Plugins

The Plugin Settings provide options for System Admins to configure Privileged Access Management (PAM) provider plugins. In this page, you can start and stop PAM providers plugins, or create a new PAM Server Configuration.

PAM Server Configurations

The Privileged Access Management (PAM) Server Configurations are used by PAM provider plugins to connect to remote, third party PAM servers and vaults.

An Administrator can only create Global PAM configurations, which assume that the remote PAM vault is directly accessible by the CPAM Server.

Customer users, particularly Gatekeeper or Application administrators, can create PAM Configurations that use one of their managed Sites as a tunnel for the PAM provider plugin to reach the vault, allowing the CPAM server to use vaults that reside within that Customer's networks and would otherwise be unreachable.

When creating PAM Configurations, administrators need to provide a Name, a Description, and a URL that the plugin uses to make its requests. This endpoint must be accessible from the CPAM server. Along with those configurations, administrators must select a PAM provider plugin that is currently loaded into the server, and configure its required Connection Parameters as specified.

A suitable list of placeholders can be used, so that the remote vault can be connected to as needed. To see the list of placeholders, the Administrator needs to hover their mouse over Help.

Placeholders resolved according to the appropriate service, host and user that is trying to access the service, each time that a credential is requested. PAM Plugins use these values as part of their workflow when connecting to the remote provider.

IMPORTANT:
Delinea (previously Thycotic) Secret Server is rolling out a new platform that is not currently supported to integrate with CPAM. To configure a secret and credentials plugin, consider an alternative while we integrate with Delinea Secret Server. For more information, navigate to:

Plugin Updates

After you configure a plugin in CPAM, the server can automatically migrate existing plugin configuration to a newer version of the same plugin. This feature enables you to upgrade plugins without reconfiguring credentials and connection settings.

NOTE:
If you uninstall a newer plugin version or install a different plugin type, configurations do not migrate back or across. The system preserves the existing configuration references, even if the plugin is removed.

To configure plugin updates to migrate configurations, you must meet the following requirements:

  • You are a System Administrator or your role has the adequate permissions.

  • You can install or upgrade plugins with the sudo pas plugin install command

  • You have SSH access to the Gatekeeper.

  • Your CPAM server has active credentials and plugin configurations in the system before upgrading.

The following sections contain the steps the process for migrating configurations and how you can verify the migration works.

When you install a newer version of a plugin, the following happens in your CPAM server:

  1. The system detects an existing configuration that uses the previous plugin version.

  2. The configuration automatically rebinds to the new plugin version, after installation is complete.

  3. Any credentials or services that depend on the plugin continue to function without interruption.

  4. The Plugin Settings table updates to display the new version number.

  5. The External Credential Provider previously configured with the older plugin continues to operate normally, without errors.

This process ensures that the migration is transparent to the administrator and does not require manual intervention or reconfiguration.

To validate the plugin configuration migration works, follow the steps below:

  1. Navigate to System Admin > Settings > Plugin Settings.

  2. Confirm that the system displays the upgraded plugin in the Plugins table and is running.

  3. Navigate to System Admin > Credentials > External Credential Providers.

  4. Verify that credentials linked to the previous version continue to function.

  5. Launch a service that uses these credentials.
    The service should connect successfully and credential injection should occur without errors.

If the migration succeeds, the configuration now references the new plugin version automatically.

If you uninstall the latest plugin version, the configuration remains bound to that version. The system does not revert the configuration to an earlier version automatically.

When the newer plugin is removed:

  • The configuration entry in Plugin Settings displays N/A in the Plugin column.

  • The Server Configuration details display the following message:

    The required plugin is not available or its properties could not be retrieved. Contact a system administrator.

  • The configuration still points to the removed plugin version.

This design prevents accidental rollback of configurations and ensures administrators are aware of missing components.