
How to install, configure and test A2A with RedHat7

Blog Post created by parda25 Employee on May 22, 2018

This article shows how to install and configure the A2A client agent on RedHat 7 / CentOS 7 and then test it with the example code shipped with the client.

1. Go to the product download page on support.ca.com after logging in and search for Privileged Access Manager. Select the PAM version and download the "CA Privileged App to App Manager Debian" product.

[Screenshot: CA Support download center listing, showing "CA Privileged App to App Manager DEBIAN" among the Privileged Access Manager packages]

2. Transfer the "Unix A2A agent zip" file to the target Linux server.

3. Unzip the file:

[root@parda25-I9298 tmp]# unzip Unix\ A2A_GEN500000000000518.zip -d ./a2aclient
Archive: Unix A2A_GEN500000000000518.zip
   creating: ./a2aclient/packages/
inflating: ./a2aclient/packages/cloakware_cspm_full_client_rhel50_x86.tar.gz
inflating: ./a2aclient/packages/cloakware_cspm_full_client_sol10.tar.gz

4. Go to the unzipped folder and make setup_unix executable:

[root@parda25-I9298 a2aclient]# chmod u+x setup_unix

5. Create a directory for the A2A client on the target server and run setup_unix. Its usage is:

usage: setup_unix <Linux|SolarisSparc> <32|64> <installDir> <serverFQDN or serverAddress>

[root@parda25-I9298 a2aclient]# mkdir ~/a2a
[root@parda25-I9298 a2aclient]# ./setup_unix Linux 64 ~/a2a/ 155.35.245.84
..
Remember to set and export CSPM_CLIENT_HOME=/root/a2a//catech, or
"include" /root/a2a//catech/cspmclient/bin/.cspmclientrc
in all CAPAM A2A Client user's environment (/etc/[rc|profile] files)

***** CAPAM A2A Client Setup Process Finished Successfully *****

Note the closing message: CSPM_CLIENT_HOME must be set and exported, or the .cspmclientrc file sourced, in the environment of every user that will call the A2A client.

6. Start the A2A client daemon (the prompt below is in the client's bin directory):

[root@parda25-I9298 bin]# ./cspmclientd start
Client Daemon 7388 started
Now seed the local encryption with a unique password
Cache persistence is turned off. Authentication is not required!

7. Go to the PAM client and set it up for the A2A test.

 1) Device -> Manage device -> enable Access, Password Management and A2A.

[Screenshot: Update Device dialog for parda25-i9298.ca.com (Linux) with Access, Password Management and A2A enabled]

 2) Create Target Application.

[Screenshot: Add Target Application dialog with Device Name parda25-i9298.ca.com, Application Name a2a-centos, Application Type UNIX]

 3) Create Target Account as A2A.

[Screenshot: Add Target Account dialog for application a2a-centos with Account Type "A2A Account", Cache Behavior "Use Cache First" and Cache Expiry Days 30]

8. Configure A2A settings.

 1) Manage A2A -> Script.

[Screenshot: Add A2A Script dialog with Device Name parda25-i9298.ca.com, Script/App Name example.pl, Execution Path /root/a2a/catech/cspmclient/examples, File Path /root/a2a/catech/cspmclient/examples/example.pl, Type perl]

 2) Manage A2A -> A2A Clients.

[Screenshot: A2A Clients list showing the registered client hosts with IP address, version 4.13.1, device name and connection status]

 3) Manage A2A -> Mapping.

[Screenshot: A2A Authorization Mappings list with target alias a2atest mapped to the client host and the script example.pl]

9. Test: SSH to the target server and run the example Perl script to retrieve the credential.

[root@parda25-I9298 examples]# ./example.pl a2atest true
Return Code: 400
UserID:   root
Password:       Password01
PASSED
[root@parda25-I9298 examples]#
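As an added example (not code from the original post or from CA), a POSIX shell wrapper for this final test step: it checks that the client rc file named by the setup script exists, sources it, runs example.pl and reports only the return code and UserID, because the example script as run above prints the retrieved password on the terminal. It assumes the ~/a2a install directory and the output lines exactly as in the transcript above (where Return Code 400 appears together with PASSED), and it evaluates a constructed sample of that output first so it can be run anywhere.

```shell
#!/bin/sh
# Added example, not part of the original post: check the A2A client setup
# and evaluate the example.pl test result without echoing the credential.
# Assumptions: install dir ~/a2a as in the post; the .cspmclientrc path and the
# "Return Code:", "UserID:", "Password:" and "PASSED" lines come from the post's
# own transcript, where Return Code 400 appears together with PASSED.

# Constructed sample of the example.pl output (password value replaced).
SAMPLE_OUTPUT='Return Code: 400
UserID:   root
Password:       constructed-sample-password
PASSED'

# check_a2a_env DIR: succeed if the client rc file the setup script mentions exists.
check_a2a_env() {
  [ -f "$1/catech/cspmclient/bin/.cspmclientrc" ]
}

# a2a_result OUTPUT: print "ok <userid>" when the run reports code 400 and PASSED,
# otherwise "fail <code>". The Password line is parsed out and never printed.
a2a_result() {
  out="$1"
  code=$(printf '%s\n' "$out" | sed -n 's/^Return Code:[[:space:]]*\([0-9]*\).*/\1/p' | head -n 1)
  user=$(printf '%s\n' "$out" | sed -n 's/^UserID:[[:space:]]*\(.*\)$/\1/p' | head -n 1)
  if [ "$code" = "400" ] && printf '%s\n' "$out" | grep -q '^PASSED$'; then
    printf 'ok %s\n' "$user"
  else
    printf 'fail %s\n' "${code:-none}"
  fi
}

# Stand-alone use: evaluate the constructed sample, then run the real test
# script only if the client is installed under ~/a2a.
a2a_result "$SAMPLE_OUTPUT"
if check_a2a_env "$HOME/a2a"; then
  . "$HOME/a2a/catech/cspmclient/bin/.cspmclientrc"
  a2a_result "$("$HOME/a2a/catech/cspmclient/examples/example.pl" a2atest true 2>&1)"
fi
```

Run it as the user whose environment includes CSPM_CLIENT_HOME; a "fail" line with a code other than 400 means the A2A mapping or client registration from steps 7 and 8 should be rechecked.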
