How a Password Consumer Gets a Password on Demand
A password consumer retrieves a password from PUPM when the associated privileged account authenticates to another application. Password consumers that get passwords on demand forward password requests to the PUPM Agent, which uses the Message Queue to communicate with CA Access Control Enterprise Management.
Software development kit, database, and Windows Run As password consumers get passwords on demand. You use password consumers that get passwords on demand to replace hard-coded passwords in scripts. Whenever an application provides a password for authentication purposes, PUPM replaces the hard-coded password with the privileged account password.
Note: You must install CA Access Control on the PUPM endpoint with the PUPM Integration feature enabled to use password consumers that get passwords on demand.
The following process explains how a password consumer gets a privileged account password on demand:
- An application uses a hard-coded password to try to connect to a system that requires user authentication.
- A password consumer intercepts the connection attempt and forwards a password request to the PUPM Agent.
  For example, an OCI password consumer intercepts an attempt to connect to an Oracle database.
- The PUPM Agent checks its cache. One of the following happens:
  - If the request is cached, the PUPM Agent forwards the cached privileged account password to the password consumer. The password consumer replaces the hard-coded password with the privileged account password, and the application uses the privileged account password to log in to the system. The process ends at this step. CA Access Control Enterprise Management does not write an audit record for a cached retrieval, because the request never reaches it.
  - If the request is not cached, the PUPM Agent forwards the password request to CA Access Control Enterprise Management through the Message Queue.
- CA Access Control Enterprise Management receives the message and checks that the password consumer is authorized to obtain the privileged account password. One of the following happens:
  - If the password consumer is authorized, CA Access Control Enterprise Management sends the privileged account password to the PUPM Agent, which forwards it to the password consumer. The password consumer replaces the hard-coded password with the privileged account password, and the application uses the privileged account password to log in to the system. CA Access Control Enterprise Management writes an audit record for the event.
  - If the password consumer is not authorized, CA Access Control Enterprise Management sends an error message to the PUPM Agent. The PUPM Agent does not forward a password to the application, so the application attempts the login with its original hard-coded password. The application receives no indication from PUPM that the request was denied; whether that login succeeds depends on whether the hard-coded password is still valid on the target system.
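The following is an added model of the retrieval flow above, written for this page; it is not CA code and does not use the PUPM SDK. The class names, the cache key (consumer, account), the reply shapes, and the sample account and password values are all assumptions. It exists to make two consequences of the flow concrete: cache hits never reach Enterprise Management and so produce no audit record, and a denied consumer silently falls back to the hard-coded password.

```python
# Model of the on-demand retrieval flow described above. Constructed
# illustration, not CA code: class names, the cache key, the message
# shapes and the sample account/password values are all assumptions.
from dataclasses import dataclass, field


@dataclass
class EnterpriseManagement:
    """Stand-in for CA Access Control Enterprise Management."""
    # privileged account -> current managed password (assumed store)
    passwords: dict
    # (consumer_id, account) pairs permitted to retrieve (assumed policy)
    authorized: set
    # audit records written by Enterprise Management
    audit: list = field(default_factory=list)

    def handle_request(self, consumer_id, account):
        """Authorization check on a request that arrived via the Message Queue."""
        if (consumer_id, account) not in self.authorized:
            # Denied: only an error message goes back to the agent.
            return {"status": "error", "reason": "consumer not authorized"}
        self.audit.append(("RETRIEVE", consumer_id, account))
        return {"status": "ok", "password": self.passwords[account]}


@dataclass
class PupmAgent:
    """Stand-in for the PUPM Agent on the endpoint."""
    em: EnterpriseManagement
    cache: dict = field(default_factory=dict)
    forwarded: int = 0  # requests that actually reached Enterprise Management

    def get_password(self, consumer_id, account):
        key = (consumer_id, account)  # assumed cache key
        if key in self.cache:
            # Cache hit: no round trip to Enterprise Management, no audit record.
            return self.cache[key]
        self.forwarded += 1
        reply = self.em.handle_request(consumer_id, account)
        if reply["status"] != "ok":
            return None  # errors are not cached here (assumption)
        self.cache[key] = reply["password"]
        return reply["password"]


def intercept_connect(hardcoded_password, consumer_id, account, agent):
    """Password consumer hook: returns the password the application will use."""
    managed = agent.get_password(consumer_id, account)
    if managed is None:
        # Not authorized: the application proceeds with its hard-coded value.
        return hardcoded_password
    return managed


def run_scenario():
    """Three logins by an authorized OCI consumer, then one by an unauthorized script."""
    em = EnterpriseManagement(
        passwords={"orcl/sys": "Rotated-9f2c"},  # constructed sample values
        authorized={("oci-consumer", "orcl/sys")},
    )
    agent = PupmAgent(em)
    used = [intercept_connect("OldHardcoded1", "oci-consumer", "orcl/sys", agent)
            for _ in range(3)]
    denied = intercept_connect("OldHardcoded1", "rogue-script", "orcl/sys", agent)
    return {
        "passwords_used": used,          # three managed-password logins
        "denied_fallback": denied,       # the hard-coded value, unchanged
        "forwarded_to_em": agent.forwarded,  # 2: one authorized, one denied
        "audit_records": len(em.audit),  # 1: only the first, uncached retrieval
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows three managed-password logins but only one audit record, so an audit count in Enterprise Management is a count of forwarded, authorized requests, not of application logins that used a managed password. The denied script never sees a PUPM error; it simply continues with its hard-coded password, so a denial shows up, if at all, as the target system's response to that password.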
Copyright © 2012 CA.
All rights reserved.