Privileged Access Manager Server Control Login Integration

As a security administrator, you want to audit the actual user of your server, not the shared local privileged user name. Server Control Login Integration allows Privileged Access Manager to integrate the login process and information with Server Control. When activated, it allows the actual user name to be used for auditing in Privileged Access Manager Server Control.
Configure Server Control Login Settings
Integration of Server Control Login requires configuration of specific Server Control settings and the creation of the following endpoint definitions:
  • Device
  • Account
  • Application
  • Policy
To use server names instead of IP addresses, verify that DNS servers are configured in the Network Configuration section. From the UI main page, select Configuration, Network, Network Settings. Verify that a DNS IP address is listed in the DNS Servers field. If none is listed, add your DNS servers. Select Update to save the changes.
CA Modules Configuration
Set up ActiveMQ for Server Control in the Server Control section of CA Modules. Some information from the Server Control setup is required.
  1. Log in to the Privileged Access Manager UI.
  2. Select Configuration, CA Modules, CA PAM Server Control.
  3. Set the Enable Login Integration option.
  4. Enter the target server host name or IP address in the ENTM Host Name or IP field.
  5. Enter the Port number, or accept the default 61616.
  6. Optionally, unset the Use SSL option (which is set by default), if appropriate.
  7. Enter the ActiveMQ Broker Account. The default is "reportserver".
  8. Enter the Password.
  9. Optionally, specify a different Message time-to-live value (the default is 60 minutes).
  10. Optionally, specify a different Reply Timeout (the default is 10 seconds).
  11. Select Ping AMQ Console when complete.
  12. Verify that your information is correct and select Save.
Create a Device
Create a Device for the Privileged Access Manager Server Control endpoint.
  1. Select Devices, Manage Devices.
  2. Select Add to create a device.
  3. Enter the host name in the Name field.
  4. Enter the IP address in the Address field. To verify the IP address, select Scan.
  5. Specify the target Operating System.
     Always specify the applicable operating system. Use of the "Other" setting causes access failure when a PAM user attempts to log in to the specified device.
  6. Set the Password Management option.
  7. Select the Access Methods tab and select the plus sign (+) button to add an Access Method.
  8. Select the access type (such as SSH or RDP) from the Name drop-down list.
     Specific access method details appear. Add or alter the information as necessary.
  9. All other fields on all tabs are optional.
  10. Select OK to save your changes.
Create an Application
Create an Application for the Privileged Access Manager Server Control endpoint.
  1. Select Credentials, Manage Targets, Applications.
  2. Select the Add button to create an application.
  3. Enter the host name in the Host Name field, or use the magnifying glass icon to the right to select from existing Devices.
  4. Enter the Device Name. (Selecting an existing device using the magnifying glass icon to the right of the Host Name field also populates this field.)
  5. Enter the target Application Name.
  6. Select the Application Type.
     Do not select the "Generic" option; doing so can result in access issues.
     Certain Application Types display more options when selected. For example, Windows Proxy allows selection of Local or Domain Account. Most fields are optional or show a default value.
  7. Select OK to save your changes.
Windows or Windows Proxy applications that use a local account require that you use the target device's machine name (NetBIOS name) in the Name field of the target device.
Create an Account
Create an Account for the Privileged Access Manager Server Control endpoint.
  1. Select Credentials, Manage Targets, Accounts.
  2. Select the Add button to create an account.
  3. Enter the host name in the Host Name field, or use the Select magnifying glass icon to the right to select from existing Devices.
  4. Enter the Device Name. (Selecting an existing device using the Select magnifying glass icon to the right of the Host Name field also populates this field.)
  5. Use the magnifying glass icon to the right of the Application Name field to select from Applications that have already been created for the Device. Alternatively, use the Add Target Application plus sign (+) icon to add an application directly from this screen.
  6. Enter the Account Name to use for connecting to the Server Control endpoint.
  7. Enter the Password for the Account Name that you selected.
  8. Other fields are optional. At this point, you may want to enable password management options. For more information, see Protect Privileged Account Credentials.
  9. Select OK to save your changes.
Create a Policy
Create an Access Policy for the Server Control endpoint.
  1. Select Policies, Manage Policies.
  2. Select the Add button to create a policy.
  3. Select the User to use for connecting to the Server Control device.
  4. Select the Server Control Device.
  5. On the Access tab, select one or more entries from the Available Access list and move them to the Selected Access list.
  6. On the CA PAM Server Control tab, set the Login Integration option.
  7. Other fields are optional.
  8. Select OK to save your changes.
Test the Login Integration
To test Privileged Access Manager Server Control Login Integration, connect through the Access link on the Access Management page and verify the user name substitution.
  1. Select Access.
     A list of Device Names appears with corresponding Access Methods and Target Applications.
  2. Select the Access Method link (such as RDP or SSH) for the Server Control Device you are integrating.
     An RDP or SSH session opens to the Device.
  3. For Windows RDP, open PowerShell or the Command Prompt. For Linux, use the SSH prompt.
     The prompt shows the local Server Control privileged user login, not the Privileged Access Manager user.
  4. For Windows, enter "secons -whoami". For Linux, enter "/opt/CA/AccessControl/bin/sewhoami -a".
     The Server Control secons utility writes several lines of text.
  5. Find the "PUPM User". This should be the Privileged Access Manager user, not the local Server Control privileged user.
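The manual check in steps 4 and 5 can be scripted so that it runs as part of a post-configuration audit on a Linux endpoint. The following POSIX shell script is an added example, not part of the CA documentation or the Server Control product: it runs the sewhoami utility at the path given above, extracts the PUPM User value and compares it with the Privileged Access Manager user you expect. The line layout of the sewhoami output (a line of the form "PUPM User: <name>") is an assumption made here; adjust the sed pattern to the output your endpoint actually produces. A constructed sample output is embedded so the script can be exercised on a machine without Server Control installed.

```shell
#!/bin/sh
# Added example (not from the CA documentation): verify that Server Control
# Login Integration substitutes the Privileged Access Manager user for the
# shared local privileged account on a Linux endpoint.
#
# Assumption: sewhoami -a prints a line of the form
#   PUPM User: <name>
# That layout is assumed here and is not taken from the documentation.

SEWHOAMI=/opt/CA/AccessControl/bin/sewhoami   # path as given in the documentation

# Constructed sample output, used when sewhoami is not installed (for example
# when trying this script on a workstation rather than on an endpoint).
SAMPLE_OUTPUT='Server Control user information
Local User: root
PUPM User: pam.alice
Terminal: pts/0'

# Read sewhoami-style output on stdin and print the PUPM User value.
# Prints nothing when no such line is present.
pupm_user_from_output() {
    sed -n 's/^PUPM User:[[:space:]]*//p' | head -n 1
}

# Run the real utility when it is present, otherwise fall back to the sample.
sewhoami_output() {
    if [ -x "$SEWHOAMI" ]; then
        "$SEWHOAMI" -a
    else
        printf '%s\n' "$SAMPLE_OUTPUT"
    fi
}

# check_login_integration EXPECTED_USER [OUTPUT]
# Returns 0 when the PUPM User equals EXPECTED_USER, 1 otherwise.
# When OUTPUT is supplied it is parsed instead of calling sewhoami.
check_login_integration() {
    expected=$1
    if [ $# -ge 2 ]; then
        actual=$(printf '%s\n' "$2" | pupm_user_from_output)
    else
        actual=$(sewhoami_output | pupm_user_from_output)
    fi
    if [ -z "$actual" ]; then
        echo "no PUPM User line found; login integration is not active" >&2
        return 1
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: PUPM User is '$actual'"
        return 0
    fi
    echo "MISMATCH: PUPM User is '$actual', expected '$expected'" >&2
    return 1
}

# Usage: ./check_pupm.sh <expected Privileged Access Manager user>
if [ -n "$1" ]; then
    check_login_integration "$1"
fi
```

Run it inside the RDP or SSH session opened through the Access page, passing the Privileged Access Manager user name you logged in with; a non-zero exit status means the prompt is still attributed to the shared local account and the Login Integration option on the policy or the CA Modules page should be rechecked.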