Академический Документы
Профессиональный Документы
Культура Документы
Manager - 2.8
Deploying
Date: 22-Mar-2017
CA Privileged Access Manager - 2.8
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.
22-Mar-2017 3/65
Table of Contents
Deploying 4
Hardware Appliance Specifications ........................................................................................................... 27
Configure Network Connections for the Appliance .................................................................................... 28
Use the LCD Panel to Configure Network Connections ...................................................................... 28
Using the LCD Panel Menu ........................................................................................................ 28
Basic Network Configuration Using the LCD Panel ................................................................... 31
Use the UI to Configure the Network Connections ............................................................................. 33
Use the Console Port to Configure Network Connections .................................................................. 34
Deploying 5
MSSQL ................................................................................................................................................ 48
MySQL ................................................................................................................................................ 48
Oracle .................................................................................................................................................. 48
SPML .................................................................................................................................................. 48
UNIX .................................................................................................................................................... 49
VMware ESX/ESXi .............................................................................................................................. 49
VMware NSX Controller ...................................................................................................................... 49
VMware NSX Manager ....................................................................................................................... 49
WebLogic ............................................................................................................................................ 49
Windows Domain Services ................................................................................................................. 50
Windows Proxy ................................................................................................................................... 50
Install a Windows Proxy for Credential Manager ...................................................................................... 50
Windows Accounts .............................................................................................................................. 51
Windows Proxy Configuration ............................................................................................................. 51
Windows Proxy Auto-Registration ....................................................................................................... 53
Windows Proxy Key ............................................................................................................................ 53
Windows Proxy Requirements ............................................................................................................ 53
Hardware Requirements ............................................................................................................ 53
Operating System Requirements ............................................................................................... 53
Prepare for Windows Proxy Installation .............................................................................................. 54
Install the Windows Proxy ................................................................................................................... 54
Install the Windows Proxy Software ........................................................................................... 55
Start the Windows Proxy ............................................................................................................ 56
Activate the Windows Proxy ....................................................................................................... 56
Install an A2A Client for Credential Management ..................................................................................... 56
A2A Client Hardware Requirements ................................................................................................... 56
A2A Client Operating System Requirements ...................................................................................... 56
A2A Client Workflow ............................................................................................................................ 57
Credential Caching .............................................................................................................................. 58
Preparing the A2A Client for Installation ............................................................................................. 58
Download the A2A Client .................................................................................................................... 59
A2A Client Installation on UNIX .......................................................................................................... 59
Install A2A Client on UNIX Using the Interactive Script ............................................................. 60
Install A2A Client Silently on UNIX ............................................................................................. 60
Post-installation Tasks ............................................................................................................... 61
A2A Client Installation on Windows .................................................................................................... 61
Install A2A Client on Windows ................................................................................................... 61
Install A2A Client Silently on Windows ....................................................................................... 62
Post-installation Tasks on Windows ........................................................................................... 63
Uninstall Credential Manager Components ............................................................................................... 63
Uninstall a Windows Proxy .................................................................................................................. 63
Uninstall an A2A Client on UNIX ......................................................................................................... 64
Deploying 6
Uninstall an A2A Client on Windows ................................................................................................... 64
Deploying 7
CA Privileged Access Manager - 2.8
Deploying
You can deploy CA Privileged Access Manager as a hardware or software appliance. Learn how to
deploy CA PAM in different environments and how to set up clustering for high-availability
deployments.
22-Mar-2017 8/65
CA Privileged Access Manager - 2.8
Deploy CA PAM
The installation or deployment process varies according to which platform you use. The available
options include:
Hardware appliance
VMware OVA VM instances and the hardware appliance can be in the same cluster. The AWS AMI
instance can only be clustered with other AWS AMI instances.
All cluster members must be running the same CA PAM release version.
22-Mar-2017 9/65
CA Privileged Access Manager - 2.8
Behind a Firewall
Deploy CA PAM in the DMZ directly behind a firewall to send high-risk users directly to CA PAM.
This deployment protects devices against users that are authorized to perform upgrades,
maintenance, development, and other administration activities.
For additional security in the DMZ you can integrate CA PAM with a RADIUS-based
multifactor authentication solution like CA Advanced Authentication.
In a Citrix Environment
Together with Citrix XenApp, CA PAM provides a complete entitlement management security
framework that enables companies to satisfy compliance and best practices for increasing
numbers of high-risk users accessing the critical information technology infrastructure.
22-Mar-2017 10/65
CA Privileged Access Manager - 2.8
Restrict IP Addresses
Before you configure your network, ensure that you have assigned and allocated addresses.
VPN: Verify that your IP address allocation does not conflict with what is configured by default for
the SSL VPN (10.8.0.0/16). If there is a conflict with your existing network, change the SSL VPN
address space to an unused network block. The smallest subnet that is permitted is /29.
22-Mar-2017 11/65
CA Privileged Access Manager - 2.8
22-Mar-2017 12/65
CA Privileged Access Manager - 2.8
First deploy the VMware OVA template then configure the virtual appliance network settings. Before
you can configure the network settings, the CA PAM license is required. After you upload the license,
configure the network connection so that it can autoprovision (import) your virtual machine devices.
1. Download the Virtual Appliance OVA from the CA Support site to local environment.
b. In the Inventory Location field, select the Data Center location where you want to
install CA PAM. Click Next.
The OVA template uses the Thick Provision Lazy Zeroed option. Accept the default settings
and click Next.
Thin Provisioning is not supported.
6. Review the settings. Verify that the Power on after deployment check box is not selected.
If any setting is changed, failure to keep this box unchecked results in redeployment of the
OVA template. We recommend editing the settings before the first power-up cycle of the
guest VM instance.
22-Mar-2017 13/65
CA Privileged Access Manager - 2.8
7. Click Next. The OVA template is imported into the VMware host, cluster, or data center
location that you previously selected.
The VMware virtual appliance deployment is complete. Go to the next section to edit the virtual
machine settings.
You can add the additional virtual network adapters even if there are no immediate plans to use
them. Doing so allows for expansion when redeploying a new virtual appliance.
Important! Add the virtual network adapters before the first power-on cycle of the virtual
appliance.
If you are deploying adapters on ESX/ESXi hosts, select the right VM network.
Select the correct network adapter type (Host Only, Bridged, or NAT) when adding virtual
network adapters.
(Optional). If the deployment only requires one virtual network adapter, set adapters two
through eight so they do not connect when the virtual appliance powers on.
22-Mar-2017 14/65
CA Privileged Access Manager - 2.8
(Optional). Set all virtual network adapters with static MAC addresses. You can set a static MAC
address that contains the VMware OUI prefix in compliance with the following format
00:50:56:XX:YY:ZZ
XX is a valid hexadecimal number between 00 and 3F
To avoid conflict with MAC addresses that the vSphere vCenter Server generates, or addresses
that are assigned to the adapters for infrastructure traffic, do not set the value for XX greater
than 3F. See the VMware VSphere documentation for more information about VMware OUI
allocation. To generate MAC addresses that meet the requirements, third-party sites are
available.
