Symantec Privileged Access Management

Chat Transcript: Office Hours for CA Privileged Access Management [MAY 2016] 

May 12, 2016 12:02 PM

from Kristen Malzone (CA) to Everyone:

Hi Sandra! Thanks for joining!

from Kristen Malzone (CA) to Everyone:

Welcome to Office Hours! We'll get started in a few minutes

from Kristen Malzone (CA) to Everyone:

Please ReTweet: https://twitter.com/CA_Community/status/730773356551778305

from Kristen Malzone (CA) to Everyone:

Hi Bill & James! Welcome to Office Hours!

from Kristen Malzone (CA) to Everyone:

We'll get started in a few minutes.

from Bill to Everyone:

Good morning

from Kristen Malzone (CA) to Everyone:

Morning!

from Kristen Malzone (CA) to Everyone:

Alright - Let's get started!

from Kristen Malzone (CA) to Everyone:

Welcome to Office Hours for CA Privileged Access Management!

from Kristen Malzone (CA) to Everyone:

We're here to answer your questions in real-time about CA Privileged Access Manager (formerly XSuite) and CA Privileged Access Manager Server Control (formerly CA Privileged Identity Manager/ControlMinder).

from Kristen Malzone (CA) to Everyone:

There is no audio. All conversation happens right here in the chat window.

from Kristen Malzone (CA) to Everyone:

So, who's got the first question today?

from Reatesh Sanghi (CA) to Everyone:

Hello All

from Kristen Malzone (CA) to Everyone:

@Sanal Thanks for joining today!

from Kristen Malzone (CA) to Everyone:

@Sanal Do you have a question for our CA Privileged Access Management product team?

from Sanal to Everyone:

yes

from Kristen Malzone (CA) to Everyone:

In case you missed it, CA Privileged Access Manager v2.6 is now GA! Read more: https://communities.ca.com/message/241882068

from Sanal to Everyone:

I saw PAM can be integrated with SAP GUI software.

from Sanal to Everyone:

with some third party tool

from Sanal to Everyone:

Could you explain what kind of integration is available and what other tool is required?

from Shahn Soomro (CA) to Everyone:

@Sanal...are you talking about using the MS Published Applications method as the 3rd party tool?

from Steven McCullar to Everyone:

@Sanal, which third party tool are you referring to?

from Shahn Soomro (CA) to Everyone:

One way you can integrate with just about any desktop app is to publish the app through Remote Desktop App and use the CA PAM RDP application method to supply runtime credentials.

from Sanal to Everyone:

ok

from Sanal to Everyone:

So does this require any additional tools, or is it a native integration?

from Sanal to Everyone:

Can we have SSO, password change, etc.?

from Shahn Soomro (CA) to Everyone:

Password change is done through account password management if the SAP GUI credentials are vaulted with CA PAM.

from Reatesh Sanghi (CA) to Everyone:

@Sanal, are you looking at PAM and Siteminder integration here or some other SSO Application?

from Sanal to Everyone:

not with Siteminder

from Sanal to Everyone:

We have only CA PAM. The SSO is working with general apps.

from Shahn Soomro (CA) to Everyone:

Depending on how you define your access/password view policies and password composition policies, the credentials (username/password) are supplied to the application at runtime, and the account password is changed based on PVP and PCP.

from Shahn Soomro (CA) to Everyone:

In other words, it is not advisable to change the password of the account out of band if it is being managed by CA PAM.

from Sanal to Everyone:

I got it.

from Shahn Soomro (CA) to Everyone:

@Sanal..hope that answers your questions.

from Sanal to Everyone:

But my question is whether CA PAM can manage the password of an SAP application account

from Sanal to Everyone:

in terms of password change

from Shahn Soomro (CA) to Everyone:

That will depend on where the account/password is stored. I have seen many SAP implementations point to MS AD for authentication..of course that is the easiest way for us to manage accounts used in SAP.

from Sanal to Everyone:

Our SAP is using an application account, not AD.

from Shahn Soomro (CA) to Everyone:

Native accounts can be stored in a DB...we can manage that too..but I am afraid we do not have a native connector for SAP account management...however there is one more trick we can do.

from Sanal to Everyone:

ok

from Sanal to Everyone:

Can I get some details about this integration?

from Sanal to Everyone:

How can it be done?

from Shahn Soomro (CA) to Everyone:

You can allow storage of SAP admin accounts as "accounts without sync"...so we have the password..which can be supplied to the app at runtime..but not managed directly by CA PAM.

from Sanal to Everyone:

ok.

from Steven McCullar to Everyone:

@sanal, you mentioned a 3rd party app before, what is that app?

from Sanal to Everyone:

I saw in some document that SAP is not natively supported and needs some third party.

