Symantec Privileged Access Management

  • 1.  How can I get simple Java A2A ScriptName correct?

    Posted Apr 25, 2018 11:12 AM

    I'm using legacy Cloakware (PAM) and trying to set up simple Java A2A. I'm trying to test that I can get correct script names.

     

    If I run with the jar in classpath, I see:

    WARNING: GetScriptCredentials failed to retrieve credentials for request
    { targetAliasName=sql_sa_pamtgt,
    scriptName=com.cloakware.cspm.client.bj,
    scriptFilePath=C:\cspm\cloakware\cspmclient\lib\cspmclient.jar,
    scriptExePath=C:\cspm\cloakware\cspmclient\examples\Java,

     

    If I create a fat jar in Maven, I see:

    WARNING: GetScriptCredentials failed to retrieve credentials for request
    {targetAliasName=sql_sa_pamtgt,
    scriptName=com.cloakware.cspm.client.bj,
    scriptFilePath=F:\utilities\sqltest\sqltest\target\sqltest-1.0-SNAPSHOT.jar,
    scriptExePath=F:\utilities\sqltest\sqltest,

     

    What kind of magic do I need to do to get the scriptName correct, as per the old docs:

    Script name: The name of the class file containing the CSPMClient instantiation and getScriptCredentials call, without the class extension.

     

    Thanks, Carl



  • 2.  Re: How can I get simple Java A2A ScriptName correct?

    Broadcom Employee
    Posted Apr 25, 2018 12:01 PM

    Hi Carl, can you clarify which PAM version you are working with? I don't understand your values for scriptName, scriptFilePath and scriptExePath. Also, can you clarify where you see the errors and what error code you get? I assume you get those messages from the Tomcat log on the PAM server, but they are truncated. There should be a reason message appended. What is it? What error do you see on the client side?

    For reference, to run the Example class in the cspmclient\examples folder, assuming the A2A client is installed in C:\cspm\cloakware\cspmclient, you would use

     

    Script/App Name: Example

    Execution Path: C:\cspm\cloakware\cspmclient\examples

    File Path: C:\cspm\cloakware\cspmclient\examples

     

    This is documented at https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/implementing/add-and-run-credential-manager-a2a-requestors/example-requestors.



  • 3.  Re: How can I get simple Java A2A ScriptName correct?

    Posted Apr 25, 2018 12:26 PM

    Hi Ralf. As I say, I am using legacy Cloakware (4.5.3 (.9?))

     

    I expect to get an error 409 for the above calls as the alias - sql_sa_pamtgt - is only mapped to a VC++ binary, but I was trying to record - via the logs in catalina.out - what the request is being reported as in terms of the script name so it's useful to look at the logs.

     

    If I view the Reports/Account Requests I can see the script name being reported as com.cloakware.cspm.client.bj in all cases, so I was wondering what I needed to do to make it set the name as documented (from PasswordAuthority_4.5.0.chm)

     

    If I add a script mapping using com.cloakware.cspm.client.bj + F:\utilities\sqltest\sqltest\target\sqltest-1.0-SNAPSHOT.jar + F:\utilities\sqltest\sqltest then I get a 400 success code.

     

    There are good reasons why I am using such an old version, but I would have expected this to work as documented:

    "Script name: The name of the class file containing the CSPMClient instantiation and getScriptCredentials call, without the class extension."

     

    Thanks,

    Carl



  • 4.  Re: How can I get simple Java A2A ScriptName correct?

    Broadcom Employee
    Posted Apr 25, 2018 12:59 PM

    Carl, if you work with Cloakware, please don't refer to it as PAM==Privileged Access Management. The latter is a different product. You are using PA == Password Authority.

    I don't understand what your problem is. You say it works after you add the proper script mapping, which is necessary. That would be working as designed.



  • 5.  Re: How can I get simple Java A2A ScriptName correct?

    Broadcom Employee
    Posted Apr 25, 2018 01:50 PM

    After discussion with Carl I understand now that his sample class is not com.cloakware.cspm.client.bj, but that is the class he needs to specify in the script mapping to make it work. We are checking on whether there is a known problem with the Java A2A client in the old PA product.