I'm working with PAM 3.2, on a evaluation implementation and had a question I was wondering if anyone had clarity on.
As far as Oracle's decision to charge for JDK/JRE use, I was wondering what is involved for the users from that change.
The application-access to PAM runs on an internal JRE, so I assume that is CA's responsibility to manage, but the website seems to still be running on java.
Does that mean each user of PAM logging in through the website requires a JDK/JRE installation?
Additionally, I assume we'll need JDK or JRE installed for the windows proxy server, as well as the Java connector server, but it isn't clear.
Has anyone found out anything regarding this?
Indeed most of PAMs features are based on java one way or other. The actual PAM client s an embedded JRE installation, and it is actually using the jxbrowser, which is a java browser. In the same way the ssh terminal is Mindterm, again based on java. The appliance itself works internally making heavy use of java as well (e.g. Tomcat and JBOSS)
Using the product with any desktop browser will let you access the password management side and some other areas, but it certainly won't allow to use many of the access features. Actually this is something which is already happening today and it causes JRE to have to be installed locally in order to fully administer the product without the PAM client, as well as posing limitations with the browsers you can use.
Agreed Miquel, and thank you for the reply.
This is an area that is not clear to me-
You're saying website access of CA PAM restricts certain key functionalities (remote access) to endpoints without a JRE/JDK installed on the workstation?
It seems the local PAM client shouldn't be an issue, as the embedded JRE shouldn't need a licence for our use.
If you try to access PAM just with a native browser (e.g. Internet Explorer, Firefox), that is without the PAM client, then the parts of the product that rely heavily on java, that is, on running applets, will not work well. Indeed this will not happen when using the CA PAM Client, as it itself is a java environment. I assume as well as you say, that if you are using the CA PAM Client alone, you should not have to worry about licensing bits because java already comes in the client.
If that's the case, if we want to avoid license fees we'll need to only provide PAM access through the client, as our browser will not have access to java.
Thanks for your input, I'm not sure if your answer is definitive, so I'm going to keep the question open.
I don't know how much help it might be, but just to add you can check out the third-party license agreements on this link:
Third-Party License Acknowledgments - CA Privileged Access Manager - 3.2 - CA Technologies Documentation
There is a link on that page where you can find the document that describes each license in more details.