How to configure a service to access vSphere 5.5 on CA PAM

Document ID : KB000009813
Last Modified Date : 14/02/2018

The purpose of this document is to demonstrate how CA PAM may be configured to interact with VMware vCenter 5.5.  This configuration should work for vCenter 6 too, as long as Auto-Login is not used.


The first step in creating a web portal to access vCenter 5.5 is to create a Service.  You can name it whatever you wish.  The port must match the one you would use when connecting from a browser.  Set the Application Protocol to Web Portal.  If you plan to use Auto-Login, you will have to select the method; for vCenter 5.5 it has to be the VMware vSphere Web Client.  If you do not use Auto-Login, you will be prompted for the UserID and Password.  The launch URL must start with https://<IP Address>:<First Port>.  What follows depends on your environment; in this case it is /vsphere-client/.  The next item on this page is the Access List.  Here it is set to *, which allows the user to go to any subsequent web page.  If you want to limit access, you may enter a different value here.  The last item on this page is the Browser Type.  Here it is set to the Xceedium Browser, which allows Web Portal activity to be recorded.  If you do not need these sessions to be recorded, you may use the Native Browser.



The next step is to add the Device.  Give it the name you want to appear on the Access page.  Assign the IP Address or Fully Qualified Domain Name.  Add the Service you configured in the previous step.



Create the policy and select the Service you added to the Device.  You can click on the Web Portal box, if you wish to enable recording.



If you intend that your users will enter the UserID and Password you may stop here.  If you intend to use Auto-Login you will have to create a Target Application and Target Account.  In this case a Generic Application was used.

After creating the Application, create the Accounts associated with the Application.  Notice that the account name includes a leading backslash, as the VMware login required it when launched from CA PAM.  The password doesn't show, but it was entered too.


After the Target Account is created you may associate it with the Policy you created.  When you click the link on the Access page you will be logged right in.