
CA Privileged Access Manager - 2.8
Using

Date: 22-Mar-2017

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.

Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.

22-Mar-2017 3/25
Table of Contents

Account Types ............................................................................................. 7


'super' (root account) ................................................................................................................................... 7
'config' (root account) .................................................................................................................................. 8
Provisioned Users ....................................................................................................................................... 8

Log in to CA Privileged Access Manager .................................................... 9


Update Active Directory Password Through Login .................................................................................... 12
MacOS login .............................................................................................................................................. 12
Log in Using PIV/CAC with Windows Target (Kerberos) ........................................................................... 12
Dashboard ................................................................................................................................................. 13
Dashboard Panel Components ........................................................................................................... 14

Review the Access Page ........................................................................... 15

Apply Your Account Settings ..................................................................... 16

Customize Your UI Settings ...................................................................... 17


Target Device Interfaces ........................................................................................................................... 17
Access Methods ........................................................................................................................................ 17
Services ..................................................................................................................................................... 17

Display and Access Devices ..................................................................... 18


List the Devices Available ......................................................................................................................... 18
Display Settings ......................................................................................................................................... 18
Restart Session ......................................................................................................................................... 18
Regular and Out-of-Band Devices ............................................................................................................ 18
Filter Views ................................................................................................................................................ 18
Using Multiple Values .......................................................................................................................... 19
Views ................................................................................................................................................... 20

Access the Devices ................................................................................................................................... 20
Computer Devices ............................................................................................................................... 20
Access Method ........................................................................................................................... 20
Web Portal ................................................................................................................................. 22
RDP Application ......................................................................................................................... 22
Notes .......................................................................................................................................... 22
Service ....................................................................................................................................... 22
Out-of-Band Devices ........................................................................................................................... 23
Setting Power On/Off ................................................................................................................. 24
SSL VPN ............................................................................................................................................. 24
Viewing SSL VPN Targets ......................................................................................................... 24
Launching Access ...................................................................................................................... 24

View and Permit Views of Passwords ....................................................... 25


View a Password ....................................................................................................................................... 25
View a Password Requiring Dual Authorization ........................................................................................ 25
Check in a Password ................................................................................................................................. 25


Using
The content in this section describes end-user procedures for CA Privileged Access Manager.
Account Types (see page 7)
Log in to CA Privileged Access Manager (see page 9)
Review the Access Page (see page 15)
Apply Your Account Settings (see page 16)
Customize Your UI Settings (see page 17)
Display and Access Devices (see page 18)
View and Permit Views of Passwords (see page 25)


Account Types

'super' (root account)


CA Privileged Access Manager has two preconfigured user accounts: 'super' and 'config'. The 'super'
account is a superuser (or root) account that has access to all CA Privileged Access Manager settings
(and thus the config account settings). Like the config account, super cannot be deleted.

1. Point your browser to the CA Privileged Access Manager URL.

2. When you log in for the first time, accept the license agreement. Click I Agree to continue.

3. Enter your default "root" credentials (User: super / Password: super) and click ENTER.

4. The first time that you log in:

a. You see at least two requests to accept Java. If the Java console is enabled, you
also see the Java console start up.

b. You see the My Info page modal view over the Dashboard. Several fields are available
for edit, but you are required to change at least the default password ("super").

5. Change the password by using the fields Old Password, New Password, and Reconfirm.
The strength of the new password must conform to Security Level 2, which requires that the
updated password:

a. Differ from the previous password

b. Have a length between the Global Settings values for Min Length (default: 6) and Max
Length (default: 14)

c. Have at least one (Latin) alphabet character

d. Have at least one numerical digit character

6. Change any other fields that are desired, and click Save.
A warning message appears: "Configuration Password is still the default value." Address this
warning now, as described in 'config' (root account).

7. Select Log Off at the upper right-hand corner.


'config' (root account)


We recommend that you use this configuration account only for initial setup. Change the password
from default using the Change Password button in the Toolbar Menu. Consider also changing the
"config" Login Id in addition to the Password using the Change Password menu. Store the password in
a safe place and use it only for emergencies when other authentication methods are not available.
This account is used only for CA Privileged Access Manager configuration. Reset its password:

1. Access URL: https://YourCAPAMaddress/config/

2. In the pop-up window, enter: User Name: config / Password: config

3. When you are logged in, click Change Password in the upper right-hand toolbar menu.

4. In the Password and Confirm fields (in the Change Config User Login Id and Password panel),
enter your new password.

5. In the same panel, click Update.


As long as the updated passwords match, you are immediately logged out and returned to the
administration login page.

6. You can also access the Config menu through the Admin menu.

Provisioned Users
All other Users that you create, regardless of their roles, are initially presented with the My Info page
for password change. After changing their passwords, they land on the default page suitable to their
roles.

Global Administrators (including the 'super' account) and Operational Administrators land at the
Dashboard page.

Most End Users (with the "Standard User" role) land on the Access page (whether or not it is
populated with any access links). They do not see the dark gray Admin menu bar.

Other Users with various combinations of roles land on the Access page, but also see a
customized Admin menu bar.

The 'config' account has access only to the Config menu and other toolbar items, and cannot
access the Admin menu at all.


Log in to CA Privileged Access Manager


You can log in to CA Privileged Access Manager from multiple platforms and browsers.

Follow these steps:

1. From your browser, enter the CA Privileged Access Manager login page address:
https://CAPAMAddress/ (for example, https://capam.example.com/)

The credentials are specific to CA Privileged Access Manager. You could have single
sign-on provisioning or might have to supply credentials at the point of login to a
target system. Check with your CA Privileged Access Manager administrator. In
addition, at the login page you can also:

Have an Authentication Type that differs from "Local", such as "RSA" or
"RADIUS". In that case, you are also asked to specify which authentication
Domain is to be used.

Accept an organizational license.

2. Enter your credentials, and click ENTER.

3. If you log in on a Windows computer, skip to step 5.

4. If you log in on a Mac OS, continue with these steps:


The first time that you enter your credentials, you are prompted with a pop-up "Gatekeeper
Helper" window. Enter your Mac administrator credentials to log in. In the future, whenever
your user policy changes (as set by your CA Privileged Access Manager administrator), you
might be asked to enter Mac administrator credentials again. However, no other Mac-related
user interaction is required.

a. If you are logged in to your Mac as a regular (non-administrator) user, the prompt asks
for both a Mac administrator name and password.

b. If you are logged in to your Mac as an administrator, the prompt asks only for the
corresponding administrator password.

5. Enter the required credentials and click OK.

6. If you log in for the first time, you see a window that requires you to change your
password, and other account information. The new password must:

Differ from the previous password

Have a length between the Global Settings values for Min Length (default: 6) and Max
Length (default: 14)

Have at least one (Latin) alphabet character

Have at least one numerical digit character

7. You cannot change your UserID. In addition to your contact information, you can add or
update the following items where they are applicable to you:

RDP Username

Mainframe Display Name

Keyboard Layout

Terminal Customization (User Settings)

To change these settings, select the My Info link from the Toolbar at the top right,
which reopens this page.

8. You can customize the terminal settings for use of any Device. Select the check box at the
bottom of the Account Information / Contact Information page (below Keyboard Layout) to
display the settings panels.

a. Select Update at the bottom right corner of the pane; your login process resumes.

b. While your login progresses you see a progress indicator and the framework of your
page, and you have access to Toolbar items. Ordinarily, this process takes a few
moments.

c. If you are an Administrator with Global Administrator level privileges, you arrive at the
Dashboard. These privileges include 'super' and those with the role Global
Administrator or Operational Administrator.

Because you have logged in as "super", you have a User role of "Global
Administrator". This role provides you with access to the Dashboard page.

The Dashboard provides information but not functional links. Its features are
described in detail in Reference: GUI Reference: Access: Dashboard.

Above the Dashboard is the gray administration menu bar. To the right of the first
menu item, "Access", are Dashboard access controls:

Dashboard button – Returns you to the Dashboard when you are anywhere else in the
administration menu
Dashboard Refresh button – Appears when you are at the Dashboard page. Refreshes
Dashboard with current information.

Otherwise, you will arrive at the Access page, from which you are able to make
connections and view passwords.
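The Security Level 2 password rules listed in step 6 above, and again in the 'super' account procedure, can be checked locally before you submit the My Info form. The following Python is an added example written for this page; it is not CA Privileged Access Manager code and calls no CA API. The function names, the reading of "(Latin) alphabet character" as an ASCII letter, and the sample passwords are assumptions; the Min Length and Max Length defaults are the ones the page documents, and they are parameters because an administrator can change them in Global Settings.

```python
import re
from typing import List

# Security Level 2 defaults as documented on this page. They are parameters
# below because an administrator can change them in Global Settings.
DEFAULT_MIN_LENGTH = 6
DEFAULT_MAX_LENGTH = 14

# The page requires "at least one (Latin) alphabet character"; reading that as
# an ASCII letter is an assumption, the page does not spell out the class.
_LATIN_LETTER = re.compile(r"[A-Za-z]")
_DIGIT = re.compile(r"[0-9]")


def security_level_2_violations(new_password: str, old_password: str,
                                min_length: int = DEFAULT_MIN_LENGTH,
                                max_length: int = DEFAULT_MAX_LENGTH) -> List[str]:
    """Return the Security Level 2 rules that new_password breaks.

    An empty list means the password would be accepted by the My Info form.
    Every rule is checked independently so the user sees all problems at once.
    """
    violations = []
    if new_password == old_password:
        violations.append("must differ from the previous password")
    if not min_length <= len(new_password) <= max_length:
        violations.append(
            f"length must be between {min_length} and {max_length} characters "
            f"(got {len(new_password)})")
    if not _LATIN_LETTER.search(new_password):
        violations.append("must contain at least one Latin alphabet character")
    if not _DIGIT.search(new_password):
        violations.append("must contain at least one numerical digit")
    return violations


def is_acceptable(new_password: str, old_password: str, **limits) -> bool:
    """True when new_password satisfies every Security Level 2 rule."""
    return not security_level_2_violations(new_password, old_password, **limits)


if __name__ == "__main__":
    # Constructed sample inputs. The first case is what happens if you try to
    # keep the factory 'super' password that the first login requires you to replace.
    samples = [
        ("super", "super"),
        ("super", "capampassword"),     # letters only, no digit
        ("super", "Capam2017"),         # accepted under the defaults
        ("super", "Capam2017longer!"),  # 16 characters: over the default Max Length
    ]
    for old, new in samples:
        problems = security_level_2_violations(new, old)
        print(f"{new!r}: {'accepted' if not problems else '; '.join(problems)}")
```

Run it as a script to see each constructed sample classified. The default Max Length of 14 is enforced exactly as the page describes it; if your administrator has raised it in Global Settings, pass the new value as max_length.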


Option – Description (* = required)

Account Information tab

UserID* – View the current user ID. This field cannot be edited.

Old Password* – Confirm the previous password.

New Password* and Reconfirm* – Change to another password, then verify that the password was
specified correctly.

Email* – Edit a contact email address.

RDP Username – Used by the RDP applet in credentials for access to a remote Windows device.
RDP Username accepts a name with an embedded backslash (for example, DOMAIN\username) to log in
to a domain account.

Mainframe Display Name – Display Name used by the AS/400 applets TN3270, TN3270SSL, TN5250,
and TN5250SSL.

Keyboard Layout – Conforms CA Privileged Access Manager keyboard input to native keyboard output.
Options: AUTO (default; CA Privileged Access Manager uses the current local default keyboard
layout), or select a layout from this list:
DA – Danish
DE – German
EN-GB – English (UK / British)
EN-US – English (US / American)
ES – Spanish
FI – Finnish
FR – French
FR-BE – French (Belgian)
FR-CH – French (Swiss)
HU – Hungarian
NO – Norwegian
PL – Polish
RU – Russian
SV – Swedish

Contact Information tab

First Name* – Change a user's first name.

Last Name* – Change a user's last name.

Phone – Edit or add a contact telephone number.

Cell Phone – Edit or add a cellular, mobile, or alternate contact phone number.

Email self on login – Enable an email to be sent to the above-specified email address on each
login. This alerts you when the account is being used by someone else.

Terminal Customization tab

SSH & Telnet Terminal Settings panel

CLI Terminal Customization – Checkbox to open options.


Update Active Directory Password Through Login


If you configure CA Privileged Access Manager to use Active Directory user accounts, you can update
the Active Directory account passwords (https://docops.ca.com/display/CAPAM28/LDAP#LDAP-
_AD_password_updating) during login.

MacOS login
After you attempt to log in from MacOS, you are prompted each time for administrator
credentials to continue.

If you are logged in to your MacOS as a regular (non-administrator) user, the prompt asks for both
a MacOS administrator name and password.

If you are logged in to your MacOS as an administrator, the prompt asks only for the
corresponding administrator password.

Log in Using PIV/CAC with Windows Target (Kerberos)

If you are a PIV/CAC smart card user, you can log in silently and automatically to a destination
Windows computer.

Follow these steps:

1. If your UI shows a menu bar with an Access link, click that link.

2. Click the RDP link for the desired Device to launch a connection to it.
A window prompts you to Enter your credentials …

3. Click Smart Card.


A new screen appears prompting you to Choose the smart card credential (Kerberos
authentication).

4. Enter the following:

a. Select a username from its drop-down list.

b. Select the smart card provider local software (example: “ActivClient …”) that you use.

c. Enter your PIN for this smart card.

5. Click Login to access the Device.

a. (Optional) If Kerberos is not being used, click Login Form to access the Device.

6. (Optional) If you did not select the correct Provider (above), and depending on the card
system you use, you are prompted by one or more smart card provider-specific interfaces.

a. At each additional request, enter your PIN to continue login.

7. The applet window (RDP interface) to your target Windows computer displays a lock icon at
the left side of its RDP banner.

a. (Optional) Click this to identify the authentication protocol. In this case, a pop-up
window confirms that “the identity of the remote computer was verified using
Kerberos”.

If your credentials are correct, you are then logged in to your target Device.

Dashboard
The Dashboard provides a Global Administrator with a snapshot of CA Privileged Access Manager
system component status.


Dashboard Panel Components


Messages – CA Privileged Access Manager puts information for the user in the Messages section
of the Dashboard.

Account Information –
User ID – For this login account (email address)
Last Successful Login – Most recent login start time, before the current login, for this User ID
login account.
Hostname – For this appliance, or cluster VIP

Current Access Activity –
Recent Logins shows the number of currently active User login sessions. This number
includes multiple logins of the same User (when applicable).
Sessions shows the number of currently active connection sessions. This number
includes multiple connections from the same User to the same Device (when applicable).
Passwords Over Past 12 Hours shows the number of password view Requests and
password Changes initiated.

Status or Cluster Status – Per Hardware Appliance. The order of the appliances is the same as
that in Config, Appliance Synchronization.
Hostname - assigned
IP - IP Address assigned
MAC - Address assigned
CPU - CPU capacity in use
RAM - Memory in use
HDD - Disk storage in use

License Usage – Quantities currently: (In Use) / (Licensed)
Session Management – For Access target use
Credential Management – For password management target use
A2A Management – For A2A request server use

Elements Under Management – Quantities currently of:
Devices – Target Devices in use (all types)
Users – CA PAM User accounts registered
Target Accounts – Privileged user target accounts registered
A2A Accounts – A2A target accounts registered

Recent Events – Time, User, and Details message for recent connection and violation log events
(most recent are listed first).


Review the Access Page


The Device Access Password interface is seen as:

The unmarked landing page for the Standard User

The Access link on the Menu bar for any User with privileges beyond the Standard User role

The Access page provides a consolidated interface from which you can:

Establish a connection session to any permitted CA Privileged Access Manager Device

View the password of any permitted Target Account (of a Target Application maintained on a CA
Privileged Access Manager Device)

After you log in, a page appears with three columns labeled Device Name, Access Methods, and
Target Applications. If your administrator has provisioned CA Privileged Access Manager Devices and
assigned policy to you (or your User Group), you might have several rows. For example, you might
have Devices named "RH3", "Win2k", and "WS2". Each line item corresponds to access features
available to you for that device.

For example, an Access Method named "RDP_3389" might be available for your download and
automatic connection to Device "Win2k". Clicking "RDP_3389" triggers an applet to be downloaded
to your computer. The applet automatically executes a connection to the physical device labeled in
CA Privileged Access Manager as "Win2k". Depending on whether single sign-on is configured for
that Device, you are either prompted to enter a username and password or logged in automatically,
landing in the home directory.

In the right-hand column labeled "Target Applications", there is a drop-down list corresponding to
Device "WS2". There might be a Target Application, such as "MSSQL", on that Device ("WS2").
Indented below that name might be a Target Account ("User1"). The items in this menu prompt
Password Views. Thus if you select "User1" you invoke an overlay window that asks for your
password viewing credentials. When you supply them, the password appears.


Apply Your Account Settings


Two My Info tabs allow you to specify several interface-related account settings and personal
information for administrator/contact use:

Account Information – User ID, Password, Email, RDP Username, Mainframe Display Name,
Keyboard Layout (15 language-based options)

Contact Information – First Name, Last Name, Phone, Cell Phone, and a checkbox to trigger an
email to oneself upon each login


Customize Your UI Settings


You can customize your experience with the UI and the interaction with target devices.

The UI has a fixed-pixel width that you can adjust using the zoom capability of your browser.

Target Device Interfaces


The third My Info tab allows you to customize your access display:

Terminal Customization – CLI settings for SSH/Telnet terminal display (character encoding, font,
font size, window size, etc.); RDP display graphical resolution (fixed dimensions, or full screen)

The interface for accessing target devices is provided in a new window outside the UI.

Access Methods
You can customize the SSH and Telnet Access Method window display, and the resolution of RDP
Access Method (applet) display. Under the My Info toolbar item, select the Terminal Customization
tab, and for:

SSH/Telnet – Select CLI Terminal Customization checkbox, and change as desired.

RDP – Under RDP Resolution at the bottom of the panel select the screen size (pixel "real estate")
to be displayed.

Services
These are connection applications that are handled by CA Privileged Access Manager, but (except for
the Browser) are not native to it:

Local application – This appears the same as without CA Privileged Access Manager.

Web portal (websites) – Depending on the CA Privileged Access Manager browser setting for the
web portal, one of the following is invoked to present the HTTP/HTTPS target site:

Native browser – the same browser that is used to access CA Privileged Access Manager

Xceedium Browser – a CA proprietary browser with restricted functions that is based on
JxBrowser


Display and Access Devices


Users use CA Privileged Access Manager to find remote devices, applications, and accounts and to
obtain the connections and passwords needed to work on those devices. A CA Privileged Access
Manager administrator role involves any type of management of the appliance and its managed
objects. This page reviews end-user functions and provides additional information for the administrator.

List the Devices Available


Your access policy, determining what Devices and passwords you can access, is dynamically applied
during your login. This process results in the set of objects available on your Access page.

Display Settings
To reset your graphical session (RDP, VNC) window size, select the Display Settings link to show a
pop-up menu with the available size options (pixel width by height - for example, "1024x768"). The
currently active option is marked in bold.

Restart Session
Selecting Restart Session resets your session to your initial login state, without logging you out. Your
connections are closed and you must re-establish them.

Regular and Out-of-Band Devices


The default Access view shows the regular, computational "in-band" devices. However, you might
need access to "out-of-band" devices your administrator has configured.

To switch the device listing to see (only) out-of-band (KVM, power, and serial) devices you have
access to, click the OOB Devices link in the menu bar at the top center of the white page body.

You can switch back to the regular list by clicking the non-OOB Devices link.

Filter Views
By default, you see an unfiltered view that shows all Devices and methods you are permitted to use.
You can then filter this list by specifying necessary field values so that it shows fewer Devices.

Follow these steps:


1. Click Search to filter the records and update the list. (The list label now says "Filtered.")

2. To undo the search and restore the original list, click Clear (now visible at the right-hand end
of the Search box).

3. To save the search results to a permanently stored View, click Save as View to invoke the
Save View pop-up window.

4. Give it a View Name (up to 15 characters), select Set as Default if you want the view to
appear whenever you log in (for administrators: also, whenever you open the Access page),
and click Save New View.

5. The view can now be invoked from My Views at the top of the page body (to the left of the
Search box).

Filters are not labeled as such; they are invoked through additional features of the Search function.

1. Click your mouse in the gray Search field at the upper right. Select items from the enumerated
list for any of these Device fields: OS (Operating System field), Location, and Tag.

2. Filtering is done as you make selections (automatically and immediately).

3. To undo all filtering for any particular field, click Clear (at the right of its Name (Quantity)
label).

Using Multiple Values


Within a field – Selecting multiple values within a field produces a correspondingly larger list of
records. Each record in that list contains a field value that matches one of the selected values. To
select multiple values within a field:

To select a sequence of values: Select the first value of the sequence, hold the Shift key, and
select the last value of the sequence.

To select individual values (sequential or not): Hold the Ctrl key while selecting values (Figure 78,
Location field).

Across fields – Selecting values in multiple fields produces the intersection of the separate results
for all fields. Thus, each record in that list contains:

For the Operating System field, a field value that matches one of the selected values in the OS list
(if there are any selected values for OS);

For the Location field, a field value that matches one of the selected values in the Location list (if
there are any selected values for Location);

and

For the Tag field, a field value that matches one of selected values in the Tags list (if there are any
selected values for Tags).
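The union-within-a-field, intersection-across-fields rule above is easy to get wrong when you reason about which Devices a filter will hide. The following Python is an added example written for this page, not CA Privileged Access Manager code; it models the three filterable fields the page names (OS, Location, Tag) over a constructed device list and also computes the per-value counts that the page says appear in each field's "Name (Quantity)" label. The device records, the idea that a Device may carry several Tags, and the function names are assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample records. The device names echo the page's examples; the
# field values and the idea that a Device carries several Tags are assumptions.
DEVICES = [
    {"name": "RH3",   "os": "Linux",   "location": "NYC", "tags": {"prod", "db"}},
    {"name": "Win2k", "os": "Windows", "location": "NYC", "tags": {"prod"}},
    {"name": "WS2",   "os": "Windows", "location": "LON", "tags": {"dev", "db"}},
    {"name": "ESX1",  "os": "VMware",  "location": "LON", "tags": set()},
]


def _field_matches(value, selected: set) -> bool:
    """Within one field, any selected value matching counts as a hit (union)."""
    if isinstance(value, (set, frozenset)):   # multi-valued field (Tag)
        return bool(value & selected)
    return value in selected


def filter_devices(devices: Iterable[dict],
                   os: Optional[Iterable[str]] = None,
                   location: Optional[Iterable[str]] = None,
                   tags: Optional[Iterable[str]] = None) -> List[str]:
    """Return the names of the Devices that survive the Search-box filters.

    A field with no selected values does not constrain the result. A field with
    several selected values matches a Device if ANY of them matches (union).
    Selections in different fields are combined with AND (intersection).
    """
    selections: Dict[str, set] = {
        "os": set(os or ()),
        "location": set(location or ()),
        "tags": set(tags or ()),
    }
    kept = []
    for device in devices:
        if all(_field_matches(device[field], chosen)
               for field, chosen in selections.items() if chosen):
            kept.append(device["name"])
    return kept


def field_quantities(devices: Iterable[dict], field: str) -> Dict[str, int]:
    """Count how many Devices carry each value of a field.

    This is the number the Access page shows as "(Quantity)" beside each value
    in the filter list; a Device with several Tags is counted once per Tag.
    """
    counts: Counter = Counter()
    for device in devices:
        value = device[field]
        counts.update(value if isinstance(value, (set, frozenset)) else [value])
    return dict(counts)


if __name__ == "__main__":
    print("no filter:          ", filter_devices(DEVICES))
    print("OS Windows or Linux:", filter_devices(DEVICES, os=["Windows", "Linux"]))
    print("OS Windows AND NYC: ", filter_devices(DEVICES, os=["Windows"], location=["NYC"]))
    print("Tag db:             ", filter_devices(DEVICES, tags=["db"]))
    print("OS quantities:      ", field_quantities(DEVICES, "os"))
```

Selecting both Windows and Linux in the OS field widens the list to three Devices, while adding a Location of NYC narrows the Windows selection to a single Device; that is the union-then-intersection behaviour the text describes.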


Views
As noted in the previous descriptions for Search and Filter, any filtering operation can be saved for
repeated use as a View.

Save as View – You can create a new view from the current filtering by using the Save View pop-
up window.

Manage View – After a view has been created, you invoke a similar pop-up to edit its View Name,
apply or remove its default status, or delete it.

Load a View – Select it from the My Views link; the menu item of the currently loaded view is shown in bold.

Access the Devices


Computer Devices

For users without a local account in CA Privileged Access Manager (for example, if LDAP
or RADIUS provisioned): On your first login, if you are not a local User you might be required
to go to the My Info page and click Save before attempting to access a device. This step is
necessary to propagate functionally required settings.

To access a device from its line-item listing, click a link on the Access list:

Access Methods (VNC, Telnet, SSH, RDP), Web Portals, and your custom Services are launched by
clicking their blue, named text buttons.

Applications and CA Privileged Access Manager-defined Services appear in a drop-down list.

When you hover your mouse over a Service or Web Portal, a pop-up hint window displays target
address, port and other information.

Access Method
Selecting an Access Method downloads to your computer a Java applet customized to use the
protocol (RDP, SSH, other). The applet is configured to initiate a connection to the specified
Device automatically.
To launch an Access Method:

From the list or drop-down list, click the desired Access Method button.

CLI Applet (Telnet, SSH)


If you have selected a CLI-based applet, a MindTerm terminal emulation applet with a control
menu appears.


If you have an SSO (single sign-on) configured (through Policy, Manage Passwords), those
credentials are applied and the terminal opens already logged in.

Terminal window characteristics (window size, font, colors, and other features) are configured at
several levels. Verify them with your CA Privileged Access Manager administrator:

By an administrator using global default settings

By an administrator using default settings for a specific Device

By you for your specific use (overriding the Global Settings) in: Toolbar: My Info, Xceedium
Terminal Customization (User Settings)

SSH with X11 Forwarding


For an SSH Access Method applet configured to forward X11:

1. From the Access page, launch the SSH applet.


You are prompted for your local display coordinates (default is 0,0).

2. Enter your display coordinates.


Your SSH session begins.

3. Invoke an xterm for a graphical application. If you are using Cygwin, use the "x-terminal-
emulator" command (not "xterm").

4. You can now start X-Windows commands from the SSH applet.
The X11 traffic is forwarded through the SSH tunnel to the X11 server running on the client
host, where the application is displayed to the user.
For example, using Cygwin:
From within the SSH applet, invoke: xeyes
The xeyes window now displays on the user's local X11 server.

See the settings table in Provisioning: Devices: Set up Devices: Create/Edit Devices for administrator
setup of X11 forwarding.
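The procedure above assumes that the DISPLAY the SSH session hands you really points back through the tunnel to the X11 server on your client host. The following shell functions are an added example (not part of the CA Privileged Access Manager documentation or product) for checking that before launching xeyes or any other graphical program. They rely on a fact about OpenSSH rather than about this product: sshd's X11DisplayOffset defaults to 10 and X11UseLocalhost defaults to yes, so a forwarded display is normally named localhost:10.0 or higher, whereas a bare :0 means the program would try to open a local X server on the Device itself. The numeric values in the usage lines are constructed inputs.

```shell
#!/bin/sh
# Added example, not CA PAM code: sanity-check a DISPLAY value before running
# X11 programs inside a forwarded SSH session.

# Print the TCP port an X display name maps to (6000 + display number).
# "localhost:10.0" -> 6010, ":0" -> 6000. Returns 1 on a malformed name.
x11_display_port() {
    disp=${1#*:}          # strip the host part:  "localhost:10.0" -> "10.0"
    num=${disp%%.*}       # strip the screen part: "10.0" -> "10"
    case $num in ''|*[!0-9]*) return 1 ;; esac
    echo $((6000 + num))
}

# Return 0 if the display name looks like one sshd created for X11 forwarding:
# host is loopback (X11UseLocalhost yes) and the display number is at or above
# the default X11DisplayOffset of 10. Takes the value as $1 so it can be tested
# without a live session; pass "$DISPLAY" in practice.
x11_is_forwarded() {
    d=$1
    [ -n "$d" ] || return 1
    host=${d%%:*}
    disp=${d#*:}
    num=${disp%%.*}
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $host in localhost|127.0.0.1) ;; *) return 1 ;; esac
    [ "$num" -ge 10 ]
}

# Interactive pre-flight for the current session: run this in the SSH applet
# before starting a graphical program. Uses xauth if it is installed.
x11_preflight() {
    if x11_is_forwarded "$DISPLAY"; then
        echo "DISPLAY=$DISPLAY is an sshd-forwarded display (proxy port $(x11_display_port "$DISPLAY"))"
    else
        echo "DISPLAY='${DISPLAY:-unset}' is not a forwarded display; X11 forwarding is not active" >&2
        return 1
    fi
    if command -v xauth >/dev/null 2>&1; then
        xauth list "$DISPLAY" >/dev/null 2>&1 || echo "warning: no xauth cookie for $DISPLAY" >&2
    fi
}

# Constructed usage (no real session needed):
x11_display_port localhost:10.0     # prints 6010
x11_is_forwarded :0 || echo ":0 is the Device's own X server, not your client host"
```

If x11_preflight reports that the display is not forwarded, the usual causes are that the Device is not configured for X11 forwarding (see the settings table referenced above) or that the display coordinates entered at the applet prompt do not match a running X server on your client.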

Graphical Applet (RDP, VNC)


Several seconds after you mouse over the applet link, you can select the applet window resolution,
and can select any of your local drives for mapping onto the RDP target.

If you select an RDP applet:

The applet first displays a splash screen.

Then, the interface emulation window of the applet appears.


If credentials are not being passed (for example, through a single sign-on (SSO) configuration),
you land at a credentials prompt. You can use the emulated interface as you would with native
RDP, that is, much as you would use the server locally.


Web Portal
Selecting a Web Portal invokes on your computer a browser session with the web server on the
specified Device. To focus interaction within the Web Portal, the browser controls (File menu bar,
Back/Forward buttons, and others) are mostly disabled.
To launch a Web Portal:

From the list, click the desired portal name.

If credentials have been configured in CA Privileged Access Manager, they appear in cleartext in
the upper left, so anyone who can see your screen can read them. You can copy and paste them
into fields in the portal interface.

A new browser window or tab launches and attempts to land at the target website.

RDP Application
Selecting an RDP Application connects to the specified Device and launches the specified RDP
Application on the target device.

Notes
The connection method is either an Access Method or a Service; it is not identified on the Access
page. (See the method descriptions elsewhere in this section.)

If credentials are needed but not passed, connection progress stops at the credentials prompt.

To launch an RDP Application:

1. From the list or drop-down list, select the desired drop-down application name.
The (hidden) connection method that is specified for this application is invoked.

2. Upon connection and credentials verification, the RDP Application is launched automatically.

Service
Selecting a Service first creates a secure tunnel to the associated Device. The Service then invokes on
your computer a communication application that automatically connects to the specified Device. The
local path and executable file for the communication application are specified in advance by the CA
Privileged Access Manager administrator. However, you can override them using the procedure in
Change Service Local Path to Application, below.

Do not confuse the following terms:

a Service application that is resident on a client computer

an RDP Application that is resident on a Device

a [Target] Application used with Credential Manager.


On the Access page, the first kind is located in the column labeled "Service", the second in the
column labeled "RDP Application", and the third under the column "Target Application".
To launch a Service:

1. From the list or drop-down list, click the desired Service button or drop-down selection.

2. The Service application is launched and a connection is attempted using this service.
Note: If credentials are needed but not passed, connection progress waits at the credentials
prompt.

3. Simultaneously, a pop-up acknowledgment window appears over the Access page.

Note: No interaction with this pop-up window is required (to execute the Service using the
default path provided by CA Privileged Access Manager).
The Service name is not mentioned – only the device address and port are.

Change Service Local Path to Application


After a Service is launched as described in the previous section, if the CA Privileged Access
Manager-specified local path to the application does not match where the application is installed
on the current user's computer, then from the acknowledgment pop-up window the user can:

1. Click Set or change local application to reset the path.


The pop-up window expands to allow the user to create or revise the local Path to Application
(which is initially a copy of the CA Privileged Access Manager-stored path to the application).

2. Enter the actual path and application executable to be used, and click Save.
This local path will then be substituted for the CA Privileged Access Manager-stored path the
next time that you launch this Service.
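The two sections above (Service, and Change Service Local Path to Application) describe a pattern rather than a protocol: a local tunnel endpoint is opened on your computer, and a client program is then started against that endpoint using either the administrator-stored path or your saved override. The following Python program is an added example that reproduces that shape on a single host; it is not CA Privileged Access Manager code and does not use the product's tunnel. The relay is plain TCP on the loopback interface (the real product's tunnel is encrypted), the echo server is a constructed stand-in for the Device, and the executable paths in the usage section are illustrative.

```python
"""Added example, not CA PAM code: a loopback tunnel endpoint for a "Service".

A Service opens a tunnel to the Device, then launches a local client program
against the tunnel's local end. This toy does the same on one host with a
plain TCP relay (the product's tunnel is encrypted; this one is not).
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalTunnel:
    """Accept connections on 127.0.0.1:<local_port> and relay each to target."""

    def __init__(self, target_host, target_port, local_port=0):
        self.target = (target_host, target_port)
        self._lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Bind to loopback only: the tunnel end must never be reachable by other hosts.
        self._lsock.bind(("127.0.0.1", local_port))
        self._lsock.listen(5)
        self.local_port = self._lsock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self._lsock.accept()
            except OSError:          # listener closed by close()
                return
            try:
                upstream = socket.create_connection(self.target, timeout=5)
            except OSError:          # Device unreachable: drop this client
                client.close()
                continue
            upstream.settimeout(None)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self._lsock.close()


def local_app_command(stored_path, user_override, local_port):
    """Command line for the client application, pointed at the tunnel end.

    Mirrors the Access page behaviour: the administrator-stored path is used
    unless the user has saved a local override for this Service.
    """
    exe = user_override or stored_path
    return [exe, "127.0.0.1", str(local_port)]


def start_echo_server():
    """Constructed stand-in for the Device: echoes bytes back until EOF."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(port, payload):
    """Send payload to the tunnel end, signal EOF, and return what comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    device_port = start_echo_server()            # constructed "Device"
    tunnel = LocalTunnel("127.0.0.1", device_port)
    # Illustrative paths: stored by the administrator vs. the user's override.
    print(local_app_command("/usr/bin/putty", None, tunnel.local_port))
    print(local_app_command("/usr/bin/putty", "/opt/putty/bin/putty", tunnel.local_port))
    print(roundtrip(tunnel.local_port, b"hello device"))
    tunnel.close()
```

The point worth noticing is in local_app_command: the client program is never told the Device's real address, only the loopback endpoint, which is why a wrong local path (the case handled by the Change Service Local Path procedure) shows up as a launch failure on your computer rather than as a connection error at the Device.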

Out-of-Band Devices
The OOB Devices button is used for non-login management of out-of-band devices and power
control. Out-of-Band, or "Lights Out," Management allows a system administrator to monitor and
manage devices by remote control regardless of whether the device is powered on. CA Privileged
Access Manager supports Serial Console, Terminal Servers, and KVM over IP and Power Management.
Each row in the access list represents a device on the network that a CA Privileged Access Manager
User is permitted to manage. This list of permitted devices is defined by policy as applied through CA
Privileged Access Manager associations. It will dynamically reflect access policy as it is applied by a CA
Privileged Access Manager administrator to a user or group.
Control Indicators include:

Serial – Serial consoles are intended for use when the device is not functional or when network
connectivity is lost due to a reboot or upgrade. Supported out-of-band access methods include:

Serial Port consoles and Terminal Servers.

Serial console access can be recorded and command controls can be enforced. All managed
access creates an event.


KVM – Certain KVM over IP network appliances have integrated support and can be used to limit
access to only certain devices connected. Other KVM over IP devices can be supported via their
web interface.

Power – Controls a smart power switch that is capable of powering the device on or off.

CA Privileged Access Manager can be used to restrict access to certain devices on the switch.
Status is shown for each device with an icon (color dot at lower right):

Green indicates that the device is ON.

Red indicates that the device is OFF.

White indicates that the device is new – or has failed to reply – and the status is unknown.

Setting Power On/Off


To change the Power status for a device:

1. Select the Power button. This brings up a pop-up window showing power options.

2. Select power option ON, OFF, or RESET. Or, to exit without making changes, select the Cancel
button.

SSL VPN
Your experience when using the SSL VPN is the same as if you were connected on the local network.

Viewing SSL VPN Targets


If enabled for the user, the SSL VPN Info link to the left of the Search field opens a shadow box
window that lists the devices and ports which are accessible.

Launching Access
To access a device:

1. From the SSL VPN device list, click an appropriate client application.
After successful authentication, you are granted SSL VPN access to a particular device, and CA
Privileged Access Manager downloads the device driver automatically to the client. A
confirmation dialog appears.

2. Accept the installation of the device driver by clicking Continue Anyway.

3. After downloading the driver, launch the client application.

4. Configure the client application as if you were on the internal network.


The service configuration can be seen under the SSL VPN menu option under the Access tab.


View and Permit Views of Passwords

View a Password
Active Target Applications and their associated Target Accounts are listed on the Access Page. Every
Target Application that is associated with a Device is identified in the drop-down list in the Target
Applications column. Every Target Account that is associated with each application appears in a
nested list. After selecting a Target Account from the drop-down list for a particular Device, a pop-up
View Account Password Request window appears. After entering the Password (for the currently
logged-in CA Privileged Access Manager user), the credentials are displayed in the pop-up.

View a Password Requiring Dual Authorization


Dual Authorization requires access to the Credential Manager menu using the FirecallUser role. The
menu is not available to a Standard User from the Access page.

Check in a Password
You can monitor check-out status and perform check-in from the Access page. If another
administrator attempts to view this password while it is checked out, the message "This account is
checked out by another user" appears in place of the View Account Password pop-up. For the second
administrator to view (and check out) the password, the first administrator clicks the Check In link
for that account on the Access page, without needing to switch to the Credential Manager dashboard.
