
CA Privileged Access

Manager - 2.8
Administrating

Date: 22-Mar-2017
CA Privileged Access Manager - 2.8

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.

Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.

Table of Contents

Control User Activity .................................................................................... 8


Manage Sessions ........................................................................................................................................ 8
Control User Sessions .......................................................................................................................... 8
CA Privileged Access Manager Login and Device Connection Sessions .................................... 8
Connections for OOB Devices ..................................................................................................... 9
Login session control ............................................................................................................................ 9
Connection session control ................................................................................................................... 9
Batch Control of Sessions ................................................................................................................... 10
Manage credential use .............................................................................................................................. 11

Set Up Session Recording ........................................................................ 12


Implement Session Recording .................................................................................................................. 12
Configure Session Recording .................................................................................................................... 12
Activate Session Recording ...................................................................................................................... 12
Viewing Session Recordings ..................................................................................................................... 13
Viewer Controls ................................................................................................................................... 13
Resizing the Window ........................................................................................................................... 14
Searching Text Within CLI Recording ................................................................................................. 15
Audit Session Recordings ......................................................................................................................... 16
Disrupted Recordings .......................................................................................................................... 16

Audit User Activity ..................................................................................... 17


View Logs and Reports ............................................................................................................................. 17
View Unfiltered Logs ................................................................................................................................. 17
View Log Entries ................................................................................................................................. 18
Change Log Fields Displayed ............................................................................................................. 18
Filter Logs to Create CA Privileged Access Manager Reports .................................................................. 18
Apply Filter to Log Records ................................................................................................................. 18
Save Filtered Logs as a CA Privileged Access Manager Report ........................................................ 19
View Access Reports ................................................................................................................................ 20
View Session Recordings .......................................................................................................................... 20
View a Session Recording .................................................................................................................. 21
View Session Recording Violations ..................................................................................................... 21

Maintenance .............................................................................................. 23
Backup and Recover System and Settings ............................................................................................... 23
Configuration and Database Backups ................................................................................................. 23
Manual Database Backup .......................................................................................................... 24
Export ......................................................................................................................................... 24
Restore Configuration or Database ..................................................................................................... 24
Restore from Backup ................................................................................................................. 25
Reset to Factory Defaults ........................................................................................................... 25
Back up System .................................................................................................................................. 25
Hardware .................................................................................................................................... 25
AWS: Back Up Instance to Volume ............................................................................................ 26
Restore System ................................................................................................................................... 27
Hardware .................................................................................................................................... 27
AWS: Restore Volume to Same Instance .................................................................................. 28
AWS: Restore Volume to New Instance .................................................................................... 29
Appliance or Instance Backup ............................................................................................................. 29
Physical Appliance System Backup ........................................................................................... 29
Cloud Instance Backup .............................................................................................................. 30
Physical Appliance System Operations ..................................................................................................... 30
System Backup ................................................................................................................................... 30
BEST PRACTICES .................................................................................................................... 31
System Recovery ................................................................................................................................ 31
System Upgrades ................................................................................................................................ 31
Database Operations ................................................................................................................................ 31
Best Practices ..................................................................................................................................... 32
Session Recordings .................................................................................................................................. 32
Storage Locations ............................................................................................................................... 32
Session Recording ..................................................................................................................... 32
Storage Contingencies ........................................................................................................................ 32
Session Recording Preference .................................................................................................. 32
Shellshock Vulnerability Detection ............................................................................................................ 32
CA Privileged Access Manager Configuration .................................................................................... 33
Operation ............................................................................................................................................ 33
CA Privileged Access Manager Log Entry ................................................................................. 34
User Applet Warnings ................................................................................................................ 34
Host header attack mitigation .................................................................................................................... 34

Credential Manager Administrator Procedures ......................................... 35


Activate Clients and Proxies ...................................................................................................................... 35

Activate A2A Clients ............................................................................................................................ 35
Activate Windows Proxies ................................................................................................................... 36
Customize the Global Default Preferences ............................................................................................... 36
Set the Global Time Zone ................................................................................................................... 36
Set the Global List Size ....................................................................................................................... 37
Set the Global Start Page ................................................................................................................... 37
Customize the Global Dashboard ............................................................................................................. 37
Configure FIPS 140-2 CMVP Certificate 1747 Encryption for Stored Credentials .................................... 38
Enable FIPS 140-2 CMVP Certificate 1747 Cryptography .................................................................. 38
Delete the Key Encryption Password .................................................................................................. 39
Resupply a Deleted Key Encryption Password ................................................................................... 40
Notes About Clustered Environments ................................................................................................. 41


Administrating
The content in this section describes administrative procedures.
Control User Activity (see page 8)
Set Up Session Recording (see page 12)
Audit User Activity (see page 17)
Maintenance (see page 23)
Credential Manager Administrator Procedures (see page 35)


Control User Activity


Administrators can view a list of the current login and connection sessions active on CA Privileged
Access Manager, and do the following with them:

Terminate Login or Connection session by a User to CA Privileged Access Manager

Force Re-Authentication of a User to CA Privileged Access Manager

Start or Stop Recording a User connection session to a target Device

View Logs of User session activities and other actions caused by them

View Recording of a completed connection session

Manage Sessions
The Sessions, Manage Sessions page provides a list of the current CA Privileged Access Manager User
logins, and for each User, a list of the connection sessions to target Devices. Both the login sessions
and the connection sessions can be controlled in several ways from the Manage Sessions page.
Control User Sessions (see page 8)
Login session control (see page 9)
Connection session control (see page 9)
Batch Control of Sessions (see page 10)

Control User Sessions


The Sessions item on the CA Privileged Access Manager menu bar allows several production-stage
administrative activities:

Manage Sessions – View and control (authenticate/terminate/record) User login and connection
sessions

Logs – View the session log entries

Session Recordings – View a list of recordings, and optionally view any recording (in a separate
viewer application)

CA Privileged Access Manager Login and Device Connection Sessions


The Sessions, Manage Sessions page shows a list of the current User login sessions with CA Privileged
Access Manager. After you select a User, the connection sessions to target Devices for that User are
displayed in a shaded pane.
Login: This is a single instance of a User account login session with CA Privileged Access Manager. A
single line-item on the Manage Sessions page represents a login.

Session: This refers to a single instance of a connection to a Device within a login session with CA
Privileged Access Manager. A single line-item within a User login item represents a session. Each user
login can independently establish a session with a device. As with similar lists throughout the
Administration menus, the list can be ordered on any user login column.

Connections for OOB Devices


To create a view of all OOB category Devices (Console, KVM, Power) showing enabled services, run the reports under the Sessions menu button, Overview screen. Separate reports exist for out-of-band and standard devices.

1. Select from the Menu Bar: Sessions > Manage Sessions.

2. From the upper right, select the link OOB Devices.

The OOB Devices panel appears as an overlay. The page identifies the ports of all OOB device records
configured in CA Privileged Access Manager. It identifies connected ports using colored tabs which
identify status and device: Green for a running device, Red for a disabled device, and Orange for no
status information.

Login session control


To control an ongoing login session from a User access point (desktop client) to CA Privileged Access
Manager, you can:

Log User out of CA Privileged Access Manager – Click the (end) icon at the right-hand end of
the User line item.

Force User to Re-Authenticate to CA Privileged Access Manager – Click the (exit) icon, second
from the right-hand end of the User line item.

Connection session control


To control an ongoing connection session from a User access point (desktop client) through CA
Privileged Access Manager to a target Device, you can:

Disconnect User from Device – Click the X (end) icon at the right-hand end of the Device line
item.

Start recording session – Click the (start recording) icon, second from the right-hand end of
the Device line item. (While session is being recorded, the stop-recording icon appears, as shown
below.)

Stop recording session – Click the (stop recording) icon, second from the right-hand end of the
Device line item. (When session is not being recorded, the start-recording icon appears, as shown
above.)


Batch Control of Sessions


To control a specific session or group of CA Privileged Access Manager sessions according to a set of
criteria, use batch control. The batch control panel is near the top of the Manage Sessions page.

1. Enter an action and a criterion from the first and second drop-down lists.

2. If your criterion requires you to pick a value, select a criterion value from the available values
in a drop-down list.

3. Click Apply to impose the selected control on the applicable Users or Devices.

The table below lists, for each batch Action, the available Criterion values, where the Criterion Values come from, and the resulting Behavior.

Login session options: apply to User login sessions to CA Privileged Access Manager

Log out
    Criterion: All, User, Group, Auth. Type
    Criterion Values: If Criterion is not 'All', select from all configured CA Privileged Access Manager login session criterion values.
    Behavior:
    1. Request acknowledgment from administrator.
    2. Disconnect Users from CA Privileged Access Manager.
    3. Display message to Users (over login page).

Re-Authenticate
    Criterion: All, User, Group, Auth. Type
    Criterion Values: If Criterion is not 'All', select from all configured CA Privileged Access Manager login session criterion values.
    Behavior:
    1. Request acknowledgment from administrator.
    2. Suspend User sessions.
    3. Display login request to Users (over login page).
    4. If authentication succeeds, restore suspended User session. If authentication fails, end session.

Connection session options: apply to User connection sessions to target Devices

Disconnect
    Criterion: All, Device, Group, Location, Address, Port
    Criterion Values: If Criterion is not 'All', select from all configured target Device connection criterion values.
    Behavior:
    1. Request acknowledgment from administrator.
    2. Disconnect Users from target Device.
    3. Display message to Users.

Record
    Criterion: All, Device, Group, Location, Address, Port
    Criterion Values: If Criterion is not 'All', select from all configured target Device connection criterion values.
    Behavior:
    1. Request acknowledgment from administrator.
    2. Interrupt User sessions and start recording.
    3. Resume session to Users.

Stop
    Criterion: All, Device, Group, Location, Address, Port
    Criterion Values: If Criterion is not 'All', select from all configured target Device connection criterion values.
    Behavior:
    1. Request acknowledgment from administrator.
    2. Interrupt User sessions and stop recording.
    3. Resume session to Users.
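As an added illustration of the batch-control scoping described in this section (example code written for this page, not part of the CA Privileged Access Manager product or its documentation), the following dry-run model filters a constructed list of login and connection sessions by the criteria in the table and returns the sessions an action would touch before it is applied. The session record fields, the mapping from each Criterion to a record field, and the sample sessions are assumptions made for the example; the product exposes batch control only through its GUI.

```python
"""Dry-run model of Manage Sessions batch control.

Added example, not CA Privileged Access Manager code. Session record
fields, the criterion-to-field mapping and the sample sessions are
assumptions made for illustration.
"""
from dataclasses import dataclass, field

# Criteria the documentation lists for each session type, mapped to the
# record field they are assumed to match against ('All' matches everything).
LOGIN_CRITERIA = {"All": None, "User": "user", "Group": "group",
                  "Auth. Type": "auth_type"}
CONNECTION_CRITERIA = {"All": None, "Device": "device", "Group": "device_group",
                       "Location": "location", "Address": "address", "Port": "port"}
LOGIN_ACTIONS = {"Log out", "Re-Authenticate"}
CONNECTION_ACTIONS = {"Disconnect", "Record", "Stop"}


@dataclass
class ConnectionSession:          # one connection to a target Device
    device: str
    device_group: str
    location: str
    address: str
    port: int
    recording: bool = False


@dataclass
class LoginSession:               # one User login; connections live inside it
    user: str
    group: str
    auth_type: str
    connections: list = field(default_factory=list)


def preview_batch(logins, action, criterion, value=None):
    """Return what a batch action would affect, without applying it.

    Login actions return the matching LoginSession objects. Connection
    actions return (user, ConnectionSession) pairs across all logins.
    """
    if action in LOGIN_ACTIONS:
        table = LOGIN_CRITERIA
    elif action in CONNECTION_ACTIONS:
        table = CONNECTION_CRITERIA
    else:
        raise ValueError(f"unknown action {action!r}")
    if criterion not in table:
        raise ValueError(f"criterion {criterion!r} does not apply to {action!r}")
    fld = table[criterion]

    if action in LOGIN_ACTIONS:
        return [lg for lg in logins if fld is None or getattr(lg, fld) == value]

    hits = []
    for lg in logins:
        for cs in lg.connections:
            if fld is not None and getattr(cs, fld) != value:
                continue
            if action == "Record" and cs.recording:
                continue          # already recording: nothing to start
            if action == "Stop" and not cs.recording:
                continue          # not recording: nothing to stop
            hits.append((lg.user, cs))
    return hits


# Constructed sample data (not real sessions).
SAMPLE_LOGINS = [
    LoginSession("alice", "dba", "LDAP", [
        ConnectionSession("db01", "databases", "dc1", "10.0.0.11", 22),
        ConnectionSession("win01", "windows", "dc1", "10.0.0.21", 3389, recording=True),
    ]),
    LoginSession("bob", "netops", "RADIUS", [
        ConnectionSession("rtr01", "network", "dc2", "10.0.0.31", 22),
    ]),
    LoginSession("carol", "dba", "Local", []),
]


def summarize(action, criterion, value=None):
    """One-line preview, the confirmation you would want before clicking Apply."""
    hits = preview_batch(SAMPLE_LOGINS, action, criterion, value)
    return f"{action} ({criterion}={value}): {len(hits)} session(s) affected"


if __name__ == "__main__":
    print(summarize("Log out", "Group", "dba"))
    print(summarize("Disconnect", "Port", 22))
    print(summarize("Record", "All"))
```

The preview is the useful part: a Disconnect by Port or Address cuts across every user's connections, while Log out and Re-Authenticate select whole login sessions, within which the connection sessions exist. Checking the count before Apply avoids dropping more administrators than intended.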


Manage credential use


See Configure Credential Manager Password Policies (https://docops.ca.com/display/CAPAM28
/Configure+Credential+Manager+Password+Policies) for information on how to handle:

Viewing passwords

Checking out and checking in passwords

Password viewing requests


Set Up Session Recording


All Access Method applet and web portal sessions can be recorded by using the CA Privileged Access
Manager session recording capability.

Implement Session Recording


Session recordings require that you:

1. Specify an NFS, CIFS, or AWS S3 storage share and activate recording capability in Config >
Logs.

2. Activate recording in the policy settings for specific User (Group) / Device (Group) pairs.

3. During each User/Device session, a recording is created and stored on the designated share.

4. After recordings have been created, you can find them in the Sessions > Sessions Recording
page and can invoke the session recording viewer to inspect and play them.

Configure Session Recording


Session recording capability is built in, but you must reserve and activate external storage space using
the following panes on the Config, Logs dialog:

Session Recording pane to specify whether graphical or CLI (text-based) recording is activated.

NFS/CIFS/S3 Settings pane to specify where – NFS or CIFS mount, or AWS S3 storage – recordings
are stored.

See Logs (https://docops.ca.com/display/CAPAM/Logs) for detail on these interfaces.

Activate Session Recording


Automated – When provisioning a policy in each Policy > Manage Policies > User/Device record,
you can elect to activate recording based on the following criteria:

Media type: graphical, command line, bidirectional command line, web portal

Triggering violation: socket filter or command filter violation


See Manage Policies (https://docops.ca.com/display/CAPAM/Manage+Policies) for details.


Manual – A CA Privileged Access Manager administrator can activate session recording while a
session is taking place from the controls within the Sessions > Manage Sessions page: Each
connection session line item has a recording stop/start switch. See Sessions Menu Bar Reference (
https://docops.ca.com/display/CAPAM/Sessions+Menu+Bar+Reference) for details.

Viewing Session Recordings


When you open a session recording from the CA Privileged Access Manager Sessions > Session
Recordings page, the Session Recording Viewer interprets the file and allows you to examine and play
back the recording.

Viewer Controls

Panel – Description

Session info: In the top segment of the upper-left panel, information about the session and its recording is displayed:
    Server: target hostname or IP Address
    Security layer: SSL (TLS 1.0) | RDP Security Layer
    Encryption level: High | Client Compatible | Low | FIPS Compliant
    Source IP: client hostname or IP Address
    Resolution: pixels x pixels (graphical recordings only)
    Quality: High | Medium | Low (web session recordings only). This setting refers to Global Settings > Applet Customization > Web Recording Bit Depth.
    Duration: HH:MM:SS (except CLI recordings when not used)
    Start time, in the CA Privileged Access Manager time zone. For the recording date, see the timestamp of the recording.
    End time (except CLI recordings when not used). The panel can also show other fields appropriate to the type of recording.

User info: In the middle segment of the upper-left panel, information about the CA Privileged Access Manager and target users is displayed:
    Target User: target user login ID (when applicable)
    Domain: target user domain (when applicable)
    CA Privileged Access Manager ID: appliance name (if available) or address
    CA Privileged Access Manager User ID: login ID

Recording info: In the bottom segment of the upper-left panel, information about the recording itself is displayed:
    Recording type: ssh | RDP | TELNET | TN3270 | TN5250 | VNC | Web
    Size: filesize (KB)
    SHA verification status for recording file: In progress… | Valid | FAILED

Events: In the lower-left panel, any violations that occurred are listed under Events. Click the blue diamond Question Mark to get information.
    Type: Violation or Text (icons)
    Time of Event: HH:MM:SS
    Description: Brief generic description of violation or text activity

Navigation: The recording begins automatically. To move through the session, use the play buttons at the bottom center-right portion of the panel:
    Step Backward – causes a 5-second jump backward.
    Play / Pause
    Stop
    Fast Forward – toggle to run at 2, 4, or 6 times actual speed
    Step Forward – causes a 5-second jump forward.
    Drag the progress cursor across the timeline.
    Near the lower-left corner, enter figures in the Jump to time field to jump to any point in the session.

Resizing the Window


The target GUI interface that is displayed in a Session Recording Viewer can be resized larger or
smaller to fit the size of the CA Privileged Access Manager viewer window, or reverted at any point to
its original size and resolution:

Initially, the represented (recorded) GUI fits against the inside border of the presentation area in the
viewer. You can use:

A dynamic resizer within the viewer interface, Operation > Auto Scale (Ctrl-A), that can be
toggled:

While selected, the recorded GUI expands or contracts against the inner frame of the window
as you resize the viewer. Meanwhile, it displays in a small square the new linear dimension
(either width or height) as a percentage of the original GUI length. After you stop resizing the
viewer, this square quickly fades away.

When unselected, the viewer freezes the recorded GUI to the size of the current inner frame,
so that it no longer changes size as you expand or contract the viewer.


A reset option, Operation > Original Size (1:1) (Ctrl-R), to immediately resize (larger or smaller)
the recorded GUI to its original dimensions

Keyboard shortcuts

Use Ctrl + to zoom in and expand the recorded window in 5 percent increments

Use Ctrl - to zoom out and contract the recorded window in 5 percent decrements

Keyboard-mouse shortcuts

Press Ctrl while moving the mouse (scroll) wheel up to zoom in and expand the recorded
window

Press Ctrl while moving the mouse (scroll) wheel down to zoom out and contract the recorded
window

Mouse panning:

If the recorded window is larger than the viewing window (not completely in view), you can
pan with the mouse. Hold the mouse wheel down to grab and move the recorded window, so
that the viewing window pans across the recorded window.

Zoom control: When you click the magnifying glass icon to the left of the navigation buttons, a
zoom control slider is available. This widget provides you fine-tuned control of the size of the
recorded GUI:

When you move the slider button up or down, you can resize the recorded window in a
continuous motion.

By clicking the plus or minus buttons at the top and bottom of the zoom control, you can
resize the recorded window in 1 percent increments or decrements.

The maximum size of the recorded window is 200 percent of its original linear size. The
minimum size is 180 pixels on the shorter of the two dimensions (height or width).
For example: A recorded 640 x 480 pixel window can be zoomed in (expanded) so that you
view 1280 x 960 pixels. It can be zoomed out (reduced) so that you see an actual viewing size
of 240 x 180 pixels.

Searching Text Within CLI Recording


Within a CLI Access Method applet recording you can perform text string searches:

1. From the recording viewer menu bar, select Operation > Find to open a small text-search
pane above the output display pane.

2. To the right of Find what, enter a string into the text box, and optionally select checkboxes to
restrict the search to Match case or to match only a Whole word.


3. Click one of the up or down arrows to the right of the text box to reposition the window so
that the next instance of the search term appears in black-on-white text on the top line.

4. Continue clicking the arrow to continue locating matches. At the end of the recording file, the
search returns to the top. You are also notified with a pop-up message.

Audit Session Recordings


Disrupted Recordings
If a mount is unavailable (for any reason), session recording terminates. The recording file is deleted
during post processing and an error like the following text is written to the session logs:

Recording file contains only file header packet. Possibly the remote server is powered off or security settings are too high.
Deleting the file: gk72-0000001518-20130322092630268_RDP
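The following added example (written for this page, not CA Privileged Access Manager code) runs a small detection over constructed session-log lines that carry the message above. It extracts the deleted file name, breaks that name down on the assumption that it has the form prefix-sequence-timestamp_type, as the single sample on this page suggests, and groups discards that occur close together: several recordings discarded within minutes point at the storage share rather than at one powered-off target, and each discarded recording is a gap in the audit trail worth a ticket. The syslog-style line prefix, the millisecond reading of the timestamp, and every sample line apart from the file name quoted above are constructed for the example.

```python
"""Detect session recordings discarded because the recording share was
unavailable, from the session log message quoted in the documentation.

Added example, not CA Privileged Access Manager code. The log line
layout and the file-name structure are assumptions; only the message
text and the first sample file name come from the documentation.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Message text from the documentation, followed by the deleted file name.
DISRUPTED_RE = re.compile(
    r"Recording file contains only file header packet\..*?"
    r"Deleting the file:\s*(?P<file>\S+)"
)
# Assumed file-name structure: <prefix>-<sequence>-<yyyymmddHHMMSSmmm>_<type>
FILENAME_RE = re.compile(
    r"^(?P<prefix>[^-]+)-(?P<seq>\d+)-(?P<ts>\d{17})_(?P<rtype>\w+)$"
)


def parse_disrupted(line):
    """Return a dict for a discarded-recording message, or None otherwise."""
    m = DISRUPTED_RE.search(line)
    if not m:
        return None
    info = {"file": m.group("file"), "type": None, "started": None}
    f = FILENAME_RE.match(info["file"])
    if f:
        info["type"] = f.group("rtype")
        # Trailing three digits read as milliseconds (assumption); %f accepts them.
        info["started"] = datetime.strptime(f.group("ts"), "%Y%m%d%H%M%S%f")
    return info


def find_outages(lines, threshold=2, window=timedelta(minutes=10)):
    """Return (events, outages).

    events: every parsed discard with a usable timestamp, oldest first.
    outages: (first, last, count) for runs of at least `threshold` discards
    whose timestamps fall within `window` of the first one in the run.
    """
    events = [e for e in (parse_disrupted(l) for l in lines) if e and e["started"]]
    events.sort(key=lambda e: e["started"])
    outages, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1]["started"] - events[i]["started"] <= window:
            j += 1
        if j - i + 1 >= threshold:
            outages.append((events[i]["started"], events[j]["started"], j - i + 1))
        i = j + 1
    return events, outages


def count_by_type(events):
    """How many recordings of each type (RDP, ssh, ...) were lost."""
    return dict(Counter(e["type"] for e in events))


# Constructed sample log lines; the first file name is the one quoted in the documentation.
SAMPLE_LOG = [
    "Mar 22 09:26:31 pam01 sessionlog: Recording file contains only file header packet. "
    "Possibly the remote server is powered off or security settings are too high. "
    "Deleting the file: gk72-0000001518-20130322092630268_RDP",
    "Mar 22 09:27:02 pam01 sessionlog: Recording file contains only file header packet. "
    "Possibly the remote server is powered off or security settings are too high. "
    "Deleting the file: gk72-0000001519-20130322092701104_ssh",
    "Mar 22 09:28:15 pam01 sessionlog: Session started user=alice device=db01",
    "Mar 22 11:02:40 pam01 sessionlog: Recording file contains only file header packet. "
    "Possibly the remote server is powered off or security settings are too high. "
    "Deleting the file: gk72-0000001533-20130322110240006_RDP",
]

if __name__ == "__main__":
    evts, outs = find_outages(SAMPLE_LOG)
    print(f"{len(evts)} discarded recordings: {count_by_type(evts)}")
    for first, last, n in outs:
        print(f"possible share outage: {n} recordings lost between {first} and {last}")
```

On the sample data the two discards at 09:26 and 09:27 are reported as one outage window, while the single discard at 11:02 is left as an isolated event, which is the "remote server powered off" case the message itself mentions. Feed the function the session log export rather than the constructed lines to use it for real.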


Audit User Activity


CA Privileged Access Manager captures administration syslog-based activities, user login and logoff,
user access to resources, violations, alerts, and system information. The product stores a copy of
these messages in its database.

View Logs and Reports


For the administrator, the following tools are available:

GUI tools

For viewing and searching reports

Reports: On-demand (immediate), Scheduled, Third-party

File handling: Copying

Syslog messages can be sent to syslog servers. The CA Privileged Access Manager GUI is able to
view and report MySQL database events.

Log messages can be sent to an external MySQL server. This functionality is recommended for
clustered systems to aggregate the messages.

No additional configuration is necessary to enable event recording to the database. Log recording
settings are configured in Config, Logs.

You can configure the product to purge logs on an hourly, daily, or weekly basis, manually or
automatically. Copies of purged messages are sent to the administrator in ASCII format.

We recommend that copies of the messages be sent to an outside syslog consolidation server.

Logs can be saved as Reports to comma-separated value (CSV) format files for use in
spreadsheets or other applications.

Reporting can be performed at the syslog level. Alternatively, a security information management
tool can collect the syslog messages.

When clustering is used, CA Privileged Access Manager does not consolidate events.

View Unfiltered Logs


Upon selecting Sessions, Logs, you see a default listing with several syslog fields for all recent activity.


View Log Entries


Unfiltered Logs, like any log list, shows the log entries that have been made. The data contained in
each log entry is much longer than a single line of text; Unfiltered Logs addresses this by showing a
subset of all fields and by wrapping long field data (especially Details).
If you click once on a line-item log entry, it opens to display the full set of field data recorded for
that log entry, with field labels.

Change Log Fields Displayed


As you mouse over any heading, you see a popup (+ -) link.

To delete the column from the display, click the minus (-) sign.

To add a new (syslog field) column to the right of the selected column:

1. Click the plus (+) sign.


You see a list of the other syslog fields available.

2. Select the desired field to display its column.

3. To add more columns, repeat for desired fields and column locations.

When you exit the Sessions, Logs window, Log column settings are not saved.

Filter Logs to Create CA Privileged Access Manager Reports

Current logs can also be filtered in several ways by using the blue Search button, near the upper-right
corner of the white page body.
Logs are saved as Reports to comma-separated value (CSV) format files for use in spreadsheets or
other applications.

Apply Filter to Log Records


1. Click the Search button.
The Advanced Search pop-up window appears under the Search button. This window allows
filtering of the current display fields.

2. You can filter by Date Range, with Specific Dates or Relative Days. Relative Days produces a
report for your specified number of days, weeks, or months from the time of the report.

3. Select the Specify IP Info or Specify Applets to filter the logs further.
More fields appear.

4. Specify desired fields.


Each text field performs immediate text recognition. You can quickly select a recognized CA
Privileged Access Manager object name.

5. Click the pop-up window Search button (at bottom of pop-up).


The list is updated with only the records matching the search selections. The window label
changes to Filtered Logs.

Note

After you run the search, the Advanced Search window remains open for more filtering. To
close the window, click the close button X in the upper right. The original filtering selections are
saved after closing the Advanced Search pop-up window, but only while you remain in the
Sessions, Logs window.

Save Filtered Logs as a CA Privileged Access Manager Report


After doing a Search from the Advanced Search pop-up window, a Filtered Logs window replaces the
original Unfiltered Logs window.

1. To save the filtered log records to a file, click Save As Report.


A Save Report pop-up window appears below the Save As Report link.

2. Populate the Save Report pop-up window:

a. Create a Report Name.

b. To replicate the report at a regular interval and send it by email, click Send Emails.

c. Enter email addresses in Emails, space-delimited.

d. Select and set the Send Interval.

3. Click Save Report to save the filtered records and stage the email forwarding.

Next Step:

View Access Reports (see page 20)

View Access Reports


You can generate CA Privileged Access Manager access reports from the Sessions, Logs page. See
Audit User Activity (see page 17) for information about saving filtered log views as reports.

To view previously generated Reports:

1. In the Sessions, Logs window, mouse over (or click) Reports.

2. Under the Reports heading, a drop-down list appears of the existing saved Reports.
These Payment Card Industry (PCI) Data Security Standard (DSS) version 1.2 reports are also
included:

a. 10.2.1 User Login

b. 10.2.1 User Logout

c. 10.2.3 Track Audit Policy Change

d. 10.2.4 Failed User Login

e. 10.2.6 Audit Logs Access

3. Select a named report.


The selected report replaces the Unfiltered Logs listing, and the report name is substituted as
the name of the listing.

View Session Recordings


After you configure a storage share, make recordings for any CLI, RDP, VNC, or Web Portal
connection session by provisioning a policy for the relevant User (Group) / Device (Group) pair. After
you make a recording, open it in the CA Privileged Access Manager Session Recording Viewer.

Within the Session Recording Viewer, you see:

Session info: In the top segment of the upper-left panel, information about the session and its
recording is displayed:

   Server: target hostname, else IP Address
   Security layer: SSL (TLS 1.0) | RDP Security Layer
   Encryption level: High | Client Compatible | Low | FIPS Compliant
   Source IP: client hostname, else IP Address
   Resolution: pixels x pixels (graphical recordings only)
   Quality: High | Medium | Low (web session recordings only) – refers to Global Settings > Applet
   Customization > Web Recording Bit Depth
   Duration: HH:MM:SS (except CLI recordings when not used)
   Start time, with CA Privileged Access Manager timezone (for the recording date, see the
   timestamp of the recording)
   End time (except CLI recordings when not used)

The panel may also show other items appropriate to the type of recording.

User info: In the middle segment of the upper-left panel, information about the CA Privileged
Access Manager and target users is displayed:

   Target User: target user login ID (when applicable)
   Domain: target user domain (when applicable)
   CA Privileged Access Manager ID: appliance name (if available) or address
   CA Privileged Access Manager User ID: login ID

Recording info: In the bottom segment of the upper-left panel, information about the recording
itself is displayed:

   Recording type: ssh | RDP | TELNET | TN3270 | TN5250 | VNC | Web
   Size: file size (KB)
   SHA verification status for recording file: In progress… | Valid | FAILED

Events: In the lower-left panel, any violations that occurred are listed under Events:

   Type: Violation or Text (icons)
   Time of Event: HH:MM:SS
   Description: Brief generic description of violation or text activity

Navigation (The recording begins automatically.)

To move through the session:

Use the play buttons at the bottom center-right portion of the panel. NOTE Play buttons are not
available on CLI recordings.

   Step Backward – jumps 5 seconds backward
   Play / Pause
   Stop – on re-Play, returns to the beginning
   Fast Forward – toggle to run at 2, 4, or 6 times actual speed
   Step Forward – jumps 5 seconds forward

Drag the progress cursor across the timeline.

Near the lower-left corner, enter figures in the Jump to time field to jump to any point in the
session immediately.

View a Session Recording


Follow this procedure to view a session recording within the Session Recording Viewer:

1. Select Sessions > Session Recording

2. Select View Recording in the right-hand column of the file of interest.

3. The Session Recording Viewer opens loaded with the selected recording.

View Session Recording Violations


There are two ways to view a recorded applet or web portal session:

1. Click View Recording to the right of the desired red violation line in the Session Recording
list. The Session Recording Viewer window automatically launches, and starts playing from the
beginning of the session.

2. Alternatively, search the logs:

   a. Select Sessions > Logs.

   b. In the upper-right hand corner of the list, click Search.
   The Advanced Search pop-up window appears.

   c. Set the Transactions to Violations, and click Search (at bottom of pop-up).
   If a policy violation has occurred in an RDP applet session, a View Recording button appears in
   its record.

   d. Select the View Recording button to bring up the RDP Session Recording Viewer and start
   playing from just before the time of the violation.

Maintenance
The following pages describe activities that are recommended for the primary CA Privileged Access
Manager administrator. This list is not exhaustive. Some activities can be delegated to other
administrators.
Backup and Recover System and Settings (see page 23)
Physical Appliance System Operations (see page 30)
Database Operations (see page 31)
Session Recordings (see page 32)
Shellshock Vulnerability Detection (see page 32)
Host header attack mitigation (see page 34)

Backup and Recover System and Settings


CA Privileged Access Manager applies these types of backups and data management to protect from
software loss:

System backup (includes OS, firmware, configuration data, and provisioning data) – allows you to
roll back the entire CA Privileged Access Manager software; ideally, to a known good state.

Configuration or Database backup – allows you to roll back the appliance settings (for network
context and user-targeted globals) and provisioning or managed object records (for Users,
Devices, access definitions, policy)

AWS instance backup (includes entire instance) – allows you to roll back the entire CA Privileged
Access Manager software; ideally, to a known good state.

These backups are described and compared in the following sections.


Configuration and Database Backups (see page 23)
Restore Configuration or Database (see page 24)
Back up System (see page 25)
Restore System (see page 27)
Appliance or Instance Backup (see page 29)

Configuration and Database Backups


These backups can be managed manually (and together) from the Config, Database GUI page.
Scheduled backups are recommended so that the backup is always close to the current operational
state.

Note

Certificates, RSA authentication, and cleartext passwords are not backed up.


A Configuration backup is a file that contains all the unique settings for each CA Privileged Access
Manager appliance. As such, it cannot be restored to or from another unit. This CFG file includes
the network context, globals, and settings such as "Disable Config User."
File name format: gkYYYYMMDDHHMMSS.cfg

A Database backup is a file that contains all the provisioning data for users and user groups,
devices and device groups, socket and command filter appliance configuration, and policies. This
backup includes Access data, and Credential Manager data, with any A2A data. The GZ file can be
used interchangeably between units when appropriate.
File name format: gkdatabaseYYYYMMDDHHMMSS.gz

You have two options to create a configuration and database file backup set:

Automatically and periodically back up to an external mount after you have configured a
schedule. Use Schedule Backup, Save Configuration and Database or Reset Database: Schedule
Backup.

Manually (see page 24) back up to the appliance primary hard drive, by using the feature:
Schedule Backup, Save Configuration and Database or Reset Database: Save Database and
Configuration.

Manual Database Backup


You can immediately back up the database to CA Privileged Access Manager internal storage at any
time. Click the Save Database and Configuration button on the Config, Database page.

Export
You can export backup files to an external location, protecting them until needed.

Manually - use Configuration and Database File Operations, Download.

Automatically - use Schedule Backup, and select an external Share Path in the schedule.
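As an added example (not part of the CA documentation or the product), the following Python routine checks an exported backup location against the two file name formats given above. It parses gkYYYYMMDDHHMMSS.cfg and gkdatabaseYYYYMMDDHHMMSS.gz names, finds the newest file of each kind, and flags a missing or stale backup, or a configuration/database pair whose newest files were not saved together. The directory listing, the timestamp of the check, and the five-minute pairing tolerance are constructed assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Documented CA PAM backup file names:
#   configuration: gkYYYYMMDDHHMMSS.cfg
#   database:      gkdatabaseYYYYMMDDHHMMSS.gz
BACKUP_NAME = re.compile(r"^gk(?P<kind>database)?(?P<stamp>\d{14})\.(?P<ext>cfg|gz)$")

# Assumption of this example: a configuration and a database backup written by
# the same run land within this interval of each other.
PAIR_TOLERANCE = timedelta(minutes=5)


def parse_backup_name(name):
    """Return ("configuration" | "database", timestamp), or None if the name is
    not one the appliance would have written."""
    m = BACKUP_NAME.match(name)
    if m is None:
        return None
    kind = "database" if m.group("kind") else "configuration"
    # A database backup is always .gz and a configuration backup always .cfg.
    if (kind == "database") != (m.group("ext") == "gz"):
        return None
    try:
        stamp = datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that are not a valid date and time
        return None
    return kind, stamp


def latest_backups(names):
    """Newest timestamp for each kind of backup present in the listing."""
    latest = {}
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None:
            continue  # unrelated files on the share are ignored
        kind, stamp = parsed
        if kind not in latest or stamp > latest[kind]:
            latest[kind] = stamp
    return latest


def check_backup_set(names, now, max_age_days):
    """Return a list of findings; an empty list means the backup set is healthy."""
    findings = []
    latest = latest_backups(names)
    max_age = timedelta(days=max_age_days)
    for kind in ("configuration", "database"):
        if kind not in latest:
            findings.append(f"no {kind} backup found")
        elif now - latest[kind] > max_age:
            findings.append(
                f"{kind} backup is stale: newest is {latest[kind]:%Y-%m-%d %H:%M:%S}"
            )
    if len(latest) == 2 and abs(latest["configuration"] - latest["database"]) > PAIR_TOLERANCE:
        findings.append("newest configuration and database backups were not saved together")
    return findings


# Constructed directory listing of an external share (not real appliance output).
SAMPLE_LISTING = [
    "gk20170320011500.cfg",
    "gkdatabase20170320011503.gz",
    "gk20170321011500.cfg",
    "gkdatabase20170321011502.gz",
    "README.txt",
]
SAMPLE_NOW = datetime(2017, 3, 22, 17, 0, 0)  # constructed time of the check

if __name__ == "__main__":
    for finding in check_backup_set(SAMPLE_LISTING, SAMPLE_NOW, max_age_days=1):
        print("WARNING:", finding)
```

Run against a real share, replace SAMPLE_LISTING with os.listdir() of the mount and SAMPLE_NOW with datetime.now(); the routine is pure, so it can also sit behind a monitoring check that alerts when the findings list is non-empty.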

Restore Configuration or Database


Restoring the CA Privileged Access Manager Configuration or Database has the following
consequences:

Reverts CA Privileged Access Manager to an earlier state, including passwords.

Overwrites all session logs. However:

Immediately before recovering or restoring, you can save and download the logs.

Before a recovery/restoration need arises, you can use the external log server option.

Does not interfere with session recordings. Session Recordings are saved externally, so access to
this data is maintained.

The red highlighted text indicating a violation within recordings is lost for the interval after the
database was last saved. (This highlight is not available for RDP graphical session recordings.)

To restore the entire system, see Restore System (see page 27).

Restore from Backup


1. Navigate to the Config, Database screen.

2. In the Configuration and Database File Operations panel, select the file to restore. (See
Configuration and Database Backups (see page 23) for file descriptions.)

a. If the configuration or database you are recovering does not appear in the list, you can
upload a saved backup. In the Database or Configuration File Upload panel, use Choose
File to select the backup file, then click Upload. A copy of the backup is now available on CA
Privileged Access Manager.

3. From the drop-down list of files available in the Configuration and Database File Operations
panel, select the file.

4. Click Restore, then click OK in the confirmation pop-up window to begin restoration.

5. After restoration completes, CA Privileged Access Manager automatically reboots.

6. Close your browser, then restart it, and log in as super.

Reset to Factory Defaults


1. Navigate to the Config, Database screen.

2. In the Schedule Backup, Save Configuration and Database or Reset Database panel in the
middle of the page, click Reset Database to reset configuration to the factory default values.

3. After reset completes, CA Privileged Access Manager automatically reboots.

4. Close your browser, then restart it, and log in.

Back up System
Hardware
Toolbar: Config, Upgrade, Backup & Recovery

1. If this CA Privileged Access Manager appliance is part of a synchronized cluster, turn off the
synchronization.

2. Navigate to the Config, Upgrade page.

3. In the Backup & Recovery panel, click Backup to start the process.

4. When you see "Do you really want to backup?", click Proceed to continue.
CA Privileged Access Manager displays a red text message asking you to wait.
When the backup completes, CA Privileged Access Manager automatically reboots, eventually
landing at the login page.

5. Log in, and navigate back to the Upgrade page.


A successful backup generates a message in the Backup Appliance panel identifying the date
and time of the backup.

AWS: Back Up Instance to Volume


This procedure is analogous to the system backup performed after clicking the Backup button in the
Config, Upgrade, Backup & Recovery menu on a CA Privileged Access Manager appliance. It creates a
snapshot of the current instance state and stores it in the designated S3 bucket for possible later use
in recovery.

Note

This procedure can be automated by using the AWS API.

1. Navigate to your AWS Management Console EC2 view.

2. From the Navigation panel (the left menu tree), select INSTANCES > Instances.

3. If needed, Search for the instance Name or instance number (labeled "Instance").

4. From the Instance list, select the checkbox of the desired CA Privileged Access Manager
instance.

5. From the Instance Actions menu, select Stop to stop the instance and freeze its state.

Note

Stopping might not be practical at some or any times when in a production
environment. The State changes to stopping (yellow ball). Wait for the instance to
wind down, so that its State is stopped (red ball).

6. In the third column, write down or otherwise note the Instance ID for this instance.

7. From the Navigation panel, select ELASTIC BLOCK STORE > Volumes.

8. Identify the volume that is attached to the CA Privileged Access Manager instance you want to
back up.
If the list of volumes is large, click the header of the tenth column Attachment Information,
which re-orders the list in its own alphabetical order. The first component of the attachment
information for each volume is the corresponding Instance ID (noted from a previous step).

9. In the left column, select the checkbox of this volume.

10. From the drop-down list at the top of the panel that is labeled More…, select Create Snapshot
. In the shadowed-background pop-up window Create Snapshot that appears, give the
snapshot a Name and optional Description, and click Yes, Create. Ensure that this snapshot is
created in the same instance zone.

11. From the Navigation panel, select ELASTIC BLOCK STORE > Snapshots.

12. You see a line item for your snapshot; the indicators likely show that it is still being created.

13. This snapshot is your full system backup for this point in time. You can use this snapshot to
restore CA Privileged Access Manager to this state by creating a volume from the snapshot.
See the procedure described in the next section. Make a note of the Snapshot ID, especially if
your snapshot Name or Description does not provide identifiable information as to when and
why the snapshot was created.

14. You might also want to create extra snapshots at other points in time. You are not limited in
the number of snapshots.
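The Note above says this procedure can be automated by using the AWS API. As an added example (not CA's code and not part of the product), the following Python routine drives steps 5 through 10 with boto3: it stops the instance, waits for it to reach the stopped state, looks up the attached volume(s) by the Instance ID, and creates a described and tagged snapshot of each. The FakeEC2 class is a constructed stand-in for the boto3 client so the routine can be exercised offline; the instance, volume and snapshot IDs it contains are placeholders, and the Name/SourceInstance/Reason tagging scheme is this example's own convention.

```python
import sys
from datetime import datetime, timezone


def attached_volume_ids(ec2, instance_id):
    """Step 8 of the procedure: the EBS volumes attached to the given instance."""
    resp = ec2.describe_volumes(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}]
    )
    return [v["VolumeId"] for v in resp["Volumes"]]


def snapshot_instance(ec2, instance_id, reason, stop_first=True):
    """Steps 5 to 10: optionally stop the instance to freeze its state, then
    snapshot every attached volume. Returns the created snapshot IDs.

    `ec2` is a boto3 EC2 client (or any object offering the same methods).
    The snapshot is created in the region the client is configured for, which
    is also where the source volume lives."""
    if stop_first:
        ec2.stop_instances(InstanceIds=[instance_id])
        ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snapshot_ids = []
    for volume_id in attached_volume_ids(ec2, instance_id):
        resp = ec2.create_snapshot(
            VolumeId=volume_id,
            # Step 13: make the snapshot identifiable by when and why it was taken.
            Description=f"CA PAM {instance_id} {volume_id} {reason} {stamp}",
            TagSpecifications=[{
                "ResourceType": "snapshot",
                "Tags": [
                    {"Key": "Name", "Value": f"capam-{instance_id}-{stamp}"},
                    {"Key": "SourceInstance", "Value": instance_id},
                    {"Key": "Reason", "Value": reason},
                ],
            }],
        )
        snapshot_ids.append(resp["SnapshotId"])
    return snapshot_ids


class FakeEC2:
    """Offline stand-in for the boto3 EC2 client so the routine can be exercised
    without an AWS account. All IDs are constructed placeholders."""

    def __init__(self):
        self.instance_state = "running"
        self.volumes = [{"VolumeId": "vol-0000000000000001",
                         "Attachments": [{"InstanceId": "i-0000000000000001"}]}]
        self.snapshots = []

    def stop_instances(self, InstanceIds):
        self.instance_state = "stopped"
        return {}

    def get_waiter(self, name):
        fake = self

        class Waiter:
            def wait(self, **kwargs):
                assert name == "instance_stopped" and fake.instance_state == "stopped"

        return Waiter()

    def describe_volumes(self, Filters):
        wanted = set(Filters[0]["Values"])
        return {"Volumes": [v for v in self.volumes
                            if any(a["InstanceId"] in wanted for a in v["Attachments"])]}

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        snapshot_id = f"snap-{len(self.snapshots) + 1:017x}"  # placeholder ID
        self.snapshots.append({"SnapshotId": snapshot_id, "VolumeId": VolumeId,
                               "Description": Description,
                               "Tags": TagSpecifications[0]["Tags"]})
        return {"SnapshotId": snapshot_id}


if __name__ == "__main__":
    # Real run: python snapshot_pam.py <instance-id> <reason>
    # Uses the credentials and region from the usual AWS environment.
    import boto3  # imported here so the offline stand-in above needs no AWS SDK
    print(snapshot_instance(boto3.client("ec2"), sys.argv[1], sys.argv[2]))
```

Pass stop_first=False when stopping the instance is not practical in production, as the Note allows; the snapshot is then crash-consistent rather than taken from a frozen state.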

Restore System
As a CA Privileged Access Manager administrator, you can restore your appliance to a previous state.

Hardware
To restore a hardware appliance, follow these steps:

1. If this CA Privileged Access Manager appliance is part of a synchronized cluster, turn off the
synchronization.

On the Config, Synchronization page, in the Cluster Settings section, select Turn Cluster
Off.

2. Navigate to Config, Upgrade, Backup & Recovery

3. Click Recover to start the process.

4. When you see "Do you really want to backup?", click Proceed to continue.
CA Privileged Access Manager displays a red text message asking you to wait.
When the recovery completes, CA Privileged Access Manager reboots automatically,
eventually refreshing with the login page.

5. Log in, and navigate to the Upgrade page to confirm recovery.


If the recovery succeeded, the previous backup message no longer appears in the Backup
Appliance panel.

AWS: Restore Volume to Same Instance


This procedure is analogous to the system recovery performed after clicking the Recover button in
the Config, Upgrade, Backup & Recovery menu on a CA Privileged Access Manager appliance. It
recovers or re-establishes a volume from a snapshot of a previous machine state that is stored in a
designated S3 bucket. This volume can then be substituted for the current (non-functioning or
otherwise undesirable) volume.

1. Navigate to your AWS Management Console EC2 view.

2. From the Navigation panel (the left menu tree), select INSTANCES > Instances.

a. Find the correct CA Privileged Access Manager instance: Note the Instance (ID) for a
subsequent step.

b. If desired / necessary, stop the instance.

3. From the Navigation panel (the left menu tree), select ELASTIC BLOCK STORE > Snapshots.

a. If needed, Search on the Name, Snapshot ID, or Description to locate the correct
snapshot.

b. In the left column, select the checkbox of this snapshot. Note the snapshot ID for later
use.

c. From the top-level buttons in this panel, select Create Volume. In the shadowed-
background pop-up window Create Volume that appears, give the recovered volume a
Size that is equal or larger than the original.

4. From the Navigation panel (the left menu tree), select ELASTIC BLOCK STORE > Volumes.

a. Confirm that the recovery volume has been created: Check for the snapshot ID.

i. The newly recovered volume is now available in the Volumes list – but it is not
attached to a machine instance (the Attachment Information field is blank).

ii. If the number of volume instances is large, you can reorder the Snapshot [ID]
list. You can scan alphabetically for the correct snap-xxxxxxxx number to
confirm that the volume exists.

b. Find the volume that you want to discard (swap out).

i. It is attached to the machine Instance [ID] you determined earlier, identifiable
in the Attachment Information column.

ii. If the number of volume instances is large, you can reorder the Attachment
Information list. You can scan alphabetically for the correct instance number,
which begins the Attachment Information string.

c. In the left column, select the checkbox of this volume you want to replace.

d. From the drop-down list at the top of the panel that is labeled More…, select Detach
Volume. This can take a few minutes. In the upper right of the panel, click Refresh to
confirm completion.

e. In the left column, select the checkbox of the volume you want to recover (swap in).

f. From the top-level buttons in this panel, select Attach Volume. In the shadowed-
background pop-up window Attach Volume that appears, select the CA Privileged
Access Manager Instance, and for Device, enter "/dev/sda".

5. From the Navigation panel (the left menu tree), select INSTANCES > Instances.

a. If necessary, restart the instance.

AWS: Restore Volume to New Instance


This procedure is analogous to that with a CA Privileged Access Manager hardware appliance in which
a system backup was performed, but then the drive is removed and mounted in another appliance.
Note: This is not a customer-facing process.
In this case – whether using appliances or instances – the machine ID has changed. It requires a
license update that reflects that change.

Appliance or Instance Backup


Physical Appliance System Backup
System Backup/Recover allows you to roll back the entire CA Privileged Access Manager software
onto the backup SSD (solid-state drive) to the last saved version for use in the event of a recoverable
system malfunction or failure, or otherwise following installation of a firmware package such as a
release upgrade or hotfix.
CA Privileged Access Manager system backup creates a single copy of the current or, during upgrade,
the immediate prior full set of software – including operating system, firmware release, configuration
data, and provisioning (user, device, policy) data – from the primary to the secondary SSD. System
backup is managed from the Config > Upgrade GUI page.
Create a system backup from the CA Privileged Access Manager primary drive to the backup (or
secondary) drive:

Automatically, during every Hotfix installation that requires a reboot, and every Upgrade
installation. (There is no need to perform a backup manually in advance.)

Manually, when you use the feature Backup Appliance.

For procedures and more information, see System Backup.

NOTE During a backup, the previous version is written over with the new one so that only the most
recent backup is ever in CA Privileged Access Manager storage. This backup cannot be exported. To
protect settings and data, you can export configuration and database backups.
Recover a backup, which returns the CA Privileged Access Manager software back to the previously
saved state:

Manually, when you use the feature Recover Appliance, following:

System or firmware malfunction or failure.

Firmware upgrade that appears to initiate problems.

See System Recovery.

Cloud Instance Backup


CA Privileged Access Manager cloud instances are available in the Amazon Web Services (AWS)
environment.

Amazon Web Services (AWS)


Within the AWS cloud environment, a snapshot of an instance at a point of time can be created, and
then re-created in the event of instance failure.

Physical Appliance System Operations


Features that allow the administrator to view and manipulate the CA Privileged Access Manager
system firmware are located on the Upgrade page.
Toolbar: Config → Upgrade

System Backup
Copy complete firmware, configuration and database system to internal storage (secondary drive)
NOTE System Backup can only be performed on a CA Privileged Access Manager appliance, not an
AWS CA Privileged Access Manager AMI instance.
A full CA Privileged Access Manager system backup (including: OS, firmware, configuration settings of
the appliance, provisioning data of managed users and devices) to its internal storage (secondary
drive) can be manually initiated through the Backup Appliance panel by clicking the Backup button.
NOTE These are characteristics of system backups:

Single backup maintained – Because the secondary drive stores up to an entire (primary) drive's
capacity, it can contain only the most recently executed Backup.

Upgrade background component – As part of any Hotfix that requires a reboot or any upgrade,
CA Privileged Access Manager performs the Backup process automatically and silently.

During backup –

Full copy made – During the backup process, the secondary drive makes a complete copy of the
primary drive.

Reboots automatically – After copying the primary drive, CA Privileged Access Manager will
automatically reboot.

BEST PRACTICES
Maintain regular, automated Database Backups – Schedule periodic backup of the database and
configuration to an external location. See Database Operations.

Avoid production impact – To avoid production impact, perform System Backup only during an
installation or maintenance window.

System Recovery
Recover complete firmware, configuration and database system from the last backup to internal
storage (secondary drive)
NOTE System Backup can only be performed on a CA Privileged Access Manager appliance, not an
AWS CA Privileged Access Manager AMI instance.
IMPORTANT This procedure should be performed only when recommended by CA Technologies CA
Privileged Access Manager Support. After this procedure, CA Privileged Access Manager will
automatically reboot. To avoid production impact, perform this action only during an installation or
maintenance window.
A CA Privileged Access Manager system that has previously been backed up to its internal storage
(secondary drive) can be restored through the Backup & Recovery panel by clicking the Recover
button. If the system has become inaccessible from the network, Recovery is also possible from the
Console in coordination with CA Technologies CA Privileged Access Manager Support.

System Upgrades
To prepare and execute your upgrade, use these documents:

1. The currently published version of CA Privileged Access Manager Update Paths, to identify any
previous versions or patches or other prerequisites

2. The latest version of the CA Privileged Access Manager Release Notes for your release, which
provides Upgrade procedures for single and clustered CA Privileged Access Manager
appliances.

Database Operations
CA Privileged Access Manager contains two databases – one database for configuration, and another
for provisioning. Features that allow the administrator to view and manipulate these databases are
on the Config, Database page. See Configure Your Database (https://docops.ca.com/display/CAPAM28
/Configure+Your+Database) for information about database operations, including backup (https://docops.
ca.com/display/CAPAM28/Schedule+a+Database+Backup) and restoration (https://docops.ca.com/display
/CAPAM28/Database+Restoration).

Configuration (.cfg) files can only be used on the appliance where they were created.

Database (.gz) files can be used to recreate provisioning on other units: Services, Users, Devices,
Command Filter Lists, Socket Filter Lists, Policies

The files that are stored on the CA Privileged Access Manager secondary drive can be
downloaded, deleted, or used to restore the database.

Best Practices
Be sure to configure and schedule regular backups of the database and configuration files.

Keep ongoing operations and CA Privileged Access Manager maintenance to a minimum so that
they do not require more than one day per month.

The CA Privileged Access Manager appliance is not meant as a storage device. More external
capacity might be necessary to comply with log retention policy.

Session Recordings
Session recordings require these settings for global storage before recordings can be saved to files.
NOTE Session recording settings are first set up during initial configuration – please see links below to
configuration sections.

Storage Locations
Session Recording
The Session Recording panel specifies where, among the log storage locations specified, recordings
will be saved.

Storage Contingencies
Session Recording Preference
The Session Recording Preference panel specifies whether recording save attempts should be made
when storage is not reliable.

Shellshock Vulnerability Detection


Two vulnerabilities in the widely used Bash shell can lead to arbitrary and potentially malicious code
execution. These issues have received wide media coverage and have been informally labeled
"Shellshock". You can find additional information at the primary references for the associated CVE
tickets: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169.
This feature provides a Bash vulnerability checking and reporting mechanism. When detection is on,
CA Privileged Access Manager inspects the target for the presence of the Bash vulnerability when:
This feature provides a Bash vulnerability checking and reporting mechanism. When detection is on,
CA Privileged Access Manager inspects the target for the presence of the Bash vulnerability when:

a User employs an SSH or Telnet Access Method applet to connect to a remote target device; and

the target device is running the Bash shell

If the vulnerability is found, CA Privileged Access Manager logs a message and (if configured) alerts
the User to that effect. The patch does not alter anything on the target device. Remediation of the
affected target device is the responsibility of the customer.

If the shell is changed during an active connection, this feature is not supported. If you are not using
the Bash shell at the initial connection, it does not detect the vulnerabilities.

Note

This feature is adapted from and works the same as the one provided by 2.3 Hotfix 5 and
2.4 Hotfix 6. (Those patches were first distributed in early October 2014.)
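To show what a Bash vulnerability check of this kind does, here is an added Python example; it is not the product's detection code, whose method this documentation does not describe. It exports an environment variable whose value looks like a function definition followed by a harmless echo, runs a Bash command, and reports whether the echo's marker appears in the output, which is the behaviour CVE-2014-6271 describes. CVE-2014-7169 is not probed. The bash path defaults to whatever is on PATH, so the check applies to the local host; the marker strings are this example's own.

```python
import shutil
import subprocess

# CVE-2014-6271: Bash imports an environment variable whose value looks like an
# exported function definition and executes whatever follows the closing brace.
# The trailing command here only echoes a marker, so the probe changes nothing
# on the host being checked.
PROBE_VALUE = "() { :; }; echo SHELLSHOCK_MARKER"
MARKER = "SHELLSHOCK_MARKER"
COMPLETE = "PROBE_COMPLETE"


def bash_runs_trailing_commands(bash_path=None, timeout=10):
    """Return True if the Bash at bash_path executes commands appended to an
    exported function definition (CVE-2014-6271), False if it ignores them,
    and None if no usable Bash binary was found or the probe did not run."""
    bash = shutil.which(bash_path or "bash")
    if bash is None:
        return None
    # Minimal environment: only PATH and the probe variable are exported.
    env = {"PATH": "/usr/bin:/bin", "PROBE": PROBE_VALUE}
    result = subprocess.run(
        [bash, "-c", f"echo {COMPLETE}"],
        env=env, capture_output=True, text=True, timeout=timeout,
    )
    if COMPLETE not in result.stdout:
        return None  # bash did not run our command; no verdict either way
    # A patched Bash prints a warning on stderr and ignores the definition;
    # a vulnerable one prints the marker on stdout before running the command.
    return MARKER in result.stdout


if __name__ == "__main__":
    verdict = bash_runs_trailing_commands()
    if verdict is None:
        print("no Bash available to check")
    else:
        print("VULNERABLE to CVE-2014-6271" if verdict else "not affected by CVE-2014-6271")
```

The same idea is what an SSH-based checker has to do on the remote side: set an environment variable and look for the side effect in the session output, which is why the documentation notes that detection only works when Bash is the shell at the initial connection.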

CA Privileged Access Manager Configuration


The checking mechanism is set to "off" (unselected) by default. To enable checking and reporting
behavior (for all Users and Devices):

1. In the Applet Customization panel on the Global Settings page, select Enable Shellshock
Vulnerability Checks.

2. In the drop-down list to the right, select a Vulnerability Reporting Mode. (See log entry and
warning illustrations in User Experience (https://docops.ca.com/display/CAPAM28/Windows+OS).)
The two mode options are:

   Log: If the vulnerability exists, log this finding in CA Privileged Access Manager (Sessions,
   Logs).

   Log and Warn: If the vulnerability exists, log this finding in CA Privileged Access Manager.
   Warn the User with a pop-up window and a terminal message emission on the command line.

Operation
If an administrator enables the vulnerability checks (CA PAM Configuration (https://docops.ca.com
/display/CAPAM28/Windows+OS)), then when, and only when, a User makes the initial command key
input to a connection in an SSH or Telnet Access Method applet, CA Privileged Access Manager makes
a log entry and, if enabled, issues user warnings.

CA Privileged Access Manager Log Entry


Immediately following the first User command interaction with the device, CA Privileged Access
Manager determines whether the two Shellshock vulnerabilities (CVE-2014-6271 and CVE-2014-7169)
exist on the target device. If they are present, CA Privileged Access Manager logs an entry.
However, if the vulnerabilities are not detected, CA Privileged Access Manager does not make any log
entries to that effect.

User Applet Warnings


If the "Log and Warn" mode has been selected, a pop-up window displaying the applicable CVE
numbers of the vulnerability appears in the SSH Access Method applet window. The User must click
OK to continue.
When the warning window is closed, CA Privileged Access Manager inserts a command message into
the shell. If the session is being recorded, the recording also shows this message.

Host header attack mitigation


CA Privileged Access Manager can check that any X-Forwarded-Host values presented to it have been
specified in the X-Forwarded-Host Whitelist field under Config > Exceptions. If they have not been
specified here, CA Privileged Access Manager rejects the request.
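The check described above, written out as an added Python example; it is not the product's code, and how CA Privileged Access Manager performs the comparison is not documented here. A reverse proxy sets X-Forwarded-Host to the host name the client asked for, and an application that builds absolute URLs from that value can be made to emit links pointing at a host the attacker chose, which is what the whitelist prevents. The whitelist entries and sample requests are constructed; the normalization rules (case-insensitive, trailing dot ignored, an explicit port must itself be listed) are this example's own assumptions.

```python
def normalize_host(value):
    """Canonical form for comparison: trimmed, lowercased, trailing dot removed.
    An explicit port is kept, so the whitelist must list any host:port it accepts."""
    return value.strip().lower().rstrip(".")


def forwarded_host_allowed(headers, whitelist):
    """Return True if the request carries no X-Forwarded-Host, or if every
    X-Forwarded-Host value is present in the whitelist; otherwise False.

    `headers` is a list of (name, value) pairs as received. A repeated header
    or a comma-separated value (one entry per proxy hop) is checked entry by
    entry, so the request is rejected if any hop supplied an unlisted host."""
    allowed = {normalize_host(h) for h in whitelist}
    values = [v for name, v in headers if name.lower() == "x-forwarded-host"]
    if not values:
        return True  # nothing presented, nothing to validate
    for raw in values:
        for entry in raw.split(","):
            host = normalize_host(entry)
            if not host or host not in allowed:
                return False
    return True


# Constructed whitelist: the names an administrator would enter under
# Config > Exceptions for an appliance reached through a reverse proxy.
SAMPLE_WHITELIST = ["pam.example.com", "pam.example.com:443"]

# Constructed requests; only the header lists matter here.
SAMPLE_REQUESTS = {
    "direct, no proxy header": [("Host", "pam.example.com")],
    "via proxy, listed host": [("Host", "10.0.0.5"), ("X-Forwarded-Host", "pam.example.com")],
    "via proxy, unlisted host": [("Host", "10.0.0.5"), ("X-Forwarded-Host", "other.example.net")],
    "two hops, one unlisted": [("X-Forwarded-Host", "pam.example.com, other.example.net")],
}


def evaluate(requests=SAMPLE_REQUESTS, whitelist=SAMPLE_WHITELIST):
    """Decision for each sample request: True = accepted, False = rejected."""
    return {label: forwarded_host_allowed(hdrs, whitelist) for label, hdrs in requests.items()}


if __name__ == "__main__":
    for label, ok in evaluate().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

Keep the whitelist to the exact external names users type into their browsers; a wildcard or substring match would defeat the purpose of the field.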

Credential Manager Administrator Procedures


This section contains procedures available to users with an administrative role. These procedures are
based on the preconfigured settings when CA Privileged Access Manager is installed. The settings in
your organization can differ if modifications have been made.
Activate Clients and Proxies (see page 35)
Customize the Global Default Preferences (see page 36)
Customize the Global Dashboard (see page 37)
Configure FIPS 140-2 CMVP Certificate 1747 Encryption for Stored Credentials (see page 38)

Activate Clients and Proxies


The first time that you access Credential Manager the Dashboard lists Clients Requiring
Initial Activation and Proxies Requiring Initial Activation. These items are
your newly installed A2A Clients and Windows Proxies. Activate these components.

Note:

The following procedures assume that you have installed an A2A Client, Windows Proxy, or
both. For the A2A Client, the A2A Client daemon (UNIX) or service (Windows) must be
running. See Install Credential Manager Components (https://docops.ca.com/display/CAPAM28
/Install+Credential+Manager+Components) for details.

Activate A2A Clients


A2A Clients require an initial activation. These items are new clients that have never been activated.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click the Dashboard tab.

3. For an initial activation, in the Item list, click Clients Requiring Initial Activation. A list of
installed A2A Clients appears. Notice that the entry in the Active column is set to false.

4. Click the host name of the client. The Client Details page appears. Notice that the Status is
Inactive.

5. Set the Status to Active.

6. Click Save. The Client List page appears showing your A2A Client in an active state.


Activate Windows Proxies


Windows Proxies require an initial activation. These items are new proxies that have never been
activated.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click the Dashboard tab.

3. For an initial activation, in the Item list, click Proxies Requiring Initial Activation. A list of
installed Proxies appears. Notice that the entry in the Active column is set to false.

4. Click the host name of the proxy. The Proxy Details page appears. Notice that the Status is
Inactive.

5. Set the Status to Active.

6. Click Save.
The Proxy List page appears showing your Windows Proxy in an active state.

Customize the Global Default Preferences


An administrator with appropriate permissions can modify preferences and can apply those
preferences globally. Global changes affect all users. Modifications do not take effect until the next
logon session.

Set the Global Time Zone


You can customize the global time zone settings for Credential Manager. All dates in Credential
Manager are stored in UTC format, but these dates can be displayed in a specified time zone.
Selecting a custom time zone can only be done through the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click the Settings tab and then select UI Settings. The UI Settings window appears.

3. Select an entry in the Time Zone Region listbox.

4. Select an entry in the Time Zone listbox.

5. Click Save.


Set the Global List Size


Credential Manager data such as accounts and password requests appear in lists in the GUI. You can
set a global value for the number of list entries per page that appear in the GUI.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click the Settings tab and then select UI Settings. The UI Settings window appears.

3. Enter an integer value for the number of list entries per page.

4. Click Save.

Set the Global Start Page


Use the following procedure to configure the global home page for Credential Manager.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click the Settings tab and then select UI Settings. The UI Settings window appears.

3. Select the start page from the Home Page listbox.

4. Click Save.

Customize the Global Dashboard


The dashboard provides a set of predefined metrics to monitor system activity. Administrators with
appropriate permissions can change the dashboard settings and can apply those changes globally.
Global changes affect all users of the product.

Follow these steps:

1. Select Policy, Manage Passwords.

2. Click the Settings tab and then select UI Settings. The UI Settings window appears.

3. Click the Dashboard tab. The Dashboard Settings window appears.

4. To add a new item to the Dashboard Summary, click the Plus icon, select an entry from the list
of dashboard items available to add, and click Add.

5. To remove an entry from the Dashboard Summary, click the Remove icon at the end of the
row and click Save. The Remove icon is a yellow X.

6. To re-position a list item, drag-and-drop the item to the desired location or click the Up or the
Down icon at the end of the row and click Save.

7. To set a threshold limit that activates a warning icon in the Dashboard Summary, enter a
value in the Threshold field. For example, if you set a threshold value of 5 for Passwords Not
Verified and the number of unverified passwords reaches 5 or more, a warning icon appears
in the Dashboard Summary page.

8. To reset the dashboard, click Restore Defaults.

Configure FIPS 140-2 CMVP Certificate 1747 Encryption for Stored Credentials


The default software encryption module that Credential Manager uses to encrypt and decrypt stored
credentials is the Cloakware Security Kernel software encryption module that is validated to FIPS 140-2
CMVP certificate 1443.

You can also configure Credential Manager to use the OpenSSL FIPS Object Module that is validated
to FIPS 140-2 CMVP certificate 1747 to encrypt and decrypt stored credentials.

Tip: We recommend that you configure FIPS 140-2 CMVP Certificate 1747 encryption for
stored credentials because it uses true (hardware-based) random number generation for
the primary encryption key. Additionally, it provides faster encryption and decryption than
the default software encryption module.

Note: If you require hardware-based encryption for stored credentials, you can configure a
Hardware Security Module (HSM (https://docops.ca.com/pages/viewpage.action?
pageId=369270530)).

Enable FIPS 140-2 CMVP Certificate 1747 Cryptography (see page 38)
Delete the Key Encryption Password (see page 39)
Resupply a Deleted Key Encryption Password (see page 40)
Notes About Clustered Environments (see page 41)

Enable FIPS 140-2 CMVP Certificate 1747 Cryptography


Use the following procedure to enable FIPS 140-2 CMVP certificate 1747 cryptography for stored
credentials.

Important! Once enabled, the new encryption is permanent – it cannot be undone.

Follow these steps:

1. Log in to the CA Privileged Access Manager Server Web UI or the CA Privileged Access
Manager Client.

2. Select Config, Security.


The Security dialog appears.

3. Scroll down to the Configure FIPS 140-2 CMVP Certificate 1747 Encryption for Credential
Manager panel.

4. Enter a password to use to generate the encryption key in the Password field. The password
must be at least 16 characters long and must contain at least one of each of the following
character types:

Lower case letters (a-z)

Upper case letters (A-Z)

Numbers (1-9)

5. Reenter the password in the Confirm Password field.

Note: The password that you supply is used to encrypt and decrypt the AES256
encryption key each time the server is started. For convenience, the password is
encrypted and stored so that you do not need to supply it manually after each
restart. Optionally, you can delete it (see page 39) from the storage for extra
security.

Important! Store this password carefully. It cannot be changed, reset, or recovered.

6. Select Enable.

The CA Privileged Access Manager Server reboots. Upon restart, all stored credentials are
reencrypted using the OpenSSL FIPS Object Module.
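The password rules in step 4 and the key-handling described in the note after step 5 (a password that protects the AES256 key, kept on disk for convenience or deleted so that it must be resupplied after every restart) together form a small key-wrapping lifecycle. The following Python is an added example of that lifecycle; it is not the product's implementation. It assumes PBKDF2-HMAC-SHA256 for turning the password into a key-encryption key, uses an HMAC-based stream plus MAC as a stand-in for the AES wrapping so that it runs on the standard library alone, keeps the "storage" as an in-memory dict, and applies the digit rule exactly as the page states it (1-9).

```python
import hashlib
import hmac
import os
import re

# Password policy as the procedure states it: 16+ characters and at least one
# lowercase letter, one uppercase letter and one digit in the range 1-9.
_REQUIRED_CLASSES = (re.compile(r"[a-z]"), re.compile(r"[A-Z]"), re.compile(r"[1-9]"))


def password_meets_policy(password: str) -> bool:
    """True when the key encryption password satisfies the stated rules."""
    if len(password) < 16:
        return False
    return all(cls.search(password) for cls in _REQUIRED_CLASSES)


def _derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key (KEK). PBKDF2 parameters are an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000, 32)


def _wrap(kek: bytes, dek: bytes) -> tuple:
    """Stand-in for AES key wrapping (stdlib only): XOR the 32-byte data key with a
    32-byte HMAC-derived keystream, then authenticate the result with a second HMAC."""
    stream = hmac.new(kek, b"wrap-keystream", "sha256").digest()
    wrapped = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, b"wrap-tag" + wrapped, "sha256").digest()
    return wrapped, tag


def _unwrap(kek: bytes, wrapped: bytes, tag: bytes) -> bytes:
    """Reverse of _wrap; a wrong password fails the tag check before any key is returned."""
    expected = hmac.new(kek, b"wrap-tag" + wrapped, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key encryption password")
    stream = hmac.new(kek, b"wrap-keystream", "sha256").digest()
    return bytes(a ^ b for a, b in zip(wrapped, stream))


def enable_encryption(password: str) -> dict:
    """Step 4-6: validate the password, generate the data key, store it wrapped.
    The 'stored_password' entry models the convenience copy the note describes."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the stated policy")
    salt = os.urandom(16)
    dek = os.urandom(32)  # stands in for the AES-256 key protecting stored credentials
    wrapped, tag = _wrap(_derive_kek(password, salt), dek)
    return {"salt": salt, "wrapped": wrapped, "tag": tag, "stored_password": password}


def delete_stored_password(store: dict) -> None:
    """Remove the convenience copy; from now on the password must be resupplied."""
    store["stored_password"] = None


def unlock_at_startup(store: dict, password=None):
    """Return the data key, or None when no password is available and the
    Credential Manager function must stay disabled until one is resupplied."""
    pw = password if password is not None else store.get("stored_password")
    if pw is None:
        return None
    return _unwrap(_derive_kek(pw, store["salt"]), store["wrapped"], store["tag"])


if __name__ == "__main__":
    store = enable_encryption("CorrectHorse2017Battery")     # constructed password
    print("restart with stored password:", unlock_at_startup(store) is not None)
    delete_stored_password(store)
    print("restart after deletion:", unlock_at_startup(store))  # None: disabled
    print("resupplied:", unlock_at_startup(store, "CorrectHorse2017Battery") is not None)
```

The point the example makes concrete is the trade-off the note leaves implicit: with the password on disk, the wrapped key and the means to unwrap it sit together, so deleting the password is what turns the wrapping into real protection, at the cost of a manual step after every restart.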

Delete the Key Encryption Password


After you have confirmed that Credential Manager is working correctly with the new encryption, you
can delete the key encryption password from the server to provide the highest level of security.

Follow these steps:

1. Log in to the CA Privileged Access Manager Server Web UI or the CA Privileged Access
Manager Client.

2. Select Config, Security.


The Security dialog appears.

3. Scroll down to the Configure FIPS 140-2 CMVP Certificate 1747 Encryption for Credential
Manager panel.

4. Select Delete Password.

5. Select OK on the warning dialog that appears.


The key encryption password is deleted from the disk.

Note: After the key encryption password is deleted, Credential Manager continues
to function until the server is restarted. Upon restart, Credential Manager is
disabled until the password is reentered.

6. Do the following steps to restart the server:

a. Select Config, Power.

b. Select OK on the warning dialog that appears.


The Power screen opens.

c. Select Reboot Instance.

The server instance reboots.

Resupply a Deleted Key Encryption Password


Use the following procedure to reenable Credential Manager on a server instance upon which the key
encryption password has been deleted. Repeat this procedure after every system restart.

Follow these steps:

1. Log in to the CA Privileged Access Manager Server Web UI or the CA Privileged Access
Manager Client.

2. Select Config, Security.


The Security dialog appears.

3. Scroll down to the Configure FIPS 140-2 CMVP Certificate 1747 Encryption for Credential
Manager panel.

4. Type the key encryption password in the Password field and select Submit.


The encryption key is regenerated and used to decrypt the stored credentials, and Credential
Manager is reenabled.

Note: Depending on the number of stored credentials, initial decryption can take some
time. We recommend waiting one minute before attempting to use Credential Manager
features.

Notes About Clustered Environments


To implement FIPS 140-2 CMVP Certificate 1747 Cryptography in a clustered environment, enable it
on the master node before turning on the cluster. The change is propagated to all nodes.

To delete the key encryption password, delete it manually from each node in the cluster.

Important! If the key encryption password was previously deleted and the cluster must be
restarted, the password must be reentered before restarting the cluster. Otherwise, the
cluster does not restart properly and Credential Manager does not function correctly. Once
the password has been reentered, the cluster and Credential Manager function correctly.

For more information about clustered environments, see Implement a Cluster (see page 38).
