How a Password Consumer SDK Application Gets a Password
The password consumer SDKs let you write applications that get, check in, and check out privileged account passwords. To use a password consumer SDK, you must do the following:
- Install CA Access Control on the endpoint on which the application runs
- Define a password consumer for the application in CA Access Control Enterprise Management
There are two types of password consumer SDK:
- Java PUPM SDK
- .NET PUPM SDK
Password consumer SDK applications communicate with the PUPM Agent, which then uses the Message Queue to communicate with CA Access Control Enterprise Management. The PUPM Agent uses SSL communication and port 7243 to communicate with the Message Queue.
The following process describes how a password consumer SDK application gets a password:
- The application sends a password request to the PUPM Agent.
- The PUPM Agent receives the password request. CA Access Control verifies the identity of the user running the application, and checks the cache. One of the following happens:
  - If the password request is cached, the PUPM Agent sends the privileged account password to the application. The process ends at this step. CA Access Control Enterprise Management does not write an audit record for the password request.
  - If the password request is not cached, the PUPM Agent sends the password request and the name of the user running the application to CA Access Control Enterprise Management.
- CA Access Control Enterprise Management receives the request, and checks that a password consumer exists that authorizes the application to obtain the privileged account password.
  The password consumer specifies the path of the application, the privileged accounts that the application can request, the users that can run the application, and the hosts on which the application can be run.
- One of the following happens:
  - If the application is authorized to obtain the password, CA Access Control Enterprise Management sends the privileged account password to the PUPM Agent.
  - If the application is not authorized to obtain the password, CA Access Control Enterprise Management sends an error message to the PUPM Agent.
  In both cases, CA Access Control Enterprise Management writes an audit record for the event.
- The PUPM Agent sends the privileged account password or error message to the application.
  If the application has obtained the privileged account password for the first time, the PUPM Agent caches the password.
Note: When the password for a privileged account changes, CA Access Control Enterprise Management broadcasts the password change event to the endpoints. When an endpoint receives the broadcast message, the PUPM Agent removes the privileged account password from the cache.
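The following Python model is an added illustration of the flow described above; it is not the PUPM SDK, PUPM Agent, or CA Access Control Enterprise Management code, and the class names, the cache key (application path, account, user) and the sample paths, accounts and hosts are assumptions constructed for the example. It shows the four points a reviewer of this flow usually cares about: the authorization decision is made against the password consumer's path, accounts, users and hosts; every request that reaches Enterprise Management is audited, granted or denied; a request served from the Agent's cache is not audited; and a password-change broadcast drops the cached entry so the next request goes back to the server and is audited again.

```python
"""Model of the password consumer SDK flow (added example, not CA product code).

Class and method names are assumptions chosen for this model; the password
consumer definition, hostnames and passwords are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordConsumer:
    """Password consumer as defined in Enterprise Management (assumed shape)."""
    app_path: str
    accounts: frozenset
    users: frozenset
    hosts: frozenset

    def authorizes(self, app_path, account, user, host):
        # All four attributes must match for the application to be authorized.
        return (app_path == self.app_path and account in self.accounts
                and user in self.users and host in self.hosts)


class EnterpriseManagement:
    """Server side of the flow: authorization decision, audit record, broadcast."""

    def __init__(self, consumers, passwords):
        self.consumers = consumers      # list of PasswordConsumer
        self.passwords = passwords      # account -> current privileged password
        self.audit = []                 # one record per request received
        self.agents = []                # endpoints that receive change broadcasts

    def handle_request(self, app_path, account, user, host):
        ok = any(c.authorizes(app_path, account, user, host) for c in self.consumers)
        # Audit record is written whether the request is granted or denied.
        self.audit.append((app_path, account, user, host, "granted" if ok else "denied"))
        if ok:
            return ("password", self.passwords[account])
        return ("error", "application not authorized for account")

    def change_password(self, account, new_password):
        # Password change is broadcast so every endpoint can drop its cached copy.
        self.passwords[account] = new_password
        for agent in self.agents:
            agent.on_password_changed(account)


class PupmAgent:
    """Endpoint side of the flow: per-endpoint cache in front of the server."""

    def __init__(self, host, server):
        self.host = host
        self.server = server
        self.cache = {}                 # (app_path, account, user) -> password (assumed key)
        server.agents.append(self)

    def get_password(self, app_path, account, user):
        key = (app_path, account, user)
        if key in self.cache:
            # Cache hit: answered locally, no request (and no audit record) upstream.
            return ("password", self.cache[key], "cache")
        kind, payload = self.server.handle_request(app_path, account, user, self.host)
        if kind == "password":
            self.cache[key] = payload   # cached after the first successful retrieval
        return (kind, payload, "server")

    def on_password_changed(self, account):
        for key in [k for k in self.cache if k[1] == account]:
            del self.cache[key]


def run_scenario():
    """Walk one application through the flow and return what each step produced."""
    consumer = PasswordConsumer("/opt/app/backup", frozenset({"oracle"}),
                                frozenset({"svc_backup"}), frozenset({"db01"}))
    em = EnterpriseManagement([consumer], {"oracle": "s3cret-1"})
    agent = PupmAgent("db01", em)
    first = agent.get_password("/opt/app/backup", "oracle", "svc_backup")   # server, audited
    second = agent.get_password("/opt/app/backup", "oracle", "svc_backup")  # cache, not audited
    denied = agent.get_password("/opt/app/backup", "oracle", "alice")       # error, audited
    em.change_password("oracle", "s3cret-2")                                # cache entry dropped
    third = agent.get_password("/opt/app/backup", "oracle", "svc_backup")   # server again, audited
    return {"first": first, "second": second, "denied": denied,
            "third": third, "audit": list(em.audit)}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The audit list in the result has three records for four application requests: the cached second request never reaches Enterprise Management, which is the behaviour the step list above describes and the reason endpoint-side logging is worth correlating with the central audit trail.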
More information:
How to Configure an Endpoint to Use a Password Consumer SDK Application