Symantec Privileged Access Management Community Blog

The global DRAM/RAM shortage has resulted in significant cost increases, +200% since August 2025. These higher prices are expected for the foreseeable future creating mounting pressure for organizations to reduce their overall memory consumption. CIOs and CISOs are challenged to extract as much value as possible out of existing infrastructure while keeping the environment secure in the face of rising threats and regulatory pressure. Many companies are now scrutinizing every available gigabyte deployed. Modern IT practices have fueled spikes in infrastructure demand and simultaneously boosted the need to continuously manage privileged accounts and ...
In an era where cyber threats grow increasingly sophisticated, the principle of least privilege has evolved from a best practice to a core pillar of enterprise cybersecurity. Organizations are adopting identity-based Zero Trust architectures, where access is continuously verified and privileges are tightly controlled. Implementing least privilege ensures that users, systems, and applications receive only the permissions required to perform their tasks—no more, no less. Symantec Privileged Access Manager (PAM) offers a unified, policy-driven platform for enforcing least privilege across the enterprise. It secures privileged accounts, monitors administrative ...
Despite the numerous, headline-making incidents in recent years, cybercrime continues to rise while organizations must contend with an ever-increasing attack surface. Many types of attacks depend on stealing and exploiting privileged credentials and accounts. Organizations have recognized these dangers and are focusing their protection efforts in this area; but many are still failing to manage and govern their privileged users on an ongoing basis. In this session we will discuss how you can combine privileged access management and identity management technologies to enable organizations to manage and govern their privileged users more efficiently. Check out ...
As outlined in CA’s recent general notice regarding Java, CA software products will be migrating to support open-source implementations of Java. For Layer7 products, primary support will shift from Oracle Java to AdoptOpenJDK, a popular free version of Java that derives its source from OpenJDK. What is AdoptOpenJDK? "AdoptOpenJDK uses infrastructure, build and test scripts to produce prebuilt binaries from OpenJDK™ class libraries and a choice of either the OpenJDK HotSpot or Eclipse OpenJ9 VM. All AdoptOpenJDK binaries and scripts are open source licensed and available for free." (source: https://adoptopenjdk.net/ ) This document will ...
Please review this useful information and links to help you be successful with your CA PAM implementation.

