
CA Privileged Access Manager 2.5.x: Administration Foundations 200
Lab Guide

Course code: 04PIM2010S
Inventory code: 04PIM2010LG1

PROPRIETARY AND CONFIDENTIAL INFORMATION. © 2016 CA. All rights reserved. CA confidential & proprietary information. For CA, CA Partner and CA Customer use only. No unauthorized use, copying or distribution. All names of individuals or of companies referenced herein are fictitious names used for instructional purposes only. Any similarity to any real persons or businesses is purely coincidental. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. These Materials are for your informational purposes only, and do not form any type of warranty. The use of any software or product referenced in the Materials is governed by the end user's applicable license agreement. CA is the manufacturer of these Materials. Provided with Restricted Rights.

CA Privileged Access Manager 2.5.x: Administration Foundations 200

Table of Contents
Introduction 1
Guided Practice 3-1: Users 5
Guided Practice 3-2: Import Users from AD 9
Guided Practice 3-3: RADIUS Users 13
Guided Practice 3-4: CSV User Import 15
Guided Practice 4-2: Manually Add a Device 18
Guided Practice 4-3: Export/Import from csv File 20
Guided Practice 4-4: AD Import of Devices 22
Guided Practice 4-5: Auto discovery of Devices 25
Guided Practice 4-6: Establish Baseline Devices 27
Guided Practice 5-1: Command Line Filter 29
Guided Practice 5-2: Socket Filter 31
Guided Practice 5-3: SSH Access Policy 33
Guided Practice 5-4: RDP Access Policy 37
Guided Practice 5-5: Web Access Policy 39
Guided Practice 6-1: Password Composition Policies 40
Guided Practice 6-2: Password View Policies 43
Guided Practice 6-3: Vault for SMTP Account 44
Guided Practice 6-4: Vault for Syslog/Splunk Account 46
Guided Practice 6-5: Windows Domain Service Account 48
Guided Practice 6-6: WDS Master/Slave Accounts 50
Guided Practice 6-7: UNIX Accounts with Username/Password 52
Guided Practice 6-8: Windows Proxy GUI Install 54
Guided Practice 6-9: Windows Proxy Silent Install 56
Guided Practice 6-10: Local Windows Account 58
Guided Practice 6-11: UNIX Accounts with SSH Key 60
Guided Practice 7-1: Automated Login to UNIX Systems 61
Guided Practice 7-2: Automated Login to Windows Systems 63
Guided Practice 7-3: Automated Login to Web Applications 66
Guided Practice 8-1: Configuration of Password Management 68
TOC-1
2015 CA. All rights reserved.

Guided Practice 9-1: PM Target Groups 70
Guided Practice 9-2: PM User Groups 72
Guided Practice 9-3: Auditor User 74
Appendix: Dynamic Lab Environment Access and User Guide 75
Self-Directed Learning Access and Instructions 77
Instructor-Led Class Set-Up 81
Best Practices 83
Troubleshooting 84


CA Privileged Access Manager 2.5.x: Administration Foundations 200 Training Exercises

CA Privileged Access Manager 2.5.x: Administration Foundations 200: Lab Guide Introduction
Goals

This lab guide provides you with opportunities to practice what you learn in the course as
well as apply what you learn in real-world scenarios.

Scenario
Voonair Airlines is a fictitious niche airline providing service to the Arctic. The company provides
access to areas that are otherwise inaccessible for residents and researchers and has been
successful in this area. The Voonair IT Security team recently discovered unauthorized access to
servers that contain sensitive data. While the existing security posture at Voonair is strong, there
were no measures for protecting privileged identities which were acquired as part of a social
engineering attack.
The company has decided to strengthen their security around privileged identities and direct access
to servers that contain sensitive data. Voonair has partnered with CA Technologies to deploy CA
PAM to meet their needs.
As part of Voonair Airlines IT staff and following the configuration course, you will now configure,
administer and test CA PAM 2.5.x functionality.

CA Technologies

CA Privileged Access Manager 2.5.x: Administration Foundations 200


2016 CA. All rights reserved.


Dynamic lab test environment architecture


The following depicts the dynamic lab environment you will use for proof-of-concept testing:


Process Overview
This foundations course will focus on the Administration section depicted below. Additional
courses are being continually added to support various typical integrations.

[Course map: the figure shows the three course sections and their modules]
Architecture: Architecture and Features
Configuration: Appliance Configuration; Firewall Permissions
Administration: Access Control; Credential Management; Password Management; Access Control and Automated Login; Access Control Web Services

The Dynamic lab environment will start with all VMs already logged in as voonair\administrator (caeducation). You do not need to log off the machines when suspending. Some labs require you to log in as a different user. Use these steps to log off/on to a virtual machine as the domain admin:

To log off of Windows Server 2012, RIGHT-CLICK the Start button and select Shut down or sign out > Sign out.

To log on, click the Ctrl-Alt-Del button in the Skytap menu bar.

Unless otherwise instructed, log in to each VM as the domain admin voonair\administrator with password caeducation.


Guided Practice 3-1: Users

Goals

To demonstrate how to create users and groups via the GUI and CSV import.

Scenario

One of the first steps following configuration of CA PAM is to create or import users. This first exercise covers manual creation and the importing of users using a CSV file.

Time

10 Minutes

Instructions: Connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Log on to Privileged Access Manager A
User: super
Password: caeducation1

Create a User Group for your team/department:
a. From the Users menu, select Manage Groups
b. Select Create Local Group
c. Enter a descriptive Groupname (for example, My Group)
d. Assign the Global Administrator role for now
e. Click Save

Add 2 Users manually to the group you created via the CA Privileged Access Manager Interface:
a. From the Users menu, select Manage Users
b. Select Create User
c. Fill in the required fields in RED
d. Select Global Administrator from available roles in the Roles section
e. Select System Admin Group from Available Group in the PM group section
f. Select the Group you created in the prior step and then click Add
g. Click Save
h. Repeat steps a. through g. for a second user


Export the Users .csv file:
a. From the Users menu, select Import/Export Users
b. Select Export Users
c. Open the file in MS Excel


Modify and import the updated users CSV file:
a. In the CSV file, copy one of the test users you created and paste to three new rows
b. Modify the user name, first/last name, and the email address
c. Populate the password column (E) with Password1 for the new users
d. Leave the rest of the fields as copied and save the CSV file to the desktop. Close the Excel file.
e. From the Users menu, select Export/Import Users (if you are already at this screen, you may skip this step)
f. Click Browse and select the updated CSV file and then click Import Users
g. Confirm success and, if there are errors, download the CSV import results and correct the CSV file before importing again
h. From the Users menu, select Manage Users and observe the imported users


Guided Practice 3-2: Import Users from AD

Goals

Onboarding users to CA PAM can also be done by importing from an LDAP source such as Active Directory. After users have been imported, you will assign the appropriate roles to the groups.

Scenario

Voonair has determined that specific groups of users within AD are required to utilize CA PAM for access to the privileged identities.

Time

15 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Log on to Privileged Access Manager A
User: super
Password: caeducation1
a. From the Users menu, select Manage Groups
b. Select Import LDAP Group
c. Select OK to connect to Active Directory using the LDAP Browser


a. Expand XsuiteUsers and select each group that starts with ABC Vision located under XsuiteUsers of the Voonair domain.
b. Select Register Select Groups with Xsuite Appliance
c. On the Register Groups screen change the Authentication Type to LDAP
d. Select Register Groups
A message of the group registration status will display.
e. Click Close
f. Click X to exit the Xceedium LDAP Browser


a. From the Users menu, select Manage Groups and observe the imported LDAP groups
b. From the Users menu, select Manage Users and observe that LDAP imported users cannot be deleted


Assign roles to the imported AD groups:
a. Select Manage Groups from the Users menu
b. Click on the ABC Vision Admins group and assign the role Delegated Administrator
c. Click the User Groups Add Group and select ABC Vision Admins from the drop down menu.
d. Click the Device Group Add Group and select All Devices from the drop down menu
e. Click Save
f. Repeat the process for the ABC Vision Auditors group: assign the role Auditor, User group: ABC Vision Auditors, and the Device Group: All Devices
g. Click Save for the ABC Vision Auditors group


Guided Practice 3-3: RADIUS Users

Goals

Create a user group configured for RADIUS authentication. Users are created at the first login and the role is assigned based on the group configuration. This exercise will demonstrate this configuration and functionality.

Scenario

In addition to LDAP, Voonair would like to allow users to authenticate via RADIUS.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create user group rad-grp1:
a. Select Manage Groups from the Users menu
b. Select Create RADIUS Group
c. Set the Groupname to rad-grp1
d. Set the Authentication type = RADIUS
e. Add the role Configuration Manager as the role
f. Remove the Standard User role by selecting Remove
g. Click Save
Log off from PAM A by selecting Log Off in the top right hand corner.


Login as RADIUS user:
a. Username: rad1
b. Password: caeducation
Observe that the user is a configuration manager with access only to Global Settings.
Log off from PAM A by selecting Log Off in the top right hand corner.
Login as RADIUS user:
a. Username: rad2
b. Password: caeducation
Observe the login response (rad2 user does not exist).

Login as Global Admin (super). Verify that user rad1 exists: Users > Manage Users


Guided Practice 3-4: CSV User Import

Goals

Create users via a CSV import file. This exercise will lead you through importing users from a CSV file. This is a good method for importing users that are not available in the user store.

Scenario

Voonair has a set of users that must be imported as they do not exist in Active Directory.

Time

5 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Import users from a CSV file:
a. From the Users menu, select Import/Export Users
b. Browse to C:\ClassFiles\PAMBootstrap-1.5\
c. Select PAM-users.csv and click Open
d. Select Import Users
Confirm 100% import complete with no errors.

Select Users, then Manage Users. Verify that user CLI was imported. This user is in the CSV import file; however, it was not created previously.

Guided Practice 4-1: Services

Goals

Configure SSH access using the PuTTY local client and web access to the Splunk servers. This will be utilized during a later exercise.

Scenario

Voonair's UNIX / Linux administrators would like to use PuTTY for SSH access to servers that they manage. Additionally, Voonair will require that access to Splunk be controlled by CA PAM.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create a new service for the locally installed PuTTY SSH client:
a. From the Services menu, select TCP/UDP Services
b. Click on Create TCP/UDP Service
c. Enter PuTTY as Service Name
d. Enter Port: 22
e. Protocol: TCP
f. Application Protocol: SSH
g. Client application: c:\util\putty.exe -ssh <Local IP> -P <First Port>
h. Click Save
Create a new service for Splunk:
a. From the Services menu, select TCP/UDP Services
b. Click on Create TCP/UDP Service
c. Service Name: Splunk
d. Port: 8000
e. Protocol: TCP
f. Application Protocol: Web Portal
g. Launch URL: https://<Local IP>:<First Port>

h. Browser type: Xceedium Browser
i. Click Save
Testing of this will occur later, as there are other settings required before you can utilize these options.


Guided Practice 4-2: Manually Add a Device

Goals

Create a device and device group using the CA PAM web interface. Group membership is also explored for different ways to add and remove devices.

Scenario

Before devices are imported in an automated manner, it's best to understand the options available for a given device.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create a new device for the unix1 server:
a. From the Devices menu, select Manage Devices
b. Click Create Device
c. Device Name: unix1
d. Address: 192.168.0.21
e. Access methods: Click on SSH
f. Under Services, click Add and select PuTTY as a service
g. Device type is Access and Password Management (both should be checked)
h. Click Save


Create a device group for UNIX:
a. From the Devices menu, select Manage Groups
b. Select Create Device Group
c. Group Name: UNIX
d. Check SSH in the access methods section
e. Add PuTTY as a Service
f. Click on the Devices field, and select the unix1 checkbox
g. Click Save
To demonstrate an alternate way of adding a device to a group, remove unix1 from the UNIX device group using the device group menu. Then edit the unix1 device and add it to the UNIX device group.


Guided Practice 4-3: Export/Import from csv File

Goals

Create additional devices using a CSV file. You will export existing devices in order to then modify the CSV and import the changes.

Scenario

With the number of devices that Voonair will manage on CA PAM, creating them via the web interface is not practical. This is the first method of device import you will explore.

Time

15 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Export devices to a CSV file:
a. From the Devices menu, select Import/Export Devices
b. Click Export Devices and open the file with Microsoft Excel
Edit the csv file and duplicate the device unix1 to unix2 and unix3:
a. Necessary changes are device name and address/hostname (as seen in the image on the left)
b. Save the file on your desktop and be sure it is in CSV format.
c. Close the Excel file


Import the device csv file:
a. From the Devices menu, select Import/Export Devices
b. Browse for the file on your desktop that was updated and select Import Devices.
Confirm 100% success from the import.
Select Devices, then Manage Devices. Observe that the unix2 and unix3 devices are imported.

Click to expand unix2, and verify UNIX in Groups.
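Editing an export by hand in Excel, as Guided Practice 3-1 (users) and Guided Practice 4-3 (devices) describe, is easy to get wrong: a shifted column or a duplicated name only shows up later as an import error. The following Python script is an added example, not part of this lab guide and not CA PAM code, that does the same row cloning programmatically. It copies a source row, applies only the fields that must differ, and refuses unknown columns or duplicate keys before the file ever reaches Import Users or Import Devices. The column names in both sample exports and the unix2/unix3 addresses are constructed assumptions; take the real header row from your own export.

```python
import csv
import io

# Constructed sample of a device export. The column names are an assumption
# made for this example; use the header row of the file Export Devices produces.
DEVICE_EXPORT = """Name,Address,AccessMethods,Services,Groups,DeviceType
unix1,192.168.0.21,SSH,PuTTY,UNIX,Access;Password Management
"""

# Constructed sample of a user export, again with assumed column names.
USER_EXPORT = """Username,FirstName,LastName,Email,Password,Roles,Groups
test1,Test,One,test1@voonair.local,,Global Administrator,My Group
"""


def parse_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def clone_rows(csv_text, key_column, source_key, overrides):
    """Append one copy of the source row per dict in overrides and return new CSV text.

    Every column not named in an override is copied unchanged, which is what the
    lab asks for ("leave the rest of the fields as copied"). Unknown columns and
    duplicate keys raise, so a typo is caught here rather than by the import step.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    fields = reader.fieldnames
    source = next((r for r in rows if r[key_column] == source_key), None)
    if source is None:
        raise ValueError(f"no row where {key_column} == {source_key!r}")
    existing = {r[key_column] for r in rows}
    for values in overrides:
        unknown = set(values) - set(fields)
        if unknown:
            raise ValueError(f"unknown column(s): {sorted(unknown)}")
        new_row = dict(source)
        new_row.update(values)
        if new_row[key_column] in existing:
            raise ValueError(f"duplicate {key_column}: {new_row[key_column]!r}")
        existing.add(new_row[key_column])
        rows.append(new_row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def clone_devices(csv_text=DEVICE_EXPORT):
    """Guided Practice 4-3: unix1 duplicated to unix2 and unix3.

    The addresses below are constructed placeholders; in the lab, use the real
    addresses of those hosts.
    """
    return clone_rows(csv_text, "Name", "unix1", [
        {"Name": "unix2", "Address": "192.168.0.22"},
        {"Name": "unix3", "Address": "192.168.0.23"},
    ])


def clone_users(csv_text=USER_EXPORT):
    """Guided Practice 3-1: three users copied from test1 with the Password column set."""
    overrides = []
    for n in (2, 3, 4):
        overrides.append({
            "Username": f"test{n}",
            "FirstName": "Test",
            "LastName": f"User{n}",
            "Email": f"test{n}@voonair.local",
            "Password": "Password1",
        })
    return clone_rows(csv_text, "Username", "test1", overrides)


if __name__ == "__main__":
    # Write the two files the lab would import from the desktop.
    print(clone_devices())
    print(clone_users())
```

Run the script and redirect its output, or call the two functions from your own code; the resulting text is the CSV the lab's Import step expects, with the source row intact and the new rows appended after it.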


Guided Practice 4-4: AD Import of Devices

Goals

Import devices from specific groups in Active Directory and observe the results. The test group will be deleted and not saved during this exercise.

Scenario

Devices that belong to a domain can also be imported via an LDAP group. Since Voonair utilizes Active Directory services, you will import devices from specific groups.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.
a. From the Devices menu, select Manage Groups
b. Select Import LDAP Groups to open the LDAP browser


Choose the Domain Controllers devices and register the device group by selecting Register Groups.
Close the screen once the group has been registered by selecting Close.
Close the Xceedium LDAP Browser by clicking on the X in the top right hand corner of the open window.

Observe the devices being added to CA Privileged Access Manager. Observe the group and device additions.


Select the Domain Controller checkbox and Delete the device group, as they will be re-created later from a static import file.


Guided Practice 4-5: Auto discovery of Devices

Goals

Using Autodiscovery, find and add all devices within a specified IP range.

Scenario

You can discover devices and add them automatically to CA PAM. This is helpful when the target device population for a specified netmask or IP range is not known.

Time

15 Minutes depending on the length of the scan process

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.
Scan the subnet for new devices:
a. From the Devices menu, select Autodiscovery
b. Change the radio button to Range and enter Address range: 192.168.0.10 to 192.168.0.50
c. Click Scan and be aware that the scan may take several minutes to complete


Once the devices have been scanned:
a. Add the following found devices:
1. adserver.voonair.local
2. nfs.voonair.local
3. win1.voonair.local
4. win2.voonair.local
5. mssql.voonair.local
6. oracle.voonair.local
b. Click Save/Update
c. Click Continue

Observe the new devices in the Manage Devices list.


Guided Practice 4-6: Establish Baseline Devices

Goals

Remove all previously created Devices and Services to prepare for additional lab exercises.

Scenario

In order to ensure that your lab environment is built correctly for future lab exercises and to save you time in having to do repetitive work, you will remove previously created services and devices. You will then import Services and Devices from the CSV files provided.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.
Remove all services created:
a. From the Services menu, select TCP/UDP Services
b. Delete the PuTTY and Splunk services previously created.


Remove all devices created:
a. From the Devices menu, select Manage Devices
b. Select the checkbox next to the Name field to select all devices that you are able to delete.
c. Click Delete
Remove all device groups created:
a. From the Devices menu, select Manage Groups
b. Select and Delete the UNIX group
Import services from a prepared csv file:
a. From the Services menu, select Import/Export Services
b. Browse for file: c:\classfiles\PAM-Bootstrap1.5\PAM-Services.CSV
c. Click Import Services
Confirm import 100% with no errors.
Import devices from a prepared csv file:
a. From the Devices menu, select Import/Export Devices
b. Browse for the file c:\classfiles\PAM-Bootstrap1.5\PAM-Devices.csv
c. Click Import Devices
Confirm 100% completed with no errors.


Guided Practice 5-1: Command Line Filter

Goals

Create command filters using both keywords and regex to observe the differences.

Scenario

To add additional protection to the use of privileged accounts, certain commands on UNIX / Linux will be prohibited from use on specific accounts. Use of these commands can then be limited to other accounts that have things like full session recording and active review of the recordings.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.


Create a command line filter to block commands by keyword:
a. From the Policy menu, select Manage Policies and then select Manage Filters
b. On the Command Filter Config tab, change the Action After Limit Exceeded to Logout of terminal device
c. Click Save Command Filter Config
d. Select Manage Filters again
e. Select the Command Filter Lists tab and select Create List
f. Name it Simple Blocked
g. Enter Keyword passwd and check Alert and Block and click Add Keyword
h. Enter Keyword su and check Alert and Block.
i. Save the list updates

Create a command line filter to block commands by regular expression:
a. From the Manage Filters screen, select Create List under the Command Filter Lists tab
b. Name it RegEx Blocked
c. In the Keyword command enter: .*(^|\W)passwd($|\W).* and check the Regexp checkbox.
d. Click Add Keyword
e. In the Keyword command enter: .*(^|\W)su($|\W).* and check the Regexp checkbox.
f. Save the new list
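The keyword list and the regex list differ in what they match, which is the point of this exercise. The following Python script is an added example (not code from the lab guide or from CA PAM) that runs both lists over a few constructed command lines and simulates the Logout of terminal device action. It assumes that a keyword entry matches as a plain substring and that a regex entry must cover the whole command line, which is what the leading and trailing .* in the lab's patterns imply; the three-violation threshold is an assumption taken from the later SSH exercise, where three prohibited commands end the session. Note that a bare keyword su also hits sudo and summary, while the regex only matches su as a whole word.

```python
import re

# Keyword entries from the "Simple Blocked" list and regex entries from the
# "RegEx Blocked" list, exactly as created in the lab.
SIMPLE_BLOCKED = ["passwd", "su"]
REGEX_BLOCKED = [r".*(^|\W)passwd($|\W).*", r".*(^|\W)su($|\W).*"]

# Constructed command lines, as a user might type them in a recorded session.
SAMPLE_COMMANDS = [
    "ls -l",
    "sudo ls /root",     # contains "su" only as a substring
    "cat /etc/passwd",   # passwd as a whole word (here a file name, not the command)
    "su -",
    "summary.sh",        # another substring-only hit for "su"
    "passwd",
]


def keyword_hit(command, keywords):
    """Keyword match, assumed here to be a plain substring test."""
    return any(k in command for k in keywords)


def regex_hit(command, patterns):
    """Regex match: with .* on both ends the pattern must cover the whole line."""
    return any(re.fullmatch(p, command) for p in patterns)


def compare_filters(commands=SAMPLE_COMMANDS):
    """Return {command: (keyword_hit, regex_hit)} to show where the two lists differ."""
    return {c: (keyword_hit(c, SIMPLE_BLOCKED), regex_hit(c, REGEX_BLOCKED))
            for c in commands}


def run_session(commands, patterns=REGEX_BLOCKED, max_violations=3):
    """Simulate the filter acting on one session.

    Each blocked command counts as a violation and is not passed to the host.
    When the count reaches max_violations the session is logged out (the
    "Logout of terminal device" action). The threshold of 3 is an assumption
    for this example. Returns (violations, terminated, executed_commands).
    """
    violations = 0
    executed = []
    for cmd in commands:
        if regex_hit(cmd, patterns):
            violations += 1
            if violations >= max_violations:
                return violations, True, executed
            continue
        executed.append(cmd)
    return violations, False, executed


if __name__ == "__main__":
    for cmd, (kw, rx) in compare_filters().items():
        print(f"{cmd!r:20} keyword={kw!s:5} regex={rx}")
    print(run_session(["su -", "ls -l", "passwd", "sudo ls /root", "su"]))
```

The comparison table is the lesson of the exercise: the keyword list produces false positives on any command containing the letters, while the regex list blocks the command only when it stands alone as a word, which is why the lab pairs each keyword with its word-boundary pattern.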

Guided Practice 5-2: Socket Filter

Goals

Create socket filters in order to further create whitelists and blacklists for RDP and SSH for specific devices.

Scenario

Voonair has determined that Socket Filters are needed.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.
a. From the Policy menu, select Manage Policies and then select Manage Filters
b. Select Socket Filter Config
c. Change Action After Limit Exceeded to Logout of terminal device
d. Enable SFA Monitoring and Log All Access
e. Enter a Violation e-mail message as seen in the image on the right (RDP is not allowed on this network. Your activity has been reported to Information Security)
f. Click Save Socket Filter Config


Create an RDP socket filter blacklist:
a. Open Manage Filters if closed from the prior exercise
b. Select the Socket Filter Lists option and select Create List
c. Enter a name for the filter and select Blacklist (for example: Block RDP and Alert)
d. Block and alert all RDP connections to 192.168.0.0/16 on port 3389
e. Click Save
Create an SSH socket filter blacklist:
a. Click Create List.
b. Enter a name for the filter and select Blacklist (for example: Block RDP/SSH and Alert)
c. Block and alert all SSH connections to 192.168.0.0/16 for ports 3389, 22. This can be done by adding a port to the existing Socket Filter or creating a new entry.
d. Save the updates
Create an SSH socket filter whitelist:
a. Select Create List
b. Enter a name for the filter and select Whitelist (for example: Permit SSH to Unix1)
c. Create a new Socket Filter List entry to Permit SSH connections to 192.168.0.21
d. Save the new list
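To see what these lists do to an actual connection attempt, the following Python script is an added example (not from the lab guide and not CA PAM code) that represents the two lists above as data and evaluates a destination address and port against them, producing the violation text from the Socket Filter Config step for blocked attempts. The evaluation order (a whitelist match permits, otherwise a blacklist match blocks and alerts, otherwise the filter has no opinion and the access policy decides) and the log line format are assumptions made for this example.

```python
import ipaddress

# Socket filter lists as created in the lab; the list type decides how a match
# is treated, the networks and ports are the values from the lab steps.
SOCKET_FILTER_LISTS = [
    {"name": "Block RDP/SSH and Alert", "type": "blacklist",
     "network": "192.168.0.0/16", "ports": {3389, 22}, "alert": True},
    {"name": "Permit SSH to Unix1", "type": "whitelist",
     "network": "192.168.0.21/32", "ports": {22}, "alert": False},
]

# Violation e-mail text from the Socket Filter Config step.
VIOLATION_MESSAGE = ("RDP is not allowed on this network. "
                     "Your activity has been reported to Information Security")


def _matches(entry, dst_ip, dst_port):
    """True when the destination falls inside the entry's network and port set."""
    return (ipaddress.ip_address(dst_ip) in ipaddress.ip_network(entry["network"])
            and dst_port in entry["ports"])


def evaluate(dst_ip, dst_port, lists=SOCKET_FILTER_LISTS):
    """Decide what the filter does with a connection attempt to dst_ip:dst_port.

    Order is an assumption for this example: whitelist entries are checked
    first and permit; then blacklist entries block (and alert if configured);
    anything else is "no match" and is left to the access policy.
    """
    for entry in lists:
        if entry["type"] == "whitelist" and _matches(entry, dst_ip, dst_port):
            return {"decision": "permit", "list": entry["name"], "alert": False}
    for entry in lists:
        if entry["type"] == "blacklist" and _matches(entry, dst_ip, dst_port):
            return {"decision": "block", "list": entry["name"], "alert": entry["alert"]}
    return {"decision": "no match", "list": None, "alert": False}


def process_connection_log(lines, lists=SOCKET_FILTER_LISTS):
    """Apply evaluate() to constructed 'user dst_ip dst_port' log lines.

    Returns the list of (user, ip, port, decision) tuples and the alert
    messages that would be sent, one per blocked-and-alerted attempt.
    """
    results, alerts = [], []
    for line in lines:
        user, ip, port = line.split()
        port = int(port)
        r = evaluate(ip, port, lists)
        results.append((user, ip, port, r["decision"]))
        if r["alert"]:
            alerts.append(f"{user} -> {ip}:{port} blocked by '{r['list']}': "
                          f"{VIOLATION_MESSAGE}")
    return results, alerts


# Constructed sample of connection attempts made through a proxied session.
SAMPLE_LOG = [
    "abc-admin1 192.168.0.21 22",      # SSH to unix1: whitelisted
    "abc-admin1 192.168.0.22 22",      # SSH elsewhere on the /16: blacklisted
    "abc-admin1 192.168.0.40 3389",    # RDP anywhere on the /16: blacklisted
    "abc-admin1 10.1.2.3 22",          # outside both lists
]


if __name__ == "__main__":
    results, alerts = process_connection_log(SAMPLE_LOG)
    for row in results:
        print(row)
    for alert in alerts:
        print(alert)
```

The whitelist is deliberately narrower than the blacklist (one host, one port), so the two together express "SSH to unix1 only, nothing else on the /16"; checking any new entry against a log like this before saving it shows whether the lists actually say that.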


Guided Practice 5-3: SSH Access Policy

Goals

Create SSH access policies that utilize both the CA PAM built-in SSH client and the local PuTTY installation. Also, connections will be made with the configured access users to observe the options and restrictions configured as part of the access policy. Lastly, observe the session recordings of your attempted access.

Scenario

As you continue configuring CA PAM, this exercise begins to put it all together. You will now assign an access policy to specific users/groups and devices/device groups.

Time

20 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Best Practice Tip: For the remainder of the labs, it is highly recommended you use two web browsers instead of logging in and out. You may leave your super account logged in (default: Firefox), but open a separate Internet Explorer browser and launch PAM A when the lab instructions tell you to log in as abc-admin1.

Create an access policy for SSH access to UNIX1:
a. From the Policy menu, select Manage Policies
b. User (Group): enter admin1 and select the abc-admin1 user
c. Device (Group): unix1
d. Click Create Policy
e. Access: Add SSH
f. Enable Command Line session recording
g. Click Save


Observe the access page and connect to the UNIX1 server:
a. Connect to CA PAM as User: abc-admin1, Password: caeducation (remember this is an LDAP user)
b. Connect to unix1 using SSH and login as adm1 with password caeducation
c. Execute some basic commands:
cd /
ls -l
d. Type exit and press Enter to leave the SSH session.


Create an access policy for SSH + PuTTY access to the UNIX device group:
a. From the Policy menu, select Manage Policies
b. User (Group): abc-admin1
c. Device (Group): 168-UNIX
d. Click Create Policy
e. Access: Click Add, select SSH
f. Services: Click Add, select putty
g. Use a command filter: Simple Blocked
h. Use a socket filter: Block RDP/SSH and Alert
i. Choose to record session: Select Command Line and Bidirectional
j. Click Save
Observe the examples below to review different access methods and violation recordings.
Connect to the access page (Restart Session if still logged in as abc-admin1): abc-admin1, LDAP, password: caeducation
a. Connect to the UNIX2 server using SSH access.
b. Login as adm1 with password caeducation
c. Run prohibited commands three times (created in prior exercises, passwd or su). The session will be terminated.
View the recording of the sessions:
a. Go back to the super account and reconnect to CA PAM (password: caeducation1)

b. Observe the different playback for SSH and PuTTY sessions (session recordings from the Sessions menu)


Guided Practice 5-4: RDP Access Policy


Goals

Create an RDP access policy for a specific device and a device group. The session
recordings will also be viewed as part of this exercise.

Scenario

Now an access policy will be created for RDP to Windows servers.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create an access policy for RDP access to the WIN1 server. Log in as the super user.
a. From the Policy menu, select Manage Policies
b. User (Group): abc-admin1
c. Device (Group): win1
d. Select Create Policy
e. Add Access: RDP
f. Use a socket filter: Block RDP/SSH Alert
g. Choose to record session: Graphical
h. Click Save


Create an additional access policy for RDP access to all Windows servers:
a. Select Policy > Manage Policy
b. Set user to abc-admin1
c. Device Group: 168-Windows
d. Select Create Policy
e. Set Access = RDP
f. Choose to record session: Graphical
g. Click Save

Log off. Observe the access page as User: abc-admin1, Password: caeducation.
Connect to the WIN1 server using RDP.
a. Log in as adm1 with password caeducation (leave domain empty)
b. Connect to WIN2 and log in with the same account as in step a.

Log off. Log in as super, password: caeducation1.
To view the session recordings: from the Sessions menu, select Session Recordings.


Guided Practice 5-5: Web Access Policy


Goals

Create a web access policy to use Splunk via CA PAM. You will also connect using
this policy to observe the access process as well as the subsequent session
recording.

Scenario

In addition to managing access via SSH and RDP, web access control is also
required as part of the Voonair security strengthening.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create an access policy for the Splunk service to the syslog server.
a. From the Policy menu, select Manage Policies
b. User (Group): abc-admin1
c. Device: 168.0 syslog
d. Click Create Policy
e. Services: Add Splunk
f. Choose to record session: Web Portal
g. Click Save

Observe the access page and connect to Syslog using Splunk.
a. Log in as admin with password caeducation

View the recording of the session.



Guided Practice 6-1: Password Composition Policies


Goals

Create password composition policies to be used for Windows, UNIX, and Oracle
accounts. You will utilize these policies in later lab exercises.

Scenario

As part of password management, the composition policies must be created to match destination requirements for target devices and user stores. Additionally, the requirements of Voonair in some cases are more stringent than the user store or operating system requires.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create a Password Composition Policy (PCP) for Windows.
a. From the Policy menu, select Manage Passwords
b. Now from the Targets menu, select Password Composition Policies and then click Add
c. Enter Windows as the Name
d. Create a description for the PCP, for example: Password composition policy for Windows Account.
e. Maximum length should be 24 or more characters
f. Set Maximum Password Age = 7 days (click the enable option in order to enter the 7 days)
g. Click Save


Create a Password Composition Policy (PCP) for UNIX. Click Add.
a. Name: UNIX
b. Enter a description. For example: Password composition policy for UNIX servers
c. Maximum length should be 24 or more characters
d. Use password age 30 days (click the enable option in order to enter 30 days)
e. Click Save


Create a Password Composition Policy (PCP) for Oracle. Click Add.
a. Name: Oracle
b. Description: Password Composition policy for Oracle Servers/Databases
c. Maximum length should be 24 or more characters
d. Uncheck special characters
e. Use password age 1 day (click the enable option in order to enter 1 day)
f. Click Save


Guided Practice 6-2: Password View Policies


Goals

Create password view policies to change after view and change after check-in/check-out. You will utilize these policies in later lab exercises.

Scenario

Voonair has requirements for changing password upon view and use, since the
goal of CA PAM implementation is to provide access to target devices without
exposing the passwords to the user.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create a PVP for Change Password on View.
a. From the Policy menu, select Manage Passwords
b. Now from the Workflow menu, select Password View Policies, and then click Add
c. Change Password on View after 3 minutes
d. Name it so you recognize it, e.g. CPOV-3

Create a PVP for Checkout/Checkin.
a. Check in after 60 minutes.
b. Name it so you recognize it, e.g. Checkout-60
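The following is an added illustration, not CA PAM code and not part of the lab, of what the three PCPs from Lab 6-1 and the two PVPs from Lab 6-2 mean for a vaulted account once a clock is applied: the length and special-character limits, the maximum age, the change scheduled 3 minutes after a view, and the automatic check-in 60 minutes after a checkout. The class and function names, the constructed lab clock T0 and the toy passwords are assumptions made here; the real appliance's evaluation order is not claimed.

```python
# Added illustration (not CA PAM code): a toy model of the Lab 6-1
# password composition policies (PCPs) and the Lab 6-2 password view
# policies (PVPs).  All names here are invented for the example.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import string


@dataclass(frozen=True)
class CompositionPolicy:
    name: str
    max_length: int          # lab: "24 or more characters"
    max_age_days: int        # lab: Maximum Password Age (enabled)
    allow_special: bool = True


# The three PCPs created in Lab 6-1 (Oracle has special characters unchecked).
WINDOWS_PCP = CompositionPolicy("Windows", 24, 7)
UNIX_PCP = CompositionPolicy("UNIX", 24, 30)
ORACLE_PCP = CompositionPolicy("Oracle", 24, 1, allow_special=False)


@dataclass(frozen=True)
class ViewPolicy:
    name: str
    change_after_view_minutes: Optional[int] = None   # CPOV-3 style
    checkin_after_minutes: Optional[int] = None       # Checkout-60 style


# The two PVPs created in Lab 6-2.
CPOV_3 = ViewPolicy("CPOV-3", change_after_view_minutes=3)
CHECKOUT_60 = ViewPolicy("Checkout-60", checkin_after_minutes=60)


@dataclass
class VaultedAccount:
    name: str
    pcp: CompositionPolicy
    pvp: ViewPolicy
    password: str
    last_changed: datetime
    change_due_at: Optional[datetime] = None
    checked_out_until: Optional[datetime] = None


T0 = datetime(2016, 6, 1, 9, 0)   # constructed lab clock start


def at(minutes: int = 0, days: int = 0) -> datetime:
    """Point in time offset from T0, to keep scenarios readable."""
    return T0 + timedelta(minutes=minutes, days=days)


def composition_violations(policy: CompositionPolicy, password: str) -> List[str]:
    """Return the ways a password breaks the PCP (empty list means compliant)."""
    problems = []
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if not policy.allow_special and any(c in string.punctuation for c in password):
        problems.append("special characters not allowed")
    return problems


def view_password(acct: VaultedAccount, now: datetime) -> str:
    """Reveal the password; under a change-on-view PVP this schedules a change."""
    if acct.pvp.change_after_view_minutes is not None:
        acct.change_due_at = now + timedelta(minutes=acct.pvp.change_after_view_minutes)
    return acct.password


def checkout(acct: VaultedAccount, now: datetime) -> bool:
    """Exclusive checkout; refused while an earlier checkout is still active."""
    if acct.pvp.checkin_after_minutes is None:
        return False                      # PVP has no checkout workflow
    if acct.checked_out_until is not None and acct.checked_out_until > now:
        return False                      # someone else still holds it
    acct.checked_out_until = now + timedelta(minutes=acct.pvp.checkin_after_minutes)
    return True


def due_actions(acct: VaultedAccount, now: datetime) -> List[str]:
    """What the vault would have to do for this account at time `now`."""
    actions = []
    if now - acct.last_changed >= timedelta(days=acct.pcp.max_age_days):
        actions.append("rotate: max age exceeded")
    if acct.change_due_at is not None and now >= acct.change_due_at:
        actions.append("rotate: viewed")
    if acct.checked_out_until is not None and now >= acct.checked_out_until:
        actions.append("check in: checkout expired")
    return actions


if __name__ == "__main__":
    adm1 = VaultedAccount("adm1", UNIX_PCP, CPOV_3, "abcdefgh12345678", T0)
    print(composition_violations(ORACLE_PCP, "Abc!defghij"))
    view_password(adm1, T0)
    print(due_actions(adm1, at(minutes=3)))
```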


Guided Practice 6-3: Vault for SMTP Account


Goals

Create a target application and target account for the SMTP server and email
account. This will also be utilized in later lab exercises.

Scenario

To support management of credentials, they must be stored in the CA PAM vault. This lab demonstrates the configuration of target accounts and applications.

Time

5 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

SMTP Target Server
a. From the Devices menu, select Manage Devices
b. Review device: XXX.99 SMTP
c. Verify it has Device Type Password Management

SMTP Target Application
a. From the Policy menu, select Manage Passwords
b. From the Targets menu, select Applications and select Add
c. Find server smtp.pam.intra
d. Add application name Vault smtp
e. Set application type Generic
f. Click Save


SMTP Target Account
a. From the Targets menu, select Accounts and select Add
b. Find server smtp.pam.intra
c. Find application Vault smtp
d. Set the account name to administrator
e. Set PVP to Default
f. Set Password to caeducation1
g. Click Save


Guided Practice 6-4: Vault for Syslog/Splunk Account


Goals

Create a target application and target account for the Syslog/Splunk account. This will be utilized in later lab exercises.

Scenario

Similar to the 6-3 lab, this time you are vaulting the Syslog/Splunk account.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Syslog Target Server
a. From the Devices menu, select Manage Devices
b. Review device syslog.voonair.local
c. Verify it has type Password Management

Splunk Target Application
a. While syslog.voonair.local is selected in the Manage Devices section, select Manage Target Applications and then click Add
b. Find server syslog.voonair.local
c. Add application name Vault syslog/splunk
d. Set application type Generic
e. Click Save


Splunk Target Account
a. While in the Target Application list, select Go to Accounts List and click Add
b. Find server syslog.voonair.local
c. Find application Vault syslog/splunk
d. Set PVP to Default
e. Set the account name to: admin and password: caeducation
f. Click Save


Guided Practice 6-5: Windows Domain Service Account


Goals

Create a target application and target account for a Windows domain service
account. This will be utilized in later lab exercises.

Scenario

Another iteration of vaulting credentials, this time for a Windows domain service
account.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Windows Domain Service Target Server. The Active Directory is the target server for WDS type accounts.
a. From the Devices menu, select Manage Devices
b. Review AD device (IP address 192.168.0.10)
c. Device Type: at least Password Management
d. Select Manage Target Applications for the next step


WDS Target Application
a. From the Application List, select Add
b. Find the AD server
c. Use application name: WDS AD
d. Application type: WindowsDomainServices
e. Password Composition Policy: Windows
f. Domain: voonair.local
g. Use port: 636
h. In Descriptor1 add Windows
i. Scroll down and click Save

Add a Windows Domain Target Account
a. From the Application List, select Go To Accounts List in the upper left and click Add
b. Find the AD server and WDS application
c. Account name: testadmin1
d. Enter password: caeducation
e. Enter the user's DN (you can use the LDAP browser to find it):
   CN=Test Admin 1,CN=Users,DC=voonair,DC=local
f. Move the synchronized radio button to both
g. In Descriptor1 add Windows
h. Save
A green circle with a check mark indicates the account is synchronized.


Guided Practice 6-6: WDS Master/Slave Accounts


Goals

Create a Target Account and configure it so that the password is managed/updated using another account. This will be utilized in a later lab exercise.

Scenario

It is a best practice to have an account that is able to manage passwords for other accounts on the domain, user store, or target device.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Add a Windows Domain Target Account.
a. From the Targets menu, select Accounts
b. Click Add
c. Find the AD server and WDS AD application
d. Account name: testadmin2
e. Enter a random value as the password
f. Enter the user's DN (you can use the LDAP browser to find it):
   CN=Test Admin 2,CN=Users,DC=voonair,DC=local
g. Move the synchronized radio button to both
h. Change the change process to use testadmin1 as the master account
i. In Descriptor1 add Windows
j. Save
A green circle with a check mark indicates the account is synchronized.

Observe that the master/slave account can be used where the account password is unknown.


Guided Practice 6-7: UNIX Accounts with Username/Password


Goals

Create target applications and accounts for various UNIX accounts.

Scenario

Local accounts on the target device can and will be managed by CA PAM for the
Voonair implementation.

Time

15 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

UNIX Target Server
a. From the Devices menu, select Manage Devices
b. Review the UNIX1 device: Device Type at least Password Management

UNIX Target Application
a. From the Manage Devices display, select Manage Target Applications and click Add
b. Find the unix1 server
c. Use application name: UNIX unix1
d. Application type: UNIX
e. Password Composition Policy: UNIX
f. Set UNIX variant (in Script Processor section) to Linux
g. In Descriptor1 add UNIX
h. Scroll down and click Save


UNIX Target Account
a. From the Application List screen, select Go To Accounts List in the upper left and click Add
b. Find the unix1 server and UNIX unix1 application
c. Account name: adm1
d. Enter password: caeducation
e. Move the synchronized radio button to both
f. In Descriptor1 add UNIX and click Save
A green circle with a check mark indicates the account is synchronized.

Create adm2 (password: caeducation) on the unix1 server as a target account.
Create adm1 (password: caeducation) on the unix2 server as a target account. The unix2 Target Application will also need to be created.


Guided Practice 6-8: Windows Proxy GUI Install


Goals

Install a Windows Proxy using the GUI installer.

Scenario

Unlike UNIX/Linux, Windows accounts cannot be managed natively by CA PAM. Therefore an agent is installed to perform this and other duties.

Time

20 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

This is the GUI installer of the CA PAM Windows Proxy.
Log in to win1 as user Administrator with password caeducation (local account, not voonair domain).

Install the Windows proxy
a. Run the installer as Administrator for the Windows proxy: C:\software\setup-windowsagent-4.5.3-v2.exe
b. Accept default choices and enter the CA PAM VIP (192.168.0.5 or xsuitea.voonair.local) as the Server Name
c. Start the cspmagentd service
d. Log in to CA Privileged Access Manager and find the proxy registration.


Activate the proxy. It is found in Targets > Proxies.

Use Devices > Tools and verify that port 27077 is open to the Win1 server.
IP Address: 192.168.0.31
Ports: 0-30000


Guided Practice 6-9: Windows Proxy Silent Install


Goals

Install the Windows proxy on a second Windows server using the silent install
script option.

Scenario

This is a repeat of the process from lab 6-8, except that now the installation is done silently against a second Windows server.

Time

15 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

This is the silent installer of the CA Privileged Access Manager Windows Proxy.
Log in to win2 as user Administrator with password caeducation.

Silent install the Windows proxy.
a. Run the silent installer script for the Windows proxy as Administrator: c:\scripts\install-proxy.bat
b. Confirm that the cspmagentd service is running, or start it if needed.

Log in to CA Privileged Access Manager and find the proxy registration.


Activate the proxy running on win2. It is found in Targets > Proxies.

Use Devices > Tools and verify that port 27077 is open to the Win2 server.


Guided Practice 6-10: Local Windows Account


Goals

Create a target application utilizing a Windows proxy to manage local credentials. You will also create the necessary target account.

Scenario

Target accounts local to Windows servers will also be managed by CA PAM for Voonair's implementation. This will utilize the proxy server to manage the credentials.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create a target application for server win1 of type Windows Proxy.
a. Set Application Name to Win1-proxy
b. Choose Application Type: Windows Proxy
c. Choose the scope to be Local Account
d. Choose the proxy installed on the win1 server
e. Save


Create a target account.
a. Select the Win1-proxy Application
b. Account Name: adm1
c. Create a random password (you do not need to know the account password)
d. Select Update both the password authority server and the target
e. Choose to use proxy credentials to update the account
f. Choose to force update the password and click Save
A green circle with a check mark indicates the account is synchronized.

Create another target account for local account adm2 on Win1-proxy using similar settings as you did in the prior step.


Guided Practice 6-11: UNIX Accounts with SSH Key


Goals

Create a Target Account to manage SSH keys on a UNIX server.

Scenario

SSH keys within the Voonair infrastructure are also in scope for the deployment.
You will need to create the necessary configuration to support this need.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

UNIX Target Account SSH key
a. Create a new Target Account
b. Find the unix1 server and UNIX - unix1 application
c. Account name: ec2-user
d. Change the protocol to SSH-2 Public Key
e. The current SSH key is found in C:\classfiles\PAM-Bootstrap1.5\Keys\UX
   Private key: id_rsa (no password on the key)
   Public key: id_rsa.pub
f. Move the synchronized radio button to Update both
g. In Descriptor1 add UNIX
h. Save
A green circle with a check mark indicates the account is synchronized.


Guided Practice 7-1: Automated Login to UNIX Systems


Goals

Create access policy to allow for single sign on using vaulted credentials.

Scenario

Voonair would like for administrators to access target devices without entering
or exposing the credentials. This process will configure that access.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

It is assumed that Error! Reference source not found. has been completed.

Edit the access policy for the abc-admin1 user and unix1 server.
a. Associate the adm1 account to the SSH access method
b. Show the access page and select SSH
Automated login using adm1 should happen.


Multiple accounts for automated login
a. Add adm2 to the SSH access method as a possible login account for the unix1 / abc-admin1 access policy
b. Show the access page and select SSH
c. A popup allowing a choice of adm1 and adm2 is shown
d. Select either of the accounts and automated login should happen


Guided Practice 7-2: Automated Login to Windows Systems


Goals

Create the necessary configuration to support automated login to Windows target devices.

Scenario

Voonair would also prefer the Windows administrators access their target
devices without entering or exposing the credentials.

Time

15 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create a device group for Windows domain servers.
a. Use the AD as credential source
b. Add the AD server and Win1 server as devices to the group
c. Select RDP as Access Method
d. Click Save


Create an access policy for the Windows domain group.
a. Continue using abc-admin1 or the user you are using for testing access policies (likely not super)
b. Add RDP access and associate one or more domain accounts

Show the access page and select RDP for the AD server and for the Win1 server.
a. If only one account is associated, automated login will happen
b. If more than one account is associated, select which account to use
c. If you cannot access win1 as abc-admin1, recall that you may have an access policy for this user and device combination from prior labs

Create an access policy for the Win1 server.
a. RDP access method and associate one local account
b. Option: modify your prior access policy for the Win1 device and abc-admin1 user (which may also be blocking RDP to Win1 from prior labs)
When returning to the access page, don't forget to select Restart Session before attempting access, due to the policy change.


Show the access page and select RDP for the Win1 server.
a. Observe that a choice of multiple accounts, including AD and local accounts, is offered


Guided Practice 7-3: Automated Login to Web Applications


Goals

Create the necessary configuration for automated login to web applications, Splunk in this case. You will also connect to Splunk to test single sign on.

Scenario

Following the method for UNIX and Windows servers, access to web applications
should also be done in a single sign on manner.

Time

15 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create or edit the access policy for user abc-admin1 / syslog server.
a. Add or update the Splunk_SSO service and associate the Vault Syslog/Splunk account
b. Click Save

a. Log in as abc-admin1, show the access page and select Splunk_SSO.
b. If the learn mode was not done, an error is shown
c. Select Splunk_SSO(Learn) to begin


Complete the learn mode step for Splunk_SSO.
a. Right click on each field, mark it accordingly, and then save the learn mode activity

Show the access page and select Splunk_SSO to observe the SSO behavior.


Guided Practice 8-1: Configuration of Password Management


Goals

Configure Password Management for alerting (email) settings and confirm that
alerts are sent via email.

Scenario

Password management requires additional configuration before any workflow configuration can be done.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Set up the e-mail server connection
a. Be sure that you are in Password Management and from the Settings menu, select E-mail settings
b. Choose the Vault SMTP account created in Lab 6-3 as the account for e-mail configuration.
c. The hostname should be set to smtp.voonair.local
d. Set the one click approver to the address of your appliance (xsuitea.voonair.local)
e. Set the from e-mail to xsuite@voonair.local
f. Scroll down and then click Save
g. An update message appears at the top of the screen


Test e-mail notification from Password Management.
a. From the Workflow menu, select Password View Policies and create a PVP using e-mail notification. Set super (email is configured as administrator@voonair.local) and Save
b. Assign the e-mail PVP to an account
c. You will need to edit a target account as well and enable password viewing, adm1 on UNIX1 in this example
d. Edit the access policy for abc-admin1 / unix1 to enable viewing of the password for adm1 on unix1
e. While connected as super, ensure that the email address is set up as administrator@voonair.local by clicking on the My Info option at the top of the CA PAM web UI
f. Log in as abc-admin1 and view the adm1 password on unix1
g. An e-mail notification should be received
h. Connect to the ADS virtual server and open Microsoft Outlook to see the message to the Administrator account


Guided Practice 9-1: PM Target Groups


Goals

Create static and dynamic target groups for password management. Observe the
devices added to each group.

Scenario

Since the management of several target devices will follow a similar model,
Target Groups can be created for ease of management.

Time

15 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named Access and from the desktop launch the shortcut labeled Privileged Access Manager A.

Create a (static) Target Group UNIX containing all UNIX Server accounts.
In Password Management:
a. Select Targets and then Target Groups.
b. Click Add Static Group
c. Name: UNIX
d. Under Group Servers, select the plus sign and filter devices on hostname beginning with unix
e. Click Save and then click Show to observe the accounts visible through the target group


Create a (static) Target Group adm for all adm accounts.
a. Filter on account name. Observe the accounts visible through the target group

Create a (dynamic) Target Group SAP for all accounts where Descriptor1 contains a specific keyword.
a. Filter on Descriptor1 containing the keyword SAP
b. Click Save and then Show to observe the accounts visible through the target group
c. Update two target accounts and add SAP to their Descriptor1 field
Observe the accounts visible through the target group.


Guided Practice 9-2: PM User Groups


Goals

Create user groups for various user types. You will also log in as various users to
test group membership and permission inheritance.

Scenario

As was done for devices, users will also be added to groups for ease of
management.

Time

15 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to
the virtual machine named Access and from the desktop launch the shortcut labeled Privileged
Access Manager A.

1. Create a PM User Group for UNIX account administrators.
   a. From the Groups menu, select User Groups and click Add.
   b. Choose the PM role TargetAdmin and the Target Group UNIX.
   c. Click Save.

2. Create or update a CA PAM user (Student10, for example).
   a. Choose the roles Standard User and Password Manager. Verify that no
      additional inherited roles exist for the user.
   b. Assign the PM User Group UNIX account administrators to the user. Verify
      that no other PM groups are assigned to the user, so that whatever the user
      sees in the next step comes from this one group alone.
   c. Click Save.


   d. Log in as this user and navigate to Manage Passwords. Observe the target
      accounts visible for the user: only accounts on devices in the UNIX target
      group should be listed, and accounts on any other device should not appear.

3. For the same user, add the role Delegated Administrator.
   a. Choose the groups:
      All users
      A device group for UNIX servers
   b. Click Save.
   c. Log in as the user.
   d. The user can create policies for other users, but only for the subset of
      servers in the chosen device group.
   e. The user can create/update PM accounts on UNIX servers.


Guided Practice 9-3: Auditor User


Goals

Create an Auditor user and observe the system access that is granted.

Scenario

To support the needs of Voonair auditors, a read-only user with access to CA
PAM is required.

Time

10 Minutes

Instructions: Continue using the browser session from the prior exercise or, if closed, connect to
the virtual machine named Access and from the desktop launch the shortcut labeled Privileged
Access Manager A.

1. In PM, create a user group for read-only access.
   a. Choose the PM role read-only.
   b. Target group: Targets - all accounts.
   c. Click Save.

2. Create a CA PAM user.
   a. Remove the Standard User role.
   b. Assign the Auditor role for all users and all devices.
   c. Assign the Password Manager role, and assign the PM User Group just
      created.

3. Log in as the auditor user.
   a. Observe that no Access option exists: without the Standard User role the
      auditor is not offered sessions to devices.
   b. Observe that the user has read-only capabilities in PM across all target
      accounts, and confirm that no add, update or delete actions are offered.

Appendix: CA Technologies Dynamic Lab Environment

Appendix: Dynamic Lab Environment Access and User Guide


Getting Started
Dynamic Lab Environment is the name of the CA Education virtual environment for labs and
practice activities. The technology behind the Dynamic Lab Environment is provided by Skytap and
some of the instructions in this document reference Skytap.
This appendix provides the following information:
- System and network requirements
- Self-Directed Learning login and usage information
- Setting up an environment (other than Self-Directed Learning)
- Instructor-Led classroom set up
- Best practices
- Troubleshooting
- Escalating unresolved issues

System Requirements
The minimum system requirements for an individual client machine accessing the Dynamic Lab
Environment are listed below. Please check that you meet the minimum requirements and that
you have the equipment you need before attempting to use the environment.

Operating Systems: Windows XP/2003/Vista/2008/Windows 7/2008 R2/Windows 8/2012;
  Mac OS X 10.7 or higher (Lion or Mountain Lion); Linux variants with supported
  browser and Java versions
Browsers: Internet Explorer 8, 9, or 10; Mozilla Firefox; Google Chrome; Mac OS X Safari
Java Version: Java 1.6, 1.7, or newer.
  If you are unsure which version of Java you are running, click the following link and it
  will auto-detect: http://java.com/en/download/installed.jsp, or type java -version in a
  terminal on Linux.
  If you are running OS X, see Running Java on Mac OS X.
  For information on installing Java on your local Linux machine, see How to install Java on my
  local Linux machine.

Self-Directed Learning Access and Instructions


After you register for the course, you will receive a system-generated email that includes two
important pieces of information:
- A published URL to access your assigned lab environment
- The date and time on which your access to that environment expires
Keep this email as you will need to use the URL whenever you access your lab environment.
Here is a sample email with the two pieces of information highlighted:

Access Your Assigned Lab Environment


Click on the published URL from the email or paste the link in your web browser to access your
assigned lab environment. Use this same link each time you access your dynamic lab environment.
A sample environment with multiple Virtual Machines (VMs) is shown below:


The above sample environment includes three VMs. Your particular environment will be
appropriate for the course activities for which you have registered.
NOTE: When you initially access your environment, you may see a Java prompt, asking if
you want to run this application. Click Run if you see this prompt. It will enable you to
properly connect into the environment and enable the keyboard to work correctly.

Manage Your Assigned Lab Environment


You are allocated a certain amount of lab session time to complete all of the activities associated
with a given course. That time starts once you access your environment and continues to run until
the end date and time specified in the email. The clock continues to run even if you are not actively
working in the environment unless you manage your environment.
Use the Suspend and Run buttons to manage your lab environment. These buttons are shown
below:

Using Suspend to preserve your lab time


Click the Suspend button to stop the Run Time clock. Do this any time you are not working on
course activities to preserve your remaining time. You can suspend any or all of the VMs in your
environment by clicking in the check box in each VM window and then clicking the Suspend button.
The Suspend button is called out in the following sample where all three VMs have been checked:


When you click Suspend, your allocated lab time is preserved and the time clock remains paused
until you change the status to Run. The VMs in a suspended environment display that status as
shown in the following image:

Once you have suspended your environment, you can minimize or close the browser window in
which the environment has been running. Use the same URL you were sent in email to re-open
your environment when you are ready to resume.

Using Run to resume running your lab time


Click the Run button to start up suspended VMs and restart the Run Time clock. The Run button is
called out in the following sample:

This may take several minutes. The environment is ready when the VMs are highlighted in green
and display a Running status. Click on the machine(s) you want to access directly to start or
resume your lab activities.

Tracking lab time using the Run Time clock


The Run Time clock in the upper right corner of your set of VMs tracks how much dynamic lab
environment time you have left.


Network Requirements
We recommend a minimum download speed of 1.16 Mb/sec (about 150 KB/sec) per client connection
(i.e., each individual user). In addition, we recommend latency of 250 ms or less.
If you have a group of 15 users, each connecting to their own client session from the same physical
location concurrently, the recommended amount of bandwidth is 1.16 Mb/sec per user x 15, or
about 17.4 Mb/sec.

Connection Test
If you are connecting for the first time, or connecting from a computer you have never used before,
run the connection and speed tests to make sure that your browser supports a connection to the
Dynamic Lab Environment. These tests are hosted by Skytap directly.
Use the following URL to use the Skytap Connectivity Checker to run connection and speed tests:
https://cloud.skytap.com/tools/connectivity


Instructor-Led Class Set-Up


The Dynamic Lab Environment is accessed directly through a URL link that is provided to the
instructor by a system-generated email. The email includes a class URL as well as instructor and
student position URLs. A sample email is shown below:

1. Click the URL link or copy and paste the link to your web browser. If the URL link is valid, your
web browser will load the environment with the appropriate VM or VM set for hands-on
activities.
2. Examine all VMs and ensure they are running by selecting them and clicking the Run button to
power them on.


Once they are powered on, all VMs will show that they are in a running status and you may
log in to the VMs by clicking the desired VM machine.
3. Click the desired VM machine to connect directly to it.

Note: Most VMs will take you directly to the desktop, but if you are prompted to enter login info,
use the following credentials:
- Username: administrator
- Password: caeducation

Students should have been sent an email message telling them to run the tests before class starts.
As the instructor, a good practice is to send your students an email message introducing yourself
and reminding them to run the connectivity test before the class starts.


Best Practices
Use the following list of best practices to help you avoid potential issues with the Dynamic Lab
Environment:
- Ensure that you are connected to a dedicated hardwired network connection on a
  broadband internet connection.
- Do not use a Wi-Fi connection, because it is more susceptible to latency issues that
  affect performance.
- Close all applications and documents you are not using for your virtual training; applications
  running in the background may use up your computer's bandwidth and affect system
  performance.
- Do not connect to a corporate VPN while connecting to the virtual training class.


Troubleshooting
Run both Connectivity Checker and Speed Test from appropriate application regions and submit
results to educationlabs@ca.com. Before the start of class, make sure your browser supports a
connection to the remote labs.
