Password Encryption stored in PAM

Article ID: 123064


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

How does PAM store user passwords for PAM local login and for target accounts?

Environment

Applies to all CA PAM Releases as of October 2023.

Resolution

The passwords of local PAM login users are not stored in PAM. Only a SHA-512 hash is stored in the DB.
When a user logs in to PAM with a PAM local account, the password given is hashed and compared to the stored value.
The process cannot be reversed to recover the clear-text password of a login user.

Passwords for accounts used to connect to end-points must be known to PAM in clear text when opening a session with automated login.
These account passwords are stored encrypted using AES-256 with a key unique to the cluster. Each cluster uses a different key encryption key.
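
The two storage models described above, side by side, as an added illustration that is not CA PAM's own code: a one-way SHA-512 verifier for local logins and reversible AES-256 encryption under a per-cluster key for target accounts. The per-user salt, the GCM mode, the use of the cluster key directly on the data, all function names and the sample values are assumptions; the article states only SHA-512 and AES-256. It uses the third-party `cryptography` package.

```python
import hashlib, hmac, os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# --- Local login users: only a one-way SHA-512 verifier is kept ---
def make_login_record(password: str) -> dict:
    salt = os.urandom(16)  # assumption: per-user salt, not stated in the article
    digest = hashlib.sha512(salt + password.encode()).digest()
    return {"salt": salt, "sha512": digest}

def check_login(record: dict, candidate: str) -> bool:
    digest = hashlib.sha512(record["salt"] + candidate.encode()).digest()
    return hmac.compare_digest(digest, record["sha512"])  # constant-time compare

# --- Target accounts: reversible AES-256 under a key unique to the cluster ---
def new_cluster_key() -> bytes:
    return AESGCM.generate_key(bit_length=256)

def seal_target_password(cluster_key: bytes, account: str, password: str) -> bytes:
    nonce = os.urandom(12)
    # The account name is bound as associated data, so a blob cannot be
    # moved to another account's record without failing authentication.
    sealed = AESGCM(cluster_key).encrypt(nonce, password.encode(), account.encode())
    return nonce + sealed

def open_target_password(cluster_key: bytes, account: str, blob: bytes):
    try:
        plain = AESGCM(cluster_key).decrypt(blob[:12], blob[12:], account.encode())
        return plain.decode()
    except InvalidTag:
        return None  # wrong cluster key, wrong account, or modified blob

def demo() -> dict:
    # All values below are constructed sample data.
    record = make_login_record("Constructed-Login-Pw1")
    key_a, key_b = new_cluster_key(), new_cluster_key()
    blob = seal_target_password(key_a, "root@db01", "Constructed-Target-Pw2")
    return {
        "login_ok": check_login(record, "Constructed-Login-Pw1"),
        "login_bad": check_login(record, "wrong"),
        "same_cluster": open_target_password(key_a, "root@db01", blob),
        "other_cluster": open_target_password(key_b, "root@db01", blob),
    }

if __name__ == "__main__":
    print(demo())
```

The login record contains nothing that can be turned back into the password, while the target-account blob opens only with the key of the cluster that sealed it.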