The OVA ships with one virtual CPU. You can adjust the virtual CPU settings as high as:
1. Take a snapshot of the instance and make a full clone. This newly cloned instance serves as
the new template for future deployments in your environment.
Any changes to the virtual machine settings require a new full clone.
22-Mar-2017 15/65
CA Privileged Access Manager - 2.8
1. From the Main Menu of the utility console, select Basic Network Settings. The Network Setup
screen displays.
2. For the Default Gateway field, enter an IP address of the virtual appliance.
2. For each network enabled network interface, enter an IP address. At least one interface is
required.
6. Verify that the network configuration is valid by contacting (pinging) the configured IP address
from another PC.
The remaining configuration steps can be completed from the CA PAM user interface or Workstation
Client.
22-Mar-2017 16/65
CA Privileged Access Manager - 2.8
1. Log in to the AWS Management Console by selecting AWS Management Console, EC2.
2. Enter the value for the DNS Server that Amazon Web Services assigns.
22-Mar-2017 17/65
CA Privileged Access Manager - 2.8
To start and stop theCA PAM instance from the AWS Management Console, see the Amazon
instructions for starting and stopping an instance (http://docs.aws.amazon.com/AWSEC2/latest
/UserGuide/Stop_Start.html#starting-stopping-instances).
22-Mar-2017 18/65
CA Privileged Access Manager - 2.8
Unpack the Hardware Appliance from the Packaging (see page 19)
Mount the Hardware Appliance in a Rack (see page 21)
Configure Network Connections for the Appliance (see page 27)
Appliance Power Supply Units (see page 27)
Hardware Appliance Specifications (see page 27)
2 Sliding 2 Each sliding rail assembly can be separated into an inner frame and an outer frame
. rail assembly.
a assembl
ies
22-Mar-2017 19/65
CA Privileged Access Manager - 2.8
a Inner 1 The inner frame (or inner rail) has an outer safety lock (see step 2c.) for securing it to the
. rail per outer rail frame assembly. This rail is attached to the appliance.
frame slidi
ng
rail
asse
mbly
b Outer 1 The outer frame assembly consists of two heavy-gauge rail frames (center rail and outer
. rail per rail) attached to each other. Each frame incorporates a ball-bearing slide. One frame
frame slidi attaches and allows extension of the two frames with each other. One frame attaches and
assembl ng allows extension of the inner rail frame with the center rail. The rail assembly has an inner
y rail safety lock (see step 4). This assembly, with two L-shaped brackets, is attached to the rack.
asse
mbly
3 Short 8
. flat-
a head
screws
4 Long 8
a flat-
. head
screws
Screw types for assembling Model X304L
b Nuts 8
. for long
flat-
head
screws
5 Flat 12
a counter
. sink
screws
b Conical 12
. washers
for flat
counter
sink
screws
6 Front 2
a ear
. bracket
s
b Ear 6
. bracket
screws
Ear bracket screws for Model X304L
22-Mar-2017 20/65
CA Privileged Access Manager - 2.8
7 Applian 1
. ce
a chassis
Model X304L appliance chassis
8 Power 2
. cords
a
9 Console 1
a cable 1
. Etherne
b t patch
. cord
a. b.
22-Mar-2017 21/65
CA Privileged Access Manager - 2.8
2. Separate the inner rail frame from the outer and center rail frames on each of the two
assemblies:
b. Slide the inner rail frame all the way to the left. The frame stops at about half its
length:
c. Turn the assembly upside down so that its outer side is visible as shown here:
Model X304L inner rail extended to left, outer side up, with arrow
Model X304L inner rail extended to left, outer side up, with arrow
d. Press down the outer safety lock tab (indicated by the arrow), and – holding the tab
down – pull the inner rail frame firmly to the left so that it is removed.
e. Repeat this inner rail frame separation with the other rail assembly.
22-Mar-2017 22/65
CA Privileged Access Manager - 2.8
3. Attach the inner rail frames and ear brackets to the appliance chassis
a. Align the three indicated mounting holes of the inner rail to the screw holes on the
chassis frame with the outer safety lock tab facing out and the notched end of the rail
that is located at the rear of the unit. (These are connected by vertical dashed lines in
the figure.) Attach it to the appliance using three of the short flat-head screws.
b. Attach one of the two front ear brackets to the chassis using the small black screws
provided in the ear bracket package.
The two attached parts should now appear as in this diagram:
c. Repeat these steps to attach the other inner rail and front ear bracket to the other
side.
Model X304L inner rail and Ear bracket attachment to appliance chassis
Model X304L inner rail and Ear bracket attachment to appliance chassis
Model X304L ear bracket and inner rail frame mounted on the right side of appliance
The L-shaped brackets secure the outer rail frame assembly to the rack. Attach these
brackets to the outer rail assemblies first, before attaching the combination to the
rack.
4. Attach two L-shaped brackets to each of the two outer frame assemblies:
22-Mar-2017 23/65
a.
Model X304L outer rail assembly closed, inner side facing up, with ball bearing
assembly slid to right.
Locate an L-shaped bracket so that the curved edge on the bracket wraps around the
outer rail assembly outer frame (when held up on its side edge as shown), and the left
end of the bracket points down toward you.
Model X304L: Orientation of the L-shaped bracket against outer rail assembly
Model X304L: Orientation of the L-shaped bracket against outer rail assembly
Insert a long flat head screw (see Package Contents Table, Item 4a) through the first
oval hole on the inner frame of the frame assembly, through to the outer frame, then
through the L-shaped bracket long groove, and finally attach (but not tighten) a nut
(see Package Contents Table, Item 4b) to the end of the screw. Repeat this with a
second screw and nut through another pair of rail holes. (The third or fourth hole pair
provides the best support. The additional two hole pairs are intended for alternative
equipment that is not used here.)
Do not tighten the nuts yet because you need to adjust the location of the brackets
when you mount the bracket-rail assembly to the rack.
Model X304L: Front bracket onto outer rail assembly, inner side view, with screw and nut before
attachment
Model X304L: Front bracket onto outer rail assembly, inner side view, with screw and
nut before attachment
Rear bracket: Slide the outer rail away all the way to the right so that the inner safety
lock snaps in place, exposing the screw holes on the outer rail:
22-Mar-2017 24/65
CA Privileged Access Manager - 2.8
Model X304L: Outer rail assembly after sliding the outer rail (on the bottom side) to the right
Model X304L: Outer rail assembly after sliding the outer rail (on the bottom side) to the
right
Attach the second L-shaped bracket to the other end of the outer rail with two long
flat head screws, one through the first or second oval hole (Figure 176) from the
center, and one through the third oval hole near the end.
