achinayoung_wau Respected Contributor.

Adding many hosts to PAM

For those of you with many hosts in PAM, how did you add them all? Did you automate it through the REST API or did you add them all manually? We have a few to add and I'd rather not add them all manually. I can already add the host to the vault with the corresponding credential but don't know how to add the corresponding command control rule yet.

Micro Focus Expert

Re: Adding many hosts to PAM

Is the privileged account name the same for these hosts (e.g. root)? If so, you could create a Host Group in Command Control Console with a list of all the Resource Names in the Vault (usually hostname) and configure a single rule that would authorize access to a group of servers for a specific credential 'Run User'.

If there are unique privileged account names for each Resource/server, then an authorizing rule would need to be created for that as far as I understand. And yes, it's possible to create rules automatically by leveraging the REST API in PAM. More details can be found in "/pam" console of PAM 3.5 or 3.6+ and selecting "REST API" from the user details in the top right. A nice API Explorer will be available there.

If this is PAM 3.2, sorry, I don't know what the call might have been.

If you mean registering a PAM Agent as a host in the framework, there are typically deployment tools that are used to install / manage software or some custom script made unique for the environments. Examples of registration scripts can be found in TID 7024174.

achinayoung_wau Respected Contributor.

Re: Adding many hosts to PAM

Thanks. The privileged account name is the same. At the moment, we are creating unique authorization rules for every server (only difference is Account Domain/Credentials/Run Host). I'll try to collapse this into one rule.

Kgallog Regular Contributor.

Re: Adding many hosts to PAM

Does every host need to be a resource in the credential vault? I have a long list of hosts for which I need to use the same local credential, but I cannot figure out how to get SSH relay to work without adding each host and credential to the credential vault. I have created a host group, but if I try to use one credential, SSH connects to the hostname set in the resource.


achinayoung_wau Respected Contributor.

Re: Adding many hosts to PAM

My thinking is the same as yours. Because we add the SSH private key as a credential to the vault entry for the host, it seems impossible to use a simple command control rule for all hosts. But, maybe there is something I don't understand. Anyway, worth trying to investigate.

Kgallog Regular Contributor.

Re: Adding many hosts to PAM

Agreed, I can't see a way to use a credential across multiple hosts which is something we need to be able to do.

