How do I use PAM as a password vault? We will be using it for more in the future, however, I just want to use it to vault my passwords right now. If there is a way to import an existing database of passwords, that would be best. Can anyone help?
This will depend on exactly what you are trying to accomplish. In general you would need to add at least one Device & one Target Application. You can then add accounts to that target application. If you are just using it to hold passwords you only need one Device with one Generic type Target Application, but in most cases you would want to link the accounts to the device they will be used with.
Below is a tech doc I wrote that explains the basic process. Please note that this was written for 2.x, and some of the items have changed locations in 3.x (anything that says Policy > Manage Passwords is now simply under "Credentials").
HOW-TO: Set up a device for RDP or SSH with automatic login in CA PAM.
Hope this helps,
CA Technologies - North America
Thank you very much! This is exactly what I needed to know, Christian! Long time no speak!
For the Access Policy part of it (in the future when I want them linked), it speaks to a "list of users" - is this a step that needs to be completed prior, such as importing AD information?
Thank you again!
The list of users will be the users who can log in to PAM from any authentication sources you set up. Most authentication sources like LDAP, SAML or RADIUS can be configured from Configuration > 3rd Party or Configuration > Security. Once the user is in PAM it will populate in the list. It is also possible to use a user group instead of a user, but this guide was made as a quick start for the most basic use case and I expect most people would set it up with the default super account.
It is also possible to "discover" Target Accounts of various types in different ways instead of manually adding them like described in the tech doc. Just search "Discover" in our documentation and it should bring up whichever options you may need. If you have questions on any of it let us know.
FYI: I had some time so I went and created an updated version of this tech doc that is specifically for 3.x. I just submitted it so it won't be available for at least an hour (I would suggest checking back tomorrow if you are interested in it). Here is the link:
Thank you again - I have successfully started setting this up. Related question - is there a way to group passwords under one "account", or will every password show as a separate entry?
For instance, "Application X" has multiple passwords, and I would like to list those all under the "Application X" account. Currently, it appears that I must list each password as its own account.
Each account needs its own password. Each password must be attached to a single account (but you can have multiple accounts use the same password if desired).
If you are talking about using a central authority like AD then you only need one target application for many devices, but each account will still need to be listed.
If you are saying that you have an application with no real username, but multiple acceptable passwords, then I would suggest adding multiple accounts named something like "Password1", "Password2"; this way your users would know it's a password, not an account.
If you better explain your exact use case I may be able to help better.
For programmatic import of account information from an existing database, please see https://docops.ca.com/ca-privileged-access-manager/3-0-2/EN/programming. For a Java-based application you would get details under "Credential Manager APIs". For shell-based scripts the "Credential Manager CLI Commands" section would be of interest.
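As an added example (not from the thread and not CA PAM's own API or CLI): a small Python helper that stages rows from an existing password database into the Device > Target Application > Account structure discussed above, applying the one-password-per-account rule and the "Password1", "Password2" naming suggestion for applications with no real username. The CSV column names, hostnames and passwords are constructed assumptions; the resulting dicts are a staging format you would still have to hand to whichever import path you choose.

```python
"""Stage an existing password export into the Device -> Target Application
-> Account model before import. Hypothetical helper, not CA PAM code."""
import csv
import io
from collections import defaultdict

# Constructed sample export. Rows with an empty username are the
# "Application X has several passwords but no login name" case.
SAMPLE_CSV = """device,application,username,password
db01.example.test,Generic,dbadmin,s3cret-one
db01.example.test,Generic,backup,s3cret-two
app-x.example.test,Application X,,alpha
app-x.example.test,Application X,,beta
app-x.example.test,Application X,,alpha
"""


def stage_accounts(csv_text: str) -> dict:
    """Return {device: {application: [account dicts]}}.

    Rules taken from the thread:
    - every password becomes exactly one account under a target application;
    - rows with no username get synthetic names Password1, Password2, ...
      so users can see it is a password slot rather than a login name;
    - the same password may appear under several accounts, but one account
      name may not appear twice under the same device/application, because
      an account holds a single password.
    """
    tree: dict = defaultdict(lambda: defaultdict(list))
    seen = set()
    unnamed = defaultdict(int)  # running counter per (device, application)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["device"].strip(), row["application"].strip())
        name = row["username"].strip()
        if not name:
            unnamed[key] += 1
            name = f"Password{unnamed[key]}"
        if (key, name) in seen:
            raise ValueError(f"duplicate account {name!r} under {key}")
        seen.add((key, name))
        tree[key[0]][key[1]].append({"name": name, "password": row["password"]})
    return {device: dict(apps) for device, apps in tree.items()}


if __name__ == "__main__":
    for device, apps in stage_accounts(SAMPLE_CSV).items():
        for app, accounts in apps.items():
            print(device, "/", app, "->", [a["name"] for a in accounts])
```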