The Symantec Privileged Access Manager Remote CLI (Command Line Interface) allows administrators to manage a PAM Appliance remotely from a client system by executing specific commands and batch scripts. Below is a step-by-step guide on how to create a target device in PAM from the Remote CLI.
- The target device must be created before the addTargetApplication command can be executed.
Installation Tasks and Steps
Step 1 – Understand the Command Syntax & Parameters
You can use the Remote CLI to control and configure Credential Manager. This command-line interface allows administrators to provide scripted functionality to complete management and integration tasks. The interface supports a limited subset of features that are available through the GUI and a few commands that are only available through the CLI.
- To invoke the commands in the cliTool.jar, every remoteCLI command must begin with capam_command.
- Next, you must specify which PAM Appliance this command will be executed on. The syntax begins with “capam=” and ends with the hostname of the PAM Appliance.
Note: This server name must be an FQDN and must exist in the capam.crt file as a Subject Alternative Name (SAN).
- Next, define the admin user that will be executing the command. Use “adminUserID=” and then input the username of the administrative account you would like to use.
- Then, define what command you are attempting to execute. The “cmdName=” parameter determines what command is going to be executed on the PAM Appliance. In this case that command is “addTargetApplication”.
- Next, define the hostname of the target server you are trying to add to PAM. To do this you must use “TargetServer.hostName=” then, put in the host name of the device.
- Now define the target application parameters
- Define the application name with the following syntax: TargetApplication.name=
- To define the target application operating system, use the following syntax: TargetApplication.type=
Valid Input Values: cisco, CiscoSSH, ldap, mssql, oracle, sybase, unixII (capitalize “i” twice after “unix”), unixAccountViaTelnet, windows, windowsDomainService.
Other Non-Required Parameters
- PasswordPolicy.name – If a password policy is not specified, manually entered passwords are not validated against a policy. In addition, Credential Manager generated passwords use the Credential Manager default password policy.
- PasswordPolicy.ID – Use searchPasswordPolicy to retrieve the PasswordPolicy.ID. If a password policy is not specified, manually entered passwords are not validated against a policy. In addition, Credential Manager generated passwords use the Credential Manager default password policy.
- Optionally, add descriptors. Use the parameter Attribute.descriptor1= and then enter a short description (put quotation marks around the name and do not add any spaces). Example: Attribute.descriptor1="IdentityManager"
Step 2 – Add Target Application
Use the addTargetApplication command to add a target server to Credential Manager.
- To add a target application, we must use the appropriate parameters in the appropriate order. Type the parameters in the order they are described in the section above.
capam_command capam=capamServer adminUserID=admin cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myApplication TargetApplication.type=unixII
- Once you execute the command you will be prompted for the administrator password. Enter that password and the command will execute.
- Look at <CommandResult> information to verify the command ran successfully and that the test was completed.
- Finally, verify that the command executed successfully: on the PAM Appliance, navigate to Credentials, Manage Targets, Accounts. Your newly created device should appear there.
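The following shell function is an added example, not part of the original guide or the vendor's tooling. It checks the inputs described in Step 1 (FQDN for capam=, case-sensitive application type, no spaces in values) and prints the assembled addTargetApplication command for review. The function names, the character allow-list and the sample hostnames are assumptions.

```shell
#!/bin/sh
# Added example: validate the Step 1 inputs, then print the addTargetApplication
# command line for review. Function names and the character allow-list are
# assumptions; parameter names and valid types come from the guide above.
VALID_TYPES="cisco CiscoSSH ldap mssql oracle sybase unixII unixAccountViaTelnet windows windowsDomainService"

# is_fqdn HOST: succeeds if HOST is dot-separated labels of letters, digits, '-'.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_valid_type TYPE: exact, case-sensitive match (unixII, not unixii or unixll).
is_valid_type() {
    for t in $VALID_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# build_add_target_app PAM_FQDN ADMIN TARGET_HOST APP_NAME APP_TYPE [DESCRIPTOR]
# Prints the command on stdout, or an error on stderr and returns 1.
# No password parameter is built: the CLI prompts for it at run time.
build_add_target_app() {
    pam=$1; admin=$2; host=$3; app=$4; apptype=$5; desc=${6:-}
    is_fqdn "$pam" || { echo "capam= must be an FQDN present as a SAN in capam.crt: $pam" >&2; return 1; }
    is_valid_type "$apptype" || { echo "invalid TargetApplication.type: $apptype" >&2; return 1; }
    if [ -z "$admin" ] || [ -z "$host" ] || [ -z "$app" ]; then
        echo "adminUserID, TargetServer.hostName and TargetApplication.name are required" >&2; return 1
    fi
    # Assumed allow-list: rejects spaces and shell metacharacters in every value.
    case "$admin$host$app$desc" in
        *[!A-Za-z0-9._-]*) echo "unsupported character in a parameter value" >&2; return 1 ;;
    esac
    cmd="capam_command capam=$pam adminUserID=$admin cmdName=addTargetApplication"
    cmd="$cmd TargetServer.hostName=$host TargetApplication.name=$app TargetApplication.type=$apptype"
    if [ -n "$desc" ]; then cmd="$cmd Attribute.descriptor1=\"$desc\""; fi
    printf '%s\n' "$cmd"
}
```

Calling `build_add_target_app pam.example.com admin myhostname.mydomain.com myApplication unixII` prints the command in the same parameter order as the guide; a short name such as `capamServer` or a type such as `unixii` is rejected before anything reaches the appliance.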