parda25

REMOTE CLI access to PAM 3.1.1

Blog Post created by parda25 Employee on Mar 11, 2018

Introduction:

CA PAM (Privileged Access Manager) can be managed through the Credential Manager CLI (Command Line Interface), which performs management functions on the Credential Manager server such as adding, modifying and deleting target data and request data. In this article, I have put together the steps for testing the Remote CLI, which requires the PAM server's certificate.

 

Steps:

1. Download the 'RemoteCLI zip file' for PAM 3.1.1 from the CA support portal (support.ca.com) to your local device. In this example, a new folder 'C:\CLI11' was created. Once you download and unzip it, you will see the files below.

[Screenshot: Windows Explorer view of the new folder containing capam_command, capam_command.bat, cliTool.jar and the downloaded RemoteCLI zip archive.]

 

 

2. Download the certificate from CA PAM -> config -> security -> download certificate.

[Screenshot: CA PAM Configuration -> Security -> Certificates page, Download tab, listing the available certificates (including dppam311a.crt), private keys, CA bundles and the certificate revocation list.]

 

[Screenshot: the same local folder, now also containing the downloaded certificate dppam311a.crt (type: Security Certificate).]

 

3. Enable CLI Management from CA PAM -> Security -> External API access -> Enable Credential Management CLI.

[Screenshot: CA PAM Configuration -> Security -> Access page, showing Disabled/Enabled settings for options including External REST API and Credential Management CLI.]

 

4. On your local device, open a command prompt and change directory to 'c:\cli311'.

5. Import the certificate into the Java keystore.

 

C:\CLI> "%JAVA_HOME%\bin\keytool" -import -trustcacerts -file dppam311a.crt -alias cspmsvr311 -keystore capam.keystore

[Screenshot: keytool console output. After a mistyped first attempt ('keeytool' is not recognized), keytool prompts for the keystore password and prints the certificate details: owner and issuer are both CN=dppam311a.pamdom.local, followed by the serial number, validity period, fingerprints, signature algorithm and extensions. At the prompt "Trust this certificate? [no]:" the answer is "yes", and keytool reports "Certificate was added to keystore".]

 

6. Test capam CLI

C:\CLI> capam_command adminUserID=super capam=dppam311a.pamdom.local cmdName=getErrorCodes
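
Step 5 answers "yes" to keytool's trust prompt for a certificate whose owner and issuer are the same. The PowerShell script below is an added example, not part of the original post or of CA's tooling, that checks the downloaded file's SHA-256 fingerprint against a value obtained out of band before running the same import. It assumes JAVA_HOME is set and that it runs in the folder holding the files; the parameter names and the ExpectedSha256 placeholder are hypothetical.

```powershell
# Added example: pin the PAM certificate's fingerprint before trusting it.
param(
    [string]$CertFile = 'dppam311a.crt',      # file downloaded in step 2
    [string]$Alias    = 'cspmsvr311',         # alias used in step 5
    [string]$KeyStore = 'capam.keystore',     # keystore used in step 5
    # Placeholder: SHA-256 fingerprint obtained out of band from the PAM administrator
    [string]$ExpectedSha256 = '<SHA-256 fingerprint from the PAM administrator>'
)
$ErrorActionPreference = 'Stop'

# Reduce "AA:BB:..." or "aa bb ..." to bare upper-case hex so formats compare equal.
function ConvertTo-BareHex([string]$Text) {
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$expected = ConvertTo-BareHex $ExpectedSha256
if ($expected.Length -ne 64) {
    throw 'Set -ExpectedSha256 to the 64-hex-digit fingerprint before importing.'
}

# Hash the certificate's DER bytes with .NET, independently of keytool.
$path = (Resolve-Path -LiteralPath $CertFile).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
$sha  = [System.Security.Cryptography.SHA256]::Create()
$actual = ConvertTo-BareHex ([System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)))
$sha.Dispose()

if ($actual -ne $expected) {
    throw "Fingerprint mismatch for $CertFile (got $actual); not importing."
}
Write-Host "Fingerprint matches; subject: $($cert.Subject)"

# Step 5: import. -noprompt skips only the "Trust this certificate?" question,
# which the check above replaces; keytool still asks for the keystore password.
$keytool = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
& $keytool -import -noprompt -trustcacerts -file $path -alias $Alias -keystore $KeyStore
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Show the stored entry so its fingerprint can be compared once more.
& $keytool -list -alias $Alias -keystore $KeyStore
if ($LASTEXITCODE -ne 0) { throw "keytool list failed with exit code $LASTEXITCODE" }
```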
