CA Privileged Access Manager - 2.8.3

Integrate a Java Application or Application Server

Last update February 16, 2017

The following method has been tested with a WebLogic version 12.2.1 application server.

Setup

To turn a Java application or application server (such as WebLogic, JBoss, or Tomcat) into a requestor, configure it to use the Privileged Access Manager JARs and native code libraries:

  • The JAR files must be in the class path of the requestor. The JAR files are cspmclient.jar and cwjcafips.jar. They are located in the $CSPM_CLIENT_HOME/cspmclient/lib directory.
  • If the requestor needs to use the Privileged Access Manager JDBC proxy, the cloakwareJdbc.jar file must be in the class path of the requestor. It is located in the $CSPM_CLIENT_HOME/cspmclient/tools directory.
  • The requestor’s library path must include $CSPM_CLIENT_HOME/cspmclient/lib.

Setting the class path can be done in the standard Java manner or might be application-specific. The latter is a common requirement of application servers. See your application documentation for details.

The library path can be set:

  • As part of the requestor Java invocation using the -Djava.library.path syntax
  • Using the OS-specific environment variable. The possible environment variables are PATH for Windows, LD_LIBRARY_PATH for Solaris and Linux, and LIBPATH for AIX.

Using the Privileged Access Manager JDBC Proxy Driver

The Privileged Access Manager JDBC driver is a proxy for the original Database Management System (DBMS) JDBC driver. Without A2A, the requestor has a JDBC connection to a DBMS. The requestor is configured with:

  • The JDBC driver's class, which must be in the class path of the requestor
  • Information about where it is connecting (the DBMS' hostname, and so on)
  • Additional driver parameters, such as the username and password to log in as, the driver buffer sizes, and so on.

To use the Privileged Access Manager JDBC driver:

  1. Change the driver reference from the original DBMS-specific one to the Privileged Access Manager JDBC driver. The driver class name becomes com.cloakware.jdbc.JdbcDriver.
  2. Change the JDBC connection string to add information specifying the Privileged Access Manager JDBC driver name, the target alias that identifies the target account, and the class name of the original DBMS JDBC driver as follows:
    1. Prefix the JDBC connection string with cspm.
    2. Suffix the JDBC connection string with ;CSPMDriver=targetDriverClassName;CSPMAlias=alias where:
      • targetDriverClassName is the class name of the original DBMS JDBC driver (such as oracle.jdbc.driver.OracleDriver for Oracle, com.microsoft.sqlserver.jdbc.SQLServerDriver for Microsoft SQL Server, com.mysql.jdbc.Driver for MySQL, org.postgresql.Driver for Postgres, or com.ibm.db2.jcc.DB2Driver for DB2)
      • alias is the target alias that is associated with the target account the requestor uses to log in to the DBMS

CA Technologies also recommends that the username and password fields be cleared out because they are overwritten by the Privileged Access Manager JDBC proxy driver.

The following example shows a modified connection string to an Oracle database:

  • Before: jdbc:oracle:thin:@//dbHost:1521/myService
  • After: cspm:jdbc:oracle:thin:@//dbHost:1521/myService;CSPMDriver=oracle.jdbc.OracleDriver;CSPMAlias=myAlias
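
The rewrite steps above can be applied in code when a requestor's data sources are migrated. The following is an added example, not code from CA Technologies: the class CspmJdbcUrl, its methods, the allowed alias characters, and the sample property values are assumptions, and "clearing" the credentials is done here by removing the standard JDBC user and password properties.

```java
import java.util.Properties;
import java.util.regex.Pattern;

public class CspmJdbcUrl {
    // Proxy driver class name as given on this page.
    static final String PROXY_DRIVER = "com.cloakware.jdbc.JdbcDriver";
    // Assumption: both values are restricted so they cannot contain ';' or '='
    // and so cannot append extra parameters to the connection string.
    private static final Pattern CLASS_NAME =
        Pattern.compile("[A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)*");
    private static final Pattern ALIAS = Pattern.compile("[A-Za-z0-9_.-]+");

    // Step 2: prefix with "cspm:" and suffix with ;CSPMDriver=...;CSPMAlias=...
    static String toProxyUrl(String originalUrl, String targetDriver, String alias) {
        if (!originalUrl.startsWith("jdbc:"))
            throw new IllegalArgumentException("not a JDBC connection string");
        if (originalUrl.contains("CSPMDriver=") || originalUrl.contains("CSPMAlias="))
            throw new IllegalArgumentException("CSPM parameters already present");
        if (!CLASS_NAME.matcher(targetDriver).matches())
            throw new IllegalArgumentException("invalid driver class name");
        if (!ALIAS.matcher(alias).matches())
            throw new IllegalArgumentException("invalid target alias");
        return "cspm:" + originalUrl
            + ";CSPMDriver=" + targetDriver + ";CSPMAlias=" + alias;
    }

    // Drop static credentials; the proxy driver overwrites them anyway.
    static Properties withoutCredentials(Properties original) {
        Properties cleaned = new Properties();
        cleaned.putAll(original);
        cleaned.remove("user");
        cleaned.remove("password");
        return cleaned;
    }

    public static void main(String[] args) {
        Properties props = new Properties();          // constructed sample values
        props.setProperty("user", "appUser");
        props.setProperty("password", "constructed-sample");
        props.setProperty("defaultRowPrefetch", "50");
        String url = toProxyUrl("jdbc:oracle:thin:@//dbHost:1521/myService",
                                "oracle.jdbc.OracleDriver", "myAlias");
        System.out.println(url);
        System.out.println(withoutCredentials(props).stringPropertyNames());
        // With the JARs and library path from Setup in place, the requestor then
        // loads PROXY_DRIVER and passes url and the cleaned properties to
        // java.sql.DriverManager.getConnection(url, cleaned).
    }
}
```

Run as written, the first line printed matches the "After" connection string shown above, and the second shows that only the non-credential driver parameter remains.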
