CA Privileged Access Manager - 2.8

Global Settings Menu Bar Reference

Last update February 21, 2017

Use the Global Settings screen to set global options.

Basic Settings

Note: Generally, a value of zero (0) removes the restriction that the particular setting is intended to enforce.

Default Auth Method
Default: Local
Select from a drop-down list the default authentication method that appears on the login page.
Options: LOCAL, LDAP, RSA, RADIUS, TACACS+, LDAP+RSA, LDAP+RADIUS
Note: At least one user must be created with the chosen authentication method before this option is available.

Default Page Size
Default: 30 devices
Number of device line items to display on the Access page (immediately following login).

Table Refresh Interval
Default: 60 seconds
The default refresh interval for Discovery Scan tables. A value of 0 indicates no refresh.

Scan Purge Interval
Default: 30 days
Number of days to keep Discovery scans.

Login Timeout
Default: 10 minutes
Set the maximum length of login inactivity before a login session closes and requires reauthentication from the login page. ("Inactivity" refers to a lack of data communication between the User client and the CA PAM appliance, that is, idle time.)

If this value is not zero, every CA PAM User login begins a countdown at the start of the session. While this User maintains active (live) connections to back-end (target) devices, the timeout stops counting down and resets itself to the Login Timeout value. When all connections are closed, the countdown starts again from that value.

To turn off the timeout feature, set this value to zero.

Note: Login sessions as opposed to connection sessions: do not confuse a "login session" with a "connection session." A Login Session is when a User logs in to CA PAM (to perform either connection or administrative activity). A Connection Session is when a User connects (and logs in) to a back-end or target device.

The Credential Manager activity timeout is:

  • Unconfigurable: Credential Manager menus currently have a fixed timeout of 30 minutes. Regardless of the Login Timeout setting here, or activity in the rest of the menu, a Credential Manager menu tab closes after 30 minutes.
  • Independent of Login Timeout: When the Login Timeout value is non-zero (in other words, operational), and you perform activity exclusively in the Credential Manager menu for a time exceeding that value, CA PAM logs you out (of all activity) as if your session had been idle. In other words, Credential Manager activity is not counted against the Login Timeout clock.
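The countdown rules above (paused and reset while a target connection is live, restarted from the full value when the last connection closes, Credential Manager work not counted) are easy to misjudge when tuning the value. The following model is an added illustration, not CA PAM code; it assumes time is expressed in minutes since login and that a session expires once the idle time reaches the Login Timeout value.

```python
from dataclasses import dataclass


@dataclass
class LoginSession:
    """Model of the Login Timeout countdown (illustrative, not CA PAM code).

    Times are minutes since the user logged in to CA PAM. timeout == 0 disables the countdown.
    """
    timeout: float                 # Login Timeout setting, in minutes
    countdown_start: float = 0.0   # moment the countdown last (re)started
    live_connections: int = 0      # open connection sessions to target devices

    def is_expired(self, now: float) -> bool:
        """Expired when the countdown ran the full timeout with no live connection."""
        if self.timeout == 0 or self.live_connections > 0:
            return False
        return now - self.countdown_start >= self.timeout

    def activity(self, now: float) -> None:
        """Data exchanged between the user client and the appliance restarts the countdown.
        An already expired session stays expired: the user must log in again."""
        if not self.is_expired(now):
            self.countdown_start = now

    def credential_manager_activity(self, now: float) -> None:
        """Credential Manager work is not counted against the Login Timeout clock,
        so the countdown is deliberately left untouched."""

    def open_connection(self, now: float) -> None:
        """A live connection to a target holds the countdown at the full timeout value."""
        if not self.is_expired(now):
            self.live_connections += 1

    def close_connection(self, now: float) -> None:
        """When the last connection closes, the countdown restarts from the full value."""
        if self.live_connections > 0:
            self.live_connections -= 1
            if self.live_connections == 0:
                self.countdown_start = now


if __name__ == "__main__":
    s = LoginSession(timeout=10)
    s.open_connection(8)       # connection held open from minute 8 to minute 30
    s.close_connection(30)     # countdown restarts from 10 minutes here
    print(s.is_expired(39.9), s.is_expired(40))   # False True
```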

Applet Timeout
Default: 10 minutes
Set the maximum length of connection inactivity during an applet session to a back-end (target) device before the User session is logged out.

If this value is not zero, every CA PAM User login begins a countdown at the start of the session. While this User maintains active (live) connections to back-end (target) devices, this timeout counts down. When its value reaches zero, the applet displays a pop-up message to the user.

Note: The distinction between a "login session" and a "connection session" described under Login Timeout applies here as well.

Default Device Type
Defines the Device template fields that are available when creating a Device. The choices can be overridden on the template itself.

  • Options that are currently licensed have active (usable) checkboxes. An exception to this rule is that initially (at CA PAM first use), Access is active and checked even before it is licensed.
  • Active options that are currently being used have checked checkboxes.

As shown in the example in Basic Settings:

  • Access is being used by default; its options are always available in the Manage Devices template.
  • Password Management is available for default use (because it is licensed), but is not currently being used. It also shows up as an (unselected) option on the Manage Devices template.
  • A2A is not available because it is not licensed. It does not appear as an item at all in the Manage Devices page.

The individual checkboxes:

  • Access: Initially, the checkbox is active and checked.
  • Password Management: The checkbox is active only when a Password Management license has been activated in Config, License.
  • A2A: The checkbox is active only when an A2A license has been activated in Config, License.

External API Buttons
Enables the External API. Checking Enable turns on the Try It Out button in the API documentation interface.

Passwords

Note: Generally, a value of zero (0) removes the restriction that the particular setting is intended to enforce.

Security Level
Default: 2
Set the level of complexity required in user passwords. Default is Level 2.

  • 0 (New Password): The new password (only) must be different from the previous password.
  • 1 (0 + Length Constraints): Level 0 characteristics, and in addition the password length must be as defined by the Min Length and Max Length fields.
  • 2 (1 + Require [a-zA-Z0-9]): All Level 0 and 1 characteristics, and in addition the password must have at least one alphabetic character and at least one digit.
  • 3 (2 + Both Upper and Lower Case): All Level 0, 1, and 2 characteristics, and in addition the password must have at least one upper-case and at least one lower-case alphabetic character.
  • 4 (3 + Special Character): All Level 0, 1, 2, and 3 characteristics, and in addition the password must contain at least one special character from among: ! @ # $ % ^ & * ( ).
  • 5 (DoD Strong Password): All Level 0, 1, 2, and 3 characteristics, and in addition the password must meet DoD requirements:
      • at least 15 characters total
      • at least two upper-case alphabetic characters (A B C …)
      • at least two lower-case alphabetic characters (a b c …)
      • at least two integers (1, 2, 3 …)
      • at least two special characters (! @ # …)

Min Length
Default: 6 characters
Set the mandatory minimum length of a password. Note: Password Security Level must be set to Level 1 or higher.

Max Length
Default: 14 characters
Set the mandatory maximum length of a password. Note: Password Security Level must be set to Level 1 or higher.

Change Interval
Default: 0 days
Set the number of days between forced password changes for all users. Note: Set this value to zero (0) if users are not required to change their password.

History
Default: 3
Set the number of most recent passwords that cannot be reused. Example: Assume History = 3, and a series of five (5) passwords is used over time. When the most recently used password in that series is about to expire, it can be reset using one of the two oldest passwords, but not using any of the three most recent ones.
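The Security Level table, Min Length, Max Length and History settings above are cumulative rules, and they interact: with the default Max Length of 14, Level 5 (at least 15 characters) cannot be satisfied until Max Length is raised. The checker below is an added illustration, not CA PAM's implementation; it assumes that History 0 leaves the Level 0 "differs from the previous password" rule in force and that "special" at Level 5 means any non-alphanumeric character.

```python
from __future__ import annotations
import re

LEVEL4_SPECIALS = set("!@#$%^&*()")   # the exact set the Level 4 rule lists


def check_password(new: str, previous: list[str], level: int,
                   min_len: int = 6, max_len: int = 14, history: int = 3) -> list[str]:
    """Return the rule violations for a proposed password (empty list = accepted).

    `previous` holds the user's earlier passwords, most recent first. Defaults mirror the
    table above. Illustrative code, not CA PAM's implementation.
    """
    problems = []
    # Level 0 always applies: the new password must differ from the previous one.
    # History widens that to the N most recent (assumption: History 0 keeps Level 0 in force).
    blocked = previous[:max(1, history)]
    if new in blocked:
        problems.append(f"reuses one of the {max(1, history)} most recent passwords")
    if level >= 1 and not min_len <= len(new) <= max_len:
        problems.append(f"length must be between {min_len} and {max_len}")
    if level >= 2 and not (re.search(r"[A-Za-z]", new) and re.search(r"[0-9]", new)):
        problems.append("needs at least one letter and one digit")
    if level >= 3 and not (re.search(r"[A-Z]", new) and re.search(r"[a-z]", new)):
        problems.append("needs both an upper-case and a lower-case letter")
    # The table defines Level 5 as Levels 0-3 plus the DoD rules, so the Level 4 set applies only at 4.
    if level == 4 and not LEVEL4_SPECIALS & set(new):
        problems.append("needs a special character from ! @ # $ % ^ & * ( )")
    if level == 5:
        # DoD strong password. Assumption: "special" means any non-alphanumeric character.
        checks = [
            (len(new) >= 15, "DoD: at least 15 characters"),
            (sum(c.isupper() for c in new) >= 2, "DoD: at least two upper-case letters"),
            (sum(c.islower() for c in new) >= 2, "DoD: at least two lower-case letters"),
            (sum(c.isdigit() for c in new) >= 2, "DoD: at least two digits"),
            (sum(not c.isalnum() for c in new) >= 2, "DoD: at least two special characters"),
        ]
        problems.extend(msg for ok, msg in checks if not ok)
    return problems


if __name__ == "__main__":
    # Level 5 with the default Max Length of 14 rejects a DoD-compliant 15-character password.
    print(check_password("ABcdefgh12345!@", [], 5))              # ['length must be between 6 and 14']
    print(check_password("ABcdefgh12345!@", [], 5, max_len=32))  # []
```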
Failure Limit
Default: 0
Sets the number of failed login attempts before a user account is deactivated. Note: Set this value to zero if account deactivation is not to be enforced.

Failure Counter Reset
Default: 60 minutes
The window of time within which failed login attempts are counted toward the Failure Limit.
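How Failure Limit and Failure Counter Reset combine decides whether a slow trickle of failures ever deactivates an account. The counter below is an added illustration, not CA PAM code; it assumes the reset window is sliding (a failure counts only while it is younger than Failure Counter Reset) and that a Failure Limit of 0 disables deactivation, as the note at the top of the table states.

```python
from collections import deque


class FailureCounter:
    """Failed-login counter with the Failure Limit / Failure Counter Reset semantics above.

    Illustrative code, not CA PAM's. Assumption: the reset window is sliding, so a failure
    counts only while it is younger than `reset_minutes`. limit == 0 disables deactivation.
    """

    def __init__(self, limit: int = 0, reset_minutes: float = 60):
        self.limit = limit
        self.reset_minutes = reset_minutes
        self.failures = deque()      # timestamps (minutes) of failures still inside the window
        self.deactivated = False

    def record_failure(self, now: float) -> bool:
        """Register a failed login at time `now`; return True once the account is deactivated."""
        if self.limit == 0:          # zero removes the restriction entirely
            return False
        # Drop failures that have aged out of the Failure Counter Reset window.
        while self.failures and now - self.failures[0] >= self.reset_minutes:
            self.failures.popleft()
        self.failures.append(now)
        if len(self.failures) >= self.limit:
            self.deactivated = True
        return self.deactivated


if __name__ == "__main__":
    fc = FailureCounter(limit=3, reset_minutes=60)
    # Three failures spread over more than an hour never fill the window; the fourth does.
    print([fc.record_failure(t) for t in (0, 30, 61, 70)])   # [False, False, False, True]
```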

Accounts

Note: Generally, a value of zero (0) removes the restriction that the particular setting is intended to enforce.

Disable Inactive After
Default: 30 days
Deactivate inactive user accounts after a set number of days.

When restoring a database from a backup, accounts are disabled if the backup is older than the time limit.

Remove Disabled After
Default: 0 days
Remove disabled user accounts after a specified number of days.

Forced Deactivation Alert
Default: (empty); the value is a user name, selected by autosuggest
Identify the administrator who is notified (through the email address specified in his/her user record) that a user has been deactivated.

Access Methods

Each access method is listed with its default port.

  • VNC (port 5900): Graphical desktop remote access application that enables access to the device. A Windows, Unix, Mac, or X Windows desktop can be accessed directly using this feature. VNC sessions can be graphically recorded. Note: This feature requires installation of the VNC (Virtual Network Computing) service on each of the devices/servers being accessed.
  • RDP (port 3389): Remote Desktop Protocol (RDP) is an access method for connecting to Microsoft Terminal Services and is commonly used for administration of Windows servers. RDP sessions can be graphically recorded.
  • Telnet (port 23): Standard Telnet access to a host. The Telnet service on the device being accessed must be running for this to work. See the specific device manufacturer documentation on how to set it up. Note: CA PAM does not support Telnet sessions to itself.
  • SSH (port 22): Supports SSH Versions 1 and 2. SSH must be running on the device being accessed for this to work. See the specific device or system manufacturer documentation on how to set it up.
  • Mainframe: Mainframe Access Methods appear only if licensed.
  • TN3270 (port 23): TN3270 is a Telnet client for the IBM AS/400 that emulates 5250 terminals and printers.
  • TN5250 (port 23): TN5250 is a Telnet client for the IBM AS/400 that emulates 5250 terminals and printers.
  • TN3270SSL (port 23): TN3270SSL provides SSL/TLS as a Telnet client for the IBM AS/400 that emulates 5250 terminals and printers.
  • TN5250SSL (port 992): TN5250SSL provides SSL/TLS as a Telnet client for the IBM AS/400 that emulates 5250 terminals and printers.
  • Serial (no port): A serial console is used for the administration of network equipment and Unix servers using an RS-232 interface. Because it does not rely on IP connectivity, operations such as upgrades can be performed without loss of connectivity.
  • Power (no port): Enables remote power on/off/reboot of the device being managed.
  • KVM (no port): Captures the video, keyboard, and mouse signals and converts them into packets, allowing remote console access for administrators.

Warnings

Show License Warning (Login page)
Display a message to all users at the login page. Use the text box to type the message that appears.

Note: Double-byte characters, such as those used for traditional Chinese, are supported.

Show Recording Warning (Applet)
Display a message at the top of any Telnet or SSH applet to warn users that they are being monitored through the alert, intervention, keyboard logging, session recording, or socket filtering features of CA PAM. Use the text box to type the message that appears.

Applet Customization

Configure Terminal Settings: Opens the Configure Terminal Settings pane.

Configure Terminal Settings

Applet Copy/Paste
Enable the use of copy and paste within any applet. In the applet window, this feature activates an Edit menu with Copy and Paste commands. When this option is disabled, the Edit tab is still visible but dimmed.
Options: Disable | Enable
Default: Disable

RDP Keyframes Duration
This factor determines how RDP recordings are compressed. A small keyframe duration is equivalent to more frequent full frames of video data, which results in a larger file but allows a more rapid seek in the RDP viewer. For sessions using RDP 6.1, file size can be reduced significantly by increasing the keyframe duration; reductions to about half the size have been observed.
Options:
  • Small (Fast Seek / Large File): recommended for all RDP versions except 6.1
  • Medium
  • Large
  • X Large (Slow Seek / Small File)
Default: Small (Fast Seek / Large File)

RDP Drive Mapping
Enable a mouseover pop-up window for RDP connections that displays the drives mapped to the local (RDP client) computer, for possible drive mapping on the remote (RDP server) computer before or while invoking the connection. Each available drive can be selected for mapping using a checkbox.
Options: Disable | Enable
Default: Disable

SSH Terminal File Transfer
When "Enable SCP/SFTP" is selected, the MindTerm-based SSH Access Method applet provides the menu items Plugins, SFTP File Transfer and Plugins, SCP File Transfer. Selecting one of those menu items opens a new applet window with a file transfer interface for the corresponding transfer method (SCP or SFTP).
Options: Disable SCP/SFTP | Enable SCP/SFTP
Default: Disable SCP/SFTP

CAUTION: Due to logging and recording limitations of SCP/SFTP window activity, the CA PAM MindTerm-based SSH Access Method file transfer feature is disabled by default. Should the Administrator decide to activate this functionality, it is recommended that the following limitations, and the security implications of an incomplete audit trail, are fully understood and accepted.

  • For files transferred, CA PAM Session Logs identify the name of the file or folder and the location on the User client computer from which the transfer was initiated, as illustrated below:

Upload C:\Downloads\XS_CUSTOM_CSS.230.01.p.bin (17k) as jsmith

    The logs do not identify the location on the target device to which the files were transferred.
  • When a file or folder is renamed using the "rename" command, this activity is not recorded in the Session Logs.
  • When a file or folder is deleted, this activity is not recorded in the Session Logs.
  • When a user changes directory (cd command) on the target, this activity is not recorded in the Session Logs.
  • Even when session recording is provisioned, neither SFTP nor SCP windows are recorded.

Web Recording Quality
Specifies the color depth and frame rate to use when recording a web portal session.
Options:
  • High (24 bits per pixel / 7 frames per second)
  • Medium (16 BPP / 5 FPS)
  • Low (8 BPP / 3 FPS)
Default: High

Transparent Login Cache
Sets the application cache for secondary transparent login on Windows targets.

When Enabled, the Windows target caches the Transparent Login Agent (TLA), Learn Tool, and Control Viewer that are downloaded from CA PAM during connection when transparent login has been configured, provisioned, and activated. On subsequent connections to that Windows target, the load times for these applications are reduced.

The data used by these applications (for example, the transparent login configuration files) is stored only on CA PAM.
Options: Disable | Enable
Default: Disable

Retrieve Public Address
Lets an administrator enable or disable the Java applet Access Agent retrieving the user's public address. After a user logs in to CA PAM, the Java Applet Access Agent is downloaded to the user desktop. The applet tries to retrieve the address of the gateway used for external access, for auditing and for the VMware NSX feature. In some environments, this behavior is not desirable. The Retrieve Public Address setting lets administrators disable this feature.
Options: Enable | Disable
Default: Enable

Branding

Update/Revert Logo
Allows you to use your company logo in place of the CA PAM logo.

Update/Revert Logo Window

Upload Custom Logo: Select your company logo.
Revert Logo: Reverts to the CA PAM logo.