
Configure an Endpoint to Use a Database (ODBC, OLEDB, OCI) Password Consumer

Valid for Windows Agentless endpoints

You can use ODBC, OLEDB or OCI database password consumers to replace hard-coded passwords in applications that use ODBC, OLEDB or OCI to connect to a database. When an application tries to connect to the database, the SAM Agent intercepts the connection attempt and replaces the hard-coded password with the privileged account password that it retrieves from CA ControlMinder Enterprise Management.

The application must reside on a Windows Agentless endpoint on which CA ControlMinder is installed. If you want to create an OCI database password consumer, verify that the application uses OCI8 or later.

SAM uses a different plug-in to intercept each type of connection attempt. For example, the OCI plug-in intercepts connection attempts that use OCI. The following registry key controls the behavior of CA ControlMinder plug-ins:

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Instrumentation\PlugIns

The settings for each plug-in are located in the following subkeys:

To configure an endpoint to use a database (ODBC, OLEDB, OCI) password consumer

  1. Verify that CA ControlMinder is installed on the endpoint with the SAM Integration feature enabled.

    Note: Install CA ControlMinder on the endpoint on which the application that connects to the database is installed. You do not need to install CA ControlMinder on the database host.

  2. Stop CA ControlMinder on the endpoint.
  3. In the appropriate registry subkey for the connection type, do the following:
  4. Start CA ControlMinder.

    You have configured the endpoint to use a database password consumer. You must now create a database password consumer for the application in CA ControlMinder Enterprise Management.

    Note: If you create a password consumer for an IIS application, you must specify that the NT_AUTHORITY\NETWORK SERVICE and hostname\IUSR_hostname users can use the password consumer to get the privileged account password, where hostname is the name of the endpoint.
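Because the plug-in settings under this key decide which connection attempts have a privileged account password substituted into them, it is worth recording the current values and checking who can modify the key before you edit it in step 3. The following read-only PowerShell script is an added example, not part of the CA ControlMinder documentation or product. It uses the registry path given above, and the list of expected writers is an assumption (English account names) to adjust to your own policy.

```powershell
# Added example: read-only inventory and ACL review of the plug-in key named on this page.
$root = 'HKLM:\SOFTWARE\ComputerAssociates\AccessControl\Instrumentation\PlugIns'

if (-not (Test-Path -LiteralPath $root)) {
    Write-Warning "Key not found: $root"
    return
}

# Assumption: only these principals are expected to hold write access here.
$expectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that allow changing plug-in settings or the key's own permissions,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which can
# appear unmapped on inherit-only entries.
$specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x40000000 -bor 0x10000000

# The root key itself plus every plug-in subkey beneath it.
$keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse)

foreach ($key in $keys) {
    "[$($key.Name)]"

    # Dump each value with its registry type so the pre-change state is on record.
    foreach ($name in $key.GetValueNames()) {
        $label = if ($name -eq '') { '(Default)' } else { $name }
        "    {0} ({1}) = {2}" -f $label, $key.GetValueKind($name), ($key.GetValue($name) -join ', ')
    }

    # Flag any Allow entry that grants write-type rights to an unexpected principal.
    foreach ($ace in (Get-Acl -LiteralPath $key.PSPath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        if ($expectedWriters -contains $ace.IdentityReference.Value) { continue }
        "    WRITE ACCESS: {0} -> {1} (inherited: {2})" -f `
            $ace.IdentityReference.Value, $ace.RegistryRights, $ace.IsInherited
    }
}
```

Run it from an elevated prompt and keep the output with your change record; any `WRITE ACCESS` line names an account that could alter plug-in behavior without going through the procedure above.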