1. Where to download the product?

Note – CA PAM is distributed as a Virtual Appliance (On Premise, AWS and MS Azure) as well as a HW Appliance. For the Virtual Appliance On Premise (OVA): https://support.ca.com/us/download-center.html and select:
- CA Privileged Access Manager (PAM)
- CA Privileged Access Credential Manager DEBIAN
- select the latest version available (as of this writing it is 3.2)
- download the OVA file (as of this writing it is “PRIVILEGED ACCESS MANAGER R3.2 - ESD ONLY DVD500000000001333.ova”) ...
Below is a list of the KB Docs with the most views in June 2018:
- DLG_FLAGS_SEC_CERT_CN_INVALID
- How to troubleshoot CA PAM Access Page problems
- How to add an external MySQL Database to CA PAM
- I am getting "Access is denied" when I try to RDP in learning mode to my Windows device while trying to configure Transparent Login
- After logging into CA PAM there is a message: "Bind Failure" "The following loopback addresses could not be loaded..."
- How to configure the Schedule Backup for PAM with CIFS/NFS
- RDP Drive Mapping, drive not being mapped. Error on Access RDP Connections
- How-to: Troubleshooting RDP Application Transparent Login ...
Issue: After disabling the "TLS v1.0/1.1 Connection Allowed" option on the Configuration > Security > Access page, our Linux A2A clients no longer work. It looks like they are not using TLS 1.2 by default when connecting to the PAM server. Cause: The Linux A2A version 4.13 for PAM 3.0.1 ships with a JRE 7 that by default uses TLS 1.0 to connect to secure web servers, and the A2A client does not override that default. Resolution: The problem will not be observed after upgrading PAM and the A2A client to version 3.1.1 or higher, because the 3.1.1 A2A client includes a JRE 8 that uses TLS 1.2 by default. If you have to remain at 3.0.X, you can ...
Issue: We used an S3 bucket named x.y for session recording with PAM 2.8. After upgrading to PAM 3.X the bucket is no longer mounted successfully. Resolution: PAM uses s3fs to mount an S3 bucket, and PAM 3.x includes a newer s3fs version with stricter certificate checking. Per the information at https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html, avoid bucket names containing dots when creating buckets for PAM session recordings or database backups: "When you use virtual hosted–style buckets with Secure Sockets Layer (SSL), the SSL wildcard certificate only matches buckets that don't contain periods. To work around this, use HTTP or write your ...
Issue: After installing the PAM 3.1.1 remote CLI on a Windows host and preparing the keystore file following the instructions at https://docops.ca.com/ca-privileged-access-manager/3-2/EN/programming/credential-manager-remote-cli-and-java-api/install-and-set-up-the-remote-cli-and-java-api , running the capam_command.bat script results in the error "Couldn't find the keystore file capam.keystore", even though the keystore file exists in the folder from which the command is run. Resolution: This problem occurs when the remote CLI is copied to a folder whose path contains a space character, such as "C:\CA PAM\Remote CLI", because the bat script does not quote file paths. ...
Question: How do we manage target accounts that are sitting in containers in an Oracle multitenant architecture (Oracle RAC)? Answer: Oracle 11g release 2 introduced the SCAN feature (Single Client Access Name). The Target Application is set up the same way as if it were a single database, but on the customer side the Node Name is replaced with the SCAN name. Single Client Access Name (SCAN) is an Oracle Real Application Clusters (Oracle RAC) feature that provides a single name for clients to access Oracle Databases running in a cluster. More information from Oracle: Single Client Access Name
Question: What Cipher Suites are supported by the Active Directory Target Application in PAM 3.1.1? Answer: The AD target application only connects to the secure port 636 of AD domain controllers. A good way to see which Cipher Suites a secure client supports is to run a network trace somewhere along the network route, or on the AD controller itself, and inspect the "Client Hello" packet. An example is given below for a PAM 3.1.1 AD target application connecting to a domain controller using TLS 1.2: Transmission Control Protocol, Src Port: 51577, Dst Port: 636, Seq: 1, Ack: 1, Len: 252 Secure Sockets Layer TLSv1.2 Record Layer: ...
Question: Is PAM affected by the recently reported Apache Struts and Jackson-databind vulnerabilities, CVE-2018-1347 and CVE-2018-7489? Answer: CA PAM is not affected by either vulnerability.
Issue: After upgrading PAM from 2.8.3 to 3.0.2, clicking the Analytics icon on the PAM dashboard launches a browser session but the page remains empty. When we check recent IdP log entries using the Configuration > Diagnostics > Diagnostic Logs > Download page, we find some exceptions and the message "Metadata file '/opt/shibboleth-idp/metadata/xcdSPMetadata.xml' does not exist". There are no new entries when we try to launch threat analytics from the dashboard, not even after raising the IdP log level to Verbose. Resolution: These files can be recreated by saving the TCP service created for TAP and restarting the Identity Provider service. ...
Applying the PAM 2.8.3 or 2.8.4 patch to an appliance that is integrated with a Thales HSM may cause problems for the Password Management side of the product, because either of these two patches may overwrite configuration changes made for the HSM integration. A PAM administrator would find on the dashboard under "Elements Under Management" that the count for target accounts is missing. This problem cannot be fixed by applying another patch; it can be corrected in a remote session with technical support right after the upgrade. If you have PAM integrated with a Thales HSM at a release lower than 2.8.3, or at 2.8.3 and you want to upgrade to 2.8.4, please ...
Issue: On UNIX or Linux a privileged account can change the password of any other account by running a "sudo passwd <user>" command, assuming the privileged account is allowed to run "sudo passwd" per the configuration in the /etc/sudoers file. The default Update Credentials Script for a target application of type UNIX is written with that use case in mind. The root account can run the passwd command without using sudo. However, the default script unconditionally uses the sudo command, or in general the Privilege Elevation Command configured in the target application, when the password change process for a target account is configured with the "Use the following ...
###### [Issue Summary] ###### We have tested non-root accounts in PAM: we created a user in Linux and tried to integrate it with PAM. After saving the password in PAM, we found that PAM is neither able to change the password nor able to verify the credentials. The GUI is also different since it is a local account on the Linux system. But at the same time, if we map access to this machine to the user, PAM is able to provide an authenticated session with successful SSO. ###### [Troubleshooting] ###### Set the Tomcat logs to INFO. Remember to click Submit for the change to take effect. Reproduce the error by doing a verify and download the Tomcat ...
Symptom: After upgrading to 3.0.1, the appliance is not reachable via the Web GUI. However, the appliance is up and available via the VMware console. The network cards are enabled, but I can't communicate with those appliances anymore. This happens only for Virtual Machines. Cause: During the upgrade to 3.0.1 all the NICs configured in the virtual machine are connected. So if there are more NICs connected than the ones enabled in PAM, the system blocks the communications. Resolution: Compare the Network Interface cards enabled in the server settings with those in the Interface Network Settings in the PAM console. The number of Network Interfaces enabled has to match. If there are ...
Question: The customer is using sesudo on a shell script created by their support team. sesudo receives some large parameters, and when we tried to execute the command, the following error appeared: "sesudo: Parameter is too long." Is it possible to increase the parameter length that sesudo accepts? Answer: sesudo has a limit of 255 characters on its command line, and it is not configurable. Looking at their script, a good workaround would be a wrapper script, i.e. an intermediate script containing the parameters (${ARGXSU[1]} ${ARGXSU[2]} ${ARGXSU[3]} ${ARGXSU[4]} ${ARGXSU[5]} ${ARGXSU[6]} ${ARGXSU[7]} ${ARGXSU[8]} ${ARGXSU[9]}) that would be called ...
Problem: The customer built a CSV to import Devices into CA PAM but got the following error while importing it: "Message 10012: First CSV header must be Type not Type." Resolution: 1. Renamed the file from IMPORT_PAM.CSV to IMPORT_PAM.csv (note the lower-case extension); 2. Switched the file encoding from ANSI to UTF-8 (I used Notepad++ for that). No changes were made to the file header or file contents.