Symantec Privileged Access Management

  • 1.  CA PAM A2A configuration for web.config with more than one connection string

    Posted Apr 22, 2019 10:34 AM

    Hi, 


    I have a problem with an A2A configuration. I have a script web.config, and this file has many connection strings and appSettings in the same file. I don't know how to map many credentials in this file; I know how to configure A2A in a file with a single credential, but in this file I could not configure the mapping. This is the example of the file:


    <appSettings>
       <add key="key1" value="value1"/>
       <add key="key2" value="value2"/>
       <add key="key3" value="value3"/>
    </appSettings>

    <!-- the ASP.NET section is named connectionStrings (plural); each entry carries its own user and password -->
    <connectionStrings>
       <add name="DB1" connectionString="Data Source=Database1;Initial Catalog=IT_Logs;Integrated Security=False;User ID=user1;Password=pwd1;Connect Timeout=15;Encrypt=False;TrustServerCertificate=False;ApplicationIntent=ReadWrite;MultiSubnetFailover=False" />
       <add name="DB2" connectionString="Data Source=Database2; Initial Catalog=bi; Persist Security Info=true; User ID=user2; Password=pwd2" />
       <add name="DB3" connectionString="Provider=Database3; User ID=user3; Password=pwd3; Data Source=source;" />
    </connectionStrings>


    Best Regards, 

    Rafael

    Attachment: web.config.zip (457 B)


  • 2.  Re: CA PAM A2A configuration for web.config with more than one connection string

    Broadcom Employee
    Posted Apr 24, 2019 09:57 AM

    Hello Rafael, The main idea of A2A is to get away from passwords stored in configuration files. Rather than having the password in the file, you change the application that uses the credentials to get the passwords from PAM at the time they are needed.

    Also, a configuration file wouldn't be registered as a script in PAM. You register executable scripts that make calls into the PAM A2A client to get passwords when executed on the target device. PAM can verify that the request comes from a registered script, or deny the request if that is not the case. In theory you could write a script that parses the configuration file and updates all the passwords in it after getting them from PAM. But it is better to remove the passwords from the configuration file and get them at run time whenever needed.



  • 3.  Re: CA PAM A2A configuration for web.config with more than one connection string

    Posted Apr 24, 2019 01:25 PM

    Hi Ralf,


    I have another question: do you know a way to use A2A without importing the Windows DLL in the application (I have a C#.NET application, using a web.config file to connect to the database)? Importing the DLL in all applications is going to be impractical for me.


    Best Regards, 

    Thanks.



  • 4.  Re: CA PAM A2A configuration for web.config with more than one connection string

    Broadcom Employee
    Posted Apr 24, 2019 02:29 PM

    Hi Rafael, You could call a binary, e.g. one of the samples that come with the A2A client, from your application instead of calling directly into the A2A client, and get the passwords from the response of the binary you execute.



  • 5.  Re: CA PAM A2A configuration for web.config with more than one connection string

    Posted Apr 24, 2019 02:37 PM

    Hi Ralf,

    Do you have an example of that, so that I can guide myself in the configuration?

    Thanks, 

    Rafael 



  • 6.  Re: CA PAM A2A configuration for web.config with more than one connection string
    Best Answer

    Broadcom Employee
    Posted Apr 24, 2019 02:52 PM

    Hi Rafael, if your question is whether I have a sample C#.NET project that calls another executable to get a PAM password, the answer is no. The A2A client includes the cspmclient binary which can be called to get passwords. This is discussed on page Integrate Applications with the Credential Manager A2A Client - CA Privileged Access Manager - 3.2.4 - CA Technologies D…
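    One way to apply what Ralf describes in a C#.NET application, as an added example that is not from this thread or from the A2A client documentation: the Password= part is removed from each web.config connection string, and the password is fetched at run time by launching a helper executable and reading its output. The helper's path, its argument syntax, its output format, and the mapping from connection name to credential alias are all placeholders here, because the thread does not show them.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Diagnostics;

// Added example (not the thread's or the product's code): keep web.config free of
// passwords and obtain them from an external credential helper when needed.
public static class A2ACredentials
{
    // PLACEHOLDER: path to the helper binary (e.g. the A2A client's sample executable).
    private const string HelperPath = @"C:\path\to\credential-helper.exe";

    // Constructed mapping from web.config connection name to the credential alias
    // the helper understands; adjust to the aliases registered in PAM.
    private static readonly Dictionary<string, string> AliasFor = new Dictionary<string, string>
    {
        { "DB1", "alias-for-db1" },
        { "DB2", "alias-for-db2" },
        { "DB3", "alias-for-db3" },
    };

    // Runs the helper for one alias and returns what it printed on stdout.
    // Assumption: the helper prints only the password and exits 0 on success.
    public static string FetchPassword(string alias)
    {
        var psi = new ProcessStartInfo(HelperPath, alias)
        {
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            UseShellExecute = false,
            CreateNoWindow = true,
        };
        using (Process proc = Process.Start(psi))
        {
            string output = proc.StandardOutput.ReadToEnd();
            string errors = proc.StandardError.ReadToEnd();
            proc.WaitForExit();
            if (proc.ExitCode != 0 || output.Trim().Length == 0)
                throw new InvalidOperationException("credential helper failed for " + alias + ": " + errors);
            return output.Trim();
        }
    }

    // web.config entry has no Password=, e.g.
    // <add name="DB1" connectionString="Data Source=Database1;Initial Catalog=IT_Logs;User ID=user1" />
    public static string ConnectionStringFor(string name)
    {
        string template = ConfigurationManager.ConnectionStrings[name].ConnectionString;
        var builder = new SqlConnectionStringBuilder(template) { Password = FetchPassword(AliasFor[name]) };
        return builder.ConnectionString;   // complete string exists only in memory, never on disk
    }
}
```

    Each of the three connection entries is then resolved with `A2ACredentials.ConnectionStringFor("DB1")` and so on, so the file the asker posted no longer has to hold any credential.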