
CA Privileged Access Manager - 2.8
Programming

Date: 21-Feb-2017

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.

Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.

Table of Contents

ExternalAPI
  Overview
  Deployment Procedures for Administrators
    Licensing
    Configuration
      Enable the API
      Disable the Test Button
    Provision API Request Credentials
    Add API Keys for a CA Privileged Access Manager User
      In the GUI Template
      As a CSV Import Item
    Dissociating an API Key from Its User
      Deactivating a Key
      Removing a Key
  Deployment Procedures for Programmers
    Documentation/Test
      Overview
    View Documentation
    Obtain API Keys
    Run Test API Requests
    Resetting the Active API Key
  Implementation
    Case: Provision User, Device, and Auto-Connection Policy Between Them

Credential Manager APIs
  Prepare to Use the Credential CLI and Java API
    Configure Your Client Computer
  Create a Java Program Using the Credential Manager Java API
  Use the Credential Manager CLI
    Install and Configure the Credential Management CLI
    Credential Manager CLI Command Execution
    CLI Return Values
      Example
    Batch Command Execution
      Example

Credential Manager CLI Commands
  addAuthorization
    Example
    Parameters
      TargetAlias.name
      TargetAlias.ID
      Authorization.targetGroupName
      Authorization.targetGroupId
      RequestServer.hostName
      RequestServer.ID
      Authorization.requestGroupName
      Authorization.requestGroupId
      RequestScript.name
      RequestScript.ID
      RequestScript.executionPath
      Authorization.checkExecutionID
      Authorization.executionUser
      Authorization.checkPath
      Authorization.checkFilePath
      Authorization.checkScriptHash
  addFilter
    Example
    Parameters
      Group.ID
      Filter.objectClassId
      Filter.attribute
      Filter.type
      Filter.expression
  addGroup
    Example
    Parameters
      Group.name
      Group.description
      Group.type
      Group.dynamic
      Group.permissions
  addPasswordPolicy
    Example
    Parameters
      PasswordPolicy.name
      PasswordPolicy.description
      Attribute.passwordPrefix
      Attribute.composedOfUpperCaseCharacters
      Attribute.composedOfLowerCaseCharacters
      Attribute.composedOfNumericCharacters
      Attribute.composedOfSpecialCharacters
      Attribute.specialCharacters
      Attribute.firstCharacterUpperCase
      Attribute.firstCharacterLowerCase
      Attribute.firstCharacterNumeric
      Attribute.firstCharacterSpecial
      Attribute.firstCharacterSpecials
      Attribute.mustNotContainConsecutiveDuplicateCharacters
      Attribute.mustNotContainAnyDuplicateCharacters
      Attribute.mustNotContainCharacters
      Attribute.composedOfMustNotContainCharacters
      Attribute.minLength
      Attribute.maxLength
      Attribute.minIterationsBeforeReuse
      Attribute.minDaysBeforeReuse
      Attribute.enableMaxPasswordAge
      Attribute.maxPasswordAge
  addPasswordViewPolicy
    Example
    Parameters
      PasswordViewPolicy.name
      PasswordViewPolicy.description
      PasswordViewPolicy.changePasswordOnView
      PasswordViewPolicy.allowChangePasswordOnViewForSso
      PasswordViewPolicy.passwordChangeInterval
      PasswordViewPolicy.checkinCheckoutRequired
      PasswordViewPolicy.checkinCheckoutInterval
      PasswordViewPolicy.dualAuthorization
      PasswordViewPolicy.dualAuthorizationInterval
      PasswordViewPolicy.approvers
      PasswordViewPolicy.approverIDs
      PasswordViewPolicy.authenticationRequired
      PasswordViewPolicy.enableOneClickApproval
      PasswordViewPolicy.passwordViewRequestMaxInterval
      PasswordViewPolicy.passwordViewRequestMaxDays
  addRequestScript
    Example
    Parameters
      RequestServer.hostName
  addRequestServer
    Example
    Parameters
      RequestServer.hostName
      RequestServer.deviceName
      RequestServer.active
      RequestServer.autoPatch
      RequestServer.preserveHostName
      RequestServer.type
      Attribute.descriptor1
      Attribute.descriptor2
  addRequestServerDefaults
    Example
    Parameters
      RequestServerDefaults.subnet
      RequestServerDefaults.type
      RequestServerDefaults.active
      RequestServerDefaults.descriptor1
      RequestServerDefaults.descriptor2
  addRole
    Example
    Parameters
      Role.name
      Role.description
      Role.permissions
  addSite
    Example
    Parameters
      Site.name
      Site.type
      Site.hostName
  addSSHKeyPairPolicy
    Example
    Parameters
      SSHKeyPairPolicy.name
      SSHKeyPairPolicy.description
      SSHKeyPairPolicy.keyType
      SSHKeyPairPolicy.keyLength
  addTargetAccount
    Example
    Parameters
      TargetServer.hostName
      TargetApplication.name
      TargetApplication.ID
      TargetAccount.userName
      TargetAccount.password
      TargetAccount.cacheAllow
      TargetAccount.cacheBehavior
      TargetAccount.cacheDuration
      TargetAccount.privileged
      TargetAccount.accessType
      TargetAccount.synchronize
      Attribute.descriptor1
      Attribute.descriptor2
      PasswordViewPolicy.name
      TargetAlias.name
      useTargetAliasNameParameter
      TargetAccount.compoundAccount
      TargetAccount.compoundServerIDs
      passwordIsBase64Encoded
  addTargetAlias
    Example
    Parameters
      TargetServer.hostName
      TargetApplication.name
      TargetAccount.userName
      TargetAccount.ID
      TargetAlias.name
  addTargetApplication
    Example
    Parameters
      TargetServer.ID
      TargetServer.hostName
      TargetApplication.name
      TargetApplication.type
      PasswordPolicy.name
      PasswordPolicy.ID
      Attribute.descriptor1
      Attribute.descriptor2
      Attribute.enableAutoConnectTargetAccount
  addTargetServer
    Example
    Parameters
      TargetServer.hostName
      TargetServer.deviceName
      Attribute.descriptor1
      Attribute.descriptor2
  addUser
    Example
    Parameters
      User.userID
      User.password
      User.authenticationType
      User.status
      User.userGroupIDS
      User.userGroupNames
      User.firstName
      User.lastName
      User.email
      User.viewType
  addUserGroup
    Example
    Parameters
      UserGroup.name
      UserGroup.description
      UserGroup.roleID
      UserGroup.groups
      UserGroup.readOnly
  archiveAuditData
Example .............................................................................................................................................. 98
Parameters .......................................................................................................................................... 98
endDate ...................................................................................................................................... 98
archiveMetricData ..................................................................................................................................... 99
Example .............................................................................................................................................. 99
Parameters .......................................................................................................................................... 99
endDate ...................................................................................................................................... 99
fileName ..................................................................................................................................... 99
resultLimit ................................................................................................................................. 100
batchSequence ....................................................................................................................................... 100
Example ............................................................................................................................................ 100
Parameters ........................................................................................................................................ 100
inputfile ..................................................................................................................................... 100
outputfile ................................................................................................................................... 100
stopOnError .............................................................................................................................. 101

multipleTransactions ................................................................................................................ 101
canGetCredentials ................................................................................................................................... 101
Example ............................................................................................................................................ 101
Parameters ........................................................................................................................................ 101
TargetAlias.name ..................................................................................................................... 101
RequestScript.name ................................................................................................................. 102
RequestScript.filePath .............................................................................................................. 102
RequestScript.executionPath ................................................................................................... 102
Authorization.executionUser .................................................................................................... 102
RequestServer.hostName ........................................................................................................ 102
RequestServer.osName ........................................................................................................... 102
checkConnectionStatus ........................................................................................................................... 103
Example ............................................................................................................................................ 103
checkDelete ............................................................................................................................................. 103
Example ............................................................................................................................................ 103
Parameters ........................................................................................................................................ 103
TargetServer.ID ........................................................................................................................ 103
RequestServer.ID ..................................................................................................................... 103
checkInAccountPassword ....................................................................................................................... 103
Example ............................................................................................................................................ 104
deleteAuthorization .................................................................................................................................. 104
Example ............................................................................................................................................ 104
Parameters ........................................................................................................................................ 104
Authorization.ID ........................................................................................................................ 104
TargetAlias.name ..................................................................................................................... 104
RequestServer.hostName ........................................................................................................ 104
RequestScript.name ................................................................................................................. 105
RequestScript.executionPath ................................................................................................... 105
Authorization.targetGroupName .............................................................................................. 105
Authorization.requestGroupName ............................................................................................ 105
deleteFilter ............................................................................................................................................... 106
Example ............................................................................................................................................ 106
Parameters ........................................................................................................................................ 106
Filter.ID ..................................................................................................................................... 106
deleteGroup ............................................................................................................................................. 106
Example ............................................................................................................................................ 106
Parameters ........................................................................................................................................ 106
Group.ID ................................................................................................................................... 106
Group.name ............................................................................................................................. 107
Group.type ............................................................................................................................... 107
deletePasswordPolicy ............................................................................................................................. 107

Example ............................................................................................................................................ 107
Parameters ........................................................................................................................................ 107
PasswordPolicy.ID ................................................................................................................... 107
PasswordPolicy.name .............................................................................................................. 108
deletePasswordViewPolicy ..................................................................................................................... 108
Example ............................................................................................................................................ 108
Parameters ........................................................................................................................................ 108
PasswordViewPolicy.ID ........................................................................................................... 108
PasswordViewPolicy.name ...................................................................................................... 108
deletePasswordViewRequest .................................................................................................................. 109
Example ............................................................................................................................................ 109
Parameters ........................................................................................................................................ 109
PasswordViewRequest.ID ........................................................................................................ 109
deleteRequestScript ................................................................................................................................ 109
Example ............................................................................................................................................ 109
Parameters ........................................................................................................................................ 109
RequestScript.ID ...................................................................................................................... 109
RequestServer.hostName ........................................................................................................ 110
RequestScript.name ................................................................................................................. 110
RequestScript.executionPath ................................................................................................... 110
deleteRequestServer ............................................................................................................................... 110
Example ............................................................................................................................................ 110
Parameters ........................................................................................................................................ 111
RequestServer.hostName ........................................................................................................ 111
RequestServer.deviceName .................................................................................................... 111
RequestServer.ID: The unique ID for the request server. ........................................................ 111
RequestServer.type: The type of the request server. .............................................................. 111
deleteRequestServerDefaults ................................................................................................................. 111
Example ............................................................................................................................................ 111
Parameters ........................................................................................................................................ 112
RequestServerDefaults.ID ....................................................................................................... 112
deleteRole ............................................................................................................................................... 112
Example ............................................................................................................................................ 112
Parameters ........................................................................................................................................ 112
Role.ID ..................................................................................................................................... 112
deleteSite ................................................................................................................................................ 112
Example ............................................................................................................................................ 112
Parameters ........................................................................................................................................ 113
Site.ID ...................................................................................................................................... 113
deleteSSHKeyPairPolicy ......................................................................................................................... 113
Example ............................................................................................................................................ 113

Parameters ........................................................................................................................................ 113
SSHKeyPairPolicy.ID ............................................................................................................... 113
SSHKeyPairPolicy.name .......................................................................................................... 113
deleteSystemProperty ............................................................................................................................. 114
Example ............................................................................................................................................ 114
Parameters ........................................................................................................................................ 114
propertyName .......................................................................................................................... 114
deleteTargetAccount ............................................................................................................................... 114
Example ............................................................................................................................................ 114
Parameters ........................................................................................................................................ 114
TargetServer.hostName ........................................................................................................... 114
TargetApplication.name ........................................................................................................... 115
TargetAccount.userName ........................................................................................................ 115
TargetAccount.ID ..................................................................................................................... 115
deleteTargetAlias .................................................................................................................................... 115
Example ............................................................................................................................................ 116
Parameters ........................................................................................................................................ 116
TargetAlias.name ..................................................................................................................... 116
TargetAlias.ID .......................................................................................................................... 116
deleteTargetApplication ........................................................................................................................... 116
Example ............................................................................................................................................ 116
Parameters ........................................................................................................................................ 117
TargetServer.hostName ........................................................................................................... 117
TargetApplication.name ........................................................................................................... 117
TargetApplication.ID ................................................................................................................. 117
deleteTargetServer .................................................................................................................................. 117
Example ............................................................................................................................................ 117
Parameters ........................................................................................................................................ 118
TargetServer.ID ........................................................................................................................ 118
TargetServer.hostName ........................................................................................................... 118
TargetServer.deviceName ....................................................................................................... 118
deleteUser ............................................................................................................................................... 118
Example ............................................................................................................................................ 118
Parameters ........................................................................................................................................ 119
User.userID .............................................................................................................................. 119
deleteUserGroup ..................................................................................................................................... 119
Example ............................................................................................................................................ 119
Parameters ........................................................................................................................................ 119
UserGroup.ID ........................................................................................................................... 119
UserGroup.name ...................................................................................................................... 119
disableCLIHostNameCheck .................................................................................................................... 120

Example ............................................................................................................................................ 120
disableFingerprinting ............................................................................................................................... 120
Example ............................................................................................................................................ 120
enableCLIHostNameCheck ..................................................................................................................... 120
Example ............................................................................................................................................ 120
enableFingerprinting ................................................................................................................................ 120
Example ............................................................................................................................................ 120
enableLicense ......................................................................................................................................... 121
Example ............................................................................................................................................ 121
Parameters ........................................................................................................................................ 121
license ...................................................................................................................................... 121
expirePasswordViewRequest .................................................................................................................. 121
Example ............................................................................................................................................ 121
forceCheckInAccountPassword .............................................................................................................. 121
Example ............................................................................................................................................ 121
Parameters ........................................................................................................................................ 122
TargetAccount.ID ..................................................................................................................... 122
PasswordViewRequest.ID ........................................................................................................ 122
generateEncryptedPassword .................................................................................................................. 122
Example ............................................................................................................................................ 122
Parameters ........................................................................................................................................ 122
password .................................................................................................................................. 122
getAllScriptHash ...................................................................................................................................... 123
Example ............................................................................................................................................ 123
Parameters ........................................................................................................................................ 123
RequestServer.hostName ........................................................................................................ 123
RequestServer.ID ..................................................................................................................... 123
getAwsManagementConsoleSessionUrl ................................................................................................. 123
Example ............................................................................................................................................ 123
Parameters ........................................................................................................................................ 124
AWS.accessKeyID ................................................................................................................... 124
AWS.secretAccessKey ............................................................................................................ 124
AWS.issuerUrl .......................................................................................................................... 124
AWS.consoleUrl ....................................................................................................................... 124
AWS.signinUrl .......................................................................................................................... 124
AWS.policy ............................................................................................................................... 125
AWS.stsEndpoint ..................................................................................................................... 125
AWS.sessionDuration .............................................................................................................. 125
AWS.urlEncodeOption ............................................................................................................. 125
AWS.federatedUserName ........................................................................................................ 125
getErrorCodes ......................................................................................................................................... 125

Example ............................................................................................................................................ 126
getEventProcessingMetrics ..................................................................................................................... 126
Example ............................................................................................................................................ 126
Parameters ........................................................................................................................................ 126
samplePeriodMinutes ............................................................................................................... 126
getLocalProperty ..................................................................................................................................... 126
Example ............................................................................................................................................ 126
Parameters ........................................................................................................................................ 127
propertyName .......................................................................................................................... 127
getLogs .................................................................................................................................................... 127
Example ............................................................................................................................................ 127
Parameters ........................................................................................................................................ 127
RequestServer.ID ..................................................................................................................... 127
Site.ID ...................................................................................................................................... 127
hostName ................................................................................................................................. 127
maxSize ................................................................................................................................... 128
getMostRecentPasswordHistory ............................................................................................................. 128
getMSOLFederatedSessionCmd ............................................................................................................ 128
Example ............................................................................................................................................ 128
Parameters ........................................................................................................................................ 128
MSOL.stsEndpointUrl ............................................................................................................... 128
MSOL.stsEndpointReferenceUri .............................................................................................. 129
MSOL.portalUrl ........................................................................................................................ 129
MSOL.wctx ............................................................................................................................... 129
TargetAccount.ID ..................................................................................................................... 129
reason ...................................................................................................................................... 129
reasonDetails ........................................................................................................................... 129
PasswordViewRequest.requestPeriodStart ............................................................................. 130
PasswordViewRequest.requestPeriodEnd .............................................................................. 130
referenceCode ......................................................................................................................... 130
getNumberOfAccounts ............................................................................................................................ 130
Example ............................................................................................................................................ 130
getRequestServerDefaults ...................................................................................................................... 130
Example ............................................................................................................................................ 131
Parameters ........................................................................................................................................ 131
RequestServerDefaults.ID ....................................................................................................... 131
getScriptHashAsynchronous ................................................................................................................... 131
Example ............................................................................................................................................ 131
Parameters ........................................................................................................................................ 131
RequestScript.ID ...................................................................................................................... 131
getServiceStatus ..................................................................................................................................... 131

Example ............................................................................................................................................ 132
Parameters ........................................................................................................................................ 132
TargetAccount.ID ..................................................................................................................... 132
TargetServer.hostName ........................................................................................................... 132
TargetApplication.name ........................................................................................................... 132
TargetAccount.userName ........................................................................................................ 132
getSystemProperty .................................................................................................................................. 133
Example ............................................................................................................................................ 133
Parameters ........................................................................................................................................ 133
propertyName .......................................................................................................................... 133
listDBClusterMembers ............................................................................................................................. 133
Example ............................................................................................................................................ 133
listDiscoveredAccounts ........................................................................................................................... 133
Example ............................................................................................................................................ 133
Parameters ........................................................................................................................................ 134
TargetApplication.ID ................................................................................................................. 134
TargetApplication.name ........................................................................................................... 134
listDiscoveredServices ............................................................................................................................ 134
Example ............................................................................................................................................ 134
Parameters ........................................................................................................................................ 134
TargetAccount.ID ..................................................................................................................... 134
TargetAccount.userName ........................................................................................................ 135
TargetApplication.name ........................................................................................................... 135
TargetServer.name .................................................................................................................. 135
discoveryUseProxy .................................................................................................................. 135
listDiscoveredTasks ................................................................................................................................ 135
Example ............................................................................................................................................ 135
Parameters ........................................................................................................................................ 135
TargetAccount.ID ..................................................................................................................... 135
TargetAccount.userName ........................................................................................................ 136
TargetApplication.name ........................................................................................................... 136
TargetServer.name .................................................................................................................. 136
discoveryUseProxy .................................................................................................................. 136
listPasswordViewRequestByApproverSummary ..................................................................................... 136
listPasswordViewRequestByRequestorSummary ................................................................................... 136
listRequestServerDefaults ....................................................................................................................... 137
Example ............................................................................................................................................ 137
Parameters ........................................................................................................................................ 137
RequestServerDefaults.ipAddress ........................................................................................... 137
RequestServerDefaults.type .................................................................................................... 137
renameUser ............................................................................................................................................. 137

Example ............................................................................................................................................ 137
Parameters ........................................................................................................................................ 137
User.userID .............................................................................................................................. 137
User.newUserID ....................................................................................................................... 138
User.gkUserId .......................................................................................................................... 138
resetClientCache ..................................................................................................................................... 138
resetDBHash ........................................................................................................................................... 138
Example ............................................................................................................................................ 138
resetGroupCache .................................................................................................................................... 139
Example ............................................................................................................................................ 139
Parameters ........................................................................................................................................ 139
Group.name ............................................................................................................................. 139
searchAgent ............................................................................................................................................ 139
Example ............................................................................................................................................ 139
Parameters ........................................................................................................................................ 139
Agent.ID ................................................................................................................................... 139
Agent.hostName ...................................................................................................................... 139
Agent.ipAddress ....................................................................................................................... 140
Agent.deviceName ................................................................................................................... 140
Agent.clientVersion .................................................................................................................. 140
Agent.active ............................................................................................................................. 140
Agent.actionRequired ............................................................................................................... 140
Page.Number ........................................................................................................................... 140
Page.Size ................................................................................................................................. 141
Sort.Property ............................................................................................................................ 141
Sort.Direction ........................................................................................................................... 141
searchAuthorization ................................................................................................................................. 141
Example ............................................................................................................................................ 141
Parameters ........................................................................................................................................ 141
Authorization.executionUser .................................................................................................... 141
Authorization.checkExecutionID .............................................................................................. 142
Authorization.checkPath .......................................................................................................... 142
Authorization.checkFilePath ..................................................................................................... 142
Authorization.checkScriptHash ................................................................................................ 142
Authorization.ID ........................................................................................................................ 142
RequestServer.ID ..................................................................................................................... 143
RequestScript.ID ...................................................................................................................... 143
TargetAlias.ID .......................................................................................................................... 143
Authorization.targetGroupId ..................................................................................................... 143
Authorization.requestGroupId .................................................................................................. 143
Page.Number ........................................................................................................................... 143
Page.Size ................................................................................................................................. 143

Sort.Property ............................................................................................................................ 144
Sort.Direction ........................................................................................................................... 144
searchFilter .............................................................................................................................................. 144
Example ............................................................................................................................................ 144
Parameters ........................................................................................................................................ 144
Filter.ID ..................................................................................................................................... 144
Group.ID ................................................................................................................................... 144
Filter.attribute ........................................................................................................................... 145
Filter.type ................................................................................................................................. 145
Filter.expression ....................................................................................................................... 145
Filter.objectClassId ................................................................................................................... 145
Page.Number ........................................................................................................................... 145
Page.Size ................................................................................................................................. 145
Sort.Property ............................................................................................................................ 146
Sort.Direction ........................................................................................................................... 146
searchGroup ............................................................................................................................................ 146
Example ............................................................................................................................................ 146
Parameters ........................................................................................................................................ 146
Group.ID ................................................................................................................................... 146
Group.name ............................................................................................................................. 146
Group.description ..................................................................................................................... 147
Group.type ............................................................................................................................... 147
Page.Number ........................................................................................................................... 147
Page.Size ................................................................................................................................. 147
Sort.Property ............................................................................................................................ 147
Sort.Direction ........................................................................................................................... 147
searchPasswordPolicy ............................................................................................................................ 148
Example ............................................................................................................................................ 148
Parameters ........................................................................................................................................ 148
PasswordPolicy.name .............................................................................................................. 148
PasswordPolicy.description ..................................................................................................... 148
Page.Number ........................................................................................................................... 148
Page.Size ................................................................................................................................. 148
Sort.Property ............................................................................................................................ 149
Sort.Direction ........................................................................................................................... 149
searchPasswordViewPolicy .................................................................................................................... 149
Example ............................................................................................................................................ 149
Parameters ........................................................................................................................................ 149
PasswordViewPolicy.name ...................................................................................................... 149
PasswordViewPolicy.description .............................................................................................. 149
Page.Number ........................................................................................................................... 150
Page.Size ................................................................................................................................. 150

Sort.Property ............................................................................................................................ 150
Sort.Direction ........................................................................................................................... 150
searchPasswordViewRequest ................................................................................................................. 150
Example ............................................................................................................................................ 150
Parameters ........................................................................................................................................ 151
PasswordViewRequest.requestorID ........................................................................................ 151
PasswordViewRequest.approverID ......................................................................................... 151
PasswordViewRequest.status .................................................................................................. 151
PasswordViewRequest.targetAccountID ................................................................................. 151
PasswordViewRequest.isCheckedOut ..................................................................................... 151
Page.Number ........................................................................................................................... 151
Page.Size ................................................................................................................................. 152
Sort.Property ............................................................................................................................ 152
Sort.Direction ........................................................................................................................... 152
searchPasswordViewRequestByApprover .............................................................................................. 152
Example ............................................................................................................................................ 152
Parameters ........................................................................................................................................ 152
PasswordViewRequest.requestorID ........................................................................................ 152
PasswordViewRequest.status .................................................................................................. 153
PasswordViewRequest.targetAccountID ................................................................................. 153
Page.Number ........................................................................................................................... 153
Page.Size ................................................................................................................................. 153
Sort.Property ............................................................................................................................ 153
Sort.Direction ........................................................................................................................... 153
searchPasswordViewRequestByRequestor ............................................................................................ 154
searchPasswordViewRequestByRequestor ...................................................................................... 154
Example ................................................................................................................................... 154
Parameters ............................................................................................................................... 154
searchRequestScript ............................................................................................................................... 155
Example ............................................................................................................................................ 155
Parameters ........................................................................................................................................ 155
RequestServer.ID ..................................................................................................................... 155
RequestScript.name ................................................................................................................. 155
RequestScript.ID ...................................................................................................................... 156
RequestScript.filePath .............................................................................................................. 156
RequestScript.executionPath ................................................................................................... 156
Page.Number ........................................................................................................................... 156
Page.Size ................................................................................................................................. 156
Sort.Property ............................................................................................................................ 156
Sort.Direction ........................................................................................................................... 157
searchRequestServer .............................................................................................................................. 157
Example ............................................................................................................................................ 157

Parameters ........................................................................................................................................ 157
RequestServer.ID ..................................................................................................................... 157
RequestServer.hostName ........................................................................................................ 157
RequestServer.deviceName .................................................................................................... 157
RequestServer.ipAddress ........................................................................................................ 158
RequestServer.clientVersion .................................................................................................... 158
RequestServer.active ............................................................................................................... 158
RequestServer.actionRequired ................................................................................................ 158
Page.Number ........................................................................................................................... 158
Page.Size ................................................................................................................................. 158
Sort.Property ............................................................................................................................ 159
Sort.Direction ........................................................................................................................... 159
searchRole .............................................................................................................................................. 159
Example ............................................................................................................................................ 159
Parameters ........................................................................................................................................ 159
Role.ID ..................................................................................................................................... 159
Role.name ................................................................................................................................ 159
Role.description ....................................................................................................................... 159
Page.Number ........................................................................................................................... 160
Page.Size ................................................................................................................................. 160
Sort.Property ............................................................................................................................ 160
Sort.Direction ........................................................................................................................... 160
searchSite ............................................................................................................................................... 160
Example ............................................................................................................................................ 160
searchSSHKeyPairPolicy ........................................................................................................................ 161
searchSSHKeyPairPolicy .................................................................................................................. 161
Example ................................................................................................................................... 161
Parameters ............................................................................................................................... 161
searchTargetAccount .............................................................................................................................. 162
Example ............................................................................................................................................ 162
Parameters ........................................................................................................................................ 162
TargetAccount.ID ..................................................................................................................... 162
TargetApplication.ID ................................................................................................................. 162
TargetApplication.name ........................................................................................................... 162
TargetApplication.type ............................................................................................................. 162
TargetAccount.userName ........................................................................................................ 163
TargetAccount.accessType ...................................................................................................... 163
TargetAccount.cacheAllow (Deprecated) ................................................................................. 163
TargetAccount.cacheBehavior ................................................................................................. 163
TargetAccount.cacheDuration .................................................................................................. 163
TargetAccount.privileged ......................................................................................................... 164
TargetAccount.synchronize ...................................................................................................... 164
TargetAccount.passwordVerified ............................................................................................. 164
Page.Number ........................................................................................................................... 164
Page.Size ................................................................................................................................. 164
Sort.Property ............................................................................................................................ 164
Sort.Direction ........................................................................................................................... 165
searchTargetAlias ................................................................................................................................... 165
Example ............................................................................................................................................ 165
Parameters ........................................................................................................................................ 165
TargetAlias.name ..................................................................................................................... 165
TargetAccount.ID ..................................................................................................................... 165
TargetAlias.ID .......................................................................................................................... 166
TargetServer.hostName ........................................................................................................... 166
TargetApplication.name ........................................................................................................... 166
TargetAccount.userName ........................................................................................................ 166
Page.Number ........................................................................................................................... 166
Page.Size ................................................................................................................................. 166
Sort.Property ............................................................................................................................ 167
Sort.Direction ........................................................................................................................... 167
searchTargetApplication .......................................................................................................................... 167
Example ............................................................................................................................................ 167
Parameters ........................................................................................................................................ 167
TargetApplication.ID ................................................................................................................. 167
TargetServer.ID ........................................................................................................................ 167
TargetApplication.name ........................................................................................................... 168
TargetApplication.type ............................................................................................................. 168
Page.Number ........................................................................................................................... 168
Page.Size ................................................................................................................................. 168
Sort.Property ............................................................................................................................ 168
Sort.Direction ........................................................................................................................... 168
searchTargetServer ................................................................................................................................. 169
Example ............................................................................................................................................ 169
Parameters ........................................................................................................................................ 169
TargetServer.ID ........................................................................................................................ 169
TargetServer.hostName ........................................................................................................... 169
TargetServer.ipAddress ........................................................................................................... 169
TargetServer.deviceName ....................................................................................................... 169
Page.Number ........................................................................................................................... 169
Page.Size ................................................................................................................................. 170
Sort.Property ............................................................................................................................ 170
Sort.Direction ........................................................................................................................... 170
searchUser .............................................................................................................................................. 170
Example ............................................................................................................................................ 170
Parameters ........................................................................................................................................ 170
UserGroup.ID ........................................................................................................................... 170
User.authenticationType .......................................................................................................... 171
User.status ............................................................................................................................... 171
User.firstName ......................................................................................................................... 171
User.lastName ......................................................................................................................... 171
searchUserGroup .................................................................................................................................... 171
Example ............................................................................................................................................ 171
Parameters ........................................................................................................................................ 172
UserGroup.ID ........................................................................................................................... 172
UserGroup.name ...................................................................................................................... 172
UserGroup.description ............................................................................................................. 172
UserGroup.userID .................................................................................................................... 172
Page.Number ........................................................................................................................... 172
Page.Size ................................................................................................................................. 172
Sort.Property ............................................................................................................................ 173
Sort.Direction ........................................................................................................................... 173
setDisasterRecoverySettings .................................................................................................................. 173
Example ............................................................................................................................................ 173
Parameters ........................................................................................................................................ 173
enable ...................................................................................................................................... 173
setInitProperty ......................................................................................................................................... 173
Example ............................................................................................................................................ 174
Parameters ........................................................................................................................................ 174
propertyName .......................................................................................................................... 174
propertyValue ........................................................................................................................... 174
setLocalProperty ..................................................................................................................................... 174
Example ............................................................................................................................................ 174
Parameters ........................................................................................................................................ 174
propertyName .......................................................................................................................... 174
propertyValues ......................................................................................................................... 175
setPasswordViewReasons ...................................................................................................................... 175
Example ............................................................................................................................................ 175
Parameters ........................................................................................................................................ 175
reasons .................................................................................................................................... 175
setPasswordViewRequestDeleteInterval ................................................................................................ 175
Example ............................................................................................................................................ 175
Parameters ........................................................................................................................................ 176
deleteIntervalDays ................................................................................................................... 176
setReportRowLimit .................................................................................................................................. 176
Example ............................................................................................................................................ 176
Parameters ........................................................................................................................................ 176
rowLimit .................................................................................................................................... 176
setSystemProperty .................................................................................................................................. 176
Example ............................................................................................................................................ 176
Parameters ........................................................................................................................................ 176
propertyName .......................................................................................................................... 176
propertyValues ......................................................................................................................... 177
encryptValue ............................................................................................................................ 177
propertyValueBlankAllowed ..................................................................................................... 177
updateAuthorization ................................................................................................................................ 177
Example ............................................................................................................................................ 177
Parameters ........................................................................................................................................ 177
Authorization.ID ........................................................................................................................ 177
TargetAlias.ID .......................................................................................................................... 178
Authorization.targetGroupId ..................................................................................................... 178
RequestServer.ID ..................................................................................................................... 178
RequestScript.ID ...................................................................................................................... 178
Authorization.requestGroupId .................................................................................................. 178
Authorization.checkExecutionID .............................................................................................. 178
Authorization.executionUser .................................................................................................... 179
Authorization.checkPath .......................................................................................................... 179
Authorization.checkFilePath ..................................................................................................... 179
Authorization.checkScriptHash ................................................................................................ 179
updateDBClusterMembers ...................................................................................................................... 179
Example ............................................................................................................................................ 180
Parameters ........................................................................................................................................ 180
database.ID .............................................................................................................................. 180
active ........................................................................................................................................ 180
method ..................................................................................................................................... 180
updateDBPassword ................................................................................................................................. 180
updateDBPassword .......................................................................................................................... 180
Example ................................................................................................................................... 181
Parameters ............................................................................................................................... 181
updateFilter ............................................................................................................................................. 181
Example ............................................................................................................................................ 182
Parameters ........................................................................................................................................ 182
Filter.ID ..................................................................................................................................... 182
Filter.objectClassId ................................................................................................................... 182
Filter.attribute ........................................................................................................................... 182
Filter.type ................................................................................................................................. 182
Filter.expression ....................................................................................................................... 182
updateGroup ........................................................................................................................................... 183
Example ............................................................................................................................................ 183
Parameters ........................................................................................................................................ 183
Group.ID ................................................................................................................................... 183
Group.name ............................................................................................................................. 183
Group.description ..................................................................................................................... 183
Group.type ............................................................................................................................... 183
Group.dynamic ......................................................................................................................... 183
Group.permissions ................................................................................................................... 184
updatePasswordPolicy ............................................................................................................................ 184
Example ............................................................................................................................................ 184
Parameters ........................................................................................................................................ 184
PasswordPolicy.ID ................................................................................................................... 184
PasswordPolicy.name .............................................................................................................. 184
PasswordPolicy.description ..................................................................................................... 184
Attribute.passwordPrefix .......................................................................................................... 185
Attribute.composedOfUpperCaseCharacters ........................................................................... 185
Attribute.composedOfLowerCaseCharacters ........................................................................... 185
Attribute.composedOfNumericCharacters ............................................................................... 185
Attribute.composedOfSpecialCharacters ................................................................................. 185
Attribute.specialCharacters ...................................................................................................... 185
Attribute.firstCharacterUpperCase ........................................................................................... 185
Attribute.firstCharacterLowerCase ........................................................................................... 186
Attribute.firstCharacterNumeric ................................................................................................ 186
Attribute.firstCharacterSpecial ................................................................................................. 186
Attribute.firstCharacterSpecials ................................................................................................ 186
Attribute.mustNotContainConsecutiveDuplicateCharacters ..................................................... 186
Attribute.mustNotContainAnyDuplicateCharacters .................................................................. 186
Attribute.mustNotContainCharacters ....................................................................................... 187
Attribute.composedOfMustNotContainCharacters ................................................................... 187
Attribute.minLength .................................................................................................................. 187
Attribute.maxLength ................................................................................................................. 187
Attribute.minIterationsBeforeReuse ......................................................................................... 187
Attribute.minDaysBeforeReuse ................................................................................................ 187
Attribute.enableMaxPasswordAge ........................................................................................... 188
Attribute.maxPasswordAge ...................................................................................................... 188
updatePasswordViewPolicy .................................................................................................................... 188
Example ............................................................................................................................................ 188
Parameters ........................................................................................................................................ 188
PasswordViewPolicy.ID ........................................................................................................... 188
PasswordViewPolicy.name ...................................................................................................... 188
PasswordViewPolicy.description .............................................................................................. 189
PasswordViewPolicy.changePasswordOnView ....................................................................... 189
PasswordViewPolicy.allowChangePasswordOnViewForSso .................................................. 189

Programming 23
PasswordViewPolicy.passwordChangeInterval ....................................................................... 189
PasswordViewPolicy.checkinCheckoutRequired ..................................................................... 189
PasswordViewPolicy.checkinCheckoutInterval ........................................................................ 189
PasswordViewPolicy.dualAuthorization ................................................................................... 190
PasswordViewPolicy.dualAuthorizationInterval ....................................................................... 190
PasswordViewPolicy.approvers ............................................................................................... 190
PasswordViewPolicy.approverIDs ........................................................................................... 190
PasswordViewPolicy.authenticationRequired .......................................................................... 190
PasswordViewPolicy.enableOneClickApproval ....................................................................... 191
PasswordViewPolicy.passwordViewRequestMaxInterval ........................................................ 191
PasswordViewPolicy.passwordViewRequestMaxDays ........................................................... 191
updatePasswordViewRequestStatus ...................................................................................................... 191
Example ............................................................................................................................................ 191
Parameters ........................................................................................................................................ 191
PasswordViewRequest.ID ........................................................................................................ 191
PasswordViewRequest.status .................................................................................................. 192
PasswordViewRequest.statusCode ......................................................................................... 192
PasswordViewRequest.approvalReason ................................................................................. 192
PasswordViewRequest.approvalReasonDescription ............................................................... 192
updateRequestScript ............................................................................................................................... 192
Example ............................................................................................................................................ 193
Parameters ........................................................................................................................................ 193
RequestScript.ID ...................................................................................................................... 193
RequestServer.ID ..................................................................................................................... 193
RequestScript.name ................................................................................................................. 193
RequestScript.executionPath ................................................................................................... 193
RequestScript.filePath .............................................................................................................. 193
RequestScript.type ................................................................................................................... 194
Attribute.descriptor1 ................................................................................................................. 194
Attribute.descriptor2 ................................................................................................................. 194
updateRequestServer ............................................................................................................................. 194
Example ............................................................................................................................................ 194
Parameters ........................................................................................................................................ 194
RequestServer.ID ..................................................................................................................... 194
RequestServer.hostName ........................................................................................................ 195
RequestServer.deviceName .................................................................................................... 195
RequestServer.active ............................................................................................................... 195
RequestServer.port .................................................................................................................. 195
RequestServer.updatePortFlag ................................................................................................ 195
RequestServer.acceptPendingFingerprint ............................................................................... 195
RequestServer.preserveHostName ......................................................................................... 196
RequestServer.type ................................................................................................................. 196
RequestServer.patchStatus ..................................................................................................... 196
Attribute.descriptor1 ................................................................................................................. 196
Attribute.descriptor2 ................................................................................................................. 196
updateRequestServerDefaults ................................................................................................................ 197
Example ............................................................................................................................................ 197
Parameters ........................................................................................................................................ 197
RequestServerDefaults.ID ....................................................................................................... 197
RequestServerDefaults.subnet ................................................................................................ 197
RequestServerDefaults.type .................................................................................................... 197
RequestServerDefaults.active .................................................................................................. 197
RequestServerDefaults.descriptor1 ......................................................................................... 198
RequestServerDefaults.descriptor2 ......................................................................................... 198
updateRequestServerKey ....................................................................................................................... 198
Example ............................................................................................................................................ 198
Parameters ........................................................................................................................................ 198
RequestServer.hostName ........................................................................................................ 198
RequestServer.ID ..................................................................................................................... 198
updateRole .............................................................................................................................................. 199
Example ............................................................................................................................................ 199
Parameters ........................................................................................................................................ 199
Role.ID ..................................................................................................................................... 199
Role.name ................................................................................................................................ 199
Role.description ....................................................................................................................... 199
Role.permissions ...................................................................................................................... 199
updateServerKey ..................................................................................................................................... 200
updateServerKey .............................................................................................................................. 200
Example ................................................................................................................................... 200
updateSite ............................................................................................................................................... 200
Example ............................................................................................................................................ 200
Parameters ........................................................................................................................................ 200
Site.ID ...................................................................................................................................... 200
Site.name ................................................................................................................................. 200
Site.type ................................................................................................................................... 201
Site.hostName .......................................................................................................................... 201
updateSSHKeyPairPolicy ........................................................................................................................ 201
Example ............................................................................................................................................ 201
Parameters ........................................................................................................................................ 201
SSHKeyPairPolicy.ID ............................................................................................................... 201
SSHKeyPairPolicy.name .......................................................................................................... 201
SSHKeyPairPolicy.description ................................................................................................. 202
SSHKeyPairPolicy.keyType ..................................................................................................... 202
SSHKeyPairPolicy.keyLength .................................................................................................. 202

updateTargetAccount .............................................................................................................................. 202
Example ............................................................................................................................................ 202
Parameters ........................................................................................................................................ 203
TargetAccount.ID ..................................................................................................................... 203
TargetApplication.ID ................................................................................................................. 203
TargetAccount.userName ........................................................................................................ 203
TargetAccount.password ......................................................................................................... 203
TargetAccount.cacheAllow (Deprecated) ................................................................................. 203
TargetAccount.cacheBehavior ................................................................................................. 204
TargetAccount.cacheDuration .................................................................................................. 204
TargetAccount.privileged ......................................................................................................... 204
TargetAccount.accessType ...................................................................................................... 204
TargetAccount.synchronize ...................................................................................................... 204
Attribute.changePasswordAfterViewing ................................................................................... 205
Attribute.descriptor1 ................................................................................................................. 205
Attribute.descriptor2 ................................................................................................................. 205
PasswordViewPolicy.ID ........................................................................................................... 205
TargetAlias.name ..................................................................................................................... 205
useTargetAliasNameParameter ............................................................................................... 206
TargetAccount.compoundAccount ........................................................................................... 206
TargetAccount.compoundServerIDs ........................................................................................ 206
passwordIsBase64Encoded ..................................................................................................... 206
updateTargetAccountDescriptor .............................................................................................................. 206
Example ............................................................................................................................................ 206
Parameters ........................................................................................................................................ 207
TargetServer.hostName ........................................................................................................... 207
TargetApplication.name ........................................................................................................... 207
TargetAccount.userName ........................................................................................................ 207
TargetAccount.ID ..................................................................................................................... 207
Attribute.descriptor1 ................................................................................................................. 207
Attribute.descriptor2 ................................................................................................................. 208
updateTargetAccountPassword .............................................................................................................. 208
Example ............................................................................................................................................ 208
Parameters ........................................................................................................................................ 208
TargetServer.hostName ........................................................................................................... 208
TargetApplication.name ........................................................................................................... 208
TargetAccount.userName ........................................................................................................ 209
TargetAccount.ID ..................................................................................................................... 209
groupID .................................................................................................................................... 209
password .................................................................................................................................. 209
confirmPassword ...................................................................................................................... 209
allowUnsynchronized ............................................................................................................... 210

TargetAccount.passwordVerified ............................................................................................. 210
updateTargetAlias ................................................................................................................................... 210
Example ............................................................................................................................................ 210
Parameters ........................................................................................................................................ 210
TargetAlias.ID .......................................................................................................................... 210
TargetAccount.ID ..................................................................................................................... 210
TargetAlias.name ..................................................................................................................... 211
updateTargetApplication ......................................................................................................................... 211
Example ............................................................................................................................................ 211
Parameters ........................................................................................................................................ 211
TargetApplication.ID ................................................................................................................. 211
TargetServer.ID ........................................................................................................................ 211
TargetApplication.name ........................................................................................................... 212
TargetApplication.type ............................................................................................................. 212
PasswordPolicy.name .............................................................................................................. 212
PasswordPolicy.ID ................................................................................................................... 212
Attribute.descriptor1 ................................................................................................................. 212
Attribute.descriptor2 ................................................................................................................. 213
Attribute.enableAutoConnectTargetAccount ............................................................................ 213
updateTargetServer ................................................................................................................................ 213
Example ............................................................................................................................................ 213
Parameters ........................................................................................................................................ 213
TargetServer.ID ........................................................................................................................ 213
TargetServer.hostName ........................................................................................................... 213
TargetServer.deviceName ....................................................................................................... 214
Attribute.descriptor1 ................................................................................................................. 214
Attribute.descriptor2 ................................................................................................................. 214
updateUser .............................................................................................................................................. 214
Example ............................................................................................................................................ 214
Parameters ........................................................................................................................................ 214
User.userID .............................................................................................................................. 214
User.password ......................................................................................................................... 215
User.authenticationType .......................................................................................................... 215
User.status ............................................................................................................................... 215
User.userGroupIDS .................................................................................................................. 215
User.userGroupNames ............................................................................................................ 215
User.firstName ......................................................................................................................... 216
User.lastName ......................................................................................................................... 216
User.email ................................................................................................................................ 216
User.viewType ......................................................................................................................... 216
User.viewType ......................................................................................................................... 216
updateUserGroup .................................................................................................................................... 216

Example ............................................................................................................................................ 217
Parameters ........................................................................................................................................ 217
UserGroup.ID ........................................................................................................................... 217
UserGroup.name ...................................................................................................................... 217
UserGroup.description ............................................................................................................. 217
UserGroup.roleID ..................................................................................................................... 217
UserGroup.groups .................................................................................................................... 217
UserGroup.readOnly ................................................................................................................ 218
updateUserPassword .............................................................................................................................. 218
Example ............................................................................................................................................ 218
Parameters ........................................................................................................................................ 218
User.password ......................................................................................................................... 218
updateUserStatus .................................................................................................................................... 218
Example ............................................................................................................................................ 219
Parameters ........................................................................................................................................ 219
User.userID .............................................................................................................................. 219
User.status ............................................................................................................................... 219
verifyAccountPassword ........................................................................................................................... 219
Example ............................................................................................................................................ 219
Parameters ........................................................................................................................................ 219
TargetAccount.ID ..................................................................................................................... 219
groupID .................................................................................................................................... 220
TargetAccount.passwordVerified ............................................................................................. 220
verifyDBHash .......................................................................................................................................... 220
Example ............................................................................................................................................ 220
viewAccountPassword ............................................................................................................................ 220
Example ............................................................................................................................................ 220
Parameters ........................................................................................................................................ 220
TargetAccount.ID ..................................................................................................................... 220
adminUserID ............................................................................................................................ 221
adminPassword ........................................................................................................................ 221
reason ...................................................................................................................................... 221
reasonDetails ........................................................................................................................... 221
selectedComponent ................................................................................................................. 221
ssoType .................................................................................................................................... 221
PasswordViewRequest.requestPeriodStart ............................................................................. 222
PasswordViewRequest.requestPeriodEnd .............................................................................. 222
referenceCode ......................................................................................................................... 222

Credential Manager CLI User Interface Actions ...................................... 223

Methods for Integrating the Credential Manager A2A Client ................... 232
Factors That Determine the Method to Use ............................................................................................ 232
Integrate Applications Using Java ........................................................................................................... 234
Java Integration Process ................................................................................................................... 235
CSPMClient and Related Java Classes ............................................................................................ 236
Integrate Applications Using the A2A Client ............................................................................................ 237
A2A Client Integration Process ......................................................................................................... 237
cspmclient Constraints ...................................................................................................................... 238
cspmclient Usage .............................................................................................................................. 238
cspmclient Return Values ................................................................................................................. 238
Integrate Windows Applications and Scripts Using a Windows DLL ....................................................... 239
MFC DLL Integration Process ........................................................................................................... 239
ATL DLL Integration Process ............................................................................................................ 240
DLL Methods ..................................................................................................................................... 240
DLL Constraints ................................................................................................................................ 241

A2A Integration Return Data ................................................................... 242


XML Return Schema ............................................................................................................................... 242
XML Return Example .............................................................................................................................. 243

Integrate Java Apps to Use Credential Manager .................................... 245


Integrate a Basic Java App ..................................................................................................................... 245
Example.java Code ........................................................................................................................... 245
Run_example Code .......................................................................................................................... 247
Basic Java Integration with Database Connection ............................................................................ 248
Register Requestor - Basic Java Application .................................................................................... 249
Use the JDBC Wrapper in a Standalone Java Application ...................................................................... 249
Application Code ............................................................................................................................... 250
Integrate a Java Application using JBoss ................................................................................................ 252
Integration Process for JBoss ........................................................................................................... 253
Configure Your Development Environment for JBoss ....................................................................... 253
Deploy and Run the Sample JBoss Application ................................................................................ 254
JBoss Credential Viewer ................................................................................................................... 255
Class File ................................................................................................................................. 255
JBoss Connection Pool with HSQLDB Data Store ............................................................................ 257
Data Source ............................................................................................................................. 258
Register JBoss Requestor ................................................................................................................ 259
Register HSQLDB as a Target Application ....................................................................................... 260

Register Mapping Between Request Server and Target Alias .......................................................... 260
HSQL Database Usage ..................................................................................................................... 261
Integrate a Java Application Using Tomcat ............................................................................................. 261
Integration Process for Tomcat ......................................................................................................... 262
Configure Your Development Environment for Apache Tomcat ....................................................... 263
Deploy and Run the Sample Tomcat Application .............................................................................. 265
Apache Tomcat Credential Viewer .................................................................................................... 265
Class File ................................................................................................................................. 266
Apache Tomcat Connection Pool with HSQLDB Data Store ............................................................ 268
Data Source ............................................................................................................................. 269
Register Apache Tomcat Requestor ................................................................................................. 269
Integrate a Java Application using WebLogic ......................................................................................... 270
Integration Process for WebLogic ..................................................................................................... 271
Configure your Development Environment for WebLogic ................................................................. 271
Deploy and Run the Sample WebLogic Application .......................................................................... 272
WebLogic Credential Viewer ............................................................................................................. 273
Class File ................................................................................................................................. 274
WebLogic Connection Pool with HSQLDB Data Store ..................................................................... 276
Register WebLogic Requestor .......................................................................................................... 279
Integrate a Java Application using WebSphere Community Edition ....................................................... 280
Integration Process for WebSphere CE ............................................................................................ 281
Configure your Development Environment for WebSphere CE ........................................................ 281
Deploy and Run the Sample WebSphere CE Application ................................................................. 285
WebSphere CE Credential Viewer .................................................................................................... 286
Class File ................................................................................................................................. 286
WebSphere CE Connection Pool with HSQLDB Data Store ............................................................ 288
Register WebSphere CE Requestor ................................................................................................. 289

Integrate Apps to Use the Credential Manager A2A Client on UNIX ...... 290
Integrate a Perl Script with A2A Client on UNIX ...................................................................................... 290
Code: Perl Script with A2A Client on UNIX ....................................................................................... 290
Register Requestor - Perl Script with A2A Client on UNIX ............................................................... 291
Integrate a C or C++ Application with A2A Client on UNIX ..................................................................... 291
Code: C Application with A2A Client on UNIX .................................................................................. 292
Register Requestor - C or C++ Application with A2A Client on UNIX ............................................... 294
Integrate a Korn Shell Script with A2A Client on UNIX ........................................................................... 294
Code: Korn shell script with A2A Client on UNIX .............................................................................. 294
Register Requestor - Adding a Korn shell script with A2A Client on UNIX ....................................... 295
Integrate a C Shell Script with A2A Client on UNIX ................................................................................ 296
Code: C Shell Script with A2A Client on UNIX .................................................................................. 296

Register Requestor - C shell Script with A2A Client on UNIX ........................................................... 297
Integrate a PHP Script with A2A Client on UNIX ..................................................................................... 297
Code: PHP Script with A2A Client on UNIX ...................................................................................... 297
Register Requestor - PHP Script with A2A Client on UNIX .............................................................. 298
Integrate a Python Script with A2A Client on UNIX ................................................................................. 298
Code: Python Script with A2A Client on UNIX .................................................................................. 298
Register Requestor - Python Script with A2A Client on UNIX ........................................................... 299

Integrate Apps to Use the Credential Manager A2A Client on Windows ...... 300
Integrate a Perl Script with A2A Client on Windows ................................................................................ 300
Code: Perl Script with A2A Client on Windows ................................................................................. 300
Register Requestor - Perl Script with A2A Client on Windows ......................................................... 301
Integrate a Visual Basic Application ........................................................................................................ 301
Code: Visual Basic Application ......................................................................................................... 301
Register Requestor - Visual Basic Application .................................................................................. 303
Integrate a Visual C++ Application .......................................................................................................... 303
Code: Visual C++ Application ........................................................................................................... 303
Register Requestor - Visual C++ Application .................................................................................... 305
Integrate a C#.NET Application using IIS Application Server .................................................................. 306
Integration Process for IIS ................................................................................................................. 306
Deploy and Run the Sample IIS Application ..................................................................................... 307
Configure your Development Environment for IIS ............................................................................. 307
IIS Credential Viewer ......................................................................................................................... 308
Class File ................................................................................................................................. 308
IIS Connection with SQL Server 2005 Express Edition Data Store .................................................. 309
Data Source ............................................................................................................................. 310
Register IIS Requestor ...................................................................................................................... 310
Register SQL Server 2005 Express Edition as a Target Application ................................................ 310
Integrate a Visual Basic, Java, or Windows Script .................................................................................. 311
Visual Basic Script ............................................................................................................................ 311
Code: Visual Basic Script ......................................................................................................... 311
Register Requestor - Visual Basic Script ................................................................................. 312
Java Script ........................................................................................................................................ 312
Code: Java Script ..................................................................................................................... 312
Register Requestor - Java Script ............................................................................................. 313
Windows Script ................................................................................................................................. 313
Code: Windows Script .............................................................................................................. 313
Register Requestor - Windows Script ...................................................................................... 314

Remote HTTP Interface to a Credential Manager A2A Client ................. 315
Access URL from Only the Local Host .................................................................................................... 316
Access URL from Local Host Network .................................................................................................... 316
Access URL from Local Host and Local Host Network ........................................................................... 318


Programming
The content in this section describes how to use the following APIs to create applications that
interact with CA Privileged Access Manager:

ExternalAPI – A REST API that allows custom applications to configure and provision CA
Privileged Access Manager.

Note: The ExternalAPI is separately licensed. Contact your CA Account Representative for
more information.

Credential Manager CLI – A command-line interface (CLI) that allows you to enter Credential
Manager commands, or scripts of commands, from a command line.

Credential Manager Java API – A Java API that provides access to Credential Manager capabilities
from a Java program.

Contents
ExternalAPI (see page 34)
Credential Manager APIs (see page 54)
Credential Manager CLI Commands (see page 65)
Credential Manager CLI User Interface Actions (see page 223)
Methods for Integrating the Credential Manager A2A Client (see page 232)
A2A Integration Return Data (see page 242)
Integrate Java Apps to Use Credential Manager (see page 245)
Integrate Apps to Use the Credential Manager A2A Client on UNIX (see page 290)
Integrate Apps to Use the Credential Manager A2A Client on Windows (see page 300)
Remote HTTP Interface to a Credential Manager A2A Client (see page 315)


ExternalAPI
The CA Privileged Access Manager ExternalAPI is a REST API that provides programmatic control over
most functions related to provisioning and managing access such as managing users, devices, and
policies.

Overview
A built-in documentation explorer for the ExternalAPI can be accessed through the GUI; it provides the
syntax of each API method.

ExternalAPI access is over HTTPS, and data is sent and received in the form of JSON records.
For more information about JSON, see http://www.json.org/.

The format of all REST URIs in the CA Privileged Access Manager ExternalAPI is:

https://<xsuite_hostname>/api.php/<api-version>/<resource-name>.json

The <api-version> part of the URI indicates the REST API version.

The final part of the URI is the <resource-name>. This part names the actual REST API "resource"
that determines what response you receive. A REST resource is analogous to an object in object-
oriented programming or a database row in a database system. ExternalAPI resources have
names like "devices", "users", or "services".

Different resources can expect more path parameters, often to identify an individual resource. For
instance, putting all the above together, the URI to a user with the id of 1 would look like:

https://<xsuite_hostname>/api.php/v1/users/1

Supported ExternalAPI resources include:

devices – provides support for managing devices

deviceGroups – provides support for managing device groups

filters – provides support for retrieving the list of command and socket filter lists

logs – provides support for retrieving and searching the session logs

passwords – provides support for viewing and checking out target accounts

policies – provides support for managing policies

roles – provides support for retrieving roles

services – provides support for managing services

sessionRecordings – provides support for retrieving session recordings


system – provides support for managing system processes

tags – provides support for retrieving device tags

users – provides support for managing users

userGroups – provides support for managing user groups

Deployment Procedures for Administrators


To implement ExternalAPI methods in your environment, an administrator must perform the following
steps:

1. Apply a license, or verify that CA Privileged Access Manager is licensed, for ExternalAPI.

2. Enable the API (see page 36).

3. Authorize CA PAM Users (see page ) for documentation access and test API calls.

Licensing
If you are upgrading to CA Privileged Access Manager, or if ExternalAPI was not enabled in your
purchased license for version 2.4.4 or later, obtain an ExternalAPI license from your CA Technologies
representative and install it:

1. If your CA Privileged Access Manager or CA Privileged Access Manager cluster is in production
use, we recommend that you use a maintenance window. A window can be enforced on your
users by selecting Config > Diagnostic > Maintenance Mode > On.

2. If you have a CA Privileged Access Manager cluster, turn it off at Config > Synchronization >
Cluster Settings > Turn Cluster Off, and then perform steps 3 through 5 on each cluster
member.

3. Navigate to the Config > Licensing page.

4. In the Install New License panel, click Choose File to select the file you received, and click
Upload License.
The Verify New License shadow window appears.

5. Confirm that ExternalAPI Capability is identified as Enabled, and click Save New License. Your
new license indicates the addition of this capability.

6. If you have a cluster, turn it back on.


To make the API accessible, enable it.


Configuration
Enable the API
The ExternalAPI must be enabled through a configuration setting on the Config > Security page. This
setting enables external calls to CA Privileged Access Manager using the ExternalAPI for authorized
scripts (see API Keys) and access to online API Explorer documentation for Users provisioned with this
role.
The two API systems available to CA Privileged Access Manager administrators – the new product-
wide ExternalAPI and the previously available Credential Manager CLI – are each enabled or disabled
from the new Config > Security > ExternalAPI Access panel at the bottom of that GUI page. Each is
disabled (unselected) by default.

Select the Enable External REST API checkbox, and then click the Update button.
The settings change is made, and you see:

A message at the top of the page: External API Access has been updated successfully

In Sessions > Logs, a log entry with this Details field message:

ExternalAPI Access has been enabled

The ExternalAPI features are now available through the following interfaces:

The documentation interface

The test button on each documentation "man" page

API method calls executed from an external source

Disable the Test Button


Within the online documentation is a mechanism to test an API after applying variable settings, and
return output to the documentation interface. This API method test button, labeled "Try it out!" at
the bottom of each API method description, accesses actual data and can change data in the live CA
Privileged Access Manager database. You might not want users to have this ability, so you can hide
this button (for all users).

In the Global Settings > Basic Settings panel, clear the ExternalAPI Buttons: Enable checkbox. (This
setting is enabled by default.)

Provision API Request Credentials


As with any other operation involving CA Privileged Access Manager, API requests must be
authenticated and authorized. The ExternalAPI uses HTTP Basic Authentication with API keys secured
using HTTPS (required for all API operations) for authentication. Authorization is provided by
associating API keys with the same roles that restrict what can be accessed using the standard web
interface.


Add API Keys for a CA Privileged Access Manager User


In the GUI Template
The API key credentials can be prepared in a GUI User record template as follows:

1. Navigate to Users > Manage Users.

2. Open the record of a User who is authorized to execute API method calls.
At the bottom of the record is the new API Keys panel.

3. Click Create New API Key to open a blank new set of API Key fields.

4. Enter at least a Name for this key set, and select the User roles that are appropriate for API
use for this User.
A suffix, in this case – 1, that matches this User ID is attached to this Name. This suffix is
displayed to the right of the Name field. If the API Key is being created simultaneously with
the User record, this suffix will initially appear as – 0 but will be revised to the newly assigned
User ID after the record is saved. The Name field cannot contain white space.
The Available Roles drop-down lists only those roles that your own role as an administrator
allows. For example, if you are a Global Administrator, all roles are listed. If you are
specifically a Delegated Administrator, only the roles of Delegated Administrator, Device
/Group Manager, Policy Manager, and User/Group Manager are available for selection. If a
role selected here is not one that this User has been assigned (for GUI use), you receive a
warning that it is outside the permitted scope for this User. The User record cannot be saved
until you remove the role.

5. If you want to create a key but do not want to activate it at this time, clear the Active
checkbox. Until the checkbox is re-selected, the User is not able to use these credentials to
make API method calls.

6. Create any additional API keys that are needed by again clicking Create New API Key, and
then click Save.

These keys are now:

Stored in the Credential Manager database


These key accounts are for Application Name="ApiKey" (which is of Application Type="Xsuite
API Key"), and are each given an Account Name= <API Key: Name> as assigned in the
originating User record.
You can view them in Credential Manager: Select Targets > Accounts to see them in the
Account List. Select an account record to review the default attributes. The Host Name and
Device Name have the Device placeholder: apikey.xceedium.com

Important!

Do not change any fields (except for Descriptor 1 or Descriptor 2) in the target
application= "ApiKey". Do not create any additional target applications of Application
Type= "Xsuite API Key".


Provisioned for viewing by User:

There is now a specialized policy record that permits only Passwords access for this Device
(apikey.xceedium.com).

The User can therefore immediately view the API Key from the Access page. See Obtain
API keys (see page 41).

As a CSV Import Item


API key credentials can be prepared in a CSV import file as follows:

1. Navigate to Users > Import/Export Users.

Note

The CSV template that is available from the Download Sample File link does not
provide an API Keys example. This User attribute is not applicable when ExternalAPI
is unlicensed.

2. In a spreadsheet, column 29 of the CSV file, labeled "API Keys" in the row 1 header cell, is
reserved for those values. Each API Keys column cell has values that are represented by a
concatenation of fields:

name=apiKey1Name/;isActive=[t|f]/;description=descriptionOfApiKey1/;roles=rolename=rolename1Of

The delimiters are:

" If multiple keys are assigned to one User, insert a double-quote character before and
after the full cell string.
/; Insert [slash+semicolon] between each pair of fields in a key.
, Insert [space+comma] between each pair of roles when there are multiple roles in a key.
#& Insert [hash+ampersand] between each pair of keys in a cell.

The User API Key cell in the CSV file (API Keys column of the spreadsheet) should contain the
following string:

"name=test123/;isActive=t/;description=Test 123. description./;roles=roleName=Service Manager

roleUserGroups= roleDeviceGroups=. ,
roleName=Password Manager roleUserGroups=.
roleDeviceGroups=#&name=test234/;isActive=t/;description=Test 234.
description./;roles=roleName=Service Manager roleUserGroups= roleDeviceGroups=. ,

roleName=Password Manager roleUserGroups= roleDeviceGroups="


3. Upload the completed CSV file in the Users > Import/Export Users > Import Users from CSV
file panel, using the Browse and the Import Users buttons.

Note: You can safely import data from an older format file – one that does not have
API Keys information – to CA Privileged Access Manager.

Dissociating an API Key from Its User


To make an API Key unavailable to the associated User, you can either deactivate it or remove it
entirely.

Deactivating a Key
If you do not want to discard an existing key, you can deactivate it for later reuse. In the key settings,
clear the Active checkbox.

Removing a Key
In the API Keys panel, in the upper-right corner of the provisioning fields for the particular key, is a
small bold x. Mouse over this x to see a box around the fields, then click the x to remove the group of
key widgets entirely.

Deployment Procedures for Programmers


To implement ExternalAPI methods in your environment, a programmer must perform the following steps:

1. Access the ExternalAPI documentation viewer (see page 39) for constructs.

2. Review example code and this documentation.

3. Implement production applications (see page 42).

Documentation/Test
Users who are preparing a production implementation are able to review documentation and
perform test calls of the API methods within the GUI.


Note

Executing API method calls in this manner acts on the actual CA Privileged Access Manager
database, but returns messages and output only to fields displayed in the documentation
interface.

Overview
Each API method is presented with a description and its syntax. The API documentation interface
permits you to execute the API method on the existing CA Privileged Access Manager database, and
immediately display return objects within an expansion of the API method window. The bold items
are actual labels in the GUI. For actual GUI examples, see the procedure in View Documentation (see
page 40).

/devices – API method category (example)


get /devices.json/{id}/services – API method structure (example) – appears upon API category
expansion
Description sections – appear when API method structure is expanded:

Implementation Notes – Describes the API function (body appears in line item)
Response Information – Identifies database objects to be reported
Parameters – Describes each input parameter. Populate required fields here to obtain a test response
(below)

Try it out! – Displays API output and other processing information (as identified in Response
sections)

Response sections – These appear after you run the API method call by clicking Try it out! (above):

Request URL – Displays the URL submitted to CA PAM for API method call processing
Response Body – Displays JSON structure returned
Response Code – Displays HTTP status codes returned
Response Headers – Displays response fields of the HTTP transaction

The execution or test button ("Try it out!") can be disabled and hidden, so that no operations can be
performed on active CA Privileged Access Manager settings. See Disable the test button (see page 36).

View Documentation
Each API method can be examined and tested with varying parameters from the CA Privileged Access
Manager API Explorer.


1. From any page in the administration GUI, click API Doc in the top right-hand menu. (The link is
not available from the Credential Manager GUI.)

The Xsuite API Explorer opens in a new browser window. Several line items correspond to
database access categories, such as devices and filters. For each category, there are three GUI
operations provided in the menu to the right:

Show/Hide – Toggles the display in the current display mode (List Operations or Expand
Operations) for the API method category.

List Operations – Displays a list of the API methods in that category.

Expand Operations – Displays parameter details (“man pages”) for all API methods in that
category.

2. Click on an API method category line item, such as /users.

The list of API method operations available in that category is displayed, grouped by method:
GET / POST / PUT / DELETE

You can toggle this view open or closed by clicking the API method category label.

3. Click on an API method, such as GET /v1/users.json/{id}.


A specification for the API method appears, with Implementation Notes, Response
Information, and Parameters. You can switch this view open or closed by clicking the API
method label.

After providing any required parameter values, you can obtain credentials (see Obtain API keys (see
page 41)) and then test the API method (see Run test API requests (see page 42)) on the existing
database.

Obtain API Keys


As with any other operation involving CA Privileged Access Manager, API requests must be
authenticated and authorized. CA Privileged Access Manager ExternalAPI uses HTTP Basic
Authentication with API keys secured using HTTPS (required for all API operations) for authentication.
Authorization is provided by associating API keys with the same roles that restrict what can be
accessed using the standard web interface.
After your CA Privileged Access Manager Administrator has provisioned you an API key for API access,
you can retrieve your API key credentials. Follow these steps:

1. Navigate to the Access page.

2. For the Device="apikey.xceedium.com", select Target Applications > Your Target Application
Name > Your API Key Target Account Name.

3. Enter your CA Privileged Access Manager User account password.

4. Retrieve the Target Account credentials for this API Key.


You are now able to test the API input/output and display it through the GUI.
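
An added example (not CA's code) of a single request made from an external client with the key name and password retrieved above: HTTP Basic Authentication over HTTPS, with certificate and host-name verification enabled so the key is sent only to a server whose certificate chains to a CA bundle you supply. The environment variable names, the bundle path and the `v<digits>` version pattern are assumptions.

```php
<?php
// Added example, not CA's sample code. Environment variable names, the CA
// bundle path and the "v<digits>" version pattern are assumptions.

/**
 * Build an ExternalAPI URI of the documented form
 * https://<xsuite_hostname>/api.php/<api-version>/<resource-name>.json
 */
function buildApiUrl(string $host, string $version, string $resource, array $query = []): string
{
    // Accept only host or host:port so that no scheme, path or userinfo can be
    // injected into the URL that will receive the API key.
    if (!preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $host)) {
        throw new InvalidArgumentException('Invalid host name');
    }
    if (!preg_match('/^v\d+$/', $version) || !preg_match('/^[A-Za-z]+$/', $resource)) {
        throw new InvalidArgumentException('Invalid API version or resource name');
    }
    $url = "https://{$host}/api.php/{$version}/{$resource}.json";
    return $query ? $url . '?' . http_build_query($query) : $url;
}

/**
 * Send one request and return ['status' => int, 'body' => decoded JSON or null].
 */
function apiRequest(string $url, string $keyName, string $keySecret, string $caBundle,
                    string $method = 'GET', ?array $body = null): array
{
    // The key name becomes the Basic-auth user id: no whitespace (a product
    // rule for the Name field) and no colon (it would split the credential).
    if ($keyName === '' || preg_match('/[\s:]/', $keyName)) {
        throw new InvalidArgumentException('Invalid API key name');
    }
    if (!in_array($method, ['GET', 'POST', 'PUT', 'DELETE'], true)) {
        throw new InvalidArgumentException('Unsupported HTTP method');
    }
    if (!is_readable($caBundle)) {
        throw new RuntimeException('CA bundle is not readable');
    }

    $headers = ['Accept: application/json'];
    $options = [
        CURLOPT_URL            => $url,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse plain HTTP
        CURLOPT_FOLLOWLOCATION => false,            // do not replay the key to a redirect target
        CURLOPT_SSL_VERIFYPEER => true,             // certificate must chain to $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,                // certificate must match the host name
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $keyName . ':' . $keySecret,
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 30,
    ];
    if ($body !== null) {
        $options[CURLOPT_POSTFIELDS] = json_encode($body, JSON_THROW_ON_ERROR);
        $headers[] = 'Content-Type: application/json';
    }
    $options[CURLOPT_HTTPHEADER] = $headers;

    $ch = curl_init();
    curl_setopt_array($ch, $options);
    $raw = curl_exec($ch);
    if ($raw === false) {
        // TLS verification failures end up here; the key was not sent.
        throw new RuntimeException('Request failed: ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return ['status' => $status, 'body' => json_decode($raw, true)];
}

// Usage when run from the command line. Credentials come from the environment
// (hypothetical variable names), not from argv.
if (PHP_SAPI === 'cli' && realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    $url = buildApiUrl(getenv('PAM_HOST') ?: '', 'v1', 'users',
                       ['fields' => 'userId,userName,expiration,roles']);
    $result = apiRequest($url, getenv('PAM_API_KEY_NAME') ?: '',
                         getenv('PAM_API_KEY_SECRET') ?: '',
                         getenv('PAM_CA_BUNDLE') ?: '/etc/ssl/certs/pam-appliance-ca.pem');
    echo $result['status'], PHP_EOL;
    print_r($result['body']);
}
```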


Run Test API Requests


Each API interface can be examined and tested, using any parameter inputs from the fields provided
in the CA Privileged Access Manager API Explorer.
Most API methods accept standard parameters that can be added to any API-specific parameters you
pass to a method call. These parameters can affect how a request is handled and how a response is
formatted.
See the full sets of parameters and their descriptions in the API Doc interface. All parameters are
optional except where noted. To exclude an optional parameter, exclude it from the request or
include it with an empty value.
In the illustrated example below, the API provides a set of attributes for a (single) CA Privileged
Access Manager User.

1. For the API example shown earlier, you populate a single parameter: the User ID into the
Parameters id field. Make any needed edits to the requested User attribute list (Parameters
fields field).
If you do not have this User ID, you can obtain it from a previous API operation, such as "get
/v1/users.json". This operation retrieves basic information from all User records.

2. Click "Try it out!"


If you have not tried other API methods in this session, you are now prompted for the
credentials of the API Key that was provided to you earlier by your administrator.

3. Enter your credentials.


If your credentials are correct and the parameters are valid, you receive a successful response.
If the request fails for some reason, you receive error feedback.

Resetting the Active API Key


To change which API Keys are available to you, clear the browser cache and execute a new API
call. When you next execute an API call, you are prompted again for API Key credentials.

For example, in Firefox 35: Open Tools > Options > Privacy > Firefox will: Remember history > clear
your recent history link. With at least the Active Logins checkbox selected in the Details panel, select
the desired Time range to clear, and click OK.

Implementation
Work with CA Technologies Professional Services to prepare client software that can access CA
Privileged Access Manager with API requests. A PHP example using curl follows.

Case: Provision User, Device, and Auto-Connection Policy Between Them
The following code snippet shows a PHP implementation using ExternalAPI methods.

<?php

class APIConstants{
    const DEVICE_ENDPOINT_V1 = "/api.php/v1/devices.json";
    const DEVICE_GROUP_ENDPOINT_V1 = "/api.php/v1/devicegroups.json";
    const GET = "GET";
    const POLICIES_ENDPOINT_V1 = "/api.php/v1/policies.json";
    const ROLE_GLOBAL_ADMINISTRATOR = 1;
    const ROLE_STANDARD_USER = 2;
    const ROLE_OPERATIONAL_ADMINISTRATOR = 14;
    const POST = "POST";
    const PUT = "PUT";
    const TWO_DAYS = 172800;
    const USER_ENDPOINT_V1 = "/api.php/v1/users.json";
    const USER_GROUP_ENDPOINT_V1 = "/api.php/v1/userGroups.json";
}
/**
 *
 * This function will make a single request to the API.
 * @param string $apiKey - api key name and password delimited by colon
 * @param string $url - the URL to reach the desired endpoint of the API.
 * For a get may include parameters
 * @param string $postData - JSON encoded set of parameters
 * @param string $httpOperation - GET, POST, PUT, or DELETE
 * @return string -1 for failure, otherwise results of request
 */
function makeAPIRequest($apiKey, $url, $postData, $httpOperation) {
     global $debug;
     $httpOperation = strtoupper($httpOperation);
     if(!in_array($httpOperation,array("GET","POST","PUT","DELETE"))){
          return -1;
     }
     /*
         In real code the url could be validated. This is left out as a distraction
          to the point of the cookbook.
     */
     if(!empty($postData) && is_null(json_decode($postData))){
         error_log("Invalid post data " . print_r($postData,true) .
             "\n Post data must be in JSON format.");
         return -1;
     }
     // apiKey must have at least one colon, and not in the first position
     // (strpos() returns false when there is no colon, and false == 0 is true)
     if(strpos($apiKey,":") == 0){
         error_log("Incorrectly formatted api key. Key must consist of api key name, a colon, and the ...");
         return -1;
     }

    $ch = curl_init();

    curl_setopt($ch, CURLOPT_URL, $url);
    // Certificate and host-name verification are switched off in this sample, so the
    // server is not authenticated before the API key is sent. Set VERIFYPEER to TRUE
    // and VERIFYHOST to 2 when the appliance certificate chains to a trusted CA.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
    curl_setopt($ch, CURLOPT_USERPWD, $apiKey);
    switch($httpOperation){
        case "GET":
            break;
        case "PUT":
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST,"PUT");
            // absence of break is intentional
        case "POST":
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
            curl_setopt($ch, CURLOPT_HTTPHEADER,
                array('Content-Type: application/json','Content-Length: ' . strlen($postData)));
            break;
        case "DELETE":
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "DELETE");
    }
    /*
     * These are useful debug statements
     */
    if($debug){
        echo "XXX: URL = " . $url . PHP_EOL;
        echo "YYY: parameters = " . print_r($postData, true) . PHP_EOL;
        echo "ZZZ: httpOperation = " . $httpOperation . PHP_EOL;
    }
    $data = curl_exec($ch);
    if($debug){
        echo "AAA: return = " . print_r($data,true) . PHP_EOL;
    }
    $error = curl_error($ch);
    if(!empty($error)){
        error_log("CURL request to $url returned error: $error");
        $data = -1;
    }
    curl_close($ch);
    return trim($data);
}
/* assume following parameters
 * argv[1] = URL component e.g, http://10.1.10.24/ port may be included
 * argv[2] = user name for REST API
 * argv[3] = password for REST API
 * argv[4] = first name of user to be provisioned
 * argv[5] = last name of user
 * argv[6] = email address of user
 * argv[7] = device name
 * argv[8] = domain name
 * argv[9] = operating system
 * argv[10] = user name for target account
 * argv[11] = debug 0 for false any positive for true
 */
if(count($argv) != 12){
     // in real code more information would be supplied
     echo " Missing required parameters. ". PHP_EOL;
     return ;
}
$baseURL = $argv[1];
$apiKey = $argv[2]. ":" . $argv[3];
$firstName = $argv[4];
$lastName = $argv[5];
$email = $argv[6];
$device['deviceName'] = $argv[7];
$device['domainName'] = $argv[8];
$device['os'] = $argv[9];
$userAccountName = $argv[10];
$debug = $argv[11];

$userName = $firstName . "_" . $lastName;

/*
 * Determine if the user already exists.
 * The user name has to be unique, but since all searches are 'contains ' style, add the first and la
 * to reduce the number of substring hits. For this first example we will code the URL manually
 */
$url = "https://" . $baseURL . APIConstants::USER_ENDPOINT_V1 . "?userName=" . urlencode($userName) .
    "&firstName=" . urlencode($firstName) . "&lastName=" . urlencode($lastName) .
    "&fields=userId,userName,expiration,roles";
$userData = makeAPIRequest($apiKey, $url, null,APIConstants::GET);
//the true in the decode parameter list makes the JSON be turned into PHP associative arrays,
// rather than a mix of arrays and stdClass objects.
$userList = json_decode($userData,true);

/*
 * if the user is not found, create it. Have it immediately active, but expiring in 48 hours
 * from now
 */
if($userList['totalRows'] === 0){
    // The return from creating a new user is the id of the newly created user
    $userId = buildNewUser($userName,$firstName,$lastName,$email);
    // add error checking
    if($userId == -1){
        echo " Failed to add new user " . $userName .". Aborting";
        return;
    }
}else{
    /*
    // if the user already exists then
    // update the expiration time by two days unless the expiration date is set to unlimited or
     * later than 2 days away
    // add standard user to the list of roles if they don't already have the role
    */
    unset($user);
    foreach($userList['users'] AS $userCandidate){
        // There can be only one exact match on userName
        if($userCandidate['userName'] == $userName){
            // null is returned for a successful update
            $result = updateUser($userCandidate);
            if(!empty($result)){
                echo "Update failed with result " . print_r($result,true) .PHP_EOL;
            }
            $userId = $userCandidate['userId'];
            break;
        }
    }
}
/*
// Add the user to a group, either to give it a desired set of privileges or
  * to let the user have access to group level policies
  */
if(isset($userId)){
    addUserToGroup($userId, "Standard Role Users");
}
/* now to process the device. Do an OR search to find any devices that match either the device name
 * or the domain name
 */
$searchParameters = $device;
unset($searchParameters['os']);
// add extra fields to make device usable - assume typeAccess
$device['typeAccess'] = 't';
$deviceList = findDevice($searchParameters,"OR",
        "deviceId,deviceName,domainName,os,typePassword,typeAccess,deviceAccessMethods");

if(isset($deviceList['totalRows'])){
    // cases 0 matches - go ahead and create it
    switch($deviceList['totalRows']){
        case 0:
            $deviceId = buildNewDevice($device);
            $device['deviceId'] = $deviceId;
            // now add an access method
            $accessMethodId = updateDevice($device);
            break;
        case 1:
            // confirm both dom name and device name match
            // check for access method if missing add it.
            $deviceCandidate = $deviceList['devices'][0];
            if($deviceCandidate['deviceName'] == $device['deviceName'] &&
                    $deviceCandidate['domainName'] == $device['domainName']){
                $accessMethodId = updateDevice($deviceCandidate);
                $deviceId = $deviceCandidate['deviceId'];
                $device['deviceId'] = $deviceId;
            }else{ // conflict
                echo "Device retrieved was " . $deviceCandidate['deviceName'] .
                " with a domain name of " . $deviceCandidate['domainName'] . PHP_EOL;
                echo "Device searched for was " . $device['deviceName'] .
                " with a domain name of " . $device['domainName'] . PHP_EOL;
                return -1;
            }
            break;
        default:
            // find the device that has an exact hit if any and update it
            // initialise before the loop so the check below works even for an empty list
            $foundDevice = false;
            foreach($deviceList['devices'] AS $deviceCandidate){
                if($deviceCandidate['deviceName'] == $device['deviceName'] &&
                       $deviceCandidate['domainName'] == $device['domainName']){
                    $accessMethodId = updateDevice($deviceCandidate);
                    $deviceId = $deviceCandidate['deviceId'];
                    $device['deviceId'] = $deviceId;
                    $foundDevice = true;
                    break;
                }
            }
            if(!$foundDevice){
                echo "Could not find device with name " . $device['deviceName'] .
                " and domain name of " . $device['domainName'] . PHP_EOL;
                return -1;
            }
    }
}else{
    /*
     * problem with query
     */
    echo "Device retrieve query had a problem. Details were " . print_r($deviceList,true) . PHP_EOL;
    echo "Aborting." . PHP_EOL;
    return;
}
/*
 * create a policy between the user and the device using the access method we added
 */
$policy = findExistingPolicy($userId,$deviceId);
if($policy === 0){
    $policyId = addPolicy($userId,$deviceId,$accessMethodId);
    /*
     * if we found a policy then we returned the details
     */
}elseif(is_array($policy)){
    $policyId = $policy['id'];
    /*
     * otherwise something went wrong
     */
}elseif ($policy == -1){
    return;
}
// check to see if a target application for this device already exists
$targetApplicationId = findTargetApplication($device);
/*
 * check to see if array returned, if so check for error code
 */
if(is_array($targetApplicationId)){
    foreach($targetApplicationId AS $errorMessage){
        /*
         * Message 5186 says Device not found or is not a target server.
         * Since the device must exist because we found it earlier, it must not be a target server.
         * Update the device to be of typePassword (i.e., a target server).
         */
        // strpos returns 0 when the code starts the message, so compare against false explicitly
        if(strpos($errorMessage['message'],"5186") !== false){
            $results = updateDeviceTargetServer($device['deviceId'], 't');
            /*
             * A successful update returns nothing.
             */
            if(empty($results)){
                $targetApplicationId = 0;
                break;
            }else{
                /*
                 * More error processing goes here
                 */
            }
        }
    }
}
if(empty($targetApplicationId)){
    /*
     * To demonstrate error handling we will try to add a target application despite the fact that
     * the device is not typePassword
     */
    $targetApplicationId = addTargetApplication($device);
}
if(!is_numeric($targetApplicationId) || $targetApplicationId < 1){
    // error time to abort
    return;
}
// if needed add a target account for auto-connect to the target application
$targetAccountId = findTargetAccount($deviceId,$targetApplicationId,$userAccountName);
if(empty($targetAccountId)){
    $targetAccountId = addTargetAccount($deviceId,$targetApplicationId,$userAccountName);
}
$policy = findExistingPolicy($userId,$deviceId);
if($policy === 0){
    $policyId = addPolicy($userId,$deviceId,$accessMethodId);
}elseif(is_array($policy)){
    $policyId = $policy['id'];
}elseif ($policy == -1){
    return;
}
// retrieve the policy again and add the target application for auto-connect
$policy = findExistingPolicy($userId,$deviceId);
addSSOToPolicy($policy,$accessMethodId,$targetAccountId);
function buildNewUser($userName,$firstName,$lastName,$email){
    global $apiKey, $baseURL;
    // We can either use stdClass or an associative array to build POST or PUT data.
    // This example uses stdClass
    $user = new stdClass();
    $user->userName = $userName;
    $user->firstName = $firstName;
    $user->lastName = $lastName;
    $user->email = $email;
    $user->roles = array(array("roleId"=>2,"userGroups"=>array(),"deviceGroups"=>array()));
    $user->password = "password";
    $user->expiration = time() + APIConstants::TWO_DAYS;
    $parameters = new stdClass();
    $parameters->data = $user;
    $addUrl = "https://" . $baseURL . APIConstants::USER_ENDPOINT_V1;
    return makeAPIRequest($apiKey, $addUrl, json_encode($parameters),APIConstants::POST);
}
/*
 * Another way to give users certain roles is to assign them to a user group with those roles.

 * As an example we will get the id for a group called Standard Role Users
 * This example uses the php http_build_query function to generate the URL encoded parameters

 */
function addUserToGroup($userId,$groupName){
    global $apiKey,$baseURL;
    $url = "https://" . $baseURL . APIConstants::USER_GROUP_ENDPOINT_V1 . "?" .
        http_build_query(array("groupName"=>$groupName,"fields"=>"groupId,groupName,description"));
    $groupData = makeAPIRequest($apiKey, $url,null, APIConstants::GET);
    if($groupData == -1){
        echo "Failed to get user group list. User " .
        $userId . " will not be added to the Standard Role Users group" . PHP_EOL;
    }
    // the true in the decode parameter list makes the JSON be turned into PHP associative arrays,
    // rather than a mix of arrays and stdClass objects.
    $groupList = json_decode($groupData,true);
    if(isset($groupList['totalRows'])){
        switch($groupList['totalRows']){
            case 0:
                break;
            case 1:
                $groupId = $groupList['groups'][0]['groupId'];
                echo "groupId " . $groupId .PHP_EOL;
                break;
            default:
                foreach($groupList['groups'] AS $userGroup){
                    if("Standard Role Users" == $userGroup['groupName']){
                        $groupId = $userGroup['groupId'];
                        break 2;
                    }
                }
        }
        if(isset($groupId)){
            $url = "https://" .$baseURL . APIConstants::USER_ENDPOINT_V1 . "/" .
                $groupId . "/users/" . $userId;
            $result = makeAPIRequest($apiKey, $url, null, APIConstants::POST);
        }
    }else{
        echo "totalrows not found" . PHP_EOL;
    }
}

function updateUser($userCandidate){
    global $apiKey,$baseURL;
    $user['userId'] = $userCandidate['userId'];
    $userId = $userCandidate['userId'];
    if(!empty($userCandidate['expiration'])){
        $newExpirationTime = time() + APIConstants::TWO_DAYS;
        $user['expiration'] = ($newExpirationTime > $userCandidate['expiration']) ?
        $newExpirationTime : $userCandidate['expiration'];
    }
    $addStandardUsers = true;
    if(count($userCandidate['roles']) > 0){
        foreach($userCandidate['roles'] AS $role){
            if(in_array($role['roleId'],
                    array(APIConstants::ROLE_STANDARD_USER,APIConstants::ROLE_GLOBAL_ADMINISTRATOR,
                            APIConstants::ROLE_OPERATIONAL_ADMINISTRATOR))){
                $addStandardUsers = false;
                break;
            }
        }
    }
    if($addStandardUsers){
        $user['roles'] = $userCandidate['roles'];
        $user['roles'][] = array("roleId"=>APIConstants::ROLE_STANDARD_USER,
                "userGroups"=>array(),
                "deviceGroups"=>array());
    }
    $updateUrl = "https://" . $baseURL . APIConstants::USER_ENDPOINT_V1;
    $parameters['data'] = $user;
    $result = makeAPIRequest($apiKey, $updateUrl, json_encode($parameters),APIConstants::PUT);
    return $result;
}
/**
 *
 * @param array $searchParameters - keys are search fields, values are the values to search for
 * @param string $searchRelationship AND or OR if there are multiple search parameters
 * @param string $fields what information about a device you want returned. NULL takes the
 * default the API returns
 */
function findDevice(array $searchParameters,$searchRelationship="AND",$fields=null){
    global $apiKey,$baseURL;
    $searchParameters['searchRelationship'] = $searchRelationship;
    if(!empty($fields)){
        $searchParameters['fields'] = $fields;
    }
    $url = "https://" . $baseURL . APIConstants::DEVICE_ENDPOINT_V1 . "?" .
        http_build_query($searchParameters);
    $deviceData = makeAPIRequest($apiKey, $url, null, APIConstants::GET);
    $deviceList = json_decode($deviceData,true);
    return $deviceList;
}
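function findDeviceById($deviceId,$fields=null){
    global $apiKey,$baseURL;
    $url = "https://" . $baseURL . APIConstants::DEVICE_ENDPOINT_V1 . "/" . $deviceId;
    // The original listing built the URL and stopped; the request and decode below
    // mirror findDevice() and are an assumption about the intended behaviour.
    if(!empty($fields)){
        $url .= "?" . http_build_query(array("fields"=>$fields));
    }
    $deviceData = makeAPIRequest($apiKey, $url, null, APIConstants::GET);
    return json_decode($deviceData,true);
}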
/**
 * create a new device
 * @return deviceId (int)
 * @param array $device
 */
function buildNewDevice($device){
    global $apiKey,$baseURL;
    $url = "https://" . $baseURL . APIConstants::DEVICE_ENDPOINT_V1;
    $deviceId = makeAPIRequest($apiKey, $url,json_encode($device), APIConstants::POST);
    $device['deviceId'] = $deviceId;
    return $deviceId;
}
/**
 * Updates a device to add an access method.
 * @param array $device
 * @return access method id
 */
function updateDevice(array $device){
    global $apiKey,$baseURL;
    $addAccessMethod = true;
    if(!empty($device['deviceAccessMethods'])){
        foreach($device['deviceAccessMethods'] as $accessMethod){
            if((strtoupper($device['os']) == "LINUX" && $accessMethod['type'] == "SSH" &&
                isset($accessMethod['id'])) ){
                    return $accessMethod['id'];
            }
        }
    }
    /*
     * Always add SSH if one isn't there
     */
        $accessMethods = array(
            "type" => "SSH",
            "port" => 22
        );
        $url = "https://" . $baseURL . APIConstants::DEVICE_ENDPOINT_V1 . "/" .
            $device['deviceId'] . "/accessMethods";
        $parameters['accessMethods'] = array($accessMethods);
        $accessMethodJSON = makeAPIRequest($apiKey, $url, json_encode($parameters), APIConstants::POST);
        /*
         * We know there is only one entry in the array at most
         */
        $accessMethod = json_decode($accessMethodJSON,true);
        $addedAccessMethod = $accessMethod[0];
        return $addedAccessMethod['id'];
}
/**
 * Add a UNIX type target application (Windows Domain/Proxy not supported, Generic too simple)
 * @param array $device
 */
function addTargetApplication(array $device){
    global $apiKey, $baseURL;
    $results = addUnixTargetApplication($device);
    if(is_numeric($results)){
        $targetApplicationId = $results;
    }else{
        // anything non-numeric is a failure, whether or not it decodes as JSON
        $targetApplicationId = -1;
        $errors = json_decode($results,true);
        if(is_array($errors)){
            // More error processing here
        }
    }
    // either the actual target application id or -1 for failure to find or error message if one ret

    return $targetApplicationId;


}
/**
 *
 * @param array $device
 * @return mixed empty array if no target application found,
 * int the targetApplication id if found
 * array of error messages if found
 */
function findTargetApplication($device){
    global $apiKey,$baseURL;
    // first see if the application already exists. Don't specify fields so as to take the default
    // (this is the same URL that addUnixTargetApplication uses)
    $url = "https://" . $baseURL . APIConstants::DEVICE_ENDPOINT_V1 . "/" . $device['deviceId'] .
        "/targetApplications";
    $parameter['data']['applicationName'] = $device['deviceName'] . " Unix account";
    $results = makeAPIRequest($apiKey, $url, json_encode($parameter), APIConstants::GET);
    $targetApplications = json_decode($results,true);
    // if an empty array was returned the search was successful and there were no matching target ap
    if(is_array($targetApplications) && !empty($targetApplications)){
        foreach($targetApplications AS $targetApplication){
            // Assumption: the listing is cut off after "$targetAp"; comparing against the
            // applicationName key of the returned entry is a guess at the missing text.
            if(isset($targetApplication['id']) &&
                    $parameter['data']['applicationName'] == $targetApplication['applicationName']){
                return $targetApplication['id'];
            }else if(!isset($targetApplication['id'])){ // error code returned
                // Assumption: the print_r argument is cut off in the listing; the entry itself is printed here.
                echo " Error when trying to search for a target application. Error was " .
                    print_r($targetApplication,true) . PHP_EOL;
                // since there may be multiple error messages return everything, not just this error
                return json_decode($results,true);
            }
        }
    }
}
/**
 * Add a new target server of type Unix to the specified device
 * @param array $device
 * @return Ambiguous <string, number>
 */
function addUnixTargetApplication($device){
    global $apiKey,$baseURL;
    $parameter['data']['applicationName'] = $device['deviceName'] . " Unix account";
    $parameter['data']['applicationType'] = "unixII";
    $attributes = array("sshSessionTimeout"=>60000,"sshPort"=>22,"unixVariant"=>"LINUX",
        "sshUseDefaultCiphers"=>"true");
    $parameter['data']['attributes'] = $attributes;
    /*
     * notice how we use exactly the same URL here as in findTargetApplication.
     * The only difference is that the type of transaction is POST.
     * The parameters are different, but that isn't part of the URL.
     */
    $url = "https://" . $baseURL . APIConstants::DEVICE_ENDPOINT_V1 . "/" . $device['deviceId'] .
        "/targetApplications";
    $results = makeAPIRequest($apiKey, $url, json_encode($parameter), APIConstants::POST);
    return $results;
}
/**
 * change a device to either be of typePassword (t) or not (f)
 * @param integer $deviceId
 * @param string $trueOrFalse
 */
function updateDeviceTargetServer($deviceId,$trueOrFalse){
    global $apiKey, $baseURL;
    // obviously check if $trueOrFalse is t or f
    $parameter['data']['typePassword'] = $trueOrFalse;
    $parameter['data']['deviceId'] = $deviceId;
    $url = "https://" . $baseURL . APIConstants::DEVICE_ENDPOINT_V1;
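    $results = makeAPIRequest($apiKey, $url, json_encode($parameter), APIConstants::PUT);
    // return the response so the caller can tell a successful update (nothing returned) from an error
    return $results;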
}
/**
 * Find a target account for a particular target application (and hence for a particular device)
 * @param integer $deviceId
 * @param integer $targetApplicationId
 * @param string $accountName
 * @return mixed - id if successful, error messages if not
 */
function findTargetAccount($deviceId, $targetApplicationId, $accountName){
    global $apiKey, $baseURL;
    // same thing - check if target account exists already
    $parameter['data']['accountName'] = $accountName;
    $url = "https://" . $baseURL . APIConstants::DEVICE_ENDPOINT_V1 . "/" . $deviceId . "/targetAppl

    $targetAccountResults = makeAPIRequest($apiKey, $url, json_encode($parameter), APIConstants::GET);
    $targetAccounts = json_decode($targetAccountResults, true);

    if(is_array($targetAccounts)){
        foreach($targetAccounts as $targetAccount){
            if($targetAccount['accountName'] == $accountName){
                return $targetAccount['accountId'];
            }
        }
    }
    return $targetAccounts;
}

/**
 *
 * @param int $deviceId
 * @param int $targetApplicationId
 * @param string $accountName
 * @return Ambiguous <string, number> int if successful add otherwise
 */
function addTargetAccount($deviceId, $targetApplicationId, $accountName){
    global $apiKey, $baseURL;
    $parameter['data']['accountName'] = $accountName;
    // special code to tell PA to generate a unique password based on password composition policy
    $parameter['data']['password'] = "generate_pass";
    $parameter['data']['useAliasNameParameter'] = 't';
    $parameter['data']['aliasNames'] = $accountName . ",alias" . $accountName;
    $url = "https://" . $baseURL . APIConstants::DEVICE_ENDPOINT_V1 . "/" . $deviceId . "/targetAppl

    $results = makeAPIRequest($apiKey, $url, json_encode($parameter), APIConstants::POST);

    if(!is_numeric($results)){
        // decode if this is a JSON string
       $checkResults = json_decode($results, true);
       if(!empty($checkResults)){
            $results = $checkResults;
        }
    }
    return $results;
}
/**
 *
 * @param int $userId
 * @param int $deviceId
 * @return policy object if found, 0 if no policy, -1 if invalid parameters
 */
function findExistingPolicy($userId,$deviceId){
    global $apiKey, $baseURL;
    $url = "https://" . $baseURL . APIConstants::POLICIES_ENDPOINT_V1 . "/" . $userId . "/" . $deviceId;
    $results = makeAPIRequest($apiKey, $url, null, APIConstants::GET);
    $policy = json_decode($results,true);
    if(isset($policy['id'])){
        return $policy;
    }
    // most likely results are some kind of error message
    if(is_array($policy) && count($policy) > 0){
        foreach($policy AS $message){
            // Message 12033 - userid and device id were both valid, but no policy between them exis

            if(strpos($message['message'],"12033") !== false){


                return 0;
            }
            // Message 12034 - user or group id specified in policy does not exist
            if(strpos($message['message'],"12034") !== false){
                echo $message['message'] . PHP_EOL;
                return -1;
            }
            // Message 12035 - device or group id specified in policy does not exist
            if(strpos($message['message'],"12035") !== false){
                echo $message['message'] . PHP_EOL;
                return -1;
            }
            // unexpected error
            echo $message['message'] . PHP_EOL;
            return -1;
        }
    }
}
/**
 * Add a policy between a user and a device for an access method, without specifying auto-connection.
 * @param integer $userId
 * @param integer $deviceId
 * @param integer $accessMethodId
 * @return policy id on success else void
 */
function addPolicy($userId,$deviceId,$accessMethodId){
    global $apiKey, $baseURL;
    $url = "https://" . $baseURL . APIConstants::POLICIES_ENDPOINT_V1 . "/" . $userId . "/" . $deviceId;
    $accessMethods = array(array("accessMethodId"=>$accessMethodId));
    $parameter['accessMethods'] = $accessMethods;
    // turn on cli recording
    $parameter['cliRecording'] = "t";
    $results = makeAPIRequest($apiKey, $url, json_encode($parameter), APIConstants::POST);

    if(is_numeric($results)){
        return $results;
    }
}
/**
 * Replace the existing access method for the policy with one that has a target account for auto-conn

 * @param array $policy


 * @param integer $accessMethodId
 * @param integer $targetAccountId
 */
function addSSOToPolicy($policy,$accessMethodId,$targetAccountId){
    global $apiKey, $baseURL;
    /**
     * Multiple target accounts could be assigned, so the accountIds are an array
     */
    $putData = array(array("accessMethodId"=>$accessMethodId,"accountIds"=>array($targetAccountId)));
    $url = "https://" . $baseURL . APIConstants::POLICIES_ENDPOINT_V1 . "/" . $policy['id'] .
        "/accessMethods";
    $results = makeAPIRequest($apiKey, $url,json_encode($putData),APIConstants::PUT);
}

Credential Manager APIs


Credential Manager has the following programming interfaces:

A command-line interface (CLI) which permits the entry of a Credential Manager command, or a
script of commands, from a Windows or UNIX/Linux command line.

A Java API which gives access to Credential Manager capabilities from a Java program.

Both the CLI and the Java API can also be invoked from a remote (client) computer. The Java API
creates an HTTPS connection from the remote computer to the CA Privileged Access Manager
appliance. The CLI is a command-line program that invokes the Java API to submit commands that are
entered on the Windows or UNIX/Linux command line. The remote computer must be able to
connect with HTTPS through the network to the CA Privileged Access Manager appliance. No matter
which UI is used, the commands and actions available to a user depend on the roles and groups that
are assigned to them.

The Java API provides you with a mechanism to integrate Credential Manager seamlessly with your
Java programs. Most password management user interface actions available through the GUI are also
available through the Java API. The Java API is supported on the Unix, Linux and Windows platforms,
and is packaged in cliTool.jar. The cliTool.jar file contains JavaDocs that describe each of
the interfaces.

The content in this section provides detailed information about the Credential Manager APIs:
Prepare to Use the Credential CLI and Java API
Create a Java Program Using the Credential Manager Java API
Use the Credential Manager CLI

Prepare to Use the Credential CLI and Java API


This section shows you how to prepare a remote (client) computer so you can invoke the CLI and the
Java API.

To use the remote CLI or the Java API, you need the cliTool corresponding to the release of the
software running on the CA Privileged Access Manager appliance. The cliTool can be downloaded
from the CA Technologies support site. It contains the following files. Copy them to the desired
installation directory:

cliTool.jar

capam_command (for UNIX or Linux CLI access) or capam_command.bat (for Windows CLI
access)

javaAPIExample.java, to help you learn how to use the Java API. See also Java API Example
(https://docops.ca.com/display/CAPAM28/Java+API+Example) for a listing of the
javaAPIExample.java file.

In addition, the Java JRE must also be installed. Credential Manager supports Version 7. The Java JRE
can be downloaded from http://www.java.com.

If you are creating a Java application that uses the Java API, you also need the Java Version 7 SDK.

Configure Your Client Computer


To establish an HTTPS connection between the CA Privileged Access Manager appliance and your
client computer, the client application must trust the CA Privileged Access Manager certificate.

Use the following procedure to configure your client computer (the remote computer) to trust the CA
Privileged Access Manager certificate and use the CLI or Java API for Credential Manager operations.

Follow these steps:

1. Select Config, Security.

2. Download your CA Privileged Access Manager appliance certificate:

a. Scroll down the Security page to Download Certificate or CSR.

b. Select the certificate in use by the CA Privileged Access Manager appliance.

c. Click Download to copy the certificate to your access computer.


3. Generate a keystore using that certificate:

Note:

There are many ways in which you can generate the keystore; the following
example illustrates only one method.

a. Use KEYTOOL to import the certificate to your keystore:

For UNIX: $JAVA_HOME/bin/keytool -import -trustcacerts -file capam.crt -alias cspmserver -keystore capam.keystore

For Windows: %JAVA_HOME%\bin\keytool -import -trustcacerts -file capam.crt -alias cspmserver -keystore capam.keystore

In the previous KEYTOOL examples for UNIX and Windows, customers can substitute another
filename of their choosing with the .crt extension for capam.crt. However, customers must
specify the keystore name as capam.keystore.

b. Verify that the certificate was imported by listing the keystore contents:

For UNIX: $JAVA_HOME/bin/keytool -list -v -keystore capam.keystore

For Windows: %JAVA_HOME%\bin\keytool -list -v -keystore capam.keystore

c. Put the new keystore file (capam.keystore) in the same directory as cliTool.jar.

Create a Java Program Using the Credential Manager Java API

To develop a program using the Java API, add the cliTool.jar file as a build path dependency.
The resulting Java program also has a runtime dependency on the cliTool.jar file.

To run a program that uses the Java API, ensure that the cliTool.jar file is part of the classpath.
You access the Java API from a Java program by including the cliTool.jar in your project
classpath.

Use the following procedure to use the Java API to run CLI commands from your Java program.

Follow these steps:


1. Import the necessary classes. At a minimum, you require:

com.cloakware.cspm.common.AdminAPICommandNames
com.cloakware.cspm.common.AdminAPIParameterNames
com.cloakware.cspm.server.ui.Request
com.cloakware.cspm.server.ui.AdminAPI
com.cloakware.cspm.server.ui.Result

Base Model objects represent elements of the Credential Manager data model. They include
all objects that are derived from the BaseModel class, such as TargetAccount,
TargetApplication, TargetServer, Role, Request, RequestScript, and
RequestServer.

import com.cloakware.cspm.common.AdminAPICommandNames;
import com.cloakware.cspm.common.AdminAPIParameterNames;
import com.cloakware.cspm.server.ui.Request;
import com.cloakware.cspm.server.ui.AdminAPI;
import com.cloakware.cspm.server.ui.Result;

2. Instantiate the AdminAPI class:

AdminAPI adminAPI = new AdminAPI();

3. Log in to the Credential Manager server.


The Java API operates in a session-specific state, which requires you to log in to the CA
Privileged Access Manager appliance.
The CA Privileged Access Manager roles and Password Management groups (PM Groups)
assigned to the user determine their authorization to execute CLI commands. The user must
be a CA Privileged Access Manager user with the password management role, and with
membership in the sufficient PM Groups to execute the commands that are invoked. The CA
Privileged Access Manager group "Operational Administrator" is sufficient to execute CLI
commands, and PM Group "System Admin Group" contains full privileges to execute
password management CLI commands.

adminAPI.login(locationOfKeystore, userId, password);


4. Perform your CLI commands. You can run CLI commands by:

Creating a Request object and applying the AdminAPI execute method, or

If the command involves a Base Model object, you can create an instance of the Base
Model object and can run the AdminAPI add, update, or delete method.

For example, to add a target server using the Request object and AdminAPI execute
method:

Request myRequest = new Request();
myRequest.setCommand(AdminAPICommandNames.ADD_TARGET_SERVER);
myRequest.setParameter(AdminAPIParameterNames.ADD_TARGET_SERVER_HOST_NAME, "myhost.mycompany.com");
myRequest.setParameter(AdminAPIParameterNames.ADD_TARGET_SERVER_IP_ADDRESS, "12.12.12.12");
Result myResult = adminAPI.execute(myRequest);
System.out.println("result: "+ myResult.getStatusMessage());

For example, to add a target server using the TargetServer object and the AdminAPI add
method:

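// create the Base Model object first (assumes TargetServer has a no-argument constructor)
TargetServer myTargetServer = new TargetServer();
myTargetServer.setHostName("myhost.mydomain2.com");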
myTargetServer.setIPAddress("10.12.13.14");
Result myResult = adminAPI.add(myTargetServer);
System.out.println("result: "+ myResult.getStatusMessage());

5. When you have completed performing CLI commands, log out from the Credential Manager
server:

adminAPI.logout();

See also Java API Example (https://docops.ca.com/display/CAPAM28/Java+API+Example).

Use the Credential Manager CLI


The Credential Manager CLI provides administrative access to the password management functions
of the Credential Manager server, such as adding, modifying, and deleting target data and request
data. The CLI also provides access to a limited set of maintenance operations. The Remote CLI is
supported on UNIX, Linux, and Windows platforms.

Tip: The CLI often requires commands that are long. To allow commands to span multiple
lines in UNIX, use the continuation character \ (backslash).


Note: If a parameter value contains a space, enclose the entire value pair definition in
quotes. For example, enter "TargetApplication.name=AWS Access
Credential Accounts" rather than TargetApplication.name="AWS
Access Credential Accounts".

Install and Configure the Credential Management CLI


Using the CLI requires the additional file capam_command (UNIX/Linux) or capam_command.bat
(Windows). Place this file in the same directory as the capam.keystore and cliTool.jar file
(as described previously). For convenience, you may want to add this directory to your PATH.

On UNIX/Linux, define the variable CAPAM_DIR to point to the remote access installation directory:

export CAPAM_DIR=installationDir

To verify that the remote CLI works, execute a CLI command. For example, run:

capam_command adminUserID=admin capam=mycompany.com cmdName=getErrorCodes

The provided host name (mycompany.com) must match the server name that is used in the
certificate. If the certificate contains an IP address for the CA Privileged Access Manager appliance, it
can be used instead of mycompany.com.

You are prompted for the Credential Manager administrator password before the command
executes.

If the command executes successfully, it produces an XML string. See CLI Return Values.

Credential Manager CLI Command Execution


The Credential Manager command-line interface (CLI) allows you to interact with the CA Privileged
Access Manager appliance.

Use the following syntax on Windows or UNIX platforms to access the CLI with capam_command:

capam_command adminUserID=<user name> [adminPassword=<password>] [capam=<hostname>] cmdName=<command> [<parameter>=<value>]

On UNIX, traditional and GNU style aliases for some parameters exist:

capam=<hostname> can also be specified as -n <hostname>

adminUserID=<user name> can also be specified as -u <user name> or --adminUserID=<user name>

adminPassword=<password> can also be specified as -p <password> or --adminPassword=<password>

If you do not specify the password as an option, you are prompted for it before the command is
processed.

The roles that are assigned to the user determine the CLI user authorization. See Add Credential
Manager Roles and Groups
(https://docops.ca.com/display/CAPAM28/Add+Credential+Manager+Roles+and+Groups).

The CLI can process commands individually or as a batch sequence. In both cases, the commands and
argument values are the same.
Both the UNIX and Windows platforms support the CLI; however, due to restrictions in the number of
arguments that the Windows batch utility permits, you cannot run all commands individually. To
work around this limitation, use the batchSequence command.

CLI Return Values


The CLI returns an XML string for each command. The return string includes a status code, a status
description, and a result that consists of each of the parameters that are associated with the object of
the command. The following XML structure is an example:

<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
</CommandResult>

Use the getErrorCodes CLI command to produce a complete list of Credential Manager server
error codes. It takes no parameters. It produces an XML structure listing each error code and its
description.

For improved readability of the output, CA Technologies recommends that you direct the XML
structure to a separate file and then open it with an XML editor.

Example
This example directs the output of the getErrorCodes CLI command to a file named
error_codes.xml.

Use the following procedure to produce a complete list of Credential Manager server error codes.

Follow these steps:


1. Use the following command:

capam_command -u admin -p <password> capam=mycompany.com cmdName=getErrorCodes > error_codes.xml

Where <password> is the password of the admin account.


Credential Manager writes the XML output to the error_codes.xml file.

2. Open the error_codes.xml file with an XML editor, such as Notepad++.

Batch Command Execution


The CLI supports the batchSequence command to perform multiple CLI commands in a single
transaction. The CLI commands are specified as a sequence of XML elements in an XML-formatted
file. Batch processing is primarily intended for batch import of data, such as adding many target
accounts to Credential Manager; however, it can be used more generally. Batch processing can also
be used as an interface to the CLI by automated systems.

The XML schema for batch processing is listed in XML Schema for Batch Processing
(https://docops.ca.com/display/CAPAM28/XML+Schema+for+Batch+Processing). Use the XML schema to ensure that the file
used as input to the batchSequence command is well-formatted.

Example
Follow these steps:

1. Create a batch processing XML file to use as input for the batchSequence command. Use
the XML schema in XML Schema for Batch Processing
(https://docops.ca.com/display/CAPAM28/XML+Schema+for+Batch+Processing) to ensure that the file is well formatted.
For example, the following file is named AddAll.xml. The file encloses a CLI request
specifying two commands and their arguments. The two commands add a target application
and a target account within that application:


<?xml version="1.0" encoding="UTF-8"?>
<CLI_REQUEST
xmlns="http://www.cloakware.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.cloakware.com/opt/cloakware/cspmserver/tools/cli/cspmcli.xsd">
<COMMAND name="addTargetServer">
<COMMAND_PARAMETERS>
<PARAMETER>
<NAME>TargetServer.hostName</NAME>
<VALUE>Ottawa-Lab3.cloakware.com</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>TargetServer.ipAddress</NAME>
<VALUE>10.5.0.3</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>Attribute.descriptor1</NAME>
<VALUE>Ottawa</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>Attribute.descriptor2</NAME>
<VALUE>Lab</VALUE>
</PARAMETER>
</COMMAND_PARAMETERS>
</COMMAND>

<COMMAND name="addTargetApplication">
<COMMAND_PARAMETERS>
<PARAMETER>
<NAME>TargetServer.hostName</NAME>
<VALUE>Ottawa-Lab3.cloakware.com</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>TargetApplication.type</NAME>
<VALUE>Generic</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>TargetApplication.name</NAME>
<VALUE>Generic account type</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>Attribute.descriptor1</NAME>
<VALUE>Ottawa</VALUE>
</PARAMETER>
<PARAMETER>
<NAME>Attribute.descriptor2</NAME>
<VALUE>Lab</VALUE>
</PARAMETER>
</COMMAND_PARAMETERS>
</COMMAND>
</CLI_REQUEST>


2. Run the batch processing command with your file as input.

capam_command capam=pam02.ca.com adminUserID=admin cmdName=batchSequence inputfile=AddAll.xml outputfile=results.xml


3. Enter your password at the prompt.


After a brief moment of processing, Credential Manager presents the batch results as follows:

<BatchCommandResult>
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.commandName>addTargetServer</cr.commandName>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetServer>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Ottawa</Attribute.descriptor1>
<ID>3</ID>
<createDate>Mon Nov 12 17:18:41 EST 2007</createDate>
<updateDate>Mon Nov 12 17:18:41 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>qn/wPB8BBtxfu7/cJMKc3Bn+vCE=</hash>
<hostName>Ottawa-Lab3.cloakware.com</hostName>
<IPAddress>10.5.0.3</IPAddress>
</TargetServer>
</cr.result>
</CommandResult>

<CommandResult>
<cr.itemNumber>1</cr.itemNumber>
<cr.commandName>addTargetApplication</cr.commandName>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
<cr.result>
<TargetApplication>
<Attribute.descriptor2>Lab</Attribute.descriptor2>
<Attribute.descriptor1>Ottawa</Attribute.descriptor1>
<ID>3</ID>
<createDate>Mon Nov 12 17:18:41 EST 2007</createDate>
<updateDate>Mon Nov 12 17:18:41 EST 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>I8XvBL6zIT/mCaDwy/F58Q2Z9LI=</hash>
<targetServerID>3</targetServerID>
<type>Generic</type>
<name>Generic account type</name>
<policyID>0</policyID>
</TargetApplication>
</cr.result>
</CommandResult>
</BatchCommandResult>
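The batch round trip above, as an added example that is not part of the CA documentation or product code: it generates a CLI_REQUEST input file from structured data, so that parameter values are XML-escaped, and reads a result file to list every command whose cr.statusCode is not 400. The function names, the sample host name and the failing status code 9999 are constructed for illustration, and the optional xsi:schemaLocation attribute is omitted.

```python
import xml.etree.ElementTree as ET

NS = "http://www.cloakware.com"  # default namespace used by AddAll.xml
SUCCESS = "400"                  # status code of the successful results on this page


def build_batch(commands):
    """Serialize [(command_name, {parameter: value}), ...] as a CLI_REQUEST document.

    ElementTree escapes &, < and > in text, so a value such as a description
    or a password cannot break out of its <VALUE> element.
    """
    ET.register_namespace("", NS)  # emit xmlns="..." instead of an ns0: prefix
    root = ET.Element(f"{{{NS}}}CLI_REQUEST")
    for name, params in commands:
        command = ET.SubElement(root, f"{{{NS}}}COMMAND", {"name": name})
        plist = ET.SubElement(command, f"{{{NS}}}COMMAND_PARAMETERS")
        for key, value in params.items():
            param = ET.SubElement(plist, f"{{{NS}}}PARAMETER")
            ET.SubElement(param, f"{{{NS}}}NAME").text = key
            ET.SubElement(param, f"{{{NS}}}VALUE").text = str(value)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def failed_commands(result_xml):
    """Return one dict per <CommandResult> whose status code is not SUCCESS."""
    if b"<!DOCTYPE" in result_xml or b"<!ENTITY" in result_xml:
        raise ValueError("result file contains a DTD; refusing to parse it")
    root = ET.fromstring(result_xml)
    failures = []
    # iter() also yields the root, so a lone <CommandResult> is handled too.
    for item in root.iter("CommandResult"):
        fields = {child.tag: (child.text or "").strip() for child in item}
        if fields.get("cr.statusCode") != SUCCESS:
            failures.append({
                "item": fields.get("cr.itemNumber"),
                "command": fields.get("cr.commandName"),
                "code": fields.get("cr.statusCode"),
                "description": fields.get("cr.statusDescription"),
            })
    return failures


# Constructed input: same commands as AddAll.xml, with one value that needs escaping.
SAMPLE_COMMANDS = [
    ("addTargetServer", {"TargetServer.hostName": "lab3.example.com",
                         "TargetServer.ipAddress": "10.5.0.3",
                         "Attribute.descriptor1": "R&D <lab>"}),
    ("addTargetApplication", {"TargetServer.hostName": "lab3.example.com",
                              "TargetApplication.type": "Generic",
                              "TargetApplication.name": "Generic account type"}),
]

# Constructed result file: item 1 carries a made-up non-success code (9999),
# not a code taken from getErrorCodes.
SAMPLE_RESULTS = b"""<BatchCommandResult>
<CommandResult>
<cr.itemNumber>0</cr.itemNumber>
<cr.commandName>addTargetServer</cr.commandName>
<cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success</cr.statusDescription>
</CommandResult>
<CommandResult>
<cr.itemNumber>1</cr.itemNumber>
<cr.commandName>addTargetApplication</cr.commandName>
<cr.statusCode>9999</cr.statusCode>
<cr.statusDescription>Constructed failure</cr.statusDescription>
</CommandResult>
</BatchCommandResult>"""

if __name__ == "__main__":
    print(build_batch(SAMPLE_COMMANDS).decode("utf-8"))
    for failure in failed_commands(SAMPLE_RESULTS):
        print("FAILED", failure)
```

An automated import can write the bytes from build_batch to the inputfile, run batchSequence, and stop the pipeline when failed_commands returns a non-empty list for the outputfile.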


Credential Manager CLI Commands


You can use a command line interface to control and configure Credential Manager. This interface
allows administrators to provide scripted functionality to complete management and integration
tasks. The interface supports a limited subset of features that are available through the GUI and a few
commands that are only available through the CLI.

Use the Table of Contents to access the command descriptions.

addAuthorization
Use the addAuthorization command to add an authorization mapping, giving a requesting
application, request server, or request group permission to query credentials for a target alias or
target group. The Windows CLI allows up to nine parameters, including the mandatory adminUserID
and cspmHostName. To enter the addAuthorization command with more than nine parameters, use
the batchSequence command with an XML formatted input file.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addAuthorization
RequestServer.hostName=myhostname.mydomain.com RequestScript.name=example.pl
RequestScript.executionPath=/usr/tmp/examples Authorization.checkExecutionID=true
Authorization.executionUser=auser Authorization.checkPath=true TargetAlias.name=myaliasna
Authorization.checkScriptHash=true

Parameters
TargetAlias.name
Specifies the target alias name.

Required: One of TargetAlias.name, TargetAlias.ID, Authorization.targetGroupName or Authorization.targetGroupId is required.
Default Value: N/A
Valid Values: This value must match the target alias name registered in CA Privileged Access Manager Credential Manager.

TargetAlias.ID
Specifies the target alias ID.


Required: One of TargetAlias.name, TargetAlias.ID, Authorization.targetGroupName or Authorization.targetGroupId is required.
Default Value: N/A
Valid Values: Use searchTargetAlias to retrieve the TargetAlias.ID.

Authorization.targetGroupName
Specifies the target group name.

Required: One of TargetAlias.name, TargetAlias.ID, Authorization.targetGroupName or Authorization.targetGroupId is required.
Default Value: N/A
Valid Values: This value must match the target group name registered in CA Privileged Access Manager Credential Manager.

Authorization.targetGroupId
Specifies the target group ID.

Required: One of TargetAlias.name, TargetAlias.ID, Authorization.targetGroupName or Authorization.targetGroupId is required.
Default Value: N/A
Valid Values: Numeric.

RequestServer.hostName
Specifies the request server host name on which the requesting application resides.

Required: One of RequestServer.hostName, RequestServer.ID, Authorization.requestGroupName or Authorization.requestGroupId is required.
Default Value: N/A
Valid Values: This value must match the request server name registered in CA Privileged Access Manager Credential Manager.

RequestServer.ID
Specifies the request server ID on which the requesting application resides.

Required: One of RequestServer.hostName, RequestServer.ID, Authorization.requestGroupName or Authorization.requestGroupId is required.
Default Value: N/A
Valid Values: Use searchRequestServer to retrieve the RequestServer.ID.

Authorization.requestGroupName
Specifies the request group name the requesting application is a member of.


Required: One of RequestServer.hostName, RequestServer.ID, Authorization.requestGroupName or Authorization.requestGroupId is required.
Default Value: N/A
Valid Values: This value must match the request group name registered in CA Privileged Access Manager Credential Manager.

Authorization.requestGroupId
Specifies the request group name the requesting application is a member of.

Required: One of RequestServer.hostName, RequestServer.ID, Authorization.requestGroupName or Authorization.requestGroupId is required.
Default Value: N/A
Valid Values: Numeric.

RequestScript.name
Specifies the requesting application name.

Required: One of RequestScript.name or RequestScript.ID is required.
Default Value: N/A
Valid Values: This value must match the script name registered in CA Privileged Access Manager Credential Manager.

RequestScript.ID
Specifies the requesting application ID. Set this value to -1 to specify all request scripts for the
indicated request server. Setting this value to -1 also sets Authorization.checkPath,
Authorization.checkFilePath and Authorization.checkScriptHash to false.

Required Default Value Valid Values


yes N/A -1 or use searchRequestScript to retrieve the RequestScript.ID.

RequestScript.executionPath
Specifies the requesting application execution path, as registered in CA Privileged Access Manager
Credential Manager.

Required: Required if RequestScript.name is used.
Default Value: N/A
Valid Values: This value must match the script execution path registered in CA Privileged Access Manager Credential Manager.

Authorization.checkExecutionID
Set Authorization.checkExecutionID=true to indicate that the execution user ID be validated.


Required Default Value Valid Values


no false true, false

Authorization.executionUser
A comma delimited list of execution user IDs. The IDs are only validated if
Authorization.checkExecutionID=true.

Required Default Value Valid Values


no N/A String.

Authorization.checkPath
Set Authorization.checkPath=true to indicate that the script execution path be validated.

Required Default Value Valid Values


no false true, false

Authorization.checkFilePath
Set Authorization.checkFilePath=true to indicate that the script file path be validated.

Required Default Value Valid Values


no false true, false

Authorization.checkScriptHash
Set Authorization.checkScriptHash=true to indicate script hash integrity verification be performed.

Required Default Value Valid Values


no false true, false
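A pre-submission review of addAuthorization parameters, as an added example that is not part of the CA documentation or product code: it applies the "one of ... is required" rules and the defaults listed above, and reports every verification check that the mapping leaves off. The function name, the finding format and the sample values are constructed for illustration; the TargetAlias.name value is constructed because the page's example value is cut off.

```python
TARGET_SELECTORS = ("TargetAlias.name", "TargetAlias.ID",
                    "Authorization.targetGroupName", "Authorization.targetGroupId")
REQUEST_SELECTORS = ("RequestServer.hostName", "RequestServer.ID",
                     "Authorization.requestGroupName", "Authorization.requestGroupId")
# All four checks default to false according to the parameter tables.
CHECKS = ("Authorization.checkExecutionID", "Authorization.checkPath",
          "Authorization.checkFilePath", "Authorization.checkScriptHash")


def is_true(params, key):
    return str(params.get(key, "false")).strip().lower() == "true"


def review_authorization(params):
    """Return a list of (severity, parameter, message) for one addAuthorization call."""
    findings = []
    if not any(key in params for key in TARGET_SELECTORS):
        findings.append(("error", "target selector",
                         "one of " + ", ".join(TARGET_SELECTORS) + " is required"))
    if not any(key in params for key in REQUEST_SELECTORS):
        findings.append(("error", "request selector",
                         "one of " + ", ".join(REQUEST_SELECTORS) + " is required"))

    has_name = "RequestScript.name" in params
    if not has_name and "RequestScript.ID" not in params:
        findings.append(("error", "RequestScript",
                         "RequestScript.name or RequestScript.ID is required"))
    if has_name and "RequestScript.executionPath" not in params:
        findings.append(("error", "RequestScript.executionPath",
                         "required when RequestScript.name is used"))

    # -1 means all request scripts on the request server, and it also sets
    # checkPath, checkFilePath and checkScriptHash to false.
    all_scripts = str(params.get("RequestScript.ID", "")).strip() == "-1"
    if all_scripts:
        findings.append(("warning", "RequestScript.ID",
                         "-1 authorizes all request scripts on the request server"))

    for check in CHECKS:
        forced_off = all_scripts and check != "Authorization.checkExecutionID"
        if forced_off:
            findings.append(("warning", check, "set to false by RequestScript.ID=-1"))
        elif not is_true(params, check):
            findings.append(("warning", check, "not enabled (default is false)"))

    if "Authorization.executionUser" in params and \
            not is_true(params, "Authorization.checkExecutionID"):
        findings.append(("warning", "Authorization.executionUser",
                         "only validated if Authorization.checkExecutionID=true"))
    return findings


# The addAuthorization example from this page, with a constructed alias name.
PAGE_EXAMPLE = {
    "RequestServer.hostName": "myhostname.mydomain.com",
    "RequestScript.name": "example.pl",
    "RequestScript.executionPath": "/usr/tmp/examples",
    "Authorization.checkExecutionID": "true",
    "Authorization.executionUser": "auser",
    "Authorization.checkPath": "true",
    "TargetAlias.name": "myalias",
    "Authorization.checkScriptHash": "true",
}

# Constructed mapping that uses the -1 wildcard.
WILDCARD_EXAMPLE = {
    "TargetAlias.ID": "7",
    "RequestServer.ID": "3",
    "RequestScript.ID": "-1",
    "Authorization.checkScriptHash": "true",
    "Authorization.executionUser": "auser",
}

if __name__ == "__main__":
    for label, params in (("page", PAGE_EXAMPLE), ("wildcard", WILDCARD_EXAMPLE)):
        for finding in review_authorization(params):
            print(label, *finding, sep=" | ")
```

For the page's own example the only finding is that Authorization.checkFilePath is left at its default of false.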

addFilter
Use the addFilter command to add a filter to a target group or request group. The group must first be
added using the addGroup command.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addFilter Group.ID=3 Filt


Parameters
Group.ID
Specifies the ID of the request or target group. It must be an integer >= 1.

Required Default Value Valid Values


yes N/A Integer

Filter.objectClassId
Specifies the type of object to filter. Class IDs are specific to group type.

Required Default Value Valid Values


yes N/A c.cw.m.ts, c.cw.m.tp, c.cw.m.ac, c.cw.m.rs, c.cw.m.sc

Filter.attribute
Specifies the filter attribute. If static, attribute must be ID. If dynamic, attributes are specific to
objectClassId.

Required Default Value Valid Values


yes N/A String.

Filter.type
Specifies the filter type. If group is static, only equals is valid.

Required Default Value Valid Values


yes N/A equals, beginswith, contains, endswith, notcontains

Filter.expression
Specifies the filter expression. If the group is static, the expression can only be an integer >= 1.

Required Default Value Valid Values


yes N/A String, Integer

addGroup
Use the addGroup command to add either a target or request group to CA Privileged Access
Manager. Use the addFilter command to add filters to the group.


Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addGroup Group.name=Tokyo
Group.description="Targets in Tokyo" Group.type=target

Parameters
Group.name
Specifies the name of the target or request group.

Required Default Value Valid Values


yes N/A String

Group.description
Specifies the description of the group.

Required Default Value Valid Values


no N/A String

Group.type
Set Group.type=requestor for Request groups. Set Group.type=target for Target groups.

Required Default Value Valid Values


yes N/A requestor, target

Group.dynamic
Set Group.dynamic=true for dynamic Request/Target groups, false for static Request/Target groups.

Required Default Value Valid Values


no true true, false

Group.permissions
ArrayList object of filters, or XML encoded ArrayList of filters. If not set, the filters are cleared.

Required Default Value Valid Values


no N/A XML

Required Default Value Valid Values


yes N/A String, Integer


addPasswordPolicy
Use the addPasswordPolicy command to add a Password Composition Policy in CA Privileged Access
Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addPasswordPolicy
PasswordPolicy.name=passwordPolicyName
Attribute.composedOfUpperCaseCharacters=true Attribute.firstCharacterUpperCase=true

Parameters
PasswordPolicy.name
The name of the password policy.

Required Default Value Valid Values


Yes None String

PasswordPolicy.description
The description of the password policy.

Required Default Value Valid Values


No Blank String

Attribute.passwordPrefix
The prefix for all passwords mandated by your password policy.

Required Default Value Valid Values


No None Constrained by your other settings.

Attribute.composedOfUpperCaseCharacters
Set to true to mandate that your password policy requires upper case characters.

Required Default Value Valid Values


No false true, false


Attribute.composedOfLowerCaseCharacters
Set to true to mandate that your password policy requires lower case characters.

Required Default Value Valid Values


No false true, false

Attribute.composedOfNumericCharacters
Set to true to mandate that your password policy requires numeric characters.

Required Default Value Valid Values


No false true, false

Attribute.composedOfSpecialCharacters
Set to true to mandate that your password policy requires special characters.

Required Default Value Valid Values


No false true, false

Attribute.specialCharacters
The list of all special characters allowed by your password policy.

Required Default Value Valid Values


No None !#$%()*+,-./:;=?@[\\]^_`{|}~

Attribute.firstCharacterUpperCase
Set to true to mandate that your password policy requires the first character to be upper case. If you
select more than one first character requirement, they are combined. For example, if both
Attribute.firstCharacterUpperCase and Attribute.firstCharacterLowerCase are true, then the policy requires the
first character to be either upper or lower case.

Required Default Value Valid Values


No false true, false

Attribute.firstCharacterLowerCase
Set to true to mandate that your password policy requires the first character to be lower case. If you
select more than one first character requirement, they are combined. For example, if both
Attribute.firstCharacterUpperCase and Attribute.firstCharacterLowerCase are true, then the policy requires the
first character to be either upper or lower case.


Required Default Value Valid Values


No false true, false

Attribute.firstCharacterNumeric
Set to true to mandate that your password policy requires the first character to be numeric. If you
select more than one first character requirement, they are combined. For example, if both
Attribute.firstCharacterUpperCase and Attribute.firstCharacterNumeric are true, then the policy requires the
first character to be either upper case or numeric.

Required Default Value Valid Values


No false true, false

Attribute.firstCharacterSpecial
Set to true to mandate that your password policy requires the first character to be a special
character. If you select more than one first character requirement, they are combined. For example,
if both Attribute.firstCharacterUpperCase and Attribute.firstCharacterSpecial are true, then the policy
requires the first character to be either upper case or a special character.

Required Default Value Valid Values


No false true, false

Attribute.firstCharacterSpecials
The list of all special characters allowed as a first character by your password policy.

Required Default Value Valid Values


No None !#$%()*+,-./:;=?@[\\]^_`{|}~

Attribute.mustNotContainConsecutiveDuplicateCharacters
Set to true to mandate that your password policy does not allow any repeating characters.

Required Default Value Valid Values


No false true, false

Attribute.mustNotContainAnyDuplicateCharacters
Set to true to mandate that your password policy does not allow any duplicate characters.

Required Default Value Valid Values


No false true, false


Attribute.mustNotContainCharacters
Set to true to mandate that your password policy prohibits certain upper case, lower case, or numeric
characters.

Required Default Value Valid Values


No false true, false

Attribute.composedOfMustNotContainCharacters
The list of all characters that your password policy does not allow. Do not prohibit characters that are
allowed in other attributes.

Required Default Value Valid Values


No Blank ABCDEFGHIJKLMONPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

Attribute.minLength
Set the minimum password length, in characters, that your password policy mandates.

Required Default Value Valid Values


No 4 Numeric

Attribute.maxLength
Set the maximum password length, in characters, that your password policy mandates.

Required Default Value Valid Values


No 16 Numeric

Attribute.minIterationsBeforeReuse
Set the minimum number of iterations before a password can be reused.

Required Default Value Valid Values


No 0 Numeric

Attribute.minDaysBeforeReuse
Set the minimum number of days before a password can be reused.

Required Default Value Valid Values


No 0 Numeric


Attribute.enableMaxPasswordAge
Set to true to enable maximum password age in your password policy.

Required Default Value Valid Values


No false true, false

Attribute.maxPasswordAge
Set the maximum password age in days. After this many days, passwords will have to be changed.

Required Default Value Valid Values


Yes, if Attribute.enableMaxPasswordAge is set to true. None Numeric
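A checker for the composition attributes above, as an added example that is not part of the CA documentation or product code: it tests a candidate password against a dictionary of addPasswordPolicy attributes and shows how several firstCharacter* requirements combine into an either/or rule. It assumes that a composedOf*Characters attribute means "at least one character of that class", that an unset special-character list falls back to the full list of valid values, and it does not model passwordPrefix, reuse or age settings. The function name and the sample passwords are constructed.

```python
import string

# Valid values listed for Attribute.specialCharacters and Attribute.firstCharacterSpecials.
SPECIALS = "!#$%()*+,-./:;=?@[\\]^_`{|}~"


def _on(policy, name):
    """True if the boolean attribute Attribute.<name> is set to true (default false)."""
    return str(policy.get("Attribute." + name, "false")).strip().lower() == "true"


def policy_violations(policy, password):
    """Return the names of the policy rules that the password breaks."""
    classes = {
        "UpperCase": set(string.ascii_uppercase),
        "LowerCase": set(string.ascii_lowercase),
        "Numeric": set(string.digits),
    }
    body = dict(classes, Special=set(policy.get("Attribute.specialCharacters", SPECIALS)))
    first = dict(classes, Special=set(policy.get("Attribute.firstCharacterSpecials", SPECIALS)))
    found = []

    # Documented defaults: minLength 4, maxLength 16.
    low = int(policy.get("Attribute.minLength", 4))
    high = int(policy.get("Attribute.maxLength", 16))
    if not low <= len(password) <= high:
        found.append("length")

    # Assumption: each enabled class must appear at least once.
    for name, chars in body.items():
        if _on(policy, f"composedOf{name}Characters") and not chars & set(password):
            found.append(f"composedOf{name}Characters")

    # Several first-character requirements are combined: the first character
    # may belong to any one of the enabled classes.
    allowed_first = set()
    for name, chars in first.items():
        if _on(policy, f"firstCharacter{name}"):
            allowed_first |= chars
    if allowed_first and password[:1] not in allowed_first:
        found.append("firstCharacter")

    if _on(policy, "mustNotContainConsecutiveDuplicateCharacters") and \
            any(a == b for a, b in zip(password, password[1:])):
        found.append("mustNotContainConsecutiveDuplicateCharacters")
    if _on(policy, "mustNotContainAnyDuplicateCharacters") and \
            len(set(password)) != len(password):
        found.append("mustNotContainAnyDuplicateCharacters")
    if _on(policy, "mustNotContainCharacters"):
        banned = set(policy.get("Attribute.composedOfMustNotContainCharacters", ""))
        if banned & set(password):
            found.append("mustNotContainCharacters")
    return found


# Constructed policy: upper case and numeric required, first character upper
# case or numeric, no repeated neighbours, at least 8 characters.
SAMPLE_POLICY = {
    "Attribute.composedOfUpperCaseCharacters": "true",
    "Attribute.composedOfNumericCharacters": "true",
    "Attribute.firstCharacterUpperCase": "true",
    "Attribute.firstCharacterNumeric": "true",
    "Attribute.mustNotContainConsecutiveDuplicateCharacters": "true",
    "Attribute.minLength": "8",
}

if __name__ == "__main__":
    for candidate in ("Qx7mRt2p", "7xQmRt2p", "xQ7mRt2p", "Qx77Rt2p", "Qx7"):
        print(candidate, policy_violations(SAMPLE_POLICY, candidate))
```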

addPasswordViewPolicy
Use the addPasswordViewPolicy command to add a password view policy to CA Privileged Access
Manager Credential Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addPasswordViewPolicy
PasswordViewPolicy.name=restrictedAccounts PasswordViewPolicy.changePasswordOnView=true
PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterva

Parameters
PasswordViewPolicy.name
The name of the password view policy.

Required Default Value Valid Values


yes N/A String.

PasswordViewPolicy.description
A description of the password view policy.

Required Default Value Valid Values


no N/A String.


PasswordViewPolicy.changePasswordOnView
Set PasswordViewPolicy.changePasswordOnView=true to indicate that CA Privileged Access Manager
Credential Manager should change the password after a password view request.

Required Default Value Valid Values


no false true, false

PasswordViewPolicy.allowChangePasswordOnViewForSso
Set PasswordViewPolicy.allowChangePasswordOnViewForSso=true to indicate that CA Privileged
Access Manager Credential Manager should change the password after a password SSO request
(retrieved but not viewed).

Required Default Value Valid Values


no false true, false

PasswordViewPolicy.passwordChangeInterval
Determines the length of time (in minutes) before the password is changed if
changePasswordOnView is set to true.

Required: Must be specified if PasswordViewPolicy.changePasswordOnView is true.
Default Value: 60
Valid Values: Numeric value greater than 0.

PasswordViewPolicy.checkinCheckoutRequired
Set PasswordViewPolicy.checkinCheckoutRequired=true to indicate that an account must be checked
out before the password can be viewed. When checked out, the account's password cannot be
changed.

Required Default Value Valid Values


no false true, false

PasswordViewPolicy.checkinCheckoutInterval
Determines the length of time (in minutes) an account can remain checked out before it is
automatically checked back in by the system.

Required: Must be specified if PasswordViewPolicy.checkinCheckoutRequired is true.
Default Value: 60
Valid Values: Numeric value greater than 0.


PasswordViewPolicy.dualAuthorization
Set PasswordViewPolicy.dualAuthorization=true to indicate that a request to view a password must
be approved by another user before proceeding.

Required Default Value Valid Values


no false true, false

PasswordViewPolicy.dualAuthorizationInterval
Determines the default length of time (in minutes) a password view request remains active in the
system.

Required: Must be specified if PasswordViewPolicy.dualAuthorization is true.
Default Value: 60
Valid Values: Numeric value greater than 0.

PasswordViewPolicy.approvers
The list of users who are authorized to approve or deny password requests for accounts that use this
password policy.

Required: One of PasswordViewPolicy.approvers or PasswordViewPolicy.approverIDs must be specified if PasswordViewPolicy.dualAuthorization is true.
Default Value: N/A
Valid Values: List of comma-separated usernames. Example: jbauer,mdessler,dpalmer

PasswordViewPolicy.approverIDs
The list of user IDs who are authorized to approve or deny password requests for accounts that use
this password policy.

Required: One of PasswordViewPolicy.approvers or PasswordViewPolicy.approverIDs must be specified if PasswordViewPolicy.dualAuthorization is true.
Default Value: Use searchUser to retrieve a list of user IDs
Valid Values: List of comma-separated user IDs. Example: 11,19,15

PasswordViewPolicy.authenticationRequired
Set PasswordViewPolicy.authenticationRequired=true to indicate that the requesting user must
provide their password before viewing the account.

Required Default Value Valid Values


no true true, false


PasswordViewPolicy.enableOneClickApproval
Set PasswordViewPolicy.enableOneClickApproval=true to enable one click dual authorization
approval. When enabled, dual authorization emails will include links to allow the approver to approve
requests without logging into the system.

Required Default Value Valid Values


no false true, false

PasswordViewPolicy.passwordViewRequestMaxInterval
The maximum interval between the start and end date of a dual authorization password view
request.

Required Default Value Valid Values


no 60 Numeric value greater than 0.

PasswordViewPolicy.passwordViewRequestMaxDays
The maximum number of days in the future that a password view request can be requested.

Required Default Value Valid Values


no 14 Numeric value greater than 0.

addRequestScript
Use the addRequestScript command to add a request application to CA Privileged Access Manager
Credential Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addRequestScript
RequestServer.hostName=myhostname.mydomain.com RequestScript.name=example.pl
RequestScript.executionPath=/usr/tmp/examples RequestScript.filePath=/usr/tmp/examples
RequestScript.type=Perl

Parameters
RequestServer.hostName
The request server host name on which the requesting application resides.


Required: One of RequestServer.hostName or RequestServer.ID is required.
Default Value: N/A
Valid Values: This value must match the request server name registered in CA Privileged Access Manager Credential Manager.

RequestServer.ID
The request server ID on which the requesting application resides.

Required: One of RequestServer.hostName or RequestServer.ID is required.
Default Value: N/A
Valid Values: Use searchRequestServer to retrieve the RequestServer.ID.

RequestScript.name
The requesting application name.

Required Default Value Valid Values


yes N/A String.

RequestScript.executionPath
The location from which the requesting application will be executed.

Required Default Value Valid Values


yes N/A String.

RequestScript.filePath
The location in which the requesting application resides.

Required Default Value Valid Values


no N/A String.

RequestScript.type
The programming language in which the requesting application is written.

Required Default Value Valid Values


yes N/A C, C++, C#, csh, Java, ksh, Perl, ksh, VB, VB.NET, VC++, Other

Attribute.descriptor1
A text description field. Use this field as a filter for dynamic authorization groupings.


Required Default Value Valid Values

no N/A String.

Attribute.descriptor2
A text description field. Use this field as a filter for dynamic authorization groupings.

Required Default Value Valid Values


no N/A String.

addRequestServer
Use the addRequestServer command to add a request server (CA Privileged Access Manager
Credential Manager client) to CA Privileged Access Manager Credential Manager. This command can
also be used to register Windows Proxies. CA Technologies recommends that you use the auto-
discovery feature for adding request servers.

Example
cspmserver_admin adminUserID=admin cmdName=addRequestServer
RequestServer.hostName=myhostname.mydomain.com RequestServer.active=true
RequestServer.autoPatch=true RequestServer.type=CLIENT

Parameters
RequestServer.hostName
The host name of the request server.

Required Default Value Valid Values


yes N/A String

RequestServer.deviceName
The device name of the request server.

Required Default Value Valid Values


no Same as host name. String

RequestServer.active
Set RequestServer.active=true to activate the request server. Set RequestServer.active=false to
deactivate the request server.


Required Default Value Valid Values


no false true, false

RequestServer.autoPatch
Set RequestServer.autoPatch=true to indicate that patches should be applied automatically.

Required Default Value Valid Values


no false true, false

RequestServer.preserveHostName
Set RequestServer.preserveHostName=true to indicate that the request server host name should not
be overwritten each time the client registers.

Required: no
Default Value: Determined by the value of system property setting "AppDefaultPreserveClientHostName".
Valid Values: true, false

RequestServer.type
Set RequestServer.type=CLIENT to indicate that the server is a request server. Set
RequestServer.type=AGENT to indicate that the server is a CA Privileged Access Manager Credential Manager
Windows Proxy.

Required Default Value Valid Values


no CLIENT CLIENT, AGENT

Attribute.descriptor1
A text description field. Use this field as a filter for dynamic authorization groupings.

Required Default Value Valid Values


no N/A String

Attribute.descriptor2
A text description field. Use this field as a filter for dynamic authorization groupings.

Required Default Value Valid Values


no N/A String


addRequestServerDefaults
Use the addRequestServerDefaults command to add request server defaults to CA Privileged Access
Manager Credential Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addRequestServerDefaults
RequestServerDefaults.subnet=192.168.0.0/16
RequestServerDefaults.active=true
RequestServerDefaults.type=CLIENT
RequestServerDefaults.descriptor1=awsApiProxy

Parameters
RequestServerDefaults.subnet
The subnet filter to apply defaults to request servers.

Required Default Value Valid Values


yes N/A String

RequestServerDefaults.type
The type filter to apply defaults to request servers.

Required Default Value Valid Values


yes CLIENT, AGENT, ALL

RequestServerDefaults.active
The default setting for RequestServer.active during auto-register.

Required Default Value Valid Values


yes true, false

RequestServerDefaults.descriptor1
The default setting for Attribute.descriptor1 during auto-register.

Required Default Value Valid Values


no String


RequestServerDefaults.descriptor2
The default setting for Attribute.descriptor2 during auto-register.

Required Default Value Valid Values


no String

addRole
Use the addRole command to add a user role to Credential Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addRole Role.name=myRole
Role.description="Manages patches" Role.permissions="activatePatch,addPatch,deletePatch,getPatchDetail,listPatch,updatePatch"

Parameters
Role.name
The name of the role.

Required Default Value Valid Values


yes N/A String. A unique name in Credential Manager

Role.description
The description of the role.

Required Default Value Valid Values


no N/A String.

Role.permissions
A comma delimited list of permissions.

Required: yes
Default Value: N/A
Valid Values: String. See Credential Manager CLI User Interface Actions (see page 223) for a list of valid user interface actions.


addSite
Use the addSite command to add a secondary site to CA Privileged Access Manager when the CA
Privileged Access Manager server is configured for multi-site.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=addSite Site.name=secondary Site.type=secondary
Site.hostName=tokyo1.company.com

Parameters
Site.name
The name of the site being added.

Required Default Value Valid Values


yes N/A String.

Site.type
Use Site.type=secondary if you are adding a secondary site.

Required Default Value Valid Values


yes N/A secondary

Site.hostName
The host name of the site being added. The hostName value is used for site-to-site communication.

Required Default Value Valid Values


yes N/A String. The fully qualified host name.

addSSHKeyPairPolicy
Use the addSSHKeyPairPolicy command to add an SSH Key Pair Policy to CA Privileged Access
Manager.

Example
https://<CAPAM-HOST>/cspm/servlet/adminCLI


?responseType=xmlResponse
&adminUserID=super
&adminPassword=<PASSWORD>
&cmdName=addSSHKeyPairPolicy
&SSHKeyPairPolicy.name=Testing
&SSHKeyPairPolicy.keyType=RSA
&SSHKeyPairPolicy.keyLength=2048

Parameters
SSHKeyPairPolicy.name
The policy name.

Required Default Value Valid Values


Yes N/A A String

SSHKeyPairPolicy.description
The policy description.

Required Default Value Valid Values


No N/A A String

SSHKeyPairPolicy.keyType
The key type.

Required Default Value Valid Values


Yes N/A RSA or DSA

SSHKeyPairPolicy.keyLength
The key length.

Required: Yes
Default Value: N/A
Valid Values: Varies depending on key type. The supported DSA key lengths are 512 and 1024 bits. The supported RSA key lengths are 1024, 2048 and 4096 bits.
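
A pre-flight check for the keyType and keyLength combinations listed above, as an added example that is not part of the CA documentation. The function names and the 2048-bit floor are assumptions of this example; the admin credentials shown in the example URL are deliberately not part of the encoded string, so the result can be logged.

```python
from urllib.parse import urlencode

# Key lengths the reference above lists as supported, per key type.
SUPPORTED_KEY_LENGTHS = {"RSA": (1024, 2048, 4096), "DSA": (512, 1024)}

# Assumption: a local policy floor, not a product setting. Shorter keys are
# accepted by the command but fall below current key-strength guidance.
# Every supported DSA length is under this floor, so DSA always warns.
MIN_ACCEPTABLE_BITS = 2048


def check_ssh_key_pair_policy(key_type, key_length):
    """Return (errors, warnings) for a proposed keyType/keyLength pair."""
    errors, warnings = [], []
    lengths = SUPPORTED_KEY_LENGTHS.get(key_type)
    if lengths is None:
        errors.append(f"keyType {key_type!r} is not RSA or DSA")
    elif key_length not in lengths:
        errors.append(
            f"{key_type} keyLength {key_length} is not one of {list(lengths)}")
    elif key_length < MIN_ACCEPTABLE_BITS:
        warnings.append(
            f"{key_type} {key_length} is supported but below the "
            f"{MIN_ACCEPTABLE_BITS}-bit floor")
    return errors, warnings


def build_add_policy_params(name, key_type, key_length,
                            description=None, allow_weak=False):
    """Build addSSHKeyPairPolicy parameters, refusing bad or weak pairs."""
    if not name:
        raise ValueError("SSHKeyPairPolicy.name is required")
    errors, warnings = check_ssh_key_pair_policy(key_type, key_length)
    if errors or (warnings and not allow_weak):
        raise ValueError("; ".join(errors + warnings))
    params = {
        "cmdName": "addSSHKeyPairPolicy",
        "SSHKeyPairPolicy.name": name,
        "SSHKeyPairPolicy.keyType": key_type,
        "SSHKeyPairPolicy.keyLength": str(key_length),
    }
    if description:
        params["SSHKeyPairPolicy.description"] = description
    return params


def encode_params(params):
    """URL-encode the command parameters (no adminUserID/adminPassword)."""
    return urlencode(params)


if __name__ == "__main__":
    print(encode_params(build_add_policy_params("Testing", "RSA", 2048)))
    for pair in (("DSA", 1024), ("RSA", 3072)):
        print(pair, check_ssh_key_pair_policy(*pair))
```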

addTargetAccount
Use addTargetAccount to add a target account to CA Privileged Access Manager Credential Manager.
Additional parameters may be required, depending upon the Target Application Type. For a
description of these additional parameters, see the CA Privileged Access Manager user
documentation for the appropriate turnkey target connector.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addTargetAccount
TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication
TargetAccount.userName=sysop1 TargetAccount.password=sys0p2
TargetAccount.cacheBehavior=useCacheFirst TargetAccount.cacheDuration=17
Attribute.descriptor1="Lab" Attribute.descriptor2="Ottawa"

Parameters
TargetServer.hostName
The host name for the target server on which the target account resides.

Required: Either TargetServer.hostName and TargetApplication.name; or TargetApplication.ID is required.
Default Value: N/A
Valid Values: This value must match a target server name registered in CA Privileged Access Manager Credential Manager.

TargetApplication.name
The target application name on which the target account is hosted.

Required: One of TargetApplication.name or TargetApplication.ID is required.
Default Value: N/A
Valid Values: This value must match a target application name registered in CA Privileged Access Manager Credential Manager.

TargetApplication.ID
The target application ID on which the target account is hosted.

Required: One of TargetApplication.name or TargetApplication.ID is required.
Default Value: N/A
Valid Values: Use searchTargetApplication to retrieve the TargetApplication.ID.

TargetAccount.userName
The user name for the target account.

Required: yes
Default Value: N/A
Valid Values: String. TargetAccount.userName must match exactly the user name in the target application.

TargetAccount.password
The password for the target account.

Required: yes
Default Value: N/A
Valid Values: The initial password must be the same as the password on the target account, unless a user with more privileges (for example, root) is used to synchronize this password. If a password policy is associated with the target application, the password value must adhere to the password policy. In addition to compliance with password policy constraints, a password must be a minimum of 1 character and a maximum of 255 characters in length.

TargetAccount.cacheAllow
This parameter is deprecated. Use TargetAccount.cacheBehavior. Set TargetAccount.cacheAllow=true
to have credentials for this account cached in the CA Privileged Access Manager Credential Manager
client.

Required Default Value Valid Values


no true true, false

TargetAccount.cacheBehavior
Set TargetAccount.cacheBehavior=useCacheFirst to have the credentials for this account cached in
the CA Privileged Access Manager Credential Manager client and used first. If
TargetAccount.cacheBehavior=useServerFirst, the credentials for this account are cached in the CA
Privileged Access Manager Credential Manager client but the Server is contacted first. Set
TargetAccount.cacheBehavior=noCache to ensure that the credentials for this account are not cached
in the CA Privileged Access Manager Credential Manager client.

Required Default Value Valid Values


no useCacheFirst useCacheFirst, useServerFirst, noCache

TargetAccount.cacheDuration
Use TargetAccount.cacheDuration to specify the number of days the account credentials are
permitted to reside in a CA Privileged Access Manager Credential Manager client cache.

Required Default Value Valid Values


no 30 1 - 356

TargetAccount.privileged
Set TargetAccount.privileged=true to indicate that this account is a privileged account. Set
TargetAccount.privileged=false to indicate that this account is an application-to-application account.

Required Default Value Valid Values


no false true, false

TargetAccount.accessType
Use this text field for reference purposes.

Required Default Value Valid Values


no N/A String.

TargetAccount.synchronize
Set TargetAccount.synchronize=true to indicate that the password stored in CA Privileged Access
Manager Credential Manager should be synchronized with the password on the target system. This
functionality is not supported with Target Application Type Generic. This functionality is not
supported when TargetAccount.compoundAccount=true.

Required Default Value Valid Values


no false true, false

Attribute.descriptor1
A text description field. Use this field as a filter for dynamic authorization groupings.

Required Default Value Valid Values


no N/A String.

Attribute.descriptor2
A text description field. Use this field as a filter for dynamic authorization groupings.

Required Default Value Valid Values


no N/A String.

PasswordViewPolicy.name
The name of a PasswordViewPolicy attached to this account.

Required Default Value Valid Values


no The system default PasswordViewPolicy String

TargetAlias.name
A comma separated list of TargetAlias.name values. This parameter is dependent on the value of
useTargetAliasNameParameter being true.

Required Default Value Valid Values


no N/A comma separated String values

useTargetAliasNameParameter
A flag that, when true, adds or deletes TargetAliases for this account using the values specified in
the TargetAlias.name parameter.

Required Default Value Valid Values


no. false true|false

TargetAccount.compoundAccount
A flag that, when true, adds or deletes Compound TargetServers for this account using the values
specified in the TargetAccount.compoundServerIDs parameter.

Required Default Value Valid Values


no. false true|false

TargetAccount.compoundServerIDs
List of target server IDs to use as compound servers

Required Default Value Valid Values


no. n/a comma separated target server ID values

passwordIsBase64Encoded
A flag that, when true, indicates that the specified password has been Base64-encoded and must be
decoded before being stored.

Required Default Value Valid Values


no. false true|false
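
One way to assemble an addTargetAccount call that respects the limits documented above, as an added example that is not CA's code. The function names, the application_type hint and UTF-8 as the password encoding are assumptions of this example; the returned list is meant for a process launcher that does not go through a shell.

```python
import base64

# Valid values for TargetAccount.cacheBehavior, from the reference above.
CACHE_BEHAVIORS = ("useCacheFirst", "useServerFirst", "noCache")
PASSWORD_ARG = "TargetAccount.password="


def build_add_target_account_args(host_name, application_name, user_name,
                                  password, *, cache_behavior="useCacheFirst",
                                  cache_duration=30, synchronize=False,
                                  compound_account=False, application_type=None,
                                  cspm_host="paServer", admin_user="admin"):
    """Validate against the documented limits and return an argv list.

    application_type is a hypothetical hint supplied by the caller (it is not
    an addTargetAccount parameter); it is only used to reject synchronize=true
    for Target Application Type Generic.
    """
    problems = []
    if not 1 <= len(password) <= 255:
        problems.append("TargetAccount.password must be 1 to 255 characters")
    if cache_behavior not in CACHE_BEHAVIORS:
        problems.append(f"cacheBehavior must be one of {list(CACHE_BEHAVIORS)}")
    if not 1 <= cache_duration <= 356:  # range as printed in the reference
        problems.append("cacheDuration must be between 1 and 356 days")
    if synchronize and compound_account:
        problems.append("synchronize is not supported with compoundAccount=true")
    if synchronize and application_type == "Generic":
        problems.append("synchronize is not supported with type Generic")
    if problems:
        raise ValueError("; ".join(problems))

    # Assumption: the password is UTF-8 encoded before Base64. Base64 avoids
    # quoting problems with special characters; it is reversible, so the
    # encoded value needs the same handling as the clear-text password.
    encoded = base64.b64encode(password.encode("utf-8")).decode("ascii")
    return [
        "cspmserver_admin",
        f"cspmHostName={cspm_host}",
        f"adminUserID={admin_user}",
        "cmdName=addTargetAccount",
        f"TargetServer.hostName={host_name}",
        f"TargetApplication.name={application_name}",
        f"TargetAccount.userName={user_name}",
        PASSWORD_ARG + encoded,
        "passwordIsBase64Encoded=true",
        f"TargetAccount.cacheBehavior={cache_behavior}",
        f"TargetAccount.cacheDuration={cache_duration}",
        f"TargetAccount.synchronize={str(synchronize).lower()}",
        f"TargetAccount.compoundAccount={str(compound_account).lower()}",
    ]


def redact(args):
    """Return a copy of args that is safe to log: the password is masked."""
    return [PASSWORD_ARG + "<redacted>" if a.startswith(PASSWORD_ARG) else a
            for a in args]


if __name__ == "__main__":
    # Constructed sample values, modelled on the example command above.
    argv = build_add_target_account_args(
        "myhostname.mydomain.com", "myApplication", "sysop1",
        'p@ss "w0rd$', cache_duration=17)
    print(" ".join(redact(argv)))
```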

addTargetAlias
Use the addTargetAlias command to add a target alias to CA Privileged Access Manager Credential
Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addTargetAlias
TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication
TargetAccount.userName=sysop1 TargetAlias.name=myaliasname

Parameters
TargetServer.hostName
The host name for the target server on which the target account resides.

Required: Either TargetServer.hostName, TargetApplication.name, and TargetApplication.name; or TargetApplication.ID is required.
Default Value: N/A
Valid Values: This value must match a target server name registered in CA Privileged Access Manager Credential Manager.

TargetApplication.name
The target application name on which the target account is hosted.

Required: Either TargetServer.hostName, TargetApplication.name, and TargetApplication.name; or TargetApplication.ID is required.
Default Value: N/A
Valid Values: This value must match a target application name registered in CA Privileged Access Manager Credential Manager.

TargetAccount.userName
The account user name associated with the target alias.

Required: Either TargetServer.hostName, TargetApplication.name, and TargetApplication.name; or TargetApplication.ID is required.
Default Value: N/A
Valid Values: This value must match a target account name registered in CA Privileged Access Manager Credential Manager.

TargetAccount.ID
The account ID associated with the target alias.

Required: Either TargetServer.hostName, TargetApplication.name, and TargetApplication.name; or TargetApplication.ID is required.
Default Value: N/A
Valid Values: Use searchTargetAccount to retrieve the TargetAccount.ID.

TargetAlias.name
The name of this target alias.

Required: yes
Default Value: N/A
Valid Values: String. The target alias name must be unique within the CA Privileged Access Manager Credential Manager server.

addTargetApplication
Use the addTargetApplication command to add a target application to CA Privileged Access Manager
Credential Manager. Additional parameters may be required, depending upon the Target Application
Type.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addTargetApplication
TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication
TargetApplication.type=Generic
Attribute.descriptor1="Vienna" Attribute.descriptor2="Lab"

Parameters
TargetServer.ID
The ID of the target server on which the target application is hosted.

Required: One of TargetServer.ID or TargetServer.hostName is required.
Default Value: N/A
Valid Values: Use searchTargetServer to retrieve the TargetServer.ID.

TargetServer.hostName
The host name for the target server on which the target application resides.

Required: One of TargetServer.ID or TargetServer.hostName is required.
Default Value: N/A
Valid Values: This value must match a target server name registered in CA Privileged Access Manager Credential Manager.

TargetApplication.name
The name of the target application.

Required Default Value Valid Values


yes N/A The target application name must be unique for a given target server.

TargetApplication.type
The target application connector name. Valid values depend upon which target connectors are
installed on your system.

Required: yes
Default Value: N/A
Valid Values: Turnkey target connectors include: cisco, CiscoSSH, ldap, mssql, oracle, sybase, unix, unixAccountViaTelnet, windows, windowsDomainService. In addition, your system may contain custom target connectors.

PasswordPolicy.name
The name of the password policy associated with accounts belonging to this application.

Required: no
Default Value: null
Valid Values: If a password policy is not specified, manually entered passwords are not validated against a policy. In addition, CA Privileged Access Manager Credential Manager generated passwords use the CA Privileged Access Manager Credential Manager default password policy.

PasswordPolicy.ID
The ID of the password policy associated with accounts belonging to this application.

Required: no
Default Value: null
Valid Values: Use searchPasswordPolicy to retrieve the PasswordPolicy.ID. If a password policy is not specified, manually entered passwords are not validated against a policy. In addition, CA Privileged Access Manager Credential Manager generated passwords use the CA Privileged Access Manager Credential Manager default password policy.

Attribute.descriptor1
A text description field. Use this field as a filter for dynamic authorization groupings.

Required Default Value Valid Values


no N/A String.

Attribute.descriptor2
A text description field. Use this field as a filter for dynamic authorization groupings.

Required Default Value Valid Values


no N/A String.

Attribute.enableAutoConnectTargetAccount
A boolean value to enable / disable autoConnectTargetAccount for an application instance.

Required Default Value Valid Values


no false true or false

addTargetServer
Use the addTargetServer command to add a target server to CA Privileged Access Manager Credential
Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addTargetServer
TargetServer.hostName=myhostname.mydomain.com
Attribute.descriptor1="Lab" Attribute.descriptor2="Vienna"

Parameters
TargetServer.hostName
The host name for the target server.

Required Default Value Valid Values


yes N/A This must be the fully qualified host name as entered in the DNS server.

TargetServer.deviceName
The device name for the target server.

Required Default Value Valid Values


no Same as host name if not specified. String

Attribute.descriptor1
A text description field. Use this field as a filter for dynamic authorization groupings.

Required Default Value Valid Values


no N/A String

Attribute.descriptor2
A text description field. Use this field as a filter for dynamic authorization groupings.

Required Default Value Valid Values


no N/A String

addUser
Use the addUser command to add a Credential Manager user account. The Windows CLI allows up to
9 parameters, including the mandatory adminUserID and cspmHostName. To enter the addUser
command with more than nine parameters, use the batchSequence command with an XML
formatted input file.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addUser
User.userID=demo User.password="demo123$" User.authenticationType=CSPM User.status=ACTIVE
User.userGroupIDS=2 User.firstName=Demo User.lastName=User
User.email=jdoe@xceedium.com User.viewType=admin

Parameters
User.userID
The user name of the CA Privileged Access Manager Credential Manager user.

Required Default Value Valid Values


yes N/A String.

User.password
The user's password.

Required: This parameter is required if the authentication type is CA Privileged Access Manager Credential Manager.
Default Value: N/A
Valid Values: String. CA Privileged Access Manager Credential Manager passwords must contain 6-16 characters containing at least one alphabetic, one numeric, and one special character.

User.authenticationType
Authentication type of the user.

Required: no
Default Value: CSPM
Valid Values: CSPM, LDAP, SecurID, Kerberos, X509 or any installed authentication connector. See $CSPM_SERVER_HOME/cspmserver/config/authentication.xml for a complete list of installed authentication connectors.

User.status
Set User.status=ACTIVE for active user accounts and User.status=SUSPENDED to suspend a user
account.

Required Default Value Valid Values


no ACTIVE ACTIVE or SUSPENDED

User.userGroupIDS
IDs of the User Groups to assign to this user.

Required: no
Default Value: null
Valid Values: Numeric IDs delimited by comma. Use searchUserGroups to retrieve user group IDs. Alternatively, you can specify the User.userGroupNames parameter. Values must match user groups registered in CA Privileged Access Manager Credential Manager.

User.userGroupNames
Names of the User Groups to assign to this user.

Required Default Value Valid Values


no null String. A comma delimited list of user group names.

User.firstName
First name of the user.

Required Default Value Valid Values


no N/A String.

User.lastName
Last name of the user.

Required Default Value Valid Values


no N/A String.

User.email
Email address of the user.

Required Default Value Valid Values


mandatory no N/A String.

User.viewType
Determines what GUI view this user has access to - administrative or general

Required Default Value Valid Values


no N/A admin, general

addUserGroup
Use the addUserGroup command to add a user group to CA Privileged Access Manager Credential
Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=addUserGroup
UserGroup.name=OttUserGroup UserGroup.description="Ottawa user group"
UserGroup.roleID=11 UserGroup.groups=3,4

Parameters
UserGroup.name
The user group name.

Required: yes
Default Value: N/A
Valid Values: String. A unique Name in CA Privileged Access Manager Credential Manager

UserGroup.description
Description of the group.

Required Default Value Valid Values


no N/A String.

UserGroup.roleID
The role identifier of this group.

Required: yes
Default Value: N/A
Valid Values: This value must match a role ID registered in CA Privileged Access Manager Credential Manager.

UserGroup.groups
An ArrayList of String values, each element containing the string value of a group ID.

Required Default Value Valid Values


no true N/A

UserGroup.readOnly
The read-only flag for this user group. Warning: a read-only user group cannot be deleted if you make a mistake.

Required Default Value Valid Values


no false true or false

archiveAuditData
Use the archiveAuditData command to remove audit data up to the specified end date from the
Credential Manager database and write it to a file.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=archiveAuditData
endDate=2010-01-01

Parameters
endDate
All audit data up to and including the end date is removed from the CA Privileged Access Manager
Credential Manager database and stored in the archive file.

Required Default Value Valid Values


yes N/A YYYY-MM-DD

fileName
The file name (including path) where the archive data will be stored. If the file does not exist, it is
created; otherwise, data is appended. If not specified, this command creates a file within the CA
Privileged Access Manager server installation home directory. The date stamp on the default file
indicates the date/time when the archive command was issued, not the end archive date.

Required: no
Default Value: $CSPM_SERVER_HOME/cspmserver/var/cspmserver_auditlog_YYYY-MM-DD-HHMMSS
Valid Values: File path

resultLimit
The limit for the number of database records to be processed at a time. Set to -1 to specify no limit.
Caution: A large value results in a larger rollback segment being allocated for each database
transaction.

Required Default Value Valid Values


no 100 Integer

archiveMetricData
Use the archiveMetricData command to remove metric data up to the specified end date from the
Credential Manager database and write it to a file.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=archiveMetricData
endDate=2010-01-01

Parameters
endDate
All metric data up to and including the end date is removed from the Credential Manager database
and stored in the archive file.

Required Default Value Valid Values


yes N/A YYYY-MM-DD

fileName
The file name (including path) where the archive data will be stored. If the file does not exist, it is
created; otherwise, data is appended. If not specified, this command creates a file within the CA
Privileged Access Manager server installation home directory. The date stamp on the default file
indicates the date/time when the archive command was issued, not the end archive date.

Required: no
Default Value: $CSPM_SERVER_HOME/cspmserver/var/cspmserver_metric_YYYY-MM-DD-HHMMSS
Valid Values: File path

resultLimit
The limit for the number of database records to be processed at a time. Set to -1 to specify no limit.
Caution: A large value results in a larger rollback segment being allocated for each database
transaction.

Required Default Value Valid Values


no 100 Integer

batchSequence
Use the batchSequence command for bulk registration. The input to the batchSequence command is
an XML formatted file.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=batchSequence
inputfile=myinput.xml
outputfile=results.xml

Parameters
inputfile
The file containing the bulk registration input. The XML format for the input file is documented in
XML Schema for Batch Processing
(https://docops.ca.com/display/CAPAM28/XML+Schema+for+Batch+Processing).

Required Default Value Valid Values


yes N/A String.

outputfile
The file containing the XML formatted output result. If this parameter is not included, the output is
sent to standard out.

Required Default Value Valid Values


no standard output String.

stopOnError
Set stopOnError=true to indicate that the batch sequence be stopped when an error is encountered.
Set stopOnError=false to indicate that the batch sequence continue with the next command when an
error is encountered. If the data in the input file has dependencies, set stopOnError=true.

Required Default Value Valid Values


no false true, false

multipleTransactions
Set multipleTransactions=true to indicate that the batch sequence be treated as its own transaction.
Set multipleTransactions=false to indicate that the batch sequence be treated as a single transaction.
When the batch sequence is treated as a single transaction (multipleTransactions=false) the
stopOnError is overridden to be true.

Required Default Value Valid Values


no true true, false

canGetCredentials
Use the canGetCredentials command to validate the ability of a specific script to retrieve credentials
without making a credential request. This command does not verify the fingerprint of the request
server or the requesting script hash. This command returns "Success 1" when the query result is true
and "Success 0" when the query result is false. Authorization mappings settings determine which
values are validated. For example, if check execution ID is not set, then the execution ID parameter
value does not affect the output result. The Windows CLI allows up to 9 parameters, including
mandatory adminUserID and cspmHostName. To invoke this command with more than 9 parameters,
use the batchSequence command with an XML formatted input file.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=canGetCredentials
TargetAlias.name=myalias1 RequestScript.name=example.pl
RequestScript.filePath=/usr/tmp/examples RequestScript.executionPath=/usr/tmp/examples
Authorization.executionUser=admin RequestServer.hostName=myhostname.mydomain.com
RequestServer.osName=win

Parameters
TargetAlias.name
Alias name for which you wish to validate the ability to get credentials.

Required Default Value Valid Values


yes N/A String

RequestScript.name
Name of the requesting script.

Required Default Value Valid Values


yes N/A String

RequestScript.filePath
File path where the requesting script resides.

Required Default Value Valid Values


no N/A String

RequestScript.executionPath
Path from which the requesting script will be run.

Required Default Value Valid Values


yes N/A String

Authorization.executionUser
Username with which the requesting script will be run.

Required Default Value Valid Values


yes N/A String

RequestServer.hostName
Request server hostname on which the requesting script is located.

Required Default Value Valid Values


yes N/A String

RequestServer.osName
Operating System name for the request server host. Set this value if the Operating System is
Windows. Any other value sets the Operating System as UNIX-based.

Required Default Value Valid Values


no unix win, unix

checkConnectionStatus
Use the checkConnectionStatus command to check the status of a client.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=checkConnectionStatus RequestServer.ID=1000

checkDelete
Use the checkDelete command to check if a target server and/or request server can be deleted (or
were previously deleted).

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=checkDelete
TargetServer.ID=1002 RequestServer.ID=1001

Parameters
TargetServer.ID
The ID of the target server being checked

Required Default Value Valid Values


One or both of TargetServer.ID or RequestServer.ID is required N/A int.

RequestServer.ID
The ID of the request server being checked

Required Default Value Valid Values


One or both of TargetServer.ID or RequestServer.ID is required N/A int.

checkInAccountPassword
Use the checkInAccountPassword command to check in a target account. This command can be run
on a secondary site.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=checkInAccountPassword
TargetAccount.ID=1

deleteAuthorization
Use the deleteAuthorization command to delete an existing authorization mapping.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteAuthorization
RequestServer.hostName=myhostname.mydomain.com RequestScript.name=example.pl
RequestScript.executionPath=/usr/tmp/examples TargetAlias.name=mytargetalias

Parameters
Authorization.ID
The unique identifier of the Authorization mapping.

Required: Either TargetAlias.name, RequestServer.hostName, RequestScript.name, and RequestScript.executionPath; or Authorization.ID is required.
Default Value: N/A
Valid Values: Use searchAuthorization to retrieve the Authorization.ID.

TargetAlias.name
The target alias name.

Required: Either TargetAlias.name or Authorization.targetGroupName is required
Default Value: N/A
Valid Values: This value must match the target alias name registered in CA Privileged Access Manager Credential Manager.

RequestServer.hostName
The request server host name on which the requesting application resides.

Required: One of Authorization.requestGroupName, RequestServer.hostName, or RequestServer.hostName/RequestScript.name/RequestScript.executionPath
Default Value: N/A
Valid Values: This value must match the request server name registered in CA Privileged Access Manager Credential Manager.

RequestScript.name
The requesting application name.

Required: One of Authorization.requestGroupName, RequestServer.hostName, or RequestServer.hostName/RequestScript.name/RequestScript.executionPath
Default Value: N/A
Valid Values: This value must match the script name registered in CA Privileged Access Manager Credential Manager.

RequestScript.executionPath
The requesting application execution path, as registered in CA Privileged Access Manager Credential
Manager.

Required: One of Authorization.requestGroupName, RequestServer.hostName, or RequestServer.hostName/RequestScript.name/RequestScript.executionPath
Default Value: N/A
Valid Values: This value must match the script execution path registered in CA Privileged Access Manager Credential Manager.

Authorization.targetGroupName
The target group name.

Required: Either TargetAlias.name or Authorization.targetGroupName is required
Default Value: N/A
Valid Values: This value must match the target group name registered in CA Privileged Access Manager Credential Manager.

Authorization.requestGroupName
The request group name.

Required: One of Authorization.requestGroupName, RequestServer.hostName, or RequestServer.hostName/RequestScript.name/RequestScript.executionPath
Default Value: N/A
Valid Values: This value must match the request group name registered in CA Privileged Access Manager Credential Manager.

deleteFilter
Use the deleteFilter command to delete a filter from a target group or request group. The group must
first be added using the addGroup command.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteFilter
Filter.ID=6

Parameters
Filter.ID
The Id of the request or target group

Required Default Value Valid Values


yes N/A N/A

deleteGroup
Use the deleteGroup command to delete a target or request group. This command automatically
deletes filters associated with this group.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteGroup
Group.ID=3

Parameters
Group.ID
ID of the group you wish to delete.

Required: One of Group.name or Group.ID is required.
Default Value: N/A
Valid Values: Numeric. This value must match the group ID registered in CA Privileged Access Manager Credential Manager.

Group.name
The group name.

Required: One of Group.name or Group.ID is required.
Default Value: N/A
Valid Values: String. This value must match the group name registered in CA Privileged Access Manager Credential Manager.

Group.type
The group type.

Required: Optional unless Group.name is specified, and that value is not unique.
Default Value: N/A
Valid Values: String. This value must match the group type registered in CA Privileged Access Manager Credential Manager.

deletePasswordPolicy
Use the deletePasswordPolicy command to delete a password policy.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deletePasswordPolicy
PasswordPolicy.name=passwordPolicyName

Parameters
PasswordPolicy.ID
The ID of the password policy.

Required Default Value Valid Values


yes or PasswordPolicy.name null Numeric

PasswordPolicy.name
The name of the password policy.

Required Default Value Valid Values


yes or PasswordPolicy.ID null String

deletePasswordViewPolicy
Use the deletePasswordViewPolicy command to delete a password view policy from CA Privileged
Access Manager Credential Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=deletePasswordViewPolicy
PasswordViewPolicy.name=restrictedAccounts

Parameters
PasswordViewPolicy.ID
The ID of the password view policy.

Required: One of PasswordViewPolicy.ID or PasswordViewPolicy.name is required
Default Value: N/A
Valid Values: The ID of a password view policy in CA Privileged Access Manager Credential Manager. Use searchPasswordViewPolicy to retrieve the PasswordViewPolicy.ID.

PasswordViewPolicy.name
The name of the password view policy.

Required: One of PasswordViewPolicy.ID or PasswordViewPolicy.name is required
Default Value: N/A
Valid Values: A text string matching the name of a password view policy in CA Privileged Access Manager Credential Manager.

deletePasswordViewRequest
Use the deletePasswordViewRequest command to delete either a specific password view request or
all expired password view requests.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=deletePasswordViewRequest PasswordViewRequest.ID=1,2,3

Parameters
PasswordViewRequest.ID
The ID of a password view request. Multiple IDs can be given in comma-separated format, such as
id2,id3,id5.

Required Default Value Valid Values


no N/A passwordviewrequestid from PasswordViewRequest table

deleteRequestScript
Use the deleteRequestScript command to delete an existing requesting application. Requesting
applications cannot be deleted if there are authorization mappings associated with the application.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteRequestScript
RequestScript.ID=7,8

Parameters
RequestScript.ID
The requesting application ID you wish to delete. This parameter may contain a comma-separated list.

Required: Either RequestScript.ID; or RequestServer.hostName, RequestScript.name, and RequestScript.executionPath is required.
Default Value: N/A
Valid Values: Use searchRequestScript to retrieve the RequestScript.ID.

RequestServer.hostName
The request server host name on which the requesting application resides.

Required: Either RequestScript.ID; or RequestServer.hostName, RequestScript.name, and RequestScript.executionPath is required.
Default Value: N/A
Valid Values: This value must match the request server name registered in CA Privileged Access Manager Credential Manager.

RequestScript.name
The requesting application name.

Required: Either RequestScript.ID; or RequestServer.hostName, RequestScript.name, and RequestScript.executionPath is required.
Default Value: N/A
Valid Values: String.

RequestScript.executionPath
The location from which the requesting application will be executed.

Required: Either RequestScript.ID; or RequestServer.hostName, RequestScript.name, and RequestScript.executionPath is required.
Default Value: N/A
Valid Values: String.

deleteRequestServer
Use the deleteRequestServer command to delete an existing request server from Credential
Manager. You cannot delete a request server if there are any authorization mappings or request
scripts associated with the request server.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteRequestServer
RequestServer.hostName=myhostname.mydomain.com


Parameters
RequestServer.hostName
The host name of the request server.

Required: One of RequestServer.hostName, RequestServer.hostName, or RequestServer.ID is required.
Default Value: N/A
Valid Values: This value must match a request server name registered in Credential Manager.

RequestServer.deviceName
The device name of the request server.

Required: One of RequestServer.hostName, RequestServer.hostName, or RequestServer.ID is required.
Default Value: N/A
Valid Values: This value must match a request server name registered in Credential Manager.

RequestServer.ID
The unique ID for the request server.

Required: One of RequestServer.hostName, RequestServer.hostName, or RequestServer.ID is required.
Default Value: N/A
Valid Values: Use searchRequestServer to retrieve the RequestServer.ID.

RequestServer.type
The type of the request server.

Required: If RequestServer.hostName or RequestServer.deviceName is provided, RequestServer.type must be provided or else it defaults to CLIENT.
Default Value: CLIENT
Valid Values: CLIENT/AGENT.

deleteRequestServerDefaults
Use the deleteRequestServerDefaults command to delete a request server defaults record in Credential
Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=deleteRequestServerDefaults
RequestServerDefaults.ID=1001


Parameters
RequestServerDefaults.ID
The id of the record to delete.

Required: yes
Default Value: N/A
Valid Values: Integer

deleteRole
Use the deleteRole command to delete roles from CA Privileged Access Manager Credential Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteRole Role.ID=11

Parameters
Role.ID
The unique ID of the role or a comma delimited list of roles you wish to delete.

Required: yes
Default Value: N/A
Valid Values: Numeric.

deleteSite
Use the deleteSite command to delete a site from Credential Manager when the CA Privileged Access
Manager Credential Manager server is configured for multi-site.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteSite Site.ID=1


Parameters
Site.ID
The ID of the site or a comma delimited list of sites you wish to delete.

Required: yes
Default Value: N/A
Valid Values: Numeric. Use searchSite to retrieve the Site.ID.

deleteSSHKeyPairPolicy
Use the deleteSSHKeyPairPolicy command to delete an SSH Key Pair policy.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=deleteSSHKeyPairPolicy
SSHKeyPairPolicy.name=MySSHKeyPairPolicy

Parameters
SSHKeyPairPolicy.ID
The ID of the SSH Key Pair policy.

Required: Yes if SSHKeyPairPolicy.name is not specified
Default Value: N/A
Valid Values: Numeric or a String of comma-separated numeric values

SSHKeyPairPolicy.name
The name of the SSH Key Pair policy.

Required: Yes if SSHKeyPairPolicy.ID is not specified
Default Value: N/A
Valid Values: String


deleteSystemProperty
Use the deleteSystemProperty command to delete a system property (that is, set isDeleted = 1).

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteSystemProperty
propertyName=test

Parameters
propertyName
The property key name.

Required: yes
Default Value: N/A
Valid Values: A valid value is one that exists in the system properties table.

deleteTargetAccount
Use the deleteTargetAccount command to delete an existing target account from CA Privileged
Access Manager Credential Manager. Target accounts cannot be deleted if there is an authorization
mapping associated with the account. Deleting a target account automatically deletes any target
aliases associated with the account.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteTargetAccount
TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication
TargetAccount.userName=sysop1

Parameters
TargetServer.hostName
The host name of the target server on which the target application is hosted.

Required: Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required.
Default Value: N/A
Valid Values: This value must match a target server name registered in CA Privileged Access Manager Credential Manager.

TargetApplication.name
The target application name on which the target account is hosted.

Required: Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required.
Default Value: N/A
Valid Values: This value must match a target application name registered in CA Privileged Access Manager Credential Manager.

TargetAccount.userName
The user name for the target account.

Required: Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required.
Default Value: N/A
Valid Values: This value must match a target account name registered in CA Privileged Access Manager Credential Manager.

TargetAccount.ID
The ID for the target account.

Required: Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required.
Default Value: N/A
Valid Values: Use searchTargetAccount to retrieve the TargetAccount.ID.

deleteTargetAlias
Use the deleteTargetAlias command to delete an existing target alias from the CA Privileged Access
Manager Credential Manager server. Target aliases cannot be deleted if there is an authorization
mapping associated with the alias.


Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteTargetAlias
TargetAlias.ID=12

Parameters
TargetAlias.name
The target alias name. This parameter is required if TargetAlias.ID is not specified.

Required: One of TargetAlias.name or TargetAlias.ID is required.
Default Value: N/A
Valid Values: The target alias name must match a target alias registered in CA Privileged Access Manager Credential Manager.

TargetAlias.ID
The target alias unique identifier.

Required: One of TargetAlias.name or TargetAlias.ID is required.
Default Value: N/A
Valid Values: Use searchTargetAlias to retrieve the TargetAlias.ID.

deleteTargetApplication
Use the deleteTargetApplication command to delete an existing target application from CA Privileged
Access Manager Credential Manager. Target applications cannot be deleted if there is an
authorization mapping associated with the application. Deleting a target application automatically
deletes any target accounts and target aliases associated with the application.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=deleteTargetApplication
TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication


Parameters
TargetServer.hostName
The host name of the target server on which the target application is hosted.

Required: Either TargetServer.hostName and TargetApplication.name; or TargetApplication.ID is required.
Default Value: N/A
Valid Values: This value must match a target server name registered in CA Privileged Access Manager Credential Manager.

TargetApplication.name
The target application name.

Required: Either TargetServer.hostName and TargetApplication.name; or TargetApplication.ID is required.
Default Value: N/A
Valid Values: This value must match a target application name registered in CA Privileged Access Manager Credential Manager.

TargetApplication.ID
The target application ID.

Required: Either TargetServer.hostName and TargetApplication.name; or TargetApplication.ID is required.
Default Value: N/A
Valid Values: Use searchTargetApplication to retrieve the TargetApplication.ID.

deleteTargetServer
Use the deleteTargetServer command to delete an existing target server from CA Privileged Access
Manager Credential Manager. A target server cannot be deleted if there is a target alias associated
with the server. Deleting a target server automatically deletes any target applications and target
accounts associated with the server, never any aliases.

Example


Parameters
TargetServer.ID
The ID for the target server, or a comma-separated list of IDs.

Required: One of TargetServer.ID, TargetServer.hostName, or TargetServer.deviceName is required.
Default Value: N/A
Valid Values: Use searchTargetServer to retrieve the TargetServer.ID.

TargetServer.hostName
The host name of the target server.

Required: One of TargetServer.ID, TargetServer.hostName, or TargetServer.deviceName is required.
Default Value: N/A
Valid Values: String. This value must match a target server name registered in CA Privileged Access Manager Credential Manager.

TargetServer.deviceName
The device name of the target server.

Required: One of TargetServer.ID, TargetServer.hostName, or TargetServer.deviceName is required.
Default Value: N/A
Valid Values: String. This value must match a target server name registered in CA Privileged Access Manager Credential Manager.

deleteUser
Use the deleteUser command to delete a user account or list of user accounts.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteUser
User.userID=demo


Parameters
User.userID
The user name of the Credential Manager user to be deleted or a comma delimited list of user names
to be deleted.

Required: yes
Default Value: N/A
Valid Values: String.

deleteUserGroup
Use the deleteUserGroup command to delete a user group.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=deleteUserGroup
UserGroup.ID=18

Parameters
UserGroup.ID
The user group ID or a comma delimited list of user group IDs you wish to delete.

Required: One of UserGroup.ID or UserGroup.name is required.
Default Value: N/A
Valid Values: Numeric. A unique user group ID in CA Privileged Access Manager Credential Manager.

UserGroup.name
The name of the user group.

Required: One of UserGroup.ID or UserGroup.name is required.
Default Value: N/A
Valid Values: String. A unique user group name in CA Privileged Access Manager Credential Manager.


disableCLIHostNameCheck
Use the disableCLIHostNameCheck command to disable host name checking when connecting via the
CLI.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=disableCLIHostNameCheck

disableFingerprinting
Use the disableFingerprinting command to disable hardware fingerprinting for request servers (CA
Privileged Access Manager Credential Manager clients). This command has no parameters. By
default, this feature is disabled.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=disableFingerprinting

enableCLIHostNameCheck
Use the enableCLIHostNameCheck command to force host name checking when connecting via the
CLI.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=enableCLIHostNameCheck

enableFingerprinting
Use the enableFingerprinting command to enable hardware fingerprinting for request servers (CA
Privileged Access Manager Credential Manager clients). This command has no parameters. By
default, this feature is disabled.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=enableFingerprinting


enableLicense
Use the enableLicense command to activate your CA Privileged Access Manager Credential Manager
server license.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=enableLicense
license=dae1993ace1473a...

Parameters
license
A CA Privileged Access Manager Credential Manager server license string. See your CA Technologies
sales representative.

Required: yes
Default Value: N/A
Valid Values: String.

expirePasswordViewRequest
Use the expirePasswordViewRequest command to expire a password view request.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=expirePasswordViewRequest PasswordViewRequest.ID=1000

forceCheckInAccountPassword
Use the forceCheckInAccountPassword command to check in a target account checked out by
another user. This command can be run on a secondary site.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=forceCheckInAccountPassword
TargetAccount.ID=1


Parameters
TargetAccount.ID
The ID of the target account you are checking in.

Required: One of TargetAccount.ID or PasswordViewRequest.ID must be specified.
Default Value: N/A
Valid Values: Use searchTargetAccount to retrieve the TargetAccount.ID.

PasswordViewRequest.ID
The ID of the target account you are checking in.

Required: One of TargetAccount.ID or PasswordViewRequest.ID must be specified.
Default Value: N/A
Valid Values: Use searchPasswordViewRequest or searchPasswordViewRequestByRequestor to retrieve the PasswordViewRequest.ID.

generateEncryptedPassword
Use the generateEncryptedPassword command to encrypt the password found in the Tomcat server.xml file.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=generateEncryptedPassword password=cspmpublic

Parameters
password
The password you wish to encrypt.

Required: yes
Default Value: N/A
Valid Values: Any String value.


getAllScriptHash
Use the getAllScriptHash command to refresh each of the script hashes for a given request server. A
script hash value is a SHA-1 message digest value of the script (file).

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getAllScriptHash
RequestServer.hostName=myhostname.mydomain.com

Parameters
RequestServer.hostName
The host name of the request server.

Required: One of RequestServer.hostName or RequestServer.ID is required.
Default Value: N/A
Valid Values: String.

RequestServer.ID
The ID of the request server.

Required: One of RequestServer.hostName or RequestServer.ID is required.
Default Value: N/A
Valid Values: Use searchRequestServer to retrieve the RequestServer.ID.

getAwsManagementConsoleSessionUrl
Use the getAwsManagementConsoleSessionUrl command to retrieve a URL to an authenticated
Amazon Web Services Management Console federation session.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=getAwsManagementConsoleSessionUrl
AWS.accessKeyID=AKIAIUXQMBKFCROZL5NQ
AWS.secretAccessKey=l2YaoK/or4Jffi+xTlCds0x5mLUdRoCTcvXb/e9y
AWS.consoleUrl=https://console.aws.amazon.com/sns
AWS.issuerUrl=https://www.xceedium.com/
AWS.signinUrl=https://signin.aws.amazon.com/federation
AWS.sessionDuration=3600
AWS.policy={\"Statement\":[{\"Action\":\"sns:*\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}

Parameters
AWS.accessKeyID
The AWS access key.

Required: yes
Default Value: N/A
Valid Values: ^([A-Z0-9]{20})$

AWS.secretAccessKey
The AWS secret access key.

Required: yes
Default Value: N/A
Valid Values: ^([\w/+]{40})$

AWS.issuerUrl
The URL to which the user should be redirected when their federation session expires.

Required: yes
Default Value: N/A
Valid Values: https\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+&%\$#_]*)?

AWS.consoleUrl
The URL of the Management Console.

Required: yes
Default Value: N/A
Valid Values: https\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+&%\$#_]*)?

AWS.signinUrl
The URL of the AWS federated signin service.

Required: yes
Default Value: N/A
Valid Values: https\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+&%\$#_]*)?

AWS.policy
A policy that applies to the federated user.

Required: no
Default Value: N/A
Valid Values: String

AWS.stsEndpoint
The STS endpoint to use if specified; otherwise, use the default endpoint.

Required: no
Default Value: N/A
Valid Values: String

AWS.sessionDuration
The duration, in seconds, that the federation session should last. Acceptable durations are in the
interval [3600 .. 129600].

Required: yes
Default Value: N/A
Valid Values: Integer

AWS.urlEncodeOption
Optionally encode the session URL.

Required: no
Default Value: false
Valid Values: Boolean

AWS.federatedUserName
The name of the federated user to display in the AWS Management Console.

Required: yes
Default Value: N/A
Valid Values: String
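
The required flags, value patterns and session-duration interval listed above can be checked before the command is invoked, which also catches a malformed AWS.policy string early. The following Python check is an added example, not CA's code: the function names and sample values are constructed placeholders, the URL test (https plus a host) is a simplified stand-in for the documented URL pattern, and `redacted` is a hypothetical helper for logging a parameter set without the secret access key.

```python
import json
import re
from urllib.parse import urlsplit

# Required parameters and value constraints as listed in the tables above.
REQUIRED = (
    "AWS.accessKeyID", "AWS.secretAccessKey", "AWS.issuerUrl", "AWS.consoleUrl",
    "AWS.signinUrl", "AWS.sessionDuration", "AWS.federatedUserName",
)
PATTERNS = {
    "AWS.accessKeyID": re.compile(r"[A-Z0-9]{20}"),
    "AWS.secretAccessKey": re.compile(r"[\w/+]{40}", re.ASCII),
}
URL_PARAMS = ("AWS.issuerUrl", "AWS.consoleUrl", "AWS.signinUrl")
MIN_DURATION, MAX_DURATION = 3600, 129600
SECRET_PARAMS = ("AWS.secretAccessKey",)

# Constructed sample values (placeholders, not real credentials).
SAMPLE = {
    "AWS.accessKeyID": "AKIAEXAMPLE0EXAMPLE0",
    "AWS.secretAccessKey": "Ex4mple/" * 5,
    "AWS.issuerUrl": "https://issuer.example.com/",
    "AWS.consoleUrl": "https://console.aws.amazon.com/sns",
    "AWS.signinUrl": "https://signin.aws.amazon.com/federation",
    "AWS.sessionDuration": "3600",
    "AWS.federatedUserName": "ops-readonly",
    "AWS.policy": '{"Statement":[{"Action":"sns:*","Effect":"Allow","Resource":"*"}]}',
}


def validate(params):
    """Return a list of problems; an empty list means the set passes these checks."""
    problems = []
    for name in REQUIRED:
        if not params.get(name):
            problems.append(f"{name}: required parameter is missing")
    for name, pattern in PATTERNS.items():
        value = params.get(name)
        if value and not pattern.fullmatch(value):
            problems.append(f"{name}: does not match the documented pattern")
    for name in URL_PARAMS:
        value = params.get(name)
        if not value:
            continue
        try:
            parts = urlsplit(value)
            ok = parts.scheme == "https" and bool(parts.hostname)
        except ValueError:  # e.g. unbalanced brackets in the host part
            ok = False
        if not ok:
            problems.append(f"{name}: must be an https URL with a host")
    duration = params.get("AWS.sessionDuration")
    if duration:
        try:
            seconds = int(duration)
        except (TypeError, ValueError):
            problems.append("AWS.sessionDuration: not an integer")
        else:
            if not MIN_DURATION <= seconds <= MAX_DURATION:
                problems.append("AWS.sessionDuration: outside 3600..129600 seconds")
    policy = params.get("AWS.policy")  # optional, but must parse when present
    if policy:
        try:
            json.loads(policy)
        except json.JSONDecodeError as exc:
            problems.append(f"AWS.policy: not valid JSON ({exc.msg} at column {exc.colno})")
    return problems


def redacted(params):
    """Copy of params that is safe to write to a log: secret values are masked."""
    return {k: ("********" if k in SECRET_PARAMS else v) for k, v in params.items()}


if __name__ == "__main__":
    print(validate(SAMPLE) or "parameter set passes", redacted(SAMPLE))
```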

getErrorCodes
Use the getErrorCodes command to retrieve an XML list of CA Privileged Access Manager Credential
Manager error codes. This command takes no parameters.


Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getErrorCodes

getEventProcessingMetrics
Use the getEventProcessingMetrics command to get metrics for processing of notification events
(events sent to clients or proxies). This information can be used to determine the throughput of the
overall CA Privileged Access Manager Credential Manager system in processing events to be sent to
clients and proxies; if the throughput is deemed to be unacceptable, additional CA Privileged Access
Manager Credential Manager servers can be commissioned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=getEventProcessingMetrics
samplePeriodMinutes=720

Parameters
samplePeriodMinutes
Sample period in minutes.

Required: no
Default Value: 1440
Valid Values: 1 - 1440

getLocalProperty

Use the getLocalProperty command to retrieve the property value which matches the property name.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getLocalProperty
propertyName=sitename


Parameters
propertyName
The property key name.

Required: yes
Default Value: N/A
Valid Values: A valid value is one that exists in the local properties table.

getLogs
Use the getLogs command to retrieve a ZIP file containing the logs from a siteServer or
requestServer.

Example
cspmserver_admin adminUserID=admin cmdName=getLogs Site.ID=1000
hostName=tomcatServer3.cloakware.com

Parameters
RequestServer.ID
ID of a request server (client or proxy)

Required: yes (requestServer), no (siteServer)
Default Value: None
Valid Values: Numeric

Site.ID
ID of a site

Required: yes (siteServer), no (requestServer)
Default Value: None
Valid Values: Numeric

hostName
Canonical hostname of a site (i.e., Tomcat) or a request (i.e., client or proxy) server.

Required: yes (siteServer), optional (requestServer)
Default Value: None
Valid Values: String


maxSize
Max. size of the log file in bytes. 0=unlimited

Required: no
Default Value: 20000000
Valid Values: Numeric

getMostRecentPasswordHistory
Use the getMostRecentPasswordHistory command to retrieve the most recent password history for a
target account.

getMSOLFederatedSessionCmd
Use the getMSOLFederatedSessionCmd command to retrieve a federated session request. The command
generates a federated session request for presentation to the MSOL portal. The request is returned as
a web form that should be automatically submitted by the caller's browser. Submitting the form
launches a federated session with MSOL.

Example
https://<CAPAM-HOST>/cspm/servlet/adminCLI
             ?responseType=htmlResponse
             &adminUserID=super
             &adminPassword=<PASSWORD>
             &cmdName=getMsolFederatedSession
             &MSOL.portalUrl=https%3A//login.microsoftonline.com/login.srf
             &MSOL.stsEndpointUrl=https%3A//fs.xcdpoc.com/adfs/services/trust/2005/usernamemixed
             &MSOL.stsEndpointReferenceUri=urn%3Afederation%3AMicrosoftOnline
             &MSOL.wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ct%3D1361461138%26rver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252Flanding.aspx%253Ftarget%253D%25252fdefault.aspx%26lc%3D1033%26id%3D271346%26
             &TargetAccount.ID=100

Parameters
MSOL.stsEndpointUrl
The URL of the Security Token Service (STS) endpoint from which the security token shall be
requested. In general, specify the appropriate URL that's exposed by your organization's Active
Directory Federation Service (AD FS). The endpoint must support the WS-Trust 2005 (username
mixed mode) protocol. For example, https://<ADFS-HOST>/adfs/services/trust/2005/usernamemixed.

Required: yes
Default Value: N/A
Valid Values: URL


MSOL.stsEndpointReferenceUri
The reference URI to which the security token request applies. When AD FS is federated with MSOL
this value is typically "urn:federation:MicrosoftOnline" (without quotes).

Required: yes
Default Value: N/A
Valid Values: URI

MSOL.portalUrl
The URL of the MSOL portal. For example, https://login.microsoftonline.com/login.srf.

Required: yes
Default Value: N/A
Valid Values: URL

MSOL.wctx
This parameter contains context information that is relevant to MSOL. Its value should be derived by
following the procedure for "creating a smart link" as described in documentation from Microsoft.
For additional instructions please refer to
http://community.office365.com/en-us/wikis/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx.

Required: yes
Default Value: N/A
Valid Values: String.

TargetAccount.ID
The ID of the Target Account that represents the federated user's credentials. The username and
password will be retrieved and sent to AD FS in a security token request. If AD FS successfully
authenticates the credentials then it will issue a security token response that contains SAML
assertions that are good for authenticating the federated user to MSOL.

Required: yes
Default Value: N/A
Valid Values: Use searchTargetAccount to retrieve the TargetAccount.ID

reason
The reason you are requesting a password view.

Required: yes
Default Value: N/A
Valid Values: String.

reasonDetails
Detailed description of why you wish to view the password.

Required: no
Default Value: N/A
Valid Values: String.

PasswordViewRequest.requestPeriodStart
If the account password view policy has dual authorization enabled, this parameter specifies the start
time of the password view request.

Required: no
Default Value: N/A
Valid Values: Date string, of the format yyyy-MM-dd HH:mm

PasswordViewRequest.requestPeriodEnd
If the account password view policy has dual authorization enabled, this parameter specifies the end
time of the password view request.

Required: no
Default Value: N/A
Valid Values: Date string, of the format yyyy-MM-dd HH:mm

referenceCode
Reference Code.

Required: no
Default Value: N/A
Valid Values: String.
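
Because the target account's user name and password are sent to whichever host MSOL.stsEndpointUrl names, a request can be reviewed before it is issued by decoding its parameters, including the wreply URL nested inside MSOL.wctx, and comparing each destination with an allowlist. This Python check is an added example, not part of the product: the function names, the allowlist and the sample URL (with example.com placeholder hosts) are constructed, and it assumes the request has the query-string shape shown in the Example above.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the Example above (hosts are placeholders).
SAMPLE_URL = (
    "https://capam.example.com/cspm/servlet/adminCLI"
    "?responseType=htmlResponse&adminUserID=super"
    "&cmdName=getMsolFederatedSession"
    "&MSOL.portalUrl=https%3A//login.microsoftonline.com/login.srf"
    "&MSOL.stsEndpointUrl=https%3A//adfs.example.com/adfs/services/trust/2005/usernamemixed"
    "&MSOL.stsEndpointReferenceUri=urn%3Afederation%3AMicrosoftOnline"
    "&MSOL.wctx=wa%3Dwsignin1.0%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com"
    "%252Flanding.aspx%253Ftarget%253D%25252fdefault.aspx%26lc%3D1033"
    "&TargetAccount.ID=100"
)


def msol_destinations(url):
    """Decode the request and return every URL the federated session will touch."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def first(name):
        return query.get(name, [""])[0]

    # MSOL.wctx is itself a query string, so its wreply field needs a second
    # decoding pass after the outer query string has been decoded.
    wctx = parse_qs(first("MSOL.wctx"))
    return {
        "MSOL.stsEndpointUrl": first("MSOL.stsEndpointUrl"),
        "MSOL.portalUrl": first("MSOL.portalUrl"),
        "MSOL.wctx wreply": wctx.get("wreply", [""])[0],
    }


def review_msol_request(url, allowed_hosts):
    """Return findings for a request URL; an empty list means nothing was flagged."""
    findings = []
    # URLs are routinely written to proxy, server and browser logs.
    if "adminPassword" in parse_qs(urlsplit(url).query, keep_blank_values=True):
        findings.append("adminPassword is carried in the query string")
    for name, value in msol_destinations(url).items():
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.hostname:
            findings.append(f"{name}: missing or not an https URL")
        elif parts.hostname not in allowed_hosts:
            findings.append(f"{name}: host {parts.hostname} is not on the allowlist")
    return findings


if __name__ == "__main__":
    hosts = {"adfs.example.com", "login.microsoftonline.com", "portal.microsoftonline.com"}
    print(msol_destinations(SAMPLE_URL))
    print(review_msol_request(SAMPLE_URL, hosts) or "no findings")
```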

getNumberOfAccounts
Use the getNumberOfAccounts command to retrieve the number of target accounts registered in CA
Privileged Access Manager Credential Manager. This command takes no parameters.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getNumberOfAccounts

getRequestServerDefaults
Use the getRequestServerDefaults command to add a request server defaults to CA Privileged Access
Manager Credential Manager.


Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=getRequestServerDefaults RequestServerDefaults.ID=1001

Parameters
RequestServerDefaults.ID
The id of the record to get.

Required: yes
Default Value: N/A
Valid Values: Integer

getScriptHashAsynchronous
Use the getScriptHashAsynchronous command to refresh a script hash for a specified request script
on a request server (CA Privileged Access Manager Credential Manager client). A script hash value is
a SHA-1 message digest value of the script (file).

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=getScriptHashAsynchronous RequestScript.ID=2

Parameters
RequestScript.ID
The unique ID for the request script.

Required: yes
Default Value: N/A
Valid Values: Numeric. Use searchRequestScript to retrieve the RequestScript.ID.

getServiceStatus
Use the getServiceStatus command to query the state of services associated with a Windows
domain target account. This command assumes the service information is stored in an extended
attribute named 'serviceInfo'.


Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getServiceStatus
TargetAccount.ID=24

Parameters
TargetAccount.ID
The ID of the TargetAccount

Required: Either TargetAccount.ID or TargetServer.hostName, TargetApplication.name and TargetAccount.userName is required.
Default Value: N/A
Valid Values: integer

TargetServer.hostName
The host name of the TargetServer

Required: Either TargetAccount.ID or TargetServer.hostName, TargetApplication.name and TargetAccount.userName is required.
Default Value: N/A
Valid Values: String

TargetApplication.name
The name of the TargetApplication

Required: Either TargetAccount.ID or TargetServer.hostName, TargetApplication.name and TargetAccount.userName is required.
Default Value: N/A
Valid Values: String

TargetAccount.userName
The user name of the TargetAccount

Required: Either TargetAccount.ID or TargetServer.hostName, TargetApplication.name, TargetAccount.userName is required.
Default Value: N/A
Valid Values: String


getSystemProperty

Use the getSystemProperty command to retrieve the property value which matches the property name.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=getSystemProperty
propertyName=DBVersion

Parameters
propertyName
The property key name.

Required: yes
Default Value: N/A
Valid Values: A valid value is one that exists in the system properties table.

listDBClusterMembers
Use the listDBClusterMembers command to retrieve a list of all database cluster members in the
system.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=listDBClusterMembers

listDiscoveredAccounts
Use the listDiscoveredAccounts command to discover accounts on a Windows host or domain.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=listDiscoveredAccounts


Parameters
TargetApplication.ID
The Windows (domain or proxy) target application's id

Required: This or both TargetApplication.name and TargetServer.ID must be specified
Default Value: N/A
Valid Values: Numeric.

TargetApplication.name
The Windows (domain or proxy) target application's name

Required: This or both TargetApplication.ID
Default Value: N/A
Valid Values: String.

TargetServer.ID
The id of target application's target server

Required: only if TargetApplication.name is specified
Default Value: N/A
Valid Values: Numeric.

listDiscoveredServices
Use the listDiscoveredServices command to discover services on a Windows host.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=listDiscoveredServices

Parameters
TargetAccount.ID
The target account's id of the user whose services are to be discovered

Required: This or TargetAccount.userName, TargetApplication.name and TargetServer.name must be specified
Default Value: N/A
Valid Values: Integer.


TargetAccount.userName
The target account name of the user whose services are to be discovered

Required: This or both TargetAccount.ID
Default Value: N/A
Valid Values: String.

TargetApplication.name
The target application name

Required: only if TargetAccount.userName is specified
Default Value: N/A
Valid Values: String.

TargetServer.name
The name of the target application target server

Required: only if TargetAccount.userName is specified
Default Value: N/A
Valid Values: String.

discoveryUseProxy
Use the proxy associated with the account to do the discovery

Required: No
Default Value: false
Valid Values: Boolean.

listDiscoveredTasks
Use the listDiscoveredTasks command to discover tasks on a Windows host run by a given user.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=listDiscoveredServices

Parameters
TargetAccount.ID
The target account id of the user whose tasks are to be discovered

Required: This or TargetAccount.userName, TargetApplication.name and TargetServer.name must be specified
Default Value: N/A
Valid Values: Integer.

TargetAccount.userName
The target account's name of the user whose tasks are to be discovered

Required: This or both TargetAccount.ID
Default Value: N/A
Valid Values: String.

TargetApplication.name
The target application's name

Required: only if TargetAccount.userName is specified
Default Value: N/A
Valid Values: String.

TargetServer.name
The name of the target application's target server

Required: only if TargetAccount.userName is specified
Default Value: N/A
Valid Values: String.

discoveryUseProxy
Use the proxy associated with the account to do the discovery

Required: No
Default Value: false
Valid Values: Boolean.

listPasswordViewRequestByApproverSummary
Use the listPasswordViewRequestByApproverSummary command to return a list of password view
requests for an approver.

listPasswordViewRequestByRequestorSummary
Use the listPasswordViewRequestByRequestorSummary command to return a list of password view
requests for a requestor.


listRequestServerDefaults
Use the listRequestServerDefaults command to retrieve a list of Request Server defaults from the CA
Privileged Access Manager Credential Manager datastore.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=listRequestServerDefaults

Parameters
RequestServerDefaults.ipAddress
The ip filter to apply to search.

Required: no
Default Value: N/A
Valid Values: String

RequestServerDefaults.type
The type filter to apply to search.

Required: no
Valid Values: CLIENT, AGENT

renameUser
Use the renameUser command to rename a Credential Manager user. (Creates a copy of an existing
user with a new name, and deletes the old user)

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=renameUser
User.userID=demo User.password=demo123$ User.newUserID=demo2

Parameters
User.userID
The user name of the Credential Manager user to be renamed

Required: yes
Default Value: N/A
Valid Values: String.

User.newUserID
The user name of the Credential Manager user to be created

Required: yes
Default Value: N/A
Valid Values: String.

User.gkUserId
The Gatekeeper user ID to be associated with this user. If not specified, the existing value will be
preserved.

Required: optional (Credential Manager mode), rejected (PA mode)
Default Value: N/A
Valid Values: Integer.

resetClientCache
The resetClientCache command informs all active clients that their caches of saved passwords should
be reset. Use resetClientCache to reset all client caches.

Important! CA Technologies strongly recommends that you contact CA Support before using this
command.

Example:
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=resetClientCache

resetDBHash
Use resetDBHash to reset the database hash for an object. The types of objects can be specified as a
comma separated list via the objectClass parameter.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=resetDBHash
objectClass=c.cw.m.ts

resetGroupCache
Use the resetGroupCache command to refresh the group cache for all groups, or a single group. This
command is asynchronous.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=resetGroupCache
Group.name=test_target_group

Parameters
Group.name
Name of the group you wish to update in the group cache.

Required Default Value Valid Values

No. If not specified, all groups will be reset. N/A Numeric. This value must match the group ID registered in CA Privileged Access Manager Credential Manager.

searchAgent
Use the searchAgent command to retrieve a detailed listing of all the Windows Proxies registered in
Credential Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchAgent

Parameters
Agent.ID
Filter results for the specified Agent.ID.

Required Default Value Valid Values


no N/A Numeric.

Agent.hostName
Filter results based on the Agent.hostName specified.

Required Default Value Valid Values


no N/A String.

Agent.ipAddress
Filter results based on the Agent.ipAddress specified.

Required Default Value Valid Values


no N/A String.

Agent.deviceName
Filter results based on the Agent.deviceName specified.

Required Default Value Valid Values


no N/A String.

Agent.clientVersion
Filter results based on the Agent.clientVersion specified.

Required Default Value Valid Values


no N/A String.

Agent.active
Set Agent.active=true to filter results for active agents. Set Agent.active=false to filter results for
inactive agents.

Required Default Value Valid Values


no N/A true, false

Agent.actionRequired
Set Agent.actionRequired=true to filter results for agents with the actionRequired flag set to true. Set
Agent.actionRequired=false to filter results for agents with the actionRequired flag set to false.

Required Default Value Valid Values


no N/A true, false

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


no RequestServer.hostName RequestServer.ID, RequestServer.hostName

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchAuthorization
Use the searchAuthorization command to retrieve a detailed listing of authorization mappings
registered in Credential Manager, which match the provided search criteria. When no search criteria
are listed all authorization mappings are returned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchAuthorization
    Authorization.checkExecutionID=true

Parameters
Authorization.executionUser
Filter results for specified authorization execution user.

Required Default Value Valid Values


no N/A N/A

Authorization.checkExecutionID
Set Authorization.checkExecutionID=true to filter results for authorization mappings that have the
check execution ID flag set to true. Set Authorization.checkExecutionID=false to filter results for script
authorizations that have the check execution ID flag set to false.

Required Default Value Valid Values


no N/A true, false

Authorization.checkPath
Set Authorization.checkPath=true to filter results for authorization mappings that have the check
execution path flag set to true. Set Authorization.checkPath=false to filter results for authorization
mappings that have the check execution path flag set to false.

Required Default Value Valid Values


no N/A true, false

Authorization.checkFilePath
Set Authorization.checkFilePath=true to filter results for authorization mappings that have the check
file path flag set to true. Set Authorization.checkFilePath=false to filter results for authorization
mappings that have the check file path flag set to false.

Required Default Value Valid Values


no N/A true, false

Authorization.checkScriptHash
Set Authorization.checkScriptHash=true to filter results for authorization mappings that have the
check script hash flag set to true. Set Authorization.checkScriptHash=false to filter results for
authorization mappings that have the check script hash flag set to false.

Required Default Value Valid Values


no N/A true, false

Authorization.ID
Filter results based on Authorization.ID specified.

Required Default Value Valid Values


no N/A Numeric.

RequestServer.ID
Filter results based on the RequestServer.ID specified.

Required Default Value Valid Values


no N/A Numeric. Use searchRequestServer to retrieve RequestServer.ID.

RequestScript.ID
Filter results based on the RequestScript.ID specified.

Required Default Value Valid Values


no N/A Numeric. Use searchRequestScript to retrieve RequestScript.ID.

TargetAlias.ID
Filter results based on the TargetAlias.ID specified.

Required Default Value Valid Values


no N/A Numeric. Use searchTargetAlias to retrieve the TargetAlias.ID.

Authorization.targetGroupId
Filter results based on the targetGroupID specified.

Required Default Value Valid Values


no N/A Numeric.

Authorization.requestGroupId
Filter results based on the requestGroupID specified.

Required Default Value Valid Values


no N/A Numeric.

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values

no TargetAlias.ID Authorization.executionUser, Authorization.checkExecutionID, Authorization.checkPath, Authorization.checkFilePath, Authorization.checkScriptHash, Authorization.ID, RequestServer.ID, RequestScript.ID, TargetAlias.ID, Authorization.targetGroupId, Authorization.requestGroupId

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc
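
The four check flags documented above for searchAuthorization can drive a review of authorization mappings that have an integrity check turned off. The following is an added example, not part of the CA documentation: a shell helper that builds one searchAuthorization command line per flag from the parameters listed in this section. The function names, the CSPM_HOST and CSPM_ADMIN variables, and the choice to print the commands for review instead of running them are assumptions.

```shell
#!/bin/sh
# Added example (not CA code): build searchAuthorization queries that list
# authorization mappings with one of the documented check flags set to false.
# Function and variable names are assumptions; parameters come from this page.

CSPM_HOST="${CSPM_HOST:-paServer}"   # host name used in the manual's examples
CSPM_ADMIN="${CSPM_ADMIN:-admin}"    # admin user used in the manual's examples

# Check flags documented as searchAuthorization filters.
AUTH_CHECK_FLAGS="checkExecutionID checkPath checkFilePath checkScriptHash"

# is_uint VALUE: succeed only for a positive integer without leading zeros.
is_uint() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
        *) return 0 ;;
    esac
}

# is_safe_token VALUE: succeed only for letters, digits, dot, underscore and
# hyphen, so a printed command line cannot carry shell metacharacters.
is_safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_weak_auth_query FLAG [PAGE] [SIZE] [DIRECTION]
# Prints one command line that filters for mappings where FLAG is false.
# Defaults mirror the documented ones: Page.Number=1, Page.Size=10000, asc.
build_weak_auth_query() {
    flag=$1; page=${2:-1}; size=${3:-10000}; dir=${4:-asc}

    case " $AUTH_CHECK_FLAGS " in
        *" $flag "*) ;;
        *) echo "unknown check flag: $flag" >&2; return 2 ;;
    esac
    is_uint "$page" || { echo "Page.Number must be a positive integer" >&2; return 2; }
    is_uint "$size" || { echo "Page.Size must be a positive integer" >&2; return 2; }
    case "$dir" in
        asc|desc) ;;
        *) echo "Sort.Direction must be asc or desc" >&2; return 2 ;;
    esac
    is_safe_token "$CSPM_HOST"  || { echo "unsafe cspmHostName value" >&2; return 2; }
    is_safe_token "$CSPM_ADMIN" || { echo "unsafe adminUserID value" >&2; return 2; }

    # Authorization.ID is one of the documented Sort.Property values.
    printf 'cspmserver_admin cspmHostName=%s adminUserID=%s cmdName=searchAuthorization Authorization.%s=false Page.Number=%s Page.Size=%s Sort.Property=Authorization.ID Sort.Direction=%s\n' \
        "$CSPM_HOST" "$CSPM_ADMIN" "$flag" "$page" "$size" "$dir"
}

# audit_plan [PAGE] [SIZE]: one query per check flag, for operator review.
audit_plan() {
    for f in $AUTH_CHECK_FLAGS; do
        build_weak_auth_query "$f" "${1:-1}" "${2:-10000}" || return 2
    done
}

# Print the plan; nothing is executed against the appliance.
audit_plan || echo "plan not generated" >&2
```

Each printed line returns the mappings for which that one check is disabled; a mapping that appears in all four result sets has no execution ID, path, file path or script hash check enabled.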

searchFilter
Use the searchFilter command to retrieve a detailed listing of filters which match the provided search
criteria. When no search criteria are listed, all registered filters are returned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchFilter

Parameters
Filter.ID
Filter results for the specified filter.

Required Default Value Valid Values


no N/A Numeric.

Group.ID
Filter results for the unique identifier of a request or target group.

Required Default Value Valid Values

no N/A Numeric.

Filter.attribute
The filter attribute. For a detailed listing of valid filter attributes, see CA Privileged Access Manager
user documentation.

Required Default Value Valid Values


no N/A String.

Filter.type
Filter results for the specified filter type.

Required Default Value Valid Values


no N/A equals, beginswith, contains, endswith

Filter.expression
Filter results for the specified filter expression.

Required Default Value Valid Values


no N/A String.

Filter.objectClassId
Filter results for the specified object class ID.

Required Default Value Valid Values


no N/A String.

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values

no TargetAlias.ID Group.ID, Filter.ID, Filter.attribute, Filter.type, Filter.expression, Filter.objectClassId

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchGroup
Use the searchGroup command to retrieve a list of target groups or request groups within Credential
Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchGroup

Parameters
Group.ID
Filter results for the specified Group.ID.

Required Default Value Valid Values


no N/A String.

Group.name
Filter results for groups matching the specified name.

Required Default Value Valid Values


no N/A String.

Group.description
Filter results for groups matching the specified description.

Required Default Value Valid Values


no N/A String.

Group.type
Filter results for groups with the specified group type.

Required Default Value Valid Values


no N/A target, requestor

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


no Group.name Group.ID, Group.name, Group.description, Group.type, Group.dynamic

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchPasswordPolicy
Use the searchPasswordPolicy command to retrieve a detailed list of all the Password Composition
policies that match the provided search criteria. If no search criteria are specified then all SSH Key
Pair policies are returned.

Example
cspmserver_admin UserInputException cmdName=searchPasswordPolicy

Parameters
PasswordPolicy.name
Filter results for specified policy name.

Required Default Value Valid Values


No N/A String

PasswordPolicy.description
Filter results for policy descriptions that contain the specified value.

Required Default Value Valid Values


No N/A String

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


No 1 Numeric

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


No 10000 Numeric

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


No PasswordPolicy.name PasswordPolicy.name, PasswordPolicy.description

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


No asc asc, desc

searchPasswordViewPolicy
Use the searchPasswordViewPolicy command to retrieve a list of all password view policies that
match the search criteria. When no search criteria are listed, all password view policies are returned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=searchPasswordViewPolicy
    PasswordViewPolicy.name=restrictedAccounts

Parameters
PasswordViewPolicy.name
The name of the password view policy.

Required Default Value Valid Values


no N/A Any text string.

PasswordViewPolicy.description
The description of the password view policy.

Required Default Value Valid Values


no N/A Any text string.

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


no PasswordViewPolicy.name PasswordViewPolicy.name, PasswordViewPolicy.description

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchPasswordViewRequest
Use the searchPasswordViewRequest command to list the password view requests in the system.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=searchPasswordViewRequest
    PasswordViewRequest.status=pending

Parameters
PasswordViewRequest.requestorID
Filter results for specified requestorID

Required Default Value Valid Values


no N/A Integer.

PasswordViewRequest.approverID
Filter results for specified approverID

Required Default Value Valid Values


no N/A Integer.

PasswordViewRequest.status
Filter results that contain the value specified.

Required Default Value Valid Values


no N/A One of "approved", "denied", "pending", or "checkout"

PasswordViewRequest.targetAccountID
Filter results for specified target account ID.

Required Default Value Valid Values


no N/A Integer

PasswordViewRequest.isCheckedOut
Filter results for accounts that are checked out.

Required Default Value Valid Values


no N/A "true" or "false"

Page.Number
List all request servers within the specified page.

Required Default Value Valid Values


no 1 N/A

Page.Size
Specify the size of each page.

Required Default Value Valid Values


no 10000 N/A

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values

no PasswordViewRequest.status PasswordViewRequest.status, PasswordViewRequest.requestorID, PasswordViewRequest.approverID, PasswordViewRequest.targetAccountID

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no desc asc, desc

searchPasswordViewRequestByApprover
Use the searchPasswordViewRequestByApprover command to list the password view requests for a
particular approver. The approver is the user executing the command.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=searchPasswordViewRequestByApprover

Parameters
PasswordViewRequest.requestorID
Filter results for specified requestorID

Required Default Value Valid Values


no N/A Integer.

PasswordViewRequest.status
Filter results that contain the value specified.

Required Default Value Valid Values


no N/A One of "approved", "denied", "pending", or "checkout"

PasswordViewRequest.targetAccountID
Filter results for specified target account ID.

Required Default Value Valid Values


no N/A Integer

Page.Number
List all request servers within the specified page.

Required Default Value Valid Values


no 1 N/A

Page.Size
Specify the size of each page.

Required Default Value Valid Values


no 10000 N/A

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values

no PasswordViewRequest.status PasswordViewRequest.status, PasswordViewRequest.approverID, PasswordViewRequest.targetAccountID

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no desc asc, desc

searchPasswordViewRequestByRequestor
Lists the password view requests for a particular requestor. The requestor is the user executing the
command.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=searchPasswordViewRequestByRequestor
PasswordViewRequest.status=1

Parameters
PasswordViewRequest.approverID: Filter results for specified approverID

Required Default Value Valid Values


no N/A Integer.

PasswordViewRequest.status: Filter results that contain the value specified.

Required Default Value Valid Values


no N/A One of "approved", "denied", "pending", or "checkout"

PasswordViewRequest.targetAccountID: Filter results for specified target account ID.

Required Default Value Valid Values


no N/A Integer

PasswordViewRequest.isCheckedOut: Filter results for accounts that are checked out.

Required Default Value Valid Values


no N/A "true" or "false"

Page.Number: List all request servers within the specified page.

Required Default Value Valid Values


no 1 N/A

Page.Size: Specify the size of each page.

Required Default Value Valid Values

no 10000 N/A

Sort.Property: Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values

no PasswordViewRequest.status PasswordViewRequest.status, PasswordViewRequest.approverID, PasswordViewRequest.targetAccountID

Sort.Direction: Set Sort.Direction=asc to have the results presented in ascending order. Set
Sort.Direction=desc to have the results presented in descending order.

Required Default Value Valid Values


no desc asc, desc

searchRequestScript
Use the searchRequestScript command to retrieve a detailed listing of requesting applications
registered in Credential Manager, which match the provided search criteria. When no search criteria
are listed all registered requesting applications are returned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchRequestScript
    RequestScript.name=example.pl

Parameters
RequestServer.ID
Filter results for specified RequestServer.ID.

Required Default Value Valid Values


no N/A Numeric. Use searchRequestServer to retrieve the RequestServer.ID.

RequestScript.name
Filter results for specified request script name.

Required Default Value Valid Values


no N/A String.

RequestScript.ID
Filter results for specified RequestScript.ID.

Required Default Value Valid Values


no N/A Numeric.

RequestScript.filePath
Filter results for file paths that contain the value specified.

Required Default Value Valid Values


no N/A String.

RequestScript.executionPath
Filter results for execution paths that contain the value specified.

Required Default Value Valid Values


no N/A String.

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values

no RequestScript.name RequestServer.ID, RequestScript.name, RequestScript.ID, RequestScript.filePath, RequestScript.executionPath

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchRequestServer
Use the searchRequestServer command to retrieve a detailed listing of request servers (Credential
Manager clients) registered in Credential Manager, which match the provided search criteria. When
no search criteria are listed all registered request servers are returned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchRequestServer
RequestServer.hostName=mydomain

Parameters
RequestServer.ID
Filter results for specified RequestServer.ID.

Required Default Value Valid Values


no N/A Numeric.

RequestServer.hostName
Filter results for request server host names that contain the value specified.

Required Default Value Valid Values


no N/A String.

RequestServer.deviceName
Filter results for request server device names that contain the value specified.

Required Default Value Valid Values


no N/A String.

RequestServer.ipAddress
Filter results for IP addresses that contain the value specified.

Required Default Value Valid Values


no N/A String.

RequestServer.clientVersion
Filter results for request server client versions that contain the value specified.

Required Default Value Valid Values


no N/A String.

RequestServer.active
Set RequestServer.active=true to filter results for request servers that have the active flag set to true.
Set RequestServer.active=false to filter results for request servers that have the active flag set to
false.

Required Default Value Valid Values


no N/A true, false

RequestServer.actionRequired
Set RequestServer.actionRequired=true to filter results for request servers that have the action
required flag set to true. Set RequestServer.actionRequired=false to filter results for request servers
that have the actionRequired flag set to false.

Required Default Value Valid Values


no N/A true, false

Page.Number
List all request servers within the specified page.

Required Default Value Valid Values


no 1 N/A

Page.Size
Specify the size of each page.

Required Default Value Valid Values


no 10000 N/A

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


no RequestServer.hostName RequestServer.ID, RequestServer.hostName

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchRole
Use the searchRole command to retrieve roles from Credential Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchRole

Parameters
Role.ID
Filter results for specified Role.ID.

Required Default Value Valid Values


yes N/A Numeric.

Role.name
Filter results based on the Role.name specified.

Required Default Value Valid Values


yes N/A String.

Role.description
Filter results based on the Role.description specified.

Required Default Value Valid Values


no N/A String.

Page.Number
List all roles within the specified page.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


no Role.name Role.ID, Role.name, Role.description

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchSite
Use the searchSite command to retrieve an XML list of all sites in Credential Manager. This command
takes no parameters.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchSite

searchSSHKeyPairPolicy
Lists SSH Key Pair policies.

Use this command to retrieve a detailed list of all the SSH Key Pair policies that match the provided
search criteria. If no search criteria are specified then all SSH Key Pair policies are returned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchSSHKeyPairPolicy

Parameters
SSHKeyPairPolicy.name: Filter results for specified policy name.

Required Default Value Valid Values


No N/A String

SSHKeyPairPolicy.description: Filter results for policy descriptions that contain the specified value.

Required Default Value Valid Values


No N/A String

Page.Number: Specifies which page to return when the results are divided among multiple pages.
This parameter works in conjunction with Page.Size.

Required Default Value Valid Values


No 1 Numeric

Page.Size: Specifies the number of records to return on each page.

Required Default Value Valid Values


No 10000 Numeric

Sort.Property: Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


No SSHKeyPairPolicy.name SSHKeyPairPolicy.name, SSHKeyPairPolicy.description

Sort.Direction: Set Sort.Direction=asc to have the results presented in ascending order. Set
Sort.Direction=desc to have the results presented in descending order.

Required Default Value Valid Values


No asc asc, desc

searchTargetAccount
Use the searchTargetAccount command to retrieve an XML listing of all target accounts that match
the search criteria. When no search criteria are listed, all target accounts are returned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchTargetAccount
    TargetAccount.userName=root

Parameters
TargetAccount.ID
Filter results for specified TargetAccount.ID.

Required Default Value Valid Values


no N/A Numeric.

TargetApplication.ID
Filter results for specified TargetApplication.ID.

Required Default Value Valid Values


no N/A Numeric. Use searchTargetApplication to retrieve the TargetApplication.ID.

TargetApplication.name
Filter results for specified target application name.

Required Default Value Valid Values


no N/A String.

TargetApplication.type
Filter results for specified target application type.

Required Default Value Valid Values


no N/A String.

TargetAccount.userName
Filter results for target account user names that contain the value specified.

Required Default Value Valid Values


no N/A String.

TargetAccount.accessType
Filter results for target account access types that contain the value specified.

Required Default Value Valid Values


no N/A String

TargetAccount.cacheAllow (Deprecated)
Set TargetAccount.cacheAllow=true to filter results for target accounts that have the cache allow flag
set to true. Set TargetAccount.cacheAllow=false to filter results for target accounts that have the
cache allow flag set to false.

Required Default Value Valid Values


no N/A true, false

TargetAccount.cacheBehavior
Set TargetAccount.cacheBehavior=useCacheFirst to have the credentials for this account cached in
the CSPM Client and used first. Set TargetAccount.cacheBehavior=useServerFirst to have the
credentials for this account cached in the CSPM Client but the Server is contacted first. Set
TargetAccount.cacheBehavior=noCache to ensure that the credentials for this account are not cached
in the CSPM Client.

Required Default Value Valid Values


no useCacheFirst useCacheFirst, useServerFirst, noCache

TargetAccount.cacheDuration
Filter results for specified cache duration value.

Required Default Value Valid Values


no N/A Numeric.

TargetAccount.privileged
Set TargetAccount.privileged=true to filter results for target accounts that have the privileged flag set
to true. Set TargetAccount.privileged=false to filter results for target accounts that have the
privileged flag set to false (A2A accounts).

Required Default Value Valid Values


no N/A true, false

TargetAccount.synchronize
Set TargetAccount.synchronize=true to filter results for target accounts that have the synchronize
flag set to true. Set TargetAccount.synchronize=false to filter results for target accounts that have the
synchronize flag set to false.

Required Default Value Valid Values


no N/A true, false

TargetAccount.passwordVerified
Set TargetAccount.passwordVerified=true to filter results for target accounts that have the password
verified flag set to true. Set TargetAccount.passwordVerified=false to filter results for target accounts
that have the password verified flag set to false.

Required Default Value Valid Values


no N/A true, false

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values

no TargetAccount.ID TargetAccount.ID, TargetApplication.ID, TargetApplication.name, TargetApplication.type, TargetAccount.userName, TargetAccount.accessType, TargetAccount.cacheAllow, TargetAccount.cacheDuration, TargetAccount.privileged, TargetAccount.synchronize, TargetAccount.passwordVerified

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchTargetAlias
Use the searchTargetAlias command to retrieve an XML listing of all target aliases that match the
search criteria. When no search criteria are listed all target aliases are returned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchTargetAlias
TargetAlias.name=test

Parameters
TargetAlias.name
Filter results for target alias names that contain the value specified.

Required Default Value Valid Values


no N/A String.

TargetAccount.ID
Filter results for specified TargetAccount.ID.

Required Default Value Valid Values


no N/A Numeric. Use searchTargetAccount to retrieve the TargetAccount.ID.

TargetAlias.ID
Filter results for specified TargetAlias.ID.

Required Default Value Valid Values


no N/A Numeric.

TargetServer.hostName
Filter results for target server host names that contain the value specified.

Required Default Value Valid Values


no N/A String.

TargetApplication.name
Filter results for target application names that contain the value specified.

Required Default Value Valid Values


no N/A String.

TargetAccount.userName
Filter results for target account user names that contain the value specified.

Required Default Value Valid Values


no N/A String.

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


no TargetAlias.name TargetAlias.name, TargetAccount.ID, TargetAlias.ID

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchTargetApplication
Use the searchTargetApplication command to retrieve an XML listing of all target applications that
match the search criteria. When no search criteria are listed all target applications are returned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=searchTargetApplication TargetApplication.type=oracle

Parameters
TargetApplication.ID
Filter results for specified TargetApplication.ID.

Required Default Value Valid Values


no N/A Numeric.

TargetServer.ID
Filter results for specified TargetServer.ID.

Required Default Value Valid Values


no N/A Numeric. Use searchTargetServer to retrieve the TargetServer.ID.

TargetApplication.name
Filter results for target application names that contain the value specified.

Required Default Value Valid Values


no N/A String.

TargetApplication.type
Filter results for target application types that contain the value specified.

Required Default Value Valid Values


no N/A String.

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


no TargetApplication.name TargetApplication.ID, TargetServer.ID, TargetApplication.name, TargetApplication.type

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchTargetServer
Use the searchTargetServer command to retrieve an XML list of all target servers that match the
search criteria. When no search criteria are listed all target servers are returned.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchTargetServer
TargetServer.hostName=mydomain

Parameters
TargetServer.ID
Filter results for target server ID that contain the value specified.

Required Default Value Valid Values


no N/A String.

TargetServer.hostName
Filter results for target server host names that contain the value specified.

Required Default Value Valid Values


no N/A String.

TargetServer.ipAddress
Filter results for IP addresses that contain the value specified.

Required Default Value Valid Values


no N/A String.

TargetServer.deviceName
Filter results for target server device names that contain the value specified.

Required Default Value Valid Values


no N/A String.

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


no TargetServer.hostName TargetServer.hostName, TargetServer.ipAddress

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

searchUser
Use the searchUser command to retrieve a list of Credential Manager users from the Credential
Manager datastore.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchUser UserGroup.ID=4
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchUser UserGroup.ID=4
    User.authenticationType=CSPM User.status=ACTIVE User.firstName=Demo User.lastName=User

Parameters
UserGroup.ID
Filter results for users belonging to the specified user group.

Required Default Value Valid Values


no N/A Numeric. Use searchUserGroup to retrieve the UserGroup.ID.

User.authenticationType
Filter results on user authenticationType.

Required Default Value Valid Values


no N/A String.

User.status
Filter results on user status.

Required Default Value Valid Values


no N/A ACTIVE.

User.firstName
Filter results on user first name.

Required Default Value Valid Values


no N/A String.

User.lastName
Filter results on user last name.

Required Default Value Valid Values


no N/A String.

searchUserGroup
Use the searchUserGroup command to retrieve a list of user groups from the Credential Manager
datastore. If a user is specified, then only the groups in which that user belongs are displayed.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=searchUserGroup
UserGroup.ID=1

Parameters
UserGroup.ID
Filter results for user groups matching the specified ID.

Required Default Value Valid Values


no N/A String.

UserGroup.name
Filter results for user groups matching the specified name.

Required Default Value Valid Values


no N/A String.

UserGroup.description
Filter results for user groups matching the specified description.

Required Default Value Valid Values


no N/A String.

UserGroup.userID
Filter results for user groups in which the specified user belongs.

Required Default Value Valid Values


no N/A String.

Page.Number
Specifies which page to return when the results are divided among multiple pages. This parameter
works in conjunction with Page.Size.

Required Default Value Valid Values


no 1 Numeric.

Page.Size
Specifies the number of records to return on each page.

Required Default Value Valid Values


no 10000 Numeric.

Sort.Property
Use Sort.Property to specify which field to use for sorting the result.

Required Default Value Valid Values


no UserGroup.name UserGroup.ID, UserGroup.name, UserGroup.description, UserGroup.userID

Sort.Direction
Set Sort.Direction=asc to have the results presented in ascending order. Set Sort.Direction=desc to
have the results presented in descending order.

Required Default Value Valid Values


no asc asc, desc

setDisasterRecoverySettings
Use the setDisasterRecoverySettings command to enable or disable disaster recovery mode.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=setDisasterRecoverySettings enable=true

Parameters
enable
Set enable=true to enable the disaster recovery mode. Otherwise, set enable=false to disable it.

Required Default Value Valid Values


yes false true, false

setInitProperty
Use the setInitProperty command to change the Credential Manager initialization property (database
username and password) for DB2 databases. For all other databases, use the updateDBPassword
command. This command can be executed at a secondary site.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=setInitProperty
    propertyName=dbpassword propertyValue='12345'

Parameters
propertyName
The property to set.

Required Default Value Valid Values


yes N/A dbpassword, dbusername, ddlpassword, ddlusername

propertyValue
String containing the property value.

Required Default Value Valid Values


yes N/A String. In UNIX, if special characters are included, the password must be enclosed in single quotes.

setLocalProperty
Use the setLocalProperty command to set the site name of a primary or secondary site in a multi-site
Credential Manager installation. setLocalProperty sets the site name in the site-local CA Privileged
Access Manager Credential Manager data store.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=setLocalProperty
    propertyName=sitename propertyValues=mySiteName

Parameters
propertyName
The property to set.

Required Default Value Valid Values


yes N/A sitename

propertyValues
String containing the property value.

Required Default Value Valid Values


yes N/A String

setPasswordViewReasons
Use the setPasswordViewReasons command to customize the reasons a Credential Manager GUI user
can select for viewing a target account password.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=setPasswordViewReasons
    reasons="System failure|System recovery|System update|Scheduled maintenance|Other"

Parameters
reasons
The list of reasons is delimited by |. In UNIX, the list must be enclosed in quotes.

Required Default Value Valid Values


yes N/A String.

setPasswordViewRequestDeleteInterval
Use the setPasswordViewRequestDeleteInterval command to set the password view request delete
interval.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=SetPasswordViewRequestDeleteInterval
    deleteIntervalDays=30

Parameters
deleteIntervalDays
The number of days to keep Password View Requests

Required Default Value Valid Values


yes N/A Numeric.

setReportRowLimit
Use the setReportRowLimit command to set the maximum number of entries that will be displayed
by reports.

Example
cspmserver_admin adminUserID=admin cmdName=setReportRowLimit rowLimit=10000

Parameters
rowLimit
The maximum number of entries displayed by each report

Required Default Value Valid Values


yes N/A Numeric

setSystemProperty
Use the setSystemProperty command to set a Credential Manager system property.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=setSystemProperty
    propertyName=lunaPassword propertyValues='p@ssw0rd!' encryptValue=true

Parameters
propertyName
The property to update (or insert if it does not exist).

Required Default Value Valid Values


yes N/A String

propertyValues
String containing the property value.

Required Default Value Valid Values


yes N/A String

encryptValue
Set encryptValue=true to indicate that propertyValues value is to be encrypted. Set
encryptValue=false to indicate that it is not to be encrypted (plaintext).

Required Default Value Valid Values


no false true, false

propertyValueBlankAllowed
Required Default Value Valid Values
no false true, false

updateAuthorization
Use the updateAuthorization command to change authorization mapping information.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateAuthorization
    Authorization.ID=10 RequestServer.ID=17 RequestScript.ID=2
    Authorization.checkExecutionID=true
    Authorization.executionUser=auser
    Authorization.checkPath=true TargetAlias.ID=6

Parameters
Authorization.ID
The unique ID for the authorization mapping to be changed.

Required Default Value Valid Values


yes N/A Numeric. Use searchAuthorization to retrieve the Authorization.ID.

TargetAlias.ID
The updated value for the target alias ID.

Required Default Value Valid Values


One of TargetAlias.ID or Authorization.targetGroupId is required. N/A Numeric. Use searchTargetAlias to retrieve the TargetAlias.ID.

Authorization.targetGroupId
The updated value for the target group ID.

Required Default Value Valid Values


One of TargetAlias.ID or Authorization.targetGroupId is required. N/A Numeric.

RequestServer.ID
The updated value for the request server ID on which the requesting application resides.

Required Default Value Valid Values


Either RequestServer.ID and RequestScript.ID OR Authorization.requestGroupId is required. N/A Numeric. Use searchRequestServer to retrieve the RequestServer.ID.

RequestScript.ID
The updated value for request script ID.

Required Default Value Valid Values


Either RequestServer.ID and RequestScript.ID OR Authorization.requestGroupId is required. N/A Numeric. Use searchRequestScript to retrieve the RequestScript.ID.

Authorization.requestGroupId
The updated value for request group ID.

Required Default Value Valid Values


Either RequestServer.ID and RequestScript.ID OR Authorization.requestGroupId is required. N/A Numeric.

Authorization.checkExecutionID
Set Authorization.checkExecutionID=true to indicate that the execution user ID be validated.

Required Default Value Valid Values

yes false true, false

Authorization.executionUser
A comma-delimited list of execution user IDs. The IDs are only validated if
Authorization.checkExecutionID=true.

Required Default Value Valid Values


yes N/A N/A

Authorization.checkPath
Set Authorization.checkPath=true to indicate that the script execution path be validated.

Required Default Value Valid Values


no. If this parameter is not included, the value is reset to null. false true, false

Authorization.checkFilePath
Set Authorization.checkFilePath=true to indicate that the script file path be validated.

Required Default Value Valid Values


no. If this parameter is not included, the value is reset to null. false true, false

Authorization.checkScriptHash
Set Authorization.checkScriptHash=true to indicate script hash integrity verification be performed.

Required Default Value Valid Values


no. If this parameter is not included, the value is reset to null. false true, false
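
The tables above state that Authorization.checkPath, Authorization.checkFilePath and Authorization.checkScriptHash are reset to null when omitted, so a partial update can switch off a validation that was enabled. The pre-flight check below is an added example, not part of the CA documentation or product; the function names and the `current` dictionary of existing settings are assumptions of the example.

```python
# Added example (not CA code): pre-flight check for an updateAuthorization
# argument list, encoding the rules from the parameter tables above.
import re

BOOL = {"true", "false"}

# Tables: "If this parameter is not included, the value is reset to null."
RESET_IF_OMITTED = (
    "Authorization.checkPath",
    "Authorization.checkFilePath",
    "Authorization.checkScriptHash",
)
NUMERIC = (
    "Authorization.ID", "TargetAlias.ID", "Authorization.targetGroupId",
    "RequestServer.ID", "RequestScript.ID", "Authorization.requestGroupId",
)


def parse_params(argv):
    """Turn ['Authorization.ID=10', ...] into a dict; reject malformed tokens."""
    params = {}
    for token in argv:
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value token: {token!r}")
        params[key] = value
    return params


def check_update_authorization(argv, current):
    """Return (errors, warnings) for a planned updateAuthorization call.

    current: the mapping's settings before the update, collected by the
             operator beforehand (hypothetical shape, built by hand here).
    """
    p = parse_params(argv)
    errors, warnings = [], []

    for name in ("Authorization.ID", "Authorization.checkExecutionID",
                 "Authorization.executionUser"):
        if name not in p:
            errors.append(f"{name} is required")
    if not ("TargetAlias.ID" in p or "Authorization.targetGroupId" in p):
        errors.append("one of TargetAlias.ID or Authorization.targetGroupId is required")
    if not (("RequestServer.ID" in p and "RequestScript.ID" in p)
            or "Authorization.requestGroupId" in p):
        errors.append("RequestServer.ID and RequestScript.ID, or "
                      "Authorization.requestGroupId, is required")

    for name in NUMERIC:
        if name in p and not re.fullmatch(r"[0-9]+", p[name]):
            errors.append(f"{name} must be numeric")
    for name in ("Authorization.checkExecutionID",) + RESET_IF_OMITTED:
        if name in p and p[name] not in BOOL:
            errors.append(f"{name} must be true or false")

    # An omitted check is reset to null, so an update meant only to change
    # the alias or request script can silently drop a validation that was on.
    for name in RESET_IF_OMITTED:
        if name not in p and current.get(name) == "true":
            warnings.append(f"{name} is currently true and would be reset to null")
    return errors, warnings


# The example command from this page, split into its key=value tokens.
PAGE_EXAMPLE = [
    "Authorization.ID=10", "RequestServer.ID=17", "RequestScript.ID=2",
    "Authorization.checkExecutionID=true", "Authorization.executionUser=auser",
    "Authorization.checkPath=true", "TargetAlias.ID=6",
]
# Constructed sample: settings the mapping is assumed to have before the update.
CURRENT = {
    "Authorization.checkPath": "true",
    "Authorization.checkScriptHash": "true",
}

if __name__ == "__main__":
    errs, warns = check_update_authorization(PAGE_EXAMPLE, CURRENT)
    for line in errs + warns:
        print(line)
```

Run against the page's own example, the check reports no errors but warns that script hash verification would be dropped unless Authorization.checkScriptHash=true is added to the command.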

updateDBClusterMembers
Use the updateDBClusterMembers command to update information about a database cluster
member.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updateDbClusterMember database.ID=db1 active=false

Parameters
database.ID
ID of the database cluster member to update

Required Default Value Valid Values


yes N/A String.

active
"true" will activate the specified database cluster member, "false" will de-activate it

Required Default Value Valid Values


yes N/A "true" or "false".

method
Optional synchronization strategy values: "full" or "dump-restore"

Required Default Value Valid Values


no "dump-restore" for MySQL 5.6+ or PostgreSQL 9.4+, "full" for Oracle, DB2, SQL Server, and MySQL <= 5.5 "full", "dump-restore"

updateDBPassword
Changes the CA Privileged Access Manager Credential Manager datastore administrator password on
all databases except DB2.

Use this command to change the CA Privileged Access Manager Credential Manager datastore
administrator password for the DML or DDL user account on all databases except DB2. This command can
be executed at a secondary site. The DML (Data Manipulation Language) user can manipulate data within
database tables. The DDL (Data Definition Language) user can define the database schema. When the DML
and DDL user accounts share the same database username, both their passwords are changed in the
init properties table of CA Privileged Access Manager Credential Manager. To change the datastore
password in a DB2 database, use setInitProperty.

Warning: Changing the datastore password directly in the database causes CA Privileged Access
Manager Credential Manager to fail to operate. Use this command instead, because CA Privileged
Access Manager Credential Manager uses proprietary key-hiding technology to securely store the
datastore password.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateDBPassword dbuserTy

dbpassword=cspmpwd updateLoginCredentials=true

Parameters
dbuserType: The CA Privileged Access Manager Credential Manager database user type. Either DML
(Data Manipulation Language) or DDL (Data Definition Language).

Required Default Value Valid Values


yes N/A dml, ddl

dbusername: The CA Privileged Access Manager Credential Manager datastore administrator
username.

Required Default Value Valid Values


yes N/A String

dbpassword: The new CA Privileged Access Manager Credential Manager datastore administrator
password.

Required Default Value Valid Values


yes N/A String. In UNIX, passwords with special characters must be enclosed in single quotes.

updateLoginCredentials: Useful if you do not want to update the database user account.

Required Default Value Valid Values


no true true, false

updateFilter
Use the updateFilter command to update a target group or request group filter.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateFilter Filter.ID=6
    Filter.objectClassId=c.cw.m.ts Filter.attribute=hostName
    Filter.type=contains Filter.expression=Ottawa

Parameters
Filter.ID
The ID of the filter. It must be an integer >= 1.

Required Default Value Valid Values


yes N/A Integer

Filter.objectClassId
The type of object to filter. Class IDs are specific to group type.

Required Default Value Valid Values


yes N/A c.cw.m.ts, c.cw.m.tp, c.cw.m.ac, c.cw.m.rs, c.cw.m.sc

Filter.attribute
The filter attribute. If static, attribute must be ID. If dynamic, attributes are specific to objectClassId.

Required Default Value Valid Values


yes N/A String.

Filter.type
The filter type. If group is static, only equals is valid.

Required Default Value Valid Values


yes N/A equals, beginswith, contains, endswith, notcontains

Filter.expression
The filter expression. If the group is static, the expression can only be an integer >= 1.

Required Default Value Valid Values


yes N/A String, Integer

updateGroup
Use the updateGroup command to change a target or request group.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateGroup
    Group.ID=5 Group.name="TokyoTargets" Group.description="Targets in Tokyo"
    Group.type=target

Parameters
Group.ID
The ID of the group.

Required Default Value Valid Values


One of Group.name or Group.ID is required. N/A Integer

Group.name
The name of the target or request group.

Required Default Value Valid Values


One of Group.name or Group.ID is required. N/A String

Group.description
The description of the group.

Required Default Value Valid Values


no N/A String

Group.type
Set Group.type=requestor for Request groups. Set Group.type=target for Target groups.

Required Default Value Valid Values


yes N/A requestor, target

Group.dynamic
Set Group.dynamic=true for dynamic Request/Target groups, false for static Request/Target groups.

Required Default Value Valid Values


no true true, false

Group.permissions
ArrayList object of filters, or XML encoded ArrayList of filters. If not set, the filters are cleared.

Required Default Value Valid Values


no N/A XML

updatePasswordPolicy
Use the updatePasswordPolicy command to update a password policy.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updatePasswordPolicy
    PasswordPolicy.ID=1 PasswordPolicy.name=passwordPolicyName
    Attribute.composedOfUpperCaseCharacters=true Attribute.firstCharacterUpperCase=true

Parameters
PasswordPolicy.ID
The ID of the password policy.

Required Default Value Valid Values


yes null Numeric

PasswordPolicy.name
The name of the password policy.

Required Default Value Valid Values


yes null String

PasswordPolicy.description
The description of the password policy.

Required Default Value Valid Values


no Blank String

Attribute.passwordPrefix
The prefix for all passwords mandated by your password policy.

Required Default Value Valid Values


no None Constrained by your other settings.

Attribute.composedOfUpperCaseCharacters
Set to true if you wish to mandate that your password policy contain upper case characters.

Required Default Value Valid Values


no false true, false

Attribute.composedOfLowerCaseCharacters
Set to true if you wish to mandate that your password policy contain lower case characters.

Required Default Value Valid Values


no false true, false

Attribute.composedOfNumericCharacters
Set to true if you wish to mandate that your password policy contain numeric characters.

Required Default Value Valid Values


no false true, false

Attribute.composedOfSpecialCharacters
Set to true if you wish to mandate that your password policy contain special characters.

Required Default Value Valid Values


no false true, false

Attribute.specialCharacters
The list of all special characters mandated by your password policy.

Required Default Value Valid Values


no None !#$%()*+,-./:;=?@[\\]^_`{|}~

Attribute.firstCharacterUpperCase
Set to true if you wish to mandate that your password policy contain upper case characters.

Required Default Value Valid Values

no false true, false

Attribute.firstCharacterLowerCase
Set to true if you wish to mandate that your password policy contain lower case characters.

Required Default Value Valid Values


no false true, false

Attribute.firstCharacterNumeric
Set to true if you wish to mandate that your password policy contain numeric characters.

Required Default Value Valid Values


no false true, false

Attribute.firstCharacterSpecial
Set to true if you wish to mandate that your password policy contain special characters.

Required Default Value Valid Values


no false true, false

Attribute.firstCharacterSpecials
The list of all special characters mandated by your password policy.

Required Default Value Valid Values


no None !#$%()*+,-./:;=?@[\\]^_`{|}~

Attribute.mustNotContainConsecutiveDuplicateCharacters
Set to true if you wish to mandate that your password policy not allow any repeating characters.

Required Default Value Valid Values


no false true, false

Attribute.mustNotContainAnyDuplicateCharacters
Set to true if you wish to mandate that your password policy not allow any duplicate characters.

Required Default Value Valid Values


no false true, false

Attribute.mustNotContainCharacters
Set to true if you wish to mandate that your password policy not contain certain upper case, lower
case, or numeric characters.

Required Default Value Valid Values


no false true, false

Attribute.composedOfMustNotContainCharacters
The list of all characters not allowed by your password policy. No overlap allowed with special
characters.

Required Default Value Valid Values


no Blank ABCDEFGHIJKLMONPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

Attribute.minLength
Set the minimum length of characters you wish to mandate by your password policy.

Required Default Value Valid Values


no 4 Numeric

Attribute.maxLength
Set the maximum length of characters you wish to mandate by your password policy.

Required Default Value Valid Values


no 16 Numeric

Attribute.minIterationsBeforeReuse
Set the minimum number of iterations before a password can be reused.

Required Default Value Valid Values


no 0 Numeric

Attribute.minDaysBeforeReuse
Set the minimum number of days before a password can be reused.

Required Default Value Valid Values


no 0 Numeric

Attribute.enableMaxPasswordAge
Set to true if you wish to enable Maximum password age in your password policy.

Required Default Value Valid Values


no false true, false

Attribute.maxPasswordAge
Set the Maximum password age.

Required Default Value Valid Values


yes (if Attribute.enableMaxPasswordAge is set to true) None Numeric

updatePasswordViewPolicy
Use the updatePasswordViewPolicy command to update a password view policy in Credential
Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updatePasswordViewPolicy
    PasswordViewPolicy.ID=7 PasswordViewPolicy.checkinCheckoutRequired=true
    PasswordViewPolicy.checkinCheckoutInterval=240

Parameters
PasswordViewPolicy.ID
The ID of the password view policy.

Required Default Value Valid Values


yes N/A Use searchPasswordViewPolicy to retrieve the ID.

PasswordViewPolicy.name
The updated name of the password view policy.

Required Default Value Valid Values


No. If not specified, the existing name is preserved. N/A String.

PasswordViewPolicy.description
An updated description of the password view policy.

Required Default Value Valid Values


No. If not specified, the existing description is preserved. N/A String.

PasswordViewPolicy.changePasswordOnView
Set PasswordViewPolicy.changePasswordOnView=true to indicate that CA Privileged Access Manager
Credential Manager should change the password after a password view request.

Required Default Value Valid Values


No. If not specified, the existing value is preserved. false true, false

PasswordViewPolicy.allowChangePasswordOnViewForSso
Set PasswordViewPolicy.allowChangePasswordOnViewForSso=true to indicate that CA Privileged
Access Manager Credential Manager should change the password after a password SSO request
(retrieved but not viewed).

Required Default Value Valid Values


No. If not specified, the existing value is preserved. false true, false

PasswordViewPolicy.passwordChangeInterval
Determines the length of time (in minutes) before the password is changed if
changePasswordOnView is set to true.

Required Default Value Valid Values


Must be specified if PasswordViewPolicy.changePasswordOnView is true. If not specified, the existing value is preserved. Numeric value greater than 0.

PasswordViewPolicy.checkinCheckoutRequired
Set PasswordViewPolicy.checkinCheckoutRequired=true to indicate that an account must be checked
out before the password can be viewed. When checked out, the account's password cannot be
changed.

Required Default Value Valid Values


If not specified, the existing value is preserved. false true, false

PasswordViewPolicy.checkinCheckoutInterval
Determines the length of time (in minutes) an account can remain checked out before it is
automatically checked back in by the system.

Required Default Value Valid Values


Must be specified if PasswordViewPolicy.checkinCheckoutRequired is true. If not specified, the existing value is preserved. Numeric value greater than 0.

PasswordViewPolicy.dualAuthorization
Set PasswordViewPolicy.dualAuthorization=true to indicate that a request to view a password must
be approved by another user before proceeding.

Required Default Value Valid Values


no false true, false

PasswordViewPolicy.dualAuthorizationInterval
Determines the default length of time (in minutes) a password view request remains active in the
system, provided the requesting user does not specify a start/end time for the password view
request.

Required Default Value Valid Values


Must be specified if PasswordViewPolicy.dualAuthorization is true. If not specified, the existing value is preserved. Numeric value greater than 0.

PasswordViewPolicy.approvers
The list of users who are authorized to approve or deny password requests for accounts that use this
password policy.

Required Default Value Valid Values


One of PasswordViewPolicy.approvers or PasswordViewPolicy.approverIDs must be specified if PasswordViewPolicy.dualAuthorization is true. If not specified, the existing values are preserved. List of comma-separated usernames. Example: jbauer,mdessler,dpalmer

PasswordViewPolicy.approverIDs
The list of user IDs who are authorized to approve or deny password requests for accounts that use
this password policy.

Required Default Value Valid Values


One of PasswordViewPolicy.approvers or PasswordViewPolicy.approverIDs must be specified if PasswordViewPolicy.dualAuthorization is true. Use searchUser to retrieve a list of user IDs. If not specified, the existing values are preserved. List of comma-separated user IDs. Example: 11,19,15

PasswordViewPolicy.authenticationRequired
Set PasswordViewPolicy.authenticationRequired=true to indicate that the requesting user must
provide their password before viewing the account.

Required Default Value Valid Values


no If not specified, the existing value is preserved. true, false

PasswordViewPolicy.enableOneClickApproval
Set PasswordViewPolicy.enableOneClickApproval=true to enable dual authorization one click
approval. When enabled, dual authorization emails will include links to allow the approver to approve
requests without logging into the system.

Required Default Value Valid Values


no false true, false

PasswordViewPolicy.passwordViewRequestMaxInterval
The maximum interval between the start and end date of a dual authorization password view
request.

Required Default Value Valid Values


no 60 Numeric value greater than 0.

PasswordViewPolicy.passwordViewRequestMaxDays
The maximum number of days in the future that a password view request can be requested.

Required Default Value Valid Values


no 14 Numeric value greater than 0.
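
Several parameters above are only required in combination: an interval when its flag is true, and approvers when dual authorization is on. The check below is an added example, not part of the CA documentation or product, that applies those documented rules to an argument list before the command is run; the function name and the strict reading described in the docstring are assumptions of the example.

```python
# Added example (not CA code): consistency check for an
# updatePasswordViewPolicy argument list before it is run.
import re

P = "PasswordViewPolicy."

# flag -> interval the tables say "must be specified" when the flag is true
DEPENDENT_INTERVAL = {
    P + "changePasswordOnView": P + "passwordChangeInterval",
    P + "checkinCheckoutRequired": P + "checkinCheckoutInterval",
    P + "dualAuthorization": P + "dualAuthorizationInterval",
}
# Parameters documented as "Numeric value greater than 0."
GREATER_THAN_ZERO = sorted(set(DEPENDENT_INTERVAL.values()) | {
    P + "passwordViewRequestMaxInterval",
    P + "passwordViewRequestMaxDays",
})
# Parameters documented with valid values "true, false".
BOOLEAN = sorted(set(DEPENDENT_INTERVAL) | {
    P + "allowChangePasswordOnViewForSso",
    P + "authenticationRequired",
    P + "enableOneClickApproval",
})


def check_password_view_policy(argv):
    """Return a list of problems; an empty list means the call is consistent.

    Assumption of this example: a dependency is enforced only when the flag is
    set to true in this same call, because omitted values are preserved and
    the stored policy is not visible to the check.
    """
    params = {k: v for k, _, v in (t.partition("=") for t in argv)}
    problems = []

    if P + "ID" not in params:
        problems.append(P + "ID is required")
    for name in BOOLEAN:
        if name in params and params[name] not in ("true", "false"):
            problems.append(f"{name} must be true or false")
    for name in GREATER_THAN_ZERO:
        if name in params and not re.fullmatch(r"0*[1-9][0-9]*", params[name]):
            problems.append(f"{name} must be a numeric value greater than 0")

    # A flag switched on without its interval leaves the policy incomplete.
    for flag, interval in DEPENDENT_INTERVAL.items():
        if params.get(flag) == "true" and interval not in params:
            problems.append(f"{interval} must be specified when {flag}=true")

    # Dual authorization needs someone who can approve or deny the request.
    if params.get(P + "dualAuthorization") == "true":
        if P + "approvers" not in params and P + "approverIDs" not in params:
            problems.append("one of " + P + "approvers or " + P
                            + "approverIDs must be specified when "
                            + P + "dualAuthorization=true")
    ids = params.get(P + "approverIDs")
    if ids is not None and not re.fullmatch(r"[0-9]+(,[0-9]+)*", ids):
        problems.append(P + "approverIDs must be comma-separated user IDs")
    return problems


# The example command from this page, split into its key=value tokens.
PAGE_EXAMPLE = [
    "PasswordViewPolicy.ID=7",
    "PasswordViewPolicy.checkinCheckoutRequired=true",
    "PasswordViewPolicy.checkinCheckoutInterval=240",
]
# Constructed sample: dual authorization enabled without interval or approvers.
INCOMPLETE = [
    "PasswordViewPolicy.ID=7",
    "PasswordViewPolicy.dualAuthorization=true",
    "PasswordViewPolicy.passwordViewRequestMaxInterval=0",
]

if __name__ == "__main__":
    for label, argv in (("page example", PAGE_EXAMPLE), ("incomplete", INCOMPLETE)):
        print(label, check_password_view_policy(argv))
```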

updatePasswordViewRequestStatus
Use the updatePasswordViewRequestStatus command to approve or deny a password view request.
This command can be run on a secondary site.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin
cmdName=updatePasswordViewRequestStatus
    PasswordViewRequest.ID=1 PasswordViewRequest.status=approved

Parameters
PasswordViewRequest.ID
The ID of the password view request.

Required Default Value Valid Values


yes Use listPasswordViewRequestByApprover to obtain the PasswordViewRequest.ID. Integer

PasswordViewRequest.status
The status of the password view request.

Required Default Value Valid Values


One of PasswordViewRequest.status or PasswordViewRequest.statusCode is required. N/A 'approved' or 'denied'

PasswordViewRequest.statusCode
The status of the password view request.

Required Default Value Valid Values


One of PasswordViewRequest.status or PasswordViewRequest.statusCode is required. N/A 1 (approved) or 2 (denied)

PasswordViewRequest.approvalReason
The approval reason.

Required Default Value Valid Values


no N/A String

PasswordViewRequest.approvalReasonDescription
The approval reason description.

Required Default Value Valid Values


no N/A String

updateRequestScript
Use the updateRequestScript command to change request application information.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateRequestScript
    RequestServer.ID=17
    RequestScript.ID=5
    RequestScript.name=myExample.class
    RequestScript.executionPath=/opt/cloakware/cspmclient/examples
    RequestScript.filePath=/opt/cloakware/cspmclient/bin
    RequestScript.type=java

Parameters
RequestScript.ID
The unique ID for the request script to be changed.

Required Default Value Valid Values


yes N/A Numeric. Use searchRequestScript to retrieve the RequestScript.ID.

RequestServer.ID
The updated value for the RequestServer.ID.

Required Default Value Valid Values


yes N/A Numeric. Use searchRequestServer to retrieve the RequestServer.ID.

RequestScript.name
The updated value for the request script name.

Required Default Value Valid Values


yes N/A String.

RequestScript.executionPath
The updated value for the location from which the requesting application will be run.

Required Default Value Valid Values


yes N/A String

RequestScript.filePath
The updated value for the location in which the requesting application resides.

Required Default Value Valid Values


yes N/A N/A

RequestScript.type
The updated value for the programming language in which the requesting application is written.

Required Default Value Valid Values


yes N/A C, C++, C#, csh, Java, ksh, Perl, ksh, VB, VB.NET, VC++, Other

Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String.

Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String.

updateRequestServer
Use the updateRequestServer command to change request server information.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateRequestServer
    RequestServer.ID=17 RequestServer.hostName=myhostname2.mydomain.com
    Attribute.descriptor1="Lab" Attribute.descriptor2="Vienna"

Parameters
RequestServer.ID
The unique ID for the request server to be changed.

Required Default Value Valid Values


yes N/A Numeric. Use searchRequestServer to retrieve RequestServer.ID.

RequestServer.hostName
The updated value for the request server host name.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String

RequestServer.deviceName
The updated value for the request server device name.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String

RequestServer.active
Set RequestServer.active=true to activate the request server. Set RequestServer.active=false to
deactivate the request server.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. false true, false

RequestServer.port
The port number the request server listens on for incoming requests. This value is optional.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A Integer

RequestServer.updatePortFlag
If this value is set to true and RequestServer.port is not empty, the port is updated.

Required Default Value Valid Values


no. If this parameter is not included the port is preserved. false true, false

RequestServer.acceptPendingFingerprint
Accepts or denies the pending fingerprint.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. false true, false

RequestServer.preserveHostName
Set RequestServer.preserveHostName=true to indicate that the request server host name should not
be overwritten each time the client registers.

Required Default Value Valid Values


no false true, false

RequestServer.type
Set RequestServer.type=CLIENT to indicate that the server is a request server. Set
RequestServer.type=AGENT to indicate that the server is a CA Privileged Access Manager Credential
Manager Windows Proxy.

Required Default Value Valid Values

no. If this parameter is not included, the value is set to type CLIENT. CLIENT CLIENT, AGENT

RequestServer.patchStatus
Enables or disables request server patch upgrades. If set to Disabled, the request server does not
apply a patch, even if a newer version is found and activated.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. Disabled Disabled, Enabled

Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String

Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String

updateRequestServerDefaults
Use the updateRequestServerDefaults command to update request server defaults in Credential
Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateRequestServerDefaults
    RequestServerDefaults.subnet=192.168.0.0/16
    RequestServerDefaults.active=true
    RequestServerDefaults.type=CLIENT
    RequestServerDefaults.descriptor1=awsApiProxy

Parameters
RequestServerDefaults.ID
The ID of the record to delete.

Required Default Value Valid Values


yes N/A Integer

RequestServerDefaults.subnet
The subnet filter to apply defaults to request servers.

Required Default Value Valid Values


yes N/A String

RequestServerDefaults.type
The type filter to apply defaults to request servers.

Required Default Value Valid Values


yes CLIENT, AGENT, ALL

RequestServerDefaults.active
The default setting for RequestServer.active during auto-register.

Required Default Value Valid Values


yes true, false

RequestServerDefaults.descriptor1
The default setting for Attribute.descriptor1 during auto-register.

Required Default Value Valid Values


no String

RequestServerDefaults.descriptor2
The default setting for Attribute.descriptor2 during auto-register.

Required Default Value Valid Values


no String

updateRequestServerKey
Use the updateRequestServerKey command to change the Request Server (Credential Manager
client) encryption key.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateRequestServerKey
    RequestServer.hostName=myhostname.mydomain.com

Parameters
RequestServer.hostName
The host name of the request server.

Required Default Value Valid Values


One of RequestServer.hostName or RequestServer.ID is required. N/A String.

RequestServer.ID
The ID of the request server.

Required Default Value Valid Values

One of RequestServer.hostName or RequestServer.ID is required. N/A Numeric. Use searchRequestServer to retrieve the RequestServer.ID.

updateRole
Use the updateRole command to change role information in Credential Manager.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateRole Role.ID=11
    Role.name="Patch Management" Role.description="Manages Patches"
    Role.permissions="activatePatch,addPatch,deletePatch,getPatchDetail,listPatch,listPatchDetailSummary,updatePatch"

Parameters
Role.ID
The ID of the role.

Required Default Value Valid Values


yes N/A Numeric.

Role.name
The name of the role.

Required Default Value Valid Values

yes N/A String. A unique name in CA Privileged Access Manager Credential Manager.

Role.description
The description of the role.

Required Default Value Valid Values


no. If this parameter is not included, the value is reset to null. N/A String.

Role.permissions
A comma delimited list of permissions.

Required Default Value Valid Values

no. If this parameter is not included, the value is reset to null. N/A String. See CA Privileged Access Manager user documentation for a list of valid user interface actions.

updateServerKey
Changes the CA Privileged Access Manager Credential Manager server encryption key.

Use this command to update the CA Privileged Access Manager Credential Manager server
encryption key. This command does not take parameters.

CAUTION: The updateServerKey command reads every encrypted record in the database, decrypts it
with the old key, re-encrypts it with the new key, and writes the record back to the database.
Before using this command, contact CA Technology customer support.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateServerKey

updateSite
Use the updateSite command to change secondary site information.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateSite Site.ID=2
    Site.hostName=tokyo1.company.com

Parameters
Site.ID
The unique ID for the site to be changed.

Required Default Value Valid Values


yes N/A Numeric. Use searchSite to retrieve the Site.ID.

Site.name
The updated value for the name of the site.

Required Default Value Valid Values


yes N/A String.

Site.type
Set Site.type=secondary if the site being added is a secondary site.

Required Default Value Valid Values


yes N/A secondary

Site.hostName
The updated value for the host name of the site being added. The hostName value is used for
site-to-site communication.

Required Default Value Valid Values

no. If this parameter is not included, the value is preserved. N/A String. A fully qualified host name as entered in the DNS server.

updateSSHKeyPairPolicy
Use the updateSSHKeyPairPolicy command to update an existing SSH Key Pair Policy.

Example
https://<CAPAM-HOST>/cspm/servlet/adminCLI
                    ?responseType=xmlResponse
                    &adminUserID=super
                    &adminPassword=<PASSWORD>
                    &cmdName=updateSSHKeyPairPolicy
                    &SSHKeyPairPolicy.name=Testing
                    &SSHKeyPairPolicy.keyType=DSA
                    &SSHKeyPairPolicy.keyLength=512

Parameters
SSHKeyPairPolicy.ID
The policy ID.

Required Default Value Valid Values


Yes if SSHKeyPairPolicy.name is not specified; otherwise no N/A An integer >= 0

SSHKeyPairPolicy.name
The policy name.

Required Default Value Valid Values


Yes if SSHKeyPairPolicy.ID is not specified; otherwise no N/A A String

SSHKeyPairPolicy.description
The policy description.

Required Default Value Valid Values


No N/A A String

SSHKeyPairPolicy.keyType
The key type.

Required Default Value Valid Values


No N/A RSA or DSA

SSHKeyPairPolicy.keyLength
The key length.

Required Default Value Valid Values

No N/A Varies depending on key type. The supported DSA key lengths are 512 and 1024 bits. The supported RSA key lengths are 1024, 2048 and 4096 bits.
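
The key type and length rules above, as an added example that is not part of the CA documentation: a Python helper that checks a keyType/keyLength pair against the supported values listed on this page before building the updateSSHKeyPairPolicy query string. The 2048-bit review threshold, the rule that type and length are changed together, and all function names are assumptions of the example.

```python
from urllib.parse import urlencode

# Key lengths listed as supported in the SSHKeyPairPolicy.keyLength table above.
SUPPORTED_BITS = {"RSA": (1024, 2048, 4096), "DSA": (512, 1024)}

# Assumption of this example, not a product setting: keys shorter than
# 2048 bits are reported so that a reviewer has to accept them explicitly.
REVIEW_BELOW_BITS = 2048


def check_key_settings(key_type, key_length):
    """Return a list of warnings; raise ValueError for unsupported values."""
    if key_type not in SUPPORTED_BITS:
        raise ValueError(f"keyType must be RSA or DSA, got {key_type!r}")
    if key_length not in SUPPORTED_BITS[key_type]:
        allowed = ", ".join(str(bits) for bits in SUPPORTED_BITS[key_type])
        raise ValueError(
            f"{key_type} keyLength must be one of {allowed}, got {key_length!r}"
        )
    warnings = []
    if key_length < REVIEW_BELOW_BITS:
        warnings.append(
            f"{key_type} {key_length}-bit keys are below {REVIEW_BELOW_BITS} bits"
        )
    return warnings


def build_update_query(policy_id=None, name=None, description=None,
                       key_type=None, key_length=None):
    """Build the updateSSHKeyPairPolicy query parameters.

    Credentials are deliberately left out; the caller supplies them.
    Returns (query_string, warnings).
    """
    if policy_id is None and name is None:
        raise ValueError("SSHKeyPairPolicy.ID or SSHKeyPairPolicy.name is required")
    if policy_id is not None and (not isinstance(policy_id, int) or policy_id < 0):
        raise ValueError("SSHKeyPairPolicy.ID must be an integer >= 0")
    # This helper's own rule: change type and length together so that the
    # pair can be checked against the supported combinations.
    if (key_type is None) != (key_length is None):
        raise ValueError("set keyType and keyLength together")
    warnings = []
    if key_type is not None:
        warnings = check_key_settings(key_type, key_length)
    fields = [
        ("cmdName", "updateSSHKeyPairPolicy"),
        ("SSHKeyPairPolicy.ID", policy_id),
        ("SSHKeyPairPolicy.name", name),
        ("SSHKeyPairPolicy.description", description),
        ("SSHKeyPairPolicy.keyType", key_type),
        ("SSHKeyPairPolicy.keyLength", key_length),
    ]
    query = urlencode([(key, value) for key, value in fields if value is not None])
    return query, warnings


if __name__ == "__main__":
    # The values from the example request above: accepted, but flagged.
    query, warnings = build_update_query(name="Testing", key_type="DSA", key_length=512)
    print(query)
    for warning in warnings:
        print("WARNING:", warning)
```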

updateTargetAccount
Use the updateTargetAccount command to change target account information, including the target
account password. Alternatively, use updateTargetAccountPassword to change the password.
Additional parameters may be required, depending on the Target Application Type. For a description
of these additional parameters, look up the appropriate turnkey target connector.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateTargetAccount
    TargetAccount.ID=12 TargetServer.hostName=myhostname.mydomain.com
    TargetApplication.name=myApplication TargetAccount.userName=sysop1
    TargetAccount.password='sys0p!@2' TargetAccount.cacheBehavior=useServerFirst
    TargetAccount.cacheDuration=17

Parameters
TargetAccount.ID
The unique ID for the target account to be changed.

Required Default Value Valid Values


yes N/A Numeric. Use searchTargetAccount to retrieve the TargetAccount.ID.

TargetApplication.ID
The updated value for TargetApplication.ID.

Required Default Value Valid Values


no N/A Numeric. Use searchTargetApplication to retrieve the TargetApplication.ID.

TargetAccount.userName
The updated value for the target account user name.

Required Default Value Valid Values


yes. N/A String.

TargetAccount.password
The updated value for the target account password.

Required Default Value Valid Values

no. If this parameter is not included, the password is not changed. N/A If a password policy is assigned to the target application, this value must adhere to the password policy. In addition to compliance with password policy constraints, a password must be a minimum of 1 character and a maximum of 255 characters in length.

TargetAccount.cacheAllow (Deprecated)
Deprecated parameter; use TargetAccount.cacheBehavior instead. Set TargetAccount.cacheAllow=true to
have credentials for this account cached in the Credential Manager client.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A true, false

TargetAccount.cacheBehavior
Set TargetAccount.cacheBehavior=useCacheFirst to have the credentials for this account cached in
the Credential Manager client and used first. Set TargetAccount.cacheBehavior=useServerFirst to
have the credentials for this account cached in the Credential Manager client but the Server is
contacted first. Set TargetAccount.cacheBehavior=noCache to ensure that the credentials for this
account are not cached in the Credential Manager client.

Required Default Value Valid Values

no. If this parameter is not included, the value is preserved. useCacheFirst useCacheFirst, useServerFirst, noCache

TargetAccount.cacheDuration
Use TargetAccount.cacheDuration to specify the number of days the account credentials are
permitted to reside in a Credential Manager client cache.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A 1 - 356

TargetAccount.privileged
Set TargetAccount.privileged=true to indicate that this account is a privileged account. Set
TargetAccount.privileged=false to indicate that this account is an application-to-application account.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A true, false

TargetAccount.accessType
Use this text field for reference purposes.

Required Default Value Valid Values


no. If this parameter is not included, the value is reset to null. N/A String.

TargetAccount.synchronize
Set TargetAccount.synchronize=true to indicate that the password stored in Credential Manager
should be synchronized with the password on the target system. This functionality is not supported
with Target Application Type Generic.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A true, false

Attribute.changePasswordAfterViewing
This parameter is no longer used. Set Attribute.changePasswordAfterViewing=true to indicate that
Credential Manager should change the password after a password view request (either from the GUI
or CLI). This feature applies only to accounts where TargetAccount.synchronize=true. This parameter
is ignored if the Change Password After Viewing feature has been disabled on the Credential
Manager server.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A true, false

Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String.

Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String.

PasswordViewPolicy.ID
The ID of a PasswordViewPolicy attached to this account.

Required Default Value Valid Values


No. If this parameter is not included, the value is preserved. N/A Numeric

TargetAlias.name
A comma-separated list of TargetAlias.name values. This parameter is dependent on the value of
useTargetAliasNameParameter being true.

Required Default Value Valid Values

no. If not specified and useTargetAliasNameParameter is set to true, all associated TargetAliases will be deleted. N/A Comma-separated String values

useTargetAliasNameParameter
A flag that, when true, adds or deletes TargetAliases for this account using the values specified in
the TargetAlias.name parameter.

Required Default Value Valid Values


no. false true|false

TargetAccount.compoundAccount
A flag that, when true, adds or deletes Compound TargetServers for this account using the values
specified in the TargetAccount.compoundServerIDs parameter.

Required Default Value Valid Values


no. false true|false

TargetAccount.compoundServerIDs
A list of compound server IDs, used to add or delete compound servers for this account.

Required Default Value Valid Values


no. false Numeric

passwordIsBase64Encoded
A flag that, when true, indicates that the specified password has been Base64-encoded and should be
decoded before being stored.

Required Default Value Valid Values


no. false true|false

updateTargetAccountDescriptor
Use the updateTargetAccountDescriptor command to change the descriptor value of a target
account.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateTargetAccountDescriptor
   TargetAccount.ID=5 Attribute.descriptor1=testvalue1 Attribute.descriptor2=testvalue2

Parameters
TargetServer.hostName
The host name for the target server on which the target account resides.

Required Default Value Valid Values

Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required. N/A String. This value must match a target server name registered in Credential Manager.

TargetApplication.name
The target application name on which the target account is hosted.

Required Default Value Valid Values

Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required. N/A String. This value must match a target application name registered in Credential Manager.

TargetAccount.userName
The user name for the target account.

Required Default Value Valid Values

Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required. N/A String. This target account name must be unique for a given target application. This name must match exactly the user name in the target application.

TargetAccount.ID
The unique identifier of the target account. This value is required if TargetServer.hostName,
TargetApplication.name and TargetAccount.userName are not specified.

Required Default Value Valid Values

Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required. N/A Numeric. Use searchTargetAccount to retrieve the TargetAccount.ID.

Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic target groupings.

Required Default Value Valid Values

no. If this parameter is not included, the value is preserved. N/A String.

Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic target groupings.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String.

updateTargetAccountPassword
Use the updateTargetAccountPassword command to change a target account password to either a
specified password or to automatically generate a new target account password based upon the
associated password policy. By default, this command works only for synchronized accounts. Set the
allowUnsynchronized parameter to true to change this default behavior.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateTargetAccountPassword
    TargetServer.hostName=myhostname.mydomain.com
    TargetApplication.name=myApplication TargetAccount.userName=sysop1

Parameters
TargetServer.hostName
The host name for the target server on which the target account resides.

Required Default Value Valid Values

Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required. N/A String. This value must match a target server name registered in Credential Manager.

TargetApplication.name
The target application name on which the target account is hosted.

Required Default Value Valid Values

Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required. N/A String. This value must match a target application name registered in Credential Manager.

TargetAccount.userName
The user name for the target account.

Required Default Value Valid Values

Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required. N/A String. This target account name must be unique for a given target application. This name must match exactly the user name in the target application.

TargetAccount.ID
The unique identifier of the target account. This value is required if TargetServer.hostName,
TargetApplication.name and TargetAccount.userName are not specified.

Required Default Value Valid Values

Either TargetServer.hostName, TargetApplication.name, and TargetAccount.userName; or TargetAccount.ID is required. N/A Numeric. Use searchTargetAccount to retrieve the TargetAccount.ID.

groupID
The unique identifier of the target group for which the passwords will be updated.

Required Default Value Valid Values


no N/A Numeric. Use searchGroup to retrieve the groupID.

password
The password for the target account.

Required Default Value Valid Values


no generated password The password must conform to any applied password policies.

confirmPassword
The password for the target account.

Required Default Value Valid Values

no generated password The password must conform to any applied password policies. This must have the same value as password.

allowUnsynchronized
Allows the password to be updated for non-synchronized accounts.

Required Default Value Valid Values

no false String. Set the value to true to allow updates of unsynchronized accounts.

TargetAccount.passwordVerified
boolean

Required Default Value Valid Values

No nothing (update all accounts) true to update only verified accounts, false to verify accounts that failed verification

updateTargetAlias
Use the updateTargetAlias command to change target alias information.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateTargetAlias
    TargetAlias.ID=12 TargetAccount.ID=5 TargetAlias.name=myaliasname

Parameters
TargetAlias.ID
The unique ID for the target alias to be changed.

Required Default Value Valid Values


yes N/A Numeric. Use searchTargetAlias to retrieve the TargetAlias.ID.

TargetAccount.ID
The updated value for the TargetAccount.ID.

Required Default Value Valid Values


yes N/A Numeric. Use searchTargetAccount to retrieve the TargetAccount.ID.

TargetAlias.name
The updated value for the target alias name.

Required Default Value Valid Values

no. If this parameter is not included, the value is set to null. N/A String. The target alias name must be unique within the CA Privileged Access Manager Credential Manager server.

updateTargetApplication
Use the updateTargetApplication command to change target application information. Additional
parameters may be required, depending on the Target Application Type. For a description of these
additional parameters, look up the appropriate turnkey target connector. Prior to running
updateTargetApplication, use searchTargetApplication to retrieve current parameter values.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateTargetApplication
  TargetApplication.ID=5 TargetServer.ID=8
  TargetApplication.name=myApplication TargetApplication.type=Generic

Parameters
TargetApplication.ID
The unique ID for the target application to be changed.

Required Default Value Valid Values


yes N/A Use SearchTargetApplication to retrieve the TargetApplication.ID.

TargetServer.ID
The updated value for the ID of the target server on which the target application is hosted.

Required Default Value Valid Values


yes N/A Use searchTargetServer to retrieve the TargetServer.ID.

TargetApplication.name
The updated value for the name of the target application.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String.

TargetApplication.type
The updated value for the target application connector name. Valid values depend upon which target
connectors are installed on your system. If this parameter is not included, the target application type
is preserved.

Required Default Value Valid Values

yes N/A See the addTargetApplication command for a list of valid application types.

PasswordPolicy.name
The updated value for the name of the password policy that is applied to all accounts associated
with this application.

Required Default Value Valid Values

no. If PasswordPolicy.name or PasswordPolicy.ID is not included, the password policy is preserved. N/A If a password policy is not specified, manually entered passwords are not validated against a policy. In addition, Credential Manager generated passwords use the Credential Manager default password policy.

PasswordPolicy.ID
The updated value for the ID of the password policy that is applied to all accounts associated with
this application.

Required Default Value Valid Values

no. If PasswordPolicy.name or PasswordPolicy.ID is not included, the password policy is preserved. N/A Use searchPasswordPolicy to retrieve PasswordPolicy.ID. If a password policy is not selected, manually entered passwords are not validated against a policy. In addition, Credential Manager generated passwords use the Credential Manager default password policy.

Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.

Required Default Value Valid Values

no. If this parameter is not included, the value is preserved. N/A String.

Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String.

Attribute.enableAutoConnectTargetAccount
A boolean value to enable / disable autoConnectTargetAccount for an application instance.

Required Default Value Valid Values


no false true or false

updateTargetServer
Use the updateTargetServer command to change target server information.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateTargetServer
  TargetServer.ID=17 TargetServer.hostName=myhostname2.mydomain.com Attribute.descriptor1="Lab"
  Attribute.descriptor2="Vienna"

Parameters
TargetServer.ID
The unique ID for the target server to be changed.

Required Default Value Valid Values


yes N/A Use searchTargetServer to retrieve the TargetServer.ID

TargetServer.hostName
The updated value for the host name of the target server.

Required Default Value Valid Values


yes N/A This must be the fully qualified host name as entered in the DNS server.

TargetServer.deviceName
The updated value for the device name of the target server.

Required Default Value Valid Values


no N/A String

Attribute.descriptor1
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String

Attribute.descriptor2
The updated value for the text description field. Use this field as a filter for dynamic authorization
groupings.

Required Default Value Valid Values


no. If this parameter is not included, the value is preserved. N/A String

updateUser
Use the updateUser command to change Credential Manager user information.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateUser User.userID=demo
  User.password=demo123$ User.authenticationType=CSPM User.status=ACTIVE
  User.userGroupIDS=1,2 User.firstName=Demo User.lastName=User

Parameters
User.userID
The unique user name for the Credential Manager user to be changed.

Required Default Value Valid Values


yes N/A String.

User.password
The updated value for the user's password.

Required Default Value Valid Values

This parameter is required if the authentication type is Credential Manager. N/A String. Credential Manager passwords must contain 6-16 characters containing at least one alphabetic, one numeric, and one special character.

User.authenticationType
The updated value for authentication type of the user.

Required Default Value Valid Values

no. If this parameter is not included, the value is preserved. CSPM CSPM, LDAP, SecurID, Kerberos, X509 or any installed authentication connector. See $CSPM_SERVER_HOME/cspmserver/config/authentication.xml for a complete list of installed authentication connectors.

User.status
The updated value for the user account status.

Required Default Value Valid Values

no. If this parameter is not included, the value is preserved. ACTIVE ACTIVE or SUSPENDED. Set to ACTIVE for active user accounts and to SUSPENDED to suspend a user account.

User.userGroupIDS
The updated value for IDs of the User Groups to assign to this user.

Required Default Value Valid Values

no. If this parameter is not included, the value is preserved. N/A Numeric IDs delimited by comma. Use listUserGroups to retrieve User Group IDs. Alternatively, you can specify the User.userGroupNames parameter. Values must match User Groups registered in Credential Manager.

User.userGroupNames
The updated value for names of the User Groups to assign to this user.

Required Default Value Valid Values

no. If this parameter is not included, the value is preserved. N/A String containing the User Group names delimited by comma. Values must match User Groups registered in Credential Manager.

User.firstName
The updated value for the first name of the user.

Required Default Value Valid Values


no. If this parameter is not included, the value is reset to null. N/A String.

User.lastName
The updated value for the last name of the user.

Required Default Value Valid Values


no. If this parameter is not included, the value is reset to null. N/A String.

User.email
The updated value for the email address of the user.

Required Default Value Valid Values


no N/A String.

User.viewType
Determines which GUI view this user has access to: administrative or general.

Required Default Value Valid Values


no. If this parameter is not included, the existing value is preserved N/A admin, general

User.viewType
GK user ID

Required | Default Value | Valid Values
no | -1 | 1, 2, 1000, 1001

updateUserGroup
Use the updateUserGroup command to change information for a user group.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateUserGroup
  UserGroup.ID=2 UserGroup.name=updatedUserGroupName
  UserGroup.description="Updated user group description"
  UserGroup.roleID=11 UserGroup.groups=3,4

Parameters
UserGroup.ID
The user group ID.

Required | Default Value | Valid Values
yes | N/A | Numeric. A unique user group ID.

UserGroup.name
The user group name.

Required | Default Value | Valid Values
yes | N/A | String. A unique user group name.

UserGroup.description
The description of the group.

Required | Default Value | Valid Values
no. If this parameter is not included it will be reset to null. | N/A | String.

UserGroup.roleID
The role identifier of this group.

Required | Default Value | Valid Values
yes | N/A | Numeric. This value must match a role ID registered in CA Privileged Access Manager Credential Manager.

UserGroup.groups
A comma delimited list of group IDs.

Required | Default Value | Valid Values
no. If this parameter is not included it will be reset to null. | N/A | Numeric. Comma delimited list of group IDs.

UserGroup.readOnly
The read only flag for the user group.

Required | Default Value | Valid Values
no | N/A | true (you cannot toggle from true to false, so false is invalid)

updateUserPassword
Use the updateUserPassword command to change the password of a Credential Manager user
account. A user may only use this command to update their own password when the account
authentication type is CSPM.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateUserPassword
User.password=t1ger@

Parameters
User.password
The new password.

Required | Default Value | Valid Values
yes | N/A | String. Credential Manager user passwords must be between 6 and 16 characters in length, and can contain alpha, numeric and special characters.

updateUserStatus
Use the updateUserStatus command to change the status of a user account to either ACTIVE or
SUSPENDED. When the status is set to ACTIVE, the number of failed login attempts is reset to 0.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=updateUserStatus
userID=demo status=ACTIVE

Parameters
User.userID
The user name.

Required | Default Value | Valid Values
yes | N/A | String.

User.status
The new user status.

Required | Default Value | Valid Values
yes | N/A | ACTIVE, SUSPENDED

verifyAccountPassword
Use the verifyAccountPassword command to verify the account password of a synchronized user or
of all synchronized accounts in a target group (optionally excluding verified or non-verified accounts).

Example
cspmserver_admin cspmHostName=paHost adminUserID=admin cmdName=verifyAccountPassword
groupID=1234 TargetAccount.passwordVerified=false

Parameters
TargetAccount.ID
The target account's ID.

Required | Default Value | Valid Values
Either this or groupID must be specified. | N/A | A whole number.

groupID
The target group's ID.

Required | Default Value | Valid Values
Either this or TargetAccount.ID must be specified. | N/A | A whole number.

TargetAccount.passwordVerified
boolean

Required | Default Value | Valid Values
No | nothing (verify all accounts) | true to verify only verified accounts, false to verify accounts that failed verification.

verifyDBHash
The verifyDBHash command verifies the hash value of most BaseModel objects stored in DB. Use the
verifyDBHash command to verify the data integrity of all Agents, Authorizations, RequestServers,
Scripts, TargetAccounts, TargetAliases, TargetApplications, and TargetServers within CPA.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=verifyDBHash

viewAccountPassword
Use the viewAccountPassword command to retrieve a target account password. This command can
be run on a secondary site if disaster recovery is enabled.

Example
cspmserver_admin cspmHostName=paServer adminUserID=admin cmdName=viewAccountPassword
TargetAccount.ID=5
  reason="Power outage reason" reasonDetails="Recover Tuesday am"

Parameters
TargetAccount.ID
The ID of the target account for which you are seeking the password.

Required | Default Value | Valid Values
yes | N/A | Use searchTargetAccount to retrieve the TargetAccount.ID.

adminUserID
Your Credential Manager user name.

Required | Default Value | Valid Values
yes | N/A | String. User must be a valid Credential Manager user with permission to view passwords.

adminPassword
Your Credential Manager user password.

Required | Default Value | Valid Values
yes | N/A | String.

reason
The reason you are requesting a password view.

Required | Default Value | Valid Values
yes | N/A | String.

reasonDetails
Detailed description of why you wish to view the password.

Required | Default Value | Valid Values
no | N/A | String.

selectedComponent
Compound server ID.

Required | Default Value | Valid Values
no | N/A | Integer

ssoType
SSO type implies password used but not viewed, so change is controlled by CPoV && AllowCpovOnSso.

Required | Default Value | Valid Values
no | N/A | "Browser", "RDP", "SSH", "VNC", "AWSAPI", "Telnet", "Other"

PasswordViewRequest.requestPeriodStart
If the account's password view policy has dual authorization enabled, this parameter specifies the
start time of the password view request.

Required | Default Value | Valid Values
no | N/A | Date string, of the format yyyy-MM-dd HH:mm

PasswordViewRequest.requestPeriodEnd
If the account's password view policy has dual authorization enabled, this parameter specifies the
end time of the password view request.

Required | Default Value | Valid Values
no | N/A | Date string, of the format yyyy-MM-dd HH:mm

referenceCode
Reference Code.

Required | Default Value | Valid Values
no | N/A | String.
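
The viewAccountPassword parameters above, checked and assembled into an argument list before the CLI is launched. This is an added example, not code from the CA documentation; the function names are hypothetical, and requiring both request-period values together with the end after the start is an assumption. adminPassword is left out of the list, as in the page's own example, because command-line arguments are visible in process listings.

```python
from datetime import datetime
from typing import List, Optional

# Values taken from the ssoType "Valid Values" column.
SSO_TYPES = ("Browser", "RDP", "SSH", "VNC", "AWSAPI", "Telnet", "Other")
PERIOD_FORMAT = "%Y-%m-%d %H:%M"  # strptime form of the documented yyyy-MM-dd HH:mm


def _period(name: str, value: str) -> datetime:
    """Parse a request-period value, accepting only the zero-padded documented form."""
    try:
        parsed = datetime.strptime(value, PERIOD_FORMAT)
    except ValueError:
        raise ValueError(f"{name} must use the format yyyy-MM-dd HH:mm") from None
    # strptime also accepts "2017-2-1 9:05"; insist on the exact documented layout.
    if parsed.strftime(PERIOD_FORMAT) != value:
        raise ValueError(f"{name} must use the format yyyy-MM-dd HH:mm")
    return parsed


def _pair(key: str, value: object) -> str:
    """Render one key=value argument, refusing control characters."""
    text = str(value)
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in text):
        raise ValueError(f"{key} contains a control character")
    return f"{key}={text}"


def build_view_account_password(
    host: str,
    admin_user: str,
    account_id: int,
    reason: str,
    reason_details: Optional[str] = None,
    sso_type: Optional[str] = None,
    period_start: Optional[str] = None,
    period_end: Optional[str] = None,
    reference_code: Optional[str] = None,
) -> List[str]:
    """Return an argv list for cspmserver_admin cmdName=viewAccountPassword.

    A list passed to subprocess.run() without a shell keeps free-text values
    such as the reason as single arguments that are never re-parsed.
    """
    if isinstance(account_id, bool) or not isinstance(account_id, int) or account_id < 0:
        raise ValueError("TargetAccount.ID must be a whole number")
    if not reason or not reason.strip():
        raise ValueError("reason is required")
    if sso_type is not None and sso_type not in SSO_TYPES:
        raise ValueError(f"ssoType must be one of {', '.join(SSO_TYPES)}")
    # Assumption (not stated on the page): both period values are given together.
    if (period_start is None) != (period_end is None):
        raise ValueError("requestPeriodStart and requestPeriodEnd must be given together")

    argv = [
        "cspmserver_admin",
        _pair("cspmHostName", host),
        _pair("adminUserID", admin_user),
        "cmdName=viewAccountPassword",
        _pair("TargetAccount.ID", account_id),
        _pair("reason", reason),
    ]
    optional = [
        ("reasonDetails", reason_details),
        ("ssoType", sso_type),
        ("referenceCode", reference_code),
    ]
    argv += [_pair(key, value) for key, value in optional if value is not None]

    if period_start is not None:
        start = _period("requestPeriodStart", period_start)
        end = _period("requestPeriodEnd", period_end)
        # Assumption: a request window must end after it starts.
        if end <= start:
            raise ValueError("requestPeriodEnd must be later than requestPeriodStart")
        argv.append(_pair("PasswordViewRequest.requestPeriodStart", period_start))
        argv.append(_pair("PasswordViewRequest.requestPeriodEnd", period_end))
    return argv
```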

Credential Manager CLI User Interface Actions


The following table summarizes each command and indicates which interfaces support it.

Use the following table to determine what actions the user can perform when creating roles that
assign user permissions.

Command | Interface | Description
activatePatch | GUI | Sets the active flag for patches.
activatePatchDeployments | GUI | Activates selected patch deployments in the system.
addAgent | GUI | Adds a Credential Manager Windows Proxy.
addAuthorization | GUI and CLI | Adds an authorization mapping.
addFilter | GUI and CLI | Adds a filter to a target group or request group.
addGroup | GUI and CLI | Adds a target or request group.
addPasswordPolicy | GUI and CLI | Adds password policies.
addPasswordViewPolicy | GUI and CLI | Adds a password view policy.
addPatch | GUI | Loads a Credential Manager client patch in the Credential Manager server.
addRequestScript | GUI and CLI | Adds a request application.
addRequestServer | GUI and CLI | Adds a request server.
addRequestServerDefaults | GUI and CLI | Adds a request server defaults.
addRole | GUI and CLI | Adds a role.
addScheduleJob | GUI | Schedules a target account update or verify for later execution.
addSite | GUI and CLI | Adds a site to a multi site configuration.
addSSHKeyPairPolicy | CLI | Adds an SSH Key Pair Policy to CA Privileged Access Manager.
addTargetAccount | GUI and CLI | Adds a target account.
addTargetAlias | GUI and CLI | Adds a target alias.
addTargetApplication | GUI and CLI | Adds target applications.
addTargetServer | GUI and CLI | Adds a target server.
addUser | GUI and CLI | Adds a user.
addUserGroup | GUI and CLI | Adds a user group.
archiveAuditData | CLI | Archives audit data.
archiveMetricData | CLI | Archives metric data.
autoConnectTargetAccount | GUI | Allows the user to auto-connect to a target account.
batchSequence | CLI | Provides bulk registration for CLI commands.
canGetCredentials | CLI | Validates a specified A2A request can retrieve credentials from Credential Manager.
checkConnectionStatus | GUI and CLI | Checks the connection status of a client.
checkDelete | CLI (internal/GK only) | Checks if a target server and/or request server can be deleted (or were previously deleted).
checkInAccountPassword | GUI and CLI | Checks in an account that was previously checked out by a user viewing the password.
deleteAgent | GUI | Deletes a Credential Manager Windows Proxy.
deleteAuthorization | GUI and CLI | Deletes an authorization mapping.
deleteFilter | GUI and CLI | Deletes a filter from a target group or request group.
deleteGroup | GUI and CLI | Deletes a target or request group.
deletePasswordPolicy | GUI and CLI | Deletes a password policy.
deletePasswordViewPolicy | GUI and CLI | Deletes a password view policy.
deletePasswordViewRequest | CLI and GUI | Deletes either a specific password view request or all expired password view requests.
deletePatch | GUI | Removes a Credential Manager client patch from the Credential Manager server.
deleteRequestScript | GUI and CLI | Deletes a request application.
deleteRequestServer | GUI and CLI | Deletes a request server (Credential Manager client).
deleteRequestServerDefaults | GUI and CLI | Deletes a request server defaults.
deleteRole | GUI and CLI | Deletes a role.
deleteScheduleJob | GUI | Used to delete a scheduled job.
deleteSite | GUI and CLI | Deletes a site from a multi-site configuration.
deleteSSHKeyPairPolicy | GUI and CLI | Deletes an SSH Key Pair policy.
deleteSystemProperty | CLI | Deletes a system property (i.e., set isDeleted = 1).
deleteTargetAccount | GUI and CLI | Deletes a target account.
deleteTargetAlias | GUI and CLI | Deletes a target alias.
deleteTargetApplication | GUI and CLI | Deletes a target application.
deleteTargetServer | GUI and CLI | Deletes a target server.
deleteUser | GUI and CLI | Deletes a user.
deleteUserGroup | GUI and CLI | Deletes a user group.
disableCLIHostNameCheck | CLI | Disables Host Name verification when authenticating via CLI.
disableFingerprinting | GUI and CLI | Disables the Credential Manager client hardware fingerprinting feature.
enableCLIHostNameCheck | CLI | Forces host name checking when connecting via the CLI.
enableFingerprinting | GUI and CLI | Enables the Credential Manager client hardware fingerprinting feature.
enableLicense | GUI and CLI | Activates a Credential Manager license.
expirePasswordViewRequest | GUI and CLI | Expires a password view request.
forceCheckInAccountPassword | GUI and CLI | Checks in an account that is checked out by another user.
generateEncryptedPassword | CLI | Generates an encrypted String from the value passed in.
generateReport | GUI | Generates Credential Manager reports.
getAgent | GUI | Retrieves a Credential Manager Windows proxy.
getAllScriptHash | GUI and CLI | Refreshes the script hash for all the request applications on the specified request server (Credential Manager client).
getAuthorization | GUI | Retrieves an authorization mapping.
getAwsManagementConsoleSessionUrl | CLI | Retrieves a URL to an authenticated Amazon Web Services Management Console federation session.
getErrorCodes | CLI | Retrieves the list of Credential Manager server error codes.
getEventProcessingMetrics | CLI | Gets metrics for notification event processing.
getGroup | GUI | Retrieves a target group or request group.
getLocalProperty | CLI | Retrieves the property value which matches the property name.
getLogs | GUI and CLI | Retrieves a ZIP file containing the logs from a siteServer or requestServer.
getMetric | GUI | Retrieves metric data.
getMostRecentPasswordHistory | Internal | Retrieves the most recent password history for a target account.
getMSOLFederatedSessionCmd | CLI | Generates a federated session request for presentation to the MSOL portal. The request is returned as a web form that should be automatically submitted by the caller's browser. Submitting the form launches a federated session with MSOL.
getNumberOfAccounts | GUI and CLI | Retrieves the number of target accounts registered in Credential Manager.
getPasswordHistory | GUI | Retrieves the password history for a target account.
getPasswordViewPolicy | GUI | Retrieves a single password view policy from the DB by ID or name.
getReportData | GUI | A command to retrieve data for a named report.
getRequestServerDefaults | GUI and CLI | Gets a request server defaults.
getScheduleJob | GUI | Gets a scheduled job.
getScript | GUI | Retrieves a request application.
getScriptHashAsynchronous | GUI and CLI | Refreshes the script hash for a specified request script on a request server (Credential Manager client).
getServiceStatus | CLI | Gets the status of services associated with a Windows Domain Service target account. This command assumes the service information is stored in an extended attribute named 'serviceInfo'.
getSite | GUI | Retrieves a site.
getSystemProperty | CLI | Retrieves the property value which matches the property name.
getTargetAccount | GUI | Retrieves a target account.
getTargetAlias | GUI | Retrieves a target alias.
getTargetApplication | GUI | Retrieves a target application.
getTargetServer | GUI | Retrieves a target server.
getUser | GUI | Retrieves a user.
getUserGroup | GUI | Retrieves a user group.
listAuthorization | GUI | Lists authorization mappings.
listDBClusterMembers | GUI and CLI | Lists database cluster members in the system.
listGroups | GUI | Lists user groups.
listMetrics | GUI | Retrieves metric data.
listPasswordHistory | GUI | Lists the password history for target accounts.
listPasswordViewRequestByApproverSummary | GUI and CLI | Returns a list of password view requests for an approver.
listPasswordViewRequestByRequestorSummary | GUI and CLI | Returns a list of password view requests for a requestor.
listPasswordViewRequestSummary | GUI | Returns a list of password view requests.
listPatch | GUI | Lists the Credential Manager client patches loaded in the Credential Manager server.
listPatchDeploymentSummary | GUI | Lists the patch deployments.
listReports | GUI | Lists the available reports.
listRequestScript | GUI | Lists request applications.
listRequestServerDefaults | CLI | Lists Request Server defaults.
listScheduleJob | GUI | Lists scheduled password validation and updates.
listTargetAccounts | GUI | Lists target accounts.
listTargetAliases | GUI | Lists target aliases.
listTargetApplications | GUI | Lists target applications.
listUsers | GUI | Lists Credential Manager users.
renameUser | CLI | Creates a copy of an existing user with a new name, and deletes the old user.
resetClientCache | CLI | Informs all active clients that their caches of saved passwords should be reset. We strongly recommend that you contact CA Support before using this command.
resetDBHash | GUI and CLI | Resets the database hash for an object.
resetGroupCache | CLI | Resets the group cache for all groups, or a single group. This command is asynchronous.
searchAgent | CLI | Lists Credential Manager Windows Proxies.
searchAuditLog | GUI | Lists audit log records.
searchAuthorization | CLI | Lists authorization mappings.
searchFilter | GUI and CLI | Lists filters.
searchGroup | CLI | Lists target groups or request groups.
searchPasswordPolicy | CLI | Lists Password Composition Policies.
searchPasswordViewPolicy | GUI and CLI | Lists password view policies in the system.
searchPasswordViewRequest | GUI and CLI | Lists the password view requests in the system.
searchPasswordViewRequestByApprover | GUI and CLI | Lists the password view requests for a particular approver. The approver is the user executing the command.
searchPasswordViewRequestByRequestor | GUI and CLI | Lists the password view requests for a particular requestor. The requestor is the user executing the command.
searchRequestScript | CLI | Lists request applications.
searchRequestServer | GUI and CLI | Lists request servers.
searchRole | CLI | Lists roles.
searchServerKey | GUI | Lists all the server keys.
searchSite | GUI and CLI | Lists sites.
searchSSHKeyPairPolicy | CLI | Lists SSH Key Pair policies.
searchTargetAccount | CLI | Lists target accounts.
searchTargetAlias | CLI | Lists target aliases.
searchTargetApplication | CLI | Lists target applications.
searchTargetServer | GUI and CLI | Lists target servers.
searchUser | CLI | Lists users.
searchUserGroup | CLI | Lists user groups.
setDisasterRecoverySettings | GUI and CLI | Configures the disaster recovery settings.
setInitProperty | CLI | Sets the initialization property (database username and password) for DB2 databases.
setLocalProperty | CLI | Sets the site name in the site-local Credential Manager datastore.
setPasswordViewReasons | CLI | Sets the password view reasons text for GUI display.
setPasswordViewRequestDeleteInterval | GUI and CLI | Sets the Password View Request Delete Interval.
setReportRowLimit | GUI and CLI | Sets the maximum number of entries that reports display.
setSystemProperty | CLI | Sets a Credential Manager system property.
showGroup | GUI | A command that retrieves the contents of a Requestor or Target group.
updateAgent | GUI | Changes a Proxy.
updateAuthorization | GUI and CLI | Changes an authorization mapping.
updateCompoundServers | GUI | Changes a target compound server.
updateDBClusterMembers | GUI and CLI | Updates information about a database cluster member.
updateDBPassword | CLI | Changes the Credential Manager datastore administrator password on all databases except DB2.
updateFilter | GUI and CLI | Updates a filter in a target group or request group.
updateGroup | CLI and GUI | Changes target and request groups.
updatePasswordHistory | GUI | Changes a password history item.
updatePasswordPolicy | GUI and CLI | Updates password policies.
updatePasswordViewPolicy | GUI and CLI | Updates a password view policy.
updatePasswordViewRequestStatus | GUI and CLI | Updates status of password view request to 'approved' or 'denied'.
updateRequestScript | GUI and CLI | Changes a request application.
updateRequestServer | GUI and CLI | Changes a request server.
updateRequestServerDefaults | GUI and CLI | Updates a request server defaults.
updateRequestServerKey | GUI and CLI | Changes a request server (Credential Manager client) encryption key.
updateRole | GUI and CLI | Changes a role.
updateServerKey | CLI | Changes the Credential Manager server encryption key.
updateSite | GUI and CLI | Changes site information.
updateSSHKeyPairPolicy | CLI | Updates an existing SSH Key Pair Policy in CA Privileged Access Manager.
updateTargetAccount | GUI and CLI | Changes a target account.
updateTargetAccountDescriptor | CLI | Changes a target account descriptor value.
updateTargetAccountPassword | GUI and CLI | Changes a target account password.
updateTargetAlias | GUI and CLI | Changes target aliases.
updateTargetApplication | GUI and CLI | Changes target applications.
updateTargetServer | GUI and CLI | Changes target servers.
updateUser | GUI and CLI | Changes user information.
updateUserGroup | GUI and CLI | Changes a user group.
updateUserPassword | CLI | Changes a user password.
updateUserStatus | GUI and CLI | Enables or disables the access of a Credential Manager user to the system.
verifyAccountPassword | GUI and CLI | Verifies a synchronized account password or all synchronized accounts in a target group (optionally excluding verified or non-verified accounts).
verifyDBHash | CLI | Verifies the hash value of most BaseModel objects stored in DB.
viewAccountPassword | GUI and CLI | Allows the user to view an account password.

Methods for Integrating the Credential Manager A2A Client
This content describes the methods that Credential Manager provides for integration.

Factors That Determine the Method to Use (see page 232)
Integrate Applications Using Java (see page 234)
Integrate Applications Using the A2A Client (see page 237)
Integrate Windows Applications and Scripts Using a Windows DLL (see page 239)

Factors That Determine the Method to Use


The method that you use to integrate depends on the following factors:

The programming language in which your application is written

The operating system on which your requestor resides

The type of A2A Client that is installed on the request server

The following table provides you with recommended integration methods. The format of the XML
return data is described in Return Data (see page 242).

Client Type and OS | Language Type | Integration Method | Example
A2A client on all platforms | Java | CSPMClient.jar. See Integrate Applications using Java. | Integrate Java Applications. (see page 245)
A2A client on UNIX | Perl | cspmclient. See Integrate Applications using the A2A Client. | Integrate a Perl Script with A2A Client on UNIX. (see page 290)
A2A client on UNIX | C++ | cspmclient. See Integrate Applications using the A2A Client. | Integrate a C or C++ Application with A2A Client on UNIX. (see page 291)
A2A client on UNIX | C | cspmclient. See Integrate Applications using the A2A Client. | Integrate a C or C++ Application with A2A Client on UNIX. (see page 291)
A2A client on UNIX | Korn Shell | cspmclient. See Integrate Applications using the A2A Client. | Integrate a Korn Shell Script with A2A Client on UNIX. (see page 294)
A2A client on UNIX | C Shell | cspmclient. See Integrate Applications using the A2A Client. | Integrate a C Shell Script with A2A Client on UNIX. (see page 296)
A2A client on UNIX | PHP | cspmclient. See Integrate Applications using the A2A Client. | Integrate a PHP Script with A2A Client on UNIX. (see page 297)
A2A client on UNIX | Python | cspmclient. See Integrate Applications using the A2A Client. | Integrate a Python Script with A2A Client on UNIX. (see page 298)
A2A Client on Windows | Perl | cspmclient.exe. See Integrate Applications using the A2A Client. | Integrate a Perl Script with A2A Client on Windows. (see page 300)
A2A Client on Windows | Visual Basic | cspmclientc.dll. See Integrate Windows Applications and Scripts using a Windows DLL. | Integrate a Visual Basic Application. (see page 301)
A2A Client on Windows | Visual C++ | cspmclientc.dll. See Integrate Windows Applications and Scripts using a Windows DLL. | Integrate a Visual C++ Application. (see page 303)
A2A Client on Windows | C# | cspmclientc.dll. See Integrate Windows Applications and Scripts using a Windows DLL. | Integrate a C#.NET Application using IIS Application Server. (see page 306)
A2A Client on Windows | Visual Basic Script | cspmclientatl.dll. See Integrate Windows Applications and Scripts using a Windows DLL. | Integrate a Script. (see page 311)
A2A Client on Windows | JavaScript | cspmclientatl.dll. See Integrate Windows Applications and Scripts using a Windows DLL. | Integrate a Script. (see page 311)
A2A 64-bit Client on all platforms | Java | CSPMClient.jar. See Integrate Applications using Java. | Integrate Java Applications. (see page 245)
A2A 64-bit Client on UNIX | Perl | cspmclient64. See Integrate Applications using the A2A Client. | Integrate a Perl Script with A2A Client on UNIX. (see page 290)
A2A 64-bit Client on UNIX | C++ | cspmclient64. See Integrate Applications using the A2A Client. | Integrate a C or C++ Application with A2A Client on UNIX. (see page 291)
A2A 64-bit Client on UNIX | C | cspmclient64. See Integrate Applications using the A2A Client. | Integrate a C or C++ Application with A2A Client on UNIX. (see page 291)
A2A 64-bit Client on UNIX | Korn Shell | cspmclient64. See Integrate Applications using the A2A Client. | Integrate a Korn Shell Script with A2A Client on UNIX. (see page 294)
A2A 64-bit Client on UNIX | C Shell | cspmclient64. See Integrate Applications using the A2A Client. | Integrate a C Shell Script with A2A Client on UNIX. (see page 296)
A2A 64-bit Client on UNIX | PHP | cspmclient64. See Integrate Applications using the A2A Client. | Integrate a PHP Script with A2A Client on UNIX. (see page 297)
A2A 64-bit Client on UNIX | Python | cspmclient64. See Integrate Applications using the A2A Client. | Integrate a Python Script with A2A Client on UNIX. (see page 298)
A2A 64-bit Client on Windows | Perl | cspmclient64.exe. See Integrate Applications using the A2A Client. | Integrate a Perl Script with A2A Client on Windows. (see page 300)
A2A 64-bit Client on Windows | Visual Basic | cspmclientc64.dll. See Integrate Windows Applications and Scripts using a Windows DLL. | Integrate a Visual Basic Application. (see page 301)
A2A 64-bit Client on Windows | Visual C++ | cspmclientc64.dll. See Integrate Windows Applications and Scripts using a Windows DLL. | Integrate a Visual C++ Application. (see page 303)
A2A 64-bit Client on Windows | C# | cspmclientc64.dll. See Integrate Windows Applications and Scripts using a Windows DLL. | Integrate a C#.NET Application using IIS Application Server. (see page 306)
A2A 64-bit Client on Windows | Visual Basic Script | cspmclientatl64.dll. See Integrate Windows Applications and Scripts using a Windows DLL. | Integrate a Script. (see page 311)
A2A 64-bit Client on Windows | JavaScript | cspmclientatl64.dll. See Integrate Windows Applications and Scripts using a Windows DLL. | Integrate a Script. (see page 311)

Integrate Applications Using Java


Use the CSPMClient Java class when integrating a Java application or an application that can
launch external Java applications.

Add the following references to the classpath of the requesting application:

$CSPM_CLIENT_HOME/cspmclient/lib/cspmclient.jar

$CSPM_CLIENT_HOME/cspmclient/lib/cwjcafips.jar

$CSPM_CLIENT_HOME/cspmclient/lib/cwjssefips.jar

Also, add the $CSPM_CLIENT_HOME/cspmclient/lib/ directory to the Java library path of the requesting application using one of the following methods:

If your application server supports them, add $CSPM_CLIENT_HOME/cspmclient/lib/ to one of the following environment variables:

PATH (Windows)

LD_LIBRARY_PATH (UNIX)

Add $CSPM_CLIENT_HOME/cspmclient/lib/ to the java.library.path property of the requesting application

Specify $CSPM_CLIENT_HOME/cspmclient/lib/ in a configuration file or parameter that your application server uses to obtain the Java library path for applications

The requesting application creates an instance of the CSPMClient class when it is required.

Java Integration Process


The A2A Client uses Java 7, Update 80.

Follow these steps:

1. Add the cspmclient.jar, cwjcafips.jar, and cwjssefips.jar files to your classpath. The files are located in $CSPM_CLIENT_HOME/cspmclient/lib.

2. Set the path of the library folder containing CA Technologies native libraries:

For UNIX, set LD_LIBRARY_PATH to $CSPM_CLIENT_HOME/cspmclient/lib, or add the following Java option to the script that launches your Java application:
-Djava.library.path=$CSPM_CLIENT_HOME/cspmclient/lib

For Windows, add the following Java option to the script that launches the Java application:
-Djava.library.path=%CSPM_CLIENT_HOME%\cspmclient\lib

3. Set the path of the folder containing the client configuration file. For UNIX and Windows, set the CSPM_CLIENT_HOME environment variable. This is the location of the client installation directory.

UNIX example:
-Dcspm_client_config_file=$CSPM_CLIENT_HOME/config/cspm_client_config.xml

Windows example:
-Dcspm_client_config_file=%CSPM_CLIENT_HOME%\config\cspm_client_config.xml

4. If the CSPM_CLIENT_HOME value is not set, then for the Java CSPMClient class, use the current option in the Java command-line option to specify the configuration file location value. If no value is specified, use the default installation location values for CSPM_CLIENT_HOME.

For UNIX, use /opt/cloakware

For Windows, use c:\cspm\cloakware

5. Modify your source code to call the CSPMClient class as in Integrate a Basic Java Application (see page 245):

a. Add import classes: import com.cloakware.cspm.client.CSPMClient.

b. Instantiate the CSPMClient.class.

c. Call retrieveCredentials to retrieve the credentials.

6. Add the requestor to Credential Manager. See Add Requestors (https://docops.ca.com/display/CAPAM28/Add+Requestors).

7. Add authorization mapping to Credential Manager. See Add Authorization Mappings (https://docops.ca.com/display/CAPAM28/Add+Authorization+Mappings).

CSPMClient and Related Java Classes


The cwjcafips and cwjssefips classes do not have any methods that you can use but they are
dependencies of the CSPMClient class.

The following table lists the methods that are available from the com.cloakware.cspm.client.CSPMClient Java class.

Method | Description
CSPMClient() | Constructor. Takes no parameters.
void retrieveCredentials(String targetAlias) | Retrieves the credentials (account name and password) for the given target alias. Takes one parameter: target alias of type java.lang.String.
void retrieveCredentials(String targetAlias, String bypassCacheFlag) | Retrieves the credentials (account name and password) for the given target alias. Takes the following parameters: target alias of type java.lang.String; bypass cache flag (either true or false). If the bypass cache flag is set to true, the local cache is bypassed and the query goes directly to the Credential Manager Server.
void retrieveCredentials(String targetAlias, String bypassCacheFlag, String xmlOutput) | Retrieves the credentials (account name and password) for the given target alias. Takes the following parameters: target alias of type java.lang.String; bypass cache flag (either true or false); String xmlOutput. Specify -x to retrieve the output as an XML data string. It is an optional parameter. If the flag is set to true, the local cache is bypassed and the query goes directly to the Credential Manager Server.
String getUserId() | Returns the account name from the last retrieveCredentials call.
String getPassword() | Returns the password from the last retrieveCredentials call.
String getStatusCode() | Returns the statusCode of type String from the last retrieveCredentials call. For code definitions, see Return Data (see page 242).
String getMessages() | Returns any error messages.
String getXMLData() | Gets the data from the last retrieveCredentials invocation. Specify -x to retrieve the output as an XML data string.

Integrate Applications Using the A2A Client


Use the A2A Client (cspmclient, cspmclient64, cspmclient.exe or cspmclient64.exe) when integrating with a non-Java application. The requestor launches the A2A Client.

Typically, you integrate an application using the A2A Client (cspmclient, cspmclient64,
cspmclient.exe or cspmclient64.exe) when the requestor is:

Written in C

Written in C++ or C# and you do not want to use a COM component

Using a scripting language such as Perl

Note: Do not call the cspmclient, cspmclient64, cspmclient.exe or cspmclient64.exe interfaces directly from the command line. They must be called by a requestor. Also, the requestor cannot be a Bourne Shell script. However, the requestor can be a Korn shell script.

A2A Client Integration Process


Use the following process to integrate an application using the A2A Client (cspmclient,
cspmclient64, cspmclient.exe or cspmclient64.exe):

1. Set up environment variables.

As an option, you can add the A2A Client to the PATH variable if you do not want to hardcode the path of the A2A Client application in your application.

2. Modify your application:

a. For UNIX or Linux, call cspmclient or cspmclient64 to retrieve credentials. For Windows, call cspmclient.exe or cspmclient64.exe.

b. Read standard output to get the return codes generated by the A2A Client. For code definitions, see Return Data (see page 242).

3. Add the requestor to Credential Manager. See Add Requestors (https://docops.ca.com/display/CAPAM28/Add+Requestors).

4. Add authorization mapping to Credential Manager. See Add Authorization Mappings (https://docops.ca.com/display/CAPAM28/Add+Authorization+Mappings).

cspmclient Constraints
The default return value is space-delimited. As a result, account names and passwords cannot
contain spaces.

The string null is reserved. Account names and passwords cannot be the string null.

cspmclient Usage
For UNIX or Linux, use one of the following commands:

For the 32-bit Client: cspmclient targetAlias [bypassCacheFlag] [-b] [-x]

For the 64-bit Client: cspmclient64 targetAlias [bypassCacheFlag] [-b] [-x]

For Windows, use the following commands:

For the 32-bit Client: cspmclient.exe targetAlias [bypassCacheFlag] [-b] [-x]

For the 64-bit Client: cspmclient64.exe targetAlias [bypassCacheFlag] [-b] [-x]

Parameter | Description
String targetAlias | Predefined target account alias, which is used to retrieve the account credentials (user name and password).
String bypassCacheFlag | Specifying true directs the A2A Client to bypass the local cache and retrieve account credentials directly from the Credential Manager Server. The default is false.
-b | Short form option for setting bypassCacheFlag to true.
-x | Specifies to return output as an XML data string.

cspmclient Return Values


The cspmclient, cspmclient64, cspmclient.exe and cspmclient64.exe interfaces
return the return code, userID, and password as a space delimited string.

Return Value   Description
Return Code    Contains an integer value. See Return Data (see page 242).
UserID         Contains the account name. If the attempt was unsuccessful, the account name is set to the string null.
Password       Contains the account password. If the attempt was unsuccessful, the password is set to the string null.
message        Contains the error message text string. If the attempt was unsuccessful, the message text of the associated errors is returned.
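
The following Java class is an added example, not code shipped with the A2A Client. It shows one way to read the default space-delimited return line while honoring the constraints above: the reserved string null and the success code 400 used by the sample code in this document. The class and method names are hypothetical, the code 999 is a constructed placeholder, and treating any text after the third field as the message is an assumption.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class CspmClientOutput {

    static final int SUCCESS = 400;            // success code checked by Example.java in this document
    static final String RESERVED_NULL = "null"; // reserved string for "no value"

    /** Parsed form of the default "returnCode userID password" line. */
    static final class Result {
        final int returnCode;
        final String userId;    // Java null when the client printed the reserved string null
        final char[] password;  // Java null when the client printed the reserved string null
        final String message;   // text after the third field, if any (assumed layout)

        Result(int returnCode, String userId, char[] password, String message) {
            this.returnCode = returnCode;
            this.userId = userId;
            this.password = password;
            this.message = message;
        }

        boolean succeeded() {
            return returnCode == SUCCESS && userId != null && password != null;
        }

        /** Overwrites the password once the caller has used it. */
        void wipe() {
            if (password != null) Arrays.fill(password, '\0');
        }

        /** Safe for logs: never includes the password. */
        @Override public String toString() {
            return "Result[code=" + returnCode + ", userId=" + userId
                + ", password=" + (password == null ? "absent" : "redacted") + "]";
        }
    }

    /** Parses one output line. Exception texts never echo the line, which may hold a password. */
    static Result parse(String line) {
        if (line == null || line.trim().isEmpty()) {
            throw new IllegalArgumentException("A2A Client produced no output");
        }
        // Fields are space-delimited, so names and passwords cannot contain spaces.
        String[] f = line.trim().split("\\s+", 4);
        if (f.length < 3) {
            throw new IllegalArgumentException("expected at least 3 fields, got " + f.length);
        }
        int code;
        try {
            code = Integer.parseInt(f[0]);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("return code is not an integer");
        }
        String user = RESERVED_NULL.equals(f[1]) ? null : f[1];
        char[] pw = RESERVED_NULL.equals(f[2]) ? null : f[2].toCharArray();
        return new Result(code, user, pw, f.length == 4 ? f[3] : "");
    }

    /** Runs the client with an argument list (no shell) and parses its first output line. */
    static Result run(String clientPath, String targetAlias, boolean bypassCache)
            throws IOException, InterruptedException {
        ProcessBuilder pb = bypassCache
            ? new ProcessBuilder(clientPath, targetAlias, "-b")
            : new ProcessBuilder(clientPath, targetAlias);
        pb.redirectError(ProcessBuilder.Redirect.INHERIT); // keep stderr from filling a pipe
        Process p = pb.start();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            String line = r.readLine();
            p.waitFor();
            return parse(line);
        }
    }

    public static void main(String[] args) {
        // Constructed sample lines: one success, one failure with a placeholder code.
        String[] constructed = { "400 testaccount W8H8U06H4saHxUo4", "999 null null" };
        for (String line : constructed) {
            Result r = parse(line);
            System.out.println(r + " succeeded=" + r.succeeded());
            r.wipe();
        }
    }
}
```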

Integrate Windows Applications and Scripts


Using a Windows DLL
Use a Windows Dynamic Link Library (DLL) to integrate a Windows application or a Windows client
script that supports COM components. Credential Manager provides the following DLLs:

Microsoft Foundation Class (MFC) DLL (cspmclientc.dll or cspmclientc64.dll). The
Credential Manager MFC DLL works with applications written with Visual Basic or in C, C++, or C#.
You cannot use the MFC DLL with scripts.

Active Template Library (ATL) DLL (cspmclientatl.dll or cspmclientatl64.dll). The
Credential Manager ATL DLL works with .NET applications and supports Visual Basic script and
JavaScript.

Both Credential Manager DLLs are COM components. These DLLs allow linking to Windows
applications and Windows client scripts that support COM DLLs. The application or script should
create a new instance of the COM component when it is required.

The Windows DLLs are thread-safe if they are not used as a singleton.

MFC DLL Integration Process


The integration process varies depending on the language that is used to write the application. The
following is a typical process to integrate a C++ application using the Credential Manager MFC DLL:

1. Import the Type Library file (TLB) by adding the following statements in your code:

#import "$CSPM_CLIENT_HOME/cspmclient/lib/cspmclientc.tlb" named_guids using namespac

The #import directive incorporates the information from the type library. The content of
the type library is converted into C++ classes to allow you to create the COM component. The
named_guids argument creates the CLSID and IID to use in CoCreateInstance.

2. Create the COM component:

   Iccspmclientc *icspmClient = NULL;
   HRESULT hr = CoCreateInstance(CLSID_ccspmclientc, NULL,
       CLSCTX_INPROC_SERVER, DIID_Iccspmclientc, (void**)&icspmClient );

3. Call the retrieveCredentials method to retrieve the credentials for a given class. The
following call is an example:

   long retValue = icspmClient->retrieveCredentials("alias", "true", "");

4. Add the requestor to Credential Manager. See Add Requestors (https://docops.ca.com/display/CAPAM28/Add+Requestors).

5. Add authorization mapping to Credential Manager. See Add Authorization Mappings (https://docops.ca.com/display/CAPAM28/Add+Authorization+Mappings).

ATL DLL Integration Process


The integration process varies depending on the scripting language. For examples, refer to Integrate a
Script (see page 311).

DLL Methods
The following methods are available from the Credential Manager MFC DLL and the Credential
Manager ATL DLL.

Method / Description

long retrieveCredentials(String targetAlias, String bypassCacheFlag, String xmlOutput)
    Retrieves the credentials (account name and password) for the given target alias.
    Returns the statusCode of the getCredentials call.
    Takes the following parameters:
    String targetAlias. This is the predefined target account alias, which is used to
    retrieve the account credentials (account name and password).
    String bypassCacheFlag. Specify true to retrieve the credential from the Credential
    Manager Server, or specify false to retrieve the credential from the local cache.
    String xmlOutput. Specify -x to retrieve the output as an XML data string. This is an
    optional parameter.

String getUserID()
    Returns the account name from the last retrieveCredentials call.

String getPassword()
    Returns the password from the last retrieveCredentials call.

String getXMLData()
    Gets the data from the last retrieveCredentials call.

String getMessage()
    Gets the error message from the last retrieveCredentials call.


DLL Constraints
Both Credential Manager Windows DLLs are only available for Windows platforms.


A2A Integration Return Data


Each of the integration methods provides two ways to receive return data—string-based or XML-
based. The default behavior returns the return code, account name, and password as strings.
Optionally, you can request that the return data be formatted as an XML string.

XML Return Schema


When you request an XML return string, the following schema is used:

<?xml version="1.0" encoding="UTF-8"?>


<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">

<xs:element name="credential">
<xs:complexType>
<xs:all>
<xs:element name="TargetAlias" type="xs:string"/>
<xs:element name="TargetAccount" type="xs:string"/>
<xs:element name="TargetApplication" type="xs:string"/>
<xs:element name="TargetServer" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>

<xs:element name="requestresult">
<xs:complexType>
<xs:all>
<xs:element name="errorcode" type="xs:string"/>
<xs:element name="errormessage" type="xs:string"/>
<xs:element name="credential"/>
</xs:all>
</xs:complexType>
</xs:element>

<xs:element name="TargetAlias"/>
<xs:element name="TargetAccount"/>
<xs:element name="TargetApplication"/>
<xs:element name="TargetServer"/>
</xs:schema>

Note:

When you use target connectors, there might be extra extended attributes that are defined
within the target connector. The extended attributes are also returned in the XML return
string. The schema that is used for these additional elements is defined in the configuration
file for the specific target connector.


XML Return Example


The following XML code is an example of an XML return string:

<?xml version="1.0" encoding="utf-8" ?>


<requestresult>
<errorcode>400</errorcode>
<errormessage>Success</errormessage>
<credential>
<TargetAlias>
<ID>1</ID>
<createDate>Thu Jun 07 12:18:52 EDT 2008</createDate>
<updateDate>Thu Jun 07 12:18:52 EDT 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>Ph6g7JFExM30gT5pGvW965bKCQ0=</hash>
<name>test</name>
<accountID>1</accountID>
</TargetAlias>
<TargetAccount>
<Attribute.descriptor2 />
<Attribute.descriptor1>desc</Attribute.descriptor1>
<ID>1</ID>
<createDate>Tue May 29 11:28:41 EDT 2007</createDate>
<updateDate>Fri Jun 08 15:20:42 EDT 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>R7n+cRYTppkycxWfJiasOZGHNhI=</hash>
<targetApplicationID>1</targetApplicationID>
<userName>testaccount</userName>
<password>W8H8U06H4saHxUo4</password>
<accessType>readwrite</accessType>
<cacheBehavior>noCache</cacheBehavior>
<cacheDuration>30</cacheDuration>
<privileged>false</privileged>
<synchronize>false</synchronize>
<passwordVerified>false</passwordVerified>
<lastVerified>2007-06-08 15:20:42.0</lastVerified>
</TargetAccount>
<TargetApplication>
<Attribute.descriptor2 />
<Attribute.descriptor1 />
<ID>1</ID>
<createDate>Tue May 29 11:25:50 EDT 2007</createDate>
<updateDate>Tue May 29 11:25:50 EDT 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>ylAVsl74hPLzqfwl42NsGnTsJfM=</hash>
<targetServerID>1</targetServerID>

<type>Generic</type>
<name>testapp</name>
<policyID>0</policyID>
</TargetApplication>
<TargetServer>
<Attribute.descriptor2 />
<Attribute.descriptor1 />
<ID>1</ID>
<createDate>Thu Jun 07 12:14:26 EDT 2007</createDate>
<updateDate>Thu Jun 07 12:14:26 EDT 2007</updateDate>
<createUser>admin</createUser>
<updateUser>admin</updateUser>
<hash>Od4/9xliVS+1yefQOGbe8BdbxVk=</hash>
<hostName>testtest</hostName>
<ipAddress />
</TargetServer>
</credential>
</requestresult>
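
The following Java class is an added example, not code shipped with the A2A Client. It reads an XML return string with DOCTYPE processing disabled and walks the requestresult, credential, TargetAccount path by direct child elements, because element names such as ID, hash and name repeat in several sections and target connectors can add extended attributes. The class and method names are hypothetical, and the embedded XML is a constructed sample shortened from the example above.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class XmlReturnReader {

    // Constructed sample, shortened from the XML return example in this document.
    static final String SAMPLE =
        "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"
        + "<requestresult><errorcode>400</errorcode><errormessage>Success</errormessage>"
        + "<credential>"
        + "<TargetAlias><ID>1</ID><name>test</name></TargetAlias>"
        + "<TargetAccount><Attribute.descriptor1>desc</Attribute.descriptor1><ID>1</ID>"
        + "<userName>testaccount</userName><password>W8H8U06H4saHxUo4</password>"
        + "</TargetAccount>"
        + "<TargetApplication><ID>1</ID><name>testapp</name></TargetApplication>"
        + "</credential></requestresult>";

    /** User name and password taken from the TargetAccount element. */
    static final class Credential {
        final String userName;
        final char[] password;

        Credential(String userName, char[] password) {
            this.userName = userName;
            this.password = password;
        }
    }

    /** Parses the return string with DOCTYPE, external entities and XInclude disabled. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Returns the direct child element with the given name, or null. */
    static Element child(Element parent, String name) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && name.equals(n.getNodeName())) {
                return (Element) n;
            }
        }
        return null;
    }

    /** Returns the text of a direct child element, or null when it is absent. */
    static String text(Element parent, String name) {
        Element e = child(parent, name);
        return e == null ? null : e.getTextContent();
    }

    /** Checks errorcode first, then reads userName and password from TargetAccount only. */
    static Credential extract(Document doc) {
        Element root = doc.getDocumentElement();
        if (!"requestresult".equals(root.getNodeName())) {
            throw new IllegalStateException("unexpected root element");
        }
        String code = text(root, "errorcode");
        if (code == null || !"400".equals(code.trim())) {
            // errorcode and errormessage are safe to report; the rest of the document is not.
            throw new IllegalStateException("A2A request failed: errorcode=" + code
                + ", errormessage=" + text(root, "errormessage"));
        }
        Element credential = child(root, "credential");
        Element account = credential == null ? null : child(credential, "TargetAccount");
        String user = account == null ? null : text(account, "userName");
        String pw = account == null ? null : text(account, "password");
        if (user == null || pw == null) {
            throw new IllegalStateException("no TargetAccount credentials in result");
        }
        return new Credential(user, pw.toCharArray());
    }

    public static void main(String[] args) throws Exception {
        Credential c = extract(parse(SAMPLE));
        // Report the account name and the password length only, never the password itself.
        System.out.println("userName=" + c.userName + ", password length=" + c.password.length);
        java.util.Arrays.fill(c.password, '\0');
    }
}
```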


Integrate Java Apps to Use Credential Manager

The content in this section provides guidelines and examples of Java applications that have been
integrated to use Credential Manager to retrieve target account credentials.
Integrate a Basic Java App (see page 245)
Use the JDBC Wrapper in a Standalone Java Application (see page 249)
Integrate a Java Application using JBoss (see page 252)
Integrate a Java Application Using Tomcat (see page 261)
Integrate a Java Application using WebLogic (see page 270)
Integrate a Java Application using WebSphere Community Edition (see page 280)

Integrate a Basic Java App


The following example files are provided:

Example.java source file

Run_example shell script executable

Example.class Java executable

If you installed an A2A Client on UNIX, soft copies of these files are located in the
$CSPM_CLIENT_HOME/cloakware/cspmclient/examples directory. Other A2A Client
installations do not include soft copies of these files.

Example.java Code
/*
 * An example class to demonstrate calling the CSPMClient class.
 *
 * Note:
 *
 * You will need to ensure that the library path to the cspm library directory
 * is set by one of the following methods:
 *
 * a. Adding /opt/cloakware/cspmclient/lib to LD_LIBRARY_PATH, or
 *
 * b. Passing the following option on the java command line:
 *    -Djava.library.path=/opt/cloakware/cspmclient/lib
 */

import com.cloakware.cspm.client.CSPMClient;

public class Example {

    /**
     * Main entry point. Exits with 0 if successful, 100 if an exception
     * occurred, otherwise documented error codes for the CSPMClient class.
     *
     * @param args args[0]: String target alias.
     *             args[1]: bypass cache flag. If set to:
     *               "true", the cspm client will call the cspm server system
     *               "false", the cspm client will first search the local cache
     *             args[2]: xmlOption (optional). If set to:
     *               "-x", gives the XML data.
     */
    public static void main(String[] args) {

        try {
            // check the arguments: alias and bypass flag are mandatory, xmlOption is optional
            if (args.length < 2) {
                System.out.println("Missing CLI arguments");
                System.exit(256);
            }

            // initialize
            String targetAlias = args[0];
            String bypassCache = args[1];

            CSPMClient testInterface = new CSPMClient();

            if (args.length > 2) {
                String xmlOption = args[2];
                testInterface.retrieveCredentials(targetAlias, bypassCache, xmlOption);
            } else {
                testInterface.retrieveCredentials(targetAlias, bypassCache);
            }

            // get the result
            String statusCode = testInterface.getStatusCode();
            String userId = testInterface.getUserId();
            String password = testInterface.getPassword();
            String xmlData = testInterface.getXMLData();

            // display the result (demonstration only: this writes the password to standard output)
            System.out.println("Status Code: " + statusCode);
            System.out.println("UserId: " + userId);
            System.out.println("Password: " + password);
            System.out.println("XML Data: " + xmlData);

            // set the return value
            if (statusCode.equals("400")) {
                System.out.println("PASSED");
                System.exit(0);
            } else {
                System.out.println("FAILED");
                System.exit(Integer.parseInt(statusCode));
            }

        } catch (Exception e) {
            e.printStackTrace();
            System.exit(100);
        }
    }
}

Run_example Code
The Run_example shell script calls Example.class. When executing the Java call, the -D option
sets system property values that are used by the executing program as follows:

-Djava.library.path. This option sets the Java library path; that is, the location of the
$CSPM_CLIENT_HOME/cspmclient/lib directory. This option can also be set with the
environment variable LD_LIBRARY_PATH (LIBPATH on AIX).

-Dcspm_client_config_file. This option specifies the location of the client configuration file. Use
this option if the configuration file is in a non-standard location (that is, not in /opt).

#!/bin/sh
# This is an EXAMPLE script making use of Example.class in the same directory.
#
# All 2 Run_example CLI arguments are MANDATORY!
# Validate the command line parameters
if [ ! $# = 2 ]
then
echo " "
echo " syntax: $0 target_alias bypass_cache"
echo
exit 1
fi
# Setup Global Variables
CLASS_NAME=Example
CONFIG_FILE=/opt/cloakware/cspmclient/config/cspm_client_config.xml
JAVA_BINDIR=/opt/cloakware/cspmclient_thirdparty/java/bin
LIB=/opt/cloakware/cspmclient/lib
LOCAL_DIR=`pwd`;
CLASS_PATH=/opt/cloakware/cspmclient/lib/cspmclient.jar:$LOCAL_DIR
#Execute JAVA class
$JAVA_BINDIR/java -classpath $CLASS_PATH -Djava.library.path=$LIB \
-Dcspm_client_config_file=$CONFIG_FILE $CLASS_NAME $1 $2


Basic Java Integration with Database Connection


Your installed A2A Client does not contain a soft copy of the following script.

/**
 * A sample java class to connect to a database.
 */
import java.sql.*;

import com.cloakware.cspm.client.CSPMClient;

public class DBConnect {

    private int LOGIN_FAILED_CODE = 2003;

    private String URL = "jdbc:mysql://host:port/database?autoReconnect=true";
    private String DRIVER_CLASS = "com.mysql.jdbc.Driver";
    // The hardcoded credentials are replaced by the target alias lookup:
    // private String userID = "scott";
    // private String password = "tiger";

    private String TARGET_ALIAS = "TestAccount";

    private CSPMClient cspmClient;
    // ....

    /**
     * Initialize credentials attribute and retrieve the credentials.
     */
    private void initialize() {
        cspmClient = new CSPMClient();
        cspmClient.retrieveCredentials( TARGET_ALIAS );
    }

    private Connection getConnection() {

        Driver driver = null;
        Connection connection = null;

        // check for initialization
        if ( cspmClient == null ) initialize();

        // check for system error
        if ( !cspmClient.getStatusCode().equals( "400" ) ) {
            // do some error handling.
        }

        try {
            Class.forName( DRIVER_CLASS );
            connection = DriverManager.getConnection( URL
                    , cspmClient.getUserId()
                    , cspmClient.getPassword() );
        } catch ( ClassNotFoundException ce ) {
            // ....
        } catch ( SQLException e ) {

            // DOUBLE PASS CHECK (OPTIONAL)

            // check for login failed
            if ( e.getErrorCode() == LOGIN_FAILED_CODE ) {
                // try again, bypass Password Authority cache, go directly to
                // Password Authority server
                cspmClient.retrieveCredentials( TARGET_ALIAS, "true" );
                if ( !cspmClient.getStatusCode().equals( "400" ) ) {
                    // do some error handling.
                }
                try {
                    connection = DriverManager.getConnection( URL
                            , cspmClient.getUserId()
                            , cspmClient.getPassword() );
                } catch ( SQLException e2 ) {
                    // do stuff
                }
            }
        }
        return connection;
    }
    // ....
}

Register Requestor - Basic Java Application


See Add and Run Credential Manager A2A Requestors (https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors)
for the procedure to register your requestor with Credential Manager. You need the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension. For example, Run_example.

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type. For example, Java.

When entering the file and execution paths, specify the absolute paths without links.

Use the JDBC Wrapper in a Standalone Java Application

This content provides a description of how to use the JDBC wrapper in a standalone Java application
using the provided example application code as a model. The pattern for the connection URL is
cspm:<URL>;CSPMDriver=<target_driver>;CSPMAlias=<alias> where:

<URL> represents the usual vendor-specific JDBC URL

<target_driver> represents the classname of the JDBC driver

<alias> represents the target alias representing the credentials to use when connecting

In the provided example, the connection URL, which shows a connection to a MySQL database cspm
on host milocspm.cloakware.com using the MySQL driver and alias jdbcdemo, is:

cspm:jdbc:mysql://milocspm.cloakware.com:3306/cspm;CSPMDriver=com.mysql.jdbc.Driver;CSPMAlias=jdbcdemo

To compile the application, you need the cspmclient.jar and cloakwareJdbc.jar files that
are included with the client.

To execute the application, you need the previously mentioned JAR files and the vendor-specific JDBC
driver JAR file, which in this case is mysql-connector-java-5.1.8-bin.jar because the connection is to a
MySQL database.

When executing the application, identify the location of the client configuration file,
cspm_client_config.xml, and the directory where the native code libraries reside by specifying the
following JVM options respectively:

-Dcspm_client_config_file=<path>/cspm_client_config.xml
-Djava.library.path=<path>/cloakware/cspmclient/lib

Application Code
package com.cloakware.ps.jdbcdemo;

import java.sql.*;

public class JdbcDemoApp {

    private static final String
        JDBC_DRIVER_CLASS_NAME = "com.cloakware.jdbc.JdbcDriver";
    private static final String
        JDBC_URL = "cspm:jdbc:mysql://milocspm.cloakware.com:3306/cspm;CSPMDriver=com.mysql.jdbc.Driver;CSPMAlias=jdbcdemo";

    private Connection m_connection = null;

    public JdbcDemoApp() {

        try {
            System.out.println( "instantiating the JDBC driver" );

            Class.forName( JDBC_DRIVER_CLASS_NAME ).newInstance();

            System.out.println( "invoking the driver to obtain a connection to the database" );

            // no user name or password is passed: the wrapper resolves them from the alias
            m_connection = DriverManager.getConnection( JDBC_URL );

            runDemo();

        } catch ( Exception ex ) {
            ex.printStackTrace();
        } finally {
            try {
                if ( m_connection != null )
                    m_connection.close();
            } catch ( SQLException ex ) {
                // ignore a failure while closing the connection
            }
        }
    }

    private void runDemo() {

        final String QUERY = "select count(*) from init_properties;";

        try {
            System.out.println( "executing query" );

            Statement st = m_connection.createStatement();
            ResultSet rs = st.executeQuery( QUERY );

            while ( rs.next() ) {
                System.out.println( "result= " + rs.getInt( 1 ) );
            }

        } catch ( SQLException ex ) {
            ex.printStackTrace();
        }
    }

    public static void main(String[] args) {
        new JdbcDemoApp();
    }
}

Integrate a Java Application using JBoss


This content describes an example that uses the A2A Client to manage the credentials that are used
by a Java container JDBC connection pool within a JBoss application server version 4.2.2.

Integration Process for JBoss (see page 253)


Configure Your Development Environment for JBoss (see page 253)
Deploy and Run the Sample JBoss Application (see page 254)
JBoss Credential Viewer (see page 255)
JBoss Connection Pool with HSQLDB Data Store (see page 257)
Register JBoss Requestor (see page 259)
Register HSQLDB as a Target Application (see page 260)
Register Mapping Between Request Server and Target Alias (see page 260)
HSQL Database Usage (see page 261)

This example uses a credential viewer and an HSQLDB data store to show the following functionality:

The credential viewer shows you how to view credentials that are stored in the Credential
Manager server using the CSPMClient Java class. Use this example for simple integration and to
test the ability to connect to Credential Manager and retrieve credentials. The example displays
the credentials to the screen.

The HSQLDB data store shows you how to configure a data store using the Credential Manager
JdbcDriver Java class to retrieve credentials and connect to an HSQLDB data store. The example
retrieves credentials and uses them to access a data store.

This example is available on all A2A Client installations in the following directories, for:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/JBoss_Sample

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/JBoss_Sample

File                           Description
ClassFactory.java              Class factory that is used to create the objects that are used in the example web application. The class allows you to create the CSPMClient class and to perform a lookup in the Initial Context to retrieve the data source that is used to get a connection to the database.
CredentialsViewer.java         Servlet class that is used to connect to the Credential Manager server to retrieve credentials.
ConnectionTester.java          Servlet class that is used to create 10 connections to a database and execute a basic SQL statement. The class retrieves the DataSource class using the ClassFactory class.
cspm_connect_hsql_org-ds.xml   Configuration file showing how to configure a data source using the HSQLDB driver.
cspm_connect_hsql-ds.xml       Configuration file showing how to configure a data source using the Credential Manager JdbcDriver. The target driver is HSQLDB.

Integration Process for JBoss


Use the following process to modify your application to use the Credential Manager server to manage
credentials:

1. Configure the development environment. See Configure your Development Environment for
JBoss (see page ).

2. Optionally, integrate the A2A Client to retrieve credentials. See JBoss Credential Viewer (see
page 255).

3. Create or modify the data source file. See JBoss Connection Pool with HSQLDB Data Store (see
page 257).

4. Register requestor. See Register JBoss Requestor (see page 259).

Configure Your Development Environment for JBoss


Configure your development environment for both JBoss development and Credential Manager
integration.

The example contains an Apache ANT build file that is located in the build directory that you can use
to create the WAR file and to deploy it. The build file is compatible with ANT 1.6.5 and above.

Use the following procedure to configure your environment for JBoss development.

Follow these steps:

1. Install JBoss Application Server 4.2.2 GA. See http://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.2.2.GA.

2. Set the JBOSS_HOME environment variable. See https://docs.jboss.org/jbossas/docs/Installation_And_Getting_Started_Guide/5/html/setting_JBOSS_HOME.html.

3. Install Apache ANT 1.6.5 or above. See http://ant.apache.org/bindownload.cgi.

4. Set the ANT_HOME environment variable. See http://ant.apache.org/manual/install.html.

5. Install the Java Database HSQLDB 1.8.0. See http://sourceforge.net/project/showfiles.php?group_id=23316.

6. Set the HSQL_HOME environment variable to the path where you installed HSQL (for
example, opt/tools/hsqldb).

Use the following procedure to configure your environment for A2A Client integration with JBoss.

Follow these steps:

1. Create or add to the JAVA_OPTS environment variable:

UNIX:
-Djava.library.path=$CSPM_CLIENT_HOME/lib
-Dcspm_client_config_file=$CSPM_CLIENT_HOME/config/cspm_client_config.xml

Windows:
-Djava.library.path=%CSPM_CLIENT_HOME%\lib
-Dcspm_client_config_file=%CSPM_CLIENT_HOME%\config\cspm_client_config.xml

2. Copy the cloakwareJdbc.jar file that is located in the A2A Client tools directory to
the JBoss default deployment directory:

UNIX:
Source: $CSPM_CLIENT_HOME/cspmclient/tools
Destination: $JBOSS_HOME/server/default/lib

Windows:
Source: %CSPM_CLIENT_HOME%/cspmclient/tools
Destination: %JBOSS_HOME%/server/default/lib

3. Copy the cspmclient.jar file that is located in the A2A Client lib folder to the JBoss
default deployment lib folder.

Note: Perform Step 2 and Step 3 using the ANT build file that is located in the following
directories:

UNIX: $CSPM_CLIENT_HOME/examples/java/JBoss_Sample/build

Windows: %CSPM_CLIENT_HOME%/examples/java/JBoss_Sample/build

Enter ant deploy.driver.lib from that directory.

Deploy and Run the Sample JBoss Application


Use the following procedure to compile and run the sample web application using an Apache Ant
task.

Follow these steps:

1. Verify that the JBoss application server is running (default configuration).

2. Open a command line window.

3. Navigate to one of the following directories:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/JBoss_Sample/build

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/JBoss_Sample/build

4. Start the HSQLDB server by entering ant start.hsqldb.

5. Compile and deploy the example by entering ant.

6. Open a Web Browser.

7. Display the credential viewer web application by loading the following page:
http://localhost:8080/cspmJBossSample.

JBoss Credential Viewer


This example servlet shows you how to use the A2A Client class to retrieve the credentials.

The CSPMClient class is created using a class factory.

Class File
package com.cloakware.cspm.sample.web;

import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.cloakware.jdbc.StatusCodeMapping;
import com.cloakware.cspm.client.CSPMClient;
import com.cloakware.cspm.sample.ClassFactory;

/**
* This servlet class is used to retrieve credentials using the
* CSPMClient class.<br>
* <br>
* The user enters a CSPMAlias Name and the servlet displays the information
* returned by the CSPMClient class. <br>
* <br>
* Since the CSPMClient class only returns a status code, the base class
* provides a class to convert the status code to a more meaningful sentence.
*/

public class CredentialsViewer extends HttpServlet {


/* Attribute names */
private final String ERROR_MSG = "errorMsg";

/* Parameter names and attributes when refreshing the page */


private final String ALIAS_NAME = "aliasName";
private final String BYPASS_CACHE = "byPassCache";
/* Attributes used when displaying credentials/response from
* the CSPMClient class.
*/
private final String RETURN_CODE = "returnCode";
private final String RETURN_MSG = "returnMsg";
private final String USERNAME = "username";
private final String PASSWORD = "password";
/* Error message */
private final String MSG_ALIAS_EMPTY = "Alias cannot be empty";
/* Response page */
private final String TARGET_JSP = "/index.jsp";
/**
* Constructor of the object.
*/
public CredentialsViewer() {
super();
}

/**
* The doGet method of the servlet. <br>
*
* This method is called when a form has its tag value method equals to get.
* The method retrieves the alias name and the value of the checkbox
* indicating if the CSPMClient cache needs to be bypassed. It then calls
* the retrieveCredentials method of the CSPMClient class and displays the
* results. An error message is displayed if the alias name is missing.
*
* @param request the request send by the client to the server
* @param response the response send by the server to the client
* @throws ServletException if an error occurred
* @throws IOException if an error occurred
*/
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {

// Retrieve the parameters


String alias = (String)request.getParameter(ALIAS_NAME);
Object byPassCache = request.getParameter(BYPASS_CACHE);
// Make sure to redisplay the alias name.
request.setAttribute(ALIAS_NAME, alias);
request.setAttribute(BYPASS_CACHE,
(byPassCache != null) ? "checked" : null);

// if we have an alias
if (alias != null && !"".equals(alias)) {
// Class used to retrieve the credential.

CSPMClient cspmClient = ClassFactory.getCSPMClient();

// Retrieve the credentials.


if (byPassCache == null) {
cspmClient.retrieveCredentials(alias);
} else {
cspmClient.retrieveCredentials(alias, "true");
}

// Set the credentials in the request


request.removeAttribute(ERROR_MSG);
request.setAttribute(RETURN_CODE, cspmClient.getStatusCode());
String statusMsg = StatusCodeMapping
.getStatusText(cspmClient);
request.setAttribute(RETURN_MSG, statusMsg);
request.setAttribute(USERNAME, cspmClient.getUserId());
request.setAttribute(PASSWORD, cspmClient.getPassword());
} else {
// return an error message.
request.setAttribute(ERROR_MSG, MSG_ALIAS_EMPTY);
request.removeAttribute(RETURN_CODE);
}

// Get the request dispatcher


RequestDispatcher dispatcher = getServletContext()
.getRequestDispatcher(TARGET_JSP);

// Forward to the jsp file to display the credentials


dispatcher.forward(request, response);
}
}

JBoss Connection Pool with HSQLDB Data Store


This example shows you how to create or modify a data source to use the Credential Manager server
for credential retrieval. The data source definitions are saved in files ending with the suffix ds.xml and
are located in the deployment folder.

To integrate the A2A Client to your application, change the JDBC driver that is used by the data
source. The Credential Manager JDBC driver acts as a proxy JDBC driver serving any JDBC URL that is
recognized as a Credential Manager JDBC URL. In the data source configuration, provide information
regarding the targeted driver and the alias to use in the special Credential Manager style JDBC URL.
The Credential Manager style JDBC URL format is:

cspm:[url];CSPMDriver=target.driver;CSPMAlias=alias

Form the Credential Manager URL as follows:

Ensure that it begins with the cspm: prefix.

Follow the prefix with the normal JDBC URL, omitting any user/password specification; for
example, jdbc:hsqldb:hsql://localhost:9001/cspm1.

Set the URL to contain the CSPMDriver that indicates an explicit JDBC driver to use.

Assign the CSPMAlias, which is the alias for the database user in the Credential Manager
server, to the URL.

To use the Credential Manager JDBC driver, you need to modify two attributes in the configuration file.

Follow these steps:

1. Set connection-url as specified previously.

2. Set driver-class to com.cloakware.jdbc.JdbcDriver.

This low-level driver management for connection acquisition means that all new connections
obtained for a user whose database password has been changed (by the Credential Manager server)
are made using the new password. This action occurs automatically without any knowledge or
intervention by any owning data source.

While new connections are obtained using the new password, old connections that were obtained
using an old password can linger in the data source pool. Also, if the Credential Manager alias is
changed to a new user, then a connection pool has (at least temporarily) a mixture of connections for
different actual database users.

Such connection management by the CA Technologies driver ensures that database password
changes are transparent to the activities of the data source.
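
The following Java class is an added example, not part of the Credential Manager JDBC driver. It checks a connection URL against the rules listed above: the cspm: prefix, a vendor JDBC URL with no user/password specification, and the CSPMDriver and CSPMAlias settings in either order. The class name is hypothetical, splitting on semicolons is an assumption about the URL layout, and the credential patterns are assumed heuristics because parameter names vary by vendor.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CspmJdbcUrlCheck {

    static final String PREFIX = "cspm:";

    // Assumed heuristics for credentials left in the vendor part of the URL.
    static final Pattern CRED_PARAM =
        Pattern.compile("(?i)(^|[?&;])(user|username|password|pwd)=");
    static final Pattern CRED_AUTHORITY = Pattern.compile("//[^/@;?]+:[^/@;?]*@");

    /** Returns the list of problems found; an empty list means the URL follows the rules. */
    static List<String> problems(String rawUrl) {
        List<String> found = new ArrayList<>();
        // A value copied from a ds.xml file can be wrapped across lines.
        String url = rawUrl.replaceAll("\\s+", "");
        if (!url.startsWith(PREFIX)) {
            found.add("URL does not begin with the cspm: prefix");
            return found;
        }
        String driver = null;
        String alias = null;
        StringBuilder vendorUrl = new StringBuilder();
        for (String part : url.substring(PREFIX.length()).split(";")) {
            if (part.startsWith("CSPMDriver=")) {
                driver = part.substring("CSPMDriver=".length());
            } else if (part.startsWith("CSPMAlias=")) {
                alias = part.substring("CSPMAlias=".length());
            } else {
                // Anything else belongs to the vendor-specific JDBC URL.
                if (vendorUrl.length() > 0) vendorUrl.append(';');
                vendorUrl.append(part);
            }
        }
        String vendor = vendorUrl.toString();
        if (!vendor.startsWith("jdbc:")) {
            found.add("no vendor JDBC URL after the cspm: prefix");
        }
        if (driver == null || driver.isEmpty()) {
            found.add("CSPMDriver is missing");
        }
        if (alias == null || alias.isEmpty()) {
            found.add("CSPMAlias is missing");
        }
        if (CRED_PARAM.matcher(vendor).find() || CRED_AUTHORITY.matcher(vendor).find()) {
            found.add("vendor URL carries a user/password specification");
        }
        return found;
    }

    public static void main(String[] args) {
        // The data source URL used in this document's JBoss example, wrapped over two lines.
        String fromPage = "cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;\n"
            + "CSPMAlias=hsql;CSPMDriver=org.hsqldb.jdbcDriver";
        // Constructed counter-example: embedded credentials and no alias.
        String constructed = "cspm:jdbc:mysql://db.example.test:3306/app"
            + "?user=scott&password=tiger;CSPMDriver=com.mysql.jdbc.Driver";

        System.out.println(problems(fromPage));     // []
        System.out.println(problems(constructed));  // two problems reported
    }
}
```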

The XML file that is used in the example is located in one of the following locations:

UNIX: $CSPM_CLIENT_HOME/cspmclient/examples/java/JBoss_Sample/main/resources/datasources

Windows: %CSPM_CLIENT_HOME%/cspmclient/examples/java/JBoss_Sample/main/resources/datasources

Data Source
<?xml version="1.0" encoding="UTF-8"?>

<!-- The Hypersonic embedded database JCA connection factory config -->
<datasources>
  <local-tx-datasource>

    <!-- The jndi name of the DataSource, it is prefixed with java:/ -->
    <jndi-name>jdbc/CSPMSampleDS</jndi-name>

    <connection-url>cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;CSPMAlias=hsql;CSPMDriver=org.hsqldb.jdbcDriver</connection-url>

    <!-- The driver class -->
    <driver-class>com.cloakware.jdbc.JdbcDriver</driver-class>

    <!-- The login and password -->
    <user-name></user-name>
    <password></password>

    <!-- The minimum connections in a pool/sub-pool. -->
    <min-pool-size>5</min-pool-size>

    <!-- The maximum connections in a pool/sub-pool -->
    <max-pool-size>10</max-pool-size>

    <!-- The time before an unused connection is destroyed -->
    <idle-timeout-minutes>1</idle-timeout-minutes>

    <track-statements />

    <prepared-statement-cache-size>32</prepared-statement-cache-size>

    <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml -->
    <metadata>
      <type-mapping>Hypersonic SQL</type-mapping>
    </metadata>

  </local-tx-datasource>
</datasources>

Register JBoss Requestor


See Add and Run Credential Manager A2A Requestors (https://docops.ca.com/display/CAPAM28
/Add+and+Run+Credential+Manager+A2A+Requestors) for the procedure to register your requestor with
Credential Manager. Use the following data.

Parameter       Description
Script Name     com.cloakware.cspm.sample.web.CredentialsViewer
Execution Path  C:\jboss-4.2.2.GA\bin
Type            Java

Parameter       Description
Script Name     com.cloakware.client.jdbc.JdbcDriver
Execution Path  C:\jboss-4.2.2.GA\bin
Type            Java


Register HSQLDB as a Target Application


See Configure Credential Manager Targets (https://docops.ca.com/display/CAPAM28
/Configure+Credential+Manager+Targets) for the procedure to register HSQLDB as a target application
with Credential Manager. Use the following data.

Parameter         Description
Application Name  HSQLDB Server
Application Type  HSQL
DB Port           9001

Parameter       Description
Application     HSQLDB Server
Account Name    sa
Password        admin
Database Name   cspm1

Parameter       Description
Application     HSQLDB Server
Account Name    TestUser
Password        Test
Database Name   cspm1
A2A Account     selected
Change Process  Select:
                - Use the following account to change password: SA

Parameter           Description
Targets Alias Name  hsql
Application         HSQLDB Server
Account             TestUser

Register Mapping Between Request Server and Target Alias


See Add Authorization Mappings (https://docops.ca.com/display/CAPAM28/Add+Authorization+Mappings)
for the procedure to register the mapping between the request server and the target alias. Use the
following data.

Parameter       Description
Target Alias    Hsql
Request Server  Select your request server
Script          all

HSQL Database Usage


HSQLDB is an SQL relational database engine that is written in Java. It is used in the example as the
database server.

Use the following procedure to start the database server.

Follow these steps:

1. Open a command line window.

2. Navigate to one of the following directories:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/ApacheTomcat/build

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/ApacheTomcat/build

3. Start the HSQLDB server by entering ant start.hsqldb.

Use the following procedure to shut down the database server.

Follow these steps:

1. Open a command line window.

2. Navigate to one of the following directories:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/ApacheTomcat/build

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/ApacheTomcat/build

3. Shut down the HSQLDB server by entering ant shutdown.hsqldb.

Integrate a Java Application Using Tomcat


This content describes an example that uses the A2A Client to manage the credentials that are used
by a Java container JDBC connection pool within an Apache Tomcat v5.5 Application Server.

Integration Process for Tomcat (see page 262)


Configure Your Development Environment for Apache Tomcat (see page 263)


Deploy and Run the Sample Tomcat Application (see page 265)
Apache Tomcat Credential Viewer (see page 265)
Apache Tomcat Connection Pool with HSQLDB Data Store (see page 268)
Register Apache Tomcat Requestor (see page 269)

This example uses a credential viewer and an HSQLDB data store to show the following functionality:

The credential viewer shows you how to view credentials that are stored in the Credential
Manager server using the CSPMClient Java class. Use this example for simple integration and to
test the ability to connect to Credential Manager and retrieve credentials. The example displays
the credentials to the screen.

The HSQLDB data store shows you how to configure a data store using the Credential Manager
JdbcDriver Java class to retrieve credentials and connect to an HSQLDB data store. The example
retrieves credentials and uses them to access a data store.

This example is available on all A2A Client installations in one of the following directories:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/Tomcat_Sample

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/Tomcat_Sample

File                    Description
ClassFactory.java       Class factory that is used to create the objects that are used in the
                        example web application. The class allows you to create the CSPMClient
                        class and to perform a lookup in the Initial Context to retrieve the data
                        source that is used to get a connection to the database.
CredentialsViewer.java  Servlet class that is used to connect to the Credential Manager server to
                        retrieve credentials.
ConnectionTester.java   Servlet class that is used to create 10 connections to a database and
                        execute a basic SQL statement. The class retrieves the DataSource class
                        using the ClassFactory class.
context.xml             Configuration file showing you how to configure a database resource using
                        the HSQLDB driver and a second resource using the Credential Manager
                        JdbcDriver Java class.

Integration Process for Tomcat


Use the following process to modify your application to use the Credential Manager server to manage
credentials:

1. Configure your development environment. See Configure your Development Environment for
Apache Tomcat.

2. Optionally, integrate the A2A Client to retrieve credentials. See Apache Tomcat Credential
Viewer (see page 265).

3. Create or modify the context file. See Apache Tomcat Connection Pool with HSQLDB Data
Store (see page 268).

4. Register the requestor. See Register Apache Tomcat Requestor (see page 269).

Configure Your Development Environment for Apache Tomcat

Configure your development environment for both Apache Tomcat development and Credential
Manager integration.

The example contains an Apache ANT build file that is located in the build directory that you can use
to create the WAR file and to deploy it. The build file is compatible with ANT 1.6.5 and above.

Use the following procedure to configure your environment for Apache Tomcat development.

Follow these steps:

1. Install Apache Tomcat Application Server v5.5. See http://archive.apache.org/dist/tomcat/tomcat-5.

2. Install Apache ANT 1.6.5 or above. See http://ant.apache.org/bindownload.cgi.

3. Set the ANT_HOME environment variable. See http://ant.apache.org/manual/install.html.

4. Install the Java Database HSQLDB 1.8.0. See http://sourceforge.net/project/showfiles.php?group_id=23316.

5. Set the HSQL_HOME environment variable to the path where you installed HSQL (for
example, opt/tools/hsqldb).

Use the following procedure to configure your environment for A2A Client integration with Apache
Tomcat.

Follow these steps:

1. Copy the cspmclient.jar file that is located in the A2A Client lib directory to the
Apache Tomcat Common Lib directory:

UNIX:
Source: $CSPM_CLIENT_HOME/cloakware/cspmclient/lib
Destination: $APACHE TOMCAT_HOME/common/lib

Windows:
Source: %CSPM_CLIENT_HOME%/cloakware/cspmclient/lib
Destination: %APACHE TOMCAT_HOME%/common/lib

2. Copy the cloakwareJdbc.jar file that is located in the A2A Client tools directory to
the Apache Tomcat Common Lib directory:

UNIX:
Source: $CSPM_CLIENT_HOME/cspmclient/tools
Destination: $APACHE TOMCAT_HOME/common/lib

Windows:
Source: %CSPM_CLIENT_HOME%/cspmclient/tools
Destination: %APACHE TOMCAT_HOME%/common/lib

Note: Perform Steps 1 and using the ANT build file that is located in the following
directories:

UNIX: $CSPM_CLIENT_HOME/examples/java/Tomcat_Sample/build

Windows: %CSPM_CLIENT_HOME%/examples/java/Tomcat_Sample/build

Enter ant deploy.driver.lib from that directory.

3. Open the Apache Tomcat Properties dialog.

4. Click the Java tab.

5. Add the following text in the Java Options edit field:

UNIX:
-Djava.library.path=$CSPM_CLIENT_HOME/lib
-Dcspm_client_config_file=$CSPM_CLIENT_HOME/config/cspm_client_config.xml

Windows:
-Djava.library.path=%CSPM_CLIENT_HOME%\lib
-Dcspm_client_config_file=%CSPM_CLIENT_HOME%\config\cspm_client_config.xml

Substitute CSPM_CLIENT_HOME with the install directory of the client (for example,
c:\cloakware\cspmclient).

6. Restart Apache Tomcat. (Stop and start the service.)

Note: Perform Step 2 and Step 3 using the ANT build file that is located in the
following directories:

UNIX: $CSPM_CLIENT_HOME/examples/java/Tomcat_Sample/build

Windows: %CSPM_CLIENT_HOME%/examples/java/Tomcat_Sample/build

Enter ant deploy.driver.lib from that directory.

Deploy and Run the Sample Tomcat Application


Use the following procedure to compile and deploy the sample web application using an Apache Ant
task.

Follow these steps:

1. Verify that Apache Tomcat is running.

2. With a text editor (such as Notepad or Vim), edit the build.properties file that is located in the
following directories:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/Tomcat_Sample/build

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/Tomcat_Sample/build

3. Change the value of the dir.server property (for example, to
C:/Program Files/Apache Software Foundation/Tomcat 5.5) and save the file.

4. Open a command line window.

5. Navigate to one of the following directories:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/Tomcat_Sample/build

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/Tomcat_Sample/build

6. Start the HSQLDB server by entering ant start.hsqldb.

7. Compile and deploy the example by entering ant.

8. Open a Web Browser.

9. Load the following page: http://localhost:8088/cspmTomcatSample.

Apache Tomcat Credential Viewer


This example servlet shows you how to use the CSPMClient class to retrieve the credentials.

The CSPMClient class is created using a class factory.


Class File
package com.cloakware.cspm.sample.web;

import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.cloakware.jdbc.StatusCodeMapping;
import com.cloakware.cspm.client.CSPMClient;
import com.cloakware.cspm.sample.ClassFactory;

/**
 * This servlet class is used to retrieve credentials using the
 * CSPMClient class.<br>
 * <br>
 * The user enters a CSPMAlias Name and the servlet displays the information
 * returned by the CSPMClient class. <br>
 * <br>
 * Since the CSPMClient class only returns a status code, the base class
 * provides a class to convert the status code to a more meaningful sentence.
 */
public class CredentialsViewer extends HttpServlet {
    /* Attribute names */
    private final String ERROR_MSG = "errorMsg";

    /* Parameter names and attributes when refreshing the page */
    private final String ALIAS_NAME = "aliasName";
    private final String BYPASS_CACHE = "byPassCache";

    /* Attributes used when displaying credentials/response from
     * the CSPMClient class.
     */
    private final String RETURN_CODE = "returnCode";
    private final String RETURN_MSG = "returnMsg";
    private final String USERNAME = "username";
    private final String PASSWORD = "password";

    /* Error message */
    private final String MSG_ALIAS_EMPTY = "Alias cannot be empty";

    /* Response page */
    private final String TARGET_JSP = "/index.jsp";

    /**
     * Constructor of the object.
     */
    public CredentialsViewer() {
        super();
    }

    /**
     * The doGet method of the servlet. <br>
     *
     * This method is called when a form has its tag value method equal to get.
     * The method retrieves the alias name and the value of the checkbox
     * indicating if the CSPMClient cache needs to be bypassed. It then calls
     * the retrieveCredentials method of the CSPMClient class and displays the
     * results. An error message is displayed if the alias name is missing.
     *
     * @param request the request sent by the client to the server
     * @param response the response sent by the server to the client
     * @throws ServletException if an error occurred
     * @throws IOException if an error occurred
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Retrieve the parameters
        String alias = (String) request.getParameter(ALIAS_NAME);
        Object byPassCache = request.getParameter(BYPASS_CACHE);

        // Make sure to redisplay the alias name.
        request.setAttribute(ALIAS_NAME, alias);
        request.setAttribute(BYPASS_CACHE,
                (byPassCache != null) ? "checked" : null);

        // if we have an alias
        if (alias != null && !"".equals(alias)) {
            // Class used to retrieve the credential.
            CSPMClient cspmClient = ClassFactory.getCSPMClient();

            // Retrieve the credentials.
            if (byPassCache == null) {
                cspmClient.retrieveCredentials(alias);
            } else {
                cspmClient.retrieveCredentials(alias, "true");
            }

            // Set the credentials in the request
            request.removeAttribute(ERROR_MSG);
            request.setAttribute(RETURN_CODE, cspmClient.getStatusCode());
            String statusMsg = StatusCodeMapping
                    .getStatusText(cspmClient);
            request.setAttribute(RETURN_MSG, statusMsg);
            request.setAttribute(USERNAME, cspmClient.getUserId());
            request.setAttribute(PASSWORD, cspmClient.getPassword());
        } else {
            // return an error message.
            request.setAttribute(ERROR_MSG, MSG_ALIAS_EMPTY);
            request.removeAttribute(RETURN_CODE);
        }

        // Get the request dispatcher
        RequestDispatcher dispatcher = getServletContext()
                .getRequestDispatcher(TARGET_JSP);

        // Forward to the jsp file to display the credentials
        dispatcher.forward(request, response);
    }
}

Apache Tomcat Connection Pool with HSQLDB Data Store


This example shows you how to create or modify a resource to use the Credential Manager server for
credential retrieval. You can add the data source definitions to the context.xml file located in the
META-INF directory of the WAR file.

To integrate the A2A Client with your application, change the JDBC driver that is used by the data
source. The Credential Manager JDBC driver acts as a proxy JDBC driver serving any JDBC URL that is
recognized as a Credential Manager JDBC URL. In the data source configuration, provide information
regarding the targeted driver and the alias to use in the special Credential Manager style JDBC URL.
The Credential Manager style JDBC URL format is:

cspm:[url];CSPMDriver=target.driver;CSPMAlias=alias

Form the Credential Manager URL as follows:

Ensure that it begins with the cspm: prefix.

Follow the prefix by the normal JDBC URL, omitting any user/password specification; for example,
jdbc:hsqldb:hsql://localhost:9001/cspm1.

Set the URL to contain the CSPMDriver that indicates an explicit JDBC driver to use.

Assign the CSPMAlias, which is the alias for the database user in the Credential Manager
server, to the URL.

Use the following procedure to modify two attributes in the configuration file to use the Credential
Manager JDBC driver.

Follow these steps:

1. Set url as specified previously.

2. Set driverClassName to com.cloakware.jdbc.JdbcDriver.

This low-level driver management for connection acquisition means that all new connections
obtained for a user whose database password has been changed (by the Credential Manager server)
are made using the new password. This action occurs automatically without any knowledge or
intervention by any owning data source.

While new connections are obtained using the new password, old connections that were obtained
using an old password might linger in the data source pool. Also, if the CA Technologies alias is
changed to a new user, then a connection pool has (at least temporarily) a mixture of connections for
different actual database users.

Such connection management by the CA Technologies driver ensures that database password
changes are transparent to the activities of the data source.

The XML file that is used in the example is located in the following locations:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/Tomcat_Sample/main/resources/META-INF

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/Tomcat_Sample/main/resources/META-INF

Data Source
<Context docBase="SampleDataSources">

  <Resource name="jdbc/CSPMSampleDS" auth="Container"
            type="javax.sql.DataSource" maxActive="10" maxIdle="5" maxWait="10000"
            username="hsql" password=""
            driverClassName="com.cloakware.jdbc.JdbcDriver"
            url="cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;CSPMAlias=hsql;CSPMDriver=org.hsqldb.jdbcDriver"
            removeAbandoned="true"
            removeAbandonedTimeout="30"
            logAbandoned="true" />
</Context>
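
The URL rules above can be checked mechanically before a data source is deployed. The following script is an added example, not part of the CA documentation or the A2A Client: it audits Tomcat Resource entries and JBoss local-tx-datasource entries for the cspm: prefix, the CSPMDriver and CSPMAlias parameters, the proxy driver class, and the absence of stored or URL-embedded passwords. The function names, the list of credential parameter spellings, and the treatment of whitespace inside a URL as line wrapping are assumptions of this example; the second sample input is constructed.

```python
import re
import xml.etree.ElementTree as ET

PROXY_DRIVER = "com.cloakware.jdbc.JdbcDriver"  # driver class named on this page
CSPM_KEYS = ("CSPMDriver", "CSPMAlias")
# Assumed spellings of a user/password specification inside a JDBC URL.
EMBEDDED_CRED = re.compile(
    r"(^|[;?&])(user|username|password|pwd)=|//[^/@;]+:[^/@;]*@", re.I)

# The page's Tomcat resource, wrapped as printed (pool-tuning attributes omitted).
TOMCAT_CONTEXT = """
<Context docBase="SampleDataSources">
  <Resource name="jdbc/CSPMSampleDS" auth="Container"
    type="javax.sql.DataSource" username="hsql" password=""
    driverClassName="com.cloakware.jdbc.JdbcDriver"
    url="cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;
         CSPMAlias=hsql;
         CSPMDriver=org.hsqldb.jdbcDriver" />
</Context>
"""

# Constructed counter-examples: one data source that bypasses Credential
# Manager, and one that was only partly converted.
JBOSS_DS = """
<datasources>
  <local-tx-datasource>
    <jndi-name>jdbc/LegacyDS</jndi-name>
    <connection-url>jdbc:hsqldb:hsql://localhost:9001/cspm1</connection-url>
    <driver-class>org.hsqldb.jdbcDriver</driver-class>
    <user-name>sa</user-name>
    <password>admin</password>
  </local-tx-datasource>
  <local-tx-datasource>
    <jndi-name>jdbc/HalfMigratedDS</jndi-name>
    <connection-url>cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;user=sa;password=admin;CSPMDriver=org.hsqldb.jdbcDriver</connection-url>
    <driver-class>com.cloakware.jdbc.JdbcDriver</driver-class>
    <password></password>
  </local-tx-datasource>
</datasources>
"""


def parse_cspm_url(url):
    """Split cspm:[url];CSPMDriver=..;CSPMAlias=.. into (jdbc_url, params)."""
    compact = "".join(url.split())  # assumption: whitespace is line wrapping
    if not compact.startswith("cspm:"):
        raise ValueError("URL does not begin with the cspm: prefix")
    jdbc_parts, params = [], {}
    for part in compact[len("cspm:"):].split(";"):
        key, sep, value = part.partition("=")
        if sep and key in CSPM_KEYS:
            params[key] = value          # Credential Manager parameter
        elif part:
            jdbc_parts.append(part)      # belongs to the wrapped JDBC URL
    return ";".join(jdbc_parts), params


def check_datasource(driver_class, url, password):
    """Return a list of findings for one data source definition."""
    findings = []
    if (driver_class or "").strip() != PROXY_DRIVER:
        findings.append("driver class is not " + PROXY_DRIVER)
    if (password or "").strip():
        findings.append("static password stored in the data source")
    try:
        jdbc_url, params = parse_cspm_url(url or "")
    except ValueError as exc:
        findings.append(str(exc))
        return findings
    if not jdbc_url.startswith("jdbc:"):
        findings.append("no normal JDBC URL after the cspm: prefix")
    if EMBEDDED_CRED.search(jdbc_url):
        findings.append("wrapped JDBC URL carries a user/password specification")
    for key in CSPM_KEYS:
        if not params.get(key):
            findings.append(key + " is missing or empty")
    return findings


def audit_datasources(xml_text):
    """Map each data source name in a context.xml or *-ds.xml to its findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for res in root.iter("Resource"):                  # Tomcat context.xml
        if res.get("type") == "javax.sql.DataSource":
            report[res.get("name")] = check_datasource(
                res.get("driverClassName"), res.get("url"), res.get("password"))
    for ds in root.iter("local-tx-datasource"):        # JBoss data source file
        report[ds.findtext("jndi-name")] = check_datasource(
            ds.findtext("driver-class"), ds.findtext("connection-url"),
            ds.findtext("password"))
    return report


if __name__ == "__main__":
    for sample in (TOMCAT_CONTEXT, JBOSS_DS):
        for name, findings in audit_datasources(sample).items():
            print(name, "->", findings or "ok")
```
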

Register Apache Tomcat Requestor


See Add and Run Credential Manager A2A Requestors (https://docops.ca.com/display/CAPAM28
/Add+and+Run+Credential+Manager+A2A+Requestors) for the procedure to register your requestor with
Credential Manager. Use the following data:

Parameter       Description
Script Name     com.cloakware.cspm.sample.web.CredentialsViewer
Execution Path  C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin
Type            Java

Parameter       Description
Script Name     com.cloakware.client.jdbc.JdbcDriver
Execution Path  C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin
Type            Java

HSQLDB is an SQL relational database engine that is written in Java. It is used in the example as the
database server. See also:

Register HSQLDB as a Target Application

Register Mapping between Request Server and Target Alias

HSQL Database Usage

Integrate a Java Application using WebLogic


This example uses the A2A Client to manage the credentials used by a Java container JDBC
connection pool within a BEA WebLogic Server® 10.0.

Integration Process for WebLogic (see page 271)


Configure your Development Environment for WebLogic (see page 271)
Deploy and Run the Sample WebLogic Application (see page 272)
WebLogic Credential Viewer (see page 273)
WebLogic Connection Pool with HSQLDB Data Store (see page 276)
Register WebLogic Requestor (see page 279)

This example uses a credential viewer and an HSQLDB data store to show the following:

The credential viewer shows you how to view credentials stored in the Credential Manager server
using the CSPMClient Java class. Use this example for simple integration and to test the ability to
connect to Credential Manager and retrieve credentials. The example displays the credentials to
the screen.

The HSQLDB data store shows you how to configure a data store using the Credential Manager
JdbcDriver Java class to retrieve credentials and connect to an HSQLDB data store. The example
retrieves credentials and uses them to access a data store.

This example is available on all A2A Client installations, in the following directories, for:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/WebLogic_Sample

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/WebLogic_Sample

File                    Description
ClassFactory.java       Class factory used to create the objects used in the example Web
                        application. The class allows you to create the CSPMClient class and to
                        perform a lookup in the Initial Context to retrieve the data source used
                        to get a connection to the database.
CredentialsViewer.java  Servlet class used to connect to the Credential Manager server to
                        retrieve credentials.
ConnectionTester.java   Servlet class used to create 10 connections to a database and execute a
                        basic SQL statement. The class retrieves the DataSource class using the
                        ClassFactory class.

Integration Process for WebLogic


Use the following process to modify your application to use the Credential Manager server to manage
credentials:

1. Configure development environment. See Configure your Development Environment for
WebLogic (see page 271).

2. Optionally, integrate the A2A Client to retrieve credentials. See WebLogic Credential Viewer
(see page 273).

3. Create or modify the data source file. See WebLogic Connection Pool with HSQLDB Data Store
(see page 276).

4. Register the requestor. See Register WebLogic Requestor (see page 279).

Configure your Development Environment for WebLogic


You must configure your development environment for both WebLogic development and Credential
Manager integration.

The example contains an Apache ANT build file located in the build directory that you can use to
create the WAR file and to deploy it. The build file is compatible with ANT 1.6.5 and above.

Use the following procedure to configure your environment for WebLogic development.

Follow these steps:

1. Install WebLogic Server 10.0. See
http://www.oracle.com/technetwork/middleware/ias/downloads/101310-085449.html.

2. With the WebLogic Configuration Wizard application, create a domain called cspmSample
using the default settings. Consult the WebLogic documentation for further assistance.

3. Install Apache ANT 1.6.5 or above. See http://ant.apache.org/bindownload.cgi.

4. Set the ANT_HOME environment variable. See http://ant.apache.org/manual/install.html.

5. Install the Java Database HSQLDB 1.8.0. See http://sourceforge.net/project/showfiles.php?group_id=23316.

6. Set the HSQL_HOME environment variable to the path where you installed HSQL (for
example, opt/tools/hsqldb).

Use the following process to configure your environment for A2A Client integration with WebLogic.

Follow these steps:

1. Create or add to the JAVA_OPTIONS environment variable:

UNIX:
-Djava.library.path=$CSPM_CLIENT_HOME/lib
-Dcspm_client_config_file=$CSPM_CLIENT_HOME/config/cspm_client_config.xml

Windows:
-Djava.library.path=%CSPM_CLIENT_HOME%\lib
-Dcspm_client_config_file=%CSPM_CLIENT_HOME%\config\cspm_client_config.xml

2. Copy the cspmclient.jar file located in the A2A Client lib directory to the lib
directory for your WebLogic domain:

UNIX:
Source: $CSPM_CLIENT_HOME/cloakware/cspmclient/lib
Destination: $WEBLOGIC_HOME/user_projects/domains/$YOUR_DOMAIN/lib

Windows:
Source: %CSPM_CLIENT_HOME%/cloakware/cspmclient/lib
Destination: %WEBLOGIC_HOME%/user_projects/domains/%YOUR_DOMAIN%/lib

3. Copy the cloakwareJdbc.jar file located in the A2A Client tools directory to the
WebLogic home directory:

UNIX:
Source: $CSPM_CLIENT_HOME/cspmclient/tools
Destination: $WEBLOGIC_HOME/user_projects/domains/$YOUR_DOMAIN/lib

Windows:
Source: %CSPM_CLIENT_HOME%/cspmclient/tools
Destination: %WEBLOGIC_HOME%/user_projects/domains/%YOUR_DOMAIN%/lib

Step 1 and Step 2 are performed by the ANT build file located in the following directories:

UNIX: $CSPM_CLIENT_HOME/examples/java/WebLogic_Sample/build

Windows: %CSPM_CLIENT_HOME%/examples/java/WebLogic_Sample/build

Enter ant deploy.driver.lib from that directory.

Deploy and Run the Sample WebLogic Application


Use the following procedure to compile and run the sample web application using an Apache Ant
task.

Follow these steps:

1. Make sure WebLogic is running and using the domain you created in Configure your
Development Environment for WebLogic (see page 271).


2. With a text editor (such as NotePad or Vim), edit the build.properties file located in
the following locations, for:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/WebLogic_Sample/build

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/WebLogic_Sample/build

3. Change the value of the following properties and save the file:

dir.bea. Points to the location where BEA WebLogic Server 10.0 is installed (for example,
C:/bea)

weblogic.adminurl. Administration console URL (for example, t3://localhost:7001)

weblogic.domain. WebLogic domain to use for the deployment. This should match the
cspmSample domain name you created in Configure your Development Environment for
WebLogic (see page 271).

weblogic.server. Name of the server instance to use for the deployment (for example,
AdminServer)

weblogic.username. Administration console username (for example, weblogic)

weblogic.password. Administration console password (for example, weblogic)

4. Open a command line window.

5. Change directory to the following, for:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/WebLogic_Sample/build

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/WebLogic_Sample/build

6. Start the HSQLDB server by entering ant start.hsqldb.

7. Compile and deploy the example by entering ant.

8. Open a Web Browser.

9. Load the following page: http://localhost:7001/cspmWeblogicSample.

WebLogic Credential Viewer


This example servlet shows you how to use the CSPMClient class to retrieve the credentials.

The CSPMClient class is created using a class factory.


Class File
package com.cloakware.cspm.sample.web;

import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.cloakware.jdbc.StatusCodeMapping;
import com.cloakware.cspm.client.CSPMClient;
import com.cloakware.cspm.sample.ClassFactory;

/**
 * This servlet class is used to retrieve credentials using the
 * CSPMClient class.<br>
 * <br>
 * The user enters a CSPMAlias Name and the servlet displays the information
 * returned by the CSPMClient class. <br>
 * <br>
 * Since the CSPMClient class only returns a status code, the base class
 * provides a class to convert the status code to a more meaningful sentence.
 */
public class CredentialsViewer extends HttpServlet {
    /* Attribute names */
    private final String ERROR_MSG = "errorMsg";

    /* Parameter names and attributes when refreshing the page */
    private final String ALIAS_NAME = "aliasName";
    private final String BYPASS_CACHE = "byPassCache";

    /* Attributes used when displaying credentials/response from
     * the CSPMClient class.
     */
    private final String RETURN_CODE = "returnCode";
    private final String RETURN_MSG = "returnMsg";
    private final String USERNAME = "username";
    private final String PASSWORD = "password";

    /* Error message */
    private final String MSG_ALIAS_EMPTY = "Alias cannot be empty";

    /* Response page */
    private final String TARGET_JSP = "/index.jsp";

    /**
     * Constructor of the object.
     */
    public CredentialsViewer() {
        super();
    }

    /**
     * Destruction of the servlet. <br>
     */
    public void destroy() {
        // Just puts "destroy" string in log
        super.destroy();
    }

    /**
     * The doGet method of the servlet. <br>
     *
     * This method is called when a form has its tag value method equal to get.
     * The method retrieves the alias name and the value of the checkbox
     * indicating if the CSPMClient cache needs to be bypassed. It then calls
     * the retrieveCredentials method of the CSPMClient class and displays the
     * results. <br>
     * <br>
     * An error message is displayed if the alias name is missing.
     *
     * @param request
     *            the request sent by the client to the server
     * @param response
     *            the response sent by the server to the client
     * @throws ServletException
     *             if an error occurred
     * @throws IOException
     *             if an error occurred
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Retrieve the parameters
        String alias = (String) request.getParameter(ALIAS_NAME);
        Object byPassCache = request.getParameter(BYPASS_CACHE);

        // Make sure to redisplay the alias name.
        request.setAttribute(ALIAS_NAME, alias);
        request.setAttribute(BYPASS_CACHE,
                (byPassCache != null) ? "checked" : null);

        // if we have an alias
        if (alias != null && !"".equals(alias)) {
            // Class used to retrieve the credential.
            CSPMClient cspmClient = ClassFactory.getCSPMClient();

            // Retrieve the credentials.
            if (byPassCache == null) {
                cspmClient.retrieveCredentials(alias);
            } else {
                cspmClient.retrieveCredentials(alias, "true");
            }

            // Set the credentials in the request
            request.removeAttribute(ERROR_MSG);
            request.setAttribute(RETURN_CODE, cspmClient.getStatusCode());
            String statusMsg = StatusCodeMapping
                    .getStatusText(cspmClient);
            request.setAttribute(RETURN_MSG, statusMsg);
            request.setAttribute(USERNAME, cspmClient.getUserId());
            request.setAttribute(PASSWORD, cspmClient.getPassword());
        } else {
            // return an error message.
            request.setAttribute(ERROR_MSG, MSG_ALIAS_EMPTY);
            request.removeAttribute(RETURN_CODE);
        }

        // Get the request dispatcher
        RequestDispatcher dispatcher = getServletContext()
                .getRequestDispatcher(TARGET_JSP);

        // Forward to the jsp file to display the credentials
        dispatcher.forward(request, response);
    }
}

WebLogic Connection Pool with HSQLDB Data Store


This example shows you how to create or modify a data source to use the Credential Manager server
for credential retrieval. You can create data source definitions using the WebLogic Server
administration console or with Apache ANT scripts. The scripts use the wlconfig custom ANT task.

To integrate the A2A Client with your application, change the JDBC driver used by the data source. The
Credential Manager JDBC driver acts as a proxy JDBC driver serving any JDBC URL that is recognized
as a Credential Manager JDBC URL. In the data source configuration, you need to provide
information regarding the targeted driver and the alias to use in the special Credential Manager style
JDBC URL. The Credential Manager style JDBC URL format is:

cspm:[url];CSPMDriver=target.driver;CSPMAlias=alias

Form the Credential Manager URL as follows:

Ensure it begins with the cspm: prefix.

Follow the prefix by the normal JDBC URL, omitting any user/password specification; for example,
jdbc:hsqldb:hsql://localhost:9001/cspm1.

Set the URL to contain the CSPMDriver that indicates an explicit JDBC driver to use.

Assign the CSPMAlias, which is the alias for the database user in the Credential Manager server,
to the URL.

This low-level driver management for connection acquisition means that all new connections
obtained for a user whose database password has been changed (by the Credential Manager server)
are made using the new password. This action occurs automatically without any knowledge or
intervention by any owning data source.

While new connections are obtained using the new password, old connections that were obtained
using an old password may linger in the data source pool. Also, if the Credential Manager alias is
changed to a totally new user, then a connection pool has (at least temporarily) a mixture of
connections for different actual database users.

Such connection management by the CA Technologies driver ensures that database password
changes are completely transparent to the activities of the data source.

You can configure your data source either with the WebLogic console interface or with the ANT
scripts provided with this example.

The ANT scripts provided with this example automatically configure the required data sources, so this
step is optional.

Execute the following steps in the WebLogic console to create the data source that uses a Credential
Manager JDBC driver. Before starting make sure HSQLDB is running. See HSQL Database Usage (see
page ).

Use the following procedure to configure your data source using the WebLogic console.

Follow these steps:

1. From the main window of the console, navigate to Services > JDBC > Data Sources.

2. Click Lock & Edit.

3. Click New.

4. Enter a value for Name; for example, ExamplesDS.

5. Enter a value for JNDI Name; for example ExamplesDS.

6. For Database Type, select Other.

7. Click Next.

8. Select the appropriate Transaction Options.

9. Click Next.

10. For Database Name, enter cspm1.

11. For Host Name, enter localhost.

12. For Port, enter 9001.

13. Leave Database User Name blank.

14. Leave Password and Confirm Password blank.

15. Click Next.

16. For Driver Class Name, enter com.cloakware.jdbc.JdbcDriver.


17. For URL, enter:

cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;CSPMAlias=hsql;CSPMDriver=org.hsqldb.jdbcDriver

18. Leave Database User Name blank.

19. Leave Password and Confirm Password blank.

20. Leave Properties blank.

21. Leave Test Table Name blank.

22. Click Test Connection. WebLogic should display “Connection test succeeded” at the top of the
panel.

23. Click Next.

24. Select the target server.

25. Click Finish.

26. Click Activate Changes.

The following Apache ANT target shows you how to create a connection pool using the Credential
Manager JDBC Driver and the data source.

To configure the data source using the WebLogic WLConfig Apache ANT task:

<!-- Define the wlconfig task -->
<taskdef name="wlconfig" classname="weblogic.ant.taskdefs.management.WLConfig">
    <classpath path="${dir.bea.server.lib}/weblogic.jar"/>
</taskdef>

<!-- Target used to create a DataSource using Cloakware JdbcDriver -->
<target name="datasource.create" depends="">
    <wlconfig url="${weblogic.adminurl}"
              username="${weblogic.username}"
              password="${weblogic.password}">

        <query domain="${weblogic.domain}"
               type="Server" name="${weblogic.server}"
               property="adminserver"/>

        <create type="JDBCConnectionPool" name="${datasource.pool.name}"
                property="datasource.pool.cspm">
            <set attribute="CapacityIncrement" value="1"/>
            <set attribute="DriverName" value="com.cloakware.jdbc.JdbcDriver"/>
            <set attribute="InitialCapacity" value="5"/>
            <set attribute="MaxCapacity" value="10"/>
            <set attribute="RefreshMinutes" value="0"/>
            <set attribute="ShrinkPeriodMinutes" value="1"/>
            <set attribute="ShrinkFrequencySeconds" value="30"/>
            <set attribute="ShrinkingEnabled" value="true"/>
            <set attribute="TestConnectionsOnRelease" value="false"/>
            <set attribute="TestConnectionsOnReserve" value="true"/>
            <set attribute="URL" value="cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;CSPMAlias=hsql;CSPMDriver=org.hsqldb.jdbcDriver"/>
            <set attribute="Targets" value="${adminserver}"/>
            <set attribute="TestTableName" value="PUBLIC.TESTTBL"/>
        </create>

        <create type="JDBCDataSource"
                name="${datasource.ds.name}"
                property="datasource.cspm">
            <set attribute="JNDIName" value="CSPM${datasource.jndi.name}"/>
            <set attribute="PoolName" value="CSPM${datasource.pool.name}"/>
            <set attribute="Targets" value="${adminserver}"/>
        </create>
    </wlconfig>
</target>

Register WebLogic Requestor


See Add and Run Credential Manager A2A Requestors (https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors)
for the procedure to register your requestor with Credential Manager. Use the following data.

Parameter Description
Script Name com.cloakware.cspm.sample.web.CredentialsViewer
Execution Path C:\bea\user_projects\domains\cloakware
Type Java

Parameter Description
Script Name com.cloakware.client.jdbc.JdbcDriver
Execution Path C:\bea\user_projects\domains\cloakware
Type Java

HSQLDB is an SQL relational database engine written in Java. It is used in the example as the database
server. See also:

Register HSQLDB as a Target Application (see page )

Register Mapping between Request Server and Target Alias (see page )

HSQL Database Usage (see page )


Integrate a Java Application using WebSphere Community Edition

This example uses the A2A Client to manage the credentials used by a Java container JDBC
connection pool within WebSphere Application Server Community Edition (WebSphere CE).

Integration Process for WebSphere CE (see page 281)


Configure your Development Environment for WebSphere CE (see page 281)
Deploy and Run the Sample WebSphere CE Application (see page 285)
WebSphere CE Credential Viewer (see page 286)
WebSphere CE Connection Pool with HSQLDB Data Store (see page 288)
Register WebSphere CE Requestor (see page 289)

This example uses a credential viewer and an HSQLDB data store to show the following:

The credential viewer shows you how to view credentials stored in the Credential Manager server
using the CSPMClient Java class. Use this example for simple integration and to test the ability
to connect to Credential Manager and retrieve credentials. The example displays the credentials
to the screen.

The HSQLDB data store shows you how to configure a data store using the Credential Manager
JdbcDriver Java class to retrieve credentials and connect to an HSQLDB data store. The
example retrieves credentials and uses them to access a data store.

This example is available on all A2A Client installations in the following directories:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/examples/java/WebSphere_Sample

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/examples/java/WebSphere_Sample

File                     Description
ClassFactory.java        Class factory used to create the objects used in the example Web application. The class allows you to create the CSPMClient class and to perform a lookup in the Initial Context to retrieve the data source used to get a connection to the database.
CredentialsViewer.java   Servlet class used to connect to the Credential Manager server to retrieve credentials.
ConnectionTester.java    Servlet class used to create 10 connections to a database and execute a basic SQL statement. The class retrieves the DataSource class using the ClassFactory class.


Integration Process for WebSphere CE


Use the following process to modify your application to use the Credential Manager server to manage
credentials:

1. Configure development environment. See Configure your Development Environment for
WebSphere CE (see page 281).

2. Optionally, integrate the A2A Client to retrieve credentials. See WebSphere CE Credential
Viewer (see page 286).

3. Create or modify the data source file. See WebSphere CE Connection Pool with HSQLDB Data
Store (see page 288).

4. Register requestor. See Register WebSphere CE Requestor (see page 289).

Configure your Development Environment for WebSphere CE

You must configure your development environment for both WebSphere CE development and
Credential Manager integration.

The example contains an Apache ANT build file located in the build directory that you can use to
create the WAR file and to deploy it. The build file is compatible with ANT 1.6.5 and above.

Use the following procedure to configure your environment for WebSphere CE development.

Follow these steps:

1. Install WebSphere Application Server Community Edition 2.0. See http://www.ibm.com/developerworks/downloads/ws/wasce/.

2. Install Apache ANT 1.6.5 or above. See http://ant.apache.org/bindownload.cgi.

3. Set the ANT_HOME environment variable. See http://ant.apache.org/manual/install.html.

4. Install the Java Database HSQLDB 1.8.0. See http://sourceforge.net/project/showfiles.php?group_id=23316.

5. Set the HSQL_HOME environment variable to the path where you installed HSQL (for
example, opt/tools/hsqldb).

Use the following procedure to configure your environment for A2A Client integration with
WebSphere CE.

Follow these steps:

1. Create or add to the JAVA_OPTS environment variable:


UNIX:
-Djava.library.path=$CSPM_CLIENT_HOME/lib
-Dcspm_client_config_file=$CSPM_CLIENT_HOME/config/cspm_client_config.xml

Windows:
-Djava.library.path=%CSPM_CLIENT_HOME%\lib
-Dcspm_client_config_file=%CSPM_CLIENT_HOME%\config\cspm_client_config.xml

2. Edit the $WEBSPHERE_HOME/var/config/config.xml file. Locate the
<gbean name="TomcatAJPConnector"> XML element and modify the port attribute below it as
follows:
From:
<gbean name="TomcatAJPConnector">
<attribute name="host">${ServerHostname}</attribute>
<attribute name="port">${AJPPortPrimary}</attribute>
To:
<gbean name="TomcatAJPConnector">
<attribute name="host">${ServerHostname}</attribute>
<attribute name="port">8010</attribute>

3. Register the cspmclient.jar file with WebSphere CE as an artifact. To do so, log in to the
Administration Console and select Common Libs as follows:

a. Click Browse to locate the cspmclient.jar in the following locations:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/lib

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/lib

b. Enter cspmclient for Group.

c. Enter cspmclient for Artifact.

d. Enter 3.5 for Version.

e. Enter jar for Type.

f. Click Install to add the JAR file to the repository.

4. Register the cloakwareJdbc.jar file with WebSphere CE as an artifact. To do so, log in to
the Administration Console and select Common Libs as follows:

a. Click Browse to locate the cloakwareJdbc.jar in the following locations:

UNIX: $CSPM_CLIENT_HOME/cloakware/cspmclient/tools

Windows: %CSPM_CLIENT_HOME%/cloakware/cspmclient/tools

b. Enter cloakwareJdbc for Group.

c. Enter cloakwareJdbc for Artifact.

d. Enter 3.5 for Version.


e. Enter jar for Type.

f. Click Install to add the JAR file to the repository.

Use the following process to configure your environment for HSQLDB.

Follow these steps:

1. Register the hsqldb.jar file with WebSphere CE as an artifact. To do so, log in to the
Administration Console and select Common Libs as follows:

a. Click Browse to locate the hsqldb.jar in the following locations:

UNIX: $HSQL_HOME/lib

Windows: %HSQL_HOME%/lib

b. Enter hsqldb for Group.

c. Enter hsqldb for Artifact.

d. Enter 1.8.0.2 for Version.

e. Enter jar for Type.

f. Click Install to add the JAR file to the repository.

Use the following procedure to configure your database pool using the WebSphere CE Administration
Console.

Complete the following steps in the WebSphere CE console to create the data source that uses a
Credential Manager JDBC driver. Before starting, make sure HSQLDB is running. See HSQL Database
Usage (see page ).

Follow these steps:

1. From the main window of the console, navigate to the Database Pools display.

2. Click “Using the Geronimo database pool wizard” to create a new database pool.

3. Enter a value for Name of Database Pool. For the example Web application, you must enter
CSPMSampleDS.

4. Select Other for Database Type.

5. Click Next.

6. For JDBC Driver Class, enter com.cloakware.jdbc.JdbcDriver.

7. For Driver JAR, press the Ctrl key and select all of the following:

cspmclient/cspmclient/3.5/jar


cloakwareJdbc/cloakwareJdbc/3.5/jar

hsqldb/hsqldb/1.8.0.2/jar

8. Leave DB User Name blank.

9. Leave DB Password and Confirm Password blank.

10. Click Next.

11. For JDBC Connect URL, enter:

cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;CSPMAlias=hsql;CSPMDriver=org.hsqldb.jdbcDriver

12. Leave the Connection Pool Parameters blank.

13. Click Test Connection. WebSphere CE displays “Connected to HSQL Database Engine 1.8.0” at
the top of the panel.

14. Click Deploy.

To run the sample WebSphere CE application, create a second database pool as follows:

Follow these steps:

1. From the main window of the console, navigate to the Database Pools display.

2. Click “Using the Geronimo database pool wizard” to create a new database pool.

3. Enter SampleDS as the value for Name of Database Pool.

4. Select Other for Database Type.

5. Click Next.

6. Enter org.hsqldb.jdbcDriver for JDBC Driver Class.

7. Select hsqldb/hsqldb/1.8.0.2/jar for Driver JAR.

8. Enter TestUser for DB User Name.

9. Enter Test for DB Password and Confirm Password.

10. Click Next.

11. Enter jdbc:hsqldb:hsql://localhost:9001/cspm1 for JDBC Connect URL.

12. Leave the Connection Pool Parameters blank.

13. Click Test Connection. WebSphere CE displays “Connected to HSQL Database Engine 1.8.0” at
the top of the panel.


14. Click Deploy.

Deploy and Run the Sample WebSphere CE Application


Use the following procedure to compile and run the sample web application using an Apache ANT
task.

Follow these steps:

1. Ensure WebSphere CE is running and you have completed the following:

The steps to configure your environment for A2A Client integration with WebSphere CE,
described in Configure your Development Environment for WebSphere CE (see page 281)

The steps to configure your environment for HSQLDB, described in Configure your
Development Environment for WebSphere CE (see page 281)

The steps to configure your database pool using the WebSphere CE Administration
Console, described in WebSphere CE Connection Pool with HSQLDB Data Store (see page
288)

The steps to run the sample WebSphere CE application, described in WebSphere CE
Connection Pool with HSQLDB Data Store (see page 288)

2. With a text editor (such as Notepad or Vim), edit the build.properties file located in
the following directories:

UNIX: $CSPM_CLIENT_HOME/cspmclient/examples/java/WebSphere_Sample/build

Windows: %CSPM_CLIENT_HOME%/cspmclient/examples/java/WebSphere_Sample/build

3. Change the value of the dir.server property (for example, to
C:/Program Files/IBM/WebSphere/AppServerCommunityEdition) and save the file.

4. Open a command line window.

5. Change directory to the following:

UNIX: $CSPM_CLIENT_HOME/cspmclient/examples/java/WebSphere_Sample/build

Windows: %CSPM_CLIENT_HOME%/cspmclient/examples/java/WebSphere_Sample/build

6. Start the HSQLDB server by entering ant start.hsqldb.

7. Compile and deploy the example by entering ant.

8. Open a Web Browser.


9. Load the following page: https://localhost:8443/cspmWebsphereSample

WebSphere CE Credential Viewer


This example servlet shows you how to use the CSPMClient class to retrieve the credentials.

The CSPMClient class is created using a class factory.

Class File
package com.cloakware.cspm.sample.web;

import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.cloakware.jdbc.StatusCodeMapping;
import com.cloakware.cspm.client.CSPMClient;
import com.cloakware.cspm.sample.ClassFactory;

/**
 * This servlet class is used to retrieve credentials using the
 * CSPMClient class.<br>
 * <br>
 * The user enters a CSPMAlias Name and the servlet displays the information
 * returned by the CSPMClient class. <br>
 * <br>
 * Since the CSPMClient class only returns a status code, the base class
 * provides a class to convert the status code to a more meaningful sentence.
 */
public class CredentialsViewer extends HttpServlet {
    /* Attribute names */
    private final String ERROR_MSG = "errorMsg";

    /* Parameter names and attributes when refreshing the page */
    private final String ALIAS_NAME = "aliasName";
    private final String BYPASS_CACHE = "byPassCache";

    /* Attributes used when displaying credentials/response from
     * the CSPMClient class.
     */
    private final String RETURN_CODE = "returnCode";
    private final String RETURN_MSG = "returnMsg";
    private final String USERNAME = "username";
    private final String PASSWORD = "password";

    /* Error message */
    private final String MSG_ALIAS_EMPTY = "Alias cannot be empty";

    /* Response page */
    private final String TARGET_JSP = "/index.jsp";

    /**
     * Constructor of the object.
     */
    public CredentialsViewer() {
        super();
    }

    /**
     * Destruction of the servlet. <br>
     */
    public void destroy() {
        // Just puts "destroy" string in log
        super.destroy();
    }

    /**
     * The doGet method of the servlet. <br>
     *
     * This method is called when a form has its method attribute set to get.
     * The method retrieves the alias name and the value of the checkbox
     * indicating if the CSPMClient cache needs to be bypassed. It then calls
     * the retrieveCredentials method of the CSPMClient class and displays the
     * results. <br>
     * <br>
     * An error message is displayed if the alias name is missing.
     *
     * @param request
     *            the request sent by the client to the server
     * @param response
     *            the response sent by the server to the client
     * @throws ServletException
     *             if an error occurred
     * @throws IOException
     *             if an error occurred
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Retrieve the parameters
        String alias = (String) request.getParameter(ALIAS_NAME);
        Object byPassCache = request.getParameter(BYPASS_CACHE);

        // Make sure to redisplay the alias name.
        request.setAttribute(ALIAS_NAME, alias);
        request.setAttribute(BYPASS_CACHE,
                (byPassCache != null) ? "checked" : null);

        // if we have an alias
        if (alias != null && !"".equals(alias)) {
            // Class used to retrieve the credential.
            CSPMClient cspmClient = ClassFactory.getCSPMClient();

            // Retrieve the credentials.
            if (byPassCache == null) {
                cspmClient.retrieveCredentials(alias);
            } else {
                cspmClient.retrieveCredentials(alias, "true");
            }

            // Set the credentials in the request
            request.removeAttribute(ERROR_MSG);
            request.setAttribute(RETURN_CODE, cspmClient.getStatusCode());
            String statusMsg = StatusCodeMapping
                    .getStatusText(cspmClient);
            request.setAttribute(RETURN_MSG, statusMsg);
            request.setAttribute(USERNAME, cspmClient.getUserId());
            request.setAttribute(PASSWORD, cspmClient.getPassword());
        } else {
            // return an error message.
            request.setAttribute(ERROR_MSG, MSG_ALIAS_EMPTY);
            request.removeAttribute(RETURN_CODE);
        }

        // Get the request dispatcher
        RequestDispatcher dispatcher = getServletContext()
                .getRequestDispatcher(TARGET_JSP);

        // Forward to the jsp file to display the credentials
        dispatcher.forward(request, response);
    }
}

WebSphere CE Connection Pool with HSQLDB Data Store


This example shows you how to create or modify a data source to use the Credential Manager server
for credential retrieval. The data source definitions are created with the WebSphere CE
Administration Console.

To integrate the A2A Client with your application, change the JDBC driver used by the data source. The
Credential Manager JDBC driver acts as a proxy JDBC driver serving any JDBC URL that is recognized
as a Credential Manager JDBC URL. In the data source configuration, you need to provide
information regarding the targeted driver and the alias to use in the special Credential Manager style
JDBC URL. The Credential Manager style JDBC URL format is:

cspm:[url];CSPMDriver=target.driver;CSPMAlias=alias

Form the Credential Manager URL as follows:

Ensure it begins with the cspm: prefix.

Follow the prefix by the normal JDBC URL, omitting any user/password specification; for example,
jdbc:hsqldb:hsql://localhost:9001/cspm1.

Set the URL to contain the CSPMDriver that indicates an explicit JDBC driver to use.


Assign the CSPMAlias, which is the alias for the database user in the Credential Manager
server, to the URL.

This low-level driver management for connection acquisition means that all new connections
obtained for a user whose database password has been changed (by the Credential Manager server)
are made using the new password. This action occurs automatically without any knowledge or
intervention by any owning database pool.

While new connections are obtained using the new password, old connections that were obtained
using an old password may linger in the database pool. Also, if the Credential Manager alias is
changed to a totally new user, then a connection pool has (at least temporarily) a mixture of
connections for different actual database users.

Such connection management by the CA Technologies driver ensures that database password
changes are completely transparent to the database pool’s activities.
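
The URL rules given in this section and in the WebLogic connection pool section can be checked before a pool is deployed. The following Python lint is an added example, not part of the product or its samples; the function names, the list of credential property names, and the treatment of CSPMDriver and CSPMAlias as case-sensitive are assumptions.

```python
import re

REQUIRED_KEYS = ("CSPMDriver", "CSPMAlias")   # matched exactly as written on this page (assumption)
# Property names that would put a static credential in the URL (assumed list).
CREDENTIAL_KEYS = {"user", "username", "password", "pwd"}


def parse_cspm_url(url):
    """Split a cspm: URL into (wrapped JDBC URL, {CSPM property: value})."""
    compact = "".join(url.split())            # ignore line wraps while parsing
    if not compact.startswith("cspm:"):
        raise ValueError("URL does not begin with the cspm: prefix")
    target_parts, props = [], {}
    for part in compact[len("cspm:"):].split(";"):
        key, sep, value = part.partition("=")
        if sep and key in REQUIRED_KEYS:
            if key in props:
                raise ValueError(key + " given more than once")
            props[key] = value
        elif part:
            # Anything else belongs to the wrapped URL (some drivers use ';' too).
            target_parts.append(part)
    return ";".join(target_parts), props


def lint_cspm_url(url):
    """Return a list of findings; an empty list means the URL follows the documented form."""
    findings = []
    if any(ch.isspace() for ch in url.strip()):
        findings.append("URL contains whitespace (wrapped line?)")
    try:
        target, props = parse_cspm_url(url)
    except ValueError as exc:
        return findings + [str(exc)]
    if not target.startswith("jdbc:"):
        findings.append("wrapped URL is not a jdbc: URL")
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append("missing " + key)
    # The wrapped URL must omit any user/password specification.
    if re.search(r"//[^/@;]*:[^/@;]*@", target):
        findings.append("wrapped URL embeds user:password@ in the authority")
    for segment in re.split(r"[;?&]", target)[1:]:
        key = segment.partition("=")[0].strip().lower()
        if key in CREDENTIAL_KEYS:
            findings.append("wrapped URL carries a static credential property: " + key)
    return findings


# URL used by the ExamplesDS / CSPMSampleDS pools on this page.
PAGE_URL = ("cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;"
            "CSPMAlias=hsql;CSPMDriver=org.hsqldb.jdbcDriver")
# URL of the SampleDS pool, which uses a static user name and password instead.
PLAIN_URL = "jdbc:hsqldb:hsql://localhost:9001/cspm1"
# Constructed negative case: credentials left in the wrapped URL, alias missing.
LEFTOVER_URL = ("cspm:jdbc:hsqldb:hsql://localhost:9001/cspm1;user=TestUser;"
                "password=Test;CSPMDriver=org.hsqldb.jdbcDriver")

if __name__ == "__main__":
    for sample in (PAGE_URL, PLAIN_URL, LEFTOVER_URL):
        print(sample, "->", lint_cspm_url(sample) or "OK")
```
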

Register WebSphere CE Requestor


See Add and Run Credential Manager A2A Requestors (https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors)
for the procedure to register your requestor with Credential Manager. Use the following data.

Parameter Description
Script Name com.cloakware.cspm.sample.web.CredentialsViewer
Execution Path C:\Program Files (x86)\IBM\WebSphere\AppServerCommunityEdition\bin
Type Java

Parameter Description
Script Name com.cloakware.client.jdbc.JdbcDriver
Execution Path C:\Program Files (x86)\IBM\WebSphere\AppServerCommunityEdition\bin
Type Java

HSQLDB is an SQL relational database engine written in Java. It is used in the example as the database
server. See also:

Register HSQLDB as a Target Application (see page )

Register Mapping between Request Server and Target Alias (see page )

HSQL Database Usage (see page )


Integrate Apps to Use the Credential Manager A2A Client on UNIX

This section includes examples of UNIX applications that have been integrated to use Credential
Manager to retrieve target account credentials using the A2A Client.
Integrate a Perl Script with A2A Client on UNIX (see page 290)
Integrate a C or C++ Application with A2A Client on UNIX (see page 291)
Integrate a Korn Shell Script with A2A Client on UNIX (see page 294)
Integrate a C Shell Script with A2A Client on UNIX (see page 296)
Integrate a PHP Script with A2A Client on UNIX (see page 297)
Integrate a Python Script with A2A Client on UNIX (see page 298)

Integrate a Perl Script with A2A Client on UNIX


This example uses the example.pl script in the $CSPM_CLIENT_HOME/cspmclient/examples
directory. It uses a UNIX executable to integrate the A2A Client (cspmclient).

Code: Perl Script with A2A Client on UNIX


#!/usr/bin/perl -w

use strict;
use lib "/opt/cloakware/cspmclient/lib";
use CSPM_CLIENT;

my ($alias, $answer, $bypass_cache, $command, $password, $rc, $userid, $msg,
    @array, $isXMLOutput, $argv);

$msg = "";
$bypass_cache = "";
$alias = "";
$isXMLOutput = 0;

# -x on the command line selects XML output
foreach $argv (@ARGV) {
    if ($argv eq "-x") {
        $isXMLOutput = 1;
    }
}

# $GETCR = "GET CRedentials" ; defined in the CSPM_CLIENT.pm
# it is the main and only call when using Perl to retrieve
# the userid and password from the Password Authority Server

$command = qq{$GETCR @ARGV};
$answer = `$command`;

if ($isXMLOutput) {
    print qq($answer\n);
} else {
    # Output fields: return code, user ID, password, then an optional message
    @array = split(/\s+/, $answer);
    print qq(Return Code: $array[0]\n);
    print qq(UserID: $array[1]\n);
    print qq(Password: $array[2]\n);

    # 400 is the success code; anything else carries a message
    if ($array[0] ne "400") {
        for my $i (3..$#array) {
            $msg = $msg." ".$array[$i];
        }
        print qq(Message: $msg\n);
    } else {
        print qq(PASSED\n);
    }
}

# End of Main

__END__

Register Requestor - Perl Script with A2A Client on UNIX


See Add and Run Credential Manager A2A Requestors (https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors)
for the procedure to register your requestor with Credential Manager. Use the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, example.pl.

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, Perl.

When entering the file and execution paths, you must specify the absolute paths without links.

Integrate a C or C++ Application with A2A Client on UNIX

This example uses the example.c script in the $CSPM_CLIENT_HOME/cspmclient/examples
directory. It uses a UNIX executable to integrate the A2A Client (cspmclient).

The path to the binary client depends on CSPM_CLIENT_HOME being set. For the A2A Client, the
path is $CSPM_CLIENT_HOME/cspmclient/bin/cspmclient.


The A2A Client (cspmclient) accepts up to two command line arguments. This example accepts
and passes those arguments from the command line:

argv[1]. Provides the target alias name. This argument is mandatory.

argv[2]. Provides the Bypass Cache Flag, which can be true or false. The default is false.
This argument is optional.

The example.c script has been compiled to produce the example_c_interface_java
executable also located in the $CSPM_CLIENT_HOME/cspmclient/examples directory.

Code: C Application with A2A Client on UNIX


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CSPM_CLIENT_BINARY "/cspmclient/bin/cspmclient"
#define BUF_SIZE 256

int main (int argc, char **argv)
{
    FILE *results_file;

    /* Declarations, Allocations & Initializations */

    int error = 0;
    int lines_read = 0;
    int length;

    char *cspm_client_home;
    char *return_code = NULL, *userid = NULL, *password = NULL;

    char a_buffer[BUF_SIZE];
    char command[BUF_SIZE];
    char bypass_cache_flag[BUF_SIZE];

    memset(a_buffer,'\0',BUF_SIZE);
    memset(command,'\0',BUF_SIZE);
    memset(bypass_cache_flag,'\0',BUF_SIZE);

    /* Validate Command Line Arguments */

    if ( argv[1] == NULL ) {
        printf("\nERROR: arg[1] cannot be NULL\n\n");
        exit(1);
    }

    /* snprintf bounds the copy; argv values can be longer than BUF_SIZE */
    if ( argv[2] == NULL ) {
        printf("\nNo Bypass Cache Flag provided - will use the default\n");
        snprintf(bypass_cache_flag, BUF_SIZE, "%s", "false");
    } else {
        snprintf(bypass_cache_flag, BUF_SIZE, "%s", argv[2]);
    }

    /* Get the CSPM_CLIENT_HOME */

    cspm_client_home=getenv("CSPM_CLIENT_HOME");

    if ( cspm_client_home == NULL ) {
        printf("\nGlobal Environment Variable CSPM_CLIENT_HOME is not set\n");
        exit(1);
    }

    /*
       Command Line Creation
       NOTE: No space in the format string for the first 2 list elements - %s%s
    */

    length = snprintf (
        command,
        BUF_SIZE,
        "%s%s %s %s",
        cspm_client_home,
        CSPM_CLIENT_BINARY,
        argv[1],
        bypass_cache_flag
    );

    if ( length < 0 || length >= BUF_SIZE ) {
        printf("\nCommand line is too long\n");
        exit(1);
    }

    /* We will be using a popen call to execute but also to retrieve
       the standard output returned by the client execution.
       popen passes the command line to the shell, so argv[1] and argv[2]
       must come from a trusted caller. */

    results_file = popen(command, "r");

    if ( results_file == NULL ) {
        printf("\nFailed to execute the client\n");
        exit(1);
    }

    while ( fgets(a_buffer,BUF_SIZE,results_file) != NULL ) {
        lines_read++;

        /* Parse the output to retrieve the fields we are interested in */

        if( (return_code = (char *) strtok(a_buffer," ")) != NULL ) {
            if ( (userid = (char *) strtok(NULL," ")) != NULL ) {
                /* " \n" also drops the newline that fgets keeps */
                if ( (password = (char *) strtok(NULL," \n")) == NULL )
                    error = 1;
            }
            else
                error = 1;
        }
        else
            error = 1;
    }

    pclose(results_file);

    /* No output at all leaves the three fields unset */
    if ( lines_read == 0 )
        error = 1;

    /* Print results */

    if ( error ) {
        printf("\nFailed to retrieve the credentials\n");
        exit(99);
    } else {
        printf("\nreturn_code:\t%s\n",return_code);
        printf("userid:\t\t%s\n",userid);
        printf("password:\t%s\n",password);
    }

    return 0;
}

Register Requestor - C or C++ Application with A2A Client on UNIX

See Add and Run Credential Manager A2A Requestors (https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors)
for the procedure to register your requestor with Credential Manager. Use the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension. For example, example.c.

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type. For example, C or C++.

When entering the file and execution paths, you must specify the absolute paths without links.

Integrate a Korn Shell Script with A2A Client on UNIX

This example uses the example.ksh script in the $CSPM_CLIENT_HOME/cspmclient/examples
directory. It uses a UNIX executable to integrate the A2A Client (cspmclient).

The example applies to the Korn shell (#!/bin/ksh).

The path to the binary client depends on CSPM_CLIENT_HOME being set.

The A2A Client (cspmclient) accepts up to two command line arguments. This example accepts
and passes these arguments from the command line:

$1. Provides the target alias name. This argument is mandatory.

$2. Provides the Bypass Cache Flag, which can be true or false. The default is false. This
argument is optional.

Code: Korn shell script with A2A Client on UNIX


#!/bin/ksh
CSPM_CLIENT_BINARY="/cspmclient/bin/cspmclient"

# Validate Required Arguments

if [ -z "$CSPM_CLIENT_HOME" ]
then
    echo "Global Environment Variable CSPM_CLIENT_HOME is not set"
    echo "Aborting..."
    exit 1
fi

if [ -z "$1" ]
then
    echo "No Target Alias provided "
    echo "Aborting..."
    exit 2
else
    target_alias="$1"
fi

if [ -z "$2" ]
then
    bypass_cache="false"
else
    bypass_cache="$2"
fi

# Action

command="$CSPM_CLIENT_HOME$CSPM_CLIENT_BINARY $target_alias $bypass_cache"

result=`$command`

# Output fields: return code, user ID, password
return_code=`echo $result | awk '{print($1)}'`
userid=`echo $result | awk '{print($2)}'`
password=`echo $result | awk '{print($3)}'`

echo "Return Code: $return_code"
echo "User ID: $userid"
echo "Password: $password"

Register Requestor - Adding a Korn shell script with A2A Client on UNIX

See Add and Run Credential Manager A2A Requestors (https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors)
for the procedure to register your requestor with Credential Manager. Use the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, example.ksh.

File path. The absolute path to the application file that contains the executable call.


Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, Korn shell script.

When entering the file and execution paths, you must specify the absolute paths without links.

Integrate a C Shell Script with A2A Client on UNIX


This example uses the example.csh script in the $CSPM_CLIENT_HOME/cspmclient/examples
directory. It uses a UNIX executable to integrate the A2A Client (cspmclient).

The path to the binary client depends on CSPM_CLIENT_HOME being set.

The A2A Client (cspmclient) accepts up to two command line arguments. This example accepts
and passes these two arguments from the command line:

$1. This argument provides the target alias name. This argument is mandatory.

$2. This argument provides the Bypass Cache Flag, which can be true or false. The default is
false. This argument is optional.

Code: C Shell Script with A2A Client on UNIX


#!/bin/csh
set CSPM_CLIENT_BINARY="/cspmclient/bin/cspmclient"

# Validate Required Arguments

# $?name is 1 when the variable is set; expanding an unset variable aborts csh
if ( ! $?CSPM_CLIENT_HOME ) then
    echo "Global Environment Variable CSPM_CLIENT_HOME is not set"
    echo "Aborting..."
    exit 1
endif

if ( "$1" == "" ) then
    echo "No Target Alias provided "
    echo "Aborting..."
    exit 2
else
    set target_alias="$1"
endif

if ( "$2" == "" ) then
    set bypass_cache="false"
else
    set bypass_cache="$2"
endif

# Action

set command="$CSPM_CLIENT_HOME$CSPM_CLIENT_BINARY $target_alias $bypass_cache"

set result=`$command`

# Output fields: return code, user ID, password
set return_code=`echo $result | awk '{print($1)}'`
set userid=`echo $result | awk '{print($2)}'`
set password=`echo $result | awk '{print($3)}'`

echo "Return Code: $return_code"
echo "User ID: $userid"
echo "Password: $password"

Register Requestor - C shell Script with A2A Client on UNIX


See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, example.csh.

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, C shell script.

When entering the file and execution paths, you must specify the absolute paths without links.

Integrate a PHP Script with A2A Client on UNIX


The following PHP script uses a UNIX executable to integrate the A2A Client (cspmclient). Your
installed A2A Client does not contain a soft copy of this script.

Code: PHP Script with A2A Client on UNIX


<?php

##########################################
#
# Php example. To execute, do:
# prompt> php test2.php
#
##########################################

$alias="test";
$bypassCacheFlag="false";

$data = getCredential($alias,$bypassCacheFlag);
echo "Return code: $data[retCode]\n";
echo "User name: $data[user]\n";
echo "Password: $data[password]\n";

function getCredential($inAlias,$inFlag){

    $exec = "/opt/cloakware/cspmclient/bin/cspmclient";
    # escapeshellarg() keeps each argument a single literal word for the shell that popen() starts
    $command = "$exec " . escapeshellarg($inAlias) . " " . escapeshellarg($inFlag);
    $hndl=popen($command,'r') or die ("Unable to open pipe for command $command\n");

    echo "About to execute command: $command\n";

    $retVal=fread($hndl,2096) or die ("Unable to execute command $command\n");
    pclose($hndl);

    # The client prints three fields: return code, user ID, password
    $n = sscanf($retVal, "%s %s %s", $retCode, $user, $password);
    $arr=array("retCode" => $retCode,
               "user" => $user,
               "password" => $password);
    return $arr;
}
?>

Register Requestor - PHP Script with A2A Client on UNIX


See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, the name of the PHP script example given in Code: PHP
Script with A2A Client on UNIX (see page ).

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, PHP.

When entering the file and execution paths, you must specify the absolute paths without links.

Integrate a Python Script with A2A Client on UNIX


The following Python script uses a UNIX executable to integrate the A2A Client (cspmclient). Your
installed A2A Client does not contain a soft copy of this script.

Code: Python Script with A2A Client on UNIX


#!/usr/bin/env python

import os
import sys

def getCredential(alias, cacheflag, optflag):
    # Command line: client path, target alias, bypass-cache flag, option flag
    cmd = "/opt/cloakware/cspmclient/bin/cspmclient" + " " + alias + " " + cacheflag + " " + optflag
    # print(cmd)
    f = os.popen(cmd)
    retVal = f.read()
    f.close()
    print(retVal)

if __name__ == "__main__":
    alias = ""
    cacheflag = ""
    optflag = ""

    argc = len(sys.argv)
    if argc > 1:
        alias = sys.argv[1]
    # A lone second argument is either the bypass-cache flag or the -x option
    if (argc == 3) and (sys.argv[2] != "-x"):
        cacheflag = sys.argv[2]
    elif (argc == 3) and (sys.argv[2] == "-x"):
        optflag = sys.argv[2]
    elif argc == 4:
        # Both given: bypass-cache flag first, then the option
        cacheflag = sys.argv[2]
        optflag = sys.argv[3]
    getCredential(alias, cacheflag, optflag)

Register Requestor - Python Script with A2A Client on UNIX


See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension. For example, the name of the Python script example given in Code:
Python Script with A2A Client on UNIX (see page ).

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, Python.

When entering the file and execution paths, you must specify the absolute paths without links.
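
The PHP and Python scripts above pass a concatenated command string to a shell and print the password. The following Python 3 wrapper is an added example, not code shipped with the A2A Client: it passes the alias as a single argument without a shell, accepts only return code 400, and keeps the password out of repr(). The alias pattern, the class and function names, and the stand-in client used by the demo are assumptions of this example.

```python
import os
import re
import subprocess
import sys
import tempfile

# Client path used by the PHP and Python scripts on this page.
CSPMCLIENT = "/opt/cloakware/cspmclient/bin/cspmclient"
# Return code that the Perl, Visual Basic and Visual C++ examples treat as success.
SUCCESS = "400"
# Assumption of this example: aliases use a conservative character set.
ALIAS_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")


class CredentialError(Exception):
    """The client ran but did not return a usable credential."""


class Credential:
    """User ID and password returned by the client; repr() hides the password."""

    def __init__(self, userid, password):
        self.userid = userid
        self.password = password

    def __repr__(self):
        return "Credential(userid=%r, password=<redacted>)" % (self.userid,)


def get_credential(alias, bypass_cache=False, client_argv=(CSPMCLIENT,)):
    """Run the A2A Client for one alias and return a Credential."""
    # fullmatch() also rejects a trailing newline, which "$" would let through.
    if not ALIAS_RE.fullmatch(alias):
        raise ValueError("target alias contains characters outside the allowed set")
    argv = list(client_argv) + [alias, "true" if bypass_cache else "false"]
    # Argument list and no shell: the alias reaches the client as one
    # argument and is never parsed as shell syntax.
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True, timeout=30)
    # Output layout taken from the scripts on this page:
    # "<return code> <user ID> <password>".
    fields = proc.stdout.split()
    code = fields[0] if fields else "no output"
    if code != SUCCESS or len(fields) < 3:
        # Report only the return code, never the remaining fields.
        raise CredentialError("cspmclient returned %s" % code)
    return Credential(fields[1], fields[2])


def write_constructed_stub(directory):
    """Write a stand-in for cspmclient (constructed for this demo only).

    Returns the argv prefix that runs it. It answers one alias with a 400
    line and everything else with a constructed failure line.
    """
    path = os.path.join(directory, "fake_cspmclient.py")
    with open(path, "w") as fh:
        fh.write("import sys\n"
                 "ok = sys.argv[1] == 'testalias'\n"
                 "print('400 appuser s3cr3t' if ok else '407 null null')\n")
    return (sys.executable, path)


def demo():
    """Exercise the wrapper against the stand-in client."""
    stub = write_constructed_stub(tempfile.mkdtemp())
    results = [repr(get_credential("testalias", client_argv=stub))]
    for alias in ("otheralias", "testalias; id"):
        try:
            get_credential(alias, client_argv=stub)
        except (ValueError, CredentialError) as exc:
            results.append("%s -> %s" % (alias, type(exc).__name__))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```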

Integrate Apps to Use the Credential Manager A2A Client on Windows

The content in this section provides examples of Windows applications that have been integrated to
use Credential Manager to retrieve target account credentials using the A2A Client.

If you are using A2A Clients and the data returned (accounts and passwords) is limited to ANSI
characters, no character set conversion is required. The client returns ANSI characters as single-byte
UTF-8 characters. However, if you are using A2A Clients and the data returned includes non-ANSI
UTF-8 characters, a character conversion may be required. Contact CA Support for assistance, and
reference UTF-16 conversion.
Integrate a Perl Script with A2A Client on Windows (see page 300)
Integrate a Visual Basic Application (see page 301)
Integrate a Visual C++ Application (see page 303)
Integrate a C#.NET Application using IIS Application Server (see page 306)
Integrate a Visual Basic, Java, or Windows Script (see page 311)

Integrate a Perl Script with A2A Client on Windows

The following Perl script uses a Windows Perl Module (CSPM_CLIENT_WIN.pm) to integrate the
A2A Client (cspmclient.exe). Your installed A2A Client contains CSPM_CLIENT_WIN.pm but
does not contain a soft copy of the following script.
Code: Perl Script with A2A Client on Windows (see page 300)
Register Requestor - Perl Script with A2A Client on Windows (see page 301)

Code: Perl Script with A2A Client on Windows


#!/c:/perl/bin/perl -w
#Example to show how to get account info by using perl in windows.
#Need to: 1) Include a module, CSPM_CLIENT_WIN.pm.
#         2) Use the $EXEC string from the module.
#         3) Add Target server alias.

use strict;
use warnings;
use lib "c:/cspm/cloakware/cspmclient/lib";
use CSPM_CLIENT_WIN;

my $exec=$EXEC . "targetAlias" ;
my $param=`$exec`;
my @param2 = split(/\s+/,$param);

my $errorCode=$param2[0];
if($errorCode eq '400')
{
    my $userID=$param2[1];
    my $passWd=$param2[2];
    print "userId = " . $userID . "\n";
    print "password = " . $passWd . "\n";
}
else
{
    print "Failed to retrieve credentials... errorcode=" . $errorCode;
}

Register Requestor - Perl Script with A2A Client on Windows


See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, the name of the Perl script example given in Code: Perl
Script with A2A Client on Windows (see page ).

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, Perl.

When entering the file and execution paths, you must specify the absolute paths without links.

Integrate a Visual Basic Application


This example uses a Visual Basic project (Project1.vbp) and the VB_Sample.exe executable in
the $CSPM_CLIENT_HOME\cloakware\cspmclient\examples\VB_Sample directory. It
uses the CA Technologies MFC DLL (cspmclientc.dll) to integrate the A2A Client.
Code: Visual Basic Application (see page 301)
Register Requestor - Visual Basic Application (see page 303)

Code: Visual Basic Application


' From within your VB project:
' Select Project
' Projects
' From the References window, select Browse.
' Navigate to c:\cspm\cloakware\cspmclient\lib\
' Select the cspmclientc.dll file.
'
' Your project will now have a reference to the cspmclientc.dll.
'
' Next you need to uncomment the line - 'Dim X As New ccspmclientc' from the Command1_Click() method
'

Private Sub Command1_Click()

    '*** Uncomment the following line

    'Dim X As New ccspmclientc

    Dim ret As Long

    Dim userId As String
    Dim password As String
    Dim targetAlias As String
    Dim options As String
    Dim xml As String
    Dim bypassCache As String
    Dim xmlOutput As Boolean
    xmlOutput = False

    bypassCache = "false"

    targetAlias = Me.targetAliasName

    If (Me.bypassCacheCheck.Value = vbChecked) Then
        bypassCache = "true"
        options = options + "-b"
    End If

    If (Me.xmlOutputCheck.Value = vbChecked) Then
        options = options + " -x"
        xmlOutput = True
    End If

    'Uncomment the line - 'Dim X As New ccspmclientc' - at the beginning of this method if you get an error on this line.
    ret = X.retrieveCredentials(targetAlias, bypassCache, options)

    If (xmlOutput) Then
        Me.results = X.getXMLData
    Else
        If (ret = 400) Then

            userId = X.getUserId()
            password = X.getPassword()
            xml = X.getXMLData

            MsgBox "userId = " + userId + ", password=" + password + Chr$(13) + xml, vbOKOnly, Me.Caption

        Else
            MsgBox "Failed to process request with errorCode: " + CStr(ret), vbOKOnly, Me.Caption
        End If
    End If
End Sub

Register Requestor - Visual Basic Application


See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, VB_Sample.exe.

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, Visual Basic.

When entering the file and execution paths, you must specify the absolute paths without links.

Integrate a Visual C++ Application


This example uses the VC_Sample.dsp project file and the VC_Sample.cpp file in the
$CSPM_CLIENT_HOME\cloakware\cspmclient\examples\VC_Sample directory. It uses
the CA Technologies MFC DLL to integrate the A2A Client.
Code: Visual C++ Application (see page )
Register Requestor - Visual C++ Application (see page )

Code: Visual C++ Application


// VC_Sample.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <afxwin.h>
#include <atlbase.h>

#import "c:\cspm\cloakware\cspmclient\lib\cspmclientc.tlb"

#define ERROR_CODE_SUCCESS 400
#define ERROR_CODE_BADPARAM 407

int main(int argc, char* argv[])
{
    USES_CONVERSION;
    _bstr_t targetAlias = _bstr_t("sample");
    _bstr_t bypassFlg = _bstr_t("false");
    _bstr_t bstrUserId, bstrPassword, bstrXMLData, bstrMessage;
    _bstr_t cliOpt = _bstr_t("");
    char* userId;
    char* password;
    char* xmlData;
    char* message;
    char *szTmp;
    BOOL isXMLOutput = FALSE;
    HRESULT hr;
    CLSID cls;

    using namespace Cspmclientc;

    if(argc>1)
    {
        targetAlias = _bstr_t(argv[1]);
        for (int pos = 2; pos < argc; pos++){
            if(pos == 2 && argv[pos][0] != '-'){
                bypassFlg = _bstr_t(argv[pos]);
            }else{
                if(!strcmp(argv[pos],"-x"))
                    isXMLOutput = TRUE;
                cliOpt = cliOpt+ " "+_bstr_t(argv[pos]);
            }
        }
        // Initializing the COM component
        CoInitialize(NULL);
        hr = CLSIDFromProgID(OLESTR("cspmclientc.ccspmclientc"), &cls);
        Iccspmclientc *t = NULL;
        if(SUCCEEDED(hr))
            hr = CoCreateInstance(cls,NULL,CLSCTX_INPROC_SERVER, __uuidof(Iccspmclientc),(LPVOID*) &t);
        // Stop here if the component is not registered or cannot be created
        if(FAILED(hr)){
            printf("Unable to create cspmclientc.ccspmclientc: 0x%08lx\n", hr);
            CoUninitialize();
            return 1;
        }

        //printf("Retrieving credentials for %s\n",(char* )targetAlias);

        int retVal = -1;
        retVal = t->retrieveCredentials(targetAlias,bypassFlg,cliOpt); //call method

        // Each _bstr_t releases its BSTR when it goes out of scope,
        // so the strings are not passed to SysFreeString() here
        if(isXMLOutput){
            bstrXMLData = t->getXMLData();
            xmlData = OLE2T(bstrXMLData);
            printf("Block data: %s\n", xmlData);

        }else if(retVal==ERROR_CODE_SUCCESS){

            bstrUserId = t->getUserId();
            bstrPassword = t->getPassword();

            userId= OLE2T(bstrUserId);
            password= OLE2T(bstrPassword);

            printf("ErrorCode: %i\n",retVal);
            printf("UserID: %s\n", userId);
            printf("Password: %s\n", password);

        }else{

            bstrMessage = t->getMessage();
            message = OLE2T(bstrMessage);
            printf("ErrorCode: %i\n",retVal);
            printf("UserID: %s\n", "null");
            printf("Password: %s\n", "null");
            printf("Message: %s\n", message);
        }

        t->Release();

        CoUninitialize();
    }else{
        printf("ErrorCode: %i\n",ERROR_CODE_BADPARAM);
        printf("UserID: %s\n", "null");
        printf("Password: %s\n", "null");
    }
    return 0;
}

Register Requestor - Visual C++ Application


See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, VC_Sample.cpp.

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, Visual C++.

When entering the file and execution paths, you must specify the absolute paths without links.

Integrate a C#.NET Application using IIS Application Server

This example uses the A2A Client to manage the credentials used by a C#.NET connection class within
an Internet Information Service (IIS) application server. The example uses a Windows DLL
(cspmclientc.dll) to integrate the A2A Client.

Integration Process for IIS (see page 306)


Deploy and Run the Sample IIS Application (see page 307)
Configure your Development Environment for IIS (see page 307)
IIS Credential Viewer (see page 308)
IIS Connection with SQL Server 2005 Express Edition Data Store (see page 309)
Register IIS Requestor (see page 310)
Register SQL Server 2005 Express Edition as a Target Application (see page 310)

This example uses a credential viewer and an SQL Server 2005 Express Edition data store to show the
following:

The credential viewer shows you how to view credentials stored in the Credential Manager server
using the CSPMClient COM component. Use this example for simple integration and to test the
ability to connect to Credential Manager and retrieve credentials. The example displays the
credentials to the screen.

The SQL Server 2005 Express Edition data store shows you how to configure a connection string
used by the Connection class to retrieve credentials and connect to an SQL Server 2005
Express Edition data store. The example retrieves credentials and uses them to access a data
store.

This example is available on A2A Client Windows installations, in the
$CSPM_CLIENT_HOME\cloakware\cspmclient\examples\Csharp\IIS directory:

File                     Description
ConnectionFactory.cs     Class used to create an SQLConnection object. The object is used to
                         connect to the data store and perform SQL queries.
CspmClientComObject.cs   Implementation of the CSPMClient interface. The class is used to retrieve
                         the credentials from the CA Privileged Access Manager appliance.
Connect.aspx             ASP page used to open a connection to a data store. The page creates the
                         Connection object using the ConnectionFactory class.
Web.config               Configuration file showing how to configure a connection string for SQL
                         Server 2005 Express Edition. The connection string is passed to the
                         ConnectionFactory class.

Integration Process for IIS


Use the following procedure to modify your application to use Credential Manager to manage
credentials.

Follow these steps:

1. Configure development environment. See Configure your Development Environment for IIS
(see page 307).

2. Optionally, integrate the A2A Client to retrieve credentials. See IIS Credential Viewer (see
page 308).

3. Create or modify the context file. See IIS Connection with SQL Server 2005 Express Edition
Data Store (see page 309).

4. Register requestor. See Register IIS Requestor (see page 310).

Deploy and Run the Sample IIS Application


Use the following procedure to compile and deploy the sample Web application using Visual Studio
2005.

Follow these steps:

1. Ensure IIS is running.

2. Open the IIS Manager and create a virtual directory called iCSPM.

3. Open Visual Studio 2005 with Visual C# 2005.

4. Build the solution.

5. Click iCSPM project.

6. Select Publish iCSPM to deploy the application to IIS.

7. Open a Web browser.

8. Load the following page: http://localhost/iCSPM/.

Configure your Development Environment for IIS


You must configure your development environment for IIS development.

The example contains a Visual Studio 2005 project that you can use to build the Web application and
to deploy it.

Use the following procedure to configure your environment for IIS development.

Follow these steps:

1. Install ASP.NET Framework 2.0. See http://msdn2.microsoft.com/en-us/netframework/default.aspx.

2. Ensure the Internet Information Service (IIS) is installed.

Note: If the target server is running a 64-bit version of Windows, ensure the 32-bit version of
the ASP.NET Framework is enabled.

3. Enable the 32-bit version of ASP.NET. Access http://support.microsoft.com/kb/894435 and
read section “ASP.NET 2.0, 32-bit version”.

4. Install SQL Server 2005 Express Edition. See http://msdn2.microsoft.com/en-us/express/bb410791.aspx.

5. Ensure the Microsoft Visual Studio 2005 and Microsoft Visual C# are installed.

IIS Credential Viewer


This example shows you how to use the CSPMClient class to retrieve the credentials.

You create the CSPMClient class using a class factory.

Class File
using System;

namespace iCSPM
{
    public partial class Default : System.Web.UI.Page
    {
        private const string ERR_MISSING_ALIAS = "Alias cannot be empty";

        protected void ViewBtn_Click(Object sender, EventArgs e)
        {
            // if the alias is missing
            if (aliasName.Text.Length == 0)
            {
                // Report the error
                errorMsg.Visible = true;
                errorMsg.Text = ERR_MISSING_ALIAS;
            }
            else
            {
                // Hide the error message field
                errorMsg.Visible = false;

                // Show the result table.
                resultTable.Visible = true;

                // Create CSPMClient COM Object
                CspmClientObject obj;
                if (useComObject.Checked)
                {
                    obj = new CspmClientComObject();
                }
                else
                {
                    obj = new CspmClientObject();
                }

                // Retrieve the credentials
                Int32 statusCode = obj.RetrieveCredentials(aliasName.Text,
                    byPassCache.Checked ? "true" : "false", "");

                // Initialize the return values.
                returnCode.Text = statusCode.ToString();
                returnMsg.Text = obj.GetStatusMsg(statusCode);
                username.Text = obj.GetUserId;
                password.Text = obj.GetPassword;

                // Done with the object.
                obj.Dispose();
            }
        }
    }
}

IIS Connection with SQL Server 2005 Express Edition Data Store

This example shows you how to create or modify a connection string used by the Credential Manager
ConnectionFactory class. Use the ConfigurationManager class to retrieve the connection
string from the Web.config file.

To integrate the A2A Client with your application, change the mechanism to create the connection.
The Credential Manager ConnectionFactory retrieves the credentials using the A2A Client
interface and then creates an SqlConnection object. In the Web.config file, you need to add
the information regarding the alias to use. You add the alias as a parameter at the end of the
connection string. The User ID and password parameters need to remain in the connection
string as placeholders for the credentials, but leave them blank. The following is an example:
server=(local)\SQLExpress;database=CSPMTest;uid=;pwd=;CSPMAlias=sql_svr

This management for connection acquisition means that all new connections obtained for a user
whose database password has been changed (by the Credential Manager server) are made using the
new password. This action occurs automatically without any knowledge or intervention by the
owning connection pool.

While new connections are obtained using the new password, old connections that were obtained
using an old password may linger in the connection pool. Also, if the Credential Manager alias is
changed to a totally new user, then a connection pool has (at least temporarily) a mixture of
connections for different actual database users.

Such connection management ensures that database password changes are completely transparent
to connection activities.

The configuration file used in the example is located in
$CSPM_CLIENT_HOME\cloakware\cspmclient\examples\Csharp\IIS.

Data Source
<configuration>
    <connectionStrings>
        <add name="CSPMSampleDS"
             connectionString="server=(local)\SQLExpress;database=CSPMTest;uid=;pwd=;CSPMAlias=sql_svr"
             providerName="System.Data.SqlClient"/>
    </connectionStrings>
</configuration>

Register IIS Requestor


See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

Parameter Description
Script Name w3wp.exe
Execution Path C:\WINDOWS\SysWOW64\inetsrv
Type C

Register SQL Server 2005 Express Edition as a Target Application

See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

Parameter Description
Application Name SQL Server 2005 Express Edition
Application Type MSSQL
Instance SQLEXPRESS

Parameter Description
Application SQL Server 2005 Express Edition
Application Name admin
Password admin

Parameter Description
Target Alias Name sql_svr
Application SQL Server 2005 Express Edition
Account admin

Integrate a Visual Basic, Java, or Windows Script


Scripts can be run from any application, such as Microsoft Internet Explorer.

Visual Basic Script (see page 311)


Java Script (see page 312)
Windows Script (see page 313)

Visual Basic Script


This example uses a Visual Basic script sample (VBScriptSample.html) in the
$CSPM_CLIENT_HOME\cloakware\cspmclient\examples\VB_Script_Sample
directory. It uses the CA Technologies ATL DLL (cspmclientatl.dll) to integrate the A2A Client.

Code: Visual Basic Script


<html>
<head>
</head>
<body>
<script type="text/vbscript">

    dim myobj
    dim ret

    set myobj = CreateObject("cspmclientatl.ccspmclientatl")

    document.write(" cspmclientatl dll is loaded. ")

    ret= myobj.retrieveCredentials( "test","false", "whatever")

    document.write(" The return value is: " & ret & ".")

    ret= myobj.getUserId()
    document.write(" User: " & ret & ",")

    ret= myobj.getPassword()
    document.write(" Password: " & ret & ",")

    ret= myobj.getXMLData()
    document.write(" XML data is: " & ret)

</script>
</body>
</html>

Register Requestor - Visual Basic Script


See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

You need the following data to register your requestor with Credential Manager:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, VBScriptSample.html.

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, Visual Basic.

When entering the file and execution paths, you must specify the absolute paths without links. When
an executable or script is run from a mapped network drive, Windows reports the execution path
using the UNC path. Use the UNC path when defining script path and execution path.

Java Script
This example uses a Java script sample (JavaScriptSample.htm) in the
$CSPM_CLIENT_HOME\cloakware\cspmclient\examples\Java_Script_Sample
directory. It uses the CA Technologies ATL DLL (cspmclientatl.dll) to integrate the A2A Client.

Code: Java Script


<html>
<body>

<script type="text/javascript">
    document.write("Client interface with Java Script");

    try {
        var XLApp = new ActiveXObject("cspmclientatl.ccspmclientatl");

        var retCode = XLApp.retrieveCredentials("test", "true", "no");

        alert("The return code: "+ retCode);
        alert("The user name: " + XLApp.getUserId());
        alert("The password: " + XLApp.getPassword());

    } catch (e) {
        alert("error: "+e.message);
    }
</script>

</body>
</html>

Register Requestor - Java Script


See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

You need the following data to register your requestor with Credential Manager:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, JavaScriptSample.htm.

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, Java.

When entering the file and execution paths, you must specify the absolute paths without links. When
an executable or script is run from a mapped network drive, Windows reports the execution path
using the UNC path. Use the UNC path when defining script path and execution path.

Windows Script
This example uses a Windows script sample. It uses the CA Technologies ATL DLL
(cspmclientatl.dll) to integrate the A2A Client. Your installed A2A Client does not contain a
soft copy of the following script.

Code: Windows Script


Option Explicit

dim ret
dim cspmclient
dim credentialsRetrieved
dim success
dim bypasscache

'Instantiate the cspmclient
set cspmclient= CreateObject("cspmclientatl.ccspmclientatl")

'Retrieve the credentials using the cache first
bypasscache="false"
ret= cspmclient.retrieveCredentials( "test",bypassCache , "true")

if(ret = "400") then
    WScript.Echo "accountName=" & cspmclient.getUserId()
    WScript.Echo "password=" & cspmclient.getPassword()

    'try to use it
    'success = connectToApp(accountName,password)
    success = false

    'Retrieve credentials bypassing cache in the event of failure
    if(success=false) then
        bypasscache="true"
        ret= cspmclient.retrieveCredentials( "test",bypassCache , "true")
        if(ret = "400") then
            WScript.Echo "accountName=" & cspmclient.getUserId()
            WScript.Echo "password=" & cspmclient.getPassword()
            'success = connectToApp(accountName,password)
        else
            WScript.Echo "Failed to retrieve credentials"
        end if
    end if
else
    WScript.Echo "Failed to retrieve credentials"
end if
WScript.Quit

Register Requestor - Windows Script


See Add and Run Credential Manager A2A Requestors
(https://docops.ca.com/display/CAPAM28/Add+and+Run+Credential+Manager+A2A+Requestors) for the
procedure to register your requestor with Credential Manager. Use the following data:

Script name. The name of the requestor file that contains the Credential Manager executable call
including the file extension; for example, the name of the Windows script example given in
Windows Script (see page 313).

File path. The absolute path to the application file that contains the executable call.

Execution path. The absolute path from which the application is launched.

Script type. The requestor script type; for example, WScript.

When entering the file and execution paths, you must specify the absolute paths without links. When
an executable or script is run from a mapped network drive, Windows reports the execution path
using the UNC path. Use the UNC path when defining script path and execution path.

Remote HTTP Interface to a Credential Manager A2A Client

The A2A Client supports HTTP requests for credentials. You can retrieve credentials of a target
account alias by entering a URL in your Web browser.

Access the URL to see the credentials in the following cases:

Only the local host (where the A2A Client is installed). See Access URL from only the Local Host
(see page ).

Only the systems within the network of the local host. See Access URL from Local Host Network
(see page 316).

Both the local host and the systems within its network. See Access URL from Local Host and Local
Host Network (see page 318).

To enable this functionality, add the httpRequestScriptAddress tag and the httpRequestScriptPort
tag in the client configuration file. The configuration file is named cspm_client_config.xml. It
is located in the $CSPM_CLIENT_HOME/cspmclient/config directory. After you add the tags, restart
the A2A Client daemon (on UNIX) or the A2A Client service (on Windows).

To disable this feature, remove or comment out the httpRequestScriptAddress tag and
the httpRequestScriptPort tag in the cspm_client_config.xml file.

The following XML code is an example of the cspm_client_config.xml file with the tags.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <applicationtype>cspm</applicationtype>
    <cacheallow>true</cacheallow>
    <loglevel>FINE</loglevel>
    <cspmserver>rh5x32stout2.cpa.intra</cspmserver>
    <cspmserver_port></cspmserver_port>
    <httpRequestScriptAddress>0.0.0.0</httpRequestScriptAddress>
    <httpRequestScriptPort>12345</httpRequestScriptPort>
    <daemonserver1_port>28088</daemonserver1_port>
    <daemonserver2_port>28888</daemonserver2_port>
    <logfile>/opt/cloakware/cspmclient/log/cspm_client_log.txt</logfile>
    <c_logfile>/tmp/cspm_c_client_log.txt</c_logfile>
    <patch>
        <frequency>daily</frequency>
        <starthour>0</starthour>
        <endhour>5</endhour>
    </patch>
    <operation>production</operation>
</configuration>
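
Because these two tags decide which systems can request credentials over HTTP, a deployment review should read them back from every installed client. The following Python 3 check is an added example, not part of the A2A Client: it classifies a cspm_client_config.xml as disabled, local-only, network or all-interfaces. The function name, the labels and the cut-down sample file are assumptions of this example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down copy of the cspm_client_config.xml shown above.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <applicationtype>cspm</applicationtype>
  <httpRequestScriptAddress>0.0.0.0</httpRequestScriptAddress>
  <httpRequestScriptPort>12345</httpRequestScriptPort>
  <daemonserver1_port>28088</daemonserver1_port>
</configuration>"""


def classify_http_interface(config_xml):
    """Return (exposure, detail) for the A2A Client HTTP request interface.

    exposure is one of: disabled, incomplete, invalid, local-only,
    network, all-interfaces.
    """
    root = ET.fromstring(config_xml)
    # Commented-out tags are skipped by the parser, so they count as absent,
    # which matches the way the page says the feature is disabled.
    addr = (root.findtext("httpRequestScriptAddress") or "").strip()
    port = (root.findtext("httpRequestScriptPort") or "").strip()
    if not addr and not port:
        return ("disabled", "neither tag is present")
    if not addr or not port:
        return ("incomplete", "only one of the two tags is set")
    if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        return ("invalid", "port %r is not in 1-65535" % port)
    # URL path taken from the format documented on this page.
    endpoint = "http://%s:%s/requestScript/retrieveCredentials" % (addr, port)
    if addr.lower() == "localhost":
        return ("local-only", endpoint)
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an IP literal: a host name such as <myhostname>.<mydomain>.
        return ("network", endpoint)
    if ip.is_loopback:
        return ("local-only", endpoint)
    if ip.is_unspecified:
        # 0.0.0.0 is the IPv4 wildcard address: every interface of the host.
        return ("all-interfaces", endpoint)
    return ("network", endpoint)


def reachable_from_other_hosts(config_xml):
    """True when systems other than the local host can reach the interface."""
    return classify_http_interface(config_xml)[0] in ("network", "all-interfaces")


if __name__ == "__main__":
    print(classify_http_interface(SAMPLE_CONFIG))
```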

To authorize a requestor (script) to retrieve credentials through a URL, the authorization mappings
between the target alias and the request server must contain at least one script that produces URLs
with the formats described in the following sections. See Add Authorization Mappings
(https://docops.ca.com/display/CAPAM28/Add+Authorization+Mappings) for more details on authorization
mapping.

Access URL from Only the Local Host


This case enables access from only the local host system where the A2A client is installed.

For this case, add the following tags to the cspm_client_config.xml file:

<httpRequestScriptAddress>localhost</httpRequestScriptAddress>
You can also specify the loop back IP address of the local host instead of the literal term
localhost. For example, the following tags are equivalent:

<httpRequestScriptAddress>127.0.0.1</httpRequestScriptAddress>

<httpRequestScriptAddress>localhost</httpRequestScriptAddress>

<httpRequestScriptPort><port_no></httpRequestScriptPort>, where <port_no> is the port number of
the local host. The following tag is an example:

<httpRequestScriptPort>12345</httpRequestScriptPort>

For this case, use the following URL format on the local host system to get credentials:

http://<system>:<portnumber>/requestScript/retrieveCredentials?aliasName=<targetalias>&bypassCache=false&contentType=html, where:

<system> is the literal term localhost or the loop back IP address of the local host. This must
match what was specified in the <httpRequestScriptAddress> tag for the A2A client on
the system.

<portnumber> is any valid and unused port number of the local host. This must match what was
specified in the <httpRequestScriptPort> tag for the A2A client on the system.

<targetalias> is the target alias for which credentials must be fetched

The following URL is an example:

http://127.0.0.1:12345/requestScript/retrieveCredentials?aliasName=testalias&bypassCache=false&contentType=html

Access URL from Local Host Network


This case enables access from only the systems that share the local network of the local host, but not
from the local host itself.

For this case, add the following tags to the cspm_client_config.xml file:


<httpRequestScriptAddress><myhostname>.<mydomain></httpRequestScriptAddress>

<myhostname> is the host name or the loop back IP address of the system where the A2A
Client is installed

<mydomain> is the domain of the system where the A2A Client is installed

<httpRequestScriptPort><port_no></httpRequestScriptPort>, where <port_no> is any valid and unused
port number of the system where the A2A Client is installed

For this case, use the following URL format on any system on the local network of the local host to
get credentials:

http://<myhostname>.<mydomain>:<portnumber>/requestScript/retrieveCredentials?aliasName=<targetalias>&bypassCache=false&contentType=html, where:

<myhostname> is the host name or the loop back IP address of the system where the A2A Client
is installed. This must match what was specified in the <httpRequestScriptAddress> tag
for the A2A client on the system.

<mydomain> is the domain of the system where the A2A Client is installed. This must match what
was specified in the <httpRequestScriptAddress> tag for the A2A client on the system.

<portnumber> is the port number to access the local host. This must match what was specified in the
<httpRequestScriptPort> tag for the A2A client on the system.

<targetalias> is the target alias for which credentials must be fetched

The following URL is an example:

http://rh5x32stout.cpa.intra:12345/requestScript/retrieveCredentials?aliasName=testalias&bypassCache=false&contentType=html

In the previous example:

rh5x32stout is the host name of a system that shares the local host network

cpa.intra is the domain of the system where the A2A Client is installed

12345 is the port number to access the local host. This must match what was specified in the
<httpRequestScriptPort> tag for the A2A client on the system.

testalias is the target alias for which credentials must be fetched


Access URL from Local Host and Local Host Network

This case enables access from the systems that share the local network of the local host and from the
local host itself.

For this case, add the following tags to the cspm_client_config.xml file:

<httpRequestScriptAddress>0.0.0.0</httpRequestScriptAddress>

<httpRequestScriptPort><port_no></httpRequestScriptPort>, where
<port_no> is any valid and unused port number of the system where the A2A Client is installed

For this case, use the following URL format on the local host system to get credentials:

http://<system>:<portnumber>/requestScript/retrieveCredentials?aliasName=<targetalias>&bypassCache=false&contentType=html, where:

<system> is the literal term localhost or the loop back IP address of the local host

<portnumber> is any valid and unused port number of the local host

<targetalias> is the target alias for which credentials must be fetched

For this case, use the following URL format on any system on the local network of the local host to
get credentials:

http://<myhostname>.<mydomain>:<portnumber>/requestScript/retrieveCredentials?aliasName=<targetalias>&bypassCache=false&contentType=html, where:

<myhostname> is the host name or the loop back IP address of the system where the A2A Client
is installed.

<mydomain> is the domain of the system where the A2A Client is installed.

<portnumber> is the port number to access the local host. This must match what was specified in the
<httpRequestScriptPort> tag for the A2A client on the system.

<targetalias> is the target alias for which credentials must be fetched

The following is an example of the URL to use from the local host system to get credentials:

http://127.0.0.1:12345/requestScript/retrieveCredentials?aliasName=testalias&bypassCache=false&contentType=html

The following is an example of the URL to use from a system on the local network of the local host to
get credentials:


http://rh5x32stout.cpa.intra:12345/requestScript/retrieveCredentials?aliasName=testalias&bypassCache=false&contentType=html

In the previous example:

rh5x32stout is the host name of a system that shares the network of the local host

cpa.intra is the domain of the system where the A2A Client is installed

12345 is the port number to access the local host. This must match what was specified in the
<httpRequestScriptPort> tag for the A2A client on the system.

testalias is the target alias for which credentials must be fetched
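
The three binding cases in this section can be checked mechanically when reviewing a host's cspm_client_config.xml. The following is an added example, not CA code: the function names and exposure labels are hypothetical, and treating a lone tag, an out-of-range port, or a non-loopback IP address as shown is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample modelled on the example file in this section.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<cspmserver>rh5x32stout2.cpa.intra</cspmserver>
<httpRequestScriptAddress>0.0.0.0</httpRequestScriptAddress>
<httpRequestScriptPort>12345</httpRequestScriptPort>
</configuration>"""


def classify_listener(config_xml):
    """Return (exposure, address, port) for the URL credential listener."""
    # ElementTree drops XML comments, so commented-out tags count as absent.
    root = ET.fromstring(config_xml.encode("utf-8"))
    addr = (root.findtext("httpRequestScriptAddress") or "").strip()
    port = (root.findtext("httpRequestScriptPort") or "").strip()
    if not addr and not port:
        return ("disabled", None, None)
    # Assumption: one tag without the other, or a bad port, is a misconfiguration.
    port_ok = port.isascii() and port.isdigit() and 1 <= int(port) <= 65535
    if not addr or not port_ok:
        return ("invalid", addr or None, port or None)
    if addr.lower() == "localhost":
        return ("local-only", addr, int(port))
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return ("network-only", addr, int(port))  # <myhostname>.<mydomain> form
    if ip.is_unspecified:  # 0.0.0.0: local host and local host network
        return ("local-and-network", addr, int(port))
    if ip.is_loopback:  # 127.0.0.1: only the local host
        return ("local-only", addr, int(port))
    return ("network-only", addr, int(port))  # assumption: other IPs are network-facing


def retrieval_url(system, port, alias):
    """Build the retrieveCredentials URL in the format this section documents."""
    query = urlencode({"aliasName": alias, "bypassCache": "false", "contentType": "html"})
    return f"http://{system}:{port}/requestScript/retrieveCredentials?{query}"


def audit(config_xml, allowed=("disabled", "local-only")):
    """Return a finding string when the listener is wider than allowed, else None."""
    exposure, addr, port = classify_listener(config_xml)
    if exposure in allowed:
        return None
    return f"httpRequestScript listener is {exposure} (address={addr}, port={port})"
```

Run audit() against each A2A client's configuration file; the default allowed set accepts only a disabled listener or one bound to the local host.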
