalid target server parameters.

error.code.3200=Invalid target application parameters.

error.code.3201=Cannot add a target application of a deprecated type.

Account Error Messages


error.code.3300=Invalid parameters.

error.code.3301=Exceeded maximum length of access type parameter.

error.code.3302=Account username may not contain whitespace characters.

error.code.3303=Exceeded maximum length for username parameter.

error.code.3304=Exceeded maximum length for password parameter.

error.code.3305=The specified password view policy has "change password on view" enabled, but
the account is unsynchronized.

error.code.3306=The specified password view policy ID is invalid.

error.code.3307=Duplicate compound servers are not allowed for compound account.

error.code.3308=Circular reference. Account cannot refer to itself for "other account".

error.code.3309=Target Server is not allowed to be added as compound server.

error.code.3310=Compound account must be added as unsynchronized.

error.code.3311=Servers not specified for compound account.

error.code.3312=Target server cannot be specified as a compound server.

error.code.3313=Invalid target account ID.

error.code.3314=User does not have listOtherAccounts permission.

error.code.3315=The specified password view policy has "change password on SSO" enabled, but
the account is unsynchronized.

error.code.3350=Password and confirm password do not match.

error.code.3351=Account not specified.

error.code.3360=Cannot update account password of unsynchronized account.

Target Alias Error Messages


error.code.3400=Invalid parameters.

error.code.3401=Target alias name must consist only of characters [a-z A-Z 0-9 ~ \! @ \# $ % ^ . \:
_ - + = \\ /].

error.code.3500=Invalid request server parameters.

error.code.3501=Request Server does not exist or has never connected to Password Authority
Server.

error.code.3502=Connection status checking is not supported on light clients.

error.code.3503=Event polling is enabled or client port is invalid.

error.code.3504=Invalid status code received from client ping.

error.code.3505=Connection status checking is not supported on proxies.

error.code.3506=Proxy cannot be deleted because it is in use.

error.code.3507=Adding a Windows agent via a CLI command is not supported in Xsuite.

error.code.3508=Add request server failed.

error.code.3600=Invalid script parameters.

error.code.3700=Invalid script authorization parameters.

error.code.3701=Invalid script authorization execution user maximum length exceeded.

error.code.3702=Invalid script. It is on a different client than the one specified.

error.code.3800=Invalid user parameters.

Role Error Messages


error.code.3900=Invalid parameters.

error.code.3901=Exceeded maximum length of role name.

error.code.3902=Role name must consist of characters [a-z, A-Z, 0-9].

error.code.3903=Invalid role name.

error.code.3904=Exceeded maximum length of role description.

error.code.3905=Role description must consist of characters [a-z, A-Z, 0-9].

error.code.3906=Invalid role ID.

error.code.3907=Role is read-only.

Group Error Messages


error.code.3950=Invalid parameters.

error.code.3951=Exceeded maximum length of group name.

error.code.3952=Group name must consist of characters [a-z, A-Z, 0-9].

error.code.3953=Invalid group name.

error.code.3954=Exceeded maximum length of group description.

error.code.3955=Group description must consist of characters [a-z, A-Z, 0-9].

error.code.3956=Invalid group ID specified.

error.code.3957=Invalid permission specified.

error.code.3958=Invalid object class ID.

error.code.3959=Group is read-only.

error.code.3960=Invalid group type.

User Group Error Messages


error.code.3970=Invalid parameters.

error.code.3971=Exceeded maximum length of user group name.

error.code.3972=User group name must consist of characters [a-z, A-Z, 0-9].

error.code.3973=Invalid user group name.

error.code.3974=Exceeded maximum length of user group description.

error.code.3975=User group description must consist of characters [a-z, A-Z, 0-9].

error.code.3976=Invalid user group ID.

error.code.3977=Invalid group IDs.

error.code.3978=Invalid role ID.

error.code.3979=User group is read-only.

error.code.3980=Invalid read only.

Report Error Messages


error.code.4000=Invalid parameters.

System Property Error Messages


error.code.4100=Invalid property name specified.

error.code.4101=Exceeded maximum length of property name.

error.code.4102=Property name must consist of characters [a-z, A-Z, 0-9].

error.code.4103=Invalid property value specified.

E-mail Properties Validation Error Messages


error.code.4105=Invalid e-mail target account.

error.code.4106=Invalid e-mail server host name.

error.code.4107=Invalid e-mail server port.

error.code.4108=Invalid e-mail address.

error.code.4109=Invalid e-mail subject.

error.code.4110=Invalid e-mail body.

error.code.4111=Invalid e-mail subject for update.

error.code.4112=Invalid e-mail body for update.

error.code.4113=Target account not specified.

error.code.4114=Requesting user not specified.

error.code.4115=Password view policy not specified.

error.code.4116=Password view request not specified.

error.code.4117=Approver not specified.

US 121 Messages
error.code.4118=Invalid e-mail subject for Password View.

error.code.4119=Invalid e-mail body for Password View.

US 120 Messages
error.code.4120=Invalid e-mail subject for Expired Password View Request.

error.code.4121=Invalid e-mail body for Expired Password View Request.

error.code.4122=Invalid e-mail subject for External Password Approvals.

error.code.4123=Invalid e-mail body for External Password Approvals.

US 91 Messages
error.code.4124=Invalid e-mail subject for Report Results.

error.code.4125=Invalid e-mail body for Report Results.

error.code.4126=Max User Group Limit cannot be more than 25.

Initial Property Error Messages


error.code.4150=Invalid property name specified.

Patch Error Messages


error.code.4200=Invalid patch ID.

error.code.4201=Invalid request server ID.

error.code.4202=Invalid patch detail ID.

error.code.4203=Invalid activate all flag.

error.code.4204=Patch already exists.

error.code.4205=Patch deployment disabled.

error.code.4206=Invalid Request Server connection status.

error.code.4207=Release now only supported for request servers of version 4.5.2 and up.

Password Policy Error Messages


error.code.4300=Invalid password policy ID.

error.code.4301=Invalid password policy name.

error.code.4302=Invalid password policy name.

error.code.4303=Exceeded maximum length of password policy name.

error.code.4304=Password policy name must consist of characters [a-z, A-Z, 0-9].

error.code.4305=Exceeded maximum length of password policy description.

error.code.4306=Password policy description must consist of characters [a-z, A-Z, 0-9].

error.code.4307=Invalid password policy type, this is a required value.

error.code.4308=Invalid password policy type value. Valid values [passwordPolicy].

error.code.4309=Password policy special characters cannot contain XML characters (> < & ' ").

error.code.4310=Password policy minimum length is too small.

error.code.4311=Password policy maximum length is too small.

error.code.4312=Minimum length must be less than the maximum length.

error.code.4313=Policy validation error.

error.code.4314=Password policy cannot be null.

error.code.4315=Repeats cannot be allowed if duplicates are disallowed.

error.code.4316=Select at least one character set in the 'Must Contain' category.

error.code.4317=Select at least one character set in the 'First Must Contain' category.

error.code.4318=First upper case character conflicts with no upper case characters anywhere.

error.code.4319=First lower case character conflicts with no lower case characters anywhere.

error.code.4320=First numeric character conflicts with no numeric characters anywhere.

error.code.4321=First special character conflicts with no special characters anywhere.

error.code.4322=Exclude characters, but none specified.

error.code.4323=Include special characters, but none specified.

error.code.4324=Include special first characters, but none specified.

error.code.4325=Invalid special characters were specified anywhere in the password.

error.code.4326=Invalid special characters were specified at the start of the password.

error.code.4327=Excluded special characters were specified anywhere in the password.

error.code.4328=Excluded special characters were specified at the start of the password.

error.code.4329=Some first special characters are not allowed anywhere in the password.

error.code.4330=No valid characters available. All have been excluded.

error.code.4331=No valid first characters available. All have been excluded.

error.code.4332=No valid first upper case characters available. All have been excluded.

error.code.4333=No valid first lower case characters available. All have been excluded.

error.code.4334=No valid first numeric characters available. All have been excluded.

error.code.4335=No valid first special characters available. All have been excluded.

error.code.4336=No valid upper case characters available. All have been excluded.

error.code.4337=No valid lower case characters available. All have been excluded.

error.code.4338=No valid numeric characters available. All have been excluded.

error.code.4339=No valid special characters available. All have been excluded.

error.code.4340=Password prefix contains excluded first character.

error.code.4341=Password prefix contains excluded characters.

error.code.4342=Password prefix cannot contain duplicate characters.

error.code.4343=Password prefix cannot contain repeating adjacent characters.

error.code.4344=Invalid policy type.

error.code.4345=Unrecognized policy type.

error.code.4346=Must specify a Policy ID or Name but not both.

error.code.4347=No policies were deleted.

error.code.4348=No policies were found.

error.code.4350=Specified password does not conform to the set password policy.

error.code.4351=Password policy could not be found for parent application.

error.code.4352=Failed to generate a password for the specified policy!

error.code.4353=Password does not meet the minimum length requirement.

error.code.4354=Password exceeds the maximum allowed length.

error.code.4355=Password does not contain any uppercase characters. See password policy.

error.code.4356=Password does not contain any lowercase characters. See password policy.

error.code.4357=Password does not contain any numeric characters. See password policy.

error.code.4358=Password does not contain any special characters. See password policy.

error.code.4359=Password contains uppercase characters contrary to the password policy.

error.code.4360=Password contains lowercase characters contrary to the password policy.

error.code.4361=Password contains numeric characters contrary to the password policy.

error.code.4362=Password contains special characters prohibited by the password composition policy.

error.code.4363=Password contains excluded first character. See password policy.

error.code.4364=Password contains excluded character. See password policy.

error.code.4365=Password prefix mismatch. See password policy.

error.code.4366=Password cannot contain duplicate characters. See password policy.

error.code.4367=Password cannot contain repeating adjacent characters. See password policy.

error.code.4368=Password cannot start with {#} pattern.

error.code.4369=Password cannot start with spaces.

error.code.4370=Password cannot end with spaces.

error.code.4371=Cannot reuse the existing password.

error.code.4372=Cannot reuse the last number of passwords specified in password policy.

error.code.4373=Cannot reuse a password from the last number of days specified in password
policy.

error.code.4374=Need to add a required character of a specific type, but not enough characters
available.

error.code.4375=Not enough characters available to avoid repeats.

error.code.4376=Password policy does not exist.

error.code.4377=Not enough characters available to avoid duplicates.

error.code.4401=Invalid minimum length specified.

error.code.4402=Invalid maximum length specified.

error.code.4403=Exceeded maximum length of password policy special characters list.

error.code.4404=Password policy special characters list must consist of characters [ \!"\#$%&()*+,-./\:;<\=>?[]^_{|}~ ].

error.code.4405=Invalid minimum iterations before password can be reused.

error.code.4406=Invalid minimum days before password can be reused.

error.code.4407=Invalid value for 'Must contain upper case characters' boolean.

error.code.4408=Invalid value for 'Must contain lower case characters' boolean.

error.code.4409=Invalid value for 'Must contain numeric characters' boolean.

error.code.4410=Invalid value for 'Must contain special characters' boolean.

error.code.4411=Invalid value for 'First must contain upper case characters' boolean.

error.code.4412=Invalid value for 'First must contain lower case characters' boolean.

error.code.4413=Invalid value for 'First must contain numeric characters' boolean.

error.code.4414=Invalid value for 'First must contain special characters' boolean.

error.code.4415=Invalid value for 'Must not contain repeating characters' boolean.

error.code.4416=Invalid value for 'Must not contain duplicates characters' boolean.

error.code.4417=Invalid value for 'Must not contain characters' boolean.

error.code.4418=Password policy is in use and cannot be deleted.

error.code.4419=Invalid maximum password age specified.

error.code.4420=Requestor ID is too long.

error.code.4421=Requestor ID contains invalid characters.

error.code.4422=Password view request status is too long.

error.code.4423=Password view request status is invalid.

error.code.4424=Approver ID is too long.

error.code.4425=Approver ID contains invalid characters.

error.code.4426=Request start date format is invalid.

error.code.4427=Request end date format is invalid.

error.code.4428=Checked out parameter is invalid.

error.code.4429=Password view request ID is invalid.

error.code.4431=Password view request is expired.

error.code.4432=Password view request has already been approved.

error.code.4433=Password view request has already been denied.

error.code.4434=Password view request does not require approval.

error.code.4435=You are not authorized to update this password view request.

error.code.4436=The specified account ID is invalid.

error.code.4437=You are not allowed to update your own password view request.

error.code.4438=Reason must not exceed 256 characters.

error.code.4439=Reason description must not exceed 1024 characters.

error.code.4440=Password view request ID is invalid.

error.code.4441=Unable to retrieve password view request identifier.

error.code.4442=Invalid approver list specified.

error.code.4443=Could not create password view request identifiers.

error.code.4444=The Approval Reason can only be changed when approving or denying a request.

error.code.4445=The Approval Reason Description can only be changed when approving or denying a request.

error.code.4446=You are not authorized to expire this password view request.

error.code.4447=SSO type value is not supported. Valid values are 'Any', 'WebBrowser', 'SSH',
'RDP', 'VNC', 'AWSAPI', 'NSXAPI', 'Telnet', or 'Other'.

error.code.4500=Authentication module configuration error.

error.code.4501=Authentication module not found.

error.code.4502=Authentication XML invalid.

error.code.4600=Password view policy name is invalid.

error.code.4601=Password view policy name is too long.

error.code.4602=Password view policy name contains invalid characters.

error.code.4603=Password view policy description is too long.

error.code.4604=Password view policy description contains invalid characters.

error.code.4605=Invalid value for change password on view was specified. Valid values are "true"
or "false".

error.code.4606=Invalid value for change password interval was specified. Numeric value
between 1 and 525600 must be specified.

error.code.4607=Invalid value for checkout / checkin required was specified. Valid values are
"true" or "false".

error.code.4608=Invalid value for checkout / checkin interval was specified. Numeric value
between 1 and 525600 must be specified.

error.code.4609=Invalid value for dual authorization required was specified. Valid values are
"true" or "false".

error.code.4610=Invalid value for dual authorization interval was specified. Numeric value
between 1 and 525600 must be specified.

error.code.4611=Invalid PasswordViewPolicy.ID was specified.

error.code.4612=Approvers must be specified if dual authorization is enabled in the policy.

error.code.4613=Invalid list of approvers was specified.

error.code.4614=Password view policy is read-only.

error.code.4615=The specified password view policy name is already in use.

error.code.4616=Password view policy approvers are not able to access the target account(s) that
use this policy.

error.code.4617=One or more of the approvers in this policy are unable to update password view
requests.

error.code.4618=This account is checked out by another user.

error.code.4619=This account is checked out and cannot be updated.

error.code.4620=This account is checked out by a different user.

error.code.4621=You have this account checked out.

error.code.4622=The specified password view request does not exist.

error.code.4623=The password request dates specified are invalid.

error.code.4624=You have a pending request to view this account password that has not been
approved yet.

error.code.4625=This account has dual authorization enabled. A request for authorization to view
the password has been e-mailed to the approvers of this account on your behalf.

error.code.4626=Password view policy is in use and cannot be deleted.

error.code.4627=Your account password request has been approved, but you are outside the
approval period.

error.code.4628=Password view policy has "change password on view" enabled, but the account
is unsynchronized. Password will not be changed.

error.code.4629=The specified status is invalid. Allowed values for Dual Authorization are
approved(1), denied(2), pending(3), expiredapproved(6), or expiredpending(8). For Check-out/
Check-in the values are checkout(4), checkedin(5).

error.code.4630=Invalid value for authentication required was specified. Valid values are "true"
or "false".

error.code.4631=The above error occurred updating the account password, but the account has
still been checked in.

error.code.4632=Cannot check out synchronized accounts that are unverified.

error.code.4633=Users must be specified if Email notification is enabled in the policy.

error.code.4634=Invalid value for email notification required was specified. Valid values are
"true" or "false".

error.code.4635=Email notification failed to some of the Users.

error.code.4636=Check-in/check-out interval must be less than or equal to the dual authorization interval.

error.code.4637=Start and/or end date is outside the maximum allowable request period.
Requests cannot be made more than {0} days in the future.

error.code.4638=Max duration is {0} minutes.

error.code.4639=Invalid Enable One Click Approval Value.

error.code.4640=The default password view request interval must be less than or equal to the maximum password view request interval.

error.code.4641=Missing start date parameter.

error.code.4642=Missing end date parameter.

error.code.4643=Start date must not be more than 10 minutes in the past.

error.code.4644=End date must not be in the past.

error.code.4645=Start date must be before end date.

error.code.4646=Start date cannot be the same as end date.

error.code.4647=Start date is beyond view password policy max interval days.

error.code.4648=End date is beyond view password policy max interval minutes.

error.code.4649=SSO type parameter not allowed for external CLI requests.
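Codes 4606-4612, 4636 and 4640 constrain the password view policy itself (every interval must be between 1 and 525600 minutes, dual authorization needs approvers, and the default request interval cannot exceed the maximum), while 4641-4648 constrain the window a requester asks for: a start date no more than 10 minutes in the past, an end date not in the past, start strictly before end, and start and duration bounded by the policy's maximum days and minutes. As an added example, not CA PAM's own code, here are the two checks in Python, returning the codes they would raise. The field names, treating the 10 minutes in 4643 as a grace period, applying 4636 only when both check-out and dual authorization are enabled, and the constructed SAMPLE_NOW clock are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not CA PAM's own code. Field names, treating the 10 minutes in
# 4643 as a grace period, and applying 4636 only when both check-out and dual
# authorization are enabled are assumptions made for illustration.

INTERVAL_MAX_MINUTES = 525600        # upper bound quoted by 4606, 4608 and 4610
START_GRACE = timedelta(minutes=10)  # 4643
SAMPLE_NOW = datetime(2017, 2, 17, 12, 0, tzinfo=timezone.utc)  # constructed clock


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


@dataclass
class PasswordViewPolicy:
    change_interval_min: int = 60       # 4606
    checkout_required: bool = False
    checkout_interval_min: int = 60     # 4608
    dual_authorization: bool = False
    dual_auth_interval_min: int = 60    # 4610
    approvers: tuple = ()               # 4612
    max_request_days: int = 30          # 4647 (the {0} of 4637)
    max_request_minutes: int = 480      # 4648 (the {0} of 4638)
    default_request_minutes: int = 60   # 4640


def validate_view_policy(p: PasswordViewPolicy) -> list[int]:
    """Error codes a malformed password view policy would raise (empty == OK)."""
    def in_range(m: int) -> bool:
        return 1 <= m <= INTERVAL_MAX_MINUTES
    checks = [
        (4606, not in_range(p.change_interval_min)),
        (4608, not in_range(p.checkout_interval_min)),
        (4610, not in_range(p.dual_auth_interval_min)),
        (4612, p.dual_authorization and not p.approvers),
        (4636, p.checkout_required and p.dual_authorization
               and p.checkout_interval_min > p.dual_auth_interval_min),
        (4640, p.default_request_minutes > p.max_request_minutes),
    ]
    return [code for code, bad in checks if bad]


def validate_request_window(start, end, p: PasswordViewPolicy, now: datetime) -> list[int]:
    """Error codes for a requested view window; `now` is a parameter so the
    check is deterministic and testable."""
    if start is None or end is None:
        return [c for c, missing in ((4641, start is None), (4642, end is None)) if missing]
    checks = [
        (4643, start < now - START_GRACE),   # more than 10 minutes in the past
        (4644, end < now),
        (4645, start > end),
        (4646, start == end),
        (4647, start > now + timedelta(days=p.max_request_days)),
        (4648, end - start > minutes(p.max_request_minutes)),
    ]
    return [code for code, bad in checks if bad]
```

The grace period on 4643 is what keeps a request from being rejected when the requesting client's clock runs slightly behind the server's, while 4647 and 4648 bound how far ahead a window may start and how long it may last independently of each other; a request that starts 31 days out with a one-hour duration fails only 4647, and one starting now for 481 minutes fails only 4648.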

error.code.4650=The specified account does not define any services.

error.code.4651=The specified account is not a Windows domain service account.

error.code.4652=Error communicating with proxy.

error.code.4653=Invalid domain specified.

error.code.4654=Failed to connect to Password Authority Windows Proxy.

error.code.4655=Computer name is invalid.

error.code.4656=The operation is allowed only on the primary domain controller of the domain.

error.code.4657=Username could not be found.

error.code.4658=Windows password is too short.

error.code.4659=Validation failed. Password is invalid.

error.code.4660=Could not find the domain controller for the domain.

error.code.4661=Unable to update the password. The provided new password does not meet the
length, complexity, or history requirement of the domain.

error.code.4662=Login failure: unknown username or bad password.

error.code.4663=Configuration information could not be read from the domain controller, either
because the machine is unavailable, or access has been denied.

error.code.4664=The specified network account name or password is not correct.

error.code.4665=Password Authority Windows Proxy is not active.

error.code.4666=Password Authority Windows Proxy is not responding.

error.code.4667=Failed to update the services.

error.code.4668=Password Authority Windows Proxy reports invalid operation.

error.code.4669=Password Authority Windows Proxy has never registered.

error.code.4670=The specified service does not exist as an installed service.

error.code.4671=Password Authority Windows Proxy error - Invalid handle.

error.code.4672=Password Authority Windows Proxy error - Specified database does not exist.

error.code.4673=Password Authority Windows Proxy error - Data area passed to a system call is
too small.

error.code.4674=Could not connect to server.

error.code.4675=Password verification failed. Failed to connect to user account.

error.code.4676=Password verification failed. Failed to set security.

error.code.4677=No such login session.

error.code.4678=Bad net path.

error.code.4679=Service rollback failed.

error.code.4680=Service rollback successful.

error.code.4681=Proxy unable to access host.

error.code.4682=Invalid operation at proxy.

error.code.4683=Service login failed.

error.code.4684=Could not find any domain controllers.

error.code.4685=No proxies are defined for the target application.

error.code.4686=Account is locked out.

error.code.4690=Password request is only approved for View (not Auto-Connect).

error.code.4691=Password request is only approved for Auto-Connect (not View).

error.code.4692=Password request is only approved for different Auto-Connect type.

error.code.4693=Invalid value for "Reason Required For View" was specified. Valid values are
"true" or "false".

error.code.4694=Invalid value for "Reason Required For Auto-Connect" was specified. Valid
values are "true" or "false".

error.code.4695=Invalid Service Desk Type specified.

error.code.4696=Reason Required For View and Reason Required For Auto-Connect are required
when Service Desk integration is specified.

error.code.4698=Password view policy has "Change Password on Auto-Connect" enabled, but the
account is unsynchronized. Password will not be changed.

error.code.4699=Invalid value for allow "Change Password on Auto-Connect" was specified. Valid
values are "true" or "false".

error.code.4700=Crypto Application error.

error.code.4701=Failed to find crypto provider class.

error.code.4702=Failed to instantiate crypto provider class.

error.code.4703=Failed to retrieve server encryption key.

error.code.4704=Failed to set server encryption key.

error.code.4705=Failed to generate a server key.

error.code.4706=Failed to decrypt ciphertext.

error.code.4707=Failed to encrypt cleartext.

error.code.4708=Failed to retrieve current server key.

error.code.4709=Application error - Object does not contain cspm_serverkey attribute.

error.code.4710=Need to decrypt prior to encrypting.

error.code.4711=Key change in progress.

error.code.4712=Invalid key.

error.code.4850=Auto-Connect validation unknown error.

error.code.4851=Auto-Connect validation permission error.

error.code.4852=Auto-Connect validation rollback error.

error.code.4853=Auto-Connect invocation unknown error.

error.code.4854=Auto-Connect invocation permission error.

error.code.4855=Auto-Connect invocation rollback error.

error.code.4856=Auto-Connect denied by target connector.

error.code.4857=Auto-Connect user does not match target account.

error.code.4858=Auto-Connect parameter is missing.

error.code.4859=Auto-Connect parameter is not editable.

error.code.4860=Auto-Connect port range is 1-65535.

error.code.4861=Auto-Connect denied by target application.

error.code.4862=Auto-Connect SSO type unknown for target application.

error.code.4800=Invalid interval for change password.

error.code.4801=Invalid List Page Size.

error.code.4900=Must specify site name, site type and host name.

error.code.4901=Must specify one of site name, site type, or host name.

error.code.4902=Only one primary site can be provisioned in the system.

error.code.4903=A site with the specified name already exists.

error.code.4904=The specified site is not in the database.

error.code.4905=The site ID to delete was not specified.

error.code.4906=The specified site type is invalid.

error.code.4907=The site ID to update was not specified.

error.code.4908=Only this site can be set as the primary site.

error.code.4909=Failed to retrieve local site information.

error.code.4910=Failed to retrieve local site name.

error.code.4911=Cannot provision a secondary site until the primary site has been provisioned.

error.code.4912=Primary site cannot be deleted while secondary sites exist.

error.code.4913=No changes to the primary site may be performed.

error.code.4950=An error occurred during replication; please ask your Administrator to investigate.

error.code.4951=Secondary site out of sync with primary. Secondary site has higher replication
record than primary.

error.code.4952=Secondary site does not have minimum replication record.

error.code.4953=Primary site error while processing secondary site request (serialization).

error.code.4954=Primary site error while processing secondary site request (I/O).

error.code.4955=Primary site error while processing secondary site request (class not found).

error.code.4956=Primary site error while processing secondary site request (execute command
request).

error.code.4957=Primary site error while processing secondary site request (proxy command requests).

error.code.4960=Host name checking has not been disabled.

error.code.4965=The Row Limit provided is invalid.

error.code.4970=Password View Request Delete Interval Days is invalid.

error.code.4980=The client is offline.

error.code.4981=Unable to confirm whether or not the client is online.

error.code.4982=The client is online.

error.code.4984=Invalid current password specified.

error.code.4985=The password confirm field doesn't match the new password.

error.code.4986=The new password is the same as current password.

Error Code Messages Common to Multiple Target Connectors and Authenticators


error.code.5000=Account is disabled

error.code.5001=Account is locked

error.code.5002=Account's password is expired on target

error.code.5003=Account is expired

error.code.5004=Must reset the password

error.code.5005=Account not found

error.code.5006=Not permitted to logon from workstation

<error code="5050">Internal target connector error.</error>

<error code="5051">Change process not specified.</error>

<error code="5052">No agent specified.</error>

<error code="5053">Invalid domain specified.</error>

<error code="5054">Failed to connect to agent.</error>

<error code="5055">The computer name is invalid.</error>

<error code="5056">The operation is allowed only on the primary domain controller of the
domain.</error>

<error code="5057">The user name could not be found.</error>

<error code="5058">Password error. (The password could be too short, be too long, be too
recent in its change history, not have enough unique characters, or not meet another password
policy requirement.)</error>

<error code="5059">Validation failed. The password is invalid.</error>

<error code="5060">Could not find the domain controller for the domain.</error>

<error code="5061">Unable to update the password. The value provided for the new password
does not meet the length, complexity, or history requirement of the domain.</error>

<error code="5062">Logon failure: unknown user name or bad password.</error>

<error code="5063">Configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied.</error>

<error code="5064">The specified network account name or password is not correct.</error>

<error code="5065">The CSPM Windows Agent is not active.</error>

<error code="5066">The CSPM Windows Agent is not responding.</error>

<error code="5067">Failed to update the services.</error>

<error code="5068">Agent reports invalid operation.</error>

<error code="5069">Agent has never registered.</error>

<error code="5070">The specified service does not exist as an installed service.</error>

<error code="5071">Agent error - Invalid handle.</error>

<error code="5072">Agent error - The specified database does not exist.</error>

<error code="5073">Agent error - The data area passed to a system call is too small.</error>

<error code="5074">The RPC server is unavailable.</error>

<error code="5075">Password verification failed. Failed to connect to user account.</error>

<error code="5076">Password verification failed. Failed to set security.</error>

<error code="5077">No such login session.</error>

<error code="5078">Bad net path.</error>

<error code="5079">Service rollback failed.</error>

<error code="5080">Service rollback successful.</error>

<error code="5081">Host name and service name must have 1 to 100 characters and must not
contain special characters.</error>

<error code="5082">Force password change attribute is incorrect.</error>

<error code="5083">Administrator account not specified.</error>

<error code="5100">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>

<error code="5101">Failed to load the default or revised update script file.</error>

<error code="5102">Failed to load the default or revised verify script file.</error>

<error code="5103">Failed to update the account credentials. Review the log file for further
information or else contact your Administrator.</error>

<error code="5104">Failed to verify the account credentials. Review the log file for further
information or else contact your Administrator.</error>

<error code="5105">Cannot use another account's credentials to verify this account's credentials;
the operation is not supported.</error>

<error code="5106">Failed to enter into privileged EXEC mode. Review the log file for further
information or else contact your Administrator.</error>

<error code="5107">Failed to commit running configuration; the password has changed in running configuration only. Review the log file for further information or else contact your Administrator.</error>

<error code="5108">Failed to restore running configuration from start up configuration. Review the log file for further information or else contact your Administrator.</error>

<error code="5110">The private key is missing from the request.</error>

<error code="5111">An invalid private key was specified.</error>

<error code="5112">The public key is missing from the request.</error>

<error code="5113">An invalid public key was specified.</error>

<error code="5120">An invalid Cisco variant was specified.</error>

<error code="5121">Must specify a host key.</error>

<error code="5122">An invalid SSH port number was specified; the value must be in the range 0..
65535.</error>

<error code="5123">The value assigned to the 'sshUseDefaultKeyExchangeAlgorithms' attribute must be 'true' or 'false'.</error>

<error code="5124">Must NOT specify list of key exchange algorithms because default algorithms
will be used instead.</error>

<error code="5125">The value assigned to the 'sshUseDefaultCompressionAlgorithms' attribute must be 'true' or 'false'.</error>

<error code="5126">Must NOT specify list of compression algorithms because default algorithms
will be used instead.</error>

<error code="5127">The value assigned to the 'sshUseDefaultServerHostKeyAlgorithms' attribute must be 'true' or 'false'.</error>

<error code="5128">Must NOT specify list of server host key algorithms because default
algorithms will be used instead.</error>

<error code="5129">An invalid Telnet port number was specified; the value must be in the range
0..65535.</error>

<error code="5130">An invalid SSH communication timeout was specified; the value must be in
the range 1000..99999.</error>

<error code="5132">An invalid script processor read timeout was specified; the value must be in
the range 1000..59999.</error>

<error code="5133">The value assigned to the 'sshStrictHostKeyCheckingEnabled' attribute must be 'true' or 'false'.</error>

<error code="5135">The value assigned to the 'useUpdateScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.</error>

<error code="5136">The value assigned to the 'useVerifyScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.</error>

<error code="5137">The value assigned to the 'sshUseDefaultCiphers' attribute must be 'true' or 'false'.</error>

<error code="5138">Must NOT specify list of ciphers because default ciphers will be used instead.</error>

<error code="5139">An invalid Telnet communication timeout was specified; the value must be
in the range 1000..99999.</error>

<error code="5140">The value assigned to the 'sshUseDefaultHashes' attribute must be 'true' or 'false'.</error>

<error code="5141">Must NOT specify list of hashes because default hashes will be used instead.</error>

<error code="5170">An invalid protocol was specified.</error>

<error code="5171">Must specify a protocol.</error>

<error code="5172">Must specify a password type.</error>


<error code="5173">The value assigned to the 'pwType' attribute must be 'user' or 'privileged'.</error>

<error code="5174">Must specify whether or not to change the AUX password.</error>

<error code="5175">The value assigned to the 'changeAuxLoginPassword' must be 'true' or 'false'.</error>

<error code="5176">Must specify whether or not to change the Console password.</error>

<error code="5177">The value assigned to the 'changeConsoleLoginPassword' must be 'true' or 'false'.</error>

<error code="5178">Must specify whether or not to change the VTY password.</error>

<error code="5179">The value assigned to the 'changeVtyLoginPassword' must be 'true' or 'false'.</error>

<error code="5180">Must specify the number of VTY ports.</error>

<error code="5181">The value assigned to the 'numVTYPorts' attribute must be an integer in the
range 1..15.</error>

<error code="5200">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>

<error code="5240">Change process not specified.</error>

<error code="5241">Must specify an 'other account'.</error>

<error code="5242">Must specify whether the account will be verified through another account.</error>

<error code="5243">The value assigned to the 'verifyThroughOtherAccount' attribute must be 'true' or 'false'.</error>

<error code="5250">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>

<error code="5251">An invalid LDAP connect timeout was specified; the value must be in the
range 1000..99999.</error>

<error code="5252">An invalid LDAP read timeout was specified; the value must be in the range
1000..99999.</error>

<error code="5253">Must specify a protocol.</error>

<error code="5254">An invalid protocol was specified.</error>

<error code="5255">An invalid port number was specified; the value must be in the range 0..
65535.</error>

<error code="5256">You must specify an SSL certificate.</error>

<error code="5301">An invalid port number was specified; the value must be in the range 0..
65535.</error>

<error code="5302">Schema not specified.</error>

<error code="5303">Change process not specified.</error>

<error code="5304">Incorrect value specified for racService attribute. Valid values are true or
false.</error>

<error code="5305">Incorrect value specified for sysdbaAccount attribute. Valid values are true
or false.</error>

<error code="5306">Incorrect value specified for replaceSyntax attribute. Valid values are true or
false.</error>

<error code="5307">Invalid value for SSL Enabled</error>

<error code="5308">Invalid Crystal Reports database list specified.</error>

<error code="5310">Failed to synchronize/verify account. See logs for details.</error>

<error code="5311">Account locked.</error>

<error code="5312">Failed to connect to host.</error>

<error code="5313">Invalid schema/SID specified.</error>

<error code="5314">Failed to synchronize/verify account. Login failed.</error>

<error code="5315">Failed to synchronize Crystal Reports credentials. See logs for details.</error>

<error code="5500">Invalid port number.</error>

<error code="5501">Change process not specified.</error>

<error code="5502">Invalid value for SSL Enabled</error>

<error code="5510">Failed to synchronize/verify account. See logs for details.</error>

<error code="5511">Failed to connect to database. Connection refused.</error>

<error code="5512">Failed to connect to database. Unknown host.</error>

<error code="5513">Communication failure. The target server must be SQL Server 2000 or later.</error>

<error code="5514">Invalid character in password. Single quotation mark (') is not a valid
password character.</error>

<error code="5515">Failed to connect to database. Login failed.</error>

<error code="5500">Invalid port number.</error>

<error code="5501">Change process not specified.</error>

<error code="5504">Invalid Crystal Reports Server host name specified.</error>

<error code="5505">Invalid Crystal Reports Server port specified.</error>

<error code="5506">Invalid Crystal Reports Server application name specified.</error>

<error code="5507">Invalid Crystal Reports Server account name specified.</error>

<error code="5508">Invalid Crystal Reports database list specified.</error>

<error code="5510">Failed to synchronize/verify account. See logs for details.</error>

<error code="5511">Failed to connect to database. Connection refused.</error>

<error code="5512">Failed to connect to database. Unknown host.</error>

<error code="5513">Communication failure. The target server must be SQL Server 2000 or later.</error>

<error code="5514">Invalid character in password. Single quotation mark (') is not a valid
password character.</error>

<error code="5515">Failed to synchronize Crystal Reports credentials. See logs for details.</error>

<error code="5550">Domain name must be specified</error>

<error code="5551">Cannot retrieve Distinguished Name (DN)</error>

<error code="5552">Distinguished Name (DN) must be specified</error>

<error code="5553">Cannot retrieve list of DNS servers</error>

<error code="5554">Could not find any host name</error>

<error code="5555">Cannot connect to a domain controller on specified domain</error>

<error code="5556">Value for 'getDNS' attribute must be specified</error>

<error code="5557">Unknown option specified for protocol</error>

<error code="5558">SSL certificate must be specified</error>

<error code="5559">Value for 'useDN' attribute must be specified</error>

<error code="5560">Invalid value for 'appendDC' attribute</error>

<error code="5330">Change process not specified.</error>

<error code="5331">An 'other account' must be specified.</error>

<error code="5340">Unable to verify the password due to an error.</error>

<error code="5341">Unable to verify the password because the account is locked.</error>

<error code="5342">Unable to verify the password; failed to connect to the target server.</error>

<error code="5343">Verification failed because the password was not accepted.</error>

<error code="5344">Unable to update the password due to an error.</error>

<error code="5401">Invalid port specified.</error>

<error code="5402">Change process not specified.</error>

<error code="5403">Invalid value for SSL Enabled</error>

<error code="5410">Failed to synchronize/verify account. See logs for details.</error>

<error code="5411">Failed to connect to database.</error>

<error code="5412">Failed to synchronize/verify account. Login failed.</error>

<error code="5450">Failed to synchronize/verify account. See logs for details.</error>

<error code="5451">Failed to connect to host.</error>

<error code="5601">Invalid port specified in target application for update script.</error>

<error code="5602">Invalid login account specified in target application.</error>

<error code="5603">Expect script for updating not specified in target application.</error>

<error code="5604">Invalid timeout value specified for update script in target application.</error>

<error code="5605">Invalid port specified in target application for verify script.</error>

<error code="5606">Expect script for verification not specified in target application.</error>

<error code="5607">Invalid timeout value specified for verify script in target application.</error>

<error code="5610">Failed to connect to host.</error>

<error code="5611">Failed to synchronize.</error>

<error code="5612">Unexpected error.</error>

<error code="5650">Invalid port specified.</error>

<error code="5651">Database name not specified.</error>

<error code="5652">Change process not specified.</error>

<error code="5670">Failed to synchronize/verify account. See logs for details.</error>

<error code="5671">Failed to connect to host.</error>

<error code="5672">Failed to synchronize/verify account. Login failed.</error>

<error code="5750">Domain name must be specified</error>

<error code="5751">Distinguished Name (DN) must be specified</error>

<error code="5753">Cannot connect to a domain controller on the specified domain</error>

<error code="5754">Certificate cannot be retrieved from the domain controller</error>

<error code="5755">Error storing certificate in certificate store</error>

<error code="5756">Proxy host name is invalid:</error>

<error code="5757">Error updating service credentials. See log for more information</error>

<error code="5758">Services could not be restarted</error>

<error code="5759">Error updating password in Active Directory. Service credentials for this
account (if any) were not updated.</error>

<error code="5760">Error verifying services</error>

<error code="5761">Cannot retrieve DNS host name(s)</error>

<error code="5762">Unknown option specified for "useDNS" attribute</error>

<error code="5763">DNS server name not specified</error>

<error code="5764">Distinguished Name (DN) must be specified</error>

<error code="5765">Failed to update the services.</error>

<error code="5766">Invalid boolean value for Disable Auto-Connect Target Account.</error>

<error code="5767">Domain controller's root distinguished name could not be found.</error>

<error code="5768">One or more groups could not be found on domain controller.</error>

<error code="5769">An error occurred when discovering accounts on the domain controller.</error>

<error code="5770">Group names not specified.</error>

<error code="5771">Login account not specified.</error>

<error code="5772">Error updating task credentials. See log for more information</error>

<error code="5773">An invalid LDAP connect timeout was specified; the value must be in the
range 1000..99999.</error>

<error code="5774">An invalid LDAP read timeout was specified; the value must be in the range
1000..99999.</error>

Error Code Messages for Remedy Target Manager Connector (5800 through 5819)

<error code="5800">Change process not specified.</error>

error.code.5801=Change process not specified.

error.code.5802=Internal target connector error.

error.code.5803=Failed to synchronize password with target.

error.code.5804=Failed to verify password with target.

error.code.5805=Remedy server specified in the target application could not be found.

error.code.5806=A port must be specified.

error.code.5807=A BMCRemedyClientURL must be specified.

error.code.5808=Required Remedy licensed files could not be found.

error.code.5809=Could not log into Remedy server.

<error code="5820">Failed to verify account in CSPM.</error>

<error code="5821">Failed to update account in CSPM.</error>

<error code="5822">Account password does not adhere to password policy</error>

<error code="5823">User not found</error>

<error code="5824">User uses external authentication. Password cannot be updated.</error>

<error code="5825">Failed to connect to CSPM Server</error>

<error code="5850">System Number not specified</error>

<error code="5851">Invalid numeric value for System Number</error>

<error code="5852">Client not specified</error>

<error code="5853">Invalid numeric value for Client</error>

<error code="5854">Additional Parameters must be a list of name=value pairs separated by semicolon</error>

<error code="5860">Internal target connector error</error>

<error code="5861">Failed to synchronize password with target</error>

<error code="5862">Failed to verify password with target</error>

<error code="5863">Failed to load native library</error>

<error code="5864">Failed to connect to target system. Communication error</error>

<error code="5865">BAPI User Change Function not found</error>

<error code="5866">BAPI User Change Password Function not found</error>

<error code="5867">Login Failure. See logs for details</error>

<error code="5900">Telnet host name not specified.</error>

<error code="5901">Invalid port.</error>

<error code="5902">Invalid login account specified in target application.</error>

<error code="5903">Java not specified.</error>

<error code="5910">Failed to connect to host.</error>

<error code="5911">Failed to synchronize.</error>

<error code="5912">Unexpected error.</error>

<error code="5913">Script evaluation error. See logs for details</error>

<error code="5950">Invalid port number.</error>

<error code="5951">Change process not specified.</error>

<error code="5954">Invalid Crystal Reports Server host name specified.</error>

<error code="5955">Invalid Crystal Reports Server port specified.</error>

<error code="5956">Invalid Crystal Reports Server application name specified.</error>

<error code="5957">Invalid Crystal Reports Server account name specified.</error>

<error code="5958">Invalid Crystal Reports database list specified.</error>

<error code="5959">Invalid database port specified.</error>

<error code="5960">Invalid database specified.</error>

<error code="5961">Invalid port specified.</error>

<error code="5962">Invalid value for 'isRootAccount'.</error>

<error code="5963">An invalid SSH communication timeout was specified; the value must be in
the range 1000..99999.</error>

<error code="5964">An invalid script processor read timeout was specified; the value must be in
the range 1000..59999.</error>

<error code="5965">The value assigned to the 'sshStrictHostKeyCheckingEnabled' attribute must be 'true' or 'false'.</error>

<error code="5966">An invalid UID/GID number was specified; the value must be in the range 0..
65535.</error>

<error code="5973">Failed to synchronize Crystal Reports credentials. See logs for details.</error>

<error code="5976">Must specify whether the account will be verified through another account.</error>

<error code="5977">The value assigned to the 'verifyThroughOtherAccount' attribute must be 'true' or 'false'.</error>

<error code="5979">The value assigned to the 'useUpdateScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.</error>

<error code="5982">The value assigned to the 'useVerifyScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.</error>

<error code="5984">Must specify an 'other account'.</error>

<error code="5986">Must specify a protocol.</error>

<error code="5987">The value assigned to the 'sshUseDefaultCiphers' attribute must be 'true' or 'false'.</error>

<error code="5988">Must NOT specify list of ciphers because default ciphers will be used instead.</error>

<error code="5989">The value assigned to the 'enableChannelDebugging' attribute must be 'true' or 'false'.</error>

<error code="5990">An invalid Telnet communication timeout was specified; the value must be
in the range 1000..99999.</error>

<error code="5995">Failed to update the account credentials. Review the log file for further
information or else contact your Administrator.</error>

<error code="5996">Failed to verify the account credentials. Review the log file for further
information or else contact your Administrator.</error>

<error code="5997">The value assigned to the 'sshUseDefaultHashes' attribute must be 'true' or 'false'.</error>

<error code="5998">Must NOT specify list of hashes because default hashes will be used instead.</error>

<error code="6000">Invalid port specified.</error>

<error code="6001">Change process not specified.</error>

<error code="6002">Database name not specified.</error>

<error code="6003">Invalid host_name qualifier.</error>

<error code="6004">Max length exceeded for field sampleProperty</error>

<error code="6005">Field useOtherAccount is mandatory</error>

<error code="6006">SampleProperty is mandatory</error>

<error code="6007">Max length exceeded for field sampleProperty</error>

<error code="6008">Custom error message</error>

<error code="6010">Failed to synchronize/verify account. See logs for details.</error>

<error code="6011">Account locked.</error>

<error code="6012">Failed to connect to host.</error>

<error code="6013">Failed to synchronize/verify account. Login failed.</error>

<error code="6014">Failed to update account. Access violation for account. Check target server
or host_name qualifier.</error>

<error code="6101">A Credential Type must be specified.</error>

<error code="6102">An unrecognized Credential Type was specified.</error>

<error code="6103">A Secret Access Key is required.</error>

<error code="6104">The Access Key ID must be composed of upper-case letters and digits and must be 20 characters in length.</error>

<error code="6105">The Secret Access Key must be composed of alphanumeric, "+" and "/" characters and must be 40 characters in length.</error>

<error code="6106">The uploaded EC2 Private Key file does not contain a PEM-formatted
certificate.</error>

<error code="6107">An Access Key ID is required.</error>

<error code="6108">An X.509 certificate file name is required.</error>

<error code="6109">The X.509 certificate file name must match the pattern "pk-[A-Z0-9]{32}.
pem". Example: "pk-4QUDAEWQENET2S22ABOOJ4BMUN6AUZY5.pem"</error>

<error code="6110">A PEM-formatted certificate file containing the EC2 Private Key must be
uploaded.</error>

<error code="6111">An EC2 Instance User Name is required.</error>

<error code="6113">The IAM User Name is formatted incorrectly.</error>

<error code="6114">A Key Pair Name may be specified only when the Credential Type is EC2
Private Key.</error>

<error code="6115">A Key Pair Name is required.</error>

<error code="6116">The EC2 Instance User Name is formatted incorrectly or it contains the
disallowed "@" character.</error>

<error code="6117">The Key Pair Name may not contain the "@" character.</error>

<error code="6118">A User Friendly Account Name is required.</error>

<error code="6119">Duplicated User Friendly Account Name.</error>

<error code="6120">Maximum length of AWS access role name exceeded.</error>

<error code="6121">AWS access role name only allows alphanumeric and '+=,.@-' characters</error>

<error code="6122">The AWS Cloud Type must be specified.</error>

<error code="6123">The maximum length of AWS Cloud Type exceeded.</error>

<error code="6124">The valid AWS Cloud Type is government or commercial</error>

<error code="6125">Failed to update AWS Access credentials. Please contact your Administrator.</error>

<error code="6126">Failed to verify AWS Access credentials. Please contact your Administrator.</error>

<error code="6130">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>

<error code="6131">Attempted to create resources beyond the current AWS account limits.
Please contact your system administrator.</error>

<error code="6132">AWS Key Pair can be changed only by random generation.</error>
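
The format rules behind codes 6103 through 6109 (IAM access key ID and secret, EC2 certificate file name) and the attribute constraints behind codes 5122, 5130, 5132, 5133, 5137, 5138 and 5181 are concrete enough to implement. The validator below is an added example written for this page, not CA Privileged Access Manager code; it returns the documented error codes for a target definition. The attribute names sshPort, sshTimeout, scriptReadTimeout and sshCiphers are assumed for illustration, while sshStrictHostKeyCheckingEnabled, sshUseDefaultCiphers and numVTYPorts are the names the messages themselves quote. The sample key ID and secret in the usage block are AWS's published documentation placeholders, not live credentials.

```python
import re

# Added example for this reference page; not CA Privileged Access Manager code.
# Ranges and formats are taken from the error messages documented above.
# Attribute names marked ASSUMED are illustrative; the others are quoted by the messages.

ACCESS_KEY_ID_RE = re.compile(r"^[A-Z0-9]{20}$")           # 6104: 20 upper-case letters/digits
SECRET_ACCESS_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{40}$")  # 6105: 40 alphanumeric, '+', '/'
EC2_CERT_FILE_RE = re.compile(r"^pk-[A-Z0-9]{32}\.pem$")   # 6109: pk-<32 chars>.pem


def _int_in_range(value, lo, hi):
    """True if value parses as an integer within [lo, hi]; missing or junk values fail."""
    try:
        n = int(str(value).strip())
    except (TypeError, ValueError):
        return False
    return lo <= n <= hi


def validate_ssh_target(attrs):
    """Return the documented error codes raised by an SSH/Telnet target definition."""
    errors = []
    if not _int_in_range(attrs.get("sshPort"), 0, 65535):               # ASSUMED name; 5122
        errors.append(5122)
    if not _int_in_range(attrs.get("sshTimeout"), 1000, 99999):         # ASSUMED name; 5130
        errors.append(5130)
    if not _int_in_range(attrs.get("scriptReadTimeout"), 1000, 59999):  # ASSUMED name; 5132
        errors.append(5132)
    if "numVTYPorts" in attrs and not _int_in_range(attrs["numVTYPorts"], 1, 15):
        errors.append(5181)
    # Boolean attributes must be the literal strings 'true' or 'false' (5133, 5137).
    for attr, code in (("sshStrictHostKeyCheckingEnabled", 5133),
                       ("sshUseDefaultCiphers", 5137)):
        if attr in attrs and attrs[attr] not in ("true", "false"):
            errors.append(code)
    # 5138: an explicit cipher list is rejected when the defaults are requested.
    if attrs.get("sshUseDefaultCiphers") == "true" and attrs.get("sshCiphers"):  # sshCiphers ASSUMED
        errors.append(5138)
    return errors


def validate_aws_access_key(access_key_id, secret_access_key):
    """Check an IAM access key pair against codes 6103, 6104, 6105 and 6107.

    Only codes are returned; the secret value is never copied into the result."""
    errors = []
    if not access_key_id:
        errors.append(6107)
    elif not ACCESS_KEY_ID_RE.match(access_key_id):
        errors.append(6104)
    if not secret_access_key:
        errors.append(6103)
    elif not SECRET_ACCESS_KEY_RE.match(secret_access_key):
        errors.append(6105)
    return errors


def validate_ec2_cert_filename(name):
    """Check an EC2 private-key certificate file name against codes 6108 and 6109."""
    if not name:
        return [6108]
    return [] if EC2_CERT_FILE_RE.match(name) else [6109]


if __name__ == "__main__":
    # Constructed sample input; the key ID and secret are AWS documentation placeholders.
    print(validate_ssh_target({"sshPort": "22", "sshTimeout": "30000",
                               "scriptReadTimeout": "5000",
                               "sshStrictHostKeyCheckingEnabled": "true",
                               "sshUseDefaultCiphers": "true"}))              # []
    print(validate_aws_access_key("AKIAIOSFODNN7EXAMPLE",
                                  "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"))  # []
    print(validate_ec2_cert_filename("pk-4QUDAEWQENET2S22ABOOJ4BMUN6AUZY5.pem"))  # []
```

The validators return only error codes, so a failed check can be logged without the secret access key ever reaching a log line. Note also that a value of 'false' for sshStrictHostKeyCheckingEnabled passes the format check in code 5133 but turns off SSH host-key verification for the password-rotation session; a hardened deployment should flag that setting rather than merely accept it as well-formed.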

<error code="6201">AWS Master Account Name is an email address.</error>

<error code="6280">Invalid or missing port number.</error>

<error code="6301">Domain not specified</error>

<error code="6302">Invalid port number</error>

<error code="6303">Login account not found. Check login info specified in nisConnector.
properties.</error>

<error code="6311">Failed to connect to host</error>

<error code="6312">Failed to initialize change password process</error>

<error code="6313">Password update failed</error>

<error code="6314">Password verify failed</error>

<error code="6315">Failed to load nisConnector.properties file</error>

<error code="6316">Invalid Verify Timeout specified in nisConnector.properties file</error>

<error code="6317">Invalid Update Timeout specified in nisConnector.properties file</error>

<error code="6401">Invalid port specified.</error>

<error code="6402">Realm not specified.</error>

<error code="6403">Change process not specified.</error>

<error code="6410">Failed to synchronize/verify account. See logs for details.</error>

<error code="6411">Invalid account specified.</error>

<error code="6412">Failed to connect to host.</error>

<error code="6413">Invalid Realm specified.</error>

<error code="6414">Failed to synchronize/verify account. Login failed.</error>

<error code="6450">Invalid or missing port number.</error>

<error code="6451">Change process not specified.</error>

<error code="6452">Invalid value specified for the disableAutoConnectTargetAccount parameter.</error>

<error code="6470">Cannot connect to ESX/ESXi host.</error>

<error code="6471">Invalid login, username or password is incorrect.</error>

<error code="6472">No permission to update credentials.</error>

<error code="6473">User not found.</error>

<error code="6474">Remote system error.</error>

<error code="6475">Invalid request.</error>

<error code="6476">User not authenticated.</error>

<error code="6477">Remote security error.</error>

<error code="6500">An SSH port number must be specified.</error>

<error code="6501">A connection timeout must be specified.</error>

<error code="6502">A read timeout must be specified.</error>

<error code="6503">Invalid change process specified</error>

<error code="6504">An invalid connection timeout value was specified.</error>

<error code="6505">An invalid read timeout value was specified.</error>

<error code="6506">An invalid SSH port number was specified.</error>

<error code="6525">Failed to verify account.</error>

<error code="6526">Failed to update account.</error>

<error code="6527">An unknown error occurred; please consult the server log or contact your
Administrator.</error>

<error code="6528">User not found.</error>

<error code="6529">Failed to update password; the target device is currently in use by another
user.</error>

<error code="6530">Failed to connect to the target device; a timeout occurred while waiting to connect.</error>

<error code="6531">Failed to authenticate to the target device due to invalid credentials.</error>

<error code="6532">A communications error occurred while receiving data from the target
device.</error>

<error code="6533">User has insufficient permissions.</error>

<error code="6551">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>

<error code="6552">Failed to load the default or revised update script file.</error>

<error code="6553">Failed to load the default or revised verify script file.</error>

<error code="6554">Failed to update account credentials. Review the log file for further
information or else contact your Administrator.</error>

<error code="6555">Failed to verify account credentials. Review the log file for further
information or else contact your Administrator.</error>

<error code="6580">An invalid SSH port number was specified; the value must be in the range 0..
65535.</error>

<error code="6600">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>

<error code="6601">Failed to load the default or revised update script file.</error>

<error code="6602">Failed to load the default or revised verify script file.</error>

<error code="6603">Failed to enter privilege mode. Review the log file for further information or
else contact your Administrator.</error>

<error code="6604">Failed to update account credentials. Review the log file for further
information or else contact your Administrator.</error>

<error code="6605">Failed to enter configuration mode. Please try again. If the problem persists, contact your Administrator.</error>

<error code="6606">Failed to verify account credentials. Review the log file for further
information or else contact your Administrator.</error>

<error code="6630">An invalid SSH port number was specified; the value must be in the range 0..
65535.</error>

<error code="6660">An unknown error occurred. Review the log file for further information or
else contact your Administrator.</error>

<error code="6670">Failed update AWS account credentials. Please contact your Administrator.</error>

<error code="6671">Failed verify AWS account credentials. Please contact your Administrator.</error>

<error code="6672">Password did not meet the requirements imposed by the account password policy. Please contact your Administrator.</error>

<error code="6673">Account is temporarily unmodifiable. Please try again after waiting several minutes or contact your Administrator.</error>

<error code="6674">Current account does not exist. Please contact your Administrator.</error>

<error code="6675">Trying to create resources beyond the current AWS account limits. Please contact your Administrator.</error>

<error code="6680">AWS Access Account must be specified.</error>

<error code="6700">An unknown error occurred. Review the log file for further information or else contact your Administrator.</error>

<error code="6701">Failed to load the default or revised update script file.</error>

<error code="6702">Failed to load the default or revised verify script file.</error>

<error code="6703">Failed to update account credentials. Review the log file for further information or else contact your Administrator.</error>

<error code="6704">Failed to verify account credentials. Review the log file for further information or else contact your Administrator.</error>

<error code="6705">Cannot verify account's credentials for non Privilege account type; the operation is not supported.</error>

<error code="6706">Cannot update account's credentials for non Privilege account type; the operation is not supported.</error>

<error code="6707">Cannot change password. Please enter a password with 1 to 15 characters.</error>

<error code="6720">An invalid SSH port number was specified; the value must be in the range 0..65535.</error>

<error code="6721">An invalid SSH communication timeout was specified; the value must be in the range 1000..99999.</error>

<error code="6722">An invalid script processor read timeout was specified; the value must be in the range 1000..59999.</error>

<error code="6723">The value assigned to the 'useUpdateScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.</error>

<error code="6724">The value assigned to the 'useVerifyScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.</error>

<error code="8001">LDAP authentication module configuration error.</error>

<error code="8002">LDAP authentication module configuration error.</error>

<error code="8003">LDAP authentication module configuration error.</error>

<error code="8004">LDAP authentication module configuration error.</error>

<error code="8005">LDAP authentication module configuration error.</error>

<error code="8006">Failed to connect to LDAP server.</error>

<error code="8007">LDAP authentication module commit error.</error>

<error code="8008">LDAP authentication failed.</error>

<error code="8009">LDAP authentication failed.</error>

<error code="8201">Kerberos authentication module configuration error.</error>

<error code="8202">Kerberos authentication module error - clock skew too great.</error>

<error code="8203">Kerberos authentication module error - Communication Timeout.</error>

<error code="8204">Kerberos authentication module configuration error.</error>

<error code="8205">Kerberos authentication module configuration error.</error>

<error code="8301">X509 authentication module invalid credentials.</error>

<error code="8302">X509 authentication module error - expired certificate.</error>

<error code="8303">X509 authentication module error - certificate not yet valid.</error>

<error code="8304">X509 authentication module error - certificate revoked.</error>

<error code="8305">X509 authentication module error - root CA invalid.</error>

<error code="8306">X509 authentication module error - invalid certificate signature.</error>

<error code="8307">X509 authentication module error - invalid configuration.</error>

<error code="8308">X509 authentication module error - invalid certificate store file.</error>

<error code="8309">X509 authentication module error - invalid certificate store.</error>

<error code="8310">X509 authentication module error - invalid LDAP port.</error>

<error code="8311">X509 authentication module error - invalid LDAP certificate store.</error>

<error code="8401">x509Ldap authentication module invalid credentials.</error>

<error code="8402">x509Ldap authentication module error - expired certificate.</error>

<error code="8403">x509Ldap authentication module error - certificate not yet valid.</error>

<error code="8404">x509Ldap authentication module error - certificate revoked.</error>

<error code="8405">x509Ldap authentication module error - root CA invalid.</error>

<error code="8406">x509Ldap authentication module error - invalid certificate signature.</error>

<error code="8407">x509Ldap authentication module error - invalid configuration.</error>

<error code="8408">x509Ldap authentication module error - invalid certificate store file.</error>

<error code="8409">x509Ldap authentication module error - invalid certificate store.</error>

<error code="8410">x509Ldap authentication module error - invalid LDAP port.</error>

<error code="8411">x509Ldap authentication module error - invalid LDAP certificate store.</error>

<error code="8501">Active Directory authentication module configuration error.</error>

<error code="8502">Active Directory authentication module configuration error.</error>

<error code="8503">Active Directory authentication module configuration error.</error>

<error code="8504">Active Directory authentication module configuration error.</error>

<error code="8505">Active Directory authentication module configuration error.</error>

<error code="8506">Failed to connect to Active Directory server.</error>

<error code="10001">Failed to log into the LunaSA Module</error>

<error code="10002">Failed to retrieve key from LunaSA Module</error>

<error code="10003">Failed to persist key in LunaSA Module</error>

<error code="10004">Failed to generate key in LunaSA Module</error>

<error code="10101">Failed to login to the LunaSA Module</error>

<error code="10102">Failed to retrieve key from LunaSA Module</error>

<error code="10103">Failed to persist key in LunaSA Module</error>

<error code="10104">Failed to generate key in LunaSA Module</error>

<error code="10201">Failed to log into the LunaSA Module</error>

<error code="10202">Failed to retrieve key from LunaSA Module</error>

<error code="10203">Failed to persist key in LunaSA Module</error>

<error code="10204">Failed to generate key in LunaSA Module</error>

<error code="12000">targetServerHostName property not found in authorization.xml</error>

<error code="12001">Target Server named in authorization.xml not found in Password Authority</error>

<error code="12002">targetApplication property not found in authorization.xml</error>

<error code="12003">Target Application named in authorization.xml not found in Password Authority</error>

<error code="12004">targetAccount property not found in authorization.xml</error>

<error code="12005">Target Account named in authorization.xml not found in Password Authority</error>

<error code="12006">groupClassMemberList property not found in authorization.xml</error>

<error code="12007">userSearchFilter property not found in authorization.xml</error>

<error code="12050">Error communicating with the LDAP server</error>

<error code="12051">Error authenticating with the LDAP server</error>

<error code="12052">Target account/application in authorization.xml file must be of type LDAP or Windows Domain Service</error>

<error code="12053">Cannot retrieve DNS host name(s)</error>

<error code="12054">DNS server name not specified</error>

<error code="12100">targetServerHostName property not found in authorization.xml</error>

<error code="12101">Target Server named in authorization.xml not found in Password Authority</error>

<error code="12102">targetApplication property not found in authorization.xml</error>

<error code="12103">Target Application named in authorization.xml not found in Password Authority</error>

<error code="12104">targetAccount property not found in authorization.xml</error>

<error code="12105">Target Account named in authorization.xml not found in Password Authority</error>

<error code="12106">userSearchFilter property not found in authorization.xml</error>

<error code="12107">Error communicating with the Active Directory server</error>

<error code="12108">Error authenticating with the Active Directory server</error>

Error Code Messages for Remedy View Password Plugin (13000 - 13099)
error.code.13000=A Remedy server must be specified.

error.code.13001=A Remedy application must be specified.

error.code.13002=A Remedy account must be specified.

error.code.13003=Remedy ticket number is not specified, or incorrect.

error.code.13004=Could not log into Remedy server.

error.code.13005=Remedy server specified in the password view policy could not be found.

error.code.13006=Remedy application specified in the password view policy could not be found.

error.code.13007=Remedy account specified in the password view policy could not be found.

error.code.13008=The CA NIM SM target server could not be found.

error.code.13009=The CA NIM SM target application could not be found.

error.code.13010=The CA NIM SM target account could not be found.

error.code.13011=Could not retrieve the ticket from the Remedy system.

error.code.13012=Required Remedy licensed files could not be found.

Error Code Messages for ServiceNow View Password Plugin (13100 - 13199)

error.code.13100=A ServiceNow server must be specified.

error.code.13101=A ServiceNow application must be specified.

error.code.13102=A ServiceNow account must be specified.

error.code.13103=ServiceNow ticket number is not specified, or incorrect.

error.code.13104=Could not log into ServiceNow server.

error.code.13105=ServiceNow server specified in the password view policy could not be found.

error.code.13106=ServiceNow application specified in the password view policy could not be found.

error.code.13107=ServiceNow account specified in the password view policy could not be found.

error.code.13108=The CA NIM SM target server could not be found.

error.code.13109=The CA NIM SM target application could not be found.

error.code.13110=The CA NIM SM target account could not be found.

error.code.13111=Could not retrieve the ticket from the ServiceNow system.

Error Code Messages for CA SDM View Password Plugin (13200 - 13299)
error.code.13200=A CA SDM server must be specified.

error.code.13201=A CA SDM application (type: Generic) must be specified.

error.code.13202=A CA SDM account must be specified.

error.code.13207=CA SDM ticket number is not specified, or incorrect.

error.code.13208=Could not log into CA SDM server.

error.code.13209=CA SDM server specified in the password view policy could not be found.

error.code.13210=CA SDM application specified in the password view policy could not be found.

error.code.13211=CA SDM account specified in the password view policy could not be found.

error.code.13212=The CA NIM SM target server could not be found.

error.code.13213=The CA NIM SM target application could not be found.

error.code.13214=The CA NIM SM target account could not be found.

error.code.13215=Could not retrieve the ticket from the CA SDM system.

Error Code Messages for Salesforce Service Cloud View Password Plugin (13400 - 13499)
error.code.13400=A Salesforce Service Cloud server must be specified.

error.code.13401=A Salesforce Service Cloud application (type: Generic) must be specified.

error.code.13402=A Salesforce Service Cloud account must be specified.

error.code.13403=A SFDC Login Endpoint must be specified.

error.code.13404=A SFDC Service Cloud Client URL must be specified.

error.code.13405=A DateFormat must be specified.

error.code.13406=A CaseObject must be specified.

error.code.13407=A CaseCommentObject must be specified.

error.code.13408=An AttachmentObject must be specified.

error.code.13409=Salesforce Service Cloud ticket number is not specified, or incorrect.

error.code.13410=Could not log into Salesforce Service Cloud server.

error.code.13411=Salesforce Service Cloud server specified in the password view policy could not be found.

error.code.13412=Salesforce Service Cloud application specified in the password view policy could not be found.

error.code.13413=Salesforce Service Cloud account specified in the password view policy could not be found.

error.code.13414=The CA NIM SM target server could not be found.

error.code.13415=The CA NIM SM target application could not be found.

error.code.13416=The CA NIM SM target account could not be found.

error.code.13417=Could not retrieve the ticket from the Salesforce Service Cloud system.

Error Code Messages for HP Service Manager View Password Plugin (13500 - 13599)
error.code.13500=An HP Service Manager server must be specified.

error.code.13501=An HP Service Manager application (type: Generic) must be specified.

error.code.13502=An HP Service Manager account must be specified.

error.code.13506=HP Service Manager ticket number is not specified, or incorrect.

error.code.13507=Could not log into HP Service Manager server.

error.code.13508=HP Service Manager server specified in the password view policy could not be found.

error.code.13509=HP Service Manager application specified in the password view policy could not be found.

error.code.13510=HP Service Manager account specified in the password view policy could not be found.

error.code.13511=The CA NIM SM target server could not be found.

error.code.13512=The CA NIM SM target application could not be found.

error.code.13513=The CA NIM SM target account could not be found.

error.code.13514=Could not retrieve the ticket from the HP Service Manager system.

Custom View Password Module Error Code Messages (14000 - 14999)

error.code.14000=The specified CA Normalized Integration Management account is in use and can't be deleted.

error.code.14001=The requested operation is not allowed on the CA Normalized Integration Management Target Account.

error.code.14002=The requested operation is not allowed on the CA Normalized Integration Management Target Application.

error.code.14003=The requested operation is not allowed on the 'nim.pam.ca.com' Target Server.

error.code.14004=The requested operation is not allowed on the selected application type.

error.code.15000=An invalid issuer URL was specified.

error.code.15001=An invalid console URL was specified.

error.code.15002=An invalid sign-in URL was specified.

error.code.15003=Exceeded maximum length for URL parameter.

error.code.15004=The specified URL is not formatted correctly.

error.code.15005=An invalid session duration was specified; the allowed range is 3600 - 129600 seconds.

error.code.15006=An invalid policy was specified.

error.code.15007=Exceeded maximum length for policy parameter.

error.code.15008=The specified policy is not formatted correctly.

error.code.15009=The AWS client reports that corrupted data was received from the AWS server; the error message is: {0}

error.code.15010=The AWS client reports that communications with the AWS server failed; the error message is: {0}

error.code.15011=An invalid session URL encoding option was specified.

error.code.15012=The AWS service reported a problem; the error message is: {0}

error.code.15013=The requested operation is not allowed on the AWS Access Credentials Target Application.

error.code.15014=The requested operation is not allowed on the 'xceedium.aws.amazon.com' Target Server.

error.code.15015=The requested command cannot be invoked from a remote host.

error.code.15016=The specified federated user name is incompatible with AWS; it contains too few characters.

error.code.15017=The specified federated user name is incompatible with AWS; it contains too many characters.

error.code.15018=The federated user name is missing from the request.

error.code.15019=The specified federated user name is incompatible with AWS.

error.code.15020=The specified AWS access account is in use and can't be deleted.

error.code.15021=The requested operation is not allowed on the AWS API Proxy Credentials Target Account.

error.code.15022=The requested operation cannot be performed by user with the specified target application type.

error.code.15023=The requested operation is not allowed

error.code.15099=The specified VMware access account is in use and can't be deleted.

error.code.15100=Delete Check: the requested operation would delete an existing Target Server with ID: {0}

error.code.15101=Delete Check: the specified host name corresponds to one or more deleted Target Server(s): {0}

error.code.15102=Delete Check: the specified host name does not correspond to any existing or deleted Target Server(s): {0}

error.code.15103=Delete Check: the specified ID corresponds to a deleted Target Server: {0}

error.code.15104=Delete Check: the specified ID does not correspond to an existing or deleted Target Server: {0}

error.code.15105=Delete Check: the requested operation would delete an existing Request Server of type CLIENT or AGENT with ID: {0}

error.code.15106=Delete Check: the specified host name corresponds to one or more deleted Request Server(s) of type {1}: {0}

error.code.15107=Delete Check: the specified host name does not correspond to any existing or deleted Request Server(s) of type {1}: {0}

error.code.15108=Delete Check: the specified ID corresponds to a deleted Request Server of type CLIENT or AGENT: {0}

error.code.15109=Delete Check: the specified ID does not correspond to an existing or deleted Request Server of type CLIENT or AGENT: {0}

error.code.15110=Delete Check: the specified ID corresponds to one or more deleted Target Server(s): {0}

error.code.15111=Delete Check: the specified ID does not correspond to any existing or deleted Target Server(s): {0}

Extension Manager: Common Channel and Processor Target Connector API (15200 - 15299)
error.code.15200=Failed to process a target connector script. Refer to the log file for further information.

error.code.15201=Failed to store an object in script processor memory.

error.code.15202=Failed to retrieve an object from storage in script processor memory.

error.code.15203=Failed to reset the script processor.

error.code.15204=An error occurred while processing a target connector script. The Target Account specifies an unrecognized password change method.

error.code.15205=An error occurred while processing a target connector script. The Target Account specifies an unsupported protocol.

error.code.15206=An error occurred while configuring the communications channel. The Target Account specifies an unsupported protocol.

error.code.15207=Failed to find {0} pattern(s) while reading from the communications channel: {1}

error.code.15208=An error occurred while configuring the script processor. Failed to retrieve a Target Account with ID {0}.

error.code.15209=An error occurred while configuring the script processor. The Target Account specifies another account should be used for authentication and/or verification but no value is assigned to the other account attribute.

error.code.15210=An error occurred while configuring the communications channel. The specified and calculated known host key fingerprints do not match.

error.code.15211=An error occurred while configuring the communications channel. Failed to decode the known host key.

error.code.15212=Failed to establish a communications channel to the remote host.

error.code.15213=An error occurred while configuring the script processor. An invalid pattern was specified for the password entry prompt.

error.code.15214=An error occurred while configuring the script processor. An invalid pattern was specified for the password confirmation prompt.

error.code.15215=An error occurred while configuring the script processor. An invalid pattern was specified for the password change prompt.

error.code.15216=An error occurred while configuring the script processor. An invalid pattern was specified for the user name entry prompt.

error.code.15217=Failed to remove an object from storage in script processor memory.

error.code.15218=An error occurred while configuring the script processor. Failed to retrieve a Target Account with ID {0}.

error.code.15219=An error occurred while configuring the script processor. The Target Account specifies another privileged account should be used but no value is assigned to the other privileged account attribute.

error.code.15220=A problem occurred while executing the script processor. Please try your request again or contact your Administrator.

error.code.15221=A problem occurred while executing the script processor. Failed to automatically derive a public key. Specify the public key and try again or else contact your Administrator.

Extension Manager: Common Channel and Processor Target Connector UI (15300 - 15399)
error.code.15300=Cannot read the revised update script file. Verify the filename and ensure the patch obtained from Customer Support has been applied.

error.code.15301=Cannot read the revised verify script file. Verify the filename and ensure the patch obtained from Customer Support has been applied.

error.code.15302=An invalid filename was specified for the revised update script file. Verify the filename or else contact Customer Support to obtain the correct filename.

error.code.15303=An invalid filename was specified for the revised verify script file. Verify the filename or else contact Customer Support to obtain the correct filename.

error.code.15304=Must choose the filename of the revised update script if any are available. Only use this field if instructed to do so by Customer Support.

error.code.15305=Must choose the filename of the revised verify script if any are available. Only use this field if instructed to do so by Customer Support.

error.code.15306=An invalid regular expression was specified to match the Password Change prompt.

error.code.15307=An invalid list of server host key types was specified.

error.code.15308=An invalid list of inbound compression methods was specified.

error.code.15309=An invalid list of key exchange algorithms was specified.

error.code.15310=An invalid list of outbound compression methods was specified.

error.code.15311=An invalid list of inbound hashes was specified.

error.code.15312=An invalid list of outbound hashes was specified.

error.code.15313=An invalid list of inbound ciphers was specified.

error.code.15314=An invalid list of outbound ciphers was specified.

error.code.15315=Must specify a replacement update script. Only use this field if instructed to do so by Customer Support.

error.code.15316=Must specify a replacement verify script. Only use this field if instructed to do so by Customer Support.

error.code.15317=An invalid list of ciphers to detect was specified.

error.code.15318=An invalid regular expression was specified to match the Password Confirmation prompt.

error.code.15319=An invalid regular expression was specified to match the Password Entry prompt.

error.code.15320=An invalid regular expression was specified to match the User Name Entry prompt.

error.code.15400=The portal URL is missing from the request.

error.code.15401=The specified portal URL is invalid.

error.code.15402=The Security Token Service endpoint URL is missing from the request.

error.code.15403=The specified Security Token Service endpoint URL is invalid.

error.code.15404=The Security Token Service endpoint reference URI is missing from the request.

error.code.15405=The specified Security Token Service endpoint reference URI is invalid.

error.code.15408=The context (wctx) parameter is missing from the request.

error.code.15409=The specified context (wctx) parameter is invalid.

error.code.15410=Failed to load the token request template.

error.code.15411=Failed to initiate federated session.

error.code.15412=Failed to retrieve token request response from the Security Token Service.

error.code.15413=Failed to load the federated session request template.

error.code.15414=Failed to retrieve target account password.

error.code.15415=The target account ID is missing from the request.

error.code.15416=The specified target account ID is invalid.

error.code.15419=The reason parameter is missing from the request.

error.code.15421=The specified start date is invalid.

error.code.15423=The specified end date is invalid.

error.code.15424=The specified compound server ID is invalid.

error.code.15425=Failed to encode the specified context (wctx) parameter.

error.code.15500=The SSH Key Pair Policy ID is missing.

error.code.15501=The specified SSH Key Pair Policy ID is invalid; it must be an integer greater than zero.

error.code.15502=The SSH Key Pair Policy name is missing.

error.code.15503=The specified SSH Key Pair Policy name is invalid; it must consist of characters [a-z, A-Z, 0-9].

error.code.15504=The specified SSH Key Pair Policy name is too long; reduce the number of characters that it contains.

error.code.15505=The SSH Key Pair Policy description is missing.

error.code.15506=The SSH Key Pair Policy description is invalid; it must consist of characters [a-z, A-Z, 0-9].

error.code.15507=The SSH Key Pair Policy description is too long; reduce the number of characters that it contains.

error.code.15508=The SSH Key Pair Policy key type is missing.

error.code.15509=The specified SSH Key Pair Policy key type is invalid; it must be RSA or DSA.

error.code.15510=The SSH Key Pair Policy key length is missing.

error.code.15511=The specified SSH Key Pair Policy key length is invalid.

error.code.15512=Failed to add SSH Key Pair Policy due to error: {0}

error.code.15513=Failed SSH Key Pair generation test due to error: {0}

error.code.15514=The specified SSH Key Pair type and length are not compatible.

error.code.15515=An SSH Key Pair Policy ID or Name must be specified.

error.code.15516=Failed to load an SSH Key Pair Policy having the specified ID or Name.

error.code.15517=Must specify either an SSH Key Pair Policy ID or a Name but not both.

error.code.15600=Invalid subnet x.x.x.x. Format should be in CIDR notation (xxx.xxx.xxx.xxx/xx)

error.code.15700=The specified VMware target account is in use and can't be deleted.

Error messages for CA NIM SM target manager connector (15700 - 15719)

error.code.15701=Change process not specified.

error.code.15702=Internal target connector error.

error.code.15703=Failed to synchronize password with target.

error.code.15704=Failed to verify password with target.

Error Code Messages for CA NIM UM Target Manager Connector (15720 - 15739)
error.code.15721=Change process not specified.

error.code.15722=Internal target connector error.

error.code.15723=Failed to synchronize password with target.

error.code.15724=Failed to verify password with target.

Error Code Messages for ServiceNow Target Manager Connector (15740 - 15759)
error.code.15741=Change process not specified.

error.code.15742=Internal target connector error.

error.code.15743=Failed to synchronize password with target.

error.code.15744=Failed to verify password with target.

error.code.15745=A ServiceNow URL must be specified.

error.code.15746=A ServiceNowClientURL must be specified.

error.code.15747=Could not log into ServiceNow server.

Basic error messages for Service Desk connector (15760 - 15779)

error.code.15760=Error retrieving Service Desk user credentials.

error.code.15761=The CA NIM UM target server could not be found.

error.code.15762=The CA NIM UM target application specified in the password view policy could not be found.

error.code.15763=The CA NIM UM target account specified in the password view policy could not be found.

error.code.15764=Failed to synchronize password with target.

error.code.15765=Failed to verify password with target.

Error messages for HP Service Manager target manager connector (15780 - 15799)
error.code.15780=Change process not specified.

error.code.15781=Internal target connector error.

error.code.15782=Failed to synchronize password with target.

error.code.15783=Failed to verify password with target.

error.code.15784=A port must be specified.

error.code.15785=A HPSMClientURL must be specified.

error.code.15786=An Enabled Protocol must be specified.

error.code.15787=Could not log into HP Service Manager server.

Error Code Messages for CA SDM Target Manager Connector (15800 - 15819)
error.code.15800=Change process not specified.

error.code.15801=Internal target connector error.

error.code.15802=SOAP Protocol must be specified.

error.code.15803=SOAP Port must be specified.

error.code.15804=REST Protocol must be specified.

error.code.15805=REST Port must be specified.

error.code.15806=Could not log into CA SDM server.

CA-PAM Series Messages

General Messages
deviceScanProfileCreated=CA-PAM-1201: Device Scan Profile {0} created.

deviceScanProfileDeleted=CA-PAM-1202: Device Scan Profile {0} deleted.

deviceScanProfileUpdated=CA-PAM-1203: Device Scan Profile {0} updated.

deviceManaged=CA-PAM-1204: Device {0} managed.

jobCanceled=CA-PAM-2201: Job {0} cancelled.

jobDeleted=CA-PAM-2202: Job {0} deleted.

notPermitted=CA-PAM-2202: You do not have sufficient permissions to perform this operation.

manageFailed=CA-PAM-2203: Account management failed for account {0} with the following error: {1}

unableToParseGKObject=CA-PAM-2204: Unable to Parse the Gatekeeper object: {0}

accountScanProfileCreated=CA-PAM-6001: Account Scan Profile {0} created.

accountScanProfileDeleted=CA-PAM-6002: Account Scan Profile {0} deleted.

accountScanProfileUpdated=CA-PAM-6003: Account Scan Profile {0} updated.

accountManaged=CA-PAM-6004: Account {0} managed.

Account Discovery (AD) Messages

accountDiscoveryStarted=CA-PAM-AD-1001: Account Discovery Started

accountDiscoveryFoundAccount=CA-PAM-AD-1002: Account Discovery found account {0}

accountDiscoveryResults=CA-PAM-AD-1003: Account Discovery added {0} new accounts, removed {1} accounts

accountDiscoveryDatabaseAccessError=CA-PAM-AD-1004: An error occurred accessing the database. Scan canceled.

accountDiscoveryApplicationError=CA-PAM-AD-1005: No Account Discovery support for application type {0}. Application skipped.

Device Discovery (DD) Messages


deviceDiscoveryStarted=CA-PAM-DD-1001: Device Discovery Started

deviceDiscoveryFoundHost=CA-PAM-DD-1002: Device Discovery found host {0}

deviceDiscoveryFoundService=CA-PAM-DD-1003: Device Discovery found service {0} on host {1}

Key Discovery (KD) Messages


invalidSshKey=CA-PAM-KD-0001 Invalid SSH key found in file {0} of device {1}: {2}

invalidDiscoveryResponse=CA-PAM-KD-0002 Invalid discovery response from device {0}; first line : {1}

invalidUserToKey=CA-PAM-KD-0003 Invalid discovery response from device {0}; expected user-to-key relationship but instead received {1}

expectingEmbeddedKeys=CA-PAM-KD-0004 Invalid discovery response from device {0} for file {1}; expected embedded keys but instead received {2}

expectingEmbeddedKey=CA-PAM-KD-0005 Invalid discovery response from device {0} for file {1}; expected embedded key but instead received {2}

emptyEmbeddedKey=CA-PAM-KD-0006 Invalid discovery response from device {0} for file {1}; embedded key was empty.

nonNumericBits=CA-PAM-KD-0007 Invalid discovery response from device {0} for file {1}; bits portion of protocol version 1 key non-numeric: {2}

nonNumericFingerprintKeySize=CA-PAM-KD-0008 Invalid discovery response from device {0} for file {1}; key size from fingerprint non-numeric: {2}

cannotProcessCommands=CA-PAM-KD-0009 Device {0} cannot process SSH commands; error from device: {1}

keyDiscoveryFoundSshKey=CA-PAM-KD-1002: SSH Key Discovery found {0,number} {0,choice,0#keys|1#key|1<keys} in file {1} on host {2}.

keyDiscoveryResults=CA-PAM-KD-1003: SSH Key Discovery added {0} new {0,choice,0#keys|1#key|1<keys}, removed {1} {1,choice,0#keys|1#key|1<keys}
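The KD-series messages above describe the checks Key Discovery applies to what it reads from a device's authorized_keys files: a protocol version 1 (RSA1) entry whose bits field is not numeric (KD-0007), a key whose size cannot be read from its fingerprint (KD-0008), and anything else that does not parse as a key (KD-0001). The following Python is an added example written for this page, not CA PAM's discovery code. It parses both entry formats, takes the key size from the public-key blob itself rather than from a fingerprint string, computes the same SHA256 fingerprint that `ssh-keygen -l -E sha256` prints, and reports errors in the wording of KD-0001 and KD-0007. The device name, file path and key material are constructed for the demo; the RSA modulus in particular is a synthetic number, not a real key.

```python
import base64
import hashlib
import struct

V2_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

class InvalidSshKey(ValueError):
    """A line that cannot be accepted as an SSH public key (cf. CA-PAM-KD-0001 and -0007)."""

def wire_string(data):
    # SSH wire-format string (RFC 4251): 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def mpint(n):
    # SSH wire-format mpint: minimal big-endian bytes, 0x00-prefixed when the high bit is set
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return wire_string(raw)

def _read_string(blob, off):
    if off + 4 > len(blob):
        raise InvalidSshKey("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise InvalidSshKey("truncated key blob")
    return blob[off:off + length], off + length

def key_bits(ktype, blob):
    """Key size as `ssh-keygen -l` reports it, decoded from the public-key blob itself."""
    wire_type, off = _read_string(blob, 0)
    if wire_type != ktype.encode():
        raise InvalidSshKey("type prefix %s does not match blob type %r" % (ktype, wire_type))
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent, not needed for the size
        n, _ = _read_string(blob, off)         # modulus
        return int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-ed25519":
        return 256
    if ktype.startswith("ecdsa-sha2-nistp"):
        return int(ktype[len("ecdsa-sha2-nistp"):])
    raise InvalidSshKey("unsupported key type %s" % ktype)

def fingerprint(blob):
    """Same presentation as `ssh-keygen -l -E sha256`: unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_key(line):
    """One authorized_keys line -> dict; None for blank/comment lines; InvalidSshKey if malformed."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Protocol 2 entry: [options] <type> <base64 blob> [comment]
    idx = next((i for i, f in enumerate(fields) if f in V2_TYPES), None)
    if idx is not None:
        if idx + 1 >= len(fields):
            raise InvalidSshKey("missing key blob after %s" % fields[idx])
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError as exc:
            raise InvalidSshKey("key blob is not base64: %s" % exc)
        return {"version": 2, "type": fields[idx], "options": " ".join(fields[:idx]),
                "bits": key_bits(fields[idx], blob), "fingerprint": fingerprint(blob),
                "comment": " ".join(fields[idx + 2:])}
    # Protocol 1 (RSA1) entry: <bits> <exponent> <modulus> [comment], all three decimal
    if len(fields) >= 3 and fields[1].isdigit() and fields[2].isdigit():
        if not fields[0].isdigit():
            raise InvalidSshKey("bits portion of protocol version 1 key non-numeric: %s" % fields[0])
        return {"version": 1, "type": "ssh-rsa1", "options": "", "bits": int(fields[0]),
                "modulus_bits": int(fields[2]).bit_length(),   # the size the modulus really has
                "fingerprint": None, "comment": " ".join(fields[3:])}
    raise InvalidSshKey("unrecognised entry: %s" % line[:40])

def discover_keys(device, path, content):
    """Walk one authorized_keys file; return (keys, errors) with errors worded like KD-0001."""
    keys, errors = [], []
    for lineno, line in enumerate(content.splitlines(), 1):
        try:
            rec = parse_authorized_key(line)
        except InvalidSshKey as exc:
            errors.append("Invalid SSH key found in file %s of device %s (line %d): %s" % (path, device, lineno, exc))
            continue
        if rec:
            keys.append(rec)
    return keys, errors

# Constructed sample file: the key material is synthetic and exists only for this demo.
SAMPLE_RSA_BLOB = wire_string(b"ssh-rsa") + mpint(65537) + mpint((1 << 2047) | 1)
SAMPLE_ED25519_BLOB = wire_string(b"ssh-ed25519") + wire_string(b"\x42" * 32)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real key material",
    "ssh-rsa %s deploy@build01" % base64.b64encode(SAMPLE_RSA_BLOB).decode(),
    'command="/usr/bin/rsync --server",no-pty ssh-ed25519 %s backup@nas' % base64.b64encode(SAMPLE_ED25519_BLOB).decode(),
    "1024 35 %d legacy@host" % ((1 << 1023) | 1),
    "abc 35 12345 broken@host",
])
```

Running `discover_keys("db01.example.net", "/root/.ssh/authorized_keys", SAMPLE_AUTHORIZED_KEYS)` returns three parsed keys (a 2048-bit RSA key, a 256-bit Ed25519 key carrying forced-command options, and a 1024-bit RSA1 key) plus one error for the last line, whose bits field is `abc`. Two points are worth noting for anyone comparing real authorized_keys content against what a scanner reports: the RSA1 record carries both the declared `bits` and the `modulus_bits` actually present, because the two need not agree; and the RSA1 fingerprint is left empty, since OpenSSH hashed RSA1 keys over the raw modulus and exponent rather than over a wire-format blob, so the SHA256 presentation above does not apply to them.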

REST (RST) Messages


notFound=CA-PAM-RST-0000: Object not found: {0}

emptyObject=CA-PAM-RST-0001: Object empty: {0}

invalidId=CA-PAM-RST-0002: Payload id does not match url id: {0} != {1}

invalidFilterParameters=CA-PAM-RST-0003: Must specify all filter parameters (column, op, value) or none

invalidFilterOperator=CA-PAM-RST-0004: Invalid Operator filter. Valid values = EQ, NE

errorRetrievingObjectById=CA-PAM-RST-0005: Error retrieving object by id: {0}

errorRetrievingObjectByName=CA-PAM-RST-0006: Error retrieving object by name: {0}

errorRetrievingObjects=CA-PAM-RST-0007: Error retrieving objects: {0}

errorCreatingObject=CA-PAM-RST-0008: Error creating object: {0}

errorUpdatingObject=CA-PAM-RST-0009: Error updating object: {0}

errorDeletingObject=CA-PAM-RST-0010: Error deleting object: {0}

errorRetrievingObjectByUniqueKey=CA-PAM-RST-0011: Error retrieving object by unique key: {0}

errorUpdatingGroup=CA-PAM-RST-0012: Error updating group: {0}

errorCallingGK=CA-PAM-RST-0013: Call to Gatekeeper service controller failed: {0}

errorDatabaseConnection=CA-PAM-RST-0014: Error connecting to the database. Transaction canceled

errorTransaction=CA-PAM-RST-0015: Transaction error with the database. Transaction canceled

targetServerNotFound=CA-PAM-RST-0016: Target Server not found for host: {0}

unableToManageDevice=CA-PAM-RST-0017: Unable to managed the Device: {0}

successfullyManaged=CA-PAM-RST-0018: Successfully managed host: {0}

unableToAddTA=CA-PAM-RST-0019: Unable to add Target Application {0} for Device {1}

successfullyAddedTA=CA-PAM-RST-0020: Target Application {0} was successfully added to the Device {1}

successfulBulkManaged=CA-PAM-RST-0021: Number of devices that were successfully managed: {0}

unsuccessfulBulkManaged=CA-PAM-RST-0022: Number of devices that were NOT successfully managed: {0}

errorManagingDevice=CA-PAM-RST-0023: Error managing device: {0}

targetAppNotFound=CA-PAM-RST-0024: Target Application not found: {0}

targetAccountExists=CA-PAM-RST-0025: Target Account {0} already exists. No modifications made.

notValidIp=CA-PAM-RST-0026: {0} is not a valid {1} IP Address.

missingProfileName=CA-PAM-RST-0027: Profile name is not defined.

successfulBulkManagedAccount=CA-PAM-RST-0028: Number of accounts that were successfully managed: {0}

unsuccessfulBulkManagedAccount=CA-PAM-RST-0029: Number of accounts that were NOT successfully managed: {0}

duplicateObjectName=CA-PAM-RST-0030: {0} name {1} already exists.

unableToPerformTheOperation=CA-PAM-RST-0031: Unable to perform the operation. Please contact System Administrator.

methodNotImplemented=CA-PAM-RST-0032: This method is not implemented.

invalidParameter=CA-PAM-RST-0033: {0} is not a valid parameter.

Scanning (SC) Messages


noCredentials=CA-PAM-SC-1001: No discovery credentials available for application {0}. Discovery unsuccessful.

scanError=CA-PAM-SC-1002: An error occurred during discovery. Details: {0}

noCredentialsWithSufficientPermissions=CA-PAM-SC-1003: No discovery credentials with sufficient permissions available for application {0}. Discovery unsuccessful.

scanInternalErrorWithoutExceptionMessage=CA-PAM-SC-1004: An internal exception ({0}) occurred during discovery of device "{1}" with application "{2}".

scanInternalErrorWithExceptionMessage=CA-PAM-SC-1004: An internal exception ({0}) occurred during discovery of device "{1}" with application "{2}": {3}

Scheduling (SH) Messages


scheduleTimeErrorMessage=CA-PAM-SH-9001: Schedule Time should be greater than current time.

scheduleEndDateErrorMessage=CA-PAM-SH-9002: Schedule End Date should be greater than or equal to Begin Date.

invalidDate=CA-PAM-SH-9003: The time provided is not in the format DD/MM/YYYY HH:mm:ssAM.

invalidBeginDate=CA-PAM-SH-9004: The begin date provided is not in the format DD/MM/YYYY.

invalidEndDate=CA-PAM-SH-9005: The end date provided is not in the format DD/MM/YYYY.

daysRequired=CA-PAM-SH-9006: Days is required.

selectSchedule=CA-PAM-SH-9007: Frequency is required. The task is not scheduled.

profileAlreadyScheduled=CA-PAM-SH-9008: The current schedule is shown below. Changes to the schedule will be reflected in the profile.

jobNameEmpty=CA-PAM-SH-9009: Job name supply is empty!

triggerWillNeverFire=CA-PAM-SH-9010: Based on configured schedule, the given trigger will never fire.

invalidSchedulingFrequency=CA-PAM-SH-9010: Invalid Scheduling Frequency: {0}

noDaysSpecifiedForTrigger=CA-PAM-SH-9011: No days specified for trigger.

noDatesSpecifiedForTrigger=CA-PAM-SH-9012: No dates specified for trigger.

unknownFrequency=CA-PAM-SH-9013: Unknown Frequency: {0}

endDateWillNeverTrigger=CA-PAM-SH-9014: Invalid end date. Schedule will never trigger.

invalidEndTime=CA-PAM-SH-9015: Invalid end date.

invaliSchedTime=CA-PAM-SH-9016: The specified time has already passed. Schedule will never trigger.

triggerMisfired=CA-PAM-SH-9017: Scheduled job \"{0}\" in group \"{1}\" on {2} was skipped because an instance of that job was already running.

triggerMisfired2=CA-PAM-SH-9018: Scheduled job \"{0}\" in group \"{1}\" on {2} missed a scheduled fire-time and was launched now.

Syslog Messages
The following list is representative of syslog messages generated by CA Privileged Access Manager.

The messages are organized into the following categories:

Configuration, Cluster, User, User Group, Device, Service, Policy, Command Filter, Socket Filter, Login Connection, Device Connection, Violation, Connection Timeout, Global Settings, and Session Manager messages, followed by examples of complete syslog entries.

The documented messages use the following conventions:

$variable – Serves as a place-holder for the actual value.

(option1 | option2) – Indicates mutually exclusive options.

Configuration Messages
Updating LDAP Group $name failed. Connection to all configured LDAP servers failed. 0 New
Users, 0 Updated Users, 0 Deleted Users, 0 Failed New Users, 0 Failed Updated Users, 0 Failed
Deleted Users, 0 Users Retrieved From LDAP Directory Server

RADIUS Configuration Updated Successfully! Added server $host:$port

This RADIUS server already exists

Remote Xceedium Debugging Services turned (ON | OFF)

Updated Syslog Settings. Status: Enabled, Remote Server(s): $address with default port

SMB Settings saved successfully. Mount point: $name Hostname:

Activated FIPS Mode

Deactivated FIPS Mode

Uploaded CA Bundles $name

Uploaded Certificate with Private Key $name

Downloaded Certificate $certificate_name

Run Port Scan on IP address: $address. Ports: $ports

Problem uploading the upgrade package

Xsuite Upgrade: Patch uploaded, going to perform upgrade; Filename: $filename

Xsuite applets successfully signed with $certificate and domain(s) $domains

Applied patch '$name': Upgrade Successful. There is no need to reboot.

CA PAM database restored successfully from file $name

CIFS directory already mounted. Mount point: $name Hostname:

CIFS mounting performed successfully. Mount point: $name Hostname:

Keystroke Logging configuration updated successfully. Syslog: $state NFS/CIFS/S3 (CLI | Graphical)
Recording: $state

An exception (details) occurred while processing LDAP group name. LDAP sync for this group will
be aborted.

Database dumped successfully to $file1 CA PAM configuration saved successfully to $file2

Downloaded database file $name

Created CSR $file

Going to perform upgrade; Filename: $name

Uploaded license file "$filename.xcdlic"

Xsuite Config Login OK.

Downloaded $file_path from $filepath as root user.

Maintenance mode has been enabled for this appliance

Run nslookup on host $name

Run ping on host $ipaddress

Unable to scan the host!IP address: Ports: $port

Uploaded $file to $directory

Database file $file deleted successfully

The CA PAM database has been reset successfully

Error when attempting to add target account for username $name – error was Failed to verify
password with target. If this problem persists then please ask your Administrator to investigate.
AddTargetAccountCmd.invoke: Failed to verify password with target

Error when attempting to add target account for username $name – error was Error. Attempt to
create a duplicate entry. Account with same userName already exists for same application

Successfully restarted networking.

Run traceroute on host $name

Custom Roles export completed.

10054 = CSV import of type $type initiated.

9021 = LDAP connection made to %s.

Cluster Messages
Saved cluster config to all cluster members.

Saved cluster config locally

Appliance attempted sync, not part of cluster

Cluster off was in bad state

SEVERE: Unable to turn on the cluster because one or more cluster members failed cluster start
checks.

External synchronization unlocked while in cluster-stopped mode

Turned cluster on

Turned cluster off

SEVERE: Turning the cluster on failed.

SEVERE: Turned cluster off. The cluster was in a bad state. The administrator who performed this
action was given guidance regarding how to remedy this, and those recommendations were
acknowledged before the cluster was stopped.

The user has acknowledged the warnings related to rebooting an appliance while the cluster is
running. The will appliance will now be rebooted.

Cluster tuning mode turned off

User Messages
User $name successfully added. Activation: $when1; Expiration: $when2; Roles: $roles Groups:
$groups; API keys: $apikeys; User $user added to PA with group membership: $pagroup

User $name successfully deleted. User $name deleted from Password Authority

User $name successfully updated. $what; Roles: $roles; Groups: $groups; API keys: $apikeys PA
User group membership: $pagroup

Created CA Threat Analytics API user $name user id 2

User $name switched to Configuration Section

User $name switched to Administration Section

$user connected to $host:$port; Idle time out: $idle;

Association between user $name and device $name deleted.

User $name deleted from LDAP group $group but is a member of other registered LDAP groups.

User $apiid using API key Orchestrator called $file via HTTP DELETE (user issued a DELETE on a
device)

User $apiid using API key Orchestrator called $file via HTTP GET (user issued a GET on a device)

User $apiid using API key Orchestrator called $file via HTTP POST (user issued a POST on a device)

User $apiid using API key Orchestrator called $file via HTTP PUT (user issued a PUT on a device)

Successfully changed PA user $name to $name

An exception ( [LDAP: error code 32 - 0000208D: NameErr: $ID, problem 2001 (NO_OBJECT), data
0, best match of:

User Delete successfully updated.API keys: None

Could not rename user $name Error was Error. Attempt to create a duplicate entry. User already exists

18002 = Bad User ID ($name) or Password.

18081 = LDAP authentication failed for user <name> with error code (%s) and error string (%s).
The user entered an incorrect password.

18018 = This Xsuite appliance is in maintenance mode. Only admin level users can login.

18019 = User $name logged in successfully via $local_auth_method authentication.

18069 = The Active Directory user with user principal name $name or samAccountName %s is not
registered with Xsuite.

18100 = User $name logged in successfully via local authentication but will be required to change
their password.

18021 = Deactivated account %s. Exceeded inactivity limit.

User Group Messages


User group $name successfully added. Roles: $roles;

User group $name successfully deleted

Group $name Devices updated successfully. Devices in group updated.

User group $name not updated

LDAP Group $name. 0 New Users, 0 Updated Users, 0 Deleted Users, 0 Failed New Users, 0 Failed
Updated Users, 0 Failed Deleted Users, $number Users Retrieved From LDAP Directory Server

9008 = LDAP Group %s imported into Xsuite. %s Users Processed: %s New Users, %s Updated
Users, %s Deleted Users, %s Failed New Users, %s Failed Updated Users, %s Failed Deleted Users.

Device Messages
Device xxx added successfully. Access Methods: $method; Services: $services; VPN Services:
$sslvpn; Groups: $groups; Tags: $tags

Device xxx added successfully. Access Methods: $method; Services: $services; VPN Services:
$sslvpn; Groups: $groups; Tags: $tags; Target Server xxx added to Password Authority

Device xxx added successfully. Access Methods: $method; Services: $services; VPN Services:
$sslvpn; Groups: $groups; Tags: $tags; Request Server xxx added to A2A

Device xxx added successfully. Access Methods: $method; Services: $services; VPN Services:
$sslvpn; Groups: $groups; Tags: $tags; Target Server xxx Request Server xxx added to A2A via
autoregistration

Device xxx updated successfully Access Methods: SSH:22; Services: None; VPN Services: None;
Groups: $groups; Target server xxx updated.

Device xxx updated successfully Access Methods: $method; Target server xxx updated; Request
server xxx updated.

Device xxx updated successfully Access Methods: $method; Target server xxx updated.

Device xxx updated successfully Services: $service

Device xxx updated successfully; Target server xxx updated.

Device xxx updated successfully; Target server xxx updated; Request server xxx updated.

Device xxx updated successfully; Target server xxx updated and renamed to $name; Request
server xxx updated. Request server $name changed to $name.

Device xxx updated successfully; Target server xxx added to Password Authority; Request server
xxx updated.

Device xxx updated successfully; Target server xxx deleted; Request server xxx updated.

Target Server $name not added to Password Authority. Error Message Duplicate host name.
AddTargetServer.invoke HostName '$address' already exists.

Target Server $name not updated. Error message was Duplicate host name $name.
updateTargetServer HostName already exists.

(Users | Devices) export completed.

Could not successfully retrieve Password Authority Managed Data for Dashboard

Device xxx successfully deleted

Error adding target account for username,AddTargetAccountCmd.invoke: Failed to verify password with target.

Error resolving $device

Imported Devices from file $filename

Rebooted the appliance

Powered off the appliance

5131 = Target application %s was deleted from device %s.;

Service Messages
Service $name (added | updated) successfully. Launch Path: $launchpath; Enabled: (on | off);

Service $name (added | updated) successfully. Local IP: $address; Ports: $ports; Protocol: $proto;
Application Protocol: $appproto; Enabled: (on | off);

Service $name (added | updated) successfully. Local IP: $address; Ports: $ports; Protocol: tcp;
Application Protocol: WEB; Web Portal Launch URL: $launchurl; Browser Type: $type; Access List:
$acl; Enabled: (on | off);

Service $name (added | updated) successfully. Local IP: $address; Ports: $ports; Protocol: tcp;
Application Protocol: (RDP | SSH | TELNET); Client Application: $launchpath; Enabled: (on | off);

(Added | Updated) Transparent Login Configuration $name

Credential Service daemon is either not running or not reachable.

Policy Messages
(Created | Updated) policy. User: $user; Host: $host; Applets: $applets, Credential(s): $creds;
Services: $services, Credential: $creds; SSL VPN Services: $ssl_vpn; Target Applications:
$applications; Updated filters and session recording: ; Filtering: Command Filtering: $cf; Socket
Filtering: $sf; Session Recording: CLI Session Recording: (on | off); Graphical Session Recording:
(on | off); Web Session Recording: (on | off); Transparent Login: (on | off); Server Control Login:
(on | off)

Created policy. User: super; Host: xxx Applets: RDP

Created policy. User: super; Host: xxx Applets: SSH

Unable to retrieve target account list for policies - error was No response from Password
Authority.

Accounts deleted

Policy export completed

12053 = Target accounts were deleted from policies.

Command Filter Messages


Command Filter Configuration Updated. Blacklist Violation Message: $message1 Violation
Additional e-mail Message: $message2 Violations Before Action: $violations Action After Limit
Exceeded: $action

Command Filter List (Created | Updated). Name: $name: $type Keywords: Keyword: $keyword
Alert: (On | Off) Regex: (On | Off) Block: (On | Off);

Unauthorized word $word

Exceeded the maximum number of allowed violations. Session terminated

Socket Filter Messages


Socket Filter List Created. Name: $name Type: (black | white) Hosts: $hosts

Socket Filter List $name Updated. Name: $name Type: (black | white) Hosts: $hosts

Blocked Access to Host host:port - Blacklist policy violation.

Imported Socket Filter Lists from file $name Imported: $number

Socket Filter Configuration Updated. Agent Port:$port SFA Monitoring: Enabled Gatekeeper ID: 1
Violation Message: Access denied. Violation Additional e-mail Message: Violations Before Action:
3 Action After Limit Exceeded: take no action

Login Connection Messages


There was a problem with Xsuite's connection to this client. There may be network issues, or the
client may have gone away without properly logging out. This session will be cleaned up.

This client has not responded to Xsuite messages. We have assumed the client has gone away,
and the session is being reaped.

Your Login has Timed Out.

Device Connection Messages


$user connected to $host:$port; Idle time out: $idle;

Connection closed; Duration: $duration

Xsuite user transparently logged into RDP Application "$application" to "Login" window as "$user"

Auto login timeout expired, possibly due to wrong credentials.

User switched to Administration Section

User $name switched to Configuration Section

Xsuite Config Login OK.

Log records viewed

Downloaded log records

Session recording '$filename' was viewed

Logout OK

A problem occurred while executing the script processor

External synchronization unlocked while in cluster-stopped mode

Failed to establish a communications channel to the remote host. AddTargetAccountCmd.invoke: Failed to verify password with target

Target server $name unexpectedly not found

0022 = SSH login to appliance from address <ip_address>.

Violation Messages
Unauthorized word $keyword typed;

No email contact to alert

Exceeded the maximum number of allowed violations. Session terminated

A potential tampering attempt has been detected, and the end-user's local system may be
compromised. Account deactivated.

Exceeded the maximum number of allowed violations. Account deactivated

Blocked Access to Host $host:$port - Blacklist policy violation.

Granted Access to Host $host:$port - Blacklist policy allowed host and port.

Blocked Access to Host $host:$port - Whitelist policy violation.

Granted Access to Host $host:$port - Whitelist policy allowed host and port.

User $user attempted to access the unauthorized page: $page

Details: Unauthorized access to service controller.

Xsuite denied unauthorized JAR download request to $jarfile_directory

Connection Timeout Messages


xsuite[%d]: %s connected to %s:%s; Idle time out: %d;%s

xsuite[%d]: %s initialized SSLVPN; %s

xsuite[%d]: Connection closed; Duration: %s;%s

xsuite[%d]: Connection timed out after %d minutes of idle time; Duration: %s;%s

xsuite[%d]: Connection terminated; Duration: %s;%s

Global Settings Messages


Updates in Global Settings: accessType ($access_type)

Updates in Global Settings: Applet Timeout (0)

Updates in Global Settings: Login Timeout (0)

Session Manager Messages


Messages generated by the Session Manager component that monitors active PAM sessions:

Closed expired session for user $name.

Terminating session for user %s, as it is timed out!

SAML session timed-out for user %s

Session login timed-out for user %s

Session expired

Session recording '$filename' was viewed

Examples of Syslog Messages


The following are a few examples of Syslog entries:

<85>gkpsyslog[11217]: Private IP: , Public IP: , Nat/Proxy IP: x.x.111.22, User: unknown, Transaction: login, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Message 9021:  LDAP connection made to myldap.abcint.net:389.

Sep 9 12:24:17 capam.example.com gkpsyslog[2445]: Private IP: 122.122.0.1, Public IP: 111.111.111.000, Nat/Proxy IP: 111.111.111.000, User: super, Transaction: system, Address: - -, Device Name: google.com.ua, User Group: --Port: - -, Access/Protocol: - -, Service/App: google, Details: Message 19015: Xsuite denied web portal connection to host www.google.com.ua because it does not match an entry in the web portal's access list.

Sep 9 11:48:22 ec2-54-209-99-172.compute-1.amazonaws.com gkpsyslog[2179]: Private IP: , Public IP: , Nat/Proxy IP: 111.111.111.000, User: super, Transaction: admin, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Message 10054: CSV import of type Devices initiated.

Sep 9 12:24:17 capam.example.com gkpsyslog[2445]: Private IP: 192.168.0.1, Public IP: 111.111.111.000, Nat/Proxy IP: 111.111.111.000, User: super, Transaction: system, Address: - -, Device Name: google.com.ua, User Group: --Port: - -, Access/Protocol: - -, Service/App: google, Details: Message 19015: Xsuite denied web portal google's connection to host www.google.com.ua because it does not match an entry in the web portal's access list.

Sep 12 06:20:13 capam.example.com gkpsyslog[1944]: Private IP: , Public IP: , Nat/Proxy IP: 111.111.111.000, User: super, Transaction: config, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Database dumped successfully to gkdatabase20160912061951 CA PAM configuration saved successfully to gk20160912061952.cfg

Sep 12 13:54:30 capam.example.com gkpsyslog[21756]: Private IP: , Public IP: , Nat/Proxy IP: , User: system, Transaction: system, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Message 22: SSH login to appliance from address 111.111.111.000.
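The entries above share one layout: an optional syslog priority and timestamp/host prefix, the gkpsyslog[pid] tag, then a fixed sequence of labelled fields ending in Details, where numbered catalogue messages appear as "Message NNNN: text" and empty fields are rendered as "- -". The following Python is an added example written for this page, not CA PAM code: it parses that layout into named fields, extracts the message number, and runs a few detection rules of the kind a SOC would key on (SSH logins to the appliance itself, web portal access-list denials, bursts of failed logins from one source address, and FIPS mode being turned off). The first three sample lines are taken from the examples above; the remaining four are constructed, and the three-failure threshold is an assumption for the demo rather than a product setting.

```python
import re
from collections import Counter

# Field labels in the order gkpsyslog writes them (taken from the examples above).
FIELDS = ["Private IP", "Public IP", "Nat/Proxy IP", "User", "Transaction", "Address",
          "Device Name", "User Group", "Port", "Access/Protocol", "Service/App", "Details"]

# Optional <pri>, optional "Mon D HH:MM:SS host" prefix, then the gkpsyslog[pid] tag.
_HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"gkpsyslog\[(?P<pid>\d+)\]: (?P<body>.*)$")
# A label is preceded by start-of-body, a space, a comma or a dash ("User Group: --Port: - -").
_LABEL_RE = re.compile(r"(?:^|[ ,-])(" + "|".join(re.escape(f) for f in FIELDS) + r"): ")
_MSG_RE = re.compile(r"Message (\d+):\s*(.*)")

def parse_line(line):
    """Return a dict of the gkpsyslog fields, or None if the line is not a gkpsyslog record."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    hits = list(_LABEL_RE.finditer(body))
    for i, hit in enumerate(hits):
        label = hit.group(1)
        if label == "Details":            # free text: everything to end of line
            rec[label] = body[hit.end():].strip()
            break
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        value = body[hit.end():end].strip().rstrip(",").strip()
        # Empty fields are rendered as "- -" (or "-"); normalise them to "".
        rec[label] = "" if set(value) <= {"-", " "} else value
    for label in FIELDS:
        rec.setdefault(label, "")
    dm = _MSG_RE.match(rec["Details"])
    rec["msg_id"] = int(dm.group(1)) if dm else None
    rec["message"] = dm.group(2).strip() if dm else rec["Details"]
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

# Message numbers from the catalogue above that are worth alerting on.
MSG_SSH_LOGIN_TO_APPLIANCE = 22      # "0022 = SSH login to appliance from address ..."
MSG_WEB_PORTAL_DENIED = 19015        # web portal host not in the portal's access list
AUTH_FAILURE_IDS = {18002, 18081}    # bad user/password, LDAP authentication failed

def triage(records, failure_threshold=3):
    """Apply a few detection rules; the threshold is an assumption, not a product default."""
    findings, failures = [], Counter()
    for r in records:
        if r["msg_id"] == MSG_SSH_LOGIN_TO_APPLIANCE:
            findings.append(("appliance-ssh-login", r["message"]))
        elif r["msg_id"] == MSG_WEB_PORTAL_DENIED:
            findings.append(("web-portal-acl-denied", "%s -> %s" % (r["User"], r["Device Name"])))
        elif r["msg_id"] in AUTH_FAILURE_IDS:
            failures[r["Nat/Proxy IP"] or "unknown"] += 1
        elif r["Transaction"] == "config" and r["Details"] == "Deactivated FIPS Mode":
            findings.append(("fips-mode-disabled", r["User"]))
    for ip, n in failures.items():
        if n >= failure_threshold:
            findings.append(("auth-failure-burst", "%d failures from %s" % (n, ip)))
    return findings

# Sample: first three lines are from the examples above, the rest are constructed for the demo.
SAMPLE_LOG = """\
<85>gkpsyslog[11217]: Private IP: , Public IP: , Nat/Proxy IP: x.x.111.22, User: unknown, Transaction: login, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Message 9021:  LDAP connection made to myldap.abcint.net:389.
Sep 9 12:24:17 capam.example.com gkpsyslog[2445]: Private IP: 192.168.0.1, Public IP: 111.111.111.000, Nat/Proxy IP: 111.111.111.000, User: super, Transaction: system, Address: - -, Device Name: google.com.ua, User Group: --Port: - -, Access/Protocol: - -, Service/App: google, Details: Message 19015: Xsuite denied web portal google's connection to host www.google.com.ua because it does not match an entry in the web portal's access list.
Sep 12 13:54:30 capam.example.com gkpsyslog[21756]: Private IP: , Public IP: , Nat/Proxy IP: , User: system, Transaction: system, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Message 22: SSH login to appliance from address 111.111.111.000.
Sep 12 14:01:02 capam.example.com gkpsyslog[21800]: Private IP: , Public IP: , Nat/Proxy IP: 203.0.113.9, User: unknown, Transaction: login, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Message 18002: Bad User ID (ops-admin) or Password.
Sep 12 14:01:05 capam.example.com gkpsyslog[21801]: Private IP: , Public IP: , Nat/Proxy IP: 203.0.113.9, User: unknown, Transaction: login, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Message 18002: Bad User ID (ops-admin) or Password.
Sep 12 14:01:09 capam.example.com gkpsyslog[21802]: Private IP: , Public IP: , Nat/Proxy IP: 203.0.113.9, User: unknown, Transaction: login, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Message 18002: Bad User ID (ops-admin) or Password.
Sep 12 14:05:00 capam.example.com gkpsyslog[21900]: Private IP: , Public IP: , Nat/Proxy IP: 198.51.100.4, User: super, Transaction: config, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Deactivated FIPS Mode
"""

if __name__ == "__main__":
    for name, detail in triage(parse_log(SAMPLE_LOG)):
        print(name, "|", detail)
```

Two details matter when feeding real collector output to this: the "Nat/Proxy IP" field is the address the appliance actually saw the client from and is the only one populated for the failed logins above, so the burst rule keys on it rather than on "Private IP"; and messages without a catalogue number (the FIPS change, the database dump) carry their whole text in Details, so rules for them have to match the text, as the fourth rule does.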

Credential Manager Terms and Concepts


The following terms and concepts, defined here, are used throughout the CA Privileged Access
Manager documentation regarding Credential Manager.

Application-to-application (A2A) accounts: A2A accounts are accessed by applications in addition to users. For example, database accounts are used by web pages to retrieve information from the database.

Batch processing: The Credential Manager CLI feature that lets you read an XML formatted file as
input to a registration activity.

Credentials: User name and password or RSA key that is associated with an account

Master account: A target account that is used to change another account. This account must have
the ability to change another account password, such as root or sudo-enabled accounts in
UNIX. See also Slave account.

Privileged accounts: Accounts that have elevated privileges; for example, UNIX root accounts and
database administrator accounts. Attended privileged accounts are associated with people.
Unattended privileged accounts are associated with automated applications or machines.
Privileged accounts can usually affect multiple users. Privileged accounts are often used for access
and password viewing. See also Unprivileged accounts.

Registration: The act of adding data to the CA Privileged Access Manager appliance

Remote account: An account on or accessible by a remote host. Some accounts can be considered to be on multiple hosts. For example, an account that is stored in a directory, such as AD or LDAP, can be managed in the directory server or on the remote host where the account is typically used, such as a user desktop. More than one target application type can manage a given remote account, although typically only one does. This situation usually occurs for Windows accounts or accounts in a directory server.

Remote application: An application on a remote host, such as the OS or a Database Management System (DBMS)

Remote host: A computing platform other than the CA Privileged Access Manager appliance.
Examples include servers, laptops, desktops, and routers.

Roles: A collection of actions that can be performed on the GUI and CLI. Roles can be built for
each series of permissions you want to assign to Credential Manager administrators. Credential
Manager roles are distinct and separate from CA Privileged Access Manager roles. See Credential
Manager Grouping Terminology (https://docops.ca.com/display/CAPAM28
/Credential+Manager+Grouping+Terminology).

Slave account: A target account whose password is changed by a master account. See also Master
account.

Synchronized credentials: The ability of Credential Manager to renew credentials on target applications using a predetermined process to keep the CA Privileged Access Manager appliance and requestor synchronized.

Target: General term for a target account, target application, and target server.

Target account: An account that is located on a remote host and is managed by Credential
Manager.

Target applications: Applications on a remote host that require credentials for access. Examples include a database or the remote host OS. A target application can contain one or more target accounts. Multiple target application types exist, each corresponding to a different target connector.

Target connector: Code and extensions that are applied to the Credential Manager target
application and target account details pages that communicate with a given type of remote
application. Each target connector is associated with a target application.

Target group: A collection of target servers, target applications, or target accounts that meet
specific filter criteria; for example, all target servers that have the identifier London in the
descriptor field. A single target can belong to multiple target groups. When a target group
consists of target servers, all applications and accounts on that server are automatically within
that target group.

Target server: A server hosting one or more target applications. In the CA Privileged Access
Manager appliance, it is configured as a Device of type Password Management.

Unprivileged accounts: Accounts that have restricted privileges, usually allowing a user to read or affect only their own data. See also Privileged accounts.

User group: A collection of one target group, one requestor group, and one role. Credential
Manager user groups are distinct and separate from CA Privileged Access Manager User Groups.
See Credential Manager Grouping Terminology (https://docops.ca.com/display/CAPAM28
/Credential+Manager+Grouping+Terminology).

Users: Users are people that access and operate Credential Manager. Each user belongs to one or
more user groups. The user groups define what targets and requestors the user can see and what
actions the user can perform on the Credential Manager interfaces.

In addition, the following terms and concepts apply when referring to Application-to-application
(A2A) functionality:

Client: A program that identifies information about the invoking program or script (such as its
name, path, hash, and userId). For UNIX and Linux, the client stub is cspmclient. For Windows,
the client stub is cspmclient.exe. For Java programs, the client stub is cspmclient.jar.

Client daemon or service: A UNIX daemon or Windows service that caches credentials from the
CA Privileged Access Manager appliance. The A2A Client requests credentials from it. If the
credentials are not cached, it requests the credentials from the CA Privileged Access Manager
appliance. It then caches them before returning the credentials to the client.

Requestor application: Applications that initiate communications with target applications using
target credentials. Requestor applications invoke a client stub to communicate to the CA
Privileged Access Manager appliance to get the required credentials.

Requestor group: A collection of requestors or requestor servers that meet specific filter criteria;
for example, all requestor servers that have the identifier London in the descriptor field. A single
requestor can belong to multiple requestor groups. When a requestor group consists of requestor
servers, all requestors on that server are automatically within that requestor group.

Requestor script: A Perl, Python, PHP, sh, ksh, or csh script that invokes a client stub to get
credentials.

Requestor server: A server hosting one or more requestors

Web GUI
This section describes the Web GUI for the CA Privileged Access Manager software environment. The
Access window is made up of the following parts:
Toolbar (see page 269)
    Admin (see page 270)
    My Info (see page 271)
    System Info (see page 273)
    Config (see page 273)
        3rd Party (see page 274)
        Certificate Info (see page 286)
        Database (see page 286)
        Date and Time (see page 288)
        Diagnostics (see page 290)
        Licensing (see page 293)
        Logs (see page 294)
        Monitor (see page 297)
        Network (see page 298)
        Security (see page 298)
        SNMP (see page 306)
        SSL VPN (see page 307)
        Synchronization (see page 307)
Menu Bar (see page 310)
    Global Settings Menu Bar Reference (see page 310)
    Sessions Menu Bar Reference (see page 318)
    Services Menu Bar Reference (see page 318)
    Users Menu Bar Reference (see page 322)
    Devices Menu Bar Reference (see page 328)
    Policy Menu Bar and Dialogs Reference (see page 332)
        Manage Policies (see page 332)
        Manage Passwords (see page 340)
        Import and Export Policy (see page 370)
        Import and Export Socket Filter Lists (see page 372)

This document shows the appropriate UI pane and provides a table that identifies each component in
that pane, including a brief explanation. For more information click the links.

Toolbar
The following sections document toolbar features:
Admin (see page 270)
My Info (see page 271)

System Info (see page 273)
Config (see page 273)

This document provides tables that identify each component, including a brief explanation. For more
information see either the Planning Guide or the Implementation Guide.

Figures: Toolbar showing Admin tab; Toolbar showing API Doc tab; Dashboard Toolbar; Toolbar.

Toolbar Components

Admin (see page 270) - Switch to administration mode.

Config (see page 273) - Switch to configuration mode.

My Info (see page 271) - View information about the user.

Sys Info (see page 273) - View (memory, storage, license, and other) information about this physical CA PAM appliance in a new browser tab.

Help - View context-sensitive online help (or the Help index if context-sensitive Help is not available for the current page) in a new browser window or tab.

Log Off - Exit all CA PAM functions.

The Toolbar tabs listed in the table are described in the following sections.

Admin
Admin Button
This button allows you to get back to the Administration GUI, which shows the menu bar, used
mostly for provisioning.

Admin mode is used to:

Provision users, privileged user password management, A2A access, target devices, and access
control policies;

Enable management of active sessions

Provide access to session recordings, audit logs, and associated metrics

Admin View Window Fields

Save as View - The Save as View link allows you to save the current view to a specific name. That view can be unfiltered, or filtered by the Search link on the Device Name, or filtered by Device OS, Location, or Tag.

non-OOB Devices - Clicking on the OOB Devices link toggles the Access and OOB Devices view. The OOB Devices view shows all devices that have been configured for Out of Band access by this user. Each row represents a device on your network that you are permitted to manage. The list of devices that you are permitted to manage is defined by your Administrator. If you need to manage a device that does not appear on this list, see your CA PAM Administrator. The available Access Methods, which represent the possible methods of managing each device, include:

Serial - Provides access to Serial Port consoles or Terminal Servers.

KVM - Certain KVM over IP network appliances have integrated support and can be used to limit access to only certain connected devices. Other KVM over IP devices can be supported via their web interface.

Power - Controls a smart power switch that is capable of powering the device on or off.

When a host is connected to a smart power switch, CA PAM can be used to control the switch via the Power button. The Power button light indicates the last power status CA PAM is aware of. Red indicates power off, green indicates power on, and no light indicates that CA PAM cannot determine the Power Status of that device. Clicking the Power button launches a popup that gives you choices for that device. The buttons perform the straightforward functions Turn device on, Turn device off, and Reset device.

Restart Session - The Restart Session link is used to refresh your access page matrix. If your systems administrator has made policy changes, click this link, or log out then back in again, for them to be reflected in your session. Clicking Restart Session forcibly closes any sessions that you are currently running.

My Views - The My Views link allows you to select from preconfigured, filtered views. You create a named filtered view (for use in My Views) through the Save as View link.

My Info
Account Information Fields (see page 271)
Contact Information Fields (see page 272)

Account Information Fields

The Account Information menu identifies required and optional information for the User to provide.

RDP Username - Used by the RDP applet in credentials for access to a remote Windows device. RDP Username will accept a name with an embedded backslash so that it can be used to log in to a domain account.

Mainframe Display Name - Display Name used by the AS/400 applets TN3270, TN3270SSL, TN5250, TN5250SSL.

Keyboard Layout - Conforms CA PAM keyboard input to native keyboard output. Options:
AUTO – Default – CA PAM selects a layout (from this version list)
DA – Danish
DE – German
EN-GB – English (UK)
EN-US – English (US)
FI – Finnish
FR – French
FR-BE – French (Belgium)
FR-CH – French (Switzerland)
HU – Hungarian
IW-IL – Hebrew (Israel)
NO – Norwegian
PL – Polish
RU – Russian
SV – Swedish

Contact Information Fields


The Contact Information menu identifies required and optional information for the User to provide.

Contact Information Fields

Email self on login - Enable an email to be sent to the defined email address. Alerts the user if their account is being used by another person.

System Info
Sys Info Link
Sys Info Components

Basic Info - Firmware version number and whether the appliance has been preconfigured in FIPS mode.

System Resources - Current CPU usage, Disk total/used/free storage, and total/used/free Memory Usage statistics.

System Activity - Identifies the continuous uptime since the last appliance boot, the number of Users that are currently logged in (Active Logins), and the number of connection sessions currently underway by those Users (Active Sessions).

Licensing - Current quantities of [Devices defined]/[Devices licensed] for each license type; whether a Mainframe option has been applied to the Access license (if any); and the license string for Access (if any).

Serial Numbers - Firmware serial number and the hardware serial number (if assigned).

Hotfixes - Identifies any Hotfixes applied to this installation of CA PAM.

Refresh - Refreshes the data in the screen.

Download - Creates a text file of the sys info data.

Config
The CA Privileged Access Manager Config panel is home to settings for optional features, connections
to external systems, diagnostics, and security methods.
3rd Party (see page 274)
Certificate Info (see page 286)
Database (see page 286)
Date and Time (see page 288)
Diagnostics (see page 290)
Licensing (see page 293)
Logs (see page 294)
Monitor (see page 297)
Network (see page 298)
Security (see page 298)
SNMP (see page 306)
SSL VPN (see page 307)
Synchronization (see page 307)

3rd Party
Configure servers that provide provisioning and authentication resources, encryption services,
account access specifications, and other services to CA Privileged Access Manager.

The following panels appear only when explicitly licensed from CA Privileged Access Manager (as
specified on the Config, Licensing page):

AWS API Proxy Users license: AWS API Proxy Auto-Activation Whitelist panel

AWS Capability license: Amazon Web Services (AWS) Configuration panel; Add/Edit AWS
Connection panel

HSM license, either SafeNet HSM Capability for SafeNet HSM or Thales HSM Capability: Network
Attached HSMs panel; LUNA PCI-E Configuration; SafeNet HSM Configuration; Thales HSM
Configuration

Office365 Capability license: Microsoft Office 365 Configuration panel

VMware Capability license: VMware Configuration, Add VMware vCenter, VMware NSX panels

HSM Configuration Panels

Network Attached HSMs


When CA Privileged Access Manager is not configured with an internal SafeNet Luna PCI-E card, this
panel is populated with zero or more line items identifying any (network attached) SafeNet or Thales
HSMs that have been specified one-by-one by using the lower configuration panel. If there are any
HSM records (line items), each has:

HSM - IP address of this HSM

Status - "Online" or "Offline", depending on whether the HSM can be reached by CA Privileged
Access Manager.

Action - Specified by labeled button in the line item:

Remove - Removes the HSM configuration specified by this line item.

When CA Privileged Access Manager is configured with an internal SafeNet Luna PCI-E card, this panel
is populated with a single line item identifying that internal HSM:

HSM - "LunaPCI-E"

Status - "Initialized" or "Uninitialized", depending on whether HSM initialization (activation) has
been completed and the HSM is ready for use.

Action - Specified by labeled button in the line item:

Initialize button - Initializes the Luna PCI-E in this appliance.

SafeNet HSM Configuration or Thales HSM Configuration


One of two panels (SafeNet or Thales) appears only when a SafeNet Luna PCI-E card is not installed.

The following fields and buttons appear when SafeNet is licensed:

Security Principal Username - Enter the name that you set when configuring the Luna
administrative account.

Security Principal Password - Enter the password that you set when configuring the Luna
administrative account.

Partition Password - Enter the password that you set when creating storage during your Luna
configuration procedure earlier.

Address - Enter the IP address or FQDN of the Luna HSM.

Add button - Configure CA Privileged Access Manager to use the Luna HSM specified by these
fields. After configuration is established, the HSM is listed in the Network Attached HSMs panel.

Partition Password (2nd) - Enter a new partition password. Set the new password on the Luna
before entering it here.

Update & Activate button - After clicking this button, CA Privileged Access Manager:

a. Attempts communication to the (primary) HSM.
b. If successful, confirms that the new Partition Password is in the HSM.
c. If successful, stores the new password in CA Privileged Access Manager.

The following fields and buttons appear when Thales is licensed:

Token Label - Enter the name of the applicable OCS (Operator Card Set) you created when
configuring the nShield appliance.

Remote File System - Enter the IP address of the Remote File System (RFS) used. Note: For Thales
HSMs, a DNS name is not permitted.

Token Password - Enter the password of the applicable OCS (Operator Card Set) you created
when configuring the nShield appliance.

Address - Enter the IP address of the nShield Connect. Note: For Thales HSMs, a DNS name is not
permitted.

Add button - Configure CA Privileged Access Manager to use the Thales HSM specified by these
fields. After configuration is established, the HSM is listed in the Network Attached HSMs panel.

Token Password (2nd) - Enter a new token password for the applicable OCS (Operator Card Set)
you set when configuring the nShield appliance. Set the new password on the nShield before
entering it here.

Update & Activate button - After clicking this button, CA Privileged Access Manager:

a. Attempts communication to the (primary) HSM.
b. If successful, confirms that the new Token Password is in the HSM.
c. If successful, stores the new password in CA Privileged Access Manager.

LUNA PCI-E Configuration

This panel appears only when a Luna PCI-E card is installed.

Password - Enter the challenge string that you obtained from the PED when configuring the Luna
card.

Public Key - During PCI cluster configuration, use this field either to (1) see the key in the field
after pressing Get Public Key on a non-primary, or (2) paste the key (after obtaining it from a non-
primary) into the field on the primary.

Encrypted Key - During PCI cluster configuration, use this field either to (1) see the key in the field
after pressing Extract Key on the primary, or (2) paste the key (after obtaining it from the
primary) into the field on the non-primary.

Activate button - Following an initialization process using the Luna PED and PED Keys, click this
button to switch over from built-in CA Privileged Access Manager cryptography to Luna
cryptography.
Note: This activation cannot be reversed - your appliance will be configured permanently to use
Luna PCI-E.

Get Public Key button - During PCI cluster configuration, you use this button to see and copy the
Public Key from a non-primary appliance.

Extract Key button - During PCI cluster configuration, you use this button to extract the Public Key
from a primary appliance. The result appears in the Encrypted Key field.

Insert Key button - During PCI cluster configuration, use this button on a non-primary appliance to
insert the key from the Encrypted Key field, after generating it on the primary (using Extract Key),
copying it from the primary appliance, and pasting it into the corresponding field on the non-primary
appliance.


Microsoft Office 365 Configuration


Security Token Service (STS) Endpoint URL - The URL of the Security Token Service (STS) endpoint
from which the security token is requested. In general, specify the appropriate URL that is exposed
by your organization's Active Directory Federation Service (AD FS). The endpoint must support the
WS-Trust 2005 (username mixed mode) protocol. For example:

https://<ADFS Server FQDN>/adfs/services/trust/2005/usernamemixed

This value is user-supplied and might change.

Security Token Service (STS) Endpoint Reference URI - The reference URI to which the security
token request applies. When AD FS is federated with Microsoft Online (MSOL), this value is
typically urn:federation:MicrosoftOnline. This value is a Microsoft URI and should not change.

Microsoft Online Portal URL - The URL of the MSOL portal. For example:

https://login.microsoftonline.com/login.srf

This value is a Microsoft URL and should not change.

Microsoft Online Portal Context Data - This parameter contains context information that is
relevant to MSOL. Its value should be derived by following the procedure for "creating a smart
link" as described in documentation from Microsoft. For more instructions, refer to:

http://community.office365.com/en-us/wikis/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx

Be sure to read the section at the end of the article, "For Reference: Smart Link URL template".
The following sample shows how you might create your URL:

wctx=wa=wsignin1.0&rpsnv=2&ct=1372192193&rver=6.1.6206.0&wp=MCMBI&wreply=https:%2F%2Fportal.microsoftonline.com%2Flanding.aspx%3Ftarget%3D%252fdefault.aspx&lc=1033&id=271346

Decoding the smart link is not a listed step in the Microsoft procedure, but should be done. A
useful link for decoding is:

http://coderstoolbox.net/string/#!encoding=url&action=decode&charset=us_ascii

This value is user-supplied and might change.
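The smart-link context value can be decoded without an external web tool. The following is an added Python example (not CA PAM code and not from Microsoft's article): SAMPLE_WCTX is the sample value quoted above, and the wreply host check and the function names are this example's own assumptions about what an administrator would want to verify before pasting the value into the Portal Context Data field.

```python
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed from the sample quoted in the table above (the "wctx=" prefix included).
SAMPLE_WCTX = (
    "wctx=wa=wsignin1.0&rpsnv=2&ct=1372192193&rver=6.1.6206.0&wp=MCMBI"
    "&wreply=https:%2F%2Fportal.microsoftonline.com%2Flanding.aspx"
    "%3Ftarget%3D%252fdefault.aspx&lc=1033&id=271346"
)


def decode_wctx(wctx: str) -> dict:
    """Split a smart-link wctx value into its parameters, percent-decoding each value once.

    parse_qsl decodes escapes exactly once, so a wreply that itself carries an
    encoded query (%252f) comes back with that inner escape still intact (%2f).
    """
    if wctx.startswith("wctx="):
        wctx = wctx[len("wctx="):]
    return dict(parse_qsl(wctx, keep_blank_values=True))


def encode_wctx(params: dict) -> str:
    """Re-encode parameters into a wctx value; decode_wctx(encode_wctx(p)) == p."""
    return urlencode(params)


def wreply_target(params: dict) -> str:
    """The page the user lands on after sign-in: the inner 'target' of wreply, decoded."""
    reply = urlparse(params.get("wreply", ""))
    inner = dict(parse_qsl(reply.query, keep_blank_values=True))
    return inner.get("target", "")


def wreply_is_expected(params: dict, host: str = "portal.microsoftonline.com") -> bool:
    """Sanity check before pasting the value into the Portal Context Data field:
    the return URL must be HTTPS and point at the expected Microsoft host."""
    reply = urlparse(params.get("wreply", ""))
    return reply.scheme == "https" and reply.hostname == host
```

Because the wreply value is decoded only once, the nested target remains percent-encoded inside it, which is exactly what the portal expects; wreply_target decodes that second layer separately.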


Amazon Web Services (AWS) Configuration


AWS Refresh Interval (enumerated list: 5 minutes, 15 minutes, 30 minutes, 60 minutes; default: 60
minutes) - Specifies the frequency with which CA PAM synchronizes its set of AWS Devices with the
set of AWS instances. Applies to all provisioned connections.

For each line item below, the following labels:

Access Key Alias (string; example: ExampleCorp1) - The Access Key Alias value of an AWS Access
Credentials target account provisioned in Credential Manager.

Region (string; example: US East (Virginia)) - An AWS Region of the AWS Access Credentials target
account identified in the Access Key Alias column.

Active (string; YES | NO) - The import status of this connection (as identified in the previous two
columns). When Active = YES, CA PAM imports all (AWS) State=running devices (that do not have an
AWS tag of “XsuiteIgnore”) from the specified Access Key Alias - Region combination at the end of
each AWS Refresh Interval.

Edit (button) - Stages this connection in the Amazon Web Services (AWS) Configuration to change
the Active status.

Remove (button) - Using the Remove button has these effects on this connection:

1. You are required through a dialog (pop-up) window to acknowledge your selection of Remove
before the following takes effect.
2. Removes all AWS-imported Devices and their associated password applications and accounts,
and associated policies, for the selected connection. Exception: No Devices that have been
assigned authorization mappings are deleted.
3. Removes the current connection line item from this panel.

Test (button) - Attempts a connection to AWS with the credentials of the account for this
connection, and confirms or denies success.
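The import rule (State=running, no XsuiteIgnore tag) and the Remove exception for devices with authorization mappings are easy to get wrong when reconciling an inventory by hand. The following Python is an added example of those two rules, not CA PAM code: the instance records, the Device dataclass and the connection label are constructed for the example, and it models only what the table states (it imports, and it never deletes on refresh).

```python
from dataclasses import dataclass

# Constructed sample: what one Access Key Alias / Region connection might return
# from AWS, reduced to the fields the import rule looks at.
AWS_INSTANCES = [
    {"id": "i-0001", "name": "web-1", "state": "running", "tags": {}},
    {"id": "i-0002", "name": "db-1", "state": "running", "tags": {"XsuiteIgnore": "true"}},
    {"id": "i-0003", "name": "batch-1", "state": "stopped", "tags": {}},
    {"id": "i-0004", "name": "web-2", "state": "running", "tags": {"Name": "web-2"}},
]

CONNECTION = "ExampleCorp1 / US East (Virginia)"  # Access Key Alias - Region pair from the table


@dataclass
class Device:
    instance_id: str
    name: str
    connection: str                  # the Access Key Alias - Region combination it was imported from
    has_auth_mapping: bool = False   # devices with authorization mappings survive Remove


def importable(instances):
    """The table's import rule: State=running and no XsuiteIgnore tag."""
    return [i for i in instances
            if i["state"] == "running" and "XsuiteIgnore" not in i["tags"]]


def refresh(devices, instances, connection):
    """One AWS Refresh Interval pass: import running, non-ignored instances not yet known.
    The page states only what is imported, so nothing is deleted here."""
    known = {d.instance_id for d in devices}
    added = [Device(i["id"], i["name"], connection)
             for i in importable(instances) if i["id"] not in known]
    return devices + added


def remove_connection(devices, connection):
    """Remove button, step 2: drop the connection's imported devices,
    except any that have been assigned authorization mappings."""
    return [d for d in devices if d.connection != connection or d.has_auth_mapping]
```

Running refresh twice on the same instance list is idempotent, and a device that has been given an authorization mapping stays behind after Remove even though its connection line item is gone, which is the state an administrator then has to clean up deliberately.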


Add AWS Connection


Access Key Alias (enumerated) - Select from a list of Access Key Alias values from all target
accounts with an Application Name of “AWS Access Credentials” and with a Credential Type of
“Access Key”. Depending on whether this value designates an AWS commercial or a GovCloud
account, a list of only the applicable AWS Regions (see field) is displayed.

Active (checkbox) - Activates this connection to import devices. Initial import is made at the time
(1) this option has been selected, (2) the Add button is clicked, and (3) the import pop-up is
acknowledged. Subsequent synchronization (refresh) is then made after each AWS Refresh Interval
completes.

AWS Region (enumerated) - Select an AWS Region in which you operate your devices. The region
selections that are listed correspond to your current Access Key Alias selection: either a list of
commercial regions is shown, or a list of GovCloud regions is shown.

Note: If a region has previously been provisioned for the currently selected Access Key Alias, it is
disabled (and unavailable).

Note: The CA PAM AWS API Proxy 2.0 can now be used with CA PAM to successfully reach AWS
GovCloud accounts to execute API calls. GovCloud accounts can already be configured for use with
CA PAM.

Add (button) - Saves the current settings as a provisioning record that is displayed in the AWS
Provisioning pane. Does not make a connection to AWS.

VMware vCenter Configuration


vCenter Refresh Interval (enumerated: 5 minutes, 15 minutes, 30 minutes, 60 minutes; default: 60
minutes) - Specifies the elapsed time between each import refresh and the previous refresh. All
active provisions are refreshed simultaneously. The four options correspond to fixed times on the
clock (as set in Config, Date/Time):

For a setting of 5 minutes, if a provision was made Active=”YES” (or checked) at, for example,
11:12, it is then refreshed at the next time marker used by this option: 11:15, then again at 11:20,
then at 11:25, and so on.

For 15 minutes, refresh would occur at 11:15, then at 11:30, then at 11:45, and so on.

When a provision has been made Active, or has been Added with Device Sync selected, it is
imported immediately. Then the first refresh occurs at the first time marker, rather than following
a full-length interval.

A provision is refreshed until it is Removed or you set Active=”NO”.

Global VMware Sync (checkbox: unchecked (off) or checked (on); default: unchecked (off)) - Forces
all vCenter Account combinations to the Active=”YES” (refresh = on) state. When selected, import
of newly active provisions occurs at the next fixed refresh time marker, not immediately.

List of configured vCenter provisions:

Edit column (Edit button or Save button) - Toggles the edit mode of this line item: The Edit button
opens the line item for editing (turns on edit mode). The Save button saves any changes to the
currently staged line item values (URL and Active widgets), and closes the line item for editing
(turns off edit mode). Initially, the edit mode is turned off.

vCenter Account column (string) - Displays the vCenter Authentication Device – vCenter User
combination.

URL column (string in URL format; with edit mode on, the URL string can be edited) - Displays the
previously saved URL for this line item.

Active column - Edit mode off (enumerated: YES or NO):
YES: Configuration is scheduled to sync periodically (to import from vCenter) after each vCenter
Refresh Interval.
NO: Configuration is not scheduled to sync periodically (will not import from vCenter).
Edit mode on (checkbox: checked or unchecked):
Checked: After clicking the Save button, the configuration will periodically sync (import from
vCenter) after each vCenter Refresh Interval.
Unchecked: After clicking the Save button, the configuration will not periodically sync (import
from vCenter).

Remove column (button; click to execute) - Removes this entire provisioning line item.

Test column (button; click to execute) - Tests the connection for this line item provision to the
Authentication Device and vCenter URL.
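To make the fixed-clock-marker semantics of the vCenter Refresh Interval concrete, here is an added Python example (my own, not CA PAM code). It reproduces the 11:12 activation walked through above and generalizes it to all four interval options; the distinction between importing immediately (Device Sync, or setting a single provision Active) and waiting for the next marker (Global VMware Sync) is modelled by an `immediate` flag, which is this example's own naming.

```python
from datetime import datetime, timedelta

REFRESH_INTERVALS = (5, 15, 30, 60)   # the four vCenter Refresh Interval options, in minutes


def next_marker(after: datetime, interval_minutes: int) -> datetime:
    """First fixed clock marker strictly after `after`.

    Markers are the multiples of the interval past the hour (5 -> :00, :05, :10, ...;
    15 -> :00, :15, :30, :45; 60 -> the top of each hour), so a provision activated
    at 11:12 with a 5-minute interval is next refreshed at 11:15, not at 11:17.
    """
    if interval_minutes not in REFRESH_INTERVALS:
        raise ValueError("interval must be one of %r" % (REFRESH_INTERVALS,))
    base = after.replace(second=0, microsecond=0)
    step = interval_minutes - (base.minute % interval_minutes)   # always 1..interval
    return base + timedelta(minutes=step)


def refresh_schedule(activated_at: datetime, interval_minutes: int, count: int):
    """The first `count` refresh times after a provision is set Active."""
    times, t = [], activated_at
    for _ in range(count):
        t = next_marker(t, interval_minutes)
        times.append(t)
    return times


def first_import(activated_at: datetime, interval_minutes: int, immediate: bool) -> datetime:
    """Device Sync / Active on a single provision imports immediately; Global VMware Sync
    waits for the next fixed marker. `immediate` is this example's own flag."""
    return activated_at if immediate else next_marker(activated_at, interval_minutes)
```

Note that an activation that lands exactly on a marker (11:15:00 with a 5-minute interval) is refreshed at 11:20, since the marker must be strictly later than the activation time; seconds are dropped before the computation so that 11:15:30 behaves the same way.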

Add VMware vCenter


When NSX has been registered for this CA Privileged Access Manager: The message “Multi vCenter
Servers are not supported when NSX is configured” appears in this panel. No widgets are available.

When NSX has not been registered for this CA Privileged Access Manager (through the VMware NSX
panel):

vCenter Authentication Device (enumerated; drop-down list of all provisioned CA Privileged Access
Manager Devices) - Choose the Device that hosts the authentication server for this account (from all
currently provisioned CA Privileged Access Manager Devices), either a targeted vCenter or an
external server such as LDAP that authenticates vCenter users.

vCenter User (enumerated; drop-down list of all provisioned vCenter Authentication Device target
accounts; this field appears only after ‘vCenter Authentication Device’ is populated) - Choose a
VMware vCenter user account from those that have been provisioned in Credential Manager as
target accounts in the vCenter Authentication Device.

URL (string; properly formed URL) - Enter the vCenter URL, ordinarily – but not exclusively – of
the form:

https://address[:port]/sdk

Examples:

https://vcenter.example.com/sdk

https://192.0.2.1:55555/sdk

https://vcenter2.example.com:77777/

Device Sync (checkbox; checked or unchecked) - Check the box if you want all (non-XsuiteIgnore
tagged) virtual machines (VMs) to be imported immediately, and then after each Global VMware
vCenter Sync period.

Add (button; click to execute) - Click to load this currently staged vCenter specification to the
VMware vCenter Configuration list.

VMware NSX
The VMware NSX fields are not populated unless VMware NSX is licensed.

When a vCenter has not been configured for this CA Privileged Access Manager: The message
“VMware vCenter Server is not configured” appears in this panel. No widgets are visible.

When a vCenter has been configured for this CA Privileged Access Manager (through the Add
VMware vCenter panel):

Access page runtime updates (checkbox; checked or unchecked) - Update the Access page as policy
is updated from NSX and propagated to CA Privileged Access Manager. [?]

Background updates (checkbox; checked or unchecked) - Update CA Privileged Access Manager as
NSX settings are updated. [?]

Register (button; click to execute) - Register this currently staged NSX specification.

Save (button; click to execute; this label appears only after an NSX registration attempt) - Returns
(at top of page) one of:
"VMware NSX configuration successfully updated. VMware NSX partner service was successfully
registered."
"VMware NSX partner service was not registered. See log for details."
"VMware NSX configuration successfully updated."

Disable (button; click to execute; this option appears only after a failed NSX registration attempt) -
Resets all widgets to default values (empty the fields). Returns (at top of page) one of:
"VMware NSX partner service was successfully unregistered."

Unregister (button; click to execute; this option appears only after a successful NSX registration) -
Unregisters this NSX, and resets all widgets to default values (empty the fields). Returns (at top of
page) one of:
"VMware NSX configuration successfully updated. VMware NSX partner service was successfully
unregistered."

Test (button; click to execute; this button appears only after an NSX registration attempt) - Test
that CA Privileged Access Manager can communicate with the configured NSX Manager. Returns (at
top of page) one of:
"Connected successfully to NSX Manager"

RADIUS and TACACS+ Configuration


Current Servers

Server address (IPv4) - IP address or DNS name of the RADIUS server.

Port [1812] - Corresponding port for the RADIUS server. Note: The IANA-registered RADIUS
authentication port = 1812. Some RADIUS servers might be configured to use a former, unofficial
port = 1645.

Type - Lists RADIUS or TACACS+ servers.

Shared Secret - A shared secret is a text string used as a password between a RADIUS client and
RADIUS server, a RADIUS client and a RADIUS proxy, or a RADIUS proxy and a RADIUS server.

Add New Servers

Server address (IPv4) - IP address or DNS name of the RADIUS server.

Port [1812] - Corresponding port for the RADIUS server. Note: The IANA-registered RADIUS
authentication port = 1812. Some RADIUS servers might be configured to use a former, unofficial
port = 1645.

Type - Select RADIUS or TACACS from the list box.

Shared Secret - A shared secret is a text string that is used as a password between a RADIUS client
and RADIUS server, a RADIUS client and a RADIUS proxy, or a RADIUS proxy and a RADIUS server.

Add (button) - Add server specified by current values in data entry fields. After a successful Add,
confirmation in red text.

The following Edit and Delete buttons are displayed only after a server is added.

Edit (button) - Move record to editing fields. (After editing, re-Add.)

Delete (button) - Remove access to selected RADIUS server (and delete line item from this list).

Timeout (seconds) (int; default: 60) - Optional.
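The shared secret configured above is what lets CA PAM, as a RADIUS client, tell a genuine server reply from a forged or tampered one: every reply carries a Response Authenticator computed over the packet and the secret (RFC 2865, section 3). The following Python is an added example of that check, not CA PAM code; the request authenticator, the secret and the Reply-Message attribute are constructed for the example, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

RADIUS_AUTH_PORT = 1812          # IANA-registered port (the table's default)
LEGACY_AUTH_PORT = 1645          # former, unofficial port some servers still use
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
REPLY_MESSAGE = 18               # attribute type (RFC 2865)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_reply(code, identifier, attributes, request_authenticator, secret):
    """What a server holding `secret` sends back for the request that carried request_authenticator."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def reply_is_authentic(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check: trust a reply only if its authenticator recomputes under the
    configured shared secret and the request authenticator this client sent."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

A wrong secret on either side, a reply matched to the wrong request, or any change to the attributes after the server signed them all fail the check, so an Access-Accept that a client did not verify this way is worth nothing. The constant-time comparison is a habit rather than a requirement here, since the authenticator is not a secret.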

Check Down LDAP Servers Interval


Interval - Sets the interval, in minutes, at which CA PAM checks whether a currently down LDAP
server is available as long as that server is in current priority.

Update - Updates the time interval in minutes.

Add LDAP Domain


Server (format: IPv4 address) - Identify the IP address or DNS name of the directory. Note: Confirm
(independently) that the IP address is valid.

A simple LDAP bind operation can be used to authenticate to the Directory Server:

Bind Credentials (example: User@ca.local) - LDAP: Distinguished Name to be used for
authentication. AD: User Principal Name is used for authentication. Note: This account must have
read access to the Directory.

Bind Password - User account password.

Other Options (checkbox) - Use TLS (LDAPv3 Only).

Update Interval: Every _ Minutes (units: minutes) - Set the period (minutes) at which CA PAM
synchronizes with the directory. IMPORTANT: If you set a small value - for example, 10 minutes -
you might experience unreasonably high LDAP update traffic. This is known to interfere with, or
disable, cluster functioning. Administrators with access to the Users tab can force synchronization
on demand by using the menu item Refresh LDAP Groups on the Manage Users page.

The Unique Attribute of the directory can be set to customize communication. The Group
ObjectClass and the Group Member Attr. are directory-type specific. When a Unique Attribute is set,
CA PAM uses it and the user login id to fetch the user Distinguished Name (DN) during
authentication.

Unique Attr - Unique Attribute is used for two purposes:

1. Display name: The user is displayed using this value.
2. Split authentication - for example, LDAP/RSA. The value of the unique attribute for the LDAP
user is used to authenticate to the secondary authentication server, in this case, RSA server.

User Group Object Class - Define which attribute is used to specify user groups.

Group Member Attr. - Specify the attribute in the group object class that has the names of the
group members.

Group Search Filter - (Do not use - Deprecated)
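Resolving a login id to a DN through the Unique Attribute means building an LDAP search filter from a value the user typed, so the value has to be escaped per RFC 4515 or a login id such as `*` matches every entry. The following Python is an added example (not CA PAM code) of the filter construction, the escaping, and why it matters: the in-memory directory, the attribute name sAMAccountName and the tiny filter evaluator that plays the server's part are all constructed for the example.

```python
import re

# Constructed in-memory stand-in for the directory; a real lookup goes over LDAP.
DIRECTORY = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=com", "sAMAccountName": "alice"},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com", "sAMAccountName": "bob"},
]


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value
    ('*' -> \\2a, '(' -> \\28, ')' -> \\29, '\\' -> \\5c, NUL -> \\00)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_dn_filter(unique_attr: str, login_id: str) -> str:
    """The equality filter the DN lookup needs: (uniqueAttr=<escaped login id>)."""
    return "(%s=%s)" % (unique_attr, escape_filter_value(login_id))


def _pattern_matches(pattern: str, value: str) -> bool:
    """Evaluate one assertion value the way a server would: an unescaped '*' is a
    wildcard, a '\\xx' hex escape stands for exactly one literal character."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 2 < len(pattern):
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.fullmatch("".join(parts), value) is not None


def search(directory, ldap_filter: str):
    """Minimal evaluator for a single (attr=value) filter over the in-memory directory."""
    m = re.fullmatch(r"\(([A-Za-z][\w.-]*)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple (attr=value) filters are supported")
    attr, pattern = m.group(1), m.group(2)
    return [e["dn"] for e in directory if attr in e and _pattern_matches(pattern, e[attr])]


def lookup_dn(directory, unique_attr: str, login_id: str):
    """Resolve a login id to exactly one DN, or None: zero or several matches must not log anyone in."""
    dns = search(directory, user_dn_filter(unique_attr, login_id))
    return dns[0] if len(dns) == 1 else None
```

The last function also covers the other failure mode of a Unique Attribute lookup: if the attribute is not actually unique in the directory and two entries come back, the lookup refuses rather than picking the first one.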

RSA Authentication Manager Configuration


To configure RSA SecurID authentication, the SecurID administrator first registers CA Privileged
Access Manager as an authenticating device on the RSA ACE server. The SecurID administrator then
generates the sdconf.rec file (containing connection and encryption information) and forwards that
file to the CA Privileged Access Manager administrator. The sdconf.rec file is then later uploaded to
CA Privileged Access Manager by the administrator. If necessary, an optional configuration file can be
used.

Current mandatory RSA configuration file - sdconf.rec

Current optional RSA configuration file - sdopts.rec

Node secret

Upload RSA authentication manager configuration files (sdconf.rec or sdopts.rec):

1. Choose File

2. Upload

AWS API Proxy Auto-Activation Whitelist


The AWS API Proxy Auto-Activation Whitelist panel appears only when AWS API Proxy Users have
been licensed on this appliance.

Whitelisted Subnets: (separated by commas or newlines) - Enter the subnets containing the AWS
API Proxy instances.


VMware NSX API Proxy Auto-Activation Whitelist


The VMware NSX API Proxy Auto-Activation Whitelist panel appears only when VMware NSX API
Proxy Users have been licensed on this appliance.

Whitelisted Subnets: (separated by commas or newlines) - Enter the subnets containing the
VMware NSX API Proxy instances.

Remedy Service Desk Configuration


Before you configure the settings for BMC Remedy ITSM, copy the SDK JAR files from the BMC
Remedy System. These files enable communication between CA Privileged Access Manager and BMC
Remedy.

Follow these steps:

1. On the BMC Remedy system, go to the following directory:

\\bmc\Software\ARSystem\Arserver\api\lib

2. Copy the following SDK JAR files:

arapi8*.jar

arutil81*.jar

3. Save the copied JAR files to a location accessible to the CA Privileged Access Manager system.

4. Use the Choose File button to browse for the JAR files individually. Use the Upload button to
upload each file, one at a time.
Note: If you are load balancing, you have to upload the JAR files to each server. The files are
the same for Windows and Linux.

5. Restart the app server by clicking the Restart Tomcat button. Wait until the process completes.
A message displays: "Tomcat restarted successfully."

Certificate Info
Certificate Info (see page 286)

Certificate Info

Certificate Info: The Certificate Revocation List shows all existing Certificate Revocation List (CRL) files currently on CA PAM, with the status of each.

Database
Database (see page 287)
Schedule Backup, Save Configuration and Database, or Reset Database (see page 287)
Schedule Backup (see page 287)


Database

Schedule Backup, Save Configuration and Database, or Reset Database

Schedule Backup: Invokes a new window implementing the scheduling widget.

Save Database and Configuration: Dumps to separate files:

1. The currently active database (users, devices, policy) [File format: gkdatabaseYYYYMMDDHHMMSS], and

2. The currently active CA PAM configuration settings [File format: gkYYYYMMDDHHMMSS.cfg].

3. Acknowledges this action, along with the respective filenames, at the top of the page window.

Reset Database: Resets the database to empty and default values.

Schedule Backup

Schedule Backup, Save Configuration and Database, or Reset Database

Name Description / Formula

Current schedule: The currently stored schedule.

Time options: Set an automated backup. Select any single value or range of values for Month, Day, Weekday, Hour, and Minute that should be set as a constraint. Select All for any field that should not be a constraint to the schedule. (Any value will be allowed.) Example: To schedule a backup that begins every night at 11PM, set Month, Day, and Weekday each to All, the Hour to 23, and the Min to 00.

Timezone: Displays the timezone for the system.

Path: The authentication and path are set with the syntax provided - <user>@<server>:/<path>

Port: Change the port on the destination server. Default = 22

Select authorization file: Define the key file for use in authentication.

Delete after successful send: Check this box if the Configuration and Database backup files should be deleted from local storage on CA PAM.

Maximum files to keep locally: Set the number of Configuration and Database backup files that are stored on CA PAM. Database and Configuration files created by the Scheduled Backup are available for download in the File Operations area.
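The scheduled backup pushes a database dump (users, devices, policy) and a configuration file to <user>@<server>:/<path> and caps how many copies stay on the appliance, but nothing on the receiving server tells you when a push stops arriving. The Python below is an added example, not CA PAM code, for the receiving side: it parses the two documented filename formats, reports the newest backup of each kind, flags a gap longer than the expected interval, and lists files beyond a keep count for pruning, never touching names it cannot identify. It also maps the Time options widget to a crontab line for the page's 11PM example, as an illustration of the widget's semantics rather than the appliance's internal format. The directory listing is constructed. Because these files contain the appliance's user and policy data, the destination path and the key file named in the Path and Select authorization file settings deserve the same protection as the appliance itself.

```python
import re
from datetime import datetime, timedelta

# Filename formats documented for "Save Database and Configuration":
#   gkdatabaseYYYYMMDDHHMMSS   database dump (users, devices, policy)
#   gkYYYYMMDDHHMMSS.cfg       configuration settings
_PATTERNS = {
    "database": re.compile(r"^gkdatabase(\d{14})$"),
    "config": re.compile(r"^gk(\d{14})\.cfg$"),
}


def parse_backup_name(name):
    """Return (kind, timestamp) for a CA PAM backup filename, or None when the
    name matches neither documented format or carries an impossible timestamp."""
    for kind, pattern in _PATTERNS.items():
        match = pattern.match(name)
        if match:
            try:
                return kind, datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
            except ValueError:
                return None
    return None


def schedule_to_cron(minute="All", hour="All", day="All", month="All", weekday="All"):
    """Express the Time options widget as a crontab line. "All" means the field
    is not a constraint, which is "*" in cron. (Illustrates the widget's
    semantics only; it is not the appliance's own scheduler format.)"""
    def field(value):
        return "*" if str(value) == "All" else str(int(value))
    return " ".join(field(v) for v in (minute, hour, day, month, weekday))


def check_backups(names, now, expected_interval, keep):
    """Group a directory listing by backup kind. For each kind report the newest
    timestamp, whether it is older than expected_interval (a missed push), and
    which files fall outside the keep count, oldest first, for pruning."""
    by_kind = {"database": [], "config": []}
    unknown = []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None:
            unknown.append(name)        # never delete what we cannot identify
        else:
            by_kind[parsed[0]].append((parsed[1], name))
    report = {"unknown": sorted(unknown)}
    for kind, items in by_kind.items():
        items.sort(reverse=True)        # newest first
        newest = items[0][0] if items else None
        report[kind] = {
            "newest": newest,
            "stale": newest is None or now - newest > expected_interval,
            "prune": [name for _, name in reversed(items[keep:])],
        }
    return report


def demo_report():
    """Run check_backups over a constructed listing (not real data): nightly
    23:00 pushes, checked at 09:00 on 17 Feb 2017 with a 25 hour allowance."""
    listing = [
        "gkdatabase20170216230000", "gkdatabase20170215230000",
        "gkdatabase20170214230000", "gkdatabase20170213230000",
        "gkdatabase20170212230000",
        "gk20170214230000.cfg", "gk20170213230000.cfg",
        "readme.txt",
    ]
    return check_backups(listing, datetime(2017, 2, 17, 9, 0, 0),
                         timedelta(hours=25), keep=3)


if __name__ == "__main__":
    print("cron for the page's 11PM example:", schedule_to_cron(minute="00", hour=23))
    for kind, info in demo_report().items():
        print(kind, info)
```

In the constructed listing the database dumps are current but the last configuration file is two days old, so the report marks "config" stale: the two kinds are written by the same job, and a gap in one of them is worth an alert on its own.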

Date and Time


Enter Date and Time (see page 288)
Time Servers (see page 288)
Authenticated NTP (see page 289)
NTP Status (see page 290)

Date/Time Configuration

Enter Date and Time: Allows you to enter the date and time.

Time Servers: List of time servers that are queried by CA PAM to (re)set the CA PAM clock.

Authenticated NTP: Lists available NTP v4 Autokeys. Also allows a choice to authenticate or not.

NTP Status: Displays the output of the authenticated NTP server.

Enter Date and Time

Name Type Enum/Format Description/Notes

Update (button): Manually updates the CA PAM server date/time to the date/time currently shown in the widget fields. NOTE: Use only when Time Servers are unavailable. (See section below.)

Time Servers

Name Type Enum/Example Description/Notes

[untitled] (enumerated; defaults: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org): List of time servers that are queried by CA PAM to set the CA PAM clock. IMPORTANT: DNS must be set to reliable DNS servers in Config, Network. If DNS is known not to be set properly and cannot practically be fixed, the time server names should be changed to their current IP addresses. The defaults are public, unauthenticated pool servers; where an internal time source exists, list it here instead, and consider the Authenticated NTP option below. Accurate time affects certificate validity checks, SAML assertion validity windows, and the timestamps in audit logs and session recordings.

Synchronize at boot (checkbox): Sets CA PAM to execute a time servers query and CA PAM clock reset during CA PAM boot. IMPORTANT: If CA PAM does not have access to an NTP server (or does not have access to DNS), Time Servers should be disabled by clearing this checkbox.

Save (button): Upon clicking Save:

If "Synchronize at boot" is selected:

1. Queries the time server(s) currently listed in the field immediately above (in order). (Re)sets the CA PAM clock to the results of the (first successful) query. CA PAM continuously queries the time server(s), and queries them on boot.

2. If the time server DNS addresses displayed are not the most recently held in storage, storage is updated to reflect the displayed values.

If "Synchronize at boot" is not selected:

1. Stops any currently running NTP polling. You can set the time to any value using the "Enter Date and Time" widget. CA PAM does not query upon reboot.

Authenticated NTP

Name Type Enum/Example Description/Notes

NTPv4 Autokey (text): Copy and paste into this text box the NTP v4 autokey you obtain from your NTP v4 server. After you click Save, this autokey is applied.

Security Policy (2-option option button):

Only use authenticated NTP, do not communicate with unauthenticated peers. When selected, CA PAM implements Authenticated NTP using the autokey copied into the text box above.

Authentication not required. When selected, CA PAM does not use the autokey and queries the Time Servers without authentication.

NTP Status

NTP Status (text): Displays the output of the authenticated NTP server.

Refresh (button): Updates the NTP status output (shown immediately above).

Diagnostics
Diagnostics Fields (see page 290)
System Diagnostic (see page 291)
Tomcat Logs (see page 291)
Applet Log Level (see page 291)
Xsuite As SAML RP Log Level Fields (see page 291)
Xsuite As SAML IdP Log Level (see page 291)
Maintenance Mode (Off) (see page 292)
Remote Xceedium Debugging Services (Off) (see page 292)
Performance Graphs (see page 292)

Diagnostics Fields

System Diagnostic (see page 291): The System Diagnostic tool gathers information about specified CA Privileged Access Manager file versions. The tool provides a listing of filenames, showing the dates they were modified and their file versions.

Maintenance Mode (Off) (see page 292): Maintenance Mode prevents new logins so that an administrator can make configuration changes without user activity interference. Maintenance Mode does not disable the Credential Manager CLI.

To disable the Credential Manager CLI manually, follow these steps:

1. Access the Credential Manager GUI.

2. Go to Settings, General Settings.

3. Clear "Enable External CLI".

4. Save the change.

You might need to restart the CA Privileged Access Manager box.

Performance Graphs (see page 292): CA PAM activity can be graphed for the following dimensions:

CPU Utilization
Outgoing Network Activity DD/MM/YYYY
Incoming Network Activity DD/MM/YYYY


System Diagnostic

Configuration File: CA Support provides this file.

Run System Diagnostic: This command creates an encrypted file for review by CA Support.

Tomcat Logs

Download Tomcat Log File: Downloads the "catalina.out" logfiles from the appliance to CA Technologies, Inc. Support's local client access computer.

Applet Log Level

Current Log Level: Always set to 0.

Xsuite As SAML RP Log Level Fields

Current Log Levels: Default is: Normal.

View Recent Entries: Displays the RP Log pane.

Xsuite As SAML IdP Log Level

Current Log Levels: Default is: Normal.

Review Recent Entries: Displays the IdP Process Log pane.


Maintenance Mode (Off)

Turn On Maintenance mode: Setting Maintenance Mode to On prevents new CA Privileged Access Manager logins. Maintenance Mode does not disable the Credential Manager CLI.

To disable the Credential Manager CLI manually, follow these steps:

1. Access the Credential Manager GUI.

2. Go to Settings, General Settings.

3. Clear "Enable External CLI".

4. Save the change.

Users might need to restart the CA Privileged Access Manager box.

Remote Xceedium Debugging Services (Off)

Turn On Remote Xceedium Debugging Mode: Always set this mode to Off.

Performance Graphs

Turn graphing on: This option produces graphs of the following performance items:

CPU Utilization
Outgoing Network Activity DD/MM/YYYY
Incoming Network Activity DD/MM/YYYY


Licensing

Current License

Access Devices: Maximum number of Access Devices that can be used.

Password Devices: Maximum number of Credential Manager Devices that can be used.

A2A Devices: Maximum number of A2A Devices that can be used.

Mainframe Capability: Enabled or Disabled for use of mainframe access methods: TN3270, TN3270SSL, TN5250, and TN5250SSL.

AWS Capability: Enabled or Disabled for device import and AWS Management Console access to Amazon Web Services (AWS) accounts. Requires more configuration in Config, 3rd Party.

AWS API Proxy Users: Number of CA PAM Users who can simultaneously access AWS through CA PAM using AWS API requests. Requires more configuration in Config, 3rd Party and deployment of AWS API Proxy devices in an AWS environment.

VMware NSX API Proxy Users: Number of CA PAM Users who can simultaneously access the VMware NSX API through CA PAM using NSX API requests. Requires more configuration in Config, 3rd Party and deployment of NSX API Proxy devices in a VMware environment.

VMware Capability: Enabled or Disabled for access to a VMware account. Requires more configuration in Config, 3rd Party.

External API Capability: Enabled indicates that the External Rest API is licensed. To activate this feature, you must also select Enable External Rest API in Config > Security > External API Access.

Office365 Capability: Enabled or Disabled for access to a Microsoft Office 365 administrative account. Requires more configuration in Config > 3rd Party.

SafeNet HSM Capability: Enabled or Disabled for access to SafeNet Luna SA or SafeNet Luna PCI-E HSMs (hardware security modules). Requires more configuration in Config, 3rd Party. NOTE: If Enabled, Thales HSM Capability must be Disabled.

Thales HSM Capability: Enabled or Disabled for access to Thales nShield Connect HSMs (hardware security modules). Requires more configuration in Config, 3rd Party. NOTE: If Enabled, SafeNet HSM Capability must be Disabled.

Start Date: Date on which (at 12:00AM) the license is active.

End Date: If present: Date on which (at 11:59PM) the license is no longer active.

Type: Perpetual or Temporary (with End Date) license.

Hardware ID: CA Technologies, Inc. serial number for this appliance.

Install New License: Used to select and upload a new license file.

Logs
Manual Logs (see page 294)
Automatic Log Purge Settings (see page 294)
Sys Logs Settings (see page 295)
External Log Server (see page 296)
Session Recording (see page 296)
Session Recording Preference (see page 297)

Manual Logs

Name Values Description

Up 'till [Month] [DD] [YYYY] (enumerated lists): Set an end date for a batch operation by the Save to file or Purge buttons.

Save to file (button): Save all logs up to the specified date to a single file.

Purge (button): Delete all logs up to the specified date.

Purge All (button): Delete all logs in CA PAM internal storage.

Reset (button): Resets the date for the manual log purge.

Pick a filename (enumerated list): Drop-down list of log files that are batched through previous (manual and automatic) log purges.

Download (button): Download the selected log file through the browser from CA PAM internal storage (secondary drive).

Delete (button): Delete the selected log file from CA PAM internal storage (secondary drive).

Automatic Log Purge Settings

Name Values Description

Enable _ as scheduled below (checkbox): Activate automation (upon clicking "Update").

Purge interval (enumerated range: 1 hour through 24 hours; 2, 7, 14, 30, 60, 90, or 120 days): Time that elapses between each purge.

Email logs _ require email be sent before purge. (checkbox): PREREQUISITE: This option can only be enabled if you have already provided valid settings for the following: Admin Email, SMTP Server, and Appliance From Address, configured in the Config > Monitor screen. Forces an email with the log attachment to be sent to the administrator (specified in Monitor, see below) before doing the purge. Note: an email attachment is a weak archive for audit logs; where the logs matter for investigation or compliance, forward events to a syslog or external log server (see Sys Logs Settings and External Log Server below) before enabling automatic purge.

Email size _ MB (options in MB: 1 through 10): Maximum allowed size per email. If the log is larger than the setting, it is separated into multiple maximum-sized emails.

Update (button): Update (and activate, if applicable) stored settings from current settings.

Reset (button): Populate with the most recently saved (previously "Updated") settings. (Does not return to original CA PAM settings.)

Sys Logs Settings

Name Values Description

Enable _ syslog to the specified server (checkbox): Activate the server (upon clicking Update). IMPORTANT: To take effect, this selection must always be followed by clicking Update.

Remote Server (2 max, delimited by '|') (IPv4 addresses and/or machine names): Example: 192.0.2.34 | syslog.example.com

Remote Port (leave blank if default): NOTE: Default IANA registered port = 514.

Update (button): Update (and activate, if applicable) stored settings with current settings. IMPORTANT: If you enable a server, ensure that "Enable _ syslog" has already been selected.

Reset (button): Populated with the most recently saved (previously "Updated") settings. (Does not return to original CA PAM settings.)


External Log Server

Name Values Description

Enable logging to the external server (checkbox): Turn on the function to send events to an external (MySQL) database. NOTE: A copy of each log message is automatically kept on the local CA PAM.

Show _ logs as default (enumerated: Local, External): Specify which storage view is shown by default. Local: Logs on the local internal CA PAM database. External: Logs on the external database (specified in MySQL Server Settings).

Allow user to change view (checkbox): If set, a standard user is able to switch between local and external storage views.

MySQL Server Settings - Enabled when the 'Enable logging to the external server' checkbox is checked.

Server IP (IPv4 address): IP address of the MySQL server.

Port [3306] (text): Default registered port (prepopulated in CA PAM): 3306.

DB Username: Username must have both read and write access.

DB Password: Password.

Database Name: Name of the MySQL database storing the logs.

Update (button): Update (and activate, if applicable) stored settings with current settings. IMPORTANT: If you enable the server, ensure that "Enable logging to the external server" has already been selected.

Reset (button): Populated with the most recently saved (previously "Updated") settings. (Does not return to original CA PAM settings.)

Session Recording

Name Values Description

Text based recording to the syslog server (Default: [unchecked]): Send the command line session recordings (ASCII text) to the syslog server. PREREQUISITE: The syslog server hostname or IP address must have been added to the "Syslog" settings with the appropriate options enabled.

Text based recording to NFS/CIFS/S3 mounted directory (Default: [unchecked]): Store the command line session recordings (ASCII text) on a mounted file system. Includes NFS, CIFS, or Amazon S3. PREREQUISITE: The mount must have been enabled in "NFS/CIFS/S3 Settings." IMPORTANT: To prevent failures, clear when the share is near full.

Graphical Session recording to NFS/CIFS/S3 mounted directory (Default: [unchecked]): Store the RDP or VNC session recording data (in a proprietary format) on a mounted file system. Includes NFS, CIFS, or Amazon S3. PREREQUISITE: The mount must have been enabled in NFS/CIFS/S3 Settings. IMPORTANT: To prevent failures, clear when the share is near full.

Update (button): Record and activate the recording storage settings.

Session Recording Preference

Name Values Description

If session recording mount is unavailable?: Applicable when either of the following are selected in Session Recording: Text based recording to NFS/CIFS/ ... or Graphical Session recording to NFS/CIFS/ ...

Present an error and do not connect. (Security Safe) (option button): If selected, CA PAM will not let users connect.

Connect anyway. (Operationally Safe) (option button): If selected, CA PAM will let users connect even though it cannot record them. Where session recording is relied on as a control over privileged access, this option means an outage of the share silently produces unrecorded sessions; in that case choose Security Safe and monitor the share instead.

Error message field (text): Message to provide the user if the mount is determined to be unavailable.

Submit (button): Record the connection preference.

Monitor

Name Values Description

Admin Email (Example: admin1@example.com): Email address for the CA PAM administrator account. NOTE: This setting allows specification of a single account. It might work better as a role account to allow multiple recipients.

SMTP Server (IPv4 address -or- FQDN hostname): Server address of the SMTP server that delivers alerts. PREREQUISITE: If relay is necessary, it must be configured correctly on the SMTP server.

Appliance From Address (Example: xsuiteadmin@example.com): Address that is inserted into the "From" field of any monitoring email sent by CA PAM. IMPORTANT: This is not a "dummy" field; the address MUST be properly formed, for example <mailbox>@<domain>.<tld>. Otherwise, settings are not saved correctly. (After you attempt to Save in such a case, the acknowledgment page displays an error message.) NOTE: A trailing or leading space also causes an error.

Re-check Time (seconds; Default: 10): Reporting cycle between alerts.

DNS Test Query (FQDN; Example: smtp1.example.com): Run DNS status test queries to confirm that DNS is available and operating correctly. PREREQUISITE: DNS must be configured on the Toolbar: Config, Network page and working for the monitoring function to run.

Network

Network Configuration (see page 298): Configuration settings for the default network.

Administrative Access Restriction Table (see page 298): Lists IP or CIDR blocked addresses.

Network Configuration

Name Type Enum/Example Description

Hostname (DNS-conforming character string; Default: CA Privileged Access Manager): Important: When configuring multiple appliances for a CA PAM cluster, use different Hostnames to distinguish the appliances from each other. The IP address is not sufficient.

Default Gateway (IPv4 address; Example: 192.0.2.1): Routing device to which CA PAM sends all packets to destinations without an explicit route. This is necessary (at least) when sending traffic to the Internet, to remotely managed devices or for any other resource access.

Domain Name (domain.tld; Example: example.com): Top-level and second-level domains.

DNS Servers (IPv4 address; Example: dns1.example.com, 192.0.2.11): Proximate DNS servers.

Administrative Access Restriction Table

Add new IP Address/CIDR block: Add an IP or CIDR blocked address to the IP or CIDR block list.
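The Administrative Access Restriction Table above and the two API Proxy Auto-Activation Whitelists earlier on this page all take free-text lists of IP addresses or CIDR blocks (the whitelists "separated by commas or newlines"). A mistyped entry in a text area is easy to miss, and an entry with host bits set, such as 10.0.0.5/24, is ambiguous: the operator may have meant one host or the whole block. The Python below is an added example, not part of CA PAM, that parses such a list with the standard library, normalises and reports ambiguous entries, skips unparseable ones instead of silently dropping them, and answers whether a given address falls under the list, modelled on the block list's deny semantics. The sample lists are constructed from documentation address ranges.

```python
import ipaddress
import re


def parse_address_list(text):
    """Parse a list of IP addresses and CIDR blocks separated by commas or
    newlines, as the whitelist and block-list text areas accept.

    Returns (networks, notes). A bare address becomes a single-host network.
    An entry with host bits set (10.0.0.5/24) is accepted but normalised to
    the network address and noted, because the operator may have meant either
    the single host or the whole block. Unparseable entries are noted and
    skipped rather than silently dropped."""
    networks, notes = [], []
    for raw in re.split(r"[,\n]", text):
        entry = raw.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                notes.append(f"{entry}: not an IP address or CIDR block, skipped")
                continue
            notes.append(f"{entry}: host bits set, normalised to {net}")
            networks.append(net)
    return networks, notes


def covering_network(address, networks):
    """Return the first network in the list that contains address, or None."""
    ip = ipaddress.ip_address(address)
    for net in networks:
        if ip.version == net.version and ip in net:
            return net
    return None


def admin_access_allowed(client_ip, block_list_text):
    """Model the Administrative Access Restriction Table: an address covered by
    the block list is refused, anything else is allowed. Returns (allowed, reason)."""
    networks, _ = parse_address_list(block_list_text)
    hit = covering_network(client_ip, networks)
    if hit is None:
        return True, "not in block list"
    return False, f"blocked by {hit}"


# Constructed sample values (documentation ranges, not a real deployment).
PROXY_WHITELIST = "10.20.0.0/16, 10.21.5.0/24\n192.0.2.0/24"
ADMIN_BLOCK_LIST = "198.51.100.17\n203.0.113.200/24, bogus-entry, 2001:db8::/32"

if __name__ == "__main__":
    nets, notes = parse_address_list(ADMIN_BLOCK_LIST)
    print("parsed:", [str(n) for n in nets])
    for note in notes:
        print("note:", note)
    for ip in ("203.0.113.77", "198.51.100.17", "192.0.2.10", "2001:db8:1::5"):
        print(ip, admin_access_allowed(ip, ADMIN_BLOCK_LIST))
```

Run this over the text you intend to paste into either field before saving it; the notes list is the part to read, since a skipped or widened entry changes who can reach the appliance.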

Security
The following topics explain the configurable security settings.

Create Certificate or CSR Settings (see page 299)

Upload Certificate or Private Key Settings (see page 299)
Download Certificate or CSR Settings (see page 300)
Set Certificate (see page 300)
CRL Options (see page 300)
PKI Options (see page 301)
Sign CA Privileged Access Manager Applets (see page 301)
CA Privileged Access Manager SAML RP Configuration (see page 302)

Create Certificate or CSR Settings

Use this option (field) To...

Type: Provides a choice between Self-Signed Certificate or CSR.

Key Size: 1024 or 2048. Default: 1024. Note: 1024-bit RSA has been disallowed for signature generation by NIST since 2013 and public CAs will not sign a 1024-bit CSR; select 2048.

Common Name: Set the DNS name or IP address of CA PAM in the certificate.

Country: Set the country for the certificate.

State: Set the state or province for the certificate. Note: Use the full name rather than abbreviations.

City: Set the city of the certificate.

Organization: Set the organization (typically a company or agency name) of the certificate.

Org. Unit: Set the organizational unit name (typically a subdivision or location of the Organization) for the certificate.

Days: Set the validity time period. The current CA PAM appliance date becomes the "Not Valid Before" date for the certificate. The "Days" field is then used to determine the "Not Valid After" date.

Alternate Subject Names: Optional setting, but required if more than one address is to be used. List FQDN and/or IP address aliases to the Common Name, one to a line, and this list must include the Common Name.

Notes:
Do not add a newline (line feed) after the last entry.
Refer to: X.509 Subject Alternative Name

Filename: Create a name for the certificate.
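The Alternate Subject Names rules above (one entry per line, the Common Name must be in the list, no line feed after the last entry) are easy to violate in a text area, and the consequence is not cosmetic: current TLS clients match the hostname against the Subject Alternative Name extension only, so a certificate whose SAN omits the Common Name fails hostname verification. The Python below is an added example, not CA PAM code, that checks a proposed Common Name and SAN list against those rules before the CSR is generated, and classifies each entry as a DNS name or an IP address the way X.509 distinguishes dNSName from iPAddress. The hostnames and addresses are constructed documentation values.

```python
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def san_kind(entry):
    """Classify a candidate SAN entry the way X.509 does: 'ip' (iPAddress),
    'dns' (dNSName), or None when it is neither."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    labels = entry.split(".")
    if 0 < len(entry) <= 253 and all(_LABEL.match(label) for label in labels):
        return "dns"
    return None


def validate_san_field(common_name, san_text):
    """Check the Alternate Subject Names text against the page's rules:
    one entry per line, the Common Name must be among them, and no line feed
    after the last entry. Each entry must also be a DNS name or IP address.
    Returns a list of problems; an empty list means the field is acceptable.
    An empty field is acceptable because the setting is optional."""
    if san_text == "":
        return []
    problems = []
    if san_text.endswith("\n"):
        problems.append("trailing newline after the last entry")
        san_text = san_text.rstrip("\n")
    seen = set()
    for line in san_text.split("\n"):
        entry = line.strip()
        if entry == "":
            problems.append("empty line in list")
        elif entry.lower() in seen:
            problems.append(f"duplicate entry {entry}")
        elif san_kind(entry) is None:
            problems.append(f"{entry}: not a valid DNS name or IP address")
        seen.add(entry.lower())
    if common_name.strip().lower() not in seen:
        problems.append(f"Common Name {common_name} is missing from the list")
    return problems


if __name__ == "__main__":
    # Constructed values; the hostnames and addresses are documentation examples.
    cn = "pam.example.com"
    good = "pam.example.com\n192.0.2.10"
    bad = "pam-vip.example.com\nbad_host\n192.0.2.10\n"
    print("good:", validate_san_field(cn, good))
    print("bad:", validate_san_field(cn, bad))
```

The check is deliberately stricter than the text area: a duplicate or an underscore in a hostname would not stop the CSR being generated, but would produce a certificate that a third-party CA rejects or that clients refuse.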

Upload Certificate or Private Key Settings

Field Description

Type: Choose the type of certificate or private key.

Other Options: Choose whichever format is applicable (PKCS 11 or X.509) for the certificate(s) to be uploaded.

Filename: Create a name for the certificate.

Dest. Filename: May be used to change the filename of the certificate. This field may be left blank if the name will stay the same. NOTE: If CA PAM generated the CSR, the "Destination Filename" must match the name of the CSR in order to match the private key properly.

Passphrase/Confirm [Passphrase]: Enter the passphrase, then re-enter it in Confirm, when necessary for the certificate. NOTE: A passphrase is probably necessary, and will have been set by the third-party CA.

Download Certificate or CSR Settings

Pick a Filename: Select a filename from the list.

Set Certificate

Verify Certificate: Confirms that CA PAM accepts the certificate.

Accept Certificate: Stages the new certificate for activation.

CRL Options

Use OCSP: CA PAM sends an Online Certificate Status Protocol (OCSP) request to the OCSP server to validate client certificates.

Use CRL URL: CA PAM updates the relevant CRL file by copying from the URL location at the interval specified in the Time setting.


PKI Options

PKI/CAC User Login: The PKI/Smartcard User Logon checkbox is used to enable/disable PKI authentication. With this option checked, the browser prompts for a client-side certificate upon locating the URL of the configured CA PAM.

Enable Login Page Without CAC / No Login Page: The Login Page Without CAC checkbox provides the ability to enable/disable username/password-based logons. When this box is checked and a smartcard is not present, users will not be able to log onto CA PAM. If the box is unchecked, users will have the option of authenticating via username and password or other configured authentication methods. In the event that users are not able to authenticate via smartcard, the configuration page is always available via a known username and password.

Sign CA Privileged Access Manager Applets

Enable/Disable Config User

Disable config user: Disables the built-in "config" user account (or that of any substitute name that was set through the Change Password page on initial login). Before disabling it, confirm that another administrative account can reach the configuration pages: the PKI Options above rely on this account as the fallback when smartcard authentication is unavailable.


CA Privileged Access Manager SAML RP Configuration


Panel and Field Names Description / Example
Entity ID * REQUIRED

<md:EntityDescriptor … entityID="entityIdName" … >

Example:

ABCserver123
Friendly Assign a name to be used by CA Privileged Access Manager to identify this SAML RP
Name Entity.
Fully Qualified Hostname * REQUIRED

FQDN of the CA Privileged Access Manager RP, where the FQDN is specified in location:

<md:EntityDescriptor … >

<md:SPSSODescriptor … >

<md:AttributeConsumerService Location="location" … >

Example:

xsuite-sp.example.com
Description Description for this CA Privileged Access Manager RP.
Organization Name of the company or other organization responsible for this CA Privileged Access
Name Manager RP:

<md:EntityDescriptor … >

<md:Organization … >

<md:OrganizationName>organizationName</md:OrganizationName>
Organization URL for the company or other organization responsible for this CA Privileged Access
URL Manager RP.

<md:EntityDescriptor … >

<md:Organization … >

<md:OrganizationURL>organizationURL</md:OrganizationURL>
Administrative Contact Name: Administrative contact for this CA Privileged Access Manager RP.

<md:EntityDescriptor … >

<md:ContactPerson … >


<md:GivenName>givenName</md:GivenName>
Administrative Contact Email: Email for the administrative contact for this CA Privileged Access Manager RP.

<md:EntityDescriptor … >

<md:ContactPerson … >

<md:EmailAddress>emailAddress</md:EmailAddress>
Certificate Key Pair * REQUIRED. Select from the certificate files currently uploaded to this CA Privileged Access Manager-as-RP (through Config > Security > Upload Certificate or Private Key) the desired SSL certificate + private key concatenated file.

Accept RSA-SHA1 Signed Responses: Select if you wish to accept the RSA-SHA1 signature method when presented. Leave this cleared unless an IdP cannot sign with SHA-256; SHA-1 is deprecated for digital signatures, and accepting it lets a downgraded response through.
Configured Remote SAML Identity Providers
The buttons below are activated when, at minimum, the required RP components (indicated by *)
have been populated and Save Configuration has been successfully performed:
Add An Manually create an Identity Provider (IdP) record in the template that opens below the
Identity button. After populating the template, click Save Configuration to create the IdP
Provider record, create a line item in this panel, and close the template.
Upload An Upload an Identity Provider (IdP) metadata file to CA Privileged Access Manager and
Identity create a new IdP record with a corresponding line item in this panel.
Provider
Metadata
The fields below are displayed (above the link buttons) for an Identity Provider (IdP) record that has
been successfully populated from either of the Identity Provider creation link buttons:
Friendly Assign a name for this IdP for use by CA Privileged Access Manager
Name
EntityID <md:EntityDescriptor … entityID="entityIdName" … >

Example:

ABCserver123
Metadata Click the Download link to get the RP metadata file for this IdP so that you can import
it into the IdP and establish trust of this CA Privileged Access Manager RP.
Edit Click the Edit button to open the editing template for the associated IdP record. Its
fields are identified in the next section of this table.
Delete Click the Delete button to remove the line item and associated IdP record.
Test Click the Test button to test the connection to the associated IdP.
Identity Provider (IdP) template
Friendly Name * REQUIRED. Assign a name for this IdP for use by CA Privileged Access Manager.
Organization Name of the company or other organization responsible for this IdP:
Name
<md:EntityDescriptor … >


<md:Organization … >

<md:OrganizationName>organizationName</md:OrganizationName>
Entity ID * REQUIRED

SAML ID for this IdP that is unique for this SAML space:

<md:EntityDescriptor … entityID="entityIdName" … >

Example:

ABCserver123
Description Description for this IdP.
Single Sign REQUIRED
On Protocol
Binding * Applicable protocol binding for this IdP:

<md:EntityDescriptor … >

<md:IDPSSODescriptor … >

<md:SingleSignOnService … Binding="urn:oasis:names:tc:SAML:2.0:bindings:binding" … />

Options:
SAML:2.0:bindings:HTTP-Redirect
SAML:2.0:bindings:HTTP-POST
Single Sign REQUIRED
On Service *
Service location for this IdP:

<md:EntityDescriptor … >

<md:IDPSSODescriptor … >

<md:SingleSignOnService … Location="location" … / >

Example:

https://rp.example.com/idp/profile/SAML2/Redirect/SSO
Allow Just In Select this checkbox to enable CA PAM to provision a User account for an asserted
Time SAML user if the account doesn’t already exist on the SP.
Provisioning
Include this User also in all existing User Groups on the SP as designated by the
‘userGroup’ attribute in the SAML assertion.

• If an asserted User Group does not exist on the SP, do not create it.
Certificate * REQUIRED

<md:EntityDescriptor … >


<md:IDPSSODescriptor … >

<md:KeyDescriptor use="signing" … >

<ds:KeyInfo … >

<ds:X509Data> <ds:X509Certificate>encodedContent</ds:X509Certificate>

Example:

-----BEGIN CERTIFICATE-----
MIIGhzCCBG+gAwIBAgIKYQrABAAAAAAAajANBgkqhkiG9w0BABGMRMwEQYK

...

0VyUrN0fafQmeuYITYzUoOt88LFClepqhrjn2s0AVoBLxcnmuemkw7nfgw==

-----END CERTIFICATE-----
Sign Authentication Requests: Select this checkbox if authentication requests must be signed.
Signature Select the signature algorithm to be applied.
Algorithm
Options:
RSA-SHA1
RSA-SHA256
RSA-SHA384
RSA-SHA512
Authentication Contexts: Identify the applicable authentication contexts for this IdP.
Options:
SAML:2.0:ac:classes:Kerberos
SAML:2.0:ac:classes:PasswordProtectedTransport
SAML:2.0:ac:classes:X509
SAML:2.0:ac:classes:SmartcardPKI
SAML:2.0:ac:classes:TLSClient
SAML:2.0:ac:classes:TimeSyncToken
SAML:2.0:ac:classes:unspecified
Require Encrypted Assertions: Select this checkbox if this IdP requires encrypted assertions.

Enable Holder of Key Support: Select this checkbox if you require CA PAM to be configured for smartcard authentication.
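The IdP template above asks for values that live at specific places in the IdP's SAML 2.0 metadata: the entityID attribute, the SingleSignOnService Binding and Location, the OrganizationName, and the signing certificate under a KeyDescriptor with use="signing". Copying them by hand out of a long metadata file is error-prone, and pasting the encryption certificate instead of the signing one makes every assertion fail signature validation. The Python below is an added example, not CA PAM code, that extracts exactly those fields with the standard library XML parser, keeps only the two bindings the template offers (HTTP-Redirect and HTTP-POST), fails loudly when a REQUIRED value is absent, and wraps the certificate in the PEM header and footer the Certificate field shows. The metadata document is constructed; its certificate content is a placeholder string, not a real key. Metadata fetched from an untrusted source is attacker-controlled XML, so in production parse it with defusedxml rather than the raw stdlib parser.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The two bindings offered by the template's Single Sign On Protocol Binding field.
SUPPORTED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def _text(element):
    return "".join(element.itertext()).strip() if element is not None else None


def to_pem(base64_body):
    """Wrap bare X509Certificate content in PEM armour, 64 characters per line,
    with any whitespace embedded in the metadata removed."""
    body = "".join(base64_body.split())
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----")


def idp_template_from_metadata(xml_text):
    """Pull the values the IdP template asks for out of SAML 2.0 IdP metadata.
    Raises ValueError when a REQUIRED value is absent, so truncated or SP-only
    metadata is caught before anything is typed into the template."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document root is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing (Entity ID is REQUIRED)")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")

    sso = {}
    for service in idp.findall("md:SingleSignOnService", NS):
        binding = service.get("Binding", "")
        if binding in SUPPORTED_BINDINGS:      # ignore SOAP, Artifact, and others
            sso[binding.rsplit(":", 1)[1]] = service.get("Location")
    if not sso:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")

    certificate = None
    for key_desc in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing as well.
        if key_desc.get("use", "signing") == "signing":
            certificate = _text(key_desc.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
            if certificate:
                break
    if not certificate:
        raise ValueError("no signing X509Certificate in KeyDescriptor (Certificate is REQUIRED)")

    return {
        "entity_id": entity_id,
        "organization_name": _text(root.find("md:Organization/md:OrganizationName", NS)),
        "sso": sso,                            # e.g. {"HTTP-Redirect": url, "HTTP-POST": url}
        "certificate_pem": to_pem(certificate),
    }


# Constructed IdP metadata: the certificate content is a placeholder, not a real
# certificate, and the hostnames are documentation examples.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENCRYPTIONPLACEHOLDERNOTAREALKEY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBSIGNINGPLACEHOLDERCERTIFICATEBODYNOTAREALKEY0123456789abcdefghijklmnopqr
        stuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789PLACEHOLDERPLACEHOLDERPLACEHOLDER==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.com/idp/profile/SAML2/SOAP/ECP"/>
  </md:IDPSSODescriptor>
  <md:Organization><md:OrganizationName xml:lang="en">Example Corp</md:OrganizationName></md:Organization>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for field, value in idp_template_from_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{field}: {value}")
```

The sample deliberately lists the encryption KeyDescriptor first; the function still returns the signing certificate, which is the one the Certificate field needs. Use the Upload An Identity Provider Metadata button where the IdP supplies a clean metadata file, and this kind of extraction only when a record has to be filled in by hand.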


SNMP

SNMP Configuration

Poll Server Configuration (see page 306): Used to authorize SNMP polling of CA PAM.

Trap Server Configuration (see page 307): Provides parameters of, and user credentials for, the NMS server.

Poll Server Configuration

Name Values Description

SNMP Version __ v3 only (checkbox): Exclude SNMP version 2c polling and use only version 3, if desired. NOTES: SNMP Version 2c does not implement encryption. SNMP v3 is required for FIPS mode.

Read-only Community String: If using SNMP v2c, enter the SNMP Community String for authentication purposes.

Start at boot (checkbox): Check this checkbox to start a poll server upon boot.

Server Status (enumerated: Not running, Running): Current status of polling.

SNMPv3 Add/Update Poll User

Username (text): Specify the account username authorized to allow Polling. NOTE: Do not use the name "CA Technologies, Inc.," as it is reserved.

Authentication Passphrase / Confirm Auth Passphrase (text): Specify the public passphrase for Polling, and retype it for error checking.

Private Passphrase / Confirm Private Passphrase (text): Specify the private passphrase for Polling, and retype it for error checking.

Select User (text): Allows selection of previously entered user data from the stored list. (Populates the Username field, but not the Passphrase fields.)

Delete User (button): Delete the stored account record. (Active when fields are populated from a Username retrieved from the Select User list.)

Update User / Add User (toggle button): Save current field data to the stored Username / Create a new Username record from current field data.

Reset (button): Delete current contents of fields.

Trap Server Configuration

Name Values Description

Trap Destination (text): Address of the Network Management Server.

SSL VPN

SSL VPN Configuration

Virtual Network: Identifies a device-routable IP address on the internal network.

Enable Split Tunneling: Enables/disables split tunneling to an internal network and a public network.

SSL VPN Service

Download SSL VPN Service Installer: Provides a client that can be downloaded for use with Windows 7 and Windows XP client computers.

Synchronization
This content describes synchronization fields.

Name (Values): Description
Shared Key (section): Generate or otherwise provide here a key to be used in common between cluster members.
Passphrase (text): Use (create) a strong Passphrase in order to generate the Shared Key. An example of a strong passphrase is one that combines upper and lower case letters, digits, and special characters, and is at least 8 characters long.
Generate Key (button): Uses the Passphrase to generate and display its corresponding 32-character key in the field below.
[Shared Key] (text result): The Shared Key may be generated by CA PAM from the Passphrase, or created from another source and copied into this field. It is used as a cryptographic key to ensure secure communications between the clustered CA PAM machines. All nodes (machines) in the cluster must be configured with the same key value.
Interface (radio button set: GB1, GB2 …): Select the interface that will be used when the device is the cluster management node and has the Virtual IP. The specified interface will be used for communications between the clustered CA PAMs. NOTE: The same interface must be used in all the clustered members.

Cluster Settings
Virtual Management IP (IPv4 address): Enter the virtual IP address that will be used to access the cluster. NOTE: The cluster will always be available for all users through this virtual IP address. The Master CA PAM will have the virtual management IP address defined for it, and will redirect user requests to the least-loaded member of the cluster.
Virtual Management IP Domain Name (FQDN): Enter the fully qualified domain name string that will be used to access the cluster. Example: CA PAM.example.com. IMPORTANT: This setting should be used only when configuring a cluster that is using DNS.
Cluster Members (list controls: current list; Add IP (IPv4 address); Remove IP (button); Move Up (button); Move Down (button)): List of all known cluster member IP addresses. All cluster members are synchronized automatically. The list is prioritized:
- The first member is the primary source of data during the initial synchronization and overwrites any data in the other members.
- If the first member ever fails, the second member in the list becomes the new primary source.
- With each click, Move Up and Move Down move the selected IP address one position in the order of the list.
- Remove IP immediately deletes the selected IP address.

Cluster Control
Save Config Locally (button): Saves the current configuration to the local CA PAM exclusively.
Save To Cluster (button): Saves the current configuration to all cluster members.
Turn Cluster On | Turn Cluster Off (radio buttons): Immediately activate synchronization. / Immediately deactivate synchronization.

Status
Unlock Me | Lock Me (button): This toggle button is available to unlock or lock the Credential Management database while the cluster is fully configured but is in the stopped state. Locking a member prevents database changes from being written to it. Locking is useful if that member will be a secondary upon cluster restart, because in that case any new data would be overwritten when propagated from the primary.
- When an administrator clicks the Unlock button, a flag is set that permits writing to the Credential Management database, the Credential Management function is restarted, and the button changes to Lock.
- When an administrator clicks the Lock button, that flag is cleared, writing to the Credential Management database is no longer permitted, and the button changes to Unlock.
- The flag is also cleared when the appliance is factory reset.
- The flag is also cleared on all members during cluster start and stop.

Default: Locked state (Unlock button available)

Menu Bar

Menu Bar Components

Tabs: Description
Access: View accessible devices and corresponding access methods.
Global Settings (see page 310): Edit settings that apply by default to all users.
Sessions (see page 318): View status, and control (potentially terminate) current logins/sessions.
Services (https://docops.ca.com/display/CAPAM28/Services): Create or edit regular services.
Users (https://docops.ca.com/display/CAPAM28/About+Users): Create or edit access user accounts.
Devices (https://docops.ca.com/display/CAPAM28/Provisioning+Devices): Create or edit records of accessible devices.
Policy (see page 128): Create or edit policies between Users and Devices.

Global Settings Menu Bar Reference

Use the Global Settings screen to set global options.

Basic Settings (see page 311)
Passwords (see page 313)
Accounts (see page 314)
Access Methods (see page 314)
Warnings (see page 315)
Applet Customization (see page 315)
Configure Terminal Settings (see page 315)
Branding (see page 317)
Update /Revert Logo Window (see page 317)

Basic Settings

Option (Default, Units): Description
Generally: A value of zero (0) removes the restrictions that the particular setting is intended to enforce.
Default Auth Method (Default: Local): Select from a drop-down list the default authentication method that appears on the login page. Options: LOCAL, LDAP, RSA, RADIUS, TACACS+, LDAP+RSA, LDAP+RADIUS. Note: At least one user must be created with the chosen authentication method before this option is available.
Default Page Size (Default: 30 Devices): Number of device line items to display on the Access page (immediately following login).
Table Refresh Interval (Default: 60 Seconds): The default refresh interval for Discovery Scan tables. 0 indicates no refresh.
Scan Purge Interval (Default: 30 Days): Number of days to keep Discovery scans.
Login Timeout (Default: 10 minutes): Set the maximum length of login inactivity before a login session closes out and requires reauthentication from the login page. (“Inactivity” refers to a lack of data communication between the User client and the CA PAM appliance, or idle time.)
  If this value is not zero, every CA PAM User login begins a countdown at the start of the session. While this User maintains active (live) connections to back-end (target) devices, the timeout stops counting down and resets itself to the Login Timeout value. When (all) connections are closed, the countdown starts again from that value.
  To turn off the timeout feature, set this value to zero.
  Note: Login as opposed to Connection Sessions: Do not confuse a “login session” with a “connection session.” A Login Session is when a User logs in to CA PAM (to perform either connection or administrative activity). A Connection Session is when a User connects (and logs in) to a back-end or target device.
  The Credential Manager activity timeout is:
  - Unconfigurable: Credential Manager menus currently have a fixed timeout of 30 minutes. Regardless of the Login Timeout setting here, or activity in the rest of the menu, a Credential Manager menu tab closes after 30 minutes.
  - Independent of Login Timeout: When the Login Timeout value is non-zero (in other words, is operational), and when you perform activity exclusively in the Credential Manager menu for a time exceeding that value, CA PAM will log you out (of all activity) as if your session had been idle. In other words, Credential Manager activity is not recognized against the Login Timeout clock.
Applet Timeout (Default: 10 minutes): Set the maximum length of connection inactivity during an applet session to a back-end (target) device before the User session is logged out.
  If this value is not zero, every CA PAM User login begins a countdown at the start of the session. While this User maintains active (live) connections to a back-end (target) device, this timeout counts down. When its value becomes zero, the applet provides a popup message to the user.
  Note: Login as opposed to Connection Sessions: Do not confuse a “login session” with a “connection session.” A Login Session is when a User logs in to CA PAM (to perform either connection or administrative activity). A Connection Session is when a User connects (and logs in) to a back-end or target device.
Default Device Type: Defines the Device template fields that are available when creating a Device. The choices can be overridden on the template itself.
  - Options that are currently licensed have active (usable) checkboxes. An exception to this rule is that initially (at CA PAM first use), Access is active and checked even before it is licensed.
  - Active options that are currently being used have checked checkboxes.
  As shown in the example in Basic Settings:
  - Access is being used by default; its options are always available in the Manage Devices template.
  - Password Management is available for default use (because it is licensed), but is not currently being used. It also shows up as an (unselected) option on the Manage Devices template.
  - A2A is not available because it is not licensed. It does not appear as an item at all in the Manage Devices page.
  Access: Initially, the checkbox is active and checked.
  Password Management: The checkbox is active only when a Password Management license has been activated in Config, License.
  A2A: The checkbox is active only when an A2A license has been activated in Config, License.
External API Buttons: Enables the External API. Checking Enable turns on the Try It Out button in the API documentation interface.

Passwords

Option (Default, Units): Description
Generally: A value of zero (0) removes the restrictions that the particular setting is intended to enforce.
Security Level (Default: 2): Set the level of complexity required in user passwords. Default is Level 2.
  0 – New Password: The New Password (only) must be different from the previous password.
  1 – 0 + Length Constraints: Level 0 characteristics, and in addition, Password length must be as defined by the Min Length and Max Length fields.
  2 – 1 + Require [a-zA-Z0-9]: All Level 0, 1 characteristics, and in addition, Password must have at least one alphabetic character and at least one digit character.
  3 – 2 + Both Upper and Lower Case: All Level 0, 1, 2 characteristics, and in addition, Password must have at least one upper-case and at least one lower-case alphabetic character.
  4 – 3 + Special Character: All Level 0, 1, 2, 3 characteristics, and in addition, Password must contain at least one special character from among: ! @ # $ % ^ & * ( ).
  5 – DoD Strong Password: All Level 0, 1, 2, 3 characteristics, and in addition, Password must meet DoD requirements:
    - at least 15 characters total
    - at least two upper-case alphabetic characters (A B C …)
    - at least two lower-case alphabetic characters (a b c …)
    - at least two integers (1, 2, 3 …)
    - at least two special characters (! @ # …)
Min Length (Default: 6 Characters): Set the mandatory minimum length of a password. Note: Password Security Level must be set to Level 1 or higher.
Max Length (Default: 14 Characters): Set the mandatory maximum length of a password. Note: Password Security Level must be set to Level 1 or higher.
Change Interval (Default: 0 Days): Set the number of days between forced password changes for all users. Note: Set this value to zero (0) if the user is not to be required to change their password.
History (Default: 3): Set the number of most recent passwords that cannot be reused. Example: Assume History = 3, and a series of five (5) passwords is used over time. When the most recently used password in that series is about to expire, it can be reset using one of the two oldest passwords, but not using any of the three most recent ones.
Failure Limit (Default: 0): Sets the number of failed login attempts before a user account is deactivated. Note: Set this value to zero if account deactivation is not to be enforced.
Failure Counter Reset (Default: 60 minutes): Window of time for the counter subject to Failure Limit.
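The Security Level, Min/Max Length and History rules in the table above, carried through as an added Python example (not CA PAM's own code); PasswordPolicy, check_password and the sample passwords are assumed names and constructed values:

```python
"""Password check modelled on the CA PAM 'Passwords' global settings table.

Added example, not CA PAM's own code: it applies the Security Level rules
(0-5), Min Length, Max Length and History exactly as the table describes them.
PasswordPolicy and check_password are assumed names, not CA PAM identifiers.
"""
from dataclasses import dataclass
from typing import Callable, List

# Level 4 special characters as listed in the table: ! @ # $ % ^ & * ( )
SPECIALS = set("!@#$%^&*()")


@dataclass
class PasswordPolicy:
    security_level: int = 2   # table defaults
    min_length: int = 6       # Characters; 0 = no minimum
    max_length: int = 14      # Characters; 0 = no maximum
    history: int = 3          # most recent passwords that cannot be reused; 0 = off


def _count(pw: str, pred: Callable[[str], bool]) -> int:
    return sum(1 for c in pw if pred(c))


def check_password(new: str, previous: List[str], policy: PasswordPolicy) -> List[str]:
    """Return the violated rules (an empty list means the password is accepted).

    `previous` holds the user's earlier passwords, most recent first.
    Each level adds its rule on top of the lower levels, as the table states.
    """
    errors: List[str] = []
    lvl = policy.security_level

    # Level 0: the new password (only) must differ from the previous one.
    if previous and new == previous[0]:
        errors.append("Level 0: must differ from the previous password")

    # Level 1: length within Min Length / Max Length (zero removes the bound).
    if lvl >= 1:
        if policy.min_length and len(new) < policy.min_length:
            errors.append(f"Level 1: shorter than Min Length {policy.min_length}")
        if policy.max_length and len(new) > policy.max_length:
            errors.append(f"Level 1: longer than Max Length {policy.max_length}")

    # Level 2: at least one alphabetic character and one digit.
    if lvl >= 2 and (_count(new, str.isalpha) < 1 or _count(new, str.isdigit) < 1):
        errors.append("Level 2: needs at least one letter and one digit")

    # Level 3: both upper and lower case.
    if lvl >= 3 and (_count(new, str.isupper) < 1 or _count(new, str.islower) < 1):
        errors.append("Level 3: needs upper and lower case letters")

    # Level 4: one special character from the listed set. The table defines
    # Level 5 as "Levels 0, 1, 2, 3 + DoD", so this rule applies at Level 4 only.
    if lvl == 4 and _count(new, SPECIALS.__contains__) < 1:
        errors.append("Level 4: needs a special character from ! @ # $ % ^ & * ( )")

    # Level 5: DoD strong password. The table's special-character list is
    # open-ended ("! @ # ..."); the Level 4 set is assumed here.
    if lvl >= 5:
        dod = [
            (len(new) >= 15, "at least 15 characters"),
            (_count(new, str.isupper) >= 2, "at least two upper-case letters"),
            (_count(new, str.islower) >= 2, "at least two lower-case letters"),
            (_count(new, str.isdigit) >= 2, "at least two digits"),
            (_count(new, SPECIALS.__contains__) >= 2, "at least two special characters"),
        ]
        errors.extend(f"Level 5 (DoD): {msg}" for ok, msg in dod if not ok)

    # History: the N most recent passwords cannot be reused.
    if policy.history and new in previous[:policy.history]:
        errors.append(f"History: matches one of the last {policy.history} passwords")

    return errors
```

Note that with the table's default Max Length of 14, Level 5 can never be satisfied, because the DoD rule demands 15 characters; raise Max Length (or set it to 0) when selecting Level 5.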

Accounts

Option (Default, Units): Description
Generally: A value of zero (0) removes the restrictions that the particular setting is intended to enforce.
Disable Inactive After (Default: 30 Days): Deactivate inactive user accounts after a set number of days. When restoring a database from a backup, accounts are disabled if the backup is older than the time limit.
Remove Disabled After (Default: 0 Days): Remove disabled user accounts after a specified number of days. This function is not available with LDAP users.
Forced Deactivation Alert (Default: empty; Values: User name, by autosuggest): Identify the administrator who is notified (through the email specified in his/her user record) that a user has been deactivated.

Access Methods

Access Method (Default Port): Description
VNC (5900): Graphical desktop remote access application that enables access to the device. A Windows, Unix, Mac, or X Windows desktop can be accessed directly using this feature. VNC sessions can be graphically recorded. Note: This feature requires installation of the VNC (Virtual Network Computing) service on each of the devices/servers being accessed.
RDP (3389): Remote Desktop Protocol (RDP) is an access method for connecting to Microsoft Terminal Services and is commonly used for administration of Windows servers. RDP sessions can be graphically recorded.
Telnet (23): Standard Telnet access to a host. The Telnet service on the device being accessed must be running for this to work. See the specific device manufacturer documentation on how to set it up. Note: CA PAM does not support Telnet sessions to itself.
SSH (22): Supports SSH Versions 1 and 2. SSH must be running on the device being accessed for this to work. See the specific device or system manufacturer documentation on how to set it up.
Mainframe: Mainframe Access Methods appear only if licensed.
TN3270 (23): TN3270 is a Telnet client for the IBM AS/400 that emulates 5250 terminals and printers.
TN5250 (23): TN5250 is a Telnet client for the IBM AS/400 that emulates 5250 terminals and printers.
TN3270SSL (23): TN3270SSL provides SSL/TLS as a Telnet client for the IBM AS/400 that emulates 5250 terminals and printers.
TN5250SSL (992): TN5250SSL provides SSL/TLS as a Telnet client for the IBM AS/400 that emulates 5250 terminals and printers.
Serial: Serial console is used for the administration of network equipment and Unix servers using an RS-232 interface. Because it does not rely on IP connectivity, operations such as upgrades can be performed without loss of connectivity.
Power: Enables remote power on/off/reboot of the device being managed.
KVM: Captures the video, keyboard, and mouse signals and converts them into packets, allowing remote console access to administrators.

Warnings

Option: Description
Show License Warning (Login page): Display a message to all users at the login page. Use the text box to type the message that appears. Note: Double-byte characters such as those used for traditional Chinese are supported.
Show Recording Warning (Applet): Display a message at the top of any Telnet or SSH applet to warn users that they are being monitored through alert, intervention, keyboard logging, session recording, or socket filtering features of CA PAM. Use the text box to type the message that appears.

Applet Customization
Configure Terminal Settings: Opens the Configure Terminal Settings pane.

Configure Terminal Settings

Option: Description
Applet Copy/Paste: Enable the use of copy and paste within any applet. In the applet window, this feature activates an Edit menu with Copy and Paste commands. When this option is disabled, the Edit tab is still visible but dimmed.
  Options: Disable | Enable
  Default: Disable
RDP Keyframes Duration: This factor determines how RDP is compressed. A small keyframe duration is equivalent to more frequent full frames of video data, which results in a large file but allows a more rapid seek in the RDP viewer. For sessions using RDP 6.1, file size can be reduced significantly by increasing the keyframe duration. Reductions to about half the size have been observed.
  Options:
  - Small (Fast Seek/Large File) – Recommended for all RDP versions except 6.1
  - Medium
  - Large
  - X Large (Slow Seek/Small File)
  Default: Small (Fast Seek/Large File)
RDP Drive Mapping: Enable a mouseover pop-up window for RDP connections, to display drives mapped to the local (RDP client) computer for possible drive mapping on the remote (RDP server) computer before or while invoking the connection. Each available drive can be selected using a checkbox for mapping.
  Options: Disable | Enable
  Default: Disable
SSH Terminal File Transfer: When "Enable SCP/SFTP" is selected, the MindTerm-based SSH Access Method applet provides the menu items Plugins, SFTP File Transfer and Plugins, SCP File Transfer. When one of those menu items is selected, it invokes a new applet window that allows you to operate the corresponding transfer method (SCP or SFTP) through a file transfer interface.
  Options: Disable SCP/SFTP | Enable SCP/SFTP
  Default: Disable SCP/SFTP
  CAUTION: Due to logging and recording limitations of the SCP/SFTP window activity, the CA PAM MindTerm-based SSH Access Method file transfer feature is disabled by default. However, should the Administrator determine that this functionality is to be activated, it is recommended that the following limitations and the security implications of an incomplete audit trail are fully appreciated and accepted.
  - For files transferred, CA PAM Session Logs will identify the name of the file or folder, in addition to the User client computer location from which the transfer was initiated, as illustrated below:
    Upload C:\Downloads\XS_CUSTOM_CSS.230.01.p.bin (17k) as jsmith
  - Logs will not identify the location on the target device to which the files were transferred.
  - When a file or folder is renamed using the “rename” command, this activity is not recorded in the Session Logs.
  - When a file or folder is deleted, this activity is not recorded in the Session Logs.
  - When a user changes directory (cd command) on the target, this activity is not recorded in the Session Logs.
  - Even when session recording is provisioned, neither SFTP nor SCP windows are recorded.
Web Recording Quality: Specifies the color depth and frame rate to use when recording a web portal session.
  Options:
  - High (= 24 bits per pixel / 7 frames per second)
  - Medium (= 16 BPP / 5 FPS)
  - Low (= 8 BPP / 3 FPS)
  Default: High
Transparent Login Cache: Sets the application cache for secondary transparent login on Windows targets. When Enabled, the Windows target caches the Transparent Login Agent (TLA), Learn Tool, and Control Viewer that are downloaded during connection from CA PAM when transparent login has been configured, provisioned, and activated. On subsequent connections to that Windows target, the load times for these applications are reduced.
  The data used by these applications (for example, the transparent login configuration files) is stored only on CA PAM.
  Options: Disable | Enable
  Default: Disable
Retrieve Public Address: Lets an administrator enable or disable the Java applet Access Agent from retrieving the user's public address. After a user logs in to CA PAM, the Java Applet Access Agent is downloaded to the user desktop. The applet tries to retrieve the address of the gateway used for external access, for auditing and for the VMware NSX feature. In some environments, this behavior is not desirable. The Retrieve Public Address setting lets administrators disable this feature.
  Options: Enable | Disable
  Default: Enable

Branding
Update/Revert Logo: Allows you to use your company logo in place of the CA PAM logo.

Update /Revert Logo Window
Upload Custom Logo: Select your company logo.
Revert Logo: Reverts to the CA PAM logo.

Sessions Menu Bar Reference

Manage Sessions
Manage Sessions Fields

Field/Column: Definition
Timeout: Time remaining until the Login Session times out, at which point the User will be automatically logged out.
  Idle time corresponds to the duration for which no communication has been made between the client GUI and CA PAM.
  If Global Settings: Login Timeout has been set to “0” at the time the Login Session is established, the Timeout value for that session is always “NEVER”.
  When the corresponding Login Session begins an active Connection Session(s), the Timeout countdown is suspended; in place of the current value of Timeout, you will see a “UNDVC” placeholder. When every active session for this Login has closed, the Timeout countdown is reset back to the Global Login Timeout value, and begins a new countdown.
  When Timeout is changed while a Login Session is active, that Login Session will continue to use the previous Timeout value.

Services Menu Bar Reference

Services (see page 318)
TCP/UDP Services (see page 318)
Basic Info (see page 318)
Administration (see page 319)
Web Portal (see page 320)
Create RDP Applications (see page 321)

Services
TCP/UDP Services
TCP/UDP Services Fields

Create TCP/UDP Services: Opens Create TCP/UDP Services. New services can be created by a CA PAM administration user on known ports and to specific applications. These services may include fat client access such as SQL query front ends, mainframe clients, or any proprietary applications which use TCP or UDP connections.

Basic Info
Basic Info Fields

Use this field…: To…
Port(s): Define all ports that the client application will open to gain access to the device, using:
  Port combination/redirection syntax: RemotePort:LocalPort (separated by a colon), where:
  - RemotePort is on the destination device
  - LocalPort is where the CA PAM listener will wait for (connections on) the local user’s desktop.
  Multiple ports: Each pair of ports is separated by a space, comma, or comma and space.
    Example: 67 3450 23
    Example: 5740, 3221, 31225
  Port range: FirstPort–LastPort (min value and max value separated by a dash). 500-port range limit; a single range is allowed.
    Example: 14575–15004
  IMPORTANT: Do not combine Multiple Ports syntax with Port Range syntax; use only one or the other. Thus the following example usage is incorrect: 51000-51002, 55555
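A validator for the Port(s) field syntax just described, added here as an example (not CA PAM code); it treats an entry without ":LocalPort" as listening on the same port number locally and takes <First Port> to be the first entry's local port, both of which are assumptions:

```python
"""Parser for the Service 'Port(s)' field syntax described above.

Added example, not CA PAM code. It accepts the three forms in the table
(RemotePort:LocalPort pairs, space/comma separated lists, and one
FirstPort-LastPort range of at most 500 ports) and rejects mixing a range
with a list. Two assumptions are ours: an entry without ':LocalPort' listens
on the same number locally, and <First Port> means the first entry's local port.
"""
import re
from typing import List, Tuple

RANGE_LIMIT = 500                       # "500 port range limit" from the table
_SEPARATORS = re.compile(r"[ ,]+")      # space, comma, or comma and space
_DASHES = ("-", "\u2013")               # the table prints the range dash as an en dash


def _port(text: str) -> int:
    """Validate one port number (1-65535)."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port number {text!r}")
    return int(text)


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Return [(remote_port, local_port), ...]; raise ValueError on bad syntax."""
    normalized = spec
    for dash in _DASHES:
        normalized = normalized.replace(dash, "-")
    entries = [e for e in _SEPARATORS.split(normalized.strip()) if e]
    if not entries:
        raise ValueError("at least one port is required")

    if any("-" in e for e in entries):
        # Port Range syntax: exactly one range, and nothing else on the line.
        if len(entries) > 1:
            raise ValueError("do not combine Port Range syntax with Multiple Ports syntax")
        first, _, last = entries[0].partition("-")
        lo, hi = _port(first), _port(last)
        if lo > hi:
            raise ValueError("range must be FirstPort-LastPort with FirstPort <= LastPort")
        if hi - lo + 1 > RANGE_LIMIT:
            raise ValueError(f"range covers {hi - lo + 1} ports; the limit is {RANGE_LIMIT}")
        return [(p, p) for p in range(lo, hi + 1)]

    pairs = []
    for entry in entries:
        remote, colon, local = entry.partition(":")
        r = _port(remote)
        # Assumption: without ':LocalPort' the listener uses the same number locally.
        pairs.append((r, _port(local) if colon else r))
    return pairs


def is_valid_ports(spec: str) -> bool:
    """True when the field value parses under the rules above."""
    try:
        parse_ports(spec)
    except ValueError:
        return False
    return True


def first_port(spec: str) -> int:
    """The <First Port> value substituted into Client Application and Launch URL."""
    return parse_ports(spec)[0][1]
```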

Administration
Administration Fields

Use this field…: To…
Enable: Select the checkbox to enable the service and allow it to be displayed. If it is disabled, it shows up lightly shaded in the Devices screens. Disabled services do not work for any user, including super.
Show in Column: On the Access page, display the Service as a button instead of a drop-down list box.
Client Application: In this field, you can pre-load the path to the local application for automatic launching once the Service is initiated. This can also be set or overridden by the user at launch time through a pop-up window that appears on the Access page.
  IMPORTANT: To use a path that requires embedded spaces, enclose the path up to and including the application executable filename in double quotes, as shown in this example:
    "C:\Program Files\PuTTY.exe" -ssh <Local IP> <First Port>
  However, do not enclose the entire string in quotes, or the command will not execute.

Web Portal
Web Portal Fields

Use this field…: To…
PREREQUISITE: You must first select Web Portal from the Application Protocol to enable these fields.
Launch URL: This field allows specification of a local URL that is launched when the portal service is accessed. Enter a string of the following form:
    [http | https]://<Local IP>:<First Port>/[path_to_target_page]
  - First, specify which protocol, HTTP or HTTPS.
  - The <Local IP> and <First Port> are automatically populated from the Basic Info fields Local IP (constructing the full IP from 127 + three fields) and Port(s) (using the first port specified), respectively.
  - Finally, specify a [path…] to restrict access to a specific landing page.
  The user is automatically connected to the web service.
Browser Type: Specifies which browser to use to access the web portal:
  - Native Browser: Current Browser
  - CA PAM Browser: CA PAM-customized browser
  NOTE: CA PAM Browser is required if you intend to record the web portal session. (Otherwise, you will not be able to assign Recording Web Portal on the Policy page.)

If Browser Type = Native Browser
Host Header: Specify the FQDN of the target website in this field. Per HTTP 1.1, if the web portal resides on a single IP address which hosts several websites (such as Apache NameVirtualHost or IIS Host Header Access), this setting is used to identify the correct website target. Example: www.example.com
Aliases: Specify any strings which can be used as a substitute portal target, separated by commas. If the target web portal is referred to by several different names, enter those names here. Example: If Host Header contains www.example.com, while some links on the portal page point to example.com, enter example.com here so that requests to that site will be successfully handled.
Hide From User: If this portal is not intended to be user-facing, select this checkbox so as not to display an access link for the user on the Access page. Use Case: When multiple internal servers are to be identified as portals so they can be accessed to meet a user’s portal request, not all servers may need to be exposed to the end user. For example, multiple local servers may provide content to serve a particular HTTP request (HTML page, graphic files, CGI processing), but only the original web page needs to be public. Without this “off” switch, server portals that are inappropriate for an end user will nevertheless be displayed on the Access page.

If Browser Type = CA PAM Browser
Access List:
  (a) The Access list can be obtained by initially running the CA PAM Browser without a list, then examining the session logs for each access attempt that was blocked. An example of the log entry for blocked access is the following:
    Message 19015: CA PAM denied web portal AWS Management Console SSO's connection to the host amazonwebservices.d2.sc.omtrdc.net because it does not match an entry in the web portal's access list.
  Each host (in the above example, "amazonwebservices.d2.sc.omtrdc.net") that you want to allow access to should be included in the Access List field, one line per host. Exclude any hosts that pose security risks.
  (b) Alternatively, all hosts...
  - for a particular domain may be permitted by entering an asterisk and the domain: *.example.com
  - for all domains may be permitted by entering just an asterisk
  NOTE: This is not a secure solution, but permits rapid activation of a web portal.
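The Access List entry forms and the Message 19015 review step above, as an added Python example (not CA PAM code): the sample log is constructed (its first line mirrors the page's example), the function names are assumed, and so is the choice that "*.example.com" matches subdomains but not bare example.com:

```python
"""Access List matching and log review for the CA PAM Browser, per the text above.

Added example, not CA PAM code. host_allowed() applies the three entry forms
the page describes (exact host, '*.domain', and bare '*'); denied_hosts()
pulls the blocked host out of Message 19015 session-log lines so an allow list
can be built from a trial run; access_list_warnings() flags the insecure bare
'*'. The sample log below is constructed (the first line mirrors the page's
example); the assumption that '*.example.com' does not match bare example.com
is ours.
"""
import re
from typing import List

# Shape of the blocked-access log entry quoted on the page.
_DENIED = re.compile(
    r"Message 19015: CA PAM denied web portal .+? connection to the host (\S+) because"
)

# Constructed sample session log: denials for two hosts, one of them repeated.
SAMPLE_LOG = """\
Message 19015: CA PAM denied web portal AWS Management Console SSO's connection to the host amazonwebservices.d2.sc.omtrdc.net because it does not match an entry in the web portal's access list.
Message 19015: CA PAM denied web portal Intranet Wiki's connection to the host cdn.example.com because it does not match an entry in the web portal's access list.
Message 19015: CA PAM denied web portal AWS Management Console SSO's connection to the host amazonwebservices.d2.sc.omtrdc.net because it does not match an entry in the web portal's access list.
"""


def parse_access_list(text: str) -> List[str]:
    """One entry per line, lower-cased, blank lines ignored."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def host_allowed(host: str, access_list: List[str]) -> bool:
    """True if `host` matches an entry: exact, '*.domain' (subdomains only), or '*'."""
    h = host.strip().lower().rstrip(".")
    for entry in access_list:
        if entry == "*":
            return True
        if entry.startswith("*."):
            if h.endswith(entry[1:]):        # '*.example.com' -> ends with '.example.com'
                return True
        elif h == entry:
            return True
    return False


def denied_hosts(log_text: str) -> List[str]:
    """Hosts named in Message 19015 entries, in order of first appearance, de-duplicated."""
    seen: List[str] = []
    for line in log_text.splitlines():
        m = _DENIED.search(line)
        if m and m.group(1).lower() not in seen:
            seen.append(m.group(1).lower())
    return seen


def access_list_warnings(access_list: List[str]) -> List[str]:
    """Entries the page's NOTE calls out as not secure: the bare asterisk."""
    return [f"entry {e!r} permits every host" for e in access_list if e == "*"]
```

Each host returned by denied_hosts() still needs the review the page asks for before it goes into the field; the function only collects candidates.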

Create RDP Applications
Create RDP Applications Fields

RDP App Name: Specifies a unique name for this CA PAM Service record identifying an application hosted on a Windows device with RDP access enabled.
Launch path: Provides the full path to the RDP application that will run (without the Windows shell) when the user connects. Example: C:\Windows\System32\notepad.exe
Comments: Additional information about the application can be noted here.
Enable: Make this application available for use by CA PAM Devices. This allows an application to be provisioned with any number of Devices, but switched on or off with one step. Default: checked
Transparent Login: Opens the Transparent Login configuration pane (description follows). Default: unchecked
Hide From User: Do not display an RDP Application link to the User on the Access page. This is particularly relevant to transparent login: While a direct link to the RDP Application (which bypasses the Windows shell) is prevented, transparent login credentials handling (automatic login to the application target) for this application in an RDP session is still enforced. Default: unchecked

Users Menu Bar Reference

Manage Users Dialog (see page 322)
Create User (see page 322)
Basic Info (see page 322)
Administration (see page 323)
Roles (see page 324)
Access Time (see page 325)
API Keys (see page 325)
Manage Groups Dialog (see page 326)

Manage Users Dialog

Create User
Create User Fields

Buttons available when Creating or Editing a User record:
Save: Create or update, and close, the current User record. Settings are effective immediately.
Cancel: Close the current User record without saving it. Any changes entered are discarded; if the record is new, it also is discarded.

Buttons available (only) when Editing a User record:
Delete: Remove the User record. NOTE: This differs from Account Status: Disabled, in which the account record is preserved.
Manage Policy: Navigate to the Policy page, populating the User(Group) field there with the current Username. NOTE: Any changes made to the User record will be lost upon selecting this button.
View Policy: Display a list of Devices and the associated policies that are currently active for this User. Known as Effective Policy, this list includes policy inherited by this user from User Groups.

Basic Info
Basic Info Fields

Username (Required): Enter the Username that is presented at login. This name will be referenced in configuring user access policy and will appear in logs and recordings to provide a means of identifying specific user activities. Users of AWS: Note that the Username must be between 2 and 32 characters inclusive in order to work in AWS.
Keyboard Layout (Required): The type of character set mapping to keyboard. Default: AUTO – Keyboard mapping is the current system default.
Password (Required): Select the Password used for the initial sign in. The User is automatically forced to change the password at first connection. The minimum password strength can be set on the Global Settings page.
RDP Username: Used by the RDP applet in credentials for access to a remote Windows device.
Mainframe Display Name: Display Name used by the AS/400 applets TN5250 and TN5250SSL.
Description: Specify any optional information pertaining to this user.

Administration
Administration Fields

Authentication: Select an authentication method:
  - Local: Authentication data (password) stored inside CA PAM.
  - RADIUS: Authentication to a RADIUS server.
  - RSA: Authentication with RSA SecurID.
Account Status: Enable or Disable the user account.
Activate Account: Set time frame windows when the user is allowed to access the system.
  - Now: User account will be activated once it is created.
  - Later: Set user account activation date and time.
Terminate Session Upon Account Expiration: Specify whether a User's login and all current sessions are to be terminated if that user account reaches its expiration date/time or exceeds the violation limit.
  NOTE: If this checkbox is selected and a user's account gets deactivated while that user is logged in to CA PAM, his or her session will be terminated. This termination can occur upon any of the following:
  - upon reaching this account's Account Expiration date-time setting (if any),
  - upon the day-time moving outside the account's Access Time (if any),
  - an administrator's manual account disabling by setting Account Status="Disabled".
Account Expiration: Set the date at which the account is permanently deactivated.
Email on Login: CA PAM (administration) user account to which an email notice will be sent whenever the current account logs in.
Email Self on Login: Send email to the e-mail account in Contact Info whenever the current account logs in to CA PAM.
Login IP Ranges: Network access definition: Identify source IP address range(s), if any, required for the CA PAM login client.
  Formats:
  - Single IP: 192.0.2.1
  - CIDR: 192.0.2.0/28
  - Range: 192.0.2.1-32
  Delimiters permitted between ranges: space, comma, semicolon, newline
  Example: 192.0.2.0/28,192.0.3.234/32
  If left empty, no IP address restrictions are applied.
  NOTE: User definition overrides (any) User Group definition, for either more or less restrictive rules. Also, if no User policy is defined, but that User is a member of multiple User Groups with different rules, the group permissions are additive (less restrictive).

Roles
Roles Fields

Available Roles
    Select the Access Roles (from the drop-down list) for which this user should have authorization.

    IMPORTANT: Do not assign any User solely the role Password Manager. This role does not contain sufficient privileges for CA PAM access. Instead, keep the default role Standard User and add Password Manager as well when you intend to allow only password management privileges.

    Roles are defined in terms of privilege sets specified per role in Users > Manage Roles. A set of about 15 roles is preset at installation; other, user-defined, roles may have been added in Manage Roles.

    Standard User (for the Access page) is the default role for a new user. The other roles allow configuration and administration of various functional components of CA PAM. A Role can be removed (made unassigned) by clicking Remove next to the name/description of the role.
PM Groups
    Appears, and is required, only when a role with password managing capabilities is selected.

    If the selected Role is credential-management related:
Available Groups
    Provides a drop-down menu of the Password Management User Groups applicable to the selected Role.

Access Time

NOTE: When Terminate Session Upon Account Expiration="Yes", login termination can occur by any of the following:
- reaching the account's Account Expiration date-time setting (if any)
- the day-time moving outside the account's Access Time as set here (if any)
- an administrator manually disabling the account by setting Account Status="Disabled"

Access Time Fields

Add Rules
    Button that expands the current User specification window, providing the two widgets below for access time rule specification.

Access Time Add Rules

Access Days
    Select one or more days on which the User is permitted access.
From _ To _
    Select a time range within the specified Access Days during which the User is permitted access.
Add New Rule
    Displays Add New Rule.
Remove All Rules
    Removes existing rules from CA PAM.

API Keys
Create New API Keys

Name (required)
    Assign a name for this key. The name is also visible to this User. This allows you to store keys for this user continuously and to activate or deactivate them as desired.
Active (required)
    Makes the named key the active key.
Available Roles
    Select a role from the drop-down menu, which includes only roles available to you, the editing administrator. You may also assign no role if you are not currently using the key.
View Inherited Roles
    If the User has inherited roles from a User Group, clicking this link identifies them.
Create New API Key
    Click this link to create another API Key.

Manage Groups Dialog

Manage Groups Fields

Create or edit groups of access user accounts.

Create Local Groups

Basic Info

Basic Info Fields

Groupname
    Name you wish to assign to this group.

    Format if imported (using Import LDAP Group) from Active Directory:
    LDAPsourceGroupName + "@" + LDAPdomain

    Format if imported (using Import LDAP Group) from other than Active Directory (for example, from SunOne, OpenLDAP, or other):
    LDAPsourceGroupName

    Double-byte characters are permitted.

    NOTE: LDAPdomain = Base DN as specified in Bind Credentials in Config > 3rd Party
Applet Recording Warning
    Toggles on ("Yes") or off ("No") the Global Settings > Show Recording Warning setting. It is set off by default when a group is created.
Description
    Provide your custom description for the group. Format if imported (using Import LDAP Group) from an LDAP server:
    "LDAP Group" + LDAPsourceGroupName + "from" + LDAPsourceDistinguishedName

Authentication

Authentication Fields

Authentication
    Authentication method to be used during User login. The options available depend on which type of group is being created (Local, RADIUS, or imported LDAP). Select either Local or SAML.
SAML Attribute
    Enumerated:

    If the User provisioning source was an Active Directory LDAP directory:
    Distinguished Name
    User Principal Name
    SAM Account Name

    If the User provisioning source was an LDAP directory of type OpenLDAP, SunOne, or other:
    Distinguished Name
    Unique Attribute

    If Authentication = Local, RADIUS, or PKI:
    User Name
Login IP Ranges
    Network access definition: identify the source IP address range(s), if any, from which the CA PAM login client must connect.

    Formats:
    Single IP: 192.0.2.1
    CIDR: 192.0.2.0/28
    Range: 192.0.2.1-32

    Delimiters permitted between ranges: space, comma, semicolon, newline.

    Example: 192.0.2.0/28,192.0.3.234/32

    If left empty, no IP address restrictions are applied.

    NOTE: The User definition overrides any User Group definition, whether the User rule is more or less restrictive. If no User policy is defined but the User is a member of multiple User Groups with different rules, the group permissions are additive (less restrictive).
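
The following Python is an added example, not code from CA PAM or from this reference, that implements the Login IP Ranges rules described for the User record (Administration Fields) and for the User Group record above: it parses the three formats with the permitted delimiters and resolves precedence the way the NOTE states (a non-empty User definition overrides the groups; otherwise group definitions are additive; empty means unrestricted). Reading the range form "192.0.2.1-32" as a span of final octets, and also accepting a full-address range such as 192.0.2.1-192.0.2.32, are assumptions of this example; the function names are its own.

```python
import ipaddress
import re

# Delimiters the reference permits between ranges: space, comma, semicolon, newline.
_DELIMS = re.compile(r"[\s,;]+")


def parse_login_ip_ranges(spec):
    """Parse a Login IP Ranges string into a list of IPv4 networks.

    Accepted forms: single IP "192.0.2.1", CIDR "192.0.2.0/28" and range
    "192.0.2.1-32". The range form is read here as a span of final octets
    (192.0.2.1 through 192.0.2.32); "192.0.2.1-192.0.2.32" is also accepted.
    Both readings of the range form are assumptions of this example.
    An empty spec means no restriction and yields an empty list.
    """
    networks = []
    for token in _DELIMS.split(spec.strip()):
        if not token:
            continue
        if "-" in token:
            start, end = token.split("-", 1)
            first = ipaddress.IPv4Address(start)
            if "." not in end:                      # final-octet shorthand
                end = ".".join(start.split(".")[:3] + [end])
            last = ipaddress.IPv4Address(end)
            if last < first:
                raise ValueError(f"descending range: {token}")
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            # A bare address becomes a /32. A CIDR with host bits set is
            # rejected (strict parsing) rather than silently widened.
            networks.append(ipaddress.ip_network(token))
    return networks


def effective_login_ranges(user_spec, group_specs):
    """Resolve which definition applies, following the NOTE above.

    A non-empty User definition overrides every group definition, even a
    less restrictive one. Otherwise the group definitions are additive
    (their union). Nothing defined anywhere means unrestricted.
    """
    if user_spec and user_spec.strip():
        return parse_login_ip_ranges(user_spec)
    merged = []
    for spec in group_specs:
        merged.extend(parse_login_ip_ranges(spec))
    return merged


def login_allowed(client_ip, user_spec, group_specs=()):
    """True if client_ip may log in under the resolved Login IP Ranges."""
    ranges = effective_login_ranges(user_spec, group_specs)
    if not ranges:                  # empty: no IP address restrictions
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ranges)
```

Note that a User record containing a wide range such as 10.0.0.0/8 replaces, rather than narrows, a tighter group rule; when auditing login restrictions, inspect the User record first, then the union of the groups.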

Roles

Roles Fields

Available Roles
    Drop-down list of CA PAM User Roles available through previous provisioning. Multiple roles can be assigned per group (or to an individual user through the individual user record).

    Default: Standard User.

    IMPORTANT: The "credentialsManage" privilege is not currently propagated to member Users. Thus the User Group roles Global Administrator, Operational Administrator, and/or Password Manager must also be applied in the individual record of each member User who manages passwords.

Add Rules

Add Rules Fields

Access Days
    Select one or more days on which the User is permitted access.
From _ To _
    Select a time range within the specified Access Days during which the User is permitted access.
Add New Rule
    Displays Add New Rule.
Remove All Rules
    Removes existing rules from CA PAM.

Users

Users Fields

Users
    Displays the sequence of Usernames that are members of this User Group.

    For Local groups: the set of all member usernames; usernames can be added or removed.

    For imported LDAP groups: the set of all member usernames; usernames cannot be added or removed here. That editing must be done in the source LDAP directory.

Devices Menu Bar Reference

Create Device (see page 328)
Manage Groups (see page 330)

Create Device
Basic Info
Create Device Basic Info Fields

Device Name (required)
    The user-specified name of the device. Users see this name on the Access page. NOTE: Double-byte characters such as those used for traditional Chinese are supported.
Address (required)
    The device's IP address or DNS name (DNS must be set up properly under the Config > Network screen).
Scan
    Utility that executes a port scan to detect the services that have been configured.
Device Type
    Select one or more of the listed device type designations to provision their functionality on this device:
    Access
    Password Management
    A2A

    Each device type prompts its own fields; these are indicated below by white prefix letters in each header.
Special Type
    Choose the radio button Special Type = yes only for KVM over IP, intelligent power, or serial console devices.

Access: Special Type: Special Type Device (appears only upon selecting "yes" for the Special Type radio button)

Type (required)
    Choose from an enumerated list of the CA PAM-aware device types.
Login
    If required by the device: username for access.
Password
    If required by the device: password for the identified username.
Manage Custom Types
    Opens a shadow window to allow specification.

A2A: Request Client

Active
    Activation (authorization) status in CA PAM for communication with this A2A Client device. true or false (Binary). Default: false
Preserve Hostname
    Prevents the request server host name from being overwritten each time this A2A Client registers. Default: when left empty, the existing hostname value is not changed.


Tags
Tags Fields

Tags
    Specification of label attributes for the current Device. A tag can be applied to a Device record in one of two ways:
    When the tag already exists in at least one Device record: select it from the drop-down list of existing tags generated by autosuggestion as you type.
    When the tag does not yet exist in any Device record: type the tag name, then press Enter (<CR>).

Terminal
Terminal Fields

Term Type
    ansi
    ibm (allows punch-through only to an AS/400 target device using a CA PAM provisioned credential)
    scoansi
    vt100 (default)
    vt220
    vt320
    xterm
Key Mapping
    None selected
    AT 386
    xterm-vt220 (default)
    vt320
"End" to Select
    NOTE: This function is deprecated.
Terminal Customization
    Triggers the Terminal Customization expansion (see the following section).

Manage Groups
Create Device Groups

Basic Info
Basic Info Fields

Group Name (required)
    The user-specified name of the device group. This is the name that users see on the Access page. NOTE: Double-byte characters such as those used for traditional Chinese are supported.
Group Type (required)
    If this appliance/instance has been configured for AWS use, two options are available: "Local" and "AWS". If "AWS" is selected, this Device Group acts as a container for CA PAM Device records created as a result of an import of AWS devices.
Credential Source
    From a drop-down menu of CA PAM Devices, specify one or more Password Management Device(s) (for example, a Windows domain controller) used to provide a domain account for each policy that provides SSO to any member of this Device Group.

    NOTE: When a Device specified as a Credential Source is deleted or has Device Type "Password Management" unchecked, that Device is removed from any and all Credential Source specifications. This action is noted in the logs.

    NOTE: This Device may at the same time be a member of the Device Group.

    NOTE: As of 2.4 FP3, you can specify a Credential Source that uses the SSH Access Method. This was previously available only for the RDP Access Method.
Description
    Any additional information the administrator wishes to add to this record.

Devices
Device Fields

Devices [List]
    The new Device Group is populated here with existing Devices. To add a Device, start typing its name until it appears in a dialog box list, then select its line item to populate the Devices field.

Access Methods
Access Methods Fields

VNC, Telnet, SSH, Serial, Power, RDP, KVM, TN3270, TN5250, TN3270SSL, TN5250SSL
    A checkbox for each method indicates that each member of the Device Group is capable of, and authorized to use (respond to), the specified Access Method.

Enable
Enable Fields

Provide Credentials for "Always Prompt for Password"
    If checked, provides the credentials when the target prompts for a password.

Autodiscovery Choose Default Parameters

Autodiscovery Choose Default CA PAM Parameters Fields

Target Applications
    Include the following target applications: SSH (22), LDAP (389), MSSQL (1433), Oracle (1521), and Sybase (5000).
Scan
    The scan compares the number of defined and undefined hosts scanned with the license quota, and displays the number of licensed nodes available.

Policy Menu Bar and Dialogs Reference


Manage Policies (see page 332)
Manage Passwords (see page 340)
Import and Export Policy (see page 370)
Import and Export Socket Filter Lists (see page 372)

Manage Policies
Create Policy (see page 333)
Access Methods (see page 333)
Services (see page 333)
Passwords (see page 333)
OOB & Power (see page 333)
Filters (see page 334)
Recording (see page 335)
Manage Filters (see page 335)
Command Filters Config (see page 336)
Command Filters Lists (see page 336)

Socket Filters Config (see page 337)



Socket Filters Lists (see page 339)
AWS Policies (see page 340)
Create AWS Policies (see page 340)

Create Policy

Access Methods

Add
    During configuration, options for Access Methods were selected. This list displays those selected Access Methods.

Services

Add
    Depending on the Device (Group) selected, the options available vary. For instance, if the Device (Group) selected is xxxxx.aws.amazon.com, a dialog such as the one shown here displays. If AWS Management Console SSO is checked, the following dialog displays.

Passwords

Add
    Select from the Target Application [+ (optional) Target Account] sets previously activated for this Device.

    NOTE: For AWS AMI instance UNIX and Linux Devices, only EC2 keys autopopulate as options.

    EXAMPLE: The "Administrator" account for the OS ("Win 2k8 R2 S1") application is available for management by User ("super").

OOB & Power

KVM, Power, Serial
    (See the Access Methods description.) As previously activated for this Device. A checkbox for each method indicates that each member of the Device Group is authorized to use the specified Access Method.

Filters

Select one or no Command Filter, and one or no Socket Filter. The available filters have been previously set in the Manage Filters interface for this User + Device. Through Policy, these restrictions on Device or Device Group access can be imposed on a particular User or User Group:
    Command Filtering
    Socket Filtering

Command Filters
    As previously defined for this User + Device.
Socket Filters
    As previously defined for this User + Device.

    EXAMPLE: The "PrimaryBlacklist" filter has been selected from the drop-down list and is applied to the login session.

    PREREQUISITE: Populated Socket Filters.
Restrict Login if agent is not running
    When selected: if CA PAM cannot detect a running Socket Filter Agent (SFA) on this device and an SFA-monitored connection is being attempted, the login is rejected.

    NOTE: For connection types that are not monitored by CA PAM socket filtering, connection instances are not rejected by this feature.

    NOTE:
    Connections that SFAs monitor include: Access Method GUI, CLI, and mainframe applets; and RDP, VNC, and ICA Services.
    Connections that SFAs do not monitor include: standard (customized) Services and Web Portal Services.


Recording

The options provided in the lists have been previously set in the configuration record for this Device. See Provisioning: Devices for more information.

Graphical
    PREREQUISITE: RDP and VNC are permitted (listed in Selected Access Methods).

    Select if you want this User's activity on this Device to be recorded graphically. Graphical session recording is available for the RDP and VNC applets.

    EXAMPLE: In the example below, this option has been selected, so the RDP sessions are recorded and saved.

    CAUTION: VNC access by Service (rather than by the VNC Access Method) cannot be recorded.
Command Line
    PREREQUISITE: TELNET, SSH, and Console are permitted (listed in Selected Access Methods).

    Select if you want this User's command line activity on this Device to be recorded (as plain text). TELNET, SSH, and Console user keystrokes can be recorded.

    CAUTION: For text search capability in your CLI recording, use an Access Method applet for access, not a native application Service. Text search does not work in recordings of native applications (such as PuTTY).
Bidirectional
    PREREQUISITE: The Command Line option has been selected.

    Select if you want Device command line output to be recorded in addition to the User's command line entries.

    NOTE: All mainframe-access applets (TN3270, TN3270SSL, TN5250, TN5250SSL) apply bidirectional session recording (when session recording is enabled).
Web Portal
    PREREQUISITE: A Web Portal is permitted (selected and listed in Services) using the CA PAM Browser.

    Select if you want this User's activity on this Device Web Portal to be recorded graphically.

    NOTE: If your policy applies to multiple Web Portal type Services, and some of those Services use the Native Browser and some use the CA PAM Browser, this checkbox is available, but will only apply.
On Violation
    Displays the On Violation pane.

Manage Filters

Messages
    Blacklist and Whitelist violation messages display. Also, email violation messages.
Actions
    Defines the number of violations before action is taken and the type of action to be taken.


Command Filters Config

Messages

Blacklist Violation Message
    The default provided is:

    WARNING: [command] is an unauthorized command.[newline]You have [violations] violations. Your session is terminated or account deactivated if violations continue.[newline] Please contact the administrator if you have any questions.

    ... where "[command]" is substituted at execution with the string (keyword) used, "[violations]" is substituted with the number of occurrences (including the current one) of this violation by this user, and "[newline]" is substituted with a line feed.

    NOTE: Double-byte characters such as those used for traditional Chinese are permitted.
Whitelist Violation Message
    The default provided is:

    WARNING: [command] is an unauthorized command.[newline][newline]Please contact the administrator if you have any questions.

    ... where "[command]" is substituted at execution with the string (keyword) used, and "[newline]" is substituted with a line feed.

    NOTE: Double-byte characters such as those used for traditional Chinese are permitted.
Violation Additional email Message
    Information sent to 'super' if violations occur. (No default is provided.)

    NOTE: Double-byte characters are NOT permitted in email messages. (They are permitted only in screen messages.)

Action

# Violations Before Action
    The number of violations permitted to occur. When the violation count matches this threshold, the action in Action After Limit Exceeded is taken. Set this value to zero (0) for no count to be enforced. The count of violations is kept per device regardless of how many times the user connects.
Action After Limit Exceeded
    Select the action that complies with policy when the user exceeds the number of violations.
Save Command Filter Config
    Saves the Command Filter Config file.

Command Filters Lists

Command Filters List Fields

Create List
    Displays the Create List pane.

Create List

Create List Fields

Each field corresponds to a column of the CSV import file. The record type, permitted values, and description are given for each field.

Type (record type: CL; permitted value: command filter list record)
    Import record (row) type. IMPORTANT: CSV files with this record type must be imported only through the Policy > Import/Export Command Filter Lists page.
List Name (CL*; text)
    Command Filters Lists: List template field: Name.
List Type (CL*; white = whitelist, black = blacklist)
    Whitelist: list of commands a user can use; all other commands are prohibited.
    Blacklist: list of commands a user cannot use; all other commands are permitted.
Keyword (CL*; text)
    The command or command subset to be restricted. Multiple commands for the same list are designated by multiple CSV line items using the same List Name.
Add Keyword
    Add a keyword.
Alert (CL*; f = do not use alert, t = use alert)
    Flag to notify (immediately) the monitoring administrator of any use of this command.
Block (CL*; f = do not use block, t = use block)
    Flag to prevent (immediately) this command from being executed.
Regexp (CL*; f = do not use regexp, t = use regexp)
    Flag to apply the Keyword field as a regular expression to the command line for a match. If there is a match, apply any Alert or Block specified.
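
The following Python is an added example, not code from CA PAM or from this reference, that ties the Command Filters Config and the Command Filters Lists tables together: it loads CL records from a CSV export, evaluates a command line against one whitelist or blacklist (honouring the Regexp, Alert, and Block flags), renders the default violation messages with the [command], [violations], and [newline] substitutions, and keeps the per-device violation count that drives "# Violations Before Action" (zero means no count enforced). The CSV column order, the sample lists, the substring reading of a plain Keyword, and the rule that any blacklist match counts as a violation whether or not it is blocked are assumptions of this example.

```python
import csv
import io
import re
from collections import defaultdict

# Assumed CSV column order, following the field order in the table above;
# the page does not show the header row of an exported file.
CL_COLUMNS = ["Type", "ListName", "ListType", "Keyword", "Alert", "Block", "Regexp"]

# Constructed sample export: one whitelist and one blacklist.
SAMPLE_CSV = """\
CL,ops-readonly,white,show,f,t,f
CL,ops-readonly,white,ping,f,t,f
CL,core-deny,black,reload,t,t,f
CL,core-deny,black,^(copy|erase)\\s+,t,t,t
"""

# Default messages exactly as the Command Filters Config table gives them.
DEFAULT_BLACKLIST_MSG = ("WARNING: [command] is an unauthorized command.[newline]"
    "You have [violations] violations. Your session is terminated or account "
    "deactivated if violations continue.[newline] Please contact the "
    "administrator if you have any questions.")
DEFAULT_WHITELIST_MSG = ("WARNING: [command] is an unauthorized command.[newline]"
    "[newline]Please contact the administrator if you have any questions.")


def load_command_filter_lists(text):
    """Parse CL records into {list_name: {"type": "white"|"black", "rules": [...]}}."""
    lists = {}
    for row in csv.DictReader(io.StringIO(text), fieldnames=CL_COLUMNS):
        if row["Type"] != "CL":
            continue                      # not a command filter record
        entry = lists.setdefault(row["ListName"],
                                 {"type": row["ListType"], "rules": []})
        entry["rules"].append({
            "keyword": row["Keyword"],
            "alert": row["Alert"] == "t",
            "block": row["Block"] == "t",
            "regexp": row["Regexp"] == "t",
        })
    return lists


def _matches(rule, command):
    if rule["regexp"]:
        return re.search(rule["keyword"], command) is not None
    return rule["keyword"] in command     # plain keyword: command or subset (assumption)


def render_message(template, command, violations):
    """Apply the [command], [violations] and [newline] substitutions."""
    return (template.replace("[command]", command)
                    .replace("[violations]", str(violations))
                    .replace("[newline]", "\n"))


class CommandFilterPolicy:
    """Evaluate commands against one list and count violations per user+device."""

    def __init__(self, cfl, violations_before_action,
                 blacklist_msg=DEFAULT_BLACKLIST_MSG,
                 whitelist_msg=DEFAULT_WHITELIST_MSG):
        self.cfl = cfl
        self.threshold = violations_before_action   # 0 = no count enforced
        self.blacklist_msg = blacklist_msg
        self.whitelist_msg = whitelist_msg
        self.counts = defaultdict(int)              # survives reconnects

    def evaluate(self, user, device, command):
        """Return {"blocked", "alert", "action_due", "message"} for one command."""
        matched = [r for r in self.cfl["rules"] if _matches(r, command)]
        whitelist = self.cfl["type"] == "white"
        violation = not matched if whitelist else bool(matched)
        if not violation:
            # Permitted; a whitelist entry may still carry an alert flag.
            return {"blocked": False, "alert": any(r["alert"] for r in matched),
                    "action_due": False, "message": ""}
        if whitelist:
            blocked, alert, template = True, False, self.whitelist_msg
        else:
            blocked = any(r["block"] for r in matched)
            alert = any(r["alert"] for r in matched)
            template = self.blacklist_msg
        key = (user, device)
        self.counts[key] += 1
        n = self.counts[key]
        action_due = self.threshold > 0 and n >= self.threshold
        return {"blocked": blocked, "alert": alert, "action_due": action_due,
                "message": render_message(template, command, n)}
```

The regex-flagged blacklist entry shows why the Regexp flag matters: a plain keyword "copy" would also fire on "show running-config | include copy", while the anchored pattern only catches commands that start with copy or erase.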

Socket Filters Config

Socket Filters Config Fields

Basic Info (see page 338)
    Provides basic socket filter config information.
Messages (see page 338)
    Provides violation and email violation messages.
Action (see page 338)
    Provides the number of violations before action is taken and specifies the action to be taken.

Basic Info

Basic Info Fields

Agent Port
    The default is 8550. The value must match the port on which the agents are listening. NOTE: The socket filter agents must be configured to use the same port.
SFA Monitoring
    IMPORTANT: This checkbox must be selected for filters to be monitored (in addition to the device filter specification on the specific device page). Enable this option if the policies include disallowing users from logging on to a device when the agent is not running. Agent status also appears under Socket Filter Agent in the Devices menu button.
Appliance ID
    A unique number that refers to each physical appliance; it must be set when using SFAs with Windows. Thus, when CA PAMs are clustered, each member must have a unique ID.
Log All (White and Black list)
    Logs all whitelist and blacklist activity.

Messages

Messages Fields

Violation Message
    Allows customization of the message that appears to the User when a policy is violated.

    When the following strings (including brackets) are used in a Socket Filter Config message, they are substituted as specified:
    [host] - replaced by the IP address of the blocked host.
    [port] - replaced by the port of the blocked connection.

    NOTE: Double-byte characters such as those used for traditional Chinese are permitted.
Violation Additional email Message
    Information sent to "super" if violations occur.

    PREREQUISITE: Administrator email must be configured.

    NOTE: Double-byte characters are NOT permitted in email messages. (They are permitted only in screen messages.)

Action

Action Fields

# Violations Before Action
    The number of violations permitted to occur. When the violation count matches this threshold, the action specified in Action After Limit Exceeded is taken. Set this value to zero (0) for no count to be enforced. NOTE: The count of violations is persistent per user-device pair regardless of how many times the user connects, so a user cannot "re-zero" the count by reconnecting and trying again.
Action After Limit Exceeded
    Select the action that complies with policy when the user exceeds the number of violations.

Socket Filters Lists

Socket Filters List Fields

Basic Info (see page 339)
    Provides basic information.
Hosts (see page 339)
    Identifies the host IP address/netmask and ports.

Basic Info

Basic Info Fields

Each field corresponds to a column of the CSV import file. The record type, permitted values, and description are given for each field.

Name (SL*; text)
    Socket Filters Lists: List template field: Name.
Type (SL*; white = whitelist, black = blacklist)
    Whitelist: list of sockets (address-and-port combinations) a user can use; all other sockets are prohibited.
    Blacklist: list of sockets a user cannot use; all other sockets are permitted.

Hosts

Host Fields

IP Address (SL*; IPv4 dotted-quad address, for example 192.0.2.1)
    The socket filter or socket filter subset to be restricted. Multiple socket filters for the same list are designated by multiple CSV line items using the same List Name.
Port (SL*; one or more port numbers (comma or space separated), or one port range)
    Socket to which the whitelist or blacklist designation is assigned. Multiple sockets for the same list are designated by multiple CSV line items using the same List Name.
Add Host
    Add more hosts.
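
The following Python is an added example, not code from CA PAM or from this reference, that loads SL records from a CSV export, expands the Port column (a comma- or space-separated list, or one range), and decides whether a connection to a given host and port is allowed under a whitelist or a blacklist, rendering the Socket Filters Config violation message with the [host] and [port] substitutions. The CSV column order, the sample lists, the violation message text, and the acceptance of a "/prefix" suffix on the address (suggested by the "IP address/Netmask" wording above but not shown in the permitted values) are assumptions of this example. The per-user-device violation counter is the same as in the command filter example and is not repeated here.

```python
import csv
import io
import ipaddress
import re

# Assumed CSV column order, following the field order in the tables above;
# the page does not show the header row of an exported file.
SL_COLUMNS = ["Type", "Name", "ListType", "IPAddress", "Port"]

# Constructed sample export. A quoted Port cell holds a list; 8000-8100 is a
# range; the /24 suffix is an assumption, not a form the page lists.
SAMPLE_SL_CSV = """\
SL,PrimaryBlacklist,black,192.0.2.10,22
SL,PrimaryBlacklist,black,192.0.2.11,"3389 5985, 5986"
SL,PrimaryBlacklist,black,198.51.100.0/24,8000-8100
SL,JumpOnly,white,192.0.2.50,22 3389
"""

# Constructed violation message using the two substitutions the page defines.
DEFAULT_SOCKET_MSG = "Connection to [host]:[port] is blocked by policy."


def parse_ports(spec):
    """'22', '3389 5985, 5986' or '8000-8100' -> set of port numbers."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {spec}")
        return set(range(lo, hi + 1))
    ports = {int(p) for p in re.split(r"[,\s]+", spec) if p}
    if not ports or any(not 0 < p <= 65535 for p in ports):
        raise ValueError(f"bad port list: {spec}")
    return ports


def load_socket_filter_lists(text):
    """Parse SL records into {name: {"type": "white"|"black", "hosts": [(net, ports)]}}."""
    lists = {}
    for row in csv.DictReader(io.StringIO(text), fieldnames=SL_COLUMNS):
        if row["Type"] != "SL":
            continue                      # not a socket filter record
        entry = lists.setdefault(row["Name"], {"type": row["ListType"], "hosts": []})
        net = ipaddress.ip_network(row["IPAddress"], strict=False)   # bare IP -> /32
        entry["hosts"].append((net, parse_ports(row["Port"])))
    return lists


def socket_decision(sfl, host, port, template=DEFAULT_SOCKET_MSG):
    """Decide whether a connection to host:port is allowed under one list.

    Returns (allowed, violation_message); the message is empty when allowed.
    Whitelist: allowed only if some entry matches. Blacklist: denied if any
    entry matches.
    """
    addr = ipaddress.ip_address(host)
    matched = any(addr in net and port in ports for net, ports in sfl["hosts"])
    allowed = matched if sfl["type"] == "white" else not matched
    if allowed:
        return True, ""
    return False, template.replace("[host]", host).replace("[port]", str(port))
```

A socket is the address-and-port pair, so a blacklist entry for 192.0.2.10 port 22 leaves 192.0.2.10 port 443 reachable; to block a host entirely, list every port range the agent will see, or use a whitelist.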

AWS Policies
Manage AWS Policies Fields

Create AWS Policy
    Opens the Create AWS Policy pane.

Create AWS Policies

Create AWS Policies Fields

Name
    Assign a policy name. (This is a tag used only in CA PAM.)
Access Key Alias
    Assign an Access Key Alias from this drop-down list, composed from the corresponding fields in the target accounts specified for use with the AWS Access Credential Accounts target application.
Session Timeout
    Designates the amount of time permitted for the policy to be applied before disconnection.
Policy
    The IAM Policy content to be applied.

Manage Passwords
Manage Passwords (see page 341)
Targets (see page 341)
Accounts (see page 341)
AWS API Proxy Access Credentials (see page 342)
Proxies (see page 364)
Password Composition Policies (see page 364)
SSH Key Pair Policies (see page 364)
Workflow Menu (see page 364)
A2A Menu (see page 364)
Scripts (see page 364)
Clients (see page 364)
Mappings (see page 364)
Request Groups (see page 365)
Groups (see page 366)



User Groups (see page 366)
Roles (see page 366)
Settings Menu (see page 366)
General Settings (see page 366)
Request Server Settings (see page 367)
Email Settings Pop-up (see page 367)
UI Settings (see page 369)
Disaster Recovery (see page 370)

Manage Passwords

Targets
Accounts

AWS Access Credentials

Use this Application Type, along with Host Name "xceedium.aws.amazon.com", when creating target accounts that are applicable only to AWS access.

AWS Access Credentials Fields

User Friendly Account Name
    A string that functions in CA PAM like a username for AWS Account + Region access.
Access Key ID
    An alphanumeric string that functions in AWS like a username for AWS account access.
Secret Access Key
    The longer string corresponding to the Access Key ID that functions like a password with the above ID.
View Private Key
    Select this checkbox to reveal the Secret Access Key characters (which are otherwise obfuscated).
Key Alias
    Assign a short "name" to this credential pair so that you can easily identify and select it when required elsewhere in the GUI.
Access Role Name
    Provide this if these credentials are applicable to an AWS API Proxy account.
AWS Cloud Type
    Select Commercial if these credentials are applicable to a regular AWS account, or Government if applicable to a United States government authorized AWS GovCloud (US) Region account.

AWS Access Credentials Access Key Tab

AWS Access Credentials Access Key Tab Fields

EC2 Instance User Name
    For most AWS Linux instances, this is pre-assigned: "ec2-user".
EC2 Private Key
    Displays the private key file after you upload it using the Choose File and Upload buttons.
Upload Key File
    Click Choose File to select the private key "*.pem" file you downloaded while creating the key pair in the AWS interface. Click Upload to stage the content of this file into the EC2 Private Key field above.
Enable Key Upload
    This checkbox must be selected to activate the Choose File and Upload buttons above.
Passphrase
    If you assigned a passphrase when creating the EC2 Private Key, enter it here.
Show Passphrase
    Select this checkbox to reveal the Passphrase characters (which are otherwise obfuscated).
Key Pair Name
    Assign a short "name" to this key pair so that you can easily identify and select it when required elsewhere in the GUI.

AWS API Proxy Access Credentials

Use this Application Type, along with Host Name "xceedium.aws.amazon.com", when creating target accounts that are applicable only to AWS API access.

(There are no special fields for this Target Account type.)

Application Type

The following expansion windows, populated with default values, are provided to allow option
specification for the corresponding account types.

For most Target Account types, a Change Process option specifies whether the account being
managed can change its own password or whether another, higher-privilege account must be
specified to do that. When the latter option is selected (Use the following account to change
password), a field appears below the legend so that you can enter the password-changing account.

Application Types

Generic (see page 343)

AS400 (see page 343)

Cisco (see page 353)

Juniper Junos (see page 356)


LDAP (see page 356)

MSSQL (see page 356)

MySQL (see page 357)

Oracle (see page 357)

SPML V.2 (see page 357)

UNIX (see page 357)

VMware ESX/ESXi

VMware NSX Controller (see page 361)

VMware NSX Manager (see page 361)

VMware NSX Proxy (see page 362)

WebLogic 1.0 (see page 362)

Windows Domain Services (see page 362)

Windows Proxy (see page 363)

API Key (see page 340)

Generic

No requirement.

AS400

No requirement.

Cisco
Cisco Application Type Fields

Fields are initially "populated" with (invisible) default values. When a field is empty, the default value identified below that field is in effect. CA PAM accepts a regular expression in those fields whose names end in "Prompt".

Cisco Script Processor Dialog Box Fields

Script Processor
    Settings applied to the use of an Update or Verify script.
Script Timeout (optional)
    Specifies the amount of time in milliseconds that CA PAM waits to receive expected input from the remote host.
    Default: 5000
    Valid values: an integer between 5000 and 59999
Script variable prompts
    When specified, the following prompts and commands are substituted into the appropriate locations (variables) in the default script(s). These are the prompts from the Cisco device that the script recognizes; you may enter a substitute string.
Password Change Prompt
    A regular expression that matches the prompt produced by the remote host when it requests that a password be changed because it has expired.
    Regex match: (?si).*?old password:.*?
Password Confirmation Prompt
    A regular expression that matches the prompt produced by the remote host when it requests that a password be confirmed.
    Regex match: (?si).*?new password confirmation:.*?
Password Entry Prompt
    A regular expression that matches the prompt produced by the remote host when it requests a password.
    Regex match: (?si)(.*?password:.*?)
User Name Entry Prompt
    A regular expression that matches the prompt produced by the remote host when it requests a user name.
    Regex match: (?si).*?username:.*?
Update Credentials Script
    Specify the script to be used for updating credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.
    Use which type of script?
        Use the default script: CA PAM uses the default script provided with the release.
        The following two options are only for use coordinated with CA Technologies, Inc. Support:
        Use a revised default script (requires patch): specifies the name of the file containing the revised update script; the contents of the file are used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.
        Use a replacement script: specifies a replacement update script. When selected, opens a text field in which to insert the replacement script.
Verify Credentials Script
    Specify the script to be used for verifying credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.
    Use which type of script?
        Use the default script: CA PAM uses the default script provided with the release.
        The following two options are only for use coordinated with CA Technologies, Inc. Support:
        Use a revised default script (requires patch): specifies the name of the file containing the revised verify script; the contents of the file are used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.
        Use a replacement script: specifies a replacement verify script. When selected, opens a text field in which to insert the replacement script.

Use of the Cisco application type displays the following drop-down menu. The second displays these fields expanded.

Port
    The port used to connect to the Cisco host using SSH.
Communication Timeout
    Specifies the amount of time to wait for SSH communication with the target server before ending the connection.
Enable strict host key checking?
    When checked, expands into additional widgets. See the table that follows.
Use default ciphers?
    When unchecked, expands into additional widgets. See the table that follows.
Use default key exchange methods?
    When unchecked, expands into additional widgets. See the table that follows.
Use default compression methods?
    When unchecked, expands into additional widgets. See the table that follows.
Use default server host key types?
    When unchecked, expands into additional widgets. See the table that follows.
Port
    The port used to connect to the host using Telnet. Default: 23
Communication Timeout
    When using the Telnet communication channel, specifies the amount of time in milliseconds that CA PAM waits for the remote host to respond. Default: 60000






CA PAM API Key

No Requirement.

Application Types

Generic (see page 343)

AS400 (see page 343)

Cisco (see page 353)

Juniper Junos (see page 356)

LDAP (see page 356)

MSSQL (see page 356)

MySQL (see page 357)

Oracle (see page 357)

SPML V.2 (see page 357)

UNIX (see page 357)

VMware ESX/ESXi

VMware NSX Controller (see page 361)

VMware NSX Manager (see page 361)

VMware NSX Proxy (see page 362)

WebLogic 10 (see page 362)

Windows Domain Services (see page 362)

Windows Proxy (see page 363)

API Key (see page 340)

Cisco

Script Processor

Fields are initially populated with (invisible) default values. When a field is left empty, the default value identified below that field is in effect. CA PAM accepts a regular expression in the fields whose names end in "Prompt".
Cisco Script Processor Dialog Box Fields

Script Processor
  Settings applied to use of an Update or Verify script.

Script Timeout
  Specifies the amount of time in milliseconds that CA PAM will wait to receive some expected input from the remote host. Optional. Default: 5000. Valid values: an integer between 5000 and 59999.

Script variable prompts
  When specified, the following prompts are substituted into the appropriate locations (variables) in the default script(s). These are the prompts from the Cisco device that the script must recognize; you may enter a substitute string for each.

Password Change Prompt
  A regular expression that matches the prompt produced by the remote host when it requests that a password be changed because it has expired. Regex match: (?si).*?old password:.*?

Password Confirmation Prompt
  A regular expression that matches the prompt produced by the remote host when it requests that a password be confirmed. Regex match: (?si).*?new password confirmation:.*?

Password Entry Prompt
  A regular expression that matches the prompt produced by the remote host when it requests a password. Regex match: (?si)(.*?password:.*?)

User Name Entry Prompt
  A regular expression that matches the prompt produced by the remote host when it requests a user name. Regex match: (?si).*?username:.*?

Update Credentials Script

Update Credentials Script
  Specify the script to be used for updating credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.

Use which type of script?
  Use the default script – Indicates that CA PAM will use the default script provided with the release.

  The following two options are only for use coordinated with CA Technologies, Inc. Support:

  Use a revised default script (requires patch) – Specifies the name of the file containing the revised update script. The contents of the file will be used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.

  Use a replacement script – Specifies a replacement update script. When selected, this option opens a text field in which to insert the replacement script.

Verify Credentials Script

Verify Credentials Script
  Specify the script to be used for verifying credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.

Use which type of script?
  Use the default script – Indicates that CA PAM will use the default script provided with the release.

  The following two options are only for use coordinated with CA Technologies, Inc. Support:

  Use a revised default script (requires patch) – Specifies the name of the file containing the revised verify script. The contents of the file will be used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.

  Use a replacement script – Specifies a replacement verify script. When selected, this option opens a text field in which to insert the replacement script.

A replacement script drives the password change or verification session against the target with the managed account's credentials; review and change-control it as you would any other privileged code.

The Cisco application type also displays the following communication channel settings.

SSH-2 Communications Channel

Port
  The port used to connect to the Cisco host using SSH.

Communication Timeout
  Specifies the amount of time to wait for the SSH communication with the target server before ending the connection.

Enable strict hosting key checking?
  When checked, expands into additional widgets. See the table that follows.

Use default ciphers?
  When unchecked, expands into additional widgets. See the table that follows.

Use default key exchange methods?
  When unchecked, expands into additional widgets. See the table that follows.

Use default compression methods?
  When unchecked, expands into additional widgets. See the table that follows.

Use default server host key types?
  When unchecked, expands into additional widgets. See the table that follows.

Leave strict host key checking enabled wherever possible. Without it the appliance accepts whatever host key the far end presents, so a host on the path can impersonate the device and receive the credentials the script sends. When you override the default ciphers, key exchange methods or host key types, prefer removing weak algorithms to adding them.

Telnet Communications Channel

Telnet Communication Channel
  Settings applicable to Telnet.

Port
  The port used to connect to the Cisco host using Telnet. Default: 23

Communication Timeout
  When using the Telnet communication channel, specifies the amount of time in milliseconds that CA PAM should wait for the remote host to respond. Default: 60000

Telnet carries the whole session, including the current and new passwords the script sends, in cleartext. Use the SSH-2 channel wherever the device supports it.

Juniper Junos

Use of the Junos connector requires specification of the parameters shown here.

Juniper Details Fields

Connect timeout (milliseconds)
  Optional. Default: 60000

Read timeout (milliseconds)
  Optional. Default: 5000

SSH Port
  Required. Default: 22

LDAP

Use of the LDAP connector requires specification of the following parameters. The directory must support the LDAP v3 protocol.

LDAP Details Fields

Port
  Port used to connect to the LDAP server (for example, Active Directory). Required. Default: 389

Protocol
  The protocol used to connect to the LDAP server: Non-SSL or SSL. Default: Non-SSL

Base-64 encoded X.509 Certificate
  SSL certificate. Required if Protocol is SSL.

Note that 389 is the cleartext LDAP port; a directory that accepts LDAP over SSL conventionally listens on 636, so set Port accordingly when you select SSL. With Non-SSL, the bind credentials and every password update cross the network unencrypted.

MSSQL

Use of the MSSQL connector requires specification of the following parameters (unless marked "optional") for Microsoft SQL Server 2000 and later.

MSSQL Details Fields

SSL Enabled
  Check this box if SSL is to be enabled. Default: False (Not enabled)

Port
  MS SQL Server port. Optional. Default: 1433

Instance
  MS SQL Server instance name. Optional.

MYSQL

Use of the MYSQL connector requires specification of the following parameters.

MYSQL Application Type Dialog Box Fields

DB Port
  MYSQL database listener port. Required. Default: 3306

Oracle

Use of the Oracle connector requires specification of the following parameters.

Oracle Details Fields

SSL Enabled
  Check this box if SSL is to be enabled. Default: False (Not enabled)

DB Port
  Oracle database listener port. Required. Default: 1521

SPML V.2

Use of the SPML (Service Provisioning Markup Language) v2.0 connector requires specification of the following parameters. The path, together with the target server host name, the port attribute and the protocol attribute, forms a valid URL.

SPML v2.0 Details Fields

Port
  Port used to connect to the SPML server. Required. Default: 8080

Path
  SPML path that CA PAM connects to. Optional.

Protocol
  Protocol used to connect to the SPML server: Non-SSL or SSL. Default: Non-SSL

Base-64 encoded X.509 Certificate
  SSL certificate. Required if SSL is used.

UNIX

Fields are initially populated with (invisible) default values. When a field is left empty, the default value identified below that field is in effect. CA PAM accepts a regular expression in the fields whose names end in "Prompt".

Unix - Script Processor Dialog Box Fields

Script Processor
  Settings applied to use of an Update or Verify script.

UNIX Variant
  Specifies the type of UNIX system that is installed on the Target Server. This option adapts the connection script used to that version.
  AIX | HPUX | Linux | Solaris – Choose as applicable to your target, or:
  Generic – Choose if the UNIX type is unknown.
  Other – Choose if the UNIX type is known but not listed.

Script Timeout
  Specifies the amount of time in milliseconds that CA PAM will wait to receive some expected input from the remote host. Optional. Default: 5000. Valid values: an integer between 5000 and 59999.

Script variables
  When specified, the following prompts and commands are substituted into the appropriate locations (variables) in the default script(s).

Prompts
  Prompts from UNIX to be recognized by the script. You may enter a substitute string for each.

Password Change Prompt
  A regular expression that matches the prompt produced by the remote host when it requests that a password be changed because it has expired. Regex match: (?si).*?change your password.*?

Password Confirmation Prompt
  A regular expression that matches the prompt produced by the remote host when it requests that a password be confirmed. Regex match on AIX: (?si).*?new password.*? Regex match on any other platform: (?si).*?password.*?

Password Entry Prompt
  A regular expression that matches the prompt produced by the remote host when it requests a password. Regex match: (?si)(.*?password(\sfor|:).*?)

User Name Entry Prompt
  A regular expression that matches the prompt produced by the remote host when it requests a user name. Regex match: (?si).*?login:.*?
Commands
  UNIX commands to be called by the script. You may enter a substitute string for each.

Change Password Command
  The command on the remote host that is used to change a password. Default: passwd

Echo Command
  The command on the remote host that is used to repeat a sequence of characters to the standard output, that is, the console. Default: echo

Policy Management Command
  The command on the remote host that is used to manage policy. Default on AIX: pwdadm. Default on any other platform: (none)

Privilege Elevation Command
  The command on the remote host that is used to elevate the user's level of privilege. Default: sudo

Substitute User Command
  The command on the remote host that is used to act as another user. Default: su

System Information Command
  The command on the remote host that is used to report system information. Default: uname

Who Am I Command
  The command on the remote host that is used to retrieve the effective ID of the currently logged-in user. Default: whoami

A substituted command is what the script executes on the target with the managed account's privileges. Prefer absolute paths to the intended binaries (for example /usr/bin/passwd) so that a writable directory earlier in the account's PATH cannot supply a look-alike.
Update Credentials Script
  Specify the script to be used for updating credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.

Use which type of script?
  Use the default script – Indicates that CA PAM will use the default script provided with the release.

  The following two options are only for use coordinated with CA Technologies, Inc. Support:

  Use a revised default script (requires patch) – Specifies the name of the file containing the revised update script. The contents of the file will be used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.

  Use a replacement script – Specifies a replacement update script. When selected, this option opens a text field in which to insert the replacement script.

Verify Credentials Script
  Specify the script to be used for verifying credentials. Customers should use the default script and contact CA Technologies, Inc. Support if a revised script is needed.

Use which type of script?
  Use the default script – Indicates that CA PAM will use the default script provided with the release.

  The following two options are only for use coordinated with CA Technologies, Inc. Support:

  Use a revised default script (requires patch) – Specifies the name of the file containing the revised verify script. The contents of the file will be used as the revised script. When selected, opens a field with a drop-down list of available scripts, each of which has been uploaded from a patch supplied by Support.

  Use a replacement script – Specifies a replacement verify script. When selected, this option opens a text field in which to insert the replacement script.
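The Cisco and UNIX prompt tables above give the default regular expressions that the script processor matches against what the target sends. The following is an added example, not code from CA PAM or from this documentation: it applies those defaults to constructed device output with Python's re module, assuming that each regex is matched against the whole buffered output, as the leading and trailing .*? suggest. It shows that several defaults overlap (any buffer containing "password" satisfies the non-AIX Password Confirmation default), that a login banner containing "Last login:" satisfies the default User Name Entry regex, and what a tighter substitute string looks like (TIGHT_LOGIN_PROMPT is a hypothetical substitute, not a product default).

```python
import re

# Default prompt regexes from the Cisco and UNIX Script Processor tables.
# (?s) lets "." cross line breaks, so banner text before the prompt is tolerated;
# (?i) makes the match case-insensitive. The leading and trailing ".*?" let each
# pattern consume the whole buffer, so this example applies them with a
# full-buffer match (an assumption about how the script processor uses them).
CISCO_PROMPTS = {
    "password_change": r"(?si).*?old password:.*?",
    "password_confirmation": r"(?si).*?new password confirmation:.*?",
    "password_entry": r"(?si)(.*?password:.*?)",
    "user_name_entry": r"(?si).*?username:.*?",
}

UNIX_PROMPTS = {
    "password_change": r"(?si).*?change your password.*?",
    "password_confirmation": r"(?si).*?password.*?",  # default on non-AIX platforms
    "password_entry": r"(?si)(.*?password(\sfor|:).*?)",
    "user_name_entry": r"(?si).*?login:.*?",
}
AIX_PASSWORD_CONFIRMATION = r"(?si).*?new password.*?"

# Hypothetical substitute string for the UNIX User Name Entry Prompt: the
# prompt must end the buffer instead of appearing anywhere in it.
TIGHT_LOGIN_PROMPT = r"(?si).*?\blogin:\s*$"


def is_prompt(pattern: str, output: str) -> bool:
    """True if the whole buffered output matches the prompt regex."""
    return re.fullmatch(pattern, output) is not None


def classify(prompt_set: dict, output: str) -> list:
    """Names of every prompt in prompt_set whose regex matches the buffer, in
    table order. More than one name means the script has to rely on the step
    it is in, not on the regex alone, to decide what to send."""
    return [name for name, pattern in prompt_set.items() if is_prompt(pattern, output)]


# Constructed samples; none of these were captured from a real device.
SAMPLES = {
    "cisco_username": "Username: ",
    "cisco_old_password": "Enter old password: ",
    "unix_sudo": "[sudo] password for alice: ",
    "unix_banner": "Last login: Mon Feb  6 09:12:44 2017 from 10.0.0.5\nalice@host's password: ",
    "unix_retype": "Retype new password: ",
    "unix_expired": "You are required to change your password immediately (password aged)",
    "token_prompt": "Passcode: ",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        prompts = CISCO_PROMPTS if label.startswith("cisco") else UNIX_PROMPTS
        print(f"{label:20} -> {classify(prompts, text)}")
    print("tight login regex vs banner:", is_prompt(TIGHT_LOGIN_PROMPT, SAMPLES["unix_banner"]))
```

Because the defaults overlap, the script's position in the change sequence decides which credential is sent; a prompt recognized at the wrong step means a password typed into the wrong place. If a target's banner or prompt wording differs from the defaults (a token prompt such as "Passcode:", for instance, matches none of them), supply a substitute regex in the corresponding Prompt field rather than loosening the others.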

The UNIX application type also displays the following communication channel settings.

SSH-2 Communications Channel

Port
  User-supplied port, or use the default.

Communication Timeout
  Set the timeout period in milliseconds.

SSH Key Pair Policy
  From the drop-down menu, select an SSH Key Pair Policy.

Enable strict hosting key checking?
  Checking this checkbox displays drop-down boxes for Known Host Key and Known Host Key Fingerprint. (See the following table for information.)

Use default ciphers?
  (See the following table for information.)

Use default hashes?
  Specifies whether the default hashes (the SSH MAC algorithms) should be used when CA PAM makes an SSH connection to the remote host.

Use default key exchange methods?
  (See the following table for information.)

Use default compression methods?
  (See the following table for information.)

Use default server host key types?
  (See the following table for information.)
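The strict host key checking option in the UNIX table above (and the equivalent option in the Cisco SSH-2 channel) pins the target's host key, either as the full Known Host Key or as its Known Host Key Fingerprint. The following is an added example, not CA PAM code and not its API: it parses an OpenSSH public-key line, computes the SHA256 and legacy MD5 fingerprints in the formats ssh-keygen prints, and accepts a presented key only if the fingerprint equals the pinned value and, when one is pinned, the key type matches. The sample key is constructed from 32 arbitrary bytes and belongs to no real host.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_key: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH public-key line from 32 raw Ed25519 public-key bytes.
    Used here only to construct sample input; a real Known Host Key is copied
    from the target (/etc/ssh/ssh_host_*_key.pub) or its key display."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Return (key type, wire-format blob) for an OpenSSH public-key line,
    checking that the type named inside the blob matches the type on the line."""
    key_type, b64, *_ = line.split()
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type on the line does not match the key blob")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the blob's digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint (what ssh-keygen -E md5 prints)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def verify_host_key(presented_line: str, known_fingerprint: str, known_type: str = None) -> bool:
    """Strict host-key check: accept the presented key only if its fingerprint
    equals the pinned one (and its type matches, when a type is pinned)."""
    try:
        key_type, blob = parse_pubkey_line(presented_line)
    except (ValueError, struct.error):
        return False
    if known_type is not None and key_type != known_type:
        return False
    if known_fingerprint.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    elif known_fingerprint.startswith("MD5:"):
        actual = fingerprint_md5(blob)
    else:
        return False
    return hmac.compare_digest(actual, known_fingerprint)


# Constructed sample key (not a real host's key): 32 arbitrary bytes.
SAMPLE_KEY_LINE = make_ed25519_pubkey_line(bytes(range(32)), "target.example constructed")
SAMPLE_FINGERPRINT = fingerprint_sha256(parse_pubkey_line(SAMPLE_KEY_LINE)[1])

if __name__ == "__main__":
    print(SAMPLE_KEY_LINE)
    print(SAMPLE_FINGERPRINT)
    print("genuine key accepted:", verify_host_key(SAMPLE_KEY_LINE, SAMPLE_FINGERPRINT, "ssh-ed25519"))
    print("tampered key accepted:", verify_host_key(make_ed25519_pubkey_line(bytes(range(1, 33))), SAMPLE_FINGERPRINT))
```

Obtain the value to pin out of band, from the target itself, not from the first connection the appliance makes; a fingerprint learned over the network being protected is only as trustworthy as that network. Pinning the full key rather than an MD5 fingerprint avoids relying on a hash that is no longer collision-resistant.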
Telnet Communication Channel
  Settings applicable to Telnet.

Port
  The port used to connect to the UNIX host using Telnet. Default: 23

Communication Timeout
  When using the Telnet communication channel, specifies the amount of time in milliseconds that CA PAM should wait for the remote host to respond. Default: 60000

VMware ESX/ESXi

Use of the VMware connector requires specification of the following parameters.

VMware ESX/ESXi Application Type Dialog Box Fields

SSL Port
  Default: 443

VMware NSX Controller

VMware NSX Controller Application Type Dialog Box Fields

Script Processor

Script Timeout
  Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host. Valid values are 5000-99999. Default: 5000

SSH-2 Communications Channel

Port
  The port used to connect to the NSX Controller host using SSH. Valid values are 0-65535. Default: 22

Communications Timeout
  When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager waits for the remote host to respond. Valid values are 1000-99999. Default: 5000

VMware NSX Manager

VMware NSX Manager Application Type Dialog Box Fields

Script Processor

Script Timeout
  Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host. Valid values are 5000-99999. Default: 5000

SSH-2 Communications Channel

Port
  The port used to connect to the NSX Manager host using SSH. Valid values are 0-65535. Default: 22

Communications Timeout
  When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager waits for the remote host to respond. Valid values are 1000-99999. Default: 5000

VMware NSX Proxy

No requirements.

WebLogic 10

WebLogic10 Application Type Dialog Box Fields

Server Port
  The port used to connect to the WebLogic server. Valid values are 0-65535. The Credential Manager GUI uses the default value 7001.

MBean
  [TBD]

Windows Domain Services

Windows Domain Services Fields

Domain Controller Lookup
  Specifies the DNS method to use:
  Do not use DNS (target server is domain controller)
  Retrieve DNS list – retrieves the domain controller's name from the DNS server used by the CA PAM server.
  Use the following DNS server

Domain Name
  Specifies the Windows domain of which the accounts managed by this application are members.

Domain Controller Port (SSL)
  Specifies the port used to connect to the Domain Controller. Default: 636

Active Directory Site
  Used only if Domain Controller Lookup is set to Retrieve DNS list or Use the following DNS server. If a value is given, CA PAM uses it to narrow the search for domain controllers to the site of that name. If empty, CA PAM searches for all domain controllers in DNS.

Windows Proxy

Windows Proxy Application Details Fields

Windows Proxy Application type
  Specifies which system is authoritative for this application's accounts:
  Local Account (verified against target server)
  Domain Account (verified against domain controller)

  If Local Account: no further specification is required.

  If Domain Account: the following fields apply.

Domain Controller Lookup
  Specifies the DNS method to use:
  Do not use DNS (connect to target server)
  Do not use DNS (connect to specified servers) – If selected, populate "Specified Server(s)" below.
  Retrieve DNS list – Retrieves the Domain Controller's name from the DNS server used by the CA PAM server.
  Use specified DNS server(s) – If selected, populate "Specified DNS Server(s)" below.

Specified Server(s)
  Use the following server(s) (comma-separated).

Specified DNS Server(s)
  Use the following DNS server(s) (comma-separated). Retrieves the Domain Controller's name from the specified list of DNS servers.

Domain Name
  Specifies the Windows domain of the managed account.

Active Directory Site
  Used only if Domain Controller Lookup is set to Retrieve DNS list or Use specified DNS server(s). If a value is given, CA PAM uses it to narrow the search for domain controllers to the site of that name. If empty, CA PAM searches for all domain controllers in DNS.

Proxies
  Select the proxy installation(s) that will be applicable for proxy to this target: Available Proxies ↔ Selected Proxies
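For both Windows Domain Services and Windows Proxy, the Retrieve DNS list and specified-DNS-server lookup modes find domain controllers through DNS, and the Active Directory Site value narrows that search. The following is an added example in Python, illustrative of the mechanism and not the product's implementation: it builds the SRV names an Active Directory DC locator queries for LDAP (_ldap._tcp.<site>._sites.dc._msdcs.<domain> first when a site is given, then _ldap._tcp.dc._msdcs.<domain>), orders the answers by SRV priority and weight, and falls back to the whole domain when the site has no records. Real DNS is replaced by a constructed in-memory zone for the hypothetical domain corp.example; in practice the resolver callback would query the servers named in Specified DNS Server(s).

```python
from typing import Callable, Dict, List, Optional, Tuple

# An SRV record as (priority, weight, port, target). The resolver callback is
# where a real implementation would query the DNS servers named in the
# "Specified DNS Server(s)" field, or the appliance's own resolver.
SrvRecord = Tuple[int, int, int, str]
Resolver = Callable[[str], List[SrvRecord]]


def srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names the Active Directory DC locator queries for LDAP on a domain
    controller: the site-specific name first when a site is given, then the
    domain-wide name."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_by_rfc2782(records: List[SrvRecord]) -> List[SrvRecord]:
    """Lowest priority first; within a priority, higher weight first. RFC 2782's
    weighted-random choice is replaced by a deterministic sort (target name as
    the final tie-breaker) so the example is reproducible."""
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))


def locate_domain_controllers(domain: str, resolve_srv: Resolver,
                              site: Optional[str] = None) -> List[Tuple[str, int]]:
    """Return (host, port) pairs for the domain's controllers. With a site that
    has SRV records, only that site's controllers are returned; an unknown or
    empty site falls back to every controller registered for the domain."""
    for name in srv_names(domain, site):
        records = resolve_srv(name)
        if records:
            return [(target, port) for _, _, port, target in order_by_rfc2782(records)]
    return []


def make_resolver(zone: Dict[str, List[SrvRecord]]) -> Resolver:
    """Resolver over an in-memory zone, standing in for DNS queries; DNS names
    are case-insensitive, so lookups are lower-cased."""
    return lambda name: list(zone.get(name.lower(), []))


# Constructed zone data for the hypothetical domain corp.example.
SAMPLE_ZONE = {
    "_ldap._tcp.dc._msdcs.corp.example": [
        (0, 100, 389, "dc1.corp.example"),
        (0, 100, 389, "dc2.corp.example"),
        (10, 50, 389, "dc3.corp.example"),
    ],
    "_ldap._tcp.paris._sites.dc._msdcs.corp.example": [
        (0, 100, 389, "dc2.corp.example"),
    ],
}

if __name__ == "__main__":
    resolve = make_resolver(SAMPLE_ZONE)
    print("all sites:   ", locate_domain_controllers("corp.example", resolve))
    print("site Paris:  ", locate_domain_controllers("corp.example", resolve, site="Paris"))
    print("site Tokyo:  ", locate_domain_controllers("corp.example", resolve, site="Tokyo"))
```

The SRV answer tells the appliance which hosts are domain controllers and nothing more: DNS is unauthenticated, so the connection itself has to verify the controller, which is what the SSL port (636) and the directory's certificate provide. The port in the SRV record is the cleartext LDAP port the controller advertises, not the port CA PAM connects to.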
Password Composition Policies

Password Composition Policy Details

Password Composition Policy Details Fields

First Must Contain
  Type of character that must start the password.

Minimum Iterations Before Reuse
  Do not allow the reuse of any of the previous [specified number of] passwords.

Minimum Days Before Reuse
  Do not allow the reuse of any password used within the last [specified number of] days.
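The two reuse settings above answer different questions (how many passwords back, and how long ago), and a candidate can fail either, both, or neither. The following is an added example, not CA PAM's code: it keeps a salted PBKDF2 hash per previous password rather than the password itself and reports which rule a candidate breaks. The character-class names accepted by first_char_ok are an assumption, since the page does not list the product's First Must Contain options; the history and dates are constructed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Each history entry is (salt, PBKDF2 digest, time the password was set).
HistoryEntry = Tuple[bytes, bytes, datetime]

PBKDF2_ROUNDS = 10_000  # kept low so the example runs quickly; use far more in production


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def record_password(history: List[HistoryEntry], password: str, set_at: datetime) -> None:
    """Append a password to the history; only a salted hash is stored."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt), set_at))


def _matches(entry: HistoryEntry, candidate: str) -> bool:
    salt, digest, _ = entry
    return hmac.compare_digest(_digest(candidate, salt), digest)


def first_char_ok(password: str, required: str) -> bool:
    """'First Must Contain' check. The class names ("any", "letter", "digit",
    "symbol") are this example's assumption, not the product's option list."""
    if not password:
        return False
    c = password[0]
    classes = {"any": True, "letter": c.isalpha(), "digit": c.isdigit(), "symbol": not c.isalnum()}
    if required not in classes:
        raise ValueError(f"unknown character class: {required}")
    return classes[required]


def reuse_violations(history: List[HistoryEntry], candidate: str,
                     min_iterations: int, min_days: int, now: datetime) -> List[str]:
    """Names of the reuse rules the candidate breaks. 'iterations' compares
    against the last min_iterations passwords; 'days' against every password
    set within the last min_days days. A zero setting disables that rule."""
    problems = []
    recent_by_count = history[-min_iterations:] if min_iterations > 0 else []
    if any(_matches(e, candidate) for e in recent_by_count):
        problems.append("iterations")
    cutoff = now - timedelta(days=min_days)
    recent_by_age = [e for e in history if e[2] >= cutoff] if min_days > 0 else []
    if any(_matches(e, candidate) for e in recent_by_age):
        problems.append("days")
    return problems


# Constructed history: four passwords set 30 days apart, starting 1 Jan 2017.
T0 = datetime(2017, 1, 1, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=125)


def build_sample_history() -> List[HistoryEntry]:
    history: List[HistoryEntry] = []
    for i, pw in enumerate(["Winter2016!", "Spring2016!", "Summer2016!", "Autumn2016!"]):
        record_password(history, pw, T0 + timedelta(days=30 * i))
    return history


if __name__ == "__main__":
    hist = build_sample_history()
    for pw in ["Autumn2016!", "Summer2016!", "Spring2016!", "Winter2016!", "Brand-New-1"]:
        print(f"{pw:12} -> {reuse_violations(hist, pw, min_iterations=2, min_days=60, now=NOW)}")
```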

SSH Key Pair Policies

SSH Key Pair Policies Details

SSH Key Pair Policies Details Fields

Name (string; example: ExampleCorp2-B)
  Assign a useful name tag to easily identify the policy where it is requested in other locations of the GUI.

Description (string)
  (Optional) Provide a useful description for the policy.

SSH Key Type (enumerated: RSA | DSA)
  Choose one of the two types of standard SSH key available.

SSH Key Length (enumerated)
  Choose a key length. RSA: 512, 1024, 2048, or 4096. DSA: 512 or 1024.

Note that 512- and 1024-bit RSA keys, and DSA keys (which this policy limits to 1024 bits), are no longer considered adequate, and OpenSSH has refused DSA keys by default since release 7.0. Choose RSA with at least 2048 bits unless a legacy target cannot accept it.

Workflow Menu

A2A Menu
Scripts

Scripts Details
Clients
Mappings

Mappings Fields


Show
  Select All or Filter By. If filtering, select from the list or use Search.

Add
  Opens the Authorization Details pane.

Authorization Details

Authorization Details Fields

Target
  Select Group or Alias. Use Search to locate a specific group or alias.

Request Group
  Select Group or Client. Use Search to locate a specific A2A Requestor Group or client.

Script
  Select All or Individual. Use Search to locate a specific script.

Check Execution User ID
  Check if appropriate.

Execution User Ids
  Enter one or more execution user IDs. Separate multiple user IDs with commas.

Check Execution Path
  Selecting this checkbox restricts the authorization to provisioned scripts only.

Check File Path
  Selecting this checkbox restricts the authorization to provisioned scripts only.

Perform Script Integrity Validation
  Check if appropriate.

Request Groups

Request Groups Fields

Show: Select All or Filter By. If filtering, select from the list or use Search.
Add Dynamic Group: Opens the Group Details (Type = Dynamic) pane.
Add Static Group: Opens the Group Details (Type = Static) pane.

Group Details Static

Group Details Static Fields

Name: Provide Static Group name.
Description: Provide description for the Static Group.
Type: Type is pre-defined as 'Static'.
Group Clients: Lists available group Clients. Use + and x to add or delete group servers.
Group Scripts: Lists available group scripts. Use + and x to add or delete group applications.

Groups
Groups Menu Fields

User Groups: Opens the User Group.
Roles: Opens the Roles.

User Groups
Roles

Settings Menu
General Settings

General Settings Fields

Disable CLI Host Name Check: This setting is used to override a check that verifies that the CA PAM appliance host name is correct in the certificate used by a server executing CLI commands.
Allow Self Approval of Password View Request: When a password view request requires approval, and the User requesting approval is an authorized approver, this specifies whether the User should be allowed to approve his or her own requests. Default: Checked ( = Allow self-approval)
Maximum Number of Report Entries: Specify the maximum number of rows to generate when a Credential Manager report (in Reports > Reports) is generated. Default: 5000
Password View Request Delete Interval Days: Specifies the number of days after which a password view request expires. Example: If you set this field to "12", the password view requests are deleted automatically from the My Approval List when they become 12 days old. NOTE: More information on My Approval List can be found in Workflow > My Approval List. Default: 30.
Automatically Update Expired Passwords: Enables automatic updates to the passwords for synchronized accounts when the password age exceeds that specified in the associated Password Composition Policy. Default: Unchecked

Request Server Settings

Request Server Settings Fields

A2A Global Settings

Check Execution ID: Sets default credential request checking to validate the execution user ID. Default: Unchecked ( = Execution ID is not validated by default).
Check Execution Path: Sets default credential request checking to validate the execution path. Default: Unchecked ( = Execution path is not validated by default).
Check File Path: Sets default credential request checking to validate the file path. Default: Unchecked ( = File path is not validated by default).
Perform Script Integrity Validation: Sets default credential request checking to perform script integrity validation. Default: Unchecked ( = Script integrity is not validated by default).

Request Server Global Settings

Enable Hardware Fingerprinting: Enable hardware fingerprinting for request servers (hosting A2A Clients). Default: Unchecked ( = hardware fingerprinting is not enabled).

Auto-registered Request Server Settings by Subnet

Add: Opens the Request Server Subnet pane.

Email Settings Pop-up

Email Settings Fields

Account Name: Your email account. The account must be added as a target account of a target application where the target server is the host name of the mail server. The target application can be generic. Default: (empty)
Host Name: Host name of the mail server, which is automatically populated with the host name of the email Account Name. Default: (automatically populated with the name of the target server)
Server Port: Email server port number. Default: 25
Enable SMTP Server Authentication: Select to enable SMTP Server Authentication.
Enable SMTP Server Debug: Select to enable SMTP Server debugging.
One Click Approval Server Host Name: Server host name to be used in the approve or deny URL. Default: CA Privileged Access Manager. IMPORTANT: The above default value must be reset to that of your CA PAM server.
From E-mail Address: To be used in the email "From" field for emails generated by CA PAM. Default: (empty)
Request email fields: Password view request email template: For email to be sent on behalf of a requestor to a list of approvers.
Request Subject: To be used in the email Subject field. Default: Password View Request for target account @TargetAccount.getUserName@
Request Body: To be used in the email body. Default: Do not reply to this email. A password view request has been submitted by user @User.getUserID@ to view the password for account @TargetAccount.getUserName@ of application @TargetApplication.getName@ on server @TargetServer.getHostName@. The password view request reason is @PasswordViewRequest.getReason@ (@PasswordViewRequest.getReasonDescription@). Please login to Password Authority system and manage this request.
Request status update email fields: Request status email template: For email to be sent by CA PAM from an approver to a requestor informing them whether the request was approved or denied.
Request Status Update Subject: To be used in the email Subject field. Default: Password View Request Status for account @TargetAccount.getUserName@
Request Status Update Body: To be used in the email body. Default: Do not reply to this email. The status of your request to view password for the account @TargetAccount.getUserName@ of application @TargetApplication.getName@ in server @TargetServer.getHostName@ is: @PasswordViewRequest.getStatusString@.
Password view email fields: Password view email template: For email to be sent by CA PAM to a set of users when a password is viewed.
Password View Subject: To be used in the email Subject field. Default: Password of account @TargetAccount.getUserName@ has been accessed by @User.getUserID@.
Password View Body: To be used in the email body. Default: Do not reply to this email. The Password for the account @TargetAccount.getUserName@ of application @TargetApplication.getName@ on server @TargetServer.getHostName@ has been accessed by user @User.getUserID@.
Expired password view Requests email fields: Expired password view requests email template: For email sent by CA PAM to a requestor and the other approvers in dual authorization list when expiring the password view request. -or- Auto generated email (when a request in Pending status expires) from Credential Manager to a requestor and the approvers in dual authorization list.
Expired Password View Requests Subject: To be used in the email Subject field.
Expired Password View Requests Body: To be used in the email body.
One Click Approval email fields: One Click Approval email template: For email to be sent by CA PAM on behalf of a requestor to a list of approvers.
One Click Approval Subject: To be used in the email Subject field.
One Click Approval Body: To be used in the email body.
Report Results email fields: Report Results email template: For email to be sent by CA PAM on behalf of a requestor to a list of approvers.
Report Results Subject: To be used in the email Subject field.
Report Results Body: To be used in the email body.

UI Settings

UI Settings Fields

Default Preferences (see page 369): Displays the Default Preferences tab.
Dashboard (see page 370): Displays the Dashboard tab.

Default Preferences Tab

17-Feb-2017 369/373
CA Privileged Access Manager - 2.8

Default Preferences Tab Fields

Time Zone Region: Part of the world in which the server is home. Default: (empty)
Time Zone: Time Zone in which the server is home. Lists a subset of the world time zones contained in the Time Zone Region, the choice of which is prerequisite. IMPORTANT: Make sure to synchronize your Time Zone setting with the corresponding setting in Config > Date/Time > Change Timezone.
List Page Size: Number of items to display on a page.
Enable Charts: Enables graphical charts in the Dashboard reports.

Dashboard Tab

Dashboard Tab Fields

+ Use the + icon to add new items to the list.

Disaster Recovery

Dashboard Recovery Fields

Enable Disaster Recovery Mode: Use the checkbox to enable/disable Disaster Recovery Mode.

Import and Export Policy


Import/Export Policy
Import/Export Policy Fields

CSV File Column Label (Record Type; Permitted Values): Description / Notes

Type (P*): Policy Import record (row) type.
User (P*; text): Username or (User Group:) Groupname of the User-Device pair.
Device (P*; text): Device Name or (Device Group:) Group Name of the User-Device pair.
Services (P; Custom Services (text), and/or Built-in Services: sftpftp, sftpftpemb, sftpsftp, sftpsftpemb, TSWEB): Specify CA PAM built-in or custom Services. Separate any multiple Services by: | (pipe).
SSL VPN Services (P; text): Specify CA PAM custom SSL VPN Services. Separate any multiple SSL VPN Services by: | (pipe).
Applets (P): Use the following template per Access Method applet: 'name=Namecustom_name=CustomName'. Name options: VNC Telnet SSH Serial Power RDP KVM. Name additional options if mainframe licensing is enabled: TN3270 TN3270SSL TN5250 TN5250SSL. CustomName options: (empty); or any string. Separate any multiple applets (Access Methods) by: | (pipe).
Command Filter (P; text): If this policy uses one or more Command Filter Lists, enter them by name; otherwise, leave blank. If used, make sure to define CFLs (import CFL CSV file) first. NOTE: Make sure that filters are imported before policy.
Socket Filter (P; text): If this policy uses one or more Socket Filter Lists, enter them by name; otherwise, leave blank. If used, make sure to define SFLs (import SFL CSV file) first. NOTE: Make sure that filters are imported before policy.
Restrict login if agent is not running (P; t = true, f = false; do not use upper-case 'T' or 'F'): NOTE: Only used for applets that rely on this switch: RDP, VNC, and ICA.
Graphical Recording (P; t = true, f = false; do not use upper-case 'T' or 'F'): When 'true', CA PAM performs graphical recording of every RDP or VNC session between this User(Group)-Device(Group) pair.
Command Line Recording (P; t = true, f = false; do not use upper-case 'T' or 'F'): When 'true', CA PAM performs command line recording of every CLI-based session between this User(Group)-Device(Group) pair.
Bidirectional Recording (P; t = true, f = false; do not use upper-case 'T' or 'F'): When 'true' (and when Command Line Recording is 'true'), CA PAM records both the User and Device input for every CLI-based session between this User(Group)-Device(Group) pair. (Otherwise, only User input is recorded.)
Web Portal Recording (P; t = true, f = false; do not use upper-case 'T' or 'F'): When 'true', CA PAM performs graphical recording of every web portal session between this User(Group)-Device(Group) pair.
Targets (P; [TBD]): [TBD]

Import and Export Socket Filter Lists


Import/Export Socket Filter Lists (see page 372)

Import/Export Socket Filter Lists


Import/Export Socket Filter Lists

CSV File Column Label (Record Type; Permitted Values): Description / Notes

Type (SL): Command Filter List Import record (row) type. IMPORTANT: CSV files with this type record must be imported only through the Policy > Import/Export Socket Filter Lists page.
List Name (SL*; text): Socket Filters Lists: List template field: Name
List Type (SL*; white = whitelist, black = blacklist): Whitelist: List of sockets (address-and-port combinations) a user may use; all other sockets are prohibited. Blacklist: List of sockets a user may not use; all other sockets are permitted.
IP Address (SL*; IPv4 dotted-quad address, Ex: 192.0.2.1): The command or command subset to be restricted. Multiple commands for the same list are designated by multiple CSV line items using the same List Name.
Port (SL*; one or more port numbers (comma or space separated), or one port range): Socket to which whitelist or blacklist designation is assigned. Multiple sockets for the same list are designated by multiple CSV line items using the same List Name.
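As an added example (not CA's code and not part of this reference), the following Python validator checks Socket Filter List CSV records before import: the SL record type, the white/black List Type, the IPv4 dotted-quad address and the Port field, and that one List Name is not both a whitelist and a blacklist. The header-row column order and the "low-high" syntax for a port range are assumptions; the sample CSV is constructed.

```python
import csv
import io
import ipaddress
import re

# Column labels come from the Socket Filter List table; the header-row column
# order and the "low-high" port range syntax are assumptions, not documented.
PORT_RE = re.compile(r"^\d{1,5}$")
RANGE_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")


def parse_ports(field):
    """Return [(low, high)] from one Port field: a single range or a port list."""
    field = field.strip()
    m = RANGE_RE.match(field)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {field}")
        return [(lo, hi)]
    ranges = []
    for tok in field.replace(",", " ").split():  # comma or space separated
        if not PORT_RE.match(tok) or not 1 <= int(tok) <= 65535:
            raise ValueError(f"bad port: {tok}")
        ranges.append((int(tok), int(tok)))
    if not ranges:
        raise ValueError("empty Port field")
    return ranges


def parse_socket_filter_csv(text):
    """Validate SL records; return {list_name: (list_type, [(ip, ranges), ...])}."""
    lists = {}
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        if row["Type"] != "SL":
            raise ValueError(f"line {lineno}: record type must be SL")
        name, ltype = row["List Name"].strip(), row["List Type"].strip()
        if not name or ltype not in ("white", "black"):
            raise ValueError(f"line {lineno}: bad List Name or List Type")
        ip = str(ipaddress.IPv4Address(row["IP Address"].strip()))  # dotted quad only
        ranges = parse_ports(row["Port"])
        entry = lists.setdefault(name, (ltype, []))
        if entry[0] != ltype:  # one list cannot be both whitelist and blacklist
            raise ValueError(f"line {lineno}: list {name!r} mixes white and black")
        entry[1].append((ip, ranges))
    return lists


# Constructed sample: a whitelist allowing SSH to one host and a port range on another.
SAMPLE_CSV = """Type,List Name,List Type,IP Address,Port
SL,jump-hosts,white,192.0.2.1,22
SL,jump-hosts,white,192.0.2.2,8000-8010
"""
```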
