Adding many hosts to PAM

For those of you with many hosts in PAM, how did you add them all? Did you automate it through the REST API or did you add them all manually? We have a few to add and I'd rather not add them all manually. I can already add the host to the vault with the corresponding credential but don't know how to add the corresponding command control rule yet.

  • Is the privileged account name the same for these hosts (e.g. root)? If so, you could create a Host Group in Command Control Console with a list of all the Resource Names in the Vault (usually hostname) and configure a single rule that would authorize access to a group of servers for a specific credential 'Run User'.

    If there are unique privileged account names for each Resource/server, then an authorizing rule would need to be created for each, as far as I understand. And yes, it's possible to create rules automatically by leveraging the REST API in PAM. More details can be found in the "/pam" console of PAM 3.5 or 3.6 by selecting "REST API" from the user details in the top right. A nice API Explorer is available there.

    If this is PAM 3.2, sorry, I don't know what the call might have been.

    If you mean registering a PAM Agent as a host in the framework, there are typically deployment tools that are used to install / manage software or some custom script made unique for the environments. Examples of registration scripts can be found in TID 7024174.

  • Thanks. The privileged account name is the same. At the moment, we are creating unique authorization rules for every server (only difference is Account Domain/Credentials/Run Host). I'll try to collapse this into one rule.

  • Does every host need to be a resource in the credential vault? I have a long list of hosts that need to use the same local credential, but I cannot figure out how to get the SSH relay to work without adding each host and credential to the credential vault. I have created a host group, but if I try to use one credential, SSH connects to the hostname set in the resource.

  • My thinking is the same as yours. Because we add the SSH private key as a credential to the vault entry for the host, it seems impossible to use a simple command control rule for all hosts. But, maybe there is something I don't understand. Anyway, worth trying to investigate.

  • Agreed, I can't see a way to use a credential across multiple hosts which is something we need to be able to do.

  • So you can have a single cmdctrl rule configured to authorize access to many resources using the same run user name as the credential; however, each resource would need to be created in the crdvlt with the associated credential. So the single rule could have the run hosts be from a run host group, and cmdctrl resolves those to resource names in the crdvlt so it can obtain the connection details associated with that resource (e.g. hostname/ip, port, host key) and also the credential.

    One advantage that could be considered with this approach is that the Password Management feature could be enabled to configure password or key rotation for this credential, so that the same credential isn't available for all the servers from a security perspective. But I can see the challenge here if that's not the desired outcome.

    It would be convenient if there was a csv to crdvlt import script created leveraging the REST API so that the creation of the resources / credentials could be automated within the crdvlt. I think an approach like that would be a good one to take as well. Has anyone started down that route yet perhaps?
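A sketch of the CSV-to-crdvlt importer suggested in the last reply, added here as an example; it is not part of the original thread and not PAM's own tooling. The REST endpoint path (`/rest/crdvlt/resources`), the JSON field names in the request body and the bearer-token header are all assumptions, since the real calls must be taken from the API Explorer in the `/pam` console. What the example does show independent of those assumptions is the part worth getting right before anything is posted: parsing the CSV, rejecting rows with missing fields, bad ports or duplicate resource names, and defaulting to a dry run so nothing is created until the output has been reviewed. The CSV holds the private keys or passwords that go into the vault, so treat it as a secret (restrictive permissions, delete after import) and never log the `secret` column.

```python
"""
Hypothetical CSV -> Credential Vault bulk importer (added example).
ASSUMPTIONS: endpoint path, JSON field names and the auth scheme are
invented for illustration; verify each one against the API Explorer
under the /pam console before running against a real PAM instance.
"""
import csv
import io
import json
import sys
import urllib.request

RESOURCE_PATH = "/rest/crdvlt/resources"          # ASSUMED, not a documented PAM path
REQUIRED = ("resource", "hostname", "account", "secret")

# Constructed sample input; the third row deliberately repeats a resource name.
SAMPLE_CSV = """resource,hostname,port,account,secret
web01,web01.example.internal,22,root,-----BEGIN OPENSSH PRIVATE KEY-----...
db01,10.0.5.21,2222,root,-----BEGIN OPENSSH PRIVATE KEY-----...
web01,web01.example.internal,22,root,duplicate-row
"""


def parse_rows(text):
    """Parse the CSV into resource dicts.

    Returns (rows, errors). A row is dropped, with a reason recorded in
    errors, if a required column is empty, the port is not 1-65535, or the
    resource name was already seen (resource names must be unique in crdvlt).
    """
    reader = csv.DictReader(io.StringIO(text))
    seen, rows, errors = set(), [], []
    for lineno, row in enumerate(reader, start=2):       # line 1 is the header
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            errors.append(f"line {lineno}: missing {','.join(missing)}")
            continue
        name = row["resource"].strip()
        if name in seen:
            errors.append(f"line {lineno}: duplicate resource {name}")
            continue
        try:
            port = int((row.get("port") or "22").strip())
            if not 1 <= port <= 65535:
                raise ValueError
        except ValueError:
            errors.append(f"line {lineno}: bad port {row.get('port')!r}")
            continue
        seen.add(name)
        rows.append({"resource": name, "hostname": row["hostname"].strip(),
                     "port": port, "account": row["account"].strip(),
                     "secret": row["secret"]})
    return rows, errors


def build_payload(row):
    """Request body for one resource + credential. Field names are ASSUMED."""
    return {"name": row["resource"], "address": row["hostname"], "port": row["port"],
            "credentials": [{"accountName": row["account"], "secret": row["secret"]}]}


def import_rows(base_url, token, rows, dry_run=True, opener=urllib.request.urlopen):
    """POST one resource per row; with dry_run=True nothing leaves the host.

    Returns a list of (resource name, status) so the caller can log results
    without ever touching the secret column.
    """
    results = []
    for row in rows:
        req = urllib.request.Request(
            base_url.rstrip("/") + RESOURCE_PATH,
            data=json.dumps(build_payload(row)).encode(),
            method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": "Bearer " + token})   # ASSUMED auth scheme
        if dry_run:
            results.append((row["resource"], "dry-run"))
            continue
        with opener(req, timeout=30) as resp:
            results.append((row["resource"], resp.status))
    return results


if __name__ == "__main__":
    # Usage: python importer.py hosts.csv https://pam.example.internal TOKEN [--commit]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CSV
    base = sys.argv[2] if len(sys.argv) > 2 else "https://pam.example.internal"
    token = sys.argv[3] if len(sys.argv) > 3 else "placeholder-token"
    rows, errors = parse_rows(text)
    for err in errors:
        print("skipped:", err, file=sys.stderr)
    for name, status in import_rows(base, token, rows, dry_run="--commit" not in sys.argv):
        print(f"{name}: {status}")
```

Run it with no arguments and it only exercises the constructed sample (two resources accepted, the duplicate reported on stderr); pass `--commit` only after the dry-run listing matches the host group that the single cmdctrl rule will reference.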