Model X304L: Rear bracket onto left outer rail assembly, inner side view, with screw and nut
before attachment
Model X304L: Rear bracket onto left outer rail assembly, inner side view, with screw
and nut before attachment
b. Repeat these steps to attach the other two L-shaped brackets to the other outer rail
assembly. When you turn the assembly around so that its outer edge faces you, it
should appear with the brackets loosely mounted (for now):
Model X304L: Outer and center rails with brackets (loosely) attached (Step 4), front at left, outer
side view
Model X304L: Outer and center rails with brackets (loosely) attached (Step 4), front at
left, outer side view
a. Install the outer rail with the attached bracket to the front rack post by using two
countersink screws and, if the rack holes are not pre-threaded (which might require
clips), the conical washers provided. Note that the front end of the rail assembly has a
black plastic H-shaped component.
b. Extend and adjust the rear bracket to meet the depth of the rack and secure it to the
22-Mar-2017 25/65
CA Privileged Access Manager - 2.8
b. Extend and adjust the rear bracket to meet the depth of the rack and secure it to the
rack post with two countersink screws and conical washers.
c. Repeat steps (a) and (b) above to install the other rail to the other side of the rack.
d. You can now use a wrench to tighten the nuts and the screws that attach the L-shaped
brackets to each of the rails.
Model X304L: Right side rail, with the front bracket attached, mounted at the front right side of
rack
Model X304L: Right side rail, with the front bracket attached, mounted at the front
right side of rack
6. Place the appliance (with ear brackets and inner rails attached) in the rack, as shown here:
7. Slide the appliance into the frame. As you do, hold the tabs on the outer safety locks (as in 2.
d.) on the left and right sides of the appliance, so that the appliance can slide all the way in,
while the attached inner rails are prevented from sliding back out.
8. Attach the ear brackets to the frame through their remaining (center) holes.
9. Connect the Ethernet patch cable to an Ethernet port on the front panel (example: port 1,
which corresponds to GB1 in the LCD and GUI interfaces), and to the network.
22-Mar-2017 26/65
CA Privileged Access Manager - 2.8
10. Connect the power cords to the two PSUs and to outlets.
If the power supplied to the appliance is interrupted (power fails or a supply unit is removed or
unseated), the unit sounds a steady alarm tone. This alarm continues until the silence switch turns
off the alarm.
The silence switch is a small button at the back of the unit, immediately to the left of the power
supplies. Press the silence switch to turn off the alarm. After the switch is pressed, it is reset only
after the power is restored and recycled back to each appliance. Power restoration means that each
power supply is seated in the appliance, and that each power cord is plugged in to a live power
outlet.
Item Description
System components
Chassis 1U IPC
Power Supply Redundant dual hot-swappable 300-W Power Supply Units (PSUs)
System Board Intel C226 Chipset (Lynx Point PCH)
CPU Intel Xeon processor
Memory 16-GB DDR3 1600MHz DIMM with ECC support
Primary Storage 80-GB Solid-State Drive (SSD)
Secondary Storage (Backup) 80-GB Solid-State Drive (SSD)
Display 2 line x 20 character LCD
Standard interfaces
Network Eight (8) 1-Gigabit Ethernet Ports
22-Mar-2017 27/65
CA Privileged Access Manager - 2.8
Item Description
LCD inputs Four-button control
Serial One RJ-45 Console Serial Port
USB ports Not functional
Physical specifications
Height 1.73" (44 mm)
Width 17.0" (431 mm)
Depth 18.4" (468 mm)
Unit Weight 15.4 lb (7 kg)
Enclosure Fits standard 19" rack
Environmental specifications
Storage Environment -20 Celsius to 70 Celsius
5 - 95 percent RH, noncondensing
Operating Environment 0 Celsius to 40 Celsius
5 - 90 percent RH, noncondensing
Cooling Processor: Passive heatsink System: 3x cooling fan
Use the LCD Panel to Configure Network Connections (see page 28)
Use the UI to Configure the Network Connections (see page 33)
Use the Console Port to Configure Network Connections (see page 34)
To connect to a device that cannot auto-negotiate speed or the duplex mode such as older
switches and hubs, use the UI .
22-Mar-2017 28/65
CA Privileged Access Manager - 2.8
The LCD Menu Control has four buttons under the LCD Menu Panel, from left to right: < ^ v >. These
buttons function as follows:
Button Functions
< (left arrow) Move Left
Undo/Cancel
> (right arrow) Move Right
Enter/Confirm
^ (up arrow) Move up
Increase value
v (down arrow) Move down
Decrease value
Note: Older hardware appliances have an ENTER and an ESC button instead of the left and
right arrows. Use the ENTER button to move right or to confirm an entry. Use the ESC
button to move left or undo an entry.
The LCD menu includes the following options to operate the appliance:
Network Setup
This option allows the installer to provide the required network configuration to get the appliance
operational. Use the Up or the Down arrows to navigate through the menu.
Reset Password
This option resets the configuration password to the default password. Select the left arrow and the
password is reset. A message displays after a successful reset.
Menu item 2: Reset Password After selecting >: Password reset! After about 30 seconds:
Reboot
This option reboots the appliance. After you power down and restart the appliance, the LCD displays
the Network Setup screen.
Menu item 3: Reboot After selecting >: Rebooting... After about 60 seconds: Shuts down, Boots
22-Mar-2017 29/65
CA Privileged Access Manager - 2.8
Power Off
This option turns off the power, displaying the following message:
Menu item 4: Poweroff After selecting >: Powering off... After about 30 seconds:
The power switch remains in the "on" position, but you can toggle it off.
Halt
The Halt command stops all processes. The power is still on, but the device is unusable because all
processes are stopped. The LCD has the following display:
Menu item 5: Halt After selecting >: Halted. After about 15 seconds: Shuts down
Use the Halt command when the power must remain on. For example, if a monitoring system raises
alarms due to power loss, use Halt.
Factory Default
This option resets the appliance configuration and provisioning database to their originally shipped,
factory-default values. Use the left arrow to return to the Factory Default menu.
Menu item 6: Factory Default After selecting >: Reset Defaults? 60 seconds... Hot reboot
ENTER to reset
Important! Do not use the Factory Default option when CA PAM is in an active cluster. To
determine whether a cluster is active, go to the Synchronization page and verify that the
synchronization status is ON.
Turn On FIPS
This option turns on FIPS mode. As of version 5.2.1, the appliance achieved Federal Information
Processing Standards FIPS 140-2 Level 2 certification. When FIPS mode is activated to comply with
this standard, the LCD and the non-compliant SSL encryption algorithms are disabled.
FIPS mode is fully compatible with PKI smartcard use, including the US DoD CAC system. Non-
compliant SSL encryption algorithms have been preserved specifically for legacy browser support.
The LCD Menu option turns on the FIPS flag and reboots the appliance when it switches to FIPS
mode.
Important! FIPS mode is available with the product, but the National Institute of Standards
22-Mar-2017 30/65
CA Privileged Access Manager - 2.8
Important! FIPS mode is available with the product, but the National Institute of Standards
and Technology ( NIST) has not yet certified this functionality.
Use FIPS mode only when applicable. FIPS mode does not support all browser configurations.
After the FIPS mode is activated, the LCD is no longer available for configuration. Use the UI to
make all subsequent changes.
To operate with socket filters in FIPS mode, the monitored devices must have release 2.7 or later
Socket Filter Agents (SFAs).
If for any reason FIPS activation fails, the LCD displays: PATCH FAILED / UPGRADE ABORTED. If this
failure happens, the appliance cannot be revalidated until after it is returned to CA Technologies.
