Jeremy,
I don't believe that the PAM REST API provides a method for performing a verify. However this can be done using the PAM CLI:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/verifyaccountpassword.htmlYou can either use the java .jar file directly, the commandline tool (which uses the .jar), or interact with the Credential Managment API directly using the language of your choice. Here is an example using a windows powershell script:
$pamServer = "your.Pam.url.here"
if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
Add-Type -TypeDefinition @"
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class TrustEverything
{
private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors) { return true; }
public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
} [TrustEverything]::SetCallback()
$request = @{
"adminUserID" = '<PAM USER NAME NOT API KEY>'
"adminPassword" = '<PASSWORD>'
"authentication" = "CSPM"
"cmdName" = "verifyAccountPassword"
"TargetAccount.ID" = "<ID of account to verify>"
}
$results = Invoke-RestMethod -Method Get -Uri "https:
$xml = $results.'cw.appMessage'.content.'#cdata-section'
$xml
Original Message:
Sent: 12-03-2019 02:31 PM
From: Jeremy Joy
Subject: Account verification through API
Hello,
We are currently using the PAM api to query details of local accounts on servers prior to the servers being restarted to ensure the local accounts are verified prior to restarts. We have received a request to have PAM perform a verification also to ensure that the verified status is correct. I didn't see any direct API calls to perform a verification but was curios if I've missed this functionality (We don't wish to rotate the credentials, only to perform a verification).
Thanks,
Jeremy