
CA Privileged Access Manager - 2.8
Integrating

Date: 22-Mar-2017

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.

Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.

22-Mar-2017 3/99
Table of Contents

Deploying CA Privileged Access Manager Client (p. 10)
  Configure Appliance Server (p. 10)
  Deploy Client Software (p. 11)
    Download (p. 11)
    Install (p. 11)
    Configure (p. 12)
      Proxy (p. 12)
      General (p. 12)
      Cache (p. 12)
      Certificate (p. 13)
    Run (p. 13)
    Uninstall (p. 14)
      Windows (p. 14)
      Mac / Linux (p. 15)

Configuring Targets (p. 16)
  Windows OS (p. 16)
    Network Level Authentication Login (p. 16)
      Environment (p. 16)
      CA Privileged Access Manager Configuration (p. 16)
      User Experience (p. 16)
    Always Prompt for Password Enforcement (p. 17)
      Environment (p. 17)
      CA Privileged Access Manager Configuration (p. 17)
      User Experience (p. 18)

Integrating an AWS API Proxy (p. 19)
  Prerequisites (p. 19)
  Set Up an AWS Environment (p. 19)
    Set Up AWS Root Level User and Role (p. 20)
    Set Up AWS Network Components (p. 21)
      Set Up a VPC (p. 21)
      Set Up an RDS (p. 22)
      Set Up a Splunk Server (p. 24)
      Set Up CA Privileged Access Manager AMI Instance (p. 25)
  Configure the Server for Proxy (p. 25)
    Set Up a Whitelist (p. 25)
    Set Up a Credential Pair for Federated Tokens (p. 25)
    Set Up a User (p. 26)
    Provision an Access Policy (p. 26)
  Set Up the Proxy Structure (p. 27)
    Set Up AWS Proxy Instances (p. 27)
    Confirm Proxy Registration (p. 28)
    Set Up an AWS Load Balancer (p. 28)

VMware vCenter and NSX Coordination Integration (p. 30)
  VMware NSX integration (p. 30)
    Prerequisites (p. 30)
    Coordination with NSX (p. 31)
      Access Restrictor (p. 31)
      NSX Service Composer Security Controls (p. 32)
    Configuration Tasks (p. 33)
      Preparation (p. 33)
      Register CA Privileged Access Manager in NSX Manager (p. 34)
      Confirm CA Privileged Access Manager Registration (p. 35)
      Additional CA Privileged Access Manager Registration Options (p. 35)
    Provisioning Examples (p. 36)
      Example 1: Preparation of an NSX Security Policy for CA Privileged Access Manager Use (p. 36)
      Example 2: Dynamic Application of an NSX Security Policy for CA Privileged Access Manager Session Recording (p. 37)
  VMware vCenter and NSX Coordination Reference (p. 39)
    VMware Configuration Panel (p. 39)
    'Add VMware vCenter' Panel (p. 41)
    'VMware NSX' Panel (p. 42)

VMware NSX API Proxy Integration (p. 45)
  Auto-activation whitelist (p. 45)

Managing Java on Your Client Workstation (p. 46)
  Clearing Java cache (Windows) (p. 46)
  Updating Java Heap Setting (p. 46)
  JAR File Signing (p. 46)
    CA Privileged Access Manager Configuration (p. 47)
    Client Configuration (p. 47)

Juniper Integration (p. 48)
  User experience (p. 48)
  While logged in to Juniper, open the login page through a Juniper bookmark, and manually log in. (p. 48)
  Juniper setup (p. 48)
  User experience (after configuration) (p. 48)

Integrate a Java Application or Application Server (p. 49)
  Setup (p. 49)
  Using the Privileged Access Manager JDBC Proxy Driver (p. 49)

Integrate with Your Service Desk Solution (p. 51)
  Password View and Update (p. 51)
  Auto-Connect Access (p. 51)
  CA Normalized Integration Management (p. 51)
  BMC Remedy ITSM Integration (p. 52)
    Prerequisites (p. 52)
    Device Configuration (p. 53)
    Application Configuration (p. 53)
    Account Configuration (p. 54)
    Password View Policy Configuration (p. 55)
    Query Filter (p. 55)
      Field Values (p. 55)
      Operators (p. 56)
      Examples (p. 56)
  CA Service Desk Manager Integration (p. 56)
    Prerequisites (p. 56)
      CA Service Desk Manager Supported Versions (p. 56)
      PIN-Based Authentication (p. 57)
    Device Configuration (p. 57)
    Application Configuration (p. 58)
    Account Configuration (p. 59)
    Password View Policy Configuration (p. 60)
    Query Filter (p. 60)
      Field Values (p. 60)
      Operators (p. 61)
      Examples (p. 61)
  HP Service Manager Integration (p. 61)
    Prerequisites (p. 61)
    Device Configuration (p. 61)
    Application Configuration (p. 62)
    Account Configuration (p. 62)
    Password View Policy Configuration (p. 63)
    Query Filter (p. 64)
      Field Values (p. 64)
      Operators (p. 64)
      Examples (p. 65)
  ServiceNow Integration (p. 65)
    Device Configuration (p. 65)
    Application Configuration (p. 65)
    Account Configuration (p. 66)
    Password View Policy Configuration (p. 67)
    Query Filter (p. 68)
      Field Values (p. 68)
      Operators (p. 68)
      Examples (p. 68)
  Salesforce Service Cloud Integration (p. 69)
    Device Configuration (p. 69)
    Application Configuration (p. 69)
    Account Configuration (p. 70)
    Password View Policy Configuration (p. 70)
    Query Filter (p. 71)
      Field Values (p. 71)
      Operators (p. 71)
      Examples (p. 72)

CA Privileged Access Manager Server Control Login Integration (p. 73)
  CA Privileged Access Manager Configuration (p. 73)
    CA Modules Configuration (p. 73)
    Create a Device (p. 74)
    Create an Application (p. 74)
    Create an Account (p. 75)
    Create a Policy (p. 75)
    Test the Login Integration (p. 76)

CA Single Sign-On Integration (p. 77)
  Prerequisites (p. 77)
  CA Single Sign-On Policy Server Configuration (p. 77)
  CA Privileged Access Manager Configuration (p. 81)
  Troubleshooting (p. 82)
    Use Console in Emergency (p. 82)
  Known Issues (p. 83)
    Agent Configuration Object Internal Server Error (p. 83)
    CA PAM Client Failure (p. 83)

Integrate A2A Applications (p. 84)
  Set Up Your Environment for Integration (p. 84)
    Set Up Eclipse for A2A Integration (p. 84)
  Request Integration Algorithm (p. 85)

Integrate with CA Threat Analytics (p. 87)
  Events (p. 87)
  Analysis and Risk Level (p. 88)
  Mitigations (p. 88)
  Deploy CA Threat Analytics Server (p. 89)
    Apply Licensing in CA Privileged Access Manager (p. 89)
    Install CA Threat Analytics Server into a Virtual Environment (p. 90)
      CA Threat Analytics Virtual Machine Production Requirements (p. 90)
    Create the CA Threat Analytics VM (p. 90)
    Configure CA Threat Analytics (p. 91)
    Create a Java KeyStore File (p. 94)
  Set up SAML Punch-Through Authentication (p. 94)
  Mitigation Effects from CA Threat Analytics (p. 97)
    Threat Analytics Options (p. 97)
      Enable Mitigations (p. 97)
      Enable a User Warning (p. 98)
    Identifying Session Recording Characteristics (p. 98)
      Risk Level Indicators (p. 98)
      Filtering Recordings (p. 99)


Integrating
This section explains how to configure the product so that it can cooperate with external, third-party
devices and servers.
Deploying CA Privileged Access Manager Client (see page 10)
Configuring Targets (see page 16)
Integrating an AWS API Proxy (see page 19)
VMware vCenter and NSX Coordination Integration (see page 30)
VMware NSX API Proxy Integration (see page 45)
Managing Java on Your Client Workstation (see page 46)
Juniper Integration (see page 48)
Integrate a Java Application or Application Server (see page 49)
Integrate with Your Service Desk Solution (see page 51)
CA Privileged Access Manager Server Control Login Integration (see page 73)
CA Single Sign-On Integration (see page 77)
Integrate A2A Applications (see page 84)
Integrate with CA Threat Analytics (see page 87)


Deploying CA Privileged Access Manager Client
The CA Privileged Access Manager Client lets you log in to CA Privileged Access Manager and perform
administrator and end-user activities without a customer-installed web browser and Oracle Java
engine, which removes the maintenance needed to keep Java and browser configurations compatible
with CA Privileged Access Manager. The client can run any CA Privileged Access Manager connection
applet and provides a complete substitute for the traditional CA Privileged Access Manager GUI.
The client does not interfere in any way with traditional GUI access; both methods can be used from
the same workstation.
You can download a client version compatible with your workstation OS and install it from a button on
the CA Privileged Access Manager GUI login page. The JRE is bundled with the client installer, but the
JARs served by CA Privileged Access Manager are downloaded at run time (see JAR File Signing under
Managing Java on Your Client Workstation for how those JARs are signed).

Configure Appliance Server


From the server (appliance), you control how the CA Privileged Access Manager Client can be used,
from the Client Settings panel on the Global Settings page.

The client is available for download (from CA Privileged Access Manager) only while client
access is enabled (Operating Mode set to Enabled). Enabling the client download checkbox alone
is not sufficient.

Name: Operating Mode
  Format: Radio button
  Options: Enabled (default); Disabled (applet only)
  Description: Specifies whether this appliance (server) accepts and coordinates connections from a
  compatible Client. When set to Disabled (applet only), the other widgets in this panel are also
  disabled.

Name: Distribution Method
  Format: Radio button and address field
  Description: When the user selects a client download option from the login page, the selected
  option determines where the client is delivered from:
    Internet (CA Delivery Network) (default): CA Privileged Access Manager attempts to deliver the
    client installer and modules from the (hard-coded) Internet-based CA Delivery Network (CDN)
    location.
    Intranet: https://address-field/ca-pam/: CA Privileged Access Manager attempts to deliver the
    client installer and modules from a server at the designated URL (on an available network,
    whether internal or external). Use this option only when the CDN is chronically unavailable.
    If selected, also provide the FQDN or IP address of the download server in the address field
    (see the download server setup instructions). Because the client is fetched over https://,
    that server must present a certificate that the workstation browser trusts.

Name: Download button on Login Page
  Format: Checkbox
  Options: Enabled (default)
  Description: When Enabled, the client download buttons appear on the login page.

Deploy Client Software


This topic explains client deployment and use procedures.

Download
From your client workstation, download an installer from the login page. Point a compatible browser
at CA Privileged Access Manager and, on the GUI login page, select either:

Download CA Privileged Access Manager Client – Click to download the client.

Down arrow – Click to open a drop-down menu and select the installer for one of four OS types. The
applicable OS releases for each installer are identified in the CA Privileged Access Manager Release
Notes.

Install
After you download the installer file, run it to extract and open the installer wizard. Set the
installation parameters in its InstallAnywhere interface.
Note the following information:

License Agreement – The acceptance button is activated only after you scroll the license text to
the bottom of the panel.

Choose Install Set – Select one of the following options:

  Typical – Install the client on the local workstation.

  Run – Extract the contents to a temporary location and execute the client from there.

Installing... – You cannot click Previous after the software starts or has completed installation.


Configure
Click the gear icon in the lower-left corner to open the Configuration Settings window. Select the
labeled tab to change the following settings:

Proxy
If a proxy server is required to reach the target CA Privileged Access Manager, select one of the
following options:

Auto-detect proxy settings for this network – for a network-managed proxy

Use system proxy settings for this network – for a proxy managed by the workstation OS

Manual system proxy settings for this network – to specify a proxy host manually

Automatic proxy configuration URL – to specify a proxy configuration (PAC) supplied by a web server

Default: No Proxy

General
Specify the maximum amount of memory that the CA Privileged Access Manager Client may use.

Default (Windows, Linux x86): 1200 MB

WARNING: Because of a bug in the 32-bit Java Runtime Environment, treat this value as the maximum on
Windows. If you set 1201 MB or more, the client does not start again. To recover, edit the
settings.properties file at the installation root and set memory.max=1200 or less.

Default (Mac, Linux x64): 2048 MB

Cache
Specifies the cache controls where applicable.

Enable Caching – Stores previous versions of the CA Privileged Access Manager Client so that you
can revert to an earlier version. Default = On (checked).

Current Cache Size – Specifies the total size of the cached versions of CA Privileged Access
Manager Client. Default: Total size of cached prior versions.

Clear Cache – Specify to remove all cached versions. (You can remove individual versions by using
the Manage button.)

Max Cache Size, MB (0 = unlimited) – Specify the maximum size of the cache by using the slider or
the field.

Cached Versions: [quantity]

Manage – Displays details for all cached versions of CA Privileged Access Manager Client. You can
remove any or all versions.

Certificate
From a table list, specify a certificate authority (C.A.) certificate to be used. The CA Privileged Access
Manager Client is provided with several pre-installed C.A. certificates. You can add more to serve
your needs.

Run
From its installed menu item or shortcut, start the client. The initial client screen allows you to specify
the address of a CA Privileged Access Manager appliance or appliance cluster VIP.
Follow these steps:

1. Open the client application.

A small console window appears.

2. Enter the following connection parameters for your server appliance.

Address - Enter the accessible IPv4 address or an assigned FQDN. You can also add an optional
port to the address, as in: ADDRESS:PORT

The CA Privileged Access Manager Client cannot use most well-known ports. See Reference
for the full list.

Connect Mode - Select one of the following options:

WEB – Opens a connection to the server, and then opens the CA Privileged Access Manager Client
browser window to the UI, and closes the console.

CONNECT – Opens a connection to the server, and maintains a status connection window.
Optionally, the CA Privileged Access Manager Client browser window can be opened from the
status window.

You cannot switch the mode between WEB and CONNECT after you have connected to the
appliance. First return to the initial connection screen by clicking Cancel and restarting the
client.

3. Click Connect to initiate a connection attempt.

If a client update is required, you are notified.

4. Click Update to update your currently installed client to the latest version automatically. You
might need to restart the client if the update requires it.


Following client release level confirmation, a login transition screen is displayed and then the login
interface appears.

Follow these steps:

1. Enter your Username and Password.

2. Select your applicable Authentication Type.

3. Click Login.

After completing your connection:

If you had selected WEB, a browser window opens to the CA Privileged Access Manager GUI.

If you close the browser window (using the close box at the upper right), you close and exit both
CA Privileged Access Manager server and client.

If you Log Off, the browser window closes (you do not revert to the login page), and you are
returned to the CA Privileged Access Manager Client login screen.

If you had selected CONNECT, the client window stays open while the connection is made. When
the connection is complete, information about it is displayed in a new screen.

You can use existing CA Privileged Access Manager-configured Services and make ExternalAPI calls
without launching them through the product GUI.

The CA Privileged Access Manager administrator must provide any needed target parameters for
the service, such as its CA Privileged Access Manager-assigned net address, to the end user.

You can click the Launch Web Browser button to maintain both browser and console windows.

If you close the browser window (using the close box in the upper right), you can click Launch Web
Browser again later and return to the same GUI location, as its state is preserved.

If you Log Off from the GUI, the GUI window closes and the console reverts to the CA Privileged
Access Manager Client login screen.

If you Log Off, the console reverts to the CA Privileged Access Manager Client login screen.

Uninstall
Windows
To remove a Windows CA Privileged Access Manager Client, do so from the Windows Control Panel >
Programs and Features interface.
You can also remove a CA Privileged Access Manager Client installation from its location in the file
directory. At the root level of your CA Privileged Access Manager installation is the directory:
_CA Privileged Access Manager Client_installation
Open this directory to execute the uninstallation wizard named:
Change CA Privileged Access Manager Client Installation

Mac / Linux
To remove either a Mac or a Linux installation, delete the installation directory and its entire contents.
NOTE An uninstallation wizard like the one provided for Windows is also provided with Mac and Linux
installations. However, it does not currently work and so should not be used.

Configuring Targets
A "target" is a CA Privileged Access Manager-specified Device that is a destination for a CA Privileged
Access Manager User and/or is a consumer of certain CA Privileged Access Manager credentials.

Windows OS
Network Level Authentication Login
Windows administrators can configure their servers to require Network Level Authentication (NLA)
before the user is prompted for credentials, which lowers the risk of DoS attacks. CA Privileged
Access Manager accommodates this network level request so that it can complete connections.

Environment
This feature assumes and addresses the Allow connections only from computers running Remote
Desktop with Network Level Authentication setting configured on the General tab of the RDP-Tcp
Properties dialog.

CA Privileged Access Manager Configuration


In CA Privileged Access Manager, provision User access to the target Device described previously.
As before, only the Device Name, its Address, and the Access Method "RDP" are mandatory in the
Device record; no additional CA Privileged Access Manager configuration is required to handle the
NLA requirement.

User Experience
When a user selects the RDP Access Method, the RDP Access Method splash page appears, and then
the CA Privileged Access Manager security window prompts for the NLA-based credentials request.
After the user enters their credentials, CA Privileged Access Manager submits them to the target
device to complete login.

Note: If password push (see next section) is applied to a Device, this login prompt is
overridden.

Always Prompt for Password Enforcement


In the Windows Remote Desktop Services (Terminal Services) Configuration server interface, there is
an option that is labeled Always prompt for password. This option allows the Windows administrator
to force a password prompt even when the client workstation has been configured to connect
automatically.

Note: If NLA is enabled on an RDP server that is configured with the TLS security layer (the
default for Windows Server 2008/2012), the Always prompt for password option is
ignored. That is, users are not prompted for passwords even if the option is enabled. To
support the Always prompt for password mechanism, the RDP server must be configured
with the RDP Security Layer.

CA Privileged Access Manager can be configured at the Device Group level to automatically populate
that prompt (with the password obfuscated), and thus force an auto-connection that has been
configured (at the Device level) for any Device in that Device Group.

Environment
This feature assumes and addresses the following setting on a Windows target device.
For example, on Windows Server: Open Start > Administrative Tools > Terminal Services
Configuration, open Terminal Services > Connections, select and right-click RDP-Tcp, select
Properties, select tab Logon Settings. This setting forces the login prompt to always be presented.

CA Privileged Access Manager Configuration


The following procedure assumes that you have already prepared Users, Devices, target accounts,
and associated policies for auto-connection access using those target accounts.

1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Devices > Manage Groups.

3. Either double-click an existing Device Group record, or click the Create Device Group link to
open a new record template.

4. Click in the Devices field, and from the drop-down menu, select the target Devices that
require password push when policy is configured for auto-connection.

5. At the bottom of the Device Group template, in the section Enable, select the checkbox
Provide Credentials for "Always Prompt for Password".

6. Navigate to Policy > Manage Policies.

7. Prepare a policy for the User/User Group and the Device Group that you previously
configured, and with Access = "RDP", and Save.
Password push is now enabled.

User Experience
When a CA Privileged Access Manager User selects the RDP Access Method the following actions
occur:

1. The RDP Access Method splash page appears.

2. The RDP window displays the Windows login screen.

3. CA Privileged Access Manager immediately overrides the login prompt and a 10 second delay
occurs, during which the User sees a countdown screen until auto-connection is effected.
The remote user is logged in.

Integrating an AWS API Proxy


By deploying an AWS API Proxy, you can manage users' API access to the AWS Management Console
through CA PAM. This scenario assumes that a network administrator coordinates with (or assumes the
role of) a CA Privileged Access Manager administrator.

Prerequisites
Obtain an AWS (Amazon Web Services) account (https://aws.amazon.com/).

Obtain from CA Technologies a (new) Privileged Access Manager license that specifies the desired
number of AWS Proxy User accounts (the maximum number of User accounts that can have Role
= "AWS API Proxy User" assigned), and apply it on the Config, Licensing page.

Obtain from CA Technologies access to the AWS API Proxy AMI in the AWS Management Console.

Follow these steps to deploy AWS API Proxy:

1. Set up AWS Environment (see page 19)

2. Configure the Server for Proxy (see page 25)

3. Set up Proxy Structure (see page 27)

Set Up an AWS Environment


This environment assumes a single CA Privileged Access Manager AWS AMI instance, with other AWS
components, except for the user workstations. Preparing both a User and a Role with root access
provides the widest possible access for federated account operations.

Note

These instructions are based on the AWS Management Console interface as it existed in
August 2016. AWS has revised some interfaces since that time.

Your environment might already have a sufficient AWS environment, including a VPC with at least
one public and two private subnets. Review these procedures to determine if and where they are
applicable to you.

Use the following procedures to set up an AWS environment:

Set Up AWS Root Level User and Role


Follow these steps:

1. Log in to the AWS Management Console with your AWS Account Username and Password.

2. From the home page, navigate to Services, IAM, Roles.

3. Select the Create New Role button.

a. For the Role Name, assign a name. For example, let Role Name = DocDemoRootRole.

b. In the Select Role Type screen, select Role for Cross-Account Access, and click the Select
button for the Provide access between AWS accounts you own option.

c. In the next screen, enter your AWS Account ID which you can find under the top-right
drop-down list selection: [your username], My Account . Do not select Require MFA
(as this Role is programmatic-only).

d. In the Attach Policy screen, select AdministratorAccess (to provide root-level access).

e. In the Review screen, confirm your selections, and click Create Role to exit the Create
Role process and return to the Roles list.

4. In the Roles list, select your new Role (for example, DocDemoRootRole).

a. In the Summary screen, select the value for Role ARN. Copy and paste that string to
your text window (the same window you use for the user credentials).

5. In the left sidebar menu, navigate to Users.

6. Click the Create New Users button.

a. For Enter User Names, assign 1 to 5 usernames. For example, use one username,
DocDemoRootUser. Select Generate an access key for each user. Click Create.

b. In the confirmation screen that follows, click Show User Security Credentials so that
you can copy and paste these credentials (Access Key ID and Secret Access Key) to an
alternate location for access later in this configuration process (for example, in a plain
text window or file on your workstation).

c. Click Close to create the user, exit the Create User process, and return to the Users list.

7. In the Users list, select your new User (for example, DocDemoRootUser).

a. In the Summary screen, select the value for User ARN and copy and paste that string
to your text window.

b. Select the Permissions tab at the bottom of the screen, and click Attach Policy.

c. In the Attach Policy screen, select AdministratorAccess (to provide root-level access).

Your User and Role are now ready for use later in the deployment process.

Set Up AWS Network Components


In this scenario, an AWS VPC contains all instances except for the user (client) workstation.

Set Up a VPC
Set up an instance of AWS virtual private cloud.

Follow this procedure:

1. In the AWS Management Console, navigate to Services, VPC, VPC Dashboard.

2. Click Start VPC Wizard. The wizard allows you to guide the VPC component creation, including
the subnets, route tables, NAT gateway, and other objects.

a. In the Step 1 screen, select VPC with Public and Private Subnets, and click Select.

b. In the Step 2 screen:

Enter a valid IP CIDR block (for example, 12.0.0.0/16)

Assign a VPC name (for example, DocDemoVPC)

Enter a valid Public subnet (for example, 12.0.0.0/24)

Assign a Private subnet name (for example, Private Subnet 1 - DocDemo)

Enter a valid Private subnet (for example, 12.0.1.0/24)

Assign a Public subnet name (for example, Public Subnet - DocDemo)

Assign an available Elastic IP Allocation ID to provide an accessible IP address on
your NAT gateway.

c. For all other fields (in this example), use the default values.

d. Click Create VPC. A modal progress screen follows. Following the acknowledgment
page, click OK.

3. Select the left menu item Subnets.

a. Confirm that your two initial (private and public) subnets have been created:

i. Click Create Subnet

ii. Assign a Name tag (for example, Private subnet 2 - DocDemo).

iii. Select your new VPC.

iv. Assign a valid CIDR block (for example, 12.0.2.0/24).

v. Select an Availability Zone that is different from the other private subnet
(here, if the other private subnet is, say, "us-east-1a", we would select, say, "us-
east-1b"). This is a requirement for AWS-specific RDS (relational database) to
ensure failover recovery.

vi. Click Yes, Create.

b. In the Subnets lists, confirm your newly created second private subnet.

Your VPC is now ready for population with instances and services.

Set Up an RDS
Set up an instance of an AWS relational database. The instance stores federated tokens so that they
can be reused; a new token does not have to be generated for every API call a user makes. This RDS
can also be shared by multiple proxies that have been set up for load balancing.

These tokens are created using the root role and user account you established earlier. This token is
used by the proxy on behalf of the end user. The token has a limited subset of credentials that are
based on how a policy has been set up in CA Privileged Access Manager. For security, each token has
a limited lifetime of 15 minutes.

Follow this procedure:

1. In the AWS Management Console, navigate to Services, Database, RDS.

2. Create a subnet group. In the left menu, click Subnet Groups.

a. Click Create DB Subnet Group.

b. In the Create DB Subnet Group screen, assign a Name (for example,
DocDemoDBSubnetGroup) and select the VPC ID being used.

c. Two subnets are required. To stage them both for this group:

i. Enter one of the private-subnet Availability Zones you used, with the
corresponding Subnet ID, and click Add.

ii. Enter the other of the private-subnet Availability Zones you used, with the
corresponding Subnet ID, and click Add.

d. Click Create to create the DB subnet group and return to the group list.

3. In the left menu, click Instances.

a. Click Launch DB Instance to (first) assign parameters.

b. In the Select Engine screen, select the MySQL tab, and click Select.

c. In the production version options screen, we recommend that you select either the
Production or the DevTest version of MySQL. CA Technologies has tested these
versions. In this example, the DevTest option has been chosen.

d. Complete the fields in the Instance Specifications panel near the top of the Specify DB
Details screen. We recommend the following specific values (otherwise, use values
appropriate for your environment):

DB Engine Version: one of the 5.6.x series

Multi-AZ Deployment: Likely not required; if the database is lost, tokens can easily
be replaced

DB Instance Class: "db-t2 micro" is sufficient for proof-of-concept purposes

Storage Type: General Purpose (SSD)

Allocated Storage: 5 GB is sufficient for proof-of-concept purposes.

e. Further down on the Specify DB Details screen, specify the following values in the
Settings panel:

Assign a name as the DB Instance Identifier (for example, DocDemoDBInstance),

Assign a Master Username (for example, DocDemoDBAdmin) and Master Password.
Note these values in your text notepad for future use.

f. On the Configure Advanced Settings screen, specify the following settings in the
Network & Security panel:

Select the applicable VPC (for example, DocDemoVPC).

Select the applicable Subnet Group (for example, DocDemoSubnetGroup).

Set Publicly Accessible to No. The proxy instances in the VPC are the only consumers of
the database. (Credentials are stored in this database. In general, we recommend that
you remove unneeded access wherever possible.)

The Availability Zone is not relevant here (="No Preference").

You can use the default VPC Security Group, as it allows only traffic between members
of the same security group.

g. Further down on the Configure Advanced Settings screen, specify the following
settings in the Database Options panel:

Assign a Database Name (for example, DocDemoDB).

Set Database Port to: 3306

Retain the default values for DB Parameter Group (default.mysql5.6) and Option
Group (default.mysql-5-6).

Leave Copy Tags to Snapshots unset.

Our engine does not currently support encryption, so Enable Encryption is set to: No

h. Further down in the Configure Advanced Settings screen:

i. In the Backup panel, assign "0" to Backup Retention Period, as it is not
relevant to this application.

ii. In the Monitoring panel, assign "No" to Enable Enhanced Monitoring, as it is
not relevant to this application.

iii. In the Maintenance panel, leave the default values in place.

i. Click Launch DB Instance. The instance can take several minutes (15-20 is common) to
finish creating; you need its address later.

4. In the RDS Instances screen listing your RDS, select it, and copy the RDS Endpoint specification
to your text file.

Set Up a Splunk Server


Proxy logs are directed to an external handler; they are not delivered to CA Privileged Access
Manager for storage. AWS API Proxy can direct log output to a Splunk server.

Note: Splunk Light is adequate for test or demo use.

Apply the following list when setting up a Splunk server in AWS:

Use an AWS AMI on which a Splunk server has already been installed. Alternatively, stand up an
AWS AMI OS instance and download a Splunk installer from http://www.splunk.com

In Splunk Data, Data receiving, add a new receiver listening on port 9997 (to accept logs from
CA Privileged Access Manager).

Place the server in the VPC public subnet that you created earlier. Assign it a public IP address
using EIP or instance auto-assign.

For the affected security groups, ensure that they allow inbound traffic to port 9997 (on which
Splunk listens) from anywhere inside the VPC (here, 12.0.0.0/24).

When planning a production server, estimate production storage from log volume you generated
in your test/demo environment.

For the remaining instance configuration, use default AMI instance details.

Set Up CA Privileged Access Manager AMI Instance


You can use Auto-assign Public IP for a demo or test environment, but consider using an EIP
instead for production, so that you can shut down the instance as required without losing its
address. If the server IP address changes, the proxies have to be shut down and reconfigured.

For production, we recommend that you select Enable Termination Protection.

Consider preparing a security group (for example, named Public Instances) that accepts inbound
traffic from any source only on HTTP, HTTPS, and SSH. This security group allows an administrator to
reach the instance from anywhere, if desired.

Configure the Server for Proxy


Configure the CA Privileged Access Manager server to recognize proxies, and specify user accounts to
communicate with them.
Set Up a Whitelist (see page 25)
Set Up a Credential Pair for Federated Tokens (see page 25)
Set Up a User (see page 26)
Provision an Access Policy (see page 26)

Set Up a Whitelist
Configure the AWS API Proxy whitelist to allow proxies to submit requests to CA Privileged Access
Manager.

Follow these steps:

1. From the AWS Management Console, identify the private subnet into which you set up proxy
instances.

2. In CA Privileged Access Manager, navigate to Config, 3rd Party, AWS API Proxy Auto
Activation Whitelist.

3. In the Whitelisted Subnets text box, specify the private subnet that you established earlier,
which contains the AWS API Proxy instances. For example: 12.0.1.0/24
The AWS API Proxy instances send A2A activation requests. Following activation, CA Privileged
Access Manager allows the A2A-activated proxy to see ("view") proxy credentials.

Set Up a Credential Pair for Federated Tokens


Store the AWS account credentials, the "set of keys" that an AWS API Proxy uses to access AWS. The
credentials are embedded in the federated tokens the proxy uses.

Follow these steps:

1. In CA Privileged Access Manager, navigate to Policy, Manage Passwords to bring up the
Credential Management GUI.

2. Navigate to Targets, Accounts, and select Add to bring up a blank Account Details screen.

3. Select AWS Access Credential Accounts from the Application Name drop-down list. (This
action also auto-populates the Host Name and Device Name, and resets the other widgets for
AWS Access Credential parameters.)

4. In the account template, do the following tasks:

a. Assign an explanatory or other easy-to-remember name in the User Friendly Account
Name field.

b. From your text file, paste in the Access Key ID and Secret Access Key for your
applicable AWS account.

c. From your text file, paste the ARN into the Access Role Name field.

d. Here, for AWS Cloud Type, select Commercial Cloud. (Contact CA Support if you want
to specify a GovCloud VPC.)

e. Save the account.

Set Up a User
1. Navigate to Users, Manage Users, and select Create User to open a User editing template.

2. Set up the required User fields (that is, Username, Firstname, and the remaining red labelled
widgets.)

3. In Roles, Available Roles, select "AWS API Proxy User".

Provision an Access Policy


1. Navigate to Policy, Manage Policies.

2. In the User (Group) field, enter the Username (for example, DocDemoUser) that you created
in "Set Up a User".

3. In the Device (Group) field, enter the virtual device name: xceedium.aws.amazon.com

4. In the upper right, select the Create Policy link to open the policy editing template for this
User-Device pair.

5. Under Services, click Add, and do the following tasks:

a. In the pop-up window, select the "AWS API Proxy" Service. This action opens the
Credential and AWS Policy fields within the pop-up, to the right.

b. In the Credential field, enter the "AWS Access Credentials Accounts" type account you
created earlier (for example, DocDemoAccount).

Note: This account is the "root" AWS account that is used to request
(temporary federated) credentials from AWS. It is not a CA Privileged Access
Manager User account like DocDemoUser.

c. In the AWS Policy field, enter the AWS IAM Policy that applies to this User (for
example, DocDemoUser). You can use one of the two preconfigured policies,
"IAMUserAccess" or "PowerUserAccess" (used here), and view, edit, or create a
different one, using the AWS Policies link in the upper right.

6. Click Save.

Set Up the Proxy Structure


Set Up AWS Proxy Instances
Stand up one or more instances from the proxy AMI: aws-api-proxy-2.1-release-us-east-1 (or the
corresponding AMI for your AWS region).

1. In the AWS Management Console, navigate to Images, AMIs, and find your proxy AMI.

2. Do the following tasks in "Step 3: Configure Instance Details" of the AMI instance setup
wizard:

a. Place the proxy instances in the one of your two private subnets (here, 12.0.1.0/24)
that has the same AZ as the public subnet. The load balancer function depends on this
placement. This subnet is also specified in the Privileged Access Manager proxy
whitelist (in Config, 3rd Party).

b. For Auto-assign Public IP select the Use subnet setting (Disable), because the proxies
are not exposed outside of the VPC.

c. In the Advanced Details section, in User Data, use the following format, and populate
it (pasting only from a plain text editor) with your case data:

Format:

db = <api-proxy-db>
host = <db-instance.aws-region>.rds.amazonaws.com
user = <db-username>
pass = <password>
xsuite = <IP-address>
splunk = <IP-address>:9997
proxyname = <aws-api-proxy-name.example.com>
debug = false | true

Example:

db = DocDemoDB
host = DocDemoDBInstance.us-east-1.rds.amazonaws.com
user = DocDBAdmin
pass = DocDemoPW5289331
xsuite = 12.0.1.3
splunk = 12.0.1.5:9997
proxyname = awsapiproxy123.yourcompany.com
debug = false

3. In "Step 6: Configure Security Group", select a security group that permits HTTPS, so that the
load balancer can reach the proxy.

4. Other settings are optional.

5. After you initiate the instances, wait about 10 minutes before confirming them in CA
Privileged Access Manager.
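Before pasting User Data into the wizard, it is worth checking it against the Format above. The following is an added example, not CA's code: it parses a User Data block, flags template placeholders left in place, checks that the Splunk entry ends in port 9997, that the xsuite and splunk addresses fall inside the VPC, and that the proxy subnet is covered by the Config, 3rd Party whitelist. The VPC, subnet and whitelist values are the DocDemo sample values from this scenario.

```python
"""Consistency check for an AWS API Proxy User Data block (added example)."""
import ipaddress
import re

# Keys from the User Data "Format" block; all eight must be present.
REQUIRED_KEYS = ("db", "host", "user", "pass", "xsuite", "splunk", "proxyname", "debug")
PLACEHOLDER = re.compile(r"<[^>]*>")   # an unreplaced <...> from the Format template
SPLUNK_PORT = 9997                     # receiver port configured on the Splunk server


def parse_user_data(text):
    """Parse 'key = value' lines into a dict (blank lines ignored, keys case-sensitive)."""
    data = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError("line %d: expected 'key = value', got %r" % (lineno, line))
        data[key.strip()] = value.strip()
    return data


def subnet_covered(subnet, cidrs):
    """True if every address of `subnet` lies inside one of `cidrs`.
    Used for the proxy whitelist; the same test applies to a security-group
    source range that must admit the proxy subnet."""
    net = ipaddress.ip_network(subnet)
    return any(net.subnet_of(ipaddress.ip_network(c)) for c in cidrs)


def validate_user_data(data, vpc_cidr, proxy_subnet, whitelist):
    """Return the list of problems found; an empty list means the block is consistent."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in data:
            problems.append("missing key: " + key)
        elif PLACEHOLDER.search(data[key]):
            problems.append(key + " still contains a <placeholder> from the template")
    if problems:
        return problems
    vpc = ipaddress.ip_network(vpc_cidr)
    if not data["host"].endswith(".rds.amazonaws.com"):
        problems.append("host is not an RDS endpoint (*.rds.amazonaws.com)")
    if data["debug"] not in ("true", "false"):
        problems.append("debug must be 'true' or 'false'")
    # xsuite is the CA PAM server; all instances except the workstation live in the VPC.
    try:
        if ipaddress.ip_address(data["xsuite"]) not in vpc:
            problems.append("xsuite %s is outside the VPC %s" % (data["xsuite"], vpc))
    except ValueError:
        problems.append("xsuite is not an IP address")
    # splunk must be <IP-address>:9997 and the address must also be inside the VPC.
    host, sep, port = data["splunk"].rpartition(":")
    if not sep or not port.isdigit() or int(port) != SPLUNK_PORT:
        problems.append("splunk must be <IP-address>:%d" % SPLUNK_PORT)
    else:
        try:
            if ipaddress.ip_address(host) not in vpc:
                problems.append("splunk %s is outside the VPC %s" % (host, vpc))
        except ValueError:
            problems.append("splunk host is not an IP address")
    # Proxies send A2A activation requests; the subnet they sit in must be whitelisted.
    if not subnet_covered(proxy_subnet, whitelist):
        problems.append("proxy subnet %s is not in the whitelist %s" % (proxy_subnet, whitelist))
    return problems


# Constructed sample: the Example block above, with the DocDemo network values.
DOC_EXAMPLE = """\
db = DocDemoDB
host = DocDemoDBInstance.us-east-1.rds.amazonaws.com
user = DocDBAdmin
pass = DocDemoPW5289331
xsuite = 12.0.1.3
splunk = 12.0.1.5:9997
proxyname = awsapiproxy123.yourcompany.com
debug = false
"""
VPC_CIDR = "12.0.0.0/16"        # DocDemoVPC
PROXY_SUBNET = "12.0.1.0/24"    # private subnet holding the proxy instances
WHITELIST = ["12.0.1.0/24"]     # Config, 3rd Party, AWS API Proxy Auto Activation Whitelist

if __name__ == "__main__":
    issues = validate_user_data(parse_user_data(DOC_EXAMPLE), VPC_CIDR, PROXY_SUBNET, WHITELIST)
    print("User Data OK" if not issues else "\n".join(issues))
```

`subnet_covered` is the same question to ask of the Splunk security-group source range: if it does not cover the proxy subnet, proxy logs never arrive on port 9997.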

Confirm Proxy Registration


In CA Privileged Access Manager, confirm that the proxies have registered as Credential Manager A2A
Clients in CA Privileged Access Manager.

Follow these steps:

1. Navigate to Policy, Manage Passwords.

2. In the Credential Management menu, navigate to A2A, Clients.

3. Confirm registration of your AWS API Proxy instances by checking the following settings:

a. The IP address matches your instance

b. On the Client Details screen, Descriptor 1 is "AWS API Proxy Client"

c. Connection Status shows a green dot.

Set Up an AWS Load Balancer


You want the load balancer to be in a public subnet so that you can reach it. You select targets
(instances that receive LB traffic) based on the Availability Zone of the subnets those instances are in.
The LB is able to send traffic to any instances as long as they are in the same AZ, regardless of public
access of the subnet.

1. In the AWS Management Console, navigate to Services, EC2, Load Balancing, Load Balancers.

2. Click the blue Create Load Balancer button to launch its setup wizard.

3. In "Step 1: Define Load Balancer":

a. Assign a Load Balancer name.

b. Create LB inside the proxy VPC.

c. Do not select Create an internal load balancer.

d. For the Listener Configuration:

i. Remove the default HTTP protocol line item.

ii. Add a new protocol line item with Load Balancer Protocol = HTTPS and
Instance Protocol = HTTPS.

e. In Select Subnets, select the public subnet that you have prepared.

4. In "Step 2: Assign Security Groups", select the security group that you used earlier for your CA
Privileged Access Manager and Splunk server.

5. In "Step 3: Configure Security Settings":

a. Select a certificate that your users and clients are able to verify.

i. For demo/test purposes at least, you can request a new certificate from ACM
(AWS Certificate Manager), or from AWS IAM.

1. In ACM, enter the domain name that you have used for your proxy
instances, prepended with an asterisk (here, *.awsapiproxy123.yourcompany.com).

2. In IAM, select one from the drop-down list.

b. Select a cipher that you accept at the load balancer. Select from the predefined list if
acceptable, or create a custom security policy.

VMware vCenter and NSX Coordination


Integration
You can configure CA Privileged Access Manager to coordinate with a VMware installation to import
virtual machines into CA Privileged Access Manager and apply the VMware security settings.
VMware NSX integration (see page 30)
VMware vCenter and NSX Coordination Reference (see page 39)

VMware NSX integration


The CA Privileged Access Manager coordination with an NSX installation engages the following
objects. See Configuration tasks (see page 33) for detailed instructions.

Prerequisites
Verify the following prerequisites:

In VMware:

NSX 6.2 or later installation that is network-available to CA Privileged Access Manager

In CA Privileged Access Manager:

When VMware NSX coordination is activated in CA Privileged Access Manager, the following cluster
synchronization features are not supported:

Clustering over a WAN

Hybrid clusters, in which two or more of the three form types for CA Privileged Access Manager
(hardware, AWS AMI instance, and VMware VMs) are used.

The Access Restrictor (see page ) does not operate on A2A transactions.

Configuration of VMware objects:

Device: a target vCenter; a Target Application for this Device; a Target Account for this
Target Application that is an administrator account

Device: the affiliated NSX Manager; a Target Application for this Device; a Target
Account for this Target Application that is an administrator account

Configuration of the parent vCenter (Config > Add VMware vCenter)

Configuration and activation of NSX administrator access (Config, VMware NSX)

Following configuration and registration, the NSX and CA Privileged Access Manager effects include:
In CA Privileged Access Manager:

Device imports – vCenter virtual machines are imported (a Device record is created for each VM)

Security controls – Existing NSX Security Tag, Security Group, and Security Policy restrictions are
imposed on vCenter devices imported into CA Privileged Access Manager.

In NSX:

CA Privileged Access Manager Service – A new NSX partner service named "CA Privileged Access
Manager Service" is created, with Profile Configurations for these functions:

Session Recording

Terminate Sessions

CA Privileged Access Manager Re-Authentication

Dynamic effects – As NSX Security Tag, Security Group, and Security Policy definitions are altered
over time, the effects are propagated from NSX to CA Privileged Access Manager.

Access restrictor – CA Privileged Access Manager dynamically pushes its CA Privileged Access
Manager access policies for mirroring as NSX distributed firewall exceptions. Thus these rules are
created as connections open, and are destroyed when those connections close.

Coordination with NSX

When you configure CA Privileged Access Manager to coordinate with an NSX installation, CA
Privileged Access Manager begins sharing objects managed in NSX. Following registration, you can
(manually) specify controls on VMs by applying VMware Security Tags to VMs directly. You can also
use the NSX Service Composer to define Security Groups and to impose Security Policies on those
groups, thus affecting imported CA Privileged Access Manager devices. This process applies two
features:

Service Composer integration with CA Privileged Access Manager Service

Dynamic transfer of NSX Security Groups and Security Tag assignment to CA Privileged Access
Manager

Access Restrictor
When CA Privileged Access Manager is registered in NSX, and before it connects to a managed VM (in
that NSX environment), it pushes its access policy for that connection into NSX as a distributed
firewall exception. It instructs NSX to temporarily "poke a hole" through the firewall managing the
VM to allow the CA Privileged Access Manager-authorized connection.


Permitted Connections Tracked


You can impose a highly restrictive but distributed NSX firewall without concern about it interfering
with CA Privileged Access Manager-managed access to targets. NSX auditing is aided in this manner,
because now the logging and recording capabilities of CA Privileged Access Manager are explicitly
imposed on any connections making it through the otherwise broadly imposed firewall.

Verifiable in NSX Manager


In the NSX Manager Firewall panel, you see the Access Restrictor rule being applied for the active
connection. This rule automatically occupies highest precedence order over other rules and thus is
applicable to the connection. When the CA Privileged Access Manager-managed connection is closed,
this exception rule is deactivated and removed.
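The rule lifecycle described in the three sections above (an allow rule pushed at highest precedence when a managed connection opens, removed again when it closes, with every other source still blocked) is easy to get wrong if the removal is not tied to every exit path of the session. The following model, added here as an illustration and not CA Privileged Access Manager or NSX code, shows the pattern with a constructed ordered rule table and constructed addresses; a real deployment pushes the exception through NSX Manager rather than into an in-memory list.

```python
"""Model of the Access Restrictor's ephemeral distributed-firewall exception.

Added illustration, not CA Privileged Access Manager or NSX code. The rule
table, the match fields and the addresses are constructed for the example; a
real deployment pushes the exception through NSX Manager.
"""
from contextlib import contextmanager
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: Optional[str]      # None matches any source address
    dst: Optional[str]      # None matches any destination address
    port: Optional[int]     # None matches any destination port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in (None, src) and self.dst in (None, dst)
                and self.port in (None, port))


class DistributedFirewall:
    """Ordered rule table: the first matching rule decides, mirroring the
    precedence order shown in the NSX Manager Firewall panel."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, src: str, dst: str, port: int) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(src, dst, port):
                return rule.action, rule.name
        return "deny", "implicit-deny"

    def push_exception(self, rule: Rule) -> None:
        self.rules.insert(0, rule)          # highest precedence

    def remove_exception(self, rule: Rule) -> None:
        self.rules.remove(rule)


@contextmanager
def managed_connection(fw: DistributedFirewall, pam_addr: str, vm_addr: str,
                       port: int, session_id: str):
    """Open the hole for exactly this connection; close it on every exit path."""
    hole = Rule(f"PAM-access-restrictor-{session_id}", "allow", pam_addr, vm_addr, port)
    fw.push_exception(hole)
    try:
        yield hole
    finally:
        fw.remove_exception(hole)           # removed when the session closes


# Constructed addresses (RFC 5737 documentation range).
PAM_ADDR = "192.0.2.10"
VM_ADDR = "192.0.2.20"       # the managed VM ("BEE" in the page's later example)
OTHER_ADDR = "192.0.2.99"    # an unmanaged client


def baseline_firewall() -> DistributedFirewall:
    """Highly restrictive policy: nothing reaches the VM unless PAM opens a hole."""
    return DistributedFirewall([Rule("deny-all-to-bee", "deny", None, VM_ADDR, None)])


def walkthrough() -> dict:
    fw = baseline_firewall()
    before = fw.decide(PAM_ADDR, VM_ADDR, 22)
    with managed_connection(fw, PAM_ADDR, VM_ADDR, 22, "s1"):
        during = fw.decide(PAM_ADDR, VM_ADDR, 22)
        other = fw.decide(OTHER_ADDR, VM_ADDR, 22)        # unchanged for everyone else
        other_port = fw.decide(PAM_ADDR, VM_ADDR, 3389)   # hole is port-specific
        top_rule = fw.rules[0].name
    after = fw.decide(PAM_ADDR, VM_ADDR, 22)
    return {"before": before, "during": during, "other_source": other,
            "other_port": other_port, "top_rule": top_rule,
            "after": after, "rules_after": len(fw.rules)}


def hole_closed_after_failure() -> bool:
    """The exception must not linger if the session aborts with an error."""
    fw = baseline_firewall()
    try:
        with managed_connection(fw, PAM_ADDR, VM_ADDR, 22, "s2"):
            raise RuntimeError("constructed session failure")
    except RuntimeError:
        pass
    return fw.decide(PAM_ADDR, VM_ADDR, 22) == ("deny", "deny-all-to-bee")


if __name__ == "__main__":
    print(walkthrough(), hole_closed_after_failure())
```

The `finally` clause is the point of the model: the audit value of the Access Restrictor depends on the exception disappearing with the session, so the removal must not depend on the session ending cleanly.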

NSX Service Composer Security Controls


Three pre-defined NSX Service Profile Configuration controls are provided in the product Service that
is registered when you configure the product to work with a vCenter and an NSX installation
associated with that vCenter.
Any of those Profile Configurations can be specified in an NSX Security Policy. That policy is applied to
an NSX Security Group of VMs. The members of that Security Group might consist of, for example,
those VMs with certain Security Tags or labels, such as "Surveillance_Target", that can be applied at
any time deemed necessary by the administrator.

Dynamic Event Infrastructure

The following NSX callbacks that are built in to the CA Privileged Access Manager Service are created
in NSX when a CA Privileged Access Manager registers to an NSX installation. When any of the
following Service Profiles have been activated in an NSX Security Policy applied to Devices imported
from VMware, CA Privileged Access Manager imposes the described actions on the active CA
Privileged Access Manager connection sessions:

Terminate Sessions – Terminate the session, or prevent any future session attempt from
consummating.
   User receives a pop-up message during a current session or session attempt.
   Works for all connection types. Event is logged and is captured in session recordings.

Session Recording – Switch session recording on or off.
   NSX policy overrides the CA Privileged Access Manager Policy setting.
   Works for RDP, SSH, and Telnet Access Method applets; RDP Applications; all native SSH or Telnet
   Services; Xceedium Browser (HTTP and HTTPS). Event is logged and is captured in session
   recordings.

CA Privileged Access Manager Re-Authentication – One-time (non-recurring) application to force
Users to re-authenticate to CA Privileged Access Manager.
   User receives an interactive pop-up message to submit credentials.


Provisioning in CA Privileged Access Manager Following NSX Tagging

In CA Privileged Access Manager, the Security Tags that are attached to imported VMs, and the
Security Groups those VMs are members of, are imported with basic device characteristics (name,
address, OS, VMware directory) into CA Privileged Access Manager Device records so that CA
Privileged Access Manager can manage connections to the VMs. Unassigned, but user-defined,
Security Groups and Security Tags are always imported into CA Privileged Access Manager, because
you can provision CA Privileged Access Manager policies before tags are assigned (for example, when
the policies to be used are complex).
Changes in the NSX environment are propagated each time a CA Privileged Access Manager User
loads their Access page. Changes to NSX Security objects are dynamically applied in CA Privileged
Access Manager, because NSX Manager executes callbacks to the product whenever its Security
Groups or Security Tags are updated. The product can then make the corresponding adjustments and
propagate any policy effects.
TIP: Assign a Security Group and its associated Security Tag the same name when they complement
each other – that is, when the Security Group contains only items with the (single) Security Tag.

These imported tags can then be assigned to Device Groups to impose the desired controls.

When Security Groups or Security Tags are created in an NSX installation running a CA Privileged
Access Manager Service, or they are newly assigned to NSX devices, these changes propagate to CA
Privileged Access Manager in several ways.

When a tag (either local, or VMware-imported Security Group or Security Tag) is assigned to a
Device Group, the Devices that the tag specifies are identified as (uneditable) members of the
Device Group.

If you apply an unused tag to a Device Group and use that group in an active CA Privileged Access
Manager policy, and then later assign the tag to a device in NSX, the corresponding CA Privileged
Access Manager Device and corresponding policy is dynamically activated. The policy becomes
available on the User(s)' Access page.

It is then possible to prepare compact CA Privileged Access Manager policies that are nevertheless
complex and powerful.

Configuration Tasks
Perform the following tasks to activate coordination of an NSX installation with your CA Privileged
Access Manager.

Preparation
You must have the following applied:

VMware vCenter applicable with NSX 6.2.

CA Privileged Access Manager licensing applied: VMware Capability


Register CA Privileged Access Manager in NSX Manager

VMware configuration has been expanded to allow use of multiple vCenter deployments, and now
(for a single vCenter) allows synchronization of an NSX deployment. The VMware configuration panel
set on the Config > 3rd Party page has been expanded with a new VMware NSX panel.

REQUIREMENTS

CA Privileged Access Manager registration with NSX requires that a single vCenter is configured in
CA Privileged Access Manager. Multiple vCenter configurations, although permitted in CA
Privileged Access Manager, cannot be used while there is an active NSX registration.

PROCEDURE
Preliminary Devices/Accounts provisioning

1. Prepare VMware target Device records:
   a. In CA Privileged Access Manager, navigate to Devices > Manage Devices.
   b. Prepare a Device record for vCenter with Address=Your-vCenter-portal-address.
   c. Prepare a Device record for NSX with Address=Your-NSX-Manager-portal-address.

2. Prepare corresponding target accounts to access them:
   a. Navigate to Policy > Manage Passwords.
   b. In the Credential Manager menu, navigate to Targets > Applications:
      Add a new target application for vCenter.
      Add a new target application for NSX.
   c. In the Credential Manager menu, navigate to Targets > Accounts:
      Add a new target account for the vCenter target application you created.
      Add a new target account for the NSX Manager target application you created.

Configuration for vCenter

1. In the GUI, navigate to the Config > 3rd Party page.

2. In the Add VMware vCenter panel:
   a. Click your mouse in the vCenter Authentication Device field, and select from the drop-down
      list the vCenter Device you prepared earlier.
      After you do this, the vCenter User field appears below.
   b. Click your mouse in the vCenter User field, and select from the drop-down list the vCenter
      access target account you prepared earlier.
   c. In the URL field, enter the URL address of the vCenter. Include the port and any subdirectory
      path.

Configuration for NSX

You must previously configure a (single) VMware vCenter.

1. In the VMware NSX panel:
   a. Click your mouse in the NSX Authentication Device field, and select from the drop-down list
      the NSX Manager Device you prepared earlier.
      After you do this, the NSX User field appears below.
   b. Click your mouse in the NSX User field, and select from the drop-down list the NSX access
      target account you prepared earlier.
   c. In the URL field, enter the URL address of the NSX installation. Include the port and any
      subdirectory path.

Confirm CA Privileged Access Manager Registration


You can confirm that NSX has created "CA Privileged Access Manager Service" following configuration
in CA Privileged Access Manager by inspecting the Networking & Security Service Definitions in a
vSphere client.

Additional CA Privileged Access Manager Registration Options


Re-register NSX Manager
When you attempt to register an NSX Manager but the registration fails, the VMware NSX panel
remains populated, but the Status changes from Not Configured to Not Registered.

After you correct the issue, you can again attempt registration using the staged settings by
clicking Save.

Otherwise, you may remove all settings by clicking Disable.

Unregister NSX Manager


To unregister CA Privileged Access Manager in NSX:

1. Take care to back out of all corresponding settings you had applied in CA Privileged Access
Manager and NSX.

2. When that is completed, click Unregister in the VMware NSX panel.

3. The currently registered CA Privileged Access Manager Service is removed from NSX, and the
NSX Manager is unregistered in CA Privileged Access Manager.


Provisioning Examples
Example 1: Preparation of an NSX Security Policy for CA Privileged Access Manager Use
You can impose any of the above three controls on Devices managed by CA Privileged Access
Manager from within NSX features. The following procedure shows how this process works by
completing the following steps:

Creating Security Policies that specify access controls

Creating Security Groups that dynamically specify a set of devices

Applying those policies to those groups to activate their controls on their devices. These controls
are propagated to CA Privileged Access Manager, and then imposed when CA Privileged Access
Manager Users access VMware-imported Devices.

Following registration of CA Privileged Access Manager with NSX, open your vSphere Client or Web
Client:

1. From the vSphere home, select the Networking & Security item from the left-hand menu.

2. From the new left-hand menu items, select the Service Composer item, and then in the
   Service Composer body click the Security Policies tab to display the (currently empty) policies
   list.

3. Above the line item list in the far left, click the Create Security Policy icon to open a policy
   editing window.

4. Specify a policy that imposes CA Privileged Access Manager session recording, and call it
   Session Recording SP:
   a. Click the 1 Name and description tab, and enter in the Name field "Session Recording SP".
   b. In 2 Guest Introspection Services, click the icon further right to open an editing window. In it:
      For Service Name, select "CA Privileged Access Manager Service".
      For Service Profile, select "Session Recording (Data Collection, … )".
      Leave the other fields and buttons as is, and click OK.
      The editing window now disappears, and you see the new service specification as a line item.
   c. In 4 Network Introspection Services, perform the same steps as in (b), except that
      here you edit the Profile field rather than the Service Profile.
   d. In the lower right corner, click the Finish button to activate the Security Policy.


With procedures parallel to the one above for the other two Service Profiles, you can prepare
corresponding policies. Table 1 displays the three Service Profile options currently made available
through CA Privileged Access Manager Service registration.

Table 1: CA Privileged Access Manager Service: Service Profiles

Session Recording (Data Collection, Vulnerability Management)
   Toggles the CA Privileged Access Manager-based session recording policy: where the CA Privileged
   Access Manager policy for a connection has recording off, NSX turns it on, and vice versa.

Terminate Sessions (Vulnerability Management, Data Collection)
   Terminates current connection sessions and prevents new sessions from being initiated.

CA Privileged Access Manager Re-Authentication (Data Collection, Vulnerability Management)
   Suspends current CA Privileged Access Manager User login session(s) and forces the User(s) to
   re-authenticate. Where re-authentication succeeds, the login session resumes and the previous
   session state is restored. Where re-authentication fails, the login session is terminated.

After preparing Security Policies for all three Service Profiles, you will see three Security Policies
listed.

Example 2: Dynamic Application of an NSX Security Policy for CA Privileged Access Manager
Session Recording
With an NSX Security Policy in place to toggle CA Privileged Access Manager session recording, you
can prepare an example of that Service Profile in action:

1. From the same location in your vCenter client as you used when preparing Security Policies (
   Example 1 (see page 30)), click the Security Groups tab to open its pane.
   (The list may be empty except for Activity Monitoring Data Collection.)

2. To record all current and future connection sessions to certain devices, create a Security
   Group named Capture Sessions SG:
   a. Click the 1 Name and description tab, and enter in the Name field "Capture Sessions SG".
   b. In 2 Define dynamic membership, in the pane at the right named Membership criteria 1:
      In the lower left drop-down menu, select "Security Tag" to specify that the VMs with a
      Security Tag (as defined below) are included in this group.
      In the lower center drop-down menu, select "Equals to".
      In the field to the lower right, enter "Capture Sessions ST".
   c. In the lower right corner, click the Finish button to activate the Security Group, as we have
      provided the definition that we need for this group.

Apply the Security Policy we created earlier to this Security Group:

1. Click again the Security Policies tab to open its pane.

2. Click the Rank number (here, "3") for the Session Recording SP policy so that the line item is
selected, then right click and select Apply Policy from the pop-up menu.

3. Select the Capture Sessions SG group and click OK.

We're now ready to apply a Security Tag to a VM device, to illustrate how the Security Group picks up
the tagged device for imposition of the policy – and the effect of that policy for CA Privileged Access
Manager.

1. Navigate from the vSphere home:
   a. Select the vCenter item from the left-hand menu.
   b. From the new left-hand menu items, select the Hosts and Clusters item.
   c. In the left panel (with left tab at top selected), open the tree until you find an (existing) VM to
      which you would like to apply this Security Group. In this example, the device is named "BEE".

The VM device ("BEE") has a number of specification panels. Here we want to apply the tag specified
when you created the "Capture Sessions SG" Security Group – that is, Capture Sessions ST:

1. Select the "BEE" line item. Then in the device specification section to the right, in the Security
   Tags pane:
   a. Click the Manage link in the lower right corner of the pane.
   b. In the Assign Security tag pop-up window, click the icon to create the new "Capture Sessions
      ST" tag.
   c. When created, scroll to the location of the new tag, and select it.
   d. Click OK to close the pop-up.

2. Note that not only is the "Capture Sessions ST" tag listed in the Security Tags pane, but also
   the "Capture Sessions SG" that uses that tag is also specified in the Security Groups pane.

Because that group has the "Session Recording SP" Security Policy applied against it, when a CA
Privileged Access Manager User attempts a connection session to BEE – whether or not the CA
Privileged Access Manager policy itself specifies session recording – CA Privileged Access Manager
activates recording.
Let's now see how that works in CA Privileged Access Manager.

1. Navigate CA Privileged Access Manager to the Devices > Manage Devices page.

2. Open the Device record for "BEE".

   Note: You can also continue instead with a CA Privileged Access Manager-based Device Group that
   includes this Device. In place of a fixed, imported tag, manually apply the imported Security Tag as
   described in the following steps.

3. Note that there is an editable "CA Privileged Access Manager-assigned-tag-3", but there are
   also two tags which – in CA Privileged Access Manager – are not editable: "NSX-SG-Capture
   Sessions SG" and "NSX-TAG-Capture Sessions ST".
   These reflect the Security Group and Security Tag that were imported from VMware.

4. Navigate to the Policy, Manage Policies page.

5. Create (or open) a policy for BEE (and you, the current administrator User).
   Do not assign a recording policy.

6. Navigate to the Access page, and open a connection session to BEE.

7. Navigate to the Sessions, Session Recordings page.
   You see near the top of the line items that a session recording has begun to BEE.

Thus, the VMware Security Policy overruled the (empty) CA Privileged Access Manager recording
policy, dynamically imposing session recording.
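Examples 1 and 2 above walk one chain by hand: a Security Tag on a VM places it in a Security Group through dynamic membership, the Security Policy applied to that group activates a Service Profile of "CA Privileged Access Manager Service", and the profile changes what CA Privileged Access Manager does with a connection session to the imported Device. The following code, added here as an illustration and not product code, traces that chain for the objects named in the examples and also for the other two profiles from Table 1. The object names come from the page; the data structures, the resolution logic, the untagged VM "ANT" and the "NSX-TAG-"/"NSX-SG-" prefixes follow the imported-tag names shown in step 3 above, and the recording toggle follows the Table 1 description ("recording off, NSX turns it on, and vice versa").

```python
"""Trace tag -> Security Group -> Security Policy -> Service Profile -> session effect.

Added illustration, not CA Privileged Access Manager or NSX code. Object names
mirror Examples 1 and 2 on this page; the structures and logic are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# The three Service Profiles registered by CA Privileged Access Manager Service (Table 1).
SESSION_RECORDING = "Session Recording"
TERMINATE_SESSIONS = "Terminate Sessions"
RE_AUTHENTICATION = "CA Privileged Access Manager Re-Authentication"


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    tag_equals: str               # membership criterion: Security Tag "Equals to" this value


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    profiles: FrozenSet[str]      # Service Profiles selected in the policy
    applied_to: FrozenSet[str]    # Security Group names the policy is applied to


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    security_tags: FrozenSet[str]


def member_groups(vm: VirtualMachine, groups: List[SecurityGroup]) -> List[str]:
    """Security Groups the VM joins through its tags (dynamic membership)."""
    return [g.name for g in groups if g.tag_equals in vm.security_tags]


def imported_pam_tags(vm: VirtualMachine, groups: List[SecurityGroup]) -> List[str]:
    """Non-editable tags the imported Device record carries in CA PAM (step 3 above)."""
    tags = ["NSX-TAG-" + t for t in sorted(vm.security_tags)]
    tags += ["NSX-SG-" + g for g in member_groups(vm, groups)]
    return tags


def active_profiles(vm: VirtualMachine, groups: List[SecurityGroup],
                    policies: List[SecurityPolicy]) -> Set[str]:
    """Every profile of every policy applied to a group the VM belongs to."""
    members = set(member_groups(vm, groups))
    active: Set[str] = set()
    for policy in policies:
        if members & policy.applied_to:
            active |= policy.profiles
    return active


def session_controls(vm: VirtualMachine, groups: List[SecurityGroup],
                     policies: List[SecurityPolicy], pam_recording: bool) -> Dict[str, bool]:
    """What CA PAM does with a new connection session to vm, given its own recording policy."""
    profiles = active_profiles(vm, groups, policies)
    recording = pam_recording
    if SESSION_RECORDING in profiles:
        recording = not recording          # NSX toggles the PAM setting (Table 1)
    return {
        "session_permitted": TERMINATE_SESSIONS not in profiles,
        "recording": recording,
        "reauthenticate": RE_AUTHENTICATION in profiles,
    }


# Constructed objects mirroring Examples 1 and 2.
GROUPS = [SecurityGroup("Capture Sessions SG", tag_equals="Capture Sessions ST")]
POLICIES = [SecurityPolicy("Session Recording SP", frozenset({SESSION_RECORDING}),
                           frozenset({"Capture Sessions SG"}))]
BEE = VirtualMachine("BEE", frozenset({"Capture Sessions ST"}))
ANT = VirtualMachine("ANT", frozenset())   # constructed VM with no Security Tag


def example2_walkthrough() -> Dict[str, object]:
    """Example 2 outcome: the PAM policy assigns no recording, NSX records anyway."""
    return {
        "bee_tags": imported_pam_tags(BEE, GROUPS),
        "bee_controls": session_controls(BEE, GROUPS, POLICIES, pam_recording=False),
        "ant_controls": session_controls(ANT, GROUPS, POLICIES, pam_recording=False),
    }


if __name__ == "__main__":
    print(example2_walkthrough())
```

Because the toggle in Table 1 is a toggle and not a one-way switch, a connection whose CA Privileged Access Manager policy already records is turned off by the same Security Policy; `session_controls` makes that visible when called with `pam_recording=True`, which is worth checking before tagging VMs that are already covered by a recording policy.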

VMware vCenter and NSX Coordination Reference


You can configure vCenter coordination with an associated NSX installation, and the import from
multiple vCenter installations when NSX is not used.

VMware Configuration Panel

This panel shows the currently configured vCenter installations and their global CA Privileged Access
Manager controls. Use Add VMware vCenter to populate this panel.

vCenter Refresh Interval
   Format: Enumerated
   Options: 5 minutes, 15 minutes, 30 minutes, 60 minutes. Default: 60 minutes.
   Description: Specifies the elapsed time between each import refresh and the previous refresh. All
   active provisions are refreshed simultaneously. The four options correspond to fixed times on the
   clock (as set in Config > Date/Time). For a setting of 5 minutes, if a provision was made
   Active="YES" (or selected) at, for example, 11:12, it is then refreshed at the next time marker used
   by this option: 11:15, then again at 11:20, then at 11:25, and so on. For 15 minutes, refresh would
   occur at 11:15, then at 11:30, then at 11:45, etc. When a provision has been made Active (or has
   been Add'ed with Device Sync selected), it is imported, and then the first refresh occurs at the
   first time marker (as shown in the example above), rather than following a full-length interval.
   A provision continues to be refreshed until it is Remove'd or you set Active="NO".

Global VMware Sync
   Format: Checkbox
   Options: Unchecked or Checked. Default: Unchecked.
   Description: Forces all vCenter Account combinations to the Active="YES" (refresh = on) state.
   When selected, import of newly active provisions occurs at the next fixed refresh time marker.

List of configured vCenter provisions:

Edit column
   Format: Button (Edit button or Save button)
   Description: Toggles the edit mode of this line item. The Edit button opens the line item for
   editing (turns on edit mode). The Save button saves any changes to the currently staged line item
   values (URL and Active widgets), and closes the line item for editing (turns off edit mode).
   Initially, the edit mode is turned off.

vCenter Account column
   Format: String
   Description: Displays the vCenter Authentication Device – vCenter User combination.

URL column
   Format: String in URL format
   Options: Edit mode on: the URL string can be edited.
   Description: Displays the previously saved URL for this line item.

Active column
   Format: Edit mode off: Enumerated. Edit mode on: Checkbox.
   Options: Edit mode off: YES or NO. Edit mode on: checked or unchecked.
   Description:
   Edit mode off: YES: Configuration is scheduled to sync periodically (imports from vCenter) after
   each vCenter Refresh Interval. NO: Configuration is not scheduled to sync periodically (does not
   import from vCenter).
   Edit mode on: Checked: After clicking the Save button, the configuration will periodically sync
   (import from vCenter) after each vCenter Refresh Interval. Unchecked: After clicking the Save
   button, the configuration will not periodically sync (import from vCenter).

Remove column
   Format: Button
   Options: Click to execute
   Description: Removes this entire provisioning line item.

Test column
   Format: Button
   Options: Click to execute
   Description: Tests the connection for this line item provision to the Authentication Device and
   vCenter URL.

'Add VMware vCenter' Panel

Use this panel to configure and activate a vCenter in CA Privileged Access Manager.

When NSX has been registered for this CA Privileged Access Manager:
   The message "Multi vCenter Servers are not supported when NSX is configured" appears in this
   panel. No widgets are available.

When NSX has not been registered for this CA Privileged Access Manager (through the VMware NSX
panel), the panel contains the following columns:

vCenter Authentication Device
   Format: Enumerated
   Options: Drop-down list of all provisioned CA Privileged Access Manager Devices
   Description: Choose the Device that hosts the authentication server for this account (from all
   currently provisioned CA Privileged Access Manager Devices), either a targeted vCenter or an
   external server such as LDAP that authenticates vCenter users.

vCenter User (this field appears only after 'vCenter Authentication Device' is populated)
   Format: Enumerated
   Options: Drop-down list of all provisioned vCenter Authentication Device target accounts
   Description: Choose a VMware vCenter user account from those that have been provisioned in
   Credential Manager as target accounts in the above vCenter Authentication Device.

URL
   Format: String
   Options: Properly formed URL
   Description: Enter the vCenter URL, ordinarily – but not exclusively – of the form:
   https://address[:port]/sdk
   Examples:
   https://vcenter.example.com/sdk
   https://192.0.2.1:55555/sdk
   https://vcenter2.example.com:65123/

Device Sync
   Format: Checkbox
   Options: checked or unchecked
   Description: Check the box if you want all (non-XsuiteIgnore tagged) virtual machines (VMs) to be
   imported upon clicking Add, and then after each Global VMware vCenter Sync period.

Add
   Format: Button
   Options: Click to execute
   Description: Click to load this currently staged vCenter specification to the VMware vCenter
   Configuration list.

'VMware NSX' Panel

When a single vCenter has been configured, this panel can be used to register and activate CA
Privileged Access Manager sharing in NSX.

When a vCenter has not been configured for this CA Privileged Access Manager:
   The message "VMware vCenter Server is not configured" appears in this panel. No widgets are
   visible.

When a vCenter has been configured for this CA Privileged Access Manager (through the Add
VMware vCenter panel), the panel contains the following columns:

Status
   Format: Text
   Options: Not Configured, Registered, Not Registered
   Description: Not Configured is the initial status: no NSX is registered. Registered: the most recent
   registration was successful, and the NSX configuration that is shown is registered. Not Registered:
   the most recent registration failed, and the NSX configuration that is shown is not currently
   registered. Updated following a status change in CA Privileged Access Manager NSX registration.
   Not directly editable.

NSX Authentication Device
   Format: Enumerated
   Options: Drop-down list of all provisioned CA Privileged Access Manager Devices
   Description: Choose the Device that hosts the authentication server for this account (from all
   currently provisioned CA Privileged Access Manager Devices), either a targeted vCenter or an
   external server such as LDAP that authenticates vCenter users.

NSX User (this field appears only after 'NSX Authentication Device' is populated)
   Format: Enumerated
   Options: Drop-down list of all provisioned NSX Authentication Device target accounts
   Description: Choose a VMware vCenter user account from those that have been provisioned in
   Credential Manager as target accounts in the above NSX Authentication Device.

URL
   Format: String
   Options: Properly formed URL
   Description: Enter the NSX URL, ordinarily – but not exclusively – of the form:
   https://address[:port]/
   Examples:
   https://nsx.example.com/
   https://192.0.2.1:55555/
   https://nsx2.example.com:65123/

Access page runtime updates
   Format: Checkbox
   Options: Selected or unselected
   Description: When this option is selected, NSX synchronization with CA Privileged Access Manager
   is initiated whenever the Access page is loaded.
   NOTE: This feature increases Access page load time.

Background updates
   Format: Checkbox
   Options: Selected or unselected
   Description: When this option is selected, a CA Privileged Access Manager update is initiated after
   NSX settings are updated, and after each vCenter Refresh Interval.

Register
   Format: Button
   Options: Click to execute.
   Description: Registers this currently staged NSX specification. Returns (at top of page) one of:
   "VMware NSX configuration successfully updated."
   "VMware NSX partner service was successfully registered."
   "VMware NSX partner service was not registered. See log for details."

Save (this label appears only after an NSX registration attempt)
   Options: Click to execute.
   Description: Returns (at top of page):
   "VMware NSX configuration successfully updated."

Disable (this option appears only after a failed NSX registration attempt)
   Format: Button (this button appears only after an NSX registration attempt)
   Options: Click to execute.
   Description: Resets all widgets to default values (empties the fields). Returns (at top of page)
   one of:
   "VMware NSX partner service was successfully unregistered."

Unregister (this option appears only after a successful NSX registration)
   Description: Unregisters this NSX, and resets all widgets to default values (empties the fields).
   Returns (at top of page) one of:
   "VMware NSX configuration successfully updated."
   "VMware NSX partner service was successfully unregistered."

Test (this button appears only after an NSX registration attempt)
   Format: Button
   Options: Click to execute.
   Description: Tests that CA Privileged Access Manager can communicate with the configured NSX
   Manager. Returns (at top of page) one of:
   "Connected successfully to NSX Manager"


VMware NSX API Proxy Integration


VMware NSX API Proxy requires licensing from CA Technologies for a specific number of proxy users.
The proxy is available for deployment in VMware OVA file format.

Important

If your CA Privileged Access Manager installation allows or you plan to allow use of both
VMware NSX API Proxy and AWS API Proxy, these proxies must be on different subnets.

The use case flow is:

1. A user sends a REST API request (intended for NSX Manager) to the new CA Technologies
VMware NSX API Proxy. The request uses credentials from CA Privileged Access Manager,
which are valid only for use with this proxy. (They differ from the credentials used by NSX
Manager).

2. The proxy validates the request and obtains the actual (and persistent) NSX Manager credentials
that have been vaulted on CA Privileged Access Manager. It then forwards the request to NSX
Manager using those credentials.

3. The NSX Manager response is passed directly to the user while audit and request syslog
entries are stored in vCenter Log Insight. If configured, CA Privileged Access Manager rotates
the NSX Manager credential.

A VMware NSX API Proxy User role has the accessAll and manageAll privileges, and a
VmwareNsxApiProxy role allows use of the proxy.

Auto-activation whitelist
Only NSX API Proxies which are within specified subnets are permitted to automatically receive NSX
Manager credentials from CA Privileged Access Manager. Such subnets are called "whitelisted
subnets".
Specify these whitelists as follows:

1. Navigate to the Config, 3rd Party page, and scroll to the bottom.

2. In the VMware NSX API Proxy Auto-Activation Whitelist panel, enter a private subnet that
contains the NSX API Proxy instances. Use CIDR form (for example, 10.21.1.0/24), and click
Save.
You receive a green confirmation message at the top of the page: "NSX API Proxy Auto-
Activation Whitelist successfully updated."
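The use case flow and the whitelist above together describe a credential-substituting proxy: the caller authenticates with proxy-only credentials, the proxy is only trusted for that job when it sits inside a whitelisted subnet, the persistent NSX Manager credential is swapped in just before forwarding, and an audit entry is written for every decision. The following model, added here as an illustration and not the CA Technologies proxy or its API, shows that decision order end to end. The proxy user store, the salt, the subnet list, the vaulted credential, the request path and the forwarding stub are all constructed for the example; in a real deployment the NSX Manager credential comes from the CA Privileged Access Manager vault, the role check uses the VmwareNsxApiProxy role named above, and the audit entries go to vCenter Log Insight.

```python
"""Model of the VMware NSX API Proxy request flow and the auto-activation whitelist.

Added illustration, not the CA Technologies proxy or its API. Users, salt,
subnets, the vaulted credential and the forwarding stub are all constructed.
"""
import base64
import hashlib
import hmac
import ipaddress
from typing import List, Optional, Tuple

# Whitelist in the CIDR form the Config > 3rd Party panel accepts (constructed value).
WHITELISTED_SUBNETS = [ipaddress.ip_network("10.21.1.0/24")]


def proxy_may_auto_activate(proxy_ip: str, subnets=None) -> bool:
    """Only a proxy inside a whitelisted subnet may receive NSX Manager credentials."""
    addr = ipaddress.ip_address(proxy_ip)
    nets = subnets if subnets is not None else WHITELISTED_SUBNETS
    return any(addr in net for net in nets)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt"
# Proxy-only users (constructed). Their secrets differ from the NSX Manager credential.
PROXY_USERS = {
    "alice": {"hash": _pbkdf2("proxy-only-secret", _SALT), "roles": {"VmwareNsxApiProxy"}},
    "bob": {"hash": _pbkdf2("another-secret", _SALT), "roles": set()},  # lacks the proxy role
}

# Stand-in for the vault lookup: the persistent NSX Manager credential (constructed).
VAULTED_NSX_CREDENTIAL = ("admin", "constructed-vaulted-password")


def _parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization header; None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, sep, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, pw) if sep else None


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def forward_to_nsx(method: str, path: str, authorization: str) -> dict:
    """Stub for the forwarding step; no network I/O in this example."""
    return {"status": 200, "method": method, "path": path, "authorization": authorization}


def handle_request(proxy_ip: str, method: str, path: str,
                   authorization: Optional[str], audit: List[str]) -> dict:
    """Whitelist -> validate proxy user -> role -> swap in vaulted credential -> forward -> audit."""
    if not proxy_may_auto_activate(proxy_ip):
        audit.append(f"deny proxy={proxy_ip} reason=not-whitelisted")
        return {"status": 403}
    cred = _parse_basic(authorization)
    if cred is None:
        audit.append(f"deny proxy={proxy_ip} reason=malformed-authorization")
        return {"status": 401}
    user, password = cred
    record = PROXY_USERS.get(user)
    supplied = _pbkdf2(password, _SALT)                        # same cost for unknown users
    expected = record["hash"] if record else bytes(len(supplied))
    if record is None or not hmac.compare_digest(expected, supplied):
        audit.append(f"deny proxy={proxy_ip} user={user} reason=bad-credentials")
        return {"status": 401}
    if "VmwareNsxApiProxy" not in record["roles"]:
        audit.append(f"deny proxy={proxy_ip} user={user} reason=missing-role")
        return {"status": 403}
    nsx_user, nsx_password = VAULTED_NSX_CREDENTIAL            # never returned to the caller
    response = forward_to_nsx(method, path, basic_header(nsx_user, nsx_password))
    audit.append(f"allow proxy={proxy_ip} user={user} {method} {path} status={response['status']}")
    return response


if __name__ == "__main__":
    log: List[str] = []
    print(handle_request("10.21.1.7", "GET", "/api/example", basic_header("alice", "proxy-only-secret"), log))
    print(log)
```

Two properties of the flow are worth checking in any real deployment of this pattern: the caller's proxy credential never reaches NSX Manager and the vaulted credential never reaches the caller, and the audit trail records the decision and the reason without ever containing either secret.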


Managing Java on Your Client Workstation

Clearing Java cache (Windows)

To help prevent mismatched CA Privileged Access Manager Java cache contents during or after
upgrading, clear the Oracle Java cache in Windows: open the Control Panel > Java, and remove all
"Temporary Files".

Updating Java Heap Setting

We recommend that you adjust your Java heap so that with 4-GB total memory, 1024 MB is allocated
to it.
For example, assign the Java maximum heap size value in Runtime Parameters:

-Xmx1024m -Xms1024m

Note

Do not copy-and-paste the string into a word processor (such as Microsoft Word) before
pasting into the Java Control Panel. This action might alter the characters. Instead, if you
want to store the string, use a plain-text application such as Notepad.

To confirm that the heap adjustment has taken effect: When your mouse is in focus in the Java
console, press: m to display the memory values. If successful, the results are close to the settings.

JAR File Signing


By default, CA Privileged Access Manager JARs are signed and are validated against a public
Certificate Authority (CA). For many customers, this arrangement is sufficient and no further action is
required. However, if your end users do not have access to the public Internet, this feature provides
an alternative to signing CA Privileged Access Manager applets using an internal CA.
If you are considering self-signing, we suggest you discuss this first with Support.


CA Privileged Access Manager Configuration


You can have CA Privileged Access Manager sign its JAR files using certificates issued from any CA,
including one located in your internal network, isolated from the Internet. To set the signing
certificate:

1. Have your organization CA administrator prepare a code-signing certificate for use by CA
Privileged Access Manager.
You receive the public certificate and private key for signing the CA Privileged Access Manager
JARs. You also receive the public key of the CA that issues this certificate with its CRL.

2. Log in as CA Privileged Access Manager User "config", or as another account with at least a
role of Configuration Manager. For example, you can also use "super".

3. Navigate to Config, Security.

4. In the Upload Certificate or Private Key panel, Browse to your certificate files and Upload
them.
Upload at least the public certificate and private key, and these files must have the same root
name. The public and private key files should end with the ".crt" and ".key" extensions
respectively; for example, you might have "ExampleCorp1.crt" and "ExampleCorp1.key".

5. In the (new) Sign CA Privileged Access Manager Applets panel on that page, Select A
Certificate with the bundle root name you uploaded.

6. To confirm certificate integrity, click Verify Certificate, and note the confirmation message at
the top of the page.

7. After the certificate passes verification, click Sign Applets With Certificate, and wait a few
moments for the CA Privileged Access Manager applets to be signed, and confirmed at the top
of the page.

8. Clear your Java cache.

9. Log out from CA Privileged Access Manager, and then log back in.

Client Configuration
Your clients must be configured to trust the public certificate that is used to sign the CA Privileged
Access Manager JARs:

On each client, add the public certificate of the CA to your Java JRE installation (Java Control
Panel, Security, Manage Certificates, User tab + Certificate Type = "Signer CA" > Import), or to
your browser certificate store.


Juniper Integration
Customers can allow manual login to a CA Privileged Access Manager appliance behind a Juniper
Networks SSL VPN, rather than requiring that users be configured for CA Privileged Access Manager
auto-connection access.

User experience

While logged in to Juniper, open the login page through a Juniper bookmark, and manually log in.

Juniper setup
1. Log in to Juniper.

2. Set up a bookmark to the CA Privileged Access Manager login page:

For the URL string for that bookmark, append the tag below:
?XSUITE_VPN_LOGIN=1
Example: https://xsuite.example.com/?XSUITE_VPN_LOGIN=1
Verify that you provide a trailing slash "/" after the CA Privileged Access Manager address/path.

User experience (after configuration)

1. Log in to Juniper.

2. Select the Juniper bookmark you created earlier, and open the CA Privileged Access Manager
login page.

3. Log in to CA Privileged Access Manager.


Integrate a Java Application or Application Server

The following method has been tested with a WebLogic version 12.2.1 application server.

Setup
To make a Java application or application server (such as WebLogic, JBoss, or Tomcat) a requestor,
configure it to use the Privileged Access Manager JARs and native code libraries:

The JAR files must be in the class path of the requestor. The JAR files are cspmclient.jar and
cwjcafips.jar. They are located in the $CSPM_CLIENT_HOME/cspmclient/lib
directory.

If the requestor needs to use the Privileged Access Manager JDBC proxy, the cloakwareJdbc.jar
file must be in the class path of the requestor. It is located in the
$CSPM_CLIENT_HOME/cspmclient/tools directory.

The requestor’s library path must include $CSPM_CLIENT_HOME/cspmclient/lib.

Setting the class path can be done in the standard Java manner or might be application-specific. The
latter is a common requirement of application servers. See your application documentation for
details.

The library path can be set:

As part of the requestor Java invocation using the -Djava.library.path syntax

Using the OS-specific environment variable. The possible environment variables are PATH for
Windows, LD_LIBRARY_PATH for Solaris and Linux, and LIBPATH for AIX.

Using the Privileged Access Manager JDBC Proxy Driver

The Privileged Access Manager JDBC driver is a proxy for the original Database Management System
(DBMS) JDBC driver. Without A2A, the requestor has a JDBC connection to a DBMS. The requestor is
configured with

The JDBC driver's class, which must be in the class path of the requestor

Information about where it is connecting (the DBMS' hostname, and so on)


Additional driver parameters, such as the username and password to log in as, the driver buffer
sizes, and so on.

To use Privileged Access Manager JDBC driver:

1. Change the driver reference from the original DBMS-specific one to the Privileged Access
Manager JDBC driver. The driver class name becomes com.cloakware.jdbc.JdbcDriver.

2. Change the JDBC connection string to add information specifying the Privileged Access
Manager JDBC driver name, the target alias that identifies the target account, and the class
name of the original DBMS JDBC driver as follows:

a. Prefix the JDBC connection string with cspm.

b. Suffix the JDBC connection string with ;CSPMDriver=targetDriverClassName;CSPMAlias=alias
where:

targetDriverClassName is the class name of the original DBMS JDBC driver (such as
oracle.jdbc.driver.OracleDriver for Oracle, com.microsoft.sqlserver.jdbc.SQLServerDriver for
Microsoft SQL Server, com.mysql.jdbc.Driver for MySQL, org.postgresql.Driver for Postgres, or
com.ibm.db2.jcc.DB2Driver for DB2)

alias is the target alias that is associated with the target account the requestor
uses to log in to the DBMS

CA Technologies also recommends that the username and password fields be cleared out because
they are overwritten by the Privileged Access Manager JDBC proxy driver.

The following example shows a modified connection string to an Oracle database:

Before: jdbc:oracle:thin:@//dbHost:1521/myService

After: cspm:jdbc:oracle:thin:@//dbHost:1521/myService;CSPMDriver=oracle.jdbc.OracleDriver;CSPMAlias=myAlias
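As an added example (not code from the CA Privileged Access Manager documentation or product), the following Python applies the two rewriting rules above to a plain JDBC URL, reports any username or password left in it (the proxy driver overwrites those, so they should be cleared), and splits a proxied string back into its parts. The splitting logic and the driver-class table are assumptions drawn from the text above, not the proxy driver's own implementation.

```python
"""Rewrite a JDBC connection string for the Privileged Access Manager JDBC proxy driver.

Added example; not code from the CA Privileged Access Manager documentation or
product. It applies the two rules on the page (prefix "cspm:", suffix
";CSPMDriver=<class>;CSPMAlias=<alias>"), flags credentials left in the
original string, and splits a rewritten string back apart. The splitting logic
is an assumption about the format, not the proxy driver's own implementation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

CSPM_PREFIX = "cspm:"

# Original DBMS driver classes named on the page, keyed by JDBC subprotocol.
KNOWN_DRIVERS = {
    "oracle": "oracle.jdbc.driver.OracleDriver",
    "sqlserver": "com.microsoft.sqlserver.jdbc.SQLServerDriver",
    "mysql": "com.mysql.jdbc.Driver",
    "postgresql": "org.postgresql.Driver",
    "db2": "com.ibm.db2.jcc.DB2Driver",
}

# Property names that carry credentials in common JDBC URL syntaxes.
_CREDENTIAL_KEYS = re.compile(r"(?:^|[;?&])(user|username|password)=", re.IGNORECASE)


@dataclass(frozen=True)
class CspmUrl:
    original_url: str   # the DBMS-specific JDBC URL, unchanged
    driver_class: str   # class name of the original DBMS JDBC driver
    alias: str          # target alias that identifies the target account

    def __str__(self) -> str:
        return (f"{CSPM_PREFIX}{self.original_url};"
                f"CSPMDriver={self.driver_class};CSPMAlias={self.alias}")


def subprotocol(jdbc_url: str) -> str:
    """Return the JDBC subprotocol, e.g. 'oracle' for 'jdbc:oracle:thin:@//...'."""
    parts = jdbc_url.split(":", 2)
    if len(parts) < 2 or parts[0] != "jdbc" or not parts[1]:
        raise ValueError(f"not a JDBC URL: {jdbc_url!r}")
    return parts[1]


def embedded_credentials(jdbc_url: str) -> List[str]:
    """Credential property names found in the URL; should be empty before proxying."""
    return [m.group(1).lower() for m in _CREDENTIAL_KEYS.finditer(jdbc_url)]


def to_cspm_url(jdbc_url: str, alias: str,
                driver_class: Optional[str] = None) -> CspmUrl:
    """Build the proxied URL; driver_class defaults to the page's class for the subprotocol."""
    if driver_class is None:
        sub = subprotocol(jdbc_url)
        if sub not in KNOWN_DRIVERS:
            raise ValueError(f"no default driver class for {sub!r}; pass driver_class")
        driver_class = KNOWN_DRIVERS[sub]
    if not alias or ";" in alias:
        raise ValueError("alias must be non-empty and must not contain ';'")
    return CspmUrl(jdbc_url, driver_class, alias)


def parse_cspm_url(cspm_url: str) -> CspmUrl:
    """Split a proxied URL into its parts, as a proxy driver would have to."""
    if not cspm_url.startswith(CSPM_PREFIX):
        raise ValueError("missing 'cspm:' prefix")
    segments = cspm_url[len(CSPM_PREFIX):].split(";")
    params = {}
    # The CSPM parameters are the last ';'-separated segments. Everything before
    # them is the original URL, including any ';' the DBMS syntax itself uses
    # (SQL Server URLs carry properties such as ';databaseName=...').
    while (segments and "=" in segments[-1]
           and segments[-1].split("=", 1)[0] in ("CSPMDriver", "CSPMAlias")):
        key, value = segments.pop().split("=", 1)
        params[key] = value
    if set(params) != {"CSPMDriver", "CSPMAlias"}:
        raise ValueError("CSPMDriver and CSPMAlias must both be present")
    return CspmUrl(";".join(segments), params["CSPMDriver"], params["CSPMAlias"])


if __name__ == "__main__":
    # The page's own Oracle example, rewritten and then split back apart.
    before = "jdbc:oracle:thin:@//dbHost:1521/myService"
    after = to_cspm_url(before, "myAlias", "oracle.jdbc.OracleDriver")
    print("Before:", before)
    print("After: ", after)
    print("Parsed:", parse_cspm_url(str(after)))
    # Constructed MySQL URL with credentials left in it: report what to clear.
    print("Credentials to clear:", embedded_credentials(
        "jdbc:mysql://dbHost:3306/app?user=app&password=CHANGE_ME"))
```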


Integrate with Your Service Desk Solution


As a system administrator, you configure CA Privileged Access Manager to provision privileged
account access to your service desk solution. CA Privileged Access Manager uses CA Normalized
Integration Management behind the scenes to integrate with third-party help desk solutions.

Password View and Update


CA Privileged Access Manager administrators create Password View Policies to apply to Accounts. The
Password View Policy can use a Service Desk Integration to validate access with a service desk ticket
number. When users request to view the password of a privileged help desk account, they provide a
ticket number for validation. The following IT Service Management products have password update
or view capabilities:

BMC Remedy version 8.1

CA Service Desk Manager r12.6, r12.7, r12.9, and r14.1

HP Service Manager version 9.32

ServiceNow Eureka, Fuji, and Geneva versions

Salesforce Service Cloud Winter 2015 release (supports password viewing, but not updating)

Auto-Connect Access
Credential Manager Workflow can be applied to user access by applying a Password View Policy to
the privileged user account. The Password View Policy can use a Service Desk Integration to validate
access with a service desk ticket number.

CA Normalized Integration Management


CA Privileged Access Manager includes a pre-existing Device, two Applications, and two Accounts for
CA Normalized Integration Management (CA NIM). The Device is a Target Server for CA Normalized
Integration Management. The Device displays on the Manage Devices page, but cannot be edited. CA
NIM works behind the scenes without need for user intervention. You have two CA Normalized
Integration Management applications and accounts: one for User Management, one for Service
Management.

Before you proceed, change the passwords for the two Accounts, both named "nimadmin," from
their default passwords.

Follow these steps:

1. Log in to the CA Privileged Access Manager Credential Manager by selecting Manage
Passwords from the Policy menu.

2. Select Accounts from the Targets menu.

3. Click the nimadmin Account Name for the CA Normalized Integration Management for Service
Management application.

4. Enter a new password in the Password field, select Update both the Password Authority
Server and the target, and click Save.
A message displays: "The account was saved successfully."

5. Repeat this procedure for the nimadmin Account for the CA Normalized Integration
Management for User Management application.

Navigate to your service desk solution for its specific integration procedures:

BMC Remedy (see page 52)

CA Service Desk Manager (see page 56)

HP Service Manager (see page 61)

ServiceNow (see page 65)

Salesforce Service Cloud (see page 69)

BMC Remedy ITSM Integration


Prerequisites
Before you configure the settings for BMC Remedy ITSM, copy the SDK JAR files from the BMC
Remedy System. These files enable communication between CA Privileged Access Manager and BMC
Remedy.
Follow these steps:

1. On the BMC Remedy system, go to the following directory:
\\bmc\Software\ARSystem\Arserver\api\lib

2. Copy the following SDK JAR files:

arapi8*.jar

arutil81*.jar

3. Save the copied JAR files to a location accessible to the CA Privileged Access Manager system.

4. In CA Privileged Access Manager, select 3rd Party from the Config menu.


5. Scroll to the Remedy Service Desk Configuration section. Use the Choose File button to
browse for the JAR files individually. Use the Upload button to upload each file, one at a time.
Note: If you are load balancing, you have to upload the JAR files to each server. The files are
the same for Windows and Linux.

6. Restart the app server by clicking the Restart Tomcat button. Wait until the process
completes.
A message displays: "Tomcat restarted successfully."

Device Configuration
To integrate with BMC Remedy ITSM, create a target server device.

Follow these steps:

1. Navigate to Manage Devices under the Devices menu. Click the Create Device link.

2. Enter the Device Name and Address.

3. Select the Operating System.

4. Select the Type of device.

5. Enter a description. The description displays on the Devices panel as Description.

6. The remaining values are optional, and are described in Device Setup (https://docops.ca.com
/display/CAPAM28/Device+Setup).

7. Click Save.

Application Configuration
Next, set up an Application for BMC Remedy.

Follow these steps:

1. Load Credentials Management by selecting Manage Passwords under the Policy menu.

2. Navigate to Applications under the Targets menu. Click the Add button.
The Application Details panel appears.

3. Click the Find Server magnifying glass icon to select the Remedy device you created.
The Host Name and Device Name are populated.

4. Enter "Remedy" or similar into the Application Name field.

5. Select Remedy from the Application Type drop-down list.
The Remedy Details box is added to the Application Details panel. Each ITSM solution has its
own detail fields.


6. Select a Password Composition Policy if you have created one, or leave the default "None."

7. Add Descriptor 1 and 2, optionally.

8. Enter the Port or accept the default of 0.

9. Enter the BMC Remedy Client URL. The initial field value suggests the correct format for the
URL (http://bmc_client_host_name:8080/arsys).

10. If Remedy uses a proxy, enter the parameters as appropriate.

11. Click Save.

Account Configuration
Set up the Account using the Device and Application you have already set up.

Follow these steps:

1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.

2. Navigate to Accounts under the Targets menu. Click the Add button.
The Accounts Details panel appears.

3. Click the Find Server magnifying glass icon to select the Remedy device you created.
The Host Name and Device Name are populated.

4. Click the Find Application magnifying glass icon to select the Remedy application you created.
The Remedy Account Details box is added to the Application Details panel, with the Change
Process selection.

5. Enter a name into the Account Name field.

6. Leave the Password View Policy as Default unless you already have one to use.

7. Enter a password or click the Generate Password icon. Generating a password disables the
Show Password check box.
Note: The remaining password-related fields are read-only. The maximum age and expiration
fields are determined by the Password Composition Policy, if any. See Password Composition
Policies (https://docops-dev.ca.com/display/CAPAM/Password+Composition+Policies) for more
information about Password Composition Policies.

8. Choose a Synchronized option. The default is to change only the Password Authority Server.
To change the password on the target server also, choose "Update both."

9. In the Remedy Account Details box, select the Change Process. Choose whether the Account
can change its own password, or indicate another account. If the user does not have
permission to change passwords, use another account. Selecting "Use the following account
to change password" displays a list of existing accounts to choose from.

10. You can optionally select an Owner User Name from the list of users on the CA Privileged
Access Manager system.

11. Click Save.
The message "The account was saved successfully" appears.

Password View Policy Configuration


Each target account is associated with a password view policy, either the default policy or a policy
that you create. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information. Using Service Desk Integration in a Password View
Policy requires the user to enter a service desk ticket number.

Follow these steps:

1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.

2. Navigate to Password View Policies under the Workflow menu. Click the Add button.
The Password View Policy Details panel appears.

3. Select Remedy from the Service Desk Integration drop-down list.
A box appears with specific Remedy configuration fields. Reason Required For View and
Reason Required For Auto-Connect are checked. These options are required for service desk
integration. A warning appears if you try to clear either checkbox.

4. Enter the Remedy Server name, the Remedy Application name, and the Account name.

5. You can be more specific in your ticket number request by limiting the type of ticket or by
using a query filter. Ticket Type defaults to All. Incident, Problem, Change, and Request are
also available. See Query Filter (see page 55) for details about Query Filters.

6. You can use more credential workflows methods, such as dual authorization and re-
authentication. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information.

7. Click Save.
A message appears: "The Password View Policy Has Been Saved Successfully"

Query Filter
The Query Filter field enables you to create Queries with combinations of values to filter which
service desk tickets are used for validation.

Field Values
Impact: high, low, medium, minor

Priority: critical, high, low, medium


Status: assigned, cancelled, closed, inprogress, new, pending, resolved

Urgency: critical, high, low, medium

Operators
== (equals)

&& (and)

|| (or)

!= (not equals)

Examples
status==active

status!=closed

status==open

(urgency==critical&&priority==high)||status==inprogress&&impact==high

CA Service Desk Manager Integration


Prerequisites
Before you configure the settings for CA Service Desk Manager, verify that you have an appropriate
version. To enable password updates by CA Privileged Access Manager, ensure that CA Service Desk
Manager is configured for PIN-based authentication.

CA Service Desk Manager Supported Versions


CA Service Desk Manager r12.6, r12.7, r12.9, and r14.1

Fixes applied based on your version of CA Service Desk Manager and the operating system it is
running on:

r12.7

T52Y226 (only Linux is supported)

r12.9

T52Y220 – Windows

T52Y223 – Linux

T52Y224 – Solaris

T52Y225 – AIX

CA Service Desk Manager REST Services are installed and deployed. REST Services are not
deployed by default. To deploy them, use the following command:

pdm_rest_util -deploy

For more information, see your CA Service Desk Manager documentation.

PIN-Based Authentication
CA Service Desk Manager contact records do not have a "password" field, but another field is used
for the password. A CA Service Desk Manager administrator can specify a contact record field such as
contact_num or email_address to be used for passwords. This means that updating a password
through CA Privileged Access Manager updates that same field.

To enable PIN-based authentication, follow these steps:

1. On the CA Service Desk Manager system, navigate to Administration, Security and Role
Management, Access Types.

2. Select the Access Type for which you are enabling PIN-based authentication.

3. On the Web Authentication tab, select PIN from the Validation Type drop-down list.

4. Click Save.

For more information, see:

Configuring CA Service Desk Manager User Accounts (https://docops.ca.com/ca-service-management/14-1/en/administering/configuring-ca-service-desk-manager/configuring-user-accounts)

Creating a CA Service Desk Manager Access Type (https://docops.ca.com/ca-service-management/14-1/en/administering/configuring-ca-service-desk-manager/how-to-set-up-the-data-partition/create-an-access-type)

Configuring CA Service Desk Manager User Authentication (https://docops.ca.com/ca-service-management/14-1/en/administering/configuring-ca-service-desk-manager/setting-up-security/user-authentication)

Device Configuration
To integrate with CA Service Desk Manager, create a new target server device.
Follow these steps:

1. Navigate to Manage Devices under the Devices menu. Click the Create Device link.

2. Enter the Device Name and Address.

3. Select the Operating System.

4. Select the Type of device.

5. Enter a description. This description displays on the Devices panel as Description.

6. The remaining values are optional, and are described in Device Setup (https://docops.ca.com
/display/CAPAM28/Device+Setup).

7. Click Save.

Application Configuration
Next, set up an Application for CA Service Desk Manager.
Follow these steps:

1. Load Credentials Management by selecting Manage Passwords under the Policy menu.

2. Navigate to Applications under the Targets menu. Click the Add button.
The Application Details panel appears.

3. Click the Find Server magnifying glass icon to select the CA SDM device you created.
The Host Name and Device Name are populated.

4. Enter "CA SDM" or similar into the Application Name field.

5. Select "CA SDM" from the Application Type drop-down list.
An additional details box is added to the Application Details panel. Each ITSM solution has its
own detail fields.

6. Select a Password Composition Policy if you have created one, or leave the default "None."

7. Add Descriptor 1 and 2, optionally.

8. Enter the SOAP Protocol, SOAP Port, REST Protocol, and REST Port.

9. Enter the DefaultAttachmentRepositoryName.

10. Enter the PIN Field (such as contact_num or email_address) that CA Service Desk Manager is
using as password.

11. Click Save.


Account Configuration
Set up the Account using the Device and Application you have already set up.
Follow these steps:

1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.

2. Navigate to Accounts under the Targets menu. Click the Add button.
The Accounts Details panel appears.

3. Click the Find Server magnifying glass icon to select the CA SDM device you created.
The Host Name and Device Name are populated.

4. Click the Find Application magnifying glass icon to select the CA SDM application you created.
The CA SDM Account Details box is added to the Application Details panel, with the Change
Process selection.

5. Enter a name into the Account Name field.

6. Leave the Password View Policy as Default unless you already have one to use.

7. Enter a password or click the Generate Password icon. Generating a password disables the
Show Password check box.
Note: The remaining password-related fields are read-only. The maximum age and expiration
fields are determined by the Password Composition Policy, if any. See Password Composition
Policies (https://docops-dev.ca.com/display/CAPAM/Password+Composition+Policies) for more
information.

8. Select a Synchronized option. The default is to change only the Password Authority Server. To
change the password on the target server also, select "Update both."

9. In the CA SDM Account Details box, select the Change Process. Select whether the Account
can change its own password, or indicate another account. If the user does not have
permission to change passwords, use another account. Selecting "Use the following account
to change password" displays a list of existing accounts to select from.

10. You can optionally select an Owner User Name from the list of users on the CA Privileged
Access Manager system.

11. Click Save.
The message "The account was saved successfully" appears.


Password View Policy Configuration


Each target account is associated with a password view policy, either the default policy or a policy
that you create. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information. Using Service Desk Integration in a Password View
Policy requires the user to enter a service desk ticket number.

Follow these steps:

1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.

2. Navigate to Password View Policies under the Workflow menu. Click the Add button.
The Password View Policy Details panel appears.

3. Select CA Service Desk Manager from the Service Desk Integration drop-down list.
A box appears with specific CA SDM configuration fields. Reason Required For View and
Reason Required For Auto-Connect are selected. These options are required for service desk
integration. A warning appears if you try to clear either checkbox.

4. Enter the CA SDM Server name, the CA SDM Application name, and the Account name.

5. You can further limit your ticket number request by the type of ticket or by using a query
filter. Ticket Type defaults to All. Incident, Problem, Change, and Request are also available.
See Query Filter (see page 60) for details about Query Filters.

6. You can use more credential workflows methods, such as dual authorization and re-
authentication. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information.

7. Click Save.
A message appears: "The Password View Policy Has Been Saved Successfully"

Query Filter
The Query Filter field enables you to create Queries with combinations of values that are used to
filter which service desk tickets are used for validation.

Field Values
Impact: entireorganization, multiplegroups, none, oneperson, singlegroup, smallgroup

Priority: highpriority, lowpriority, medium-highpriority, medium-lowpriority, mediumpriority,
none

Severity: allhandsescalation, escalated, hdmgrescalation, mgrescal, supervisorescal

Status: acknowledged, analysiscomplete, approvalinprogress, approved, avoided,
awaitingenduserresponse, awaitingvendor, cancelled, closed, closedunresolved, closerequested,
fixed, fixinprogress, hold, inprogress, knownerror, open, pendingchange, problem-closed,
problem-fixed, problem-open, rejected, researching, resolved, sa-abandon, sa-resolved

Urgency: immediate, quickly, soon, veryquickly, whenpossible

Operators
== (equals)

&& (and)

|| (or)

!= (not equals)

Examples
status==acknowledged

status!=closed

status==open

(urgency==immediate&&priority==highpriority)||status==inprogress&&impact==none

HP Service Manager Integration


Prerequisites
Before you configure the settings for HP Service Manager, ensure that HP Service Manager uses GMT
as the time zone. If not, when you use the time stamp to search for users, the search fails. See your
HP Service Manager documentation for more information.

Device Configuration
To integrate with HP Service Manager, create a target server device.

Follow these steps:

1. Navigate to Manage Devices under the Devices menu. Click the Create Device link.

2. Enter the Device Name and Address.

3. Select the Operating System.


4. Select the Type of device.

5. Enter a description. The description displays on the Devices panel as Description.

6. The remaining values are optional, and are described in Device Setup (https://docops.ca.com
/display/CAPAM28/Device+Setup).

7. Click Save.

Application Configuration
Next, set up an Application for HP Service Manager.

Follow these steps:

1. Load Credentials Management by selecting Manage Passwords under the Policy menu.

2. Navigate to Applications under the Targets menu. Click the Add button.
The Application Details panel appears.

3. Click the Find Server magnifying glass icon to select the HP Service Manager device you
created.
The Host Name and Device Name are populated.

4. Enter "HP Service Manager" or similar into the Application Name field.

5. Select "HP Service Manager" from the Application Type drop-down list.
An HP Service Manager Details box is added to the Application Details panel. Each ITSM
solution has its own detail fields.

6. Select a Password Composition Policy if you have created one, or leave the default "None."

7. Add Descriptor 1 and 2, optionally.

8. Enter the Port or accept the default of 13080.

9. Enter the HP SM Client URL. The initial field value suggests the correct format for the URL
(http://hpsm-host-name:port-number/webtier-9.32).

10. Enter the Enabled Protocol or accept the default of http.

11. If HP Service Manager uses a proxy, enter the parameters as appropriate.

12. Click Save.

Account Configuration
Set up the Account using the Device and Application you have already set up.

Follow these steps:

1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.

2. Navigate to Accounts under the Targets menu. Click the Add button.
The Accounts Details panel appears.

3. Click the Find Server magnifying glass icon to select the HP Service Manager device you
created.
The Host Name and Device Name are populated.

4. Click the Find Application magnifying glass icon to select the HP Service Manager application
you created.
The HP Service Manager Account Details box is added to the Application Details panel, with
the Change Process selection.

5. Enter a name into the Account Name field.

6. Leave the Password View Policy as Default unless you already have one to use.

7. Enter a password or click the Generate Password icon. Generating a password disables the
Show Password check box.
Note: The remaining password-related fields are read-only. The maximum age and expiration
fields are determined by the Password Composition Policy, if any. See Password Composition
Policies (https://docops-dev.ca.com/display/CAPAM/Password+Composition+Policies) for more
information.

8. Choose a Synchronized option. The default is to change only the Password Authority Server.
To change the password on the target server also, choose "Update both."

9. In the HP Service Manager Account Details box, select the Change Process. Choose whether
the Account can change its own password, or indicate another account. If the user does not
have permission to change passwords, use another account.
Selecting "Use the following account to change password" displays a list of existing accounts
to choose from.

10. You can optionally select an Owner User Name from the list of users on the CA Privileged
Access Manager system.

11. Click Save.
The message "The account was saved successfully" appears.

Password View Policy Configuration


Each target account is associated with a password view policy, either the default policy or a policy
that you create. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information. Using Service Desk Integration in a Password View
Policy requires the user to enter a service desk ticket number.

Follow these steps:

1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.

2. Navigate to Password View Policies under the Workflow menu. Click the Add button.
The Password View Policy Details panel appears.

3. Select HP Service Manager from the Service Desk Integration drop-down list.
A box appears with specific HP Service Manager configuration fields. Reason Required For
View and Reason Required For Auto-Connect are selected. These options are required for
service desk integration. A warning appears if you try to clear either checkbox.

4. Enter the HP Service Manager Server name, the HP Service Manager Application name, and
the Account name.

5. You can be more specific in your ticket number request by limiting the type of ticket or by
using a query filter. Ticket Type defaults to All. Incident, Problem, Change, and Request are
also available. See Query Filter (see page 64) for details about Query Filters.

6. You can use more credential workflows methods, such as dual authorization and re-
authentication. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information.

7. Click Save.
A message appears: "The Password View Policy Has Been Saved Successfully"

Query Filter
The Query Filter field enables you to create Queries with combinations of values to filter which
service desk tickets are used for validation.

Field Values
Impact: enterprise, multiple users, site/dept, user

Status: accepted, closed, open, pending change, pending customer, pending other, pending
vendor, referred, rejected, replaced problem, resolved, work in progress

Urgency: average, critical, high, low

Operators
== (equals)

&& (and)

|| (or)

!= (not equals)


Examples
status==accepted

status!=closed

status==open

(urgency==critical&&impact==enterprise)||status==open&&urgency==high

ServiceNow Integration
Device Configuration
To integrate with ServiceNow, create a target server device.

Follow these steps:

1. Navigate to Manage Devices under the Devices menu. Click the Create Device link.

2. Enter the Device Name and Address.

3. Select the Operating System.

4. Select the Type of device.

5. Enter a description. The description displays on the Devices panel as Description.

6. The remaining values are optional, and are described in Device Setup (https://docops.ca.com
/display/CAPAM28/Device+Setup).

7. Click Save.

Application Configuration
Next, set up an Application for ServiceNow.

Follow these steps:

1. Load Credentials Management by selecting Manage Passwords under the Policy menu.

2. Navigate to Applications under the Targets menu. Click the Add button.
The Application Details panel appears.

3. Click the Find Server magnifying glass icon to select the ServiceNow device you created.
The Host Name and Device Name are populated.


4. Enter "ServiceNow" or similar into the Application Name field.

5. Select "ServiceNow" from the Application Type drop-down list.


A ServiceNow Details box is added to the Application Details panel. Each ITSM solution has its
own detail fields.

6. Select a Password Composition Policy if you have created one, or leave the default "None."

7. Add Descriptor 1 and 2, optionally.

8. Enter the ServiceNow URL. The initial field value suggests the correct format for the URL
(https://servicenow-host-name).

9. Enter the ServiceNow Client URL. The initial field value suggests the correct format for the
URL (https://servicenow-host-name).

10. If the ServiceNow instance uses a Custom Endpoint, enter "true" in the Custom Endpoint field.
If not, leave the default setting of "false."

11. If ServiceNow uses a proxy, enter the parameters as appropriate.

12. Click Save.

Account Configuration
Set up the Account using the Device and Application you have already set up.
Follow these steps:

1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.

2. Navigate to Accounts under the Targets menu. Click the Add button.
The Accounts Details panel appears.

3. Click the Find Server magnifying glass icon to select the ServiceNow device you created.
The Host Name and Device Name are populated.

4. Click the Find Application magnifying glass icon to select the ServiceNow application you
created.
The ServiceNow Account Details box is added to the Application Details panel, with the
Change Process selection.

5. Enter a name into the Account Name field.

6. Leave the Password View Policy as Default unless you already have one to use.


7. Enter a password or click the Generate Password icon.


Generating a password disables the Show Password check box.
Note: The remaining password-related fields are read-only. The maximum age and expiration
fields are determined by the Password Composition Policy, if any. See Password Composition
Policies (https://docops-dev.ca.com/display/CAPAM/Password+Composition+Policies) for more
information.

8. Choose a Synchronized option. The default is to change only the Password Authority Server.
To change the password on the target server also, choose "Update both."

9. In the ServiceNow Account Details box, select the Change Process. Choose whether the
Account can change its own password, or indicate another account. If the user does not have
permission to change passwords, use another account.
Selecting "Use the following account to change password" displays a list of existing accounts
to choose from.

10. You can optionally select an Owner User Name from the list of users on the CA Privileged
Access Manager system.

11. Click Save.


The Message "The account was saved successfully" appears.

Password View Policy Configuration


Each target account is associated with a password view policy, either the default policy or a policy
that you create. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information. Using Service Desk Integration in a Password View
Policy requires the user to enter a service desk ticket number.

Follow these steps:

1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.

2. Navigate to Password View Policies under the Workflow menu. Click the Add button.
The Password View Policy Details panel appears.

3. Select ServiceNow from the Service Desk Integration drop-down list.


A box appears with specific ServiceNow configuration fields. Reason Required For View and
Reason Required For Auto-Connect are selected. These options are required for service desk
integration. A warning appears if you try to clear either checkbox.

4. Enter the ServiceNow Server name, the ServiceNow Application name, and the Account name.

5. You can be more specific in your ticket number request by limiting the type of ticket or by
using a query filter. Ticket Type defaults to All. Incident, Problem, Change, and Request are
also available. See Query Filter below for details about Query Filters.

6. You can use more credential workflows methods, such as dual authorization and re-
authentication. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information.

7. Click Save.
A message appears: "The Password View Policy Has Been Saved Successfully"

Query Filter
The Query Filter field enables you to create Queries with combinations of values to filter which
service desk tickets are used for validation.

Field Values
Impact: high, low, medium

Priority: critical, high, low, moderate, planning

Severity: high, low, medium

Status: active, awaiting evidence, awaiting problem, awaiting user info, closed, new, resolved

Urgency: high, low, medium

Operators
== (equals)

&& (and)

|| (or)

!= (not equals)

Examples
status==active

status!=closed

status==new

(urgency==high&&impact==high)||status==active&&(urgency==high||urgency==medium)

Salesforce Service Cloud Integration


Device Configuration
To integrate with Salesforce Service Cloud, create a target server device.

Follow these steps:

1. Navigate to Manage Devices under the Devices menu. Click the Create Device link.

2. Enter the Device Name and Address.

3. Select the Operating System.

4. Select the Type of device.

5. Enter a description. The description displays on the Devices panel as Description.

6. The remaining values are optional, and are described in Device Setup (https://docops.ca.com
/display/CAPAM28/Device+Setup).

7. Click Save.

Application Configuration
Next, set up an Application for Salesforce Service Cloud.

Follow these steps:

1. Load Credentials Management by selecting Manage Passwords under the Policy menu.

2. Navigate to Applications under the Targets menu. Click the Add button.
The Application Details panel appears.

3. Click the Find Server magnifying glass icon to select the Salesforce Service Cloud device you
created.
The Host Name and Device Name are populated.

4. Enter "Salesforce Service Cloud" or similar into the Application Name field.

5. Select "Generic" from the Application Type drop-down list.

6. Select a Password Composition Policy if you have created one, or leave the default "None."

7. Add Descriptor 1 and 2, optionally.

8. Click Save.

Account Configuration
Set up the Account using the Device and Application you have already set up.

Follow these steps:

1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.

2. Navigate to Accounts under the Targets menu. Click the Add button.
The Accounts Details panel appears.

3. Click the Find Server magnifying glass icon to select the Salesforce Service Cloud device you
created.
The Host Name and Device Name are populated.

4. Click the Find Application magnifying glass icon to select the Salesforce Service Cloud
application you created.

5. Enter a name into the Account Name field.

6. Leave the Password View Policy as Default unless you already have one to use.

7. Enter a password or click the Generate Password icon.


Generating a password disables the Show Password check box.
Note: The remaining password-related fields are read-only. The maximum age and expiration
fields are determined by the Password Composition Policy, if any. See Password Composition
Policies (https://docops-dev.ca.com/display/CAPAM/Password+Composition+Policies) for more
information.

8. You can optionally select an Owner User Name from the list of users on the CA Privileged
Access Manager system.

9. Click Save.
The Message "The account was saved successfully" appears.

Password View Policy Configuration


Each target account is associated with a password view policy, either the default policy or a policy
that you create. See Password View Policies (https://docops-dev.ca.com/display/CAPAM
/Password+View+Policies) for more information. Using Service Desk Integration in a Password View
Policy requires the user to enter a service desk ticket number.

Follow these steps:

1. If you are not already there, load Credentials Management by selecting Manage Passwords
under the Policy menu.

2. Navigate to Password View Policies under the Workflow menu. Click the Add button.
The Password View Policy Details panel appears.

3. Select Salesforce Service Cloud from the Service Desk Integration drop-down list.
A box appears with specific Salesforce Service Cloud configuration fields. Reason Required
For View and Reason Required For Auto-Connect are selected. These options are required for
service desk integration. A warning appears if you try to clear either checkbox.

4. Enter the SFDC Server name, the SFDC Application name, and the SFDC Account name.

5. Enter the SFDC Login Endpoint URL. The initial field value suggests the correct format for the
URL (https://login.salesforce.com/services/Soap/u/32.0).

6. Enter the SFDC Service Cloud Client URL. The initial field value suggests the correct format for
the URL (https://sfdc-instance-name).

7. Enter the Date Format of Salesforce Service Cloud. The default is yyyy-MM-dd'T'HH:mm:ss.
SSS'Z'.

8. Enter Case Object, Case Comment Object, and Attachment Object according to Salesforce
Service Cloud configuration.

9. Optionally enter a Query Filter. See Query Filter below for details about Query Filters.

10. If SFDC uses a proxy, enter the parameters as appropriate.

11. You can use more credential workflows methods, such as dual authorization. See Password
View Policies (https://docops-dev.ca.com/display/CAPAM/Password+View+Policies) for more
information.

12. Click Save.


A message appears: "The Password View Policy Has Been Saved Successfully"

Query Filter
The Query Filter field enables you to create Queries with combinations of values to filter which
service desk cases are used for validation.

Field Values
Status: new, escalated, on hold, waiting on customer, working, researching, closed

Priority: critical, high, medium, low

Operators
== (equals)

&& (and)

|| (or)

!= (not equals)

Examples
status==new

status!=closed

(status==new&&priority==critical)||status==working&&priority==high
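The three Query Filter grammars above (HP Service Manager, ServiceNow and Salesforce Service Cloud) share the same four operators and parentheses and differ only in their field values, and the page does not say how && and || associate when they are mixed without parentheses. The following evaluator is an added example, not code from CA Privileged Access Manager: it parses a filter, rejects field values that the chosen integration does not list, and runs the filter over a constructed set of ticket records, so a filter can be checked before it goes into a Password View Policy. It assumes C-style precedence (== and != bind tightest, then &&, then ||) and case-insensitive matching; the ticket numbers, the dict field names and the integration keys "hpsm", "servicenow" and "salesforce" are constructed for the example.

```python
import re

# Field values per integration, as the page lists them (lower-case).
FIELD_VALUES = {
    "hpsm": {
        "impact": {"enterprise", "multiple users", "site/dept", "user"},
        "status": {"accepted", "closed", "open", "pending change", "pending customer",
                   "pending other", "pending vendor", "referred", "rejected",
                   "replaced problem", "resolved", "work in progress"},
        "urgency": {"average", "critical", "high", "low"}},
    "servicenow": {
        "impact": {"high", "low", "medium"}, "severity": {"high", "low", "medium"},
        "priority": {"critical", "high", "low", "moderate", "planning"},
        "status": {"active", "awaiting evidence", "awaiting problem",
                   "awaiting user info", "closed", "new", "resolved"},
        "urgency": {"high", "low", "medium"}},
    "salesforce": {
        "status": {"new", "escalated", "on hold", "waiting on customer", "working",
                   "researching", "closed"},
        "priority": {"critical", "high", "medium", "low"}},
}
SYMBOLS = {"(", ")", "==", "!=", "&&", "||"}
# An operand runs up to the next symbol character and may contain spaces ("pending change").
TOKEN_RE = re.compile(r"\s*(\(|\)|==|!=|&&|\|\||[^()=!&|]+)")


def tokenize(expr):
    """Split a filter into symbols and lower-cased operands; whitespace is ignored."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        tok = m.group(1).strip().lower() if m else ""
        if not tok:  # e.g. a lone '=' where '==' was intended
            raise ValueError(f"bad token at offset {pos}: {expr[pos:]!r}")
        tokens.append(tok)
        pos = m.end()
    return tokens


def parse(tokens):
    """Recursive descent. Assumed precedence: comparisons, then &&, then || (lowest)."""
    toks = list(tokens)

    def take(expected=None):
        if not toks or (expected and toks[0] != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {toks[:1]}")
        return toks.pop(0)

    def or_expr():  # and_expr ('||' and_expr)*
        node = and_expr()
        while toks and toks[0] == "||":
            take()
            node = ("or", node, and_expr())
        return node

    def and_expr():  # atom ('&&' atom)*
        node = atom()
        while toks and toks[0] == "&&":
            take()
            node = ("and", node, atom())
        return node

    def atom():  # '(' or_expr ')' | field ('==' | '!=') value
        if toks and toks[0] == "(":
            take("(")
            node = or_expr()
            take(")")
            return node
        field, op, value = take(), take(), take()
        if field in SYMBOLS or value in SYMBOLS or op not in ("==", "!="):
            raise ValueError(f"malformed comparison: {field} {op} {value}")
        return (op, field, value)

    node = or_expr()
    if toks:
        raise ValueError(f"unexpected trailing token {toks[0]!r}")
    return node


def validate(node, integration):
    """Reject fields or values that the integration's listed schema does not offer."""
    if node[0] in ("and", "or"):
        validate(node[1], integration)
        validate(node[2], integration)
        return
    _, field, value = node
    allowed = FIELD_VALUES[integration]
    if field not in allowed or value not in allowed[field]:
        raise ValueError(f"{integration}: {field}=={value} is not a listed field/value")


def evaluate(node, ticket):
    if node[0] == "or":
        return evaluate(node[1], ticket) or evaluate(node[2], ticket)
    if node[0] == "and":
        return evaluate(node[1], ticket) and evaluate(node[2], ticket)
    op, field, value = node
    actual = str(ticket.get(field, "")).lower()
    return actual == value if op == "==" else actual != value


def compile_filter(expr, integration=None):
    """Parse a filter (validated against an integration if given); return a predicate."""
    tree = parse(tokenize(expr))
    if integration:
        validate(tree, integration)
    return lambda ticket: evaluate(tree, ticket)


def matching_tickets(expr, tickets, integration=None):  # numbers the filter would accept
    accept = compile_filter(expr, integration)
    return [t["number"] for t in tickets if accept(t)]


# Constructed sample ServiceNow records, not real tickets.
SAMPLE_SERVICENOW_TICKETS = [
    {"number": "INC0010001", "status": "new", "urgency": "high", "impact": "high"},
    {"number": "INC0010002", "status": "closed", "urgency": "high", "impact": "high"},
    {"number": "INC0010003", "status": "active", "urgency": "medium", "impact": "low"},
    {"number": "CHG0020001", "status": "resolved", "urgency": "low", "impact": "low"},
]
```

Because the precedence is an assumption, production filters should carry explicit parentheses wherever && and || are mixed. The tokenizer also refuses a single = where == was intended, and validation refuses a value that the integration's list does not contain, both of which would otherwise produce a filter that silently matches no ticket and blocks every password view.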

CA Privileged Access Manager Server Control


Login Integration
As a security administrator, you want to audit the actual user of your server, not the shared local
privileged user name. CA Privileged Access Manager Server Control Login Integration allows CA
Privileged Access Manager to integrate the login process and information with CA PAM Server
Control. When activated, it allows the use of the actual CA Privileged Access Manager user name for
auditing in CA Privileged Access Manager Server Control.

CA Privileged Access Manager Configuration


CA Privileged Access Manager Server Control Login Integration configuration includes specific Server
Control settings and the creation of an endpoint Device, Account, Application, and Policy.

To use server names instead of IP addresses, verify that DNS Servers are configured in the
Network Configuration section. From the CA Privileged Access Manager page, click the
Config menu, then Network. In the Network Configuration, verify that the DNS Servers field
has DNS IP addresses listed. If none is listed, add your DNS Servers. Click Update in the
Network Interfaces section.

CA Modules Configuration
Set up ActiveMQ for Server Control in the Server Control Section of CA Modules. Some information
from the CA Privileged Access Manager Server Control setup is required.

1. From the CA Privileged Access Manager page, click the Config menu, then CA Modules.
The CA Modules panel appears.

2. In the Server Control section, check the Enable Login Integration box.

3. Enter the target server hostname or IP address in the ENTM Host Name or IP field.

4. Enter the port name, or accept the default 61616.

5. Check the Use SSL box (the default) if appropriate.

6. Enter the ActiveMQ Broker Account. The default is "reportserver."

7. Enter the Password.

8. Message time-to-live defaults to 60 minutes.

9. Reply Timeout defaults to 10 seconds.


10. Click Ping AMQ Console when complete.

11. Verify that your information is correct. Click Save.

Create a Device
Create a Device for the CA Privileged Access Manager Server Control endpoint.

1. On the Devices menu, select Manage Devices.


A list of Devices appears.

2. Click Create Device.

3. Enter the host name in the Device Name field.

4. Enter the IP address in the Address field. You can verify the IP address by clicking the Scan
link.

5. Select the target Operating System.

6. Select the Password Management option.

7. Add an Access Method by clicking the access type (such as SSH or RDP).
Specific access method details appear. Add or alter the information as necessary.

8. All other fields are optional. Click Help on the Manage Device page for more information.

9. Click Save when finished, or click Save and Add Target Applications to go directly to the next
step.

Create an Application
Create an Application for the CA Privileged Access Manager Server Control endpoint.

1. On the Policy menu, select Manage Passwords.


A Loading Credentials Management message appears.

2. Select Applications on the Targets menu.

3. Click the Add button.


The Application Details pane appears.

4. Enter the host name in the Host Name field. You can use the Find Server magnifying glass icon
to select from Devices that have already been created.

5. Enter the device name in the Device Name field. Selecting a host name with Find Server also
populates this field.

6. Enter the target Application Name.


7. Select the Application Type. If nothing else applies, select Generic.


Certain Application Types display more options when selected. For example, Windows Proxy
allows selection of Local or Domain Account. Most fields are optional or show a default value.

8. Click Save when finished.

Create an Account
Create an Account for the CA Privileged Access Manager Server Control endpoint.

1. If you are not already in Credentials Management, select Manage Passwords on the Policy
menu.
A Loading Credentials Management message appears.

2. Select Accounts on the Targets menu.

3. Click the Add button.


The Account Details pane appears.

4. Enter the host name in the Host Name field. You can use the Find Server magnifying glass icon
to select from Devices that have already been created.

5. Enter the device name in the Device Name field. Selecting a host name with Find Server also
populates this field.

6. Use the Find Application magnifying glass icon to select from Applications that have already
been created for the Device. You can use the Add Application plus sign icon to add an
application from this page.

7. Enter the Account Name to use for connecting to the Server Control endpoint.

8. Enter the Password for the Account Name you selected.

9. Other fields are optional. At this point, you may want to enable password management
options. For more information, see Maximum Password Age (https://docops.ca.com/display
/CAPAM28/Maximum+Password+Age).

10. Click Save when finished.

Create a Policy
Create an Access Policy for the Server Control endpoint.

1. On the CA Privileged Access Manager access management page, select Manage Policies from
the Policy menu.

2. Click the User Field and select the User for connecting to the CA PAM Server Control device.

3. Click the Device Field and select the CA PAM Server Control Device.


4. Click Create Policy to create an Access Policy.

5. For Access, click Add.


An appropriate access method appears with a check box.

6. Check the box.


A text field appears.

7. Click in the box.


Corresponding options appear in the text field.

8. Select the specific user for this access.

9. Check the box for Login Integration opposite to CA PAM Server Control.

10. Other fields are optional.

11. Click Save when finished.

Test the Login Integration


To test CA Privileged Access Manager Server Control Login Integration, connect through the Access
link on the Access Management page. Verify the user name substitution.

1. Click the Access link on the upper left of the CA Privileged Access Manager home page.
A list of Device Names appears with corresponding Access Methods and Target Applications.

2. Click the Access Method link (such as RDP or SSH) for the Server Control Device you are
integrating.
An RDP or SSH session opens to the Device.

3. For Windows RDP, open PowerShell or the Command prompt. For Linux, use the SSH prompt.
The prompt includes the local CA Privileged Access Manager Server Control privileged user
login, not the CA Privileged Access Manager user.

4. For Windows, enter "secons -whoami". For Linux, enter "/opt/CA/AccessControl/bin/sewhoami -a".
The CA Privileged Access Manager Server Control utility outputs several lines of text.

5. Find the "PUPM User" line. It should show the CA Privileged Access Manager user, not the local
Server Control privileged user.


CA Single Sign-On Integration


As a security administrator, you can integrate CA Privileged Access Manager with CA Single Sign-On.
You can use CA Single Sign-On to protect resources on the product itself.

Important

CA Privileged Access Manager does not support integration with CA Single Sign-On for AWS
instances in this version.

Prerequisites
CA Single Sign-On Policy Server requires manual set-up before setting up CA Privileged Access
Manager. Depending on the resources that you want to protect, you configure many of the
following objects on the Policy Server:
Agent, Agent Configuration Object, Host Configuration Object, Directory Object, Authentication
Scheme Object, and either an Application, Domain, or Realm Object.

User Store supported by CA Single Sign-On (such as Active Directory)

CA Single Sign-On Policy Server Configuration


Before you set up SSO on CA Privileged Access Manager, configure these objects in the SiteMinder
Administrative UI.

1. Create an Agent.

a. On the Infrastructure menu, select Agent, then Agents on its submenu. Click the
Create Agent button on the right. Click OK to accept the option "Create a new object
of type Agent."

b. For Name, enter the Fully Qualified Domain Name of the host CA Privileged Access
Manager.

2. Create an Agent Configuration Object.

a. On the Agent menu, select Agent Configuration Objects. Click the Create Agent
Configuration button.

b. Select the option "Create a copy of an object of type Agent Configuration." The
ApacheDefaultSettings object is selected by default. Click OK.

c. Enter a Name for the agent configuration object.


Note

Use the value of the Name field in the CA Privileged Access Manager SSO
configuration.

d. Of the many Parameters displayed, only these parameters change:

AgentName: Enter the Name of the Agent object created in Step 1. Click OK.

DefaultAgentName: Enter the Name of the Agent object created in Step 1. Click
OK.

HttpsPorts: Enter the CA PAM HTTPS port, such as 443.

GetPortFromHeaders: Enter yes.

LogoffUri: Enter the Logoff page, such as "/logoff.php".

e. Click Submit.

3. Create or modify an existing Host Configuration Object.

a. Under the Hosts menu, select Host Configuration Objects.

b. Click Create Host Configuration to create one, or edit one by clicking the pencil
opposite its Name field. For example, use DefaultHostSettings.

Note

Use the value of the Name field in the CA Privileged Access Manager SSO
configuration.

c. Ensure that the Host address for the Policy Server field is the IP address of the Policy
Server.

d. Click Submit.

4. Create a Directory Object.

a. Under the Directory menu, select User Directories.

b. Click the Create User Directory button on the right.

c. Complete the following fields, according to your customer environment.


In the Name field, enter a name for the user directory.

In the Server field, enter the IP address and port.

In the Administrator Credentials section, select Require Credentials.

In the Username, enter a user DN who has at least read access to the user
directory. For example: CN=test,OU=Administrators,OU=IT,CN=doejo01

Enter the password for this user in the Password and Confirm Password fields.

In the LDAP Settings section, set the LDAP Search Root by entering a DN. For example:
OU=Administrators,DC=company,DC=inc

Under LDAP User DN Lookup, for Start, enter "(sAMAccountName=".

In the End field, enter ")".

Under User Attributes, set the Universal ID field as "sAMAccountName".

In the Disabled Flag field, enter "carLicense".

In the Password field, enter "unicodePwd".

In the Password Data field, enter "audio".

d. Click the Submit button.

5. Create an Authentication Scheme Object.

a. Under the Authentication menu, select Authentication Schemes. Click the Create
Authentication Scheme button on the right.

b. Select the option "Create a new object of type Authentication Scheme."

c. Complete the following fields:

In the Name field, enter HTMLForm.

In Authentication Scheme Type, select HTML Form Template.

In the Scheme Setup section, select Use Relative Target.

For Target, enter /siteminderagent/forms/pamlogin.fcc.

Accept the default values for the remaining fields.

d. Click submit.


6. Set up an Application, Domain, or Realm Object.


Depending upon how you want to protect your resources, select Application, Domain, or
Realm. In this example, we demonstrate setting up an Application Object. We show how to
set up protection for the Global Settings page of CA Privileged Access Manager. You likely
want to protect more than one web page. For more information about setting up these
objects, see the CA Single Sign-On documentation.

a. Under the Policies menu, select Application, Applications. Click the Create Application
button on the right.

b. Complete the following fields:

In the Name field, enter CA Privileged Access Manager.

In the Component Name field, enter Global Settings for our example.

In the Resource Filter field, enter /entry.php for our example.

In the Default Resource Protection field, select Unprotected.

In the Authentication Scheme field, select HTMLForm.

Click Lookup Agent/Agent Group.

Select the Agent that you created in Step 1 (the Fully Qualified Domain Name of
the host CA Privileged Access Manager). Click OK.

Click the Add/Remove button in the User Directories section.

Select the User Directory object that you created in Step 4. Click the arrow to move
it to the Selected Members panel. Click OK.

Select the Resources tab, and click the Create button.

In the Name field, enter Global Settings for our example.

In the Resource field, enter *feat=config.

Select the box for Regular Expression.

In the Action field, select Get and Post.

Click OK.

Select the Roles tab, and click the Create button.

Select "Create a new object of type Role." Click OK.

In the Name field, enter All Users.

For "Role applies to", select All Users.

Click OK.


Click Submit to create the Application object.

In the Applications panel, edit CA Privileged Access Manager by clicking the pencil
icon.

Select the Policies tab.

Select the box for All Users under the Roles column, in the Global Settings row.

c. Click submit.

CA Privileged Access Manager Configuration


Once the CA Single Sign-On Policy Server configuration steps are complete, follow these steps on CA
Privileged Access Manager.

1. On the Config menu, select CA Modules, and find the CA Single Sign-On Configuration section.

Policy Servers IP Address and Port – Use either IPv4 or IPv6 address. If you specify a port,
use a colon. If you specify a port in IPv6, enclose the IP address in square brackets.

Policy Server User Name

Policy Server Password

Host Configuration Object – from CA SSO setup (such as DefaultHostSettings)

Agent Configuration Object – from CA SSO setup


Note: If this setting is incorrect, the resource that is protected by this integration
becomes inaccessible. See Use Console in Emergency under Troubleshooting below for more
information.

Trusted Host Name – The name that is used to register the CA SSO Policy Server with CA
PAM.

FIPS_VALUE
This setting corresponds to one of the three Federal Information Processing Standard
(FIPS) modes in which CA Single Sign-On operates.

COMPAT
FIPS-compatibility mode uses algorithms existing in previous versions of CA Single Sign-
On to encrypt sensitive data to maintain compatibility.

MIGRATE
FIPS-migration mode enables you to transition from FIPS–compatibility mode to FIPS–
only mode.


ONLY
FIPS-only mode ensures that the Agent only accepts session keys, Agent Keys, and
shared secrets that are encrypted using FIPS-compliant algorithms.

Activate – turns on SSO, but does not take effect until the web server is restarted (with
the Restart Apache button).

Disable - If CA Single Sign-On integration is "Currently enabled," this button disables it.

Reset button – returns the previous values of the fields on the CA Single Sign-On
Configuration form.

Restart Apache – Once activated, the CA PAM Apache server requires a restart for the SSO
integration to take effect.

Download Form – The standard CA Single Sign-On login form has been modified for use
with the main CA PAM frame. Download this form (pamlogin_xx-XX.fcc), alter it if
necessary, and copy it to the desired location. Change the Target field value to the new
form name and location.

Download Log – Download the latest log file record of this instance of the CA Single Sign-
On Web Agent. This file might be useful for troubleshooting if problems arise in the
configuration of this CA module integration.

2. Click the Activate button to save your configuration of CA SiteMinder Web Agent and turn on
Single Sign-On.

3. For the changes to take effect, click the Restart Apache button to restart the web server.

4. To test the SSO feature, log in to CA Privileged Access Manager. Attempt to access the
resource you are protecting.
The SSO login screen appears. If the SSO login screen does not appear, the SSO integration has
failed.

Troubleshooting
Use Console in Emergency
If CA Privileged Access Manager is inaccessible, and you need to disable SSO, use the Utility Console.
If you have a VM, use an admin app such as vSphere to access the console. On the Console Main
Menu, there is a new menu item for SSO. Select Disable CA Single Sign-On.


Known Issues
Agent Configuration Object Internal Server Error
If an invalid Agent Configuration Object is specified, the web agent does not report an error. The user
gets a success message and is prompted to restart. They do and then they cannot get back into CA
PAM. They get this message:

Internal Server Error


The server encountered an internal error or misconfiguration and was unable to complete your request

Please contact the server administrator, or support.ca.com and inform them of the time the error occ

More information about this error may be available in the server error log.
Additionally, a 500 Internal Server error was encountered while trying to use an ErrorDocument to ha

To get back into CA Privileged Access Manager in this situation, disable SSO with the Utility Console. If
you have a VM, use an admin app such as vSphere to access the console. On the Console Main Menu, there
is a new menu item for SSO. Select Disable CA Single Sign-On.

CA PAM Client Failure


When using the CA PAM Client to connect to your CA Privileged Access Manager instance, use the
FQDN rather than the IP address. The Fully Qualified Domain Name succeeds, but the IP address fails
without raising an error.


Integrate A2A Applications


The concept of request integration refers to the process of replacing the hard-coded user names and
passwords in an application with Credential Manager credential requests. This application is a
“requesting application” or “requestor.”

The request integration process involves the following steps:

1. Set up your Environment for Integration (see below)

2. Request Integration Algorithm (see below)

3. Add your requestor to Credential Manager. See Add Requestors (https://docops.ca.com/display
/CAPAM28/Add+Requestors).

4. Add an authorization mapping to Credential Manager. See Add Authorization Mappings (
https://docops.ca.com/display/CAPAM28/Add+Authorization+Mappings).

Set Up Your Environment for Integration


Follow these steps:

1. Install the A2A Client. See Install an A2A Client for Credential Management (https://docops.ca.
com/display/CAPAM28/Install+an+A2A+Client+for+Credential+Management).

2. Do the setup steps that are specific to your integration environment:

For a UNIX environment, source the .cspmclientrc file or set up the environment
variables that are contained within the file. The .cspmclientrc file is located in:
$CSPM_CLIENT_HOME/cspmclient/bin.

For Microsoft Visual Studio, you do not need to register the DLL. It was done during A2A
client installation.

For Eclipse, add the cspmclient.jar file to the build path. This allows Eclipse to
compile your application. See the procedure that is described in Set Up Eclipse for A2A
Integration (see below).

Set Up Eclipse for A2A Integration


Use the following procedure to add the cspmclient.jar file to the build path.

Follow these steps:

1. Open the project Properties dialog.

2. Select Java Build Path.


3. Click the Libraries tab.

4. Click Add External JARs.

5. Browse to the $CSPM_CLIENT_HOME/cspmclient/lib folder and select the following
files: cspmclient.jar, cwjssefips.jar and cwjcafips.jar.

6. Close the Properties dialog.

Request Integration Algorithm


"Request integration" is the process of modifying your existing requestor to use Credential Manager
to retrieve credential information instead of using hard-coded user names and passwords.

Integration methods for implementing the credential request are described in Methods for
Integrating the Credential Manager A2A Client (https://docops.ca.com/display/CAPAM28
/Methods+for+Integrating+the+Credential+Manager+A2A+Client).

Typically, when you integrate your application or script with the A2A client, you use the cached
version of the credential. However, the supplied credentials only give the requestor access to the
data if the A2A client cache is up-to-date. The following algorithm uses the cached credentials for the
first login attempt. If the login fails the A2A client cache is overridden, credentials are retrieved
directly from the CA Privileged Access Manager appliance, and a second login is attempted. By using
the cached credentials for the first login attempt, you help reduce the load on the CA Privileged
Access Manager appliance and improve performance. However, the tradeoff is potentially incurring a
failed login attempt if the cached credential has gone stale.

A failed login attempt can trigger an auditable security incident and possibly an account lockout
condition if the number of failed login attempts exceeds the maximum that the policy allows.
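The cached-first algorithm above, written out as an added example (this is not CA's A2A client code; the A2A client API is not shown on this page, so the credential-fetch and login callables, the account name and the FakeVault/FakeTarget stand-ins are hypothetical). The one refinement worth noting for the lockout concern: the second attempt is skipped when the freshly retrieved credential is identical to the cached one, because repeating the same password can only add another auditable failure.

```python
"""
Cached-first credential retrieval with a single fresh-fetch retry.

Added example, not CA's A2A client code. `fetch_credential(account, use_cache)`
and `try_login(user, password)` are hypothetical callables supplied by your
own integration; the Fake* classes below are constructed stand-ins so the
demo runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

Credential = Tuple[str, str]  # (user name, password)


@dataclass
class LoginResult:
    ok: bool
    attempts: int          # number of login attempts actually made against the target
    used_cache: bool       # True if the successful (or final) credential came from the cache
    log: List[str] = field(default_factory=list)


def login_with_fallback(
    account: str,
    fetch_credential: Callable[[str, bool], Credential],
    try_login: Callable[[str, str], bool],
) -> LoginResult:
    """Try the cached credential first; on failure fetch directly from the appliance.

    At most two login attempts are ever made, and the second is skipped when the
    fresh credential equals the cached one (it would fail identically and count
    toward an account lockout).
    """
    result = LoginResult(ok=False, attempts=0, used_cache=True)

    cached_user, cached_pw = fetch_credential(account, True)   # use_cache=True
    result.attempts += 1
    if try_login(cached_user, cached_pw):
        result.ok = True
        result.log.append("login succeeded with cached credential")
        return result
    result.log.append("cached credential rejected; fetching fresh credential")

    fresh_user, fresh_pw = fetch_credential(account, False)    # bypass the A2A cache
    result.used_cache = False
    if (fresh_user, fresh_pw) == (cached_user, cached_pw):
        result.log.append("fresh credential equals cached one; not retrying")
        return result

    result.attempts += 1
    result.ok = try_login(fresh_user, fresh_pw)
    result.log.append("login %s with fresh credential" % ("succeeded" if result.ok else "failed"))
    return result


# Constructed stand-ins (hypothetical): an A2A cache plus appliance, and a target with a lockout counter.
class FakeVault:
    def __init__(self, cache_pw: str, appliance_pw: str):
        self.cache_pw = cache_pw          # what the local A2A cache currently holds
        self.appliance_pw = appliance_pw  # what the appliance would return on a direct request
        self.direct_fetches = 0           # load placed on the appliance

    def fetch(self, account: str, use_cache: bool) -> Credential:
        if use_cache:
            return ("dbuser", self.cache_pw)
        self.direct_fetches += 1
        return ("dbuser", self.appliance_pw)


class FakeTarget:
    def __init__(self, real_pw: str):
        self.real_pw = real_pw
        self.failed = 0                   # failed attempts, as a lockout policy would count them

    def login(self, user: str, password: str) -> bool:
        if user == "dbuser" and password == self.real_pw:
            return True
        self.failed += 1
        return False


def demo(cache_pw: str, appliance_pw: str, target_pw: str):
    """Run one scenario and return (result, vault, target) for inspection."""
    vault = FakeVault(cache_pw, appliance_pw)
    target = FakeTarget(target_pw)
    res = login_with_fallback("dbuser@db01", vault.fetch, target.login)
    return res, vault, target


if __name__ == "__main__":
    for scenario in [("old", "new", "new"), ("new", "new", "new"), ("old", "old", "new")]:
        r, v, t = demo(*scenario)
        print(scenario, "ok=%s attempts=%d cache=%s failed=%d" % (r.ok, r.attempts, r.used_cache, t.failed))
```

The three scenarios in the demo are: a stale cache that the direct fetch repairs (one failed attempt, then success), an up-to-date cache (one attempt, no appliance load), and a cache that already matches the appliance while the target has moved on (one failed attempt, no pointless retry).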


Integrate with CA Threat Analytics


CA Threat Analytics analyzes user activity data supplied to it by CA Privileged Access Manager. CA
Threat Analytics sends back user-specific risk assessment decisions so that CA Privileged Access
Manager can appropriately control, or mitigate, user activity. Future user actions are dynamically
controlled in an automated and predictable way that is based on their historical access behavior.

The integration of the two servers follows this sequence:

1. CA Privileged Access Manager collects Event data and forwards it to the CA Threat Analytics
service.

2. CA Threat Analytics performs continuous Analysis on the collected data. Whenever the
service changes the Risk Level of any user, this result is sent back to CA Privileged Access
Manager.

3. CA Privileged Access Manager can apply Mitigations against users, depending on the analysis
results.

Events
First, the CA Privileged Access Manager client component collects the session event data and sends it
to the CA Threat Analytics server.

These events include:

Logging in to CA Privileged Access Manager (or attempting to)

Logging out of CA Privileged Access Manager

Opening or closing a connection from CA Privileged Access Manager to a target device or
endpoint

For each event, data is collected on the following objects:

Login or connection session begun or finished

End User

Client workstation or other server access device

CA Privileged Access Manager server appliance


Analysis and Risk Level


At the CA Threat Analytics server, there might be a set of historical data on a set of End Users. Each
existing user has a risk level status that is assigned one of the following values:

Good

Suspect

Bad

CA Privileged Access Manager forwards new event data immediately to the CA Threat Analytics
server. Entities other than CA Privileged Access Manager servers might also forward events for some
or all the same users. If the data specifies a user that does not exist, CA Threat Analytics prepares a
record and begins compiling data for that user.

Meanwhile, for each new event, CA Threat Analytics analyzes received data against data for the user
and their past behavior. As a result of the analysis, CA Threat Analytics might change the existing risk
level, and then notify CA Privileged Access Manager. CA Threat Analytics does not always change a
risk level shortly after receiving event data. It might do so later, depending on other factors that are
not visible from the perspective of CA Privileged Access Manager. Later, CA Privileged Access
Manager might respond to the status change by applying user mitigations.

Mitigations
CA Privileged Access Manager can be configured to apply mitigations to users upon risk level change.
When a user risk level changes, it can initiate actions against that user.

Two types of mitigation are enforced currently:

Session Recording - CA Privileged Access Manager begins a session recording for any current
connection session, records it until the end of the session, and then records all future connection
sessions in their entirety.

Re-authentication - CA Privileged Access Manager suspends any current user login session and
any active connection sessions, and forces the user to re-authenticate their login session through
a pop-up window.

When the risk level changes for a user, CA Threat Analytics immediately notifies CA Privileged Access
Manager, which might initiate mitigations on that user.

For these two risk levels, the following mitigations are applied to the user:

Suspect: Session Recording

Bad: Both Session Recording and Re-authentication

Because recordings span over time, the following rules also apply to Session Recording mitigation:


If the user risk level changes from Good to Suspect or from Good to Bad

And the user has a connection session in progress that is not being recorded:

A new recording of that session begins immediately.

Recording continues until the end of that session.

Subsequent connection sessions are recorded from beginning to end.

If the user risk level changes from Suspect to Good or from Bad to Good:

And the user has a connection session in progress that is being recorded

Recording continues until the end of that session.

Unless the applicable user-device policy specifies session recording, subsequent
connection sessions are not recorded.

Next Steps:

Deploy CA Threat Analytics Server (see page 89)

Set up SAML Punch-Through Authentication (see page 94)

Mitigation Effects from CA Threat Analytics (see page 97)

Deploy CA Threat Analytics Server


As a system administrator, you install CA Threat Analytics as a virtual machine image into your
network to integrate with CA Privileged Access Manager.

Apply Licensing in CA Privileged Access Manager


CA Threat Analytics is a separately licensed component of CA Privileged Access Manager. You might
already have CA Threat Analytics licensing if you are deploying a new CA Privileged Access Manager
appliance or cluster. Otherwise, to activate CA Threat Analytics on your currently installed CA
Privileged Access Manager appliance or a cluster, follow these steps:

1. Obtain from CA Technologies a CA Privileged Access Manager license file with Threat Analytics
licensing activated.

2. For each appliance:

a. Log in as super, or with an equivalent role such as Global Administrator.


b. Navigate to Config, Licensing.

c. In the Install New License panel, Choose File to browse for the license file, and select
Upload License File.

d. In the pop-up dialog, select Save New License.

Install CA Threat Analytics Server into a Virtual Environment


CA Threat Analytics is distributed as a virtual machine (VM) image in Open Virtualization Format
(OVA). This virtual machine can be imported into any virtualization environment that supports OVA,
including VMware ESX Server.

CA Threat Analytics Virtual Machine Production Requirements


The following minimum requirements are for production use of your CA Threat Analytics server
virtual machine:

CPU: 8 cores

Memory: 16 GB

Storage: 1 TB

Create the CA Threat Analytics VM


To create a CA Threat Analytics virtual machine, follow these steps:

1. Using the import tools available in your virtualization environment, import the CA Threat
Analytics OVA file. Create a virtual machine with at least the minimum production
requirements. For more guidance on how to size the virtual machine, contact CA Support.

2. Start the virtual machine.

3. Set up networking. Using the ncurses interface that is provided by a virtual machine console,
follow these steps:

a. Open a console to your virtual machine.

b. Log in with the user name netcfg and the password netcfg.

c. In the NetworkManager TUI, select Edit a connection to edit "Wired Connection 1."

d. Provide a static IP address, a gateway address, a DNS server address, and a hostname
to the VM.

e. Select OK.

f. Quit the network configuration interface to restart networking.


g. Log in to the console again.

h. In the NetworkManager TUI, select Activate a connection to activate "Wired
Connection 1."

i. Select Quit.

j. Open a browser to the server name or IP address that you specified in the connection
configuration.

4. Set up SSL by providing a Java KeyStore file (JKS).


The CA Threat Analytics OVA ships with a default JKS that contains a self-signed certificate.
This JKS allows CA Threat Analytics to work on initial installation, and is appropriate for test
instances. To be cryptographically secure and trusted in production, replace the default JKS
with one containing your own security certificate. If you opt out of using SSL, select the SSL
Validation off (see page 93) box during the configuration of CA Privileged Access Manager
for CA Threat Analytics.

a. Navigate to the CA Threat Analytics Administration page. For example: https://ServerIPaddress:3000

b. Log in with the user name admin and password P@ssword1234.

c. Change the password using the Password tab.

d. Go to the Security tab.

e. For JKS File, select Choose File to upload a Java Keystore file. A valid JKS file has a valid
X.509 server certificate and trust chain. See Create a Java KeyStore File (see page 94)
for information about creating a JKS file.

f. Provide the appropriate Server Alias and JKS Password.

g. Select Save.

h. Navigate to the CA Threat Analytics Administration home.

i. Restart the Threat Analytics Engine by clicking its Restart button.

Configure CA Threat Analytics


1. Enable CA Threat Analytics to communicate with CA Privileged Access Manager using its API.
Follow these steps:

a. Navigate to Config, Security, External API Access.

b. Select Enable External REST API.

c. Select Update.
A message appears stating "External API Access has been updated successfully".

d. Select Admin, Policy, Manage Passwords.
The Credential Manager menu opens in a new tab or window.

e. In the Credential Manager menu, navigate to Targets, Accounts.

f. Confirm that the Account Name CATapApiUser-x exists, where x is a number. This
account contains credentials that are used by CA Threat Analytics to complete
configuration. Under the Action column, select the "eye" icon to view the password
and copy it for later use.

2. Configure CA Threat Analytics engine to use the CA Privileged Access Manager adapter.

a. Navigate to the CA Threat Analytics Engine. For example, https://serverIPaddress

b. Log in as "admin" with password P@ssword1234. (Change this default password!)

c. Navigate to Services.

d. Select “CA PAM” from the Services list.

e. Select the Configuration tab.

f. Provide the parameters for the CA Privileged Access Manager API Connection.

i. Host – The IP Address or hostname of the CA Privileged Access Manager
instance. (Do not include https://.)

ii. Username - the username of a user with CA Threat Analytics API Access (such
as CATapApiUser-x)

iii. Password – the password of the user with CA Threat Analytics API Access. Use
the password that you copied from the CATapApiUser-x Account in CA
Privileged Access Manager.

g. Click Test to validate the provided parameters and verify connectivity to CA Privileged
Access Manager.

h. Once validated, click Save Configuration.

3. Generate an API Auth Token from within the Threat Analytics UI.

a. While still in Services, CA PAM, select the Auth Tokens tab.

b. Click New Auth Token.

c. In the window, provide a token Name and optional Description.

d. Click Create Token.

e. Capture the Token and Service Identifier by copying or downloading them. You need
both for the Threat Analytics API Configuration in CA Privileged Access Manager.

i. Manually copy the Token. The UI shows you the Token and the CA PAM Service
Identifier in the token confirmation window after saving it. Copy the Token and
the Service Identifier and follow the instructions for configuring them in CA
Privileged Access Manager.

ii. Download the Token. You can also download the Token and Service Identifier
information for safe keeping and later reference. Click Download Token.

f. Close the New Auth Token confirmation window. Once you close this window, the
token is no longer visible.

4. Specify the CA Threat Analytics service that receives the CA Privileged Access Manager usage
data for processing. Follow these steps on each appliance:

a. Navigate to Config, CA Modules.

b. Scroll to the Threat Analytics panel, and provide these specifications:

i. Enter an IP address or FQDN for the service host in Threat Analytics Address.
For the following two steps, refer also to the CA Threat Analytics
documentation:

ii. For the Threat Analytics Auth Token, enter the authentication token string
provided to the administrator by the CA Threat Analytics server. This token is
analogous to a password for access to that server.

iii. For the Threat Analytics Service ID, enter the service identifier string provided
to the administrator by the CA Threat Analytics server. This identifier is
analogous to a username for access to that server.

iv. To turn SSL Validation off, select this checkbox. This option can be appropriate
for testing.

c. Save the service specification to activate it.

d. To test the validity of the connection, select Test and observe the feedback message.
For example: "Successfully connected to CA Threat Analytics server"

Next Steps:

Set up SAML Punch-Through Authentication (see page 94)

Mitigation Effects from CA Threat Analytics (see page 97)


Create a Java KeyStore File


You create a Java KeyStore file (JKS) to store security certificates for SSL communications between CA
Threat Analytics and CA Privileged Access Manager. The CA Threat Analytics OVA ships with a default
JKS that contains a self-signed certificate. This JKS allows CA Threat Analytics to work on initial
installation, and is appropriate for test instances. To be cryptographically secure and trusted in
production, replace the default JKS with one containing your own security certificate.

Here are some sample steps to help you create your own JKS. The sample commands use the
following placeholders:

CA = PEM-encoded issuing certificate authority

CRT = PEM-encoded X.509 signed certificate file

KEY = PEM-encoded X.509 private key file

ALIAS = An arbitrary name (letters, numbers, dashes)

P12 = Filename for the temporary .p12 file

JKS = Filename for the output .jks file

Follow these steps:

1. Use the openssl command to combine the CA, CRT, and KEY into a P12.

openssl pkcs12 -export -in <CRT> -inkey <KEY> -out <P12> -name <ALIAS> -CAfile <CA> -caname root

2. Use the keytool commands to convert the P12 into a keystore, then add the issuing CA
certificate as the trusted "root" entry (matching the -caname root used in step 1).

keytool -importkeystore -destkeystore <JKS> -srckeystore <P12> -srcstoretype PKCS12 -alias <ALIAS>

keytool -import -alias root -keystore <JKS> -trustcacerts -file <CA>

3. Use this JKS file when setting up security for CA Threat Analytics. See the SSL section of Deploy
CA Threat Analytics Server (see page 91).

Set up SAML Punch-Through Authentication


Set up SAML-based authentication within CA Threat Analytics to allow authorized CA Privileged
Access Manager users to authenticate seamlessly to the Threat Analytics interface. This seamless
authentication is also known as "punch-through." Although it is optional, punch-through seamless
authentication is a convenient way to connect to CA Threat Analytics.

With SAML enabled, you can still log in to the Threat Analytics interface with the local
"admin" user. This user can be deleted once SAML Authentication is established. However,
we recommend retaining it to ensure Threat Analytics UI accessibility if the SAML
integration fails. To log in with the "admin" user after SAML Authentication is established,
navigate to https://your.ip/users/sign_in.

To set up SAML authentication from the CA Privileged Access Manager UI to the CA Threat Analytics
UI, follow these steps:

1. In CA Privileged Access Manager, follow these steps:

a. On the main menu, select Config, Security.

b. In the Xsuite SAML IdP Configuration panel, follow these steps:

i. Click the Enable IDP button.


After a while, this message appears: "Xsuite SAML IdP Enabled Successfully!"

ii. Scroll back down to the Xsuite SAML IdP Configuration panel.

iii. Set the Entity ID, which is the same as the CA Privileged Access Manager
domain. Include the protocol. For example: https://pam.fqdn.com (https://pam.
fqdn.com)

iv. Set the Fully Qualified Hostname. This name is the same as the CA Privileged
Access Manager domain, without the protocol prefix. For example: pam.fqdn.
com

v. Select the Signature Algorithm.

vi. Select the IdP Certificate from the drop-down list.

vii. Click the Update IdP Configuration button.


After a while, this message appears: "Xsuite SAML IdP Configuration Updated!"

viii. Scroll back down to the Xsuite SAML IdP Configuration panel.

ix. Click Download IdP Metadata and save the SAML metadata XML file.

2. On the CA Threat Analytics server, follow these steps:

a. Navigate to the CA Threat Analytics Administrative Application page.

b. Log in as "admin" with password P@ssword1234. (Change this default password using
the Password tab.)

c. Navigate to Security.

d. Under Authentication Mode, select “SAML from Identity Provider metadata”.

e. For SAML Metadata File, select Choose File, and browse for the metadata file from CA
Privileged Access Manager. For example: idp-metadata.xml


f. Click Save.
The CA Threat Analytics home page appears.

g. Return to Security, Authentication Mode.


The Authentication Mode panel displays new fields, mostly populated from the SAML
file.

h. Under Issuer, enter the FQDN of the CA Threat Analytics appliance, including the
protocol.

i. Under Assertion Consumer Service URL, change the domain to the FQDN of the TA
appliance. For example: rename it to the server name instead of localhost.

j. Calculate the fingerprint of the Identity Provider Certificate downloaded from PAM and
paste it in the Identity Provider Certificate Fingerprint field. For example, use samltool.
com/fingerprint.php (http://samltool.com/fingerprint.php).

Note

Use an unformatted version of the fingerprint, without colons. For example,
use A73390FE15A34E5F68D0C1B0197FE8A93B4A7D98, not A7:33:90:FE:15:
A3:4E:5F:68:D0:C1:B0:19:7F:E8:A9:3B:4A:7D:98.

k. Verify that Compress Request is set to “Yes”, which is the default.

l. Click Save.

The CA Threat Analytics home page appears.

m. Restart these CA Threat Analytics services by clicking their Restart buttons.

PostgreSQL Database

Threat Analytics Engine


Restarting might take a few minutes.

3. Log in to CA Threat Analytics using CA Privileged Access Manager to verify that CA Privileged
Access Manager users can authenticate to Threat Analytics.
The Dashboard now includes an Analytics tile with a CA Threat Analytics icon and caption.
Click this icon as a "punch-through" to CA Threat Analytics.


Analytics Tile
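For step 2.j above, the fingerprint can be computed locally instead of pasting the certificate into a third-party site. The following is an added example, not part of the CA documentation: it reads the certificate from the IdP metadata XML downloaded from CA Privileged Access Manager (the ds:X509Certificate element) or from a PEM file, and prints the unformatted form the Note asks for. It assumes SHA-1 is the expected algorithm, as the 40-character example on this page implies; the sample metadata and its certificate bytes are constructed so the demo runs offline.

```python
"""
SAML IdP certificate fingerprint in the unformatted form (uppercase hex, no
colons) expected by the Threat Analytics SAML configuration.

Added example, not CA's code. Uses only the standard library. SAMPLE_METADATA
is a constructed SAML metadata skeleton whose certificate body is dummy bytes.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def der_from_pem(pem: str) -> bytes:
    """Extract the DER bytes from the first PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_from_idp_metadata(xml_text: str) -> bytes:
    """Return the DER bytes of the first ds:X509Certificate in SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    el = root.find(".//{%s}X509Certificate" % DS_NS)
    if el is None or not (el.text or "").strip():
        raise ValueError("metadata contains no ds:X509Certificate")
    return base64.b64decode("".join(el.text.split()))


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Unformatted fingerprint: hex digest of the DER bytes, uppercase, no colons."""
    return hashlib.new(algorithm, der).hexdigest().upper()


def with_colons(fp: str) -> str:
    """Colon-separated display form, as most tools print it."""
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))


def strip_colons(fp: str) -> str:
    """Normalise a pasted fingerprint (colons, spaces, lowercase) to the unformatted form."""
    return fp.replace(":", "").replace(" ", "").upper()


# Constructed sample (assumption): metadata skeleton carrying 64 dummy certificate bytes.
_DUMMY_DER = bytes(range(64))
_B64 = base64.b64encode(_DUMMY_DER).decode()
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://pam.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % _B64
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % _B64


if __name__ == "__main__":
    der = der_from_idp_metadata(SAMPLE_METADATA)
    fp = fingerprint(der)
    print("paste this:", fp)
    print("not this:  ", with_colons(fp))
```

To use it on a real download, pass the contents of the idp-metadata.xml file to der_from_idp_metadata (or a PEM export to der_from_pem) and paste the result of fingerprint() into the Identity Provider Certificate Fingerprint field; strip_colons() cleans up a value copied from a tool that prints colons.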

Next Step:

Mitigation Effects from CA Threat Analytics (see page 97)

Mitigation Effects from CA Threat Analytics


As Threat Analytics mitigations are applied to CA Privileged Access Manager users, you can observe
their effects and can take action as needed. First, activate one or more options in CA Privileged
Access Manager settings for Threat Analytics.

Threat Analytics Options


Enable Mitigations
When you enable mitigations, CA Privileged Access Manager will take action in response to user risk
level elevation. Actions include session recording and re-authentication. For more information about
CA Privileged Access Manager mitigations and CA Threat Analytics, see Integrate with CA Threat
Analytics (see page 87).

To enable user activity mitigations on a licensed appliance or cluster, follow these steps:

1. Navigate to Global Settings.

2. Scroll to the Threat Analytics panel.

3. Select Enable Mitigations.

4. At the bottom of the page, select Save Global Settings to begin applying mitigation actions
immediately.

Enable a User Warning


Users can be notified upon login that data about their activities is being collected. This notification
occurs whether or not mitigations have been activated. To enable or edit the optional user warning,
follow these steps:

1. Navigate to Global Settings.

2. Scroll to the Threat Analytics panel.

3. Select Analytics Warning.


Immediately below this option, a new text field appears for you to enter your message.
Initially, it contains a default user message: "CA Privileged Access Manager is collecting and
analyzing limited information about your client system and sessions." Enter your own custom
plain text message if appropriate.

4. At the bottom of the page, select Save Global Settings to begin providing the warning
message immediately.
Following every login, each user sees the configured message near the top of their landing
page.

Identifying Session Recording Characteristics


Use these indicators and filters in CA Privileged Access Manager to identify session recordings that CA
Threat Analytics triggers as risk assessments.

Risk Level Indicators


When your Threat Analytics-activated CA Privileged Access Manager records sessions in response to
an elevated threat level, each recording row has a color-coded indicator. This indicator identifies the
associated threat level at the time recording was activated. These indicators are not applied when
the applicable user-device policy specifies session recording.

For a user with a connection session (to a target device) whose threat level changed from Good to
Suspect, recording is started, and the (new) recording line item is marked in the Risk column with
a yellow dot.

This marking remains following completion of the recording. It remains even when the user
threat level changes (from Suspect to Good).

For a user with connection session (to a target device) actively being recorded and whose threat
level changed from Good to Bad, recording is started, and the (new) recording line item is marked
in the Risk column with a red square.

This marking remains following completion of the recording. It remains even when the user
threat level changes (from Bad, to Suspect or to Good).


For a user with connection session (to a target device) actively being recorded and whose threat
level changed from Suspect to Bad, the ongoing recording is uninterrupted, and the recording line
item remains marked in the Risk column with a yellow dot.

This marking remains following completion of the recording. It remains even when the user
threat level changes (from Bad, to Suspect or to Good).
However, if the threat level remains Bad at the time a new recording is started, that recording
is marked in the Risk column with a red square.

When the threat level is elevated for any particular user as a session recording starts, the
applicable indicator is applied to that recording.

Filtering Recordings
You can filter the Session Recordings page to display only those recordings that have been triggered
following Threat Analytics user risk level elevation, and by timestamp and violation tags.

Follow these steps:

1. Navigate to Sessions, Session Recordings.

2. Click inside the Search field. A drop-down panel appears.

3. Apply one or more filters:

a. To restrict the list on DateTime, enter in either or both of the From and To fields a date
/time as formatted in the recordings list. Use a full date-time specification. For
example: 2016-10-26 15:01:36 GMT +0300 or a portion of that string that can be
interpreted starting from the left, such as:

Date and time only: 2016-10-26 15:01:36

Date only: 2016-10-26

b. To list only those recordings in which a user (socket filter or command filter) violation
has occurred, select Contains violation.

c. To list only those recordings with a specific risk level, select one or more of "Good",
"Suspect", or "Bad" in Risk.

To select any two or three filters, hold down the Ctrl key and select each that you
want.

To remove a filter, click its corresponding Clear link.
