Symantec Privileged Access Management

  • 1.  Bulk operation to change root account password?

    Posted Apr 22, 2019 05:23 AM

    I want to change the root password of 200 devices in bulk. Is it possible? And is that password visible only to the admin of CA PAM?



  • 2.  Re: Bulk operation to change root account password?

    Broadcom Employee
    Posted Apr 24, 2019 10:21 AM

    Hello Sudip, Yes, this is possible. You define a target group, see https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/implementing/protect-privileged-account-credentials/delegate-password-management-tasks-to-groups/add-credential-manager-target-groups. Then you define a scheduled job to change the passwords for all accounts in this target group. You can select to use the same password for all. You can have PAM generate the password, or set a specific password. If you wanted to do this periodically, you would let PAM generate the password of course.



  • 3.  Re: Bulk operation to change root account password?

    Posted Apr 24, 2019 11:30 AM

    Hello Ralf, yes, that's true, I agree on that.

    But my question is: we don't rotate that password, but change the root password at 1 month.

    That changed password needs to be viewable, for when PAM goes down, to directly access the devices.

    Is it possible?



  • 4.  Re: Bulk operation to change root account password?

    Broadcom Employee
    Posted Apr 24, 2019 01:20 PM

    Hi Sudip, I am sorry, but I can't figure out what use case you are referring to. Do you want the passwords managed by PAM or not? If yes, you configure a scheduled job to update it every month. You configure roles and policies in PAM to control which PAM users are allowed to use the password for auto-connect, and which PAM users are allowed to view the password directly. What exactly is it that you are having trouble with?



  • 5.  Re: Bulk operation to change root account password?

    Posted Apr 25, 2019 01:10 AM

    Hello Ralf,

    Can you please suggest how to manage the root account for a break-glass scenario?

    Because in our scenario the root account password is vaulted by a password authority person.

    He will change the password every 1 month, but the question is, while we rotate the password from PAM, we don't know the password. If any problem occurs in PAM, how do we access the device in that scenario?

    Password rotation by PAM is OK, but after rotation can we view all the passwords one by one and note them, or is there any mechanism by which we can view all the device root passwords?



  • 6.  Re: Bulk operation to change root account password?

    Broadcom Employee
    Posted Apr 25, 2019 09:35 AM

    Sudip, I am not sure what your concern is. Are you worried that PAM may become inaccessible and no one knows the passwords because they are only stored in PAM? You should be able to avoid this with a multi-site PAM cluster. You should also schedule regular database backups that you can restore in a DR environment when needed. Note that you can only restore databases on nodes that were clustered with the originating node at one point in the past, see https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/administrating/maintenance/configuration-and-database-backups/restore-the-database-to-a-new-appliance



  • 7.  Re: Bulk operation to change root account password?

    Broadcom Employee
    Posted Apr 25, 2019 12:07 PM

    Sudip,
    Break-glass scenarios can be dealt with in several ways. We really recommend that you have a secondary PAM cluster in a remote location so that you can always access your passwords via PAM. However, there will often be one or two passwords that need to be kept outside of PAM.
    In this case you can do it manually... having someone view the password on the first of the month (or whenever it changes), write down the password and store it in a safe. This wouldn't be ideal for 200 servers, but you shouldn't need to store 200 server root accounts.
    If you really MUST store a lot of passwords in a break-glass situation, then I recommend that you use the PAM APIs to retrieve those passwords and print them out. Such a script would have several steps... 1. Query PAM for the device IDs of those devices. 2. Query PAM for the target application IDs associated with those devices. 3. Query PAM for the target account IDs associated with those devices. Finally 4. Query PAM for the password associated with those target account IDs.
    Attached is a sample PowerShell script that will do this... you will need to enable the API and create an API key to use it. Please do not use this script for production use; it's a demo with no error checking and minimal testing. Have someone in your organization develop a proper solution in a language of their choice. Also, keep in mind that the resulting output is very sensitive information and you will want to take precautions in handling it.
    # This is a simple demo of the PAM API.
    # The script will prompt you for your API key, and will get all target account
    # passwords for all devices in the device group specified below.

    $apiURL = "https://demoPamServer.mydomain.com/api.php"
    $deviceGroupName = "demoDeviceGroup"


    # This section is to prevent errors when connecting to a PAM system with a self-signed certificate.
    # Note that it turns off certificate validation for the whole PowerShell session, which is only
    # acceptable in a demo; a production script should trust the PAM certificate instead.
    if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
        Add-Type -TypeDefinition @"
        using System.Net.Security;
        using System.Security.Cryptography.X509Certificates;
        public static class TrustEverything
        {
            private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
                SslPolicyErrors sslPolicyErrors) { return true; }
            public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
            public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
        }
    "@
    }
    [TrustEverything]::SetCallback()


    # Prompt for an API key
    if (-not $apikey) { $apikey = Get-Credential -Message "Enter your API key" }

    # Output file: next to the script when run from a file, otherwise in the current directory
    # ($PSScriptRoot is empty when the script is pasted into an interactive session).
    $outFile = if ($PSScriptRoot) { Join-Path $PSScriptRoot "output.csv" } else { Join-Path (Get-Location) "output.csv" }

    # Run an API call to get the group id for the group name
    $results = Invoke-RestMethod -Uri "$apiURL/v1/deviceGroups.json?fields=groupId&groupName=$deviceGroupName" -Method Get -Credential $apikey
    $groupId = $results.groupId

    # Run an API call to get the devices in that group (returned as name/id properties)
    $devices = Invoke-RestMethod -Uri "$apiURL/v1/deviceGroups.json/$groupId/devices" -Method Get -Credential $apikey
    $devices = $devices.PsObject.Properties

    # Loop over devices
    ForEach ($device in $devices) {
        $deviceId = $device.Value
        $deviceName = $device.Name

        # Run an API call to get all of the target applications on the device
        $targetApps = Invoke-RestMethod -Uri "$apiURL/v1/devices.json/$deviceId/targetApplications?fields=id" -Method Get -Credential $apikey

        # Loop over the target applications
        ForEach ($targetAppId in $targetApps.id) {

            # Run an API call to get all of the target accounts for the device and target application
            $targetAccts = Invoke-RestMethod -Uri "$apiURL/v1/devices.json/$deviceId/targetApplications/$targetAppId/TargetAccounts" -Method Get -Credential $apikey

            # Loop over the target accounts
            ForEach ($targetAcct in $targetAccts) {

                # Run an API call to get the password for the target account
                $pw = Invoke-RestMethod -Uri "$apiURL/v1/passwords.json/$($targetAcct.accountId)?reason=Other&reasonDetails=Break%20Glass%20Storage" -Method Get -Credential $apikey

                # If the account uses a public key, report that instead of a password
                if ($pw.publickey) {
                    $password = "Public Key"
                } else {
                    $password = $pw.password
                }

                # Display the passwords on the screen
                Write-Host "$deviceName\$($targetAcct.accountName): $password"

                # Write the results to a tab-delimited file (plaintext credentials: handle with care)
                "$deviceName`t$($targetAcct.accountName)`t$password" | Out-File $outFile -Append
            }
        }
    }

    # Restore normal certificate validation for the rest of the session
    [TrustEverything]::UnsetCallback()
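As an added example (not part of the original post or its script), one way to act on the advice above about protecting the output: rather than appending plaintext to output.csv, collect the device/account/password records and write them as one CMS-encrypted file addressed to the break-glass custodian's certificate, so only the holder of that private key can open it. It assumes a certificate with the Document Encryption EKU whose subject is CN=BreakGlassCustodian (an assumed name) is available to the exporter; the function names and sample records are mine.

```powershell
# Added example, not from the original post. Assumes a Document Encryption certificate
# (EKU 1.3.6.1.4.1.311.80.1) for the break-glass custodian; the subject name below is assumed.
$custodianCert = "CN=BreakGlassCustodian"

# Records would normally come from the device/account loop of the demo script;
# these three are constructed sample values.
$sampleRecords = @(
    [pscustomobject]@{ Device = "demoHost01"; Account = "root"; Password = "constructed-sample-1" }
    [pscustomobject]@{ Device = "demoHost02"; Account = "root"; Password = "constructed-sample-2" }
    [pscustomobject]@{ Device = "demoHost03"; Account = "root"; Password = "Public Key" }
)

function Export-BreakGlassRecords {
    # Writes the records as one CMS-encrypted blob; no plaintext touches the disk.
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string]   $Recipient,   # cert subject, thumbprint, or path to a .cer file
        [Parameter(Mandatory)] [string]   $OutFile
    )
    $lines = @("device`taccount`tpassword")
    $lines += $Records | ForEach-Object { "$($_.Device)`t$($_.Account)`t$($_.Password)" }
    Protect-CmsMessage -To $Recipient -Content ($lines -join "`r`n") -OutFile $OutFile
    Remove-Variable lines           # drop the plaintext from the session
    return (Get-Item $OutFile).Length
}

function Import-BreakGlassRecords {
    # Run by the custodian on a trusted workstation that holds the private key.
    param([Parameter(Mandatory)] [string] $Path)
    Unprotect-CmsMessage -Path $Path | ConvertFrom-Csv -Delimiter "`t"
}

$outFile = Join-Path (Get-Location) "breakglass.cms"
Export-BreakGlassRecords -Records $sampleRecords -Recipient $custodianCert -OutFile $outFile | Out-Null

# Verify the round trip: the decrypted export should list the same accounts.
$restored = Import-BreakGlassRecords -Path $outFile
if ($restored.Count -ne $sampleRecords.Count) { throw "break-glass export did not round-trip" }
```

The encrypted file still needs the same custody controls as a sealed envelope in a safe: record who exported it and when, and have the custodian decrypt it only during an actual break-glass event.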