A2A Client Connection Security

When an A2A Client registers with CA PAM, the appliance identifies the Client using the following data, in this order:
  1. Fingerprinting the host server
    Fingerprinting must be enabled on the host where the client resides.
    A server fingerprint is a combination of hardware characteristics, for example CPU serial numbers and network IDs. Credential Manager dynamically calculates the fingerprint of the server executing a script to validate the machine ID of the credential requestor.
  2. A unique client token
    The client token is a unique request server identifier that identifies the client in the appliance database. When an A2A Client initially registers, the server generates a unique token for the client. For subsequent client requests, the server uses the token to retrieve credentials from the database.
  3. Domain Name Servers (DNS)
    Credential Manager uses the client host name as part of the client authentication process. Reverse IP lookup is also possible.
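The following is an added, constructed model of the three identification factors listed above, checked in the documented order; it is illustrative code, not CA PAM's own implementation, and the fingerprint derivation, registry class and reverse-DNS table are assumptions.

```python
import hashlib
import secrets

def server_fingerprint(cpu_serial: str, network_ids: list[str]) -> str:
    """Derive a stable fingerprint from hardware characteristics.
    Assumption: CPU serial plus sorted network IDs (e.g. MAC addresses),
    so interface ordering does not change the result."""
    material = cpu_serial + "|" + "|".join(sorted(network_ids))
    return hashlib.sha256(material.encode()).hexdigest()

class A2ARegistry:
    """Hypothetical appliance-side registry of A2A Clients."""

    def __init__(self, reverse_dns: dict[str, str]):
        # Constructed reverse-lookup table: source IP -> host name.
        self.reverse_dns = reverse_dns
        # Registered clients keyed by fingerprint: (token, host name).
        self.by_fingerprint: dict[str, tuple[str, str]] = {}

    def register(self, fingerprint: str, hostname: str) -> str:
        """Initial registration: the server issues a unique token once."""
        token = secrets.token_hex(16)
        self.by_fingerprint[fingerprint] = (token, hostname)
        return token

    def identify(self, fingerprint: str, token: str,
                 hostname: str, source_ip: str) -> str:
        """Subsequent request: check the factors in the documented order.
        Returns "ok" or the name of the first factor that fails."""
        record = self.by_fingerprint.get(fingerprint)
        if record is None:               # 1. host fingerprint unknown
            return "fingerprint"
        expected_token, expected_host = record
        if not secrets.compare_digest(token, expected_token):
            return "token"               # 2. token does not match registration
        if hostname != expected_host or self.reverse_dns.get(source_ip) != hostname:
            return "dns"                 # 3. host name / reverse lookup mismatch
        return "ok"
```

A request that passes all three checks would then receive credentials that stay encrypted on the wire until the A2A Client decrypts them for the requestor.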
When a requestor application requests credentials, the credentials remain encrypted as they are transferred over the network. The A2A Client decrypts the credentials before passing them to the requestor.