CA Privileged Access Manager - 2.8
Programming
Date: 21-Feb-2017
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.
Table of Contents
ExternalAPI
  Overview
  Deployment Procedures for Administrators
    Licensing
    Configuration
      Enable the API
      Disable the Test Button
    Provision API Request Credentials
    Add API Keys for a CA Privileged Access Manager User
      In the GUI Template
      As a CSV Import Item
    Dissociating an API Key from Its User
      Deactivating a Key
      Removing a Key
  Deployment Procedures for Programmers
    Documentation/Test
      Overview
    View Documentation
    Obtain API Keys
    Run Test API Requests
    Resetting the Active API Key
  Implementation
    Case: Provision User, Device, and Auto-Connection Policy Between Them
Credential Manager CLI Commands
  addAuthorization
    Example
    Parameters
      TargetAlias.name
      TargetAlias.ID
      Authorization.targetGroupName
      Authorization.targetGroupId
      RequestServer.hostName
      RequestServer.ID
      Authorization.requestGroupName
      Authorization.requestGroupId
      RequestScript.name
      RequestScript.ID
      RequestScript.executionPath
      Authorization.checkExecutionID
      Authorization.executionUser
      Authorization.checkPath
      Authorization.checkFilePath
      Authorization.checkScriptHash
  addFilter
    Example
    Parameters
      Group.ID
      Filter.objectClassId
      Filter.attribute
      Filter.type
      Filter.expression
  addGroup
    Example
    Parameters
      Group.name
      Group.description
      Group.type
      Group.dynamic
      Group.permissions
  addPasswordPolicy
    Example
    Parameters
      PasswordPolicy.name
      PasswordPolicy.description
      Attribute.passwordPrefix
      Attribute.composedOfUpperCaseCharacters
      Attribute.composedOfLowerCaseCharacters
      Attribute.composedOfNumericCharacters
      Attribute.composedOfSpecialCharacters
      Attribute.specialCharacters
      Attribute.firstCharacterUpperCase
      Attribute.firstCharacterLowerCase
      Attribute.firstCharacterNumeric
      Attribute.firstCharacterSpecial
      Attribute.firstCharacterSpecials
      Attribute.mustNotContainConsecutiveDuplicateCharacters
      Attribute.mustNotContainAnyDuplicateCharacters
      Attribute.mustNotContainCharacters
      Attribute.composedOfMustNotContainCharacters
      Attribute.minLength
      Attribute.maxLength
      Attribute.minIterationsBeforeReuse
      Attribute.minDaysBeforeReuse
      Attribute.enableMaxPasswordAge
      Attribute.maxPasswordAge
  addPasswordViewPolicy
    Example
    Parameters
      PasswordViewPolicy.name
      PasswordViewPolicy.description
      PasswordViewPolicy.changePasswordOnView
      PasswordViewPolicy.allowChangePasswordOnViewForSso
      PasswordViewPolicy.passwordChangeInterval
      PasswordViewPolicy.checkinCheckoutRequired
      PasswordViewPolicy.checkinCheckoutInterval
      PasswordViewPolicy.dualAuthorization
      PasswordViewPolicy.dualAuthorizationInterval
      PasswordViewPolicy.approvers
      PasswordViewPolicy.approverIDs
      PasswordViewPolicy.authenticationRequired
      PasswordViewPolicy.enableOneClickApproval
      PasswordViewPolicy.passwordViewRequestMaxInterval
      PasswordViewPolicy.passwordViewRequestMaxDays
  addRequestScript
    Example
    Parameters
      RequestServer.hostName
  addRequestServer
    Example
    Parameters
      RequestServer.hostName
      RequestServer.deviceName
      RequestServer.active
      RequestServer.autoPatch
      RequestServer.preserveHostName
      RequestServer.type
      Attribute.descriptor1
      Attribute.descriptor2
  addRequestServerDefaults
    Example
    Parameters
      RequestServerDefaults.subnet
      RequestServerDefaults.type
      RequestServerDefaults.active
      RequestServerDefaults.descriptor1
      RequestServerDefaults.descriptor2
  addRole
    Example
    Parameters
      Role.name
      Role.description
      Role.permissions
  addSite
    Example
    Parameters
      Site.name
      Site.type
      Site.hostName
  addSSHKeyPairPolicy
    Example
    Parameters
      SSHKeyPairPolicy.name
      SSHKeyPairPolicy.description
      SSHKeyPairPolicy.keyType
      SSHKeyPairPolicy.keyLength
  addTargetAccount
    Example
    Parameters
      TargetServer.hostName
      TargetApplication.name
      TargetApplication.ID
      TargetAccount.userName
      TargetAccount.password
      TargetAccount.cacheAllow
      TargetAccount.cacheBehavior
      TargetAccount.cacheDuration
      TargetAccount.privileged
      TargetAccount.accessType
      TargetAccount.synchronize
      Attribute.descriptor1
      Attribute.descriptor2
      PasswordViewPolicy.name
      TargetAlias.name
      useTargetAliasNameParameter
      TargetAccount.compoundAccount
      TargetAccount.compoundServerIDs
      passwordIsBase64Encoded
  addTargetAlias
    Example
    Parameters
      TargetServer.hostName
      TargetApplication.name
      TargetAccount.userName
      TargetAccount.ID
      TargetAlias.name
  addTargetApplication
    Example
    Parameters
      TargetServer.ID
      TargetServer.hostName
      TargetApplication.name
      TargetApplication.type
      PasswordPolicy.name
      PasswordPolicy.ID
      Attribute.descriptor1
      Attribute.descriptor2
      Attribute.enableAutoConnectTargetAccount
  addTargetServer
    Example
    Parameters
      TargetServer.hostName
      TargetServer.deviceName
      Attribute.descriptor1
      Attribute.descriptor2
  addUser
    Example
    Parameters
      User.userID
      User.password
      User.authenticationType
      User.status
      User.userGroupIDS
      User.userGroupNames
      User.firstName
      User.lastName
      User.email
      User.viewType
  addUserGroup
    Example
    Parameters
      UserGroup.name
      UserGroup.description
      UserGroup.roleID
      UserGroup.groups
      UserGroup.readOnly
  archiveAuditData
    Example
    Parameters
      endDate
  archiveMetricData
    Example
    Parameters
      endDate
      fileName
      resultLimit
batchSequence ....................................................................................................................................... 100
Example ............................................................................................................................................ 100
Parameters ........................................................................................................................................ 100
inputfile ..................................................................................................................................... 100
outputfile ................................................................................................................................... 100
stopOnError .............................................................................................................................. 101
multipleTransactions ................................................................................................................ 101
canGetCredentials ................................................................................................................................... 101
Example ............................................................................................................................................ 101
Parameters ........................................................................................................................................ 101
TargetAlias.name ..................................................................................................................... 101
RequestScript.name ................................................................................................................. 102
RequestScript.filePath .............................................................................................................. 102
RequestScript.executionPath ................................................................................................... 102
Authorization.executionUser .................................................................................................... 102
RequestServer.hostName ........................................................................................................ 102
RequestServer.osName ........................................................................................................... 102
checkConnectionStatus ........................................................................................................................... 103
Example ............................................................................................................................................ 103
checkDelete ............................................................................................................................................. 103
Example ............................................................................................................................................ 103
Parameters ........................................................................................................................................ 103
TargetServer.ID ........................................................................................................................ 103
RequestServer.ID ..................................................................................................................... 103
checkInAccountPassword ....................................................................................................................... 103
Example ............................................................................................................................................ 104
deleteAuthorization .................................................................................................................................. 104
Example ............................................................................................................................................ 104
Parameters ........................................................................................................................................ 104
Authorization.ID ........................................................................................................................ 104
TargetAlias.name ..................................................................................................................... 104
RequestServer.hostName ........................................................................................................ 104
RequestScript.name ................................................................................................................. 105
RequestScript.executionPath ................................................................................................... 105
Authorization.targetGroupName .............................................................................................. 105
Authorization.requestGroupName ............................................................................................ 105
deleteFilter ............................................................................................................................................... 106
Example ............................................................................................................................................ 106
Parameters ........................................................................................................................................ 106
Filter.ID ..................................................................................................................................... 106
deleteGroup ............................................................................................................................................. 106
Example ............................................................................................................................................ 106
Parameters ........................................................................................................................................ 106
Group.ID ................................................................................................................................... 106
Group.name ............................................................................................................................. 107
Group.type ............................................................................................................................... 107
deletePasswordPolicy ............................................................................................................................. 107
Example ............................................................................................................................................ 107
Parameters ........................................................................................................................................ 107
PasswordPolicy.ID ................................................................................................................... 107
PasswordPolicy.name .............................................................................................................. 108
deletePasswordViewPolicy ..................................................................................................................... 108
Example ............................................................................................................................................ 108
Parameters ........................................................................................................................................ 108
PasswordViewPolicy.ID ........................................................................................................... 108
PasswordViewPolicy.name ...................................................................................................... 108
deletePasswordViewRequest .................................................................................................................. 109
Example ............................................................................................................................................ 109
Parameters ........................................................................................................................................ 109
PasswordViewRequest.ID ........................................................................................................ 109
deleteRequestScript ................................................................................................................................ 109
Example ............................................................................................................................................ 109
Parameters ........................................................................................................................................ 109
RequestScript.ID ...................................................................................................................... 109
RequestServer.hostName ........................................................................................................ 110
RequestScript.name ................................................................................................................. 110
RequestScript.executionPath ................................................................................................... 110
deleteRequestServer ............................................................................................................................... 110
Example ............................................................................................................................................ 110
Parameters ........................................................................................................................................ 111
RequestServer.hostName ........................................................................................................ 111
RequestServer.deviceName .................................................................................................... 111
RequestServer.ID: The unique ID for the request server. ........................................................ 111
RequestServer.type: The type of the request server. .............................................................. 111
deleteRequestServerDefaults ................................................................................................................. 111
Example ............................................................................................................................................ 111
Parameters ........................................................................................................................................ 112
RequestServerDefaults.ID ....................................................................................................... 112
deleteRole ............................................................................................................................................... 112
Example ............................................................................................................................................ 112
Parameters ........................................................................................................................................ 112
Role.ID ..................................................................................................................................... 112
deleteSite ................................................................................................................................................ 112
Example ............................................................................................................................................ 112
Parameters ........................................................................................................................................ 113
Site.ID ...................................................................................................................................... 113
deleteSSHKeyPairPolicy ......................................................................................................................... 113
Example ............................................................................................................................................ 113
Parameters ........................................................................................................................................ 113
SSHKeyPairPolicy.ID ............................................................................................................... 113
SSHKeyPairPolicy.name .......................................................................................................... 113
deleteSystemProperty ............................................................................................................................. 114
Example ............................................................................................................................................ 114
Parameters ........................................................................................................................................ 114
propertyName .......................................................................................................................... 114
deleteTargetAccount ............................................................................................................................... 114
Example ............................................................................................................................................ 114
Parameters ........................................................................................................................................ 114
TargetServer.hostName ........................................................................................................... 114
TargetApplication.name ........................................................................................................... 115
TargetAccount.userName ........................................................................................................ 115
TargetAccount.ID ..................................................................................................................... 115
deleteTargetAlias .................................................................................................................................... 115
Example ............................................................................................................................................ 116
Parameters ........................................................................................................................................ 116
TargetAlias.name ..................................................................................................................... 116
TargetAlias.ID .......................................................................................................................... 116
deleteTargetApplication ........................................................................................................................... 116
Example ............................................................................................................................................ 116
Parameters ........................................................................................................................................ 117
TargetServer.hostName ........................................................................................................... 117
TargetApplication.name ........................................................................................................... 117
TargetApplication.ID ................................................................................................................. 117
deleteTargetServer .................................................................................................................................. 117
Example ............................................................................................................................................ 117
Parameters ........................................................................................................................................ 118
TargetServer.ID ........................................................................................................................ 118
TargetServer.hostName ........................................................................................................... 118
TargetServer.deviceName ....................................................................................................... 118
deleteUser ............................................................................................................................................... 118
Example ............................................................................................................................................ 118
Parameters ........................................................................................................................................ 119
User.userID .............................................................................................................................. 119
deleteUserGroup ..................................................................................................................................... 119
Example ............................................................................................................................................ 119
Parameters ........................................................................................................................................ 119
UserGroup.ID ........................................................................................................................... 119
UserGroup.name ...................................................................................................................... 119
disableCLIHostNameCheck .................................................................................................................... 120
Example ............................................................................................................................................ 120
disableFingerprinting ............................................................................................................................... 120
Example ............................................................................................................................................ 120
enableCLIHostNameCheck ..................................................................................................................... 120
Example ............................................................................................................................................ 120
enableFingerprinting ................................................................................................................................ 120
Example ............................................................................................................................................ 120
enableLicense ......................................................................................................................................... 121
Example ............................................................................................................................................ 121
Parameters ........................................................................................................................................ 121
license ...................................................................................................................................... 121
expirePasswordViewRequest .................................................................................................................. 121
Example ............................................................................................................................................ 121
forceCheckInAccountPassword .............................................................................................................. 121
Example ............................................................................................................................................ 121
Parameters ........................................................................................................................................ 122
TargetAccount.ID ..................................................................................................................... 122
PasswordViewRequest.ID ........................................................................................................ 122
generateEncryptedPassword .................................................................................................................. 122
Example ............................................................................................................................................ 122
Parameters ........................................................................................................................................ 122
password .................................................................................................................................. 122
getAllScriptHash ...................................................................................................................................... 123
Example ............................................................................................................................................ 123
Parameters ........................................................................................................................................ 123
RequestServer.hostName ........................................................................................................ 123
RequestServer.ID ..................................................................................................................... 123
getAwsManagementConsoleSessionUrl ................................................................................................. 123
Example ............................................................................................................................................ 123
Parameters ........................................................................................................................................ 124
AWS.accessKeyID ................................................................................................................... 124
AWS.secretAccessKey ............................................................................................................ 124
AWS.issuerUrl .......................................................................................................................... 124
AWS.consoleUrl ....................................................................................................................... 124
AWS.signinUrl .......................................................................................................................... 124
AWS.policy ............................................................................................................................... 125
AWS.stsEndpoint ..................................................................................................................... 125
AWS.sessionDuration .............................................................................................................. 125
AWS.urlEncodeOption ............................................................................................................. 125
AWS.federatedUserName ........................................................................................................ 125
getErrorCodes ......................................................................................................................................... 125
Example ............................................................................................................................................ 126
getEventProcessingMetrics ..................................................................................................................... 126
Example ............................................................................................................................................ 126
Parameters ........................................................................................................................................ 126
samplePeriodMinutes ............................................................................................................... 126
getLocalProperty ..................................................................................................................................... 126
Example ............................................................................................................................................ 126
Parameters ........................................................................................................................................ 127
propertyName .......................................................................................................................... 127
getLogs .................................................................................................................................................... 127
Example ............................................................................................................................................ 127
Parameters ........................................................................................................................................ 127
RequestServer.ID ..................................................................................................................... 127
Site.ID ...................................................................................................................................... 127
hostName ................................................................................................................................. 127
maxSize ................................................................................................................................... 128
getMostRecentPasswordHistory ............................................................................................................. 128
getMSOLFederatedSessionCmd ............................................................................................................ 128
Example ............................................................................................................................................ 128
Parameters ........................................................................................................................................ 128
MSOL.stsEndpointUrl ............................................................................................................... 128
    MSOL.stsEndpointReferenceUri
    MSOL.portalUrl
    MSOL.wctx
    TargetAccount.ID
    reason
    reasonDetails
    PasswordViewRequest.requestPeriodStart
    PasswordViewRequest.requestPeriodEnd
    referenceCode
getNumberOfAccounts
  Example
getRequestServerDefaults
  Example
  Parameters
    RequestServerDefaults.ID
getScriptHashAsynchronous
  Example
  Parameters
    RequestScript.ID
getServiceStatus
  Example
  Parameters
    TargetAccount.ID
    TargetServer.hostName
    TargetApplication.name
    TargetAccount.userName
getSystemProperty
  Example
  Parameters
    propertyName
listDBClusterMembers
  Example
listDiscoveredAccounts
  Example
  Parameters
    TargetApplication.ID
    TargetApplication.name
listDiscoveredServices
  Example
  Parameters
    TargetAccount.ID
    TargetAccount.userName
    TargetApplication.name
    TargetServer.name
    discoveryUseProxy
listDiscoveredTasks
  Example
  Parameters
    TargetAccount.ID
    TargetAccount.userName
    TargetApplication.name
    TargetServer.name
    discoveryUseProxy
listPasswordViewRequestByApproverSummary
listPasswordViewRequestByRequestorSummary
listRequestServerDefaults
  Example
  Parameters
    RequestServerDefaults.ipAddress
    RequestServerDefaults.type
renameUser
  Example
  Parameters
    User.userID
    User.newUserID
    User.gkUserId
resetClientCache
resetDBHash
  Example
resetGroupCache
  Example
  Parameters
    Group.name
searchAgent
  Example
  Parameters
    Agent.ID
    Agent.hostName
    Agent.ipAddress
    Agent.deviceName
    Agent.clientVersion
    Agent.active
    Agent.actionRequired
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchAuthorization
  Example
  Parameters
    Authorization.executionUser
    Authorization.checkExecutionID
    Authorization.checkPath
    Authorization.checkFilePath
    Authorization.checkScriptHash
    Authorization.ID
    RequestServer.ID
    RequestScript.ID
    TargetAlias.ID
    Authorization.targetGroupId
    Authorization.requestGroupId
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchFilter
  Example
  Parameters
    Filter.ID
    Group.ID
    Filter.attribute
    Filter.type
    Filter.expression
    Filter.objectClassId
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchGroup
  Example
  Parameters
    Group.ID
    Group.name
    Group.description
    Group.type
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchPasswordPolicy
  Example
  Parameters
    PasswordPolicy.name
    PasswordPolicy.description
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchPasswordViewPolicy
  Example
  Parameters
    PasswordViewPolicy.name
    PasswordViewPolicy.description
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchPasswordViewRequest
  Example
  Parameters
    PasswordViewRequest.requestorID
    PasswordViewRequest.approverID
    PasswordViewRequest.status
    PasswordViewRequest.targetAccountID
    PasswordViewRequest.isCheckedOut
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchPasswordViewRequestByApprover
  Example
  Parameters
    PasswordViewRequest.requestorID
    PasswordViewRequest.status
    PasswordViewRequest.targetAccountID
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchPasswordViewRequestByRequestor
  searchPasswordViewRequestByRequestor
    Example
    Parameters
searchRequestScript
  Example
  Parameters
    RequestServer.ID
    RequestScript.name
    RequestScript.ID
    RequestScript.filePath
    RequestScript.executionPath
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchRequestServer
  Example
  Parameters
    RequestServer.ID
    RequestServer.hostName
    RequestServer.deviceName
    RequestServer.ipAddress
    RequestServer.clientVersion
    RequestServer.active
    RequestServer.actionRequired
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchRole
  Example
  Parameters
    Role.ID
    Role.name
    Role.description
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchSite
  Example
searchSSHKeyPairPolicy
  searchSSHKeyPairPolicy
    Example
    Parameters
searchTargetAccount
  Example
  Parameters
    TargetAccount.ID
    TargetApplication.ID
    TargetApplication.name
    TargetApplication.type
    TargetAccount.userName
    TargetAccount.accessType
    TargetAccount.cacheAllow (Deprecated)
    TargetAccount.cacheBehavior
    TargetAccount.cacheDuration
    TargetAccount.privileged
    TargetAccount.synchronize
    TargetAccount.passwordVerified
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchTargetAlias
  Example
  Parameters
    TargetAlias.name
    TargetAccount.ID
    TargetAlias.ID
    TargetServer.hostName
    TargetApplication.name
    TargetAccount.userName
    Page.Number
    Page.Size
    Sort.Property
    Sort.Direction
searchTargetApplication
  Example
  Parameters
    TargetApplication.ID
    TargetServer.ID
    TargetApplication.name
    TargetApplication.type
Page.Number ........................................................................................................................... 168
Page.Size ................................................................................................................................. 168
Sort.Property ............................................................................................................................ 168
Sort.Direction ........................................................................................................................... 168
searchTargetServer ................................................................................................................................. 169
Example ............................................................................................................................................ 169
Parameters ........................................................................................................................................ 169
TargetServer.ID ........................................................................................................................ 169
TargetServer.hostName ........................................................................................................... 169
TargetServer.ipAddress ........................................................................................................... 169
TargetServer.deviceName ....................................................................................................... 169
Page.Number ........................................................................................................................... 169
Page.Size ................................................................................................................................. 170
Sort.Property ............................................................................................................................ 170
Sort.Direction ........................................................................................................................... 170
searchUser .............................................................................................................................................. 170
Example ............................................................................................................................................ 170
Parameters ........................................................................................................................................ 170
UserGroup.ID ........................................................................................................................... 170
User.authenticationType .......................................................................................................... 171
User.status ............................................................................................................................... 171
User.firstName ......................................................................................................................... 171
User.lastName ......................................................................................................................... 171
searchUserGroup .................................................................................................................................... 171
Example ............................................................................................................................................ 171
Parameters ........................................................................................................................................ 172
UserGroup.ID ........................................................................................................................... 172
UserGroup.name ...................................................................................................................... 172
UserGroup.description ............................................................................................................. 172
UserGroup.userID .................................................................................................................... 172
Page.Number ........................................................................................................................... 172
Page.Size ................................................................................................................................. 172
Sort.Property ............................................................................................................................ 173
Sort.Direction ........................................................................................................................... 173
setDisasterRecoverySettings .................................................................................................................. 173
Example ............................................................................................................................................ 173
Parameters ........................................................................................................................................ 173
enable ...................................................................................................................................... 173
setInitProperty ......................................................................................................................................... 173
Example ............................................................................................................................................ 174
Parameters ........................................................................................................................................ 174
propertyName .......................................................................................................................... 174
propertyValue ........................................................................................................................... 174
setLocalProperty ..................................................................................................................................... 174
Example ............................................................................................................................................ 174
Parameters ........................................................................................................................................ 174
propertyName .......................................................................................................................... 174
propertyValues ......................................................................................................................... 175
setPasswordViewReasons ...................................................................................................................... 175
Example ............................................................................................................................................ 175
Parameters ........................................................................................................................................ 175
reasons .................................................................................................................................... 175
setPasswordViewRequestDeleteInterval ................................................................................................ 175
Example ............................................................................................................................................ 175
Parameters ........................................................................................................................................ 176
deleteIntervalDays ................................................................................................................... 176
setReportRowLimit .................................................................................................................................. 176
Example ............................................................................................................................................ 176
Parameters ........................................................................................................................................ 176
rowLimit .................................................................................................................................... 176
setSystemProperty .................................................................................................................................. 176
Example ............................................................................................................................................ 176
Parameters ........................................................................................................................................ 176
propertyName .......................................................................................................................... 176
propertyValues ......................................................................................................................... 177
encryptValue ............................................................................................................................ 177
propertyValueBlankAllowed ..................................................................................................... 177
updateAuthorization ................................................................................................................................ 177
Example ............................................................................................................................................ 177
Parameters ........................................................................................................................................ 177
Authorization.ID ........................................................................................................................ 177
TargetAlias.ID .......................................................................................................................... 178
Authorization.targetGroupId ..................................................................................................... 178
RequestServer.ID ..................................................................................................................... 178
RequestScript.ID ...................................................................................................................... 178
Authorization.requestGroupId .................................................................................................. 178
Authorization.checkExecutionID .............................................................................................. 178
Authorization.executionUser .................................................................................................... 179
Authorization.checkPath .......................................................................................................... 179
Authorization.checkFilePath ..................................................................................................... 179
Authorization.checkScriptHash ................................................................................................ 179
updateDBClusterMembers ...................................................................................................................... 179
Example ............................................................................................................................................ 180
Parameters ........................................................................................................................................ 180
database.ID .............................................................................................................................. 180
active ........................................................................................................................................ 180
method ..................................................................................................................................... 180
updateDBPassword ................................................................................................................................. 180
updateDBPassword .......................................................................................................................... 180
Example ................................................................................................................................... 181
Parameters ............................................................................................................................... 181
updateFilter ............................................................................................................................................. 181
Example ............................................................................................................................................ 182
Parameters ........................................................................................................................................ 182
Filter.ID ..................................................................................................................................... 182
Filter.objectClassId ................................................................................................................... 182
Filter.attribute ........................................................................................................................... 182
Filter.type ................................................................................................................................. 182
Filter.expression ....................................................................................................................... 182
updateGroup ........................................................................................................................................... 183
Example ............................................................................................................................................ 183
Parameters ........................................................................................................................................ 183
Group.ID ................................................................................................................................... 183
Group.name ............................................................................................................................. 183
Group.description ..................................................................................................................... 183
Group.type ............................................................................................................................... 183
Group.dynamic ......................................................................................................................... 183
Group.permissions ................................................................................................................... 184
updatePasswordPolicy ............................................................................................................................ 184
Example ............................................................................................................................................ 184
Parameters ........................................................................................................................................ 184
PasswordPolicy.ID ................................................................................................................... 184
PasswordPolicy.name .............................................................................................................. 184
PasswordPolicy.description ..................................................................................................... 184
Attribute.passwordPrefix .......................................................................................................... 185
Attribute.composedOfUpperCaseCharacters ........................................................................... 185
Attribute.composedOfLowerCaseCharacters ........................................................................... 185
Attribute.composedOfNumericCharacters ............................................................................... 185
Attribute.composedOfSpecialCharacters ................................................................................. 185
Attribute.specialCharacters ...................................................................................................... 185
Attribute.firstCharacterUpperCase ........................................................................................... 185
Attribute.firstCharacterLowerCase ........................................................................................... 186
Attribute.firstCharacterNumeric ................................................................................................ 186
Attribute.firstCharacterSpecial ................................................................................................. 186
Attribute.firstCharacterSpecials ................................................................................................ 186
Attribute.mustNotContainConsecutiveDuplicateCharacters ..................................................... 186
Attribute.mustNotContainAnyDuplicateCharacters .................................................................. 186
Attribute.mustNotContainCharacters ....................................................................................... 187
Attribute.composedOfMustNotContainCharacters ................................................................... 187
Attribute.minLength .................................................................................................................. 187
Attribute.maxLength ................................................................................................................. 187
Attribute.minIterationsBeforeReuse ......................................................................................... 187
Attribute.minDaysBeforeReuse ................................................................................................ 187
Attribute.enableMaxPasswordAge ........................................................................................... 188
Attribute.maxPasswordAge ...................................................................................................... 188
updatePasswordViewPolicy .................................................................................................................... 188
Example ............................................................................................................................................ 188
Parameters ........................................................................................................................................ 188
PasswordViewPolicy.ID ........................................................................................................... 188
PasswordViewPolicy.name ...................................................................................................... 188
PasswordViewPolicy.description .............................................................................................. 189
PasswordViewPolicy.changePasswordOnView ....................................................................... 189
PasswordViewPolicy.allowChangePasswordOnViewForSso .................................................. 189
PasswordViewPolicy.passwordChangeInterval ....................................................................... 189
PasswordViewPolicy.checkinCheckoutRequired ..................................................................... 189
PasswordViewPolicy.checkinCheckoutInterval ........................................................................ 189
PasswordViewPolicy.dualAuthorization ................................................................................... 190
PasswordViewPolicy.dualAuthorizationInterval ....................................................................... 190
PasswordViewPolicy.approvers ............................................................................................... 190
PasswordViewPolicy.approverIDs ........................................................................................... 190
PasswordViewPolicy.authenticationRequired .......................................................................... 190
PasswordViewPolicy.enableOneClickApproval ....................................................................... 191
PasswordViewPolicy.passwordViewRequestMaxInterval ........................................................ 191
PasswordViewPolicy.passwordViewRequestMaxDays ........................................................... 191
updatePasswordViewRequestStatus ...................................................................................................... 191
Example ............................................................................................................................................ 191
Parameters ........................................................................................................................................ 191
PasswordViewRequest.ID ........................................................................................................ 191
PasswordViewRequest.status .................................................................................................. 192
PasswordViewRequest.statusCode ......................................................................................... 192
PasswordViewRequest.approvalReason ................................................................................. 192
PasswordViewRequest.approvalReasonDescription ............................................................... 192
updateRequestScript ............................................................................................................................... 192
Example ............................................................................................................................................ 193
Parameters ........................................................................................................................................ 193
RequestScript.ID ...................................................................................................................... 193
RequestServer.ID ..................................................................................................................... 193
RequestScript.name ................................................................................................................. 193
RequestScript.executionPath ................................................................................................... 193
RequestScript.filePath .............................................................................................................. 193
RequestScript.type ................................................................................................................... 194
Attribute.descriptor1 ................................................................................................................. 194
Attribute.descriptor2 ................................................................................................................. 194
updateRequestServer ............................................................................................................................. 194
Example ............................................................................................................................................ 194
Parameters ........................................................................................................................................ 194
RequestServer.ID ..................................................................................................................... 194
RequestServer.hostName ........................................................................................................ 195
RequestServer.deviceName .................................................................................................... 195
RequestServer.active ............................................................................................................... 195
RequestServer.port .................................................................................................................. 195
RequestServer.updatePortFlag ................................................................................................ 195
RequestServer.acceptPendingFingerprint ............................................................................... 195
RequestServer.preserveHostName ......................................................................................... 196
RequestServer.type ................................................................................................................. 196
RequestServer.patchStatus ..................................................................................................... 196
Attribute.descriptor1 ................................................................................................................. 196
Attribute.descriptor2 ................................................................................................................. 196
updateRequestServerDefaults ................................................................................................................ 197
Example ............................................................................................................................................ 197
Parameters ........................................................................................................................................ 197
RequestServerDefaults.ID ....................................................................................................... 197
RequestServerDefaults.subnet ................................................................................................ 197
RequestServerDefaults.type .................................................................................................... 197
RequestServerDefaults.active .................................................................................................. 197
RequestServerDefaults.descriptor1 ......................................................................................... 198
RequestServerDefaults.descriptor2 ......................................................................................... 198
updateRequestServerKey ....................................................................................................................... 198
Example ............................................................................................................................................ 198
    Parameters
      RequestServer.hostName
      RequestServer.ID
  updateRole
    Example
    Parameters
      Role.ID
      Role.name
      Role.description
      Role.permissions
  updateServerKey
    updateServerKey
      Example
  updateSite
    Example
    Parameters
      Site.ID
      Site.name
      Site.type
      Site.hostName
  updateSSHKeyPairPolicy
    Example
    Parameters
      SSHKeyPairPolicy.ID
      SSHKeyPairPolicy.name
      SSHKeyPairPolicy.description
      SSHKeyPairPolicy.keyType
      SSHKeyPairPolicy.keyLength
  updateTargetAccount
    Example
    Parameters
      TargetAccount.ID
      TargetApplication.ID
      TargetAccount.userName
      TargetAccount.password
      TargetAccount.cacheAllow (Deprecated)
      TargetAccount.cacheBehavior
      TargetAccount.cacheDuration
      TargetAccount.privileged
      TargetAccount.accessType
      TargetAccount.synchronize
      Attribute.changePasswordAfterViewing
      Attribute.descriptor1
      Attribute.descriptor2
      PasswordViewPolicy.ID
      TargetAlias.name
      useTargetAliasNameParameter
      TargetAccount.compoundAccount
      TargetAccount.compoundServerIDs
      passwordIsBase64Encoded
  updateTargetAccountDescriptor
    Example
    Parameters
      TargetServer.hostName
      TargetApplication.name
      TargetAccount.userName
      TargetAccount.ID
      Attribute.descriptor1
      Attribute.descriptor2
  updateTargetAccountPassword
    Example
    Parameters
      TargetServer.hostName
      TargetApplication.name
      TargetAccount.userName
      TargetAccount.ID
      groupID
      password
      confirmPassword
      allowUnsynchronized
      TargetAccount.passwordVerified
  updateTargetAlias
    Example
    Parameters
      TargetAlias.ID
      TargetAccount.ID
      TargetAlias.name
  updateTargetApplication
    Example
    Parameters
      TargetApplication.ID
      TargetServer.ID
      TargetApplication.name
      TargetApplication.type
      PasswordPolicy.name
      PasswordPolicy.ID
      Attribute.descriptor1
      Attribute.descriptor2
      Attribute.enableAutoConnectTargetAccount
  updateTargetServer
    Example
    Parameters
      TargetServer.ID
      TargetServer.hostName
      TargetServer.deviceName
      Attribute.descriptor1
      Attribute.descriptor2
  updateUser
    Example
    Parameters
      User.userID
      User.password
      User.authenticationType
      User.status
      User.userGroupIDS
      User.userGroupNames
      User.firstName
      User.lastName
      User.email
      User.viewType
      User.viewType
  updateUserGroup
    Example
    Parameters
      UserGroup.ID
      UserGroup.name
      UserGroup.description
      UserGroup.roleID
      UserGroup.groups
      UserGroup.readOnly
  updateUserPassword
    Example
    Parameters
      User.password
  updateUserStatus
    Example
    Parameters
      User.userID
      User.status
  verifyAccountPassword
    Example
    Parameters
      TargetAccount.ID
      groupID
      TargetAccount.passwordVerified
  verifyDBHash
    Example
  viewAccountPassword
    Example
    Parameters
      TargetAccount.ID
      adminUserID
      adminPassword
      reason
      reasonDetails
      selectedComponent
      ssoType
      PasswordViewRequest.requestPeriodStart
      PasswordViewRequest.requestPeriodEnd
      referenceCode
Methods for Integrating the Credential Manager A2A Client
  Factors That Determine the Method to Use
  Integrate Applications Using Java
    Java Integration Process
    CSPMClient and Related Java Classes
  Integrate Applications Using the A2A Client
    A2A Client Integration Process
    cspmclient Constraints
    cspmclient Usage
    cspmclient Return Values
  Integrate Windows Applications and Scripts Using a Windows DLL
    MFC DLL Integration Process
    ATL DLL Integration Process
    DLL Methods
    DLL Constraints
    Register Mapping Between Request Server and Target Alias
    HSQL Database Usage
  Integrate a Java Application Using Tomcat
    Integration Process for Tomcat
    Configure Your Development Environment for Apache Tomcat
    Deploy and Run the Sample Tomcat Application
    Apache Tomcat Credential Viewer
      Class File
    Apache Tomcat Connection Pool with HSQLDB Data Store
      Data Source
    Register Apache Tomcat Requestor
  Integrate a Java Application using WebLogic
    Integration Process for WebLogic
    Configure your Development Environment for WebLogic
    Deploy and Run the Sample WebLogic Application
    WebLogic Credential Viewer
      Class File
    WebLogic Connection Pool with HSQLDB Data Store
    Register WebLogic Requestor
  Integrate a Java Application using WebSphere Community Edition
    Integration Process for WebSphere CE
    Configure your Development Environment for WebSphere CE
    Deploy and Run the Sample WebSphere CE Application
    WebSphere CE Credential Viewer
      Class File
    WebSphere CE Connection Pool with HSQLDB Data Store
    Register WebSphere CE Requestor
Integrate Apps to Use the Credential Manager A2A Client on UNIX
  Integrate a Perl Script with A2A Client on UNIX
    Code: Perl Script with A2A Client on UNIX
    Register Requestor - Perl Script with A2A Client on UNIX
  Integrate a C or C++ Application with A2A Client on UNIX
    Code: C Application with A2A Client on UNIX
    Register Requestor - C or C++ Application with A2A Client on UNIX
  Integrate a Korn Shell Script with A2A Client on UNIX
    Code: Korn shell script with A2A Client on UNIX
    Register Requestor - Adding a Korn shell script with A2A Client on UNIX
  Integrate a C Shell Script with A2A Client on UNIX
    Code: C Shell Script with A2A Client on UNIX
    Register Requestor - C shell Script with A2A Client on UNIX
  Integrate a PHP Script with A2A Client on UNIX
    Code: PHP Script with A2A Client on UNIX
    Register Requestor - PHP Script with A2A Client on UNIX
  Integrate a Python Script with A2A Client on UNIX
    Code: Python Script with A2A Client on UNIX
    Register Requestor - Python Script with A2A Client on UNIX
Integrate Apps to Use the Credential Manager A2A Client on Windows
  Integrate a Perl Script with A2A Client on Windows
    Code: Perl Script with A2A Client on Windows
    Register Requestor - Perl Script with A2A Client on Windows
  Integrate a Visual Basic Application
    Code: Visual Basic Application
    Register Requestor - Visual Basic Application
  Integrate a Visual C++ Application
    Code: Visual C++ Application
    Register Requestor - Visual C++ Application
  Integrate a C#.NET Application using IIS Application Server
    Integration Process for IIS
    Deploy and Run the Sample IIS Application
    Configure your Development Environment for IIS
    IIS Credential Viewer
      Class File
    IIS Connection with SQL Server 2005 Express Edition Data Store
      Data Source
    Register IIS Requestor
    Register SQL Server 2005 Express Edition as a Target Application
  Integrate a Visual Basic, Java, or Windows Script
    Visual Basic Script
      Code: Visual Basic Script
      Register Requestor - Visual Basic Script
    Java Script
      Code: Java Script
      Register Requestor - Java Script
    Windows Script
      Code: Windows Script
      Register Requestor - Windows Script
Remote HTTP Interface to a Credential Manager A2A Client
  Access URL from Only the Local Host
  Access URL from Local Host Network
  Access URL from Local Host and Local Host Network
Programming
The content in this section describes how to use the following APIs to create applications that
interact with CA Privileged Access Manager:
ExternalAPI – A REST API that allows custom applications to configure and provision CA
Privileged Access Manager.
Note: The ExternalAPI is separately licensed. Contact your CA Account Representative for
more information.
Credential Manager CLI – A command-line interface (CLI) that allows you to enter Credential
Manager commands, or scripts of commands, from a command line.
Credential Manager Java API – A Java API that provides access to Credential Manager capabilities
from a Java program.
Contents
ExternalAPI (see page 34)
Credential Manager APIs (see page 54)
Credential Manager CLI Commands (see page 65)
Credential Manager CLI User Interface Actions (see page 223)
Methods for Integrating the Credential Manager A2A Client (see page 232)
A2A Integration Return Data (see page 242)
Integrate Java Apps to Use Credential Manager (see page 245)
Integrate Apps to Use the Credential Manager A2A Client on UNIX (see page 290)
Integrate Apps to Use the Credential Manager A2A Client on Windows (see page 300)
Remote HTTP Interface to a Credential Manager A2A Client (see page 315)
ExternalAPI
The CA Privileged Access Manager ExternalAPI is a REST API that provides programmatic control over
most functions related to provisioning and managing access such as managing users, devices, and
policies.
Overview
A built-in document explorer can be accessed for the ExternalAPI through the GUI to provide
syntax.
ExternalAPI access is over HTTPS and data that is sent and received is in the form of JSON records.
For more information about JSON, see http://www.json.org/.
The format of all REST URIs in the CA Privileged Access Manager ExternalAPI is:
https://<xsuite_hostname>/api.php/<api-version>/<resource-name>.json
The <api-version> part of the URI indicates the REST API version.
The final part of the URI is the <resource-name>. This part names the actual REST API "resource"
that determines what response you receive. A REST resource is analogous to an object in object-
oriented programming or a database row in a database system. ExternalAPI resources have
names like "devices", "users", or "services".
Different resources can expect more path parameters, often to identify an individual resource. For
instance, putting all the above together, the URI to a user with the id of 1 would look like:
https://<xsuite_hostname>/api.php/v1/users/1
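An added example (Python, not CA's code) of the URL validation that the PHP sample later on this page leaves out: it builds ExternalAPI URIs in the two shapes shown above from allow-listed parts, and checks the "name:password" API key string that the PHP sample's makeAPIRequest expects. The function names, the allow-list patterns and the host pam.example.com are assumptions of this example.

```python
import re
from urllib.parse import urlencode

# Allow-lists are assumptions of this example, deliberately stricter than
# anything the product documents, so a bad value fails before a request is sent.
_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?(?::[0-9]{1,5})?")
_VERSION = re.compile(r"v[0-9]+")
_RESOURCE = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def _check(pattern, value, what):
    """Return value unchanged if it fully matches pattern, else raise."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"rejected {what}: {value!r}")
    return value


def build_uri(host, version, resource, item_id=None, query=None):
    """Build https://<host>/api.php/<version>/<resource>.json for a collection,
    or https://<host>/api.php/<version>/<resource>/<id> for one item.

    Every path component is validated, so caller-supplied text cannot add
    path segments, credentials or a different host to the URI.
    """
    base = "https://{}/api.php/{}/{}".format(
        _check(_HOST, host, "host"),
        _check(_VERSION, version, "api-version"),
        _check(_RESOURCE, resource, "resource-name"),
    )
    if item_id is None:
        uri = base + ".json"
    else:
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(item_id, bool) or not isinstance(item_id, int) or item_id < 1:
            raise ValueError(f"rejected id: {item_id!r}")
        uri = f"{base}/{item_id}"
    if query:
        # urlencode escapes &, =, spaces and so on in search values
        uri += "?" + urlencode(query)
    return uri


def split_api_key(api_key):
    """Split 'name:password' on the first colon and return (name, password).

    Mirrors the PHP sample's rule (a colon, not in first position) and also
    rejects an empty password and white space in the name, since the API key
    Name field cannot contain white space.
    """
    name, sep, secret = api_key.partition(":")
    if not sep or not name or not secret:
        raise ValueError("API key must be '<name>:<password>'")
    if any(ch.isspace() for ch in name):
        raise ValueError("API key name cannot contain white space")
    return name, secret


if __name__ == "__main__":
    print(build_uri("pam.example.com", "v1", "users"))
    print(build_uri("pam.example.com", "v1", "users", item_id=1))
    print(build_uri("pam.example.com", "v1", "users", query={"userName": "jsmith"}))
```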
filters – provides support for retrieving the list of command and socket filter lists
logs – provides support for retrieving and searching the session logs
passwords – provides support for viewing and checking out target accounts
1. Apply a license, or verify that CA Privileged Access Manager is licensed, for ExternalAPI.
3. Authorize CA PAM Users (see page ) for documentation access and test API calls.
Licensing
If you are upgrading to CA Privileged Access Manager, or if ExternalAPI was not enabled in your
purchased license for version 2.4.4 or later, obtain an ExternalAPI license from your CA Technologies
representative and install it:
2. If you have a CA Privileged Access Manager cluster, turn it off at Config > Synchronization >
Cluster Settings > Turn Cluster Off, and then perform steps 3 through 5 on each cluster
member.
4. In the Install New License panel, click Choose File to select the file you received, and click
Upload License.
The Verify New License shadow window appears.
5. Confirm that ExternalAPI Capability is identified as Enabled, and click Save New License . Your
new license indicates the addition of this capability.
Configuration
Enable the API
The ExternalAPI must be enabled through a configuration setting on the Config > Security page. This
setting enables external calls to CA Privileged Access Manager using the ExternalAPI for authorized
scripts (see API Keys) and access to online API Explorer documentation for Users provisioned with this
role.
The two API systems available to CA Privileged Access Manager administrators – the new product-
wide ExternalAPI and the previously available Credential Manager CLI – are each enabled or disabled
from the new Config > Security > ExternalAPI Access panel at the bottom of that GUI page. Each is
disabled (unselected) by default.
Select the Enable External REST API checkbox, and then click the Update button.
The settings change is made, and you see:
A message at the top of the page: External API Access has been updated successfully
In Sessions > Logs, a log entry with this Details field message:
The ExternalAPI features are now available through the following interfaces:
You can execute the API method calls from an external source
In the Global Settings > Basic Settings panel, clear the ExternalAPI Buttons: Enable checkbox. (This
setting is enabled by default.)
2. Open the record of a User who is authorized to execute API method calls.
At the bottom of the record is the new API Keys panel.
3. Click Create New API Key to open a blank new set of API Key fields.
4. Enter at least a Name for this key set, and select the User roles that are appropriate for API
use for this User.
A suffix, in this case – 1, that matches this User ID is attached to this Name. This suffix is
displayed to the right of the Name field. If the API Key is being created simultaneously with
the User record, this suffix will initially appear as – 0 but will be revised to the newly assigned
User ID after the record is saved. The Name field cannot contain white space.
The Available Roles drop-down lists only those roles that your own role as an administrator
allows. For example, if you are a Global Administrator, all roles are listed. If you are
specifically a Delegated Administrator, only the roles of Delegated Administrator, Device
/Group Manager, Policy Manager, and User/Group Manager are available for selection. If a
role selected here is not one that this User has been assigned (for GUI use), you receive a
warning that it is outside the permitted scope for this User. The User record cannot be saved
until you remove the role.
5. If you want to create a key but do not want to activate it at this time, clear the Active
checkbox. Until the checkbox is re-selected, the User is not able to use these credentials to
make API method calls.
6. Create any additional API keys that are needed by again clicking Create New API Key , and
then click Save.
Important!
Do not change any fields (except for Descriptor 1 or Descriptor 2) in the target
application= "ApiKey". Do not create any additional target applications of Application
Type= "Xsuite API Key".
There is now a specialized policy record in which, for this Device (apikey.xceedium.com),
only Passwords access is permitted.
The User can therefore immediately view the API Key from the Access page. See Obtain
API keys (see page 41).
Note
The CSV template that is available from the Download Sample File link does not
provide an API Keys example. This User attribute is not applicable when ExternalAPI
is unlicensed.
2. In a spreadsheet, column 29 of the CSV file, labeled "API Keys" in the row 1 header cell, is
reserved for those values. Each API Keys column cell has values that are represented by a
concatenation of fields:
name=apiKey1Name/;isActive=[t|f]/;description=descriptionOfApiKey1/;roles=rolename=rolename1Of
"   If multiple keys are assigned to one User, insert a double-quote character before and after the full cell string.
/;  Insert [slash+semicolon] between each pair of fields in a key.
 ,  Insert [space+comma] between each pair of roles when there are multiple roles in a key.
#&  Insert [hash+ampersand] between each pair of keys in a cell.
The User API Key cell in the CSV file (API Keys column of the spreadsheet) should contain the
following string:
roleUserGroups= roleDeviceGroups=. ,
roleName=Password Manager roleUserGroups=.
roleDeviceGroups=#&name=test234/;isActive=t/;description=Test 234.
description./;roles=roleName=Service Manager roleUserGroups= roleDeviceGroups=. ,
3. Upload the completed CSV file in the Users > Import/Export Users > Import Users from CSV
file panel, using the Browse and the Import Users buttons.
Note: You can safely import data from an older format file – one that does not have
API Keys information – to CA Privileged Access Manager.
Deactivating a Key
If you do not want to discard an existing key, you can deactivate it for later reuse. In the key settings,
clear the Active checkbox.
Removing a Key
In the API Keys panel, in the upper-right corner of the provisioning fields for the particular key, is a
small bold x. Mouse over this x to see a box around the fields, then click the x to remove the group of
key widgets entirely.
Documentation/Test
Users who are preparing a production implementation are able to review documentation and
perform test calls of the API methods within the GUI.
Note
Executing API method calls in this manner acts on the actual CA Privileged Access Manager
database, but returns messages and output only to fields displayed in the documentation
interface.
Overview
Each API method is presented with a description and its syntax. The API documentation interface
permits you to execute the API method on the existing CA Privileged Access Manager database, and
immediately display return objects within an expansion of the API method window. The bold items
are actual labels in the GUI. For actual GUI examples, see the procedure in View Documentation (see
page 40).
Implementation Notes – Describes the API function (body appears in line item)
Response Information – Identifies database objects to be reported
Parameters – Describes each input parameter. Populate the required fields here to get a test response
(below)
Try it out! – Displays API output and other processing information (as identified in Response
sections)
Response sections – These appear after you run the API method call by clicking Try it out! (above):
Request URL – Displays the URL submitted to CA PAM for API method call processing
Response Body – Displays JSON structure returned
Response Code – Displays HTTP status codes returned
Response Headers – Displays response fields of the HTTP transaction
The execution or test button ("Try it out!") can be disabled and hidden, so that no operations can be
performed on active CA Privileged Access Manager settings. See Disable the test button (see page 36).
View Documentation
Each API method can be examined and tested with varying parameters from the CA Privileged Access
Manager API Explorer.
1. From any page in the administration GUI, click API Doc in the top right-hand menu. (The link is
not available from the Credential Manager GUI.)
The Xsuite API Explorer opens in a new browser window. Several line items correspond to
database access categories, such as devices and filters. For each category, there are three GUI
operations provided in the menu to the right:
Show/Hide – Toggles the display in the current display mode (List Operations or Expand
Operations) for the API method category.
Expand Operations – Displays parameter details (“man pages”) for all API methods in that
category.
The list of API method operations available in that category is displayed, grouped by method:
GET / POST / PUT / DELETE
You can toggle this view open or closed by clicking the API method category label.
After providing any required parameter values, you can obtain credentials (see Obtain API keys (see
page 41)) and then test the API method (see Run test API requests (see page 42)) on the existing
database.
2. For the Device="apikey.xceedium.com", select Target Applications > Your Target Application
Name > Your API Key Target Account Name.
1. For the API example shown earlier, you populate a single parameter: the User ID into the
Parameters id field. Make any needed edits to the requested User attribute list (Parameters
fields field).
If you do not have this User ID, you can obtain it from a previous API operation, such as "get
/v1/users.json". This operation retrieves basic information from all User records.
For example, in Firefox 35: Open Tools > Options > Privacy > Firefox will: Remember history > clear
your recent history link. With at least the Active Logins checkbox selected in the Details panel, select
the desired Time range to clear, and click OK.
Implementation
Work with CA Technologies Professional Services to prepare client software that can access CA
Privileged Access Manager with API requests. A PHP example using curl follows.
<?php
class APIConstants{
const DEVICE_ENDPOINT_V1 = "/api.php/v1/devices.json";
const DEVICE_GROUP_ENDPOINT_V1 = "/api.php/v1/devicegroups.json";
const GET = "GET";
const POLICIES_ENDPOINT_V1 = "/api.php/v1/policies.json";
const ROLE_GLOBAL_ADMINISTRATOR = 1;
const ROLE_STANDARD_USER = 2;
const ROLE_OPERATIONAL_ADMINISTRATOR = 14;
const POST = "POST";
const PUT = "PUT";
const TWO_DAYS = 172800;
const USER_ENDPOINT_V1 = "/api.php/v1/users.json";
const USER_GROUP_ENDPOINT_V1 = "/api.php/v1/userGroups.json";
}
/**
*
* This function will make a single request to the API.
* @param string $apiKey - api key name and password delimited by colon
* @param string $url - the URL to reach the desired endpoint of the API.
* For a get may include parameters
* @param string $postData - JSON encoded set of parameters
* @param string $httpOperation - GET, POST, PUT, or DELETE
* @return string -1 for failure, otherwise results of request
*/
function makeAPIRequest($apiKey, $url, $postData = null, $httpOperation) {
global $debug;
$httpOperation = strtoupper($httpOperation);
if(!in_array($httpOperation,array("GET","POST","PUT","DELETE"))){
return -1;
}
/*
In real code the url could be validated. This is left out as a distraction
to the point of the cookbook.
*/
if(!empty($postData) && is_null(json_decode($postData))){
error_log("Invalid post data " . print_r($postData,true) .
"\n Post data must be in JSON format.");
return -1;
}
// apiKey must have at least one colon, and not in the first position
if(strpos($apiKey,":") == 0){
error_log("Incorrectly formatted api key. Key must consist of api key name, a colon, and the
}
}
/*
* These are useful debug statements
*/
if($debug){
echo "XXX: URL = " . $url . PHP_EOL;
echo "YYY: parameters = " . print_r($postData, true) . PHP_EOL;
echo "ZZZ: httpOperation = " . $httpOperation . PHP_EOL;
}
$data = curl_exec($ch);
if($debug){
echo "AAA: return = " . print_r($data,true) . PHP_EOL;
}
$error = curl_error($ch);
if(!empty($error)){
error_log("CURL request to $url returned error: $error");
$data = -1;
}
curl_close($ch);
return trim($data);
}
/* assume following parameters
* argv[1] = URL component e.g, http://10.1.10.24/ port may be included
* argv[2] = user name for REST API
* argv[3] = password for REST API
* argv[4] = first name of user to be provisioned
* argv[5] = last name of user
* argv[6] = email address of user
* argv[7] = device name
* argv[8] = domain name
* argv[9] = operating system
* argv[10] = user name for target account
* argv[11] = debug 0 for false any positive for true
*/
if(count($argv) != 12){
// in real code more information would be supplied
echo " Missing required parameters. ". PHP_EOL;
return ;
}
$baseURL = $argv[1];
$apiKey = $argv[2]. ":" . $argv[3];
$firstName = $argv[4];
$lastName = $argv[5];
$email = $argv[6];
$device['deviceName'] = $argv[7];
$device['domainName'] = $argv[8];
$device['os'] = $argv[9];
$userAccountName = $argv[10];
$debug = $argv[11];
/*
* Determine if the user already exists.
* The user name has to be unique, but since all searches are 'contains ' style, add the first and la
* to reduce the number of substring hits. For this first example we will code the URL manually
*/
$url = "https://" . $baseURL . APIConstants::USER_ENDPOINT_V1 . "?userName=" .urlencode($userName) .
/*
* if the user is not found, create it. Have it immediately active, but expiring in 48 hours
* from now
*/
if($userList['totalRows'] === 0){
// The return from creating a new user is the id of the newly created user
$userId = buildNewUser($userName,$firstName,$lastName,$email);
// add error checking
if($userId == -1){
echo " Failed to add new user " . $userName .". Aborting";
return;
}
}else{
/*
// if the user already exists then
// update the expiration time by two days unless the expiration date is set to unlimited or
if(isset($deviceList['totalRows'])){
// cases 0 matches - go ahead and create it
switch($deviceList['totalRows']){
case 0:
$deviceId = buildNewDevice($device);
$device['deviceId'] = $deviceId;
// now add an access method
$accessMethodId = updateDevice($device);
break;
case 1:
// confirm both dom name and device name match
// check for access method if missing add it.
$deviceCandidate = $deviceList['devices'][0];
if($deviceCandidate['deviceName'] == $device['deviceName'] &&
$deviceCandidate['domainName'] == $device['domainName']){
$accessMethodId = updateDevice($deviceCandidate);
$deviceId = $deviceCandidate['deviceId'];
$device['deviceId'] = $deviceId;
}else{ // conflict
echo "Device retrieved was " . $deviceCandidate['deviceName'] .
" with a domain name of " . $deviceCandidate['domainName'] . PHP_EOL;
echo "Device searched for was " . $device['deviceName'] .
" with a domain name of " . $device['domainName'] . PHP_EOL;
return -1;
}
break;
default:
// find the device that has an exact hit if any and update it
foreach($deviceList['devices'] AS $deviceCandidate){
$foundDevice = false;
if($deviceCandidate['deviceName'] == $device['deviceName'] &&
$deviceCandidate['domainName'] == $device['domainName']){
$accessMethodId = updateDevice($deviceCandidate);
$deviceId = $deviceCandidate['deviceId'];
$device['deviceId'] = $deviceId;
$foundDevice = true;
break;
}
}
if(!$foundDevice){
echo "Could not find device with name " . $device['deviceName'] .
" and domain name of " . $device['domainName'] . PHP_EOL;
return -1;
}
}
}else{
/*
* problem with query
*/
echo "Device retrieve query had a problem. Details were " . print_r($deviceList,true) . PHP_EOL;
if(empty($targetAccountId)){
$targetAccountId = addTargetAccount($deviceId,$targetApplicationId,$userAccountName);
}
$policy = findExistingPolicy($userId,$deviceId);
if($policy === 0){
$policyId = addPolicy($userId,$deviceId,$accessMethodId);
}elseif(is_array($policy)){
$policyId = $policy['id'];
}elseif ($policy == -1){
return;
}
// retrieve the policy again and add the target application for auto-connect
$policy = findExistingPolicy($userId,$deviceId);
addSSOToPolicy($policy,$accessMethodId,$targetAccountId);
function buildNewUser($userName,$firstName,$lastName,$email){
global $apiKey, $baseURL;
// We can either use stdClass or an associative array to build POST or PUT data.
}
/*
* Another way to give users certain roles is to assign them to a user group with those roles.
* As an example we will get the id for a group called Standard Role Users
* This example uses the php http_build_query function to generate the URL encoded parameters
*/
function addUserToGroup($userId,$groupName){
global $apiKey,$baseURL;
$url = "https://" . $baseURL . APIConstants::USER_GROUP_ENDPOINT_V1 . "?" .
http_build_query(array("groupName"=>$groupName,"fields"=>"groupId,groupName,description"));
function updateUser($userCandidate){
global $apiKey,$baseURL;
$user['userId'] = $userCandidate['userId'];
$userId = $userCandidate['userId'];
if(!empty($userCandidate['expiration'])){
$newExpirationTime = time() + APIConstants::TWO_DAYS;
$user['expiration'] = ($newExpirationTime > $userCandidate['expiration']) ?
$newExpirationTime : $userCandidate['expiration'];
}
$addStandardUsers = true;
if(count($userCandidate['roles']) > 0){
foreach($userCandidate['roles'] AS $role){
if(in_array($role['roleId'],
array(APIConstants::ROLE_STANDARD_USER,APIConstants::ROLE_GLOBAL_ADMINISTRATOR,
APIConstants::ROLE_OPERATIONAL_ADMINISTRATOR))){
$addStandardUsers = false;
break;
}
}
}
if($addStandardUsers){
$user['roles'] = $userCandidate['roles'];
$user['roles'][] = array("roleId"=>APIConstants::ROLE_STANDARD_USER,
"userGroups"=>array(),
"deviceGroups"=>array());
}
$updateUrl = "https://" . $baseURL . APIConstants::USER_ENDPOINT_V1;
$parameters['data'] = $user;
$result = makeAPIRequest($apiKey, $updateUrl, json_encode($parameters),APIConstants::PUT);
* @param string $fields what information about a device you want returned. NULL takes the
}
/**
* create a new device
* @return deviceId (int)
* @param array $device
*/
function buildNewDevice($device){
global $apiKey,$baseURL;
$url = "https://" . $baseURL . APIConstants::DEVICE_ENDPOINT_V1;
$deviceId = makeAPIRequest($apiKey, $url,json_encode($device), APIConstants::POST);
/*
* We know there is only one entry in the array at most
// since there may be multiple error messages return everything, not just this error
}
/**
* Find a target account for a particular target application (and hence for a particular device)
/**
*
* @param int $deviceId
* @param int $targetApplicationId
* @param string $accountName
* @return Ambiguous <string, number> int if successful add otherwise
*/
function addTargetAccount($deviceId, $targetApplicationId, $accountName){
global $apiKey, $baseURL;
$parameter['data']['accountName'] = $accountName;
// special code to tell PA to generate a unique password based on password composition policy
if(!is_numeric($results)){
// decode if this is a JSON string
$checkResults = json_decode($results, true);
if(!empty($checkResults)){
$results = $checkResults;
}
}
return $results;
}
/**
*
* @param int $userId
* @param int $deviceId
* @return policy object if found, 0 if no policy, -1 if invalid parameters
*/
function findExistingPolicy($userId,$deviceId){
global $apiKey, $baseURL;
$url = "https://" . $baseURL . APIConstants::POLICIES_ENDPOINT_V1 . "/" . $userId . "/" . $devic
if(is_numeric($results)){
return $results;
}
}
/**
* Replace the existing access method for the policy with one that has a target account for auto-conn
"/accessMethods";
$results = makeAPIRequest($apiKey, $url,json_encode($putData),APIConstants::PUT);
A command-line interface (CLI) which permits the entry of a Credential Manager command, or a
script of commands, from a Windows or UNIX/Linux command line.
A Java API which gives access to Credential Manager capabilities from a Java program
Both the CLI and the Java API can also be invoked from a remote (client) computer. The Java API
creates an HTTPS connection from the remote computer to the CA Privileged Access Manager
appliance. The CLI is a command-line program that invokes the Java API to submit commands that are
entered on the Windows or UNIX/Linux command line. The remote computer must be able to
connect with HTTPS through the network to the CA Privileged Access Manager appliance. No matter
which UI is used, the commands and actions available to a user depend on the roles and groups that
are assigned to them.
The Java API provides you with a mechanism to integrate Credential Manager seamlessly with your
Java programs. Most password management user interface actions available through the GUI are also
available through the Java API. The Java API is supported on the Unix, Linux and Windows platforms,
and is packaged in cliTool.jar. The cliTool.jar file contains JavaDocs that describe each of
the interfaces.
The content in this section provides detailed information about the Credential Manager APIs.
Prepare to Use the Credential CLI and Java API (see page 54)
Create a Java Program Using the Credential Manager Java API (see page 56)
Use the Credential Manager CLI (see page 58)
To use the remote CLI or the Java API, you need the cliTool corresponding to the release of the
software running on the CA Privileged Access Manager appliance. The cliTool can be downloaded
from the CA Technologies support site. It contains the following files. Copy them to the desired
installation directory:
cliTool.jar
capam_command (for UNIX or Linux CLI access) or capam_command.bat (for Windows CLI
access)
javaAPIExample.java, to help you learn how to use the Java API. See also Java API Example
(https://docops.ca.com/display/CAPAM28/Java+API+Example) for a listing of the
javaAPIExample.java file.
In addition, the Java JRE must also be installed. Credential Manager supports Version 7. The Java JRE
can be downloaded from http://www.java.com.
If you are creating a Java application that uses the Java API, you also need the Java Version 7 SDK.
Use the following procedure to configure your client computer (the remote computer) to trust the CA
Privileged Access Manager certificate and use the CLI or Java API for Credential Manager operations.
Note:
There are many ways in which you can generate the keystore; the following
example illustrates only one method.
In the previous KEYTOOL examples for UNIX and Windows, customers can substitute
capam.crt for another filename with extension .crt of their choosing. However,
customers must specify the keystore name as capam.keystore.
b. Verify that the certificate was imported by listing the keystore contents:
c. Put the new keystore file (capam.keystore) in the same directory as cliTool.jar
To run a program that uses the Java API, ensure that the cliTool.jar file is part of the classpath.
You access the Java API from a Java program by including the cliTool.jar in your project
classpath.
Use the following procedure to use the Java API to run CLI commands from your Java program.
com.cloakware.cspm.common.AdminAPICommandNames
com.cloakware.cspm.common.AdminAPIParameterNames
com.cloakware.cspm.server.ui.Request
com.cloakware.cspm.server.ui.AdminAPI
com.cloakware.cspm.server.ui.Result
Base Model objects represent elements of the Credential Manager data model. They include
all objects that are derived from the BaseModel class; such as TargetAccount,
TargetApplication, TargetServer, Role, Request, RequestScript, and
RequestServer.
import com.cloakware.cspm.common.AdminAPICommandNames;
import com.cloakware.cspm.common.AdminAPIParameterNames;
import com.cloakware.cspm.server.ui.Request;
import com.cloakware.cspm.server.ui.AdminAPI;
import com.cloakware.cspm.server.ui.Result;
4. Perform your CLI commands. You can run CLI commands by:
If the command involves a Base Model object, you can create an instance of the Base
Model object and can run the AdminAPI add, update, or delete method.
For example, to add a target server using the Request object and AdminAPI execute
method:
For example, to add a target server using the TargetServer object and the AdminAPI add
method:
myTargetServer.setHostName("myhost.mydomain2.com");
myTargetServer.setIPAddress("10.12.13.14");
Result myResult = adminAPI.add(myTargetServer);
System.out.println("result: "+ myResult.getStatusMessage());
5. When you have completed performing CLI commands, log out from the Credential Manager
server:
adminAPI.logout();
Tip: The CLI often requires commands that are long. To allow commands to span multiple
lines in UNIX, use the continuation character \ (backslash).
Note: If a parameter value contains a space, enclose the entire value pair definition in
quotes. For example, enter "TargetApplication.name=AWS Access
Credential Accounts" rather than TargetApplication.name="AWS
Access Credential Accounts".
On UNIX/Linux, define the variable CAPAM_DIR to point to the remote access installation directory:
export CAPAM_DIR=installationDir
To verify that the remote CLI works, execute a CLI command. For example, run:
The provided host name (mycompany.com) must match the server name that is used in the
certificate. If the certificate contains an IP address for the CA Privileged Access Manager appliance, it
can be used instead of mycompany.com.
You are prompted for the Credential Manager administrator password before the command
executes.
If the command executes successfully, it produces an XML string. See CLI Return Values (see page 60).
Use the following syntax on Windows or UNIX platforms to access the CLI with capam_command:
On UNIX, traditional and GNU style aliases for some parameters exist:
If you do not specify the password as an option, you are prompted for it before the command is
processed.
The roles that are assigned to the user determine the CLI user authorization. See Add Credential
Manager Roles and Groups
(https://docops.ca.com/display/CAPAM28/Add+Credential+Manager+Roles+and+Groups).
The CLI can process commands individually or as a batch sequence. In both cases, the commands and
argument values are the same.
Both UNIX and Windows platforms support the CLI; however, due to restrictions in the number of
arguments that the Windows batch utility permits, you cannot run all commands individually. To
work around this limitation, use the batchSequence command.
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
</CommandResult>
Use the getErrorCodes CLI command to produce a complete list of Credential Manager server
error codes. It takes no parameters. It produces an XML structure listing each error code and its
description.
For improved readability of the output, CA Technologies recommends that you direct the XML
structure to a separate file and then open it with an XML editor.
Example
This example directs the output of the getErrorCodes CLI command to a file named
error_codes.xml.
Use the following procedure to produce a complete list of Credential Manager server error codes.
The XML schema for batch processing is listed in XML Schema for Batch Processing
(https://docops.ca.com/display/CAPAM28/XML+Schema+for+Batch+Processing). Use the XML schema to
ensure that the file used as input to the batchSequence command is well-formatted.
Example
Follow these steps:
1. Create a batch processing XML file to use as input for the batchSequence command. Use
the XML schema in XML Schema for Batch Processing
(https://docops.ca.com/display/CAPAM28/XML+Schema+for+Batch+Processing) to ensure that the
file is well formatted.
For example, the following file is named AddAll.xml. The file encloses a CLI request
specifying two commands and their arguments. The two commands add a target application
and a target account within that application:
<COMMAND name="addTargetApplication">
<COMMAND_PARAMETERS>
<PARAMETER>
<NAME>TargetServer.hostName</NAME>
<VALUE>Ottawa-Lab3.cloakware.com</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>TargetApplication.type</NAME>
<VALUE>Generic</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>TargetApplication.name</NAME>
<VALUE>Generic account type</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>Attribute.descriptor1</NAME>
<VALUE>Ottawa</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>Attribute.descriptor2</NAME>
<VALUE>Lab</VALUE>
</PARAMETER>
</COMMAND_PARAMETERS>
</COMMAND>
</CLI_REQUEST>
<BatchCommandResult>
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.commandName>addTargetServer</cr.commandName>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetServer>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Ottawa</Attribute.descriptor1>
<ID>3</ID>
<createDate>Mon Nov 12 17:18:41 EST 2007</createDate>
<updateDate>Mon Nov 12 17:18:41 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>qn/wPB8BBtxfu7/cJMKc3Bn+vCE=</hash>
<hostName>Ottawa-Lab3.cloakware.com</hostName>
<IPAddress>10.5.0.3</IPAddress>
</TargetServer>
</cr.result>
</CommandResult>
<CommandResult>
<cr.itemNumber>1</cr.itemNumber>
<cr.commandName>addTargetApplication</cr.commandName>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetApplication>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Ottawa</Attribute.descriptor1>
<ID>3</ID>
<createDate>Mon Nov 12 17:18:41 EST 2007</createDate>
<updateDate>Mon Nov 12 17:18:41 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>I8XvBL6zIT/mCaDwy/F58Q2Z9LI=</hash>
<targetServerID>3</targetServerID>
<type>Generic</type>
<name>Generic account type</name>
<policyID>0</policyID>
</TargetApplication>
</cr.result>
</CommandResult>
</BatchCommandResult>
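The batch output above can be checked mechanically rather than by eye. The following Python code is an added example, not code from CA or from this guide: it parses a BatchCommandResult, treats cr.statusCode 400 as success as the sample output does, and reports failed items and submitted commands that have no result. The second CommandResult in the sample, its PLACEHOLDER_ERROR_CODE and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SUCCESS_CODE = "400"  # the sample output on this page pairs 400 with "Success"

# Constructed sample. Item 0 follows the shape of the output shown above;
# item 1 is an invented failure whose code and text are placeholders.
SAMPLE_RESULT = """\
<BatchCommandResult>
  <CommandResult>
    <cr.itemNumber>0</cr.itemNumber>
    <cr.commandName>addTargetServer</cr.commandName>
    <cr.statusCode>400</cr.statusCode>
    <cr.statusDescription>Success</cr.statusDescription>
    <cr.result>
      <TargetServer>
        <ID>3</ID>
        <hostName>Ottawa-Lab3.cloakware.com</hostName>
      </TargetServer>
    </cr.result>
  </CommandResult>
  <CommandResult>
    <cr.itemNumber>1</cr.itemNumber>
    <cr.commandName>addTargetApplication</cr.commandName>
    <cr.statusCode>PLACEHOLDER_ERROR_CODE</cr.statusCode>
    <cr.statusDescription>constructed failure text</cr.statusDescription>
  </CommandResult>
</BatchCommandResult>
"""


def _text(fields, tag):
    """Stripped text of a child element, or "" when the element is absent."""
    node = fields.get(tag)
    return (node.text or "").strip() if node is not None else ""


def parse_batch_result(xml_text):
    """Return one dict per <CommandResult>, in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != "BatchCommandResult":
        raise ValueError("unexpected root element: " + root.tag)
    items = []
    for cr in root.findall("CommandResult"):
        # Index children by tag name; the names themselves contain dots.
        fields = {child.tag: child for child in cr}
        created = {}
        result = fields.get("cr.result")
        if result is not None:
            for obj in result:  # e.g. <TargetServer>, <TargetApplication>
                obj_id = obj.findtext("ID")
                if obj_id is not None:
                    created[obj.tag] = obj_id.strip()
        code = _text(fields, "cr.statusCode")
        items.append({
            "item": int(_text(fields, "cr.itemNumber")),
            "command": _text(fields, "cr.commandName"),
            "code": code,
            "description": _text(fields, "cr.statusDescription"),
            "ok": code == SUCCESS_CODE,
            "created_ids": created,
        })
    return items


def audit_batch(xml_text, submitted):
    """Check results against the command names submitted, in order.

    Returns (failed, mismatched, missing): items whose status is not 400,
    items reporting a different command than was submitted at that position,
    and submitted positions with no <CommandResult> at all.
    """
    items = parse_batch_result(xml_text)
    failed = [i for i in items if not i["ok"]]
    mismatched = [
        i for i in items
        if i["item"] < 0 or i["item"] >= len(submitted)
        or (i["command"] and i["command"] != submitted[i["item"]])
    ]
    seen = {i["item"] for i in items}
    missing = [(n, name) for n, name in enumerate(submitted) if n not in seen]
    return failed, mismatched, missing


if __name__ == "__main__":
    plan = ["addTargetServer", "addTargetApplication", "addTargetAccount"]
    failed, mismatched, missing = audit_batch(SAMPLE_RESULT, plan)
    for i in failed:
        print("FAILED item %d %s: %s %s"
              % (i["item"], i["command"], i["code"], i["description"]))
    for n, name in missing:
        print("NO RESULT for item %d %s" % (n, name))
```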
addAuthorization
Use the addAuthorization command to add an authorization mapping, giving a requesting
application, request server, or request group permission to query credentials for a target alias or
target group. The Windows CLI allows up to nine parameters, including the mandatory adminUserID
and cspmHostName. To enter the addAuthorization command with more than nine parameters, use
the batchSequence command with an XML formatted input file.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addAuthorization
RequestServer.hostName=myhostname.mydomain.com RequestScript.name=example.pl
RequestScript.executionPath=/usr/tmp/examples Authorization.checkExecutionID=true
Authorization.checkScriptHash=true
Parameters
TargetAlias.name
Specifies the target alias name.
TargetAlias.ID
Specifies the target alias ID.
Authorization.targetGroupName
Specifies the target group name.
Authorization.targetGroupId
Specifies the target group ID.
RequestServer.hostName
Specifies the request server host name on which the requesting application resides.
RequestServer.ID
Specifies the request server ID on which the requesting application resides.
Authorization.requestGroupName
Specifies the request group name that the requesting application is a member of.
Authorization.requestGroupId
Specifies the request group name that the requesting application is a member of.
RequestScript.name
Specifies the requesting application name.
RequestScript.ID
Specifies the requesting application ID. Set this value to -1 to specify All request scripts for the
indicated request server. Setting this to -1 will also set Authorization.checkPath,
Authorization.checkFilePath and Authorization.checkScriptHash to false.
RequestScript.executionPath
Specifies the requesting application execution path, as registered in CA Privileged Access Manager
Credential Manager.
Authorization.checkExecutionID
Set Authorization.checkExecutionID=true to indicate that the execution user ID be validated.
Authorization.executionUser
A comma delimited list of execution user IDs. The IDs are only validated if
Authorization.checkExecutionID=true.
Authorization.checkPath
Set Authorization.checkPath=true to indicate that the script execution path be validated.
Authorization.checkFilePath
Set Authorization.checkFilePath=true to indicate that the script file path be validated.
Authorization.checkScriptHash
Set Authorization.checkScriptHash=true to indicate that script hash integrity verification be performed.
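Several addAuthorization parameters interact: RequestScript.ID=-1 sets three of the checks to false, and Authorization.executionUser is only validated when Authorization.checkExecutionID=true. The following Python code is an added example, not part of the product or of this guide; it reads a command line before it is run and reports which checks the mapping would actually have. The finding codes, the function names and the second sample command are constructed, and treating only the literal value true as enabling a flag is an assumption.

```python
import shlex

CHECK_FLAGS = (
    "Authorization.checkExecutionID",
    "Authorization.checkPath",
    "Authorization.checkFilePath",
    "Authorization.checkScriptHash",
)
# Flags the parameter list says are set to false when RequestScript.ID=-1.
FORCED_OFF = CHECK_FLAGS[1:]

# The example command from this section, joined onto one line.
PAGE_EXAMPLE = (
    "cspmserver_admin cspmHostName=paServer adminUserID=admin "
    "cmdName=addAuthorization RequestServer.hostName=myhostname.mydomain.com "
    "RequestScript.name=example.pl RequestScript.executionPath=/usr/tmp/examples "
    "Authorization.checkExecutionID=true Authorization.checkScriptHash=true"
)
# Constructed command: all scripts on the request server, plus settings that
# look protective but do not take effect.
WILDCARD_EXAMPLE = (
    "cspmserver_admin cspmHostName=paServer adminUserID=admin "
    "cmdName=addAuthorization TargetAlias.name=myalias1 "
    "RequestServer.hostName=myhostname.mydomain.com RequestScript.ID=-1 "
    "Authorization.checkScriptHash=true Authorization.executionUser=admin,batch"
)


def parse_cli(command_line):
    """Split a cspmserver_admin command line into a {name: value} dict."""
    params = {}
    for token in shlex.split(command_line)[1:]:  # skip the executable name
        name, sep, value = token.partition("=")
        if not sep or not name:
            raise ValueError("not a name=value argument: %r" % token)
        params[name] = value
    return params


def _is_true(value):
    # Assumption: only the literal "true" (any case) enables a flag.
    return value.strip().lower() == "true"


def review_authorization(command_line):
    """Return (effective_checks, findings) for one addAuthorization command.

    effective_checks maps each check flag to True, False, or None when the
    command does not set it. findings is a list of (code, message) pairs.
    """
    params = parse_cli(command_line)
    if params.get("cmdName") != "addAuthorization":
        raise ValueError("not an addAuthorization command")
    wildcard = params.get("RequestScript.ID", "").strip() == "-1"
    checks = {}
    for f in CHECK_FLAGS:
        checks[f] = _is_true(params[f]) if f in params else None
    findings = []
    if wildcard:
        findings.append(("WILDCARD_SCRIPT",
                         "RequestScript.ID=-1 covers all request scripts on the "
                         "request server and sets the path, file path and "
                         "script hash checks to false"))
        for f in FORCED_OFF:
            if checks[f]:
                findings.append(("OVERRIDDEN",
                                 f + "=true is set to false by RequestScript.ID=-1"))
            checks[f] = False
    if (params.get("Authorization.executionUser")
            and checks["Authorization.checkExecutionID"] is not True):
        findings.append(("EXEC_USER_IGNORED",
                         "Authorization.executionUser is only validated when "
                         "Authorization.checkExecutionID=true"))
    for f in CHECK_FLAGS:
        if checks[f] is None:
            findings.append(("NOT_SET", f + " is not set on the command line"))
        elif checks[f] is False and not (wildcard and f in FORCED_OFF):
            findings.append(("DISABLED", f + " is not set to true"))
    return checks, findings


if __name__ == "__main__":
    for cmd in (PAGE_EXAMPLE, WILDCARD_EXAMPLE):
        checks, findings = review_authorization(cmd)
        print(checks)
        for code, message in findings:
            print("  %-17s %s" % (code, message))
```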
addFilter
Use the addFilter command to add a filter to a target group or request group. The group must first be
added using the addGroup command.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addFilter Group.ID=3 Filt
Parameters
Group.ID
Specifies the ID of the request or target group. It must be an integer >= 1.
Filter.objectClassId
Specifies the type of object to filter. Class IDs are specific to group type.
Filter.attribute
Specifies the filter attribute. If static, attribute must be ID. If dynamic, attributes are specific to
objectClassId.
Filter.type
Specifies the filter type. If group is static, only equals is valid.
Filter.expression
Specifies the filter expression. If the group is static, the expression can only be an integer >= 1.
addGroup
Use the addGroup command to add either a target or request group to CA Privileged Access
Manager. Use the addFilter command to add filters to the group.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addGroup Group.name=Tokyo
Parameters
Group.name
Specifies the name of the target or request group.
Group.description
Specifies the description of the group.
Group.type
Set Group.type=requestor for Request groups. Set Group.type=target for Target groups.
Group.dynamic
Set Group.dynamic=true for dynamic Request/Target groups, false for static Request/Target groups.
Group.permissions
ArrayList object of filters, or XML encoded ArrayList of filters. If not set, the filters are cleared.
addPasswordPolicy
Use the addPasswordPolicy command to add a Password Composition Policy in CA Privileged Access
Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addPasswordPolicy
PasswordPolicy.name=passwordPolicyName
Attribute.composedOfUpperCaseCharacters=true Attribute.firstCharacterUpperCase=true
Parameters
PasswordPolicy.name
The name of the password policy.
PasswordPolicy.description
The description of the password policy.
Attribute.passwordPrefix
The prefix for all passwords mandated by your password policy.
Attribute.composedOfUpperCaseCharacters
Set to true to mandate that your password policy requires upper case characters.
Attribute.composedOfLowerCaseCharacters
Set to true to mandate that your password policy requires lower case characters.
Attribute.composedOfNumericCharacters
Set to true to mandate that your password policy requires numeric characters.
Attribute.composedOfSpecialCharacters
Set to true to mandate that your password policy requires special characters.
Attribute.specialCharacters
The list of all special characters allowed by your password policy.
Attribute.firstCharacterUpperCase
Set to true to mandate that your password policy requires the first character to be upper case. If you
select more than one first character requirement, they are combined. For example, if both
Attribute.firstCharacterUpperCase and Attribute.firstCharacterLowerCase are true, then the policy
requires the first character to be either upper or lower case.
Attribute.firstCharacterLowerCase
Set to true to mandate that your password policy requires the first character to be lower case. If you
select more than one first character requirement, they are combined. For example, if both
Attribute.firstCharacterUpperCase and Attribute.firstCharacterLowerCase are true, then the policy
requires the first character to be either upper or lower case.
Attribute.firstCharacterNumeric
Set to true to mandate that your password policy requires the first character to be numeric. If you
select more than one first character requirement, they are combined. For example, if both
Attribute.firstCharacterUpperCase and Attribute.firstCharacterNumeric are true, then the policy
requires the first character to be either upper case or numeric.
Attribute.firstCharacterSpecial
Set to true to mandate that your password policy requires the first character to be a special
character. If you select more than one first character requirement, they are combined. For example,
if both Attribute.firstCharacterUpperCase and Attribute.firstCharacterSpecial are true, then the policy
requires the first character to be either upper case or a special character.
Attribute.firstCharacterSpecials
The list of all special characters allowed as a first character by your password policy.
Attribute.mustNotContainConsecutiveDuplicateCharacters
Set to true to mandate that your password policy does not allow any repeating characters.
Attribute.mustNotContainAnyDuplicateCharacters
Set to true to mandate that your password policy does not allow any duplicate characters.
Attribute.mustNotContainCharacters
Set to true to mandate that your password policy prohibits certain upper case, lower case, or numeric
characters.
Attribute.composedOfMustNotContainCharacters
The list of all characters that your password policy does not allow. Do not prohibit characters that are
allowed in other attributes.
Attribute.minLength
Set the minimum password length, in characters, mandated by your password policy.
Attribute.maxLength
Set the maximum password length, in characters, mandated by your password policy.
Attribute.minIterationsBeforeReuse
Set the minimum number of iterations before a password can be reused.
Attribute.minDaysBeforeReuse
Set the minimum number of days before a password can be reused.
Attribute.enableMaxPasswordAge
Set to true to enable maximum password age in your password policy.
Attribute.maxPasswordAge
Set the maximum password age in days. After this many days, passwords will have to be changed.
addPasswordViewPolicy
Use the addPasswordViewPolicy command to add a password view policy to CA Privileged Access
Manager Credential Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addPasswordViewPolicy
PasswordViewPolicy.name=restrictedAccounts PasswordViewPolicy.changePasswordOnView=true
PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterva
Parameters
PasswordViewPolicy.name
The name of the password view policy.
PasswordViewPolicy.description
A description of the password view policy.
PasswordViewPolicy.changePasswordOnView
Set PasswordViewPolicy.changePasswordOnView=true to indicate that CA Privileged Access Manager
Credential Manager should change the password after a password view request.
PasswordViewPolicy.allowChangePasswordOnViewForSso
Set PasswordViewPolicy.allowChangePasswordOnViewForSso=true to indicate that CA Privileged
Access Manager Credential Manager should change the password after a password SSO request
(retrieved but not viewed).
PasswordViewPolicy.passwordChangeInterval
Determines the length of time (in minutes) before the password is changed if
changePasswordOnView is set to true.
PasswordViewPolicy.checkinCheckoutRequired
Set PasswordViewPolicy.checkinCheckoutRequired=true to indicate that an account must be checked
out before the password can be viewed. When checked out, the account's password cannot be
changed.
PasswordViewPolicy.checkinCheckoutInterval
Determines the length of time (in minutes) an account can remain checked out before it is
automatically checked back in by the system.
PasswordViewPolicy.dualAuthorization
Set PasswordViewPolicy.dualAuthorization=true to indicate that a request to view a password must
be approved by another user before proceeding.
PasswordViewPolicy.dualAuthorizationInterval
Determines the default length of time (in minutes) a password view request remains active in the
system.
PasswordViewPolicy.approvers
The list of users who are authorized to approve or deny password requests for accounts that use this
password policy.
PasswordViewPolicy.approverIDs
The list of user IDs who are authorized to approve or deny password requests for accounts that use
this password policy.
PasswordViewPolicy.authenticationRequired
Set PasswordViewPolicy.authenticationRequired=true to indicate that the requesting user must
provide their password before viewing the account.
PasswordViewPolicy.enableOneClickApproval
Set PasswordViewPolicy.enableOneClickApproval=true to enable one click dual authorization
approval. When enabled, dual authorization emails will include links to allow the approver to approve
requests without logging into the system.
PasswordViewPolicy.passwordViewRequestMaxInterval
The maximum interval between the start and end date of a dual authorization password view
request.
PasswordViewPolicy.passwordViewRequestMaxDays
The maximum number of days in the future that a password view request can be requested.
addRequestScript
Use the addRequestScript command to add a request application to CA Privileged Access Manager
Credential Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addRequestScript
RequestServer.hostName=myhostname.mydomain.com RequestScript.name=example.pl
RequestScript.executionPath=/usr/tmp/examples RequestScript.filePath=/usr/tmp/examples
RequestScript.type=Perl
Parameters
RequestServer.hostName
The request server host name on which the requesting application resides.
RequestServer.ID
The request server ID on which the requesting application resides.
RequestScript.name
The requesting application name.
RequestScript.executionPath
The location from which the requesting application will be executed.
RequestScript.filePath
The location in which the requesting application resides.
RequestScript.type
The programming language in which the requesting application is written.
Attribute.descriptor1
A text description field. Use this field as a filter for dynamic authorization groupings.
Attribute.descriptor2
A text description field. Use this field as a filter for dynamic authorization groupings.
addRequestServer
Use the addRequestServer command to add a request server (CA Privileged Access Manager
Credential Manager client) to CA Privileged Access Manager Credential Manager. This command can
also be used to register Windows Proxies. CA Technologies recommends that you use the auto-
discovery feature for adding request servers.
Example
cspmserver_admin adminUserID=admin cmdName=addRequestServer
RequestServer.hostName=myhostname.mydomain.com RequestServer.active=true
RequestServer.autoPatch=true RequestServer.type=CLIENT
Parameters
RequestServer.hostName
The host name of the request server.
RequestServer.deviceName
The device name of the request server.
RequestServer.active
Set RequestServer.active=true to activate the request server. Set RequestServer.active=false to
deactivate the request server.
RequestServer.autoPatch
Set RequestServer.autoPatch=true to indicate that patches should be applied automatically.
RequestServer.preserveHostName
Set RequestServer.preserveHostName=true to indicate that the request server host name should not
be overwritten each time the client registers.
RequestServer.type
Set RequestServer.type=CLIENT to indicate that the server is a request server. Set
RequestServer.type=AGENT to indicate that the server is a CA Privileged Access Manager Credential
Manager Windows Proxy.
Attribute.descriptor1
A text description field. Use this field as a filter for dynamic authorization groupings.
Attribute.descriptor2
A text description field. Use this field as a filter for dynamic authorization groupings.
addRequestServerDefaults
Use the addRequestServerDefaults command to add request server defaults to CA Privileged Access
Manager Credential Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addRequestServerDefaults
RequestServerDefaults.subnet=192.168.0.0/16
RequestServerDefaults.active=true
RequestServerDefaults.type=CLIENT
RequestServerDefaults.descriptor1=awsApiProxy
Parameters
RequestServerDefaults.subnet
The subnet filter to apply defaults to request servers.
RequestServerDefaults.type
The type filter to apply defaults to request servers.
RequestServerDefaults.active
The default setting for RequestServer.active during auto-register.
RequestServerDefaults.descriptor1
The default setting for Attribute.descriptor1 during auto-register.
RequestServerDefaults.descriptor2
The default setting for Attribute.descriptor2 during auto-register.
addRole
Use the addRole command to add a user role to Credential Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addRole Role.name=myRole
Parameters
Role.name
The name of the role.
Role.description
The description of the role.
Role.permissions
A comma delimited list of permissions.
addSite
Use the addSite command to add a secondary site to CA Privileged Access Manager when the CA
Privileged Access Manager server is configured for multi-site.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=addSite Site.name=secondary Site.type=secondary
Site.hostName=tokyo1.company.com
Parameters
Site.name
The name of the site being added.
Site.type
Use Site.type=secondary if you are adding a secondary site.
Site.hostName
The host name of the site being added. The hostName value is used for site-to-site communication.
addSSHKeyPairPolicy
Use the addSSHKeyPairPolicy command to add an SSH Key Pair Policy to CA Privileged Access
Manager.
Example
https://<CAPAM-HOST>/cspm/servlet/adminCLI
?responseType=xmlResponse
&adminUserID=super
&adminPassword=<PASSWORD>
&cmdName=addSSHKeyPairPolicy
&SSHKeyPairPolicy.name=Testing
&SSHKeyPairPolicy.keyType=RSA
&SSHKeyPairPolicy.keyLength=2048
Parameters
SSHKeyPairPolicy.name
The policy name.
SSHKeyPairPolicy.description
The policy description.
SSHKeyPairPolicy.keyType
The key type.
SSHKeyPairPolicy.keyLength
The key length.
addTargetAccount
Use addTargetAccount to add a target account to CA Privileged Access Manager Credential Manager.
Additional parameters may be required, depending upon the Target Application Type. For a
description of these additional parameters, see the CA Privileged Access Manager user
documentation for the appropriate turnkey target connector.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addTargetAccount
TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication
TargetAccount.userName=sysop1 TargetAccount.password=sys0p2
TargetAccount.cacheBehavior=useCacheFirst
TargetAccount.cacheDuration=17 Attribute.descriptor1="Lab" Attribute.descriptor2="Ottawa"
Parameters
TargetServer.hostName
The host name for the target server on which the target account resides.
TargetApplication.name
The target application name on which the target account is hosted.
TargetApplication.ID
The target application ID on which the target account is hosted.
TargetAccount.userName
The user name for the target account.
TargetAccount.password
The password for the target account.
TargetAccount.cacheAllow
This parameter is deprecated; use TargetAccount.cacheBehavior instead. Set
TargetAccount.cacheAllow=true to have credentials for this account cached in the CA Privileged
Access Manager Credential Manager client.
TargetAccount.cacheBehavior
Set TargetAccount.cacheBehavior=useCacheFirst to have the credentials for this account cached in
the CA Privileged Access Manager Credential Manager client and used first. If
TargetAccount.cacheBehavior=useServerFirst, the credentials for this account are cached in the CA
Privileged Access Manager Credential Manager client but the Server is contacted first. Set
TargetAccount.cacheBehavior=noCache to ensure that the credentials for this account are not cached
in the CA Privileged Access Manager Credential Manager client.
TargetAccount.cacheDuration
Use TargetAccount.cacheDuration to specify the number of days the account credentials are
permitted to reside in a CA Privileged Access Manager Credential Manager client cache.
TargetAccount.privileged
Set TargetAccount.privileged=true to indicate that this account is a privileged account. Set
TargetAccount.privileged=false to indicate that this account is an application-to-application account.
TargetAccount.accessType
Use this text field for reference purposes.
TargetAccount.synchronize
Set TargetAccount.synchronize=true to indicate that the password stored in CA Privileged Access
Manager Credential Manager should be synchronized with the password on the target system. This
functionality is not supported with Target Application Type Generic. This functionality is not
supported when TargetAccount.compoundAccount=true.
Attribute.descriptor1
A text description field. Use this field as a filter for dynamic authorization groupings.
Attribute.descriptor2
A text description field. Use this field as a filter for dynamic authorization groupings.
PasswordViewPolicy.name
The name of a PasswordViewPolicy attached to this account.
TargetAlias.name
A comma separated list of TargetAlias.name values. This parameter is dependent on the value of
useTargetAliasNameParameter being true.
useTargetAliasNameParameter
A flag that, when true, adds/deletes TargetAliases for this account using the values specified in the
TargetAlias.name parameter.
TargetAccount.compoundAccount
A flag that, when true, adds/deletes Compound TargetServers for this account using the values
specified in the TargetAccount.compoundServerIDs parameter.
TargetAccount.compoundServerIDs
List of target server IDs to use as compound servers.
passwordIsBase64Encoded
A flag that, when true, indicates that the specified password has been Base64-encoded and should be
decoded before being stored.
addTargetAlias
Use the addTargetAlias command to add a target alias to CA Privileged Access Manager Credential
Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addTargetAlias
TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication
TargetAccount.userName=sysop1 TargetAlias.name=myaliasname
Parameters
TargetServer.hostName
The host name for the target server on which the target account resides.
TargetApplication.name
The target application name on which the target account is hosted.
TargetAccount.userName
The account user name associated with the target alias.
TargetAccount.ID
The account ID associated with the target alias.
TargetAlias.name
The name of this target alias.
addTargetApplication
Use the addTargetApplication command to add a target application to CA Privileged Access Manager
Credential Manager. Additional parameters may be required, depending upon the Target Application
Type.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addTargetApplication
TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication
TargetApplication.type=Generic
Attribute.descriptor1="Vienna" Attribute.descriptor2="Lab"
Parameters
TargetServer.ID
The ID of the target server on which the target application is hosted.
TargetServer.hostName
The host name for the target server on which the target application resides.
TargetApplication.name
The name of the target application.
TargetApplication.type
The target application connector name. Valid values depend upon which target connectors are
installed on your system.
PasswordPolicy.name
The name of the password policy associated with accounts belonging to this application.
PasswordPolicy.ID
The ID of the password policy associated with accounts belonging to this application.
Attribute.descriptor1
A text description field. Use this field as a filter for dynamic authorization groupings.
Attribute.descriptor2
A text description field. Use this field as a filter for dynamic authorization groupings.
Attribute.enableAutoConnectTargetAccount
A boolean value to enable / disable autoConnectTargetAccount for an application instance.
addTargetServer
Use the addTargetServer command to add a target server to CA Privileged Access Manager Credential
Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addTargetServer
TargetServer.hostName=myhostname.mydomain.com
Attribute.descriptor1="Lab" Attribute.descriptor2="Vienna"
Parameters
TargetServer.hostName
The host name for the target server.
TargetServer.deviceName
The device name for the target server.
Attribute.descriptor1
A text description field. Use this field as a filter for dynamic authorization groupings.
Attribute.descriptor2
A text description field. Use this field as a filter for dynamic authorization groupings.
addUser
Use the addUser command to add a Credential Manager user account. The Windows CLI allows up to
9 parameters, including the mandatory adminUserID and cspmHostName. To enter the addUser
command with more than nine parameters, use the batchSequence command with an XML
formatted input file.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addUser User.userID=demo
User.password="demo123$" User.authenticationType=CSPM User.status=ACTIVE
Parameters
User.userID
The user name of the CA Privileged Access Manager Credential Manager user.
User.password
The user's password.
User.authenticationType
Authentication type of the user.
User.status
Set User.status=ACTIVE for active user accounts and User.status=SUSPENDED to suspend a user
account.
User.userGroupIDS
IDs of the User Groups to assign to this user.
User.userGroupNames
Names of the User Groups to assign to this user.
User.firstName
First name of the user.
User.lastName
Last name of the user.
User.email
Email address of the user.
User.viewType
Determines which GUI view this user has access to: administrative or general.
addUserGroup
Use the addUserGroup command to add a user group to CA Privileged Access Manager Credential
Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addUserGroup
UserGroup.name=OttUserGroup UserGroup.description="Ottawa user group"
UserGroup.roleID=11 UserGroup.groups=3,4
Parameters
UserGroup.name
The user group name.
UserGroup.description
Description of the group.
UserGroup.roleID
The role identifier of this group.
UserGroup.groups
An ArrayList of String values, or a string ArrayList in which each element contains the string value
of a group ID.
UserGroup.readOnly
The read-only flag for this user group. Warning: a read-only user group cannot be deleted if you make a mistake.
archiveAuditData
Use the archiveAuditData command to remove audit data up to the specified end date from the
Credential Manager database and write it to a file.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=archiveAuditData
endDate=2010-01-01
Parameters
endDate
All audit data up to and including the end date is removed from the CA Privileged Access Manager
Credential Manager database and stored in the archive file.
fileName
The file name (including path) where the archive data will be stored. If the file does not exist, it is
created; otherwise, data is appended. If not specified, this command creates a file within the CA
Privileged Access Manager server installation home directory. The date stamp on the default file
indicates the date/time when the archive command was issued, not the end archive date.
resultLimit
The limit for the number of database records to be processed at a time. Set to -1 to specify no limit.
Caution: A large value results in a larger rollback segment being allocated for each database
transaction.
archiveMetricData
Use the archiveMetricData command to remove metric data up to the specified end date from the
Credential Manager database and write it to a file.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=archiveMetricData
endDate=2010-01-01
Parameters
endDate
All metric data up to and including the end date is removed from the Credential Manager database
and stored in the archive file.
fileName
The file name (including path) where the archive data will be stored. If the file does not exist, it is
created; otherwise, data is appended. If not specified, this command creates a file within the CA
Privileged Access Manager server installation home directory. The date stamp on the default file
indicates the date/time when the archive command was issued, not the end archive date.
resultLimit
The limit for the number of database records to be processed at a time. Set to -1 to specify no limit.
Caution: A large value results in a larger rollback segment being allocated for each database
transaction.
batchSequence
Use the batchSequence command for bulk registration. The input to the batchSequence command is
an XML formatted file.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=batchSequence
inputfile=myinput.xml
outputfile=results.xml
Parameters
inputfile
The file containing the bulk registration input. The XML format for the input file is documented in
XML Schema for Batch Processing
(https://docops.ca.com/display/CAPAM28/XML+Schema+for+Batch+Processing).
outputfile
The file containing the XML formatted output result. If this parameter is not included, the output is
sent to standard out.
stopOnError
Set stopOnError=true to indicate that the batch sequence be stopped when an error is encountered.
Set stopOnError=false to indicate that the batch sequence continue with the next command when an
error is encountered. If the data in the input file has dependencies, set stopOnError=true.
multipleTransactions
Set multipleTransactions=true to indicate that the batch sequence be treated as its own transaction.
Set multipleTransactions=false to indicate that the batch sequence be treated as a single transaction.
When the batch sequence is treated as a single transaction (multipleTransactions=false) the
stopOnError is overridden to be true.
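For commands that exceed the Windows CLI parameter limit, the input file can be generated instead of typed. The following Python code is an added example, not CA's: it builds a batchSequence input file with properly escaped values, Base64-encodes the account password with passwordIsBase64Encoded=true, and creates the file readable by its owner only because it contains a credential. The CLI_REQUEST root element is inferred from the closing tag of the AddAll.xml fragment in this guide, and the function names, the descriptor value and the choice of noCache are assumptions; validate the result against the XML schema before use.

```python
import base64
import os
import stat
import tempfile
import xml.etree.ElementTree as ET


def build_batch(commands):
    """Serialise [(command_name, [(param, value), ...]), ...] in run order."""
    # Assumption: root element name inferred from the closing </CLI_REQUEST>
    # tag in the AddAll.xml fragment; validate against the product's schema.
    root = ET.Element("CLI_REQUEST")
    for name, params in commands:
        cmd = ET.SubElement(root, "COMMAND", {"name": name})
        holder = ET.SubElement(cmd, "COMMAND_PARAMETERS")
        for pname, value in params:
            param = ET.SubElement(holder, "PARAMETER")
            ET.SubElement(param, "NAME").text = pname
            # ElementTree escapes &, < and > when serialising, so values are
            # never pasted into the markup by hand.
            ET.SubElement(param, "VALUE").text = str(value)
    return ET.tostring(root, encoding="unicode")


def account_params(host, application, user, password):
    """Parameters for addTargetAccount with the password Base64-encoded.

    Base64 only keeps quoting and special characters from corrupting the
    value; it does not protect the password.
    """
    encoded = base64.b64encode(password.encode("utf-8")).decode("ascii")
    return [
        ("TargetServer.hostName", host),
        ("TargetApplication.name", application),
        ("TargetAccount.userName", user),
        ("TargetAccount.password", encoded),
        ("passwordIsBase64Encoded", "true"),
        ("TargetAccount.cacheBehavior", "noCache"),
    ]


def write_private(path, xml_text):
    """Create the file owner-read/write only (POSIX) and never overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write(xml_text)
    return stat.S_IMODE(os.stat(path).st_mode)


def read_back(xml_text):
    """Parse a batch file into [(command_name, {param: value}), ...]."""
    out = []
    for cmd in ET.fromstring(xml_text).findall("COMMAND"):
        params = {p.findtext("NAME"): p.findtext("VALUE")
                  for p in cmd.iter("PARAMETER")}
        out.append((cmd.get("name"), params))
    return out


def demo():
    """Build a three-step registration and write it to a temp directory."""
    host = "Ottawa-Lab3.cloakware.com"  # host name used in this guide
    commands = [
        ("addTargetServer", [("TargetServer.hostName", host)]),
        ("addTargetApplication", [
            ("TargetServer.hostName", host),
            ("TargetApplication.type", "Generic"),
            ("TargetApplication.name", "Generic account type"),
            ("Attribute.descriptor1", "R&D <Ottawa>"),  # constructed value
        ]),
        ("addTargetAccount",
         account_params(host, "Generic account type", "sysop1", "sys0p2")),
    ]
    xml_text = build_batch(commands)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "AddAll.xml")
        mode = write_private(path, xml_text)
        with open(path, encoding="utf-8") as handle:
            parsed = read_back(handle.read())
    return xml_text, mode, parsed


if __name__ == "__main__":
    text, mode, parsed = demo()
    print(oct(mode), [name for name, _ in parsed])
```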
canGetCredentials
Use the canGetCredentials command to validate the ability of a specific script to retrieve credentials
without making a credential request. This command does not verify the fingerprint of the request
server or the requesting script hash. This command returns "Success 1" when the query result is true
and "Success 0" when the query result is false. Authorization mappings settings determine which
values are validated. For example, if check execution ID is not set, then the execution ID parameter
value does not affect the output result. The Windows CLI allows up to 9 parameters, including
mandatory adminUserID and cspmHostName. To invoke this command with more than 9 parameters,
use the batchSequence command with an XML formatted input file.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=canGetCredentials
TargetAlias.name=myalias1 RequestScript.name=example.pl
RequestScript.filePath=/usr/tmp/examples RequestScript.executionPath=/usr/tmp/examples
Authorization.executionUser=admin RequestServer.hostName=myhostname.mydomain.com
RequestServer.osName=win
Parameters
TargetAlias.name
Alias name for which you wish to validate the ability to get credentials.
RequestScript.name
Name of the requesting script.
RequestScript.filePath
File path where the requesting script resides.
RequestScript.executionPath
Path from which the requesting script will be run.
Authorization.executionUser
Username with which the requesting script will be run.
RequestServer.hostName
Request server hostname on which the requesting script is located.
RequestServer.osName
Operating System name for the request server host. Set this value if the Operating System is
Windows. Any other value sets the Operating System as UNIX-based.
checkConnectionStatus
Use the checkConnectionStatus command to check the status of a client.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=checkConnectionStatus RequestServer.ID=1000
checkDelete
Use the checkDelete command to check whether a target server and/or request server can be deleted (or
were previously deleted).
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=checkDelete
TargetServer.ID=1002 RequestServer.ID=1001
Parameters
TargetServer.ID
The ID of the target server being checked
RequestServer.ID
The ID of the request server being checked
checkInAccountPassword
Use the checkInAccountPassword command to check in a target account. This command can be run
on a secondary site.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=checkInAccountPassword
TargetAccount.ID=1
deleteAuthorization
Use the deleteAuthorization command to delete an existing authorization mapping.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteAuthorization
RequestServer.hostName=myhostname.mydomain.com RequestScript.name=example.pl
RequestScript.executionPath=/usr/tmp/examples TargetAlias.name=mytargetalias
Parameters
Authorization.ID
The unique identifier of the Authorization mapping.
TargetAlias.name
The target alias name.
RequestServer.hostName
The request server host name on which the requesting application resides.
RequestScript.name
The requesting application name.
RequestScript.executionPath
The requesting application execution path, as registered in CA Privileged Access Manager Credential
Manager.
Authorization.targetGroupName
The target group name.
Authorization.requestGroupName
The request group name.
deleteFilter
Use the deleteFilter command to delete a filter from a target group or request group. The group must
first be added using the addGroup command.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteFilter Filter.ID=6
Parameters
Filter.ID
The Id of the request or target group
deleteGroup
Use the deleteGroup command to delete a target or request group. This command automatically
deletes filters associated with this group.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteGroup Group.ID=3
Parameters
Group.ID
ID of the group you wish to delete.
Group.name
The group name.
Group.type
The group type.
deletePasswordPolicy
Use the deletePasswordPolicy command to delete a password policy.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deletePasswordPolicy
PasswordPolicy.name=passwordPolicyName
Parameters
PasswordPolicy.ID
The ID of the password policy.
PasswordPolicy.name
The name of the password policy.
deletePasswordViewPolicy
Use the deletePasswordViewPolicy command to delete a password view policy from CA Privileged
Access Manager Credential Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=deletePasswordViewPolicy
PasswordViewPolicy.name=restrictedAccounts
Parameters
PasswordViewPolicy.ID
The ID of the password view policy.
PasswordViewPolicy.name
The name of the password view policy.
deletePasswordViewRequest
Use the deletePasswordViewRequest command to delete either a specific password view request or
all expired password view requests.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=deletePasswordViewRequest PasswordViewRequest.ID=1,2,3
Parameters
PasswordViewRequest.ID
The ID of a password view request. Accepts a comma-separated list, such as id2,id3,id5.
deleteRequestScript
Use the deleteRequestScript command to delete an existing requesting application. Requesting
applications cannot be deleted if there are authorization mappings associated with the application.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteRequestScript
RequestScript.ID=7,8
Parameters
RequestScript.ID
The requesting application ID you wish to delete. This parameter may contain a comma-separated list.
RequestServer.hostName
The request server host name on which the requesting application resides.
RequestScript.name
The requesting application name.
RequestScript.executionPath
The location from which the requesting application will be executed.
deleteRequestServer
Use the deleteRequestServer command to delete an existing request server from Credential
Manager. You cannot delete a request server if there are any authorization mappings or request
scripts associated with the request server.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteRequestServer
RequestServer.hostName=myhostname.mydomain.com
Parameters
RequestServer.hostName
The host name of the request server.
RequestServer.deviceName
The device name of the request server.
deleteRequestServerDefaults
Use the deleteRequestServerDefaults command to delete a request server defaults record in Credential
Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=deleteRequestServerDefaults
RequestServerDefaults.ID=1001
Parameters
RequestServerDefaults.ID
The id of the record to delete.
deleteRole
Use the deleteRole command to delete roles from CA Privileged Access Manager Credential Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteRole Role.ID=11
Parameters
Role.ID
The unique ID of the role or a comma delimited list of roles you wish to delete.
deleteSite
Use the deleteSite command to delete a site from Credential Manager when the CA Privileged Access
Manager Credential Manager server is configured for multi-site.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteSite Site.ID=1
Parameters
Site.ID
The ID of the site or a comma delimited list of sites you wish to delete.
deleteSSHKeyPairPolicy
Use the deleteSSHKeyPairPolicy command to delete an SSH Key Pair policy.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=deleteSSHKeyPairPolicy
SSHKeyPairPolicy.name=MySSHKeyPairPolicy
Parameters
SSHKeyPairPolicy.ID
The ID of the SSH Key Pair policy.
SSHKeyPairPolicy.name
The name of the SSH Key Pair policy.
deleteSystemProperty
Use the deleteSystemProperty command to delete a system property (that is, set isDeleted = 1).
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteSystemProperty
propertyName=test
Parameters
propertyName
The property key name.
deleteTargetAccount
Use the deleteTargetAccount command to delete an existing target account from CA Privileged
Access Manager Credential Manager. Target accounts cannot be deleted if there is an authorization
mapping associated with the account. Deleting a target account automatically deletes any target
aliases associated with the account.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteTargetAccount
TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication
TargetAccount.userName=sysop1
Parameters
TargetServer.hostName
The host name of the target server on which the target application is hosted.
TargetApplication.name
The target application name on which the target account is hosted.
TargetAccount.userName
The user name for the target account.
TargetAccount.ID
The ID for the target account.
deleteTargetAlias
Use the deleteTargetAlias command to delete an existing target alias from the CA Privileged Access
Manager Credential Manager server. Target aliases cannot be deleted if there is an authorization
mapping associated with the alias.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteTargetAlias
TargetAlias.ID=12
Parameters
TargetAlias.name
The target alias name. This parameter is required if TargetAlias.ID is not specified.
TargetAlias.ID
The target alias unique identifier.
deleteTargetApplication
Use the deleteTargetApplication command to delete an existing target application from CA Privileged
Access Manager Credential Manager. Target applications cannot be deleted if there is an
authorization mapping associated with the application. Deleting a target application automatically
deletes any target accounts and target aliases associated with the application.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=deleteTargetApplication
TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication
Parameters
TargetServer.hostName
The host name of the target server on which the target application is hosted.
TargetApplication.name
The target application name.
TargetApplication.ID
The target application ID.
deleteTargetServer
Use the deleteTargetServer command to delete an existing target server from CA Privileged Access
Manager Credential Manager. A target server cannot be deleted if there is a target alias associated
with the server. Deleting a target server automatically deletes any target applications and target
accounts associated with the server, never any aliases.
Example
Parameters
TargetServer.ID
The ID for the target server, or a comma-separated list of IDs.
TargetServer.hostName
The host name of the target server.
TargetServer.deviceName
The device name of the target server.
deleteUser
Use the deleteUser command to delete a user account or list of user accounts.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteUser User.userID=demo
Parameters
User.userID
The user name of the Credential Manager user to be deleted or a comma delimited list of user names
to be deleted.
deleteUserGroup
Use the deleteUserGroup command to delete a user group.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteUserGroup
UserGroup.ID=18
Parameters
UserGroup.ID
The user group ID or a comma delimited list of user group IDs you wish to delete.
UserGroup.name
The name of the user group.
disableCLIHostNameCheck
Use the disableCLIHostNameCheck command to disable host name checking when connecting via the
CLI.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=disableCLIHostNameCheck
disableFingerprinting
Use the disableFingerprinting command to disable hardware fingerprinting for request servers (CA
Privileged Access Manager Credential Manager clients). This command has no parameters. By
default, this feature is disabled.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=disableFingerprinting
enableCLIHostNameCheck
Use the enableCLIHostNameCheck command to force host name checking when connecting via the
CLI.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=enableCLIHostNameCheck
enableFingerprinting
Use the enableFingerprinting command to enable hardware fingerprinting for request servers (CA
Privileged Access Manager Credential Manager clients). This command has no parameters. By
default, this feature is disabled.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=enableFingerprinting
enableLicense
Use the enableLicense command to activate your CA Privileged Access Manager Credential Manager
server license.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=enableLicense
license=dae1993ace1473a...
Parameters
license
A CA Privileged Access Manager Credential Manager server license string. See your CA Technologies
sales representative.
expirePasswordViewRequest
Use the expirePasswordViewRequest command to expire a password view request.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=expirePasswordViewRequest PasswordViewRequest.ID=1000
forceCheckInAccountPassword
Use the forceCheckInAccountPassword command to check in a target account checked out by
another user. This command can be run on a secondary site.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=forceCheckInAccountPassword
TargetAccount.ID=1
Parameters
TargetAccount.ID
The ID of the target account you are checking in.
PasswordViewRequest.ID
The ID of the target account you are checking in.
generateEncryptedPassword
Use the generateEncryptedPassword command to encrypt the password found in the Tomcat server.xml file.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=generateEncryptedPassword password=cspmpublic
Parameters
password
The password you wish to encrypt.
getAllScriptHash
Use the getAllScriptHash command to refresh each of the script hashes for a given request server. A
script hash value is a SHA-1 message digest value of the script (file).
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getAllScriptHash
RequestServer.hostName=myhostname.mydomain.com
Parameters
RequestServer.hostName
The host name of the request server.
RequestServer.ID
The ID of the request server.
getAwsManagementConsoleSessionUrl
Use the getAwsManagementConsoleSessionUrl command to retrieve a URL to an authenticated
Amazon Web Services Management Console federation session.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=getAwsManagementConsoleSessionUrl
AWS.accessKeyID=AKIAIUXQMBKFCROZL5NQ
AWS.secretAccessKey=l2YaoK/or4Jffi+xTlCds0x5mLUdRoCTcvXb/e9y
AWS.consoleUrl=https://console.aws.amazon.com/sns
AWS.issuerUrl=https://www.xceedium.com/
AWS.signinUrl=https://signin.aws.amazon.com/federation
AWS.sessionDuration=3600
AWS.policy={\"Statement\":[{\"Action\":\"sns:*\",\"Effect\":\"Allow\",
\"Resource\":\"*\"}]}
Parameters
AWS.accessKeyID
The AWS access key.
AWS.secretAccessKey
The AWS secret access key.
AWS.issuerUrl
The URL to which the user should be redirected when their federation session expires.
AWS.consoleUrl
The URL of the Management Console.
AWS.signinUrl
The URL of the AWS federated signin service.
AWS.policy
A policy that applies to the federated user.
AWS.stsEndpoint
The STS endpoint to use if specified; otherwise, use the default endpoint.
AWS.sessionDuration
The duration, in seconds, that the federation session should last. Acceptable durations are in the
interval [3600 .. 129600].
AWS.urlEncodeOption
Optionally encode the session URL.
AWS.federatedUserName
The name of the federated user to display in the AWS Management Console.
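A pre-flight check for the getAwsManagementConsoleSessionUrl parameters, as an added example that is not part of the CA documentation: it checks AWS.sessionDuration against the documented interval, confirms that AWS.policy parses as JSON, and flags wildcard grants in the policy. The function names, the sample values and the https-only rule for the URL parameters are assumptions of this example.

```python
"""Pre-flight validation for getAwsManagementConsoleSessionUrl parameters."""
import json
from urllib.parse import urlparse

# Interval documented for AWS.sessionDuration, in seconds.
MIN_DURATION, MAX_DURATION = 3600, 129600
URL_PARAMS = ("AWS.consoleUrl", "AWS.issuerUrl", "AWS.signinUrl")


def _as_list(value):
    """IAM policy elements may be a single item or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_policy(policy_text):
    """Return findings for an AWS.policy value; an empty list means no findings."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"AWS.policy is not valid JSON: {exc.msg} (column {exc.colno})"]
    if not isinstance(policy, dict) or "Statement" not in policy:
        return ["AWS.policy has no Statement element"]

    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if not isinstance(stmt, dict):
            findings.append(f"Statement[{idx}] is not a JSON object")
            continue
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen the federated session
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or str(action).endswith(":*"):
                findings.append(f"Statement[{idx}] allows wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"Statement[{idx}] allows every resource ('*')")
    return findings


def check_params(params):
    """Validate a dict of AWS.* parameters before they reach cspmserver_admin."""
    findings = []
    raw = params.get("AWS.sessionDuration")
    if raw is not None:
        try:
            duration = int(raw)
        except ValueError:
            findings.append(f"AWS.sessionDuration {raw!r} is not an integer")
        else:
            if not MIN_DURATION <= duration <= MAX_DURATION:
                findings.append(
                    f"AWS.sessionDuration {duration} is outside "
                    f"[{MIN_DURATION} .. {MAX_DURATION}]")
    for name in URL_PARAMS:
        value = params.get(name)
        if value is None:
            continue
        parsed = urlparse(value)
        # Assumption of this example: only absolute https URLs are accepted.
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"{name} is not an absolute https URL: {value!r}")
    if "AWS.policy" in params:
        findings.extend(check_policy(params["AWS.policy"]))
    return findings


# Constructed sample inputs (placeholder account ID and topic name).
SCOPED_POLICY = ('{"Statement":[{"Action":["sns:Publish"],"Effect":"Allow",'
                 '"Resource":"arn:aws:sns:us-east-1:111122223333:example-topic"}]}')
WILDCARD_POLICY = '{"Statement":[{"Action":"sns:*","Effect":"Allow","Resource":"*"}]}'
# A stray doubled quote before Effect makes this one unparseable.
MALFORMED_POLICY = '{"Statement":[{"Action":"sns:*",""Effect":"Allow","Resource":"*"}]}'

GOOD_PARAMS = {
    "AWS.consoleUrl": "https://console.aws.amazon.com/sns",
    "AWS.signinUrl": "https://signin.aws.amazon.com/federation",
    "AWS.issuerUrl": "https://issuer.example.com/",
    "AWS.sessionDuration": "3600",
    "AWS.policy": SCOPED_POLICY,
}

if __name__ == "__main__":
    samples = {"scoped": SCOPED_POLICY, "wildcard": WILDCARD_POLICY,
               "malformed": MALFORMED_POLICY}
    for label, policy in samples.items():
        result = check_params(dict(GOOD_PARAMS, **{"AWS.policy": policy}))
        print(label, "->", result or "no findings")
```

The policy is checked after the shell escaping (`\"`) has been removed, that is, on the JSON text the server receives.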
getErrorCodes
Use the getErrorCodes command to retrieve an XML list of CA Privileged Access Manager Credential
Manager error codes. This command takes no parameters.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getErrorCodes
getEventProcessingMetrics
Use the getEventProcessingMetrics command to get metrics for processing of notification events
(events sent to clients or proxies). This information can be used to determine the throughput of the
overall CA Privileged Access Manager Credential Manager system in processing events to be sent to
clients and proxies; if the throughput is deemed to be unacceptable, additional CA Privileged Access
Manager Credential Manager servers can be commissioned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=getEventProcessingMetrics
samplePeriodMinutes=720
Parameters
samplePeriodMinutes
Sample period in minutes.
getLocalProperty
Use the getLocalProperty command to retrieve the property value which matches the property name.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getLocalProperty
propertyName=sitename
Parameters
propertyName
The property key name.
getLogs
Use the getLogs command to retrieve a ZIP file containing the logs from a siteServer or
requestServer.
Example
cspmserver_admin adminUserID=admin cmdName=getLogs Site.ID=1000
hostName=tomcatServer3.cloakware.com
Parameters
RequestServer.ID
ID of a request server (client or proxy)
Site.ID
ID of a site
hostName
Canonical hostname of a site (i.e., Tomcat) or a request (i.e., client or proxy) server.
maxSize
Maximum size of the log file in bytes. 0 = unlimited.
getMostRecentPasswordHistory
Use the getMostRecentPasswordHistory command to retrieve the most recent password history for a
target account.
getMSOLFederatedSessionCmd
Use the getMSOLFederatedSessionCmd command to retrieve a federated session request. Generates
a federated session request for presentation to the MSOL portal. The request is returned as a web
form that should be automatically submitted by the caller's browser. Submitting the form launches a
federated session with MSOL.
Example
https://<CAPAM-HOST>/cspm/servlet/adminCLI
?responseType=htmlResponse
&adminUserID=super
&adminPassword=<PASSWORD>
&cmdName=getMsolFederatedSession
&MSOL.portalUrl=https%3A//login.microsoftonline.com/login.srf
&MSOL.stsEndpointUrl=https%3A//fs.xcdpoc.com/adfs/services/trust/2005/usernamemixed
&MSOL.stsEndpointReferenceUri=urn%3Afederation%3AMicrosoftOnline
&MSOL.wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ct%3D1361461138%26rver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252Flanding.aspx%253Ftarget%253D%25252fdefault.aspx%26lc%3D1033%26id%3D271346%26
&TargetAccount.ID=100
Parameters
MSOL.stsEndpointUrl
The URL of the Security Token Service (STS) endpoint from which the security token shall be
requested. In general, specify the appropriate URL that's exposed by your organization's Active
Directory Federation Service (AD FS). The endpoint must support the WS-Trust 2005 (username
mixed mode) protocol. For example, https://<ADFS-HOST>/adfs/services/trust/2005/usernamemixed.
MSOL.stsEndpointReferenceUri
The reference URI to which the security token request applies. When AD FS is federated with MSOL
this value is typically "urn:federation:MicrosoftOnline" (without quotes).
MSOL.portalUrl
The URL of the MSOL portal. For example, https://login.microsoftonline.com/login.srf.
MSOL.wctx
This parameter contains context information that is relevant to MSOL. Its value should be derived by
following the procedure for "creating a smart link" as described in documentation from Microsoft.
For additional instructions please refer to
http://community.office365.com/en-us/wikis/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx.
TargetAccount.ID
The ID of the Target Account that represents the federated user's credentials. The username and
password will be retrieved and sent to AD FS in a security token request. If AD FS successfully
authenticates the credentials then it will issue a security token response that contains SAML
assertions that are good for authenticating the federated user to MSOL.
reason
The reason you are requesting a password view.
reasonDetails
Detailed description of why you wish to view the password.
no N/A String.
PasswordViewRequest.requestPeriodStart
If the account password view policy has dual authorization enabled, this parameter specifies the start
time of the password view request.
PasswordViewRequest.requestPeriodEnd
If the account password view policy has dual authorization enabled, this parameter specifies the end
time of the password view request.
referenceCode
Reference Code.
getNumberOfAccounts
Use the getNumberOfAccounts command to retrieve the number of target accounts registered in CA
Privileged Access Manager Credential Manager. This command takes no parameters.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getNumberOfAccounts
getRequestServerDefaults
Use the getRequestServerDefaults command to add a request server defaults to CA Privileged Access
Manager Credential Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=getRequestServerDefaults RequestServerDefaults.ID=1001
Parameters
RequestServerDefaults.ID
The id of the record to get.
getScriptHashAsynchronous
Use the getScriptHashAsynchronous command to refresh a script hash for a specified request script
on a request server (CA Privileged Access Manager Credential Manager client). A script hash value is
a SHA-1 message digest value of the script (file).
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=getScriptHashAsynchronous RequestScript.ID=2
Parameters
RequestScript.ID
The unique ID for the request script.
getServiceStatus
Use the getServiceStatus command to query the state of services associated with a Windows
domain target account. This command assumes the service information is stored in an extended
attribute named 'serviceInfo'.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getServiceStatus
TargetAccount.ID=24
Parameters
TargetAccount.ID
The ID of the TargetAccount
TargetServer.hostName
The host name of the TargetServer
TargetApplication.name
The name of the TargetApplication
TargetAccount.userName
The user name of the TargetAccount
getSystemProperty
Use the getSystemProperty command to retrieve the property value which matches the property name.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getSystemProperty
propertyName=DBVersion
Parameters
propertyName
The property key name.
listDBClusterMembers
Use the listDBClusterMembers command to retrieve a list of all database cluster members in the
system.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=listDBClusterMembers
listDiscoveredAccounts
Use the listDiscoveredAccounts command to discover accounts on a Windows host or domain.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=listDiscoveredAccounts
Parameters
TargetApplication.ID
The Windows (domain or proxy) target application's ID.
TargetApplication.name
The Windows (domain or proxy) target application's name.
listDiscoveredServices
Use the listDiscoveredServices command to discover services on a Windows host.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=listDiscoveredServices
Parameters
TargetAccount.ID
The target account's ID of the user whose services are to be discovered
TargetAccount.userName
The target account name of the user whose services are to be discovered
TargetApplication.name
The target application name
TargetServer.name
The name of the target application target server
discoveryUseProxy
Use the proxy associated with the account to do the discovery
listDiscoveredTasks
Use the listDiscoveredTasks command to discover tasks on a Windows host run by a given user.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=listDiscoveredTasks
Parameters
TargetAccount.ID
The target account id of the user whose tasks are to be discovered
TargetAccount.userName
The target account's name of the user whose tasks are to be discovered
TargetApplication.name
The target application's name
TargetServer.name
The name of the target application's target server
discoveryUseProxy
Use the proxy associated with the account to do the discovery
listPasswordViewRequestByApproverSummary
Use the listPasswordViewRequestByApproverSummary command to return a list of password view
requests for an approver.
listPasswordViewRequestByRequestorSummary
Use the listPasswordViewRequestByRequestorSummary command to return a list of password view
requests for a requestor.
listRequestServerDefaults
Use the listRequestServerDefaults command to retrieve a list of Request Server defaults from the CA
Privileged Access Manager Credential Manager datastore.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=listRequestServerDefaults
Parameters
RequestServerDefaults.ipAddress
The ip filter to apply to search.
RequestServerDefaults.type
The type filter to apply to search.
renameUser
Use the renameUser command to rename a Credential Manager user. The command creates a copy of an
existing user with a new name and deletes the old user.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=renameUser
User.userID=demo User.password=demo123$ User.newUserID=demo2
Parameters
User.userID
The user name of the Credential Manager user to be renamed
User.newUserID
The user name of the Credential Manager user to be created
User.gkUserId
The Gatekeeper user ID to be associated with this user. If not specified, the existing value will be
preserved.
resetClientCache
Use the resetClientCache command to reset all client caches. The command informs all active clients
that their caches of saved passwords should be reset.
Example:
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=resetClientCache
resetDBHash
Use resetDBHash to reset the database hash for an object. The types of objects can be specified as a
comma separated list via the objectClass parameter.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=resetDBHash
objectClass=c.cw.m.ts
resetGroupCache
Use the resetGroupCache command to refresh the group cache for all groups, or a single group. This
command is asynchronous.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=resetGroupCache
Group.name=test_target_group
Parameters
Group.name
Name of the group you wish to update in the group cache.
searchAgent
Use the searchAgent command to retrieve a detailed listing of all the Windows Proxies registered in
Credential Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchAgent
Parameters
Agent.ID
Filter results for the specified Agent.ID.
Agent.hostName
Filter results based on the Agent.hostName specified.
Agent.ipAddress
Filter results based on the Agent.ipAddress specified.
Agent.deviceName
Filter results based on the Agent.deviceName specified.
Agent.clientVersion
Filter results based on the Agent.clientVersion specified.
Agent.active
Set Agent.active=true to filter results for active agents. Set Agent.active=false to filter results for
inactive agents.
Agent.actionRequired
Set Agent.actionRequired=true to filter results for agents with the actionRequired flag set to true. Set
Agent.actionRequired=false to filter results for agents with the actionRequired flag set to false.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchAuthorization
Use the searchAuthorization command to retrieve a detailed listing of authorization mappings
registered in Credential Manager, which match the provided search criteria. When no search criteria
are listed all authorization mappings are returned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchAuthorization
Authorization.checkExecutionID=true
Parameters
Authorization.executionUser
Filter results for specified authorization execution user.
Authorization.checkExecutionID
Set Authorization.checkExecutionID=true to filter results for authorization mappings that have the
check execution ID flag set to true. Set Authorization.checkExecutionID=false to filter results for script
authorizations that have the check execution ID flag set to false.
Authorization.checkPath
Set Authorization.checkPath=true to filter results for authorization mappings that have the check
execution path flag set to true. Set Authorization.checkPath=false to filter results for authorization
mappings that have the check execution path flag set to false.
Authorization.checkFilePath
Set Authorization.checkFilePath=true to filter results for authorization mappings that have the check
file path flag set to true. Set Authorization.checkFilePath=false to filter results for authorization
mappings that have the check file path flag set to false.
Authorization.checkScriptHash
Set Authorization.checkScriptHash=true to filter results for authorization mappings that have the
check script hash flag set to true. Set Authorization.checkScriptHash=false to filter results for
authorization mappings that have the check script hash flag set to false.
Authorization.ID
Filter results based on Authorization.ID specified.
RequestServer.ID
Filter results based on the RequestServer.ID specified.
RequestScript.ID
Filter results based on the RequestScript.ID specified.
TargetAlias.ID
Filter results based on the TargetAlias.ID specified.
Authorization.targetGroupId
Filter results based on the targetGroupID specified.
Authorization.requestGroupId
Filter results based on the requestGroupID specified.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchFilter
Use the searchFilter command to retrieve a detailed listing of filters which match the provided search
criteria. When no search criteria are listed, all registered filters are returned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchFilter
Parameters
Filter.ID
Filter results for the specified filter.
Group.ID
Filter results for the unique identifier of a request or target group.
no N/A Numeric.
Filter.attribute
The filter attribute. For a detailed listing of valid filter attributes, see CA Privileged Access Manager
user documentation.
Filter.type
Filter results for the specified filter type.
Filter.expression
Filter results for the specified filter expression.
Filter.objectClassId
Filter results for the specified object class ID.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchGroup
Use the searchGroup command to retrieve a list of target groups or request groups within Credential
Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchGroup
Parameters
Group.ID
Filter results for the specified Group.ID.
Group.name
Filter results for groups matching the specified name.
Group.description
Filter results for groups matching the specified description.
Group.type
Filter results for groups with the specified group type.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchPasswordPolicy
Use the searchPasswordPolicy command to retrieve a detailed list of all the Password Composition
policies that match the provided search criteria. If no search criteria are specified then all SSH Key
Pair policies are returned.
Example
cspmserver_admin UserInputException cmdName=searchPasswordPolicy
Parameters
PasswordPolicy.name
Filter results for specified policy name.
PasswordPolicy.description
Filter results for policy descriptions that contain the specified value.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchPasswordViewPolicy
Use the searchPasswordViewPolicy command to retrieve a list of all password view policies that
match the search criteria. When no search criteria are listed, all password view policies are returned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=searchPasswordViewPolicy
PasswordViewPolicy.name=restrictedAccounts
Parameters
PasswordViewPolicy.name
The name of the password view policy.
PasswordViewPolicy.description
The description of the password view policy.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchPasswordViewRequest
Use the searchPasswordViewRequest command to list the password view requests in the system.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=searchPasswordViewRequest
PasswordViewRequest.status=pending
Parameters
PasswordViewRequest.requestorID
Filter results for specified requestorID
PasswordViewRequest.approverID
Filter results for specified approverID
PasswordViewRequest.status
Filter results that contain the value specified.
PasswordViewRequest.targetAccountID
Filter results for specified target account ID.
PasswordViewRequest.isCheckedOut
Filter results for accounts that are checked out.
Page.Number
List all request servers within the specified page.
Page.Size
Specify the size of each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchPasswordViewRequestByApprover
Use the searchPasswordViewRequestByApprover command to list the password view requests for a
particular approver. The approver is the user executing the command.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=searchPasswordViewRequestByApprover
Parameters
PasswordViewRequest.requestorID
Filter results for specified requestorID
PasswordViewRequest.status
Filter results that contain the value specified.
PasswordViewRequest.targetAccountID
Filter results for specified target account ID.
Page.Number
List all request servers within the specified page.
Page.Size
Specify the size of each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchPasswordViewRequestByRequestor
Lists the password view requests for a particular requestor. The requestor is the user executing the
command.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=searchPasswordViewRequestByRequestor
PasswordViewRequest.status=1
Parameters
PasswordViewRequest.approverID: Filter results for specified approverID
no 10000 N/A
Sort.Property: Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction: Set Sort.Direction=asc to have the results presented in ascending order. Set
Sort.Direction=desc to have the results presented in descending order.
searchRequestScript
Use the searchRequestScript command to retrieve a detailed listing of the requesting applications
registered in Credential Manager that match the provided search criteria. When no search criteria
are listed, all registered requesting applications are returned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchRequestScript
RequestScript.name=example.pl
Parameters
RequestServer.ID
Filter results for specified RequestServer.ID.
RequestScript.name
Filter results for specified request script name.
RequestScript.ID
Filter results for specified RequestScript.ID.
RequestScript.filePath
Filter results for file paths that contain the value specified.
RequestScript.executionPath
Filter results for execution paths that contain the value specified.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchRequestServer
Use the searchRequestServer command to retrieve a detailed listing of the request servers (Credential
Manager clients) registered in Credential Manager that match the provided search criteria. When
no search criteria are listed, all registered request servers are returned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchRequestServer
RequestServer.hostName=mydomain
Parameters
RequestServer.ID
Filter results for specified RequestServer.ID.
RequestServer.hostName
Filter results for request server host names that contain the value specified.
RequestServer.deviceName
Filter results for request server device names that contain the value specified.
RequestServer.ipAddress
Filter results for IP address that contain the value specified.
RequestServer.clientVersion
Filter results for request server client version that contain the value specified.
RequestServer.active
Set RequestServer.active=true to filter results for request servers that have the active flag set to true.
Set RequestServer.active=false to filter results for request servers that have the active flag set to
false.
RequestServer.actionRequired
Set RequestServer.actionRequired=true to filter results for request servers that have the action
required flag set to true. Set RequestServer.actionRequired=false to filter results for request servers
that have the actionRequired flag set to false.
Page.Number
List all request servers within the specified page.
Page.Size
Specify the size of each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchRole
Use the searchRole command to retrieve roles from Credential Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchRole
Parameters
Role.ID
Filter results for specified Role.ID.
Role.name
Filter results based on the Role.name specified.
Role.description
Filter results based on the Role.description specified.
Page.Number
List all roles within the specified page.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchSite
Use the searchSite command to retrieve an XML list of all sites in Credential Manager. This command
takes no parameters.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchSite
searchSSHKeyPairPolicy
Lists SSH Key Pair policies.
Use this command to retrieve a detailed list of all the SSH Key Pair policies that match the provided
search criteria. If no search criteria are specified then all SSH Key Pair policies are returned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchSSHKeyPairPolicy
Parameters
SSHKeyPairPolicy.name: Filter results for specified policy name.
SSHKeyPairPolicy.description: Filter results for policy descriptions that contain the specified value.
Page.Number: Specifies which page to return when the results are divided among multiple pages.
This parameter works in conjunction with Page.Size.
Sort.Property: Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction: Set Sort.Direction=asc to have the results presented in ascending order. Set
Sort.Direction=desc to have the results presented in descending order.
searchTargetAccount
Use the searchTargetAccount command to retrieve an XML listing of all target accounts that match
the search criteria. When no search criteria are listed, all target accounts are returned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchTargetAccount
TargetAccount.userName=root
Parameters
TargetAccount.ID
Filter results for specified TargetAccount.ID.
TargetApplication.ID
Filter results for specified TargetApplication.ID.
TargetApplication.name
Filter results for specified target application name.
TargetApplication.type
Filter results for specified target application type.
TargetAccount.userName
Filter results for target account user names that contain the value specified.
TargetAccount.accessType
Filter results for target account access types that contain the value specified.
TargetAccount.cacheAllow (Deprecated)
Set TargetAccount.cacheAllow=true to filter results for target accounts that have the cache allow flag
set to true. Set TargetAccount.cacheAllow=false to filter results for target accounts that have the
cache allow flag set to false.
TargetAccount.cacheBehavior
Set TargetAccount.cacheBehavior=useCacheFirst to have the credentials for this account cached in
the CSPM Client and used first. Set TargetAccount.cacheBehavior=useServerFirst to have the
credentials for this account cached in the CSPM Client but the Server is contacted first. Set
TargetAccount.cacheBehavior=noCache to ensure that the credentials for this account are not cached
in the CSPM Client.
TargetAccount.cacheDuration
Filter results for specified cache duration value.
TargetAccount.privileged
Set TargetAccount.privileged=true to filter results for target accounts that have the privileged flag set
to true. Set TargetAccount.privileged=false to filter results for target accounts that have the
privileged flag set to false (A2A accounts).
TargetAccount.synchronize
Set TargetAccount.synchronize=true to filter results for target accounts that have the synchronize
flag set to true. Set TargetAccount.synchronize=false to filter results for target accounts that have the
synchronize flag set to false.
TargetAccount.passwordVerified
Set TargetAccount.passwordVerified=true to filter results for target accounts that have the password
verified flag set to true. Set TargetAccount.passwordVerified=false to filter results for target accounts
that have the password verified flag set to false.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchTargetAlias
Use the searchTargetAlias command to retrieve an XML listing of all target aliases that match the
search criteria. When no search criteria are listed, all target aliases are returned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchTargetAlias
TargetAlias.name=test
Parameters
TargetAlias.name
Filter results for target alias names that contain the value specified.
TargetAccount.ID
Filter results for specified TargetAccount.ID.
TargetAlias.ID
Filter results for specified TargetAlias.ID.
TargetServer.hostName
Filter results for target server host names that contain the value specified.
TargetApplication.name
Filter results for target application names that contain the value specified.
TargetAccount.userName
Filter results for target account user names that contain the value specified.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchTargetApplication
Use the searchTargetApplication command to retrieve an XML listing of all target applications that
match the search criteria. When no search criteria are listed, all target applications are returned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=searchTargetApplication TargetApplication.type=oracle
Parameters
TargetApplication.ID
Filter results for specified TargetApplication.ID.
TargetServer.ID
Filter results for specified TargetServer.ID.
TargetApplication.name
Filter results for target application names that contain the value specified.
TargetApplication.type
Filter results for target application types that contain the value specified.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchTargetServer
Use the searchTargetServer command to retrieve an XML list of all target servers that match the
search criteria. When no search criteria are listed, all target servers are returned.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchTargetServer
TargetServer.hostName=mydomain
Parameters
TargetServer.ID
Filter results for target server ID that contain the value specified.
TargetServer.hostName
Filter results for target server host names that contain the value specified.
TargetServer.ipAddress
Filter results for IP addresses that contain the value specified.
TargetServer.deviceName
Filter results for target server device names that contain the value specified.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
searchUser
Use the searchUser command to retrieve a list of Credential Manager users from the Credential
Manager datastore.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchUser UserGroup.ID=4
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchUser UserGroup.ID=4
User.authenticationType=CSPM User.status=ACTIVE User.firstName=Demo User.lastName=User
Parameters
UserGroup.ID
Filter results for users belonging to the specified user group.
User.authenticationType
Filter results on user authenticationType.
User.status
Filter results on user status.
User.firstName
Filter results on user first name.
User.lastName
Filter results on user last name.
searchUserGroup
Use the searchUserGroup command to retrieve a list of user groups from the Credential Manager
datastore. If a user is specified, then only the groups to which that user belongs are displayed.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchUserGroup
UserGroup.ID=1
Parameters
UserGroup.ID
Filter results for user groups matching the specified ID.
UserGroup.name
Filter results for user groups matching the specified name.
UserGroup.description
Filter results for user groups matching the specified description.
UserGroup.userID
Filter results for user groups to which the specified user belongs.
Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.
Page.Size
Specifies the number of records to return on each page.
Sort.Property
Use Sort.Property to specify which field to use for sorting the result.
Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.
setDisasterRecoverySettings
Use the setDisasterRecoverySettings command to enable or disable disaster recovery mode.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=setDisasterRecoverySettings enable=true
Parameters
enable
Set enable=true to enable the disaster recovery mode. Otherwise, set enable=false to disable it.
setInitProperty
Use the setInitProperty command to change the Credential Manager initialization property (database
username and password) for DB2 databases. For all other databases, use the updateDBPassword
command. This command can be executed at a secondary site.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=setInitProperty
propertyName=dbpassword propertyValue='12345'
Parameters
propertyName
The property to set.
propertyValue
String containing the property value.
setLocalProperty
Use the setLocalProperty command to set the site name of a primary or secondary site in a multi-site
Credential Manager installation. setLocalProperty sets the site name in the site-local CA Privileged
Access Manager Credential Manager data store.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=setLocalProperty
propertyName=sitename propertyValues=mySiteName
Parameters
propertyName
The property to set.
propertyValues
String containing the property value.
setPasswordViewReasons
Use the setPasswordViewReasons command to customize the reasons a Credential Manager GUI user
can select for viewing a target account password.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=setPasswordViewReasons
reasons="System failure|System recovery|System update|Scheduled maintenance|Other"
Parameters
reasons
The list of reasons is delimited by |. In UNIX, the list must be enclosed in quotes.
setPasswordViewRequestDeleteInterval
Use the setPasswordViewRequestDeleteInterval command to set the password view request delete
interval.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=SetPasswordViewRequestDeleteInterval
deleteIntervalDays=30
Parameters
deleteIntervalDays
The number of days to keep Password View Requests
setReportRowLimit
Use the setReportRowLimit command to set the maximum number of entries that will be displayed
by reports.
Example
cspmserver_admin adminUserID=admin cmdName=setReportRowLimit rowLimit=10000
Parameters
rowLimit
The maximum number of entries displayed by each report
setSystemProperty
Use the setSystemProperty command to set a Credential Manager system property.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=setSystemProperty
propertyName=lunaPassword propertyValues='p@ssw0rd!' encryptValue=true
Parameters
propertyName
The property to update (or insert if it does not exist).
propertyValues
String containing the property value.
encryptValue
Set encryptValue=true to indicate that propertyValues value is to be encrypted. Set
encryptValue=false to indicate that it is not to be encrypted (plaintext).
propertyValueBlankAllowed
Required Default Value Valid Values
no false true, false
updateAuthorization
Use the updateAuthorization command to change authorization mapping information.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateAuthorization
Authorization.ID=10 RequestServer.ID=17 RequestScript.ID=2
Authorization.checkExecutionID=true
Authorization.executionUser=auser
Authorization.checkPath=true TargetAlias.ID=6
Parameters
Authorization.ID
The unique ID for the authorization mapping to be changed.
TargetAlias.ID
The updated value for the target alias ID.
Authorization.targetGroupId
The updated value for the target group ID.
RequestServer.ID
The updated value for the request server ID on which the requesting application resides.
RequestScript.ID
The updated value for request script ID.
Authorization.requestGroupId
The updated value for request group ID.
Authorization.checkExecutionID
Set Authorization.checkExecutionID=true to indicate that the execution user ID be validated.
Authorization.executionUser
A comma-delimited list of execution user IDs. The IDs are only validated if
Authorization.checkExecutionID=true.
Authorization.checkPath
Set Authorization.checkPath=true to indicate that the script execution path be validated.
Authorization.checkFilePath
Set Authorization.checkFilePath=true to indicate that the script file path be validated.
Authorization.checkScriptHash
Set Authorization.checkScriptHash=true to indicate script hash integrity verification be performed.
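The check flags that searchAuthorization filters on and updateAuthorization sets control how a requesting script is validated, so a reviewer will usually want the mappings where a check is set to false. The script below is an added example, not part of the CA documentation: it assumes cspmserver_admin is on PATH and authenticates as it normally does, and the function names, the PAM_HOST and PAM_ADMIN variables, and the output file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the CA manual): list authorization mappings that have
# a request-verification check switched off, using only the documented
# searchAuthorization filters. Host and admin ID default to the manual's
# example values and are assumptions; override them through the environment.
PAM_HOST=${PAM_HOST:-paServer}
PAM_ADMIN=${PAM_ADMIN:-admin}

# The four boolean check flags that searchAuthorization accepts as filters.
AUTHZ_CHECK_FLAGS="checkExecutionID checkPath checkFilePath checkScriptHash"

# run_authz_query FLAG VALUE [PAGE SIZE]
# Validates the inputs, then runs one searchAuthorization query. Each argument
# is passed as its own word, so the shell never re-parses the values.
run_authz_query() (
  flag=${1:-} value=${2:-} page=${3:-} size=${4:-}
  case $flag in
    ''|*[!A-Za-z]*) echo "invalid flag name: $flag" >&2; exit 2 ;;
  esac
  case " $AUTHZ_CHECK_FLAGS " in
    *" $flag "*) ;;
    *) echo "not a documented check flag: $flag" >&2; exit 2 ;;
  esac
  case $value in
    true|false) ;;
    *) echo "value must be true or false: $value" >&2; exit 2 ;;
  esac
  set -- "cspmHostName=$PAM_HOST" "adminUserID=$PAM_ADMIN" \
         cmdName=searchAuthorization "Authorization.$flag=$value"
  if [ -n "$page" ] || [ -n "$size" ]; then
    # Page.Number works in conjunction with Page.Size, so require both.
    case $page in ''|*[!0-9]*) echo "Page.Number must be numeric" >&2; exit 2 ;; esac
    case $size in ''|*[!0-9]*) echo "Page.Size must be numeric" >&2; exit 2 ;; esac
    set -- "$@" "Page.Number=$page" "Page.Size=$size"
  fi
  cspmserver_admin "$@"
)

# audit_disabled_checks OUTDIR
# Runs one query per flag with <flag>=false and stores the raw output, because
# this section of the manual does not describe the result format.
audit_disabled_checks() (
  outdir=${1:?usage: audit_disabled_checks OUTDIR}
  umask 077   # the results describe privileged-access configuration
  mkdir -p "$outdir" || exit 1
  failed=0
  for flag in $AUTHZ_CHECK_FLAGS; do
    out="$outdir/searchAuthorization.$flag.false.out"
    if run_authz_query "$flag" false >"$out"; then
      echo "Authorization.$flag=false -> $out"
    else
      echo "query failed: Authorization.$flag=false" >&2
      failed=$((failed + 1))
    fi
  done
  [ "$failed" -eq 0 ]
)

# Run the audit only when an output directory is given on the command line.
if [ -n "${1:-}" ]; then
  audit_disabled_checks "$1"
fi
```

A mapping that appears in all four output files has no execution user, path, file path or script hash validation enabled and is the first candidate for review with updateAuthorization.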
updateDBClusterMembers
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updateDbClusterMember database.ID=db1 active=false
Parameters
database.ID
ID of the database cluster member to update
active
"true" will activate the specified database cluster member, "false" will de-activate it
method
Optional synchronization strategy values: "full" or "dump-restore"
updateDBPassword
Changes the CA Privileged Access Manager Credential Manager datastore administrator password on
all databases except DB2.
Use this command to change the CA Privileged Access Manager Credential Manager datastore
administrator password for the DML or DDL user account on all databases except DB2. This command
can be executed at a secondary site. A DML (Data Manipulation Language) user can manipulate data
within database tables. A DDL (Data Definition Language) user can define the database schema. When
the DML and DDL user accounts share the same database username, both their passwords are changed
in the init properties table of CA Privileged Access Manager Credential Manager. To change the
datastore password in a DB2 database, use setInitProperty.
Warning: Changing the datastore password directly in the database causes CA Privileged Access
Manager Credential Manager to fail to operate. Use this command instead, because CA Privileged
Access Manager Credential Manager uses proprietary key-hiding technology to securely store the
datastore password.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateDBPassword dbuserTy
dbpassword=cspmpwd updateLoginCredentials=true
Parameters
dbuserType: The CA Privileged Access Manager Credential Manager database user type. Either DML
(Data Manipulation Language) or DDL (Data Definition Language).
dbpassword: The new CA Privileged Access Manager Credential Manager datastore administrator
password.
updateLoginCredentials: Useful if you do not want to update the database user account.
updateFilter
Use the updateFilter command to update a target group or request group filter.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateFilter Filter.ID=6
Filter.objectClassId=c.cw.m.ts Filter.attribute=hostName
Filter.type=contains Filter.expression=Ottawa
Parameters
Filter.ID
The ID of the filter. It must be an integer >= 1.
Filter.objectClassId
The type of object to filter. Class IDs are specific to group type.
Filter.attribute
The filter attribute. If static, attribute must be ID. If dynamic, attributes are specific to objectClassId.
Filter.type
The filter type. If group is static, only equals is valid.
Filter.expression
The filter expression. If the group is static, the expression can only be an integer >= 1.
updateGroup
Use the updateGroup command to change a target or request group.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateGroup
Group.ID=5 Group.name="TokyoTargets" Group.description="Targets in Tokyo"
Group.type=target
Parameters
Group.ID
The ID of the group.
Group.name
The name of the target or request group.
Group.description
The description of the group.
Group.type
Set Group.type=requestor for Request groups. Set Group.type=target for Target groups.
Group.dynamic
Set Group.dynamic=true for dynamic Request/Target groups, false for static Request/Target groups.
Group.permissions
ArrayList object of filters, or XML encoded ArrayList of filters. If not set, the filters are cleared.
updatePasswordPolicy
Use the updatePasswordPolicy command to update a password policy.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updatePasswordPolicy
PasswordPolicy.ID=1 PasswordPolicy.name=passwordPolicyName
Attribute.composedOfUpperCaseCharacters=true Attribute.firstCharacterUpperCase=true
Parameters
PasswordPolicy.ID
The ID of the password policy.
PasswordPolicy.name
The name of the password policy.
PasswordPolicy.description
The description of the password policy.
Attribute.passwordPrefix
The prefix for all passwords mandated by your password policy.
Attribute.composedOfUpperCaseCharacters
Set to true if you wish to mandate that your password policy contain upper case characters.
Attribute.composedOfLowerCaseCharacters
Set to true if you wish to mandate that your password policy contain lower case characters.
Attribute.composedOfNumericCharacters
Set to true if you wish to mandate that your password policy contain numeric characters.
Attribute.composedOfSpecialCharacters
Set to true if you wish to mandate that your password policy contain special characters.
Attribute.specialCharacters
The list of all special characters mandated by your password policy.
Attribute.firstCharacterUpperCase
Set to true if you wish to mandate that your password policy contain upper case characters.
Attribute.firstCharacterLowerCase
Set to true if you wish to mandate that your password policy contain lower case characters.
Attribute.firstCharacterNumeric
Set to true if you wish to mandate that your password policy contain numeric characters.
Attribute.firstCharacterSpecial
Set to true if you wish to mandate that your password policy contain special characters.
Attribute.firstCharacterSpecials
The list of all special characters mandated by your password policy.
Attribute.mustNotContainConsecutiveDuplicateCharacters
Set to true if you wish to mandate that your password policy not allow any repeating characters.
Attribute.mustNotContainAnyDuplicateCharacters
Set to true if you wish to mandate that your password policy not allow any duplicate characters.
Attribute.mustNotContainCharacters
Set to true if you wish to mandate that your password policy not contain certain upper case, lower
case, or numeric characters.
Attribute.composedOfMustNotContainCharacters
The list of all characters not allowed by your password policy. No overlap allowed with special
characters.
Attribute.minLength
The minimum password length mandated by your password policy.
Attribute.maxLength
The maximum password length mandated by your password policy.
Attribute.minIterationsBeforeReuse
Set the minimum number of iterations before a password can be reused.
Attribute.minDaysBeforeReuse
Set the minimum number of days before a password can be reused.
Attribute.enableMaxPasswordAge
Set to true if you wish to enable Maximum password age in your password policy.
Attribute.maxPasswordAge
Set the Maximum password age.
updatePasswordViewPolicy
Use the updatePasswordViewPolicy command to update a password view policy in Credential
Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updatePasswordViewPolicy
PasswordViewPolicy.ID=7 PasswordViewPolicy.checkinCheckoutRequired=true
PasswordViewPolicy.checkinCheckoutInterval=240
Parameters
PasswordViewPolicy.ID
The ID of the password view policy.
PasswordViewPolicy.name
The updated name of the password view policy.
PasswordViewPolicy.description
An updated description of the password view policy.
PasswordViewPolicy.changePasswordOnView
Set PasswordViewPolicy.changePasswordOnView=true to indicate that CA Privileged Access Manager
Credential Manager should change the password after a password view request.
PasswordViewPolicy.allowChangePasswordOnViewForSso
Set PasswordViewPolicy.allowChangePasswordOnViewForSso=true to indicate that CA Privileged
Access Manager Credential Manager should change the password after a password SSO request
(retrieved but not viewed).
PasswordViewPolicy.passwordChangeInterval
Determines the length of time (in minutes) before the password is changed if
changePasswordOnView is set to true.
PasswordViewPolicy.checkinCheckoutRequired
Set PasswordViewPolicy.checkinCheckoutRequired=true to indicate that an account must be checked
out before the password can be viewed. When checked out, the account's password cannot be
changed.
PasswordViewPolicy.checkinCheckoutInterval
Determines the length of time (in minutes) an account can remain checked out before it is
automatically checked back in by the system.
PasswordViewPolicy.dualAuthorization
Set PasswordViewPolicy.dualAuthorization=true to indicate that a request to view a password must
be approved by another user before proceeding.
PasswordViewPolicy.dualAuthorizationInterval
Determines the default length of time (in minutes) a password view request remains active in the
system, provided the requesting user does not specify a start/end time for the password view
request.
PasswordViewPolicy.approvers
The list of users who are authorized to approve or deny password requests for accounts that use this
password policy.
PasswordViewPolicy.approverIDs
The list of user IDs who are authorized to approve or deny password requests for accounts that use
this password policy.
PasswordViewPolicy.authenticationRequired
Set PasswordViewPolicy.authenticationRequired=true to indicate that the requesting user must
provide their password before viewing the account.
PasswordViewPolicy.enableOneClickApproval
Set PasswordViewPolicy.enableOneClickApproval=true to enable dual authorization one click
approval. When enabled, dual authorization emails will include links to allow the approver to approve
requests without logging into the system.
PasswordViewPolicy.passwordViewRequestMaxInterval
The maximum interval between the start and end date of a dual authorization password view
request.
PasswordViewPolicy.passwordViewRequestMaxDays
The maximum number of days in the future that a password view request can be requested.
updatePasswordViewRequestStatus
Use the updatePasswordViewRequestStatus command to approve or deny a password view request.
This command can be run on a secondary site.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updatePasswordViewRequestStatus
PasswordViewRequest.ID=1 PasswordViewRequest.status=approved
Parameters
PasswordViewRequest.ID
The ID of the password view request.
PasswordViewRequest.status
The status of the password view request.
PasswordViewRequest.statusCode
The status of the password view request.
PasswordViewRequest.approvalReason
The approval reason.
PasswordViewRequest.approvalReasonDescription
The approval reason description.
updateRequestScript
Use the updateRequestScript command to change request application information.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateRequestScript
RequestServer.ID=17
RequestScript.ID=5
RequestScript.name=myExample.class
RequestScript.executionPath=/opt/cloakware/cspmclient/examples
RequestScript.filePath=/opt/cloakware/cspmclient/bin
RequestScript.type=java
Parameters
RequestScript.ID
The unique ID for the request script to be changed.
RequestServer.ID
The updated value for the RequestServer.ID.
RequestScript.name
The updated value for the request script name.
RequestScript.executionPath
The updated value for the location from which the requesting application will be run.
RequestScript.filePath
The updated value for the location in which the requesting application resides.
RequestScript.type
The updated value for the programming language in which the requesting application is written.
Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.
Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.
updateRequestServer
Use the updateRequestServer command to change request server information.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateRequestServer
RequestServer.ID=17 RequestServer.hostName=myhostname2.mydomain.com
Attribute.descriptor1="Lab" Attribute.descriptor2="Vienna"
Parameters
RequestServer.ID
The unique ID for the request server to be changed.
RequestServer.hostName
The updated value for the request server host name.
RequestServer.deviceName
The updated value for the request server device name.
RequestServer.active
Set RequestServer.active=true to activate the request server. Set RequestServer.active=false to
deactivate the request server.
RequestServer.port
The port number the request server listens on for incoming requests. This value is optional.
RequestServer.updatePortFlag
If this value is set to true and RequestServer.port is not empty, the port is updated.
RequestServer.acceptPendingFingerprint
Accepts or denies the pending fingerprint.
RequestServer.preserveHostName
Set RequestServer.preserveHostName=true to indicate that the request server host name should not
be overwritten each time the client registers.
RequestServer.type
Set RequestServer.type=CLIENT to indicate that the server is a request server. Set
RequestServer.type=AGENT to indicate that the server is a CA Privileged Access Manager Credential Manager
Windows Proxy.
RequestServer.patchStatus
Disables or enables the request server patch upgrade. If it is set to Disabled, the request server does
not apply a patch, even if a newer version is found and activated.
Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.
Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.
updateRequestServerDefaults
Use the updateRequestServerDefaults command to update request server defaults in Credential
Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updateRequestServerDefaults
RequestServerDefaults.subnet=192.168.0.0/16
RequestServerDefaults.active=true
RequestServerDefaults.type=CLIENT
RequestServerDefaults.descriptor1=awsApiProxy
Parameters
RequestServerDefaults.ID
The id of the record to delete.
RequestServerDefaults.subnet
The subnet filter to apply defaults to request servers.
RequestServerDefaults.type
The type filter to apply defaults to request servers.
RequestServerDefaults.active
The default setting for RequestServer.active during auto-register.
RequestServerDefaults.descriptor1
The default setting for Attribute.descriptor1 during auto-register.
RequestServerDefaults.descriptor2
The default setting for Attribute.descriptor2 during auto-register.
updateRequestServerKey
Use the updateRequestServerKey command to change the Request Server (Credential Manager
client) encryption key.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updateRequestServerKey
RequestServer.hostName=myhostname.mydomain.com
Parameters
RequestServer.hostName
The host name of the request server.
RequestServer.ID
The ID of the request server.
updateRole
Use the updateRole command to change role information in Credential Manager.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateRole Role.ID=11
Role.name="Patch Management" Role.description="Manages Patches"
Role.permissions="activatePatch, addPatch,deletePatch,getPatchDetail,listPatch,listPatchDetailSummary,updatePatch"
Parameters
Role.ID
The ID of the role.
Role.name
The name of the role.
Role.description
The description of the role.
Role.permissions
A comma delimited list of permissions.
updateServerKey
Changes the CA Privileged Access Manager Credential Manager server encryption key.
Use this command to update the CA Privileged Access Manager Credential Manager server
encryption key. This command does not take parameters.
CAUTION: The updateServerKey command reads every encrypted record in the database, decrypts it
with the old key, re-encrypts it with the new key, and writes the record back to the database.
Before using this command, contact CA Technologies customer support.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateServerKey
updateSite
Use the updateSite command to change secondary site information.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateSite Site.ID=2
Site.hostName=tokyo1.company.com
Parameters
Site.ID
The unique ID for the site to be changed.
Site.name
The updated value for the name of the site.
Site.type
Set Site.type=secondary if the site being added is a secondary site.
Site.hostName
The updated value for the host name of the site being added. The hostName value is used for site-to-
site communication.
updateSSHKeyPairPolicy
Use the updateSSHKeyPairPolicy command to update an existing SSH Key Pair Policy.
Example
https://<CAPAM-HOST>/cspm/servlet/adminCLI
?responseType=xmlResponse
&adminUserID=super
&adminPassword=<PASSWORD>
&cmdName=updateSSHKeyPairPolicy
&SSHKeyPairPolicy.name=Testing
&SSHKeyPairPolicy.keyType=DSA
&SSHKeyPairPolicy.keyLength=512
Parameters
SSHKeyPairPolicy.ID
The policy ID.
SSHKeyPairPolicy.name
The policy name.
SSHKeyPairPolicy.description
The policy description.
SSHKeyPairPolicy.keyType
The key type.
SSHKeyPairPolicy.keyLength
The key length.
updateTargetAccount
Use the updateTargetAccount command to change target account information, including the target
account password. Alternatively, use updateTargetAccountPassword to change the password.
Additional parameters may be required, depending on the Target Application Type. For a description
of these additional parameters, look up the appropriate turnkey target connector.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateTargetAccount
TargetAccount.ID=12 TargetServer.hostName=myhostname.mydomain.com
TargetApplication.name=myApplication TargetAccount.userName=sysop1
TargetAccount.password='sys0p!@2' TargetAccount.cacheBehavior=useServerFirst
TargetAccount.cacheDuration=17
Parameters
TargetAccount.ID
The unique ID for the target account to be changed.
TargetApplication.ID
The updated value for TargetApplication.ID.
TargetAccount.userName
The updated value for the target account user name.
TargetAccount.password
The updated value for the target account password.
TargetAccount.cacheAllow (Deprecated)
Deprecated parameter; use TargetAccount.cacheBehavior instead. Set TargetAccount.cacheAllow=true to
have credentials for this account cached in the Credential Manager client.
TargetAccount.cacheBehavior
Set TargetAccount.cacheBehavior=useCacheFirst to have the credentials for this account cached in
the Credential Manager client and used first. Set TargetAccount.cacheBehavior=useServerFirst to
have the credentials for this account cached in the Credential Manager client but the Server is
contacted first. Set TargetAccount.cacheBehavior=noCache to ensure that the credentials for this
account are not cached in the Credential Manager client.
TargetAccount.cacheDuration
Use TargetAccount.cacheDuration to specify the number of days the account credentials are
permitted to reside in a Credential Manager client cache.
TargetAccount.privileged
Set TargetAccount.privileged=true to indicate that this account is a privileged account. Set
TargetAccount.privileged=false to indicate that this account is an application-to-application account.
TargetAccount.accessType
Use this text field for reference purposes.
TargetAccount.synchronize
Set TargetAccount.synchronize=true to indicate that the password stored in Credential Manager
should be synchronized with the password on the target system. This functionality is not supported
with Target Application Type Generic.
Attribute.changePasswordAfterViewing
This parameter is no longer used. Set Attribute.changePasswordAfterViewing=true to indicate that
Credential Manager should change the password after a password view request (either from the GUI
or CLI). This feature applies only to accounts where TargetAccount.synchronize=true. This parameter
is ignored if the Change Password After Viewing feature has been disabled on the Credential
Manager server.
Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.
Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.
PasswordViewPolicy.ID
The ID of a PasswordViewPolicy attached to this account.
TargetAlias.name
A comma-separated list of TargetAlias.name values. This parameter is dependent on the value of
useTargetAliasNameParameter being true.
useTargetAliasNameParameter
A flag that, when true, adds or deletes TargetAliases for this account using the values specified in the
TargetAlias.name parameter.
TargetAccount.compoundAccount
A flag that, when true, adds or deletes Compound TargetServers for this account using the values
specified in the TargetAccount.compoundServerIDs parameter.
TargetAccount.compoundServerIDs
A list of compound server IDs to add to or delete from this account.
passwordIsBase64Encoded
A flag that, when true, indicates that the specified password has been Base64-encoded and should first
be decoded before being stored.
updateTargetAccountDescriptor
Use the updateTargetAccountDescriptor command to change the descriptor value of a target
account.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updateTargetAccountDescriptor
TargetAccount.ID=5 Attribute.descriptor1=testvalue1 Attribute.descriptor2=testvalue2
Parameters
TargetServer.hostName
The host name for the target server on which the target account resides.
TargetApplication.name
The target application name on which the target account is hosted.
TargetAccount.userName
The user name for the target account.
TargetAccount.ID
The unique identifier of the target account. This value is required if TargetServer.hostName,
TargetApplication.name and TargetAccount.userName are not specified.
Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic target groupings.
If this parameter is not included, the value is preserved.
Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic target groupings.
updateTargetAccountPassword
Use the updateTargetAccountPassword command to change a target account password to either a
specified password or to automatically generate a new target account password based upon the
associated password policy. By default, this command works only for synchronized accounts. Set the
allowUnsynchronized parameter to true to change the default nature.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updateTargetAccountPassword
TargetServer.hostName=myhostname.mydomain.com
TargetApplication.name=myApplication TargetAccount.userName=sysop1
Parameters
TargetServer.hostName
The host name for the target server on which the target account resides.
TargetApplication.name
The target application name on which the target account is hosted.
TargetAccount.userName
The user name for the target account.
TargetAccount.ID
The unique identifier of the target account. This value is required if TargetServer.hostName,
TargetApplication.name and TargetAccount.userName are not specified.
groupID
The unique identifier of the target group for which the passwords will be updated.
password
The password for the target account.
confirmPassword
The password for the target account.
allowUnsynchronized
Allows the password to be updated for non-synchronized accounts.
TargetAccount.passwordVerified
boolean
updateTargetAlias
Use the updateTargetAlias command to change target alias information.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateTargetAlias
TargetAlias.ID=12 TargetAccount.ID=5 TargetAlias.name=myaliasname
Parameters
TargetAlias.ID
The unique ID for the target alias to be changed.
TargetAccount.ID
The updated value for the TargetAccount.ID.
TargetAlias.name
The updated value for the target alias name.
updateTargetApplication
Use the updateTargetApplication command to change target application information. Additional
parameters may be required, depending on the Target Application Type. For a description of these
additional parameters, look up the appropriate turnkey target connector. Prior to running
updateTargetApplication, use searchTargetApplication to retrieve current parameter values.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updateTargetApplication
TargetApplication.ID=5 TargetServer.ID=8
TargetApplication.name=myApplication TargetApplication.type=Generic
Parameters
TargetApplication.ID
The unique ID for the target application to be changed.
TargetServer.ID
The updated value for the ID of the target server on which the target application is hosted.
TargetApplication.name
The updated value for the name of the target application.
TargetApplication.type
The updated value for the target application connector name. Valid values depend upon which target
connectors are installed on your system. If this parameter is not included, the target application type
is preserved.
PasswordPolicy.name
The updated value for the name of the password policy that is applied to all accounts associated
with this application.
PasswordPolicy.ID
The updated value for the ID of the password policy that is applied to all accounts associated with
this application.
Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.
If this parameter is not included, the value is preserved.
Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.
Attribute.enableAutoConnectTargetAccount
A boolean value to enable / disable autoConnectTargetAccount for an application instance.
updateTargetServer
Use the updateTargetServer command to change target server information.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateTargetServer
TargetServer.ID=17 TargetServer.hostName=myhostname2.mydomain.com Attribute.descriptor1="Lab"
Attribute.descriptor2="Vienna"
Parameters
TargetServer.ID
The unique ID for the target server to be changed.
TargetServer.hostName
The updated value for the host name of the target server.
TargetServer.deviceName
The updated value for the device name of the target server.
Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.
Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.
updateUser
Use the updateUser command to change Credential Manager user information.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateUser User.userID=demo
User.password=demo123$ User.authenticationType=CSPM User.status=ACTIVE
User.userGroupIDS=1,2 User.firstName=Demo User.lastName=User
Parameters
User.userID
The unique user name for the Credential Manager user to be changed.
User.password
The updated value for the user's password.
User.authenticationType
The updated value for authentication type of the user.
User.status
The updated value for the user account status.
User.userGroupIDS
The updated value for IDs of the User Groups to assign to this user.
User.userGroupNames
The updated value for names of the User Groups to assign to this user.
User.firstName
The updated value for the first name of the user.
User.lastName
The updated value for the last name of the user.
User.email
The updated value for the email address of the user.
User.viewType
Determines which GUI view this user has access to: administrative or general.
User.viewType
GK user ID
updateUserGroup
Use the updateUserGroup command to change information for a user group.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateUserGroup
UserGroup.ID=2 UserGroup.name=updatedUserGroupName
UserGroup.description="Updated user group description"
UserGroup.roleID=11 UserGroup.groups=3,4
Parameters
UserGroup.ID
The user group ID.
UserGroup.name
The user group name.
UserGroup.description
The description of the group.
UserGroup.roleID
The role identifier of this group.
UserGroup.groups
A comma delimited list of group IDs.
UserGroup.readOnly
The read only flag for the user group.
updateUserPassword
Use the updateUserPassword command to change the password of a Credential Manager user
account. A user may only use this command to update their own password when the account
authentication type is CSPM.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateUserPassword
User.password=t1ger@
Parameters
User.password
The new password.
updateUserStatus
Use the updateUserStatus command to change the status of a user account to either ACTIVE or
SUSPENDED. When the status is set to ACTIVE, the number of failed login attempts is reset to 0.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateUserStatus
userID=demo status=ACTIVE
Parameters
User.userID
The user name.
User.status
The new user status.
verifyAccountPassword
Use the verifyAccountPassword command to verify the account password of a synchronized user or
of all synchronized accounts in a target group (optionally excluding verified or non-verified accounts).
Example
cspmserver_admin cspmHostName=paHost adminUserID=admin cmdName=verifyAccountPassword
groupID=1234 TargetAccount.passwordVerified=false
Parameters
TargetAccount.ID
The target account's ID.
groupID
The target group's ID.
TargetAccount.passwordVerified
boolean
verifyDBHash
The verifyDBHash command verifies the hash value of most BaseModel objects stored in the database. Use the
verifyDBHash command to verify the data integrity of all Agents, Authorizations, RequestServers,
Scripts, TargetAccounts, TargetAliases, TargetApplications, and TargetServers within CPA.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=verifyDBHash
viewAccountPassword
Use the viewAccountPassword command to retrieve a target account password. This command can
be run on a secondary site if disaster recovery is enabled.
Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=viewAccountPassword
TargetAccount.ID=5
reason="Power outage reason" reasonDetails="Recover Tuesday am"
Parameters
TargetAccount.ID
The ID of the target account for which you are seeking the password.
adminUserID
Your Credential Manager user name.
adminPassword
Your Credential Manager user password.
reason
The reason you are requesting a password view.
reasonDetails
Detailed description of why you wish to view the password.
selectedComponent
Compound server ID.
ssoType
The SSO type implies that the password is used but not viewed, so the password change is controlled by
CPoV && AllowCpovOnSso.
PasswordViewRequest.requestPeriodStart
If the account's password view policy has dual authorization enabled, this parameter specifies the
start time of the password view request.
PasswordViewRequest.requestPeriodEnd
If the account's password view policy has dual authorization enabled, this parameter specifies the
end time of the password view request.
referenceCode
Reference Code.
Use the following table to determine what actions the user can perform when creating roles that
assign user permissions.
The following table provides you with recommended integration methods. The format of the XML
return data is described in Return Data (see page 242).
$CSPM_CLIENT_HOME/cspmclient/lib/cspmclient.jar
$CSPM_CLIENT_HOME/cspmclient/lib/cwjcafips.jar
$CSPM_CLIENT_HOME/cspmclient/lib/cwjssefips.jar
PATH (Windows)
LD_LIBRARY_PATH (UNIX)
The requesting application creates an instance of the CSPMClient class when it is required.
2. Set the path of the library folder containing CA Technologies native libraries:
For Windows, add the following Java option to the script that launches the Java
application:
-Djava.library.path=%CSPM_CLIENT_HOME%\cspmclient\lib
3. Set the path of the folder containing the client configuration file. For UNIX and Windows, set
the CSPM_CLIENT_HOME environment variable. This is the location of the client installation
directory.
UNIX example:
-Dcspm_client_config_file=$CSPM_CLIENT_HOME/config/cspm_client_config.xml
Windows example:
-Dcspm_client_config_file=%CSPM_CLIENT_HOME%\config\cspm_client_config.xml
4. If the CSPM_CLIENT_HOME value is not set, then for the Java CSPMClient class, use the
current option in the Java command-line option to specify the configuration file location
value. If no value is specified, use the default installation location values for
CSPM_CLIENT_HOME.
5. Modify your source code to call the CSPMClient class as in Integrate a Basic Java Application
(see page 245):
The following table lists the methods that are available from the (com.cloakware.cspm.client.CSPMClient) Java class.

| Method | Description |
| --- | --- |
| CSPMClient() | Constructor. Takes no parameters. |
| void retrieveCredentials(String targetAlias) | Retrieves the credentials (account name and password) for the given target alias. Takes one parameter: target alias of type java.lang.String. |
| void retrieveCredentials(String targetAlias, String bypassCacheFlag) | Retrieves the credentials (account name and password) for the given target alias. Takes the following parameters: target alias of type java.lang.String; bypass cache flag (either true or false). If the flag is set to true, the local cache is bypassed and the query goes directly to the Credential Manager Server. |
| String getUserId() | Returns the account name from the last retrieveCredentials call. |
| String getPassword() | Returns the password from the last retrieveCredentials call. |
| String getStatusCode() | Returns the statusCode of type String from the last retrieveCredentials call. |
| String getXMLData() | Gets the data from the last retrieveCredentials invocation. Specify –x to retrieve the output as an XML data string. |
Typically, you integrate an application using the A2A Client (cspmclient, cspmclient64,
cspmclient.exe or cspmclient64.exe) when the requestor is:
Written in C
Note:
b. Read standard output to get the return codes generated by the A2A Client. For code
definitions, see Return Data (see page 242).
cspmclient Constraints
The default return value is space-delimited. As a result, account names and passwords cannot
contain spaces.
The string null is reserved. Account names and passwords cannot be the string null.
cspmclient Usage
For UNIX or Linux, use one of the following commands:
| Parameter | Description |
|---|---|
| String targetAlias | Predefined target account alias, which is used to retrieve the account credentials (user name and password). |
| String bypassCacheFlag | Specifying true directs the A2A Client to bypass the local cache and retrieve account credentials directly from the Credential Manager Server. The default is false. |
| -b | Short form option for setting bypassCacheFlag to true. |
| -x | Specifies to return output as an XML data string. |
| Return Value | Description |
|---|---|
| Return Code | Contains an integer value. See Return Data (see page 242). |
| UserID | Contains the account name. If the attempt was unsuccessful, the account name is set to the string null. |
| Password | Contains the account password. If the attempt was unsuccessful, the password is set to the string null. |
| message | Contains the error messages text string. If the attempt was unsuccessful, the message text of the associated errors is returned. |
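The constraints and return values above call for a parser of the client's standard output that fails closed. The following is an added example, not CA code: it assumes the fields arrive on one line in the order the return-value table lists them (return code, user ID, password, then message text), and the sample lines are constructed.

```python
"""Fail-closed parser for the space-delimited output of an A2A Client call.

Added example, not vendor code. Assumed field order on one line:
return code, user ID, password, then message text (only on failure).
"""
from dataclasses import dataclass, field

RESERVED = "null"  # the documentation reserves this string for "no value"


class CredentialError(Exception):
    """The client reported a failure, or its output cannot be trusted."""


@dataclass(frozen=True)
class Credential:
    return_code: int
    user_id: str
    password: str = field(repr=False)  # keeps the secret out of repr() and logs


def parse_cspmclient_output(line: str) -> Credential:
    """Turn one output line into a Credential or raise CredentialError.

    Error messages never echo the raw line, because it may hold a password.
    """
    tokens = line.split()
    if len(tokens) < 3:
        raise CredentialError("short output: expected code, user ID and password")
    code_text, user_id, password, *rest = tokens
    try:
        return_code = int(code_text)
    except ValueError:
        raise CredentialError("return code is not an integer") from None

    if user_id == RESERVED or password == RESERVED:
        # Failure: both values are the reserved string and the remaining
        # tokens are the error message text.
        message = " ".join(rest) or "no message text"
        raise CredentialError(f"retrieval failed (code {return_code}): {message}")

    if rest:
        # A successful line has exactly three fields. Extra tokens mean a
        # value contained a space, which the delimiter cannot represent, so
        # refuse to guess where the password starts or ends.
        raise CredentialError(
            f"ambiguous output (code {return_code}): "
            f"{len(tokens)} fields, expected 3"
        )
    return Credential(return_code, user_id, password)


if __name__ == "__main__":
    # Constructed sample lines; the code values are illustrative only.
    for sample in ("400 TestUser S3cr3t", "405 null null Unauthorized request"):
        try:
            print(parse_cspmclient_output(sample))
        except CredentialError as exc:
            print("error:", exc)
```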
Both Credential Manager DLLs are COM components. These DLLs allow linking to Windows
applications and Windows client scripts that support COM DLLs. The application or script should
create a new instance of the COM component when it is required.
The Windows DLLs are thread-safe if they are not used as a singleton.
1. Import the Type Library file (TLB) by adding the following statements in your code:
The #import directive incorporates the information from the type library. The content of
the type library is converted into C++ classes to allow you to create the COM component. The
named_guids argument creates the CLSID and IID to use in CoCreateInstance.
3. Call the retrieveCredentials method to retrieve the credentials for a given class. The
following call is an example:
DLL Methods
The following methods are available from the Credential Manager MFC DLL and the Credential
Manager ATL DLL.
| Method | Description |
|---|---|
| long retrieveCredentials( String targetAlias, String bypassCacheFlag, String xmlOutput ) | Retrieves the credentials (account name and password) for the given target alias. Returns the statusCode of the getCredentials call. |
DLL Constraints
Both Credential Manager Windows DLLs are only available for Windows platforms.
  <xs:element name="credential">
    <xs:complexType>
      <xs:all>
        <xs:element name="TargetAlias" type="xs:string"/>
        <xs:element name="TargetAccount" type="xs:string"/>
        <xs:element name="TargetApplication" type="xs:string"/>
        <xs:element name="TargetServer" type="xs:string"/>
      </xs:all>
    </xs:complexType>
  </xs:element>
  <xs:element name="requestresult">
    <xs:complexType>
      <xs:all>
        <xs:element name="errorcode" type="xs:string"/>
        <xs:element name="errormessage" type="xs:string"/>
        <xs:element name="credential"/>
      </xs:all>
    </xs:complexType>
  </xs:element>
  <xs:element name="TargetAlias"/>
  <xs:element name="TargetAccount"/>
  <xs:element name="TargetApplication"/>
  <xs:element name="TargetServer"/>
</xs:schema>
Note:
When you use target connectors, there might be extra extended attributes that are defined
within the target connector. The extended attributes are also returned in the XML return
string. The schema that is used for these additional elements is defined in the configuration
file for the specific target connector.
      <type>Generic</type>
      <name>testapp</name>
      <policyID>0</policyID>
    </TargetApplication>
    <TargetServer>
      <Attribute.descriptor2 />
      <Attribute.descriptor1 />
      <ID>1</ID>
      <createDate>Thu Jun 07 12:14:26 EDT 2007</createDate>
      <updateDate>Thu Jun 07 12:14:26 EDT 2007</updateDate>
      <createUser>admin</createUser>
      <updateUser>admin</updateUser>
      <hash>Od4/9xliVS+1yefQOGbe8BdbxVk=</hash>
      <hostName>testtest</hostName>
      <ipAddress />
    </TargetServer>
  </credential>
</requestresult>
If you installed an A2A Client on UNIX, soft copies of these files are located in the
$CSPM_CLIENT_HOME/cloakware/cspmclient/examples directory. Other A2A Client
installations do not include soft copies of these files.
Example.java Code
/*
 * An example class to demonstrate calling the CSPMClient class.
 *
 * Note:
 *
 * You will need to ensure that the library path to the cspm library directory
 * is set by one of the following methods:
 *
 * a. Adding /opt/cloakware/cspmclient/lib to LD_LIBRARY_PATH, or
 *
 * b. Passing the following option on the java command line:
 *    -Djava.library.path=/opt/cloakware/cspmclient/lib
 */
import com.cloakware.cspm.client.CSPMClient;

public class Example {

    // Status code treated as success. The Return Data table is not part of
    // this excerpt; 400 is assumed here and must be confirmed against it.
    private static final String SUCCESS_STATUS = "400";

    /**
     * Main entry point.
     *
     * @param args args[0]: String target alias.
     *             args[1]: bypass cache flag. If set to
     *               "true", the cspm client will call the cspm server system;
     *               "false", the cspm client will first search the local cache.
     *             args[2]: xmlOption (optional). If set to "-x", gives the XML data.
     *
     * Exits with 0 if successful, 100 if an exception occurred, otherwise the
     * documented error codes for the CSPMClient class.
     */
    public static void main(String[] args) {
        try {
            // check the arguments: two are mandatory, the third is optional
            if (args.length < 2) {
                System.out.println("Missing CLI arguments");
                // POSIX shells see only the low 8 bits of an exit status,
                // so 256 is reported to the caller as 0.
                System.exit(256);
            }

            // initialize
            String targetAlias = args[0];
            String bypassCache = args[1];
            CSPMClient testInterface = new CSPMClient();

            if (args.length > 2) {
                String xmlOption = args[2];
                testInterface.retrieveCredentials(targetAlias, bypassCache, xmlOption);
            } else {
                testInterface.retrieveCredentials(targetAlias, bypassCache);
            }

            // The lines that print the result are missing from this excerpt;
            // only the status is reported here.
            String statusCode = testInterface.getStatusCode();
            if (SUCCESS_STATUS.equals(statusCode)) {
                System.out.println("SUCCESS");
                System.exit(0);
            } else {
                System.out.println("FAILED");
                System.exit(Integer.parseInt(statusCode));
            }
        } catch (Exception e) {
            e.printStackTrace();
            System.exit(100);
        }
    }
}
Run_example Code
The Run_example shell script calls Example.class. When executing the Java call, the -D option
sets system property values that are used by the executing program as follows:
-Djava.library.path. This option sets the Java library path; that is, the location of the
$CSPM_CLIENT_HOME/cspmclient/lib directory. This option can also be set with the
environment variable LD_LIBRARY_PATH (LIBPATH on AIX).
-Dcspm_client_config_file. This option specifies the client configuration file directory. Use this option
if the configuration file is in a non-standard location (that is, not in /opt).
#!/bin/sh
# This is an EXAMPLE script making use of Example.class in the same directory.
#
# Both Run_example CLI arguments are MANDATORY!

# Validate the command line parameters
if [ "$#" -ne 2 ]
then
    echo " "
    echo " syntax: $0 target_alias bypass_cache"
    echo
    exit 1
fi

# Set up global variables
CLASS_NAME=Example
CONFIG_FILE=/opt/cloakware/cspmclient/config/cspm_client_config.xml
JAVA_BINDIR=/opt/cloakware/cspmclient_thirdparty/java/bin
LIB=/opt/cloakware/cspmclient/lib
LOCAL_DIR=`pwd`
CLASS_PATH=/opt/cloakware/cspmclient/lib/cspmclient.jar:$LOCAL_DIR

# Execute the Java class. Every expansion is quoted so that the alias and the
# flag reach the JVM as single, unsplit arguments.
"$JAVA_BINDIR/java" -classpath "$CLASS_PATH" -Djava.library.path="$LIB" \
    -Dcspm_client_config_file="$CONFIG_FILE" "$CLASS_NAME" "$1" "$2"
/**
* A sample java class to connect to a database.
*/
import java.sql.*;
import com.cloakware.cspm.client.CSPMClient;
try {
Class.forName(DRIVER_CLASS);
connection = DriverManager.getConnection( URL
, cspmClient.getUserId()
, cspmClient.getPassword() );
} catch ( ClassNotFoundException ce ) {
// ....
} catch ( SQLException e ) {
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension. For example, Run_example.
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
When entering the file and execution paths, specify the absolute paths without links.
This content provides a description of how to use the JDBC wrapper in a standalone Java application
using the provided example application code as a model. The pattern for the connection URL is
cspm:<URL>;CSPMDriver=<target_driver>;CSPMAlias=<alias> where:
<alias> represents the target alias representing the credentials to use when connecting
In the provided example, the connection URL, which shows a connection to a MySQL database cspm
on host milocspm.cloakware.com using the MySQL driver and alias jdbcdemo, is:
Cspm:jdbc:mysql://milocspm.cloakware.com:3306/cspm;CSPMDriver=com.mysql.jdbc.Driver;CSPMAlias=jdbcdemo
To compile the application, you need the cspmclient.jar and cloakwareJdbc.jar files that
are included with the client.
To execute the application, you need the previously mentioned JAR files and the vendor-specific JDBC
driver JAR file, which in this case is mysql-connector-java-5.1.8-bin.jar because the connection is to a
MySQL database.
When executing the application, identify the location of the client configuration file,
cspm_client_config.xml, and the directory where the native code libraries reside by specifying the
following JVM options respectively:
-Dcspm_client_config_file=<path>/cspm_client_config.xml
-Djava.library.path=<path>/cloakware/cspmclient/lib
Application Code
package com.cloakware.ps.jdbcdemo;
import java.sql.*;
public JdbcDemoApp() {
try {
runDemo();
} catch ( Exception ex ) {
ex.printStackTrace();
} finally {
try {
if ( m_connection != null )
m_connection.close();
} catch ( SQLException ex ) {
}
try {
System.out.println( "executing query" );
Statement st = m_connection.createStatement();
ResultSet rs = st.executeQuery( QUERY );
while ( rs.next() ) {
System.out.println( "result= " + rs.getInt( 1 ) );
}
} catch ( SQLException ex ) {
ex.printStackTrace();
}
new JdbcDemoApp();
This example uses a credential viewer and an HSQLDB data store to show the following functionality:
The credential viewer shows you how to view credentials that are stored in the Credential
Manager server using the CSPMClient Java class. Use this example for simple integration and to
test the ability to connect to Credential Manager and retrieve credentials. The example displays
the credentials to the screen.
The HSQLDB data store shows you how to configure a data store using the Credential Manager
JdbcDriver Java class to retrieve credentials and connect to an HSQLDB data store. The example
retrieves credentials and uses them to access a data store.
This example is available on all A2A Client installations in the following directories, for:
UNIX:
$CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/JBoss_Sample
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/JBoss_Sample
| File | Description |
|---|---|
| ClassFactory.java | Class factory that is used to create the objects that are used in the example web application. The class allows you to create the CSPMClient class and to perform a lookup in the Initial Context to retrieve the data source that is used to get a connection to the database. |
| CredentialsViewer.java | Servlet class that is used to connect to the Credential Manager server to retrieve credentials. |
| ConnectionTester.java | Servlet class that is used to create 10 connections to a database and execute a basic SQL statement. The class retrieves the DataSource class using the ClassFactory class. |
| cspm_connect_hsql_org-ds.xml | Configuration file showing how to configure a data source using the HSQLDB driver. |
| cspm_connect_hsql-ds.xml | Configuration file showing how to configure a data source using the Credential Manager JdbcDriver. The target driver is HSQLDB. |
1. Configure the development environment. See Configure your Development Environment for
JBoss (see page ).
2. Optionally, integrate the A2A Client to retrieve credentials. See JBoss Credential Viewer (see
page 255).
3. Create or modify the data source file. See JBoss Connection Pool with HSQLDB Data Store (see
page 257).
The example contains an Apache ANT build file that is located in the build directory that you can use
to create the WAR file and to deploy it. The build file is compatible with ANT 1.6.5 and above.
Use the following procedure to configure your environment for JBoss development.
6. Set the HSQL_HOME environment variable to the path where you installed HSQL (for
example, opt/tools/hsqldb).
Use the following procedure to configure your environment for A2A Client integration with JBoss.
UNIX:
-Djava.library.path=$CSPM_CLIENT_HOME/lib
-Dcspm_client_config_file=$CSPM_CLIENT_HOME/config/cspm_client_config.xml
Windows:
-Djava.library.path=%CSPM_CLIENT_HOME%\lib
-Dcspm_client_config_file=%CSPM_CLIENT_HOME%\config\cspm_client_config.xml
2. Copy the cloakwareJdbc.jar file that is located in the A2A Client tools directory to
the JBoss default deployment directory:
UNIX:
Source: $CSPM_CLIENT_HOME/cspmclient/tools
Destination: $JBOSS_HOME/server/default/lib
Windows:
Source: %CSPM_CLIENT_HOME%/cspmclient/tools
Destination: %JBOSS_HOME%/server/default/lib
3. Copy the cspmclient.jar file that is located in the A2A Client lib folder to the JBoss
default deployment lib folder.
Note: Perform Step 2 and Step 3 using the ANT build file that is located in the following
directories:
UNIX: $CSPM_CLIENT_HOME/examples/java/JBoss_Sample/build
Windows: %CSPM_CLIENT_HOME%/examples/java/JBoss_Sample/build
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/JBoss_Sample/build
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/JBoss_Sample/build
7. Display the credential viewer web application by loading the following page:
http://localhost:8080/cspmJBossSample.
Class File
package com.cloakware.cspm.sample.web;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.cloakware.jdbc.StatusCodeMapping;
import com.cloakware.cspm.client.CSPMClient;
import com.cloakware.cspm.sample.ClassFactory;
/**
* This servlet class is used to retrieve credentials using the
* CSPMClient class.<br>
* <br>
* The user enters a CSPMAlias Name and the servlet displays the information
* returned by the CSPMClient class. <br>
* <br>
* Since the CSPMClient class only returns a status code, the base class
* provides a class to convert the status code to a more meaningful sentence.
*/
/**
* The doGet method of the servlet. <br>
*
* This method is called when a form's method attribute is set to get.
* The method retrieves the alias name and the value of the checkbox
* indicating if the CSPMClient cache needs to be bypassed. It then calls
* the retrieveCredentials method of the CSPMClient class and displays the
* results. An error message is displayed if the alias name is missing.
*
* @param request the request sent by the client to the server
* @param response the response sent by the server to the client
* @throws ServletException if an error occurred
* @throws IOException if an error occurred
*/
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// if we have an alias
if (alias != null && !"".equals(alias)) {
// Class used to retrieve the credential.
To integrate the A2A Client to your application, change the JDBC driver that is used by the data
source. The Credential Manager JDBC driver acts as a proxy JDBC driver serving any JDBC URL that is
recognized as a Credential Manager JDBC URL. In the data source configuration, provide information
regarding the targeted driver and the alias to use in the special Credential Manager style JDBC URL.
The Credential Manager style JDBC URL format is:
cspm:[url];CSPMDriver=target.driver;CSPMAlias=alias
Follow the prefix with the normal JDBC URL, omitting any user/password specification; for
example, jdbc:hsqldb:hsql://localhost:9001/cspm1.
Set the URL to contain the CSPMDriver that indicates an explicit JDBC driver to use.
Assign the CSPMAlias, which is the alias for the database user in the Credential Manager
server, to the URL.
To use the Credential Manager JDBC driver, you need to modify attributes in the configuration file.
This low-level driver management for connection acquisition means that all new connections
obtained for a user whose database password has been changed (by the Credential Manager server)
are made using the new password. This action occurs automatically without any knowledge or
intervention by any owning data source.
While new connections are obtained using the new password, old connections that were obtained
using an old password can linger in the data source pool. Also, if the Credential Manager alias is
changed to a new user, then a connection pool has (at least temporarily) a mixture of connections for
different actual database users.
Such connection management by the CA Technologies driver ensures that database password
changes are transparent to the activities of the data source.
The XML file that is used in the example is located in one of the following locations:
UNIX: $CSPM_CLIENT_HOME/cspmclient/examples/java/JBoss_Sample/main/resources/datasources
Windows: %CSPM_CLIENT_HOME%/cspmclient/examples/java/JBoss_Sample/main/resources/datasources
Data Source
<?xml version="1.0" encoding="UTF-8"?>
<!-- The Hypersonic embedded database JCA connection factory config -->
<datasources>
<local-tx-datasource>
<!-- The jndi name of the DataSource, it is prefixed with java:/ -->
<jndi-name>jdbc/CSPMSampleDS</jndi-name>
<connection-url>
cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;
CSPMAlias=hsql;CSPMDriver=org.hsqldb.jdbcDriver
</connection-url>
<track-statements />
<prepared-statement-cache-size>32</prepared-statement-cache-size>
</local-tx-datasource>
</datasources>
Parameter Description
Script Name com.cloakware.cspm.sample.web.CredentialsViewer
Execution Path C:\jboss-4.2.2.GA\bin
Type Java
Parameter Description
Script Name com.cloakware.client.jdbc.JdbcDriver
Execution Path C:\jboss-4.2.2.GA\bin
Type Java
Parameter Description
Application Name HSQLDB Server
Application Type HSQL
DB Port 9001
Parameter Description
Application HSQLDB Server
Account Name sa
Password admin
Database Name cspm1
Parameter Description
Application HSQLDB Server
Account Name TestUser
Password Test
Database Name cspm1
A2A Account selected
Change Process Select:
Parameter Description
Targets Alias Name hsql
Application HSQLDB Server
Account TestUser
Parameter Description
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/ApacheTomcat/build
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/ApacheTomcat/build
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/ApacheTomcat/build
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/ApacheTomcat/build
Deploy and Run the Sample Tomcat Application (see page 265)
Apache Tomcat Credential Viewer (see page 265)
Apache Tomcat Connection Pool with HSQLDB Data Store (see page 268)
Register Apache Tomcat Requestor (see page 269)
This example uses a credential viewer and an HSQLDB data store to show the following functionality:
The credential viewer shows you how to view credentials that are stored in the Credential
Manager server using the CSPMClient Java class. Use this example for simple integration and to
test the ability to connect to Credential Manager and retrieve credentials. The example displays
the credentials to the screen.
The HSQLDB data store shows you how to configure a data store using the Credential Manager
JdbcDriver Java class to retrieve credentials and connect to an HSQLDB data store. The example
retrieves credentials and uses them to access a data store.
This example is available on all A2A Client installations in one of the following directories:
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/Tomcat_Sample
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/Tomcat_Sample
| File | Description |
|---|---|
| ClassFactory.java | Class factory that is used to create the objects that are used in the example web application. The class allows you to create the CSPMClient class and to perform a lookup in the Initial Context to retrieve the data source that is used to get a connection to the database. |
| CredentialsViewer.java | Servlet class that is used to connect to the Credential Manager server to retrieve credentials. |
| ConnectionTester.java | Servlet class that is used to create 10 connections to a database and execute a basic SQL statement. The class retrieves the DataSource class using the ClassFactory class. |
| context.xml | Configuration file showing you how to configure a database resource using the HSQLDB driver and a second resource using the Credential Manager JdbcDriver Java class. |
1. Configure your development environment. See Configure your Development Environment for
Apache Tomcat (see page ).
2. Optionally, integrate the A2A Client to retrieve credentials. See Apache Tomcat Credential
Viewer (see page 265).
3. Create or modify the context file. See Apache Tomcat Connection Pool with HSQLDB Data
Store (see page 268).
4. Register the requestor. See Register Apache Tomcat Requestor (see page 269).
The example contains an Apache ANT build file that is located in the build directory that you can use
to create the WAR file and to deploy it. The build file is compatible with ANT 1.6.5 and above.
Use the following procedure to configure your environment for Apache Tomcat development.
5. Set the HSQL_HOME environment variable to the path where you installed HSQL (for
example, opt/tools/hsqldb).
Use the following procedure to configure your environment for A2A Client integration with Apache
Tomcat.
1. Copy the cspmclient.jar file that is located in the A2A Client lib directory to the
Apache Tomcat Common Lib directory:
UNIX:
Source: $CSPM_CLIENT_HOME/cloakware/cspmclient/lib
Destination: $APACHE TOMCAT_HOME/common/lib
Windows:
Source: %CSPM_CLIENT_HOME%/cloakware/cspmclient/lib
Destination: %APACHE TOMCAT_HOME%/common/lib
2. Copy the cloakwareJdbc.jar file that is located in the A2A Client tools directory to
the Apache Tomcat Common Lib directory:
UNIX:
Source: $CSPM_CLIENT_HOME/cspmclient/tools
Destination: $APACHE TOMCAT_HOME/common/lib
Windows:
Source: %CSPM_CLIENT_HOME%/cspmclient/tools
Destination: %APACHE TOMCAT_HOME%/common/lib
Note: Perform Steps 1 and using the ANT build file that is located in the following
directories:
UNIX: $CSPM_CLIENT_HOME/examples/java/Tomcat_Sample/build
Windows: %CSPM_CLIENT_HOME%/examples/java/Tomcat_Sample/build
UNIX:
-Djava.library.path=$CSPM_CLIENT_HOME/lib
-Dcspm_client_config_file=$CSPM_CLIENT_HOME/config/cspm_client_config.xml
Windows:
-Djava.library.path=%CSPM_CLIENT_HOME%\lib
-Dcspm_client_config_file=%CSPM_CLIENT_HOME%\config\cspm_client_config.xml
Substitute CSPM_CLIENT_HOME with the install directory of the client (for example, c:\cloakware\cspmclient).
Note: Perform Step 2 and Step 3 using the ANT build file that is located in the
following directories:
UNIX: $CSPM_CLIENT_HOME/examples/java/Tomcat_Sample/build
Windows: %CSPM_CLIENT_HOME%/examples/java/Tomcat_Sample/build
2. With a text editor (such as Notepad or Vim), edit the build.properties file that is located in the
following directories:
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/Tomcat_Sample/build
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/Tomcat_Sample/build
3. Change the value of the dir.server property (for example, to C:/Program Files/Apache Software Foundation/Tomcat 5.5) and save the file.
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/Tomcat_Sample/build
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/Tomcat_Sample/build
Class File
package com.cloakware.cspm.sample.web;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.cloakware.jdbc.StatusCodeMapping;
import com.cloakware.cspm.client.CSPMClient;
import com.cloakware.cspm.sample.ClassFactory;
/**
* This servlet class is used to retrieve credentials using the
* CSPMClient class.<br>
* <br>
* The user enters a CSPMAlias Name and the servlet displays the information
* returned by the CSPMClient class. <br>
* <br>
* Since the CSPMClient class only returns a status code, the base class
* provides a class to convert the status code to a more meaningful sentence.
*/
public class CredentialsViewer extends HttpServlet {
/* Attribute names */
private final String ERROR_MSG = "errorMsg";
/**
* The doGet method of the servlet. <br>
*
* This method is called when a form's method attribute is set to get.
* The method retrieves the alias name and the value of the checkbox
* indicating if the CSPMClient cache needs to be bypassed. It then calls
* the retrieveCredentials method of the CSPMClient class and displays the
* results. An error message is displayed if the alias name is missing.
*
* @param request the request sent by the client to the server
* @param response the response sent by the server to the client
* @throws ServletException if an error occurred
* @throws IOException if an error occurred
*/
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// if we have an alias
if (alias != null && !"".equals(alias)) {
// Class used to retrieve the credential.
CSPMClient cspmClient = ClassFactory.getCSPMClient();
.getRequestDispatcher(TARGET_JSP);
To integrate the A2A Client with your application, change the JDBC driver that is used by the data
source. The Credential Manager JDBC driver acts as a proxy JDBC driver serving any JDBC URL that is
recognized as a Credential Manager JDBC URL. In the data source configuration, provide information
regarding the targeted driver and the alias to use in the special Credential Manager style JDBC URL.
The Credential Manager style JDBC URL format is:
cspm:[url];CSPMDriver=target.driver;CSPMAlias=alias
Follow the prefix by the normal JDBC URL, omitting any user/password specification; for example,
jdbc:hsqldb:hsql://localhost:9001/cspm1.
Set the URL to contain the CSPMDriver that indicates an explicit JDBC driver to use.
Assign the CSPMAlias, which is the alias for the database user in the Credential Manager
server, to the URL.
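A configuration check for the Credential Manager style JDBC URL described in the JBoss and Apache Tomcat data source sections above, as an added example that is not CA code. It assumes a JBoss-style *-ds.xml layout; the function names are hypothetical, the first sample data source is the one shown earlier on this page, and the second is constructed.

```python
"""Audit data source files for Credential Manager style JDBC URLs.

Added example, not vendor code. URL format taken from the page:
    cspm:[url];CSPMDriver=target.driver;CSPMAlias=alias
"""
import re
import xml.etree.ElementTree as ET

# Signs of a user/password specification inside the wrapped JDBC URL:
# user:password@host userinfo, or user=/password= style parameters.
_USERINFO = re.compile(r"//[^/@\s]+:[^/@\s]*@")
_CRED_PARAM = re.compile(r"[?;&](?:user(?:name)?|password|pwd)=", re.IGNORECASE)


def parse_cspm_url(raw):
    """Split a cspm: URL into wrapped URL, driver and alias; None if not cspm:.

    The prefix is matched case-insensitively and the two options are accepted
    in either order. Both are leniencies of this checker, not statements
    about what the driver itself accepts.
    """
    text = "".join(raw.split())  # config files wrap the URL across lines
    if not text.lower().startswith("cspm:"):
        return None
    target_parts, options = [], {}
    for part in text[len("cspm:"):].split(";"):
        key, sep, value = part.partition("=")
        if sep and key in ("CSPMDriver", "CSPMAlias"):
            options[key] = value
        elif part:
            target_parts.append(part)  # the target URL may use ';' itself
    return {
        "url": ";".join(target_parts),
        "driver": options.get("CSPMDriver"),
        "alias": options.get("CSPMAlias"),
    }


def audit_connection_url(raw):
    """Return a list of findings for one connection URL (empty means clean)."""
    parsed = parse_cspm_url(raw)
    if parsed is None:
        return ["not a Credential Manager style URL"]
    findings = []
    if not parsed["driver"]:
        findings.append("CSPMDriver is missing")
    if not parsed["alias"]:
        findings.append("CSPMAlias is missing")
    if not parsed["url"].startswith("jdbc:"):
        findings.append("wrapped URL does not start with jdbc:")
    if _USERINFO.search(parsed["url"]) or _CRED_PARAM.search(parsed["url"]):
        findings.append("wrapped URL carries a user/password specification")
    return findings


def audit_datasource_xml(xml_text):
    """Return {jndi-name: findings} for every data source in the file."""
    report = {}
    for ds in ET.fromstring(xml_text.strip()):
        name = (ds.findtext("jndi-name") or "?").strip()
        findings = audit_connection_url(ds.findtext("connection-url") or "")
        # A user name or password stored in the file is what the alias
        # lookup is meant to replace (JBoss *-ds.xml element names).
        for tag in ("user-name", "password"):
            if (ds.findtext(tag) or "").strip():
                findings.append(f"<{tag}> is set in the file")
        report[name] = findings
    return report


# First entry: the data source from this page. Second entry: constructed.
SAMPLE_DS = """
<datasources>
  <local-tx-datasource>
    <jndi-name>jdbc/CSPMSampleDS</jndi-name>
    <connection-url>
      cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;
      CSPMAlias=hsql;CSPMDriver=org.hsqldb.jdbcDriver
    </connection-url>
  </local-tx-datasource>
  <local-tx-datasource>
    <jndi-name>jdbc/LegacyDS</jndi-name>
    <connection-url>jdbc:hsqldb:hsql://localhost:9001/cspm1</connection-url>
    <user-name>sa</user-name>
    <password>admin</password>
  </local-tx-datasource>
</datasources>
"""

if __name__ == "__main__":
    for name, findings in audit_datasource_xml(SAMPLE_DS).items():
        print(name, "->", findings or "ok")
```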
Use the following procedure to modify attributes in the configuration file to use the Credential
Manager JDBC driver.
This low-level driver management for connection acquisition means that all new connections
obtained for a user whose database password has been changed (by the Credential Manager server)
are made using the new password. This action occurs automatically without any knowledge or
intervention by any owning data source.
While new connections are obtained using the new password, old connections that were obtained
using an old password might linger in the data source pool. Also, if the CA Technologies alias is
changed to a new user, then a connection pool has (at least temporarily) a mixture of connections for
different actual database users.
Such connection management by the CA Technologies driver ensures that database password
changes are transparent to the activities of the data source.
The XML file that is used in the example is located in the following locations:
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/Tomcat_Sample/main/resources/META-INF
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/Tomcat_Sample/main/resources/META-INF
Data Source
<Context docBase="SampleDataSources">
Parameter Description
Script Name com.cloakware.cspm.sample.web.CredentialsViewer
Execution Path C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin
Type Java
Parameter Description
Script Name com.cloakware.client.jdbc.JdbcDriver
Execution Path C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin
Type Java
HSQLDB is an SQL relational database engine that is written in Java. It is used in the example as the
database server. See also:
Register Mapping between Request Server and Target Alias (see page )
This example uses a credential viewer and an HSQLDB data store to show the following:
The credential viewer shows you how to view credentials stored in the Credential Manager server
using the CSPMClient Java class. Use this example for simple integration and to test the ability to
connect to Credential Manager and retrieve credentials. The example displays the credentials to
the screen.
The HSQLDB data store shows you how to configure a data store using the Credential Manager
JdbcDriver Java class to retrieve credentials and connect to an HSQLDB data store. The example
retrieves credentials and uses them to access a data store.
This example is available on all A2A Client installations, in the following directories, for:
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/WebLogic_Sample
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/WebLogic_Sample
File Description
ClassFactory.java  Class factory used to create the objects used in the example Web application. The class allows you to create the CSPMClient class and to perform a lookup in the Initial Context to retrieve the data source used to get a connection to the database.
CredentialsViewer.java  Servlet class used to connect to the Credential Manager server to retrieve credentials.
ConnectionTester.java  Servlet class used to create 10 connections to a database and execute a basic SQL statement. The class retrieves the DataSource class using the ClassFactory class.
2. Optionally, integrate the A2A Client to retrieve credentials. See WebLogic Credential Viewer
(see page 273).
3. Create or modify the data source file. See WebLogic Connection Pool with HSQLDB Data Store
(see page 276).
4. Register the requestor. See Register WebLogic Requestor (see page 279).
The example contains an Apache ANT build file located in the build directory that you can use to
create the WAR file and to deploy it. The build file is compatible with ANT 1.6.5 and above.
Use the following procedure to configure your environment for WebLogic development.
2. With the WebLogic Configuration Wizard application, create a domain called cspmSample
using the default settings. Consult the WebLogic documentation for further assistance.
6. Set the HSQL_HOME environment variable to the path where you installed HSQL (for
example, opt/tools/hsqldb).
Use the following process to configure your environment for A2A Client integration with WebLogic.
UNIX:
-Djava.library.path=$CSPM_CLIENT_HOME/lib
-Dcspm_client_config_file=$CSPM_CLIENT_HOME/config/cspm_client_config.xml
Windows:
-Djava.library.path=%CSPM_CLIENT_HOME%\lib
-Dcspm_client_config_file=%CSPM_CLIENT_HOME%\config\cspm_client_config.xml
2. Copy the cspmclient.jar file located in the A2A Client lib directory to the lib
directory for your WebLogic domain:
UNIX:
Source: $CSPM_CLIENT_HOME/cloakware/cspmclient/lib
Destination: $WEBLOGIC_HOME/user_projects/domains/$YOUR_DOMAIN/lib
Windows:
Source: %CSPM_CLIENT_HOME%/cloakware/cspmclient/lib
Destination: %WEBLOGIC_HOME%/user_projects/domains/%YOUR_DOMAIN%/lib
3. Copy the cloakwareJdbc.jar file located in the A2A Client tools directory to the
WebLogic home directory:
UNIX:
Source: $CSPM_CLIENT_HOME/cspmclient/tools
Destination: $WEBLOGIC_HOME/user_projects/domains/$YOUR_DOMAIN/lib
Windows:
Source: %CSPM_CLIENT_HOME%/cspmclient/tools
Destination: %WEBLOGIC_HOME%/user_projects/domains/%YOUR_DOMAIN%/lib
Step 1 and Step 2 are performed by the ANT build file located in the following directories:
UNIX: $CSPM_CLIENT_HOME/examples/java/WebLogic_Sample/build
Windows: %CSPM_CLIENT_HOME%/examples/java/WebLogic_Sample/build
1. Make sure WebLogic is running and using the domain you created in Configure your
Development Environment for WebLogic (see page 271).
2. With a text editor (such as NotePad or Vim), edit the build.properties file located in
the following locations:
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/WebLogic_Sample/build
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/WebLogic_Sample/build
3. Change the value of the following properties and save the file:
dir.bea. Points to the location where Bea WebLogic Server 10.0 is installed (for example,
C:/bea)
weblogic.domain. WebLogic domain to use for the deployment. This should match the
cspmSample domain name you created in Configure your Development Environment for
WebLogic (see page 271).
weblogic.server. Name of the server instance to use for the deployment (for example,
AdminServer)
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/WebLogic_Sample/build
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/WebLogic_Sample/build
Class File
package com.cloakware.cspm.sample.web;

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.cloakware.jdbc.StatusCodeMapping;
import com.cloakware.cspm.client.CSPMClient;
import com.cloakware.cspm.sample.ClassFactory;

/**
 * This servlet class is used to retrieve credentials using the
 * CSPMClient class.<br>
 * <br>
 * The user enters a CSPMAlias Name and the servlet displays the information
 * returned by the CSPMClient class. <br>
 * <br>
 * Since the CSPMClient class only returns a status code, the base class
 * provides a class to convert the status code to a more meaningful sentence.
 */
public class CredentialsViewer extends HttpServlet {
    /* Attribute names */
    private final String ERROR_MSG = "errorMsg";
    /* Error message */
    private final String MSG_ALIAS_EMPTY = "Alias cannot be empty";
    /* Response page */
    private final String TARGET_JSP = "/index.jsp";

    /**
     * Constructor of the object.
     */
    public CredentialsViewer() {
        super();
    }
    /**
     * Destruction of the servlet. <br>
     */
    public void destroy() {
        // Just puts "destroy" string in log
        super.destroy();
    }

    /**
     * The doGet method of the servlet. <br>
     *
     * This method is called when a form has its tag value method equals to get.
     * The method retrieves the alias name and the value of the checkbox
     * indicating if the CSPMClient cache needs to be bypassed. It then calls
     * the retrieveCredentials method of the CSPMClient class and displays the
     * results. <br>
     * <br>
     * An error message is displayed if the alias name is missing.
     *
     * @param request
     *            the request sent by the client to the server
     * @param response
     *            the response sent by the server to the client
     * @throws ServletException
     *             if an error occurred
     * @throws IOException
     *             if an error occurred
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // if we have an alias
        if (alias != null && !"".equals(alias)) {
            // Class used to retrieve the credential.
            CSPMClient cspmClient = ClassFactory.getCSPMClient();
            request.setAttribute(RETURN_CODE, cspmClient.getStatusCode());
            String statusMsg = StatusCodeMapping
                    .getStatusText(cspmClient);
            request.setAttribute(RETURN_MSG, statusMsg);
            request.setAttribute(USERNAME, cspmClient.getUserId());
            request.setAttribute(PASSWORD, cspmClient.getPassword());
        } else {
            // return an error message.
            request.setAttribute(ERROR_MSG, MSG_ALIAS_EMPTY);
            request.removeAttribute(RETURN_CODE);
        }
To integrate the A2A Client to your application, change the JDBC driver used by the data source. The
Credential Manager JDBC driver acts as a proxy JDBC driver serving any JDBC URL that is recognized
as a Credential Manager JDBC URL. In the data source configuration you need to provide
information regarding the targeted driver and the alias to use in the special Credential Manager style
JDBC URL. The Credential Manager style JDBC URL format is:
cspm:[url];CSPMDriver=target.driver;CSPMAlias=alias
Follow the prefix by the normal JDBC URL, omitting any user/password specification; for example,
jdbc:hsqldb:hsql://localhost:9001/cspm1.
Set the URL to contain the CSPMDriver that indicates an explicit JDBC driver to use.
Assign the CSPMAlias, which is the alias for the database user in the Credential Manager server,
to the URL.
This low-level driver management for connection acquisition means that all new connections
obtained for a user whose database password has been changed (by the Credential Manager server)
are made using the new password. This action occurs automatically without any knowledge or
intervention by any owning data source.
While new connections are obtained using the new password, old connections that were obtained
using an old password may linger in the data source pool. Also, if the Credential Manager alias is
changed to a totally new user, then a connection pool has (at least temporarily) a mixture of
connections for different actual database users.
Such connection management by the CA Technologies driver ensures that database password
changes are completely transparent to the activities of the data source.
You can configure your data source either with the WebLogic console interface or with the ANT
scripts provided with this example.
The ANT scripts provided with this example automatically configure the required data sources, so this
step is optional.
Execute the following steps in the WebLogic console to create the data source that uses a Credential
Manager JDBC driver. Before starting make sure HSQLDB is running. See HSQL Database Usage (see
page ).
Use the following procedure to configure your data source using the WebLogic console.
1. From the main window of the console, navigate to Services > JDBC > Data Sources.
3. Click New.
7. Click Next.
9. Click Next.
22. Click Test Connection. WebLogic should display “Connection test succeeded” at the top of the
panel.
The following Apache ANT target shows you how to create a connection pool using the Credential
Manager JDBC Driver and the data source.
To configure data source using the WebLogic WLConfig Apache Ant task:
<query domain="${weblogic.domain}"
type="Server" name="${weblogic.server}"
property="adminserver"/>
<create type="JDBCDataSource"
        name="${datasource.ds.name}"
        property="datasource.cspm">
    <set attribute="JNDIName" value="CSPM${datasource.jndi.name}"/>
    <set attribute="PoolName" value="CSPM${datasource.pool.name}"/>
    <set attribute="Targets" value="${adminserver}"/>
</create>
</wlconfig>
</target>
Parameter Description
Script Name com.cloakware.cspm.sample.web.CredentialsViewer
Execution Path C:\bea\user_projects\domains\cloakware
Type Java
Parameter Description
Script Name com.cloakware.client.jdbc.JdbcDriver
Execution Path C:\bea\user_projects\domains\cloakware
Type Java
HSQLDB is an SQL relational database engine written in Java. It is used in the example as the database
server. See also:
Register Mapping between Request Server and Target Alias (see page )
This example uses a credential viewer and an HSQLDB data store to show the following:
The credential viewer shows you how to view credentials stored in the Credential Manager server
using the CSPMClient Java class. Use this example for simple integration and to test the ability
to connect to Credential Manager and retrieve credentials. The example displays the credentials
to the screen.
The HSQLDB data store shows you how to configure a data store using the Credential Manager
JdbcDriver Java class to retrieve credentials and connect to an HSQLDB data store. The
example retrieves credentials and uses them to access a data store.
This example is available on all A2A Client installations in the following directories:
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/WebSphere_Sample
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/WebSphere_Sample
File Description
ClassFactory.java  Class factory used to create the objects used in the example Web application. The class allows you to create the CSPMClient class and to perform a lookup in the Initial Context to retrieve the data source used to get a connection to the database.
CredentialsViewer.java  Servlet class used to connect to the Credential Manager server to retrieve credentials.
ConnectionTester.java  Servlet class used to create 10 connections to a database and execute a basic SQL statement. The class retrieves the DataSource class using the ClassFactory class.
2. Optionally, integrate the A2A Client to retrieve credentials. See WebSphere CE Credential
Viewer (see page 286).
3. Create or modify the data source file. See WebSphere CE Connection Pool with HSQLDB Data
Store (see page 288).
The example contains an Apache ANT build file located in the build directory that you can use to
create the WAR file and to deploy it. The build file is compatible with ANT 1.6.5 and above.
Use the following procedure to configure your environment for WebSphere CE development.
5. Set the HSQL_HOME environment variable to the path where you installed HSQL (for
example, opt/tools/hsqldb).
Use the following procedure to configure your environment for A2A Client integration with
WebSphere CE.
UNIX:
-Djava.library.path=$CSPM_CLIENT_HOME/lib
-Dcspm_client_config_file=$CSPM_CLIENT_HOME/config/cspm_client_config.xml
Windows:
-Djava.library.path=%CSPM_CLIENT_HOME%\lib
-Dcspm_client_config_file=%CSPM_CLIENT_HOME%\config\cspm_client_config.xml
3. Register the cspmclient.jar file with WebSphere CE as an artifact. To do so, log in to the
Administration Console and select Common Libs as follows:
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/lib
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/lib
UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/tools
Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/tools
1. Register the hsqldb.jar file with WebSphere CE as an artifact. To do so, log in to the
Administration Console and select Common Libs as follows:
UNIX: $HSQL_HOME/lib
Windows: %HSQL_HOME%/lib
Use the following procedure to configure your database pool using the WebSphere CE Administration
Console.
Complete the following steps in the WebSphere CE console to create the data source that uses a
Credential Manager JDBC driver. Before starting, make sure HSQLDB is running. See HSQL Database
Usage (see page ).
1. From the main window of the console, navigate to the Database Pools display.
2. Click “Using the Geronimo database pool wizard” to create a new database pool.
3. Enter a value for Name of Database Pool. For the example Web application, you must enter
CSPMSampleDS.
5. Click Next.
7. For Driver JAR, press the Ctrl key and select all of the following:
cspmclient/cspmclient/3.5/jar
cloakwareJdbc/cloakwareJdbc/3.5/jar
hsqldb/hsqldb/1.8.0.2/jar
13. Click Test Connection. WebSphere CE displays “Connected to HSQL Database Engine 1.8.0” at
the top of the panel.
To run the sample WebSphere CE application, create a second database pool as follows:
1. From the main window of the console, navigate to the Database Pools display.
2. Click “Using the Geronimo database pool wizard” to create a new database pool.
5. Click Next.
13. Click Test Connection. WebSphere CE displays “Connected to HSQL Database Engine 1.8.0” at
the top of the panel.
The steps to configure your environment for A2A Client integration with WebSphere CE,
described in Configure your Development Environment for WebSphere CE (see page 281)
The steps to configure your environment for HSQLDB, described in Configure your
Development Environment for WebSphere CE (see page 281)
The steps to configure your database pool using the WebSphere CE Administration
Console, described in WebSphere CE Connection Pool with HSQLDB Data Store (see page
288)
2. With a text editor (such as NotePad or Vim), edit the build.properties file located in
the following directories:
UNIX: $CSPM_CLIENT_HOME/cspmclient/examples/java/WebSphere_Sample/build
Windows: %CSPM_CLIENT_HOME%/cspmclient/examples/java/WebSphere_Sample/build
3. Change the value of the dir.server property (for example, to
C:/Program Files/IBM/WebSphere/AppServerCommunityEdition) and save the file.
UNIX: $CSPM_CLIENT_HOME/cspmclient/examples/java/WebSphere_Sample/build
Windows: %CSPM_CLIENT_HOME%/cspmclient/examples/java/WebSphere_Sample/build
Class File
package com.cloakware.cspm.sample.web;

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.cloakware.jdbc.StatusCodeMapping;
import com.cloakware.cspm.client.CSPMClient;
import com.cloakware.cspm.sample.ClassFactory;

/**
 * This servlet class is used to retrieve credentials using the
 * CSPMClient class.<br>
 * <br>
 * The user enters a CSPMAlias Name and the servlet displays the information
 * returned by the CSPMClient class. <br>
 * <br>
 * Since the CSPMClient class only returns a status code, the base class
 * provides a class to convert the status code to a more meaningful sentence.
 */
public class CredentialsViewer extends HttpServlet {
    /* Attribute names */
    private final String ERROR_MSG = "errorMsg";
    /* Error message */
    private final String MSG_ALIAS_EMPTY = "Alias cannot be empty";
    /* Response page */
    private final String TARGET_JSP = "/index.jsp";

    /**
     * Constructor of the object.
     */
    public CredentialsViewer() {
        super();
    }

    /**
     * Destruction of the servlet. <br>
     */
    public void destroy() {
        // Just puts "destroy" string in log
        super.destroy();
    }

    /**
     * The doGet method of the servlet. <br>
     *
     * This method is called when a form has its tag value method equals to get.
     * The method retrieves the alias name and the value of the checkbox
     * indicating if the CSPMClient cache needs to be bypassed. It then calls
     * the retrieveCredentials method of the CSPMClient class and displays the
     * results. <br>
     * <br>
     * An error message is displayed if the alias name is missing.
     *
     * @param request
     *            the request sent by the client to the server
     * @param response
     *            the response sent by the server to the client
     * @throws ServletException
     *             if an error occurred
     * @throws IOException
     *             if an error occurred
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // if we have an alias
        if (alias != null && !"".equals(alias)) {
            // Class used to retrieve the credential.
            CSPMClient cspmClient = ClassFactory.getCSPMClient();
To integrate the A2A Client to your application, change the JDBC driver used by the data source. The
Credential Manager JDBC driver acts as a proxy JDBC driver serving any JDBC URL that is recognized
as a Credential Manager JDBC URL. In the data source configuration you need to provide
information regarding the targeted driver and the alias to use in the special Credential Manager style
JDBC URL. The Credential Manager style JDBC URL format is:
cspm:[url];CSPMDriver=target.driver;CSPMAlias=alias
Follow the prefix by the normal JDBC URL, omitting any user/password specification; for example,
jdbc:hsqldb:hsql://localhost:9001/cspm1.
Set the URL to contain the CSPMDriver that indicates an explicit JDBC driver to use.
Assign the CSPMAlias, which is the alias for the database user in the Credential Manager
server, to the URL.
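The Credential Manager style URL described here (and in the WebLogic section earlier) can be checked before a data source is deployed. The following Python linter is an added example, not part of the CA sample code: it splits the URL into target URL, CSPMDriver and CSPMAlias and flags inline user/password parts, which the format says to omit. It assumes that CSPMDriver and CSPMAlias are ;key=value segments and that every other ;segment belongs to the target URL; the alias name, the sample URLs and the credential property names it looks for are constructed for illustration.

```python
import re

PREFIX = "cspm:"
REQUIRED_KEYS = ("CSPMDriver", "CSPMAlias")
# Assumption: property names that commonly carry inline credentials in JDBC URLs.
CREDENTIAL_KEYS = {"user", "username", "uid", "password", "pwd"}

# Constructed sample inputs (the alias name is hypothetical).
GOOD_URL = ("cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1"
            ";CSPMDriver=org.hsqldb.jdbcDriver;CSPMAlias=hsqldb-sample-alias")
BAD_URL = ("cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;user=sa;password=secret"
           ";CSPMDriver=org.hsqldb.jdbcDriver;CSPMAlias=hsqldb-sample-alias")


def parse_cspm_url(url):
    """Split a Credential Manager style URL into (target_url, driver, alias)."""
    if not url.startswith(PREFIX):
        raise ValueError("URL does not start with 'cspm:'")
    segments = url[len(PREFIX):].split(";")
    found = {}
    target_parts = [segments[0]]
    for seg in segments[1:]:
        key, sep, value = seg.partition("=")
        if key in REQUIRED_KEYS:
            if key in found:
                raise ValueError(f"{key} given more than once")
            if not sep or not value.strip():
                raise ValueError(f"{key} has no value")
            found[key] = value.strip()
        else:
            # Not a CSPM key: treat it as a property of the target JDBC URL.
            target_parts.append(seg)
    for key in REQUIRED_KEYS:
        if key not in found:
            raise ValueError(f"{key} is missing")
    target = ";".join(target_parts)
    if not target.startswith("jdbc:"):
        raise ValueError("target URL is not a JDBC URL")
    return target, found["CSPMDriver"], found["CSPMAlias"]


def inline_credentials(target_url):
    """Return the names of credential-bearing parts found in target_url."""
    hits = []
    # key=value properties introduced by ';', '?' or '&'
    for key, _value in re.findall(r"[;?&]([^=;?&]+)=([^;?&]*)", target_url):
        if key.strip().lower() in CREDENTIAL_KEYS:
            hits.append(key.strip())
    # userinfo forms such as //user:secret@host or :user/secret@host
    if re.search(r"(?://|:)[^/@:;?]+[:/][^/@:;?]+@", target_url):
        hits.append("userinfo")
    return hits


def lint(url):
    """Return a list of findings; an empty list means the URL passes."""
    try:
        target, _driver, _alias = parse_cspm_url(url)
    except ValueError as exc:
        return [str(exc)]
    return [f"inline credential in target URL: {name}"
            for name in inline_credentials(target)]


if __name__ == "__main__":
    for sample in (GOOD_URL, BAD_URL):
        findings = lint(sample)
        print("OK" if not findings else "; ".join(findings))
```

A finding for an inline user or password means the data source still carries a static secret that the alias lookup was meant to replace.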
This low-level driver management for connection acquisition means that all new connections
obtained for a user whose database password has been changed (by the Credential Manager server)
are made using the new password. This action occurs automatically without any knowledge or
intervention by any owning database pool.
While new connections are obtained using the new password, old connections that were obtained
using an old password may linger in the database pool. Also, if the Credential Manager alias is
changed to a totally new user, then a connection pool has (at least temporarily) a mixture of
connections for different actual database users.
Such connection management by the CA Technologies driver ensures that database password
changes are completely transparent to the database pool’s activities.
Parameter Description
Script Name com.cloakware.cspm.sample.web.CredentialsViewer
Execution Path C:\Program Files (x86)\IBM\WebSphere\AppServerCommunityEdition\bin
Type Java
Parameter Description
Script Name com.cloakware.client.jdbc.JdbcDriver
Execution Path C:\Program Files (x86)\IBM\WebSphere\AppServerCommunityEdition\bin
Type Java
HSQLDB is an SQL relational database engine written in Java. It is used in the example as the database
server. See also:
Register Mapping between Request Server and Target Alias (see page )
use strict;
use lib "/opt/cloakware/cspmclient/lib";
use CSPM_CLIENT;
# Declare the variables with "my", as "use strict" requires
my $msg = "";
my $bypass_cache = "";
my $alias = "";
my $isXMLOutput = 0;
if($isXMLOutput){
    print qq($answer\n);
}else{
    # Output fields are whitespace-separated: return code, user ID, password, message
    my @array = split(/\s+/, $answer);
    print qq(Return Code: $array[0]\n);
    print qq(UserID: $array[1]\n);
    print qq(Password: $array[2]\n);
    if ($array[0] ne "400" ) {
        for my $i (3..$#array){
            $msg = $msg." ".$array[$i];
        }
        print qq(Message: $msg\n);
    } else {
        print qq(PASSED\n);
    }
}
# End of Main
__END__
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, example.pl.
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
When entering the file and execution paths, you must specify the absolute paths without links.
The path to the binary client depends on CSPM_CLIENT_HOME being set. For the A2A Client, the
path is $CSPM_CLIENT_HOME/cspmclient/bin/cspmclient.
The A2A Client (cspmclient) accepts up to two command line arguments. This example accepts
and passes those arguments from the command line:
argv[2]. Provides the Bypass Cache Flag, which can be true or false. The default is false.
This argument is optional.
    int error = 0;
    char a_buffer[BUF_SIZE];
    char command[BUF_SIZE];
    char bypass_cache_flag[BUF_SIZE];
    memset(a_buffer,'\0',BUF_SIZE);
    memset(command,'\0',BUF_SIZE);
    memset(bypass_cache_flag,'\0',BUF_SIZE);
    if ( argv[1] == NULL ) {
        printf("\nERROR: arg[1] cannot be NULL\n\n");
        exit(1);
    }
    if ( argv[2] == NULL ) {
        printf("\nNo Bypass Cache Flag provided - will use the default\n");
        snprintf(bypass_cache_flag, BUF_SIZE, "%s", "false");
    } else {
        /* snprintf() keeps an over-long argument from overflowing the buffer */
        snprintf(bypass_cache_flag, BUF_SIZE, "%s", argv[2]);
    }
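    cspm_client_home=getenv("CSPM_CLIENT_HOME");
    if ( cspm_client_home == NULL ) {
        printf("\nGlobal Environment Variable CSPM_CLIENT_HOME is not set\n");
        exit(1);
    }
    /*
       Command Line Creation
       NOTE: No space in the format string for the first 2 list elements - %s%s
       snprintf() bounds the write to BUF_SIZE; a truncated command is rejected.
       argv[1] and the flag become part of a shell command line, so accept
       them only from a trusted caller.
    */
    if ( snprintf (
             command,
             BUF_SIZE,
             "%s%s %s %s",
             cspm_client_home,
             CSPM_CLIENT_BINARY,
             argv[1],
             bypass_cache_flag
         ) >= BUF_SIZE ) {
        printf("\nERROR: command line is too long\n");
        exit(1);
    }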
    pclose(results_file);
    /* Print results */
    if ( error ) {
        printf("\nFailed to retrieve the credentials\n");
        exit(99);
    } else {
        printf("\nreturn_code:\t%s\n",return_code);
        printf("userid:\t\t%s\n",userid);
        printf("password:\t%s\n",password);
    }
}
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension. For example, example.c.
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
When entering the file and execution paths, you must specify the absolute paths without links.
The A2A Client (cspmclient) accepts up to two command line arguments. This example accepts
and passes these arguments from the command line:
$2. Provides the Bypass Cache Flag, which can be true or false. The default is false. This
argument is optional.
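if [ -z "$CSPM_CLIENT_HOME" ]
then
    echo "Global Environment Variable CSPM_CLIENT_HOME is not set"
    echo "Aborting..."
    exit 1
fi
if [ -z "$1" ]
then
    echo "No Target Alias provided "
    echo "Aborting..."
    exit 2
else
    target_alias="$1"
fi
if [ -z "$2" ]
then
    bypass_cache="false"
else
    bypass_cache="$2"
fi
# Action
# The A2A Client binary is $CSPM_CLIENT_HOME/cspmclient/bin/cspmclient.
# The quotes keep the alias and the flag as single arguments.
result=$("$CSPM_CLIENT_HOME/cspmclient/bin/cspmclient" "$target_alias" "$bypass_cache")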
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, example.ksh.
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
Script type. The requestor script type; for example, Korn shell script.
When entering the file and execution paths, you must specify the absolute paths without links.
The A2A Client (cspmclient) accepts up to two command line arguments. This example accepts
and passes these two arguments from the command line:
$1. This argument provides the target alias name. This argument is mandatory.
$2. This argument provides the Bypass Cache Flag, which can be true or false. The default is
false. This argument is optional.
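if ( "$1" == "" ) then
    echo "No Target Alias provided "
    echo "Aborting..."
    exit 2
else
    set target_alias="$1"
endif
if ( "$2" == "" ) then
    set bypass_cache="false"
else
    set bypass_cache="$2"
endif
# Action
# The A2A Client binary is $CSPM_CLIENT_HOME/cspmclient/bin/cspmclient.
# The quotes keep the alias and the flag as single arguments.
set result=`"$CSPM_CLIENT_HOME/cspmclient/bin/cspmclient" "$target_alias" "$bypass_cache"`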
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, example.csh.
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
Script type. The requestor script type; for example, C shell script.
When entering the file and execution paths, you must specify the absolute paths without links.
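<?php
##########################################
#
# Php example. To execute, do:
# prompt> php test2.php
#
##########################################
$alias="test";
$bypassCacheFlag="false";
$data = getCredential($alias,$bypassCacheFlag);
echo "Return code: $data[retCode]\n";
echo "User name: $data[user]\n";
echo "Password: $data[password]\n";
function getCredential($inAlias,$inFlag){
    $exec = "/opt/cloakware/cspmclient/bin/cspmclient";
    # Quote each argument so the shell started by popen() treats it as data
    $command = escapeshellarg($exec) . " " . escapeshellarg($inAlias) . " " . escapeshellarg($inFlag);
    $hndl=popen($command,'r') or die ("Unable to open pipe for command $command\n");
    # cspmclient prints whitespace-separated fields: return code, user ID, password
    $line = fgets($hndl);
    pclose($hndl);
    $fields = preg_split('/\s+/', trim((string)$line));
    return array(
        "retCode"  => isset($fields[0]) ? $fields[0] : "",
        "user"     => isset($fields[1]) ? $fields[1] : "",
        "password" => isset($fields[2]) ? $fields[2] : "",
    );
}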
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, the name of the PHP script example given in Code: PHP
Script with A2A Client on UNIX (see page ).
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
When entering the file and execution paths, you must specify the absolute paths without links.
import commands
import os,time
import sys
if __name__ == "__main__":
    alias=""
    cacheflag=""
    optflag=""
    argc = len(sys.argv)
    if argc > 1:
        alias=sys.argv[1]
    # Compare the second argument (not the argument count) with "-x"
    if (argc == 3) and (sys.argv[2] != "-x"):
        cacheflag = sys.argv[2]
    elif (argc == 3) and (sys.argv[2] == "-x"):
        optflag = sys.argv[2]
    elif (argc == 4):
        optflag = sys.argv[3]
    else:
        dummy=1
    getCredential(alias, cacheflag, optflag)
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension. For example, the name of the Python script example given in Code:
Python Script with A2A Client on UNIX (see page ).
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
When entering the file and execution paths, you must specify the absolute paths without links.
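The C, Korn shell, C shell, PHP and Python samples above all hand the target alias to cspmclient on a command line. The following Python 3 wrapper is an added example, not part of the CA samples: it runs the client with an argument vector instead of a shell, rejects alias values outside a conservative character set, and parses the whitespace-separated output without echoing the password. The alias character set, the function names and the error wording are assumptions made for this example.

```python
import os
import re
import subprocess

SUCCESS_CODE = "400"  # success code tested by the page's Perl, VB and C++ samples
# Assumption: alias names are limited to this character set (not a product rule).
ALIAS_PATTERN = re.compile(r"[A-Za-z0-9._-]{1,128}")


class CredentialError(Exception):
    """Raised when the client cannot be run or reports a failure."""


def client_path(env=None):
    """Return $CSPM_CLIENT_HOME/cspmclient/bin/cspmclient, the path the page gives."""
    env = os.environ if env is None else env
    home = env.get("CSPM_CLIENT_HOME", "")
    if not home:
        raise CredentialError("CSPM_CLIENT_HOME is not set")
    if not os.path.isabs(home):
        raise CredentialError("CSPM_CLIENT_HOME must be an absolute path")
    return os.path.join(home, "cspmclient", "bin", "cspmclient")


def build_argv(binary, alias, bypass_cache=False):
    """Build the argument vector: binary, target alias, bypass-cache flag."""
    if not isinstance(alias, str) or not ALIAS_PATTERN.fullmatch(alias):
        raise CredentialError("target alias is empty or has unexpected characters")
    return [binary, alias, "true" if bypass_cache else "false"]


def parse_output(text):
    """Parse 'return_code userid password [message...]' into (userid, password)."""
    fields = text.split()
    if not fields:
        raise CredentialError("cspmclient produced no output")
    code = fields[0]
    if code != SUCCESS_CODE:
        # Report code and message only; fields 1 and 2 never reach the error text.
        message = " ".join(fields[3:]) or "no message"
        raise CredentialError(f"cspmclient returned {code}: {message}")
    if len(fields) < 3:
        raise CredentialError("success code without user ID and password")
    return fields[1], fields[2]


def get_credential(alias, bypass_cache=False, env=None, timeout=30):
    """Run cspmclient without a shell and return (userid, password)."""
    argv = build_argv(client_path(env), alias, bypass_cache)
    try:
        # A list argv with no shell=True means the alias is never parsed by a shell.
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired) as exc:
        raise CredentialError(f"could not run cspmclient: {exc}") from exc
    return parse_output(proc.stdout)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: requestor.py TARGET_ALIAS [true|false]")
    bypass = len(sys.argv) > 2 and sys.argv[2] == "true"
    try:
        user, _password = get_credential(sys.argv[1], bypass)
    except CredentialError as err:
        sys.exit(f"ERROR: {err}")
    # The password is handed to the caller's code, not printed.
    print(f"Retrieved credentials for user {user}")
```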
If you are using A2A Clients and the data returned (accounts and passwords) is limited to ANSI
characters, no character set conversion is required. The client returns ANSI characters as single-byte
UTF-8 characters. However, if you are using A2A Clients and the data returned includes non-ANSI
UTF-8 characters, a character conversion may be required. Contact CA Support for assistance, and
reference UTF-16 conversion.
Integrate a Perl Script with A2A Client on Windows (see page 300)
Integrate a Visual Basic Application (see page 301)
Integrate a Visual C++ Application (see page 303)
Integrate a C#.NET Application using IIS Application Server (see page 306)
Integrate a Visual Basic, Java, or Windows Script (see page 311)
use strict;
use warnings;
use lib "c:/cspm/cloakware/cspmclient/lib";
use CSPM_CLIENT_WIN;
my $exec=$EXEC . "targetAlias" ;
my $param=`$exec`;
my @param2 = split(/\s+/,$param);
my $errorCode=$param2[0];
if($errorCode eq '400')
{
    my $userID=$param2[1];
    my $passWd=$param2[2];
    print "userId = " . $userID . "\n";
    print "password = " . $passWd . "\n";
}
else
{
    print "Failed to retrieve credentials... errorcode=" . $errorCode;
}
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, the name of the Perl script example given in Code: Perl
Script with A2A Client on Windows (see page ).
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
When entering the file and execution paths, you must specify the absolute paths without links.
'
' Your project will now have a reference to the cspmclientc.dll.
'
' Next you need to uncomment the line - 'Dim X As New ccspmclientc' from the
' Command1_Click() method
'
    bypassCache = "false"
    targetAlias = Me.targetAliasName
    'Uncomment the line - 'Dim X As New ccspmclientc' - at the beginning of this method
    'if you get an error on this line.
    ret = X.retrieveCredentials(targetAlias, bypassCache, options)
    If (xmlOutput) Then
        Me.results = X.getXMLData
    Else
        If (ret = 400) Then
            userId = X.getUserId()
            password = X.getPassword()
            xml = X.getXMLData
        Else
            MsgBox "Failed to process request with errorCode: " + CStr(ret), vbOKOnly, Me.Caption
        End If
    End If
End Sub
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, VB_Sample.exe.
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
Script type. The requestor script type; for example, Visual Basic.
When entering the file and execution paths, you must specify the absolute paths without links.
#import "c:\cspm\cloakware\cspmclient\lib\cspmclientc.tlb"
#define ERROR_CODE_SUCCESS 400
#define ERROR_CODE_BADPARAM 407
    if(argc>1)
    {
        targetAlias = _bstr_t(argv[1]);
        for (int pos = 2; pos < argc; pos++){
            if(pos == 2 && argv[pos][0] != '-'){
                bypassFlg = _bstr_t(argv[pos]);
            }else{
                if(!strcmp(argv[pos],"-x"))
                    isXMLOutput = TRUE;
                cliOpt = cliOpt+ " "+_bstr_t(argv[pos]);
            }
        }
        // Initializing the COM component
        CoInitialize(NULL);
        hr = CLSIDFromProgID(OLESTR("cspmclientc.ccspmclientc"), &cls);
        Iccspmclientc *t;
        hr = CoCreateInstance(cls,NULL,CLSCTX_INPROC_SERVER, __uuidof(Iccspmclientc),(LPVOID*) &t);
        }else if(retVal==ERROR_CODE_SUCCESS){
            bstrUserId = t->getUserId();
            bstrPassword = t->getPassword();
            userId= OLE2T(bstrUserId);
            password= OLE2T(bstrPassword);
            printf("ErrorCode: %i\n",retVal);
            printf("UserID: %s\n", userId);
            printf("Password: %s\n", password);
            SysFreeString(bstrUserId);
            SysFreeString(bstrPassword);
        }else{
            bstrMessage = t->getMessage();
            message = OLE2T(bstrMessage);
            printf("ErrorCode: %i\n",retVal);
            printf("UserID: %s\n", "null");
            printf("Password: %s\n", "null");
            printf("Message: %s\n", message);
            SysFreeString(bstrMessage);
        }
        t->Release();
        CoUninitialize();
    }else{
        printf("ErrorCode: %i\n",ERROR_CODE_BADPARAM);
        printf("UserID: %s\n", "null");
        printf("Password: %s\n", "null");
    }
    return 0;
}
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, VC_Sample.cpp.
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
Script type. The requestor script type; for example, Visual C++.
When entering the file and execution paths, you must specify the absolute paths without links.
This example uses a credential viewer and an SQL Server 2005 Express Edition data store to show the
following:
The credential viewer shows you how to view credentials stored in the Credential Manager server
using the CSPMClient COM component. Use this example for simple integration and to test the
ability to connect to Credential Manager and retrieve credentials. The example displays the
credentials to the screen.
The SQL Server 2005 Express Edition data store shows you how to configure a connection string
used by the Connection class to retrieve credentials and connect to an SQL Server 2005
Express Edition data store. The example retrieves credentials and uses them to access a data
store.
File Description
ConnectionFactory.cs Class used to create an SQLConnection object. The object is used to connect to the data store and perform SQL queries.
CspmClientComObject.cs Implementation of the CSPMClient interface. The class is used to retrieve the credentials from the CA Privileged Access Manager appliance.
Connect.aspx ASP page used to open a connection to a data store. The page creates the Connection object using the ConnectionFactory class.
Web.config Configuration file showing how to configure a connection string for SQL Server 2005 Express Edition. The connection string is passed to the ConnectionFactory class.
1. Configure development environment. See Configure your Development Environment for IIS
(see page 307).
2. Optionally, integrate the A2A Client to retrieve credentials. See IIS Credential Viewer (see
page 308).
3. Create or modify the context file. See IIS Connection with SQL Server 2005 Express Edition
Data Store (see page 309).
2. Open the IIS Manager and create a virtual directory called iCSPM.
The example contains a Visual Studio 2005 project that you can use to build the Web application and
to deploy it.
Use the following procedure to configure your environment for IIS development.
5. Ensure that Microsoft Visual Studio 2005 and Microsoft Visual C# are installed.
Class File
package com.cloakware.cspm.sample.web;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
namespace iCSPM
{
public partial class Default : System.Web.UI.Page
{
private const string ERR_MISSING_ALIAS = "Alias cannot be empty";
{
obj = new CspmClientComObject();
}
else
{
obj = new CspmClientObject();
}
To integrate the A2A Client with your application, change the mechanism that creates the connection.
The Credential Manager ConnectionFactory retrieves the credentials using the A2A Client
interface and then creates an SqlConnection object. In the Web.config file, add the alias to use
as a parameter at the end of the connection string. The User ID and password parameters must
remain in the connection string as placeholders for the credentials, but leave them blank. The
following is an example:
server=(local)\SQLExpress;database=CSPMTest;uid=;pwd=;CSPMAlias=sql_svr
Managing connection acquisition this way means that all new connections obtained for a user
whose database password has been changed (by the Credential Manager server) are made using the
new password. This happens automatically, without any knowledge of or intervention by the
owning connection pool.
While new connections are obtained using the new password, old connections that were obtained
using an old password may linger in the connection pool. Also, if the Credential Manager alias is
changed to a totally new user, then a connection pool has (at least temporarily) a mixture of
connections for different actual database users.
Such connection management ensures that database password changes are completely transparent
to connection activities.
Data Source
<configuration>
<connectionStrings>
<add name="CSPMSampleDS"
connectionString="server=(local)\SQLExpress;
database=CSPMTest;uid=;pwd=;
CSPMAlias=sql_svr"
providerName="System.Data.SqlClient"/>
</connectionStrings>
</configuration>
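The check below is an added example, not CA's code or part of the sample project: it audits Web.config connection strings against the placeholder rule described above (CSPMAlias present, uid and pwd present but blank). The LeftoverDS and StaticDS entries are constructed, and accepting "user id" and "password" as synonyms of uid and pwd is an assumption about how the strings may be written.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's entry plus two hypothetical entries.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <connectionStrings>
    <add name="CSPMSampleDS"
         connectionString="server=(local)\SQLExpress;
                           database=CSPMTest;uid=;pwd=;
                           CSPMAlias=sql_svr"
         providerName="System.Data.SqlClient"/>
    <add name="LeftoverDS" providerName="System.Data.SqlClient"
         connectionString="server=(local)\SQLExpress;database=CSPMTest;uid=admin;pwd=admin;CSPMAlias=sql_svr"/>
    <add name="StaticDS" providerName="System.Data.SqlClient"
         connectionString="server=(local)\SQLExpress;database=CSPMTest;uid=admin;pwd=admin"/>
  </connectionStrings>
</configuration>"""

USER_KEYS = ("uid", "user id")      # assumed synonyms for the user name
PASS_KEYS = ("pwd", "password")     # assumed synonyms for the password

def parse_connection_string(conn):
    """Split 'key=value;...' into a dict with lower-cased, trimmed keys."""
    pairs = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_web_config(xml_text):
    """Return {entry name: [findings]} for each connection string."""
    report = {}
    for add in ET.fromstring(xml_text).iterfind("./connectionStrings/add"):
        pairs = parse_connection_string(add.get("connectionString", ""))
        user = [pairs[k] for k in USER_KEYS if k in pairs]
        pwd = [pairs[k] for k in PASS_KEYS if k in pairs]
        findings = []
        if "cspmalias" in pairs:
            if not user or not pwd:
                findings.append("uid/pwd placeholder missing")
            if any(user) or any(pwd):
                findings.append("static credential left beside CSPMAlias")
        elif any(pwd):
            findings.append("static password, no CSPMAlias")
        report[add.get("name")] = findings
    return report

if __name__ == "__main__":
    print(audit_web_config(SAMPLE_WEB_CONFIG))
```

An entry with an empty findings list follows the page's pattern; the attribute value split across lines, as in the page's Web.config, is handled because the XML parser turns the line breaks into spaces.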
Parameter Description
Script Name w3wp.exe
Execution Path C:\WINDOWS\SysWOW64\inetsrv
Type C
Parameter Description
Application Name SQL Server 2005 Express Edition
Application Type MSSQL
Instance SQLEXPRESS
Parameter Description
Application SQL Server 2005 Express Edition
Application Name admin
Password admin
Parameter Description
Target Alias Name sql_svr
Application SQL Server 2005 Express Edition
Account admin
dim myobj
dim ret
ret= myobj.getUserId()
document.write(" User: " & ret & ",")
ret= myobj.getPassword()
document.write(" Password: " & ret & ",")
ret= myobj.getXMLData()
document.write(" XML data is: " & ret)
</script>
</body>
</html>
You need the following data to register your requestor with Credential Manager:
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, VBScriptSample.html.
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
Script type. The requestor script type; for example, Visual Basic.
When entering the file and execution paths, you must specify the absolute paths without links. When
an executable or script is run from a mapped network drive, Windows reports the execution path
using the UNC path. Use the UNC path when defining the script path and execution path.
Java Script
This example uses a JavaScript sample (JavaScriptSample.htm) in the
$CSPM_CLIENT_HOME\cloakware\cspmclient\examples\Java_Script_Sample directory. It uses the CA
Technologies ATL DLL (cspmclientatl.dll) to integrate the A2A Client.
<script type="text/javascript">
document.write("Client interface with Java Script");
try {
var XLApp = new ActiveXObject("cspmclientatl.ccspmclientatl");
} catch (e) {
alert("error: "+e.message);
}
</script>
</body>
</html>
You need the following data to register your requestor with Credential Manager:
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, JavaScriptSample.htm.
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
When entering the file and execution paths, you must specify the absolute paths without links. When
an executable or script is run from a mapped network drive, Windows reports the execution path
using the UNC path. Use the UNC path when defining the script path and execution path.
Windows Script
This example uses a Windows script sample. It uses the CA Technologies ATL DLL
(cspmclientatl.dll) to integrate the A2A Client. Your installed A2A Client does not contain a
soft copy of the following script.
dim ret
dim cspmclient
dim credentialsRetrieved
dim success
dim bypasscache
'try to use it
'success = connectToApp(accountName,password)
success = false
Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, the name of the Windows script example given in
Windows Script (see page 313).
File path. The absolute path to the application file that contains the executable call.
Execution path. The absolute path from which the application is launched.
When entering the file and execution paths, you must specify the absolute paths without links. When
an executable or script is run from a mapped network drive, Windows reports the execution path
using the UNC path. Use the UNC path when defining script path and execution path.
Only the local host (where the A2A Client is installed). See Access URL from only the Local Host
(see page ).
Only the systems within the network of the local host. See Access URL from Local Host Network
(see page 316).
Both the local host and the systems within its network. See Access URL from Local Host and Local
Host Network (see page 318).
To disable this feature, remove or comment out the httpRequestScriptAddress tag and
the httpRequestScriptPort tag in the cspm_client_config.xml file.
The following XML code is an example of the cspm_client_config.xml file with the tags.
To authorize a requestor (script) to retrieve credentials through a URL, the authorization mappings
between the target alias and the request server must contain at least one script that produces URLs
with the formats described in the following sections. See Add Authorization Mappings
(https://docops.ca.com/display/CAPAM28/Add+Authorization+Mappings) for more details on authorization mapping.
For this case, add the following tags to the cspm_client_config.xml file:
<httpRequestScriptAddress>localhost</httpRequestScriptAddress>
You can also specify the loopback IP address of the local host instead of the literal term
localhost. For example, the following tags are equivalent:
<httpRequestScriptAddress>127.0.0.1</httpRequestScriptAddress>
<httpRequestScriptAddress>localhost</httpRequestScriptAddress>
<httpRequestScriptPort>12345</httpRequestScriptPort>
For this case, use the following URL format on the local host system to get credentials:
http://<system>:<portnumber>/requestScript/retrieveCredentials?aliasName=<targetalias>&bypassCache=false&contentType=html, where:
<system> is the literal term localhost or the loopback IP address of the local host. This must
match what was specified in the <httpRequestScriptAddress> tag for the A2A client on
the system.
<portnumber> is any valid and unused port number of the local host. This must match what was
specified in the <httpRequestScriptPort> tag for the A2A client on the system.
http://127.0.0.1:12345/requestScript/retrieveCredentials?aliasName=testalias&bypassCache=false&contentType=html
For this case, add the following tags to the cspm_client_config.xml file:
<httpRequestScriptAddress><myhostname>.<mydomain></httpRequestScriptAddress>
<myhostname> is the host name or the loopback IP address of the system where the A2A
Client is installed
<mydomain> is the domain of the system where the A2A Client is installed
For this case, use the following URL format on any system on the local network of the local host to
get credentials:
http://<myhostname>.<mydomain>:<portnumber>/requestScript/retrieveCredentials?aliasName=<targetalias>&bypassCache=false&contentType=html, where:
<myhostname> is the host name or the loopback IP address of the system where the A2A Client
is installed. This must match what was specified in the <httpRequestScriptAddress> tag
for the A2A client on the system.
<mydomain> is the domain of the system where the A2A Client is installed. This must match what
was specified in the <httpRequestScriptPort> tag for the A2A client on the system.
<portnumber> is the port number used to access the local host. This must match what was specified in the
<httpRequestScriptPort> tag for the A2A client on the system.
http://rh5x32stout.cpa.intra:12345/requestScript/retrieveCredentials?aliasName=testalias&bypassCache=false&contentType=html
rh5x32stout is the host name of a system that shares the local host network
cpa.intra is the domain of the system where the A2A Client is installed
12345 is the port number used to access the local host. This must match what was specified in the
<httpRequestScriptPort> tag for the A2A client on the system.
For this case, add the following tags to the cspm_client_config.xml file:
<httpRequestScriptAddress>0.0.0.0</httpRequestScriptAddress>
<httpRequestScriptPort><port_no></httpRequestScriptPort>, where
<port_no> is any valid and unused port number of the system where the A2A Client is installed
For this case, use the following URL format on the local host system to get credentials:
http://<system>:<portnumber>/requestScript/retrieveCredentials?aliasName=<targetalias>&bypassCache=false&contentType=html, where:
<system> is the literal term localhost or the loopback IP address of the local host
<portnumber> is any valid and unused port number of the local host
For this case, use the following URL format on any system on the local network of the local host to
get credentials:
http://<myhostname>.<mydomain>:<portnumber>/requestScript/retrieveCredentials?aliasName=<targetalias>&bypassCache=false&contentType=html, where:
<myhostname> is the host name or the loopback IP address of the system where the A2A Client
is installed.
<mydomain> is the domain of the system where the A2A Client is installed.
<portnumber> is the port number used to access the local host. This must match what was specified in the
<httpRequestScriptPort> tag for the A2A client on the system.
The following is an example of the URL to use from the local host system to get credentials:
http://127.0.0.1:12345/requestScript/retrieveCredentials?aliasName=testalias&bypassCache=false&contentType=html
The following is an example of the URL to use from a system on the local network of the local host to
get credentials:
http://rh5x32stout.cpa.intra:12345/requestScript/retrieveCredentials?aliasName=testalias&bypassCache=false&contentType=html
rh5x32stout is the host name of a system that shares the network of the local host
cpa.intra is the domain of the system where the A2A Client is installed
12345 is the port number used to access the local host. This must match what was specified in the
<httpRequestScriptPort> tag for the A2A client on the system.
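The following is an added example, not CA's code: a configuration check that reads cspm_client_config.xml and reports which of the three access cases above the httpRequestScriptAddress and httpRequestScriptPort tags select, which is worth confirming on each host because the retrieval URL returns credentials over http. The root element name cspmClientConfig and the sample files are constructed, and the "incomplete" result for a lone tag is an assumption, since the page does not say how the client treats it.

```python
import ipaddress
import xml.etree.ElementTree as ET

def sample_config(address, port):
    """Constructed config; <cspmClientConfig> is a hypothetical root element."""
    return ("<cspmClientConfig>"
            f"<httpRequestScriptAddress>{address}</httpRequestScriptAddress>"
            f"<httpRequestScriptPort>{port}</httpRequestScriptPort>"
            "</cspmClientConfig>")

# Constructed: both tags commented out, the page's way to disable the feature.
DISABLED_CONFIG = ("<cspmClientConfig><!-- <httpRequestScriptAddress>0.0.0.0"
                   "</httpRequestScriptAddress> <httpRequestScriptPort>12345"
                   "</httpRequestScriptPort> --></cspmClientConfig>")

def tag_text(root, tag):
    """Text of the first element named `tag` anywhere in the tree, or None."""
    node = next(root.iter(tag), None)
    return node.text.strip() if node is not None and node.text else None

def classify_listener(xml_text):
    """Return (scope, port) for the URL retrieval settings in the config."""
    root = ET.fromstring(xml_text)
    address = tag_text(root, "httpRequestScriptAddress")
    port_text = tag_text(root, "httpRequestScriptPort")
    if address is None and port_text is None:
        return ("disabled", None)
    if address is None or port_text is None:
        return ("incomplete", None)          # assumption: flag for review
    if not (port_text.isascii() and port_text.isdigit()
            and 1 <= int(port_text) <= 65535):
        return ("invalid port", None)
    port = int(port_text)
    if address.lower() == "localhost":
        return ("local host only", port)
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:                       # a name such as host.domain
        return ("local host network", port)
    if ip.is_loopback:
        return ("local host only", port)
    if ip.is_unspecified:                    # 0.0.0.0 listens on every interface
        return ("local host and local host network", port)
    return ("local host network", port)

if __name__ == "__main__":
    for addr in ("localhost", "127.0.0.1", "rh5x32stout.cpa.intra", "0.0.0.0"):
        print(addr, classify_listener(sample_config(addr, 12345)))
    print("commented out", classify_listener(DISABLED_CONFIG))
```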