Unable to automatically login to CA Automation Point Client using CA PAM

Article ID: 192051

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

There is a need to launch Automation Point Client from PAM and to log in to it automatically. Automation Point Client is installed on a Windows server. It is not clear how to configure this.

Cause

The PAM feature for launching a program on a Windows server and supplying it with the necessary credentials is RDP Transparent Login (TL). Transparent Login must be presented with a screen on which the UserID field, the Password field and the Submit button are all visible. With Automation Point Client the program that is run is apview.exe, which does not prompt for credentials. The next step is to click Action and then Open remote connection. In the window that opens the address of the target system is entered, but there is still no prompt for credentials. To get one, the Use explicit credentials box must be checked and Connect clicked. The Login window then appears, and into this the Transparent Login script can inject the userid and password. The problem is that Transparent Login cannot take the user through the preceding windows automatically: handling multiple windows is not currently a feature of PAM.

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The apview.exe program has several run-time parameters, one of which specifies the target system: /h followed by the Fully Qualified Domain Name or IP address of the target system, for example /hmytargetsystem.broadcom.net. This removes the need to interact with the first two screens, and TL is able to inject the credentials and log into the Automation Point Client. For this to work, apview.exe must be a published application, with /h<target system address> specified as the parameter always to be used.


It may also be possible to use "Allow any command-line parameters", but this is less secure, and it is recommended that this be avoided.

If the PAM Admin does not know how to publish applications on the Windows server, the steps may be found here:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-4/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-devices/setting-up-transparent-login/set-up-transparent-login-for-rdp-servers.html
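The following PowerShell is an added example, not part of the Broadcom article or of PAM: it publishes apview.exe with the fixed /h parameter and then audits the allow list for the "Allow any command-line parameters" setting the article recommends avoiding. It assumes the standard Windows RemoteApp allow list under TSAppAllowList; the install path and target host are placeholders.

```powershell
# Added example (not from the article): publish apview.exe as a RemoteApp with a
# pinned /h<target> parameter, then flag any published application that accepts
# arbitrary command-line parameters. Assumes the standard Windows RemoteApp allow
# list under TSAppAllowList; install path and target host are placeholders.
$AllowList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList'
$AppName   = 'apview'
$AppPath   = 'C:\Program Files\CA\AutomationPoint\apview.exe'   # placeholder install path
$Target    = 'mytargetsystem.broadcom.net'                       # placeholder target system

function Publish-ApviewRemoteApp {
    param([string]$Name, [string]$Path, [string]$TargetHost)
    $key = Join-Path (Join-Path $AllowList 'Applications') $Name
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The address follows /h directly, with no space, as in /hmytargetsystem.broadcom.net
    $required = "/h$TargetHost"
    Set-ItemProperty -Path $key -Name 'Name' -Value $Name
    Set-ItemProperty -Path $key -Name 'Path' -Value $Path
    Set-ItemProperty -Path $key -Name 'RequiredCommandLine' -Value $required
    # CommandLineSetting: 0 = no parameters, 1 = allow any (less secure),
    # 2 = always use RequiredCommandLine, which is what Transparent Login needs here
    Set-ItemProperty -Path $key -Name 'CommandLineSetting' -Value 2 -Type DWord
    # Keep the allow list enforced so only published applications can be started
    Set-ItemProperty -Path $AllowList -Name 'fDisabledAllowList' -Value 0 -Type DWord
}

function Test-RemoteAppAllowList {
    # Returns one finding per published application whose parameters are not pinned
    $findings = @()
    $disabled = (Get-ItemProperty -Path $AllowList -ErrorAction SilentlyContinue).fDisabledAllowList
    if ($disabled -eq 1) { $findings += 'fDisabledAllowList=1: unpublished programs can be launched' }
    Get-ChildItem -Path (Join-Path $AllowList 'Applications') -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.CommandLineSetting -eq 1) {
            $findings += "$($p.Name): allows any command-line parameters"
        } elseif ($p.CommandLineSetting -eq 2 -and -not $p.RequiredCommandLine) {
            $findings += "$($p.Name): requires a command line but none is set"
        }
    }
    return $findings
}

Publish-ApviewRemoteApp -Name $AppName -Path $AppPath -TargetHost $Target
Test-RemoteAppAllowList | ForEach-Object { Write-Warning $_ }
```

Run from an elevated session on the Windows server hosting Automation Point Client; the audit function can also be run on its own as a periodic check.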

Once the Windows server is set up, PAM must be configured to launch the published application. This requires an RDP Application whose configuration matches that of the published application, including the /h parameter.

It is also necessary to configure the Transparent Login tab: check the Transparent Login box and provide the Window Title and the Transparent Login Configuration to be used. The Window Title lets Transparent Login recognise when the window into which the credentials must be inserted has appeared. The TL Configuration specifies the script that locates the UserID and Password fields and the button to be clicked to submit the credentials.


The general instructions for configuring a TL script in Learn Mode may be found here:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-4/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-devices/setting-up-transparent-login/set-up-transparent-login-for-rdp-servers/configure-windows-transparent-login.html

This RDP Application must be configured for the appropriate Device in PAM, together with the Target Application and Target Account, so that the credentials to be used are vaulted in PAM. The RDP Application must then be configured as a service in the Policy connecting the User and the Device, with the vaulted credentials attached to it.


The Target Account in this example used the Generic Target Application, so those screens are not included. The PAM Sys Admin should use whichever Target Application meets the needs of the environment.
