Symantec Privileged Access Management

  • 1.  CA PAM vSphere Web Client 6.0

    Posted Aug 15, 2019 12:51 PM
    Edited by Michael Pass Aug 15, 2019 03:03 PM
    Hi all,

    I'm working with a customer to implement auto login for vSphere Web Client 6.5.

    I'm referencing the product documentation: 
    https://docops.ca.com/ca-privileged-access-manager/3-1-4/en/implementing/provision-your-server/provisioning-devices/about-access-setup/create-tcp-udp-services/configure-automatic-login-to-web-portals/#ConfigureAutomaticLogintoWebPortals-vsphere6

    Specifically the following: 

    Automatic Login to vSphere Web Client 6.0 Configuration

    To configure automatic login to vSphere Web Client 6.0, use the following settings when completing the previous procedures:

    • Port: 443
    • Auto-Login Method:  CA PAM HTTP Web SSO
    • Launch URL: https://<Local IP>:<First Port>/vsphere-client 

    • Address: Specify the vSphere server domain name. An IP address does not work. Example: vcenter.north.afc.nfl.local


    Our service is configured as follows: 

    When we try to connect to the vSphere client via the Access page, we see the client launch, but credentials are not being injected. 

    Any idea on how to configure Auto-Login for the vSphere client v6? 

    Thanks for any help that can be provided. 

    Michael Pass


  • 2.  RE: CA PAM vSphere Web Client 6.0

    Broadcom Employee
    Posted Aug 15, 2019 04:16 PM
    Hi Michael,
    I did a quick test with PAM 3.2.4 and vSphere client 6.7, and I get the same as you.
    Since the page I get is expecting username and password, a colleague suggests we should be using HTML SSO and the Learn Mode.
    I haven't tested this yet, and I'm not sure if it is supported for the version you are on and vSphere 6.5, but the docs also suggest this:
    For Auto-Login Method, select the appropriate method, as described previously:
    • CA PAM HTML Web SSO is best suited to websites that have user name and password entry fields. This method requires administrator configuration using the Learn Tool. 
    • CA PAM HTTP Web SSO is best suited to websites that receive user names and passwords programmatically, such as through Windows Authentication. This method does not require using the Learn Tool. 
    Regards,
    Margaret


  • 3.  RE: CA PAM vSphere Web Client 6.0

    Posted Aug 15, 2019 04:31 PM
    Hi Margaret,

    Thanks for your response. 

    To provide more details: 
    - We are running PAM v3.3.x in the test environment
    - We are testing against vSphere client v6.5 and v6.7

    Per the support matrix: 

    So it seems vCenter 6.7 is supported... 

    We also have the requirement to use HTML5 (/ui) and the client (/vsphere-client).

    When using HTML5, the learn tool works as expected and allows creds to be injected via the Learn process. 

    When trying to use the learn tool with the vsphere client, I get an error as well.

    Any additional input would be greatly appreciated. 

    Regards,

    Michael Pass


  • 4.  RE: CA PAM vSphere Web Client 6.0

    Broadcom Employee
    Posted Aug 16, 2019 11:35 AM
    Hello Michael, The section of the support matrix you cite is not relevant here. This is for integration with virtualization platforms to allow import of devices running on those platforms into PAM. It has nothing to do with Web Portal services.
    I connected successfully to vCenter 6.7 using a TCP/UDP web service with application protocol Web Portal, Auto Login Method "CA PAM HTML Web SSO" and Launch URL "https://<Local IP>:<First Port>/vsphere-client/?csp", which I understand is what you are trying to do. Since this page requires the adobe flash player, and the PAM browser (jxBrowser) is a Chromium browser, I had to install the Flash PPAPI plugin as per page https://jxbrowser.support.teamdev.com/support/solutions/articles/9000013099-adobe-flash
    After installation you have to exit the PAM client and launch it again so that the browser picks up the plugin. Complete the learn mode first, and then auto-login should work.


  • 5.  RE: CA PAM vSphere Web Client 6.0

    Broadcom Employee
    Posted Aug 16, 2019 12:37 PM
    I have this working on my 3.3 system, with vSphere 6.7.  Below is a screen capture of my service:


    As stated by Margaret, CA PAM HTML Web SSO requires the Learn Tool to be run from the Access page.  You will identify the Username & Password fields and the Submit button.  After saving, you will be able to launch vSphere and autoconnect, assuming that the credentials were configured and entered into the policy.  Regarding HTML5, that is actively being worked on but has no targeted release.


    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 6.  RE: CA PAM vSphere Web Client 6.0

    Posted Aug 16, 2019 12:52 PM
    Hi Ed and Ralf... Thanks so much for your response. 

    We have set the service up similar to what you've attempted. The only difference is there isn't a requirement to "route through PAM", so that checkbox isn't checked (I don't believe that matters). 

    We are able to launch the browser, but when trying to "learn" the different fields, we get the following error: 



    We also have a different service for https://<Local IP>:<First Port>/ui and the learn tool works as expected. 

    Any information would be greatly appreciated. 

    Regards,

    Michael Pass



  • 7.  RE: CA PAM vSphere Web Client 6.0

    Broadcom Employee
    Posted Aug 16, 2019 01:08 PM
    Michael, does your Access List field look the same, i.e. do you also have the wildcard character in there to not limit which URLs the service can access? This does look, though, like your web server has additional security implemented that our instance doesn't have. It seems to block the right-click menu from coming up. The learn mode needs this. Hopefully whatever setting on the web server side blocks this can be relaxed temporarily to allow the Learn Mode to complete.


  • 8.  RE: CA PAM vSphere Web Client 6.0

    Posted Aug 19, 2019 11:45 AM
    Hi Ralf,

    Thanks for your responses. Yes, we are using the wildcard for the Access List. 

    We were able to get the vSphere client learn mode working by updating the Launch URL to "https://<Local IP>:<First Port>/vsphere-client/login". 

    We can actually do learn mode now and inject creds during login. 

    The problem we see now is that Flash doesn't appear to be loading into the PAM browser: 

    We've downloaded and installed the PPAPI Flash plugin... We are also able to open it in the Chrome browser after allowing it... 

    Is there an additional step to enable Flash to run in the PAM client? 

    Thanks,

    Michael Pass



  • 9.  RE: CA PAM vSphere Web Client 6.0
    Best Answer

    Broadcom Employee
    Posted Aug 20, 2019 10:26 AM
    Edited by Christopher Hackett Aug 28, 2019 12:36 PM
    Michael,

    You cannot test that the flash plugin is installed by using Chrome.  Google Chrome has flash built into it, so it would not use the plugin at all.  If you want to test the plugin you can install Chromium (https://www.chromium.org/getting-involved/download-chromium), which is the open source foundation for Chrome, Microsoft Edge, Opera, and the PAM Browser.

    You will also need to make sure you installed the right plugin.  You would have had to get it from here: https://get.adobe.com/flashplayer/otherversions/ and selected "FP 32 for Opera and Chromium - PPAPI".

    I hope that helps get to the bottom of this.
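    As an added example, not code from this thread or from the PAM product, the following Python checker encodes the service-definition constraints the replies converge on: the device Address must be a domain name rather than an IP literal, the port is 443, the Launch URL keeps the `<Local IP>:<First Port>` placeholders, a user name/password form such as the vSphere login page calls for CA PAM HTML Web SSO (which needs the Learn Tool to have been run), the Flex client's learn mode worked only once the Launch URL pointed at `/vsphere-client/login`, and the Access List wildcard was in use. The dataclass field names and the issue codes are my own assumptions for illustration; PAM's actual configuration schema is not shown on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

HTTP_SSO = "CA PAM HTTP Web SSO"
HTML_SSO = "CA PAM HTML Web SSO"
URL_PREFIX = "https://<Local IP>:<First Port>"   # PAM placeholders from the docs


@dataclass
class WebPortalService:
    """Constructed model of a PAM TCP/UDP service with application protocol
    Web Portal. Field names are assumptions for this example, not PAM's schema."""
    address: str                    # device address; the docs require a domain name
    port: int
    auto_login_method: str          # HTTP_SSO or HTML_SSO
    launch_url: str
    access_list: str = "*"          # wildcard = do not limit reachable URLs
    learn_completed: bool = False   # whether the Learn Tool has been run and saved


def _is_ip_literal(addr: str) -> bool:
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def launch_path(launch_url: str) -> str:
    """Path after the PAM placeholders, or '' when the placeholder prefix is absent."""
    if not launch_url.startswith(URL_PREFIX):
        return ""
    return launch_url[len(URL_PREFIX):] or "/"


def check_service(svc: WebPortalService) -> List[str]:
    """Return a list of issue codes; an empty list means the definition matches
    the constraints discussed in the thread."""
    issues: List[str] = []
    if _is_ip_literal(svc.address):
        issues.append("address-is-ip")                  # docs: an IP address does not work
    if svc.port != 443:
        issues.append("port-not-443")
    path = launch_path(svc.launch_url)
    if not path:
        issues.append("launch-url-missing-placeholders")

    if svc.auto_login_method == HTTP_SSO:
        # vSphere presents a user name/password form, which is the HTML Web SSO case;
        # HTTP Web SSO is for programmatic auth such as Windows Authentication.
        issues.append("http-sso-for-form-login")
    elif svc.auto_login_method == HTML_SSO:
        if not svc.learn_completed:
            issues.append("html-sso-learn-not-done")
        # Flex client: learn mode only succeeded with the /vsphere-client/login URL
        if path.startswith("/vsphere-client") and not path.startswith("/vsphere-client/login"):
            issues.append("flex-client-use-login-path")
    else:
        issues.append("unknown-auto-login-method")

    if svc.access_list != "*":
        issues.append("access-list-not-wildcard")      # thread: wildcard was used
    return issues


if __name__ == "__main__":
    # Constructed sample: the definition from the opening post of the thread.
    as_posted = WebPortalService(
        address="vcenter.north.afc.nfl.local",
        port=443,
        auto_login_method=HTTP_SSO,
        launch_url=URL_PREFIX + "/vsphere-client",
    )
    for code in check_service(as_posted):
        print("issue:", code)
```

Running the module reports `http-sso-for-form-login` for the configuration as first posted; switching the method to HTML Web SSO, pointing the Launch URL at `/vsphere-client/login` and completing the Learn Tool clears every check.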