After installing and configuring the CLI following the instructions in the CA PAM Credential Management Implementation Guide, we try to run "capam_command" commands, but we always get a "java.io.IOException: Server returned HTTP response code: 403 for URL ..." error.
The guide does not explain how CA PAM needs to be configured to allow CLI commands.
There are two places where the CLI needs to be enabled:
1) In the Password Management UI, under Settings > General Settings, the checkbox "Enable External CLI" needs to be checked. As stated on the page, this change is not dynamic; it requires a reboot of the appliance.
2) On the Config > Security page, near the bottom under "External API Access", option "Enable Credential Management CLI" needs to be checked. This change is dynamic.