How to use the CA PAM Command Line Interface

Document ID : KB000010240
Last Modified Date : 14/02/2018
Introduction:

CA PAM provides a command-line interface (CLI) that allows you to enter Credential Manager commands, or scripts of commands, from a command line on either Windows or Unix. This document guides you through the simple steps needed to configure and test the CLI:

  • Download the remote CLI corresponding to the release of the software running on the CA Privileged Access Manager appliance. The cliTool can be downloaded from the CA Technologies support site. 
  • Download your CA Privileged Access Manager appliance certificate.
  • Generate a keystore using that certificate.
  • Execute the commands you wish to use.

There is also a RESTful API (aka the External API), which may be used as well. It is used to perform other functions and will not be covered further in this document.

Instructions:

There is no direct command line access to CA PAM. The cliTool.jar file is provided via the CA Download Center, https://support.ca.com/irj/portal/DownloadCenter. It gives you the ability to perform Credential Management tasks via a command or script. Below you can see how to retrieve the 2.8-based version of the tool.

DownloadCenter.JPG

When you've filled out this page to match the base version of CA PAM you are using, click Go, find the line with RemoteCLI and click Download.

RemoteCLI.JPG

Unpack the zip file and put the contents in the folder from which you want to run the Credentials CLI commands.  It contains 3 files:

  • cliTool.jar, which communicates with the CLI API
  • capam_command - Unix command file to execute CLI commands
  • capam_command.bat - Windows command file to execute CLI commands

Wherever you put these files, make sure that your PATH environment variable includes that folder.

The next step is to create the keystore. This requires that you first download the certificate you are using in CA PAM. It will be used to generate the keystore, which must go into the same folder as the 3 files above. This article assumes that you've already created and loaded a valid certificate for CA PAM. You cannot use the default certificate, gkcert.crt, or a certificate that has no Subject Alternative Names. Below you can see how the self-signed certificate used for this document was created.

SScert.JPG

If you don't already have the certificate on the system where you are implementing the cliTool, you may download it from CA PAM.

CertDownload.JPG

With the certificate in the same location as the cliTool.jar file, use the keytool command to generate the keystore. In Windows this looks like:

C:\Users\voged01\Documents\CA\Software\CLI>keytool -import -trustcacerts -file SScert.crt -alias cspmserver -keystore capam.keystore

Reply to the prompts, first to create a keystore password and then to confirm that you trust the certificate.

With this done, you are ready to start executing Credential CLI commands. It is recommended that you start with simple ones, specifically those not requiring parameters. You can get the information about the various commands available to you, and their parameters, from the CA PAM wiki: https://docops.ca.com/ca-privileged-access-manager/2-8-1/EN/programming/credential-manager-cli-commands

cliCommands.JPG

Here is how you can execute the getNumberOfAccounts command, and the results:

C:\Users\voged01\Documents\CA\Software\CLI>capam_command cmdName=getNumberOfAccounts capam=10.130.73.70 UserID=super
Enter password:


<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription><cr.result><NumberOfAccounts><count>21</count><a2aCount>3</a2aCount><privCount>18</privCount><createDate>
</createDate><createTime>0</createTime><updateDate></updateDate><updateUser></updateUser><extensionType></extensionType><createUser></createUser><hash></hash><updateTime>0</updateTime><ID>0</ID></NumberOfAccounts></cr.result></CommandResult>

The password that you enter is the password for your CA PAM admin account. Notice that the command returns the data in HTML format, and that the total is given along with a breakdown of A2A and Privileged accounts.
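The steps above, from the keytool import through checking the result of a Credential Manager command, as an added POSIX shell example written for this article (it is not code shipped with the CA tool). It assumes the file names and alias used above (SScert.crt, capam.keystore, cspmserver), reads the keystore password from an assumed KEYSTORE_PASS environment variable, and embeds the article's own getNumberOfAccounts output as a constructed sample so that the result-parsing part runs without an appliance:

```shell
#!/bin/sh
# Added example for this KB article, not part of the CA PAM CLI itself.
# Wraps the two steps the article describes: importing the appliance
# certificate into capam.keystore, and calling capam_command, then parses
# the <CommandResult> XML so a script can branch on the outcome.
# Assumptions: alias "cspmserver" and file names as in the article; the
# keystore password comes from KEYSTORE_PASS (placeholder default below).

KEYSTORE_PASS="${KEYSTORE_PASS:-PLACEHOLDER-change-me}"

# Import the appliance certificate non-interactively (keytool ships with Java).
# -noprompt answers the "Trust this certificate?" question for you.
import_capam_cert() {
    cert="$1"                      # e.g. SScert.crt, downloaded from CA PAM
    ks="${2:-capam.keystore}"      # must sit in the same folder as cliTool.jar
    keytool -import -trustcacerts -noprompt \
        -file "$cert" -alias cspmserver \
        -keystore "$ks" -storepass "$KEYSTORE_PASS"
}

# Run one Credential Manager command and return its raw XML on stdout.
# capam_command still prompts for the admin password on the terminal.
run_capam() {
    cmd="$1"; host="$2"; user="$3"; shift 3
    capam_command cmdName="$cmd" capam="$host" UserID="$user" "$@"
}

# Pull the text of a single XML element out of a CommandResult document.
# The output is flattened to one line first because the appliance emits a
# newline inside <createDate></createDate>, as in the article's sample.
xml_field() {
    tag="$1"
    tr -d '\n' | sed -n "s/.*<$tag>\([^<]*\)<\/$tag>.*/\1/p"
}

# CA PAM reports success as cr.statusCode 400 (see the sample output above),
# so a script must test for that literal value rather than assume 200.
capam_succeeded() {
    code=$(printf '%s' "$1" | xml_field 'cr.statusCode')
    [ "$code" = "400" ]
}

account_count() { printf '%s' "$1" | xml_field count; }
a2a_count()     { printf '%s' "$1" | xml_field a2aCount; }
priv_count()    { printf '%s' "$1" | xml_field privCount; }

# Constructed sample: the article's getNumberOfAccounts output, trimmed.
SAMPLE_RESULT='<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription><cr.result><NumberOfAccounts><count>21</count><a2aCount>3</a2aCount><privCount>18</privCount><createDate>
</createDate><createTime>0</createTime><ID>0</ID></NumberOfAccounts></cr.result></CommandResult>'

# Worked run against the sample; in practice replace SAMPLE_RESULT with
# result=$(run_capam getNumberOfAccounts 10.130.73.70 super)
if capam_succeeded "$SAMPLE_RESULT"; then
    echo "accounts=$(account_count "$SAMPLE_RESULT") a2a=$(a2a_count "$SAMPLE_RESULT") priv=$(priv_count "$SAMPLE_RESULT")"
else
    echo "command failed: $(printf '%s' "$SAMPLE_RESULT" | xml_field cr.statusDescription)" >&2
fi
```

Two points worth keeping in mind when scripting this: the keystore password passed with -storepass is visible to other local users in the process list while keytool runs, so on a shared host omit -storepass and let keytool prompt as the article shows; and a script should key its success check on cr.statusCode 400 rather than on the word "Success." in the description, since the description text is the less stable of the two.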

You can also execute these commands from a browser, which is helpful if you want to run them from a system without Java installed. Below you can see the same command executed from a browser.

cliFromBrowser2.JPG

With this working, you can start using any of the other commands, making sure that you provide any required parameters. If you encounter any problems, please open a ticket with Support. We will be glad to assist you.