Menu item 7 (if set): Turn on FIPS After selecting >: [several process messages]
1. Connect the desired number of Ethernet cable connections to ports 1 through 8 on the
appliance. These ports correspond to GB1 through GB8 in the LCD and UI interfaces.
2. Connect the power cord, first to the appliance and then to an outlet.
a. Turn on the power switch on the back of the appliance. Hold the switch until the unit
powers on.
4. Navigate to the Network Setup menu item on the screen, and press the right arrow (>).
The first screen is the Default Gateway:
Default Gateway
000.000.000.000
5. To configure the Default Gateway IP address, set the value of a digit for each digit position in
the address. Use the up and down arrows to go through and select an integer from 0 to 9.
Move to the other positions in the IP address using the > (forward) or < (backward) arrows.
Complete this process for each address you want to configure.
22-Mar-2017 31/65
CA Privileged Access Manager - 2.8
Each octet is expressed on the display using three digits. For each octet that is less than 100,
the first characters are zero. For example, the address 10.44.146.3 is expressed in the LCD as
010.044.146.003
Note: These settings are saved when the Save option later in the procedure. For the
settings to take effect after saving, the appliance must first be rebooted.
6. After you have set the last position in the IP address, press > to go to the next screen Interface
Setup.
To cancel the Network Setup and return to the Network Setup menu, press the left arrow.
7. Press > to go to the Pick Interface screen. This screen shows the interface available for
configuration.
a. Use the arrows to select the label GB1 through GB8 corresponding to the label of the
desired Ethernet port (1 through 8).
b. Use the up and down arrows to go through and select an integer from 0 to 9
8. After setting the interface, enter the netmask for the same interface, on the Netmask for GBn
screen.
9. At the final Interface Setup screen, enter one of the following options. Use the up and down
arrows to position the arrow on the option and press > to enter this selection.
Interface Setup
Cont/Sav/eXit C
Select X (exit) to discard all network settings that you configured after the last save and
restore the previous settings.
10. From Network Setup, navigate to Reboot, and press the forward arrow (>).
22-Mar-2017 32/65
CA Privileged Access Manager - 2.8
The following steps assume that you have installed the appliance.
1. Configure a PC with a static IP address of: 192.168.98.x, where x is not 100. The IP address of
GB1 as shipped is 192.168.98.100.
2. Connect this PC directly to the 1 port on the front of the appliance. Port 1 corresponds to GB1
in the UI. This port is auto-sensing, so you do not need a crossover if using a laptop with the
same.
3. Open a Java-enabled browser and enter the following URL, including the slash at the end
https://192.168.98.100/config/
b. In the Windows Security pop-up window which follows, enter the default
configuration username/password (config/config)
5. Set the appropriate values in the Network Configuration and Network Interfaces sections.
6. (Optional) Speed autosensing does not work with all network appliances. If you experience
connectivity issues, set the Speed and Duplex settings to static values f or the network
interfaces.
8. Click Restart Networking to commit your changes. While the network is restarting, the
appliance is temporarily unavailable.
9. After the browser refreshes, use the Toolbar: Log Off button (in the upper-right corner) to end
your session.
10. Confirm that your settings have been correctly configured by accessing the login page using
your newly assigned address.
22-Mar-2017 33/65
CA Privileged Access Manager - 2.8
Speed: 115200
Data bits: 8
Stop bits: 1
Parity: none
22-Mar-2017 34/65
CA Privileged Access Manager - 2.8
Each system in a cluster is identical to one another in all aspects. Data is processed and stored at all
sites simultaneously. Not all data is synchronized across the cluster. Provisioning data, which changes
regularly, is primarily synchronized. Provisioning data includes users, devices, and the policy
associations between them. The policy data includes access methods, services, filters, and recording
settings. The provisioning data also includes all global settings, except for the branding logo.
A cluster is accessible using a virtual IP Address (VIP) name or address, and it is protected by secure
communication.
22-Mar-2017 35/65
CA Privileged Access Manager - 2.8
All appliances in a cluster require a fixed set of static IP addresses, including at least one private IP
and one public IP. The hardware appliance and VMware OVA virtual appliance use a single IP address
for VIP. The AWS AMI instance uses a private-public IP pair. The public IP uses the Elastic IP (EIP) for
external connectivity into AWS EC2. EIP requires external AWS API calls which trigger billing costs
each time.
When a request comes in to the VIP address or name, a one-time HTTP redirect to the individual
appliance occurs. Rerouting can be avoided by going directly to an individual IP address of the
appliance.
If the appliance managing the VIP is not accessible, another appliance assumes the VIP. If the product
goes down, the user loses their HTTP and applet sessions, and must reload the VIP to log in again and
start new sessions.
Programs can also access the CA PAM server through VIPs, such as CLI, Java APIs, A2As, and Windows
Proxy clients. CLI and Java API do not trigger HTTP redirects. If CA PAM goes down, CLI failover is
transparent because it defaults to using request-based authentication. Java API failover requires
relogin to start a new session. A2A and Windows Proxy clients also can access the product through a
VIP. The client access does not trigger HTTP redirects. If the appliance goes down, client failover is
transparent because they use request-base authentication.
You must provision a VIP, but users, programs, and clients can ignore it, and only use the load
balancer. Sticky sessions are mandatory for users, programs, and clients.
If the sticky appliance goes down, session-based entities must log in again, including users of the UI
and applets, and programs using the Server API through the Java API library. If the sticky appliance
goes down, request-based entities fail over transparently, such as programs using the CLI. A2A and
Windows Proxy clients fail over transparently.
WAN clustering with VLAN is supported with a single, virtual gateway. If communication breaks
between nodes in the cluster the ICMP connectivity is implicitly tied to WAN connectivity. If
communication breaks down, CA PAM cannot detect WAN loss because ICMP polls only the local
gateway in each data center. WAN clustering without VLAN is only conditionally supported.
22-Mar-2017 36/65
CA Privileged Access Manager - 2.8
Network connectivity
Network connectivity problems can lead to database deactivation for some cluster members.
Deactivation of cluster members ensures that those members with outdated information do not
propagate it. If the cluster is operating properly, each member knows that the same databases
are deactivated.
If links between members are broken but each member can still contact its gateway, target
devices, and other resources, the divided cluster behaves as if the other members are offline. The
database servers for each member are unaware that other nodes are still active. The result is that
more than one member of each cluster takes the primary role and tries accessing the database.
The cluster status that is shown in the UI displays a different combination of activated and
deactivated databases for each cluster member. For example, in a three member cluster, the first
member might show deactivation in members 2 and 3, while the second and third members then
shows deactivation in member 1. This division of clusters is more likely in a WAN environment.
For a cluster across a WAN, if the WAN link goes down, each member can still contact its gateway
and each member considers itself the primary member. The UI shows conflicting status, that is,
each member thinks the other member is deactivated. Each member is active but updates only
the local database. The result can be that the same scheduled jobs running and changes are saved
only locally. All the databases get out of sync. When the administrator finally brings the cluster
back in sync, the data from one member overwrites the data in the other, and some data is lost.
