
CA Privileged Access Manager - 2.8
Implementing

Date: 17-Feb-2017

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.

Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.

17-Feb-2017 3/416
Table of Contents

Accessing Your Appliance Server ............................................................. 15


CA Privileged Access Manager Client for Alternate Appliance Access ..................................................... 15
Overview ............................................................................................................................................. 16
Configuring CA Privileged Access Manager for the CA Privileged Access Manager Client ............... 16
Global Settings ........................................................................................................................... 16
Deploy the Client ................................................................................................................................. 17
Download the CA PAM Client .................................................................................................... 17
Install the CA PAM Client ........................................................................................................... 17
Run the CA PAM Client ....................................................................................................................... 17
(Optional) Configure the CA PAM Client ............................................................................................. 19
Uninstall the CA PAM Client ............................................................................................................... 21
Windows ..................................................................................................................................... 21
Windows / Mac / Linux ............................................................................................................... 21
Serve CA PAM Client Installers .......................................................................................................... 21
Client Server Directory Structure ............................................................................................... 21
Blocked Ports ...................................................................................................................................... 22

Configure Your Server ............................................................................... 25


Configuration Overview ............................................................................................................................. 25
GUI for Configuration and Provisioning ..................................................................................................... 26
Root Accounts ..................................................................................................................................... 26
The "Config" Account ................................................................................................................. 26
The "Super" Account .................................................................................................................. 26
Master Account Security ............................................................................................................ 27
Initial Login .......................................................................................................................................... 27
Perform Initial Administrator Login ............................................................................................. 27
Configuration Settings ............................................................................................................................... 27
Configure Date and Time Settings ...................................................................................................... 28
Set the Date and Time ............................................................................................................... 28
Specify Time Servers ................................................................................................................. 28
Configure the Use of Authenticated NTP ................................................................................... 28
Configure Network Resources ............................................................................................................ 29
Authentication ............................................................................................................................ 29
Storage ....................................................................................................................................... 32
Hardware Security Modules (HSMs) .......................................................................................... 34

Implementing 4
Network-Accessible Target Devices .......................................................................................... 35
Authentication ...................................................................................................................................... 36
Kerberos with PIV/CAC .............................................................................................................. 36
LDAP .......................................................................................................................................... 37
LDAP+RADIUS in Combination ................................................................................................. 39
RADIUS or TACACS+ ................................................................................................................ 40
SAML ......................................................................................................................................... 41
AWS Coordination ............................................................................................................................... 61
AWS Coordination Stages ......................................................................................................... 61
Configure AWS Account Coordination ....................................................................................... 61
Access AWS Management Console .......................................................................................... 64
Configure Communication with AWS ......................................................................................... 65
Import Devices from AWS .......................................................................................................... 70
Configure Your Database .................................................................................................................... 70
Database Backup ....................................................................................................................... 70
Database Restoration ................................................................................................................ 74
Hardware Security Modules (HSMs) ................................................................................................... 75
SafeNet Luna SA Appliance ....................................................................................................... 75
SafeNet Luna PCI-E Card .......................................................................................................... 80
Thales nShield Connect HSM Appliance ................................................................................... 85
Common HSM Features ............................................................................................................ 93
Logging ............................................................................................................................................... 94
Splunk Server Specification ....................................................................................................... 94
Apply Firmware and Feature Licenses ................................................................................................ 94
Activation .................................................................................................................................... 94
Virtual Devices That Exceed License Limits .............................................................................. 95
Apply Feature Controls ....................................................................................................................... 95
Security Configuration ................................................................................................................ 96
Certificates Configuration ......................................................................................................... 102
Configure SSL VPN ................................................................................................................. 106
Configure Backups ................................................................................................................... 107
Power and Reboot ................................................................................................................... 109
Diagnostics and Troubleshooting ............................................................................................. 109
Cross Site Scripting Attack Checking ................................................................................................ 112
Disable Cross Site Scripting Attack Checking .......................................................................... 112
Enable Cross Site Scripting Attack Checking .......................................................................... 113
Master Provisioning Settings ................................................................................................................... 113
Apply Global Settings ........................................................................................................................ 113
Passwords ................................................................................................................................ 114
Warnings .................................................................................................................................. 114
Applet Customization ............................................................................................................... 114
Access Methods Settings ......................................................................................................... 114

Branding ................................................................................................................................... 115
Identify Desired User Roles .............................................................................................................. 115
About Predefined Roles ........................................................................................................... 115
List of Privileges ....................................................................................................................... 115

Provision Your Server ............................................................................. 121


Provisioning Overview ............................................................................................................................. 121
Summary of Device Access Provisioning ................................................................................................ 122
Summary of Credential Manager Provisioning ........................................................................................ 124
A2A Provisioning ............................................................................................................................... 124
About Credential Manager Groups ................................................................................................... 125
Provisioning Devices ............................................................................................................................... 126
About Devices ................................................................................................................................... 127
Access to Devices .................................................................................................................... 127
Account Password Control ....................................................................................................... 129
Device Types ........................................................................................................................... 129
Grouping .................................................................................................................................. 129
Device Features ................................................................................................................................ 130
Device Types ........................................................................................................................... 130
Access Types ........................................................................................................................... 130
Credential Manager .................................................................................................................. 133
Device Discovery .............................................................................................................................. 136
Device Scan Profiles ................................................................................................................ 136
Discovery Jobs ......................................................................................................................... 138
Device Scan History ................................................................................................................. 138
Discovered Devices ................................................................................................................. 139
Device Setup ..................................................................................................................................... 140
Device Creation Prerequisites .................................................................................................. 140
Using the Device Template ...................................................................................................... 140
Alternative Navigation to Template .......................................................................................... 149
Navigate to Other Templates ................................................................................................... 150
Import and Export Devices ....................................................................................................... 150
Device Group Setup .......................................................................................................................... 152
Create/Edit a Device Group ..................................................................................................... 153
Create an AWS Device Group for Linux/UNIX Devices ........................................................... 153
Edit a Device Group from the Manage Policies Page .............................................................. 153
Device Groups fields ................................................................................................................ 154
Import LDAP Groups ................................................................................................................ 155
Device and Device Group Management ........................................................................................... 159
Device Record Updates ........................................................................................................... 159
Manage Tags ........................................................................................................................... 159

Manage Groups ....................................................................................................................... 160
Manage Services ..................................................................................................................... 160
Device viewing .................................................................................................................................. 160
Initial Unfiltered View ................................................................................................................ 161
Unfiltered Views ....................................................................................................................... 161
Filtered Views ........................................................................................................................... 161
Saved Views ............................................................................................................................ 161
About Access Setup .......................................................................................................................... 162
Access Methods ....................................................................................................................... 162
Services ................................................................................................................................... 165
Web Portal ............................................................................................................................... 173
RDP Applications ..................................................................................................................... 176
SSL VPN Services ................................................................................................................... 177
Out-of-Band Devices ................................................................................................................ 177
Set up Socket Filter Agents ............................................................................................................... 178
Socket Filter Lists ..................................................................................................................... 179
Socket Filter Agents ................................................................................................................. 179
Socket Filter Configuration ....................................................................................................... 179
Installation and Configuration Instructions ............................................................................... 179
Socket Filter Agent Installation Requirements ......................................................................... 179
Install and Configure a Socket Filter Agent on Windows ......................................................... 181
Install and Configure a UNIX Socket Filter ............................................................................... 183
Configure Support for Socket Filter Agents .............................................................................. 186
Set up Command Filters ................................................................................................................... 189
Set up Command Filter Lists (CFL) .......................................................................................... 189
Set up Command Filter Configuration (CFC) ........................................................................... 193
Set up Transparent Login .................................................................................................................. 194
SSH Connections ..................................................................................................................... 194
RDP Connections ..................................................................................................................... 197
Set Up the AWS API Proxy ............................................................................................................... 212
Provisioning Users .................................................................................................................................. 213
About Users ...................................................................................................................................... 214
User Types ............................................................................................................................... 214
Grouping .................................................................................................................................. 215
About User Roles .............................................................................................................................. 215
Role Types ............................................................................................................................... 215
User Role Cases ...................................................................................................................... 216
User Setup ........................................................................................................................................ 217
Using the Template .................................................................................................................. 217
Using CSV Import/Export ......................................................................................................... 222
Editing LDAP/RADIUS Imports ................................................................................................ 223
User Group Setup ............................................................................................................................. 224

User Group Types .................................................................................................................... 224
Local Groups ............................................................................................................................ 224
Using the Template .................................................................................................................. 225
Import an LDAP Group ............................................................................................................. 227
User / User Group management ....................................................................................................... 234
User Record Updates ............................................................................................................... 234
Approve CAC User ................................................................................................................... 235
Manage Disabled Users ........................................................................................................... 236
User viewing ...................................................................................................................................... 236
Initial View ................................................................................................................................ 236
Filtering Populated User Views ................................................................................................ 236
Provisioning Policy for Users/Devices ..................................................................................................... 236
Access Provisioning .......................................................................................................................... 237
Access Restrictions ........................................................................................................................... 237
Command Filtering ............................................................................................................................ 237
Socket Filtering ................................................................................................................................. 238
Socket Filter Lists (SFLs) ......................................................................................................... 238
Socket Filter Agents (SFAs) ..................................................................................................... 238
Socket Filter Configuration (SFC) ............................................................................................ 238
Amazon Web Services (AWS) .......................................................................................................... 239
Defining AWS Policies ............................................................................................................. 239
Specifying AWS Policies .......................................................................................................... 239
Session Recording ............................................................................................................................ 239
Set Up a Policy .................................................................................................................................. 240
Prerequisites ............................................................................................................................ 241
Policy Template ........................................................................................................................ 241
Import a CSV Policy File .......................................................................................................... 245
Set a User-Device Policy .................................................................................................................. 246
Policy inspection ............................................................................................................................... 248
View Policy ............................................................................................................................... 248
View Effective Policy ................................................................................................................ 248

Credential Manager User Interface ......................................................... 249


Set Credential Manager UI Preferences ................................................................................................. 249
Set Your Time Zone .......................................................................................................................... 249
Set a List Size ................................................................................................................................... 250
Set Your Start Page .......................................................................................................................... 250
Customize Your Dashboard .................................................................................................................... 250

Configure Credential Manager Password Policies .................................. 252

Password Composition Policies .............................................................................................................. 252
Suggested Password Composition Policies ...................................................................................... 254
Create a Password Composition Policy with the GUI ....................................................................... 254
Create a Password Composition Policy with the CLI ........................................................................ 255
Maximum Password Age .................................................................................................................. 257
Set the Maximum Age of a Target Account Password with the GUI ........................................ 257
Set the Maximum Age of a Target Account Password with the CLI ......................................... 258
Automatic Updating of Expired Passwords .............................................................................. 259
Password View Policies .......................................................................................................................... 260
Create a Password View Policy ........................................................................................................ 260
Create a Password View Policy with the GUI .......................................................................... 261
Create a Password View Policy with the CLI ........................................................................... 263
Modify the Default Password View Policy ......................................................................................... 264
Customize Reasons for Viewing Password ............................................................................. 266
Change Password on View ............................................................................................................... 266
Enable Password Verification ........................................................................................................... 266
Get Authorization to View Password ................................................................................................. 266
Make a Request to View a Password Using the GUI ............................................................... 267
Grant, Deny, or Expire a Request Using the GUI .................................................................... 268
Grant or Deny a Request Without Login .................................................................................. 270
Delete a Password View Request Using the GUI .................................................................... 271
Make a Request to View a Password Using the CLI ................................................................ 272
Grant, Deny, or Expire a Request Using the CLI ..................................................................... 274
Update the Approval or Denial Reasons for a Request Using the CLI .................................... 276
Enable One Click Approval ............................................................................................................... 276
Configure Approval Role ................................................................................................................... 277
Check Out and Check In a Password ............................................................................................... 278
Check Out a Password Using the GUI ..................................................................................... 278
View the Password Check-Out User ........................................................................................ 279
Check in a Password Using the GUI ........................................................................................ 279
Force a Password Check-In Using the GUI ............................................................................. 280
Check Out a Password Using the CLI ...................................................................................... 281
Check in a Password Using the CLI ......................................................................................... 283
Force a Password Check in Using the CLI .............................................................................. 284
Enable Email Notification .................................................................................................................. 286
Configure Email Templates ............................................................................................................... 287
Configure the Email Server ...................................................................................................... 288
Configure the Request Email ................................................................................................... 289
Configure the Request Status Email ........................................................................................ 290
Configure the Password View Email ........................................................................................ 292
Configure the Expired Password View Request Email ............................................................ 293
Configure the One Click Approval Email .................................................................................. 294

Implementing 9
Configure the Report Results Email ......................................................................................... 296
SSH Key Pair Policies ............................................................................................................................. 297

Configure Credential Manager Targets ................................................... 298


Register Target Accounts ........................................................................................................................ 298
Account Discovery ................................................................................................................................... 299
Account Discovery Prerequisites ....................................................................................................... 299
Discover Accounts ............................................................................................................................ 300
Scan Profiles ..................................................................................................................................... 300
Scan Profile Jobs .............................................................................................................................. 301
Scan Profile History ........................................................................................................................... 301
View Summary Details ............................................................................................................. 302
View Account Scan Results ..................................................................................................... 302
View Scans .............................................................................................................................. 303
Discovered Accounts ........................................................................................................................ 303
Export ....................................................................................................................................... 303
View ......................................................................................................................................... 303
Manage .................................................................................................................................... 303
Services and Scheduled Tasks ......................................................................................................... 304
SSH Key Discovery ........................................................................................................................... 304
Prerequisites ............................................................................................................................ 304
Discover Keys .......................................................................................................................... 306
Scan Profiles ............................................................................................................................ 306
Scan Profile Jobs ..................................................................................................................... 307
Scan Profile History .................................................................................................................. 307
Discovered Keys ...................................................................................................................... 308
Password Synchronization ...................................................................................................................... 310
Target Connectors ................................................................................................................................... 311
Target Connector Script Processor ......................................................................................................... 314
Add Target Applications .......................................................................................................................... 315
Add Target Accounts and Aliases ........................................................................................................... 316
Random Passwords .......................................................................................................................... 316
Synchronized Accounts ..................................................................................................................... 316
Compound Accounts ......................................................................................................................... 316
Target Aliases ................................................................................................................................... 317
Password Viewing ............................................................................................................................. 317
Password Updating ........................................................................................................................... 317
Complex Passwords with Special Characters ................................................................................... 318
Add a Target Account from the GUI ......................................................................................... 318
Add a Compound Target Account from the GUI ...................................................................... 320

Add an EC2 Access Key Target Account from the GUI ........................................................... 320
Add a Target Alias from the GUI .............................................................................................. 321
Add a Target Account from the CLI .......................................................................................... 322
Add a Compound Account from the CLI .................................................................................. 324
Register Windows Target Accounts ........................................................................................................ 327
Process for Registering Windows Proxy Target Accounts ................................................................ 327
Process for Registering Windows Domain Services Target Accounts .............................................. 328
Create a Windows Target Application ............................................................................................... 328
Create a Windows Target Account and Target Alias ........................................................................ 329
Discover Windows Domain Services and Scheduled Tasks ............................................................. 330
Prerequisites ............................................................................................................................ 330
Discover Windows Domain Service Target Account Services ................................................. 331
Discover Windows Domain Service Target Account Scheduled Tasks ................................... 332
Discover Windows Proxy Target Account Services and Scheduled Tasks ....................................... 333
Prerequisites ............................................................................................................................ 333
Discover Windows Proxy Target Account Services ................................................................. 333
Discover Windows Proxy Target Account Scheduled Tasks ................................................... 335
View Target Account Passwords ............................................................................................................. 336
View an Account Password from the GUI ......................................................................................... 336
View an Account Password from the Access Page .......................................................................... 337
View Password History from the GUI ................................................................................................ 337
Set Password History Compromised Flag from the GUI ................................................................... 337
View Target Passwords from the CLI ................................................................................................ 338
Verify Synchronized Target Account Passwords .................................................................................... 339
Schedule Target Account Activities ......................................................................................................... 342
Add Proxies ............................................................................................................................................. 343
Start or Stop a Windows Proxy ............................................................................................................... 344
Start the Windows Proxy ................................................................................................................... 344
Stop the Windows Proxy ................................................................................................................... 344
Configure a Windows Proxy to Use a Windows Domain Account ........................................................... 345
Modify the Windows Proxy Configuration File ......................................................................................... 345
View Windows Proxy Logs ...................................................................................................................... 347

Add Credential Manager Roles and Groups ........................................... 348


Credential Manager Grouping Terminology ............................................................................................ 348
User Groups and Roles in CA Privileged Access Manager and Credential Manager ....................... 349
Target and Requestor Group Filters for Dynamic Groups ................................................................. 350
Add Dynamic and Static Target Groups .................................................................................................. 352
Add a Dynamic Target Group ........................................................................................................... 353
View All Targets Belonging to an Existing Target Group .................................................................. 355

Add a Static Target Group ................................................................................................................ 356
Add Dynamic and Static Requestor Groups ............................................................................................ 356
Add Dynamic Requestor Groups ...................................................................................................... 357
View All Requestors Belonging to an Existing Requestor Group ...................................................... 359
Add a Static Requestor Group .......................................................................................................... 360
Add or Modify Roles ................................................................................................................................ 360
Modify a Preconfigured Role ............................................................................................................. 361
Add a Role ........................................................................................................................................ 362
Add User Groups ..................................................................................................................................... 363

Add and Run Credential Manager A2A Requestors ................................ 365


A2A Client Connection Security .............................................................................................................. 365
Fingerprinting .................................................................................................................................... 366
Unique Client Token .......................................................................................................................... 366
DNS ................................................................................................................................................... 366
Request Server Auto-Registration ........................................................................................................... 366
Authorization Mapping ............................................................................................................................. 366
Integrity Verification ................................................................................................................................. 367
Example Requestors ............................................................................................................................... 368
Activate or Deactivate Request Servers .................................................................................................. 370
Add Requestors ....................................................................................................................................... 370
Add Authorization Mappings ................................................................................................................... 373
View Unsuccessful Client Requests ........................................................................................................ 376
Run an Example Application ................................................................................................................... 376
Run an Example Application on a UNIX Client ................................................................................. 376
Run an Example Application on a Windows Client ........................................................................... 377
Start or Stop an A2A Client ..................................................................................................................... 377
Start the A2A Client ........................................................................................................................... 377
Stop the A2A Client ........................................................................................................................... 378
Modify the A2A Client Configuration File ................................................................................................. 378
View A2A Client Logs .............................................................................................................................. 380
Update an A2A Client Key ....................................................................................................................... 381
Refresh All A2A Client Script Hashes ..................................................................................................... 381
Check A2A Client Connection Status ...................................................................................................... 381
Configure an A2A Client to Use Another Server ..................................................................................... 383
Configure the A2A Client Multi-Home Feature ........................................................................................ 384
Multi-Home Alternate Address Restrictions ...................................................................................... 384
Multi-Home Configuration Procedure ................................................................................................ 384

Configure A2A Client Event Polling ......................................................................................................... 385

Reports .................................................................................................... 387


Report Size Limits ................................................................................................................................... 387
Available Reports .................................................................................................................................... 388
Generate Reports .................................................................................................................................... 389
Schedule Reports .................................................................................................................................... 390
Limit the Size of the Report Email Attachment .................................................................................. 391

System Properties ................................................................................... 392

Java API Example ................................................................................... 401

XML Schema for Batch Processing ......................................................... 415

CA Privileged Access Manager - 2.8

Implementing
This section covers the deployment process. It describes placement or installation of the appliance (or cluster), configuration of the appliance (or cluster), and provisioning of devices and users, including specification of custom device services, user groups, and user roles; credential management groups, applications, and accounts; and user-device policies, among other objects.
Accessing Your Appliance Server (see page 15)
Configure Your Server (see page 25)
Provision Your Server (see page 121)
Credential Manager User Interface (see page 249)
Configure Credential Manager Password Policies (see page 252)
Configure Credential Manager Targets (see page 298)
Add Credential Manager Roles and Groups (see page 348)
Add and Run Credential Manager A2A Requestors (see page 365)
Reports (see page 387)
System Properties (see page 392)
Java API Example (see page 401)
XML Schema for Batch Processing (see page 415)

17-Feb-2017 14/416

Accessing Your Appliance Server


Access to the appliance server is primarily through a browser-based UI.

The full set of options currently includes:

Network placement interfaces - During setup, configuration of network and appliance settings:

    Hardware appliance: LCD interface on the front panel

    VMware OVA appliance: Console for the VM

    AWS AMI instance appliances: N/A

    See Configure Network Connections for the Appliance (https://docops.ca.com/display/CAPAM28/Configure+Network+Connections+for+the+Appliance) and Deploy the VMware OVA Template (https://docops.ca.com/display/CAPAM28/Deploy+the+VMware+OVA+Template).

Client - Workstation (Windows, Mac, Linux) with a browser, using the latest Oracle Java JRE

    See Supported Clients (https://docops.ca.com/display/CAPAM28/Supported+Clients) for OS, browser, and Java specifications.

Client - Workstation through the CA PAM Client

    See CA PAM Client for Alternate Appliance Access (see page 15) for installation, configuration, and use descriptions and procedures.

APIs

    ExternalAPI

        See ExternalAPI (https://docops.ca.com/display/CAPAM28/ExternalAPI) for installation, configuration, and use descriptions and procedures.

    Credential Manager CLI and Credential Manager Java API for Credential Manager functions

        See Credential Manager APIs (https://docops.ca.com/display/CAPAM28/Credential+Manager+APIs) for installation, configuration, and use descriptions and procedures.

CA Privileged Access Manager Client for Alternate Appliance Access
The CA Privileged Access Manager client enables you to access the server without using a Web browser. This section describes how to prepare, install, and run a client.


Overview
Use the client to log in to CA Privileged Access Manager and perform administrator and end-user activities without a customer-installed Web browser and Oracle Java engine. The client can run any CA Privileged Access Manager connection applet and provides a complete substitute for the traditional CA Privileged Access Manager user interface.

Download the client version that is compatible with your workstation OS from the login page and install it. The JRE is downloaded with the client; CA Privileged Access Manager-served JARs are downloaded at runtime.

Configuring CA Privileged Access Manager for the CA Privileged Access Manager Client
The CA Privileged Access Manager appliance must have the 2.7 or later release installed.

Global Settings
You control how the client is used from the Client Settings panel on the administration menu Global Settings page. The following table describes the available options.

The client is available for download only while client access to CA Privileged Access Manager is enabled. Enabling only the client download check box in the following panel is not sufficient.

Option: Operating Mode
Format: Option button
Values: Enabled; Disabled (applet only). Default: Enabled
Description: Specifies whether this appliance (server) accepts and coordinates connections from a compatible client. When set to Disabled (applet only), the other widgets in this panel are also disabled.

Option: Distribution Method
Format: Option button and field
Values: Internet (CA Delivery Network) (Default); Intranet: https://address-field/ca-pam/
Description: When selected, and when the user selects a client download option from the login page, …
    Internet: … CA Privileged Access Manager attempts to deliver the client installer and modules from the (hard-coded) internet-based CA Delivery Network (CDN) location.
    Intranet: … CA Privileged Access Manager attempts to deliver the client installer and modules from a server at the designated URL (on an available network). Use this option only when CDN is chronically unavailable. If selected, also provide the FQDN or IP address of the download server in address-field. See the Reference section for more server setup instructions.

Option: Download button on Login Page
Format: Check box
Values: Enabled (checked). Default: Enabled
Description: When set to Enabled, the client download buttons on the CA Privileged Access Manager web UI login page appear.

Deploy the Client

This section describes how to obtain the appropriate CA PAM Client for a workstation and install it.

Download the CA PAM Client

Download an installer from the appliance login page on the workstation where you plan to use the Client. Point a compatible browser at CA Privileged Access Manager and, on the login page, either click Download CA PAM Client to download the client installer (CA Privileged Access Manager autoselects the correct OS version), or open the drop-down list and select a specific version for one of the four OS types. The applicable OS releases for each version are identified in the CA Privileged Access Manager 2.7 Release Notes.

Install the CA PAM Client


Run the installer file to extract and open the installer wizard. Set the installation parameters
according to the InstallAnywhere interface.

Note the following items:

License Agreement – The acceptance button is activated only after you scroll the license text to
the bottom of the panel.

Choose Install Set – Choices available:

Typical - Install the client on the local workstation

Run - Extract the installer contents to a temporary location and execute the installer

Installing... – You cannot click Previous to back up in the sequence after the installer starts
installation or has completed it.

Run the CA PAM Client


From its installed menu item or shortcut, start the client. Its initial screen allows you to specify the
address of a CA Privileged Access Manager appliance or appliance cluster VIP.

Follow these steps:

1. Open the client application.


A small window appears.


2. Enter connection parameters for your server appliance:

Address: Enter the accessible IPv4 address or an assigned FQDN. You can also add an optional
port to the address, as in: ADDRESS:PORT
If you specify a location different from the default installation location, you might encounter
unexpected behavior. We recommend against moving from default locations.

Connect Mode: Select one of the following modes:

WEB – Opens a connection to the CA Privileged Access Manager server, then opens the CA PAM
Client browser window to the UI, and closes the console.

CONNECT – Opens a connection to the CA Privileged Access Manager server and maintains a
status connection window. Optionally, the CA PAM Client browser window can be opened
from the status window.

You cannot switch the mode between WEB and CONNECT after you have connected to the
appliance – you must first return to the initial connection screen by clicking Cancel and
restarting the client.

3. Optionally, click the gear icon in the lower-left corner to configure the CA Privileged Access
Manager Client (see page 19).

4. Click Connect to initiate a connection attempt.


If a client update is required, you are notified.

Click Update to update your currently installed client to the latest version automatically. If
the update requires it, you might need to restart the client.

Following client release level confirmation, a login transition screen is displayed and then the
login interface appears.

5. Follow these steps:

a. Enter your CA Privileged Access Manager Username and Password.

b. Select your applicable Authentication Type.

c. Click Login.


6. After completing your connection:

a. If you had selected WEB, a browser window opens to the CA Privileged Access
Manager web UI.

i. If you close the browser window, you close and exit both CA Privileged Access
Manager server and client.

ii. If you Log Off, the browser window closes (you do not revert to the login page),
and you are returned to the CA PAM Client login screen.

b. If you had selected CONNECT, the client window stays open while the connection is
made. When the connection is complete, information about it is displayed in a new
screen.

i. You can use existing CA Privileged Access Manager-configured Services and
make ExternalAPI calls without launching them through the CA Privileged
Access Manager web UI.

1. The CA Privileged Access Manager administrator must provide any
needed target parameters for the service, such as its CA Privileged
Access Manager-assigned net address, to the end user.

ii. You can click the Launch Web Browser button to maintain both browser and
console windows.

1. If you close the browser window, you can Launch Web Browser later
and can return to the same web UI location. Its state is preserved.

2. If you Log Off from the web UI, the web UI window closes and the
console reverts to the CA PAM Client login screen.

iii. If you Log Off, the console reverts to the CA PAM Client login screen.

(Optional) Configure the CA PAM Client


Use the CA PAM Client Configuration Settings dialog to specify:

Proxy settings

Memory requirements

Cache settings

Certificate settings

Follow these steps:

1. Open the client application.


A small CA Privileged Access Manager window appears.


2. Click the gear icon in the lower-left corner to open the Configuration Settings window.

3. Select the corresponding labeled tab to change the following settings.

Proxy
If a proxy server to the target CA Privileged Access Manager is needed, specify one of the
following options:

Auto-detect proxy settings for this network – for a network-managed proxy

Use system proxy settings for this network – for a workstation OS-managed proxy

Manual system proxy settings for this network – to set a custom target device as the proxy

Automatic proxy configuration URL – to specify a webserver-supplied proxy

General
Specify memory requirements for CA PAM Client.

Default (Windows, Linux x86): 1200 MB

Important! Due to a bug in the 32-bit Java Runtime Environment, for Windows this value
is considered a maximum. If the value is set here to 1201 MB or greater, the client cannot
start again. In that case, in the settings.properties file at the installation root, set
memory.max=1200 or less to recover.

Default (Mac, Linux x64): 2048 MB

Cache
Specifies the client caching controls where applicable.

Enable Caching – Specifies whether to store previous versions of CA PAM Client for reverting
to an earlier version. Default = On (checked).

Current Cache Size – Specifies the total size of the cached versions of CA PAM Client. Default:
Total size of cached prior versions.

Clear Cache – Specify to remove all cached versions. (You can remove individual versions
by using the Manage button.)

Max Cache Size, MB (0 = unlimited) – Specify the maximum size of the cache by using the
slider or the field.

Cached Versions: [quantity]

Manage – Displays details for all cached versions of CA PAM Client. You can remove any or
all versions.

Certificate
From the table, specify a certificate authority (C.A.) certificate to be used. The CA PAM Client is
provided with a number of pre-installed C.A. certificates. You can add more certificates to serve
your needs.

Uninstall the CA PAM Client


Windows
To remove a Windows CA PAM Client, use the Windows Control Panel, Programs and Features
interface.

Windows / Mac / Linux


You can remove a CA PAM Client installation from its location in the file directory. At the root level of
your CA Privileged Access Manager installation is the directory:

_CA Privileged Access Manager Client_installation

Open this directory to execute the uninstallation wizard named:

Change CA PAM Client Installation

Serve CA PAM Client Installers


If you are setting up your own server to deliver CA PAM Client installers and modules, you must:

1. Set up the server file structure according to the following specifications.

2. Specify the server address in the Global Settings, Client Settings, Distribution Method,
Intranet option.

Client Server Directory Structure


If you run your own client server, the following directory structure is required to store the installer
and module files. The files are provided by CA through CDN.

ca-pam/
    install/
        linux64/
            CAPAMClientInstall_V2.6.0.bin    One or more 64-bit Linux installers
            ...
        linux86/
            CAPAMClientInstall_V2.6.0.bin    One or more 32-bit Linux installers
            ...
        mac/
            CAPAMClientInstall_V2.6.0.zip    One or more Mac OS X installers
            ...
        win/
            CAPAMClientInstall_V2.6.0.exe    One or more Windows installers
            ...
    module/
        linux64/
            runtime-1.8.0_74.zip             One 64-bit Linux Java JRE package
        linux86/
            runtime-1.8.0_74.zip             One 32-bit Linux Java JRE package
        mac/
            runtime-1.8.0_74.zip             One Mac OS X Java JRE package
        win/
            runtime-1.8.0_74.zip             One Windows Java JRE package
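To check a self-hosted distribution tree against this layout before you point the Intranet distribution setting at it, here is an added Python validator (not CA's own tooling). The file-name patterns are inferred from the names in the tree above, and the sample tree it builds is constructed for the example.

```python
"""Validate a self-hosted CA PAM Client distribution tree.

Added example, not CA's own tooling. The expected layout under ca-pam/ and
the installer/runtime file-name patterns are taken from the documented tree;
the sample tree built by check_sample() is constructed for this example.
"""
import os
import re
import tempfile

PLATFORMS = ("linux64", "linux86", "mac", "win")

# Installer file names per platform, e.g. CAPAMClientInstall_V2.6.0.bin
INSTALLER_RE = {
    "linux64": re.compile(r"^CAPAMClientInstall_V\d+\.\d+\.\d+\.bin$"),
    "linux86": re.compile(r"^CAPAMClientInstall_V\d+\.\d+\.\d+\.bin$"),
    "mac": re.compile(r"^CAPAMClientInstall_V\d+\.\d+\.\d+\.zip$"),
    "win": re.compile(r"^CAPAMClientInstall_V\d+\.\d+\.\d+\.exe$"),
}
# JRE module package, e.g. runtime-1.8.0_74.zip (exactly one per platform)
RUNTIME_RE = re.compile(r"^runtime-\d+\.\d+\.\d+_\d+\.zip$")


def validate_tree(root):
    """Return a list of problems found under root/ca-pam (empty list = OK)."""
    problems = []
    base = os.path.join(root, "ca-pam")
    if not os.path.isdir(base):
        return ["missing directory: ca-pam/"]
    for kind in ("install", "module"):
        for plat in PLATFORMS:
            rel = f"ca-pam/{kind}/{plat}/"
            d = os.path.join(base, kind, plat)
            if not os.path.isdir(d):
                problems.append(f"missing directory: {rel}")
                continue
            names = sorted(os.listdir(d))
            pat = INSTALLER_RE[plat] if kind == "install" else RUNTIME_RE
            good = [n for n in names if pat.match(n)]
            bad = [n for n in names if not pat.match(n)]
            if kind == "install" and not good:
                problems.append(f"no installer in {rel}")
            if kind == "module" and len(good) != 1:
                problems.append(
                    f"expected exactly one runtime package in {rel}, found {len(good)}")
            for n in bad:
                problems.append(f"unexpected file: {rel}{n}")
    return problems


def build_sample_tree(root, defects=False):
    """Create a constructed sample tree; with defects=True, plant two mistakes."""
    files = {
        "install/linux64": ["CAPAMClientInstall_V2.6.0.bin"],
        "install/linux86": ["CAPAMClientInstall_V2.6.0.bin"],
        "install/mac": ["CAPAMClientInstall_V2.6.0.zip"],
        "install/win": ["CAPAMClientInstall_V2.6.0.exe"],
        "module/linux64": ["runtime-1.8.0_74.zip"],
        "module/linux86": ["runtime-1.8.0_74.zip"],
        "module/mac": ["runtime-1.8.0_74.zip"],
        "module/win": ["runtime-1.8.0_74.zip"],
    }
    if defects:
        # Windows installer uploaded with the Mac extension, and a second
        # (constructed) JRE package left behind in module/mac.
        files["install/win"] = ["CAPAMClientInstall_V2.6.0.zip"]
        files["module/mac"].append("runtime-1.8.0_91.zip")
    for rel, names in files.items():
        d = os.path.join(root, "ca-pam", *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        for n in names:
            open(os.path.join(d, n), "wb").close()  # empty placeholder content


def check_sample(defects=False):
    """Build a throwaway sample tree in a temp directory and validate it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, defects)
        return validate_tree(tmp)


if __name__ == "__main__":
    print("clean tree:", check_sample() or "OK")
    for p in check_sample(defects=True):
        print("defective tree:", p)
```

Run validate_tree against the document root of your intranet server; an empty list means every platform directory holds at least one correctly named installer and exactly one runtime package.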

Blocked Ports
The CA PAM Client cannot use many well-known ports, which are listed here. TCP and UDP are not
permitted, either for incoming or outgoing communication.

1 tcpmux

7 echo

9 discard

11 systat

13 daytime

15 netstat

17 qotd

19 chargen

20 ftp data

21 ftp access

22 ssh

23 telnet

25 smtp

37 time

42 name

43 nicname

53 domain

77 priv-rjs

79 finger

87 ttylink

95 supdup

101 hostriame

102 iso-tsap

103 gppitnp

104 acr-nema

109 pop2

110 pop3

111 sunrpc

113 auth

115 sftp

117 uucp-path

119 nntp

123 NTP

135 loc-srv /epmap

139 netbios

143 imap2

179 BGP

389 ldap

465 smtp+ssl

512 print / exec

513 login

514 shell

515 printer

526 tempo

530 courier

531 chat

532 netnews

540 uucp

556 remotefs

563 nntp+ssl

587

601

636 ldap+ssl

993 ldap+ssl

995 pop3+ssl

2049 nfs

3659 apple-sasl / PasswordServer

4045 lockd

6000 X11

6665 Alternate IRC [Apple addition]

6666 Alternate IRC [Apple addition]

6667 Standard IRC [Apple addition]

6668 Alternate IRC [Apple addition]

6669 Alternate IRC [Apple addition]

Configure Your Server


Configuration of your CA Privileged Access Manager server involves the selection of appropriate
functions and the corresponding variable values.
Configuration Overview (see page 25)
GUI for Configuration and Provisioning (see page 26)
Configuration Settings (see page 27)
Master Provisioning Settings (see page 113)

Configuration Overview
CA Privileged Access Manager appliance access and licensing depend on your appliance form:

Hardware – A pre-licensed physical appliance. For configuration information, see Deploy the
Hardware Appliance (see page 25).

VMware OVA – Provided by your account representative with a link to download the OVA to your
vCenter location so that you can create a CA Privileged Access Manager VM, and a license to
activate it.

AWS AMI – Provided by your account representative with permission and an AMI number so that
you can create an instance within your AWS account, and a corresponding license to activate it.

Network context configuration:

Hardware – Use the LCD display on the left side of the front panel of the appliance. See Configure
Network Connections for the Hardware Appliance (see page 25).

VMware VM – After powering up your VM, use the VMware Console to access the same controls
as are provided by the LCD on a hardware device.

Continue setting up through the configuration interface:

Required

Date/Time – Set up your appliance to synchronize with NTP time servers

Licensing – Your appliance must be licensed for target Devices and feature use

Security – Provide a certificate; optionally, set up PKI/CAC, specify CRL, sign applets, activate
SAML use, activate API access

Optional

3rd Party – Configure connections to these optional network resources:

API Proxy access – AWS, VMware auto-activation whitelists

Authentication – LDAP, RADIUS, RSA, TACACS+

Credential management using HSMs – SafeNet or Thales

Services – Microsoft Office 365, Splunk

Virtualized environments – AWS, VMware

Network – extra network interfaces as needed

Logs – Configure CA Privileged Access Manager to direct log and session recording output to
external storage

SNMP – Set poll server, poll user, trap server

Synchronization – Set up a CA Privileged Access Manager cluster

Next Step:

Continue with Provisioning (see page 121).

GUI for Configuration and Provisioning


Root Accounts
CA Privileged Access Manager provides as defaults a 'config' account to access the Configuration
settings, and a 'super' account to access the full menu.

The "Config" Account


We recommend that you use this configuration account for initial setup. Change the password from
the default using the Change Password button in the Toolbar Menu.

As the username "config" is commonly used, consider also changing the Login Id in addition to the
Password using the Change Password menu.

The "Super" Account


CA Privileged Access Manager has an extra preconfigured user account: super. This superuser (or
root) account has global access to all accessible settings. The super account cannot be deleted.

While the super account shows up in the administration user list (Administration Menu:
Users, Manage Users), the config account does not.

Master Account Security


After you set up user accounts, an account that an administrator uses can be configured for access to
the Config menu (see the field description under Local Users). If a user is granted permission to the
Config menu, the Config button appears in the administration pages. When a Config menu item is
accessed from the administration pages, the user's current account credentials are used to log on
automatically, and any changes are audited with an individual user ID. The Config menu – presented
to the configuration professional during initial "config" account access – is used to configure the
appliance before it is provisioned to users and devices, or goes into service.
Although not functionally required, we recommend that you change the password from its default
value upon first logging in. When you log in to the administrator menu (using 'super'), you see a
yellow-panel warning message near the top of the Dashboard as long as the 'config' password
remains the default value (Figure 8, in shadow).

Initial Login
Perform Initial Administrator Login
All User accounts other than 'config' land initially at the My Info page, which provides the basic User
account settings that the user, rather than an administrator, ordinarily manages. The user must
enter a new password before leaving the page.

Configuration Settings
The Config drop-down in the Toolbar menu in the upper-right corner of the GUI window allows you
to set up your CA Privileged Access Manager appliance. Sub-menu choices vary between hardware,
AWS AMI instances, and VMware VMs.
Configure Date and Time Settings (see page 28)
Configure Network Resources (see page 29)
Authentication (see page 36)
AWS Coordination (see page 61)
Configure Your Database (see page 70)
Hardware Security Modules (HSMs) (see page 75)
Logging (see page 94)
Apply Firmware and Feature Licenses (see page 94)
Apply Feature Controls (see page 95)
Cross Site Scripting Attack Checking (see page 112)

Configure Date and Time Settings


Change the date, time, and time zone configuration to set the appliance to a new clock value.

Important! Some processes that are running, such as Sys Info and Session Recordings,
continue to use the previous clock value until the services are restarted. To ensure that all
processes become synchronized after making a time change, reboot the appliance.

Set the Date and Time


You can modify the date and time settings for the appliance. The time settings implement the
Network Time Protocol (NTP) for the appliance.

Each field in the Enter Date and Time panel is static, reflecting the clock value at the time the page
was opened. If you update the date and time manually, copy the time from a reliable source.
Alternatively, use Time Servers.

To modify the date and time settings:

1. Log in to the UI.

2. Select Config, Date/Time.

3. Enter the date and time and click Update.


After you click Update, all its current field values are copied back onto the appliance clock.

Specify Time Servers


To set the time of the appliance, specify time servers. Two public servers are provided by default.

Follow these steps:

1. To specify time servers, enter the fully qualified domain name of each time server you want to
use to obtain the current time.

2. Optionally, select the Synchronize at boot check box to synchronize the time upon startup or
a reboot of the appliance.

3. Click Save.

Configure the Use of Authenticated NTP


If you are using NTP servers to set the time clock, you can configure NTP authentication so that the
appliance can authenticate the time source.

Configure the list of NTP servers in the Authenticated NTP section of the Date/Time screen.

Follow these steps:

1. Paste the autokey obtained from each NTP server into this section.

2. Select one of the radio buttons for the security policy to indicate whether authenticated
servers are required.

3. Click Save.

The NTP Status window displays the status output from the NTP server.

Configure Network Resources


This content describes how to configure network resources for the following items:

Authentication (see page 29)

Storage (see page 32)

Hardware Security Modules (HSMs) (see page 34)

Network-Accessible Target Devices (see page 35)

Authentication
You can configure CA Privileged Access Manager to authenticate users against the following identity
sources:

Local authentication by CA Privileged Access Manager. Configure in Global Settings, and provision
through CA Privileged Access Manager local Users.

LDAP – includes Microsoft Active Directory (AD), OpenLDAP, and allows other conforming brands.
Set up in Config, 3rd Party, Add LDAP Domain panel.

LDAP+RADIUS – sequential verification from both sources. User enters credentials for both.

RADIUS – Set up server connection in Config, 3rd Party, RADIUS, and TACACS+ Configuration
panel.

RSA – Set up server connection in Config, 3rd Party, RSA Authentication Manager Configuration
panel.

SAML – Set up CA Privileged Access Manager as one or both:

IdP (Identity Provider) – Set up in Config, Security, CA Privileged Access Manager SAML IdP
Configuration. Configure more Global Settings. Import coordinated SP metadata.

SP (Service Provider) – Set up in Config, Security, CA Privileged Access Manager SAML RP
Configuration. Configure more Global Settings. Import coordinated IdP metadata.

TACACS+ – Set up server connection in Config, 3rd Party, RADIUS, and TACACS+ Configuration
panel.

Configuration settings for external authentication (except SAML) are made on Toolbar: Config, 3rd
Party page.

Third-party servers can separately be sources for user enumeration and authentication.

RADIUS Servers
Configure CA Privileged Access Manager to make queries to a RADIUS server.
When a RADIUS server is used specifically to identify users for a User Group, CA Privileged Access
Manager first attempts to match the User Group: Groupname to the designated Attribute 25.

Important! During RADIUS authentication, if CA Privileged Access Manager finds multiple
user records with the same RADIUS login name, it prevents login and deactivates all
those users. The administrator must then explicitly enable exactly one of these users. When
importing LDAP users with the authentication type RADIUS, all these LDAP RADIUS users
are deactivated when either of the following conditions exists:

If multiple LDAP users have the same RADIUS login name

If any of the LDAP user login names match an existing RADIUS user in CA Privileged
Access Manager

Note: CA Privileged Access Manager supports both PAP and CHAP authentication for
RADIUS.
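The two deactivation rules in the note above, modelled as an added Python example (not CA's own code) so an administrator can predict which records end up deactivated; the user records, login names and the whole-batch interpretation of "all these LDAP RADIUS users" are constructed for the example.

```python
"""Model of the RADIUS login-name uniqueness rules described above.

Added example, not CA's own code: it reproduces the two behaviours the note
states (authentication-time deactivation of duplicate records, and import-time
deactivation of an LDAP batch whose authentication type is RADIUS). All user
data is constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class User:
    login: str          # CA PAM login id
    radius_login: str   # login name presented to the RADIUS server
    source: str         # "local" or "ldap"
    active: bool = True


def radius_login_check(users, radius_login):
    """Authentication-time rule.

    Returns (allowed, deactivated_logins). If more than one active user record
    carries the same RADIUS login name, login is refused and all of those
    records are deactivated; the administrator must re-enable exactly one.
    """
    matches = [u for u in users if u.active and u.radius_login == radius_login]
    if len(matches) > 1:
        for u in matches:
            u.active = False
        return False, [u.login for u in matches]
    return len(matches) == 1, []


def import_ldap_radius_users(existing, batch):
    """Import-time rule for LDAP users whose authentication type is RADIUS.

    The whole batch is deactivated if two batch members share a RADIUS login
    name, or if any batch member's RADIUS login name matches an existing
    RADIUS user. Appends the batch to `existing` and returns the list of
    reasons (an empty list means the batch was imported active).
    """
    reasons = []
    dup = [n for n, c in Counter(u.radius_login for u in batch).items() if c > 1]
    if dup:
        reasons.append(f"duplicate RADIUS login names within import: {sorted(dup)}")
    taken = {u.radius_login for u in existing}
    clash = sorted({u.radius_login for u in batch if u.radius_login in taken})
    if clash:
        reasons.append(f"RADIUS login names already present: {clash}")
    if reasons:
        for u in batch:
            u.active = False
    existing.extend(batch)
    return reasons


def demo():
    """Walk through the scenarios the note describes; returns the outcomes."""
    users = [User("jsmith", "jsmith", "local"),
             User("jsmith2", "jsmith", "local")]   # two records, same RADIUS name
    allowed, deactivated = radius_login_check(users, "jsmith")
    users[0].active = True                          # admin re-enables exactly one
    allowed_after_fix, _ = radius_login_check(users, "jsmith")

    clash_batch = [User("ldap.jsmith", "jsmith", "ldap")]
    clash_reasons = import_ldap_radius_users(users, clash_batch)

    dup_batch = [User("ldap.adoe", "adoe", "ldap"), User("ldap.adoe2", "adoe", "ldap")]
    dup_reasons = import_ldap_radius_users(users, dup_batch)

    clean_batch = [User("ldap.bnguyen", "bnguyen", "ldap")]
    clean_reasons = import_ldap_radius_users(users, clean_batch)
    return {
        "first_login_allowed": allowed,
        "deactivated": deactivated,
        "login_after_fix": allowed_after_fix,
        "clash_reasons": clash_reasons,
        "dup_reasons": dup_reasons,
        "clean_reasons": clean_reasons,
        "clean_active": all(u.active for u in clean_batch),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```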

LDAP Servers
Configure LDAP or Active Directory (AD)
As an Administrator, you must have an account that is configured on the LDAP or Active Directory
Server you connect to. This account must have read access to the tree from which you want to pull
Administrators.

Follow these steps:

1. Navigate to Config, 3rd Party to display the 3rd Party screen.

2. Scroll down to the Add LDAP Domain section.

3. Enter the server details.

4. Click Add when completed.

The newly added LDAP domain appears in the LDAP Domains panel above the Add LDAP Domain
panel. Once the connection to the LDAP server has been configured, LDAP users are imported
through the Users, Manage Groups interface.

Configure Multiple LDAP Servers


You can add multiple LDAP servers for the same or different domains. Users select the correct domain
during authentication. If the primary server is unavailable, CA Privileged Access Manager connects to
any backups that are listed. All Associations and user policies are maintained after connection to the
new server.

Configure RSA SecurID


Configure CA Privileged Access Manager to make queries to RSA SecurID servers.

RSA SecurID authentication requires advance preparation by the SecurID administrator, as indicated
in Preparation / Authentication.

Use Browse to locate the sdconf.rec file, and then Upload. After the first successful user
authentication, the Node secret is populated.

RSA SecurID 800 Hybrid Authenticator


Configure CA Privileged Access Manager to allow authentication using RSA USB token.

RSA SecurID 800 authentication requires advance preparation by the SecurID administrator, as
indicated in Preparation / Authentication.

LDAP and RSA Composite Authentication


CA Privileged Access Manager allows a user at login to authenticate to CA Privileged Access Manager
against the combination of LDAP credentials paired with an RSA PIN and tokencode readout from an
RSA SecurID hardware authenticator (fob).

Use the following procedure to allow composite LDAP+RSA authentication for a CA Privileged Access
Manager user named "User123".

Follow these steps:

1. Provision both:

a. An RSA server with an account that is uniquely named "User123", and

b. An LDAP directory with a record that uniquely has the value of "User123" for a certain
LDAP attribute. You specify the name of this LDAP attribute using the Unique Attribute
field when configuring CA Privileged Access Manager communication to the LDAP
directory. (See step 2.)
For example:

i. sAMAccountName or userPrincipalName is ordinarily used for Active Directory

ii. UID is ordinarily used for OpenLDAP

2. Configure CA Privileged Access Manager to communicate with the RSA server and the LDAP
directory:

a. Upload the sdconf.rec or sdopts.rec file in: Config, 3rd Party, RSA Authentication
Manager Configuration.

b. Communicate with the LDAP directory by specifying its server and bind credentials in:
Config, 3rd Party, Add LDAP Domain. The Unique Attribute field (as described in step
1) is required.

3. Import the LDAP user record identified as "User123":

a. Use the LDAP Browser to register an LDAP user group containing the user identified by
"User123", and Select Authentication Type as "LDAP+RSA" (Figure 16).

b. After import, users in that group will have been provisioned to apply both
authentication tests when logging in.

Then, when "User123" logs in:

1. This User specifies the composite authentication scheme (Authentication Type: LDAP+RSA),
and enters credentials consisting of:

a. User name string that is matched as noted ("User123")

b. LDAP authentication credentials: Password and Domain

c. RSA authentication credentials: Passcode (PIN+Tokencode)

2. Upon login, User123 is authenticated first against the (time sensitive) RSA server, and if
successful, against the LDAP directory before being logged into CA Privileged Access Manager.
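The login sequence just described, as an added Python simulation (not CA's own code): RsaStub and LdapStub are constructed stand-ins for the RSA server and the LDAP directories, and the user, PIN, tokencode, domain names and directory entries are sample data. It shows the RSA check running first, the directory being consulted only on RSA success, and a login failing when the username does not match exactly one record on the configured Unique Attribute.

```python
"""Simulation of the LDAP+RSA composite login order described above.

Added example, not CA's own code. RsaStub and LdapStub are constructed
stand-ins for the RSA server and LDAP directory; every name, password,
PIN, tokencode and DN below is sample data.
"""


class RsaStub:
    """Stand-in for RSA Authentication Manager: accepts PIN + current tokencode."""

    def __init__(self, accounts):
        self.accounts = accounts  # name -> (pin, tokencode valid right now)

    def verify(self, name, passcode):
        rec = self.accounts.get(name)
        return rec is not None and passcode == rec[0] + rec[1]


class LdapStub:
    """Stand-in for one LDAP domain, configured with its Unique Attribute."""

    def __init__(self, domain, unique_attribute, entries):
        self.domain = domain
        self.unique_attribute = unique_attribute
        self.entries = entries        # list of dicts: "dn", "password", attributes
        self.bind_attempts = 0        # lets the example show LDAP was not consulted

    def find_unique(self, value):
        """Return the single entry whose Unique Attribute equals value, else None."""
        hits = [e for e in self.entries if e.get(self.unique_attribute) == value]
        return hits[0] if len(hits) == 1 else None

    def bind(self, dn, password):
        self.bind_attempts += 1
        return any(e["dn"] == dn and e["password"] == password for e in self.entries)


def composite_login(rsa, domains, username, domain, ldap_password, passcode):
    """Return (ok, reason) for an Authentication Type LDAP+RSA login attempt."""
    # 1. RSA first: the passcode (PIN + tokencode) is time sensitive.
    if not rsa.verify(username, passcode):
        return False, "RSA passcode rejected"
    # 2. Only then the LDAP directory for the domain the user selected.
    ldap = domains.get(domain)
    if ldap is None:
        return False, f"unknown domain {domain}"
    entry = ldap.find_unique(username)
    if entry is None:
        return False, f"no single record with {ldap.unique_attribute}={username}"
    if not ldap.bind(entry["dn"], ldap_password):
        return False, "LDAP password rejected"
    return True, f"authenticated {entry['dn']} via LDAP+RSA"


def build_fixture():
    """Constructed sample servers: one AD domain and one OpenLDAP domain."""
    rsa = RsaStub({"User123": ("2468", "135790")})
    ad = LdapStub("corp.example", "sAMAccountName", [
        {"dn": "CN=User123,OU=Staff,DC=corp,DC=example",
         "sAMAccountName": "User123", "password": "ad-pass"},
    ])
    # Two OpenLDAP entries share uid=User123, so the Unique Attribute is ambiguous.
    openldap = LdapStub("lab.example", "uid", [
        {"dn": "uid=User123,ou=eng,dc=lab,dc=example", "uid": "User123", "password": "x"},
        {"dn": "uid=User123,ou=ops,dc=lab,dc=example", "uid": "User123", "password": "y"},
    ])
    return rsa, {"corp.example": ad, "lab.example": openldap}


def demo():
    """Run the success case and three failure modes; returns the outcomes."""
    rsa, domains = build_fixture()
    results = {
        "good": composite_login(rsa, domains, "User123", "corp.example", "ad-pass", "2468135790"),
        "bad_passcode": composite_login(rsa, domains, "User123", "corp.example", "ad-pass", "2468000000"),
        "bad_ldap_pw": composite_login(rsa, domains, "User123", "corp.example", "wrong", "2468135790"),
        "ambiguous_uid": composite_login(rsa, domains, "User123", "lab.example", "x", "2468135790"),
    }
    # A rejected passcode never reaches the directory: only "good" and
    # "bad_ldap_pw" performed a bind against the AD domain.
    results["ad_bind_attempts"] = domains["corp.example"].bind_attempts
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```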

SAML on CA Privileged Access Manager as IdP


SAML authentication is provided by CA Privileged Access Manager as a SAML IdP (Identity Provider).
CA Privileged Access Manager can also act as a SAML Service Provider (SP). Configuration of either or
both is managed primarily from the Config, Security page.

For detailed configuration instructions, see SAML. (see page 41)

Storage
Logs
The Config, Logs menu provides settings for storing audit material, logs, and session recordings:

For Logs

To Specify: Storage locations; Automatic Purge schedule

To Perform: Manual Purge

For Session Recording

To Specify: On / Off; Text and Graphics media; Storage locations; Storage connection-attempt
preferences

Syslog
You can configure syslog servers to store either logs or session recordings.

Important! To ensure that all CA Privileged Access Manager components immediately
begin sending logs to syslog, do the following steps after any changes to your Syslog
Settings:

1. Click Update.

2. Reboot CA Privileged Access Manager.

External Log Server


An optional external log server can be used to store CA Privileged Access Manager logs in a MySQL®
database. The external database is accessible through the CA Privileged Access Manager
Administrator interface for viewing and reporting.

MySQL Server
The MySQL Server panel completes a specification for an external server (initiated in the External Log
Server panel) by providing access credentials for the specific server.

Session Recordings
Configure these recording settings before using CA Privileged Access Manager in production:

Session Recording – If recording to NFS/CIFS mounted directory is not already selected

NFS/CIFS Settings – To identify and provide access to (mount) a share

Session Recording Preference – to prioritize security as opposed to operational integrity

You can specify session recording for both command-line applets (using "Text based recording") and
graphical applets, either RDP (Remote Desktop Protocol) or VNC (Virtual Network Computing) (using
"Graphical Session recording").

Best Practices

We strongly recommend that both text and graphical recordings be assigned to a mounted directory
rather than syslog. The reasons for this recommendation include:

The amount of data that a session recording generates can easily overwhelm a syslog server

Writing to syslog is likely to be slower than writing to the mount

Recordings are not available for CA Privileged Access Manager playback

Syslog is a UDP protocol, so delivery is not as reliable

NFS/CIFS/S3 Settings
Create a mount for a specified NFS, CIFS, or Amazon AWS S3 location to store session recordings.
The recorded sessions can be sent to an external syslog server and written as files on a mounted
drive. Use a mounted directory to a Windows or UNIX server to ensure that the session recording is
available through the CA Privileged Access Manager administration interface.

Note: Consider the following important points when configuring S3 mounts:

Use S3 mounts only when your CA Privileged Access Manager is an Amazon Machine
Image (AMI) instance, not a hardware appliance.

S3 mounts depend on your access credentials. If you change (and Save) either your
Access Key ID or your Secret Access Key, communication with AWS is broken.
Reestablishment with AWS is attempted at the next sync time (or when you click
Refresh AWS Devices on the Manage Devices page). This reset connection results in CA
Privileged Access Manager dropping any S3 mount.
This reset connection also results in deletion of Device records for any AWS devices
that cannot be accessed when the new connection is attempted. See "Amazon Web
Services (AWS) Configuration" for more information.

Note

CA Privileged Access Manager supports SMB signing for added CIFS mount security.

Session Recording Preference


Specify whether continuous Operation or maximal Security takes priority in this context.

Hardware Security Modules (HSMs)


CA Privileged Access Manager allows you to use an HSM to manage credentials independently. The
supported models include:

SafeNet Luna SA

SafeNet Luna PCI-E

Thales nShield Connect

HSM Licensing
License your CA Privileged Access Manager instance for either SafeNet or Thales use. Contact your CA
representative or CA Privileged Access Manager Support to add this license to your CA Privileged
Access Manager installation.

Configuration
Configuration is performed on the Config, 3rd Party page. See the "HSMs" section in the CA Privileged
Access Manager Implementation Guide.

Network-Accessible Target Devices


CA Privileged Access Manager Device records that point to network-accessible local target devices
can be created:

Manually using Devices, Manage Devices templates

Batched using Devices, Import/Export Devices CSV files

Automatically using Devices, Autodiscovery

Device target information can also be imported to create Device records from:

LDAP directories:

a. Specify LDAP servers in Config, 3rd Party, Add LDAP Domain

b. Open Xceedium LDAP Browser from Devices, Manage Groups

c. Select and import LDAP groups from LDAP browser

AWS Management Console:

a. Specify access credentials as an AWS Management Console target account.

b. Specify account, and initiate Device imports, in Config, 3rd Party, Add AWS
Configuration.

VMware vCenter:

a. Specify authentication Device, User, and access credentials as a Generic application
target account

b. Specify Device/User, and initiate imports, in Config, 3rd Party, Add VMware vCenter

In each case, imported Device Groups are populated in Manage Groups, and their constituent
Devices are in Manage Devices.

Details about these configuration interfaces are provided in the Provisioning Devices (see page 126)
section.

Authentication
CA Privileged Access Manager provides for several methods of authenticating imported users:

Kerberos with PIV/CAC (see page 36)

LDAP (see page 37)

LDAP+RADIUS in Combination (see page 39)

RADIUS or TACACS+ (see page 40)

SAML (see page 41)

Kerberos with PIV/CAC


Kerberos authentication can be implemented for CA Privileged Access Manager Users with PIV/CAC
smart cards to log in to LDAP imported Windows target Devices. Configure Kerberos KDC in CA
Privileged Access Manager for an LDAP domain. Enable NLA and RDP connection capability in the
target Windows RDP server. The PIV/CAC User reauthenticates at the target using PIV/CAC
credentials. A pop-up window is presented to the User.

Prerequisites
The applicable client workstations must have the approved PIV/CAC hardware and software. Only
one smart card reader can be used for each workstation. See Supported Clients
(https://docops.ca.com/display/CAPAM28/Supported+Clients).

Network Level Authentication (NLA) must be enabled on the applicable Windows RDP server
target Devices. See Windows OS (https://docops.ca.com/display/CAPAM28/Windows+OS).

A Kerberos Key Distribution Center server (KDC) that is maintained by an LDAP domain server,
from which CA Privileged Access Manager imports Devices.

Configure Link to the KDC Server


The KDC server must be specified in the CA Privileged Access Manager LDAP configuration panel for
the linked AD server.
Follow this procedure:

1. Navigate to Config, 3rd Party, Add LDAP Domain.

2. Populate the panel as you would an ordinary LDAP server.

3. In Kerberos KDC Server, enter its IP address or FQDN.

4. In Kerberos KDC Port, enter the Kerberos port for that server (typically 88).

5. Click Update to register the LDAP server with linked KDC.

LDAP
Provisioning
Use the CA Privileged Access Manager LDAP Browser for importing LDAP users.

View Records Through AD Cross-Domain Trusts


Using the LDAP Browser, you can view the Distinguished Name (DN) for records of a foreign
Microsoft Active Directory (AD) domain from another domain that has access to it through a cross-
domain trust.
Every domain that supplies Users or Devices for import must be configured using the CA Privileged
Access Manager LDAP configuration (on the Config, 3rd Party page). After that configuration, you are
then able to use the LDAP Browser to view and import records from those domains.

Note

AD cross-domain trusts allow administrators to share accounts across AD domains. This
relationship allows a domain to "contain" users, devices, user groups, and device groups
that are foreign to it. "Foreign" means authoritatively maintained by a separate, second
domain.

1. Log in as an administrator with User management privileges (such as "super").

2. Configure CA Privileged Access Manager for access to each AD domain that is involved in the
relevant cross-domain trust.

3. Navigate to Users, Manage Groups.

4. Click Import LDAP Group to open the LDAP Browser.

5. When this browser opens, you are presented with the pop-up window choice of the cross-
domain participants (and any other LDAP domains that have been configured for CA Privileged
Access Manager use) – select one of these from the Select LDAP Domain drop-down list.

6. From the LDAP browser, select a group that contains members in this cross-domain.
Initially – without SID resolution – the browser displays SID (Security Identifier) numbers
corresponding to the entities. Members that are contained in the foreign domain are not
resolved for the external domain. They are presented relative to the current local domain.

7. To enable the cross-domain SID resolution as fully qualified DN, select Options, Enable Group
Member SID Resolution. This menu item is a switch that can be turned on or off at any time.

8. Select a different browser tree item. After it has settled, return back to the previous group.
The browser now builds its tree and Entry Attributes display by resolving the SIDs. This might
take longer than previously to perform this access and present the resolved DNs for each
record.

9. If you now select the updated menu item, Options, Disable Group Member SID Resolution,
and move back and forth between tree items, you see that the resolved members have been
cached. This cache persists while you are logged in, whether or not you are using the LDAP browser.

This resolution does not affect how groups are imported into CA Privileged Access Manager. Whether
or not the SIDs are resolved in the LDAP browser, foreign members are resolved by the LDAP browser
to create CA Privileged Access Manager Users.

Tasks

AD Password Updating Through CA Privileged Access Manager Login


When a CA Privileged Access Manager User that has been imported from AD attempts to log in
following expiration or temporary replacement of an AD password, the next screen that is presented
is the My Info page. The user then must use this page to change the password, which then silently
propagates the update to AD.

AD Provisioning
The AD account to be used by CA Privileged Access Manager for directory synchronization must have
sufficient privileges to reset the passwords of all AD users that are imported into CA Privileged Access
Manager. If this is not done, a CA Privileged Access Manager User imported from AD is not able to
change a password if it becomes invalid.

To grant the AD synchronization account minimal privileges to reset user account passwords, issue
the following command (or its GUI equivalent):

dsacls "%DOMAIN%" /I:S /G "%USERDOMAIN%\xsuiteLookup:CA;Reset Password;user"

DOMAIN is the DN (Distinguished Name) for the domain, for example: DC=exampledomain,
DC=com

USERDOMAIN is the short name for the Windows domain

xsuiteLookup is the account Username

With this command, the AD synchronization user is not granted (full) domain admin rights to the AD,
but only reset-password permissions (in addition to the "read-only" permissions).

CA Privileged Access Manager Configuration


The AD-to-CA Privileged Access Manager connection (synchronization) specification, set using Config,
3rd Party, Add LDAP Domain, must:

Be configured with the checkbox: Use TLS selected.

Use an AD account that has sufficient privileges to reset other AD users passwords (as noted in
Active Directory Provisioning).

AD Updates
Two use cases for user-activated password change are each triggered by an event in AD:

The AD administrator creates or resets the AD user password to a new (intended temporary)
value (and provides that value to the user), and the AD option: New Object - User or Reset
Password, User must change password at next logon is selected.

The AD user password expires.

When authentication is later requested from AD for that user (during login), AD requires the user to
update the password immediately.

User Experience
The User logs in using Authentication Type="LDAP" and the applicable Domain. Corresponding to
which AD event has occurred, that User provides either of:

The temporary password that the user received from the AD administrator

The recently expired user password

After either type of login, the CA Privileged Access Manager User is presented with the My Info page,
with a message that the password must be changed. After the password update (old and new
passwords) is provided:

The old and new values are silently passed on for authentication to, and updating in, the AD
server.

The User is relocated to wherever the user ordinarily lands (when no password change is
required).

The Session, Logs are updated.

Logs
Sessions, Logs has entries corresponding to the password update request and confirmation of the AD
record update.

LDAP+RADIUS in Combination
CA Privileged Access Manager allows the requirement of both an LDAP server and RADIUS server for
authentication.

Configuration
Configure CA Privileged Access Manager as you currently do for LDAP access and RADIUS
authentication, so that you have active servers available for both.

User Experience
When logging on to CA Privileged Access Manager, the user should:

1. Enter the LDAP User name and Password.

2. Select Authentication Type = LDAP+RADIUS.

The Domain and RADIUS Password fields then appear.

3. Select the applicable Domain from the drop-down list.

4. Enter the RADIUS Password for this User, and click ENTER.

You are silently logged in through both LDAP and RADIUS authentication.

RADIUS or TACACS+
As a CA Privileged Access Manager administrator, you can authenticate Users against RADIUS and
TACACS+ servers. Configure the servers in the RADIUS and TACACS+ Configuration panel on the 3rd
Party page; the corresponding Users are then imported.

As with Users imported from LDAP, RADIUS and TACACS+ users are imported as User Groups. The
Users can be refreshed manually through a link that appears on the User Group page.

Requirements
TACACS+ server product support

tac_plus

Cisco ACS 4 or 5

Configuration
To set up the connection to a RADIUS or TACACS+ server, follow these steps:

1. Go to Config, 3rd Party, RADIUS and TACACS+ Configuration panel.

2. Enter the information for your RADIUS or TACACS+ server in the Add New Server fields:

a. Server: the IPv4 address of the server.

b. Port: the server port. The IANA-registered RADIUS authentication port is 1812; some
older RADIUS servers still listen on 1645. TACACS+ servers use port 49.

c. Type: Select RADIUS or TACACS from the list box.

d. Shared Secret: the text string that authenticates this appliance to the RADIUS or
TACACS+ server. It must match the secret configured on that server for this client.

3. Click Add.
After a successful Add, a confirmation in red text appears.

4. Set the optional Timeout. Enter a number of seconds. The default is 60.

5. Click Save to update the timeout value.


SAML
CA Privileged Access Manager supports Security Assertion Markup Language (SAML) as an
authentication option. SAML is an XML-based open standard data format for exchanging
authentication and authorization data between two entities.

Two SAML roles are applicable to CA Privileged Access Manager:

Identity Provider (IdP) – Authenticator of user identity

Service Provider (SP, which acts as a SAML Relying Party, or RP) – Consumer of identity
authentication and provider of a service

CA Privileged Access Manager can operate either as an IdP or an SP in a Web Portal SSO connection
using SAML 2.0. Depending on the CA Privileged Access Manager role, certain commercial services
are available to assume the complementary role:

CA Privileged Access Manager as IdP – The entity interacting with CA Privileged Access Manager
is an RP (ordinarily, an SP).

IdP-initiated connections – The user is provided direct access to CA Privileged Access
Manager. During a user login, CA Privileged Access Manager authenticates the user. After
login, the user is able to launch a Web Portal to the SP (AWS Management Console) without
further authentication. The user then has access to the SP (AWS) facilities.

Case: AWS Management Console

SP-initiated connections – The user is provided direct access to the SP, and the SP
redirects the user to CA Privileged Access Manager for authentication. After the user is
successfully authenticated, the user is redirected back to the SP Web Portal post-login landing
page.

Case: Google Apps

CA Privileged Access Manager as SP – The entity interacting with this CA Privileged Access
Manager is an IdP.

SP-initiated connections

Case: CA Privileged Access Manager (a second CA Privileged Access Manager acts here as
the IdP)

Act as an Identity Provider (IdP) (see page 41)
Act as a Service Provider (SP) (see page 52)

Act as an Identity Provider (IdP)


CA Privileged Access Manager can be configured as the Identity Provider (IdP) that provides
authentication services to a Relying Party (RP). In our cases, the RP is a Service Provider (SP).
Assertions are delivered through the HTTP POST binding, the mechanism by which the IdP passes a
SAML assertion to the RP.


Administrator Tasks
Configure Global Settings
User Authentication Method Inheritance

When the Authentication method for a User Group is set to "SAML", that setting can be forced on
all User members of the group, regardless of their individual Authentication settings. To
enforce this, select Global Settings, SAML, Require Inherited SAML Auth. This setting is selected
by default.
IdP Session Reauthorization Period

To change how long a SAML session with the CA Privileged Access Manager IdP remains open (the
period during which the IdP issues further SAML authentications without asking for credentials
again), edit the Global Settings, SAML: SAML Reauth Period setting. The preconfigured default
is 60 minutes. A longer period is more convenient for users but also lengthens the window in
which a hijacked browser session can obtain assertions for any connected SP.
Configure CA Privileged Access Manager IdP Certificate

You must have an SSL certificate for your FQDN properly prepared and applied to your CA Privileged
Access Manager:

1. Create a CSR and private key in Config, Security.

2. Use the CSR to obtain a certificate, CA chain, and CRL from your applicable Certificate
Authority.

3. Upload these files in Config, Security, then apply Set Certificate.

Configure IdP-SP Communication


Example A: Using SAML Metadata (AWS Management Console)

Apply CA Privileged Access Manager IdP metadata to AWS SP.

To prepare and download an IdP metadata file from CA Privileged Access Manager, follow these
steps:

1. Log in to CA Privileged Access Manager as a Configuration Administrator.

2. Navigate to Config, Security, Set SAML IdP Certificate.

3. Populate the IdP Metadata settings (and update them after any change of the CA
Privileged Access Manager appliance hostname or of the certificate) as follows:

a. In Entity ID, assign a name that identifies this CA Privileged Access Manager in
this SAML ecosystem.
This ID is included in the metadata file. The IdP includes it in the assertions that it
generates, to identify itself.

b. In Fully Qualified Hostname, enter the value used for this CA Privileged Access
Manager, such as: xsuite.example.com

c. From the drop-down list to the right of IdP Certificate, select the certificate and key
you are currently using for CA Privileged Access Manager.

d. Click Update IdP Metadata to apply the current certificate, hostname, and your
assigned ID.
You receive a red confirmation message at the top of the page.

4. Click Download IdP Metadata to save the CA Privileged Access Manager-specific "idp-
metadata.xml" file locally.

"idp-metadata.xml" is a CA Privileged Access Manager configuration file that describes the SAML
services supported by the IdP. The file also contains the information an SP needs to send
authentication requests to the CA Privileged Access Manager IdP, the certificate (public key)
against which SPs verify the assertions that CA Privileged Access Manager signs, and the FQDN
(or IP) of your CA Privileged Access Manager. Therefore, any time the FQDN or the certificate
is changed, the IdP metadata must be updated, downloaded, and uploaded to every SP; an SP that
still holds the old metadata cannot verify the new signatures.

Upon changing your hostname, click Accept IdP Certificate in that panel and re-download the CA
Privileged Access Manager SAML metadata file. Ensure that each service provider is provided with
the new CA Privileged Access Manager SAML metadata file.
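The staleness rule above can be checked mechanically before a metadata file is handed to an SP. The following Python script is an added example and is not part of CA Privileged Access Manager or its documentation: it parses an idp-metadata.xml, compares the host in its SingleSignOnService endpoint with the appliance FQDN and the SHA-256 fingerprint of its signing certificate with the certificate you applied in Config, Security, and wraps the metadata certificate as a PEM file for SPs that ask for one. The sample metadata, its entity ID and the certificate bytes are constructed placeholders (the base64 is not a real X.509 certificate); the Redirect SSO endpoint path is the one shown for Google later in this section.

```python
"""Detect a stale idp-metadata.xml before handing it to an SP. Added example,
not CA product code; the metadata, entity ID and certificate bytes below are
constructed placeholders (the base64 is not a real X.509 certificate)."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Placeholder "DER" bytes standing in for the certificate currently applied in Config, Security,
# and for a rotated one; a real check would read the PEM you uploaded to the appliance.
_FAKE_DER = b"constructed placeholder, not DER-encoded X.509 " * 4
CURRENT_CERT_B64 = base64.b64encode(_FAKE_DER).decode()
ROTATED_CERT_B64 = base64.b64encode(_FAKE_DER.replace(b"not", b"new")).decode()

SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="capam-idp-example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://xsuite.example.com/idp/profile/SAML2/Redirect/SSO/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % CURRENT_CERT_B64


def to_pem(cert_b64: str) -> str:
    """Wrap the bare base64 from the metadata as a PEM certificate file."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % textwrap.fill(
        "".join(cert_b64.split()), 64)


def fingerprint(cert_text: str) -> str:
    """SHA-256 over the decoded DER bytes; accepts bare base64 or a PEM block."""
    body = "".join(line for line in cert_text.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def check_idp_metadata(xml_text: str, expected_fqdn: str, applied_cert_pem: str) -> list:
    """Return a list of problems; an empty list means the file still matches the appliance."""
    problems = []
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no md:IDPSSODescriptor: this is not IdP metadata"]
    # Every SSO endpoint must point at the appliance's current FQDN.
    hosts = {urlparse(e.get("Location", "")).hostname for e in idp.findall("md:SingleSignOnService", NS)}
    if hosts != {expected_fqdn.lower()}:
        problems.append("SSO endpoints point at %s but the appliance hostname is %s"
                        % (sorted(h for h in hosts if h), expected_fqdn))
    # The signing certificate in the file must be the one the appliance signs with now.
    digests = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and cert is not None and cert.text:
            digests.add(fingerprint(cert.text))
    if not digests:
        problems.append("no signing certificate in metadata")
    elif fingerprint(applied_cert_pem) not in digests:
        problems.append("metadata signing certificate does not match the applied certificate")
    return problems


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_IDP_METADATA, "xsuite.example.com", to_pem(CURRENT_CERT_B64)))
    print(check_idp_metadata(SAMPLE_IDP_METADATA, "xsuite.example.com", to_pem(ROTATED_CERT_B64)))
```

Run it against the file you actually downloaded and the PEM you actually applied; an empty list means the SPs that hold this file still trust the right key and contact the right host.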

After obtaining the metadata that defines the IdP (CA Privileged Access Manager SAML
authentication function), you upload it to the SP (AWS Management Console).

Case Procedure: AWS. Put IdP metadata on SP.

Caution
The procedure in this section describes a product that is independent of CA Technologies. It
is provided only as an example. You might encounter different features or appearance.

1. Log in to the AWS Management Console site (https://console.aws.amazon.com).

2. Navigate to Services, IAM, Identity Providers.

3. Click Create Provider.

a. In Provider Type, select "SAML".

b. In Provider Name, enter a handle to identify your CA Privileged Access Manager as
IdP.

c. In Metadata Document, locate the metadata file that you downloaded earlier from CA
Privileged Access Manager. This gives AWS the information it needs to recognize the
CA Privileged Access Manager IdP and verify the assertions it signs.

d. Click Next Step at the bottom right.
You are then asked to confirm.

e. Click Create.

4. In the left menu, select Roles.

5. Click Create New Role.
A Create Role shadow window opens.

a. Enter a Role Name, and click Next Step.
You see a new screen labeled Select Role Type.

i. Select the third listed category, labeled Role for Identity Provider Access.

ii. To the right of Grant Web Single Sign-On (WebSSO) access to SAML providers,
click Select.
You see a new screen with the first paragraph beginning "Select the SAML
provider …"

b. From the drop-down list, select the SAML provider that you created during the
previous steps (here, Xsuite_IdP), then click Next Step.
You are in the Verify Role Trust screen. In our example, you do not need to edit the
Verify Role Trust: Policy Document. Click Next Step.

c. You see an Attach Policy screen.

i. To keep your configuration simple, we recommend that you use one of the pre-built
templates listed under Select Policy Template. For example, scroll down that
section to find Amazon EC2 Read Only Access. Choose the least privilege the
federated users actually need; every user who assumes this role receives all of its
permissions. (If you are testing on a public EC2 instance, do not let others log in
to your box.)

ii. Click Next Step. You see a new screen labeled Review for your confirmation.

d. Click Create Role. The shadow window disappears, and your new role appears in the
roles list.

Your AWS account is now configured to use CA Privileged Access Manager as its IdP using SAML.
Apply AWS SP Metadata to CA Privileged Access Manager IdP

As an SP, AWS publishes a SAML metadata file that defines how an IdP communicates with it. The
file also lists the attributes that AWS expects in a successful IdP authentication response.
AWS uses the concept of roles for authorization, so it needs the IdP SAML response to contain the
role data of the user being authenticated. The role attribute is defined in the AWS SAML metadata.
Case Procedure: AWS

Caution
The procedure in this section describes a product that is independent of CA Technologies. It
is provided only as an example. You might encounter different features or appearance.

The AWS SAML metadata file is available at:
https://signin.aws.amazon.com/static/saml-metadata.xml

Procedure
After obtaining the AWS (SP) metadata file, import it into CA Privileged Access Manager so that a
conforming Service configuration can be prepared for communicating with the SP (Target Device).

1. Log in to CA Privileged Access Manager as a Configuration Administrator.

2. Select Services, Import SAML 2 SP Metadata.

3. Browse to the SAML metadata file you previously downloaded from your SP, then click Import
SAML 2.0 SP Metadata.
Following this upload, you find:

a. A confirmation message at the bottom of the import page

b. A new Service of Protocol Web Portal with a Service Name matching the "entityID" of
the SP as identified in the "md:EntityDescriptor" element of the metadata file. In our
AWS example, this is the new Service: AWS Management Console Single Sign-On

c. A new Device with an Address containing the web location (host) of the Assertion
Consumer Service for the SP.

4. Navigate to Services, TCP/UDP Services, locate the new service, and open it.

5. In the SAML SSO panel, for Initiating Party, select IdP Initiated.
Note: This option is not part of SAML 2.0 metadata.

6. In the SAML SSO panel, clear the Require Signed Authn Requests checkbox if it is selected.
Note: This option might be selected by default. We do not want a Relying Party to determine
IdP (CA Privileged Access Manager) security parameters unilaterally. For an IdP-initiated
Service no AuthnRequest from the SP is involved, so the setting does not affect that flow.

SAML SSO Web Portal Service: SAML-related Fields

Panel: Service
  Name, Local IP, Ports: Required fields for all types of Services.

Panel: Administration
  Application Protocol: Select "Web Portal".
  Auto-Login Method: Select "SAML 2.0 SSO POST".

Panel: Web Portal
  Assertion Consumer Service URL: (1) the CA Privileged Access Manager Web Portal URL root,
  followed by (2) the path taken from the SP metadata:
    <md:EntityDescriptor … >
      <md:SPSSODescriptor … >
        <md:AssertionConsumerService Location=" locationAddress " … >
  Example:
    CA Privileged Access Manager Web Portal URL root template: https://<Local IP>:<First Port>/
    ACS Location: https://xsuiteAsSp.example.com/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp
    (1)+(2): https://<Local IP>:<First Port>/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp
  Route Through CA Privileged Access Manager: When selected, this option directs all traffic
  through CA Privileged Access Manager. When this option is not selected, traffic goes directly
  from the client workstation to the web service. Default: [selected]

Panel: SAML SSO Info
  SAML Entity ID: Required field, taken from:
    <md:EntityDescriptor … entityID=" entityIdName " … >
  Example: ABCserver123
  Initiating Party:
    SP Initiated (default) – The actor or user logs in to the Service Provider (SP, acting as
    the Relying Party, RP) and requests a Service. The SP sends a SAML authentication request
    to the Identity Provider (IdP) to obtain a SAML Assertion, on which the SP bases its
    service access decision. (SAML 2.0 only)
    IdP Initiated – The actor or user logs in to the IdP to initiate the connection to, and
    obtain a SAML Assertion for, a Service at an SP.
  Require Signed Authn Requests: When selected, authentication requests from the SP must be
  signed, and the signature is verified against the PEM Signing Certificate. Default: [selected]
  PEM Signing Certificate: The SP's signing certificate, taken from:
    <md:EntityDescriptor … >
      <md:SPSSODescriptor … >
        <md:KeyDescriptor use="signing" … >
          <ds:KeyInfo … >
            <ds:X509Data> <ds:X509Certificate> encodedContent </ds:X509Certificate>
  Example:
    MIIGhzCCBG+gAwIBAgIKYQrABAAAAAAAajANBgkqhkiG9w0BABGMRMwEQYK
    ...
    0VyUrN0fafQmeuYITYzUoOt88LFClepqhrjn2s0AVoBLxcnmuemkw7nfgw==
  Encryption: None (default) – Do not use encryption; NameId; or Assertion.
  PEM Encryption Certificate: If Encryption="NameId" or "Assertion", the SP's encryption
  certificate, taken from:
    <md:EntityDescriptor … >
      <md:SPSSODescriptor … >
        <md:KeyDescriptor use="encryption" … >
          <ds:KeyInfo … >
            <ds:X509Data> <ds:X509Certificate> encodedContent </ds:X509Certificate>
  Example:
    MIIGhzCCBG+gAwIBAgIKYQrABAAAAAAAajANBgkqhkiG9w0BABGMRMwEQYK
    ...
    0VyUrN0fafQmeuYITYzUoOt88LFClepqhrjn2s0AVoBLxcnmuemkw7nfgw==

Panel: SAML SSO Subject Name Identifier Formats
  Select which of the five URI-based Name Identifier Formats currently permitted by CA
  Privileged Access Manager are to be used by the SP, from:
    <md:EntityDescriptor … >
      <md:SPSSODescriptor … >
        <md:NameIDFormat> NameIDFormat </md:NameIDFormat>
  urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
  urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Panel: SAML SSO Attributes
  Click the + (under Name) to open an Attribute line item with the following fields. To delete
  an item, click the X that appears to the left of the line when you mouse over it.
  Name: Taken from:
    <md:EntityDescriptor … >
      <md:SPSSODescriptor … >
        <md:AttributeConsumingService … >
          <md:RequestedAttribute Name=" nameOfAttribute " … />
  Friendly Name: Assign a recognizable name or tag for CA Privileged Access Manager use. (When
  not provided by the imported SP metadata, Name is used.)
  Required: Select if the SP requires this Attribute.
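To see the mapping in the table above applied to a real file, here is an added Python example (not CA product code) that extracts from SP metadata the values the Service and Device need and applies two checks the table implies: the SP must publish an HTTP-POST Assertion Consumer Service (the Auto-Login Method is SAML 2.0 SSO POST), and the SP's NameID formats are filtered to the five that CA Privileged Access Manager permits. SAMPLE_SP_METADATA is constructed for the example: its entityID, hosts, attribute names and certificate text are placeholders, not any real SP's metadata, and the Local IP and port in the usage call are arbitrary example values.

```python
"""Extract the Service and Device values a SAML SSO Web Portal Service needs
from SP metadata. Added example, not CA product code; SAMPLE_SP_METADATA is a
constructed placeholder document, not any real SP's metadata."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# The five Name Identifier Formats the table lists as permitted by CA PAM.
PERMITTED_NAME_ID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:sp:console">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-constructed-placeholder-not-a-real-certificate</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.example.com/saml"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName>Example Console Single Sign-On</md:ServiceName>
      <md:RequestedAttribute isRequired="true" FriendlyName="RoleEntitlement"
          Name="https://sp.example.com/SAML/Attributes/Role"/>
      <md:RequestedAttribute isRequired="true" FriendlyName="RoleSessionName"
          Name="https://sp.example.com/SAML/Attributes/RoleSessionName"/>
      <md:RequestedAttribute Name="https://sp.example.com/SAML/Attributes/Department"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the Service/Device field values, or raise ValueError if unusable."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor: this file does not describe an SP")
    # Auto-Login Method is "SAML 2.0 SSO POST", so only an HTTP-POST ACS is usable.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS) if e.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("SP publishes no HTTP-POST AssertionConsumerService")
    chosen = next((e for e in acs if e.get("isDefault") == "true"), acs[0])
    location = urlparse(chosen.get("Location", ""))
    if location.scheme != "https" or not location.hostname:
        raise ValueError("ACS Location must be an https URL with a host: %r" % chosen.get("Location"))
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # A KeyDescriptor without 'use' is valid for both signing and encryption.
            for use in (kd.get("use") or "signing encryption").split():
                certs.setdefault(use, "".join(cert.text.split()))
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    attributes = [
        {"name": ra.get("Name"),
         "friendly_name": ra.get("FriendlyName") or ra.get("Name"),  # falls back to Name
         "required": ra.get("isRequired") == "true"}
        for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
    ]
    return {
        "service_name": root.get("entityID"),        # Service Name = SP entityID
        "entity_id": root.get("entityID"),           # SAML Entity ID field
        "device_address": location.hostname,         # Device Address = ACS host
        "acs_path": location.path or "/",            # part (2) of the ACS URL
        "signing_cert": certs.get("signing"),        # PEM Signing Certificate
        "encryption_cert": certs.get("encryption"),  # PEM Encryption Certificate
        "name_id_formats": [f for f in formats if f in PERMITTED_NAME_ID_FORMATS],
        "unsupported_name_id_formats": [f for f in formats if f not in PERMITTED_NAME_ID_FORMATS],
        "attributes": attributes,
    }


def pam_acs_url(local_ip: str, first_port: int, acs_path: str) -> str:
    """(1)+(2) from the table: the Web Portal URL root plus the SP's ACS path."""
    return "https://%s:%d%s" % (local_ip, first_port, acs_path)


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(info["service_name"], info["device_address"], pam_acs_url("127.0.0.5", 4430, info["acs_path"]))
    print([a["friendly_name"] for a in info["attributes"] if a["required"]])
```

Feeding it a file with no SPSSODescriptor (for example an IdP's metadata uploaded by mistake) raises ValueError rather than producing an empty Service, which is the failure a practitioner most often hits at this step.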

Example B: Using Means Other Than Metadata Files (Google Apps)

You can work with an SP that does not provide SP metadata for your use or does not ingest your
IdP metadata. Google is a popular service that does not use metadata for either purpose.
Apply CA Privileged Access Manager IdP Certificate to Google SP

Upload the CA Privileged Access Manager IdP certificate (the public certificate only, never the
private key) to Google, and configure Google to redirect to your CA Privileged Access Manager.

Note
The procedure in this section describes a product that is independent of CA Technologies. It
is provided only as an example. You might encounter different features or appearance.

Case Procedure: Google SAML SSO

1. Log in to the Google administration site: https://admin.google.com/a/

2. At the bottom of the screen, click More Controls, then click Security.

3. Select Advanced Settings and select Set up single sign-on (SSO).

4. On the newly loaded page click Enable Single Sign-on.

5. In the Sign-in page URL, put the following URL with your CA Privileged Access Manager
address.
https://YOUR_CAPAM_IP_OR_HOSTNAME/idp/profile/SAML2/Redirect/SSO/

6. In this pilot release, we do not currently support Single Sign-Out. You can input the following
URL into the Sign-out page URL field as a placeholder:
https://YOUR_CAPAM_IP_OR_HOSTNAME/

7. In this pilot release, we do not currently support changing passwords. You can input the
logout URL from the previous step into Change password URL as a temporary placeholder.
https://YOUR_CAPAM_IP_OR_HOSTNAME/

8. In Verification certificate, upload the certificate that the CA Privileged Access Manager IdP
uses. This certificate can be downloaded from CA Privileged Access Manager through the Config,
Security, Download Certificate or CSR panel, or copied from the CA Privileged Access Manager
IdP metadata file. Either can be provided here; upload the certificate only, not the private key.

9. Click SAVE CHANGES.

Manually Configure CA Privileged Access Manager IdP to Accept Google SP

You can set up the SAML SSO Service even when the SP provides no metadata file, as is the case
for Google. Build the CA Privileged Access Manager Service definition from documentation provided
elsewhere by the SP organization and trusted third parties. For Google, examples of supporting
documentation are provided in the links embedded in the procedure.

With this information, create a metadata file yourself and import it to create the Service, or edit a
Service template. Template editing is described in the following procedure.

Create a CA Privileged Access Manager IdP Service for the Google SSO SAML feature.

Procedure

1. Review the overview SAML SSO documentation provided by the SP organization, Google:
https://developers.google.com/google-apps/sso/saml_reference_implementation

2. Navigate to Services, TCP/UDP Services.

3. Click Create TCP/UDP Service to open a new Service template.

4. In the Basic Info panel:

a. The Service Name must match the SAML entityID of the SP. See the SP documentation
to determine the entityID of the SP.
Google reference for the entityID:
https://developers.google.com/google-apps/help/faq/saml-sso#recipient

b. Enter the Service a Local IP address and the Port(s) (for example, 127.0.0.5 and a
mapping of 443:4430).

5. In the Administration panel:

a. For Application Protocol, select "Web Portal". This action updates the Service
template widgets to those required for a Web Portal.
The Auto-Login Method drop-down list appears in the lower-left corner of the panel.

b. For the Auto-Login Method, select "SAML 2.0 SSO POST", because this is the only
version that Google accepts.
Google reference for the SAML version:
https://developers.google.com/google-apps/help/faq/saml-sso#samlversion
This action further updates the Service template widgets to those required for a SAML
SP.

6. In the Web Portal panel:

a. In Assertion Consumer Service URL, enter:
https://<Local IP>:<First Port>/a/YOUR_GOOGLE_DOMAIN/acs
"YOUR_GOOGLE_DOMAIN" is the domain that you have assigned for your Google
(such as calendar, documents, or email) services. The path is the location at which
the SP consumes SAML assertions; your SP provides this location.
Google reference for the Assertion Consumer Service URL:
https://developers.google.com/google-apps/help/faq/saml-sso#recipient

b. For the other widgets, you can use the default values.

7. In the SAML SSO Info panel:

a. In the SAML Entity ID field, enter:
google.com
Google reference for the entityID:
https://developers.google.com/google-apps/help/articles/shibboleth2.0#addgooglemetadata

b. For the Initiating Party drop-down list, select whether you want it to be "IdP Initiated"
or "SP initiated". The SP documentation specifies whether it requires IdP initiated or
SP initiated SAML. For Google, use the default value "SP initiated".

c. Clear the Require Signed Authn Requests checkbox.

d. For Encryption, select "None", as Google Apps does not support encrypted assertions.

e. In the PEM Signing Certificate field, paste the base64-encoded X.509 certificate with
which the SP signs its SAML requests, if the SP signs them.

f. If Encryption "NameId" or "Assertion" was selected, in the PEM Encryption Certificate
field paste the base64-encoded X.509 certificate (the SP's public key) used to encrypt the
NameID or the assertion. Google Apps uses Encryption "None", so this field stays empty.

8. In the panel SAML SSO Subject Name Identifier Formats, select the checkbox to the left of:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

9. Click Save.

Create IdP Device Hosting the IdP Service

Create a corresponding CA Privileged Access Manager Device that hosts the Assertion Consumer
Service (the CA Privileged Access Manager Service labeled "Google") you created.

The Device Address is the FQDN of the server hosting the Assertion Consumer Service, extracted
from the SAML Assertion Consumer Service URL. For Google, that URL has the form:
https://www.google.com/a/YOUR_GOOGLE_DOMAIN/acs
So the Device Address that is provisioned in CA Privileged Access Manager is:
www.google.com

The Device Services include the Web Portal SAML SSO Service you prepared, namely:
Google
Create IdP User Matching the SP User

Create a CA Privileged Access Manager User with a Username matching a (nonprimary account)
Google User Name that is used for login.
Provision SSO Access Policy

To activate the connection Service for a particular User, first enable a policy for that User and target
Device (SP).
To AWS Management Console

Procedure

1. Create a policy for a User with the SAML SP target Device, "signin.aws.amazon.com".

2. Select the corresponding SP communication Service, "AWS Management Console Single Sign-
On".
The three SAML attributes that are required (as specified in the Service definition) are
prepopulated:

a. Subject Name Identifier – always required for SAML, as indicated in the associated
Service definition

b. RoleEntitlement

c. RoleSessionName

The following steps revise the SAML attributes identified by the Service from the SP metadata
to deliver values that are accepted by AWS (instead of values stored elsew
here in CA Privileged Access Manager), as specified in the Amazon documentation at:
http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html#configuring-saml-response

3. In the SAML panel, in the attribute group for SAML Requested Attribute=
"RoleSessionName", for xAttribute, assign a label. You can use any identifier; for example,
"Email".

4. In the SAML panel, in the attribute group for SAML Requested Attribute= "RoleEntitlement",
for xAttribute, select "Constant", and assign as its content (in the field to the right) the
AWS ARNs of the IAM Role and of the Identity Provider, in that order, joined by a comma.
Example:
arn:aws:iam::123456789012:role/MyAWSroleForMyIDP,arn:aws:iam::123456789012:saml-provider/AWSstoredMetadataForMyIDP
The Service assignment now appears.

5. Select Save.
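The comma-joined ARN pair in step 4 is what AWS parses to decide which role the user may assume, and a transposed, mismatched or whitespace-padded value is rejected. The following Python example, added here and not CA product code, validates such a constant and builds the AttributeStatement that carries it together with RoleSessionName. The full AWS attribute names and the RoleSessionName limits (2 to 64 characters from the set A-Za-z0-9+=,.@-) are assumptions taken from the AWS documentation linked above; the ARNs are the page's own example values.

```python
"""Validate the constant assigned to the AWS RoleEntitlement attribute and build
the AttributeStatement that carries it. Added example, not CA product code; the
attribute names and RoleSessionName limits are assumptions taken from the AWS
documentation linked above, and the ARNs are the page's own example values."""
import re
import xml.etree.ElementTree as ET

AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# A comma inside a name would collide with the separator, so names may not contain one here.
_ARN = re.compile(r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):"
                  r"(?P<kind>role|saml-provider)/(?P<name>[A-Za-z0-9+=.@_/-]+)$")
_SESSION_NAME = re.compile(r"^[A-Za-z0-9+=,.@-]{2,64}$")   # assumed AWS limit


def parse_role_entitlement(value: str) -> dict:
    """Split and validate "<role ARN>,<saml-provider ARN>"; ValueError states the defect."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("expected exactly one comma separating two ARNs")
    matches = [_ARN.match(p) for p in parts]
    for part, match in zip(parts, matches):
        if match is None:
            raise ValueError("not an IAM role or saml-provider ARN: %r" % part)
    role, provider = matches
    if role["kind"] != "role" or provider["kind"] != "saml-provider":
        raise ValueError("order must be the role ARN first, then the saml-provider ARN")
    if (role["account"], role["partition"]) != (provider["account"], provider["partition"]):
        raise ValueError("role and SAML provider must be in the same account and partition")
    return {"account": role["account"], "role_name": role["name"],
            "provider_name": provider["name"], "value": parts[0] + "," + parts[1]}


def build_aws_attribute_statement(role_entitlement: str, role_session_name: str) -> str:
    """Return the saml:AttributeStatement XML carrying the two AWS attributes."""
    entitlement = parse_role_entitlement(role_entitlement)
    if not _SESSION_NAME.match(role_session_name):
        raise ValueError("RoleSessionName must be 2-64 characters of [A-Za-z0-9+=,.@-]")
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element("{%s}AttributeStatement" % SAML_NS)
    for name, val in ((AWS_ROLE_ATTR, entitlement["value"]), (AWS_SESSION_ATTR, role_session_name)):
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML_NS, Name=name)
        ET.SubElement(attr, "{%s}AttributeValue" % SAML_NS).text = val
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    example = ("arn:aws:iam::123456789012:role/MyAWSroleForMyIDP,"
               "arn:aws:iam::123456789012:saml-provider/AWSstoredMetadataForMyIDP")
    print(parse_role_entitlement(example))
    print(build_aws_attribute_statement(example, "alice@example.com"))
```

The normalized "value" returned by parse_role_entitlement is what belongs in the Constant field; run the check before pasting, because the policy editor accepts any string.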

To Google Apps

Procedure

1. Create a policy for a User with the SAML SP target Device, "www.google.com".

2. Select the corresponding SP communication Service, "GoogleApps".


The SAML attributes that are required (as specified in the Service definition) are
prepopulated. Here, this includes only:
Subject Name Identifier – always required for SAML, as indicated in the associated Service
definition

3. In the drop-down list for SAML Name Identifier Format, select the (one) available item, "urn:
oasis:names:tc:SAML:1.1:nameid-format:unspecified".
The xAttribute widget then appears.

4. In the drop-down list for xAttribute, select "Email".

5. Save the policy.


This User can now use SAML for SSO access to this Web Portal.

User Experience
When a user attempts to connect to the SP, the access procedure depends on the type of connection.
If the user navigates explicitly through an IdP gateway portal, the connection is IdP-initiated.
If it is SP-initiated, authentication with the IdP occurs behind the scenes.

For example, here the Access page provides only a link to the AWS Management Console, not to Google.
This is because Google access is SP-initiated: the User starts by logging in to Google, and only
then is asked to submit credentials to CA Privileged Access Manager.
IdP-initiated Connection Example A: AWS Management Console

In a CA Privileged Access Manager IdP-initiated connection, you initiate access to the SP from the CA
Privileged Access Manager Access page.

1. Navigate your browser to your CA Privileged Access Manager access URL.

2. Enter your CA Privileged Access Manager credentials, and click Enter.

3. After the CA Privileged Access Manager Access page has loaded, click the AWS service "AWS
Management Console Single Sign-On" to be signed in silently to the AWS Management Console.

SP-Initiated Connection (SAML 2.0 Only) Example B: Google Apps

If you configured the Service record for SP-initiated communication, you initiate the connection
at the SP. Alternatively, you can create another Web Portal Service that launches the user into
the SP web portal.

You have been provided the access URL by the SP (Google).

Case Procedure: Google

Caution
The procedure in this section describes a product that is independent of CA Technologies. It
is provided only as an example. You might encounter different features or appearance.

1. Navigate your browser to your SP-designated access URL; for Google, of the form:
https://accounts.google.com/a/

2. Enter your user credentials

3. After brief initial processing, you see a prompt.
After you complete the prompt, the SP redirects you to the CA Privileged Access Manager
address. If you are not already authenticated to CA Privileged Access Manager, you are
presented with the CA Privileged Access Manager login page.

4. Enter your CA Privileged Access Manager credentials, and click Enter.
Following IdP (CA Privileged Access Manager) authentication, a new window or tab is opened.
You are logged in to the target SP at your landing page in that window or tab. If you access
another Google application, you can reuse your existing CA Privileged Access Manager session
for SSO (within the SAML Reauth Period). You do not need to reauthenticate.

Act as a Service Provider (SP)


CA Privileged Access Manager can be configured as a Service Provider (SP): the consumer of identity
authentication and provider of a service. An SP is a Relying Party (RP); in our use cases, the RP
is always an SP.


Administrator Tasks
The CA Privileged Access Manager administrator:

Confirms the default SAML settings for all Users, or reconfigures them, in Global Settings (see page
53)

Confirms or updates the CA Privileged Access Manager certificate (see page 53) so that it is
sufficient for SP use

Configures SAML communication (see page 53) between the IdP and SP:

Configures the CA Privileged Access Manager to function as an SP

Configures another device (in this example, another CA Privileged Access Manager is used) to
function as an IdP for this SP

Provisions User accounts on both the SP and the IdP (with matching usernames), and provisions
policies on the IdP that permit those User accounts to access the Device/Service on the SP.

Configure Global Settings


User Authentication Method Inheritance

When the Authentication method for a User Group is set to "SAML", that setting can be forced on
all User members of the group, regardless of their individual Authentication settings. To
enforce this, select Global Settings, SAML, Require Inherited SAML Auth. This setting is selected
by default.
SAML Reauth Period

This setting applies only when CA Privileged Access Manager is used as an IdP. See IdP Session
Reauthorization Period under Act as an Identity Provider (IdP) (see page 41).

Configure CA Privileged Access Manager SP Certificate


You must have an SSL certificate for your CA Privileged Access Manager FQDN properly prepared and
applied to your CA Privileged Access Manager:

1. Create a CSR and private key in Config, Security.

2. Use the CSR to obtain a certificate, CA chain, and CRL from your applicable Certificate
Authority.

3. Upload these files in Config, Security, then apply Set Certificate.

Configure SP-IdP Communication


Configuration of a CA Privileged Access Manager as a Relying Party (RP), most typically acting as
Service Provider (SP), is performed in the CA Privileged Access Manager SAML RP Configuration
panel on the Config, Security page. There are two parts:

An RP definition for this CA Privileged Access Manager (or none) – upper portion of the panel

Zero or more IdP definitions (identifying and describing external IdPs serving this CA Privileged
Access Manager when it is operating as an RP) – lower portion of the panel

Panel: SAML RP Configuration (this CA Privileged Access Manager as RP)
  Entity ID *: REQUIRED. Taken from:
    <md:EntityDescriptor … entityID=" entityIdName " … >
  Example: ABCserver123
  Friendly Name: Assign a name to be used by CA Privileged Access Manager to identify this SAML
  RP Entity.
  Fully Qualified Hostname *: REQUIRED. FQDN of the CA Privileged Access Manager RP, as it
  appears in the location:
    <md:EntityDescriptor … >
      <md:SPSSODescriptor … >
        <md:AssertionConsumerService Location=" location " … >
  Example: xsuite-sp.example.com
  Description: Description for this CA Privileged Access Manager RP.
  Organization Name: Name of the company or other organization responsible for this CA
  Privileged Access Manager RP:
    <md:EntityDescriptor … >
      <md:Organization … >
        <md:OrganizationName> organizationName </md:OrganizationName>
  Organization URL: URL of the company or other organization responsible for this CA Privileged
  Access Manager RP:
    <md:EntityDescriptor … >
      <md:Organization … >
        <md:OrganizationURL> organizationURL </md:OrganizationURL>
  Administrative Contact Name: Administrative contact for this CA Privileged Access Manager RP:
    <md:EntityDescriptor … >
      <md:ContactPerson … >
        <md:GivenName> givenName </md:GivenName>
  Administrative Contact Email: Email for the administrative contact for this CA Privileged
  Access Manager RP:
    <md:EntityDescriptor … >
      <md:ContactPerson … >
        <md:EmailAddress> emailAddress </md:EmailAddress>
  Certificate Key Pair *: REQUIRED. Select, from the certificate files currently uploaded to
  this CA Privileged Access Manager-as-RP (through Config, Security, Upload Certificate or
  Private Key), the desired SSL certificate + private key concatenated file.
  Accept RSA-SHA1 Signed Responses: Select if you want to accept the RSA-SHA1 signature method
  when the IdP presents it. SHA-1 is deprecated for signatures; leave this cleared unless the
  IdP cannot sign responses with SHA-256.
Configured Remote SAML Identity Providers

The buttons are activated when, at minimum, the required RP components (indicated by *) have
been populated and Save Configuration has been successfully performed:

Add An Identity Provider
    Manually create an Identity Provider (IdP) record in the template that opens below the button.
    After you populate the template, click Save Configuration to create the IdP record, create a
    line item in this panel, and close the template.

Upload An Identity Provider Metadata
    Upload an Identity Provider (IdP) metadata file to CA Privileged Access Manager and create a
    new IdP record with a corresponding line item in this panel.

The fields below are displayed (above the link buttons) for an Identity Provider (IdP) record that has
been successfully populated from either of the Identity Provider creation link buttons:

Friendly Name
    Assign a name for this IdP for use by CA Privileged Access Manager.

EntityID
    <md:EntityDescriptor … entityID=" entityIdName " … >
    Example: ABCserver123

Metadata
    Click the Download link to get the RP metadata file for this IdP. You can then import it into
    the IdP and establish trust of this CA Privileged Access Manager RP.

Edit
    Click the Edit button to open the editing template for the associated IdP record. Its fields
    are identified in the next section of this table.

Delete
    Click the Delete button to remove the line item and associated IdP record.

Test
    Click the Test button to test the connection to the associated IdP.
Identity Provider (IdP) template

Friendly Name * (REQUIRED)
    Assign a name for this IdP for use by CA Privileged Access Manager.

Organization Name
    Name of the company or other organization responsible for this IdP:
    <md:EntityDescriptor … >
      <md:Organization … >
        <md:OrganizationName> organizationName </md:OrganizationName>

Entity ID * (REQUIRED)
    SAML ID for this IdP that is unique within this SAML space:
    <md:EntityDescriptor … entityID=" entityIdName " … >
    Example: ABCserver123

Description
    Description for this IdP.

Single Sign On Protocol Binding * (REQUIRED)
    Applicable protocol binding for this IdP:
    <md:EntityDescriptor … >
      <md:IDPSSODescriptor … >
        <md:SingleSignOnService … Binding=" urn:oasis:names:tc:SAML:2.0:bindings:binding " … />
    Options:
      SAML:2.0:bindings:HTTP-Redirect
      SAML:2.0:bindings:HTTP-POST

Single Sign On Service * (REQUIRED)
    Service location for this IdP:
    <md:EntityDescriptor … >
      <md:IDPSSODescriptor … >
        <md:SingleSignOnService … Location=" location " … />
    Example: https://rp.example.com/idp/profile/SAML2/Redirect/SSO

Allow Just In Time Provisioning
    Select this checkbox to enable CA Privileged Access Manager to provision a User account for an
    asserted SAML user if the account does not already exist on the SP. The User is also included in
    all existing User Groups on the SP that are designated by the 'userGroup' attribute in the SAML
    assertion. If an asserted User Group does not exist on the SP, it is not created.

Certificate * (REQUIRED)
    <md:EntityDescriptor … >
      <md:IDPSSODescriptor … >
        <md:KeyDescriptor use="signing" … >
          <ds:KeyInfo … >
            <ds:X509Data> <ds:X509Certificate> encodedContent </ds:X509Certificate>
    Example:
    -----BEGIN CERTIFICATE-----
    MIIGhzCCBG+gAwIBAgIKYQrABAAAAAAAajANBgkqhkiG9w0BABGMRMwEQYK
    ...
    0VyUrN0fafQmeuYITYzUoOt88LFClepqhrjn2s0AVoBLxcnmuemkw7nfgw==
    -----END CERTIFICATE-----

Sign Authentication Requests
    Select this checkbox if authentication requests must be signed.

Signature Algorithm
    Select the signature algorithm to be applied.
    Options:
      RSA-SHA1
      RSA-SHA256
      RSA-SHA384
      RSA-SHA512

Authentication Contexts
    Identify the applicable authentication contexts for this IdP.
    Options:
      SAML:2.0:ac:classes:Kerberos
      SAML:2.0:ac:classes:PasswordProtectedTransport
      SAML:2.0:ac:classes:X509
      SAML:2.0:ac:classes:SmartcardPKI
      SAML:2.0:ac:classes:TLSClient
      SAML:2.0:ac:classes:TimeSyncToken
      SAML:2.0:ac:classes:unspecified

Require Encrypted Assertions
    Select this checkbox if this IdP requires encrypted assertions.

Enable Holder of Key Support
    Select this checkbox if you require CA Privileged Access Manager to be configured for smartcard
    authentication.

17-Feb-2017 56/416
CA Privileged Access Manager - 2.8

Example: Using SAML Metadata from the IdP (a second CA Privileged Access Manager)

Configure CA Privileged Access Manager 2 as an SP.

Specify your CA Privileged Access Manager to perform as a Service Provider (SP) (the most typical
type of SAML Relying Party, or RP).

1. Log in to your CA Privileged Access Manager SP as (at least) a Configuration Administrator.

2. Navigate to Config, Security, CA Privileged Access Manager SAML RP Configuration.

a. For Entity ID, provide an Entity ID for this CA Privileged Access Manager that is unique
in this SAML environment (all IdP and RP devices that communicate with each other in
this environment).

b. For Fully Qualified Hostname, provide the FQDN that is used for SAML on this CA
Privileged Access Manager SP.

c. From the drop-down list next to Certificate Key Pair, select the certificate-key file that
you had prepared earlier.

d. The other fields are optional.

3. Click Save Configuration. A small pop-up acknowledgment appears over a shadowed page;
click OK.
After the pop-up disappears, you see that the phrases below have changed to links, indicating
that your CA Privileged Access Manager is now configured for operation as an SP.
Provide to this CA Privileged Access Manager SP the identifying information of (at least one)
corresponding IdP. This can be done in one of two ways, either:

a. Manually, by clicking Add An Identity Provider to open a template to define the IdP
yourself.

b. Semi-automatically, by clicking Upload An Identity Provider Metadata to apply a
metadata file you have obtained from an IdP (Figure 82).
In this example, we use another CA Privileged Access Manager as the IdP, and we use
the second option (upload its metadata file).

4. Continue with the next section to obtain and apply the IdP metadata.

Apply CA Privileged Access Manager 1 IdP Metadata to CA Privileged Access Manager 2 SP

Get IdP metadata.

Prepare and download an IdP metadata file from the CA Privileged Access Manager that is the IdP.

1. Log in to your CA Privileged Access Manager IdP as (at least) a Configuration Administrator.

2. Navigate to Config, Security, Set SAML IdP Certificate.

3. Following a change in the CA Privileged Access Manager appliance hostname or the CA
Privileged Access Manager default certificate, you must update the CA Privileged Access
Manager IdP Metadata file as follows:

a. In Entity ID, assign a name that can be used to identify this CA Privileged Access
Manager in this SAML ecosystem.
This ID is included in the metadata file. This IdP includes it in assertions that it
generates to identify itself.

b. In Fully Qualified Hostname, enter the value used for this CA Privileged Access
Manager, such as: xsuite.example.com

c. From the drop-down list to the right of IdP Certificate, select the certificate+key you
are currently using for CA Privileged Access Manager.

d. Click Update IdP Metadata to apply the current certificate, hostname, and your
assigned ID.
You receive a red confirmation message at the top of the page.

4. Click Download IdP Metadata to save the CA Privileged Access Manager-specific "idp-
metadata.xml" file locally.

"idp-metadata.xml" is a CA Privileged Access Manager configuration file that describes the SAML
services supported by the IdP. It also contains information about how an SP can send
authentication requests to the CA Privileged Access Manager IdP. It carries the certificate (public
key) with which an SP verifies the assertions that CA Privileged Access Manager signs. It also
includes the FQDN (or IP) of your CA Privileged Access Manager. Therefore, any time the FQDN or
the certificate is changed, the IdP metadata must be updated, downloaded, and uploaded to SPs.

Upon changing your hostname, click Accept IdP Certificate in that panel and download the CA
Privileged Access Manager SAML metadata file. Ensure that the service provider is provided with
the new CA Privileged Access Manager SAML metadata file.
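The Identity Provider template fields above and the description of "idp-metadata.xml" both map onto fixed elements of a SAML 2.0 metadata document. The following Python script is an added example (not CA code and not part of this documentation): it pulls those values out of an IdP metadata file so that you can verify them before uploading the file to the SP, keeps only SingleSignOnService endpoints with the two bindings the template offers, and refuses metadata that has no IDPSSODescriptor or no signing certificate. The sample metadata is constructed; it reuses the page's example Entity ID ABCserver123 and hostname xsuite.example.com, and the certificate body is a base64 placeholder rather than a real certificate.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 metadata documents such as idp-metadata.xml
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# The two Single Sign On bindings the IdP template offers
SUPPORTED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed sample metadata (not a real CA PAM export). The certificate body is
# a base64-encoded placeholder so the parser can be exercised offline.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="ABCserver123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>TUlJRXhhbXBsZQ==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://xsuite.example.com/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://xsuite.example.com/idp/profile/SAML2/SOAP/SSO"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName>Example Corp</md:OrganizationName>
    <md:OrganizationURL>https://www.example.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="administrative">
    <md:GivenName>Alice</md:GivenName>
    <md:EmailAddress>alice@example.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
"""


def _text(root, path):
    """Return the stripped text of the first element at path, or None."""
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def parse_idp_metadata(xml_text):
    """Extract the values the IdP template asks for from SAML IdP metadata.

    Raises ValueError when the document cannot define an IdP: missing entityID,
    no IDPSSODescriptor, no SSO endpoint with a supported binding, or no signing
    certificate (without which assertion signatures could not be verified).
    """
    # ElementTree does not resolve external entities, but metadata from an
    # untrusted source is still better parsed with the defusedxml package.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID is required")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this metadata does not describe an IdP")

    # Keep only SingleSignOnService endpoints whose Binding the template supports
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding"), svc.get("Location")
        if binding in SUPPORTED_BINDINGS and location:
            sso[binding.rsplit(":", 1)[1]] = location  # e.g. "HTTP-Redirect"
    if not sso:
        raise ValueError("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")

    # Signing certificates; a KeyDescriptor without 'use' covers signing and encryption
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split()), validate=True))
    if not certs:
        raise ValueError("no signing certificate in IDPSSODescriptor")

    return {
        "entity_id": entity_id,
        "organization_name": _text(root, "md:Organization/md:OrganizationName"),
        "organization_url": _text(root, "md:Organization/md:OrganizationURL"),
        "contact_name": _text(root, "md:ContactPerson/md:GivenName"),
        "contact_email": _text(root, "md:ContactPerson/md:EmailAddress"),
        "sso": sso,
        "signing_certs_der": certs,
    }


def to_pem(der_bytes):
    """Render a DER certificate in the PEM form the Certificate field expects."""
    body = base64.b64encode(der_bytes).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----")


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for key, value in info.items():
        if key != "signing_certs_der":
            print(key, "=", value)
    print(to_pem(info["signing_certs_der"][0]))
```

Run it against a downloaded idp-metadata.xml by passing the file contents to parse_idp_metadata; the SOAP endpoint in the sample is dropped because the template cannot use it, and the returned DER certificate is what to_pem renders for the Certificate field.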

After obtaining the metadata that defines the IdP (CA Privileged Access Manager SAML
authentication function), you upload it to the SP (the second CA Privileged Access Manager).

Put IdP metadata on SP.

Upload the IdP metadata file (that you obtained from your first CA Privileged Access Manager) to the
second CA Privileged Access Manager (that is performing as an SP).

1. Log in to your CA Privileged Access Manager SP as (at least) a Configuration Administrator.

2. Navigate to Config, Security, CA Privileged Access Manager SAML RP Configuration.
Near the lower portion of the panel, you see the link: Upload An Identity Provider Metadata.

a. Browse to locate the "idp-metadata.xml" file that you obtained from the CA Privileged
Access Manager IdP.

b. Upload it to (this) CA Privileged Access Manager SP.
At the top of the page, you receive an acknowledgment (or an error message if the file
cannot be interpreted as SAML metadata):
SAML Remote IdPs added: [IdP Entity ID]

3. Scroll the page back down to the CA Privileged Access Manager SAML RP Configuration panel.
In the Configured Remote SAML Identity Providers section, the IdP is now identified by its
Friendly Name (if any, or by its Entity ID) and its Entity ID.
You now apply the SP metadata that corresponds to this IdP back on the IdP.

4. Stay at this location (on the CA Privileged Access Manager Config, Security page), and
continue with the next section.

Apply CA Privileged Access Manager 2 SP Metadata to CA Privileged Access Manager 1 IdP

Now that this CA Privileged Access Manager SP has been configured as a SAML RP and has been
informed of the IdP characteristics (by way of the IdP metadata file), you use an SP metadata file to
inform the IdP. In this way, both the SAML RP and the SAML IdP know – and are thus authorized to
communicate with – each other.

Get (IdP-informed) SP metadata:

1. If you are not already there, navigate to Config, Security, CA Privileged Access Manager SAML
RP Configuration pane, Configured Remote SAML Identity Providers section.

2. Identify the line item for the IdP that you are looking for (if there are multiple IdPs).

3. Under the Metadata column, locate the blue Download link (for this Identity Provider (IdP)
line item, if there are more than one), and click it to save this CA Privileged Access Manager SP
metadata file (for this Identity Provider) locally, named "XsuiteMetadataFor_IdP-EntityID.xml"
by default.

Put SP metadata on IdP:

1. Log in to your CA Privileged Access Manager IdP as (at least) a Configuration Administrator.

2. Select Services, Import SAML 2 SP Metadata to open the import page.

a. Browse to locate the "XsuiteMetadataFor_EntityID.xml" file that you obtained from
the CA Privileged Access Manager SP.

b. Click the Import SAML 2.0 SP Metadata button to upload it to the CA Privileged Access
Manager IdP.
After you do so, you will see several acknowledgment messages in green (below the
button). If there are errors, they are noted in red.

Uploading the SP metadata results in identification of the SP authorization function as a
Service, and the SP server as a Device, as you will confirm in the next step.

3. Confirm:

a. In Services, TCP/UDP Services, a populated Service record with a Service Name
matching the IdP SAML Entity ID has been created. The record has prepopulated:

i. the typical Service specifications for a Web Portal (Basic Info, Administration,
Web Portal panels), with Auto-Login Method="SAML 2.0 SSO POST", and SAML
elements:

1. Assertion Consumer Service URL

ii. new SAML SSO specific panels:

1. SAML SSO Info

2. SAML SSO Subject Name Identifier Formats

3. SAML SSO Attributes

b. In Devices, Manage Devices, a populated Device record with Device Name (and
Address) matching the IdP SAML-applicable FQDN has been created.

Provision SSO Access Policy to CA Privileged Access Manager SP Using CA Privileged Access Manager IdP

Now that the SP and IdP have been configured to trust each other, you can provision the IdP to
permit its Users to access the SP services.

When you open a policy template for the SP Device (for a particular User or User Group), select the
corresponding SP Service (identified by Entity ID). This opens the SAML panel so that its attributes can
be specified.

Note

You might need to revise the SAML attributes so that they are sufficiently identified. The
SAML Name Identifier Format is originally not specified. If this occurs, specify it from the
available selections so that xAttribute appears and can be specified.

User Experience
SP-Initiated Connection

1. The User here first points to the Service Provider destination, the CA Privileged Access
Manager SP.

2. However, rather than use the primary login interface, the User bypasses it by selecting Single
Sign On, an interface option that was activated as a result of the configuration of this CA
Privileged Access Manager as an SP (or RP).

3. The User is alerted that the login proceeds with authentication at a different target, the IdP. If
there are multiple IdP targets, the User must select one from the drop-down list, then click
ENTER.
The User is then brought to the login page for the IdP.

In this example, both SP and IdP are CA Privileged Access Manager devices. However, note the
changed browser address and that the IdP is not configured as an SP, and so does not provide
a Single Sign On link as did the initial SP.

4. The User enters User and Password credentials as required by the IdP.
Because the User target is the SP, when the IdP has authenticated the User, its task is
complete. Control is handed back to the SP, where the login proceeds to finish at the
applicable landing page.

AWS Coordination
CA Privileged Access Manager administrators can preconfigure access to one or more regions in one
or more Amazon Web Services (AWS) accounts. Administrators can use this access both to import
AWS instances from that region as CA Privileged Access Manager Devices and to provide controlled
(account-obfuscated) end-user access to the AWS Management Console.
Credentials for a particular AWS account are stored as an individual target account in Credential
Manager. Using the enhanced configuration interface, you can provision any number of AWS
account / AWS region combinations for concurrent connection.

AWS Coordination Stages

1. Configure CA Privileged Access Manager to communicate

2. Access AWS from CA Privileged Access Manager
   API access
   AWS Management Console access

3. Import Devices from CA Privileged Access Manager

Next Steps:

Configure AWS Account Coordination (see page 61)
Access AWS Management Console (see page 64)
Configure Communication with AWS (see page 65)
Import Devices from AWS (see page 70)
Configure AWS Account Coordination


As a CA Privileged Access Manager Administrator, you can configure the appliance to coordinate with
an Amazon Web Services (AWS) account. Configuration allows these types of coordination:

Pre-configuration of restricted access to the AWS Management Console website for any policy-
enabled CA Privileged Access Manager user

Import, and regular refresh, of all active AWS devices (in the configured AWS region) as CA
Privileged Access Manager devices

Follow these procedures:

1. Obtain an AWS account (see page 62)

2. Store AWS Account Credentials in a CA Privileged Access Manager CM (see page 62)

3. (Optional) Configure AWS Connection (see page 63)

4. (Optional) Provision AWS Management Console Access (see page 63)

Obtain an AWS Account


You identify an accessible AWS account before configuring CA Privileged Access Manager to
communicate with it. Your organization might already have such an account, or you can set one up at
https://aws.amazon.com. Note the character strings for these AWS objects:

Access Key ID

Secret Access Key

Select and note the following AWS view:

AWS (geographical) region - for example, US East (N. Virginia)

Store AWS Account Credentials in CA Privileged Access Manager CM


So that CA Privileged Access Manager can coordinate with AWS, first store your AWS account
credentials in a target account record in CA Privileged Access Manager Credential Manager.

Follow these steps:

1. Select Policy, Manage Passwords. The Credential Manager menu opens in a separate tab or
window.

2. Select Targets, Accounts. The Application List page opens.

3. In the lower right, click Add.

4. Begin typing AWS in the Application Name field, and select AWS Access Credential Accounts
from the drop-down list. (Optional) Alternatively, click the magnifying glass icon to open a
modal window to select this application. The target account window changes form, and the
Host Name and Device Name are also populated with the AWS-specific names.

5. In User Friendly Account Name, assign a unique label for your AWS account.

6. Fill in the Access Key ID and Secret Access Key you collected from AWS.

7. (Optional) If applicable, assign an Access Role Name.

8. (Optional) If you are using AWS GovCloud, in AWS Cloud Type select Government.

9. Do not populate any other fields or change any other settings.

10. Click Save.

CA Privileged Access Manager can now use your AWS access credentials for auto-connection in
multiple scenarios.

Configure AWS Connection


After you have stored your account credentials, you point to them in your CA Privileged Access
Manager-to-AWS configuration settings and activate a connection.

Follow these steps:

1. Select Config, 3rd Party. The 3rd Party page opens.

2. In the Add AWS Connection panel, select your previously-set User Friendly Account Name in
Access Key Alias.

3. In the AWS Region panel, select your applicable geographical region. If desired, you can
coordinate with multiple account-region pairs.

4. (Optional) Select the Active checkbox to prompt device import. Otherwise, only the validity of
your stored account-region pair is tested.

5. Click Add to confirm the connection, and if activated, perform the initial account-region
device import from AWS. You receive a confirmation at the top of the page that the
connection has been validated, and the Amazon Web Services (AWS) Configuration panel
displays an account-region line item.

Your CA Privileged Access Manager connection to this AWS account is now activated for the selected
region. The connection is available for access to AWS Management Console and is used for device
import. The imported devices are visible and available for use on the Devices, Manage Devices page,
where the CA Privileged Access Manager-applied (not the imported) fields can also be edited.

Provision AWS Management Console Access


After you have stored your account credentials, you can set a user policy with a controlled-access
web portal that opens the AWS Management Console.

Follow these steps:

1. Select Policy, Manage Passwords. The policy page opens.

2. In the User (Group) field, start typing the User or User Group you want the policy to apply to,
and select the matching full name from the filtered drop-down list.

3. In the Device (Group) field, select xceedium.aws.amazon.com from the drop-down filtered
list.

4. In the upper-right corner of the page body, click the Create Policy link. A policy template
opens.

5. Set up the policy link:

a. Click Add to the right of Services, and from the pop-up window select AWS
Management Console SSO. Two fields open to the right of that name.

b. Click in the field marked Credential, and select AWS Access Credential Accounts - User
Friendly Account Name.

c. Click in the field marked AWS Policy, and select an available setting, such as
IAMUserAccess.

6. Click Save.

On their Access page, this user now has a web portal type link AWS Management Console SSO for
(placeholder) device xceedium.aws.amazon.com.

Access AWS Management Console


In CA Privileged Access Manager, you can provision AWS Management Console auto-connection
access for an AWS account in the Policy template.

A User or User Group can have an auto-connection policy to the AWS Management Console using
only one AWS account. However, a user can be a member of multiple user groups, each of which has
a transparent login policy to the AWS console using different AWS access credentials. When a User
with access privileges to multiple AWS accounts attempts to access the AWS Management Console
web portal, a shadow box is presented for the User to select an account, and then automatically log
in.

AWS Management Console


To ensure transparent login access to this site from CA Privileged Access Manager, the AWS
Management Console requires a current, appropriate AWS policy. The default settings and any
custom settings require communication with AWS.

http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_inline-using.html

Work-around
1. In Policy, Manage Policy, click the AWS Policies link.

2. Select an existing, or create a new, AWS Policy.

3. Apply the following AWS IAM policy settings to its Policy field, and click Save:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:GetFederationToken",
            "Resource": "*"
        }
    ]
}

4. Be sure to use this revised AWS Policy in the Services policy template for an applicable User
with xceedium.aws.amazon.com.
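The policy in the work-around grants exactly one action, sts:GetFederationToken, which is what the console single sign-on needs. As an added example (not CA code and not part of this documentation), the Python lint below checks an AWS Policy document before you paste it into the Policy field: it must parse as JSON, use the 2012-10-17 version, allow sts:GetFederationToken (directly or via a wildcard), and contain no wildcard or NotAction grants that are broader than that. The page's policy is embedded as the passing case; OVERBROAD_POLICY is a constructed counter-example.

```python
import fnmatch
import json

# The policy the Work-around above applies, as printed on this page
FEDERATION_TOKEN_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:GetFederationToken",
            "Resource": "*"
        }
    ]
}"""

# Constructed over-broad variant for comparison (not from the page)
OVERBROAD_POLICY = """{
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["sts:*", "iam:*"], "Resource": "*"}
}"""

# The one action the console SSO work-around requires
REQUIRED_ACTION = "sts:GetFederationToken"


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_aws_policy(policy_text):
    """Lint an AWS Policy document before saving it in CA PAM.

    Returns {"ok": bool, "findings": [str, ...]}. The policy passes when it parses,
    uses version 2012-10-17, allows sts:GetFederationToken, and grants nothing
    wider than that single action.
    """
    findings = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return {"ok": False, "findings": ["not valid JSON: %s" % exc]}

    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")

    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if not isinstance(stmt, dict):
            findings.append("Statement entry is not an object")
            continue
        effect = stmt.get("Effect")
        if effect == "Allow":
            if "NotAction" in stmt:
                findings.append("Allow with NotAction permits every action not listed; use Action")
            allowed.update(_as_list(stmt.get("Action")))
        elif effect != "Deny":
            findings.append("Effect must be Allow or Deny, got %r" % effect)

    if not any(_covers(a, REQUIRED_ACTION) for a in allowed):
        findings.append("policy does not allow %s; console SSO will fail" % REQUIRED_ACTION)
    for action in sorted(allowed):
        if ("*" in action or "?" in action) and not _covers(REQUIRED_ACTION, action):
            findings.append("wildcard action %r is broader than console SSO needs" % action)

    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    for name, text in (("page policy", FEDERATION_TOKEN_POLICY), ("over-broad", OVERBROAD_POLICY)):
        print(name, check_aws_policy(text))
```

The wildcard check deliberately flags "sts:*" even though it would technically cover sts:GetFederationToken: a policy tied to a shared console login should grant the single call it needs and nothing else.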

Configure Communication with AWS


This CA Privileged Access Manager interface accepts AWS account parameters and provides the
"main switch" that connects CA Privileged Access Manager to the specified AWS accounts and
regions. After this panel is fully configured, CA Privileged Access Manager will periodically pull in all
running AWS instances associated with that account, and create corresponding CA Privileged Access
Manager Device records.

CA Privileged Access Manager can be configured to store information for more than one AWS
account, and any number of stored accounts may be activated for Device import. The Access Key ID
and Secret Access Key for (each) account are stored as CA Privileged Access Manager target account
parameters.

Prerequisites
Establish AWS administrative accounts, with knowledge of Access Credentials.

License
To use CA Privileged Access Manager with AWS, you apply a license with AWS Capability = Enabled.
You can check this on the Config, Licensing page.

Specify AWS Accounts and Regions


Perform the following procedure in order to provision CA Privileged Access Manager for access to
AWS account(s).

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Confirm that you have installed a CA Privileged Access Manager license that has AWS access
activated: On the Licensing page, the AWS Capability line item will indicate "Enabled."
Meanwhile, the following user-visible objects and interfaces for the following AWS-interacting
features will have been created in CA Privileged Access Manager:

On the Config, 3rd Party page, you will see the Amazon Web Services (AWS) Configuration
and Add AWS Connection panels as shown in Figure 105.

On the Config, Logs page, in the NFS/CIFS/S3 Settings panel, the Amazon S3 storage
option is activated.

On the Config, Synchronization page, in the Shared Key panel, the AWS Provision option
is activated.

On the Users, Manage Users page, on the User template, the (preconfigured) Role AWS
API Proxy User is a new Available Roles option. On the Users, Manage Roles page, that
Role, as well as the new AwsApiProxy privilege, are now provided.

On the Devices, Manage Devices page, the Device xceedium.aws.amazon.com is created and
populated.

On the Services, TCP/UDPServices page, the service AWS Management Console SSO is
created and populated. This service is automatically activated on Device
xceedium.aws.amazon.com.

On the Policies, Manage Passwords, Targets, Applications page, the target application
AWS Access Credential Accounts is created and populated. This application resides on
Device xceedium.aws.amazon.com. Any number of target accounts can now be created, each
of which stores access credentials for a specific AWS Account.

3. To configure CA Privileged Access Manager for interaction with (one or more) AWS account(s),
we must first store credentials (passwords) for each account in a Password Management
record. These credentials will be used whenever CA Privileged Access Manager connects to
AWS – to import/synchronize devices, to log in to the AWS Management Console, or perform
other activity.

a. Navigate to Policy, Manage Passwords, Targets, Accounts, and click Add.

b. To the right of Application Name, click the magnifying glass and select "AWS Access
Credential Accounts". Both the Host Name and Application Name are then populated
with the CA Privileged Access Manager abstract host (xceedium.aws.amazon.com) and
application (AWS Access Credential Accounts) representations for AWS.

c. Populate this target account with credentials for a specific AWS account:

i. Select AWS Access Credential Type: "Access Key".

ii. Paste your AWS Access Key ID and corresponding Secret Access Key in the
labeled fields.

iii. Enter an easily identifiable name or tag for this account into User Friendly Key
Name. This name will be used to identify the account when you configure CA
Privileged Access Manager to communicate with AWS in Step 4.

d. Click Save to store the record and return to the Account List view. Note that the
Account List is ordered by Access Key ID, while the Access Key Alias field is not visible –
so be sure to record or remember the Access Key ID.

e. Repeat this target account creation procedure to store any additional AWS account
credentials.

4. Return now to Config, 3rd Party, Add AWS Connection. Using this panel, you will provision
each specific AWS connection (Access Key Alias – AWS Region combination) from which you
want to import devices

a. Under Access Key Alias, select (one of) the drop-down option(s) for the available
account(s) that you provisioned in Credential Manager (as User Friendly Key Name).

b. Select the AWS Region of this account that has the devices you want to import.

c. If selected, the checkbox Active directs CA Privileged Access Manager to import all
devices from this connection immediately, and at the end of each AWS Refresh
Interval cycle. You may have connections that are populated, but may not want to
import at this time. You can leave this box unchecked if you do not want to import the
devices currently, but would like to "stage" the connection so that it is visible.

d. Click Add to provision the connection. When you do so:

i. If Active has been selected:

1. You will see an acknowledgment pop-up window that allows you to
confirm or cancel the impending import.

2. CA Privileged Access Manager begins an import of all devices (except
those marked with an AWS tag of "XsuiteIgnore") from that connection.

After successful provisioning, you will see a green confirmation message at the
top of the page. New Device records will be visible on the Devices, Manage
Devices page.

ii. A new line item representing the connection will appear in the Amazon Web
Services (AWS) Configuration panel.

e. Repeat steps a – d to provision additional connections.

5. For any existing configured records in the Amazon Web Services (AWS) Configuration panel:

a. To apply an update interval (to all connections), select an AWS Refresh Interval. This
parameter specifies the length of a repeating cycle, immediately following which CA
Privileged Access Manager performs an import from each connection provisioned
Active=YES.

b. To update a record, click the Edit button for the connection line item you wish to
change. This action re-stages the connection record into the Edit AWS Connection
panel: In this state, the Access Key Alias and AWS Region are not editable.
In the Edit AWS Connection panel:

i. If desired, toggle Active from its current state.

ii. Click Save to preserve the currently staged settings (that is, a potential change
to/from the Active state) and return the record to Amazon Web Services (AWS)
Configuration, or click Cancel to return the panel to its default state.
Saving a newly Active AWS connection record triggers the import of the AWS AMI instances
associated with that account (just as happens during an initial Add operation).

c. To remove or test a connection:

i. Click Remove to completely remove the record from the configuration. (You
will receive a confirmation pop-up, from which you can also cancel the
removal.)

ii. Click Test to make a test connection to verify that the credentials can be used
to log in to AWS and the specified region. (You will receive a confirmation
message at the top of the page.)

Amazon Web Services (AWS) Configuration panel

This panel presents the set of connections (Access Key Alias – Region combinations) currently
configured for communication with AWS. Only connections configured as Active have their
corresponding AWS AMI instances imported as CA Privileged Access Manager Devices. See also Table 2.

Column Name: AWS Refresh Interval
    Format: enumerated list
    Options: 5 minutes, 15 minutes, 30 minutes, 60 minutes (default: 60 minutes)
    Description: Specifies the frequency with which CA Privileged Access Manager synchronizes its
    set of Devices with the set of AWS instances. Applies to all configured connections.

For each line item below AWS Configured Connections and the following labels:

Column Name: Access Key Alias
    Format: string
    Example: ExampleCorp1
    Description: The User Friendly Key Name value of an AWS Access Credential Accounts target
    account provisioned in Credential Manager.

Column Name: Region
    Format: string
    Example: US East (Virginia)
    Description: An AWS Region of the AWS Access Credentials target account identified in the
    Access Key Alias column.

Column Name: Active
    Format: string
    Options: YES | NO
    Description: The import status of this connection (as identified in the previous two columns).
    When Active = "YES", CA Privileged Access Manager imports all (AWS) State="running" devices
    (that do not have an AWS tag of "XsuiteIgnore") from the specified Access Key Alias – Region
    combination at the end of each AWS Refresh Interval.

Column Name: Edit
    Format: button
    Description: Stages this connection into the Add AWS Connection panel so you can change its
    Active status.

Column Name: Remove
    Format: button
    Description: Using the Remove button has these effects on this connection:
    (1) You are required through a dialog (pop-up) window to acknowledge your selection of Remove
    before the following ((2) and (3)) take effect:
    (2) Removes all AWS-imported Devices and their associated password applications and accounts,
    as well as associated policies, for the selected connection. Exception: No Devices that have
    been assigned authorization mappings are deleted.
    (3) Removes the current connection line item from this panel.

Column Name: Test
    Format: button
    Description: Attempts a communication to AWS with the credentials of the account for this
    connection, and confirms or denies its success.

Add AWS Connection panel

This panel is the staging area for creating or editing a connection, which is used by CA Privileged
Access Manager to communicate to a specific regional subset (AWS Region) of an AWS account (which is
provisioned as a target account that is identified by its Access Key Alias).

Field Name (Type/Button; Options/Format/Example): Description

Access Key Alias (enumerated): Choose from a list of User Friendly Key Name values from all target
accounts with an Application Name of "AWS Access Credential Accounts" and with an AWS Access Credential
Type of "Access Key".

Active (checkbox): Activates this connection for importing devices. Initial import is made at the time
(1) this option has been selected, (2) the Add button is clicked, and (3) the import pop-up is
acknowledged. Subsequent synchronization (refresh) is then made after each AWS Refresh Interval
completes.

AWS Region (enumerated): Choose the AWS Region this connection will apply to. Note: If a region has
already been used (in a previously provisioned connection) for the currently selected Access Key Alias,
it will be disabled (and "grayed out").

Add (button): Saves the current settings as a connection record that is displayed in the Amazon Web
Services (AWS) Configuration panel. If the Active checkbox has been selected, communicates with AWS for
import (after a pop-up is acknowledged).

Additional Account/Region Specific Configuration

S3 Mounts
Because S3 mounts can no longer be assumed in the (sole) AWS Account and Region specified in the
release 2.2.0 3rd Party page configuration, in Config, Logs, NFS/CIFS/S3 Settings you must explicitly
identify which AWS Provision (Account and Region) is to be used.

Warning

Regarding S3 storage mounts: If there is an active S3 mount using a particular Config, Logs,
NFS/CIFS/S3 Settings, AWS Provision setting at the time you attempt to remove its
corresponding connection from Config, 3rd Party, Amazon Web Services (AWS)
Configuration, the connection will not be dropped, the mount will remain intact, and an
error message will be displayed on the 3rd Party page.

Synchronization
The members of a CA Privileged Access Manager synchronization cluster created within AWS must be
located within the same AWS VPC subnet.

Because synchronization can no longer be assumed in the (sole) AWS Account and Region specified in
the release 2.2.0 3rd Party page configuration, on the Config, Synchronization page you must
explicitly identify which AWS Provision (Account and Region) is being used.

Import Devices from AWS


NOTE Import can be configured to occur either manually or automatically.
See step 4 in Specify AWS Accounts and Regions (see page 65).

Configure Your Database


CA Privileged Access Manager contains two databases – one database for configuration, and another
for provisioning.

Configuration (.cfg) files can only be used on the appliance where they were created.

Database (.gz) files can be used to recreate provisioning on other units: Services, Users, Devices,
Command Filter Lists, Socket Filter Lists, Policies.

Features that allow the administrator to view and manipulate these databases are on the Config,
Database page.
Database Backup (see page 70)
Schedule a Database Backup (see page 71)
Database Restoration (see page 74)

Database Backup
CA Privileged Access Manager administrators can copy data currently in use to internal or external
secondary-drive storage. You can manually back up the database and configuration internally or
schedule a backup to an external server. The backup saves the provisioning Database for Access and
Credential Manager with or without A2A, and the appliance Configuration files. These files are
offloaded to an external server hosting either an SFTP or SCP server. CA Privileged Access Manager
uses public key authentication to encrypt communication and must use a non-interactive login for
authentication.
From the Toolbar, go to the Config menu, select Database, then use the Schedule Backup, Save
Configuration and Database or Reset Database panel.

Manual Database Backup


Backup to internal storage can be performed immediately at any time by clicking the Save Database
and Configuration button.

Scheduled (Automated) Database Backup


Configure scheduled, automated backups by clicking the Schedule Backup button to invoke the
Database Backup Scheduler window. Populate the fields according to Schedule a Database Backup
(see page 71).

Best Practice

Schedule the database for backups as soon and as frequently as practical. The backup is then
available in case emergency recovery is needed.

Schedule a Database Backup


You can configure a scheduled backup of the CA Privileged Access Manager database to internal
storage. Use the Schedule Backup button on the Database Configuration page to invoke the
Database Backup Scheduler window. Populate the fields according to the information in the table.

Name (Data Examples): Description / Formula

Current Schedule: The (single) currently stored schedule.

(Time options): Set an automated backup: Select any single value (or range of values) for Month, Day,
Weekday, Hour, and Minute that should be set as a constraint. Select All for any field that should not
be a constraint to the schedule. (Any value is allowed.)
Example: To schedule a backup that begins every night at 11PM, set Month, Day, and Weekday each to All,
the Hour to 23, and the Min to 00.

Timezone (UTC): (As specified in Date/Time settings. Cannot be edited here.)

Protocol (scp, sftp, NFS, CIFS, Amazon S3): Specify whether SCP or SFTP is used to transfer the files,
or they are written to an NFS, CIFS, or Amazon (AWS) S3 mount.

Select Authorization File (dsa.key, rsa.key): Set the key file for use in authentication.

If the protocol = SCP or SFTP:
<user>@<server>:/path: Set the authentication and path with the syntax provided.
Port: Change the port on the destination server as needed. Default = 22

If the protocol = NFS:
Share Path: Path on server: /<path>
Hostname: FQDN or IP address

If the protocol = CIFS:
Share Path: Path on server: \\<hostname>\<share>
Username: Username of the share access account
Password: Password for account specified by Username
Domain: FQDN or IP address

If the protocol = Amazon S3:
Bucket: Name of AWS S3 bucket
AWS Provision: Name of CA PAM AWS provision as set in Config, 3rd Party: Access Key Alias – Region
combination

Download: Open pop-up window to view or copy the key file locally.

Delete After Successful Send: Select this box if the Configuration and Database backup files will be
deleted from local storage on CA Privileged Access Manager.

Maximum Files to Keep Locally: Set the number of Configuration and Database backup files that are stored
on CA Privileged Access Manager. Database and Configuration files that are created by the Scheduled
Backup are available for download in the File Operations area.

Back to Schedule

Save Schedule: Save and enable the configured schedule.

Delete Schedule: Remove the automated backup.

Unmount[ed] / Mount[ed]: One of the labels displays the active mount state, while the other is a button
for switching to the specified state.

Best Practices
The database can be scheduled for backups as soon and as frequently as practical so that it is
available in case emergency recovery is needed.

Name (Values): Description

Schedule Backup (Button): Invoke new window implementing scheduling widget.

Save Database and Configuration (Button): Dump to separate files: (1) the currently active database
(users, devices, policy), and (2) the currently active CA Privileged Access Manager configuration
settings, and acknowledge this action, with the respective filenames, at the top of the page window.

Reset Database (Button): Reset database to empty and default values.

To set a database backup schedule and location:

1. Open the Database Backup Scheduler by selecting: Config, Schedule Backup, Save
Configuration and Database or Reset Database, Schedule Backup.
In the Database Backup Scheduler panel, the Current schedule pane will, by default, indicate
"None": This means that no scheduled backup is performed. When configured however,
Current Schedule pane displays the Month, Day, Weekday, and time of the active scheduled
backup.

2. Populate fields as specified.

3. Set up the receiving server or share for one of: scp, sftp, NFS, CIFS, or Amazon S3.

4. To establish a secure communication that does not require an interactive login:

a. Download the key files from Select authorization file.

b. Copy these key files to the destination server, into the home directory of the user who
represents CA Privileged Access Manager for authentication.

c. In the destination server ".ssh" directory, import/append the contents of the (CA
Privileged Access Manager) key files into the "authorized_keys" file.
If an "authorized_keys" file does not exist, create one for this purpose.

5. After clicking Save Schedule, backup will be activated.
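Step 4 above as an added shell example, not CA's own tooling: it installs the key downloaded from Select Authorization File into the backup account's authorized_keys on an SCP/SFTP destination server. It assumes the downloaded file holds one OpenSSH public-key line, that the backup account is "pambackup", and that the appliance connects from 192.0.2.10 (all constructed values).

```shell
#!/bin/sh
# Added example (not part of the CA documentation): install the public key that
# CA Privileged Access Manager exports through "Select Authorization File" into
# the backup user's authorized_keys on the SCP/SFTP destination server, so the
# scheduled backup can log in without an interactive prompt.
#
# Assumptions (constructed for this example): the exported file holds one
# OpenSSH public-key line, the backup account on the destination is "pambackup",
# and the appliance reaches the server from 192.0.2.10.

# Print the "<type> <base64>" part of the first key line in FILE, without the
# comment, so the same key is recognised whatever comment it carries.
key_body() {
  awk 'NF >= 2 && $1 ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-)/ {
         print $1 " " $2; exit }' "$1"
}

# install_backup_key KEYFILE AUTHORIZED_KEYS FROM_ADDR
# Appends the key exactly once, pinned to the appliance address and with the
# "restrict" option (OpenSSH 7.2+), which blocks forwarding, PTY allocation
# and ~/.ssh/rc but still permits the scp and sftp transfers the backup needs.
# Also enforces the permissions sshd requires on ~/.ssh and authorized_keys.
install_backup_key() {
  keyfile=$1
  authkeys=$2
  from_addr=$3
  body=$(key_body "$keyfile")
  if [ -z "$body" ]; then
    echo "no OpenSSH public key found in $keyfile" >&2
    return 1
  fi
  sshdir=$(dirname "$authkeys")
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  touch "$authkeys" && chmod 600 "$authkeys"
  if grep -qF -- "$body" "$authkeys"; then
    return 0            # already installed; keep the file idempotent
  fi
  printf 'from="%s",restrict %s pam-scheduled-backup\n' \
    "$from_addr" "$body" >> "$authkeys"
}

# count_key_entries AUTHORIZED_KEYS KEYFILE: how many lines carry this key.
count_key_entries() {
  body=$(key_body "$2")
  [ -n "$body" ] || { echo 0; return; }
  grep -cF -- "$body" "$1"
}

# Typical use on the destination server, once rsa.key has been copied there:
#   install_backup_key /home/pambackup/rsa.key \
#     /home/pambackup/.ssh/authorized_keys 192.0.2.10
```

Run the function once per downloaded key file (dsa.key and rsa.key); re-running it is harmless because an already installed key is skipped.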

Database Restoration
As a CA Privileged Access Manager administrator, you can restore the database or configuration file
using a previously saved file. You can also return the database to its original state.

Restore an Earlier Database File


Replace the current database on CA Privileged Access Manager with a previously saved data set.
Restoring a file from a previously saved version will overwrite any changes since the selected backup
was performed. This is a destructive process that should only happen during a scheduled
maintenance window.

To restore the database, follow these steps:

1. Go to Config, Database. Use the Configuration and Database File Operations panel.

2. If no backup has been made, the Database File Operations buttons are not active. Instead of a
"Pick a filename" heading and a list of files, a message appears: "No files found in the storage
directory." There is nothing to download, delete or restore until a backup exists.

3. Select the file to restore. CFG files are configuration files. GZ files are database files.

4. Select Restore to restore the files.

Reset the Database to Factory Defaults


Replace the current database with one containing CA Privileged Access Manager factory default
values. This is a destructive process that should only happen during a scheduled maintenance
window.

To reset the database, follow these steps:

1. Go to Config, Database. Use the Schedule Backup, Save Configuration and Database or Reset
Database panel.

2. Select Reset Database to reset the database.

Hardware Security Modules (HSMs)


CA Privileged Access Manager Credential Manager uses a software encryption module that is
validated to FIPS 140-2 Level 1 (CMVP certificate 1443) to encrypt and decrypt stored credentials. An
optional software encryption module that is validated to FIPS 140-2 (CMVP certificate 1743) is also
available.

To provide hardware-based encryption to encrypt and decrypt stored credentials, configure one of
the following Hardware Security Modules (HSMs):
SafeNet Luna SA Appliance (see page 75)
SafeNet Luna PCI-E Card (see page 80)
Thales nShield Connect HSM Appliance (see page 85)
Common HSM Features (see page 93)

SafeNet Luna SA Appliance


CA Privileged Access Manager can use the SafeNet Luna SA HSM (Hardware Security Module)
appliance for encryption and decryption of its stored credentials in place of its built-in cryptographic
engine.
Prerequisites: SafeNet Luna SA hardware appliance, version 5.2.x, 5.3.x, or 5.4.x. (For the Luna PCI
card, see SafeNet Luna PCI-E Card (see page 80).)
License requirements: No special CA Privileged Access Manager license is required to configure
connection to a Luna HSM.

Note: If the Luna appliance is unreachable from CA Privileged Access Manager,
administrators and end users cannot manage or use passwords or invoke some applicable
GUI pages.

Configure Luna
Before you can configure CA Privileged Access Manager to communicate with the Luna HSM
appliance, you must prepare the appliance to recognize CA Privileged Access Manager.

Example

The following procedures describe a third-party environment (SafeNet Luna SA 4.3) that is outside CA
Technologies control. They should be considered only representative of the interface that was
encountered and of the procedures that may be required. See the manufacturer documentation for your
SafeNet Luna.

Follow these steps:

1. Configure a network connection. The Luna appliance must be configured to be visible on the
network, and must be visible to CA Privileged Access Manager using IP addressing or machine
name (FQDN). When you do this, you establish an administrative account and password.
These are used later as the SafeNet Principal Username and SafeNet Principal Password. For
details and instructions, consult the SafeNet documentation.

2. Do the following steps to Initialize the PCI Card:

a. Log in to the console. The console is a shell that is called "Lush" that you can log into
using SSH (for example, using ssh or PuTTY).
Upon login, you are presented with the Lush prompt:
Luna Command Line Shell v4.3.2-3 - (c) 2001 - 2008 SafeNet, Inc. All
rights reserved.
[luna] lunash:>

b. The internal PCI card is in its factory state and must be initialized for use. Type the
following command to Initialize the PCI card.
[luna] lunash:> hsm init -d xsuite -l xsuite -s <password> -f

As shown, you must use the string "xsuite" for the "-d" and the "-l" (lower case el)
options. The "-s" option specifies the mandatory "security officer" password and is
user-selectable.
Example:
[luna] lunash:> hsm init -d xsuite -l xsuite -s xD6@8iJkd!F -f

3. Storage must be initialized once on each Luna appliance (up to 3) that integrates with CA
Privileged Access Manager. Once initialized, the storage element on each SA appliance can be
shared by multiple instances of CA Privileged Access Manager.

a. Log in to the internal PCI card:


[luna] lunash:> hsm login

Use the "xsuite" administrator password that you created.

b. Create Storage:
[luna] lunash:> partition create -par xsuite -pas <password> -f

As shown, you must use the string "xsuite" for the "-par" option. The "-pas" option is
the user-selectable storage password.
Example:
[luna] lunash:> partition create -par xsuite -pas 3e)kuuI%6j -f

c. Confirm Storage – You can confirm the creation of the storage and can show the
contents by issuing the following command:

[luna] lunash:> partition showC -par xsuite -pas <password>

Configure CA Privileged Access Manager


Although not required, it is recommended that you configure Luna appliances in CA Privileged Access
Manager only during CA Privileged Access Manager downtime. If your CA Privileged Access Manager
is a production appliance, plan a maintenance window.

Note: When tested for CA Privileged Access Manager 2.3, 5000 target account records took
approximately 10 minutes to process.

Once the SafeNet Luna HSM appliance is prepared to receive communication from CA Privileged
Access Manager, you can configure CA Privileged Access Manager to initiate and establish use of up
to three Luna appliances of the same release level (for example, all 4.3).

Backup the Database


Before configuring CA Privileged Access Manager to engage with the Luna appliance, back up the CA
Privileged Access Manager database.

Follow these steps:

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Config, Database.

3. In the Schedule Backup, Save Configuration and Database or Reset Database panel, click
Save Database and Configuration.
The page updates with a confirmation of the backup creation along with the database (and
configuration) filenames. Note the database filename, which should be similar to:
gkdatabase20130714124622.gz

4. In the Configuration and Database File Operations panel, select the database filename from
the drop-down menu, and click Download.
The database is saved to your local workstation (or other location you choose).

5. Use this file if you must recover your CA Privileged Access Manager database.

Configure the HSM


The following procedure assumes configuration to one Luna appliance, and SafeNet HSM licensing for
CA Privileged Access Manager. See the section on "Scaling" later in this content for information on
changing the number of HSM or CA Privileged Access Manager appliances.

Follow these steps:

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Config, 3rd Party.

3. In the second panel, SafeNet HSM Configuration, enter the Luna credentials that you
established when setting up the device.

a. Enter the Security Principal Username you set when configuring the Luna
administrative account.

b. Enter the Security Principal Password you set when configuring the Luna
administrative account.

c. Enter the Partition Name as specified during Luna (5.2 or later) configuration.

d. Enter the Partition Password you set in the "Create Storage" step during your Luna
configuration procedure earlier.

e. Enter the Address (IP address or FQDN) assigned to the Luna appliance.

4. Click Add to initiate the configuration. After successful account access to the Luna appliance,
the page refreshes, returning with a confirmation message, an updated Network Attached
HSMs panel with the address (labeled HSM), Status (showing as PartitionName :
ConnectionStatus), and permitted Action (Remove button is available) of the configured
appliance, and an empty configuration panel (Figure 184).

5. Reboot CA Privileged Access Manager.

6. Log back in to CA Privileged Access Manager, and navigate to the 3rd Party page.

7. To initiate the required re-encryption of passwords, navigate to Policy, Manage Passwords,
Credential Manager GUI and wait for the page to load.

Note: This re-encryption also occurs immediately following a password request
from an A2A Client, if that occurs earlier.

Scaling
Although not required, we recommend that you configure Luna appliances in CA Privileged Access
Manager only during CA Privileged Access Manager downtime. If your CA Privileged Access Manager
is a production appliance, plan a maintenance window.

Note: When tested for CA Privileged Access Manager 2.3, 5000 target account records took
approximately 10 minutes to process.

Add a Luna Appliance

You can add a second and a third Luna appliance to the CA Privileged Access Manager configuration.
When doing so, repeat the procedures in "Configure Luna" and "Configure CA Privileged Access
Manager."

Requirement: Use the same password for the storage element that you assigned in the Create
Storage procedure for each Luna appliance.
Remove a Luna Appliance

You can remove a Luna appliance from an existing CA Privileged Access Manager configuration.

Follow these steps:

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Config, 3rd Party.

3. In the SafeNet HSM panel (as in Figure 184), click the Remove button of a Luna appliance you
want to remove.
The page refreshes to show removal of the selected appliance.

4. If you have removed the only (remaining) appliance, reboot CA Privileged Access Manager.

5. Log back in to CA Privileged Access Manager, and navigate to the 3rd Party page.

6. If you have removed the only (remaining) appliance, then to initiate the required re-
encryption of passwords, navigate to Policy, Manage Passwords, Credential Manager GUI and
wait for the page to load.

Note: This re-encryption also occurs immediately following a password request from
an A2A Client, if that occurs earlier.

Share a Luna (Group) Among Multiple CA Privileged Access Manager Appliances

A Luna HSM appliance or appliance group that has been configured on one CA Privileged Access
Manager appliance may then be configured on extra CA Privileged Access Manager appliances by
following the procedure in "CA Privileged Access Manager Configuration" earlier in this content.
Requirements: Each CA Privileged Access Manager appliance must use the same encryption/decryption
key.
Share a Luna Group Within a CA Privileged Access Manager Cluster

A Luna appliance group may be configured for use in an existing CA Privileged Access Manager
synchronized cluster by configuring the devices in the following sequence.

Important!: Each member of a CA Privileged Access Manager cluster must use the same
HSM installations – that is, an identical set of Address and Partition Name combinations
should be configured on each CA Privileged Access Manager.

Assumptions:

An existing CA Privileged Access Manager cluster:

Primary CA Privileged Access Manager member (Call this device X1)

First Secondary CA Privileged Access Manager member (X2)

Second Secondary CA Privileged Access Manager member (X3)

Three Luna HSM appliances (of the same release level):

First HSM (H1)

Second HSM (H2)

Third HSM (H3)

Follow these steps:

1. If the CA Privileged Access Manager cluster is active, stop it. Per the following steps, do not
restart the cluster again until after all HSMs have been configured on each CA Privileged
Access Manager device.

2. In the SafeNet HSM Configuration panel on X1, fill in and Add H1.

Do not reboot (until after all HSMs – H1, H2, and H3 – have been configured on X1).

The encryption key must be generated one time only on H1, and then must be copied to
H2 and H3.

3. After CA Privileged Access Manager X1 has successfully connected to H1, fill in and Add H2. Do
not reboot.

4. After CA Privileged Access Manager X1 has successfully connected to H2, fill in and Add H3. Do
not reboot.

5. Now, reboot (primary cluster member) X1.

6. For (secondary cluster member) X2, repeat steps 2 through 5.

7. For (secondary cluster member) X3, repeat steps 2 through 5.

8. Restart the CA Privileged Access Manager cluster.

SafeNet Luna PCI-E Card


CA Privileged Access Manager can use the SafeNet Luna PCI-E HSM card for encryption and
decryption of its stored credentials in place of its built-in cryptographic engine. The following HSM
version is supported:

Model: K6 Base

Firmware Version: 6.2.1

Configuration: Luna PCI (PED) Signing with Cloning Mode

Luna Preparation
The Luna PCI-E card is already installed and configured for CA Privileged Access Manager and a
SafeNet Luna PED (PIN Entry Device). During the "Configure CA Privileged Access Manager to Support
a Luna PCI-E Card" procedure, you provide further configuration through the PED. Do the following
preparation tasks before that time:

Read at least the following sections in the SafeNet Luna PCI-E (here, 5.0) online help from their
DVD: On the "START_HERE.html" page, select Product Documentation, Luna PCI 5.0 Help System,
then navigate from the left Table of Contents:

Review the concepts about Trusted Path Authentication, and information about the PED and
PED (USB) Keys. See E – Concepts, Trusted Path Authentication (options).
Note: Determine how many (of the 10 supplied) PED Keys to use.

Review the steps that you take at the PED with the PED Keys. See A – Configuration, PED
Authentication (Trusted Path) version.
Note: Procedures that describe interaction with the lunacm utility are no longer applicable –
instead, CA Privileged Access Manager handles these steps. "Configure to Support a Luna PCI-E
Card" describes the CA Privileged Access Manager GUI steps that you use in place of that CLI,
with your PED and PED Key responses.

Ensure that you have physical access to your CA Privileged Access Manager appliances.

Ensure that you have your PED and blue, red, and black PED Keys available when you perform
HSM configuration.

Configure CA Privileged Access Manager to Support a Luna PCI-E Card

Database Backup
Before configuring CA Privileged Access Manager to engage with the Luna appliance, back up the CA
Privileged Access Manager database.

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Config, Database.

3. In the Schedule Backup, Save Configuration and Database or Reset Database panel, click
Save Database and Configuration.
The page updates with a confirmation of the backup creation with the database (and
configuration) filenames. Note the database filename, which is similar to:
gkdatabase20130714124622.gz

4. In the Configuration and Database File Operations panel, select the database filename from
the drop-down list, and click Download.
The database is saved to your local workstation (or other location you select).

Use this file if you must recover your CA Privileged Access Manager database.

HSM Configuration
Use this procedure to prepare one Luna PCI-E equipped CA Privileged Access Manager appliance for
SafeNet encryption use.

Important! After activation (as outlined in the following steps), the Luna PCI-E card is
permanently configured for that CA Privileged Access Manager appliance. You cannot
disengage an activated Luna card and start using the built-in Credential Manager
cryptography instead.

Note: To cluster the use of PCI-E cards in a CA Privileged Access Manager appliance cluster,
the following conditions must be true:

All CA Privileged Access Manager appliances must be PCI-E equipped

You must cluster the PCI-E cards according to "Scaling: Configuring a Cluster of CA
Privileged Access Manager/PCI-E Appliances" on this page.

Follow these steps:

1. Plug the PED device into the corresponding outlet on the PCI card interface in the back of the
appliance.

2. At the CA Privileged Access Manager GUI:

a. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

b. Navigate to Config, 3rd Party.


The top panels of the page appear.

Note: If CA Privileged Access Manager does not recognize a PCI card in the
appliance (or if the appliance is a VMware VM or AWS AMI instance), the
SafeNet panels look different.

c. You see a pop-up warning that you are about to erase the contents of the PCI card.

d. When you are ready to continue with following the PED instructions, click OK.

3. With your PED Keys, go back to where the PED interface is visible (attached to the PCI card on
the CA Privileged Access Manager appliance) to perform the following SafeNet-specific steps:

Important! Take care in performing each step. The procedure is not reversible, and
recovery can only be accomplished by repeating the entire procedure.

a. You are prompted several times for individual PED Keys. Perform key insertions and
data entry as requested:

Creation of one (or more) Security Officer (SO) keys, each using a blue PED Key

Creation of a cloning domain key, using a red PED Key. The cloning feature is not
used by CA Privileged Access Manager.

Creation of a user partition, using a black PED Key

When the PED steps are complete, you are presented with a 16-byte challenge
string.

b. Copy (by hand) the challenge string to a secure location.

Important! Be careful when copying this string – it is required to complete
configuration in the CA Privileged Access Manager GUI. If you make a
mistake copying this string or lose it, you cannot recover it. You must then
repeat the key creation procedures.

c. Click Enter, and then return to the CA Privileged Access Manager GUI.

4. Return to the CA Privileged Access Manager GUI.

5. Verify on the 3rd Party page that you see the following information:

At the top of the page, the response message: "Success initializing the internal LunaPCI-E
device"

In the SafeNet HSMs panel, the Status is now "Initialized".

6. Begin activation of the HSM:

a. In the LUNA PCI-E Configuration panel, carefully enter the challenge key into the
Password field.

b. Click Activate.
A warning dialog appears, informing you that you are about to activate the Luna PCI-E
device, and need your black PED Key ready.

c. When you are ready to proceed, click OK.

7. Return to the PED interface with your black PED Key and attach it to complete activation of
the HSM.

8. At the CA Privileged Access Manager GUI, verify on the 3rd Party page that you see the
following items:

At the top of the page appears the response message: "Success activating the LunaPCI-E
device on this [[primary | non primary] clustered | standalone] CA Privileged Access
Manager".

In the LUNA PCI-E Configuration panel, the Password field is blank.

Scaling: Configure a Cluster of CA Privileged Access Manager/PCI-E Appliances


Multiple CA Privileged Access Manager appliances, each with a preinstalled Luna PCI-E card, can be
clustered together. To do so:

1. Perform a complete CA Privileged Access Manager clustering procedure. See the online help
at the Synchronization page for details.

Note: During configuration of PCI-E functionality, each appliance knows whether it
is a CA Privileged Access Manager standalone device, primary cluster member, or
non-primary cluster member, and configures its HSM accordingly.

2. On the primary cluster member GUI and appliance, initialize and activate the Luna PCI-E as
outlined in HSM Configuration.

3. For a non-primary cluster member, at the GUI:

a. Initialize and activate the Luna PCI-E as outlined in "HSM Configuration."

b. In the LUNA PCI-E Configuration panel, click Get Public Key.

c. In a moment, the key is displayed in the Public Key field.

d. Copy (to the buffer or a file location) the full content of the Public Key field. (You
might need to scroll the field to capture the full key.)

e. Log out from this non-primary.

4. For the primary member:

a. With the copied key (in your buffer or a file), log in to the (primary member) GUI:

i. Navigate to Config, 3rd Party.

ii. In the LUNA PCI-E Configuration panel, paste the buffer in the Public Key field.

iii. Click Extract Key.

You see a pop-up window stating that you are about to "securely extract the
encryption key", and advising you to be ready with the blue (SO) PED Key.

b. Go to the back of the appliance, attach the PED, and follow the instructions, including
plugging in the blue key.

c. Return to the (primary member) GUI:

i. Confirm that content now appears in the Encrypted Key field.

ii. Copy (to the buffer or a file location) the full content of the Encrypted Key
field. (You might need to scroll the field to capture the full key.)

iii. Log out from the primary.

5. For the same non-primary member that was used in step 3, and with the copied key (in your
buffer or a file), log in to the GUI:

a. Navigate to Config, 3rd Party.

b. In the LUNA PCI-E Configuration panel, paste the copied key into the Encrypted Key
field.

c. Click Insert Key.

d. You see these responses:

At the top of the page, the response message: "Success inserting the encrypted
cipher key into the LunaPCI-E device"

The LUNA PCI-E Configuration fields are once again blank.

For each other member of the cluster, repeat Steps 3 through 5.

Thales nShield Connect HSM Appliance


This content describes how to integrate one nShield appliance with one CA Privileged Access
Manager (hardware or VMWare OVA) appliance.

Prerequisites: nShield Connect hardware appliance

License: A CA Privileged Access Manager "Thales HSM Capability" license is required to configure
connection to an nShield HSM.

Limitations: Note the following status for the current release:

CA Technologies has verified compatibility with Thales nShield Connect 1500, with client
software, SecWorld-linux-user-11.62.00, version 11.62.00. This client can be used with nShield
Connect versions: 500, 6000, and 6000+.

CA Technologies has verified compatibility with one nShield appliance. However, CA Privileged
Access Manager can accommodate up to three nShield appliances.

Integration with nShield encryption is supported with CA Privileged Access Manager deployed as
a hardware appliance or as a VMware OVA. It is not supported with an AWS AMI deployment.

If the nShield appliance is unreachable from CA Privileged Access Manager, administrators and end
users are unable to manage or use passwords and cannot invoke some applicable GUI pages. (There
is no failover to Credential Manager.)

Configure nShield
Before you can configure communication with the nShield HSM appliance, prepare the HSM to
recognize CA Privileged Access Manager.

Note: The following procedures describe a third-party environment (Thales nShield
Connect 7.1) that is outside CA Technologies control. For information about nShield, see
the manufacturer documentation.

Install and configure the nShield appliance according to the Thales product documentation.

Follow these steps:

1. Install and configure the nShield appliance.


Make note of the nShield appliance Ethernet interface IP address. This is entered in the CA
Privileged Access Manager configuration Address field. You cannot use an FQDN (or other
DNS name).

2. Create a Security World.

3. Create an Operator Card Set.


An Operator Card Set ("OCS") contains one or more smart cards that are used by the nShield
Security World. These cards protect all cryptographic secrets that a client like CA Privileged
Access Manager can create.

Important! When creating an operator card set with more than one card, each card
must have the same OCS name and password. This allows a CA Privileged Access
Manager appliance to use multiple nShield HSMs as a failover group. In addition, CA
Privileged Access Manager searches the nShield appliance for the operator card
based on this name. Both the name and password are user selectable.

This OCS must be a "1 of N" set, where N is at least the number of HSMs. N can be
greater than that number, but the OCS must be 1 of N.

Make note of the OCS name. This is entered in the Token Label field.

Make note of the OCS pass phrase. This is entered in the Token Password field.

4. Create the Remote File System.

The Remote File System ("RFS") is used to store configuration data and shared secrets for
clients (in this case, CA Privileged Access Manager appliances) that are configured in a
clustered environment to share an HSM or group of HSMs.

Make note of the IP address of the client computer on which you set up the RFS. This is
entered in the Remote File System field. Do not use an FQDN.

5. Register your CA Privileged Access Manager (or each member in your cluster) as a client of:

a. The nShield appliance. During this process, configure the client as a "non-privileged"
client that does not use an nToken device.

b. The RFS.

c. Type the following command:

rfs-setup --gang-client --write-noauth Xsuite_IP_address

Configure CA Privileged Access Manager


Once a Thales nShield Connect HSM appliance is prepared to receive communication from CA
Privileged Access Manager, configure CA Privileged Access Manager to initiate and establish use of up
to three nShield appliances of the same release.

Important! We strongly recommend that you configure nShield appliances in CA
Privileged Access Manager only during downtime. For an appliance in production,
plan a maintenance window.

License Installation
Prior to configuring CA Privileged Access Manager to communicate with your HSMs, license CA
Privileged Access Manager for HSM use.

Back Up the Database


Before configuring CA Privileged Access Manager to engage with the nShield appliance, back up the
CA Privileged Access Manager database.

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Config, Database.


3. In the Schedule Backup, Save Configuration and Database or Reset Database panel, click
Save Database and Configuration.
The page updates with a confirmation of the backup creation along with the database (and
configuration) filenames. Note the database filename, which is similar to:
gkdatabase20130714124622.gz

4. In the Configuration and Database File Operations panel, select the database filename from
the drop-down menu, and click Download.
The database is saved to your local workstation (or other location you choose).
Use this file if you must ever recover your CA Privileged Access Manager database.

Specify and Integrate the HSM


The following procedure assumes configuration to one nShield HSM appliance. See Configuration
Options (see page 91) for information on changing the number of HSM or CA Privileged Access
Manager appliances.

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Config, 3rd Party.

3. In the Thales HSM Configuration panel, enter the nShield credentials that you established
when setting up that appliance:

a. Enter the name of the applicable OCS you set when configuring the nShield appliance
in the Token Label field.

b. Enter the IP address (not a DNS name) of the client computer on which you set up the RFS
when configuring the nShield appliance as the Remote File System.

Note: The standard port that is used with the two nShield address
parameters is 9004, but it does not need to be specified here explicitly.
However, if you are not using this default port number, you must identify
any alternate port in a full socket declaration, for example: 192.168.0.2:9999

c. Enter the password of the applicable OCS you set when configuring the nShield
appliance as the Token Password.

d. Enter the Address (IP address only, not a DNS name) assigned to the nShield
appliance.

4. Click Add to initiate the configuration.


If you are configuring a first HSM, all passwords in the database are reencrypted. A dialog
appears, warning you of this effect and allowing you to cancel.
If this is the configuration of a second or third HSM, no reencryption or dialog occurs.
During the process of changing from native CA Privileged Access Manager to nShield
encryption, the Credential Manager database is copied to the nShield appliance. During this
time, which for several thousand records should last about 10 minutes or less, the existing
Credential Manager database is still available for use by CA Privileged Access Manager for
other purposes.
After successful account access to the nShield appliance, the page refreshes, returning with a
confirmation message and an updated Networked Attached HSMs panel with the address and
status of the appliance, and a now empty configuration panel.

5. Reboot CA Privileged Access Manager.

6. Log back in and navigate back to the 3rd Party page.

7. To confirm the required reencryption of passwords, navigate to the Policy, Manage Passwords,
Credential Manager GUI and wait for that page to load.
This reencryption also occurs immediately following a password request from an A2A Client, if
that occurs earlier.

The following table provides reference material for the configuration panels that are displayed when
configuring Thales nShield:

Column Name | Format | Options/Example | Description

The Network Attached HSMs and Thales HSM Configuration panels are the status and staging areas, respectively, for configuring CA Privileged Access Manager to use HSM(s) for managed password encryption.

Networked Attached HSMs panel, per line item, when one or more HSMs are configured:

HSM | IP v4 address | Dotted quad, as in: 192.168.0.2 | Indicates the IP address of an nShield Connect HSM appliance that is configured in CA Privileged Access Manager.
Status | Enumerated | online or offline | For the configured HSM in this HSM line item, indicates the status of its communication with CA Privileged Access Manager (or the applicable CA Privileged Access Manager cluster).
Action | Button | Remove | For the configured HSM in this HSM line item, remove the HSM from configuration. This can be initiated whether the HSM is online or offline. If this is the last HSM in the list, then after selection of the Remove command a pop-up appears to warn the administrator that the reencryption (to native Credential Manager encryption) will occur.

Thales HSM Configuration panel allows you to stage HSM parameters as follows:

Token Label | String | As set during nShield configuration | Enter the name of the applicable OCS (Operator Card Set) you created when configuring the nShield appliance.
Remote File System | IP v4 address | Dotted quad, as in: 192.168.0.2 | Enter the IP address of the Remote File System (RFS) used. NOTE: For Thales HSMs, a DNS name is not permitted.
Token Password | String | As set during nShield configuration | Enter the password of the applicable OCS (Operator Card Set) you created when configuring the nShield appliance.
Address | IP v4 address | Dotted quad, as in: 192.168.0.2 | Enter the IP address of the nShield Connect. NOTE: For Thales HSMs, a DNS name is not permitted.
Add | Button | (none) | Activates CA Privileged Access Manager use of the HSM. If this is the first HSM staged, then after initiation of this Add command, a pop-up appears to (1) warn the administrator that "Adding this HSM configuration will trigger reencryption of all passwords in the database", and (2) advise the administrator to do a password database backup first. After completion of this Add command, a (green) confirmation message along with the instruction to reboot, or a (red) error message, appears at the top of the page.
Token Password | String | As set during nShield configuration | Enter a new password for the applicable OCS (Operator Card Set) you set when configuring the nShield appliance. Set the new password on the nShield before entering it here.
Update & Activate | Button | (none) | After you click this button, CA Privileged Access Manager does the following operations: attempts communication to the (primary) HSM; if successful, confirms that the new Token Password is in the HSM; if successful, stores the new password in CA Privileged Access Manager.

Configuration Options
You can change the CA Privileged Access Manager configuration of HSMs to add or remove one or
more HSMs, and/or update the stored OCS password.

Important! We strongly recommend that you configure nShield appliances in CA
Privileged Access Manager only during CA Privileged Access Manager downtime. If your CA
Privileged Access Manager is a production appliance, plan a maintenance window.

Add HSMs

You can connect (Add) one or two more HSMs, for a maximum of three (3) HSMs.

Follow these steps:

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Config, 3rd Party.

3. In the second panel, enter the credentials that you established when setting up the device.

a. Enter the Security Principal Username you set when configuring the nShield
administrative account.

b. Enter the Security Principal Password you set when configuring the nShield
administrative account.

c. Enter the Partition Name as specified during nShield (5.2 or later) configuration.

d. Enter the Partition Password you set in the "Create Storage" step during your nShield
configuration procedure earlier.

e. Enter the Address (IP address or FQDN) assigned to the nShield appliance.

4. Click Add to initiate the configuration. After successful account access to the nShield
appliance, the page refreshes, returning with a confirmation message, an updated Network
Attached HSMs panel with the address (labeled HSM), Status (showing as PartitionName :
ConnectionStatus), and permitted Action (Remove button is available) of the configured
appliance, and an empty configuration panel (Figure 184).

5. Reboot CA Privileged Access Manager.

6. Log back in to CA Privileged Access Manager, and navigate to the 3rd Party page.

7. To initiate the required re-encryption of passwords, navigate to Policy, Manage Passwords,
Credential Manager GUI and wait for the page to load.

Note: This re-encryption also occurs immediately following a password request
from an A2A Client, if that occurs earlier.

The Token Password value should be the same as that used for the first HSM; otherwise, you need
to reconfigure your (additional) HSM OCS.

Remove HSMs

You can Remove any number of HSMs (one-by-one), and (eventually) reverse the encryption
mechanism back to native Credential Manager. To do so:

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Config, 3rd Party.


The Networked Attached HSMs panel at the top of the page should show one or more HSMs,
as in Figure 191.

3. Confirm that the HSM or HSMs are online.

4. At the right-hand side of the line item of the HSM you want to remove from CA Privileged
Access Manager integration, click Remove.
If this is the only HSM currently configured, you see a pop-up message warning you that
removal triggers reencryption of all passwords in the database (as they are reassigned to
native Credential Manager).

5. Following the re-encryption process, you see a green "Success …" (or a red "Error …")
message.

6. Reboot CA Privileged Access Manager.

7. Log back in to CA Privileged Access Manager, and navigate back to the 3rd Party page.
You should see the same page as shown in Figure 189, except that the "Success …" message is
gone, confirming that the HSM is no longer being used.

8. To confirm the required re-encryption of passwords, navigate to the Policy, Manage
Passwords, Credential Manager GUI and wait for that page to load.
This reencryption also occurs immediately following a password request from an A2A Client, if
that occurs earlier.

CA Privileged Access Manager Cluster / nShield Group

An nShield HSM or HSM group can be configured for use in an existing CA Privileged Access Manager
synchronized cluster.

Assumptions:

An existing n-member CA Privileged Access Manager cluster:

Primary CA Privileged Access Manager member (X1)

First Secondary CA Privileged Access Manager member (X2)

Last Secondary CA Privileged Access Manager member (Xn)


Up to three nShield HSM appliances (of the same release level):

First HSM (H1)

Second HSM (H2), if any

Third HSM (H3), if any

Follow these steps:

1. On X1:

a. Perform preliminary procedures, if needed: database backup and/or license
installation.

b. Specify and integrate (see page 88) H1.

c. If there is an H2, specify and integrate (see page 88) it.

d. If there is an H3, specify and integrate (see page 88) it.

2. On each of (X2 … Xn), repeat substeps a-d.

Common HSM Features


The following features apply to all brands of HSMs.

Updating Passwords
You can update the Token Password of an installed Thales nShield HSM, or the Partition Password of
an installed SafeNet Luna SA HSM, without taking the HSM offline.

1. On the HSM appliance or appliances, change the relevant HSM password. (See the
manufacturer documentation.)

2. In CA Privileged Access Manager Web UI or Client, navigate to the Config, 3rd Party, Network
Attached HSMs panel and confirm that the HSM Status field at the top of the panel shows
"online."
For example, for a Thales HSM:

In the Thales HSM Configuration staging panel, enter the new password in the second Token
Password field at the bottom of the panel (beside the Update and Activate button).

Note: Because the password field characters are hidden, you can copy and paste
the password instead of typing the password to avoid data entry errors. If you have
multiple HSMs, the Token Password is the same on each, so you do not have to
identify the specific appliance.

3. To the right of that field, click Update & Activate.
A response is presented at the top of the 3rd Party page:

If the password is correct, the following response appears:
"Success updating the HSM password."

If the password is not correct, or if there was a problem communicating with the HSM, the
following response appears:
"Error the HSM password is incorrect."

Logging
Splunk endpoints can be specified as resources for CA Privileged Access Manager.

Splunk Server Specification


Splunk Forwarder 6.2 is preinstalled in CA Privileged Access Manager 2.5 and later, with more Splunk
system software updates. Splunk endpoints can now be configured as resources for CA Privileged
Access Manager. (No license is required.)

To add Splunk servers as resources, follow these steps:

1. Go to Config, 3rd Party.

2. Find the Splunk Configuration section.

3. Go to the Add New Server fields.

4. Enter the server IP address or FQDN, and the port, in the left and right fields, respectively.

5. Click Add to engage the server and include it in the Current Servers list.

6. Repeat for each server.

Apply Firmware and Feature Licenses


Activation
The CA Privileged Access Manager Licensing page, available at Config, Licensing, reports on these
capabilities and limitations:

Maximum number of Access Devices that can be used

Maximum number of Credential Manager (Password) Devices that can be used

Maximum number of A2A Devices that can be used

Whether Mainframe Capability is enabled or disabled

Whether AWS connection Capability is enabled or disabled


Maximum number of AWS API Proxy Users that can be provisioned

Maximum number of VMware NSX API Proxy Users that can be provisioned

Whether VMware connection Capability is enabled or disabled

Whether External REST API Capability is enabled or disabled

Whether Office365 administrative account Capability is enabled or disabled

Whether SafeNet HSM Capability is enabled or disabled. If SafeNet is enabled, Thales cannot be
enabled.

Whether Thales HSM Capability is enabled or disabled. If Thales is enabled, SafeNet cannot be
enabled.

A Start Date

For CA Privileged Access Manager as an AWS AMI instance only: An End Date

Type of license: Perpetual (no end date), Temporary, or Evaluation (also temporary)

A license file is prepared by CA Technologies and installed with your appliance. An update is provided
to you to use to overwrite an existing license through the Install New License pane.

Virtual Devices That Exceed License Limits


A fixed number of Device permits for each Device Type is created with each license. When a Device is
created rather than imported, that Device is saved only if there is an available license permit.

If an imported Device exceeds the permit count, it is provided a Device record, but it is not
provisioned. It does not have Access or Password Management capability. The Device thus has a
placeholder but is not operational. If you attempt to assign and Save a Device Type, the attempt is
rejected. Later, when either a permit is freed up or another Device permit is added, the Device record
can be used.

Apply Feature Controls


The CA Privileged Access Manager Security Configuration page allows the administrator to change or
edit information about:

SSL certificate that CA Privileged Access Manager uses for encryption

PKI, which involves the items to enable smartcard authentication, including Certificate Revocation
Lists (CRLs)

SAML SSO settings

Also on the Config menu, you find settings for SSL VPN and backups. This section also includes
information on troubleshooting.

Security Configuration (see page 96)
Certificates Configuration (see page 102)
Configure SSL VPN (see page 106)
Configure Backups (see page 107)
Power and Reboot (see page 109)
Diagnostics and Troubleshooting (see page 109)

Security Configuration
The CA Privileged Access Manager Security Configuration page allows the administrator to change or
edit information about:

Cryptography
CA PAM uses TLS 1.0, TLS 1.1, or TLS 1.2 to protect communications that it manages. Client
connection sessions are protected using AES256 or AES128 encryption with SHA128 or SHA1 hashing.
An AES key can also be obtained using a SHA1 hash (which FIPS permits).

Note: Java does not currently support Diffie Hellman (DH) Key Agreement using key sizes of
2048 bits or more. As a result, if a server generates a DH key size 2048 bits or larger, Java
throws an exception and the SSH connection fails.

CA PAM generates certificate requests and self-signed certificates using RSA 2048 or RSA 4096
certificates with SHA512 hashing. Certificates can also be uploaded to CA PAM in PEM and DER
formats. CA PAM also supports Public Key Infrastructure (PKI) authentication by using X.509
certificates. Clients present their certificates to CA PAM, which uses its internal certificate chain and a
certificate revocation list (CRL) or OCSP to validate the client.

Session keys are destroyed by zeroing memory after the user disconnects from the session. Key
generation includes public-private RSA keys and an AES-256 credential storage key. RSA keys are
provided upon request of the user. A credential storage key is created on initial boot.

An authorized administrator sets the encryption policy through options provided on the Security page
as described here.

Credential Manager Security


CA PAM encrypts target credentials before storing them. Through a cryptographic connector,
Credential Manager allows you to customize how your credentials are encrypted in the secure
database. CA PAM provides a cryptographic connector that uses a robust 256-bit cryptographic
kernel for maximum security.

A2A Client Connection Security


When an A2A Client registers with CA PAM, it identifies the client by the following data, in the order
listed:

1. The fingerprint for the host on which the client resides, if fingerprinting is enabled

2. A unique client token

3. DNS

When a requestor application requests credentials, the credentials remain encrypted as they are
transferred over the network. The A2A Client decrypts the credentials before passing them to the
requestor.

PKI Smartcard Authentication


CA PAM accepts certificates that are loaded on a Smartcard or in a browser for authentication. A
working Public Key Infrastructure must be present. FIPS mode is fully compatible with PKI smartcard
use, including the US DOD CAC system.

Setting the Certificate Check Method


Under the Choose a CRL Option, one of the two options must be specified and correctly configured.
For CA PAM to authenticate a user with a PKI/smartcard, it must be able to validate the client
certificate against the Certificate Chain. The Certificate Chain must be uploaded to CA PAM in the
proper order for this validation to take place. Two options are available for the certificate status
check:

Use downloaded Certificate Revocation List (CRL)

Use Online Certificate Status Protocol (OCSP)


Option A: CRL

The administrator manually updates the intermediate CRL periodically before it expires. Select "Use
downloaded CRL" in the CRL Options.
In the Upload Certificate or Private Key area, perform the following steps:

1. Upload the Root Certificate: Upload the Root Certificates of each Chain to be used in CA PAM.
The root certificate must be downloaded from the Certificate Authority (CA). It must match
with the Certification path of the user certificates.

Option | Description
CA Bundles | Upload the root certificate.
Other Options | Select either PKCS 11 or X.509 format for the certificates to be uploaded.
Filename | Browse to the certificate to be uploaded.
Destination Filename | Change the filename of the certificate. The filename can be left blank if the name stays the same.
Passphrase | Enter the password if necessary for the certificate.

2. Upload the Root CRL

Option | Description
Certificate Revocation List | Upload the root certificate CRL.
Other Options | This field does not apply to the CRL and does not require a change.
Filename | Browse to the CRL to be uploaded.
Destination Filename | Change the filename of the CRL. The filename can be left blank if the name stays the same.
Passphrase | Enter the password if necessary for the CRL. Note: Passwords are not typically required for CRLs.

a. Select the Upload button.

3. Upload the Intermediate Certificates: Intermediate certificates might be necessary
depending on the PKI in the environment. They must match the Certification path of the
user certificates.

a. Fill out fields

Option | Description
Intermediate Certificate | Upload the intermediate certificate.
Other Options | Select either PKCS 11 or X.509 format for the certificates to be uploaded.
Filename | Browse to the certificate to be uploaded.
Destination Filename | Change the filename of the certificate. The filename can be left blank if the name stays the same.
Passphrase | Enter the password if necessary for the certificate.

b. Select the Upload button.

4. Upload the Intermediate certificate CRL

a. Fill out fields.

Option | Description
Certificate Revocation List | Upload the root certificate CRL.
Other Options | This field does not apply to the CRL and does not require a change.
Filename | Browse to the CRL to be uploaded.
Destination Filename | Change the filename of the CRL. The filename can be left blank if the name stays the same.
Passphrase | Enter the password if necessary for the CRL. Note: Passwords are not typically required for CRLs.

b. Select the Upload button.
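The checks that sit behind Option A, as an added example that is not CA PAM code: it uses the third-party Python 'cryptography' package (an assumption about the environment) to build a constructed root CA, intermediate CA, client certificate and intermediate CRLs in memory, then validates the client certificate the way the procedure above requires, showing why the chain must be supplied in issuing order and why the intermediate CRL has to be refreshed before its next-update time passes.

```python
"""Chain + CRL validation of a client (smartcard) certificate: an added example,
not CA PAM code. Needs the third-party 'cryptography' package (assumption) and
builds a constructed PKI in memory: root CA -> issuing (intermediate) CA ->
client certificate, plus CRLs signed by the issuing CA. validate_client() does
the checks behind the "Use downloaded CRL" option: chain order and signatures,
validity dates, CRL issuer/signature, CRL freshness, revocation by serial."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

DAY = dt.timedelta(days=1)

def _now():
    # Naive UTC, which old and new 'cryptography' releases both accept in builders.
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)

def _utc(obj, attr):
    """Read a date attribute as naive UTC on any cryptography version."""
    aware = getattr(obj, attr + "_utc", None)  # *_utc properties exist since 42.0
    return aware.replace(tzinfo=None) if aware is not None else getattr(obj, attr)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _signed_by(signed, tbs_bytes, issuer_cert):
    """True if issuer_cert's RSA public key verifies the signature on 'signed'."""
    try:
        issuer_cert.public_key().verify(signed.signature, tbs_bytes, padding.PKCS1v15(),
                                        signed.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def make_cert(subject_cn, issuer_cn, pub, signer_key, is_ca, not_before, days):
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_before + days * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def make_crl(issuer_cert, issuer_key, revoked_serials, this_update, days):
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(this_update).next_update(this_update + days * DAY))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(serial)
                                      .revocation_date(this_update).build())
    return b.sign(issuer_key, hashes.SHA256())

def validate_client(leaf, chain, crl, now):
    """Return (ok, reason). 'chain' is [issuing CA, ..., root] in issuing order,
    which is also the order in which intermediate and root certificates are uploaded."""
    links = [leaf] + list(chain)
    for child, parent in zip(links, links[1:]):  # each cert must be issued by the next one
        if child.issuer != parent.subject:
            return False, "chain order: %s was not issued by the next certificate" % child.subject.rfc4514_string()
        if not _signed_by(child, child.tbs_certificate_bytes, parent):
            return False, "bad signature in chain"
    root = links[-1]
    if root.issuer != root.subject or not _signed_by(root, root.tbs_certificate_bytes, root):
        return False, "chain does not end in a self-signed root"
    for cert in links:
        if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
            return False, "certificate outside its validity period"
    issuer = chain[0]  # the CRL that matters for the leaf is its issuer's CRL
    if crl.issuer != issuer.subject or not _signed_by(crl, crl.tbs_certlist_bytes, issuer):
        return False, "CRL was not issued by the client certificate's issuer"
    if _utc(crl, "next_update") < now:  # a stale CRL is rejected, not silently trusted
        return False, "CRL expired: a fresh intermediate CRL must be uploaded"
    if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return False, "client certificate is revoked"
    return True, "ok"

def run_scenarios():
    """Constructed PKI and four outcomes a validator must tell apart."""
    now = _now()
    root_key, ica_key, user_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = make_cert("Demo Root CA", "Demo Root CA", root_key.public_key(), root_key, True, now - DAY, 3650)
    ica = make_cert("Demo Issuing CA", "Demo Root CA", ica_key.public_key(), root_key, True, now - DAY, 1825)
    user = make_cert("jdoe", "Demo Issuing CA", user_key.public_key(), ica_key, False, now - DAY, 365)
    fresh = make_crl(ica, ica_key, [], now - DAY, 30)
    revoking = make_crl(ica, ica_key, [user.serial_number], now - DAY, 30)
    stale = make_crl(ica, ica_key, [], now - 60 * DAY, 30)  # nextUpdate was 30 days ago
    return {"valid": validate_client(user, [ica, root], fresh, now),
            "revoked": validate_client(user, [ica, root], revoking, now),
            "stale_crl": validate_client(user, [ica, root], stale, now),
            "wrong_order": validate_client(user, [root, ica], fresh, now)}

if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print("%-12s %s  %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```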

Option B: OCSP

CA PAM sends an Online Certificate Status Protocol (OCSP) request to the OCSP server to validate
client certificates. OCSP server information is included in the client certificate. Select "Use
downloaded CRL" in the CRL Options while uploading the certificates and root CRLs.

1. Upload the Root Certificate
Upload the Root Certificates of each Chain to be used in CA PAM. The root certificate must be
downloaded from the Certificate Authority (CA). It must match with the Certification path of
the user certificates.

a. Enter field options

Option | Description
CA Bundles | Upload the root certificate.
Other Options | Select either PKCS 11 or X.509 format for the certificates to be uploaded.
Filename | Browse to the certificate to be uploaded.
Destination Filename | Change the filename of the certificate. The filename can be left blank if the name stays the same.
Passphrase | Enter the password if necessary for the certificate.

b. Select the Upload button.

2. Upload the Root CRL

a. Fill out fields

Option | Description
Certificate Revocation List | Upload the root certificate CRL.
Other Options | This field does not apply to the CRL and does not require a change.
Filename | Browse to the CRL to be uploaded.
Destination Filename | Change the filename of the CRL. The filename can be left blank if the name stays the same.
Passphrase | Enter the password if necessary for the CRL. Note: Passwords are not typically required for CRLs.

b. Select the Upload button.

3. Upload the Intermediate Certificates: Intermediate certificates might be necessary
depending on the PKI in the environment. They must match the Certification path of the
user certificates.

a. Fill out fields

Option | Description
Intermediate Certificate | Upload the intermediate certificate.
Other Options | Select either PKCS 11 or X.509 format for the certificates to be uploaded.
Filename | Browse to the certificate to be uploaded.
Destination Filename | Change the filename of the certificate. The filename can be left blank if the name stays the same.
Passphrase | Enter the password if necessary for the certificate.

b. Select the Upload button.

4. Upload the Intermediate certificate CRL

a. Fill out fields

Option | Description
Certificate Revocation List | Upload the root certificate CRL.
Other Options | This field does not apply to the CRL and does not require a change.
Filename | Browse to the CRL to be uploaded.
Destination Filename | Change the filename of the CRL. The filename can be left blank if the name stays the same.
Passphrase | Enter the password if necessary for the CRL. Note: Passwords are not typically required for CRLs.

b. Select the Upload button.

5. Set OCSP certificate status checking
Select "Use OCSP" in the CRL Options.

Enable Smartcard Authentication


Smartcard authentication for CA PAM must be enabled before the authentication method is available
to the users.

The PKI/Smartcard User Logon checkbox is used to enable/disable PKI authentication. With this
option checked, the browser prompts for a client-side certificate upon locating the URL of the
configured CA PAM.

The Login Page Without CAC checkbox lets you enable/disable username/password-based
logons. When this box is checked and if a smartcard is not present, users are not able to log in to
CA PAM. If the box is unchecked, users have the option of authenticating using username and
password or other configured authentication methods. If users are unable to authenticate using
smartcard, the configuration page is always available using a known username and password.

Important! The ActivID ActivClient attempts to send the Smartcard certificate to the login page. The
user must either disable ActivClient or select Cancel when prompted.

Registering and Enabling Users


The first time that a smartcard user accesses CA PAM, certificate information is registered with CA
PAM. The administrator must approve the user and must enable the account with the correct
associations before access is granted.

User Procedure on Client

1. Ensure that ActivID 6.0 or 6.1 is properly configured to read the card; it is configured correctly
if the contents of the certificate can be viewed in ActivClient Agent.

2. Open an Internet Explorer 6 or higher browser and point the URL to that of CA PAM. You are
then required to enter the PIN of the card. Enter the appropriate PIN.

3. Select the appropriate certificate from the browser store. In environments with multiple
certificates, either the identity or the dual-purpose certificates can be used to authenticate to
CA PAM. Once the certificate is chosen, it is verified against its Certificate Chain in CA PAM.

4. The first time that you access a CA PAM appliance using PKI, you receive a message that the
Client certificate is in the registration process.

5. After a CA PAM administrator approves your account and provides the correct associations,
you can then log in to CA PAM with a smartcard.

Administrator Procedure On CA PAM

1. Select Users, Approve CAC User.

2. Approve or delete each smartcard User.

3. Set policy and otherwise configure the User as appropriate.

SAML IdP and SP


SAML authentication is provided by CA PAM acting as a SAML IdP (Identity Provider). CA Privileged
Access Manager can also provide services subject to SAML authentication (provided by another server)
by acting as a SAML Service Provider (SP). Configuration of either or both is managed primarily from
the Config, Security page.
See SAML (see page 41) for detailed setup instructions.

Enable/Disable Config User


Clicking the (default) Disable config user button disables the built-in "config" user account (or its
substituted name, if changed using the Change Password page); the button toggles to Enable config
user so that the action can be reversed later, if desired.
When a user then attempts to log in to the config account (through the /config/ login interface), the
credentials are rejected and the pop-up credentials prompt is returned.

Certificates Configuration
A CA Privileged Access Manager administrator can create a certificate or a certificate-signing request
(CSR) on the Config, Security page. These procedures create either a self-signed SSL certificate or a
CSR for the appliance's DNS name. Doing so is recommended to prevent the extra warning pop-up
windows that Microsoft Windows generates when the SSL certificate is not trusted.

Important! The certificate Subject attribute must contain a Common Name (CN) attribute
that matches the FQDN (Fully Qualified Domain Name) or the IP Address of the CA
Privileged Access Manager host.

Create Certificate or CSR


Option 1 (see page 102) (create self-signed certificate): Recommended as the minimum; also
useful for testing environments. It is available at no cost, but each user's browser must be made to
trust the certificate (see steps 7 through 9).

Option 2 (see page 103) (generate a CSR): Requires more steps and might involve a cost.
Ordinarily used when an organization requires it.

Option 1: Create a Self-Signed Certificate


1. In the Type pane of the Create Certificate or CSR panel, select the Self-Signed Certificate
option button. Enter information for the fields. Do not use special characters.

Option: Description

Key Size: 1024 or 2048. Default: 1024. Select 2048: 1024-bit RSA keys have been deprecated
(NIST SP 800-131A disallows them for new use after 2013) and publicly trusted CAs no longer
issue certificates for them.
Common Name: Set the DNS name or IP address of CA Privileged Access Manager in the certificate.
Country: Set the country of the certificate.
State: Set the state of the certificate. Note: Use the full name rather than an abbreviation.
City: Set the city of the certificate.
Organization: Set the organization (typically a company or agency name) of the certificate.
Org. Unit: Set the organizational unit name (typically a subdivision or location of the
Organization) for the certificate.
Days: Set the validity time-period. The current CA Privileged Access Manager appliance date
becomes the "Not Valid Before" date for the certificate; the "Days" field is then used to determine
the "Not Valid After" date.
Alternate Subject Names: Optional setting, but required if more than one address is to be used:
List FQDN and IP address aliases to the Common Name, one to a line. This list must include the
Common Name.
Notes: Do not add a newline (line feed) after the last entry.
Refer to: X.509 Subject Alternative Name
Filename: Create a name for the certificate.

2. Select Create.
Stage certificate for use

3. In the Set Certificate panel, select the filename of the certificate previously created.

4. Click Verify Certificate to confirm that this certificate is acceptable by CA Privileged Access
Manager.

5. Select Accept Certificate to switch to the new certificate.

6. Important: Reboot the CA Privileged Access Manager appliance for the new certificate to take
effect.
Install the certificate as a trusted root certificate in a browser

7. When the Security Alert pop-up window appears, select View Certificate.

8. When the Certificate pop-up window appears, select Install Certificate.

Important

The Issued to field must match the URL that is used to access CA Privileged Access
Manager.
The Microsoft Certificate Import correctly installs the certificate when choosing the
automatic selection of the certificate store.
Because the certificate is a root certificate, an extra Security Warning is displayed.
Installing a root certificate makes the browser trust anything signed with its key, so
before accepting the warning confirm that the Issued to name and the thumbprint shown
in the dialog are those of the certificate you created on the appliance; only then can the
warning be bypassed safely.

9. Click the (non-default) Yes button.
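The Create Certificate form produces the same kind of certificate that OpenSSL can produce from the
command line, and OpenSSL can also perform the check stated in the Important note at the start of
this section (that the certificate covers the FQDN or IP address used to reach the appliance). The
following shell functions are an added example and are not CA PAM code or documentation:
make_self_signed builds a 2048-bit self-signed certificate whose subjectAltName lists the Common
Name and every alias, as the Alternate Subject Names field requires, and cert_matches_host reports
whether a given certificate covers a given name or address. The host names, the IP address and the
organization name are constructed placeholders; an openssl binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example (not CA PAM code): build a self-signed server certificate with a
# SAN list that includes the CN, then verify that it matches the name used to
# reach the appliance. Requires openssl on the PATH.

# make_self_signed <outdir> <common_name> [alias ...]
# Writes <outdir>/pam.key and <outdir>/pam.crt. Every name, the CN included,
# is placed in subjectAltName; dotted-decimal names become IP: entries.
make_self_signed() {
  out=$1; cn=$2; shift 2
  san=""
  for n in "$cn" "$@"; do
    case $n in
      *[!0-9.]*) entry="DNS:$n" ;;   # contains a non-digit: a DNS name
      *)         entry="IP:$n"  ;;   # only digits and dots: an IPv4 address
    esac
    san="${san:+$san,}$entry"
  done
  # A request config is used instead of -addext so that this also works
  # with OpenSSL releases older than 1.1.1.
  cat > "$out/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $cn
O = Example Org
[ext]
subjectAltName = $san
EOF
  # 2048-bit RSA (not the form's 1024-bit default) with a SHA-256 signature.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$out/req.cnf" -keyout "$out/pam.key" -out "$out/pam.crt" \
    >/dev/null 2>&1
}

# show_san <cert>: print the subjectAltName entries for inspection.
show_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# cert_matches_host <cert> <fqdn-or-ip>: succeed only if the certificate
# verifies as its own trust anchor AND covers the given name or address,
# which is what a browser checks once the certificate is a trusted root.
cert_matches_host() {
  case $2 in
    *[!0-9.]*) openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1 ;;
    *)         openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1 ;;
  esac
}
```

Run cert_matches_host against the certificate downloaded from the appliance and the exact name in
the browser's address bar; a mismatch there is what produces the Security Alert pop-up even after
the certificate has been installed as trusted.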

Option 2 - Request a Certificate from a Third Party


To build certificate request, follow these steps:

1. In the Type pane of the Create Certificate or CSR panel:

a. Select the CSR option button.

b. Enter information for the fields as identified in Table. Do not use special characters.

Field: Description

Type: As noted in the procedure.
Key Size: 1024 or 2048. Default: 1024. Select 2048; publicly trusted CAs do not issue certificates
for 1024-bit keys.
Common Name: Set the DNS name or IP address of CA Privileged Access Manager in the certificate
request. (This field maps to the CN field of the X.509 certificate.)
Country: Set the country of the certificate request. (This field maps to the C value, the two-letter
country code.)
State: Set the state of the certificate. (This field maps to the ST value, the State designation.)
City: Set the city of the certificate. (This field maps to the L value, the Locality or city
designation.)
Organization: Set the organization (typically a company or agency name) of the certificate. (This
field maps to the O value, the Organization designation.)
Org. Unit: Set the organizational unit name (typically a subdivision or location of the
Organization) for the certificate. (This field maps to the OU value, the Organizational Unit
designation.)
Days: Set the validity time-period. The current CA Privileged Access Manager appliance date
becomes the "Not Valid Before" date for the certificate; the "Days" field is then used to determine
the "Not Valid After" date. Only used for self-signed certificates; a third-party CA sets the validity
of the certificate it issues.
Alternate Subject Names: Optional setting, but required if more than one address is to be used:
List FQDN and IP address aliases to the Common Name, one to a line. This list must include the
Common Name.
Notes: Do not add a newline (line feed) after the last entry.
Refer to: X.509 Subject Alternative Name
Filename: Create a name for the certificate.
Note: This is also the name of the private key that is generated. It must exactly match the name
of the certificate when uploaded.

2. In the Pick a file drop-down list of the Download Certificate or CSR panel, select the filename
of the CSR you created, and click Download.
This *.pem (PEM) file is used to request a certificate from a third party Certificate Authority
(CA) such as VeriSign. An advantage to this approach is that users do not have to install root
certificates because the third party validates the site and already has a trust relationship with
the browser.

Obtain new certificate

3. Follow instructions from the chosen third-party CA (certificate authority) and receive a
certificate.

Upload new certificate

4. As necessary, rename the certificate received from the third party so that:

a. Its base name is the same as the one that was originally generated.

b. Its new extension is .crt

Example: If the original PEM name was abc.pem, the uploaded file must be (re)named
abc.crt

5. In the Upload Certificate or Private Key panel:

a. Select the certificate by browsing to the applicable Filename.

b. In the Type pane, select:

i. Certificate if the CSR was generated by CA Privileged Access Manager

ii. Certificate with Private Key if the CSR was not generated by CA Privileged
Access Manager

c. Enter information for the fields. Do not use special characters.

Field: Description

Type: As noted in the procedure.
Other Options: Select whichever format is applicable (PKCS 11 or X.509) for the certificates to be
uploaded.
Filename: As noted in the procedure.
Dest. Filename: Can be used to change the filename of the certificate. This field can be left blank
if the name stays the same.
Note: If CA Privileged Access Manager generated the CSR, the "Destination Filename" must match
the name of the CSR so that it matches the private key properly.
Passphrase / Confirm [Passphrase]: Enter the passphrase, then re-enter it in Confirm, when
necessary for the certificate.
Note: A passphrase is probably necessary when uploading a certificate together with its private
key; it is the one set by whoever produced the key bundle (for example, the third-party CA).

Stage new certificate

6. In the Set Certificate panel:

a. Pick a filename to select the certificate generated by the third-party CA.

b. Click Verify Certificate to ensure that CA Privileged Access Manager accepts the
certificate.
Either a confirmation phrase or an error message is provided at the top of the page.

c. After certificate confirmation, select Accept Certificate to stage the new certificate for
activation (following a reboot).

7. Important: To activate the new certificate, reboot CA Privileged Access Manager.

8. After reboot, return to the Security page. To the right of System Certification, the newly
activated certificate name appears.

Certificate Revocation List


The Certificate Revocation List is available on the Certificate Info page accessible from the Config
menu. The list shows all existing Certificate Revocation List (CRL) files currently on CA Privileged
Access Manager, with the status of each.

This option only appears if smartcard authentication is enabled with CRL.

Configure SSL VPN


CA Privileged Access Manager allows you to configure SSL VPN for access methods. SSL VPN provides
to the User access device a routable IP address on the internal network, rather than using CA
Privileged Access Manager to broker connections to the target resource device.

Caution

Verify that your IP address allocation does not conflict with what is configured by default
for SSL VPN (10.8.0.0/16).
Workaround: If there is a conflict with your existing network, change the SSL VPN address
space to an unused netblock. The smallest subnet that is permitted is a /29.
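A way to perform the address-space check in the Caution above before changing the SSL VPN
netblock, written as an added shell example (not CA PAM code): cidr_overlap tests two IPv4 CIDR
blocks for shared addresses, and check_sslvpn_block rejects a proposed virtual network that is
smaller than a /29 or that overlaps any of the internal networks given to it. The networks in the
usage line are constructed examples; only POSIX shell arithmetic is used, so it runs on the
appliance's client workstation or any jump host without extra tools.

```shell
#!/bin/sh
# Added example (not CA PAM code): check a proposed SSL VPN virtual network
# against the address space already in use before changing it from the
# 10.8.0.0/16 default. IPv4 only; all prefix math is shell arithmetic.

# ip2int a.b.c.d -> 32-bit integer
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask <prefix_len> -> 32-bit netmask as an integer
prefix_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_overlap <cidr_a> <cidr_b>: true (0) when the two blocks share addresses
cidr_overlap() {
  a=${1%/*}; pa=${1#*/}; b=${2%/*}; pb=${2#*/}
  # Two blocks overlap exactly when they agree on the shorter prefix.
  if [ "$pa" -lt "$pb" ]; then p=$pa; else p=$pb; fi
  m=$(prefix_mask "$p")
  [ $(( $(ip2int "$a") & m )) -eq $(( $(ip2int "$b") & m )) ]
}

# check_sslvpn_block <vpn_cidr> <internal_cidr>...: print a verdict and
# return 0 only if the block is at least a /29 and overlaps nothing.
check_sslvpn_block() {
  vpn=$1; shift
  plen=${vpn#*/}
  if [ "$plen" -gt 29 ]; then
    echo "REJECT $vpn: smallest permitted SSL VPN subnet is /29"
    return 1
  fi
  for net in "$@"; do
    if cidr_overlap "$vpn" "$net"; then
      echo "REJECT $vpn: overlaps existing network $net"
      return 1
    fi
  done
  echo "OK $vpn: no conflict with $# existing networks"
  return 0
}

# usage (constructed networks):
#   check_sslvpn_block 10.8.0.0/16 10.1.0.0/16 192.168.0.0/16
#   check_sslvpn_block 10.8.0.0/16 10.0.0.0/8      # rejected: inside 10/8
```

Feed check_sslvpn_block every route the client workstations and the appliance's internal interface
already carry, not just the subnet the appliance sits on; an overlap with any of them silently
black-holes traffic once the VPN adapter is up.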

Example Use Cases


Consider using SSL VPN when the application:

Uses server-to-client communication rather than only the client-to-server direction

Sends an IP address or name that the client tries to connect to

Cannot be forced to use a local loopback address

Note

This connection method requires the installation of a device driver and VPN Ethernet
adapter on the client computer. Use this method only when the application is not able to
use the default method.


Split Tunneling
"Split tunneling" occurs when a user connected through the VPN to an internal network can also
reach the public network directly over the local interface. By default, split tunneling is disabled,
which is the best-practice setting for users connecting to the internal network: with it disabled,
all client traffic passes through the tunnel and the client is not simultaneously exposed to an
external network. However, sometimes, as when using CA Privileged Access Manager with Citrix
Access Gateway, split tunneling is required to allow communication to pass correctly.

Routing Configuration
When using the SSL VPN, user traffic leaving CA Privileged Access Manager has an IP address as
defined in the Virtual Network pane of the SSL VPN Configuration panel. This network must be
configured to use the CA Privileged Access Manager IP address as the default gateway to reach the
defined network.

Client Installation
At each User computer, you must install an SSL VPN client.

In the SSL VPN Service panel, select Download.

You might need to wait a few moments before download begins. CA Privileged Access Manager is
determining the appropriate file for your local OS.

Configure Backups
CA Privileged Access Manager administrators can schedule a backup to save both the Database and
the Configuration files simultaneously. These files are offloaded to an external SFTP or SCP server.
CA Privileged Access Manager authenticates to that server with an SSH public key, over the
encrypted SSH connection, and therefore requires a non-interactive login.

More Information

For information about downloading, deleting, or putting a CA Privileged Access Manager-
stored file into production, see Database Restoration (see page 74).

Best Practices
Schedule database backups as soon as possible, and make them as frequently as practical, so
that a recent backup is available if emergency recovery is needed.

Name / Values / Description

Schedule Backup (Button): Invokes a new window implementing the scheduling widget.
Save Database and Configuration (Button): Dumps to separate files:
1. The currently active database (users, devices, policy), and
2. The currently active CA Privileged Access Manager configuration settings.
3. The action, with the respective filenames, is acknowledged at the top of the page window.
Reset Database (Button): Resets the database to empty and default values. This discards all
provisioned users, devices, and policy; take a backup first.

Database Backup Scheduler


To set a database backup schedule and location:

1. Open the Database Backup Scheduler by selecting: Config, Schedule Backup, Save
Configuration and Database or Reset Database, Schedule Backup.
In the Database Backup Scheduler panel, the Current schedule pane will, by default, indicate
"None": This means that no scheduled backup is performed. When configured however, the
Current Schedule pane displays the Month, Day, Weekday, and time of the active scheduled
backup.

2. Populate fields as specified in table.

3. Set up the receiving server.


To establish a secure communication that does not require an interactive login:

a. Download the key files from the Select authorization file.

b. Copy these key files to the destination server, and into the home directory of the user
who represents CA Privileged Access Manager for authentication.

c. In the destination server ".ssh" directory:

i. Import/append the contents of the (CA Privileged Access Manager) key files
into the authorized_keys file. NOTE: If an authorized_keys file does not exist,
create one for this purpose.

ii. Apply 700 (drwx------) permissions to the .ssh directory.

iii. Apply 600 (-rw-------) permissions to the authorized_keys file.

Important

If these permissions are not applied, the backup fails.

4. After clicking Save Schedule, backup is activated.
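Steps 3a through 3c, applied to the receiving server as one idempotent shell script. This is an added
example and not CA PAM code: install_pam_backup_key appends the appliance's public key to the
backup account's authorized_keys with the restrict option (no pty, no forwarding; SFTP and SCP
transfers still work) and applies the 700/600 permissions from steps 3c-ii and 3c-iii;
check_pam_backup_target re-checks those permissions, plus the home-directory permission that
sshd's StrictModes also enforces and that the step list does not mention. It assumes a Linux receiving
server with GNU coreutils and findutils and OpenSSH 7.2 or later; the key file and its comment used
in the usage lines are constructed.

```shell
#!/bin/sh
# Added example (not CA PAM code): prepare the receiving SFTP/SCP account for
# scheduled backups. Installs the appliance's public key with restrictive
# options and applies the .ssh (700) and authorized_keys (600) permissions
# that the backup requires, then re-checks them.

# install_pam_backup_key <backup_user_home> <pam_pubkey_file>
install_pam_backup_key() {
  home_dir=$1; pubkey=$2
  ssh_dir="$home_dir/.ssh"; auth="$ssh_dir/authorized_keys"
  mkdir -p "$ssh_dir"
  touch "$auth"
  # The key type and base64 body identify the key; the comment is ignored,
  # so re-running with the same key does not add a duplicate line.
  key_body=$(awk '{print $1 " " $2}' "$pubkey")
  if ! grep -qF "$key_body" "$auth"; then
    # "restrict" removes pty, agent/port/X11 forwarding and rc; sftp/scp
    # still work. Assumes OpenSSH 7.2 or later on the receiving server.
    printf 'restrict %s\n' "$(cat "$pubkey")" >> "$auth"
  fi
  chmod 700 "$ssh_dir"
  chmod 600 "$auth"
}

# check_pam_backup_target <backup_user_home>: return 0 if the permissions
# match what the scheduler needs and what sshd's StrictModes will accept.
check_pam_backup_target() {
  home_dir=$1
  ssh_dir="$home_dir/.ssh"; auth="$ssh_dir/authorized_keys"
  # home must not be group- or world-writable, or sshd ignores the key file
  [ -z "$(find "$home_dir" -maxdepth 0 -perm /022)" ] || return 1
  [ "$(stat -c '%a' "$ssh_dir")" = "700" ] || return 1
  [ "$(stat -c '%a' "$auth")" = "600" ] || return 1
  grep -q '^restrict ' "$auth" || return 1
  return 0
}

# usage, as the backup user on the receiving server (constructed key file):
#   install_pam_backup_key "$HOME" /tmp/pam_backup.pub
#   check_pam_backup_target "$HOME" && echo "ready for scheduled backups"
```

Keep the backup account dedicated to this purpose: the restrict option limits what the appliance's
key can do if it is ever copied, but the account still holds every backup it receives, so its home
directory should be readable only by that account.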


Power and Reboot


As a CA Privileged Access Manager administrator, you can shut down or reboot your instance from
the Config menu, on the Power page.

Physical Appliance
This page provides two buttons that allow an administrator to:

Power Off Appliance – shuts down the appliance remotely.

The physical power switch on the appliance remains in the "on" position

The GUI screen appears "frozen," as it does not update (beyond an initial "Powering down"
acknowledgment) or disappear.

Reboot Appliance – shuts down, and then reboots, the appliance remotely.

AWS Instances and VMware VMs


Instead of Power Off Appliance, you can Stop Instance. (This is equivalent to Instance Action,
Stop in the AWS Management Console.)

Instead of Reboot Appliance, you can Reboot Instance. (This is equivalent to Instance Action,
Reboot in the AWS Management Console.)

Diagnostics and Troubleshooting


The CA Privileged Access Manager Diagnostics page is available from the Config menu. The
information that is collected there is used for CA Technologies Support analysis of CA Privileged
Access Manager operation.

Important

When preparing a diagnostics package, use these functions only under the direction of CA
Technologies Support staff.

Diagnostics

System Diagnostic
The System Diagnostic tool gathers information about specific CA Privileged Access Manager file
versions. The tool provides a listing of filenames, showing the dates they were modified and their file
versions. To run the system diagnostic, follow these steps:

1. Obtain a configuration file from CA Technologies Support.

2. Save the file in a location accessible to the CA Privileged Access Manager appliance.

3. Click Choose File to access the configuration file.

4. Click Run System Diagnostic.

5. Follow any further instructions from CA Technologies Support.

System Monitor
The System Monitor tool provides encrypted output of system diagnostics information.

System Diagnostics
This panel is to be used with the aid of CA Technologies Support. If Support asks for System Log Files,
use the button in this panel to download them. If core dumps are being collected, they are contained
in this download.

SPFD Logs
Click Download SPFD Log File to save the log for the service provider daemon for this appliance to
your local client access computer.

Tomcat Logs
Click View recent entries to open a dialog showing recent unfiltered log entries. Click Download
Tomcat Log File to save the Credential Management "catalina.out" logfile for this appliance to your
local client access computer. Use the drop-down list to filter by log level, such as "Warning."

Applet Debugging
This panel is to be used with the aid of CA Technologies CA Privileged Access Manager Support.

Applet Log Level


This panel is to be used with the aid of CA Technologies CA Privileged Access Manager Support.
Otherwise, set the Current Log Level to "Error".

Note

Log files can grow rapidly if you set the log level to "Debug." Restore it to a lower level as
soon as practical. Monitor the disk usage ("System Info"), and if it is high, reboot CA
Privileged Access Manager. Rebooting will clear these logs.

Web Services Log Level


This panel is to be used with the aid of CA Technologies CA Privileged Access Manager Support.
Otherwise, set the Current Log Level to "Error".


LDAP Sync Log Level


This panel is to be used with the aid of CA Technologies CA Privileged Access Manager Support.
Otherwise, set the Current Log Level to "Normal".

Xsuite As SAML RP Log Level


This panel is to be used with the aid of CA Technologies CA Privileged Access Manager Support.
Otherwise, set the Current Log Level to "Normal". To see the most recent entries in a pop-up
window, click the View recent entries button.

Xsuite As SAML IdP Log Level


This panel is to be used with the aid of CA Technologies CA Privileged Access Manager Support.
Otherwise, set the Current Log Level to "Normal". To see the most recent entries in a pop-up
window, click the View recent entries button.

Maintenance Mode
Maintenance Mode provides a way to prevent new CA Privileged Access Manager logins so that an
administrator can perform configuration changes. These changes might otherwise disrupt or be
disrupted by user activity. This mode can simply be toggled on or off.

When a user who is not a Global Administrator tries to log in to CA Privileged Access Manager while
in Maintenance Mode, the user sees an updated login page displaying an error message: "This CA
Privileged Access Manager is in maintenance mode. Only admin level users can log in."

Note

Although new logins are prevented, current user logins are not disconnected at the time
Maintenance Mode is set. The administrator might, for example, send an email requesting
currently connected users log out, or when necessary, force disconnections through the
Sessions, Manage Sessions interface. Maintenance Mode also does not disable the
Credential Manager CLI.

To disable the Credential Manager CLI manually, follow these steps:

1. Access the Credential Manager GUI.

2. Go to Settings, General Settings.

3. Clear "Enable External CLI".

4. Save the change.


You might need to restart the CA Privileged Access Manager appliance.


Remote Xceedium Debugging Services


This panel is to be used with the aid of CA Technologies CA Privileged Access Manager Support.
Otherwise, this setting should always be in the (Off) state as shown in the panel header.

Cluster Tuning Mode


This panel is to be used with the aid of CA Technologies CA Privileged Access Manager Support.
Otherwise, this setting should always be in the (Off) state as shown in the panel header.

Performance Graphs
CA Privileged Access Manager activity can be graphed for the following dimensions by clicking Turn
graphing on. Graphs take about 20 minutes to appear.

CPU Utilization

Outgoing Network Activity (by date)

Incoming Network Activity (by date)

Tools
On the Config menu, on the Tools page, CA Privileged Access Manager provides network diagnostic
tools. Use these tools to check device connectivity and troubleshoot communication from the CA
Privileged Access Manager appliance. Test networking with the standard ping, traceroute, DNS
resolution, and port scan.

Cross Site Scripting Attack Checking


By default, CA Privileged Access Manager checks for and blocks cross site scripting (XSS) attacks in
all HTTPS requests received from any client source. In particular, the server attempts to prevent the
following attack types:

Reflected cross site scripting attacks, when the browser fails to do so.

Persisted (stored) cross site scripting attacks, where a script is persisted in the database or logs
and then played back to an unsuspecting user who later logs in to CA Privileged Access Manager.

If CA Privileged Access Manager is blocking excessive events that are known not to be XSS attacks,
disable cross site scripting attack checking and contact CA Support. Treat this as a temporary
measure: while checking is disabled, the appliance relies on browser-side protection alone, so
re-enable it as soon as Support has identified the cause.

To identify requests that are being blocked, search the session logs for the following message:
Preventing Cross Site Scripting Attempt

Disable Cross Site Scripting Attack Checking


Use this procedure to disable cross site scripting checking.

Follow these steps:


1. Log in to the CA Privileged Access Manager Server Web UI or the CA Privileged Access
Manager Client.

2. Select Config, Security.


The Security dialog appears.

3. Scroll down to the Cross Site Scripting Checks panel.

4. Select the Disable option.

5. Reboot the server to implement the change.

Enable Cross Site Scripting Attack Checking


Use this procedure to re-enable cross site scripting checking after it has been disabled.

Follow these steps:

1. Log in to the CA Privileged Access Manager Server Web UI or the CA Privileged Access
Manager Client.

2. Select Config, Security.


The Security dialog appears.

3. Scroll down to the Cross Site Scripting Checks panel.

4. Select the Enable option.

5. Reboot the server to implement the change.

Master Provisioning Settings


Master provisioning settings refer to CA Privileged Access Manager settings that are configured
independent of specific managed objects such as Users and Devices, but are applied to those objects.

Apply Global Settings


The Global Settings page includes the master provisioning settings for CA Privileged Access Manager.
Credential Manager specific settings, however, are in a separate location. See Customize the Global
Default Preferences (https://docops.ca.com/display/CAPAM28/Customize+the+Global+Default+Preferences)
for more information.

The CA Privileged Access Manager Administration menu Global Settings tab contains options that
provide for customization of how CA Privileged Access Manager functions for all Users and Devices.
This tab invokes the Global Settings, Configure page, which has several sections that allow
customization of global user policies such as timeouts, passwords, access methods, and terminal
settings.


To save the settings, select the Save Global Settings button at either the top or the bottom of the
screen. The screen refreshes to display the updated configuration and the 'Configurations updated'
text appears on the screen. The login page has a non-configurable timeout of 3 minutes. This time is
for the life of the page itself, not the Login Timeout setting measuring logged-in idle time. After that
time, the page must be refreshed before CA Privileged Access Manager accepts a login.

Passwords
For Local users, the password characteristics can be customized by changing these fields. Other
authentication methods' password policies are enforced by their own infrastructure and CA Privileged
Access Manager cannot control them. Unlike other accounts, the super account never expires and is
not deactivated even if the password failures limit is reached. Because the lockout policy does not
protect it, give the super account a long, unique password and store that password out of band.

Warnings
Two optional warning messages can be applied to users. They can be customized to reflect individual
company policies. The License Warning box scrolls to accommodate a long message. Upon selecting
the checkboxes, you are provided with editing boxes.

Applet Customization
The Applet Customization pane allows specification (for all users and all devices) of the default
terminal display characteristics for Telnet and SSH applets, and a switch to allow or disallow copy-and-
paste text buffering.

An administrator can override the defaults on a device basis by changing the Terminal Type, Key
Mapping, and Xceedium Terminal Customization settings for individual devices.

A user can override the defaults by changing the Xceedium Terminal Customization under the
My Info button.

RDP Drive Mapping


A pop-up window appears upon mouseover of the RDP link for selection of (RDP window resolution
and) drives to map from the local RDP client to the remote RDP server. After resolution or drive
selection, click Launch (not the RDP link) to open the RDP connection.

After you make a connection, you can still add a drive by using the interface provided by the applet
window.
Access Methods Settings (see page 114)
Branding (see page 115)

Access Methods Settings


You can customize the types of access methods available to devices to change the default port and to
disable globally. If disabled, the associated CA Privileged Access Manager applet is not available.

Set the access methods that CA Privileged Access Manager can perform when available for, and
allowed by a particular user policy on a particular device. If you do not use Telnet, for instance, you
can clear it to disable CA Privileged Access Manager from allowing any Telnet sessions.

The set of Access Methods available and shown depends upon which license the CA Privileged Access
Manager appliance is using. If it is a mainframe license, the TN* applets are available. Otherwise,
those applets are not available, and do not appear as options here. Here are some typical Access
Methods, which are grouped by category:

GUI: VNC, RDP, Embedded VNC

CLI: Telnet, SSH

Mainframe: TN3270, TN5250, TN3270SSL, TN5250SSL

OOB: Serial, Power, KVM

Branding
A custom logo for your organization can be used in the CA Privileged Access Manager GUI in place of
the CA Technologies logo. Browse to the desired logo graphics file to stage it in the Upload Custom
Logo field and click Save Global Settings (at either the center top or bottom of page).

Identify Desired User Roles


CA Privileged Access Manager provides a preconfigured set of User roles. You can also configure your
own roles from the set of available CA Privileged Access Manager User privilege options.

About Predefined Roles


A predefined set of 17 Roles is provided with the CA Privileged Access Manager installation. These
Roles (and any other Roles that have been defined) can be viewed by invoking Users, Manage Roles.
This set pre-packages the Privileges that are required to perform various common activities.

Roles are assigned to Users and User Groups during their creation and editing. See Provisioning Users
(see page 213) for more information.

Note

The predefined Auditor role allows read-only access to settings on the Global Settings
page.

List of Privileges
In addition to the set of Predefined Roles that are described, administrators can also create Custom
Roles. A Role is constructed by selecting from a list of Privileges, described in the following table.

Privilege Category / Name: Definition (the Privilege that is named allows the Role that has it to:)

Standard User
accessAll: Use the access page to connect to remote machines.
manageAll: Use the manage devices page to perform actions like power cycling remote machines.

Monitoring
monitorAll: Use the monitor page to view the status of remote devices.

Sessions
sessionRead: Look at the manage sessions/logins page.
sessionManage: Use the manage sessions/logins page to kill sessions and logins.
overviewRead: Examine devices, out of band devices, and connections.

Tools
toolsAll: Use configuration tools such as ping and traceroute.

Logging / Recordings
loggingAll: Look at the log page and execute reports.
sessionRecordingRead: Replay session recordings.

Global Settings
globalSettingsRead: See global settings.
globalSettingsManage: Alter global settings.

Services
servicesRead: See details of all services, of any type (TCP, RDP Application, SSL VPN).
servicesManage: Add or change any existing services of any type (TCP, RDP Application, SSL VPN).
servicesDelete: Delete any existing services of any type.

Users (1 of 2)
usersRead: See details of all users. Allows export of users.
usersManage: Create or change users, including export. Allows import of users.
usersDelete: Delete any non-LDAP users.
usersAssign: Assign a user to a user group or a user group to a user.
userGroupRead: See details of user groups.
userGroupUpdate: Change existing user groups, but not their memberships.
cacUserApproval: Approve candidate CAC users.

Socket Filters (1 of 2)
socketFilterAgentRead: View socket filter agents.
socketFilterAgentDelete: Delete socket filter agents.

Devices (1 of 2)
devicesRead: See details of all devices, including power hosts and consoles. Allows export.
devicesManage: Create and change devices and their memberships. Allows import.
devicesDelete: Delete any devices.
devicesAssign: Assign a device to a device group or assign a device group to a device.
deviceGroupRead: See details of device groups.
deviceGroupUpdate: Change existing device groups, but not their memberships.

Policy (1 of 2)
policyRead: See policies. Does not allow export.
policyManage: Change or remove policies. Does not allow import.

Socket Filters (2 of 2)
socketFiltersRead: See socket filter lists and configuration.
socketFiltersManage: Change or remove socket filter lists and configurations.

Command Filters
commandFiltersRead: See command recording lists and configuration.
commandFiltersManage: Change or remove command filter lists and configurations.

Policy (2 of 2)
policyImport: Import all kinds of associations.
policyExport: Export all kinds of associations.

Configuration
configurationManage: Use the Access configuration tab.

Users (2 of 2)
rolesRead: Read roles and privilege definitions.

Devices (2 of 2)
autodiscovery: Find devices on the network.

Passwords
credentialsManage: Create and update credential definitions for password chaining.

Role-to-privilege matrix: the original table marks, for each privilege listed above, which of the 17
predefined Roles hold it. The checkmark columns did not survive extraction, so the per-role
assignments are not reproduced here; view them on the appliance under Users, Manage Roles. The
17 predefined Roles (the table's columns) are:

Administrative Auditor, Auditor, Autodiscovery, Configuration Manager, Delegated Administrator,
Device/Group Manager, Global Administrator, Global Setter, Monitor, Operational Administrator,
Password Manager, Policy Manager, Service Manager, Session Manager, Standard User,
Troubleshooter, User/Group Manager.

The table's footnotes (√* on globalSettingsRead, ** on globalSettingsManage) are explained by the
note that follows it: Auditors have read-only access to Global Settings to inspect settings that have
impact on log data.


Provision Your Server


Provisioning CA Privileged Access Manager involves creating records that represent your managed
objects. At the top level, provisioning includes the devices that you manage (and their properties)
and user accounts.

Provisioning is, for CA PAM purposes, about the management of connections. A network is composed
of computational devices that have various users. The point of this management is to monitor,
control, and track, in various ways, these users' access to these devices.

Thus, the baseline-managed objects in CA PAM are devices and users. A policy is the relationship
between a device (or device group) and a user (or user group). In other words, a policy is the
specification of what each user is permitted to do with each device. It can also capture (in recordings)
all that the User does with the device, permitted or not.

CA PAM provisioning starts with device definition. CA PAM is licensed by device, and the type of each
device determines the provisioning path to its definition. CA PAM users access devices in various
ways. The rules governing the relationships between users and devices constitute policies.
Provisioning Overview (see page 121)
Summary of Device Access Provisioning (see page 122)
Summary of Credential Manager Provisioning (see page 124)
Provisioning Devices (see page 126)
Provisioning Users (see page 213)
Provisioning Policy for Users/Devices (see page 236)

Provisioning Overview
We recommend that you perform provisioning, and configuration that is directly related to
provisioning, in the following order. Configure the Global Settings first: These circumscribe available
options or create default settings for User accounts, Access Methods, and Terminal Customization.

1. Configure the following User parameters before provisioning any managed objects:

Global Settings

Users – Login and Password parameters; default GUI appearance

Access Methods – global switches determining which CA Privileged Access Manager applets are available

User Roles

Credential Manager – See Customize the Global Default Preferences (https://docops.ca.com/display/CAPAM28/Customize+the+Global+Default+Preferences).

2. Configure Socket Filter Agents on devices that use Socket Filters.


3. Provision Services for Devices – These objects instruct CA Privileged Access Manager to invoke
communication applications resident on a local user computer or use prepackaged [S]FTP or TS
Web, and provide them with destination configuration, sometimes including auto-login
credentials. This category also includes RDP applications, SSL VPN, and web portals.

4. Provision Filters for Devices – Two methods are available to screen device access:

Socket Filter – prevents the unauthorized leapfrogging or springboarding from one
computer to another by preventing access to unauthorized IP sockets. Implementation
requires installation of CA Technologies agent software (SFA) on the target device.

Command Filter – prevents commands (that you specify) from executing. (These filters do
not have to be provisioned early in the order.)

5. Provision Access Methods for Devices – These applets are downloaded from the appliance to
a user computer. They support several popular graphical and CLI protocols (for example, RDP
and SSH), and AS/400 mainframe (TN3270 and others), and out-of-band protocols.

6. Provision Devices and Device Groups – set up the CA Privileged Access Manager Device
records that point to actual devices. Complete provisioning of CA Privileged Access Manager
Devices requires prior specification of the Services and Access Methods that are used to
communicate with them.

7. Provision Credentials (Target Accounts in Target Applications on Target Servers) – provision
the Credential Manager database, coordinating with target Device communication as needed.

8. Provision Users and User Groups – set up the CA Privileged Access Manager User records that
represent their human users and their roles. You can determine which and how many Users
are required, based on which Device resources require User access, and of what kind.

9. Provision Policy – specifies which managed objects are available to which Users, for what
purposes, and what type of controls are applied. Complete provisioning requires prior
complete specification of Devices and Users.

Summary of Device Access Provisioning


CA Technologies recommends that you perform provisioning, and configuration that is directly
related to provisioning, in the following order. Complete the configuration of Global Settings first:
These circumscribe options available and create default settings for User accounts, Access Methods,
and Terminal Customization.

1. Configure the following parameters before provisioning any managed objects:

Global Settings

Users – Login and Password parameters; default GUI appearance

Access Methods (see below) – global switches determining which CA Privileged Access
Manager applets are available

CA Privileged Access Manager User Roles

2. Configure target devices:

CA Privileged Access Manager Socket Filter Agents on devices that use Socket Filters (see
below)

3. Provision Services – These objects instruct CA Privileged Access Manager to invoke
communication applications resident on a user's local computer or use CA Privileged Access
Manager-prepackaged [S]FTP or TS Web, and provide them with destination configuration,
sometimes including SSO credentials. This category also includes RDP applications, SSL VPN,
and web portals.

Specification relies on your local network composition; you might need to obtain and
deploy non-CA Technologies software.

4. Provision Filters – Two methods are available to screen device access:

Socket Filter – Prevents the unauthorized leapfrogging or springboarding from one
computer to another by preventing access to unauthorized IP sockets. Implementation
requires installation of CA Technologies agent software (SFA) on the target device.

Command Filter – Prevents commands (that you specify) from executing. (These do not
have to be provisioned early in the order.)

5. Provision Access Methods – These CA Privileged Access Manager applets are downloaded
from the product appliance to the computer of the user. They support several popular
graphical and CLI protocols (for example, RDP and SSH), AS/400 mainframe (TN3270 and
others), and out-of-band protocols.

6. Provision Devices, and Device Groups

Complete provisioning of CA Privileged Access Manager Devices requires prior
specification of the Services and Access Methods that are used to communicate with
them.

7. Provision Users, and User Groups

You can determine which and how many Users are required, based on which Device
resources require User access, and of what kind.

8. Provision Policy

Specifies which managed objects will interwork. Complete provisioning requires prior
complete specification of Devices and Users.


Summary of Credential Manager Provisioning


Provisioning a password in CA Privileged Access Manager Password Management has three, nested
object-definition stages:

Provisioning of a Device managed object, of type Password Management, representing the target
server hosting the target account bearing that password.

Association to that Device of the target application in which that account is defined.

Association to that Device and target application of the target account itself.

Typically, there are specific complexity requirements for passwords, specific rules on how and when
the password can be retrieved, and rules governing who can view password-related data.

1. Configure Credential Manager for Password Management

Set Password Composition Policies

Set Password View Policies

Set Credential Manager User Roles

2. Provision Password Targets

Provision Target Servers: Provision Devices of type Password Management

Provision Target Applications

Provision Target Accounts

3. Provision Password Users

4. Provision CA Privileged Access Manager Users with Credential Manager Groups

A2A Provisioning
Request scripts are applications that require credentials for target accounts that have been
provisioned on Devices of type Password Management. These scripts request the managed
credentials by way of the A2A Client, which runs on a request server. This request server is – like a
target server – a CA Privileged Access Manager Device, and its Device type is A2A.
Because the A2A Client is not part of the CA Privileged Access Manager appliance and must be
installed on a host in the customer's environment, the process for A2A provisioning consists of steps
executed on the A2A Client host and on the CA Privileged Access Manager appliance.

1. Prepare Devices of type Password Management (as described in the previous section) that
host target accounts for use by request servers.

2. Prepare the A2A Client host

Install the A2A Client

Start the A2A Client

3. Using the CA Privileged Access Manager GUI, integrate the A2A Client with the CA Privileged
Access Manager server

Verify that the A2A Client has registered with the CA Privileged Access Manager server as
a Device of type A2A.

Activate this Device.

4. Prepare the requestor on the A2A Client host

Integrate the A2A request scripts on that host

5. Using the CA Privileged Access Manager GUI, integrate the request server with the CA
Privileged Access Manager server

Specify the A2A request scripts

Specify authorization mappings

About Credential Manager Groups


Either a User through a password request, or a request script, following execution of a request to the
A2A client, can access a target account password from Credential Manager. To filter this access to
passwords, both target accounts and request scripts can be partitioned, respectively, into target
groups and request groups. Credential Manager user groups can then be defined that permit only
selected operations on a target group and a request group.
Credential Manager groups include:

Target Groups – A target group is a collection of target servers, target applications, or target
accounts that meet specific filter criteria – for example, this filter could be the string "London" in
the Descriptor2 field.

Request Groups – A request group is a collection of request servers ("Clients") or requestors
("Scripts") that meet specific filter criteria – for example, this filter could be the string "New York"
in the Descriptor1 field.

Credential Manager User Groups – A Credential Manager user group is a collection of one target
group, one requestor group, and one Credential Manager role.

NOTE If the Target Group is not specified, then members of this group do not have access to any
target servers, target applications, or target accounts. If the Request Group is not specified, then
members of this group do not have access to any clients or scripts.
IMPORTANT Do not confuse Credential Manager User Groups with CA Privileged Access Manager
User Groups.
A CA Privileged Access Manager User Group is:

A static association of specific CA Privileged Access Manager Users.

Listed on the Users, Manage Groups page, and created/edited from a template opened on that
page.

A CA Privileged Access Manager Credential Manager User Group is:

A mapping of a single target group, requestor group, and role.

Listed on the Policy, Manage Passwords >> Groups, User Groups page, and created/edited from a
template opened on that page.

Can be assigned to a CA Privileged Access Manager User that has a CA Privileged Access Manager
Role with the "credentialsManage" privilege. Once a CA Privileged Access Manager user has the
credentialsManage privilege, the user can be assigned a Credential Manager group on the User
template on the Users, Manage Users page, where a "PM Group" pull-down menu is presented.
Preset CA Privileged Access Manager Roles with the credentialsManage privilege include:

Global Administrator

Operational Administrator

Password Manager
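
The access model of Credential Manager groups described above (target group plus request group plus role, with an unspecified group granting nothing), as an added example that is not CA PAM code. The Descriptor1/Descriptor2 fields and the "London"/"New York" filter strings come from the text; the sample records, the substring interpretation of a filter, and the operation names attached to a role are constructed for illustration.

```python
"""Credential Manager group model (added example, not CA PAM code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Target:
    """A target server, application, or account with its descriptor fields."""
    server: str
    application: str
    account: str
    descriptor1: str = ""
    descriptor2: str = ""


@dataclass(frozen=True)
class Requestor:
    """A request server ("Client") and the request script ("Script") on it."""
    client: str
    script: str
    descriptor1: str = ""
    descriptor2: str = ""


@dataclass(frozen=True)
class FilterCriterion:
    """Membership rule: the named field must contain the string (substring match assumed)."""
    field: str
    contains: str

    def matches(self, record) -> bool:
        return self.contains in getattr(record, self.field, "")


@dataclass(frozen=True)
class Group:
    """A target group or request group: every record matching all criteria is a member."""
    name: str
    criteria: tuple

    def has_member(self, record) -> bool:
        return all(c.matches(record) for c in self.criteria)


@dataclass(frozen=True)
class CredentialManagerUserGroup:
    """One target group, one request group, one role (modelled as the operations it permits)."""
    name: str
    target_group: Optional[Group]
    request_group: Optional[Group]
    role_operations: frozenset


def permitted_on_target(ug: CredentialManagerUserGroup, target: Target, operation: str) -> bool:
    """True if a member of `ug` may perform `operation` on `target`.

    An unspecified target group gives access to no target server, application or
    account at all (the NOTE above); the role must also permit the operation.
    """
    if ug.target_group is None or operation not in ug.role_operations:
        return False
    return ug.target_group.has_member(target)


def permitted_on_requestor(ug: CredentialManagerUserGroup, requestor: Requestor, operation: str) -> bool:
    """Same decision for clients and scripts: no request group means no client/script access."""
    if ug.request_group is None or operation not in ug.role_operations:
        return False
    return ug.request_group.has_member(requestor)


# Constructed sample data: two Oracle dbasys accounts in different cities, two request scripts.
SAMPLE_TARGETS = (
    Target("db-lon-01", "oracle", "dbasys", descriptor2="London"),
    Target("db-nyc-01", "oracle", "dbasys", descriptor2="New York"),
)
SAMPLE_REQUESTORS = (
    Requestor("app-nyc-01", "backup-rotate", descriptor1="New York"),
    Requestor("app-lon-01", "backup-rotate", descriptor1="London"),
)
LONDON_TARGETS = Group("London targets", (FilterCriterion("descriptor2", "London"),))
NEW_YORK_REQUESTORS = Group("New York requestors", (FilterCriterion("descriptor1", "New York"),))


def decisions() -> dict:
    """Evaluate two sample Credential Manager user groups and return the access decisions."""
    full = CredentialManagerUserGroup(
        "lon-ops", LONDON_TARGETS, NEW_YORK_REQUESTORS, frozenset({"view", "update"}))
    # Target group left unspecified: members must get no target access at all.
    no_targets = CredentialManagerUserGroup(
        "no-targets", None, NEW_YORK_REQUESTORS, frozenset({"view"}))
    return {
        "london_view": permitted_on_target(full, SAMPLE_TARGETS[0], "view"),
        "newyork_view": permitted_on_target(full, SAMPLE_TARGETS[1], "view"),
        "london_delete": permitted_on_target(full, SAMPLE_TARGETS[0], "delete"),
        "no_target_group": permitted_on_target(no_targets, SAMPLE_TARGETS[0], "view"),
        "newyork_requestor": permitted_on_requestor(full, SAMPLE_REQUESTORS[0], "view"),
        "london_requestor": permitted_on_requestor(full, SAMPLE_REQUESTORS[1], "view"),
    }


if __name__ == "__main__":
    for key, allowed in decisions().items():
        print(f"{key}: {'allowed' if allowed else 'denied'}")
```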

Provisioning Devices
A Device is a CA Privileged Access Manager-managed, IP-addressable network node that is the
potential access or password target of a CA Privileged Access Manager User (as defined above).
Devices are displayed, defined, and otherwise managed through the Devices menu on the CA
Privileged Access Manager menu bar.

A device that serves a CA Privileged Access Manager system is not necessarily an access target in that
system. For example, a RADIUS authentication server or syslog storage that provides resources to CA
Privileged Access Manager – but is managed by external administrators – is not listed or managed as
a CA Privileged Access Manager Device. However, the attributes of that device are specified in the
appliance configuration settings.
About Devices (see page 127)
Device Features (see page 130)
Device Discovery (see page 136)
Device Setup (see page 140)
Device Group Setup (see page 152)
Device and Device Group Management (see page 159)
Device viewing (see page 160)
About Access Setup (see page 162)
Set up Socket Filter Agents (see page 178)
Set up Command Filters (see page 189)
Set up Transparent Login (see page 194)
Set Up the AWS API Proxy (see page 212)


About Devices
A Device is the CA Privileged Access Manager representation of a CA Privileged Access Manager-
managed, IP-addressable network node. A Device is a potential target for access or password
management by a CA Privileged Access Manager User. It is a potential request server in an A2A
system. Devices are displayed, defined, and otherwise managed through the Devices menu on the CA
Privileged Access Manager Administration menu bar.

Note

"Device" (capitalized) is used in the product documentation to refer to a managed object in
CA Privileged Access Manager. The physical counterpart in the network is referred to as
"device" (not capitalized).

A device that serves a CA Privileged Access Manager system is not necessarily an Access or Password
Management target in that system. For example, a RADIUS authentication server or syslog server that
provides resources to CA Privileged Access Manager – but that is not an access target – is not listed or
managed as a CA Privileged Access Manager Device, even while it is specified in product configuration
settings.

Access to Devices
CA Privileged Access Manager enables secure access to devices. It does not allow connection to any
device until the device has been approved at the device level. To complete this approval, access
methods must be chosen. You can choose them when you first create the device, when you finish
edits before access is enabled, or when you change the methods for an existing device.

Access Types

CA Privileged Access Manager Software: Access Methods


The first way that CA Privileged Access Manager provides controlled access is to specify fully the
communication software that is used to implement a connection. CA Privileged Access Manager
downloads communication executables (implemented as Java applets) from the CA Privileged Access
Manager server to the user workstation or other local computer. These applets wrap the user
communication within CA Privileged Access Manager-controlled communication channels.
One of these applets is a master communication applet named the UP (Universal Ports). UP is
customized by the policy for each user, and is always downloaded at each CA Privileged Access
Manager User login session. Meanwhile, the user can download other applets to communicate with
the UP to set up and maintain controlled communication to a device through CA Privileged Access
Manager. These applets also have CA Privileged Access Manager-custom features, such as command
filtering capability. When the session is finished, the applet disappears. These applets are known as
CA Privileged Access Manager Access Methods.


CA Privileged Access Manager-Controlled Local Software: Services


Another approach is to use ordinary (third party) communication software users have on their
computers. This software might already be installed, or CA Privileged Access Manager can supply it
(temporarily). Using parameters that are configured by the CA Privileged Access Manager
administrator, the product directs that software to communicate with the UP so that, like an Access
Method, a controlled session can be implemented. These are known as CA Privileged Access Manager
Services.
A CA Privileged Access Manager administrator can create new Services on known ports and for
specific applications. These services can include fat client access such as SQL query front-ends,
mainframe clients, and any proprietary applications that use TCP or UDP connections. CA Privileged
Access Manager has several ways to do this:

Download CA Privileged Access Manager packaged third-party software, such as a commercial
SFTP/FTP package.

Use a local software installation; for example, PuTTY can be available to implement SSH.

Use Microsoft Windows RDP if the local computer is a Windows device.

Establish a console.

Access a web portal using the local default browser.

Restrict Access to a Windows Application: RDP Applications


With Microsoft Terminal Services, single target hosted applications can be published through RDP
instead of allowing access to the entire target device desktop.

Set Up a CA Privileged Access Manager SSL VPN Service


An SSL VPN Service can be set up by CA Privileged Access Manager with the local Web browser. This
eliminates the need for particular communication software to be specified by the CA Privileged
Access Manager administrator.

Terminal Configuration for Device Access


For line-mode communication, you have a range of options to package the interface. These can be
imposed generally, and then specifically for each Device Group or individual Device.

Monitoring Devices
Monitoring allows the administrator to know which physical devices are available for certain types of
communication, or whether an unknown communication problem is based at that device. CA
Privileged Access Manager provides protocol-based device monitoring.


Account Password Control


Access to a Device is like a route to a house, while a password is like a door key to that house. CA
Privileged Access Manager provides control of both these stages in its end-to-end communication,
and for passwords, manages these data objects themselves.
CA Privileged Access Manager recognizes and comprehensively manages two types of password
users:

The privileged user - A person with a high-level responsibility for a target device or target
application, and who uses a shared, centrally stored password for access to a master or otherwise
high-privilege target account.

A request script - A script or application that requires a centrally stored password login to an
application using a high-privilege account.

From these users and their actions, two device-oriented activities can be identified:

CA Privileged Access Manager Password Management manages target devices that process or
consume submitted passwords. Privileged users interact with target devices, and

CA Privileged Access Manager A2A manages requestor-hosting devices that obtain passwords
(through CA Privileged Access Manager) and submit them to targets.

These device-oriented activities, and other non-device activities (such as managing the viewing of
passwords), come under the umbrella of CA Privileged Access Manager Credential Manager.

Device Types
From these features come these Device types, each with separate functionality and licensing:

Access Devices

Password Management Devices

A2A Devices

Grouping
The provisioning and management of Devices are made easier by relying on mechanisms that allow
two varieties of group treatment:

Device Groups – These objects provide for inheritance of Device attributes from the group to its
members.

Tags – These Device attributes allow a potentially large number of arbitrary labels to be assigned
for any particular device, and shared across many devices. The labels can then be filtered to
identify sets of sharing devices.


Device Features
Device Types
Devices in CA Privileged Access Manager are categorized into three types. A Device object can
represent any physical device logically using one or more of these types:
Device Licenses (on Licensing page):

Access Device – Computing or out-of-band, network-addressable Device (identified by the label
"Access" in Global Settings and in a Device template)

PasswordDevice – Device for which passwords are managed (pushed from CA Privileged Access
Manager) (identified by the label "Password Management" in Global Settings and in a Device
template)

A2ADevice – Device running application clients that connect to CA Privileged Access Manager to
retrieve passwords (identified by the label "A2A" in Global Settings and in a Device template).

A Device Type license permits a maximum number of Devices for each Device Type. The maximum
number and the current count of each Device Type appear on the Access Dashboard under License
Usage. The same numbers also appear on the Sys Info dialog.

License Usage (on Dashboard page):

Session Management license – for an Access Device (can co-exist with Credential Manager
Device)

Credential Manager license – for a Credential Manager Device (can co-exist with Access Device)

A2A Management license – for an A2A Device

Access Types
CA Privileged Access Manager enables secure access to devices. It does not allow connection to any
device until the device has been approved at the device level. To complete this approval, access
methods must be chosen. You can choose them when you first create the device, when you finish
edits before access is enabled, or when you change the methods for an existing device.

Prepackaged - Standard access methods that are used by most administrators have been built as
Access Method applets and do not require any additional software to be installed on a user
desktop.

Custom - In addition to the default applet access, virtually any connection application can be
configured to allow access by configuring local CA Privileged Access Manager Services.

Access Methods
CA Privileged Access Manager provides several prepackaged Access Method applets, with support for
VNC, TELNET, SSH, RDP, and serial connections. Default ports can be modified if the application is
running on a different port from the one indicated.


Configuration is required at:


Global-level - For an access method to be available (at all) through CA Privileged Access Manager, it
must first be permitted (or "switched on") through the Global Settings interface.
Device-level - In addition to the default applet access, CA Privileged Access Manager can be
configured to allow access to virtually any connection application.

Graphical and CLI Applets


VNC - VNC (Virtual Networking Computing) is a graphical desktop remote access application that
transmits keyboard and mouse movements. VNC applet access requires a VNC server to be
running on the destination device. To use CA Privileged Access Manager recording, the VNC
server must be set in basic unencrypted mode.

Telnet - Administrators often use this tool to connect to UNIX hosts running the TELNET daemon.

SSH - Secure Shell protocol. The SSH applet connects to servers running the SSH daemon and
does not require the client end user to have SSH client software such as Putty loaded.

RDP - RDP (Remote Desktop Protocol) is an access method for connecting to Microsoft Terminal
Services and is commonly used for administration of Windows servers. The RDP applet is
optimized to take advantage of RDP 6.x compression types, with noticeable reductions in file size
in comparison with RDP 5.2.

Important

RDP remote device usernames are not prepopulated from CA Privileged Access Manager
login usernames. Instead, the CA Privileged Access Manager User can populate this name
through a field on the My Info page.

Important

Due to limitations in XRDP compression support, RDP-to-XRDP sessions use more
bandwidth. Session recordings can be larger (sometimes by 1 or 2 orders of magnitude)
than recordings for RDP-to-RDP sessions. Encryption support requires a setting in the
xrdp.ini file on the XRDP host.

TLS levels - As of release 2.6, the RDP client (the applet) supports TLS 1.2 connections and
supports the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite.

Performance - Sometimes, it is not possible to write an RDP recording to storage as fast as it is
being created. In such cases, CA Privileged Access Manager throttles interaction. From the
User point of view, it "slows down." The overall data transfer rate is reduced and writing to the
share can be completed.

XRDP - The CA Privileged Access Manager RDP client applet can also be used to connect with an
XRDP server running on a managed Linux Device.


OOB Applets
For Out of Band access under the Manage screen, KVM, serial console, and power are available. CA
Privileged Access Manager adds a layer of security to the out of band devices by allowing user access
to only certain servers.

KVM - KVM captures the keyboard, video, and mouse signals and converts them into packets
allowing remote console access to administrators.

Serial - Serial console is used for the administration of network equipment and Unix servers.
Because it does not rely on IP connectivity, operations such as upgrades can be performed
without loss of connectivity.

Power - This enables administrators to control the power of intelligent-power remote devices.

Mainframe Applets
TN3270 and TN5250 are Telnet clients for the IBM AS/400 that emulate 5250 terminals and printers.
SSL versions are available to provide SSL/TLS support.
NOTE Support for AS/400-class applet Display Names (TN5250 and TN5250SSL only) is provided on
the My Info page with the Mainframe Display Name field.

TN3270 - IBM 3270 Telnet class

TN3270SSL - IBM 3270 Telnet class with SSL

TN5250 - IBM 5250 Telnet class

TN5250SSL - IBM 5250 Telnet class with SSL

Services
Services are a way to customize access to the devices. A CA Privileged Access Manager administrator
can create new services on known ports and to specific applications. These services can include: fat
client access such as SQL query frontends, mainframe clients, or any proprietary applications, which
use TCP or UDP connections.

Prepackaged Services
Services that are prepackaged with CA Privileged Access Manager are identified here.

Important

CA Privileged Access Manager ships with several preconfigured SFTP/FTP Services. These
services currently support several SFTP/FTP servers including OpenSSH-derived Linux, AIX,
and Solaris SFTP implementations. Microsoft IIS SFTP/FTP implementations are also
supported with a known limitation when multiple hard drives are present.


While other FTP servers might be compatible, CA Privileged Access Manager does not test or verify
them. The preconfigured services must be used to track SFTP/FTP activity associated with target
devices, as required by the compliance requirements of many of our clients. The activity is tracked in
CA Privileged Access Manager session logs. The service names that are suffixed with "emb" provide
the WinSCP client to users without any FTP client application installed. We encourage input on any
FTP servers that appear to be incompatible with our current offering, and we consider adding support
for more FTP servers as business needs permit. It is our goal to provide the most comprehensive
access solution for our customers while balancing the need for Access Control and Audit.

Types

sftpftp - With use of an SFTP client, transports files to and from FTP servers.

sftpsftp - With use of an SFTP client, transports files to and from SFTP servers.

sftpftpemb - This service downloads a WinSCP client to the user desktop. WinSCP (Windows
Secure CoPy) is a free and open source SFTP and FTP client for Microsoft Windows.

sftpsftpemb - This service downloads the WinSCP client to the user desktop.

Caution

When running SFTPFTPemb or SFTPSFTPemb, a default option for WinSCP file transfer
causes the resulting file to be partially saved. Change the setting under Preferences, Other
general options: Preferences, Transfer: Endurance, "Enable transfer resume/transfer to
temporary filename for". Change the default setting of "Files above: 100KB" to "Disable";
then users can successfully "PUT" files onto the remote server.

RDP Applications
With Microsoft Terminal Services, single target-hosted applications can be published through RDP
instead of allowing access to the entire desktop. This functionality is only available to servers running
Microsoft Terminal Server. On Windows Server 2008, more setup is required.

SSL VPN Services


A CA Privileged Access Manager SSL VPN Service can be made available by identifying it with a name
and the TCP/UDP ports it uses.

Credential Manager
Passwords are managed by the CA Privileged Access Manager Credential Manager component. Each
Credential Manager password is uniquely identified, and maintained, after it is registered.

Target Registration
Register both new and updated target accounts in the GUI. Credential Manager divides the target
application registration into four levels:


For Password Management and A2A


Devices - The CA Privileged Access Manager Device – or "target server" – is an application server
that hosts one or more target applications that require access credentials. Credential Manager
requires that you register the Device before registering target applications and target accounts.
Device names must be unique.

Target Applications - The target application is a container for all managed accounts of a single
application, such as all privileged users of an Oracle database. A target application contains one or
more target accounts. The target application also defines the connector for password
synchronization, that is, the mechanism for accessing target accounts. The target application is a
conceptual division of the target data. It allows for multiple applications or entities within the
same server to contain the same account user name. For example, if a given server hosts two
databases, then each database is a unique target application, and each database could have a
uniquely identified user account dbasys. Target application names must be unique within a given
Device.

Target Accounts - The target account is the specific set of credentials (that is, user name and
password). Target account user names must be unique for a given target application.

For A2A

Target Aliases - Target aliases provide a mechanism to uniquely identify a specific target account
with an alias name. This alias name is referenced by any requesting application when requesting
credentials. Target aliases provide an extra level of security by eliminating the need to hard-code
the name of privileged accounts.

Password Synchronization
For each target account, you can update the secure Credential Manager database only, or update
both Credential Manager and the target system.

Password synchronization is the process of synchronizing the password stored in Credential Manager
with the same credentials in the target application. When passwords are synchronized, credentials
are pulled from the Credential Manager database to send to the target system, which attempts to
verify the credentials.

For a Windows target account, Credential Manager directs the Password Management Windows
Proxy to perform the password verification and update.

By using password synchronization, you can configure Credential Manager to update the target
account password immediately or on a schedule. If there is an associated password composition
policy, Credential Manager generates a password that meets the policy criteria. You can also update
passwords for a group of target accounts, which then have their password update schedules
synchronized. A compound account allows you to update a series of replicated databases with the
same password, and to keep their passwords synchronized with each other.

When you activate password synchronization, the communication protocol between Credential
Manager and managed Devices depends on the target application type. Every application type has a
corresponding target connector, which implements the communication protocol for that type of
target application.

Password synchronization is not available for the Generic application type.

Target Connectors
The following list describes the target connectors (or application types) supported by Password
Management.

AS400 - Use the AS/400 connector to manage user accounts on AS/400 iSeries IBM midrange
systems.

AWS Access Credentials - This target connector provides a placeholder application for AWS
Access Keys. It can be associated only with the target server xceedium.aws.amazon.com.

Cisco SSH - Use the Cisco SSH connector to manage accounts on a Cisco router. This Cisco SSH
connector uses the SSH or Telnet protocols for communication. The Cisco SSH target connector
supports SSH v2, and not SSH v1.

Junos - Use the Junos connector to manage any Juniper JUNOS® accounts.

LDAP - Use the LDAP connector to manage any accounts that support the OpenLDAP V3 protocol.
Optionally, you can configure the LDAP connector to use LDAP over an SSL connection.

MSSQL - Use the MSSQL connector to manage Microsoft SQL accounts. The MSSQL connector
uses JDBC for communication.

Oracle - Use the Oracle connector to manage Oracle accounts. The Oracle connector uses JDBC
for communication.

SPML - Use the SPML connector to manage any Service Provisioning Markup Language (SPML)
accounts.

UNIX (Advanced) - Use the UNIX (Advanced) connector to manage UNIX-based privileged
accounts. The UNIX (Advanced) target connector allows for greater customization of the earlier
UNIX target connector. The UNIX target connector supports SSH v2, and not SSH v1.

VMWare - This target connector uses WSDL over SSL to support ESX/ESXi target account
password synchronization.

Windows Domain Services - The Windows Domain Services connector and the Windows Proxy
connector both manage Windows accounts. Use the Windows Domain Services connector to
update the password of Active Directory accounts. This connector uses the LDAP interface to
Active Directory to update account passwords. You can also use this connector to update
Windows services and scheduled tasks if the connector communicates with a deployed Windows
Proxy. The connector performs the following activities:

Verifies and synchronizes the password against an Active Directory database

Queries one or more DNS servers to find domain controllers (optional)

Uses LDAP to connect to the domain controller

If the domain account is used for a service or scheduled task, it uses one or more Password
Management Windows Proxies to update service or scheduled task credentials and restart
services

Uses HTTPS and AES encryption for secure communications

Important

The Active Directory must support secure LDAPS connections (typically on port 636).
The Windows Domain Services target connector does not support unencrypted LDAP
connections, only LDAPS (LDAP over SSL). The "Domain Controller Port (SSL)" field in
the Windows Domain Services application details can be left blank if the LDAPS port is
the default 636. Otherwise, the port must be populated.

Port 389 is often used for unencrypted LDAP. CA Privileged Access Manager does not
synchronize AD target accounts using unencrypted LDAP.

Windows Proxy - The Windows Proxy connector and the Windows Domain Services connector
both manage Windows accounts. Use the Windows Proxy connector to manage both the
Active Directory and Local Windows accounts, and the passwords for Windows services and
scheduled tasks. This connector uses the Windows APIs to make updates to the account,
services, and scheduled tasks passwords. The connector can optionally query one or more
DNS servers to find domain controllers. The Windows Proxy connector uses HTTPS and AES
encryption for secure communications.

In addition to the provided target connectors, Credential Manager provides a Generic application
type, which permits credential requests. However, Generic applications do not support password
synchronization.

Device Discovery
As a CA Privileged Access Manager administrator, you want to add devices easily. CA Privileged
Access Manager provides a feature that discovers and registers devices. Discovery is an alternative to
manually adding target devices.
To perform discovery of Devices, follow these steps:

1. Select Autodiscovery from the Devices Menu.
The Discovery panel appears with four tabs.

2. Create a Device Scan Profile.

3. Run the Device Scan.

4. View Scan Results.

5. Bring Devices under management.

6. (Optional) Export the results to a CSV file.

Device Scan Profiles


Start by adding a Device Scan Profile. Follow these steps:

1. Select the Device Scan Profiles tab and click the Add button.

2. On the Profile tab, name the profile, and enter an optional description.

3. If you want to put all discovered devices under CA Privileged Access Manager management,
select Auto-manage devices.

4. Select a Default OS from the list in case Discovery does not determine an OS.

5. Purge Interval sets the number of days after which devices discovered by this scan are deleted
(if not also discovered by another profile). The Purge Interval default is set on the Global
Settings page, under Basic Settings, as Scan Purge Interval.

6. Enter an optional Default Location in case Discovery does not determine a location.

7. On the Inclusions tab, identify at least one Target IP Address or one Device Name to include in
the Discovery. You can include multiple targets of each type. Click the appropriate button to
add Inclusions. Once a target type is added, its button displays as an asterisk.

a. Specify IP addresses in slash notation (192.168.2.0/24). All subordinate addresses are
included as part of the scan unless there is a corresponding Exclusion address. Wildcards
and address range notation are allowed for IPv4 addresses. Use asterisks as wildcards
in the format 192.169.0.*. Specify ranges in the format x.x.x.x-x.

b. Device name discovery requires configuration of a DNS server in CA Privileged Access
Manager. Add DNS Servers in the Network Configuration section accessible from the
Config menu.

8. The Exclusions tab enables you to specify IP addresses to exclude from the Scan. Use the same
notation as for Inclusions.

9. The Access Methods tab enables selection from Default Access Methods which have been
enabled on the Global Settings page.

10. The Services tab enables you to select Services to scan. These Services are the same Services
(along with their descriptions and port numbers) listed on the Services menu.

11. If Device Groups have been created (see Devices, Manage Groups), you can select them on
the Device Groups tab.

12. The Tags tab allows you to add Tags to the discovered devices. Tags are freeform labels that
are added on the Manage Devices page. If any Tags have been created, they appear in the
Available column. You can add new Tags in Tag Name section below the selection columns.

13. The Target Applications tab lists available applications such as SSH, LDAP, and MSSQL. Select
applications to scan from this list.

14. Create a schedule to run the scan or run it on demand.

a. Use the Schedule tab to create an optional schedule. Once you select a frequency,
other fields appear. Select the appropriate time intervals. Click OK to save the Scan
Profile.

b. To run the scan on demand rather than on a schedule, click OK to save it. Select the
Scan Profile from the Scan Profiles list, and click the Run button above the list.

Note

Clicking Delete for a highlighted Device Scan Profile will delete its Device Scan History. It
will also delete any Devices associated with that Profile unless they are associated with
another Profile.
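The Inclusion and Exclusion notations from steps 7 and 8 of the Scan Profile procedure, worked through as an added example (this code is not part of the product or of this guide): a small Python parser that expands slash, asterisk-wildcard and x.x.x.x-x entries and subtracts the Exclusions, so an administrator can see how many addresses a profile would actually probe before running the scan. The sample specs are constructed, and the function names expand_spec and scan_targets are the example's own.

```python
import ipaddress
import itertools
import re
from typing import Iterable, List, Set

# Constructed sample specs in the three notations a Device Scan Profile
# accepts for IPv4 targets: slash (CIDR), asterisk wildcard, and x.x.x.x-x range.
SAMPLE_INCLUSIONS = ["192.168.2.0/30", "192.169.0.*", "10.0.0.5-9"]
SAMPLE_EXCLUSIONS = ["192.168.2.1", "10.0.0.7"]

_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3})$")


def expand_spec(spec: str) -> Set[ipaddress.IPv4Address]:
    """Expand one Inclusion/Exclusion entry into the set of IPv4 addresses it names."""
    spec = spec.strip()

    if "/" in spec:
        # Slash notation: every address in the block is a scan target. The network
        # and broadcast addresses are kept; the scanner simply gets no answer from them.
        return set(ipaddress.IPv4Network(spec, strict=False))

    if "*" in spec:
        # Wildcard notation: each '*' octet expands to 0-255.
        octets = spec.split(".")
        if len(octets) != 4:
            raise ValueError(f"wildcard spec needs four octets: {spec!r}")
        choices = []
        for octet in octets:
            if octet == "*":
                choices.append(range(256))
            else:
                value = int(octet)
                if not 0 <= value <= 255:
                    raise ValueError(f"octet out of range in {spec!r}")
                choices.append([value])
        return {ipaddress.IPv4Address(".".join(map(str, combo)))
                for combo in itertools.product(*choices)}

    match = _RANGE_RE.match(spec)
    if match:
        # Range notation x.x.x.x-y: the last octet runs from its value in x up to y.
        start = ipaddress.IPv4Address(match.group(1))
        first = int(start) & 0xFF
        last = int(match.group(2))
        if not first <= last <= 255:
            raise ValueError(f"bad last-octet range in {spec!r}")
        return {start + offset for offset in range(last - first + 1)}

    # Plain single address (also the usual form of an Exclusion entry).
    return {ipaddress.IPv4Address(spec)}


def scan_targets(inclusions: Iterable[str],
                 exclusions: Iterable[str]) -> List[ipaddress.IPv4Address]:
    """Return the sorted addresses a scan would probe: all Inclusions minus all Exclusions."""
    included = set().union(*(expand_spec(s) for s in inclusions))
    excluded = set().union(*(expand_spec(s) for s in exclusions))
    return sorted(included - excluded)


if __name__ == "__main__":
    targets = scan_targets(SAMPLE_INCLUSIONS, SAMPLE_EXCLUSIONS)
    print(f"{len(targets)} addresses would be scanned; first few: {targets[:5]}")
```

Expanding the specs up front is also a useful sanity check on a profile: a wildcard such as 10.*.*.* expands to millions of addresses, which is a sign the Inclusions are broader than intended and should be narrowed or paired with Exclusions before the scheduled scan runs.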

Discovery Jobs
Once a scan is running, check its progress on the Discovery Jobs tab. You can also cancel the job on
this panel by clicking Cancel Job. Once it is complete, view a summary of its results on the Device
Scan History tab.

Note

The Discovery Jobs and other tables are refreshed according to the default set on the
Global Settings page. Table Refresh Interval is in the Basic Settings section, and defaults to
60 seconds.

Device Scan History

Select the Device Scan History tab to view the results of a device discovery scan. This tab defaults to
showing Most Recent Scans for each Profile. Each row shows a Scan Profile, its latest discovery date
and time, and a summary of the scan results. The summary shows a count of discovered devices, how
many are new, and not found. "Not found" devices were discovered by a previous run of the same
Scan Profile, but are now missing. These numbers refer only to the latest run of this scan profile.
Clicking the Summary numbers opens the Scan Results window with focus on that category tab.

The Most Recent Scans page has a filter capability and three buttons: View Summary Details, View
Scan Results, and View Scans.

View Summary Details

The View Summary Details button opens the Scan Results window. The Scan Information tab displays
the Scan Profile name and the Job Time. The Discovered Devices, New Devices, and Not Found
Devices tabs list the Device Names of each respective category. The Logs tab displays a table
including each action taken regarding this scan.

View Scan Results

On the Device Scan History tab, click a Scan Profile row, then click View Scan Results to see information
about the discovered devices. The device name, its Operating System, and its scan status are
displayed. A checkbox indicates whether CA Privileged Access Manager manages the device. To
manage a device, select it by clicking its row or checking the box to the left of its device name. The
Manage button above the Is Managed column activates. Click Manage, and answer the dialog box.
You can also click the Manage All button to manage all listed devices. The Export button sends
detailed information on each discovered device to a CSV file. The Logs button displays a window with
a log table including each action taken regarding this scan. The Update button is active for one device
at a time. It allows you to change the management, access methods, services, and applications
associated with the selected device.

View Scans
To see all scans that have been run for a given Profile, click the View Scans button above the Summary.
The resulting table lists each Scan Discovery Time and the number of Discovered, New, and Not Found
Devices for each Scan Job. Select a Scan Discovery Time and click either the View Summary Details
button for lists of the Device Names discovered, or the View Scan Results button for detailed,
updatable information. See View Summary Details or View Scan Results for more information.

To see all discovered devices rather than just those for a given scan, select the Discovered Devices
tab at the top of the Discovery area.

Note: The number of items in the Device Scan Results is controlled by the Global Settings page.
Default Page Size, under Basic Settings, defaults to 30. This option also controls the number of items
shown in the Device discovery lists.

Discovered Devices
The Discovered Devices tab on the Autodiscovery panel displays a list of all devices that it has ever
discovered, their Operating Systems, their scan status, and Latest Discovery Time. A checkbox
indicates whether CA Privileged Access Manager manages the device.

Manage
To manage a device, select it by clicking its row or checking the box to the left of its device name. The
Manage button above the Is Managed column activates. Click Manage, and answer the dialog box.
You can also click the Manage All button to manage all listed devices.

Export
The Export button sends detailed information on each discovered device to a CSV file.

Update
The Update button is active for one device at a time. Click Update to display the Update Discovered
Device window. The various tabs allow you to change the management, access methods, services,
and applications associated with the selected device. The Device Information tab provides details
such as IP address, OS detail, status, and the profile name and its discovery time.

Note

The number of items in the Discovered Devices is controlled by the Global Settings page.
Default Page Size, under Basic Settings, defaults to 30. This option also controls the number
of items shown in the Device discovery lists.

Device Setup
In addition to Device Discovery (see page 136) (Autodiscovery), CA Privileged Access Manager Devices
can be created using the Device Templates or using CSV import.

Device Creation Prerequisites

Access types might need to be set up before Device setup. These types include:

Access Methods – invoke the CA Privileged Access Manager proprietary Java applet, downloaded from
CA Privileged Access Manager to a local Client computer

TCP/UDP Services

Native Services – invoke a resident application on a local Client computer

Web Portals – invoke an HTTP/HTTPS website

RDP Applications – invoke a resident application on the target RDP Device

Using the Device Template

From the Menu Bar, select Devices, Manage Devices, Create Device to add a new device.
Required fields are highlighted in the GUI with red text. An expansion pane opens in a gray border.
Some panels in that pane are associated with specific Device Types, and only appear if that Device
Type is selected.

Extra button controls appear in the following cases:

When editing a previously created record: Copy and Delete buttons

When one or more policies have been defined: Link to Manage Policy

Link to the Target Application List for provisioning Target Applications and Target Accounts

Device Template Fields

Device template fields are described in the following list, grouped by the panel in which they appear.

Basic Info

Device Name (Required) - The user-specified name of the device. Users see this name on the access
page. Note: Double-byte characters such as those used for traditional Chinese are supported.

Address (Required) - The device IP address or FQDN (DNS must be set up properly under the
Configuration login Network screen). Note: Beginning with version 2.2.0 and SFA 2.x, communication
is possible whether an IP address or FQDN is used.

Scan - The utility that executes a port scan to detect services that have been configured.

Operating System - The Device OS, chosen from the drop-down list.

Location - The physical device location, chosen from the drop-down list.

Device Type - Select one or more of the listed device type designations to provision their
functionality in this device: Access, Password Management, A2A. Each device type prompts its own
panel fields; those panels are listed below under their own headings.

Description - The field used for additional information.

Special Type - Click the option button Special Type = yes only for KVM over IP, intelligent power, or
serial console devices.

Access: Special Type (appears only upon selection of "yes" for the option button Special Type)

Device Type (Required) - Select from an enumerated list of the CA Privileged Access Manager-aware
device types.

Login - If required by Device: Username for access.

Password - If required by Device: Password for the identified Username.

Protocol (Required)

Ports

Manage Custom Types - Opens a shadow window to allow specification.

Password Management: Target Server

Description 1 - Custom description category 1

Description 2 - Custom description category 2

A2A: Request Client

Description 1 - Custom description category 1

Description 2 - Custom description category 2

Active - Activation status to permit the A2A client to receive credentials from CA Privileged Access
Manager. True or false. Default: false.

Preserve Hostname - Prevents the request server host name from being overwritten each time this
A2A Client registers. Default: When left empty, the existing hostname value is not changed.

Tags

Specification of label attributes for the current Device. A tag can be applied to a Device record in one
of two ways:

When the tag already exists in at least one Device record: selection from the drop-down list of
existing tags generated by autosuggestion upon typing

When the tag does not yet exist in any Device record: typing the tag name, then pressing Enter

Access: Access Methods

Available Methods - The permitted methods that users can employ to gain access to the device.
For the current release, these methods include: VNC, Telnet, SSH, Serial, Power, RDP, KVM.
Mainframe licenses provide (in addition): TN3270, TN3270SSL, TN5250, TN5250SSL.
When certain Access Methods are selected, an expansion pane provides additional information. For
example, Name appears to label the Access Method, or a Port to assign.

The fields that appear for each Access Method applet (in GUI order), the default port (if any), and
the port specification rule:

VNC - Fields: Name, Port. Default port: 5900. Single port.

Telnet - Fields: Name, Port. Default port: 23. Single port.

SSH - Fields: Name, Port. Default port: 22. Single port.

X11 Forward - The SSH Access Method can provide X11 (X Windows v11) forwarding tunneled
within SSH when: (1) the X11 Forward checkbox (which appears after choosing SSH from the
drop-down) is selected, and (2) the user client computer has been configured with an X11 server
(such as Xming, or OpenText (Hummingbird) Exceed).
Note: The product supports keystroke logging and command filtering for all activities conducted
within the SSH applet. However, because the X11 server is running on the local client, it cannot
provide graphical session recording, or command filtering, for actions taken within the forwarded
graphical application.
Note: The X11 feature cannot currently be applied to device groups.

Serial - Fields: Port, OOB Host (Available Devices).

Power - Fields: Port, OOB Host (Available Devices), No. of Tries, On Delay (seconds), Off Delay
(seconds). [After the first entry, the values to the left are preserved in the template for subsequent
entries.]

RDP - Fields: Name, Port, Console. Default port: 3389. Single port.

KVM - Fields: Port, OOB Host (Available Devices).

Embedded VNC - Fields: Name, Port. Default port: 5900. Single port.

TN3270 - Fields: Name, Port. Default port: 23. Single port.

TN5250 - Fields: Name, Port. Default port: 23. Single port.

TN3270SSL - Fields: Name, Port. Default port: 23. Single port.

TN5250SSL - Fields: Name, Port. Default port: 992. Single port.

Add - Confirms the selected Access Method. Identifies the now-available Access Method in a list to
the right in the pane.

Access: Services

TCP/UDP & APP Services - Lists: sftpftp, sftpftpemb, sftpsftp, sftpsftpemb, TSWEB

Add - Confirms the selected TCP/UDP service or Application. Identifies the now-available service in
a list to the right in the pane.

SSLVPN Services - Lists the available services as defined in the Config: SSL VPN menu.

Add - Confirms the selected SSL VPN service. Identifies the now-available service in a list to the
right in the pane.

Access: Monitoring (options appear only upon selection of the blue link button: Configure Device
Monitoring)

Protocol

Port

Contact

Add

Access: Terminal

Term Type - ansi; ibm (allows punch-through (only) to an AS/400 target device using a CA Privileged
Access Manager provisioned credential); scoansi; vt100 (Default); vt220; vt320; xterm

Key Mapping - None selected; AT 386; xterm-vt220 (Default); vt320

"End" to Select - Note: This function is deprecated.

Terminal Customization - Triggers the Terminal Customization expansion pane

Access: Terminal Customization (appears only upon selection of the above checkbox: Terminal
Customization)

Character Encoding - Default: UTF-8

Font Family - Default: Monospaced

Font Size - Default: 11

Cursor Foreground - Default: #000000

Foreground Color - Default: #ffffff

Background Color - Default: #000000

Terminal Size - Default: [80,24]

Buffer Size - Default: 100

Scroll Position - Default: Right

Groups

Available Groups - Allows the Device to be associated with a Device Group. Available groups are
listed in the drop-down list.

Add - Confirms the selected Device Group. Identifies the now-available Device Group in a list to the
right in the pane.

Special Type Device Specification


Special Type Devices provide remote terminal server or power control functions to other Devices.
Special Type Devices support an out-of-band (OOB) "access method" of Power, KVM, or Serial
connection. Special Type Devices are thus specified as intermediary Devices between a User and
another Device that is the target of that access method.

OOB Host Specification

An out-of-band device that is used with a target device has its own Device record, which is then
referenced when the out-of-band access method is specified for the target.

1. Click the Yes option button for the Special Type option.
An expansion pane to provide configuration details appears.

2. From the Type drop-down list, select the correct KVM, power, or serial console and Access
Methods.
Note: Select Generic Terminal Server to configure any device that uses reverse Telnet.

3. If a Login and Password are supplied here, Users are not prompted.

4. The Ports field allows one of the following:

Zero or more ports, each pair separated (consistently) by either a comma, a space, or a comma
and a space, and in any order.
Example: 78, 8902,1333
Example: 3245, 3320

or

Zero or one port range with 500 or fewer ports.
Example: 5-15
Example: 14575-15020

No port mapping

Note: Some Device Types pre-populate the Ports field with the expected default port numbers.
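The Ports field rules above, worked through as an added example that is not part of the product or of this guide: a Python validator that accepts an empty field (no port mapping), a comma- or space-separated port list, or exactly one range of at most 500 ports, and rejects anything else before the value is written into a Device record. The guide's own example 78, 8902,1333 mixes separators, so the parser accepts any combination of commas and spaces rather than insisting on one consistent separator. The 1-65535 port bound and the names PortSpec, parse_ports_field and is_valid_ports_field are this example's assumptions; the sample field values are the guide's examples plus a constructed empty field.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAX_RANGE_PORTS = 500          # rule from the guide: one range may cover 500 or fewer ports
PORT_MIN, PORT_MAX = 1, 65535  # assumption: standard port bounds; the guide does not state them

# Sample field values: the guide's own examples plus a constructed empty field.
SAMPLE_PORT_FIELDS = ["78, 8902,1333", "3245, 3320", "5-15", "14575-15020", ""]


@dataclass
class PortSpec:
    """Parsed content of a Special Type Device's Ports field."""
    ports: List[int] = field(default_factory=list)   # explicit port list (may be empty)
    port_range: Optional[range] = None               # at most one contiguous range

    def count(self) -> int:
        """Number of ports the field maps; 0 means no port mapping."""
        return len(self.ports) + (len(self.port_range) if self.port_range else 0)


def _check_port(value: int, text: str) -> None:
    if not PORT_MIN <= value <= PORT_MAX:
        raise ValueError(f"port {value} out of range in {text!r}")


def parse_ports_field(text: str) -> PortSpec:
    """Parse the Ports field: empty (no mapping), a list of ports separated by
    commas and/or spaces, or exactly one range 'lo-hi' with no other ports."""
    value = text.strip()
    if not value:
        return PortSpec()  # empty field: no port mapping

    # A single range, e.g. 14575-15020 (whitespace around the dash tolerated).
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        _check_port(lo, text)
        _check_port(hi, text)
        if hi < lo:
            raise ValueError(f"range end precedes start in {text!r}")
        if hi - lo + 1 > MAX_RANGE_PORTS:
            raise ValueError(f"range covers {hi - lo + 1} ports; limit is {MAX_RANGE_PORTS}")
        return PortSpec(port_range=range(lo, hi + 1))

    # A dash anywhere else means a range mixed with a list, or a second range.
    if "-" in value:
        raise ValueError(f"only one range, with no other ports, is allowed: {text!r}")

    # Otherwise a plain list: commas, spaces, or both act as separators.
    ports: List[int] = []
    for token in re.split(r"[,\s]+", value):
        if not token.isdigit():
            raise ValueError(f"unexpected token {token!r} in {text!r}")
        port = int(token)
        _check_port(port, text)
        ports.append(port)
    return PortSpec(ports=ports)


def is_valid_ports_field(text: str) -> bool:
    """True when the field would be accepted, False when it violates a rule."""
    try:
        parse_ports_field(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in SAMPLE_PORT_FIELDS:
        spec = parse_ports_field(sample)
        print(f"{sample!r:>16} -> {spec.count()} port(s): {spec}")
```

Rejecting a mixed value such as 22, 80-90 at input time is the point of the validator: the guide allows either a list or one range, and a field that silently dropped part of such a value would leave an OOB port unmapped without any visible error.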

OOB Target Specification


After preparing a record for an OOB host, you can apply that host to a target device that uses the
OOB access method.

1. In the target Device record, select the expansion template link for the OOB method that is
used: Serial, Power, or KVM.
A set of configuration fields to provide configuration details appears.

2. In the drop-down list for OOB Host, select the Special Type Device that you prepared as an
OOB Host.

3. Repeat the specification for any additional OOB methods that are to be used.

Multiple Power configurations can be made using different OOB power devices, or the same OOB
power device using different ports, or those options in combination.

Define a Custom Special Type

The CA Privileged Access Manager administrator can create and edit a new Special Type in the
shadow pop-up window that opens from the Manage Custom Types button below the Type drop-
down list.

Create a custom Special Type by specifying a Device [Type] Name, the Protocol (Telnet or SSH),
and (a series of) command/response pairs, and click Save This Device. The new, custom Special
Type appears both in the Existing Custom Devices [Types] list at the bottom of the shadow window,
and on the Special Type: Type drop-down list on the main Manage Devices page.

Edit a custom Special Type by clicking it in the Existing Custom Devices list, changing any fields,
and then saving it again.
Note: Although the custom Special Type record can be edited, it cannot be deleted.

Tag Creation and Assignment


Device tags are text strings (of any form and length) that can be used arbitrarily to group, and search
for, Devices independently of the (predefined) Device attributes and without the functions and
restrictions of Device Groups. A Device tag is created within a specific Device record, but once
created it can be copied to other Devices. Tags have no dependence on any other characteristics of
those Devices. Multiple tags can be assigned to a Device, so it is possible to create a wide variety of
groupings.

The Tags field allows you to either select an existing tag (from a drop-down list) or create a new tag
(by typing it and then pressing Enter), and in so doing assign it to the current Device. When you start
typing into the Tags field, a list of currently available tags appears in the multiselection autosuggest
drop-down list.

See Manage Tags (see page 159) for more information.

Example
You might have a number of devices that use a Windows operating system, but also a number that do
not. For some network maintenance purpose, you collect all Windows devices – whether Windows XP,
Windows Server 2008, or others – into one group. In that case, you can tag all those Devices with Windows.
On the Manage Devices and Access pages, you can then search for "windows" to collect all instances.

Access Methods and Services Specification

To specify Access Methods or Services on this device:

1. In the panel Access Methods, to the right of Add, click the blue name-link of a desired
Access Method.
This expands the Create Device pane so that further definition can be applied to the Device
Access Method specification.

For each provisioned Access Method, specify an (optional) Custom Name and a Port
number. The Port field is pre-populated with the default value for the corresponding
Access Method.

For each OOB device, identify the applicable OOB Host, and apply an (optional, single) Port
number.

Repeat as desired.

2. At the right-hand side of the panel Services, click Add on its blue name-link.
This invokes a pop-up pane from which you can select from the set of defined services.

3. For each desired Service, click the checkbox.
The selected service is immediately specified directly to the right of the Services label.
Now that at least one Service is listed, the Add button changes to Edit.

Repeat as desired.

4. Click Save to save the (full page) specification, close the editing panel, and return to the
Manage Devices page (or continue with other edits in this pane).
Note: If you return to this Device record, you see that the selected items in the Access
Methods pane are collapsed in a similar way to those in the Services pane.
Click Edit to re-open the Access Method editing environment.

Monitoring Specification

Important

We recommend that you inquire about your organization policies, as these network
heartbeat checks might not be permitted.

A Device can be configured to monitor protocol availability. This functionality allows the security
team to see the status of the devices to which they are providing access. When monitoring is
configured for a device, users can see the status of the protocol at the Device under the
Monitoring menu button. To use the monitoring options, expand the Monitoring pane.

A Protocol must be specified from the drop-down list, and a single Port can be designated. The
available types of monitoring, with their ports in brackets, are ICMP (ping), verification of TELNET (23),
ftp (21), http (80), SMTP (25), IMAP (143), POP2 (110), SSH (22), DNS (53), NTP (123), and custom
TCP (any port).

The Contact User (a CA Privileged Access Manager administrator) must be provided: an email alert is
sent to this User in the event of a protocol contact failure.

After the monitored protocol is added and thus registered, it appears to the left of the widget.

Terminal Customization Specification


Terminal access to a Device can be specified so that any User receives an administrator-
recommended screen presentation. This can be helpful for Users who do not know the ideal settings.

Note: A User can override this customization by specifying user-based Terminal Settings.

Cases

Multiple Credential Sources


An administrator can specify a managed Device as a Credential Source in a Device Group.
Credentials from that source can be used to make an RDP auto-connection to a (different) target
Device.

More than one Credential Source can be used for a particular Device Group.
When configuring policy for that Device Group, all accounts of the multiple Credential Sources are
available for selection. When a User initiates a connection, these administrator-selected options
are presented so that the User can select one.

All Access Methods and Services that are supported for the Devices in a Device Group that has
one or more Credential Sources can be used.

Provisioning Multiple Credential Sources

To set up CA Privileged Access Manager records that allow multiple credential sources to provide
optional credentials to Users to access Devices:

Note: Where not already proper nouns, capitalized names refer to CA Privileged Access Manager
objects. For example, "User" refers to a User account, and "Device" refers to a Device record.

1. Create, or identify from existing Devices, a set of desired target Devices for which you use CA
Privileged Access Manager auto-connection to make connections (Devices, Manage Devices).
In the example that is used for this procedure, these targets are named:

TargetDevice1

TargetDevice2

TargetDevice3

2. Create or identify existing Devices to be used as Credential Sources (Devices, Manage Devices).
To recap the relationships:

A Credential Source Device is a Target Server for Target Applications and their dependent
Target Accounts, maintained in CA Privileged Access Manager Credential Manager, that
can be used to access other Devices.

The actual device that each Credential Source Device represents maintains access
credentials for other (target) devices. For example, it might host a Windows Active
Directory (AD) Domain Controller, or some other LDAP-based server.

The accounts that are maintained by those servers are represented by corresponding
Credential Manager Target Account records. Those CA Privileged Access Manager
records can be configured to periodically synchronize with the directory servers to
maintain an accurate representation.

17-Feb-2017 148/416
CA Privileged Access Manager - 2.8

The purpose of designating a Credential Source is to be able to associate its Target
Accounts to other Devices, by specifying both types of Devices in a particular Device
Group.

The member Credential Sources in a Device Group determine the full range of
credentials that are available for CA Privileged Access Manager auto-connection use by
members of that group.

You can use the credentials from any Target Account of any member Credential Source
to access any member Device.

In the example that is used for this procedure, these Devices are named:

CredSourceDevice1

CredSourceDevice2

and each maintains a portion of the credentials managed for TargetDevice1, TargetDevice2,
and TargetDevice3.

3. Create a Local Device Group (Devices, Manage Groups):

DeviceGroup1

that uses the specified Credential Sources for access to the specified target Devices.

4. Create the Target Applications and Target Accounts that are used to manage those access
credentials (Policy, Manage Passwords, [Credential Manager menu], Targets, Applications,
and Accounts).
In the example, access credential accounts are set up as follows:

On CredSourceDevice1: CredSourceDevice1_App1_Acct1
CredSourceDevice1_App1_Acct2

On CredSourceDevice2: CredSourceDevice2_App1_Acct1

Again, each of these credentials is applicable for access to all three example Devices.

5. Set up a policy for a User/User Group with this Device Group ( Policy, Manage Policies).
You can now select for auto-connection from the list of all credentials maintained by these
Credential Sources.

Alternative Navigation to Template


Edit a Device from a Policy Record
An administrator can edit a Device record by invoking it directly from the Manage Policies page.

1. Open the Policy, Manage Policies page.

2. Populate the Device (Group) field with a record name.

3. Double-click the name to display its editing template in a shadow box window.

4. When finished, click Save (or Cancel) to return to the Manage Policies page.

Navigate to Other Templates


Edit Targets from the Manage Devices Page
An administrator can edit a Password Management Device Target Application or Target Account
record by invoking the Application List directly from the Manage Devices page:

1. Click either the Save and Add Target Applications or the Manage Target Applications button
to hover an Application List shadow box above the Device record.

2. From within the shadow box page, you can switch between the Target Application List and
the Target Account List. The GUI controls are presented as they would be when named
instead from Targets, Target Applications:

Edit a Target Application by clicking on its Application Name.

Edit a Target Account by first clicking Go to Accounts List in the upper-left corner, then
clicking on its Account Name.

3. When finished, exit the shadow box by clicking the blue X at the upper right.

More Information:

For information about importing Devices using a CSV file, and importing AWS and VMware
Devices, see Import and Export Devices (see page 150).

Import and Export Devices


As a CA Privileged Access Manager Administrator, you can import a device list in CSV format as an
alternative to adding the devices individually. You can also export Devices and Device Groups. You
can import AWS and VMware Devices.

Import Devices and Device Groups


You can import a CSV file with a list of Devices. A sample file can be downloaded by selecting Devices,
Import/Export Devices, Download Sample File. The sample file lists all of the required fields. You can
use the format to manipulate an existing device list from another source, such as an inventory control
database.

Configure Internet Explorer


To use the Import/Export functions with Internet Explorer (IE), changes might need to be made to the
security settings. To establish IE security settings:

1. Open IE browser.

2. Select Tools, Internet Options.

3. In the Internet Options pop-up window, select the Security tab.

4. Select the slider zone

5. Click Custom level. Scroll to Downloads. For File download, select the Enable option.

6. Click OK to save changes.

Export Devices and Device Groups


A CSV list of all configured devices can be downloaded by choosing Export Devices. This exported file
can be used to make a revised version, and then imported back into CA Privileged Access Manager.

Special Type Device Passwords

Important

If you export a device file containing Special Type devices, the exported file does not contain
the password. Therefore, if you import that file back into CA Privileged Access Manager, the
passwords are not present in the import.

Import from AWS


After CA Privileged Access Manager is configured in Config, 3rd Party to access an AWS account and
Enable Syncing is activated, the instances that are contained in that account (for the configured
Region) with State green/"running" are imported as CA Privileged Access Manager Devices. Instances
that have been tagged (in AWS) with the tag Key xsuiteignore are not imported. The list is cyclically
refreshed according to the Config, 3rd Party parameter Enable Syncing, or upon clicking the Refresh
AWS Devices link at the top of the list.

The Device records created cannot be deleted except upon disconnection from AWS.

The following CA Privileged Access Manager Device attributes are populated from AWS instance
attributes, and cannot be edited:

The AWS Name and AWS Instance ID are combined to create a CA Privileged Access Manager
Device Name of "awsName (awsInstance)".

The Device Address is populated with the AWS Public DNS.

The Device Operating System is populated.

The following CA Privileged Access Manager Device attributes are populated from AWS instance
attributes, and can be edited in the Device record:

Access Methods are populated with:

RDP using port 3389 for Windows OS

SSH using port 22 for UNIX and Linux OS

The device xceedium.aws.amazon.com is a Credentials Management placeholder Device that is
created at the time AWS is configured to manage AWS access keys in CA Privileged Access Manager.
It cannot be edited, but is created/removed in sync with an AWS configuration Save.

Import from VMware


After CA Privileged Access Manager is configured in Config, 3rd Party to access a VMware account and
Enable Syncing is activated, the instances that are contained in that account are imported as Devices.
Instances that have been tagged in the VMware appliance Summary, Annotations, Notes field with
the string XsuiteIgnore (anywhere in the field) are not imported.
The list is cyclically refreshed according to the Config, 3rd Party parameter Enable Syncing, or upon
clicking the Refresh AWS Devices link at the top of the Manage Devices list.

During import, each virtual machine (instance) in VMware results in the creation of a Device:

The Name of the Device that is created is the combination: "VMwareInstanceName – vm-nn"
where "nn" is a VMware assigned number.

When available, the internal Address of each Device is provided; otherwise it is marked as
"Not-Active-VmwareDeviceName - vmnn". You cannot edit it.

The discovered IP Address cannot be edited.

During import, each folder in VMware results in the creation of a Device Group:

The Name of the Device Group that is created is the combination: "VMwareFolderName -
group-vnn" where "nn" is a VMware assigned number. You can edit it.

The Group Type is "VMware", and cannot be edited.

The Description is "VMware derived group", and can be edited.

All VMware imported Devices are members of a VMware-determined CA Privileged Access
Manager Device Group. For VMware instances with no containing folder (in VMware), the Device
Group named "VM" is used.
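The AWS and VMware import rules described in the two sections above (which instances are skipped, and how the resulting Device and Device Group records are named) can be checked against an inventory before a sync is enabled. The following Python is an added illustration written for this page; it is not CA Privileged Access Manager code. The input record field names (state, tags, notes, vm_number, folder_number and so on) are this example's own, the inventories are constructed, and exact-case matching of the xsuiteignore tag Key is an assumption, since the text does not say how the product compares it.

```python
"""Model of the documented AWS and VMware Device import rules.

Added illustration, not CA Privileged Access Manager code. It applies the
filtering and naming rules stated in Import from AWS and Import from VMware
to constructed inventory records, so an administrator can predict which
Device records a sync creates and what they are named. Input field names
are this example's own; tag-key case matching is assumed exact.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AWS_IGNORE_TAG_KEY = "xsuiteignore"      # tag Key that excludes an AWS instance
VMWARE_IGNORE_MARKER = "XsuiteIgnore"    # string anywhere in the VMware Notes field


@dataclass
class Device:
    name: str
    address: str
    os: str
    group: Optional[str] = None                     # VMware folder-derived group
    access_methods: List[Tuple[str, int]] = field(default_factory=list)


def aws_device(instance: Dict) -> Optional[Device]:
    """Device produced by one AWS instance record, or None if the sync skips it.

    Skipped: instances whose State is not "running", and instances tagged
    with the xsuiteignore Key. Name is "awsName (awsInstance)", Address is
    the Public DNS, Access Method is RDP/3389 for Windows and SSH/22 otherwise.
    """
    if instance["state"] != "running":
        return None
    if AWS_IGNORE_TAG_KEY in instance.get("tags", {}):
        return None
    os_name = instance["os"]
    methods = [("RDP", 3389)] if os_name.lower().startswith("windows") else [("SSH", 22)]
    return Device(
        name=f'{instance["name"]} ({instance["instance_id"]})',
        address=instance["public_dns"],
        os=os_name,
        access_methods=methods,
    )


def vmware_device(vm: Dict) -> Optional[Device]:
    """Device produced by one VMware VM record, or None if the sync skips it.

    Skipped: VMs whose Notes contain XsuiteIgnore anywhere. Name is
    "VMwareInstanceName – vm-nn"; when no internal address is known the
    Address is "Not-Active-VmwareDeviceName - vmnn"; the group is the
    folder-derived "VMwareFolderName - group-vnn", or "VM" with no folder.
    """
    if VMWARE_IGNORE_MARKER in vm.get("notes", ""):
        return None
    nn = vm["vm_number"]
    address = vm.get("internal_address") or f'Not-Active-{vm["name"]} - vm{nn}'
    group = f'{vm["folder"]} - group-v{vm["folder_number"]}' if vm.get("folder") else "VM"
    return Device(
        name=f'{vm["name"]} \u2013 vm-{nn}',    # en dash, as shown in the text
        address=address,
        os=vm.get("os", ""),
        group=group,
    )


# Constructed inventories standing in for what the AWS and VMware APIs return.
SAMPLE_AWS_INSTANCES = [
    {"name": "web01", "instance_id": "i-0aaa", "state": "running", "os": "Windows Server 2012",
     "public_dns": "ec2-web01.example.test", "tags": {}},
    {"name": "db01", "instance_id": "i-0bbb", "state": "running", "os": "Amazon Linux",
     "public_dns": "ec2-db01.example.test", "tags": {"xsuiteignore": "true"}},
    {"name": "batch01", "instance_id": "i-0ccc", "state": "stopped", "os": "Ubuntu",
     "public_dns": "ec2-batch01.example.test", "tags": {}},
    {"name": "app01", "instance_id": "i-0ddd", "state": "running", "os": "Ubuntu",
     "public_dns": "ec2-app01.example.test", "tags": {}},
]
SAMPLE_VMWARE_VMS = [
    {"name": "fileserver", "vm_number": 42, "notes": "", "folder": "Prod", "folder_number": 7,
     "internal_address": "10.0.0.5", "os": "Linux"},
    {"name": "lab-box", "vm_number": 43, "notes": "scratch XsuiteIgnore host", "folder": "Prod",
     "folder_number": 7, "internal_address": "10.0.0.6", "os": "Linux"},
    {"name": "orphan", "vm_number": 44, "notes": "", "os": "Windows"},
]


def run_sync(aws_instances=SAMPLE_AWS_INSTANCES, vmware_vms=SAMPLE_VMWARE_VMS) -> List[Device]:
    """Return every Device record the two imports would create, in inventory order."""
    devices = [aws_device(i) for i in aws_instances] + [vmware_device(v) for v in vmware_vms]
    return [d for d in devices if d is not None]


if __name__ == "__main__":
    for d in run_sync():
        print(f"{d.name:24} {d.address:30} group={d.group} methods={d.access_methods}")
```

Running the module prints the four records that survive the filters: the two running, untagged AWS instances (with RDP or SSH chosen by OS) and the two VMware VMs whose Notes do not carry the marker, including the placeholder Address and the "VM" group for the VM that has no folder.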

Device Group Setup


For ease in administration, Devices can be added to groups. Devices in a Device Group share common
access methods and functionality. Though any Devices can be members, to take advantage of
grouping it is best to aggregate functionally similar devices.

When using Device Groups, unless otherwise specified, the concept of deny takes precedence. If the
service is not defined as available at the device level, it is not available at the group level. In other
words, the most restrictive policy is used when a conflict arises.

Create/Edit a Device Group


1. On the Devices, Manage Groups page, select Create Device Group.
The Device Group template opens.

2. Enter a Group Name and Description. If licensed for AWS, Select a Group Type.

3. To propagate Access Methods and Services (to only the Access Type members), select Access
Methods and Services to enable in those group members.

4. Identify the member Devices from the drop-down list that appears when you select the field.

Create an AWS Device Group for Linux/UNIX Devices


In AWS, Linux and UNIX instances use AWS Key Pairs. If all instances in a planned Device Group use
the same key pair, group policy can be provisioned to use that key pair for auto-connection.

1. Create an AWS-type Device Group.

2. Assign AWS instance imported Devices to it, all of which use the same key pair.

3. Create a policy with that Device Group.

4. From the SSH applet credential pop-up box, select the key pair held in common.

This key pair is used for auto-connection for any Device in the group.

Edit a Device Group from the Manage Policies Page


An administrator can edit a Device Group record by invoking it directly from the Manage Policies
page.

1. Open the Policy, Manage Policies page.

2. Populate the Device (Group) field with a record name.

3. Double-click the name to display its editing template in a shadow box window.

4. When finished, click Save (or Cancel) to return to the Manage Policies page.

Device Groups fields


Field                         To Configure

Basic Info

Group Name (Required)         The user specified name of the device group that the users see on the
                              access page.
                              Note: Double-byte characters such as those used for traditional Chinese
                              are supported.

Group Type (Required)         If this appliance/instance has been configured for AWS use, two options
                              are available: "Local" and "AWS".
                              If "AWS" is selected, this Device Group acts as a container for Devices
                              that are created as a result of an import of AWS devices, where each
                              device has a tag of Key = "XsuiteGroups" and Value = "[CA Privileged
                              Access Manager Group Name]". Following import, the group cannot be
                              deleted unless 3rd party, AWS Configuration is cleared or the group
                              becomes empty. The group is updated according to the schedule in AWS
                              Configuration.

Description                   This field is used for any additional information the administrator
                              wishes to add to this record.

Access Methods

VNC, Telnet, SSH, Serial,     Checkbox (for each method) indicates that each member of the Device
Power, RDP, KVM, TN3270,      Group can respond to the specified Access Method.
TN5250, TN3270SSL,
TN5250SSL

Services

TCP/UDP & APP Services        Selection (post-Add button) indicates that each member of the Device
                              Group can respond to the specified Service or Application.
                              Enumerated list: TCP/UDP, sftpftp, sftpftpemb, sftpsftp, sftpsftpemb,
                              Web Portal, TSWEB

Add                           Allows the selected TCP/UDP service or Application to be used by the
                              Device Group. Identifies the now-applicable service in a list to the
                              right in the pane.

SSLVPN Services               Selection (post-Add button) indicates that each member of the Device
                              Group can respond to the specified SSL VPN Service.
                              Lists the available services as defined in Config: SSL VPN menu.

Add                           Allows the selected SSL VPN service to be used by the Device Group.
                              Identifies the now-applicable service in a list to the right in the
                              pane.

Devices

[List]                        The new Device Group is populated here with (existing) Devices.
                              To add a Device: Start typing its name until it appears in a pop-up
                              drop-down list. Then select it (its line item) to populate the Devices
                              field.

More Information:

For information about importing an LDAP Group, see Import LDAP Groups (see page 155).

Import LDAP Groups


As an administrator, you can import an LDAP Group to CA Privileged Access Manager. This feature
allows you to create a CA Privileged Access Manager Device Group which refers to a group
maintained on an LDAP server. The CA Privileged Access Manager appliance must have been
previously licensed through the Config, Upgrade page, and configured through the Config, 3rd Party
to access the LDAP server. After the LDAP server has been thus provisioned, LDAP groups are
available for importing through the Devices, Manage Groups page:

To launch the LDAP Browser from the Manage Groups page, click the link Import LDAP Group.

Your CA Privileged Access Manager must be licensed for the LDAP Browser to launch.

In the LDAP Browser


Near the top of the left pane, under the Explore tab, a graphical representation of an LDAP DIT is
displayed. When you select an item or node in the left pane, you see that object's attributes on the
right. In this example, the LDAP attributes for the selected item System are shown. This LDAP entry
has a checkbox so that you can potentially select it and its members for import.

Menu Item                     Definition

Copy icon                     Copy the Distinguished Name of the selected entry to the Clipboard.
(No Text-Menu item)

Group icon                    Display all the groups in this container.
(No Text-Menu item)           After selecting an object in the tree under the Explore tab, click this
                              button. You then switch to the Results tab, under which you see a fully
                              expanded tree of all groups (objectClass: group) contained within the
                              selected object.

File

Connect                       Log in to an LDAP database. Invokes a pop-up window from which you can
                              select from currently accessible domains.

Disconnect                    Log out from the current LDAP domain.

Print                         Print currently selected node.

Exit                          Close browser window.
                              Note: Browser continues running while connection is active, and during
                              that time can be invoked again from the Devices, Manage Groups: Import
                              LDAP Group button.

View                          Viewing options for graphical menu items below the main menu

Show Button Bar               Icon-based menu
                              Location: Below the main menu bar, at the left side
                              Default: On

Show Search Bar               Location: Below the main menu bar, at the right side
                              Default: On

Options

Set LDAP Connection Timeout   Maximum time (seconds) before a connection attempt is canceled. This is
                              useful when multiple servers are specified for a particular LDAP domain
                              in Config, 3rd Party configuration.
                              Default: 60 seconds

Set Result Set Page Size      Maximum number of records in an LDAP directory before pagination is
                              triggered for representation in the browser tree.
                              Number of records in each page of a paginated subtree.
                              Default: 1000

Bookmark                      A bookmark can be made on any leaf (directory, group, device, or other
                              object) in a tree so that it can later be selected directly from the
                              menu. Bookmarks are saved for each domain, and appear only when the
                              browser is connected to that domain.

Add Bookmark                  Opens an editing window for bookmarking the currently selected leaf:
                              DN – pre-populated with the current Distinguished Name (DN)
                              Bookmark Name – pre-populated with the current Common Name (CN)
                              Description – (blank)

Edit Bookmark                 Opens a bookmark selection window. Selection in turn opens a bookmark
                              editing window (see Add Bookmark).

Delete Bookmark               Opens a bookmark selection window. Selection in turn deletes and
                              confirms deletion of the bookmark.

Search

Search Dialog                 Opens a detailed search specification window. (Contrast to Quick
                              Search.)

Delete Filter                 Opens a window with a list of filters for selection and deletion.

Return Attribute Lists

Paged Results

Next Page of Results          Retrieve next page of results and display page wrapper in the Explore
                              tree (when green; otherwise, gray when inapplicable).

Tools

Stop Action                   Suspends current LDAP request. This is useful when the page size is
                              large and the browser is searching a large database.

CA Privileged Access          CA Privileged Access Manager-specific menu items
Manager Groups

Manage selected groups to     Lists all items that are currently selected (or staged) for import to
register with the appliance   CA Privileged Access Manager.

Register selected groups      Perform the import operation on the items that are selected, which are
with the appliance            listed in Manage selected groups to register with the CA Privileged
                              Access Manager appliance.

Icons appear in the Button Bar menu when that menu is active (or "on"). By default, the Button Bar is
on.

Import LDAP Group Procedure


1. Confirm that you have configured the desired LDAP repository in Config, 3rd Party.

2. On the Devices, Manage Groups page, click the Import LDAP Group link.
This link triggers launch of the LDAP browser, which immediately prompts for an LDAP domain
selection.

3. In the browser pop-up window, select the domain from which you import devices.
The browser connects and displays all records below that domain (restricted by the
pagination option you have previously requested).

4. Open nested folders until a device group that you want to import is visible, and select its
checkbox.

5. Repeat the step above for each group you want to import. You can traverse the tree in any
order or direction.

6. (Optional) Once you have selected all the groups that you want to import, you can review
them by selecting CA Privileged Access Manager Groups, Manage selected groups to register with
the CA Privileged Access Manager appliance.
This opens a new pop-up window in which the Distinguished Names for all selected groups
are visible. You can select and edit any group DN, or remove it from the staging list.

7. Import the selected groups by selecting CA Privileged Access Manager Groups, Register
selected groups with the CA Privileged Access Manager appliance.
A new window presents the staged groups in a list. You can watch their progress and status,
and can display any messages associated with the actions.

8. When ready to import the groups, click Register Groups in the lower-left corner.
CA Privileged Access Manager imports the groups in the order that is presented, and the
browser provides feedback and cancellation options throughout the process.
While a group is imported, there is a progress bar (labeled Registering Group) to the right of
its Group Name. You can cancel registration of the current group (and continue with
subsequent groups), or you can cancel the registration of all groups, even after they have
started. In the latter case, CA Privileged Access Manager "reverses" the import process so that
all groups and their members are removed.
When the imports are finished, each line item in the registration window shows either a green
checkmark for success or a red cross for import failure/cancellation. You can review the status
of the full list and each individual group by selecting its line item. If you made any changes or
any errors occurred during the import, the lower Messages panel provides details after you
select the specific group of interest.

9. In the GUI, confirm that the imported groups now appear on the Devices, Manage Groups
page.

10. You can open the Device Group or Device records to examine more fields.

Notes on the Import LDAP Group Procedure


In each Device Group record:

The Description field is: "LDAP Group" + SourceGroupName + "from" + SourceDistinguishedName

Example: LDAP Group United States IT from DC=mycorp,DC=com

In each Device record of an LDAP-imported group:

An LDAP Device record cannot be deleted.

Each LDAP-imported field cannot be edited.

The Device Name field is displayed as: dNSHostName

Example: itComputer01.mycorp.com

The Description field is: "LDAP device" + DistinguishedName

Example: LDAP device CN=ITComputer01,OU=United States IT,DC=mycorp,DC=com

About Nested Groups


Where one LDAP group is contained within another by being an element in the parent group's
member attribute, then when the parent group is imported, all devices that are contained in either
the parent or the child are imported.
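The record naming from the Notes above and the nested-group behaviour just described can be modelled end to end. The following Python is an added example for this page, not CA Privileged Access Manager code: a constructed in-memory map of DN to attributes stands in for the LDAP server, the Device Group Description, Device Name and Device Description follow the three formats the Notes give, and a member that is itself a group is expanded recursively. The guard against a group that directly or indirectly contains itself is a defensive assumption of this example; the text does not say how the product handles that case.

```python
"""Model of the LDAP group import described above, nested groups included.

Added example, not CA Privileged Access Manager code. A constructed in-memory
map of DN -> attributes stands in for the LDAP server. Record naming follows
the Notes on the Import LDAP Group Procedure; the loop guard in
resolve_members() is this example's own assumption.
"""
from typing import Dict, List, Optional, Set, Tuple

DOMAIN_DN = "DC=mycorp,DC=com"   # the domain selected in the LDAP Browser

# Constructed directory content, keyed by DN.
DIRECTORY: Dict[str, Dict] = {
    "CN=United States IT,OU=Groups,DC=mycorp,DC=com": {
        "objectClass": ["group"],
        "cn": "United States IT",
        "member": [
            "CN=ITComputer01,OU=United States IT,DC=mycorp,DC=com",
            "CN=Boston IT,OU=Groups,DC=mycorp,DC=com",          # nested group
        ],
    },
    "CN=Boston IT,OU=Groups,DC=mycorp,DC=com": {
        "objectClass": ["group"],
        "cn": "Boston IT",
        "member": [
            "CN=ITComputer02,OU=Boston IT,DC=mycorp,DC=com",
            "CN=United States IT,OU=Groups,DC=mycorp,DC=com",   # points back at the parent
        ],
    },
    "CN=ITComputer01,OU=United States IT,DC=mycorp,DC=com": {
        "objectClass": ["computer"], "cn": "ITComputer01",
        "dNSHostName": "itComputer01.mycorp.com",
    },
    "CN=ITComputer02,OU=Boston IT,DC=mycorp,DC=com": {
        "objectClass": ["computer"], "cn": "ITComputer02",
        "dNSHostName": "itComputer02.mycorp.com",
    },
}


def resolve_members(directory: Dict[str, Dict], group_dn: str,
                    seen: Optional[Set[str]] = None) -> List[str]:
    """DNs of every non-group member of group_dn, following nested groups.

    Each group is expanded once, so a membership loop terminates.
    """
    seen = set() if seen is None else seen
    if group_dn in seen:
        return []
    seen.add(group_dn)
    found: List[str] = []
    for dn in directory.get(group_dn, {}).get("member", []):
        entry = directory.get(dn)
        if entry is None:
            continue                        # dangling member reference: nothing to import
        if "group" in entry.get("objectClass", []):
            found.extend(resolve_members(directory, dn, seen))
        else:
            found.append(dn)
    return found


def import_group(directory: Dict[str, Dict], group_dn: str,
                 domain_dn: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Build the Device Group record and the Device records the import would create."""
    group = directory[group_dn]
    group_record = {
        "source_dn": group_dn,
        "description": f'LDAP Group {group["cn"]} from {domain_dn}',
    }
    device_records = [
        {
            "name": directory[dn]["dNSHostName"],   # Device Name field
            "description": f"LDAP device {dn}",     # Description field; LDAP-imported fields are read-only
        }
        for dn in resolve_members(directory, group_dn)
    ]
    return group_record, device_records


if __name__ == "__main__":
    grp, devs = import_group(DIRECTORY, "CN=United States IT,OU=Groups,DC=mycorp,DC=com", DOMAIN_DN)
    print(grp["description"])
    for d in devs:
        print(" ", d["name"], "|", d["description"])
```

Importing the parent group yields both computers, importing the child group also yields both (the child's member attribute points back at the parent), and in each case the loop ends because every group is expanded only once.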

Refresh LDAP Groups


Click this link button to revise the user list for the LDAP user groups previously imported.

Device and Device Group Management


The following functions are available for all devices configured for use with CA Privileged Access
Manager.

Device Record Updates


Editing a Device
To edit the information of a device, select the Device from the Manage Devices page. In the device
information screen, update the device information as needed, and select the Save button.

Copying a Device
The permissions and policies of an existing device can be copied to create a device with the same
access.

To create a new Device ID by copying an existing device, select the Copy button next to the Device ID
intended to be used as a template. A copy of the device information is displayed. Add the required
fields and make any appropriate changes. Select the Save button to create the Device. Associations
and policies can be changed after the device is created.

Deleting a Device
To delete a particular device, select the Device from the Manage Devices page. In the device
information screen, select the Delete button and select the appropriate response on the subsequent
confirmation screen.

Manage Tags
Tags, which are created within a Device create/edit template, are compiled by CA Privileged Access
Manager into a list which spans all Devices.

View Tags
Click the Devices, Manage Devices , Manage Tags link to display the Manage Tags shadow window.
All tags are shown (paginated, if needed) with the number of occurrences in the right column.

Search tags on the Tag Name (alphabetically).

Sort tags on the Tag Name (results list alphabetically) or on #Used (occurrences) (results list from
low to high).

Edit Tags
Each tag can be edited or deleted in the Manage Tags window (not in the Create Device / Edit Device
template). Select the Tag line item to open an editing box.

Manage Groups
The Manage Groups page displays all the groups which have been configured.

Manage Services
In the Services tab, the following management options are available.

Editing a Service
To change a setting on a service:

1. Select the Edit button next to the service.

An Update service screen appears to allow parameters other than the name to be changed.
To change the name of a service:

1. Use Copy to clone the service attributes (while allowing the Service Name to be filled in).

2. Delete the original.

Copying a Service
1. From the list in Services, TCP/UDP Services, open the record of an existing Service.

2. At the bottom of the record, click the Copy button.


A new record is created, populated with a copy of the original Services information except for
the Service Name.
This new record opens immediately below the record of the copied Service. The record of the
copied Service is closed. To confirm this, look at the Service list above the new record editing
pane. It should show the line item of the original Service.

3. Enter (the required) Service Name for the new Service. Edit other fields as desired, and select
the Save button to create the new Service.

Deleting a Service
Select the checkbox next to the service, and click the Delete button at the bottom of the screen. The
Service is immediately removed, and the remaining Service list appears.

Device viewing
As a CA Privileged Access Manager administrator, you can view a list of Device records on the Devices
, Manage Devices page.

Initial Unfiltered View


The first time that you access Manage Devices, you see an empty-list page view. The page is labeled
"Unfiltered" because the list (initially empty) is shown without filters applied.
See Filtered Views (see page 161) for information about filtering.

Unfiltered Views
From the Devices, Manage Devices menu, all current devices (initially) appear in alphabetical order
by Device Name. You can also sort the list by clicking on any of the displayed field names: Name,
Address, OS, Description, or Location; or by applying filters.
Global Settings, Default Page Size determines how many Devices are listed on each Manage Devices
page. If there are more Device records than this value, the Manage Device list is paginated, with
navigation controls at the bottom of the page.

Filtered Views
The gray-field Search function in the upper-right corner of the page body accepts a (non-case-
sensitive) string, matches it to the beginning of the Name field across all Device records, and
replaces what was an Unfiltered list with a new list, now labeled "Filtered."

Fields Available for Filtering


When the Search box is clicked, a set of three pop-up windows appears at the right under the Search
field. Each window contains a list of the unique values (in alphanumerical order) for each of the
following Device record fields:

Device Type

OS (Operating System field)

Location

Tags

If no item is selected, no value is filtered against that field, so all records are shown. Selecting a value
in the field, however, filters the set of Device records against that value. Only those records with the
selected value are (immediately) shown in a revised list. If multiple values are selected, records that
match any of the selected values are included.

Any combination of the checkbox selections or strings from each Device field list can be selected for
any particular search. For string selections in OS, Location and Tags:

To select a sequence of values in one category: Select the first entry, then while holding the Shift
key, select the last entry.

To select any combination of individual values in one category: Select one entry after another
while holding the Ctrl key.

Saved Views
The filtering that you apply can be saved as a View, and used either by default or selected from a
menu.

1. After applying desired list filtering, near the top left (to the right of "Unfiltered"), click Save as
View. The Save View pop-up window appears.

2. Specify a label (View Name) to use.

3. Select Set as Default if you want the Manage Devices page to always open to this view.

4. Click Save New View.

The view is relabeled to the saved view name, and the view can be selected at any time from the My
Views menu to the left of the Search box.

About Access Setup


You can access a target Device from CA Privileged Access Manager in one of these ways:

Access Method – CA Privileged Access Manager invokes a proprietary Java applet to make a
connection using one of several standard protocols (SSH, RDP, others)

Service – CA Privileged Access Manager invokes a local third-party application from your client
(for example, PuTTY on a Windows PC) to handle the connection

RDP Application – CA Privileged Access Manager uses the RDP protocol to invoke a specific
application on a target Windows OS Device

Set up access before setting up individual Devices.


Access Methods (see page 162)
Services (see page 165)
Web Portal (see page 173)
RDP Applications (see page 176)
SSL VPN Services (see page 177)
Out-of-Band Devices (see page 177)

Access Methods
A CA Privileged Access Manager Access Method is a Java connection applet for a particular
communication protocol. You activate Access Methods in Global Settings and then assign them to
Devices.

Prerequisites

RDP
The RDP client applet supports TLS 1.2 connections and supports the
TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite. For best security, ensure your RDP server (target
Windows Device) is configured for TLS 1.2 communication.

Using Global Settings and the Device Template


Access Method applets can be manually enabled using a two-stage process.

Allow the Access Method Through CA Privileged Access Manager


1. Select Global Settings.

2. Scroll page to the Access Methods section.

3. Select the methods to be made generally available for device configuration.

This setting configures the "outer boundaries" of available methods. If any particular method is not
selected (its box is not selected), it is not available on any device.
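The "outer boundary" set by Global Settings here, together with the rule from Device Group Setup that the most restrictive setting wins when a Device is reached through a Device Group, amounts to an intersection across levels. The following Python is an added illustration for this page, not product code; the sample settings are constructed. Besides computing the effective set, explain_denials() names the level that dropped each method, which is the question an administrator actually has when a User reports that an expected access button is missing.

```python
"""Effective access for a Device reached directly or through a Device Group.

Added illustration, not CA Privileged Access Manager code. It models two
rules stated in the text: Global Settings set the outer boundary of Access
Methods (anything not selected there is unavailable on every Device), and
within a Device Group the most restrictive setting wins (a method missing at
any level is denied). The sample settings below are constructed.
"""
from typing import Dict, Iterable, Optional, Set

# Constructed sample configuration.
GLOBAL_SETTINGS: Set[str] = {"SSH", "RDP", "VNC"}     # Global Settings, Access Methods section
DEVICE_WEB01: Set[str] = {"SSH", "RDP", "Telnet"}     # methods added on the web01 Device record
GROUP_WEB_TIER: Set[str] = {"SSH", "VNC"}             # methods selected on the Device Group


def effective_access(global_enabled: Iterable[str],
                     device_enabled: Iterable[str],
                     group_enabled: Optional[Iterable[str]] = None) -> Set[str]:
    """Methods a User can actually be offered for the Device.

    Direct Device access: Global Settings AND the Device record.
    Access through a Device Group: additionally AND the group selection,
    so a deny at any level takes precedence.
    """
    allowed = set(global_enabled) & set(device_enabled)
    if group_enabled is not None:
        allowed &= set(group_enabled)
    return allowed


def explain_denials(requested: Iterable[str],
                    global_enabled: Iterable[str],
                    device_enabled: Iterable[str],
                    group_enabled: Optional[Iterable[str]] = None) -> Dict[str, str]:
    """For each requested method that is not effective, name the first level that dropped it.

    Levels are checked in the order an administrator would fix them:
    Global Settings first (outer boundary), then the Device record, then the group.
    """
    global_set, device_set = set(global_enabled), set(device_enabled)
    group_set = set(group_enabled) if group_enabled is not None else None
    reasons: Dict[str, str] = {}
    for method in requested:
        if method not in global_set:
            reasons[method] = "not selected in Global Settings"
        elif method not in device_set:
            reasons[method] = "not added on the Device record"
        elif group_set is not None and method not in group_set:
            reasons[method] = "not selected on the Device Group"
    return reasons


if __name__ == "__main__":
    print("direct:", sorted(effective_access(GLOBAL_SETTINGS, DEVICE_WEB01)))
    print("via group:", sorted(effective_access(GLOBAL_SETTINGS, DEVICE_WEB01, GROUP_WEB_TIER)))
    for method, why in explain_denials(["SSH", "RDP", "VNC", "Telnet"],
                                       GLOBAL_SETTINGS, DEVICE_WEB01, GROUP_WEB_TIER).items():
        print(f"{method}: {why}")
```

With the constructed settings, web01 accessed directly offers SSH and RDP; accessed through the web-tier group it offers only SSH, because the group does not select RDP, the Device record never added VNC, and Telnet was never enabled in Global Settings.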

Configure Access Method on a Specific Device


Assuming you have already configured the specific Device in CA Privileged Access Manager:

1. Select Devices, Manage Devices.

2. Locate desired device, and click on its line item to open its record.

3. In the Access Methods pane: From the Available Methods links, click a desired applet, add an
optional Custom Name, and click Save. Repeat as necessary to allow more methods to be
used.
As each method is added, it appears in a vertical list below the Add links. Any previously
configured method can be removed by clicking its Remove link.

4. When you are finished adding methods (and making any other changes to the Device record),
click the Save button at the top or bottom of the record. CA Privileged Access Manager saves
these settings and collapses the record back to a line item.
When you open the record again, you see a line; click Edit to return to an editing view.

Optional Features
SSH SCP and SFTP File Transfer
You can configure CA Privileged Access Manager to allow Users to SCP or SFTP files while connected
through the SSH Access Method. The SSH Access Method uses the CA Privileged Access Manager
client MindTerm applet, and can record these transactions.
Administrator Setup

To provide every user that has a provisioned SSH Access Method applet the ability to SCP or SFTP file
transfer:

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Global Settings.

3. In the Applet Customization panel, click Configure Terminal Settings to open its interface.

4. In the SSH Terminal File Transfer drop-down list, select Enable SCP/SFTP.

5. At the bottom of the page, click Save Global Settings.

6. Set up Policy for User that permits use of the SSH Access Method to applicable target Devices.

User Experience

When SSH Terminal File Transfer has been enabled as noted in Administrator Setup, the user has
access to the SCP and SFTP file transfer features as described in the following procedure:

1. Log in to CA Privileged Access Manager as a User permitted to execute the SSH Access
Method.

2. Navigate (if necessary) to the Access page.

3. Click an SSH Access Method to open a MindTerm applet to its configured target Device.

4. In the MindTerm Java applet window (labeled with your Device Name), select Plugins, SCP
File Transfer to open a file transfer window. See right-hand side of Figure 5.

5. Use the MindTerm – SCP (Internal_IP_address) applet file transfer window to perform any of
these functions:

Use arrow buttons between directory content lists to move files between the Local System
(your client computer) to the Remote System (target Device).

For each of the two system directories:

Double-click: [..] to jump to the parent directory, or [directory_name] to enter it

ChDir – for a pop-up window allowing you to specify a directory to jump to

MkDir – for a pop-up window allowing you to make a new directory

Rename – for a pop-up window allowing you to change the name of the selected directory

Delete – to delete the currently selected file or directory

Refresh – to reload the current directory


Logging

This table describes the log entries that file transfer transactions generate.
Log Entries for File Transfer Transactions

GUI Button   Transaction      Log Entry Syntax
-->          put              Upload localpath/filename* (size) to remotepath/filename as user remoteuser
<--          get              Download localpath/filename* (size) from remotepath/filename as user remoteuser
ChDir        (no log entry)
Delete       alert            [ Remote | Local ] [ file | folder ] path/name has been deleted by user remoteuser
MkDir        alert            [ Remote | Local ] folder path/name has been created by user remoteuser
Refresh      (no log entry)
Rename       alert            [ Remote | Local ] [ file | folder ] path/oldname has been renamed to path/newname by user remoteuser

* A directory (with or without files) can also be copied, but that action itself is not logged.
Files within copied directories are each copied and logged.
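The following is an added example, not part of the CA Privileged Access Manager documentation or product: it parses entries written in the syntax of the table above into structured events and totals, per remote user, the bytes uploaded, the bytes downloaded, and the number of destructive (delete/rename) actions on the Remote side, which is what a session reviewer usually wants first. The sample log lines are constructed to match the table and are not real product output; the assumption that "(size)" is an integer byte count, and the function and field names, are this example's own.

```python
"""Parse SCP/SFTP file-transfer log entries into structured events.

Added example, not CA Privileged Access Manager code. The regular
expressions follow the "Log Entry Syntax" column of the table above.
Assumptions: paths contain no spaces and (size) is an integer byte count.
"""
import re

_PATTERNS = [
    ("put", re.compile(
        r"^Upload (?P<local>\S+) \((?P<size>\d+)\) to (?P<remote>\S+) as user (?P<user>\S+)$")),
    ("get", re.compile(
        r"^Download (?P<local>\S+) \((?P<size>\d+)\) from (?P<remote>\S+) as user (?P<user>\S+)$")),
    ("delete", re.compile(
        r"^alert (?P<side>Remote|Local) (?P<kind>file|folder) (?P<path>\S+) "
        r"has been deleted by user (?P<user>\S+)$")),
    ("mkdir", re.compile(
        r"^alert (?P<side>Remote|Local) folder (?P<path>\S+) "
        r"has been created by user (?P<user>\S+)$")),
    ("rename", re.compile(
        r"^alert (?P<side>Remote|Local) (?P<kind>file|folder) (?P<old>\S+) "
        r"has been renamed to (?P<new>\S+) by user (?P<user>\S+)$")),
]


def parse_entry(line: str):
    """Return {"action": ..., plus the named fields} for a file-transfer
    entry, or None for any other line (ChDir and Refresh write nothing)."""
    for action, pat in _PATTERNS:
        m = pat.match(line.strip())
        if m:
            event = {"action": action, **m.groupdict()}
            if "size" in event:
                event["size"] = int(event["size"])
            return event
    return None


def summarize(lines):
    """Per-user totals: bytes uploaded to the target, bytes downloaded from
    it, and the count of delete/rename actions on the Remote side."""
    totals = {}
    for line in lines:
        ev = parse_entry(line)
        if ev is None:
            continue
        t = totals.setdefault(ev["user"], {"up": 0, "down": 0, "remote_changes": 0})
        if ev["action"] == "put":
            t["up"] += ev["size"]
        elif ev["action"] == "get":
            t["down"] += ev["size"]
        elif ev["action"] in ("delete", "rename") and ev["side"] == "Remote":
            t["remote_changes"] += 1
    return totals


# Constructed sample entries in the documented syntax (not real output).
SAMPLE_LOG = [
    "Upload /home/alice/patch.tar (40960) to /opt/app/patch.tar as user root",
    "Download /home/alice/dump.sql (1048576) from /var/backups/dump.sql as user root",
    "alert Remote file /var/log/auth.log has been deleted by user root",
    "alert Remote folder /opt/app/old has been renamed to /opt/app/new by user root",
    "alert Local folder /home/alice/tmp has been created by user root",
    "some unrelated console line",
]

if __name__ == "__main__":
    for user, t in summarize(SAMPLE_LOG).items():
        print(user, t)
```

Because directory copies are not logged as such, the totals only reflect the individual file entries; a review that needs the directory-level picture has to reconstruct it from the file paths.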

Services
A CA Privileged Access Manager Service invokes a connection mechanism that is external to the CA
Privileged Access Manager server, such as a website portal or an application that resides on a user
workstation.

Using a Service Template


To create or edit Services from a GUI template:

1. From the Menu bar, select Services, TCP/UDP Services.

2. Open the right template:

New Service: In the upper right of the window, to the left of the Search field, click Create
TCP/UDP Service. Many services require access to specific ports only; define just those ports rather than a broad range.

Existing Service: To edit an existing Service, click a Service line item.

3. Edit the template fields. For information about the fields, refer to the following Create TCP
/UDP Service Expansion Panel Fields table.

If the Application Protocol is a Web Portal, refer also to Web Portal (see page 173).


Create TCP/UDP Service Expansion Panel Fields

Field                  Description

Basic Info

Service Name           Specify a unique name for the customized service.

Local IP               Specify the value of the Local IPv4 address defined for this service.
                       Note: The Local IP values for other services are visible in the right-hand list column. See lower
                       right-hand corner of Figure 106.

Port(s)                Define all ports that the client application opens to gain access to the device, using this syntax:
                       Port combination/redirection: RemotePort:LocalPort (separated by a colon), where RemotePort is the
                       port on the destination device and LocalPort is the port on which the listener waits for
                       connections on the local user desktop.
                       Multiple ports: Each port (or port pair) is separated by a space, a comma, or a comma and space.
                         Example: 67 3450 23
                         Example: 5740, 3221, 31225
                       Port range: FirstPort-LastPort (minimum and maximum value separated by a dash). Only a single
                       range is allowed, and a range may cover at most 500 ports.
                         Example: 14575-15004

Protocol               Select TCP, UDP, or TCP and UDP. Defines the transport protocol that the service uses.

Comments               Provide additional information.

Administration

Enable                 Select the check box to enable the service and allow it to be displayed. If it is disabled, it shows
                       up lightly shaded in the Devices screens. Disabled services do not work for any user, including
                       super.

Show in Column         On the Access page, display the Service as a button instead of in a drop-down list.

Application Protocol   Specify a protocol from this list if it is applicable:
                         ICA = Citrix
                         RDP
                         VNC
                         Console
                         Web Portal
                       Otherwise, use the selection: Disabled

Client Application     Preload the path to the local application for auto-launch once the service is initiated. The user
                       can also set or override this path at launch time.

Web Portal

                       Prerequisite: First select Web Portal from Application Protocol to enable the fields in this pane.

Launch URL             Specifies a local URL that is launched when the portal service is accessed. Enter the following
                       string:
                       [http | https]://<Local IP>:<First Port>/[path_to_target_page]
                       First, specify the protocol, HTTP or HTTPS.
                       The <Local IP> and <First Port> tags are automatically populated from the Basic Info fields
                       Local IP (constructing the full address from 127 plus the three editable octets) and Port(s)
                       (using the first port specified), respectively.
                       Finally, specify a [path...] to restrict access to a specific landing page.
                       The user is automatically connected to the web service.

Host Header            Specify the FQDN of the target website in this field.
                       Per HTTP 1.1, if the web portal resides on a single IP address that hosts several websites
                       (such as Apache NameVirtualHost or IIS Host Header access), this setting identifies the
                       correct website target.
                       Example: www.example.com

Aliases                Specify any strings, separated by commas, that can be used as a substitute portal target.
                       If the target web portal is referred to by several different names, enter those names here.
                       Example: If Host Header contains www.example.com, while some links on the portal page
                       point to example.com, enter example.com here so that requests to that site are handled
                       successfully.

Hide From User         If this portal is not intended to be user-facing, select this checkbox so that no access link
                       is displayed for the user on the Access page.
                       Use Case: When multiple internal servers are to be identified as portals so they can be
                       accessed to meet a user portal request, not all servers might need to be exposed to the end
                       user. For example, multiple local servers might provide content to serve a particular HTTP
                       request (HTML page, graphic files, CGI processing), but only the original web page needs to be
                       public. Without this "off" switch, server portals that are inappropriate for an end user are
                       nevertheless displayed on the Access page.

You can also import Services in batch mode using a CSV file. See Import or Export Services (see page
172) for instructions.


Web Portal Setup


The Service template Application Protocol="Web Portal" option allows the CA Privileged Access
Manager user to access an HTTP/HTTPS website by automatically launching a new browser
window and navigating to a pre-set local IP and launch path.

Note

Note: Establish a portal for every web server that the user accesses. However, some
servers provide content to the web pages that call them (through embedded links) but do
not face users. See the following description for the option Hide From User.

Refer to the field descriptions in the preceding table.

1. In the Basic Info pane (continuing from Set up Service using the GUI, step 3):

In Service Name, enter a name for the portal.

In Local IP, enter a (currently valid) local loopback address.

Important

If you are setting up a Web Portal to access Microsoft SharePoint® and Mac clients
access it, you must set Local IP to: 127.0.0.1 (and must provide a valid Host Header
– see the following).

In Port(s), enter 80 (for HTTP) or 443 (for HTTPS), optionally followed by a specific local port
mapping, :LocalPort. For example, you can add ":8080" to map "Remote:Local" as: 80:8080

2. In the Administration pane:

Select the Enable checkbox.

For Application Protocol, select the Web Portal option from the drop-down list.

3. In the Web Portal pane:

When you chose Application Protocol: Web Portal above, the Launch URL field became
available and must now be used.

The other fields in that pane – Host Header, Aliases, and Hide from User – are each
optional. See Table 48 for information.


Fill the Launch URL field:

The URL specified here is launched when the web portal enabled service is accessed. Use
the syntax shown in the example line below the text box (indicated by "Ex."), substituting
the tags as identified here.

https://<Local IP>:<First Port>/page.html

For https://, provide the web scheme, either http:// or https://

For <Local IP>:<First Port>/, add this literal sequence, where:
  The tag "<Local IP>" is substituted with the IP address designated in Local IP.
  The tag "<First Port>" is substituted with the value of the first local port defined for
  this service in Port(s).

For page.html, add the actual path component of the URL. More specifically, in place of
"page.html", string together components to create any legal subdirectory path, including:
  [directory/[subdirectory/[…]]] - optional directory path
  [terminalComponent.ext] - optional terminal page/program

Examples (of a complete literal string entered) for Launch URL specification:

http://<Local IP>:<First Port>/index.html
https://<Local IP>:<First Port>/
http://<Local IP>:<First Port>/home/
https://<Local IP>:<First Port>/dashboard.jspa
http://<Local IP>:<First Port>/content/cgi/entrypoint.pl

4. Specify the applicable FQDN hostname in Host Header so that the portal is able to distinguish
between multiple hosted websites, for example "www.example.com". If the IP address of the
server hosts only one (FQDN) site, this field is not required; however, it is good practice to
specify it explicitly.
Host Header is required for Microsoft SharePoint sites.
Host Header is not applicable to HTTPS (SSL) sites.

5. If any alias hostnames are used to reach the portal: Enter these in Aliases (separated by
commas). These aliases are mapped by CA Privileged Access Manager to the true host (see
Host Header).

6. If the portal is to be used in the background: Hide From User specifies that a server is available
for CA Privileged Access Manager-internal access, but is not to be accessible to an end user.
An example use is for a server that delivers graphic files that are requested from a browser
after a baseline website delivers an HTML page.

7. Click Save.

8. Create a Device that corresponds to the web server you are aiming to reach. In Devices,
Manage Devices, create a Device with the web server IP address (do not use FQDN) in the
Address field.

Native SSH Client Setup


Native SSH Client support extends the access controls featured with Access Methods to any native
SSH client, including session recording, socket filtering, command filtering, and auto-connection
using the configured target account.


Important

When a native SSH client service is marked in a policy for session recording, the
Bidirectional checkbox must be selected for the recording to work.

Refer to the preceding field description table.

1. In the Basic Info pane (continuing from Set up Service using the GUI, step 3):

In Service Name, enter a name for the service.

In Local IP, enter a (currently valid) local loopback address.

In Port(s), enter both 22 (for SSH) and a specific local port mapping, :LocalPort.
For example, you can add ":12345" to map "Remote:Local" as: 22:12345

2. In the Administration pane:

Select the Enable checkbox.

For Application Protocol, select the SSH option from the drop-down list.

For Client Application, fill in the path if you want to invoke the client automatically.

The path that is specified here is launched when the enabled SSH service is accessed. Use the
syntax shown in the example line below the text box, substituting the tags as identified here.

Windows

C:\path\clientApp.exe [options] username@<Local IP> firstPort

where:
The tag "<Local IP>" is entered literally and is substituted at launch with the IP address designated in Local IP.
firstPort is the local port you mapped in Port(s) (the LocalPort side of RemotePort:LocalPort).
Example for Client Application specification:
C:\Downloads\PuTTY\putty.exe -ssh user123@<Local IP> 12345

3. Click Save.

4. Create a Device that corresponds to the SSH target you are aiming to reach. In Devices,
Manage Devices, create a Device with the target IP address (do not use FQDN) in the Address
field.

Note

When launching your SSH client manually, you must specify a username component, and you must
connect to the Local IP and the local port configured for the Service. For example, with the
22:12345 mapping above:
$ ssh -l username -p 12345 127.0.0.1
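The Web Portal Launch URL and the native SSH Client Application path above use the same <Local IP> and <First Port> substitution. The following added example (not CA Privileged Access Manager code) shows how those tags resolve from the Basic Info fields: <First Port> is the local side of the first RemotePort:LocalPort entry (or the first port of a range), and Local IP must be a 127.x.y.z loopback address. The function names and the strictness checks are this example's own assumptions; the template strings are the ones shown on these pages.

```python
"""Render <Local IP> / <First Port> templates for Launch URL and
Client Application fields.

Added example, not product code. Placeholder names follow the field
descriptions above; the loopback-only and scheme checks are this
example's assumptions about what the Service template accepts.
"""
import ipaddress
import re

# The documentation writes the tags both with and without a space.
_TOKEN = re.compile(r"<\s*(Local\s*IP|First\s*Port)\s*>", re.IGNORECASE)


def first_local_port(ports: str) -> int:
    """Return the first local port implied by a Port(s) field value.

    "80"          -> 80     (no redirection: local port equals remote port)
    "22:12345"    -> 12345  (RemotePort:LocalPort, local side)
    "14575-15004" -> 14575  (range: first port of the range)
    "67 3450 23"  -> 67     (first of several)
    """
    first = re.split(r"[,\s]+", ports.strip())[0]
    if ":" in first:
        first = first.split(":", 1)[1]
    if "-" in first:
        first = first.split("-", 1)[0]
    port = int(first)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def resolve_template(template: str, local_ip: str, ports: str) -> str:
    """Substitute <Local IP> and <First Port> in a Launch URL or Client
    Application string. Refuses a Local IP outside 127.0.0.0/8 and a
    Launch URL whose scheme is not http:// or https://."""
    ip = ipaddress.IPv4Address(local_ip)
    if not ip.is_loopback:
        raise ValueError(f"Local IP must be a 127.0.0.0/8 address, got {local_ip}")
    port = first_local_port(ports)

    def _sub(m):
        token = re.sub(r"\s+", "", m.group(1)).lower()
        return str(ip) if token == "localip" else str(port)

    rendered = _TOKEN.sub(_sub, template)
    if "://" in rendered and not rendered.startswith(("http://", "https://")):
        raise ValueError("Launch URL scheme must be http:// or https://")
    return rendered


if __name__ == "__main__":
    print(resolve_template("https://<Local IP>:<First Port>/login", "127.0.0.1", "443"))
    print(resolve_template(r"C:\Downloads\PuTTY\putty.exe -ssh user123@<Local IP> <First Port>",
                           "127.0.0.2", "22:12345"))
```

Using a distinct loopback address per Service (127.0.0.2, 127.0.0.3, ...) keeps each local listener separate even when two Services map the same local port.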

Optional Features

X11 Forwarding and Command Execution


X Window System (X11) forwarding and command execution can be accomplished not only
through an Access Method (applet), but also through a CA Privileged Access Manager Service
using a native SSH application.

Note

Session recording is not activated when either of these features is invoked: a session that
uses X11 forwarding or remote command execution is not recorded.

Administrator Setup
You can set up your native SSH Service to allow either:

Automatic invocation of the SSH application with options (switches) through the CA Privileged
Access Manager Service command line specification (in the Client Application field)

Manual invocation of the SSH application by the User, who applies commands at execution (after
the secure tunnel has been established by CA Privileged Access Manager by clicking the Service
link on the Access page)
Prerequisites

To use X11 forwarding, the target Device must have X11 applications that are installed and its SSH
server configured (where necessary) to provide X11 forwarding, while the User workstation must run
an X11 server to display the output.
Note: When used on UNIX, Linux, and other UNIX-like systems, the SSH Access Method requires the
socat relay utility.
Automatic Invocation

In Figure 12, a CA Privileged Access Manager Service has been configured to use SSH by automatically
invoking a Client Application, PuTTY (on a Windows client), and applying its –ssh option.

To effect X11 forwarding, the –X option is also applied (Figure 12). When the User clicks this
Service from the Access page, PuTTY is automatically invoked and connects using those options.

To effect command execution, a (target OS) command is placed after the "<Local IP> <First Port>"
string.
Manual Invocation


Alternatively, if a CA Privileged Access Manager Service has been configured to use SSH but without
specifying the Client Application, the User can manually invoke (any installed) application (such as
PuTTY), and successfully use the X11 forwarding or command execution options available to that
application.

User Experience
Automatic Invocation

When a User (on a properly configured client) invokes an Access page Service link, the SSH client
(here, PuTTY) is automatically executed with the specified (for example, -X) switches or commands.

After logging in or auto-connecting to the target, the User can immediately run X11 applications
on the target and their output will be forwarded to the workstation.

If a command is specified, the session immediately closes when the command is finished
executing.
Manual Invocation

If the CA Privileged Access Manager Service Client Application setting is empty, the User must start a
local SSH client application manually to execute the SSH connection, and use that application X11
forwarding or command execution features. For example, after invoking PuTTY on a Windows
workstation, you would use PuTTY Connection, SSH, X11, Enable X11 forwarding or Connection, SSH,
Remote options, respectively. If a command is specified (using the latter option), the session
immediately closes when the command is finished executing.

Log Entries
After X11 forwarding is performed, or whenever a command is executed under this feature, a
corresponding CA Privileged Access Manager session log entry is written.

Import or Export Services


As a CA Privileged Access Manager administrator, you can import or export Services using a CSV file.

To create or edit services by importing a CSV file:

1. From the Menu bar, select Services, Import/Export Services.


The Services, Import/Export Services window appears.
At the right side of the pane, a button lets you obtain a sample services CSV file.

2. Click Download Sample File to save the template file to a convenient editing location.

3. Copy the sample to a new file, and open it in a spreadsheet program or a plain-text editor.

Caution

Microsoft Excel incorrectly interprets colon-embedded fields that are intended as a
RemotePort:LocalPort representation. In the sample file, cell E7 contains "4.815972…",
which is Excel's conversion of the original plain-text CSV content "23:5555": Excel reads
it as a time of 23 hours and 5555 minutes and stores the resulting fraction of a day
((23 + 5555/60) / 24). Even if adjustments are made to the Excel and file save-as
settings, this behavior persists when reading or writing the file.

Workarounds

a. Always use plain-text editor (for example, Notepad) to prevent conversions from
occurring.

b. Use Excel first for most editing. As a final editing stage, open the file in a plain-text
editor, and delete any conversions. Repopulate those cells with colon-embedded
values such as RemotePort:LocalPort.

4. Edit or add line items for each service desired. For descriptions of each field, see CSV File Types
(https://docops.ca.com/display/CAPAM28/CSV+File+Types).

Note

Do not alter the first (header) line.
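Before importing, it is worth checking the Port(s) column against the syntax the Create TCP/UDP Service table defines (single ports, RemotePort:LocalPort pairs separated by space or comma, or one FirstPort-LastPort range of at most 500 ports) and catching the Excel conversion described in the Caution above. The following added example (not part of the product or its sample file) does both; the column name "Ports" and the sample rows are this example's own assumptions, since the real CSV layout is described on the CSV File Types page.

```python
"""Validate the Port(s) column of a Services CSV before import.

Added example, not CA Privileged Access Manager code. The accepted syntax
is the one documented for the Port(s) field. A value such as 4.815972 is
what Excel writes for "23:5555" (23 hours plus 5555 minutes, as a fraction
of a day), so any decimal number is reported as an Excel conversion.
Assumed: the column is headed "Ports"; the sample rows are constructed.
"""
import csv
import io
import re

MAX_RANGE = 500
_PORT = r"(\d{1,5})"
_ITEM = re.compile(rf"^{_PORT}(?::{_PORT})?$")
_RANGE = re.compile(rf"^{_PORT}-{_PORT}$")


def _check_port(p: str) -> int:
    n = int(p)
    if not 1 <= n <= 65535:
        raise ValueError(f"port {n} outside 1-65535")
    return n


def parse_ports(spec: str) -> list:
    """Return a list of (remote, local) tuples for a Port(s) value, or
    raise ValueError with a message that says what was wrong."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty Port(s) value")
    if re.fullmatch(r"\d+\.\d+", spec):
        raise ValueError(f"'{spec}' looks like an Excel time conversion of RemotePort:LocalPort")
    m = _RANGE.match(spec)
    if m:
        lo, hi = _check_port(m.group(1)), _check_port(m.group(2))
        if lo > hi:
            raise ValueError(f"range {spec} has first port above last port")
        if hi - lo + 1 > MAX_RANGE:
            raise ValueError(f"range {spec} exceeds {MAX_RANGE} ports")
        return [(p, p) for p in range(lo, hi + 1)]
    if "-" in spec:
        raise ValueError("only a single range, with no other ports, is allowed")
    pairs = []
    for item in re.split(r"[,\s]+", spec):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"bad port item '{item}'")
        remote = _check_port(m.group(1))
        local = _check_port(m.group(2)) if m.group(2) else remote
        pairs.append((remote, local))
    return pairs


def validate_services_csv(text: str, ports_column: str = "Ports") -> list:
    """Return [(row_number, message)] for every row whose Port(s) value is
    not importable. Row numbers count the header as row 1, as Excel does."""
    problems = []
    for rownum, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            parse_ports(row.get(ports_column, ""))
        except ValueError as e:
            problems.append((rownum, str(e)))
    return problems


# Constructed sample file: row 4 is "23:5555" after a round trip through Excel,
# row 5 is a range wider than the 500-port limit.
SAMPLE_CSV = """Name,Ports
ssh-jump,22:12345
web-portal,80:8080
telnet-legacy,4.815972
big-range,1000-2000
"""

if __name__ == "__main__":
    for rownum, msg in validate_services_csv(SAMPLE_CSV):
        print(f"row {rownum}: {msg}")
```

Run it over the file you are about to import; a clean result means every Port(s) value still carries the colon-separated mapping you typed, which the import cannot recover once Excel has rewritten it.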

Web Portal
Auto-connection is the automatic, silent, and invisible, supply of, and consumption by a target
Device, of credentials managed by CA Privileged Access Manager. This process was referred to as
"SSO" ("Single Sign-On") in previous product documentation.

Several methods for automated website login (auto-connection) are now provided by CA Privileged
Access Manager to access websites with many types of login methods.

Auto-connect Methods Supported


Previously, CA Privileged Access Manager provided a preconfigured auto-login mechanism through
the Browser for the web portals (when licensed) to AWS Management Console and Microsoft Office
365. However, it was not possible to apply CA Privileged Access Manager-managed credentials to
your own target web portal for auto-login access in the manner of an Access Method applet.
Websites differ in their login mechanisms and no general facility was provided for this.

With CA Privileged Access Manager 2.4, an enhanced Xceedium Browser allows you to apply one of
several specific methods of automatically logging in to a target web portal of your choice, through the
new Auto-Login Method facility. The methods now provided include:

CA Privileged Access Manager HTML WebSSO – Use this option when the login method that is
employed by the web portal is HTML-based. (This is the most common method.) It employs
JavaScript injection to provide credentials to a web page's HTML as it is being loaded into the
Xceedium Browser, and then execute the login. When using this method, the CA Privileged Access
Manager administrator first "teaches" CA Privileged Access Manager which login page widgets are
used to capture the username and the password, and which is used as the login trigger. (This
simple process is described in step 8 of an example illustrated in the next section.) Examples of
web portals that use this method include Dropbox and Google.

CA Privileged Access Manager HTTP WebSSO – Use this option when the login method that is
employed by the web portal is HTTP protocol authentication. In this case, CA Privileged Access
Manager encodes login credentials and inserts them into a header, which is appended onto each
HTTP or HTTPS request. Examples of web portals that use this method include Microsoft
SharePoint installations.

There are also built-in CA Privileged Access Manager Auto-Login Methods that are designed to
allow interaction with the login functionality of specific brand web portals. These methods are
also referred to as "plug-ins." The following methods are provided to access the following web
portal types:

VMware vCloud Director

VMware vShield Manager

VMware vSphere Web Client

Administrator Setup
1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Services, TCP/UDP Services.

3. Near the upper-right corner, click Create TCP/UDP Service to open a Service template.

4. Populate the Service template fields as follows:

a. In the Administration panel, click the Application Protocol drop-down menu, and
select the "Web Portal" option.

b. In the Web Portal panel, click the Browser Type drop-down menu, and select the
"Xceedium Browser" option.
In the Administration panel, the Auto-Login Method drop-down menu appears at
right.

c. Click the Auto-Login Method drop-down menu, and select the appropriate option for
your target website. In the example, we use "CA Privileged Access Manager HTML
WebSSO" option.

d. In the Web Portal panel, in the Launch URL field, enter the CA Privileged Access
Manager template that corresponds to the login address.
In the example, we are setting up access to the Dropbox site. The Dropbox login
address is (currently): https://www.dropbox.com/login
After you substitute the target Device (www.dropbox.com) with the target template
(<Local IP>:<First Port>), you have the CA Privileged Access Manager template for this
login address:https://<Local IP>:<First Port>/login

e. Populate the other fields as needed. The Service Name and Port fields are required.


f. Save the Service.

5. Set up a Device that corresponds to the Web Portal target (here, www.dropbox.com), and
select the Dropbox-service Service for that Device.

6. Set up a Target Application of type "Generic" for this Device (for example, named: Dropbox-
login), and set up a Target Account for this Target Application with the access credentials.
Here, your Dropbox Account Email and Password. Example, user@example.com and
p@$$w0rd that you want to use.

7. Set up a Policy that associates a User (for example, named: XsuiteUser) to this Device, and
when doing so, select the Service (here, Dropbox-service) you created and associate to that
Service the Target Application – Target Account combination (for example, Dropbox-service:
Dropbox-login – user@example.com) needed.

8. If your target website uses the "CA Privileged Access Manager HTML WebSSO" method (such
as the Dropbox example illustrated), you now perform a "learn" procedure to activate the
portal for end users:

a. Open the Access page, and recognize that a drop-down Web Portal is now available
with two Service listing options for this Device (here, Dropbox-service (Learn) and
Dropbox-service).

i. The first of these, the learn option, shows a red X to its left. This option is used
by the CA Privileged Access Manager administrator to contact the login address
and set up CA Privileged Access Manager to recognize the target widgets, as
described in the next step. After successful setup, this red "X" changes to a
green checkmark, indicating that access to the Web Portal has been activated
and is ready to use.

ii. The second Web Portal option is the login option for actual login entry. As
noted above, the administrator must successfully apply the learning mode first
for this Service to function.

b. Select the "(Learn)" link option.


When you do so, a Web Portal window opens and its target website loads. Unlike an
ordinary activated Web Portal Service, however, you are not able to log in with it. The
browser window name is prefaced with "Learn mode for Web SSO."
An HTML auto-connection portal requires that HTML field and button widgets be
identified that:

i. Capture a login username.

ii. Capture the password associated with that username.

iii. Activate the browser to submit the username and password for login
processing.

(The identification process that you must perform is described in the next step.)
For the CA Privileged Access Manager Service to use these widgets for an auto-
connection, it has to be "taught" where they are:

c. To teach the Service:


i. Move your mouse into the username (or other login name identifier) field
(here, Email), right-click to open the learning menu, and select Mark
Accountname Field.
After you do this, the field is populated with the placeholder field
"accountname", the outline of the field is now green, and there is now a green
checkmark at the right-hand side of the field.

ii. Move your mouse to the password field, right-click, and select Mark Password
Field.
The field is populated with an obfuscated password "••••••••",the outline of
the field is now green, and there is now a green checkmark at the right-hand
side of the field.

iii. Move your mouse so that it is over the login (or other submit identifier) button,
right-click, and select Mark Submit Button. (There is no change in marking.)

iv. For any other required widgets for your particular portal, simply perform the
required action for each widget. (There is no right-click menu item to select,
and there is no feedback, but all action is recorded.)
For example, if you want to teach this CA Privileged Access Manager to learn
the interface to another, target CA Privileged Access Manager portal that
requires LDAP authentication, do this: In addition to teaching it the above three
widgets, select "LDAP" for Authentication Type, and select the appropriate
configured Domain from its pop-up below. All these actions are preserved for
auto-connection use when you save them, as described in the next step.

d. In the upper-right corner of the browser window is the "Save auto-login template"
(floppy disk image) button. Click that button to save your settings, close the learn-
mode browser, and activate use of this Web Portal.
Following activation, you see a pop-up window telling you that the configuration is
now saved, and upon your confirmation, the browser will close. You can repeat the
learning process at any time and can save new results.

e. On the Access page menu, you see that the learning option now has the green
checkmark mentioned earlier. This means that the login option is available for use.
On the end user Access page, there is the single access link, without the learn-mode
option. See user access described in the following User Experience section.

User Experience
Upon logging in (or, if applicable, navigating to the Access page) an end user is presented with an
access link.
If learn mode is applicable to the Web Portal, only CA Privileged Access Manager users who have
Device management privileges (such as "super") see the learn option that is described in the
Administrator Setup.
Upon opening the portal link, the User sees a splash page while CA Privileged Access Manager
negotiates with the portal to provide the username and password. It then executes the login submit
button. Following the splash page, the User is logged in.

RDP Applications
To activate an RDP Application in CA Privileged Access Manager, set it up in an RDP Application
template. Assign that template to a Device.


Using the RDP Applications Template


To create a new published application:

1. Select Services, RDP Applications to show the RDP Applications List.

2. Click Create RDP Application to open the template, and complete the following information:

RDP App Name - Specifies a unique name for the RDP application service

Launch path - Provides the full path to the RDP application that runs when the user connects. For
example: C:\Windows\System32\notepad.exe

For use with AWS (Amazon Web Services) only:

<AWSURL> - When this string (including brackets) is used, it specifies the AWS Management
Console home page. This token is used as the target address of a browser on a recording-
designated Windows “jumpbox.”

Comments - Allows additional information to be added.

SSL VPN Services


To use SSL VPN Services as a CA Privileged Access Manager Access Method, use the SSL VPN
Template. First, SSL VPN must be set up on the Config, SSL VPN (https://docops.ca.com/display/CAPAM28
/SSL+VPN) page.

To set up an SSL VPN Service, follow these steps:

1. Select Services, SSL VPN Services to show the Applications List.

2. Enter Service name, a unique name for the service.

3. Enter TCP Ports and UDP Ports. The SSL VPN service is created for specific ports separated by
commas, or for All ports.

4. Click Save.

Out-of-Band Devices
The OOB Devices button is used for non-login management of out-of-band devices and power
control. Out-of-Band, or "Lights Out," Management allows a system administrator to monitor and
manage devices by remote control regardless of whether the device is powered on. CA Privileged
Access Manager supports Serial Consoles, Terminal Servers, KVM over IP, and Power Management.
Each row in the access list represents a device on the network that a CA Privileged Access Manager
username is permitted to manage. This list of permitted devices is defined by policy as applied
through CA Privileged Access Manager associations. It dynamically reflects access policy as it is
applied by a CA Privileged Access Manager administrator to a user or group.
Control Indicators include:


Serial – Serial consoles are intended for use when the device is not functional or when network
connectivity is lost due to a reboot or upgrade. Supported out-of-band access methods include
Serial Port consoles and Terminal Servers.

Serial console access can be recorded and command controls can be enforced. All managed access
creates an event.

KVM – Certain KVM over IP network appliances have integrated support and can be used to limit
access to only certain devices connected. Other KVM over IP devices can be supported using their
web interface.

Power – Controls a smart power switch that is capable of powering the device on or off. CA
Privileged Access Manager can be used to restrict access to certain devices on the switch.

Status is shown for each device with an icon with a color dot at the lower right:

Green indicates that the device is ON

Red indicates that the device is OFF.

Yellow indicates that the device is new – or has failed to reply – and the status is unknown.

Setting Power On/Off


To change the Power status for a device:

1. Select the Power button. This brings up a pop-up window showing power options.

2. Select power option ON, OFF, or RESET. Or, to exit without making changes, select the Cancel
button.

Set up Socket Filter Agents


Socket Filter Agents (SFAs) are CA Privileged Access Manager components used to restrict access
either to server-based devices or from server-based devices. Socket filters provide a different kind of
access control than devices with finite command sets, such as routers and switches, for which
command filtering is applied.

The following components are required:

Socket Filter Lists (SFLs): Define either a socket blacklist or whitelist. A blacklist specifies only
the devices and ports that a user cannot access (everything else is allowed); a whitelist specifies
only the devices and ports that a user can connect to (everything else is denied).

Socket Filter Agents (SFAs): Apply rules that are specified by Socket Filter Lists and used in access
policies.

Socket Filter Configuration (SFC): Defines and applies agent behavior across all CA Privileged
Access Manager managed devices using Socket Filter Agents.
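The following added example (not the Socket Filter Agent's own logic or rule format) models the two list semantics described above for rules written as an IPv4 network plus an optional port or port range: a whitelist allows only what matches, a blacklist denies only what matches. It is meant as a check of what a given SFL will do to a connection before the policy is applied; the rule syntax and the class and function names are this example's assumptions.

```python
"""Decide whether a socket filter list allows a connection attempt.

Added example, not CA Privileged Access Manager code. Rules are IPv4 only
and written as "network[/prefix][:port[-port]]"; a missing port means any
port. Whitelist = allow only matches; blacklist = deny only matches.
"""
import ipaddress
from typing import List, Tuple


def parse_rule(rule: str) -> Tuple[ipaddress.IPv4Network, int, int]:
    """'10.0.0.0/8:22' -> (10.0.0.0/8, 22, 22)
    '192.0.2.5:8000-8100' -> (192.0.2.5/32, 8000, 8100)
    '192.0.2.5' -> (192.0.2.5/32, 1, 65535)   # any port"""
    host, _, ports = rule.partition(":")
    net = ipaddress.IPv4Network(host, strict=False)
    if not ports:
        return net, 1, 65535
    lo, _, hi = ports.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in rule {rule!r}")
    return net, lo, hi


class SocketFilterList:
    def __init__(self, mode: str, rules: List[str]):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        self.rules = [parse_rule(r) for r in rules]

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        """True if any rule covers the destination address and port."""
        ip = ipaddress.IPv4Address(dst_ip)
        return any(ip in net and lo <= dst_port <= hi for net, lo, hi in self.rules)

    def allows(self, dst_ip: str, dst_port: int) -> bool:
        """Whitelist: allow only what matches. Blacklist: deny only what matches."""
        hit = self.matches(dst_ip, dst_port)
        return hit if self.mode == "whitelist" else not hit


if __name__ == "__main__":
    # Constructed rules: a whitelist that permits SSH into one subnet and
    # HTTPS to one host, and a blacklist that blocks the same SSH subnet
    # and every port on one host.
    wl = SocketFilterList("whitelist", ["10.20.0.0/16:22", "192.0.2.10:443"])
    bl = SocketFilterList("blacklist", ["10.20.0.0/16:22", "192.0.2.10"])
    for ip, port in (("10.20.5.7", 22), ("10.20.5.7", 23), ("192.0.2.10", 8080)):
        print(ip, port, "whitelist:", wl.allows(ip, port), "blacklist:", bl.allows(ip, port))
```

The asymmetry is the point to check before deployment: a whitelist with no rules denies everything, a blacklist with no rules allows everything, so an empty or mistyped list fails in opposite directions depending on which kind it is.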


Socket Filter Lists


SFLs are used to define groups of servers or networks that can be applied to an access policy.

Socket Filter Agents


Once an SFA has been deployed and a user connects through CA Privileged Access Manager to a host
Device, the SFA downloads that user policy and enforces, at the Device, any blacklist or whitelist
filters. The SFA does not inspect or disturb any other connections to that Device, such as production
web traffic or CA Privileged Access Manager users who are not restricted. SFAs are available for
Windows and Linux installations.

For the purposes of Common Criteria testing, and when in FIPS mode, use version 2.5.5 or later of the
SFAs. Versions 2.5.5 and later only use TLS 1.2 with approved algorithms to communicate with the CA
Privileged Access Manager server.

Socket Filter Configuration


SFC is accessed through the Policies menu. SFC controls global values that affect the behavior of all
SFAs.

Socket filtering uses network heartbeat checks. We recommend that you verify your policies before
setting up socket filtering. Your organization might not allow network heartbeat checks.

Installation and Configuration Instructions


For instructions on the installation and configuration of SFAs in your environments, see the following
pages:
Socket Filter Agent Installation Requirements (see page 179)
Install and Configure a Socket Filter Agent on Windows (see page 181)
Install and Configure a UNIX Socket Filter (see page 183)
Configure Support for Socket Filter Agents (see page 186)

Socket Filter Agent Installation Requirements


This content describes SFA installation requirements in terms of network connectivity, CA Privileged
Access Manager support, device support, and permission level.

Network Connectivity
Use of any SFA requires that the following network connectivity prerequisites be met:

Port 8550 or a configured substitute must be allowed between the target host containing the SFA
and the CA Privileged Access Manager appliance.

Port 443 must also be open to allow communication back to CA Privileged Access Manager,
including messages for CA Privileged Access Manager log entries.

Use the following optional procedure to monitor the status of SFA agents from the CA Privileged
Access Manager web interface.


Follow these steps:

1. Navigate to Policy, Manage Policies, Manage Filters, Socket Filter Config.

2. Select SFA Monitoring and save your settings.

CA Privileged Access Manager and Earlier Product Release Support


CA Privileged Access Manager supports SFAs with the currently recommended combination of
upgrades.

To accommodate earlier product releases, refer to the Release Notes for your product.

Permission Level
SFA installation requires administration privileges, such as those provided by the Windows default
Administrator account or the UNIX root account.

Windows OS Support
You can install Windows SFAs on a target device that has one of the following Microsoft Windows
operating systems:

Windows Server 2008, 32-bit, or 64-bit

Windows Server 2008 R2, 64-bit

Windows Server 2012 R2, 64-bit

To accommodate other target device operating systems with previous releases of SFAs, refer to the
Release Notes for your product.

UNIX OS Support
You can install UNIX SFAs on a target device that has one of the following operating systems:

AIX 7

Debian 7, 32-bit, or 64-bit

Red Hat Enterprise Linux (EL) 6, 32-bit or 64-bit

Red Hat EL 5, 32-bit, or 64-bit

SuSE Linux 11, 32-bit, or 64-bit

SuSE Linux 10, 32-bit, or 64-bit

To accommodate other target device operating systems with previous releases of SFAs, refer to the
Release Notes for your product.


Install and Configure a Socket Filter Agent on Windows


This content describes how to install and configure Windows Socket Filter Agents (SFAs) for CA
Privileged Access Manager.

Install a Windows SFA on the Device


Windows SFAs are provided as MSI self-extracting packages.

Follow these steps:

1. Ensure that all installation prerequisites are met. See Installation Requirements (see page 179).

2. Log in to the target Windows device as a local administrator. Do not log in using a domain-
based user account.

3. Use the Add/Remove Programs window (or equivalent) to remove any existing Windows SFA
from the target device.

4. From the target device, log in to the CA Technologies Support website, and navigate to
Knowledge Base, Downloads > Socket Filter Agent Packages.

5. Select the SFA installer to open its download page.

6. After downloading the .zip file, uncompress it.


The .zip file contains the SFA configuration utility (SFAConfig.exe) and the SFA installer (WinSFA.msi).

7. Start the installer by double-clicking the WinSFA.msi file.

8. When requested, supply a destination folder to install the SFA.


The installer requests the installation parameters that are listed in the following table.

Port. Default: 8550.
Service Name. Default: Xceedium Socket Filter. Windows service setting.
Service Description. Default: Xceedium Socket Filter. Windows service setting.
Start server after the installation. Default: On.
Run Agent in Verbose mode. Default: Off. When enabled, produces detailed log messages for diagnostic purposes.

To change values after installation, use the configuration utility. See Configuration and Operation of
Windows SFAs (see page ).


The SFA works with Socket Filter Lists (SFLs) configured on the CA Privileged Access Manager
appliance. For details, see Configure the Appliance for SFAs (see page 186).

Install an SFA Silently on Windows


Windows SFAs can be installed silently with automatic startup.

Follow these steps:

1. Ensure that all installation prerequisites are met. See Installation Requirements (see page 179).

2. Log in to the target Windows device as a local administrator. Do not log in using a domain-
based user account.

3. Use the Add/Remove Programs window (or equivalent) to remove any existing Windows SFA
from the target device.

4. From the target device, log in to the CA Technologies Support website, and navigate to
Knowledge Base, Downloads > Socket Filter Agent Packages.

5. Select the SFA installer to open its download page.

6. After downloading the .zip file, uncompress it.


The .zip file contains the SFA configuration utility (SFAConfig.exe) and the SFA installer (WinSFA.msi).

7. Open a Command Prompt window:


For Windows 2008 or Windows 2012, right-click on the Command Prompt icon and select Run
as Administrator.

8. In the Command Prompt window, enter the following text:


msiexec.exe /i path\WinSFA.msi /qb /liwe XCDM_SFA.log

Where path is the path where the WinSFA.msi file is located.


The /q and /l options and parameters are recommended but not required.

To change values after installation, use the configuration utility. See Configuration and Operation of
Windows SFAs (see page ).

The SFA works with Socket Filter Lists (SFLs) configured on the CA Privileged Access Manager
appliance. For details, see Configure the Appliance for SFAs (see page ).

Configure and Operate Windows SFAs


The SFA runs only as a background Windows service. Use the local Windows Services interface for
service settings and control.

Windows SFA Configuration Utility


Use the SFA Configuration Utility (SFAConfig.exe) to change your SFA configuration after
installation.


Launching the utility displays a dialog with the fields described in the following table. (see page )

Port. Default: 8550.
Service Name. Default: Xceedium Socket Filter. Windows service setting.
Service Description. Default: Xceedium Socket Filter. Windows service setting.
Start server after the installation. Default: On.
Run Agent in Verbose mode. Default: Off. When enabled, produces detailed log messages for diagnostic purposes.

After you save the new settings, the SFA restarts.

Troubleshoot a Windows SFA


Turn on Verbose mode with the configuration utility to generate detailed log messages. See Windows
SFA Configuration Utility (see page 182) for details.

Log messages are stored in the log.txt file that is located in the installation directory.

Uninstall a Windows SFA


To uninstall a Windows SFA, do one of the following:

Access the Windows Control Panel and use the Add/Remove Programs window (or equivalent).

Open a Command Prompt window and enter the following text:


msiexec.exe /x path\WinSFA.msi

Where path is the path where the WinSFA.msi file is located.

Install and Configure a UNIX Socket Filter


This content describes how to install a Socket Filter Agent on UNIX.

Install a UNIX SFA on the Device (see page 183)


Configuration and Operation of UNIX SFAs (see page 185)
Troubleshoot a UNIX SFA (see page 186)
Uninstall a UNIX SFA (see page 186)

Install a UNIX SFA on the Device


Each UNIX SFA installer is shipped as a shell script for a specific operating system. Each script has a
descriptive filename of the following format:
gksfd_sfa-version_os-version[_64]_linux_install.sh

Where sfa-version is the SFA release version and os-version is the UNIX version.

For example:

gksfd_2.70_debian6_64_linux_install.sh for a Release 2.7 SFA for Debian 6 (64-bit)

gksfd_2.70_rh6_linux_install.sh for a Release 2.7 SFA for Red Hat EL 6 (32-bit)

Depending on the OS, there are different methods of deploying the SFAs. Because minimal
configuration is required on the managed target device, an SFA can be deployed through preexisting
software delivery mechanisms.

Note

On UNIX and Linux targets, the Socket Filter Agent only filters non-root users.

Follow these steps:

1. Ensure that all installation prerequisites are met. See Installation Requirements (see page 179).

2. Log in to the target device as a local administrator.

3. Remove any existing UNIX SFA from the target device.

4. From the target device, log in to the CA Technologies Support website, and navigate to
Knowledge Base, Downloads, Socket Filter Agent Packages.

5. Select the SFA installer to open its download page.

6. After downloading the .zip file, uncompress it.


The .zip file contains each possible installer script for UNIX SFAs.

7. In the directory where you want to install the SFA, run the appropriate installer script for your target
Device OS:
[root]# sh download-loc/gksfd_sfa-version_os-version[_64]_linux_install.sh

A terminal window opens, allowing you to interact with the installer script.

8. Follow the online directions. When requested, supply a destination directory to install the
SFA. The default is /usr/sbin.
For AIX, the control script is installed in /etc/rc.d/init.d/. For all other versions of
UNIX, the control script is installed in /etc/init.d/.
If you specify a location different from the default installation location, you might encounter
unexpected behavior. CA Technologies recommends against moving from the default locations.

The SFA works with Socket Filter Lists (SFLs) configured on the CA Privileged Access Manager
appliance. For details, see Configure the Appliance for SFAs (see page 186).


Configuration and Operation of UNIX SFAs


A configuration file (/etc/gksfd.cfg) and a control script control UNIX SFA operation. For Linux,
the control script is located at /etc/init.d/rc.gksfd. Other OS versions store this script in
corresponding locations.

The following table describes key settings in the gksfd.cfg configuration file.

Name: Login control
Setting: SECURE_LOGIN=[0|1]
Description: 0: Allow login from outside CA Privileged Access Manager. 1: Allow login only from a CA Privileged Access Manager connection.

Name: Secure user list
Setting: SECURE_USER=<username_1>,<username_2>,…,<username_N>
Description: Specifies every SFA superuser; that is, every device login user that is not to be subject to any socket filter policy applied during a CA Privileged Access Manager. Each username is delimited with a comma (,); no spaces are permitted.
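The following Python is an added example, not the agent's code: it reads the two gksfd.cfg settings described above, checks the comma-delimited, no-spaces rule for SECURE_USER, and models the exemption decision the page describes (root is never filtered on UNIX targets; SECURE_USER entries are exempt; SECURE_LOGIN=1 admits only logins arriving through a CA Privileged Access Manager connection). The sample configuration text and the decision functions are constructed for illustration and do not reproduce the agent's internal logic.

```python
"""gksfd.cfg reader and exemption model (added example, not SFA code).
SAMPLE_CFG is constructed; the decision helpers model the page's
description of SECURE_LOGIN and SECURE_USER, not the agent's internals."""
import re
from typing import Dict, List

SAMPLE_CFG = """# constructed gksfd.cfg sample
SECURE_LOGIN=1
SECURE_USER=svc_backup,dbadmin
"""

# One or more usernames separated by single commas, no whitespace anywhere.
_USER_LIST = re.compile(r"[^,\s]+(,[^,\s]+)*")


def parse_gksfd_cfg(text: str) -> Dict[str, str]:
    """Collect KEY=VALUE lines, ignoring blanks and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def validate(settings: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means both settings are well formed."""
    problems = []
    login = settings.get("SECURE_LOGIN", "0")
    if login not in ("0", "1"):
        problems.append("SECURE_LOGIN must be 0 or 1, got %r" % login)
    users = settings.get("SECURE_USER", "")
    if users and not _USER_LIST.fullmatch(users):
        problems.append("SECURE_USER must be comma-delimited with no spaces")
    return problems


def secure_users(settings: Dict[str, str]) -> List[str]:
    return [u for u in settings.get("SECURE_USER", "").split(",") if u]


def is_filtered(settings: Dict[str, str], username: str) -> bool:
    """True when socket filter policy applies to this device login user."""
    if username == "root":          # the page: only non-root users are filtered
        return False
    return username not in secure_users(settings)


def login_permitted(settings: Dict[str, str], via_pam: bool) -> bool:
    """SECURE_LOGIN=1 allows logins only from a CA PAM connection."""
    return via_pam or settings.get("SECURE_LOGIN", "0") == "0"


if __name__ == "__main__":
    cfg = parse_gksfd_cfg(SAMPLE_CFG)
    print("problems:", validate(cfg))
    for user in ("root", "dbadmin", "alice"):
        print(user, "filtered" if is_filtered(cfg, user) else "exempt")
```

Run the validation against a candidate gksfd.cfg before pushing it through your software delivery mechanism; a SECURE_USER value with a stray space silently changes which accounts are exempt from filtering.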

The syntax to run the control script is as follows:

rc.gksfd { start | stop | restart | reload }

The syntax for the UNIX SFA executable is as follows:

gksfd [-options]

The following table describes the options.

-h: Display online help.
-l logfile: Default when the option is not set: /var/log/gksfd.log. Specify the log file used.
-p port#: Default when the option is not set: 8550. Set the port used to communicate with the CA Privileged Access Manager appliance.
-v: Default when the option is not set: info. Set log-level to Verbose mode. The following is an example:

/usr/sbin/gksfd -v >> /var/log/gksfdmessages

Set this option only when extra logging is required.
-ver: Display the version number.

To apply persistent changes, set the UNIX SFA options in the rc.gksfd file.


Troubleshoot a UNIX SFA


Use the -v option to turn on Verbose mode to generate detailed log messages.

The default location for log messages is /var/log/gksfd.log.

Uninstall a UNIX SFA


Follow these steps:

1. Stop the gksfd daemon from the directory where the executable was installed. The
following is an example for Red Hat 5 Linux:
[root]# /etc/init.d/rc.gksfd stop

2. Delete the following files:

The executable, typically located at /usr/sbin/gksfd

The control script, typically located at /etc/init.d/rc.gksfd

Configure Support for Socket Filter Agents


This content describes how to configure CA Privileged Access Manager to support Socket Filter
Agents. Configure a Socket Filter Agent by using a Socket Filter List (SFL) that is prepared using the CA
Privileged Access Manager interface.

To configure an SFA, do the following procedures:

Create a Socket Filter List


A Socket Filter List (SFL) defines the sockets to which a Socket Filter Agent allows or denies access. An
SFL can be either a whitelist or a blacklist.

Note: To ensure proper performance, define no more than 8000 sockets in each SFL.

Create SFLs using one of the following methods:

Create an SFL Using the SFL Template


Use the following procedure to create and manage Socket Filter Lists using the SFL template.

Follow these steps:

1. Select from the Menu Bar: Policy, Manage Policies.


The Manage Policies page appears.

2. Select the blue link Manage Filters button in the top right corner.
The Manage Filters overlay window appears (showing the Command Filter Config template).


3. Select the gray link button Socket Filter Lists.

The Socket Filter Lists pane appears.
Initially, the pane displays “No Results.” Created lists can be selected here for editing.

4. To the left of the Search field, click the blue link Create List.
The Create Socket Filter List pane replaces the Socket Filter Lists pane.

5. Enter a (useful) Name for this socket filter list.

6. Specify the Type of list:

A blacklist denies access only to the listed services and ports.


When a CA Privileged Access Manager user requests access to a device, and the policy
specific to this user and device combination specifies this blacklist, then any socket
requested by the user that is on this list is denied. Requests for all sockets that are not on
the blacklist are allowed.

A whitelist allows access only to the specified servers and ports.


When a CA Privileged Access Manager user requests access to a device, and the policy
specific to this user and device combination specifies this whitelist, then any socket
requested by the user that is on this list is allowed. Requests for sockets that are not on
the whitelist are denied.

When used against LDAP users, socket filter whitelists must also include IP addresses of the
relevant domain controller or controllers. Because IP addresses can change in your
environment, whitelists can require relatively active management (that is, updating) of the
filters.

7. Edit the fields where needed.


The Port(s) field is limited to 512 characters.

8. Click the Save button to save the settings and close the editing pane.

For PKI smartcard users, socket filters must be actively managed.

The list is now effective, and available for inspection or editing with the Socket Filter Lists pane.

Create SFLs by Importing an SFL CSV File


Use the following procedure to create and manage socket filter lists using an SFL CSV file.

Follow these steps:

1. Select from the Menu Bar: Policy, Import/Export Socket Filter Lists.
The Import/Export Socket Filter Lists page appears.
This page allows you to create SFLs by importing a CSV file. A sample file is available by
selecting the Download Sample File button. See Figure 7 (see page ) and Table 4 (see page ).

2. Use the Browse button to select the CSV file for import and select Import Socket Filter Lists to
upload.


3. Optionally use the Export Socket Filter Lists button to export existing SFLs from CA Privileged
Access Manager to a CSV file. These lists can be stored, modified and imported or reimported
later.

Socket Filter specification types for the import file (IP Address; Ports):

Single IP and single port: IP Address 10.1.10.94; Ports 5555
Single IP and range of ports (with dash): IP Address 192.168.1.14; Ports 0-65535
Single IP and multiple ports (separated by comma): IP Address 10.1.10.94; Ports 5555, 7777
Single IP and "*" for ports (all ports): IP Address 192.168.1.14; Ports *
IP subnet/mask and port: IP Address 192.168.1.14/24; Ports 23
IP subnet/mask and range of ports (use dash): IP Address 192.168.1.14/24; Ports 0-65535
IP subnet/mask and multiple ports (separated by comma): 192.168.1.14/24: 21,22,23
IP subnet/mask and "*" for ports (all ports): 192.168.1.14/24:*
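As an added example (not CA Privileged Access Manager code and not the format of its sample file), the following Python parses entries written in the address and port forms above and applies the blacklist/whitelist rules given under "Specify the Type of list": a blacklist denies the listed sockets and allows everything else, a whitelist allows the listed sockets and denies everything else. The in-memory layout, the (address, ports) pairing and the sample entries are constructed; the 512-character limit on the Port(s) field is the one stated on this page.

```python
"""Socket Filter List entry matcher (added example, not CA Privileged Access
Manager code).  An entry pairs an address spec (single IP or subnet/mask)
with a port spec (single port, dash range, comma-separated list, or '*').
Sample entries are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

MAX_PORTS_FIELD_LEN = 512  # the Port(s) field limit stated on this page
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class SocketEntry:
    network: Network               # a single host is stored as a /32 (or /128) network
    ports: List[Tuple[int, int]]   # inclusive (low, high) ranges; '*' becomes (0, 65535)


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Turn '5555', '0-65535', '5555, 7777' or '*' into inclusive ranges."""
    spec = spec.strip()
    if len(spec) > MAX_PORTS_FIELD_LEN:
        raise ValueError("Port(s) field exceeds %d characters" % MAX_PORTS_FIELD_LEN)
    if spec == "*":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
        else:
            low = high = int(part)
        if not 0 <= low <= high <= 65535:
            raise ValueError("bad port range: %r" % part)
        ranges.append((low, high))
    return ranges


def is_valid_port_spec(spec: str) -> bool:
    """Import-time validation helper: True when parse_ports accepts the spec."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False


def parse_entry(address: str, ports: str) -> SocketEntry:
    # strict=False accepts host bits in a subnet spec such as 192.168.1.14/24.
    network = ipaddress.ip_network(address.strip(), strict=False)
    return SocketEntry(network, parse_ports(ports))


def entry_matches(entry: SocketEntry, ip: str, port: int) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr in entry.network and any(low <= port <= high for low, high in entry.ports)


def allowed(list_type: str, entries: List[SocketEntry], ip: str, port: int) -> bool:
    """Blacklist: deny on a hit, allow otherwise.  Whitelist: allow on a hit, deny otherwise."""
    hit = any(entry_matches(e, ip, port) for e in entries)
    if list_type == "blacklist":
        return not hit
    if list_type == "whitelist":
        return hit
    raise ValueError("list_type must be 'blacklist' or 'whitelist'")


# Constructed sample list using the address and port forms from the table above.
SAMPLE_ENTRIES = [
    parse_entry("10.1.10.94", "5555, 7777"),
    parse_entry("192.168.1.14/24", "21,22,23"),
    parse_entry("172.16.0.5", "*"),
]


def demo() -> dict:
    """Evaluate a few requested sockets against the sample list as each list type."""
    return {
        "bl_10.1.10.94:5555": allowed("blacklist", SAMPLE_ENTRIES, "10.1.10.94", 5555),
        "bl_10.1.10.94:22": allowed("blacklist", SAMPLE_ENTRIES, "10.1.10.94", 22),
        "wl_192.168.1.200:22": allowed("whitelist", SAMPLE_ENTRIES, "192.168.1.200", 22),
        "wl_192.168.2.1:22": allowed("whitelist", SAMPLE_ENTRIES, "192.168.2.1", 22),
    }


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(request, "allowed" if verdict else "denied")
```

The whitelist cases illustrate the maintenance point made above: a whitelist that omits the domain controller addresses an LDAP user needs will deny those connections, so every address change in the environment has to be reflected in the list.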

Configure a Socket Filter on the CA Privileged Access Manager Appliance


Follow these steps:

1. Select from the Menu Bar: Policy, Manage Policies.


The Manage Policies page appears.

2. Select the blue link Manage Filters button in the top right corner.
The Manage Filters overlay window appears (showing the Command Filter Config template).
Select the gray link button Socket Filter Config.
The Socket Filter Config pane appears, prepopulated with default values.

3. Adjust where necessary the fields and click the Save Socket Filter Config button to save the
settings.

Basic Info

Agent Port: The default is 8550. The value must match the port where the agents are listening.
NOTE: The socket filter agents must be configured to use the same port.

SFA Monitoring: IMPORTANT: This check box must be selected for filters to be monitored (in addition to the device filter specification on the specific device page).
Enable this option if the policies include disallowing users to log on to a device if the agent is not running. Agent status also appears in the Devices menu button under Socket Filter Agent.

Appliance ID: A unique number that refers to each physical appliance; it must be set when using SFA agents with Windows. Thus when CA Privileged Access Managers are clustered, each member must have a unique ID.

Log All Access: When selected, logs all access activity (whether the device is an entry on a whitelist or is missing from a blacklist).
PREREQUISITE: Second-generation Socket Filter Agent installation is required.

Messages

Violation Message: Provides the ability to customize the message that appears to the user when a policy is violated.
When the following strings (including brackets) are used in a Socket Filter Config message, they are substituted as specified:

[host] - Replaced by the IP address of the blocked host

[port] - Replaced by the port of the blocked connection

NOTE: Double-byte characters such as those used for traditional Chinese are permitted.

Violation Additional e-mail Message: The area for information that is sent to "super" if violations occur.
PREREQUISITE: Administrator email must be configured.
NOTE: Double-byte characters are NOT permitted in email messages. (They are permitted only in screen messages.)

Action

# Violations Before Action: The number of violations that are permitted to occur. When the violation count matches this threshold, the action that is specified in Action After Limit Exceeded is taken. Set this value to zero (0) if no count should be enforced.
NOTE: The count of violations is persistent on a per user-device basis regardless of how many times the user connects. Thus a user is not permitted to reset the count by reconnecting and trying again.

Action After Limit Exceeded: Select the appropriate action to comply with policy when the user exceeds the number of violations.

Set up Command Filters


Command filters are CA Privileged Access Manager access restrictions that prevent commands that
you specify from executing. Command filter lists can be used to enforce policy in the command line
applets TELNET, SSH, and serial consoles. Command filters are not intended to be used with, and do
not work on, Windows Devices.
Set up Command Filter Lists (CFL) (see page 189)
Set up Command Filter Configuration (CFC) (see page 193)

Set up Command Filter Lists (CFL)


Command Filtering in CA Privileged Access Manager, like Socket Filters, uses whitelists and blacklists
to set the appropriate policy.


A command-filtering blacklist is a list of commands that a user cannot type. If the user attempts to
type the command, CA Privileged Access Manager can flag (log), alert, remediate, and stop the
command from being processed. All other commands are allowed.

A command filtering whitelist is a list of the commands that a user can type. All other commands are
prohibited.

Note

Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250
applets.

Use the CFL Template


This screen is used to create and manage command filter lists.

1. Select from the Menu Bar: Policy, Manage Policies.


The Manage Policies page appears.

2. In the upper corner of the white page body, select the Manage Filters link.
The Manage Filters overlay window appears (showing the Command Filter Config template).

3. Near the top of this window, select the gray link button Command Filter Lists.
The Command Filter Lists pane appears.
Note: Before you set up lists, the field displays "No Results." After you set up lists, a list can be
selected here and edited.

4. To the left of the Search field, click the Create List link.


The Create Command Filter List expansion pane replaces the Command Filter Lists pane.

5. Enter a Name you want to use for this list.

6. The Type of list is either:

a. A blacklist, which denies only the listed command strings.


When a CA Privileged Access Manager user submits a CLI command to a device, and
when the policy specific to this user-device combination specifies this blacklist, then
any command that this user requests that is on this list – and only those on this list – is
denied.

This denial applies per character: After sufficient characters (literal Keyword or
Regexp) have been entered to match a violation criterion, the specified action (Alert
/Block) is applied. (See the following control definitions for more information).

b. A whitelist, which allows only the listed command strings.

When a CA Privileged Access Manager user submits a CLI command to a device, and
when the policy specific to this user-device combination specifies this whitelist, then
any command that this user requests that is on this list – and only those on this list – is
allowed.
Note: Command filter whitelists cannot be configured for Mainframe TN3270 and
TN5250 applets.

This allowance applies per line string entered (that is, the permission test is made
following a linefeed/Enter/carriage return).

7. Into the Keyword field, enter a command string. Depending on which type of list you are
creating:
If you are creating a blacklist, then for each Keyword to test, you must select one or more
controls:

a. Alert – If you want the Monitoring administrator to be notified immediately by email
of each instance of Keyword violation.

b. Block – If you want the command line containing the Keyword to be canceled
immediately (prevented from executing).

c. Regexp – If the Keyword field specifies a regular expression to be applied to the actual
command line entered. Whenever a command that is entered by the User conforms to
the regexp, the command is flagged as a violation.

When both Regexp and Alert are selected, then for security reasons the body of the
alert message that is sent does not include the regular expression string (Keyword).
At least one of these three options must be chosen. Otherwise, the Keyword has no
effect.
Important: When populating the Keyword field for a blacklist using Regexp, begin with
a start-of-line metacharacter (ordinarily: ^). However, because a blacklist keyword
string is evaluated character by character, the end-of-line metacharacter (ordinarily: $)
is never interpreted and is therefore unnecessary.
Example:
To match (prevent) a user key entry of exactly who -a
Fill the Keyword field with one of the following regular expressions:

Correct: ^who -a

Correct: ^who -a$

However, each of the following regular expressions does not work correctly:

Incorrect: who -a

Incorrect: who -a$

If you are creating a whitelist, then for each Keyword to test, you can select:

a. Regexp – If the Keyword field specifies a regular expression to be applied to the actual
command line entered. The regular expressions that are permitted follow the syntax
supported by the (Perl-based) Oracle® java.util.regex API. Only when a command that
is entered by the User conforms to one or more of the regexps or commands in this
whitelist is the command allowed.
Important: When populating the Keyword field for a whitelist when using Regexp, it
does not matter whether you include the start-of-line (ordinarily: ^) or
end-of-line (ordinarily: $) metacharacters. Because these metacharacters are implied,
the string that the user enters is automatically anchored by both of these
metacharacters.
Example:
To match (allow) a user entry of exactly: who
Enter Keyword field content of any of the following regular expressions:

Correct: who

^who

^who$

who$

Example:
[Ll][Ss] +
This is a regular expression that permits variations of upper or lower case on the Unix
command ls, but requires a space be added for the expression to be accepted.
Example:
[Ll][Ss] +\-[LlAa][LlAa]?
This is a variant of the previous example, based on ls -al, in which upper and lower
case are again permitted. But the order of the two characters al is arbitrary, and two
or more spaces are required between the command and its argument. Because the
entered command filter string is anchored by start-of-line and end-of-line
metacharacters, in this example trailing spaces are prohibited.

8. To add another Keyword specification, click the Add Keyword button to open the template
for a new specification line, and fill in the fields for that line.

9. Click the Save button to save the settings.


The list is now effective in CA Privileged Access Manager, and available for inspection or
editing in the Command Filter Lists pane.

10. Click the X (close) button to exit the overlay window and return to the Manage Policies page.

Use CFL CSV Files


On this page, you are provided with the ability to Import Command Filter Lists from a CSV file.

A sample file is available by selecting the Download Sample File button.

Copy the sample file to a new file, and edit it for your use.

Note: In an imported CSV file, if you include a blacklist line with the same key fields ( Type, List
Name, List Type, and Keyword) as those of an earlier line in that file, the latter line effectively
replaces the earlier line. In other words, the values that are applied for Alert, Block, and
Regexp are the last values read, or those in the latest key-matching line.

Use the Browse button to select the CSV file for import and select Import Command Filter
Lists to upload.


Also, Export Command Filter Lists allows users to export existing lists from CA Privileged Access
Manager to a CSV file. These lists can be stored, modified and imported.
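The following Python is an added example, not CA Privileged Access Manager code, covering two passages above: the whitelist and blacklist Keyword semantics from the CFL template procedure (step 7), and the last-line-wins rule for duplicate key fields in an imported CSV file. Python's re.fullmatch stands in for the java.util.regex engine the page names, with implied start-of-line and end-of-line anchoring on whitelist regexps; the CSV column layout (Type, List Name, List Type, Keyword, Alert, Block, Regexp) and the sample rows are assumptions, as is the per-character blacklist model, which here handles literal keywords only. The ls patterns are the page's examples with the l/L alternation written [Ll].

```python
"""Command filter evaluation model (added example, not CA PAM code).
SAMPLE_CSV and its column layout are constructed; re.fullmatch stands in
for java.util.regex with the whitelist's implied ^ and $ anchors."""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Keyword:
    text: str
    regexp: bool = False
    alert: bool = False
    block: bool = False


# The second 'rm -rf' row repeats the key fields of the first, so its
# Alert/Block/Regexp values replace the earlier ones (last line wins).
SAMPLE_CSV = r"""Type,List Name,List Type,Keyword,Alert,Block,Regexp
CFL,ops-deny,blacklist,rm -rf,1,0,0
CFL,ops-deny,blacklist,rm -rf,1,1,0
CFL,ops-allow,whitelist,who,0,0,0
CFL,ops-allow,whitelist,[Ll][Ss] +,0,0,1
CFL,ops-allow,whitelist,[Ll][Ss] +\-[LlAa][LlAa]?,0,0,1
"""


def load_cfl_csv(text: str) -> Dict[Tuple[str, str], List[Keyword]]:
    """Group keywords by (list name, list type); duplicate keys keep the last row."""
    by_key: Dict[Tuple[str, str, str, str], Keyword] = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["Type"], row["List Name"], row["List Type"], row["Keyword"])
        by_key[key] = Keyword(row["Keyword"], row["Regexp"] == "1",
                              row["Alert"] == "1", row["Block"] == "1")
    lists: Dict[Tuple[str, str], List[Keyword]] = {}
    for (_, name, ltype, _), kw in by_key.items():
        lists.setdefault((name, ltype), []).append(kw)
    return lists


def whitelist_allows(line: str, keywords: List[Keyword]) -> bool:
    """Whole-line test made when the user presses Enter: a regexp keyword is
    fully anchored, a literal keyword must equal the line exactly."""
    for kw in keywords:
        if kw.regexp:
            if re.fullmatch(kw.text, line):
                return True
        elif kw.text == line:
            return True
    return False


def blacklist_check(line: str, keywords: List[Keyword]) -> Optional[Tuple[int, str, str]]:
    """Feed characters one at a time; return (chars_typed, keyword, action) at the
    first literal-keyword violation, or None if the whole line is typed cleanly.
    Regexp blacklist keywords are outside this model and are skipped."""
    for n in range(1, len(line) + 1):
        typed = line[:n]
        for kw in keywords:
            if not kw.regexp and typed.endswith(kw.text):
                actions = [name for name, on in (("Alert", kw.alert), ("Block", kw.block)) if on]
                if actions:
                    return n, kw.text, "+".join(actions)
    return None


if __name__ == "__main__":
    lists = load_cfl_csv(SAMPLE_CSV)
    allow = lists[("ops-allow", "whitelist")]
    for cmd in ("who", "whoami", "LS ", "ls", "ls  -al", "ls -al "):
        print(repr(cmd), "allowed" if whitelist_allows(cmd, allow) else "denied")
    print(blacklist_check("sudo rm -rf /tmp/x", lists[("ops-deny", "blacklist")]))
```

Because the import applies last-line-wins, exporting a list, editing it and re-importing it is safe only if you also remove the earlier rows you meant to supersede; otherwise reviewers reading the file see two rows and cannot tell which one is in force without knowing this rule.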

Search Command Filter Lists


You can search existing command filter lists for matches to a character substring by using the Search
field. This search not only flags a list when there is a match in its Name field, but also flags a list when
there is a match in any of the Keyword fields for that list.

Set up Command Filter Configuration (CFC)


This screen is used to create and manage command filtering.

1. Select from the Menu Bar: Policy, Manage Policies.


The Manage Policies page appears.

2. In the upper corner of the white page body, select the Manage Filters link.
The Manage Filters overlay window appears, showing the Command Filter Config template.

3. Adjust the fields where necessary, and click the Save Command Filter Config button to save
the settings.


Command Filter Configuration Pane

Messages

Blacklist Violation Message: The default is:
Warning: [command] is an unauthorized command.
You have [violations] violations. Your session will be terminated and account deactivated
should violations continue.
Please contact the administrator if you have any questions
… where "[command]" is substituted during execution with the string (keyword) used, and
"[violations]" is substituted during execution with the number of (including the current)
occurrences of this violation by this user (and "[newline]" is substituted with a line feed).
NOTE: Double-byte characters such as those used for traditional Chinese are permitted.

Whitelist Violation Message: The default is:
Warning: [command] is an unauthorized command.
Please contact the administrator if you have any questions
… where "[command]" is substituted during execution with the string (keyword) used (and
"[newline]" is substituted with a line feed).
NOTE: Double-byte characters such as those used for traditional Chinese are permitted.

Violation Additional e-mail Message: This area is provided for information that is sent to the configured administrator if violations occur. (No default is provided.)
NOTE: Double-byte characters are NOT permitted in email messages. (They are permitted only in screen messages.)

Action

# Violations Before Action: The number of violations that are permitted to occur. When the violation count matches the threshold, the action in Action After Limit Exceeded is taken. Set this value to zero (0) if no count is enforced. The count of violations is on a per device basis regardless of how many times the user connects.

Action After Limit Exceeded: Select the appropriate action that complies with policy when the user exceeds the number of violations.

Set up Transparent Login


Transparent Login is the automated access to a target application through auto-connect using CA
Privileged Access Manager.
SSH Connections (see page 194)
RDP Connections (see page 197)

SSH Connections
You can provision a CA Privileged Access Manager device to permit execution of sudo or BeyondTrust
PowerBroker pbrun using the login password for the device from the SSH Access Method applet.


Important

Configuration

Security Requirement: Configure sudo or pbrun on the target so that each execution
requires a password from the client. Otherwise, security can be compromised.

Transparent login cannot be applied to Device Groups.

Usage

Unexpected behavior: In some uncommon scenarios, transparent login does not
behave as intended, and the user experiences unexpected behavior. For example, a
token ("XGK####") is visible or a password prompt might appear. In these cases, exit
the application by entering a return, or if necessary Control-C. Retry the command,
taking care to apply the correct syntax.

Target Support
OS versions: Unix and Linux

Shell types: bash, csh, and tcsh

Applications: sudo and PowerBroker pbrun

Unix/Linux Configuration
Configure sudo or pbrun for target Devices to request a password (to which CA Privileged Access
Manager responds transparently) every time that it is invoked. For example, set
timestamp_timeout=0 so that there is no time gap during which sudo execution requires no
password. Otherwise, CA Privileged Access Manager security can be compromised.

CA Privileged Access Manager Provisioning


To configure a CA Privileged Access Manager Device to allow secondary transparent login, follow
these steps:

1. Create or open an existing Device record on the Devices, Manage Devices page.

a. If this is a new Device record, populate at least the required attributes (whose titles are shown in red).

b. In the Access Methods panel, select SSH.

c. Scroll to the Transparent Login panel near the bottom of the record. Depending on
whether you want to use sudo or pbrun (or both), fill in:

i. Full Path to … to identify the directory location of the sudo or pbrun
executable on the target Device.

ii. Password Prompt with the prompt (or a fully static substring) for user
password input that is presented immediately upon executing sudo/pbrun.
The longer or more complete a literal string match you provide, the greater the
security you have. The full prompt that is experienced by the user might be
"[sudo] password for user: ", where "user" represents the dynamically applied
actual username. The longest static string that can be applied here is then "[sudo]
password for ", so use that string.

d. Complete provisioning of other Device fields as needed or desired, and click Save.

2. Create or open an existing policy record on the Policy, Manage Policies page.

a. Scroll to the Transparent Login panel near the bottom of the record, and select its
checkbox. This option allows you to turn transparent login on and off for a particular
User/User Group (analogous to the on/off communication method selections in Access).

b. Complete the provisioning of other Policy fields as needed or desired, and click Save.
Transparent login is now ready for Access use to this Device.

User Experience
The User logs in as usual to the target Device using the SSH Access Method applet. When sudo or
pbrun is invoked, the normal response (prompting the User to enter a password) is not displayed.
Instead, CA Privileged Access Manager supplies the password that was passed in during
auto-connection, and sudo/pbrun continues directly into executing the sudo-argument commands.

Complex Commands
You can use a configured privileged command (sudo or pbrun) anywhere, and multiple times, on a
command line while CA Privileged Access Manager provides the login user password for
uninterrupted completion.
Examples:

$ for i in $(cat newusers.txt); do sudo useradd $i; done

$ sudo vi /etc/ssh/sshd_config && sudo /etc/init.d/ssh restart

You can also use a configured privileged command (sudo or pbrun) on multiple lines while CA
Privileged Access Manager provides the login user password for uninterrupted completion.

Example:

$ for i in $(cat a_remote_location/deep_in_some_subdirectory/\
> newusers.txt); do sudo useradd $i;\
> done

Unsupported Syntax
We do not support the following uses:

Sending a sudo command argument to the background, as in: $ sudo updatedb &

Stringing a sudo command directly after vi exit commands, as in: :wq sudo updatedb, before
exiting vi with the Enter key.


Best Practices
If a password prompt ever appears during execution of a sudo or pbrun command in a Windows
Device that is configured for secondary transparent login, exit using Ctrl-C. Any other response
might trigger a password lockout. Example: Pressing Enter or another key entry.

Audit Logs
Following each invocation of sudo or pbrun, an audit log entry like the following example is made:

2016-03-11 01:16:27 user xsso ubuntu Executed "sudo pwd" using transparent

RDP Connections
You can implement transparent login for a Windows RDP server for secondary access through an
application on that Device. As with CA Privileged Access Manager HTML WebSSO, the administrator
uses "Learn Mode" to teach the product to recognize the relevant access interface of a target
application. In this case, it is a CA Privileged Access Manager-configured RDP Application.
A significant feature of this implementation is that no storage of credentials or software is needed on
the target RDP server side. No installation of agents is needed on the access client or the RDP server.
Optionally, these applications can be cached for improved load times.
No special configuration is required on CA Privileged Access Manager or the target Device. The
provisioning process as described here embodies the required setup.

Target Support
OS versions: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012; x86 and x64
versions for each

Applications: VMware vSphere Client and vSphere Client console; Microsoft SQL Server
Management Studio; WinSCP; Dell Toad; PuTTY; Oracle SQL*Plus

Windows Configuration
Windows (RDP server) devices that are the targets of CA Privileged Access Manager transparent login
require the following configuration to work properly.

On All Supported Windows Devices


Certificates

If you are using a signed certificate on CA Privileged Access Manager, you must install the CA
certificate on each Windows target Device. Import this certificate as a Trusted Root.
Session Recording

For transparent login activity to be recorded successfully when using Internet Explorer, the
administrator must add every equivalent CA Privileged Access Manager address (for example, a
cluster VIP name and VIP address) to the browser security settings:

1. In Internet Explorer, select Tools, Internet Options.

2. Click the Security tab, then on Trusted Sites, and then the Sites button.


3. In the Trusted sites dialog window, key in and Add each equivalent CA Privileged Access
Manager address in use. Click Close to exit Trusted sites.

4. Click OK to save and exit Internet Options.

This setting might not work fully. If that is the case, try this additional configuration in Internet
Options:

1. Click the Connections tab, then on LAN settings. If the Proxy server checkbox is selected, click
the Advanced button.

2. In the Exceptions section, remove any "127.*" or equivalent construct.

3. Click OK to save and exit Proxy Settings, then click OK again to save and exit Local Area
Network (LAN) Settings, and then OK again to save and exit Internet Options.

On Windows Server 2008


1. Install the Terminal Server role using the following advice:
http://technet.microsoft.com/library/cc730673%28v=WS.10%29.aspx#BKMK_InstallTerminalServerRole

2. Configure cmd.exe as Remote App using the following advice:
http://technet.microsoft.com/en-us/library/cc753610.aspx

3. For security reasons: In the RemoteApp Properties dialog, Command-line arguments option
buttons, select "Always use the following command-line arguments". Set its arguments to use
the following string.
Note: Whether you copy-and-paste this string or enter it in manually, ensure that you do not
introduce any additional hidden characters or white space. Otherwise, the command might
not work.

/C title Initializing RDP session&echo Please wait...&timeout 4 /nobreak>nul&"

On Windows Server 2008 R2


1. Install Microsoft hotfix kb978869 according to advice provided in the following link. If the
latest Windows updates are already installed, this step can be skipped because this hotfix is
included in those updates.
http://support.microsoft.com/kb/978869

2. Install the Remote Desktop Session Host role using the following advice:
http://technet.microsoft.com/en-us/library/cc742813.aspx

3. Configure cmd.exe as Remote App using the following advice:
http://technet.microsoft.com/en-us/library/cc753610.aspx

4. For security reasons: In the RemoteApp Properties dialog, Command-line arguments option
button, select the Always use the following command-line arguments option. Set its
arguments to use the following string.
Note: Whether you copy-and-paste this string or enter it in manually, ensure that you do not
introduce any additional hidden characters or white space. Otherwise, the command might
not work.


/C title Initializing RDP session&echo Please wait...&timeout 4 /nobreak>nul&"\\

On Windows Server 2012


1. Add your Windows Server 2012 to your Domain.
For testing purposes, you can instead install a Domain Controller on the same server. See:
http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx

2. Install the Remote Desktop Session Host role using the following advice:
http://social.technet.microsoft.com/wiki/contents/articles/10421.deploying-the-rds-quick-start-deployment-type-in-windows-server-2012-for-session-virtualization.aspx

3. Configure cmd.exe as Remote App using the following advice:
http://social.technet.microsoft.com/wiki/contents/articles/10817.publishing-remoteapps-in-windows-server-2012.aspx

4. For security reasons: In the RemoteApp Properties dialog, Command-line arguments option
button, select the Always use the following command-line arguments option. Set its
arguments to use the following string.
Note: Whether you copy-and-paste this string or enter it manually, ensure that you do not
introduce any additional hidden characters or white space. Otherwise, the command might
not work.

/C title Initializing RDP session&echo Please wait...&timeout 4 /nobreak>nul&"\

CA Privileged Access Manager Provisioning


Provisioning Windows transparent login on and through CA Privileged Access Manager has these
stages:

1. Preparing Target Device records, including an RDP server hosting an RDP Application

2. Running the Learn Tool at the RDP server in coordination (through the RDP Access Method
applet) with CA Privileged Access Manager

3. Configuring the RDP Application record on CA Privileged Access Manager

4. Provisioning Target Account records and CA Privileged Access Manager Policy

To run Learn Tool and edit transparent login configurations, a CA Privileged Access Manager
administrator must have at minimum the role of Service Manager. This permits the servicesRead,
servicesManage, and servicesDelete privileges. Among the preconfigured roles, these privileges are
also provided only to the Global Administrator and Operational Administrator roles.

Prepare Targets
Initially, as the CA Privileged Access Manager administrator, you provision a Device and the RDP
Application that is the target (or intermediary) of the transparent login. You might also want to
provision (in Credential Manager) the primary access credentials that are consumed during login to
the Device. At this stage, you do not need to provision the secondary credentials that are consumed
by the RDP Application.


Run Learn Mode


During Learn Mode, CA Privileged Access Manager is taught the credential-processing interfaces of
the provisioned RDP Application. This process captures the required sequence in a transparent login
configuration file stored at CA Privileged Access Manager.
Example Procedure

This example procedure uses the execution of a connection to a Linux target Device using the RDP
Application PuTTY.

1. Confirm that you have provisioned your desired target Device in CA Privileged Access
Manager, and that the target RDP Application (which is configured later in CA Privileged Access
Manager) is installed on that Device.

2. If needed, log in to CA Privileged Access Manager as the administrator responsible for Learn
Mode.

3. Navigate to the Access page.

4. Mouse over the RDP link to the target Device so that (after a moment) it displays the RDP
options pop-up window.

5. While in that panel:

a. Select the new option Learn mode.

b. You might also want to expand the size of your RDP window in Resolutions to the
largest practical value (for example, "Fullscreen"), because Learn Mode is easier to use
when there is a large target desktop.

c. Click Launch to initiate the RDP connection.

Your RDP applet and connection launch. Following login, a script window appears telling
you that the Learn Mode Tool ("Transparent Login Learn Tool") is launching. After a minute,
this script window disappears, and in a few minutes you see the initial Learn Tool window. If
transparent login configurations are already set up on CA Privileged Access Manager, they
appear in the drop-down list near the upper left corner of the Learn Tool. See the procedure in
the next section.
With the Learn Tool, you create a configuration script that allows CA Privileged Access
Manager to recognize the username, password, submit, and other widgets of an RDP
Application when your Users connect to that application. The script also automatically
populates and executes them for transparent login. During script execution, the XML line
items in the script are compared sequentially against the characteristics and the current state
of the application for eventual login execution. PuTTY is used as the example in this exercise.
Initially, several configurations (Transparent Login Configs, or TLCs) can be pre-populated in
CA Privileged Access Manager. When the Learn Tool is launched, these configurations are loaded
into Learn Tool memory and are available from the configuration name drop-down list.

6. In this example, we create a new configuration. First, assign it a name. (This name is found in
the Transparent Login Configs list on CA Privileged Access Manager, and editable in the
configuration Name field, later when you prepare your RDP Application record.) Here, we
used "PuTTY-to-LinuxTarget1":


a. Click the "Add new configuration" button, and in the dialog window enter a Name, and
click OK.

b. The configuration name now appears in the field to the left of that button, and is
immediately saved on CA Privileged Access Manager. To save the (currently empty)
configuration in CA Privileged Access Manager with this name, click the "Save
configuration" button.

7. Open your target RDP application; a configuration interface is ordinarily presented (the PuTTY
Configuration window).
While both the Learn Tool and the application are open during this procedure, you populate
the Learn Tool script window (the body of its GUI). You identify widgets on the target
application using one of several Learn Tool widgets that are detailed in the following tables.
Each use of a scripting widget inserts a script command.
When executing PuTTY using its GUI, the simplest procedure might be to specify a target
address, then execute a connection using PuTTY default parameters, and then automatically
submit the username and password to effect a login.
First, you identify for the Learn Tool the location of the PuTTY Session screen, Host Name (or
IP address) field so that when the script is run, CA Privileged Access Manager knows where to
insert that address.

8. To create the script command that provides this, select the "Text input" tool. Like each of the
other Learn Tool scripting controls, this tool invokes an Add Edit Tag dialog window in which
you specify parameters to identify and populate this command.
The first field is the Element type. In this case, select the default "Text Field", as this is the
type of control that PuTTY Host Name (or IP address) control widget is. (The other choices are
"Drop Down List", "Checkbox", "Radio Button", and "Keystrokes"). To identify where this field
is, provide the Element Id. The first step to doing this is to invoke the application AutoIt
Control Viewer (v. 1.1) from the Learn Tool menu:

9. Click the "Run Control Viewer" button from the Learn Tool menu bar. You might briefly see a
script window, and then in a minute or so the Control Viewer window appears. Now you have
three windows.
Note: The Learn Tool window is resizable.

10. In the Control Viewer window, press and hold your mouse over the Browse Tool square area
to the upper right. A magnifying glass icon appears, which is your control selection cursor.
While you hold your mouse down, move this cursor over to the location of the widget (GUI
field, or control) that you want to identify.
As you move the cursor, the control of the target application that is under the cursor displays
a red outline. Depending on how the application (PuTTY) was designed, the red outline might
refer to a single control or a group of controls.

a. If the specific control (here, the host name field) you are looking for is already outlined
in red, you would now skip the remainder of this step 10.

b. In this case, however, a group of controls is selected, and you have not (yet) been able
to identify the Host Name (or IP address) field itself.


i. To do this, now look at the additional characteristics for this specific control
highlighted in the line item in blue in the Controls list at the bottom of the
Control Viewer window. This list also identifies any subordinate controls
contained by that control. In this case, we want to identify the specific host
name control.

ii. Scroll that list to select the other controls in the list, one by one, until you
match the one you are searching for. When the selected control is outlined,
note (under the Control tab in the central Info group) what its full Instance
name (5) is: here, "[CLASS:Edit; INSTANCE:1]".

11. Now that you have identified the exact field that CA Privileged Access Manager needs to
populate, go back to finish using the Learn Tool Add Edit Tag window that you opened in step
8:

a. Select the entire Instance name (from open bracket to close bracket, inclusive), and
copy it in the Element Id field.

b. In the Value type field, select the "text" option. (The other two options are
"username" and "password", which refer to data that is supplied by CA Privileged
Access Manager during execution, and not embedded in the script.)

c. In the Value field, enter the IP address that you use to populate that PuTTY field.
Alternatively, you can specify a variable hostname by using Value type="host" (which
has a fixed Value="true"). In that case, the Device that is associated with the
secondary Target Account specified in policy is used. See also Element type
="Keystrokes" in step 14, in which a Target Account is also used to populate username
and password.

d. Click OK to insert the populated script command. It appears in the script body.

12. The second element in the PuTTY Configuration window you identify is the Open button (on
the same screen), which is used to execute the connection:

a. Use the Control Viewer procedure of step 10 to identify the Element Id for this button.

b. Once you have that ID, open the scripting tool that is appropriate for it – the "Mouse
click" tool – because that is how this PuTTY control is used. The AddMouse Click Tag
popup window appears.

c. We are using the first option, Click on the element. (The other option allows you to
specify a specific pixel location for the mouse click.) Enter the Element Id value that
you identified in step 12a into the Id field.

d. Click OK to insert the populated script command. It appears underneath the first
command you entered.

You have now specified the two elements that provide PuTTY a destination.

However, the point of the transparent login feature is to insert CA Privileged Access Manager-
supplied credentials transparently. Although the PuTTY application closes its configuration
window and opens a console for execution of the SSH connection, we can continue with the
same script to provide those credentials.
PuTTY opens its console and communicates with the target Linux Device. Doing this might
take some time, and we can account for it in the script:

13. Click the "Sleep" clock icon to open a new widget in which you enter a number of
milliseconds. As a rough estimate, you might want to provide, say, 1000. This allows PuTTY to
open and close its windows and be ready with the prompt it receives from its target device.
Now you can assume that your console window is ready with the first of its login prompts
from the target, for the username. The Learn Tool allows you to enter a script command that
recognizes the Target Account Account Name:

14. Select again the "Text input" tool, and this time set up the Add Edit Tag as shown, with Element
type="Keystrokes" (and then Element Id="window" by default) and Value type="username".
Click OK. The script command that is created grabs the Account Name from the Target
Account provided by CA Privileged Access Manager through your Policy specification (as
explained later in this procedure), and passes it along to the PuTTY target.

15. However, to submit the username to the OS then, you have to send a return command. That
is, the Enter key: Use the "Text input" tool as in the previous step, but this time set Value type
="text", and for Value, click your mouse inside its field and press the Enter key. The field then
displays the text: {ENTER}. Click OK to insert this tag.

16. Likewise, use the "Text input" tool to set a second command with Value type="password".
Remember before entering that command to insert another "wait" command using the
"Sleep" tool as already explained. You might need to experiment for the most efficient wait
times.
Save this TLC by clicking the (now-active) Save configuration floppy disk icon near the right
side.
Now you should be ready with your script. However, you might want first to test it to see that
it performs as expected. CA Privileged Access Manager provides this capability with the
"Debug" tool.

17. (Optional) To test your configuration, run the Debug tool. This feature executes the currently
staged TLC script while displaying debug-level messages in a console.

a. Click the "Debug" tool button to open the Run dialog window.

b. In the App path field, use the browse […] button to the right to specify the location of
the RDP Application executable.

c. Enter the Title that this (first) window has, so that Debug can locate it.

d. When credentials and destination must be supplied to execute script processing fully,
enter these in Username, Password, and Host.

e. When you are ready to run the debug program, click Run.
The Debug console appears.


i. The Debug program first checks each tag for syntax errors, providing feedback
in the console, under an initial "App #1" line label.

ii. When you bring the RDP Application window (manually) into focus, the Debug
program then executes the script. The sequence is labeled ("Try #1"), and then
feedback is provided for each tag.

iii. If a tag fails to execute successfully, the script is restarted and executes again.

18. (Optional) To improve security in confirming your target application, generate and copy the
SHA-1 digest for the RDP Application by using the Learn Tool's Get Application Fingerprint
feature. When configuring the RDP Application in CA Privileged Access Manager, copy this
value into the Application Fingerprint field.

19. Continue with Configure RDP Application (see page 210).

Reference

The Learn Tool features are described in the following tables.

Learn Tool: Menu Bar

View, Always on Top
    When selected, this feature keeps the Learn Tool window in front of all other windows, even
    when it is not in focus.
    The selection state is persistent: After logging off this Device and then logging in again, the
    option value (whether selected or unselected) remains the same.
    Default: Selected

Action, Clear cache
    Select to remove currently cached applications.
    When cache is set to "Enable" in Global Settings, Applet Customization, Transparent Login
    Cache, the Windows target caches the Transparent Login Agent (TLA), Learn Tool, and Control
    Viewer that are downloaded during connection from CA Privileged Access Manager when
    transparent login has been configured, provisioned, and activated. On subsequent connections
    to that Windows target, the load times for these applications are reduced.

Help, Learn Tool Help
    Opens the Compiled HTML (CHM) Learn Tool Help file, which contains detailed descriptions of
    the Learn Tool controls.

Help, About
    Identifies the Learn Tool application and build versions in a dialog window.

Learn Tool: XML Scripting Controls

One set of <window></window> tags brackets a single-level sequence of XML commands for CA
Privileged Access Manager to manipulate the windows of an RDP Application.
Each script control inserts a line containing one XML tag with attributes at the end of the
sequence, above the </window> tag.
You can copy-and-paste the XML tag lines as you would typically do in a text editing program, so
you can move the lines when and where needed.

Screen verification (Camera icon)
    Allows insertion of a tag that checks that a portion of the screen image of the transparent
    login application matches a screen capture saved previously, when the tag was created.
    Usage:
    1. After selection, the mouse cursor becomes a cross-hair, while the full screen area of the
       RDP window dims and becomes an active grid. Meanwhile, the Learn Tool window is hidden
       from the desktop so that it does not interfere with screen capture.
    2. Use the cross-hair cursor to define a rectangle that selects a portion of the RDP
       Application GUI to be compared to the same GUI during runtime.
    3. After mouse-up from the cursor, the dialog window Screen Capture Preview displays the
       comparison Screen capture and the Generated XML Tag to be inserted, using a PNG character
       representation.
    4. Click OK to insert this tag and show the Learn Tool window again.
    Note: Ensure that the image portion captured does not vary from application invocation to
    invocation, and matches whether the window is active or inactive, and so on.
    Example (truncated): <checkimg content="iVBORuu ... C6kYII=" />

Sleep (Clock icon)
    Allows insertion of a tag that pauses the script for a configurable number of milliseconds.
    Usage: Upon selection, opens the Add Sleep Time Tag pop-up window to specify the
    milliseconds, then inserts the tag at the end of the script.
    Example: <sleep time="500" />

Activate window (Duplicate windows icon)
    Allows insertion of a tag that places the named window into focus.
    Usage: Upon selection, inserts this tag at the end of the script.
    Example: <activate />

Mouse click (Mouse icon)
    Allows insertion of a <click> tag, which effects a mouse-click at a specified location:
    on a specified button as identified using the Control Viewer; or
    at the center of the target window; or
    at a location specified "x" pixels from the left and "y" pixels from the top of the target
    window.
    Example (button): <click id="[CLASS:TEdit; INSTANCE:2]" />
    Example (window center): <click pos="center" />
    Example (location): <click x="123" y="72" />

Text input (Page with pencil icon)
    Allows insertion of a tag that submits one of these data types:
    Edits a specified control (field, drop-down list, checkbox, radio button) so that it contains
    specified data (text, sequence value, Boolean value).
    Sends a text string, composed of literal value(s), keystroke shortcut(s) or label(s), or
    parameter(s) provided by CA Privileged Access Manager such as username or password.

    Element type "Text Field"
        Element Id: as determined through Control Viewer (see the example in the procedure above)
        Value type "text": Value is a string, to populate the field
        Value type "username", "password", or "host": Value is "true". For the specified Value
        type, TLA sends the Value attached to the User policy through the target account record.

    Element type "Combobox"
        Element Id: as determined through Control Viewer
        Value type "text": Value is a string, matching a (drop-down) list option
        Value type "index": Value is an integer, as specified to select the ordinal location of a
        (drop-down) list option

    Element type "Keystrokes"
        Element Id: "window" (or none)
        Value type "text": Value is, as specified, (a) strings, and (b) keystroke tags:
        (i) entered into the dialog field by typing just the named key; includes ENTER, ESCAPE
        and TAB, which appear as {ENTER}, {ESCAPE}, {TAB}; only one is permitted per XML tag.
        (ii) entered by typing the key sequence; for example, {F1} is entered by typing the four
        keys {, F, 1 and }.
        Value type "username", "password", or "host": Value is "true". For the specified Value
        type, TLA sends the Value in the Target Account chosen for the RDP Application specified
        in CA Privileged Access Manager policy.

    Element type "Checkbox"
        Element Id: as determined through Control Viewer
        Checked: "True" or "False"

    Element type "Radio Button"
        Element Id: as determined through Control Viewer
        Checked: "True"

    Example (using the "Text Field" and "text" options in the dialog): the following tag inserts
    the text string "123" (without quotes) into the ID-specified text field:
    <edit id="[CLASS:TEdit; INSTANCE:1]" text="123" />

Element Verification (Check mark icon)
    Allows insertion of a tag that confirms or denies existence of an element, and optionally that
    element in a specified state (for example, a text field containing a particular string).
    Element types: Text field | Combobox | Checkbox | Radio Button
    Element Id: Code identification of GUI feature obtained through Control Viewer.
    Value: Literal. Ranges: Checkbox and Radio Button: (only) "checked"
    Example: the following tag verifies that the radio button identified has been selected:
    <verify component="radiobutton" id="[CLASS:TRadioButton; INSTANCE:3]" />
    If the component is not confirmed, the TLC script halts.
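The Debug tool checks each tag of a TLC for syntax errors before running it. The following checker, added here as an illustration and not part of the product or its documentation, applies the rules stated in the reference above (a single-level sequence inside <window>, control ids of the form [CLASS:...; INSTANCE:n], one keystroke token per tag, a positive <sleep> time, exactly one <click> addressing mode, PNG content in <checkimg>) to a constructed PuTTY script; the Open button's control id and the target address are placeholders, and the assumption that a "Keystrokes" element is written as <edit id="window" ...> is mine.

```python
"""Constructed TLC syntax checker covering only the tag forms shown in the reference above."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# AutoIt-style control identifier as copied from the Control Viewer, e.g. "[CLASS:Edit; INSTANCE:1]"
CONTROL_ID = re.compile(r"^\[CLASS:[^;\]]+; INSTANCE:\d+\]$")
KEYSTROKE = re.compile(r"\{[A-Za-z0-9]+\}")  # token such as {ENTER}; one per tag is permitted
KNOWN_TAGS = {"edit", "click", "sleep", "activate", "checkimg", "verify"}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # <checkimg> content is a PNG image


def _check_control_id(tag, value, errors, where):
    """Record an error unless value looks like [CLASS:...; INSTANCE:n]."""
    if value is None:
        errors.append(f"{where}: <{tag}> needs an id attribute")
    elif not CONTROL_ID.match(value):
        errors.append(f"{where}: <{tag}> id {value!r} is not of the form [CLASS:...; INSTANCE:n]")


def validate_tlc(xml_text):
    """Return a list of readable errors; an empty list means the script passed."""
    errors = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "window":
        return [f"root element must be <window>, found <{root.tag}>"]
    _check_control_id("window", root.get("id"), errors, "window tag")
    for n, el in enumerate(root, start=1):
        where = f"tag #{n}"
        if el.tag not in KNOWN_TAGS:
            errors.append(f"{where}: unknown tag <{el.tag}>")
            continue
        if len(el):  # the reference describes a single-level sequence inside <window>
            errors.append(f"{where}: <{el.tag}> may not contain nested tags")
        if el.tag == "sleep":
            t = el.get("time", "")
            if not t.isdigit() or int(t) <= 0:
                errors.append(f"{where}: <sleep> time must be a positive integer, got {t!r}")
        elif el.tag == "click":
            # Exactly one addressing mode: a control id, pos="center", or x/y pixel offsets
            modes = [m for m in ("id", "pos", "x") if el.get(m) is not None]
            if len(modes) != 1:
                errors.append(f"{where}: <click> needs exactly one of id, pos, or x/y")
            elif modes == ["id"]:
                _check_control_id("click", el.get("id"), errors, where)
            elif modes == ["pos"] and el.get("pos") != "center":
                errors.append(f'{where}: <click pos> supports only "center"')
            elif modes == ["x"] and not (el.get("x").isdigit() and el.get("y", "").isdigit()):
                errors.append(f"{where}: <click> x and y must both be integer pixel offsets")
        elif el.tag == "edit":
            if el.get("id") != "window":  # assumed: "window" is the Keystrokes default Element Id
                _check_control_id("edit", el.get("id"), errors, where)
            text = el.get("text")
            if text is None:
                errors.append(f"{where}: <edit> needs a text attribute")
            elif len(KEYSTROKE.findall(text)) > 1:
                errors.append(f"{where}: only one keystroke token such as {{ENTER}} per tag")
        elif el.tag == "verify":
            if not el.get("component"):
                errors.append(f"{where}: <verify> needs a component attribute")
            _check_control_id("verify", el.get("id"), errors, where)
        elif el.tag == "checkimg":
            try:
                image = base64.b64decode(el.get("content", ""), validate=True)
            except binascii.Error:
                image = b""
            if not image.startswith(PNG_SIGNATURE):
                errors.append(f"{where}: <checkimg> content is not a base64-encoded PNG")
    return errors


# Constructed placeholder image: the PNG signature plus padding, not a real capture
CHECKIMG_CONTENT = base64.b64encode(PNG_SIGNATURE + b"\x00" * 8).decode()

# Constructed TLC following the PuTTY example procedure: fill the host field, check the
# screen, click Open, wait, send Enter. The Open button's control id and the address are
# placeholders, not values from the documentation.
SAMPLE_TLC = f"""<window id="[CLASS:PuTTYConfigBox; INSTANCE:1]">
  <activate />
  <edit id="[CLASS:Edit; INSTANCE:1]" text="192.0.2.10" />
  <checkimg content="{CHECKIMG_CONTENT}" />
  <click id="[CLASS:Button; INSTANCE:1]" />
  <sleep time="1000" />
  <edit id="window" text="{{ENTER}}" />
</window>"""

# Constructed script with one defect per line, to show what the checker reports
BAD_TLC = """<window id="PuTTYConfigBox">
  <sleep time="soon" />
  <click />
  <edit id="window" text="{TAB}{ENTER}" />
  <verify id="[CLASS:TRadioButton; INSTANCE:3]" />
  <checkimg content="not-base64!" />
  <typo />
</window>"""
```

validate_tlc(SAMPLE_TLC) returns an empty list, while validate_tlc(BAD_TLC) returns seven messages, one per defective line, in script order.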

Learn Tool: Utilities

Icon – Tooltip – Description

Page with magnifying glass – Run Control Viewer
Runs the third-party application bundled with the Learn Tool, AutoIt Control Viewer version 1.1.
This application can be used to determine the Element Id when needed in a script command. (No
other Control Viewer functions are needed for CA Privileged Access Manager use.)
Usage (to identify a control or widget): See example in steps 9-10 of the procedure above.
Usage (to identify a window name): To populate the <window id=""> XML tag (top line of the TLC):

1. From the Control Viewer window, in the Browse Tool box in the upper right, click your mouse
and hold it down to show the magnifying glass cursor.
2. While holding your mouse down, drag the cursor so that it is over your RDP Application
window title bar, then let your mouse up.
3. In the Control Viewer Info panel, Window tab, Class row, copy the text from its field. For
example, for PuTTY, Control Viewer might display "PuTTYConfigBox".
4. Paste the text from that field into the string below:
[CLASS:WindowID; INSTANCE:1]
substituting "WindowID" with your actual value.
5. Paste the entire revised string between the quote marks into the <window id="" /> tag on
the first line of your TLC.

Example: <window id="[CLASS:PuTTYConfigBox; INSTANCE:1]" />

Fingerprint – Get Application Fingerprint
Calculates and displays an application fingerprint for an RDP Application so that it can be used
during transparent login attempts.
Usage
1. Click this button to open the Get Application Fingerprint dialog window. Select the path
location of the application executable and a fingerprint string is generated and populated into
the Application Fingerprint field. Copy the full text string into the Ctrl-C buffer or a text file.
2. Paste the fingerprint into the corresponding Application Fingerprint field of a CA Privileged
Access Manager RDP Application record.
3. When CA Privileged Access Manager makes a transparent login attempt, it first checks this
stored fingerprint against one generated for the RDP Application discovered on the target RDP
server (Windows Device). If the fingerprints do not match, the attempt is canceled.

Play icon – Debug
Runs the TLC script currently staged in the Transparent Login Configuration panel (the main body
of the window).
Usage: See example in step 17 of the procedure above.
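The fingerprint check that the Get Application Fingerprint button and the transparent login attempt rely on can be reproduced outside the product. The following Python example is added here and is not CA code: it assumes the fingerprint is a plain SHA-1 digest of the executable's bytes (the Configure RDP Application procedure calls the pasted value a SHA-1 digest; the exact fingerprint string format is not documented on this page), builds two constructed stand-in executables, and shows that a one-byte change cancels the login while a blank fingerprint field skips the check.

```python
import hashlib
import hmac
import os
import tempfile


def fingerprint_bytes(data: bytes) -> str:
    """Hex SHA-1 digest of in-memory data (handy for small samples and tests)."""
    return hashlib.sha1(data).hexdigest()


def compute_fingerprint(path: str, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-1 digest of the executable at `path`, streamed so that large
    binaries are not read into memory at once.
    Assumption: the fingerprint is a plain SHA-1 over the file bytes; the
    product's exact fingerprint string format is not given on this page."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def transparent_login_allowed(stored_fingerprint: str, discovered_exe: str) -> bool:
    """Mirror the pre-login check: an empty stored fingerprint means the optional
    field was left blank (no check); otherwise a mismatch cancels the attempt.
    hmac.compare_digest avoids leaking how many leading characters matched."""
    if not stored_fingerprint.strip():
        return True
    expected = stored_fingerprint.strip().lower()
    actual = compute_fingerprint(discovered_exe)
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    """Constructed sample: a stand-in 'putty.exe' and a one-byte-different copy."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "putty.exe")
        tampered = os.path.join(d, "putty-modified.exe")
        with open(good, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary")
        with open(tampered, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary!")
        stored = compute_fingerprint(good)   # the value the admin pastes into the record
        return {
            "stored": stored,
            "original_allowed": transparent_login_allowed(stored, good),
            "modified_allowed": transparent_login_allowed(stored, tampered),
            "no_fingerprint_allowed": transparent_login_allowed("", tampered),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The empty-field branch matters operationally: step 9 of the RDP Application procedure marks the fingerprint as optional, so an unset field silently disables the integrity check rather than failing closed.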

Learn Tool: File Controls

Icon – Tooltip – Description

Drop-down list (configuration name) – Filter by name
Displays the name of the configuration staged in the Transparent Login Configuration field (the
'body' of the window).

Drop-down list (configuration list)
This drop-down list lists transparent login configurations, either:
(a) all staged in the Learn Tool
(b) filtered by name (string) entered
When the Learn Tool is launched following an RDP connection, these configurations are copied from
the full set managed in CA Privileged Access Manager Services, RDP Applications, Transparent Login
Configs. The initial set of configurations can include several configuration samples (for example,
for PuTTY or WinSCP) corresponding to recent versions of those applications.

Page with plus sign – Add new configuration
1. Opens a dialog window into which you can enter the name for a new configuration.
2. Upon clicking OK, the Learn Tool body is cleared (to <window> tags), a new config file is
created on CA Privileged Access Manager with that name, and the name is loaded into the
drop-down field.
3. Upon creation of new XML tags, the name is marked with a preceding asterisk, indicating
unsaved changes.

Duplicate pages – Copy configuration
1. While a configuration file is staged, this button opens a dialog window into which you can
enter the name for a new configuration.
2. The content of the first configuration is then copied into the new configuration (so it
appears in the Learn Tool GUI as if only the name has changed). You can then edit and save
to that new file.

Page with X – Remove configuration
1. Opens a dialog window for confirmation.
2. Upon selection, removes the currently staged configuration from the Learn Tool and the file
from CA Privileged Access Manager.

Floppy disk (inactive: gray; active: blue) – Save configuration
When active, saves the currently displayed configuration to CA Privileged Access Manager.

Floppy disks (inactive: gray; active: blue) – Save all changes
When active, saves all configurations staged in the Learn Tool drop-down (that differ from
currently saved versions) to CA Privileged Access Manager.

Cycle arrow – Refresh all
Loads all currently saved CA Privileged Access Manager TLCs into Learn Tool. If there are unsaved
configurations in the Learn Tool, they are erased.

Configure RDP Application


After using Learn Mode as described in the previous section, you have a transparent login
configuration in CA Privileged Access Manager that you can apply to the RDP Application you are
targeting.

1. Navigate to Services, RDP Applications.

2. Near the top-right of the page, click the Transparent Login Configs link to open the shadow
page Manage Transparent Login Configs.
Here you can confirm that the configuration you created with the Learn Tool is now available
for use.

3. Select the line item for your configuration, and confirm that it is as created in the Learn Tool.
Alternatively, you can create a configuration file from scratch by clicking the Create
Transparent Login Config link to open a blank template and populating it. Configuration files
are not dependent on creation with the Learn Tool.

4. Close this window to return to RDP Applications.

5. In the upper right, click the Create RDP Application link to open a blank template.

6. Fill in an RDP App Name that is helpful to your Users when they access the link from their
Access pages.

7. In Launch Path, provide the Windows pathname for the local target drive location of the
application.

8. In the Administration panel, select the Transparent Login checkbox to open the Transparent
Login panel below.

9. (Optional) In the Application Fingerprint field, paste the SHA-1 digest you generated while
using the Learn Tool.

10. Click Add Window. This opens a new line item that identifies the window of this RDP
Application that is used to execute a transparent login. After CA Privileged Access Manager
identifies the title of the designated window, it executes the associated configuration to
perform transparent login, or other behavior requiring credentials supplied by CA Privileged
Access Manager.

a. Enter the Window Title that is displayed in the RDP Application GUI.

b. From a drop-down list of currently managed transparent login configuration files
(revealed in Step 2 above), select an appropriate configuration in the Transparent
Login Config field.

c. If you want this configuration to be available to the User during any RDP session (with
access to the Windows shell) to this target Device, and not specifically during a session
to this RDP Application, select the RDP Session checkbox.

d. You can create more line items using Add Window if you want to assign more
transparent login configurations using this RDP Application. (For example, using PuTTY,
you might specify alternate targets or a different login parameter.)

11. Click Save.

12. Edit the CA Privileged Access Manager Device record for the Windows RDP server so that it
uses this RDP Application, now listed under Services.

13. Continue with Activate Policy.

Activate Policy
Because transparent login involves two or more sets of credentials, the CA Privileged Access Manager
Policy template now lets you select the multiple credential pairs for each RDP Application
permitted: first, the credentials to access the RDP Application (in the example, "PuTTY"), and then
any additional credentials needed for the secondary login ("PuTTY Configuration") to the secondary
target device (here, the Linux target).

Finally, in addition to your Service and Account provisioning, during policy preparation you must
select the Enabled checkbox in the Transparent Login panel at the bottom of the Policy template.
(This option is provided so that the transparent login feature for this policy can be easily switched on
or off without extensive reconfiguration of Service applications and credentials.)

Caching
Depending on your security needs, and after using the Learn Tool and testing transparent login
configurations, you might want to enable the Transparent Login Cache. This feature caches the Learn
Tool (when used), the Transparent Login Agent, and the Control Viewer (when Learn Tool is used) on
the RDP server so that they do not need to be loaded (onto a temporary local drive) during each login
at that Device, thus reducing application startup time.
Configuration

To turn on caching, set Global Settings, Applet Customization, Transparent Login Cache = "Enable".
Usage

During login at a particular target, you see confirmation of the caching storage in the RDP
initialization console of each application cached.

User Experience
Script windows and the application interface are displayed briefly as the automation proceeds, and
stops showing changes when the script completes.

Following selection of the RDP Application link PuTTY, the user sees this sequence following login at
the RDP server host:

1. The console for the RDP session initialization appears.

2. The console for the transparent login agent (TLA) that is running on the local virtual drive
appears.

3. The RDP Application (PuTTY) is invoked, and (in this case) a configuration GUI is auto
populated and activated by the transparent login script, eventually invoking a second
interface (the PuTTY console).

4. The RDP Application (PuTTY) invokes a new window (the console interface), and is auto
populated by the continuing transparent login script. After the script completes, the console
interface is ready for User access.

Auditing

Logs
CA Privileged Access Manager logs each access attempt, for example:
2016-03-11 01:16:27 super login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP
Application "putty.exe" to "PuTTY Configuration" window as "dev"
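For a monitoring pipeline, the audit line above can be parsed into fields and reviewed. The following Python example is added here and is not part of CA Privileged Access Manager: the regular expression treats the text between "login" and "user transparently" as the Device label, which is this example's assumption about where the Device name ends; every log line except the first is constructed for the demo, as is the watch list of secondary account names.

```python
import re
from collections import Counter

# Pattern for the transparent-login audit line quoted above. Assumption: the
# text between "login" and "user transparently" is the Device label; the page
# does not state where the Device name ends, so that boundary is a guess.
TL_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<user>\S+) login (?P<device>.+?) user transparently logged into "
    r'RDP Application "(?P<app>[^"]+)" to "(?P<window>[^"]+)" window as "(?P<account>[^"]+)"$'
)

# The first line is the page's own example; the others are constructed.
SAMPLE_LOG = """\
2016-03-11 01:16:27 super login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY Configuration" window as "dev"
2016-03-11 01:20:05 alice login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY Configuration" window as "root"
2016-03-11 01:21:40 alice login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "winscp.exe" to "WinSCP Login" window as "dev"
2016-03-11 01:22:00 alice logged in from 10.0.0.5
"""


def parse_line(line: str):
    """Return the fields of a transparent-login event, or None for other lines."""
    m = TL_LOGIN.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> list:
    """All transparent-login events in a block of log text, in file order."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def review(events: list, watched_accounts=frozenset({"root", "Administrator"})) -> dict:
    """Summaries a defender wants from this log: which User logged in to which
    application as which secondary account, and which events used an account
    on the (constructed) watch list."""
    per_pair = Counter((e["user"], e["app"], e["account"]) for e in events)
    flagged = [e for e in events if e["account"] in watched_accounts]
    return {"events": len(events), "per_pair": per_pair, "flagged": flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e)
    print(review(evs))
```

The secondary account name is the field worth alerting on: the User's own identity is already enforced by CA Privileged Access Manager policy, but the account that the TLC types into the target application is what ends up in the target's own logs.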

Session Recording
A session recording marks the location of the secondary transparent login attempt. For RDP
connections to Windows, these are marked in the Events list and by a red arrow on the timeline. You
can see event detail as a tooltip from the line item in the Events list, and in the Info box at the lower
left and in a pop-up window during cross-over on the timeline.

For transparent login activity to be successfully recorded when the User has Internet Explorer, the
administrator must configure all equivalent CA Privileged Access Manager addresses. For example, a
cluster VIP name and VIP address in the browser security settings. See Set Up Session Recording (
https://docops.ca.com/display/CAPAM28/Set+Up+Session+Recording).

Set Up the AWS API Proxy


The AWS API Proxy provides CA Privileged Access Manager security restrictions for AWS API access.
The proxy is available for deployment in AWS AMI format.

Note: To use the AWS API Proxy, obtain CA Privileged Access Manager licensing to support
the required number of proxy users. Contact your CA Account Representative for more
information.

Important! If you use both the VMware NSX API Proxy and AWS API Proxy, each proxy
must be on a different subnet.

To use the AWS API Proxy 2.1, enable it on the CA Privileged Access Manager appliance.

Follow these steps:

1. Navigate to the Credential Manager menu, and select A2A, Mappings.

a. Find the map between the AWS API Proxy Access Accounts and AWS API Proxy Clients.

b. Select the following checkboxes as noted: Check Execution User ID, Uncheck Execution
Path, and Uncheck File Path.

c. Save the mapping.

2. Go to the Policy, Manage Policy page. Delete all the password view options between the
xceedium.aws.amazon.com (http://xceedium.aws.amazon.com) and the AWS API proxy users.
Leave the actual AWS API Proxy service as it was. If the user did not have an AWS API Proxy
service defined, you can delete the policy instead.

3. Delete all target accounts belonging to the target application AWS API Proxy Access Credential
accounts.
The CA Privileged Access Manager database is now ready for use with proxies.

4. Navigate in the Credential Manager GUI to Groups, User Groups. Click Add and create a group
with the following values:

Name – AWS Proxy Accessors

Description – Promote or demote users to be able to add or delete Proxy target accounts

Role – TargetAdmin

Target Group – AWS API Proxy Access Accounts

As each AWS API Proxy assigned User logs in, they find on their landing page (or Access page) that
they have a drop-down list letting them view a password to use the proxy. After they view the
password, the account will be created and reused.

The AWS API Proxy privilege can now be assigned to User Groups and to individual Users. If you
assign the privilege at a group level, each User in the group has their own proxy target account
created the first time they log in and attempt to view the password. The number of users is limited to
the number of licensed users.

Provisioning Users
Each person accessing resources through CA Privileged Access Manager must have a User account.
User accounts can be established in two ways:

Created manually and individually using the GUI template.

Imported as a set of records in a CSV file, and created automatically as a group.


About Users (see page 214)
About User Roles (see page 215)
User Setup (see page 217)
User Group Setup (see page 224)
User / User Group management (see page 234)
User viewing (see page 236)

About Users
A User embodies a specific login account representing a person with privileges on CA Privileged
Access Manager. Every login account constitutes a User. Users are displayed, defined, and otherwise
managed through the Users menu on the CA Privileged Access Manager Administration menu bar.

Note

"User" (with a capital "U") is used in documentation to refer to a managed object or
account in CA Privileged Access Manager, and to distinguish it from the actual person
("user") who uses this account.

User Types
Privileges and Roles
Each User must be represented by at least one role attribute. A role is a set of access privileges. Each
privilege allows the User to perform certain functions on CA Privileged Access Manager. A set of
predefined roles is provided with the basic installation.

End Users
An "end user" is a CA Privileged Access Manager User whose sole activity is to exercise CA Privileged
Access Manager Device access or CA Privileged Access Manager Device Target Account password
viewing. This User has a predefined role of Standard User, which is assigned by default when the User
template is used to create an account. All end user activity is performed on the Access page (which is
unlabeled). These Users have no access to the Admin menu.

Note

The privileges of a Standard User are not a subset of all other predefined roles. In other
words, there are administrator roles that do not allow access or password viewing.

Administrators
A CA Privileged Access Manager "administrator" is a User who can exercise privileges beyond
Standard User privileges. As a result, an administrator sees a full or partial Admin menu, or has access
to the Config menu.


config, super
Two administrator accounts are predefined on CA Privileged Access Manager to allow initial
configuration and operation: config and super. These names can be changed, but always constitute
the two baseline CA Privileged Access Manager User accounts, and have certain special privileges and
characteristics.

config has access only to the Config menu, including the Change Password menu, and is the
only account with access to that menu. The privileges of this account differ from those
assigned to the Configuration Administrator role. "config" gains access solely through the
/config/ directory, and is the only account to do so. "config" does not appear in the Users
list (on the Manage Users page).

super has a predefined role of Global Administrator. It can be renamed but cannot be deleted.
"super" appears in the Users list.

Grouping
CA Privileged Access Manager User Groups – These objects provide for the inheritance of User
attributes from the group to its members.

Note

CA Privileged Access Manager User Groups are distinct from Credential Manager User
Groups.

About User Roles


Each CA Privileged Access Manager Role is a collection of Privileges. To perform operations, each
User must be assigned one or more Roles.

Role Types
Access: Users, Manage Roles
Credential Manager only: Policy, Manage Passwords, Users, Roles

Important

Any User who is to have Credential Manager privileges – administering or viewing
passwords – must be assigned a previously provisioned Credential Manager Group before that
User account can be successfully created.

The preconfigured Access Roles with Credential Manager privileges are:


Global Administrator

Operational Administrator

Password Manager

The Credential Manager Group is then assigned to a User account through the PM Groups setting.
This setting appears in an expansion pane upon your selection of an Access Role with Credential
Manager privileges.

CA Privileged Access Manager is preconfigured with the provisioned Credential Manager Group
"System Admin Group". This might appropriately be used to provision a Global Administrator using
the PM Groups setting.

User Role Cases


Expanded User Privilege Assignment Under Restricted Administration
CA Privileged Access Manager administrators with less than a Global Administrator role were once
restricted from creating or updating Users beyond Standard User or Monitor roles. Administrators
could not then update their own profile, or that of any other User, with privileges higher than their
own. This feature is named "restricted administration."

Terminology

Earlier implementations of restricted administration have also been known as "delegated
administration." However, this feature name can easily be confused with the unrelated
Delegated Administrator role. CA Privileged Access Manager documentation no longer uses
the term "delegated administration."

Restricted administration is now fine-tuned to allow full assignment of any set of privileges less than
one's own. An administrator below a Global Administrator can assign pre-set or custom roles other
than Standard User or Monitor, up to and including its own privileges. Conversely, restricted
administration prevents the assignment of roles, groups, and other objects that overstep the
applicable privileges.

CA Privileged Access Manager Provisioning Expanded User Privilege Assignment


Assume that your organization has a population of Devices that are maintained in two geographical
or network locations or regions. For each region, you want to assign an administrator with Delegated
Administrator privileges to manage only its own Users and Devices. Meanwhile, a User Group is
assigned the Device/Group Manager role to manage all Devices in both regions.

The options available to one of these two administrators when creating a User are then restricted.
The Delegated Administrator role permits the required privileges within the User/Device scope. The
Available Roles for this new User are therefore the "Delegated Administrator", its components
("Device/Group Manager", "Policy Manager", and "User/Group Manager"), and the typical "Standard
User" (assuming this administrator also performs Device or credentials access activities).


Meanwhile, the Available Groups list identifies all User Groups that exist on this CA Privileged Access
Manager appliance. The "DeviceManagers" group is dimmed: it allows management of all Devices
rather than only those managed by this administrator, and because choosing it would effectively
grant elevated privileges, it cannot be selected.
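The rule behind restricted administration can be stated as set containment: a role or group is assignable only if every privilege (and every Device scope) it grants is already held by the administrator doing the assigning. The following Python example is added here to illustrate the two-region scenario above and is not CA code. The role names and the "DeviceManagers" group are the page's; the privilege names inside each role (other than "credentialsManage"), the two regions, and the "EastUsers" group are constructed for the example.

```python
from typing import Dict, FrozenSet, Iterable, List

# Role names are the page's. The privilege names inside them are constructed
# for this example (the page names only "credentialsManage").
ROLE_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "Standard User":           frozenset({"deviceAccess", "passwordView"}),
    "Device/Group Manager":    frozenset({"deviceManage"}),
    "Policy Manager":          frozenset({"policyManage"}),
    "User/Group Manager":      frozenset({"userManage"}),
    "Delegated Administrator": frozenset({"deviceManage", "policyManage", "userManage"}),
    "Password Manager":        frozenset({"credentialsManage"}),
    "Global Administrator":    frozenset({"deviceAccess", "passwordView", "deviceManage",
                                          "policyManage", "userManage",
                                          "credentialsManage", "applianceConfig"}),
}

# User Groups carry roles plus a Device scope: which regions' Devices they
# manage. "DeviceManagers" is the page's group; "EastUsers" and the region
# names are constructed.
USER_GROUPS = {
    "DeviceManagers": {"roles": ["Device/Group Manager"],
                       "device_scope": frozenset({"east", "west"})},
    "EastUsers":      {"roles": ["Standard User"],
                       "device_scope": frozenset({"east"})},
}


def effective_privileges(roles: Iterable[str]) -> FrozenSet[str]:
    """Union of the privilege sets of the given roles."""
    out = set()
    for r in roles:
        out |= ROLE_PRIVILEGES[r]
    return frozenset(out)


def assignable_roles(admin_roles: Iterable[str]) -> List[str]:
    """Roles the administrator may give to another User: every privilege in
    the role must already be held by the administrator."""
    own = effective_privileges(admin_roles)
    return sorted(r for r, p in ROLE_PRIVILEGES.items() if p <= own)


def can_assign_roles(admin_roles: Iterable[str], requested_roles: Iterable[str]) -> bool:
    """Combined check for a whole role selection (privileges may not overstep)."""
    return effective_privileges(requested_roles) <= effective_privileges(admin_roles)


def assignable_groups(admin_roles: Iterable[str], admin_scope: FrozenSet[str]) -> List[str]:
    """A User Group is selectable only if both its roles and its Device scope
    stay within the administrator's own; otherwise the GUI dims it."""
    own = effective_privileges(admin_roles)
    return sorted(
        name for name, g in USER_GROUPS.items()
        if effective_privileges(g["roles"]) <= own and g["device_scope"] <= admin_scope
    )


if __name__ == "__main__":
    east_admin = ["Delegated Administrator", "Standard User"]
    print(assignable_roles(east_admin))
    print(assignable_groups(east_admin, frozenset({"east"})))
```

With the east-region Delegated Administrator as the acting administrator, the assignable roles come out exactly as the scenario lists them (the Delegated Administrator, its three components, and Standard User), "Password Manager" and "Global Administrator" are withheld because they carry a privilege the administrator lacks, and "DeviceManagers" is withheld on scope even though its role is within the administrator's privileges.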

User Setup
As a CA Privileged Access Manager Administrator, you follow these procedures to create or edit Users
(User records). Several methods are available for creating Users.

Using the Template


The primary way to create a User account is manually using a template in the GUI.

Open the Template


Follow these steps to open the User Template:

1. Log in as an appropriate administrator, such as "super", and select: Menu bar: Users, Manage
Users.
The current (empty) User list appears below the Menu Bar.

2. In the upper right, to the left of the Search box, click Create User.
A User account creation template appears in the list window.

3. In the Basic Info and Contact Info panes, fill in (at least) the required fields (Username,
Keyboard Layout, Firstname, Lastname, Password, Re-Password, email) marked in red.

4. Fill in other fields as described in the accompanying chart:

Field – Description

Buttons available when Creating or Editing a User record:
Save – Create or update, and close, the current User record. Settings are effective immediately.
Cancel – Close the current User record without saving it. Any changes that are entered are
discarded; if the record is new, it also is discarded.

Buttons available (only) when Editing a User record:
Delete – Remove the User record.
Note: This differs from Account Status: Disabled, in which the account record is preserved.
Manage Policy – Navigate to the Policy page, populating the User(Group) field there with the
current Username.
Note: Any changes that are made to the User record are lost upon selecting this button.
View Policy – Display a list of Devices and the associated policies that are currently active for
this User. Known as Effective Policy, this list includes policy that is inherited by this user from
User Groups.

Basic Info
Username (Required) – Enter the Username that is presented at login. This name is referenced in
configuring user access policy and appears in logs and recordings to provide a means of
identifying specific user activities.
Permitted characters include: "A-Z", "a-z", "0-9", "-", "_", " " (alphabet, upper and lower case;
numerical digits; dash; underscore; space).
Keyboard Layout (Required) – The type of character set mapping to keyboard.
Default: EN-US – U.S. English standard keyboard layout
Firstname (Required) – Specify a first name.
Lastname (Required) – Specify a last name.
Password (Required) – Select the Password used for the initial log in. The user is automatically
forced to change the password at first connection. The password strength can be set under the
configuration tab.
Re-Password (confirm) (Required) – Retype the password for confirmation.
RDP Username – Used by the RDP applet as the credentials for access to a remote Windows device.
Mainframe Display Name – Display Name used by the AS/400 applets TN5250 and TN5250SSL.
Description – Specify any optional information pertaining to this user.

Contact Info
Phone – Specify a telephone number.
Cell Phone – Specify a cellular telephone number.
Email (Required) – Specify an email address.

Administration
Authentication – Select an authentication method:
Local: Authentication data (password) stored inside CA Privileged Access Manager
RADIUS: Authentication to a RADIUS server
RSA: Authentication with RSA SecurID
Account Status – Enable or Disable the user account.
Activate Account – Set time frame windows when user is allowed to access the system.
Now – User account is activated once it is created.
Later – Set user account activation date and time.
Terminate Session Upon Deactivation – Specify whether a User login and all current sessions are
to be terminated if that user account reaches expiration date/time or exceeds the violation limit.
Note: If this checkbox is selected and a user account gets deactivated while that user is logged
in to CA Privileged Access Manager, the session is terminated.
Account Expiration – Set date at which account is permanently deactivated.
Email on Login – CA Privileged Access Manager (administration) user account to which an email
notice is sent whenever the current account logs in.
Email Self on Login – Send email to email account in Contact Info whenever current account logs
in to CA Privileged Access Manager.

Roles
Available Roles – Select the Access Roles (indicated in the drop-down list) for which this user
should have authorization.
Important: Do not assign any User solely the role "Password Manager." That role does not contain
sufficient privileges for CA Privileged Access Manager access. Instead, keep the default role
Standard User – and then add Password Manager too – when you intend to allow only password
management privileges.
Roles are defined in terms of privilege sets specified per role as identified in Users, Manage
Roles. A set of about 15 roles is preset at installation, while other, user-defined, roles might
have been added in Manage Roles.
User roles – "Standard User" (for the Access page) is the default set for a new user. The user
roles that are specified allow for configuration and administration of various functional
components of CA Privileged Access Manager. A Role can be removed (made unassigned) by clicking
the name of the role.
PM Groups – Appears, and is required, only when roles are selected with password managing
capacities.
Available Groups – If the above-selected Role is related to credential management: provides a
drop-down list of the Password Management User Groups available that are applicable to the
selected Role.

Access Time
Rules are listed and numbered as line items that specify access permissions per calendar week.
To specify a rule: Identify the Access Days and Times (From, To) during which this User can log in
to CA Privileged Access Manager during a calendar week.
Add Rules – Button that expands the current User specification window, providing the two widgets
here for access time rules specification.
Access Days – Select one or more days for which the User is permitted access.
From _ To _ – Select a time range within the Access Days that are specified during which the User
is permitted access.

Groups
Available Groups – Select groups for which the user is to be made a member (after Save). The group
policy is applied to the user.

17-Feb-2017 219/416
CA Privileged Access Manager - 2.8

Alternate Navigation to Template


Edit a User from a Policy Record
An administrator can edit a User record by invoking it directly from the Manage Policies page.

1. Open the Policy, Manage Policies page.

2. Populate the User (Group) field with a record name.

3. Double-click the name to display its editing template in a shadow box window. (The shadow
box fills the page – click Cancel to return to the Manage Policies page.)

4. When finished, click Save (or Cancel) to return to the Manage Policies page.

Access Time (Pane)


This pane allows configuration of the time periods (or windows) during which users can log in to CA
Privileged Access Manager. User windows are defined by "rules." To delete a rule, select the Add
Rules link and Add New Rule for the user.

Use the Access Time Table to create any time-based access restrictions. When the group is created,
any existing users can be chosen to be members. After the group is created, Users can be added to
the appropriate group. Notes about the group can be entered into the description field.

Note

CA Technologies User Groups are not available for Active Directory or other directory users.
Instead, users should be grouped in the directory and the attribute that is read by CA
Privileged Access Manager. Setting policies for directory users is done at the group level.

Username
For Users accessing AWS: Usernames are required to be from 2 through 32 characters long,
inclusive, due to restrictions on federated users within AWS.
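A quick pre-check of proposed Usernames against the permitted character set in the User template (letters, digits, dash, underscore, space) and the AWS length limit above, as an added Python example that is not CA code; the function names are this example's own.

```python
import re

# Permitted characters per the Username field description:
# letters (upper and lower case), digits, dash, underscore, space.
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9_\- ]")
USERNAME_RE = re.compile(r"[A-Za-z0-9_\- ]+")
# Limit for Users who access AWS (federated-user restriction noted above).
AWS_MIN_LEN, AWS_MAX_LEN = 2, 32


def validate_username(name: str, accesses_aws: bool = False) -> list:
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not name:
        return ["username is empty"]
    if not USERNAME_RE.fullmatch(name):
        bad = sorted({c for c in name if not ALLOWED_CHAR.fullmatch(c)})
        problems.append("disallowed character(s): " + " ".join(repr(c) for c in bad))
    if accesses_aws and not (AWS_MIN_LEN <= len(name) <= AWS_MAX_LEN):
        problems.append(
            f"AWS users need {AWS_MIN_LEN}-{AWS_MAX_LEN} characters, got {len(name)}")
    return problems


def check_batch(names, accesses_aws: bool = False) -> dict:
    """Validate many names at once (for example before a CSV import);
    returns name -> list of problems."""
    return {n: validate_username(n, accesses_aws) for n in names}


if __name__ == "__main__":
    for name, probs in check_batch(["dev_ops-1", "alice@example.com", "a"], True).items():
        print(f"{name!r}: {probs or 'ok'}")
```

A name such as "alice@example.com" is rejected on characters alone, so e-mail style identifiers belong in the Email field, not in Username.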

Authentication

Local
Local User accounts are hosted in the CA Privileged Access Manager database, and are authenticated
by testing the submitted User and Password against that database.
Local Users must be created under the Create User menu. Fields that are highlighted in red are
required.

In the Authentication drop-down list in the Administration pane, select Local.


RADIUS
RADIUS users are similar to Local Users with the exception that the password is not stored locally.
When a User logs on, the login Password is sent to the RADIUS server for approval. That is because
the User presents RADIUS credentials as provisioned by the RADIUS server. The User is not prompted
to change passwords in the local CA Privileged Access Manager environment. If a RADIUS User is
provisioned through LDAP, that user authenticates against a RADIUS server.

Prerequisite: To execute authentication, RADIUS server parameters must be set in Config, 3rd Party.
See RADIUS or TACACS+ (see page 40) for instructions.

1. In the Authentication drop-down list in the Administration pane, select RADIUS.

2. Select PAP or CHAP.

RSA SecurID
RSA SecurID users log in with a User and Passcode that includes the concatenated sequence:
PINtokencode where the PIN is your memorized personal identification number, and the tokencode is
the current readout from your SecurID device (fob).
Example: If your PIN = 3425 and the current readout from your SecurID fob = 866329, the Passcode
you enter (for that point in time) would be these ten digits: 3425866329

Smartcard/PKI
Smartcards use certificates to authenticate users. CA Privileged Access Manager checks the user
certificate against an OCSP server, or a current Certificate Revocation List (CRL). The smartcard
parameters must be set in the https://XsuiteIPaddr/config/ screens under the Security tab.
The first time that a smartcard user accesses CA Privileged Access Manager, the Designated Name
and User account is registered, and the Username appears in the Approve CAC User tab. This User
must be approved before device access can be assigned.

Roles
Each Access Role is a collection of (Access-defined) Privileges. To perform Access operations, each
User must be assigned one or more Roles.

Available Roles
During the creation or edit of a User record, the CA Privileged Access Manager administrator specifies
one or more Roles using the Available Roles drop-down list. This menu presents all Roles that are
currently defined, including a set of 16 Predefined Roles (identified in the next section). By default,
the Create User template is prepopulated with a Predefined Role: Standard User (allowing device
access). In addition, the User can inherit Roles from Groups in which the User is a member.

Roles are defined preliminary to User creation. See Appliance Configuration, Master Settings, User
Roles.


Credential Manager Roles


There are three Access Roles that include the "credentialsManage" privilege. This privilege allows
access to the Credential Manager menu (through the Policy, Manage Passwords selection).
A Credential Manager User Group needs to be specified to determine the scope of menu access. This
is done by using the expansion pane PM Groups, which appears upon selection.

Using CSV Import/Export


A template is provided to create an interpretable User data file for CA Privileged Access Manager.
Create a file from the template, and fill in settings according to the field requirements described in
Using the Template.

Configure Internet Explorer


To use the Import/Export functions with Internet Explorer (IE), changes might need to be made to the
security settings. To establish the necessary settings:

1. Open IE browser.

2. Select Tools, Internet Options.

3. In the Internet Options pop-up window, select the Security tab.

a. Select the slider zone

b. Click Custom level. Scroll to Downloads. For File download, select the Enable option.

4. Click OK to save changes.

Import Users
1. Select Menu bar: Users, Import/Export Users
The Import/Export Users page appears.

2. In the Import Users from CSV file panel, click Download Sample File, and save the file.

3. Create a CSV file based on the downloaded template. Refer to the table for instructions and
information about the fields.
CSV Format

Do not change the heading (first) row text.

Password field indicates a single-use password that must be changed upon first login
following database update.

New User records:

Not all fields are required. Required fields include: Username, Firstname, Lastname,
Password, Email


For any fields not used: Preserve all headings on the first row, but leave cells below
blank.

Updates to existing User records:

Current passwords can be maintained by using six asterisks, ******. (Otherwise,
passwords must be updated.)

Each User Group is represented by a line record with Type="user group".

User Group records should be at the top of the file, ahead of all User records.

User membership in a User Group is indicated in the Group Membership column.

As it is for individual Users, an Authentication option can be applied to a User Group:


Each User signs on by selecting the relevant option from the dropdown box on the CA
Privileged Access Manager login page.
To have RSA present in the list of Authentication Types, the relevant RSA SecurID
server must first be configured.

4. In the Import Users from CSV file panel, Browse to select the file, and click Import Users.
The records in the file are added to the existing User database; they do not replace it.

5. Navigate to Users, Manage Users, and confirm that the import was successful by inspecting
the User list.
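As an added example (not code from the product or from the CA documentation), the following Python script checks a prepared import file against the rules listed above before it is uploaded: the heading row, the required fields for new User records, the ****** convention for existing Users, and the placement of User Group records ahead of User records. The column headings, the "user" Type value, and the ";" separator for several groups in one cell are assumptions of this example; take the real headings from the sample file downloaded in step 2. The sample file inside the script is constructed for illustration.

```python
import csv
import io

# Column headings assumed for this example. The authoritative headings are the
# ones in the sample file downloaded from Users, Import/Export Users; the
# heading row must never be edited.
REQUIRED_HEADINGS = ("Type", "Username", "Firstname", "Lastname", "Password",
                     "Email", "Authentication", "Group Membership")
REQUIRED_FOR_NEW_USER = ("Username", "Firstname", "Lastname", "Password", "Email")
KEEP_PASSWORD = "******"      # six asterisks: keep the existing user's current password
GROUP_TYPE = "user group"     # Type value that marks a User Group record


def _cell(row, key):
    return (row.get(key) or "").strip()


def validate_user_csv(text, existing_users=(), existing_groups=()):
    """Check an import file against the rules above and return a list of
    problems (an empty list means the file is acceptable). existing_users and
    existing_groups are the names already on the appliance, so that update
    rows can be told apart from new-user rows."""
    reader = csv.DictReader(io.StringIO(text))
    headings = reader.fieldnames or []
    missing = [h for h in REQUIRED_HEADINGS if h not in headings]
    if missing:
        return ["heading row is missing column(s): " + ", ".join(missing)]

    problems = []
    known_groups = set(existing_groups)
    existing = set(existing_users)
    seen_user = False
    for lineno, row in enumerate(reader, start=2):      # line 1 is the heading row
        name = _cell(row, "Username")
        if _cell(row, "Type").lower() == GROUP_TYPE:
            if seen_user:
                problems.append(f"line {lineno}: group '{name}' must precede all User records")
            if not name:
                problems.append(f"line {lineno}: User Group record has no Username")
            known_groups.add(name)
            continue

        seen_user = True
        if not name:
            problems.append(f"line {lineno}: User record has no Username")
            continue
        password = _cell(row, "Password")
        if name in existing:
            # update: ****** keeps the current password, any other value replaces it
            if not password:
                problems.append(f"line {lineno}: update for '{name}' needs a Password or {KEEP_PASSWORD}")
        else:
            empty = [f for f in REQUIRED_FOR_NEW_USER if not _cell(row, f)]
            if empty:
                problems.append(f"line {lineno}: new user '{name}' is missing " + ", ".join(empty))
            if password == KEEP_PASSWORD:
                problems.append(f"line {lineno}: new user '{name}' has no current password to keep")
        # Group Membership: several groups separated by ';' is an assumption of this example
        for group in _cell(row, "Group Membership").split(";"):
            group = group.strip()
            if group and group not in known_groups:
                problems.append(f"line {lineno}: '{name}' refers to unknown group '{group}'")
    return problems


# Constructed sample import file (not the product template).
SAMPLE_CSV = """Type,Username,Firstname,Lastname,Password,Email,Authentication,Group Membership
user group,ops-admins,,,,,Local,
user,alice,Alice,Adams,Tmp-0nly-7!,alice@example.com,Local,ops-admins
user,bob,Bob,Baker,******,bob@example.com,Local,ops-admins
"""

if __name__ == "__main__":
    # bob already exists on the appliance, so ****** keeps his password; alice is new
    for problem in validate_user_csv(SAMPLE_CSV, existing_users=("bob",)):
        print(problem)
```

Run the check against the list of current Users (Users, Manage Users) before importing; a new User row that carries ****** would otherwise be created with an unusable password, and a Group Membership that names a group defined later in the file, or not at all, fails the ordering rule above.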

Export Users
This button creates a CSV file of all Local, RADIUS, SecurID, and Smartcard/PKI users. For Local users,
the Password field is masked.

Editing LDAP/RADIUS Imports


These User records are created through features in the Users, Manage Groups page. However,
portions of their records can be edited here on the Manage Users page. Note these characteristics:

The User is already assigned (the CA Privileged Access Manager copy of) the LDAP group it was
imported from (see Groups panel).

Editing range:

No fields that are imported from LDAP or RADIUS can be edited.

Certain CA Privileged Access Manager-assigned fields, however, can be edited. These include:

Keyboard Layout

RDP Username

Mainframe Display Name

Account Status


Terminate Session Upon Deactivation

Email on Login

Email Self on Login

Available Roles

The Access Time fields

Available Groups (the associated LDAP group cannot be removed).

User Group Setup


A set of CA Privileged Access Manager Users with similar attributes can be associated with each other
by defining a User Group. User Groups allow for more manageable changes.

User Group settings override those individual settings that are labeled the same.

Each User can be a member of more than one User Group.

User Group Types

Important

Do not confuse Access User Groups with Credential Manager User Groups. User Groups
and Roles are specified in two distinct locations, one for general use and one specifically for
Credential Manager.

Access User Groups


Access User Groups are static collections of Users. Some User attributes, such as (Access) Roles and
Access Time, can be assigned at the group level. Create these User Groups by navigating to Users,
Manage Groups.

Credential Manager User Groups


Credential Manager User Groups are dynamically determined from a (Credential Manager) Role and a
Target Group or a Request Group against the current set of Users. Create these User Groups by
navigating to Policy, Manage Passwords, Users, User Groups.

Local Groups
This feature allows you to create a User Group consisting of CA Privileged Access Manager local
Users.


Using the Template


To create a User Group consisting of local Users, follow these steps:

1. Log in as an appropriate administrator (such as "super").

2. Select: Menu bar: Users, Manage Groups.


The current User Group list (initially empty) appears below the Menu bar.
A User Group is restricted to a single Authentication scheme.

3. To create a User Group that is restricted to Local Users, click Create Local Group.
A template opens up for you to provide User Group settings.

User Group fields

Basic Info

Groupname: Name to assign to this group.
  Format if imported (using Import LDAP Group) from Active Directory: LDAPsourceGroupName + "@" + LDAPdomain
  Format if imported (using Import LDAP Group) from other than Active Directory (for example, from SunOne, OpenLDAP, or other): LDAPsourceGroupName
  Double-byte characters are permitted.
  NOTE: LDAPdomain = Base DN as specified in Bind Credentials in Config, 3rd Party.

Applet Recording Warning

Description: Provide your custom definition for the group, or:
  Format if imported (when using Import LDAP Group) from an LDAP server: "LDAP Group" + LDAPsourceGroupName + "from" + LDAPsourceDistinguishedName

Authentication

Authentication: Authentication method to be used during User login. The options available depend on which type of group is being created (Local, RADIUS, or imported LDAP).

SAML Attribute: Enumerated:
  If the User provisioning source was an Active Directory LDAP directory: Distinguished Name, User Principal Name, SAM Account Name
  If the User provisioning source was an LDAP directory of type OpenLDAP, SunOne, or other: Distinguished Name, Unique Attribute
  If Authentication = Local, RADIUS, or PKI: User Name

Login IP Ranges: Network access definition. Identify the source IP address ranges, if any, from which the CA Privileged Access Manager login client is permitted to connect.
  Formats:
    Single IP: 192.0.2.1
    CIDR: 192.0.2.0/28
    Range: 192.0.2.1-32
  Delimiters permitted between ranges: space, comma, semicolon, newline.
  Example: 192.0.2.0/28,192.0.3.234/32
  If left empty, no IP address restrictions are applied.
  NOTE: The User definition overrides any User Group definition, whether it is more or less restrictive. If no User policy is defined but the User is a member of multiple User Groups with different rules, the group permissions are additive (less restrictive).

Provision (label shown in the User Group list only, not in each record): Type of source from which the group was provisioned.

Roles

Available Roles: Drop-down list of CA Privileged Access Manager User Roles available through previous provisioning. Multiple roles can be assigned per group (or for an individual user through an individual user record). Default: Standard User.
  Important: The "credentialsManage" privilege is not currently propagated to member Users. Thus, User Group roles of Global Administrator, Operational Administrator, or Password Manager must also be applied in the individual record of each member User who is managing passwords.

Access Time

Add Rules: Button that activates an expansion pane for creating access rules for this group.

Users

(no label): Displays the Usernames that are members of this User Group.
  For Local groups: set of all member usernames; usernames can be added or removed.
  For imported LDAP groups: set of all member usernames; usernames cannot be added or removed. Editing must be done in the source LDAP directory.
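The Login IP Ranges field and its NOTE define three address formats and a precedence rule between User and User Group definitions. The following Python code is an added example, not product code: it parses that syntax with the standard ipaddress module and applies the precedence rule when deciding whether a login from a given source address is allowed. Two points are assumptions of this example rather than statements from the documentation: the short Range form 192.0.2.1-32 is read as 192.0.2.1 through 192.0.2.32, and a member group with an empty definition is treated as imposing no restriction, which under the additive rule leaves the User unrestricted.

```python
import ipaddress
import re

_DELIMITERS = re.compile(r"[\s,;]+")     # space, comma, semicolon, newline


def parse_ip_ranges(spec):
    """Parse a Login IP Ranges value into ip_network objects. Accepts single
    IPs, CIDR blocks and dash ranges; an empty value yields an empty list."""
    networks = []
    for token in _DELIMITERS.split(spec.strip()):
        if not token:
            continue
        if "/" in token:
            networks.append(ipaddress.ip_network(token, strict=False))
        elif "-" in token:
            low, high = token.split("-", 1)
            first = ipaddress.ip_address(low)
            if "." in high or ":" in high:
                last = ipaddress.ip_address(high)
            else:
                # short form '192.0.2.1-32': only the last octet of the upper
                # bound is written (assumed reading of the Range format above)
                last = ipaddress.ip_address(low.rsplit(".", 1)[0] + "." + high)
            if last < first:
                raise ValueError(f"range {token!r} runs backwards")
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            networks.append(ipaddress.ip_network(token))
    return networks


def login_allowed(source_ip, user_spec, group_specs):
    """Precedence from the table: a non-empty User definition wins outright;
    otherwise the group definitions are merged (additive, so less restrictive).
    A group with no definition imposes no restriction, and under the additive
    rule that makes the merged result unrestricted (assumed reading)."""
    addr = ipaddress.ip_address(source_ip)
    if user_spec and user_spec.strip():
        allowed = parse_ip_ranges(user_spec)
    else:
        allowed = []
        for spec in group_specs:
            if not spec or not spec.strip():
                return True
            allowed.extend(parse_ip_ranges(spec))
    if not allowed:
        return True            # nothing defined anywhere: no IP restriction
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    # constructed values: a User with no own definition, member of two groups
    print(login_allowed("192.0.2.20", "", ["192.0.2.1-32", "10.0.0.0/8"]))
    # the User's own definition replaces the group rules entirely
    print(login_allowed("192.0.2.20", "192.0.2.40", ["192.0.2.1-32"]))
```

Because a User definition replaces the group rules entirely, a single broad entry on a User record silently widens access beyond what the groups allow; review User-level entries as carefully as group-level ones.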

Using the Template for RADIUS Group


The Create RADIUS Group menu appears only after RADIUS server has been configured for CA
Privileged Access Manager access. See RADIUS or TACACS+ (see page 40) for instructions on
configuring RADIUS connectivity.
This feature allows you to create a User Group that is imported from a RADIUS server that is
configured for CA Privileged Access Manager use. This template is similar to the template provided
for Create Local Group.

To open a template to create a CA Privileged Access Manager RADIUS User Group, click the
Create RADIUS Group link.

About CA Privileged Access Manager and RADIUS Groups


To locate users properly, each CA Privileged Access Manager RADIUS Groupname must match a
corresponding group ID on the RADIUS server.
CA Privileged Access Manager uses the configured RADIUS grouping to manage Users. The GroupID
must match the corresponding RADIUS group (that is, RADIUS attribute 25 value). All the privileges
that RADIUS users maintain are derived from their RADIUS group.


Any RADIUS user who does not have a local account that is configured or whose RADIUS group
(attribute 25 value) does not match a CA Privileged Access Manager RADIUS Groupname is not
granted access.

If a RADIUS group has been provisioned on CA Privileged Access Manager, but the user does not
exist, a shadow RADIUS user is created. The shadow user is not visible in the user management
screen or the user list.

Edit from the Manage Policies Page


An administrator can edit a User Group record by invoking it directly from the Manage Policies page.

1. Open the Policy, Manage Policies page.

2. Populate the User (Group) field with a record name.

3. Double-click the name to display its editing template in a shadow box window.

4. When finished, click Save (or Cancel) to return to the Manage Policies page.

SAML SSO with Juniper SA Using RADIUS Authentication


See Network Configuration, SSO, Juniper Networks, Configure CA Privileged Access Manager for
SAML SSO with Juniper SA using RADIUS Authentication.

For information about importing an LDAP Group, see Import an LDAP Group (see page 227).

Import an LDAP Group


As an Administrator, you can create a User Group which refers to a group maintained on an LDAP
server. You use the CA Privileged Access Manager LDAP Browser to set up this group. The CA
Privileged Access Manager appliance must have been previously licensed through the Config,
Upgrade page, and configured through the Config, 3rd Party to access the LDAP server. After the
LDAP server has been provisioned, LDAP groups are available for importing through the Users,
Manage Groups page as described here.

Note

The Import LDAP Groups menu appears after an LDAP server has been configured for CA
Privileged Access Manager access. Go to Appliance Configuration, Network Configuration,
3rd Party, LDAP Domains, to set up the connection to the LDAP server. See Configure for
Network Resources (see page ) for more information.

To launch the LDAP Browser from the Manage Groups page, click the Import LDAP Groups link.


Note

Your CA Privileged Access Manager must be licensed for the LDAP Browser to launch.

LDAP Browser
Near the top of the left pane, under the Explore tab, a graphical representation of the LDAP DIT is
displayed. When you select an item or node in the left pane, its object attributes appear on the right.
An entry of a group object class (for example, groupOfUniqueNames) is shown with a user-group tree
icon and has a checkbox so that you can select it and its members for import.


LDAP Browser Menus

Copy icon (no text-menu item): Copy the Distinguished Name of the selected entry to the Clipboard.

Group icon (no text-menu item): Display all the groups in this container. After first selecting an object in the tree under the Explore tab, clicking this button switches you to the Results tab, where you see a (fully expanded) tree of all groups (objectClass: group) contained within the selected object.

File
  Connect: Log in to an LDAP database. Invokes a pop-up window from which you can select from the currently accessible domains.
  Disconnect: Log out of the current LDAP domain.
  Print: Print the currently selected node.
  Exit: Close the browser window. Note: The browser continues running while the connection is active, and during that time it can be invoked again from the Users, Manage Groups: Import LDAP Group button.

View: Viewing options for the graphical menu items below the main menu.
  Show Button Bar: Icon-based menu. Location: below the main menu bar, on the left. Default: On.
  Show Search Bar: Location: below the main menu bar, on the right. Default: On.

Options
  Set LDAP Connection Timeout: Maximum time (seconds) before a connection attempt is canceled. This is useful when multiple servers are specified for a particular LDAP domain in the Config, 3rd Party configuration. Default: 60 seconds.
  Set Result Set Page Size: Maximum number of records in an LDAP directory before pagination is triggered for representation in the browser tree; also the number of records in each page of a paginated subtree. Default: 1000.

Bookmark: A bookmark can be made on any leaf (directory, group, user, or other object) in a tree. It can later be selected directly from the menu. Bookmarks are saved for each domain, and appear only when the browser is connected to that domain.
  Add Bookmark: Opens an editing window for bookmarking the currently selected leaf: DN (pre-populated with the current Distinguished Name), Bookmark Name (pre-populated with the current Common Name), Description (blank).
  Edit Bookmark: Opens a bookmark selection window. Selection in turn opens a bookmark editing window (see Add Bookmark).
  Delete Bookmark: Opens a bookmark selection window. Selection in turn deletes the bookmark after confirmation.

Search
  Search Dialog: Opens a detailed search specification window. (Contrast to Quick Search.)
  Delete Filter: Opens a window with a list of filters for selection and deletion.
  Return Attribute Lists
  Paged Results
  Next Page of Results: Retrieve the next page of results and display a page wrapper (Page n Results) in the Explore tree (available when green; gray when inapplicable).

Tools
  Stop Action: Suspends the current LDAP request. This is useful when the page size is large and the browser is searching a large database.

CA Privileged Access Manager Groups: CA Privileged Access Manager-specific menu items.
  Manage selected groups to register with the CA Privileged Access Manager appliance: Lists all items that are currently selected (or staged) for importing to CA Privileged Access Manager.
  Register selected groups with the CA Privileged Access Manager appliance: Perform the import operation on the selected items, which are listed in Manage selected groups to register with the CA Privileged Access Manager appliance.

Import LDAP Groups Procedure


To import LDAP Groups into CA Privileged Access Manager, follow these steps:

1. Confirm that you have configured the desired LDAP repository in Config, 3rd Party.

2. On the Users, Manage Groups page, click the Import LDAP Group link.
This link triggers launch of the LDAP browser, which immediately prompts for an LDAP domain
selection.

3. In the browser pop-up window, select the domain from which you import users.
The browser connects and displays all records below that domain (restricted by the
pagination option you might have previously requested).

4. Open nested folders until a user group that you want to import is visible, and select its
checkbox.

5. Repeat this step for each group you want to import. You can traverse the tree in any order or
direction.

6. Optional: Once you have selected all the groups that you want to import, you can review
them. Go to CA Privileged Access Manager Groups, Manage selected groups to register with
the CA Privileged Access Manager appliance.
A new pop-up window opens, in which the Distinguished Names for all selected groups are
visible. You can select and edit any group DN, or remove it from the staging list.

7. Import the selected groups by selecting CA Privileged Access Manager Groups, Register
selected groups with the CA Privileged Access Manager appliance.
A new window presents the staged groups in a list so that you can watch their progress and
status. It also displays any messages associated with the actions.

8. Select Authentication Type from the drop-down list at the top of the window.

9. When ready to import the groups, click Register Groups in the lower-left corner.

10. CA Privileged Access Manager imports the groups in the order that is presented, and the
browser provides feedback and cancellation options throughout the process.
While a group is imported, there is a progress bar (labeled Registering Group) to the right of
its Group Name. You can cancel registration of the current group (and continue with
subsequent groups), or you can cancel the registration of all groups, even after they have
started. In the latter case, CA Privileged Access Manager "reverses" the import process so that
all groups and their members are removed.
When the imports are finished, each line item in the registration window shows either a green
checkmark for success or a red cross for import failure/cancellation. You can review the status
of the full list and each individual group by selecting its line item. If you made any changes or
any errors occurred during the import, the lower Messages panel provides details after you
select the specific group of interest.

11. In the GUI, confirm that the imported groups now appear on the Users, Manage Groups page.

12. You might want to open the User Group or User records to examine more fields.
In each User Group record:

a. The Description field is:


"LDAP Group" + SourceGroupName + "from" + SourceDistinguishedName
For Example: LDAP Group QA Managers from ou=Groups,dc=example,dc=com

b. In each User record of an LDAP-imported group:

i. An LDAP User record cannot be deleted.

ii. Each LDAP-imported field cannot be edited.

iii. The Username field is displayed as:


CN + "@" + domain
For Example: user1@example.com

c. The Roles panel of each record indicates "No roles selected." However, roles are
inherited from the LDAP group, where the default setting is "Standard User."


About Nested Groups


If an LDAP group is an element in a parent group member attribute, then users in the parent and
child groups are imported with the parent.

About Pagination

Note

Pagination is available for Active Directory (AD) and OpenLDAP. Pagination is not available
on SunOne and possibly other LDAP implementations.

The LDAP Browser incorporates a special pagination feature to reduce overhead on LDAP access. The
browser setting Result Set Page Size specifies the maximum number of members (directories,
groups, or objects; or nodes) for any directory. (This value is initially set to a default of 1000.) If the
overhead required to display all directory members is too heavy, the administrator can reduce this
variable value.

For example, set this value to 5. Whenever there are more than five members in any directory, an
initial pagination leaf is inserted when that directory is opened, before displaying the actual directory
contents.

About Search
When you know the name of the directory or object you are looking for, you can use one of two
search options provided in LDAP Browser.

If the tree is paginated in the browser, it does not have to be "built-out" in the browser to traverse
the entire tree on the server.

About Quick Search


You can use the Quick Search button in the upper-right corner of the browser to locate the desired
object:

1. In the Explore tab tree, select the node that you want to be at the top of the search.
Your choice is reflected in the Quick Search label.

2. To the right of the Search From label, select an attribute from the drop-down list, and enter a
search string in the text box.

3. Click Quick Search.


A filtered tree appears in the Results tab.

4. Select an object in the tree to see Entry Attributes on the right.


About the Search Dialog


For a more refined search, one that can be limited to a certain subset of objects or saved for future
use, select menu item Search, Search Dialog.

LDAP Browser: Search Dialog options

Filter Name: Assign a "bookmark" name for the filter. When you have filled in the remainder of this dialog, click Save in the lower right. The filter is then available from the Search menu.

Start Searching From: Identify the root node for your search.

Alias Options
  Resolve aliases while searching: When checked, LDAP Browser returns the real entry to which the alias points. When unchecked, LDAP Browser returns all alias entries as regular entries.
  Resolve aliases when finding base object

Search Level
  Select Search Level: Search Base Object, Search Next Level, or Search Full Subtree.

Information to retrieve: Allows you to select from a saved list in Return Attribute Lists.

Build Filter
  Not [Expression]: Negative of the (entire) constructed expression.
  [Attribute]: Menu of all LDAP attributes, accountExpires through x500uniqueIdentifier.
  [Operator]: Logic to apply to the attribute in this expression.
  [Character string]: Text being tested with this expression.
  More [button]: Add another logic template to concatenate with the other defined logic.
  Less [button]: Remove the most recently defined logic.
  Save [button]: Save the entire filled-in template under the label assigned in Filter Name.
  Load [button]: Load an existing filter into this template for editing or copying.
  View [button]: Show the actual LDAP filter sent.

Template Commands
  Search [button]: Perform the search as currently defined in this template.
  Cancel [button]: Close the dialog without executing a search or saving it to a filter name.

After executing a search, a subtree traversing only the search "hits" is returned in the Results tab.
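The Build Filter rows are assembled into a single LDAP search filter (the View button shows the string that is actually sent). The following Python code is an added example, not the LDAP Browser's own implementation: it builds the same kind of filter from attribute, operator and character-string triples and escapes the character string according to RFC 4515, so that a value such as *)(objectClass=* is matched literally instead of changing the structure of the filter. The naive_filter function is included only for contrast, and the operator names are this example's own.

```python
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTRIBUTE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*")
OPERATORS = {"equals": "=", "approx": "~=", "greater or equal": ">=", "less or equal": "<="}


def escape_value(value, allow_wildcard=False):
    """Escape a user-typed character string so it is matched literally.
    With allow_wildcard=True a '*' is kept as a substring wildcard."""
    return "".join(ch if (ch == "*" and allow_wildcard) else _ESCAPES.get(ch, ch)
                   for ch in value)


def naive_filter(attribute, value):
    """The unsafe way: raw concatenation, shown only for contrast."""
    return f"({attribute}={value})"


def build_filter(terms, combine="&", negate=False):
    """terms: list of (attribute, operator, value[, allow_wildcard]).
    Several terms are combined with '&' or '|' (the More button); negate wraps
    the whole expression in '!' (the Not checkbox)."""
    if combine not in ("&", "|"):
        raise ValueError("combine must be '&' or '|'")
    parts = []
    for term in terms:
        attribute, operator, value = term[:3]
        wildcard = len(term) > 3 and bool(term[3])
        if not _ATTRIBUTE.fullmatch(attribute):
            raise ValueError(f"bad attribute name {attribute!r}")
        if operator not in OPERATORS:
            raise ValueError(f"unknown operator {operator!r}")
        parts.append(f"({attribute}{OPERATORS[operator]}{escape_value(value, wildcard)})")
    if not parts:
        raise ValueError("no terms")
    body = parts[0] if len(parts) == 1 else f"({combine}{''.join(parts)})"
    return f"(!{body})" if negate else body


if __name__ == "__main__":
    # constructed input: find groups whose cn starts with "QA"
    print(build_filter([("objectClass", "equals", "group"), ("cn", "equals", "QA*", True)]))
    # the same hostile string, concatenated versus escaped
    hostile = "*)(objectClass=*"
    print(naive_filter("cn", hostile))
    print(build_filter([("cn", "equals", hostile)]))
```

The attribute name is validated separately from the value because escaping applies only to assertion values; an attribute name is never user-supplied text in the dialog, but any tool that builds filters from external input should treat it the same way.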


About Double-Byte Characters


CA Privileged Access Manager provides double-byte character support, allowing East Asian characters
in data storage and GUI representation of Usernames and User Group Names. This support preserves
and displays LDAP Usernames configured and imported with these characters.

Although User records with double-byte character Usernames can be imported as members of LDAP
groups, individual Local User records with double-byte characters are not currently permitted.

Refresh LDAP Groups


Click this link button to revise the user list for the LDAP user groups previously imported.

User / User Group management


The following CA Privileged Access Manager functions are available for managing Local, LDAP,
RADIUS, and SecurID users on the List Users menu. (The imported LDAP values cannot be edited, but
the generated fields can.) The Smartcard/PKI user options available are "edit" and "delete."

User Record Updates


Editing a User
To edit a User account:

1. From the list in Users, Manage Users, identify the line item record of an existing User, and
click anywhere in the line. NOTE: Upon mouseover within the line boundary, the record is
highlighted for selection.

2. Complete edits, and click Save.


After you update the User record, the visible record (editing fields) collapses so that only the
User list is visible.

Copying a User
To create a new User account with the same access permissions and policies as an existing User:

1. From the list in Users, Manage Users, open the record of an existing User.

2. At the bottom of the record, click the Copy button.


A new record is created, populated with a copy of the original User information except for the
Username.

This new record opens immediately below the record of the copied User, while the
record of the copied User is closed. To confirm this, inspect the User list above the
new record editing pane. It shows the line item of the original User.

3. Enter the (required) Username for the new User. Edit other fields as desired, and click the
Save button to create the new User.

Disabling a User
To disable (preserve, but not allow activity by) a User account:

1. From the list in Users, Manage Users, identify the line item record of an existing User, and
open its record (by clicking it).

2. In the Administration pane, select Account Status: Disabled

3. At the left side of the top center of the pane, click Save.

To re-enable a User account:

1. From the list in Users, Manage Users, identify the line item record of an existing User, and
open its record (by clicking it).

2. In the Administration pane, select Account Status: Enabled

3. At the left side of the top center of the pane, click Save.

To re-enable multiple User accounts:

1. From the list in Users, Manage Disabled Users, select each User to enable by clicking its
checkbox.

2. When the list of choices is complete, click Enable.

Deleting a User
To delete (completely remove) a User account:

1. From the list in Users, Manage Users, identify the line item record of an existing User, and
select the checkbox to the left.

2. Click the Delete button.

3. Click Yes in the confirmation request. An acknowledgment is presented in a new dialog.

4. Close the acknowledgment box.

NOTE: The list is updated (the line item removed) only after you close the acknowledgment box.

Approve CAC User


Smartcards, including Common Access Cards (CAC), use certificates to authenticate users. CA
Privileged Access Manager validates the user certificate against a Certificate Revocation List. The
smartcard parameters must be set in the Global Configuration under the Security tab.
The first time that a smartcard user accesses CA Privileged Access Manager, their public key is
registered and the user appears on the Approve CAC User page. The user must be approved before
device access can be assigned.


Manage Disabled Users


All currently disabled users are listed on this page. Functions are available only to Delete or Enable a
user – no other editing is permitted through this screen. However, these Users remain on the
Manage Users list, where their records can be edited.

User viewing
Initial View
You log in to CA Privileged Access Manager initially as config, and then as super. When (as super) you
switch over to the default Users menu, you see a list populated with the super account.

Later, you are able to view all and edit any users here except for config. Config must be edited in the
Toolbar: Change Password menu while logged in as config.

Filtering Populated User Views


After you have added users, they might not all be visible on the (first) Access page. If there is a large
number, you can filter this set of users using the Search box to narrow the list to matches of the
search string provided.

Provisioning Policy for Users/Devices


CA Privileged Access Manager enables organizations to enforce access rules for specific users and
user groups. CA Privileged Access Manager policies for associating Users to Devices can be done at a
granular level (device and port). Each user then has access only to devices and applications that they
need to do their jobs.

A Policy is a set of configuration values identifying permitted or required:

Access types (access method applets, TCP/UDP and application services, SSL VPN services, out-of-
band access, power)

Access restrictions (command filters, socket filters)

Passwords (which involve Devices and resident applications)

Recording (graphical or command line)

A Policy specifies the interactivity between:

one CA Privileged Access Manager-registered User or User Group (including LDAP and RADIUS)

and

one CA Privileged Access Manager-managed Device or Device Group


After a User has logged on to a Device using its preset Policy assignments, CA Privileged Access
Manager can:

Record User activity

Block or Alert User commands

Terminate User leapfrog attempts

Access Provisioning
The access capabilities that you provide for a Device are available for specification in Policy. See
About Access Setup (see page 162) for information about setting up access capabilities for Devices.

Access Restrictions
Through a Policy, these restrictions to Device or Device Group access can be imposed on a particular
User or User Group:

Command Filtering

Socket Filtering

Command Filtering
Command filter lists can be used to enforce policy in the command line applets TELNET, SSH, and
serial consoles.

Both Command Filtering and Socket Filtering use whitelists and blacklists to set the appropriate
policy.

A command-filtering blacklist is a list of commands that a user cannot type. If the user attempts
to type such a command, CA Privileged Access Manager can flag (log), alert, remediate, and stop the
command from being processed. All other commands are allowed.

A command filtering whitelist is a list of the commands that a user can type. All other commands
are prohibited.

Note

Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250
applets.


The Command Filter Configuration (CFC) sets the behavior of the blacklist and whitelist command
filters.

Command Filter Alerts Example

From: xsuite1@example.com
To: xs-admin1@example.com
Cc:
Subject: Alert Msg from xsuite1
-------------------------------------------------------------------------------
Date/Time: Fri, 1 Oct 2010 14:09:05
User ID: Traveler123
User Source IP: 168.0.2.123
Violation on: LinuxBox12
Captured Keystrokes: rlogin

Socket Filtering
Socket Filter Agents (SFAs) are CA Privileged Access Manager components used to restrict access
either to server-based devices or from server-based devices. Socket filters provide a different kind of
access control than devices with finite command sets, such as routers and switches, for which
command filtering is applied.

Three components are required:

Socket Filter Lists – to define either a socket blacklist (specifying where access is prohibited) or
whitelist (specifying where access is allowed)

Socket Filter Agents – to apply rules that are specified by Socket Filter Lists and used in Policies.

Socket Filter Configuration – to apply agent behavior across all CA Privileged Access Manager-
managed devices using socket filter agents.

Socket Filter Lists (SFLs)


Socket Filter Lists define groups of servers or networks that can be applied to a policy for LeapFrog
Prevention.

Socket Filter Agents (SFAs)


Once a Socket Filter Agent is deployed and a user connects through CA Privileged Access Manager to
the host Device, the SFA downloads the user policy. The SFA then enforces any blacklist or whitelist
filters at the Device. A blacklist contains the devices and ports that the user is prevented from
accessing. A whitelist identifies the only devices and ports that the user can connect to. The SFA
does not inspect or disturb any other connections to that Device, such as production web traffic or
CA Privileged Access Manager users who are not restricted.
SFAs can be installed on Windows and Linux devices. The Linux root account is exempt from SFA rules
and restrictions. Windows administrator accounts are subject to SFA rules and restrictions.

Socket Filter Configuration (SFC)


Global values that affect the behavior of the socket filter agents are found under Socket Filter
Configuration, accessible through the Policies menu.


CA Technologies advises verifying your organization policies before setting up socket filtering, as
network heartbeat checks might not be allowed.
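The following Python code is an added example (not an SFA or Command Filter implementation from the product) that models the policy decisions described under Access Restrictions: a command filter list in blacklist or whitelist mode, an alert rendered in the layout of the Command Filter Alerts Example, and a socket filter list that decides whether an outbound connection from the Device is permitted, including the Linux root exemption stated above. Matching a command by its first word, the (network, port) entry format, and the class and function names are simplifications chosen for this example; the documentation does not define how list entries are matched. The addresses and names in the usage block are taken from the alert example or are constructed.

```python
import ipaddress


class CommandFilterList:
    """Blacklist: listed commands are stopped, everything else is allowed.
    Whitelist: only listed commands are allowed. The command is taken to be the
    first word of the typed line (a simplification of this example)."""

    def __init__(self, mode, commands):
        if mode not in ("blacklist", "whitelist"):
            raise ValueError("mode must be 'blacklist' or 'whitelist'")
        self.mode = mode
        self.commands = {c.lower() for c in commands}

    def decide(self, line):
        """Return (allowed, violating_command_or_None)."""
        words = line.strip().split()
        command = words[0].lower() if words else ""
        listed = command in self.commands
        if self.mode == "blacklist":
            return (not listed, command if listed else None)
        return (listed, None if listed else command)


def alert_message(sender, recipient, when, user, source_ip, device, keystrokes):
    """Render an alert in the layout of the Command Filter Alerts Example."""
    return "\n".join([
        f"From: {sender}",
        f"To: {recipient}",
        "Cc:",
        f"Subject: Alert Msg from {sender.split('@')[0]}",
        "-" * 79,
        f"Date/Time: {when}",
        f"User ID: {user}",
        f"User Source IP: {source_ip}",
        f"Violation on: {device}",
        f"Captured Keystrokes: {keystrokes}",
    ])


class SocketFilterList:
    """Entries are (network, port), with port None meaning any port. Blacklist:
    listed destinations are blocked; whitelist: only listed destinations are
    reachable. The Linux root account is exempt, as the text above states."""

    def __init__(self, mode, entries):
        if mode not in ("blacklist", "whitelist"):
            raise ValueError("mode must be 'blacklist' or 'whitelist'")
        self.mode = mode
        self.entries = [(ipaddress.ip_network(net, strict=False), port)
                        for net, port in entries]

    def _listed(self, host, port):
        addr = ipaddress.ip_address(host)
        return any(addr in net and (p is None or p == port) for net, p in self.entries)

    def decide(self, host, port, account="", linux=True):
        """Return True if an outbound connection from the Device is allowed."""
        if linux and account == "root":
            return True
        listed = self._listed(host, port)
        return (not listed) if self.mode == "blacklist" else listed


if __name__ == "__main__":
    # leapfrog attempt: a blacklisted command typed in a recorded SSH session
    rlogin_block = CommandFilterList("blacklist", ["rlogin", "telnet", "ssh"])
    allowed, hit = rlogin_block.decide("rlogin LinuxBox13")
    if not allowed:
        print(alert_message("xsuite1@example.com", "xs-admin1@example.com",
                            "Fri, 1 Oct 2010 14:09:05", "Traveler123",
                            "168.0.2.123", "LinuxBox12", hit))
    # the same hop attempted at the socket level on the Device
    hops = SocketFilterList("blacklist", [("10.0.0.0/8", None), ("192.0.2.5", 22)])
    print(hops.decide("10.1.2.3", 22), hops.decide("10.1.2.3", 22, account="root"))
```

First-word matching is deliberately simple; anything that shells out (sudo, a script, an alias) is the reason the documentation pairs command filtering with socket filtering on the Device itself, and the root exemption means an SFA cannot be relied on to contain a user who already holds root.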

Amazon Web Services (AWS)


After the Config, 3rd Party, AWS settings have been populated and a connection to AWS has been
made, the AWS Policies link under Policy, Manage Policies becomes available for specifying an AWS
IAM Policy.

Defining AWS Policies


AWS policy is applied for AWS privileges when accessing the AWS management interface. Initially, the
Manage AWS Policies editing window holds two default versions, but you can edit one or create a new
IAM policy.

Although CA Privileged Access Manager is designed to pass an IAM Policy to AWS, AWS does not
accept a policy that is "too lengthy." The length limit is not a predictable value, but AWS can
evaluate a policy before processing it so that errors are avoided. Therefore, CA Privileged Access
Manager sends all submitted policies to AWS for preprocessing. If the size limit is exceeded, an error
message is relayed to the CA Privileged Access Manager user.

Workaround: Some guidance on permitted length is provided in this AWS Forum thread:
https://forums.aws.amazon.com/thread.jspa?threadID=80882

Specifying AWS Policies


When a Service has been configured for access to the AWS management interface, the credential
specification pop-up window in the Manage Policy interface also provides for the IAM policy
specification through the AWS Policy field at the right-hand side of the pop-up window.

Session Recording
In addition to the access controls that are applied in advance, session recording can be assigned in
policy, providing a view of User actions after the fact. Recordings reproduce the environment of the
User to provide a view into what transpired during a connection session.

Privileged administrators also exercise control during sessions: they can terminate a connection
session or log a User off CA Privileged Access Manager. CA Privileged Access Manager logging is a
further resource for tracking sessions while they are active or afterward.

In the command-line applets, TELNET, SSH, and Console user keystrokes can be recorded. Graphical
session recording is available with the RDP and VNC applets.

Recordings are identified in the GUI as line items. They can be searched with variable text filtering.
When a recording identifies a User violation, this fact is marked inside the recording as the User
views it. The line item record is also highlighted in bold red.


The session recording logs are not stored on CA Privileged Access Manager. The session recording
files can be stored on mount points or sent to a syslog consolidation server.

Use a directory mounted to a Windows or UNIX server for session recordings to be available through
the administration interface. The session recordings can be viewed in Sessions, Session Recordings.

Session Recording policy is set for a user/user group – device / device group pair in Policy, Manage
Policies.
In the Recording pane:

Selecting Command Line records user entry, and if Bidirectional is selected, CA Privileged Access
Manager records both the user and device responses.

Selecting Graphical records the user GUI interaction with the Windows server as a movie that can
be played, stopped at any point, and replayed from any point.

Set Up a Policy
As a CA Privileged Access Manager administrator, you assign Policies between a User and a Device
either implicitly or explicitly.

Explicit assignment is when you use either:

Web template: in Policy, Manage Policies

Imported CSV file: Import through Policy, Import/Export Policy, then, Edit / View in Policy,
Manage Policies

Implicit assignment is inheritance from a parent group.

A User's effective policy spans these categories as the union of all policy assignments. It reflects the
range of Device and access options available to a User as represented on the User Access page.

As a CA Privileged Access Manager administrator, you can view a User's effective policy in Users,
Manage Users, [Edit User], View Policy.

The configuration of a Device provides a template for choosing which access methods are allowed for
a particular User from those that are possible on that Device (that is, those that are technically
provided and CA Privileged Access Manager-configured). The scope of this template has previously
been defined by the attributes assigned in the Device record.

A unique policy can exist between every match of each of the first (Users and User Groups) with each
of the second (Devices and Device Groups). If, for example, there are three (3) Users and three (3)
Devices, after matching each User with each Device, there could be up to nine (9) different policies.

For information about Credential Manager Password Policies, see Credential Manager
Policies (see page 252).


Prerequisites
1. Session recording activation requires that storage is configured in advance on the Config, Logs
page.

2. Define Users, Devices, Access Types, Filters, AWS Policies.

Set Up AWS Policies


After you populate the Config, 3rd Party, AWS settings and a connection to AWS is made, the Policy,
Manage Policies, AWS Policies link becomes available for specifying an AWS IAM Policy. This is the
policy that is applied for AWS privileges when the AWS management interface is accessed. Initially, the
Manage AWS Policies editing window holds two default versions, but you can edit one or create a
new IAM policy.

Although CA Privileged Access Manager is designed to pass an IAM Policy to AWS, AWS does not
accept a CA Privileged Access Manager-provided AWS Policy that is "too lengthy." The length limit is
not a predictable value, but AWS can evaluate a policy against it before processing to avoid a
disruptive error condition, so CA Privileged Access Manager sends all submitted policies to AWS for
preprocessing. If the size limit is exceeded, an error message is relayed to the CA Privileged Access
Manager user.

Workaround: Some guidance on permitted length is provided in this AWS Forum thread:
https://forums.aws.amazon.com/thread.jspa?threadID=80882

Use AWS Policies


When a Service has been configured for access to the AWS management interface, the credential
specification pop-up window in the Manage Policy interface also provides for the IAM policy
specification through the AWS Policy field at the right-hand side of the pop-up window.

Define Policies
To define Policies, two UI methods are available to create associations:

Web templates (see page 241) – For each User, enter data into the GUI

CSV file (see page 245) – You can load records for a batch of Users

Policy Template
To create or edit a Policy using the web template, follow these steps:

1. Select from the Menu Bar: Policy, Manage Policies. The Manage Policies page appears.
By default, when you open the Manage Policies page, a list of recently edited records
appears.

2. There are two ways to find an existing policy record:

a. If the line-item policy record you want is already visible in the list, click on it to open
the editing fields.


b. If the policy record is not visible, use the pair of labeled text boxes provided near the
top of the page. You can use one or both of the fields to specify:

i. A User or a User Group

ii. A Device or a Device Group

3. When you place the cursor inside a field, a drop-down list of all instances appears, which
starts filtering as you type (a portion of) a name. (This filtering is the CA Privileged Access
Manager autosuggest feature.) After you select a User and/or Device name, the policy list
(below the search boxes) is filtered and fewer policy records are displayed for possible
selection.
The individual Users, as well as the User Group, resulting from an imported LDAP group will all
be available for application of policy.

a. In the autosuggest drop-down list, the following constructions are used to represent
imported Users and Groups:

i. User: CommonName@Domain – CommonName

ii. User: Dave Smith@example.com – Dave Smith

iii. User Group: CommonName@Domain – Group

iv. User Group: QAgroup@example.com – Group

b. After being selected, in the selection field, and then once created, in the page list, the
User is designated by their Distinguished Name, for example:

i. User: CN=Dave Smith,CN=Users,DC=example,DC=com

ii. User Group: CN=Users,DC=example,DC=com

4. When you choose a Device Group, only those Access Methods that were specified for the
group, and not those specified for individual Devices, will be applicable and displayed.

5. Click the desired policy record from the filtered list to display the Policy relationship for that
User-Device pair.
To help you choose, the rightmost Details column indicates which policy components have
been set: if a setting has been made in a policy category (Access Methods, Services, and so
on), the policy section label is black; otherwise it is gray.

6. To create a new policy record, use the search boxes described in the preceding step to select
a User (or User Group) and Device (or Device Group) pair – there should be no resulting
records ("No results"). Otherwise, return to the previous step.

7. Click the blue link in the upper right corner, Create Policy, to open the policy editing pane.

8. Apply settings as described in the following Table.

9. After you click Save, the editing pane will close, and you will see a policy "list" with the one
line item you just created.


Policy template fields and their descriptions:

Access: Access Methods
Select any number of desired items from the drop-down lists provided on this page. The options that
are provided in the lists were set in the configuration record for this Device. See Provisioning Devices
(see page 126) for more information.
Add / Edit: As previously activated for this Device.

Access: Services
(See Access Methods description.)
Add / Edit: As previously activated for this Device.

Password Management: Passwords
Add / Edit: As previously activated for this Device.
Note: For AWS AMI instance UNIX and Linux Devices, only EC2 keys autopopulate as options.

Access: OOB & Power
(See Access Methods description.)
KVM, Power, Serial: As previously activated for this Device.

Access: Filters
Select one or no Command Filter, and one or no Socket Filter. The available filters were set in the
Manage Filters interface. See Provisioning: Filters for more information.
Command Filters: As previously defined. Select one. Grouped as Black Lists and White Lists.
Socket Filters: As previously defined. Select one. Grouped as Black Lists and White Lists.
Restrict login if agent is not running: Prerequisite: Populated Socket Filters.
When selected: If CA Privileged Access Manager cannot detect a running Socket Filter Agent on this
device, and a connection is being attempted that is among those that the SFA monitors, the login is
rejected.
Note: For connection types that are not monitored by CA Privileged Access Manager socket filtering,
connection instances are never rejected by this feature.
Connections that SFAs monitor include: Access Method GUI, CLI, and mainframe applets; and RDP,
VNC, and ICA Services.
Connections that SFAs do not monitor include: standard (customized) Services and Web Portal
Services.

Recording
The options provided in the lists will have been previously set in the configuration record for this
Device. See Provisioning: Devices for more information.
Note: So that session recordings may be viewed when CA Privileged Access Manager is accessed
through a Juniper SA appliance, the administrator must configure a policy for allowing custom
headers. See "Junos Configuration Required for Viewing Session Recordings".
Graphical: Prerequisite: RDP and/or VNC are permitted (listed in Selected Access Methods). Select if
you want this User's activity on this Device to be recorded graphically. Graphical session recording is
available for the RDP and VNC applets.
Command Line: Prerequisite: TELNET, SSH, or Console are permitted (listed in Selected Access
Methods). Select if you want this User's command line activity on this Device to be recorded (as plain
text). TELNET, SSH, and Console user keystrokes can be recorded.
Note: SSH Proxy (SSH by using a Service) recording requires that the Bidirectional checkbox is
selected.
Bidirectional: Prerequisite: Command Line option has been selected. Select if you want Device
command line output to be recorded in addition to User command line entries.
Note: All mainframe-access applets (TN3270, TN3270SSL, TN5250, TN5250SSL) apply bidirectional
session recording (when session recording is enabled).
Web Portal: Prerequisite: A Web Portal is permitted (selected and listed in Services). Select if you
want this User's activity on this Device Web Portal to be recorded graphically. Graphical session
recording is available for the VNC applet.
On Violation: Prerequisite: No other recording selections are made. When selected, whenever a User
causes a violation against a Command Filter or Socket Filter during a connection session, session
recording is initiated on the active session. The recording continues until the User ends the
connection session.

Junos Configuration Required for Viewing Session Recordings


So that session recordings can be viewed when CA Privileged Access Manager is accessed through a
Juniper SA appliance, the administrator must configure a policy for allowing custom headers.

To configure the policy, follow these steps:

1. Navigate to Resource Policies, Web, Custom Headers

2. Create a new policy.

3. Specify the IP address of the web portal resource that this policy applies to, with protocol
specification, for example:
https://192.0.2.123

4. Select the allow custom headers action.

Alternate Navigation to Template


You can also navigate to Edit Policy from a User Record (applicable to Local, LDAP, and RADIUS Users).
A User policy template can be called directly from the User record, not only through the Policy menu:

1. Open a User record through Users, Manage Users.

2. From either the top or the bottom of the record, click Manage Policy.
This feature is available not only for Local Users but also for LDAP and RADIUS users.

3. You are then transferred to the Manage Policies page, where the User (Group) field is
prepopulated with the Username you left. From here, you can select the appropriate Device
(Group) and edit their policy.


Import a CSV Policy File


Instead of creating policies individually through the web interface, you can prepopulate them into a
comma-separated value (CSV) configuration file. A sample file is provided for spreadsheet editing and
population.

Download Sample CSV


1. Select from the Menu Bar: Policy, Import/Export Policy
The Import/Export Policies page appears.

2. In the Import Policy from CSV file panel, click Download Sample File.
Alternatively, if there is currently a set of policies, you can create a current file from the
existing one. In that case, in the Export Policy from CA Privileged Access Manager to CSV file
panel click Export Policy.

3. Copy and rename the sample (or exported) file (sample: "PolicyImportSample.csv"), and open
the new copy in any spreadsheet to inspect the column headers (policy field labels; first line)
and cell values (one policy record per line).
Each line below the (first-line) header is a full policy association.

4. Create and populate the new file.

5. On the Policy, Import/Export Policy page, click Browse in the "Import Policy from the CSV file"
panel to locate your new file.

6. Click Import Policy to upload the CSV file.

Export Policy
To export existing policy to a CSV file:

1. Select from the Menu Bar: Policy, Import/Export Policy
The Import/Export Policies page appears.

2. In the Export Policy to CSV file panel, click Export Policy.

3. Save the resulting CSV to a filename.

The CSV file has the same format as the sample file (available from the Download Sample File button
in the Import Policy from CSV file panel).


Policy Template Compared to CSV Fields


Each entry below gives the web template field, then the CSV column (letter and number) and its syntax:

(preselected): A(1) Type: Policy
B(2) User: CA Privileged Access Manager Username
C(3) Device: CA Privileged Access Manager Device Name
TCP/UDP & APP Services: D(4) Services
SSLVPN Services: E(5) SSL VPN Services: As previously defined.
Applets: F(6) Applets. Syntax: name=appletName1 | name=appletName2 [custom_name=customname].
Here "|" means "and" (not the standard "or"). appletNameN enumerated values: RDP, SSH, others.
KVM, Power, Serial: Include with F(6) Applets. Enumerated values: KVM, Power, Serial
Command Filters: G(7) Command Filters: As previously defined. Multiple filters are delimited by "|".
Socket Filters: H(8) Socket Filters: As previously defined. Multiple filters are delimited by "|".
Restrict login if agent is not running: I(9) Restrict login if agent is not running. Syntax: True (T or
t) or False (F or f)
Graphical: J(10) Graphical Recording. Syntax: True (t) or False (f)
Command Line: K(11) Command Line Recording. Syntax: True (t) or False (f)
Bidirectional: L(12) Bidirectional Recording. Syntax: True (t) or False (f)
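As an added example, not code from the product or from this documentation, the following Python builds policy records in the twelve-column layout described above and reads them back, applying the syntax the table gives: "|" as the separator inside the Applets, Command Filters and Socket Filters cells, "name=... custom_name=..." applet entries, and t/f flags. It also checks the prerequisites the policy template states (Bidirectional needs Command Line, Graphical needs RDP or VNC, Command Line needs TELNET/SSH/Console, Restrict login needs a Socket Filter), which is the check worth running before an import. The header labels and the use of "|" inside the Services cells are assumptions; take the real headers from the sample file you download from the appliance.

```python
import csv
import io

# Column order follows the A(1)..L(12) mapping in the table above. The header
# labels are assumed; take them from the sample file downloaded from the appliance.
COLUMNS = [
    "Type", "User", "Device", "Services", "SSL VPN Services", "Applets",
    "Command Filters", "Socket Filters", "Restrict login if agent is not running",
    "Graphical Recording", "Command Line Recording", "Bidirectional Recording",
]
SEP = "|"  # the page gives "|" for filters and applets; assumed for Services too


def to_flag(cell):
    """T/t/True -> True, F/f/False -> False; an empty cell reads as False."""
    v = cell.strip().lower()
    if v in ("t", "true"):
        return True
    if v in ("", "f", "false"):
        return False
    raise ValueError(f"bad boolean cell: {cell!r}")


def build_applets(applets):
    """[('RDP', None), ('SSH', 'jump')] -> 'name=RDP | name=SSH custom_name=jump'"""
    parts = [f"name={name}" + (f" custom_name={custom}" if custom else "")
             for name, custom in applets]
    return f" {SEP} ".join(parts)


def parse_applets(cell):
    """Inverse of build_applets. Assumes applet and custom names contain no spaces."""
    result = []
    for entry in cell.split(SEP):
        tokens = entry.split()
        if not tokens:
            continue
        kv = dict(tok.split("=", 1) for tok in tokens)
        if "name" not in kv:
            raise ValueError(f"applet entry without name=: {entry.strip()!r}")
        result.append((kv["name"], kv.get("custom_name")))
    return result


def policy_to_row(p):
    """Policy dict -> list of 12 cells in COLUMNS order."""
    def flag(key):
        return "t" if p.get(key, False) else "f"
    def joined(key):
        return SEP.join(p.get(key, []))
    return ["Policy", p["user"], p["device"], joined("services"), joined("sslvpn"),
            build_applets(p.get("applets", [])), joined("command_filters"),
            joined("socket_filters"), flag("restrict_login"), flag("graphical"),
            flag("command_line"), flag("bidirectional")]


def row_to_policy(row):
    """List of 12 cells -> policy dict; raises on a malformed record."""
    if len(row) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} cells, got {len(row)}")
    if row[0] != "Policy":
        raise ValueError(f"unsupported record type {row[0]!r}")
    def split(cell):
        return [x.strip() for x in cell.split(SEP) if x.strip()]
    return {"user": row[1], "device": row[2], "services": split(row[3]),
            "sslvpn": split(row[4]), "applets": parse_applets(row[5]),
            "command_filters": split(row[6]), "socket_filters": split(row[7]),
            "restrict_login": to_flag(row[8]), "graphical": to_flag(row[9]),
            "command_line": to_flag(row[10]), "bidirectional": to_flag(row[11])}


def validate_policy(p):
    """Prerequisites stated in the policy template table; returns a list of violations."""
    problems = []
    names = {name for name, _ in p["applets"]}
    if p["bidirectional"] and not p["command_line"]:
        problems.append("Bidirectional requires Command Line recording")
    if p["graphical"] and not names & {"RDP", "VNC"}:
        problems.append("Graphical recording requires the RDP or VNC applet")
    if p["command_line"] and not names & {"TELNET", "SSH", "Console"}:
        problems.append("Command Line recording requires TELNET, SSH, or Console")
    if p["restrict_login"] and not p["socket_filters"]:
        problems.append("Restrict login if agent is not running requires a Socket Filter")
    return problems


def write_policy_csv(policies):
    """Serialise policies to CSV text with the header row first."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for p in policies:
        writer.writerow(policy_to_row(p))
    return buf.getvalue()


def read_policy_csv(text):
    """Parse CSV text (header on the first line) into policy dicts."""
    rows = list(csv.reader(io.StringIO(text)))
    return [row_to_policy(r) for r in rows[1:] if r]
```

Run validate_policy over every record returned by read_policy_csv before uploading the file; a record that fails a prerequisite here will not produce the recording or restriction you expect once imported.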

Import Policy
To import a policy CSV to CA Privileged Access Manager, use the interface on the Policy, Import
/Export Policy page.

Set a User-Device Policy


As a CA Privileged Access Manager Administrator, you apply a policy to a user-device pair to allow
that user access to the device or to view a password stored for that device.

Follow these steps:

1. Select Policy, Manage Policies. The policy page appears.

2. In the User (Group) field, start typing the User or User Group you want, and select the
matching full name from the filtered drop-down list.

3. In the Device (Group) field, start typing the Device or Device Group you want, and select the
matching full name from the filtered drop-down list.

4. In the upper-right corner of the page body, click the Create Policy link. A policy template
opens.

5. (Optional) To use an Access Method, click Add (or Edit) to the right of Access, and from the
drop-down list select an available type:port (for example, RDP:3389). A blank field opens to
the right.

a. (Optional) To allow auto-connection to the device, click in this field and select a target
account - target account pair.

6. (Optional) To use a previously provisioned local Service, click Add (or Edit) to the right of
Services, and from the drop-down list select a Service (for example, PuTTY). A blank field
opens to the right.

a. (Optional) To allow auto-connection to the device, click in this field and select a target
account - target account pair.

7. (Optional) To allow this user to view a target account password:

a. Click Add (or Edit) to the right of Passwords, and from the drop-down list select a
target application (for example, WindowsOS). A blank field opens to the right.

b. Click in this field. Select an available target account from the drop-down list for the
application which stores the password.

8. (Optional) If this device is out-of-band, to the right of OOB & Power select controls to activate
KVM control, Power switching, or Serial access.

9. (Optional) To apply a Command Filter to all connections, select one from the drop-down list.

10. (Optional) To apply a Socket Filter to all connections, select one from the drop-down list.

a. (Optional) To prevent device access whenever its Socket Filter Agent (SFA) is not
running, select Restrict login if agent is not running.

11. (Optional) To activate recording, select Graphical for RDP or VNC connections or Command
Line for CLI connections.

a. (Optional) For CLI connections, to capture both output and input lines, select
Bidirectional. Otherwise, only the User's input lines are captured.

b. (Optional) To start recording only after the user commits a (filter) violation, select On
Violation. Otherwise, all connections are recorded from start to finish.

12. Click Save. You return to the policy list.


The activated device or password access is now available for execution from the Access page of the
user.

Policy inspection
View Policy
To view (and edit) explicitly assigned policy for a (User / User Group) and (Device / Device Group)
pair, enter the policy editing mode.

View Effective Policy


Without entering the policy editing mode, you can view a list of the current User or User Group
effective policy across all individual Devices, directly from that User or User Group record. The
"effective policy" is the combination of the policy that is:

Explicitly set with each Device for that User or User Group

Inherited from the policy of User Groups of which the current User is a member

Inherited from the policy of Device Groups which are associated with the current User or User
Group

Procedure
1. Open the Users, Manage Users page.

2. Move your mouse over a User record line item, and open it for editing by clicking it.

3. At the right-hand side of either the top or bottom of the User record, click the View Policy
button.
A shadow window appears with a list showing one Device record per line. Each Device
displays its current access options (Access Methods, OOB, Services, SSLVPN, RDP
Applications). Each Device record can be clicked to reveal, in a left pane, the actual policy pair
generating the inheritance. By clicking Expand All or Collapse All, all records can be opened or
closed, respectively.
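The union described above, as an added example that is neither product code nor from this documentation: a small Python model in which explicit assignments are keyed by (User or User Group, Device or Device Group), and the effective policy for a User is computed per Device as the union of every assignment that covers that User, keeping the policy pair that granted each option, as the View Policy window displays it. The group memberships, device names and policy options are constructed sample data.

```python
# Constructed sample directory (names assumed, not from the page): which Users belong
# to which User Groups, and which Devices belong to which Device Groups.
USER_GROUPS = {"dbas": {"alice", "bob"}, "ops": {"bob"}}
DEVICE_GROUPS = {"prod-db": {"db01", "db02"}, "web": {"web01"}}

# Explicit assignments keyed by (User or User Group, Device or Device Group); each value
# is the set of access options the pair grants (written here as "kind:detail" strings).
POLICIES = {
    ("alice", "db01"): {"SSH:22"},
    ("dbas", "prod-db"): {"SSH:22", "Password:OracleOS"},
    ("ops", "web"): {"RDP:3389"},
    ("bob", "web01"): {"Service:PuTTY"},
}


def subjects_of(user, user_groups=USER_GROUPS):
    """The User itself plus every User Group it is a member of."""
    return {user} | {g for g, members in user_groups.items() if user in members}


def effective_policy(user, policies=POLICIES, user_groups=USER_GROUPS,
                     device_groups=DEVICE_GROUPS):
    """Union of every assignment whose subject covers `user`, projected onto individual
    Devices: {device: {option: {(subject, target), ...}}}. Each option keeps the policy
    pair(s) that granted it, which is what the View Policy window shows per Device."""
    subjects = subjects_of(user, user_groups)
    result = {}
    for (subject, target), options in policies.items():
        if subject not in subjects:
            continue
        devices = device_groups[target] if target in device_groups else {target}
        for device in devices:
            for option in options:
                result.setdefault(device, {}).setdefault(option, set()).add((subject, target))
    return result


def allowed(user, device, option, **directory):
    """True when the effective policy grants `option` on `device` to `user`."""
    return option in effective_policy(user, **directory).get(device, {})


def explain(user, **directory):
    """One line per (Device, option) naming the pair(s) that generate it."""
    lines = []
    for device, options in sorted(effective_policy(user, **directory).items()):
        for option, pairs in sorted(options.items()):
            via = ", ".join(f"{s}/{t}" for s, t in sorted(pairs))
            lines.append(f"{device}: {option} via {via}")
    return lines
```

Because the result is a union, removing one explicit assignment does not necessarily remove access: explain() shows every pair still granting an option, which is the check to run when a review asks why a User still reaches a Device.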


Credential Manager User Interface


The Credential Manager UI provides access to Credential Manager functions.

To access the Credential Manager UI, select Policy, Manage Passwords from the CA Privileged Access
Manager UI.

Set Credential Manager UI Preferences


The GUI provides configurable display options to enable individual users to customize GUI elements.
Also, an administrator can define the initial preferences of a user. See Customize the Global Default
Preferences (https://docops.ca.com/display/CAPAM28/Customize+the+Global+Default+Preferences).

You can modify the following display options:

Time Zone Region: The country or time zone-specific region

Time Zone: The localized time zone or the offset from Greenwich Mean Time (GMT)

List Page Size: The number of entries that are displayed per page in a list

Home Page: The start page for the GUI

These options are configured on the Preferences page. The Preferences page also displays the date
and time for both the user specified time zone and the CA Privileged Access Manager appliance.

Modifications do not take effect until the next login session.

Set Your Time Zone


You can customize how Credential Manager displays dates and times in the GUI. Dates are stored in
UTC, but can be displayed in the GUI in the specified time zone for the user. Selecting a custom time
zone can only be done through the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click the Preferences link in the top right corner of the title bar. The User Preferences pop-up
window appears.

3. Select an entry in the Time Zone Region list box.

4. Select an entry in the Time Zone list box.

5. Click Save.


Modifications do not take effect until the next login session.

Set a List Size


Credential Manager data such as accounts and password requests appear in lists in the GUI. You can
specify the number of list entries per page that appear in the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click the Preferences link in the top right corner of the title bar. The User Preferences pop-up
window appears.

3. Enter an integer value for the number of list entries per page.

4. Click Save.

Set Your Start Page


To configure the home page for Credential Manager, you can optionally select a start page from the
User Preferences window. Depending on the permissions that are assigned to a role, the dashboard
might not appear upon login.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click the Preferences link in the top right corner of the title bar. The User Preferences pop-up
window appears.

3. Select the start page from the Home Page list box.

4. Click Save.

Customize Your Dashboard


The dashboard provides a set of predefined metrics to help monitor system activity. Credential
Manager lets you modify the default offerings. You can add, remove, and reposition list items, and
you can set display thresholds. Changes that you make apply only to the account you are logged in to.

Also, an administrator can define an initial dashboard for the user. See Customize the Global
Dashboard (https://docops.ca.com/display/CAPAM28/Customize+the+Global+Dashboard).

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click the Dashboard tab. If you are logging on to Credential Manager for the first time after an
installation, an empty Dashboard Summary appears.

3. To edit the default Dashboard settings, click the Gear icon in the top right corner of the
Dashboard Summary. The Dashboard Settings window appears.

4. To add a new item to the Dashboard Summary, click the Plus icon. Select an entry from the list
of dashboard items available to add. Click Add.

5. To remove an entry from the Dashboard Summary, click the Remove icon on the row and click
Save. The Remove icon is a yellow X.

6. To reposition a list item, drag-and-drop the item to the desired location or click the Up or the
Down icon at the end of the row. Click Save.

7. To set a threshold limit that activates a warning icon in the Dashboard Summary, enter a
value in the Threshold field. For example, if you set a threshold value of 5 for Passwords Not
Verified and the number of unverified passwords reaches 5 or more, a warning icon appears
in the Dashboard Summary page.

8. To reset your dashboard to the global settings, click Restore Defaults.


Configure Credential Manager Password Policies
CA Privileged Access Manager Credential Manager allows you to create these policies regarding
passwords:

Password composition policies (see page 252): These policies are rules to which passwords must
conform.

Password view policies (see page 260): These policies determine what to do when someone
wants to view a password and what to do after a password is viewed.

You can also create policies for SSH key pairs (see page 297). These policies set the rules for
generating SSH key pairs that are used by UNIX accounts.

Password Composition Policies


Password composition policies are the rules to which passwords must conform. Credential Manager
allows you to define various password composition policies to ensure that passwords meet the
unique security needs of your organization.

Password composition policies are applied on a target application basis; that is, each target
application defines which password composition policy to apply. Manually entered passwords are
validated against the password composition policy that is registered for the associated target
application. Credential Manager also uses the registered password composition policy to generate
random passwords.

Password composition policy characteristics define the minimum requirements for passwords.
Configurable characteristics include:

Password Prefix: A fixed sequence of characters that must start the password string

Must Contain: Types of characters that a password must contain

Each type of character that is selected must be included in the password

Each type of character that is not selected must be excluded in the password

First Must Contain: The password must start with one of the selected choices.

At least one option must be selected

Because the rule applies to a single character, exactly one of the selected options is used for any
given password

The first character of each specific password is one of the types of characters selected


Must Not Contain: Character patterns that the password must not contain. Options include:

Disallow Repeating Characters: Do not allow any adjacent matching characters. However,
matching characters that are not adjacent are allowed. See the following example, in which the
adjacent "CC" violates the rule:
ABCCDECFC

Disallow Duplicate Characters: Do not allow any matching characters anywhere in the password.
See the following example, in which every repeated "C" violates the rule:
ABCCDECFC

Characters to Exclude: Do not allow any character from a list that you specify.

Minimum Length: Password length must be greater than or equal to this value.

Maximum Length: Password length must be less than or equal to this value.

Minimum Iterations Before Reuse: Do not allow the reuse of any of the previous [specified
number of] passwords. For example, if you enter "3", then the current password cannot be
reused, nor can the previous password, nor the one before that. However, the third previous
password can be reused, and any password previous to that. Entering "0" means that there are
no restrictions; this password can always be reused.

Minimum Days Before Reuse: This option prevents the reuse of any password that was used
within the last specified number of days.

Maximum Password Age Enforcement: A password expires after this many days and is then
considered expired. Credential Manager can then automatically change the password if it is
configured to do so on the Settings, General Settings page.

You cannot create a policy without at least one (ASCII character set) item from Must Contain and at
least one item from First Must Contain. This behavior can prevent the creation of effective policies
for passwords of certain character sets.

The options Minimum Iterations Before Reuse and Minimum Days Before Reuse prevent the same
password from being used twice up to the set value of iterations or days.

Minimum Iterations Before Reuse and Minimum Days Before Reuse conditions are only checked
when updating a target account password.

When no policy is set, the default password composition policy is applied. With the default policy,
manually entered passwords can be any string of characters consisting of uppercase characters,
lowercase characters, numeric characters, and special characters. The password must have 4-16
characters.

Credential Manager generates passwords by using the associated password composition policy. With
the default policy, Credential Manager generates passwords that are 16 randomly generated
characters consisting of upper and lower case alphabetic characters, numeric and special characters.

Caution:


Ensure that policies that you create always meet or exceed the minimum password
composition policy of any target account under management. Also, validate that the use of
special characters defined in the password composition policy is allowed in the target
system. Failure to do so allows Credential Manager to generate a password update that
fails because the target system prevents the update.

You can create password composition policies with the GUI or the CLI. Once you create password
composition policies, you can then apply them to target applications.

Suggested Password Composition Policies


Drawing on customer feedback, CA Technologies suggests you use the following password
composition policies:

Databases: Use alpha and numeric characters, plus a special character, such as [!#_-$@*], with a
minimum length of 6 characters and a maximum length of 12 characters.

Windows: Use alpha and numeric characters, plus a special character, such as [!#_-$@*], with a
minimum length of 6 characters and a maximum length of 12 characters.

UNIX: Use alpha characters (no mixed or numeric characters) with a length of eight characters.

Password composition policies must comply with the requirements of the remote applications.

Create a Password Composition Policy with the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Password Composition Policies. The
Password Composition Policy List page appears.

3. Click Add. The Password Composition Policy Details page appears.

4. Provide a unique name for the policy.

5. (Optional) Provide a description for the policy.

6. Select the policy rules that you want to apply. At least one of the Must Contain or First Must
Contain items must be checked. Do not enter the same characters in the Must Contain and Must
Not Contain fields.

7. Click Test. The GUI notifies you whether the options you set are acceptable and shows the
sample password that is generated. This test helps you to:

See the generated sample password

Verify whether the password can be generated with the options you set

Verify the generated password suits your requirement

Verify that the generated password is difficult to guess

8. Click Save.

Create a Password Composition Policy with the CLI


Use the following procedure to create a password composition policy from the CLI using the
addPasswordPolicy command.

Follow these steps:

1. Specify the password composition policy:

capam_command adminUserID=admin capam=mycompany.com cmdName=addPasswordPolicy
PasswordPolicy.name=MaximumPasswordAgePolicy
PasswordPolicy.description=PasswordCompositionPolicy
Attribute.passwordPrefix=pas
Attribute.composedOfUpperCaseCharacters=True
Attribute.composedOfLowerCaseCharacters=True
Attribute.composedOfNumericCharacters=True
Attribute.composedOfSpecialCharacters=true
Attribute.specialCharacters=!#$%()*+,-./:;=?[\\]^_{|}~
Attribute.firstCharacterUpperCase=true
Attribute.firstCharacterLowerCase=true
Attribute.firstCharacterNumeric=true
Attribute.firstCharacterSpecial=true
Attribute.firstCharacterSpecials=!#$%()*+,-./:;=?[\\]^_{|}~
Attribute.mustNotContainConsecutiveDuplicateCharacters=true
Attribute.mustNotContainAnyDuplicateCharacters=true
Attribute.mustNotContainCharacters=true
Attribute.composedOfMustNotContainCharacters=XYZ
Attribute.minLength=6
Attribute.maxLength=16
Attribute.minIterationsBeforeReuse=2
Attribute.minDaysBeforeReuse=3

2. Enter your password at the prompt.


Credential Manager returns the following XML command string:

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordPolicy>
<minLength>6</minLength>
<maxLength>16</maxLength>
<minDaysBeforeReuse>3</minDaysBeforeReuse>
<minIterationsBeforeReuse>2</minIterationsBeforeReuse>
<firstCharacterSpecialCharacters>!#$%()*+,-./:;=?[\\]^_{|}~</firstCharacterSpecialCharacters>
<mustNotContainCharacters>true</mustNotContainCharacters>
<passwordPrefix>pas</passwordPrefix>
<specialCharacters>!#$%()*+,-./:;=?[\\]^_{|}~</specialCharacters>
<composedOfLowerCaseCharacters>true</composedOfLowerCaseCharacters>
<composedOfMustNotContainCharacters>false</composedOfMustNotContainCharacters>
<composedOfNumericCharacters>true</composedOfNumericCharacters>
<composedOfSpecialCharacters>true</composedOfSpecialCharacters>
<composedOfUpperCaseCharacters>true</composedOfUpperCaseCharacters>
<firstCharacterLowerCase>true</firstCharacterLowerCase>
<firstCharacterNumeric>true</firstCharacterNumeric>
<firstCharacterSpecial>true</firstCharacterSpecial>
<firstCharacterUpperCase>true</firstCharacterUpperCase>
<mustNotContainDuplicateCharacters>true</mustNotContainDuplicateCharacters>
<mustNotContainRepeatingCharacters>true</mustNotContainRepeatingCharacters>
<name>NewPasswordPolicy</name>
<type>passwordPolicy</type>
<description>PasswordCompositionPolicy</description>
<ID>1006</ID>
<Attribute.composedOfNumericCharacters>true</Attribute.composedOfNumericCharacters>
<Attribute.mustNotContainCharacters>true</Attribute.mustNotContainCharacters>
<Attribute.composedOfSpecialCharacters>true</Attribute.composedOfSpecialCharacters>
<Attribute.firstCharacterNumeric>true</Attribute.firstCharacterNumeric>
<Attribute.mustNotContainAnyDuplicateCharacters>true</Attribute.mustNotContainAnyDuplicateCharacters>
<Attribute.firstCharacterSpecial>true</Attribute.firstCharacterSpecial>
<Attribute.firstCharacterSpecials>!#$%()*+,-./:;=?[\\]^_{|}~</Attribute.firstCharacterSpecials>
<Attribute.firstCharacterLowerCase>true</Attribute.firstCharacterLowerCase>
<Attribute.composedOfLowerCaseCharacters>true</Attribute.composedOfLowerCaseCharacters>
<Attribute.maxLength>16</Attribute.maxLength>
<Attribute.passwordPrefix>pas</Attribute.passwordPrefix>
<Attribute.composedOfMustNotContainCharacters>false</Attribute.composedOfMustNotContainCharacters>
<Attribute.firstCharacterUpperCase>true</Attribute.firstCharacterUpperCase>
<Attribute.minLength>6</Attribute.minLength>
<Attribute.minDaysBeforeReuse>3</Attribute.minDaysBeforeReuse>
<Attribute.specialCharacters>!#$%()*+,-./:;=?[\\]^_{|}~</Attribute.specialCharacters>
<Attribute.composedOfUpperCaseCharacters>true</Attribute.composedOfUpperCaseCharacters>
<Attribute.minIterationsBeforeReuse>2</Attribute.minIterationsBeforeReuse>
<Attribute.mustNotContainConsecutiveDuplicateCharacters>true</Attribute.mustNotContainConsecutiveDuplicateCharacters>
<createDate>Wed Nov 24 07:13:03 UTC 2010</createDate>
<createUser>admin</createUser>
<extensionType />
<hash />
<updateDate>Wed Nov 24 07:13:03 UTC 2010</updateDate>
<updateUser>admin</updateUser>
</PasswordPolicy>
</cr.result>
</CommandResult>
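As an added example (not code from the product or this guide), the following Python reconstructs the checks implied by the Attribute.* keys of the addPasswordPolicy command above, so that a candidate password can be tested against a composition policy the way the GUI Test step does; the function names and the sample policy text are assumptions made for this example.

```python
"""Added example (not the product's code): candidate-password checks reconstructed
from the Attribute.* keys of the addPasswordPolicy command above; names are assumptions."""
from dataclasses import dataclass

# Constructed sample: the Attribute.* pairs of the command above, whitespace separated.
SAMPLE_POLICY_ARGS = r"""
Attribute.passwordPrefix=pas Attribute.minLength=6 Attribute.maxLength=16
Attribute.composedOfUpperCaseCharacters=True Attribute.composedOfLowerCaseCharacters=True
Attribute.composedOfNumericCharacters=True Attribute.composedOfSpecialCharacters=true
Attribute.specialCharacters=!#$%()*+,-./:;=?[\\]^_{|}~
Attribute.firstCharacterUpperCase=true Attribute.firstCharacterLowerCase=true
Attribute.firstCharacterNumeric=true Attribute.firstCharacterSpecial=true
Attribute.firstCharacterSpecials=!#$%()*+,-./:;=?[\\]^_{|}~
Attribute.mustNotContainConsecutiveDuplicateCharacters=true
Attribute.mustNotContainAnyDuplicateCharacters=true
Attribute.mustNotContainCharacters=true Attribute.composedOfMustNotContainCharacters=XYZ
"""
CLASSES = ("UpperCase", "LowerCase", "Numeric", "Special")

def parse_policy_args(text: str) -> dict[str, str]:
    """Collect Attribute.* key=value tokens, keeping everything after the first '='."""
    attrs: dict[str, str] = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep and key.startswith("Attribute."):
            attrs[key[len("Attribute."):]] = value
    return attrs

def _flag(attrs: dict[str, str], key: str) -> bool:
    return attrs.get(key, "false").lower() == "true"  # the CLI accepts True and true

@dataclass
class CompositionPolicy:
    prefix: str
    min_length: int
    max_length: int
    require: dict[str, bool]        # character classes that must appear
    first_allowed: dict[str, bool]  # classes permitted for the first character
    specials: str
    first_specials: str
    forbidden: str                  # empty unless mustNotContainCharacters=true
    no_consecutive_duplicates: bool
    no_any_duplicates: bool

def policy_from_args(attrs: dict[str, str]) -> CompositionPolicy:
    return CompositionPolicy(
        prefix=attrs.get("passwordPrefix", ""),
        min_length=int(attrs.get("minLength", "1")),
        max_length=int(attrs.get("maxLength", "64")),
        require={c: _flag(attrs, f"composedOf{c}Characters") for c in CLASSES},
        first_allowed={c: _flag(attrs, f"firstCharacter{c}") for c in CLASSES},
        specials=attrs.get("specialCharacters", ""),
        first_specials=attrs.get("firstCharacterSpecials", ""),
        forbidden=attrs.get("composedOfMustNotContainCharacters", "") if _flag(attrs, "mustNotContainCharacters") else "",
        no_consecutive_duplicates=_flag(attrs, "mustNotContainConsecutiveDuplicateCharacters"),
        no_any_duplicates=_flag(attrs, "mustNotContainAnyDuplicateCharacters"),
    )

def _char_class(ch: str, specials: str) -> str:
    if ch.isupper():
        return "UpperCase"
    if ch.islower():
        return "LowerCase"
    if ch.isdigit():
        return "Numeric"
    return "Special" if ch in specials else "Other"

def policy_conflicts(policy: CompositionPolicy) -> list[str]:
    """Policy-level checks that GUI step 6 describes; run these before the Test step."""
    issues = []
    if overlap := "".join(sorted(set(policy.specials) & set(policy.forbidden))):
        issues.append(f"characters {overlap!r} are in both Must Contain and Must Not Contain")
    if not any(policy.require.values()) and not any(policy.first_allowed.values()):
        issues.append("at least one Must Contain or First Must Contain rule is required")
    return issues

def check_password(policy: CompositionPolicy, candidate: str) -> list[str]:
    """Return every rule the candidate breaks; an empty list means it complies."""
    problems = []
    if not candidate.startswith(policy.prefix):
        problems.append(f"must start with prefix {policy.prefix!r}")
    if not policy.min_length <= len(candidate) <= policy.max_length:
        problems.append(f"length {len(candidate)} not within {policy.min_length}..{policy.max_length}")
    present = {_char_class(ch, policy.specials) for ch in candidate}
    for name, needed in policy.require.items():
        if needed and name not in present:
            problems.append(f"missing a {name} character")
    if candidate and any(policy.first_allowed.values()):
        if not policy.first_allowed.get(_char_class(candidate[0], policy.first_specials), False):
            problems.append(f"first character {candidate[0]!r} is not an allowed class")
    if hit := "".join(sorted(set(candidate) & set(policy.forbidden))):
        problems.append(f"contains forbidden character(s) {hit!r}")
    if policy.no_consecutive_duplicates and any(a == b for a, b in zip(candidate, candidate[1:])):
        problems.append("contains consecutive duplicate characters")
    if policy.no_any_duplicates and len(set(candidate)) != len(candidate):
        problems.append("contains a repeated character")
    return problems

SAMPLE_POLICY = policy_from_args(parse_policy_args(SAMPLE_POLICY_ARGS))
```

Feeding a generated password to check_password before saving the policy catches the combinations the CLI result does not warn about, such as a prefix that already violates the duplicate-character rules.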

Maximum Password Age


When creating a password composition policy, you can set the password lifetime for a target
account. After this time, the password expires. The password lifetime is reset each time that the
password is updated.

You can also enable or disable the automatic updating of expired passwords globally. If it is enabled,
the password for a synchronized account is automatically updated after it expires. Passwords for
unsynchronized accounts remain expired until manually updated.

You can see the password expiry details from the Account Details page. The following parameters
apply:

Maximum Password Age Enforcement: This field indicates whether the associated password
composition policy has maximum password age enforcement enabled.

Maximum Password Age Policy: This field indicates the maximum password age in days as
specified in the associated password composition policy.

Password Expiry: The expiry date of a password is the number of days from its last update to the
maximum age specified in the password composition policy that is associated with its
application. The display is green if the password expires at least one day in the future, yellow if
it expires on the current day, and red if it has already expired.

See also the Accounts with Expired Passwords report.

Set the Maximum Age of a Target Account Password with the GUI
Follow these steps:

1. Select Policy, Manage Passwords.

2. Click Targets, Password Composition Policies. The Password Composition Policy List page
appears.

3. Follow the steps of creating a password composition policy. See Create a Password
Composition Policy with the GUI (see page 254).
In the password composition policy, configure the following parameters:

Maximum Password Age Enforcement: This parameter sets whether password age
enforcement is active or not. If disabled, the password for the target account never
expires.

Maximum Password Age (Days): This parameter specifies the maximum age of a password
in days. The default value is 90 days.


Set the Maximum Age of a Target Account Password with the CLI
Follow these steps:

1. Specify the new policy:

capam_command adminUserID=admin capam=mycompany.com cmdName=addPasswordPolicy
PasswordPolicy.name=MaximumPasswordAgePolicyNew
PasswordPolicy.description=PasswordCompositionPolicy
Attribute.composedOfUpperCaseCharacters=True
Attribute.composedOfLowerCaseCharacters=True
Attribute.composedOfNumericCharacters=True
Attribute.firstCharacterUpperCase=true
Attribute.minLength=6
Attribute.maxLength=16
Attribute.minIterationsBeforeReuse=2
Attribute.minDaysBeforeReuse=3
Attribute.enableMaxPasswordAge=true
Attribute.maxPasswordAge=12

2. Enter your password at the prompt.


Credential Manager returns the following XML command string:

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordPolicy>
<minLength>6</minLength>
<maxLength>16</maxLength>
<maxPasswordAge>0</maxPasswordAge>
<minDaysBeforeReuse>3</minDaysBeforeReuse>
<minIterationsBeforeReuse>2</minIterationsBeforeReuse>
<firstCharacterSpecialCharacters>!#$%()*+,-./:;=?@[\]^_`{|}~&amp;</firstCharacterSpecialCharacters>
<mustNotContainCharacters></mustNotContainCharacters>
<passwordPrefix></passwordPrefix>
<specialCharacters>!#$%()*+,-./:;=?@[\]^_`{|}~&amp;</specialCharacters>
<composedOfLowerCaseCharacters>true</composedOfLowerCaseCharacters>
<composedOfMustNotContainCharacters>false</composedOfMustNotContainCharacters>
<composedOfNumericCharacters>true</composedOfNumericCharacters>
<composedOfSpecialCharacters>false</composedOfSpecialCharacters>
<composedOfUpperCaseCharacters>true</composedOfUpperCaseCharacters>
<enableMaxPasswordAge>false</enableMaxPasswordAge>
<firstCharacterLowerCase>false</firstCharacterLowerCase>
<firstCharacterNumeric>false</firstCharacterNumeric>
<firstCharacterSpecial>false</firstCharacterSpecial>
<firstCharacterUpperCase>true</firstCharacterUpperCase>
<mustNotContainDuplicateCharacters>false</mustNotContainDuplicateCharacters>
<mustNotContainRepeatingCharacters>false</mustNotContainRepeatingCharacters>
<name>MaximumPasswordAgePolicyNew</name>
<type>passwordPolicy</type>
<description>PasswordCompositionPolicy</description>
<ID>1004</ID>
<Attribute.composedOfNumericCharacters>true</Attribute.composedOfNumericCharacters>
<Attribute.mustNotContainCharacters></Attribute.mustNotContainCharacters>
<Attribute.composedOfSpecialCharacters>false</Attribute.composedOfSpecialCharacters>
<Attribute.firstCharacterNumeric>false</Attribute.firstCharacterNumeric>
<Attribute.maxPasswordAge>0</Attribute.maxPasswordAge>
<Attribute.enableMaxPasswordAge>false</Attribute.enableMaxPasswordAge>
<Attribute.firstCharacterSpecial>false</Attribute.firstCharacterSpecial>
<Attribute.firstCharacterSpecials>!#$%()*+,-./:;=?@[\]^_`{|}~&amp;</Attribute.firstCharacterSpecials>
<Attribute.mustNotContainAnyDuplicateCharacters>false</Attribute.mustNotContainAnyDuplicateCharacters>
<Attribute.firstCharacterLowerCase>false</Attribute.firstCharacterLowerCase>
<Attribute.composedOfLowerCaseCharacters>true</Attribute.composedOfLowerCaseCharacters>
<Attribute.maxLength>16</Attribute.maxLength>
<Attribute.passwordPrefix></Attribute.passwordPrefix>
<Attribute.composedOfMustNotContainCharacters>false</Attribute.composedOfMustNotContainCharacters>
<Attribute.firstCharacterUpperCase>true</Attribute.firstCharacterUpperCase>
<Attribute.minLength>6</Attribute.minLength>
<Attribute.minDaysBeforeReuse>3</Attribute.minDaysBeforeReuse>
<Attribute.specialCharacters>!#$%()*+,-./:;=?@[\]^_`{|}~&amp;</Attribute.specialCharacters>
<Attribute.composedOfUpperCaseCharacters>true</Attribute.composedOfUpperCaseCharacters>
<Attribute.minIterationsBeforeReuse>2</Attribute.minIterationsBeforeReuse>
<Attribute.mustNotContainConsecutiveDuplicateCharacters>false</Attribute.mustNotContainConsecutiveDuplicateCharacters>
<createDate>Thu Dec 01 11:17:28 UTC 2011</createDate>
<createUser>admin</createUser>
<updateDate>Thu Dec 01 11:17:28 UTC 2011</updateDate>
<updateUser>admin</updateUser>
<extensionType></extensionType>
<hash></hash>
</PasswordPolicy>
</cr.result>
</CommandResult>

Automatic Updating of Expired Passwords


You can enable or disable automatic updating of expired passwords globally from the GUI and from
the CLI.

Use the following procedure to enable or disable automatic updating of expired passwords globally
from the GUI:

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click Settings, General Setting. The General Settings page appears.


3. Select the Automatically Update Expired Passwords check box. This option automatically
updates synchronized accounts that have expired passwords with a new password.

To enable the automatic updating of expired passwords globally from the CLI, use the
targetAccountPasswordExpirationEnabled system property as in the following example:

capam_command adminUserID=admin capam=mycompany.com cmdName=setSystemProperty
propertyName=targetAccountPasswordExpirationEnabled propertyValues=true

The default value of the targetAccountPasswordExpirationEnabled property is false.

Password View Policies


You can create policies to:

Automatically change the account password for synchronized accounts once it is viewed

Ensure that only one person at a time can view an account password

Ensure that an account password is only revealed after a specific approver has authorized it

Note:

Password view policies apply only to password administration with the GUI, CLI, or Java
API. Requests from A2A clients are unaffected by password view policies.

The default password view policy:

Does not change the password once it is viewed

Allows multiple persons to view a password

Allows a password to be viewed without special authorization

Requires a user to authenticate before viewing a password

Create a Password View Policy


Each CA Privileged Access Manager target account is associated with a password view policy, either
the default policy or a custom policy that you create. You can use either the GUI or CLI to create your
password view policy.

Note:


Any change to an existing password view policy applies to all future attempts to view a
password. The previous version of the password view policy for the requestors can govern
any attempts that are “in transit”. For example, if you disable Check-out/Check-in on a
policy while a password is checked out, the password remains checked out until a user
checks it back in, or the time interval for the check-out expires.

For this reason, we recommend that you do not change the password view policy of an
account if there are outstanding password view requests for that account.

However, the changes that are made to the list of approvers in the password view policy
take effect immediately. For example, a new approver that is added to the list of approvers
is able to receive the email that is related to the request. The newly added approver can
approve or deny the request. Similarly, if an approver is removed from the list, that
approver is no longer able to receive the email or, approve or deny the request.

Create a Password View Policy with the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Workflow, Password View Policies. The Password
View Policy List page appears.

3. Click Add. A blank Password View Policy Details page appears.

4. Enter the policy name and description. Specify the following settings:

The Service Desk Integration (https://docops.ca.com/display/CAPAM/Integrate+with+Your+Service+Desk+Solution+v2.7) information, if applicable

Re-authenticate for View: If you select this option, a dialog appears when a user tries to
view a password. To continue, the user enters their password.

Re-authenticate for Auto-Connect: If you select this option, a dialog appears when a user
tries to auto-connect to an application through Access. To continue, the user enters their
password.

Reason Required for View: If you select this option, a dialog appears when a user tries to
view an Account password. The user selects a Reason and enters an optional Description
and optional Reference Code to view the password. Select the View Credential (eye icon)
for an Account on the Account List page or on the Account Details page.

Reason Required for Auto-Connect: If you select this option, a dialog appears when a user
tries to auto-connect. The user selects a Reason and enters an optional Description and
optional Reference Code to view the password. Select the View Credential (eye icon) for
an Account on the Account List page or on the Account Details page.

Change Password on View (see page 266)

Change Password on Auto-Connect

The change password interval, if either of the previous two options are selected


Dual authorization (see page 266), if applicable, and details that are related to it such as:

Request must be within. Specify the period in days within which password view can be
requested, if applicable. The default value is 14 days.

The default request interval is. Specify the default interval in minutes, to be set to view
the password, if applicable. The default value is 60 minutes.

Note:

When you request a password view, the time difference that is shown in
Request Password From and Request Password To fields is set to the default
request interval provided in the password view policy.

The maximum request interval. Specify the maximum interval in minutes, up to which
the password can be viewed, if applicable. The default value is 60 minutes.

Enable One Click Approval (see page 276)

The list of approvers

Note:

The list of approvers must be registered in Credential Manager with an email
address for each.

Check-out/Check-in (see page 278)

How long to wait before automatically checking in the account password, if applicable

Note:

Check-in/checkout interval must be less than or equal to the Dual authorization
interval. When both check-out/check-in and dual authorization are enabled,
the check-out/check-in expiry time is forced to be less than or equal to the dual
authorization expiry time.

Email notification (see page 286)

Use the dual authorization list of approvers or select a new set of users for sending
email notification, if applicable

Whether only the active users from the dual authorization list of approvers or new set
of users must be emailed, if applicable


The list of users to be emailed, if applicable.

5. Click Save.

Create a Password View Policy with the CLI


Use the following procedure to create a password view policy from the CLI using the
addPasswordViewPolicy command.

Follow these steps:

1. Specify the password view policy:

capam_command adminUserID=admin capam=mycompany.com cmdName=addPasswordViewPolicy
PasswordViewPolicy.name=PasswordViewPolicy
PasswordViewPolicy.changePasswordOnView=true
PasswordViewPolicy.checkinCheckoutRequired=true
PasswordViewPolicy.authenticationRequired=true
PasswordViewPolicy.checkinCheckoutInterval=60
PasswordViewPolicy.dualAuthorization=true
PasswordViewPolicy.enableOneClickApproval=true
PasswordViewPolicy.approvers=approver1,approver2
PasswordViewPolicy.emailNotificationRequired=true
PasswordViewPolicy.emailNotificationToDualAuthApprovers=false
PasswordViewPolicy.emailNotificationToActiveUsers=true
PasswordViewPolicy.emailNotificationUsers=user1,user2

2. Enter your password at the prompt.


Credential Manager returns the following XML command string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewPolicy>
<name>PasswordViewPolicy</name>
<readOnly>false</readOnly>
<description />
<enableOneClickApproval>true</enableOneClickApproval>
<changePasswordOnView>true</changePasswordOnView>
<emailNotificationRequired>true</emailNotificationRequired>
<dualAuthorizationRequired>true</dualAuthorizationRequired>
<passwordViewRequestMaxDays>14</passwordViewRequestMaxDays>
<passwordViewRequestMaxInterval>60</passwordViewRequestMaxInterval>
<dualAuthorizationInterval>60</dualAuthorizationInterval>
<approverIDs>[]</approverIDs>
<emailNotificationUserIDs>[]</emailNotificationUserIDs>
<checkinCheckoutRequired>true</checkinCheckoutRequired>
<checkinCheckoutInterval>60</checkinCheckoutInterval>
<passwordChangeInterval>60</passwordChangeInterval>
<emailNotificationForDualAuthApprovers>false</emailNotificationForDualAuthApprovers>
<authenticationRequired>true</authenticationRequired>
<emailNotificationForActiveUsers>true</emailNotificationForActiveUsers>
<ID>1016</ID>
<createDate>Wed Nov 17 07:46:45 UTC 2010</createDate>
<createUser>admin</createUser>
<extensionType />
<hash>uO9WFJd7m5RNv2N/3ZgIqVGU00M=</hash>
<updateDate>Wed Nov 17 07:46:45 UTC 2010</updateDate>
<updateUser>admin</updateUser>
</PasswordViewPolicy>
</cr.result>
</CommandResult>

The previous example creates a policy that is named PasswordViewPolicy. This new policy
specifies:

An account password must be changed once it is viewed.

Only one person at a time can view an account password.

The person must authenticate before viewing an account password.

Once checked out, a password is automatically checked in after 60 minutes.

When the password is viewed, an email must be sent to the list of identified approvers.

The email sent to the list of approvers must contain two URLs (one to approve and another to
deny the password view request).

When the password is viewed, an email is sent to the list of identified users.
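As an added example (not code from the product or this guide), the following Python applies the interval rules that the GUI and CLI sections above state for a password view policy: the check-out/check-in interval is capped at the dual authorization interval, approvers need a registered email address, the Request Password From/To window defaults to the request interval, and a request must stay within the maximum days and maximum interval. Field names follow the <PasswordViewPolicy> elements of the CLI result; treating dualAuthorizationInterval as the GUI's default request interval, and the (userID, email) approver shape, are assumptions.

```python
"""Added example (not the product's code): the interval rules stated above for
password view policies, applied to fields named after the <PasswordViewPolicy>
elements in the CLI result. Treating dualAuthorizationInterval as the GUI's
default request interval, and the approver tuple shape, are assumptions."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

@dataclass
class PasswordViewPolicy:
    name: str
    dualAuthorizationRequired: bool = False
    passwordViewRequestMaxDays: int = 14      # "Request must be within" (days)
    dualAuthorizationInterval: int = 60       # default request interval (minutes)
    passwordViewRequestMaxInterval: int = 60  # maximum request interval (minutes)
    enableOneClickApproval: bool = False
    approvers: tuple = ()                     # constructed (userID, email) pairs
    checkinCheckoutRequired: bool = False
    checkinCheckoutInterval: int = 60         # minutes before automatic check-in
    authenticationRequired: bool = True

# Constructed sample instant, taken from the request example in the GUI notes above.
SAMPLE_NOW = datetime(2012, 11, 19, 18, 6)

def normalize(policy: PasswordViewPolicy) -> tuple[PasswordViewPolicy, list[str]]:
    """Apply the constraints the GUI enforces on save and report each adjustment."""
    notes = []
    fixed = replace(policy)  # work on a copy; the caller's policy is left untouched
    if (fixed.checkinCheckoutRequired and fixed.dualAuthorizationRequired
            and fixed.checkinCheckoutInterval > fixed.dualAuthorizationInterval):
        # Check-out/check-in expiry is forced to be <= the dual authorization expiry.
        notes.append("check-out/check-in interval capped at the dual authorization interval")
        fixed.checkinCheckoutInterval = fixed.dualAuthorizationInterval
    if fixed.dualAuthorizationRequired:
        if not fixed.approvers:
            notes.append("dual authorization needs at least one approver")
        if any(not email for _, email in fixed.approvers):
            notes.append("every approver must be registered with an email address")
    return fixed, notes

def default_request_window(policy: PasswordViewPolicy, now: datetime) -> tuple[datetime, datetime]:
    """Request Password From/To as the GUI pre-populates them: now and now + default interval."""
    return now, now + timedelta(minutes=policy.dualAuthorizationInterval)

def validate_request(policy: PasswordViewPolicy, now: datetime,
                     start: datetime, end: datetime) -> list[str]:
    """Check a requested viewing window against the policy limits."""
    problems = []
    if end <= start:
        problems.append("end must be after start")
    if start > now + timedelta(days=policy.passwordViewRequestMaxDays):
        problems.append(f"start is more than {policy.passwordViewRequestMaxDays} days ahead")
    if end - start > timedelta(minutes=policy.passwordViewRequestMaxInterval):
        problems.append(f"window exceeds the maximum of {policy.passwordViewRequestMaxInterval} minutes")
    return problems
```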

Modify the Default Password View Policy


CA Privileged Access Manager allows you to modify the default password view policy that is provided
with Credential Manager. You can edit the default policy to use your own password view policy as the
default.

Note:

When modifying the default password view policy, do not change its name. Leave it as
"Default".

Use the following procedure to modify the default password view policy using the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.


2. From the new tab/window menu bar, select Workflow, Password View Policies. The Password
View Policy List page appears.

3. Click Default link. A Password View Policy Details page for default password view policy
appears.

4. Keep the Name for Password View Policy as “Default”. Select or modify the following options,
as required:

Description of the Password View Policy

The Service Desk Integration (https://docops.ca.com/display/CAPAM28/Integrate+with+Your+Service+Desk+Solution) information, if applicable

Re-authenticate for View

Re-authenticate for Auto-Connect

Reason Required for View

Reason Required for Auto-Connect

Change Password on View

Change Password on Auto-Connect

The change password interval, if either of the previous two options are selected

The dual authorization and details that are related to it:

Password view request expiry period

Default and maximum password view request interval

One click approval

List of approvers, if applicable

Check-out/Check-in

How long to wait before automatically checking in the account password, if applicable.

Note:

When both check-out/check-in and dual authorization are enabled, the check-out
/check-in expiry time is limited to the same as or less than the dual authorization
expiry time.

The email notification and details that are related to it:


Choice of the dual authorization list of approvers

New set of users and the list of users, to be emailed, if applicable.

5. Click Save.

Customize Reasons for Viewing Password


Use the setPasswordViewReasons CLI command to customize the list of reasons for viewing a
password that is displayed to GUI users. See setPasswordViewReasons (https://docops.ca.com/display
/CAPAM28/setPasswordViewReasons) for details.

Change Password on View


If the password view policy of a synchronized account specifies it, displaying a password
automatically causes the password to be changed. This feature is often used with privileged accounts.
Credential Manager changes the password automatically after a delay specified by the policy.

If the password view policy of the account also requires it to be checked out, the password is
changed only once when it is checked back in. It is changed only once regardless of the number of
times the user displays the password while the account is checked out.

Enable Password Verification


By default, when viewing passwords through the GUI, Credential Manager verifies the user password
after the initial login. To ensure that password verification occurs every time an account password is
viewed, enable the Requires Authentication setting.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Workflow, Password View Policies.

3. For each password view policy, click Requires Authentication.

4. Click Save.

Get Authorization to View Password


If the password view policy of an account specifies dual authorization, a person with an Approver role
must grant access to the account password before the requesting person can view the password.

When a requestor attempts to view the account password, Credential Manager sends an email
containing the request to the identified approvers for the account. Approvers receive the password
view request email notification with details including the name of the user submitting the request
and the account name for the password to be viewed, the requested account target application
name, the requested account target servername, and password view reason. The email also shows
the requested timeframe (in UTC) to view the password and, if the Enable One Click Approval
option is enabled in the Password View Policy for the account, two URLs (one to approve and the
other to deny the request). In this case, the approver does not need to log in to Credential
Manager and can instead click the approve or deny URL in the email. If the Enable One Click
Approval option is disabled, the email contains all the details except the two URLs. The
approver can view a list of pending password view requests and approve, deny, or expire them
using the GUI. Credential Manager sends an email to the requestors notifying them of the
password view request decision. If the request is approved, the requestor can then view the
password.

Requests must be made for a specific time period (for example, August 8 from 9:00 – 11:00). In the
GUI, enter the timeframe that is based on your local time zone, as set in the Preferences page. For
the CLI, specify the time period in UTC.

Make a Request to View a Password Using the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page
appears.

3. Click the blue View icon corresponding to the Account for which you want to request
authorization. The View icon resembles an eye. It is located under the Action column for the
account for which you want to view the password. The View Account Password Request pop-
up window appears.

OR

Select the name of the account for which you want to request authorization. The Account
Details page appears.

Click the View icon corresponding to the Account for which you want to request
authorization. The View icon resembles an eye. It is located under the Action column for the
account for which you want to view the password. The View Account Password Request pop-
up window appears.

4. Select when you want to start and finish viewing the password. Times are based on your
local time zone, as set in the Preferences page.

Note:

The system populates the Request Password From field with the current date and
time, and the Request Password To field with the current date and time plus the
amount of time that is specified in the Password View Policy default request
interval field.

5. Enter your (Credential Manager administrator) Password.

6. From the drop-down list, select the Reason category for the password view request.
Depending on your organizational policy, your Reason can also require a Reason Description
or a Reason Code.

7. Click View.

Credential Manager automatically sends an email notification to the approvers for that account and
the Email Notification Sent pop-up appears.

The reference code is shown only if the requestor enters the reference code in the View Account
Password Request screen before requesting password authorization.

Grant, Deny, or Expire a Request Using the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the Dashboard, select Password View Requests Requiring Your Approval. A list of
requests appears.

3. Select a specific pending password view request. The Password View Request Details page
appears.

4. After reviewing the password view request reason details from the received email
notification, approve, deny, or expire the request by:

Clicking Approve to approve the password view request.

Clicking Deny to reject a password view request.

Clicking Expire to expire a password view request.

Notes:

Approve, Deny, and Expire are one time actions. This means that a password view
request can be approved, denied, or expired only once.

The status of a password view request changes automatically once the date and time
specified in the request have passed. For example, if the password view request start
date and time is 2012-11-19 18:06 and the end date and time is 2012-11-19 19:06, then
after 2012-11-19 19:06 a request that is still pending changes to Expired, a request
that was approved or denied changes to Approved, Expired, or Denied, and a request
that was checked in or checked out changes to Checked In or Checked Out.

Users also can select multiple Password View Requests and then click Approve All
or Deny All.

Use the following procedure to grant, deny, or expire a request using the GUI “My Approval List”.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Workflow, My Approval List. The My Approval
List page appears.

3. Select a specific pending password view request. The Password View Request Details page
appears.

4. After reviewing the password view request reason details from the received email
notification, approve, deny, or expire the request by:

Clicking Approve to approve the password view request.

Clicking Deny to reject a password view request.

Clicking Expire to expire a password view request.

Use the following procedure to grant a request using the GUI Target Account List.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of current requests.

3. After reviewing the password view request reason details from the received email
notification, click the green Thumbs Up icon. It is located under the Action column for the
account you want to grant the request. The Password View Request Approval pop-up appears.

4. Select the status as Approve. The status field shows Approve as the default value.

Note:

You can switch the status to Deny if you want to deny the request.

5. Select the reason to approve the password view request, from the drop-down list. The Reason
field shows Approve as the default value.

6. (Optional) Enter the reason description.

7. Click Save. A pop-up appears asking you to confirm your intent.

8. Click OK.

Use the following procedure to deny a request using the GUI Target Account List.

Follow these steps:


1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of current requests.

3. After reviewing the password view request reason details from the received email
notification, click the red Thumbs Down icon. It is located under the Action column for the
account you want to deny the request. Password View Request Approval pop-up window
appears.

4. Select the status as Deny. (The Status field shows Deny as the default value.)

Note:

You can switch the status to approve if you decide to approve the request.

5. Select the Reason to deny the password view request from the drop-down list. (The Reason
field shows Deny as the default value.)

6. (Optional) Enter the reason description.

7. Click Save. A pop-up appears asking you to confirm your intent.

8. Click OK.

Use the following procedure to grant, deny, or expire a request using the GUI Target Account List.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of current requests.

3. After reviewing the password view request reason details from the received email
notification, click the Account Name link for the account whose password view request is to
be approved, denied, or expired. The Password View Request details page appears.

Grant or Deny a Request Without Login


If the password view policy of an account specifies dual authorization with one click approval
enabled, Credential Manager sends an email to the identified approvers for the account when a
person attempts to view the account password.

The password view request email notification contains the request details: the name of the
user who created the request, the account name for the password to be viewed, the target
application name and target server name of the requested account, the password view reason,
the requested time period (in UTC), and two URLs, one to approve and the other to deny the
password view request.


The resulting output can differ based on the email template configuration. See Configuring
Notification Email Templates (see page 287).

The approver can approve or deny the password view request directly from the received email,
without logging in to Credential Manager.

Granting or denying a password view request from the email links works only when the password
view policy has dual authorization with one click approval enabled, and only for approvers who
are registered in Credential Manager with an email address. Because the approve and deny links
act in the approver's name without any further login, the notification email is itself the
authorization: anyone who can read the approver's mailbox can act on the request. Protect
approver mailboxes accordingly.

From the received email notification, the approver can review the password view request reason
details, and then approve or deny the request by:

Clicking the URL for approving the password view request. The request status is updated to
Approved, and a web page displays a password view request approval confirmation message.

Clicking the URL for denying the password view request. The request status is updated to
Denied, and a web page displays a password view request rejection confirmation message.

Under certain conditions, the Approver is redirected to an error page. The conditions that can cause
this outcome include:

The approver is invalid or expired.

The password view request is invalid or expired.

The status is invalid.

The password view request is already approved or denied.

Delete a Password View Request Using the GUI


All password view requests with status Approved, Denied, Pending, or Expired are available in the My
Approval List. Any password view request that is not required can be deleted from the My Approval
List with the GUI.

Use the following procedure to delete a request using the GUI My Approval List.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Workflow, My Approval List. The My Approval
List page appears.

3. Select the check box corresponding the password view requests to be deleted. Click Delete. A
pop-up appears asking you to confirm your intent.

4. Click OK.


You can also automate the deletion of password view requests by setting the Password View
Request Delete Interval days value on the General Settings page. Credential Manager then deletes
password view requests automatically after the specified interval. For example, a value of 2
deletes the password view requests from the My Approval List every two days, with the same
effect as deleting them manually from the My Approval List.

Use the following procedure to set the Password View Request Delete Interval from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Settings, General Settings.

3. Enter the desired number of Password View Request Delete Interval days.

4. Click Save.

Make a Request to View a Password Using the CLI


If the password view policy of an account specifies dual authorization, displaying a password
automatically causes the request to be sent to the approver. See Viewing Target Account Passwords
(see page 336) for the procedure.

In such cases, the XML command string that the operation returns:

Contains a status code of 400, which this CLI uses to indicate a successful operation

Excludes all account details and returns only a warning message stating that the request has
been forwarded for processing

Follow these steps:

1. Search target accounts to retrieve the target account ID:

capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount TargetAccount.userName=dualaccount

2. Enter your password at the prompt.


Credential Manager returns the following XML command string. Note the ID value. In this
example, it is 1005.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<TargetAccount>
<privileged>true</privileged>
<aliases />
<password>{1}3d2876d75f730fcf7b00f974816aa97b</password>


<lastUsed />
<passwordViewPolicyID>1013</passwordViewPolicyID>
<accessType />
<cacheBehavior>useCacheFirst</cacheBehavior>
<cacheDuration>30</cacheDuration>
<compoundServerList>[]</compoundServerList>
<lastVerified />
<lastViewed />
<targetApplicationID>1001</targetApplicationID>
<userName>dualaccountnew</userName>
<compoundAccount>false</compoundAccount>
<passwordVerified>false</passwordVerified>
<synchronize>false</synchronize>
<targetApplication />
<cacheAllow>true</cacheAllow>
<targetServerAlias />
<ID>1005</ID>
<Attribute.extensionType>mssql</Attribute.extensionType>
<Attribute.useOtherAccountToChangePassword>false</Attribute.
useOtherAccountToChangePassword>
<Attribute.cspm_serverkeyid>1</Attribute.cspm_serverkeyid>
<Attribute.descriptor1 />
<Attribute.descriptor2 />
<createDate>Tue Nov 16 12:44:50 UTC 2010</createDate>
<createUser>admin</createUser>
<extensionType>mssql</extensionType>
<hash>FIRqOhKpXV1sg1rsroJzlYHmzH4=</hash>
<updateDate>Tue Nov 16 12:44:50 UTC 2010</updateDate>
<updateUser>admin</updateUser>
</TargetAccount>
</cr.result>
</CommandResult>

3. View the password. Use the ID provided by the output of the previous command:

capam_command adminUserID=admin capam=mycompany.com cmdName=viewAccountPassword TargetAccount.ID=1005 reason=Poweroutagereason reasonDetails="Recover Tuesday pm" PasswordViewRequest.requestPeriodStart="2010-11-16 16:58" PasswordViewRequest.requestPeriodEnd="2010-11-16 17:05"

Quote any parameter value that contains spaces, as shown for the reason details and the
request period; otherwise the shell splits it into separate arguments.

4. Enter your password at the prompt.

Credential Manager returns the following XML command string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.warningCode>4625</cr.warningCode>
<cr.warningMessage>This account has dual authorization enabled. A request to
view the password has been e-mailed to the approvers of this account on your
behalf.</cr.warningMessage>
</CommandResult>


Grant, Deny, or Expire a Request Using the CLI


Use the following procedure to approve or deny a password view request from the CLI using the
updatePasswordViewRequestStatus command.

Follow these steps:

1. Search the password view requests that await your approval to retrieve the request ID:

capam_command adminUserID=admin capam=mycompany.com cmdName=searchPasswordViewRequestByApprover

2. Enter your password at the prompt.


Credential Manager returns the following XML command string. Note the ID value. In this
example, it is 4.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewRequest>
<status>1</status>
<targetAccountID>1</targetAccountID>
<startDate/>
<endDate/>
<requestorID>3</requestorID>
<approverID>-1</approverID>
<ID>4</ID>
<createDate>Wed Sep 10 14:42:20 UTC 2008</createDate>
<createUser>req1</createUser>
<hash>RLMwHaMdENv9mlFnoSsoSOJezJw=</hash>
<updateDate>Wed Sep 10 15:42:20 UTC 2008</updateDate>
<updateUser>req1</updateUser>
<extensionType/>
</PasswordViewRequest>
</cr.result>
</CommandResult>

3. Change the status of the password view request to approved or denied. Use the ID provided
by the output of the previous command:

capam_command adminUserID=admin capam=mycompany.com cmdName=updatePasswordViewRequestStatus PasswordViewRequest.ID=4 PasswordViewRequest.status=approved

4. Enter your password at the prompt.

Credential Manager returns the following XML command string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewRequest>
<status>1</status>
<targetAccountID>1</targetAccountID>
<startDate>Wed Sep 10 15:47:00 UTC 2008</startDate>
<endDate>Wed Sep 10 16:02:00 UTC 2008</endDate>
<requestorID>3</requestorID>
<approverID>1</approverID>
<ID>1</ID>
<createDate>Wed Sep 10 14:42:20 UTC 2008</createDate>
<createUser>req1</createUser>
<hash>Yc5gR/IpPVh8evYKGipQYa9AGXU=</hash>
<updateDate>Wed Sep 10 15:47:09 UTC 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType/>
</PasswordViewRequest>
</cr.result>
</CommandResult>
Use the following procedure to expire a password view request from the CLI using the
expirePasswordViewRequestCmd command.

Follow these steps:

1. Search the password view requests that await your approval to retrieve the request ID:

capam_command adminUserID=admin capam=mycompany.com cmdName=searchPasswordViewRequestByApprover

2. Enter your password at the prompt.


Credential Manager returns the following XML command string. Note the ID value. In this
example, it is 4.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewRequest>
<status>1</status>
<targetAccountID>1</targetAccountID>
<startDate/>
<endDate/>
<requestorID>3</requestorID>
<approverID>-1</approverID>
<ID>4</ID>
<createDate>Wed Sep 10 14:42:20 UTC 2008</createDate>
<createUser>req1</createUser>
<hash>RLMwHaMdENv9mlFnoSsoSOJezJw=</hash>
<updateDate>Wed Sep 10 15:42:20 UTC 2008</updateDate>
<updateUser>req1</updateUser>
<extensionType/>


</PasswordViewRequest>
</cr.result>
</CommandResult>

3. Expire the password view request. Use the ID provided by the output of the previous
command:

capam_command adminUserID=admin capam=mycompany.com cmdName=expirePasswordViewRequestCmd PasswordViewRequest.ID=4

4. Enter your password at the prompt.

Credential Manager returns the following XML command string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
</cr.result>
</CommandResult>

Update the Approval or Denial Reasons for a Request Using the CLI
The reasons that populate the Reason drop-down list when you approve or deny a password view
request in the GUI can be updated with the setSystemProperty command.

To update the list of approval reasons, use:

cspmserver_admin cmdName=setSystemProperty propertyName=viewPasswordApprovalReasons propertyValues=reason1|reason2

To update the list of denial reasons, use:

cspmserver_admin cmdName=setSystemProperty propertyName=viewPasswordDenialReasons propertyValues=reason1|reason2

The | character delimits multiple reasons.

Enable One Click Approval


This feature allows identified approvers to approve or deny a password view request without
logging in to Credential Manager.

When adding or updating the password view policy, select Enable One Click Approval under Dual
Authorization and specify the list of approvers to be notified by email. After one click
approval is enabled in the policy, an email is sent to the identified approvers whenever the
password is viewed. The email contains the password view request details and two URLs, one to
approve and the other to deny the password view request. The approver can approve or deny the
request directly from the received email by clicking the corresponding URL.


Note:

The identified approvers must have Credential Manager user accounts to receive the email
notification. The email address that is associated with the user account is used.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Workflow, Password View Policies. The Password
View Policy List page appears.

3. Click the Name link of the password view policy for which one click approval is to be enabled.
The Password View Policy Details template page appears.

4. Click Dual Authorization.

Click Enable One Click Approval.

Add the approvers to be emailed from the Available Approvers list to the Assigned
Approvers list.

5. To disable one click approval, clear Enable One Click Approval.

Note:

If One Click Approval is disabled, each identified approver still receives an email, but
without the links to approve or deny the password view request.

6. Click Save.

Configure Approval Role


If dual authorization is enabled, a user with an Approver role must grant approval before the
password can be viewed.

Use the procedures that are described in Add or Modify Roles (see page 360) to create the Approver
role. The new role must have the following permissions:

listPasswordViewRequestByApprover

updatePasswordViewRequestStatus

In addition, an Approver must have a valid email address. Their user group must also be able to
access the accounts they are approving.


Check Out and Check In a Password


If an account has a Checkout/Checkin view policy, a person wanting to view the account password
can only do so after the account has been checked out. The person then has exclusive access to the
password. While it is checked out, other persons cannot view the password nor can they change any
aspect of the account in any way. Once the password is checked back in to Credential Manager,
others can view it and can update it.

The Checkout/Checkin password view policy can have a time interval, after which the account is
automatically checked back in.

Sometimes an administrator needs immediate access to a password that is checked out. In these
cases, the administrator can remove the restriction on the account by checking in the account on
behalf of another user. By default, only the administrator role has permission to force a check-in
operation. If necessary, you can configure other roles with this permission.

Check Out a Password Using the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of existing accounts.

3. In the account list, select the account for which you want to view the password. The Account
Details page appears.

4. Click the blue View icon (it resembles an eye), located under the Action column of the
account list. A page appears prompting you for your password and the reason for viewing the
target password.

5. Enter your (Credential Manager administrator) password.

Note:

The password field is displayed if the target account is authenticated.

6. Select your reason for viewing the (target account) password.

7. (Optional) Enter the reason description.

8. Click View.
The GUI displays the account User ID and the password. The GUI also notifies you that the
account is checked out.

9. Click OK.


View the Password Check-Out User


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of existing accounts.

3. In the account list, click the blue Checkout (“Account is checked out”) icon. The Checkout icon
resembles an eye with an X across it. It is located under the Action column of the account list.
A page appears showing who has checked out the password.
The Reference Code is shown only if the requestor has entered the reference code in View
Account Password Request screen before viewing the account password.

Check in a Password Using the GUI


When you check out an account password, no other user can view the password or can change the
account. Checking in the password removes this restriction and frees the account for use by others.
In emergency situations, an administrator can check in a password on behalf of another user.

You can check in an account password by using the following tabbed pages:

Credential Manager menu Targets, Accounts

Credential Manager menu Workflow, My Requests

CA Privileged Access Manager menu Access

Use the following procedure to check in a password using the Targets, Accounts page.

Follow these steps:

1. Select Policy, Manage Passwords, then from the new tab/window menu bar, select Targets,
Accounts. For the account you want to check in, do one of the following actions:

In the right column that is labeled Action, click the blue Check-In icon. The Check-In icon
resembles a right arrow pointing inside a box.

In the left column that is labeled Account Name, click the name to open the Account
Details page. Then, click the blue Check-In icon.

A message confirms the check-in operation, and the account password is checked in.

Use the following procedure to check in a password using the Workflow, My Requests page.

Follow these steps:

1. Select Policy, Manage Passwords, then from the new tab/window menu bar, select Workflow,
My Requests. The My Requests page appears.


2. Select the account (with status “Checked Out”) for which you want to view checkout details.
The Password View Request Details page appears.

3. Click the Check In button. The account password is checked in.

Use the following procedure to check in a password using the Access page.

Follow these steps:

1. If you are an administrator, select Access from the CA Privileged Access Manager main menu.
Otherwise, your home page is the (unlabeled) Access page.
When an administrator views, and by so doing checks out, a password for a user, the system
lists the checked-out passwords at the top of the Access page. The count of passwords is also
shown in bold in the upper left.

Note:

If you are not an administrator, you might need to log out and log in again before
checked-out passwords are visible.

2. To check in the password, click Check In in the right-hand column of the password line item.

Force a Password Check-In Using the GUI


When you check out an account password, the checkout restricts others from viewing the password
and changing the account. However, sometimes the administrator must override this restriction. If an
account is checked out and the administrator requires access to it, the administrator can check in an
account on behalf of another user. When the administrator forces a check-in operation, any required
activities that are associated with that operation also occur, for example, an update of the account
password.

The administrator can check in an account on behalf of another user by using the following
tabbed pages:

Credential Manager menu Targets, Accounts

Credential Manager menu Workflow, All Requests

Use the following procedure to check in a password using the Targets, Accounts page.

Follow these steps:

1. Select Policy, Manage Passwords, then from the new tab/window menu bar, select Targets,
Accounts. For the account you want to check in, do one of the following actions:


In the right column that is labeled Action, click the blue Check-In icon. The Check-In icon
resembles a right arrow pointing inside a box.

In the left column that is labeled Account Name, click the name to open the Account
Details page. Then, click the blue Check-In icon.

A message confirms the check-in operation, and the account password is checked in.

Use the following procedure to check in a password using the Workflow, All Requests page.

Follow these steps:

1. Select Policy, Manage Passwords, then from the new tab/window menu bar, select Workflow,
All Requests. The All Requests page appears.

2. Select the account (with status “Checked Out”) for which you want to view checkout details.
The Password View Request Details page appears.

3. Click the Force Check In button. The account password is checked in.

Check Out a Password Using the CLI


Displaying a password automatically causes the password to be checked out if the account password
view policy specifies it.

Use the following procedure to view an account password from the CLI.

Follow these steps:

1. Search target accounts to retrieve the target account ID:

capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount TargetAccount.userName=account1

2. Enter your password at the prompt.


Credential Manager returns the following XML command string. Note the ID value. In this
example, it is 1.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.
changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 UTC 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 UTC 2007</updateDate>


<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>

3. View the password. Use the ID provided by the output of the previous command.

capam_command adminUserID=admin capam=mycompany.com cmdName=viewAccountPassword TargetAccount.ID=1 reason="Power Outage" reasonDetail=Recovery

Quote any parameter value that contains spaces, as shown for the reason.

4. Enter your password at the prompt.


Credential Manager returns the following XML command string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.warningMessage>You have this account checked out.</cr.warningMessage>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<ID>1</ID>
<privileged>false</privileged>
<aliases/>
<password>cspmpw</password>
<targetApplicationID>1</targetApplicationID>
<passwordViewPolicyID>6</passwordViewPolicyID>
<cacheBehavior>useCacheFirst</cacheBehavior>
<cacheAllow>true</cacheAllow>
<targetServerAlias/>
<accessType/>
<userName>cspmuser</userName>
<cacheDuration>30</cacheDuration>
<synchronize>false</synchronize>
<lastVerified>Wed Sep 10 14:31:08 UTC 2008</lastVerified>
<passwordVerified>false</passwordVerified>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<createDate>Wed Sep 10 15:31:08 UTC 2008</createDate>
<createUser>admin</createUser>
<hash>GiymUJ8e6bKzDrQgkbp/tPRZPXQ=</hash>

<updateDate>Wed Sep 10 15:31:08 UTC 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType>windows</extensionType>
</TargetAccount>
</cr.result>
</CommandResult>

Check in a Password Using the CLI


Use the following procedure to check in a password from the CLI using the
checkInAccountPassword command.

Follow these steps:

1. Search target accounts to retrieve the target account ID of the account that was previously
checked out:

capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount TargetAccount.userName=account1

2. Enter your password at the prompt.


Credential Manager returns the following XML command string. Note the ID value. In this
example, it is 1.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.
changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 UTC 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 UTC 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>


3. Check in the password. Use the ID provided by the output of the previous command.

capam_command adminUserID=admin capam=mycompany.com cmdName=checkInAccountPassword TargetAccount.ID=1

4. Enter your password at the prompt.


Credential Manager returns the following XML command string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewRequest>
<status>1</status>
<targetAccountID>1</targetAccountID>
<startDate>Wed Sep 10 15:34:00 UTC 2008</startDate>
<endDate>Wed Sep 10 19:34:00 UTC 2008</endDate>
<requestorID>1</requestorID>
<approverID>-1</approverID>
<ID>3</ID>
<createDate>Wed Sep 10 14:34:51 UTC 2008</createDate>
<createUser>admin</createUser>
<hash>fcWQRQVNDoGOFxpvM/DLZGlu6l4=</hash>
<updateDate>Wed Sep 10 15:34:51 UTC 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType/>
</PasswordViewRequest>
</cr.result>
</CommandResult>

Force a Password Check-In Using the CLI


When you check out an account password, the checkout restricts others from viewing the password
and from changing the account. However, sometimes the administrator must override this
restriction. If an account is checked out and the administrator requires access to it, the administrator
can check in an account on behalf of another user. When the administrator forces a check-in
operation, any required activities that are associated with that operation also occur, for example, an
update of the account password.

Follow these steps:

1. Search target accounts to retrieve the target account ID of the account that was previously
checked out:

capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount TargetAccount.userName=account1

2. Enter your password at the prompt.


Credential Manager returns the following XML command string. Note the ID value. In this
example, it is 1.

<CommandResult>


<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.
changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 UTC 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 UTC 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>

3. Check in the password. Use the ID provided by the output of the previous command.

capam_command adminUserID=admin capam=mycompany.com cmdName=forceCheckInAccountPassword TargetAccount.ID=1

4. Enter your password at the prompt.


Credential Manager returns the following XML command string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewRequest>
<status>1</status>
<targetAccountID>1</targetAccountID>
<startDate>Wed Sep 10 15:34:00 UTC 2008</startDate>
<endDate>Wed Sep 10 19:34:00 UTC 2008</endDate>
<requestorID>1</requestorID>
<approverID>-1</approverID>
<ID>3</ID>
<createDate>Wed Sep 10 14:34:51 UTC 2008</createDate>
<createUser>admin</createUser>
<hash>fcWQRQVNDoGOFxpvM/DLZGlu6l4=</hash>

<updateDate>Wed Sep 10 15:34:51 UTC 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType/>
</PasswordViewRequest>
</cr.result>
</CommandResult>
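A script that drives capam_command has to read the CommandResult XML shown in the CLI procedures above rather than grep for the word Success: a view under dual authorization returns status 400 with warning code 4625 and no account details, a view under a Checkout/Checkin policy returns the password plus a warning message, and a search returns the IDs that the next command needs. The following parser is an added example written for this page; it is not CA code and is not shipped with CA Privileged Access Manager. Its sample responses are constructed by trimming the outputs shown in this section, and its outcome names, as well as its reading of approverID -1 as "nobody has acted on this request yet", are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SUCCESS_CODE = 400          # capam_command reports success as status code 400
DUAL_AUTH_FORWARDED = 4625  # warning code: request e-mailed to the approvers


def _child_text(elem, tag):
    """Text of the first direct child named tag; iterating children avoids
    XPath surprises with dotted names such as cr.statusCode."""
    for child in elem:
        if child.tag == tag:
            return (child.text or "").strip()
    return None


@dataclass
class CommandResult:
    status_code: int
    status_description: str
    warning_code: Optional[int]
    warning_message: Optional[str]
    records: list  # (record tag, {field tag: text}) per child of cr.result

    def outcome(self):
        if self.status_code != SUCCESS_CODE:
            return "FAILED"
        if self.warning_code == DUAL_AUTH_FORWARDED:
            return "FORWARDED"    # password withheld until an approver acts
        if self.warning_message and "checked out" in self.warning_message.lower():
            return "CHECKED_OUT"  # password returned; account now exclusively yours
        return "OK"

    def ids(self):
        """IDs of the returned records, e.g. the TargetAccount.ID to pass on."""
        return [int(f["ID"]) for _, f in self.records if "ID" in f]

    def password(self):
        """Cleartext password, or None when the response carries none."""
        for tag, f in self.records:
            if tag == "TargetAccount" and f.get("password"):
                return f["password"]
        return None

    def pending_request_ids(self):
        """PasswordViewRequest IDs nobody has acted on (assumption: such a
        request shows approverID -1, as in the samples in this section)."""
        return [int(f["ID"]) for tag, f in self.records
                if tag == "PasswordViewRequest" and f.get("approverID") == "-1"]


def parse_command_result(xml_text):
    root = ET.fromstring(xml_text.strip())
    if root.tag != "CommandResult":
        raise ValueError(f"unexpected root element {root.tag!r}")
    status = _child_text(root, "cr.statusCode")
    if status is None:
        raise ValueError("CommandResult without cr.statusCode")
    warning = _child_text(root, "cr.warningCode")
    records = []
    for result in (c for c in root if c.tag == "cr.result"):
        for rec in result:
            records.append((rec.tag, {f.tag: (f.text or "").strip() for f in rec}))
    return CommandResult(int(status), _child_text(root, "cr.statusDescription") or "",
                         int(warning) if warning else None,
                         _child_text(root, "cr.warningMessage"), records)


# Constructed samples, trimmed from the responses shown in this section.
SEARCH_ACCOUNT = """<CommandResult>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result><TargetAccount>
<passwordViewPolicyID>1013</passwordViewPolicyID>
<userName>dualaccountnew</userName>
<ID>1005</ID>
</TargetAccount></cr.result>
</CommandResult>"""

VIEW_FORWARDED = """<CommandResult>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.warningCode>4625</cr.warningCode>
<cr.warningMessage>This account has dual authorization enabled. A request to
view the password has been e-mailed to the approvers of this account on your
behalf.</cr.warningMessage>
</CommandResult>"""

VIEW_CHECKED_OUT = """<CommandResult>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.warningMessage>You have this account checked out.</cr.warningMessage>
<cr.result><TargetAccount>
<ID>1</ID><userName>cspmuser</userName><password>cspmpw</password>
</TargetAccount></cr.result>
</CommandResult>"""

PENDING_REQUESTS = """<CommandResult>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result><PasswordViewRequest>
<status>1</status><targetAccountID>1</targetAccountID>
<requestorID>3</requestorID><approverID>-1</approverID><ID>4</ID>
</PasswordViewRequest></cr.result>
</CommandResult>"""
```

Feed the standard output of capam_command to parse_command_result and branch on outcome(): FORWARDED means the request is now with the approvers, so the script should stop and wait rather than retry the view; CHECKED_OUT means the script now holds an exclusive check-out and must run checkInAccountPassword when it is done, or the account stays locked for other users until the policy's interval elapses or an administrator forces a check-in.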

Enable Email Notification


This feature allows certain users to receive email notification when another user views an account
password. Email notification is mutually exclusive with the dual authorization feature.

Note:

Emails are sent only for successful initial password view requests. For example, if the
password is viewed for an already checked out account, no email is sent.

If the administrator does not want to enable dual authorization, but wants to receive notification
whenever the password is viewed, the administrator must enable the Email Notification option from
the Password View Policy Details page when adding or updating the policy.

When adding or updating the policy, the administrator can specify whether to use the dual
authorization list of approvers or select a new set of users to receive email notification. The
administrator also can specify to send the email notification only to the active users from the list of
identified users. After email notification is enabled in the policy, an email is sent to the selected users
whenever the password is viewed.

Note:

The identified users must have Credential Manager user accounts to receive the email
notification. The email address that is associated with the user account is used.

Use the Email Settings page to customize the email message to be sent to the users identified in the
policy. See Configure Notification Email Templates (see page 287).

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Workflow, Password View Policies. The Password
View Policy List page appears.

3. Click the Name link of the password view policy for which Email Notification is to be enabled.
The Password View Policy Details page appears.

4. Click Email Notification.


Click the Approvers for dual authorization option button to send email to the list of dual
authorization approvers.

Click the Following Users option button to send email to a new set of users. Add the users to
be emailed from the Available Users list to the Assigned Users list.

Select the Send only to Active Users check box if only the active users from the selected list
(the dual authorization approvers or the new set of users) are to be emailed.

5. To disable Email Notification, clear Requires Email Notification.

6. Click Save.

Configure Email Templates


This content describes how to configure default templates for email notifications in CA Privileged
Access Manager Credential Manager.

If dual authorization and email notification are enabled, authorization requests, approvals, and
viewed password information trigger email notifications. The email contains text and clickable links.

Credential Manager supplies default templates for the following types of email:

The request email (from a requestor to list of approvers)

The request status email (from an approver to a requestor informing them whether the request
was approved or denied)

The password view email (from a user to a set of users when a password is viewed)

The expired password view request email (from the approver who expires the password view
request, or auto-generated by Credential Manager when a request in Pending status expires, to the
requestor and the other approvers in the dual authorization list)

The one click approval email (from a requestor to a list of approvers)

The report results email (from a requestor to a list of approvers)

The email templates contain tokens that Credential Manager uses to look up request-specific items
when generating the email. The tokens are case-sensitive and use the following syntax:

@ClassName.methodName@

The allowed values of ClassName and methodName vary depending on the type of email.

You can customize the content of the request email, the request status email, the password view
email, the expired password view request email, the one click approval email, and the report results
email using the Email Settings GUI page or the setSystemProperty CLI command.


Configure the Email Server


This section describes how to configure the connection between Credential Manager and the email
server.

Note:

The email server, application, and account must already be provisioned as targets in
the database before the email template can be configured through the GUI.

Configure the Email Server from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Settings, Email Settings. The Email Settings page
appears.

3. Click the magnifying glass to select your email account from the Find Account popup or type
the email target account name in the Account Name field.
The Host Name field is automatically populated with the name of the target server. If the
email server is different from the target server, then edit the field as required.

4. Enter the Server Port number for the email server.

5. Enter the Credential Manager server host name to use in the approve and deny URLs. These
URLs are sent in the email whenever a request to view the password of an account with
one-click approval enabled is generated.

Note:

By default, the primary site host name is used. An administrator can edit this
name.

6. Enter the email address to use in the From field.

Configure the Email Server from the CLI


Define the property values for the email service with the setSystemProperty command.

Follow these steps:

1. Specify the first property for the email service:

capam_command adminUserID=admin capam=mycompany.com cmdName=setSystemProperty
    propertyName=emailServerHost propertyValues=mail.yourdomain.com encryptValue=false

2. Repeat the previous step for each property as required. Refer to the following table.

Property Name         Value                          Required  Notes                                  encryptValue

emailServerHost       mail.yourdomain.com            Yes       Host name of the mail server           False
emailServerPort       Port number                    No        Port number the SMTP service is        False
                                                               listening on. Default is 25.
emailTransportType    smtp                           No        Email transport type. Default is smtp  False
emailTargetAccountID  Target account ID of the       No                                               False
                      email setting
oneclickServerHost    mail.yourdomain.com            Yes       Credential Manager Primary Host name   False
emailFromAddress      view_requests@yourdomain.com   Yes       The "From" address for emails          False

Configure the Request Email


This section describes how to configure the request email through the template. The request email
template contains tokens. Credential Manager populates the tokens at runtime.

Configure the Request Email Template from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Settings, Email Settings.

3. Modify the template text for the Request Subject and Request Body as desired.
For the request email, @ClassName.methodName@ tokens can have the value pairs that
are shown in the following table.

ClassName Values      methodName Values

TargetAccount         getUserName
TargetApplication     getName
TargetServer          getDeviceName, getHostName
PasswordViewPolicy    getName
PasswordViewRequest   getReason, getReasonDescription, getSsoType
User                  getUserID (the user name generating the password view request)

Configure the Request Email Template from the CLI


Follow these steps:

1. Specify the first property for the request email template:

capam_command adminUserID=admin capam=mycompany.com cmdName=setSystemProperty
    propertyName=emailRequestBody propertyValues="Do not reply to this email. A
    password view request has been submitted by user @User.getUserID@ to view the
    password for account @TargetAccount.getUserName@ of application
    @TargetApplication.getName@ on server @TargetServer.getHostName@. The password
    view request reason is @PasswordViewRequest.getReason@
    (@PasswordViewRequest.getReasonDescription@). Please login to the CPA system and
    manage this request."

2. Repeat the previous step for each property as required. Refer to the following table.

Property Name        Default Value                                                          Required

emailRequestBody     Do not reply to this email. A password view request has been           No
                     submitted by user @User.getUserID@ to view the password for account
                     @TargetAccount.getUserName@ of application @TargetApplication.getName@
                     on server @TargetServer.getHostName@. The password view request reason
                     is @PasswordViewRequest.getReason@
                     (@PasswordViewRequest.getReasonDescription@). Please login to the CPA
                     system and manage this request.
emailRequestSubject  Password View Request for target account @TargetAccount.getUserName@   No
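The following is an added example (not Credential Manager's own code) of how a customized request email template can be checked before it is applied with setSystemProperty: it extracts the case-sensitive @ClassName.methodName@ tokens, rejects any pair that is not in the request email token table above, and renders the default request body with sample values. REQUEST_EMAIL_TOKENS is built from that table; SAMPLE_REQUEST is a constructed request, not data from the product.

```python
import re
from typing import Dict, Set, Tuple

# Token syntax documented on this page: @ClassName.methodName@, case-sensitive.
TOKEN_RE = re.compile(r"@([A-Za-z]+)\.([A-Za-z]+)@")

# Allowed ClassName/methodName pairs for the request email, from the table on this page.
REQUEST_EMAIL_TOKENS: Dict[str, Set[str]] = {
    "TargetAccount": {"getUserName"},
    "TargetApplication": {"getName"},
    "TargetServer": {"getDeviceName", "getHostName"},
    "PasswordViewPolicy": {"getName"},
    "PasswordViewRequest": {"getReason", "getReasonDescription", "getSsoType"},
    "User": {"getUserID"},
}


def find_tokens(template: str) -> Set[Tuple[str, str]]:
    """Return the (ClassName, methodName) pairs referenced by a template."""
    return {(m.group(1), m.group(2)) for m in TOKEN_RE.finditer(template)}


def invalid_tokens(template: str, allowed: Dict[str, Set[str]]) -> Set[str]:
    """Tokens that cannot be looked up for this email type.

    Tokens are case-sensitive, so @user.getUserID@ is rejected even though
    @User.getUserID@ is allowed; a method valid for another email type
    (for example User.getFirstName in the request status email) is rejected too.
    """
    return {
        f"@{cls}.{method}@"
        for cls, method in find_tokens(template)
        if method not in allowed.get(cls, set())
    }


def render(template: str, values: Dict[Tuple[str, str], str],
           allowed: Dict[str, Set[str]]) -> str:
    """Substitute every allowed token with its value; refuse unknown tokens."""
    bad = invalid_tokens(template, allowed)
    if bad:
        raise ValueError("unknown tokens: " + ", ".join(sorted(bad)))

    def lookup(m: re.Match) -> str:
        key = (m.group(1), m.group(2))
        if key not in values:
            raise KeyError(f"no value supplied for @{key[0]}.{key[1]}@")
        return values[key]

    return TOKEN_RE.sub(lookup, template)


# Default request body as documented on this page.
DEFAULT_REQUEST_BODY = (
    "Do not reply to this email. A password view request has been submitted by user "
    "@User.getUserID@ to view the password for account @TargetAccount.getUserName@ of "
    "application @TargetApplication.getName@ on server @TargetServer.getHostName@. "
    "The password view request reason is @PasswordViewRequest.getReason@ "
    "(@PasswordViewRequest.getReasonDescription@). Please login to the CPA system and "
    "manage this request."
)

# Constructed sample request; these values are invented for the example.
SAMPLE_REQUEST: Dict[Tuple[str, str], str] = {
    ("User", "getUserID"): "jdoe",
    ("TargetAccount", "getUserName"): "dbasys",
    ("TargetApplication", "getName"): "Oracle-PROD",
    ("TargetServer", "getHostName"): "db01.example.com",
    ("PasswordViewRequest", "getReason"): "Maintenance",
    ("PasswordViewRequest", "getReasonDescription"): "Patch window",
}

if __name__ == "__main__":
    print(render(DEFAULT_REQUEST_BODY, SAMPLE_REQUEST, REQUEST_EMAIL_TOKENS))
```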

Configure the Request Status Email


This section describes the configuration of the request status email template.

Configure the Request Status Email Template from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Settings, Email Settings.

3. Modify the template text for the Request Status Update Subject and Request Status Update
Body as desired.
For the request status email, @ClassName.methodName@ tokens can have the value pairs
that are shown in the following table.

ClassName Values      methodName Values

TargetAccount         getUserName
TargetApplication     getName
TargetServer          getDeviceName, getHostName
PasswordViewPolicy    getName
PasswordViewRequest   getStatusString, getSsoType, getApprovalReason, getApprovalReasonDescription
User                  getUserID, getFirstName, getLastName

Configure the Request Status Email Template from the CLI


Follow these steps:

1. Specify the first property for the request status email template:

capam_command adminUserID=admin capam=mycompany.com cmdName=setSystemProperty
    propertyName=emailRequestStatusBody propertyValues="Do not reply to this email.
    The status of your request to view password for the account
    @TargetAccount.getUserName@ of application @TargetApplication.getName@ in server
    @TargetServer.getHostName@, is: @PasswordViewRequest.getStatusString@."

2. Repeat the previous step for each property as required. Refer to the following table.

Property Name             Default Value                                                       Required

emailRequestStatusBody    Do not reply to this email. The status of your request to view      No
                          password for the account @TargetAccount.getUserName@ of application
                          @TargetApplication.getName@ in server @TargetServer.getHostName@,
                          is: @PasswordViewRequest.getStatusString@.
emailRequestStatusSubject Password View Request Status for account                            No
                          @TargetAccount.getUserName@

Configure the Password View Email


This section describes how to configure the password view email through the template. The
template contains tokens that Credential Manager populates at runtime.

Configure the Password View Email Template from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Settings, Email Settings.

3. Modify the template text for the Password View Subject and Password View Body as desired.
For the password view email, @ClassName.methodName@ tokens can have the value pairs
that are shown in the following table.

ClassName Values      methodName Values

TargetAccount         getUserName
TargetApplication     getName
TargetServer          getHostName, getDeviceName
PasswordViewPolicy    getName
PasswordViewRequest   getSsoType, getReason, getReasonDescription
User                  getUserID (the user name viewing the password)

Configure the Password View Email Template from the CLI


Follow these steps:

1. Specify the first property for the password view email template:

capam_command adminUserID=admin capam=mycompany.com cmdName=setSystemProperty
    propertyName=emailPasswordViewBody propertyValues="Do not reply to this email.
    The Password for the account @TargetAccount.getUserName@ of application
    @TargetApplication.getName@ on server @TargetServer.getHostName@ has been
    accessed by user @User.getUserID@."

2. Repeat the previous step for each property as required. Refer to the following table.

Property Name             Default Value                                                     Required

emailPasswordViewBody     Do not reply to this email. The Password for the account          No
                          @TargetAccount.getUserName@ of application
                          @TargetApplication.getName@ on server @TargetServer.getHostName@
                          has been accessed by user @User.getUserID@.
emailPasswordViewSubject  Password of account @TargetAccount.getUserName@ has been           No
                          accessed by @User.getUserID@

Configure the Expired Password View Request Email


This section describes how to configure the expired password view request email through the
template. The template contains tokens that Credential Manager populates at runtime.

Configure the Expired Password View Template from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Settings, Email Settings.

3. Modify the template text for the Expired Password View Request Subject and Expired
Password View Request Body as desired.
For the expired password view request email, @ClassName.methodName@ tokens can
have the value pairs that are shown in the following table.

ClassName Values      methodName Values

TargetAccount         getUserName
TargetApplication     getName
TargetServer          getHostName, getDeviceName
PasswordViewPolicy    getName
PasswordViewRequest   getSsoType
User                  getUserID (the user name generating the password view request)

Configure the Expired Password View Template from the CLI


Follow these steps:


1. Specify the first property for the expired password view request email template:

capam_command adminUserID=admin capam=mycompany.com cmdName=setSystemProperty
    propertyName=emailExpiredPasswordViewRequestBody propertyValues="Do not reply to
    this email. The Password View Request for the account @TargetAccount.getUserName@
    of application @TargetApplication.getName@ on server @TargetServer.getHostName@
    requested by user @User.getUserID@ has expired."

2. Repeat the previous step for each property as required. Refer to the following table.

ClassName Values      methodName Values

TargetAccount         getUserName
TargetApplication     getName
TargetServer          getHostName
PasswordViewPolicy    getName
PasswordViewRequest   getReason, getReasonDescription, getStartDate, getEndDate
User                  getUserID (the user name generating the password view request)

Configure the One Click Approval Email


This section describes how to configure the one click approval email through the template. The
template contains tokens that Credential Manager populates at runtime.

Configure the One Click Approval Email Template from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Settings, Email Settings.

3. Modify the template text for the One Click Approval Subject and One Click Approval Body as
desired.
For the one-click approval email, @ClassName.methodName@ tokens can have the value
pairs that are shown in the following table.

ClassName Values      methodName Values

TargetAccount         getUserName
TargetApplication     getName
TargetServer          getHostName, getDeviceName
PasswordViewPolicy    getName
PasswordViewRequest   getReason, getReasonDescription, getStartDate, getEndDate, getSsoType
User                  getUserID (the user name generating the password view request)

The one-click approval email template also contains the following specialized tokens:

@PasswordViewRequestIdentifier.getApprovalUrl@ - Use this token to show the URL to approve the
password view request.

@PasswordViewRequestIdentifier.getDenialUrl@ - Use this token to show the URL to deny the
password view request.

Configure the One Click Approval Email Template from the CLI


Follow these steps:

1. Specify the first property for the one click approval email template:

capam_command adminUserID=admin capam=mycompany.com cmdName=setSystemProperty
    propertyName=emailOneClickApprovalBody propertyValues="Do not reply to this
    email. <br><br>A password view request has been submitted with the following
    details: <br>Requestor : @User.getUserID@<br> Requested Account:
    @TargetAccount.getUserName@<br> Requested Account Target Application Name:
    @TargetApplication.getName@ <br> Requested Account Target Server:
    @TargetServer.getHostName@<br> Request Reason: @PasswordViewRequest.getReason@
    (@PasswordViewRequest.getReasonDescription@)<br>Start Date:
    @PasswordViewRequest.getStartDate@<br>End Date:
    @PasswordViewRequest.getEndDate@<br><br><a href='@ApprovalURL@'>Click here to
    Approve this Request</a><br><br><a href='@DenialURL@'>Click here to Deny this
    Request</a>."

2. Repeat the previous step for each property as required. Refer to the following table.

Property Name                 Default Value                                                          Required

emailOneClickApprovalBody     Do not reply to this email. <br><br>A password view request has been   No
                              submitted with the following details: <br>Requestor :
                              @User.getUserID@<br> Requested Account:
                              @TargetAccount.getUserName@<br> Requested Account Target Application
                              Name: @TargetApplication.getName@ <br> Requested Account Target
                              Server: @TargetServer.getHostName@<br> Request Reason:
                              @PasswordViewRequest.getReason@
                              (@PasswordViewRequest.getReasonDescription@)<br>Start Date:
                              @PasswordViewRequest.getStartDate@<br>End Date:
                              @PasswordViewRequest.getEndDate@<br><br><a href='@ApprovalURL@'>Click
                              here to Approve this Request</a><br><br><a href='@DenialURL@'>Click
                              here to Deny this Request</a>
emailOneClickApprovalSubject  Password View Request for target account @TargetAccount.getUserName@   No

Configure the Report Results Email


This section describes how to configure the report results email through the template. The
template contains tokens that Credential Manager populates at runtime.

Configure the Report Results Email Template from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Settings, Email Settings.

3. Modify the template text for the Report Results Subject and Report Results Body as desired.

The report results email template contains the following specialized tokens:

@reportName@ - Use this token to show the report name.

@reportStartDate@ - Use this token to show the "From" date of the report results.

@reportEndDate@ - Use this token to show the "To" date of the report results.

Configure the Report Results Email Template from the CLI


Follow these steps:

1. Specify the first property for the report results email template:

capam_command adminUserID=admin capam=mycompany.com cmdName=setSystemProperty
    propertyName=emailReportResultsBody propertyValues="Do not reply to this email.
    The @reportName@ report has been run. The attached results encompass the period
    from @reportStartDate@ to @reportEndDate@."

2. Repeat the previous step for each property as required. Refer to the following table.

Property Name              Default Value                                                  Required

emailReportResultsBody     Do not reply to this email. The @reportName@ report has been    No
                           run. The attached results encompass the period from
                           @reportStartDate@ to @reportEndDate@.
emailReportResultsSubject  Report results for @reportName@                                 No

SSH Key Pair Policies


Credential Manager can generate SSH key pairs for provisioning access to UNIX devices that use
them. To allow this generation, an SSH key pair policy must be specified for the UNIX application type
for the accounts that use key pairs.

Use the following procedure to create an SSH key pair policy using the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, SSH Key Pair Policies. The SSH Key Pair
Policy List page appears.

3. Click Add. The SSH Key Pair Policy Details page appears.

4. Provide a unique name for the policy.

5. (Optional) Provide a description for the policy.

6. Select the SSH key type: RSA or DSA.

7. Specify the SSH key length:

For RSA keys: 1024 bytes, 2048 bytes, or 4096 bytes

For DSA keys: 512 bytes or 1024 bytes

8. Click Test. The GUI notifies you that the options you set are acceptable and shows the sample
SSH key pair fingerprint.

9. Click Save.


Configure Credential Manager Targets


In Credential Manager, devices of type Password Management are also known as target servers.
Target servers host target applications.

Target applications are applications that require credentials to receive communication. You can
configure Credential Manager to either synchronize or store the target credentials. You can retrieve
target credentials from the GUI. A managed script or application can retrieve target credentials using
an A2A Client.

To set up Credential Manager for a target server, follow these steps:

1. Use the GUI to provision a CA Privileged Access Manager Device of type Password
Management. Alternatively, use the addTargetServer CLI command.

2. Provision Password Management on that Device:

a. Add a Target Application (see page 315).

b. Add a Target Account for that application. See Add Target Accounts and Target Aliases
(see page 316). The managed password is an attribute of the target account.

Register Target Accounts


Register both new and updated target accounts in the GUI. Credential Manager divides the target
application registration into four levels:

Devices. The CA Privileged Access Manager Device – or “target server” – is an application server
that hosts one or more target applications that require access credentials. Register the Device
before registering target applications and target accounts. Device names must be unique. The
Devices level applies to both password management and A2A.

Target Applications. The target application is a container for all managed accounts of a single
application, such as all privileged users of an Oracle database. A target application contains one or
more target accounts. The target application also defines the connector for password
synchronization, that is, the mechanism for accessing target accounts. The target application is a
conceptual division of the target data. It allows for multiple applications or entities within the
same server to contain the same account user name. For example, if a given server hosts two
databases, then each database is a unique target application, and each database could have a
uniquely identified user account dbasys. Target application names must be unique within a
given device. The target application level applies to both password management and A2A.

Target Accounts. The target account is the specific set of credentials (for example, user name and
password). Target account user names must be unique for a given target application. The target
account level applies to both password management and A2A.


Target Aliases. Target aliases are used only if you are implementing A2A Credential Manager.
They provide a mechanism to identify uniquely a specific target account with an alias name.
Requesting applications use the target alias when requesting credentials. Target aliases provide
an extra level of security by eliminating the need to hard-code the name of the privileged account
that is used to access the target application.

Account Discovery
As a CA Privileged Access Manager administrator, you want to add accounts easily. CA Privileged
Access Manager provides a feature that discovers and manages accounts. Account Discovery is an
alternative to manually adding target accounts. The product supports discovery of Linux, UNIX,
Windows Domain Service, and LDAP accounts.

Unlike Account Discovery, SSH Key Discovery is not intended to result in the management of private
keys of privileged users. SSH Key Discovery is primarily intended as an audit of SSH keys in the
network. SSH Key Discovery only occurs for application types Linux and UNIX. See SSH Key Discovery
(see page 304) for more information.

Account Discovery Prerequisites


Before you perform Discovery, the product needs to know where to look, so target servers need to
exist. Applications and administrative accounts need to be provisioned in Credential Manager as
target accounts. This administrative account needs to be verified in Credential Manager. See
Configure Credential Manager Targets (see page 298) for more information.

Register Target Servers. See Device Setup (see page 140) or Device Discovery (see page 136) for
more information.

Register Target Applications. See Add Target Applications (see page 315) for more information.
Target applications with support for Discovery display an Account Discovery section for the
identification of privileged accounts. The options in these sections differ by application type:

UNIX applications allow specification of UID and GID values or ranges to limit the accounts
returned by Discovery. The UID and GID values or ranges are used in conjunction, so that the
user needs to satisfy both criteria to be included.

For Windows Domain Service, using Active Directory, you can limit discovered users by
specifying AD Groups. In the Account Discovery section of the Target Application Details, add
one or more Groups, separated by commas. Account Discovery does not find users whose
Primary Group is set to a group you use to discover accounts. The default Primary Group is
“Domain Users” and is not typically changed except for Macintosh clients or POSIX-compliant
applications.

LDAP Application Account Discovery provides four fields to help specify privileged accounts.
Base DN is optional. Account Object is an objectclass name corresponding to accounts or
users in the directory. Name Attribute denotes an account name. Filter allows addition of an
optional filter string to limit your results. For more information, see your LDAP provider
documentation.


Select "Discovery Allowed" in one or more Accounts.


Account properties include a checkbox to indicate that the account is available as a credential for
the discovery process. Any accounts that do not have this box selected are not used as credentials
for a discovery scan.

If "Discovery Allowed" is checked, another checkbox is enabled for UNIX accounts. "Allow
multiple server discovery for this type of application" indicates that this account can be used as a
global discovery account for any server and application of this type. For example, if you have 20
servers with a common account and password, use one account and select this box. Then for any
discovery job with this application type selected, this account is used as a credential for discovery.
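As an added example (not Credential Manager's own discovery code), the following Python reproduces the two selection rules described in the Target Applications prerequisite above: for UNIX applications an account is returned only when both its UID and its GID fall inside the configured values or ranges, and for LDAP applications the Account Object, Name Attribute and Filter fields are combined into one search filter. The comma-separated "low-high" range syntax, the ldap_account_filter helper and the passwd entries are assumptions constructed for the example; the product's actual syntax and query are not shown on this page.

```python
from typing import Iterable, List, Optional, Tuple

Range = Tuple[int, int]


def parse_ranges(spec: str) -> List[Range]:
    """Parse a spec such as "0,100-999" into inclusive (low, high) ranges.

    Assumed syntax: comma-separated single values or low-high ranges.
    """
    ranges: List[Range] = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        low, sep, high = part.partition("-")
        ranges.append((int(low), int(high) if sep else int(low)))
    return ranges


def in_ranges(value: int, ranges: List[Range]) -> bool:
    return any(low <= value <= high for low, high in ranges)


def discover_unix_accounts(passwd_lines: Iterable[str],
                           uid_spec: Optional[str],
                           gid_spec: Optional[str]) -> List[str]:
    """Return user names whose UID and GID both satisfy the configured ranges.

    An empty spec places no restriction on that field. When both are given the
    criteria are used in conjunction, as the page describes: an account must
    satisfy both to be included.
    """
    uid_ranges = parse_ranges(uid_spec) if uid_spec else None
    gid_ranges = parse_ranges(gid_spec) if gid_spec else None
    found: List[str] = []
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed passwd entry: skip rather than guess
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if uid_ranges is not None and not in_ranges(uid, uid_ranges):
            continue
        if gid_ranges is not None and not in_ranges(gid, gid_ranges):
            continue
        found.append(name)
    return found


def ldap_account_filter(account_object: str, name_attribute: str,
                        extra_filter: str = "") -> str:
    """Combine the Account Object, Name Attribute and optional Filter fields
    into a single LDAP search filter (hypothetical helper; the product's own
    query construction is not documented on this page)."""
    parts = [f"(objectClass={account_object})", f"({name_attribute}=*)"]
    if extra_filter:
        if not extra_filter.startswith("("):
            extra_filter = f"({extra_filter})"
        parts.append(extra_filter)
    return "(&" + "".join(parts) + ")"


# Constructed sample /etc/passwd content; not real accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:500:500:Oracle:/home/oracle:/bin/bash
dbasys:x:501:500:DBA:/home/dbasys:/bin/bash
appsvc:x:502:600:App service:/home/appsvc:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    # appsvc has a UID in range but a GID outside it, so it is excluded.
    print(discover_unix_accounts(SAMPLE_PASSWD.splitlines(), "0,500-599", "0,500"))
    print(ldap_account_filter("posixAccount", "uid", "memberOf=cn=admins,dc=example,dc=com"))
```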

Discover Accounts
To perform discovery of accounts, follow these steps:

1. Go to Credential Manager by selecting Manage Passwords from the Policy menu.


The Credential Manager Dashboard appears.

2. Select Discovery from the Targets Menu.


The Discovery panel appears with five tabs.

3. Create a Scan Profile.

4. Run the Scan.

5. View the Scan Results.

6. Bring Accounts under management.

7. (Optional) Export the results to a CSV file.

Scan Profiles
Start by adding a Scan Profile. Follow these steps:

1. Select the Scan Profiles tab and click the Add button.

2. On the Profile tab, name the profile, and give it an optional description. Purge Interval sets
the number of days after which devices that are discovered by this scan are deleted (if not
also discovered by another profile). The Purge Interval default is set on the Global Settings
page, under Basic Settings, as Scan Purge Interval.

3. On the Servers tab, select from Available Servers, moving them to Selected Servers with the
arrow button. The available servers listed are managed Devices. See the Prerequisites section
for more information.

4. Create a schedule to run the scan or run it on demand.

a. Use the Schedule tab to create an optional schedule. Once you select a frequency,
other fields appear. Select the appropriate time intervals. Click OK to save the Scan
Profile.

b. To run the scan on demand rather than on a schedule, click OK to save it. Select the
Scan Profile from the Scan Profiles list, and click the Run button above the list.

Note

Clicking Delete for a highlighted Scan Profile will delete its Scan Profile History. It will also
delete any Accounts associated with that Profile unless they are associated with another
Profile.

Scan Profile Jobs


Once a scan is running, monitor its progress on the Scan Profile Jobs tab. You can also cancel the job
on this panel by clicking Cancel Job. Once it is complete, view a summary of its results on the Scan
Profile History tab.

Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.

Note

The Scan Profile Jobs and other tables are refreshed according to the default set on the
Global Settings page. Table Refresh Interval is in the Basic Settings section, and defaults to
60 seconds.

Scan Profile History


Select the Scan Profile History tab to view the results of the account discovery scans. Each row shows
a Scan Profile, its latest Discovery time, and a summary of the scan results. The summary shows a
count of discovered accounts, how many are new, and not found. "Not found" Accounts were
discovered by a previous run of the same Scan Profile, but are now missing. The Summary shows the
same information about SSH Keys. See SSH Key Discovery (see page ) for more information. The
Summary also shows a count of any errors that were encountered. These numbers refer only to the
latest run of this scan profile.

Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.


View Summary Details


The View Summary Details button opens the Scan Results window. The Scan Information tab displays
the Scan Profile name and the Job Time. The Discovered Accounts, New Accounts, and Not Found
Accounts tabs list the Account Names in each respective category. For information about the
Discovered Keys, New Keys, and Not Found Keys, see the SSH Key Discovery (see page ) section.
The Logs tab displays a table including each action taken regarding this scan.

View Account Scan Results


On the Scan Profile History panel, click a Scan Profile, then on View Account Scan Results to see
information about the discovered accounts. The account name, the device where it was found, the
application, and a timestamp are displayed. A checkbox indicates whether CA Privileged Access
Manager manages the account.

Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.

The Export button creates a CSV file with a row for each Discovered Account listed.

The View button shows the data for the one row whose Account Name box is checked. In its Logs
tab, it displays log information that is not shown in the Account Scan Results panel.

The Manage button brings an account under management. To manage accounts, select one or more
by clicking the box to the left of their names. Then click the Manage button. The Manage Discovered
Accounts window opens.

Manage Discovered Accounts


To manage an account from the Manage Discovered Accounts window, follow these steps:

1. Select a synchronization option. This option is not available if the application type is "Generic."

   Update only the Password Authority Server. Passwords are only updated in Credential
   Manager. Credential Manager and target system passwords can differ.

   Update both the Password Authority Server and the target system. Password updates are
   performed in both Credential Manager and the target system to maintain consistency.

2. For most target account types, a Password Change Process option specifies whether the
managed account can change its own password or whether another, higher-privilege account
must do that. If you select Use the following account to change the password, a field appears
below the legend so that you can select the password-changing account.
NOTE: Some application types allow an account password to be updated from another
account (for example, root). If this situation applies, select that account. The account that is
used to change the password must already be registered in Credential Manager.

3. Select whether the account type is A2A (application-to-application) or Privileged Account. This
choice is only possible if your license allows for A2A devices. If you select A2A, more fields
appear. You can set the Cache Behavior to use the Cache or the Server first, or not use a
cache. You can also set the Cache Expiry in days.

4. Password View Policy allows you to select a policy, including a Default policy. Access
Password View Policies from the Workflow menu.


5. Enter a Password. The Account Details page available from the Accounts option on the
Targets menu has more options. It has Generate Credential, View Credential, and Credential
History options that are not presented here. Once an Account is managed, it can be accessed
from the Accounts page.

6. (Optional) Enter an Access Type. Access type is a reference field for customer convenience. It
can be used to define dynamic target groups. It is not used by Credential Manager.

7. (Optional) Enter Descriptors if you are using target groupings.

8. Click OK to save.

View Scans
To see all scans that have run for a given Profile, click the View Scans button above the Summary.
Clicking the Summary numbers lists the accounts or keys discovered in the same panel as View
Summary Details. You can also click the View Summary Details button to get to this panel.

Discovered Accounts
To see all discovered accounts rather than only the accounts for a given scan, select the Discovered
Accounts tab. The displayed table lists each Account Name, Device Name, Application Name, Latest
Discovery Time, and whether it Is Managed.

Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.

Export
You can export information about discovered accounts or keys to a CSV file for use in spreadsheets
and databases. To export all accounts, click the Export button above the displayed list to generate a
CSV file. The exported CSV file contains the following columns:

Type, UserName, First Name, Last Name, Password, Password Set Time, Phone, Cell Phone, Email,
Description, Active Flag, Activation Time, Last Activation Time, Account Disabled Time, Expiration
Time, Authentication, Email On Login Contact, Email Self On Login Flag, Terminate Session on
Deactivation Flag, Access Times, Provision Type, Group Membership, Applet Message, Roles, Smart
Button Group, User Principal Name, PA Group Membership, Login IP Ranges, API Keys

View
The View button on the Discovered Accounts panel opens a dialog with the same information, except the
discovery time. In the dialog, the fields are available to select and copy.

Manage
The Manage button brings an account under management. To manage accounts, select one or more
by clicking the box to the left of their names. Then click the Manage button. The Manage Discovered
Accounts window opens. For more information, see Manage Discovered Accounts under View
Account Scan Results.

Services and Scheduled Tasks


Discovery of Windows Account Services and Scheduled Tasks remains on the Account Details page,
accessible from the Targets, Accounts menu. See Register Windows Target Accounts (see page 330)
for more information.

Also Available

Credential Manager provides a feature that discovers Linux or UNIX SSH keys for auditing.
See SSH Key Discovery (see page 304) for more information.

SSH Key Discovery


As a CA Privileged Access Manager administrator, you want to audit SSH keys easily. Credential
Manager provides a feature that discovers Linux or UNIX SSH keys. Unlike Account Discovery (see
page 299), SSH Key Discovery is not intended to result in management of discrete private keys of
privileged users. SSH Key Discovery is primarily intended as an audit of SSH keys in the network. SSH
Key Discovery only occurs for application types Linux and UNIX.

Prerequisites
Before you perform Discovery, the product needs registered target servers so that it knows where to
look. It also requires provisioned applications and administrative accounts in Credential Manager as
target accounts. These administrative accounts need to be verified in Credential Manager.

See Configure Credential Manager Targets (see page 298) for more information.

Register target servers

Register applications
Target applications with support for Discovery display an Account Discovery section for the
identification of privileged accounts. The options in these sections differ by application type. UNIX
applications allow specification of UID and GID values or ranges to limit the accounts returned by
Discovery. The UID and GID settings are used in conjunction, so that the targets must satisfy both
criteria to be discovered.

Provision administrative account


For Linux or UNIX accounts, the administrative account doing the discovery needs "sudo"
permissions. If the account has SSH key pairs rather than only a password, add "NOPASSWD" to
its entry in the sudoers file.

sudo Permissions
For SSH Key discovery, the administrative account runs sudo against all these commands:

test

cat

date

ssh-keygen

To test whether an account has sufficient access, issue one of these commands while logged on using
that account. For example:

sudo -l ssh-keygen

Successful commands echo the full command name, while failures report insufficient access:

Sorry, user user may not run sudo on [server].

SSH key discovery skips any accounts with inadequate permissions.

NOPASSWD in sudoers File


If the administrative account uses SSH public/private key pairs, rather than only a password, CA
Privileged Access Manager requires further configuration. Because a CA Privileged Access Manager
account uses either a password or SSH key to connect, it does not respond if the target using SSH key
pairs demands a password. To accommodate this situation, configure the target server not to ask for
a password when using SSH key pairs.

Follow these steps:

1. On the server that is targeted for SSH Key discovery, edit the sudoers file in the /etc directory.

2. Find the entry for the administrative account.

3. Add "NOPASSWD" to its entry. For example:

Account1 ALL=(ALL) NOPASSWD: ALL

4. Repeat for each server targeted for SSH Key discovery.

Allow Discovery

Important

Account properties include a checkbox to indicate that the account is available as a
credential for the discovery process. Any accounts that do not have this box checked are
not used as credentials for a discovery scan.

Note

If "Discovery Allowed" is checked, another checkbox is enabled for UNIX accounts. "Allow
multiple server discovery for this type of application" indicates that this account can be
used as a global discovery account for any server and application of this type. For example,
if you have 20 servers with a common account and password, use one account and select
this box. Then for any discovery job with this application type selected, this account is used
as a credential for discovery.

Discover Keys
To perform discovery of SSH keys, follow these steps:

1. Go to Credential Manager by selecting Manage Passwords from the Policy menu.


The Credential Manager Dashboard appears.

2. Select Discovery from the Targets Menu.


The Discovery panel appears with five tabs.

3. Create a Scan Profile.

4. Run the Scan.

5. View the Scan Results.

6. (Optional) Export the results to a CSV file.

Scan Profiles
Start by adding a Scan Profile. Follow these steps:

1. Select the Scan Profiles tab and click the Add button.

2. On the Profile tab, name the profile, and give it an optional description. Purge Interval sets
the number of days after which devices that are discovered by this scan are deleted. If they have
also been discovered by another profile, they will not be deleted. The Purge Interval default is
set on the Global Settings page, under Basic Settings, as Scan Purge Interval.

3. On the Servers tab, select from Available Servers, moving them to Selected Servers with the
arrow button. The available servers list is populated by managed devices. See the
Prerequisites section for more information.

4. Create a schedule to run the scan or run it on demand.

a. Use the Schedule tab to create an optional schedule. Once you select a frequency,
other fields appear. Select the appropriate time intervals. Click OK to save the Scan
Profile.

b. To run the scan on demand rather than on a schedule, click OK to save it. Select the
Scan Profile from the Scan Profiles list, and click the Run button above the list.

Note

Clicking Delete for a highlighted Scan Profile deletes its Scan Profile History. It also deletes
any Accounts that are associated with that Profile unless they are associated with another
Profile.

Scan Profile Jobs


Once a scan is running, monitor its progress on the Scan Profile Jobs tab. You can also cancel the job
on this panel by clicking Cancel Job. Once it is complete, view a summary of its results on the Scan
Profile History tab.

Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.

Note

The Scan Profile Jobs and other tables are refreshed according to the default set on the
Global Settings page. Table Refresh Interval is in the Basic Settings section, and defaults to
60 seconds.

Scan Profile History


Select the Scan Profile History tab to view the results of the discovery scans. Each row shows a Scan
Profile, its latest Discovery time, and a summary of the scan results. The summary shows a count of
discovered Keys, how many are new, and not found. "Not found" Keys were discovered by a previous
run of the same Scan Profile, but are now missing. The Summary shows the same information about
Accounts. See Account Discovery (see page 299) for more information. The Summary also displays
the number of errors encountered. These numbers refer only to the latest run of this scan profile.

Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.

View Summary Details


The View Summary Details button opens the Scan Results window. The Scan Information tab displays
the Scan Profile name and the Job Time. The Discovered Keys, New Keys, and Not Found Keys tabs list
the Account Names and SSH Key Fingerprints in each respective category. For information about the
Discovered Accounts, New Accounts, and Not Found Accounts, see the Accounts Discovery section.
The Logs tab displays a table including each action taken regarding this scan.

View Key Scan Results


On the Scan Profile History panel, click a Scan Profile. Click View Key Scan Results to see information
about the discovered keys.

Account Name

One or more accounts are associated with an SSH key. This field is named "userIds" in the CSV file.

Fingerprint

Each SSH public key has a fingerprint, a condensed hash of the key that is rendered as a hexadecimal
string. We display the fingerprint as hex pairs separated by colons.

Key File Age

The number of days since the key file was last modified. This number of days might or might not be
the age of the key itself.

Key Size

The size (or length) of the SSH key in bits; usually 1024, 2048, or 4096

Device Name

The computer where the key was discovered. This device is named "targetServerName" in the CSV
file.

Authorized Key File Name

The location of the authorized_keys file where the SSH keys are stored.

Is Managed

The Is Managed box is checked if CA Privileged Access Manager manages the SSH key. Only SSH keys
that are generated and deployed with CA Privileged Access Manager are managed.

The Is Managed field is read-only. To bring a discovered SSH key under CA Privileged Access Manager
management, revoke it manually. Then, create a new key for CA Privileged Access Manager.

The Export button creates a CSV file with a row for each Discovered Account listed.

The View button opens the View Discovered Keys dialog for the Account Name whose box is checked.
The dialog has a Basic Info and Advanced Info tab. The Advanced Info tab displays log information
that is not shown in the Account Scan results panel.

Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.

Discovered Keys
The Discovered Keys tab on the Discovery panel and the View Key Scan Results page contain the
same information. See View Key Scan Results for descriptions of the columns displayed. Click the
View button on the Discovered Keys panel to open the View Discovered Key dialog.

View Discovered Keys


The Basic Info tab of the View Discovered Key dialog contains the same information as the Discovered
Keys tab. The Advanced Info tab provides this additional information:

Key

The Key field displays the entire public key, parts of which are displayed in other fields, including the
modulus or base64 key. For SSH protocol 1, only RSA is supported, and is designated as "rsa1" Key
Type. For RSA1, exponent and modulus are displayed. For the various Key Types supported by SSH
protocol 2, base64 is displayed. The Key field also includes information that is displayed elsewhere as
Key Type, Options, Key Size, and Comment fields.

Key Instance

Because it is possible to duplicate the authorized_keys text file, we provide this field to maintain data
consistency. Any duplicate keys have an incremented integer here, though it is usually 1.

Key Type

Displays the type of SSH key, such as rsa1, ssh-rsa, ssh-dss, ecdsa-sha2-nistp256,
ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

Comment

SSH key generation allows inclusion of comments in the key file, which are displayed in this field if
present.

Revoked

Some systems are configured to allow an SSH key to be revoked. Key Discovery tests each key to see
if it was revoked using the command "ssh-keygen -Q". If so, that is saved as a property.

Bubble Babble

Bubble Babble is an encoding method for binary data fingerprints. It renders the hexadecimal digits
into pseudo words that are more natural and can be pronounced relatively easily.
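As an added illustration of the fields described in View Key Scan Results and View Discovered Keys (example code, not part of CA Privileged Access Manager), the following Python script reads authorized_keys entries and derives the Key Type, Options, Comment, Key Size, Fingerprint, Bubble Babble and Key Instance values. It assumes an MD5 fingerprint over the decoded key blob and a Key Size taken from the RSA modulus, the DSA prime p or the ECDSA curve name; the sample keys, account and device names are constructed.

```python
import base64
import hashlib
import struct
from typing import Dict, List

# Key Types that Discovery reports for SSH protocol 2 entries (rsa1 lines use a different layout).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _read_string(blob: bytes, pos: int):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(v: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint; used here only to build the sample keys."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _string(b"\x00" + b if b and b[0] & 0x80 else b)   # keep the sign bit clear

def key_size_bits(key_type: str, blob: bytes) -> int:
    """Key Size: RSA modulus bits, DSA p bits, or the ECDSA curve size (assumed definition)."""
    if key_type.startswith("ecdsa-sha2-nistp"):
        return int(key_type[len("ecdsa-sha2-nistp"):])
    _, pos = _read_string(blob, 0)          # skip the repeated key-type string
    if key_type == "ssh-rsa":
        _, pos = _read_string(blob, pos)    # skip the public exponent e; the modulus n follows
    elif key_type != "ssh-dss":             # for ssh-dss the prime p comes first
        raise ValueError("unsupported key type: " + key_type)
    big, _ = _read_string(blob, pos)
    return int.from_bytes(big, "big").bit_length()

def md5_fingerprint(blob: bytes) -> str:
    """Fingerprint as hex pairs separated by colons (MD5 over the decoded blob is an assumption)."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def bubble_babble(data: bytes) -> str:
    """Bubble Babble rendering of a digest: pronounceable pseudo-words with a running checksum."""
    vowels, cons = "aeiouy", "bcdfghklmnprstvzx"
    seed, out, rounds = 1, ["x"], len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2:
            b0 = data[2 * i]
            out.append(vowels[((b0 >> 6) + seed) % 6] + cons[(b0 >> 2) & 15] + vowels[((b0 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b1 = data[2 * i + 1]
                out.append(cons[b1 >> 4] + "-" + cons[b1 & 15])
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:                               # even-length input: the closing syllable comes from the seed
            out.append(vowels[seed % 6] + "x" + vowels[seed // 6])
    return "".join(out) + "x"

def parse_authorized_key(line: str) -> Dict[str, object]:
    """Split one authorized_keys line into options, Key Type, base64Key and Comment."""
    options, rest = "", line.strip()
    if rest.split(None, 1)[0] not in KEY_TYPES:
        # Options precede the key; a quoted value such as command="..." may contain spaces.
        quoted, i = False, 0
        while i < len(rest) and (quoted or not rest[i].isspace()):
            if rest[i] == '"' and (i == 0 or rest[i - 1] != "\\"):
                quoted = not quoted
            i += 1
        options, rest = rest[:i], rest[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not a supported protocol 2 authorized_keys entry")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64)
    if _read_string(blob, 0)[0].decode() != key_type:   # the blob repeats the type; they must agree
        raise ValueError("key type field does not match the encoded key")
    return {"keyType": key_type, "options": options, "base64Key": b64,
            "comment": parts[2] if len(parts) == 3 else "",
            "keySize": key_size_bits(key_type, blob), "fingerprint": md5_fingerprint(blob),
            "bubbleBabble": bubble_babble(hashlib.md5(blob).digest())}

def discover_keys(account: str, device: str, path: str, text: str) -> List[Dict[str, object]]:
    """One discovery pass over an authorized_keys file; duplicate keys get Key Instance 2, 3, ..."""
    seen: Dict[str, int] = {}
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        row = parse_authorized_key(line)
        seen[row["fingerprint"]] = seen.get(row["fingerprint"], 0) + 1
        row.update({"userIds": account, "targetServerName": device,
                    "authorizedKeyFileName": path, "keyInstance": seen[row["fingerprint"]]})
        rows.append(row)
    return rows

# Constructed sample keys, not real credentials: a 2048-bit RSA modulus and a 1024-bit DSA prime p.
_RSA_B64 = base64.b64encode(_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 12345)).decode()
_DSA_B64 = base64.b64encode(_string(b"ssh-dss") + _mpint((1 << 1023) | 1) + _mpint((1 << 159) | 1)
                            + _mpint(2) + _mpint(3)).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys file",
    "ssh-rsa " + _RSA_B64 + " deploy@build01",
    'command="/usr/bin/rsync --server",no-pty ssh-rsa ' + _RSA_B64 + " deploy@build01",  # same key again
    "ssh-dss " + _DSA_B64,
])
```

Calling `discover_keys("root", "db01", "/root/.ssh/authorized_keys", SAMPLE_AUTHORIZED_KEYS)` yields three rows; the second carries the same fingerprint as the first with Key Instance 2, which is how a copied authorized_keys entry shows up in the scan results.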

Export
You can export information about discovered SSH keys to a CSV file for use in spreadsheets and
databases. To export all SSH keys, select the Discovered Keys tab. Click the Export button above the
displayed list to generate a CSV file. To export data from a specific scan, select the Scan Profile
History tab. Select a Scan Profile, then click View Key Scan Results. The Export button appears above
the list of keys.

The exported CSV file contains more information than is displayed in the UI. In addition to what is
found in various UI panels, the following fields are presented:

targetApplicationName

The name of the target application given by the CA Privileged Access Manager user during
registration

protocolVersion

SSH Protocol 1 or 2

options

Login options as included in the SSH key file

exponent

Part of SSH protocol 1 (RSA1) key, with values such as 65527

modulus

Part of SSH protocol 1 (RSA1) key, a long integer

base64Key

Part of SSH protocol 2 key, a long base64 representation of the public key

authorizedKeyFileTimestamp

The timestamp of the authorized key file, used to determine Key File Age field

lastLogin

LastLogin displays the last time that this key was used to log in, determined by its last log entry.
LastLogin might be blank if the log file does not go far back enough.

Password Synchronization
When you add a target account, you select whether you want to update only the Credential Manager
database or update both the CA Privileged Access Manager secure password database and the target
system.

Password synchronization is the process of synchronizing the password that is stored in the
Credential Manager database with the same credentials (for example, user names and passwords)
registered in the target application. When passwords are synchronized, credentials are pulled from
the Credential Manager database and sent to the target system. The target system then attempts to
verify that the credentials are accurate.

When a target account is a Windows account, Credential Manager directs the Windows Proxy to
perform the password verification and update.

By using password synchronization, you can configure Credential Manager to update the target
account password:

Immediately

After a password is viewed

When it attains a certain age

On a schedule

Password synchronization needs an associated password composition policy; Credential Manager
generates a password that meets the policy criteria.

You can also update passwords for a group of target accounts, which then have their password
update schedules synchronized. A different type of account grouping, which is known as a compound
account, allows you to update a series of replicated databases with the same password and to keep
their passwords synchronized with each other.

When you activate password synchronization, the communication protocol between Credential
Manager and Credential Manager Devices depends on the target application type. Every application
type has a corresponding target connector, which implements the communication protocol for that
type of target application.

Password synchronization is not available for the Generic application type.

Target Connectors
The following list describes the target connectors (or application types) supported by Credential
Manager.

AS400: Use the AS400 connector to manage user accounts on AS/400 iSeries IBM midrange
systems.

AWS Access Credentials Accounts: This target connector provides a placeholder application for
Amazon Web Services (AWS) access credentials. It can be associated only with the built-in target
server xceedium.aws.amazon.com. It is only available when CA Privileged Access Manager is
licensed for AWS Capability.

AWS Proxy Credential Accounts: This target connector provides a placeholder application for
AWS proxy credentials. It can be associated only with the built-in target server xceedium.aws.
amazon.com. It is only available when CA Privileged Access Manager is licensed for AWS API Proxy
Users.

Cisco: Use the Cisco connector to manage accounts on a Cisco router. It uses either the SSHv2 or
Telnet protocol for communication. The Cisco target connector supports SSH v2; not SSH v1.

Juniper Junos: Use the Juniper Junos connector to manage any Juniper JUNOS® accounts.

LDAP: Use the LDAP connector to manage any accounts that support the OpenLDAP V3 protocol.
Optionally, you can configure the LDAP connector to use LDAP over an SSL connection.

MSSQL: Use the MSSQL connector to manage Microsoft SQL Server accounts. The MSSQL
connector uses JDBC for communication.

MYSQL: This target connector provides password synchronization functionality for MySQL 5
databases.

Oracle: Use the Oracle connector to manage Oracle DBMS accounts. The Oracle connector uses
JDBC for communication.

Palo Alto: Use the Palo Alto connector to manage accounts on Palo Alto routers and PAN-OS.

SPML v2.0: Use the SPML connector to manage any Service Provisioning Markup Language
(SPML) accounts.

UNIX: Use the UNIX connector to manage UNIX-based accounts. It supports SSH, Telnet, and RSA
keys. The UNIX target connector allows for greater customization of the earlier UNIX (deprecated)
target connector.

VMWare ESX/ESXi: This target connector uses WSDL over SSL to support the synchronization of
passwords of ESX/ESXi target accounts.

VMWare NSX Controller: This target connector provides synchronization support for NSX
controller target accounts.

VMWare NSX Manager: This target connector provides synchronization support for NSX manager
target accounts.

VMWare NSX Proxy: This target connector provides synchronization support for NSX proxy target
accounts.

WebLogic: This target connector provides password synchronization functionality for Oracle
WebLogic v10 application servers.

Windows Domain Services: The Windows Domain Services connector and the Windows Proxy
connector both manage Windows accounts. Use the Windows Domain Services connector to
update the password of Active Directory accounts or if you are unable to use the Windows Proxy
connector in your environment. This connector uses the LDAPS (that is, LDAP over SSL) interface
to Active Directory to update account passwords. You can also use this connector to update
Windows services and scheduled tasks if the connector communicates with a deployed Windows
Proxy. The connector performs the following activities:

It verifies and synchronizes the password against an Active Directory database.

It queries one or more DNS servers to find domain controllers (optional).

It uses LDAPS to connect to the domain controller.

If the domain account is used for a service or for a scheduled task, it uses one or more
Credential Manager Windows Proxies to update service credentials or scheduled task
credentials and restart services.

It uses HTTPS and AES encryption for secure communications.

Note:

The Active Directory database must support secure LDAPS connections (typically on port
636). The Windows Domain Services target connector does not support unencrypted LDAP
connections; only LDAPS (LDAP over SSL) connections. The "Domain Controller Port (SSL)"
field in the Windows Domain Services application details can be left blank if the LDAPS
port is the default 636. Otherwise, the port must be populated.

Note:

Port 389 is used for unencrypted LDAP. Credential Manager does not synchronize AD
target accounts using unencrypted LDAP.

Windows Proxy: The Windows Proxy connector and the Windows Domain Services connector
both manage Windows accounts. Use the Windows Proxy connector to manage Active Directory
and Local Windows accounts, and the passwords for local Windows services and scheduled tasks.
This connector uses Windows APIs to make updates to the account, services, and scheduled tasks
passwords. The connector can optionally query one or more DNS servers to find domain
controllers. The Windows Proxy connector uses HTTPS and AES encryption for secure
communications.

Note:

If the guest account in the domain or on the target server is enabled, the Windows Proxy
connector can appear to successfully verify the password of a target account that does
not exist on the target server. Disable the guest account in the domain or on the target
server to avoid this false password verification.

The permissions that are required for the Windows Proxy connector are affected by a number of
architectural deployment decisions, such as:

The type of accounts being managed by the proxy, for example local, domain, or both

Whether passwords on services and scheduled tasks are also being managed

Whether the Windows Proxy connector is deployed on each server, or whether one Windows
Proxy connector is deployed for the domain

If you only manage local Windows accounts, local service passwords, or local scheduled task
passwords and you choose to deploy the proxy on each server or workstation being managed,
then the proxy can be run in the context of local system. This scenario allows successful updates
to the local accounts, services, and scheduled tasks.

If you deploy a single (or multiple for High Availability) proxy to manage multiple servers, the
proxy must operate under an account with adequate privileges to manage the accounts, services,
and scheduled tasks. If you use the Windows Domain Service connector to manage the domain
accounts, then the proxy only needs to run with a domain account that has privileges to change
local passwords, services, or scheduled tasks on the machines being managed.

As a result, the service account being used for the proxy can have its privileges limited to that of a
Domain User. To enable management of local Windows accounts and the passwords on Windows
services and scheduled tasks, the service account must be a member of the Local Administrator
group on the server hosting the Target Account being managed.

To use the Windows Proxy connector to manage Domain accounts too, add the service account to
the domain Account Operators group to allow the proxy to reset passwords in Active Directory.

In addition to the provided target connectors, Credential Manager provides a Generic application
type, which permits credential requests. However, Generic applications do not support password
synchronization.

For more details, see Target Connector Settings (https://docops.ca.com/display/CAPAM28
/Credential+Manager+Target+Connector+Settings).

Target Connector Script Processor


Some target connectors, such as the Cisco and UNIX target connectors, include a large amount of low-
level code to handle communications with the remote host. CA Privileged Access Manager uses a
Script Processor to simplify such communications.

The Script Processor (written in Java) executes a high-level version of the logic for manipulating
credentials on remote hosts. CA Privileged Access Manager uses two scripts to allow different levels
of testing and production use. One script verifies passwords. The other script updates passwords.

The scripts that are provided with CA Privileged Access Manager are known as the default scripts. To
use them, configure a set of default prompts and command values that the script expects to
encounter. The values can be configured with CLI parameters or the CA Privileged Access Manager
GUI parameters when adding target applications and target accounts. Refer to the section for the
specific target connector in Target Connector Settings (https://docops.ca.com/display/CAPAM28
/Credential+Manager+Target+Connector+Settings) for valid values and default values.

If you are using the GUI, use the Update Credentials Script panel to specify the script to be used for
updating credentials. The panel provides the following options:

Use the default script: This option indicates that CA Privileged Access Manager uses the default
script that is provided with the release.

Use a revised default script (requires patch): This option specifies the name of the file containing
the revised update script. The contents of the file are used as the revised script. When selected,
this option opens a field with a drop-down list of available scripts, each of which has been
uploaded from a patch that is supplied by CA Support.

Use a replacement script: This option specifies a replacement update script. When selected, this
option opens a text field in which to insert the replacement script.

Start by selecting Use the default script and make desired changes in the Script Processor. If, after
making your changes, you find that the connector does not work correctly, contact CA Support to
determine the issue. If changes to the script logic are required, your Support representative requests
CA Technologies Engineering to prepare a revised script. The revised script is a temporary script for
testing purposes against a small, representative sample of Target Accounts.

To use a revised script, select the Use a revised default script (requires patch) option and specify the
file. If the revised script works correctly, you can request that CA Engineering create a product patch
to convert the revised script into a replacement script that can be selected using the Script Processor
GUI on a per-Target Application basis. Alternatively, CA Engineering can opt to produce a product
patch that modifies the default script so that the connector behavior is changed for all Target
Applications.

To use a replacement script, select the Use a replacement script option and paste the new script in
the Replacement Script field, and try the operation.

You might need to try more than one replacement script to configure CA Privileged Access Manager
to conform to your OS environment. Only edit the replacement scripts in coordination with
Support. Once a suitable replacement script has been determined, CA Technologies Operations (or
Support) creates a revised script patch that can be applied (on the Upgrade page). Once this patch
has been applied, return to the Update/Verify Credentials Script panel, click Use a revised default
script (requires patch), and select it from the Use which revised script? drop-down list.

Add Target Applications


The target application type refers to the target connector that Credential Manager uses for password
synchronization.

Note:

If you do not select a password composition policy, a built-in policy is used. This policy
specifies a minimum length of four characters and a maximum length of 16 characters with
no character restrictions.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Applications. The Application List page
appears.

3. Click Add. The Application Details page appears.

4. Click the magnifying glass to pick the target.

5. Enter an application name. Application names must be unique for a given target server.

6. Select the application type; for example, UNIX. Extra fields appear depending on the
application type you select.
Use the additional fields to specify data that is required by the target connector to connect
and access an account in the application. For details, see Credential Manager Target
Connector Settings (https://docops.ca.com/display/CAPAM28
/Credential+Manager+Target+Connector+Settings) and Target Connector Script Processor (see
page 314).

7. (Optional) Select a password composition policy.

8. If you are using target groupings, provide descriptors for the target application.

9. Modify or fill in the fields for the particular application type you selected, as required.

10. Click Save.

Your new target application is added to the list of applications on the Application List page.

Add Target Accounts and Aliases


Note:

Create accounts on the native system before registration in Credential Manager. For
example, create an Oracle account on the Oracle database before you register it in
Credential Manager as a synchronized account. Once you register the account in Credential
Manager, the target password benefits from frequent managed updates to reflect the
password that is maintained in the Credential Manager database.

Random Passwords
Credential Manager provides a mechanism to automatically generate a pseudorandom password. For
synchronized accounts, the random password is based on the configured password composition
policy and updates automatically directly on the target system. For Generic accounts, manually
change this password on the target system to agree with the password stored in the secure database.

Synchronized Accounts
Credential Manager automatically verifies synchronized accounts upon initial registration. You can
also use a button in the GUI or the verifyAccountPassword CLI command to manually verify
synchronized target account passwords.

You can schedule password updates for synchronized accounts with the GUI (Targets, Scheduled
Jobs). Alternatively, you can enable password expiration.

A scheduled job can be created to verify the passwords of synchronized accounts.

Compound Accounts
A compound account consists of several accounts on a cluster of servers, all having the same account
name. When a password change occurs, all members of the compound account remain synchronized.
When the password of a compound account is updated, it is changed on all the cluster members. If
the password cannot be changed on one or more of the cluster members, it must be rolled back to
the previous value on all of them to keep the cluster members synchronized.

If a password update fails and the subsequent rollback succeeds, the Verified column of the
Compound section of the Account Details page displays a yellow warning symbol next to the server
on which the update failed. A tooltip indicates the specific error message.

If a password update fails and the subsequent rollback fails, the Verified column displays a red X
symbol next to the server on which the rollback failed. A tooltip displays the specific error message,
and the password on this server is out-of-sync.

Compound accounts respect existing target account functions such as: workflow, scheduled jobs,
auto-connect, and target group membership.

Target Aliases
A target alias enables an A2A requestor to request credentials from a specific account without
transmitting the account user name and password. Target aliases are account-specific and are
generated when the account is created. Privileged password accounts do not use target aliases.

Password Viewing
Credential Manager generates a log entry each time a user views a password.

A report is available that lists each time that an attempt was made to view an account password.

Credential Manager allows GUI users to view target account passwords for both synchronized and
nonsynchronized target accounts. If you enable the change password on view feature, Credential
Manager automatically changes viewed synchronized account passwords after a set time interval.
The change password on view feature works with compound accounts, so the password is changed
on all servers even if only one account is accessed.

Password Updating
When you update a target password and the synchronization flag is set, Credential Manager
automatically verifies the password. When you update any other target account information,
manually perform password verification by clicking Verify Password.

When adding a target account, you can configure Credential Manager to use an alternate account
with sufficient privileges (that is, a master account) to update a specific target account password,
rather than using the target account directly. This method permits Credential Manager to
synchronize headless accounts that do not have permission to change their own passwords. Also, it
ensures that Credential Manager can change the password even if a user has changed the password
manually on the target system.

Selecting to use an alternate account for password updating opens a Find Account pop-up window
with a table listing the target accounts that can be selected and their relevant information (that is,
application name, application type and host name). By default, Credential Manager displays the
target accounts filtered by application name. You can select to filter by account name or host name,
or to show all the target accounts that are defined in the system. All target accounts can be selected.
Typically, the other account is an account of the same application. For example, the password for an
Oracle database account is changed by a privileged account on the same database. It is also possible
to use another account which is associated with a different application.

Using either an LDAP or AD account to change the password of a UNIX account is the only dissimilar
account combination that is supported. It is your responsibility to select compatible combinations.

When using the other account option, the target account that is used to update the password cannot
be the current target account. If you select the current target account, an error message results when
you attempt to save the settings. If you want the current target account to be the account that is
used to change its own password, select the "Account can change own password" option.

The initial password that you enter must be the same as the password on the target account, unless a
user with more privileges (for example, root) is used to update the password.

Complex Passwords with Special Characters


SSH private keys and some complex passwords are difficult to pass to CLI commands because they
can contain special characters such as spaces, line feeds, and carriage returns. The shell (on
Windows and UNIX alike) can reinterpret those characters, so the value that reaches the Credential
Manager server through the shell is corrupt or not what you intended.

To avoid this problem, base-64 encode the complex password before passing it to CLI commands such
as addTargetAccount or updateTargetAccount, and set the passwordIsBase64Encoded parameter of the
command to true.

CA Technologies recommends the following utilities to perform the base-64 encoding:

For Windows, use the b64 utility available at: http://sourceforge.net/projects/base64/.

For Linux and UNIX, use the base64 built-in command.

For OS X, use the base64 built-in command.

CA Technologies recommends the following utilities to verify file hashes:

For Windows, use the Microsoft File Checksum Integrity Verifier utility available at: http://www.
microsoft.com/en-us/download/details.aspx?id=11533.

For Linux, use the sha1sum command.

For OS X, use the shasum command.
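The following POSIX shell script is an added example, not code from the CA documentation. It walks
through the steps this section describes: encode a secret read from a file or a string as a single
base-64 line, decode it again to confirm the round trip, check a downloaded tool's SHA-1 against a
published digest with whichever hashing command the platform has, and assemble the addTargetAccount
command with passwordIsBase64Encoded=true. The appliance name, admin user, host, application and
account names are placeholders taken from the CLI examples later on this page, the multi-line secret
is constructed for the demonstration, and whether passwordIsBase64Encoded takes a TargetAccount.
prefix is not stated on this page, so the script uses it bare and you should confirm the form in the
CLI reference. The script prints the command line rather than running it, so no appliance is needed.

```shell
#!/bin/sh
# Added example, not part of the CA documentation: prepare a secret that
# contains shell-hostile characters (spaces, line feeds, quotes) for
# addTargetAccount/updateTargetAccount, and verify a downloaded tool's SHA-1.
# Assumptions: the appliance, admin user, host, application and account names
# are placeholders; the script prints the capam_command line instead of running it.

# Base-64 encode a secret file as ONE line. GNU base64 wraps at 76 columns by
# default and BSD/macOS base64 does not, so strip newlines for a portable result.
encode_secret_file() {      # usage: encode_secret_file SECRET_FILE
    base64 < "$1" | tr -d '\n'
}

# Same for a secret given as a string; printf '%s' adds no trailing newline,
# so the encoded value is exactly the password and nothing more.
encode_secret_string() {    # usage: encode_secret_string 'secret'
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode the encoded value and compare it byte for byte with the original file.
# Run this before the CLI call: a mismatch means the secret was mangled.
# (Older macOS base64 spells the decode option -D instead of -d.)
verify_roundtrip() {        # usage: verify_roundtrip SECRET_FILE ENCODED
    printf '%s' "$2" | base64 -d | cmp -s - "$1"
}

# Compare a downloaded file's SHA-1 with the digest published for it, using
# sha1sum where it exists (Linux) and shasum elsewhere (macOS).
verify_sha1() {             # usage: verify_sha1 FILE EXPECTED_HEX
    if command -v sha1sum >/dev/null 2>&1; then
        actual=$(sha1sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 1 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# Assemble the addTargetAccount command. Only the base-64 text crosses the
# shell boundary, so the original secret is never re-interpreted by the shell.
# passwordIsBase64Encoded is used bare here (assumption: check your CLI
# reference for whether it needs the TargetAccount. prefix).
build_add_account_cmd() {   # usage: build_add_account_cmd ENCODED_SECRET
    printf '%s %s %s %s %s %s %s %s\n' \
        "capam_command adminUserID=admin capam=mycompany.com" \
        "cmdName=addTargetAccount" \
        "TargetServer.hostName=Vienna-Lab3.cloakware.com" \
        "TargetApplication.name='Generic Application Type'" \
        "TargetAccount.userName=account1" \
        "TargetAccount.password=$1" \
        "passwordIsBase64Encoded=true" \
        "TargetAccount.synchronize=false"
}

# Demonstration with a constructed multi-line secret; an SSH private key is
# handled the same way, read straight from its .pem file.
demo() {
    tmp=$(mktemp) || return 1
    printf 'p@ss word\nsecond line "quoted"\n' > "$tmp"   # constructed sample
    enc=$(encode_secret_file "$tmp")
    if ! verify_roundtrip "$tmp" "$enc"; then
        echo "round trip failed, do not submit this value" >&2
        rm -f "$tmp"
        return 1
    fi
    build_add_account_cmd "$enc"
    rm -f "$tmp"
}

demo
```

The round-trip check is the part worth keeping in any automation: it costs nothing and catches the exact
failure this section warns about (a shell that silently rewrote the secret) before a wrong password is
stored and, for a synchronized account, pushed to the target.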

Add a Target Account from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of existing target accounts.

3. Click Add. The Account Details page appears.

4. Click the magnifying glass to find an existing target server.

5. Click the magnifying glass to find an existing target application on the host server, or click + to
create a new target application. Depending on the application type of the target application,
more fields appear.

6. Enter the account name.


The account name must be unique for a given target application and must be the account
name that is used by the target system. For example, on a UNIX system, the account name is
the UNIX userid.

7. Select the password view policy for the account.

8. Enter an initial account password or click the blue Generate Password icon to generate a
default password. The Generate Password icon looks like a ring with a set of keys. It is located
to the right of the Password field.

9. If you are adding a compound account, see Add a Compound Target Account from the GUI
(see page 320).

10. Select the appropriate synchronization option (for example, update both Credential Manager
and the target system). This option is not available if the application type is “Generic”.

Update only the Password Authority Server: Passwords are only updated in Credential
Manager. Credential Manager and target system passwords can differ.

Update both the Password Authority Server and the target system: Password updates are
performed in both Credential Manager and the target system to maintain consistency.

11. Modify or fill in the fields for the particular type of application you selected, as required.

Note:

Some application types allow an account password to be updated from another
account (for example, root). If this situation applies to you, select that account.
The account that is used to change the password must already be registered in
Credential Manager.

12. Select whether the account type is A2A (application-to-application) or privileged account. This
choice is only possible if your license allows for A2A devices. If you select A2A, more fields
appear allowing you to add the target alias. See Add a Target Alias from the GUI (see page 321)
.

13. (Optional) Enter an access type.


Access type is a reference field for customer convenience. It can be used to define dynamic
target groups. It is not used by Credential Manager.

14. If you are using target groupings, enter descriptors for the target account.

15. Click Save. Your new target account is added to the list of accounts on the Account List page.

For most target account types, a Change Process option specifies whether the managed account can
change its own password or whether another, higher-privilege account must do that. If you select
"Use the following account to change password", a field appears below the legend so that you can
enter the password-changing account.

Add a Compound Target Account from the GUI


Follow these steps:

1. Do steps 1-8 of the Add a Target Account from the GUI (see page 318) procedure.

2. Click the Compound check box. The target server menu appears.

3. Click Add. The target server selection box appears.

4. Click the magnifying glass to find the server you want to add to the compound account.

Note:

The target server that is selected as the host server cannot be added as a
compound server for the account.

5. Repeat steps 3 and 4 until you have added as many servers as you want.
There is no limit on the number of servers you can add, but the functionality has only been
tested to 20 servers.
When adding compound accounts, "Update only the Password Authority Server" is the only
valid synchronization option.

6. Do steps 11-15 of the Add a Target Account from the GUI (see page 318) procedure.

7. Once the compound account has been added, you can access the account and can change the
synchronization option (for example, update both Credential Manager and the target system).
This option is not available if the application type is “Generic”.

Update only the Password Authority Server: Passwords are only updated in Credential
Manager. Credential Manager and target system passwords can differ.

Update both the Password Authority Server and the target system: Password updates are
performed in both Credential Manager and the target system to maintain consistency.

Add an EC2 Access Key Target Account from the GUI


Before doing this procedure, ensure that you have downloaded from AWS the EC2 Private Key file.
The key file has a .pem extension.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets. The Account List page appears with a list
of existing target accounts.

3. Click Add. The Account Details page appears.

4. Click the lower magnifying glass to find and select the AWS Access Credential Accounts
Application Name.
When you do so, the Host Name and Device Name fields are populated with
xceedium.aws.amazon.com and more fields appear.

5. Select the Password View Policy (if needed) for the account.

6. For AWS Access Credential Type, select the EC2 Private Key option button. The EC2 Private
Key tab activates.

7. Enter the EC2 Instance User Name, such as ec2-user (for Amazon Linux), root (for Red Hat
Linux), or another account with full permissions.

8. Browse and upload the EC2 Private Key key file.

9. In Key Pair Name, enter the filename of the EC2 Private Key you just uploaded, but without
the extension.

10. (Optional) Enter a passphrase to use with the EC2 private key in the Passphrase field.

11. Select whether the account type is A2A (application-to-application) or privileged account. This
choice is only possible if your license allows for A2A accounts. If you select A2A Account, more
fields appear allowing you to add the target alias. See Add a Target Account From the GUI (see
page 318).

12. (Optional) Enter an access type. Access type is a reference field for customer convenience. It is
not used by Credential Manager

13. Click Save. Your new target account is added to the list of accounts on the Account List page.

Add a Target Alias from the GUI


Follow these steps:

1. Do steps 1-12 of the Add a Target Account from the GUI (see page 318) procedure. For step
12, specify the account type as A2A.

2. Enter a target alias name. The target alias name must be unique across the Credential
Manager.

3. Enter the appropriate settings for password caching for the Credential Manager A2A Client:

Use Cache First: The A2A Client looks for the password in local cache first. If there is no
password or if the password is not the most recent, the A2A Client contacts the product
appliance.

Use Server First: The A2A Client contacts the product appliance to get the most recent
password. If a password is unavailable, the A2A Client looks in the local cache.

No Cache: The password is never stored in the local cache. The A2A Client always contacts
the product appliance for the password.

4. Set the cache duration.

5. Do steps 13-15 of the Add a Target Account from the GUI (see page 318) procedure.

Add a Target Account from the CLI


Follow these steps:

1. Add a target server:

capam_command adminUserID=admin capam=mycompany.com cmdName=addTargetServer
TargetServer.hostName=Vienna-Lab3.cloakware.com TargetServer.ipAddress=11.1.0.3
Attribute.descriptor1=Vienna Attribute.descriptor2=Lab

2. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetServer>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:35:14 EST 2007</createDate>
<updateDate>Mon Nov 12 15:35:14 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>XhMAD33ITheWuMB1L89Zsxfdxsg=</hash>
<hostName>Vienna-Lab3.cloakware.com</hostName>
<IPAddress>11.1.0.3</IPAddress>
</TargetServer>
</cr.result>
</CommandResult>

3. Add a target application:

capam_command adminUserID=admin capam=mycompany.com
cmdName=addTargetApplication TargetServer.hostName=Vienna-Lab3.cloakware.com
TargetApplication.type=Generic TargetApplication.name='Generic Application Type'
Attribute.descriptor1=Vienna Attribute.descriptor2=Lab

4. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>

<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetApplication>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:38:32 EST 2007</createDate>
<updateDate>Mon Nov 12 15:38:32 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>kvSzMfnFi2iCIihAVt85+N2jzpc=</hash>
<targetServerID>1</targetServerID>
<type>Generic</type>
<name>Generic</name>
<policyID>0</policyID>
</TargetApplication>
</cr.result>
</CommandResult>

5. Add a target account:

capam_command adminUserID=admin capam=mycompany.com cmdName=addTargetAccount
TargetServer.hostName=Vienna-Lab3.cloakware.com TargetApplication.name='Generic
Application Type' TargetAccount.userName=account1 TargetAccount.password=123456
TargetAccount.cacheBehavior=useCacheFirst TargetAccount.privileged=false
TargetAccount.cacheDuration=20 TargetAccount.accessType='A generic system
account' TargetAccount.synchronize=false Attribute.changePasswordAfterViewing=true
Attribute.descriptor1=Vienna Attribute.descriptor2=Lab

6. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true
</Attribute.changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 EST 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>

<cacheBehavior>useCacheFirst</cacheBehavior>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>
</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>

7. Decide whether the account type is A2A (application-to-application) or privileged account.


This choice is only possible if your license allows for A2A accounts. For A2A accounts, add a
target alias.

capam_command adminUserID=admin capam=mycompany.com cmdName=addTargetAlias
TargetAlias.name=ViennaAlias5 TargetServer.hostName=Vienna-Lab3.cloakware.com
TargetApplication.name='Generic Application Type' TargetAccount.userName=account1

8. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAlias>
<ID>1</ID>
<createDate>Mon Nov 12 15:43:24 EST 2007</createDate>
<updateDate>Mon Nov 12 15:43:24 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>iB6pR3X7E8yP8p4RemqsChneEQc=</hash>
<name>ViennaAlias5</name>
<accountID>1</accountID>
</TargetAlias>
</cr.result>
</CommandResult>

Add a Compound Account from the CLI


Follow these steps:

1. Add a target server:

capam_command adminUserID=admin capam=mycompany.com cmdName=addTargetServer
TargetServer.hostName='Unix server cluster' TargetServer.ipAddress=11.1.0.3
Attribute.descriptor1=Vienna Attribute.descriptor2=Lab

2. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetServer>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:35:14 EST 2007</createDate>
<updateDate>Mon Nov 12 15:35:14 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>XhMAD33ITheWuMB1L89Zsxfdxsg=</hash>
<hostName>Unix server cluster</hostName>
<IPAddress>11.1.0.3</IPAddress>
</TargetServer>
</cr.result>
</CommandResult>

3. Add one or more servers:

capam_command adminUserID=admin capam=mycompany.com cmdName=addTargetServer
TargetServer.hostName=Vienna-Lab3.cloakware.com TargetServer.ipAddress=11.1.0.4
Attribute.descriptor1=Vienna Attribute.descriptor2=Lab

4. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetServer>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>2</ID>
<createDate>Mon Nov 12 15:35:14 EST 2007</createDate>
<updateDate>Mon Nov 12 15:35:14 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>XhMAD33ITheWuMB1L89Zsxfdxsg=</hash>
<hostName>Vienna-Lab3.cloakware.com</hostName>
<IPAddress>11.1.0.4</IPAddress>
</TargetServer>
</cr.result>
</CommandResult>

Repeat steps 3 and 4 for each compound server that you want to add. Each addTargetServer
operation returns a new <ID> value; record these values, because step 7 needs all of them.

5. Add a target application.

capam_command adminUserID=admin capam=mycompany.com
cmdName=addTargetApplication TargetServer.hostName=Vienna-Lab3.cloakware.com
TargetApplication.type=Generic TargetApplication.name='Generic Application Type'
Attribute.descriptor1=Vienna Attribute.descriptor2=Lab

6. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetApplication>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:38:32 EST 2007</createDate>
<updateDate>Mon Nov 12 15:38:32 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>kvSzMfnFi2iCIihAVt85+N2jzpc=</hash>
<targetServerID>1</targetServerID>
<type>Generic</type>
<name>Generic</name>
<policyID>0</policyID>
</TargetApplication>
</cr.result>
</CommandResult>

7. Add a compound target account:

capam_command adminUserID=admin capam=mycompany.com cmdName=addTargetAccount
TargetServer.hostName=Vienna-Lab3.cloakware.com TargetApplication.name='Generic
Application Type' TargetAccount.userName=account1 TargetAccount.password=123456
TargetAccount.cacheBehavior=useCacheFirst TargetAccount.privileged=false
TargetAccount.cacheDuration=20 TargetAccount.accessType='A generic system
account' TargetAccount.synchronize=false Attribute.changePasswordAfterViewing=true
TargetAccount.isCompound=true TargetAccount.compoundServerIDs=1,2
Attribute.descriptor1=Vienna Attribute.descriptor2=Lab

For the TargetAccount.compoundServerIDs parameter, list each <ID> value that is
returned in steps 3 and 4, separated by commas.

8. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>

<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true
</Attribute.changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 EST 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheBehavior>useCacheFirst</cacheBehavior>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>
</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>
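The two CLI procedures above (Add a Target Account from the CLI and Add a Compound Account from
the CLI) are usually scripted rather than typed, and the thing that goes wrong in scripts is trusting
the exit status instead of the XML result. The following POSIX shell script is an added example, not
code from the CA documentation: it wraps capam_command so that every CommandResult is checked for
the success pair cr.statusCode 400 / Success, stops at the first failure with the CLI's own status
description, and collects the <ID> of each registered server into the comma-separated value that
TargetAccount.compoundServerIDs expects, instead of copying the IDs by hand. The appliance name and
admin user are placeholders from the examples above, capam_command is assumed to be on PATH (the
CAPAM_CMD variable exists only so a test can substitute a stub), and the CLI still prompts for the
administrator password on every call, exactly as the procedures describe.

```shell
#!/bin/sh
# Added example, not part of the CA documentation: a wrapper for the CLI
# procedures above (single and compound target accounts). Every CommandResult
# is checked for the success pair cr.statusCode 400 / Success, the run stops on
# the first failure, and the <ID> of each registered server is collected for
# TargetAccount.compoundServerIDs instead of being copied by hand.
# Assumptions: capam_command is on PATH (CAPAM_CMD overrides it for testing);
# admin user and appliance name are placeholders; the CLI still prompts for the
# administrator password on each call.

CAPAM_CMD=${CAPAM_CMD:-capam_command}
CAPAM_ARGS="adminUserID=admin capam=mycompany.com"

# Text of the first <TAG>...</TAG> that sits on one line of the XML on stdin.
xml_field() {                 # usage: xml_field TAG < xml
    sed -n "s|.*<$1>\([^<]*\)</$1>.*|\1|p" | head -n 1
}

# True only for status code 400 with description Success; anything else,
# including a well-formed result with another code, is treated as failure.
result_ok() {                 # usage: result_ok "$xml"
    [ "$(printf '%s\n' "$1" | xml_field cr.statusCode)" = 400 ] &&
    [ "$(printf '%s\n' "$1" | xml_field cr.statusDescription)" = Success ]
}

# <ID> of the object that the command created.
result_id() {                 # usage: result_id "$xml"
    printf '%s\n' "$1" | xml_field ID
}

# Run one command; print its XML on success, otherwise report the CLI's own
# status description on stderr and fail, so a caller under set -e stops here.
capam() {                     # usage: capam cmdName=NAME key=value ...
    out=$("$CAPAM_CMD" $CAPAM_ARGS "$@") || return 1
    if ! result_ok "$out"; then
        echo "$1 failed: $(printf '%s\n' "$out" | xml_field cr.statusDescription)" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Register cluster members (pairs of hostName ipAddress) and print the
# comma-separated ID list that addTargetAccount expects. Host names with
# spaces survive because each value is passed as one quoted argument.
register_compound_servers() { # usage: register_compound_servers HOST IP [HOST IP ...]
    ids=
    while [ $# -ge 2 ]; do
        out=$(capam cmdName=addTargetServer "TargetServer.hostName=$1" \
                    "TargetServer.ipAddress=$2") || return 1
        ids="${ids:+$ids,}$(result_id "$out")"
        shift 2
    done
    printf '%s\n' "$ids"
}

# The compound procedure end to end: servers, application, then the account.
# Prints the compoundServerIDs value that was registered.
add_compound_account() {      # usage: add_compound_account USER PASSWORD HOST IP [HOST IP ...]
    user=$1; pass=$2; shift 2
    ids=$(register_compound_servers "$@") || return 1
    capam cmdName=addTargetApplication "TargetServer.hostName=$1" \
          TargetApplication.type=Generic \
          "TargetApplication.name=Generic Application Type" >/dev/null || return 1
    capam cmdName=addTargetAccount "TargetServer.hostName=$1" \
          "TargetApplication.name=Generic Application Type" \
          "TargetAccount.userName=$user" "TargetAccount.password=$pass" \
          TargetAccount.synchronize=false TargetAccount.isCompound=true \
          "TargetAccount.compoundServerIDs=$ids" >/dev/null || return 1
    printf '%s\n' "$ids"
}
```

Usage: `add_compound_account account1 123456 'Unix server cluster' 11.1.0.3 Vienna-Lab3.cloakware.com
11.1.0.4` registers both servers, the application and the compound account, and prints the ID list it
used. Keep the password argument out of shell history in real use (read it from a file or prompt), and
combine this with the base-64 encoding shown under Complex Passwords with Special Characters when the
password contains characters the shell would reinterpret.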

Register Windows Target Accounts


This section describes the additional steps that are associated with registering accounts that use the
Credential Manager Windows Proxy application type or the Credential Manager Windows Domain
Services application type.

Process for Registering Windows Proxy Target Accounts


To register Windows Proxy target accounts, including Windows services, use the following procedure.

Follow these steps:

1. Ensure that you have installed and registered a Windows Proxy.

2. Create a Device (target server) of type Password Management or A2A.

3. Create a Target Application on that Device. This step includes associating a Windows Proxy
with the host on which the Windows account resides. See Create a Windows Target
Application. (see page 328)

4. Create a Target Account for that application. This step includes associating Windows Services
with the target account. For an A2A account, also create a Target Alias. See Create a Windows
Target Account and Target Alias (see page 329).

Credential Manager provides an automatic discovery feature that streamlines the registration
process for multiple Windows services and scheduled tasks. See Discover Windows Proxy Target
Accounts Services and Scheduled Tasks (see page ).

Process for Registering Windows Domain Services Target Accounts


The process to register Windows Domain Services target accounts is similar to the process for
Windows Proxy target accounts. See Process for Registering Windows Proxy Target Accounts (see
page 327).

When adding the target application, select the Windows Domain Service application type instead of
Windows Proxy.

Credential Manager provides an automatic discovery feature that streamlines the registration
process for multiple Windows Domain Service target accounts. For details, see Account Discovery
(see page 299).

Create a Windows Target Application


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Applications. The Application List page
appears.

3. Click Add. The Application Details page appears.

4. Click the magnifying glass to find an existing target server or click the + to create a new target
server.

5. Enter a unique application name.

6. Select "Windows Proxy" as the Application Type. The Application Details page updates by
displaying the Windows Proxy Application Details panel.

7. (Optional) Select a Password Composition Policy.

8. If you are using target groupings, add Descriptors.

9. Modify or fill in the fields for the Windows Proxy Application Details panel, as required.

10. Click Save.

Your new Windows target application is added to the list of applications on the Application List page.

Create a Windows Target Account and Target Alias


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets. The Account List page appears with a list
of existing accounts.

3. Click Add. The Account Details page appears.

4. Click the magnifying glass to find an existing target server, or click + to create a new target
server.

5. Click the magnifying glass to find an existing target application on the host server, or click + to
create a new target application. Select or create a Windows Proxy type of target application.
The Windows Domain Account Details panel appears on the Account Details page.

6. Enter the account name. The account name must be unique for a given target application and
must be the account name that is used by the target system.

7. Select the password view policy for the account.

8. Enter an initial account password or click the blue Generate Password icon to generate a
default password. The Generate Password icon looks like a ring with a set of keys. It is located
to the right of the Password field.

9. Select the appropriate synchronization option (for example, update both Credential Manager
and the target system). This option is not available if the application type is Generic.

Update only the Password Authority Server: Passwords are updated only in Credential
Manager. Credential Manager and target system passwords can differ.

Update both the Password Authority Server and the target system: Password updates are
performed both in Credential Manager and on the target system to maintain consistency.

10. Modify or fill in the fields for the Windows Account Details panel, as required.

11. Select whether the account type is A2A (application-to-application) or privileged account. This
choice is only possible if your license allows for A2A accounts. If you select A2A Account, more
fields appear allowing you to add the target alias.

12. For A2A accounts, enter a target alias name. The target alias name must be unique across
Credential Manager.

13. For A2A accounts, enter the appropriate settings for password caching for the A2A Client:

Use Cache First: The A2A Client looks for the password in local cache first. If there is no
password or if the password is not the most recent, the A2A Client contacts Credential
Manager.

Use Server First: The A2A Client contacts Credential Manager to get the most recent
password. If a password is unavailable, the A2A Client looks in the local cache.

No Cache: The password is never stored in the local cache. The A2A Client always contacts
Credential Manager for the password.

14. For A2A accounts that use caching, set the cache duration.

15. (Optional) Enter an access type. Access type is a reference field for customer convenience. It is
not used by Credential Manager.

16. If you are using target groupings, enter descriptors for the target account.

17. Click Save.

Your new Windows target account is added to the list of accounts on the Account List page.

Discover Windows Domain Services and Scheduled Tasks


Note:

Windows Domain Service Account Discovery is now part of Account Discovery, which also
discovers Linux, UNIX, and LDAP accounts. See Account Discovery (see page 299) for more
information. Windows Domain Services and Scheduled Tasks are still discovered from the
Windows Domain Account Details section of the Target Accounts.

Credential Manager provides a feature for automatic discovery and registration of Windows Domain
Service services and scheduled tasks. Credential Manager also facilitates adding and deleting
Windows OS-based Scheduled Tasks to or from a valid Windows Account and managing the
associated password.

Discovery of services and scheduled tasks is based on domains and groups.

Prerequisites
Before you use service or scheduled task discovery, ensure that the following prerequisites are met:

The target server and application are registered.

An administrative account to be used for discovery has been provisioned and added to the
Credential Manager database as a target account.

The administrative account to be used for discovery has been verified in Credential Manager.

Discover Windows Domain Service Target Account Services


Use services discovery to speed the process for adding the services that are associated with a
Windows Domain Service target account. Discovered services are typically added to synchronized
accounts so Credential Manager can manage them.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page
appears.

3. Click the target account name for which you want to discover services. The account that you
select must be verified.

Note:

Select a target account of the Windows Domain Service application type

The Account Details page appears.

4. Ensure that the fields are set according to your requirements.

5. For service discovery, click the Services tab.

6. In the Using Proxy box, select a proxy to use for service discovery.

7. In the Host to Search box, enter the host name on which the services reside.

8. Click Discover Services. The proxy connects to the specified host and returns a list of services
for the account. The discovered services are added to the Services table on the Account
Details page.

9. Click Save if you want to update credentials for all the discovered services whenever the
target account's password changes.

10. To add a service to the account manually, click the Add link in the Services table. In the new
row, select the host that is running the Proxy, enter the Service Host that is running the
service, and enter the Service. Click Save. This action synchronizes the service login credentials
with the target account. Only the added service credentials are updated automatically
whenever the target account password changes.

11. To remove any services that are not required, click the Delete link corresponding to the
service in the Services table. The deleted service is not updated when the target account
password changes.

Note:

The deleted service retains its current login credentials and is not updated.

12. To allow the Credential Manager account to start or restart a service, select its check box in
the Start/Restart column; to disallow, clear the check box.

Discover Windows Domain Service Target Account Scheduled Tasks


Use scheduled tasks discovery to speed the process for adding the scheduled tasks that are
associated with a Windows Domain Service target account. Discovered scheduled tasks are typically
added to synchronized accounts so Credential Manager can manage them.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page
appears.

3. Click the target account name for which you want to discover scheduled tasks. The account
that you select must be verified.

Note:

Select a target account of the Windows Domain Service application type.

The Account List page appears.

4. Ensure that the data in the fields are specified according to your requirements.

5. For scheduled tasks discovery, click the Scheduled Tasks tab.

6. In the Using Proxy box, select a proxy to use for scheduled task discovery.

7. In the Host to Search box, enter the host name on which the scheduled tasks reside.

8. Click Discover Tasks. The proxy connects to the specified host and returns a list of scheduled
tasks for the account. The discovered scheduled tasks are added to the Scheduled Tasks table
on the Account Details page.

9. Click Save if you want to update credentials for all the discovered scheduled tasks whenever
the target account's password changes.

10. To manually add a scheduled task to the account, click the Add link in the Scheduled Tasks
table. In the new row, select the host that is running the Proxy, enter the Task Host in which
the scheduled task resides, and enter the Task Name. Click Save. This action synchronizes the
scheduled task login credentials with the target account. Only the added scheduled task
credentials are updated automatically whenever the target account password changes.

11. To remove any scheduled tasks that are not required, click the Delete link corresponding to
the task in the Scheduled Tasks table. The deleted scheduled task credentials are not updated
when the target account password changes.

Note:

The deleted scheduled task retains its current login credentials and is not updated.

Discover Windows Proxy Target Account Services and Scheduled Tasks


Credential Manager administrators can discover, add, and remove Windows Scheduled Tasks and
Services to or from any supported Windows Account Type for a target account. They can also manage
them with Credential Manager.

Prerequisites
Before you use service and scheduled task discovery, ensure that the following prerequisites are met:

The target server and application are registered.

An administrative account to be used for discovery has been provisioned and added to the
Credential Manager database as a target account.

The administrative account to be used for discovery has been verified in Credential Manager.

If the administrative account to be used for discovery is local, the scheduled task, target account,
and agent are in the same domain.

Discover Windows Proxy Target Account Services


Use services discovery to speed the process for adding the services that are associated with a
Windows Proxy target account. Discovered services are typically added to synchronized accounts so
Credential Manager can manage them.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page
appears.

3. Click the target account name for which you want to discover services. The account that you
select must be verified.

Note:

Select a target account of the Windows Proxy application type.

The Account Details page appears.

4. Ensure that the data in the fields are specified according to your requirements.

5. For service discovery, click the Services tab.

6. In the Host to Search box, enter the host name on which the services reside.

7. Click Discover Services. The proxy connects to the specified host and returns a list of services
for the account. The discovered services are added to the Services table on the Account
Details page.

8. Click Save if you want to update credentials for all the discovered services whenever the
target account's password changes.

9. To manually add a service to the account, click the Add link in the Services table. In the new
row, enter the Service Host that is running the service, and enter the Service. Click Save. This
action synchronizes the service login credentials with the target account. Only the added
service credentials are updated automatically whenever the target account password
changes.

10. To remove any services that are not required, click the Delete link corresponding to the
service in the Services table. The deleted service's credentials are not updated whenever the
target account password changes.

Note:

The deleted service retains its current login credentials and is not updated.

11. To allow the Credential Manager account to start or restart a service, select its check box in
the Start/Restart column; to disallow, clear the check box.


Discover Windows Proxy Target Account Scheduled Tasks


Use scheduled tasks discovery to speed the process for adding the scheduled tasks that are
associated with a Windows Proxy target account. Discovered scheduled tasks are typically added to
synchronized accounts so Credential Manager can manage them.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page
appears.

3. Click the target account name for which you want to discover scheduled tasks.

Note:

Select a target account of the Windows Proxy application type.

The account that you select must be verified.

4. Ensure that the data in the fields are specified according to your requirements.

5. For scheduled tasks discovery, click the Scheduled Tasks tab.

6. In the Host to Search box, enter the host name on which the scheduled tasks reside.

7. Click Discover Tasks. The proxy connects to the specified host and returns a list of scheduled
tasks for the account. The discovered scheduled tasks are added to the Scheduled Tasks table
on the Account Details page.

8. Click Save if you want to update credentials for all the discovered scheduled tasks whenever
the target account's password changes.

9. To manually add a scheduled task to the account, click the Add link in the Scheduled Tasks
table. In the new row, select the host that is running the Proxy, enter the Task Host in which
the scheduled task resides, and enter the Task Name. Click Save. This action synchronizes the
scheduled task login credentials with the target account. Only the added scheduled task
credentials are updated automatically whenever the target account password changes.

10. To remove any scheduled tasks that are not required, click the Delete link corresponding to
the task in the Scheduled Tasks table. The deleted scheduled task's credentials are not
updated whenever the target account password changes.

Note:

The deleted scheduled task retains its current login credentials and is not updated.

View Target Account Passwords


Provided you have the correct license, you can view both privileged account and A2A passwords from
the GUI or the CLI. Credential Manager administrators must have appropriate permissions to view
passwords or password histories.

View an Account Password from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets. The Account List page appears with a list
of existing accounts.

3. Click the blue View icon. The View icon resembles an eye. It is located under the Action
column for the account for which you want to view the password.

4. Enter your Password.

5. Select your reason for viewing the (target account) password.

Note:

You can customize the list of reasons for viewing a password. See Customize the
Reasons for Viewing a Password (https://docops.ca.com/display/CAPAM28
/setPasswordViewReasons).

6. Enter any necessary details and reference code.

7. For compound accounts, a drop-down list of all target servers for the account appears in the
pop-up window. Select the specific target server for which you want to view the password.
Normally, the password is the same for all servers. If a password update fails, each server on
which the subsequent rollback fails has an out-of-sync password.

8. Click View. The GUI displays the account User ID and password.

9. Click OK to close the window.


View an Account Password from the Access Page


Active Target Applications and their associated Target Accounts are listed on the Access page. Every
Target Application associated with a Device is identified in the drop-down menu in the Target
Applications column. Every Target Account associated with each application appears in a nested
list.

After selecting a Target Account from the drop-down menu for a particular Device, a pop-up window
appears with a View Account Password Request window. After entering the Password (for the
currently logged-in CA Privileged Access Manager user), the credentials are displayed in the pop-up.

View Password History from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of existing accounts.

3. In the account list, click the account for which you want to view the password history. The
Account Details page appears.

4. Click the blue View History icon. The View History icon resembles a clock with a counter-
clockwise arrow. It is located to the right of the Password field. The Password History page
appears showing password change history.

The Password History Compromised flag may be manually set within Credential Manager. The
flag may be used to record whether a password has become known to an unauthorized
individual. The flag may be set to true to indicate a password should not be reused. The value
of the flag does not affect Credential Manager processing.

Set Password History Compromised Flag from the GUI


Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets, Accounts.

3. Select the account with the compromised password.

4. Click the blue View History icon. The View History icon resembles a clock with a counter-
clockwise arrow. It is located to the right of the Password field.

5. Click the date and time of the password request. The Password History details page appears.

6. Select the Compromised checkbox.

7. Click Save.

View Target Passwords from the CLI


Follow these steps:

1. Search target accounts to retrieve the target account ID:

capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount TargetAccount.userName=account1

2. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
  <cr.itemNumber>0</cr.itemNumber>
  <cr.statusCode>400</cr.statusCode>
  <cr.statusDescription>Success</cr.statusDescription>
  <cr.result>
    <TargetAccount>
      <Attribute.descriptor2>Lab</Attribute.descriptor2>
      <Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
      <Attribute.descriptor1>Vienna</Attribute.descriptor1>
      <ID>1</ID>
      <createDate>Mon Nov 12 15:42:43 EST 2007</createDate>
      <updateDate>Mon Nov 12 15:42:43 EST 2007</updateDate>
      <createUser>admin</createUser>
      <updateUser>admin</updateUser>
      <hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
      <targetApplicationID>1</targetApplicationID>
      <userName>account1</userName>
      <password>14adc6a1a720e58ee52032364b98f95b</password>
      <accessType>A</accessType>
      <cacheAllow>true</cacheAllow>
      <cacheDuration>20</cacheDuration>
      <privileged>false</privileged>
      <synchronize>false</synchronize>
      <passwordVerified>false</passwordVerified>
      <lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified>
    </TargetAccount>
  </cr.result>
</CommandResult>

3. Request to view the password. Use the ID provided by the output of the previous command:

capam_command adminUserID=admin capam=mycompany.com cmdName=viewAccountPassword TargetAccount.ID=1 reason="Power Outage" reasonDetail=Recovery

For compound accounts, you can specify the TargetServer.hostName parameter to view the
password for a specific server. This parameter is not required for accounts that are not
compound.

4. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
  <cr.itemNumber>0</cr.itemNumber>
  <cr.statusCode>400</cr.statusCode>
  <cr.statusDescription>Success</cr.statusDescription>
  <cr.result>
    <TargetAccount>
      <Attribute.descriptor2>Lab</Attribute.descriptor2>
      <Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
      <Attribute.descriptor1>Vienna</Attribute.descriptor1>
      <ID>1</ID>
      <createDate>Mon Nov 12 15:42:43 EST 2007</createDate>
      <updateDate>Mon Nov 12 15:42:43 EST 2007</updateDate>
      <createUser>admin</createUser>
      <updateUser>admin</updateUser>
      <hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
      <targetApplicationID>1</targetApplicationID>
      <userName>account1</userName>
      <password>123456</password>
      <accessType>A</accessType>
      <cacheAllow>true</cacheAllow>
      <cacheDuration>20</cacheDuration>
      <privileged>false</privileged>
      <synchronize>false</synchronize>
      <passwordVerified>false</passwordVerified>
      <lastVerified>2007-11-12 15:42:43.0</lastVerified>
    </TargetAccount>
  </cr.result>
</CommandResult>

Verify Synchronized Target Account Passwords


Use the following procedure to verify a synchronized target account password from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Targets. The Account List page appears with a list
of existing target accounts.

3. Click the target account name of which password you want to verify. The account you select
must be verified. The Account Details page appears.

4. Click the Verify Password icon located to the right of the Password field. (Note that a
Windows tooltip stating "Verify Password" appears upon moving your mouse over the icon.)
A message indicating successful password verification appears.

Use the following procedure to verify a synchronized target account password from the CLI.

Follow these steps:

1. Search target accounts to retrieve the target account ID:

capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount TargetAccount.userName=account1

2. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
  <cr.itemNumber>0</cr.itemNumber>
  <cr.statusCode>400</cr.statusCode>
  <cr.statusDescription>Success</cr.statusDescription>
  <cr.result>
    <TargetAccount>
      <Attribute.descriptor2>Lab</Attribute.descriptor2>
      <Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
      <Attribute.descriptor1>Vienna</Attribute.descriptor1>
      <ID>1233</ID>
      <createDate>Mon Nov 12 15:42:43 EST 2007</createDate>
      <updateDate>Mon Nov 12 15:42:43 EST 2007</updateDate>
      <createUser>admin</createUser>
      <updateUser>admin</updateUser>
      <hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
      <targetApplicationID>1</targetApplicationID>
      <userName>account1</userName>
      <password>14adc6a1a720e58ee52032364b98f95b</password>
      <accessType>A</accessType>
      <cacheAllow>true</cacheAllow>
      <cacheDuration>20</cacheDuration>
      <privileged>false</privileged>
      <synchronize>false</synchronize>
      <passwordVerified>false</passwordVerified>
      <lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified>
    </TargetAccount>
  </cr.result>
</CommandResult>

3. Run the following command:

capam_command adminUserID=admin capam=mycompany.com cmdName=verifyAccountPassword TargetAccount.ID=1233

4. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
  <cr.itemNumber>0</cr.itemNumber>
  <cr.statusCode>400</cr.statusCode>
  <cr.statusDescription>Success.</cr.statusDescription>
  <cr.result>
    <TargetAccount>
      <privileged>true</privileged>
      <aliases></aliases>
      <password>{1}8ae8e633c1fa6020bfb7695e17f83f18</password>
      <lastUsed></lastUsed>
      <passwordViewPolicyID>1000</passwordViewPolicyID>
      <targetApplicationID>1222</targetApplicationID>
      <userName>sqlaccount1</userName>
      <accessType></accessType>
      <cacheDuration>30</cacheDuration>
      <synchronize>true</synchronize>
      <cacheBehavior>useCacheFirst</cacheBehavior>
      <lastVerified>Tue Apr 05 11:47:40 UTC 2011</lastVerified>
      <lastViewed></lastViewed>
      <passwordVerified>true</passwordVerified>
      <compoundAccount>false</compoundAccount>
      <targetApplication></targetApplication>
      <cacheAllow>true</cacheAllow>
      <targetServerAlias></targetServerAlias>
      <ID>1233</ID>
      <Attribute.extensionType>mssql</Attribute.extensionType>
      <Attribute.useOtherAccountToChangePassword>false</Attribute.useOtherAccountToChangePassword>
      <Attribute.cspm_serverkeyid>1</Attribute.cspm_serverkeyid>
      <Attribute.descriptor1></Attribute.descriptor1>
      <Attribute.descriptor2></Attribute.descriptor2>
      <createDate>Tue Apr 05 11:44:37 UTC 2011</createDate>
      <extensionType>mssql</extensionType>
      <updateUser>admin</updateUser>
      <updateDate>Tue Apr 05 11:47:40 UTC 2011</updateDate>
      <createUser>admin</createUser>
      <hash>EuufPEVlFusXtH6XF3rs7BbEJFY=</hash>
    </TargetAccount>
  </cr.result>
</CommandResult>

If the password does not verify (that is, there is a password mismatch), the attribute
passwordVerified returns a "false" value; for example, <passwordVerified>false</passwordVerified>.
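The searchTargetAccount, viewAccountPassword, and verifyAccountPassword procedures above all return a <CommandResult> document. The following Python script, added here as an example and not code from the CA documentation or product, parses that output: it extracts the TargetAccount.ID needed for the follow-up command, checks the statusCode/statusDescription pair the documented examples show, reads passwordVerified, and masks the <password> element before the record is written anywhere. The XML samples it carries are constructed to match the shape shown above; their values (IDs, hash, status text) are placeholders.

```python
"""Parse the <CommandResult> XML that capam_command prints.

Added example; this is not code from the CA Privileged Access Manager
documentation or product. The XML samples are constructed to mirror the shape
of the documented searchTargetAccount and verifyAccountPassword output, and
every value in them (IDs, hash, status text) is a placeholder.
"""
import xml.etree.ElementTree as ET

# Constructed sample: searchTargetAccount output. As in the documented search
# result, <password> carries the stored hash form, not a cleartext password.
SEARCH_RESULT = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<ID>1233</ID>
<userName>account1</userName>
<password>placeholderhash00000000000000000</password>
<synchronize>true</synchronize>
<passwordVerified>false</passwordVerified>
</TargetAccount>
</cr.result>
</CommandResult>"""

# Constructed sample: verifyAccountPassword output after the check succeeded.
VERIFY_OK = SEARCH_RESULT.replace("<passwordVerified>false", "<passwordVerified>true")

# Constructed sample: a command that failed (placeholder status code and text).
FAILED_RESULT = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>999</cr.statusCode>
<cr.statusDescription>placeholder failure text</cr.statusDescription>
<cr.result></cr.result>
</CommandResult>"""


def _child(element, tag):
    """First direct child with this tag. ElementTree path lookups treat '.' as
    a path step, so dotted tags such as cr.statusCode are matched by hand."""
    if element is None:
        return None
    for child in element:
        if child.tag == tag:
            return child
    return None


def parse_command_result(xml_text):
    """Return status code, status text, and the TargetAccount fields (if any)."""
    root = ET.fromstring(xml_text)
    if root.tag != "CommandResult":
        raise ValueError("not a CommandResult document")
    code = _child(root, "cr.statusCode")
    desc = _child(root, "cr.statusDescription")
    account = _child(_child(root, "cr.result"), "TargetAccount")
    fields = {} if account is None else {c.tag: (c.text or "").strip() for c in account}
    return {
        "statusCode": int(code.text) if code is not None and code.text else None,
        "statusDescription": (desc.text or "").strip() if desc is not None else "",
        "account": fields,
    }


def succeeded(parsed):
    # The documented examples report status code 400 with the description
    # "Success" (or "Success."), so both parts are checked rather than
    # assuming HTTP status semantics.
    desc = parsed["statusDescription"].rstrip(".").lower()
    return parsed["statusCode"] == 400 and desc == "success"


def target_account_id(parsed):
    """The TargetAccount.ID to pass to viewAccountPassword or verifyAccountPassword."""
    return int(parsed["account"]["ID"])


def password_verified(parsed):
    """True only if passwordVerified is literally true; absent counts as not verified."""
    return parsed["account"].get("passwordVerified", "").lower() == "true"


def redacted(parsed):
    """Copy of the account fields that is safe to write to a log or a ticket."""
    safe = dict(parsed["account"])
    if "password" in safe:
        safe["password"] = "<redacted>"
    return safe


if __name__ == "__main__":
    found = parse_command_result(SEARCH_RESULT)
    print("account id:", target_account_id(found), "fields:", redacted(found))
    print("verified after check:", password_verified(parse_command_result(VERIFY_OK)))
```

Feed the script the text that capam_command prints after the password prompt; only the redacted dictionary should ever reach a log, since the view command returns the cleartext password in the same <password> element.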


Schedule Target Account Activities


Credential Manager allows you to schedule several target account activities. You can schedule regular
password updates for synchronized target accounts. Scheduled password updates use automatically
generated passwords that conform to your specified password composition policies. In addition,
Credential Manager allows you to schedule password verification to alert you if passwords become
out-of-sync.

Note:

Scheduled jobs do not change target account passwords that are stored in CA Privileged
Access Manager only and not synchronized to a target device.

You can schedule password update or verification jobs with the following recurrence: daily, weekly,
monthly, yearly, or after an arbitrary number of days.

For password update or verification jobs, you can schedule jobs on a per account basis or per target
group basis. When you schedule a job on a per target group basis, the update or verification is
performed on each of the synchronized target accounts within that target group. If a single update or
verification fails, the job status is marked as failed. However, the job continues to process the
remaining updates or verifications.

To view the status of scheduled jobs, generate the Scheduled Jobs Report. See Generating Reports
(see page 387).

Use the following procedure to schedule a password update or verification.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Select Targets, Scheduled Jobs. The Scheduled Job List page appears.

3. Click Add. The Scheduled Job Details page appears.

4. Enter the Job Name. Use a text description for the job.

5. Select the Date and Time for the initial job run.

6. Enter the Recurrence criteria. The Recurrence area updates based on your selection.

7. Select the command updateTargetAccountPassword for password updates, or
verifyAccountPassword for password verification. The fields on the page change according
to your selection.

8. Select whether you want this job to apply to a target group or individual account.

9. Specify either the target group or individual target account for this job.

10. For the updateTargetAccountPassword command:

Select whether Credential Manager generates the new password. If you select No, extra
fields appear so you can supply the new password.

For Credential Manager generated passwords, select whether to apply the same new
password to all accounts in the group.

11. Click Save.

Add Proxies
Add proxies in CA Privileged Access Manager for such activities as managing multiple domains,
improving load balancing, and building redundancy into your setup.

Important:

Install the Windows Proxy software on a Windows host before adding a proxy to Credential
Manager. See Install a Windows Proxy for Credential Manager (https://docops.ca.com/display
/CAPAM28/Install+a+Windows+Proxy+for+Credential+Manager). The Windows Proxy runs as a
service on the Windows host. During the installation process:

1. Identify the CA Privileged Access Manager appliance with which the proxy registers.

2. Access the proxy list by selecting Targets, Proxies.

3. Activate the proxy by opening the proxy record in that list and changing its Status to
"Active".

Use the following procedure to add a proxy manually and register it automatically.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click Targets, Proxies. The Proxy List page appears.

3. Click Add.
The Proxy Details page appears.

4. In the Host Name box, enter the DNS host name or IP address where the proxy software
resides.

5. In the Device Name box, assign a name to the Device.


6. In the IP Address box, enter the IP address of the host.

7. To activate the proxy, select Active. Otherwise, select Inactive.

8. Click Add.

9. To prevent the host name from being overwritten each time the client registers, select the
Preserve Host Name check box. Otherwise, clear the check box. The default setting for this
check box is determined by the Preserve Client/Proxy Host Names setting on the Settings page.

10. If you are using target groupings, in the Descriptor fields, enter the proxy descriptor
information.

11. Click Save.

Start or Stop a Windows Proxy


Start and stop a Windows Proxy using the Windows Services Administrative tool or a command line.

Start the Windows Proxy


Follow these steps:

1. Start the cspmagentd service using the Services Administrative tool. The steps to start the
service using the Windows Services Administrative tool depend on your Windows platform.
For example, to start the service with Windows 7, click Start, Control Panel, Administrative
Tools, Services, select cspmagentd in the Services list, and then click Start.

or

Open a command line window and type:

net start cspmagentd

Stop the Windows Proxy


Follow these steps:

1. Stop the cspmagentd service using the Services Administrative tool. The steps to stop the
service using the Windows Services Administrative tool depend on your Windows platform.
For example, to stop the service with Windows 7, click Start, Control Panel, Administrative
Tools, Services, select cspmagentd in the Services list, and then click Stop.

or

Open a command line window and type:

net stop cspmagentd


Configure a Windows Proxy to Use a Windows Domain Account


There may be instances where you might want the Windows Proxy to connect to the CA Privileged
Access Manager appliance using a Windows Domain account.

You must have local administrator privileges to change the Windows Proxy settings.

Follow these steps:

1. Click Start, Control Panel, Administrative Tools, Services.

2. Right click on cspmagentd and select Properties.

3. Click on the Log On tab.

4. Click the This Account radio button.

5. Type the Domain and Windows account names for the account.

Note:

The Domain name for the account must precede the Windows account name,
separated by a backslash (DOMAIN\accountname).

Modify the Windows Proxy Configuration File


There may be instances where you might want to edit the Windows Proxy configuration file. Some
examples might include:

Changing a configuration that is not included in the installer, for example port numbers.

Applying a configuration change after installation, for example changing the log file location.

Modifying the logging level to debug a problem.

The Windows Proxy configuration file is located at:

C:\<install_home>\cloakware\cspmclient\config\cspm_client_config.xml

where <install_home> is the location and name of your installation folder, for example
Program Files\cspm_agent.


The following table describes the XML tags in the Windows Proxy configuration file.

<applicationtype>
    Valid value is cspm_agent. If this value is set to cspm_agent, the Credential Manager client
    starts with Windows Proxy functionality. cspm_agent is supported only on Windows platforms.

<cacheallow>
    Enables or disables caching for the Credential Manager client. The default value is true.

<loglevel>
    Specifies the log level. Valid values are severe, warning, info, fine, and off. The entry is
    case insensitive. The default value is warning. The off setting means that log messages are
    not generated.

<cspmserver>
    Specifies the host name of the CA Privileged Access Manager appliance. This value is set by
    the installer.

<cspmserver_port>
    The port on which the CA Privileged Access Manager appliance listens. The default is blank.
    For HTTPS, the default is 443. If the server port is changed from 443, you must modify this
    value.

<daemonserver1_port>
    The Windows Proxy uses this port to listen for requests from the CA Privileged Access
    Manager appliance. For the Windows Proxy, the default value is 27077.

<daemonserver2_port>
    This port is not used by the Windows Proxy.

<logfile>
    Specifies the location of the log file used by the daemon. The installer sets this value.

<c_logfile>
    The log file used by the service and stateless client interface stubs. The default is
    C:\WINDOWS\TEMP\cspm_c_client_log.txt on Windows Server 2008 R2. The log file must be in a
    directory to which all users of the Windows Proxy have write access.

<patch>
    Specifies patch management attributes, using the following XML tags: frequency, starthour,
    and endhour.

<frequency>
    Specifies the frequency at which the Windows Proxy polls the CA Privileged Access Manager
    appliance to check for an upgrade. Valid values are daily or weekly. The default value is
    daily.

<startHour>
    Start of the interval within which the Windows Proxy randomly polls the CA Privileged Access
    Manager appliance for a version check. Valid values are 0-23. The default value is 0 (12 A.M.).

<endHour>
    End of the interval within which the Windows Proxy randomly polls the CA Privileged Access
    Manager appliance for a version check. Valid values are 0-23. The default value is 5 (5 A.M.).

<operation>
    For internal use only.
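A small validator for the configuration file, added here as an example; it is not part of the CA documentation or of the Windows Proxy. It checks each tag from the table against the valid values listed there before the file is pushed to a proxy host, which is where a typo in loglevel or a non-numeric port would otherwise surface only as a proxy that fails to register. The root element name cspm_client_config and the nesting of frequency, startHour, and endHour under patch are assumptions made for this example, and the sample file content (host name, log paths) is constructed.

```python
"""Sanity-check a Windows Proxy cspm_client_config.xml before rolling it out.

Added example; not part of the CA documentation or the Windows Proxy itself.
Tag names and valid values come from the configuration table. Assumptions made
for this example: the root element is named <cspm_client_config>, and
frequency, startHour, and endHour are nested inside <patch>. The sample
content is constructed.
"""
import xml.etree.ElementTree as ET

VALID_LOGLEVELS = {"severe", "warning", "info", "fine", "off"}
VALID_FREQUENCIES = {"daily", "weekly"}

# Constructed sample configuration (host name and log paths are placeholders).
SAMPLE_CONFIG = r"""<cspm_client_config>
  <applicationtype>cspm_agent</applicationtype>
  <cacheallow>true</cacheallow>
  <loglevel>Warning</loglevel>
  <cspmserver>capam.example.invalid</cspmserver>
  <cspmserver_port>443</cspmserver_port>
  <daemonserver1_port>27077</daemonserver1_port>
  <daemonserver2_port></daemonserver2_port>
  <logfile>C:\cspm_agent\logs\cspm_client_log.txt</logfile>
  <c_logfile>C:\WINDOWS\TEMP\cspm_c_client_log.txt</c_logfile>
  <patch>
    <frequency>daily</frequency>
    <startHour>0</startHour>
    <endHour>5</endHour>
  </patch>
</cspm_client_config>"""

# The same file with three deliberate mistakes, to show what the checker reports.
BAD_CONFIG = (
    SAMPLE_CONFIG.replace("<loglevel>Warning<", "<loglevel>debug<")
    .replace("<daemonserver1_port>27077<", "<daemonserver1_port>abc<")
    .replace("<startHour>0<", "<startHour>25<")
)


def _text(root, path):
    """Stripped text of the element at path, or None if the element is absent."""
    element = root.find(path)
    return None if element is None else (element.text or "").strip()


def _check_port(value, tag, required, problems):
    if not value:
        if required:
            problems.append(f"{tag} is empty")
        return
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        problems.append(f"{tag} {value!r} is not a valid TCP port")


def validate_config(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)

    if _text(root, "applicationtype") != "cspm_agent":
        problems.append("applicationtype must be cspm_agent")

    level = _text(root, "loglevel")
    if level is None or level.lower() not in VALID_LOGLEVELS:  # case insensitive
        problems.append(f"loglevel {level!r} is not one of {sorted(VALID_LOGLEVELS)}")

    cache = _text(root, "cacheallow")
    if cache is not None and cache.lower() not in {"true", "false"}:
        problems.append(f"cacheallow {cache!r} must be true or false")

    if not _text(root, "cspmserver"):
        problems.append("cspmserver (appliance host name) is empty")

    # cspmserver_port may legitimately be blank (the documented default);
    # daemonserver1_port is where the proxy listens for the appliance, so it is required.
    _check_port(_text(root, "cspmserver_port"), "cspmserver_port", False, problems)
    _check_port(_text(root, "daemonserver1_port"), "daemonserver1_port", True, problems)

    freq = _text(root, "patch/frequency")
    if freq is not None and freq.lower() not in VALID_FREQUENCIES:
        problems.append(f"frequency {freq!r} must be daily or weekly")

    for tag in ("startHour", "endHour"):
        hour = _text(root, "patch/" + tag)
        if hour is not None and (not hour.isdigit() or not 0 <= int(hour) <= 23):
            problems.append(f"{tag} {hour!r} must be in the range 0-23")

    # Both log files must be set. Whether the c_logfile directory is writable by
    # every user of the proxy can only be confirmed on the host itself.
    for tag in ("logfile", "c_logfile"):
        if not _text(root, tag):
            problems.append(f"{tag} is empty")
    return problems


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(name, "->", validate_config(text) or "OK")
```

Run it against the file at C:\<install_home>\cloakware\cspmclient\config\cspm_client_config.xml after editing and before restarting cspmagentd; the write-access requirement on the c_logfile directory still has to be checked on the host.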

View Windows Proxy Logs


You can view Windows Proxy logs with the GUI, so you can troubleshoot client issues.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click Targets, Proxies. The Proxy List page appears.

3. Click the host name of the server where the proxy whose logs you want to view is installed.
The Proxy Details page appears.

Note:

You can only request the most recent log file. Previously rotated files are excluded.

4. Click the Get Logs button. A zip file containing the Windows Proxy logs directory is
downloaded to your browser. The
default maximum file size is 20 MB. You can configure the maximum file size using the
getLogsMaxSize {SystemProperty.SYSTEM_PROPERTY_MAX_LOG_SIZE}
property setting. For further details, see the description of the setSystemProperty CLI
command.


Add Credential Manager Roles and Groups


Credential Manager Groups offer improved separation of duties and improved security by allowing
users, or groups of users access to view and change only those resources over which they should
have control.

Credential Manager uses static and dynamic groupings. Static groups enable the direct assignment of
specific resources to a particular user group. Static groups enforce the specified resource assignment
and provide precise control over group membership. Dynamic groups use filter rules to specify
patterns for resource assignment. All matching entities are assigned membership in the specified
dynamic group. Any new entity that is added and that matches the pattern is automatically placed in
all applicable groups, minimizing administrative burden.

For installations that do not have consistent standards for the assignment of group attributes (such as
server names, application names and IP addresses), there are two descriptor fields for each entity.
You can use the contents of these fields to create naming standards to support dynamic group
assignment.

Credential Manager users are also grouped, which simplifies the design and implementation of the
security policies used to manage them.

Credential Manager User Groups and Roles are distinct and separate from CA Privileged Access
Manager User Groups and Roles. See Credential Manager Grouping Terminology (see page 348).

Authorization groupings do not apply to reports, metrics, or application-to-application credential
requests.

Credential Manager Grouping Terminology


In CA Privileged Access Manager, Credential Manager User Groups and Roles are distinct and
separate from Access Manager User Groups and Roles.

A target account password can be accessed from Credential Manager by either a user or a request
script:

A user creates a password request from the GUI, from the CLI, or from a program that uses the
Java API.

A request script executes a request to the A2A client.

To filter access to passwords, target accounts and request scripts can be partitioned into target
groups and requestor groups. Credential Manager user groups can then be defined to permit only
selected operations on a target or request group.

The following table describes grouping terminology.


Target Group
    A target group is a collection of Credential Manager devices (target servers), target
    applications, or target accounts that meet specific filter criteria (for example, all target
    servers that have the identifier London in the Descriptor2 field). A single target can belong
    to multiple target groups. When a target group consists of target servers, all applications
    and accounts on that server are automatically contained within that target group.

Requestor Group
    A requestor group is a collection of requestor servers (A2A Clients) or requestors (scripts)
    that meet specific filter criteria (for example, all requestor servers that have the
    identifier New York in the Descriptor1 field). A single requestor can belong to multiple
    requestor groups. When a requestor group consists of requestor servers, all applications on
    that server are automatically contained within that requestor group.

Roles
    Each role is a collection of actions that can be performed in Credential Manager. You can
    build roles for each series of permissions you want to assign CA Privileged Access Manager
    users.

User Group
    A collection of all CA Privileged Access Manager users who are dynamically determined from a
    Credential Manager role, a target group, or a request group. Credential Manager User Groups
    are distinct and separate from CA Privileged Access Manager User Groups. See User Groups and
    Roles in CA Privileged Access Manager and Credential Manager. If the Target Group is not
    specified in a Credential Manager User Group, then members of the User Group do not have
    access to any target servers, target applications, or target accounts. If the Request Group
    is not specified, members of the User Group do not have access to any A2A clients or scripts.

Users
    Users are CA Privileged Access Manager user accounts. Each Credential Manager user belongs to
    one or more user groups. The user groups define what targets and requestors the user can see
    and what actions the user can perform on the CA Privileged Access Manager interfaces.

Filter
    A condition that is assigned to a target group or requestor group that determines which
    target or requestor objects are accessible by members of the target or requestor group.

User Groups and Roles in CA Privileged Access Manager and Credential Manager

Credential Manager User Groups are distinct and separate from CA Privileged Access Manager User
Groups.

A CA Privileged Access Manager User Group is:

A static association of specific CA Privileged Access Manager Users. Some User attributes, such as
(Access) Roles and Access Time, can be assigned at the group level.

Listed on the Users, Manage Groups page. CA Privileged Access Manager User Groups are created
or edited from a template opened on that page.

A Credential Manager User Group is:

A collection of all CA Privileged Access Manager users who are dynamically determined from a
Credential Manager role, a target group, or a request group.

Listed on the Policy, Manage Passwords, Groups, User Groups page. Credential Manager User
Groups are created or edited from a template opened on that page, or through CLI commands.

A User Group can be assigned to a CA Privileged Access Manager user that has a CA Privileged
Access Manager role with the credentialsManage permission. Once a CA Privileged Access
Manager user has the credentialsManage permission, the user can be assigned to a
Credential Manager group with the User template on the Users, Manage Users page. The Users,
Manage Users page has a "PM Group" pull-down menu. The following preset CA Privileged Access
Manager roles have the credentialsManage permission:

Global Administrator

Operational Administrator

Password Manager

Similarly, CA Privileged Access Manager roles are configured with the Roles template on the Users,
Manage Roles page. Credential Manager roles are configured on the Policy, Manage Passwords,
Groups, Roles page. Credential Manager roles are created or edited from a template opened on that
page, or through CLI commands.

Target and Requestor Group Filters for Dynamic Groups

Add filters to dynamic target and requestor groups to define which elements belong to the group.
When using the GUI to add a target or requestor group, you add filters from the Group List page.
Filter attributes are displayed as checkboxes on the Group List page and filter types are selected from
a drop-down list.

When using the CLI to add a dynamic target or requestor group, you add filters as a separate
command (addFilter) after you add the target or requestor group. The following table describes
the filters that you can create.

Filter Object (Filter.objectClassId)   Filter Attribute (Filter.attribute)   Description

Target server (c.cw.m.ts)              Host name (hostName)                  Host name for the target server.
                                       ipAddress (IPAddress)                 IP address for the target server.
                                       descriptor1 (Attribute.descriptor1)   Descriptor for the target server.
                                       descriptor2 (Attribute.descriptor2)   Descriptor for the target server.

Target application (c.cw.m.tp)         Name (name)                           Name of the target application.
                                       Type (type)                           Type (target connector) of the target application.
                                       descriptor1 (Attribute.descriptor1)   Descriptor for the target application.
                                       descriptor2 (Attribute.descriptor2)   Descriptor for the target application.

Target account (c.cw.m.ac)             accountName (userName)                Account user name for the target account.
                                       accessType (accessType)               Access type for the target account.
                                       descriptor1 (Attribute.descriptor1)   Descriptor for the target account.
                                       descriptor2 (Attribute.descriptor2)   Descriptor for the target account.

Requestor server (c.cw.m.rs)           Host name (hostName)                  Host name for the requestor server.
                                       ipAddress (IPAddress)                 IP address for the requestor server.
                                       descriptor1 (Attribute.descriptor1)   Descriptor for the requestor server.
                                       descriptor2 (Attribute.descriptor2)   Descriptor for the requestor server.

Requestor application (c.cw.m.sc)      Name (name)                           Script name for the requestor application.
                                       Type (type)                           Script type for the requestor application.
                                       descriptor1 (Attribute.descriptor1)   Descriptor for the requestor application.
                                       descriptor2 (Attribute.descriptor2)   Descriptor for the requestor application.
                                       File path (filePath)                  Path to the script file.
                                       Execution Path (executionPath)        Path from which the application is launched.

Add Dynamic and Static Target Groups

For dynamic group assignments in CA Privileged Access Manager, you can apply target group filters to
target servers, target applications, or target accounts.

When you apply multiple filters within a dynamic target group, filters that use the same attribute (for
example, Host Name) are applied using a logical or relationship. For example, if a target group
contains a server filter for Paris as the host name, and a server filter for Production as the host name,
then the group contains target servers with either Paris or Production in their host name. Filters that
use different attributes are applied using a logical and relationship. For example, if a group contains a
server filter for Paris as the host name, and an account filter for siteAdmin as the account name, then
the group contains only siteAdmin accounts running on servers with Paris in their host name.
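The OR-within-an-attribute, AND-across-attributes rule described above, as an added Python illustration (not CA Privileged Access Manager code). The sample inventory, the account values, and case-sensitive matching are constructed assumptions; the filter fields are the ones the addFilter CLI command takes.

```python
"""Dynamic target group membership under the filter rules described above.

Added illustration, not product code: filters on the same (objectClassId,
attribute) pair are OR-ed, filters on different attributes are AND-ed.
"""
from collections import defaultdict

# Filter object classes, as listed in the filter table on this page.
TS, TP, AC = "c.cw.m.ts", "c.cw.m.tp", "c.cw.m.ac"

# Filter types by name. "contains" is the type shown on this page; matching is
# assumed to be case-sensitive here.
FILTER_TYPES = {
    "contains": lambda value, expression: expression in value,
}

# Constructed sample inventory. Each target account record carries the
# attributes of its server and application, so one record can be tested
# against server, application, and account filters at once.
TARGET_ACCOUNTS = [
    {TS: {"hostName": "Paris-db01", "IPAddress": "192.0.2.10"},
     TP: {"name": "orders", "type": "oracle"},
     AC: {"userName": "siteAdmin", "accessType": "constructed"}},
    {TS: {"hostName": "Paris-db01", "IPAddress": "192.0.2.10"},
     TP: {"name": "orders", "type": "oracle"},
     AC: {"userName": "appuser", "accessType": "constructed"}},
    {TS: {"hostName": "Production-web02", "IPAddress": "192.0.2.20"},
     TP: {"name": "shop", "type": "unixII"},
     AC: {"userName": "root", "accessType": "constructed"}},
    {TS: {"hostName": "London-fs01", "IPAddress": "192.0.2.30"},
     TP: {"name": "files", "type": "windows"},
     AC: {"userName": "siteAdmin", "accessType": "constructed"}},
]


def make_filter(object_class, attribute, expression, filter_type="contains"):
    """One filter, using the same fields the addFilter CLI command takes."""
    return {"objectClassId": object_class, "attribute": attribute,
            "type": filter_type, "expression": expression}


def matches_dynamic_group(filters, account):
    """True if the account belongs to a dynamic target group with these filters."""
    by_attribute = defaultdict(list)
    for f in filters:
        by_attribute[(f["objectClassId"], f["attribute"])].append(f)
    for (object_class, attribute), same_attribute in by_attribute.items():
        value = account.get(object_class, {}).get(attribute, "")
        # Filters on the same attribute are OR-ed: one match is enough ...
        if not any(FILTER_TYPES[f["type"]](value, f["expression"])
                   for f in same_attribute):
            return False  # ... while different attributes are AND-ed.
    return True


def resolve_dynamic_group(filters, accounts=TARGET_ACCOUNTS):
    """Labels (host/application/user) of the accounts the group contains."""
    return ["%s/%s/%s" % (a[TS]["hostName"], a[TP]["name"], a[AC]["userName"])
            for a in accounts if matches_dynamic_group(filters, a)]


# Same attribute, two expressions: servers with Paris OR Production in the host name.
PARIS_OR_PRODUCTION = [make_filter(TS, "hostName", "Paris"),
                       make_filter(TS, "hostName", "Production")]
# Different attributes: Paris in the host name AND siteAdmin as the account name.
PARIS_SITEADMIN = [make_filter(TS, "hostName", "Paris"),
                   make_filter(AC, "userName", "siteAdmin")]
# Application type filter, using the connector identifier from the Application
# Type table on this page.
UNIX_APPS = [make_filter(TP, "type", "unixII")]

if __name__ == "__main__":
    for label, group_filters in [("Paris or Production servers", PARIS_OR_PRODUCTION),
                                 ("siteAdmin on Paris servers", PARIS_SITEADMIN),
                                 ("unixII applications", UNIX_APPS)]:
        print(label, "->", resolve_dynamic_group(group_filters))
```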

For static group assignments, you define the specific servers, applications, and accounts that are
members of the group. Static groups provide precise control over the accounts within the group. On
the UI, selecting an account automatically populates the server and application filters of the static
group with appropriate information. Use static groups to assign specific target accounts to a group
for management.

If no target accounts are defined for the static group, all target accounts associated with the target
applications in the static group are managed.


Credential Manager is preconfigured with the dynamic target group All Targets. The default
Credential Manager Administrator account, super, is assigned to the All Targets group.

Credential Manager allows you to show all the targets that are associated with a specific target
group. This capability allows you to validate that you have set your resource assignments and target
filters appropriately.

Add a Dynamic Target Group

Use the following procedure to add a dynamic target group from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, click Targets, Target Groups. The Group List page
appears.

3. Click Add Dynamic Group. The Group Details page appears.

4. Enter the group Name.

5. (Optional) Enter the group Description.

6. Add filters to a server, application, or account. Repeat this procedure for each filter you want
to add.

a. Click the check box for the filter you want to apply. The filter attribute is displayed on the
screen.

b. Click the Not Specified link. The filter pop-up appears over the window.

c. Select the filter type from the drop-down list (for example, contains).

d. Enter the filter expression (for example, 192.0.2).

When creating a filter for Application Type, use the following table to supply the filter
expression.

Application Type                    Enter the following text as the filter expression.

AS400                               AS400
AWS Access Credentials Accounts     AwsAccessCredentials
AWS Proxy Credential Accounts       AwsApiProxyCredentials
Cisco                               CiscoSSH
Juniper Junos                       juniper
LDAP                                ldap
MSSQL                               mssql
MYSQL                               mysql
Oracle                              oracle
SPML v2.0                           SPML2
UNIX                                unixII
VMWare ESX/ESXi                     vmware
VMWare NSX Controller               nsxcontroller
VMWare NSX Manager                  nsxmanager
VMWare NSX Proxy                    nsxproxy
WebLogic                            weblogic10
Windows Domain Services             windowsDomainService
Windows Proxy                       windows

e. Click + to add the expression.

f. Click Save. The Filter specification is listed.

7. Click Save.
After you add filters, click Save at the bottom of the page to commit the target group to
Credential Manager.

Use the following procedure to add a dynamic target group from the CLI.

Follow these steps:

1. Add a target group. Remember to specify dynamic or static. For example:

capam_command adminUserID=admin capam=mycompany.com cmdName=addGroup Group.name=TokyoTargets Group.description="Targets in Tokyo" Group.type=target Group.dynamic=true

2. Enter your password at the prompt. Credential Manager returns the following XML command
string. Note the ID value, because it is the required Group.ID value in the addFilter
command.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<Group>
<name>TokyoTargets</name>
<permissions>[]</permissions>
<type>target</type>
<readOnly>false</readOnly>
<description>Targets in Tokyo</description>
<dynamic>true</dynamic>
<ID>5</ID>
<createDate>Thu May 08 09:42:52 EDT 2008</createDate>
<createUser>admin</createUser>
<hash>eGuxUhVerHQile7mjKyW9b/ZJ04=</hash>
<updateDate>Thu May 08 09:42:52 EDT 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType />
</Group>
</cr.result>
</CommandResult>

3. Add a filter. For example, adding a target server host name filter:

capam_command adminUserID=admin capam=mycompany.com cmdName=addFilter Group.ID=5 Filter.objectClassId=c.cw.m.ts Filter.attribute=hostName Filter.type=contains Filter.expression="mydomain"

4. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<Filter>
<type>contains</type>
<attributeName>hostName</attributeName>
<groupID>5</groupID>
<objectClassID>c.cw.m.ts</objectClassID>
<expression>mydomain</expression>
<ID>7</ID>
<createDate>Thu May 08 09:47:35 EDT 2008</createDate>
<createUser>admin</createUser>
<hash />
<updateDate>Thu May 08 09:47:35 EDT 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType />
</Filter>
</cr.result>
</CommandResult>

View All Targets Belonging to an Existing Target Group

Use the following procedure to view all targets belonging to an existing target group from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, click Targets, Target Groups. The Group List page
appears.

3. Click the target group that you want to view. The Group Details page appears.

4. Click Show. The list of targets matching the criteria within the group displays.

5. Click OK.

Add a Static Target Group

Use the following procedure to add a static target group from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, click Targets, Target Groups. The Group List page
appears.

3. Click Add Static Group. The Group Details page appears.

4. Enter the group Name.

5. (Optional) Enter the group Description.

6. Add the servers, applications, and accounts over which the group should have control.

a. Click + for the entity you want to add. A list of available resources appears. The
following figure shows a typical page that appears when you click + for applications.

b. Select the desired resources from the list.

c. Click Select.

Note:

All accounts are listed in the Find Account popup. Selecting a specific
account populates the server and application filters with the associated
server and application information for that account.

7. Click Save.
When modifying target group data, click Save at the bottom of the page to commit the
changes to Credential Manager.

Add Dynamic and Static Requestor Groups

For dynamic group assignments, you can apply requestor group filters to requestor servers and
requestors.


When you apply multiple filters within a dynamic requestor group, filters that use the same attribute
(for example, Host Name) are applied using a logical or relationship. For example, if a requestor
group contains a server filter for Paris as the host name, and a server filter for Production as
the host name, then the group contains requestor servers with either Paris or Production in their
host name. Filters that use different attributes are applied using a logical and relationship. For
example, if a group contains a server filter for Paris as the host name, and an account filter for
siteAdmin as the account name, then the group contains only siteAdmin accounts running on
servers with Paris in their host name.

Credential Manager is preconfigured with the dynamic requestor group All Requestors. The
default Credential Manager Administrator account, admin, is assigned to the All Requestors group.

Credential Manager allows you to show all the requestors associated with a specific requestor group.
You can validate that you have set your resource assignments and requestor filters appropriately.

Add Dynamic Requestor Groups

Use client and script filters to define a requestor group dynamically. Filters provide added flexibility
for defining group members.

When dealing with many scripts, you can eliminate the need to provision each script manually. Set
the script filters to access all client applications having a particular file or execution path. If you define
Path File or Execution File filters, then all scripts in the path that meet the filter criteria become
members of the script group. The group includes scripts that are defined in the Credential Manager
database and those scripts that are not.

If a credential request (GetScriptCredentials) is from a script that is not defined in the
Credential Manager database, but matches an authorization mapping with a requestor group which
contains the filters Type, Descriptor1, and Descriptor2, then the credential request fails. The data for
these filters does not exist in the database until the script is provisioned.

Use the following procedure to add a dynamic requestor group from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select A2A, Request Groups. The Group List page
appears.

3. Click Add Dynamic Group. The Group Details page appears.

4. Enter the group Name.

5. (Optional) Enter the group Description.

6. Add filters to a client or script. Repeat this procedure for each filter you want to add to the
list.

a. Click the checkbox for the filter you want to apply. The filter attribute is displayed on the
screen.

b. Click the Not Specified link. The filter pop-up appears.

c. Select the filter type from the drop-down list (for example: contains).

d. Enter the filter expression (for example: 10)

e. Click + to add the expression.

f. Click Save.

7. Click Save.
When modifying filter data, click Save at the bottom of the page to commit the changes to
Credential Manager.

Use the following procedure to add a dynamic requestor group from the CLI.

Follow these steps:

1. Add a requestor group. For example:

capam_command adminUserID=admin capam=mycompany.com cmdName=addGroup Group.name=NewYorkRequestors Group.description="Requestors in New York" Group.type=requestor Group.dynamic=true

2. Enter your password at the prompt. Credential Manager returns the following XML command
string. Note the ID value, because it is the required Group.ID value in the addFilter
command.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<Group>
<ID>4</ID>
<createDate>Tue Apr 08 10:21:21 EDT 2008</createDate>
<updateDate>Tue Apr 08 10:21:21 EDT 2008</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>jrLLJH7U5QUFjNux1GD1avKk/qc=</hash>
<name>NewYorkRequestors</name>
<description>Requestors in New York</description>
<type>requestor</type>
<dynamic>true</dynamic>
<readOnly>false</readOnly>
<permissions>[]</permissions>
</Group>
</cr.result>
</CommandResult>

3. Add a filter. For example, adding a requestor server host name filter:

capam_command adminUserID=admin capam=mycompany.com cmdName=addFilter Group.ID=4 Filter.objectClassId=c.cw.m.rs Filter.attribute=hostName Filter.type=contains Filter.expression="mydomain"

4. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<Filter>
<ID>7</ID>
<createDate>Tue Apr 08 10:23:02 EDT 2008</createDate>
<updateDate>Tue Apr 08 10:23:02 EDT 2008</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>
</hash>
<expression>mydomain</expression>
<type>contains</type>
<objectClassID>c.cw.m.rs</objectClassID>
<attributeName>hostName</attributeName>
<groupID>4</groupID>
</Filter>
</cr.result>
</CommandResult>

View All Requestors Belonging to an Existing Requestor Group

Use the following procedure to view all requestors belonging to an existing requestor group from the
GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select A2A, Request Groups. The Group List page
appears.

3. Click the requestor group that you want to view. The Group Details page appears.

4. Click Show. The list of requestors matching the criteria within the group displays.

5. Click OK.


Add a Static Requestor Group

Use the following procedure to add a static requestor group from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select A2A, Request Groups. The Group List page
appears.

3. Click Add Static Group. The Group Details page appears.

4. Enter the group Name.

5. (Optional) Enter the group Description.

6. Add the clients and requestors over which the group should have control.

a. Click + for the entity (Client; Script) you want to add. A list of available resources
appears.

b. Select one or more resources from the list.

c. Click Select.

7. Click Save.
When modifying requestor group data, click Save at the bottom of the page to commit the
changes to Credential Manager.

Add or Modify Roles

CA Privileged Access Manager Credential Manager allows you to define roles that determine which
actions the user can perform in the Credential Manager. For a complete list and description of
possible actions, see Credential Manager CLI User Interface Actions (https://docops.ca.com/display
/CAPAM28/Credential+Manager+CLI+User+Interface+Actions).

When selecting available permissions for a role, Credential Manager requires the associated get
and list permissions. For example, if you want a user to addAgent or deleteAgent, you must also
add permission to getAgent.

Credential Manager is preconfigured with the following roles:

FirecallApprover: This role provides a user with the ability to approve password view requests
only. This role is usually assigned to users with a view type of General User.

FirecallAutoConnect: This role is deprecated and should not be used.

FirecallUser: This role provides a user with the ability to view target account passwords only. This
role is usually assigned to users with a view type of General User.

ReadOnly: This role provides a user access to most of the Credential Manager interface, but they
cannot change any information on the pages they access. Users with this role can view target
account passwords. Users with this role are different from users with a view type of General User,
who can access only a very limited subset of the Credential Manager interface.

RequestorAdmin: This role provides a user permission to access and update only requestor
information. You might give this role to personnel doing requestor integration for A2A
integration. Users with this role cannot add script authorizations and do not have access to any
target or user information.

ScriptAuthorizationAdmin: This role allows a user to add script authorizations. You might give
this role to personnel doing requestor integration for A2A integration.

ServerAdmin: This role provides the User access to all Credential Manager administrative
functions, except those provided in the Targets, Applications; Targets, Aliases; A2A or Groups
menus.

System Admin: This is the default role used by Credential Manager to provide access to all
Credential Manager functionality. Do not modify this role.

TargetAdmin: This role allows a user to access and update only target information. You might give
this role to database administrators who need to register and manage database accounts using
Credential Manager. Users with this role can add and update password policies; however, they
cannot delete password policies. Users with this role do not have access to any requestor or user
information.

UserAdmin: This role allows a user to administer Credential Manager Roles and Credential
Manager User Groups. Users with only this role do not have access to any target or requestor
information, nor to individual User accounts or (regular) User Groups.

ViewReports: This role lets a user generate and view Credential Manager reports.

BaseRole: This role is used internally. Do not modify this role.

Modify a Preconfigured Role

Use the following procedure to modify a preconfigured role from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Groups, Roles. The Roles List page appears.

3. Select the role you want to modify (for example, RequestorAdmin). The available
permissions display on the Role Details page.

4. Add or remove permissions using the < and > buttons.

5. Click Save.

Add a Role
Use the following procedure to add a role from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Groups, Roles. The Roles List page appears.

3. Click Add. A blank Role Details page appears.

4. Supply a role Name and Description.

5. Add or remove permissions using the < and > buttons.

6. Click Save.

Use the following procedure to add a role from the CLI.

Follow these steps:

1. Add a role. For example:

capam_command adminUserID=admin capam=mycompany.com cmdName=addRole Role.name=patchMgrRole Role.description="Manages patches" Role.permissions=activatePatch,activatePatchNow,addPatch,deletePatch,deletePatchDetail,getPatchDetail,listPatch,listPatchDetailSummary,updatePatch,updatePatchDetail,updatePatchDetailList

For a complete list and description of Role.permissions, see Credential Manager CLI
User Interface Actions (https://docops.ca.com/display/CAPAM28
/Credential+Manager+CLI+User+Interface+Actions).

2. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<Role>
<ID>11</ID>
<createDate>Tue Apr 08 10:31:28 EDT 2008</createDate>
<updateDate>Tue Apr 08 10:31:28 EDT 2008</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>SD0la6QKWvtwUPILIy5eznW7I7I=</hash>
<name>patchMgrRole</name>
<description>Manages patches</description>
<permissions>[activatePatch, activatePatchNow, addPatch, deletePatch,
deletePatchDetail, getPatchDetail, listPatch, listPatchDetailSummary,
updatePatch, updatePatchDetail, updatePatchDetailList]</permissions>
<readOnly>false</readOnly>
<hidden>false</hidden>
</Role>
</cr.result>
</CommandResult>

Add User Groups

CA Privileged Access Manager Credential Manager user groups provide a mapping of a single target
group, requestor group, and role. To allow for flexibility, each Credential Manager administrative user
can belong to multiple user groups.

Note:

After an upgrade, customers may see a new user group called Base Users. The Base Users
group is a container for users that are not associated to any other user group. CA
Technologies recommends that customers associate any Base Users to other more
meaningful user groups.

Use the following procedure to add a Credential Manager user group from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Groups, User Groups. The User Groups page
appears.

3. Click Add. The User Group Details page appears.

4. Enter a unique Name for the user group.

5. (Optional) Enter a Description for the user group.

6. Select a Role.

7. Select a Target Group.

8. Select a Request Group.

9. Click Save.

The Show Users button displays the list of user group members.

Use the following procedure to add a Credential Manager user group from the CLI.

Follow these steps:

1. Add a user group. For example:

capam_command adminUserID=admin capam=mycompany.com cmdName=addUserGroup UserGroup.name=LonUserGroup UserGroup.description="London user group" UserGroup.roleID=11 UserGroup.groups=3,2

2. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<UserGroup>
<name>LonUserGroup</name>
<readOnly>false</readOnly>
<description>London user group</description>
<role />
<roleID>11</roleID>
<groups>[]</groups>
<groupIDs>[2, 3]</groupIDs>
<ID>2</ID>
<createDate>Thu May 08 08:57:16 EDT 2008</createDate>
<createUser>admin</createUser>
<hash>D8VjGl43dB45/altCCiikvXebbw=</hash>
<updateDate>Thu May 08 08:57:16 EDT 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType />
</UserGroup>
</cr.result>
</CommandResult>
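The CLI procedures on this page (addGroup and addFilter for target and requestor groups, addRole, and addUserGroup) each chain the ID from one CommandResult reply into the next command. This added Python example, which is not part of the product, parses a reply, checks that it reports success, and builds the dependent command. The replies are constructed from the samples above, the failure reply and its code are assumptions, and capam_command itself is not executed.

```python
"""Parse Credential Manager CommandResult replies and chain IDs into the next
capam_command invocation. Added illustration, not product code."""
import shlex
import xml.etree.ElementTree as ET


class CommandFailed(Exception):
    """Raised when a CommandResult does not report success."""


def parse_command_result(xml_text, element):
    """Return the child elements of <cr.result>/<element> as a dict.

    The sample replies on this page report success as cr.statusCode 400 with
    cr.statusDescription "Success.", so the description is the success test
    here rather than an HTTP-style reading of the number.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CommandFailed("reply is not well-formed XML: %s" % exc)
    if root.tag != "CommandResult":
        raise CommandFailed("unexpected root element <%s>" % root.tag)
    description = (root.findtext("cr.statusDescription") or "").strip()
    if description != "Success.":
        raise CommandFailed("%s (cr.statusCode %s)"
                            % (description, root.findtext("cr.statusCode")))
    node = root.find("cr.result/" + element)
    if node is None:
        raise CommandFailed("reply has no <%s> element" % element)
    return {child.tag: (child.text or "").strip() for child in node}


def reply_succeeded(xml_text, element):
    """True when the reply parses and reports success."""
    try:
        parse_command_result(xml_text, element)
        return True
    except CommandFailed:
        return False


def capam_command_line(cmd_name, params):
    """Render a capam_command invocation, quoted for a POSIX shell."""
    words = ["capam_command", "adminUserID=admin", "capam=mycompany.com",
             "cmdName=" + cmd_name]
    words += ["%s=%s" % (key, value) for key, value in params.items()]
    return " ".join(shlex.quote(word) for word in words)


def add_filter_command(group_reply, object_class, attribute, filter_type, expression):
    """addFilter for the group an addGroup reply returned (Group.ID comes from <ID>)."""
    group_id = parse_command_result(group_reply, "Group")["ID"]
    return capam_command_line("addFilter", {
        "Group.ID": group_id,
        "Filter.objectClassId": object_class,
        "Filter.attribute": attribute,
        "Filter.type": filter_type,
        "Filter.expression": expression,
    })


def add_user_group_command(target_reply, requestor_reply, role_reply, name, description):
    """addUserGroup mapping one target group, one requestor group and one role.

    UserGroup.groups takes the target and requestor group IDs; UserGroup.roleID
    takes the role ID, as in the addUserGroup example above.
    """
    target_id = parse_command_result(target_reply, "Group")["ID"]
    requestor_id = parse_command_result(requestor_reply, "Group")["ID"]
    role_id = parse_command_result(role_reply, "Role")["ID"]
    return capam_command_line("addUserGroup", {
        "UserGroup.name": name,
        "UserGroup.description": description,
        "UserGroup.roleID": role_id,
        "UserGroup.groups": "%s,%s" % (target_id, requestor_id),
    })


def _reply(element, body, description="Success.", code="400"):
    """Constructed CommandResult reply in the shape of the samples on this page."""
    return ("<CommandResult><cr.itemNumber>0</cr.itemNumber>"
            "<cr.statusCode>%s</cr.statusCode>"
            "<cr.statusDescription>%s</cr.statusDescription>"
            "<cr.result><%s>%s</%s></cr.result></CommandResult>"
            % (code, description, element, body, element))


# Constructed replies carrying the IDs used in the examples above (5, 4, 11).
TARGET_GROUP_REPLY = _reply("Group", "<name>TokyoTargets</name><type>target</type>"
                                     "<dynamic>true</dynamic><ID>5</ID>")
REQUESTOR_GROUP_REPLY = _reply("Group", "<ID>4</ID><name>NewYorkRequestors</name>"
                                        "<type>requestor</type>")
ROLE_REPLY = _reply("Role", "<ID>11</ID><name>patchMgrRole</name>")
# Constructed failure; the real failure codes and texts are not shown on this page.
FAILED_REPLY = _reply("Group", "", description="Group name already exists.", code="0")

if __name__ == "__main__":
    print(add_filter_command(TARGET_GROUP_REPLY, "c.cw.m.ts", "hostName",
                             "contains", "mydomain"))
    print(add_user_group_command(TARGET_GROUP_REPLY, REQUESTOR_GROUP_REPLY,
                                 ROLE_REPLY, "LonUserGroup", "London user group"))
```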


Add and Run Credential Manager A2A Requestors

Devices of type A2A are also known as Request Servers or Requestors. Provisioning these CA
Privileged Access Manager devices requires coordinated setup in the following locations:

In the CA Privileged Access Manager provisioning framework, by specifying a device of type A2A

On the physical device, by installing the A2A Client

Either setup can be performed first, except when you are deploying A2A Devices within an AWS VPC.

To deploy an AWS AMI instance as an A2A Device, do not manually add the Device before installing
the A2A Client. Instead, create the instance in AWS, and allow CA Privileged Access Manager to import
it automatically. When this happens, CA Privileged Access Manager recognizes the internal IP address
of the device. After you install the A2A Client, it registers with the server using that AWS-internal
address.

To process credential requests, follow these steps:

1. Activate the request server (A2A Device). This step is not required when the A2A Device has
already been provisioned.

2. Associate the request script.

3. Add the authorization mapping.

A2A Client Connection Security

When an A2A Client registers with Credential Manager, Credential Manager identifies the client by
the following data, in this order:

1. The fingerprint for the host on which the client resides, if fingerprinting is enabled

2. A unique client token

3. DNS

When a requestor application requests credentials, the credentials remain encrypted as they are
transferred over the network. The A2A Client decrypts the credentials before passing them to the
requestor.


Fingerprinting
A server fingerprint consists of a combination of hardware characteristics, for example CPU serial
numbers and network IDs. Credential Manager dynamically calculates the fingerprint of the server
executing a script to validate the physical machine identity of the credential requestor.

Unique Client Token

The client token is a unique request server identifier that identifies the client in the Credential
Manager database. When a client initially registers with Credential Manager, the server generates a
unique token for the client. For subsequent client requests, the server uses the token to retrieve
credentials from the database.

DNS
Credential Manager uses the client host name as part of the client authentication process. Reverse IP
lookup is also possible, if needed.

Request Server Auto-Registration

You can register request servers as A2A-enabled devices in the Devices menu manually or
automatically.

If you provision a CA Privileged Access Manager Device before an A2A Client is installed, then
upon receipt of an A2A Client login, Credential Manager automatically updates the request server
information in an active state.

If you install an A2A Client before you provision it in CA Privileged Access Manager, then upon
receipt of an A2A Client login, Credential Manager automatically adds the request server
information in an inactive state. It then flags the request in the GUI for the Credential Manager
administrator to activate.

Authorization Mapping
Credential Manager ensures target credential security by requiring you to authorize requestors to
retrieve the target credentials through a target alias. You can authorize various combinations of
requestors, request servers, and request groups to retrieve credentials for a target alias or for a
target group. Once the request group, request server, and request scripts are registered, Credential
Manager uses authorization mapping to associate them with a target alias or a target group.

When adding the authorization mapping, you can enable system-wide checks for request validation
or you can configure them in the GUI.

Option                                Scope

Request server                        Validated for every application
Application name                      Validated for every application
Application location                  Validated only if file path is checked
Application hash (script integrity)   Validated only if script integrity validation is checked
Execution user ID                     Validated only if execution user ID is checked
Execution path                        Validated only if execution path is checked

Integrity Verification
To support Integrity Verification, the file name, file path, and execution path must be registered in a
specific way. The way depends on the operating system of the client and the integration method
(Java, executable, DLL, or shared object) as described in the following table.

Integration Method: Java (CSPMClient class)
  Script name: The name of the class file containing the CSPMClient instantiation and
  getScriptCredentials call, without the class extension.
  File path: The absolute file path to the class file.
  Execution path: The absolute file path to the class file. UNIX file paths cannot contain
  symbolic links.

Integration Method: UNIX executable (cspmclient, cspmclient64)
  Script name: The name of the requestor file that contains the Credential Manager executable call.
  File path: The absolute path to the requestor file.
  Execution path: The absolute path from which the requestor is launched. UNIX file paths cannot
  contain symbolic links.

Integration Method: UNIX shared object library (libcspmclientc.so, libcspmclientc64.so)
  Script name: The name of the requestor file that contains the shared object call.
  File path: The absolute path to the requestor file.
  Execution path: The absolute path from which the requestor is being launched. UNIX file paths
  cannot contain symbolic links.

Integration Method: Windows executable (cspmclient.exe, cspmclient64.exe)
  Script name: The name of the requestor file that contains the executable call, including the
  file extension.
  File path: The absolute path to the application file that contains the executable call.
  Execution path: The absolute path from which the application is launched.

Integration Method: Windows DLL
  Script name: The name of the requestor file that contains the call to getCredentials, including
  the file extension.
  File path: The absolute path to the requestor file containing the DLL call.
  Execution path: The absolute path from which the application is launched.

The absolute file path is the complete path without symbolic links. To print the absolute file path in
UNIX, use the command pwd -P.
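As an added example (not from the CA documentation or the A2A Client), the following Python derives the three registration values for a UNIX requestor the way the table above prescribes: it resolves symbolic links as pwd -P does, reports which components of an unresolved path are links, and drops the .class extension for the Java integration. The directory layout and the symbolic link it uses are constructed in a temporary directory.

```python
"""Derive Credential Manager request-script registration data for a requestor.

Added example, not part of the CA documentation or the A2A Client. It applies the
Integrity Verification rules: File path and Execution path are absolute paths with
every symbolic link resolved (what `pwd -P` prints), and the Script name keeps its
extension except for the Java integration, which registers the bare class name.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegistrationData:
    """The three values entered for a request script, plus its type."""
    script_name: str
    file_path: str
    execution_path: str
    script_type: str


def resolved_dir(path: str) -> str:
    """Absolute directory path with every symbolic link resolved (like `pwd -P`)."""
    return os.path.realpath(os.path.abspath(path))


def symlink_components(path: str) -> List[str]:
    """Every prefix of the unresolved absolute path that is itself a symbolic link.

    An empty list means `pwd` and `pwd -P` agree and the path can be registered as is.
    """
    parts = os.path.abspath(path).split(os.sep)
    prefixes = [os.sep.join(parts[:i]) for i in range(2, len(parts) + 1)]
    return [p for p in prefixes if os.path.islink(p)]


def registration_data(requestor_file: str, script_type: str,
                      launch_dir: Optional[str] = None) -> RegistrationData:
    """Derive Script name / File path / Execution path for one requestor.

    requestor_file: the file containing the Credential Manager call (the .class file
                    for the Java integration, the script or executable otherwise).
    launch_dir:     directory the requestor is launched from; defaults to the
                    requestor's own directory, as in the examples table.
    """
    name = os.path.basename(requestor_file)
    if script_type.lower() == "java" and name.endswith(".class"):
        name = name[: -len(".class")]          # Java: class name without the extension
    file_dir = resolved_dir(os.path.dirname(requestor_file) or ".")
    exec_dir = resolved_dir(launch_dir) if launch_dir else file_dir
    return RegistrationData(name, file_dir, exec_dir, script_type)


def demo() -> dict:
    """Constructed layout: <tmp>/real/examples holds two requestors, <tmp>/link -> <tmp>/real.

    Invoking example.pl through the link is the case the documentation warns about: the
    registered File path must be the resolved one, or integrity verification fails.
    """
    root = tempfile.mkdtemp()
    real = os.path.join(root, "real", "examples")
    os.makedirs(real)
    for fname in ("example.pl", "Example.class"):
        open(os.path.join(real, fname), "w").close()
    link = os.path.join(root, "link")
    os.symlink(os.path.join(root, "real"), link)

    via_link = os.path.join(link, "examples", "example.pl")
    return {
        "root": os.path.realpath(root),
        "perl": registration_data(via_link, "Perl"),
        "java": registration_data(os.path.join(real, "Example.class"), "Java"),
        "links_in_path": symlink_components(via_link),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```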

Example Requestors
Each A2A Client includes example applications. The examples are located in the
$CSPM_CLIENT_HOME/cspmclient/examples directory.

The UNIX version of the A2A Client supports symbolic links in the File Path field only.

Example | Integration Method | Registration Data

Executable: example.pl (source file: example.pl)
  Integration method: cspmclient
  Script name: example.pl
  File path: $CSPM_CLIENT_HOME/cspmclient_v.4.1.0/examples
  Execution path: $CSPM_CLIENT_HOME/cspmclient_v.4.1.0/examples
  Script type: Perl

Executable: Run_example, Example.class (source file: Example.java)
  Integration method: Java
  Script name: Example
  File path: $CSPM_CLIENT_HOME/cspmclient_v.4.1.0/examples
  Execution path: $CSPM_CLIENT_HOME/cspmclient_v.4.1.0/examples
  Script type: Java

Executable: example_c_interface_java (source file: example.c)
  Integration method: cspmclient
  Script name: example_c_interface_java
  File path: $CSPM_CLIENT_HOME/cspmclient_v.4.1.0/examples
  Execution path: $CSPM_CLIENT_HOME/cspmclient_v.4.1.0/examples
  Script type: C

Executable: example.ksh (source file: example.ksh)
  Integration method: cspmclient
  Script name: example.ksh
  File path: $CSPM_CLIENT_HOME/cspmclient_v.4.1.0/examples
  Execution path: $CSPM_CLIENT_HOME/cspmclient_v.4.1.0/examples
  Script type: ksh

When entering Credential Manager request script data, you must enter the actual value
for $CSPM_CLIENT_HOME.

Example | Integration Method | Registration Data

Executable: VB_Sample (source directory: VB_Sample)
  Integration method: Credential Manager MFC DLL
  Script name: VB_Sample.exe
  File path: $CSPM_CLIENT_HOME\cspmclient\examples\VB_Sample
  Execution path: $CSPM_CLIENT_HOME\cspmclient\examples\VB_Sample
  Script type: VB

Executable: VC_Sample (source directory: VC_Sample)
  Integration method: Credential Manager MFC DLL
  Script name: VC_Sample.exe
  File path: $CSPM_CLIENT_HOME\cspmclient\examples\VC_Sample
  Execution path: $CSPM_CLIENT_HOME\cspmclient\examples\VC_Sample
  Script type: C

Executable: VBScriptSample.html (source directory: VB_Script_Sample)
  Integration method: Credential Manager ATL DLL
  Script name: VBScriptSample.html
  File path: $CSPM_CLIENT_HOME\cspmclient\examples\VB_Script_Sample
  Execution path: $CSPM_CLIENT_HOME\cspmclient\examples\VB_Script_Sample
  Script type: VB

Executable: JavaScriptSample.htm (source directory: Java_Script_Sample)
  Integration method: Credential Manager ATL DLL
  Script name: JavaScriptSample.htm
  File path: $CSPM_CLIENT_HOME\cspmclient\examples\Java_Script_Sample
  Execution path: $CSPM_CLIENT_HOME\cspmclient\examples\Java_Script_Sample
  Script type: Java

Activate or Deactivate Request Servers


This procedure requires that you install and start the A2A Client. Upon the first launch of the A2A
Client, Credential Manager automatically registers the server hosting the Client as a Request Server in
an inactive state.

Important:

This procedure assumes that you have:

Installed the A2A Client software

Started the A2A Client daemon (UNIX) or service (Windows) so that it is now running

Follow these steps:

1. Select Devices, Manage Devices.

2. From the Device list on that page, identify the A2A Client by its Device Name and/or IP
address. Open its record.

3. In the Request Client panel, select the Active check box.

4. Click Save to activate the A2A Client in the Credential Manager server, and exit the template.

To deactivate a request server, repeat the previous procedure but clear the Active check box.

Clearing the Device Type: A2A check box also undoes the registration. However, in this case the A2A
Client responds by reregistering the request server. If you change the device Address without
changing the Device Name before the A2A Client reregisters, the A2A Client does not successfully
reregister. The Tomcat log contains an error entry stating that the Credential Manager server “could
not register the [request server because] Device Name [name] already exists.”

Add Requestors
To implement A2A scripts, you add requestors in CA Privileged Access Manager. This procedure
assumes that you have registered the request server and set it to the active status. (See Install an
A2A Client for Credential Management
(https://docops.ca.com/display/CAPAM28/Install+an+A2A+Client+for+Credential+Management).)
Example Requestors (see page 368) provide registration data for the examples.

Use the following procedure to add requestors from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select A2A, Scripts.
The Script List page appears.

3. Click Add.
The Script Details page appears.

4. Click the magnifying glass to find an existing client or click the + to add a new client.

5. Enter the Script or Application Name, File Path, Execution Path, and script Type.

6. If using target groupings, enter descriptors for the target application.

7. Click Save.
The Script List page updates with the registered request scripts.

Use the following procedure to retrieve the script hash from the GUI.

Follow these steps:

1. Click A2A, Scripts.

2. Select the script you want to retrieve the hash for.
The Script Details page appears.

3. Click Get Script Hash. If you are unable to retrieve the script hash, ensure that the server
hosting the A2A Client is not blocking communication to Credential Manager. By default, A2A
Client listens on port 28888.

4. Click Save.

Use the following procedure to add requestors from the CLI.

Follow these steps:

1. Add a request server:

capam_command adminUserID=admin capam=mycompany.com cmdName=addRequestServer RequestServer.hostName=Vienna-Lab4.cloakware.com RequestServer.ipAddress=11.2.0.4 RequestServer.active=true RequestServer.type=CLIENT Attribute.descriptor1=Vienna Attribute.descriptor2=Lab

2. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<RequestServer>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:45:56 UTC 2007</createDate>
<updateDate>Mon Nov 12 15:45:56 UTC 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>/fvVAT2Ri4AN7zYCsweyB++/9ow=</hash>
<hostName>Vienna-Lab4.cloakware.com</hostName>
<IPAddress>11.2.0.4</IPAddress>
<type>CLIENT</type>
<port>1</port>
<oldKey>
</oldKey>
<currentKey>13a3a6811160561bf8f69acf66f37f24a97b7e2b99b4afbbe61bade35c0b4108991057a80ac4c9ecabef1d0657f14ad9911f26061bf0a4feb952e717807a72bd90663f62b2a21c35c11e414331a01b18594eb56c5da497ccf990f23b1855adadf294ba50e93fd25824950c4ef6115db67f61d81edb2ebb2cbc619e2cd97786c60bd4c5e9b9a615131e8d8da7001b4b45dcaeca9be3b13a46efe5449729adf9399ef5b67cdfabcbc60f7d298c151e50ec64060d5fd3c5e74652ba4198497c2933f3ef2e15600e7174467054f2b19a26fdf5c5d1ee080b0e7d5cc269daa947e59320083de7143c6c8ff757d41a98d8caace690129a88e5d4e472039f8f2bc7061e7a913e070075e7dc90cdd1a248cf1ea78e5d00c9429535b5023068472c817c36fe8a9af1bb615a6d357ace3ec30cfd1a1edf07982b95517a9066f4e0d0ce716a10f9111943a4f9e144ba0a8f198c2a02e58df5eb0b77c7845900af8105eebc7e</currentKey>
<autoPatch>true</autoPatch>
<pendingAcknowledgement>true</pendingAcknowledgement>
<active>true</active>
<actionRequired>false</actionRequired>
<action>
</action>
<currentFingerprint>
</currentFingerprint>
<pendingFingerprint>
</pendingFingerprint>
<currentFingerprintDate>
</currentFingerprintDate>
<pendingFingerprintDate>
</pendingFingerprintDate>
<osName>
</osName>
<osVersion>
</osVersion>
<osArchitecture>
</osArchitecture>
<clientType>
</clientType>
<clientVersion>
</clientVersion>
</RequestServer>
</cr.result>
</CommandResult>

3. Add a request script:

capam_command adminUserID=admin capam=mycompany.com cmdName=addRequestScript RequestServer.hostName=Vienna-Lab4.cloakware.com RequestScript.name=example.pl RequestScript.executionPath=/opt/cloakware/cspmclient_v.3.5.0/examples RequestScript.type=Perl RequestScript.filePath=/opt/cloakware/cspmclient_v.3.5.0/examples Attribute.descriptor1=Vienna Attribute.descriptor=Lab

4. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<RequestScript>
<ID>1</ID>
<createDate>Mon Nov 12 15:47:35 UTC 2007</createDate>
<updateDate>Mon Nov 12 15:47:35 UTC 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>/14qoJ1SI63KgaTIKDZD8J5lWvs=</hash>
<name>example.pl</name>
<filePath>/ope/cloakware/cspmclient_v.3.5.0/examples</filePath>
<executionPath>/opt/cloakware/cspmclient_v.3.5.0/examples</executionPath>
<type>Perl</type>
<requestServerID>1</requestServerID>
<scriptHash>
</scriptHash>
</RequestScript>
</cr.result>
</CommandResult>

Add Authorization Mappings


For requestors to retrieve credentials successfully, you must authorize them. Requestor
authorizations are known as authorization mappings. You can configure authorization mappings
between:

A requestor (script) and a target alias

A request server and a target alias

A request group and a target alias

A requestor (script) and a target group

A request server and a target group

A request group and a target group

A mapping to a target group includes all aliases for all accounts in the group. A mapping from a
request server can include all applications (scripts) on the server or can be restricted to a specific
script. A mapping from a request group includes all applications (scripts) in the group.

For each mapping, you can have the following verified:

Execution user ID

Execution path

File path to application

Application hash (script integrity)

Note:

Before adding an authorization mapping, add the target alias or target group, request
server, or request server group, and request script if necessary. If there is no verification of
the script (such as integrity verification or execution path), then a request script entry is
not required for an authorization with a request group mapping.

When you create a dynamic requestor script group using the filter File Path or Execution Path, the
group contains all scripts in the path that satisfy the filter criteria. The group includes those scripts
that are defined in the Credential Manager database and those scripts that are not. When mapping a
script group created with these filters, be attentive to how you set the Check Execution Path and
Check File Path checkboxes in the Authorization Details page to avoid unexpected results. If you
select the Check Execution Path and/or Check File Path checkboxes, the authorization mapping is
restricted to only those scripts that are in the Credential Manager database. Any scripts in the group
that are not defined in the database are excluded from the authorization mapping. If you clear the
checkboxes, all scripts in the group are included in the authorization mapping.

Use the following procedure to add an authorization mapping from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select A2A, Mappings. The Authorization List page
appears with a list of existing authorizations.

3. Click Add. The Authorization Details screen appears.

4. Select for Target either Group or Alias.

5. Click the magnifying glass to search for a specific target group or alias.

6. Select for Request either Group or Client.

7. Click the magnifying glass to search for a specific A2A requestor group or client.

8. Specify whether the mapping applies to all applications (scripts) on the request server or an
individual application (script). If the mapping applies to an individual script, click the
magnifying glass to find the specific script or type the script name in the field.
This step does not apply for A2A requestor groups because the mapping applies to all scripts
on the requestor servers in the A2A requestor group.

9. Select Check Execution User ID.

10. Enter one or more execution user IDs. Separate multiple user IDs with commas.

11. If required, select Check Execution Path. Selecting this check box restricts the authorization to
provisioned scripts only.

12. If required, select Check File Path. Selecting this check box restricts the authorization to
provisioned scripts only.

13. Select Perform Script Integrity Validation.

Note:

If Credential Manager does not allow you to select Perform Script Integrity
Validation, Credential Manager does not have a valid script hash. Add the
authorization mapping without checking the Perform Script Integrity Validation, and
run a successful query from the requestor. Then, update the authorization mapping
to select Perform Script Integrity Validation.

14. Click Save.

Use the following procedure to add an authorization from the CLI.

Follow these steps:

1. Add an authorization mapping:

capam_command adminUserID=admin capam=mycompany.com cmdName=addAuthorization TargetAlias.name=ViennaAlias5 RequestServer.hostName=Vienna-Lab4.cloakware.com RequestScript.name=example.pl RequestScript.executionPath=/opt/cloakware/cspmclient_v.3.3.0/examples Authorization.checkExecutionID=true Authorization.executionUser=root Authorization.checkPath=true Authorization.checkScriptHash=true

2. Enter your password at the prompt. Credential Manager returns the following XML command
string.

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<Authorization>
<ID>1</ID>
<createDate>Mon Nov 12 15:51:06 EST 2007</createDate>
<updateDate>Mon Nov 12 15:51:06 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>XOPh+2zvQDphQ0M4LPzLfyTPoiw=</hash>
<executionUser>root</executionUser>
<targetAliasID>1</targetAliasID>
<scriptID>1</scriptID>
<requestServerID>1</requestServerID>
<checkPath>false</checkPath>
<checkExecutionUser>true</checkExecutionUser>
<checkScriptHash>false</checkScriptHash>
<checkFilePath>false</checkFilePath>
</Authorization>
</cr.result>
</CommandResult>
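The returned record reports checkPath and checkScriptHash as false even though the command set them to true, so the returned record, not the submitted command, is what to inspect to see which checks are in force. The following Python, an added example that is not part of the CA documentation or product, parses that Authorization record and applies the scope rules from the Authorization Mapping table to a constructed request: request server and application name are always compared, the other four options only when their check flag is true. The RegisteredScript and Request structures are assumptions made for the illustration.

```python
"""Which request-validation checks an authorization mapping actually enforces.

Added example, not part of the CA documentation or product. It reads the
<Authorization> element from an addAuthorization CommandResult and evaluates a
constructed request against the scope rules of the Authorization Mapping table.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Abridged copy of the addAuthorization result shown above, embedded as test input.
RESULT_XML = """<CommandResult>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<Authorization>
<ID>1</ID>
<executionUser>root</executionUser>
<targetAliasID>1</targetAliasID>
<scriptID>1</scriptID>
<requestServerID>1</requestServerID>
<checkPath>false</checkPath>
<checkExecutionUser>true</checkExecutionUser>
<checkScriptHash>false</checkScriptHash>
<checkFilePath>false</checkFilePath>
</Authorization>
</cr.result>
</CommandResult>"""


@dataclass(frozen=True)
class Authorization:
    request_server_id: str
    script_id: str
    execution_users: List[str]        # the GUI field is comma-separated
    check_execution_user: bool        # <checkExecutionUser>
    check_execution_path: bool        # <checkPath>
    check_file_path: bool             # <checkFilePath>
    check_script_hash: bool           # <checkScriptHash>


@dataclass(frozen=True)
class RegisteredScript:
    """Assumed view of what Credential Manager holds for the request script."""
    name: str
    file_path: str
    execution_path: str
    script_hash: Optional[str]        # None until Get Script Hash has succeeded


@dataclass(frozen=True)
class Request:
    """Assumed view of what is known about a credential request at evaluation time."""
    server_id: str
    script_name: str
    file_path: str
    execution_path: str
    execution_user: str
    script_hash: Optional[str]


def parse_authorization(xml_text: str) -> Authorization:
    auth = next(ET.fromstring(xml_text).iter("Authorization"), None)
    if auth is None:
        raise ValueError("result contains no <Authorization> element")

    def flag(tag: str) -> bool:
        return (auth.findtext(tag) or "").strip().lower() == "true"

    users = [u.strip() for u in (auth.findtext("executionUser") or "").split(",") if u.strip()]
    return Authorization(
        request_server_id=(auth.findtext("requestServerID") or "").strip(),
        script_id=(auth.findtext("scriptID") or "").strip(),
        execution_users=users,
        check_execution_user=flag("checkExecutionUser"),
        check_execution_path=flag("checkPath"),
        check_file_path=flag("checkFilePath"),
        check_script_hash=flag("checkScriptHash"),
    )


def evaluate(auth: Authorization, script: RegisteredScript, req: Request) -> Dict[str, bool]:
    """Run exactly the checks the mapping enforces; keys follow the Option column of the table."""
    results = {
        "request server": req.server_id == auth.request_server_id,
        "application name": req.script_name == script.name,
    }
    if auth.check_file_path:
        results["application location"] = req.file_path == script.file_path
    if auth.check_script_hash:        # without a stored hash, integrity can never be confirmed
        results["application hash"] = (script.script_hash is not None
                                       and req.script_hash == script.script_hash)
    if auth.check_execution_user:
        results["execution user ID"] = req.execution_user in auth.execution_users
    if auth.check_execution_path:
        results["execution path"] = req.execution_path == script.execution_path
    return results


def authorized(results: Dict[str, bool]) -> bool:
    return all(results.values())
```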

View Unsuccessful Client Requests


All requests made to Credential Manager are stored in the Credential Manager database. You can
view unsuccessful A2A client requests from the Dashboard by clicking the item Failed A2A Client
Request In Last 30 Days in the Dashboard Summary list.

Run an Example Application


This section describes running an example application on either a UNIX client or a Windows client.

Run an Example Application on a UNIX Client


Follow these steps:

1. Launch the example with the target alias and bypass cache flags:

/opt/cloakware/cspmclient/examples/example.pl SydneyAlias1 true

Note:

When using Integrity Verification in UNIX, you must use the complete path to
invoke the requestor script.

A successful query provides the user name and password associated with the target alias. For
example, running the Java example on a UNIX-based A2A Client yields the following result:

/opt/cloakware/cspmclient/examples/Run_example testAlias1 true

Status Code: 400
UsedId: someaccount
Password: q6YIbGECP0C261Xo
PASSED

Run an Example Application on a Windows Client


Follow these steps:

1. In Windows Explorer, browse to the $CSPM_CLIENT_HOME\cspmclient\examples folder. For
VB_Sample and VC_Sample, browse to the appropriate folder.

2. Double-click VB_Sample.exe or VC_Sample.exe. The sample application launches.

3. In the VB_Sample window, fill in the Target Alias field, and click Get Script Credentials. A
successful query displays the userID and password in a new pop-up window.

Start or Stop an A2A Client


In Windows, you can start and stop the A2A Client using the Windows Services Administrative tool or
a command line.

Start the A2A Client


Use the following procedure to start the A2A client on UNIX.

1. Enter the following command:

cspmclientd start

Use the following procedure to start the A2A client on Windows.

Follow these steps:

1. Start the service cspmclientd using the Services Administrative tool.
The steps to start the service using the Windows Services Administrative tool depend on your
Windows platform. For example, to start the service with Windows 7, click Start, Control
Panel, Administrative Tools, Services, select cspmclientd in the Services list and then click
Start.
- or -
Open a command line window and enter the following command:

net start cspmclientd

Stop the A2A Client


Use the following procedure to stop the A2A client on UNIX.

1. Enter the following command:

cspmclientd stop

Use the following procedure to stop the A2A client on Windows.

Follow these steps:

1. Stop the service cspmclientd using the Services Administrative tool.
The steps to stop the service using the Windows Services Administrative tool depend on your
Windows platform. For example, to stop the service with Windows 7, click Start, Control
Panel, Administrative Tools, Services, select cspmclientd in the Services list and then click
Stop.
- or -
Open a command line window and enter the following command:

net stop cspmclientd

Modify the A2A Client Configuration File


There can be instances where you want to edit the A2A Client configuration file. Some examples
might include:

Changing a configuration that is not included in the installer. Example: port numbers.

Applying a configuration change after installation. Example: changing the log file location.

Modifying the logging level to debug a problem.

The A2A client configuration file is located here:

$CSPM_CLIENT_HOME/cspmclient/config/cspm_client_config.xml

where $CSPM_CLIENT_HOME is the location and name of your installation directory, for example
/opt/cloakware.

The following table describes the XML tags in the A2A Client configuration file.

<applicationtype>
  Valid values are cspm or cspm_agent. The default value is cspm.

<cacheallow>
  Enables or disables caching for the A2A Client. The default value is true.
  This setting overrides the CA Privileged Access Manager appliance cacheBehavior setting. If the
  <cacheallow> XML tag is true, then the client behaves as specified by the CA Privileged Access
  Manager appliance cacheBehavior setting. If the <cacheallow> XML tag is false, then the CA
  Privileged Access Manager appliance cacheBehavior setting is ignored.

<loglevel>
  Specifies the log level. Valid values are severe, warning, info, fine and off. The entry is
  case insensitive. The default value is warning. The off setting means log messages are not
  generated.

<cspmserver>
  Specifies the host name of the CA Privileged Access Manager appliance. The installer sets this
  value.

<cspmserver_port>
  The port on which the CA Privileged Access Manager appliance listens. The default is blank.
  For HTTPS, the default is 443. If the server port is changed from 443, you must modify this
  value.

<daemonserver1_port>
  The A2A Client uses this port to listen for local requests from client stubs. The daemon
  validates that the request is local. The default value is 28088.

<daemonserver2_port>
  The A2A Client uses this port to listen for requests from the CA Privileged Access Manager
  appliance. The default value is 28888. When this value is set to 1, the A2A client does not
  listen for external requests and instead enables polling (that is, it polls the CA Privileged
  Access Manager appliance for event information).

<eventpolling_interval>
  Specifies the interval in seconds after which the A2A Client polls the CA Privileged Access
  Manager appliance for events. This entry is optional. If this value is not present, the A2A
  Client uses the default polling interval of 120 seconds.

<logfile>
  Specifies the location of the log file used by the A2A Client, specifically the UNIX daemon or
  Windows service. The installer sets this value.

<c_logfile>
  The log file used by the service and stateless client interface stubs. The default is
  C:\WINDOWS\TEMP\cspm_c_client_log.txt on Windows Server 2008 R2 and
  /tmp/cspm_c_client_log.txt on UNIX platforms. The log file must be in a directory to which all
  users of the A2A Client have write access.

<patch>
  Specifies patch management attributes, as in the following XML tags: frequency, starthour, and
  endhour.

<frequency>
  Specifies the frequency at which the A2A Client polls the CA Privileged Access Manager appliance
  to check for an upgrade. Valid values are daily or weekly. The default value is daily.

<starthour>
  Determines the start of the interval within which the A2A Client randomly polls the CA
  Privileged Access Manager appliance for a version check. Valid values are 0-23. The default
  value is 0 (12 A.M.).

<endhour>
  Determines the end of the interval within which the A2A Client randomly polls the CA Privileged
  Access Manager appliance for a version check. Valid values are 0-23. The default value is 5
  (5 A.M.).

<operation>
  For internal use only.

View A2A Client Logs


You can view A2A Client logs with the GUI, so you can troubleshoot client issues. This is not available
for clients with event polling enabled.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click A2A, Clients. The Client List page appears.

3. Click the host name of the server where the A2A client whose logs you want to view is
installed. The Client Details page appears.
When the A2A client is not reachable from the site server, you must log into the site where
the A2A client is registered.

4. Click the Get Logs button. A zip file containing the Tomcat logs directory is downloaded to
your browser. The default maximum file size is 20 MB. You can configure the maximum file
size using the getLogsMaxSize property setting (SystemProperty.SYSTEM_PROPERTY_MAX_LOG_SIZE).
For further details, see the description of the setSystemProperty CLI command.

Update an A2A Client Key


The A2A Client key is used to encrypt communication between the A2A Client and the CA Privileged
Access Manager appliance. As an added layer of security, you can choose to update the A2A Client
key on a regular basis to mitigate possible detection and misuse of the key.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click A2A, Clients. The Client List page appears.

3. Click the host name of the server where the A2A client whose key you want to update is
installed. The Client Details page appears.

4. Click the Change Key button.

Refresh All A2A Client Script Hashes


A2A Client script hashes are used during integrity verification of A2A request scripts or applications.
See Integrity Verification (see page 367). If you update or change an A2A request script or
application, you must refresh the script hashes to avoid false integrity violations.

You can refresh the script hash for all the request applications on the specified request server (A2A
Client) from the GUI as well as from the CLI.

Use the following procedure to refresh the script hash for all the request applications from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click A2A, Clients. The Client List page appears.

3. Click the host name of the server where the A2A client whose script hash you want to refresh
is installed. The Client Details page appears.

4. Click the Get All Script Hash button.

To refresh the script hash for all the request applications from the CLI, run the getAllScriptHash
CLI command. For further details, see getAllScriptHash
(https://docops.ca.com/display/CAPAM28/getAllScriptHash).

Check A2A Client Connection Status


You can verify the connection status of an A2A Client from the GUI as well as from the CLI. The A2A
Client connection status is shown as Online, Offline or Unknown on the Client List page.

The following table describes the different A2A Client connection status values and the condition
under which the A2A Client has that status.

Icon           Status   Condition
Green bubble   Online   The A2A Client has connected to the CA Privileged Access Manager appliance
                        within the configured threshold.
Yellow bubble  Unknown  The A2A Client has not connected to the CA Privileged Access Manager
                        appliance within the configured threshold.
Red bubble     Offline  The A2A Client service cspmclientd is stopped.

Use the following procedure to verify the A2A Client connection status from the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click A2A, Clients. The Client List page appears.

3. Click the host name of the server where the A2A Client whose status you want to verify is
installed. The Client Details page appears.
The Connection Status field displays the previous connection status icon followed by the last
status updated date and time.

4. Click the Check Connection Status button. The updated A2A Client connection status is
displayed in Connection Status field with a connection status icon followed by the connection
status updated date and time.

Use the following procedure to verify the A2A Client connection status from the CLI.

Follow these steps:

1. Retrieve the request server ID by running the searchRequestServer CLI command.

2. Use the resulting request server ID in the checkConnectionStatus CLI command. The
following is an example:

capam_command adminUserID=admin capam=mycompany.com cmdName=checkConnectionStatus RequestServer.ID=1001

3. Enter your password at the prompt. Credential Manager returns the following XML command
string:

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<RequestServer>
<type>CLIENT</type>
<port>28888</port>

<osName>Windows 7</osName>
<osVersion>7.0</osVersion>
<active>true</active>
<action></action>
<osPlatform>win</osPlatform>
<clientVersionNum>4.4.1</clientVersionNum>
<currentFingerprint>aXrPcM52mlPUH+yqaDqjN6+wi+8=</currentFingerprint>
<currentKey>{1}
fec6fe90d3c5b63aaad9f1f0f084554a426a8909448c7e9239544e5f0de55217a4d9a3d6736317c
2a413a3865e2725de0244323fcd02ce1aea0afd29396145f6</currentKey>
<oldKey>{1}
58005ca6fbf6101d7428cda4580ed8c5437fc5e1ab3e24d3c7c53dcffed3809311a18ff0ce7c7c5
175a769b8f4e762f012b6783450f4b4b4d60e9131c32223a2</oldKey>
<pendingAcknowledgement>false</pendingAcknowledgement>
<osArchitecture>x86</osArchitecture>
<patchStatus>Idle</patchStatus>
<previousClientVersion></previousClientVersion>
<pendingFingerprint></pendingFingerprint>
<pendingFingerprintDate></pendingFingerprintDate>
<actionRequired>false</actionRequired>
<connectionStatus>1</connectionStatus>
<preserveHostName>false</preserveHostName>
<clientType>java</clientType>
<siteID>1000</siteID>
<connectionStatusUpdateDate>Thu May 05 11:39:43 UTC 2011</connectionStatusUpdateDate>
<currentFingerprintDate>2011-05-05 10:00:42.477</currentFingerprintDate>
<lastPatchStatusChangeDate></lastPatchStatusChangeDate>
<hostName>xp-sushma.cpa.intra</hostName>
<IPAddress>192.168.0.230</IPAddress>
<ID>1001</ID>
<Attribute.cspm_serverkeyid>1</Attribute.cspm_serverkeyid>
<Attribute.descriptor1></Attribute.descriptor1>
<Attribute.descriptor2></Attribute.descriptor2>
<createDate>Thu May 05 10:00:42 UTC 2011</createDate>
<updateDate>Thu May 05 10:59:00 UTC 2011</updateDate>
<updateUser>CSPM_CLIENT</updateUser>
<extensionType></extensionType>
<createUser>CSPM_CLIENT</createUser>
<hash>j3kMJ+3DBi/EQXSV76bdZ5Or15Q=</hash>
</RequestServer>
</cr.result>
</CommandResult>

Configure an A2A Client to Use Another Server


If you have previously used your A2A Client installation for one server and are now pointing it to a
different server, you must delete the following cache file before starting the A2A Client daemon or
service again:

$CSPM_CLIENT_HOME/cspmclient/config/data/.cspmclient.dat

where $CSPM_CLIENT_HOME is the location and name of your installation directory, for example
/opt/cloakware.

Use the following procedure to reconfigure an A2A Client to use a different CA Privileged Access
Manager appliance.

Follow these steps:

1. Stop the A2A Client. See Stop the A2A Client (see page ).

2. Navigate to $CSPM_CLIENT_HOME/cspmclient/config/data/.

3. Delete the .cspmclient.dat file.

4. Update the <cspmserver> entry in the A2A Client configuration with your new server
name. The following is an example:
<cspmserver>new_server.company.com</cspmserver>
The configuration file is located at $CSPM_CLIENT_HOME/cspmclient/config
/cspm_client_config.xml.

5. Restart the A2A Client. See Start the A2A Client (see page ).

Configure the A2A Client Multi-Home Feature


With the Multi-Home feature, administrators can specify alternate CA Privileged Access Manager
appliance addresses (and ports) for use in the A2A Client configuration file. When a connection to the
CA Privileged Access Manager appliance is made, the A2A Client attempts to connect to each address
in sequential order. If no attempts are successful, an error code is returned.

Multi-Home Alternate Address Restrictions


Before you configure the Multi-Home feature for Credential Manager, keep in mind the following
restriction:

Administrators should reconfigure their DNS server entry rather than hardcode entries into the
A2A Client configuration file.

Multi-Home Configuration Procedure


Follow these steps:

1. Open the A2A Client configuration file:


$CSPM_CLIENT_HOME/cspmclient/config/cspm_client_config.xml
where $CSPM_CLIENT_HOME is your installation directory, for example /opt/cloakware.

2. Enter XML entries for cspmserver and cspmserver_port as shown in the following
example. This example specifies three pairs of entries, one pair for each of the servers. The
order of the entries in the file determines the connection order.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<applicationtype>cspm</applicationtype>
<cacheallow>true</cacheallow>
<loglevel>WARNING</loglevel>
<cspmserver>cspm1.cloakware.com</cspmserver>
<cspmserver_port></cspmserver_port>
<cspmserver>cspm2.cloakware.com</cspmserver>
<cspmserver_port></cspmserver_port>
<cspmserver>cspm3.cloakware.com</cspmserver>
<cspmserver_port>80</cspmserver_port>
<daemonserver1_port>27088</daemonserver1_port>
<daemonserver2_port>28888</daemonserver2_port>
<logfile>C:\cspm\cloakware\cspmclient\log\cspm_client_log.txt</logfile>
<c_logfile>C:\WINDOWS\Temp\cspm_c_client_log.txt</c_logfile>
<patch>
<frequency>daily</frequency>
<starthour>0</starthour>
<endhour>5</endhour>
</patch>
<operation>production</operation>
</configuration>

3. Save your changes.

Configure A2A Client Event Polling


If you need to disable the external listening port for the A2A Client, then you must configure the A2A
Client to poll the CA Privileged Access Manager appliance for messages. Some example messages
from the CA Privileged Access Manager appliance to the A2A client include get script hash or
get fingerprint.

The A2A Client can poll the CA Privileged Access Manager appliance for event data. Administrators
can configure how the A2A Client retrieves event information by modifying the A2A Client
configuration file.

Important:

To enable event polling you must set the external listening port value to 1 in the A2A Client
configuration file.

When event polling is enabled, the A2A client contacts the CA Privileged Access Manager appliance at
a regular poll interval and queries the CA Privileged Access Manager appliance for event data. Events
are placed in the queue and remain in the queue until the A2A Client issues a request to retrieve
event data.

The default poll interval is 120 seconds.

Note:

Always exercise caution when configuring event polling. Enabling event polling increases
network traffic between the CA Privileged Access Manager appliance and A2A Client. If too
many A2A Clients run event polling it can create performance reductions at the appliance
because it increases the requests sent to the appliance.

Follow these steps:

1. Open the A2A Client configuration file:


$CSPM_CLIENT_HOME/cspmclient/config/cspm_client_config.xml
where $CSPM_CLIENT_HOME is your installation directory, for example /opt/cloakware.

Note:

CA Technologies recommends you use WordPad when editing the configuration file
in Windows.

2. In the A2A Client configuration file, modify the XML tags as follows:

<daemonserver2_port>1</daemonserver2_port>

3. To change the default polling interval, for example from 120 seconds to 180 seconds, add the
following element:

<eventpolling_interval>180</eventpolling_interval>

4. Save your changes.
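The Multi-Home server pairs from the earlier procedure and the event-polling tags from this one live in the same cspm_client_config.xml. The following Python script is an added example, not part of the CA documentation or of the A2A Client: it parses such a file, lists the servers in the order the client will try them (an empty cspmserver_port is left as the client's default), and reports whether event polling is enabled and at what interval. The class and function names are the author's own.

```python
"""Added example (not CA's code): inspect an A2A Client cspm_client_config.xml for the
Multi-Home connection order and the event-polling settings described in this section."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Values stated in the documentation: the default poll interval is 120 seconds, and
# setting daemonserver2_port (the external listening port) to 1 enables event polling.
DEFAULT_POLL_INTERVAL_SECONDS = 120
POLLING_ENABLED_PORT_VALUE = "1"


@dataclass
class ServerEntry:
    host: str
    port: Optional[int]  # None when <cspmserver_port> is empty (client default applies)


@dataclass
class A2AClientSettings:
    servers: List[ServerEntry] = field(default_factory=list)
    event_polling: bool = False
    poll_interval: int = DEFAULT_POLL_INTERVAL_SECONDS


def parse_a2a_config(xml_text: str) -> A2AClientSettings:
    """Read the ordered <cspmserver>/<cspmserver_port> pairs and the polling tags.

    Document order is significant (the client tries servers in file order), so the
    children are walked sequentially instead of being looked up by tag name.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError("expected <configuration> as the root element")

    settings = A2AClientSettings()
    pending_host: Optional[str] = None
    for child in root:
        if child.tag == "cspmserver":
            if pending_host is not None:
                # A host followed directly by another host carries no explicit port.
                settings.servers.append(ServerEntry(pending_host, None))
            pending_host = (child.text or "").strip()
            if not pending_host:
                raise ValueError("empty <cspmserver> entry")
        elif child.tag == "cspmserver_port":
            if pending_host is None:
                raise ValueError("<cspmserver_port> without a preceding <cspmserver>")
            port_text = (child.text or "").strip()
            port = int(port_text) if port_text else None
            if port is not None and not 1 <= port <= 65535:
                raise ValueError(f"invalid port {port} for {pending_host}")
            settings.servers.append(ServerEntry(pending_host, port))
            pending_host = None
    if pending_host is not None:
        settings.servers.append(ServerEntry(pending_host, None))
    if not settings.servers:
        raise ValueError("no <cspmserver> entries found")

    listening_port = root.findtext("daemonserver2_port", "").strip()
    settings.event_polling = listening_port == POLLING_ENABLED_PORT_VALUE
    interval_text = root.findtext("eventpolling_interval", "").strip()
    if interval_text:
        settings.poll_interval = int(interval_text)
        if settings.poll_interval <= 0:
            raise ValueError("eventpolling_interval must be a positive number of seconds")
    return settings


def connection_order(settings: A2AClientSettings) -> List[str]:
    """Servers as host or host:port strings, in the order the client attempts them."""
    return [f"{s.host}:{s.port}" if s.port is not None else s.host
            for s in settings.servers]


# Constructed sample: the Multi-Home example from this section, with event polling
# enabled and the poll interval raised to 180 seconds as in the procedure above.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <applicationtype>cspm</applicationtype>
  <cacheallow>true</cacheallow>
  <loglevel>WARNING</loglevel>
  <cspmserver>cspm1.cloakware.com</cspmserver>
  <cspmserver_port></cspmserver_port>
  <cspmserver>cspm2.cloakware.com</cspmserver>
  <cspmserver_port></cspmserver_port>
  <cspmserver>cspm3.cloakware.com</cspmserver>
  <cspmserver_port>80</cspmserver_port>
  <daemonserver1_port>27088</daemonserver1_port>
  <daemonserver2_port>1</daemonserver2_port>
  <eventpolling_interval>180</eventpolling_interval>
  <operation>production</operation>
</configuration>
"""
```

Run it against a real cspm_client_config.xml before and after editing to confirm the server order and the polling interval are what you intended.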

Reports
You can generate reports from Credential Manager data. Credential Manager stores audit, metric,
and event data in the database. Using this data, Credential Manager can produce the following
types of reports: activity, metric, SQL, and command.

Activity: Pulls data from the auditlog table in the Credential Manager database. These reports are
not customizable. An example is the Administrative Activities report.

Metrics: Pulls data from XML blocks within entries in the metrics table of the Credential Manager
database. All entries are available to the report. These reports can be customized. An example is
the Account Request report.

SQL: Generates reports by executing SQL queries on the database. These reports can be
customized. An example is the Orphaned Request Server report.

Command: Pulls data from CLI search command responses.

Credential Manager can produce a defined set of reports using these report types. The reports reflect
the time zone that the user selects or UTC. All reports are based on Coordinated Universal Time
(UTC). You can customize metrics and SQL reports to produce more reports.

Note:

Credential Manager uses pop-ups to display reports. Some web browsers might block pop-
ups. We recommend that you configure your browser to allow all pop-ups.

Report Size Limits


CA Privileged Access Manager recommends that you limit reports to include less than 5000 records,
although it is possible to run larger reports. The maximum size ultimately depends on the type of
report, its output format, and the available memory in Credential Manager. If an HTML report runs
out of memory, try generating a CSV or a PDF file instead.

Use the following procedure to set the number of Credential Manager report entries.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Settings, General Settings. The General Settings
page appears.

3. In the Maximum Number of Report Entries field, enter the desired number of report entries.
The default is 5000.

4. Click Save.

Alternatively, use the setReportRowLimit CLI command.

Available Reports
The following list describes available Credential Manager reports for CA Privileged Access Manager:

Account Password Updates: Displays a listing of accounts whose password was updated.

Account Requests: Displays account password retrieval requests. You can filter this report by:

Target alias name

Execution user ID

Request server host name

Request server IP address

Account address type

Accounts with Expired Passwords: Displays a list of accounts with expired passwords.

Accounts with Incorrect Passwords: Displays a listing of accounts whose passwords have not
been verified.

Administrative Activities: Displays administrative activities. You can filter this report by:

User name

Activity: Add or Update

Type of object: Target account or Target application

Authorization Mappings: Displays a list of all authorization mappings.

Automatically Updated Expired Passwords: Displays a list of accounts that are updated to comply
with applicable Maximum Age policy.

Cluster State: Displays a listing of cluster state changes. You can filter this report by the origin
host name.

Event Processing Status: Displays event status for request servers.

List all Target Accounts in a Target Group: Displays a listing of all target accounts in a group.

List all Target Applications in a Target Group: Displays a listing of all applications in a target
group.

List all Target Servers in a Target Group: Displays a listing of all target servers in a target group.

Orphaned Request Servers: Displays a list of request servers with no activity for one year.

Privileged Accounts: Displays list of privileged accounts.

Requests for Invalid Aliases: Displays requests for invalid aliases.

Scheduled Jobs: Displays scheduled job results.

View Password Requests: Displays a listing of view account password requests from the admin
UI.

Generate Reports
The GUI allows you to generate various reports on demand. They are listed on the Reports page of
the GUI. Audit, metric, and event data can be archived through the CLI.

Use the following procedure to generate a report from Credential Manager.

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Reports. The Reports page appears.

3. Select the report that you want to generate, for example, Administrative Activities.
The relevant report request popup appears.

4. If applicable, select a Quick Date range, or enter the Start and End Dates for the report.
Reports cover the period from 00:00:00 (midnight) of the start day to 23:59:59 of the end day.

5. Specify any additional parameters, including filters, that are specific for your report.

6. Select the Output Format type.

7. If your time zone is not already set to be UTC, select whether to use UTC or your time zone.

8. Click Run Report.


The report displays in a new browser window.

Note:

Your Web browser might first ask you to allow the report to be displayed.

Schedule Reports
Credential Manager allows you to schedule jobs that run the selected report and email the output to
the selected recipients. Recipients can be selected from all Credential Manager users with a valid
email address.

You can schedule report jobs with the following recurrence: daily, weekly, monthly, yearly, or after an
arbitrary number of days. Alternatively, you can schedule the report to occur only once at a specified
time.

Scheduled reports do not support filtering.

To view the status of scheduled jobs, generate the Scheduled Jobs Report. See Generate Reports (see
page 389).

Follow these steps:

1. Select Policy, Manage Passwords.

2. From the new tab/window menu bar, select Reports, Scheduled Jobs. The Scheduled Job List
page appears.

3. Click Add. The Scheduled Job Details page appears.

4. Enter the Job Name, which is a text description for the job.

5. Select the date and time for the initial job run.

6. Enter the Recurrence criteria. The Recurrence area updates based on your selection.

7. In the Report Name field, select the type of report you want to generate.

8. Select the Quick Dates for the timeframe that you want the report to cover. Reports cover the
period from 00:00:00 (midnight) of the start day to 23:59:59 of the end day. The Start Date
and End Date fields update automatically, and are recalculated each time that the report is
run.

9. If your time zone is not UTC, select whether to display the report times in UTC or your time
zone.

10. Select the output format: HTML on the current page, CSV export file, or PDF generated
document.

11. Move the desired email recipients from the Available Recipients list to the Selected Recipients
list. As a default, the logged-in user is saved in the Selected Recipients list.

12. Click Save.

Limit the Size of the Report Email Attachment


You can configure the maximum size of a report email attachment through the
reportAttachmentLimit system property. When a report exceeds the size set through this
property, the email is not sent.

The following example sets the attachment size limit through the reportAttachmentLimit
system property:

capam_command adminUserID=admin capam=mycompany.com cmdName=setSystemProperty propertyName=reportAttachmentLimit propertyValues=5

cspmserver_admin -u admin cmdName=setSystemProperty propertyName=reportAttachmentLimit propertyValues=5

The following table shows the details of the reportAttachmentLimit system property:

Property Name: reportAttachmentLimit
Value: Maximum size of a report email attachment (for example, 1)
Required: N/A
Notes: This is an integer value in MB. Default value is 5 MB.
encryptValue: False

System Properties
The following table details the system properties available in Credential Manager. You can set the
following system properties through the setSystemProperty CLI command.

To set a system property, you must specify the name of the system property, set its value and
encryptValue parameter (if applicable) with the setSystemProperty CLI command.

For further details, see setSystemProperty (https://docops.ca.com/display/CAPAM28/setSystemProperty).

Each entry lists the Property Name, its Default Value, the Value Description, and Notes.

clientInactivityCheckHours
Default Value: 30
Value Description: N/A
Notes: This property is for use by CA Technologies support to help with debugging customer
issues. We recommend that customers do not change the default value.

eventsCountThresholdValue
Default Value: N/A
Value Description: N/A
Notes: Used to set the threshold count of the unprocessed child events.

eventProcessorPoolSize
Default Value: 10 (if not set)
Value Description: N/A
Notes: Used to set the pool size of the event processor. If this property is not set to any value,
its default value is considered as 10.

targetAccountPasswordExpirationEnabled
Default Value: False
Value Description: N/A
Notes: Set the property value to True to enable automatic updating of expired passwords.

emailServerHost
Default Value: mail.yourdomain.com
Value Description: Host name of the mail server

emailServerPort
Default Value: 25
Value Description: Port number
Notes: Port number the SMTP service is listening on.

emailTransportType
Default Value: smtp
Value Description: SMTP transport type
Notes: Email

emailTargetAccountID
Value Description: ID of the target email account

oneclickServerHost
Default Value: N/A
Value Description: mail.yourdomain.com
Notes: Credential Manager Primary Host name.

emailFromAddress
Default Value: N/A
Value Description: view_requests@yourdomain.com
Notes: The "From" address for emails.

ViewPasswordReasons
Default Value: Severity 1: Manual recovery from server outage|Severity 1: Manual change due to
potential password breach|Severity 2: Password composition audit |Severity 3: Application
migration|Severity 3: Pre-production application testing|Other
Value Description: reason1|reason2
Notes: Multiple reasons are delimited by the | character. The reasons are shown in a drop-down
list when a user wants to view a password.

viewPasswordApprovalReasons
Default Value: Approve
Value Description: reason1|reason2
Notes: Multiple reasons are delimited by the | character. The reasons are shown in a drop-down
list when a user wants to approve a password view request.

viewPasswordDenialReasons
Default Value: Deny|Password request outside permitted window|Other
Value Description: reason1|reason2
Notes: Multiple reasons are delimited by the | character. The reasons are shown in a drop-down
list when a user wants to deny a password view request.

lunaPassword
Default Value: N/A
Value Description: N/A
Notes: Luna SA set partition password.

getLogsMaxSize
Default Value: 20 MB
Value Description: N/A
Notes: Used to configure the filesize for server logs, Windows proxy logs, or client logs.

emailRequestSubject
Default Value: Password View Request for target account @TargetAccount.getUserName@
Value Description: N/A
Notes: Property for configuring the request email. This is an optional property.

emailRequestBody
Default Value: Do not reply to this email. A password view request has been submitted by user
@User.getUserID@ to view the password for account @TargetAccount.getUserName@ of
application @TargetApplication.getName@ on server @TargetServer.getHostName@.
The password view request reason is @PasswordViewRequest.getReason@
(@PasswordViewRequest.getReasonDescription@). Please login to the CPA system and manage
this request.
Value Description: N/A
Notes: Property for configuring the request email. This is an optional property.

emailRequestStatusSubject
Default Value: Password View Request Status for account @TargetAccount.getUserName@
Value Description: N/A
Notes: Property for configuring the request status email. This is an optional property.

emailRequestStatusBody
Default Value: Do not reply to this email. The status of your request to view password for the
account @TargetAccount.getUserName@ of application @TargetApplication.getName@ in server
@TargetServer.getHostName@, is: @PasswordViewRequest.getStatusString@.
Value Description: N/A
Notes: Property for configuring the request status email. This is an optional property.

emailPasswordViewSubject
Default Value: Password of account @TargetAccount.getUserName@ has been accessed by
@User.getUserID@
Notes: Property for configuring the password view email. This is an optional property.

emailPasswordViewBody
Default Value: Do not reply to this email. The Password for the account
@TargetAccount.getUserName@ of application @TargetApplication.getName@ on server
@TargetServer.getHostName@ has been accessed by user @User.getUserID@.
Value Description: N/A
Notes: Property for configuring the password view email. This is an optional property.

emailPasswordViewRequestExpiredSubject
Default Value: Password View Request for account @TargetAccount.getUserName@ requested by
@User.getUserID@ has expired
Value Description: N/A
Notes: Property for configuring the expired password view request email. This is an optional
property.

emailPasswordViewRequestExpiredBody
Default Value: Do not reply to this email. The Password View Request for the account
@TargetAccount.getUserName@ of application @TargetApplication.getName@ on server
@TargetServer.getHostName@ requested by user @User.getUserID@ has expired.
Value Description: N/A
Notes: Property for configuring the expired password view request email. This is an optional
property.

emailOneClickPasswordApprovalSubject
Default Value: Do not reply to this email. <br><br>A password view request has been submitted
with the following details: <br>Requestor : @User.getUserID@<br> Requested Account:
@TargetAccount.getUserName@<br> Requested Account Target Application Name:
@TargetApplication.getName@ <br> Requested Account Target Server:
@TargetServer.getHostName@<br> Request Reason: @PasswordViewRequest.getReason@
(@PasswordViewRequest.getReasonDescription@)<br>Start Date:
@PasswordViewRequest.getStartDate@<br>End Date:
@PasswordViewRequest.getEndDate@<br><br><a href='@ApprovalURL@'>Click here to Approve
this Request</a><br><br><a href='@DenialURL@'>Click here to Deny this Request</a>
Value Description: N/A
Notes: Property for configuring one click approval email. This is an optional property.

emailOneClickPasswordApprovalBody
Default Value: Password View Request for target account @TargetAccount.getUserName@
Value Description: N/A
Notes: Property for configuring one click approval email. This is an optional property.

emailReportResultSubject
Default Value: Report results for @reportName@
Value Description: N/A
Notes: Property for configuring the report results email. This is an optional property.

emailReportResultBody
Default Value: Do not reply to this email. The @reportName@ report has been run. The attached
results encompass the period from @reportStartDate@ to @reportEndDate@.
Value Description: N/A
Notes: Property for configuring the report results email. This is an optional property.

Java API Example


The following is an example implementation of a Java API based application for use with Credential
Manager in CA Privileged Access Manager:

import java.util.ArrayList;
import java.util.List;

import com.cloakware.cspm.common.AdminAPICommandNames;
import com.cloakware.cspm.common.AdminAPIParameterNames;
import com.cloakware.cspm.server.bo.Authorization;
import com.cloakware.cspm.server.bo.Filter;
import com.cloakware.cspm.server.bo.Group;
import com.cloakware.cspm.server.bo.PasswordPolicy;
import com.cloakware.cspm.server.bo.PasswordViewPolicy;
import com.cloakware.cspm.server.bo.RequestScript;
import com.cloakware.cspm.server.bo.RequestServer;
import com.cloakware.cspm.server.bo.Role;
import com.cloakware.cspm.server.bo.TargetAccount;
import com.cloakware.cspm.server.bo.TargetAlias;
import com.cloakware.cspm.server.bo.TargetApplication;
import com.cloakware.cspm.server.bo.TargetServer;
import com.cloakware.cspm.server.bo.User;
import com.cloakware.cspm.server.bo.UserGroup;
import com.cloakware.cspm.server.ui.AdminAPI;
import com.cloakware.cspm.server.ui.AdminAPIFactory;
import com.cloakware.cspm.server.ui.Request;
import com.cloakware.cspm.server.ui.Result;

/**
* An implementation of a Java API based application.
*
* This program does not contain a complete list of commands and parameters.
* Refer to the Java Documentation for the Password
* Authority Java API or the CLI Documentation for the complete list.
*
* This program can be instantiated in your own program or can be executed
* through the Command Line.
*
* The Password Authority cliTool.jar must be in your Class Path to
* use this application.
*
* This application should only be used in Password Authority version 4.2.1 or
* above and Java 1.5 or above.
*
*/

public class JavaAPIExample {

private AdminAPI adminAPI;
private Result result;
private Request request;

private String passwordAuthorityServerKeyStore =
"C:\\Program Files\\Cloakware\\CSPM\\CSPM_backup\\cspm_admin.keystore";
private String passwordAuthorityUserName = "admin";
private String passwordAuthorityUserPassword = "admin4cspm!";
private String passwordAuthorityServerHostName = "localhost";

private TargetServer targetServer;
private TargetApplication targetApplication;
private TargetAccount targetAccount;
private TargetAlias targetAlias;
private RequestServer requestServer;
private RequestScript requestScript;
private Authorization authorization;
private Group targetGroup;
private Group requestGroup;
private Role role;
private UserGroup userGroup;
private PasswordPolicy passwordPolicy;
private PasswordViewPolicy passwordViewPolicy;
private User user;

//Target Server
private static final String TARGET_SERVER_HOST_NAME =
"hostname.cloakware.com";

//Target Application
private static final String TARGET_APPLICATION_NAME = "Target Application";
private static final String TARGET_APPLICATION_TYPE = "unix";
private static final String SSH_PORT_ATTRIBUTE = "sshPort";
private static final String SSH_PORT = "22";

//Target Account
private static final String TARGET_ACCOUNT_USER_NAME = "username";
private static final String TARGET_ACCOUNT_USER_PASSWORD = "password123!";
private static final String USE_OTHER_ACCOUNT_TO_CHANGE_PASSWORD_ATTRIBUTE =
"useOtherAccountToChangePassword";

//Target Alias
private static final String TARGET_ALIAS_NAME = "targetAlias";

//Request Server
private static final String REQUEST_SERVER_HOST_NAME =
"requestserver.cloakware.com";

//Request Script
private static final String REQUEST_SCRIPT_NAME = "example.pl";
private static final String REQUEST_SCRIPT_EXECUTION_PATH = "C:\\test";
private static final String REQUEST_SCRIPT_FILE_PATH = "C:\\test";

private static final String REQUEST_SCRIPT_TYPE = "Perl";

//Target Group
private static final String TARGET_GROUP_NAME = "targetGroup";

//Request Group
private static final String REQUEST_GROUP_NAME = "requestGroup";

//Filter
private static final String FILTER_EXPRESSION = REQUEST_SERVER_HOST_NAME;

//Role
private static final String ROLE_NAME = "roleName";
private static final String ROLE_ADD_REQUEST_SERVER = "addRequestServer";
private static final String ROLE_UPDATE_REQUEST_SERVER =
"updateRequestServer";
private static final String ROLE_DELETE_REQUEST_SERVER =
"deleteRequestServer";

//User Group
private static final String USER_GROUP_NAME = "userGroup";
private static final String USER_GROUP_DESCRIPTION = "userGroupDescription";

//User
private static final String USER_USER_NAME = "userName";
private static final String USER_USER_PASSWORD = "admin4cspm!";

//Password Policy
private static final String PASSWORD_POLICY_NAME = "passwordPolicy";
private static final String PASSWORD_POLICY_DESCRIPTION =
"passwordPolicyDesc";
private static final int MINIMUM_PASSWORD_LENGTH = 3;
private static final int MAXIMUM_PASSWORD_LENGTH = 8;

//Password View Policy
private static final String PASSWORD_VIEW_POLICY_NAME =
"passwordViewPolicy";

//View Target Account Password
private static final String VIEW_TARGET_ACCOUNT_USER_NAME = "admin";
private static final String VIEW_TARGET_ACCOUNT_USER_PASSWORD =
"admin4cspm!";
private static final String VIEW_TARGET_ACCOUNT_REASON =
"I need access to the server.";

/**
* This application can be run with no arguments or the following:
* key store - Password Authority Key Store
* user - Password Authority user name
* password - Password of the user
* host name - Password Authority Server
*
* The order of the arguments is fixed, however the arguments are
* themselves optional. If no arguments are provided, it
* uses the default values of a new Password Authority Windows Server
* Installation.
*
* @param args - The list of command line arguments.
*/
public static void main(String[] args) {
JavaAPIExample javaAPIExample = new JavaAPIExample();

javaAPIExample.init(args);
javaAPIExample.runJavaAPIExample();
javaAPIExample.logout();
}

/**
* Initializes the Java API object and logs in to the Password Authority
* Server. The String Array should contain the location of a Password
* Authority key store, a Password Authority user name, the password of
* that user, and the host name of a Password Authority Server. The order
* of the arguments is fixed. If the String Array is null, the default
* values will be used.
*
* @param args - The Java API arguments
*/
public void init(String[] args) {
adminAPI = new AdminAPI();

if (args != null && args.length == 4) {
//Each argument maps to its own setting; a null entry keeps the default.
if (args[0] != null) {
passwordAuthorityServerKeyStore = args[0];
}
if (args[1] != null) {
passwordAuthorityUserName = args[1];
}
if (args[2] != null) {
passwordAuthorityUserPassword = args[2];
}
if (args[3] != null) {
passwordAuthorityServerHostName = args[3];
}
}
adminAPI.login(passwordAuthorityServerKeyStore,
passwordAuthorityUserName, passwordAuthorityUserPassword,
passwordAuthorityServerHostName );
}

/**
* A helper method which runs all add, update, search, view and delete
* example methods.
*
*/
public void runJavaAPIExample() {
//Add
addTargetServer();
addTargetApplication();
addTargetAccount();
addTargetAlias();
addRequestServer();
addRequestScript();
addAuthorization();
addTargetGroup();
addRequestGroup();
addFilter();
addRole();
addUserGroup();
addUser();
addPasswordPolicy();
addPasswordViewPolicy();

//Update
updateUserGroup();

//Search
searchRequestServer();

//View Target Account Password
viewTargetAccountPassword();

//Delete
deletePasswordViewPolicy();
deletePasswordPolicy();
deleteUser();
deleteUserGroup();
deleteRole();
deleteRequestGroup();
deleteTargetGroup();
deleteAuthorization();
deleteTargetAlias();
deleteTargetServer();
deleteRequestScript();
deleteRequestServer();
}

/**
* Logs out of the Password Authority Server.
*/
public void logout() {
adminAPI.logout();
}

/**
* Adds a Target Server.
*/
public void addTargetServer() {
//Create a TargetServer instance by using AdminAPIFactory
targetServer = AdminAPIFactory.createTargetServer();

targetServer.setHostName(TARGET_SERVER_HOST_NAME);
//Use the add method to create a Target Server
result = adminAPI.add(targetServer);
System.out.println("addTargetServer: "+ result.getStatusMessage());
//Retrieves a target server object from the result of the add command.
targetServer = result.getValueAsTargetServer();

//Prints the newly added Target server data.
System.out.println("Target Server ID: " + targetServer.getID());
System.out.println("Target Server host name: " +
targetServer.getHostName());
System.out.println("Target Server IP Address: "+
targetServer.getIPAddress());
}

/**
* Adds a Target Application.
*/
public void addTargetApplication() {
//Create a Unix TargetApplication instance by using AdminAPIFactory
targetApplication = AdminAPIFactory.createTargetApplication();
targetApplication.setTargetServerID(targetServer.getID());
targetApplication.setName(TARGET_APPLICATION_NAME);
targetApplication.setType(TARGET_APPLICATION_TYPE);
targetApplication.setExtendedAttribute(SSH_PORT_ATTRIBUTE,
SSH_PORT);
result = adminAPI.add(targetApplication);
System.out.println("addTargetApplication: "+ result.getStatusMessage());
targetApplication = result.getValueAsTargetApplication();
}

/**
* Adds a Target Account.
*/
public void addTargetAccount() {
//Create a TargetAccount instance by using AdminAPIFactory
targetAccount = AdminAPIFactory.createTargetAccount();
targetAccount.setTargetApplicationID(targetApplication.getID());
targetAccount.setUserName(TARGET_ACCOUNT_USER_NAME);
targetAccount.setPassword(TARGET_ACCOUNT_USER_PASSWORD);
targetAccount.setPrivileged(false);
//change setSynchronize to true if the Target Account is
//to be synchronized.
targetAccount.setSynchronize(false);
targetAccount.setExtendedAttribute
(USE_OTHER_ACCOUNT_TO_CHANGE_PASSWORD_ATTRIBUTE,
String.valueOf(false));
result = adminAPI.add(targetAccount);
System.out.println("addTargetAccount: "+ result.getStatusMessage());
targetAccount = result.getValueAsTargetAccount();
}

/**
* Adds a Target Alias.
*/
public void addTargetAlias() {
//Create a TargetAlias instance by using AdminAPIFactory
targetAlias = AdminAPIFactory.createTargetAlias();
targetAlias.setAccountID(targetAccount.getID());
targetAlias.setName(TARGET_ALIAS_NAME);
result = adminAPI.add(targetAlias);
System.out.println("addTargetAlias: "+ result.getStatusMessage());
targetAlias = result.getValueAsTargetAlias();
}

/**
* Adds a Request Server.
*/
public void addRequestServer() {
//Create a RequestServer instance by using AdminAPIFactory
requestServer = AdminAPIFactory.createRequestServer();
requestServer.setHostName(REQUEST_SERVER_HOST_NAME);
result = adminAPI.add(requestServer);
System.out.println("addRequestServer: "+ result.getStatusMessage());
requestServer = result.getValueAsRequestServer();
}

/**
* Adds a Request Script.
*/
public void addRequestScript() {
//Create a RequestScript instance by using AdminAPIFactory
requestScript = AdminAPIFactory.createRequestScript();
requestScript.setRequestServerID(requestServer.getID());
requestScript.setName(REQUEST_SCRIPT_NAME);
requestScript.setExecutionPath(REQUEST_SCRIPT_EXECUTION_PATH);
requestScript.setFilePath(REQUEST_SCRIPT_FILE_PATH);
requestScript.setType(REQUEST_SCRIPT_TYPE);
result = adminAPI.add(requestScript);
System.out.println("addRequestScript: "+ result.getStatusMessage());
requestScript = result.getValueAsRequestScript();
}

/**
* Adds an Authorization.
*/
public void addAuthorization() {
//Create an Authorization instance by using AdminAPIFactory
authorization = AdminAPIFactory.createAuthorization();
authorization.setRequestServerID(requestServer.getID());
authorization.setScriptID(requestScript.getID());
authorization.setTargetAliasID(targetAlias.getID());
result = adminAPI.add(authorization);
System.out.println("addAuthorization: "+ result.getStatusMessage());

authorization = result.getValueAsAuthorization();
}

/**
* Adds a Target Group.
*/
public void addTargetGroup() {
//Create a Target Group instance by using AdminAPIFactory
targetGroup = AdminAPIFactory.createGroup();
targetGroup.setName(TARGET_GROUP_NAME);
targetGroup.setType(Group.TYPE_TARGET);
result = adminAPI.add(targetGroup);
System.out.println("addTargetGroup: "+ result.getStatusMessage());
targetGroup = result.getValueAsGroup();
}

/**
* Adds a Request Group.
*/
public void addRequestGroup() {
//Create a Request Group instance by using AdminAPIFactory
requestGroup = AdminAPIFactory.createGroup();
requestGroup.setName(REQUEST_GROUP_NAME);
requestGroup.setType(Group.TYPE_REQUESTOR);
result = adminAPI.add(requestGroup);
System.out.println("addRequestGroup: "+ result.getStatusMessage());
requestGroup = result.getValueAsGroup();
}

/**
* Adds a Filter to an existing Group.
*/
public void addFilter() {
//A filter can only be added to an existing group.
Filter filter = AdminAPIFactory.createFilter();
//Set the group id to the id of an existing group object.
filter.setGroupID(requestGroup.getID());
//AttributeName is the field on which to create the filter.
filter.setAttributeName(RequestServer.BEAN_PROPERTY_HOSTNAME);
filter.setType(Filter.TYPE_CONTAINS);
//The object class id can be set to the CLASS_ID of any of the supported
//objects.
filter.setObjectClassID(RequestServer.CLASS_ID);
filter.setExpression(FILTER_EXPRESSION);
result = adminAPI.add(filter);
System.out.println("addFilter: "+ result.getStatusMessage());
filter = result.getValueAsFilter();
}

/**
* Adds a Role with add, update and delete Request Server permissions.
*/
public void addRole() {

//Create a Role instance by using AdminAPIFactory
role = AdminAPIFactory.createRole();
role.setName(ROLE_NAME);
role.addPermission(ROLE_ADD_REQUEST_SERVER);
role.addPermission(ROLE_UPDATE_REQUEST_SERVER);
role.addPermission(ROLE_DELETE_REQUEST_SERVER);
result = adminAPI.add(role);
System.out.println("addRole: "+ result.getStatusMessage());
role = result.getValueAsRole();
}

/**
* Adds a User Group.
*/
public void addUserGroup() {
ArrayList newGroups = new ArrayList();

//Create a UserGroup instance by using AdminAPIFactory
userGroup = AdminAPIFactory.createUserGroup();
userGroup.setName(USER_GROUP_NAME);
//Create an ArrayList of the Group IDs that are to be added to the
//UserGroup.
newGroups.add(requestGroup.getID());
newGroups.add(targetGroup.getID());
userGroup.setGroupIDs(newGroups);
userGroup.setRoleID(role.getID());
result = adminAPI.add(userGroup);
System.out.println("addUserGroup: "+ result.getStatusMessage());
userGroup = result.getValueAsUserGroup();
}

/**
* Adds a Password Authority User.
*/
public void addUser() {
ArrayList userGroupIDs = new ArrayList();

//Create a User instance by using AdminAPIFactory
user = AdminAPIFactory.createUser();
user.setUserID(USER_USER_NAME);
user.setPassword(USER_USER_PASSWORD);
//Create an ArrayList of UserGroup IDs that are to be added to the
//User.
userGroupIDs.add(userGroup.getID());
user.setUserGroupIDs(userGroupIDs);
result = adminAPI.add(user);
System.out.println("addUser: "+ result.getStatusMessage());
user = result.getValueAsUser();
}

/**
* Adds a Password Composition Policy
*/

public void addPasswordPolicy() {
//Create a PasswordPolicy instance by using AdminAPIFactory
passwordPolicy = AdminAPIFactory.createPasswordPolicy();
passwordPolicy.setName(PASSWORD_POLICY_NAME);
passwordPolicy.setDescription(PASSWORD_POLICY_DESCRIPTION);
passwordPolicy.setExtendedAttribute(PasswordPolicy.MIN_LENGTH,
String.valueOf(MINIMUM_PASSWORD_LENGTH));
passwordPolicy.setExtendedAttribute(PasswordPolicy.MAX_LENGTH,
String.valueOf(MAXIMUM_PASSWORD_LENGTH));
passwordPolicy.setExtendedAttribute(PasswordPolicy.USE_ALPHA,
String.valueOf(true));
result = adminAPI.add(passwordPolicy);
System.out.println("addPasswordPolicy: "+ result.getStatusMessage());
passwordPolicy = result.getValueAsPasswordPolicy();
}

/**
* Adds a Password View Policy
*/
public void addPasswordViewPolicy() {
//Create a PasswordViewPolicy instance by using AdminAPIFactory
passwordViewPolicy = AdminAPIFactory.createPasswordViewPolicy();
passwordViewPolicy.setName(PASSWORD_VIEW_POLICY_NAME);
passwordViewPolicy.setChangePasswordOnView(true);
result = adminAPI.add(passwordViewPolicy);
System.out.println("addPasswordViewPolicy: " +
result.getStatusMessage());
passwordViewPolicy = result.getValueAsPasswordViewPolicy();
}

/**
* Updates an existing User Group.
*/
public void updateUserGroup() {
//An update uses an object retrieved via a search command or
//the output of a previous add or update.
userGroup.setDescription(USER_GROUP_DESCRIPTION);
result = adminAPI.update(userGroup);
System.out.println("updateUserGroup: "+ result.getStatusMessage());
userGroup = result.getValueAsUserGroup();
System.out.println("updateUserGroup description: " +
userGroup.getDescription());
}

/**
* Searches for a Request Server host name.
*
* If a parameter is specified, all matching Request Servers are
* returned. If no parameter is specified, all Request Servers are
* returned.
*/
public void searchRequestServer() {
RequestServer searchRequestServer;

List resultList;

//To search, a Request object must be created and passed to the
//AdminAPI execute method.
request = new Request();
request.setCommand(AdminAPICommandNames.SEARCH_REQUEST_SERVER);
request.setParameter(
AdminAPIParameterNames.SEARCH_REQUEST_SERVER_HOST_NAME,
REQUEST_SERVER_HOST_NAME);
result = adminAPI.execute(request);
System.out.println("searchRequestServer: "+ result.getStatusMessage());
//The search commands return a List object containing the result of
//your search.
resultList = result.getValueAsList(RequestServer.CLASS_ID);

if (resultList.size() > 0) {
searchRequestServer = (RequestServer) resultList.get(0);
System.out.println("searchRequestServer host name: " +
searchRequestServer.getHostName());
}
}

/**
* Views a Target Account Password. The result depends on the Password
* View Policy of the Target Account.
*/
public void viewTargetAccountPassword() {
TargetAccount viewPasswordAccount;
//To view a password, a Request object must be created and passed to
//the AdminAPI execute method.
request = new Request();
request.setCommand(AdminAPICommandNames.VIEW_ACCOUNT_PASSWORD);
request.setParameter(
AdminAPIParameterNames.
VIEW_ACCOUNT_PASSWORD_TARGET_ACCOUNT_ID,
targetAccount.getID());
request.setParameter(
AdminAPIParameterNames.VIEW_ACCOUNT_PASSWORD_ADMIN_USER_ID,
VIEW_TARGET_ACCOUNT_USER_NAME);
request.setParameter(
AdminAPIParameterNames.
VIEW_ACCOUNT_PASSWORD_ADMIN_PASSWORD,
VIEW_TARGET_ACCOUNT_USER_PASSWORD);
request.setParameter(
AdminAPIParameterNames.VIEW_ACCOUNT_PASSWORD_REASON,
VIEW_TARGET_ACCOUNT_REASON);
result = adminAPI.execute(request);
System.out.println("viewTargetAccountPassword: "+
result.getStatusMessage());
if (result.getWarningMessage() != null &&
result.getWarningMessage().length() > 0) {
System.out.println("viewTargetAccountPassword: " +
result.getWarningMessage());

}
viewPasswordAccount = result.getValueAsTargetAccount();
//The sample prints the retrieved credential for demonstration only;
//production code must not write it to stdout or to a log file.
System.out.println("viewTargetAccountPassword password: " +
viewPasswordAccount.getPassword());
}

/**
* Deletes an existing Password View Policy.
*/
public void deletePasswordViewPolicy() {
//Delete a PasswordViewPolicy
result = adminAPI.delete(passwordViewPolicy);
//The delete method will return the deleted object for future reference.
passwordViewPolicy = result.getValueAsPasswordViewPolicy();
System.out.println("deletePasswordViewPolicy: " +
result.getStatusMessage());
}

/**
* Deletes a Password Composition Policy.
*/
public void deletePasswordPolicy() {
//Delete a PasswordPolicy
result = adminAPI.delete(passwordPolicy);
System.out.println("deletePasswordPolicy: "+ result.getStatusMessage());
}

/**
* Deletes a Password Authority user.
*/
public void deleteUser() {
result = adminAPI.delete(user);
System.out.println("deleteUser: "+ result.getStatusMessage());
}

/**
* Deletes a Role.
*/
public void deleteRole() {
result = adminAPI.delete(role);
System.out.println("deleteRole: "+ result.getStatusMessage());
}

/**
* Deletes a User Group.
*/
public void deleteUserGroup() {
result = adminAPI.delete(userGroup);
System.out.println("deleteUserGroup: "+ result.getStatusMessage());
}

/**
* Deletes a Request Group.

*/
public void deleteRequestGroup() {
//Delete a Group
result = adminAPI.delete(requestGroup);
System.out.println("deleteRequestGroup: "+ result.getStatusMessage());
}

/**
* Deletes a Target Group.
*/
public void deleteTargetGroup() {
//Delete a Group
result = adminAPI.delete(targetGroup);
System.out.println("deleteTargetGroup: "+ result.getStatusMessage());
}

/**
* Deletes an Authorization.
*/
public void deleteAuthorization() {
//Delete the Authorization
result = adminAPI.delete(authorization);
System.out.println("deleteAuthorization: "+ result.getStatusMessage());
}

/**
* Deletes a Target Alias.
*/
public void deleteTargetAlias() {
//Delete the Target Alias
result = adminAPI.delete(targetAlias);
System.out.println("deleteTargetAlias: "+ result.getStatusMessage());
}

/**
* Deletes a Target Server. Deleting a Target Server will also delete
* all associated Target Applications and Target Accounts.
*/
public void deleteTargetServer() {
//Delete the Target Server
result = adminAPI.delete(targetServer);
System.out.println("deleteTargetServer: "+ result.getStatusMessage());
}

/**
* Deletes a Request Script.
*/
public void deleteRequestScript() {
//Delete the Request Script
result = adminAPI.delete(requestScript);
System.out.println("deleteRequestScript: "+ result.getStatusMessage());
}

/**
* Deletes a Request Server.
*/
public void deleteRequestServer() {
//Delete the Request Server
result = adminAPI.delete(requestServer);
System.out.println("deleteRequestServer: "+ result.getStatusMessage());
}
}

XML Schema for Batch Processing


Use the CA Privileged Access Manager Credential Manager XML schema for batch processing to
ensure that your input file is appropriately formatted.

<?xml version="1.0" encoding="utf-8" ?>

<xs:schema xmlns="http://www.cloakware.com"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.cloakware.com"
elementFormDefault="qualified">
<xs:element name="PARAMETER">
<xs:complexType>
<xs:sequence>
<xs:element name="NAME" type="xs:string"
minOccurs="1" maxOccurs="1"/>
<xs:element name="VALUE" type="xs:string"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>

<xs:element name="COMMAND_PARAMETERS">
<xs:complexType>
<xs:sequence>
<xs:element ref="PARAMETER" minOccurs="1"
maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>

<xs:element name="COMMAND">
<xs:complexType>
<xs:sequence>
<xs:element ref="COMMAND_PARAMETERS"
minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="name" type="xs:string" use="required" />
</xs:complexType>
</xs:element>

<xs:element name="CLI_REQUEST" >
<xs:complexType>
<xs:sequence>
<xs:element ref="COMMAND" minOccurs="1"
maxOccurs="unbounded" />

</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
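The schema above fixes the shape of a batch file: a CLI_REQUEST holds one or more COMMAND elements, each COMMAND carries a required name attribute and zero or more COMMAND_PARAMETERS blocks, each block holds one or more PARAMETER, and each PARAMETER has exactly one NAME and at least one VALUE, all in the http://www.cloakware.com namespace. The following Python script is an added example, not part of the product or of this documentation: it builds a CLI_REQUEST document for a short sequence of commands and then checks a document against those structural rules before it is handed to the batch processor. The command and parameter names in the constructed sample (addRequestServer, hostname, and so on) are placeholders chosen for illustration; the product's batch command reference is the authority for the real vocabulary.

```python
import xml.etree.ElementTree as ET

# Namespace declared by the batch-processing schema
# (targetNamespace with elementFormDefault="qualified").
NS = "http://www.cloakware.com"
ET.register_namespace("", NS)


def q(tag):
    """Return the namespace-qualified tag name ElementTree expects."""
    return "{%s}%s" % (NS, tag)


def build_cli_request(commands):
    """Serialise a CLI_REQUEST document.

    commands is a list of (command_name, parameters) tuples, where parameters
    is a list of (parameter_name, [value, ...]) tuples.  A command with no
    parameters gets no COMMAND_PARAMETERS element, which the schema allows
    (minOccurs="0").
    """
    root = ET.Element(q("CLI_REQUEST"))
    for name, params in commands:
        cmd = ET.SubElement(root, q("COMMAND"), {"name": name})
        if params:
            block = ET.SubElement(cmd, q("COMMAND_PARAMETERS"))
            for pname, values in params:
                param = ET.SubElement(block, q("PARAMETER"))
                ET.SubElement(param, q("NAME")).text = pname
                for value in values:
                    ET.SubElement(param, q("VALUE")).text = value
    return ET.tostring(root, encoding="unicode")


def check_cli_request(xml_text):
    """Check the structural rules the schema imposes; return a list of violations.

    Rules (from the schema): CLI_REQUEST holds one or more COMMAND; every
    COMMAND carries a required name attribute; each COMMAND_PARAMETERS holds
    one or more PARAMETER; each PARAMETER has exactly one NAME and at least
    one VALUE.  An empty list means the document is structurally valid.
    """
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != q("CLI_REQUEST"):
        return ["root element must be CLI_REQUEST in namespace %s" % NS]
    commands = root.findall(q("COMMAND"))
    if not commands:
        errors.append("CLI_REQUEST must contain at least one COMMAND")
    for i, cmd in enumerate(commands):
        label = "COMMAND[%d]" % i
        if not cmd.get("name"):
            errors.append(label + " is missing the required name attribute")
        for block in cmd.findall(q("COMMAND_PARAMETERS")):
            params = block.findall(q("PARAMETER"))
            if not params:
                errors.append(label + " has an empty COMMAND_PARAMETERS block")
            for j, param in enumerate(params):
                plabel = "%s PARAMETER[%d]" % (label, j)
                if len(param.findall(q("NAME"))) != 1:
                    errors.append(plabel + " must have exactly one NAME")
                if not param.findall(q("VALUE")):
                    errors.append(plabel + " must have at least one VALUE")
    return errors


# Constructed sample: command and parameter names are placeholders, not the
# product's real batch vocabulary.
SAMPLE_COMMANDS = [
    ("addRequestServer", [("hostname", ["rs1.example.com"])]),
    ("addRequestScript", [("requestServerHostname", ["rs1.example.com"]),
                          ("scriptName", ["get-db-password"])]),
    ("listRequestServers", []),
]

# Constructed malformed input: the COMMAND has no name attribute and the
# PARAMETER has no VALUE, so two rules are violated.
BAD_REQUEST = """<CLI_REQUEST xmlns="http://www.cloakware.com">
  <COMMAND>
    <COMMAND_PARAMETERS>
      <PARAMETER><NAME>hostname</NAME></PARAMETER>
    </COMMAND_PARAMETERS>
  </COMMAND>
</CLI_REQUEST>"""

if __name__ == "__main__":
    doc = build_cli_request(SAMPLE_COMMANDS)
    print(doc)
    print("sample violations:", check_cli_request(doc))
    print("malformed violations:", check_cli_request(BAD_REQUEST))
```

The checker enforces only the cardinality and attribute rules that are visible in the schema; it is not a substitute for full XSD validation. When a validating parser is available (for example lxml's XMLSchema class), validate the file against the schema itself and use the checks above only as a fast pre-flight in a pipeline that generates batch files automatically.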
