Administrating
Date: 22-Mar-2017
CA Privileged Access Manager - 2.8
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.
22-Mar-2017 3/41
Table of Contents
Maintenance 23
  Backup and Recover System and Settings 23
    Configuration and Database Backups 23
      Manual Database Backup 24
      Export 24
    Restore Configuration or Database 24
      Restore from Backup 25
      Reset to Factory Defaults 25
    Back up System 25
      Hardware 25
      AWS: Back Up Instance to Volume 26
    Restore System 27
      Hardware 27
      AWS: Restore Volume to Same Instance 28
      AWS: Restore Volume to New Instance 29
    Appliance or Instance Backup 29
      Physical Appliance System Backup 29
      Cloud Instance Backup 30
  Physical Appliance System Operations 30
    System Backup 30
      BEST PRACTICES 31
    System Recovery 31
    System Upgrades 31
  Database Operations 31
    Best Practices 32
  Session Recordings 32
    Storage Locations 32
      Session Recording 32
    Storage Contingencies 32
      Session Recording Preference 32
  Shellshock Vulnerability Detection 32
    CA Privileged Access Manager Configuration 33
    Operation 33
      CA Privileged Access Manager Log Entry 34
      User Applet Warnings 34
  Host header attack mitigation 34
    Activate A2A Clients 35
    Activate Windows Proxies 36
  Customize the Global Default Preferences 36
    Set the Global Time Zone 36
    Set the Global List Size 37
    Set the Global Start Page 37
  Customize the Global Dashboard 37
  Configure FIPS 140-2 CMVP Certificate 1747 Encryption for Stored Credentials 38
    Enable FIPS 140-2 CMVP Certificate 1747 Cryptography 38
    Delete the Key Encryption Password 39
    Resupply a Deleted Key Encryption Password 40
    Notes About Clustered Environments 41
Administrating
The content in this section describes administrative procedures.
Control User Activity (see page 8)
Set Up Session Recording (see page 12)
Audit User Activity (see page 17)
Maintenance (see page 23)
Credential Manager Administrator Procedures (see page 35)
View Logs of User session activities and other actions caused by them
Manage Sessions
The Sessions, Manage Sessions page provides a list of the current CA Privileged Access Manager User
logins, and for each User, a list of the connection sessions to target Devices. Both the login sessions
and the connection sessions can be controlled in several ways from the Manage Sessions page.
Control User Sessions (see page 8)
Login session control (see page 9)
Connection session control (see page 9)
Batch Control of Sessions (see page 10)
Manage Sessions – View and control (authenticate/terminate/record) User login and connection
sessions
Session Recordings – View a list of recordings, and optionally view any recording (in a separate
viewer application)
Session: This refers to a single instance of a connection to a Device within a login session with CA
Privileged Access Manager. A single line-item within a User login item represents a session. Each user
login can independently establish a session with a device. As with similar lists throughout the
Administration menus, the list can be ordered on any user login column.
The OOB Devices panel appears as an overlay. The page identifies the ports of all OOB device records
configured in CA Privileged Access Manager. It identifies connected ports using colored tabs which
identify status and device: Green for a running device, Red for a disabled device, and Orange for no
status information.
Log User out of CA Privileged Access Manager – Click the (end) icon at the right-hand end of
the User line item.
Force User to Re-Authenticate to CA Privileged Access Manager – Click the (exit) icon, second
from the right-hand end of the User line item.
Disconnect User from Device – Click the X (end) icon at the right-hand end of the Device line
item.
Start recording session – Click the (start recording) icon, second from the right-hand end of
the Device line item. (While session is being recorded, the stop-recording icon appears, as shown
below.)
Stop recording session – Click the (stop recording) icon, second from the right-hand end of the
Device line item. (When session is not being recorded, the start-recording icon appears, as shown
above.)
1. Enter an action and a criterion from the first and second drop-down lists.
2. If your criterion requires you to pick a value, select a criterion value from the available values
in a drop-down list.
3. Click Apply to impose the selected control on the applicable Users or Devices.
Viewing passwords
1. Specify an NFS, CIFS, or AWS S3 storage share and activate recording capability in Config >
Logs.
2. Activate recording in the policy settings for specific User (Group) / Device (Group) pairs.
3. During each User/Device session, a recording is created and stored on the designated share.
4. After recordings have been created, you can find them on the Sessions > Session Recordings
page and invoke the session recording viewer to inspect and play them.
Session Recording pane to specify whether graphical or CLI (text-based) recording is activated.
NFS/CIFS/S3 Settings pane to specify where – NFS or CIFS mount, or AWS S3 storage – recordings
are stored.
Media type: graphical, command line, bidirectional command line, web portal
Manual – A CA Privileged Access Manager administrator can activate session recording while a
session is taking place from the controls within the Sessions > Manage Sessions page: Each
connection session line item has a recording stop/start switch. See Sessions Menu Bar Reference (
https://docops.ca.com/display/CAPAM/Sessions+Menu+Bar+Reference) for details.
Viewer Controls
Panel: Description
Session info: In the top segment of the upper-left panel, information about the session and its
recording is displayed:
Server: target hostname or IP Address
Recording info: In the bottom segment of the upper-left panel, information about the recording itself
is displayed:
Recording type: ssh | RDP | TELNET | TN3270 | TN5250 | VNC | Web
Size: file size (KB)
SHA verification status for recording file: In progress… | Valid | FAILED
Events: In the lower-left panel, any violations that occurred are listed under Events:
Click the blue diamond Question Mark to get information.
Type: Violation or Text (icons)
Time of Event: HH:MM:SS
Description: Brief generic description of violation or text activity
Navigation: The recording begins automatically. To move through the session:
Use the play buttons at the bottom center-right portion of the panel:
Play / Pause
Stop
Fast Forward – toggle to run at 2, 4, or 6 times actual speed
Step Forward – causes a 5-second jump forward.
Drag the progress cursor across the timeline.
Near the lower-left corner, enter figures in the Jump to time field to jump to any point in the
session.
Initially, the represented (recorded) GUI fits against the inside border of the presentation area in the
viewer. You can use:
A dynamic resizer within the viewer interface, Operation > Auto Scale (Ctrl-A), that can be
toggled:
While selected, the recorded GUI expands or contracts against the inner frame of the window
as you resize the viewer. Meanwhile, it displays in a small square the new linear dimension
(either width or height) as a percentage of the original GUI length. After you stop resizing the
viewer, this square quickly fades away.
When unselected, the viewer freezes the recorded GUI to the size of the current inner frame,
so that it no longer changes size as you expand or contract the viewer.
A reset option, Operation > Original Size (1:1) (Ctrl-R), to immediately resize (larger or smaller)
the recorded GUI to its original dimensions
Keyboard shortcuts
Use Ctrl + to zoom in and expand the recorded window in 5 percent increments
Use Ctrl - to zoom out and contract the recorded window in 5 percent decrements
Keyboard-mouse shortcuts
Press Ctrl while moving the mouse (scroll) wheel up to zoom in and expand the recorded
window
Press Ctrl while moving the mouse (scroll) wheel down to zoom out and contract the recorded
window
Mouse panning:
If the recorded window is larger than the viewing window (not completely in view), you can
pan with the mouse. Hold the mouse wheel down to grab and move the recorded window, so
that the viewing window pans across the recorded window.
Zoom control: When you click the magnifying glass icon to the left of the navigation buttons, a
zoom control slider is available. This widget provides you fine-tuned control of the size of the
recorded GUI:
When you move the slider button up or down, you can resize the recorded window in a
continuous motion.
By clicking the plus or minus buttons at the top and bottom of the zoom control, you can
resize the recorded window in 1 percent increments or decrements.
The maximum size of the recorded window is 200 percent of its original linear size. The
minimum size is 180 pixels on the shorter of the two dimensions (height or width).
For example: A recorded 640 x 480 pixel window can be zoomed in (expanded) so that you
view 1280 x 960 pixels. It can be zoomed out (reduced) so that you see an actual viewing size
of 240 x 180 pixels.
1. From the recording viewer menu bar, select Operation > Find to open a small text-search
pane above the output display pane.
2. To the right of Find what, enter a string into the text box, and optionally select checkboxes to
restrict the search to Match case or to match only a Whole word.
3. Click one of the up or down arrows to the right of the text box to reposition the window so
that the next instance of the search term appears in black-on-white text on the top line.
4. Continue clicking the arrow to continue locating matches. At the end of the recording file, the
search returns to the top. You are also notified with a pop-up message.
Recording file contains only file header packet. Possibly the remote server is powered off or security settings are too high.
Deleting the file: gk72-0000001518-20130322092630268_RDP
GUI tools
Syslog messages can be sent to syslog servers. The CA Privileged Access Manager GUI can view and
report on the events that are stored in the MySQL database.
Log messages can be sent to an external MySQL server. This functionality is recommended for
clustered systems, to aggregate the messages.
No additional configuration is necessary to enable event recording to the database. Log recording
settings are configured in Config, Logs.
You can configure the product to purge logs on an hourly, daily, or weekly basis, manually or
automatically. Copies of purged messages are sent to the administrator in ASCII format.
We recommend that copies of the messages also be sent to an outside syslog consolidation server.
Logs can be saved as Reports to comma-separated value (CSV) format files for use in
spreadsheets or other applications.
Reporting can be performed at the syslog level. Alternatively, a security information management
tool can collect the syslog messages.
When clustering is used, CA Privileged Access Manager does not consolidate events.
To delete the column from the display, click the minus (-) sign
To add a new (syslog field) column to the right of the selected column:
3. To add more columns, repeat for desired fields and column locations.
When you exit the Sessions, Logs window, Log column settings are not saved.
2. You can filter by Date Range, with Specific Dates or Relative Days. Relative Days produces a
report for your specified number of days, weeks, or months from the time of the report.
3. Select the Specify IP Info or Specify Applets to filter the logs further.
More fields appear.
Note
After you do the search, the Advanced Search window remains open for more filtering. To
shut the window, click the close button X in the upper right. Original filtering selections are
saved after closing the Advanced Search pop-up window, but only while in the Sessions,
Logs window.
b. To replicate the report at a regular interval and send it by email, click Send Emails.
3. Click Save Report to save the filtered records and stage the email forwarding.
Next Step:
2. Under the Reports heading, a drop-down list appears of the existing saved Reports.
These Payment Card Industry (PCI) Data Security Standard (DSS) version 1.2 reports are also
included:
Session info: In the top segment of the upper-left panel, information about the session and its
recording is displayed:
Server: target hostname, else IP Address
Security layer: SSL (TLS 1.0) | RDP Security Layer
Encryption level: High | Client Compatible | Low | FIPS Compliant
Source IP: client hostname, else IP Address
Resolution: pixels x pixels (graphical recordings only)
Quality: High | Medium | Low (web session recordings only) – refers to Global Settings > Applet
Customization > Web Recording Bit Depth
Duration: HH:MM:SS (except CLI recordings, when not used)
Start time, with CA Privileged Access Manager timezone (for the recording date, see the timestamp
of the recording)
End time (except CLI recordings, when not used)
The panel may also show other fields appropriate to the type of recording.
User info: In the middle segment of the upper-left panel, information about the CA Privileged Access
Manager and target users is displayed:
Target User: target user login ID (when applicable)
Domain: target user domain (when applicable)
CA Privileged Access Manager ID: appliance name (if available) or address
CA Privileged Access Manager User ID: login ID
Recording info: In the bottom segment of the upper-left panel, information about the recording
itself is displayed:
Recording type: ssh | RDP | TELNET | TN3270 | TN5250 | VNC | Web
Size: file size (KB)
SHA verification status for recording file: In progress… | Valid | FAILED
Events: In the lower-left panel, any violations that occurred are listed under Events:
Type: Violation or Text (icons)
Time of Event: HH:MM:SS
Description: Brief generic description of violation or text activity
Navigation: Use the play buttons at the bottom center-right portion of the panel. NOTE Play
buttons are not available on CLI recordings.
Step Backward – causes a 5-second jump backward
Play / Pause
Stop – upon re-Play, returns to beginning
Fast Forward – toggle to run at 2, 4, or 6 times actual speed
Step Forward – causes a 5-second jump forward
Near the lower-left corner, enter figures in the Jump to time field to jump to any point in the
session immediately.
3. The Session Recording Viewer opens loaded with the selected recording.
1. Click View Recording at the right of the desired red violation line item in the Session
Recording list. The Session Recording Viewer window automatically launches and starts
playing from the beginning of the session.
5. Set the Transactions to Violations, and click Search (at bottom of pop-up).
If a policy violation has occurred in an RDP applet session, a View Recording button appears in
its record.
6. Select the View Recording button to bring up the RDP Session Recording Viewer and start
playing from just before the time of the violation.
Maintenance
The following pages describe activities that are recommended for the primary CA Privileged Access
Manager administrator. This list is not exhaustive. Some activities can be delegated to other
administrators.
Backup and Recover System and Settings (see page 23)
Physical Appliance System Operations (see page 30)
Database Operations (see page 31)
Session Recordings (see page 32)
Shellshock Vulnerability Detection (see page 32)
Host header attack mitigation (see page 34)
System backup (includes OS, firmware, configuration data, and provisioning data) – allows you to
roll back the entire CA Privileged Access Manager software; ideally, to a known good state.
Configuration or Database backup – allows you to roll back the appliance settings (for network
context and user-targeted globals) and provisioning or managed object records (for Users,
Devices, access definitions, policy)
AWS instance backup (includes entire instance) – allows you to roll back the entire CA Privileged
Access Manager software; ideally, to a known good state.
Note
Certificates, RSA authentication, and cleartext passwords are not backed up.
A Configuration backup is a file that contains all the unique settings for each CA Privileged Access
Manager appliance. As such, it cannot be restored to or from another unit. This CFG file includes
the network context, globals, and settings such as "Disable Config User."
File name format: gkYYYYMMDDHHMMSS.cfg
A Database backup is a file that contains all the provisioning data for users and user groups,
devices and device groups, socket and command filter appliance configuration, and policies. This
backup includes Access data, and Credential Manager data, with any A2A data. The GZ file can be
used interchangeably between units when appropriate.
File name format: gkdatabaseYYYYMMDDHHMMSS.gz
You have two options to create a configuration and database file backup set:
Automatically and periodically back up to an external mount after you have configured a
schedule. Use Schedule Backup, Save Configuration and Database or Reset Database: Schedule
Backup.
Manually (see page 24) back up to the appliance primary hard drive, by using the feature:
Schedule Backup, Save Configuration and Database or Reset Database: Save Database and
Configuration.
Export
You can export backup files to an external location, protecting them until needed.
Automatically - use Schedule Backup, and select an external Share Path in the schedule.
Immediately before recovering or restoring, you can save and download the logs.
Before a recovery/restoration need arises, you can use the external log server option.
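An added example, not CA's code, that works with the backup file names documented above: it picks the newest complete configuration-plus-database set in an export location and records and verifies SHA-256 digests of the exported copies. The manifest is this example's own addition, not something the product produces; keep it somewhere other than the export share if it is meant to catch tampering rather than only corruption. The sample file names and contents in the test are constructed.

```python
import hashlib
import pathlib
import re
from datetime import datetime

# File name formats from the page: gkYYYYMMDDHHMMSS.cfg and gkdatabaseYYYYMMDDHHMMSS.gz
BACKUP_NAME = re.compile(r"^gk(?P<kind>database)?(?P<stamp>\d{14})\.(?P<ext>cfg|gz)$")


def parse_backup_name(name):
    """Return ("cfg" | "db", datetime) for a backup file name, or None for anything else."""
    m = BACKUP_NAME.match(name)
    if not m:
        return None
    kind = "db" if m.group("kind") else "cfg"
    if (kind == "cfg") != (m.group("ext") == "cfg"):
        return None  # gk...gz or gkdatabase...cfg is not a name the appliance produces
    return kind, datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S")


def backup_sets(names):
    """Group file names by timestamp: {datetime: {"cfg": name, "db": name}}."""
    sets = {}
    for name in names:
        parsed = parse_backup_name(name)
        if parsed:
            kind, stamp = parsed
            sets.setdefault(stamp, {})[kind] = name
    return sets


def latest_complete_set(names):
    """Newest timestamp that has both a .cfg and a .gz, or None if no such pair exists.

    A .cfg only restores to the appliance that wrote it, while the .gz can move
    between units, so a rollback point for one appliance needs both files.
    """
    sets = backup_sets(names)
    for stamp in sorted(sets, reverse=True):
        if {"cfg", "db"} <= sets[stamp].keys():
            return sets[stamp]["cfg"], sets[stamp]["db"]
    return None


def manifest(files):
    """SHA-256 of every exported file as {name: hexdigest}; files is {name: bytes}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def verify(files, expected):
    """Check files against a stored manifest; return (valid, corrupted, missing) name lists."""
    valid, corrupted, missing = [], [], []
    for name, digest in sorted(expected.items()):
        if name not in files:
            missing.append(name)
        elif hashlib.sha256(files[name]).hexdigest() == digest:
            valid.append(name)
        else:
            corrupted.append(name)
    return valid, corrupted, missing


def load_dir(path):
    """Read an export directory into {name: bytes}, keeping only the appliance's backup names."""
    return {p.name: p.read_bytes() for p in pathlib.Path(path).iterdir() if parse_backup_name(p.name)}
```

Run manifest(load_dir(share)) right after the scheduled export and store the result with the change ticket; before a restore, verify(load_dir(share), stored) tells you which files of the chosen set are still what was exported.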
Does not interfere with session recordings. Session Recordings are saved externally, so access to
this data is maintained.
The red highlighted text indicating a violation within recordings is lost for the interval after the
database was last saved. (This highlight is not available for RDP graphical session recordings.)
To restore the entire system, see Restore System (see page 27).
2. In the Configuration and Database File Operations panel, select the file to restore. (See
Configuration and Database Backups (see page 23) for file descriptions.)
a. If the configuration or database you are recovering does not appear in the list, you can
upload a saved backup. In the Database or Configuration File Upload panel, Choose
File to select the database file to Upload. A copy of the backup is now available on CA
Privileged Access Manager.
3. From the drop-down list of files available in the Configuration and Database File Operations
panel, select the file.
4. Click Restore, then click OK in the confirmation pop-up window to begin restoration.
2. In the Schedule Backup, Save Configuration and Database or Reset Database panel in the
middle of the page, click Reset Database to reset configuration to the factory default values.
Back up System
Hardware
Toolbar: Config, Upgrade, Backup & Recovery
1. If this CA Privileged Access Manager appliance is part of a synchronized cluster, turn off the
synchronization.
3. In the Backup & Recovery panel, click Backup to start the process.
4. When you see "Do you really want to backup?", click Proceed to continue.
CA Privileged Access Manager displays a red text message asking you to wait.
When the backup completes, CA Privileged Access Manager automatically reboots, eventually
landing at the login page.
Note
2. From the Navigation panel (the left menu tree), select INSTANCES > Instances.
3. If needed, Search for the instance Name or instance number (labeled "Instance").
4. From the Instance list, select the checkbox of the desired CA Privileged Access Manager
instance.
5. From the Instance Actions menu, select from Instance Actions: Stop to stop the instance to
freeze its state.
Note
6. In the third column, write down or otherwise note the Instance ID for this instance.
7. From the Navigation panel, select ELASTIC BLOCK STORE > Volumes.
8. Identify the volume that is attached to the CA Privileged Access Manager instance you want to
back up.
If the list of volumes is large, click the header of the tenth column Attachment Information,
which re-orders the list in its own alphabetical order. The first component of the attachment
information for each volume is the corresponding Instance ID (noted from a previous step).
10. From the drop-down list at the top of the panel that is labeled More…, select Create Snapshot.
In the shadowed-background pop-up window Create Snapshot that appears, give the snapshot a Name
and optional Description, and click Yes, Create. The snapshot is stored in the same region as the
instance; a volume that you later create from it must be created in the instance's Availability Zone.
11. From the Navigation panel, select ELASTIC BLOCK STORE > Snapshots.
12. You see a line item for your snapshot, and the indicators likely show that is still being created.
13. This snapshot is your full system backup for this point in time. You can use this snapshot to
restore CA Privileged Access Manager to this state by creating a volume from the snapshot.
See the procedure described in the next section. Make a note of the Snapshot ID, especially if
your snapshot Name or Description does not provide identifiable information as to when and
why the snapshot was created.
14. You might also want to create extra snapshots at other points in time. You are not limited in
the number of snapshots.
Restore System
As a CA Privileged Access Manager administrator, you can restore your appliance to a previous state.
Hardware
To restore a hardware appliance, follow these steps:
1. If this CA Privileged Access Manager appliance is part of a synchronized cluster, turn off the
synchronization.
On the Config, Synchronization page, in the Cluster Settings section, select Turn Cluster
Off.
4. When you see "Do you really want to backup?", click Proceed to continue.
CA Privileged Access Manager displays a red text message asking you to wait.
When the recovery completes, CA Privileged Access Manager reboots automatically,
eventually refreshing with the login page.
2. From the Navigation panel (the left menu tree), select INSTANCES > Instances.
a. Find the correct CA Privileged Access Manager instance: Note the Instance (ID) for a
subsequent step.
3. From the Navigation panel (the left menu tree), select ELASTIC BLOCK STORE > Snapshots.
a. If needed, Search on the Name, Snapshot ID, or Description to locate the correct
snapshot.
b. In the left column, select the checkbox of this snapshot. Note the snapshot ID for later
use.
c. From the top-level buttons in this panel, select Create Volume. In the shadowed-
background pop-up window Create Volume that appears, give the recovered volume a
Size that is equal to or larger than the original, and select the same Availability Zone as
the CA Privileged Access Manager instance: a volume can only be attached to an instance
in its own zone.
4. From the Navigation panel (the left menu tree), select ELASTIC BLOCK STORE > Volumes.
a. Confirm that the recovery volume has been created: Check for the snapshot ID.
i. The newly recovered volume is now available in the Volumes list – but it is not
attached to a machine instance (the Attachment Information field is blank).
ii. If the number of volume instances is large, you can reorder the Snapshot [ID]
list. You can scan alphabetically for the correct snap-xxxxxxxx number to
confirm that the volume exists.
iii. If the number of volume instances is large, you can reorder the Attachment
Information list. You can scan alphabetically for the correct instance number,
which begins the Attachment Information string.
c. In the left column, select the checkbox of this volume you want to replace.
d. From the drop-down list at the top of the panel that is labeled More…, select Detach
Volume. This can take a few minutes. In the upper right of the panel, click Refresh to
confirm completion.
e. In the left column, select the checkbox of the volume you want to recover (swap in).
f. From the top-level buttons in this panel, select Attach Volume. In the shadowed-background pop-up window Attach Volume that appears, select the CA Privileged Access Manager Instance, and for Device, enter "/dev/sda".
5. From the Navigation panel (the left menu tree), select INSTANCES > Instances.
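The EBS steps above (locate the instance and snapshot, create a volume no smaller than the original, detach the current volume, attach the recovered one as /dev/sda) can be scripted. The following is an added example, not CA's code or part of this documentation: it drives the same operations through the `aws` CLI, which it assumes is installed and authenticated. The stop/start of the instance is an assumption of the example, because EC2 only allows a root device to be detached from a stopped instance; the console procedure above does not mention it.

```python
"""Recover a CA PAM AMI instance from an EBS snapshot using the AWS CLI.

Added example: mirrors the console steps above (instance, snapshot, volume,
detach, attach) by shelling out to `aws ec2`. Requires a configured AWS CLI.
"""
import subprocess
import sys

ROOT_DEVICE = "/dev/sda"  # device name given in the procedure above


def recovery_volume_size(original_gib: int, requested_gib: int) -> int:
    """Enforce the rule above: the recovered volume is equal to or larger than the original."""
    if original_gib <= 0 or requested_gib <= 0:
        raise ValueError("volume sizes must be positive GiB values")
    return max(original_gib, requested_gib)


def aws_run(*args: str) -> str:
    """Run one `aws ec2` subcommand and return its stdout (raises on a non-zero exit)."""
    cmd = ["aws", "ec2", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


def aws_query(*args: str) -> str:
    """Same as aws_run, but with plain-text output so a single JMESPath value can be read back."""
    return aws_run(*args, "--output", "text")


def restore_from_snapshot(instance_id: str, snapshot_id: str,
                          requested_gib: int, device: str = ROOT_DEVICE) -> str:
    """Swap the instance's root volume for one created from snapshot_id; returns the new volume ID."""
    # Step 2 above: the instance, and the AZ the new volume has to live in.
    az = aws_query("describe-instances", "--instance-ids", instance_id,
                   "--query", "Reservations[0].Instances[0].Placement.AvailabilityZone")
    # Step 3: size of the snapshot's source volume, then Create Volume.
    original_gib = int(aws_query("describe-snapshots", "--snapshot-ids", snapshot_id,
                                 "--query", "Snapshots[0].VolumeSize"))
    size = recovery_volume_size(original_gib, requested_gib)
    new_vol = aws_query("create-volume", "--snapshot-id", snapshot_id, "--size", str(size),
                        "--availability-zone", az, "--query", "VolumeId")
    # Step 4a: the volume exists but is not attached to anything yet.
    aws_run("wait", "volume-available", "--volume-ids", new_vol)
    # Assumption of this example: a root device can only be detached from a stopped instance.
    aws_run("stop-instances", "--instance-ids", instance_id)
    aws_run("wait", "instance-stopped", "--instance-ids", instance_id)
    # Step 4c/4d: find the volume currently on the root device and detach it
    # ("this can take a few minutes": the waiter replaces clicking Refresh).
    old_vol = aws_query(
        "describe-instances", "--instance-ids", instance_id, "--query",
        f"Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='{device}'].Ebs.VolumeId | [0]")
    aws_run("detach-volume", "--volume-id", old_vol)
    aws_run("wait", "volume-available", "--volume-ids", old_vol)
    # Step 4e/4f: attach the recovered volume on the same device and bring the instance back.
    aws_run("attach-volume", "--volume-id", new_vol, "--instance-id", instance_id, "--device", device)
    aws_run("wait", "volume-in-use", "--volume-ids", new_vol)
    aws_run("start-instances", "--instance-ids", instance_id)
    return new_vol


if __name__ == "__main__":
    # usage: restore_from_snapshot.py <instance-id> <snapshot-id> <size-gib>
    inst, snap, gib = sys.argv[1], sys.argv[2], int(sys.argv[3])
    print(restore_from_snapshot(inst, snap, gib))
```

The old volume is left in place after detaching so it can be re-attached if the recovered volume does not boot; delete it only once the appliance is confirmed working.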
Automatically, during every Hotfix installation that requires a reboot, and every Upgrade
installation. (There is no need to perform a backup manually in advance.)
NOTE During a backup, the previous version is written over with the new one so that only the most
recent backup is ever in CA Privileged Access Manager storage. This backup cannot be exported. To
protect settings and data, you can export configuration and database backups.
Recover a backup, which returns the CA Privileged Access Manager software back to the previously
saved state:
System Backup
Copy complete firmware, configuration and database system to internal storage (secondary drive)
NOTE System Backup can only be performed on a CA Privileged Access Manager appliance, not an
AWS CA Privileged Access Manager AMI instance.
A full CA Privileged Access Manager system backup (including: OS, firmware, configuration settings of
the appliance, provisioning data of managed users and devices) to its internal storage (secondary
drive) can be manually initiated through the Backup Appliance panel by clicking the Backup button.
NOTE These are characteristics of system backups:
Single backup maintained – Because the secondary drive stores up to an entire (primary) drive's
capacity, it can contain only the most recently executed Backup.
Upgrade background component – As part of any Hotfix that requires a reboot or any upgrade,
CA Privileged Access Manager performs the Backup process automatically and silently.
During backup –
Full copy made – During the backup process, the secondary drive makes a complete copy of the
primary drive.
Reboots automatically – After copying the primary drive, CA Privileged Access Manager will
automatically reboot.
BEST PRACTICES
Maintain regular, automated Database Backups – Schedule periodic backup of the database and
configuration to an external location. See Database Operations .
Avoid production impact – To avoid production impact, perform System Backup only during an
installation or maintenance window.
System Recovery
Recover complete firmware, configuration and database system from the last backup to internal
storage (secondary drive)
NOTE System Backup can only be performed on a CA Privileged Access Manager appliance, not an
AWS CA Privileged Access Manager AMI instance.
IMPORTANT This procedure should be performed only when recommended by CA Technologies CA
Privileged Access Manager Support. After this procedure, CA Privileged Access Manager will
automatically reboot. To avoid production impact, perform this action only during an installation or
maintenance window.
A CA Privileged Access Manager system that has previously been backed up to its internal storage
(secondary drive) can be restored through the Backup & Recovery panel by clicking the Recover
button. If the system has become inaccessible from the network, Recovery is also possible from the
Console in coordination with CA Technologies CA Privileged Access Manager Support.
System Upgrades
To prepare and execute your upgrade, use these documents:
1. The currently published version of CA Privileged Access Manager Update Paths, to identify any
previous versions or patches or other prerequisites
2. The latest version of the CA Privileged Access Manager Release Notes for your release, which
provides Upgrade procedures for single and clustered CA Privileged Access Manager
appliances.
Database Operations
CA Privileged Access Manager contains two databases – one database for configuration, and another
for provisioning. Features that allow the administrator to view and manipulate these databases are
on the Config, Database page. See Configure Your Database (https://docops.ca.com/display/CAPAM28/Configure+Your+Database) for information about database operations, including backup (https://docops.ca.com/display/CAPAM28/Schedule+a+Database+Backup) and restoration (https://docops.ca.com/display/CAPAM28/Database+Restoration).
Configuration (.cfg) files can only be used on the appliance where they were created.
Database (.gz) files can be used to recreate provisioning on other units: Services, Users, Devices,
Command Filter Lists, Socket Filter Lists, Policies
The files that are stored on the CA Privileged Access Manager secondary drive can be
downloaded, deleted, or used to restore the database.
Best Practices
Be sure to configure and schedule regular backups of the database and configuration files.
Keep ongoing operations and CA Privileged Access Manager maintenance to a minimum so that
they do not require more than one day per month.
The CA Privileged Access Manager appliance is not meant as a storage device. More external
capacity might be necessary to comply with log retention policy.
Session Recordings
Session recordings require these settings for global storage before recordings can be saved to files.
NOTE Session recording settings are first set up during initial configuration – please see links below to
configuration sections.
Storage Locations
Session Recording
The Session Recording panel specifies where, among the log storage locations specified, recordings
will be saved.
Storage Contingencies
Session Recording Preference
The Session Recording Preference panel specifies whether recording save attempts should be made
when storage is not reliable.
a User employs an SSH or Telnet Access Method applet to connect to a remote target device; and
If the vulnerability is found, CA Privileged Access Manager logs a message and (if configured) alerts
the User to that effect. The patch does not alter anything on the target device. Remediation of the
affected target device is the responsibility of the customer.
If the shell is changed during an active connection, this feature is not supported. If you are not using
the Bash shell at the initial connection, it does not detect the vulnerabilities.
Note
This feature is adapted from and works the same as the one provided by 2.3 Hotfix 5 and
2.4 Hotfix 6. (Those patches were first distributed in early October 2014.)
1. In the Applet Customization panel on the Global Settings page, select Enable Shellshock
Vulnerability Checks.
2. In the drop-down list to the right, select a Vulnerability Reporting Mode. (See log entry and
warning illustrations in User Experience (https://docops.ca.com/display/CAPAM28/Windows+OS).)
The two mode options are:
3. Log: If the vulnerability exists, log this finding in CA Privileged Access Manager (Sessions, Logs).
4. Log and Warn: If the vulnerability exists, log this finding in CA Privileged Access Manager.
Warn the User with a pop-up window and a terminal message emission on the command line.
Operation
If an administrator enables the vulnerability checks (CA PAM Configuration (https://docops.ca.com/display/CAPAM28/Windows+OS)), then when – and only then – a User makes the initial command key input to a connection in an SSH or Telnet Access Method applet, CA Privileged Access Manager makes a log entry and – if enabled – user warnings.
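The appliance check above runs against the remote shell when a session opens; the details of how CA Privileged Access Manager performs it are not given here. As an added example (not CA's implementation), the script below performs the equivalent self-check on a host you administer, using the widely published benign Shellshock probe: a function definition placed in an environment variable with a trailing `echo`. A patched bash ignores the trailing command (and usually warns on stderr); an unpatched bash executes it, which is the condition to remediate. Like the feature above, it only says something about bash; other shells are out of scope.

```python
"""Self-check a local bash binary for Shellshock (added example, not CA's code).

The probe places a function definition plus a trailing, harmless `echo` in an
environment variable and starts bash. Only an unpatched bash runs the trailing
command, so its marker appearing in stdout means the binary needs patching.
"""
import shutil
import subprocess
from typing import Optional

PROBE_VAR = "() { :;}; echo SHELLSHOCK_PROBE"  # benign trailing command
MARKER = "probe-complete"                        # proves bash itself ran


def interpret_probe_output(stdout: str) -> bool:
    """True when the trailing command from the environment variable was executed."""
    lines = [line.strip() for line in stdout.splitlines()]
    return "SHELLSHOCK_PROBE" in lines


def probe_bash(bash_path: Optional[str] = None) -> Optional[dict]:
    """Run the probe against one bash binary; None if no bash is installed."""
    path = bash_path or shutil.which("bash")
    if path is None:
        return None
    # Minimal environment: just PATH and the probe variable.
    env = {"PATH": "/usr/bin:/bin", "x": PROBE_VAR}
    result = subprocess.run([path, "-c", f"echo {MARKER}"], env=env,
                            capture_output=True, text=True, timeout=10)
    return {
        "bash": path,
        "probe_completed": MARKER in result.stdout,   # bash started and ran -c
        "vulnerable": interpret_probe_output(result.stdout),
        "stderr": result.stderr.strip(),                # patched bash warns here
    }


if __name__ == "__main__":
    report = probe_bash()
    if report is None:
        print("no bash binary found on PATH")
    else:
        state = "VULNERABLE" if report["vulnerable"] else "not vulnerable"
        print(f"{report['bash']}: {state}")
        if report["stderr"]:
            print(f"  bash said: {report['stderr']}")
```

Run it on the target hosts themselves (or through your configuration-management tool) rather than from the appliance; as the text above notes, the appliance only reports the condition and remediation remains with the device owner.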
Note:
The following procedures assume that you have installed an A2A Client, Windows Proxy, or
both. For the A2A Client, the A2A Client daemon (UNIX) or service (Windows) must be
running. See Install Credential Manager Components (https://docops.ca.com/display/CAPAM28/Install+Credential+Manager+Components) for details.
3. For an initial activation, in the Item list, click Clients Requiring Initial Activation. A list of
installed A2A Clients appears. Notice that the entry in the Active column is set to false.
4. Click the host name of the client. The Client Details page appears. Notice that the Status is
Inactive.
6. Click Save. The Client List page appears showing your A2A Client in an active state.
3. For an initial activation, in the Item list, click Proxies Requiring Initial Activation. A list of
installed Proxies appears. Notice that the entry in the Active column is set to false.
4. Click the host name of the proxy. The Proxy Details page appears. Notice that the Status is
Inactive.
6. Click Save.
The Proxy List page appears showing your Windows Proxy in an active state.
2. Click the Settings tab and then select UI Settings. The UI Settings window appears.
5. Click Save.
2. Click the Settings tab and then select UI Settings. The UI Settings window appears.
3. Enter an integer value for the number of list entries per page.
4. Click Save.
2. Click the Settings tab and then select UI Settings. The UI Settings window appears.
4. Click Save.
2. Click the Settings tab and then select UI Settings. The UI Settings window appears.
4. To add a new item to the Dashboard Summary, click the Plus icon, select an entry from the list
of dashboard items available to add, and click Add.
5. To remove an entry from the Dashboard Summary, click the Remove icon at the end of the
row and click Save. The Remove icon is a yellow X.
6. To re-position a list item, drag-and-drop the item to the desired location or click the Up or the
Down icon at the end of the row and click Save.
7. To set a threshold limit that activates a warning icon in the Dashboard Summary, enter a
value in the Threshold field. For example, if you set a threshold value of 5 for Passwords Not
Verified and the number of unverified passwords reaches 5 or more, a warning icon appears
in the Dashboard Summary page.
You can also configure Credential Manager to use the OpenSSL FIPS Object Module that is validated
to FIPS 140-2 CMVP certificate 1747 to encrypt and decrypt stored credentials.
Tip: We recommend that you configure FIPS 140-2 CMVP Certificate 1747 encryption for
stored credentials because it uses true (hardware-based) random number generation for
the primary encryption key. Additionally, it provides faster encryption and decryption than
the default software encryption module.
Note: If you require hardware-based encryption for stored credentials, you can configure a
Hardware Security Module (HSM (https://docops.ca.com/pages/viewpage.action?pageId=369270530)).
Enable FIPS 140-2 CMVP Certificate 1747 Cryptography (see page 38)
Delete the Key Encryption Password (see page 39)
Resupply a Deleted Key Encryption Password (see page 40)
Notes About Clustered Environments (see page 41)
1. Log in to the CA Privileged Access Manager Server Web UI or the CA Privileged Access
Manager Client.
3. Scroll down to the Configure FIPS 140-2 CMVP Certificate 1747 Encryption for Credential
Manager panel.
4. Enter a password to use to generate the encryption key in the Password field. The password
must be at least 16 characters long and must contain at least one of each of the following
character types:
Numbers (1-9)
Note: The password that you supply is used to encrypt and decrypt the AES256
encryption key each time the server is started. For convenience, the password is
encrypted and stored so that you do not need to supply it manually after each
restart. Optionally, you can delete (see page 39) it from the storage for extra
security.
6. Select Enable.
The CA Privileged Access Manager Server reboots. Upon restart, all stored credentials are
reencrypted using the OpenSSL FIPS Object Module.
1. Log in to the CA Privileged Access Manager Server Web UI or the CA Privileged Access
Manager Client.
3. Scroll down to the Configure FIPS 140-2 CMVP Certificate 1747 Encryption for Credential
Manager panel.
Note: After the key encryption password is deleted, Credential Manager continues
to function until the server is restarted. Upon restart, Credential Manager is
disabled until the password is reentered.
1. Log in to the CA Privileged Access Manager Server Web UI or the CA Privileged Access
Manager Client.
3. Scroll down to the Configure FIPS 140-2 CMVP Certificate 1747 Encryption for Credential
Manager panel.
4. Type the key encryption password in the Password field and select Submit.
The encryption key is regenerated and used to decrypt the stored credentials and Credential
Manager is reenabled.
Note: Depending on the number of stored credentials, initial decryption can take some
time. We recommend waiting one minute before attempting to use Credential Manager
features.
To delete the key encryption password, delete it manually from each node in the cluster.
Important! If the key encryption password was previously deleted and the cluster must be
restarted, the password must be reentered before restarting the cluster. Otherwise, the
cluster does not restart properly and Credential Manager does not function correctly. Once
the password has been reentered, the cluster and Credential Manager function correctly.
For more information about clustered environments, see Implement a Cluster (see page 38).
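The key encryption password behaviour described in the preceding sections (a password-derived key for stored credentials, a stored copy of the password that unlocks the service on restart, a deleted copy that leaves the service working only until the next restart, re-entry that regenerates the key, and the requirement that every cluster node has its password before a cluster restart) is modelled below. This is an added example written for this page, not CA's code: it uses standard-library PBKDF2 and HMAC, the KDF parameters are assumptions, the stored password is kept in plain memory rather than encrypted, and it does not reproduce the appliance's actual credential encryption. Re-entering a password re-stores it by default, an assumption that matches the cluster note above.

```python
"""Lifecycle model of the Credential Manager key encryption password.

Added example, not CA's code. Shows why deleting the stored password is a
security control: without it, nothing on disk can regenerate the key after a
restart, so the service stays disabled until an operator resupplies it.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000   # assumption; the appliance's KDF parameters are not documented above
MIN_PASSWORD_LENGTH = 16      # stated requirement


def password_meets_policy(password: str) -> bool:
    """Length and digit rules stated above (the page's other required character classes are not reproduced)."""
    return len(password) >= MIN_PASSWORD_LENGTH and any(c.isdigit() for c in password)


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 256-bit key; stands in for the key generation step above."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


@dataclass
class CredentialManagerNode:
    salt: bytes
    verifier: bytes                  # HMAC under the key over a fixed label: rejects wrong passwords
    cached_password: Optional[str]   # models the stored copy used to auto-unlock on restart
    key: Optional[bytes] = field(default=None, repr=False)

    @staticmethod
    def _verifier_for(key: bytes) -> bytes:
        return hmac.new(key, b"credential-manager-key-check", "sha256").digest()

    @classmethod
    def enable(cls, password: str, cache_password: bool = True) -> "CredentialManagerNode":
        """Initial enablement: derive the key and (optionally) store the password."""
        if not password_meets_policy(password):
            raise ValueError("password does not meet the stated policy")
        salt = secrets.token_bytes(16)
        key = derive_key(password, salt)
        return cls(salt=salt, verifier=cls._verifier_for(key),
                   cached_password=password if cache_password else None, key=key)

    @property
    def enabled(self) -> bool:
        return self.key is not None

    def restart(self) -> bool:
        """The in-memory key is lost; the stored password, if any, regenerates it."""
        self.key = None
        if self.cached_password is None:
            return False              # Credential Manager stays disabled until resupply()
        return self.resupply(self.cached_password)

    def delete_cached_password(self) -> None:
        """Remove the stored copy; the running service keeps working until restart()."""
        self.cached_password = None

    def resupply(self, password: str, cache_password: bool = True) -> bool:
        """Re-enter the password: regenerate the key only if the verifier matches."""
        candidate = derive_key(password, self.salt)
        if not hmac.compare_digest(self._verifier_for(candidate), self.verifier):
            return False
        self.key = candidate
        if cache_password:
            self.cached_password = password
        return True


def nodes_blocking_cluster_restart(nodes: Dict[str, CredentialManagerNode]) -> List[str]:
    """Nodes that still need the password re-entered before the cluster can be restarted."""
    return [name for name, node in nodes.items() if node.cached_password is None]
```

The verifier is what lets a wrong password be refused without decrypting anything; a real implementation would additionally protect the stored password at rest, as the note above says the appliance does.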