Rest API problem when creating UNIX target applications

Article ID: 112499

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

To minimize human error when creating applications and accounts on new devices, we are using the REST API to create target applications for UNIX devices. To make sure we include the correct attributes, we use the resource

GET /api.php/v1/devices.json/{id}/targetApplications/{applicationId}

with "*" in the "fields" text box to return all fields.

We copy the response body and make the following changes:
- Remove the "id" field
- Remove the "deviceId" field
- Update the "applicationName" field with the desired target application name for the new device.

We expect this to be a valid body for resource

POST /api.php/v1/devices.json/{id}/targetApplications

to create a similar target application for a different device. But this results in the following error:


"error": {
"code": 400,
"message": "Bad Request: PAM-CMN-0338: Device xxx was not updated due to Password Authority authorization errors."
}

Environment

This can be observed on all currently supported PAM releases, with PAM 3.2 being the latest release as of the writing of this knowledge doc.

Cause

GET requests return boolean attributes with values "t" or "f", but POST and PUT requests require values "true" or "false".

Resolution

Change every boolean attribute value from "t" to "true" and from "f" to "false" before sending the body in a POST or PUT request.

Example:
Returned by GET request:
...

"sshUseDefaultKeyExchangeAlgorithms": "t",
...

Correct syntax to use in POST or PUT request:
...

"sshUseDefaultKeyExchangeAlgorithms": "true",
...

Another potential problem is the password composition policy (PCP). If the original target application did not have a specific PCP assigned, the GET request will return
"passwordCompositionPolicyId": "0"

But "0" is not a valid PCP ID. If you do not want to assign a specific PCP to the new target application, remove this line from the request body. If you remove the last line in a body, make sure to remove the trailing comma of the previous line.

The following is a sample body to post a new UNIX target application:

{
  "applicationName": "newdevice-UNIX",
  "applicationType": "unixII",
  "description1": "My TA descriptor one",
  "description2": "My TA descriptor two",
  "attributes": {
    "passwordEntryPrompt": "",
    "sshSessionTimeout": "",
    "echoCommand": "",
    "telnetSessionTimeout": "",
    "useUpdateScriptType": "DEFAULT",
    "substituteUserCommand": "",
    "acctDiscGidValue": "",
    "acctDiscUidRangeLow": "",
    "acctDiscGidRangeLow": "",
    "sshUseDefaultKeyExchangeAlgorithms": "true",
    "sshKeyPairPolicyID": "",
    "acctDiscUidValue": "",
    "passwordConfirmationPrompt": "",
    "changeFilePermissionsCommand": "",
    "sshPort": "",
    "changePasswordCommand": "",
    "useVerifyScriptType": "DEFAULT",
    "sshServerToClientCiphersList": "",
    "elevatePrivilegeCommand": "",
    "sshKnownHostKey": "",
    "sshKnownHostKeyFingerprint": "",
    "exitStatusOfLastCommand": "",
    "sshServerToClientCompressionAlgorithmsList": "",
    "extensionType": "unixII",
    "systemInfoCommand": "",
    "patternMatchingCommand": "",
    "acctDiscGidRangeHigh": "",
    "acctDiscGidType": "",
    "sshDetectCiphersList": "",
    "sshClientToServerCiphersList": "",
    "sshClientToServerCompressionAlgorithmsList": "",
    "passwordChangePrompt": "",
    "acctDiscUidType": "",
    "acctDiscUidRangeHigh": "",
    "sshUseDefaultCiphers": "true",
    "sshServerHostKeyAlgorithmsList": "",
    "userNameEntryPrompt": "",
    "sshUseDefaultHashes": "true",
    "unixVariant": "LINUX",
    "whoAmICommand": "",
    "telnetPort": "",
    "sshKeyExchangeAlgorithmsList": "",
    "policyManagementCommand": "",
    "sshUseDefaultCompressionAlgorithms": "true",
    "acctDiscUseUid": "false",
    "sshUseDefaultServerHostKeyAlgorithms": "true",
    "scriptTimeout": "",
    "sshClientToServerHashesList": "",
    "sshServerToClientHashesList": "",
    "sshStrictHostKeyCheckingEnabled": "false",
    "acctDiscUseGid": "false"
  }
}
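
The manual edits described in this article (removing "id" and "deviceId", renaming the application, rewriting "t"/"f", and dropping a "0" PCP ID) can be scripted so that no attribute is missed. The following is an added example, not code from the vendor or from this article; the function names and the sample GET body are constructed, and it assumes that any value that is exactly "t" or "f" is a boolean and that "passwordCompositionPolicyId" may appear at any level of the body.

```python
import json

# Constructed sample of a GET response body (illustrative values only).
SAMPLE_GET_BODY = json.loads("""
{
  "id": "1001",
  "deviceId": "42",
  "applicationName": "olddevice-UNIX",
  "applicationType": "unixII",
  "passwordCompositionPolicyId": "0",
  "attributes": {
    "sshUseDefaultKeyExchangeAlgorithms": "t",
    "sshStrictHostKeyCheckingEnabled": "f",
    "acctDiscUseUid": "f",
    "unixVariant": "LINUX",
    "sshPort": ""
  }
}
""")

BOOL_MAP = {"t": "true", "f": "false"}   # GET form -> POST/PUT form
SERVER_ASSIGNED = ("id", "deviceId")     # fields the article says to remove


def _fix(node):
    """Recursively rewrite "t"/"f" strings and drop an unassigned ("0") PCP ID."""
    if isinstance(node, dict):
        return {k: _fix(v) for k, v in node.items()
                if not (k == "passwordCompositionPolicyId" and str(v) == "0")}
    if isinstance(node, list):
        return [_fix(v) for v in node]
    return BOOL_MAP.get(node, node) if isinstance(node, str) else node


def get_body_to_post_body(get_body, new_name):
    """Build a POST body from a GET targetApplications response (input is not modified)."""
    body = {k: v for k, v in get_body.items() if k not in SERVER_ASSIGNED}
    body = _fix(body)
    body["applicationName"] = new_name
    return body


if __name__ == "__main__":
    # json.dumps emits valid JSON, so no trailing comma is left behind
    # when the PCP line was the last one in the body.
    print(json.dumps(get_body_to_post_body(SAMPLE_GET_BODY, "newdevice-UNIX"), indent=2))
```

Review the printed body before posting it: every attribute of the source application, including its SSH settings, is carried over to the new device unchanged.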