I know this can be achieved but how?
We have both CA Identity Suite and CA PAM. For integrating Identity Suite with the AD domain, we are hitting a domain strictly controlled by an AD delegation tool (OneIdentity Active Roles Server), which is why the service account Identity Suite will be using will be the second most "dangerous" service account in our entire enterprise, only topped by the service account used by the AD delegation tool: we will integrate using the native CA Microsoft AD connector, hence connecting through LDAPS, and we then need a native AD delegation not controlled by that delegation tool.
For this we would like to protect the service account used in the integration - or, if possible, use PKI authentication instead of username-password in the LDAPS connection/bind - so we thought about storing the service account in PAM and then doing one of the following:
Any thoughts, ideas and solution suggestions are welcome!
Btw: My first post here. :-)
Hi KevinKruse and welcome to CA Communities.
This is a great question.
I think that periodically updating the Endpoint credentials from CA PAM via LDIF scripts in CA IM Provisioning Server / Store is your easiest option at the moment. We had the same need for another customer and the product management had indicated at that time that managing privileged account passwords for IM endpoints is something that we are looking into but there's no set timeframe for delivering this capability at the moment.
I trust my CA Services colleagues will chime in based on their experiences with other customers.
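A sketch of the LDIF side of the suggestion above, added here as an example; it is not code from CA, from the thread, or from the Identity Suite product. It generates a fresh secret and emits an RFC 2849 `changetype: modify` entry that a provisioning script could feed to the directory after PAM has rotated the account. The DN and the `userPassword` attribute are placeholders: the real object class and credential attribute for an endpoint in the CA IM Provisioning Store must be taken from the product documentation, and the value written would come from PAM rather than be generated locally.

```python
"""Build an LDIF 'modify' entry that replaces a stored endpoint credential.

Added example for this thread, not CA's own code. The DN and attribute
below are hypothetical placeholders; the real Provisioning Store schema
is product-specific.
"""
import base64
import secrets
import string

# Hypothetical target object and attribute (placeholders, not real schema).
ENDPOINT_DN = "cn=PLACEHOLDER-AD-ENDPOINT,ou=endpoints,dc=example,dc=com"
PASSWORD_ATTRIBUTE = "userPassword"

# Character set for locally generated secrets; in the real flow the value
# would be the one PAM assigned to the service account.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 32) -> str:
    """Return a random secret drawn with the cryptographic `secrets` module."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def _is_safe_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and the first
    character may not be a space, colon or '<'."""
    if value == "":
        return True
    if value[0] in " :<":
        return False
    return all(0 < ord(c) < 128 and c not in "\r\n" for c in value)


def ldif_value(attr: str, value: str) -> str:
    """Emit `attr: value`, or `attr:: base64` when the value is not a
    SAFE-STRING (leading space, non-ASCII, embedded newline, ...)."""
    if _is_safe_string(value):
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def build_modify_ldif(dn: str, attr: str, new_value: str) -> str:
    """Return one LDIF change record replacing `attr` on `dn`."""
    lines = [
        ldif_value("dn", dn),      # DN is base64-encoded too if it needs to be
        "changetype: modify",
        f"replace: {attr}",
        ldif_value(attr, new_value),
        "-",                       # terminates the modification block
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Local demonstration only: prints the LDIF a rotation job would apply.
    print(build_modify_ldif(ENDPOINT_DN, PASSWORD_ATTRIBUTE, generate_password()))
```

The base64 branch matters in practice: a generated password starting with a space or containing non-ASCII characters silently breaks a plain `attr: value` line, which is exactly the kind of failure that leaves the connector bound with a stale credential.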