PAM License Invalid Because of Incorrect Date


Article ID: 126304


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)


The system date keeps changing to 2016, about 3 years old.  As a result, a term license is seen as expired.  The system is configured to use ntp.  The date keeps reverting to the wrong date following a reboot, even after manually setting it to the correct date.


Component: CAPAMX


Examination of ntp status page shows that the Reach field is set to 0.  An explanation of this field was found on the following Cisco page: 

As described on this page, reach=0 means that the ntp process did not receive any packets from the ntp server.  The desired value is 377, which is the octal value when all 8 bits in a byte are set to 1.  It means that the ntp process received the last 8 packets. During normal operation it can be expected to see this number to change, as packets are received and then not. 

Because no packets were received the time seems to be defaulting to whatever the default is for the ntp daemon. This may have something to do with the release date of the daemon, which appears to be 2016 according to the system logfile. 

The following steps will help to resolve the ntp issue:
1. Check that port 123 is open between PAM and the ntp server. We can't test this from the tools page, because that only checks tcp ports. You will have to check with your network team. 
2. Try using a different ntp server. 
3. Configure PAM not to use NTP, and manually reset the time. 

If these steps do not resolve the problem a Support ticket should be opened.