How a Password Consumer Gets a Password on Demand
A password consumer retrieves a privileged account password from SAM at the moment the application needs it to authenticate to another system. Password consumers that get passwords on demand forward the password request to the SAM Agent on the endpoint, which uses the Message Queue to communicate with CA ControlMinder Enterprise Management.
Software development kit, database, and Windows Run As password consumers get passwords on demand. You use password consumers that get passwords on demand to replace hard-coded passwords in scripts. Whenever an application provides a password for authentication purposes, SAM replaces the hard-coded password with the privileged account password.
Note: You must install CA ControlMinder on the SAM endpoint with the SAM Integration feature enabled to use password consumers that get passwords on demand.
The following process explains how a password consumer gets a privileged account password on demand:
- An application uses a hard-coded password to try to connect to a system that requires user authentication.
- A password consumer intercepts the connection attempt and sends a password request to the SAM Agent.
For example, an OCI password consumer intercepts an attempt to connect to an Oracle database.
- The SAM Agent checks the cache. One of the following happens:
- If the request is cached, the SAM Agent returns the privileged account password to the password consumer without contacting CA ControlMinder Enterprise Management. The password consumer replaces the hard-coded password with the privileged account password, and the application uses the privileged account password to log in to the system. The process ends at this step. CA ControlMinder Enterprise Management does not write an audit record for a cached retrieval, so its audit trail records only cache misses, not every use of the password.
- If the request is not cached, the SAM Agent forwards the password request to CA ControlMinder Enterprise Management.
- CA ControlMinder Enterprise Management receives the message and checks that the password consumer is authorized to obtain the privileged account password.
- One of the following happens:
- If the password consumer is authorized to obtain the password, CA ControlMinder Enterprise Management sends the privileged account password to the SAM Agent. The SAM Agent replaces the hard-coded password with the privileged account password, and the application uses the privileged account password to log in to the system. CA ControlMinder Enterprise Management writes an audit record for the event.
- If the password consumer is not authorized to obtain the password, CA ControlMinder Enterprise Management sends an error message to the SAM Agent. The SAM Agent does not forward a password to the application, and the connection attempt proceeds with the hard-coded password the application originally supplied. This path is not fail-closed: whether the login succeeds depends only on whether that hard-coded value is still valid on the target system.
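The following model walks the process above end to end so that its two less obvious consequences can be observed: a cache hit produces no audit record, and a denied request leaves the hard-coded password in play. This is an added illustration written for this page, not CA ControlMinder code or its SDK; the class names (EnterpriseManagement, SamAgent, OciConsumer, TargetSystem), the policy table keyed on (consumer, account, endpoint), the message dictionaries and the sample accounts and passwords are all assumptions chosen to make the documented steps visible.

```python
"""Model of the on-demand password retrieval process for a SAM password consumer.

Constructed illustration, not CA ControlMinder code and not its SDK: the class
names, the policy table, the message shapes and the sample credentials are
assumptions used to make the documented steps observable.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRequest:
    consumer: str   # consumer type, e.g. "oci" for the Oracle OCI consumer
    account: str    # privileged account the application authenticates as
    endpoint: str   # system the application is connecting to


class EnterpriseManagement:
    """Stand-in for CA ControlMinder Enterprise Management (assumed interface)."""

    def __init__(self, policy):
        # (consumer, account, endpoint) -> current privileged account password
        self.policy = policy
        self.audit = []   # one record per authorized retrieval, as documented

    def handle(self, req):
        key = (req.consumer, req.account, req.endpoint)
        if key not in self.policy:
            # The documented process sends an error here and writes an audit
            # record only on the authorized path, so none is written for a denial.
            return {"status": "error", "reason": "consumer not authorized"}
        self.audit.append(("password retrieved", req))
        return {"status": "ok", "password": self.policy[key]}


class SamAgent:
    """Stand-in for the SAM Agent on the endpoint (assumed interface)."""

    def __init__(self, em):
        self.em = em
        self.cache = {}         # PasswordRequest -> privileged account password
        self.messages_sent = 0  # requests that crossed the Message Queue

    def get_password(self, req):
        if req in self.cache:
            # Cache hit: answered locally, no message to Enterprise Management,
            # and therefore no audit record.
            return self.cache[req]
        self.messages_sent += 1
        reply = self.em.handle(req)
        if reply["status"] != "ok":
            return None   # nothing forwarded; the consumer keeps the app's own password
        self.cache[req] = reply["password"]
        return reply["password"]


class TargetSystem:
    """The system being logged in to; holds the currently valid passwords."""

    def __init__(self, credentials):
        self.credentials = credentials   # account -> valid password

    def login(self, account, password):
        return self.credentials.get(account) == password


class OciConsumer:
    """Intercepts a connection attempt and swaps in the privileged password."""

    def __init__(self, agent, target, endpoint):
        self.agent, self.target, self.endpoint = agent, target, endpoint

    def connect(self, account, hardcoded_password):
        req = PasswordRequest("oci", account, self.endpoint)
        managed = self.agent.get_password(req)
        # Denial is not fail-closed: the hard-coded value is used unchanged.
        effective = managed if managed is not None else hardcoded_password
        return self.target.login(account, effective)


def run_demo():
    # Constructed sample data: SAM has rotated APP_USER's password, so the value
    # hard-coded in the script is stale. SYS is not managed by SAM and the
    # script's hard-coded SYS password is still valid on the database.
    target = TargetSystem({"APP_USER": "R0tated-By-SAM", "SYS": "manager"})
    em = EnterpriseManagement({("oci", "APP_USER", "oradb01"): "R0tated-By-SAM"})
    agent = SamAgent(em)
    oci = OciConsumer(agent, target, "oradb01")

    first = oci.connect("APP_USER", "Welcome1")    # cache miss: EM consulted, audited
    second = oci.connect("APP_USER", "Welcome1")   # cache hit: no message, no audit
    unauthorized = oci.connect("SYS", "manager")   # denied: hard-coded password used

    return {
        "app_user_logins": (first, second),
        "sys_login_with_hardcoded_password": unauthorized,
        "messages_to_em": agent.messages_sent,
        "audit_records": len(em.audit),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the model shows two successful APP_USER logins against one audit record, and a successful SYS login that SAM never authorized. When reconciling Enterprise Management audit records against actual privileged logins, treat the audit count as a lower bound, and do not rely on a denial from Enterprise Management to block a connection whose hard-coded password is still valid on the target.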
Copyright © 2013 CA Technologies.
All rights reserved.