CA Privileged Access Manager - 2.8.3

Managing Java on Your Client Workstation

Last update March 15, 2018

This content describes how to manage Java on your client workstation.

Clear the Java Cache (Windows)

To help prevent mismatched CA Privileged Access Manager Java cache contents during or after upgrading a Windows client workstation, clear the Oracle Java cache.

To clear the Java cache, open the Java control panel (Control Panel, Java) and remove all "Temporary Files".

Update the Java Heap Setting

We recommend that you adjust your Java heap so that, on a workstation with 4 GB of total memory, 1024 MB is allocated to it.
For example, assign the Java maximum heap size (-Xmx) and initial heap size (-Xms) in Runtime Parameters:

-Xmx1024m -Xms1024m

Note: Do not copy-and-paste the string into a word processor (such as Microsoft Word) before pasting into the Java Control Panel. This action might alter the characters. Instead, if you want to store the string, use a plain-text application such as Notepad.

To confirm that the heap adjustment has taken effect, give the Java console focus and press m to display the memory values. If successful, the results are close to the settings.

JAR File Signing

By default, CA Privileged Access Manager JARs are signed and are validated against a public Certificate Authority (CA). For many customers, this arrangement is sufficient and no further action is required. However, if your end users do not have access to the public Internet, this feature provides an alternative: signing the CA Privileged Access Manager applets using an internal CA.

Note: If you are considering self-signing, we suggest you discuss this issue with CA Support.

CA Privileged Access Manager Configuration

You can have CA Privileged Access Manager sign its JAR files using certificates issued from any CA, including one located in your internal network, which is isolated from the Internet. To set the signing certificate:

  1. Have your organization CA administrator prepare a code-signing certificate for use by CA Privileged Access Manager.
    You receive the public certificate and private key for signing the CA Privileged Access Manager JARs. You also receive the public key of the CA that issues this certificate with its CRL.
  2. Log in as CA Privileged Access Manager User "config", or as another account with at least a role of Configuration Manager. For example, you can also use "super".
  3. Navigate to Config, Security.
  4. In the Upload Certificate or Private Key panel, Browse to your certificate files and Upload them.
    Upload at least the public certificate and private key. These files must have the same root name. The public and private key files should end with the ".crt" and ".key" extensions respectively; for example, you might have "ExampleCorp1.crt" and "ExampleCorp1.key".
  5. In the (new) Sign Xsuite Applets panel on that page, enter the node IP address as the Xsuite Domain.
  6. In Select A Certificate, choose the bundle root name you uploaded, or the Default Xsuite Applet Certificate.
  7. To confirm certificate integrity, click Verify Certificate, and note the confirmation message at the top of the page.
  8. After the certificate passes verification, click Sign Applets With Certificate, and wait a few moments for the CA Privileged Access Manager applets to be signed and confirmed at the top of the page.
  9. Clear your Java cache.
  10. Log out from CA Privileged Access Manager, and then log back in.
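
A pre-upload check for the bundle from steps 1 and 4, as an added example that is not part of the CA Privileged Access Manager product or its documentation: it confirms the shared root name and extensions, that the private key matches the certificate, and that the certificate is a current code-signing certificate. The function name, the exit codes and the optional third argument (the issuing CA's certificate) are assumptions of this example; it expects PEM files, an unencrypted key and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: pre-upload sanity check for a JAR-signing bundle (step 4).
# Assumes PEM files, an unencrypted private key, and openssl 1.1.1+ on PATH.
# Usage: ./check_bundle.sh ExampleCorp1.crt ExampleCorp1.key [internal-ca.crt]

check_signing_bundle() {
    crt=$1; key=$2; ca=${3:-}

    # 1. Same root name, with ".crt" and ".key" extensions.
    case $crt in *.crt) ;; *) echo "FAIL: certificate must end in .crt"; return 1 ;; esac
    case $key in *.key) ;; *) echo "FAIL: private key must end in .key"; return 1 ;; esac
    if [ "$(basename "$crt" .crt)" != "$(basename "$key" .key)" ]; then
        echo "FAIL: certificate and key root names differ"; return 1
    fi

    # 2. The certificate must contain the public half of the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot parse certificate"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot parse private key"; return 2; }
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; return 2
    fi

    # 3. Issued for code signing (Extended Key Usage) and not expired.
    if ! openssl x509 -in "$crt" -noout -ext extendedKeyUsage 2>/dev/null | grep -q 'Code Signing'; then
        echo "FAIL: certificate lacks the Code Signing extended key usage"; return 3
    fi
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"; return 4
    fi

    # 4. Optional: chains to the internal CA certificate that clients import.
    if [ -n "$ca" ] && ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against $ca"; return 5
    fi

    echo "OK: $(basename "$crt" .crt) bundle is consistent"
}

# Run only when file names are given on the command line.
[ $# -eq 0 ] || check_signing_bundle "$@"
```

Passing the same CA certificate that clients import under Client Configuration as the third argument catches a bundle issued by the wrong CA before the applets are re-signed.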

Client Configuration

Your clients must be configured to trust the public certificate that is used to sign the CA Privileged Access Manager JARs:

  • On each client, add the public certificate of the CA to your Java JRE installation (Java Control Panel, Security, Manage Certificates, User tab + Certificate Type = "Signer CA" > Import), or to your browser certificate store.