Fix any broken links and then restart the cluster as soon as possible. The cluster member order during
any restart is crucial. Configure the member with the latest data as new the primary member. If it is
not clear which member has the latest data, call CA Support.
Re-synchronization
Re-synchronization is a resource-consuming, snapshot restoration process. The time to resync is the
cluster is proportional to the database size, cluster size, and network speed. Try to avoid
resynchronization wherever possible. Plan carefully to avoid connectivity loss.
22-Mar-2017 37/65
CA Privileged Access Manager - 2.8
Network Requirements
Your environment must satisfy the following network requirements:
High Network Availability - Clustering uses synchronous SQL replication, which requires a high
network uptime to avoid network loss. If the network is down, each cluster member times out
after 20 seconds and that member s deactivated. A deactivated cluster member can cause
synchronization problems.
Primary DNS uptime to avoid latency in the product UI and its subsystems. Maintain the
primary DNS server to avoid failover to a secondary DNS.
Unique appliance host names. If host names are the same, logging, and other metrics are
negatively impacted.
Register host names and IP addresses in the DNS for forward and reverse look-ups.
Internet Control Message Protocol (ICMP) - The internal active-active control uses ICMP ping to
monitor network conditions.
ICMP connectivity and LAN gateway require high uptime to reduce the cost of network
loss.
Failed ICMP triggers a cluster member to enter isolation mode, implying that a communication
failure between members is in progress. Restored ICMP during an isolated mode triggers an
automated merge recovery. A merge recovery requires service download proportional to DB size
and cluster size. The cluster automatically stops, then one database is copied and restored on all
the other appliances, and then the cluster restarts.
Network Time Protocol (NTP) - The product is pre-configured with default NTP servers, but these
require Internet access. If the cluster is not routed to the Internet, local LAN NTP servers are
required to ensure that each cluster node is set to the same time.
NTP server connectivity is checked during startup. If the times between appliances differ by 3
seconds or more, the cluster does not start. After a cluster starts, NTP server connectivity is
not monitored so external monitoring is required.
22-Mar-2017 38/65
CA Privileged Access Manager - 2.8
TCP - Do not permit TCP blocking, throttling, or traffic shaping on any part of the LAN, VLAN, or
WAN for the following ports and protocols:
Socket Filter Agent (SFA) clients: TCP/8850 (plus protocol-specific ports for RDP, SSH, and
other access methods)
Appliance Requirements
Note the following appliance requirements:
Use only IPv4 addresses. Use only IPv4 addresses for addressing appliances in a cluster.
Ensure all cluster members use the same firmware release. Verify that each cluster member is
running the same release of the product firmware. If not all members are at the same release
(patch) version, upgrade all members to the latest release in the cluster.
Use only a private IPv4 address for the VIP (Virtual Management IP), as the cluster members are
not on the same subnet.
Confirm that your NTP servers are running properly then turn on the cluster. Look the Date/Time
page > NTP Status panel (aactrl output) to see that the following conditions are met:
"remote" column: At least one primary NTP server (denoted with a *) is available
"offset" column: The absolute value of this field must be less than 3000
"when" column: This field must be less than 5 times the value in the poll column (the poll
frequency)
Look for a summary message in the session logs, and then immediately address the NTP servers.
An example log message with an unacceptable value is shown:
NTP problem on member 10.0.0.21. NTP Server: *6.175.209.17: Offset: 1.1.51
(should be < 3000), Poll: 64, When: undefined (when should be < poll *5)
22-Mar-2017 39/65
CA Privileged Access Manager - 2.8
1. Create an AWS virtual private cloud (VPC) with at least one public subnet in which to locate
your cluster. Assign an AWS Security Group that permits intra-subnet communication,
inbound and outbound traffic through port 3306 (for the MySQL requirement of Credential
Manager).
2. Configure the members of your AWS cluster and assign them to the VPC you created. Note
the local subnet address for each.
3. Create an elastic IP address (EIP) for each member of your cluster and assign it to that
member. Note which EIP is assigned to which instance.
4. Create an extra EIP to serve as the cluste VIP address, but do not assign this EIP to any
instance.
Cluster Configuration
Configure a high-availability synchronized cluster from the Synchronization option in the UI.
Configure each appliance in the cluster individually then activate the cluster by turning on
synchronization. The exception to this rule is the configuration of third-party authentication, which is
replicated.
For each cluster member, configure each node completely as it was a standalone system. When you
set up your cluster, all cluster members must be on the same subnet.
If CA PAM is unlicensed, upload a license. Complete this task by selecting the Licensing menu. The
Hardware ID is different for each cluster member, but all licensing settings must be the same for
all cluster members.
22-Mar-2017 40/65
CA Privileged Access Manager - 2.8
In the Network menu, ensure that the Hostname is different for each each member. Otherwise,
conflicts occur in data reporting, logging, and recording.
Configure a Cluster
In a cluster, there is a primary appliance and secondary appliances. The primary appliance is the first
appliance in the Cluster Member list of the UI. All other members are secondary appliances. For load
balancing, traffic is directed to the cluster member handling the lowest load. The lowest load is
determined by the fewest number of open sessions.
3. Enter any passphrase and select Generate Key. An encryption key is generated and placed in
the Key field. Use the same key for all cluster members.
4. (AWS Clusters Only) Select the AWS Provision in which the cluster is located.
5. (Hardware appliance only). In the Interface section, verify that the GB1 interface is selected as
the port for cluster management. The cluster port must be the same on all members in the
cluster.
6. For the primary appliance, specify the Virtual Management IP field (Cluster Settings), the
address through which users access the cluster. Follow these guidelines:
If the cluster is not behind a firewall, enter the local IP address of the primary appliance.
If a cluster is behind a firewall or on an AMI instance, specify the local IP address followed
by a comma and the NAT address. If you are setting up an AWS AMI cluster, assign any
available local address.
If you are configuring a WAN-based cluster, specify a private address. If not all members
are on the same subnet, this VIP must also be outside the subnet of any cluster member.
7. In the Virtual Management IP Domain Name field, enter the virtual host name of the cluster.
The entry must be a fully qualified domain name. For example, capam.forwardinc.local.com (
http://capam.forwardinc.local.com/).
Following AWS cluster synchronization, the EIP of the VIP is associated with the primary appliance.
22-Mar-2017 41/65
CA Privileged Access Manager - 2.8
Following AWS cluster synchronization, the EIP of the VIP is associated with the primary appliance.
1. In the Cluster Settings, select Add IP and add the local address of each cluster member. The
address of the primary node must be first in the list. If a cluster member stops running, the IP
Address List shows the cluster members in the order that you want them to recover.
If the cluster is not behind a firewall, enter the local IP address of the primary member.
If a cluster is behind a firewall or in an AWS cloud, specify the local IP address of the
primary node followed by a comma and the NAT address. If you are setting up an AWS
cluster, assign any available local address.
4. Repeat this procedure for each appliance you want to add to the cluster.
The following tables show examples of the address format you must use in the cluster configuration.
