PowerShell script as TCP/UDP service

Article ID: 198532
Products

CA Privileged Access Manager (PAM); CA Privileged Access Manager - Cloakware Password Authority (PA); CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

We are interested in configuring a service that launches a powershell script in PAM, passing in the parameters that are available in TCP/UDP service definitions, such as <Local IP> and <First Port>. We found forum post https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=803467#bm4b812c70-bc62-4762-90a1-374642296bf6, but this didn't provide enough information for us to get a service working.
How can this be achieved?

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Unless your PowerShell script invokes a client for a protocol supported by PAM, such as an SSH client or an RDP client, you will have to configure the service with the application protocol set to Disabled. In this case PAM will only route the connection to the target device, and session recording will not be available. A sample Client Application string is:

cmd /c start powershell -ExecutionPolicy Bypass "&'c:\PSScripts\PAMService.ps1' -user <User> -password '<Password>' -localip <Local IP> -firstport <First Port> -devicename <Device Name>"

Here is a screenshot of the service definition


Launching the service will start a PowerShell process and execute the script. Our sample script c:\PSScripts\PAMService.ps1 has the following contents:

<#
Invoke from PAM Service with
cmd /c start powershell -ExecutionPolicy Bypass "&'c:\PSScripts\PAMService.ps1' -user <User> -password '<Password>' -localip <Local IP> -firstport <First Port> -devicename <Device Name>"
#>

# PAM substitutes the <User>, <Password>, <Local IP>, <First Port> and <Device Name>
# placeholders in the Client Application string before the script is launched.
param($user, $password, $localip, $firstport, $devicename)

# Write the parameters for demonstration only; a production script should not
# echo the password to the console.
Write-Host "user=$user"
Write-Host "password=$password"
Write-Host "localip=$localip"
Write-Host "firstport=$firstport"
Write-Host "devicename=$devicename"

# your code here

# Responding to this will close the Service
Read-Host "Hit Enter to continue"


This will yield the following result when launching the service from the PAM Access Page:

Port 61558 is a random port that was available when the PAM session started, because we used the wildcard in the Service definition for the local port.

If you add code in the PS script to make a network connection to <Local IP>:<First Port> (here 127.3.2.1:61558), PAM will route this connection to port 8080 on device psdemodevice.broadcom.com.
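The following script is an added example, not part of the KB article or of the PAM product itself. It takes the same five parameters as the sample above, opens a TCP connection to the PAM listener at <Local IP>:<First Port> (which PAM then forwards to the target port on the device), and wraps the PAM-supplied password in a PSCredential instead of echoing it. The 5-second connect timeout and the use of System.Net.Sockets.TcpClient are choices made here; the Client Application string is assumed to be the one shown above.

```powershell
<#
Added example: connect through the PAM-routed <Local IP>:<First Port>
and hold the PAM-supplied credential without printing it.
Invoke from the PAM Service with the same Client Application string as
the sample script above.
#>
param(
    [Parameter(Mandatory)][string]$user,
    [Parameter(Mandatory)][string]$password,
    [Parameter(Mandatory)][string]$localip,
    [Parameter(Mandatory)][int]$firstport,
    [Parameter(Mandatory)][string]$devicename
)

# Convert the clear-text parameter to a PSCredential right away and drop the
# plain string, so the rest of the script (and any transcript) only sees the
# credential object.
$secure = ConvertTo-SecureString -String $password -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($user, $secure)
Remove-Variable -Name password

Write-Host "Connecting to $devicename via PAM listener ${localip}:${firstport}"

$client = New-Object System.Net.Sockets.TcpClient
try {
    # Connect with a timeout; PAM only forwards while the Access Page session is open.
    $async = $client.BeginConnect($localip, $firstport, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne(5000)) {
        throw "Timed out connecting to ${localip}:${firstport}"
    }
    $client.EndConnect($async)
    Write-Host "Connected. Local endpoint: $($client.Client.LocalEndPoint)"

    # Protocol-specific code goes here, using $client.GetStream() and $cred.
    # If a client API needs the clear-text password, call
    # $cred.GetNetworkCredential().Password as close to that use as possible.
}
catch {
    Write-Host "Connection failed: $_"
}
finally {
    $client.Close()
}

# Responding to this closes the PAM service session.
Read-Host "Hit Enter to continue"
```

Converting to a PSCredential keeps the password out of the console and out of later Write-Host output, but it does not change the fact that PAM passes it on the powershell.exe command line, where it is visible to anyone who can list processes on the client host; keep that in mind when deciding what the script logs and who can log on to the client machine.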

We added sample special characters to the password to demonstrate that this can work with many special characters, but some characters in the password, such as quote characters, would break the service launch. Make sure to exclude such characters from the password composition policy for the target accounts you configure in the access policy. This applies to TCP/UDP services in general, not just the service discussed here.