Enterprise Administration Guide › Configuring PUPM Endpoints › Configure an Endpoint to Use a Database (ODBC, OLEDB, OCI) Password Consumer

Configure an Endpoint to Use a Database (ODBC, OLEDB, OCI) Password Consumer

Valid for Windows Agentless endpoints

You can use ODBC, OLEDB or OCI database password consumers to replace hard-coded passwords in applications that use ODBC, OLEDB or OCI to connect to a database. When an application tries to connect to the database, the PUPM Agent intercepts the connection attempt and replaces the hard-coded password with the privileged account password that it retrieves from CA Access Control Enterprise Management.

The application must reside on a Windows Agentless endpoint on which CA Access Control is installed. If you want to create an OCI database password consumer, verify that the application uses OCI8 or later.

PUPM uses a different plug-in to intercept each type of connection attempt. For example, the OCI plug-in intercepts connection attempts that use OCI. The following registry key controls the behavior of CA Access Control plug-ins:

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Instrumentation\PlugIns

The settings for each plug-in are located in the following subkeys:

• OCI—Instrumentation\PlugIns\OCIPlg
• ODBC—Instrumentation\PlugIns\ODBCPlg
• OLEDB—Instrumentation\PlugIns\OLEDBPlg

To configure an endpoint to use a database (ODBC, OLEDB, OCI) password consumer

1. Verify that CA Access Control is installed on the endpoint with the PUPM Integration feature enabled.

   Note: Install CA Access Control on the endpoint on which the application that connects to the database is installed. You do not need to install CA Access Control on the database host.

2. Stop CA Access Control on the endpoint.
3. In the appropriate registry subkey for the connection type, do the following:
   • Verify that the value of the OperationMode registry entry is 1.

     This registry entry enables the plug-in.

   • Verify that the name of the process that runs the application is a value of the ApplyOnProcess registry entry.

     This registry entry specifies the processes to which the plug-in applies. For example, if you are creating a password consumer for an IIS application, verify that w3wp.exe is a value of the registry entry.

     Note: We recommend that you do not change the value of this registry entry yourself. For assistance, contact CA Support at http://ca.com/support.

4. Start CA Access Control.

   You have configured the endpoint to use a database password consumer. You must now create a database password consumer for the application in CA Access Control Enterprise Management.

   Note: If you create a password consumer for an IIS application, you must specify that the NT_AUTHORITY\NETWORK SERVICE and hostname\IUSR_hostname users can use the password consumer to get the privileged account password, where hostname is the name of the endpoint.