Symantec Privileged Access Management

  • 1.  PAM-SC 14.1: SSL Communication Encryption

    Posted May 19, 2020 10:11 AM
    Good day,
    I started the implementation of PAM-SC 14.1 in a RHEL environment.
    All the components (ENTM, DS and Agent) are in place, and we also tested the SSL communication encryption (ssl_only) with the default certificate; it works with no problem.

    I have some doubts regarding the creation of custom certificates and I would like to know if you can help me clarify some steps.

    If I understand correctly, I have two options for SSL certificate customization, as described in:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager-server-control/14-1/implementing/communication-encryption/enable-ssl-encryption.html

    1- Use Third-Party Root and Server Certificates
    All the certificates and keys are provided by the client. What must be done is to replace the files in the default path or modify the path in the seos.ini file of each component. In case of password protection, store the new password via the sechkey command.

    2- Use a Server Certificate You Generate from a Third-Party Root Certificate
    The client must provide the root certificate and key. What must be done is to replace the files in the default path and leave only the sub_cert_info file in order to generate the server certificate.

    What I don't understand is:

    - Must the server certificate be generated on each server? I mean, regardless of the configuration/creation mode, must the server certificate be created on all the DS and all the agents separately, because each server has its own server certificate? I ask because my client has more than 3000 agents, and this means that he must generate more than 3000 server certificates. Is that correct? Or is there only one server certificate (e.g. generated in ENTM) that is uploaded to each agent?

    - I checked the sub_cert_info file that allows the creation of the server certificate via sechkey. I saw that the SERIAL attribute is configured automatically, but what about the SUBJECT? Should it be the FQDN? I ask because in my TEST ENTM I have this value equal to "cn=any.string". Should it be modified to the correct FQDN?

    Thanks for your support.

    Regards,
    Andrea Gimmelli

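Option 2 in the post above describes generating a server certificate from a root certificate supplied by the client. The following script is an added example, not part of the thread and not PAM-SC's own sechkey/sub_cert_info tooling: it shows, with plain openssl, the generic TLS pattern that such a procedure implements. A stand-in root CA is generated so the script runs offline (in the real scenario the client's root key and certificate take its place), each host gets its own key pair and a server certificate whose CN and DNS SAN carry that host's FQDN, and the verify step checks what a TLS peer checks: the chain to the root, the subject name, and the SAN. The host names agent01.example.internal and ds01.example.internal and the CA name are constructed for the demo; how sub_cert_info's SUBJECT and SERIAL map onto these fields is not covered by the thread.

```shell
#!/bin/sh
# Added example: per-host server certificates issued from an organisational root CA.
# All names ("Example Root CA", *.example.internal) are constructed for the demo.
set -eu

# Create a stand-in root CA. In the post's scenario this is the client's own root
# certificate and key; it is generated here only so the script runs offline.
make_root_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/root.key" -out "$dir/root.crt" \
        -subj "/O=Example Org/CN=Example Root CA" >/dev/null 2>&1
}

# Issue one server certificate for one host. The private key never leaves this
# host's directory; CN and a DNS SAN both carry the FQDN, and the certificate is
# constrained to server authentication (it cannot sign further certificates).
issue_server_cert() {
    dir=$1
    fqdn=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
        -subj "/CN=$fqdn" >/dev/null 2>&1
    # Extensions are supplied via -extfile so the same command works on OpenSSL 1.1.1 and 3.x.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$dir/$fqdn.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/$fqdn.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.crt" >/dev/null 2>&1
}

# Check what a connecting peer would check: the certificate chains to the trusted
# root, the subject CN equals the expected FQDN, and a matching DNS SAN is present.
# Prints OK on success, otherwise a short reason.
verify_server_cert() {
    dir=$1
    fqdn=$2
    openssl verify -CAfile "$dir/root.crt" "$dir/$fqdn.crt" >/dev/null 2>&1 \
        || { echo CHAIN_FAIL; return 0; }
    subj=$(openssl x509 -in "$dir/$fqdn.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//')
    [ "$subj" = "CN=$fqdn" ] || { echo "BAD_SUBJECT:$subj"; return 0; }
    openssl x509 -in "$dir/$fqdn.crt" -noout -text | grep -q "DNS:$fqdn" \
        || { echo NO_SAN; return 0; }
    echo OK
}

# Demo: one root, then a separate key pair and certificate for each of two hosts.
demo() {
    work=$(mktemp -d)
    make_root_ca "$work"
    for host in agent01.example.internal ds01.example.internal; do
        issue_server_cert "$work" "$host"
        printf '%s: %s\n' "$host" "$(verify_server_cert "$work" "$host")"
    done
    rm -rf "$work"
}

demo
```

Each issued certificate is bound to one host name, so a certificate signed for one host does not verify under another host's name, and a certificate signed by a different root fails the chain check; that is what makes a per-host name in the SUBJECT meaningful to the peer, and why a placeholder such as cn=any.string carries no identity a peer can check.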

  • 2.  RE: PAM-SC 14.1: SSL Communication Encryption

    Posted May 28, 2020 10:16 AM
    Good day,
    Do you have some feedback for my questions?

    Regards,
    Andrea Gimmelli