How to add an external MySQL Database to CA PAM

Article Id: 15538
Status: Published
Updated On: 28-02-2020 16:56
Products:
CA Privileged Access Manager - Cloakware Password Authority (PA) , PAM SAFENET LUNA HSM , CA Privileged Access Manager (PAM) , CA Privileged Access Manager (PAM)
Issue/Introduction:

I would like to configure my session logs in PAM to be administered in an external MySQL server.

 



  • What is required from my side?
  • How does PAM connect to the database?
  • Do I have to manually create the tables?
  • Is the MYSQL Database going to be installed in the external storage? 
  • How do I install  MYSQL Database in the external storage?

Environment:

CA PAM 2.7.x
CA PAM 2.8.x
CA PAM 3.x

Resolution:

  • PAM Appliance is a black box. The MYSQL DB is not installed in PAM. It has to be created in your own environment, in a DB server.
  • To prepare it, it is only necessary to create a new database accordingly. No tables need be created. 
  • When PAM accesses the new MySQL Database for the very first time, it will automatically create the tables.


Follow the below steps:



1) Install MySQL in a server.



Note: Ensure port 3306 is open between PAM and the MySQL Server.



2) Connect to MySQL in the external server and create the database. 



mysql> create database <Database Name>;



3) Grant privileges to the db user that is going to connect to the database from PAM:



mysql> GRANT ALL PRIVILEGES ON *.* TO [email protected]'<PAM Hostname>' IDENTIFIED BY '<your password>' WITH GRANT OPTION;



[OR mysql>GRANT ALL PRIVILEGES ON *.* TO [email protected]'%' IDENTIFIED BY '<your password>' WITH GRANT OPTION;]



mysql> FLUSH PRIVILEGES;



4) Login to PAM and go to:



  • 2.x:  Config>>Logs



  • 3.x: Configuration>>Logs>>External Log Server


 
  • Configure the External Log Server by checking the "Enable logging to the external server" checkbox.
  • Enter the server IP where the DB is connected, port and credentials.


5) Click on Update. You should get the following message:





6) Connect to your database and verify that tables get created:



mysql>use <Database Name>; 



mysql>show tables;



Eg: my <Database Name> is logpam



 

Additional Information:

Note: This has to be a MySQL server. SQL Server is not compatible.

  • 2.x: https://docops.ca.com/ca-privileged-access-manager/2-8/EN/reference/web-gui/toolbar/config/logs#Logs-ExternalLogServer
PAM DB Version 2.8.3:
mysql  Ver 14.14 Distrib 5.1.58, for debian-linux-gnu (i486) using readline 5.2
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.1.58-1~dotdeb.0-log (Debian)
Protocol version:       10
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
 
  • 3.x: https://docops.ca.com/ca-privileged-access-manager/3-0/EN/implementing/configure-your-server/logging-server-activity/configure-an-external-database-for-session-logs-optional/

PAM DB Version 3.x:
mysql Ver 14.14 Distrib 5.7.21, for Linux (x86_64) using EditLine wrapper 
Current pager: stdout 
Using outfile: '' 
Using delimiter: ; 
Server version: 5.7.21-log MySQL Commercial Server (Advanced) 
Protocol version: 10 
Server characterset: utf8mb4 
Db characterset: utf8mb4 
Client characterset: utf8mb4 
Conn. characterset: utf8mb4