Super Contributor.

Adding many hosts to PAM

For those of you with many hosts in PAM, how did you add them all? Did you automate it through the REST API or did you add them all manually? We have a few to add and I'd rather not add them all manually. I can already add the host to the vault with the corresponding credential but don't know how to add the corresponding command control rule yet.

6 Replies
Micro Focus Expert

Re: Adding many hosts to PAM

Is the privileged account name the same for these hosts (e.g. root)? If so, you could create a Host Group in Command Control Console with a list of all the Resource Names in the Vault (usually hostname) and configure a single rule that would authorize access to a group of servers for a specific credential 'Run User'.

If there are unique privileged account names for each Resource/server, then an authorizing rule would need to be created for that as far as I understand. And yes, it's possible to create rules automatically by leveraging the REST API in PAM. More details can be found in the "/pam" console of PAM 3.5 or 3.6+ by selecting "REST API" from the user details in the top right. A nice API Explorer will be available there.

If this is PAM 3.2, sorry, I don't know what the call might have been.

If you mean registering a PAM Agent as a host in the framework, there are typically deployment tools that are used to install / manage software or some custom script made unique for the environments. Examples of registration scripts can be found in TID 7024174.

Super Contributor.

Re: Adding many hosts to PAM

Thanks. The privileged account name is the same. At the moment, we are creating unique authorization rules for every server (only difference is Account Domain/Credentials/Run Host). I'll try to collapse this into one rule.

Regular Contributor.

Re: Adding many hosts to PAM

Does every host need to be a resource in the credential vault? I have a long list of hosts that need to use the same local credential but cannot figure out how to get the SSH relay to work without adding each host and credential to the credential vault. I have created a host group, but if I try to use one credential, SSH connects to the hostname set in the resource.

Super Contributor.

Re: Adding many hosts to PAM

My thinking is the same as yours. Because we add the SSH private key as a credential to the vault entry for the host, it seems impossible to use a simple command control rule for all hosts. But, maybe there is something I don't understand. Anyway, worth trying to investigate.

Regular Contributor.

Re: Adding many hosts to PAM

Agreed, I can't see a way to use a credential across multiple hosts which is something we need to be able to do.

Micro Focus Expert

Re: Adding many hosts to PAM

So you can have a single cmdctrl rule configured to authorize access to many resources using the same run user name as the credential; however, each resource would need to be created in the crdvlt with the associated credential. So the single rule could have the run hosts be from a run host group, and cmdctrl resolves those to resource names in the crdvlt so it can obtain the connection details associated with that resource (e.g. hostname/ip, port, host key) and also the credential.

One advantage that could be considered with this approach is that the Password Management feature could be enabled to configure a password or key rotation of this credential so that the same credential isn't available for all the servers from a security perspective. But I can see the challenge here if that's not the desire.

It would be convenient if there was a csv to crdvlt import script created leveraging the REST API so that the creation of the resources / credentials could be automated within the crdvlt. I think an approach like that would be a good one to take as well. Has anyone started down that route yet perhaps?

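A pre-flight check for the CSV-to-vault import suggested above, added here as an example and not code from the thread or from Micro Focus PAM: it parses a constructed host CSV, builds one vault Resource record per row, and reports Host Group members that would not resolve to a Resource (the failure mode the reply describes, since cmdctrl resolves run hosts to Resource names to obtain connection details and the credential). The JSON field names and the `credential_ref` column are placeholders; the real endpoints and schema live in PAM's API Explorer, which the thread does not reproduce.

```python
import csv
import io

# Constructed sample CSV (not from the thread): one row per server that must
# exist as a Resource in the credential vault; resource name = hostname here.
SAMPLE_CSV = """resource,hostname,port,run_user,credential_ref
web01,web01.example.internal,22,root,vault:ssh-key-web01
web02,web02.example.internal,22,root,vault:ssh-key-web02
db01,db01.example.internal,2222,root,vault:ssh-key-db01
"""

# Constructed Command Control Host Group. cmdctrl resolves each member to a
# Resource name in the vault; a member with no Resource has no connection
# details or credential behind it, so the single rule cannot serve that host.
HOST_GROUP = ["web01", "web02", "db01", "app01"]

REQUIRED = ("resource", "hostname", "port", "run_user", "credential_ref")

def load_rows(csv_text):
    """Parse the CSV, rejecting rows with an empty required field."""
    rows = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        missing = [k for k in REQUIRED if not row.get(k)]
        if missing:
            raise ValueError(f"line {lineno}: missing {missing}")
        row["port"] = int(row["port"])
        rows.append(row)
    return rows

def build_resource_payloads(rows):
    """One vault Resource per row; field names are placeholders, not PAM's schema."""
    seen, payloads = set(), []
    for r in rows:
        if r["resource"] in seen:
            raise ValueError(f"duplicate resource {r['resource']}")
        seen.add(r["resource"])
        payloads.append({"name": r["resource"], "host": r["hostname"], "port": r["port"],
                         "credential": {"user": r["run_user"], "ref": r["credential_ref"]}})
    return payloads

def host_group_gaps(host_group, payloads):
    """Host Group members that would not resolve to a vault Resource."""
    names = {p["name"] for p in payloads}
    return sorted(h for h in host_group if h not in names)

def distinct_run_users(payloads):
    """A single rule only works if every Resource shares the same run user."""
    return sorted({p["credential"]["user"] for p in payloads})
```

Run `host_group_gaps(HOST_GROUP, build_resource_payloads(load_rows(SAMPLE_CSV)))` before submitting anything; with the constructed data it reports `app01` as a group member with no vault Resource.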