Symantec Privileged Access Management

  • 1.  Weblogic account in 2.8.2

    Posted Apr 13, 2017 06:57 AM

    Hi

     

    I'm having problems defining new weblogic accounts in CA PAM 2.8.2.

    Even if I choose "Update only the Password Authority Server", it gives an error saying that I must define a change process account. (WebLogic 10 Account Details -> Change Process).

    On version 2.8.1, this didn't happen when I defined the existing accounts.

    Does it make sense to have a "change process account" if I only want to store the password? Does anyone have this same issue?

    Thanks

    Best regards



  • 2.  Re: Weblogic account in 2.8.2

    Broadcom Employee
    Posted Apr 13, 2017 12:45 PM

    Hi Nuno,

     

    I just tested this on 2.7.0, 2.8.0, 2.8.1 & 2.8.2 and I am seeing the same behavior you mentioned above in all 4 releases. 

     

    This behavior does seem strange to me, especially since it does still happen when using "Update only the Password Authority Server" as you pointed out. I would suggest opening a support ticket for this.

     

    -Christian



  • 3.  Re: Weblogic account in 2.8.2

    Broadcom Employee
    Posted Apr 27, 2017 11:44 AM

    Hi Nuno, 
    We detected this with another colleague. I found a workaround to fix this in the meantime.

    There's a new attribute for Weblogic accounts: useOtherAccountToChangePassword. To configure the first Target Account, you will need to do it using the CLI. 

    Windows Domain Services Target Connector - CA Privileged Access Manager - 2.8.2 - CA Technologies Documentation 
    The parameter useOtherAccountToChangePassword has to be set to false. If, after creating this account, you want to create another target account (weblogic type), you will see that the first account created is now available to be selected in the Change Process.
    If you don't want to select any account, you will have to create the account from the command line.

     

     

    1) Create the New Target Account:
    https://docops.ca.com/ca-privileged-access-manager/2-8-2/EN/programming/credential-manager-cli-commands/addtargetaccount


    >capam_command cspmHostName=<PAM IP> UserID=super cmdName=addTargetAccount TargetServer.hostName=<Server hostname> TargetApplication.name=<Application Name> TargetAccount.userName=<username> TargetAccount.password=<password> Attribute.useOtherAccountToChangePassword=false TargetAccount.privileged=true 

     

    2) If you need to update an existing target account, then check the updateTargetAccount command:
    https://docops.ca.com/ca-privileged-access-manager/2-8-2/EN/programming/credential-manager-cli-commands/updatetargetaccount

     

    For example: >capam_command cspmHostName=<PAM IP> UserID=super cmdName=updateTargetAccount TargetAccount.ID=<TargetAccount ID> TargetAccount.userName=<TargetAccountName> TargetAccount.privileged=true Attribute.useOtherAccountToChangePassword=false


    Remember that you have to add the argument: useOtherAccountToChangePassword=false

     

    Hope this is helpful.

    Regards,

    Celeste



  • 4.  Re: Weblogic account in 2.8.2

    Posted Apr 27, 2017 02:15 PM

    Hi

     

    I updated the existing account by command line and it shows useOtherAccountToChangePassword=false.

    But I'm still not able to change that account using the web interface. For example, to add a descriptor.

     

    Thanks



  • 5.  Re: Weblogic account in 2.8.2

    Broadcom Employee
    Posted Apr 28, 2017 03:19 AM

    Hi Nuno, 
    That is correct. Unfortunately, if you are not going to select another account to have permission to change the password (in Change Process), you will have to update the account settings via command line. This is a bug.

    If you want to add a description, you will have to add these arguments in the updateTarget command.

     

    For example:
    capam_command cspmHostName=<PAM IP> UserID=super cmdName=updateTargetAccount TargetAccount.ID=<TargetAccount ID> TargetAccount.userName=<TargetAccountName> TargetAccount.privileged=true Attribute.useOtherAccountToChangePassword=false Attribute.descriptor1=<Description> TargetAccount.synchronize=<true/false>

     

    Set TargetAccount.synchronize=true to indicate that the password stored in Credential Manager should be synchronized with the password on the target system. This functionality is not supported with Target Application Type Generic.

     

    Find more arguments in the link provided previously: 

    updateTargetAccount - CA Privileged Access Manager - 2.8.2 - CA Technologies Documentation 

     

    For further information let us know.

    Thanks,
    Regards,

    Celeste



  • 6.  Re: Weblogic account in 2.8.2

    Posted Apr 28, 2017 04:08 AM

    Hi

    Ok. I understand.

    Thanks for this workaround.

    Best regards

    NM