CA Privileged Access Manager - 2.8
Implementing
Date: 17-Feb-2017
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.
17-Feb-2017 3/416
Table of Contents
Implementing 4
Network-Accessible Target Devices .......................................................................................... 35
Authentication ...................................................................................................................................... 36
Kerberos with PIV/CAC .............................................................................................................. 36
LDAP .......................................................................................................................................... 37
LDAP+RADIUS in Combination ................................................................................................. 39
RADIUS or TACACS+ ................................................................................................................ 40
SAML ......................................................................................................................................... 41
AWS Coordination ............................................................................................................................... 61
AWS Coordination Stages ......................................................................................................... 61
Configure AWS Account Coordination ....................................................................................... 61
Access AWS Management Console .......................................................................................... 64
Configure Communication with AWS ......................................................................................... 65
Import Devices from AWS .......................................................................................................... 70
Configure Your Database .................................................................................................................... 70
Database Backup ....................................................................................................................... 70
Database Restoration ................................................................................................................ 74
Hardware Security Modules (HSMs) ................................................................................................... 75
SafeNet Luna SA Appliance ....................................................................................................... 75
SafeNet Luna PCI-E Card .......................................................................................................... 80
Thales nShield Connect HSM Appliance ................................................................................... 85
Common HSM Features ............................................................................................................ 93
Logging ............................................................................................................................................... 94
Splunk Server Specification ....................................................................................................... 94
Apply Firmware and Feature Licenses ................................................................................................ 94
Activation .................................................................................................................................... 94
Virtual Devices That Exceed License Limits .............................................................................. 95
Apply Feature Controls ....................................................................................................................... 95
Security Configuration ................................................................................................................ 96
Certificates Configuration ......................................................................................................... 102
Configure SSL VPN ................................................................................................................. 106
Configure Backups ................................................................................................................... 107
Power and Reboot ................................................................................................................... 109
Diagnostics and Troubleshooting ............................................................................................. 109
Cross Site Scripting Attack Checking ................................................................................................ 112
Disable Cross Site Scripting Attack Checking .......................................................................... 112
Enable Cross Site Scripting Attack Checking .......................................................................... 113
Master Provisioning Settings ................................................................................................................... 113
Apply Global Settings ........................................................................................................................ 113
Passwords ................................................................................................................................ 114
Warnings .................................................................................................................................. 114
Applet Customization ............................................................................................................... 114
Access Methods Settings ......................................................................................................... 114
Branding ................................................................................................................................... 115
Identify Desired User Roles .............................................................................................................. 115
About Predefined Roles ........................................................................................................... 115
List of Privileges ....................................................................................................................... 115
Manage Groups ....................................................................................................................... 160
Manage Services ..................................................................................................................... 160
Device viewing .................................................................................................................................. 160
Initial Unfiltered View ................................................................................................................ 161
Unfiltered Views ....................................................................................................................... 161
Filtered Views ........................................................................................................................... 161
Saved Views ............................................................................................................................ 161
About Access Setup .......................................................................................................................... 162
Access Methods ....................................................................................................................... 162
Services ................................................................................................................................... 165
Web Portal ............................................................................................................................... 173
RDP Applications ..................................................................................................................... 176
SSL VPN Services ................................................................................................................... 177
Out-of-Band Devices ................................................................................................................ 177
Set up Socket Filter Agents ............................................................................................................... 178
Socket Filter Lists ..................................................................................................................... 179
Socket Filter Agents ................................................................................................................. 179
Socket Filter Configuration ....................................................................................................... 179
Installation and Configuration Instructions ............................................................................... 179
Socket Filter Agent Installation Requirements ......................................................................... 179
Install and Configure a Socket Filter Agent on Windows ......................................................... 181
Install and Configure a UNIX Socket Filter ............................................................................... 183
Configure Support for Socket Filter Agents .............................................................................. 186
Set up Command Filters ................................................................................................................... 189
Set up Command Filter Lists (CFL) .......................................................................................... 189
Set up Command Filter Configuration (CFC) ........................................................................... 193
Set up Transparent Login .................................................................................................................. 194
SSH Connections ..................................................................................................................... 194
RDP Connections ..................................................................................................................... 197
Set Up the AWS API Proxy ............................................................................................................... 212
Provisioning Users .................................................................................................................................. 213
About Users ...................................................................................................................................... 214
User Types ............................................................................................................................... 214
Grouping .................................................................................................................................. 215
About User Roles .............................................................................................................................. 215
Role Types ............................................................................................................................... 215
User Role Cases ...................................................................................................................... 216
User Setup ........................................................................................................................................ 217
Using the Template .................................................................................................................. 217
Using CSV Import/Export ......................................................................................................... 222
Editing LDAP/RADIUS Imports ................................................................................................ 223
User Group Setup ............................................................................................................................. 224
User Group Types .................................................................................................................... 224
Local Groups ............................................................................................................................ 224
Using the Template .................................................................................................................. 225
Import an LDAP Group ............................................................................................................. 227
User / User Group management ....................................................................................................... 234
User Record Updates ............................................................................................................... 234
Approve CAC User ................................................................................................................... 235
Manage Disabled Users ........................................................................................................... 236
User viewing ...................................................................................................................................... 236
Initial View ................................................................................................................................ 236
Filtering Populated User Views ................................................................................................ 236
Provisioning Policy for Users/Devices ..................................................................................................... 236
Access Provisioning .......................................................................................................................... 237
Access Restrictions ........................................................................................................................... 237
Command Filtering ............................................................................................................................ 237
Socket Filtering ................................................................................................................................. 238
Socket Filter Lists (SFLs) ......................................................................................................... 238
Socket Filter Agents (SFAs) ..................................................................................................... 238
Socket Filter Configuration (SFC) ............................................................................................ 238
Amazon Web Services (AWS) .......................................................................................................... 239
Defining AWS Policies ............................................................................................................. 239
Specifying AWS Policies .......................................................................................................... 239
Session Recording ............................................................................................................................ 239
Set Up a Policy .................................................................................................................................. 240
Prerequisites ............................................................................................................................ 241
Policy Template ........................................................................................................................ 241
Import a CSV Policy File .......................................................................................................... 245
Set a User-Device Policy .................................................................................................................. 246
Policy inspection ............................................................................................................................... 248
View Policy ............................................................................................................................... 248
View Effective Policy ................................................................................................................ 248
Password Composition Policies .............................................................................................................. 252
Suggested Password Composition Policies ...................................................................................... 254
Create a Password Composition Policy with the GUI ....................................................................... 254
Create a Password Composition Policy with the CLI ........................................................................ 255
Maximum Password Age .................................................................................................................. 257
Set the Maximum Age of a Target Account Password with the GUI ........................................ 257
Set the Maximum Age of a Target Account Password with the CLI ......................................... 258
Automatic Updating of Expired Passwords .............................................................................. 259
Password View Policies .......................................................................................................................... 260
Create a Password View Policy ........................................................................................................ 260
Create a Password View Policy with the GUI .......................................................................... 261
Create a Password View Policy with the CLI ........................................................................... 263
Modify the Default Password View Policy ......................................................................................... 264
Customize Reasons for Viewing Password ............................................................................. 266
Change Password on View ............................................................................................................... 266
Enable Password Verification ........................................................................................................... 266
Get Authorization to View Password ................................................................................................. 266
Make a Request to View a Password Using the GUI ............................................................... 267
Grant, Deny, or Expire a Request Using the GUI .................................................................... 268
Grant or Deny a Request Without Login .................................................................................. 270
Delete a Password View Request Using the GUI .................................................................... 271
Make a Request to View a Password Using the CLI ................................................................ 272
Grant, Deny, or Expire a Request Using the CLI ..................................................................... 274
Update the Approval or Denial Reasons for a Request Using the CLI .................................... 276
Enable One Click Approval ............................................................................................................... 276
Configure Approval Role ................................................................................................................... 277
Check Out and Check In a Password ............................................................................................... 278
Check Out a Password Using the GUI ..................................................................................... 278
View the Password Check-Out User ........................................................................................ 279
Check in a Password Using the GUI ........................................................................................ 279
Force a Password Check-In Using the GUI ............................................................................. 280
Check Out a Password Using the CLI ...................................................................................... 281
Check in a Password Using the CLI ......................................................................................... 283
Force a Password Check in Using the CLI .............................................................................. 284
Enable Email Notification .................................................................................................................. 286
Configure Email Templates ............................................................................................................... 287
Configure the Email Server ...................................................................................................... 288
Configure the Request Email ................................................................................................... 289
Configure the Request Status Email ........................................................................................ 290
Configure the Password View Email ........................................................................................ 292
Configure the Expired Password View Request Email ............................................................ 293
Configure the One Click Approval Email .................................................................................. 294
Configure the Report Results Email ......................................................................................... 296
SSH Key Pair Policies ............................................................................................................................. 297
Add an EC2 Access Key Target Account from the GUI ........................................................... 320
Add a Target Alias from the GUI .............................................................................................. 321
Add a Target Account from the CLI .......................................................................................... 322
Add a Compound Account from the CLI .................................................................................. 324
Register Windows Target Accounts ........................................................................................................ 327
Process for Registering Windows Proxy Target Accounts ................................................................ 327
Process for Registering Windows Domain Services Target Accounts .............................................. 328
Create a Windows Target Application ............................................................................................... 328
Create a Windows Target Account and Target Alias ........................................................................ 329
Discover Windows Domain Services and Scheduled Tasks ............................................................. 330
Prerequisites ............................................................................................................................ 330
Discover Windows Domain Service Target Account Services ................................................. 331
Discover Windows Domain Service Target Account Scheduled Tasks ................................... 332
Discover Windows Proxy Target Account Services and Scheduled Tasks ....................................... 333
Prerequisites ............................................................................................................................ 333
Discover Windows Proxy Target Account Services ................................................................. 333
Discover Windows Proxy Target Account Scheduled Tasks ................................................... 335
View Target Account Passwords ............................................................................................................. 336
View an Account Password from the GUI ......................................................................................... 336
View an Account Password from the Access Page .......................................................................... 337
View Password History from the GUI ................................................................................................ 337
Set Password History Compromised Flag from the GUI ................................................................... 337
View Target Passwords from the CLI ................................................................................................ 338
Verify Synchronized Target Account Passwords .................................................................................... 339
Schedule Target Account Activities ......................................................................................................... 342
Add Proxies ............................................................................................................................................. 343
Start or Stop a Windows Proxy ............................................................................................................... 344
Start the Windows Proxy ................................................................................................................... 344
Stop the Windows Proxy ................................................................................................................... 344
Configure a Windows Proxy to Use a Windows Domain Account ........................................................... 345
Modify the Windows Proxy Configuration File ......................................................................................... 345
View Windows Proxy Logs ...................................................................................................................... 347
Add a Static Target Group ................................................................................................................ 356
Add Dynamic and Static Requestor Groups ............................................................................................ 356
Add Dynamic Requestor Groups ...................................................................................................... 357
View All Requestors Belonging to an Existing Requestor Group ...................................................... 359
Add a Static Requestor Group .......................................................................................................... 360
Add or Modify Roles ................................................................................................................................ 360
Modify a Preconfigured Role ............................................................................................................. 361
Add a Role ........................................................................................................................................ 362
Add User Groups ..................................................................................................................................... 363
Configure A2A Client Event Polling ......................................................................................................... 385
Implementing
This section covers the deployment process. It describes placing or installing the appliance (or cluster), configuring the appliance (or cluster), and provisioning devices and users, including the specification of custom device services, user groups and user roles; credential management groups, applications and accounts; user-device policy; and other objects.
Accessing Your Appliance Server (see page 15)
Configure Your Server (see page 25)
Provision Your Server (see page 121)
Credential Manager User Interface (see page 249)
Configure Credential Manager Password Policies (see page 252)
Configure Credential Manager Targets (see page 298)
Add Credential Manager Roles and Groups (see page 348)
Add and Run Credential Manager A2A Requestors (see page 365)
Reports (see page 387)
System Properties (see page 392)
Java API Example (see page 401)
XML Schema for Batch Processing (see page 415)
Network placement interfaces - During setup, configuration of network and appliance settings:
  Client - Workstation (Windows, Mac, Linux) with a browser, and using the latest Oracle Java JRE. See CA PAM Client for Alternate Appliance Access (see page 15) for installation, configuration, and use descriptions and procedures.
  APIs:
    ExternalAPI
    Credential Manager CLI and Credential Manager Java API for Credential Manager functions
Overview
You use the client to log in to CA Privileged Access Manager and perform administrator and end-user
activities without using a customer-installed Web browser and Oracle Java engine. You can run any
CA Privileged Access Manager connection applets and can provide a complete substitute for the
traditional CA Privileged Access Manager user interface.
You download a client version compatible with your workstation OS type and install it from the login
page. The JRE is downloaded with the client; CA Privileged Access Manager-served JARs are
downloaded at runtime.
Global Settings
You control how you use the client from the Client Settings panel on the administration menu Global
Settings page. The following table describes the options available.
The client is available for download only while client access to CA Privileged Access Manager is
enabled. It is not sufficient to enable the client download check box in the following panel.
Default: Enabled
Distribution Method (option and field) – When selected, and when the user selects a client download option button from the login page, …
Internet (CA Delivery Network) (Default) – … CA Privileged Access Manager attempts to deliver the client installer and modules from the (hard-coded) internet-based CA Delivery Network (CDN) location.
Intranet: https://address-field/ca-pam/ – … CA Privileged Access Manager attempts to deliver the client installer and modules from a server at the designated URL (on an available network). Use this option only when CDN is chronically unavailable.
Download button on Login Page (check box) – Enabled (checked): When set to Enabled, the client download buttons on the CA Privileged Access Manager web UI login page appear. Default: Enabled
License Agreement – The acceptance button is activated only after you scroll the license text to
the bottom of the panel.
Run - Extract the installer contents to a temporary location and execute the installer
Installing... – You cannot click Previous to back up in the sequence after the installer starts
installation or has completed it.
WEB – Opens a connection to the CA Privileged Access Manager server, and then opens
the CA PAM Client browser window to the UI, and closes the console.
You cannot switch the mode between WEB and CONNECT following your connection to the
appliance – you must first return to the initial connection screen by clicking Cancel and
restarting the client.
3. Optionally, click the gear icon in the lower-left corner to configure the CA Privileged Access
Manager Client (see page 19).
Click Update to update your currently installed client to the latest version automatically. If
the update requires it, you might need to restart the client.
Following client release level confirmation, a login transition screen is displayed and then the
login interface appears.
c. Click Login.
a. If you had selected WEB, a browser window opens to the CA Privileged Access
Manager web UI.
i. If you close the browser window, you close and exit both CA Privileged Access
Manager server and client.
ii. If you Log Off, the browser window closes (you do not revert to the login page),
and you are returned to the CA PAM Client login screen.
b. If you had selected CONNECT, the client window stays open while the connection is
made. When the connection is complete, information about it is displayed in a new
screen.
ii. You can click the Launch Web Browser button to maintain both browser and
console windows.
1. If you close the browser window, you can Launch Web Browser later
and can return to the same web UI location. Its state is preserved.
2. If you Log Off from the web UI, the web UI window closes and the
console reverts to the CA PAM Client login screen.
iii. If you Log Off, the console reverts to the CA PAM Client login screen.
Proxy settings
Memory requirements
Cache settings
Certificate settings
2. Click the gear icon in the lower-left corner to open the Configuration Settings window.
Proxy
If a proxy server to the target CA Privileged Access Manager is needed, specify one of the
following options:
Use system proxy settings for this network – for a workstation OS-managed proxy
Manual system proxy settings for this network – to set a custom target device as the proxy
General
Specify memory requirements for CA PAM Client.
Important! Due to a bug in the 32-bit Java Runtime Environment, for Windows this value
is considered a maximum. If the value is set here to 1201 MB or greater, the client cannot
start again. In that case, in the settings.properties file at the installation root, set
memory.max=1200 or less to recover.
Cache
Specifies the client caching controls where applicable.
Enable Caching – Specifies whether to store previous versions of CA PAM Client for reverting
to an earlier version. Default = On (checked).
Current Cache Size – Specifies the total size of the cached versions of CA PAM Client. Default:
Total size of cached prior versions.
Clear Cache – Specify to remove all cached versions. (You can remove individual versions
by using the Manage button.)
Max Cache Size, MB (0 = unlimited) – Specify the maximum size of the cache by using the
slider or the field.
Manage – Displays details for all cached versions of CA PAM Client. You can remove any or
all versions.
Certificate
From the table, specify a certificate authority (C.A.) certificate to be used. The CA PAM Client is
provided with a number of pre-installed C.A. certificates. You can add more certificates to serve
your needs.
2. Specify the server address in the Global Settings, Client Settings, Distribution Method,
Intranet option.
ca-pam/
  install/
    linux64/
      CAPAMClientInstall_V2.6.0.bin   One or more 64-bit Linux installers
      ...
    linux86/
      CAPAMClientInstall_V2.6.0.bin   One or more 32-bit Linux installers
      ...
    mac/
      CAPAMClientInstall_V2.6.0.zip   One or more Mac OS X installers
      ...
    win/
      CAPAMClientInstall_V2.6.0.exe   One or more Windows installers
      ...
  module/
    linux64/
      runtime-1.8.0_74.zip   One 64-bit Linux Java JRE package
    linux86/
      runtime-1.8.0_74.zip   One 32-bit Linux Java JRE package
    mac/
      runtime-1.8.0_74.zip   One Mac OS X Java JRE package
    win/
      runtime-1.8.0_74.zip   One Windows Java JRE package
Blocked Ports
The CA PAM Client cannot use many well-known ports, which are listed here. TCP and UDP are not
permitted, either for incoming or outgoing communication.
1 tcpmux
7 echo
9 discard
11 systat
13 daytime
15 netstat
17 qotd
19 chargen
20 ftp data
21 ftp access
22 ssh
23 telnet
25 smtp
37 time
42 name
43 nicname
53 domain
77 priv-rjs
79 finger
87 ttylink
95 supdup
101 hostname
102 iso-tsap
103 gppitnp
104 acr-nema
109 pop2
110 pop3
111 sunrpc
113 auth
115 sftp
117 uucp-path
119 nntp
123 NTP
139 netbios
143 imap2
179 BGP
389 ldap
465 smtp+ssl
513 login
514 shell
515 printer
526 tempo
530 courier
531 chat
532 netnews
540 uucp
556 remotefs
563 nntp+ssl
587
601
636 ldap+ssl
993 ldap+ssl
995 pop3+ssl
2049 nfs
4045 lockd
6000 X11
Configuration Overview
CA Privileged Access Manager appliance access and licensing depend on your appliance form:
Hardware – A pre-licensed physical appliance. For configuration information, see Deploy the
Hardware Appliance (see page 25).
VMware OVA – Provided by your account representative with a link to download the OVA to your
vCenter location so that you can create a CA Privileged Access Manager VM, and a license to
activate it.
AWS AMI – Provided by your account representative with permission and an AMI number so that
you can create an instance within your AWS account, and a corresponding license to activate it.
Hardware – Use the LCD display on the left side of the front panel of the appliance. See Configure
Network Connections for the Hardware Appliance (see page 25).
VMware VM – After powering up your VM, use the VMware Console to access the same controls
as are provided by the LCD on a hardware device.
Required
Licensing – Your appliance must be licensed for target Devices and feature use
Security – Provide a certificate; optionally, set up PKI/CAC, specify CRL, sign applets, activate
SAML use, activate API access
Optional
Logs – Configure CA Privileged Access Manager to direct log and session recording output to
external storage
Next Step:
As the username "config" is commonly used, consider also changing the Login Id in addition to the
Password using the Change Password menu.
While the super account shows up in the administration user list (Administration Menu:
Users, Manage Users), the config account does not.
Initial Login
Perform Initial Administrator Login
All User accounts other than 'config' land initially at the My Info page, which provides basic User
account settings that the user, rather than an administrator, ordinarily manages. The user must
enter a new password before leaving the page.
Configuration Settings
The Config drop-down in the Toolbar menu in the upper-right corner of the GUI window allows you
to set up your CA Privileged Access Manager appliance. Sub-menu choices vary between hardware,
AWS AMI instances, and VMware VMs.
Configure Date and Time Settings (see page 28)
Configure Network Resources (see page 29)
Authentication (see page 36)
AWS Coordination (see page 61)
Configure Your Database (see page 70)
Hardware Security Modules (HSMs) (see page 75)
Logging (see page 94)
Apply Firmware and Feature Licenses (see page 94)
Apply Feature Controls (see page 95)
Cross Site Scripting Attack Checking (see page 112)
Important! Some processes that are running, such as Sys Info and Session Recordings,
continue to use the previous clock value until the services are restarted. To ensure that all
processes become synchronized after making a time change, reboot the appliance.
Each field in the Enter Date and Time panel is static, reflecting the clock value at the time the page
was opened. If you update the date and time manually, copy the time from a reliable source.
Alternatively, use Time Servers.
1. To specify time servers, enter the fully qualified domain name of each time server you want to
use to obtain the current time.
2. Optionally, select the Synchronize at boot check box to synchronize the time upon startup or
a reboot of the appliance.
3. Click Save.
Configure the list of NTP servers in the Authenticated NTP section of the Date/Time screen.
1. Paste the autokey obtained from each NTP server into this section.
2. Select one of the radio buttons for the security policy to indicate whether authenticated
servers are required.
3. Click Save.
The NTP Status window displays the status output from the NTP server.
Authentication
You can configure CA Privileged Access Manager to authenticate users against the following identity
sources:
Local authentication by CA Privileged Access Manager. Configure in Global Settings, and provision
through CA Privileged Access Manager local Users.
LDAP – includes Microsoft Active Directory (AD), OpenLDAP, and allows other conforming brands.
Set up in Config, 3rd Party, Add LDAP Domain panel.
LDAP+RADIUS – sequential verification from both sources. User enters credentials for both.
RADIUS – Set up server connection in Config, 3rd Party, RADIUS, and TACACS+ Configuration
panel.
RSA – Set up server connection in Config, 3rd Party, RSA Authentication Manager Configuration
panel.
IdP (Identity Provider) – Set up in Config, Security, CA Privileged Access Manager SAML IdP
Configuration. Configure more Global Settings. Import coordinated SP metadata.
TACACS+ – Set up server connection in Config, 3rd Party, RADIUS, and TACACS+ Configuration
panel.
Configuration settings for external authentication (except SAML) are made on Toolbar: Config, 3rd
Party page.
Third-party servers can separately be sources for user enumeration and authentication.
RADIUS Servers
Configure CA Privileged Access Manager to make queries to a RADIUS server.
When a RADIUS server is used specifically to identify users for a User Group, CA Privileged Access
Manager first attempts to match the User Group: Groupname to the designated Attribute 25.
If any of the LDAP user login names match an existing RADIUS user in CA Privileged
Access Manager
Note: CA Privileged Access Manager supports both PAP and CHAP authentication for
RADIUS.
LDAP Servers
Configure LDAP or Active Directory (AD)
As an Administrator, you must have an account that is configured on the LDAP or Active Directory
Server you connect to. This account must have read access to the tree from which you want to pull
Administrators.
The newly added LDAP domain appears in the LDAP Domains panel above the Add LDAP Domain
panel. Once the connection to the LDAP server has been configured, LDAP users are imported
through the Users, Manage Groups interface.
RSA SecurID authentication requires advance preparation by the SecurID administrator. Indicated in
Preparation / Authentication.
Use Browse to locate the sdconf.rec file, and Upload. After the first successful user authentication,
the Node secret will be populated.
RSA SecurID 800 authentication requires advance preparation by the SecurID administrator. Indicated
in Preparation / Authentication.
Use the following procedure to allow composite LDAP+RSA authentication for a CA Privileged Access
Manager user named "User123".
1. Provision both:
b. An LDAP directory with a record that uniquely has the value of "User123" for a certain
LDAP attribute. You specify the name of this LDAP attribute using the Unique Attribute
field when configuring CA Privileged Access Manager communication to the LDAP
directory. (See step 2.)
For example:
2. Configure CA Privileged Access Manager to communicate with the RSA server and the LDAP
directory:
a. Upload the sdconf.rec or sdopts.rec file in: Config, 3rd Party, RSA Authentication
Manager Configuration.
b. Communicate with the LDAP directory by specifying its server and bind credentials in:
Config, 3rd Party, Add LDAP Domain. The Unique Attribute field (as described in step
1) is required.
a. Use the LDAP Browser to register an LDAP user group containing the user identified by
"User123", and Select Authentication Type as "LDAP+RSA" (Figure 16).
b. After import, users in that group will have been provisioned to apply both
authentication tests when logging in.
1. This User specifies the composite authentication scheme (Authentication Type: LDAP+RSA),
and enters credentials consisting of:
2. Upon login, User123 is authenticated first against the (time sensitive) RSA server, and if
successful, against the LDAP directory before being logged into CA Privileged Access Manager.
Storage
Logs
The Config, Logs menu provides settings for storing audit material, logs, and session recordings:
For Logs
To Specify: On / Off; Text and Graphics media; Storage locations; Storage connection-attempt
preferences
Syslog
You can configure syslog servers to store either logs or session recordings.
1. Click Update.
MySQL Server
The MySQL Server panel completes a specification for an external server (initiated in the External Log
Server panel) by providing access credentials for the specific server.
Session Recordings
Recording settings to configure before using CA Privileged Access Manager in production include:
You can specify session recording for both command-line applets (using "Text based recording")
and graphical applets, either RDP (Remote Desktop Protocol) or VNC (Virtual Network Computing)
(using "Graphical Session recording").
Best Practices
We strongly recommend that both text and graphical recordings be assigned to a mounted directory
rather than syslog. The reasons for this recommendation include:
The amount of data that a session recording generates can easily overwhelm a syslog server
NFS/CIFS/S3 Settings
Create a mount for a specified NFS, CIFS, or Amazon AWS S3 location to store session recordings.
The recorded sessions can be sent to an external syslog server and written as files on a mounted
drive. Use a mounted directory to a Windows or UNIX server to ensure that the session recording is
available through the CA Privileged Access Manager administration interface.
Use S3 mounts only when your CA Privileged Access Manager is an Amazon Machine
Image (AMI) instance, not a hardware appliance.
S3 mounts depend on your access credentials. If you change (and Save) either your
Access Key ID or your Secret Access Key, communication with AWS is broken.
Reestablishment with AWS is attempted at the next sync time (or when you click
Refresh AWS Devices on the Manage Devices page). This reset connection results in CA
Privileged Access Manager dropping any S3 mount.
This reset connection also results in deletion of Device records for any AWS devices
that cannot be accessed when the new connection is attempted. See "Amazon Web
Services (AWS) Configuration" for more information.
Note
CA Privileged Access Manager supports SMB signing for added CIFS mount security.
SafeNet Luna SA
HSM Licensing
License your CA Privileged Access Manager instance for either SafeNet or Thales use. Contact your CA
representative or CA Privileged Access Manager Support to add this license to your CA Privileged
Access Manager installation.
Configuration
Configuration is performed on the Config, 3rd Party page. See the "HSMs" section in the CA Privileged
Access Manager Implementation Guide.
Device target information can also be imported to create Device records from:
LDAP directories:
b. Specify account, and initiate Device imports, in Config, 3rd Party, Add AWS
Configuration.
VMware vCenter:
b. Specify Device/User, and initiate imports, in Config, 3rd Party, Add VMware vCenter
In each case, imported Device Groups are populated in Manage Groups, and their constituent
Devices are in Manage Devices.
Details about these configuration interfaces are provided in the Provisioning Devices (see page 126)
section.
Authentication
CA Privileged Access Manager provides for several methods of authenticating imported users:
Prerequisites
The applicable client workstations must have the approved PIV/CAC hardware and software. Only
one smart card reader can be used for each workstation. See Supported Clients
(https://docops.ca.com/display/CAPAM28/Supported+Clients).
Network Level Authentication (NLA) must be enabled on the applicable Windows RDP server
target Devices. See Windows OS (https://docops.ca.com/display/CAPAM28/Windows+OS).
A Kerberos Key Distribution Center server (KDC) that is maintained by an LDAP domain server,
from which CA Privileged Access Manager imports Devices.
4. In Kerberos KDC Port, enter the Kerberos port for that server (typically 88).
LDAP
Provisioning
Use the CA Privileged Access Manager LDAP Browser for importing LDAP users.
Note
2. Configure CA Privileged Access Manager for access to each AD domain that is involved in the
relevant cross-domain trust.
5. When this browser opens, you are presented with the pop-up window choice of the cross-
domain participants (and any other LDAP domains that have been configured for CA Privileged
Access Manager use) – select one of these from the Select LDAP Domain drop-down list.
6. From the LDAP browser, select a group that contains members in this cross-domain.
Initially – without SID resolution – the browser displays SID (Security Identifier) numbers
corresponding to the entities. Members that are contained in the foreign domain are not
resolved for the external domain. They are presented relative to the current local domain.
7. To enable the cross-domain SID resolution as fully qualified DN, select Options, Enable Group
Member SID Resolution. This menu item is a switch that can be turned on or off at any time.
8. Select a different browser tree item. After it has settled, return back to the previous group.
The browser now builds its tree and Entry Attributes display by resolving the SIDs. This might
take longer than previously to perform this access and present the resolved DNs for each
record.
9. If you now select the updated menu item, Options, Disable Group Member SID Resolution,
and move back and forth between tree items, you see that the resolved members have been
cached. This cache persists while you are logged in, whether or not you are using the LDAP browser.
This resolution does not affect how groups are imported into CA Privileged Access Manager. Whether
or not the SIDs are resolved in the LDAP browser, foreign members are resolved by the LDAP browser
to create CA Privileged Access Manager Users.
Tasks
AD Provisioning
The AD account to be used by CA Privileged Access Manager for directory synchronization must have
sufficient privileges to reset the passwords of all AD users that are imported into CA Privileged Access
Manager. If this is not done, a CA Privileged Access Manager User imported from AD is not able to
change a password if it becomes invalid.
To grant the AD synchronization account minimal privileges to reset user account passwords, issue
the following command (or its GUI equivalent):
DOMAIN is the DN (Distinguished Name) for the domain, for example: DC=exampledomain,
DC=com
With this command, the AD synchronization user is not granted (full) domain admin rights to the AD,
but only reset-password permissions (in addition to the "read-only" permissions).
Use an AD account that has sufficient privileges to reset other AD users passwords (as noted in
Active Directory Provisioning).
AD Updates
Two use cases for user-activated password change are each triggered by an event in AD:
The AD administrator creates or resets the AD user password to a new (intended temporary)
value (and provides that value to the user), and the AD option: New Object - User or Reset
Password, User must change password at next logon is selected.
When authentication is later requested from AD for that user (during login), AD requires the user to
update the password immediately.
User Experience
The User logs in using Authentication Type="LDAP" and the applicable Domain. Corresponding to
which AD event has occurred, that User provides either of:
The temporary password that the user received from the AD administrator
After either type of login, the CA Privileged Access Manager User is presented with the My Info page,
with a message that the password must be changed. After the password update (old and new
passwords) is provided:
The old and new values are silently passed on for authentication to, and updating in, the AD
server.
The User is relocated to wherever the user ordinarily lands (when no password change is
required).
Logs
Sessions, Logs has entries corresponding to the password update request and confirmation of the AD
record update.
LDAP+RADIUS in Combination
CA Privileged Access Manager allows the requirement of both an LDAP server and RADIUS server for
authentication.
Configuration
Configure CA Privileged Access Manager as you currently do for LDAP access and RADIUS
authentication, so that you have active servers available for both.
User Experience
When logging on to CA Privileged Access Manager, the user should:
2. Enter the RADIUS Password for this User, and click ENTER.
You are silently logged in through both LDAP and RADIUS authentication.
RADIUS or TACACS+
As a CA Privileged Access Manager administrator, you can authenticate with RADIUS and TACACS+
servers. Configure the RADIUS and TACACS+ Configuration panel on the 3rd party page, resulting in
corresponding User imports.
As with Users imported from LDAP, RADIUS and TACACS+ users are imported as User Groups. The
Users can be refreshed manually through a link that appears on the User Group page.
Requirements
TACACS+ server product support
tac_plus
Cisco ACS 4 or 5
Configuration
To set up the connection to a RADIUS or TACACS+ server, follow these steps:
2. Enter the information for your RADIUS or TACACS+ server in the Add New Server fields:
b. Port: the server port. The IANA-registered RADIUS authentication port is 1812. Some
servers might use 49 or 1645.
d. Shared Secret: a text string that is used as a password for RADIUS server connectivity
3. Click Add.
After a successful Add, a confirmation in red text appears.
4. Set the optional Timeout. Enter a number of seconds. The default is 60.
SAML
CA Privileged Access Manager supports Security Assertion Markup Language (SAML) as an
authentication option. SAML is an XML-based open standard data format for exchanging
authentication and authorization data between two entities.
Two SAML operational modes are applicable for CA Privileged Access Manager use:
Service Provider (SP, which acts as a SAML Relying Party, or RP) – Consumer of identity
authentication and provider of a service
CA Privileged Access Manager can operate either as an IdP or an SP in a Web Portal SSO connection
using SAML 2.0. Depending on the CA Privileged Access Manager role, certain commercial services
are available to assume the complementary role:
CA Privileged Access Manager as IdP – The entity interacting with CA Privileged Access Manager
is an RP (ordinarily, an SP).
SP-initiated connections: The user is provided direct access to the SP, wherein the SP
redirects the user to CA Privileged Access Manager for authentication. After the user is
successfully authenticated, the user is redirected back to the SP Web Portal post-login landing
page.
CA Privileged Access Manager as SP – The entity interacting with this CA Privileged Access
Manager is an IdP.
SP-initiated connections
Case: CA Privileged Access Manager (second CA Privileged Access Manager acts here as
IdP)
Act as an Identity Provider (IdP) (see page 41)
Act as a Service Provider (SP) (see page 52)
Administrator Tasks
Configure Global Settings
User Authentication Method Inheritance
When the Authentication method for a User Group is set to "SAML", that setting can be
forced on (all) User members of the group whether or not (all) their (individual) Authentication
settings are set to "SAML". To make this enforcement, select Global Settings, SAML, Require Inherited
SAML Auth. This setting is selected by default.
IdP Session Reauthorization Period
If you want to change the amount of time that a SAML session is open to the CA Privileged Access
Manager IdP, during which repeated SAML authentication is provided without repeated credential
submission, edit the Global Settings, SAML: SAML Reauth Period setting. The preconfigured default
is 60 minutes.
Configure CA Privileged Access Manager IdP Certificate
You must have an SSL certificate for your FQDN properly prepared and applied to your CA Privileged
Access Manager:
2. Use the CSR to obtain a certificate, CA chain, and CRL from your applicable Certificate
Authority.
To prepare and download an IdP metadata file from CA Privileged Access Manager, follow these
steps:
3. Following a change in the CA Privileged Access Manager appliance hostname or the default
certificate, update the IdP Metadata file as follows:
a. In Entity ID, assign a name that can be used to identify this CA Privileged Access
Manager in this SAML ecosystem.
This ID is included in the metadata file. This IdP includes it in assertions that it
generates to identify itself.
b. In Fully Qualified Hostname, enter the value used for this CA Privileged Access
Manager, such as: xsuite.example.com
c. From the drop-down list to the right of IdP Certificate, select the certificate+key you
are currently using for CA Privileged Access Manager.
d. Click Update IdP Metadata to apply the current certificate, hostname, and your
assigned ID.
You receive a red confirmation message at the top of the page.
4. Click Download IdP Metadata to save the CA Privileged Access Manager-specific "idp-
metadata.xml" file locally.
"idp-metadata.xml" is a CA Privileged Access Manager configuration file that describes the SAML
services supported by the IdP. The file also contains information about how an SP can send
authentication requests to the CA Privileged Access Manager IdP. It contains the certificate
containing the public key that CA Privileged Access Manager uses to sign all assertions. It also
includes the FQDN (or IP) of your CA Privileged Access Manager. Therefore, any time the FQDN or
the certificate is changed, the IdP metadata must be updated, downloaded, and uploaded to SPs.
Upon changing your hostname, click Accept IdP Certificate in that panel and re-download the CA
Privileged Access Manager SAML metadata file. Ensure that the service provider is provided with
the new CA Privileged Access Manager SAML metadata file.
After obtaining the metadata that defines the IdP (CA Privileged Access Manager SAML
authentication function), you upload it to the SP (AWS Management Console).
Caution
c. In Metadata Document, locate the metadata file that you downloaded earlier from CA
Privileged Access Manager. This provides the necessary information for the SP (AWS) to
make authentication requests to the CA Privileged Access Manager IdP.
e. Click Create.
i. Select the third listed category, labeled Role for Identity Provider Access.
ii. To the right of Grant Web Single Sign-On (WebSSO) access to SAML providers,
click Select.
You see a new screen with the first paragraph beginning "Select the SAML
provider …"
b. From the drop-down list, select the SAML provider that you created during the
previous steps (here, Xsuite_IdP), then click Next Step.
You are in the Verify Role Trust screen. In our example, you do not need to edit the
Verify Role Trust: Policy Document. Click Next Step.
i. To keep your configuration simple, we recommend that you use one of the pre-
built templates listed under Select Policy Template. For example, scroll down
that section to find Amazon EC2 Read Only Access. (If you are testing on a
public EC2 instance, do not let others log in to your box.)
ii. Click Next Step. You see a new screen labeled Review for your confirmation.
e. Click Create Role. The shadow window disappears, and your new role appears in the
roles list.
Your AWS account is now configured to use CA Privileged Access Manager for IdP using SAML.
Apply AWS SP Metadata to CA Privileged Access Manager IdP
As an SP, AWS provides a SAML metadata file that defines how it, as the SP, communicates with an
IdP. The file also includes the attributes the SP expects in a successful IdP authentication response.
AWS uses the concept of roles for authorization. It thus needs an IdP SAML response to contain role
data of the user being authenticated. The role definition is provided in the AWS SAML metadata.
Case Procedure: AWS
Caution
Procedure
After obtaining the AWS (SP) metadata file, import it into CA Privileged Access Manager so that a
conforming Service configuration can be prepared for communicating with the SP (Target Device).
3. Browse to the SAML metadata file you previously downloaded from your SP, then click Import
SAML 2.0 SP Metadata.
Following this upload, you find:
b. a new Service of Protocol Web Portal with a Service Name matching the "entityID" of
the SP as identified in the "md:EntityDescriptor" element of the metadata file. In our
AWS example, this is the new Service: AWS Management Console Single Sign-On
c. a new Device with an Address containing the web location of the Assertion consumer
service for the SP.
4. Navigate to Services, TCP/UDP Services, locate the new service, and open it.
5. In the SAML SSO panel, for Initiating Party, select IdP Initiated.
Note: This option is not part of SAML 2.0 metadata, so the import never sets it for you.
6. In the SAML SSO panel, clear the Require Signed Authn Requests checkbox if it is selected.
Note: This option might be selected by default. We do not want a Relying Party to determine
IdP (CA Privileged Access Manager) security parameters unilaterally. In an IdP-initiated flow
AWS never sends an authentication request, so there is no request for this setting to verify.
(1)+(2): https://<Local IP>:<First Port>/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp
Route Through CA Privileged Access Manager: When selected, this option directs all traffic
through CA Privileged Access Manager. When this option is not selected, traffic goes directly to
the web service from the client workstation. Default: [selected]
SAML SSO Info
SAML Entity ID: Required field. Taken from the SP metadata:
<md:EntityDescriptor … entityID="entityIdName" … >
Example: ABCserver123
Initiating Party:
SP Initiated (default) – The actor or user logs in to the Service Provider or SP (as the Relying
Party or RP) and requests a Service. The SP initiates a SAML query to the Identity Provider or IdP
to obtain a SAML Assertion, allowing the SP to make a service access decision. (SAML 2.0 only)
IdP Initiated – The actor or user logs in to an IdP to initiate connection to, and obtain a SAML
Assertion for, a Service at an SP.
Require Signed Authn Requests: Require that the SP sign its authentication requests
(AuthnRequests). The (supplied) PEM Signing Certificate is the SP certificate used to verify those
signatures. Default: [selected]
PEM Signing Certificate: The SP signing certificate, taken from:
<md:EntityDescriptor … >
<md:SPSSODescriptor … >
<md:KeyDescriptor use="signing" … >
<ds:KeyInfo … >
<ds:X509Data> <ds:X509Certificate> encodedContent </ds:X509Certificate>
Example:
MIIGhzCCBG+gAwIBAgIKYQrABAAAAAAAajANBgkqhkiG9w0BABGMRMwEQYK
...
0VyUrN0fafQmeuYITYzUoOt88LFClepqhrjn2s0AVoBLxcnmuemkw7nfgw==
Encryption:
None (default) – Do not use encryption
NameId – Encrypt the Name Identifier in the assertion
Assertion – Encrypt the whole assertion
PEM Encryption Certificate: If Encryption="NameId" or "Assertion", the SP encryption certificate
(its public key is used to encrypt for that SP), taken from:
<md:EntityDescriptor … >
<md:SPSSODescriptor … >
<md:KeyDescriptor use="encryption" … >
<ds:KeyInfo … >
<ds:X509Data> <ds:X509Certificate> encodedContent </ds:X509Certificate>
Example:
MIIGhzCCBG+gAwIBAgIKYQrABAAAAAAAajANBgkqhkiG9w0BABGMRMwEQYK
...
0VyUrN0fafQmeuYITYzUoOt88LFClepqhrjn2s0AVoBLxcnmuemkw7nfgw==
SAML SSO Subject Name Identifier Formats
Select which of the five URI-based Name Identifier Formats currently permitted by CA Privileged
Access Manager are to be used by the SP, as declared in:
<md:EntityDescriptor … >
<md:SPSSODescriptor … >
<md:NameIDFormat> NameIDFormat </md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SAML SSO Attributes
Click the + (under Name) to open an Attribute line item with fields for the following labels. To delete
an item, click the X that appears to the left of the line when you mouse over it.
Name: Taken from the SP metadata:
<md:EntityDescriptor … >
<md:SPSSODescriptor … >
<md:AttributeConsumingService … >
<md:RequestedAttribute Name="nameOfAttribute" />
Friendly Name: Assign a recognizable name or tag for CA Privileged Access Manager use. (When not
provided by imported SP metadata, Name is used.)
Required: Select if the SP requires this Attribute.
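The following is an added example, not part of the CA documentation or product: it derives from an SP metadata file the same Service and Device values that the Import SAML 2.0 SP Metadata step populates (Service Name, Device Address, Require Signed Authn Requests, PEM Signing Certificate, Name Identifier Formats, and the requested Attributes with their Friendly Name fallback), so that you can check an import result against the file. The mapping rules are my assumptions: the Device Address is the host of the default HTTP-POST Assertion Consumer Service, Require Signed Authn Requests mirrors the AuthnRequestsSigned attribute of the SPSSODescriptor, and the Service Name is the md:ServiceName when present, otherwise the entityID (which reconciles the two statements about the AWS Service name above). SAMPLE_SP_METADATA is constructed in the shape of AWS SP metadata; its certificate is base64 of arbitrary bytes, not a real certificate.

```python
"""Derive CA Privileged Access Manager Service/Device fields from SP metadata (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: not a real certificate, only base64 of arbitrary bytes.
FAKE_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed sample shaped like AWS SP metadata (entityID, ACS and attribute names as AWS publishes them).
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:amazon:webservices">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.aws.amazon.com/saml"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">AWS Management Console Single Sign-On</md:ServiceName>
      <md:RequestedAttribute isRequired="true" FriendlyName="RoleEntitlement"
          Name="https://aws.amazon.com/SAML/Attributes/Role"/>
      <md:RequestedAttribute isRequired="true" FriendlyName="RoleSessionName"
          Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _x509(key_descriptor):
    """Return the base64 certificate body and a SHA-256 fingerprint over its DER bytes."""
    node = key_descriptor.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        raise ValueError("KeyDescriptor without an X509Certificate")
    b64 = "".join(node.text.split())            # PEM bodies are usually wrapped at 64 columns
    der = base64.b64decode(b64, validate=True)  # reject anything that is not clean base64
    return {"pem_body": b64, "sha256": hashlib.sha256(der).hexdigest()}


def parse_sp_metadata(xml_text):
    """Return the fields the import would populate (assumed mapping, see lead-in)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    # Device Address: host of the default HTTP-POST ACS (the binding the "SAML 2.0 SSO POST" method uses).
    post_acs = [a for a in spsso.findall("md:AssertionConsumerService", NS)
                if a.get("Binding") == POST_BINDING]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    acs = next((a for a in post_acs if a.get("isDefault") == "true"), post_acs[0])
    acs_url = acs.get("Location", "")
    if urlparse(acs_url).scheme != "https":
        raise ValueError(f"refusing non-https ACS: {acs_url!r}")

    keys = spsso.findall("md:KeyDescriptor", NS)
    signing = [k for k in keys if k.get("use") in (None, "signing")]        # no 'use' means both
    encryption = [k for k in keys if k.get("use") in (None, "encryption")]

    service_name = spsso.find("md:AttributeConsumingService/md:ServiceName", NS)
    attributes = [
        {
            "name": ra.get("Name"),
            "friendly_name": ra.get("FriendlyName") or ra.get("Name"),  # Name is the fallback, as in the table
            "required": ra.get("isRequired") == "true",
        }
        for ra in spsso.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "service_name": (service_name.text.strip()
                         if service_name is not None and service_name.text else root.get("entityID")),
        "device_address": urlparse(acs_url).hostname,
        "acs_url": acs_url,
        "require_signed_authn_requests": spsso.get("AuthnRequestsSigned") == "true",
        "signing_cert": _x509(signing[0]) if signing else None,
        "encryption_cert": _x509(encryption[0]) if encryption else None,
        "name_id_formats": [n.text.strip() for n in spsso.findall("md:NameIDFormat", NS) if n.text],
        "attributes": attributes,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_sp_metadata(SAMPLE_SP_METADATA), indent=2))
```

Run it against the real saml-metadata.xml you downloaded from AWS and compare the output with the Service and Device that the import created; the SHA-256 fingerprint of the signing certificate is what you compare with the PEM Signing Certificate field after a later metadata refresh.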
You can also work with an SP that does not provide an SP metadata file for your use, or that does not
ingest your IdP metadata. Google is a popular service that does not use metadata for either purpose.
Apply CA Privileged Access Manager IdP Certificate Key to Google SP
Import the CA Privileged Access Manager IdP certificate key and configure Google to redirect to your
CA Privileged Access Manager.
Note
2. At the bottom of the screen, click on More Controls and then click on Security.
5. In the Sign-in page URL, put the following URL with your CA Privileged Access Manager
address.
https://YOUR_CAPAM_IP_OR_HOSTNAME/idp/profile/SAML2/Redirect/SSO/
6. In this pilot release, we do not currently support Single Sign-Out. You can input the following
URL into the Sign-out page URL field as a placeholder:
https://YOUR_CAPAM_IP_OR_HOSTNAME/
7. In this pilot release, we do not currently support changing passwords. You can input the
logout URL from the previous step into Change password URL as a temporary placeholder.
https://YOUR_CAPAM_IP_OR_HOSTNAME/
8. In Verification certificate, upload the certificate being used by the CA Privileged Access
Manager IdP. This certificate can be downloaded from CA Privileged Access Manager through
the Config, Security, Download Certificate or CSR panel, or copied from the CA Privileged
Access Manager IdP metadata file. Either can be provided here.
You can set up the SAML authorization Service even when the SP provides no metadata file, as is the
case for Google. Build the CA Privileged Access Manager Service definition from documentation
provided elsewhere by the SP organization and trusted third parties. For Google, examples of
supporting documentation are provided in the links embedded in the procedure.
With this information, either create a metadata file yourself and import it to create the Service, or
edit a Service template. Template editing is described in the following procedure.
Create a CA Privileged Access Manager IdP Service for the Google SSO SAML feature.
Procedure
1. Review the overview SAML SSO documentation provided by the SP organization, Google:
https://developers.google.com/google-apps/sso/saml_reference_implementation
a. The Service Name must match the SAML entityID of the SP. See the SP documentation
to determine the entityID of the SP.
entityID example source for Google applicability: https://developers.google.com/google-apps/help/faq/saml-sso#recipient
b. Give the Service a Local IP address and Port(s) (for example, 127.0.0.5 and a port
mapping of 443:4430).
a. For Application Protocol, select "Web Portal". This action updates the Service
template widgets to those required for a Web Portal.
The Auto-Login Method drop-down list appears in the lower-left corner of the panel.
b. For the Auto-Login Method, select "SAML 2.0 SSO POST", because this is the only
version that is accepted by Google.
SAML version example source for Google applicability: https://developers.google.com/google-apps/help/faq/saml-sso#samlversion
This action further updates the Service template widgets to those required for a SAML
SP. For the other widgets, you can use the default values.
c. For the Initiating Party drop-down list, select whether you want it to be "IdP Initiated"
or "SP Initiated". The SP documentation specifies whether it requires IdP-initiated or
SP-initiated SAML. For Google, use the default value "SP Initiated".
d. For Encryption, select "None", as Google Apps does not support encrypted assertions.
e. In the PEM Signing Certificate field, paste the base64-encoded X.509 certificate with
which the SP signs its SAML requests; CA Privileged Access Manager uses it to verify
those signatures.
f. If Encryption "NameId" or "Assertion" has been selected, in the PEM Encryption
Certificate field, paste the base64-encoded X.509 certificate of the SP; its public key is
used to encrypt the Name Identifier or the assertion for that SP.
8. In the panel SAML SSO Subject Name Identifier Formats, select the checkbox to the left of:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
9. Click Save.
Create a corresponding CA Privileged Access Manager Device that hosts the Assertion Consumer
Service for the CA Privileged Access Manager Service labeled "Google" that you created.
The Device Address is the FQDN of the server hosting the Assertion Consumer Service, extracted
from the SAML Assertion Consumer Service URL. In this case, the Assertion Consumer Service URL
format for Google is:
https://www.google.com/a/YOUR_GOOGLE_DOMAIN/acs
So, the Device Address that is provisioned in CA Privileged Access Manager is:
www.google.com
The Device Services include the Web Portal SAML SSO Service you prepared, namely:
Google
Create IdP User Matching the SP User
Create a CA Privileged Access Manager User with a Username matching a (nonprimary account)
Google User Name that is used for login.
Provision SSO Access Policy
To activate the connection Service for a particular User, first enable a policy for that User and target
Device (SP).
To AWS Management Console
Procedure
1. Create a policy for a User with the SAML SP target Device, "signin.aws.amazon.com".
2. Select the corresponding SP communication Service, "AWS Management Console Single Sign-
On".
The three SAML attributes that are required (as specified in the Service definition) are
prepopulated:
a. Subject Name Identifier – always required for SAML, as indicated in the associated
Service definition
b. RoleEntitlement
c. RoleSessionName
The following steps revise the SAML attributes identified by the Service from the SP metadata
so that they deliver values that AWS accepts (rather than values stored elsewhere in CA
Privileged Access Manager), as specified in the Amazon documentation at:
http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html#configuring-saml-response
3. In the SAML panel, in the attribute group for SAML Requested Attribute=
"RoleSessionName", for xAttribute, assign a label. You can use any identifier, for example, you
can use "Email".
4. In the SAML panel, in the attribute group for SAML Requested Attribute= "RoleEntitlement",
for xAttribute, select "Constant", and assign to this content (in the field to the right) the
AWS ARNs of the IAM Role and of the Identity Provider, concatenated with a comma.
Example:
arn:aws:iam::123456789012:role/MyAWSroleForMyIDP,arn:aws:iam::123456789012:saml-provider/AWSstoredMetadataForMyIDP
The Service assignment now appears.
5. Select Save.
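The following is an added example, not code from CA or AWS: it builds and sanity-checks the two attribute values that the AWS policy procedure above requires, and serializes them as the saml:AttributeStatement an IdP would place in the assertion. The attribute Names (https://aws.amazon.com/SAML/Attributes/Role and .../RoleSessionName), the "roleARN,providerARN" value format and the RoleSessionName rules (2 to 64 characters from [\w+=,.@-]) are those of the AWS documentation linked above. The same-account check is my own sanity check for ARNs copied from the wrong account, and the ARNs are the sample values from the procedure, not real ones.

```python
r"""Compose and validate the AWS Role / RoleSessionName SAML attributes (added example)."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Standard and GovCloud partitions; the 12-digit account ID is captured for the same-account check.
_ROLE_ARN = re.compile(r"^arn:aws(?:-us-gov)?:iam::(\d{12}):role/[\w+=,.@/-]+$", re.ASCII)
_PROVIDER_ARN = re.compile(r"^arn:aws(?:-us-gov)?:iam::(\d{12}):saml-provider/[\w._-]+$", re.ASCII)
_SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)  # AWS RoleSessionName constraint

# Sample values from the procedure above (not real resources).
ROLE_ARN = "arn:aws:iam::123456789012:role/MyAWSroleForMyIDP"
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/AWSstoredMetadataForMyIDP"


def role_entitlement(role_arn, provider_arn):
    """Return the comma-joined "RoleEntitlement" value for one role/provider pair."""
    role = _ROLE_ARN.match(role_arn)
    provider = _PROVIDER_ARN.match(provider_arn)
    if not role:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    if not provider:
        raise ValueError(f"not an IAM saml-provider ARN: {provider_arn!r}")
    if role.group(1) != provider.group(1):
        # Sanity check (mine): the role and the provider that vouches for it normally share an account.
        raise ValueError("role and saml-provider ARNs belong to different AWS accounts")
    return f"{role_arn},{provider_arn}"


def is_valid_pair(role_arn, provider_arn):
    """Boolean wrapper around role_entitlement for quick checks."""
    try:
        role_entitlement(role_arn, provider_arn)
        return True
    except ValueError:
        return False


def role_session_name(value):
    """Validate the session name; CloudTrail records it for the federated session, so keep it meaningful."""
    if not _SESSION_NAME.match(value):
        raise ValueError(f"invalid RoleSessionName: {value!r}")
    return value


def is_valid_session_name(value):
    """Boolean wrapper around role_session_name."""
    try:
        role_session_name(value)
        return True
    except ValueError:
        return False


def aws_attribute_statement(role_pairs, session_name):
    """Serialize a saml:AttributeStatement: one Role AttributeValue per pair, plus the session name."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    role_attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=AWS_ROLE_ATTR)
    for role_arn, provider_arn in role_pairs:
        ET.SubElement(role_attr, f"{{{SAML_NS}}}AttributeValue").text = role_entitlement(role_arn, provider_arn)
    sess_attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=AWS_SESSION_ATTR)
    ET.SubElement(sess_attr, f"{{{SAML_NS}}}AttributeValue").text = role_session_name(session_name)
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    print(aws_attribute_statement([(ROLE_ARN, PROVIDER_ARN)], "alice@example.com"))
```

A user entitled to several roles gets one AttributeValue per pair under the same Role attribute; AWS then prompts for the role at sign-in. Using the email label from step 3 as RoleSessionName is convenient because it satisfies the character rules and makes CloudTrail entries attributable to a person.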
To Google Apps
Procedure
1. Create a policy for a User with the SAML SP target Device, "www.google.com".
3. In the drop-down list for SAML Name Identifier Format, select the (one) available item, "urn:
oasis:names:tc:SAML:1.1:nameid-format:unspecified".
The xAttribute widget then appears.
User Experience
When a user attempts to connect to the SP, the access procedure depends on the type of connection. If
the user explicitly navigates through an IdP gateway portal, it is IdP-initiated. If it is SP-initiated,
authentication with the IdP occurs behind the scenes.
For example, here the Access page provides only a link to AWS Management Console – not to Google.
This is because Google access is SP-initiated: the User starts by going to Google, and is only then
redirected to submit credentials to CA Privileged Access Manager.
IdP-initiated Connection Example A: AWS Management Console
In a CA Privileged Access Manager IdP-initiated connection, you initiate access to the SP from the CA
Privileged Access Manager Access page.
3. After the CA Privileged Access Manager Access page has loaded, click the AWS service "AWS
Management Console Single Sign-On" to be signed in silently to the AWS Management
Console.
If you configured CA Privileged Access Manager to work with SP-initiated communication in the
Service record, you can initiate connection at the SP. Alternatively, you create another web portal
service that launches the user into the SP web portal.
You have been provided the access URL from the SP (Google).
Caution
1. Navigate your browser to your SP-designated access URL; for Google, of the form:
https://accounts.google.com/a/
Administrator Tasks
The CA Privileged Access Manager administrator:
Confirms the default SAML settings for all Users, or reconfigures them in Global Settings (see page
53)
Confirms or updates the CA Privileged Access Manager certificate (see page 53) so that it is
sufficient for SP use
Configures SAML communication (see page 53) between the IdP and SP:
Configures another device (in this example, another CA Privileged Access Manager is used) to
function as an IdP for this SP
Provisions User accounts on both the SP and the IdP (with matching usernames), and provisions
policies on the IdP that permit those User accounts to access the Device/Service on the SP.
When the Authentication method for a User Group is set to "SAML", that setting can be forced on all
User members of the group, regardless of whether their individual Authentication settings are set to
"SAML". To enforce this, select Global Settings, SAML, Require Inherited SAML Auth. This setting is
selected by default.
SAML Reauth Period
(This setting applies only to CA Privileged Access Manager when it is used as an IdP. See IdP session
reauthorization period.)
2. Use the CSR to obtain a certificate, CA chain, and CRL from your applicable Certificate
Authority.
An RP definition or not (to this CA Privileged Access Manager) – upper portion of panel
Zero or more IdP definitions (identifying and describing external IdPs serving this CA Privileged
Access Manager when it is operating as an RP) – lower portion of panel
The buttons are activated when, at minimum, the required RP components (indicated by *) have
been populated and Save Configuration has been successfully performed:
Add An Identity Provider: Manually create an Identity Provider (IdP) record in the template that
opens below the button. After you populate the template, click Save Configuration to create the IdP
record, create a line item in this panel, and close the template.
Upload An Identity Provider Metadata: Upload an Identity Provider (IdP) metadata file to CA
Privileged Access Manager and create a new IdP record with a corresponding line item in this panel.
The fields below are displayed (above the link buttons) for an Identity Provider (IdP) record that has
been successfully populated from either of the Identity Provider creation link buttons:
Friendly Name: Assign a name for this IdP for use by CA Privileged Access Manager
EntityID: <md:EntityDescriptor … entityID="entityIdName" … >
Example: ABCserver123
Metadata: Click the Download link to get the RP metadata file for this IdP. You can then import it
into the IdP and establish trust of this CA Privileged Access Manager RP.
Edit: Click the Edit button to open the editing template for the associated IdP record. Its fields are
identified in the next section of this table.
Delete: Click the Delete button to remove the line item and associated IdP record.
Test: Click the Test button to test the connection to the associated IdP.
Identity Provider (IdP) template
Friendly Name *: REQUIRED. Assign a name for this IdP for use by CA Privileged Access Manager
Organization Name: Name of the company or other organization responsible for this IdP:
<md:EntityDescriptor … >
<md:Organization … >
<md:OrganizationName> organizationName </md:OrganizationName>
Entity ID *: REQUIRED. SAML ID for this IdP that is unique for this SAML space:
<md:EntityDescriptor … entityID="entityIdName" … >
Example: ABCserver123
Description: Description for this IdP.
Single Sign On Protocol Binding *: REQUIRED. Applicable protocol binding for this IdP:
<md:EntityDescriptor … >
<md:IDPSSODescriptor … >
<md:SingleSignOnService … Binding="urn:oasis:names:tc:SAML:2.0:bindings:binding" …/>
Options:
SAML:2.0:bindings:HTTP-Redirect
SAML:2.0:bindings:HTTP-POST
Single Sign On Service *: REQUIRED. Service location for this IdP:
<md:EntityDescriptor … >
<md:IDPSSODescriptor … >
<md:SingleSignOnService … Location="location" … />
Example: https://rp.example.com/idp/profile/SAML2/Redirect/SSO
Allow Just In Time Provisioning: Select this checkbox to enable CA Privileged Access Manager to
provision a User account for an asserted SAML user if the account does not already exist on the SP.
The User is also added to all existing User Groups on the SP that are named by the 'userGroup'
attribute in the SAML assertion. If an asserted User Group does not exist on the SP, it is not created.
Certificate *: REQUIRED. The IdP signing certificate, taken from:
<md:EntityDescriptor … >
<md:IDPSSODescriptor … >
<md:KeyDescriptor use="signing" … >
<ds:KeyInfo … >
<ds:X509Data> <ds:X509Certificate> encodedContent </ds:X509Certificate>
Example:
-----BEGIN CERTIFICATE-----
MIIGhzCCBG+gAwIBAgIKYQrABAAAAAAAajANBgkqhkiG9w0BABGMRMwEQYK
...
0VyUrN0fafQmeuYITYzUoOt88LFClepqhrjn2s0AVoBLxcnmuemkw7nfgw==
-----END CERTIFICATE-----
Sign Authentication Requests: Select this checkbox if authentication requests sent to this IdP must
be signed.
Signature Algorithm: Select the signature algorithm to be applied. SHA-1 signatures are deprecated;
prefer RSA-SHA256 or stronger unless the IdP cannot verify it.
Options:
RSA-SHA1
RSA-SHA256
RSA-SHA384
RSA-SHA512
Authentication Contexts: Identify the applicable authentication contexts for this IdP.
Options:
SAML:2.0:ac:classes:Kerberos
SAML:2.0:ac:classes:PasswordProtectedTransport
SAML:2.0:ac:classes:X509
SAML:2.0:ac:classes:SmartcardPKI
SAML:2.0:ac:classes:TLSClient
SAML:2.0:ac:classes:TimeSyncToken
SAML:2.0:ac:classes:unspecified
Require Encrypted Assertions: Select this checkbox if this SP requires the IdP to encrypt assertions.
Enable Holder of Key Support: Select this checkbox if you require CA Privileged Access Manager to
be configured for smartcard authentication.
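The following is an added example, not CA code: it applies the Allow Just In Time Provisioning rule described in the template above to a constructed SAML assertion. The account is created only when it does not exist and JIT is enabled, it is joined to every existing group named in the 'userGroup' attribute, and groups that do not exist on the SP are never created. The directory is a plain dict standing in for the SP user store, and the assertion is constructed and unsigned; a real SP verifies the signature and conditions before any of this logic runs.

```python
"""Just In Time provisioning from a SAML assertion's NameID and userGroup attribute (added example)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion: one group that does not exist on the SP is deliberately included.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userGroup">
      <saml:AttributeValue>Linux Admins</saml:AttributeValue>
      <saml:AttributeValue>Auditors</saml:AttributeValue>
      <saml:AttributeValue>Not Yet Created</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Return (username, asserted_groups) from the NameID and the userGroup attribute values."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    values = root.findall("saml:AttributeStatement/saml:Attribute[@Name='userGroup']/saml:AttributeValue", NS)
    groups = [v.text.strip() for v in values if v.text and v.text.strip()]
    return name_id.text.strip(), groups


def jit_provision(directory, xml_text, allow_jit=True):
    """Apply the JIT rule. directory = {"users": {name: set(groups)}, "groups": set(existing)}.

    Returns (username, created, joined, skipped). Groups in `skipped` exist only in the
    assertion and are never created on the SP.
    """
    username, asserted = parse_assertion(xml_text)
    users = directory["users"]
    created = False
    if username not in users:
        if not allow_jit:
            raise PermissionError(f"no local account for {username!r} and JIT provisioning is off")
        users[username] = set()
        created = True
    joined, skipped = [], []
    for group in asserted:
        if group in directory["groups"]:
            users[username].add(group)
            joined.append(group)
        else:
            skipped.append(group)  # rule from the template: do not create missing groups
    return username, created, joined, skipped


def jit_denied(directory, xml_text):
    """True when the login must be refused: unknown user and JIT provisioning disabled."""
    try:
        jit_provision(directory, xml_text, allow_jit=False)
        return False
    except PermissionError:
        return True


def demo_directory():
    """Constructed SP user store: one local admin and three existing groups."""
    return {"users": {"admin": {"Linux Admins"}},
            "groups": {"Linux Admins", "Auditors", "Windows Admins"}}


if __name__ == "__main__":
    store = demo_directory()
    print(jit_provision(store, SAMPLE_ASSERTION))
    print(sorted(store["groups"]))  # "Not Yet Created" is still absent
```

The skipped list is worth logging on the SP: a group name that the IdP keeps asserting but that never exists locally is either a naming mismatch between the two directories or an attempt to smuggle a privilege through group membership, and silently ignoring it hides both.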
Example: Using SAML Metadata from the IdP (a second CA Privileged Access Manager)
Configure this CA Privileged Access Manager to perform as a Service Provider (SP), the most typical
type of SAML Relying Party (RP).
a. For Entity ID, provide an Entity ID for this CA Privileged Access Manager that is unique
in this SAML environment (all IdP and RP devices that communicate with each other in
this environment).
b. For Fully Qualified Hostname, provide the FQDN that is used for SAML on this CA
Privileged Access Manager SP.
c. From the drop-down list next to Certificate Key Pair, select the certificate-key file that
you had prepared earlier.
3. Click Save Configuration. A small pop-up acknowledgment appears over a shadowed page;
click OK.
After the pop-up disappears, you see that the phrases below have changed to links, indicating
that your CA Privileged Access Manager is now configured for operation as an SP.
Provide to this CA Privileged Access Manager SP the identifying information of (at least one)
corresponding IdP. This can be done in one of two ways, either:
a. Manually, by clicking Add An Identity Provider to open a template to define the IdP
yourself.
4. Continue with the next section to obtain and apply the IdP metadata.
Prepare and download an IdP metadata file from the CA Privileged Access Manager that is the IdP.
1. Log in to your CA Privileged Access Manager IdP as (at least) a Configuration Administrator.
a. In Entity ID, assign a name that can be used to identify this CA Privileged Access
Manager in this SAML ecosystem.
This ID is included in the metadata file. This IdP includes it in assertions that it
generates to identify itself.
b. In Fully Qualified Hostname, enter the value used for this CA Privileged Access
Manager, such as: xsuite.example.com
c. From the drop-down list to the right of IdP Certificate, select the certificate+key you
are currently using for CA Privileged Access Manager.
d. Click Update IdP Metadata to apply the current certificate, hostname, and your
assigned ID.
You receive a red confirmation message at the top of the page.
4. Click Download IdP Metadata to save the CA Privileged Access Manager-specific "idp-
metadata.xml" file locally.
"idp-metadata.xml" is a CA Privileged Access Manager configuration file that describes the SAML
services supported by the IdP. It also contains information about how an SP can send
authentication requests to the CA Privileged Access Manager IdP, and the certificate containing the
public key that CA Privileged Access Manager uses to sign all assertions. It also includes the FQDN (or
IP) of your CA Privileged Access Manager. Therefore, any time the FQDN or the certificate is changed,
the IdP metadata must be updated, downloaded, and uploaded to every SP; until that is done, an SP
that still holds the old metadata cannot validate assertions signed with the new key.
Upon changing your hostname, click Accept IdP Certificate in that panel and download the CA
Privileged Access Manager SAML metadata file. Ensure that the service provider is provided with
the new CA Privileged Access Manager SAML metadata file.
After obtaining the metadata that defines the IdP (CA Privileged Access Manager SAML
authentication function), you upload it to the SP (the second CA Privileged Access Manager).
Upload the IdP metadata file (that you obtained from your first CA Privileged Access Manager) to the
second CA Privileged Access Manager (that is performing as an SP).
a. Browse to locate the "idp-metadata.xml" file that you obtained from the CA Privileged
Access Manager IdP.
3. Scroll the page back down to the CA Privileged Access Manager SAML RP Configuration panel.
In the Configured Remote SAML Identity Providers section, the IdP is now identified by its
Friendly Name (if any, or by its Entity ID) and its Entity ID.
You now apply the SP metadata that corresponds to this IdP back on the IdP.
4. Stay at this location (on the CA Privileged Access Manager Config, Security page), and
continue with the next section.
Now that this CA Privileged Access Manager SP has been configured as a SAML RP and has been
informed of the IdP characteristics (by way of the IdP metadata file), you use an SP metadata file to
inform the IdP. In this way, each side holds the other's entity ID, endpoints, and signing certificate,
and can therefore verify the messages it receives from the other.
1. If you are not already there, navigate to Config, Security, CA Privileged Access Manager SAML
RP Configuration pane, Configured Remote SAML Identity Providers section.
2. Identify the line item for the IdP that you are looking for (if there are multiple IdPs).
3. Under the Metadata column, locate the blue Download link (for this Identity Provider (IdP)
line item, if there are more than one), and click it to save this CA Privileged Access Manager SP
metadata file (for this Identity Provider) locally, named "XsuiteMetadataFor_IdP-EntityID.xml"
by default.
1. Log in to your CA Privileged Access Manager IdP as (at least) a Configuration Administrator.
b. Click the Import SAML 2.0 SP Metadata button to upload it to the CA Privileged Access
Manager IdP.
After you do so, you will see several acknowledgment messages in green (below the
button). If there are errors, they are noted in red.
3. Confirm:
a. In Services, TCP/UDP Services, a new Service with the typical Service specifications for
a Web Portal (Basic Info, Administration, Web Portal panels), with Auto-Login
Method="SAML 2.0 SSO POST", and the SAML elements populated from the imported
metadata.
b. In Devices, Manage Devices, a populated Device record with Device Name (and
Address) matching the IdP SAML-applicable FQDN has been created.
Now that the SP and IdP have been configured to trust each other, you can provision the IdP to
permit its Users to access the SP services.
When you open a policy template for the SP Device (for a particular User or User Group), select the
corresponding SP Service (identified by Entity ID). This opens the SAML panel so that its attributes can
be specified.
Note
You might need to revise the SAML attributes so that they are sufficiently identified. The
SAML Name Identifier Format is originally not specified. If this occurs, specify it from the
available selections so that xAttribute appears and can be specified.
User Experience
SP-Initiated Connection
1. The User here first points to the Service Provider destination, the CA Privileged Access
Manager SP.
2. However, rather than use the primary login interface, the User bypasses it by selecting Single
Sign On , an interface option that was activated as a result of the configuration of this CA
Privileged Access Manager as an SP (or RP).
3. The User is alerted that the login proceeds with authentication at a different target, the IdP. If
there are multiple IdP targets, the User must select one from the drop-down list, then click
ENTER.
The User is then brought to the login page for the IdP.
In this example, both SP and IdP are CA Privileged Access Manager devices. However, note the
changed browser address, and that the IdP is not configured as an SP, so it does not provide a
Single Sign On link as the initial SP did.
4. The User enters User and Password credentials as required by the IdP.
Because the User target is the SP, when the IdP has authenticated the User, its task is
complete. Control is handed back to the SP, where the login proceeds to finish at the
applicable landing page.
AWS Coordination
CA Privileged Access Manager administrators can preconfigure access to one or more regions in one
or more Amazon Web Services (AWS) accounts. Administrators can use this access both to import
AWS instances from that region as CA Privileged Access Manager Devices and to provide controlled
(account-obfuscated) end-user access to the AWS Management Console.
Credentials for a particular AWS account are stored as an individual target account in Credential
Manager. Using the enhanced configuration interface, you can provision any number of AWS
account/AWS region combinations for concurrent connection.
API access
Next Steps:
Pre-configuration of restricted access to the AWS Management Console website for any policy-
enabled CA Privileged Access Manager user
Import, and regular refresh, of all active AWS devices (in the configured AWS region) as CA
Privileged Access Manager devices
2. Store AWS Account Credentials in a CA Privileged Access Manager CM (see page 62)
Access Key ID
1. Select Policy, Manage Passwords. The Credential Manager menu opens in a separate tab or
window.
4. Begin typing AWS in the Application Name field, and select AWS Access Credential Accounts
from the drop-down list. (Optional) Alternatively, click the magnifying glass icon to open a
modal window to select this application. The target account window changes form, and the
Host Name and Device Name are also populated with the AWS-specific names.
5. In User Friendly Account Name, assign a unique label for your AWS account.
6. Fill in the Access Key ID and Secret Access Key you collected from AWS.
8. (Optional) If you are using AWS GovCloud, in AWS Cloud Type select Government.
CA Privileged Access Manager can now use your AWS access credentials for auto-connection in
multiple scenarios.
2. In the Add AWS Connection panel, select your previously-set User Friendly Account Name in
Access Key Alias.
3. In the AWS Region panel, select your applicable geographical region. If desired, you can
coordinate with multiple account-region pairs.
4. (Optional) Select the Active checkbox to prompt device import. Otherwise, only the validity of
your stored account-region pair is tested.
5. Click Add to confirm the connection, and if activated, perform the initial account-region
device import from AWS. You receive a confirmation at the top of the page that the
connection has been validated, and the Amazon Web Services (AWS) Configuration panel
displays an account-region line item.
Your CA Privileged Access Manager connection to this AWS account is now activated for the selected
region. The connection is available for access to AWS Management Console and is used for device
import. The imported devices are visible and available for use on the Devices, Manage Devices page,
where the CA Privileged Access Manager-applied (not the imported) fields can also be edited.
2. In the User (Group) field, start typing the User or User Group you want the policy to apply to,
and select the matching full name from drop-down filtered list.
3. In the Device (Group) field, select xceedium.aws.amazon.com from the drop-down filtered
list.
4. In the upper-right corner of the page body, click the Create Policy link. A policy template
opens.
a. Click Add to the right of Services, and from the pop-up window select AWS
Management Console SSO. Two fields open to the right of that name.
b. Click in the field marked Credential, and select AWS Access Credential Accounts - User
Friendly Account Name.
c. Click in the field marked AWS Policy, and select an available setting, such as
IAMUserAccess.
6. Click Save.
On their Access page, this user now has a web portal type link AWS Management Console SSO for
(placeholder) device xceedium.aws.amazon.com.
A User or User Group can have an auto-connection policy to the AWS Management Console using
only one AWS account. However, a user can be a member of multiple user groups, each of which has
a transparent login policy to the AWS console using different AWS access credentials. When a User
with access privileges to multiple AWS accounts attempts to access the AWS Management Console
web portal, a shadow box is presented for the User to select an account, and then automatically log
in.
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_inline-using.html
Work-around
1. In Policy, Manage Policy, click the AWS Policies link.
3. Apply the following AWS IAM policy settings to its Policy field, and click Save:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:GetFederationToken",
"Resource": "*"
}
]
}
4. Be sure to use this revised AWS Policy in the Services policy template for an applicable User
with xceedium.aws.amazon.com.
CA Privileged Access Manager can be configured to store information for more than one AWS
account, and any number of stored accounts may be activated for Device import. The Access Key ID
and Secret Access Key for (each) account are stored as CA Privileged Access Manager target account
parameters.
Prerequisites
Establish AWS administrative accounts, with knowledge of Access Credentials.
License
To use CA Privileged Access Manager with AWS, you apply a license with AWS Capability = Enabled.
You can check this on the Config, Licensing page.
2. Confirm that you have installed a CA Privileged Access Manager license that has AWS access
activated: On the Licensing page, the AWS Capability line item will indicate "Enabled."
Meanwhile, the following user-visible objects and interfaces for AWS-interacting features will have
been created in CA Privileged Access Manager:
On the Config, 3rd Party page, you will see the Amazon Web Services (AWS) Configuration
and Add AWS Connection panels as shown in Figure 105.
On the Config, Logs page, in the NFS/CIFS/S3 Settings panel, the Amazon S3 storage
option is activated.
On the Config, Synchronization page, in the Shared Key panel, the AWS Provision option
is activated.
On the Users, Manage Users page, on the User template, the (preconfigured) Role AWS
API Proxy User is a new Available Roles option. On the Users, Manage Roles page, that
Role, as well as the new AwsApiProxy privilege, are now provided.
On the Services, TCP/UDPServices page, the service AWS Management Console SSO is
created and populated. This service is automatically activated on Device xceedium.aws.
amazon.com (http://xceedium.aws.amazon.com).
On the Policies, Manage Passwords, Targets, Applications page, the target application
AWS Access Credential Accounts is created and populated. This application resides on
Device xceedium.aws.amazon.com (http://xceedium.aws.amazon.com). Any number of target
accounts can now be created, each of which stores access credentials for a specific AWS
Account.
3. To configure CA Privileged Access Manager for interaction with (one or more) AWS account(s),
we must first store credentials (passwords) for each account in a Password Management
record. These credentials will be used whenever CA Privileged Access Manager connects to
AWS – to import/synchronize devices, to log in to the AWS Management Console, or perform
other activity.
b. To the right of Application Name, click the magnifying glass and select "AWS Access
Credential Accounts". Both the Host Name and Application Name are then populated
with the CA Privileged Access Manager abstract host (xceedium.aws.amazon.com) and
application (AWS Access Credential Accounts) representations for AWS.
c. Populate this target account with credentials for a specific AWS account:
ii. Paste your AWS Access Key ID and corresponding Secret Access Key in the
labeled fields.
iii. Enter an easily identifiable name or tag for this account into User Friendly Key
Name. This name will be used to identify the account when you configure CA
Privileged Access Manager to communicate with AWS in Step 4.
d. Click Save to store the record and return to the Account List view. Note that the
Account List is ordered by Access Key ID, while the Access Key Alias field is not visible –
so be sure to record or remember the Access Key ID.
e. Repeat this target account creation procedure to store any additional AWS account
credentials.
4. Return now to Config, 3rd Party, Add AWS Connection. Using this panel, you will provision
each specific AWS connection (Access Key Alias – AWS Region combination) from which you
want to import devices.
a. Under Access Key Alias, select (one of) the drop-down option(s) for the available
account(s) that you provisioned in Credential Manager (as User Friendly Key Name).
b. Select the AWS Region of this account that has the devices you want to import.
c. If selected, the checkbox Active directs CA Privileged Access Manager to import all
devices from this connection immediately, and at the end of each AWS Refresh
Interval cycle. You may have connections that are populated, but may not want to
import at this time. You can leave this box unchecked if you do not want to import the
devices currently, but would like to "stage" the connection so that it is visible.
After successful provisioning, you will see a green confirmation message at the
top of the page. New Device records will be visible on the Devices, Manage
Devices page.
ii. A new line item representing the connection will appear in the Amazon Web
Services (AWS) Configuration panel.
5. For any existing configured records in the Amazon Web Services (AWS) Configuration panel:
a. To apply an update interval (to all connections), select an AWS Refresh Interval. This
parameter specifies the length of a repeating cycle, immediately following which CA
Privileged Access Manager performs an import from each connection provisioned
Active=YES.
b. To update a record, click the Edit button for the connection line item you wish to
change. This action re-stages the connection record into the Edit AWS Connection
panel: In this state, the Access Key Alias and AWS Region are not editable.
In the Edit AWS Connection panel:
ii. Click Save to preserve the currently staged settings (that is, a potential change
to/from the Active state) and return the record to Amazon Web Services (AWS)
Configuration, or click Cancel to return the panel to its default state.
Saving a newly Active AWS connection record triggers the import of AWS AMI instances
associated with that account (just as happens during an initial Add operation).
i. Click Remove to completely remove the record from the configuration. (You
will receive a confirmation pop-up, from which you can also cancel the
removal.)
ii. Click Test to make a test connection to verify that the credentials can be used
to log in to AWS and the specified region. (You will receive a confirmation
message at the top of the page.)
S3 Mounts
Because S3 mounts can no longer be assumed in the (sole) AWS Account and Region specified in the
release 2.2.0 3rd Party page configuration, in Config, Logs, NFS/CIFS/S3 Settings you must explicitly
identify which AWS Provision (Account and Region) is to be used.
Warning
Regarding S3 storage mounts: If there is an active S3 mount using a particular Config, Logs,
NFS/CIFS/S3 Settings, AWS Provision setting at the time you attempt to remove its
corresponding connection from Config, 3rd Party, Amazon Web Services (AWS)
Configuration, the connection will not be dropped, the mount will remain intact, and an
error message will be displayed on the 3rd Party page.
Synchronization
The members of a CA Privileged Access Manager synchronization cluster created within AWS must be
located within the same AWS VPC subnet.
Because synchronization can no longer be assumed in the (sole) AWS Account and Region specified in
the release 2.2.0 3rd Party page configuration, on the Config, Synchronization page you must
explicitly identify which AWS Provision (Account and Region) is being used.
Configuration (.cfg) files can only be used on the appliance where they were created.
Database (.gz) files can be used to recreate provisioning on other units: Services, Users, Devices,
Command Filter Lists, Socket Filter Lists, Policies.
Features that allow the administrator to view and manipulate these databases are on the Config,
Database page.
Database Backup (see page 70)
Schedule a Database Backup (see page 71)
Database Restoration (see page 74)
Database Backup
CA Privileged Access Manager administrators can copy data currently in use to internal or external
secondary-drive storage. You can manually back up the database and configuration internally or
schedule a backup to an external server. The backup saves the provisioning Database for Access and
Credential Manager with or without A2A, and the appliance Configuration files. These files are
offloaded to an external server hosting either an SFTP or SCP server. CA Privileged Access Manager
uses public key authentication to encrypt communication and must use a non-interactive login for
authentication.
From the Toolbar, go to the Config menu, select Database, then use the Schedule Backup, Save
Configuration and Database or Reset Database panel.
Best Practice
Schedule the database for backups as soon and as frequently as practical. The backup is then
available in case emergency recovery is needed.
Example: To schedule a backup that begins every night at 11PM, set Month,
Day, and Weekday each to All, the Hour to 23, and the Min to 00.
Timezone: UT (As specified in Date/Time settings. Cannot be edited here.)
Protocol (scp, sftp, NFS, CIFS, Amazon S3): Specify whether SCP or SFTP is used to transfer the
files, or they are written to an NFS, CIFS, or Amazon (AWS) S3 mount.
Select Authorization File (dsa.key, rsa.key): Set the key file for use in authentication.
If the protocol = SCP or SFTP:
  <user>@<server>:/path: Set the authentication and path with the syntax provided.
  Port: Change the port on the destination server as needed. Default = 22
If the protocol = NFS:
  Share Path: Path on server: /<path>
  Hostname: FQDN or IP address
If the protocol = CIFS:
  Share Path: Path on server: \\<hostname>\<share>
  Username: Username of the share access account
  Password: Password for account specified by Username
  Domain: FQDN or IP address
If the protocol = Amazon S3:
  Bucket: Name of AWS S3 bucket
  AWS Provision: Name of CA PAM AWS provision as set in Config, 3rd Party: Access Key Alias –
  Region combination
  Mount
Best Practices
The database can be scheduled for backups as soon and as frequently as practical so that it is
available in case emergency recovery is needed.
1. Open the Database Backup Scheduler by selecting: Config, Schedule Backup, Save
Configuration and Database or Reset Database, Schedule Backup.
In the Database Backup Scheduler panel, the Current Schedule pane will, by default, indicate
"None": This means that no scheduled backup is performed. When configured, however, the
Current Schedule pane displays the Month, Day, Weekday, and time of the active scheduled
backup.
3. Set up the receiving server or share for one of: scp, sftp, NFS, CIFS, or Amazon S3.
b. Copy these key files to the destination server, into the home directory of the user who
represents CA Privileged Access Manager for authentication.
c. In the destination server ".ssh" directory, import/append the contents of the (CA
Privileged Access Manager) key files into the "authorized_keys" file.
If an "authorized_keys" file does not exist, create one for this purpose.
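Steps 3b and 3c above for the SCP/SFTP case, automated as an added example that is not part of the CA documentation: the function appends the appliance's public key to the backup user's authorized_keys once, creates the file if it is missing, and applies the directory and file modes an sshd with StrictModes accepts; the sample key, the function names and the temporary home directory are constructed.

```python
"""Install the CA Privileged Access Manager backup key on the receiving server.

Added example, not part of the CA Privileged Access Manager documentation.
It automates steps 3b and 3c above for the SCP/SFTP case: the appliance's
public key is appended to the backup user's ~/.ssh/authorized_keys (created
if missing) without duplicating an entry, and the directory and file are set
to the modes an sshd with StrictModes accepts. The sample key, the function
names and the temporary home directory used by run_demo() are constructed.
"""
import os
import stat
import tempfile
from pathlib import Path

# Constructed placeholder, not a real key; it stands in for the contents of
# the public key file downloaded from the appliance.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholderBlob pam-backup"


def _key_identity(line):
    """Key type and base64 blob identify a key; a trailing comment does not."""
    fields = line.split()
    # Skip a simple leading options field (for example 'restrict') if present.
    if fields and not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields = fields[1:]
    return tuple(fields[:2]) if len(fields) >= 2 else None


def install_backup_key(home_dir, pubkey_text):
    """Append one public key line to <home_dir>/.ssh/authorized_keys.

    Returns True if the key was added, False if an equivalent key was
    already present. Raises ValueError for input that is not one key line.
    """
    key = pubkey_text.strip()
    if "\n" in key or _key_identity(key) is None:
        raise ValueError("expected exactly one public key line")
    ssh_dir = Path(home_dir) / ".ssh"
    ssh_dir.mkdir(exist_ok=True)
    os.chmod(ssh_dir, stat.S_IRWXU)  # 0700 regardless of umask
    auth_file = ssh_dir / "authorized_keys"
    existing = auth_file.read_text().splitlines() if auth_file.exists() else []
    if _key_identity(key) in {_key_identity(line) for line in existing}:
        return False
    auth_file.write_text("".join(f"{line}\n" for line in existing + [key]))
    os.chmod(auth_file, stat.S_IRUSR | stat.S_IWUSR)  # 0600
    return True


def check_backup_key_setup(home_dir, pubkey_text):
    """Return problems that would stop the non-interactive backup login."""
    ssh_dir = Path(home_dir) / ".ssh"
    auth_file = ssh_dir / "authorized_keys"
    if not ssh_dir.is_dir():
        return [".ssh directory missing"]
    problems = []
    if stat.S_IMODE(ssh_dir.stat().st_mode) != 0o700:
        problems.append(".ssh is not mode 0700")
    if not auth_file.is_file():
        return problems + ["authorized_keys missing"]
    if stat.S_IMODE(auth_file.stat().st_mode) != 0o600:
        problems.append("authorized_keys is not mode 0600")
    present = {_key_identity(line) for line in auth_file.read_text().splitlines()}
    if _key_identity(pubkey_text.strip()) not in present:
        problems.append("appliance key not present in authorized_keys")
    return problems


def run_demo():
    """Exercise the functions in a throwaway home directory; returns a summary."""
    with tempfile.TemporaryDirectory() as home:
        first = install_backup_key(home, SAMPLE_PUBKEY)
        second = install_backup_key(home, SAMPLE_PUBKEY + "\n")  # re-run: no-op
        lines = (Path(home) / ".ssh" / "authorized_keys").read_text().splitlines()
        problems = check_backup_key_setup(home, SAMPLE_PUBKEY)
    return first, second, len(lines), problems


if __name__ == "__main__":
    print(run_demo())  # (True, False, 1, [])
```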
Database Restoration
As a CA Privileged Access Manager administrator, you can restore the database or configuration file
using a previously saved file. You can also return the database to its original state.
1. Go to Config, Database. Use the Configuration and Database File Operations panel.
2. If no backup has been made, the Database File Operations buttons are not active. Instead of a
"Pick a filename" heading and a list of files, a message appears: "No files found in the storage
directory." There is nothing to download, delete or restore until a backup exists.
3. Select the file to restore. CFG files are configuration files. GZ files are database files.
1. Go to Config, Database. Use the Schedule Backup, Save Configuration and Database or Reset
Database panel.
To provide hardware-based encryption to encrypt and decrypt stored credentials, configure one of
the following Hardware Security Modules (HSMs):
SafeNet Luna SA Appliance (see page 75)
SafeNet Luna PCI-E Card (see page 80)
Thales nShield Connect HSM Appliance (see page 85)
Common HSM Features (see page 93)
Configure Luna
Before you can configure CA Privileged Access Manager to communicate with the Luna HSM
appliance, you must prepare the appliance to recognize CA Privileged Access Manager.
Example
The following procedures describe a third-party environment (SafeNet Luna SA 4.3) that is outside CA
Technologies control. They should be considered only representative of the interface that was
encountered and of the procedures that may be required. See the manufacturer documentation for your
SafeNet Luna.
1. Configure a network connection. The Luna appliance must be configured to be visible on the
network, and must be visible to CA Privileged Access Manager using IP addressing or machine
name (FQDN). When you do this, you establish an administrative account and password.
These are used later as the SafeNet Principal Username and SafeNet Principal Password. For
details and instructions, consult the SafeNet documentation.
a. Log in to the console. The console is a shell called "Lush", which you can log in to
using an SSH client (for example, ssh or PuTTY).
Upon login, you are presented with the Lush prompt:
Luna Command Line Shell v4.3.2-3 - (c) 2001 - 2008 SafeNet, Inc. All
rights reserved.
[luna] lunash:>
b. The internal PCI card is in its factory state and must be initialized for use. Type the
following command to Initialize the PCI card.
[luna] lunash:> hsm init -d xsuite -l xsuite -s <password> -f
As shown, you must use the string "xsuite" for the "-d" and the "-l" (lower case el)
options. The "-s" option specifies the mandatory "security officer" password and is
user-selectable.
Example:
[luna] lunash:> hsm init -d xsuite -l xsuite -s xD6@8iJkd!F -f
3. Storage must be initialized once on each Luna appliance (up to 3) that integrates with CA
Privileged Access Manager. Once initialized, the storage element on each SA appliance can be
shared by multiple instances of CA Privileged Access Manager.
b. Create Storage:
[luna] lunash:> partition create -par xsuite -pas <password> -f
As shown, you must use the string "xsuite" for the "-par" option. The "-pas" option is
the user-selectable storage password.
Example:
[luna] lunash:> partition create -par xsuite -pas 3e)kuuI%6j -f
c. Confirm Storage – You can confirm the creation of the storage and can show the
contents by issuing the following command:
Note: When tested for CA Privileged Access Manager 2.3, 5000 target account records took
approximately 10 minutes to process.
Once the SafeNet Luna HSM appliance is prepared to receive communication from CA Privileged
Access Manager, you can configure CA Privileged Access Manager to initiate and establish use of up
to three Luna appliances of the same release level (for example, all 4.3).
3. In the Schedule Backup, Save Configuration and Database or Reset Database panel, click
Save Database and Configuration.
The page updates with a confirmation of the backup creation along with the database (and
configuration) filenames. Note the database filename, which should be similar to:
gkdatabase20130714124622.gz
4. In the Configuration and Database File Operations panel, select the database filename from
the drop-down menu, and click Download.
The database is saved to your local workstation (or other location you choose).
5. Use this file if you must recover your CA Privileged Access Manager database.
3. In the second panel, SafeNet HSM Configuration, enter the Luna credentials that you
established when setting up the device.
a. Enter the Security Principal Username you set when configuring the Luna
administrative account.
b. Enter the Security Principal Password you set when configuring the Luna
administrative account.
c. Enter the Partition Name as specified during Luna (5.2 or later) configuration.
d. Enter the Partition Password you set in the "Create Storage" step during your Luna
configuration procedure earlier.
e. Enter the Address (IP address or FQDN) assigned to the Luna appliance.
4. Click Add to initiate the configuration. After successful account access to the Luna appliance,
the page refreshes, returning with a confirmation message, an updated Network Attached
HSMs panel with the address (labeled HSM), Status (showing as PartitionName :
ConnectionStatus), and permitted Action (Remove button is available) of the configured
appliance, and an empty configuration panel (Figure 184).
6. Log back in to CA Privileged Access Manager, and navigate to the 3rd Party page.
Scaling
Although not required, we recommend that you configure Luna appliances in CA Privileged Access
Manager only during CA Privileged Access Manager downtime. If your CA Privileged Access Manager
is a production appliance, plan a maintenance window.
Note: When tested for CA Privileged Access Manager 2.3, 5000 target account records took
approximately 10 minutes to process.
You can add a second and a third Luna appliance to the CA Privileged Access Manager configuration.
When doing so, repeat the procedures in "Configure Luna" and "Configure CA Privileged Access
Manager."
Requirement: Use the same password for the storage element that you assigned in the Create
Storage procedure for each Luna appliance.
Remove a Luna Appliance
You can remove a Luna appliance from an existing CA Privileged Access Manager configuration.
3. In the SafeNet HSM panel (as in Figure 184), click the Remove button of a Luna appliance you
want to remove.
The page refreshes to show removal of the selected appliance.
4. If you have removed the only (remaining) appliance, reboot CA Privileged Access Manager.
5. Log back in to CA Privileged Access Manager, and navigate to the 3rd Party page.
6. If you have removed the only (remaining) appliance, then to initiate the required
re-encryption of passwords, navigate to Policy, Manage Passwords, Credential Manager GUI and
wait for the page to load.
Note: This reencryption also occurs immediately following a password request from
an A2A Client, if that occurs earlier.
A Luna HSM appliance or appliance group that has been configured on one CA Privileged Access
Manager appliance may then be configured on extra CA Privileged Access Manager appliances by
following the procedure in "CA Privileged Access Manager Configuration" earlier in this content.
Requirements: Each CA Privileged Access Manager appliance must use the same
encryption/decryption key.
Share a Luna Group Within a CA Privileged Access Manager Cluster
A Luna appliance group may be configured for use in an existing CA Privileged Access Manager
synchronized cluster by configuring the devices in the following sequence.
Important!: Each member of a CA Privileged Access Manager cluster must use the same
HSM installations – that is, an identical set of Address and Partition Name combinations
should be configured on each CA Privileged Access Manager.
Assumptions:
1. If the CA Privileged Access Manager cluster is active, stop it. Per the following steps, do not
restart the cluster again until after all HSMs have been configured on each CA Privileged
Access Manager device.
2. In the SafeNet HSM Configuration panel on X1, fill in and Add H1.
Do not reboot (until after all HSMs – H1, H2, and H3 – have been configured on X1).
The encryption key must be generated one time only on H1, and then must be copied to
H2 and H3.
3. After CA Privileged Access Manager X1 has successfully connected to H1, fill in and Add H2. Do
not reboot.
4. After CA Privileged Access Manager X1 has successfully connected to H2, fill in and Add H3. Do
not reboot.
Model: K6 Base
Luna Preparation
The Luna PCI-E card is already installed and configured for CA Privileged Access Manager and a
SafeNet Luna PED (PIN Entry Device). During the "Configure CA Privileged Access Manager to Support
a Luna PCI-E Card" procedure, you provide further configuration through the PED. Do the following
preparation tasks before that time:
Read at least the following sections in the SafeNet Luna PCI-E (here, 5.0) online help from their
DVD: On the "START_HERE.html" page, select Product Documentation, Luna PCI 5.0 Help System,
then navigate from the left Table of Contents:
Review the concepts about Trusted Path Authentication, and information about the PED and
PED (USB) Keys. See E – Concepts, Trusted Path Authentication (options).
Note: Determine how many (of the 10 supplied) PED Keys to use.
Review the steps that you take at the PED with the PED Keys. See A – Configuration, PED
Authentication (Trusted Path) version.
Note: Procedures that describe interaction with the lunacm utility are no longer applicable –
instead, CA Privileged Access Manager handles these steps. "Configure to Support a Luna PCI-E
Card" describes the CA Privileged Access Manager GUI steps that you use in place of that CLI,
with your PED and PED Key responses.
Ensure that you have physical access to your CA Privileged Access Manager appliances.
Ensure that you have your PED and blue, red, and black PED Keys available when you perform
HSM configuration.
Database Backup
Before configuring CA Privileged Access Manager to engage with the Luna appliance, back up the CA
Privileged Access Manager database.
3. In the Schedule Backup, Save Configuration and Database or Reset Database panel, click
Save Database and Configuration.
The page updates with a confirmation of the backup creation with the database (and
configuration) filenames. Note the database filename, which is similar to:
gkdatabase20130714124622.gz
4. In the Configuration and Database File Operations panel, select the database filename from
the drop-down list, and click Download.
The database is saved to your local workstation (or other location you select).
Use this file if you must recover your CA Privileged Access Manager database.
HSM Configuration
Use this procedure to prepare one Luna PCI-E equipped CA Privileged Access Manager appliance for
SafeNet encryption use.
Important! After activation (as outlined in the following steps), the Luna PCI-E card is
permanently configured for that CA Privileged Access Manager appliance. You cannot
disengage an activated Luna card and start using the built-in Credential Manager
cryptography instead.
Note: To cluster the use of PCI-E cards in a CA Privileged Access Manager appliance cluster,
the following conditions must be true:
You must cluster the PCI-E cards according to "Scaling: Configuring a Cluster of CA
Privileged Access Manager/PCI-E Appliances" on this page.
1. Plug the PED device into the corresponding outlet on the PCI card interface in the back of the
appliance.
Note: If CA Privileged Access Manager does not recognize a PCI card in the
appliance (or if the appliance is a VMware VM or AWS AMI instance), the
SafeNet panels look different.
c. You see a pop-up warning that you are about to erase the contents of the PCI card.
d. When you are ready to continue with following the PED instructions, click OK.
3. With your PED Keys, go back to where the PED interface is visible (attached to the PCI card on
the CA Privileged Access Manager appliance) to perform the following SafeNet-specific steps:
Important! Take care in performing each step. The procedure is not reversible, and
recovery can only be accomplished by repeating the entire procedure.
a. You are prompted several times for individual PED Keys. Perform key insertions and
data entry as requested:
Creation of one (or more) Security Officer (SO) keys, each using a blue PED Key
Creation of a cloning domain key, using a red PED Key. The cloning feature is not
used by CA Privileged Access Manager.
When the PED steps are complete, you are presented with a 16-byte challenge
string.
c. Click Enter, and then return to the CA Privileged Access Manager GUI.
5. Verify on the 3rd Party page that you see the following information:
At the top of the page, the response message: "Success initializing the internal LunaPCI-E
device"
a. In the LUNA PCI-E Configuration panel, carefully enter the challenge key into the
Password field.
b. Click Activate.
A warning dialog appears, informing you that you are about to activate the Luna PCI-E
device, and need your black PED Key ready.
7. Return to the PED interface with your black PED Key and attach it to complete activation of
the HSM.
8. At the CA Privileged Access Manager GUI, verify on the 3rd Party page that you see the
following items:
At the top of the page appears the response message: "Success activating the LunaPCI-E
device on this [[primary | non primary] clustered | standalone] CA Privileged Access
Manager".
1. Perform a complete CA Privileged Access Manager clustering procedure. See the online help
at the Synchronization page for details.
2. On the primary cluster member GUI and appliance, initialize and activate the Luna PCI-E as
outlined in HSM Configuration.
d. Copy (to the buffer or a file location) the full content of the Public Key field. (You
might need to scroll the field to capture the full key.)
a. With the copied key (in your buffer or a file), log in to the (primary member) GUI:
ii. In the LUNA PCI-E Configuration panel, paste the buffer in the Public Key field.
b. Go to the back of the appliance, attach the PED, and follow the instructions, including
plugging in the blue key.
ii. Copy (to the buffer or a file location) the full content of the Encrypted Key
field. (You might need to scroll the field to capture the full key.)
5. For the same non-primary member that was used in step 3, and with the copied key (in your
buffer or a file), log in to the GUI:
b. In the LUNA PCI-E Configuration panel, paste the copied key into the Encrypted Key
field.
At the top of the page, the response message: "Success inserting the encrypted
cipher key into the LunaPCI-E device"
License: A CA Privileged Access Manager "Thales HSM Capability" license is required to configure
connection to an nShield HSM.
CA Technologies has verified compatibility with Thales nShield Connect 1500, with client
software, SecWorld-linux-user-11.62.00, version 11.62.00. This client can be used with nShield
Connect versions: 500, 6000, and 6000+.
CA Technologies has verified compatibility with one nShield appliance. However, CA Privileged
Access Manager can accommodate up to three nShield appliances.
Integration with nShield encryption is supported with CA Privileged Access Manager deployed as
a hardware appliance or as a VMware OVA. It is not supported with an AWS AMI deployment.
If the nShield appliance is unreachable from CA Privileged Access Manager, administrators and end
users are unable to manage or use passwords and cannot invoke some applicable GUI pages. (There
is no failover to Credential Manager.)
Configure nShield
Before you can configure communication with the nShield HSM appliance, prepare the HSM to
recognize CA Privileged Access Manager.
Install and configure the nShield appliance according to the Thales product documentation.
Important! When creating an operator card set with more than one card, each card
must have the same OCS name and password. This allows a CA Privileged Access
Manager appliance to use multiple nShield HSMs as a failover group. In addition, CA
Privileged Access Manager searches the nShield appliance for the operator card
based on this name. Both the name and password are user selectable.
This OCS must be a "1 of N" set, where N is at least the number of HSMs. N can be
greater than that number, but the OCS must be 1 of N.
Make note of the OCS name. This is entered in the Token Label field.
Make note of the OCS pass phrase. This is entered in the Token Password field.
The Remote File System ("RFS") is used to store configuration data and shared secrets for
clients (in this case, CA Privileged Access Manager appliances) that are configured in a
clustered environment to share an HSM or group of HSMs.
Make note of the IP address of the client computer on which you set up the RFS. This is
entered in the Remote File System field. Do not use an FQDN.
5. Register your CA Privileged Access Manager (or each member in your cluster) as a client of:
a. The nShield appliance. During this process, configure the client as a "non-privileged"
client that does not use an nToken device.
b. The RFS.
License Installation
Prior to configuring CA Privileged Access Manager to communicate with your HSMs, license CA
Privileged Access Manager for HSM use.
3. In the Schedule Backup, Save Configuration and Database or Reset Database panel, click
Save Database and Configuration.
The page updates with a confirmation of the backup creation along with the database (and
configuration) filenames. Note the database filename, which is similar to:
gkdatabase20130714124622.gz
4. In the Configuration and Database File Operations panel, select the database filename from
the drop-down menu, and click Download.
The database is saved to your local workstation (or other location you choose).
Use this file if you must ever recover your CA Privileged Access Manager database.
3. In the Thales HSM Configuration panel, enter the nShield credentials that you established
when setting up that appliance:
a. Enter the name of the applicable OCS you set when configuring the nShield appliance
in the Token Label field.
b. Enter IP address (not a DNS name) of the client computer on which you set up the RFS
when configuring the nShield appliance as the Remote File System.
Note: The standard port that is used with the two nShield address
parameters is 9004, but it does not need to be specified here explicitly.
However, if you are not using this default port number, you must identify
any alternate port in a full socket declaration – for example, as: 192.168.0.2:9999
c. Enter the password of the applicable OCS you set when configuring the nShield
appliance as the Token Password.
d. Enter the Address (IP address only, not a DNS name) assigned to the nShield
appliance.
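An added example, not from the CA documentation, that validates the two nShield address fields against the rule in the note above (dotted-quad IPv4 only, no DNS name, an optional :port suffix with 9004 as the default); the function and constant names are assumptions.

```python
"""Validate nShield address fields for the Thales HSM Configuration panel.

Added example, not part of the CA Privileged Access Manager documentation.
The Remote File System and Address fields take a dotted-quad IPv4 address
only (no DNS name), with an explicit ":port" suffix needed only when the
nShield default port 9004 is not in use, as in 192.168.0.2:9999. Function
and constant names are assumptions made here.
"""
import ipaddress

DEFAULT_NSHIELD_PORT = 9004


def parse_hsm_socket(value):
    """Return (ip, port) from "a.b.c.d" or "a.b.c.d:port".

    Raises ValueError for a DNS name, an IPv6 literal, or a bad port, so the
    panel is never given a value the appliance would reject.
    """
    text = value.strip()
    host, sep, port_text = text.partition(":")
    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        raise ValueError(
            f"{host!r} is not a dotted-quad IPv4 address; DNS names are not permitted"
        ) from None
    if not sep:
        return str(ip), DEFAULT_NSHIELD_PORT
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"{port_text!r} is not a valid TCP port")
    return str(ip), int(port_text)


def format_hsm_field(ip, port):
    """Inverse of parse_hsm_socket: the shortest form the panel accepts."""
    ip_text = str(ipaddress.IPv4Address(ip))
    return ip_text if port == DEFAULT_NSHIELD_PORT else f"{ip_text}:{port}"


def check_thales_fields(remote_file_system, address):
    """Return findings for the two address fields; an empty list means OK."""
    findings = []
    for label, value in (("Remote File System", remote_file_system), ("Address", address)):
        try:
            parse_hsm_socket(value)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the page's own 192.168.0.2 examples.
    print(parse_hsm_socket("192.168.0.2"))        # ('192.168.0.2', 9004)
    print(parse_hsm_socket("192.168.0.2:9999"))   # ('192.168.0.2', 9999)
    print(check_thales_fields("192.168.0.2", "192.168.0.3"))
```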
4.
time, which for several thousand records should last about 10 minutes or less, the existing
Credential Manager database is still available for use by CA Privileged Access Manager for
other purposes.
After successful account access to the nShield appliance, the page refreshes, returning with a
confirmation message and an updated Network Attached HSMs panel with the address and
status of the appliance, and a now empty configuration panel.
7. To confirm the required reencryption of passwords, navigate to the Policy, Manage Passwords,
Credential Manager GUI and wait for that page to load.
This reencryption also occurs immediately following a password request from an A2A Client, if
that occurs earlier.
The following table provides reference material for the configuration panels that are displayed when
configuring Thales nShield:
The Thales HSM Configuration panel allows you to stage HSM parameters as follows:
Token Label (String; as set during nShield configuration): Enter the name of the applicable OCS
(Operator Card Set) you created when configuring the nShield appliance.
Remote File System (IPv4 address; dotted quad, as in 192.168.0.2): Enter the IP address of the
Remote File System (RFS) used. NOTE: For Thales HSMs, a DNS name is not permitted.
Token Password (String; as set during nShield configuration): Enter the password of the applicable
OCS (Operator Card Set) you created when configuring the nShield appliance.
Address (IPv4 address; dotted quad, as in 192.168.0.2): Enter the IP address of the nShield Connect.
NOTE: For Thales HSMs, a DNS name is not permitted.
Add (Button): Activates CA Privileged Access Manager use of the HSM. If this is the first HSM
staged, then after initiation of this Add command, a pop-up appears to (1) warn the administrator
that "Adding this HSM configuration will trigger reencryption of all passwords in the database",
and (2) advise the administrator to do a password database backup first. After completion of this
Add command, a (green) confirmation message along with the instruction to reboot, or a (red) error
message, appears at the top of the page.
Token Password (String; as set during nShield configuration): Enter a new password for the
applicable OCS (Operator Card Set) you set when configuring the nShield appliance. Set the new
password on the nShield before entering it here.
Update & Activate (Button): After you click this button, CA Privileged Access Manager does the
following operations:
  Attempts communication to the (primary) HSM.
  If successful, confirms that the new Token Password is in the HSM.
  If successful, stores the new password in CA Privileged Access Manager.
Configuration Options
You can change the CA Privileged Access Manager configuration of HSMs to add or remove one or
more HSMs, and/or update the stored OCS password.
Add HSMs
You can connect (Add) one or two more HSMs, for a maximum of three (3) HSMs.
3. In the second panel, enter the credentials that you established when setting up the device.
a. Enter the Security Principal Username you set when configuring the nShield
administrative account.
b. Enter the Security Principal Password you set when configuring the nShield
administrative account.
c. Enter the Partition Name as specified during nShield (5.2 or later) configuration.
d. Enter the Partition Password you set in the "Create Storage" step during your nShield
configuration procedure earlier.
e. Enter the Address (IP address or FQDN) assigned to the nShield appliance.
4. Click Add to initiate the configuration. After successful account access to the nShield
appliance, the page refreshes, returning with a confirmation message, an updated Network
Attached HSMs panel with the address (labeled HSM), Status (showing as PartitionName :
ConnectionStatus), and permitted Action (Remove button is available) of the configured
appliance, and an empty configuration panel (Figure 184).
6. Log back in to CA Privileged Access Manager, and navigate to the 3rd Party page.
7. The Token Password value must be the same as that used for the first HSM; otherwise, you need to
reconfigure the OCS of the additional HSM.
Remove HSMs
You can Remove any number of HSMs (one at a time) and, once none remain, revert the encryption
mechanism to native Credential Manager. To do so:
4. At the right-hand side of the line item for the HSM you want to remove from CA Privileged
Access Manager integration, click Remove.
If this is the only HSM currently configured, a pop-up warns you that removal triggers
reencryption of all passwords in the database (as they are reassigned to native Credential
Manager).
5. When the reencryption completes, a green "Success …" (or a red "Error …") message appears.
7. Log back in to CA Privileged Access Manager and navigate back to the 3rd Party page.
You should see the same page as shown in Figure 189, except that the "Success …" message is
gone, confirming that the HSM is no longer in use.
An nShield HSM or HSM group can be configured for use in an existing CA Privileged Access Manager
synchronized cluster.
Assumptions:
1. On X1:
d. If there is an H3, specify and integrate (see page 88) for it.
Updating Passwords
You can update the Token Password of an installed Thales nShield HSM, or the Partition Password of
an installed SafeNet Luna SA HSM, without taking the HSM offline.
1. On the HSM appliance or appliances, change the relevant HSM password. (See the
manufacturer documentation.)
2. In CA Privileged Access Manager Web UI or Client, navigate to the Config, 3rd Party, Network
Attached HSMs panel and confirm that the HSM Status field at the top of the panel shows
"online."
For example, for a Thales HSM:
In the Thales HSM Configuration staging panel, enter the new password in the second Token
Password field at the bottom of the panel (beside the Update and Activate button).
Note: Because the password field characters are hidden, you can copy and paste
the password instead of typing the password to avoid data entry errors. If you have
multiple HSMs, the Token Password is the same on each, so you do not have to
identify the specific appliance.
If the password is not correct, or if there was a problem communicating with the HSM, the
following response appears:
"Error the HSM password is incorrect."
Logging
Splunk endpoints can be specified as resources for CA Privileged Access Manager.
4. Enter the server IP address or FQDN in the left field and the port in the right field.
5. Click Add to engage the server and include it in the Current Servers list.
Maximum number of VMware NSX API Proxy Users that can be provisioned
Whether SafeNet HSM Capability is enabled or disabled. If SafeNet is enabled, Thales cannot be
enabled.
Whether Thales HSM Capability is enabled or disabled. If Thales is enabled, SafeNet cannot be
enabled.
A Start Date
For CA Privileged Access Manager as an AWS AMI instance only: An End Date
Type of license: Perpetual (no end date), Temporary, or Evaluation (also temporary)
A license file is prepared by CA Technologies and installed with your appliance. An update is provided
to you to use to overwrite an existing license through the Install New License pane.
If an imported Device exceeds the permit count, it is provided a Device record, but it is not
provisioned. It does not have Access or Password Management capability. The Device thus has a
placeholder but is not operational. If you attempt to assign and Save a Device Type, the attempt is
rejected. Later, when either a permit is freed up or another Device permit is added, the Device record
can be used.
PKI, which involves the items to enable smartcard authentication, including Certificate Revocation
Lists (CRLs)
Also on the Config menu you find settings for SSL VPN, and backups. This section also includes
information on troubleshooting.
Security Configuration
The CA Privileged Access Manager Security Configuration page allows the administrator to change or
edit information about:
Cryptography
CA PAM uses TLS 1.0, TLS 1.1, or TLS 1.2 to protect the communications that it manages. Client
connection sessions are protected with AES-256 or AES-128 encryption and HMAC-SHA256 or HMAC-SHA1
integrity protection. The AES session key may also be derived through a SHA-1 based key derivation
(which FIPS permits).
Note: Java does not currently support Diffie-Hellman (DH) key agreement with key sizes of
2048 bits or more. As a result, if a server generates a DH key of 2048 bits or larger, Java
throws an exception and the SSH connection fails.
CA PAM generates certificate requests and self-signed certificates with RSA 2048 or RSA 4096 keys
and SHA-512 signatures. Certificates can also be uploaded to CA PAM in PEM and DER formats. CA PAM
also supports Public Key Infrastructure (PKI) authentication using X.509 certificates: clients
present their certificates to CA PAM, which validates them against its internal certificate chain
and a certificate revocation list (CRL) or OCSP.
Session keys are destroyed by zeroing memory after the user disconnects from the session. Key
generation covers public/private RSA key pairs and an AES-256 credential storage key. RSA keys are
generated at the request of the user; the credential storage key is created on initial boot.
An authorized administrator sets the encryption policy through options provided on the Security page
as described here.
1. The fingerprint for the host on which the client resides, if fingerprinting is enabled
3. DNS
When a requestor application requests credentials, the credentials remain encrypted as they are
transferred over the network. The A2A Client decrypts the credentials before passing them to the
requestor.
The administrator manually updates the intermediate CRL periodically before it expires. Select "Use
downloaded CRL" in the CRL Options.
In the Upload Certificate or Private Key area, perform the following steps:
1. Upload the Root Certificate: upload the root certificate of each chain to be used in CA PAM.
The root certificate must be downloaded from the Certificate Authority (CA) and must match the
certification path of the user certificates.
CA Bundles: Upload the root certificate.
Other Options: Select either PKCS 11 or X.509 format for the certificates to be uploaded.
Filename: Browse to the certificate to be uploaded.
Destination Filename: Change the filename of the certificate. Leave blank if the name stays the same.
Passphrase: Enter the password, if the certificate requires one.
Upload the root CRL:
Certificate Revocation List: Upload the root certificate CRL.
Other Options: Does not apply to a CRL and requires no change.
Upload the intermediate certificate:
Intermediate Certificate: Upload the intermediate certificate.
Other Options: Select either PKCS 11 or X.509 format for the certificates to be uploaded.
Filename: Browse to the certificate to be uploaded.
Destination Filename: Change the filename of the certificate. Leave blank if the name stays the same.
Passphrase: Enter the password, if the certificate requires one.
Upload the intermediate CRL:
Certificate Revocation List: Upload the CRL for the certificate.
Other Options: Does not apply to a CRL and requires no change.
Filename: Browse to the CRL to be uploaded.
Destination Filename: Change the filename of the CRL. Leave blank if the name stays the same.
Passphrase: Enter the password, if the CRL requires one.
Note: Passwords are not typically required for CRLs.
Option B: OCSP
17-Feb-2017 98/416
CA Privileged Access Manager - 2.8
CA PAM sends an Online Certificate Status Protocol (OCSP) request to the OCSP server to validate
client certificates. The OCSP server address is taken from the client certificate. Select "Use
downloaded CRL" in the CRL Options while uploading the certificates and root CRLs.
The upload panels are the same as for CRL validation: the root certificate (CA Bundles), the root
CRL, the intermediate certificate, and the intermediate CRL, each with the Other Options (PKCS 11 or
X.509; not applicable to a CRL), Filename, Destination Filename, and Passphrase fields described
above. Passwords are not typically required for CRLs.
The PKI/Smartcard User Logon checkbox enables or disables PKI authentication. With this option
checked, the browser prompts for a client-side certificate when it reaches the URL of the
configured CA PAM.
The Login Page Without CAC checkbox enables or disables username/password-based logons. When this
box is checked and a smartcard is not present, users are not able to log in to CA PAM. If the box is
unchecked, users have the option of authenticating with a username and password or other configured
authentication methods. If users are unable to authenticate with a smartcard, the configuration page
is always available using a known username and password.
Important: The ActivID ActivClient attempts to send the smartcard certificate to the login page.
The user must either disable ActivClient or select Cancel when prompted.
1. Ensure that ActivClient 6.0 or 6.1 is properly configured to read the card; the contents of the
certificate should be viewable in the ActivClient Agent.
2. Open Internet Explorer 6 or later and point the browser at the URL of CA PAM. You are then
required to enter the PIN of the card. Enter the appropriate PIN.
3. Select the appropriate certificate from the browser store. In environments with multiple
certificates, either the identity or the dual-purpose certificates can be used to authenticate to
CA PAM. Once the certificate is chosen, it is verified against its Certificate Chain in CA PAM.
4. The first time that you access a CA PAM appliance using PKI, you receive a message that the
Client certificate is in the registration process.
5. After a CA PAM administrator approves your account and provides the correct associations,
you can then log in to CA PAM with a smartcard.
Certificates Configuration
A CA Privileged Access Manager administrator can create a certificate or a certificate-signing request
(CSR) on the Config, Security page. These procedures create either a self-signed SSL certificate or a
CSR containing the DNS name. Installing a trusted certificate is recommended, because Microsoft
Windows generates extra pop-up windows when the SSL certificate is not trusted.
Important! The certificate Subject attribute must contain a Common Name (CN) attribute
that matches the FQDN (Fully Qualified Domain Name) or the IP Address of the CA
Privileged Access Manager host.
Option 2 (see page 103) (generate a CSR): Requires more steps and might involve a cost.
Ordinarily used when an organization requires it.
Option: Description
Key Size: 1024 or 2048. Default: 1024. Select 2048; 1024-bit RSA keys are no longer considered
adequate (NIST SP 800-131A disallowed them for signature generation after 2013).
Common Name: Set the DNS name or IP address of CA Privileged Access Manager in the certificate.
Country: Set the country of the certificate.
State: Set the state of the certificate. Note: Use the full name rather than an abbreviation.
City: Set the city of the certificate.
Organization: Set the organization (typically a company or agency name) of the certificate.
Org. Unit: Set the organizational unit name (typically a subdivision or location of the
Organization) for the certificate.
Days: Set the validity period. The current CA Privileged Access Manager appliance date becomes the
"Not Valid Before" date for the certificate; the "Days" field then determines the "Not Valid After"
date.
Alternate Subject Names: Optional setting, but required if more than one address is to be used: list
FQDN and IP address aliases to the Common Name, one per line. This list must include the Common
Name. Notes: Do not add a newline (line feed) after the last entry. Refer to: X.509 Subject
Alternative Name.
Filename: Create a name for the certificate.
2. Select Create.
Stage certificate for use
3. In the Set Certificate panel, select the filename of the certificate previously created.
4. Click Verify Certificate to confirm that this certificate is acceptable by CA Privileged Access
Manager.
6. Important: Reboot the CA Privileged Access Manager appliance for the new certificate to take
effect.
Install the certificate as a trusted root certificate in a browser
7. When the Security Alert pop-up window appears, select View Certificate.
Important
The Issued to field must match the URL that is used to access CA Privileged Access
Manager.
The Microsoft Certificate Import correctly installs the certificate when choosing the
automatic selection of the certificate store.
Because the certificate is a root certificate, an extra Security Warning is displayed.
This warning can be safely bypassed.
b. Enter information for the fields as identified in the table. Do not use special characters.
Field: Description
Type: As noted in procedure.
Key Size: 1024 or 2048. Default: 1024. Select 2048; 1024-bit RSA keys are no longer considered
adequate (NIST SP 800-131A disallowed them for signature generation after 2013).
Common Name: Set the DNS name or IP address of CA Privileged Access Manager in the certificate
request. (This field maps to the CN field of the X.509 certificate.)
Country: Set the country of the certificate request. (This field maps to the C value, the two-letter
country code.)
State: Set the state of the certificate. (This field maps to the ST value, the State designation.)
City: Set the city of the certificate. (This field maps to the L value, the Locality or city
designation.)
Organization: Set the organization (typically a company or agency name) of the certificate. (This
field maps to the O value, the Organization designation.)
Org. Unit: Set the organizational unit name (typically a subdivision or location of the
Organization) for the certificate. (This field maps to the OU value, the Organizational Unit
designation.)
Days: Set the validity period. The current CA Privileged Access Manager appliance date becomes the
"Not Valid Before" date for the certificate; the "Days" field then determines the "Not Valid After"
date. Only used for self-signed certificates.
Alternate Subject Names: Optional setting, but required if more than one address is to be used: list
FQDN and IP address aliases to the Common Name, one per line. This list must include the Common
Name. Notes: Do not add a newline (line feed) after the last entry. Refer to: X.509 Subject
Alternative Name.
Filename: Create a name for the certificate. Note: This is also the name of the private key that is
generated. It must exactly match the name of the certificate when uploaded.
2. In the Pick a file drop-down list of the Download Certificate or CSR panel, select the filename
of the CSR you created, and click Download.
This *.pem (PEM) file is used to request a certificate from a third party Certificate Authority
(CA) such as VeriSign. An advantage to this approach is that users do not have to install root
certificates because the third party validates the site and already has a trust relationship with
the browser.
3. Follow instructions from the chosen third-party CA (certificate authority) and receive a
certificate.
4. As necessary, rename the certificate received from the third party so that:
a. Its base name is the same as the one that was originally generated.
ii. Certificate with Private Key if the CSR was not generated by CA Privileged
Access Manager
Field: Description
Type: As noted in procedure.
Other Options: Select whichever format is applicable (PKCS 11 or X.509) for the certificates to be
uploaded.
Filename: As noted in procedure.
Dest. Filename: Can be used to change the filename of the certificate. Can be left blank if the
name stays the same. Note: If CA Privileged Access Manager generated the CSR, the Destination
Filename must match the name of the CSR so that the certificate is paired with its private key.
Passphrase / Confirm [Passphrase]: Enter the passphrase, then re-enter it in Confirm, when one is
required. Note: A passphrase is required when the file delivered by the third-party CA is
passphrase-protected, for example a bundle that includes the private key.
b. Click Verify Certificate to ensure that CA Privileged Access Manager accepts the
certificate.
Either a confirmation phrase or error message is provided at the top of the page.
a. After certificate confirmation, select Accept Certificate to stage the new certificate for
activation (following a reboot).
8. After reboot, return to the Security page. To the right of System Certification, the newly
activated certificate name appears.
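The two identity rules above (the Common Name must match the FQDN or IP address in the URL, and the Alternate Subject Names list must repeat the Common Name, one entry per line with no trailing newline) are easy to get wrong and only show up later as browser warnings. The following Python script is an added example, not part of the CA Privileged Access Manager documentation or product: it validates the text you would type into the Alternate Subject Names field and reproduces the name check a browser performs against the certificate, which consults the SAN list when one is present and falls back to the Common Name only when the certificate has none (RFC 6125). The hostname pam.example.com and the address 192.168.0.2 are constructed for the illustration.

```python
"""Identity checks for a CA PAM server certificate (added example, not CA PAM code).

check_san_field()  validates an Alternate Subject Names field value against the
                   rules on this page.
hostname_matches() reproduces the browser's name check: SAN entries when present,
                   otherwise the Common Name (RFC 6125).
All names and addresses are constructed for illustration.
"""
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_fqdn(value):
    """Fully qualified name: at least two valid labels and a non-numeric last label."""
    if not value or len(value) > 253 or value.endswith("."):
        return False
    labels = value.split(".")
    return (len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit())


def check_san_field(text, common_name):
    """Return the list of problems in an Alternate Subject Names field value (empty = OK)."""
    problems = []
    if text.endswith("\n"):
        problems.append("trailing newline after the last entry")
        text = text.rstrip("\n")
    entries = text.split("\n")
    if common_name not in entries:
        problems.append("list does not include the Common Name %r" % common_name)
    for entry in entries:
        if not (is_ipv4(entry) or is_fqdn(entry)):
            problems.append("%r is neither an FQDN nor an IPv4 address" % entry)
    if len(set(entries)) != len(entries):
        problems.append("duplicate entries")
    return problems


def _dns_match(host, pattern):
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        # RFC 6125: a wildcard only in the leftmost label, matching exactly one label.
        h_labels, p_labels = host.split("."), pattern.split(".")
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    return host == pattern


def hostname_matches(requested, common_name, san_entries):
    """True if the certificate identifies the host named in the URL.

    With a SAN list present only the SAN entries count; the Common Name is used
    only when the certificate carries no SAN. That is why the SAN list entered
    on this page must repeat the Common Name.
    """
    names = list(san_entries) or [common_name]
    if is_ipv4(requested):
        wanted = ipaddress.IPv4Address(requested)
        return any(is_ipv4(n) and ipaddress.IPv4Address(n) == wanted for n in names)
    return any(_dns_match(requested, n) for n in names if not is_ipv4(n))


if __name__ == "__main__":
    cn = "pam.example.com"                      # constructed appliance name
    san = ["pam.example.com", "192.168.0.2"]    # constructed SAN list, CN included
    print(check_san_field("pam.example.com\n192.168.0.2", cn))
    print(hostname_matches("192.168.0.2", cn, san))
    # SAN list that omits the CN: opening the appliance by IP address fails.
    print(hostname_matches("192.168.0.2", "192.168.0.2", ["pam.example.com"]))
```

The last call shows why the list must include the Common Name: a certificate whose SAN list names only pam.example.com is rejected when the appliance is opened by its IP address, even when that address is the Common Name.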
Caution
Verify that your IP address allocation does not conflict with what is configured by default
for SSL VPN (10.8.0.0/16).
Workaround: If there is a conflict with your existing network, change the SSL VPN address
space to an unused netblock. The smallest subnet that is permitted is a /29.
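As an added example (not from the CA Privileged Access Manager documentation), the following Python script performs the check the Caution asks for: it tests a candidate SSL VPN address space against the networks a site already routes and rejects any pool smaller than a /29. The site networks in it are constructed for illustration; the default pool 10.8.0.0/16 and the /29 minimum are the values stated above.

```python
"""SSL VPN address-space conflict check (added example, not CA PAM code)."""
import ipaddress

DEFAULT_VPN_POOL = ipaddress.ip_network("10.8.0.0/16")   # appliance default
SMALLEST_VPN_POOL_PREFIX = 29                             # /29 is the smallest permitted


def vpn_pool_conflicts(site_networks, pool=DEFAULT_VPN_POOL):
    """Return the site networks that overlap the VPN pool (empty list = no conflict)."""
    pool = ipaddress.ip_network(pool)
    return [str(n) for n in map(ipaddress.ip_network, site_networks) if n.overlaps(pool)]


def choose_vpn_pool(site_networks, candidates):
    """Pick the first candidate that is a permitted size and overlaps nothing in use.

    Returns the pool as a string, or None if no candidate qualifies.
    """
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        if net.prefixlen > SMALLEST_VPN_POOL_PREFIX:   # /30 and smaller are rejected
            continue
        if not vpn_pool_conflicts(site_networks, net):
            return str(net)
    return None


if __name__ == "__main__":
    # Constructed site: it already uses all of 10.0.0.0/8, so the default pool conflicts.
    site = ["10.0.0.0/8", "192.168.0.0/24"]
    print(vpn_pool_conflicts(site))
    print(choose_vpn_pool(site, ["10.9.0.0/16", "172.16.250.0/30", "172.16.250.0/29"]))
```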
Note
This connection method requires the installation of a device driver and VPN Ethernet
adapter on the client computer. Use this method only when the application is not able to
use the default method.
Split Tunneling
"Split tunneling" occurs when a user connected through the VPN to an internal network can also reach
the public network directly. By default, split tunneling is disabled. This is the best-practice
setting for users connecting to the internal network, as it protects them from external attacks.
However, sometimes, as when using CA Privileged Access Manager with Citrix Access Gateway, split
tunneling is required for communication to pass correctly.
Routing Configuration
When using the SSL VPN, user traffic leaving CA Privileged Access Manager has an IP address as
defined in the Virtual Network pane of the SSL VPN Configuration panel. This network must be
configured to use the CA Privileged Access Manager IP address as the default gateway to reach the
defined network.
Client Installation
At each User computer, you must install an SSL VPN client.
You might need to wait a few moments before download begins. CA Privileged Access Manager is
determining the appropriate file for your local OS.
Configure Backups
CA Privileged Access Manager administrators can schedule a backup that saves both the Database and
the Configuration files at the same time. The files are offloaded to an external server running an
SFTP or SCP service. CA Privileged Access Manager authenticates to that server with SSH public key
authentication (the SSH transport encrypts the transfer) and requires a non-interactive login.
More Information
Best Practices
Schedule the database for backups as soon as possible. Make them as frequently as practical so that
it is available in case emergency recovery is needed.
1. Open the Database Backup Scheduler by selecting: Config, Schedule Backup, Save Configuration and
Database or Reset Database, Schedule Backup.
In the Database Backup Scheduler panel, the Current schedule pane will, by default, indicate
"None": This means that no scheduled backup is performed. When configured however, the
Current Schedule pane displays the Month, Day, Weekday, and time of the active scheduled
backup.
b. Copy these key files to the destination server, into the home directory of the user account
that CA Privileged Access Manager uses to authenticate.
i. Import (append) the contents of the CA Privileged Access Manager key files into that
user's authorized_keys file. NOTE: If an authorized_keys file does not exist, create one for
this purpose.
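The appliance's key only needs to write backup files, so the authorized_keys entry on the destination server should allow nothing more. The following Python script is an added example, not part of the CA Privileged Access Manager documentation: it builds a restricted authorized_keys line (usable only from the appliance address, no shell, PTY or forwarding, every session forced into the SFTP subsystem) and appends it to the backup user's file without duplicating it on repeated runs, with the 0700/0600 permissions sshd requires. The key line and the appliance address 192.168.0.10 are constructed placeholders; the real key material is in the files exported in step (b). The option names from=, restrict and command= are standard OpenSSH authorized_keys options (restrict needs OpenSSH 7.2 or later).

```python
"""Least-privilege authorized_keys entry for the appliance backup key (added example)."""
import os
import stat
import tempfile

# Constructed placeholder, not a real appliance key: the blob is not a valid key.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder= capam-backup"


def authorized_keys_entry(pubkey_line, appliance_addr):
    """Build one authorized_keys line that only allows SFTP from the appliance.

    from=ADDR             the key is usable only from the appliance's address
    restrict              no PTY, no port/agent/X11 forwarding, no user rc
    command=internal-sftp every session is forced into the SFTP subsystem, so the
                          key cannot open a shell or run scp
    """
    parts = pubkey_line.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
        raise ValueError("not an OpenSSH public key line")
    key_type, key_blob = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else "ca-pam-backup"
    options = 'from="%s",restrict,command="internal-sftp"' % appliance_addr
    return "%s %s %s %s" % (options, key_type, key_blob, comment)


def install_backup_key(home_dir, pubkey_line, appliance_addr):
    """Append the restricted entry to ~/.ssh/authorized_keys once and fix permissions.

    sshd ignores an authorized_keys file that is group- or world-writable, or
    that sits in such a directory, so the directory is 0700 and the file 0600.
    Returns the entry written.
    """
    entry = authorized_keys_entry(pubkey_line, appliance_addr)
    ssh_dir = os.path.join(home_dir, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [line.rstrip("\n") for line in f]
    if entry not in existing:            # a second run must not duplicate the key
        with open(path, "a") as f:
            f.write(entry + "\n")
    os.chmod(path, 0o600)
    return entry


def authorized_keys_mode(home_dir):
    """Permission bits of authorized_keys, for checking after installation."""
    path = os.path.join(home_dir, ".ssh", "authorized_keys")
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_install():
    """Install the sample key twice into a fresh temporary home and report the result."""
    home = tempfile.mkdtemp()
    entry = install_backup_key(home, SAMPLE_KEY, "192.168.0.10")
    install_backup_key(home, SAMPLE_KEY, "192.168.0.10")   # idempotent: still one line
    with open(os.path.join(home, ".ssh", "authorized_keys")) as f:
        lines = f.read().splitlines()
    return {"entry": entry, "lines": lines, "mode": authorized_keys_mode(home)}


if __name__ == "__main__":
    print(demo_install())
```

Because the forced command is internal-sftp, configure the appliance backup for SFTP rather than SCP when you use this entry; an scp request from the appliance would be refused.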
Important
Physical Appliance
This page provides two buttons that allow an administrator to:
The physical power switch on the appliance remains in the "on" position
The GUI screen appears "frozen," as it does not update (beyond an initial "Powering down"
acknowledgment) or disappear.
Reboot Appliance – shuts down, and then reboots, the appliance remotely.
Instead of Reboot Appliance, you can Reboot Instance. (This is equivalent to Instance Action,
Reboot in the AWS Management Console.)
Important
When preparing a diagnostics package, use these functions only under the direction of CA
Technologies Support staff.
Diagnostics
System Diagnostic
The System Diagnostic tool gathers information about specific CA Privileged Access Manager file
versions. The tool provides a listing of filenames, showing the dates they were modified and their file
versions. To run the system diagnostic, follow these steps:
2. Save the file in a location accessible to the CA Privileged Access Manager appliance.
System Monitor
The System Monitor tool provides encrypted output of system diagnostics information.
System Diagnostics
This panel is to be used with the aid of CA Technologies Support. If Support asks for System Log Files,
use the button in this panel to download them. If core dumps are being collected, they are contained
in this download.
SPFD Logs
Click Download SPFD Log File to save the log for the service provider daemon for this appliance to
your local client access computer.
Tomcat Logs
Click View recent entries to open a dialog showing recent unfiltered log entries. Click Download
Tomcat Log File to save the Credential Management "catalina.out" logfile for this appliance to your
local client access computer. Use the drop-down list to filter by log level, such as "Warning."
Applet Debugging
This panel is to be used with the aid of CA Technologies CA Privileged Access Manager Support.
Note
Log files can grow rapidly if you set the log level to "Debug." Restore it to a lower level as
soon as practical. Monitor the disk usage ("System Info"), and if it is high, reboot CA
Privileged Access Manager. Rebooting will clear these logs.
Maintenance Mode
Maintenance Mode provides a way to prevent new CA Privileged Access Manager logins so that an
administrator can perform configuration changes. These changes might otherwise disrupt or be
disrupted by user activity. This mode can simply be toggled on or off.
When a user who is not a Global Administrator tries to log in to CA Privileged Access Manager while
in Maintenance Mode, the user sees an updated login page displaying an error message: "This CA
Privileged Access Manager is in maintenance mode. Only admin level users can log in."
Note
Although new logins are prevented, current user logins are not disconnected at the time
Maintenance Mode is set. The administrator might, for example, send an email requesting
currently connected users log out, or when necessary, force disconnections through the
Sessions, Manage Sessions interface. Maintenance Mode also does not disable the
Credential Manager CLI.
Performance Graphs
CA Privileged Access Manager activity can be graphed for the following dimensions by clicking Turn
graphing on. Graphs take about 20 minutes to appear.
CPU Utilization
Tools
On the Config menu, on the Tools page, CA Privileged Access Manager provides network diagnostic
tools. Use these tools to check device connectivity and troubleshoot communication from the CA
Privileged Access Manager appliance. Test networking with the standard ping, traceroute, DNS
resolution, and port scan. These settings define attributes to provisioned objects such as Users,
Devices, and passwords, but are not derived from or attached to any specific objects.
Reflected cross-site scripting attacks, when the browser fails to block them.
Persisted cross-site scripting attacks (where a script is stored in the database or logs and later
played back to an unsuspecting user who logs in to CA Privileged Access Manager).
If CA Privileged Access Manager is blocking excessive events that are known not to be XSS attacks,
disable cross-site scripting attack checking and contact CA Support.
To identify requests that are being blocked, search the session logs for the following message:
Preventing Cross Site Scripting Attempt
1. Log in to the CA Privileged Access Manager Server Web UI or the CA Privileged Access
Manager Client.
The CA Privileged Access Manager Administration menu Global Settings tab contains options that
provide for customization of how CA Privileged Access Manager functions for all Users and Devices.
This tab invokes the Global Settings, Configure page, which has several sections that allow
customization of global user policies such as timeouts, passwords, access methods, and terminal
settings.
To save the settings, select the Save Global Settings button at either the top or the bottom of the
screen. The screen refreshes to display the updated configuration and the 'Configurations updated'
text appears on the screen. The login page has a non-configurable timeout of 3 minutes. This time is
for the life of the page itself, not the Login Timeout setting measuring logged-in idle time. After that
time, the page must be refreshed before CA Privileged Access Manager accepts a login.
Passwords
For Local users, the password characteristics can be customized by changing these fields. Other
authentication method password policies are enforced by their infrastructure and CA Privileged
Access Manager cannot control them. Unlike other accounts, the super account never expires and is
not deactivated even when the password failures limit is exceeded.
Warnings
Two optional warning messages can be applied to users. They can be customized to reflect individual
company policies. The License Warning box scrolls to accommodate a long message. Upon selecting
the checkboxes, you are provided with editing boxes.
Applet Customization
The Applet Customization pane allows specification (for all users and all devices) of the default
terminal display characteristics for Telnet and SSH applets, and a switch to allow or disallow copy-and-
paste text buffering.
An administrator can override the defaults on a device basis by changing the Terminal Type, Key
Mapping, and Xceedium Terminal Customization settings for individual devices.
A user can override the defaults by changing the Xceedium Terminal Customization under the
My Info button.
After you make a connection, you can still add a drive by using the interface provided by the applet
window.
Access Methods Settings (see page 114)
Branding (see page 115)
Set the access methods that CA Privileged Access Manager can perform when available for, and
allowed by a particular user policy on a particular device. If you do not use Telnet, for instance, you
can clear it to disable CA Privileged Access Manager from allowing any Telnet sessions.
The set of Access Methods available and shown depends upon which license the CA Privileged Access
Manager appliance is using. If it is a mainframe license, the TN* applets are available. Otherwise,
those applets are not available, and do not appear as options here. Here are some typical Access
Methods, which are grouped by category:
Branding
A custom logo for your organization can be used in the CA Privileged Access Manager GUI in place of
the CA Technologies logo. Browse to the desired logo graphics file to stage it in the Upload Custom
Logo field and click Save Global Settings (at either the center top or bottom of page).
Roles are assigned to Users and User Groups during their creation and editing. See Provisioning Users
(see page 213) for more information.
Note
The predefined Auditor role allows read-only access to settings on the Global Settings
page.
List of Privileges
In addition to the set of Predefined Roles that are described, administrators can also create Custom
Roles. A Role is constructed by selecting from a list of Privileges, described in the following table.
Privilege Name; Category / Definition: the Privilege named at left allows a Role that has it to:
Standard User
Roles (table columns): Administrative Auditor; Auditor; Autodiscovery; Configuration Manager;
Delegated Administrator; Device/Group Manager; Global Administrator; Global Setter; Monitor;
Operational Administrator; Password Manager; Policy Manager; Service Manager; Session Manager;
Standard User; Troubleshooter; User/Group Manager.
Privileges (table rows), each followed by one √ per Role that holds it (the marks are listed in
row order; the column each mark belongs to is not recoverable from this copy):
accessAll: √ √ √
manageAll: √ √ √
monitorAll: √ √ √
sessionRead: √ √ √
sessionManage: √ √ √
overviewRead: √ √ √
toolsAll: √ √ √
loggingAll: √ √ √
sessionRecordingRead: √ √ √
globalSettingsRead: √* √ √ √ √
globalSettingsManage: ** √ √ √ √
servicesRead: √ √ √ √
servicesManage: √ √ √
servicesDelete: √ √ √
usersRead: √ √ √ √ √
usersManage: √ √ √ √
usersDelete: √ √ √ √
usersAssign: √ √ √ √
userGroupRead: √ √ √ √ √
userGroupUpdate: √ √ √ √
cacUserApproval: √ √ √ √
socketFilterAgentRead: √ √ √ √ √ √
socketFilterAgentDelete: √ √ √ √ √
devicesRead: √ √ √ √ √
devicesManage: √ √ √ √
devicesDelete: √ √ √ √
devicesAssign: √ √ √ √
deviceGroupRead: √ √ √ √ √
deviceGroupUpdate: √ √ √ √
policyRead: √ √ √ √ √
policyManage: √ √ √ √
socketFiltersRead: √ √ √ √ √
socketFiltersManage: √ √ √ √
commandFiltersRead: √ √ √ √ √
commandFiltersManage: √ √ √ √
policyImport: √ √
policyExport: √ √
configurationManage: √ √
rolesRead: √ √ √
autodiscovery: √ √ √
credentialsManage: √ √ √
Auditors have read-only access to Global Settings to inspect settings that have impact on log data.
Provisioning is, for CA PAM purposes, about the management of connections. A network is composed
of computational devices that have various users. The point of this management is to monitor,
control, and track, in various ways, these users' access to these devices.
Thus, the baseline-managed objects in CA PAM are devices and users. A policy is the relationship
between a device (or device group) and a user (or user group). In other words, a policy is the
specification of what each user is permitted to do with each device. It can also capture (in recordings)
all that the User does with the device, permitted or not.
CA PAM provisioning starts with device definition. CA PAM is licensed by device, and the type of each
device determines the provisioning path to its definition. CA PAM users access devices in various
ways. The rules governing the relationships between users and devices constitute policies.
Provisioning Overview (see page 121)
Summary of Device Access Provisioning (see page 122)
Summary of Credential Manager Provisioning (see page 124)
Provisioning Devices (see page 126)
Provisioning Users (see page 213)
Provisioning Policy for Users/Devices (see page 236)
Provisioning Overview
We recommend that you perform provisioning, and configuration that is directly related to
provisioning, in the following order. Configure the Global Settings first: These circumscribe available
options or create default settings for User accounts, Access Methods, and Terminal Customization.
1. Configure the following User parameters before provisioning any managed objects:
Global Settings
User Roles
3. Provision Services for Devices – These objects instruct CA Privileged Access Manager to invoke
communication applications resident on a local user computer or use prepackaged [S]FTP or TS
Web, and provide them with destination configuration, sometimes including auto-login
credentials. This category also includes RDP applications, SSL VPN, and web portals.
4. Provision Filters for Devices – Two methods are available to screen device access:
Command Filter – prevents commands (that you specify) from executing. (These filters do
not have to be provisioned early in the order.)
5. Provision Access Methods for Devices – These applets are downloaded from the appliance to
a user computer. They support several popular graphical and CLI protocols (for example, RDP
and SSH), and AS/400 mainframe (TN3270 and others), and out-of-band protocols.
6. Provision Devices and Device Groups – set up the CA Privileged Access Manager Device
records that point to actual devices. Complete provisioning of CA Privileged Access Manager
Devices requires prior specification of the Services and Access Methods that are used to
communicate with them.
8. Provision Users and User Groups – set up the CA Privileged Access Manager User records that
represent their human users and their roles. You can determine which and how many Users
are required, based on which Device resources require User access, and of what kind.
9. Provision Policy – specifies which managed objects are available to which Users, for what
purposes, and what type of controls are applied. Complete provisioning requires prior
complete specification of Devices and Users.
Global Settings
Access Methods (see below) – global switches determining which CA Privileged Access
Manager applets are available
CA Privileged Access Manager Socket Filter Agents on devices that use Socket Filters (see
below)
Specification relies on your local network composition; you might need to obtain and
deploy non-CA Technologies software.
Command Filter – Prevents commands (that you specify) from executing. (These do not
have to be provisioned early in the order.)
5. Provision Access Methods – These CA Privileged Access Manager applets are downloaded
from the product appliance to the computer of the user. They support several popular
graphical and CLI protocols (for example, RDP and SSH), AS/400 mainframe (TN3270 and
others), and out-of-band protocols.
You can determine which and how many Users are required, based on which Device
resources require User access, and of what kind.
8. Provision Policy – Specifies which managed objects will interwork. Complete provisioning
requires prior complete specification of Devices and Users.
Provisioning of a Device managed object, of type Password Management, representing the target
server hosting the target account bearing that password.
Association to that Device of the target application in which that account is defined.
Association to that Device and target application of the target account itself.
Typically, there are specific complexity requirements for passwords, specific rules on how and when
the password can be retrieved, and rules governing who can view password-related data.
A2A Provisioning
Request scripts are applications that require credentials for target accounts that have been
provisioned on Devices of type Password Management. These scripts request the managed
credentials by way of the A2A Client, which runs on a request server. This request server is – like a
target server – a CA Privileged Access Manager Device, and its Device type is A2A.
Because the A2A Client is not part of the CA Privileged Access Manager appliance and must be
installed on a host in the customer's environment, the process for A2A provisioning consists of steps
executed on the A2A Client host and on the CA Privileged Access Manager appliance.
1. Prepare Devices of type Password Management (as described in the previous section) that
host target accounts for use by request servers.
3. Using the CA Privileged Access Manager GUI, integrate the A2A Client with the CA Privileged
Access Manager server.
Verify that the A2A Client has registered with the CA Privileged Access Manager server as
a Device of type A2A.
5. Using the CA Privileged Access Manager GUI, integrate the request server with the CA
Privileged Access Manager server.
Target Groups – A target group is a collection of target servers, target applications, or target
accounts that meet specific filter criteria – for example, this filter could be the string "London" in
the Descriptor2 field.
Credential Manager User Groups – A Credential Manager user group is a collection of one target
group, one requestor group, and one Credential Manager role.
NOTE If the Target Group is not specified, then members of this group do not have access to any
target servers, target applications, or target accounts. If the Request Group is not specified, then
members of this group do not have access to any clients or scripts.
IMPORTANT Do not confuse Credential Manager User Groups with CA Privileged Access Manager
User Groups.
A CA Privileged Access Manager User Group is:
Listed on the Users, Manage Groups page, and created/edited from a template opened on that
page.
Listed on the Policy, Manage Passwords >> Groups, User Groups page, and created/edited from a
template opened on that page.
Can be assigned to a CA Privileged Access Manager User that has a CA Privileged Access Manager
Role with the "credentialsManage" privilege. Once a CA Privileged Access Manager user has the
credentialsManage privilege, the user can be assigned a Credential Manager group on the User
template on the Users, Manage Users page, where a "PM Group" pull-down menu is presented.
Preset CA Privileged Access Manager Roles with the credentialsManage privilege include:
Global Administrator
Operational Administrator
Password Manager
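To illustrate how a Role is built as a set of Privileges and how the credentialsManage rule above is checked, here is an added Python example (not product code). Privilege and role names are taken from this page; which privileges each preset role holds is a constructed assumption except where the page states it (credentialsManage for the three roles listed, read-only Global Settings for Auditor).

```python
"""Constructed example: CA PAM-style Roles built from a list of Privileges.

Privilege and role names come from the documentation. Which privileges
each preset role holds is a constructed assumption, except where the text
states it: credentialsManage for Global Administrator, Operational
Administrator and Password Manager, and read-only Global Settings for the
Auditor role.
"""
from dataclasses import dataclass

# The List of Privileges (row labels of the documentation's table).
PRIVILEGES = frozenset({
    "accessAll", "manageAll", "monitorAll", "sessionRead", "sessionManage",
    "overviewRead", "toolsAll", "loggingAll", "sessionRecordingRead",
    "globalSettingsRead", "globalSettingsManage",
    "servicesRead", "servicesManage", "servicesDelete",
    "usersRead", "usersManage", "usersDelete", "usersAssign",
    "userGroupRead", "userGroupUpdate", "cacUserApproval",
    "socketFilterAgentRead", "socketFilterAgentDelete",
    "devicesRead", "devicesManage", "devicesDelete", "devicesAssign",
    "deviceGroupRead", "deviceGroupUpdate",
    "policyRead", "policyManage",
    "socketFiltersRead", "socketFiltersManage",
    "commandFiltersRead", "commandFiltersManage",
    "policyImport", "policyExport", "configurationManage",
    "rolesRead", "autodiscovery", "credentialsManage",
})


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset


def unknown_privileges(privileges):
    """Names in `privileges` that are not in the privilege list, sorted."""
    return sorted(set(privileges) - PRIVILEGES)


def make_role(name, privileges):
    """Build a Role from the privilege list, rejecting unknown names.

    A custom Role is constructed only from the list, so a misspelt or
    spaced name (e.g. "credentials Manage") is an error rather than a
    silently empty grant.
    """
    bad = unknown_privileges(privileges)
    if bad:
        raise ValueError(f"unknown privilege(s) for role {name!r}: {bad}")
    return Role(name, frozenset(privileges))


# Constructed preset roles (assumed privilege sets; see module docstring).
ROLES = {r.name: r for r in (
    make_role("Global Administrator", PRIVILEGES),
    make_role("Operational Administrator", {
        "devicesRead", "devicesManage", "usersRead", "usersManage",
        "policyRead", "policyManage", "globalSettingsRead",
        "globalSettingsManage", "credentialsManage"}),
    make_role("Password Manager", {
        "devicesRead", "usersRead", "credentialsManage"}),
    make_role("Auditor", {
        "globalSettingsRead", "loggingAll", "sessionRead",
        "sessionRecordingRead", "overviewRead"}),
    make_role("Standard User", {"accessAll", "overviewRead"}),
)}


def has_privilege(role, privilege):
    return privilege in role.privileges


def can_assign_pm_group(role):
    """A Credential Manager (PM) group can be assigned to a User only when
    the User's Role carries the credentialsManage privilege."""
    return has_privilege(role, "credentialsManage")


def global_settings_access(role):
    """Classify a Role's access to the Global Settings page."""
    if has_privilege(role, "globalSettingsManage"):
        return "manage"
    if has_privilege(role, "globalSettingsRead"):
        return "read-only"
    return "none"


def roles_with(privilege):
    """Names of the defined Roles that hold `privilege`, sorted."""
    return sorted(r.name for r in ROLES.values() if has_privilege(r, privilege))


if __name__ == "__main__":
    print("credentialsManage:", roles_with("credentialsManage"))
    print("Auditor on Global Settings:", global_settings_access(ROLES["Auditor"]))
```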
Provisioning Devices
A Device is a CA Privileged Access Manager-managed, IP-addressable network node that is the
potential access or password target of a CA Privileged Access Manager User (as defined above).
Devices are displayed, defined, and otherwise managed through the Devices menu on the CA
Privileged Access Manager menu bar.
A device that serves a CA Privileged Access Manager system is not necessarily an access target in that
system. For example, a RADIUS authentication server or syslog storage that provides resources to CA
Privileged Access Manager – but is managed by external administrators – is not listed or managed as
a CA Privileged Access Manager Device. However, the attributes of that device are specified in the
appliance configuration settings.
About Devices (see page 127)
Device Features (see page 130)
Device Discovery (see page 136)
Device Setup (see page 140)
Device Group Setup (see page 152)
Device and Device Group Management (see page 159)
Device viewing (see page 160)
About Access Setup (see page 162)
Set up Socket Filter Agents (see page 178)
Set up Command Filters (see page 189)
Set up Transparent Login (see page 194)
Set Up the AWS API Proxy (see page 212)
About Devices
A Device is the CA Privileged Access Manager representation of a CA Privileged Access Manager-
managed, IP-addressable network node. A Device is a potential target for access or password
management by a CA Privileged Access Manager User. It is a potential request server in an A2A
system. Devices are displayed, defined, and otherwise managed through the Devices menu on the CA
Privileged Access Manager Administration menu bar.
Note
A device that serves a CA Privileged Access Manager system is not necessarily an Access or Password
Management target in that system. For example, a RADIUS authentication server or syslog server that
provides resources to CA Privileged Access Manager – but that is not an access target – is not listed or
managed as a CA Privileged Access Manager Device, even while it is specified in product configuration
settings.
Access to Devices
CA Privileged Access Manager enables secure access to devices. It does not allow connection to any
device until it has been approved at the device level. To complete this approval, access methods must
be chosen. You can choose them when you initially create the device, when you finish edits before
access is enabled, or when you change the methods of an existing device.
Access Types
Use a local software installation; for example, PuTTY can be available to implement SSH.
Establish a console.
Monitoring Devices
Monitoring allows the administrator to know which physical devices are available for certain types of
communication, or whether an unknown communication problem is based at that device. CA
Privileged Access Manager provides protocol-based device monitoring.
The privileged user - A person with a high-level responsibility for a target device or target
application, and who uses a shared, centrally stored password for access to a master or otherwise
high-privilege target account.
A request script - A script or application that requires a centrally stored password login to an
application using a high-privilege account.
From these users and their actions, two device-oriented activities can be identified:
CA Privileged Access Manager Password Management manages target devices that process or
consume submitted passwords. Privileged users interact with target devices, and
CA Privileged Access Manager A2A manages requestor-hosting devices that obtain passwords
(through CA Privileged Access Manager) and submit them to targets.
These device-oriented activities, and other non-device activities (such as managing the viewing of
passwords), come under the umbrella of CA Privileged Access Manager Credential Manager.
Device Types
From these features come these Device types, each with separate functionality and licensing:
Access Devices
A2A Devices
Grouping
The provisioning and management of Devices are made easier by relying on mechanisms that allow
two varieties of group treatment:
Device Groups – These objects provide for inheritance of Device attributes from the group to its
members.
Tags – These Device attributes allow a potentially large number of arbitrary labels to be assigned
for any particular device, and shared across many devices. The labels can then be filtered to
identify sets of sharing devices.
Device Features
Device Types
Devices in CA Privileged Access Manager are categorized into three types. A Device object can
represent any physical device logically using one or more of these types:
Device Licenses (on Licensing page):
PasswordDevice – Device for which passwords are managed (pushed from CA Privileged Access
Manager) (identified by the label "Password Management" in Global Settings and in a Device
template)
A2ADevice – Device running application clients that connect to CA Privileged Access Manager to
retrieve passwords (identified by the label "A2A" in Global Settings and in a Device template).
A Device Type license permits a maximum number of Devices for each Device Type. The maximum
number and the current count of each Device Type appear on the Access Dashboard under License
Usage. The same numbers also appear on the Sys Info dialog.
Session Management license – for an Access Device (can co-exist with Credential Manager
Device)
Credential Manager license – for a Credential Manager Device (can co-exist with Access Device)
Access Types
CA Privileged Access Manager enables secure access to devices. It does not allow connection to any
device until it has been approved at the device level. To complete this approval, access methods must
be chosen. You can choose them when you initially create the device, when you finish edits before
access is enabled, or when you change the methods of an existing device.
Prepackaged - Standard access methods that are used by most administrators have been built as
Access Method applets and do not require any additional software to be installed on a user
desktop.
Custom - In addition to the default applet access, virtually any connection application can be
configured to allow access by configuring local CA Privileged Access Manager Services.
Access Methods
CA Privileged Access Manager provides several prepackaged Access Method applets, with support for
VNC, TELNET, SSH, RDP, and serial connections. Default ports can be modified if the application is
running on a different port from the one indicated.
Telnet - Administrators often use this tool to connect to UNIX hosts running the TELNET daemon.
SSH - Secure Shell protocol. The SSH applet connects to servers running the SSH daemon and
does not require the client end user to have SSH client software such as Putty loaded.
RDP - RDP (Remote Desktop Protocol) is an access method for connecting to Microsoft Terminal
Services and is commonly used for administration of Windows servers. The RDP applet is
optimized to take advantage of RDP 6.x compression types, with noticeable reductions in file size
in comparison with RDP 5.2.
Important
RDP remote device usernames are not prepopulated from CA Privileged Access Manager
login usernames. Instead, the CA Privileged Access Manager User can populate this name
through a field on the My Info page.
Important
TLS levels - As of release 2.6, the RDP client (the applet) supports TLS 1.2 connections and
supports the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite.
XRDP - The CA Privileged Access Manager RDP client applet can also be used to connect with an
XRDP server running on a managed Linux Device.
OOB Applets
For Out of Band access under the Manage screen, KVM, serial console, and power are available. CA
Privileged Access Manager adds a layer of security to the out of band devices by allowing user access
to only certain servers.
KVM - KVM captures the keyboard, video, and mouse signals and converts them into packets
allowing remote console access to administrators.
Serial - Serial console is used for the administration of network equipment and Unix servers.
Because it does not rely on IP connectivity, operations such as upgrades can be performed
without loss of connectivity.
Power - This enables administrators to control the power of intelligent-power remote devices.
Mainframe Applets
TN3270 and TN5250 are Telnet clients for the IBM AS/400 that emulate 5250 terminals and printers.
SSL versions are available to provide SSL/TLS support.
NOTE Support for AS/400-class applet Display Names (TN5250 and TN5250SSL only) is provided on
the My Info page with the Mainframe Display Name field.
Services
Services are a way to customize access to the devices. A CA Privileged Access Manager administrator
can create new services on known ports and to specific applications. These services can include: fat
client access such as SQL query frontends, mainframe clients, or any proprietary applications, which
use TCP or UDP connections.
Prepackaged Services
Services that are prepackaged with CA Privileged Access Manager are identified here.
Important
CA Privileged Access Manager ships with several preconfigured SFTP/FTP Services. These
services currently support several SFTP/FTP servers including OpenSSH-derived Linux, AIX,
and Solaris SFTP implementations. Microsoft IIS SFTP/FTP implementations are also
supported with a known limitation when multiple hard drives are present.
While other FTP servers might be compatible, CA Privileged Access Manager does not test or verify
them. The preconfigured services must be used to track SFTP/FTP activity associated with target
devices as per the compliance requirements of many of our clients. The activity is tracked in CA
Privileged Access Manager session logs. The service names that are suffixed with "emb" provide the
WinSCP client to users without any FTP client application installed. We encourage input on any FTP
servers that appear to be incompatible with our current offering, and consider adding support for
more FTP servers as business needs permit. It is our goal to provide the most comprehensive access
solution for our customers while balancing the need for Access Control and Audit.
Types
sftpftp - With use of an SFTP client, transports files to and from FTP servers.
sftpsftp - With use of an SFTP client, transports files to and from SFTP servers.
sftpftpemb - This service downloads a WinSCP client to the user desktop. WinSCP (Windows
Secure CoPy) is a free and open source SFTP and FTP client for Microsoft Windows.
sftpsftpemb - This service downloads the WinSCP client to the user desktop.
Caution
When running SFTPFTPemb or SFTPSFTPemb, a default option for WinSCP file transfer
causes the resulting file to be partially saved. Change the setting under Preferences, Other
general options: Preferences, Transfer: Endurance, Enable transfer resume/transfer to
temporary filename for. Change the default setting of "Files above: 100KB" to "Disable";
users can then successfully "PUT" files onto the remote server.
RDP Applications
With Microsoft Terminal Services, single target-hosted applications can be published through RDP
instead of allowing access to the entire desktop. This functionality is only available to servers running
Microsoft Terminal Server. On Windows Server 2008, more setup is required.
Credential Manager
Passwords are managed by the CA Privileged Access Manager Credential Manager component. Each
Credential Manager password is uniquely identified, and maintained, after it is registered.
Target Registration
Register both new and updated target accounts in the GUI. Credential Manager divides the target
application registration into four levels:
Target Applications - The target application is a container for all managed accounts of a single
application, such as all privileged users of an Oracle database. A target application contains one or
more target accounts. The target application also defines the connector for password
synchronization, that is, the mechanism for accessing target accounts. The target application is a
conceptual division of the target data. It allows for multiple applications or entities within the
same server to contain the same account user name. For example, if a given server hosts two
databases, then each database is a unique target application, and each database could have a
uniquely identified user account dbasys. Target application names must be unique within a given
Device.
Target Accounts - The target account is the specific set of credentials (that is, user name and
password). Target account user names must be unique for a given target application.
For A2A
Target Aliases - Target aliases provide a mechanism to identify uniquely a specific target account
with an alias name. This alias name is referenced by any requesting application when requesting
credentials. Target aliases provide an extra level of security by eliminating the need to hard-code
the name of privileged accounts.
Password Synchronization
For each target account, you can update the secure Credential Manager database only, or update
both Credential Manager and the target system.
Password synchronization is the process of synchronizing the password stored in Credential Manager
with the same credentials in the target application. When passwords are synchronized, credentials
are pulled from the Credential Manager database to send to the target system, which attempts to
verify the credentials.
For a Windows target account, Credential Manager directs the Password Management Windows
Proxy to perform the password verification and update.
By using password synchronization, you can configure Credential Manager to update the target
account password immediately or on a schedule. If there is an associated password composition
policy, Credential Manager generates a password that meets the policy criteria. You can also update
passwords for a group of target accounts, which then have their password update schedules
synchronized. A compound account allows you to update a series of replicated databases with the
same password, and to keep their passwords synchronized with each other.
When you activate password synchronization, the communication protocol between Credential
Manager and managed Devices depends on the target application type. Every application type has a
corresponding target connector, which implements the communication protocol for that type of
target application.
Target Connectors
The following list describes the target connectors (or application types) supported by Password
Management.
AS400 - Use the AS/400 connector to manage user accounts on AS/400 iSeries IBM midrange
systems.
AWS Access Credentials - This target connector provides a placeholder application for AWS
Access Keys. It can be associated only with the target server xceedium.aws.amazon.com.
Cisco SSH - Use the Cisco SSH connector to manage accounts on a Cisco router. This Cisco SSH
connector uses the SSH or Telnet protocols for communication. The Cisco SSH target connector
supports SSH v2, and not SSH v1.
Junos - Use the Junos connector to manage any Juniper JUNOS® accounts.
LDAP - Use the LDAP connector to manage any accounts that support the OpenLDAP V3 protocol.
Optionally, you can configure the LDAP connector to use LDAP over an SSL connection.
MSSQL - Use the MSSQL connector to manage Microsoft SQL accounts. The MSSQL connector
uses JDBC for communication.
Oracle - Use the Oracle connector to manage Oracle accounts. The Oracle connector uses JDBC
for communication.
SPML - Use the SPML connector to manage any Service Provisioning Markup Language (SPML)
accounts. The UNIX target connector supports SSH v2, and not SSH v1.
UNIX (Advanced) - Use the UNIX (Advanced) connector to manage UNIX-based privileged
accounts. The UNIX (Advanced) target connector allows for greater customization of the earlier
UNIX target connector.
VMWare - This target connector uses WSDL over SSL to support ESX/ESXi target account
password synchronization.
Windows Domain Services - The Windows Domain Services connector and the Windows Proxy
connector both manage Windows accounts. Use the Windows Domain Services connector to
update the password of Active Directory accounts. This connector uses the LDAP interface to
Active Directory to update account passwords. You can also use this connector to update
Windows services and scheduled tasks if the connector communicates with a deployed Windows
Proxy. The connector performs the following activities:
If the domain account is used for a service or scheduled task, it uses one or more Password
Management Windows Proxies to update service or scheduled task credentials and restart
services.
Important
The Active Directory must support secure LDAPS connections (typically on port 636).
The Windows Domain Services target connector does not support unencrypted LDAP
connections, only LDAPS (LDAP over SSL). The "Domain Controller Port (SSL)" field in
the Windows Domain Services application details can be left blank if the LDAPS port is
the default 636. Otherwise, the port must be populated.
Port 389 is often used for unencrypted LDAP. CA Privileged Access Manager does not
synchronize AD target accounts using unencrypted LDAP.
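An added example (not the product's own code) of the pre-save check these rules imply: a blank "Domain Controller Port (SSL)" resolves to the default 636, while port 389 or an ldap:// host is refused because AD accounts are synchronized over LDAPS only. The field layout, hostnames and sample settings are constructed for this example.

```python
"""Constructed example: validate the Windows Domain Services connector's
"Domain Controller Port (SSL)" setting before it is saved.

Rules as the documentation states them: only LDAPS is supported, a blank
port means the default 636, and 389 (plain LDAP) must be refused. The
settings layout, hostnames and sample values below are constructed; they
are not the product's own configuration format.
"""

LDAPS_DEFAULT_PORT = 636
LDAP_PLAIN_PORT = 389


def ldaps_endpoint(domain_controller, port_field=""):
    """Return the ldaps:// URL the connector would use for this target.

    Raises ValueError when the settings would require unencrypted LDAP or
    are otherwise unusable, so the problem surfaces at save time instead
    of as a failed password synchronization later.
    """
    host = (domain_controller or "").strip()
    if not host:
        raise ValueError("domain controller host is required")
    if "://" in host:
        scheme, _, host = host.partition("://")
        if scheme.lower() != "ldaps":
            raise ValueError(f"scheme {scheme!r} not supported; only LDAPS is")
    port_text = (port_field or "").strip()
    if port_text == "":
        port = LDAPS_DEFAULT_PORT   # blank field: the default LDAPS port 636
    elif port_text.isdigit() and 1 <= int(port_text) <= 65535:
        port = int(port_text)
    else:
        raise ValueError(f"invalid port {port_field!r}")
    if port == LDAP_PLAIN_PORT:
        raise ValueError("port 389 is unencrypted LDAP; AD target accounts "
                         "are synchronized over LDAPS only")
    return f"ldaps://{host}:{port}"


def check_connector_settings(settings):
    """Validate a batch of settings: name -> (host, port field).

    Returns name -> endpoint URL, or name -> "REJECTED: <reason>".
    """
    results = {}
    for name, (dc, port) in settings.items():
        try:
            results[name] = ldaps_endpoint(dc, port)
        except ValueError as err:
            results[name] = f"REJECTED: {err}"
    return results


SAMPLE_SETTINGS = {  # constructed sample values
    "default_port_blank": ("dc01.example.test", ""),
    "explicit_636": ("dc01.example.test", "636"),
    "custom_ldaps_port": ("dc02.example.test", "3269"),
    "plain_ldap_389": ("dc01.example.test", "389"),
    "plain_scheme": ("ldap://dc01.example.test", ""),
    "bad_port": ("dc01.example.test", "six-three-six"),
}


if __name__ == "__main__":
    for name, outcome in check_connector_settings(SAMPLE_SETTINGS).items():
        print(f"{name:20} {outcome}")
```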
Windows Proxy - The Windows Proxy connector and the Windows Domain Services connector
both manage Windows accounts. Use the Windows Proxy connector to manage both the
Active Directory and Local Windows accounts, and the passwords for Windows services and
scheduled tasks. This connector uses the Windows APIs to make updates to the account,
services, and scheduled tasks passwords. The connector can optionally query one or more
DNS servers to find domain controllers. The Windows Proxy connector uses HTTPS and AES
encryption for secure communications.
In addition to the provided target connectors, Credential Manager provides a Generic application
type, which permits credential requests. However, Generic applications do not support password
synchronization.
Device Discovery
As a CA Privileged Access Manager administrator, you want to add devices easily. CA Privileged
Access Manager provides a feature that discovers and registers devices. Discovery is an alternative to
manually adding target devices.
To perform discovery of Devices, follow these steps:
1. Select the Device Scan Profiles tab and click the Add button.
2. On the Profile tab, name the profile, and enter an optional description.
3. If you want to put all discovered devices under CA Privileged Access Manager management,
select Auto-manage devices.
4. Select a Default OS from the list in case Discovery does not determine an OS.
5. Purge Interval sets the number of days after which devices discovered by this scan are deleted
(if not also discovered by another profile). The Purge Interval default is set on the Global
Settings page, under Basic Settings, as Scan Purge Interval.
6. Enter an optional Default Location in case Discovery does not determine a location.
7. On the Inclusions tab, identify at least one Target IP Address or one Device Name to include in
the Discovery. You can include multiple of each type of target. Click the appropriate button to
add Inclusions. Once a target type is added, its button displays as an asterisk.
8. The Exclusions tab enables you to specify IP addresses to exclude from the Scan. Use the same
notation as for Inclusions.
9. The Access Methods tab enables selection from Default Access Methods which have been
enabled on the Global Settings page.
10. The Services tab enables you to select Services to scan. These Services are the same Services
(along with their descriptions and port numbers) listed on the Services menu.
11. If Device Groups have been created (see Devices, Manage Groups), you can select them on
the Device Groups tab.
12. The Tags tab allows you to add Tags to the discovered devices. Tags are freeform labels that
are added on the Manage Devices page. If any Tags have been created, they appear in the
Available column. You can add new Tags in Tag Name section below the selection columns.
13. The Target Applications tab lists available application such as SSH, LDAP, and MSSQL. Select
applications to scan from this list.
a. Use the Schedule tab to create an optional schedule. Once you select a frequency,
other fields appear. Select the appropriate time intervals. Click OK to save the Scan
Profile.
b. To run the scan on demand rather than on a schedule, click OK to save it. Select the
Scan Profile from the Scan Profiles list, and click the Run button above the list.
Note
Clicking Delete for a highlighted Device Scan Profile will delete its Device Scan History. It
will also delete any Devices associated with that Profile unless they are associated with
another Profile.
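An added Python model (not the product's data model) of the Purge Interval and profile-deletion rules described above, so that the "unless associated with another Profile" behaviour can be exercised on sample data. Class names, dates and addresses are constructed, and the expiry interpretation stated in the docstring is an assumption.

```python
"""Constructed example: retention rules for discovered Devices.

Models what the documentation says about Device Scan Profiles: a
profile's Purge Interval (defaulting to the Global Settings Scan Purge
Interval) removes devices that profile discovered unless another profile
also discovered them, and deleting a profile removes its Device Scan
History and its Devices under the same "unless" rule. Interpretation used
here (an assumption): each profile's discovery record expires after that
profile's interval, and a device is deleted once no current record
remains. Class names, dates and addresses are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

GLOBAL_SCAN_PURGE_INTERVAL_DAYS = 30  # constructed stand-in for the Global Settings default
PAGE_DATE = date(2017, 2, 17)         # "today" for the sample scenario


@dataclass
class ScanProfile:
    name: str
    purge_interval_days: Optional[int] = None  # None -> Global Settings default
    auto_manage: bool = False                  # the "Auto-manage devices" option

    def effective_purge_interval(self) -> int:
        if self.purge_interval_days is None:
            return GLOBAL_SCAN_PURGE_INTERVAL_DAYS
        return self.purge_interval_days


@dataclass
class DiscoveredDevice:
    address: str
    discoveries: Dict[str, date] = field(default_factory=dict)  # profile -> last seen
    is_managed: bool = False


def record_discovery(devices, profile, address, when):
    """Record that `profile` found `address` on `when`; Auto-manage puts
    the device under management immediately."""
    dev = devices.setdefault(address, DiscoveredDevice(address))
    dev.discoveries[profile.name] = when
    if profile.auto_manage:
        dev.is_managed = True
    return dev


def _has_current_record(dev, profiles, today):
    return any((today - seen).days <= profiles[p].effective_purge_interval()
               for p, seen in dev.discoveries.items())


def purge_expired(devices, profiles, today) -> List[str]:
    """Delete devices whose every discovery record has passed its profile's
    Purge Interval; a device still current under another profile survives."""
    removed = [a for a, d in devices.items()
               if not _has_current_record(d, profiles, today)]
    for address in removed:
        del devices[address]
    return sorted(removed)


def delete_profile(devices, profiles, name) -> List[str]:
    """Delete a Scan Profile: drop its scan history from every device and
    delete the devices that were associated with no other profile."""
    del profiles[name]
    removed = []
    for address, dev in list(devices.items()):
        dev.discoveries.pop(name, None)
        if not dev.discoveries:
            removed.append(address)
            del devices[address]
    return sorted(removed)


def build_sample():
    """Constructed scenario: three profiles, four discovered devices."""
    profiles = {p.name: p for p in (
        ScanProfile("dc-net", purge_interval_days=7),
        ScanProfile("branch"),                 # uses the global default
        ScanProfile("lab", auto_manage=True),
    )}
    devices: Dict[str, DiscoveredDevice] = {}
    record_discovery(devices, profiles["dc-net"], "10.0.0.5", date(2017, 2, 1))
    record_discovery(devices, profiles["branch"], "10.0.0.5", date(2017, 2, 1))
    record_discovery(devices, profiles["dc-net"], "10.0.0.6", date(2017, 2, 1))
    record_discovery(devices, profiles["dc-net"], "10.0.0.7", date(2017, 2, 15))
    record_discovery(devices, profiles["lab"], "10.0.1.9", date(2017, 2, 16))
    return devices, profiles


if __name__ == "__main__":
    devices, profiles = build_sample()
    print("purged:", purge_expired(devices, profiles, PAGE_DATE))
    print("removed with profile dc-net:", delete_profile(devices, profiles, "dc-net"))
```

On the sample data, 10.0.0.5 is 16 days old under dc-net's 7-day interval but survives the purge because the branch profile also discovered it, while 10.0.0.6 (dc-net only) is removed.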
Discovery Jobs
Once a scan is running, check its progress on the Discovery Jobs tab. You can also cancel the job on
this panel by clicking Cancel Job. Once it is complete, view a summary of its results on the Device
Scan History tab.
Note
The Discovery Jobs and other tables are refreshed according to the default set on the
Global Settings page. Table Refresh Interval is in the Basic Settings section, and defaults to
60 seconds.
The Most Recent Scans page has a filter capability and three buttons: View Summary Details, View
Scan Results, and View Scans.
The Manage button above the Is Managed column activates. Click Manage, and answer the dialog box.
You can also click the Manage All button to manage all listed devices. The Export button sends
detailed information on each discovered device to a CSV file. The Logs button displays a window with
a log table including each action taken regarding this scan. The Update button is active for one device
at a time. It allows you to change the management, access methods, services, and applications
associated with the selected device.
View Scans
To see all scans that have been run for a given Profile, click the View Scans button above the Summary.
The resulting table lists each Scan Discovery Time and the number of Discovered, New, and Not Found
Devices for each Scan Job. Select a Scan Discovery Time and click either View Summary Details, for lists
of the Device Names discovered, or View Scan Results, for detailed, updatable information. See
View Summary Details or View Scan Results for more information.
To see all discovered devices rather than just those for a given scan, select the Discovered Devices
tab at the top of the Discovery area.
Note: The number of items in the Device Scan Results is controlled by the Global Settings page.
Default Page Size, under Basic Settings, defaults to 30. This option also controls the number of items
shown in the Device discovery lists.
Discovered Devices
The Discovered Devices tab on the Autodiscovery panel displays a list of all devices that it has ever
discovered, their Operating Systems, their scan status, and Latest Discovery Time. A checkbox
indicates whether CA Privileged Access Manager manages the device.
Manage
To manage a device, select it by clicking its row or checking the box to the left of its device name. The
Manage button above the Is Managed column activates. Click Manage, and answer the dialog box.
You can also click the Manage All button to manage all listed devices.
Export
The Export button sends detailed information on each discovered device to a CSV file.
Update
The Update button is active for one device at a time. Click Update to display the Update Discovered
Device window. The various tabs allow you to change the management, access methods, services,
and applications associated with the selected device. The Device Information tab provides details
such as IP address, OS detail, status, and the profile name and its discovery time.
Note
The number of items in the Discovered Devices is controlled by the Global Settings page.
Default Page Size, under Basic Settings, defaults to 30. This option also controls the number
of items shown in the Device discovery lists.
Device Setup
In addition to Device Discovery (see page 136) (Autodiscovery), CA Privileged Access Manager Devices
can be created using the Device Templates or using CSV import.
Access Methods – invoke CA Privileged Access Manager proprietary Java applet downloaded from
CA Privileged Access Manager to a local Client computer
TCP/UDP Services
When one or more policies have been defined: Link to Manage Policy
Link to the Target Application List for provisioning Target Applications and Target Accounts
Fields To Configure
Basic Info
Device Name (Required): The user-specified name of the device. Users see this name on the access page. Note: Double-byte characters such as those used for traditional Chinese are supported.
Address (Required): The device IP address or FQDN (DNS must be set up properly under the Configuration, Network screen). Note: Beginning with version 2.2.0 and SFA 2.x, communication is possible whether an IP address or FQDN is used.
Scan: The utility that executes a port scan to detect services that have been configured.
Operating System: The device OS, chosen from the drop-down list.
Location: The physical device location, chosen from the drop-down list.
Device Type: Select one or more of the listed device type designations to provision their functionality in this device: Access, Password Management, A2A. Each device type prompts its own panel fields. These fields are each indicated in this table by bold headings.
Description: The field used for additional information.
Special Type: Click the option button Special Type = yes only for KVM over IP, intelligent power, or serial console devices.
Access: Special Type (appears only upon selection "yes" for the option button Special Type)
Type (Required): Select from an enumerated list of the CA Privileged Access Manager-aware device types.
Login: If required by the Device: Username for access.
Password: If required by the Device: Password for the identified Username.
Protocol (Required)
Ports
Manage Custom Types: Opens a shadow window to allow specification.
Password Management: Target Server
Description 1: Custom description category 1
Description 2: Custom description category 2
A2A: Request Client
Description 1: Custom description category 1
Description 2: Custom description category 2
Active: Activation status to permit the A2A client to receive credentials from CA Privileged Access Manager. True or false. Default: false
Preserve Hostname: Prevents the request server host name from being overwritten each time this A2A Client registers. Default: When left empty, the existing hostname value is not changed.
Tags: Specification of label attributes for the current Device. A tag can be applied to a Device record in one of two ways:
When the tag already exists in at least one Device record: Select it from the drop-down list of existing tags that autosuggestion generates as you type.
When the tag does not yet exist in any Device record: Type the tag name, then press Enter.
Access: Access Methods
Available Methods: The permitted methods that users can employ to gain access to the device. For the current release, these methods include: VNC, Telnet, SSH, Serial, Power, RDP, KVM. Mainframe licenses provide (in addition): TN3270, TN3270SSL, TN5250, TN5250SSL. When certain Access Methods are selected, an expansion pane provides additional information. For example, Name appears to label the Access Method, or a Port to assign.
Note: The product supports keystroke logging and command filtering for all activities conducted within the SSH applet. However, because the X11 server runs on the local client, it cannot provide graphical session recording, or command filtering, for actions taken within a forwarded graphical application. Treat X11-forwarded sessions as an audit gap wherever you rely on session recording for the SSH Access Method.
Access: Monitoring (fields Port, Contact, Add; see Monitoring Specification below)
Access: Terminal
Term Type: ansi; ibm (allows punch-through, only, to an AS/400 target device using a CA Privileged Access Manager provisioned credential); scoansi; vt100 (Default); vt220; vt320; xterm
Key Mapping: None selected; AT 386; xterm-vt220 (Default); vt320
"End" to Select: Note: This function is deprecated.
Terminal Customization: Triggers the Terminal Customization expansion pane.
Access: Terminal Customization (appears only upon selection of the checkbox Terminal Customization above)
Character Encoding: Default: UTF-8
Font Family: Default: Monospaced
Font Size: Default: 11
Cursor Foreground: Default: #000000
Foreground Color: Default: #ffffff
Background Color: Default: #000000
Terminal Size: Default: [80,24]
Buffer Size: Default: 100
Scroll Position: Default: Right
Groups
Available Groups: Allows the Device to be associated with a Device Group. Available groups are listed in the drop-down list.
Add: Confirms the selected Device Group and identifies the now-available Device Group in a list to the right in the pane.
1. Click the Yes option button for the Special Type option.
An expansion pane to provide configuration details appears.
2. From the Type drop-down list, select the correct KVM, power, or serial console and Access
Methods.
Note: Select Generic Terminal Server to configure any device that uses reverse Telnet.
3. If a Login and Password are supplied here, Users are not prompted.
Ports: Zero or more ports or port ranges, each separated (consistently) by either a comma, a space, or a
comma and a space, and in any order.
Example: 5-15
Example: 14575-15020
Leave the field empty for no port mapping.
Note: Some Device Types pre-populate the Ports field with the expected default port numbers.
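The Ports field syntax above is loose enough that a typo (a reversed range, a port above 65535, a stray word) is easy to save unnoticed. The following parser is an added example, not the product's own code: it implements the grammar as the description states it (single ports or low-high ranges, separated by a comma, a space, or both, in any order, empty meaning no mapping) and rejects anything else before it reaches a Device record. The function names are this example's own.

```python
from __future__ import annotations
import re

# Grammar assumed from the Ports field description: items separated by a comma,
# a space, or a comma and a space; each item is one port or a low-high range;
# order is free; an empty field means no port mapping. Hypothetical helper,
# not the product's own parser.
_ITEM = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_ports(spec: str) -> list[int]:
    """Return the sorted, de-duplicated list of ports a Ports field value denotes.

    Raises ValueError for malformed items, reversed ranges, or ports outside
    1-65535, so a bad value is rejected before it reaches the device record.
    """
    spec = spec.strip()
    if not spec:
        return []  # zero ports: no port mapping
    ports: set[int] = set()
    for item in re.split(r"\s*,\s*|\s+", spec):
        if not item:  # tolerate a doubled or trailing separator
            continue
        match = _ITEM.match(item)
        if match is None:
            raise ValueError(f"malformed port item: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"reversed range: {item!r}")
        if not (1 <= low and high <= 65535):
            raise ValueError(f"port outside 1-65535: {item!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def validate_ports(spec: str) -> str | None:
    """Return None when `spec` is acceptable, else the error message (for a form check)."""
    try:
        parse_ports(spec)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    for value in ("5-15", "14575-15020", "22, 80 443,8443", "", "15-5", "22-ssh"):
        problem = validate_ports(value)
        print(f"{value!r:22} -> {problem or parse_ports(value)}")
```

Because the parser expands ranges into a set, it also makes overlap between items harmless (22 listed twice, or 20-25 plus 22, yields one port 22), which matches the "in any order" wording.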
1. In the target Device record, select the expansion template link for the OOB method that is
used: Serial, Power, or KVM.
A set of configuration fields to provide configuration details appears.
2. In the drop-down list for OOB Host, select the Special Type Device that you prepared as an
OOB Host.
3. Repeat the specification for any additional OOB methods that are to be used.
Multiple Power configurations can be made using different OOB power devices, or the same OOB
power device using different ports, or those options in combination.
Create a custom Special Type by specifying a Device [Type] Name, the Protocol (Telnet or SSH),
and (a series of) command/response pairs, and click Save This Device. The new, custom Special
Type appears both in the Existing Custom Devices [Types] list at the bottom of the shadow window,
and on the Special Type: Type drop-down list on the main Manage Devices page.
Edit a custom Special Type by clicking it from the Existing Custom Devices list, changing any fields,
and then saving it again.
Note: Although the custom Special Type record can be edited, it cannot be deleted.
The Tags field allows you to either select an existing tag (from a drop-down list) or create a new tag
(by typing it and then pressing Enter), and in so doing assign it to the current Device. When you start
typing into the Tags field, a list of currently available tags appears in the multiselection autosuggest
drop-down list.
Example
You might have a number of devices that use a Windows operating system, but also a number that do
not. For some network maintenance purpose, you want to collect all Windows devices, whether Windows XP,
Windows Server 2008, or others, into one group. In that case, you can tag all of those Devices with Windows.
On the Manage Devices and Access pages, you can then search for "windows" to collect all instances.
1. In the panel Access Methods, and to the right of Add, click on the blue name-link of a desired
Access Method.
This expands the Create Device pane so that further definition can be applied to the Device
Access Method specification.
For each provisioned Access Method, specify an (optional) Custom Name, and a Port
number. The Port field is pre-populated with the default value for the corresponding
Access Method.
For each OOB device, identify the applicable OOB Host, and apply an (optional, single) Port
number.
Repeat as desired.
2. At the right-hand side of the panel Services, click Add on its blue name-link.
This invokes a pop-up pane from which you can select from the set of defined services.
3. For each desired Service, click the checkbox.
The selected service is immediately specified directly to the right of the Services label.
Now that at least one Service is listed, the Add button changes to Edit .
Repeat as desired.
4. Click Save to save the (full page) specification and close the editing panel and return to the
Manage Devices page (or continue with other edits in this pane).
Note: If you return to this Device record, you see that the selected items in the Access
Methods pane are collapsed in a similar way to those in the Services pane.
Click Edit to re-open the Access Method editing environment.
Monitoring Specification
Important
We recommend that you inquire about your organization policies as these network
heartbeat checks might not be permitted.
A Device can be configured to monitor protocol availability. This functionality allows the security
team to see the status of the devices to which they are providing access. When monitoring is
configured for a device, the users are able to see the status of the protocol at the Device under the
Monitoring menu button. To use monitoring options, the Monitoring pane is expanded.
A Protocol must be specified from the drop-down list, and a single Port can be designated. The available
types of monitoring, with their default ports in brackets, are ICMP (ping), and verification of TELNET (23),
FTP (21), HTTP (80), SMTP (25), IMAP (143), POP2 (110; note that IANA assigns port 110 to POP3 and 109
to POP2), SSH (22), DNS (53), NTP (123), and custom TCP (any port).
The Contact User (a CA Privileged Access Manager administrator) must be provided: An email alert is
sent to this User in the event of a protocol contact failure.
After the monitored protocol is Added and thus registered, it appears to the left of the widget.
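The following checker is an added example, not the appliance's own monitoring code, showing what a protocol heartbeat for the list above amounts to and where a bare TCP connect falls short. It goes one step beyond the page: for protocols whose server speaks first (SSH, FTP, SMTP, POP, IMAP) it reads the greeting and verifies its prefix, so an unrelated listener on the port does not report as "available"; that verification step, the Linux `ping` flags, and the function names are this example's assumptions. The stub listener and closed-port helper exist only so the example runs offline.

```python
import socket
import subprocess
import threading

# Protocol -> default port from the Monitoring list above. ICMP has no port;
# custom TCP takes whatever single port the administrator designates.
MONITOR_PORTS = {
    "ICMP": None, "TELNET": 23, "FTP": 21, "HTTP": 80, "SMTP": 25, "IMAP": 143,
    "POP2": 110, "SSH": 22, "DNS": 53, "NTP": 123, "TCP": None,
}

# For server-speaks-first protocols the check also reads the greeting and
# verifies its prefix, so an unrelated listener squatting on the port does
# not count as "available". This is this example's own design; the page does
# not say how the product itself probes a protocol.
GREETING_PREFIX = {"SSH": b"SSH-", "FTP": b"220", "SMTP": b"220",
                   "POP2": b"+OK", "IMAP": b"* OK"}


def check_protocol(host, protocol, port=None, timeout=3.0):
    """Probe one monitored protocol on one device; return (ok, detail)."""
    proto = protocol.upper()
    if proto not in MONITOR_PORTS:
        raise ValueError(f"unsupported monitor protocol {protocol!r}")
    if proto == "ICMP":
        # System ping (Linux flags assumed) so no raw-socket privilege is needed.
        result = subprocess.run(["ping", "-c", "1", "-W", str(int(timeout)), host],
                                capture_output=True)
        ok = result.returncode == 0
        return ok, "icmp echo reply" if ok else "no icmp echo reply"
    port = port or MONITOR_PORTS[proto]
    if port is None:
        raise ValueError("custom TCP monitoring needs an explicit port")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            prefix = GREETING_PREFIX.get(proto)
            if prefix is None:  # plain reachability: the port accepted the connection
                return True, f"tcp/{port} accepted the connection"
            greeting = sock.recv(128)
            if greeting.startswith(prefix):
                return True, f"{proto} greeting ok: {greeting[:40]!r}"
            return False, f"{proto} greeting mismatch on tcp/{port}: {greeting[:40]!r}"
    except OSError as err:  # refused, timed out, unreachable, reset
        return False, f"tcp/{port}: {type(err).__name__}"


# --- offline test scaffolding (not part of the monitoring logic) -------------
def start_stub_listener(greeting: bytes) -> int:
    """Start a throwaway local TCP service that sends `greeting` once; return its port."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve():
        while True:
            conn, _ = server.accept()
            with conn:
                conn.sendall(greeting)

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


def find_closed_port() -> int:
    """Return a local port that nothing is listening on."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    ssh_port = start_stub_listener(b"SSH-2.0-stub\r\n")  # constructed greeting
    checks = [("SSH", ssh_port), ("SMTP", ssh_port), ("TCP", ssh_port),
              ("SSH", find_closed_port())]
    for proto, port in checks:
        ok, detail = check_protocol("127.0.0.1", proto, port)
        print(f"{proto:5} {'UP  ' if ok else 'DOWN'} {detail}")
```

The SMTP probe against the SSH stub fails on the greeting rather than passing on the open port, which is the difference between "something answers on 25" and "a mail server answers on 25". The Important note above still applies: these probes are unsolicited connections to managed devices, and a greeting read can appear in the target's logs as an incomplete session.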
Note: A User can override this customization by specifying user-based Terminal Settings.
Cases
More than one Credential Source can be used for a particular Device Group.
When configuring policy for that Device Group, all accounts of the multiple Credential Sources are
available for selection. When a User initiates a connection, these administrator-selected options
are presented so that the User can select one.
All Access Methods and Services that are supported for the Devices in a Device Group that has
one or more Credential Sources can be used.
Provisioning Multiple Credential Sources
To set up CA Privileged Access Manager records that allow multiple credential sources to provide
optional credentials to Users to access Devices:
Note: Where not already proper nouns, capitalized names refer to CA Privileged Access Manager
objects. For example, "User" refers to a User account, and "Device" refers to a Device record.
1. Create, or identify from existing Devices, a set of desired target Devices for which you use CA
Privileged Access Manager auto-connection to make connections (Devices, Manage Devices).
In the example that is used for this procedure, these targets are named:
TargetDevice1
TargetDevice2
TargetDevice3
2. Create or identify existing Devices to be used as Credential Sources (Devices, Manage Devices
).
To recap the relationships:
A Credential Source Device is a Target Server for Target Applications and their dependent
Target Accounts, maintained in CA Privileged Access Manager Credential Manager, that
can be used to access other Devices.
The actual device that each Credential Source Device represents maintains access
credentials for other (target) devices. For example, it might host a Windows Active
Directory (AD) Domain Controller, or some other LDAP-based server.
The accounts that are maintained by those servers are represented by corresponding
Credential Manager Target Account records. Those CA Privileged Access Manager
records can be configured to periodically synchronize with the directory servers to
maintain an accurate representation.
The member Credential Sources in a Device Group determine the full range of
credentials that are available for CA Privileged Access Manager auto-connection use by
members of that group.
You can use the credentials from any Target Account of any member Credential Source
to access any member Device.
In the example that is used for this procedure, these Devices are named:
CredSourceDevice1
CredSourceDevice2
and each maintains a portion of the credentials managed for TargetDevice1, TargetDevice2,
and TargetDevice3.
3. Create a Device Group (Devices, Manage Groups) whose members are the target Devices and the
Credential Source Devices. In the example that is used for this procedure, this group is named:
DeviceGroup1
that uses the specified Credential Sources for access to the specified target Devices.
4. Create the Target Applications and Target Accounts that are used to manage those access
credentials (Policy, Manage Passwords, [Credential Manager menu], Targets, Applications,
and Accounts).
In the example, access credential accounts are set up as follows:
On CredSourceDevice1: CredSourceDevice1_App1_Acct1
CredSourceDevice1_App1_Acct2
On CredSourceDevice2: CredSourceDevice2_App1_Acct1
Again, each of these credentials is applicable for access to all three example Devices.
5. Set up a policy for a User/User Group with this Device Group ( Policy, Manage Policies).
You can now select for auto-connection from the list of all credentials maintained by these
Credential Sources.
3. Double-click the name to display its editing template in a shadow box window.
4. When finished, click Save (or Cancel) to return to the Manage Policies page.
1. Click either the Save and Add Target Applications or the Manage Target Applications button
to hover an Application List shadow box above the Device record.
2. From within the shadow box page, you can switch between the Target Application List and
the Target Account List. The GUI controls are presented as they would be when named
instead from Targets, Target Applications:
Edit a Target Account by first clicking Go to Accounts List in the upper-left corner, then
clicking on its Account Name.
3. When finished, exit the shadow box by clicking the blue X at the upper right.
More Information:
For information about importing Devices using a CSV file, and importing AWS and VMware
Devices, see Import and Export Devices (see page 150).
1. Open IE browser.
5. Click Custom level. Scroll to Downloads. For File download, select the Enable option.
Important
If you export a device file containing Special Type devices, the exported file does not contain their
passwords. Therefore, if you import that file back into CA Privileged Access Manager, the passwords
are not present in the import and you must supply them again.
The Device records created cannot be deleted except upon disconnection from AWS.
The following CA Privileged Access Manager Device attributes are populated from AWS instance
attributes, and cannot be edited:
The AWS Name and AWS Instance ID are combined to create a CA Privileged Access Manager
Device Name of "awsName (awsInstance)".
The following CA Privileged Access Manager Device attributes are populated from AWS instance
attributes, and can be edited in the Device record:
During import, each virtual machine (instance) in VMware results in the creation of a Device
The Name of the Device that is created is the combination: "VMwareInstanceName – vm-nn"
where "nn" is a VMware assigned number.
When available, the internal Address of each Device is provided; otherwise it is marked as "
Not-Active-VmwareDeviceName - vmnn". You cannot edit it.
During import, each folder in VMware results in the creation of a Device Group
The Name of the Device Group that is created is the combination: "VMwareFolderName -
group-vnn" where "nn" is VMware assigned number. You can edit it.
When using Device Groups, deny takes precedence unless otherwise specified: if a service is not defined
as available at the Device level, it is not available at the group level either. In other words, the most
restrictive setting is used when a conflict arises, so a group cannot grant an Access Method or Service
that the member Device record does not already allow.
2. Enter a Group Name and Description. If licensed for AWS, Select a Group Type.
3. To propagate Access Methods and Services (to only the Access Type members), select Access
Methods and Services to enable in those group members.
4. Identify the member Devices from the drop-down list that appears when you select the field.
2. Assign AWS instance imported Devices to it, all of which use the same key pair.
4. From the SSH applet credential pop-up box, select the key pair held in common.
This key pair is used for auto-connection for any Device in the group.
3. Double-click the name to display its editing template in a shadow box window.
4. When finished, click Save (or Cancel) to return to the Manage Policies page.
TCP/UDP & APP Services
Add: Allows the selected TCP/UDP service or Application to be used by the Device Group. Identifies the now-applicable service in a list to the right in the pane.
SSL VPN Services: Selection (post-Add button) indicates that each member of the Device Group can respond to the specified SSL VPN Service. Lists the available services as defined in the Config, SSL VPN menu.
Add: Allows the selected SSL VPN service to be used by the Device Group. Identifies the now-applicable service in a list to the right in the pane.
Devices
[List] The new Device Group is populated here with (existing) Devices.
To add a Device: Start typing its name until it appears in a pop-up drop-down list. Then select it
(its line item) to populate the Devices field.
More Information:
For information about importing an LDAP Group, see Import LDAP Groups (see page 155).
To launch the LDAP Browser from the Manage Groups page, click the link Import LDAP Group .
Your CA Privileged Access Manager must be licensed for the LDAP Browser to launch.
Return Attribute Lists
Paged Results
Next Page of Results: Retrieves the next page of results and displays the page wrapper in the Explore tree (when green; otherwise gray when inapplicable).
Tools
Stop Action: Suspends the current LDAP request. This is useful when the page size is large and the browser is searching a large database.
CA Privileged Access Manager Groups: CA Privileged Access Manager-specific menu items.
Manage selected groups to register with the appliance: Lists all items that are currently selected (or staged) for import to CA Privileged Access Manager.
Register selected groups with the appliance: Performs the import operation on the selected items, which are listed in Manage selected groups to register with the CA Privileged Access Manager appliance.
Icons appear in the Button Bar menu when that menu is active (or "on"). By default, the Button Bar is
on.
2. On the Devices, Manage Groups page, click the Import LDAP Group link.
This link triggers launch of the LDAP browser, which immediately prompts for an LDAP domain
selection.
3. In the browser pop-up window, select the domain from which you import devices.
The browser connects and displays all records below that domain (restricted by the
pagination option you have previously requested).
4. Open nested folders until a device group that you want to import is visible, and select its
checkbox.
5. Repeat the step above for each group you want to import. You can traverse the tree in any
order or direction.
6. (Optional) Once you have selected all the groups that you want to import, you can review
them under CA Privileged Access Manager Groups, Manage selected groups to register with the CA
Privileged Access Manager appliance.
This opens a new pop-up window in which the Distinguished Names for all selected groups
are visible. You can select and edit any group DN, or remove it from the staging list.
7. Import the selected groups by selecting CA Privileged Access Manager Groups, Register
selected groups with the CA Privileged Access Manager appliance.
A new window presents the staged groups in a list. You can watch their progress and status,
and can display any messages associated with the actions.
8. When ready to import the groups, click Register Groups in the lower-left corner.
CA Privileged Access Manager imports the groups in the order that is presented, and the
browser provides feedback and cancellation options throughout the process.
While a group is imported, there is a progress bar (labeled Registering Group) to the right of
its Group Name. You can cancel registration of the current group (and continue with
subsequent groups), or you can cancel the registration of all groups, even after they have
started. In the latter case, CA Privileged Access Manager "reverses" the import process so that
all groups and their members are removed.
When the imports are finished, each line item in the registration window shows either a green
checkmark for success or a red cross for import failure/cancellation. You can review the status
of the full list and each individual group by selecting its line item. If you made any changes or
any errors occurred during the import, the lower Messages panel provides details after you
select the specific group of interest.
9. In the GUI, confirm that the imported groups now appear on the Devices, Manage Groups
page.
10. You can open the Device Group or Device records to examine more fields.
dNSHostName
Copying a Device
The permissions and policies of an existing device can be copied to create a device with the same
access.
To create a new Device ID by copying an existing device, select the Copy button next to the Device ID
intended to be used as a template. A copy of the device information is displayed. Add the required
fields and make any appropriate changes. Select the Save button to create the Device. Associations
and policies can be changed after the device is created.
Deleting a Device
To delete a particular device, select the Device from the Manage Devices page. In the device
information screen, select the Delete button and select the appropriate response on the subsequent
confirmation screen.
Manage Tags
Tags, which are created within a Device create/edit template, are compiled by CA Privileged Access
Manager into a list which spans all Devices.
View Tags
Click the Devices, Manage Devices , Manage Tags link to display the Manage Tags shadow window.
All tags are shown (paginated, if needed) with the number of occurrences in the right column.
Sort tags on the Tag Name (results list alphabetically) or on #Used (occurrences) (results list from
low to high).
Edit Tags
Each tag can be edited or deleted in the Manage Tags window (not in the Create Device / Edit Device
template). Select the Tag line item to open an editing box.
Manage Groups
The Manage Groups page displays all the groups which have been configured.
Manage Services
In the Services tab, the following management options are available.
Editing a Service
To change a setting on a service:
An Update service screen appears to allow parameters other than the name to be changed.
To change the name of a service:
1. Use Copy to clone the service attributes (while allowing the Service Name to be filled in).
Copying a Service
1. From the list in Services, TCP/UDP Services, open the record of an existing Service.
3. Enter (the required) Service Name for the new Service. Edit other fields as desired, and select
the Save button to create the new Service.
Deleting a Service
Select the checkbox next to the service, and click the Delete button at the bottom of the screen. The
Service is immediately removed, and the remaining Service list appears.
Device viewing
As a CA Privileged Access Manager administrator, you can view a list of Device records on the Devices
, Manage Devices page.
Unfiltered Views
From the Devices, Manage Devices menu, all current devices (initially) appear in alphabetical order
by Device Name. You can also sort the list by clicking on any of the displayed field names: Name,
Address, OS, Description, or Location; or by applying filters.
Global Settings, Default Page Size determines how many Devices are listed on each Manage Devices
page. If there are more Device records than this value, the Manage Device list is paginated, with
navigation controls at the bottom of the page.
Filtered Views
The gray-field Search function in the upper-right corner of the page body accepts a (non-case-sensitive)
string, matches it against the beginning of the Name field across all Device records, and replaces
what was an Unfiltered list with a new list, now labeled "Filtered."
Device Type
Location
Tags
If no item is selected, no value is filtered against that field, so all records are shown. Selecting a value
in the field, however, filters the set of Device records against that value. Only those records with the
selected value are (immediately) shown in a revised list. If multiple values are selected, records that
match any of the selected values are included.
Any combination of the checkbox selections or strings from each Device field list can be selected for
any particular search. For string selections in OS, Location and Tags:
To select a sequence of values in one category: Select the first entry, then while holding the Shift
key, select the last entry.
To select any combination of individual values in one category: Select one entry after another
while holding the Ctrl key.
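The filter rules above (prefix match on Name, any-of within a field, all fields combined) are the kind of thing worth pinning down before you build a saved View on them. The following is an added example in Python, not the product's code, that applies exactly those rules to a handful of constructed Device records; the record shape, the sample values, and the function names are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    address: str
    os: str
    location: str
    device_types: frozenset  # subset of {"Access", "Password Management", "A2A"}
    tags: frozenset


# Constructed sample records for the example (not exported from a real appliance).
DEVICES = [
    Device("web01", "10.0.1.10", "Windows Server 2008", "DC-East",
           frozenset({"Access"}), frozenset({"windows", "web"})),
    Device("web02", "10.0.1.11", "Ubuntu 16.04", "DC-East",
           frozenset({"Access", "Password Management"}), frozenset({"linux", "web"})),
    Device("db01", "10.0.2.20", "Windows Server 2012", "DC-West",
           frozenset({"Password Management"}), frozenset({"windows", "db"})),
    Device("kvm01", "10.0.9.1", "Other", "DC-West",
           frozenset({"Access"}), frozenset()),
]


def filter_devices(devices, name_prefix="", os_filter=(), location_filter=(),
                   type_filter=(), tag_filter=()):
    """Apply the Manage Devices filter semantics described above.

    - Search string: case-insensitive match against the beginning of Name.
    - Each field list: empty means "not filtered"; otherwise a record matches
      if it carries ANY selected value (multi-valued fields match on overlap).
    - Fields combine with AND, so the result is the intersection.
    """
    prefix = name_prefix.lower()
    os_sel, loc_sel = set(os_filter), set(location_filter)
    type_sel, tag_sel = set(type_filter), set(tag_filter)
    return [
        d for d in devices
        if d.name.lower().startswith(prefix)
        and (not os_sel or d.os in os_sel)
        and (not loc_sel or d.location in loc_sel)
        and (not type_sel or d.device_types & type_sel)
        and (not tag_sel or d.tags & tag_sel)
    ]


def names(devices):
    """Device Names of a result list, in list order (the page sorts by Name by default)."""
    return [d.name for d in devices]


if __name__ == "__main__":
    print("search 'WEB':", names(filter_devices(DEVICES, name_prefix="WEB")))
    print("tag windows :", names(filter_devices(DEVICES, tag_filter=["windows"])))
    print("windows+Access:", names(filter_devices(DEVICES, tag_filter=["windows"],
                                                  type_filter=["Access"])))
```

The Search box is a prefix match, not a substring match: searching "eb" returns nothing even though both web devices contain it, which is why the Tags filter (the "windows" example above) is the better tool for grouping by attribute.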
Saved Views
The filtering that you apply can be saved as a View, and used either by default or selected from a
menu.
1. After applying desired list filtering, near the top left (to the right of "Unfiltered"), click Save as
View. The Save View pop-up window appears.
3. Select Set as Default if you want the Manage Devices page to always open to this view.
The view is relabeled to the saved view name, and the view can be selected at any time from the My
Views menu to the left of the Search box.
Access Method – CA Privileged Access Manager invokes a proprietary Java applet to make a
connection using one of several standard protocols (SSH, RDP, others)
Service – CA Privileged Access Manager invokes a local third-party application from your client
(for example, PuTTY on a Windows PC) to handle the connection
RDP Application – CA Privileged Access Manager uses the RDP protocol to invoke a specific
application on a target Windows OS Device
Access Methods
A CA Privileged Access Manager Access Method is a Java connection applet for a particular
communication protocol. You activate Access Methods in Global Settings and then assign them to
Devices.
Prerequisites
RDP
The RDP client applet supports TLS 1.2 connections and the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher
suite. For best security, ensure that your RDP server (target Windows Device) is configured for TLS 1.2
communication. Note that this suite uses static RSA key exchange (no forward secrecy) and CBC mode; if it
is the only suite the applet offers, a hardening baseline that removes all RSA-key-exchange or CBC suites
from the target leaves the applet nothing to negotiate, so keep it enabled on the target for as long as
the applet depends on it.
This setting configures the "outer boundaries" of available methods. If any particular method is not
selected (its box is not selected), it is not available on any device.
2. Locate desired device, and click on its line item to open its record.
3. In the Access Methods pane: From the Available Methods links, click a desired applet, add an
optional Custom Name, and click Save. Repeat as necessary to allow more methods to be
used.
As each method is added, it appears in a vertical list below the Add links. Any previously
configured method can be removed by clicking its Remove link.
4. When you are finished adding methods (and making any other changes to the Device record),
click the Save button at the top or bottom of the record. CA Privileged Access Manager saves
these settings and collapses the record back to a line item.
When you open the record again, you see a line; click Edit to return to an editing view.
Optional Features
SSH SCP and SFTP File Transfer
You can configure CA Privileged Access Manager to allow Users to SCP or SFTP files while connected
through the SSH Access Method. The SSH Access Method uses the CA Privileged Access Manager
client MindTerm applet, and can record these transactions.
Administrator Setup
To provide every user that has a provisioned SSH Access Method applet the ability to SCP or SFTP file
transfer:
3. In the Applet Customization panel, click Configure Terminal Settings to open its interface.
4. In the SSH Terminal File Transfer drop-down list, select Enable SCP/SFTP.
6. Set up Policy for User that permits use of the SSH Access Method to applicable target Devices.
User Experience
When SSH Terminal File Transfer has been enabled as noted in Administrator Setup , the user has
access to the SCP and SFTP file transfer features as described in the following procedure:
1. Log in to CA Privileged Access Manager as a User permitted to execute the SSH Access
Method.
3. Click an SSH Access Method to open a MindTerm applet to its configured target Device.
4. In the MindTerm Java applet window (labeled with your Device Name), select Plugins, SCP
File Transfer to open a file transfer window. See right-hand side of Figure 5.
5. Use the MindTerm – SCP (Internal_IP_address) applet file transfer window to perform any of
these functions:
Use the arrow buttons between the directory content lists to move files between the Local System
(your client computer) and the Remote System (target Device).
Rename – opens a pop-up window that lets you change the name of the selected directory
This table describes the types of log entries now affected by file transfer transactions.
Log Entries for File Transfer Transactions
Services
A CA Privileged Access Manager Service invokes a connection mechanism that is external to the CA
Privileged Access Manager server, such as a website portal or an application that resides on a user
workstation.
New Service: In the upper right of the window to the left of the Search field, click Create
TCP/UDP Service.
3. Edit the template fields. For information about the fields, refer to the following Create TCP
/UDP Service Expansion Panel Fields table.
If the Application Protocol is a Web Portal, refer also to Web Portal (see page 173) .
Application Protocol (remaining options) - Console; Web Portal. Otherwise, use the selection: Disabled.
Client Application - Preload the path to the local app for auto-launch once the service is initiated. The user can also set or override this path at launch time.
Web Portal
Prerequisite: First select Web Portal from the Application Protocol drop-down list to enable the fields in this pane.
Launch URL - Specifies a local URL that is launched when the portal service is accessed. Enter the following string:
[http | https]://<Local IP>:<First Port>/[path_to_target_page]
First, specify the protocol, HTTP or HTTPS.
The <Local IP> and <First Port> are automatically populated from the Basic Info fields Local IP (constructing the full IP from 127 plus the three octet fields) and Port(s) (using the first port specified), respectively.
Finally, specify a [path…] to restrict access to a specific landing page.
The user is automatically connected to the web service.
Host Header - Specify the FQDN of the target website in this field. Per HTTP 1.1, if the web portal resides on a single IP address that hosts several websites (such as Apache NameVirtualHost or IIS Host Header Access), this setting identifies the correct website target. Example: www.example.com
Aliases - Specify any strings that can be used as a substitute portal target, separated by commas. If the target web portal is referred to by several different names, enter those names here. Example: If Host Header contains www.example.com, while some links on the portal page point to example.com, enter example.com here so that requests to that site are handled successfully.
Hide From User - If this portal is not intended to be user-facing, select this checkbox so that no access link is displayed for the user on the Access page. Use Case: When multiple internal servers are to be identified as portals so they can be accessed to meet a user portal request, not all servers need to be exposed to the end user. For example, multiple local servers might provide content to serve a particular HTTP request (HTML page, graphic files, CGI processing), but only the original web page needs to be public. Without this "off" switch, server portals that are inappropriate for an end user are nevertheless displayed on the Access page.
You can also import Services in batch mode using a CSV file. See Import or Export Services (see page
172) for instructions.
Note
Note: Establish a portal for every web server that the user accesses. However, some
servers provide content to the web pages that call them (through embedded links) but do
not face users. See the following description for the option Hide From User.
1. In the Basic Info pane (continuing from Set up Service using the GUI, step 3):
Important
If you are setting up a Web Portal to access Microsoft SharePoint® and Mac clients
access it, you must set Local IP to: 127.0.0.1 (and must provide a valid Host Header
– see the following).
In Port(s), enter:
For Application Protocol, select the Web Portal option from the drop-down list.
When you chose Application Protocol: Web Portal above, the Launch URL field became
available and must now be used.
The other fields in that pane – Host Header, Aliases, and Hide from User – are each
optional. See Table 48 for information.
The URL specified here is launched when the web portal enabled service is accessed. Use
the syntax shown in the example line below the text box (indicated by "Ex."), using and
substituting the tags as identified below.
4. Specify the applicable FQDN hostname in Host Header so that the portal is able to distinguish
between multiple hosted websites, for example "www.example.com". If the IP address of the
server hosts only one (FQDN) site, this field is not required; however, it is good practice to
specify it explicitly.
Host Header is required for Microsoft SharePoint sites.
Host Header is not applicable to HTTPS (SSL) sites.
5. If any alias hostnames are used to reach the portal: Enter these in Aliases (separated by
commas). These aliases are mapped by CA Privileged Access Manager to the true host (see
Host Header).
6. If the portal is to be used in the background: Hide From User specifies that a server is available
for CA Privileged Access Manager-internal access, but is not to be accessible to an end user.
An example use is for a server that delivers graphic files that are requested from a browser
after a baseline website delivers an HTML page.
7. Click Save.
8. Create a Device that corresponds to the web server you are aiming to reach. In Devices,
Manage Devices, create a Device with the web server IP address (do not use FQDN) in the
Address field.
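The following is an added example, not CA product code, that models the Web Portal service fields from the table and procedure above: Local IP built from 127 plus three fields, the first entry of Port(s), the Launch URL template, and the Host Header / Aliases / Hide From User behaviour. The function and class names are this example's own, and the template handling follows the field descriptions on the page rather than inspected product behaviour.

```python
"""Added example, not CA product code: a model of the Web Portal service
fields in the table and procedure above (Local IP, Port(s), Launch URL
template, Host Header, Aliases, Hide From User).

Assumptions: function and class names are this example's own, and the
exact template handling (first port, loopback construction) follows the
field descriptions on the page rather than inspected product behaviour."""
import ipaddress
import re
from dataclasses import dataclass


def local_ip(octets):
    """Local IP is 127 plus three fields, so the tunnel endpoint is always
    a loopback address: nothing leaves the workstation before the tunnel."""
    if len(octets) != 3 or not all(0 <= int(o) <= 255 for o in octets):
        raise ValueError("Local IP needs three octets in 0..255")
    ip = ipaddress.IPv4Address("127.%d.%d.%d" % tuple(int(o) for o in octets))
    if not ip.is_loopback:
        raise ValueError("Local IP must stay in 127.0.0.0/8")
    return str(ip)


def first_port(ports):
    """Port(s) is comma-separated; the Launch URL uses the first entry."""
    parts = [p.strip() for p in ports.split(",") if p.strip()]
    if not parts:
        raise ValueError("Port(s) is required")
    port = int(parts[0])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


_TEMPLATE = re.compile(r"^(https?)://<Local IP>:<First Port>(/.*)?$")


def render_launch_url(template, octets, ports):
    """Expand [http|https]://<Local IP>:<First Port>/[path] to a concrete URL.
    A template that names the real site (www.dropbox.com) is rejected: the
    browser must be sent to the local tunnel, not directly to the target."""
    m = _TEMPLATE.match(template)
    if not m:
        raise ValueError("Launch URL must use the <Local IP>:<First Port> template")
    scheme, path = m.group(1), m.group(2) or "/"
    return "%s://%s:%d%s" % (scheme, local_ip(octets), first_port(ports), path)


def parse_aliases(raw):
    """Aliases field: comma-separated names; blanks and duplicates dropped."""
    seen, out = set(), []
    for a in raw.split(","):
        a = a.strip().lower()
        if a and a not in seen:
            seen.add(a)
            out.append(a)
    return tuple(out)


@dataclass
class WebPortal:
    host_header: str          # FQDN sent to the virtual-hosted target
    aliases: tuple = ()       # other names that links on the portal page may use
    hide_from_user: bool = False

    def resolve_host(self, requested):
        """Map a name seen in a request or link back to the Host Header;
        None means no configured portal serves that name."""
        name = requested.strip().lower()
        if name == self.host_header.lower() or name in (a.lower() for a in self.aliases):
            return self.host_header
        return None


def access_links(portals):
    """Only portals not marked Hide From User get a link on the Access page."""
    return [p.host_header for p in portals if not p.hide_from_user]
```

The loopback check in local_ip and the template check in render_launch_url are the two properties worth keeping in any tooling around these services: the browser must always be pointed at the 127.x tunnel endpoint, never at the real site, or the session bypasses the appliance.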
Important
When a native SSH client service is marked in a policy for session recording, the
Bidirectional checkbox must be selected for the recording to work.
1. In the Basic Info pane (continuing from Set up Service using the GUI, step 3):
22 (for SSH)
For Application Protocol, select the SSH option from the drop-down list.
For Client Application, fill in the path if you want to invoke the client automatically.
Windows
3. Click Save.
4. Create a Device that corresponds to the SSH target you are aiming to reach. In Devices,
Manage Devices, create a Device with the target IP address (do not use FQDN) in the Address
field.
Note
When launching your SSH client, you must specify a username component. For example:
$ ssh -l username 127.0.0.1
Optional Features
Note
Session recording is not activated when either of these features are invoked.
Administrator Setup
You can set up your native SSH Service to allow either:
Automatic invocation of the SSH application with options (switches) through the CA Privileged
Access Manager Service command line specification (in the Client Application field)
Manual invocation of the SSH application by the User, who applies commands at execution (after
the secure tunnel has been established by CA Privileged Access Manager by clicking the Service
link on the Access page)
Prerequisites
To use X11 forwarding, the target Device must have X11 applications that are installed and its SSH
server configured (where necessary) to provide X11 forwarding, while the User workstation must run
an X11 server to display the output.
Note: When used on UNIX, Linux, and other UNIX-like systems, the SSH Access Method requires the
socat relay utility.
Automatic Invocation
In Figure 12, a CA Privileged Access Manager Service has been configured to use SSH by automatically
invoking a Client Application, PuTTY (on a Windows client), and applying its -ssh option.
To enable X11 forwarding, the -X option is also applied (Figure 12). When the User clicks this
Service from the Access page, PuTTY is automatically invoked and connects using those options.
To execute a command on the target, place the (target OS) command after the "<Local IP> <First Port>"
string.
Manual Invocation
Alternatively, if a CA Privileged Access Manager Service has been configured to use SSH but without
specifying the Client Application, the User can manually invoke (any installed) application (such as
PuTTY), and successfully use the X11 forwarding or command execution options available to that
application.
User Experience
Automatic Invocation
When a User (on a properly configured client) invokes an Access page Service link, the SSH client
(here, PuTTY) is automatically executed with the specified (for example, -X) switches or commands.
After logging in or auto-connecting to the target, the User can immediately run X11 applications
on the target and their output will be forwarded to the workstation.
If a command is specified, the session immediately closes when the command is finished
executing.
Manual Invocation
If the CA Privileged Access Manager Service Client Application setting is empty, the User must start a
local SSH client application manually to execute the SSH connection, and use that application X11
forwarding or command execution features. For example, after invoking PuTTY on a Windows
workstation, you would use PuTTY Connection, SSH, X11, Enable X11 forwarding or Connection, SSH,
Remote options, respectively. If a command is specified (using the latter option), the session
immediately closes when the command is finished executing.
Log Entries
After X11 forwarding is used, or whenever a command is executed under this feature, one of the
corresponding CA Privileged Access Manager session log entries is written.
2. Click Download Sample File to save the template file to a convenient editing location.
3. Copy the sample to a new file, and open it in a spreadsheet program or a plain-text editor.
Caution
Microsoft Excel incorrectly interprets the colon-embedded fields that are intended
to be used as RemotePort:LocalPort representation. Cell E7 contains "4.815972…"
This is an Excel conversion of the original plain-text CSV content provided in the file,
namely, "23:5555". Even if adjustments are made to the Excel and file save-as
settings, this behavior persists in reading or writing the file.
Workarounds
a. Always use plain-text editor (for example, Notepad) to prevent conversions from
occurring.
b. Use Excel first for most editing. As a final editing stage, open the file in a plain-text
editor, and delete any conversions. Repopulate those cells with colon-embedded
values such as RemotePort:LocalPort.
4. Edit or add line items for each service desired. For descriptions of each field, see CSV File Types
(https://docops.ca.com/display/CAPAM28/CSV+File+Types).
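The following is an added example, not CA product code: a pre-import lint that catches the Excel conversion described in the caution above. Excel reads "23:5555" as a clock time (23 hours plus 5555 minutes) and stores it as a fraction of a day, 6935/1440 = 4.815972..., which is what lands in the cell when the file is written back. The column name "RemotePort:LocalPort" and the sample rows are constructed for this example; the real template layout is defined in the CSV File Types reference linked above.

```python
"""Added example, not CA product code: a pre-import lint for a Services CSV
that catches the spreadsheet conversion described in the caution above.

Assumptions: the column name "RemotePort:LocalPort" and the sample rows are
constructed for this example; the real template layout is defined in the
product's CSV File Types reference."""
import csv
import io
import re

PORT_PAIR = re.compile(r"^(\d{1,5}):(\d{1,5})$")
NUMERIC = re.compile(r"^-?\d+(\.\d+)?$")


def excel_time_serial(pair):
    """What a spreadsheet makes of 'HH:MMMM' when it reads it as a time:
    hours and minutes become a fraction of a day (1440 minutes)."""
    hours, minutes = (int(x) for x in pair.split(":"))
    return (hours * 60 + minutes) / 1440.0


def check_port_pair(value):
    """Return None if value is a valid 'RemotePort:LocalPort', else a reason."""
    v = (value or "").strip()
    if NUMERIC.match(v):
        return ("numeric cell %r: a spreadsheet converted the port pair "
                "to a day fraction; re-enter it as remote:local" % v)
    m = PORT_PAIR.match(v)
    if not m:
        return "not of the form RemotePort:LocalPort: %r" % v
    for p in map(int, m.groups()):
        if not 1 <= p <= 65535:
            return "port %d out of range 1-65535 in %r" % (p, v)
    return None


def lint_services_csv(text, column="RemotePort:LocalPort"):
    """Return [(row_number, value, reason)] for each bad cell in `column`.
    Row numbers are 1-based and count the header row, matching a spreadsheet."""
    reader = csv.DictReader(io.StringIO(text))
    if column not in (reader.fieldnames or []):
        raise ValueError("column %r not found in header" % column)
    problems = []
    for row_no, row in enumerate(reader, start=2):
        reason = check_port_pair(row.get(column))
        if reason:
            problems.append((row_no, row.get(column), reason))
    return problems


# Constructed sample: row 2 is intact; row 3 is what Excel wrote back for
# "23:5555"; row 4 has an out-of-range port; row 5 uses the wrong separator.
SAMPLE_CSV = """ServiceName,LocalIP,RemotePort:LocalPort
telnet-lab,127.0.0.2,23:5555
telnet-lab-excel,127.0.0.2,4.815972222
bad-port,127.0.0.4,70000:22
bad-sep,127.0.0.5,23-5555
"""

if __name__ == "__main__":
    for row_no, value, reason in lint_services_csv(SAMPLE_CSV):
        print("row %d: %s" % (row_no, reason))
```

Run the lint on the finished file before uploading it; a mangled port pair that slips through produces a service that listens on the wrong local port, or no service at all, rather than a clear import error.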
Note
Web Portal
Auto-connection is the automatic, silent, and invisible, supply of, and consumption by a target
Device, of credentials managed by CA Privileged Access Manager. This process was referred to as
"SSO" ("Single Sign-On") in previous product documentation.
Several methods for automated website login (auto-connection) are now provided by CA Privileged
Access Manager to access websites with many types of login methods.
With CA Privileged Access Manager 2.4, an enhanced Xceedium Browser allows you to apply one of
several specific methods of automatically logging in to a target web portal of your choice, through the
new Auto-Login Method facility. The methods now provided include:
CA Privileged Access Manager HTML WebSSO – Use this option when the login method that is
employed by the web portal is HTML-based. (This is the most common method.) It employs
JavaScript injection to provide credentials to a web page's HTML as it is being loaded into the
Xceedium Browser, and then execute the login. When using this method, the CA Privileged Access
Manager administrator first "teaches" CA Privileged Access Manager which login page widgets are
used to capture the username and the password, and which is used as the login trigger. (This
simple process is described in step 8 of an example illustrated in the next section.) Examples of
web portals that use this method include Dropbox and Google.
CA Privileged Access Manager HTTP WebSSO – Use this option when the login method that is
employed by the web portal is HTTP protocol authentication. In this case, CA Privileged Access
Manager encodes login credentials and inserts them into a header, which is appended onto each
HTTP or HTTPS request. Examples of web portals that use this method include Microsoft
SharePoint installations.
There are also built-in CA Privileged Access Manager Auto-Login Methods that are designed to
allow interaction with the login functionality of specific brand web portals. These methods are
also referred to as "plug-ins." The following methods are provided to access the following web
portal types:
Administrator Setup
1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").
3. Near the upper-right corner, click Create TCP/UDP Service to open a Service template.
a. In the Administration panel, click the Application Protocol drop-down menu, and
select the "Web Portal" option.
b. In the Web Portal panel, click the Browser Type drop-down menu, and select the
"Xceedium Browser" option.
In the Administration panel, the Auto-Login Method drop-down menu appears at
right.
c. Click the Auto-Login Method drop-down menu, and select the appropriate option for
your target website. In the example, we use "CA Privileged Access Manager HTML
WebSSO" option.
d. In the Web Portal panel, in the Launch URL field, enter the CA Privileged Access
Manager template that corresponds to the login address.
In the example, we are setting up access to the Dropbox site. The Dropbox login
address is (currently): https://www.dropbox.com/login
After you substitute the target Device (www.dropbox.com) with the target template
(<Local IP>:<First Port>), you have the CA Privileged Access Manager template for this
login address:https://<Local IP>:<First Port>/login
e. Populate the other fields as needed. The Service Name and Port fields are required.
5. Set up a Device that corresponds to the Web Portal target (here, www.dropbox.com), and
select the Dropbox-service Service for that Device.
6. Set up a Target Application of type "Generic" for this Device (for example, named: Dropbox-
login), and set up a Target Account for this Target Application with the access credentials.
Here, these are the Dropbox account email and password that you want to use (for example,
user@example.com and p@$$w0rd).
7. Set up a Policy that associates a User (for example, named: XsuiteUser) to this Device, and
when doing so, select the Service (here, Dropbox-service) you created and associate to that
Service the Target Application – Target Account combination (for example, Dropbox-service:
Dropbox-login – user@example.com) needed.
8. If your target website uses the "CA Privileged Access Manager HTML WebSSO" method (such
as the Dropbox example illustrated), you now perform a "learn" procedure to activate the
portal for end users:
a. Open the Access page, and recognize that a drop-down Web Portal is now available
with two Service listing options for this Device (here, Dropbox-service (Learn) and
Dropbox-service).
i. The first of these, the learn option, shows a red X to its left. This option is used
by the CA Privileged Access Manager administrator to contact the login address
and set up CA Privileged Access Manager to recognize the target widgets, as
described in the next step. After successful setup, this red "X" changes to a
green checkmark, indicating that access to the Web Portal has been activated
and is ready to use.
ii. The second Web Portal option is the login option for actual login entry. As
noted above, the administrator must successfully apply the learning mode first
for this Service to function.
iii. Activate the browser to submit the username and password for login
processing.
(The identification process that you must perform is described in the next step.)
For the CA Privileged Access Manager Service to use these widgets for an auto-
connection, it has to be "taught" where they are:
c.
i. Move your mouse into the username (or other login name identifier) field
(here, Email), right-click to open the learning menu, and select Mark
Accountname Field.
After you do this, the field is populated with the placeholder field
"accountname", the outline of the field is now green, and there is now a green
checkmark at the right-hand side of the field.
ii. Move your mouse to the password field, right-click, and select Mark Password
Field.
The field is populated with an obfuscated password "••••••••", the outline of
the field is now green, and there is now a green checkmark at the right-hand
side of the field.
iii. Move your mouse so that it is over the login (or other submit identifier) button,
right-click, and select Mark Submit Button. (There is no change in marking.)
iv. For any other required widgets for your particular portal, simply perform the
required action for each widget. (There is no right-click menu item to select,
and there is no feedback, but all action is recorded.)
For example, if you want to teach this CA Privileged Access Manager to learn
the interface to another, target CA Privileged Access Manager portal that
requires LDAP authentication, do this: In addition to teaching it the above three
widgets, select "LDAP" for Authentication Type, and select the appropriate
configured Domain from its pop-up below. All these actions are preserved for
auto-connection use when you save them, as described in the next step.
d. In the upper-right corner of the browser window is the "Save auto-login template"
(floppy disk image) button. Click that button to save your settings, close the learn-
mode browser, and activate use of this Web Portal.
Following activation, you see a pop-up window telling you that the configuration is
now saved, and upon your confirmation, the browser will close. You can repeat the
learning process at any time and can save new results.
e. On the Access page menu, you see that the learning option now has the green
checkmark mentioned earlier. This means that the login option is available for use.
On the end user Access page, there is the single access link, without the learn-mode
option. See user access described in the following User Experience section.
User Experience
Upon logging in (or, if applicable, navigating to the Access page) an end user is presented with an
access link.
If learn mode is applicable to the Web Portal, only CA Privileged Access Manager users who have
Device management privileges (such as "super") see the learn option that is described in the
Administrator Setup.
Upon opening the portal link, the User sees a splash page while CA Privileged Access Manager
negotiates with the portal to provide the username and password. It then executes the login submit
button. Following the splash page, the User is logged in.
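The following is an added example, not CA product code, for the CA Privileged Access Manager HTTP WebSSO method described in the Web Portal section above. The page says the credentials are encoded and inserted into a header that rides on every HTTP or HTTPS request; that is the shape of HTTP Basic authentication (RFC 7617), but the page does not name the scheme, so treating it as Basic is an assumption of this example. The function names and the loopback-only safeguard are also this example's own, not product behaviour.

```python
"""Added example, not CA product code: what the HTTP WebSSO method amounts
to on the wire if the encoded header is HTTP Basic (an assumption; the page
does not name the scheme). Function names are this example's own."""
import base64
from urllib.parse import urlsplit


def basic_authorization(account, password):
    """Build the header value: 'Basic ' + base64(account:password).
    RFC 7617 forbids a colon in the user-id, since it is the separator."""
    if ":" in account:
        raise ValueError("account name must not contain ':'")
    raw = ("%s:%s" % (account, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """Recover the credentials from the header. Base64 is encoding, not
    encryption: anyone who sees the header has the password, which is why
    it must only travel over TLS or the appliance's loopback tunnel."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    account, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return account, password


def safe_to_attach(url):
    """Added safeguard (not product behaviour): only attach the credential
    header when the request is HTTPS, or goes to the 127.x loopback endpoint
    that the Launch URL template points at (the tunnel carries it from there)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and (parts.hostname or "").startswith("127.")


def websso_request(method, url, account, password, headers=None):
    """Return (method, url, headers) as the browser would send one request,
    with the WebSSO header appended, as the page says, to every request."""
    out = dict(headers or {})
    out.setdefault("Host", urlsplit(url).netloc)
    if not safe_to_attach(url):
        raise ValueError("refusing to send Basic credentials in clear to %s" % url)
    out["Authorization"] = basic_authorization(account, password)
    return (method, url, out)
```

decode_basic is there to make the operational point concrete: a header that is sent on every request and is trivially reversible is a credential on the wire, so the portal's Launch URL should use https, and the managed account should be one the appliance can rotate.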
RDP Applications
To activate an RDP Application in CA Privileged Access Manager, set it up in an RDP Application
template. Assign that template to a Device.
2. Click Create RDP Application to open the template, and complete the following information:
RDP App Name - Specifies a unique name for the RDP application service
Launch path - Provides the full path to the RDP application that runs when the user connects. For
example: C:\Windows\System32\notepad.exe
<AWSURL> - When this string (including brackets) is used, it specifies the AWS Management
Console home page. This token is used as the target address of a browser on a recording-
designated Windows “jumpbox.”
3. Enter TCP Ports and UDP Ports. The SSL VPN service is created for specific ports separated by
commas, or for All ports.
4. Click Save.
Out-of-Band Devices
The OOB Devices button is used for non-login management of out-of-band devices and power
control. Out-of-Band, or "Lights Out," Management allows a system administrator to monitor and
manage devices by remote control regardless of whether the device is on. CA Privileged Access
Manager supports Serial Console, Terminal Servers, and KVM over IP and Power Management.
Each row in the access list represents a device on the network that a CA Privileged Access Manager
username is permitted to manage. This list of permitted devices is defined by policy as applied
through CA Privileged Access Manager associations. It dynamically reflects access policy as it is
applied by a CA Privileged Access Manager administrator to a user or group.
Control Indicators include:
Serial – Serial consoles are intended for use when the device is not functional or when network
connectivity is lost due to a reboot or upgrade. Supported out-of-band access methods include
Serial Port consoles and Terminal Servers.
Serial console access can be recorded and command controls can be enforced. All managed access
creates an event.
KVM – Certain KVM over IP network appliances have integrated support and can be used to limit
access to only certain devices connected. Other KVM over IP devices can be supported using their
web interface.
Power – Controls a smart power switch that is capable of powering the device on or off. CA
Privileged Access Manager can be used to restrict access to certain devices on the switch.
Status is shown for each device with an icon with a color dot at the lower right:
Yellow indicates that the device is new – or has failed to reply – and the status is unknown.
1. Select the Power button. This brings up a pop-up window showing power options.
2. Select power option ON, OFF, or RESET. Or, to exit without making changes, select the Cancel
button.
Socket Filter Lists (SFLs): Define either a socket blacklist or whitelist. A blacklist specifies only
the devices and ports that a user cannot access; everything else is reachable. A whitelist specifies
only the devices and ports that a user can connect to; everything else is blocked.
Socket Filter Agents (SFAs): Apply rules that are specified by Socket Filter Lists and used in access
policies.
Socket Filter Configuration (SFC): Defines and applies agent behavior across all CA Privileged
Access Manager managed devices using Socket Filter Agents.
For the purposes of Common Criteria testing, and when in FIPS mode, use version 2.5.5 or later of the
SFAs. Versions 2.5.5 and later only use TLS 1.2 with approved algorithms to communicate with the CA
Privileged Access Manager server.
Socket filtering uses network heartbeat checks. We recommend that you verify your policies before
setting up socket filtering. Your organization might not allow network heartbeat checks.
Network Connectivity
Use of any SFA requires that the following network connectivity prerequisites be met:
Port 8550 or a configured substitute must be allowed between the target host containing the SFA
and the CA Privileged Access Manager appliance.
Port 443 must also be open to allow communication back to CA Privileged Access Manager,
including messages for CA Privileged Access Manager log entries.
Use the following optional procedure to monitor the status of SFA agents from the CA Privileged
Access Manager web interface.
To accommodate earlier product releases, refer to the Release Notes for your product.
Permission Level
SFA installation requires administration privileges, such as those provided by the Windows default
Administrator account or the UNIX root account.
Windows OS Support
You can install Windows SFAs on a target device that has one of the following Microsoft Windows
operating systems:
To accommodate other target device operating systems with previous releases of SFAs, refer to the
Release Notes for your product.
UNIX OS Support
You can install UNIX SFAs on a target device that has one of the following operating systems:
AIX 7
To accommodate other target device operating systems with previous releases of SFAs, refer to the
Release Notes for your product.
1. Ensure that all installation prerequisites are met. See Installation Requirements (see page 179)
.
2. Log in to the target Windows device as a local administrator. Do not log in using a domain-
based user account.
3. Use the Add/Remove Programs window (or equivalent) to remove any existing Windows SFA
from the target device.
4. From the target device, log in to the CA Technologies Support website, and navigate to
Knowledge Base, Downloads > Socket Filter Agent Packages.
To change values after installation, use the configuration utility. See Configuration and Operation of
Windows SFAs.
The SFA works with Socket Filter Lists (SFLs) configured on the CA Privileged Access Manager
appliance. For details, see Configure the Appliance for SFAs (see page 186).
Launching the utility displays a dialog with the field described in the following table.
Log messages are stored in the log.txt file that is located in the installation directory.
Access the Windows Control Panel and use the Add/Remove Programs window (or equivalent).
Where sfa-version is the SFA release version and os-version is the UNIX version.
For example:
Depending on the OS, there are different methods of deploying the SFAs. Because minimal
configuration is required on the managed target device, an SFA can be deployed through preexisting
software delivery mechanisms.
Note
On UNIX and Linux targets, the Socket Filter Agent filters only non-root users; connections made as root are not subject to the Socket Filter Lists.
1. Ensure that all installation prerequisites are met. See Installation Requirements (see page 179)
.
4. From the target device, log in to the CA Technologies Support website, and navigate to
Knowledge Base, Downloads, Socket Filter Agent Packages.
7. In the directory you want to install the SFA, run the appropriate installer script for your target
Device OS:
[root]# sh download-loc/gksfd_sfa-version_os-version[_64]_linux_install.sh
A terminal window opens, allowing you to interact with the installer script.
8. Follow the online directions. When requested, supply a destination directory to install the
SFA. The default is /usr/sbin.
For AIX, the control script is installed in /etc/rc.d/init.d/. For all other versions of
UNIX, the control script is installed in /etc/init.d/.
If you specify a location different from the default installation location, you might encounter
unexpected behavior. CA Technologies recommends against moving from the default locations.
The SFA works with Socket Filter Lists (SFLs) configured on the CA Privileged Access Manager
appliance. For details, see Configure the Appliance for SFAs (see page 186).
The following table describes key settings in the gksfd.cfg configuration file.
gksfd [-options]
To apply persistent changes, set the UNIX SFA options in the rc.gksfd file.
1. Stop the gksfd daemon from the directory where the executable was installed. The
following is an example for Red Hat 5 Linux:
[root]# /etc/init.d/rc.gksfd stop
Note: To ensure proper performance, define no more than 8000 sockets in each SFL.
2. Select the blue link Manage Filters button in the top right corner.
The Manage Filters overlay window appears (showing the Command Filter Config template).
4. To the left of the Search field, click the blue link Create List.
The Create Socket Filter List pane replaces the Socket Filter Lists pane.
When used against LDAP users, socket filter whitelists must also include IP addresses of the
relevant domain controller or controllers. Because IP addresses can change in your
environment, whitelists can require relatively active management (that is, updating) of the
filters.
8. Click the Save button to save the settings and close the editing pane.
The list is now effective, and available for inspection or editing with the Socket Filter Lists pane.
1. Select from the Menu Bar: Policy, Import/Export Socket Filter Lists.
The Import/Export Socket Filter Lists page appears.
This page allows you to create SFLs by importing a CSV file. A sample file is available by
selecting the Download Sample File button. See Figure 7 and Table 4.
2. Use the Browse button to select the CSV file for import and select Import Socket Filter Lists to
upload.
3. Optionally use the Export Socket Filter Lists button to export existing SFLs from CA Privileged
Access Manager to a CSV file. These lists can be stored, modified and imported or reimported
later.
2. Select the blue link Manage Filters button in the top right corner.
The Manage Filters overlay window appears (showing the Command Filter Config template).
Select the gray link button Socket Filter Config.
The Socket Filter Config pane appears, prepopulated with default values.
3. Adjust where necessary the fields and click the Save Socket Filter Config button to save the
settings.
Field Description
Basic Info
Agent Port - The default is 8550. The value must match the port where the agents are listening. NOTE: The socket filter agents must be configured to use the same port.
SFA Monitoring - IMPORTANT: This check box must be selected for filters to be monitored (in addition to device filter specification on the specific device page). Enable this option if the policies include disallowing users to log on to a device if the agent is not running. Agent status also appears in the Devices menu button under Socket Filter Agent.
Appliance ID - A unique number that refers to each physical appliance, and must be set when using SFA agents with Windows. Thus, when CA Privileged Access Managers are clustered, each member must have a unique ID.
Log All Access - When selected, logs all access activity (whether the device is an entry on a whitelist or is missing from a blacklist). PREREQUISITE: Second-generation Socket Filter Agent installation is required.
Messages
Violation Message - Provides the ability to customize the message that appears to the user when a policy is violated. When the following strings (including brackets) are used in a Socket Filter Config message, they are substituted as specified:
NOTE: Double-byte characters such as those used for traditional Chinese are permitted.
Violation Additional e-mail Message - The area for information that is sent to "super" if violations occur. PREREQUISITE: Administrator email must be configured. NOTE: Double-byte characters are NOT permitted in email messages. (They are permitted only in screen messages.)
Action
# Violations Before Action - The number of violations that are permitted to occur. When the violation count matches this threshold, the action that is specified in Action After Limit Exceeded is taken. Set this value to zero (0) if no count should be enforced. NOTE: The count of violations is persistent on a per user-device basis regardless of how many times the user connects. Thus a user cannot reset the count by reconnecting and trying again.
Action After Limit Exceeded - Select the appropriate action to comply with policy when the user exceeds the number of violations.
17-Feb-2017 189/416
CA Privileged Access Manager - 2.8
A command-filtering blacklist is a list of commands that a user cannot type. If the user attempts to
type the command, CA Privileged Access Manager can flag (log), alert, remediate, and stop the
command from being processed. All other commands are allowed.
A command filtering whitelist is a list of the commands that a user can type. All other commands are
prohibited.
Note: Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.
2. In the upper corner of the white page body, select the Manage Filters link.
The Manage Filters overlay window appears (showing the Command Filter Config template).
3. Near the top of this window, select the gray link button Command Filter Lists.
The Command Filter Lists pane appears.
Note: Before you set up lists, the field displays "No Results." After you set up lists, a list can be
selected here and edited.
This denial applies per character: after sufficient characters (literal Keyword or Regexp) have
been entered to match a violation criterion, the specified action (Alert/Block) is applied. (See
the following control definitions for more information.)
When a CA Privileged Access Manager user submits a CLI command to a device, and the policy specific
to this user-device combination specifies this whitelist, then any command that this user requests
that is on this list, and only a command on this list, is allowed.
Note: Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.
This allowance applies per line entered (that is, the permission test is made after a
linefeed/Enter/carriage return).
7. Into the Keyword field, enter a command string. Depending on which type of list you are
creating:
If you are creating a blacklist, then for each Keyword to test, you must select one or more
controls:
a. Alert: If you want an alert message to be sent when the Keyword is matched.
b. Block: If you want the command line containing the Keyword to be canceled immediately
(prevented from executing).
c. Regexp: If the Keyword field specifies a regular expression to be applied to the actual
command line entered. Whenever a command that is entered by the User conforms to the regexp,
the command is flagged as a violation.
When both Regexp and Alert are selected, then for security reasons the body of the alert
message that is sent does not include the regular expression string (Keyword).
At least one of these three options must be chosen. Otherwise, the Keyword has no effect.
Important: When populating the Keyword field for a blacklist using Regexp, begin with a
start-of-line metacharacter (ordinarily ^) so that the expression can match only at the
beginning of the command line. Because a blacklist keyword string is evaluated character by
character as the user types, the end-of-line metacharacter (ordinarily $) is never interpreted
and is therefore unnecessary.
Example:
To match (prevent) a user key entry of exactly who -a, fill the Keyword field with the
following regular expression:
Correct: ^who -a
Incorrect: who -a (unanchored, so it also fires wherever who -a appears later in a line)
If you are creating a whitelist, then for each Keyword to test, you can select:
a. Regexp: If the Keyword field specifies a regular expression to be applied to the actual
command line entered. The regular expressions that are permitted follow the syntax supported by
the (Perl-based) Oracle® java.util.regex API. Only when a command that is entered by the User
conforms to one or more of the regexps or literal commands in this whitelist is the command
allowed.
Important: When populating the Keyword field for a whitelist using Regexp, it does not matter
whether you include the start-of-line (ordinarily ^) or end-of-line (ordinarily $)
metacharacter, because the entire line is tested against the expression.
Example:
To allow exactly who, any of the following is correct:
who
^who
^who$
who$
Example:
[Li][Ss] +
This regular expression permits variations of upper or lower case on the Unix command ls, but
requires at least one space after the command for the expression to be accepted (ls alone is
rejected).
Example:
[Li][Ss] +\-[LlAa][LlAa]?
This is a variant of the previous example, based on ls -al, in which upper and lower case are
again permitted. The order of the two characters a and l is arbitrary, and one or more spaces
are required between the command and its argument. Because a whitelist expression is
implicitly anchored by start-of-line and end-of-line metacharacters, trailing spaces are
prohibited. Note that the character class does not enforce distinct letters, so ls -aa and
ls -ll are also accepted; use (?:al|la) if only those two orders should pass.
8. To add another Keyword specification, click the Add Keyword button to open the template
for a new specification line, and fill in the fields for that line.
10. Click the X (close) button to exit the overlay window and return to the Manage Policies page.
Copy the sample file to a new file, and edit it for your use.
Note: In an imported CSV file, if a blacklist line has the same key fields (Type, List Name,
List Type, and Keyword) as an earlier line in that file, the later line replaces the earlier
one. In other words, the Alert, Block, and Regexp values that are applied are those of the last
key-matching line read.
Use the Browse button to select the CSV file for import and select Import Command Filter
Lists to upload.
Also, Export Command Filter Lists allows users to export existing lists from CA Privileged Access
Manager to a CSV file. These lists can be stored, modified and imported.
2. In the upper corner of the white page body, select the Manage Filters link.
The Manage Filters overlay window appears, showing the Command Filter Config template.
3. Adjust the fields where necessary, and click the Save Command Filter Config button to save
the settings.
SSH Connections
You can provision a CA Privileged Access Manager device to permit execution of sudo or BeyondTrust
PowerBroker pbrun using the login password for the device from the SSH Access Method applet.
Important Configuration Security Requirement: Configure sudo or pbrun on the target so that each
execution requires a password from the client. Otherwise, security can be compromised.
Usage
Target Support
OS versions: Unix and Linux
Unix/Linux Configuration
Configure sudo or pbrun for target Devices to request a password (to which CA Privileged Access
Manager responds transparently) every time that it is invoked. For example, set
timestamp_timeout=0 in sudoers so that there is no interval during which sudo executes without
asking for a password. Otherwise, CA Privileged Access Manager security can be compromised.
1. Create or open an existing Device record on the Devices, Manage Devices page.
a. If this is a new Device record, populate at least the required attributes (labeled in red).
c. Scroll to the Transparent Login panel near the bottom of the record. Depending on
whether you want to use sudo or pbrun (or both), fill in:
ii. Password Prompt with the prompt (or a fully static substring of it) for user
password input that is presented immediately upon executing sudo/pbrun.
The longer the literal string you provide, the less likely it is that other session
output is mistaken for the prompt and answered with the password, so the greater the
security you have. The full prompt that the user sees might be
"[sudo] password for user: ", where "user" represents the dynamically applied
actual username. The longest static string that can be applied here is then
"[sudo] password for ", so use that string.
d. Complete provisioning of other Device fields as needed or desired, and click Save.
2. Create or open an existing policy record on the Policy, Manage Policies page.
a. Scroll to the Transparent Login panel near the bottom of the record, and select its
checkbox. This option allows you to turn transparent login on and off for a particular
User/User Group (analogous to the on/off communication method selections in Access).
b. Complete the provisioning of other Policy fields as needed or desired, and click Save.
Transparent login is now ready for Access use to this Device.
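The requirement above is that every sudo or pbrun invocation asks for a password, because transparent login only supplies the password in response to the configured Password Prompt. The following Python script is an added example written for this page, not part of the product: it audits a sudoers policy for the settings that let sudo skip the prompt (a non-zero or negative timestamp_timeout, NOPASSWD rules, and Defaults !authenticate) and derives the longest static prefix of the passprompt, which is the string to enter in the Password Prompt field. The two sudoers texts are constructed for the example; pbrun policies are not covered, and the compiled-in default prompt is assumed to be sudo's "[sudo] password for %p: ".

```python
import re

# Two constructed sudoers policies written for this example (not from the page).
# The first still prompts for some commands but not for all; the second meets
# the requirement that every sudo invocation asks for a password.
WEAK_SUDOERS = """\
Defaults    env_reset
Defaults    timestamp_timeout=15        # credentials cached for 15 minutes
Defaults    passprompt="[sudo] password for %p: "
%ops   ALL=(ALL) NOPASSWD: /usr/bin/systemctl
alice  ALL=(ALL) ALL
"""

HARDENED_SUDOERS = """\
Defaults    env_reset
Defaults    timestamp_timeout=0         # prompt on every invocation
Defaults    passprompt="[sudo] password for %p: "
%ops   ALL=(ALL) /usr/bin/systemctl
alice  ALL=(ALL) ALL
"""

# sudo's built-in default when no passprompt is configured (assumption).
DEFAULT_PASSPROMPT = "[sudo] password for %p: "


def static_prompt_prefix(template):
    """Longest literal prefix of a passprompt template.

    sudo expands %p, %u, %U, %h and %H at run time (%% is a literal percent
    sign), so only the text before the first escape is stable enough to enter
    as the Device's Password Prompt."""
    m = re.search(r"%[puUhH%]", template)
    return template if m is None else template[: m.start()]


def audit_sudoers(text):
    """Report every setting that lets sudo run without prompting.

    Returns (findings, password_prompt). An empty findings list means each
    sudo invocation asks for a password, which transparent login relies on;
    password_prompt is the string to configure as the Password Prompt."""
    findings = []
    timeout = None
    passprompt = DEFAULT_PASSPROMPT
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("Defaults"):
            m = re.search(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", line)
            if m:
                timeout = float(m.group(1))
            if re.search(r"!authenticate\b", line):
                findings.append("Defaults !authenticate disables the password prompt")
            m = re.search(r'passprompt\s*=\s*"([^"]*)"', line)
            if m:
                passprompt = m.group(1)
        elif re.search(r"\bNOPASSWD\s*:", line):
            findings.append("NOPASSWD rule never prompts: " + line)
    if timeout is None:
        findings.append("timestamp_timeout unset: sudo's compiled-in default "
                        "caches credentials for several minutes")
    elif timeout < 0:
        findings.append("timestamp_timeout=%g: negative values cache credentials "
                        "until the session ends" % timeout)
    elif timeout != 0:
        findings.append("timestamp_timeout=%g caches credentials instead of "
                        "prompting on every invocation" % timeout)
    return findings, static_prompt_prefix(passprompt)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        findings, prompt = audit_sudoers(policy)
        print(f"{name}: Password Prompt = {prompt!r}")
        for finding in findings or ["OK: every sudo invocation prompts"]:
            print("  " + finding)
```

Run it against the output of visudo -c -f or a copy of /etc/sudoers and the files in /etc/sudoers.d; any finding means a path exists where sudo runs without the prompt that transparent login answers.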
User Experience
The User logs in as usual to the target Device using the SSH Access Method applet. When sudo or
pbrun is invoked, the normal password prompt is not displayed to the User. Instead, CA Privileged
Access Manager supplies the password that was passed in during auto-connection, and sudo/pbrun
continues directly into executing its argument commands.
Complex Commands
You can use a configured privileged command (sudo or pbrun) anywhere, and multiple times, on a
command line while CA Privileged Access Manager provides the login user password for
uninterrupted completion.
You can also use a configured privileged command (sudo or pbrun) on multiple lines, such as
inside a shell loop that ends with done, while CA Privileged Access Manager provides the login
user password for uninterrupted completion.
Unsupported Syntax
We do not support the following uses:
Sending a sudo command argument to the background, as in: $ sudo updatedb &
Stringing a sudo command directly after vi exit commands, as in: :wq sudo updatedb, before
exiting vi with the Enter key.
Best Practices
If a password prompt ever appears during execution of a sudo or pbrun command in a Windows
Device that is configured for secondary transparent login, exit using Ctrl-C. Any other response
might trigger a password lockout. Example: Pressing Enter or another key entry.
Audit Logs
Following each invocation of sudo or pbrun, an audit log entry like the following example is made:
2016-03-11 01:16:27 user xsso ubuntu Executed "sudo pwd" using transparent
RDP Connections
You can implement transparent login for a Windows RDP server for secondary access through an
application on that Device. As with CA Privileged Access Manager HTML WebSSO, the administrator
uses "Learn Mode" to teach the product to recognize the relevant access interface of a target
application. In this case, it is a CA Privileged Access Manager-configured RDP Application.
A significant feature of this implementation is that no storage of credentials or software is needed on
the target RDP server side. No installation of agents is needed on the access client or the RDP server.
Optionally, these applications can be cached for improved load times.
No special configuration is required on CA Privileged Access Manager or the target Device. The
provisioning process as described here embodies the required setup.
Target Support
OS versions: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012; x86 and x64
versions for each
Applications: VMware vSphere Client and vSphere Client console; Microsoft SQL Server
Management Studio; WinSCP; Dell Toad; PuTTY; Oracle SQL*Plus
Windows Configuration
Windows (RDP server) devices that are the targets of CA Privileged Access Manager transparent login
require the following configuration to work properly.
If you are using a signed certificate on CA Privileged Access Manager, you must install the CA
certificate on each Windows target Device. Import this certificate as a Trusted Root.
Session Recording
For transparent login activity to be successfully recorded when using Internet Explorer, the
administrator must add every equivalent CA Privileged Access Manager address (for example, both
the cluster VIP name and the VIP address) to the browser security settings:
2. Click the Security tab, then Trusted Sites, and then the Sites button.
3. In the Trusted sites dialog window, key in and Add each equivalent CA Privileged Access
Manager address in use. Click Close to exit Trusted sites.
This setting might not work fully. If that is the case, try this additional configuration in Internet
Options:
1. Click the Connections tab, then LAN settings. If the Proxy server checkbox is selected, click
the Advanced button.
3. Click OK to save and exit Proxy Settings, then click OK again to save and exit Local Area
Network (LAN) Settings, and then OK again to save and exit Internet Options.
3. For security reasons: In the RemoteApp Properties dialog, Command-line arguments option
buttons, select "Always use the following command-line arguments". Set its arguments to use
the following string.
Note: Whether you copy-and-paste this string or enter it manually, ensure that you do not
introduce any additional hidden characters or white space. Otherwise, the command might
not work.
2. Install the Remote Desktop Session Host role using the following advice:
http://technet.microsoft.com/en-us/library/cc742813.aspx
4. For security reasons: In the RemoteApp Properties dialog, Command-line arguments option
button, select the Always use the following command-line arguments option. Set its
arguments to use the following string.
Note: Whether you copy-and-paste this string or enter it manually, ensure that you do not
introduce any additional hidden characters or white space. Otherwise, the command might
not work.
2. Install the Remote Desktop Session Host role using the following advice:
http://social.technet.microsoft.com/wiki/contents/articles/10421.deploying-the-rds-quick-start-deployment-type-in-windows-server-2012-for-session-virtualization.aspx
4. For security reasons: In the RemoteApp Properties dialog, Command-line arguments option
button, select the Always use the following command-line arguments option. Set its
arguments to use the following string.
Note: Whether you copy-and-paste this string or enter it manually, ensure that you do not
introduce any additional hidden characters or white space. Otherwise, the command might
not work.
1. Preparing Target Device records, including an RDP server hosting an RDP Application
2. Running the Learn Tool at the RDP server in coordination (through the RDP Access Method
applet) with CA Privileged Access Manager
To run Learn Tool and edit transparent login configurations, a CA Privileged Access Manager
administrator must have at minimum the role of Service Manager. This permits the servicesRead,
servicesManage, and servicesDelete privileges. Among the preconfigured roles, these privileges are
also provided only to the Global Administrator and Operational Administrator roles.
Prepare Targets
Initially, as the CA Privileged Access Manager administrator, you provision a Device and the RDP
Application that is the target (or intermediary) of the transparent login. You might also want to
provision (in Credential Manager) the primary access credentials that are consumed during login to
the Device. At this stage, you do not need to provision the secondary credentials that are consumed
by the RDP Application.
This example procedure uses the execution of a connection to a Linux target Device using the RDP
Application PuTTY.
1. Confirm that you have provisioned in CA Privileged Access Manager your desired target
Device, and that the target RDP Application (which is configured later in CA Privileged Access
Manager) is installed on that Device.
2. If needed, log in to CA Privileged Access Manager as the administrator responsible for Learn
Mode.
4. Mouse over the RDP link to the target Device so that (after a moment) it displays the RDP
options pop-up window.
b. You might also want to expand the size of your RDP window in Resolutions to the
largest practical value (for example, "Fullscreen"), because Learn Mode is easier to use
when there is a large target desktop.
Your RDP applet and connection launches. Following login, a script window appears telling
you that the Learn Mode Tool ("Transparent Login Learn Tool") is launching. After a minute,
this script window disappears and in a few minutes you see the initial Learn Tool window. If
transparent login configurations are already set up on CA Privileged Access Manager, they
show up in the drop box near the upper left corner of the Learn Tool. See the procedure in the
next section.
With the Learn Tool, you can create a configuration script that allows CA Privileged Access
Manager to recognize the username, password, submit, and other widgets of an RDP
Application when your Users connect to that application. This script also automatically
populates and executes them for transparent login. During script execution, the XML line
items in the script are sequentially compared against the characteristics and the current state
of the application for eventual login execution. PuTTY is used as the example in this exercise.
Initially, several configurations (Transparent Login Configs, or TLCs) can be pre-populated in
CA Privileged Access Manager. As the Learn Tool is launched, these configurations are loaded
into Learn Tool memory and are available from the configuration name drop-down list.
6. In this example, we create a new configuration. First, assign it a name. (This name is found in
the Transparent Login Configs list on CA Privileged Access Manager, and editable in the
configuration Name field, later when you prepare your RDP Application record.) Here, we
used "PuTTY-to-LinuxTarget1":
a. Click the "Add new configuration" button, and in the dialog window enter a Name, and
click OK.
b. The configuration name now appears in the field to the left of that button. To save the
(currently empty) configuration in CA Privileged Access Manager under this name, click the
"Save configuration" button.
7. Open your target RDP application; a configuration interface is ordinarily presented (the PuTTY
Configuration window).
While both the Learn Tool and the application are open during this procedure, you populate
the Learn Tool script window (the body of its GUI). You identify widgets on the target
application using one of several Learn Tool widgets that are detailed in the following tables.
Each use of a scripting widget inserts a script command.
When executing PuTTY using its GUI, the simplest procedure might be to specify a target
address, then execute a connection using PuTTY default parameters, and then automatically
submit the username and password to effect a login:
First, you identify for the Learn Tool the location of the PuTTY Session screen, Host Name (or
IP address) field so that when the script is run, CA Privileged Access Manager knows where to
insert that address.
8. To create the script command that provides this, select the "Text input" tool. Like each of the
other Learn Tool scripting controls, this tool invokes an Add Edit Tag dialog window in which
you specify parameters to identify and populate this command.
The first field is the Element type. In this case, select the default "Text Field", as this is the
type of control that PuTTY Host Name (or IP address) control widget is. (The other choices are
"Drop Down List", "Checkbox", "Radio Button", and "Keystrokes"). To identify where this field
is, provide the Element Id. The first step to doing this is to invoke the application AutoIt
Control Viewer (v. 1.1) from the Learn Tool menu:
9. Click the "Run Control Viewer" button from the Learn Tool menu bar. You might briefly see a
script window, and then in a minute or so the Control Viewer window appears. Now you have
three windows.
Note: The Learn Tool window is resizable.
10. In the Control Viewer window, press and hold your mouse over the Browse Tool square area
to the upper right. A magnifying glass icon appears, which is your control selection cursor.
While you hold your mouse down, move this cursor over to the location of the widget (GUI
field, or control) that you want to identify.
As you move the cursor, the control of the target application that is under the cursor displays
a red outline. Depending on how the application (PuTTY) was designed, the red outline might
refer to a single control or a group of controls.
a. If the specific control (here, the host name field) you are looking for is already outlined
in red, you would now skip the remainder of this step 10.
b. In this case, however, a group of controls is selected, and you have not (yet) been able
to identify the Host Name (or IP address) field itself.
i. To do this, look at the additional characteristics for this specific control,
highlighted in blue in the Controls list at the bottom of the Control Viewer window.
This list also identifies any subordinate controls contained by that control. In this
case, we want to identify the specific host name control.
ii. Scroll that list to select the other controls in the list, one by one, until you
match the one you are searching for. When the selected control is outlined,
note (under the Control tab in the central Info group) its full Instance name: here,
"[CLASS:Edit; INSTANCE:1]".
11. Now that you have identified the exact field that CA Privileged Access Manager needs to
populate, go back to finish using the Learn Tool Add Edit Tag window that you opened in step
8:
a. Select the entire Instance name (from open bracket to close bracket, inclusive), and
copy it in the Element Id field.
b. In the Value type field, select the "text" option. (The other two options are
"username" and "password", which refer to data that is supplied by CA Privileged
Access Manager during execution, and not embedded in the script.)
c. In the Value field, enter the IP address that you use to populate that PuTTY field.
Alternatively, you can specify a variable hostname by using *Value type="host" (which
has a fixed Value="true"). In that case, the Device that is associated with the
secondary Target Account specified in policy is used. See also Element type
='Keystrokes' in step 14, in which a Target Account is also used to populate username
and password.
d. Click OK to insert the populated script command. It appears in the script body.
12. The second element in the PuTTY Configuration window you identify is the Open button (on
the same screen), which is used to execute the connection:
a. Use the Control Viewer procedure of step 10 to identify the Element Id for this button.
b. Once you have that ID, open the scripting tool that is appropriate for it, the "Mouse
click" tool, because that is how this PuTTY control is used. The Add Mouse Click Tag
popup window appears.
c. We are using the first option, Click on the element. (The other option allows you to
specify a specific pixel location for the mouse click.) Enter the Element Id value that
you identified in step 12a into the Id field.
d. Click OK to insert the populated script command. It appears underneath the first
command you entered.
You have now specified the two elements that provide PuTTY a destination.
However, the point of the transparent login feature is to insert CA Privileged Access Manager-
supplied credentials transparently. Although the PuTTY application closes its configuration
window and opens a console for execution of the SSH connection, we can continue with the
same script to provide those credentials.
PuTTY opens its console and communicates with the target Linux Device. Doing this might
take some time, and we can account for it in the script:
13. Click the "Sleep" clock icon to open a new widget in which you enter a number of
milliseconds. As a rough estimate, you might want to provide, say, 1000. This allows PuTTY to
open and close its windows and be ready with the prompt it receives from its target device.
Now you can assume that your console window is ready with the first of its login prompts
from the target, for the username. The Learn Tool allows you to enter a script command that
recognizes the Target Account's Account Name:
14. Select again the "Text input", and this time set up the Add Edit Tag as shown, with Element
type="Keystrokes" (and then Element Id="window" by default) and Value type="username".
Click OK. The script command that is created grabs the Account Name from the Target
Account provided by CA Privileged Access Manager through your Policy specification (as
explained later in this procedure), and passes it along to the PuTTY target.
15. However, to submit the username to the OS then, you have to send a return command. That
is, the Enter key: Use the "Text input" tool as in the previous step, but this time set Value type
="text", and for Value, click your mouse inside its field and press the Enter key. The field then
displays the text: {ENTER}. Click OK to insert this tag.
16. Likewise, use the "Text input" tool to set a second command with Value type="password".
Remember before entering that command to insert another "wait" command using the
"Sleep" tool as already explained. You might need to experiment for the most efficient wait
times.
Save this TLC by clicking the (now-active) Save configuration floppy disk icon near the right
side.
Now you should be ready with your script. However, you might want first to test it to see that
it performs as expected. CA Privileged Access Manager provides this capability with the
"Debug" tool.
17. (Optional) To test your configuration, run the Debug tool. This feature executes the currently
staged TLC script while displaying debug-level messages in a console.
a. Click the "Debug" tool button to open the Run dialog window.
b. In the App path field, use the browse […] button to the right to specify the location of
the RDP Application executable.
c. Enter the Title that this (first) window has, so that Debug can locate it.
d. When credentials and destination must be supplied to execute script processing fully,
enter these in Username, Password, and Host.
e. When you are ready to run the debug program, click Run.
The Debug console appears.
i. The Debug program first checks each tag for syntax errors, providing feedback
in the console, under an initial "App #1" line label.
ii. When you bring the RDP Application window (manually) into focus, the Debug
program then executes the script. The sequence is labeled ("Try #1"), and then
feedback is provided for each tag.
iii. If a tag fails to execute successfully, the script is restarted and executes again.
18. (Optional) To improve security in confirming your target application, generate and copy the
SHA-1 digest for the RDP Application by using the Learn Tool's Get Application Fingerprint
feature. When configuring the RDP Application in CA Privileged Access Manager, copy this
value into the Application Fingerprint field.
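Before a TLC is run through Debug, the script can be checked statically for the mistakes Debug's syntax pass would report. The following Python linter is an added example written for this page, not the Learn Tool's own syntax check: it parses a <window> script built from the tag forms listed in the Reference that follows (activate, edit, click, sleep, verify, checkimg), confirms that each tag carries the attributes its form requires, that element IDs use the AutoIt [CLASS:...; INSTANCE:n] format shown by the Control Viewer, and that a checkimg payload decodes to PNG data. The sample script and its control IDs are placeholders; the attribute names for username, password and host values are not shown on this page, so the linter accepts any second attribute on an edit tag (an assumption).

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed <window> script for this example, built only from tag forms that
# appear in the Learn Tool reference; the control IDs and the host address are
# placeholders, not values captured from a real PuTTY session.
SAMPLE_TLC = """\
<window>
  <activate />
  <edit id="[CLASS:Edit; INSTANCE:1]" text="10.0.0.5" />
  <verify component="radiobutton" id="[CLASS:Button; INSTANCE:7]" />
  <click id="[CLASS:Button; INSTANCE:12]" />
  <sleep time="1000" />
  <checkimg content="iVBORw0KGgo=" />
  <click pos="center" />
  <click x="123" y="72" />
</window>
"""

# AutoIt advanced control identifier, as shown by the Control Viewer.
AUTOIT_ID = re.compile(r"^\[CLASS:[^;\]]+; INSTANCE:\d+\]$")
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _good_id(value):
    return value is not None and AUTOIT_ID.match(value) is not None


def lint_tlc(script):
    """Static check of a Transparent Login Config script.

    Returns a list of problems ("tag N <name>: ..."); an empty list means the
    document is well-formed, its root is <window>, and every child is one of
    the documented tags with the attributes its form requires."""
    try:
        root = ET.fromstring(script)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "window":
        return [f"root element must be <window>, found <{root.tag}>"]

    problems = []
    for n, tag in enumerate(root, 1):
        a = tag.attrib
        where = f"tag {n} <{tag.tag}>"
        if tag.tag == "activate":
            continue                                   # takes no attributes
        if tag.tag == "sleep":
            if not a.get("time", "").isdigit():
                problems.append(f"{where}: time must be a whole number of milliseconds")
        elif tag.tag == "edit":
            if not _good_id(a.get("id")):
                problems.append(f"{where}: id is not a [CLASS:...; INSTANCE:n] identifier")
            # text= is the documented value attribute; the names used for
            # username, password and host values are not shown on the page,
            # so any second attribute is accepted here (assumption).
            if len(a) < 2:
                problems.append(f"{where}: no value attribute")
        elif tag.tag == "click":
            if "id" in a:
                if not _good_id(a["id"]):
                    problems.append(f"{where}: id is not a [CLASS:...; INSTANCE:n] identifier")
            elif a.get("pos") == "center":
                pass
            elif not (a.get("x", "").isdigit() and a.get("y", "").isdigit()):
                problems.append(f'{where}: needs id=, pos="center", or numeric x= and y=')
        elif tag.tag == "verify":
            if "component" not in a or not _good_id(a.get("id")):
                problems.append(f"{where}: needs component= and a [CLASS:...; INSTANCE:n] id")
        elif tag.tag == "checkimg":
            try:
                data = base64.b64decode(a.get("content", ""), validate=True)
            except ValueError:
                data = b""
            if not data.startswith(PNG_SIGNATURE):
                problems.append(f"{where}: content is not base64-encoded PNG data")
        else:
            problems.append(f"{where}: unknown tag")
    return problems


if __name__ == "__main__":
    for problem in lint_tlc(SAMPLE_TLC) or ["no problems found"]:
        print(problem)
```

Paste the script body from the Learn Tool window into a file and run the linter over it; a clean result only says the tags are well-formed, so the Debug run is still needed to confirm the IDs resolve against the live application.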
Reference
Menu: Description

View > Always on Top: When selected, this feature keeps the Learn Tool window in front of all other
windows, even when it is not in focus. The selection state is persistent: after logging off this
Device and then logging in again, the option value (whether selected or unselected) remains the same.
Default: Selected

Action > Clear cache: Select to remove currently cached applications. When cache is set to "Enable"
in Global Settings, Applet Customization, Transparent Login Cache, the Windows target caches the
Transparent Login Agent (TLA), Learn Tool, and Control Viewer that are downloaded during connection
from CA Privileged Access Manager when transparent login has been configured, provisioned, and
activated. On subsequent connections to that Windows target, the load times for these applications
are reduced.

Help > Learn Tool Help: Opens the Compiled HTML (CHM) Learn Tool Help file, which contains detailed
descriptions of the Learn Tool controls.

Help > About: Identifies the Learn Tool application and build versions in a dialog window.
Icon and Tooltip: Description

One set of <window></window> tags brackets a single-level sequence of XML commands for CA
Privileged Access Manager to manipulate the windows of an RDP Application. Each script control
inserts a line containing one XML tag with attributes at the end of the sequence, above the
</window> tag. You can copy-and-paste the XML tag lines as you would in a text editing program, so
you can move the lines when and where needed.
Camera icon, Screen verification: Allows insertion of a tag that checks that a portion of the screen
image of the transparent login application matches a screen capture saved previously, when the tag
was created.
Usage
1. After selection, the mouse cursor becomes a cross-hair, while the full screen area of the RDP
window dims and becomes an active grid. Meanwhile, the Learn Tool window is hidden from the desktop
so that it does not interfere with screen capture.
2. Use the cross-hair cursor to define a rectangle that selects a portion of the RDP Application GUI
to be compared to the same GUI at run time.
3. After mouse-up, the Screen Capture Preview dialog window displays the comparison screen capture
and the Generated XML Tag to be inserted, with the image carried as a PNG character (base64)
representation.
4. Click OK to insert this tag and show the Learn Tool window again.
Note: Ensure that the image portion captured does not vary from application invocation to
invocation, and matches whether the window is active or inactive, and so on.
Example (truncated): <checkimg content="iVBORuu ... C6kYII=" />
Clock icon, Sleep: Allows insertion of a tag that pauses the script for a configurable number of
milliseconds.
Usage: Upon selection, opens the Add Sleep Time Tag pop-up window to specify the milliseconds, then
inserts the tag at the end of the script.
Example: <sleep time="500" />

Duplicate windows icon, Activate window: Allows insertion of a tag that places the named window into
focus.
Usage: Upon selection, inserts this tag at the end of the script.
Example: <activate />
Mouse icon, Mouse click: Allows insertion of a <click> tag, which effects a mouse-click at a
specified location: on a specified button as identified using the Control Viewer; or at the center
of the target window; or at a location specified "x" pixels from the left and "y" pixels from the
top of the target window.
Example (button): <click id="[CLASS:TEdit; INSTANCE:2]" />
Example (window center): <click pos="center" />
Example (location): <click x="123" y="72" />
Page with pencil icon, Text input: Allows insertion of a tag that submits one of these data types:
Edits a specified control (field, drop-down list, checkbox, radio button) so that it contains
specified data (text, sequence value, Boolean value).
Sends a text string, composed of literal value(s), keystroke shortcut(s) or label(s), or
parameter(s) provided by CA Privileged Access Manager such as username or password.

Element type | Element Id | Value type | Value
"Text Field" | As determined through Control Viewer (see the example in the procedure) | "text" | String, to populate the field
"Text Field" | As determined through Control Viewer | "username", "password", or "host" | "true": for the specified Value type, TLA sends the Value attached to the User policy through the target account record
"Combobox" | As determined through Control Viewer | "text" | String, matching a (drop-down) list option
"Combobox" | As determined through Control Viewer | "index" | Integer, as specified to select the ordinal location of a (drop-down) list option
"Keystrokes" | "window" (or none) | "text" | As specified: (a) strings, and (b) keystroke labels such as {ENTER}
"Keystrokes" | "window" (or none) | "username", "password", or "host" | "true": as for "Text Field"

Element type | Element Id | Checked
"Checkbox" | As determined through Control Viewer | "True" or "False"
"Radio Button" | As determined through Control Viewer | "True"

Example (using "Text Field", "text" options in dialog): The following tag inserts the text string
"123" (without quotes) into the ID-specified text field:
<edit id="[CLASS:TEdit; INSTANCE:1]" text="123" />
Check mark icon (Element Verification): Allows insertion of a tag that confirms or denies existence
of an element, and optionally that element in a specified state (for example, a text field
containing a particular string).
Element types: Text field | Combobox | Checkbox | Radio Button
Element Id: Code identification of GUI feature obtained through Control Viewer.
Value: Literal. Ranges: Checkbox and Radio Button: (only) "checked"
Example: The following tag verifies that the radio button identified has been selected:
<verify component="radiobutton" id="[CLASS:TRadioButton; INSTANCE:3]" />
If the component is not confirmed, the TLC script halts.
Page with magnifying glass icon (Run Control Viewer): Runs the third-party, Learn Tool bundled
application, AutoIt Control Viewer version 1.1.
This application can be used to determine the Element Id when needed in a script
command. (No other Control Viewer functions are needed for CA Privileged Access
Manager use.)
Usage (to identify a control or widget): See example in steps 9-10 of the procedure
above.
Usage (to identify a window name): To populate the <window id=""> XML tag (top
line of the TLC):
1. From the Control Viewer window, in the Browse Tool box in the upper right,
click your mouse and hold it down to show the magnifying glass cursor.
2. While holding your mouse down, drag the cursor so that it is over your RDP
Application window title bar, then let your mouse up.
3. In the Control Viewer Info panel, Window tab, Class row, copy the text from
its field. For example, for PuTTY, Control Viewer might display
"PuTTYConfigBox".
4. Paste the text from that field into the string below:
[CLASS:WindowID; INSTANCE:1]
substituting "WindowID" with your actual value.
5. Paste the entire revised string between the quote marks into the <window
id="" /> tag on the first line of your TLC.
Play icon (Debug): Runs the TLC script currently staged in the Transparent Login Configuration
panel (the main body of the window).
Usage: See example in step 17 of the procedure above.
Drop-down list (configuration name) (Filter by name / configuration list): Displays the name of the
configuration staged in the Transparent Login Configuration field (the 'body' of the window).
This drop-down list lists transparent login configurations, either:
(a) all staged in the Learn Tool
Duplicate pages icon (Copy configuration):
1. While a configuration file is staged, this button opens a dialog window into
which you can enter the name for a new configuration.
2. The content of the first configuration is then copied into the new
configuration (so it appears in the Learn Tool GUI as if only the name has
changed). You can then edit and save to that new file.
Page with X icon (Remove configuration):
1. Opens a dialog window for confirmation.
2. Upon selection, removes the currently staged configuration from the Learn
Tool and the file from CA Privileged Access Manager.
Floppy disk icon, inactive (gray) or active (blue) (Save configuration): When active, saves the
currently displayed configuration to CA Privileged Access Manager.
Floppy disks icon, inactive (gray) or active (blue) (Save all changes): When active, saves all
configurations staged in the Learn Tool drop-down (that differ from currently saved versions) to
CA Privileged Access Manager.
Cycle arrow icon (Refresh all): Loads all currently saved CA Privileged Access Manager TLCs into
Learn Tool. If there are unsaved configurations in the Learn Tool, they are erased.
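The tag reference above gives the forms a TLC script is built from: window, activate, sleep, edit, click, verify and checkimg. The following Python linter is an added example, not code from the CA documentation or the product: it checks a constructed TLC before it is saved into Learn Tool, confirming that the first tag is <window>, that every Element Id follows the [CLASS:...; INSTANCE:n] form produced by Control Viewer, that <sleep> carries a whole number of milliseconds, that <click> uses exactly one of its three addressing forms, and that <checkimg> content decodes to a PNG (the "iVBOR..." prefix in the truncated example is the base64 form of the PNG signature). The attribute names index, username, password and host on <edit> are assumptions drawn from the Value type column of the Text input table (only text appears in a full tag on the page), and the sample script is constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Element Id form produced by Control Viewer, e.g. [CLASS:TEdit; INSTANCE:1]
CONTROL_ID = re.compile(r"^\[CLASS:[^;\]]+; INSTANCE:\d+\]$")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # <checkimg content> is a base64-encoded PNG ("iVBOR...")
# Assumed attribute names for the <edit> Value type column; only "text" is shown in a full tag.
EDIT_VALUE_ATTRS = ("text", "index", "username", "password", "host")

# Constructed sample TLC assembled from the tag forms in the Learn Tool reference.
SAMPLE_TLC = """<window id="[CLASS:PuTTYConfigBox; INSTANCE:1]" />
<activate />
<sleep time="500" />
<edit id="[CLASS:TEdit; INSTANCE:1]" text="123" />
<click id="[CLASS:TEdit; INSTANCE:2]" />
<click pos="center" />
<click x="123" y="72" />
<verify component="radiobutton" id="[CLASS:TRadioButton; INSTANCE:3]" />
"""


def _tags(script):
    """Parse the flat tag sequence of a TLC. A synthetic root makes it valid XML whether
    the <window> tag encloses the other tags or simply precedes them."""
    root = ET.fromstring("<tlc>" + script + "</tlc>")
    return [el for el in root.iter() if el is not root]


def lint_tlc(script):
    """Return a list of problems found in the script; an empty list means it passed."""
    try:
        tags = _tags(script)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    if not tags or tags[0].tag != "window":
        problems.append('first tag must be <window id="..." />')
    for n, el in enumerate(tags, 1):
        a = el.attrib
        where = "tag %d <%s>" % (n, el.tag)
        if el.tag in ("window", "edit", "verify") and not CONTROL_ID.match(a.get("id", "")):
            problems.append(where + ": id must look like [CLASS:Name; INSTANCE:1]")
        if el.tag == "sleep":
            if not a.get("time", "").isdigit():
                problems.append(where + ": time must be a whole number of milliseconds")
        elif el.tag == "click":
            forms = [k for k in ("id", "pos") if k in a]
            if "x" in a or "y" in a:
                forms.append("xy")
            if len(forms) != 1:
                problems.append(where + ': use exactly one of id=, pos="center", or x= and y=')
            elif forms == ["id"] and not CONTROL_ID.match(a["id"]):
                problems.append(where + ": id must look like [CLASS:Name; INSTANCE:1]")
            elif forms == ["pos"] and a["pos"] != "center":
                problems.append(where + ': only pos="center" is documented')
            elif forms == ["xy"] and not (a.get("x", "").isdigit() and a.get("y", "").isdigit()):
                problems.append(where + ": x and y must be whole pixel offsets")
        elif el.tag == "edit":
            if not any(k in a for k in EDIT_VALUE_ATTRS):
                problems.append(where + ": needs a value attribute (%s)" % ", ".join(EDIT_VALUE_ATTRS))
        elif el.tag == "verify":
            if not a.get("component"):
                problems.append(where + ": component= is required")
        elif el.tag == "checkimg":
            try:
                data = base64.b64decode(a.get("content", ""), validate=True)
            except ValueError:
                data = b""
            if not data.startswith(PNG_MAGIC):
                problems.append(where + ": content must be a base64-encoded PNG")
        elif el.tag not in ("window", "activate"):
            problems.append(where + ": unknown tag")
    return problems


if __name__ == "__main__":
    for line in lint_tlc(SAMPLE_TLC) or ["OK: no problems found"]:
        print(line)
```

Running the linter in Debug's place catches the structural mistakes that otherwise only surface when the script halts at a <verify> tag during a live RDP session; it does not replace a Debug run, because it cannot know whether an Element Id still matches the application build in use.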
2. Near the top-right of the page, click the Transparent Login Configs link to open the shadow
page Manage Transparent Login Configs.
Here you can confirm that the configuration you created with the Learn Tool is now available
for use.
3. Select the line item for your configuration, and confirm that it is as created in the Learn Tool.
Alternatively, you can create a configuration file from scratch by clicking the Create
Transparent Login Config link to open a blank template and populating it. Configuration files
are not dependent on creation with the Learn Tool.
5. In the upper right, click the Create RDP Application link to open a blank template.
6. Fill in an RDP App Name that is helpful to your Users when they access the link from their
Access pages.
7. In Launch Path, provide the Windows pathname for the local target drive location of the
application.
8. In the Administration panel, select the Transparent Login checkbox to open the Transparent
Login panel below.
9. (Optional) In the Application Fingerprint field, paste the SHA-1 digest you generated while
using the Learn Tool.
10. Click Add Window. This opens a new line item that identifies the window of this RDP
Application that is used to execute a transparent login. After CA Privileged Access Manager
identifies the title of the designated window, it executes the associated configuration to
perform transparent login, or other behavior requiring credentials supplied by CA Privileged
Access Manager.
a. Enter the Window Title that is displayed in the RDP Application GUI.
c. If you want this configuration to be available to the User during any RDP session (with
access to the Windows shell) to this target Device, and not specifically during a session
to this RDP Application, select the RDP Session checkbox.
d. You can create more line items using Add Window if you want to assign more
transparent login configurations using this RDP Application. (For example, using PuTTY,
you might specify alternate targets or a different login parameter.)
12. Edit the CA Privileged Access Manager Device record for the Windows RDP server so that it
uses this RDP Application, now listed under Services.
Activate Policy
Because transparent login involves two or more sets of credentials, the CA Privileged Access Manager
Policy template provides for selecting the multiple credential pairs for each permitted RDP
Application: first, the credentials to access the RDP Application (in the example, "PuTTY"), and then
any additional credentials needed for secondary login ("PuTTY Configuration") to the secondary
target device (here, the Linux target).
Finally, in addition to your Service and Account provisioning, during policy preparation you must
select the Enabled checkbox in the Transparent Login panel at the bottom of the Policy template.
(This option is provided so that the transparent login feature for this policy can be easily switched on
or off without extensive reconfiguration of Service applications and credentials.)
Caching
Depending on your security needs, and after using the Learn Tool and testing transparent login
configurations, you might want to enable the Transparent Login Cache. This feature caches the Learn
Tool (when used), the Transparent Login Agent, and the Control Viewer (when Learn Tool is used) on
the RDP server so that they do not need to be loaded (onto a temporary local drive) during each login
at that Device, thus reducing application startup time.
Configuration
To turn on caching, set Global Settings, Applet Customization, Transparent Login Cache = "Enable".
Usage
During login at a particular target, you see confirmation of the caching storage in the RDP
initialization console of each application cached.
User Experience
Script windows and the application interface are displayed briefly as the automation proceeds, and
stops showing changes when the script completes.
Following selection of the RDP Application link PuTTY, the user sees this sequence following login at
the RDP server host:
2. The console for the transparent login agent (TLA) that is running on the local virtual drive
appears.
3. The RDP Application (PuTTY) is invoked, and (in this case) a configuration GUI is auto
populated and activated by the transparent login script, eventually invoking a second
interface (the PuTTY console).
4. The RDP Application (PuTTY) invokes a new window (the console interface), and is auto
populated by the continuing transparent login script. After the script completes, the console
interface is ready for User access.
Auditing
Logs
CA Privileged Access Manager logs each access attempt, for example:
2016-03-11 01:16:27 super login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP
Application "putty.exe" to "PuTTY Configuration" window as "dev"
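The log line quoted above is the one record the page gives of a transparent login. The following Python snippet is an added example, not part of the CA documentation: it parses lines in that format and summarizes which secondary accounts each CA Privileged Access Manager User reached, which is the view a reviewer wants when checking that transparent login only ever lands on the accounts a policy intended. The first sample line is the one quoted above; the other lines are constructed, and the split between the Device name and the rest of the message is an assumption about the format.

```python
import re

# Constructed sample: the first line is the format quoted in the Logs section; the rest are
# made-up records in the same shape.
SAMPLE_LOG = """\
2016-03-11 01:16:27 super login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY Configuration" window as "dev"
2016-03-11 01:18:02 alice login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY Configuration" window as "dev"
2016-03-11 01:19:40 alice login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY Configuration" window as "root"
"""

# Assumption: everything between "login" and "user transparently" is the Device name.
TL_EVENT = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) login (?P<device>.+?) '
    r'user transparently logged into RDP Application "(?P<app>[^"]+)" '
    r'to "(?P<window>[^"]+)" window as "(?P<account>[^"]+)"$'
)


def parse_transparent_logins(text):
    """Return one dict per transparent-login line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TL_EVENT.match(line)
        if m:
            events.append(m.groupdict())
    return events


def accounts_per_user(events):
    """Map each CA Privileged Access Manager User to the set of secondary accounts reached."""
    out = {}
    for e in events:
        out.setdefault(e["user"], set()).add(e["account"])
    return out


def users_with_multiple_accounts(events):
    """Users who reached more than one secondary account: worth a second look against policy."""
    return sorted(u for u, accts in accounts_per_user(events).items() if len(accts) > 1)


if __name__ == "__main__":
    evts = parse_transparent_logins(SAMPLE_LOG)
    for user, accts in accounts_per_user(evts).items():
        print(user, "->", ", ".join(sorted(accts)))
    print("review:", users_with_multiple_accounts(evts))
```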
Session Recording
A session recording marks the location of the secondary transparent login attempt. For RDP
connections to Windows, these are marked in the Events list and by a red arrow on the timeline. You
can see event detail as a tooltip from the line item in the Events list, and in the Info box at the lower
left and in a pop-up window during cross-over on the timeline.
For transparent login activity to be recorded successfully when the User connects with Internet
Explorer, the administrator must configure all equivalent CA Privileged Access Manager addresses
(for example, a cluster VIP name and VIP address) in the browser security settings. See Set Up
Session Recording (https://docops.ca.com/display/CAPAM28/Set+Up+Session+Recording).
Note: To use the AWS API Proxy, obtain CA Privileged Access Manager licensing to support
the required number of proxy users. Contact your CA Account Representative for more
information.
Important! If you use both the VMware NSX API Proxy and AWS API Proxy, each proxy
must be on a different subnet.
To use the AWS API Proxy 2.1, enable it on the CA Privileged Access Manager appliance.
a. Find the map between the AWS API Proxy Access Accounts and AWS API Proxy Clients.
b. Select the following checkboxes as noted: Check Execution User ID, Uncheck Execution
Path, and Uncheck File Path.
2. Go to the Policy, Manage Policy page. Delete all the password view options between the
xceedium.aws.amazon.com (http://xceedium.aws.amazon.com) and the AWS API proxy users.
Leave the actual AWS API Proxy service as it was. If the user did not have an AWS API Proxy
service defined, you can delete the policy instead.
3. Delete all target accounts belonging to the target application AWS API Proxy Access Credential
accounts.
The CA Privileged Access Manager database is now ready for use with proxies.
4. Navigate in the Credential Manager GUI to Groups, User Groups. Click Add and create a group
with the following values:
Description – Promote or demote users to be able to add or delete Proxy target accounts
Role – TargetAdmin
As each AWS API Proxy assigned User logs in, they find on their landing page (or Access page) that
they have a drop-down list letting them view a password to use the proxy. After they view the
password, the account will be created and reused.
The AWS API Proxy privilege can now be assigned to User Groups and to individual Users. If you
assign the privilege at a group level, each User in the group has their own proxy target account
created the first time they log in and attempt to view the password. The number of users is limited to
the number of licensed users.
Provisioning Users
Each person accessing resources through CA Privileged Access Manager must have a User account.
User accounts can be established in two ways:
About Users
A User embodies a specific login account representing a person with privileges on CA Privileged
Access Manager. Every login account constitutes a User. Users are displayed, defined, and otherwise
managed through the Users menu on the CA Privileged Access Manager Administration menu bar.
User Types
Privileges and Roles
Each User must be represented by at least one role attribute. A role is a set of access privileges. Each
privilege allows the User to perform certain functions on CA Privileged Access Manager. A set of
predefined roles is provided with the basic installation.
End Users
An "end user" is a CA Privileged Access Manager User whose sole activity is to exercise CA Privileged
Access Manager Device access or CA Privileged Access Manager Device Target Account password
viewing. This User has a predefined role of Standard User, which is assigned by default when the User
template is used to create an account. All end user activity is performed on the Access page (which is
unlabeled). These Users have no access to the Admin menu.
Note
The privileges of a Standard User are not a subset of all other predefined roles. In other
words, there are administrator roles that do not allow access or password viewing.
Administrators
A CA Privileged Access Manager "administrator" is a User who can exercise privileges beyond
Standard User privileges. As a result, an administrator sees a full or partial Admin menu, or has access
to the Config menu.
config, super
Two administrator accounts are predefined on CA Privileged Access Manager to allow initial
configuration and operation: config and super. These names can be changed, but always constitute
the two baseline CA Privileged Access Manager User accounts, and have certain special privileges and
characteristics.
config has access only to the Config menu, including the Change Password menu. It does not
appear on the Users list.
The privileges of this account differ from those assigned to the Configuration Administrator role.
"config" gains access solely through the /config/ directory, and is the only account to do so. It is
the only account with access to the Change Password menu. "config" does not appear in the
Users list (on the Manage Users page).
super has a predefined role of Global Administrator. It can be renamed but cannot be deleted.
"super" appears in the Users list.
Grouping
CA Privileged Access Manager User Groups – These objects provide for the inheritance of User
attributes from the group to its members.
Note
CA Privileged Access Manager User Groups are distinct from Credential Manager User
Groups.
Role Types
Access: Users, Manage Roles
Credential Manager only: Policy, Manage Passwords, Users, Roles
Important
Global Administrator
Operational Administrator
Password Manager
The Credential Manager Group is then assigned to a User account through the PM Groups setting.
This setting appears in an expansion pane upon your selection of an Access Role with Credential
Manager privileges.
CA Privileged Access Manager is preconfigured with the provisioned Credential Manager Group
"System Admin Group". This might appropriately be used to provision a Global Administrator using
the PM Groups setting.
Terminology
Restricted administration is now fine-tuned to allow full assignment of any set of privileges less than
one's own. An administrator below a Global Administrator can assign pre-set or custom roles other
than Standard User or Monitor, up to and including its own privileges. Conversely, restricted
administration prevents the assignment of roles, groups, and other objects that overstep the
applicable privileges.
The options available to one of these two administrators when creating a User are then restricted.
The Delegated Administrator role permits the required privileges within the User/Device scope. The
Available Roles for this new User are therefore the "Delegated Administrator", its components
("Device/Group Manager", "Policy Manager", and "User/Group Manager"), and the typical "Standard
User" (assuming this administrator also performs Device or credentials access activities).
Meanwhile, the Available Groups list identifies all User Groups that exist on this CA Privileged Access
Manager appliance. The "DeviceManagers" group is dim, which allows management of all Devices
rather than only those managed by this administrator. Because its choice would effectively result in
elevated privileges, it cannot be selected.
User Setup
As a CA Privileged Access Manager Administrator, you follow these procedures to create or edit Users
(User records). Several methods are available for creating Users.
1. Log in as an appropriate administrator, such as "super", and select: Menu bar: Users, Manage
Users.
The current (empty) User list appears below the Menu Bar.
2. In the upper right, to the left of the Search box, click Create User.
A User account creation template appears in the list window.
3. In the Basic Info and Contact Info panes, fill in (at least) the required fields (Username,
Keyboard Layout, Firstname, Lastname, Password, Re-Password, email) marked in red.
Field: Description
Buttons available when Creating or Editing a User record:
Save: Create or update, and close, the current User record. Settings are effective immediately.
Cancel: Close the current User record without saving it. Any changes that are entered are
discarded; if the record is new, it also is discarded.
Buttons available (only) when Editing a User record:
Delete: Remove the User record.
Note: This differs from Account Status: Disabled, in which the account record is preserved.
Manage Policy: Navigate to the Policy page, populating the User(Group) field there with the current
Username.
Note: Any changes that are made to the User record are lost upon selecting this button.
View Policy: Display a list of Devices and the associated policies that are currently active for this
User. Known as Effective Policy, this list includes policy that is inherited by this user from User
Groups.
Basic Info
Username (Required): Enter the Username that is presented at login. This name is referenced in
configuring user access policy and appears in logs and recordings to provide a means of identifying
specific user activities.
Permitted characters include: "A-Z", "a-z", "0-9", "-", "_", " " (alphabet, upper and lower
case; numerical digits; dash; underscore; space).
Keyboard Layout (Required): The type of character set mapping to keyboard.
Default: EN-US – U.S. English standard keyboard layout
Firstname (Required): Specify a first name.
Lastname (Required): Specify a last name.
Password (Required): Select the Password used for the initial log in. The user is automatically
forced to change the password at first connection. The password strength can be set under the
configuration tab.
Re-Password (confirm) (Required): Retype the password for confirmation.
RDP Username: Used by the RDP applet in credentials for access to a remote Windows device.
Mainframe Display Name: Display Name used by the AS/400 applets TN5250 and TN5250SSL.
Description: Specify any optional information pertaining to this user.
Contact Info
Phone: Specify a telephone number.
Cell Phone: Specify a cellular telephone number.
Email (Required): Specify an email address.
Administration
Authentication: Select an authentication method:
Local: Authentication data (password) stored inside CA Privileged Access Manager
RADIUS: Authentication to a RADIUS server
RSA: Authentication with RSA SecurID
Account Status: Enable or Disable the user account.
Activate Account: Set time frame windows when user is allowed to access the system.
Now - User account is activated once it is created.
Later – Set user account activation date and time.
Terminal Session Upon Deactivation: Specify whether a User login and all current sessions are to be
terminated if that user account reaches expiration date/time or exceeds the violation limit.
Note: If this checkbox is selected and a user account gets deactivated while that user is
logged in to CA Privileged Access Manager, the session is terminated.
Account Expiration: Set date at which account is permanently deactivated.
Email on Login: CA Privileged Access Manager (administration) user account to which an email
notice is sent whenever the current account logs in.
Email Self on Login: Send email to email account in Contact Info whenever current account logs in
to CA Privileged Access Manager.
Roles
Available Roles: Select the Access Roles (indicated in the drop-down list) for which this user should
have authorization.
Important: Do not assign any User solely the role "Password Manager." That role does not
contain sufficient privileges for CA Privileged Access Manager access. Instead, keep the
default role Standard User – and then add Password Manager too – when you intend to
allow only password management privileges.
Roles are defined in terms of privilege sets specified per role as identified in Users,
Manage Roles. A set of about 15 roles is preset at installation, while other, user-defined,
roles might have been added in Manage Roles.
User roles: "Standard User" (for the Access page) is the default set for a new user. The user
roles that are specified allow for configuration and administration of various functional
components of CA Privileged Access Manager. A Role can be removed (made unassigned)
by clicking the name of the role.
PM Groups: Appears, and is required, only when roles are selected with password managing
capacities.
Available Groups: If the above-selected Role is related to credential management:
Provides drop-down list of Password Management User Groups available that are
applicable to the selected Role.
Access Time: Rules are listed and numbered as line items that specify access permissions per
calendar week.
To specify a rule: Identify the Access Days and Times (From, To) during which this User can
log in to CA Privileged Access Manager during a calendar week.
Add Rules: Button that expands the current User specification window, providing the two widgets
here for access time rules specification.
Access Days: Select one or more days for which the User is permitted access.
From _ To _: Select a time range within the Access Days that are specified during which the User is
permitted access.
Groups
Available Groups: Select groups for which the user is to be made a member (after Save). The group
policy is applied to the user.
3. Double-click the name to display its editing template in a shadow box window. (The shadow
box fills the page – click Cancel to return to the Manage Policies page.)
4. When finished, click Save (or Cancel) to return to the Manage Policies page.
Use the Access Time Table to create any time-based access restrictions. When the group is created,
any existing users can be chosen to be members. After the group is created, Users can be added to
the appropriate group. Notes about the group can be entered into the description field.
Note
CA Technologies User Groups are not available for Active Directory or other directory users.
Instead, users should be grouped in the directory and the attribute that is read by CA
Privileged Access Manager. Setting policies for directory users is done at the group level.
Username
For Users accessing AWS: Usernames are required to be from 2 through 32 characters long,
inclusively due to restrictions on federated users within AWS.
Authentication
Local
Local User accounts are hosted in the CA Privileged Access Manager database, and are authenticated
by testing the submitted User and Password against that database.
Local Users must be created under the Create User menu. Fields that are highlighted in red are
required.
RADIUS
RADIUS users are similar to Local Users with the exception that the password is not stored locally.
When a User logs on, the login Password is sent to the RADIUS server for approval. That is because
the User presents RADIUS credentials as provisioned by the RADIUS server. The User is not prompted
to change passwords in the local CA Privileged Access Manager environment. If a RADIUS User is
provisioned through LDAP, that user authenticates against a RADIUS server.
Prerequisite: To execute authentication, RADIUS server parameters must be set in Config, 3rd Party.
See RADIUS or TACACS+ (see page 40) for instructions.
RSA SecurID
RSA SecurID users log in with a User and Passcode that includes the concatenated sequence:
PINtokencode where the PIN is your memorized personal identification number, and the tokencode is
the current readout from your SecurID device (fob).
Example: If your PIN = 3425 and the current readout from your SecurID fob = 866329, the Passcode
you enter (for that point in time) would be these ten digits: 3425866329
Smartcard/PKI
Smartcards use certificates to authenticate users. CA Privileged Access Manager checks the user
certificate against an OCSP server, or a current Certificate Revocation List (CRL). The smartcard
parameters must be set in the https://XsuiteIPaddr/config/ screens under the Security tab.
The first time that a smartcard user accesses CA Privileged Access Manager, the Designated Name
and User account is registered, and the Username appears in the Approve CAC User tab. This User
must be approved before device access can be assigned.
Roles
Each Access Role is a collection of (Access-defined) Privileges. To perform Access operations, each
User must be assigned one or more Roles.
Available Roles
During the creation or edit of a User record, the CA Privileged Access Manager administrator specifies
one or more Roles using the Available Roles drop-down list. This menu presents all Roles that are
currently defined, including a set of 16 Predefined Roles (identified in the next section). By default,
the Create User template is prepopulated with a Predefined Role: Standard User (allowing device
access). In addition, the User can inherit Roles from Groups in which the User is a member.
Roles are defined preliminary to User creation. See Appliance Configuration, Master Settings, User
Roles.
1. Open IE browser.
b. Click Custom level. Scroll to Downloads. For File download, select the Enable option.
Import Users
1. Select Menu bar: Users, Import/Export Users
The Import/Export Users page appears.
2. In the Import Users from CSV file panel, click Download Sample File, and save the file.
3. Create a CSV file based on the downloaded template. Refer to the table for instructions and
information about the fields.
CSV Format
Password field indicates a single-use password that must be changed upon first login
following database update.
Not all fields are required. Required fields include: Username, Firstname, Lastname,
Password, Email
For any fields not used: Preserve all headings on the first row, but leave cells below
blank.
User Group records should be at the top of the file, ahead of all User records.
4. In the Import Users from CSV file panel, Browse to select the file, and click Import Users.
The content of the file is added to any existing User database; they do not replace the current
database.
5. Navigate to Users, Manage Users, and confirm that the import was successful by inspecting
the User list.
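The import procedure above relies on the CSV being right before it is uploaded, since the file is merged into the existing User database rather than replacing it. The following Python pre-check is an added example, not part of the CA documentation or the product: it applies the rules the page states, namely that Username, Firstname, Lastname, Password and Email are required, that a Username may contain only letters, digits, dash, underscore and space (from the Basic Info field table), and that Usernames for Users accessing AWS must be 2 through 32 characters long. The column headings are assumed to match the field labels shown on the page, and the sample file is constructed.

```python
import csv
import io
import re

# Permitted Username characters from the Basic Info field description: A-Z a-z 0-9 - _ space
USERNAME_CHARS = re.compile(r"^[A-Za-z0-9_ -]+$")
# Required import fields as listed under CSV Format
REQUIRED = ("Username", "Firstname", "Lastname", "Password", "Email")

# Constructed sample file; heading names are assumed to match the field labels.
SAMPLE_CSV = """Username,Keyboard Layout,Firstname,Lastname,Password,Email,Description
j_smith,EN-US,John,Smith,Tmp-Pass-1,jsmith@example.com,ops on-call
a,EN-US,Ann,Lee,Tmp-Pass-2,alee@example.com,
bad$name,,Bob,Ray,Tmp-Pass-3,bray@example.com,
nomail,EN-US,No,Mail,Tmp-Pass-4,,
"""


def validate_user_csv(text, aws_users=False):
    """Return {row_number: [problems]} for rows that fail; an empty dict means the file passes.
    Row 1 is the heading row, so the first data row is numbered 2. Row 0 reports heading problems."""
    reader = csv.DictReader(io.StringIO(text))
    missing_cols = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing_cols:
        return {0: ["missing required column(s): " + ", ".join(missing_cols)]}
    problems = {}
    for n, row in enumerate(reader, 2):
        issues = []
        for col in REQUIRED:
            if not (row.get(col) or "").strip():
                issues.append(col + " is required")
        name = row.get("Username") or ""
        if name and not USERNAME_CHARS.match(name):
            issues.append("Username contains characters outside A-Z a-z 0-9 - _ space")
        if aws_users and not 2 <= len(name) <= 32:
            issues.append("Username must be 2 through 32 characters for AWS access")
        if issues:
            problems[n] = issues
    return problems


if __name__ == "__main__":
    for row, issues in sorted(validate_user_csv(SAMPLE_CSV, aws_users=True).items()):
        print("row %d: %s" % (row, "; ".join(issues)))
```

Because the Password column holds a single-use password that is forced to change at first login, the check deliberately reports only that the field is present; the strength rules live in the appliance configuration, not in the file.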
Export Users
This button creates a CSV file of all Local, RADIUS, SecurID, and Smartcard/PKI users. For Local users,
the Password field is masked.
The User is already assigned (the CA Privileged Access Manager copy of) the LDAP group it was
imported from (see Groups panel).
Editing range:
Certain CA Privileged Access Manager-assigned fields, however, can be edited. These include:
Keyboard Layout
RDP Username
Account Status
Email on Login
Available Roles
User Group settings override those individual settings that are labeled the same.
Important
Do not confuse Access User Groups with Credential Manager User Groups. User Groups
and Roles are specified in two distinct locations, one for general use and one specifically for
Credential Manager.
Local Groups
This feature allows you to create a User Group consisting of CA Privileged Access Manager local
Users.
3. To create a User Group that is restricted to Local Users, click Create Local Group.
A template opens up for you to provide User Group settings.
Field Definition
Basic Info
Groupname Name to assign to this group.
Format if imported (using Import LDAP Group) from Active Directory:
LDAPsourceGroupName + "@" + LDAPdomain
Format if imported (using Import LDAP Group) from other than Active Directory
(for example, from SunOne, OpenLDAP, or other): LDAPsourceGroupName
Double-byte characters are permitted, for example:
NOTE: LDAPdomain = Base DN as specified in Bind Credentials in Config, 3rd Party
Applet Recording
Warning
Description Provide your custom definition for the group, or:
Format if imported (when using Import LDAP Group) from an LDAP server: "LDAP
Group" + LDAPsourceGroupName + "from" + LDAPsourceDistinguishedName
Authentication
Authentication Authentication method to be used during User login. The options available
depend on which type group is being created (Local, RADIUS, or imported LDAP)
SAML Attribute Enumerated:
If the User provisioning source was an LDAP directory Active Directory:
Distinguished Name
User Principal Name
SAM Account Name
If the User provisioning source was an LDAP directory of type OpenLDAP,
SunOne, or other:
Distinguished Name
Unique Attribute
If Authentication = Local, or RADIUS, or PKI:
User Name
Login IP Ranges Network access definition:
Identify source IP address ranges, if any, required for CA Privileged Access
Manager login client.
Formats:
Single IP 192.0.2.1
CIDR 192.0.2.0/28
Range 192.0.2.1-32
Delimiters that are permitted between ranges: space, comma, semicolon, newline
Example: 192.0.2.0/28,192.0.3.234/32
If left empty, no IP address restrictions are applied.
NOTE User definition overrides (any) User Group definition, for either more or
less restrictive rules. Also, if no User policy is defined but that User is a member
of multiple User Groups with different rules, the group permissions are additive
(less restrictive).
Provision (label Type of source from which the group was provisioned.
shown in User
Group list only –
not in each
record)
Roles
Available Roles Drop-down list of CA Privileged Access Manager User Roles available through
previous provisioning. Multiple roles can be assigned per group (or for an
individual user through an individual user record).
Default: Standard User.
Important: The "credentialsManage" privilege is not currently propagated to
member Users. Thus, User Group roles of Global Administrator, Operational
Administrator, or Password Manager must also be applied in the individual
record of each member User who is managing passwords.
Access Time
Add Rules Button which activates an expansion pane for creating access rules for this group.
Users
(no label) Displays a sequence of the Usernames that are members of this User Group.
For Local groups: Set of all member usernames; usernames can be added or
removed.
For Imported LDAP groups: Set of all member usernames; usernames cannot be
added or removed. Editing must be accomplished in the source LDAP directory.
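The Login IP Ranges field above accepts three address forms and several delimiters, and the NOTE gives a precedence rule between User and User Group definitions. The following is an added example, not code from CA Privileged Access Manager, that parses that field format and evaluates a login source address against it. The precedence interpretation (a non-empty User rule replaces the group rules; with no User rule, group rules are merged, and one unrestricted group makes the merged result unrestricted) is this example's reading of the NOTE, not something the product documents in those words.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Sequence

# Added example (not CA PAM product code): parser and evaluator for the
# Login IP Ranges field format described in the User Group template.

# Delimiters the field permits between ranges: space, comma, semicolon, newline.
_DELIMS = re.compile(r"[\s,;]+")
# Last-octet range form, e.g. 192.0.2.1-32
_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$")


def parse_ip_ranges(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a Login IP Ranges string into IPv4 networks.

    Accepts the three documented forms (single IP, CIDR, last-octet range)
    and raises ValueError for anything else, so a typo cannot silently
    widen or narrow the rule. A CIDR with host bits set (192.0.2.5/28) is
    rejected as ambiguous rather than quietly rounded.
    """
    networks: List[ipaddress.IPv4Network] = []
    for token in _DELIMS.split(text.strip()):
        if not token:
            continue
        match = _RANGE.match(token)
        if match:
            prefix, low, high = match.group(1), int(match.group(2)), int(match.group(3))
            if not 0 <= low <= high <= 255:
                raise ValueError(f"invalid last-octet range: {token!r}")
            first = ipaddress.IPv4Address(prefix + str(low))
            last = ipaddress.IPv4Address(prefix + str(high))
            # Expand the range into the minimal set of CIDR blocks.
            networks.extend(ipaddress.summarize_address_range(first, last))
            continue
        # Single IP ("192.0.2.1" becomes a /32) or CIDR ("192.0.2.0/28").
        networks.append(ipaddress.IPv4Network(token, strict=True))
    return networks


def ip_allowed(source_ip: str, ranges: Sequence[ipaddress.IPv4Network]) -> bool:
    """An empty rule means no IP restriction, as the field description states."""
    if not ranges:
        return True
    address = ipaddress.IPv4Address(source_ip)
    return any(address in network for network in ranges)


def effective_ranges(user_rule: Optional[str],
                     group_rules: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Apply the precedence NOTE from the field description.

    Assumptions of this example: a User rule counts as defined when the
    field is non-empty and then replaces the group rules entirely;
    otherwise the group rules are merged additively, and one unrestricted
    group makes the merged result unrestricted (the less restrictive outcome).
    """
    if user_rule and user_rule.strip():
        return parse_ip_ranges(user_rule)
    merged: List[ipaddress.IPv4Network] = []
    for rule in group_rules:
        networks = parse_ip_ranges(rule)
        if not networks:
            return []
        merged.extend(networks)
    return merged
```

When reviewing group memberships, the additive rule is the thing to check: a user in one tightly scoped group and one group with an empty Login IP Ranges field ends up unrestricted unless a User-level rule is set.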
To open a template to create a CA Privileged Access Manager RADIUS User Group, click the Create RADIUS Group link.
Any RADIUS user who does not have a local account that is configured or whose RADIUS group
(attribute 25 value) does not match a CA Privileged Access Manager RADIUS Groupname is not
granted access.
If a RADIUS group has been provisioned on CA Privileged Access Manager, but the user does not
exist, a shadow RADIUS user is created. The shadow user is not visible in the user management
screen or the user list.
3. Double-click the name to display its editing template in a shadow box window.
4. When finished, click Save (or Cancel) to return to the Manage Policies page.
For information about importing an LDAP Group, see Import an LDAP Group (see page 227).
Note
The Import LDAP Groups menu appears after an LDAP server has been configured for CA
Privileged Access Manager access. Go to Appliance Configuration, Network Configuration,
3rd Party, LDAP Domains, to set up the connection to the LDAP server. See Configure for
Network Resources (see page ) for more information.
To launch the LDAP Browser from the Manage Groups page, click the Import LDAP Groups link.
Note
Your CA Privileged Access Manager must be licensed for the LDAP Browser to launch.
LDAP Browser
For a quick look at what is in this browser: Near the top of the left pane, under the tab Explore, a
graphical representation of an LDAP DIT is displayed. When you select an item or node in the left
pane, you see its object attributes on the right. Because this LDAP entry belongs to the class
groupOfUniqueNames, its tree icon has the appearance of a user group. It has a checkbox so that you
can potentially select it and its members for import.
1. Confirm that you have configured the desired LDAP repository in Config, 3rd Party.
2. On the Users, Manage Groups page, click the Import LDAP Group link.
This link launches the LDAP browser, which immediately prompts for an LDAP domain
selection.
3. In the browser pop-up window, select the domain from which you import users.
The browser connects and displays all records below that domain (restricted by the
pagination option you might have previously requested).
4. Open nested folders until a user group that you want to import is visible, and select its
checkbox.
5. Repeat this step for each group you want to import. You can traverse the tree in any order or
direction.
6. (Optional) Once you have selected all the groups that you want to import, you can review
them. Go to CA Privileged Access Manager Groups, Manage selected groups to register with
the CA Privileged Access Manager appliance.
A new pop-up window opens, in which the Distinguished Names for all selected groups are
visible. You can select and edit any group DN, or remove it from the staging list.
7. Import the selected groups by selecting CA Privileged Access Manager Groups, Register
selected groups with the CA Privileged Access Manager appliance.
A new window presents the staged groups in a list so that you can watch their progress and
status. It also displays any messages associated with the actions.
8. Select Authentication Type from the drop-down list at the top of the window.
9. When ready to import the groups, click Register Groups in the lower-left corner.
10. CA Privileged Access Manager imports the groups in the order that is presented, and the
browser provides feedback and cancellation options throughout the process.
While a group is imported, there is a progress bar (labeled Registering Group) to the right of
its Group Name. You can cancel registration of the current group (and continue with
subsequent groups), or you can cancel the registration of all groups, even after they have
started. In the latter case, CA Privileged Access Manager "reverses" the import process so that
all groups and their members are removed.
When the imports are finished, each line item in the registration window shows either a green
checkmark for success or a red cross for import failure/cancellation. You can review the status
of the full list and each individual group by selecting its line item. If you made any changes or
any errors occurred during the import, the lower Messages panel provides details after you
select the specific group of interest.
11. In the GUI, confirm that the imported groups now appear on the Users, Manage Groups page.
12. You might want to open the User Group or User records to examine more fields.
In each User Group record:
c. The Roles panel of each record indicates "No roles selected." However, roles are
inherited from the LDAP group, where the default setting is "Standard User."
About Pagination
Note
Pagination is available for Active Directory (AD) and OpenLDAP. Pagination is not available
on SunOne and possibly other LDAP implementations.
The LDAP Browser incorporates a special pagination feature to reduce overhead on LDAP access. The
browser setting Result Set Page Size specifies the maximum number of members (directories,
groups, or objects; or nodes) for any directory. (This value is initially set to a default of 1000.) If the
overhead required to display all directory members is too heavy, the administrator can reduce this
variable value.
For example, set this value to 5. Whenever there are more than five members in any directory, an
initial pagination leaf is inserted when that directory is opened, before displaying the actual directory
contents.
About Search
When you know the name of the directory or object you are looking for, you can use one of two
search options provided in LDAP Browser.
If the tree is paginated in the browser, it does not have to be "built-out" in the browser to traverse
the entire tree on the server.
1. In the Explore tab tree, select the node that you want to be at the top of the search.
Your choice is reflected in the Quick Search label.
2. To the right of the Search From label, select an attribute from the drop-down list, and enter a
search string in the text box.
Field/Button: Definition
Filter Name: Assign a "bookmark" name for the filter. When you have filled in the remainder of this dialog, click Save in the lower right. The filter is then available from the Search menu.
Start Searching From: Identify the root node for your search.
Alias Options
Resolve aliases while searching / Resolve aliases when finding base object: When checked, LDAP Browser returns the real entry to which the alias points. When unchecked, LDAP Browser returns all alias entries as regular entries.
Search Level
Select Search Level: Search Base Object, Search Next Level, or Search Full Subtree
Information to retrieve: Allows you to select from a saved list in Return Attributes Lists.
Build Filter
Not: Negative of the (entire) constructed entry
[Expression]
  [Attribute]: Menu of all LDAP attributes, accountExpires through x500uniqueIdentifier
  [Operator]: Logic to apply to the attribute in this expression
  [Character string]: Text being tested with this expression
More [button]: Add another logic template to concatenate with the other defined logic
Less [button]: Remove the most recently defined logic
Save [button]: Save the entire filled-in template under the label assigned in Filter Name
Load [button]: Load an existing filter into this template for editing or copying.
View [button]: Show the actual LDAP filter sent
[Template Commands]
Search [button]: Perform the search as currently defined in this template.
Cancel [button]: Close the dialog without executing a search or saving it to a filter name
After executing a search, a subtree traversing only the search "hits" is returned in the Results tab .
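The Build Filter template above composes an LDAP search from a search level, one or more (Attribute, Operator, Character string) expressions, and an optional Not over the whole entry; the View button shows the resulting filter string. The following is an added example, not code from the LDAP Browser, that builds such a filter string the way an RFC 4515 client would, escaping the character string so that a value such as `Admins (Prod)` or `*` is matched literally instead of changing the filter's structure. The operator set ("=", "~=", ">=", "<=", "present", "starts with") and the scope names are this example's assumptions; the page only says the menu offers "logic to apply".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Added example (not LDAP Browser code): build an RFC 4515 filter string
# from the Build Filter template's fields, with value escaping.

_ATTRIBUTE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# RFC 4515 escapes: these characters in a value must become \XX hex pairs.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Search Level labels from the template mapped to LDAP scope names.
SCOPES: Dict[str, str] = {
    "Search Base Object": "baseObject",
    "Search Next Level": "singleLevel",
    "Search Full Subtree": "wholeSubtree",
}


def escape_value(value: str) -> str:
    """Escape a character string so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class Expression:
    """One [Attribute] [Operator] [Character string] row of the template."""
    attribute: str
    operator: str          # assumed operator set, see render()
    value: str = ""
    negate: bool = False   # Not applied to this row only

    def render(self) -> str:
        if not _ATTRIBUTE.match(self.attribute):
            raise ValueError(f"invalid attribute name {self.attribute!r}")
        if self.operator == "present":
            item = f"({self.attribute}=*)"
        elif self.operator == "starts with":
            item = f"({self.attribute}={escape_value(self.value)}*)"
        elif self.operator in ("=", "~=", ">=", "<="):
            item = f"({self.attribute}{self.operator}{escape_value(self.value)})"
        else:
            raise ValueError(f"unsupported operator {self.operator!r}")
        return f"(!{item})" if self.negate else item


def build_filter(expressions: Sequence[Expression], combine: str = "&",
                 negate: bool = False) -> str:
    """Concatenate rows (More button) with & or |, then apply Not to the whole."""
    if not expressions:
        raise ValueError("at least one expression is required")
    if combine not in ("&", "|"):
        raise ValueError("combine must be '&' or '|'")
    rendered: List[str] = [e.render() for e in expressions]
    body = rendered[0] if len(rendered) == 1 else f"({combine}{''.join(rendered)})"
    return f"(!{body})" if negate else body


def search_request(base_dn: str, scope_label: str, expressions: Sequence[Expression],
                   attributes: Sequence[str] = (), combine: str = "&",
                   negate: bool = False) -> Dict[str, object]:
    """Assemble what the template sends: base, scope, filter, return attributes."""
    return {
        "base": base_dn,
        "scope": SCOPES[scope_label],
        "filter": build_filter(expressions, combine, negate),
        "attributes": list(attributes),
    }
```

The escaping matters most when the character string is pasted from another system: without it, a parenthesis or asterisk in a group name silently changes which entries the search returns.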
Although User records with double-byte character Usernames can be imported as members of LDAP
groups, individual Local User records with double-byte characters are not currently permitted.
1. From the list in Users, Manage Users, identify the line item record of an existing User, and
click anywhere in the line. NOTE: Upon mouseover within the line boundary, the record is
selected.
Copying a User
To create a new User account with the same access permissions and policies as an existing User:
1. From the list in Users, Manage Users, open the record of an existing User.
This new record opens immediately below the record of the copied User, while the
record of the copied User is closed. To confirm this, inspect the User list above the
new record editing pane. It shows the line item of the original User.
3. Enter (the required) Username for the new User. Edit other fields as desired, and select the
Save button to create the new User.
Disabling a User
To disable (preserve, but not allow activity by) a User account:
1. From the list in Users, Manage Users, identify the line item record of an existing User, and
open its record (by clicking it).
3. At the left side of the top center of the pane, click Save.
1. From the list in Users, Manage Disabled Users, select each User to enable by clicking its
checkbox.
Deleting a User
To delete (completely remove) a User account:
1. From the list in Users, Manage Users, identify the line item record of an existing User, and
select the checkbox to the left.
NOTE: Only afterward is the list updated by removing the line item.
User viewing
Initial View
You log in to CA Privileged Access Manager initially as config, and then as super. When (as super) you
switch over to the default Users menu, you see a list populated with the super account.
Later, you are able to view all and edit any users here except for config. Config must be edited in the
Toolbar: Change Password menu while logged in as config.
Access types (access method applets, TCP/UDP and application services, SSL VPN services, out-of-
band access, power)
one CA Privileged Access Manager-registered User or User Group (including LDAP and RADIUS)
and
After a User has logged on to a Device using its preset Policy assignments, CA Privileged Access
Manager can:
Access Provisioning
The access capabilities that you provide for a Device are available for specification in Policy. See
About Access Setup (see page 162) for information about setting up access capabilities for Devices.
Access Restrictions
Through a Policy, these restrictions to Device or Device Group access can be imposed on a particular
User or User Group:
Command Filtering
Socket Filtering
Command Filtering
Command filter lists can be used to enforce policy in the command line applets TELNET, SSH, and
serial consoles.
Both Command Filtering and Socket Filtering use whitelists and blacklists to set the appropriate
policy.
A command-filtering blacklist is a list of commands that a user cannot type. If the user attempts
to type the command, CA Privileged Access Manager can flag (log), alert, remediate, and stop the
command from being processed. All other commands are allowed.
A command filtering whitelist is a list of the commands that a user can type. All other commands
are prohibited.
Note
Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250
applets.
The Command Filter Configuration (CFC) sets the behavior of the blacklist and whitelist command
filters.
From: xsuite1@example.com
To: xs-admin1@example.com
Cc:
Subject: Alert Msg from xsuite1
-------------------------------------------------------------------------------
Date/Time: Fri, 1 Oct 2010 14:09:05
User ID: Traveler123
User Source IP: 168.0.2.123
Violation on: LinuxBox12
Captured Keystrokes: rlogin
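To make the blacklist and whitelist semantics above concrete, here is an added example, not CA Privileged Access Manager code, that evaluates a typed command line against a filter list in either mode and renders an alert in the layout of the message shown. Matching on the first token of the line, the filter mode names, and the sample list contents are this example's assumptions; the alert values (user, IP, device) are the ones from the page.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Added example (not CA PAM code): evaluate a typed command against a
# command filter blacklist or whitelist and render an alert like the one above.


@dataclass(frozen=True)
class Verdict:
    keystrokes: str   # the line as typed
    command: str      # first token of the line
    blocked: bool
    reason: str


def command_name(line: str) -> str:
    """First token of the typed line ("rlogin host" -> "rlogin")."""
    tokens = line.strip().split()
    return tokens[0] if tokens else ""


def evaluate(line: str, commands: Iterable[str], mode: str) -> Verdict:
    """Blacklist: listed commands are stopped, all others allowed.
    Whitelist: listed commands are allowed, all others stopped.
    An empty line executes nothing, so it is never blocked."""
    name = command_name(line)
    listed = name in set(commands)
    if mode == "blacklist":
        blocked = listed
        reason = f"{name!r} is on the blacklist" if blocked else "not on the blacklist"
    elif mode == "whitelist":
        blocked = bool(name) and not listed
        reason = f"{name!r} is not on the whitelist" if blocked else "allowed by the whitelist"
    else:
        raise ValueError(f"unknown filter mode {mode!r}")
    return Verdict(line, name, blocked, reason)


def format_alert(verdict: Verdict, user_id: str, source_ip: str, device: str,
                 when: datetime, sender: str = "xsuite1@example.com",
                 recipient: str = "xs-admin1@example.com") -> str:
    """Render the alert e-mail in the layout shown on this page."""
    host = sender.split("@")[0]
    lines = [
        f"From: {sender}",
        f"To: {recipient}",
        "Cc:",
        f"Subject: Alert Msg from {host}",
        "-" * 79,
        f"Date/Time: {when:%a}, {when.day} {when:%b %Y %H:%M:%S}",
        f"User ID: {user_id}",
        f"User Source IP: {source_ip}",
        f"Violation on: {device}",
        f"Captured Keystrokes: {verdict.keystrokes.strip()}",
    ]
    return "\n".join(lines)


def sample_alert() -> str:
    """Rebuild the page's alert from constructed inputs (blacklist is constructed)."""
    verdict = evaluate("rlogin", ["rlogin", "telnet", "su"], "blacklist")
    return format_alert(verdict, "Traveler123", "168.0.2.123", "LinuxBox12",
                        datetime(2010, 10, 1, 14, 9, 5))
```

Because this matcher looks only at the first token, a blacklist does not see a listed command reached through a wrapper such as a shell alias or a script; that is the practical reason the page presents whitelists, which deny everything not explicitly allowed, as the alternative.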
Socket Filtering
Socket Filter Agents (SFAs) are CA Privileged Access Manager components used to restrict access
either to server-based devices or from server-based devices. Socket filters provide a different kind of
access control than devices with finite command sets, such as routers and switches, for which
command filtering is applied.
Socket Filter Lists – to define either a socket blacklist (specifying where access is prohibited) or
whitelist (specifying where access is allowed)
Socket Filter Agents – to apply rules that are specified by Socket Filter Lists and used in Policies.
Socket Filter Configuration – to apply agent behavior across all CA Privileged Access Manager-
managed devices using socket filter agents.
CA Technologies advises verifying your organization policies before setting up socket filtering, as
network heartbeat checks might not be allowed.
Although CA Privileged Access Manager is designed to pass an IAM Policy to AWS, AWS does not
accept an AWS Policy that is "too lengthy." The length limit is not a predictable value, but can be
evaluated by AWS before processing to avoid errors. Therefore, CA Privileged Access Manager sends
all submitted policies to AWS for preprocessing. If the size limit is exceeded, an error message is
relayed to the CA Privileged Access Manager user.
Workaround: Some guidance on permitted length is provided in this AWS Forum thread:
https://forums.aws.amazon.com/thread.jspa?threadID=80882
Session Recording
In addition to the access controls that are applied in advance, session recording can be assigned to
policy, providing a view of User actions after the fact. As recordings, they simulate the environment
of the User to provide a view into what transpired during a connection session.
Privileged administrators also apply control during sessions, with the ability to terminate a
connection session or log a User off CA Privileged Access Manager, while CA Privileged
Access Manager logging is another resource for tracking a session while it runs or afterward.
In the command-line applets, TELNET, SSH, and Console user keystrokes can be recorded. Graphical
session recording is available with the RDP and VNC applets.
Recordings are identified in the GUI as line items. They can be searched with variable text filtering.
When a recording identifies a User violation, this fact is marked inside the recording as the User
views it. The line item record is also highlighted in bold red.
The session recording logs are not stored on CA Privileged Access Manager. The session recording
files can be stored on mount points or sent to a syslog consolidation server.
Use a directory mounted to a Windows or UNIX server for session recordings to be available through
the administration interface. The session recordings can be viewed in Sessions, Session Recordings.
Session Recording policy is set for a user/user group – device / device group pair in Policy, Manage
Policies.
In the Recording pane:
Selecting Command Line records user entry, and if Bidirectional is selected, CA Privileged Access
Manager records both the user and device responses.
Selecting Graphical records the user GUI interaction with the Windows server as a movie that can
be played, stopped at any point, and replayed from any point.
Set Up a Policy
As a CA Privileged Access Manager administrator, you assign Policies between a User and a Device
either implicitly or explicitly.
Imported CSV file: Import through Policy, Import/Export Policy, then, Edit / View in Policy,
Manage Policies
A User effective policy spans these categories, as the union of all policy assignments. It reflects the
range of Device and access options available to a User as represented on the User Access page.
As a CA Privileged Access Manager administrator, you can view a User effective policy in Users,
Manage Users, [Edit User], View Policy
The configuration of a Device provides a template for choosing which access methods are allowed for
a particular User from those that are possible on that Device (that is, those that are technically
provided and CA Privileged Access Manager-configured). The scope of this template has previously
been defined by the attributes assigned in the Device record.
A unique policy can exist between every match of each of the first (Users and User Groups) with each
of the second (Devices and Device Groups). If, for example, there are three (3) Users and three (3)
Devices, after matching each User with each Device, there could be up to nine (9) different policies.
For information about Credential Manager Password Policies, see Credential Manager
Policies (see page 252).
Prerequisites
1. Session recording activation requires that storage is configured in advance on the Config, Logs
page.
Although CA Privileged Access Manager is designed to pass an IAM Policy to AWS, AWS does not
accept a CA Privileged Access Manager-provided AWS Policy that is "too lengthy." The length limit is
not a predictable value, but AWS can evaluate it before processing to avoid a disruptive error
condition, so CA Privileged Access Manager sends all submitted policies to AWS for preprocessing. If
the size limit is exceeded, an error message is relayed to the CA Privileged Access Manager user.
Workaround: Some guidance on permitted length is provided in this AWS Forum thread:
https://forums.aws.amazon.com/thread.jspa?threadID=80882
Define Policies
To define Policies, two UI methods are available to create associations:
Web templates (see page 241) – For each User, enter data into the GUI
CSV file (see page 245) – You can load records for a batch of Users
Policy Template
To create or edit a Policy using the web template, follow these steps:
1. Select from the Menu Bar: Policy, Manage Policies. The Manage Policies page appears.
By default, when you open the Manage Policies page, a list of recently edited records
appears.
a. If the line-item policy record you want is already visible in the list, click on it to open
the editing fields.
b. If the policy record is not visible, use the pair of labeled text boxes provided near the
top of the page. You can use one or both of the fields to specify:
3. Upon placing the cursor inside a field, you see a drop-down list of all instances, which
starts filtering as you type (a portion of) a name. (This filtering is the CA Privileged Access
Manager autosuggest feature.) After you select a User and/or Device name, the policy list
(below the search boxes) is filtered and fewer policy records are displayed for possible
selection.
The individual Users, as well as the User Group, resulting from an imported LDAP group will all
be available for application of policy.
a. In the autosuggest drop-down list, the following constructions are used to represent
imported Users and Groups:
b. After being selected, in the selection field, and then once created, in the page list, the
User is designated by their Distinguished Name, for example:
4. When you choose a Device Group, only those Access Methods that were specified for the
group, and not those specified for individual Devices, will be applicable and displayed.
5. Click the desired policy record from the filtered list to display the Policy relationship for that
User-Device pair.
To help you choose, in the rightmost Details column an indicator of the policy components
that have been set is provided: If a setting has been made to a policy category (Access
Methods, Services, etc.), the policy section label is blackened; otherwise it is gray.
6. To create a new policy record, use the search boxes described in the preceding step to select
a User (or User Group) and Device (or Device Group) pair – there should be no resulting
records ("No results"). Otherwise, return to the previous step.
7. Click the blue link in the upper right corner, Create Policy, to open the policy editing pane.
9. After you click Save, the editing pane will close, and you will see a policy "list" with the one
line item you just created.
Field: Description
Access: Access Methods
  Select any number of desired items from the drop-down lists provided on this page. The options that are provided in the lists were set in the configuration record for this Device. See Provisioning Devices (see page 126) for more information.
  Add / Edit: As previously activated for this Device
Access: Services
  (See Access Methods description)
  Add / Edit: As previously activated for this Device
Password Management: Passwords
  Add / Edit: As previously activated for this Device
  Note: For AWS AMI instance UNIX and Linux Devices, only EC2 keys autopopulate as options
Access: OOB & Power
  (See Access Methods description)
  KVM, Power, Serial: As previously activated for this Device
Access: Filters
  Select one or no Command Filter, and one or no Socket Filter. The available filters were set in the Manage Filters interface. See Provisioning: Filters for more information.
  Command Filters: As previously defined. Select one. Grouped as Black Lists and White Lists.
  Socket Filters: As previously defined. Select one. Grouped as Black Lists and White Lists.
  Restrict login if agent is not running: Prerequisite: Populated Socket Filters. When selected: If CA Privileged Access Manager cannot detect a running Socket Filter Agent on this device, and a connection is being attempted that is among those that the SFA monitors, the login is rejected.
    Note: For connection types that are not monitored by CA Privileged Access Manager socket filtering, connection instances are never rejected by this feature.
    Connections that SFAs monitor include: Access Method GUI, CLI, and mainframe applets; and RDP, VNC, and ICA Services.
    Connections that SFAs do not monitor include: standard (customized) Services and Web Portal Services. [XGK-231 As user, ability to launch a "normal" or "Web Portal" Service which has "Restrict login if agent is not running" set.]
Recording
  The options provided in the lists will have been previously set in the configuration record for this Device. See Provisioning: Devices for more information.
  Note: So that session recordings may be viewed when CA Privileged Access Manager is accessed through a Juniper SA appliance, the administrator must configure a policy for allowing custom headers. See "Junos configuration required for viewing session recordings".
  Graphical: Prerequisite: RDP and/or VNC are permitted (listed in Selected Access Methods). Select if you want this User's activity on this Device to be recorded graphically. Graphical session recording is available for the RDP and VNC applets.
  Command Line: Prerequisite: TELNET, SSH, or Console is permitted (listed in Selected Access Methods). Select if you want this User's command line activity on this Device to be recorded (as plain text). TELNET, SSH, and Console user keystrokes can be recorded.
    Note: SSH Proxy (SSH by using a Service) recording requires that the Bidirectional checkbox is selected.
  Bidirectional: Prerequisite: The Command Line option has been selected. Select if you want Device command line output to be recorded in addition to User command line entries.
    NOTE: All mainframe-access applets (TN3270, TN3270SSL, TN5250, TN5250SSL) apply bidirectional session recording (when session recording is enabled).
  Web Portal: Prerequisite: A Web Portal is permitted (selected and listed in Services). Select if you want this User's activity on this Device Web Portal to be recorded graphically. Graphical session recording is available for the VNC applet.
  On Violation: Prerequisite: (No other recording selections are made.) When selected, whenever a User causes a violation against a Command Filter or Socket Filter during a connection session, session recording is initiated on the active session. The recording continues until the User ends the connection session.
3. Specify the IP address of the web portal resource that this policy applies to, with protocol
specification, for example:
https://192.0.2.123
2. From either the top or the bottom of the record, click Manage Policy.
This feature is available not only for Local Users but also for LDAP and RADIUS users.
3. You are then transferred to the Manage Policies page, where the User (Group) field is
prepopulated with the Username you left. From here, you can select the appropriate Device
(Group) and edit their policy.
2. In the Import Policy from CSV file panel, click Download Sample File.
Alternatively, if there is currently a set of policies, you can create a current file from the
existing one. In that case, in the Export Policy from CA Privileged Access Manager to CSV file
panel click Export Policy.
3. Copy and rename the sample (or exported) file (sample: "PolicyImportSample.csv"), and open
the new copy in any spreadsheet to inspect the column headers (policy field labels; first line)
and cell values (one policy record per line).
Each line below the (first-line) header is a full policy association.
5. On the Policy, Import/Export Policy page, click Browse in the "Import Policy from the CSV file"
panel to locate your new file.
Export Policy
To export existing policy to a CSV file:
Import Policy
To import a policy CSV to CA Privileged Access Manager, use the interface on the Policy, Import
/Export Policy page.
2. In the User (Group) field, start typing the User or User Group you want, and select the
matching full name from the filtered drop-down list.
3. In the Device (Group) field, start typing the Device or Device Group you want, and select the
matching full name from the filtered drop-down list.
4. In the upper-right corner of the page body, click the Create Policy link. A policy template
opens.
5. (Optional) To use an Access Method, click Add (or Edit) to the right of Access, and from the
drop-down list select an available type:port (for example, RDP:3389). A blank field opens to
the right.
a. (Optional) To allow auto-connection to the device, click in this field and select a target
account - target account pair.
6. (Optional) To use a previously provisioned local Service, click Add (or Edit) to the right of
Services, and from the drop-down list select a Service (for example, PuTTY). A blank field
opens to the right.
a. (Optional) To allow auto-connection to the device, click in this field and select a target
account - target account pair.
a. Click Add (or Edit) to the right of Passwords, and from the drop-down list select a
target application (for example, WindowsOS). A blank field opens to the right.
b. Click in this field. Select an available target account from the drop-down list for the
application which stores the password.
8. (Optional) If this device is out-of-band, to the right of OOB & Power select controls to activate
KVM control, Power switching, or Serial access.
9. (Optional) To apply a Command Filter to all connections, select one from the drop-down list.
10. (Optional) To apply a Socket Filter to all connections, select one from the drop-down list.
a. (Optional) To prevent device access whenever its Socket Filter Agent (SFA) is not
running, select Restrict login if agent is not running.
11. (Optional) To activate recording, select Graphical for RDP or VNC connections or Command
Line for CLI connections.
a. (Optional) For CLI connections, to capture both output and input lines, select
Bidirectional. Otherwise, only output lines are captured.
b. (Optional) To start recording only after the user commits a (filter) violation, select On
Violation. Otherwise, all connections are recorded from start to finish.
The activated device or password access is now available for execution from the Access page of the
user.
Policy inspection
View Policy
To view (and edit) explicitly assigned policy for a (User / User Group) and (Device / Device Group)
pair, enter the policy editing mode.
Explicitly set with each Device for that User or User Group
Inherited from the policy of User Groups of which the current User is a member
Inherited from the policy of Device Groups which are associated with the current User or User
Group
Procedure
1. Open the Users, Manage Users page.
2. Move your mouse over a User record line item, and open it for editing by clicking it.
3. At the right-hand side of either the top or bottom of the User record, click the button View
Policy .
A shadow window appears with a list showing one Device record per line. Each Device
displays its current access options (Access Methods, OOB, Services, SSLVPN, RDP
Applications). Each Device record can be clicked to reveal, in a left pane, the actual policy pair
generating the inheritance. By clicking Expand All or Collapse All, all records can be opened or
closed, respectively.
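The Set Up a Policy section describes a User's effective policy as the union of all policy assignments (up to one policy per User/Device pairing), and the View Policy procedure lists the three sources it can come from: the pair set explicitly for the User and Device, pairs inherited through the User's User Groups, and pairs inherited through the Device's Device Groups. The following is an added example, not CA Privileged Access Manager code, that resolves an effective policy from those sources and reports which policy pair generated each inherited entry, as the View Policy window does. The directory contents, group names, and the access method and service labels are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Added example (not CA PAM code): resolve a User's effective policy as the
# union of explicit and inherited policy pairs, and report the source pairs.

Pair = Tuple[str, str]  # (User or User Group, Device or Device Group)


@dataclass(frozen=True)
class Policy:
    access_methods: FrozenSet[str] = frozenset()
    services: FrozenSet[str] = frozenset()


@dataclass
class Directory:
    devices: Set[str]
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)    # user -> groups
    device_groups: Dict[str, Set[str]] = field(default_factory=dict)  # device -> groups
    policies: Dict[Pair, Policy] = field(default_factory=dict)        # explicit pairs


def candidate_pairs(directory: Directory, user: str, device: str) -> List[Pair]:
    """Every pairing that can contribute: the User itself and each of its
    groups, against the Device itself and each of its groups."""
    principals = [user] + sorted(directory.user_groups.get(user, set()))
    targets = [device] + sorted(directory.device_groups.get(device, set()))
    return [(p, t) for p in principals for t in targets]


def effective_policy(directory: Directory, user: str, device: str) -> Tuple[Policy, List[Pair]]:
    """Union of all matching policy pairs, plus the pairs that produced it."""
    methods: Set[str] = set()
    services: Set[str] = set()
    sources: List[Pair] = []
    for pair in candidate_pairs(directory, user, device):
        policy = directory.policies.get(pair)
        if policy is None:
            continue
        methods |= policy.access_methods
        services |= policy.services
        sources.append(pair)
    return Policy(frozenset(methods), frozenset(services)), sources


def user_access_page(directory: Directory, user: str) -> Dict[str, Policy]:
    """What the User Access page would list: each Device with a non-empty effective policy."""
    page: Dict[str, Policy] = {}
    for device in sorted(directory.devices):
        policy, sources = effective_policy(directory, user, device)
        if sources:
            page[device] = policy
    return page


def sample_directory() -> Directory:
    """Constructed sample: alice is in DBAs; db01 and db02 are in Prod-DB."""
    return Directory(
        devices={"db01", "db02", "web01"},
        user_groups={"alice": {"DBAs"}},
        device_groups={"db01": {"Prod-DB"}, "db02": {"Prod-DB"}},
        policies={
            ("alice", "db01"): Policy(access_methods=frozenset({"SSH:22"})),
            ("DBAs", "Prod-DB"): Policy(access_methods=frozenset({"RDP:3389"}),
                                        services=frozenset({"PuTTY"})),
            ("Auditors", "web01"): Policy(access_methods=frozenset({"RDP:3389"})),
        },
    )
```

Because the result is a union, removing a User's explicit policy does not revoke access that still arrives through a User Group or Device Group pair; the source list is what tells an administrator where the remaining entries come from.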
To access the Credential Manager UI, select Policy, Manage Passwords from the CA Privileged Access
Manager UI.
Time Zone: The localized time zone or the offset from Greenwich Mean Time (GMT)
List Page Size: The number of entries that are displayed per page in a list
These options are configured on the Preferences page. The Preferences page also displays the date
and time for both the user specified time zone and the CA Privileged Access Manager appliance.
2. Click the Preferences link in the top right corner of the title bar. The User Preferences pop-up
window appears.
5. Click Save.
2. Click the Preferences link in the top right corner of the title bar. The User Preferences pop-up
window appears.
3. Enter an integer value for the number of list entries per page.
4. Click Save.
2. Click the Preferences link in the top right corner of the title bar. The User Preferences pop-up
window appears.
3. Select the start page from the Home Page list box.
4. Click Save.
Also, an administrator can define an initial dashboard for the user. See Customize the Global
Dashboard (https://docops.ca.com/display/CAPAM28/Customize+the+Global+Dashboard).
2. Click the Dashboard tab. If you are logging on to Credential Manager for the first time after an
installation, an empty Dashboard Summary appears.
3. To edit the default Dashboard settings, click the Gear icon in the top right corner of the
Dashboard Summary. The Dashboard Settings window appears.
4. To add a new item to the Dashboard Summary, click the Plus icon. Select an entry from the list
of dashboard items available to add. Click Add.
5. To remove an entry from the Dashboard Summary, click the Remove icon on the row and click
Save. The Remove icon is a yellow X.
6. To reposition a list item, drag-and-drop the item to the desired location or click the Up or the
Down icon at the end of the row. Click Save.
7. To set a threshold limit that activates a warning icon in the Dashboard Summary, enter a
value in the Threshold field. For example, if you set a threshold value of 5 for Passwords Not
Verified and the number of unverified passwords reaches 5 or more, a warning icon appears
in the Dashboard Summary page.
Password composition policies (see page 252): These policies are rules to which passwords must
conform.
Password view policies (see page 260): These policies determine what to do when someone
wants to view a password and what to do after a password is viewed.
You can also create policies for SSH key pairs (see page 297). These policies set the rules for
generating SSH key pairs that are used by UNIX accounts.
Password composition policies are applied on a target application basis; that is, each target
application defines which password composition policy to apply. Manually entered passwords are
validated against the password composition policy that is registered for the associated target
application. Credential Manager also uses the registered password composition policy to generate
random passwords.
Password composition policy characteristics define the minimum requirements for passwords.
Configurable password composition policy characteristics include:
Password Prefix: A fixed sequence of characters that must start the password string
Must Contain: The types of characters that the password must contain. Each type of character
that is not selected is excluded from the password.
First Must Contain: The password must start with one of the selected choices. The first
character of each password is one of the types of characters selected.
Must Not Contain: Character patterns that the password must not contain. Options include:
Disallow Repeating Characters: Do not allow any adjacent matching characters. Matching
characters that are not adjacent are allowed. In the following example, the adjacent "CC"
is rejected, but the later, non-adjacent occurrences of C would be allowed:
ABCCDECFC
Disallow Duplicate Characters: Do not allow any matching characters, adjacent or not. In the
following example, every repeated C is rejected:
ABCCDECFC
Characters to Exclude: Do not allow any character from a list that you specify.
Minimum Length: Password length must be greater than or equal to this value.
Maximum Length: Password length must be less than or equal to this value.
Minimum Iterations Before Reuse: Do not allow the reuse of any of the specified number of
most recent passwords. For example, if you enter "3", then the current password cannot be
reused, nor can the previous password, nor the one before that. However, the third previous
password can be reused, and so can any password before that. Entering "0" means that there
are no restrictions; a password can always be reused.
Minimum Days Before Reuse: Do not allow the reuse of any password that was used within the
last specified number of days.
Maximum Password Age Enforcement: A password is considered expired after this many days.
Credential Manager can then automatically change the expired password if configured to do so
on the Settings, General Settings page.
You cannot create a policy without at least one (ASCII character set) item from Must Contain and at
least one item from First Must Contain. This behavior can prevent the creation of effective policies
for passwords of certain character sets.
The options Minimum Iterations Before Reuse and Minimum Days Before Reuse prevent the same
password from being used twice up to the set value of iterations or days.
Minimum Iterations Before Reuse and Minimum Days Before Reuse conditions are only checked
when updating a target account password.
When no policy is set, the default password composition policy is applied. With the default policy,
manually entered passwords can be any string of characters consisting of uppercase characters,
lowercase characters, numeric characters, and special characters. The password must have 4-16
characters.
Credential Manager generates passwords by using the associated password composition policy. With
the default policy, Credential Manager generates passwords that are 16 randomly generated
characters consisting of upper and lower case alphabetic characters, numeric and special characters.
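The rules above are easy to misread, so here is an added example, written for this page rather than taken from CA Privileged Access Manager, that encodes them as a validator and a generator. It is a general model: it checks any combination of the characteristics, not only the sample policies on the page. The names CompositionPolicy, validate and generate are this example's own, the special-character set is assumed, the rules are applied to the whole string including the prefix, and every selected Must Contain type is treated as required, which is one reading of that option.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Sequence

# Character types behind the Must Contain / First Must Contain check boxes. The
# special-character set is assumed for this example; a real policy carries its
# own specialCharacters list.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!#$%()*+,-./:;=?@[]^_{|}~",
}
ALL = frozenset(CLASSES)


@dataclass
class CompositionPolicy:
    """The characteristics described above; field names are this example's."""
    min_length: int = 4
    max_length: int = 16
    prefix: str = ""                      # Password Prefix
    must_contain: frozenset = ALL         # selected types; any other type is excluded
    first_must_contain: frozenset = ALL   # types allowed for the first character
    disallow_repeating: bool = False      # no two adjacent identical characters
    disallow_duplicate: bool = False      # no character used more than once
    exclude: str = ""                     # Characters to Exclude
    min_iterations_before_reuse: int = 0  # 0 means no restriction


def class_of(ch: str):
    return next((name for name, chars in CLASSES.items() if ch in chars), None)


def validate(policy: CompositionPolicy, password: str, history: Sequence[str] = ()) -> list:
    """Return the rules the password breaks; an empty list means it conforms.
    history holds earlier passwords most recent first, current password first,
    which is how Minimum Iterations Before Reuse counts them. Rules are applied
    to the whole string, prefix included (an assumption of this example)."""
    if not password or not policy.min_length <= len(password) <= policy.max_length:
        return ["length"]
    problems = []
    if policy.prefix and not password.startswith(policy.prefix):
        problems.append("prefix")
    for name in sorted(policy.must_contain):
        if not any(c in CLASSES[name] for c in password):
            problems.append("missing " + name)
    if any(class_of(c) not in policy.must_contain for c in password):
        problems.append("disallowed type")
    if class_of(password[0]) not in policy.first_must_contain:
        problems.append("first character")
    if policy.disallow_repeating and any(a == b for a, b in zip(password, password[1:])):
        problems.append("repeating")
    if policy.disallow_duplicate and len(set(password)) != len(password):
        problems.append("duplicate")
    if any(c in policy.exclude for c in password):
        problems.append("excluded character")
    n = policy.min_iterations_before_reuse
    if n and password in list(history)[:n]:
        problems.append("reuse")
    return problems


def generate(policy: CompositionPolicy, history: Sequence[str] = (), attempts: int = 1000) -> str:
    """Produce a conforming password of max_length characters (the default policy
    above yields 16, its maximum) from a CSPRNG, rejecting candidates that fail
    validate(); rejection sampling keeps the output unbiased over valid strings."""
    pool = [c for name in sorted(policy.must_contain) for c in CLASSES[name] if c not in policy.exclude]
    first = [c for name in sorted(policy.first_must_contain & policy.must_contain)
             for c in CLASSES[name] if c not in policy.exclude]
    body_len = policy.max_length - (len(policy.prefix) or 1)
    if body_len < 0 or not pool or not (policy.prefix or first):
        raise ValueError("policy cannot produce a password")
    for _ in range(attempts):
        head = policy.prefix or secrets.choice(first)
        candidate = head + "".join(secrets.choice(pool) for _ in range(body_len))
        if not validate(policy, candidate, history):
            return candidate
    raise ValueError("no conforming password found; check the policy with Test")
```

validate() returns every broken rule rather than stopping at the first, so a caller can report them all at once the way the GUI Test button does. generate() draws from the secrets module and discards candidates until one conforms; for rules such as Disallow Duplicate Characters that is the simple way to satisfy the policy without skewing the distribution, and a policy that cannot be satisfied surfaces as a ValueError instead of a silent loop.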
Caution:
Ensure that policies that you create always meet or exceed the minimum password
composition policy of any target account under management. Also, validate that the use of
special characters defined in the password composition policy is allowed in the target
system. Failure to do so allows Credential Manager to generate a password update that
fails because the target system prevents the update.
You can create password composition policies with the GUI or the CLI. Once you create password
composition policies, you can then apply them to target applications.
Databases: Use alpha and numeric characters, plus a special character, such as [!#_-$@*], with a
minimum length of 6 characters and a maximum length of 12 characters.
Windows: Use alpha and numeric characters, plus a special character, such as [!#_-$@*], with a
minimum length of 6 characters and a maximum length of 12 characters.
UNIX: Use alpha characters (no mixed or numeric characters) with a length of eight characters.
Password composition policies must comply with the requirements of the remote applications.
2. From the new tab/window menu bar, select Targets, Password Composition Policies. The
Password Composition Policy List page appears.
6. Select the policy rules that you want to apply. At least one of the Must Contain or First Must
Contain items must be checked. Do not enter the same characters in both the Must Contain and
Must Not Contain fields.
7. Click Test. The GUI notifies you whether the options you set are acceptable and shows a
sample generated password. This test helps you to:
Verify whether a password can be generated with the options you set
8. Click Save.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordPolicy>
<minLength>6</minLength>
<maxLength>16</maxLength>
<minDaysBeforeReuse>3</minDaysBeforeReuse>
<minIterationsBeforeReuse>2</minIterationsBeforeReuse>
<firstCharacterSpecialCharacters>!#$%()*+,-./:;=?[\\]^_{|}~</firstCharacterSpecialCharacters>
<mustNotContainCharacters>true</mustNotContainCharacters>
<passwordPrefix>pas</passwordPrefix>
<specialCharacters>!#$%()*+,-./:;=?[\\]^_{|}~</specialCharacters>
<composedOfLowerCaseCharacters>true</composedOfLowerCaseCharacters>
<composedOfMustNotContainCharacters>false</composedOfMustNotContainCharacters>
<composedOfNumericCharacters>true</composedOfNumericCharacters>
<composedOfSpecialCharacters>true</composedOfSpecialCharacters>
<composedOfUpperCaseCharacters>true</composedOfUpperCaseCharacters>
<firstCharacterLowerCase>true</firstCharacterLowerCase>
<firstCharacterNumeric>true</firstCharacterNumeric>
<firstCharacterSpecial>true</firstCharacterSpecial>
<firstCharacterUpperCase>true</firstCharacterUpperCase>
<mustNotContainDuplicateCharacters>true</mustNotContainDuplicateCharacters>
<mustNotContainRepeatingCharacters>true</mustNotContainRepeatingCharacters>
<name>NewPasswordPolicy</name>
<type>passwordPolicy</type>
<description>PasswordCompositionPolicy</description>
<ID>1006</ID>
<Attribute.composedOfNumericCharacters>true</Attribute.composedOfNumericCharacters>
<Attribute.mustNotContainCharacters>true</Attribute.mustNotContainCharacters>
<Attribute.composedOfSpecialCharacters>true</Attribute.composedOfSpecialCharacters>
<Attribute.firstCharacterNumeric>true</Attribute.firstCharacterNumeric>
<Attribute.mustNotContainAnyDuplicateCharacters>true</Attribute.mustNotContainAnyDuplicateCharacters>
<Attribute.firstCharacterSpecial>true</Attribute.firstCharacterSpecial>
<Attribute.firstCharacterSpecials>!#$%()*+,-./:;=?[\\]^_{|}~</Attribute.firstCharacterSpecials>
<Attribute.firstCharacterLowerCase>true</Attribute.firstCharacterLowerCase>
<Attribute.composedOfLowerCaseCharacters>true</Attribute.composedOfLowerCaseCharacters>
<Attribute.maxLength>16</Attribute.maxLength>
<Attribute.passwordPrefix>pas</Attribute.passwordPrefix>
<Attribute.composedOfMustNotContainCharacters>false</Attribute.composedOfMustNotContainCharacters>
<Attribute.firstCharacterUpperCase>true</Attribute.firstCharacterUpperCase>
<Attribute.minLength>6</Attribute.minLength>
<Attribute.minDaysBeforeReuse>3</Attribute.minDaysBeforeReuse>
<Attribute.specialCharacters>!#$%()*+,-./:;=?[\\]^_{|}~</Attribute.specialCharacters>
<Attribute.composedOfUpperCaseCharacters>true</Attribute.composedOfUpperCaseCharacters>
<Attribute.minIterationsBeforeReuse>2</Attribute.minIterationsBeforeReuse>
<Attribute.mustNotContainConsecutiveDuplicateCharacters>true</Attribute.mustNotContainConsecutiveDuplicateCharacters>
<createDate>Wed Nov 24 07:13:03 UTC 2010</createDate>
<createUser>admin</createUser>
<extensionType />
<hash />
</PasswordPolicy>
</cr.result>
</CommandResult>
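The Caution above says a policy must never be able to generate a password that the target rejects, and the CLI hands the policy back as a CommandResult like the one just shown. The following added example, written for this page and not CA's code, parses such a result and checks the policy against target requirements of the kind listed earlier for Databases, Windows and UNIX. The sample XML is constructed for the example, the success check keys off the "Success." description because the output above reports success with statusCode 400, and the target definitions, including the reading of the UNIX "alpha (no mixed or numeric characters)" rule as lower-case letters only, are this example's assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed CommandResult, modelled on the PasswordPolicy output above (not
# captured from an appliance; the Attribute.* duplicates are omitted).
SAMPLE = r"""<CommandResult>
  <cr.itemNumber>0</cr.itemNumber>
  <cr.statusCode>400</cr.statusCode>
  <cr.statusDescription>Success.</cr.statusDescription>
  <cr.result>
    <PasswordPolicy>
      <minLength>6</minLength>
      <maxLength>16</maxLength>
      <passwordPrefix>pas</passwordPrefix>
      <specialCharacters>!#$%()*+,-./:;=?[\\]^_{|}~</specialCharacters>
      <composedOfLowerCaseCharacters>true</composedOfLowerCaseCharacters>
      <composedOfNumericCharacters>true</composedOfNumericCharacters>
      <composedOfSpecialCharacters>true</composedOfSpecialCharacters>
      <composedOfUpperCaseCharacters>true</composedOfUpperCaseCharacters>
      <name>NewPasswordPolicy</name>
      <ID>1006</ID>
    </PasswordPolicy>
  </cr.result>
</CommandResult>"""

# composedOf* element -> character type it switches on
CLASS_FLAGS = {
    "composedOfUpperCaseCharacters": "upper",
    "composedOfLowerCaseCharacters": "lower",
    "composedOfNumericCharacters": "digit",
    "composedOfSpecialCharacters": "special",
}


def parse_policy(command_result_xml):
    """Read the PasswordPolicy out of a CommandResult. The output above reports
    success as statusCode 400 with description 'Success.', so the description
    rather than the numeric code decides whether a result is present."""
    root = ET.fromstring(command_result_xml)
    if root.findtext("cr.statusDescription") != "Success.":
        raise RuntimeError("CLI call failed: %s %s" % (
            root.findtext("cr.statusCode"), root.findtext("cr.statusDescription")))
    node = root.find("cr.result/PasswordPolicy")
    if node is None:
        raise RuntimeError("CommandResult carries no PasswordPolicy")
    return {
        "name": node.findtext("name"),
        "min_length": int(node.findtext("minLength")),
        "max_length": int(node.findtext("maxLength")),
        "prefix": node.findtext("passwordPrefix") or "",
        "specials": node.findtext("specialCharacters") or "",
        "classes": frozenset(t for tag, t in CLASS_FLAGS.items() if node.findtext(tag) == "true"),
    }


@dataclass(frozen=True)
class TargetRequirement:
    """What a target platform accepts; values follow the Databases/Windows/UNIX
    examples above, with this example's reading of UNIX 'alpha' as lower case."""
    name: str
    min_length: int
    max_length: int
    allowed: frozenset      # character types the target accepts at all
    required: frozenset     # character types a password must contain
    allowed_specials: str   # special characters the target accepts ("" for none)


ALL = frozenset({"upper", "lower", "digit", "special"})
WINDOWS = TargetRequirement("Windows", 6, 12, ALL, frozenset({"lower", "digit", "special"}), "!#_-$@*")
UNIX = TargetRequirement("UNIX", 8, 8, frozenset({"lower"}), frozenset({"lower"}), "")


def char_class(ch, specials):
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "special" if ch in specials else None


def compatibility_problems(policy, target):
    """List the ways the policy could generate a password the target rejects; an
    empty list means every generated password satisfies the target."""
    problems = []
    if policy["min_length"] < target.min_length:
        problems.append("min length %d is below the %s minimum of %d" % (policy["min_length"], target.name, target.min_length))
    if policy["max_length"] > target.max_length:
        problems.append("max length %d exceeds the %s maximum of %d" % (policy["max_length"], target.name, target.max_length))
    missing = target.required - policy["classes"]
    if missing:
        problems.append("policy does not require %s, which %s needs" % (sorted(missing), target.name))
    extra = policy["classes"] - target.allowed
    if extra:
        problems.append("policy generates %s characters that %s rejects" % (sorted(extra), target.name))
    if "special" in policy["classes"] and "special" in target.allowed:
        rejected = "".join(sorted(set(policy["specials"]) - set(target.allowed_specials)))
        if rejected:
            problems.append("special characters %s are not accepted by %s" % (rejected, target.name))
    for ch in policy["prefix"]:  # a fixed prefix is generated verbatim, so it must be acceptable too
        if char_class(ch, target.allowed_specials) not in target.allowed:
            problems.append("prefix character %r is not accepted by %s" % (ch, target.name))
            break
    return problems
```

Run the check before applying a policy to a target application; each string in the returned list is a rule that can produce a failed password update. Note that the second CommandResult sample below carries a bare & inside specialCharacters, which a conforming XML parser rejects; such output needs the & escaped as &amp; before it is fed to parse_policy().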
You can also enable or disable the automatic updating of expired passwords globally. If it is enabled,
the password for a synchronized account is automatically updated after it expires. Passwords for
unsynchronized accounts remain expired until manually updated.
You can see the password expiry details from the Account Details page. The following parameters
apply:
Maximum Password Age Enforcement: This field indicates whether the associated password
composition policy has maximum password age enforcement enabled.
Maximum Password Age Policy: This field indicates the maximum password age in days as
specified in the associated password composition policy.
Password Expiry: The expiry date of a password is its last update date plus the maximum age
specified in the password composition policy that is associated with its application. The
display is green if the password expires at least one day in the future, yellow if it expires
on the current day, and red if it has already expired.
Set the Maximum Age of a Target Account Password with the GUI
Follow these steps:
2. Click Targets, Password Composition Policies. The Password Composition Policy List page
appears.
3. Follow the steps of creating a password composition policy. See Create a Password
Composition Policy Using the GUI (see page 254).
In the password composition policy, configure the following parameters:
Maximum Password Age Enforcement: This parameter sets whether password age
enforcement is active or not. If disabled, the password for the target account never
expires.
Maximum Password Age (Days): This parameter specifies the maximum age of a password
in days. The default value is 90 days.
Set the Maximum Age of a Target Account Password with the CLI
Follow these steps:
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordPolicy>
<minLength>6</minLength>
<maxLength>16</maxLength>
<maxPasswordAge>0</maxPasswordAge>
<minDaysBeforeReuse>3</minDaysBeforeReuse>
<minIterationsBeforeReuse>2</minIterationsBeforeReuse>
<firstCharacterSpecialCharacters>!#$%()*+,-./:;=?@[\]^_`{|}~&</firstCharacterSpecialCharacters>
<mustNotContainCharacters></mustNotContainCharacters>
<passwordPrefix></passwordPrefix>
<specialCharacters>!#$%()*+,-./:;=?@[\]^_`{|}~&</specialCharacters>
<composedOfLowerCaseCharacters>true</composedOfLowerCaseCharacters>
<composedOfMustNotContainCharacters>false</composedOfMustNotContainCharacters>
<composedOfNumericCharacters>true</composedOfNumericCharacters>
<composedOfSpecialCharacters>false</composedOfSpecialCharacters>
<composedOfUpperCaseCharacters>true</composedOfUpperCaseCharacters>
<enableMaxPasswordAge>false</enableMaxPasswordAge>
<firstCharacterLowerCase>false</firstCharacterLowerCase>
<firstCharacterNumeric>false</firstCharacterNumeric>
<firstCharacterSpecial>false</firstCharacterSpecial>
<firstCharacterUpperCase>true</firstCharacterUpperCase>
<mustNotContainDuplicateCharacters>false</mustNotContainDuplicateCharacters>
<mustNotContainRepeatingCharacters>false</mustNotContainRepeatingCharacters>
<name>MaximumPasswordAgePolicyNew</name>
<type>passwordPolicy</type>
<description>PasswordCompositionPolicy</description>
<ID>1004</ID>
<Attribute.composedOfNumericCharacters>true</Attribute.composedOfNumericCharacters>
<Attribute.mustNotContainCharacters></Attribute.mustNotContainCharacters>
<Attribute.composedOfSpecialCharacters>false</Attribute.composedOfSpecialCharacters>
<Attribute.firstCharacterNumeric>false</Attribute.firstCharacterNumeric>
<Attribute.maxPasswordAge>0</Attribute.maxPasswordAge>
<Attribute.enableMaxPasswordAge>false</Attribute.enableMaxPasswordAge>
<Attribute.firstCharacterSpecial>false</Attribute.firstCharacterSpecial>
<Attribute.firstCharacterSpecials>!#$%()*+,-./:;=?@[\]^_`{|}~&</Attribute.firstCharacterSpecials>
<Attribute.mustNotContainAnyDuplicateCharacters>false</Attribute.mustNotContainAnyDuplicateCharacters>
<Attribute.firstCharacterLowerCase>false</Attribute.firstCharacterLowerCase>
<Attribute.composedOfLowerCaseCharacters>true</Attribute.composedOfLowerCaseCharacters>
<Attribute.maxLength>16</Attribute.maxLength>
<Attribute.passwordPrefix></Attribute.passwordPrefix>
<Attribute.composedOfMustNotContainCharacters>false</Attribute.composedOfMustNotContainCharacters>
<Attribute.firstCharacterUpperCase>true</Attribute.firstCharacterUpperCase>
<Attribute.minLength>6</Attribute.minLength>
<Attribute.minDaysBeforeReuse>3</Attribute.minDaysBeforeReuse>
<Attribute.specialCharacters>!#$%()*+,-./:;=?@[\]^_`{|}~&</Attribute.specialCharacters>
<Attribute.composedOfUpperCaseCharacters>true</Attribute.composedOfUpperCaseCharacters>
<Attribute.minIterationsBeforeReuse>2</Attribute.minIterationsBeforeReuse>
<Attribute.mustNotContainConsecutiveDuplicateCharacters>false</Attribute.mustNotContainConsecutiveDuplicateCharacters>
<createDate>Thu Dec 01 11:17:28 UTC 2011</createDate>
<createUser>admin</createUser>
<updateDate>Thu Dec 01 11:17:28 UTC 2011</updateDate>
<updateUser>admin</updateUser>
<extensionType></extensionType>
<hash></hash>
</PasswordPolicy>
</cr.result>
</CommandResult>
Use the following procedure to enable or disable automatic updating of expired passwords globally
from the GUI:
3. Select the Automatically Update Expired Passwords check box. This option automatically
updates synchronized accounts that have expired passwords with a new password.
To enable the automatic updating of expired passwords globally from the CLI, use the
targetAccountPasswordExpirationEnabled system property as in the following example:
Automatically change the account password for synchronized accounts once it is viewed
Ensure that only one person at a time can view an account password
Ensure that an account password is only revealed after a specific approver has authorized it
Note:
Password view policies apply only to password administration with the GUI, CLI, or Java
API. Requests from A2A clients are unaffected by password view policies.
Note:
Any change to an existing password view policy applies to all future attempts to view a
password. Attempts that are already "in transit" can still be governed by the previous
version of the policy. For example, if you disable Check-out/Check-in on a policy while a
password is checked out, the password remains checked out until a user checks it back in or
the check-out interval expires.
For this reason, we recommend that you do not change the password view policy of an
account while there are outstanding password view requests for that account.
However, the changes that are made to the list of approvers in the password view policy
take effect immediately. For example, a new approver that is added to the list of approvers
is able to receive the email that is related to the request. The newly added approver can
approve or deny the request. Similarly, if an approver is removed from the list, that
approver is no longer able to receive the email or, approve or deny the request.
2. From the new tab/window menu bar, select Workflow, Password View Policies. The Password
View Policy List page appears.
4. Enter the policy name and description. Specify the following settings:
Re-authenticate for View: If you select this option, a dialog appears when a user tries to
view a password. To continue, the user enters their password.
Re-authenticate for Auto-Connect: If you select this option, a dialog appears when a user
tries to auto-connect to an application through Access. To continue, the user enters their
password.
Reason Required for View: If you select this option, a dialog appears when a user tries to
view an Account password. The user selects a Reason and enters an optional Description
and optional Reference Code to view the password. Select the View Credential (eye icon)
for an Account on the Account List page or on the Account Details page.
Reason Required for Auto-Connect: If you select this option, a dialog appears when a user
tries to auto-connect to an application through Access. The user selects a Reason and enters
an optional Description and optional Reference Code before the connection proceeds.
The change password interval, if either of the previous two options is selected
Dual authorization (see page 266), if applicable, and details that are related to it such as:
Request must be within. Specify the period in days within which password view can be
requested, if applicable. The default value is 14 days.
The default request interval is. Specify the default interval in minutes, to be set to view
the password, if applicable. The default value is 60 minutes.
Note:
When you request a password view, the time difference that is shown in
Request Password From and Request Password To fields is set to the default
request interval provided in the password view policy.
The maximum request interval. Specify the maximum interval in minutes, up to which
the password can be viewed, if applicable. The default value is 60 minutes.
Note:
How long to wait before automatically checking in the account password, if applicable
Note:
Use the dual authorization list of approvers or select a new set of users for sending
email notification, if applicable
Whether only the active users from the dual authorization list of approvers or new set
of users must be emailed, if applicable
5. Click Save.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewPolicy>
<name>PasswordViewPolicy</name>
<readOnly>false</readOnly>
<description />
<enableOneClickApproval>true</enableOneClickApproval>
<changePasswordOnView>true</changePasswordOnView>
<emailNotificationRequired>true</emailNotificationRequired>
<dualAuthorizationRequired>true</dualAuthorizationRequired>
<passwordViewRequestMaxDays>14</passwordViewRequestMaxDays>
<passwordViewRequestMaxInterval>60</passwordViewRequestMaxInterval>
<dualAuthorizationInterval>60</dualAuthorizationInterval>
<approverIDs>[]</approverIDs>
<emailNotificationUserIDs>[]</emailNotificationUserIDs>
<checkinCheckoutRequired>true</checkinCheckoutRequired>
<checkinCheckoutInterval>60</checkinCheckoutInterval>
<passwordChangeInterval>60</passwordChangeInterval>
<emailNotificationForDualAuthApprovers>false</emailNotificationForDualAuthApprovers>
<authenticationRequired>true</authenticationRequired>
<emailNotificationForActiveUsers>true</emailNotificationForActiveUsers>
<ID>1016</ID>
<createDate>Wed Nov 17 07:46:45 UTC 2010</createDate>
<createUser>admin</createUser>
<extensionType />
<hash>uO9WFJd7m5RNv2N/3ZgIqVGU00M=</hash>
<updateDate>Wed Nov 17 07:46:45 UTC 2010</updateDate>
<updateUser>admin</updateUser>
</PasswordViewPolicy>
</cr.result>
</CommandResult>
The previous example creates a policy that is named PasswordViewPolicy. This new policy
specifies:
When a password view is requested, an email must be sent to the list of identified approvers.
The email sent to the list of approvers must contain two URLs (one to approve and another to
deny the password view request).
When the password is viewed, an email is sent to the list of identified users.
Note:
When modifying the default password view policy, do not change its name. Leave it as
"Default".
Use the following procedure to modify the default password view policy using the GUI.
2. From the new tab/window menu bar, select Workflow, Password View Policies. The Password
View Policy List page appears.
3. Click Default link. A Password View Policy Details page for default password view policy
appears.
4. Keep the Name for Password View Policy as “Default”. Select or modify the following options,
as required:
The change password interval, if either of the previous two options is selected
Check-out/Check-in
How long to wait before automatically checking in the account password, if applicable.
Note:
5. Click Save.
If the password view policy of the account also requires it to be checked out, the password is
changed only once when it is checked back in. It is changed only once regardless of the number of
times the user displays the password while the account is checked out.
2. From the new tab/window menu bar, select Workflow, Password View Policies.
4. Click Save.
When a requestor attempts to view the account password, Credential Manager sends an email
containing the request to the identified approvers for the account. Approvers receive the password
view request email notification with details including the name of the user submitting the request
and the account name for the password to be viewed, the requested account target application
name, the requested account target servername, and password view reason. The email also shows
the requested timeframe (in UTC) to view the password and two URLs (one to approve and the other
to deny the request) if the Enable One Click Approval option is enabled in the Password View Policy
for the account for the password to be viewed. In this case, the approver does not need to log in to
Credential Manager. Instead, they can click the approve or deny URLs in the email. If Enable One
Click Approval option is disabled, the email contains all the details except the two URLs. The
approver can view a list of pending password view requests to approve, deny, or expire them using
the GUI. Credential Manager sends an email to the requestors notifying them of the password view
request decision. If the request is approved, the requestor can then view the password.
Requests must be made for a specific time period (for example, August 8 from 9:00 – 11:00). In the
GUI, enter the timeframe that is based on your local time zone, as set in the Preferences page. For
the CLI, specify the time period in UTC.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page
appears.
3. Click the blue View icon corresponding to the Account for which you want to request
authorization. The View icon resembles an eye. It is located under the Action column for the
account for which you want to view the password. The View Account Password Request pop-
up window appears.
OR
Select the name of the account for which you want to request authorization. The Account
Details page appears.
Click the View icon corresponding to the Account for which you want to request
authorization. The View icon resembles an eye. It is located under the Action column for the
account for which you want to view the password. The View Account Password Request pop-
up window appears.
4. Select when you want to start and finish viewing the password. Times are based on your
local time zone, as set in the Preferences page.
Note:
The system populates the Request Password From field with the current date and
time, and the Request Password To field with the current date and time plus the
amount of time that is specified in the Password View Policy default request
interval field.
6. From the drop-down list, select the Reason category for the password view request.
Depending on your organizational policy, your Reason can also require a Reason Description
or a Reason Code.
7. Click View.
Credential Manager automatically sends an email notification to the approvers for that account and
the Email Notification Sent pop-up appears.
The reference code is shown only if the requestor enters the reference code in the View Account
Password Request screen before requesting password authorization.
2. From the Dashboard, select Password View Requests Requiring Your Approval. A list of
requests appears.
3. Select a specific pending password view request. The Password View Request Details page
appears.
4. After reviewing the password view request reason details from the received email
notification, approve, deny, or expire the request by:
Notes:
Approve, Deny, and Expire are one time actions. This means that a password view
request can be approved, denied, or expired only once.
The status of a password view request changes automatically once the end date and
time specified in the request has passed. For example, if the request window is
2012-11-19 18:06 to 2012-11-19 19:06, then after 2012-11-19 19:06 a request that is
still pending changes to Expired, a request that was approved or denied shows as
Approved, Expired, or Denied, and a request whose password was checked in or
checked out shows as Checked In or Checked Out.
Users also can select multiple Password View Requests and then click Approve All
or Deny All.
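To make the timing rules in the notes above concrete, here is an added example, not CA's code, that models a password view request against the settings a view policy carries: the default and maximum request intervals, the days within which a request may be made, one-time approve, deny and expire actions, and the status an approver sees once the window has passed. Field names follow the PasswordViewPolicy elements shown in the CLI output earlier; the request class, the reading of "request must be within N days" as a bound on how far ahead the window may start, and the "Approved, Expired" status text are this example's assumptions. The timestamp is the one from the note.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed timestamp, taken from the example window in the note above (UTC,
# which is how the CLI expects request times).
T0 = datetime(2012, 11, 19, 18, 6, tzinfo=timezone.utc)


def after(t, minutes=0, days=0):
    """t shifted forward; a helper so callers need no datetime imports."""
    return t + timedelta(minutes=minutes, days=days)


@dataclass(frozen=True)
class PasswordViewPolicy:
    """The view-policy settings that govern a request; names follow the
    PasswordViewPolicy elements in the CLI output above."""
    dualAuthorizationRequired: bool = True
    passwordViewRequestMaxDays: int = 14       # "Request must be within" (days)
    dualAuthorizationInterval: int = 60        # default request interval (minutes)
    passwordViewRequestMaxInterval: int = 60   # maximum request interval (minutes)
    approverIDs: tuple = ()


class PasswordViewRequest:
    """One request to view an account password, timed in UTC."""

    def __init__(self, policy, requester, now, start=None, end=None):
        if now.tzinfo is None:
            raise ValueError("use timezone-aware UTC datetimes")
        self.policy, self.requester, self.created = policy, requester, now
        # The GUI pre-fills Request Password From with the current time and
        # Request Password To with From plus the policy's default interval.
        self.start = start if start is not None else now
        self.end = end if end is not None else self.start + timedelta(minutes=policy.dualAuthorizationInterval)
        self.decision = None   # Approve, Deny and Expire are one-time actions
        self._check_window()

    def _check_window(self):
        p = self.policy
        if self.end <= self.start:
            raise ValueError("end must be after start")
        # Assumption: "request must be within N days" bounds how far ahead the
        # window may start, measured from when the request is made.
        if self.start > self.created + timedelta(days=p.passwordViewRequestMaxDays):
            raise ValueError("window must start within %d days" % p.passwordViewRequestMaxDays)
        if self.end - self.start > timedelta(minutes=p.passwordViewRequestMaxInterval):
            raise ValueError("window exceeds the maximum of %d minutes" % p.passwordViewRequestMaxInterval)

    def decide(self, approver, decision, now):
        """Approve, Deny or Expire the request: allowed once, only by a listed approver."""
        if approver not in self.policy.approverIDs:
            raise PermissionError("%s is not an approver for this policy" % approver)
        if decision not in ("Approved", "Denied", "Expired"):
            raise ValueError("decision must be Approved, Denied or Expired")
        if self.decision is not None or self.status(now) == "Expired":
            raise RuntimeError("request already decided or expired")
        self.decision = decision

    def status(self, now):
        """Status as the approval list shows it at time now. After the window
        ends a pending request reads Expired and an approved one reads
        'Approved, Expired' (this example's reading of the note above)."""
        if self.decision is None:
            return "Expired" if now > self.end else "Pending"
        if self.decision == "Approved" and now > self.end:
            return "Approved, Expired"
        return self.decision

    def can_view(self, now):
        """The requester may see the password only inside the window and, when
        dual authorization applies, only after an approver has approved."""
        in_window = self.start <= now <= self.end
        if not self.policy.dualAuthorizationRequired:
            return in_window
        return in_window and self.decision == "Approved"
```

The two checks worth keeping in mind from this model: an approval never extends the window (can_view() goes false at the end time whatever the decision), and decide() refuses a second action, so an approver who clicks both email links, or who approves after the request already expired, gets an error rather than a silent state change.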
Use the following procedure to grant, deny, or expire a request using the GUI “My Approval List”.
2. From the new tab/window menu bar, select Workflow, My Approval List. The My Approval
List page appears.
3. Select a specific pending password view request. The Password View Request Details page
appears.
4. After reviewing the password view request reason details from the received email
notification, approve, deny, or expire the request by:
Use the following procedure to grant a request using the GUI Target Account List.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of current requests.
3. After reviewing the password view request reason details from the received email
notification, click the green Thumbs Up icon. It is located under the Action column for the
account you want to grant the request. The Password View Request Approval pop-up appears.
4. Select the status as Approve. The status field shows Approve as the default value.
Note:
You can switch the status to Deny if you want to deny the request.
5. Select the reason to approve the password view request, from the drop-down list. The Reason
field shows Approve as the default value.
8. Click OK.
Use the following procedure to deny a request using the GUI Target Account List.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of current requests.
3. After reviewing the password view request reason details from the received email
notification, click the red Thumbs Down icon. It is located under the Action column for the
account you want to deny the request. Password View Request Approval pop-up window
appears.
4. Select the status as Deny. (The Status field shows Deny as the default value.)
Note:
You can switch the status to approve if you decide to approve the request.
5. Select the Reason to deny the password view request from the drop-down list. (The Reason
field shows Deny as the default value.)
8. Click OK.
Use the following procedure to grant, deny, or expire a request using the GUI Target Account List.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of current requests.
3. After reviewing the password view request reason details from the received email
notification, click the Account Name link corresponding to the account for the password view
request to be approved, denied, or expired. The Password View Request details page appears.
The identified approvers receive the password view request email notification with the details
including the name of the user creating the request, the account name for the password to be
viewed, the requested account target application name, the requested account target servername,
the password view reason, and requested time period in UTC and two URLs, one to approve and the
other to deny the password view request.
The resulting output can differ based on the email template configuration. See Configuring
Notification Email Templates (see page 287).
The approver can approve or deny the password view request directly from the received email; this
option eliminates the need to log in to Credential Manager.
The approver can grant or deny a password view request from email links, only when the password
view policy has dual authorization with enabled one click approval. Also the approvers must be
registered in Credential Manager with an email address.
From the received email notification, the approver can review the password view request reason
details, and then approve or deny the request by:
Clicking the URL given for approving the password view request. The password view request
status is updated to Approved, a web page appears with Password view request approval
confirmation message.
Clicking the URL given for denying the password view request. The password view request status
is updated to Denied, a web page appears with Password view request rejection confirmation
message.
Under certain conditions, the Approver is redirected to an error page. The conditions that can cause
this outcome include:
Use the following procedure to delete a request using the GUI My Approval List.
2. From the new tab/window menu bar, select Workflow, My Approval List. The My Approval
List page appears.
3. Select the check box corresponding the password view requests to be deleted. Click Delete. A
pop-up appears asking you to confirm your intent.
4. Click OK.
Also, you can automate the deletion of password view requests by specifying a value for
Password View Request Delete Interval days on the General Settings page. This setting deletes
password view requests after the specified interval. For example, if you set Password View
Request Delete Interval days to 2, password view requests are deleted automatically from the
My Approval List every two days, with the same effect as deleting them manually from the My
Approval List.
Use the following procedure to set the Password View Request Delete Interval from the GUI.
2. From the new tab/window menu bar, select Settings, General Settings.
4. Click Save.
In such cases, the XML command string that is returned from the operation excludes all account
details; it contains only a warning message indicating that the request has been forwarded for
processing.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<TargetAccount>
<privileged>true</privileged>
<aliases />
<password>{1}3d2876d75f730fcf7b00f974816aa97b</password>
<lastUsed />
<passwordViewPolicyID>1013</passwordViewPolicyID>
<accessType />
<cacheBehavior>useCacheFirst</cacheBehavior>
<cacheDuration>30</cacheDuration>
<compoundServerList>[]</compoundServerList>
<lastVerified />
<lastViewed />
<targetApplicationID>1001</targetApplicationID>
<userName>dualaccountnew</userName>
<compoundAccount>false</compoundAccount>
<passwordVerified>false</passwordVerified>
<synchronize>false</synchronize>
<targetApplication />
<cacheAllow>true</cacheAllow>
<targetServerAlias />
<ID>1005</ID>
<Attribute.extensionType>mssql</Attribute.extensionType>
<Attribute.useOtherAccountToChangePassword>false</Attribute.useOtherAccountToChangePassword>
<Attribute.cspm_serverkeyid>1</Attribute.cspm_serverkeyid>
<Attribute.descriptor1 />
<Attribute.descriptor2 />
<createDate>Tue Nov 16 12:44:50 UTC 2010</createDate>
<createUser>admin</createUser>
<extensionType>mssql</extensionType>
<hash>FIRqOhKpXV1sg1rsroJzlYHmzH4=</hash>
<updateDate>Tue Nov 16 12:44:50 UTC 2010</updateDate>
<updateUser>admin</updateUser>
</TargetAccount>
</cr.result>
</CommandResult>
3. View the password. Use the ID provided by the output of the previous command:
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.warningCode>4625</cr.warningCode>
<cr.warningMessage>This account has dual authorization enabled. A request to
view the password has been e-mailed to the approvers of this account on your
behalf.</cr.warningMessage>
</CommandResult>
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewRequest>
<status>1</status>
<targetAccountID>1</targetAccountID>
<startDate/>
<endDate/>
<requestorID>3</requestorID>
<approverID>-1</approverID>
<ID>4</ID>
<createDate>Wed Sep 10 14:42:20 UTC 2008</createDate>
<createUser>req1</createUser>
<hash>RLMwHaMdENv9mlFnoSsoSOJezJw=</hash>
<updateDate>Wed Sep 10 15:42:20 UTC 2008</updateDate>
<updateUser>req1</updateUser>
<extensionType/>
</PasswordViewRequest>
</cr.result>
</CommandResult>
3. Change the status of the password view request to approved or denied. Use the ID provided
by the output of the previous command:
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewRequest>
<status>1</status>
<targetAccountID>1</targetAccountID>
<startDate>Wed Sep 10 15:47:00 UTC 2008</startDate>
<endDate>Wed Sep 10 16:02:00 UTC 2008</endDate>
<requestorID>3</requestorID>
<approverID>1</approverID>
<ID>1</ID>
<createDate>Wed Sep 10 14:42:20 UTC 2008</createDate>
<createUser>req1</createUser>
<hash>Yc5gR/IpPVh8evYKGipQYa9AGXU=</hash>
<updateDate>Wed Sep 10 15:47:09 UTC 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType/>
</PasswordViewRequest>
</cr.result>
</CommandResult>
Use the following procedure to expire a password view request from the CLI using the
expirePasswordViewRequestCmd command.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewRequest>
<status>1</status>
<targetAccountID>1</targetAccountID>
<startDate/>
<endDate/>
<requestorID>3</requestorID>
<approverID>-1</approverID>
<ID>4</ID>
<createDate>Wed Sep 10 14:42:20 UTC 2008</createDate>
<createUser>req1</createUser>
<hash>RLMwHaMdENv9mlFnoSsoSOJezJw=</hash>
<updateDate>Wed Sep 10 15:42:20 UTC 2008</updateDate>
<updateUser>req1</updateUser>
<extensionType/>
</PasswordViewRequest>
</cr.result>
</CommandResult>
3. Expire the password view request with expirePasswordViewRequestCmd. Use the ID provided by
the output of the previous command:
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
</cr.result>
Update the Approval or Denial Reasons for a Request Using the CLI
The reasons that populate the Reason drop-down list when a password view request is approved or
denied in the GUI can be updated using the setSystemProperty command.
When adding or updating the password view policy, enable the Enable one click Approval option under
Dual Authorization and specify the list of approvers to be notified by email. After one click approval
is enabled in the policy, an email is sent to the identified approvers whenever a request to view the
password is made. The email contains the password view request details and two URLs, one to approve
and the other to deny the password view request. The approver can approve or deny the password view
request directly from the received email by clicking the provided URLs.
Note:
The identified approvers must have Credential Manager user accounts to receive the email
notification. The email address that is associated with the user account is used.
2. From the new tab/window menu bar, select Workflow, Password View Policies. The Password
View Policy List page appears.
3. Click the Name link of the password view policy for which one click approval is to be enabled.
The Password View Policy Details template page appears.
Add the approvers to be emailed from the Available Approvers list to the Assigned
Approvers list.
Note:
If One Click Approval is disabled, each identified approver still receives an email, but
without the links to approve or deny the password view request.
6. Click Save.
Use the procedures that are described in Add or Modify Roles (see page 360) to create the Approver
role. The new role must have the following permissions:
listPasswordViewRequestByApprover
updatePasswordViewRequestStatus
In addition, an Approver must have a valid email address. Their user group must also be able to
access the accounts they are approving.
The Checkout/Checkin password view policy can have a time interval, after which the account is
automatically checked back in.
Sometimes an administrator needs immediate access to a password that is checked out. In these
cases, the administrator can remove the restriction on the account by checking in the account on
behalf of another user. By default, only the administrator role has permission to force a check-in
operation. If necessary, you can configure other roles with this permission.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of existing accounts.
3. In the account list, select the account for which you want to view the password. The Account
Details page appears.
4. Click the blue View icon. The View icon resembles an eye. It is located under the Action
column of the account list. A page appears prompting you for your password and the reasons
for viewing the target password.
Note:
8. Click View.
The GUI displays the account User ID and the password. The GUI also notifies you that the
account is checked out.
9. Click OK.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of existing accounts.
3. In the account list, click the blue Checkout (“Account is checked out”) icon. The Checkout icon
resembles an eye with an X across it. It is located under the Action column of the account list.
A page appears showing who has checked out the password.
The Reference Code is shown only if the requestor has entered the reference code in View
Account Password Request screen before viewing the account password.
You can check in an account password by using the following tabbed pages:
Use the following procedure to check in a password using the Targets, Account page.
1. Select Policy, Manage Passwords, then from the new tab/window menu bar, select Targets,
Accounts. For the account you want to check in, do one of the following actions:
In the right column that is labeled Action, click the blue Check-In icon. The Check-In icon
resembles a right arrow pointing inside a box.
In the left column that is labeled Account Name, click the name to open the Account
Details page. Then, click the blue Check-In icon.
Use the following procedure to check in a password using the Workflow, My Requests page.
1. Select Policy, Manage Passwords, then from the new tab/window menu bar, select Workflow,
My Requests. The My Requests page appears.
2. Select the account (with status “Checked Out”) for which you want to view checkout details.
The Password View Request Details page appears.
Use the following procedure to check in a password using the Access page.
1. If the user is an administrator, then from the CA Privileged Access Manager main menu, select
Access. Otherwise, the user home page is the (unlabeled) Access page.
When an administrator views, and by so doing, checks out a password for a user, the system
creates a list of checked out passwords at the top of the Access page. The count of passwords
is also shown in bold in the upper left.
Note:
If you are not an administrator, you might need to log out and log in again before
checked-out passwords are visible.
To check in the password, click Check In in the right-hand column of the password line item.
The administrator can check in an account on behalf of another user by using the following tabbed
pages:
Use the following procedure to check in a password using the Targets, Account page.
1. Select Policy, Manage Passwords, then from the new tab/window menu bar, select Targets,
Accounts. For the account you want to check in, do one of the following actions:
In the right column that is labeled Action, click the blue Check-In icon. The Check-In icon
resembles a right arrow pointing inside a box.
In the left column that is labeled Account Name, click the name to open the Account
Details page. Then, click the blue Check-In icon.
Use the following procedure to check in a password using the Workflow, All Requests page.
1. Select Policy, Manage Passwords, then from the new tab/window menu bar, select Workflow,
All Requests. The All Requests page appears.
2. Select the account (with status “Checked Out”) for which you want to view checkout details.
The Password View Request Details page appears.
3. Click the Force Check In button. The account password is checked in.
Use the following procedure to view an account password from the CLI.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 UTC 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 UTC 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>
3. View the password. Use the ID provided by the output of the previous command.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.warningMessage>You have this account checked out.</cr.warningMessage>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<ID>1</ID>
<privileged>false</privileged>
<aliases/>
<password>cspmpw</password>
<targetApplicationID>1</targetApplicationID>
<passwordViewPolicyID>6</passwordViewPolicyID>
<cacheBehavior>useCacheFirst</cacheBehavior>
<cacheAllow>true</cacheAllow>
<targetServerAlias/>
<accessType/>
<userName>cspmuser</userName>
<cacheDuration>30</cacheDuration>
<synchronize>false</synchronize>
<lastVerified>Wed Sep 10 14:31:08 UTC 2008</lastVerified>
<passwordVerified>false</passwordVerified>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<createDate>Wed Sep 10 15:31:08 UTC 2008</createDate>
<createUser>admin</createUser>
<hash>GiymUJ8e6bKzDrQgkbp/tPRZPXQ=</hash>
1. Search target accounts to retrieve the target account ID of the account that was previously
checked out:
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 UTC 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 UTC 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>
3. Check in the password. Use the ID provided by the output of the previous command.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewRequest>
<status>1</status>
<targetAccountID>1</targetAccountID>
<startDate>Wed Sep 10 15:34:00 UTC 2008</startDate>
<endDate>Wed Sep 10 19:34:00 UTC 2008</endDate>
<requestorID>1</requestorID>
<approverID>-1</approverID>
<ID>3</ID>
<createDate>Wed Sep 10 14:34:51 UTC 2008</createDate>
<createUser>admin</createUser>
<hash>fcWQRQVNDoGOFxpvM/DLZGlu6l4=</hash>
<updateDate>Wed Sep 10 15:34:51 UTC 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType/>
</PasswordViewRequest>
</cr.result>
</CommandResult>
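The CLI outputs above (the dual-authorization reply with warning code 4625 and no password, the "You have this account checked out." warning that still returns the password, and the PasswordViewRequest records whose ID the update, expire and check-in commands take) are easiest to handle from a script if you classify the returned <CommandResult> document instead of searching the text for "Success.". The following Python is an added example, not CA code and not part of this documentation. It assumes the element names and the CLI's success convention (statusCode 400 with statusDescription "Success.") exactly as shown in the outputs on this page; its sample documents are constructed by abridging those outputs, and the non-success sample uses a made-up status code only to exercise the error branch.

```python
"""Classify CA PAM Credential Manager CLI <CommandResult> replies.

Added example, not CA code. Element names and the success convention
(statusCode 400, statusDescription "Success.") are taken from the outputs
shown on this page; the sample documents below are constructed from them.
"""
import xml.etree.ElementTree as ET

SUCCESS_CODE = "400"        # the CLI's success value in the outputs above (not an HTTP status)
DUAL_AUTH_WARNING = "4625"  # warningCode of the dual-authorization reply shown above


def classify_view_result(xml_text):
    """Classify a viewPassword-style <CommandResult>.

    Returns (outcome, detail):
      ("error", description)        statusCode is not the success value
      ("pending_approval", message) dual authorization: request e-mailed to approvers, no password
      ("password", password)        a password was returned (check already_checked_out() too)
      ("no_result", message)        success status but no TargetAccount/password element
    """
    root = ET.fromstring(xml_text)
    if root.tag != "CommandResult":
        raise ValueError("not a CommandResult document: <%s>" % root.tag)
    status = (root.findtext("cr.statusCode") or "").strip()
    if status != SUCCESS_CODE:
        return "error", (root.findtext("cr.statusDescription") or status).strip()
    warning_code = (root.findtext("cr.warningCode") or "").strip()
    # Warning text may wrap across lines in the CLI output; normalise whitespace.
    warning_msg = " ".join((root.findtext("cr.warningMessage") or "").split())
    if warning_code == DUAL_AUTH_WARNING:
        return "pending_approval", warning_msg
    password = root.findtext("cr.result/TargetAccount/password")
    if password is None:
        return "no_result", warning_msg
    return "password", password


def already_checked_out(xml_text):
    """True when a success reply carries the 'checked out' warning shown above."""
    root = ET.fromstring(xml_text)
    return "checked out" in (root.findtext("cr.warningMessage") or "").lower()


def password_view_requests(xml_text):
    """Extract PasswordViewRequest records; 'ID' is what the update, expire and check-in steps need."""
    root = ET.fromstring(xml_text)
    fields = ("ID", "status", "targetAccountID", "requestorID", "approverID", "startDate", "endDate")
    return [{f: (req.findtext(f) or "").strip() for f in fields}
            for req in root.iterfind("cr.result/PasswordViewRequest")]


# Constructed samples, abridged from the outputs on this page.
PENDING_XML = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.warningCode>4625</cr.warningCode>
<cr.warningMessage>This account has dual authorization enabled. A request to
view the password has been e-mailed to the approvers of this account on your
behalf.</cr.warningMessage>
</CommandResult>"""

CHECKED_OUT_XML = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.warningMessage>You have this account checked out.</cr.warningMessage>
<cr.result><TargetAccount><ID>1</ID><userName>cspmuser</userName>
<password>cspmpw</password></TargetAccount></cr.result>
</CommandResult>"""

REQUEST_LIST_XML = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result><PasswordViewRequest><status>1</status><targetAccountID>1</targetAccountID>
<startDate/><endDate/><requestorID>3</requestorID><approverID>-1</approverID><ID>4</ID>
</PasswordViewRequest></cr.result>
</CommandResult>"""

# Constructed non-success reply; the status code is made up just to exercise the error branch.
ERROR_XML = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>999</cr.statusCode>
<cr.statusDescription>Example failure.</cr.statusDescription>
</CommandResult>"""

if __name__ == "__main__":
    for name, doc in (("pending", PENDING_XML), ("checked_out", CHECKED_OUT_XML), ("error", ERROR_XML)):
        print(name, classify_view_result(doc), "already checked out:", already_checked_out(doc))
    print(password_view_requests(REQUEST_LIST_XML))
```

A script driving the view, approve and check-in commands should branch on the outcome: a "pending_approval" reply means the caller must wait for an approver and then call the view command again, and a "password" reply with the checked-out warning means the account was already checked out by the same user, so a second check-in is not needed.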
1. Search target accounts to retrieve the target account ID of the account that was previously
checked out:
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 UTC 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 UTC 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>
3. Check in the password. Use the ID provided by the output of the previous command.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<PasswordViewRequest>
<status>1</status>
<targetAccountID>1</targetAccountID>
<startDate>Wed Sep 10 15:34:00 UTC 2008</startDate>
<endDate>Wed Sep 10 19:34:00 UTC 2008</endDate>
<requestorID>1</requestorID>
<approverID>-1</approverID>
<ID>3</ID>
<createDate>Wed Sep 10 14:34:51 UTC 2008</createDate>
<createUser>admin</createUser>
<hash>fcWQRQVNDoGOFxpvM/DLZGlu6l4=</hash>
Note:
Emails are sent only for successful initial password view requests. For example, if the
password is viewed for an already checked out account, no email is sent.
If the administrator does not want to enable dual authorization, but wants to receive notification
whenever the password is viewed, the administrator must enable the Email Notification option from
the Password View Policy Details page when adding or updating the policy.
When adding or updating the policy, the administrator can specify whether to use the dual
authorization list of approvers or select a new set of users to receive email notification. The
administrator also can specify to send the email notification only to the active users from the list of
identified users. After email notification is enabled in the policy, an email is sent to the selected users
whenever the password is viewed.
Note:
The identified users must have Credential Manager user accounts to receive the email
notification. The email address that is associated with the user account is used.
Use the Email Settings page to customize the email message to be sent to the users identified in the
policy. See Configure Notification Email Templates (see page 287).
2. From the new tab/window menu bar, select Workflow, Password View Policies. The Password
View Policy List page appears.
3. Click the Name link of the password view policy for which Email Notification is to be enabled.
The Password View Policy Details page appears.
Click the Approvers for dual authorization option button to send email to the list of dual
authorization approvers.
Click the Following Users option button to send email to a new set of users. Add the users to
be emailed from the Available Users list to the Assigned Users list.
Select the Send only to Active Users check box if only the active users from the dual
authorization approver list, or from the new set of users, are to be emailed.
6. Click Save.
If dual authorization and email notification are enabled, authorization requests, approvals, and
viewed password information trigger email notifications. The email contains text and clickable links.
Credential Manager supplies default templates for the following types of email:
The request status email (from an approver to a requestor informing them whether the request
was approved or denied)
The password view email (from a user to a set of users when a password is viewed)
The expired password view request email. Credential Manager generates this email when a request
in Pending status expires, either automatically or because an approver expired it, and sends it to
the requestor and to the approvers in the dual authorization list.
The email templates contain tokens that Credential Manager uses to look up request-specific items
when generating the email. The tokens are case-sensitive and use the following syntax:
@ClassName.methodName@
The allowed values of ClassName and methodName vary depending on the type of email.
You can customize the content of the request email, the request status email, the password view
email, the expired password view request email, the one click approval email, and the report results
email using the Email Settings GUI page or the setSystemProperty CLI command.
Note:
The email server, application, and account must already be provisioned as targets in the
database before the email template can be configured through the GUI.
2. From the new tab/window menu bar, select Settings, Email Settings. The Email Settings page
appears.
3. Click the magnifying glass to select your email account from the Find Account popup or type
the email target account name in the Account Name field.
The Host Name field is automatically populated with the name of the target server. If the
email server is different from the target server, then edit the field as required.
5. Enter the Credential Manager server host name to be used in the approve or deny URL. The
URLs are sent in the email whenever the request for viewing the password of the account
with enabled one-click approval, is generated.
Note:
By default, the primary site host name is used. An administrator can edit this name.
2. Repeat the previous step for each property as required. Refer to the following table.
2. From the new tab/window menu bar, select Settings, Email Settings.
3. Modify the template text for the Request Subject and Request Body as desired.
For the request email, @ClassName.methodName@ tokens can have the value pairs that
are shown in the following table.
ClassName            methodName
TargetApplication    getName
TargetServer         getDeviceName, getHostName
PasswordViewPolicy   getName
2. Repeat the previous step for each property as required. Refer to the following table.
2. From the new tab/window menu bar, select Settings, Email Settings.
3. Modify the template text for the Request Status Update Subject and Request Status Update
Body as desired.
For the request status email, @ClassName.methodName@ tokens can have the value pairs
that are shown in the following table.
ClassName            methodName
TargetApplication    getName
TargetServer         getDeviceName, getHostName
PasswordViewPolicy   getName
PasswordViewRequest  getStatusString, getSsoType, getApprovalReason, getApprovalReasonDescription
User                 getUserID, getFirstName, getLastName
1. Specify the first property for the request status email template:
2. Repeat the previous step for each property as required. Refer to the following table.
2. From the new tab/window menu bar, select Settings, Email Settings.
3. Modify the template text for the Password View Subject and Password View Body as desired.
For the password view email, @ClassName.methodName@ tokens can have the value pairs
that are shown in the following table.
ClassName            methodName
TargetApplication    getName
TargetServer         getHostName, getDeviceName
PasswordViewPolicy   getName
PasswordViewRequest  getSsoType, getReason, getReasonDescription
User                 getUserID (the user name viewing the password)
1. Specify the first property for the password view email template:
2. Repeat the previous step for each property as required. Refer to the following table.
2. From the new tab/window menu bar, select Settings, Email Settings.
3. Modify the template text for the Expired Password View Request Subject and Expired
Password View Request Body as desired.
For the expired password view request email, @ClassName.methodName@ tokens can
have the value pairs that are shown in the following table.
ClassName            methodName
TargetApplication    getName
TargetServer         getHostName, getDeviceName
PasswordViewPolicy   getName
PasswordViewRequest  getSsoType
User                 getUserID (the user name generating the password view request)
1. Specify the first property for the expired password view request email template:
2. Repeat the previous step for each property as required. Refer to the following table.
Configure the One Click Approval Email Template from the GUI
Follow these steps:
2. From the new tab/window menu bar, select Settings, Email Settings.
3. Modify the template text for the One Click Approval Subject and One Click Approval Body as
desired.
For the one-click approval email, @ClassName.methodName@ tokens can have the value
pairs that are shown in the following table.
ClassName            methodName
TargetApplication    getName
TargetServer         getHostName
PasswordViewRequest  getReason, getReasonDescription, getStartDate, getEndDate, getSsoType
User                 getUserID (the user name generating the password view request)
The one-click approval email template also contains the following specialized tokens:
Configure the One Click Approval Email Template from the CLI
Follow these steps:
1. Specify the first property for the one click approval email template:
2. Repeat the previous step for each property as required. Refer to the following table.
2. From the new tab/window menu bar, select Settings, Email Settings.
3. Modify the template text for the Report Results Subject and Report Results Body as desired.
@reportStartDate@ - Use this token to show the "From" date of the report results.
@reportEndDate@ - Use this token to show the "To" date of the report results.
1. Specify the first property for the report results email template:
2. Repeat the previous step for each property as required. Refer to the following table.
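The token tables above are what an administrator has to honour when editing a template through the Email Settings page or setSystemProperty: the tokens are case-sensitive, and a token that is misspelled, wrongly cased, or not listed for that email type cannot be looked up when the email is generated. The following Python is an added example, not CA code and not a description of how Credential Manager itself processes templates. It extracts @ClassName.methodName@ tokens from a template, reports those that the table for the chosen email type does not list (the allowed sets are transcribed from the tables on this page, the one-click set exactly as listed above), and renders a template from a dictionary of values, leaving unknown tokens verbatim so the mistake is visible in a test send. The email-type keys, the values dictionary and the sample template are this example's own assumptions; the @reportStartDate@ and @reportEndDate@ tokens of the report results email use a different form and are only recognised, not rendered.

```python
"""Check and render Credential Manager e-mail templates against the token tables above.

Added example, not CA code. The allowed (ClassName, methodName) pairs are
transcribed from the tables on this page; the email-type names are this
example's own.
"""
import re

# Token syntax from the text above: @ClassName.methodName@, case-sensitive.
TOKEN_RE = re.compile(r"@([A-Za-z][A-Za-z0-9_]*)\.([A-Za-z][A-Za-z0-9_]*)@")
# The report results email uses a different token form (not rendered here).
REPORT_TOKENS = {"@reportStartDate@", "@reportEndDate@"}

_APP_SERVER_POLICY = {
    ("TargetApplication", "getName"),
    ("TargetServer", "getDeviceName"), ("TargetServer", "getHostName"),
    ("PasswordViewPolicy", "getName"),
}

ALLOWED_TOKENS = {
    "request": set(_APP_SERVER_POLICY),
    "request_status": _APP_SERVER_POLICY | {
        ("PasswordViewRequest", "getStatusString"), ("PasswordViewRequest", "getSsoType"),
        ("PasswordViewRequest", "getApprovalReason"),
        ("PasswordViewRequest", "getApprovalReasonDescription"),
        ("User", "getUserID"), ("User", "getFirstName"), ("User", "getLastName"),
    },
    "password_view": _APP_SERVER_POLICY | {
        ("PasswordViewRequest", "getSsoType"), ("PasswordViewRequest", "getReason"),
        ("PasswordViewRequest", "getReasonDescription"), ("User", "getUserID"),
    },
    "expired_request": _APP_SERVER_POLICY | {
        ("PasswordViewRequest", "getSsoType"), ("User", "getUserID"),
    },
    # One-click table transcribed exactly as it appears on this page.
    "one_click_approval": {
        ("TargetApplication", "getName"), ("TargetServer", "getHostName"),
        ("PasswordViewRequest", "getReason"), ("PasswordViewRequest", "getReasonDescription"),
        ("PasswordViewRequest", "getStartDate"), ("PasswordViewRequest", "getEndDate"),
        ("PasswordViewRequest", "getSsoType"), ("User", "getUserID"),
    },
}


def find_tokens(template):
    """All @ClassName.methodName@ tokens in order of appearance, case preserved."""
    return [(cls, meth) for cls, meth in TOKEN_RE.findall(template)]


def unsupported_tokens(email_type, template):
    """Tokens the table for email_type does not list; a case mismatch counts as unsupported."""
    allowed = ALLOWED_TOKENS[email_type]
    return [tok for tok in find_tokens(template) if tok not in allowed]


def render(template, values):
    """Substitute tokens from values ({(ClassName, methodName): text}); unknown tokens stay verbatim."""
    def _sub(match):
        key = (match.group(1), match.group(2))
        return values.get(key, match.group(0))
    return TOKEN_RE.sub(_sub, template)


# Constructed sample template for the request status email; the last token is
# deliberately wrongly cased to show that it is not recognised.
REQUEST_STATUS_BODY = (
    "Your request to view @TargetApplication.getName@ on @TargetServer.getHostName@ "
    "was @PasswordViewRequest.getStatusString@ by @User.getUserID@. "
    "Reason: @PasswordViewRequest.getApprovalReason@. (@user.getUserID@)"
)

# Constructed values, as a generated email for one request might carry them.
SAMPLE_VALUES = {
    ("TargetApplication", "getName"): "orcl-prod",
    ("TargetServer", "getHostName"): "db01.example.test",
    ("PasswordViewRequest", "getStatusString"): "Approved",
    ("User", "getUserID"): "admin",
    ("PasswordViewRequest", "getApprovalReason"): "Change window",
}

if __name__ == "__main__":
    print("unsupported for request_status:", unsupported_tokens("request_status", REQUEST_STATUS_BODY))
    print("unsupported for request:", unsupported_tokens("request", REQUEST_STATUS_BODY))
    print(render(REQUEST_STATUS_BODY, SAMPLE_VALUES))
```

Running the checker over a template before saving it with setSystemProperty catches the two mistakes that are otherwise only noticed when a real email arrives: a token copied from the table of a different email type, and a token typed in the wrong case.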
Use the following procedure to create an SSH key pair policy using the GUI.
2. From the new tab/window menu bar, select Targets, SSH Key Pair Policies. The SSH Key Pair
Policy List page appears.
3. Click Add. The SSH Key Pair Policy Details page appears.
8. Click Test. The GUI notifies you that the options you set are acceptable and shows the sample
SSH key pair fingerprint.
9. Click Save.
Target applications are applications that require credentials before they accept a connection. You can
configure Credential Manager to either synchronize or store the target credentials. You can retrieve
target credentials from the GUI. A managed script or application can retrieve target credentials using
an A2A Client.
1. Use the GUI to provision a CA Privileged Access Manager Device of type Password
Management. Alternatively, use the addTargetServer CLI command.
b. Add a Target Account for that application. See Add Target Accounts and Target Aliases
(see page 316). The managed password is an attribute of the target account.
Devices. The CA Privileged Access Manager Device – or “target server” – is an application server
that hosts one or more target applications that require access credentials. Register the Device
before registering target applications and target accounts. Device names must be unique. The
Devices level applies to both password management and A2A.
Target Applications. The target application is a container for all managed accounts of a single
application, such as all privileged users of an Oracle database. A target application contains one or
more target accounts. The target application also defines the connector for password
synchronization, that is, the mechanism for accessing target accounts. The target application is a
conceptual division of the target data. It allows for multiple applications or entities within the
same server to contain the same account user name. For example, if a given server hosts two
databases, then each database is a unique target application, and each database could have a
uniquely identified user account dbasys. Target application names must be unique within a
given device. The target application level applies to both password management and A2A.
Target Accounts. The target account is the specific set of credentials (for example, user name and
password). Target account user names must be unique for a given target application. The target
account level applies to both password management and A2A.
Target Aliases. Target aliases are used only if you are implementing A2A Credential Manager.
They provide a mechanism to identify uniquely a specific target account with an alias name.
Requesting applications use the target alias when requesting credentials. Target aliases provide
an extra level of security by eliminating the need to hard-code the name of the privileged account
that is used to access the target application.
Account Discovery
As a CA Privileged Access Manager administrator, you want to add accounts easily. CA Privileged
Access Manager provides a feature that discovers and manages accounts. Account Discovery is an
alternative to manually adding target accounts. The product supports discovery of Linux, UNIX,
Windows Domain Service, and LDAP accounts.
Unlike Account Discovery, SSH Key Discovery is not intended to result in the management of private
keys of privileged users. SSH Key Discovery is primarily intended as an audit of SSH keys in the
network. SSH Key Discovery only occurs for application types Linux and UNIX. See SSH Key Discovery
(see page 304) for more information.
Register Target Servers. See Device Setup (see page 140) or Device Discovery (see page 136) for
more information.
Register Target Applications. See Add Target Applications (see page 315) for more information.
Target applications with support for Discovery display an Account Discovery section for the
identification of privileged accounts. The options in these sections differ by application type:
UNIX applications allow specification of UID and GID values or ranges to limit the accounts
returned by Discovery. The UID and GID values or ranges are used in conjunction, so that the
user needs to satisfy both criteria to be included.
For Windows Domain Service, using Active Directory, you can limit discovered users by
specifying AD Groups. In the Account Discovery section of the Target Application Details, add
one or more Groups, separated by commas. Account Discovery does not find users whose
Primary Group is set to a group you use to discover accounts. The default Primary Group is
“Domain Users” and is not typically changed except for Macintosh clients or POSIX-compliant
applications.
LDAP Application Account Discovery provides four fields to help specify privileged accounts.
Base DN is optional. Account Object is an objectclass name corresponding to accounts or
users in the directory. Name Attribute denotes an account name. Filter allows addition of an
optional filter string to limit your results. For more information, see your LDAP provider
documentation.
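To make the UNIX rule concrete (the UID and GID criteria are applied in conjunction, so an account must satisfy both to be returned), the following Python is an added example that is not CA code and does not reproduce how Credential Manager performs discovery on a target; it applies the same rule to constructed /etc/passwd lines. The range syntax it accepts (comma-separated single values and low-high ranges, with an empty specification meaning no restriction) is this example's own assumption, not the product's.

```python
"""Apply a UID/GID value-or-range filter to /etc/passwd lines, both criteria in conjunction.

Added example, not CA code. The range syntax and the 'empty means unrestricted'
rule are assumptions of this example.
"""
import re

_RANGE_RE = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+))?\s*$")


def parse_range_spec(spec):
    """Parse '0,100-199,1000-1999' into [(0, 0), (100, 199), (1000, 1999)].

    Assumption: an empty specification returns [] and means 'no restriction'.
    """
    ranges = []
    for part in spec.split(","):
        if not part.strip():
            continue
        match = _RANGE_RE.match(part)
        if not match:
            raise ValueError("bad range element: %r" % part)
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if high < low:
            raise ValueError("inverted range: %r" % part)
        ranges.append((low, high))
    return ranges


def matches(value, ranges):
    """True when value lies in any range; an empty range list matches everything."""
    return not ranges or any(low <= value <= high for low, high in ranges)


def discover_accounts(passwd_lines, uid_spec, gid_spec):
    """User names whose UID satisfies uid_spec AND whose primary GID satisfies gid_spec.

    Comment lines, blank lines and malformed entries (fewer than seven fields or
    non-numeric ids) are skipped rather than reported.
    """
    uid_ranges = parse_range_spec(uid_spec)
    gid_ranges = parse_range_spec(gid_spec)
    found = []
    for line in passwd_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(":")
        if len(fields) < 7:
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            continue
        if matches(uid, uid_ranges) and matches(gid, gid_ranges):
            found.append(fields[0])
    return found


# Constructed sample passwd content; the last line is deliberately malformed.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:1001:1001:Oracle DBA:/home/oracle:/bin/bash
dbasys:x:1002:54321:DB admin:/home/dbasys:/bin/bash
appsvc:x:2001:1001:App service:/opt/app:/bin/false
broken:x:notanumber:0::/:/bin/sh
"""

if __name__ == "__main__":
    lines = SAMPLE_PASSWD.splitlines()
    print("uid 0,1000-1999 and gid 0,1001:", discover_accounts(lines, "0,1000-1999", "0,1001"))
    print("uid 1000-1999, gid unrestricted:", discover_accounts(lines, "1000-1999", ""))
```

Note how dbasys drops out of the first run: its UID is in range but its primary GID is not, which is exactly the conjunction the text describes. If you expected it to be found, widen the GID specification rather than the UID one.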
If "Discovery Allowed" is checked, another checkbox is enabled for UNIX accounts. "Allow
multiple server discovery for this type of application" indicates that this account can be used as a
global discovery account for any server and application of this type. For example, if you have 20
servers with a common account and password, use one account and select this box. Then for any
discovery job with this application type selected, this account is used as a credential for discovery.
Discover Accounts
To perform discovery of accounts, follow these steps:
Scan Profiles
Start by adding a Scan Profile. Follow these steps:
1. Select the Scan Profiles tab and click the Add button.
2. On the Profile tab, name the profile, and give it an optional description. Purge Interval sets
the number of days after which devices that are discovered by this scan are deleted (if not
also discovered by another profile). The Purge Interval default is set on the Global Settings
page, under Basic Settings, as Scan Purge Interval.
3. On the Servers tab, select from Available Servers, moving them to Selected Servers with the
arrow button. The available servers listed are managed Devices. See the Prerequisites section
for more information.
4. Schedule the scan, or run it on demand:
a. Use the Schedule tab to create an optional schedule. Once you select a frequency,
other fields appear. Select the appropriate time intervals. Click OK to save the Scan
Profile.
b. To run the scan on demand rather than on a schedule, click OK to save it. Select the
Scan Profile from the Scan Profiles list, and click the Run button above the list.
Note
Clicking Delete for a highlighted Scan Profile will delete its Scan Profile History. It will also
delete any Accounts associated with that Profile unless they are associated with another
Profile.
Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.
Note
The Scan Profile Jobs and other tables are refreshed according to the default set on the
Global Settings page. Table Refresh Interval is in the Basic Settings section, and defaults to
60 seconds.
The Export button creates a CSV file with a row for each Discovered Account listed.
The View button shows the data for the one row whose Account Name box is checked. In its Logs
tab, it displays log information that is not shown in the Account Scan results panel.
The Manage button brings an account under management. To manage accounts, select one or more
by clicking the box to the left of their names. Then click the Manage button. The Manage Discovered
Accounts window opens.
1. Select a synchronization option. This option is not available if the application type is "Generic."
Update only the Password Authority Server. Passwords are only updated in Credential
Manager. Credential Manager and target system passwords can differ.
Update both the Password Authority Server and the target system. Password updates are
performed in both Credential Manager and the target system to maintain consistency.
2. For most target account types, a Password Change Process option specifies whether the
managed account can change its own password or whether another, higher-privilege account
must do that. If you select Use the following account to change the password, a field appears
below the legend so that you can select the password-changing account.
NOTE: Some application types allow an account password to be updated from another
account (for example, root). If this situation applies, select that account. The account that is
used to change the password must already be registered in Credential Manager.
3. Select whether the account type is A2A (application-to-application) or Privileged Account. This
choice is only possible if your license allows for A2A devices. If you select A2A, more fields
appear. You can set the Cache Behavior to use the Cache or the Server first, or not use a
cache. You can also set the Cache Expiry in days.
4. Password View Policy allows you to select a policy, including a Default policy. Access
Password View Policies from the Workflow menu.
5. Enter a Password. The Account Details page available from the Accounts option on the
Targets menu has more options. It has Generate Credential, View Credential, and Credential
History options that are not presented here. Once an Account is managed, it can be accessed
from the Accounts page.
6. (Optional) Enter an Access Type. Access type is a reference field for customer convenience. It
can be used to define dynamic target groups. It is not used by Credential Manager.
8. Click OK to save.
View Scans
To see all scans that have run for a given Profile, click the View Scans button above the Summary.
Clicking the Summary numbers lists the accounts or keys discovered in the same panel as View
Summary Details. You can also click the View Summary Details button to get to this panel.
Discovered Accounts
To see all discovered accounts rather than only the accounts for a given scan, select the Discovered
Accounts tab. The displayed table lists each Account Name, Device Name, Application Name, Latest
Discovery Time, and whether it Is Managed.
Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.
Export
You can export information about discovered accounts or keys to a CSV file for use in spreadsheets
and databases. To export all accounts, click the Export button above the displayed list to generate a
CSV file. The exported CSV file contains the following columns:
Type, UserName, First Name, Last Name, Password, Password Set Time, Phone, Cell Phone, Email,
Description, Active Flag, Activation Time, Last Activation Time, Account Disabled Time, Expiration
Time, Authentication, Email On Login Contact, Email Self On Login Flag, Terminate Session on
Deactivation Flag, Access Times, Provision Type, Group Membership, Applet Message, Roles, Smart
Button Group, User Principal Name, PA Group Membership, Login IP Ranges, API Keys
View
The View button on the Discovered Accounts panel opens a dialog with the same information, except
the discovery time. In the dialog, the fields are available to select and copy.
Manage
The Manage button brings an account under management. To manage accounts, select one or more
by clicking the box to the left of their names. Then click the Manage button. The Manage Discovered
Accounts window opens. For more information, see Manage Discovered Accounts under View
Account Scan Results.
Also Available
Credential Manager provides a feature that discovers Linux or UNIX SSH keys for auditing.
See SSH Key Discovery (see page 304) for more information.
Prerequisites
Before you perform Discovery, the product requires target servers to know where to look. The
product requires provisioned applications and administrative accounts in Credential Manager as
target accounts. These administrative accounts need to be verified in Credential Manager.
See Configure Credential Manager Targets (see page 298) for more information.
Register applications
Target applications with support for Discovery display an Account Discovery section for the
identification of privileged accounts. The options in these sections differ by application type. UNIX
applications allow specification of UID and GID values or ranges to limit the accounts returned by
Discovery. The UID and GID settings are used in conjunction, so that the targets must satisfy both
criteria to be discovered.
sudo Permissions
For SSH Key discovery, the administrative account runs sudo against all these commands:
test
cat
date
ssh-keygen
To test whether an account has sufficient access, issue one of these commands while logged on using
that account. For example:
sudo -l ssh-keygen
Successful commands echo the full command name, while failures report insufficient access:
1. On the server that is targeted for SSH Key discovery, edit the sudoers file in the /etc directory.
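As an added check (not product code), the following Python parses the text that sudo -l prints for the discovery account and reports which of the four required commands are missing, which extra commands the account can run beyond what discovery needs, and whether the account has an unrestricted ALL entry. The sudo -l output below is constructed for a hypothetical account named discovery on a host named host1; it was not captured from a real system.

```python
import re

# Commands the discovery account must be able to run via sudo (from the page above).
REQUIRED = {"test", "cat", "date", "ssh-keygen"}

# Constructed `sudo -l` output for a hypothetical account "discovery"; not captured from
# a real host. The layout follows the usual sudo format.
SAMPLE_SUDO_L = """\
Matching Defaults entries for discovery on host1:
    env_reset, secure_path=/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User discovery may run the following commands on host1:
    (root) NOPASSWD: /usr/bin/test, /bin/cat, /bin/date
    (root) /usr/sbin/visudo
"""


def allowed_commands(sudo_l_output):
    """Basenames of the commands listed under "may run the following commands".
    Negated entries (!cmd) and Cmnd_Alias expansion are not modelled here."""
    commands, in_list = set(), False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_list = True
            continue
        if not in_list or not line[:1].isspace():
            continue
        spec = line.strip()
        spec = re.sub(r"^\([^)]*\)\s*", "", spec)        # drop the "(runas)" part
        spec = re.sub(r"^(?:[A-Z_]+:\s*)+", "", spec)    # drop tags such as NOPASSWD:
        for entry in spec.split(","):
            tokens = entry.split()
            if tokens:
                commands.add(tokens[0].rsplit("/", 1)[-1])
    return commands


def sudo_gap_report(sudo_l_output):
    """Compare what sudo grants with what discovery needs."""
    have = allowed_commands(sudo_l_output)
    unrestricted = "ALL" in have          # ALL means any command: far more than discovery needs
    return {
        "missing": [] if unrestricted else sorted(REQUIRED - have),
        "extra": sorted(have - REQUIRED - {"ALL"}),
        "unrestricted": unrestricted,
    }


if __name__ == "__main__":
    # With the constructed sample: ssh-keygen is missing and visudo is an extra grant.
    print(sudo_gap_report(SAMPLE_SUDO_L))
```

The report is meant to be read in both directions: a non-empty missing list means SSH key discovery will fail on that server, while extra or unrestricted grants mean the discovery account holds more privilege than the four commands it needs.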
Allow Discovery
Important
Note
If "Discovery Allowed" is checked, another checkbox is enabled for UNIX accounts. "Allow
multiple server discovery for this type of application" indicates that this account can be
used as a global discovery account for any server and application of this type. For example,
if you have 20 servers with a common account and password, use one account and select
this box. Then for any discovery job with this application type selected, this account is used
as a credential for discovery.
Discover Keys
To perform discovery of SSH keys, follow these steps:
Scan Profiles
Start by adding a Scan Profile. Follow these steps:
1. Select the Scan Profiles tab and click the Add button.
2. On the Profile tab, name the profile, and give it an optional description. Purge Interval sets
the number of days after which devices that are discovered by this scan are deleted. If they have
also been discovered by another profile, they are not deleted. The Purge Interval default is
set on the Global Settings page, under Basic Settings, as Scan Purge Interval.
3. On the Servers tab, select from Available Servers, moving them to Selected Servers with the
arrow button. The available servers list is populated by managed devices. See the
Prerequisites section for more information.
a. Use the Schedule tab to create an optional schedule. Once you select a frequency,
other fields appear. Select the appropriate time intervals. Click OK to save the Scan
Profile.
b. To run the scan on demand rather than on a schedule, click OK to save it. Select the
Scan Profile from the Scan Profiles list, and click the Run button above the list.
Note
Clicking Delete for a highlighted Scan Profile deletes its Scan Profile History. It also deletes
any Accounts that are associated with that Profile unless they are associated with another
Profile.
Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.
Note
The Scan Profile Jobs and other tables are refreshed according to the default set on the
Global Settings page. Table Refresh Interval is in the Basic Settings section, and defaults to
60 seconds.
Account Name
One or more accounts are associated with an SSH key. This field is named "userIds" in the CSV file.
Fingerprint
A fingerprint is a hash digest of the SSH public key, a short hexadecimal string that identifies the
key. We display the fingerprint as hex pairs separated by colons.
Key File Age
The number of days since the key file was last modified. This number of days might or might not be
the age of the key itself.
Key Size
The size (or length) of the SSH key in bits; usually 1024, 2048, or 4096
Device Name
The computer where the key was discovered. This device is named "targetServerName" in the CSV
file.
The location of the authorized_keys file where the SSH keys are stored.
Is Managed
The Is Managed box is checked if CA Privileged Access Manager manages the SSH key. Only SSH keys
that are generated and deployed with CA Privileged Access Manager are managed.
The Is Managed field is read-only. To bring a discovered SSH key under CA Privileged Access Manager
management, revoke it manually. Then, create a new key for CA Privileged Access Manager.
The Export button creates a CSV file with a row for each Discovered Account listed.
The View button opens the View Discovered Keys dialog for the Account Name whose box is checked.
The dialog has a Basic Info and Advanced Info tab. The Advanced Info tab displays log information
that is not shown in the Account Scan results panel.
Filter: Tables in the Discovery area allow filtering by column values. You can use asterisks and percent
signs as multiple-character wildcards.
Discovered Keys
The Discovered Keys tab on the Discovery panel and the View Key Scan Results page contain the
same information. See View Key Scan Results for descriptions of the columns displayed. Click the
View button on the Discovered Keys panel to open the View Discovered Key dialog.
Key
The Key field displays the entire public key, parts of which are displayed in other fields, including the
modulus or base64 key. For SSH protocol 1, only RSA is supported, and is designated as "rsa1" Key
Type. For RSA1, exponent and modulus are displayed. For the various Key Types supported by SSH
protocol 2, base64 is displayed. The Key field also includes information that is displayed elsewhere as
Key Type, Options, Key Size, and Comment fields.
Key Instance
Because it is possible to duplicate the authorized_keys text file, we provide this field to maintain data
consistency. Any duplicate keys have an incremented integer here, though it is usually 1.
Key Type
Displays the type of SSH key, such as rsa1, ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521
Comment
SSH key generation allows inclusion of comments in the key file, which are displayed in this field if
present.
Revoked
Some systems are configured to allow an SSH key to be revoked. Key Discovery tests each key to see
if it was revoked using the command "ssh-keygen -Q". If so, that is saved as a property.
Bubble Babble
Bubble Babble is an encoding method for binary data fingerprints. It renders the hexadecimal digits
into pseudo words that are more natural and can be pronounced relatively easily.
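The following Python is an added example, not product code, that ties together the fields described above for the Fingerprint and Key Size columns and for the Key, Key Type, Options, Comment and Bubble Babble fields. It parses one authorized_keys line into those fields, reads the key size out of the binary key blob, renders the fingerprint as colon-separated hex pairs, and implements the Bubble Babble encoding. Two things are assumptions: that the colon-separated fingerprint is the MD5 form (16 pairs, as classic ssh-keygen -l -E md5 prints) and that Bubble Babble is applied to the SHA-1 digest of the key blob, as ssh-keygen -B does. The sample line is constructed; its RSA modulus is derived from a hash so the example runs offline and is not a usable key.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _string(b: bytes) -> bytes:            # RFC 4251 "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:               # RFC 4251 "mpint": a leading 0x00 keeps it positive
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_size_bits(blob: bytes) -> int:
    """Key Size: modulus bits for RSA, p bits for DSA, curve size for ECDSA, 256 for Ed25519."""
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, _ = _read_string(blob, off)
        return int.from_bytes(modulus, "big").bit_length()
    if ktype == b"ssh-dss":
        p, _ = _read_string(blob, off)
        return int.from_bytes(p, "big").bit_length()
    if ktype.startswith(b"ecdsa-sha2-nistp"):
        return int(ktype[len(b"ecdsa-sha2-nistp"):])
    if ktype == b"ssh-ed25519":
        return 256
    raise ValueError(f"unsupported key type {ktype!r}")


def fingerprint_md5(blob: bytes) -> str:
    """Fingerprint as hex pairs separated by colons (assumed MD5 form)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def bubble_babble(digest: bytes) -> str:
    """Bubble Babble encoding (Huima) of a digest; the empty digest encodes as 'xexax'."""
    vowels, consonants = "aeiouy", "bcdfghklmnprstvzx"
    out, seed = ["x"], 1
    rounds = len(digest) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(digest) % 2 != 0:
            b0 = digest[2 * i]
            out.append(vowels[(((b0 >> 6) & 3) + seed) % 6])
            out.append(consonants[(b0 >> 2) & 15])
            out.append(vowels[((b0 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b1 = digest[2 * i + 1]
                out.append(consonants[(b1 >> 4) & 15])
                out.append("-")
                out.append(consonants[b1 & 15])
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:                                   # even-length input: trailing filler syllable
            out.append(vowels[seed % 6])
            out.append(consonants[16])
            out.append(vowels[seed // 6])
    out.append("x")
    return "".join(out)


def parse_authorized_key(line: str) -> dict:
    """Split one authorized_keys line into the fields shown in the key scan results."""
    line = line.strip()
    options = ""
    if not line.startswith(KEY_TYPES):          # options present: split at first unquoted blank
        in_quotes = False                        # values such as command="..." may contain spaces
        for i, ch in enumerate(line):
            if ch == '"':
                in_quotes = not in_quotes
            elif ch.isspace() and not in_quotes:
                options, line = line[:i], line[i:].lstrip()
                break
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an authorized_keys entry")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, _ = _read_string(blob, 0)
    if wire_type.decode("ascii") != key_type:
        raise ValueError("key type on the line does not match the encoded key")
    return {"options": options, "key_type": key_type, "comment": comment,
            "key_size": key_size_bits(blob), "fingerprint": fingerprint_md5(blob),
            "bubble_babble": bubble_babble(hashlib.sha1(blob).digest()), "base64_key": b64}


def constructed_rsa_line() -> str:
    """Constructed ssh-rsa entry: real wire format, hash-derived modulus, NOT a usable key."""
    filler = hashlib.sha512(b"constructed example modulus").digest() * 2   # 128 bytes
    n = int.from_bytes(filler, "big") | (1 << 1023) | 1                     # exactly 1024 bits
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return ('from="10.0.0.0/8",no-pty ssh-rsa ' + base64.b64encode(blob).decode("ascii")
            + " audit@example")


if __name__ == "__main__":
    for field, value in parse_authorized_key(constructed_rsa_line()).items():
        print(f"{field:>13}: {value if field != 'base64_key' else value[:32] + '...'}")
```

The type check between the text label and the encoded blob is deliberate: a line whose label says one algorithm while the blob carries another would otherwise be reported under the wrong Key Type and Key Size.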
Export
You can export information about discovered SSH keys to a CSV file for use in spreadsheets and
databases. To export all SSH keys, select the Discovered Keys tab. Click the Export button above the
displayed list to generate a CSV file. To export data from a specific scan, select the Scan Profile
History tab. Select a Scan Profile, then click View Key Scan Results. The Export button appears above
the list of keys.
The exported CSV file contains more information than is displayed in the UI. In addition to what is
found in various UI panels, the following fields are presented:
targetApplicationName
The name of the target application given by the CA Privileged Access Manager user during
registration
protocolVersion
SSH Protocol 1 or 2
options
exponent
modulus
base64Key
Part of SSH protocol 2 key, a long base64 representation of the public key
authorizedKeyFileTimestamp
The timestamp of the authorized key file, used to determine Key File Age field
lastLogin
LastLogin displays the last time that this key was used to log in, determined by its last log entry.
LastLogin might be blank if the log file does not go far enough back.
Password Synchronization
When you add a target account, you select whether you want to update only the Credential Manager
database or update both the CA Privileged Access Manager secure password database and the target
system.
Password synchronization is the process of synchronizing the password that is stored in the
Credential Manager database with the same credentials (for example, user names and passwords)
registered in the target application. When passwords are synchronized, credentials are pulled from
the Credential Manager database and sent to the target system. The target system then attempts to
verify that the credentials are accurate.
When a target account is a Windows account, Credential Manager directs the Windows Proxy to
perform the password verification and update.
By using password synchronization, you can configure Credential Manager to update the target
account password:
Immediately
On a schedule
You can also update passwords for a group of target accounts, which then have their password
update schedules synchronized. A different type of account grouping, which is known as a compound
account, allows you to update a series of replicated databases with the same password and to keep
their passwords synchronized with each other.
When you activate password synchronization, the communication protocol between Credential
Manager and Credential Manager Devices depends on the target application type. Every application
type has a corresponding target connector, which implements the communication protocol for that
type of target application.
Target Connectors
The following list describes the target connectors (or application types) supported by Credential
Manager.
AS400: Use the AS400 connector to manage user accounts on AS/400 iSeries IBM midrange
systems.
AWS Access Credentials Accounts: This target connector provides a placeholder application for
Amazon Web Services (AWS) access credentials. It can be associated only with the built-in target
server xceedium.aws.amazon.com. It is only available when CA Privileged Access Manager is
licensed for AWS Capability.
AWS Proxy Credential Accounts: This target connector provides a placeholder application for
AWS proxy credentials. It can be associated only with the built-in target server
xceedium.aws.amazon.com. It is only available when CA Privileged Access Manager is licensed for
AWS API Proxy Users.
Cisco: Use the Cisco connector to manage accounts on a Cisco router. It uses either the SSHv2 or
Telnet protocol for communication. The Cisco target connector supports SSH v2; not SSH v1.
Juniper Junos: Use the Juniper Junos connector to manage any Juniper JUNOS® accounts.
LDAP: Use the LDAP connector to manage any accounts that support the OpenLDAP V3 protocol.
Optionally, you can configure the LDAP connector to use LDAP over an SSL connection.
MSSQL: Use the MSSQL connector to manage Microsoft SQL Server accounts. The MSSQL
connector uses JDBC for communication.
MYSQL: This target connector provides password synchronization functionality for MySQL 5
databases.
Oracle: Use the Oracle connector to manage Oracle DBMS accounts. The Oracle connector uses
JDBC for communication.
Palo Alto: Use the Palo Alto connector to manage accounts on Palo Alto routers and PAN-OS.
SPML v2.0: Use the SPML connector to manage any Service Provisioning Markup Language
(SPML) accounts.
UNIX: Use the UNIX connector to manage UNIX-based accounts. It supports SSH, Telnet, and RSA
keys. The UNIX target connector allows for greater customization than the earlier UNIX (deprecated)
target connector.
VMWare ESX/ESXi: This target connector uses WSDL over SSL to support the synchronization of
passwords of ESX/ESXi target accounts.
VMWare NSX Controller: This target connector provides synchronization support for NSX
controller target accounts.
VMWare NSX Manager: This target connector provides synchronization support for NSX manager
target accounts.
VMWare NSX Proxy: This target connector provides synchronization support for NSX proxy target
accounts.
WebLogic: This target connector provides password synchronization functionality for Oracle
WebLogic v10 application servers.
Windows Domain Services: The Windows Domain Services connector and the Windows Proxy
connector both manage Windows accounts. Use the Windows Domain Services connector to
update the password of Active Directory accounts or if you are unable to use the Windows Proxy
connector in your environment. This connector uses the LDAPS (that is, LDAP over SSL) interface
to Active Directory to update account passwords. You can also use this connector to update
Windows services and scheduled tasks if the connector communicates with a deployed Windows
Proxy. The connector performs the following activities:
If the domain account is used for a service or for a scheduled task, it uses one or more
Credential Manager Windows Proxies to update service credentials or scheduled task
credentials and restart services.
Note:
The Active Directory database must support secure LDAPS connections (typically on port
636). The Windows Domain Services target connector does not support unencrypted LDAP
connections; only LDAPS (LDAP over SSL) connections. The "Domain Controller Port (SSL)"
field in the Windows Domain Services application details can be left blank if the LDAPS
port is the default 636. Otherwise, the port must be populated.
Note:
Port 389 is used for unencrypted LDAP. Credential Manager does not synchronize AD
target accounts using unencrypted LDAP.
Windows Proxy: The Windows Proxy connector and the Windows Domain Services connector
both manage Windows accounts. Use the Windows Proxy connector to manage Active Directory
and Local Windows accounts, and the passwords for local Windows services and scheduled tasks.
This connector uses Windows APIs to make updates to the account, services, and scheduled tasks
passwords. The connector can optionally query one or more DNS servers to find domain
controllers. The Windows Proxy connector uses HTTPS and AES encryption for secure
communications.
Note:
If the guest account in the domain or on the target server is enabled, the Windows Proxy
connector can appear to successfully verify the password of a target account that does
not exist on the target server. Disable the guest account in the domain or on the target
server to avoid this false password verification.
The permissions that are required for the Windows Proxy connector are affected by a number of
architectural deployment decisions, such as:
The type of accounts being managed by the proxy, for example local, domain, or both
Whether passwords on services and scheduled tasks are also being managed
Whether the Windows Proxy connector is deployed on each server, or whether one Windows
Proxy connector is deployed for the domain
If you only manage local Windows accounts, local service passwords, or local scheduled task
passwords and you choose to deploy the proxy on each server or workstation being managed,
then the proxy can be run in the context of local system. This scenario allows successful updates
to the local accounts, services, and scheduled tasks.
If you deploy a single (or multiple for High Availability) proxy to manage multiple servers, the
proxy must operate under an account with adequate privileges to manage the accounts, services,
and scheduled tasks. If you use the Windows Domain Service connector to manage the domain
accounts, then the proxy only needs to run with a domain account that has privileges to change
local passwords, services, or scheduled tasks on the machines being managed.
As a result, the service account being used for the proxy can have its privileges limited to that of a
Domain User. To enable management of local Windows accounts and the passwords on Windows
services and scheduled tasks, the service account must be a member of the Local Administrator
group on the server hosting the Target Account being managed.
To use the Windows Proxy connector to manage Domain accounts too, add the service account to
the domain Account Operators group to allow the proxy to reset passwords in Active Directory.
In addition to the provided target connectors, Credential Manager provides a Generic application
type, which permits credential requests. However, Generic applications do not support password
synchronization.
The Script Processor (written in Java) executes a high-level version of the logic for manipulating
credentials on remote hosts. CA Privileged Access Manager uses two scripts to allow different levels
of testing and production use. One script verifies passwords. The other script updates passwords.
The scripts that are provided with CA Privileged Access Manager are known as the default scripts. To
use them, configure a set of default prompts and command values that the script expects to
encounter. The values can be configured with CLI parameters or the CA Privileged Access Manager
GUI parameters when adding target applications and target accounts. Refer to the section for the
specific target connector in Target Connector Settings (https://docops.ca.com/display/CAPAM28/Credential+Manager+Target+Connector+Settings) for valid values and default values.
If you are using the GUI, use the Update Credentials Script panel to specify the script to be used for
updating credentials. The panel provides the following options:
Use the default script: This option indicates that CA Privileged Access Manager uses the default
script that is provided with the release.
Use a revised default script (requires patch): This option specifies the name of the file containing
the revised update script. The contents of the file are used as the revised script. When selected,
this option opens a field with a drop-down list of available scripts, each of which has been
uploaded from a patch that is supplied by CA Support.
Use a replacement script: This option specifies a replacement update script. When selected, this
option opens a text field in which to insert the replacement script.
Start by selecting Use the default script and make desired changes in the Script Processor. If, after
making your changes, you find that the connector does not work correctly, contact CA Support to
determine the issue. If changes to the script logic are required, your Support representative requests
CA Technologies Engineering to prepare a revised script. The revised script is a temporary script for
testing purposes against a small, representative sample of Target Accounts.
To use a revised script, select the Use a revised default script (requires patch) option and specify the
file. If the revised script works correctly, you can request that CA Engineering create a product patch
to convert the revised script into a replacement script that can be selected using the Script Processor
GUI on a per-Target Application basis. Alternatively, CA Engineering can opt to produce a product
patch that modifies the default script so that the connector behavior is changed for all Target
Applications.
To use a replacement script, select the Use a replacement script option and paste the new script in
the Replacement Script field, and try the operation.
You might need to try more than one replacement script to configure CA Privileged Access Manager
to conform to your OS environment. Edit replacement scripts only in coordination with
Support. Once a suitable replacement script has been determined, CA Technologies Operations (or
Support) creates a revised script patch that can be applied (on the Upgrade page). Once this patch
has been applied, return to the Update/Verify Credentials Script panel, click Use a revised default
script (requires patch), and select it from the Use which revised script? drop-down list.
Note:
If you do not select a password composition policy, a built-in policy is used. This policy
specifies a minimum length of four characters and a maximum length of 16 characters with
no character restrictions.
2. From the new tab/window menu bar, select Targets, Applications. The Application List page
appears.
5. Enter an application name. Application names must be unique for a given target server.
6. Select the application type; for example, UNIX. Extra fields appear depending on the
application type you select.
Use the additional fields to specify data that is required by the target connector to connect
and access an account in the application. For details, see Credential Manager Target
Connector Settings (https://docops.ca.com/display/CAPAM28/Credential+Manager+Target+Connector+Settings) and Target Connector Script Processor (see
page 314).
8. If you are using target groupings, provide descriptors for the target application.
9. Modify or fill in the fields for the particular application type you selected, as required.
Your new target application is added to the list of applications on the Application List page.
Create accounts on the native system before registration in Credential Manager. For
example, create an Oracle account on the Oracle database before you register it in
Credential Manager as a synchronized account. Once you register the account in Credential
Manager, the target password benefits from frequent managed updates to reflect the
password that is maintained in the Credential Manager database.
Random Passwords
Credential Manager provides a mechanism to automatically generate a pseudorandom password. For
synchronized accounts, the random password is based on the configured password composition
policy and updates automatically directly on the target system. For Generic accounts, manually
change this password on the target system to agree with the password stored in the secure database.
Synchronized Accounts
Credential Manager automatically verifies synchronized accounts upon initial registration. In addition,
you can use a button in the GUI or the verifyAccountPassword CLI command to manually verify
synchronized target account passwords.
You can schedule password updates for synchronized accounts with the GUI (Targets, Scheduled
Jobs). Alternatively, you can enable password expiration.
Compound Accounts
A compound account consists of several accounts on a cluster of servers, all having the same account
name. When a password change occurs, all members of the compound account remain synchronized.
When the password of a compound account is updated, it is changed on all the cluster members. If
the password cannot be changed on one or more of the cluster members, it must be rolled back to
the previous value on all of them to keep the cluster members synchronized.
If a password update fails and the subsequent rollback succeeds, the Verified column of the
Compound section of the Account Details page displays a yellow warning symbol next to the server
on which the update failed. A tooltip indicates the specific error message.
If a password update fails and the subsequent rollback fails, the Verified column displays a red X
symbol next to the server on which the rollback failed. A tooltip displays the specific error message,
and the password on this server is out-of-sync.
Compound accounts respect existing target account functions such as: workflow, scheduled jobs,
auto-connect, and target group membership.
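The update-then-roll-back behaviour described for compound accounts, as an added Python simulation that is not product code. It pushes a new password to every member of a constructed three-node cluster, rolls back the members that did change when any member fails, and reports a per-member status modelled on the Verified column: ok, warning (update failed, cluster rolled back) or error (rollback failed, that member is out of sync). The Member class, its refuse list used to inject failures, and the member names db1 to db3 are all constructed for this example.

```python
class Member:
    """Constructed stand-in for one cluster member; not the product's connector API.
    `refuse` lists password values this member rejects, to simulate target-side failures."""

    def __init__(self, name, password, refuse=()):
        self.name, self.password, self.refuse = name, password, set(refuse)

    def set_password(self, new):
        if new in self.refuse:
            raise RuntimeError(f"{self.name} rejected the password change")
        self.password = new


def update_compound(members, new_password):
    """Change the password on every member; if any member fails, restore the previous
    password on the members that did change so the cluster stays in sync."""
    status, changed = {}, []
    for m in members:
        previous = m.password
        try:
            m.set_password(new_password)
            changed.append((m, previous))
            status[m.name] = ("ok", "")
        except RuntimeError as exc:
            status[m.name] = ("warning", f"update failed: {exc}")
    if all(state == "ok" for state, _ in status.values()):
        return {"success": True, "members": status}
    for m, previous in changed:                 # roll back the members that accepted the change
        try:
            m.set_password(previous)
        except RuntimeError as exc:             # rollback failed: this member is now out of sync
            status[m.name] = ("error", f"rollback failed, password out of sync: {exc}")
    return {"success": False, "members": status}


def run_scenario(refusals):
    """Build three constructed members (all holding '0ld') and push 'N3w' through the update.
    Returns the update result and the password each member ends up holding."""
    members = [Member(n, "0ld", refusals.get(n, ())) for n in ("db1", "db2", "db3")]
    result = update_compound(members, "N3w")
    return result, {m.name: m.password for m in members}


if __name__ == "__main__":
    # 1) clean update  2) db2 refuses the new password  3) db2 refuses, and db3 refuses rollback
    for scenario in ({}, {"db2": {"N3w"}}, {"db2": {"N3w"}, "db3": {"0ld"}}):
        result, passwords = run_scenario(scenario)
        print(scenario, "->", result["success"], result["members"], passwords)
```

The third scenario is the one that matters operationally: after a failed rollback the cluster is no longer uniform, so the error status on that member has to be acted on before the next scheduled update runs.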
Target Aliases
A target alias enables an A2A requestor to request credentials from a specific account without
transmitting the account user name and password. Target aliases are account-specific and are
generated when the account is created. Privileged password accounts do not use target aliases.
Password Viewing
Credential Manager generates a log entry each time a user views a password.
A report is available that lists each time that an attempt was made to view an account password.
Credential Manager allows GUI users to view target account passwords for both synchronized and
nonsynchronized target accounts. If you enable the change password on view feature, Credential
Manager automatically changes viewed synchronized account passwords after a set time interval.
The change password on view feature works with compound accounts, so the password is changed
on all servers even if only one account is accessed.
Password Updating
When you update a target password and the synchronization flag is set, Credential Manager
automatically verifies the password. When you update any other target account information,
manually perform password verification by clicking Verify Password.
When adding a target account, you can configure Credential Manager to use an alternate account
with sufficient privileges (that is, a master account) to update a specific target account password,
rather than using the target account directly. This method permits Credential Manager to
synchronize headless accounts that do not have permission to change their own passwords. Also, it
ensures that Credential Manager can change the password even if a user has changed the password
manually on the target system.
Selecting to use an alternate account for password updating opens a Find Account pop-up window
with a table listing the target accounts that can be selected and their relevant information (that is,
application name, application type and host name). By default, Credential Manager displays the
target accounts filtered by application name. You can select to filter by account name or host name,
or to show all the target accounts that are defined in the system. All target accounts can be selected.
Typically, the other account is an account of the same application. For example, the password for an
Oracle database account is changed by a privileged account on the same database. It is also possible
to use another account which is associated with a different application.
Using either an LDAP or AD account to change the password of a UNIX account is the only dissimilar
account combination that is supported. It is your responsibility to select compatible combinations.
When using the other account option, the target account that is used to update the password cannot
be the current target account. If you select the current target account, an error message results when
you attempt to save the settings. If you want the current target account to be the account that is
used to change its own password, select the "Account can change own password" option.
The initial password that you enter must be the same as the password on the target account, unless a
user with more privileges (for example, root) is used to update the password.
To avoid this issue, base-64 encode a complex password before passing it to CLI commands such
as addTargetAccount or updateTargetAccount, and ensure that the passwordIsBase64Encoded
parameter for the command is set to true.
For Windows, use the Microsoft File Checksum Integrity Verifier utility available at:
http://www.microsoft.com/en-us/download/details.aspx?id=11533.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of existing target accounts.
5. Click the magnifying glass to find an existing target application on the host server, or click + to
create a new target application. Depending on the application type of the target application,
more fields appear.
8. Enter an initial account password or click the blue Generate Password icon to generate a
default password. The Generate Password icon looks like a ring with a set of keys. It is located
to the right of the Password field.
9. If you are adding a compound account, see Add a Compound Target Account from the GUI
(see page 320).
10. Select the appropriate synchronization option (for example, update both Credential Manager
and the target system). This option is not available if the application type is “Generic”.
Update only the Password Authority Server: Passwords are only updated in Credential
Manager. Credential Manager and target system passwords can differ.
Update both the Password Authority Server and the target system: Password updates are
performed in both Credential Manager and the target system to maintain consistency.
11. Modify or fill in the fields for the particular type of application you selected, as required.
Note:
12. Select whether the account type is A2A (application-to-application) or privileged account. This
choice is only possible if your license allows for A2A devices. If you select A2A, more fields
appear allowing you to add the target alias. See Add a Target Alias from the GUI (see page 321).
14. If you are using target groupings, enter descriptors for the target account.
15. Click Save. Your new target account is added to the list of accounts on the Account List page.
For most target account types, a Change Process option specifies whether the managed account can
change its own password or whether another, higher-privilege account must do that. If you select
"Use the following account to change password", a field appears below the legend so that you can
enter the password-changing account.
1. Do steps 1-8 of the Add a Target Account from the GUI (see page 318) procedure.
2. Click the Compound check box. The target server menu appears.
4. Click the magnifying glass to find the server you want to add to the compound account.
Note:
The target server that is selected as the host server cannot be added as a
compound server for the account.
5. Repeat steps 3 and 4 until you have added as many servers as you want.
There is no limit on the number of servers you can add, but the functionality has only been
tested to 20 servers.
When adding compound accounts, "Update only the Password Authority Server" is the only
valid synchronization option.
6. Do steps 11-15 of the Add a Target Account from the GUI (see page 318) procedure.
7. Once the compound account has been added, you can access the account and can change the
synchronization option (for example, update both Credential Manager and the target system).
This option is not available if the application type is “Generic”.
Update only the Password Authority Server: Passwords are only updated in Credential
Manager. Credential Manager and target system passwords can differ.
Update both the Password Authority Server and the target system: Password updates are
performed in both Credential Manager and the target system to maintain consistency.
2. From the new tab/window menu bar, select Targets. The Account List page appears with a list
of existing target accounts.
4. Click the lower magnifying glass to find and select the AWS Access Credential Accounts
Application Name.
When you do so, the Host Name and Device Name fields are populated with
xceedium.aws.amazon.com and more fields appear.
5. Select the Password View Policy (if needed) for the account.
6. For AWS Access Credential Type, select the EC2 Private Key option button. The EC2 Private
Key tab activates.
7. Enter the EC2 Instance User Name, such as ec2-user (for Amazon Linux), or root (for Red
Hat Linux), or other full permission account.
9. In Key Pair Name, enter the filename of the EC2 Private Key you just uploaded, but without
the extension.
10. (Optional) Enter a passphrase to use with the EC2 private key in the Passphrase field.
11. Select whether the account type is A2A (application-to-application) or privileged account. This
choice is only possible if your license allows for A2A accounts. If you select A2A Account, more
fields appear allowing you to add the target alias. See Add a Target Account From the GUI (see
page 318).
12. (Optional) Enter an access type. Access type is a reference field for customer convenience. It is
not used by Credential Manager.
13. Click Save. Your new target account is added to the list of accounts on the Account List page.
1. Do steps 1-12 of the Add a Target Account from the GUI (see page 318) procedure. For step
12, specify the account type as A2A.
2. Enter a target alias name. The target alias name must be unique across the Credential
Manager.
3. Enter the appropriate settings for password caching for the Credential Manager A2A Client:
Use Cache First: The A2A Client looks for the password in local cache first. If there is no
password or if the password is not the most recent, the A2A Client contacts the product
appliance.
Use Server First: The A2A Client contacts the product appliance to get the most recent
password. If a password is unavailable, the A2A Client looks in the local cache.
No Cache: The password is never stored in the local cache. The A2A Client always contacts
the product appliance for the password.
5. Do steps 13-15 of the Add a Target Account from the GUI (see page 318) procedure.
2. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetServer>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:35:14 EST 2007</createDate>
<updateDate>Mon Nov 12 15:35:14 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>XhMAD33ITheWuMB1L89Zsxfdxsg=</hash>
<hostName>Vienna-Lab3.cloakware.com</hostName>
<IPAddress>11.1.0.3</IPAddress>
</TargetServer>
</cr.result>
</CommandResult>
4. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetApplication>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:38:32 EST 2007</createDate>
<updateDate>Mon Nov 12 15:38:32 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>kvSzMfnFi2iCIihAVt85+N2jzpc=</hash>
<targetServerID>1</targetServerID>
<type>Generic</type>
<name>Generic</name>
<policyID>0</policyID>
</TargetApplication>
</cr.result>
</CommandResult>
6. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 EST 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheBehavior>useCacheFirst</cacheBehavior>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>
</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>
8. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAlias>
<ID>1</ID>
<createDate>Mon Nov 12 15:43:24 EST 2007</createDate>
<updateDate>Mon Nov 12 15:43:24 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>iB6pR3X7E8yP8p4RemqsChneEQc=</hash>
<name>ViennaAlias5</name>
<accountID>1</accountID>
</TargetAlias>
</cr.result>
</CommandResult>
2. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetServer>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:35:14 EST 2007</createDate>
<updateDate>Mon Nov 12 15:35:14 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>XhMAD33ITheWuMB1L89Zsxfdxsg=</hash>
<hostName>Unix server cluster</hostName>
<IPAddress>11.1.0.3</IPAddress>
</TargetServer>
</cr.result>
</CommandResult>
4. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetServer>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>2</ID>
<createDate>Mon Nov 12 15:35:14 EST 2007</createDate>
<updateDate>Mon Nov 12 15:35:14 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>XhMAD33ITheWuMB1L89Zsxfdxsg=</hash>
<hostName>Vienna-Lab3.cloakware.com</hostName>
<IPAddress>11.1.0.4</IPAddress>
</TargetServer>
</cr.result>
</CommandResult>
Repeat steps 3 and 4 for each compound server you want to add. Each addTargetServer
operation returns a new <ID> value.
6. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetApplication>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:38:32 EST 2007</createDate>
<updateDate>Mon Nov 12 15:38:32 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>kvSzMfnFi2iCIihAVt85+N2jzpc=</hash>
<targetServerID>1</targetServerID>
<type>Generic</type>
<name>Generic</name>
<policyID>0</policyID>
</TargetApplication>
</cr.result>
</CommandResult>
8. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 EST 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheBehavior>useCacheFirst</cacheBehavior>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>
</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>
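Each CLI step above returns a <CommandResult> document, and a script that drives these commands has to check the status and pick up the new <ID> (the note after step 4 says every addTargetServer call returns one) before issuing the next call. The following Python helper is an added example, not CA's code: it parses that output, exposes the ID for chaining, and reads the passwordVerified/lastVerified pair, treating the empty <lastVerified> element of an unverified account as None. The samples are constructed from the output shown above; the failure sample's status values are placeholders, since the page shows only Success results.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed samples modelled on the addTargetServer and addTargetAccount
# output shown above (same element names; some fields omitted for brevity).
SAMPLE_TARGET_SERVER = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetServer>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>2</ID>
<hostName>Vienna-Lab3.cloakware.com</hostName>
<IPAddress>11.1.0.4</IPAddress>
</TargetServer>
</cr.result>
</CommandResult>"""

SAMPLE_TARGET_ACCOUNT = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<ID>1</ID>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>
</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>"""

# Hypothetical failure shape: the page only shows Success results, so the
# status code and description here are placeholders, not the product's values.
SAMPLE_FAILURE = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>0</cr.statusCode>
<cr.statusDescription>PLACEHOLDER-ERROR</cr.statusDescription>
</CommandResult>"""


class CommandFailed(Exception):
    """The CLI reported a status other than Success."""


@dataclass
class CommandResult:
    item_number: int
    status_code: str
    status_description: str
    object_type: str        # TargetServer, TargetApplication, TargetAccount, TargetAlias
    fields: Dict[str, str]  # child elements of the returned object, text stripped

    @property
    def ok(self) -> bool:
        return self.status_description == "Success"

    @property
    def object_id(self) -> int:
        return int(self.fields["ID"])


def _child_map(elem: ET.Element) -> Dict[str, str]:
    # Tags such as cr.statusCode contain a dot, so walk the children directly
    # rather than relying on ElementPath expressions.
    return {child.tag: (child.text or "").strip() for child in elem}


def parse_command_result(xml_text: str) -> CommandResult:
    root = ET.fromstring(xml_text)
    if root.tag != "CommandResult":
        raise ValueError(f"unexpected root element {root.tag!r}")
    top = _child_map(root)
    result = next((c for c in root if c.tag == "cr.result"), None)
    obj = next(iter(result), None) if result is not None else None
    return CommandResult(
        item_number=int(top.get("cr.itemNumber", "0")),
        status_code=top.get("cr.statusCode", ""),
        status_description=top.get("cr.statusDescription", ""),
        object_type=obj.tag if obj is not None else "",
        fields=_child_map(obj) if obj is not None else {},
    )


def is_success(xml_text: str) -> bool:
    return parse_command_result(xml_text).ok


def next_object_id(xml_text: str) -> int:
    """Return the <ID> of the created object so the next CLI call can reference it."""
    res = parse_command_result(xml_text)
    if not res.ok:
        raise CommandFailed(f"{res.status_code}: {res.status_description}")
    if "ID" not in res.fields:
        raise CommandFailed(f"{res.object_type or 'result'} carries no <ID>")
    return res.object_id


def verification_state(xml_text: str) -> Tuple[bool, Optional[str]]:
    """(passwordVerified, lastVerified) of a TargetAccount; empty <lastVerified> -> None."""
    res = parse_command_result(xml_text)
    if res.object_type != "TargetAccount":
        raise ValueError(f"expected a TargetAccount result, got {res.object_type!r}")
    verified = res.fields.get("passwordVerified", "false").lower() == "true"
    last = res.fields.get("lastVerified") or None
    return verified, last


if __name__ == "__main__":
    print("new target server ID:", next_object_id(SAMPLE_TARGET_SERVER))
    print("account verification:", verification_state(SAMPLE_TARGET_ACCOUNT))
    print("failure accepted as success?", is_success(SAMPLE_FAILURE))
```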
3. Create a Target Application on that Device. This step includes associating a Windows Proxy
with the host on which the Windows account resides. See Create a Windows Target
Application. (see page 328)
4. Create a Target Account for that application. This step includes associating Windows Services
with the target account. For an A2A account, also create a Target Alias. See Create a Windows
Target Account and Target Alias (see page 329).
Credential Manager provides an automatic discovery feature that streamlines the registration
process for multiple Windows services and scheduled tasks. See Discover Windows Proxy Target
Accounts Services and Scheduled Tasks (see page ).
When adding the target application, select the Windows Domain Service application type instead of
Windows Proxy.
Credential Manager provides an automatic discovery feature that streamlines the registration
process for multiple Windows Domain Service target accounts. For details, see Account Discovery
(see page 299).
2. From the new tab/window menu bar, select Targets, Applications. The Application List page
appears.
4. Click the magnifying glass to find an existing target server or click the + to create a new target
server.
6. Select "Windows Proxy" as the Application Type. The Application Details page updates by
displaying the Windows Proxy Application Details panel.
9. Modify or fill in the fields for the Windows Proxy Application Details panel, as required.
Your new Windows target application is added to the list of applications on the Application List page.
2. From the new tab/window menu bar, select Targets. The Account List page appears with a list
of existing accounts.
4. Click the magnifying glass to find an existing target server, or click + to create a new target
server.
5. Click the magnifying glass to find an existing target application on the host server, or click + to
create a new target application. Select or create a Windows Proxy type of target application.
The Windows Domain Account Details panel appears on the Account Details page.
6. Enter the account name. The account name must be unique for a given target application and
must be the account name that is used by the target system.
8. Enter an initial account password or click the blue Generate Password icon to generate a
default password. The Generate Password icon looks like a ring with a set of keys. It is located
to the right of the Password field.
9. Select the appropriate synchronization option (for example, update both Credential Manager
and the target system). This option is not available if the application type is Generic.
Update only the Password Authority Server: Passwords are updated only in Credential
Manager. Credential Manager and target system passwords can differ.
Update both the Password Authority Server and the target system: Password updates are
performed both in Credential Manager and on the target system to maintain consistency.
10. Modify or fill in the fields for the Windows Account Details panel, as required.
11. Select whether the account type is A2A (application-to-application) or privileged account. This
choice is only possible if your license allows for A2A accounts. If you select A2A Account, more
fields appear allowing you to add the target alias.
12. For A2A accounts, enter a target alias name. The target alias name must be unique across
Credential Manager.
13. For A2A accounts, enter the appropriate settings for password caching for the A2A Client:
Use Cache First: The A2A Client looks for the password in local cache first. If there is no
password or if the password is not the most recent, the A2A Client contacts Credential
Manager.
Use Server First: The A2A Client contacts Credential Manager to get the most recent
password. If a password is unavailable, the A2A Client looks in the local cache.
No Cache: The password is never stored in the local cache. The A2A Client always contacts
Credential Manager for the password.
14. For A2A accounts that use caching, set the cache duration.
15. (Optional) Enter an access type. Access type is a reference field for customer convenience. It is
not used by Credential Manager.
16. If you are using target groupings, enter descriptors for the target account.
Your new Windows target account is added to the list of accounts on the Account List page.
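The three cache behaviours listed for target aliases (in the Add a Target Alias steps and again in step 13 of the Windows procedure above) decide where the A2A Client looks for a credential and what happens when the appliance cannot be reached. The following Python simulation is an added example, not the A2A Client's code: it assumes a cached entry stops being "the most recent" once it is older than the cache duration, and the useServerFirst and noCache names are assumed spellings (only useCacheFirst appears in the CLI output on this page).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# useCacheFirst is the value shown in the CLI <cacheBehavior> output above;
# the other two names are assumed by analogy.
USE_CACHE_FIRST = "useCacheFirst"
USE_SERVER_FIRST = "useServerFirst"
NO_CACHE = "noCache"


class ApplianceUnavailable(Exception):
    """The A2A Client could not reach the product appliance."""


class CredentialUnavailable(Exception):
    """No password for the alias could be obtained from any permitted source."""


@dataclass
class Appliance:
    """Stand-in for the appliance: the current password per target alias."""
    passwords: Dict[str, str]
    reachable: bool = True
    requests: int = 0   # how many times clients contacted the appliance

    def fetch(self, alias: str) -> str:
        self.requests += 1
        if not self.reachable:
            raise ApplianceUnavailable(alias)
        if alias not in self.passwords:
            raise CredentialUnavailable(alias)
        return self.passwords[alias]


@dataclass
class CacheEntry:
    password: str
    stored_at: float


@dataclass
class A2AClient:
    appliance: Appliance
    behavior: str
    cache_duration: float   # assumed: an entry older than this is no longer "most recent"
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    clock: float = 0.0      # simulated time, same unit as cache_duration

    def _fresh_cached(self, alias: str) -> Optional[str]:
        entry = self.cache.get(alias)
        if entry is None or self.clock - entry.stored_at > self.cache_duration:
            return None
        return entry.password

    def _from_appliance(self, alias: str) -> str:
        password = self.appliance.fetch(alias)
        if self.behavior != NO_CACHE:   # No Cache: never written to the local cache
            self.cache[alias] = CacheEntry(password, self.clock)
        return password

    def get_password(self, alias: str) -> str:
        if self.behavior == NO_CACHE:
            return self._from_appliance(alias)
        if self.behavior == USE_CACHE_FIRST:
            cached = self._fresh_cached(alias)
            return cached if cached is not None else self._from_appliance(alias)
        if self.behavior == USE_SERVER_FIRST:
            try:
                return self._from_appliance(alias)
            except (ApplianceUnavailable, CredentialUnavailable):
                cached = self._fresh_cached(alias)
                if cached is None:
                    raise
                return cached
        raise ValueError(f"unknown cacheBehavior {self.behavior!r}")

    def try_get(self, alias: str) -> Optional[str]:
        """get_password, but report failure as None instead of raising."""
        try:
            return self.get_password(alias)
        except (ApplianceUnavailable, CredentialUnavailable):
            return None


if __name__ == "__main__":
    appliance = Appliance({"ViennaAlias5": "s3cret-v1"})   # constructed sample
    client = A2AClient(appliance, USE_CACHE_FIRST, cache_duration=20)
    client.get_password("ViennaAlias5")   # first lookup contacts the appliance
    client.get_password("ViennaAlias5")   # second lookup is served from the cache
    print("appliance requests after two Use Cache First lookups:", appliance.requests)
    appliance.reachable = False
    print("cache-first lookup during an outage:", client.try_get("ViennaAlias5"))
    strict = A2AClient(Appliance({"ViennaAlias5": "s3cret-v1"}, reachable=False), NO_CACHE, 20)
    print("no-cache lookup during an outage:", strict.try_get("ViennaAlias5"))
```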
Windows Domain Service Account Discovery is now part of Account Discovery, which also
discovers Linux, UNIX, and LDAP accounts. See Account Discovery (see page 299) for more
information. Windows Domain Services and Scheduled Tasks are still discovered from the
Windows Domain Account Details section of the Target Accounts.
Credential Manager provides a feature for automatic discovery and registration of Windows Domain
Service services and scheduled tasks. Credential Manager also facilitates adding and deleting
Windows OS-based Scheduled Tasks to or from a valid Windows Account and managing the
associated password.
Prerequisites
Before you use service or scheduled task discovery, ensure that the following prerequisites are met:
An administrative account to be used for discovery has been provisioned and added to the
Credential Manager database as a target account.
The administrative account to be used for discovery has been verified in Credential Manager.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page
appears.
3. Click the target account name for which you want to discover services. The account that you
select must be verified.
Note:
4. Ensure that the data in the fields are specified according to your requirements.
6. In the Using Proxy box, select a proxy to use for service discovery.
7. In the Host to Search box, enter the host name on which the services reside.
8. Click Discover Services. The proxy connects to the specified host and returns a list of services
for the account. The discovered services are added to the Services table on the Account
Details page.
9. Click Save if you want to update credentials for all the discovered services whenever the
target account's password changes.
10. To add a service to the account manually, click the Add link in the Services table. In the new
row, select the host that is running the Proxy, enter the Service Host that is running the
service, and enter the Service. Click Save. This action synchronizes the service login credentials
with the target account. Only the added service credentials are updated automatically
whenever the target account password changes.
11. To remove any services that are not required, click the Delete link corresponding to the
service in the Services table. The deleted service is not updated when the target account
password changes.
Note:
The deleted service retains its current login credentials and is not updated.
12. To allow the Credential Manager account to start or restart a service, select its check box in
the Start/Restart column; to disallow, clear the check box.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page
appears.
3. Click the target account name for which you want to discover scheduled tasks. The account
that you select must be verified.
Note:
4. Ensure that the data in the fields are specified according to your requirements.
6. In the Using Proxy box, select a proxy to use for scheduled task discovery.
7. In the Host to Search box, enter the host name on which the scheduled tasks reside.
8. Click Discover Tasks. The proxy connects to the specified host and returns a list of scheduled
tasks for the account. The discovered scheduled tasks are added to the Scheduled Tasks table
on the Account Details page.
9. Click Save if you want to update credentials for all the discovered scheduled tasks whenever
the target account's password changes.
10. To add a scheduled task to the account manually, click the Add link in the Scheduled Tasks
table. In the new row, select the host that is running the Proxy, enter the Task Host in which
the scheduled task resides, and enter the Task Name. Click Save. This action synchronizes the
scheduled task login credentials with the target account. Only the added scheduled task
credentials are updated automatically whenever the target account password changes.
11. To remove any scheduled tasks that are not required, click the Delete link corresponding to
the task in the Scheduled Tasks table. The deleted scheduled task credentials are not updated
when the target account password changes.
Note:
The deleted scheduled task retains its current login credentials and is not updated.
Prerequisites
Before you use service and scheduled task discovery, ensure that the following prerequisites are met:
An administrative account to be used for discovery has been provisioned and added to the
Credential Manager database as a target account.
The administrative account to be used for discovery has been verified in Credential Manager.
If the administrative account to be used for discovery is local, the Scheduled task, Target account,
and Agent are in the same domain.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page
appears.
3. Click the target account name for which you want to discover services. The account that you
select must be verified.
Note:
4. Ensure that the data in the fields are specified according to your requirements.
6. In the Host to Search box, enter the host name on which the services reside.
7. Click Discover Services. The proxy connects to the specified host and returns a list of services
for the account. The discovered services are added to the Services table on the Account
Details page.
8. Click Save if you want to update credentials for all the discovered services whenever the
target account's password changes.
9. To add a service to the account manually, click the Add link in the Services table. In the new
row, enter the Service Host that is running the service, and enter the Service. Click Save. This
action synchronizes the service login credentials with the target account. Only the added
service credentials are updated automatically whenever the target account password
changes.
10. To remove any services that are not required, click the Delete link corresponding to the
service in the Services table. The deleted service's credentials are not updated whenever the
target account password changes.
Note:
The deleted service retains its current login credentials and is not updated.
11. To allow the Credential Manager account to start or restart a service, select its check box in
the Start/Restart column; to disallow, clear the check box.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page
appears.
3. Click the target account name for which you want to discover scheduled tasks.
Note:
4. Ensure that the data in the fields are specified according to your requirements.
6. In the Host to Search box, enter the host name on which the scheduled tasks reside.
7. Click Discover Tasks. The proxy connects to the specified host and returns a list of scheduled
tasks for the account. The discovered scheduled tasks are added to the Scheduled Tasks table
on the Account Details page.
8. Click Save if you want to update credentials for all the discovered scheduled tasks whenever
the target account's password changes.
9. To add a scheduled task to the account manually, click the Add link in the Scheduled Tasks
table. In the new row, select the host that is running the Proxy, enter the Task Host in which
the scheduled task resides, and enter the Task Name. Click Save. This action synchronizes the
scheduled task login credentials with the target account. Only the added scheduled task
credentials are updated automatically whenever the target account password changes.
10. To remove any scheduled tasks that are not required, click the Delete link corresponding to
the task in the Scheduled Tasks table. The deleted scheduled task's credentials are not
updated whenever the target account password changes.
Note:
The deleted scheduled task retains its current login credentials and is not updated.
2. From the new tab/window menu bar, select Targets. The Account List page appears with a list
of existing accounts.
3. Click the blue View icon. The View icon resembles an eye. It is located under the Action
column for the account for which you want to view the password.
Note:
You can customize the list of reasons for viewing a password. See Customize the
Reasons for Viewing a Password (https://docops.ca.com/display/CAPAM28
/setPasswordViewReasons).
7. For compound accounts, a drop-down list of all target servers for the account appears in the
pop-up window. Select the specific target server for which you want to view the password.
Normally, the password is the same for all servers. If a password update fails, each server on
which the subsequent rollback fails has an out-of-sync password.
8. Click View. The GUI displays the account User ID and password.
After selecting a Target Account from the drop-down menu for a particular Device, a pop-up window
appears with a View Account Password Request window. After entering the Password (for the
currently logged-in CA Privileged Access Manager user), the credentials are displayed in the pop-up.
2. From the new tab/window menu bar, select Targets, Accounts. The Account List page appears
with a list of existing accounts.
3. In the account list, click the account for which you want to view the password history. The
Account Details page appears.
4. Click the blue View History icon. The View History icon resembles a clock with a counter-
clockwise arrow. It is located to the right of the Password field. The Password History page
appears showing password change history.
The Password History Compromised flag may be manually set within Credential Manager. The
flag may be used to record whether a password has become known to an unauthorized
individual. The flag may be set to true to indicate a password should not be reused. The value
of the flag does not affect Credential Manager processing.
4. Click the blue View History icon. The View History icon resembles a clock with a counter-
clockwise arrow. It is located to the right of the Password field.
5. Click the date and time of the password request. The Password History details page appears.
7. Click Save.
2. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 EST 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>
3. Request to view the password. Use the ID provided by the output of the previous command:
4. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:42:43 EST 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>123456</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>2007-11-12 15:42:43.0</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>
2. From the new tab/window menu bar, select Targets. The Account List page appears with a list
of existing target accounts.
3. Click the target account name of which password you want to verify. The account you select
must be verified. The Account Details page appears.
4. Click the Verify Password icon located to the right of the Password field. (Note that a
Windows tooltip stating "Verify Password" appears upon moving your mouse over the icon.)
A message indicating successful password verification appears.
Use the following procedure to verify a synchronized target account password from the CLI.
2. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetAccount>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1233</ID>
<createDate>Mon Nov 12 15:42:43 EST 2007</createDate>
<updateDate>Mon Nov 12 15:42:43 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>account1</userName>
<password>14adc6a1a720e58ee52032364b98f95b</password>
<accessType>A</accessType>
<cacheAllow>true</cacheAllow>
<cacheDuration>20</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified>
</TargetAccount>
</cr.result>
</CommandResult>
4. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<TargetAccount>
<privileged>true</privileged>
<aliases></aliases>
<password>{1}8ae8e633c1fa6020bfb7695e17f83f18</password>
<lastUsed></lastUsed>
<passwordViewPolicyID>1000</passwordViewPolicyID>
<targetApplicationID>1222</targetApplicationID>
<userName>sqlaccount1</userName>
<accessType></accessType>
<cacheDuration>30</cacheDuration>
<synchronize>true</synchronize>
<cacheBehavior>useCacheFirst</cacheBehavior>
<lastVerified>Tue Apr 05 11:47:40 UTC 2011</lastVerified>
<lastViewed></lastViewed>
<passwordVerified>true</passwordVerified>
<compoundAccount>false</compoundAccount>
<targetApplication></targetApplication>
<cacheAllow>true</cacheAllow>
<targetServerAlias></targetServerAlias>
<ID>1233</ID>
<Attribute.extensionType>mssql</Attribute.extensionType>
<Attribute.useOtherAccountToChangePassword>false</Attribute.useOtherAccountToChangePassword>
<Attribute.cspm_serverkeyid>1</Attribute.cspm_serverkeyid>
<Attribute.descriptor1></Attribute.descriptor1>
<Attribute.descriptor2></Attribute.descriptor2>
<createDate>Tue Apr 05 11:44:37 UTC 2011</createDate>
<extensionType>mssql</extensionType>
<updateUser>admin</updateUser>
<updateDate>Tue Apr 05 11:47:40 UTC 2011</updateDate>
<createUser>admin</createUser>
<hash>EuufPEVlFusXtH6XF3rs7BbEJFY=</hash>
</TargetAccount>
</cr.result>
</CommandResult>
If the password does not verify (that is, there is a password mismatch), the attribute
passwordVerified returns a "false" value; for example, <passwordVerified>false</passwordVerified>.
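Every CLI call above, whether it views a password or verifies one, returns the same CommandResult envelope, so a script that drives the CLI for scheduled verification can inspect it uniformly. The following Python is an added example, not code from CA or from the product: it parses a CommandResult string, exposes cr.statusCode and cr.statusDescription, and for a TargetAccount result reports whether passwordVerified is "true", replacing the <password> value with a fixed marker so a parsed result can be logged without leaking the credential. The two XML strings are constructed for the example and carry only a subset of the attributes shown on this page.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Optional

REDACTED = "<redacted>"


@dataclass
class CliResult:
    status_code: int
    status_description: str
    result_tag: Optional[str]           # TargetAccount, Group, Filter, Role, UserGroup, ...
    fields: Dict[str, str] = field(default_factory=dict)  # child elements of the result object


def _child_text(element: ET.Element, tag: str) -> Optional[str]:
    """Text of the first direct child named tag, or None if absent.

    Children are scanned directly rather than with find(), so tag names that
    contain dots (cr.statusCode, Attribute.descriptor1) need no escaping.
    """
    for child in element:
        if child.tag == tag:
            return (child.text or "").strip()
    return None


def parse_command_result(xml_text: str) -> CliResult:
    """Parse a <CommandResult> envelope as printed by the Credential Manager CLI.

    The <password> element of the result object is replaced with REDACTED before
    the fields are returned, so the structure is safe to log or store in a job record.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "CommandResult":
        raise ValueError(f"unexpected root element <{root.tag}>")
    code = int(_child_text(root, "cr.statusCode") or -1)
    desc = _child_text(root, "cr.statusDescription") or ""
    result = next((c for c in root if c.tag == "cr.result"), None)
    obj = next(iter(result), None) if result is not None else None
    fields: Dict[str, str] = {}
    if obj is not None:
        for child in obj:
            text = (child.text or "").strip()
            fields[child.tag] = REDACTED if child.tag == "password" else text
    return CliResult(code, desc, obj.tag if obj is not None else None, fields)


def command_succeeded(res: CliResult) -> bool:
    """The success output documented above carries statusCode 400 and a
    statusDescription of "Success" (with or without a trailing period)."""
    return res.status_code == 400 and res.status_description.rstrip(".") == "Success"


def password_verified(xml_text: str) -> bool:
    """True only when the command succeeded, returned a TargetAccount, and that
    account's passwordVerified attribute is "true". A mismatch, a failed command
    or an unexpected result object all yield False."""
    res = parse_command_result(xml_text)
    if not command_succeeded(res) or res.result_tag != "TargetAccount":
        return False
    return res.fields.get("passwordVerified", "").lower() == "true"


# Constructed sample output: a synchronized account whose password verified.
VERIFY_OK = """<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<TargetAccount>
<ID>1233</ID>
<userName>sqlaccount1</userName>
<password>{1}0123456789abcdef0123456789abcdef</password>
<synchronize>true</synchronize>
<passwordVerified>true</passwordVerified>
<Attribute.extensionType>mssql</Attribute.extensionType>
</TargetAccount>
</cr.result>
</CommandResult>"""

# Constructed sample output for the mismatch case described in the text.
VERIFY_MISMATCH = VERIFY_OK.replace("<passwordVerified>true</passwordVerified>",
                                    "<passwordVerified>false</passwordVerified>")

if __name__ == "__main__":
    for label, xml_out in (("ok", VERIFY_OK), ("mismatch", VERIFY_MISMATCH)):
        res = parse_command_result(xml_out)
        print(label, res.status_code, res.status_description, res.result_tag,
              "verified" if password_verified(xml_out) else "NOT verified", res.fields["password"])
```

A job wrapper that treats any result other than a clean "true" as a failure, as password_verified does, matches the documented behaviour of scheduled verification jobs, where a single failed verification marks the job failed.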
Note
Scheduled jobs do not change target account passwords that are stored in CA Privileged
Access Manager only and not synchronized to a target device.
You can schedule password update or verification jobs with the following recurrence: daily, weekly,
monthly, yearly, or after an arbitrary number of days.
For password update or verification jobs, you can schedule jobs on a per account basis or per target
group basis. When you schedule a job on a per target group basis, the update or verification is
performed on each of the synchronized target accounts within that target group. If a single update or
verification fails, the job status is marked as failed. However, the job continues to process the
remaining updates or verifications.
To view the status of scheduled jobs, generate the Scheduled Jobs Report. See Generating Reports
(see page 387).
2. Select Targets, Scheduled Jobs. The Scheduled Job List page appears.
4. Enter the Job Name. Use a text description for the job.
5. Select the Date and Time for the initial job run.
6. Enter the Recurrence criteria. The Recurrence area updates based on your selection.
8. Select whether you want this job to apply to a target group or individual account.
9. Specify either the target group or individual target account for this job.
Select whether Credential Manager generates the new password. If you select No, extra
fields appear so you can supply the new password.
For Credential Manager generated passwords, select whether to apply the same new
password to all accounts in the group.
Add Proxies
Add proxies in CA Privileged Access Manager for such activities as managing multiple domains,
improving load balancing, and building redundancy into your setup.
Important:
Install the Windows Proxy software on a Windows host before adding a proxy to Credential
Manager. See Install a Windows Proxy for Credential Manager (https://docops.ca.com/display
/CAPAM28/Install+a+Windows+Proxy+for+Credential+Manager). The Windows Proxy runs as a
service on the Windows host. During the installation process:
1. Identify the CA Privileged Access Manager appliance with which the proxy registers.
3. Activate the proxy by opening the proxy record in that list and changing its Status to
"Active".
Use the following procedure to add a proxy manually and register it automatically.
3. Click Add.
The Proxy Details page appears.
4. In the Host Name box, enter the DNS host name or IP address where the proxy software
resides.
8. Click Add.
9. To prevent the host name from being overwritten each time the client registers, select the
Preserve Host Name check box. Otherwise, clear the check box.
The default setting for this check box is determined by the Preserve Client/Proxy Host Names
on the Settings page.
10. If you are using target groupings, in the Descriptor fields, enter the proxy descriptor
information.
You must have local administrator privileges to change the Windows Proxy settings.
5. Type the Domain and Windows account names for the account.
Note:
The Domain name for the account must precede the Windows account name,
separated by a backslash.
Changing a configuration that is not included in the installer, for example port numbers.
Applying a configuration change after installation, for example changing the log file location.
C:\<install_home>\cloakware\cspmclient\config\cspm_client_config.xml
where <install_home> is the location and name of your installation folder, for example
Program Files\cspm_agent.
The following table describes the XML tags in the Windows Proxy configuration file.
The default value is warning. The off setting means log messages are not generated.
<cspmserver>
Specifies the host name of the CA Privileged Access Manager appliance. This value is set by the installer.
<cspmserver_port>
The default port on which the CA Privileged Access Manager appliance listens. The default is blank. For HTTPS, the default is 443. If the server port is changed from 443, you must modify this value.
<daemonserver1_port>
The Windows Proxy uses this port to listen for requests from the CA Privileged Access Manager appliance. For the Windows Proxy, the default value is 27077.
<daemonserver2_port>
This port is not used by the Windows Proxy.
<logfile>
Specifies the location of the log file used by the daemon. The installer sets this value.
<c_logfile>
The log file used by the service and stateless client interface stubs. The default is C:\WINDOWS\TEMP\cspm_c_client_log.txt on Windows Server 2008 R2. The log file must be in a directory to which all users of the Windows Proxy have write access.
<patch>
Specifies patch management attributes, as in the following XML tags: frequency, starthour, and endhour.
<frequency>
Specifies the frequency at which the Windows Proxy polls the CA Privileged Access Manager appliance to check for an upgrade.
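Because the proxy is reconfigured by editing this file by hand, a sanity check before the service is restarted catches the mistakes the table warns about: a blank appliance host name, or a server port that no longer matches the appliance. The following Python is an added example, not a CA tool and not part of the product: it parses a constructed copy of the configuration using only the tags named in the table and returns a list of findings. The <config> root element, the placeholder C:\PROXY_LOG_DIR log directory and the nesting of frequency, starthour and endhour under <patch> are assumptions of the example; check them against the installed copy of cspm_client_config.xml before relying on the script.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample configuration (layout assumed; tag names from the table above).
SAMPLE_CONFIG = r"""<config>
  <cspmserver>pam-appliance.example.internal</cspmserver>
  <cspmserver_port></cspmserver_port>
  <daemonserver1_port>27077</daemonserver1_port>
  <daemonserver2_port></daemonserver2_port>
  <logfile>C:\PROXY_LOG_DIR\cspm_client_log.txt</logfile>
  <c_logfile>C:\WINDOWS\TEMP\cspm_c_client_log.txt</c_logfile>
  <patch>
    <frequency>24</frequency>
    <starthour>1</starthour>
    <endhour>5</endhour>
  </patch>
</config>"""

HTTPS_DEFAULT_PORT = 443        # the documented meaning of a blank cspmserver_port
DOCUMENTED_DAEMON_PORT = 27077  # documented default for daemonserver1_port


def _text(parent: ET.Element, tag: str) -> Optional[str]:
    """Text of the direct child named tag, or None if the element is absent."""
    el = parent.find(tag)
    return (el.text or "").strip() if el is not None else None


def _valid_port(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535


def effective_server_port(xml_text: str) -> int:
    """Port the proxy will use to reach the appliance; blank means the HTTPS default."""
    port = _text(ET.fromstring(xml_text), "cspmserver_port")
    return int(port) if port else HTTPS_DEFAULT_PORT


def validate_proxy_config(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    if not _text(root, "cspmserver"):
        findings.append("cspmserver: appliance host name is empty")

    port = _text(root, "cspmserver_port")
    if port and not _valid_port(port):
        findings.append(f"cspmserver_port: {port!r} is not a valid TCP port")

    listen = _text(root, "daemonserver1_port")
    if not listen or not _valid_port(listen):
        findings.append("daemonserver1_port: missing or not a valid TCP port")
    elif int(listen) != DOCUMENTED_DAEMON_PORT:
        findings.append(f"daemonserver1_port: {listen} differs from the documented default "
                        f"{DOCUMENTED_DAEMON_PORT}; confirm the appliance and firewall rules match")

    for tag in ("logfile", "c_logfile"):
        if not _text(root, tag):
            findings.append(f"{tag}: no log file path set")

    patch = root.find("patch")
    if patch is None:
        findings.append("patch: element missing")
    else:
        for sub in ("frequency", "starthour", "endhour"):
            value = _text(patch, sub)
            if value is None or not value.isdigit():
                findings.append(f"patch/{sub}: missing or not numeric")
            elif sub != "frequency" and not 0 <= int(value) <= 23:
                findings.append(f"patch/{sub}: {value} is not an hour of the day (0-23)")
    return findings


# Constructed counter-example: empty appliance name and an out-of-range port.
BAD_CONFIG = (SAMPLE_CONFIG
              .replace("<cspmserver>pam-appliance.example.internal</cspmserver>",
                       "<cspmserver></cspmserver>")
              .replace("<cspmserver_port></cspmserver_port>",
                       "<cspmserver_port>99999</cspmserver_port>"))

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(name, "server port:", effective_server_port(cfg), "findings:", validate_proxy_config(cfg))
```

One requirement from the table that a static check cannot confirm is that every user of the proxy has write access to the c_logfile directory; verify that on the host itself, and keep in mind that a world-writable log location is exactly the kind of path worth watching for tampering.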
3. Click the host name of the server where the proxy whose logs you want to view is installed.
The Proxy Details page appears.
Note:
You can only request the most recent log file. Previously rotated files are excluded.
Credential Manager uses static and dynamic groupings. Static groups enable the direct assignment of
specific resources to a particular user group. Static groups enforce the specified resource assignment
and provide precise control over group membership. Dynamic groups use filter rules to specify
patterns for resource assignment. All matching entities are assigned membership in the specified
dynamic group. Any new entity that is added and that matches the pattern is automatically placed in
all applicable groups, minimizing administrative burden.
For installations that do not have consistent standards for the assignment of group attributes (such as
server names, application names and IP addresses), there are two descriptor fields for each entity.
You can use the contents of these fields to create naming standards to support dynamic group
assignment.
Credential Manager users are also grouped, which simplifies the design and implementation of the
security policies used to manage them.
Credential Manager User Groups and Roles are distinct and separate from CA Privileged Access
Manager User Groups and Roles. See Credential Manager Grouping Terminology (see page 348).
A target account password can be accessed from Credential Manager by either a user or a request
script:
A user creates a password request from the GUI, from the CLI, or from a program that uses the
Java API.
To filter access to passwords, target accounts and request scripts can be partitioned into target
groups and requestor groups. Credential Manager user groups can then be defined to permit only
selected operations on a target or request group.
Term Definition
Target Group
A target group is a collection of Credential Manager devices (target servers), target applications, or target accounts that meet specific filter criteria (for example, all target servers that have the identifier London in the Descriptor2 field).
A single target can belong to multiple target groups. When a target group consists of target servers, all applications and accounts on that server are automatically contained within that target group.
Requestor Group
A requestor group is a collection of requestor servers (A2A Clients) or requestors (scripts) that meet specific filter criteria (for example, all requestor servers that have the identifier New York in the Descriptor1 field).
A single requestor can belong to multiple requestor groups. When a requestor group consists of requestor servers, all applications on that server are automatically contained within that requestor group.
Roles
Each role is a collection of actions that can be performed in Credential Manager. You can build roles for each series of permissions you want to assign CA Privileged Access Manager users.
User Group
A collection of all CA Privileged Access Manager users who are dynamically determined from a Credential Manager role, a target group, or a request group.
Credential Manager User Groups are distinct and separate from CA Privileged Access Manager User Groups. See User Groups in and Credential Manager (see page ).
If the Target Group is not specified in a Credential Manager User Group, then members of the User Group do not have access to any target servers, target applications, or target accounts. If the Request Group is not specified, members of the User Group do not have access to any A2A clients or scripts.
Users
Users are CA Privileged Access Manager user accounts. Each Credential Manager user belongs to one or more user groups. The user groups define what targets and requestors the user can see and what actions the user can perform on the CA Privileged Access Manager interfaces.
Filter
A condition that is assigned to a target group or requestor group that determines which target or requestor objects are accessible by members of the target or requestor group.
A static association of specific CA Privileged Access Manager Users. Some User attributes, such as
(Access) Roles and Access Time, can be assigned at the group level.
Listed on the Users, Manage Groups page. CA Privileged Access Manager User Groups are created
or edited from a template opened on that page.
A collection of all CA Privileged Access Manager users who are dynamically determined from a
Credential Manager role, a target group, or a request group.
Listed on the Policy, Manage Passwords, Groups, User Groups page. Credential Manager User
Groups are created or edited from a template opened on that page, or through CLI commands.
A User Group can be assigned to a CA Privileged Access Manager user that has a CA Privileged
Access Manager role with the credentialsManage permission. Once a CA Privileged Access
Manager user has the credentialsManage permission, the user can be assigned to a
Credential Manager group with the User template on the Users, Manage Users page. The Users,
Manage Users page has a "PM Group" pull-down menu. The following preset CA Privileged Access
Manager roles have the credentialsManage permission:
Global Administrator
Operational Administrator
Password Manager
Similarly, CA Privileged Access Manager roles are configured with the Roles template on the Users,
Manage Roles page. Credential Manager roles are configured on the Policy, Manage Passwords,
Groups, Roles page. Credential Manager roles are created or edited from a template opened on that
page, or through CLI commands.
When using the CLI to add a dynamic target or requestor group, you add filters as a separate
command (addFilter) after you add the target or requestor group. The following table describes
the filters that you can create.
(Filter.objectClassId) (Filter.attribute)
Target server (c.cw.m.ts)
Host name (hostName): Host name for the target server.
ipAddress (IPAddress): IP address for the target server.
descriptor1 (Attribute.descriptor1): Descriptor for the target server.
descriptor2 (Attribute.descriptor2): Descriptor for the target server.
Target application (c.cw.m.tp)
Name (name): Name of the target application.
Type (type): Type (target connector) of the target application.
descriptor1 (Attribute.descriptor1): Descriptor for the target application.
descriptor2 (Attribute.descriptor2): Descriptor for the target application.
Target account
accountName (accessType): Account user name for the target account.
descriptor1 (Attribute.descriptor1): Descriptor for the target account.
descriptor2 (Attribute.descriptor2): Descriptor for the target account.
Requestor server (c.cw.m.rs)
Host name (hostName): Host name for the requestor server.
ipAddress (IPAddress): IP address for the requestor server.
descriptor1 (Attribute.descriptor1): Descriptor for the requestor server.
descriptor2 (Attribute.descriptor2): Descriptor for the requestor server.
Requestor application (c.cw.m.sc)
Name (name): Script name for the requestor application.
Type (type): Script type for the requestor application.
descriptor1 (Attribute.descriptor1): Descriptor for the requestor application.
descriptor2 (Attribute.descriptor2): Descriptor for the requestor application.
File path (filePath): Path to the script file.
Execution Path (executionPath): Path from which the application is launched.
When you apply multiple filters within a dynamic target group, filters that use the same attribute (for
example, Host Name) are applied using a logical or relationship. For example, if a target group
contains a server filter for Paris as the host name, and a server filter for Production as the host name,
then the group contains target servers with either Paris or Production in their host name. Filters that
use different attributes are applied using a logical and relationship. For example, if a group contains a
server filter for Paris as the host name, and an account filter for siteAdmin as the account name, then
the group contains only siteAdmin accounts running on servers with Paris in their host name.
For static group assignments, you define the specific servers, applications, and accounts that are
members of the group. Static groups provide precise control over the accounts within the group. On
the UI, selecting an account automatically populates the server and application filters of the static
group with appropriate information. Use static groups to assign specific target accounts to a group
for management.
If no target accounts are defined for the static group, all target accounts associated with the target
applications in the static group are managed.
Credential Manager is preconfigured with the dynamic target group All Targets. The default
Credential Manager Administrator account, super, is assigned to the All Targets group.
Credential Manager allows you to show all the targets that are associated with a specific target
group. This capability allows you to validate that you have set your resource assignments and target
filters appropriately.
2. From the new tab/window menu bar, click Targets, Target Groups. The Group List page
appears.
6. Add filters to a server, application, or account. Repeat this procedure for each filter you want
to add.
a. Click the check box for the filter you want to apply.
The filter attribute is displayed on the screen.
c. Select the filter type from the drop-down list (for example, contains).
7. Click Save.
After you add filters, click Save at the bottom of the page to commit the target group to
Credential Manager.
Use the following procedure to add a dynamic target group from the CLI.
2. Enter your password at the prompt. Credential Manager returns the following XML command
string. Note the ID value, because it is the required Group.ID value in the addFilter
command.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<Group>
<name>TokyoTargets</name>
<permissions>[]</permissions>
<type>target</type>
<readOnly>false</readOnly>
<description>Targets in Tokyo</description>
<dynamic>true</dynamic>
<ID>5</ID>
3. Add a filter. For example, adding a target server host name filter:
4. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<Filter>
<type>contains</type>
<attributeName>hostName</attributeName>
<groupID>5</groupID>
<objectClassID>c.cw.m.ts</objectClassID>
<expression>mydomain</expression>
<ID>7</ID>
<createDate>Thu May 08 09:47:35 EDT 2008</createDate>
<createUser>admin</createUser>
<hash />
<updateDate>Thu May 08 09:47:35 EDT 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType />
</Filter>
</cr.result>
</CommandResult>
2. From the new tab/window menu bar, click Targets, Target Groups. The Group List page
appears.
3. Click the target group that you want to view. The Group Details page appears.
4. Click Show. The list of targets matching the criteria within the group displays.
5. Click OK.
2. From the new tab/window menu bar, click Targets, Target Groups. The Group List page
appears.
6. Add the servers, applications, and accounts over which the group should have control.
a. Click + for the entity you want to add. A list of available resources appears. The
following figure shows a typical page that appears when you click + for applications.
c. Click Select.
Note:
All accounts are listed in the Find Account popup. Selecting a specific
account populates the server and application filters with the associated
server and application information for that account.
7. Click Save.
When modifying target group data, click Save at the bottom of the page to commit the
changes to Credential Manager.
When you apply multiple filters within a dynamic requestor group, filters that use the same attribute
(for example, Host Name) are applied using a logical or relationship. For example, if a requestor
group contains a server filter for Paris as the host name, and a server filter for Production as
the host name, then the group contains requestor servers with either Paris or Production in their
host name. Filters that use different attributes are applied using a logical and relationship. For
example, if a group contains a server filter for Paris as the host name, and an account filter for
siteAdmin as the account name, then the group contains only siteAdmin accounts running on
servers with Paris in their host name.
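The combination rule just stated for dynamic requestor groups is the same one given earlier for dynamic target groups: filters on the same attribute are OR-ed together, and the per-attribute results are AND-ed. The following Python is an added example, not code from CA or from the product: it models filters with the same fields the CLI's <Filter> object carries (objectClassID, attributeName, type, expression), applies the rule to a constructed set of server/account pairs, and reproduces the Paris, Production and siteAdmin example from the text. Flattening each server/application/account chain into one attribute map, case-sensitive substring matching for contains, the extra equals type, and the placeholder class ID on the account filter are assumptions of the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# A filter mirrors the fields of the <Filter> object returned by the CLI.
Filter = Dict[str, str]
# An entity is one server/application/account chain flattened into a single
# attribute map (hostName, accountName, ...). This flattening is an assumption of
# the example, so objectClassID is carried for readability but not consulted.
Entity = Dict[str, str]


def _filter_matches(flt: Filter, value: Optional[str]) -> bool:
    """Evaluate one filter against one attribute value."""
    if value is None:
        return False
    if flt["type"] == "contains":           # the only type shown in the documentation
        return flt["expression"] in value   # case-sensitive substring match (assumed)
    if flt["type"] == "equals":             # assumed additional type, for illustration
        return flt["expression"] == value
    raise ValueError(f"unsupported filter type {flt['type']!r}")


def is_member(filters: List[Filter], entity: Entity) -> bool:
    """Documented rule: same-attribute filters are OR-ed, then AND-ed across attributes."""
    by_attribute: Dict[str, List[Filter]] = defaultdict(list)
    for flt in filters:
        by_attribute[flt["attributeName"]].append(flt)
    return all(
        any(_filter_matches(flt, entity.get(attr)) for flt in same_attr)
        for attr, same_attr in by_attribute.items()
    )


def group_members(filters: List[Filter], entities: List[Entity]) -> List[str]:
    """IDs of the entities the dynamic group would contain."""
    return [e["id"] for e in entities if is_member(filters, e)]


def _f(object_class: str, attribute: str, expression: str, ftype: str = "contains") -> Filter:
    return {"objectClassID": object_class, "attributeName": attribute,
            "type": ftype, "expression": expression}


# The group from the text: host name Paris OR Production, AND account siteAdmin.
# The class ID for target accounts is not given in the filter table; placeholder used.
PARIS_SITEADMIN = [
    _f("c.cw.m.ts", "hostName", "Paris"),
    _f("c.cw.m.ts", "hostName", "Production"),
    _f("ACCOUNT_CLASS_ID_PLACEHOLDER", "accountName", "siteAdmin"),
]

# Constructed server/account pairs to evaluate.
SAMPLE_ENTITIES: List[Entity] = [
    {"id": "t1", "hostName": "Paris-db-01",       "accountName": "siteAdmin"},
    {"id": "t2", "hostName": "Production-web-02", "accountName": "siteAdmin"},
    {"id": "t3", "hostName": "Paris-db-01",       "accountName": "backup"},
    {"id": "t4", "hostName": "London-db-03",      "accountName": "siteAdmin"},
]

if __name__ == "__main__":
    print(group_members(PARIS_SITEADMIN, SAMPLE_ENTITIES))  # ['t1', 't2']
```

Running the same entities against only the two hostName filters returns t1, t2 and t3, which is the OR behaviour; adding the accountName filter narrows the set to t1 and t2, which is the AND across attributes. Evaluating a proposed filter set this way before saving the group is a cheap check that a broad contains expression does not sweep in more accounts than intended, which is what the Show button on the Group Details page confirms after the fact.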
Credential Manager is preconfigured with the dynamic requestor group All Requestors. The
default Credential Manager Administrator account, admin, is assigned to the All Requestors group.
Credential Manager allows you to show all the requestors associated with a specific requestor group.
You can validate that you have set your resource assignments and requestor filters appropriately.
When dealing with many scripts, you can eliminate the need to provision each script manually. Set
the script filters to access all client applications having a particular file or execution path. If you define
Path File or Execution File filters, then all scripts in the path that meet the filter criteria become
members of the script group. The group includes scripts that are defined in the Credential Manager
database and those scripts that are not.
Use the following procedure to add a dynamic requestor group from the GUI.
2. From the new tab/window menu bar, select A2A, Request Groups. The Group List page
appears.
6. Add filters to a client or script. Repeat this procedure for each filter you want to add to the
list.
c. Select the filter type from the drop-down list (for example: contains).
f. Click Save.
7. Click Save.
When modifying filter data, click Save at the bottom of the page to commit the changes to
Credential Manager.
Use the following procedure to add a dynamic requestor group from the CLI.
2. Enter your password at the prompt. Credential Manager returns the following XML command
string. Note the ID value, because it is the required Group.ID value in the addFilter
command.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<Group>
<ID>4</ID>
<createDate>Tue Apr 08 10:21:21 EDT 2008</createDate>
<updateDate>Tue Apr 08 10:21:21 EDT 2008</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>jrLLJH7U5QUFjNux1GD1avKk/qc=</hash>
<name>NewYorkRequestors</name>
<description>Requestors in New York</description>
<type>requestor</type>
<dynamic>true</dynamic>
<readOnly>false</readOnly>
<permissions>[]</permissions>
</Group>
</cr.result>
</CommandResult>
3. Add a filter. For example, adding a requestor server host name filter:
4. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<Filter>
<ID>7</ID>
<createDate>Tue Apr 08 10:23:02 EDT 2008</createDate>
<updateDate>Tue Apr 08 10:23:02 EDT 2008</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash></hash>
<expression>mydomain</expression>
<type>contains</type>
<objectClassID>c.cw.m.rs</objectClassID>
<attributeName>hostName</attributeName>
<groupID>4</groupID>
</Filter>
</cr.result>
</CommandResult>
2. From the new tab/window menu bar, select A2A, Request Groups. The Group List page
appears.
3. Click the requestor group that you want to view. The Group Details page appears.
4. Click Show. The list of requestors matching the criteria within the group displays.
5. Click OK.
2. From the new tab/window menu bar, select A2A, Request Groups. The Group List page
appears.
6. Add the clients and requestors over which the group should have control.
a. Click + for the entity (Client; Script) you want to add. A list of available resources
appears.
c. Click Select.
7. Click Save.
When modifying requestor group data, click Save at the bottom of the page to commit the
changes to Credential Manager.
When selecting available permissions for a role, Credential Manager requires the associated get
and list permissions. For example, if you want a user to addAgent or deleteAgent, you must
also add permission to getAgent.
FirecallApprover: This role provides a user with the ability to approve password view requests
only. This role is usually assigned to users with a view type of General User.
FirecallUser: This role provides a user with the ability to view target account passwords only. This
role is usually assigned to users with a view type of General User.
ReadOnly: This role provides a user access to most of the Credential Manager interface, but they
cannot change any information on the pages they access. Users with this role can view target
account passwords. Users with this role are different from users with a view type of General User,
who can access only a very limited subset of the Credential Manager interface.
RequestorAdmin: This role provides a user permission to access and update only requestor
information. You might give this role to personnel doing requestor integration for A2A
integration. Users with this role cannot add script authorizations and do not have access to any
target or user information.
ScriptAuthorizationAdmin: This role allows a user to add script authorizations. You might give
this role to personnel doing requestor integration for A2A integration.
ServerAdmin: This role provides the User access to all Credential Manager administrative
functions, except those provided in the Targets, Applications; Targets, Aliases; A2A or Groups
menus.
System Admin: This is the default role used by Credential Manager to provide access to all
Credential Manager functionality. Do not modify this role.
TargetAdmin: This role allows a user to access and update only target information. You might give
this role to database administrators that need to register and manage database accounts using
Credential Manager. Users with this role can add and update password policies; however, they
cannot delete password policies. Users with this role do not have access to any requestor or user
information.
UserAdmin: This role allows a user to administer Credential Manager Roles and Credential
Manager User Groups. Users with only this role do not have access to any target or requestor
information, nor to individual User accounts or (regular) User Groups.
ViewReports: This role lets a user generate and view Credential Manager reports.
2. From the new tab/window menu bar, select Groups, Roles. The Roles List page appears.
3. Select the role you want to modify (for example, RequestorAdmin). The available
permissions display on the Role Details page.
5. Click Save.
Add a Role
Use the following procedure to add a role from the GUI.
2. From the new tab/window menu bar, select Groups, Roles. The Roles List page appears.
6. Click Save.
For a complete list and description of Role.permissions, see Credential Manager CLI
User Interface Actions (https://docops.ca.com/display/CAPAM28
/Credential+Manager+CLI+User+Interface+Actions).
2. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<Role>
<ID>11</ID>
<createDate>Tue Apr 08 10:31:28 EDT 2008</createDate>
<updateDate>Tue Apr 08 10:31:28 EDT 2008</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>SD0la6QKWvtwUPILIy5eznW7I7I=</hash>
<name>patchMgrRole</name>
<description>Manages patches</description>
<permissions>[activatePatch, activatePatchNow, addPatch, deletePatch,
deletePatchDetail, getPatchDetail, listPatch, listPatchDetailSummary,
updatePatch, updatePatchDetail, updatePatchDetailList]</permissions>
<readOnly>false</readOnly>
<hidden>false</hidden>
</Role>
</cr.result>
</CommandResult>
Note:
After an upgrade, customers may see a new user group called Base Users. The Base Users
group is a container for users that are not associated to any other user group. CA
Technologies recommends that customers associate any Base Users to other more
meaningful user groups.
Use the following procedure to add a Credential Manager user group from the GUI.
2. From the new tab/window menu bar, select Groups, User Groups. The User Groups page
appears.
6. Select a Role.
9. Click Save.
The Show Users button helps to show the user group members list.
Use the following procedure to add a Credential Manager user group from the CLI.
2. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<UserGroup>
<name>LonUserGroup</name>
<readOnly>false</readOnly>
<description>London user group</description>
<role />
<roleID>11</roleID>
<groups>[]</groups>
<groupIDs>[2, 3]</groupIDs>
<ID>2</ID>
<createDate>Thu May 08 08:57:16 EDT 2008</createDate>
<createUser>admin</createUser>
<hash>D8VjGl43dB45/altCCiikvXebbw=</hash>
<updateDate>Thu May 08 08:57:16 EDT 2008</updateDate>
<updateUser>admin</updateUser>
<extensionType />
</UserGroup>
</cr.result>
</CommandResult>
In the CA Privileged Access Manager provisioning framework, by specifying a device of type A2A
Either setup can be performed first, except when you are deploying A2A Devices within an AWS VPC.
To deploy an AWS AMI instance as an A2A Device, do not manually add the Device before installing
the A2A Client. Instead, create the instance in AWS and allow CA Privileged Access Manager to import it
automatically. When this happens, CA Privileged Access Manager recognizes the internal IP address
of the device. After you install the A2A Client, it registers with the server using that AWS-internal
address.
1. Activate the request server (A2A Device). This step is not required when the A2A Device has
already been provisioned.
1. The fingerprint for the host on which the client resides, if fingerprinting is enabled
3. DNS
When a requestor application requests credentials, the credentials remain encrypted as they are
transferred over the network. The A2A Client decrypts the credentials before passing them to the
requestor.
Fingerprinting
A server fingerprint consists of a combination of hardware characteristics. Examples: CPU serial
numbers and network IDs. Credential Manager dynamically calculates the fingerprint of the server
executing a script to validate the physical machine identity of the credential requestor.
DNS
Credential Manager uses the client host name as part of the client authentication process. Reverse IP
lookup is also possible, if needed.
If you provision a CA Privileged Access Manager Device before an A2A Client is installed, then
upon receipt of an A2A Client login, Credential Manager automatically updates the request server
information in an active state.
If you install an A2A Client before you provision it in CA Privileged Access Manager, then upon
receipt of an A2A Client login, Credential Manager automatically adds the request server
information in an inactive state. It then flags the request in the GUI for the Credential Manager
administrator to activate.
Authorization Mapping
Credential Manager ensures target credential security by requiring you to authorize requestors to
retrieve the target credentials through a target alias. You can authorize various combinations of
requestors, request servers, and request groups to retrieve credentials for a target alias or for a
target group. Once the request group, request server, and request scripts are registered, Credential
Manager uses authorization mapping to associate them with a target alias or a target group.
When adding the authorization mapping, you can enable system-wide checks for request validation
or you can configure them in the GUI.
Integrity Verification
To support Integrity Verification, the file name, file path, and execution path must be registered in a
specific way. The way depends on the operating system of the client and the integration method
(Java, executable, DLL, or shared object) as described in the following table.
Execution path: The absolute file path to the class file. UNIX file paths cannot contain symbolic links.
UNIX executable (cspmclient, cspmclient64)
Script name: The name of the requestor file that contains the Credential Manager executable call.
File path: The absolute path to the requestor file containing the DLL call.
The absolute file path is the complete path without symbolic links. To print the absolute file path in
UNIX, use the command pwd -P.
Example Requestors
Each A2A Client includes example applications. The examples are located in the
$CSPM_CLIENT_HOME/cspmclient/examples directory.
The UNIX version of the A2A Client supports symbolic links in the File Path field only.
Script type: C
When entering Credential Manager request script data, you must enter the actual value
for $CSPM_CLIENT_HOME.
Execution path: $CSPM_CLIENT_HOME\cspmclient\examples\VB_Sample
Script type: VB
Executable: VC_Sample (Credential Manager MFC DLL)
Source directory: VC_Sample
Script name: VC_Sample.exe
File path: $CSPM_CLIENT_HOME\cspmclient\examples\VC_Sample
Execution path: $CSPM_CLIENT_HOME\cspmclient\examples\VC_Sample
Script type: C
Executable: VBScriptSample.html (Credential Manager ATL DLL)
Source directory: VB_Script_Sample
Script name: VBScriptSample.html
File path: $CSPM_CLIENT_HOME\cspmclient\examples\VB_Script_Sample
Execution path: $CSPM_CLIENT_HOME\cspmclient\examples\VB_Script_Sample
Script type: VB
Executable: JavaScriptSample.htm (Credential Manager ATL DLL)
Source directory: Java_Script_Sample
Script name: JavaScriptSample.htm
File path: $CSPM_CLIENT_HOME\cspmclient\examples\Java_Script_Sample
Execution path: $CSPM_CLIENT_HOME\cspmclient\examples\Java_Script_Sample
Important:
Started the A2A Client daemon (UNIX) or service (Windows) so that it is now running
2. From the Device list on that page, identify the A2A Client by specifying its Device Name and/or
IP address. Open its record.
4. Click Save to activate the A2A Client in the Credential Manager server, and exit the template.
To deactivate a request server, repeat the previous procedure but clear the Active check box.
Clearing the Device Type: A2A check box also undoes the registration. However, in this case the A2A
Client responds by reregistering the request server. If you change the device Address without
changing the Device Name before the A2A Client reregisters, the A2A Client does not successfully
reregister. The Tomcat log contains an error entry stating that the Credential Manager server “could
not register the [request server because] Device Name [name] already exists.”
Add Requestors
To implement A2A scripts, you add requestors in CA Privileged Access Manager. This procedure
assumes that you have registered the request server and set it to the active status. (See Install an
A2A Client for Credential Management (https://docops.ca.com/display/CAPAM28
/Install+an+A2A+Client+for+Credential+Management).) Example Requestors (see page 368) provide
registration data for the examples.
3. Click Add.
The Script Details page appears.
4. Click the magnifying glass to find an existing client or click the + to add a new client.
5. Enter the Script or Application Name, File Path, Execution Path, and script Type.
7. Click Save.
The Script List page updates with the registered request scripts.
Use the following procedure to retrieve the script hash from the GUI.
3. Click Get Script Hash. If you are unable to retrieve the script hash, ensure that the server
hosting the A2A Client is not blocking communication to Credential Manager. By default, A2A
Client listens on port 28888.
4. Click Save.
2. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<RequestServer>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Vienna</Attribute.descriptor1>
<ID>1</ID>
<createDate>Mon Nov 12 15:45:56 UTC 2007</createDate>
<updateDate>Mon Nov 12 15:45:56 UTC 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>/fvVAT2Ri4AN7zYCsweyB++/9ow=</hash>
<hostName>Vienna-Lab4.cloakware.com</hostName>
<IPAddress>11.2.0.4</IPAddress>
<type>CLIENT</type>
<port>1</port>
<oldKey>
</oldKey>
<autoPatch>true</autoPatch>
<pendingAcknowledgement>true</pendingAcknowledgement>
<active>true</active>
<actionRequired>false</actionRequired>
<action>
</action>
<currentFingerprint>
</currentFingerprint>
<pendingFingerprint>
</pendingFingerprint>
<currentFingerprintDate>
</currentFingerprintDate>
<pendingFingerprintDate>
</pendingFingerprintDate>
<osName>
</osName>
<osVersion>
</osVersion>
<osArchitecture>
</osArchitecture>
<clientType>
</clientType>
<clientVersion>
</clientVersion>
</RequestServer>
</cr.result>
</CommandResult>
4. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<RequestScript>
<ID>1</ID>
<createDate>Mon Nov 12 15:47:35 UTC 2007</createDate>
<updateDate>Mon Nov 12 15:47:35 UTC 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>/14qoJ1SI63KgaTIKDZD8J5lWvs=</hash>
<name>example.pl</name>
<filePath>/opt/cloakware/cspmclient_v.3.5.0/examples</filePath>
<executionPath>/opt/cloakware/cspmclient_v.3.5.0/examples</executionPath>
<type>Perl</type>
<requestServerID>1</requestServerID>
<scriptHash>
</scriptHash>
</RequestScript>
</cr.result>
</CommandResult>
A mapping to a target group includes all aliases for all accounts in the group. A mapping from a
request server can include all applications (scripts) on the server or can be restricted to a specific
script. A mapping from a request group includes all applications (scripts) in the group.
Execution user ID
Execution path
Note:
Before adding an authorization mapping, add the target alias or target group, request
server, or request server group, and request script if necessary. If there is no verification of
the script (such as integrity verification or execution path), then a request script entry is
not required for an authorization with a request group mapping.
When you create a dynamic requestor script group using the filter File Path or Execution Path, the
group contains all scripts in the path that satisfy the filter criteria. The group includes those scripts
that are defined in the Credential Manager database and those scripts that are not. When mapping a
script group created with these filters, be attentive to how you set the Check Execution Path and
Check File Path checkboxes in the Authorization Details page to avoid unexpected results. If you
select the Check Execution Path and/or Check File Path checkboxes, the authorization mapping is
restricted to only those scripts that are in the Credential Manager database. Any scripts in the group
that are not defined in the database are excluded from the authorization mapping. If you clear the
checkboxes, all scripts in the group are included in the authorization mapping.
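As an added illustration (not CA PAM code) of how the mapping checks described above combine, the following Python model applies the Authorization fields shown in the CLI output on this page (executionUser, checkExecutionUser, checkPath, checkFilePath, checkScriptHash, scriptID) to a credential request; the hash scheme, the class names and the sample data are assumptions made for this example.

```python
"""Added example, not CA PAM code: a model of the checks an authorization
mapping applies before a requestor may retrieve a target alias's credentials.
It uses the Authorization fields shown in the CommandResult XML on this page
and the rule that, once a path check is selected, only scripts provisioned in
the Credential Manager database can match. Hash scheme and names are assumed.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class RequestScript:
    """A provisioned request script (the RequestScript record)."""
    name: str
    file_path: str
    execution_path: str
    script_hash: str = ""          # empty until Get Script Hash has succeeded


@dataclass(frozen=True)
class Authorization:
    """One authorization mapping (the Authorization record)."""
    execution_user: str            # comma-separated user IDs (step 10)
    check_execution_user: bool
    check_path: bool               # Check Execution Path
    check_file_path: bool          # Check File Path
    check_script_hash: bool        # Perform Script Integrity Validation
    script_name: Optional[str] = None  # None: all scripts on the request server


@dataclass(frozen=True)
class CredentialRequest:
    """What the A2A Client reports about the requesting script (constructed)."""
    script_name: str
    file_path: str
    execution_path: str
    execution_user: str
    script_bytes: bytes


def compute_script_hash(data: bytes) -> str:
    """Assumed encoding for the example: base64(SHA-1), like the <hash> values
    in the XML. The page does not describe the real hashing scheme."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def evaluate(auth: Authorization, req: CredentialRequest,
             provisioned: Dict[str, RequestScript]) -> Tuple[bool, str]:
    """Return (allowed, reason); the first failing check decides."""
    if auth.script_name is not None and auth.script_name != req.script_name:
        return False, "script not covered by this mapping"

    if auth.check_execution_user:
        allowed = {u.strip() for u in auth.execution_user.split(",") if u.strip()}
        if req.execution_user not in allowed:
            return False, "execution user not authorized"

    script = provisioned.get(req.script_name)
    if (auth.check_path or auth.check_file_path or auth.check_script_hash) \
            and script is None:
        # Scripts not defined in the database are excluded once a check is on.
        return False, "script not provisioned in Credential Manager"

    if auth.check_path and req.execution_path != script.execution_path:
        return False, "execution path mismatch"       # absolute, no symlinks

    if auth.check_file_path and req.file_path != script.file_path:
        return False, "file path mismatch"

    if auth.check_script_hash:
        if not script.script_hash:
            # Same condition as the GUI note: no valid hash, no integrity check.
            return False, "no valid script hash stored for integrity validation"
        if compute_script_hash(req.script_bytes) != script.script_hash:
            return False, "script integrity validation failed"

    return True, "authorized"


# Constructed sample data modelled on the example.pl registration above.
EXAMPLE_PL = b"#!/usr/bin/perl\nprint cspm_get_credentials($ARGV[0]);\n"
EXAMPLES_DIR = "/opt/cloakware/cspmclient_v.3.5.0/examples"
PROVISIONED = {
    "example.pl": RequestScript("example.pl", EXAMPLES_DIR, EXAMPLES_DIR,
                                compute_script_hash(EXAMPLE_PL)),
}
STRICT = Authorization("root,cspm", True, True, True, True, "example.pl")
OPEN = Authorization("", False, False, False, False)


def sample_request(**overrides) -> CredentialRequest:
    """A valid request for example.pl; overrides simulate deviations."""
    fields = dict(script_name="example.pl", file_path=EXAMPLES_DIR,
                  execution_path=EXAMPLES_DIR, execution_user="root",
                  script_bytes=EXAMPLE_PL)
    fields.update(overrides)
    return CredentialRequest(**fields)


if __name__ == "__main__":
    print(evaluate(STRICT, sample_request(), PROVISIONED))
    print(evaluate(STRICT, sample_request(execution_user="nobody"), PROVISIONED))
```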
Use the following procedure to add an authorization mapping from the GUI.
2. From the new tab/window menu bar, select A2A, Mappings. The Authorization List page
appears with a list of existing authorizations.
5. Click the magnifying glass to search for a specific target group or alias.
7. Click the magnifying glass to search for a specific A2A requestor group or client.
8. Specify whether the mapping applies to all applications (scripts) on the request server or an
individual application (script). If the mapping applies to an individual script, click the
magnifying glass to find the specific script or type the script name in the field.
This step does not apply for A2A requestor groups because the mapping applies to all scripts
on the requestor servers in the A2A requestor group.
10. Enter one or more execution user IDs. Separate multiple user IDs with commas.
11. If required, select Check Execution Path. Selecting this check box restricts the authorization to
provisioned scripts only.
12. If required, select Check File Path. Selecting this check box restricts the authorization to
provisioned scripts only.
Note:
If Credential Manager does not allow you to select Perform Script Integrity
Validation, Credential Manager does not have a valid script hash. Add the
authorization mapping without checking the Perform Script Integrity Validation, and
run a successful query from the requestor. Then, update the authorization mapping
to select Perform Script Integrity Validation.
RequestScript.name=example.pl RequestScript.executionPath=/opt/cloakware/cspmclient_v.3.3.0/examples Authorization.checkExecutionID=true Authorization.executionUser=root Authorization.checkPath=true Authorization.checkScriptHash=true
2. Enter your password at the prompt. Credential Manager returns the following XML command
string.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<Authorization>
<ID>1</ID>
<createDate>Mon Nov 12 15:51:06 EST 2007</createDate>
<updateDate>Mon Nov 12 15:51:06 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>XOPh+2zvQDphQ0M4LPzLfyTPoiw=</hash>
<executionUser>root</executionUser>
<targetAliasID>1</targetAliasID>
<scriptID>1</scriptID>
<requestServerID>1</requestServerID>
<checkPath>false</checkPath>
<checkExecutionUser>true</checkExecutionUser>
<checkScriptHash>false</checkScriptHash>
<checkFilePath>false</checkFilePath>
</Authorization>
</cr.result>
</CommandResult>
1. Launch the example with the target alias and bypass cache flags:
Note:
When using Integrity Verification in UNIX, you must use the complete path to
invoke the requestor script.
A successful query provides the user name and password associated with the target alias. For
example, running the Java example on a UNIX-based A2A Client yields the following result:
3. In the VB_Sample window, fill in the Target Alias field, and click Get Script Credentials. A
successful query displays the userID and password in a new pop-up window.
cspmclientd start
cspmclientd stop
Changing a configuration that is not included in the installer. Example: port numbers.
Applying a configuration change after installation. Example: changing the log file location.
$CSPM_CLIENT_HOME/cspmclient/config/cspm_client_config.xml
where $CSPM_CLIENT_HOME is the location and name of your installation directory, for example
/opt/cloakware.
The following table describes the XML tags in the A2A Client configuration file.
XML Tag: Description
<applicationtype>: Valid values are cspm or cspm_agent. The default value is cspm.
<cacheallow>: Enables or disables caching for the A2A Client. The default value is true.
The default value is warning. The off setting means log messages are not generated.
<cspmserver>: Specifies the host name of the CA Privileged Access Manager appliance. The installer sets this
value.
<cspmserver_port>: The default port on which the CA Privileged Access Manager appliance listens. The default is
blank. For HTTPS, the default is 443. If the server port is changed from 443, you must modify this
value.
<daemonserver1_port>: The A2A Client uses this port to listen for local requests from client stubs. The daemon
validates that the request is local. The default value is 28088.
<daemonserver2_port>: The A2A Client uses this port to listen for local requests from the CA Privileged Access
Manager appliance. When this value is set to 1, the A2A client does not listen for external
requests. The default value is 28888. When this value is set to 1, the A2A client enables
polling (that is, it polls the CA Privileged Access Manager appliance for event information).
<eventpolling_interval>: Specifies the interval in seconds after which the A2A Client polls the CA Privileged
Access Manager appliance for events. This entry is optional. If this value is not present, the
A2A Client uses the default polling interval of 120 seconds.
<logfile>: Specifies the location of the log file used by the A2A Client, specifically the UNIX daemon or
Windows service. The installer sets this value.
<c_logfile>: The log file used by the service and stateless client interface stubs. The default is
C:\WINDOWS\TEMP\cspm_c_client_log.txt on Windows Server 2008 R2 and /tmp/cspm_c_client_log.txt
on UNIX platforms. The log file must be in a directory to which all users of the A2A Client have
write access.
<patch>: Specifies patch management attributes, as in the following XML tags: frequency, starthour,
and endhour.
<frequency>: Specifies the frequency at which the A2A Client polls the CA Privileged Access Manager
appliance to check for an upgrade. Valid values are daily or weekly. The default value is daily.
<startHour>: Determines the interval by which the A2A Client randomly polls the CA Privileged Access
Manager appliance for a version check. Valid values are 0-23. The default value is 0 (12 A.M.).
<endHour>: Determines the interval by which the A2A Client randomly polls the CA Privileged Access
Manager appliance for a version check.
3. Click the host name of the server where the A2A client whose logs you want to view is
installed. The Client Details page appears.
When the A2A client is not reachable from the site server, you must log into the site where
the A2A client is registered.
4. Click the Get Logs button. A zip file containing the Tomcat logs directory is downloaded to
your browser. The default maximum file size is 20 MB. You can configure the maximum file
size using the getLogsMaxSize property setting. For further details, see the
description of the setSystemProperty CLI command.
3. Click the host name of the server where the A2A client whose key you want to update is
installed. The Client Details page appears.
You can refresh the script hash for all the request applications on the specified request server (A2A
Client) from the GUI as well as from the CLI.
Use the following procedure to refresh the script hash for all the request applications from the GUI.
3. Click the host name of the server where the A2A client whose script hash you want to refresh
is installed. The Client Details page appears.
To refresh the script hash for all the request applications from the CLI, run the getAllScriptHash
CLI command. For further details, see getAllScriptHash (https://docops.ca.com/display/CAPAM28
/getAllScriptHash).
The following table describes the different A2A Client connection status values and the condition
under which the A2A Client has that status.
Use the following procedure to verify the A2A Client connection status from the GUI.
3. Click the host name of the server where the A2A Client whose status you want to verify is
installed. The Client Details page appears.
The Connection Status field displays the previous connection status icon followed by the last
status updated date and time.
4. Click the Check Connection Status button. The updated A2A Client connection status is
displayed in Connection Status field with a connection status icon followed by the connection
status updated date and time.
Use the following procedure to verify the A2A Client connection status from the CLI.
2. Use the resulting request server ID in the checkConnectionStatus CLI command. The
following is an example:
3. Enter your password at the prompt. Credential Manager returns the following XML command
string:
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result>
<RequestServer>
<type>CLIENT</type>
<port>28888</port>
<osName>Windows 7</osName>
<osVersion>7.0</osVersion>
<active>true</active>
<action></action>
<osPlatform>win</osPlatform>
<clientVersionNum>4.4.1</clientVersionNum>
<currentFingerprint>aXrPcM52mlPUH+yqaDqjN6+wi+8=</currentFingerprint>
<currentKey>{1}fec6fe90d3c5b63aaad9f1f0f084554a426a8909448c7e9239544e5f0de55217a4d9a3d6736317c2a413a3865e2725de0244323fcd02ce1aea0afd29396145f6</currentKey>
<oldKey>{1}58005ca6fbf6101d7428cda4580ed8c5437fc5e1ab3e24d3c7c53dcffed3809311a18ff0ce7c7c5175a769b8f4e762f012b6783450f4b4b4d60e9131c32223a2</oldKey>
<pendingAcknowledgement>false</pendingAcknowledgement>
<osArchitecture>x86</osArchitecture>
<patchStatus>Idle</patchStatus>
<previousClientVersion></previousClientVersion>
<pendingFingerprint></pendingFingerprint>
<pendingFingerprintDate></pendingFingerprintDate>
<actionRequired>false</actionRequired>
<connectionStatus>1</connectionStatus>
<preserveHostName>false</preserveHostName>
<clientType>java</clientType>
<siteID>1000</siteID>
<connectionStatusUpdateDate>Thu May 05 11:39:43 UTC 2011</connectionStatusUpdateDate>
<currentFingerprintDate>2011-05-05 10:00:42.477</currentFingerprintDate>
<lastPatchStatusChangeDate></lastPatchStatusChangeDate>
<hostName>xp-sushma.cpa.intra</hostName>
<IPAddress>192.168.0.230</IPAddress>
<ID>1001</ID>
<Attribute.cspm_serverkeyid>1</Attribute.cspm_serverkeyid>
<Attribute.descriptor1></Attribute.descriptor1>
<Attribute.descriptor2></Attribute.descriptor2>
<createDate>Thu May 05 10:00:42 UTC 2011</createDate>
<updateDate>Thu May 05 10:59:00 UTC 2011</updateDate>
<updateUser>CSPM_CLIENT</updateUser>
<extensionType></extensionType>
<createUser>CSPM_CLIENT</createUser>
<hash>j3kMJ+3DBi/EQXSV76bdZ5Or15Q=</hash>
</RequestServer>
</cr.result>
</CommandResult>
$CSPM_CLIENT_HOME/cspmclient/config/data/.cspmclient.dat
where $CSPM_CLIENT_HOME is the location and name of your installation directory, for example
/opt/cloakware.
Use the following procedure to reconfigure an A2A Client to use a different CA Privileged Access
Manager appliance.
1. Stop the A2A Client. See Stop the A2A Client (see page ).
2. Navigate to $CSPM_CLIENT_HOME/cspmclient/config/data/.
4. Update the <cspmserver> entry in the A2A Client configuration with your new server
name. The following is an example:
<cspmserver>new_server.company.com</cspmserver>
The configuration file is located at $CSPM_CLIENT_HOME/cspmclient/config
/cspm_client_config.xml.
5. Restart the A2A Client. See Start the A2A Client (see page ).
Administrators should reconfigure their DNS server entry rather than hardcode entries into the
A2A Client configuration file.
2. Enter XML entries for cspmserver and cspmserver_port as shown in the following
example:
This example specifies three pairs of entries, one pair for each of the servers. The order of the
entries in the file determines the connection order.
The A2A Client can poll the CA Privileged Access Manager appliance for event data. Administrators
can configure how the A2A Client retrieves event information by modifying the A2A Client
configuration file.
Important:
To enable event polling you must set the external listening port value to 1 in the A2A Client
configuration file.
When event polling is enabled, the A2A client contacts the CA Privileged Access Manager appliance at
a regular poll interval and queries the CA Privileged Access Manager appliance for event data. Events
are placed in the queue and remain in the queue until the A2A Client issues a request to retrieve
event data.
Note:
Always exercise caution when configuring event polling. Enabling event polling increases
network traffic between the CA Privileged Access Manager appliance and A2A Client. If too
many A2A Clients run event polling it can create performance reductions at the appliance
because it increases the requests sent to the appliance.
Note:
CA Technologies recommends you use WordPad when editing the configuration file
in Windows.
2. In the A2A Client configuration file, modify the XML tags as follows:
<daemonserver2_port>1</daemonserver2_port>
3. To change the default polling interval, for example from 120 seconds to 180 seconds, add the
following element:
<eventpolling_interval>180</eventpolling_interval>
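As an added example (not part of the A2A Client or CA PAM), the following Python reads a cspm_client_config.xml fragment that uses the tags described in the configuration table above, derives the effective server list, listening ports and event polling settings, and flags the combinations this section warns about (a polling interval set while daemonserver2_port is not 1, hard-coded addresses instead of DNS names, polling faster than the 120 second default). The <config> root element, the sample hosts and the warning thresholds are assumptions.

```python
"""Added example, not CA PAM code: parse a cspm_client_config.xml fragment,
derive the effective A2A Client settings and flag inconsistent values.
Only tag names from the table above are used; the <config> root element, the
sample content and the warning rules are assumptions made for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: three appliances in failover order, event polling enabled.
SAMPLE_CONFIG = """<config>
  <applicationtype>cspm</applicationtype>
  <cspmserver>pam1.example.internal</cspmserver>
  <cspmserver_port></cspmserver_port>
  <cspmserver>pam2.example.internal</cspmserver>
  <cspmserver_port>8443</cspmserver_port>
  <cspmserver>10.0.0.5</cspmserver>
  <cspmserver_port>443</cspmserver_port>
  <daemonserver1_port>28088</daemonserver1_port>
  <daemonserver2_port>1</daemonserver2_port>
</config>"""

# Constructed sample: an interval is set, but the external port still listens.
POLLING_OFF_CONFIG = """<config>
  <cspmserver>pam.example.internal</cspmserver>
  <cspmserver_port>443</cspmserver_port>
  <daemonserver2_port>28888</daemonserver2_port>
  <eventpolling_interval>60</eventpolling_interval>
</config>"""


@dataclass
class EffectiveConfig:
    servers: List[Tuple[str, int]]   # (host, port) in connection order
    local_port: int                  # daemonserver1_port
    external_port: int               # daemonserver2_port; 1 means polling
    event_polling: bool
    poll_interval: int               # seconds
    warnings: List[str] = field(default_factory=list)


def _text(root: ET.Element, tag: str) -> str:
    """Trimmed text of the first <tag> child, or '' when absent or empty."""
    child = root.find(tag)
    return (child.text or "").strip() if child is not None else ""


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(xml_text: str) -> EffectiveConfig:
    root = ET.fromstring(xml_text)
    warnings: List[str] = []

    # Each <cspmserver> pairs with the <cspmserver_port> that follows it; the
    # order in the file is the connection order. A blank port means 443 (HTTPS).
    servers: List[Tuple[str, int]] = []
    children = list(root)
    for i, child in enumerate(children):
        if child.tag != "cspmserver":
            continue
        host = (child.text or "").strip()
        port = 443
        if i + 1 < len(children) and children[i + 1].tag == "cspmserver_port":
            raw = (children[i + 1].text or "").strip()
            port = int(raw) if raw else 443
        if _is_ip_literal(host):
            # The text recommends DNS entries over hard-coded addresses.
            warnings.append(f"{host}: hard-coded address, prefer a DNS name")
        servers.append((host, port))
    if not servers:
        warnings.append("no <cspmserver> entry: the client cannot register")

    local_port = int(_text(root, "daemonserver1_port") or 28088)
    external_port = int(_text(root, "daemonserver2_port") or 28888)
    event_polling = external_port == 1          # 1 switches to polling mode

    raw_interval = _text(root, "eventpolling_interval")
    poll_interval = int(raw_interval) if raw_interval else 120
    if raw_interval and not event_polling:
        warnings.append("eventpolling_interval is ignored: "
                        "daemonserver2_port is not 1, so polling is off")
    if event_polling and poll_interval < 120:
        # Assumed rule: polling faster than the default adds appliance load.
        warnings.append(f"poll interval {poll_interval}s is below the 120s default")

    return EffectiveConfig(servers, local_port, external_port,
                           event_polling, poll_interval, warnings)


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, POLLING_OFF_CONFIG):
        print(analyse(cfg))
```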
Reports
You can generate reports from Credential Manager data. Credential Manager stores audit, metric,
and event data in the database. Using this data, Credential Manager can produce three types of
reports: activity, metric, SQL, or command.
Activity: Pulls data from the auditlog table in the Credential Manager database. These reports are
not customizable. An example is the Administrative Activities report.
Metrics: Pulls data from XML blocks within entries in the metrics table of the Credential Manager
database. All entries are available to the report. These reports can be customized. An example is
the Account Request report.
SQL: Generates reports by executing SQL queries on the database. These reports can be
customized. An example is the Orphaned Request Server report.
Credential Manager can produce a defined set of reports using these report types. The reports reflect
the time zone that the user selects or UTC. All reports are based on Coordinated Universal Time
(UTC). You can customize metrics and SQL reports to produce more reports.
Note:
Credential Manager uses pop-ups to display reports. Some web browsers might block pop-ups.
We recommend that you configure your browser to allow all pop-ups.
Use the following procedure to set the number of Credential Manager report entries.
2. From the new tab/window menu bar, select Settings, General Settings. The General Settings
page appears.
3. In the Maximum Number of Report Entries field, enter the desired number of report entries.
The default is 5000.
4. Click Save.
Available Reports
The following list describes available Credential Manager reports for CA Privileged Access Manager:
Account Password Updates: Displays a listing of accounts whose password was updated.
Account Requests: Displays account password retrieval requests. You can filter this report by:
Execution user ID
Accounts with Expired Passwords: Displays a list of accounts with expired passwords.
Accounts with Incorrect Passwords: Displays a listing of accounts whose passwords have not been
verified.
Administrative Activities: Displays administrative activities. You can filter this report by:
User name
Automatically Updated Expired Passwords: Displays a list of accounts that are updated to comply
with applicable Maximum Age policy.
Cluster State: Displays a listing of cluster state changes. You can filter this report by the origin
host name.
List all Target Accounts in a Target Group: Displays a listing of all target accounts in a group.
List all Target Applications in a Target Group: Displays a listing of all applications in a target
group.
List all Target Servers in a Target Group: Displays a listing of all target servers in a target group.
Orphaned Request Servers: Displays a list of request servers with no activity for one year.
View Password Requests: Displays a listing of view account password requests from the admin
UI.
Generate Reports
The GUI allows you to generate various reports on demand. They are listed on the Reports page of
the GUI. Audit, metric, and event data can be archived through the CLI.
2. From the new tab/window menu bar, select Reports. The Reports page appears.
3. Select the report that you want to generate, for example, Administrative Activities.
The relevant report request popup appears.
4. If applicable, select a Quick Date range, or enter the Start and End Dates for the report.
Reports cover the period from 00:00:00 (midnight) of the start day to 23:59:59 of the end day.
5. Specify any additional parameters, including filters, that are specific for your report.
7. If your time zone is not already set to be UTC, select whether to use UTC or your time zone.
Note:
Your Web browser might first ask you to allow the report to be displayed
Schedule Reports
Credential Manager allows you to schedule jobs that run the selected report and email the output to
the selected recipients. Recipients can be selected from all Credential Manager users with a valid
email address.
You can schedule report jobs with the following recurrence: daily, weekly, monthly, yearly, or after an
arbitrary number of days. Alternatively, you can schedule the report to occur only once at a specified
time.
To view the status of scheduled jobs, generate the Scheduled Jobs Report. See Generate Reports (see
page 389).
2. From the new tab/window menu bar, select Reports, Scheduled Jobs. The Scheduled Job List
page appears.
4. Enter the Job Name, which is a text description for the job.
5. Select the date and time for the initial job run.
6. Enter the Recurrence criteria. The Recurrence area updates based on your selection.
7. In the Report Name field, select the type of report you want to generate.
8. Select the Quick Dates for the timeframe that you want the report to cover. Reports cover the
period from 00:00:00 (midnight) of the start day to 23:59:59 of the end day. The Start Date
and End Date fields update automatically, and are recalculated each time that the report is
run.
9. If your time zone is not UTC, select whether to display the report times in UTC or your time
zone.
10. Select the output format: HTML on the current page, CSV export file, or PDF generated
document.
11. Move the desired email recipients from the Available Recipients list to the Selected Recipients
list. As a default, the logged-in user is saved in the Selected Recipients list.
You can configure an email attachment size through the reportAttachmentLimit system
property as shown in the following example:
The following table shows the details of the reportAttachmentLimit system property:
System Properties
The following table details the system properties available in Credential Manager. You can set the
following system properties through the setSystemProperty CLI command.
To set a system property, you must specify the name of the system property, set its value and
encryptValue parameter (if applicable) with the setSystemProperty CLI command.
If this property is not set to any value, its default value is considered as 10.
targetAccountPasswordExpirationEnabled | False | N/A | Set the property value to True to enable automatic updating of expired passwords. | N/A
import java.util.ArrayList;
import java.util.List;
import com.cloakware.cspm.common.AdminAPICommandNames;
import com.cloakware.cspm.common.AdminAPIParameterNames;
import com.cloakware.cspm.server.bo.Authorization;
import com.cloakware.cspm.server.bo.Filter;
import com.cloakware.cspm.server.bo.Group;
import com.cloakware.cspm.server.bo.PasswordPolicy;
import com.cloakware.cspm.server.bo.PasswordViewPolicy;
import com.cloakware.cspm.server.bo.RequestScript;
import com.cloakware.cspm.server.bo.RequestServer;
import com.cloakware.cspm.server.bo.Role;
import com.cloakware.cspm.server.bo.TargetAccount;
import com.cloakware.cspm.server.bo.TargetAlias;
import com.cloakware.cspm.server.bo.TargetApplication;
import com.cloakware.cspm.server.bo.TargetServer;
import com.cloakware.cspm.server.bo.User;
import com.cloakware.cspm.server.bo.UserGroup;
import com.cloakware.cspm.server.ui.AdminAPI;
import com.cloakware.cspm.server.ui.AdminAPIFactory;
import com.cloakware.cspm.server.ui.Request;
import com.cloakware.cspm.server.ui.Result;
/**
* An implementation of a Java API based application.
*
* This program does not contain a complete list of commands and parameters.
* Refer to the Java Documentation for the Password
* Authority Java API or the CLI Documentation for the complete list.
*
* This program can be instantiated in your own program or can be executed
* through the Command Line.
*
* The Password Authority cliTool.jar must be in your Class Path to
* use this application.
*
* This application should only be used in Password Authority version 4.2.1 or
* above and Java 1.5 or above.
*
*/
//Target Server
private static final String TARGET_SERVER_HOST_NAME =
"hostname.cloakware.com";
//Target Application
private static final String TARGET_APPLICATION_NAME = "Target Application";
private static final String TARGET_APPLICATION_TYPE = "unix";
private static final String SSH_PORT_ATTRIBUTE = "sshPort";
private static final String SSH_PORT = "22";
//Target Account
private static final String TARGET_ACCOUNT_USER_NAME = "username";
//Sample value only; never hardcode target credentials in production code.
private static final String TARGET_ACCOUNT_USER_PASSWORD = "password123!";
private static final String USE_OTHER_ACCOUNT_TO_CHANGE_PASSWORD_ATTRIBUTE =
"useOtherAccountToChangePassword";
//Target Alias
private static final String TARGET_ALIAS_NAME = "targetAlias";
//Request Server
private static final String REQUEST_SERVER_HOST_NAME =
"requestserver.cloakware.com";
//Request Script
private static final String REQUEST_SCRIPT_NAME = "example.pl";
private static final String REQUEST_SCRIPT_EXECUTION_PATH = "C:\\test";
private static final String REQUEST_SCRIPT_FILE_PATH = "C:\\test";
//Target Group
private static final String TARGET_GROUP_NAME = "targetGroup";
//Request Group
private static final String REQUEST_GROUP_NAME = "requestGroup";
//Filter
private static final String FILTER_EXPRESSION = REQUEST_SERVER_HOST_NAME;
//Role
private static final String ROLE_NAME = "roleName";
private static final String ROLE_ADD_REQUEST_SERVER = "addRequestServer";
private static final String ROLE_UPDATE_REQUEST_SERVER =
"updateRequestServer";
private static final String ROLE_DELETE_REQUEST_SERVER =
"deleteRequestServer";
//User Group
private static final String USER_GROUP_NAME = "userGroup";
private static final String USER_GROUP_DESCRIPTION = "userGroupDescription";
//User
private static final String USER_USER_NAME = "userName";
//Sample value only; never hardcode credentials in production code.
private static final String USER_USER_PASSWORD = "admin4cspm!";
//Password Policy
private static final String PASSWORD_POLICY_NAME = "passwordPolicy";
private static final String PASSWORD_POLICY_DESCRIPTION =
"passwordPolicyDesc";
//Sample bounds only; a 3- to 8-character policy is far too weak for real use.
private static final int MINIMUM_PASSWORD_LENGTH = 3;
private static final int MAXIMUM_PASSWORD_LENGTH = 8;
/**
* This application can be run with no arguments or the following:
* key store - Password Authority Key Store
* user - Password Authority user name
* password - Password of the user
* host name - Password Authority Server
*
* The order of the arguments is fixed, however the arguments are
javaAPIExample.init(args);
javaAPIExample.runJavaAPIExample();
javaAPIExample.logout();
}
/**
* Initializes the Java API object and logs in to the Password Authority
* Server. The String Array should contain the location of a Password
* Authority key store, a Password Authority user name, the password of
* that user, and the host name of a Password Authority Server. The order
* of the arguments is fixed. If the String Array is null, the default
* values will be used.
*
* @param args - The Java API arguments
*/
public void init(String[] args) {
adminAPI = new AdminAPI();
/**
* A helper method which runs all add, update, search, view and delete
* example methods.
*
*/
public void runJavaAPIExample() {
//Add
addTargetServer();
addTargetApplication();
addTargetAccount();
addTargetAlias();
addRequestServer();
addRequestScript();
addAuthorization();
addTargetGroup();
addRequestGroup();
addFilter();
addRole();
addUserGroup();
addUser();
addPasswordPolicy();
addPasswordViewPolicy();
//Update
updateUserGroup();
//Search
searchRequestServer();
//Delete
deletePasswordViewPolicy();
deletePasswordPolicy();
deleteUser();
deleteUserGroup();
deleteRole();
deleteRequestGroup();
deleteTargetGroup();
deleteAuthorization();
deleteTargetAlias();
deleteTargetServer();
deleteRequestScript();
deleteRequestServer();
}
/**
* Logs out of the Password Authority Server.
*/
public void logout() {
adminAPI.logout();
}
/**
* Adds a Target Server.
*/
public void addTargetServer() {
//Create a TargetServer instance by using AdminAPIFactory
targetServer = AdminAPIFactory.createTargetServer();
targetServer.setHostName(TARGET_SERVER_HOST_NAME);
//Use the add method to create a Target Server
result = adminAPI.add(targetServer);
System.out.println("addTargetServer: "+ result.getStatusMessage());
//Retrieves a target server object from the result of the add command.
targetServer = result.getValueAsTargetServer();
}
/**
* Adds a Target Application.
*/
public void addTargetApplication() {
//Create a Unix TargetApplication instance by using AdminAPIFactory
targetApplication = AdminAPIFactory.createTargetApplication();
targetApplication.setTargetServerID(targetServer.getID());
targetApplication.setName(TARGET_APPLICATION_NAME);
targetApplication.setType(TARGET_APPLICATION_TYPE);
targetApplication.setExtendedAttribute(SSH_PORT_ATTRIBUTE,
SSH_PORT);
result = adminAPI.add(targetApplication);
System.out.println("addTargetApplication: "+ result.getStatusMessage());
targetApplication = result.getValueAsTargetApplication();
}
/**
* Adds a Target Account.
*/
public void addTargetAccount() {
//Create a TargetAccount instance by using AdminAPIFactory
targetAccount = AdminAPIFactory.createTargetAccount();
targetAccount.setTargetApplicationID(targetApplication.getID());
targetAccount.setUserName(TARGET_ACCOUNT_USER_NAME);
targetAccount.setPassword(TARGET_ACCOUNT_USER_PASSWORD);
targetAccount.setPrivileged(false);
//change setSynchronize to true if the Target Account is
//to be synchronized.
targetAccount.setSynchronize(false);
targetAccount.setExtendedAttribute
(USE_OTHER_ACCOUNT_TO_CHANGE_PASSWORD_ATTRIBUTE,
String.valueOf(false));
result = adminAPI.add(targetAccount);
System.out.println("addTargetAccount: "+ result.getStatusMessage());
targetAccount = result.getValueAsTargetAccount();
}
/**
* Adds a Target Alias.
*/
public void addTargetAlias() {
//Create a TargetAlias instance by using AdminAPIFactory
targetAlias = AdminAPIFactory.createTargetAlias();
targetAlias.setAccountID(targetAccount.getID());
targetAlias.setName(TARGET_ALIAS_NAME);
result = adminAPI.add(targetAlias);
System.out.println("addTargetAlias: "+ result.getStatusMessage());
targetAlias = result.getValueAsTargetAlias();
}
/**
* Adds a Request Server.
*/
public void addRequestServer() {
//Create a RequestServer instance by using AdminAPIFactory
requestServer = AdminAPIFactory.createRequestServer();
requestServer.setHostName(REQUEST_SERVER_HOST_NAME);
result = adminAPI.add(requestServer);
System.out.println("addRequestServer: "+ result.getStatusMessage());
requestServer = result.getValueAsRequestServer();
}
/**
* Adds a Request Script.
*/
public void addRequestScript() {
//Create a RequestScript instance by using AdminAPIFactory
requestScript = AdminAPIFactory.createRequestScript();
requestScript.setRequestServerID(requestServer.getID());
requestScript.setName(REQUEST_SCRIPT_NAME);
requestScript.setExecutionPath(REQUEST_SCRIPT_EXECUTION_PATH);
requestScript.setFilePath(REQUEST_SCRIPT_FILE_PATH);
requestScript.setType(REQUEST_SCRIPT_TYPE);
result = adminAPI.add(requestScript);
System.out.println("addRequestScript: "+ result.getStatusMessage());
requestScript = result.getValueAsRequestScript();
}
/**
* Adds an Authorization.
*/
public void addAuthorization() {
//Create an Authorization instance by using AdminAPIFactory
authorization = AdminAPIFactory.createAuthorization();
authorization.setRequestServerID(requestServer.getID());
authorization.setScriptID(requestScript.getID());
authorization.setTargetAliasID(targetAlias.getID());
result = adminAPI.add(authorization);
System.out.println("addAuthorization: "+ result.getStatusMessage());
authorization = result.getValueAsAuthorization();
}
/**
* Adds a Target Group.
*/
public void addTargetGroup() {
//Create a Target Group instance by using AdminAPIFactory
targetGroup = AdminAPIFactory.createGroup();
targetGroup.setName(TARGET_GROUP_NAME);
targetGroup.setType(Group.TYPE_TARGET);
result = adminAPI.add(targetGroup);
System.out.println("addTargetGroup: "+ result.getStatusMessage());
targetGroup = result.getValueAsGroup();
}
/**
* Adds a Request Group.
*/
public void addRequestGroup() {
//Create a Request Group instance by using AdminAPIFactory
requestGroup = AdminAPIFactory.createGroup();
requestGroup.setName(REQUEST_GROUP_NAME);
requestGroup.setType(Group.TYPE_REQUESTOR);
result = adminAPI.add(requestGroup);
System.out.println("addRequestGroup: "+ result.getStatusMessage());
requestGroup = result.getValueAsGroup();
}
/**
* Adds a Filter to an existing Group.
*/
public void addFilter() {
//A filter can only be added to an existing group.
Filter filter = AdminAPIFactory.createFilter();
//Set the group id to the id of an existing group object.
filter.setGroupID(requestGroup.getID());
//AttributeName is the field on which to create the filter.
filter.setAttributeName(RequestServer.BEAN_PROPERTY_HOSTNAME);
filter.setType(Filter.TYPE_CONTAINS);
//The object class id can be set to the CLASS_ID of any of the supported
//objects.
filter.setObjectClassID(RequestServer.CLASS_ID);
filter.setExpression(FILTER_EXPRESSION);
result = adminAPI.add(filter);
System.out.println("addFilter: "+ result.getStatusMessage());
filter = result.getValueAsFilter();
}
/**
* Adds a Role with add, update and delete Request Server permissions.
*/
public void addRole() {
/**
* Adds a User Group.
*/
public void addUserGroup() {
ArrayList newGroups = new ArrayList();
/**
* Adds a Password Authority User.
*/
public void addUser() {
ArrayList userGroupIDs = new ArrayList();
/**
* Adds a Password Composition Policy
*/
/**
* Adds a Password View Policy
*/
public void addPasswordViewPolicy() {
//Create a PasswordViewPolicy instance by using AdminAPIFactory
passwordViewPolicy = AdminAPIFactory.createPasswordViewPolicy();
passwordViewPolicy.setName(PASSWORD_VIEW_POLICY_NAME);
passwordViewPolicy.setChangePasswordOnView(true);
result = adminAPI.add(passwordViewPolicy);
System.out.println("addPasswordViewPolicy: " +
result.getStatusMessage());
passwordViewPolicy = result.getValueAsPasswordViewPolicy();
}
/**
* Updates an existing User Group.
*/
public void updateUserGroup() {
//An update uses an object retrieved via a search command or
//the output of a previous add or update.
userGroup.setDescription(USER_GROUP_DESCRIPTION);
result = adminAPI.update(userGroup);
System.out.println("updateUserGroup: "+ result.getStatusMessage());
userGroup = result.getValueAsUserGroup();
System.out.println("updateUserGroup description: " +
userGroup.getDescription());
}
/**
* Searches for a Request Server host name.
*
* If a parameter is specified, all matching Request Servers are
* returned. If no parameter is specified, all Request Servers are
* returned.
*/
public void searchRequestServer() {
RequestServer searchRequestServer;
List resultList;
if (resultList.size() > 0) {
searchRequestServer = (RequestServer) resultList.get(0);
System.out.println("searchRequestServer host name: " +
searchRequestServer.getHostName());
}
}
/**
* Views a Target Account Password. The result depends on the Password
* View Policy of the Target Account.
*/
public void viewTargetAccountPassword() {
TargetAccount viewPasswordAccount;
//To view a password, a Request object must be created and passed to
//the AdminAPI execute method.
request = new Request();
request.setCommand(AdminAPICommandNames.VIEW_ACCOUNT_PASSWORD);
request.setParameter(
AdminAPIParameterNames.
VIEW_ACCOUNT_PASSWORD_TARGET_ACCOUNT_ID,
targetAccount.getID());
request.setParameter(
AdminAPIParameterNames.VIEW_ACCOUNT_PASSWORD_ADMIN_USER_ID,
VIEW_TARGET_ACCOUNT_USER_NAME);
request.setParameter(
AdminAPIParameterNames.
VIEW_ACCOUNT_PASSWORD_ADMIN_PASSWORD,
VIEW_TARGET_ACCOUNT_USER_PASSWORD);
request.setParameter(
AdminAPIParameterNames.VIEW_ACCOUNT_PASSWORD_REASON,
VIEW_TARGET_ACCOUNT_REASON);
result = adminAPI.execute(request);
System.out.println("viewTargetAccountPassword: "+
result.getStatusMessage());
if (result.getWarningMessage() != null &&
result.getWarningMessage().length() > 0) {
System.out.println("viewTargetAccountPassword: " +
result.getWarningMessage());
}
viewPasswordAccount = result.getValueAsTargetAccount();
//Demonstration only: a retrieved privileged password must never be written
//to stdout or to a log in production code.
System.out.println("viewTargetAccountPassword password:" +
viewPasswordAccount.getPassword());
}
/**
* Deletes an existing Password View Policy.
*/
public void deletePasswordViewPolicy() {
//Delete a PasswordViewPolicy
result = adminAPI.delete(passwordViewPolicy);
//The delete method will return the deleted object for future reference.
passwordViewPolicy = result.getValueAsPasswordViewPolicy();
System.out.println("deletePasswordViewPolicy: " +
result.getStatusMessage());
}
/**
* Deletes a Password Composition Policy.
*/
public void deletePasswordPolicy() {
//Delete a PasswordPolicy
result = adminAPI.delete(passwordPolicy);
System.out.println("deletePasswordPolicy: "+ result.getStatusMessage());
}
/**
* Deletes a Password Authority user.
*/
public void deleteUser() {
result = adminAPI.delete(user);
System.out.println("deleteUser: "+ result.getStatusMessage());
}
/**
* Deletes a Role.
*/
public void deleteRole() {
result = adminAPI.delete(role);
System.out.println("deleteRole: "+ result.getStatusMessage());
}
/**
* Deletes a User Group.
*/
public void deleteUserGroup() {
result = adminAPI.delete(userGroup);
System.out.println("deleteUserGroup: "+ result.getStatusMessage());
}
/**
* Deletes a Request Group.
*/
public void deleteRequestGroup() {
//Delete a Group
result = adminAPI.delete(requestGroup);
System.out.println("deleteRequestGroup: "+ result.getStatusMessage());
}
/**
* Deletes a Target Group.
*/
public void deleteTargetGroup() {
//Delete a Group
result = adminAPI.delete(targetGroup);
System.out.println("deleteTargetGroup: "+ result.getStatusMessage());
}
/**
* Deletes an Authorization.
*/
public void deleteAuthorization() {
//Delete the Authorization
result = adminAPI.delete(authorization);
System.out.println("deleteAuthorization: "+ result.getStatusMessage());
}
/**
* Deletes a Target Alias.
*/
public void deleteTargetAlias() {
//Delete the Target Alias
result = adminAPI.delete(targetAlias);
System.out.println("deleteTargetAlias: "+ result.getStatusMessage());
}
/**
* Deletes a Target Server. Deleting a Target Server will also delete
* all associated Target Applications and Target Accounts.
*/
public void deleteTargetServer() {
//Delete the Target Server
result = adminAPI.delete(targetServer);
System.out.println("deleteTargetServer: "+ result.getStatusMessage());
}
/**
* Deletes a Request Script.
*/
public void deleteRequestScript() {
//Delete the Request Script
result = adminAPI.delete(requestScript);
System.out.println("deleteRequestScript: "+ result.getStatusMessage());
}
/**
* Deletes a Request Server.
*/
public void deleteRequestServer() {
//Delete the Request Server
result = adminAPI.delete(requestServer);
System.out.println("deleteRequestServer: "+ result.getStatusMessage());
}
}
<xs:schema xmlns="http://www.cloakware.com"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.cloakware.com"
elementFormDefault="qualified">
<xs:element name="PARAMETER">
<xs:complexType>
<xs:sequence>
<xs:element name="NAME" type="xs:string"
minOccurs="1" maxOccurs="1"/>
<xs:element name="VALUE" type="xs:string"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="COMMAND_PARAMETERS">
<xs:complexType>
<xs:sequence>
<xs:element ref="PARAMETER" minOccurs="1"
maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="COMMAND">
<xs:complexType>
<xs:sequence>
<xs:element ref="COMMAND_PARAMETERS"
minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="name" type="xs:string" use="required" />
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
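The schema above fixes the shape of a command document: a COMMAND element with a required name attribute, zero or more COMMAND_PARAMETERS, each holding at least one PARAMETER, and each PARAMETER holding exactly one NAME followed by one or more VALUE, all qualified in the http://www.cloakware.com namespace. The following parser is an added example and not CA Privileged Access Manager code; it enforces those constraints before handing the parameters to an application, and rejects documents that a lenient parser would silently accept. The command name, the parameter name hostName, and the sample documents are constructed for illustration; treating a single COMMAND as the document root is also an assumption, since the enclosing element of the schema is not shown above.

```python
"""Structural validator for the COMMAND XML format described by the schema above.

Added example, not CA PAM code. Enforces the constraints the XSD states:
COMMAND needs a name attribute; COMMAND_PARAMETERS holds one or more
PARAMETER; PARAMETER holds exactly one NAME followed by one or more VALUE;
every element is qualified with the http://www.cloakware.com namespace.
"""
import xml.etree.ElementTree as ET

NS = "http://www.cloakware.com"


def q(local_name):
    """Qualified tag in the schema's target namespace (elementFormDefault=qualified)."""
    return "{%s}%s" % (NS, local_name)


class CommandSchemaError(ValueError):
    """Raised when the document violates the COMMAND schema."""


def _parse_parameter(param):
    """Return (name, [values]) for one PARAMETER, enforcing NAME then VALUE+."""
    children = list(param)
    if not children or children[0].tag != q("NAME"):
        raise CommandSchemaError("PARAMETER must start with exactly one NAME")
    values = children[1:]
    if not values:
        raise CommandSchemaError("PARAMETER needs at least one VALUE")
    for value in values:
        if value.tag != q("VALUE"):
            raise CommandSchemaError("unexpected element in PARAMETER: %s" % value.tag)
    return (children[0].text or "", [v.text or "" for v in values])


def parse_command(xml_text):
    """Parse one COMMAND document into {'name': str, 'parameter_sets': [[(name, values)]]}.

    Use defusedxml.ElementTree.fromstring in place of ET.fromstring when the
    XML comes from an untrusted source; the standard parser is used here only
    so that the example has no third-party dependency.
    """
    root = ET.fromstring(xml_text)
    if root.tag != q("COMMAND"):
        raise CommandSchemaError("root must be %s, got %s" % (q("COMMAND"), root.tag))
    name = root.get("name")
    if name is None:
        raise CommandSchemaError("COMMAND requires a name attribute")
    parameter_sets = []
    for group in root:
        if group.tag != q("COMMAND_PARAMETERS"):
            raise CommandSchemaError("unexpected element in COMMAND: %s" % group.tag)
        params = []
        for param in group:
            if param.tag != q("PARAMETER"):
                raise CommandSchemaError(
                    "unexpected element in COMMAND_PARAMETERS: %s" % param.tag)
            params.append(_parse_parameter(param))
        if not params:
            raise CommandSchemaError("COMMAND_PARAMETERS needs at least one PARAMETER")
        parameter_sets.append(params)
    return {"name": name, "parameter_sets": parameter_sets}


def validation_error(xml_text):
    """Return None if the document is valid, otherwise the error message."""
    try:
        parse_command(xml_text)
    except (CommandSchemaError, ET.ParseError) as exc:
        return str(exc)
    return None


# Constructed samples. The parameter name "hostName" is an assumption taken
# from RequestServer.BEAN_PROPERTY_HOSTNAME in the Java example above.
VALID_COMMAND = """<COMMAND xmlns="http://www.cloakware.com" name="addRequestServer">
  <COMMAND_PARAMETERS>
    <PARAMETER>
      <NAME>hostName</NAME>
      <VALUE>requestserver.cloakware.com</VALUE>
    </PARAMETER>
  </COMMAND_PARAMETERS>
</COMMAND>"""

# Invalid: the PARAMETER carries a NAME but no VALUE (VALUE has minOccurs="1").
MISSING_VALUE = """<COMMAND xmlns="http://www.cloakware.com" name="addRequestServer">
  <COMMAND_PARAMETERS>
    <PARAMETER><NAME>hostName</NAME></PARAMETER>
  </COMMAND_PARAMETERS>
</COMMAND>"""

# Invalid: elements in no namespace do not match the qualified schema.
UNQUALIFIED = '<COMMAND name="addRequestServer"><COMMAND_PARAMETERS/></COMMAND>'

if __name__ == "__main__":
    print(parse_command(VALID_COMMAND))
    print(validation_error(MISSING_VALUE))
    print(validation_error(UNQUALIFIED))
```

The ordering check matters: an XSD sequence requires NAME before the VALUE elements, so a document that puts VALUE first is rejected even though it contains the right elements. A COMMAND with no COMMAND_PARAMETERS at all is accepted, because the schema gives that element minOccurs="0".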