Develop Custom Connectors for Remote Targets

The out-of-the-box application types and target connectors that the appliance provides might not be sufficient for your remote systems and applications. For remote targets that are not available out-of-the-box, you can build custom target connectors. Privileged Access Manager offers a Custom Connector framework, which provides the necessary components to develop custom target connectors.
The process to build a custom target connector includes the following tasks:
Before you begin these tasks, familiarize yourself with the target connector framework.
Target Connector Framework Functions
The target connector framework (TCF) and a custom connector enable users with the necessary privileges to view and update remote account passwords.
The target connector framework is referred to as the TCF going forward in this guide.
The TCF communicates with the appliance and the custom target connector for the following functions:
  • Sends the appliance information about the custom connector and the remote target. 
  • Sends information about the target application and target account to the UI. 
  • Exchanges data between the appliance and the custom target connector to change and view the target account passwords. 
The TCF and the custom target connector are installed on a Custom Connector server. The Custom Connector server is a Tomcat server.
Any reference to the Custom Connector server implies a Tomcat server where the TCF and custom target connector are installed.
The following graphic shows where the TCF and custom connector reside in a PAM deployment.
Figure: Custom Target Connector in a Network
TCF Communication with PAM and Custom Connectors
The TCF has the following main components:
  • TCF web application
  • UI schema to define the custom UI fields and controls
  • A TCF SDK
The TCF web application acts as a proxy between PAM and the custom target connectors. When the appliance sends a request for available target connectors, the TCF calls the custom target connectors. The TCF then sends the list of deployed connectors back to the appliance. The UI elements are then rendered on the appliance. The TCF also handles tasks that are related to verifying and changing account passwords. The TCF sends a request to the target connector to perform these tasks.
When a custom target connector starts up, it registers with the TCF. The connectors themselves manage the UI fields and controls for target accounts and applications. 
Data Flow for a Target Application
The following graphic shows the data flow between Privileged Access Manager, the TCF, the target connector, and the target application:
Figure: Target Connector Framework Data Flow
Data Flow for a Target Account
The following graphic shows the data flow between PAM, the TCF, the target connector, and the target account:
Figure: Target Connector Framework Account Data Flow
Customer Responsibilities for Custom Connectors
If you build custom target connectors that are based on the TCF, you are responsible for the operation between the custom target connector and the target endpoint. These responsibilities include:
  • Writing log messages from the target connector to the TCF server catalina.out log
  • Writing any log messages that the target connector returns to PAM.
  • Obfuscating passwords when log messages are written into the catalina.out file on the TCF server.
  • Providing for secure information transfer between the target connector and the target endpoint.
CA Technologies is responsible for operation up to the point where the TCF passes information to the custom target connector. After that point, you are responsible for how the custom connector handles communication, operationally and securely.
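One way to meet the password obfuscation responsibility listed above, shown as an added example that is not CA Technologies or TCF SDK code: a java.util.logging filter that masks password-like values before a record is written to the console output that Tomcat collects in catalina.out. The class name, logger name, key names and sample messages are assumptions, and no TCF SDK calls are used.

```java
import java.util.logging.Filter;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/** Added example: masks password-like values before a log record is written. */
public final class PasswordRedactingFilter implements Filter {

    // Assumed key names; extend the list to match what your connector logs.
    // A quoted value is masked up to its closing quote; an unquoted value is
    // masked up to the next whitespace, which over-masks rather than leaks.
    private static final Pattern CREDENTIAL = Pattern.compile(
        "(?i)(\"?(?:password|passwd|pwd|secret)\"?\\s*[=:]\\s*)"
        + "(\"(?:\\\\.|[^\"\\\\])*\"|\\S+)");

    // Fixed-length mask so the log does not reveal the password length.
    private static final String MASK = "********";

    public static String redact(String text) {
        return text == null ? null : CREDENTIAL.matcher(text).replaceAll("$1" + MASK);
    }

    @Override
    public boolean isLoggable(LogRecord record) {
        record.setMessage(redact(record.getMessage()));
        Object[] params = record.getParameters();
        if (params != null) {
            Object[] clean = new Object[params.length];
            for (int i = 0; i < params.length; i++) {
                clean[i] = redact(String.valueOf(params[i]));
            }
            record.setParameters(clean);
        }
        return true; // keep the record, now without credential values
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("example.connector"); // hypothetical name
        log.setFilter(new PasswordRedactingFilter());
        // Constructed sample messages, not output from a real connector.
        log.info("update account=svc_backup password=Tr0ub4dor3 host=db01");
        log.log(Level.WARNING, "verify failed for {0}",
                "{\"user\":\"svc\",\"pwd\":\"s3cr3t\"}");
    }
}
```

Exceptions attached to a record are not rewritten, so keep credentials out of exception messages. Setting the filter on the handler instead of a single logger covers every logger that writes through that handler.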