How are PAM SSH, RDP, Web Portal and DB Connections secured in PAM?


Article ID: 276215


Updated On:


CA Privileged Access Manager (PAM)


The PAM administrator's security team is auditing PAM and wants to know: "How are PAM SSH, RDP, Web Portal and DB connections secured in PAM?"


PAM All Versions


Ultimately, what secures a connection is the TLS version and cipher bound to that particular connection port.

In PAM, users interact through the PAM Client and/or a web browser. These communicate over port 433 (SSL) with the PAM Appliance, which supports a configurable set of TLS v1.2 ciphers.

From the PAM Appliance to the target device over SSH, RDP, DB or Web Portal, we use:

  • SSH ciphers:

For SSH Mindterm (our internal applet) and SSH Proxy (e.g. PuTTY, SuperPuTTY, SecureCRT), we use what you have configured under:

PAM UI >> Configuration >> Security >> Cryptography

This is what our clients can support.

  • RDP - we document the following:

The RDP Client applet supports TLS 1.2 connections and the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite. The RDP Client also supports forward secrecy using the following supported cipher suites:

  • DBs (MSSQL, Oracle, Sybase)

All have an option for SSL/TLS, which secures the connection with a certificate.

  • Web Portal

As with PAM's front end, we determine what TLS version and ciphers we support. The remote connection to the Web Portal determines this.


Ultimately, to determine what the remote side actually supports, the best utility to use is nmap:


nmap -sV -p 22 --script ssh2-enum-algos <servername>


nmap -sV -p 443,3389,1433 --script ssl-enum-ciphers <servername>

These will give you what everyone will accept.
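
For an audit, the ssl-enum-ciphers text output can be reduced to a list of findings per port. The following is an added example, not part of the original article or of PAM: the sample scan output is constructed, and the baseline it checks (TLS 1.2 or later, forward-secret key exchange) is an assumption chosen for illustration.

```python
import re
# Constructed sample of `nmap --script ssl-enum-ciphers` text output (not a real scan).
SAMPLE = """\
443/tcp  open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|_  least strength: A
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
PROTO_RE = re.compile(r"^\|[ _]+((?:TLSv|SSLv)[\d.]+):")
SUITE_RE = re.compile(r"^\|[ _]+(TLS_\w+)")

def parse(text):
    """Return {port: {protocol: [suite, ...]}} from ssl-enum-ciphers output."""
    result, port, proto = {}, None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, proto = int(m.group(1)), None
            result[port] = {}
        elif port and (m := PROTO_RE.match(line)):
            proto = m.group(1)
            result[port][proto] = []
        elif port and proto and (m := SUITE_RE.match(line)):
            result[port][proto].append(m.group(1))
    return result

def findings(parsed):
    """Flag pre-TLS 1.2 protocols and suites without (EC)DHE key exchange.
    TLS 1.3 suites are exempt: their key exchange is always ephemeral."""
    out = []
    for port, protos in sorted(parsed.items()):
        for proto, suites in protos.items():
            if proto not in ("TLSv1.2", "TLSv1.3"):
                out.append((port, proto, "protocol older than TLS 1.2"))
            for s in suites:
                if proto != "TLSv1.3" and not s.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                    out.append((port, s, "no forward secrecy"))
    return out
```

Save the scan with nmap's -oN option and pass the file contents to parse(), then review the tuples returned by findings().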