search cancel

Creating target accounts using the remote CLI addTargetAccount command without knowing the current password

book

Article ID: 202526

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We need to import hundreds of target accounts to existing target applications in PAM. The problem is that the passwords of the accounts are not known. Is it possible to create the accounts with API calls, e.g. using the remote CLI so that they are synchronized and the password provided in the command is set on the target server? We do have accounts configured in PAM already that can be used to set the password of the new accounts.

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

As long as a service account is available in PAM and configured as the "other account" to change the new account's password, a new account can be published using the remote CLI with a new password if Attribute.forcePasswordChange=true is specified. Use of another account to change a managed account's password is supported by many types of target applications. Here is an example for a target application of type Windows Remote:

./capam_command -n mypamserver -u super -p mysuperpwd cmdName=addTargetAccount TargetServer.hostName=myhost.mydomain.net TargetApplication.name=myhost-WinRemote TargetAccount.userName=manageme TargetAccount.password=Testing01 TargetAccount.privileged=true TargetAccount.synchronize=true Attribute.extensionType=windowsRemoteAgent Attribute.accountType=user Attribute.useOtherAccountToChangePassword=true Attribute.otherAccount=1042001 Attribute.forcePasswordChange=true

You need to know the target account ID of the service account you use to manage the new account. In the example above it is 1042001. You get account IDs from the searchTargetAccount command:

./capam_command -n mypamserver -u super -p mysuperpwd cmdName=searchTargetAccount TargetAccount.userName=adminaccount TargetApplication.name=myhost-WinRemote

This lists all attributes of the existing service account. The account ID typically is found at the end of the returned result.
<CommandResult>...<extensionType>windowsRemoteAgent</extensionType><ID>1042001</ID></TargetAccount></cr.result></CommandResult>

 

Our online documentation includes details on available attributes for each target application. E.g. the PAM 3.4.1 page for attributes specific to the Windows Remote target application is https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-1/implementing/protect-privileged-account-credentials/identify-target-applications-and-connectors/add-a-windows-remote-target-connector/windows-remote-target-connector-cli-configuration.html.

The documentation page on the addTargetAccount remote CLI command, https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-1/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/addtargetaccount.html for PAM 3.4.1, discusses attributes common to all target accounts types.

 

Also make sure that you have the remote CLI enabled on your PAM server, otherwise you will get the error discussed in https://knowledge.broadcom.com/external/article?articleId=202525.