Add Target Accounts to Target Applications

After you configure a target application and connector, add a target account. The target account identifies an account at the remote server for which CA PAM can view, and change passwords.
After you configure a target application and connector, add a target account. The target account identifies an account at the remote server for which
Symantec PAM
can view, and change passwords.
Before you add a target account, verify that an account exists on the remote target system. For example, create an Oracle account on the remote Oracle database before you add Oracle as a target account. Make sure that each credential only has one target account.
This topic describes tasks including how to:
Add a Target Account Using the UI
On the Account tab, follow these steps to add a target account:
  1. Select
    Manage Targets
  2. Select
  3. On the
    tab, complete the following fields:
    • Host Name:
      Enter the IP address of the remote target system
    • Device Name:
      Enter the name of the remote target system.
    • Application Name:
      Select an existing target application. The application corresponds to an application installed on the remote target server. Complete any additional fields that might display.
    • Account Name:
      Assign a
      account name for a given account. The account name that you enter must match the account name that is used by the target system. For example, on a UNIX system, account names are the UNIX user ID (userid).
    • Password View Policy:
      The default password view policy is always assigned. Use the magnifying glass to select other defined view policies.
    • Protocol (only for UNIX targets):
        This field is displayed and filled-in automatically.
    • Password:
      The password of the user account at the remote target server. These passwords must match. Enter a password or select the Generate Password icon (a key ring).
      The generated password follows the password composition policy, and it updates automatically at the target server. For accounts that use the
      application type, manually change the password on the target system so it matches the one in the secure database.
    • Account Type
      Accept the default, Privileged Account, unless you are adding an A2A target. For A2A devices, select
      A2A Account
      . A2A is only available if your license allows for A2A devices.
    • Access Type (Optional):
      The Access type is only for reference. This field is not used by Credential Manager. Use the Access Type value to define dynamic target groups. If you are using target groupings, enter descriptors for the target account.
    • Descriptor 1 and 2 (Optional)
      :  If you are using target groupings, you can enter descriptors for the target account.
  4. For A2A target accounts, the following fields are optional:
    • Aliases
      : A target alias enables an A2A requestor to request credentials from a specific account without transmitting the account user name and password. Enter a target alias name for the account. The target alias name must be unique across the Credential Manager.
    • Cache Behavior:
      Controls password caching the A2A Client. Select one of the following options:
      • Use Cache First: The A2A Client looks for the password in local cache first. If there is no password or if the password is not the most recent, the A2A Client contacts the appliance.
      • Use Server First: The A2A Client contacts the product appliance to get the most recent password. If a password is unavailable, the A2A Client looks in the local cache.
      • No Cache: The password is never stored in the local cache. The A2A Client always contacts the product appliance for the password.
    • Cache Expiry Days:
      Specify how long the password remains in cache.
  5. Select
    . Your new target account is added to the list of accounts on the Account List page.
When you update target account information other than the password, you must manually perform password verification. To verify the password manually, select the
Verify Password
icon on the Account tab for the target account.
Specify AWS Target Account Information
If the target account is an AWS account, there are more fields that you must configure.
Before doing this procedure, ensure that you have downloaded from AWS the
EC2 Private Key
file. The key file has a
Follow the steps for adding an AWS target account:
  1. In the Application Name field, select
    AWS Access Credential Accounts
    The Host Name and Device Name fields are populated with the entry.
  2. For AWS Access Credential Type, select the
    EC2 Private Key
    option button.
  3. Enter the EC2 Instance User Name, such as
    (for Amazon Linux), or
    (for Red Hat Linux), or other full permission account.
  4. Browse and upload the EC2 Private Key key file.
  5. In Key Pair Name, enter the file name of the EC2 Private Key you uploaded, but without the extension.
  6. (Optional) Enter a passphrase to use with the EC2 private key in the Passphrase field.
Add a Target Account using the CLI
Configure Password Synchronization and Account Discovery
From the Password tab of a target account, you can view information about a target account password, such as:
Whether the password has been used. You can also configure account discovery and password synchronization. These two features are documented in the following topics:
Add a Compound Target Account (Optional)
A compound account consists of several accounts on a cluster of servers, all having the same account name. When the password of a compound account is updated, it is changed on all the cluster members. If the password cannot be changed on all cluster members, roll back the password to the previous value.
The Compound Servers tab shows the status of an update:
  • If a password update fails but the subsequent rollback succeeds, the Verified column displays a warning symbol next to the server.
  • If a password update fails
    the subsequent rollback fails, the Verified column displays a red
    next to the server name. The password on this server is now out of sync.
Compound accounts respect existing target account functions such as, workflow, scheduled jobs, auto-connect, and target group membership.
You can create a compound target account from the Compound Servers tab.
You cannot add the host target server as a compound server.
Follow these steps:
  1. Add a target account or update an existing target account.
  2. Select the
    Compound Servers
  3. Use the
    sign to add servers. The number of servers is not limited, but the recommendation is 20 servers.
Configure Settings Specific to Individual Target Accounts
When you add a target account, one or more tabs are added to the Target Account configuration page. The tabs are specific to the target application associated with the target account. Many of these settings are for features unique to one or more target accounts. The following table lists where you can find information about these additional tabs.
For information about target accounts for service desk applications, see Integrate with Your Service Desk Solution.
Application Type for Target Account
UI Setting or Tab
Multiple application types
Change Process
Active Directory
Services and Scheduled Tasks tabs
Cisco SSH tab
Enter the distinguished name for the account
Enter the name of the database on the target system
Oracle tab
Palo Alto
Palo Alto tab
SPML v2.0
Database Name
Specify the name of the SPML 2.0-compliant database
Privilege Elevation
VMware NSX Manager
Access Privileged mode using
The function of this field is the same as the Change Process setting.
Windows Proxy
Windows Proxy settings
Windows Remote
Services and Scheduled Tasks tabs