Install and Set Up the Remote CLI and Java API

To use the remote CLI or the Java API, install and configure the software on a client system in your environment. The client system is remote to the
appliance, and it is the system that you plan to use to manage Credential Manager.
Complete the following procedures on the client system connecting to Privileged Access Manager. Complete these instructions whether you plan to use the Remote CLI, the Java API, or both.
Download and Deploy the Remote CLI Software
Follow this procedure to download and deploy the appropriate version of the Remote CLI software, which is packaged as a zip file, to your client system. The release version of the Remote CLI software should be the latest available version corresponding to the release running on your appliance.
Follow these steps on the client system:
  1. If your appliance is running a Service Pack (X.x.
    ) release, do the following steps to identify whether there are any Remote CLI patches that are listed for your release stream:
    1. Locate the section for your release version and identify whether it has an associated Remote CLI entry (For example, ""). If so, select the associated link to download the associated zip file.
    2. If your release version does not include a Remote CLI entry, scan the sections for any earlier service packs in the same release stream. If any sections do contain a Remote CLI entry, select the link that is associated with the
      version to download the associated zip file.
  2. If your appliance is running a major (X.
    ) release or you are running a Service Pack release and you found no appropriate Remote CLI entries in Step 1, follow these steps:
    1. Log in to Download Management and search for, then select, the "Privileged Access Management" entry.
    2. Filter the results to locate the "Privileged Access Manager MSP Debian" software and select the entry that is returned.
    3. Select the appropriate version from the Release drop-down list.
    4. Locate the "REMOTECLI r
      - ESD ONLY" entry and download the associated zip file to your client system.
  3. Create a directory on the local system and extract the contents of the zip file into it.
    The following files are extracted:
    • cliTool.jar
    • capam_command.bat
      (for CLI access from a Windows system)
    • capam_command
      (for CLI access from a UNIX/Linux system)
  4. (Optionally) For convenience, add the installation directory to your
  5. Do one of the following steps:
    • For UNIX/Linux systems, identify the installation directory by entering
      export CAPAM_DIR
    • For Windows systems, add an Environment Variable named
      with the value of the path to the installation directory. For example:
  6. If it is not already installed, install the Java Runtime Environment (JRE) Version 8u-latest. Obtain the JRE from If you are creating a Java application that uses the Java API, you also need the Java Version 8 SDK.
Enable the Credential Manager CLI
Follow these steps to enable the remote CLI:
  1. Connect to the appliance using a browser or the CA PAM Client.
  2. Navigate to
    Configuration, Security,
  3. On the Access page, select the
    radio button that is associated with the
    Credential Management CLI
  4. Select
  5. Navigate to
    Credential Manager
  6. Verify that the
    Enable External CLI
    option is enabled. If not, enable it and restart the appliance.
Obtain a Certificate
CLI and Java API commands must be executed over an HTTPS connection between your client system and the appliance. To secure the connection, obtain a certificate that the client trusts.
Complete the following steps to obtain a certificate:
To complete the steps for getting a certificate, connect to the appliance using a browser or the CA PAM Client.
Gather Information for the Certificate
Gather the following information for each appliance before generating a certificate:
  • IP address or the internal VIP for appliances in a cluster
  • Fully qualified domain name (FQDN)
  • FQDN short name: If the fully qualified domain name is , the short name is
Generate a Certificate or Use an Existing Certificate
Use a certificate from a Certificate Authority or use a self-signed certificate to secure the network connection. If the appliance already has a certificate available, skip to Generate a keystore.
Do not use the default certificate, gkcert.crt, or a certificate that has no Alternate Subject Names.
Follow these steps to obtain a certificate:
  1. From your client system, log in to the UI from a web browser or using the CA PAM Client.
  2. Select
    Configuration, Security, Certificates, Create
    The following screen shows the Certificates page:
  3. Select one of the following options, as appropriate:
    • Self-signed Certificate
    • CSR
      to request a certificate from a Certificate Authority
  4. Complete the fields in the form. Add the appliance information that you gathered to the
    Alternate Subject Names
    box. Add one name or IP address per line.
  5. After the form is complete, select
    If you completed a CSR, download the CSR and then send the request to a Certificate Authority. The Certificate Authority signs and returns a certificate, which you must upload to the appliance. Use the
    tab on the Certificates page.
  6. Set and accept the certificate:
    1. Select the
    2. Pick the certificate in the
    3. Select
      Verify Certificate.
      A confirmation message displays at the top of the page.
    4. Select
      Accept Certificate
    Accepting the certificate forces the appliance to reboot.
  7. After the reboot, apply the certificate.
Apply the Certificate
If you are using a
-generated certificate, download it to your client system. If you are using a Certificate Authority-obtained certificate, upload it from your client system to the
of the procedures for your certificate:
If you obtained a certificate from the
  1. Select the
  2. In the
    field, select the certificate from the pull-down list.
    A password for the certificate is not required.
  3. Select
  4. When prompted, save the certificate to the directory where you installed the cliTool.jar file.
If you obtained a certificate from a Certificate Authority:
  1. Select the
  2. For the Type option, select
  3. In the
    field, browse for the certificate on your client system.
  4. Fill in any other required fields.
  5. Select
Go to the next section to generate a keystore on your client system.
Create a Keystore
Generate a keystore on the client system. This keystore must contain the certificate from the client system. You can generate a keystore in many ways. The following steps explain only one method, using the keytool utility.
Follow these steps for the keytool utility:
  1. Navigate to the directory where you put the
  2. Generate the keystore and import the certificate to this keystore. Use the following command but note the guidelines:
    • You can substitute capam.crt for another file name with the
    • Do not change the keystore name. It must be
    • You must place the
      file in the same folder as the cliTool.jar file. If keytool is executed directly in the Java bin directory, you must manually copy the resulting
      file to the same folder as cliTool.jar.
    $JAVA_HOME/bin/keytool -import -trustcacerts -file capam.crt -alias capamserver -keystore capam.keystore
    starting in JRE 1.8,
    is replaced by
    %JAVA_HOME%\bin\keytool -import -trustcacerts -file capam.crt -alias capamserver -keystore capam.keystore
    starting in JRE 1.8,
    is replaced by
  3. After you execute the command, you are prompted for the keystore password. Enter a new password for the keystore you are creating. The following messages display:
    Trust this certificate? [no]: yes
    Certificate was added to keystore
  4. Verify that the import is successful by listing the keystore contents:
    $JAVA_HOME/bin/keytool -list -v -keystore capam.keystore
    %JAVA_HOME%\bin\keytool -list -v -keystore capam.keystore
Verify the Installation
To verify that the installation works, execute a command. For example:
capam_command adminUserID=admin cmdName=getErrorCodes
If successful, a list of error codes displays. The host name ( must match the server name in the certificate. If the certificate contains an IP address for the appliance, you can use the address in place of the server name.
Before the command executes, you are prompted for the Credential Manager administrator password. If the command executes successfully, it produces an XML string. For more information about the return values, see Remote CLI Return Values.
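
The Alternate Subject Names requirement and the host-name match described above can be checked on the client before the certificate is imported into capam.keystore. The following script is an added example, not vendor code: it reads `keytool -printcert` output and reports which of the gathered names (IP address, FQDN, short name) the certificate does not cover. The addresses, host names and the script name `check_san.sh` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not vendor code. Exact-match check only: wildcard SAN
# entries are not expanded (simplifying assumption).

# Print one lower-cased SAN value per line from `keytool -printcert` text on stdin.
san_entries() {
    awk '
        /^SubjectAlternativeName \[/ { in_san = 1; next }
        in_san && /^\]/ { in_san = 0 }
        in_san && /^ *(DNSName|IPAddress): / {
            sub(/^ *(DNSName|IPAddress): */, "")
            sub(/[ \t\r]+$/, "")
            print tolower($0)
        }'
}

# Args: every name or address the client will use to reach the appliance.
# Stdin: `keytool -printcert` text. Prints the names with no SAN entry and
# returns 1 if any are missing (a certificate with no SAN block fails all).
san_missing() {
    entries=$(san_entries)
    rc=0
    for name in "$@"; do
        want=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$entries" | grep -Fxq -- "$want"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of the relevant part of `keytool -printcert` output.
SAMPLE_PRINTCERT='Owner: CN=pam01.example.test
Issuer: CN=pam01.example.test
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: pam01.example.test
  IPAddress: 10.0.0.5
]'

# Real use: sh check_san.sh capam.crt 10.0.0.5 pam01.example.test pam01
if [ "$#" -ge 2 ]; then
    cert=$1; shift
    keytool -printcert -file "$cert" | san_missing "$@"
fi
```

A non-zero exit status means at least one name the client would connect with is absent from the certificate, so the certificate should be regenerated with that name added before it is imported.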