The script above is for Linux accounts; you don't really need to use the CLI for those, since that functionality is built into the PAM API.
That said, the scripts below demonstrate how you can access the Credential Manager API (aka CLI) using a script. The first is very basic; the second actually has some processing, but doesn't really do anything very useful.
Both are written in PowerShell, but the process could be adapted to whatever language you choose.
Refer to the documentation for the various CLI commands and their attributes:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands.html
Keep in mind that the CLI uses your PAM credentials, not an API key. And the CLI always returns XML data that must be parsed; some languages make this easier than others, but it's never as easy as the PAM API is.
$pamServer = "your.Pam.url.here"
# The rest of the CLI URL was cut off in this post; take the endpoint path from the CLI docs linked above
$cliPath = "<CLI endpoint path>"

# WARNING: this turns off TLS certificate validation for the whole PowerShell process.
# Fine for a lab; for real use install the PAM certificate chain instead. Windows PowerShell 5.1 only:
# PowerShell 7 uses HttpClient, ignores ServicePointManager and offers -SkipCertificateCheck instead.
if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
Add-Type -TypeDefinition @"
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class TrustEverything
{
    private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
        SslPolicyErrors sslPolicyErrors) { return true; }
    public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
    public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
}
[TrustEverything]::SetCallback()

# Every CLI command carries your PAM user name and password (not an API key) as request parameters
$request = @{
    "adminUserID"      = '<PAM USER NAME NOT API KEY>'
    "adminPassword"    = '<PASSWORD>'
    "authentication"   = "CSPM"
    "cmdName"          = "verifyAccountPassword"
    "TargetAccount.ID" = "<ID of account to verify>"
}
# With -Method Get the body becomes the query string, so the password travels in the URL;
# Invoke-RestMethod parses the XML reply into an XmlDocument for you
$results = Invoke-RestMethod -Method Get -Uri "https://$pamServer$cliPath" -Body $request
# The command output is a second XML document carried in a CDATA section inside the cw.appMessage envelope
$xml = $results.'cw.appMessage'.content.'#cdata-section'
$xml

# Put certificate validation back
[TrustEverything]::UnsetCallback()
# "Default" password view
# "Default2" password view policy (must exist). Not very useful, but it's a good demo.
$pamServer = "1.2.3.4"
# The rest of the CLI URL was cut off in this post; take the endpoint path from the CLI docs linked above
$cliPath = "<CLI endpoint path>"
$oldPVP = "Default"
$newPVP = "Default2"

# WARNING: this turns off TLS certificate validation for the whole PowerShell process.
# Fine for a lab; for real use install the PAM certificate chain instead. Windows PowerShell 5.1 only:
# PowerShell 7 uses HttpClient, ignores ServicePointManager and offers -SkipCertificateCheck instead.
if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
Add-Type -TypeDefinition @"
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class TrustEverything
{
    private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
        SslPolicyErrors sslPolicyErrors) { return true; }
    public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
    public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
}
[TrustEverything]::SetCallback()

# Prompt once and keep the credential in the session for later runs (PAM user name and password, not an API key)
if (-not $CliCred) {
    $CliCred = Get-Credential -Message "Enter your PAM username and password (not an API key)"
}
$Url = "https://$pamServer$cliPath"

# Look up the ID of a password view policy by its name
Function getPvpId($pvpName) {
    $request = @{
        "adminUserID"             = $CliCred.UserName
        "adminPassword"           = $CliCred.GetNetworkCredential().Password
        "authentication"          = "CSPM"
        "cmdName"                 = "searchPasswordViewPolicy"
        "PasswordViewPolicy.name" = $pvpName
    }
    Write-Host "Retrieving the PVP id for $pvpName..."
    # Parse the cw.appMessage envelope, then the XML document inside its CDATA section
    [xml]$results = (Invoke-WebRequest -Uri $Url -Body $request -Method Get -UseBasicParsing).Content
    [xml]$results = $results.'cw.appMessage'.content.'#cdata-section'
    # The XPath was cut off in this post; it selects the PasswordViewPolicy nodes of the search result
    $pvps = $results.SelectNodes('<XPath for the PasswordViewPolicy nodes>')
    return ($pvps | Where-Object Name -eq $pvpName).ID
}
$oldPvpId = getPvpId($oldPVP)
$newPvpId = getPvpId($newPVP)

# Pull the target accounts and pick out the ones still on the old policy
$request = @{
    "adminUserID"    = $CliCred.UserName
    "adminPassword"  = $CliCred.GetNetworkCredential().Password
    "authentication" = "CSPM"
    "cmdName"        = "searchTargetAccount"
}
Write-Host "Retrieving list of all target accounts..."
[xml]$results = (Invoke-WebRequest -Uri $Url -Body $request -Method Get -UseBasicParsing).Content
[xml]$results = $results.'cw.appMessage'.content.'#cdata-section'
# The XPath was cut off in this post; it selects the TargetAccount nodes whose policy is $oldPvpId
$toUpdate = $results.SelectNodes("<XPath for the TargetAccount nodes using policy $oldPvpId>")

foreach ($targetAccount in $toUpdate) {
    Write-Host "Updating target account $($targetAccount.ID) ($($targetAccount.userName))..." -NoNewline
    $request = @{
        "adminUserID"            = $CliCred.UserName
        "adminPassword"          = $CliCred.GetNetworkCredential().Password
        "authentication"         = "CSPM"
        "cmdName"                = "updateTargetAccount"
        "TargetAccount.ID"       = $targetAccount.ID
        "TargetAccount.userName" = $targetAccount.userName
        "PasswordViewPolicy.ID"  = $newPvpId
    }
    # Copy all of the account's 'Attribute.*' values into the update request
    ($targetAccount | Select-Object Attribute.*).psobject.properties | ForEach-Object { $request[$_.Name] = $_.Value }
    [xml]$results = (Invoke-WebRequest -Uri $Url -Body $request -Method Get -UseBasicParsing).Content
    # Scrub the password before the request may get printed below
    $request.adminPassword = "Removed for security"
    Write-Host $results.'cw.appMessage'.statusMessage
    if ($results.'cw.appMessage'.statusMessage -ne "Success.") {
        Write-Host "FAILED Target account:"
        $targetAccount
        Write-Host "Request data:"
        $request
    }
}

# Put certificate validation back
[TrustEverything]::UnsetCallback()
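The two scripts above share two weak spots: TrustEverything switches off certificate validation for the whole process, and the cw.appMessage envelope is unwrapped without ever checking statusMessage first. The block below is an added example (not part of Joseph's post or of the product) showing the same CLI call pattern with a pinning callback that lets a normally valid chain through and otherwise accepts only the one PAM certificate whose SHA-1 thumbprint you supply, plus a parser for the envelope. The CLI endpoint path and the thumbprint are placeholders, the envelope layout is inferred from the scripts above, and the sample response at the end is constructed. It targets Windows PowerShell 5.1 (ServicePointManager); PowerShell 7 would use -SkipCertificateCheck or a proper trust store instead.

```powershell
# Added example, not code from the post above. Windows PowerShell 5.1: ServicePointManager
# callbacks are ignored by PowerShell 7, which uses HttpClient and -SkipCertificateCheck.
if (-not ([System.Management.Automation.PSTypeName]"PinnedCert").Type) {
Add-Type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCert
{
    private static string thumbprint;
    // Accept a chain that validates normally, or exactly the one certificate whose SHA-1 thumbprint was pinned.
    private static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        return cert != null && string.Equals(cert.GetCertHashString(), thumbprint, StringComparison.OrdinalIgnoreCase);
    }
    public static void Set(string tp)
    {
        thumbprint = tp.Replace(":", "").Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
    public static void Unset() { ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
}

function ConvertFrom-PamCliResponse {
    # Splits the CLI's cw.appMessage envelope into its status and the inner XML document (the CDATA payload)
    param([Parameter(Mandatory)][string]$RawXml)
    [xml]$envelope = $RawXml
    $msg = $envelope.'cw.appMessage'
    if (-not $msg) { throw "Not a cw.appMessage envelope: $($RawXml.Substring(0, [Math]::Min(80, $RawXml.Length)))" }
    $status = [string]$msg.statusMessage
    $inner = $null
    $cdata = $msg.content.'#cdata-section'
    if ($cdata) { [xml]$inner = $cdata }
    [pscustomobject]@{
        Success = ($status -eq 'Success.')
        Status  = $status
        Content = $inner
    }
}

function Invoke-PamCli {
    # Runs one CLI command; the PAM credential goes in as request parameters, as in the scripts above
    param(
        [Parameter(Mandatory)][string]$Url,            # "https://<pam>/<CLI endpoint path from the docs>" (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$CmdName,
        [hashtable]$Parameters = @{}
    )
    $body = @{
        adminUserID    = $Credential.UserName
        adminPassword  = $Credential.GetNetworkCredential().Password
        authentication = 'CSPM'
        cmdName        = $CmdName
    } + $Parameters
    try {
        # GET turns the body, password included, into the query string: never log the request URI
        $resp = Invoke-WebRequest -Uri $Url -Method Get -Body $body -UseBasicParsing
    } finally {
        $body.adminPassword = $null   # don't leave the password in a variable that a debug dump would print
    }
    $result = ConvertFrom-PamCliResponse -RawXml $resp.Content
    if (-not $result.Success) { throw "CLI command $CmdName failed: $($result.Status)" }
    $result.Content
}

# Constructed sample response: element names follow the scripts above, the values are made up
$sample = @'
<cw.appMessage>
  <statusMessage>Success.</statusMessage>
  <content><![CDATA[<PasswordViewPolicies>
    <PasswordViewPolicy><ID>1001</ID><Name>Default</Name></PasswordViewPolicy>
    <PasswordViewPolicy><ID>1002</ID><Name>Default2</Name></PasswordViewPolicy>
  </PasswordViewPolicies>]]></content>
</cw.appMessage>
'@
$parsed = ConvertFrom-PamCliResponse -RawXml $sample
$parsed.Content.PasswordViewPolicies.PasswordViewPolicy | Where-Object Name -eq 'Default2' | Select-Object ID, Name

# Live use (not run here): pin the PAM certificate, call, and restore validation afterwards
# [PinnedCert]::Set('<SHA-1 thumbprint of the PAM server certificate>')
# try {
#     $pvps = Invoke-PamCli -Url "https://$pamServer/<CLI endpoint path>" -Credential (Get-Credential) -CmdName 'searchPasswordViewPolicy'
# } finally { [PinnedCert]::Unset() }
```

The pin is a stop-gap for appliances with a self-signed certificate: it is still far narrower than accepting everything, but it has to be updated whenever the PAM certificate is renewed, so installing the real chain in the Windows trust store remains the better fix.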
Original Message:
Sent: 03-19-2020 09:10 AM
From: Pankaj Kumar
Subject: How To bulk load, sync and update an admin account for linux
Hi Joseph,
Is there a demo script for the REMOTE CLI also? I have to on-board hundreds of Linux root accounts to PAM, and editing an XML file for each of them is very time consuming. Just wondering, can we do it via a shell script also?
Regards
Pankaj Kumar
Original Message:
Sent: 03-18-2020 02:12 AM
From: Joseph Fry
Subject: How To bulk load, sync and update an admin account for linux
Below is a demo script, written in PowerShell, that creates a device, target application, and target account for linux/ssh. I haven't used the API to create an account that uses keys, but the process should be similar.
As Pedro says, you really need to be familiar with writing scripts/software and how to use APIs if you want to perform bulk operations like you wish to do. The built-in API documentation is invaluable: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/programming/external-api-for-integrating-applications/use-the-external-api-programmers.html
# "scriptDevice", create a linux/unix target application
# "scriptApp" for that device, and finally create a target account named "scriptAcct" for that target application.
# "API Doc" on your PAM settings menu (will need to
# "doc" is actually more of an interactive testing tool where you can run a single
# $pamServer = "your.Pam.url.here"
$pamServer = "1.2.3.4"
# The rest of each API URL was cut off in this post; take the base path and the resource paths from the API Doc
$apiBase = "https://$pamServer/<external API base path>"

# WARNING: this turns off TLS certificate validation for the whole PowerShell process.
# Fine for a lab; for real use install the PAM certificate chain instead. Windows PowerShell 5.1 only:
# PowerShell 7 uses HttpClient, ignores ServicePointManager and offers -SkipCertificateCheck instead.
if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
Add-Type -TypeDefinition @"
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class TrustEverything
{
    private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
        SslPolicyErrors sslPolicyErrors) { return true; }
    public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
    public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
}
[TrustEverything]::SetCallback()

# Prompt once for the API key and keep it in the session; only the password part of the credential is used
if (-not $apikey) { $apikey = Get-Credential -Message "Enter your API key" }
# How the key is sent was cut off in this post; use the header the API Doc specifies
$apiHeaders = @{ "<API key header name>" = $apikey.GetNetworkCredential().Password }

# 1. Create the device
$newDevice = @{
    description = 'This device was added by a script'
    deviceName = 'ScriptDevice'
    domainName = '192.168.168.168'
    location = 'Imaginary'
    os = 'Linux'
    typePassword = 't'
    typeAccess = 't'
    deviceAccessMethods = @{
        arbitraryLabel = @{
            type = 'SSH'
            port = '22'
            # x11Forwarding = ...   (its value was cut off in this post)
        }
    }
}
# -Depth: ConvertTo-Json turns objects nested deeper than its default of 2 levels into strings
$newDevice = ConvertTo-Json -InputObject $newDevice -Depth 5
$deviceId = Invoke-RestMethod -Uri "$apiBase/<devices resource>" -Method Post -Headers $apiHeaders -ContentType 'application/json' -Body $newDevice
Write-Host "device id $deviceId added"

# 2. Create the linux/unix target application on that device
$newApp = @{
    applicationName = 'scriptApp'
    applicationType = 'unixII'
    attributes = @{
        # The attribute names were cut off in this post; only the values survived:
        # 'DEFAULT', 't', 'DEFAULT', 't', 't', 't', 'GENERIC', 'f', 'unixII', 't'
        # Fill in the unixII application attributes from the API Doc
    }
}
$newApp = ConvertTo-Json -InputObject $newApp -Depth 5
$appId = Invoke-RestMethod -Uri "$apiBase/<applications resource for device $deviceId>" -Method Post -Headers $apiHeaders -ContentType 'application/json' -Body $newApp
Write-Host "Target Application id $appId added"

# 3. Create the target account for that application
$newAcct = @{
    accountName = 'scriptAcct'
    password = '_generate_pass_'   # let PAM generate the password instead of hard-coding one
    privileged = 't'
    synchronize = 'f'
    useAliasNameParameter = 'f'
    attributes = @{
        # Some attribute names were cut off in this post; the surviving values were
        # 'false', 't', '1122' and 'USE_SUDO' ("use elevated privileges")
        discoveryAllowed = 'f'
        protocol = 'SSH2_PASSWORD_AUTH'
        discoveryGlobal = 'f'
        extensionType = 'unixII'
    }
}
$newAcct = ConvertTo-Json -InputObject $newAcct -Depth 5
$acctId = Invoke-RestMethod -Uri "$apiBase/<accounts resource for application $appId>" -Method Post -Headers $apiHeaders -ContentType 'application/json' -Body $newAcct
Write-Host "Target Account id $acctId added"

# Put certificate validation back
[TrustEverything]::UnsetCallback()
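Joseph's script creates one device, one application and one account with literals; the ask from Pankaj and Rafael is hundreds of servers. The block below is an added example (not Joseph's code and not part of the product) that turns the same three payloads into a per-row function fed from a CSV, validates each row, and keeps going when a row fails so one bad line does not abort the run. The field names are the ones from the post above; the API base path, the resource paths and the API-key header name are placeholders to be taken from the API Doc; the unixII application attributes are left empty because their names are not on this page; the CSV at the end is constructed, and the -DryRun switch lets it run without a PAM server.

```powershell
# Added example, not Joseph's script. Field names follow the payloads in the post above;
# the API base path, resource paths and API-key header name are placeholders (fill from the API Doc).
function New-PamOnboardingPayloads {
    # Builds the device / target application / target account JSON bodies for one CSV row
    param([Parameter(Mandatory)]$Row)
    foreach ($field in 'DeviceName', 'Address', 'AccountName') {
        if ([string]::IsNullOrWhiteSpace($Row.$field)) { throw "Row '$($Row.DeviceName)': missing $field" }
    }
    if ($Row.Address -notmatch '^[A-Za-z0-9.\-]+$') { throw "Row '$($Row.DeviceName)': bad address '$($Row.Address)'" }
    $device = @{
        deviceName = $Row.DeviceName
        domainName = $Row.Address
        description = 'Onboarded by bulk script'
        location = $Row.Location
        os = 'Linux'
        typePassword = 't'
        typeAccess = 't'
        deviceAccessMethods = @{ ssh = @{ type = 'SSH'; port = [string]$Row.SshPort } }
    }
    $app = @{
        applicationName = "$($Row.DeviceName)-unix"
        applicationType = 'unixII'
        attributes = @{}   # required unixII attributes: take their names from the API Doc
    }
    $account = @{
        accountName = $Row.AccountName
        password = '_generate_pass_'   # never put real passwords in the CSV; let PAM generate them
        privileged = 't'
        synchronize = 'f'
        useAliasNameParameter = 'f'
        attributes = @{
            protocol = 'SSH2_PASSWORD_AUTH'
            extensionType = 'unixII'
            discoveryAllowed = 'f'
            discoveryGlobal = 'f'
        }
    }
    [pscustomobject]@{
        Device  = ConvertTo-Json -InputObject $device -Depth 5 -Compress
        App     = ConvertTo-Json -InputObject $app -Depth 5 -Compress
        Account = ConvertTo-Json -InputObject $account -Depth 5 -Compress
    }
}

function Invoke-PamBulkOnboard {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [string]$ApiBase,        # e.g. "https://$pamServer/<external API base path>" (placeholder)
        [hashtable]$Headers,     # @{ '<API key header name from the API Doc>' = $apikey.GetNetworkCredential().Password }
        [switch]$DryRun
    )
    $report = @()
    foreach ($row in $Rows) {
        try {
            $p = New-PamOnboardingPayloads -Row $row
            if ($DryRun) {
                $report += [pscustomobject]@{ Device = $row.DeviceName; Status = 'DryRun'; Payloads = $p }
                continue
            }
            $post = @{ Method = 'Post'; Headers = $Headers; ContentType = 'application/json' }
            $deviceId = Invoke-RestMethod @post -Uri "$ApiBase/<devices resource>" -Body $p.Device
            $appId    = Invoke-RestMethod @post -Uri "$ApiBase/<applications resource for device $deviceId>" -Body $p.App
            $acctId   = Invoke-RestMethod @post -Uri "$ApiBase/<accounts resource for application $appId>" -Body $p.Account
            $report += [pscustomobject]@{ Device = $row.DeviceName; Status = 'Created'; Ids = "$deviceId/$appId/$acctId" }
        } catch {
            # Record the failure and keep going: one bad row must not abort a run over hundreds of servers
            $report += [pscustomobject]@{ Device = $row.DeviceName; Status = "Failed: $($_.Exception.Message)" }
        }
    }
    $report
}

# Constructed sample input (made-up hosts); in practice use Import-Csv on your inventory export
$rows = @'
DeviceName,Address,Location,SshPort,AccountName
web01,10.0.0.11,DC1,22,pamadmin
db01,10.0.0.12,DC1,22,pamadmin
bad01,,DC2,22,pamadmin
'@ | ConvertFrom-Csv

# Dry run: web01 and db01 yield payloads, bad01 is reported as failed for its empty Address
Invoke-PamBulkOnboard -Rows $rows -DryRun | Format-Table Device, Status
```

Run it with -DryRun first and diff the emitted JSON against a device you created by hand through the API Doc; only then drop the switch. The report object is what you keep for the audit trail, since it records which rows were created and which were rejected before any call was made.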
Original Message:
Sent: 02-21-2020 07:55 AM
From: Pedro Fernandez
Subject: How To bulk load, sync and update an admin account for linux
I used the PAM API to onboard hundreds of Linux devices, it was very helpful. Check within the training section for this course that instructs you on how to enable the External API in PAM: "CA Privileged Access Manager r3.x: Use the External API 300"
If you are not familiar with web services and API calls you will need to learn how this works first.
Original Message:
Sent: 02-20-2020 02:45 PM
From: rafael diaz
Subject: How To bulk load, sync and update an admin account for linux
Hello,
Looking for help on how to bulk load, sync and update an admin account for Linux.
- Overall goal is to manage a local Linux account that has the permissions to manage the root account.
- This account is using a key pair vs. a password.
- We have a high number of servers we need to do this with and want to see which way to go about this in bulk (maybe CLI?).
Any advice will be greatly appreciated.
------------------------------
Rafael Diaz
------------------------------