How to add an external MySQL Database to CA PAM
Article ID: 15538

Products

  • CA Privileged Access Manager - Cloakware Password Authority (PA)
  • CA Privileged Access Manager (PAM)

Issue/Introduction

I would like to configure my session logs in PAM to be administered in an external MySQL server.

  • What is required from my side?
  • How does PAM connect to the database?
  • Do I have to manually create the tables?
  • Is the MySQL database going to be installed in the external storage?
  • How do I install the MySQL database in the external storage?

Environment

CA PAM 3.x.x (EOL/EOS version; kept in this article for reference only)
CA PAM 4.2.x

Cause

This article enables Symantec PAM administrators to configure an external MySQL database to store session logs. A copy of the log files is automatically kept on the local server in an internal database.

Note: These procedures apply only to session logs, not to syslog messages.

Resolution

  • The PAM appliance is a black box. The MySQL DB is not installed on PAM; it has to be created in your own environment, on a DB server.
  • To prepare it, it is only necessary to create a new database. No tables need to be created.
  • When PAM accesses the new MySQL database for the very first time, it automatically creates the tables.

Follow the steps below:

1) Install MySQL on an external server.

Note: Ensure port 3306 is open between PAM and the MySQL Server.

2) Connect to MySQL on the external server and create the database:

mysql> create database <db_name> DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;

3) Create the DB user that PAM uses to access this database:

mysql> create user '<db_username>'@'%' IDENTIFIED WITH mysql_native_password BY '<db_password>';

Where:

  • <db_username> is the name of the database user you are creating.
  • <db_password> is the password for the database user you are creating.

4) Grant privileges to the <db_username> that is going to connect to the database from PAM:

mysql> GRANT ALL PRIVILEGES ON *.* TO '<db_username>'@'<PAM Hostname>' IDENTIFIED BY '<db_password>' WITH GRANT OPTION;

[OR mysql> GRANT ALL PRIVILEGES ON *.* TO '<db_username>'@'%' IDENTIFIED BY '<db_password>' WITH GRANT OPTION;]

[OR mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES ON <db_name>.* TO '<db_username>'@'%';
FLUSH PRIVILEGES;]

The last "GRANT" is more specific with respect to the privileges granted to the user: it is limited to the database created in step 2 and carries no GRANT OPTION, so it is the least-privilege choice. Two things to check before issuing the first two variants: the "GRANT ... IDENTIFIED BY" form is accepted by MySQL 5.7 and earlier only (MySQL 8.0 removed it, so there the account comes from the CREATE USER in step 3 and GRANT is issued without the IDENTIFIED BY clause), and because MySQL treats each user@host pair as a separate account, the host in the GRANT must match the one used in CREATE USER ('%' in step 3), otherwise the privileges land on a different account from the one PAM logs in with.

mysql> FLUSH PRIVILEGES;

5) Log in to PAM and go to:

  • 3.x and 4.x.x: Configuration >> Logs >> External Log Server
  • Configure the External Log Server by checking the "Enable logging to the external server" checkbox.
  • Enter the IP address of the server hosting the DB, the port and the credentials.

6) Click on Update. You should get the following message:

[Screenshot: confirmation message from the 3.x.x and 4.x.x versions]

7) Connect to your database and verify that the tables have been created:

mysql> use <Database Name>;

mysql> show tables;

Example: here <Database Name> is logpam.
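As an added example that is not part of the original article, the DB-side work of steps 2 to 4 consolidated into the least-privilege form (the third GRANT variant, with the account additionally restricted to the PAM appliance's address instead of '%'), followed by the checks for step 7. The database name pam_logs, the user pam_logger, the host 192.0.2.10 and the password are placeholders to replace with your own values.

```sql
-- Added example (not from the original article): least-privilege provisioning of
-- the PAM session-log database, plus the checks a DBA runs afterwards.
-- Placeholders: pam_logs (database), pam_logger (user), 192.0.2.10 (address PAM
-- connects from), and the password. Syntax is for MySQL 5.7 / 8.0.

-- Step 2: the database PAM writes session logs into.
CREATE DATABASE pam_logs
  DEFAULT CHARACTER SET utf8mb4
  DEFAULT COLLATE utf8mb4_unicode_ci;

-- Step 3: an account that can log in only from the PAM appliance's address.
-- Use the IP PAM actually connects from (or a hostname the DB server can
-- reverse-resolve); '%' would accept the same credentials from any host.
CREATE USER 'pam_logger'@'192.0.2.10'
  IDENTIFIED WITH mysql_native_password BY 'REPLACE-WITH-STRONG-PASSWORD';

-- Step 4: only what PAM needs on this one database. PAM creates its own tables
-- on first connection (CREATE), then inserts and queries log rows.
-- Deliberately no GRANT OPTION and nothing on *.*.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES
  ON pam_logs.* TO 'pam_logger'@'192.0.2.10';
FLUSH PRIVILEGES;

-- Check 1: the effective grants should list only pam_logs.* privileges.
SHOW GRANTS FOR 'pam_logger'@'192.0.2.10';

-- Check 2: no account of that name should hold a global privilege, e.g. one
-- left over from an earlier GRANT ALL ... ON *.* WITH GRANT OPTION.
-- Expected result: no rows.
SELECT user, host
  FROM mysql.user
 WHERE user = 'pam_logger'
   AND (grant_priv = 'Y' OR super_priv = 'Y' OR select_priv = 'Y' OR insert_priv = 'Y');

-- Step 7 (after saving the External Log Server settings in PAM): the tables
-- PAM created on its first connection should now be listed.
SELECT table_name, table_rows
  FROM information_schema.tables
 WHERE table_schema = 'pam_logs';
```

If the step 7 query returns no rows after PAM reports the server as configured, check the port 3306 path and that the host in CREATE USER matches the address the MySQL server sees PAM connecting from.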

Attachments

  • external_log_server_configured.png
  • port scan.png