I have a problem with an A2A configuration. I have a script web.config and this file has many connection strings and appSettings in the same file. I don't know how to map many credentials in this file. I know how to configure A2A in a file with a single credential, but in this file I could not configure the mapping. This is the example of the file:
<appSettings>
  <add key="key1" value="value1"/>
  <add key="key2" value="value2"/>
  <add key="key3" value="value3"/>
</appSettings>
<!-- the .NET section name is connectionStrings (plural); connectionString is not recognised -->
<connectionStrings>
  <add name="DB1" connectionString="Data Source=Database1;Initial Catalog=IT_Logs;Integrated Security=False;User ID=user1;Password=pwd1;Connect Timeout=15;Encrypt=False;TrustServerCertificate=False;ApplicationIntent=ReadWrite;MultiSubnetFailover=False" />
  <add name="DB2" connectionString="Data Source=Database2; Initial Catalog=bi; Persist Security Info=true; User ID=user2; Password=pwd2" />
  <add name="DB3" connectionString="Provider=Database3; User ID=user3; Password=pwd3; Data Source=source;" />
</connectionStrings>
Hello Rafael, The main idea of A2A is to get away from passwords stored in configuration files. Rather than having the password in the file, you change the application that uses the credentials to get the passwords from PAM at the time they are needed.
Also, a configuration file wouldn't be registered as a script in PAM. You register executable scripts that make calls into the PAM A2A client to get passwords when executed on the target device. PAM can verify that the request comes from a registered script, or deny the request if that is not the case. In theory you could write a script that parses the configuration file and updates all the passwords in it after getting them from PAM. But it is better to remove the passwords from the configuration file and get them at run time whenever needed.
I have another question: do you know a way to use A2A without importing a Windows DLL in the application (I have a C#.NET application, using a web.config file to connect to the database)? Importing the DLL in all applications is going to be impractical for me.
Hi Rafael, You could call a binary, e.g. one of the samples that come with the A2A client, from your application instead of calling directly into the A2A client, and get the passwords from the response of the binary you execute.
Do you have an example of that? So that I can guide myself in the configuration.
Hi Rafael, If your question is whether I have a sample C#.NET project that calls another executable to get a PAM password, the answer is no. The A2A client includes the cspmclient binary which can be called to get passwords. This is discussed on page Integrate Applications with the Credential Manager A2A Client - CA Privileged Access Manager - 3.2.4 - CA Technologies D…
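The pattern suggested in the two replies above (keep the password out of web.config, run the A2A client binary as a child process at run time and read the password from its output), as an added C#.NET example that is not from this thread, from CA, or from the A2A client samples. The System.Diagnostics.Process and System.Data.SqlClient calls are standard .NET; the cspmclient install path, its command-line argument and the assumption that it prints only the password to standard output are placeholders to be replaced by the invocation documented on the page linked above. It also shows one way to handle several databases: each connectionStrings entry keeps everything except the password, and an appSettings key maps that entry's name to the PAM alias used to fetch it.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Threading.Tasks;

// Added example (not project code). Retrieves database passwords from PAM by executing the
// A2A client binary instead of importing its DLL, and assembles the connection string at
// run time so that web.config never contains Password=... values.
public static class PamCredentialProvider
{
    // ASSUMPTION: install location of the A2A client binary on the target device.
    private const string ClientPath = @"C:\cspm\cspmclient.exe";

    // Runs the client binary for one PAM alias and returns the password it prints.
    // ASSUMPTION: passing the alias as the sole argument and reading the password from
    // stdout is a placeholder; use the argument form documented for cspmclient.
    public static string GetPassword(string pamAlias)
    {
        var psi = new ProcessStartInfo
        {
            FileName = ClientPath,
            Arguments = pamAlias,          // hypothetical argument form
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            UseShellExecute = false,
            CreateNoWindow = true,
        };

        using (Process p = Process.Start(psi))
        {
            // Read stderr asynchronously so a chatty child cannot deadlock on a full pipe.
            Task<string> stderrTask = p.StandardError.ReadToEndAsync();
            string stdout = p.StandardOutput.ReadToEnd();

            if (!p.WaitForExit(30000))
            {
                p.Kill();
                throw new TimeoutException("A2A client did not return within 30 s");
            }
            string stderr = stderrTask.Result;

            // A non-zero exit (e.g. request denied because the caller is not a registered
            // script) must fail closed rather than fall back to a stored password.
            if (p.ExitCode != 0)
                throw new InvalidOperationException(
                    "A2A client failed with exit code " + p.ExitCode + ": " + stderr.Trim());

            string password = stdout.Trim();
            if (password.Length == 0)
                throw new InvalidOperationException("A2A client returned an empty password");
            return password;
        }
    }

    // Builds the full connection string for a named connectionStrings entry.
    // web.config (constructed sample, no passwords):
    //   <connectionStrings>
    //     <add name="DB1" connectionString="Data Source=Database1;Initial Catalog=IT_Logs;User ID=user1" />
    //     <add name="DB2" connectionString="Data Source=Database2;Initial Catalog=bi;User ID=user2" />
    //   </connectionStrings>
    //   <appSettings>
    //     <add key="PamAlias.DB1" value="alias-for-user1" />   <!-- hypothetical alias names -->
    //     <add key="PamAlias.DB2" value="alias-for-user2" />
    //   </appSettings>
    public static string BuildConnectionString(string connectionName)
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[connectionName];
        if (entry == null)
            throw new ArgumentException("No connectionStrings entry named " + connectionName);

        NameValueCollection settings = ConfigurationManager.AppSettings;
        string pamAlias = settings["PamAlias." + connectionName];
        if (string.IsNullOrEmpty(pamAlias))
            throw new ArgumentException("No PamAlias.* mapping for " + connectionName);

        var builder = new SqlConnectionStringBuilder(entry.ConnectionString)
        {
            Password = GetPassword(pamAlias),
            // Keep the password out of SqlConnection.ConnectionString once the connection is open.
            PersistSecurityInfo = false,
        };
        return builder.ConnectionString;
    }

    // Typical call site: the password exists only in memory for the lifetime of the connection.
    public static SqlConnection OpenConnection(string connectionName)
    {
        var conn = new SqlConnection(BuildConnectionString(connectionName));
        conn.Open();
        return conn;
    }
}
```

Every new database then needs one connectionStrings entry without a password plus one PamAlias.* key, and the only place PAM is called is GetPassword, which fails closed on a denied request instead of reading a fallback password from the file.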