How a Password Consumer SDK Application Gets a Password
The password consumer SDKs let you write applications that get, check in, and check out privileged account passwords. To use a password consumer SDK, you must do the following:
- Install CA ControlMinder on the endpoint on which the application runs
- Define a password consumer for the application in CA ControlMinder Enterprise Management
There are two types of password consumer SDK:
- Java SAM SDK
- .NET SAM SDK
Password consumer SDK applications communicate with the SAM Agent, which then uses the Message Queue to communicate with CA ControlMinder Enterprise Management. The SAM Agent uses SSL communication and port 7243 to communicate with the Message Queue.
The following process describes how a password consumer SDK application gets a password:
1. The application sends a password request to the SAM Agent.
2. The SAM Agent receives the password request. CA ControlMinder verifies the identity of the user running the application, and checks the cache. One of the following happens:
   - If the password request is cached, the SAM Agent sends the privileged account password to the application. The process ends at this step. CA ControlMinder Enterprise Management does not write an audit record for the password request.
   - If the password request is not cached, the SAM Agent sends the password request and the name of the user running the application to CA ControlMinder Enterprise Management.
3. CA ControlMinder Enterprise Management receives the request, and checks that a password consumer exists that authorizes the application to obtain the privileged account password.
   The password consumer specifies the path of the application, the privileged accounts that the application can request, the users that can run the application, and the hosts on which the application can be run.
4. One of the following happens:
   - If the application is authorized to obtain the password, CA ControlMinder Enterprise Management sends the privileged account password to the SAM Agent.
   - If the application is not authorized to obtain the password, CA ControlMinder Enterprise Management sends an error message to the SAM Agent.
   In both cases, CA ControlMinder Enterprise Management writes an audit record for the event.
5. The SAM Agent sends the privileged account password or error message to the application.
   If the application has obtained the privileged account password for the first time, the SAM Agent caches the password.
Note: When the password for a privileged account changes, CA ControlMinder Enterprise Management broadcasts the password change event to the endpoints. When an endpoint receives the broadcast message, the SAM Agent removes the privileged account password from the cache.
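The following Python model walks through the request flow and the cache-invalidation note above end to end: the agent-side cache, the password consumer check on application path, account, user and host, the audit record that is written only when the request reaches CA ControlMinder Enterprise Management, and the broadcast that clears the cached password after a rotation. It is an added illustration, not CA ControlMinder or SAM SDK code; the class names, method names, the sample vault and the sample password consumer are all constructed for the example.

```python
"""Model of the SAM Agent password request flow described above.

Constructed illustration, not CA ControlMinder or SAM SDK code: the class
and method names below are assumptions chosen for readability.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswordConsumer:
    """A password consumer definition: the application path, the privileged
    accounts it may request, the users who may run it and the hosts it may
    run on (the four attributes the page lists)."""
    app_path: str
    accounts: frozenset
    users: frozenset
    hosts: frozenset

    def authorizes(self, app_path, account, user, host):
        return (app_path == self.app_path and account in self.accounts
                and user in self.users and host in self.hosts)


@dataclass
class EnterpriseManagement:
    """Stand-in for CA ControlMinder Enterprise Management."""
    vault: dict                      # account -> current password (constructed)
    consumers: list
    audit: list = field(default_factory=list)
    agents: list = field(default_factory=list)

    def request(self, app_path, account, user, host):
        """Authorize the request against the password consumers and write an
        audit record whether or not the request is granted."""
        granted = any(c.authorizes(app_path, account, user, host)
                      for c in self.consumers)
        self.audit.append({"app": app_path, "account": account, "user": user,
                           "host": host, "granted": granted})
        if granted:
            return "ok", self.vault[account]
        return "error", "application not authorized for this account"

    def change_password(self, account, new_password):
        """Rotate a password and broadcast the change so agents drop it."""
        self.vault[account] = new_password
        for agent in self.agents:
            agent.on_password_changed(account)


class SamAgent:
    """Stand-in for the SAM Agent on one endpoint."""

    def __init__(self, em, host):
        self.em = em
        self.host = host
        self.cache = {}              # (app_path, account, user) -> password
        em.agents.append(self)

    def get_password(self, app_path, account, user):
        # 'user' is the identity of the process owner, which the page says
        # CA ControlMinder verifies before the cache is consulted.
        key = (app_path, account, user)
        if key in self.cache:
            # Cache hit: answered locally, and no audit record is written.
            return "ok", self.cache[key]
        status, payload = self.em.request(app_path, account, user, self.host)
        if status == "ok":
            self.cache[key] = payload    # cached after the first successful fetch
        return status, payload

    def on_password_changed(self, account):
        """Handle the broadcast: remove the account's password from the cache."""
        for key in [k for k in self.cache if k[1] == account]:
            del self.cache[key]


def run_demo():
    """Walk through the flow and return the observable results."""
    em = EnterpriseManagement(
        vault={"root@db01": "initial-pw"},       # constructed sample vault
        consumers=[PasswordConsumer("/opt/backup/run.sh", frozenset({"root@db01"}),
                                    frozenset({"backup"}), frozenset({"web01"}))])
    agent = SamAgent(em, host="web01")
    app = "/opt/backup/run.sh"

    first = agent.get_password(app, "root@db01", "backup")     # fetched, audited
    audits_after_first = len(em.audit)
    second = agent.get_password(app, "root@db01", "backup")    # cache hit, no audit
    audits_after_second = len(em.audit)
    denied = agent.get_password(app, "root@db01", "mallory")   # wrong user, audited
    em.change_password("root@db01", "rotated-pw")             # broadcast clears cache
    after_rotation = agent.get_password(app, "root@db01", "backup")

    return {
        "first": first, "second": second, "denied": denied,
        "after_rotation": after_rotation,
        "audits_after_first": audits_after_first,
        "audits_after_second": audits_after_second,
        "audits_total": len(em.audit),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The model makes the audit behaviour the page describes visible: the second request is served from the agent cache and leaves no record in Enterprise Management, so the central audit trail counts first fetches and denials, not every use of a cached password. The rotation broadcast removes the cached entry, and the next request is fetched and audited again.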
More information:
How to Configure an Endpoint to Use a Password Consumer SDK Application
Copyright © 2013 CA Technologies.
All rights reserved.