Symantec Privileged Access Management

  • 1.  Account verification through API

    Posted Dec 03, 2019 02:32 PM
    Hello,

    We are currently using the PAM API to query details of local accounts on servers prior to the servers being restarted to ensure the local accounts are verified prior to restarts. We have received a request to have PAM perform a verification also to ensure that the verified status is correct. I didn't see any direct API calls to perform a verification but was curious if I've missed this functionality (we don't wish to rotate the credentials, only to perform a verification).

    Thanks,
    Jeremy


  • 2.  RE: Account verification through API
    Best Answer

    Broadcom Employee
    Posted Dec 04, 2019 01:23 AM
    Jeremy,

    I don't believe that the PAM REST API provides a method for performing a verify. However, this can be done using the PAM CLI:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/verifyaccountpassword.html

    You can either use the Java .jar file directly, the command-line tool (which uses the .jar), or interact with the Credential Management API directly using the language of your choice. Here is an example using a Windows PowerShell script:

    # This is a simple demo of the PAM CLI
    
    $pamServer = "your.Pam.url.here"  # either FQDN or IP address
    
    # This section is to prevent errors when connecting to a PAM system that uses a self signed certificate.
    if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
        Add-Type -TypeDefinition  @"
        using System.Net.Security;
        using System.Security.Cryptography.X509Certificates;
        public static class TrustEverything
        {
            private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
                SslPolicyErrors sslPolicyErrors) { return true; }
            public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
            public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
        }
    "@
    }
    [TrustEverything]::SetCallback()
    
    
    # Create a request
    $request = @{
        "adminUserID" = '<PAM USER NAME NOT API KEY>'
        "adminPassword" = '<PASSWORD>'
        "authentication" = "CSPM"               
        "cmdName" = "verifyAccountPassword"    #see CLI documentation for a description of this command
        "TargetAccount.ID" = "<ID of account to verify>"   #this is an example of a parameter
    }
    
    #Run the api call
    $results = Invoke-RestMethod -Method Get -Uri "https://$pamServer/cspm/servlet/adminCLI" -Body $request -TimeoutSec 30
    
    #Parse the xml content from the results
    $xml = $results.'cw.appMessage'.content.'#cdata-section'
    
    #output the xml
    $xml
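
An added example, not part of the original reply or Broadcom's documentation: the same adminCLI call with the appliance certificate pinned by thumbprint in place of the accept-everything callback, and the credentials prompted for rather than written into the script. The `PinPamCert` class name and the thumbprint placeholder are assumptions, and it targets Windows PowerShell 5.1, where `ServicePointManager` governs `Invoke-RestMethod`.

```powershell
# Added example: accept only the known PAM certificate when normal validation fails.
# Assumes Windows PowerShell 5.1; PinPamCert is a hypothetical helper name.
$pamServer   = "your.Pam.url.here"                          # same placeholder as the post
$pinnedThumb = "<SHA-1 THUMBPRINT OF THE PAM CERTIFICATE>"  # placeholder, obtained out of band

if (-not ([System.Management.Automation.PSTypeName]"PinPamCert").Type) {
    Add-Type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinPamCert
{
    private static string pinned;
    private static bool Check(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) { return true; }  // certificates that validate normally still pass
        return cert != null && string.Equals(new X509Certificate2(cert).Thumbprint, pinned, StringComparison.OrdinalIgnoreCase);
    }
    public static void Set(string thumbprint)
    {
        pinned = thumbprint.Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback = Check;
    }
    public static void Unset() { ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
}

$cred = Get-Credential -Message "PAM user name and password (not an API key)"
$request = @{
    "adminUserID"      = $cred.UserName
    "adminPassword"    = $cred.GetNetworkCredential().Password
    "authentication"   = "CSPM"
    "cmdName"          = "verifyAccountPassword"
    "TargetAccount.ID" = "<ID of account to verify>"
}
try {
    [PinPamCert]::Set($pinnedThumb)
    $results = Invoke-RestMethod -Method Get -Uri "https://$pamServer/cspm/servlet/adminCLI" -Body $request -TimeoutSec 30
    $results.'cw.appMessage'.content.'#cdata-section'   # XML payload, as in the original script
}
finally {
    [PinPamCert]::Unset()   # restore default validation for the rest of the session
}
```

With `-Method Get`, `Invoke-RestMethod` places the hashtable in the query string, so `adminPassword` becomes part of the request URL; a dedicated PAM user with only the rights this command needs limits what that exposes.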