Authentication error after upgrading to PAM 3.x version

Article ID: 105200

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

Authentication error after upgrading to version 3.2
A customer upgraded PAM 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0, and LDAP authentication now fails when logging on to PAM.

Cause

The PAM 3.0.1 upgrade rewrites the cipher list in /etc/ldap/ldap.conf, restricting it to just two ciphers:

/etc/ldap/ldap.conf
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA

As a result, PAM cannot complete the TLS handshake for its secure connection to AD (or the LDAP server).
The following error is found in xcd_spfd.log:

2018-07-06 00:15:41  27896 INFO  HandshakeSSL: SSL connection using AES256-SHA256 (TLSv1.2) 
...
2018-07-06 00:15:41  27896 ERROR clientToServerTransfer: TrafficHandler:: Unable to read from client socket!

Environment

PAM Upgrade from 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0

Resolution

If you have encountered this issue, open a support ticket and have a support engineer fix it manually by updating the /etc/ldap/ldap.conf file to restore the default PAM cipher list.

From:
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA

To:
TLS_CIPHER_SUITE NORMAL:+SECURE256:+SECURE128:+SHA256

A restart of PAM is not required.
Once the /etc/ldap/ldap.conf file is updated, try logging on to PAM using LDAP to confirm that authentication works again.
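The following shell script is an added example, not part of this article or the PAM product, for checking which TLS_CIPHER_SUITE value an ldap.conf file currently carries. It reports "restricted" for the list written by the 3.0.1 upgrade, "default" for the list the support engineer restores, "unset" when the directive is absent, and "other" for anything else; the function names and the last-occurrence-wins parsing are assumptions of the example, and the two cipher lists are the ones quoted in this article.

```shell
#!/bin/sh
# Added example (not from the article or the PAM product): classify the
# TLS_CIPHER_SUITE directive in an ldap.conf-style file so an operator can
# confirm whether the restricted 3.0.1 cipher list is still in place.

# Both values are taken from the article: the list left behind by the
# 3.0.1 upgrade and the default list that support restores.
RESTRICTED_SUITE='AES256-SHA:AES128-SHA'
DEFAULT_SUITE='NORMAL:+SECURE256:+SECURE128:+SHA256'

# Print the effective TLS_CIPHER_SUITE value from the file given as $1.
# Keyword matching is case-insensitive, commented lines ("#...") are
# ignored because their first field never equals the keyword, and the
# last uncommented occurrence wins (an assumption of this example).
get_ldap_cipher_suite() {
    awk 'toupper($1) == "TLS_CIPHER_SUITE" { v = $2 } END { print v }' "$1"
}

# Print exactly one word describing the file given as $1:
#   default | restricted | other | unset
classify_ldap_cipher_suite() {
    suite=$(get_ldap_cipher_suite "$1")
    case "$suite" in
        "")                  echo unset ;;
        "$RESTRICTED_SUITE") echo restricted ;;
        "$DEFAULT_SUITE")    echo default ;;
        *)                   echo other ;;
    esac
}

# When a path is supplied on the command line, report on it, e.g.:
#   sh check_ldap_ciphers.sh /etc/ldap/ldap.conf
if [ "$#" -gt 0 ]; then
    printf '%s: TLS_CIPHER_SUITE is %s\n' "$1" "$(classify_ldap_cipher_suite "$1")"
fi
```

A result of "restricted" on an upgraded appliance matches the cause described above; "default" is what you expect to see after the file has been corrected. The script only reads the file, so it is safe to run before and after the support engineer's change.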

When upgrading PAM 2.8.x to 3.x, avoid PAM 3.0.1 (or apply 3.0.1.02 before upgrading to a later PAM version).

Additional Information

https://communities.ca.com/thread/241792494-upgrade-pam-28x-to-300-301-and-311