In a scenario where all the privileged accounts are managed by CA PAM, and for some reason the PAM appliance is down during business hours while administrators need to access the target systems for various issues, how can we achieve that?
That is a very common question that I have experienced when deploying CA PAM. The answer really depends on the enterprise's security requirements. Some of the sites that I have worked with have created master accounts for each of their primary systems (LDAP, TACACS, Linux, SQL...) and set these accounts up in PAM with Password View Policies that do not rotate the account; then they have had a designated 'Trusted Agent' print or copy these accounts and passwords and store them in a security envelope in a safe or sufficiently secured area that meets enterprise security requirements.
Others have used the Credentials Management command line tools (Reference the CA-PAM_CM_Implementation_Guide-v2.pdf) to export specific accounts on a regular basis and save them, while keeping the password expiration implemented and updating their break glass accounts according to the credential rotation schedule. This is really something that needs to be discussed internally within the organization.
Proper deployment and management of PAM can help reduce outages with cluster replication and true redundant systems for management (i.e. power, infrastructure, alternate site, etc.).
Is your question answered? If yes, can you please mark it as answered?
CA Support Delivery Manager