
Configuration Foundations 200

CA Privileged Access Manager:
Configuration Foundations 200

Lab Guide

04PIM20439
CA Technologies CA Privileged Access Manager 1


04PIM20439LG1 © 2017 CA. All rights reserved.
Configuration Foundations 200

- PROPRIETARY AND CONFIDENTIAL INFORMATION -

© 2017 CA. All rights reserved. CA confidential & proprietary information. For CA, CA Partner and CA
Customer use only. No unauthorized use, copying or distribution. All names of individuals or of companies
referenced herein are fictitious names used for instructional purposes only. Any similarity to any real
persons or businesses is purely coincidental. All trademarks, trade names, service marks and logos
referenced herein belong to their respective companies. These Materials are for your informational
purposes only, and do not form any type of warranty. The use of any software or product referenced in the
Materials is governed by the end user’s applicable license agreement. CA is the manufacturer of these
Materials. Provided with “Restricted Rights.”


For Owners of Tier 2 Subscription:

In addition to this fully functional training platform (Dynamic Lab Environment), your subscription
includes a web-based training component with recorded demonstrations of these lab activities.
Although not required, we recommend you review the WBT component first, as it describes various
use cases for the features and context for the lab activities.


Contents
CA Privileged Access Manager: Configuration Foundations 200: Lab Guide Introduction ............. 5
Guided Practice 1: Basic Access ........................................................................................................ 9
Guided Practice 2: Add Yourself as a Global Admin ....................................................................... 14
Guided Practice 3: Global Settings.................................................................................................. 19
Guided Practice 4: Network Settings .............................................................................................. 23
Guided Practice 5: Monitor e-mail Connection .............................................................................. 26
Guided Practice 6: Log Purge and Syslog ........................................................................................ 29
Guided Practice 7: Session Recording............................................................................................. 33
Guided Practice 8: SNMP ................................................................................................................ 36
Guided Practice 9: Scheduled Backup ............................................................................................ 39
Guided Practice 10: RADIUS............................................................................................................ 41
Guided Practice 11: LDAP/AD Connection...................................................................................... 48
Guided Practice 12: Security ........................................................................................................... 57
Guided Practice 13: Date/Time ....................................................................................................... 67
Guided Practice 14: Synchronization .............................................................................................. 69
Appendix: Dynamic Lab Environment Access and User Guide .......................................................... i
Getting Started............................................................................................................................... i
System Requirements .................................................................................................................... i
Operating Systems ......................................................................................................................... i
Browsers ........................................................................................................................................ i
Java Version ................................................................................................................................... i
Network Requirements.................................................................................................................. i
Self-Directed Learning Access and Instructions .............................................................................ii
Access Your Assigned Lab Environment ........................................................................................ii
Manage Your Assigned Lab Environment .....................................................................................iii
Network Requirements..................................................................................................................v
Connection Test .............................................................................................................................v
Instructor-Led Class Set-Up............................................................................................................v
Best Practices .............................................................................................................................. viii


CA Privileged Access Manager:


Configuration Foundations 200: Lab Guide Introduction

Goals: This lab guide provides you with opportunities to practice what you learn in the course as well as apply what you learn in real-world scenarios.

Scenario
Voonair Airlines is a fictitious niche airline providing service to the Arctic. The company serves areas
that are otherwise inaccessible for residents and researchers and has been successful in this area.

The Voonair IT Security team recently discovered unauthorized access to servers that contain
sensitive data. While the existing security posture at Voonair is strong, there were no measures for
protecting privileged identities which were acquired as part of a social engineering attack.

The company has decided to strengthen their security around privileged identities and direct access
to servers that contain sensitive data. Voonair has partnered with CA Technologies to deploy CA
PAM to meet their needs.

As part of Voonair Airlines’ IT staff, you are configuring and testing CA PAM functionality. In your
test environment, you have two CA PAM virtual appliances to build a cluster and all required
components to fully configure and test CA PAM functionality.


Dynamic lab test environment architecture


The following depicts the dynamic lab environment you will use for proof-of-concept testing:


Process Overview
This foundations course will focus on the Architecture and Configuration sections depicted below.
Additional courses are being continually added to support various typical integrations.

Architecture:
• Architecture and Features
• Firewall Permissions

Configuration:
• Appliance Configuration

Administration:
• Access Control
• Credential Management
• Password Management
• Target Application and Accounts


The Dynamic lab environment will start with all VMs already logged in as voonair\administrator
(caeducation). You do not need to log off the machines when suspending. Some labs require you to
log in as a different user. Use these steps to log off/on to a virtual machine as the domain admin:

To log off of Windows Server 2012, RIGHT-CLICK the Start button and select Shut down or sign out > Sign out.

To log on, click the Ctrl-Alt-Del button in the Skytap menu bar.

Unless otherwise instructed, log in to each VM as the domain admin voonair\administrator with password caeducation.

Most activity, unless otherwise stated, is accomplished via a web browser on the virtual
machine named “WinClient”. This server, and all servers, are prefixed with the course number;
for example, 04PIM20099-WinClient.

There are two appliances that ultimately will be clustered. You will perform configurations on
PAMServerA only. PAMServerB has been preconfigured with identical configurations to enable
you to create the cluster after configuring PAMServerA.

For simplicity, in this training environment “Password01” is used as the password for several
accounts. In a production environment, choose your own complex passwords.


Guided Practice 1: Basic Access

Goals: This exercise begins your training by making initial access to CA PAM and observing the interface.

Scenario: Your first action in becoming an SME on CA PAM is to connect to an appliance and familiarize yourself with the interface.

Time: 5 minutes

Instructions: Labs will be performed on CA Privileged Access Manager A (PamServerA).

From the “WinClient” virtual machine desktop, double-click “CA Privileged Access Manager A”.

Until certificates are installed, the web browser will complain about the security of the website.

Click Advanced.


Click Add Exception.

Click Confirm Security Exception.


Log on:

User: super
Password: Password01

Note: the default super account password has already been changed. Typically upon first login you would be prompted to change it.

Until certificates are installed, the web browser will complain about the security of the website.

Click Continue for now.

Check “Do not show this again…”

Check “Do not show this again…”

Click Run.


Note the elements of the home page.

This is the dashboard and is only available to Operational and Global Administrators.

We need to change the config default password on the CA PAM appliance.

The config password change is accomplished via a separate URL.

Open a new browser window (not a tab) and navigate to:

https://pamservera/config/

Note: the trailing slash is required at the end of the URL.

When prompted, enter config as both User Name and Password.

Click OK.


After successful login as the config user, change the default password.

Select Configuration > Change Password.

Change the config password to: Password01

Click Update.

You will be logged out and returned to the PAM login page.

-End-
Guided Practice 1: Basic Access


Guided Practice 2: Add Yourself as a Global Admin

Goals: Create a new user (GlobalAdmin) for yourself and set the role of Global Administrator for use during the rest of this course.

Scenario: The SUPER user is generally not used in a production environment and it is best practice for each user to have an account for their own use.

Time: 5 Minutes
Time

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and log in as super/Password01.

Create a Global Admin account.

Select Users > Manage Users

The Session Manager Users page is displayed.

Click ADD.


The Add User > Basic Info page is displayed.

Enter the User information.

User Name: GlobalAdmin
First Name: FirstName
Last Name: LastName
Password: admin1

Note: PAM will prompt for the password to be changed after the first successful login.

Email:
administrator@voonair.local

Select the Administration tab.

Check
Email Self on Login.

Select the Roles tab.

Only Standard User is shown.

Click + to show more roles.


Click Please specify a role.

Select Global Administrator from the list.

Remove the Standard User role.

Select the Credential Manager Groups tab.

Check System Admin Group.

Click the right-arrow to add to the Selected Groups list.

System Admin Group is now added to the Selected Groups list.


Note: selection of a password management group for the Global Admin role is required.

Access to email in future exercises will be done via the virtual machine named “ADServer” via Microsoft Outlook.

Click OK to save.

GlobalAdmin is now added to the Session Manager Users list.

Log out and log back in as GlobalAdmin, password admin1.


“Due to account modifications, please change your password.”

Change the password.

Old Password: admin1
New Password: Password01

Click OK to save the new password.

-End-
Guided Practice 2:
Add Yourself as a Global Admin


Guided Practice 3: Global Settings

Goals: This exercise sets some initial global settings and brands the UI for Voonair.

Scenario: Certain global settings must first be set to continue with configuration. Voonair would also like to brand the UI with the corporate logo.

Time: < 5 Minutes
Time

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.

Select Settings > Global Settings


On the Basic Settings tab:

Login Timeout = 0
Applet Timeout = 0

Check Default Device Type:
Access
Password Management

The External API Buttons setting is enabled by default.

Click SAVE.

Select the Warnings tab.

Check
Show Recording Warning.

Click SAVE.

Select the Applet Customization tab.

Buffer Size = 1000
Web Recording Quality = Medium

Check Applet Copy/Paste

Click SAVE.


Upload your custom logo.

Select Settings > Branding.

Click CHOOSE FILE.

Browse to:
C:\ClassFiles\PAM-Bootstrap-1.5\Logo

Select Voonair-SMALL.png

Click Open.

Click UPLOAD LOGO.


Logo is successfully uploaded.

Note: the logo will be seen by standard users later in this course.

-End-
Guided Practice 3: Global Settings


Guided Practice 4: Network Settings

Goals: Observe and verify basic network settings of the PAM appliance.

Scenario: Each appliance must have a name and IP address for connectivity.

Time: < 5 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and log in as GlobalAdmin / Password01.

Select Configuration > Network > Network Settings

Note the network settings.

Hostname: pamservera
Domain Name: voonair.local
Default Gateway: 192.168.0.254
DNS Servers: 192.168.0.10

Note: Network settings were added during appliance installation.


Click Update to save any changes.

You will see a message that confirms the network setting changes.

You will have to either reboot the appliance or click the Restart Networking button for the changes to take effect.

Click RESTART NETWORKING


A Network Settings dialog box appears, warning that all active users will be logged out of CA PAM and asking whether you would like to continue.

Click YES.

Login:
User: GlobalAdmin
Password: Password01

-End-
Guided Practice 4: Network Settings


Guided Practice 5: Monitor e-mail Connection

Goals: Configure SMTP connection for email alerts from CA PAM.

Scenario: In order for CA PAM to send alerts, a connection to an SMTP server is required.

Time: < 5 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.

Select Configuration > Monitor.


On the General Monitoring Parameters tab:

Admin Email: administrator@voonair.local

SMTP Server: 192.168.0.10

Appliance From Address: pamadmin@voonair.local

Re-check Time: 10

DNS Text Query: voonair.local

Click UPDATE.

Click the Monitor tab.

Start at Boot is checked by default.

Click START.


Confirmation is displayed that the monitor started successfully.

A test email is sent to the Administrator’s address.

Connect to virtual machine ADS and open Microsoft Outlook to view the test email. Click to open Inbox.

-End-
Guided Practice 5:
Monitor Email Connection


Guided Practice 6: Log Purge and Syslog

Goals: Configure CA PAM to send log data to a SYSLOG server and observe the data in Splunk.

Scenario: Capturing log data for aggregation and future review is an important part of any IT organization. Log data from CA PAM is no exception and must be captured.

Time: < 5 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.

From WinClient.

Configure Automatic Log Purge.

Select Configuration > Logs > Automatic Log Purge


Check:
Enable as scheduled below

Check:
Require Email to be Sent Before
Purge

Leave Purge Interval at 24 hours and Email Size as 1MB.

Click UPDATE.

Settings have been saved successfully.

Configure Syslog.

Select Configuration > Logs > Syslog.


Check:
Enable syslog to the specified
server

Remote Server
192.168.0.11

Remote Port
514

Click UPDATE.

Syslog configuration was updated successfully.

Login to Splunk by opening another browser window and typing in the following URL:
https://192.168.0.11:8000/

Click Search & Reporting.


Observe syslog messages in real time.

Enter * in Search.

Click the search icon.

Realtime data is displayed.

Close the Splunk session.
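The syslog setting above forwards CA PAM events to the collector at 192.168.0.11 on port 514, where Splunk decodes each line's PRI header before indexing it. The Python example below is added to this guide and is not part of CA's lab material or of the appliance; it shows what a collector does with such a line: decode PRI into facility and severity, split out host, tag and PID, reject malformed lines, and filter events at or above a chosen severity (the general case, not only the Splunk search shown in the lab). The sample lines are constructed for this example and do not reproduce the appliance's real message format; the tag pam-audit is invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Facility and severity names from RFC 3164 / RFC 5424; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines in RFC 3164 layout for this example only; they are
# not captured from a CA PAM appliance and do not show its real message format.
SAMPLE_LINES = [
    "<86>Mar  1 09:15:02 pamservera sshd[1102]: Accepted publickey for pamadmin from 192.168.0.11 port 52214",
    "<38>Mar  1 09:16:44 pamservera pam-audit: user=GlobalAdmin action=login result=success src=192.168.0.20",
    "<36>Mar  1 09:17:10 pamservera pam-audit: user=GlobalAdmin action=login result=failure src=192.168.0.20",
    "this line has no PRI header and is rejected by the parser",
]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    message: str


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Decode one syslog line; return None for lines that are not well formed."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal PRI is local7.debug = 23 * 8 + 7
        return None
    return SyslogEvent(
        facility=FACILITIES[pri // 8],
        severity=SEVERITIES[pri % 8],
        timestamp=m.group("ts"),
        host=m.group("host"),
        tag=m.group("tag"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        message=m.group("msg"),
    )


def events_at_or_above(lines: List[str], severity: str) -> List[SyslogEvent]:
    """Keep parsed events whose severity is at least as urgent as `severity`."""
    threshold = SEVERITIES.index(severity)
    kept = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and SEVERITIES.index(ev.severity) <= threshold:
            kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in events_at_or_above(SAMPLE_LINES, "warning"):
        print(f"{ev.facility}.{ev.severity} {ev.host} {ev.tag}: {ev.message}")
```

Lines that fail to parse are dropped rather than guessed at, which is the behaviour you want in a collector: a malformed or truncated line should surface as a parse-failure count, not as a silently mis-classified event.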

-End-
Guided Practice 6:
Log Purge and Syslog


Guided Practice 7: Session Recording

Goals: Complete storage configuration for session recording data.

Scenario: Voonair requires all CA PAM sessions to be recorded for future review and auditing purposes.

Time: < 5 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.

Configure Session Recording

Select Configuration > Logs > Session Recording.


Select External Storage.

Protocol: NFS

Share Path:
/var/xsuite/recordings

Hostname:
192.168.0.11

Click SAVE SETTINGS.

Note the message that settings were saved successfully.

Click MOUNT.

Primary mount performed successfully.

Mount Availability will show “unavailable” at this point.


Go to Session Recording.

Check:
Text based recording to
NFS/CIFS/S3 mounted directory

Check:
Graphical Session recording to
NFS/CIFS/S3 mounted directory

Click UPDATE.

Note the keystroke logging configuration success message.

Mount status should now show as “mounted” and Mount availability as “available” in the External Storage area.

This may take several minutes to resolve.

Go to Access Policy and confirm that Present an error and do not connect. (Security Safe) is selected.

Change the error message on mount failure to read:
Session cannot be established.
Storage for recording is not available.
Please contact your administrator.

Click UPDATE to save.


-End-
Guided Practice 7: Session Recording


Guided Practice 8: SNMP

Goals: Configure CA PAM to send management messages to an SNMP server.

Scenario: Voonair requires that management messages be sent to an SNMP server.

Time: < 5 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.

Select Configuration > SNMP > Poll Server


Configure SNMP poll server.

Uncheck
SNMP V3 only

Note: the training environment uses SNMP version 2c.

Check Start at Boot.

Click SAVE.

Change the Read-Only Community string to xsuite.

Click SAVE.

Click START to start the server.

Note the SNMP Agent started successfully message.


Configure SNMP trap server.

Configuration > SNMP > Trap Server

Check
Traps Enabled

Trap Community:
xsuite

Trap Destination:
192.168.0.11

Select SNMP Version 2c.

Click SAVE CONFIGURATION.

Login to Splunk by typing the following URL in a new browser window:
https://192.168.0.11:8000/

Click Search & Reporting

Observe in Splunk the SNMP trap messages by searching for “snmp trap” in the search criteria and pressing Enter.

-End-
Guided Practice 8: SNMP


Guided Practice 9: Scheduled Backup

Goals: Configure daily scheduled backup of CA PAM database and configuration.

Scenario: A backup is critical for continuity of operations. Voonair standards require all IT systems to be backed up daily and secured in a location other than the solution itself.

Time: < 5 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.

Configure scheduled backup.

Select Configuration > Database.


Select the Backup Scheduler tab.

Set Backup time to every day by selecting ALL in the Month, Days, and Weekday columns and 1 for the hour and minute.

Share Path:
pamadmin@192.168.0.11:/var/xsuite/database-XsuiteA

Check Delete After Successful Send

Click SAVE.

Note confirmation that the database backup schedule was saved successfully.

-End-
Guided Practice 9: Schedule Backup


Guided Practice 10: RADIUS

Goals: Configure CA PAM for RADIUS authentication.

Scenario: Voonair employs a RADIUS server and would like this authentication method available on CA PAM.

Time: 15 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.
Create a device for password management, create a target application of type RADIUS/TACACS+ Secret,
and create a target account with a Secret/Verify Secret.

Select Devices > Manage Devices.

The Devices page is displayed.

Click ADD.


The Add Device page is displayed.

Fill in the required fields:

Name: RADIUS
Address: 192.168.0.11

Click
SAVE AND ADD TARGET
APPLICATIONS.

The Add Target Application page is displayed.

Host Name: 192.168.0.11
Device Name: RADIUS
Application Name: RADIUS/TACACS+ Secret
Application Type: RADIUS/TACACS+ Secret

Selecting Application Type RADIUS/TACACS+ Secret creates a tab with that name. Select this tab.

For the Type, select RADIUS from the drop-down menu.


The port will fill in automatically after the Type is selected.

Port: 1812

Click OK.

Confirmation is displayed that the target application has been saved.


Select Credentials > Manage Targets > Accounts.

The Target Accounts page is displayed.

Click ADD.

The Add Target Account page is displayed.

Select the search icon for Application Name.


The Target Applications page is displayed.

Select RADIUS/TACACS+ Secret.

Click OK.

You are returned to the Add Target Account page and the Application, Device and Host Name are filled in.

Account Name: RADIUS_Account

Secret: caeducation1

Check Show Secret to see the entry.

Click OK.

Confirmation is displayed that the Target Account has been saved.


Select
Configuration > RADIUS and
TACACS+

Click ADD.

Select the Application from the search: RADIUS/TACACS+ Secret

The Server will be automatically filled in: 192.168.0.11

Then select the Account: RADIUS_Account

Click OK.

Confirmation is displayed that the RADIUS and TACACS+ configuration has been saved.


Log out of PAM.

RADIUS is now an authentication option.

Log in using Local Authentication.

User: GlobalAdmin
Password: Password01

Under Users > Manage User Groups there is now a CREATE RADIUS GROUP button that is active.

-End-
Guided Practice 10: RADIUS


Guided Practice 11: LDAP/AD Connection

Goals: Configure LDAP connection to an Active Directory server.

Scenario: Voonair users will ultimately be acquired and kept in sync with Active Directory. AD will also be an authentication method for users of CA PAM.

Time: 20 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.

Select Devices > Manage Devices

Click ADD.

On the Basic Info tab:

Name: ADServer
Address: 192.168.0.10
Operating System: Windows 2012

Uncheck Device Type: Access

Leave Password Management checked.


Click SAVE AND ADD TARGET APPLICATIONS.

Note: use Page Down if you can’t see the buttons at the bottom of the screen.

Add Target Application is displayed.

Host Name: 192.168.0.10
Device Name: ADServer
Application Name: ActiveDirectory

Application Type:
select from drop-down window:
Windows Domain Service

Note the new tab created after Application Type is selected.


Select the Windows Domain Service tab.

Note the options for Domain Controller lookup.

Domain Name: voonair.local

Click OK.

Target application is saved.

ActiveDirectory is now seen in the list of Target Applications.

Select Credentials > Manage Targets > Accounts


Click ADD.

Add Target Account is displayed.

Application Name: click the search icon to select the application name you created for LDAP: ActiveDirectory

The Target Applications window is displayed.

Select ActiveDirectory.

Click OK.


You are returned to the Add Target Account window.

ActiveDirectory is now shown in the Application Name field and the Host and Device Name are automatically filled in.

Account Name: xsuiteLookup
Account Type: Privileged Account
Password: caeducation

Note: xsuiteLookup is an existing Active Directory account with read access to the directory being searched (bind account).

Select Windows Domain Service.


Add Target Account is displayed.

Enter Distinguished Name (comma separated, no spaces):

CN=xsuiteLookup,CN=Users,DC=voonair,DC=local

Click OK.

Target account is saved.

xsuiteLookup is now seen in the Account Name list.
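The bind DN above has to be entered exactly: comma separated, no spaces, and rooted in the domain configured earlier (voonair.local). The Python example below is added to this guide and is not CA's code; it parses an RFC 4514 distinguished name into its RDNs, resolves backslash and \HH escapes (so a CN containing a comma is handled), flags whitespace next to separators as this lab requires, and checks that the DC components agree with the expected domain. The helper names (parse_dn, check_bind_dn and so on) are my own, and the DNs in the test are constructed except for the lab's xsuiteLookup DN.

```python
import re
from typing import List, Tuple

RDN = Tuple[str, str]

# Attribute types are descriptors (cn, ou, dc, ...) or dotted OIDs (RFC 4514 section 3).
_ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
_HEX = "0123456789abcdefABCDEF"


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep` but not on backslash-escaped occurrences of it."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve \\X and \\HH escapes in an attribute value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN into [(attribute, value), ...], most specific RDN first.
    Raises ValueError on an empty DN or an RDN without an attribute=value pair."""
    if not dn.strip():
        raise ValueError("empty DN")
    rdns: List[RDN] = []
    for rdn in _split_unescaped(dn, ","):
        attr, eq, raw_value = rdn.partition("=")
        attr = attr.strip()
        if not eq or not _ATTR_RE.match(attr) or not raw_value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr, _unescape(raw_value.strip())))
    return rdns


def spaces_at_separators(dn: str) -> bool:
    """True if an unescaped ',' or '=' has a space next to it (the lab asks for none)."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] in ",=":
            if (i > 0 and dn[i - 1] == " ") or (i + 1 < len(dn) and dn[i + 1] == " "):
                return True
        i += 1
    return False


def domain_of(rdns: List[RDN]) -> str:
    """Join the DC components into a DNS-style domain name."""
    return ".".join(v for a, v in rdns if a.upper() == "DC")


def check_bind_dn(dn: str, expected_domain: str) -> List[str]:
    """Return a list of problems; an empty list means the DN is acceptable for the lab."""
    try:
        rdns = parse_dn(dn)
    except ValueError as e:
        return [str(e)]
    problems = []
    if spaces_at_separators(dn):
        problems.append("whitespace next to ',' or '=' (enter the DN with no spaces)")
    if domain_of(rdns).lower() != expected_domain.lower():
        problems.append(f"DC components give {domain_of(rdns)!r}, expected {expected_domain!r}")
    return problems


if __name__ == "__main__":
    for dn in ["CN=xsuiteLookup,CN=Users,DC=voonair,DC=local",
               "CN=xsuiteLookup, CN=Users,DC=voonair,DC=local"]:
        print(dn, "->", check_bind_dn(dn, "voonair.local") or "ok")
```

Checking the DC suffix against the domain configured under Windows Domain Service catches the common mistake of pasting a bind DN from a different forest; the bind would fail later with a generic error, and the mismatch is easier to see at data-entry time.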


Select
Configuration > 3rd Party > LDAP

Select LDAP Domains tab.

Click ADD.

Configure connection to AD server.

Find and select the Bind Account using the search icon: xsuiteLookup

This will automatically fill in the Bind Server, Bind Application and Server fields.

In the SSL Usage field, select LDAPS.

Click OK.


A window appears asking you to log out and then log back into CA PAM before attempting to import an LDAP group for the first time.

Click OK to dismiss the window.

The LDAP domain is saved.

After successful configuration, logout.

Observe that a new authentication mechanism for LDAP and LDAP+RADIUS is now available in the menu.

Log back into PAM.

User: GlobalAdmin
Password: Password01
Authentication Type: Local


Under Users > Manage User Groups, there are new import/refresh mechanisms:

IMPORT LDAP GROUPS
REFRESH LDAP GROUPS

-End-
Guided Practice 11: LDAP/AD


Guided Practice 12: Security

Goals: Configure security certificates on CA PAM
Scenario:
Time: 10 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.

Select Configuration > Security > Access


Enable:
External REST API
Credential Management CLI

Click SAVE.

Upload/install certificates, and private key.

Select Configuration > Security > Certificates


Select the Upload section.

Select CA Bundles.

Click CHOOSE FILE.

Certificate files are found at C:\ClassFiles\PAM-Bootstrap-1.5\Keys

Select root CA bundle voonair-ca.p7b

Click Open.

Click UPLOAD.

Note confirmation at top of page that file was loaded.


Upload certificate with private key

Select Certificate with Private Key

Click CHOOSE FILE.

Select pamserver.pem

Click Open.

Enter passphrase caeducation in the Passphrase and Confirm fields.

Click UPLOAD.


Note the certificate verification success message at the top of the page.

Go to the Set section.

Select and verify the pamserver.crt certificate by clicking VERIFY.

Message confirms that the certificate has been verified.

Click ACCEPT.


Message indicates that the system certificate has been changed and a reboot will make the new certificate take effect, and asks if you want to reboot now.

Click YES.

The CA PAM appliance reboots.

Wait 4-5 minutes, and go back and check if the appliance is back online.

A message may appear that the network is unavailable, the connection was lost and the session will be terminated. You are advised to log in again to continue.

Click OK to dismiss the window.

The login window will reappear.

Click the menu icon in Firefox.


Select Options.

Select Advanced…

Select the Certificates tab.

Click View Certificates.


Certificate Manager is displayed.

Click Import.

Select the certificate to import.

Browse to C:\ClassFiles\PAM-Bootstrap-1.5\Keys

Select voonair-ca.cer

Click Open.

Downloading Certificate page is displayed.

Check all trust items.

Click OK.


Click OK to exit the Certificate Manager.

Close out of the browser and reopen CA Privileged Access Manager A.

You are returned to the login page.

Note that the lock icon is now green.


The root CA and intermediate CA certificates have been installed in the system's trusted root certificate store as part of the environment configuration.

Verify the certificate is working by clicking on the padlock in the browser, clicking the right arrow, and clicking on the More Information button.

Click the View Certificate button and view the General and Details tabs.

Different browsers will yield different results. Browsers may still notify that the certificate is self-signed.
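What the VERIFY button checks on the appliance, and whether a browser's "self-signed" notice is justified, can both be settled from a workstation with openssl. This shell example is added here and is not part of the CA lab guide: it generates a throwaway CA and server certificate in a temp directory (only the voonair-ca/pamserver file names and the caeducation passphrase mirror the lab), and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the CA lab guide): reproduce offline the checks behind
# the VERIFY step and the "self-signed" browser warning, using openssl:
#   1. the server certificate chains to the uploaded CA bundle,
#   2. the passphrase-protected private key matches the certificate,
#   3. the certificate is CA-signed, not self-signed (issuer != subject).
# All key material is generated on the fly; only the file names (voonair-ca,
# pamserver) and the passphrase (caeducation) mirror the lab.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=caeducation

# Constructed test PKI: a throwaway root CA and a server cert it signs.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Voonair Root CA" \
    -keyout "$WORK/voonair-ca.key" -out "$WORK/voonair-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -passout "pass:$PASS" -subj "/CN=capam.voonair.local" \
    -keyout "$WORK/pamserver.key" -out "$WORK/pamserver.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/pamserver.csr" -CA "$WORK/voonair-ca.pem" \
    -CAkey "$WORK/voonair-ca.key" -CAcreateserial -out "$WORK/pamserver.crt" 2>/dev/null
}

# 1. Chain check, as VERIFY does against the CA bundle ($1 = CA file, $2 = cert).
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. Key/cert match: the public key in the cert must equal the one derived from
#    the decrypted private key ($1 = cert, $2 = key, $3 = passphrase).
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 3. Self-signed detection: issuer DN identical to subject DN ($1 = cert).
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
  [ "$s" = "$i" ]
}

# Stand-alone run: build the test PKI and report, as the appliance would.
make_test_pki
if verify_chain "$WORK/voonair-ca.pem" "$WORK/pamserver.crt" \
   && key_matches_cert "$WORK/pamserver.crt" "$WORK/pamserver.key" "$PASS" \
   && ! is_self_signed "$WORK/pamserver.crt"; then
  echo "pamserver.crt: chain OK, private key matches, signed by CA (not self-signed)"
else
  echo "pamserver.crt: verification failed" >&2
  exit 1
fi
```

The same three functions run unchanged against the real voonair-ca.p7b (after `openssl pkcs7 -print_certs`) and pamserver.pem from the lab's Keys folder.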

-End-
Guided Practice 12: Security


Guided Practice 13: Date/Time

Goals: Configure date and time setting for NTP
Scenario: Since Voonair requires a clustered configuration, NTP is a critical component of CA PAM clustering.
Time: < 5 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.

Select Configuration > Date/Time.


Go to Time Servers.

Enter 192.168.0.11 as the time server and remove any existing entries.

Click SAVE

Note the successful update message.

Select NTP Status.

You may need to refresh the status to confirm connectivity if condition is “reject”.

Click REFRESH.

After refresh, condition should change to sys.peer.

A sys.peer condition is desired.

-End-
Guided Practice 13: Date/Time


Guided Practice 14: Synchronization

Goals: Configure clustering of two CA PAM virtual appliances and observe behavior.
Scenario: This exercise uses the already-configured CA PAM Appliance B. For redundancy of CA PAM, Voonair would like to have two appliances operating in a clustered manner.
Time: 20 Minutes

Instructions: Continue using the browser session from the prior exercise or if closed, connect to
the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA
Privileged Access Manager A” and login as GlobalAdmin / Password01.

Access PAMServerB using the desktop shortcut “CA Privileged Access Manager B” and log in as
super / Password01.

Launch the desktop icon CA Privileged Access Manager B

Log on:

User: super
Password: Password01

Note: the default super account password has already been changed. Typically, upon first login you would be prompted to change it.


Configuration > Clustering

The Clustering page is displayed with the Local Settings tab selected.

On Privileged Access Manager A and Privileged Access Manager B complete the following steps:

Generate a Shared Key Passphrase: HelloWorld

This cryptographic key ensures secure communications between the clustered appliances.

Click GENERATE KEY


A key is generated and displayed.

Select the Interface: GB1

Click SAVE CONFIG LOCALLY.

Don’t forget that these steps are applied to both A and B.

Confirmation is displayed that the synchronization config was saved locally.

On Privileged Access Manager A only:

In the Configuration > Clustering window, select the Global Settings tab.

Select Security Safe.

Scroll over….


Click ADD.

Add Cluster Site is displayed.

VIP Address: 192.168.0.9

VIP Host Name: capam.voonair.local

Click “+”

Enter the IP addresses of the Cluster Members.

192.168.0.5


Click “+” to add the other member:

192.168.0.6

Click OK.

Click SAVE CONFIG LOCALLY.


Only on PAM A:

Click SAVE TO CLUSTER.

Confirmation displayed that PAM has successfully saved cluster configuration to all members.

On Privileged Access Manager A, click TURN CLUSTER ON.

Note that the PAM cluster can only be enabled from the Primary Node (the first one in the Cluster Member list).


Turn Cluster On window appears and asks if you are sure you want to turn the cluster on.

Click YES.

CA PAM restarts…

Logout and login to the cluster VIP: https://192.168.0.9/

If required, add a permanent exception in the browser to allow the site to load.

If required, allow Java to run and remember this setting for further use.


Check the two boxes to not show the alert again and click Run for the CA PAM Java applications.

Observe that the dashboard has changed.

There is a new section: Appliance Cluster Status.

The new logo is also displayed.

Congratulations!

You have successfully configured PAM A and B and established a high availability cluster configuration.

-End-
Guided Practice 15: Synchronization

Appendix: CA Technologies Dynamic Lab Environment

Appendix: Dynamic Lab Environment Access and User Guide

Getting Started
Dynamic Lab Environment is the name of the CA Education virtual environment for labs and
practice activities. The technology behind the Dynamic Lab Environment is provided by Skytap and
some of the instructions in this document reference Skytap.
This appendix provides the following information:
• System and network requirements
• Self-Directed Learning login and usage information
• Setting up an environment (other than Self-Directed Learning)
• Instructor-Led classroom set up
• Best practices
• Troubleshooting
• Escalating unresolved issues
System Requirements
The minimum system requirements for an individual client machine accessing the Dynamic Lab
Environment are listed below. Please check that you meet the minimum requirements and that
you have the equipment you need before attempting to use the environment.

Operating Systems
• Windows XP/2003/Vista/2008/Windows 7/2008 R2/Windows 8/2012
• Mac OS X 10.7 or higher (Lion or Mountain Lion)
• Linux variants with supported browser and Java versions
Browsers
• Internet Explorer 8, 9, or 10
• Mozilla Firefox
• Google Chrome
• Mac OS X Safari
Java Version
• The acceptable Java versions are Java 1.6, 1.7, or newer.
• If you are unsure which version of Java you are running, simply click the following link and it
will auto-detect: http://java.com/en/download/installed.jsp or type “java -version” in the
terminal for Linux.
• If you are running OS X, please see Running Java on Mac OS X.
• For information on installing Java on your local Linux machine, see How to install Java on my
local Linux machine.
Network Requirements
We recommend a minimum download speed of 1.16 Mb/sec (150 KB/sec) per client connection
(i.e., each individual user). In addition, we recommend latency of 250ms or less.

CA Technologies Dynamic Lab Appendix i


© 2017 CA. All rights reserved

Self-Directed Learning Access and Instructions


After you register for the course, you will receive a system-generated email that includes two
important pieces of information:
• A published URL to access your assigned lab environment
• The date and time on which your access to that environment expires
Keep this email as you will need to use the URL whenever you access your lab environment.
Here is a sample email with the two pieces of information highlighted:

Access Your Assigned Lab Environment

Click on the published URL from the email or paste the link in your web browser to access your
assigned lab environment. Use this same link each time you access your dynamic lab environment.

A sample environment with multiple Virtual Machines (VMs) is shown below:

The above sample environment includes three VMs. Your particular environment will be
appropriate for the course activities for which you have registered.


NOTE: When you initially access your environment, you may see a Java prompt, asking if
you want to run this application. Click Run if you see this prompt. It will enable you to
properly connect into the environment and enable the keyboard to work correctly.
Manage Your Assigned Lab Environment

You are allocated a certain amount of lab session time to complete all of the activities associated
with a given course. That time starts once you access your environment and continues to run until
the end date and time specified in the email. The clock continues to run even if you are not
actively working in the environment unless you manage your environment.
Use the Suspend and Run buttons to manage your lab environment. These buttons are shown
below:

Using Suspend to preserve your lab time


Click the Suspend button to stop the Run Time clock. Do this any time you are not working on
course activities to preserve your remaining time. You can suspend any or all of the VMs in your
environment by clicking in the check box in each VM window and then clicking the Suspend button.
The Suspend button is called out in the following sample where all three VMs have been checked:


When you click Suspend, your allocated lab time is preserved and the time clock remains paused
until you change the status to Run. The VMs in a suspended environment display that status as
shown in the following image:

Once you have suspended your environment, you can minimize or close the browser window in
which the environment has been running. Use the same URL you were sent in email to re-open
your environment when you are ready to resume.

Using Run to resume running your lab time


Click the Run button to start up suspended VMs and restart the Run Time clock. The Run button is
called out in the following sample:

This may take several minutes. The environment is ready when the VMs are highlighted in green
and display a Running status. Click on the machine(s) you want to directly access to start or resume
your lab activities.

Tracking lab time using the Run Time clock

The Run Time clock in the upper right corner of your set of VMs tracks how much dynamic lab
environment time you have left.


Network Requirements
We recommend a minimum download speed of 1.16 Mb/sec (150 KB/sec) per client connection
(i.e., each individual user). In addition, we recommend latency of 250ms or less.
If you have a group of 15 users, each connecting to their own client session from the same physical
location concurrently, the recommended amount of bandwidth required is
1.16Mb/sec per user x 15 or 17.5Mb/sec.
Connection Test
If you are connecting for the first time, or connecting from a computer you have never used before,
run the connection and speed tests to make sure that your browser supports a connection to the
Dynamic Lab Environment. These tests are hosted by Skytap directly.
Use the following URL to use the Skytap Connectivity Checker to run connection and speed tests:
https://cloud.skytap.com/tools/connectivity

Instructor-Led Class Set-Up


The Dynamic Lab Environment is accessed directly through a URL link that is provided to the
instructor by a system-generated email. The email includes a class URL as well as instructor and
student position URLs. A sample email is shown below:


1. Click the URL link or copy and paste the link to your web browser. If the URL link is valid, your
web browser will load the environment with the appropriate VM or VM set for hands-on
activities.
2. Examine all VMs and ensure they are running by selecting them and clicking the Run button to
power them on.

Once they are powered on, all VMs will show that they are in a running status and you may
log in to the VMs by clicking the desired VM machine.


3. Click the desired VM machine to connect directly to it.

Note: Most VMs will take you directly to the desktop, but if you are prompted to enter login info,
use the following credentials:
- Username: administrator
- Password: caeducation
Students should have been sent an email message telling them to run the tests before class starts.
Best practice is for the instructor to send an email message to your students to introduce yourself
as the instructor and remind them to run the connectivity test before the class starts.


Best Practices
Use the following list of best practices to help you avoid potential issues with the Dynamic Lab
Environment:
• Ensure that you are connected to a dedicated hardwired network connection on a
broadband internet connection.
• Do not use Wi-Fi connection because it is more susceptible to higher latency issues
impacting performance.
• Close all applications and documents you are not using for your virtual training; applications
running in the background may use up your computer's bandwidth and affect system
performance.
• You should not be connected to a corporate VPN while connecting to the virtual training
class.

Troubleshooting

Run both Connectivity Checker and Speed Test from appropriate application regions and submit
results to educationlabs@ca.com. Before the start of class, make sure your browser supports a
connection to the remote labs.

