How to add an external MySQL Database to CA PAM

Article ID: 15538

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

I would like to configure my session logs in PAM to be administered in an external MySQL server.

  • What is required from my side?
  • How does PAM connect to the database?
  • Do I have to manually create the tables?
  • Is the MySQL Database going to be installed in the external storage?
  • How do I install MySQL Database in the external storage?

Environment

CA PAM 2.7.x -- This is an EOL/EOS Version, still part of this article for reference only.
CA PAM 2.8.x -- This is an EOL/EOS Version, still part of this article for reference only.
CA PAM 3.x -- This is an EOL/EOS Version, still part of this article for reference only.
CA PAM 4.x.x

Cause

This article enables Symantec PAM administrators to configure an external MySQL database to store session logs. A copy of the log files is automatically kept on the local server in an internal database.
Note: These procedures apply only to session logs, not to syslog messages.

Resolution

  • The PAM appliance is a black box. The MySQL DB is not installed in PAM. It has to be created in your own environment, on a DB server.
  • To prepare it, you only need to create a new database. No tables need to be created.
  • When PAM accesses the new MySQL database for the very first time, it automatically creates the tables.

Follow the steps below:

1) Install MySQL on a server.

Note: Ensure port 3306 is open between PAM and the MySQL server.

2) Connect to MySQL on the external server and create the database.

mysql> create database <Database Name>;

3) Grant privileges to the db user that is going to connect to the database from PAM:

mysql> GRANT ALL PRIVILEGES ON *.* TO root@'<PAM Hostname>' IDENTIFIED BY '<your password>' WITH GRANT OPTION;

OR

mysql> GRANT ALL PRIVILEGES ON *.* TO root@'%' IDENTIFIED BY '<your password>' WITH GRANT OPTION;

OR

mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES ON <db_name>.* TO <db_username>@'%';

The last "GRANT" is more specific with respect to the privileges granted: the user receives only the listed privileges on the database that was created, whereas the first two statements grant all privileges on every database on the server. The '%' host allows the account to connect from any host, not only from PAM.

mysql> FLUSH PRIVILEGES;

4) Log in to PAM and go to:

  • 2.x version of CA PAM: Config>>Logs
  • 3.x and 4.x.x: Configuration>>Logs>>External Log Server

In either version:

  • Configure the External Log Server by checking the "Enable logging to the external server" checkbox.
  • Enter the IP address of the server where the DB is hosted, the port and the credentials.

5) Click on Update. You should get the following message:


6) Connect to your database and verify that the tables were created:

mysql> use <Database Name>;

mysql> show tables;

E.g.: my <Database Name> is logpam
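Steps 2, 3 and 6 combined into one script that uses a dedicated, host-restricted account instead of root, with checks on what that account can actually do. This is an added example, not part of the original article; the account name pam_logger and the host pam01.example.internal are constructed placeholders, and logpam is the sample database name used above.

```sql
-- Added example. Constructed placeholders: pam_logger, pam01.example.internal.
-- logpam is the sample database name from step 6.

-- Step 2: create the database only. PAM creates its tables on first connection.
CREATE DATABASE IF NOT EXISTS logpam;

-- Step 3: a dedicated account that may connect only from the PAM appliance.
-- If the MySQL server runs with skip_name_resolve, use the PAM IP address
-- in place of the hostname, because hostnames are then never matched.
-- CREATE USER followed by GRANT also works on MySQL 8.0, where
-- GRANT ... IDENTIFIED BY is no longer accepted.
CREATE USER 'pam_logger'@'pam01.example.internal'
  IDENTIFIED BY '<your password>';

-- Same privilege list as the article's third GRANT, scoped to one database
-- and without WITH GRANT OPTION.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES
  ON logpam.*
  TO 'pam_logger'@'pam01.example.internal';

-- Check 1: the exact grants held by the account.
SHOW GRANTS FOR 'pam_logger'@'pam01.example.internal';

-- Check 2: database-level privileges recorded for logpam. Any grantee other
-- than the PAM account, or any privilege outside the list above, needs review.
SELECT grantee, privilege_type, is_grantable
FROM information_schema.schema_privileges
WHERE table_schema = 'logpam'
ORDER BY grantee, privilege_type;

-- Check 3: accounts left over from the broader GRANT variants in step 3:
-- a wildcard host or the server-wide grant option.
SELECT user, host, Grant_priv, Super_priv
FROM mysql.user
WHERE host = '%' OR Grant_priv = 'Y';

-- Step 6: after clicking Update in PAM, confirm that PAM created its tables.
SHOW TABLES IN logpam;
```

Enter pam_logger and its password in the External Log Server settings in step 4 in place of root.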


Additional Information

Note: This has to be a MySQL server. SQL Server is not compatible.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-2/configuring-your-server/use-logs-to-monitor-operations-and-user-sessions/configure-an-external-mysql-database-for-session-logs-optional.html