Part of what hardens the CA PAM is the lack of ability for anyone , including system monitors from accessing the console or backend. The only port that is open to any external access by default is port 443. Several other ports are required to be opened between cluster nodes but these are not accessible by any other resource.
The only access methods to the backend of this appliance is through Broadcom support and even then the ssh access must be manually started prior to that access and this access is never passed over to the client. This access uses Private Key authentication witch expires every 3 months from when the key is made, not when the key is added to the system. Furthermore the ssh service used to connect can only be started based on time, default is 1 week and the max time is 3 month. See "Remote PAM Debugging Services" in the latest CA PAM Manual for more information on how to enable.