PAM 3.X Configuration Foundations 200 - Lab Guide
© 2017 CA. All rights reserved. CA confidential & proprietary information. For CA, CA Partner and CA
Customer use only. No unauthorized use, copying or distribution. All names of individuals or of companies
referenced herein are fictitious names used for instructional purposes only. Any similarity to any real
persons or businesses is purely coincidental. All trademarks, trade names, service marks and logos
referenced herein belong to their respective companies. These Materials are for your informational
purposes only, and do not form any type of warranty. The use of any software or product referenced in the
Materials is governed by the end user’s applicable license agreement. CA is the manufacturer of these
Materials. Provided with “Restricted Rights.”
In addition to this fully functional training platform (Dynamic Lab Environment), your subscription
includes a web-based training component with recorded demonstrations of these lab activities.
Although not required, we recommend you review the WBT component first, as it describes various
use cases for the features and context for the lab activities.
Contents
CA Privileged Access Manager: Configuration Foundations 200: Lab Guide Introduction
Guided Practice 1: Basic Access
Guided Practice 2: Add Yourself as a Global Admin
Guided Practice 3: Global Settings
Guided Practice 4: Network Settings
Guided Practice 5: Monitor e-mail Connection
Guided Practice 6: Log Purge and Syslog
Guided Practice 7: Session Recording
Guided Practice 8: SNMP
Guided Practice 9: Scheduled Backup
Guided Practice 10: RADIUS
Guided Practice 11: LDAP/AD Connection
Guided Practice 12: Security
Guided Practice 13: Date/Time
Guided Practice 14: Synchronization
Appendix: Dynamic Lab Environment Access and User Guide
  Getting Started
  System Requirements
  Operating Systems
  Browsers
  Java Version
  Network Requirements
  Self-Directed Learning Access and Instructions
  Access Your Assigned Lab Environment
  Manage Your Assigned Lab Environment
  Network Requirements
  Connection Test
  Instructor-Led Class Set-Up
  Best Practices
Goals
This lab guide provides you with opportunities to practice what you learn in the course as well as apply what you learn in real-world scenarios.
Scenario
Voonair Airlines is a fictitious niche airline providing service to the Arctic. The company serves areas
that are otherwise inaccessible for residents and researchers and has been successful in this area.
The Voonair IT Security team recently discovered unauthorized access to servers that contain
sensitive data. While the existing security posture at Voonair is strong, there were no measures for
protecting privileged identities which were acquired as part of a social engineering attack.
The company has decided to strengthen their security around privileged identities and direct access
to servers that contain sensitive data. Voonair has partnered with CA Technologies to deploy CA
PAM to meet their needs.
As part of Voonair Airlines’ IT staff, you are configuring and testing CA PAM functionality. In your
test environment, you have two CA PAM virtual appliances to build a cluster and all required
components to fully configure and test CA PAM functionality.
Process Overview
This foundations course will focus on the Architecture and Configuration sections depicted below.
Additional courses are being continually added to support various typical integrations.
The Dynamic Lab Environment will start with all VMs already logged in as voonair\administrator (caeducation). You do not need to log off the machines when suspending. Some labs require you to log in as a different user. Use these steps to log off/on to a virtual machine as the domain admin:
Unless otherwise instructed, log in to each VM as the domain admin voonair\administrator with password caeducation.
Most activity, unless otherwise stated, is accomplished via a web browser on the virtual machine named “WinClient”. This server, like all servers in the environment, is prefixed with the course number, for example 04PIM20099-WinClient.
There are two appliances that ultimately will be clustered. You will perform configurations on
PAMServerA only. PAMServerB has been preconfigured with identical configurations to enable
you to create the cluster after configuring PAMServerA.
For simplicity, in this training environment “Password01” is used as the password for several accounts. In a production environment, choose your own complex passwords.
Guided Practice 1: Basic Access
Goals: This exercise begins your training by making initial access to CA PAM and observing the interface.
Scenario: Your first action in becoming an SME on CA PAM is to connect to an appliance and familiarize yourself with the interface.
Time: 5 minutes
Click Advanced.
Click Add Exception.
Click Confirm Security Exception.
Log on:
User: super
Password: Password01
Check “Do not show this again…”
Check “Do not show this again…”
Click Run.
https://pamservera/config/
Click OK.
Select Configuration > Change Password.
Click Update.
-End-
Guided Practice 2: Add Yourself as a Global Admin
Goals: Create a new user (GlobalAdmin) for yourself and set the role of Global Administrator for use during the rest of this course.
Scenario: The SUPER user is generally not used in a production environment, and it is best practice for each user to have an account for their own use.
Time: 5 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as super/Password01.
Click ADD.
Email: [email protected]
Check Email Self on Login.
Click OK to save.
-End-
Guided Practice 3: Global Settings
Goals: This exercise sets some initial global settings and brands the UI for Voonair.
Scenario: Certain global settings must first be set to continue with configuration. Voonair would also like to brand the UI with the corporate logo.
Time: < 5 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Login Timeout = 0
Applet Timeout = 0
Click SAVE.
Check Show Recording Warning.
Click SAVE.
Check Applet Copy/Paste.
Click SAVE.
Browse to: C:\ClassFiles\PAM-Bootstrap-1.5\Logo
Select Voonair-SMALL.png
Click Open.
Click UPLOAD LOGO.
-End-
Guided Practice 4: Network Settings
Time: < 5 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Hostname: pamservera
Domain Name: voonair.local
Default Gateway: 192.168.0.254
DNS Servers: 192.168.0.10
Click RESTART NETWORKING.
Click YES.
Login:
User: GlobalAdmin
Password: Password01
-End-
Guided Practice 5: Monitor Email Connection
Time: < 5 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Admin Email: [email protected]
Re-check Time: 10
Click UPDATE.
Click START.
-End-
Guided Practice 6: Log Purge and Syslog
Goals: Configure CA PAM to send log data to a SYSLOG server and observe the data in Splunk.
Scenario: Capturing log data for aggregation and future review is an important part of any IT organization. Log data from CA PAM is no exception and must be captured.
Time: < 5 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
From WinClient.
Check: Enable as scheduled below
Check: Require Email to be Sent Before Purge
Click UPDATE.
Configure Syslog.
Check: Enable syslog to the specified server
Remote Server: 192.168.0.11
Remote Port: 514
Click UPDATE.
Enter * in Search.
-End-
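When the syslog target above is saved, the quickest way to confirm that the appliance is really delivering to 192.168.0.11:514 (before searching in Splunk) is to listen on that port and parse what arrives. The following is an added example, not code from the lab guide or from CA PAM: a small UDP syslog receiver and RFC 3164 parser. The sample lines it ships with are constructed for illustration; the real CA PAM message text and tag are not shown in the guide and are an assumption here.

```python
# Added example (not part of the CA lab guide): receive and parse RFC 3164
# syslog lines to confirm a source host is delivering, and to count by severity.
import re
import socket

# <PRI>MMM dd hh:mm:ss host message   (RFC 3164 layout)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line: str) -> dict:
    """Split one RFC 3164 line into facility, severity, timestamp, host and message.
    Raises ValueError for anything that does not carry a valid <PRI> header."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
    }


def summarize(lines, expected_host: str) -> dict:
    """Count messages per severity coming from expected_host; report other
    hosts and malformed lines separately so a misconfigured sender stands out."""
    counts, other_hosts, malformed = {}, set(), 0
    for line in lines:
        try:
            rec = parse_syslog(line)
        except ValueError:
            malformed += 1
            continue
        if rec["host"] != expected_host:
            other_hosts.add(rec["host"])
            continue
        counts[rec["severity"]] = counts.get(rec["severity"], 0) + 1
    return {"counts": counts, "other_hosts": sorted(other_hosts), "malformed": malformed}


def serve(bind: str = "0.0.0.0", port: int = 514, max_messages=None):
    """Yield parsed records from UDP datagrams (binding port 514 needs root on Linux)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    received = 0
    while max_messages is None or received < max_messages:
        data, (src, _) = sock.recvfrom(65535)
        received += 1
        try:
            rec = parse_syslog(data.decode("utf-8", errors="replace"))
        except ValueError as exc:
            print("%s: %s" % (src, exc))
            continue
        rec["source_ip"] = src
        yield rec


# Constructed sample datagrams: the tag and message text are invented for the
# example; the lab guide does not show CA PAM's actual syslog format.
SAMPLE_LINES = [
    "<14>Jan 10 09:15:02 pamservera xsuite: user GlobalAdmin logged in",
    "<12>Jan 10 09:15:40 pamservera xsuite: login failed for user super",
    "<14>Jan 10 09:16:05 otherhost cron: job finished",
    "garbage without a PRI header",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES, "pamservera"))
    # To watch the live lab feed instead, run on the collector host:
    # for rec in serve(port=514): print(rec)
```

Run it on the 192.168.0.11 collector while the lab's syslog setting is saved; if `serve()` prints nothing within a minute, check the appliance's Remote Server/Port values and any firewall between the two before looking at Splunk.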
Guided Practice 7: Session Recording
Time: < 5 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Protocol: NFS
Share Path: /var/xsuite/recordings
Hostname: 192.168.0.11
Click MOUNT.
Go to Session Recording.
Check: Text based recording to NFS/CIFS/S3 mounted directory
Check: Graphical Session recording to NFS/CIFS/S3 mounted directory
Click UPDATE.
-End-
Guided Practice 8: SNMP
Time: < 5 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Uncheck SNMP V3 only.
Check Start at Boot.
Click SAVE.
Click SAVE.
Check Traps Enabled.
Trap Community: xsuite
Trap Destination: 192.168.0.11
-End-
Guided Practice 9: Scheduled Backup
Time: < 5 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Share Path: [email protected]:/var/xsuite/database-XsuiteA
Check Delete After Successful Send.
Click SAVE.
-End-
Guided Practice 10: RADIUS
Time: 15 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Create a device for password management, create a target application of type RADIUS/TACACS+ Secret, and create a target account holding the Secret/Verify Secret.
Click ADD.
Name: RADIUS
Address: 192.168.0.11
Click SAVE AND ADD TARGET APPLICATIONS.
Port: 1812
Click OK.
Click ADD.
Select RADIUS/TACACS+ Secret.
Click OK.
Account Name: RADIUS_Account
Secret: caeducation1
Click OK.
Select Configuration > RADIUS and TACACS+.
Click ADD.
Click OK.
User: GlobalAdmin
Password: Password01
-End-
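Before pointing CA PAM at the RADIUS server, it is worth proving that the server at 192.168.0.11:1812 accepts the shared secret and a known user, and that the reply is authentic rather than something on the path answering for it. The following is an added example, not code from the lab guide or from CA PAM: it builds an RFC 2865 Access-Request with PAP password hiding, and validates the Response Authenticator of the reply. The shared secret `caeducation1`, the server address and the user `GlobalAdmin` come from the lab; the user's RADIUS password and the NAS-IP-Address `192.168.0.5` are assumptions for illustration.

```python
# Added example (not CA PAM code): RFC 2865 PAP Access-Request client with
# reply verification, for testing the RADIUS server configured in the lab.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attribute(attr_type: int, value: bytes) -> bytes:
    """One TLV attribute: type, length (including the 2 header bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt (the server side); trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes, identifier: int,
                         authenticator: bytes, nas_ip: str) -> bytes:
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(head + request_authenticator + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """What a server sends back; used here only to exercise verify_response offline."""
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, identifier: int, request_authenticator: bytes,
                    secret: bytes) -> str:
    """Return 'accept', 'reject' or 'invalid'. A reply with a wrong identifier or a
    bad Response Authenticator is 'invalid', never treated as a decision."""
    if len(response) < 20:
        return "invalid"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != identifier or length < 20 or length > len(response):
        return "invalid"
    attrs = response[20:length]  # bytes beyond Length are padding per RFC 2865
    expected = response_authenticator(code, ident, attrs, request_authenticator, secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")


def authenticate(server, secret: bytes, username: str, password: str,
                 nas_ip: str = "192.168.0.5", timeout: float = 3.0) -> str:
    """Send one Access-Request over UDP and classify the reply (needs network reachability)."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(username, password, secret, ident, auth, nas_ip)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, server)
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    return verify_response(data, ident, auth, secret)


if __name__ == "__main__":
    # Server and shared secret from the lab; the user's RADIUS password is an assumption.
    print(authenticate(("192.168.0.11", 1812), b"caeducation1", "GlobalAdmin", "Password01"))
```

A "timeout" usually means the server never saw the request or silently dropped it because the shared secret did not match (RADIUS servers do not answer a request whose User-Password cannot be decoded), so check the secret entered in the RADIUS_Account target account first; an "invalid" means a reply arrived that was not computed with the same secret.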
Guided Practice 11: LDAP/AD Connection
Time: 20 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Click ADD.
Name: ADServer
Address: 192.168.0.10
Operating System: Windows 2012
Application Type: select Windows Domain Service from the drop-down list.
Click OK.
Click ADD.
Select ActiveDirectory.
Click OK.
Click OK.
Select Configuration > 3rd Party > LDAP.
Click ADD.
Click OK.
User: GlobalAdmin
Password: Password01
Authentication Type: Local
-End-
Guided Practice 12: Security
Time: 10 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Select Configuration > Security > Access.
Enable:
External REST API
Credential Management CLI
Click SAVE.
Select CA Bundles.
Click Open.
Click UPLOAD.
Select pamserver.pem.
Click Open.
Click UPLOAD.
Click ACCEPT.
Click YES.
Select Options.
Select Advanced…
Click Import.
Browse to C:\ClassFiles\PAM-Bootstrap-1.5\Keys
Select voonair-ca.cer.
Click Open.
Click OK.
-End-
Guided Practice 13: Date/Time
Time: < 5 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Go to Time Servers.
Click SAVE.
Click REFRESH.
-End-
Guided Practice 14: Synchronization
Time: 20 Minutes
Instructions: Continue using the browser session from the prior exercise or, if closed, connect to the virtual machine named “WinClient” and from the desktop launch the shortcut labeled “CA Privileged Access Manager A” and log in as GlobalAdmin / Password01.
Access PAMServerB using the desktop shortcut “CA Privileged Access Manager B” and log in as super / Password01.
Log on:
User: super
Password: Password01
Scroll over…
Click ADD.
Click “+”
192.168.0.5
192.168.0.6
Click OK.
Click SAVE CONFIG LOCALLY.
Only on PAM A:
Click SAVE TO CLUSTER.
Click YES.
CA PAM restarts…
Congratulations!
-End-
Appendix: Dynamic Lab Environment Access and User Guide
Getting Started
Dynamic Lab Environment is the name of the CA Education virtual environment for labs and
practice activities. The technology behind the Dynamic Lab Environment is provided by Skytap and
some of the instructions in this document reference Skytap.
This appendix provides the following information:
• System and network requirements
• Self-Directed Learning login and usage information
• Setting up an environment (other than Self-Directed Learning)
• Instructor-Led classroom set up
• Best practices
• Troubleshooting
• Escalating unresolved issues
System Requirements
The minimum system requirements for an individual client machine accessing the Dynamic Lab
Environment are listed below. Please check that you meet the minimum requirements and that
you have the equipment you need before attempting to use the environment.
Click on the published URL from the email or paste the link in your web browser to access your
assigned lab environment. Use this same link each time you access your dynamic lab environment.
The above sample environment includes three VMs. Your particular environment will be
appropriate for the course activities for which you have registered.
NOTE: When you initially access your environment, you may see a Java prompt, asking if
you want to run this application. Click Run if you see this prompt. It will enable you to
properly connect into the environment and enable the keyboard to work correctly.
Manage Your Assigned Lab Environment
You are allocated a certain amount of lab session time to complete all of the activities associated
with a given course. That time starts once you access your environment and continues to run until
the end date and time specified in the email. The clock continues to run even if you are not
actively working in the environment unless you manage your environment.
Use the Suspend and Run buttons to manage your lab environment. These buttons are shown
below:
When you click Suspend, your allocated lab time is preserved and the time clock remains paused
until you change the status to Run. The VMs in a suspended environment display that status as
shown in the following image:
Once you have suspended your environment, you can minimize or close the browser window in
which the environment has been running. Use the same URL you were sent in email to re-open
your environment when you are ready to resume.
This may take several minutes. The environment is ready when the VMs are highlighted in green and display a Running status. Click on the machine(s) you want to access directly to start or resume your lab activities.
The Run Time clock in the upper right corner of your set of VMs tracks how much dynamic lab
environment time you have left.
Network Requirements
We recommend a minimum download speed of 1.16 Mb/sec (150 KB/sec) per client connection
(i.e., each individual user). In addition, we recommend latency of 250ms or less.
If you have a group of 15 users, each connecting to their own client session from the same physical
location concurrently, the recommended amount of bandwidth required is
1.16Mb/sec per user x 15 or 17.5Mb/sec.
Connection Test
If you are connecting for the first time, or connecting from a computer you have never used before,
run the connection and speed tests to make sure that your browser supports a connection to the
Dynamic Lab Environment. These tests are hosted by Skytap directly.
Use the following URL to open the Skytap Connectivity Checker and run the connection and speed tests:
https://cloud.skytap.com/tools/connectivity
1. Click the URL link or copy and paste the link to your web browser. If the URL link is valid, your
web browser will load the environment with the appropriate VM or VM set for hands-on
activities.
2. Examine all VMs and ensure they are running by selecting them and clicking the Run button to
power them on.
Once they are powered on, all VMs will show that they are in a running status and you may
log in to the VMs by clicking the desired VM machine.
Note: Most VMs will take you directly to the desktop, but if you are prompted to enter login info,
use the following credentials:
- Username: administrator
- Password: caeducation
Students should have been sent an email message telling them to run the tests before class starts. Best practice is for the instructor to send an email message to the students, introducing themselves as the instructor and reminding the students to run the connectivity test before the class starts.
Best Practices
Use the following list of best practices to help you avoid potential issues with the Dynamic Lab
Environment:
• Ensure that you are connected to a dedicated hardwired network connection on a
broadband internet connection.
• Do not use Wi-Fi connection because it is more susceptible to higher latency issues
impacting performance.
• Close all applications and documents you are not using for your virtual training; applications
running in the background may use up your computer's bandwidth and affect system
performance.
• You should not be connected to a corporate VPN while connecting to the virtual training class.
Troubleshooting
Run both the Connectivity Checker and the Speed Test from the appropriate regions of the application and submit the results to [email protected]. Before the start of class, make sure your browser supports a connection to the remote labs.