Layer7 Privileged Access Management

Tech Tip - CA Privileged Access Manager: Use CA Single Sign-On to protect CA PAM resources

By wonsa03 posted 04-18-2017 11:34 PM


CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 19th April 2017


The scope of this document is to provide the steps needed to configure CA Single Sign-On R12.52 SP1 to protect the CA PAM ‘Global Settings’ page, with CA Directory as the user store.


  1. CA Single Sign-On: Administrative UI >> Infrastructure >> Agents >> Agent
     Create an Agent object.
  2. CA Single Sign-On: Administrative UI >> Infrastructure >> Agents >> Agent Configuration Objects
     Create an Agent Configuration Object as a copy of ‘ApacheDefaultSettings’, then update DefaultAgentName, HttpsPorts, GetPortFromHeaders and LogoffUri.
  3. CA Single Sign-On: Administrative UI >> Infrastructure >> Authentication >> Authentication Schemes
     Create an HTML Form authentication scheme referencing pamlogin.fcc.
  4. CA Single Sign-On: Administrative UI >> Infrastructure >> Directory >> User Directories
     Create a User Directory object referencing the CA Directory instance.
  5. CA Single Sign-On: Administrative UI >> Infrastructure >> Hosts >> Host Configuration Objects
     Create a Host Configuration Object referencing the Policy Server.
  6. CA Single Sign-On: Administrative UI >> Policies >> Applications
     Create an Application and associate the user directory created in Step 4 with it.
     Create a Component to protect the ‘Global Settings’ page and associate the authentication scheme created in Step 3 with the component.
     Create Resources with the GET and POST actions.
     Create Roles that include all the users who are allowed to access the protected resources.
     Create Policies that associate the Roles with the Resources.
  7. CA PAM: Config >> CA Modules
     Define the CA Single Sign-On Configuration.
  8. Save the configuration and restart Apache.


Troubleshooting

To disable CA Single Sign-On, you can disable it from the Utility Console (VMware OVA appliance)

OR disable it from CA PAM: Config >> CA Modules

If you get a blank page after the CA Single Sign-On login, or the CA Single Sign-On login page does not respond, please ensure that you have logged in to CA PAM using the CA PAM server’s FQDN.

Error:

Registration failed. Host config object not found.

Resolution:

Ensure that the Host Configuration Object value defined in CA PAM matches the Host Configuration Object name defined in CA Single Sign-On and the object still exists in CA Single Sign-On.

Error:

‘Login failed: unknown reason’ (from CA PAM Client) OR ‘Internal Server Error’ (from web browser UI) after the Apache restart for the CA Single Sign-On integration.

Resolution:

Ensure that the Agent Configuration Object value defined in CA PAM matches the Agent Configuration Object name defined in Step 2 and that the object still exists in CA Single Sign-On.

Error:

‘Checking for update failed. Reason: Server returned HTTP response code: 500 for URL: https://<PAM_FQDN>/client/structure.php?os=win’ (from CA PAM Client) OR ‘Internal Server Error’ (from web browser UI) when users attempt to access CA PAM with the CA Single Sign-On integration enabled.

Resolution:

Ensure that the CA Single Sign-On Policy Server is up and running.

Error:

Registration failed. A trusted host with the same name already exists.

Resolution:

This usually happens when you have disabled CA Single Sign-On and then attempt to re-enable it (with the same settings as before) from CA PAM.

Define a different Trusted Host Name

OR delete the existing Trusted Host from CA Single Sign-On: Administrative UI >> Infrastructure >> Trusted Hosts, before saving the CA Single Sign-On Configuration.
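The following pre-flight check is an added example and is not code from the Tech Tip or from CA. It models, on constructed data, the name-consistency and existence conditions that the configuration steps and the troubleshooting entries above tie to concrete errors: the Host Configuration Object named in CA PAM must exist in CA Single Sign-On, the Agent Configuration Object named in CA PAM must exist and must carry the Step 2 overrides (DefaultAgentName, HttpsPorts, GetPortFromHeaders, LogoffUri), the Trusted Host Name must not already be registered, the Policy Server must be up, and CA PAM must be addressed by FQDN. The dictionary layout, the `SsoInventory` class, the `preflight` and `check_aco` functions, and every object name and value are assumptions made for this example; they are not CA APIs or configuration file formats.

```python
"""Added example: pre-flight consistency check for a CA PAM <-> CA SSO setup.

All data structures and names here are constructed for illustration; they
do not represent CA PAM or CA Single Sign-On internals.
"""
from dataclasses import dataclass, field
import ipaddress

# Parameters that Step 2 changes on the copy of 'ApacheDefaultSettings'.
ACO_REQUIRED_OVERRIDES = ("DefaultAgentName", "HttpsPorts",
                          "GetPortFromHeaders", "LogoffUri")


@dataclass
class SsoInventory:
    """Objects that currently exist on the CA SSO side (constructed)."""
    agents: set = field(default_factory=set)          # Agent object names
    acos: dict = field(default_factory=dict)          # ACO name -> parameters
    hcos: set = field(default_factory=set)            # HCO names
    trusted_hosts: set = field(default_factory=set)   # registered trusted hosts
    policy_server_up: bool = True


def is_fqdn(host: str) -> bool:
    """True for a dotted hostname; False for a bare IP or a short name."""
    try:
        ipaddress.ip_address(host)
        return False            # an IP address is not an FQDN
    except ValueError:
        return "." in host.strip(".")


def check_aco(name: str, inv: SsoInventory) -> list:
    """Checks that the ACO exists and carries the Step 2 overrides."""
    issues = []
    aco = inv.acos.get(name)
    if aco is None:
        issues.append(f"ACO '{name}' not found in CA SSO: expect "
                      "'Login failed: unknown reason' / 'Internal Server Error' "
                      "after the Apache restart")
        return issues
    for key in ACO_REQUIRED_OVERRIDES:
        if not aco.get(key):
            issues.append(f"ACO '{name}' does not set {key} (Step 2 override)")
    agent = aco.get("DefaultAgentName")
    if agent and agent not in inv.agents:
        issues.append(f"ACO '{name}' DefaultAgentName '{agent}' is not an "
                      "Agent object (Step 1)")
    return issues


def preflight(pam_cfg: dict, inv: SsoInventory) -> list:
    """Returns a list of readable issues; an empty list means all checks pass."""
    issues = []
    if not is_fqdn(pam_cfg["pam_fqdn"]):
        issues.append("CA PAM must be accessed by FQDN; otherwise the SSO login "
                      "page may be blank or unresponsive")
    if pam_cfg["hco"] not in inv.hcos:
        issues.append(f"HCO '{pam_cfg['hco']}' not found in CA SSO: expect "
                      "'Registration failed. Host config object not found.'")
    if pam_cfg["trusted_host"] in inv.trusted_hosts:
        issues.append(f"Trusted host '{pam_cfg['trusted_host']}' already "
                      "registered: expect 'Registration failed. A trusted host "
                      "with the same name already exists.' (use a new name or "
                      "delete it under Infrastructure >> Trusted Hosts)")
    if not inv.policy_server_up:
        issues.append("Policy Server down: expect HTTP 500 on "
                      "/client/structure.php and 'Internal Server Error'")
    issues += check_aco(pam_cfg["aco"], inv)
    return issues


# Constructed sample data (names and values are placeholders, not real ones).
SAMPLE_INVENTORY = SsoInventory(
    agents={"pam-agent"},
    acos={"PAMApacheSettings": {"DefaultAgentName": "pam-agent",
                                "HttpsPorts": "443",
                                "GetPortFromHeaders": "YES",
                                "LogoffUri": "/logout"}},
    hcos={"PAMHostConfig"},
    trusted_hosts={"pam-old-host"},
)
GOOD_CFG = {"pam_fqdn": "pam.example.com", "hco": "PAMHostConfig",
            "aco": "PAMApacheSettings", "trusted_host": "pam-host-01"}
# Misconfigured: bare IP, missing HCO, re-used trusted host name.
BAD_CFG = {"pam_fqdn": "10.0.0.5", "hco": "MissingHCO",
           "aco": "PAMApacheSettings", "trusted_host": "pam-old-host"}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label, preflight(cfg, SAMPLE_INVENTORY) or "OK")
```

Run the script before saving the CA Single Sign-On Configuration in CA PAM (Step 7): each reported issue names the error from the troubleshooting list above that the mismatch would otherwise produce after the Apache restart.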
