Symantec Privileged Access Management

Tech Tip - CA Privileged Access Manager: Setup CA Threat Analytics Server with CA PAM

By wonsa03 posted 04-21-2017 02:21 AM


CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 21st April 2017


The scope of the document is to provide the necessary steps to integrate CA Threat Analytics 2.0.2 with CA Privileged Access Manager 2.8.1.


  1. CA PAM: Config >> Security
    Enable External REST API

  2. CA PAM: Credential Manager >> Targets >> Accounts
    Verify that CATapApiUser-x is listed, note down the password
  3. CA Threat Analytics Engine (https://<TA_IP>)
    Configure CA Threat Analytics Engine to use the CA Privileged Access Manager adapter.
    Log in to CA Threat Analytics Engine [admin/ P@ssword1234]

    Navigate to Services and select “CA PAM”

    Navigate to Configuration tab. Enter the CATapApiUser-x password, Test successful and Save Configuration
  4. CA Threat Analytics Engine
    Generate an API Auth Token.
    Navigate to Services, select ‘”CA PAM” and navigate to Auth Tokens tab. Click “new Auth Token”

    Download the auth token
  5. CA PAM: Config >> CA Modules
    Specify the CA Threat Analytics service that receives the CA Privileged Access Manager usage data for processing.
    Save and Test the connection

  6. CA PAM: Config >> Security
    Setup SAML authentication from CA PAM to CA Threat Analytics.
    Enable IdP

    Set Entity ID, Fully Qualifies Hostname, Signature Algorithm and the IdP Certificate. Update IdP Configuration and Download Idp Metadata
  7. CA Threat Analytics Administrative Application (https://<TA_IP>:3000)
    Setup SAML authentication from CA Threat Analytics to CA PAM.
    Log in to CA Threat Analytics Administrative Application [admin/ P@ssword1234]

    Navigate to Security

    Select ‘SAML’ for Authentication Mode, select the SAML Metadata File downloaded in Step 6, define the domain name/ IP address of the TAP server and save

  8. CA Threat Analytics Administrative Application
    Restart Threat Analytics Engine and PostgreSQL Database services
  9. CA PAM
    Access CA Threat Analytics Engine via the “punch-through” CA Threat Analytics icon on the dashboard




Error: Service Configuration parameters are incorrect!

Resolution: Ensure that the correct details are defined in CA Threat Analytics Engine and the CA TapApiUser’s account status is Enabled in CA PAM



Error: SAML 2 SSO profile is not configured for relying party https://<IP_or_FQDN>

Resolution: The Threat Analytics Address defined in CA PAM: Config >> CA Modules is automatically reflected in the TCP/UDP Services named ‘TAP-SAML-Service’ as SAML Entity ID. Ensure that the value matches the FQDN/ IP associated to the Assertion Consumer Service URL in CA Threat Analytics Administrative Application: Security.


Note: Any changes made to security settings in CA Threat Analytics Administrative Application requires restart of the Threat Analytics Engine.






07-25-2017 05:44 PM

Worked with Talk Prigl to fix the issue. It was time out of sync in between the two servers.

07-25-2017 05:00 PM

Harjeev, Did you check the time server configuration on both hosts?

07-25-2017 04:48 PM

Any idea why SAML in between PAM and TA won't work and logs shows as below?



05-04-2017 03:18 AM


I have in device list and ApiKey in app list. I checked logs but there is no log related "apikey" or "tap".

I will open a support case.

Thanks for your support

05-03-2017 01:28 PM

Do you have device in your device list? And a target application named "ApiKey” that is associated with this device? If you look for "apikey” or "tap” in the session logs (Click Search and enter the search text in the Details field), do you see any messages indicating a problem? If you can't get past this, please open a support case.

05-03-2017 10:37 AM


Sorry. I forgot a screen capture. I verified in account list and CA TAP Api user not found

05-03-2017 09:47 AM

Hello, You show a screenshot of your list of users. This would not include the TAP Api user account. That is a target account you should find under Targets > Account List when you go to Policy > Manage Passwords. Also, please note my warning above about the integration of TAP with 2.8.2.

05-03-2017 05:26 AM


 ‘Default’ still in PVP

05-03-2017 05:22 AM

Hi wonsa03,

Thanks for your support.

I'd like to send my server status. License is enabled and External REST API is checked.


05-03-2017 05:21 AM

In addition to the above, I have seen issue creating new API key when ‘Default’ Password View Policy is renamed or removed:

Tech Tip - CA Privileged Access Manager: Failed to create new API key 

05-03-2017 05:14 AM

Hi Do,


The account is created automatically.


Ensure that your CA PAM Appliance is licensed with TA:


Also, ensure that ‘External REST API’ is checked (Config >> Security):

05-03-2017 03:15 AM

Hi Kelly,

I'm trying to integrate PAM 2.8.2 with TA but my PAM dont have CATapApiUser-x account. CATapApiUser also not found in User list

Can you show me how to create or enable that account?

Thank you

04-21-2017 11:57 AM

04-21-2017 08:52 AM

Note that there currently is a problem in CA PAM 2.8.2. If you follow this procedure to establish a new integration with Threat Analytics for PAM 2.8.2, the integration will work as far as monitoring of PAM user activity by Threat Analytics is concerned, but you may find that you end up with a PAM dashboard that has no data and no Threat Analytics icon. The CA PAM engineering team is aware of the problem and working on a fix.