Rest API problem when creating UNIX target applications
search cancel

Rest API problem when creating UNIX target applications


Article ID: 112499


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)


In an attempt to minimize the number of human errors when creating applications and accounts on new devices, we are attempting to utilize the Rest API to create Applications for Unix devices. In the interest of making sure we include the correct attributes, we use resource

GET /api.php/v1/devices.json/{id}/targetApplications/{applicationId}

with "*" in the "fileds" text box to return all fields.

We copy the response body and make the following changes:
- Remove the "id" field
- Remove the "deviceId" field
- Update the "applicationName" field with the desired target application name for the new device.

We expect this to be a valid body for resource

POST /api.php/v1/devices.json/{id}/targetApplications

to create a similar target application for a different device. But this results in the following error:

"error": { 
"code": 400, 
"message": "Bad Request: PAM-CMN-0338: Device xxx was not updated due to Password Authority authorization errors." 



This can be observed on all currently supported PAM releases, with PAM 3.2 being the latest release as of the writing of this knowledge doc.


GET requests return boolean attributes with values "t" or "f", but POST and PUT requests require values "true" or "false".


Update all boolean attributes to have value "true" instead of "t" or "false" instead of "f".

Returned by GET request:

"sshUseDefaultKeyExchangeAlgorithms": "t",

Correct syntax to use in POST or PUT request:

"sshUseDefaultKeyExchangeAlgorithms": "true",

Another potential problem is the password composition policy (PCP). If the original target application did not have a specific PCP assigned, the GET request will return
"passwordCompositionPolicyId": "0"

But "0" is not a valid PCP id. If you do not want to assign a specific PCP to the new target application, remove this line from the request body. If you remove the last line in a body, make sure to remove the trailing comma of the previous line.
The following is a sample body to post a new UNIX target application:

  "applicationName": "newdevice-UNIX",
  "applicationType": "unixII",
  "description1": "My TA descriptor one",
  "description2": "My TA descriptor two",
  "attributes": {
    "passwordEntryPrompt": "",
    "sshSessionTimeout": "",
    "echoCommand": "",
    "telnetSessionTimeout": "",
    "useUpdateScriptType": "DEFAULT",
    "substituteUserCommand": "",
    "acctDiscGidValue": "",
    "acctDiscUidRangeLow": "",
    "acctDiscGidRangeLow": "",
    "sshUseDefaultKeyExchangeAlgorithms": "true",
    "sshKeyPairPolicyID": "",
    "acctDiscUidValue": "",
    "passwordConfirmationPrompt": "",
    "changeFilePermissionsCommand": "",
    "sshPort": "",
    "changePasswordCommand": "",
    "useVerifyScriptType": "DEFAULT",
    "sshServerToClientCiphersList": "",
    "elevatePrivilegeCommand": "",
    "sshKnownHostKey": "",
    "sshKnownHostKeyFingerprint": "",
    "exitStatusOfLastCommand": "",
    "sshServerToClientCompressionAlgorithmsList": "",
    "extensionType": "unixII",
    "systemInfoCommand": "",
    "patternMatchingCommand": "",
    "acctDiscGidRangeHigh": "",
    "acctDiscGidType": "",
    "sshDetectCiphersList": "",
    "sshClientToServerCiphersList": "",
    "sshClientToServerCompressionAlgorithmsList": "",
    "passwordChangePrompt": "",
    "acctDiscUidType": "",
    "acctDiscUidRangeHigh": "",
    "sshUseDefaultCiphers": "true",
    "sshServerHostKeyAlgorithmsList": "",
    "userNameEntryPrompt": "",
    "sshUseDefaultHashes": "true",
    "unixVariant": "LINUX",
    "whoAmICommand": "",
    "telnetPort": "",
    "sshKeyExchangeAlgorithmsList": "",
    "policyManagementCommand": "",
    "sshUseDefaultCompressionAlgorithms": "true",
    "acctDiscUseUid": "false",
    "sshUseDefaultServerHostKeyAlgorithms": "true",
    "scriptTimeout": "",
    "sshClientToServerHashesList": "",
    "sshServerToClientHashesList": "",
    "sshStrictHostKeyCheckingEnabled": "false",
    "acctDiscUseGid": "false"