Layer 7 Privileged Access Management

Transcript for CA Privileged Identity Manager Office Hours [Oct. 14th] 

10-14-2015 12:06 PM

Kristen Malzone (CA) :

Welcome to Office Hours!

 

Kristen Malzone (CA) :

Alright - let's get started!

 

Kristen Malzone (CA) :

PIM experts are standing by to answer your questions right here in the Chat Window.

 

Kristen Malzone (CA) :

Looks like some more folks are jumping in now. Enter your questions here in the chat window. There is no audio.

 

Steven McCullar :

Since the last office hours event, CA has acquired Xceedium, a leading vendor of Privileged Account Management. We're very excited about the acquisition!

 

Kristen Malzone (CA) :

We have a webcast coming up about the Xsuite product from Xceedium which is now called CA Privileged Access Manager: https://communities.ca.com/events/2313

 

Kristen Malzone (CA) :

No questions today? Come on! I know someone out there has one!

 

Kristen Malzone (CA) :

@Clement - Thanks for joining today! Do you have any questions about Privileged Identity Management?

 

clement monakhisi :

@Kristen - no questions from me.

 

Kristen Malzone (CA) :

Tech Tip - CA Privileged Identity Manager: support tool for EntM server https://communities.ca.com/thread/241740793

 

Kristen Malzone (CA) :

Here's an unanswered question in the community for PIM: https://communities.ca.com/thread/241739724

 

DENIS TSE :

Hi, this question is for CA SAM (Proxy) 12.9. I need to terminate a session from a user. Is there a way to perform this task remotely by invoking a command or through a REST call? The idea is to trigger this automatically through some SIEM integration.

 

Kristen Malzone (CA) :

Sharing a helpful link and document from the Redhat website regarding the Kernel builds and release dates: https://communities.ca.com/docs/DOC-231161731

 

Kristen Malzone (CA) :

@Arun - Thanks for joining! Do you have a question for our product team?

 

Arun Kalasapudi :

Hello Everyone, I would like to know if the PIM supports the CA API Management - Gateway and Portal. Is there any reference documentation that you can share regarding the integration?

 

Shahnawaz Soomro :

@Arun, it depends on what is the use case/functionality you need to achieve from this integration..can you please elaborate?

 

Renato Pioker :

@Denis - On the PIM 12.9 Wiki page you have the REST-based API commands and samples. You may look there to find what is possible to achieve using REST. https://wiki.ca.com/display/CMINDER129/REST-based+API

 

Arun Kalasapudi :

@Shahnawaz, the use case would be to have controlled access to the servers when users are logging in via SSH - either ssgconfig or as root.

 

Arun Kalasapudi :

@Shahnawaz, what would be the pre-requisites to install the agent on the Layer 7 servers, as they are hardened images?

 

Shahnawaz Soomro :

@Arun..so if I understand you correctly, you want to use CA PIM to control access ssconfig or root account passwords on APIM server itself

 

Shahnawaz Soomro :

@Arun..I am afraid we do not recommend installing agent on the APIM server itself...it acts as a hardened blackbox and installing 'other' software is not supported by APIM

 

Arun Kalasapudi :

@Shahnawaz, correct. And allow only specific users to use their AD credentials to login and/or checkout the root password

 

Shahnawaz Soomro :

@Arun..however, you can use CA PIM to secure the password to APIM accounts (root/ssconfig) as "disconnected accounts" meaning CA PIM stores the password and you implement a role based check in/checkout process. It gives you ability to secure their password as well as monitor/log who is using that account at any given time

 

Shahnawaz Soomro :

@Arun..Technically it will also be possible to manage the account password remotely on the APIM server itself as an *nix endpoint. However, I have not seen it done by a client so far

 

Arun Kalasapudi :

@Shahnawaz, okay, that might work. When someone checks out the password, how would other users be prevented from accessing the APIM accounts? In other words, can multiple users checkout the passwords and login at the same time?

 

Shahnawaz Soomro :

@Arun ..direct login to APIM server using ssconfig/root account is such a rare occurrence (after the initial configuration), using the disconnected account option will probably suffice

 

Renato Pioker :

@Arun - And you can set the option for Exclusive Check Out on each account, so only one check out will be allowed at a time

 

Shahnawaz Soomro :

@Arun, in CA PIM you can designate a privileged account for single (exclusive) or multiple simultaneous (non-exclusive) use...depending if you wish to allow an account to be checked out by one person at a time or by multiple users simultaneously

 

Kristen Malzone (CA) :

15 minutes left! Get your last questions in now!

 

Arun Kalasapudi :

@Shahnawaz, thank you for your guidance!

 

Shahnawaz Soomro :

@Arun ..you are welcome ..glad to help. BTW, you can also provide auto-login through CA PIM to the APIM server using the built in SSH..without exposing the account password to user

 

Arun Kalasapudi :

@Shahnawaz, so that can be done without installing any agent on the APIM server?

 

Renato :

Hello Everyone. I am trying PIM 12.9 and it is installed on RHEL 6.5. ENTM is working fine. But I want to join an endpoint for Access Control. Which agent should I install, because in PIM 12.9 there is no agent for Windows endpoints?

 

Shahnawaz Soomro :

@Arun..that is right there is no client installation needed for securing accounts through CA PIM...only for the fine grain security on the endpoint

 

Renato Pioker :

@Renato - You may use the endpoints from r12.8 SP1

 

Arun Kalasapudi :

@Shahnawaz, thank you for the clarification!

 

Shahnawaz Soomro :

@Arun...using CA PIM to auto-login user into CA APIM with ssconfig/root will also give you an option to record the user session

 

Renato :

@Renato - I did that, but ENTM does not show the endpoint installed with agent 12.8

 

Renato Pioker :

@Renato - Please check in the policyfetcher.log file if it is communicating with your server. If it is not, you may have an issue in your endpoint registration. Please, open a ticket on our support so we can assist you

 

Renato :

@Renato - thanks.

 

Kristen Malzone (CA) :

Alright! That's all the time we have for today!