Cluster Member Local or AWS VPC IP, NAT (or AWS EIP)
Primary: 10.0.0.61,107.23.143.123
Secondary 1: 10.0.0.60,107.23.143.126
Secondary 2: 10.0.0.59,107.23.143.129
Example 2: Local and NAT, each member using a Local IP address with a NAT FQDN:
22-Mar-2017 42/65
CA Privileged Access Manager - 2.8
Example 3: Local and NAT, each member using a local IP address with a NAT FQDN and Port
Turn On a Cluster
After the cluster members are added, you can turn on the cluster.
1. On the Config, Synchronization page of the primary member, select Turn Cluster On.
22-Mar-2017 43/65
CA Privileged Access Manager - 2.8
4. On the UI dashboard, you see a section Appliance Cluster Status. You see all the members
that you added to the cluster.
Deactivate a Cluster
Shut down a cluster under the following conditions:
1. On the Config, Synchronization page of any cluster member, select Turn Cluster Off.
The Synchronization page shows an the Turn Cluster On button for each member of the cluster. At
that point, the cluster is down.
When you reestablish the cluster, the cluster resynchronizes, and t he data from the primary member
overwrites the data of any secondary members. If the primary database becomes corrupted,
designate a different node as the primary after the cluster becomes active.
Cluster Recovery
If not all requirements for VLAN or WAN clustering can be met, use the following configuration
approaches to safeguard disaster recovery:
At the cluster primary member site, deploy two running systems and one that is not running.
Schedule configuration and database backups from the primary members to a secondary data
center.
Place redundant cluster members in the secondary member site, but do not deploy them until
needed.
1.
22-Mar-2017 44/65
CA Privileged Access Manager - 2.8
1. Restore Secondary cluster members. Manually restore primary configuration and database
backups onto the secondary members while preventing primary members from coming back
online.
c. Restore primary members while preventing secondary members from coming back
online.
22-Mar-2017 45/65
CA Privileged Access Manager - 2.8
daemonserv
er_port
28888 CA Privileged A2A Client A2A Client Used for A2A client stub requests.
Access Manager configuration
appliance file:
daemonserv
er1_port
28088 A2A requesting A2A client A2A Client Local to an A2A Client host
application daemon configuration
file:
daemonserv
er2_port
The CA Privileged Access Manager appliance uses TCP port 5900. Network security scans typically
assume that TCP port 5900 is used by a VNC server. For that reason, security scans might erroneously
indicate that the CA Privileged Access Manager appliance has a security vulnerability.
22-Mar-2017 46/65
CA Privileged Access Manager - 2.8
Refer to the following tables for the list of default ports used by the various target connectors. If a
target connector is not listed here, then it does not require firewall ports to be open.
AS/400
Default Port Source Destination Configurable Applicability
449 CA Privileged Access Manager appliance Target server No
8475 CA Privileged Access Manager appliance Target server No
8476 CA Privileged Access Manager appliance Target server No
The AS/400 target connector uses an IBM package named “Toolbox for Java and JTOpen”. Ports 449
and 8476 are associated with non-SSL services (as-svrmap and as-signon for user ID and
password validation). Their SSL-enabled service runs on port 8476 (as-signon). For details, see
http://www-03.ibm.com/systems/power/software/i/toolbox/.
Cisco
Default Source Destination Configurable Applicability
Port
22 CA Privileged Access Manager Target In target If ssh is used
appliance server application
23 CA Privileged Access Manager Target In target If Telnet is used
appliance server application
Juniper JUNOS
Default Source Destination Configurable Applicability
Port
22 CA Privileged Access Manager Target In target application
appliance server
22-Mar-2017 47/65
CA Privileged Access Manager - 2.8
LDAP
Default Port Source Destination Configurable Applicability
389 CA Privileged Access Manager appliance LDAP server In target application
MSSQL
Default Source Destination Configurable Applicability
Port
1433 CA Privileged Access Manager Microsoft SQL Server In target
appliance database host application
MySQL
Default Source Destination Configurable Applicability
Port
3306 CA Privileged Access Manager MySQL server database In target
appliance host application
Oracle
Default Source Destination Configurable Applicability
Port
1521 CA Privileged Access Manager Oracle server database In target
appliance host application
SPML
Default Source Destination Configurable Applicability
Port
8080 CA Privileged Access Manager Target In target application
appliance server
22-Mar-2017 48/65
CA Privileged Access Manager - 2.8
UNIX
Default Source Destination Configurable Applicability
Port
22 CA Privileged Access Manager Target In target If ssh is used
appliance server application
23 CA Privileged Access Manager Target In target If Telnet is used
appliance server application
VMware ESX/ESXi
Default Source Destination Configurable Applicability
Port
443 CA Privileged Access Manager Target In target application
appliance server
WebLogic
Default Source Destination Configurable Applicability
Port
7001 CA Privileged Access Manager Target In target application
appliance server
22-Mar-2017 49/65
CA Privileged Access Manager - 2.8
daemonserver
1_port
Windows Proxy
Default Source Destination Configurable Applicability
Port
389 and Windows Proxy AD Domain No Domain accounts
636 Controllers
636 CA Privileged Access AD Domain No Domain accounts
Manager appliance Controllers
27077 CA Privileged Access Windows Proxy Windows Proxy Sybase database
Manager appliance configuration file: communications
daemonserver1_p
ort
Allows Credential Manager to manage local and domain user accounts and local and network
service accounts.
Manages accounts on the local host where the Proxy is installed, and on remote hosts that are
within the same domain or workgroup.
(Optional) Verifies passwords and changes passwords for user accounts and service accounts.
22-Mar-2017 50/65
CA Privileged Access Manager - 2.8
Windows Accounts
The following table describes the different types of Windows user accounts. Windows service
accounts are special accounts that allow system administrators to control the level of permission that
is granted to a Windows service. Windows services that access network resources might require a
restart when the associated user account password is changed.
22-Mar-2017 51/65
CA Privileged Access Manager - 2.8
You can install as many Windows Proxies as you want. However, you must install a minimum of one
Windows Proxy for each domain or workgroup. The Windows Proxy is a service that must run as
either a domain administrator or local administrator. By default, the Windows Proxy installs with
local service permissions, which must be updated if it is managing passwords over a network
connection.
The following table lists the target host and target account registration notes associated with the
various Windows Proxy installation options.
Windows Target Target host configuration notes Target Account Registration notes
Proxy user
service account
runs as type
Domain Domain The domain administrator must When adding the target account, select the
administrat have local administrator option Use Proxy credentials to change
or privileges on the target host. password.
Domain Local The account being managed When adding the target account, the account
administrat (on the target host) must have that is selected to manage passwords must
or (target Log on local user rights. have Local Administrator privileges.
host)
Local Domain Not recommended Not recommended
administrat
or
(Proxy
host)
Local Local None When adding the target account, the account
administrat that is selected to manage passwords must
or (target have local administrator privileges.
host)
(Proxy
host)
Important! If CA PAM manages the administrator account that the Windows Proxy service
runs as, do not configure this account to change its own password. The Windows service
cannot restart itself after a password change. Rather, use a second Windows Proxy running
as a different account to manage the service account using a separate target application
that only uses the remote proxy. When you configure the Windows target account for the
Windows Proxy, discover the proxy service and set the Start/Restart option to allow CA
PAM to restart the service on password change.
