Symantec Privileged Access Management

  • 1.  Break Glass Scenario of CA PAM

    Posted Apr 04, 2019 04:32 AM

I understand that in a break glass scenario the root password is not rotated,

but what if I have 200 devices which need to be physically vaulted in a safe place by the CIO?

What then, note down the passwords one by one?

What is the best practice to vault that break glass account?

Can anybody help me?

Thank you in advance



  • 2.  Re: Break Glass Scenario of CA PAM

    Broadcom Employee
    Posted Apr 04, 2019 05:21 AM

    Hi Sudip

Just to understand your use case: you have 200 devices which you want to move offline (somewhere else) and you need to have the root password for each one. Your concern is that you need to go one by one and view the password, correct? And I assume you would want to have something like a report with the passwords for those 200 devices. Is this the situation you are facing?

If so, I am afraid there is no way from PAM to list all root or break glass passwords, as it might be a security breach. You will definitely have to access each device and write it down.



  • 3.  Re: Break Glass Scenario of CA PAM

    Posted Apr 04, 2019 06:13 AM

Yes, similar to that.

Because the CIO is not interested in writing it down one by one?
Which is a tedious job?

No option to keep the password safely?



  • 4.  Re: Break Glass Scenario of CA PAM

    Broadcom Employee
    Posted Apr 04, 2019 07:06 AM

You may want to try the CLI to do this:

https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/viewaccountpassword

Basically, create a script that does a loop over the different target account ids, and to obtain those use:

https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/searchtargetaccount

The idea: use the second command to obtain the ids of the accounts you want to retrieve passwords for and throw them to a file, then use the accounts there to retrieve the passwords using the first command.

Maybe this may help?
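The two-command loop described in this reply, as an added POSIX shell example that is not code from the thread or from Broadcom. It assumes the CLI is invoked as `capam_command cmdName=<command> key=value ...` and answers in XML containing `<TargetAccount.ID>` and `<TargetAccount.password>` elements; both the invocation form and the element names are assumptions, the sample search response embedded in the script is constructed, and CLI authentication setup is left out, so check the docs linked above for your version. The part worth copying even if the syntax differs is how the output is handled: the file of 200 root passwords is exactly the list reply 2 warns about, so it is created owner-only from the first byte and is meant to be encrypted before it leaves the host.

```shell
#!/bin/sh
# Added example (not from the thread or from Broadcom).
# Assumptions: "capam_command cmdName=<command> key=value ..." invocation,
# XML replies with <TargetAccount.ID> and <TargetAccount.password> elements.
# Verify both against the CLI documentation for your PAM version.

CAPAM="${CAPAM:-capam_command}"   # override to point at a wrapper or a test stub

# Constructed sample of what searchTargetAccount is assumed to return.
SAMPLE_SEARCH='<?xml version="1.0" encoding="UTF-8"?>
<TargetAccounts>
<TargetAccount><TargetAccount.ID>1001</TargetAccount.ID><TargetAccount.userName>root</TargetAccount.userName></TargetAccount>
<TargetAccount><TargetAccount.ID>1002</TargetAccount.ID><TargetAccount.userName>root</TargetAccount.userName></TargetAccount>
<TargetAccount><TargetAccount.ID>1003</TargetAccount.ID><TargetAccount.userName>root</TargetAccount.userName></TargetAccount>
</TargetAccounts>'

# Print every <TargetAccount.ID> value found on stdin, one per line.
extract_ids() {
    grep -o '<TargetAccount\.ID>[0-9]*' | sed 's/.*>//'
}

# Print the <TargetAccount.password> value found on stdin (empty if none).
extract_password() {
    grep -o '<TargetAccount\.password>[^<]*' | sed 's/.*>//'
}

# Step 1 of the reply: IDs of all accounts with the given user name, one per line.
search_ids() {
    "$CAPAM" cmdName=searchTargetAccount "TargetAccount.userName=$1" | extract_ids
}

# Step 2 of the reply: read IDs from $1, fetch each password, write "id<TAB>password"
# lines to $2 and print how many were written. Runs in a subshell so the umask
# change does not leak into the caller; the output file is a plaintext secret,
# so it is created readable by the owner only.
collect_passwords() (
    idfile=$1; outfile=$2
    umask 077
    : > "$outfile"
    n=0
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        pw=$("$CAPAM" cmdName=viewAccountPassword "TargetAccount.ID=$id" | extract_password)
        if [ -z "$pw" ]; then
            echo "no password returned for account $id; stopping" >&2
            exit 1
        fi
        printf '%s\t%s\n' "$id" "$pw" >> "$outfile"
        n=$((n + 1))
    done < "$idfile"
    echo "$n"
)

# Usage against a real appliance (CLI credentials configured beforehand):
#   search_ids root > ids.txt
#   collect_passwords ids.txt root-passwords.tsv
#   gpg --symmetric --cipher-algo AES256 root-passwords.tsv && rm root-passwords.tsv
# Only root-passwords.tsv.gpg should go to the CIO's offline vault.

# Stand-alone demo on the constructed sample (no appliance needed):
printf '%s\n' "$SAMPLE_SEARCH" | extract_ids
```

The loop stops at the first account that returns no password rather than silently producing a short list, because a break glass file that is missing a device is discovered at the worst possible moment. Keep the plaintext file's lifetime to the seconds between collection and encryption, and treat the encrypted file like the physical safe it is going into.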



  • 5.  Re: Break Glass Scenario of CA PAM

    Broadcom Employee
    Posted Apr 04, 2019 08:51 AM

    Another option could be to:

1) set up a targetGroup that includes all of your 200 devices

2) set up a Scheduled Job that runs the update password and set the devices to "Use the same password" before you take them offline

3) put the single "password" in the vault



  • 6.  Re: Break Glass Scenario of CA PAM

    Posted Apr 08, 2019 01:49 AM

    Thank you  

Can you send the process? It's really helpful.



  • 7.  Re: Break Glass Scenario of CA PAM

    Broadcom Employee
    Posted Apr 08, 2019 02:00 PM

Not sure what more you want, it is literally what I wrote above.

1) Create a Dynamic targetGroup and set it up so your designated Server accounts are listed

2) Set up a Scheduled Job selecting the targetGroup and set it to updatePassword and "Use Same Password for All"

      a) OPTION 1, set "Generate Password = Yes"

      b) OPTION 2, set "Generate Password = No", and then enter and confirm your injected password.

3) Once the job has run, verify all targetAccounts were rotated

4) Go to any of the targetAccounts to view the password; this will be the same for all devices in the selected group

Let me know if you have any other questions.