Deploy the CA PAM Client
The CA PAM Client is a fully functional alternative to the Web browser UI. Use the Client to access and perform administrator and end-user activities. The Client eliminates the need to keep browser configurations compatible with the product. The Client does not interfere with browser-based UI access – you can use both methods from the same workstation.
See the Platform Support Matrix for information about where you can run the
The following instructions explain the deployment of the Client:
Download the Client Software
Download a client version compatible with your workstation OS type from the browser-based UI login page. To install the CA PAM Client, the user needs the same rights or permissions as for installing any other application.
Follow these steps:
- From your client workstation, open a browser and go to the URL for the Privileged Access Manager UI.
- Below the login screen fields, select the arrow next to CA PAM Client.
- In the Platform field, select the OS for your local workstation, then select Download.
- Save the installer file locally to your workstation.
Install the Client
Refer to the appropriate instructions:
Specific macOS Instructions
After you download the installer file, extract the file and run the Client installer. (The CA PAM Assistant, which was required by previous versions, is not required for version 3.4.)
You cannot upgrade from previous versions. The 3.4 version of the macOS CA PAM Client uses a different install location. However, a previous installation can coexist with the new version. Also, the 3.4 client can connect to a previous appliance, as long as it is not installed with root. You can remove a previous version by right-clicking it and using "Move to Trash".
Use Sudo to Install
For macOS, you can optionally use sudo to launch the installation. The installed files are then owned by root, preventing standard users from modifying the installed application files. With root ownership of the files, multiple users can concurrently use the same client installation. Use the following
The command "sudo open CAPAMClientInstall.app" does not give the ownership of the files to
If you install with sudo, the administrator password is needed only during installation. However, if you do not install using sudo, you need the administrator password at run-time only to use the SSH Proxy or SFTP Proxy. Everything other than the SSH Proxy or SFTP Proxy works without the administrator password.
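To confirm that an installation really ended up with the root ownership described above, the installed tree can be audited after the fact. This is an added example, not part of the product documentation; the function names are hypothetical and the bundle path is the one this page names for the macOS client.

```shell
#!/bin/sh
# Audit an installed client bundle for the property a sudo install is meant
# to provide: every file owned by the expected account and none of them
# writable by group or other users.

# list_tamperable DIR OWNER
# Prints each path under DIR that is not owned by OWNER, or that group or
# other users can write to. Symlinks are skipped because their own mode bits
# are not meaningful. Prints nothing when the tree is clean.
list_tamperable() {
    dir=$1
    owner=$2
    find "$dir" ! -type l \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) -print
}

# audit_install DIR [OWNER]
# Returns 0 when the tree is clean, 1 when findings exist, 2 when DIR is missing.
audit_install() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "not found: $dir" >&2
        return 2
    fi
    findings=$(list_tamperable "$dir" "$owner")
    if [ -n "$findings" ]; then
        echo "not owned by $owner, or writable by group/other:" >&2
        echo "$findings" >&2
        return 1
    fi
    return 0
}

# Run as: sh audit.sh "/Applications/CA PAM Client.app" root
if [ "$#" -ge 1 ]; then
    audit_install "$@"
fi
```

A non-zero exit after a sudo install means the files are not protected from modification by standard users.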
Sudo access is only necessary during installation. To distribute the PAM Client without user intervention, see the following:
CA PAM Client 3.4 is a native macOS app with its own icon that appears in the dock.
To log in to a CA PAM appliance from a macOS CA PAM Client, add the user certificate to the login keychain and system keychain. Adding the certificate prevents the user from being repeatedly prompted for login credentials.
Multiple macOS Instances
To open multiple instances of the macOS CA PAM Client, invoke the binary /Applications/CA PAM Client.app/Contents/MacOS/CAPAMClient directly or use this command from terminal: "open -n /Applications/CA\ PAM\ Client.app". Clicking the CA PAM Client app icon in Finder multiple times does not result in opening multiple instances.
MacOS Subpixel Antialiasing
If you are using macOS Mojave with Subpixel Antialiasing disabled, the content in the Privileged Access Manager user interface may appear blurred. Re-enable Subpixel Antialiasing to fix this issue:
- Open a Terminal.
- Run the following command: defaults write -g CGFontRenderingFontSmoothingDisabled -bool NO
- Log out and log back in for the change to take effect.
After you download the installer file, run the Client installer.
If you install the Client in a UNIX environment, the UNIX system must have the necessary graphic libraries to show the PAM Client UI. Otherwise, when you run the Client, the Client exits without showing any error message in the log.
If the PAM Client starts, but the Dashboard page is blank, the required libraries for the JxBrowser might be missing. To see which libraries are missing, go to the PAM Client installation folder and review the logs.log file. Install any missing libraries.
Follow the installation wizard, noting the following instructions:
- License Agreement: To accept the license agreement, scroll through the license text to the bottom of the panel.
- Choose Install Set: Select one of the following options:
  - Typical: Prompts you for an installation directory on your local workstation then installs the Client.
  - Run: Extracts the contents to a temporary location and runs the Client. The setup completes and the login screen appears.
- Choose Install Folder: Enter a path, or select the Choose button to find a folder. Consider the following options:
  - If you use the default, ensure that the intended user has "Full control" of this folder. For example, a typical user might not have the required permissions to run the Client in the default folder.
  - For a multi-user shared installation, select a directory where all users have write access. Another option is for each user to install the client separately in their own user folder, such as c:\Users\<.user>\
  - The CA PAM Client does not support installation in directories whose names include Japanese characters. If you install the CA PAM Client on a Japanese-language computer, enter a folder with no Japanese characters.
After the installation is complete, you can log in from the Client.
If you start the Client on a UNIX system and the UI Dashboard is blank, the libraries that the JxBrowser needs might be missing. To determine which libraries are missing, go to the Client installation folder and look at the logs.log file. This file lists the missing libraries. Install those libraries.
Log in from the Client
After the Client is installed, you can log in to the server. The initial client screen allows you to specify the address of a Privileged Access Manager appliance or appliance cluster VIP.
Follow these steps:
- Open the client application.
- Enter the following connection parameters for your server appliance.
  - Address: Enter the IP address in the form address:port or the assigned fully qualified domain name of the CA PAM server. The CA PAM Client cannot use most well-known ports. See Ports Not Allowed for the Client for the full list.
  - Connect Mode: Select one of the following options:
Cancel to return to the initial connection screen and restart the Client.
    - WEB: Opens a connection to the server, and then opens a browser window to the UI. The console closes.
    - CONNECT: Opens a connection to the server, and displays a status connection console. The status connection console displays connection information and the Launch Web Browser and Log Off buttons.
- If a client update is required, you are notified. Select Update to automatically update the installed client to the latest version. If necessary, restart the client.
- If applet jars must be downloaded from the CA PAM server, you are notified. Select Update to install the appropriate applet jars automatically.
- You may receive a Verify Certificate window before the login screen appears.
  - Select View Certificate to see the certificate details and evaluate its applicability.
  - If you approve of the certificate, select Import at the bottom of the dialog. Once it is trusted, you should not see the certificate warning any more.
- When the login screen appears, enter the user name and password.
- Select the Authentication Type.
Depending on the Connect Mode that you select, the browser window or the status connection window opens. If the status connection window opens, select Launch Web Browser to open the UI. The console window remains open. If you close the browser window, you can Launch Web Browser later and can return to the same GUI location, as its state is preserved.
You can now use the product.
CA PAM Client Cache
You can speed up the CA PAM Client connection to the Privileged Access Manager server by using the client cache. The cache saves reused files, much like any Web browser. The Client does not have a switch to turn the cache on or off. The cache works only if the Privileged Access Manager HTTPS certificate is configured properly. The certificate also must be trusted globally or in the local network or organization. The certificate cannot be trusted only by the client. Your whole system (OS) must trust the certificate. You can test whether your connection to the server is trusted by connecting with a Chrome browser. If you receive a Certificate warning such as "Your connection is not private," the cache is not used.
The CA PAM Client manages its own cache, but you may want to clear your CA PAM Client cache. To clear the CA PAM Client cache, delete this directory when all client processes have been terminated:
Modify Client Configuration Settings (Optional)
The Client configuration settings specify operational behavior of the Client. Usually, the default Client configuration settings work for your environment. If necessary, you can modify the configuration settings.
Follow these steps:
- From the Client login page, open the Configuration Settings window by selecting the gear icon in the lower-left corner.
- Select the relevant tab to change the following settings:
  Proxy
  Indicates whether the CA PAM Client is connecting to the CA PAM server through a proxy server. Select one of the following options for your deployment:
  - No Proxy (default): The Client connects directly to the CA PAM server.
  - Auto-detect proxy settings for this network: for a network-managed proxy
  - Use system proxy settings: for workstation OS-managed proxy
  - Manual system proxy configuration: for a custom target device as the proxy
  - Automatic proxy configuration URL: for a web server-supplied proxy
  - Ignore proxy certificate: This setting determines whether CA PAM trusts the proxy certificate. If the certificate is not trusted, the CA PAM Client cannot connect to the server. For security reasons, the setting is unchecked by default. If the Client keeps getting disconnected, it might be a result of a certificate mismatch. To avoid this problem, select this check box; however, this option is less secure.
  General
  Specifies memory for the Client.
  - Max memory size: default (Windows, Linux x86): 1024 MB; (Mac, Linux x64): 2048 MB. For Windows, 1200 is the maximum value. If the value is set to 1201 MB or greater, the client does not start again. If it does not restart, edit the settings.properties file at the installation root. Reset the memory.max parameter to 1200 or less and save the file.
  - Client language: By default, the Client automatically detects the language of the host computer OS and displays the user interface in that language, if available. To change the Client from the default to another language, clear the Auto-detect checkbox, and select a language from the Client language drop-down list.
  - Restore security prompts: If you have previously selected a checkbox to ignore a security warning, selecting this Restore button causes the warnings to resume.
  - Use Host Address IP: Set this option if CA PAM Client login attempts fail with "Unknown Error" messages.
  Cache
  Specifies the cache of previous CA PAM Client versions.
  - Enable Caching: Stores previous versions for the CA PAM Client to revert to an earlier version. Default = On (checked).
  - Current Cache Size: Specifies the total size of the cached versions of the CA PAM Client. Default: Total size of cached prior versions.
  - Clear Cache: Specify to remove all cached versions. (You can remove individual versions by using the Manage button.)
  - Max Cache Size, MB (0 = unlimited): Specify the maximum size of the cache by using the slider or the field.
  - Cached Versions: Displays the number of cached versions.
  - Manage: Displays details for all cached versions of the CA PAM Client. You can remove any or all versions.
  Certificate
  From a table list, specify a certificate authority (CA) certificate to be used. The CA PAM Client is provided with several preinstalled CA certificates. Add more if needed.
- Select OK to save your settings.
CA PAM Client Update Checking
Use the following procedure to disable automatic update checking on CA PAM Clients that are experiencing startup issues.
Follow these steps on each system on which a CA PAM Client is installed in your environment:
- Shut down any CA PAM Client instances that are running.
- In the CA PAM Client installation folder, create a file called update with no file extension.
- Open the update file with a text editor and enter the word false. Save and close the file.
- Set permissions for the update file. For administrators, set full permissions. For users, set read-only permissions.
- Launch the CA PAM Client and connect to the server.
- If you see the message "Synchronization is Required," complete the following steps:
  - Select the gear icon in the left corner of the login dialog.
  - Click Cache and select the following settings:
    - Enable Caching
    - Keep instances for reuse
  - Launch the CA PAM Client again and connect to the server.
To re-enable update checking, delete the update file or edit it to remove the word
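The file-creation and permission steps of the procedure above, scripted for macOS or Linux systems and paired with a verification check. This is an added example, not part of the product documentation; the function names are hypothetical, and mapping "full permissions for administrators, read-only for users" to mode 0644 on a file owned by the account running the script is an assumption.

```shell
#!/bin/sh
# Run only after all CA PAM Client instances on the system are shut down.

# disable_update_check INSTALL_DIR
# Creates INSTALL_DIR/update containing the word "false" with mode 0644
# (assumed mapping: owner read/write, everyone else read-only).
disable_update_check() {
    [ -d "$1" ] || { echo "no such install folder: $1" >&2; return 2; }
    # Write to a temporary file first so a half-written flag is never read.
    tmp=$(mktemp "$1/.update.XXXXXX") || return 1
    printf 'false' > "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$1/update"
}

# update_check_disabled INSTALL_DIR
# Returns 0 only if the flag file holds exactly the word "false" and neither
# the file nor its folder is writable by group or other users. A writable
# folder would let any user delete or replace the flag despite its own mode.
update_check_disabled() {
    flag="$1/update"
    [ -f "$flag" ] || return 1
    [ "$(cat "$flag")" = "false" ] || return 1
    loose=$(find "$1" "$flag" -prune \( -perm -0020 -o -perm -0002 \) -print)
    [ -z "$loose" ]
}

# Run as: sudo sh update_flag.sh "<client installation folder>"
if [ "$#" -ge 1 ]; then
    disable_update_check "$1" && update_check_disabled "$1"
fi
```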
Uninstall the Client
Follow the instructions for your workstation type:
Do one of the following tasks to remove the Client:
- Remove the Client from the Windows Control Panel, Programs and Features.
- Remove a CA PAM Client installation from its location in the file directory:
  - At the root level of the installation, locate the directory _/CA PAM Client_installation.
  - Open this directory and run the uninstallation wizard named Change CA PAM Client Installation.
To remove a Mac installation, you need root privileges. Delete the installation directory and its entire contents.
To remove a Linux installation, delete the installation directory and its entire contents. Do not use the uninstallation wizard that is provided.