The accounts that the two Windows Proxy services run as must both be in the
Administrators group on their proxy hosts so that they can manage each other. The proxies
can then be used to manage other accounts on either host, or on remote hosts, with target
applications that have both proxies selected for high availability.
22-Mar-2017 52/65
CA Privileged Access Manager - 2.8
When verifying the passwords of Windows Proxy target applications, Credential Manager connects to
target servers using the Windows Proxy.
When adding a domain controller target server, use the domain controller NetBIOS name as the
target server host name.
A Windows Proxy host does not need to be created in CA PAM as a Device. There is no managed
object (requiring a Device Type assignment) that corresponds to a proxy host. Thus, no installed
proxy appears in the Device list. However, this does not prevent the same host from being the target
of a CA PAM managed object. That is, the same host can otherwise be used for access or password
management as a CA PAM device.
Hardware Requirements
The Windows Proxy requires 128 MB of RAM and 180 MB of hard drive space. The Windows Proxy
log file requires 50 MB.
22-Mar-2017 53/65
CA Privileged Access Manager - 2.8
Installation of more than one Windows Proxy on the same host is not supported. Installing into the
same directory overwrites the Windows Proxy already installed in that directory. Always uninstall an
existing Windows Proxy before installing a newer version.
Verify that DNS resolution of the Windows Proxy host succeeds on the CA PAM appliance.
Verify that DNS resolution of the CA PAM appliance succeeds on the Windows Proxy host.
Do the following steps to disable Windows Simple File Sharing on all Windows servers with
accounts being managed through the Windows Proxy:
1. Click Start.
2. Select My Computer.
4. Click View.
The Windows Proxy cannot synchronize and update accounts if simple file sharing is enabled. The
Windows Proxy error log returns a 1326-ERROR_LOGON_FAILURE message if simple file sharing is
enabled.
If DNS resolution of the CA Privileged Access Manager appliance fails on the Windows Proxy host, the
Windows Proxy hosts file (C:\Windows\System32\drivers\etc\hosts) requires an entry
for the CA Privileged Access Manager appliance.
You can install the Windows Proxy and an A2A Client on the same Windows host. Do not, however,
use the same installation folder for both the Windows Proxy and the A2A Client. The installation of
either component overwrites the Credential Manager component that is already installed in that
folder.
22-Mar-2017 54/65
CA Privileged Access Manager - 2.8
Note: The InstallAnywhere wizard fails when you execute it from an account that contains
special characters. To avoid this error, start the installation by right-clicking on the
executable file and selecting the Run As option. The Run As dialog opens and prompts for
an alternate username and password to use for the installation. Specify the account
credentials and continue with the installation.
1. Log in to the CA Technologies Support website and navigate to Knowledge Base, Downloads,
Client Packages.
6. In Choose Install Folder window, enter or select the folder where you want to install the
proxy, and click Next.
We recommend that you do not use a space character in the root folder, the name of the
installation location, or the folder name.
The Server Information window appears.
7. In the Server Information window, enter the Fully Qualified Domain Name (FQDN) of the CA
PAM appliance in the Server Name field and click Next.
The Pre-Installation Summary window appears.
8. In the Pre-Installation Summary window, validate the installation information then click Install
.
The Installing Password Authority Windows Proxy window appears and shows the progress
of the installation.
When the installation finishes, the Install Complete window appears.
22-Mar-2017 55/65
CA Privileged Access Manager - 2.8
Navigate to Start, Control Panel, Administrative Tools, Services, select cspmagentd in the
Services list and click Start.
A2A Client Platform Operating Minimum Patch Level 32-bit A2A 64-bit A2A
System Client Client
Windows 7 6.1.7600 Yes Yes
Windows 8.1 Any level Yes Yes
Windows Server 2008 R2 6.0.6001 Yes Yes
22-Mar-2017 56/65
CA Privileged Access Manager - 2.8
A2A Client Platform Operating Minimum Patch Level 32-bit A2A 64-bit A2A
System Client Client
Windows Server 2012 R2 Any level Yes Yes
AIX Contact CA Technologies No No
Support
OS/400 Contact CA Technologies No No
Support
Solaris 10 (SPARC) Generic_118833-36 Yes Yes
Solaris 10 (x86) Generic_118833-36 No Yes
Solaris 11 Any level Yes Yes
SuSE Linux Enterprise Server 11 2.6.5-7.316 Yes Yes
Red Hat Enterprise Linux 6 (64-bit) Any level Yes1 Yes
Red Hat Enterprise Linux 7 (64-bit) Any level Yes1 Yes
Debian 7 Any level Yes Yes
TABLE NOTE 1: For Red Hat Enterprise Linux 6 and 7, gtk2.i686 32-bit compatibility libraries must
be installed on your Red Hat Enterprise Linux 6 or 7 64-bit host.
Installation of more than one A2A Client on the same host is not supported. Installing into the same
directory overwrites the A2A Client that is already installed in that directory.
If an A2A Client host is a 64-bit platform, you can install either the 32-bit client or the 64-bit client.
Install the 64-bit client to integrate with 64-bit applications or install the 32-bit client to integrate
with 32-bit applications. On 64-bit Windows hosts the 64-bit client is in fact a combined 32-/64-bit
client.
The A2A Client runs as a daemon or service and requires a Java Virtual Machine (JVM). The A2A Client
can be installed on either a 32-bit or 64-bit operating system.
CA Privileged Access Manager represents the A2A Client host as a managed object "Device” of type
“A2A”. You can configure this object using the GUI before installing the A2A Client. If you do not, CA
Privileged Access Manager configures it for you automatically during A2A Client installation. You can
install the A2A Client using an interactive script or a silent process.
22-Mar-2017 57/65
CA Privileged Access Manager - 2.8
After you install the A2A Client, you then start the daemon or service. Once the A2A Client has
started, the request server automatically registers itself in CA Privileged Access Manager, but in an
inactive state. (It is registered as the managed object “Device” that is mentioned previously.) Activate
the request server in Credential Manager to start receiving credentials.
Credential Caching
To reduce network traffic and increase reliability, the A2A Client locally caches credentials as
specified in the target account details. When target credentials are cached, the A2A Client does not
need to access CA Privileged Access Manager to process the target credentials request. The A2A
Client uses the same application logic as CA Privileged Access Manager to ensure that it provides
credentials only in response to authorized credential requests.
When a user or a scheduled update triggers a change of target account passwords, Credential
Manager sends notification of the change to any A2A Client that might be caching the password. This
ensures that A2A Clients do not cache target passwords that are out of date.
The A2A Client maintains the cache in memory and can be optionally configured for storage on hard
disk. The hard disk cache is read only when the A2A Client launches. The primary intent of the hard
disk cache is to provide recovery of the cache after a power failure. It also provides more availability
in the event the CA Privileged Access Manager appliance is not available.
Ensure that all A2A Client compatibility requirements are met. See A2A Client Requirements (see
page 56) for details.
