How does CA PAM client install and update ?
search cancel

How does CA PAM client install and update ?

book

Article ID: 208073

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The CA PAM client is not much different than the common browser interface. Since most common web browsers no longer support the use of Java Applets the CA PAM client became a more common way to use the product. The PAM Client is created using a customized Chromium Browser with local Java components to allow local access. Due to the updates required to maintain compatibility an update process is used to ensure the common components installed locally do match the version from the PAM server it is connected to.

Environment

Release : All CA PAM versions

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

Request For Information (RfI)

Resolution

The general process of the way the CA PAM Client is installed and updated is as follows.  

When first connecting to the CA PAM server through a standard web browser at https://<IP or DNS Name of the CA PAM server>/ the initial login screen will appear. A link is provided to download the proper client based on the operating system detected through the browser.

 

 

When the download button is clicked it will generate the download from the defined download location which by default is an external cloud location
https://d21oi5tjuccwe.cloudfront.net/ca-pam/install/<OS>/<Client Install>

All binaries are retrieved from an AWS Service called Cloudfront over HTTPS.

The CA PAM client upgrade options can be viewed after the login to CA PAM using the Web Browser. Settings --> Global Settings --> Client Settings.

After the client is installed and launched and the connection to the CA PAM server has started the client version will either upgrade or downgrade to match the specific server build connected. This download will update the base client version by downloading from the specific appliance it is connected to.

Note that PAM client releases are not exact matches of any PAM server release. When a new PAM client connects to a PAM server for the first time, it always will have to update to the specific release/build the PAM server is running, even if the PAM server is running the GA release matching the PAM client release you installed.

The links below can provide greater details on the process.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1/deploying/deploy-the-pam-client.html

Configure How the Client is Made Available

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1/deploying/deploy-the-pam-client/configure-how-the-client-is-made-available.html

Use a Private Delivery Network to Distribute the Client Installer

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1/deploying/deploy-the-pam-client/use-a-private-delivery-network-to-distribute-the-client-installer.html

See (Optional) Disable PAM Client Update Checking

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1/deploying/deploy-the-pam-client.html#concept.dita_0190d90c6dc753bf97a6bcf0d12dfd7420de5453_OptionalDisableCAPAMClientUpdateChecking