CA Privileged Access Manager - 2.8.3
Documentation powered by DocOps

CA Privileged Access Manager Server Control Login Integration

Last update March 27, 2017

As a security administrator, you want to audit the actual user of your server, not the shared local privileged user name. CA Privileged Access Manager Server Control Login Integration allows CA Privileged Access Manager to integrate the login process and information with CA Privileged Access Manager Server Control. When activated, it allows the use of the actual CA Privileged Access Manager user name for auditing in CA Privileged Access Manager Server Control.

CA Privileged Access Manager Configuration

CA Privileged Access Manager Server Control Login Integration configuration includes specific Server Control settings and the creation of an endpoint Device, Account, Application, and Policy.

To use server names instead of IP addresses, verify that DNS Servers are configured in the Network Configuration section. From the CA Privileged Access Manager page, click the Config menu, then Network. In the Network Configuration, verify that the DNS Servers field has DNS IP addresses listed. If none is listed, add your DNS Servers. Click Update in the Network Interfaces section.

CA Modules Configuration

Set up ActiveMQ for Server Control in the Server Control Section of CA Modules. Some information from the CA Privileged Access Manager Server Control setup is required.

  1. From the CA Privileged Access Manager page, click the Config menu, then CA Modules.
    The CA Modules panel appears.
  2. In the Server Control section, check the Enable Login Integration box.
  3. Enter the target server hostname or IP address in the ENTM Host Name or IP field.
  4. Enter the port number, or accept the default 61616.
  5. Check the Use SSL box (the default) if appropriate.
  6. Enter the ActiveMQ Broker Account. The default is "reportserver."
  7. Enter the Password.
  8. Message time-to-live defaults to 60 minutes.
  9. Reply Timeout defaults to 10 seconds.
  10. Click Ping AMQ Console when complete.
  11. Verify that your information is correct. Click Save.

Create a Device

Create a Device for the CA Privileged Access Manager Server Control endpoint.

  1. On the Devices menu, select Manage Devices.
    A list of Devices appears.
  2. Click Create Device.
  3. Enter the host name in the Device Name field.
  4. Enter the IP address in the Address field. You can verify the IP address by clicking the Scan link.
  5. Select the target Operating System.
  6. Select the Password Management option.
  7. Add an Access Method by clicking the access type (such as SSH or RDP).
    Specific access method details appear. Add or alter the information as necessary.
  8. All other fields are optional. Click Help on the Manage Device page for more information.
  9. Click Save when finished, or click Save and Add Target Applications to go directly to the next step.

Create an Application

Create an Application for the CA Privileged Access Manager Server Control endpoint.

  1. On the Policy menu, select Manage Passwords.
    A Loading Credentials Management message appears.
  2. Select Applications on the Targets menu.
  3. Click the Add button.
    The Application Details pane appears.
  4. Enter the host name in the Host Name field. You can use the Find Server magnifying glass icon to select from Devices that have already been created.
  5. Enter the device name in the Device Name field. Selecting a host name with Find Server also populates this field.
  6. Enter the target Application Name.
  7. Select the Application Type. If nothing else applies, select Generic.
    Certain Application Types display more options when selected. For example, Windows Proxy allows selection of Local or Domain Account. Most fields are optional or show a default value.
  8. Click Save when finished.

Create an Account

Create an Account for the CA Privileged Access Manager Server Control endpoint.

  1. If you are not already in Credentials Management, select Manage Passwords on the Policy menu.
    A Loading Credentials Management message appears.
  2. Select Accounts on the Targets menu.
  3. Click the Add button.
    The Account Details pane appears.
  4. Enter the host name in the Host Name field. You can use the Find Server magnifying glass icon to select from Devices that have already been created.
  5. Enter the device name in the Device Name field. Selecting a host name with Find Server also populates this field.
  6. Use the Find Application magnifying glass icon to select from Applications that have already been created for the Device. You can use the Add Application plus sign icon to add an application from this page.
  7. Enter the Account Name to use for connecting to the Server Control endpoint.
  8. Enter the Password for the Account Name you selected.
  9. Other fields are optional. At this point, you may want to enable password management options. For more information, see Maximum Password Age.
  10. Click Save when finished.

Create a Policy

Create an Access Policy for the Server Control endpoint.

  1. On the CA Privileged Access Manager access management page, select Manage Policies from the Policy menu.
  2. Click the User Field and select the User for connecting to the CA Privileged Access Manager Server Control device.
  3. Click the Device Field and select the CA Privileged Access Manager Server Control Device.
  4. Click Create Policy to create an Access Policy.
  5. For Access, click Add.
    An appropriate access method appears with a check box.
  6. Check the box.
    A text field appears.
  7. Click in the box.
    Corresponding options appear in the text field.
  8. Select the specific user for this access.
  9. Check the box for Login Integration opposite to CA Privileged Access Manager Server Control.
  10. Other fields are optional.
  11. Click Save when finished.

Test the Login Integration

To test CA Privileged Access Manager Server Control Login Integration, connect through the Access link on the Access Management page. Verify the user name substitution.

  1. Click the Access link on the upper left of the CA Privileged Access Manager home page.
    A list of Device Names appears with corresponding Access Methods and Target Applications.
  2. Click the Access Method link (such as RDP or SSH) for the Server Control Device you are integrating.
    An RDP or SSH session opens to the Device.
  3. For Windows RDP, open PowerShell or the Command prompt. For Linux, use the SSH prompt.
    The prompt includes the local CA Privileged Access Manager Server Control privileged user login, not the CA Privileged Access Manager user.
  4. For Windows, enter "secons -whoami". For Linux, enter "/opt/CA/AccessControl/bin/sewhoami -a".
    The CA Privileged Access Manager Server Control secons or sewhoami utility outputs several lines of text.
  5. Find the "PUPM User" value. This should be the CA Privileged Access Manager user, not the local Server Control privileged user.
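One way to script the check in step 5 so it can be repeated after every configuration change, as an added example that is not part of CA's documentation or tooling: it assumes the utility output contains a line of the form `PUPM User : <name>` (the field layout in your version may differ, so adjust the pattern), and the sample output below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added verification helper (not CA's code). Assumption: secons/sewhoami
# output contains a line like "PUPM User : <name>"; adjust the sed pattern
# if your Server Control version formats the field differently.

# extract_pupm_user OUTPUT -> prints the value of the "PUPM User" field
extract_pupm_user() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*PUPM User[[:space:]]*:[[:space:]]*//p' |
        head -n 1
}

# check_login_integration OUTPUT LOCAL_USER
# Returns 0 when a PUPM User is present and differs from the shared local
# privileged login, i.e. Server Control will audit the PAM user name.
# Returns 1 when the PUPM User is still the local login (integration not
# effective) and 2 when the field is missing entirely.
check_login_integration() {
    pupm=$(extract_pupm_user "$1")
    if [ -z "$pupm" ]; then
        echo "FAIL: no PUPM User field found; check Login Integration settings" >&2
        return 2
    fi
    if [ "$pupm" = "$2" ]; then
        echo "FAIL: PUPM User '$pupm' equals the local login; audit will not show the PAM user" >&2
        return 1
    fi
    echo "OK: Server Control will audit PAM user '$pupm' (local login: $2)"
    return 0
}

# Constructed sample output for offline testing (NOT real secons output):
SAMPLE_OK='Local User   : root
PUPM User    : alice.admin
Audit Mode   : on'
SAMPLE_BAD='Local User   : root
PUPM User    : root'

# Live use on a Linux endpoint (hypothetical invocation):
# check_login_integration "$(/opt/CA/AccessControl/bin/sewhoami -a)" "$(id -un)"
```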
