Symantec Privileged Access Management

  • 1.  How do I setup the password vault?

    Posted Jan 19, 2018 01:59 PM

    How do I use PAM as a password vault? We will be using it for more in the future; however, I just want to use it to vault my passwords right now. If there is a way to import an existing database of passwords, that would be best. Can anyone help?



  • 2.  Re: How do I setup the password vault?
    Best Answer

    Broadcom Employee
    Posted Jan 19, 2018 02:28 PM

    Hi Mike,

     

    This will depend on exactly what you are trying to accomplish. In general you would need to add at least one Device & one Target Application. You can then add accounts to that target application. If you are just using it to hold passwords you only need one Device with one Generic type Target Application, but in most cases you would want to link the accounts to the device they will be used with.

     

    Below is a tech doc I wrote that explains the basic process. Please note that this was written for 2.x, and some of the items have changed locations in 3.x (anything that says Policy > Manage Passwords is now simply under "Credentials").

     

    HOW-TO: Set up a device for RDP or SSH with automatic login in CA PAM. 

     

    Hope this helps,

    Christian Lutz

    Support Engineer

    CA Technologies - North America



  • 3.  Re: How do I setup the password vault?

    Posted Jan 19, 2018 02:56 PM

    Thank you very much! This is exactly what I needed to know, Christian! Long time no speak!

     

    For the Access Policy part of it (in the future when I want them linked), it speaks to a "list of users" - is this a step that needs to be completed prior, such as importing AD information?

     

    Thank you again!

     

    Respectfully,

     

    Mike 



  • 4.  Re: How do I setup the password vault?

    Broadcom Employee
    Posted Jan 19, 2018 03:14 PM

    Hi Mike,

     

    The list of users will be the users who can log in to PAM from any authentication sources you set up. Most authentication sources like LDAP, SAML or RADIUS can be configured from Configuration > 3rd Party or Configuration > Security. Once the user is in PAM it will populate in the list. It is also possible to use a user group instead of a user, but this guide was made as a quick start for the most basic use case and I expect most people would set it up with the default super account.

     

    It is also possible to "discover" Target Accounts of various types in different ways instead of manually adding them as described in the tech doc. Just search "Discover" in our documentation and it should bring up whichever options you may need. If you have questions on any of it let us know.

     

    Regards,

    Christian Lutz

    Support Engineer

    CA Technologies - North America



  • 5.  Re: How do I setup the password vault?

    Broadcom Employee
    Posted Jan 19, 2018 03:44 PM

    FYI: I had some time so I went and created an updated version of this tech doc that is specifically for 3.x. I just submitted it so it won't be available for at least an hour (I would suggest checking back tomorrow if you are interested in it). Here is the link:

    https://support.ca.com/us/knowledge-base-articles.TEC1927705.html 

     

    Regards,

    Christian Lutz

    Support Engineer

    CA Technologies - North America



  • 6.  Re: How do I setup the password vault?

    Posted Jan 22, 2018 09:45 AM

    Thank you again - I have successfully started setting this up. Related question - is there a way to group passwords under one "account", or will every password show as a separate entry?

     

    For instance, "Application X" has multiple passwords, and I would like to list those all under the "Application X" account. Currently, it appears that I must list each password as its own account.



  • 7.  Re: How do I setup the password vault?

    Broadcom Employee
    Posted Jan 22, 2018 11:52 AM

    Each account needs its own password. Each password must be attached to a single account (but you can have multiple accounts use the same password if desired).

     

    If you are talking about using a central authority like AD then you only need one target application for many devices, but each account will still need to be listed.

     

    If you are saying that you have an application with no real username, but multiple acceptable passwords, then I would suggest adding multiple accounts named something like "Password1", "Password2"; this way your users would know it's a password, not an account.

     

    If you better explain your exact use case I may be able to help better.

     

    Regards,

    Christian Lutz

    Support Engineer

    CA Technologies - North America



  • 8.  Re: How do I setup the password vault?

    Broadcom Employee
    Posted Jan 19, 2018 03:31 PM

    For programmatic import of account information from an existing database, please see https://docops.ca.com/ca-privileged-access-manager/3-0-2/EN/programming. For a Java-based application you would get details under "Credential Manager APIs". For shell-based scripts the "Credential Manager CLI Commands" section would be of interest.