We have a requirement in which we have onboarded the target application server (let's say XYZ) in PAM for password management. Currently, the flow of the the transaction is as below.
1. Admin logged in to the CA PAM console and click on the generate password for XYZ target application.
2. The new password is generated.
3. On application server we have a script (placed on the XYZ target app server) that runs periodically to fetch the generated password from PAM for XYZ target applications and update in the properties file, which lies on the XYZ target application.
4. The admin restarts the server or we can have a automated script to do this.
As per the above flow, the password sync is not real time and also not fully automated. Does anyone provide me a real time solution or design as i am new to PAM. Thanks in advance.
Please suggest. Thanks.
If its some kind of script which requires password to work then You need Application to Application module of CA pam.
If you have this then it can be done.
As Asif mentioned, this is the function of the App2App module of CA PAM. The Target accounts are managed by the PAM system according to the rule you apply to the credential's life-cycle. To ensure access by any applications/scripts that require access to the target account, integrate you program with the A2A client. As with Privileged Users, calling applications must be authorized in the CA PAM server and mapped to the target account or group. The A2A client can be set up to keep a secure store with mapped account credentials or bi-pass the cache store and go to the main PAM server/cluster. The local client cache will be updated when the target accounts stored are changed by the PAM server life-cycle rules
I am unable to drop a message to you. Can we connect for 5 min as per your suitable time (if possible). There are multiple ways to utilize PAM API and one of them is REST-based which is what I am using. There are other APIs like bash-based, C++ and command line which required installation of a A2A client and run commands using it, however, I wasn’t able to do it easily after getting the client installed.
Thanks for your assistance. I really appreciate your kindness.
If I am understanding your query correctly and your licenses allow for this, I do believe this is done under 'target accounts'. When the select account is created and attached to a host, you can allow for the system to be updated along with the password authority server, so the changes to password are propagated to the machine. On top of that you can include other machines with the same user account if you want to have all said passwords modify to be the same. Please see the below image as the password for the root account is synchronized to; the system, Password Auth, and the other system listed below so they change for both servers.