Symantec Privileged Access Management


How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

  • 1.  How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

    Posted Apr 11, 2018 11:38 AM

    Hi CA People

     

    Hi, we need to extract the certificate for the components of CA PAM; this includes CA PAM Server Control and Threat Analytics for PAM. This procedure is for enabling HTTPS as a secure site; please let me know if this is the procedure. Could you send some link or document for this?

     

    Thanks



  • 2.  Re: How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

    Broadcom Employee
    Posted Apr 11, 2018 05:22 PM

    Hi Julian,

    You can retrieve the certificate of any secure server by using a browser like Google Chrome to connect and then clicking on the security report/lock icon. Or are you asking about procedures to install new server certificates?



  • 3.  Re: How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

    Posted Apr 11, 2018 05:48 PM

    Hi Ralf

     

    The first step is to extract the certificate in .csr or .pem format so that it can be validated by the certifying entity; after that we have to install or replace this certificate.

     

    For PAM SC I am working from this document (How to Replace the Default SSL Certificates - CA Privileged Access Manager Server Control - 14.0 - CA Technologies Docum…), but the file eta2_server.p12 has a password and I do not know it.



  • 4.  Re: How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

    Broadcom Employee
    Posted Apr 11, 2018 06:04 PM

    Hi Julian, At which point in the process are you blocked because you don't know this password?



  • 5.  Re: How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

    Posted Apr 11, 2018 06:29 PM

    Hi Ralf

     

    In the section "replace the jboss certificate with the custom certificate", at step 5.

     

    I searched and found these two certificates and tried to import the certificate into the JBoss keystore.

     

     

    Thanks



  • 6.  Re: How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

    Broadcom Employee
    Posted Apr 11, 2018 07:03 PM

    Julian, I work on PAM, not PAM SC. But reading through the procedure it appears there are steps missing. It talks about creating the pem files for the new certificate chain and new server certificate with private key, but not how to put them in a keystore. I see that the following community post has a link to a document that includes this step: https://communities.ca.com/thread/241793955-pam-sc-entm-web-certification . Other than that I'll have to let one of my PAM SC support team members comment further on it.

    For PAM itself, the procedure to create and load a certificate is documented at https://docops.ca.com/ca-privileged-access-manager/3-0-1/EN/implementing/configure-your-server/configure-security-settings/create-a-self-signed-certificate-or-a-certificate-signing-request

    If you use certificate authorities that are not known to PAM yet, you may have to upload the CA certificate chain prior to loading the certificate so that PAM can validate it. The Configuration > Security >  Certificates -> Upload page allows upload of CA Bundles (Root CA certs), intermediate certificates and CRLs.



  • 7.  Re: How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

    Posted Apr 12, 2018 10:12 AM

    Hi Ralf

    I am reading the documents but clearly they are more precise. I would appreciate it if you have a response from your team.

     

    Thank you very much



  • 8.  Re: How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

    Posted Apr 17, 2018 12:24 PM

    Hi Ralf

    I have generated the certificate and sent it to the certifying entity. The certificate was returned to me in .pem format, but when I try to upload it to PAM it generates the error shown in the image and I do not know how to proceed.

     

     

    Any ideas for this?



  • 9.  Re: How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

    Broadcom Employee
    Posted Apr 17, 2018 10:02 PM

    Hi Julian, I am confused about what you did. If you created the CSR using PAM following instructions at https://docops.ca.com/ca-privileged-access-manager/3-0-1/EN/implementing/configure-your-server/configure-security-settings/create-a-self-signed-certificate-or-a-certificate-signing-request, you would import the certificate only because the private key would be on the PAM server already. But above you show a "Certificate with Private Key" selection. Does that imply that you created the CSR outside of PAM and now want to import the certificate with private key? In that case, make sure the private key is included in what you import. If you did create the CSR using PAM, please note the following step in the procedure at the above link:

     

    4. Rename the certificate that is received from the third party if necessary, so that:

       a) Its base name is the same as the one that originally generated.

       b) Its extension is ".crt".
    For example, if the original PEM name was abc.pem, the uploaded file must be named abc.crt
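
A pre-upload check for the two points in the reply above (whether the returned file carries a private key, and the rename to `.crt`), as an added example that is not part of the original thread or of the PAM product. The function names and the sample PEM blocks are constructed for illustration, and the check only reads PEM block labels; it does not parse the certificate itself.

```python
import base64
import re
from pathlib import PurePath

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Return the label of every well-formed PEM block in text."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Legacy encrypted keys carry "Proc-Type:"/"DEK-Info:" header lines.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        base64.b64decode(b64, validate=True)  # raises ValueError if damaged
        labels.append(label)
    return labels

def upload_plan(pem_text, original_pem_name):
    """Decide what the returned file is and what name to upload it under."""
    labels = pem_labels(pem_text)
    certs = labels.count("CERTIFICATE")
    has_key = any(l.endswith("PRIVATE KEY") for l in labels)
    if certs == 0:
        if any(l.endswith("CERTIFICATE REQUEST") for l in labels):
            raise ValueError("file is the CSR, not the issued certificate")
        raise ValueError("no CERTIFICATE block found")
    return {
        "certificates": certs,          # more than one means a chain is included
        "has_private_key": has_key,     # False: key must already be on the server
        "upload_name": PurePath(original_pem_name).stem + ".crt",
    }

def _block(label):  # constructed sample block, not real key material
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

CERT_ONLY = _block("CERTIFICATE")
CERT_AND_KEY = _block("CERTIFICATE") + _block("PRIVATE KEY")
CSR_ONLY = _block("CERTIFICATE REQUEST")

if __name__ == "__main__":
    print(upload_plan(CERT_ONLY, "abc.pem"))
    print(upload_plan(CERT_AND_KEY, "abc.pem"))
```
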



  • 10.  Re: How extract or generate certificate for CA PAM SC, CA PAM Threat Analytics

    Broadcom Employee
    Posted Apr 12, 2018 02:01 PM

    Hello Riano,

     

    Find the predefined value of keystorePass=

    in <jboss>\server\default\deploy\jboss-web.deployer\server.xml

     

    I suggest opening a Support case should you still face issues with the above procedure to change the certificates of the various components of PAM Server Control Server.

     

    Best Regards,

    Andreas