Device Setup

This topic describes how to use the Manage Devices page to add devices, as an alternative to CSV import.
Prerequisites for Adding a Device
Some access types must be set up before you set up a device. These types include:
  • Access Methods invoke a proprietary Java applet that is downloaded from Privileged Access Manager to a local client computer. See Access Methods for more information.
  • TCP/UDP Services: See Create TCP/UDP Services for more information.
  • Native Services invoke a resident application on a local client computer.
  • Web Portals invoke an HTTP/HTTPS website. See Configure Automatic Login to Web Portals for more information.
  • RDP Applications invoke a resident application on the target RDP device. See RDP Applications Configuration for more information.
Basic Info Configuration
Follow these steps:
  1. Log in to the UI.
  2. Select Devices, Manage Devices.
  3. To specify a new device, select Add.
  4. Complete the fields on the Basic Info tab. Required fields are highlighted with a red asterisk.
    Name:
    This field specifies the name that is displayed on the Access page. You can enter double-byte characters.
    Address:
    The device IP address or FQDN.
    • For an FQDN, DNS must be set up properly on the Configuration, Network, Network Settings page.
    • A specified FQDN can be no longer than 255 characters.
    • If you are updating a device that was imported from AWS, Azure, or VMware, an Override Address checkbox appears. To edit the address, for example, to use a private IP address, select the Override Address checkbox.
    Scan:
    Select this option to execute a port scan. The scan detects services that are configured. The detected services appear on the Access Methods and Services tabs.
    Description:
    Enter an optional description.
    Location:
    Enter an optional location. To help you organize your device list, you can sort entries in this column.
    Operating System:
    Select the device operating system. To help you organize your device list, you can sort entries in this column.
    Device Type:
    Select the functions that you want to apply to the device:
    • Access for access to remote systems.
    • Password Management for designating a device as a target device for credential management.
    • A2A for Application-to-Application credential management. An A2A Client must be installed on the remote system. The following additional A2A fields are required:
      • Active: Select Active to allow the A2A Client to receive credentials.
      • Preserve Hostname: Select this box to prevent the host name of the request server from being overwritten each time the A2A Client registers. If you do not select this option, the existing host name can be overwritten.
  5. Select OK.
Tag Creation and Assignment
Device tags are text strings of any form and length that you can use to group and search for devices. Tags have no dependence on any other characteristics of those devices. You create a device tag within a specific device record. After it is created, you can copy the tag to other devices. Multiple tags can be assigned to a device, so it is possible to create a wide variety of groupings.
A tag is applied to a device record. How you apply a tag depends on whether the tag already exists or you are creating a new one:
  • For an existing tag, select it from the drop-down list of tags. An existing tag must be in use in at least one device record. Start typing and a list of available tags appears in the drop-down list.
  • For a new tag, enter a tag name.
To view and edit tags, see Manage Tags.
The following guidelines apply when you tag devices and device groups:
  • A device in a device group does not inherit the tag that is assigned to the device group.
  • If a device and a device group have the same tag, CA PAM treats the single device as part of the device group. Any policy that applies to the device group then also applies to the device.
Example of Using Tags:
A number of devices use the Windows operating system, but some do not. For network maintenance purposes, you want to group all Windows devices. Tag each Windows device with the tag Windows. On the Manage Devices and Access pages, you can then search for "windows" to collect all instances.
Specify Access Methods
From the Access Method tab, specify the method by which users gain access to a device. The default methods are RDP, SSH, Telnet, and VNC. Mainframe licenses also provide the following methods: TN3270, TN3270SSL, TN5250, TN5250SSL.
Follow these steps:
  1. Select the Access Methods option.
  2. Select the plus sign to add a method.
  3. In the Name field, select an access method from the pull-down menu.
    The SSH access method can provide X11 forwarding over SSH. To enable X11 forwarding, select the X11 checkbox. For forwarding to work, the client computer must have a configured X11 server, such as OpenText Exceed.
    Be aware of the following limitations with X11:
    • The product supports keystroke logging and command filtering for all activities that are conducted within the SSH applet. However, the X11 server runs on the local client, so the product cannot provide graphical session recording or command filtering for the forwarded graphical application.
    • The X11 feature cannot currently be applied to device groups.
    RDP has a Console checkbox to specify that access is through the device console interface.
  4. Optionally, specify a Custom Name.
    The default Name is the Access Method (such as SSH). A custom name is required if a device uses the same access method on two different ports. For example, if a device listens for SSH connections on port 22 and on port 2200, you define an SSH access method for each port. Both access methods cannot have the same name, so at least one of them must have a custom name. You can also use a custom name to have a non-standard name appear on the Access page for this method on this device.
  5. In the Port field, accept the default port or specify a different port number.
  6. Repeat the previous steps for each method you want to add.
  7. Select OK to save your selections, or continue to the next tab.
Select Services
Services are the way to customize access to devices.
Follow these steps:
  1. Select the Services option.
  2. For each service you want, select the checkbox.
  3. Select the arrow to move the services over to the Selected Services list.
  4. Select OK to save your selections, or continue to the next tab.
Customize Terminal Access to a Device
Set up terminal access to a device so that any user receives an administrator-recommended screen presentation. Configuring the look of the terminal is helpful for users who do not know the ideal settings.
A user can override this customization by specifying user-based terminal settings.
Follow these steps:
  1. Select the Terminal option.
  2. Configure each field using the pull-down lists. Most fields are self-explanatory.
    The "End to select" checkbox function is deprecated.
Transparent Login
Transparent login lets a user issue password-enforced commands whose passwords are unknown to the user. The user must be logged on to a target device to use transparent login.
The RDP and SSH services support transparent login. Support for the graphical RDP transparent login feature on Windows machines is defined on the Services page, as is support for the SSH applet and the SSH proxy. Specify one or both of the UNIX/Linux applications pbrun and sudo. When these applications are invoked, they are silently presented with valid managed credentials, effecting an automated transparent login.
To use sudo/pbrun at run time, specify a credential for auto-connection in the policy for this device, and select the Transparent Login checkbox.
Follow these steps:
  1. Select the Transparent Login tab.
  2. In the drop-down list, select sudo/pbrun.
    The sudo/pbrun fields appear.
  3. In the Full Path field, enter the path on the target device where the application executable resides. For example, /usr/bin.
  4. In the Password Prompt field, specify a substring of the text that is presented to the user. The closer the string match that you provide, the greater the security. For example, the full prompt to the user might be "sudo password for user", where user represents the dynamically applied user name. The maximum literal that can be applied is then "sudo password for".
Command Strings for Transparent Login
You can also specify a set of command strings and a prompt. This feature is disabled by default for security reasons. To enable it, go to Configuration, Security, Access, and select Enabled for Command String.
To use the Command String feature, follow these steps:
  1. Enable Command String on the Configuration, Security, Access page.
  2. Select the Transparent Login tab.
  3. In the drop-down list, select Command String.
    The Command String fields appear.
  4. In the Authentication Prompt field, specify a substring of the text that is presented to the user. The closer the string match that you provide, the greater the security. For example, the full prompt to the user might be "password for user", where user represents the dynamically applied user name. The maximum literal that can be applied is then "password for".
  5. Select the plus icon to add the actual command string. The user must match the command string exactly. To support shortened versions of the command string, add them as separate command strings. For example, "ENABLE" would be one command string, and "EN" would be another command string.
  6. Select OK to save your settings.
  7. Set up a policy for the device and an account to use the transparent login feature. Unlike sudo/pbrun, auto-connect configuration is unnecessary for Command String transparent login.
    The password from the specified target account is sent only under the following conditions:
    • You type a string that matches the specified command string exactly.
    • SSH returns the specified prompt, whether you are using the SSH applet or the SSH proxy.
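The following is an added example, not CA PAM's own code: a small simulation of the two conditions just listed for Command String transparent login, together with the Password Prompt substring rule that the sudo/pbrun mode shares with it. The names (CommandStringConfig, release_password, prompts_matched) and the sample prompts are constructed for illustration.

```python
# Added example, not CA PAM's own code: simulates the two gates this page
# describes for Command String transparent login, and the Password Prompt
# substring rule shared with sudo/pbrun. All names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class CommandStringConfig:
    # Substring of the prompt the target shows (the Authentication Prompt).
    auth_prompt: str
    # Exact command strings; shortened forms are separate entries.
    command_strings: set = field(default_factory=set)


def command_matches(cfg: CommandStringConfig, typed: str) -> bool:
    """Gate 1: what the user typed must equal a configured string exactly."""
    return typed in cfg.command_strings


def prompt_matches(auth_prompt: str, returned_prompt: str) -> bool:
    """Gate 2: the prompt SSH returns must contain the configured substring."""
    return auth_prompt in returned_prompt


def release_password(cfg: CommandStringConfig, typed: str, returned_prompt: str) -> bool:
    """The managed password is sent only when both gates pass."""
    return command_matches(cfg, typed) and prompt_matches(cfg.auth_prompt, returned_prompt)


def prompts_matched(auth_prompt: str, observed_prompts: list) -> list:
    """Return the lines a device might print that would trigger release.

    A longer literal matches fewer of them, which is why the page says the
    closer the match, the greater the security.
    """
    return [p for p in observed_prompts if prompt_matches(auth_prompt, p)]


# Constructed configuration: the page's "ENABLE" / "EN" example with the
# maximum literal "password for" taken from the prompt "password for user".
CFG = CommandStringConfig(auth_prompt="password for",
                          command_strings={"ENABLE", "EN"})

# Constructed lines a target might print; only the first is the real prompt.
OBSERVED = ["password for jsmith", "Enter new password:", "Bad password, try again"]

if __name__ == "__main__":
    print(release_password(CFG, "ENABLE", "password for jsmith"))   # True
    print(release_password(CFG, "ENAB", "password for jsmith"))     # False: not exact
    print(release_password(CFG, "EN", "Bad password, try again"))   # False: prompt differs
    print(prompts_matched("password", OBSERVED))      # all three lines
    print(prompts_matched("password for", OBSERVED))  # only the real prompt
```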
Edit a Device from a Policy
An administrator can edit a Device from the Manage Policies page.
  1. Open the Policy, Manage Policies page.
  2. Select a policy to Update for a given device.
  3. Select the Manage Device button on the Policy window.
    The corresponding Device window appears.
Edit Targets from the Manage Devices Page
An administrator can add a Target Application from the Manage Devices page:
  1. Select a device from the list, then select the Manage Target Applications button.
    If the device record is already open, you can select Save and Add Target Applications at the bottom of the Device window.
  2. The Add Target Application window opens in front of the Target Applications list. The GUI controls are presented as they are on Targets, Target Applications.
  3. When finished, select OK.
For information about importing Devices using a CSV file, and importing AWS and VMware Devices, see Import and Export Devices.