search cancel

How to deploy CA PAM in AWS


Article ID: 75126


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)


The starting point, whether it be for a purchase or a Proof of Concept, is to associate the Amazon Machine Instance(AMI) for the version of CA PAM you wish to deploy with your AWS account in the desired AWS region(s).  Bear in mind that for versions prior to 3.0.2 there are AWS regions in which PAM cannot be deployed.  Here is the list of AWS regions which we do support for CA PAM versions less than 3.0.2:
  • us-east-1            N. Virginia
  • us-west-1           N. California
  • us-west-2           Oregon
  • eu-west-1           Ireland
  • ap-southeast-1   Singapore
  • ap-southeast-2   Sydney
Versions 3.0.2 and later may be deployed in the additional regions:
  • us-east-2           Ohio
  • ap-south-1         Mumbai
  • ap-northeast-1   Tokyo
  • ap-northeast-2   Seoul
  • eu-west-2           London
  • ca-central-1        Canada
  • eu-central-1        Frankfurt
  • sa-east-1            Sao Paolo
In addition to the regions listed above, there is also a region called govcloud, which is solely for the use by the US Government.


Privileged Access Manager on AWS


The AWS account and region(s) will be sent to Engineering, who will make the appropriate AMI(s) available the AWS account, in the requested region(s).  The AMI ID(s) and AMI Name(s) will be provided, to fulfill a request.

Once the AMI ID(s) and Name(s) are available, it will be possible to deploy the PAM AMI from the AWS Management Console.  Start by going to the EC2(Elastic Compute Cloud) section.  Select the desired region, making sure to select only one of those which is supported by CA PAM.  At this point click AMI.


 The next screen will be the list of owned AMIs, if any exist.  The base PAM images will not be seen,  because they are not owned by the AWS account.  Click the highlighted pulldown and select Private Images.

The list of private images associated with this account in this region will now be seen.  Find the AMI ID provided by CA, for this region, in this list and click the selection box, then click launch.   Note that the AMI ID can be seen at the bottom of the screen too, and the AMI Name as well.  If the provided AMI ID cannot be found please check that the AWS Account number and the region match what was given to CA when the request for the AMIs was made.  It may be necessary for Support to get back in touch with Engineering if the necessary AMIs are not there.

After clicking launch the next page seen will contain a list like this, where the desired AMI size will be selected.  Note that there are a number of AMI sizes that cannot be selected.  With the selection made, click Review and Launch.

Pay attention to the messages appearing here.  The one about “free tier eligibility” not applying may be ignored. 
Some of these Instance types may require some additional configuration.  For example, some of these types cannot be deployed without a VPC.  When this is the case the Review and Launch button will be grayed out.  It will not be clickable until an Instance Type which can be installed into EC2 is selected or the additional configuration is completed.

Something will have to be done about the Security Group.  Think of it like a Firewall.  The ports necessary for proper functioning of PAM and the features being used must be opened, both between the user and AWS and within AWS.  Note that by default AWS opens port 22, ssh.  This won’t do any good, as PAM blocks port 22 by default.  Support does have the ability to use ssh to PAM, but that is only for debug situations.  It is not available for customer use.  Click “Edit security group”, so the desired changes may be made.  At a minimum it is necessary to open port 443, https.  Without this PAM cannot be accessed.  For example  all TCP, all UDP and all ICMP ports, Security Groups used to by Support personnel might open all ports, but only for the CA external IP address.  This would allow all all traffic needed by PAM from anyone within CA.  No one outside of CA will be able to connect.  Modify your Security Groups to meet your needs and then click Review and Launch.

There will next be a prompt for a keypair, which will need to be the same as other AMIs to be managed with this CA PAM.  It is possible to select either that a new keypair be created, which will then have to be downloaded, or that an existing keypair be used.   These keys will be needed again, when configuring public key authentication to the unix AMIs deployed in the AWS account, or to get the Administrator password for a Windows system.

Once this is done and Launch Instances clicked, the Launch Status page appears.  Click View Instances to see this new instance, and any other AMIs you may have already deployed.

The PAM AMI can be seen initializing.  A name can be assigned to this AMI, by clicking in the highlighted field.  When the initialization completes an https connection to PAM , using either the public IP address or the Fully Qualified Domain Name, both assigned by AWS.  Login to PAM as super, download the sysinfo, and provide it to the CA Licensing team, so they can provide the PAM license.  There are several methods for contacting them, which can be seen on this page:

This completes the deployment of CA PAM in the AWS EC2.  There are just a couple of differences for deploying PAM in the AWS Virtual Private Cloud(VPC).  Go to EC2 and launch the AMI.  Three fields must be configured, so that it will be possible to reach the AMI via the public address.  Create a new VPC and subnet, or select ones were already created.  Select Auto-assign Public IP, and click Review and Launch.  The rest of the process is the same.  This assumes that the VPC is already completely configured.  Please consult the AWS documentation for help performing this task.