Install and Activate an A2A Client on a Request Server

The A2A Client manages the connection between PAM and a request server. The A2A Client runs on a request server and allows requestors to communicate securely with the appliance.
This topic describes the requirements and installation procedures for an A2A Client.
A2A Client Hardware Requirements
The hardware requirements for the A2A Client are as follows:
  • A2A Client (32-bit): 32 MB RAM, 120 MB hard drive space
  • A2A Client (64-bit): 32 MB RAM, 170 MB hard drive space
Reserve an additional 50 MB for the A2A Client log file.
A2A Client Operating System Requirements
The A2A Client runs as a daemon or service and requires a Java Virtual Machine (JVM). The A2A Client can be installed on either a 32-bit or 64-bit operating system.
The 32-bit installation is no longer supported on Linux or Solaris SPARC systems. However, the 32-bit libcwjcafips.so file is preserved as libcwjcafips32.so so that you can still run your applications with a 32-bit JRE if necessary.
To use the 32-bit libcwjcafips32.so file, follow these steps:
  1. Navigate to /catech/cspmclient/lib.
  2. Copy libcwjcafips32.so to a different folder. Leave the original file in place.
  3. In that folder, rename the copy to libcwjcafips.so.
  4. Set java.library.path so that the folder containing the renamed libcwjcafips.so is listed before the /catech/cspmclient/lib folder. The JRE loads the first libcwjcafips.so it finds on that path, so the order matters.
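The following shell script is an added example and is not part of the product documentation. It stages the preserved 32-bit library under a separate folder and builds a java.library.path value with that folder first, which is the ordering step 4 describes. It assumes the library directory sits under the A2A Client installation directory (as the AIX daemon path later on this page suggests); the demo at the end runs against a constructed directory tree, not a real installation.

```shell
#!/bin/sh
# Added example (not from the product documentation): stage the preserved
# 32-bit libcwjcafips32.so as libcwjcafips.so in its own folder and build a
# java.library.path that lists that folder BEFORE the stock lib folder.
# Assumption: the lib folder is INSTALL_DIR/catech/cspmclient/lib.

# stage_lib32 INSTALL_DIR DEST_DIR
#   Copies INSTALL_DIR/catech/cspmclient/lib/libcwjcafips32.so to
#   DEST_DIR/libcwjcafips.so. The original 32-bit file is left untouched.
stage_lib32() {
    src="$1/catech/cspmclient/lib/libcwjcafips32.so"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$2"
    cp "$src" "$2/libcwjcafips.so"
}

# lib32_path INSTALL_DIR DEST_DIR
#   Prints the java.library.path value: DEST_DIR first, stock lib dir second,
#   so a 32-bit JRE resolves libcwjcafips.so from DEST_DIR.
lib32_path() {
    printf '%s:%s\n' "$2" "$1/catech/cspmclient/lib"
}

# --- demo on a constructed directory tree (no real A2A Client needed) ---
demo_root="${TMPDIR:-/tmp}/a2a-lib32-demo.$$"
mkdir -p "$demo_root/install/catech/cspmclient/lib"
printf 'fake 32-bit library\n' > "$demo_root/install/catech/cspmclient/lib/libcwjcafips32.so"

stage_lib32 "$demo_root/install" "$demo_root/lib32"
jlp=$(lib32_path "$demo_root/install" "$demo_root/lib32")
echo "java.library.path=$jlp"
# A 32-bit JRE application would then be launched as, for example:
#   java -Djava.library.path="$jlp" -cp app.jar com.example.App
rm -rf "$demo_root"
```

Run it with a 32-bit JRE on PATH and the application's own class path; the only product-specific part is the library file name and the folder order.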
Prepare the A2A Client Host System for Installation
Before you install the A2A Client, do the following tasks:
  • Important! Verify that there is no existing A2A Client installed on the host system. If there is, uninstall it. For more information, see Uninstall the A2A Client.
  • Verify that all A2A Client hardware and software requirements are met.
  • Ensure that firewalls do not block the necessary communication ports. See Default Port Settings for details.
  • Verify that the A2A Client host correctly resolves the PAM appliance name using DNS. If DNS resolution fails, correct the issue. If it cannot be corrected, add the name to the hosts file on the A2A Client host:
    • On UNIX: /etc/hosts
    • On Windows: C:\Windows\System32\drivers\etc\hosts
  • Verify that the appliance resolves the DNS name of the A2A Client host. From the UI, select Configuration, Tools, and try to resolve the name of the A2A Client host. If it does not resolve, correct the issue.
    You can also verify DNS resolution after the A2A Client is started: select Credentials, Manage A2A, Mappings, select Add, then use the magnifying glass for the Request field to display the list of A2A Clients. Verify that your A2A Client is displayed.
  • The default installation directory for the A2A Client is /opt/cloakware (UNIX) or C:\cspm (Windows). If you do not want to use the default directory, create an alternate installation directory.
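The checklist above can be scripted on a UNIX host. The following is an added example, not part of the product documentation: it detects a leftover A2A Client tree, checks that the appliance name resolves, applies the hosts-file fallback only when the name is missing, and probes the port. It assumes an existing install is recognised by its catech/cspmclient directory, and it takes the port number as an argument because this page defers the port values to Default Port Settings. The demo at the end works on a constructed hosts file, not /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the product documentation): pre-installation checks
# for an A2A Client host on UNIX. Assumptions: an earlier install is detected
# by its catech/cspmclient tree; the appliance port is supplied by the caller.

# a2a_installed DIR -> 0 if an A2A Client tree exists under DIR
a2a_installed() {
    [ -d "$1/catech/cspmclient" ]
}

# name_resolves NAME -> 0 if the resolver (DNS or hosts file) knows NAME
name_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# hosts_has NAME [FILE] -> 0 if an uncommented line in FILE maps NAME
hosts_has() {
    hfile="${2:-/etc/hosts}"
    # Strip comments, then match NAME as a whole host field (fields 2..NF).
    sed 's/#.*//' "$hfile" | awk -v n="$1" \
        '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit found ? 0 : 1 }'
}

# hosts_add IP NAME [FILE] -> append "IP NAME" unless NAME is already mapped
hosts_add() {
    afile="${3:-/etc/hosts}"
    hosts_has "$2" "$afile" && return 0
    printf '%s\t%s\n' "$1" "$2" >> "$afile"
}

# port_open HOST PORT -> 0 if a TCP connect succeeds (uses nc)
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# preflight INSTALL_DIR APPLIANCE_FQDN PORT -> 0 only if the host is ready
preflight() {
    rc=0
    if a2a_installed "$1"; then
        echo "FAIL: existing A2A Client under $1; uninstall it first"; rc=1
    fi
    if name_resolves "$2"; then
        echo "ok: $2 resolves"
    else
        echo "FAIL: $2 does not resolve; fix DNS or add it to /etc/hosts"; rc=1
    fi
    if port_open "$2" "$3"; then
        echo "ok: $2:$3 reachable"
    else
        echo "WARN: $2:$3 not reachable; check firewalls"
    fi
    return $rc
}

# --- demo on a constructed hosts file (the real file would be /etc/hosts) ---
demo_hosts="${TMPDIR:-/tmp}/hosts.demo.$$"
printf '127.0.0.1 localhost\n# 10.0.0.9 old-pam.example.com\n' > "$demo_hosts"
hosts_add 10.0.0.5 pam.example.com "$demo_hosts"   # assumed address and name
hosts_add 10.0.0.5 pam.example.com "$demo_hosts"   # second call is a no-op
cat "$demo_hosts"
rm -f "$demo_hosts"
# Real run, with PORT taken from Default Port Settings:
#   preflight /opt/cloakware pam.example.com "$PORT"
```

Because hosts_add only appends when the name is absent, the fallback can be re-run safely; it does not silently override a working DNS entry, which is the order of preference the checklist gives.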
Download the A2A Client
Download the A2A Client from the Broadcom Support Site.
Follow the appropriate steps on the target system:
  • If your appliance is running a Service Pack (X.x.x) release, follow these steps:
    1. Select the appropriate A2A Client zip file for your operating system and release (for example, UNIXA2A-3.3.2.zip) to download the .zip file to local storage.
    2. Unzip the installation package.
  • If you are running a major (X.x) release, follow these steps:
    1. Log in to Download Management, search for, and select the "Privileged Access Management" entry.
    2. Filter the results to locate the "App to App Manager" software.
    3. Select the regular or FIPS version of the App to App Manager software.
    4. Select the appropriate release from the drop-down list.
    5. Download the "Windows A2A Manager (Client)" or "Unix A2A Manager Client" entry, as appropriate.
    6. Unzip the installation package.
Install the A2A Client
You can install the A2A Client on a UNIX or Windows host.
Install the A2A Client on a UNIX Host
Install and configure the A2A Client on all request servers, but install only one A2A Client on a single host. If there is an existing A2A Client, uninstall it before proceeding.
Before you install the A2A Client on a Linux system, ensure that your system has the correct 32-bit or 64-bit libidn installed. If you try to install the Client without the correct libidn, the installation stops and an error message is displayed.
Follow these steps:
  1. Open a shell window and navigate to the location of the unzipped A2A Client installation package:
    cd unzip_location/
  2. Make the installation script executable:
    chmod u+x setup_unix
  3. Start the installation script by entering the following command and options:
    ./setup_unix host_type A2A_client_install_dir server_address
    host_type: Specifies the type of UNIX host. Enter Linux or SolarisSparc.
    A2A_client_install_dir: Names the installation directory for the A2A Client software.
    server_address: Identifies the IP address or fully qualified domain name (FQDN) of the appliance. If you specify the FQDN, it must match the name in the appliance SSL certificate.
  4. Auto-register the A2A Client (request server) in the GUI by starting the daemon:
    cspmclientd start
After the installation is complete and the client is started, the Client registers with PAM.
Install the A2A Client on a Windows Host
Install a single A2A Client on the Windows host. Multiple Clients on the same host are not supported. If there is an existing A2A Client, uninstall it before proceeding.
If the A2A Client host is a 64-bit platform, you can install the 32-bit or the 64-bit A2A Client. Install the 64-bit client to integrate with 64-bit applications or the 32-bit client to integrate with 32-bit applications.
The A2A Client installation on Windows is performed by InstallAnywhere software. If you execute the installation from an account whose name contains special characters, the InstallAnywhere wizard fails. To avoid this problem, start the installation by right-clicking the executable file and selecting the Run As option. The Run As dialog opens and prompts for an alternate username and password for the installation. Specify the account credentials and continue with the installation.
Follow these steps:
  1. Open a Command window and navigate to the clients/win subdirectory in the unzipped installation package.
  2. Start the installation wizard by double-clicking setup_windows32_java.exe or setup_windows64_java.exe.
    An InstallAnywhere window informs you that the installation preparation has started. When the preparation completes, the A2A Client Welcome window appears, followed by the Introduction window. Select Next.
  3. In the Choose Install Folder window, enter or select the folder where you want to install the A2A Client. Do not use a space in the installation folder names.
  4. In the Server Information window, enter the Fully Qualified Domain Name (FQDN) of the appliance in the Server Name field. The FQDN must match the name in the appliance SSL certificate.
  5. In the Choose Log Directory window, enter a specific path name for the installation log file directory or use the default path name.
  6. In the Pre-Installation Summary window, validate the installation information, then select Install. The Installing Password Authority Client window appears and shows the progress of the installation.
  7. When the installation finishes, the Install Complete window appears. Select Done.
  8. Do one of the following tasks to auto-register the A2A Client by starting the CSPMClient service:
    • Open a command window and enter:
      net start cspmclientd
    • Open the Windows Services tool and start the cspmclientd service.
After the installation is complete and the client is started, the Client registers with PAM.
Install the A2A Client on an AIX Host
Install and configure the A2A Client on all request servers, but install only one A2A Client on a single host. Multiple Clients on the same host are not supported. If there is an existing A2A Client, uninstall it before proceeding.
Before you install the A2A Client on an AIX system, ensure that your system has the correct 64-bit libidn installed (AIX supports only the 64-bit Client). If you try to install the Client without the correct libidn, the installation stops and an error message is displayed.
Follow these steps:
  1. Open a shell window and navigate to the location of the unzipped A2A Client installation package:
    cd unzip_location/
  2. Make the installation script executable:
    chmod u+x setup_aix
  3. Start the installation script by entering the following command and options:
    ./setup_aix A2A_client_install_dir server_address
    A2A_client_install_dir: Names the installation directory for the A2A Client software.
    server_address: Identifies the IP address or fully qualified domain name (FQDN) of the appliance. If you specify the FQDN, it must match the name in the appliance SSL certificate.
  4. Auto-register the A2A Client (request server) in the GUI by starting the daemon:
    A2A_client_install_dir/catech/cspmclient/bin/cspmclientd start
After the installation is complete and the client is started, the Client registers with PAM.
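The UNIX and AIX procedures above differ only in the setup script name and its argument list, so a single wrapper can serve both. The following is an added example and is not the product's own installer or tooling: it validates the host type and address arguments, refuses to run over an existing installation, checks for libidn on Linux, and then runs the matching setup script and starts the daemon so the Client sends its registration request. It assumes the installer package is unzipped in the current directory, that the daemon lives at A2A_client_install_dir/catech/cspmclient/bin/cspmclientd on every UNIX platform (the path the AIX steps show), that "AIX" is accepted as a host type alongside the documented Linux and SolarisSparc values, and that the libidn check via ldconfig is only meaningful on glibc-based Linux.

```shell
#!/bin/sh
# Added example (not from the product documentation): wrapper around the A2A
# Client installer for UNIX and AIX hosts. Assumptions: installer package is
# unzipped in the current directory; daemon path is
# INSTALL_DIR/catech/cspmclient/bin/cspmclientd; "AIX" is our own host-type
# label that maps to setup_aix.

# setup_cmd HOST_TYPE INSTALL_DIR SERVER -> prints the installer command line
setup_cmd() {
    case "$1" in
        Linux|SolarisSparc) printf './setup_unix %s %s %s\n' "$1" "$2" "$3" ;;
        AIX)                printf './setup_aix %s %s\n' "$2" "$3" ;;
        *) echo "unknown host type: $1 (use Linux, SolarisSparc or AIX)" >&2; return 1 ;;
    esac
}

# is_ip ADDR -> 0 if ADDR is a dotted-quad IPv4 literal
is_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# has_libidn -> 0 if the dynamic loader cache lists libidn (glibc Linux only)
has_libidn() {
    ldconfig -p 2>/dev/null | grep -q 'libidn'
}

# a2a_install HOST_TYPE INSTALL_DIR SERVER
a2a_install() {
    cmd=$(setup_cmd "$1" "$2" "$3") || return 1
    if [ -d "$2/catech/cspmclient" ]; then
        echo "existing A2A Client under $2; uninstall it first" >&2; return 1
    fi
    if [ "$1" = Linux ] && ! has_libidn; then
        echo "libidn not found; the installer would stop with an error" >&2; return 1
    fi
    if ! is_ip "$3"; then
        # An FQDN must match the name in the appliance SSL certificate.
        echo "note: $3 must match the name in the appliance SSL certificate"
    fi
    chmod u+x setup_unix setup_aix 2>/dev/null
    echo "running: $cmd"
    sh -c "$cmd" || return 1
    # First start sends the registration request; the device is created inactive.
    "$2/catech/cspmclient/bin/cspmclientd" start
}

# --- dry-run demonstration (no installer present): show the command lines ---
setup_cmd Linux /opt/cloakware pam.example.com   # assumed install dir and FQDN
setup_cmd AIX   /opt/cloakware 10.0.0.5          # assumed appliance IP
# Real run on a prepared host:
#   a2a_install Linux /opt/cloakware pam.example.com
```

After a2a_install returns, the device still has to be activated in the UI as described under Activate and Deactivate the A2A Request Server; the wrapper only gets the Client as far as registration.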
Registration of the A2A Client Host
After you install the A2A Client and start it for the first time, the Client sends a registration request to PAM. The appliance registers the Client and automatically configures an A2A device. The appliance names the device using the fully qualified domain name or the Client host IP address.
To re-register the A2A Client, modify the A2A device record in the UI: clear the A2A option for the Device Type setting. When you make the change, the A2A Client responds by re-registering.
If you change the device address without changing the device name, the re-registration fails. The Sessions, Logs screen displays an error that the request server cannot register because the device name already exists.
The A2A Client is registered in an inactive state. For the A2A Client to receive credentials, activate the request server, as instructed in the next procedure.
Activate and Deactivate the A2A Request Server
The A2A Client is registered in an inactive state. Activate the request server with the installed A2A Client.
This procedure assumes that you have:
  • Installed the A2A Client software
  • Started the A2A Client (CSPMClient service)
Follow these steps:
  1. Select Devices, Manage Devices.
  2. From the Devices list, select the A2A Client and select Update.
  3. On the Basic Info tab, select the Active option in the Request Client section.
  4. Select OK to activate the A2A Client.
To deactivate a request server, repeat the previous procedure but clear the Active option.