Enterprise Administration Guide › Configuring PUPM Endpoints › Configure an Endpoint to Use a Database (.NET) Password Consumer

Configure an Endpoint to Use a Database (.NET) Password Consumer

Valid on Windows Agentless Endpoints

You can use a .NET database password consumer to replace hard-coded passwords in applications that use .NET to connect to a database. When an application tries to connect to the database, the PUPM Agent intercepts the connection attempt and replaces the hard-coded password with the privileged account password that it retrieves from CA Access Control Enterprise Management.

Note: The application must reside on a Windows Agentless endpoint on which CA Access Control is installed.

PUPM uses a profiler to load a plugin to intercept each connection attempt. The .NET plug-in intercepts connection attempts that use .NET. The following registry key control the behavior of CA Access Control .NET:

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Instrumentation\.NET\

The settings for the profiler and plug-in are located in the following subkeys:

• Profiler—Instrumentation\.NET\Profiler\
• Plugin—Instrumentation\.NET\Profiler\Plugin

To configure an endpoint to use a .NET database password consumer

1. Verify that CA Access Control is installed on the endpoint with the PUPM Integration feature enabled.

   Note: Install CA Access Control on the endpoint on which the application that connects to the database is installed. You do not need to install CA Access Control on the database host.

2. Stop CA Access Control on the endpoint.
3. In the appropriate registry subkey for the connection type, do the following:
   • Verify that the value of the OperationMode registry entry is 1.

     This registry entry enables the plug-in.

     Important! Verify that the OperationMode registry entry is set to 1 for the profiler and plugin.

   • Verify that the name of the process that runs the application is a value of the ApplyOnProcess registry entry.

     This registry entry specifies the processes to which the plug-in applies. For example, if you are creating a password consumer for an IIS application, verify that w3wp.exe is a value of the registry entry.

     Note: We recommend that you do not change the value of this registry entry yourself. For assistance, contact CA Support at http://ca.com/support.

4. Start CA Access Control.

   You have configured the endpoint to use a database password consumer. You must now create a database password consumer for the application in CA Access Control Enterprise Management.

   Note: If you create a password consumer for an IIS application, specify the NT_AUTHORITY\NETWORK SERVICE and hostname\IUSR_hostname as users that can use the password consumer to get the privileged account password, where hostname is the name of the endpoint.