How to Install the Remote CLI for Symantec Privileged Access Manager (PAM)

Credential Manager Remote Command-line Interface

The Credential Manager CLI enables programmatic access to the password management functions of the Credential Manager. The CLI also provides access to a limited set of maintenance operations. You can issue a command, or a script of commands, from a Windows or UNIX/Linux command line.

The commands available to a user depend on the roles and groups that are assigned to the user in the PAM UI. 

Install the CLI on any client system, then connect this remote system to the Privileged Access Manager appliance across an HTTPS network connection. From the client system, issue CLI commands to administer the Credential Manager information programmatically.


  • Download the on the client system. 
    • Example: “”
    • Verify the correct version before downloading
  • Create a directory on the client system to contain the files from the file
  • Obtain the current pam certificate and to the same directory you created in the previous step.
    NOTE: If the remote CLI is copied to a folder that has a space character in its path, such as “C:\CA PAM\Remote CLI”, the bat script will not execute because it does not quote file paths. The parent folder must be contained in a folder that has no space characters in its path for the script to execute.

Installation Tasks and Steps

Task 1 – Enable the Credential Manager CLI from the PAM UI 

Follow these steps:

  1. Connect to the PAM appliance using a browser or the CA PAM Client.
  2. Navigate to Configuration, Security, Access

  3. On the Access page, select the Enabled radio button that is associated with the Credential Management CLI entry
  4. Select Save
  5. Navigate to Settings, Credential Manager
  6. Verify that the Enable External CLI option is enabled. If not, enable it and restart the appliance

Task 2 – Obtain Certificate 

You must obtain a signed certificate to successfully complete the installation. CLI commands must be executed over an HTTPS connection between the client and the PAM appliance. To secure the connection, obtain a certificate that the client trusts.

Generate a Certificate or Use an Existing Certificate. Once you obtain the signed certificate save the certificate on the client system. We recommend saving the certificate to the directory you created containing the file on the client system.

Use a certificate from a Certificate Authority or use a self-signed certificate to secure the network connection. If the PAM appliance already has a certificate available, skip to Generate a KeyStore.

Warning: Do not use the default certificate, gkcert.crt, or a certificate that has no Alternate Subject Names.

Task 3 – Import Certificate KeyStore and Generate the Keystore

Generate a keystore on the client system. This keystore must contain the certificate from the client system. You can generate a keystore in many ways. The following steps explain only one method, using the keytool utility.

  1. Navigate to the directory where you put the cliTool.jar file
  2. Generate the keystore and import the certificate to this keystore


  • For your command entry, change “capam.crt” to the name of the certificate you imported onto the client system
  • Do not change the keystore name. It must be capam.keystore

Run this command from the same directory containing the cliTool.jar:

UNIX/Linux: $JAVA_HOME/bin/keytool -import -trustcacerts -file capam.crt -alias capamerver -keystore capam.keystore

Windows: “%JAVA_HOME%\bin\keytool” -import -trustcacerts -file capam.crt -alias capamserver -keystore capam.keystore

Note: starting in JRE 1.8, –import is replaced by –importcert

  1. Once executed, you will be prompted for the keystore password. Enter a new password for the keystore.
  2. Next, a message appears asking “Trust this certificate? [no]:” type “yes”.
  3. A confirmation message appears, “Certificate was added to keystore”
  4. Finally, verify that the import was successful by listing the contents of the keystore.

UNIX/Linux: $JAVA_HOME/bin/keytool -list -v –keystore capam.keystore

Windows: %JAVA_HOME%\bin\keytool -list -v –keystore capam.keystore

Task 4 – Verify the Installation

To verify that the installation works, execute a command. 

Example Command:

capam_command adminUserID=admin cmdName=getErrorCodes

Note: Remember to change the “capam” and “adminUserID” fields to the appropriate information for your system.

If successful, a list of error codes displays. The host name ( must match the server name in the certificate. If the certificate contains an IP address for the appliance, you can use the address in place of the server name.

Before the command executes, you are prompted for the Credential Manager administrator password. If the command executes successfully, it produces an XML string.

Looking for additional help with installing the Remote CLI for Symantec PAM? ISX is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including PAM. Take your interoperability to the next level, and contact an ISX consultant today.

ISXHow to Install the Remote CLI for Symantec Privileged Access Manager (PAM)

Leave a Reply

Your email address will not be published. Required fields are marked *