How does PAM determine device name and address when a new A2A client registers?


Article ID: 125564


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)


When we install an A2A client on a device that is not configured in PAM yet, a Device will be created when the A2A client starts up for the first time and connects to the PAM server. We need to know how exactly PAM determines the device name so we can understand possible problems with a new client matching an existing device in PAM when it shouldn't, or why a new device has an address different from what we would have expected.

How are the Device Name and Address determined for a new device?


Component: CAPAMX


This is the process for registering a new request server and device:
1. The agent sends a login request to the PAM server on startup.

2. The PAM server receives the request and determines the agent's host name and IP address as follows:
 (a) Get the originating IP from the HTTP request, taking into account X-Forwarded-For headers in case the request was forwarded by proxies.
 (b) Get the initial host name <host name> from the originating IP using Java method InetAddress.getHostName().
 (c) Use InetAddress.getByName(<host name>) to get an Inetaddress object <address>.
 (d) Set the final IP address to <address>.getHostAddress().
 (e) Set the final host name to <address>.getCanonicalHostName(), i.e. the FQDN, if DNS can resolve the IP.

3. If not found in PAM, create the request server entry with the IP from (d) and host name from (e).
4. If not found in PAM, create the device with Device name and Device address set to the host name from (e).

In summary, Device name and address will be the FQDN if the IP derived from the HTTP request can be resolved. If it cannot be resolved, it will be the IP.
The device name in PAM is just a label and could be changed later on. At the time of registration all PAM can do is set it to the same value as the device address.

Additional Information

Note: HTTP request header information is logged in the tomcat log (catalina.out) at log level FINER. The log level can be set, and the log file downloaded for review, on the Configuration > Diagnostics > Diagnostic Logs page. Log level FINER is recommended for short time intervals only. Do not leave the log level long term at that setting.