Ensure that firewalls do not block the necessary communication ports. See Default Port Settings
(see page 46) for details.
Verify that the A2A Client correctly resolves theCA Privileged Access Manager appliance name
through DNS. If DNS resolution fails, correct the issue. If it cannot be corrected, place the
following entry in the A2A Client host file:
On UNIX: /etc/hosts
On Windows: C:\Windows\System32\drivers\etc\hosts
Verify that the CA Privileged Access Manager appliance resolves the DNS name of the A2A Client
host. Use the GUI under Config, Tools. If it does not resolve the name of the A2A Client host, then
correct the issue.
Create an alternate installation directory if you do not want to install in the default directory
/opt/cloakware or C:\cspm
DNS resolution can be verified after the A2A Client has started.
22-Mar-2017 58/65
CA Privileged Access Manager - 2.8
DNS resolution can be verified after the A2A Client has started.
3. Click Add.
4. Clicking the magnifying glass on the Request line displays a list of A2A Clients, their host
name, and IP address. Verify that the A2A Client in question is displayed.
1. From the target system, log in to the Download Center on the CA Support Site:
https://support.ca.com/irj/portal/DownloadCenter.
2. Enter "CA Privileged App to App Manager - DEBIAN" in the Enter the Product Name here, or
select from dropdown field:
3. Select the product version from the Select a Release dropdown list.
4. Select Go.
5. Select the Download button associated with A2A Manager - Windows or A2A Manager - Unix
, as appropriate.
6. Select a download method and download the .zip file to local storage.
Installation of more than one A2A Client on the same host is not supported. Installing into the same
directory overwrites the A2A Client that is already installed in that directory.
If the A2A Client host is a 64-bit platform, you can install either the 32-bit client or the 64-bit client.
Install the 64-bit client to integrate with 64-bit applications or install the 32-bit client to integrate
with 32-bit applications.
On UNIX, you can install A2A Client using the interactive script on one host, save the configuration
file, and then copy and update the configuration file to another host and install it there silently. The
installation account requires write access to the installation directory.
22-Mar-2017 59/65
CA Privileged Access Manager - 2.8
1. Open a shell window and navigate to the clients/unix subdirectory in the unzipped A2A Client
installation package:
cd <INSTALL_DIR>/clients/unix
3. When prompted select whether to install the 32-bit A2A Client or the 64-bit A2A Client.
4. When prompted, confirm that you want to continue with the installation.
The following message appears:
By default the Password Authority Client will be installed in
the /opt directory.
You also have the option to install it in another directory. In
both cases, /opt or another directory, you must ensure first
that adequate free hard disk space is available (see the README
file).
5. When prompted select whether to install in the default directory or in an alternate directory.
The alternate installation directory must already exist.
6. When prompted, enter the fully qualified domain name of CA Privileged Access Manager
appliance. This name must match the name in the CA Privileged Access Manager appliance
SSL certificate.
7. When prompted, save the A2A Client setup in a configuration file. Saving a configuration file
can be useful if you plan to install the A2A Client on several hosts.
8. When prompted, accept the default configuration values or enter an alternate directory path
and file name.
10. Auto-register the A2A Client (request server) in the GUI by starting the daemon. Enter the
following text:
cspmclientd start
22-Mar-2017 60/65
CA Privileged Access Manager - 2.8
1. Verify the settings in your configuration file for the system on which you plan to install.
The A2A Client installs on the system using the settings that are defined in the A2A Client
configuration file.
Post-installation Tasks
After you install the A2A Client, activate the request server.
Installation of more than one A2A Client on the same host is not supported. Installing into the same
directory overwrites the A2A Client that is already installed in that directory.
If the A2A Client host is a 64-bit platform, you can install either the 32-bit or the 64-bit A2A Client.
Install the 64-bit client to integrate with 64-bit applications or install the 32-bit client to integrate
with 32-bit applications.
The InstallAnywhere wizard fails when you execute it from an account that contains special
characters. To avoid this error, start the installation by right-clicking on the executable file and
selecting the Run As option. The Run As dialog opens and prompts for an alternate username and
password to use for the installation. Specify the account credentials and continue with the
installation.
1. Open a Command window and navigate to the clients/win subdirectory in the unzipped
installation package.
22-Mar-2017 61/65
CA Privileged Access Manager - 2.8
4. In the Choose Install Folder window, enter or select the folder where you want to install A2A
Client and click Next.
We recommend that you do not use the space character in the root folder name of the
installation location or the folder name where the A2A Client is installed.
The Server Information window appears.
5. In the Server Information window, enter the Fully Qualified Domain Name (FQDN) of the CA
Privileged Access Manager appliance in the Server Name field and click Next.
The Choose Log Directory window appears.
6. Enter a specific path name for the installation log file directory or use the default path name
and click Next.
The Pre-Installation Summary window appears.
7. In the Pre-Installation Summary window, validate the installation information then click Install
. The Installing Password Authority Client window appears and shows the progress of the
installation.
When the installation finishes, the Install Complete window appears.
9. Auto-register the A2A Client (request server) by starting the CSPMClient service:
Open a command window and enter: net start cspmclientd
–or–
Click Start > Control Panel, Administrative Tools, Services.
Select cspmclientd in the Services list and click Start.
Follow these steps:Open a Command window and navigate to the clients/win subdirectory in
the unzipped installation package.
1. Open a Command Prompt window and navigate to the directory where the installation file (
setup_windows64_java or setup_windows32_java.exe) is located.
22-Mar-2017 62/65
2.
Use the Control Panel Add/Remove Programs option: Click on the Windows Proxy entry
Navigate to:
C:
\cspm_agent\Cloakware\cspmclient\Uninstall_Password_Authority_Windows_Prox
,
Double-click Uninstall Password Authority.exe.
22-Mar-2017 63/65
CA Privileged Access Manager - 2.8
Ensure that you enclose the file name within double quotes.
The greeting window appears followed by the Uninstall Windows Proxy window.
3. Click Uninstall.
The Uninstall Windows Proxy status window appears.
When the uninstall finishes, the Uninstall Complete window appears. You might need to
remove files manually. If so, the uninstaller identifies the files that must be manually
removed.
4. Click Done.
rmdir cloakware
1. (Optional) Remove the configuration file (default name and location /tmp/CSPM_Client.
config):
a. Go to the directory that contains your saved configuration file. For example, type the
following text:
cd /tmp
1.
22-Mar-2017 64/65
CA Privileged Access Manager - 2.8
Use the Control Panel Add/Remove Programs option: Click on the Password Authority
Client entry
Navigate to:
%CSPM_CLIENT_HOME%\cspmclient\Uninstall_Password_Authority,
where CSPM_CLIENT_HOME is the A2A Client installation directory, for example, C:
\CSPM\Cloakware
Double-click Uninstall Password Authority.exe.
Ensure that you enclose the file name within double quotes.
The greeting window appears followed by the Uninstall window.
Click Uninstall.
The Uninstall status window appears.
When the uninstall finishes, the Uninstall Complete window appears. You might need to
remove files manually. If so, the uninstaller identifies the files that must be manually
removed.
3. Click Done.
22-Mar-2017 65/65