Authentication error after upgrading to PAM 3.x version

Article Id: 105200

Status: Published

Updated On: 05-07-2018 18:57

Products:

CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM) CA Privileged Access Manager (PAM)

Issue/Introduction:

Authentication error after upgrading to 3.2 version
Customer upgraded their PAM 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0 and LDAP Authentication fails when trying to logon to PAM.

Cause:

On PAM 3.0.1, it updates the /etc/ldap/ldap.conf cipher list by restricting it to couple of ciphers as below.

/etc/ldap/ldap.conf
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA

This causes the PAM to fail handshaking secure connection to AD(or LDAP).
In the xcd_spfd.log, following error is found.

2018-07-06 00:15:41 27896 INFO HandshakeSSL: SSL connection using AES256-SHA256 (TLSv1.2)
...
2018-07-06 00:15:41 27896 ERROR clientToServerTransfer: TrafficHandler:: Unable to read from client socket!

Environment:

PAM Upgrade from 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0

Resolution:

If you have encountered this issue, you can open a support ticket and have support engineer to fix it manually by updating the /etc/ldap/ldap.conf file to restore the default PAM ciphers list.

From:
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA

To:
TLS_CIPHER_SUITE NORMAL:+SECURE256:+SECURE128:+SHA256

Restart of PAM is not required.
Once the /etc/ldap/ldap.conf file is updated, you can try logging on to PAM using LDAP to confirm.

In case of upgrading PAM 2.8.x to 3.x, customer should avoid PAM 3.0.1 (or apply 3.0.1.02 prior to upgrading to other higher version of PAM).

Additional Information:

https://communities.ca.com/thread/241792494-upgrade-pam-28x-to-300-301-and-311