

How a Password Consumer SDK Application Gets a Password

The password consumer SDKs let you write applications that get, check in, and check out privileged account passwords. To use a password consumer SDK, you must do the following:

There are two types of password consumer SDK:

Password consumer SDK applications communicate with the SAM Agent, which then uses the Message Queue to communicate with CA ControlMinder Enterprise Management. The SAM Agent uses SSL communication and port 7243 to communicate with the Message Queue.

The following process describes how a password consumer SDK application gets a password:

  1. The application sends a password request to the SAM Agent.
  2. The SAM Agent receives the password request. CA ControlMinder verifies the identity of the user running the application, and checks the cache. One of the following happens:
  3. CA ControlMinder Enterprise Management receives the request, and checks that a password consumer exists that authorizes the application to obtain the privileged account password.

    The password consumer specifies the path of the application, the privileged accounts that the application can request, the users that can run the application, and the hosts on which the application can be run.

  4. One of the following happens:

    In both cases, CA ControlMinder Enterprise Management writes an audit record for the event.

  5. The SAM Agent sends the privileged account password or error message to the application.

    If the application has obtained the privileged account password for the first time, the SAM Agent caches the password.

Note: When the password for a privileged account changes, CA ControlMinder Enterprise Management broadcasts the password change event to the endpoints. When an endpoint receives the broadcast message, the SAM Agent removes the privileged account password from the cache.
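The request flow described above, modeled as an added example; this is not CA ControlMinder or SAM SDK code, and all class and method names are hypothetical. It assumes that a cache hit is answered by the agent without contacting Enterprise Management and that cache entries are keyed per application path, account and user, so a cached password is never handed to a different requester.

```python
# Illustrative model only: hypothetical names, not the SAM SDK API.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PasswordConsumer:
    # The four things the page says a password consumer specifies.
    app_path: str
    accounts: frozenset
    users: frozenset
    hosts: frozenset

    def authorizes(self, app_path, account, user, host):
        return (app_path == self.app_path and account in self.accounts
                and user in self.users and host in self.hosts)

@dataclass
class EnterpriseManagement:
    consumers: list
    vault: dict                       # account -> current password (constructed data)
    audit: list = field(default_factory=list)
    agents: list = field(default_factory=list)

    def request(self, app_path, account, user, host):
        ok = any(c.authorizes(app_path, account, user, host) for c in self.consumers)
        # An audit record is written whether the request is granted or denied.
        self.audit.append((user, host, app_path, account, "GRANTED" if ok else "DENIED"))
        return self.vault[account] if ok else None

    def change_password(self, account, new_password):
        self.vault[account] = new_password
        for agent in self.agents:     # broadcast the change event to every endpoint
            agent.on_password_changed(account)

@dataclass
class Agent:
    host: str
    server: EnterpriseManagement
    cache: dict = field(default_factory=dict)

    def get_password(self, app_path, account, user):
        key = (app_path, account, user)
        if key in self.cache:         # assumption: a cache hit is served locally
            return self.cache[key]
        password = self.server.request(app_path, account, user, self.host)
        if password is None:
            raise PermissionError(f"{user} may not obtain {account} via {app_path}")
        self.cache[key] = password    # cached after the first successful request
        return password

    def on_password_changed(self, account):
        # Drop every cached entry for the changed account.
        self.cache = {k: v for k, v in self.cache.items() if k[1] != account}
```

When reviewing a deployment, the audit list is the place to look for denied requests, since cached hits in this model never reach Enterprise Management and so produce no new record.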

More information:

How to Configure an Endpoint to Use a Password Consumer SDK Application