What is the right syntax to update passwords using the CLI in CA PAM?

Article ID: 144337

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Changing the password of a privileged or non-privileged target account from the command line with the CLI/Java API can be cumbersome because of the number of parameters involved, the multiple possible options for each one, and the lack of practical examples. This article provides the CLI command syntax for changing the password of a privileged and a non-privileged target account belonging to a Linux/UNIX target application. The command examples provided can easily be modified to accommodate similar use cases.

Environment

CA PRIVILEGED ACCESS MANAGEMENT, all active versions

Resolution

The following use cases are presented:
  • Change of a privileged account password, assuming the root is able to change its own password. The syntax is
capam_command capam=<<your_pam_server>> adminUserId=<<admin_user>> cmdName=updateTargetAccount TargetServer.hostName=<<target_hostname_or_ip>> TargetApplication.name=<<linux_application_associated_to_target_hostname>> TargetAccount.userName=<<your_target_account>> TargetAccount.ID=<<numerical_id_of_target_account>> TargetAccount.password=<<new_password>> TargetAccount.privileged=true Attribute.useOtherAccountToChangePassword=false Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.verifyThroughOtherAccount=false Attribute.passwordChangeMethod=DO_NOT_USE_SUDO

For instance

capam_command capam=10.17.42.215 adminUserId=super cmdName=updateTargetAccount TargetServer.hostName=lvntest005347.lvn.broadcom.com TargetApplication.name=lvntest005347-ssh TargetAccount.userName=gilmi06 TargetAccount.ID=32001 TargetAccount.password=<<new_password>> TargetAccount.privileged=true Attribute.useOtherAccountToChangePassword=false Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.verifyThroughOtherAccount=false Attribute.passwordChangeMethod=DO_NOT_USE_SUDO

Note that the value DO_NOT_USE_SUDO of Attribute.passwordChangeMethod may be replaced by any of the other possible values if you need to use sudo or elevated privileges to change the password of a privileged target account.
  • Change of a non-privileged account password by using the root user. The syntax is
capam_command capam=<<your_pam_server>> adminUserId=<<admin_user>> cmdName=updateTargetAccount TargetServer.hostName=<<target_hostname_or_ip>> TargetApplication.name=<<linux_application_associated_to_target_hostname>> TargetAccount.userName=<<target_account_whose_password_you_want_to_change>> TargetAccount.ID=<<numerical_id_of_target_account_to_change_password>> TargetAccount.password=<<new_password>> TargetAccount.privileged=false Attribute.useOtherAccountToChangePassword=true Attribute.otherAccount=<<numerical_id_of_other_account_to_change_password>> Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.verifyThroughOtherAccount=false

For instance

capam_command capam=10.17.42.215 adminUserId=super cmdName=updateTargetAccount TargetServer.hostName=lvntest005347.lvn.broadcom.com TargetApplication.name=lvntest005347-ssh TargetAccount.userName=gilmi06 TargetAccount.ID=32001 TargetAccount.password=CAdemo123 TargetAccount.privileged=false Attribute.useOtherAccountToChangePassword=true Attribute.otherAccount=31001 Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.verifyThroughOtherAccount=false

  • Change of the root user password. The syntax is
capam_command capam=<<your_pam_server>> adminUserId=<<admin_user>> cmdName=updateTargetAccount TargetServer.hostName=<<target_hostname_or_ip>> TargetApplication.name=<<linux_application_associated_to_target_hostname>> TargetAccount.userName=root TargetAccount.ID=<<numerical_id_of_target_account_for_root>> TargetAccount.password=<<new_password>> TargetAccount.privileged=true Attribute.useOtherAccountToChangePassword=false Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.verifyThroughOtherAccount=false Attribute.passwordChangeMethod=IS_ROOT_ACCOUNT

For instance

capam_command capam=10.17.42.215 adminUserId=super cmdName=updateTargetAccount TargetServer.hostName=lvntest005347.lvn.broadcom.com TargetApplication.name=lvntest005347-ssh TargetAccount.userName=root TargetAccount.ID=31001 TargetAccount.password=<<new_password>> TargetAccount.privileged=true Attribute.useOtherAccountToChangePassword=false Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.verifyThroughOtherAccount=false Attribute.passwordChangeMethod=IS_ROOT_ACCOUNT
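
The three use cases above differ only in a handful of parameters. The shell function below is an added example, not part of the article and not Broadcom code: it builds the matching capam_command line for each use case, rejects inconsistent input, and can print the command with the password masked. The function name and the PAM_* variables are assumptions.

```shell
#!/bin/sh
# Added example (not Broadcom code). Assumed names: pam_update_password and the
# PAM_* variables. Assumes capam_command is on PATH, as in the article.

pam_update_password() {
    # usage: pam_update_password <self|other|root> <host> <app> <user> <id> [other_id]
    mode=$1 host=$2 app=$3 user=$4 id=$5 other=${6:-}

    if [ -z "${PAM_SERVER:-}" ] || [ -z "${PAM_ADMIN:-}" ] || [ -z "${PAM_NEW_PASSWORD:-}" ]; then
        echo "PAM_SERVER, PAM_ADMIN and PAM_NEW_PASSWORD must be set" >&2; return 2
    fi
    case $id in ''|*[!0-9]*) echo "TargetAccount.ID must be numeric" >&2; return 2 ;; esac

    case $mode in
    self)  priv=true;  use_other=false; method=DO_NOT_USE_SUDO ;;   # account changes itself
    root)  priv=true;  use_other=false; method=IS_ROOT_ACCOUNT      # the root account
           [ "$user" = root ] || { echo "root mode expects userName=root" >&2; return 2; } ;;
    other) priv=false; use_other=true;  method=                     # changed via another account
           case $other in ''|*[!0-9]*) echo "other mode needs a numeric otherAccount ID" >&2; return 2 ;; esac ;;
    *)     echo "unknown mode: $mode" >&2; return 2 ;;
    esac

    # In dry-run mode the password is masked so the line can go into a log or ticket.
    pw=$PAM_NEW_PASSWORD
    if [ "${PAM_DRY_RUN:-0}" = 1 ]; then pw='********'; fi

    # Same parameter order as the article's syntax lines.
    set -- "capam=$PAM_SERVER" "adminUserId=$PAM_ADMIN" cmdName=updateTargetAccount \
        "TargetServer.hostName=$host" "TargetApplication.name=$app" \
        "TargetAccount.userName=$user" "TargetAccount.ID=$id" "TargetAccount.password=$pw" \
        "TargetAccount.privileged=$priv" "Attribute.useOtherAccountToChangePassword=$use_other"
    if [ "$mode" = other ]; then set -- "$@" "Attribute.otherAccount=$other"; fi
    set -- "$@" Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.verifyThroughOtherAccount=false
    if [ -n "$method" ]; then set -- "$@" "Attribute.passwordChangeMethod=$method"; fi

    if [ "${PAM_DRY_RUN:-0}" = 1 ]; then
        printf 'capam_command'; printf ' %s' "$@"; printf '\n'
        return 0
    fi
    capam_command "$@"
}
```

Filling PAM_NEW_PASSWORD from a silent prompt rather than typing it inline keeps the new password out of shell history. It is still handed to capam_command as a command-line argument, as in the article's syntax.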


Additional Information

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/implementing/protect-privileged-account-credentials/identify-target-applications-and-connectors/add-a-unix-target-connector/unix-target-connector-cli-configuration.html