CA Privileged Access Manager - 2.8
Integrating
Date: 22-Mar-2017
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
22-Mar-2017 3/99
Table of Contents
Set Up CA Privileged Access Manager AMI Instance  25
Configure the Server for Proxy  25
  Set Up a Whitelist  25
  Set Up a Credential Pair for Federated Tokens  25
  Set Up a User  26
  Provision an Access Policy  26
Set Up the Proxy Structure  27
  Set Up AWS Proxy Instances  27
  Confirm Proxy Registration  28
  Set Up an AWS Load Balancer  28
CA Privileged Access Manager Configuration  47
Client Configuration  47
Examples  61
HP Service Manager Integration  61
  Prerequisites  61
  Device Configuration  61
  Application Configuration  62
  Account Configuration  62
  Password View Policy Configuration  63
  Query Filter  64
    Field Values  64
    Operators  64
    Examples  65
ServiceNow Integration  65
  Device Configuration  65
  Application Configuration  65
  Account Configuration  66
  Password View Policy Configuration  67
  Query Filter  68
    Field Values  68
    Operators  68
    Examples  68
Salesforce Service Cloud Integration  69
  Device Configuration  69
  Application Configuration  69
  Account Configuration  70
  Password View Policy Configuration  70
  Query Filter  71
    Field Values  71
    Operators  71
    Examples  72
Prerequisites  77
CA Single Sign-On Policy Server Configuration  77
CA Privileged Access Manager Configuration  81
Troubleshooting  82
  Use Console in Emergency  82
Known Issues  83
  Agent Configuration Object Internal Server Error  83
  CA PAM Client Failure  83
Integrating
This section explains how to configure the product so that it can co-operate with external, third-party
devices and servers.
Deploying CA Privileged Access Manager Client (see page 10)
Configuring Targets (see page 16)
Integrating an AWS API Proxy (see page 19)
VMware vCenter and NSX Coordination Integration (see page 30)
VMware NSX API Proxy Integration (see page 45)
Managing Java on Your Client Workstation (see page 46)
Juniper Integration (see page 48)
Integrate a Java Application or Application Server (see page 49)
Integrate with Your Service Desk Solution (see page 51)
CA Privileged Access Manager Server Control Login Integration (see page 73)
CA Single Sign-On Integration (see page 77)
Integrate A2A Applications (see page 84)
Integrate with CA Threat Analytics (see page 87)
The client is available for download (from CA Privileged Access Manager) only while client
access to is enabled. (It is not sufficient to enable the client download checkbox.)
Download
From your client workstation, you can download an installer from the login page. Point to CA
Privileged Access Manager from a compatible browser, and from the GUI login page select either:
Down arrow – Click to open a drop-down menu and select a specific version for one of four OS types. The
applicable OS releases for each version are identified in the CA Privileged Access Manager Release
Notes.
Install
After you download the installer file, run it to extract and open the installer wizard. Set the
installation parameters according to its InstallAnywhere interface.
Note the following information:
License Agreement – The acceptance button is activated only after you scroll the license text to
the bottom of the panel.
Installing... – You cannot click Previous after the software starts installation or has completed it.
Configure
Click the gear icon in the lower-left corner to open the Configuration Settings window. Select the
labeled tab to change the following settings:
Proxy
In case a proxy server to the target CA Privileged Access Manager is needed, specify one of the
following options:
Use system proxy settings for this network – for a workstation OS-managed proxy
Manual system proxy settings for this network – to set a custom target device as the proxy
Default: No Proxy
General
Specify memory requirements for CA Privileged Access Manager Client.
WARNING: Because of a bug in the 32-bit Java Runtime Environment, treat 1200 MB as the maximum for
this value on Windows. If the value is set to 1201 MB or greater, the client does not start again. To
recover, open the settings.properties file at the installation root and set memory.max=1200 or less.
Cache
Specifies the cache controls where applicable.
Enable Caching – Stores previous versions of the CA Privileged Access Manager Client so that you
can revert to an earlier version. Default = On (checked).
Current Cache Size – Displays the total size of the cached versions of CA Privileged Access
Manager Client. Default: Total size of cached prior versions.
Clear Cache – Removes all cached versions. (You can remove individual versions by using
the Manage button.)
Max Cache Size, MB (0 = unlimited) – Specify the maximum size of the cache by using the slider or
the field.
Manage – Displays details for all cached versions of CA Privileged Access Manager Client. You can
remove any or all versions.
Certificate
From a table list, specify a certificate authority (C.A.) certificate to be used. The CA Privileged Access
Manager Client is provided with several pre-installed C.A. certificates. You can add more to serve
your needs.
Run
From its installed menu item or shortcut, start the client. The initial client screen allows you to specify
the address of a CA Privileged Access Manager appliance or appliance cluster VIP.
Follow these steps:
Address – Enter the accessible IPv4 address or an assigned FQDN. You can also add an optional
port to the address, as in: ADDRESS:PORT
The CA Privileged Access Manager Client cannot use most well-known ports. See the Reference
for the full list.
WEB – Opens a connection to the server, and then opens the CA Privileged Access Manager Client
browser window to the UI, and closes the console.
CONNECT – Opens a connection to the server, and maintains a status connection window.
Optionally, the CA Privileged Access Manager Client browser window can be opened from the
status window.
You cannot switch the mode between WEB and CONNECT after you have connected to the
appliance. First return to the initial connection screen by clicking Cancel and restarting the
client.
1. Click Update to update your currently installed client to the latest version automatically. You
might need to restart the client if the update requires it.
Following client release level confirmation, a login transition screen is displayed and then the login
interface appears.
4. Click Login.
If you had selected WEB, a browser window opens to the CA Privileged Access Manager GUI.
If you close the browser window (using the close box at the upper right), you close and exit both
CA Privileged Access Manager server and client.
If you Log Off, the browser window closes (you do not revert to the login page), and you are
returned to the CA Privileged Access Manager Client login screen.
If you had selected CONNECT, the client window stays open while the connection is made. When
the connection is complete, information about it is displayed in a new screen.
You can use existing CA Privileged Access Manager-configured Services and make ExternalAPI calls
without launching them through the product GUI.
The CA Privileged Access Manager administrator must provide any needed target parameters for
the service, such as its CA Privileged Access Manager-assigned net address, to the end user.
You can click the Launch Web Browser button to maintain both browser and console windows.
If you close the browser window (using the close box in upper right), you can again Launch Web
Browser later and return to the same GUI location, as its state is preserved.
If you Log Off from the GUI, the GUI window closes and the console reverts to the CA Privileged
Access Manager Client login screen.
If you Log Off, the console reverts to the CA Privileged Access Manager Client login screen.
Uninstall
Windows
To remove a Windows CA Privileged Access Manager Client, do so from the Windows Control Panel >
Programs and Features interface.
You can also remove a CA Privileged Access Manager Client installation from its location in the file
directory. At the root level of your CA Privileged Access Manager installation is the directory:
_CA Privileged Access Manager Client_installation
Open this directory to execute the uninstallation wizard named:
Change CA Privileged Access Manager Client Installation
Mac / Linux
To remove either a Mac or a Linux installation, delete the installation directory and its entire contents.
[per Brian Emond IM 4/12/16, following CA Privileged Access Manager Client status meeting discussion 4/11.]
NOTE An uninstallation wizard like that provided for Windows is also provided with Mac and Linux
installations. However, it does not currently work and so should not be used. [per Volodymyr email 4/6/16.]
Configuring Targets
A "target" is a CA Privileged Access Manager-specified Device that is a destination for a CA Privileged
Access Manager User and/or is a consumer of certain CA Privileged Access Manager credentials.
Windows OS
Network Level Authentication Login
Windows administrators can configure their servers to require Network Level Authentication (NLA)
before the user is prompted to enter their credentials, which lowers the risk of DoS attacks. CA
Privileged Access Manager accommodates this network-level request so that it can complete connections.
Environment
This feature assumes and addresses the Allow connections only from computers running Remote
Desktop with Network Level Authentication setting configured on the General tab of the RDP-Tcp
Properties dialog.
User Experience
When a user selects the RDP Access Method, the RDP Access Method splash page appears, and then
the CA Privileged Access Manager security window prompts for the NLA-based credentials request.
After the user enters their credentials, CA Privileged Access Manager submits them to the target
device to complete login.
Note: If password push (see next section) is applied to a Device, this login prompt is
overridden.
Note: If NLA is enabled on an RDP server that is configured with the TLS security layer (the
default for Windows Server 2008/2012), the Always prompt for password option is
ignored. That is, users are not prompted for passwords even if the option is enabled. To
support the Always prompt for password mechanism, the RDP server must be configured
with the RDP security Layer.
CA Privileged Access Manager can be configured at the Device Group level to automatically populate
that prompt (with the password obfuscated), and thus force an auto-connection that has been
configured (at the Device level) for any Device in that Device Group.
Environment
This feature assumes and addresses the following setting on a Windows target device.
For example, on Windows Server: open Start > Administrative Tools > Terminal Services
Configuration, open Terminal Services > Connections, select and right-click RDP-Tcp, select
Properties, and select the Logon Settings tab. This setting forces the login prompt to always be presented.
3. Either double-click an existing Device Group record, or click the Create Device Group link to
open a new record template.
4. Click in the Devices field, and from the drop-down menu, select the target Devices that
require password push when policy is configured for auto-connection.
5. At the bottom of the Device Group template, in the section Enable, select the checkbox
Provide Credentials for "Always Prompt for Password".
7. Prepare a policy for the User/User Group and the Device Group that you previously
configured, and with Access = "RDP", and Save.
Password push is now enabled.
User Experience
When a CA Privileged Access Manager User selects the RDP Access Method the following actions
occur:
3. CA Privileged Access Manager immediately overrides the login prompt and a 10 second delay
occurs, during which the User sees a countdown screen until auto-connection is effected.
The remote user is logged in.
Prerequisites
Obtain an AWS (Amazon Web Services) account (https://aws.amazon.com/).
Obtain from CA Technologies a (new) Privileged Access Manager license that specifies the desired
number of AWS Proxy User accounts (the maximum number of User accounts that can have Role
= "AWS API Proxy User" assigned), and apply it on the Config, Licensing page.
Obtain from CA Technologies access to the AWS API Proxy AMI in the AWS Management Console.
Note
These instructions are based on the AWS Management Console interface as it existed in
August 2016. AWS has revised some interfaces since that time.
Your environment might already have a sufficient AWS environment, including a VPC with at least
one public and two private subnets. Review these procedures to determine if and where they are
applicable to you.
1. Log in to the AWS Management Console with your AWS Account Username and Password.
a. For the Role Name, assign a name. For example, let Role Name = DocDemoRootRole.
b. In the Select Role Type screen, select Role for Cross-Account Access, and click the Select
button for the Provide access between AWS accounts you own option.
c. In the next screen, enter your AWS Account ID which you can find under the top-right
drop-down list selection: [your username], My Account . Do not select Require MFA
(as this Role is programmatic-only).
d. In the Attach Policy screen, select AdministratorAccess (to provide root-level access).
e. In the Review screen, confirm your selections, and click Create Role to exit the Create
Role process and return to the Roles list.
4. In the Roles list, select your new Role (for example, DocDemoRootRole).
a. In the Summary screen, select the value for Role ARN. Copy and paste that string to
your text window (used earlier for the user credentials).
a. For Enter User Names, assign 1 to 5 usernames. For example, use one username,
DocDemoRootUser. Select Generate an access key for each user. Click Create.
b. In the confirmation screen that follows, click Show User Security Credentials so that
you can copy and paste these credentials (Access Key ID and Secret Access Key) to an
alternate location for access later in this configuration process (for example, in a plain
text window or file on your workstation).
c. Click Close to create the user, exit the Create User process, and return to the Users list.
7. In the Users list, select your new User (for example, DocDemoRootUser).
a. In the Summary screen, select the value for User ARN and copy and paste that string
to your text window.
b. Select the Permissions tab at the bottom of the screen, and click Attach Policy.
c. In the Attach Policy screen, select AdministratorAccess (to provide root-level access).
Your User and Role are now ready for use later in the deployment process.
Set Up a VPC
Set up an instance of AWS virtual private cloud.
2. Click Start VPC Wizard. The wizard allows you to guide the VPC component creation, including
the subnets, route tables, NAT gateway, and other objects.
a. In the Step 1 screen, select VPC with Public and Private Subnets, and click Select.
c. For all other fields (in this example), use the default values.
d. Click Create VPC. A modal progress screen follows. Following the acknowledgment
page, click OK.
a. Confirm that your two initial (private and public) subnets have been created:
v. Select an Availability Zone that is different from the other private subnet
(here, if the other private subnet is, say, "us-east-1a", we would select, say, "us-
east-1b"). This is a requirement for AWS-specific RDS (relational database) to
ensure failover recovery.
b. In the Subnets lists, confirm your newly created second private subnet.
Your VPC is now ready for population with instances and services.
Set Up an RDS
Set up an instance of an AWS relational database. The instance is used to store federated tokens so
that they can be reused. It is not necessary to generate one for every API call a user makes. This RDS
can also be shared by multiple proxies that have been set up for load balancing.
These tokens are created using the root role and user account you established earlier. This token is
used by the proxy on behalf of the end user. The token has a limited subset of credentials that are
based on how a policy has been set up in CA Privileged Access Manager. For security, each token has
a limited lifetime of 15 minutes.
c. Two subnets are required. To stage them both for this group:
i. Enter one of the private-subnet Availability Zones you used, with the
corresponding Subnet ID, and click Add
ii. Enter the other of the private-subnet Availability Zones you used, with the
corresponding Subnet ID, and click Add.
d. Click Create to create the DB subnet group and return to the group list.
b. In the Select Engine screen, select the MySQL tab, and click Select.
c. In the production version options screen, we recommend that you select either the
Production or the DevTest version of MySQL. CA Technologies has tested these
versions. In this example, the DevTest option has been chosen.
d. Complete the fields in the Instance Specifications panel near the top of the Specify DB
Details screen. We recommend the following specific values (otherwise, use values
appropriate for your environment):
Multi-AZ Deployment: Likely not required; if the database is lost, tokens can easily
be replaced
e. Further down on the Specify DB Details screen, specify the following values in the
Settings panel:
f. On the Configure Advanced Settings screen, specify the following settings in the
Network & Security panel:
Set Publicly Accessible to No. The proxy instances in the VPC are the only consumers of the
database. (Credentials are stored in this database. In general, we recommend that you remove
unneeded access wherever possible.)
You can use the default VPC Security Group, as it allows all traffic, but only between
members of the same security group.
g. Further down on the Configure Advanced Settings screen, specify the following
settings in the Database Options panel:
Retain the default values for DB Parameter Group (default.mysql5.6) and Option
Group (default.mysql-5-6).
Our engine does not currently support encryption, so leave Enable Encryption set to No.
i. Click Launch DB Instance. Creation can take a few minutes (15-20 minutes is common) before
you can obtain the instance address for use later.
4. In the RDS Instances screen listing your RDS, select it, and copy the RDS Endpoint specification
to your text file.
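The token reuse described above, as an added example that is not part of the original page or the product's code: a small cache that issues one 15-minute federated token per PAM user and policy, hands the same token to later calls, and refreshes it shortly before expiry instead of minting a token per API call. The STS issuer is injected so the block runs offline (boto3's sts.get_federation_token would fill that role); the policy document and the user and policy names are constructed.

```python
"""Illustrative federated-token cache for an AWS API proxy (added example, not product code).

Models what the text describes: the proxy uses the "root" access keys to obtain a token
scoped to the IAM policy chosen in the PAM access policy, keeps it (the page stores it in
RDS) and reuses it until it is about to expire. A real issuer would call STS
GetFederationToken, e.g. boto3:
    sts.get_federation_token(Name=name, Policy=policy_json, DurationSeconds=duration)
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

TOKEN_LIFETIME_SECONDS = 15 * 60      # the 15-minute lifetime the text gives
REFRESH_MARGIN_SECONDS = 60           # re-issue early rather than hand out a dying token
_FEDERATED_NAME = re.compile(r"^[\w+=,.@-]{2,32}$")  # STS constraint on the Name field

# Constructed, simplified stand-in for the page's "PowerUserAccess" preset: everything
# except IAM. The real preset's policy document is not shown on the page.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"}],
}


@dataclass
class FederatedToken:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: int  # Unix seconds

    def usable_at(self, now: int) -> bool:
        """True while the token still has more than the refresh margin left."""
        return now + REFRESH_MARGIN_SECONDS < self.expires_at


# issuer(name, policy_json, duration_seconds, now) -> FederatedToken
Issuer = Callable[[str, str, int, int], FederatedToken]


class TokenCache:
    """One cached token per (PAM user, policy name), like one RDS row per pair."""

    def __init__(self, issuer: Issuer):
        self._issuer = issuer
        self._rows: Dict[Tuple[str, str], FederatedToken] = {}
        self.issued = 0  # round trips to STS; useful as a metric

    def get(self, pam_user: str, policy_name: str, policy: dict, now: int) -> FederatedToken:
        key = (pam_user, policy_name)
        tok = self._rows.get(key)
        if tok is not None and tok.usable_at(now):
            return tok
        if not _FEDERATED_NAME.match(pam_user):
            raise ValueError(f"{pam_user!r} is not a valid federated user name")
        # The federated Name is what CloudTrail records, so pass the PAM username
        # through rather than a shared label: that keeps per-user attribution on AWS.
        tok = self._issuer(pam_user, json.dumps(policy), TOKEN_LIFETIME_SECONDS, now)
        self._rows[key] = tok
        self.issued += 1
        return tok


def fake_issuer(name: str, policy_json: str, duration: int, now: int) -> FederatedToken:
    """Offline stand-in for STS (constructed values, never real keys)."""
    assert json.loads(policy_json)["Version"] == "2012-10-17"
    return FederatedToken("AKIAEXAMPLE0000000", "example-secret", f"fed:{name}:{now}", now + duration)
```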
Use an AWS AMI on which a Splunk server has already been installed. Alternatively, stand up an
AWS AMI OS instance and download a Splunk installer from http://www.splunk.com
In Splunk Data, Data receiving, add a new receiver listening on port 9997 (to accept logs from
CA Privileged Access Manager).
Place the server in the VPC public subnet that you created earlier. Assign it a public IP address
using EIP or instance auto-assign.
For the affected security groups, ensure that they allow inbound traffic to port 9997 (on which
Splunk listens) from anywhere inside the VPC (here, 12.0.0.0/24).
When planning a production server, estimate production storage from log volume you generated
in your test/demo environment.
For the remaining instance configuration, use default AMI instance details.
Consider preparing a security group (for example, named Public Instances) that accepts inbound
traffic from any source on HTTP, HTTPS, and SSH only. This security group allows an
administrator to reach the instance from anywhere, if desired.
Set Up a Whitelist
Configure the AWS API Proxy whitelist to allow proxies to submit requests to CA Privileged Access
Manager.
1. From the AWS Management Console, identify the private subnet into which you set up proxy
instances.
2. In CA Privileged Access Manager, navigate to Config, 3rd Party, AWS API Proxy Auto
Activation Whitelist.
3. In the Whitelisted Subnets text box, specify the private subnet that you established earlier,
which contains the AWS API Proxy instances. For example: 12.0.1.0/24
The AWS API Proxy instances send A2A activation requests. Following activation, CA Privileged
Access Manager allows the A2A-activated proxy to see ("view") proxy credentials.
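Added example, not part of the original page or the product: range checks for the whitelist above and for the Splunk security-group rule on port 9997. It assumes the proxy subnet, the whitelist and the security group's allowed source ranges are available as CIDR strings; the page's own values are used as constructed input. Note that with those values the proxy subnet 12.0.1.0/24 lies outside 12.0.0.0/24, so the coverage check reports the Splunk rule as not reaching the proxies until the rule names the whole VPC range.

```python
"""Whitelist and security-group range checks for the AWS API proxy setup (added example)."""
import ipaddress
from typing import Dict, Iterable, List

IPNet = ipaddress.IPv4Network


def _nets(cidrs: Iterable[str]) -> List[IPNet]:
    """Parse CIDR strings; strict=False accepts host bits set (e.g. 12.0.1.3/24)."""
    return [ipaddress.IPv4Network(c, strict=False) for c in cidrs]


def source_is_whitelisted(src_ip: str, whitelist: Iterable[str]) -> bool:
    """The decision PAM makes on an A2A activation request: is the source address inside
    any whitelisted subnet? Activation is what lets a proxy view proxy credentials."""
    ip = ipaddress.IPv4Address(src_ip)
    return any(ip in net for net in _nets(whitelist))


def overly_broad(cidrs: Iterable[str], min_prefix_len: int = 16) -> List[str]:
    """Return whitelist entries wider than /min_prefix_len for review: the whitelist gates
    credential release and should name the proxy subnet only, not a whole address space."""
    return [str(n) for n in _nets(cidrs) if n.prefixlen < min_prefix_len]


def subnet_coverage(proxy_subnets: Iterable[str], whitelist: Iterable[str],
                    splunk_sg_sources: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """For each proxy subnet: is it fully inside the PAM whitelist, and fully inside a
    source range the Splunk security group accepts on 9997?"""
    wl, sg = _nets(whitelist), _nets(splunk_sg_sources)
    out: Dict[str, Dict[str, bool]] = {}
    for subnet in _nets(proxy_subnets):
        out[str(subnet)] = {
            "whitelisted": any(subnet.subnet_of(n) for n in wl),
            "splunk_reachable": any(subnet.subnet_of(n) for n in sg),
        }
    return out


# Constructed from the page's example values.
PROXY_SUBNETS = ["12.0.1.0/24"]
PAM_WHITELIST = ["12.0.1.0/24"]
SPLUNK_SG_SOURCES_AS_WRITTEN = ["12.0.0.0/24"]
SPLUNK_SG_SOURCES_VPC_WIDE = ["12.0.0.0/16"]  # assumed VPC CIDR
```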
2. Navigate to Targets, Accounts, and select Add to bring up a blank Account Details screen.
3. Select AWS Access Credential Accounts from the Application Name drop-down list. (This
action also auto-populates the Host Name and Device Name, and resets the other widgets for
AWS Access Credential parameters.)
b. From your text file, paste in the Access Key ID and Secret Access Key for your
applicable AWS account.
c. From your text file, paste the ARN into the Access Role Name field.
d. Here, for AWS Cloud Type, select Commercial Cloud. (Contact CA Support if you want
to specify a GovCloud VPC.)
Set Up a User
1. Navigate to Users, Manage Users, and select Create User to open a User editing template.
2. Set up the required User fields (that is, Username, Firstname, and the remaining red-labelled
widgets).
2. In the User (Group) field, enter the Username (for example, DocDemoUser) that you created
in "Set Up a User".
3. In the Device (Group) field, enter the virtual device name: xceedium.aws.amazon.com
4. In the upper right, select the Create Policy link to open the policy editing template for this
User-Device pair.
5.
a. In the pop-up window, select the "AWS API Proxy" Service. This action opens the
Credential and AWS Policy fields within the pop-up, to the right.
b. In the Credential field, enter the "AWS Access Credentials Accounts" type account you
created earlier (for example, DocDemoAccount).
Note: This account is the "root" AWS account that is used to request
(temporary federated) credentials from AWS. It is not a CA Privileged Access
Manager User account like DocDemoUser.
c. In the AWS Policy field, enter the AWS IAM Policy that applies to this User (for
example, DocDemoUser). You can use one of the two preconfigured policies,
"IAMUserAccess" or "PowerUserAccess" (used here), and view, edit, or create a
different one, using the AWS Policies link in the upper right.
6. Click Save.
1. In the AWS Management Console, navigate to Images, AMIs, and find your proxy AMI.
2. Do the following tasks in "Step 3: Configure Instance Details" of the AMI instance setup
wizard:
a. Place the proxy instances in the one of your two private subnets (here, 12.0.1.0/24)
that has the same AZ as the public subnet. The load balancer function depends on this
placement. This subnet is also specified in the Privileged Access Manager proxy
whitelist (in Config, 3rd Party).
b. For Auto-assign Public IP select the Use subnet setting (Disable), because the proxies
are not exposed outside of the VPC.
c. In the Advanced Details section, in User Data, use the following format, and populate
it (pasting only from a plain text editor) with your case data:
Format:
db = <api-proxy-db>
host = <db-instance.aws-region>.rds.amazonaws.com
user = <db-username>
pass = <password>
xsuite = <IP-address>
splunk = <IP-address>:9997
proxyname = <aws-api-proxy-name.example.com>
debug = false | true
Example:
db = DocDemoDB
host = DocDemoDBInstance.us-east-1.rds.amazonaws.com
user = DocDBAdmin
pass = DocDemoPW5289331
xsuite = 12.0.1.3
splunk = 12.0.1.5:9997
proxyname = awsapiproxy123.yourcompany.com
debug = false
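The following is an added example, not CA's code: it parses a User Data block in the format above and flags the mistakes the plain-text-editor note is meant to prevent (a template placeholder left in place, non-ASCII characters such as curly quotes, a splunk value without the :9997 port, a debug value other than true or false). The field names and the good sample come from the page; the check rules and the bad sample are my own constructions.

```python
import ipaddress
import re

# Keys from the User Data format on this page.
REQUIRED_KEYS = ("db", "host", "user", "pass", "xsuite", "splunk", "proxyname", "debug")
# Fully qualified host name: labels of letters, digits and hyphens, at least two labels (assumed rule).
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

# The page's own example, used here as the "good" sample.
GOOD_USER_DATA = """\
db = DocDemoDB
host = DocDemoDBInstance.us-east-1.rds.amazonaws.com
user = DocDBAdmin
pass = DocDemoPW5289331
xsuite = 12.0.1.3
splunk = 12.0.1.5:9997
proxyname = awsapiproxy123.yourcompany.com
debug = false
"""

# Constructed "bad" sample: a template placeholder left in, the Splunk port dropped,
# and curly quotes around the debug value as a word processor would insert them.
BAD_USER_DATA = """\
db = DocDemoDB
host = <db-instance.aws-region>.rds.amazonaws.com
user = DocDBAdmin
pass = DocDemoPW5289331
xsuite = 12.0.1.3
splunk = 12.0.1.5
proxyname = awsapiproxy123.yourcompany.com
debug = \u201cfalse\u201d
"""


def parse_user_data(text):
    """Return {key: value} from 'key = value' lines; blank lines are skipped."""
    data = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key in data:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        data[key] = value
    return data


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def validate_user_data(data):
    """Return a list of problems; an empty list means the block looks usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in data:
            problems.append(f"missing key: {key}")
    for key, value in data.items():
        if key not in REQUIRED_KEYS:
            problems.append(f"unknown key: {key}")
        if not value:
            problems.append(f"empty value for {key}")
        elif "<" in value or ">" in value:
            problems.append(f"{key} still contains a template placeholder: {value}")
        elif not value.isascii():
            problems.append(f"{key} contains non-ASCII characters (pasted from a word processor?)")
    if "host" in data and not data["host"].endswith(".rds.amazonaws.com"):
        problems.append("host should be the RDS endpoint ending in .rds.amazonaws.com")
    if "xsuite" in data and not _is_ipv4(data["xsuite"]):
        problems.append("xsuite must be an IPv4 address")
    if "splunk" in data:
        host, sep, port = data["splunk"].rpartition(":")
        if not (sep and _is_ipv4(host) and port == "9997"):
            problems.append("splunk must be <IPv4-address>:9997")
    if "proxyname" in data and not HOSTNAME_RE.match(data["proxyname"]):
        problems.append("proxyname must be a fully qualified host name")
    if "debug" in data and data["debug"] not in ("true", "false"):
        problems.append("debug must be exactly true or false")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_USER_DATA), ("bad", BAD_USER_DATA)):
        print(label, validate_user_data(parse_user_data(sample)) or "OK")
```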
3. In "Step 6: Configure Security Group", select a security group that permits HTTPS and that the
load balancer can reach.
5. After you initiate the instances, wait about 10 minutes before confirming them in CA
Privileged Access Manager.
3. Confirm registration of your AWS API Proxy instances by checking the following settings:
1. In AWS Management Console, navigate to Services, EC2, Load Balancing, Load Balancers.
2. Click blue button Create Load Balancer to launch its setup wizard.
ii. Add a new protocol line item with Load Balancer Protocol = HTTPS and
Instance Protocol = HTTPS.
e. In Select Subnets, select the public subnet that you have prepared
4. In "Step 2: Assign Security Groups", select the security group that you used earlier for your CA
Privileged Access Manager and Splunk server.
a. Select a certificate that your users and clients are able to verify.
i. For demo/test purposes at least, you can request a new certificate from ACM
(AWS Certificate Manager), or from AWS IAM.
1. In ACM, enter the domain name that you have used for your proxy
instances, prepended with an asterisk (here, *.awsapiproxy123.
yourcompany.com)
b. Select a cipher that you accept at the load balancer. Select from the predefined list if
acceptable, or create a custom security policy.
Prerequisites
Verify the following prerequisites:
In VMware:
When VMware NSX coordination is activated in CA Privileged Access Manager, the following cluster
synchronization features are not supported:
Hybrid clusters, in which two or more of the three form types for CA Privileged Access Manager
(hardware, AWS AMI instance, and VMware VMs) are used.
The Access Restrictor (see page ) does not operate on A2A transactions:
Device: a target vCenter; a Target Application for this Device; a Target Account for this
Target Application that is an administrator account
Device: the affiliated NSX Manager; a Target Application for this Device; a Target
Account for this Target Application that is an administrator account
Following configuration and registration, the NSX and CA Privileged Access Manager effects include:
In CA Privileged Access Manager:
Device imports – vCenter virtual machines are imported (a Device record is created for each VM)
Security controls – Existing NSX Security Tag, Security Group, and Security Policy restrictions are
imposed on vCenter devices imported into CA Privileged Access Manager.
In NSX:
CA Privileged Access Manager Service – A new NSX partner service named "CA Privileged Access
Manager Service" is created, with Profile Configurations for these functions:
Session Recording
Terminate Sessions
Dynamic effects – As NSX Security Tag, Security Group, and Security Policy definitions are altered
over time, the effects are propagated from NSX to CA Privileged Access Manager.
Access restrictor – CA Privileged Access Manager dynamically pushes its CA Privileged Access
Manager access policies for mirroring as NSX distributed firewall exceptions. Thus these rules are
created as connections open, and are destroyed when those connections close.
Dynamic transfer of NSX Security Groups and Security Tag assignment to CA Privileged Access
Manager
Access Restrictor
When CA Privileged Access Manager is registered in NSX, and before it connects to a managed VM (in
that NSX environment), it pushes its access policy for that connection into NSX as a distributed
firewall exception. It instructs NSX to temporarily "poke a hole" through the firewall managing the
VM to allow the CA Privileged Access Manager-authorized connection.
Terminate Sessions – Terminate the session, or prevent any future session attempt from
consummating.
Works for all connection types. Event is logged and is captured in session recordings.
Works for RDP, SSH, and Telnet Access Method applets; RDP Applications; all native SSH or Telnet
Services; Xceedium Browser (HTTP and HTTPS). Event is logged and is captured in session
recordings.
These imported tags can then be assigned to Device Groups to impose the desired controls.
When Security Groups or Security Tags are created in an NSX installation running a CA Privileged
Access Manager Service, or they are newly assigned to NSX devices, these changes propagate to CA
Privileged Access Manager in several ways.
When a tag (either local, or VMware-imported Security Group or Security Tag) is assigned to a
Device Group, the Devices that the tag specifies are identified as (uneditable) members of the
Device Group.
If you apply an unused tag to a Device Group and use that group in an active CA Privileged Access
Manager policy, and then later assign the tag to a device in NSX, the corresponding CA Privileged
Access Manager Device and corresponding policy is dynamically activated. The policy becomes
available on the User(s)' Access page.
It is then possible to prepare compact CA Privileged Access Manager policies that are nevertheless
complex and powerful.
Configuration Tasks
Perform the following tasks to activate coordination of an NSX installation with your CA Privileged
Access Manager.
Preparation
You must have the following applied:
REQUIREMENTS
CA Privileged Access Manager registration with NSX requires that a single vCenter is configured in
CA Privileged Access Manager. Multiple vCenter configurations, although permitted in CA
Privileged Access Manager, cannot be used while there is an active NSX registration.
PROCEDURE
Preliminary Devices/Accounts provisioning
11. Add a new target account for the vCenter target application you created.
12. Add a new target account for the NSX Manager target application you created.
3. Click your mouse in the vCenter Authentication Device field, and select from the drop-down
list the vCenter Device you prepared earlier.
1. Click your mouse in the vCenter User field, and select from the drop-down list the vCenter
access target account you prepared earlier.
2. In the URL field, enter the URL address of the vCenter. Include the port and any subdirectory
path.
2. Click your mouse in the NSX Authentication Device field, and select from the drop-down list
the NSX Manager Device you prepared earlier.
1. Click your mouse in the NSX User field, and select from the drop-down list the NSX access
target account you prepared earlier.
2. In the URL field, enter the URL address of the NSX installation. Include the port and any
subdirectory path.
After you correct the issue, you can again attempt registration using the staged settings by
clicking Save.
1. Take care to back out of all corresponding settings you had applied in CA Privileged Access
Manager and NSX.
3. The currently registered CA Privileged Access Manager Service is removed from NSX, and the
NSX Manager is unregistered in CA Privileged Access Manager.
Provisioning Examples
Example 1: Preparation of an NSX Security Policy for CA Privileged Access Manager
Use
You can impose any of the above three controls on Devices managed by CA Privileged Access
Manager from within NSX features. The following procedure shows how this process works by
completing the following steps:
Applying those policies to those groups to activate their controls on their devices. These controls
are propagated to CA Privileged Access Manager, and then imposed when CA Privileged Access
Manager Users access VMware-imported Devices.
Following registration of CA Privileged Access Manager with NSX, open your vSphere Client or Web
Client:
1. From the vSphere home, select the Networking & Security item from the left-hand menu.
2. From the new left-hand menu items, select the Service Composer item, and then in the
Service Composer body click the Security Policies tab to display the (currently empty) policies
list.
3. Above the line item list in the far left, click the Create Security Policy icon to open a policy
editing window.
4. Specify a policy that imposes CA Privileged Access Manager session recording, and call it
Session Recording SP:
5. Click the 1 Name and description tab, and enter in the Name field "Session Recording SP".
6. In 2 Guest Introspection Services, click the icon further right to open an editing window. In it:
9. Leave the other fields and buttons as is, and click OK.
The editing window now disappears, and you see the new service specification as a line item.
1. In 4 Network Introspection Services, perform the same previous steps for (b), except that
here you edit the Profile field rather than the Service Profile.
2. In the lower right corner, click the Finish button to activate the Security Policy.
With procedures parallel to the one above for the other two Service Profiles, you can prepare
corresponding policies. Table 1 displays the three Service Profile options currently made available
through CA Privileged Access Manager Service registration.
CA Privileged Access Manager Service: Service Profiles
After preparing Security Policies for all three Service Profiles, you will see three Security Policies
listed.
1. From the same location in your vCenter client as you used when preparing Security Policies
(Example 1 (see page 30)), click the Security Groups tab to open its pane.
(The list may be empty except for Activity Monitoring Data Collection.)
1. To record all current and future connection sessions to certain devices, create a Security
Group named Capture Sessions SG:
2. Click the 1 Name and description tab, and enter in the Name field "Capture Sessions SG".
3. In 2 Define dynamic membership, and in the pane at the right named Membership criteria 1:
4. In the lower left drop-down menu, select "Security Tag" to specify that the VMs with a
Security Tag (as defined below) are included in this group.
7. In the lower right corner, click the Finish button to activate the Security Group, as we have
provided the definition that we need for this group.
2. Click the Rank number (here, "3") for the Session Recording SP policy so that the line item is
selected, then right click and select Apply Policy from the pop-up menu.
We're now ready to apply a Security Tag to a VM device, to illustrate how the Security Group picks up
the tagged device for imposition of the policy – and the effect of that policy for CA Privileged Access
Manager.
3. From the new left-hand menu items, select the Hosts and Clusters item.
4. In the left panel (with left tab at top selected), open the tree until you find an (existing) VM to
which you would like to apply this Security Group. In this example, the device is named "BEE".
The VM device ("BEE") has a number of specification panels. Here we want to apply the tag specified
when you created the "Capture Sessions SG" Security Group – that is, Capture Sessions ST:
1. Select the "BEE" line item. Then in the device specification section to the right, in the Security
Tags pane:
2. Click the Manage link in the lower right corner of the pane.
3. In the Assign Security tag pop-up window, click the icon to create the new "Capture Sessions
ST" tag.
4. When created, scroll to the location of the new tag, and select it.
6. Note that not only is the "Capture Sessions ST" tag listed in the Security Tags pane, but also
the "Capture Sessions SG" that uses that tag is also specified in the Security Groups pane.
Because that group has the "Capture Sessions SP" Security Policy applied against it, then when a CA
Privileged Access Manager User attempts a connection session to BEE – whether or not the CA
Privileged Access Manager policy itself specifies session recording – CA Privileged Access Manager
activates recording.
Let's now see how that works in CA Privileged Access Manager.
1. Navigate CA Privileged Access Manager to the Devices > Manage Devices page.
Note: You can also continue instead with a CA Privileged Access Manager-based Device Group that
includes this Device. In place of a fixed, imported tag, manually apply the imported Security Tag as
described in the following steps:
1. Note that there is an editable "CA Privileged Access Manager-assigned-tag-3", but there are
also two tags which – in CA Privileged Access Manager – are not editable: "NSX-SG-Capture
Sessions SG" and "NSX-TAG-Capture Sessions ST".
These reflect the Security Group and Security Tag that were imported from VMware.
3. Create (or open) a policy for BEE (and you, the current administrator User).
Do not assign a recording policy.
Thus, the VMware Security Policy overruled the (empty) CA Privileged Access Manager recording
policy, dynamically imposing session recording.
Examples: https://vcenter.example.com/sdk
https://192.0.2.1:55555/sdk
https://vcenter2.example.com:65123/
Device Sync: Checkbox (checked or unchecked). Check the box if you want all (non-XsuiteIgnore
tagged) virtual machines (VMs) to be imported upon clicking Add, and then after each Global
VMware vCenter Sync period.
Add: Button (click to execute). Click to load this currently staged vCenter specification to the
VMware vCenter Configuration list.
Examples: https://nsx.example.com/
https://192.0.2.1:55555/
https://nsx2.example.com:65123/
Access page runtime updates: Checkbox (selected or unselected). When this option is selected, NSX
synchronization with CA Privileged Access Manager is initiated whenever the Access page is loaded.
NOTE This feature increases Access page load time.
Background updates: Checkbox (selected or unselected). When this option is selected, CA Privileged
Access Manager update is initiated after NSX settings are updated, and after each vCenter Refresh
Interval.
Register: Button (click to execute). Register this currently staged NSX specification. Returns (at
top of page) one of:
VMware NSX configuration successfully updated.
VMware NSX partner service was successfully registered.
VMware NSX partner service was not registered. See log for details.
Save: Button (click to execute). This label appears only after a failed NSX registration attempt.
Returns (at top of page):
VMware NSX configuration successfully updated.
Disable: Button (click to execute). This button appears only after an NSX registration attempt.
Resets all widgets to default values (empty the fields). Returns (at top of page) one of:
VMware NSX partner service was successfully unregistered.
Important
If your CA Privileged Access Manager installation allows or you plan to allow use of both
VMware NSX API Proxy and AWS API Proxy, these proxies must be on different subnets.
1. A user sends a REST API request (intended for NSX Manager) to the new CA Technologies
VMware NSX API Proxy. The request uses credentials from CA Privileged Access Manager,
which are valid only for use with this proxy. (They differ from the credentials used by NSX
Manager).
2. The proxy validates the request and obtains the actual (and persistent) NSX Manager credentials
that have been vaulted on CA Privileged Access Manager. It then forwards the request to NSX
Manager using those credentials.
3. The NSX Manager response is passed directly to the user while audit and request syslog
entries are stored in vCenter Log Insight. If configured, CA Privileged Access Manager rotates
the NSX Manager credential.
A VMware NSX API Proxy User role has the accessAll and manageAll privileges, and a
VmwareNsxApiProxy role allows use of the proxy.
Auto-activation whitelist
Only NSX API Proxies which are within specified subnets are permitted to automatically receive NSX
Manager credentials from CA Privileged Access Manager. Such subnets are called "whitelisted
subnets".
Specify these whitelists as follows:
1. Navigate to the Config, 3rd Party page, and scroll to the bottom.
2. In the VMware NSX API Proxy Auto-Activation Whitelist panel, enter a private subnet that
contains the NSX API Proxy instances. Use CIDR form (for example, 10.21.1.0/24), and click
Save.
You receive a green confirmation message at the top of the page: "NSX API Proxy Auto-
Activation Whitelist successfully updated."
-Xmx1024m -Xms1024m
Note
Do not copy-and-paste the string into a word processor (such as Microsoft Word) before
pasting into the Java Control Panel. This action might alter the characters. Instead, if you
want to store the string, use a plain-text application such as Notepad.
To confirm that the heap adjustment has taken effect: When your mouse is in focus in the Java
console, press: m to display the memory values. If successful, the results are close to the settings.
2. Log in as CA Privileged Access Manager User "config", or as another account with at least a
role of Configuration Manager. For example, you can also use "super".
4. In the Upload Certificate or Private Key panel, Browse to your certificate files and Upload
them.
Upload at least the public certificate and private key, and these files must have the same root
name. The public and private key files should end with the ".crt" and ".key" extensions
respectively; for example, you might have "ExampleCorp1.crt" and "ExampleCorp1.key".
5. In the (new) Sign CA Privileged Access Manager Applets panel on that page, Select A
Certificate with the bundle root name you uploaded.
6. To confirm certificate integrity, click Verify Certificate, and note the confirmation message at
the top of the page.
7. After the certificate passes verification, click Sign Applets With Certificate, and wait a few
moments for the CA Privileged Access Manager applets to be signed, and confirmed at the top
of the page.
9. Log out from CA Privileged Access Manager, and then log back in.
Client Configuration
Your clients must be configured to trust the public certificate that is used to sign the CA Privileged
Access Manager JARs:
On each client, add the public certificate of the CA to your Java JRE installation (Java Control
Panel, Security, Manage Certificates, User tab + Certificate Type = "Signer CA" > Import), or to
your browser certificate store.
Juniper Integration
Customers can allow use of manual login to access a CA Privileged Access Manager appliance behind
a Juniper Networks SSL VPN, rather than requiring that they be configured for CA Privileged Access
Manager auto-connection access.
User experience
Juniper setup
1. Log in to Juniper.
For the URL string for that bookmark, append the tag below:
?XSUITE_VPN_LOGIN=1
EXAMPLE https://xsuite.example.com/?XSUITE_VPN_LOGIN=1
Verify that you provide a trailing slash "/" to the CA Privileged Access Manager address/path.
2. Select the Juniper bookmark you created earlier, and open the CA Privileged Access Manager
login page.
Setup
To modify a Java application or application server (such as Weblogic, JBoss, or Tomcat) into a
requestor, modify it to use the Privileged Access Manager JARs and native code libraries:
The JAR files must be in the class path of the requestor. The JAR files are cspmclient.jar and
cwjcafips.jar. They are located in the $CSPM_CLIENT_HOME/cspmclient/lib
directory.
If the requestor needs to use the Privileged Access Manager JDBC proxy, the cloakwareJdbc.
jar file must be in the class path of the requestor. It is located in the $CSPM_CLIENT_HOME
/cspmclient/tools directory.
Setting the class path can be done in the standard Java manner or might be application-specific. The
latter is a common requirement of application servers. See your application documentation for
details.
Using the OS-specific environment variable. The possible environment variables are PATH for
Windows, LD_LIBRARY_PATH for Solaris and Linux, and LIBPATH for AIX.
The JDBC driver's class, which must be in the class path of the requestor
Additional driver parameters, such as the username and password to log in as, the driver buffer
sizes, and so on.
1. Change the driver reference from the original DBMS-specific one to the Privileged Access
Manager JDBC driver. The driver class name becomes com.cloakware.jdbc.
JdbcDriver.
2. Change the JDBC connection string to add information specifying the Privileged Access
Manager JDBC driver name, the target alias that identifies the target account, and the class
name of the original DBMS JDBC driver as follows:
alias is the target alias that is associated with the target account the requestor
uses to log in to the DBMS
CA Technologies also recommends that the username and password fields be cleared out because
they are overwritten by the Privileged Access Manager JDBC proxy driver.
Before: jdbc:oracle:thin:@//dbHost:1521/myService
After: cspm:jdbc:oracle:thin:@//dbHost:1521/myService;
CSPMDriver=oracle.jdbc.OracleDriver;CSPMAlias=myAlias
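As an added example (not CA's code), this Python helper produces the "After" connection string from the "Before" one, strips any user/password query parameters from the original URL (the proxy driver overwrites them, which is why the page recommends clearing those fields), and splits a proxy URL back into its parts. The cspm: prefix, the CSPMDriver and CSPMAlias keys and the driver class name come from the page; the validation rules, including the assumption that the original URL contains no ';', are mine.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Driver class named on this page for the Privileged Access Manager JDBC proxy.
PROXY_DRIVER_CLASS = "com.cloakware.jdbc.JdbcDriver"

# Java fully qualified class name (assumed validation rule, not from the page).
JAVA_CLASS_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")
# Query parameters that carry credentials in common JDBC URL styles (assumption).
CREDENTIAL_PARAMS = {"user", "username", "password"}


def strip_credentials(jdbc_url):
    """Remove user/password query parameters from a JDBC URL.

    The proxy driver overwrites the username and password anyway, so credentials
    embedded in the URL are dead weight that would only leak into logs and configs.
    """
    base, sep, query = jdbc_url.partition("?")
    if not sep:
        return jdbc_url
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() not in CREDENTIAL_PARAMS]
    return base + ("?" + urlencode(kept) if kept else "")


def to_cspm_url(jdbc_url, driver_class, alias):
    """Build the 'After' form: cspm:<url>;CSPMDriver=<class>;CSPMAlias=<alias>."""
    if not jdbc_url.startswith("jdbc:"):
        raise ValueError(f"not a JDBC URL: {jdbc_url!r}")
    if ";" in jdbc_url:
        # Assumption: ';' is the separator of the CSPM parameter list, so the original
        # URL must not contain one (the page does not describe an escaping scheme).
        raise ValueError("original URL contains ';', which would break the CSPM parameter list")
    if not JAVA_CLASS_RE.match(driver_class):
        raise ValueError(f"not a Java class name: {driver_class!r}")
    if not alias or any(c in alias for c in ";="):
        raise ValueError(f"invalid alias: {alias!r}")
    return f"cspm:{strip_credentials(jdbc_url)};CSPMDriver={driver_class};CSPMAlias={alias}"


def from_cspm_url(cspm_url):
    """Inverse of to_cspm_url: return (original_url, driver_class, alias)."""
    if not cspm_url.startswith("cspm:"):
        raise ValueError(f"not a CSPM proxy URL: {cspm_url!r}")
    original, *params = cspm_url[len("cspm:"):].split(";")
    options = dict(p.split("=", 1) for p in params if "=" in p)
    try:
        return original, options["CSPMDriver"], options["CSPMAlias"]
    except KeyError as missing:
        raise ValueError(f"missing {missing} in {cspm_url!r}") from None


if __name__ == "__main__":
    before = "jdbc:oracle:thin:@//dbHost:1521/myService"
    after = to_cspm_url(before, "oracle.jdbc.OracleDriver", "myAlias")
    print("Driver class:", PROXY_DRIVER_CLASS)
    print("Before:", before)
    print("After: ", after)
```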
Salesforce Service Cloud Winter 2015 release (supports password viewing, but not updating)
Auto-Connect Access
Credential Manager Workflow can be applied to user access by applying a Password View Policy to
the privileged user account. The Password View Policy can use a Service Desk Integration to validate
access with a service desk ticket number.
Before you proceed, change the passwords for the two Accounts, both named "nimadmin," from
their default passwords.
3. Click the nimadmin Account Name for the CA Normalized Integration Management for Service
Management application.
4. Enter a new password in the Password field, select Update both the Password Authority
Server and the target, and click Save.
A message displays: "The account was saved successfully."
5. Repeat this procedure for the nimadmin Account for the CA Normalized Integration
Management for User Management application.
Navigate to your service desk solution for its specific integration procedures:
arapi8*.jar
arutil81*.jar
3. Save the copied JAR files to a location accessible to the CA Privileged Access Manager system.
4. In CA Privileged Access Manager, select 3rd Party from the Config menu.
5. Scroll to the Remedy Service Desk Configuration section. Use the Choose File button to
browse for the JAR files individually. Use the Upload button to upload each file, one at a time.
Note: If you are load balancing, you have to upload the JAR files to each server. The files are
the same for Windows and Linux.
6. Restart the app server by clicking the Restart Tomcat button. Wait until the process
completes.
A message displays: "Tomcat restarted successfully."
Device Configuration
To integrate with BMC Remedy ITSM, create a target server device.
1. Navigate to Manage Devices under the Devices menu. Click the Create Device link.
6. The remaining values are optional, and are described in Device Setup (https://docops.ca.com
/display/CAPAM28/Device+Setup).
7. Click Save.
Application Configuration
Next, set up an Application for BMC Remedy.
1. Load Credentials Management by selecting Manage Passwords under the Policy menu.
2. Navigate to Applications under the Targets menu. Click the Add button.
The Application Details panel appears.
3. Click the Find Server magnifying glass icon to select the Remedy device you created.
The Host Name and Device Name are populated.
6. Select a Password Composition Policy if you have created one, or leave the default "None."
9. Enter the BMC Remedy Client URL. The initial field value suggests the correct format for the
URL (http://bmc_client_host_name:8080/arsys).
Account Configuration
Set up the Account using the Device and Application you have already set up.
1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.
2. Navigate to Accounts under the Targets menu. Click the Add button.
The Accounts Details panel appears.
3. Click the Find Server magnifying glass icon to select the Remedy device you created.
The Host Name and Device Name are populated.
4. Click the Find Application magnifying glass icon to select the Remedy application you created.
The Remedy Account Details box is added to the Application Details panel, with the Change
Process selection.
6. Leave the Password View Policy as Default unless you already have one to use.
7. Enter a password or click the Generate Password icon. Generating a password disables the
Show Password check box.
Note: The remaining password-related fields are read-only. The maximum age and expiration
fields are determined by the Password Composition Policy, if any. See Password Composition
Policies (https://docops-dev.ca.com/display/CAPAM/Password+Composition+Policies) for more
information about Password Composition Policies.
8. Choose a Synchronized option. The default is to change only the Password Authority Server.
To change the password on the target server also, choose "Update both."
9. In the Remedy Account Details box, select the Change Process. Choose whether the Account
can change its own password, or indicate another account. If the user does not have
permission to change passwords, use another account. Selecting "Use the following account
to change password" displays a list of existing accounts to choose from.
10. You can optionally select an Owner User Name from the list of users on the CA Privileged
Access Manager system.
1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.
2. Navigate to Password View Policies under the Workflow menu. Click the Add button.
The Password View Policy Details panel appears.
4. Enter the Remedy Server name, the Remedy Application name, and the Account name.
5. You can be more specific in your ticket number request by limiting the type of ticket or by
using a query filter. Ticket Type defaults to All. Incident, Problem, Change, and Request are
also available. See Query Filter (see page 55) for details about Query Filters.
6. You can use more credential workflow methods, such as dual authorization and re-
authentication. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information.
7. Click Save.
A message appears: "The Password View Policy Has Been Saved Successfully"
Query Filter
The Query Filter field enables you to create Queries with combinations of values to filter which
service desk tickets are used for validation.
Field Values
Impact: high, low, medium, minor
Operators
== (equals)
&& (and)
|| (or)
!= (not equals)
Examples
status==active
status!=closed
status==open
(urgency==critical&&priority==high)||status==inprogress&&impact==high
Fixes applied based on your version of CA Service Desk Manager and the operating system it is
running on:
r12.7
r12.9
T52Y220 – Windows
T52Y223 – Linux
T52Y223 – Linux
T52Y224 – Solaris
T52Y225 – AIX
CA Service Desk Manager REST Services are installed and deployed. REST Services are not
deployed by default. To deploy them, use the following command:
pdm_rest_util –deploy
PIN-Based Authentication
CA Service Desk Manager contact records do not have a "password" field, but another field is used
for the password. A CA Service Desk Manager administrator can specify a contact record field such as
contact_num or email_address to be used for passwords. This means that updating a password
through CA Privileged Access Manager updates that same field.
1. On the CA Service Desk Manager system, navigate to Administration, Security and Role
Management, Access Types.
2. Select the Access Type for which you are enabling PIN-based authentication.
3. On the Web Authentication tab, select PIN from the Validation Type drop-down list.
4. Click Save.
Device Configuration
To integrate with CA Service Desk Manager, create a new target server device.
Follow these steps:
1. Navigate to Manage Devices under the Devices menu. Click the Create Device link.
6. The remaining values are optional, and are described in Device Setup (https://docops.ca.com
/display/CAPAM28/Device+Setup).
7. Click Save.
Application Configuration
Next, set up an Application for CA Service Desk Manager.
Follow these steps:
1. Load Credentials Management by selecting Manage Passwords under the Policy menu.
2. Navigate to Applications under the Targets menu. Click the Add button.
The Application Details panel appears.
3. Click the Find Server magnifying glass icon to select the CA SDM device you created.
The Host Name and Device Name are populated.
6. Select a Password Composition Policy if you have created one, or leave the default "None."
8. Enter the SOAP Protocol, SOAP Port, REST Protocol, and REST Port.
10. Enter the PIN Field (such as contact_num or email_address) that CA Service Desk Manager is
using as password.
Account Configuration
Set up the Account using the Device and Application you have already set up.
Follow these steps:
1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.
2. Navigate to Accounts under the Targets menu. Click the Add button.
The Accounts Details panel appears.
3. Click the Find Server magnifying glass icon to select the CA SDM device you created.
The Host Name and Device Name are populated.
4. Click the Find Application magnifying glass icon to select the CA SDM application you created.
The CA SDM Account Details box is added to the Application Details panel, with the Change
Process selection.
6. Leave the Password View Policy as Default unless you already have one to use.
7. Enter a password or click the Generate Password icon. Generating a password disables the
Show Password check box.
Note: The remaining password-related fields are read-only. The maximum age and expiration
fields are determined by the Password Composition Policy, if any. See Password Composition
Policies (https://docops-dev.ca.com/display/CAPAM/Password+Composition+Policies) for more
information.
8. Select a Synchronized option. The default is to change only the Password Authority Server. To
change the password on the target server also, select "Update both."
9. In the CA SDM Account Details box, select the Change Process. Select whether the Account
can change its own password, or indicate another account. If the user does not have
permission to change passwords, use another account. Selecting "Use the following account
to change password" displays a list of existing accounts to select from.
10. You can optionally select an Owner User Name from the list of users on the CA Privileged
Account Manager system.
1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.
2. Navigate to Password View Policies under the Workflow menu. Click the Add button.
The Password View Policy Details panel appears.
3. Select CA Service Desk Manager from the Service Desk Integration drop-down list.
A box appears with specific CA SDM configuration fields. Reason Required For View and
Reason Required For Auto-Connect are selected. These options are required for service desk
integration. A warning appears if you try to clear either checkbox.
4. Enter the CA SDM Server name, the CA SDM Application name, and the Account name.
5. You can limit your ticket number request by the type of ticket or by using a query
filter. Ticket Type defaults to All. Incident, Problem, Change, and Request are also available.
See Query Filter (see page 60) for details about Query Filters.
6. You can use additional credential workflow methods, such as dual authorization and
re-authentication. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information.
7. Click Save.
A message appears: "The Password View Policy Has Been Saved Successfully"
Query Filter
The Query Filter field enables you to create Queries with combinations of values that are used to
filter which service desk tickets are used for validation.
Field Values
Impact: entireorganization, multiplegroups, none, oneperson, singlegroup, smallgroup
Operators
== (equals)
&& (and)
|| (or)
!= (not equals)
Examples
status== acknowledged
status!=closed
status==open
(urgency==immediate&&priority==highpriority)||status==inprogress&&impact==none
Device Configuration
To integrate with HP Service Manager, create a target server device.
1. Navigate to Manage Devices under the Devices menu. Click the Create Device link.
6. The remaining values are optional, and are described in Device Setup (https://docops.ca.com
/display/CAPAM28/Device+Setup).
7. Click Save.
Application Configuration
Next, set up an Application for HP Service Manager.
1. Load Credentials Management by selecting Manage Passwords under the Policy menu.
2. Navigate to Applications under the Targets menu. Click the Add button.
The Application Details panel appears.
3. Click the Find Server magnifying glass icon to select the HP Service Manager device you
created.
The Host Name and Device Name are populated.
4. Enter "HP Service Manager" or similar into the Application Name field.
5. Select "HP Service Manager" from the Application Type drop-down list.
An HP Service Manager Details box is added to the Application Details panel. Each ITSM
solution has its own detail fields.
6. Select a Password Composition Policy if you have created one, or leave the default "None."
9. Enter the HP SM Client URL. The initial field value suggests the correct format for the URL (
http://hpsm-host-name:port-number/webtier-9.32 ).
Account Configuration
Set up the Account using the Device and Application you have already set up.
1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.
2. Navigate to Accounts under the Targets menu. Click the Add button.
The Accounts Details panel appears.
3. Click the Find Server magnifying glass icon to select the HP Service Manager device you
created.
The Host Name and Device Name are populated.
4. Click the Find Application magnifying glass icon to select the HP Service Manager application
you created.
The HP Service Manager Account Details box is added to the Application Details panel, with
the Change Process selection.
6. Leave the Password View Policy as Default unless you already have one to use.
8. Choose a Synchronized option. The default is to change only the Password Authority Server.
To change the password on the target server also, choose "Update both."
9. In the HP Service Manager Account Details box, select the Change Process. Choose whether
the Account can change its own password, or indicate another account. If the user does not
have permission to change passwords, use another account.
Selecting "Use the following account to change password" displays a list of existing accounts
to choose from.
10. You can optionally select an Owner User Name from the list of users on the CA Privileged
Account Manager system.
1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.
2. Navigate to Password View Policies under the Workflow menu. Click the Add button.
The Password View Policy Details panel appears.
3. Select HP Service Manager from the Service Desk Integration drop-down list.
A box appears with specific HP Service Manager configuration fields. Reason Required For
View and Reason Required For Auto-Connect are selected. These options are required for
service desk integration. A warning appears if you try to clear either checkbox.
4. Enter the HP Service Manager Server name, the HP Service Manager Application name, and
the Account name.
5. You can be more specific in your ticket number request by limiting the type of ticket or by
using a query filter. Ticket Type defaults to All. Incident, Problem, Change, and Request are
also available. See Query Filter (see page 64) for details about Query Filters.
6. You can use additional credential workflow methods, such as dual authorization and
re-authentication. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information.
7. Click Save.
A message appears: "The Password View Policy Has Been Saved Successfully"
Query Filter
The Query Filter field enables you to create Queries with combinations of values to filter which
service desk tickets are used for validation.
Field Values
Impact: enterprise, multiple users, site/dept, user
Status: accepted, closed, open, pending change, pending customer, pending other, pending
vendor, referred, rejected, replaced problem, resolved, work in progress
Operators
== (equals)
&& (and)
|| (or)
!= (not equals)
Examples
status== accepted
status!=closed
status==open
(urgency==critical&&impact==enterprise)||status==open&&urgency==high
ServiceNow Integration
Device Configuration
To integrate with ServiceNow, create a target server device.
1. Navigate to Manage Devices under the Devices menu. Click the Create Device link.
6. The remaining values are optional, and are described in Device Setup (https://docops.ca.com
/display/CAPAM28/Device+Setup).
7. Click Save.
Application Configuration
Next, set up an Application for ServiceNow.
1. Load Credentials Management by selecting Manage Passwords under the Policy menu.
2. Navigate to Applications under the Targets menu. Click the Add button.
The Application Details panel appears.
3. Click the Find Server magnifying glass icon to select the ServiceNow device you created.
The Host Name and Device Name are populated.
6. Select a Password Composition Policy if you have created one, or leave the default "None."
8. Enter the ServiceNow URL. The initial field value suggests the correct format for the URL
(https://servicenow-host-name).
9. Enter the ServiceNow Client URL. The initial field value suggests the correct format for the
URL (https://servicenow-host-name).
10. If the ServiceNow instance uses a Custom Endpoint, enter "true" in the Custom Endpoint field.
If not, leave the default setting of "false."
Account Configuration
Set up the Account using the Device and Application you have already set up.
Follow these steps:
1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.
2. Navigate to Accounts under the Targets menu. Click the Add button.
The Accounts Details panel appears.
3. Click the Find Server magnifying glass icon to select the ServiceNow device you created.
The Host Name and Device Name are populated.
4. Click the Find Application magnifying glass icon to select the ServiceNow application you
created.
The ServiceNow Account Details box is added to the Application Details panel, with the
Change Process selection.
6. Leave the Password View Policy as Default unless you already have one to use.
7.
8. Choose a Synchronized option. The default is to change only the Password Authority Server.
To change the password on the target server also, choose "Update both."
9. In the ServiceNow Account Details box, select the Change Process. Choose whether the
Account can change its own password, or indicate another account. If the user does not have
permission to change passwords, use another account.
Selecting "Use the following account to change password" displays a list of existing accounts
to choose from.
10. You can optionally select an Owner User Name from the list of users on the CA Privileged
Account Manager system.
1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.
2. Navigate to Password View Policies under the Workflow menu. Click the Add button.
The Password View Policy Details panel appears.
4. Enter the ServiceNow Server name, the ServiceNow Application name, and the Account name.
5. You can be more specific in your ticket number request by limiting the type of ticket or by
using a query filter. Ticket Type defaults to All. Incident, Problem, Change, and Request are
also available. See Query Filter (see page 68) for details about Query Filters.
6.
6. You can use additional credential workflow methods, such as dual authorization and
re-authentication. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information.
7. Click Save.
A message appears: "The Password View Policy Has Been Saved Successfully"
Query Filter
The Query Filter field enables you to create Queries with combinations of values to filter which
service desk tickets are used for validation.
Field Values
Impact: high, low, medium
Status: active, awaiting evidence, awaiting problem, awaiting user info, closed, new, resolved
Operators
== (equals)
&& (and)
|| (or)
!= (not equals)
Examples
status== active
status!=closed
status==new
(urgency==high&&impact==high)||status==open&&(urgency==high||urgency==medium)
1. Navigate to Manage Devices under the Devices menu. Click the Create Device link.
6. The remaining values are optional, and are described in Device Setup (https://docops.ca.com
/display/CAPAM28/Device+Setup).
7. Click Save.
Application Configuration
Next, set up an Application for Salesforce Service Cloud.
1. Load Credentials Management by selecting Manage Passwords under the Policy menu.
2. Navigate to Applications under the Targets menu. Click the Add button.
The Application Details panel appears.
3. Click the Find Server magnifying glass icon to select the Salesforce Service Cloud device you
created.
The Host Name and Device Name are populated.
4. Enter "Salesforce Service Cloud" or similar into the Application Name field.
6. Select a Password Composition Policy if you have created one, or leave the default "None."
8. Click Save.
Account Configuration
Set up the Account using the Device and Application you have already set up.
1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.
2. Navigate to Accounts under the Targets menu. Click the Add button.
The Accounts Details panel appears.
3. Click the Find Server magnifying glass icon to select the Salesforce Service Cloud device you
created.
The Host Name and Device Name are populated.
4. Click the Find Application magnifying glass icon to select the Salesforce Service Cloud
application you created.
6. Leave the Password View Policy as Default unless you already have one to use.
8. You can optionally select an Owner User Name from the list of users on the CA Privileged
Account Manager system.
9. Click Save.
The Message "The account was saved successfully" appears.
1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.
2. Navigate to Password View Policies under the Workflow menu. Click the Add button.
The Password View Policy Details panel appears.
3. Select Salesforce Service Cloud from the Service Desk Integration drop-down list.
A box appears with specific Salesforce Service Cloud configuration fields. Reason Required
For View and Reason Required For Auto-Connect are selected. These options are required for
service desk integration. A warning appears if you try to clear either checkbox.
4. Enter the SFDC Server name, the SFDC Application name, and the SFDC Account name.
5. Enter the SFDC Login Endpoint URL. The initial field value suggests the correct format for the
URL (https://login.salesforce.com/services/Soap/u/32.0).
6. Enter the SFDC Service Cloud Client URL. The initial field value suggests the correct format for
the URL (https://sfdc-instance-name).
7. Enter the Date Format of Salesforce Service Cloud. The default is yyyy-MM-dd'T'HH:mm:ss.
SSS'Z'.
8. Enter Case Object, Case Comment Object, and Attachment Object according to Salesforce
Service Cloud configuration.
9. See Query Filter (see page 71) for details about Query Filters.
11. You can use additional credential workflow methods, such as dual authorization. See Password
View Policies (https://docops-dev.ca.com/display/CAPAM/Password+View+Policies) for more
information.
Query Filter
The Query Filter field enables you to create Queries with combinations of values to filter which
service desk cases are used for validation.
Field Values
Status: new, escalated, on hold, waiting on customer, working, researching, closed
Operators
== (equals)
&& (and)
|| (or)
!= (not equals)
Examples
status== new
status!=closed
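The Query Filter sections above (CA Service Desk Manager, HP Service Manager, ServiceNow, and Salesforce Service Cloud) list the operators and give example expressions but do not show how an expression is evaluated against a ticket. The following evaluator is an added example, not code from the original page or from CA PAM; it parses the documented syntax (==, !=, &&, ||, and parentheses) and applies it to a few constructed tickets. Several points are assumptions the page does not state: && binds tighter than || (as in C, so INC-5 below matches the CA SDM example expression only under that precedence), whitespace around an operator is ignored (the page writes "status== acknowledged"), multi-word values such as "pending change" are matched as written, and comparisons are case-insensitive.

```python
"""Evaluator for the Query Filter syntax shown above (constructed example,
not the evaluator CA PAM ships). Assumptions the page does not state:
&& binds tighter than || (parentheses override); whitespace around operators
is ignored; values may contain single spaces; comparison is case-insensitive."""
import re

_TOKEN = re.compile(r'\s*(==|!=|&&|\|\||\(|\)|[^=!&|()]+)')   # operator, paren, or plain text
_SPECIAL = {'==', '!=', '&&', '||', '(', ')'}

def tokenize(expr):
    """Split a filter into tokens; a stray single '=', '!', '&' or '|' is an error."""
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1).strip():
            tokens.append(m.group(1).strip())
    return tokens

def parse(tokens):
    """Recursive descent into ('cmp', op, field, value) / ('and', l, r) / ('or', l, r)."""
    pos = 0
    def take(expected=None):
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        pos += 1
        return tok
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def parse_or():                      # lowest precedence
        node = parse_and()
        while peek() == '||':
            take()
            node = ('or', node, parse_and())
        return node
    def parse_and():                     # binds tighter than ||
        node = parse_atom()
        while peek() == '&&':
            take()
            node = ('and', node, parse_atom())
        return node
    def parse_atom():
        if peek() == '(':
            take('(')
            node = parse_or()
            take(')')
            return node
        field, op, value = take(), take(), take()
        if field in _SPECIAL or op not in ('==', '!=') or value in _SPECIAL:
            raise ValueError(f"malformed comparison: {field} {op} {value}")
        return ('cmp', op, field, value)
    node = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected trailing token {tokens[pos]!r}")
    return node

def evaluate(node, ticket):
    """Evaluate an AST against one ticket (dict of field -> value); a missing field compares as ''."""
    if node[0] == 'cmp':
        _, op, field, value = node
        hit = str(ticket.get(field, '')).strip().lower() == value.lower()
        return hit if op == '==' else not hit
    kind, left, right = node
    if kind == 'and':
        return evaluate(left, ticket) and evaluate(right, ticket)
    return evaluate(left, ticket) or evaluate(right, ticket)

def select_tickets(filter_expr, tickets):
    """Ids of the tickets that satisfy the filter, in input order."""
    ast = parse(tokenize(filter_expr))
    return [t['id'] for t in tickets if evaluate(ast, t)]

def is_valid_filter(filter_expr):
    """True when the expression parses; lets a form validate a filter before saving it."""
    try:
        parse(tokenize(filter_expr))
        return True
    except ValueError:
        return False

# Constructed sample tickets using the CA SDM values listed above; HPSM-6 uses
# an HP Service Manager status that contains a space.
SAMPLE_TICKETS = [
    {'id': 'INC-1', 'status': 'open', 'urgency': 'immediate', 'priority': 'highpriority', 'impact': 'none'},
    {'id': 'INC-2', 'status': 'closed', 'urgency': 'immediate', 'priority': 'highpriority', 'impact': 'none'},
    {'id': 'INC-3', 'status': 'inprogress', 'urgency': 'low', 'priority': 'lowpriority', 'impact': 'none'},
    {'id': 'INC-4', 'status': 'inprogress', 'urgency': 'low', 'priority': 'lowpriority', 'impact': 'oneperson'},
    {'id': 'INC-5', 'status': 'open', 'urgency': 'immediate', 'priority': 'highpriority', 'impact': 'oneperson'},
    {'id': 'HPSM-6', 'status': 'pending change', 'urgency': 'high', 'impact': 'enterprise'},
]
```

Run `select_tickets('(urgency==immediate&&priority==highpriority)||status==inprogress&&impact==none', SAMPLE_TICKETS)` to see the CA SDM example expression applied. Because a filter decides which tickets satisfy the "reason required" check before a password is viewed, it is worth confirming the precedence the product actually uses for an unparenthesised mix of && and || against a test ticket, and writing the filter with explicit parentheses so the question never arises.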
To use server names instead of IP addresses, verify that DNS Servers are configured in the
Network Configuration section. From the CA Privileged Access Manager page, click the
Config menu, then Network. In the Network Configuration, verify that the DNS Servers field
has DNS IP addresses listed. If none is listed, add your DNS Servers. Click Update in the
Network Interfaces section.
CA Modules Configuration
Set up ActiveMQ for Server Control in the Server Control Section of CA Modules. Some information
from the CA Privileged Access Manager Server Control setup is required.
1. From the CA Privileged Access Manager page, click the Config menu, then CA Modules.
The CA Modules panel appears.
2. In the Server Control section, check the Enable Login Integration box.
3. Enter the target server hostname or IP address in the ENTM Host Name or IP field.
Create a Device
Create a Device for the CA Privileged Access Manager Server Control endpoint.
4. Enter the IP address in the Address field. You can verify the IP address by clicking the Scan
link.
7. Add an Access Method by clicking the access type (such as SSH or RDP).
Specific access method details appear. Add or alter the information as necessary.
8. All other fields are optional. Click Help on the Manage Device page for more information.
9. Click Save when finished, or click Save and Add Target Applications to go directly to the next
step.
Create an Application
Create an Application for the CA Privileged Access Manager Server Control endpoint.
4. Enter the host name in the Host Name field. You can use the Find Server magnifying glass icon
to select from Devices that have already been created.
5. Enter the device name in the Device Name field. Selecting a host name with Find Server also
populates this field.
Create an Account
Create an Account for the CA Privileged Access Manager Server Control endpoint.
1. If you are not already in Credentials Management, select Manage Passwords on the Policy
menu.
A Loading Credentials Management message appears.
4. Enter the host name in the Host Name field. You can use the Find Server magnifying glass icon
to select from Devices that have already been created.
5. Enter the device name in the Device Name field. Selecting a host name with Find Server also
populates this field.
6. Use the Find Application magnifying glass icon to select from Applications that have already
been created for the Device. You can use the Add Application plus sign icon to add an
application from this page.
7. Enter the Account Name to use for connecting to the Server Control endpoint.
9. Other fields are optional. At this point, you may want to enable password management
options. For more information, see Maximum Password Age (https://docops.ca.com/display
/CAPAM28/Maximum+Password+Age).
Create a Policy
Create an Access Policy for the Server Control endpoint.
1. On the CA Privileged Access Manager access management page, select Manage Policies from
the Policy menu.
2. Click the User Field and select the User for connecting to the CA PAM Server Control device.
3. Click the Device Field and select the CA PAM Server Control Device.
9. Check the box for Login Integration opposite to CA PAM Server Control.
1. Click the Access link on the upper left of the CA Privileged Access Manager home page.
A list of Device Names appears with corresponding Access Methods and Target Applications.
2. Click the Access Method link (such as RDP or SSH) for the Server Control Device you are
integrating.
An RDP or SSH session opens to the Device.
3. For Windows RDP, open PowerShell or the Command prompt. For Linux, use the SSH prompt.
The prompt includes the local CA Privileged Access Manager Server Control privileged user
login, not the CA Privileged Access Manager user.
5. Find the "PUPM User". This should be CA Privileged Access Manager user, not the local Server
Control privileged user.
Important
CA Privileged Access Manager does not support integration with CA Single Sign-On for AWS
instances in this version.
Prerequisites
CA Single Sign-On Policy Server requires manual set-up before setting up CA Privileged Access
Manager. Depending on the resources that you want to protect, you configure many of the
following objects on the Policy Server:
Agent, Agent Configuration Object, Host Configuration Object, Directory Object, Authentication
Scheme Object, and either an Application, Domain, or Realm Object.
1. Create an Agent.
a. On the Infrastructure menu, select Agent, then Agents on its submenu. Click the
Create Agent button on the right. Click OK to accept the option "Create a new object
of type Agent."
b. For Name, enter the Fully Qualified Domain Name of the host CA Privileged Access
Manager.
a. On the Agent menu, select Agent Configuration Objects. Click the Create Agent
Configuration button.
b. Select the option "Create a copy of an object of type Agent Configuration." The
ApacheDefaultSettings object is selected by default. Click OK.
Note
Use the value of the Name field in the CA Privileged Access Manager SSO
configuration.
AgentName: Enter the Name of the Agent object created in Step 1. Click OK.
DefaultAgentName: Enter the Name of the Agent object created in Step 1. Click
OK.
e. Click Submit.
b. Click Create Host Configuration to create one, or edit one by clicking the pencil
opposite its Name field. For example, use DefaultHostSettings.
Note
Use the value of the Name field in the CA Privileged Access Manager SSO
configuration.
c. Ensure that the Host address for the Policy Server field is the IP address of the Policy
Server.
d. Click Submit.
c. In the Username field, enter the DN of a user who has at least read access to the user
directory. For example: CN=test,OU=Administrators,OU=IT,CN=doejo01
Enter the password for this user in the Password and Confirm Password fields.
In the LDAP Settings section, set the LDAP Search Root by entering a DN. For example:
OU=Administrators,DC=company,DC=inc
a. Under the Authentication menu, select Authentication Schemes. Click the Create
Authentication Scheme button on the right.
d. Click Submit.
6.
a. Under the Policies menu, select Application, Applications. Click the Create Application
button on the right.
In the Component Name field, enter Global Settings for our example.
Select the Agent that you created in Step 1 (the Fully Qualified Domain Name of
the host CA Privileged Access Manager). Click OK.
Select the User Directory object that you created in Step 4. Click the arrow to move
it to the Selected Members panel. Click OK.
Click OK.
Click OK.
Click OK.
In the Applications panel, edit CA Privileged Access Manager by clicking the pencil
icon.
Select the box for All Users under the Roles column, in the Global Settings row.
c. Click Submit.
1. On the Config menu, select CA Modules, and find the CA Single Sign-On Configuration section.
Policy Servers IP Address and Port – Use either an IPv4 or an IPv6 address. If you specify a port,
separate it from the address with a colon. If you specify a port with an IPv6 address, enclose the
IP address in square brackets.
Trusted Host Name – The name that is used to register the CA SSO Policy Server with CA
PAM.
FIPS_VALUE
This setting corresponds to one of the three Federal Information Processing Standard
(FIPS) modes in which CA Single Sign-On operates.
COMPAT
FIPS-compatibility mode uses algorithms existing in previous versions of CA Single Sign-
On to encrypt sensitive data to maintain compatibility.
MIGRATE
FIPS-migration mode enables you to transition from FIPS–compatibility mode to FIPS–
only mode.
ONLY
FIPS-only mode ensures that the Agent only accepts session keys, Agent Keys, and
shared secrets that are encrypted using FIPS-compliant algorithms.
Activate – turns on SSO, but does not take effect until the web server is restarted (with
the Restart Apache button).
Disable - If CA Single Sign-On integration is "Currently enabled," this button disables it.
Reset button – returns the previous values of the fields on the CA Single Sign-On
Configuration form.
Restart Apache – Once activated, the CA PAM Apache server requires a restart for the SSO
integration to take effect.
Download Form – The standard CA Single Sign-On login form has been modified for use
with the main CA PAM frame. Download this form (pamlogin_xx-XX.fcc), alter it if
necessary, and copy it to the desired location. Change the Target field value to the new
form name and location.
Download Log – Download the latest log file record of this instance of the CA Single Sign-
On Web Agent. This file might be useful for troubleshooting if problems arise in the
configuration of this CA module integration.
2. Click the Activate button to save your configuration of CA SiteMinder Web Agent and turn on
Single Sign-On.
3. For the changes to take effect, click the Restart Apache button to restart the web server.
4. To test the SSO feature, log in to CA Privileged Access Manager. Attempt to access the
resource you are protecting.
The SSO login screen appears. If the SSO login screen does not appear, the SSO integration has
failed.
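The Policy Servers IP Address and Port field above accepts "address", "IPv4:port" and "[IPv6]:port", and the bracket rule exists because an unbracketed IPv6 address followed by ":port" is itself a syntactically valid IPv6 address. The validator below is an added example, not CA code; it applies only the three rules the page states and is useful for checking a value before it is pasted into the form.

```python
"""Validator for the 'Policy Servers IP Address and Port' value described above.

Constructed example, not CA code. Rules taken from the page: an IPv4 or IPv6
address; an optional port after a colon; square brackets around an IPv6
address whenever a port is given."""
import ipaddress


def _parse_port(text):
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port {text!r}")
    return int(text)


def parse_policy_server(value):
    """Return (ip_address, port); port is None when none was given.
    Raises ValueError for anything outside the documented syntax."""
    value = value.strip()
    if value.startswith('['):                        # [IPv6]:port or [IPv6]
        end = value.find(']')
        if end == -1:
            raise ValueError(f"unterminated '[' in {value!r}")
        ip = ipaddress.ip_address(value[1:end])
        if ip.version != 6:
            raise ValueError(f"brackets are only for IPv6 addresses: {value!r}")
        rest = value[end + 1:]
        if rest == '':
            return ip, None
        if rest.startswith(':'):
            return ip, _parse_port(rest[1:])
        raise ValueError(f"unexpected text after ']': {rest!r}")
    if value.count(':') == 1:                        # IPv4:port (IPv6 always has 2+ colons)
        host, _, port = value.partition(':')
        return ipaddress.ip_address(host), _parse_port(port)
    return ipaddress.ip_address(value), None         # bare IPv4 or bare IPv6


def is_valid_policy_server(value):
    """True when the value follows the documented syntax."""
    try:
        parse_policy_server(value)
        return True
    except ValueError:
        return False
```

Note what happens with `parse_policy_server("2001:db8::1:8443")`: it is accepted as the bare address 2001:db8::1:8443 with no port, which is the silent misconfiguration the bracket rule prevents; the bracketed form `[2001:db8::1]:8443` yields the intended address and port.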
Troubleshooting
Use Console in Emergency
If CA Privileged Access Manager is inaccessible, and you need to disable SSO, use the Utility Console.
If you have a VM, use an admin app such as vSphere to access the console. On the Console Main
Menu, there is a new menu item for SSO. Select Disable CA Single Sign-On.
Known Issues
Agent Configuration Object Internal Server Error
If an invalid Agent Configuration Object is specified, the web agent does not report an error. The user
gets a success message and is prompted to restart. After the restart, they cannot get back into CA
PAM and see this message:
Please contact the server administrator, or support.ca.com and inform them of the time the error occ
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server error was encountered while trying to use an ErrorDocument to ha
To enter CA Privileged Access Manager in this situation, disable SSO with the Utility Console. If you
have a VM, use an admin app such as vSphere to access the console. On the Console Main Menu, there is
a new menu item for SSO. Select Disable CA Single Sign-On.
1. Install the A2A Client. See Install an A2A Client for Credential Management (https://docops.ca.
com/display/CAPAM28/Install+an+A2A+Client+for+Credential+Management).
For a UNIX environment, source the .cspmclientrc file or set up the environment
variables that are contained within the file. The .cspmclientrc file is located in:
$CSPM_CLIENT_HOME/cspmclient/bin.
For Microsoft Visual Studio, you do not need to register the DLL. It was done during A2A
client installation.
For Eclipse, add the cspmclient.jar file to the build path. This allows Eclipse to
compile your application. See the procedure that is described in Set Up Eclipse for A2A
Integration (see page ).
Integration methods for implementing the credential request are described in Methods for
Integrating the Credential Manager A2A Client (https://docops.ca.com/display/CAPAM28
/Methods+for+Integrating+the+Credential+Manager+A2A+Client).
Typically, when you integrate your application or script with the A2A client, you use the cached
version of the credential. However, the supplied credentials only give the requestor access to the
data if the A2A client cache is up-to-date. The following algorithm uses the cached credentials for the
first login attempt. If the login fails, the A2A client cache is bypassed: credentials are retrieved
directly from the CA Privileged Access Manager appliance, and a second login is attempted. By using
the cached credentials for the first login attempt, you help reduce the load on the CA Privileged
Access Manager appliance and improve performance. However, the tradeoff is potentially incurring a
failed login attempt if the cached credential has gone stale.
A failed login attempt can trigger an auditable security incident and possibly an account lockout
condition if the number of failed login attempts exceeds the maximum that the policy allows.
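The cache-first, retry-once algorithm described above, as an added example rather than CA's A2A client code. The `A2AClient` class is a stand-in for the real client library (the page mentions cspmclient but shows no API), so its `get_credentials(alias, use_cache)` method returning a (username, password) pair is an assumption, as is the target's `login(username, password) -> bool` callable; the constructed `Target` class carries a lockout counter so the failed-attempt budget the last paragraph warns about is visible in the results.

```python
"""Cache-first credential retrieval with one direct retry, as described above.

Constructed example; it is not the CA A2A client. A2AClient stands in for the
real client (the cspmclient library), whose API is not shown on this page:
assume get_credentials(alias, use_cache) returns a (username, password) pair.
The target's login(username, password) -> bool callable is also assumed."""


class A2AClient:
    """Stand-in A2A client: `cache` is the local (possibly stale) copy,
    `appliance` the authoritative credentials on the CA PAM appliance."""

    def __init__(self, cache, appliance):
        self.cache = dict(cache)
        self.appliance = dict(appliance)
        self.appliance_calls = 0          # load we put on the appliance

    def get_credentials(self, alias, use_cache=True):
        if use_cache and alias in self.cache:
            return self.cache[alias]
        self.appliance_calls += 1
        creds = self.appliance[alias]
        self.cache[alias] = creds         # a direct fetch refreshes the cache
        return creds


def login_cache_first(client, alias, login):
    """Attempt 1 uses cached credentials; if it fails, attempt 2 bypasses the
    cache and fetches from the appliance. There is never a third attempt: if
    the appliance copy also fails, the credential itself is wrong and retrying
    only drives the target toward its lockout threshold. Returns an audit
    record (which attempts were made and how they ended), not just a bool."""
    attempts = []
    user, password = client.get_credentials(alias, use_cache=True)
    ok = login(user, password)
    attempts.append(('cache', ok))
    if not ok:
        user, password = client.get_credentials(alias, use_cache=False)
        ok = login(user, password)
        attempts.append(('appliance', ok))
    return {'alias': alias, 'success': ok, 'attempts': attempts}


class Target:
    """Constructed target system with a lockout policy: `max_failures`
    consecutive failed logins lock the account."""

    def __init__(self, password, max_failures=3):
        self.password, self.max_failures = password, max_failures
        self.failures, self.locked = 0, False

    def login(self, user, password):
        if self.locked:
            return False
        if password == self.password:
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        return False


def run_scenario(cached_password, appliance_password, real_password):
    """Wire the pieces together; returns (result, client, target) for inspection."""
    target = Target(real_password)
    client = A2AClient(cache={'db-admin': ('dbadmin', cached_password)},
                       appliance={'db-admin': ('dbadmin', appliance_password)})
    result = login_cache_first(client, 'db-admin', target.login)
    return result, client, target
```

`run_scenario('old', 'new', 'new')` is the stale-cache case: one failed attempt is logged against the target, the appliance is contacted once, and the cache is refreshed so the next caller succeeds on the first try. Logging the returned `attempts` list is what lets an analyst tell a stale-cache failure apart from a genuine bad-credential event when the target's audit trail shows the failed login.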
1. CA Privileged Access Manager collects Event data and forwards it to the CA Threat Analytics
service.
2. CA Threat Analytics performs continuous Analysis on the collected data. Whenever the
service changes the Risk Level of any user, this result is sent back to CA Privileged Access
Manager.
3. CA Privileged Access Manager can apply Mitigations against users, depending on the analysis
results.
Events
First, the CA Privileged Access Manager client component collects the session event data and sends it
to the CA Threat Analytics server.
End User
Good
Suspect
Bad
CA Privileged Access Manager forwards new event data immediately to the CA Threat Analytics
server. Entities other than CA Privileged Access Manager servers might also forward events for some
or all the same users. If the data specifies a user that does not exist, CA Threat Analytics prepares a
record and begins compiling data for that user.
Meanwhile, for each new event, CA Threat Analytics analyzes received data against data for the user
and their past behavior. As a result of the analysis, CA Threat Analytics might change the existing risk
level, and then notify CA Privileged Access Manager. CA Threat Analytics does not always change a
risk level shortly after receiving event data. It might do so later, depending on other factors that are
not visible from the perspective of CA Privileged Access Manager. Later, CA Privileged Access
Manager might respond to the status change by applying user mitigations.
Mitigations
CA Privileged Access Manager can be configured to apply mitigations to users upon a risk level change.
When a user's risk level changes, CA Privileged Access Manager can initiate actions against that user.
Session Recording - CA Privileged Access Manager begins a session recording for any current
connection session, records it until the end of the session, and then records all future connection
sessions in their entirety.
Re-authentication - CA Privileged Access Manager suspends any current user login session and
any active connection sessions, and forces the user to re-authenticate their login session through
a pop-up window.
When the risk level changes for a user, CA Threat Analytics immediately notifies CA Privileged Access
Manager, which might initiate mitigations on that user.
For these two risk levels, the following mitigations are applied to the user:
Because recordings span over time, the following rules also apply to Session Recording mitigation:
If the user risk level changes from Good to Suspect or from Good to Bad
And the user has a connection session in progress that is not being recorded:
If the user risk level changes from Suspect to Good or from Bad to Good:
And the user has a connection session in progress that is being recorded
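The risk-level notification and the two mitigations described above, as an added example that is not CA code. Which mitigation applies at which risk level is configurable in the product, so the mapping here is a plain dict the caller supplies (the Suspect and Bad mappings in `demo()` are constructed, not taken from the page). One assumption is noted in the code: when a user returns to a level without Session Recording, future sessions stop being recorded while a recording already in progress runs to the end of its session, which follows the page's statement that a recording continues "until the end of the session".

```python
"""Risk-level change handling modelled on the Mitigations section above.

Constructed example, not CA code. The level-to-mitigation policy is supplied
by the caller because the product makes it configurable. Assumption: leaving
a level that has Session Recording stops recording of future sessions but
lets an in-progress recording run to the end of its session."""
from dataclasses import dataclass, field

RISK_LEVELS = ('Good', 'Suspect', 'Bad')
SESSION_RECORDING, RE_AUTHENTICATION = 'Session Recording', 'Re-authentication'


@dataclass
class ConnectionSession:
    session_id: str
    recording: bool = False
    suspended: bool = False


@dataclass
class UserState:
    name: str
    risk: str = 'Good'
    sessions: list = field(default_factory=list)
    record_future: bool = False      # Session Recording mitigation in force
    needs_reauth: bool = False
    audit: list = field(default_factory=list)


class MitigationEngine:
    def __init__(self, policy):
        """policy maps a risk level to the mitigations applied on entering it."""
        unknown = set(policy) - set(RISK_LEVELS)
        if unknown:
            raise ValueError(f"unknown risk levels in policy: {sorted(unknown)}")
        self.policy = {lvl: set(m) for lvl, m in policy.items()}
        self.users = {}

    def user(self, name):
        return self.users.setdefault(name, UserState(name))

    def open_session(self, name, session_id):
        """A new connection session is recorded in full if the mitigation is in force."""
        u = self.user(name)
        s = ConnectionSession(session_id, recording=u.record_future)
        u.sessions.append(s)
        return s

    def risk_level_changed(self, name, new_level):
        """Notification from CA Threat Analytics; returns the mitigations applied."""
        if new_level not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {new_level!r}")
        u = self.user(name)
        applied = self.policy.get(new_level, set())
        if SESSION_RECORDING in applied:
            u.record_future = True
            for s in u.sessions:             # record current sessions until they end
                s.recording = True
        else:
            u.record_future = False          # assumption: in-progress recordings continue
        if RE_AUTHENTICATION in applied:
            u.needs_reauth = True
            for s in u.sessions:             # suspended until the user re-authenticates
                s.suspended = True
        u.audit.append((u.risk, new_level, sorted(applied)))
        u.risk = new_level
        return sorted(applied)

    def reauthenticated(self, name):
        u = self.user(name)
        u.needs_reauth = False
        for s in u.sessions:
            s.suspended = False


def demo():
    """Walk one user through Good -> Suspect -> Bad -> Good; returns observations.
    The policy below is constructed for the demo, not taken from the page."""
    eng = MitigationEngine({'Suspect': {SESSION_RECORDING},
                            'Bad': {SESSION_RECORDING, RE_AUTHENTICATION}})
    s1 = eng.open_session('alice', 'ssh-1')
    before = s1.recording
    m1 = eng.risk_level_changed('alice', 'Suspect')
    s2 = eng.open_session('alice', 'rdp-2')
    m2 = eng.risk_level_changed('alice', 'Bad')
    suspended = s1.suspended and s2.suspended and eng.user('alice').needs_reauth
    eng.reauthenticated('alice')
    m3 = eng.risk_level_changed('alice', 'Good')
    s3 = eng.open_session('alice', 'ssh-3')
    return {'before': before, 'm1': m1, 's1_rec': s1.recording, 's2_rec': s2.recording,
            'm2': m2, 'suspended': suspended, 'resumed': not s1.suspended,
            'm3': m3, 's3_rec': s3.recording, 's1_still_rec': s1.recording,
            'audit': eng.user('alice').audit}
```

The audit list the engine keeps per user is the part a SOC analyst would want: it records each transition with the mitigations that were applied, so a later review can tie a session recording or a forced re-authentication back to the risk-level notification that caused it.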
Next Steps:
1. Obtain from CA Technologies a CA Privileged Access Manager license file with Threat Analytics
licensing activated.
2.
c. In the Install New License panel, Choose File to browse for the license file, and select
Upload License File.
CPU: 8 cores
Memory: 16 GB
Storage: 1 TB
1. Using the import tools available in your virtualization environment, import the CA Threat
Analytics OVA file. Create a virtual machine with at least the minimum production
requirements. For more guidance on how to size the virtual machine, contact CA Support.
3. Set up networking. Using the ncurses interface that is provided by a virtual machine console,
follow these steps:
b. Log in with the user name netcfg and the password netcfg.
c. In the NetworkManager TUI, select Edit a connection to edit "Wired Connection 1."
d. Provide a static IP address, a gateway address, a DNS server address, and a hostname
to the VM.
e. Select OK.
i. Select Quit.
j. Open a browser to the server name or IP address that you specified in the connection
configuration.
e. For JKS File, select Choose File to upload a Java Keystore file. A valid JKS file has a valid
X.509 server certificate and trust chain. See Create a Java KeyStore File (see page 94)
for information about creating a JKS file.
g. Select Save.
c. Select Update.
A message appears stating "External API Access has been updated successfully".
f. Confirm that the Account Name CATapApiUser-x exists, where x is a number. This
account contains credentials that are used by CA Threat Analytics to complete
configuration. Under the Action column, select the "eye" icon to view the password
and copy it for later use.
2. Configure the CA Threat Analytics engine to use the CA Privileged Access Manager adapter.
c. Navigate to Services.
f. Provide the parameters for the CA Privileged Access Manager API Connection.
ii. Username - the username of a user with CA Threat Analytics API Access (such
as CATapApiUser-x)
iii. Password - the password of the user with CA Threat Analytics API Access. Use
the password that you copied from the CATapApiUser-x Account in CA
Privileged Access Manager.
g. Click Test to validate the provided parameters and verify connectivity to CA Privileged
Access Manager.
3. Generate an API Auth Token from within the Threat Analytics UI.
e. Capture the Token and Service Identifier by copying or downloading them. You need
both for the Threat Analytics API Configuration in CA Privileged Access Manager.
i. Manually copy the Token. The UI shows you the Token and the CA PAM Service
Identifier in the token confirmation window after saving it. Copy the Token and
the Service Identifier and follow the instructions for configuring them in CA
Privileged Access Manager.
ii. Download the Token. You can also download the Token and Service Identifier
information for safe keeping and later reference. Click Download Token.
f. Close the New Auth Token confirmation window. Once you close this window, the
token is no longer visible.
4. Specify the CA Threat Analytics service that receives the CA Privileged Access Manager usage
data for processing. Follow these steps on each appliance:
i. Enter an IP address or FQDN for the service host in Threat Analytics Address.
For the following two steps, refer also to the CA Threat Analytics
documentation:
ii. For the Threat Analytics Auth Token, enter the authentication token string
provided to the administrator by the CA Threat Analytics server. This token is
analogous to a password for access to that server.
iii. For the Threat Analytics Service ID, enter the service identifier string provided
to the administrator by the CA Threat Analytics server. This identifier is
analogous to a username for access to that server.
iv. To turn SSL Validation off, select this checkbox. This option can be appropriate
for testing.
d. To test the validity of the connection, select Test and observe the feedback message.
For example: "Successfully connected to CA Threat Analytics server"
Next Steps:
Here are some sample steps to help you create your own JKS. The sample commands use the
following placeholders:
1. Use the openssl command to combine the CA, CRT, and KEY into a P12. The -chain option makes
openssl verify CRT against CA and include the CA certificate in the P12 (-CAfile is only consulted
when -chain is given):
openssl pkcs12 -export -in <CRT> -inkey <KEY> -out <P12> -name <ALIAS> -CAfile <CA> -caname root -chain
2. Use the keytool command to import the P12 into a JKS, and then add the CA certificate as the
trusted root entry:
keytool -importkeystore -destkeystore <JKS> -srckeystore <P12> -srcstoretype PKCS12 -alias <ALIAS>
keytool -import -alias root -keystore <JKS> -trustcacerts -file <CA>
3. Use this JKS file when setting up security for CA Threat Analytics. See the SSL section of Deploy
CA Threat Analytics Server (see page 91).
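The procedure above as a runnable script, added here as an example (it is not CA's own tooling or commands): it builds the P12 with -chain so that openssl checks the server certificate against the CA and bundles the CA certificate, then converts the result with keytool when a JDK is present. The file names, the alias ta, the keystore password, and the helper that generates throwaway test certificates are assumptions made for this example. -deststoretype JKS is passed because keytool on JDK 9 and later writes a PKCS12 keystore by default even when the file is named *.jks, which would not be the JKS file the Threat Analytics SSL panel asks for.

```shell
# Added example, not from the CA documentation: build the JKS that the Threat
# Analytics SSL panel expects from a server certificate (CRT), its private key
# (KEY) and the issuing CA certificate (CA). File names, the alias "ta" and
# the keystore password used by the caller are placeholders for this example.
set -e

# make_test_material DIR: constructed test data only. Creates a throwaway CA
# and a server certificate signed by it so the procedure can run offline.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Test CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ta.example.invalid" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$1/server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# build_p12 CA CRT KEY ALIAS P12 PASS: step 1 of the procedure. "-chain" makes
# openssl verify CRT against CA and include the CA certificate, so a server
# certificate issued by some other CA fails here instead of at deploy time.
build_p12() {
    openssl pkcs12 -export -in "$2" -inkey "$3" -out "$5" -name "$4" \
        -CAfile "$1" -caname root -chain -passout "pass:$6"
}

# p12_cert_count P12 PASS: number of certificates bundled in the P12
# (2 when the server certificate and the CA certificate are both present).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# build_jks CA P12 ALIAS JKS PASS: step 2 of the procedure. Needs keytool from
# a JDK. -deststoretype JKS forces the legacy JKS format on JDK 9 and later;
# -noprompt answers the "Trust this certificate?" question for the CA entry.
build_jks() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
    keytool -importkeystore -destkeystore "$4" -deststoretype JKS -deststorepass "$5" \
        -srckeystore "$2" -srcstoretype PKCS12 -srcstorepass "$5" -alias "$3" -noprompt
    keytool -import -alias root -keystore "$4" -storepass "$5" -trustcacerts \
        -file "$1" -noprompt
}

# jks_entry_count JKS PASS: number of entries in the JKS (2 when both the
# private key entry and the trusted "root" entry were imported).
jks_entry_count() {
    keytool -list -keystore "$1" -storepass "$2" | grep -c 'Entry,'
}
```

Call make_test_material only to exercise the script; for a real deployment pass the CA, CRT and KEY files issued for the Threat Analytics server to build_p12 and build_jks, then upload the resulting JKS in the SSL panel. p12_cert_count and jks_entry_count are the checks to run before uploading: a count of 1 means the CA certificate did not make it into the bundle.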
With SAML enabled, you can still log in to the Threat Analytics interface with the local
"admin" user. This user can be deleted once SAML Authentication is established. However,
we recommend retaining it to ensure Threat Analytics UI accessibility if the SAML
integration fails. To log in with the "admin" user after SAML Authentication is established,
navigate to https://your.ip/users/sign_in.
To set up SAML authentication from the CA Privileged Access Manager UI to the CA Threat Analytics
UI, follow these steps:
ii. Scroll back down to the Xsuite SAML IdP Configuration panel.
iii. Set the Entity ID, which is the same as the CA Privileged Access Manager
domain. Include the protocol. For example: https://pam.fqdn.com
iv. Set the Fully Qualified Hostname. This name is the same as the CA Privileged
Access Manager domain, without the protocol prefix. For example: pam.fqdn.com
viii. Scroll back down to the Xsuite SAML IdP Configuration panel.
ix. Click Download IdP Metadata and save the SAML metadata XML file.
b. Log in as "admin" with password P@ssword1234. (Change this default password using
the Password tab.)
c. Navigate to Security.
e. For SAML Metadata File, select Choose File, and browse for the metadata file from CA
Privileged Access Manager. For example: idp-metadata.xml
f. Click Save.
The CA Threat Analytics home page appears.
h. Under Issuer, enter the FQDN of the CA Threat Analytics appliance, including the
protocol.
i. Under Assertion Consumer Service URL, change the domain to the FQDN of the TA
appliance. For example: rename it to the server name instead of localhost.
j. Calculate the fingerprint of the Identity Provider Certificate downloaded from PAM and
paste it in the Identity Provider Certificate Fingerprint field. For example, use
http://samltool.com/fingerprint.php.
Note
l. Click Save.
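For step j, an added example (not from the CA documentation) that computes the fingerprint locally from the idp-metadata.xml downloaded from CA Privileged Access Manager, rather than pasting the certificate into a third-party site. It assumes standard SAML 2.0 metadata, where the certificate is the base64 body of a ds:X509Certificate element; the hash algorithm (sha1 by default, sha256 on request) has to be chosen to match what the Threat Analytics fingerprint field expects. The make_test_metadata helper at the end exists only to produce constructed test input and is not part of the procedure.

```shell
# Added example, not from the CA documentation: compute the Identity Provider
# certificate fingerprint from the IdP metadata XML with local tools only.
# Assumes SAML 2.0 metadata with the certificate in <ds:X509Certificate>.
set -e

# idp_cert_from_metadata METADATA: print the first X509Certificate found in
# the metadata as PEM. Whitespace inside the base64 body is tolerated.
idp_cert_from_metadata() {
    echo "-----BEGIN CERTIFICATE-----"
    tr -d '\n\r\t ' < "$1" \
        | awk 'BEGIN { RS = "<" } /^(ds:)?X509Certificate>/ { sub(/^[^>]*>/, ""); print; exit }' \
        | fold -w 64
    echo "-----END CERTIFICATE-----"
}

# idp_cert_fingerprint METADATA [sha1|sha256]: colon-separated hex digest of
# the DER-encoded certificate, the form SAML tools display. The algorithm
# defaults to sha1; pass sha256 if the receiving field expects that instead.
idp_cert_fingerprint() {
    idp_cert_from_metadata "$1" \
        | openssl x509 -noout -fingerprint -"${2:-sha1}" \
        | sed 's/^.*=//'
}

# make_test_metadata CERT_PEM OUT: constructed test data only. Wraps an
# existing PEM certificate in the SAML 2.0 IdP metadata structure.
make_test_metadata() {
    b64=$(sed '/^-----/d' "$1" | tr -d '\n\r')
    cat > "$2" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://pam.example.invalid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}
```

Usage against a real export is `idp_cert_fingerprint idp-metadata.xml` (or with sha256 as the second argument); the value it prints is what goes into the Identity Provider Certificate Fingerprint field. Because the digest is taken over the DER certificate, it matches what openssl x509 -fingerprint reports for the same certificate extracted by any other means, which is a quick way to cross-check a value obtained elsewhere.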
PostgreSQL Database
3. Log in to CA Threat Analytics using CA Privileged Access Manager to verify that CA Privileged
Access Manager users can authenticate to Threat Analytics.
The Dashboard now includes an Analytics tile with a CA Threat Analytics icon and caption.
Click this icon as a "punch-through" to CA Threat Analytics.
Analytics Tile
Next Step:
To enable user activity mitigations on a licensed appliance or cluster, follow these steps:
4. At the bottom of the page, select Save Global Settings to begin applying mitigation actions
immediately.
4. At the bottom of the page, select Save Global Settings to begin providing the warning
message immediately.
Following every login, each user sees the configured message near the top of their landing
page.
For a user with a connection session (to a target device) whose threat level changed from Good to
Suspect, recording is started, and the (new) recording line item is marked in the Risk column with
a yellow dot.
This marking remains following completion of the recording. It remains even when the user
threat level changes (from Suspect to Good).
For a user with a connection session (to a target device) that is actively being recorded and whose
threat level changed from Good to Bad, recording is started, and the (new) recording line item is
marked in the Risk column with a red square.
This marking remains following completion of the recording. It remains even when the user
threat level changes (from Bad, to Suspect or to Good).
For a user with a connection session (to a target device) that is actively being recorded and whose
threat level changed from Suspect to Bad, the ongoing recording is uninterrupted, and the recording
line item remains marked in the Risk column with a yellow dot.
This marking remains following completion of the recording. It remains even when the user
threat level changes (from Bad, to Suspect or to Good).
However, if the threat level remains Bad at the time a new recording is started, that recording
is marked in the Risk column with a red square.
When the threat level is elevated for any particular user as a session recording starts, the
applicable indicator is applied to that recording.
Filtering Recordings
You can filter the Session Recordings page to display only those recordings that have been triggered
following Threat Analytics user risk level elevation, and by timestamp and violation tags.
a. To restrict the list by date and time, enter in either or both of the From and To fields a
date/time formatted as in the recordings list. Use a full date-time specification, for
example 2016-10-26 15:01:36 GMT +0300, or a portion of that string that can be
interpreted starting from the left, such as:
b. To list only those recordings in which a user (socket filter or command filter) violation
has occurred, select Contains violation.
c. To list only those recordings with a specific risk level, select one or more of "Good",
"Suspect", or "Bad" in Risk.
To select any two or three filters, hold down the Ctrl key and select each that you
want.