Symantec Privileged Access Management

  • 1.  Managing ACF2 Credentials with CA PAM

    Posted Mar 08, 2020 04:01 PM
    Edited by Chris Scott Mar 08, 2020 09:23 PM
    Hello,

    I'm struggling to find documentation on managing ACF2 Credentials with CA PAM (ie rotating ACF2 passwords)

    Thanks

    Chris


  • 2.  RE: Managing ACF2 Credentials with CA PAM

    Broadcom Employee
    Posted Mar 10, 2020 10:36 AM
    Hi Chris, page https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/release-information/supported-environments.html shows that you need CA LDAP for Mainframe to manage mainframe accounts with PAM. In PAM you just define an LDAP target connector. When you choose application type LDAP in a target application, you'll find a "Server Type" drop-down menu on the "LDAP Details" page, and one of the possible choices is ACF2. For PAM this is just another LDAP credential source, and all the smarts of managing the credentials are in the CA LDAP for Mainframe product.


  • 3.  RE: Managing ACF2 Credentials with CA PAM

    Posted Mar 10, 2020 01:01 PM
    Edited by Chris Scott Mar 10, 2020 01:07 PM
    Ralf,

    Thank you again. Would you happen to know if there are any attributes required for "Additional LDAP Attributes for Password Modification" to set an ACF2 password? 

    I get the following error as it is:

    SEVERE: UpdateTargetAccountCmd.invoke 1600: [LDAP: error code 17 - undefined: attribute type undefined]
    javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - undefined: attribute type undefined]; remaining name 'acf2lid=<credential>'




  • 4.  RE: Managing ACF2 Credentials with CA PAM

    Broadcom Employee
    Posted Mar 10, 2020 01:40 PM
    Hi Chris, I don't think you need them. The "acf2lid=xxx" looks like a string that comes from the DN setting in the target account. We populate that with some substring initially, but you have to replace that with the correct DN for the account. Is it possible that you didn't configure the DN under the LDAP tab of the target account?


  • 5.  RE: Managing ACF2 Credentials with CA PAM

    Posted Mar 10, 2020 03:28 PM
    Ralf,

    Good thought - Steps I have done so far

    1. Application - Account Discovery
    BaseDN => acf2admingrp=lids,host=***,o=**********,c=us
    Account Object => acf2lid
    Name Attribute => acf2lid
    Filter => 

    2. Credential - LDAP
    DN => acf2lid=<credential>      **************** Is this right?

    3. Verify CA ACF2 LDAP
    - Added CA ACF2 as an LDAP source to CA PAM
    - Use CA PAM LDAP browser to verify CA ACF2 directory structure

    I'm running out of ideas...
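The failure in this post comes down to what string ends up in the target account's DN field: the bare `acf2lid=<credential>` has no base DN suffix, so the modify request is addressed to an entry that does not exist under the discovery BaseDN. The following pre-flight check is an added example (not CA PAM or CA LDAP for Mainframe code) that parses a DN per RFC 4514 and reports the kinds of misconfiguration shown in the thread before any password update is attempted. The BaseDN, name attribute and user IDs below are constructed sample values modelled on the settings in this post; `acf2lid` as the naming attribute is taken from the post.

```python
"""Pre-flight validation of a PAM LDAP target-account DN.

Added example, not CA PAM code. It checks that the DN configured for an
account (1) contains no unreplaced placeholder token, (2) parses as a DN,
(3) starts with the discovery name attribute, and (4) ends with the
discovery BaseDN, so the modify request lands on a real entry.
"""
import re

# Constructed sample values (assumption: same layout as the thread's settings).
BASE_DN = "acf2admingrp=lids,host=MVSA,o=example,c=us"
NAME_ATTR = "acf2lid"

# Tokens that indicate the DN field was never filled in with a real user ID.
PLACEHOLDER = re.compile(r"<[^>]*>|\*{3,}")


def parse_dn(dn):
    """Split a DN string into [(attribute, value), ...] from most specific to root.

    Handles RFC 4514 backslash escapes so an escaped comma or equals sign
    inside a value is not treated as a separator. Multi-valued RDNs ('+')
    are not supported here (assumption: not used for these accounts).
    """
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:          # first '=' ends the attribute type
            attr = "".join(buf).strip()
            buf = []
        elif c == ",":                         # unescaped ',' ends the RDN
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            rdns.append((attr.lower(), "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError(f"trailing RDN without '=' in {dn!r}")
    rdns.append((attr.lower(), "".join(buf).strip()))
    return rdns


def check_account_dn(dn, base_dn=BASE_DN, name_attr=NAME_ATTR):
    """Return a list of problems with the configured DN; empty means it looks usable."""
    problems = []
    if PLACEHOLDER.search(dn):
        problems.append("DN still contains a placeholder token; replace it with the real user ID")
    try:
        rdns = parse_dn(dn)
        base = parse_dn(base_dn)
    except ValueError as exc:
        return problems + [f"DN does not parse: {exc}"]

    lead_attr, lead_value = rdns[0]
    if lead_attr != name_attr.lower():
        problems.append(f"leading RDN attribute is {lead_attr!r}, expected {name_attr!r}")
    if not lead_value:
        problems.append("leading RDN has an empty value")

    # Compare the DN's tail with the BaseDN case-insensitively on values.
    norm = lambda pairs: [(a, v.lower()) for a, v in pairs]
    if len(rdns) <= len(base) or norm(rdns[-len(base):]) != norm(base):
        problems.append("DN does not end with the discovery BaseDN; the modify would "
                        "target an entry that does not exist under that base")
    return problems


if __name__ == "__main__":
    for candidate in ("acf2lid=<credential>",
                      "acf2lid=PAMSVC01," + BASE_DN):
        print(candidate, "->", check_account_dn(candidate) or "OK")
```

Run it before enabling password management on the account: the bare `acf2lid=<credential>` form is reported twice (placeholder token, missing BaseDN suffix), while `acf2lid=PAMSVC01,acf2admingrp=lids,host=MVSA,o=example,c=us` passes. A passing check only confirms the DN is well-formed and rooted correctly; whether that entry actually exists still has to be confirmed against the directory, for example with the PAM LDAP browser mentioned in step 3.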


  • 6.  RE: Managing ACF2 Credentials with CA PAM

    Broadcom Employee
    Posted Mar 10, 2020 03:32 PM
    Hi Scott, no, that doesn't look right. The distinguished name for this account you have to get from the credential source; it's certainly not "acf2lid=<credential>".


  • 7.  RE: Managing ACF2 Credentials with CA PAM

    Posted Mar 10, 2020 07:14 PM
    Edited by Chris Scott Mar 10, 2020 07:14 PM
    Ralf,

    I'm purposely obfuscating certain details.

    I've tried DN= acf2lid=<credential>,acf2admingrp=lids,host=<host>,o=<company>,c=us and I still get a PAM failure.

    Note: The credential is synchronized. What's interesting is when forcing a password update in PAM (and getting the error), PAM shows it has a new password, but the ACF2 credential still retains the original password.


  • 8.  RE: Managing ACF2 Credentials with CA PAM

    Broadcom Employee
    Posted Mar 10, 2020 07:29 PM
    Hi Chris, I am still confused about what "<credential>" represents. At this point in the DN should be the user name, but I've never seen just a user name represented by a <credential> token. Credential typically represents a password or key or username/password combination. I do assume that you got the correct DN from the mainframe account. Other than that, I believe you have to further investigate this on the CA LDAP for Mainframe side rather than in PAM.


  • 9.  RE: Managing ACF2 Credentials with CA PAM

    Posted Mar 11, 2020 08:47 AM
    Credential may have been a bad term, maybe UserID would have been more appropriate.

    I appreciate the time you have taken to help with this issue. Thanks Again!