Deploy the CA PAM Client

The CA PAM Client is a fully functional alternative to the Web browser UI. Use the Client to access Privileged Access Manager and perform administrator and end-user activities. The Client eliminates the need to keep browser configurations compatible with the product. The Client does not interfere with browser-based UI access – you can use both methods from the same workstation. See the Platform Support Matrix for information about where you can run the CA PAM Client.
The following instructions explain the deployment of the Client:
Download the Client Software
Download a client version compatible with your workstation OS type from the browser-based UI login page. To install the CA PAM Client, the user needs the same user rights or permissions that are required to install any other application.
Follow these steps:
  1. From your client workstation, open up a browser and go to the URL for the Privileged Access Manager UI.
  2. Below the login screen fields, select the arrow next to CA PAM Client.
  3. In the Platform field, select the OS for your local workstation, then select Download.
  4. Save the installer file locally to your workstation.
Install the Client
Refer to the appropriate instructions:
Specific macOS Instructions
After you download the installer file, extract the file and run the Client installer. (The CA PAM Assistant, which was required by previous versions, is not required for version 3.4.)
You cannot upgrade from previous versions. The 3.4 version of the macOS CA PAM Client uses a different install location. However, a previous installation can coexist with the new version. Also, the 3.4 client can connect to a previous appliance, as long as it is not installed with sudo (as root). You can remove a previous version by right-clicking it and using "Move to Trash".
Use Sudo to Install
For macOS, you can optionally use sudo to launch the installation. The installed files are then owned by root, preventing standard users from modifying the installed application files. With root ownership of the files, multiple users can concurrently use the same client installation. Use the following sudo command for root ownership:
sudo ./CAPAMClientInstall.app/Contents/MacOS/CAPAMClientInstall
The command "sudo open CAPAMClientInstall.app" does not give the ownership of the files to root.
If you install with sudo, the administrator password is needed only during installation. However, if you do not install using sudo, you need the administrator password only at run-time to use the SSH Proxy or SFTP Proxy. Everything other than the SSH Proxy or SFTP Proxy works without the administrator password.
Sudo access is only necessary during installation. To distribute the PAM Client without user intervention, see the following:
CA PAM Client 3.4 is a native macOS app with its own icon that appears in the dock.
To log in to a CA PAM appliance from a macOS CA PAM Client, add the user certificate to the login keychain and system keychain. Adding the certificate prevents the user from being repeatedly prompted for login credentials.
Multiple macOS Instances
To open multiple instances of the macOS CA PAM Client, invoke the binary /Applications/CA PAM Client.app/Contents/MacOS/CAPAMClient directly or use this command from terminal:
open -n /Applications/CA\ PAM\ Client.app
Clicking the CA PAM Client app icon in Finder multiple times does not result in opening multiple instances.
MacOS Subpixel Antialiasing
If you are using macOS Mojave with Subpixel Antialiasing disabled, the content in the Privileged Access Manager user interface may appear blurred. Re-enable Subpixel Antialiasing to fix this issue:
  1. Open a Terminal.
  2. Run the following command:
    defaults write -g CGFontRenderingFontSmoothingDisabled -bool NO
  3. Log out and log back in for the change to take effect.
General Instructions
After you download the installer file, run the Client installer.
If you install the Client in a UNIX environment, the UNIX system must have the necessary graphic libraries to show the PAM Client UI. Otherwise, when you run the Client, the Client exits without showing any error message in the log.
If the PAM Client starts, but the Dashboard page is blank, the required libraries for the JxBrowser might be missing. To see which libraries are missing, go to the PAM Client installation folder and review the logs.log file. Install any missing libraries.
Follow the installation wizard, noting the following instructions:
  • License Agreement:
    To accept the license agreement, scroll through the license text to the bottom of the panel.
  • Choose Install Set:
    Select one of the following options:
    • Typical:
      Prompts you for an installation directory on your local workstation then installs the Client.
    • Run:
      Extracts the contents to a temporary location and runs the Client. The setup completes and the login screen appears.
  • Choose Install Folder:
    Enter a path, or select the Choose button to find a folder. Consider the following options:
    • If you use the default, ensure that the intended user has "Full control" of this folder. For example, a typical user might not have the required permissions to run the Client in the default folder.
    • For a multi-user shared installation, select a directory where all users have write access. Another option is for each user to install the client separately in their own user folder, such as c:\Users\<user>\.
    • For silent installation, see CA PAM Client Silent Install.
    • The CA PAM Client does not support installation in directories whose names include Japanese characters. If you install the CA PAM Client on a Japanese-language computer, enter a folder with no Japanese characters.
After the installation is complete, you can log in from the Client.
If you start the Client on a UNIX system and the UI Dashboard is blank, the libraries that the JxBrowser needs might be missing. To determine which libraries are missing, go to the Client installation folder and look at the logs.log file. This file lists the missing libraries. Install those libraries.
Log in from the Client
After the Client is installed, you can log in to the server. The initial client screen allows you to specify the address of a Privileged Access Manager appliance or appliance cluster VIP.
Follow these steps:
  1. Open the client application.
  2. Enter the following connection parameters for your server appliance.
    • Address:
      Enter the IP address in the form address:port or the assigned fully qualified domain name of the CA PAM server.
      The CA PAM Client cannot use most well-known ports. See Ports Not Allowed for the Client for the full list.
    • Connect Mode:
      Select one of the following options:
      • WEB:
        Opens a connection to the server, and then opens a browser window to the UI. The console closes.
      • CONNECT:
        Opens a connection to the server, and displays a status connection console. The status connection console displays connection information and the Launch Web Browser and Log Off buttons.
      You cannot switch between WEB and CONNECT after you connect to the server. Select Cancel to return to the initial connection screen and restart the Client.
  3. Select Connect.
  4. If a client update is required, you are notified. Select Update to automatically update the installed client to the latest version. If necessary, restart the client.
  5. If applet jars must be downloaded from the CA PAM server, you are notified. Select Update to install the appropriate applet jars automatically.
  6. You may receive a Verify Certificate window before the login screen appears.
    1. Select View Certificate to see the certificate details and evaluate its applicability.
    2. If you approve of the certificate, select Import at the bottom of the dialog. Once it is trusted, you should not see the certificate warning any more.
  7. When the login screen appears, enter the user name and password.
  8. Select the Authentication Type.
  9. Select Login.
Depending on the Connect Mode that you select, the browser window or the status connection window opens. If the status connection window opens, select Launch Web Browser to open the UI. The console window remains open. If you close the browser window, you can select Launch Web Browser later and return to the same GUI location, as its state is preserved.
You can now use the product.
CA PAM Client Cache
You can speed up the CA PAM Client connection to the Privileged Access Manager server by using the client cache. The cache saves reused files, much like any Web browser. The Client does not have a switch to turn the cache on or off. The cache works only if the Privileged Access Manager HTTPS certificate is configured properly. The certificate also must be trusted globally or in the local network or organization. The certificate cannot be trusted only by the client. Your whole system (OS) must trust the certificate. You can test whether your connection to the server is trusted by connecting with a Chrome browser. If you receive a Certificate warning such as "Your connection is not private," the cache is not used.
The CA PAM Client manages its own cache, but you may want to clear your CA PAM Client cache. To clear the CA PAM Client cache, delete this directory when all client processes have been terminated: <client_root>\temp\web-cache.
Modify Client Configuration Settings (Optional)
The Client configuration settings specify operational behavior of the Client. Usually, the default Client configuration settings work for your environment. If necessary, you can modify the configuration settings.
Follow these steps:
  1. From the Client login page, open the Configuration Settings window by selecting the gear icon in the lower-left corner.
  2. Select the relevant tab to change the following settings:
    Proxy
    Indicates whether the CA PAM Client is connecting to the CA PAM server through a proxy server. Select one of the following options for your deployment:
    • No Proxy (default): The Client connects directly to the CA PAM server.
    • Auto-detect proxy settings for this network: for a network-managed proxy
    • Use system proxy settings: for workstation OS-managed proxy
    • Manual system proxy configuration: for a custom target device as the proxy
    • Automatic proxy configuration URL: for a web server-supplied proxy
    • Ignore proxy certificate: This setting determines whether CA PAM trusts the proxy certificate. If the certificate is not trusted, the CA PAM Client cannot connect to the server. For security reasons, the setting is unchecked by default. If the Client keeps getting disconnected, it might be a result of a certificate mismatch. To avoid this problem, select this check box; however, this option is less secure.
    General
    Specifies memory for the Client.
    • Max memory size:
      default (Windows, Linux x86): 1024 MB; (Mac, Linux x64): 2048 MB
      For Windows, 1200 is the maximum value. If the value is set to 1201 MB or greater, the client does not start again. If it does not restart, edit the settings.properties file at the installation root. Reset the memory.max parameter to 1200 or less and save the file.
    • Client language
      By default, the Client automatically detects the language of the host computer OS and displays the user interface in that language, if available. To change the Client from the default to another language, clear the Auto-detect checkbox, and select a language from the Client language drop-down list.
    • Restore security prompts
      If you have previously selected a checkbox to ignore a security warning, selecting this Restore button causes the warnings to resume.
    • Use Host Address IP
      Set this option if CA PAM Client login attempts fail with "Unknown Error" messages.
    Cache
    Specifies the cache of previous CA PAM Client versions.
    • Enable Caching:
      Stores previous versions for the CA PAM Client to revert to an earlier version. Default = On (checked).
    • Current Cache Size:
      Specifies the total size of the cached versions of the CA PAM Client. Default: Total size of cached prior versions.
    • Clear Cache:
      Specify to remove all cached versions. (You can remove individual versions by using the Manage button.)
    • Max Cache Size, MB (0 = unlimited):
      Specify the maximum size of the cache by using the slider or the field.
    • Cached Versions:
      Displays the number of cached versions.
    • Manage:
      Displays details for all cached versions of the CA PAM Client. You can remove any or all versions.
    Certificate
    From a table list, specify a certificate authority (CA) certificate to be used. The CA PAM Client is provided with several preinstalled CA certificates. Add more if needed.
  3. Select OK to save your settings.
(Optional) Disable CA PAM Client Update Checking
Use the following procedure to disable automatic update checking on CA PAM Clients that are experiencing startup issues.
Follow these steps on each system on which a CA PAM Client is installed in your environment:
  1. Shut down any CA PAM Client instances that are running.
  2. In the CA PAM Client installation folder, create a file called update with no file extension.
  3. Open the update file with a text editor and enter the word false. Save and close the file.
  4. Set permissions for the update file. For administrators, set full permissions. For users, set read-only permissions.
  5. Launch the CA PAM Client and connect to the server.
  6. If you see the message “Synchronization is Required,” complete the following steps:
    1. Select the gear icon in the left corner of the login dialog.
    2. Click Cache and select the following settings:
      • Enable Caching
      • Keep instances for reuse
    3. Launch the CA PAM Client again and connect to the server.
To re-enable update checking, delete the update file or edit it to remove the word false.
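The procedure above scripted for a macOS or Linux workstation, as an added example that is not vendor code. The function names and the install folder argument are placeholders, and mapping "full permissions for administrators, read-only for users" to mode 644 on a file owned by the account that runs the script is an assumption.

```shell
#!/bin/sh
# Added example (not vendor code). Close all CA PAM Client instances first.
# Usage: disable_update_check <install_dir>   (run as the administrator
# account that should own the file, for example through sudo)

# Create <install_dir>/update containing the word "false".
# Returns 0 on success, 2 if the folder is missing, 3 if it is not writable.
disable_update_check() {
    dir=$1
    [ -d "$dir" ] || { echo "install folder not found: $dir" >&2; return 2; }

    # Write to a temporary file and rename it into place, so an existing
    # "update" entry (including a symlink planted in a shared folder) is
    # replaced rather than written through.
    tmp=$(mktemp "$dir/.update.XXXXXX") || return 3
    printf 'false' > "$tmp"

    # Assumed Unix mapping of step 4: owner read/write, everyone else read-only.
    chmod 644 "$tmp"
    mv -f "$tmp" "$dir/update"
}

# Succeeds only if a regular file named "update" holds exactly the word false.
update_check_disabled() {
    f="$1/update"
    [ -f "$f" ] && [ ! -L "$f" ] &&
        [ "$(tr -d '[:space:]' < "$f")" = "false" ]
}

# Re-enable update checking by deleting the file, as the page describes.
enable_update_check() {
    rm -f "$1/update"
}
```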
Uninstall the Client
Follow the instructions for your workstation type:
Windows
Do one of the following tasks to remove the Client:
  • Remove the Client from the Windows Control Panel, Programs and Features.
  • Remove a CA PAM Client installation from its location in the file directory:
    1. At the root level of the installation, locate the directory _/CA PAM Client_installation.
    2. Open this directory and run the uninstallation wizard named Change CA PAM Client Installation.
Mac
To remove a Mac installation, you need root privileges. Delete the installation directory and its entire contents.
Linux
To remove a Linux installation, delete the installation directory and its entire contents. Do not use the uninstallation wizard that is provided.