There is no direct command-line access to CA PAM. Instead, the cliTool.jar file is provided via the CA Download Center, https://support.ca.com/irj/portal/DownloadCenter. It lets you perform Credential Management tasks from a command or script. Below you can see how to retrieve the 2.8 based version of the tool.
When you've filled out this page to match the base version of CA PAM you are using, click Go, find the line with RemoteCLI, and click Download.
Unpack the zip file and put the contents in the folder from which you want to run the Credentials CLI commands. It contains 3 files:
- cliTool.jar which communicates with the CLI API
- capam_command - Unix command file to execute CLI commands
- capam_command.bat - Windows command file to execute CLI commands
Wherever you put these files, make sure that your Path environment variable includes the folder.
The next step is to create the keystore. This requires that you first download the certificate you are using in CA PAM. It is used to generate the keystore, which must go into the same folder as the 3 files above. This article assumes that you've done what is necessary to create, and load, a valid certificate for CA PAM. You cannot use the default certificate, gkcert.crt, or a certificate that has no Alternate Subject Names. Below you can see how the self-signed certificate used for this document was created.
If you don't already have the certificate on the system where you are implementing the cliTool, you may download it from CA PAM.
With the certificate in the same location as the cliTool.jar file, use the command to generate the keystore. In Windows this is the keytool command:
C:\Users\voged01\Documents\CA\Software\CLI>keytool -import -trustcacerts -file SScert.crt -alias cspmserver -keystore capam.keystore
Reply to the prompts, first to create a password and then to trust the certificate.
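Before importing, you can confirm that the certificate really carries alternate subject names by inspecting the output of keytool -printcert. The script below is an added example, not part of the original article or of CA's tooling: the function names san_entries and check_san are hypothetical, the sample output and the name pam.example.com are constructed, and matching the capam= address against the listed names is an extra check assumed here.

```sh
#!/bin/sh
# Added example: inspect `keytool -printcert` output before the keystore import.
# Real use: keytool -printcert -file SScert.crt | check_san 10.130.73.70

# san_entries: read keytool -printcert text on stdin, print one SAN value per line.
san_entries() {
    awk '
        /^SubjectAlternativeName \[/ { in_san = 1; next }
        in_san && /^\]/              { in_san = 0; next }
        in_san {
            sub(/\r$/, "")             # tolerate CRLF output captured on Windows
            sub(/^[ \t]+/, "")         # strip indentation
            sub(/^[A-Za-z]+: */, "")   # strip the "DNSName: " or "IPAddress: " label
            if (length($0)) print
        }
    '
}

# check_san HOST: 0 = SAN lists HOST, 1 = no SAN extension, 2 = HOST not listed.
# The HOST match is exact (no wildcard handling) and is a check added here.
check_san() {
    host=$1
    entries=$(san_entries)
    if [ -z "$entries" ]; then
        echo "certificate has no alternate subject names; do not import it" >&2
        return 1
    fi
    if printf '%s\n' "$entries" | grep -qixF -- "$host"; then
        return 0
    fi
    echo "alternate subject names do not include $host" >&2
    return 2
}

# Constructed samples of keytool -printcert output (not from a real appliance).
SAMPLE_WITH_SAN='Owner: CN=pam.example.com
Version: 3

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: pam.example.com
  IPAddress: 10.130.73.70
]'
SAMPLE_NO_SAN='Owner: CN=pam.example.com
Version: 1'

printf '%s\n' "$SAMPLE_WITH_SAN" | check_san 10.130.73.70 && echo "sample certificate OK"
```

A non-zero exit status means the certificate should be replaced before the keystore is built.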
With this done, you are ready to start executing Credential CLI commands. It is recommended that you start with simple ones, specifically those not requiring parameters. You can get the information about the various commands available to you, and their parameters, from the CA PAM wiki: https://docops.ca.com/ca-privileged-access-manager/2-8-1/EN/programming/credential-manager-cli-commands.
Here is how you can execute the getNumberOfAccounts command, and the results:
C:\Users\voged01\Documents\CA\Software\CLI>capam_command cmdName=getNumberOfAccounts capam=10.130.73.70 UserID=super
The password that you will enter is the password corresponding to your CA PAM admin account. Notice that the command returns the data in HTML format, and that the total is given, along with a breakdown of A2A and Privileged.
You can also execute these commands from a browser, which will be helpful if you want to execute them from a system without Java installed. Below you can see the same command executed from a browser.
With this working you can start using any of the other commands, making sure that you provide any required parameters. Please note that some parameters may be required even though the documentation does not state they are required. Also, the names of some parameters are not properly documented. They may require "Attribute." in front of the name in the document. If you encounter any problems please open a ticket with Support. We will be glad to assist you.