Symantec IGA

 View Only
Expand all | Collapse all

Use CA PAM to manage connector credentials to target systems

Jump to Best Answer
  • 1.  Use CA PAM to manage connector credentials to target systems

    Posted Feb 26, 2018 04:14 AM

    Hi.

    I know this can be achieved but how?

     

    We have both CA Identity Suite and CA PAM. For integration Identity Suite to the AD domain we are hitting a domain strictly controlled by an AD delegation tool (OneIdentity Active Roles Server) why the service account which Identity Suite will be using, will be the second most "dangerous" service account in our entire enterprise only topped by the service account used by the AD delegation tool because we will integrate using the native CA Microsoft AD connector hence conneting through LDAPS and we then needs a native AD delegation not controlled by that delegation tool.

    For this we would like to protect the service account used in the integration - or if possible, use PKI authentication instead of username-password in the LDAPS connection/bind - so we thougth about storing the service account in PAM and then do one of the following:

     

    1. Via scripting in PAM (A2A): Keep the AD service account credentials updated in the CA Identity Suite configuration hence automating password changes and keeping the integration intact.
    2. Look up or inject the credentials in the LDAPS connection/bind by having Identity Suite fetch the credentials - preferable as a windows authentication object/ticket and not as username-password.

     

    Any thoughts, ideas and solution suggestions are welcome!

     

    Btw: My first post here. :-)



  • 2.  Re: Use CA PAM to manage connector credentials to target systems
    Best Answer

    Broadcom Employee
    Posted Feb 26, 2018 01:39 PM

    Hi KevinKruse and welcome to CA Communities .

     

    This is a great question.

     

    I think that periodically updating the Endpoint credentials from CA PAM via LDIF scripts in CA IM Provisioning Server / Store is your easiest option at the moment. We had the same need for another customer and the product management had indicated at that time that managing privileged account passwords for IM endpoints is something that we are looking into but there's no set timeframe for delivering this capability at the moment.

     

    I trust my CA Services colleagues will chime in based on their experiences with other customers.

     

    Regards,

    Russi