

CA IT PAM Considerations

This section contains the following topics:

Scenario: How to Use CA EEM on CA User Activity Reporting Module for CA IT PAM Authentication

CA IT PAM Authentication Implementation Process

Prepare to Implement CA IT PAM Authentication on a Shared CA EEM

Copy an XML File to the Management CA User Activity Reporting Module

Register CA IT PAM with a Shared CA EEM

Copy the Certificate to the CA IT PAM Server

Set Passwords for the Predefined CA IT PAM User Accounts

Install the Third-Party Components Required by CA IT PAM

Install the CA IT PAM Domain

Start the CA ITPAM Server Service

Launch and Log in to the CA IT PAM Server Console

Scenario: How to Use CA EEM on CA User Activity Reporting Module for CA IT PAM Authentication

This appendix addresses the scenario where you plan to install CA IT PAM on a Windows server and share the CA EEM on the CA User Activity Reporting Module server for authentication. These procedures supplement those documented in the CA IT Process Automation Installation Guide.

Important! Sharing a CA EEM is not supported in FIPS mode as CA IT PAM is not FIPS compatible. If you upgrade your CA User Activity Reporting Module server to FIPS mode, the integration with CA IT PAM fails.

Note: If you plan to install CA IT PAM on a UNIX server or use LDAP or a local CA EEM for authentication, the documentation in this appendix is not for you. In these instances, you are not sharing the same CA EEM server. CA User Activity Reporting Module r12.1 SP1 can run in FIPS mode and it can communicate with CA IT PAM; however, those communication channels are not FIPS compatible.

For any installation scenario, download the Installation Guide for CA IT Process Automation Manager r2.1 SP03 from Support Online. Also, download Adobe Acrobat Reader so you can open the PDF.

The process that lets you use CA EEM on CA User Activity Reporting Module for CA IT PAM authentication involves two manual steps. You copy one file from the Windows server to the appliance and another file from the appliance to the Windows server. These steps are addressed in this appendix. They are not addressed in the CA IT PAM documentation.

CA IT PAM Authentication Implementation Process

The process of implementing CA IT PAM authentication using the CA EEM on the management CA User Activity Reporting Module server follows:

  1. Prepare to implement CA IT PAM authentication.
    1. Load the CA IT PAM installation package on the Windows server where you plan to install CA IT PAM.
    2. (Optional) Change the default password for the itpamcert.p12 certificate.
  2. Copy the ITPAM_eem.xml file from the host where you plan to install CA IT PAM to the CA User Activity Reporting Module appliance that includes CA EEM.
  3. Register ITPAM as an application instance on the same CA EEM that CA User Activity Reporting Module uses. Running the safex command generates the itpamcert.p12 certificate and the ITPAM application instance with two user accounts, itpamadmin and itpamuser.

    Note: For help on using the safex command, type ./safex.

  4. Copy the itpamcert.p12 file from the CA User Activity Reporting Module appliance to the Windows host where you plan to install the CA IT PAM domain.
  5. Browse to the ITPAM application and reset the passwords for itpamadmin and itpamuser.
  6. Log on to the Windows server and install the third-party components using procedures documented in the CA IT Process Automation Manager Installation Guide.
  7. Install the CA IT PAM domain using the guidelines presented in this appendix and the CA IT PAM installation instructions.
  8. Start the CA ITPAM Server service.
  9. Launch and log in to the CA IT PAM console.

Prepare to Implement CA IT PAM Authentication on a Shared CA EEM

After your installation package is loaded on the Windows server where you plan to install the CA IT PAM domain, you can set a password for the itpamcert.cer certificate.

To prepare to implement CA IT PAM authentication on the CA User Activity Reporting Module management server

  1. Extract the CA IT PAM ISO image to the Windows Server 2003 host where you plan to install CA IT PAM.

    Note: You can find the CA IT PAM ISO image on CD 2 of the CA IT PAM install source.

  2. (Optional) Change the default password for the IT PAM certificate.
    1. Navigate to the <install path>\eem folder.
    2. Open the ITPAM_eem.xml file.
    3. Replace "itpamcertpass" in the following line:
      <Register certfile="itpamcert.p12" password="itpamcertpass"/>
      
    4. Save the file.

Copy an XML File to the Management CA User Activity Reporting Module

The safex command generates CA IT PAM security objects from the ITPAM_eem.xml file. You must copy this file to the CA User Activity Reporting Module appliance where it can be accessed during safex processing.

To copy the ITPAM_eem.xml file to the CA User Activity Reporting Module appliance

Copy the ITPAM_eem.xml file located on the CA IT PAM installation disk to the CA User Activity Reporting Module appliance that includes CA EEM. If you extracted the ISO file onto the Windows server, use WinSCP to copy ITPAM_eem.xml to the /tmp directory of the appliance.

Register CA IT PAM with a Shared CA EEM

You can register CA IT PAM with the CA EEM embedded in the CA User Activity Reporting Module management server. Registration with CA EEM adds CA IT PAM security objects.

CA IT PAM security objects added to CA EEM during registration include the following:

You can create the CA IT PAM security objects on the CA User Activity Reporting Module management server. Before you begin, obtain the caelmadmin password, if not already known.

To register CA IT PAM with the CA EEM on the CA User Activity Reporting Module management server

  1. Log on to the CA User Activity Reporting Module appliance through ssh as the caelmadmin user.
  2. Switch users to the root account.
    su -
    
  3. Change directories to the target path and list the contents.
    cd /opt/CA/SharedComponents/iTechnology
    ls
    
  4. Verify that the following files are listed:
  5. Execute the following command:
    ./safex -h <ELM_hostname> -u EiamAdmin -p <password> -f ITPAM_eem.xml
    

    This process creates the CA IT PAM application in the CA User Activity Reporting Module management server, adds the default users, and generates the certificate needed during IT PAM installation. The certificate is generated with the password you specified in the ITPAM_eem.xml file or, if you did not change it, with the default password itpamcertpass.

    Note: For help on using the safex command, type ./safex.

  6. List the directory contents and verify that the itpamcert.cer is present.
  7. Remove the CA IT PAM configuration XML file. This is recommended for security reasons.
    rm ITPAM_eem.xml
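
A pre-flight and cleanup check for the registration steps above, as an added example that is not part of the CA documentation. It assumes the Register element sits on one line as shown in the preparation step; the function names and the script name are illustrative.

```shell
#!/bin/sh
# Added example, not CA code: checks around the ITPAM_eem.xml hand-off.
DEFAULT_CERT_PASS="itpamcertpass"   # default value stated in this appendix

# Print the password attribute of the first single-line <Register .../> in $1.
register_password() {
    sed -n 's/.*<Register[^>]*[[:space:]]password="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 = password changed, 1 = still default or empty,
# 2 = file unreadable or no Register password attribute found.
check_cert_password() {
    [ -r "$1" ] || return 2
    grep -q '<Register[^>]*password="' "$1" || return 2
    pw=$(register_password "$1")
    if [ -z "$pw" ] || [ "$pw" = "$DEFAULT_CERT_PASS" ]; then
        return 1
    fi
    return 0
}

# After safex: report any ITPAM_eem.xml left in the given directories, since
# the file holds the certificate password in clear text. 0 = none remain.
leftover_xml() {
    found=0
    for dir in "$@"; do
        if [ -e "$dir/ITPAM_eem.xml" ]; then
            echo "still present: $dir/ITPAM_eem.xml"
            found=1
        fi
    done
    return "$found"
}

# Optional driver: sh check_itpam_eem.sh /tmp/ITPAM_eem.xml
if [ -n "${1:-}" ]; then
    if check_cert_password "$1"; then
        echo "certificate password differs from the default"
    else
        echo "default, empty or missing Register password in $1"
    fi
fi
```

Run check_cert_password before the safex step, and leftover_xml with /tmp and /opt/CA/SharedComponents/iTechnology after the removal step, because the file was first copied to /tmp.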
    

Copy the Certificate to the CA IT PAM Server

When you ran the safex command from CA User Activity Reporting Module to register CA IT PAM with its CA EEM, this process generated the itpamcert.p12 certificate. You must copy this certificate to the Windows server where you plan to install the CA IT PAM domain. During CA IT PAM domain installation, you browse for this certificate file.

To copy the certificate from the CA User Activity Reporting Module appliance to the target Windows server

Copy the itpamcert.p12 file from the CA User Activity Reporting Module appliance that includes CA EEM to the host where you plan to install CA IT PAM.

Set Passwords for the Predefined CA IT PAM User Accounts

Execution of the safex command creates the following:

You must reset the password for the two predefined IT PAM users.

To reset the passwords for itpamadmin and itpamuser in the IT PAM application on CA EEM

  1. Browse to the URL of the server where the CA EEM used by CA User Activity Reporting Module is installed, for example, the CA User Activity Reporting Module management server:
    https://<ELM_managementserver>:5250/spin/eiam
    

    The CA EEM logon screen appears. The Application pull-down list includes <Global>, CAELM, and ITPAM.

  2. Log in to the IT PAM application:
    1. Select ITPAM as the application.
    2. Type EiamAdmin as the user name.
    3. Type the password for the EiamAdmin user account.
    4. Click Log In.
  3. Click the Manage Identities tab.
  4. In the Search Users dialog, type itpam for Value and click Go.

    The following users appear in the list

  5. Reset the password for itpamadmin:
    1. Select itpamadmin from the list and scroll to Authentication in the right pane.
    2. Select Reset password.
    3. Type the password for this account for New Password and again for Confirm Password.
    4. Click Save.
  6. Reset the password for itpamuser:
    1. Select itpamuser from the list and scroll to Authentication in the right pane.
    2. Select Reset password.
    3. Type the password for this account for New Password and again for Confirm Password.
    4. Click Save.
  7. Click Log Out.

Install the Third-Party Components Required by CA IT PAM

JDK 1.6 or higher must be installed on your system before you install the third-party components. Run Third_Party_Installer_windows.exe on the Windows server where you plan to install CA IT PAM. See the CA IT Process Automation Manager Installation Guide for details.

Install the CA IT PAM Domain

Running the CA IT PAM wizard with the specifications described here links the certificate so that CA IT PAM and the CA EEM on the CA User Activity Reporting Module management server are trusted.

Have the following information at hand:

For instructions on installing the CA IT PAM domain, see the CA IT Process Automation Manager Installation Guide that accompanies the software. Use the following procedure for specifics on configuring the EEM security settings.

To install the CA IT PAM domain

  1. If the IT PAM installation wizard is not launched as a continuation of installing third-party components, launch CA_ITPAM_Domain_windows.exe.
  2. Follow the instructions in your CA IT PAM documentation until you get to Select Security Server Type.
  3. When the Select Security Server Type dialog appears, select EEM for Security Server and click Next.

    The EEM Security Settings page appears.

  4. Complete the EEM security settings as follows:
    1. Enter the host name of the CA User Activity Reporting Module management server in the EEM server field.
    2. Enter ITPAM in the EEM Application field.
    3. Click Browse and navigate to the folder where you put itpamcert.p12.
    4. Select itpamcert.p12.
    5. Complete the EEM Certificate Password field in one of the following ways:
      • Enter the password you replaced in the ITPAM_eem.xml file during the preparation step.
      • Enter itpamcertpass, the default password.
  5. Click Test EEM Settings.

    The message "Performing a test...may take a few minutes" appears.

  6. Click OK.

    The Verify EEM settings dialog appears.

  7. Enter itpamadmin as the user name. Enter the password you set for the itpamadmin user account and click OK.
  8. Click Next. Follow IT PAM documented instructions to complete the rest of the wizard.

Start the CA ITPAM Server Service

Start the CA ITPAM Server service so that you and others can launch the CA IT PAM server.

To start the CA ITPAM Server service

  1. Log on to the Windows server where you installed the CA IT PAM domain.
  2. From the Start menu, select Programs, ITPAM Domain, Start Server Service.

    Note: If this menu option is not displayed, select Administrative Tools, Component Services. Click Services, click CA IT PAM Server, and click Start the service.

Launch and Log in to the CA IT PAM Server Console

You can launch the CA IT PAM server from a browser on any system where the Java JRE 1.6 or JDK 1.6 API is installed and integrated.

To launch the CA IT PAM management console

  1. Enter the following URL in the address bar of a browser:
    http://<itpam_server_hostname>:8080/itpam/
    

    The CA IT Process Automation Manager logon screen appears.

  2. Enter itpamadmin in the User Login field.
  3. Enter the password you assigned for this user account in the Password field.
  4. Click Log In.

    The CA EEM on the CA User Activity Reporting Module appliance authenticates your login credentials and opens the CA IT Process Automation Manager.

For details on integrating and using CA IT PAM with CA User Activity Reporting Module, see the "Working with CA IT PAM Event/Output Processes" section of the Action Alerts chapter in the CA User Activity Reporting Module Administration Guide.

More information:

Enabling Dynamic Values Import

Working with CA IT PAM Event/Alert Output Processes