from Shahn Soomro (CA) to Everyone:

You will need to manage (change etc.) the account password directly in SAP or using your IDM solution (e.g. CA IDM)....and supply us the new password when changed.

from Sanal to Everyone:

Ok. Got it.

from Kristen Malzone (CA) to Everyone:

Does anyone else have a question for our product team today? Sanal is bringing all of the action today!

from Shahn Soomro (CA) to Everyone:

Yes..I am not sure which 3rd party you are referring to, but CA PAM does not have a native connector for SAP User Management.

from Shinu Abdulu to Everyone:

I have a basic question. Can we use an Oracle client running on a user's desktop with PAM? Similar to how we use PuTTY with the Client Applications configuration.

from Sanal to Everyone:

it is mentioned in the document - "CA Privileged Access Manager v2.5 Platform Support Matrix"

from Sanal to Everyone:

"Others requiring 3rd party license" section

from Shahn Soomro (CA) to Everyone:

@Shinu... you can use a local application client (Oracle is no exception) from the user's desktop by defining it as a TCP/UDP service in CA PAM.. you may have to play with it a bit to test the correct port combination etc...but it's doable and has been done in the field.

from Shinu Abdulu to Everyone:

So Oracle uses the SQL*Net protocol, which is not supported in PAM. So how do I define it as a TCP/UDP service?

from Shinu Abdulu to Everyone:

When I checked, I don't see it listed in the application protocols.

from Shahn Soomro (CA) to Everyone:

AFAIK, SQL*Net runs on top of TCP...so it should be doable...indeed we do not support non-TCP/UDP protocols...can I get back to you directly about Oracle client integration?

from Shahn Soomro (CA) to Everyone:

I may be able to locate an instance where we have successfully achieved it.

from Shinu Abdulu to Everyone:

sure, thanks.. that would be really helpful.

from Sanal to Everyone:

I have a question regarding Entrust integration

from Sanal to Everyone:

Entrust

from Sanal to Everyone:

Does PAM support Entrust 2FA natively, or can we only use RADIUS?

from Shahn Soomro (CA) to Everyone:

@Sanal..you will need to use the RADIUS-based integration.

from Sanal to Everyone:

ok.

from Sanal to Everyone:

The other question is on backup and archiving of session recordings.

from Sanal to Everyone:

What is possible here?

from Steven McCullar to Everyone:

@Sanal video sessions are stored in a mount point you provide.

from Steven McCullar to Everyone:

You can store and manage them in a SAN, for example.

from Steven McCullar to Everyone:

The videos can only be viewed via PAM but can be managed

from Steven McCullar to Everyone:

...managed and archived

from Steven McCullar to Everyone:

You would have to restore them to view them in PAM.

from Sanal to Everyone:

Can I purge the files from the share and then restore from backup if required?

from Sanal to Everyone:

And then view them in PAM?

from Steven McCullar to Everyone:

Yes, they are files.

from Sanal to Everyone:

Is it possible to identify the file for a specific target server or admin?

from Steven McCullar to Everyone:

You mean outside of PAM?

from Sanal to Everyone:

Yes, in the file system.

from Adam Roll (CA) to Everyone:

@sanal - While the recording file name itself does not contain the name of the server or the admin, there is an inf file that is associated with the recording which contains the account and server name along with a few other metadata items.

from Sanal to Everyone:

So is it possible to replay a file after restoring it to the same location

from Sanal to Everyone:

?

from Kristen Malzone (CA) to Everyone:

15 minutes left! Get your final questions in now!

from Sanal to Everyone:

What should be the steps to follow for this to work?

from Steven McCullar to Everyone:

Yes, that is the way to handle it.

from Adam Roll (CA) to Everyone:

@sanal - Yes, if you archive a session off to a tape backup, for example: if you restore it to the mount point and click Play Recording for that specific session, you will be able to play it back.

from Sanal to Everyone:

ok

from Sanal to Everyone:

So we need to restore all the related files, don't we?

from Sanal to Everyone:

I mean the inf and other files.

from Steven McCullar to Everyone:

For each video.

from Adam Roll (CA) to Everyone:

@sanal - Yes, that is correct.

from Sanal to Everyone:

Ok, thanks.

from Sanal to Everyone:

Thanks for the answers

from Kristen Malzone (CA) to Everyone:

@Sanal - Thanks for joining today!

from Sanal to Everyone:

Thanks

from Kristen Malzone (CA) to Everyone:

That's all the time we have for today! Thanks for joining this month's Office Hours session for CA Privileged Access Management. I'll post next month's session in the CA Security Community as well as the transcript from today.

from Kristen Malzone (CA) to Everyone:

Have a great weekend everyone!
