Authentication error after upgrading to PAM 3.x
Article ID: 105200
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)
Authentication error after upgrading to version 3.2
A customer upgraded PAM 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0, and LDAP authentication now fails when trying to log on to PAM.
The PAM 3.0.1 upgrade updates the cipher list in /etc/ldap/ldap.conf, restricting it to a few ciphers.
This causes PAM to fail the TLS handshake with AD (or another LDAP server).
In xcd_spfd.log, the following error is found:
2018-07-06 00:15:41 27896 INFO HandshakeSSL: SSL connection using AES256-SHA256 (TLSv1.2)
2018-07-06 00:15:41 27896 ERROR clientToServerTransfer: TrafficHandler:: Unable to read from client socket!
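As an added diagnostic example (not from the article and not CA/Broadcom code), the Python below parses an ldap.conf for the OpenLDAP TLS_CIPHER_SUITE directive and scans xcd_spfd.log for a HandshakeSSL line that is followed by the "Unable to read from client socket" error from the same process, which is the symptom pattern quoted above. The ldap.conf sample, the third log line and the "four or fewer explicit ciphers" threshold are constructed assumptions; the article does not reproduce the restricted cipher list that 3.0.1 writes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of /etc/ldap/ldap.conf in OpenLDAP client format.
# The cipher value is a placeholder, not the list PAM 3.0.1 actually writes.
SAMPLE_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed sample)
BASE dc=example,dc=com
URI ldaps://ldap.example.com
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CIPHER_SUITE AES256-SHA256:AES128-SHA256
"""

# First two lines are the ones quoted in the article; the third is a
# constructed healthy handshake with no error after it.
SAMPLE_XCD_SPFD_LOG = """\
2018-07-06 00:15:41 27896 INFO HandshakeSSL: SSL connection using AES256-SHA256 (TLSv1.2)
2018-07-06 00:15:41 27896 ERROR clientToServerTransfer: TrafficHandler:: Unable to read from client socket!
2018-07-06 00:16:02 27901 INFO HandshakeSSL: SSL connection using ECDHE-RSA-AES256-GCM-SHA384 (TLSv1.2)
"""

# Cipher-string keywords that select a family rather than an explicit list.
FAMILY_KEYWORDS = {"HIGH", "MEDIUM", "DEFAULT", "ALL"}


def tls_cipher_suite(conf_text: str) -> Optional[str]:
    """Return the TLS_CIPHER_SUITE value from ldap.conf text, or None if unset."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "TLS_CIPHER_SUITE":
            return parts[1].strip()
    return None


def cipher_list_is_restricted(suite: Optional[str], max_explicit: int = 4) -> bool:
    """Heuristic (assumed threshold): flag a short, fully explicit cipher list.

    An unset directive means the library default applies, and a keyword-based
    string such as 'HIGH:!aNULL' is not treated as restricted.
    """
    if suite is None:
        return False
    ciphers = [c for c in suite.split(":") if c]
    if all(c.upper() in FAMILY_KEYWORDS or c.startswith("!") for c in ciphers):
        return False
    return len(ciphers) <= max_explicit


HANDSHAKE_RE = re.compile(
    r"^(\S+ \S+) (\d+) INFO HandshakeSSL: SSL connection using (\S+) \((\S+)\)"
)
READ_ERR_RE = re.compile(
    r"^(\S+ \S+) (\d+) ERROR clientToServerTransfer: .*Unable to read from client socket"
)


def find_failed_handshakes(log_text: str) -> List[Dict[str, str]]:
    """Pair each HandshakeSSL line with a later read error from the same pid."""
    pending: Dict[str, Tuple[str, str]] = {}  # pid -> (cipher, tls version)
    failures: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            pending[m.group(2)] = (m.group(3), m.group(4))
            continue
        m = READ_ERR_RE.match(line)
        if m and m.group(2) in pending:
            cipher, version = pending.pop(m.group(2))
            failures.append(
                {"time": m.group(1), "pid": m.group(2), "cipher": cipher, "tls": version}
            )
    return failures


if __name__ == "__main__":
    suite = tls_cipher_suite(SAMPLE_LDAP_CONF)
    print("TLS_CIPHER_SUITE:", suite, "restricted:", cipher_list_is_restricted(suite))
    for f in find_failed_handshakes(SAMPLE_XCD_SPFD_LOG):
        print("handshake followed by read error:", f)
```

Run it against the real /etc/ldap/ldap.conf and xcd_spfd.log to confirm the two findings line up: an explicit, short TLS_CIPHER_SUITE together with handshake lines that are immediately followed by a read error from the same process points at the cipher-list change rather than at credentials or directory reachability.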
PAM Upgrade from 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0
If you have encountered this issue, open a support ticket and have a support engineer fix it manually by updating the /etc/ldap/ldap.conf file to restore the default PAM cipher list.
Restart of PAM is not required.
Once the /etc/ldap/ldap.conf file has been updated, log on to PAM with an LDAP account to confirm.
When upgrading PAM 2.8.x to 3.x, avoid PAM 3.0.1 (or apply 3.0.1.02 before upgrading to a higher PAM version).