PAM-CM-0816 error when importing accounts
Article ID: 127263
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)
Issue/Introduction
Sometimes it is necessary to import target accounts into PAM which do not have the default password view policy and instead have one which requires a change password on view action.
If we try this for a target account with the highlighted policy, import seems to work fine, but then accessing the imported account and trying to verify or save it we get the following
So "PAM-CM-0816 The specified password view policy has "change password on view" enabled, but the account is unsynchronized"
Why is this so and how can it be solved ?
Environment
CA PAM all versions
Resolution
This is due to how the password view and verification flow works: when we try to verify or save a password after the import, if the password view policy chosen has the "Change Password on View" policy enabled it will access the password we have stored in the database and it will see it has never been verified.
Because of this, it cannot know if it is the right password. If it were not the right password, the next time we access the password for this account we would have the wrong one and it would not be possible to verify or change it.
That is why unless the account is verified you cannot save or verify the password with the "Change password on view" setting active.
To successfully import these accounts, first assign to them the default password view policy, which does not have "Change password on view" setting active and subsequently save their passwords locally to the Password Authority server and then to the Target server. That will allow you to save the password and make sure it is verified.
After doing so, you can change back their Password view Policy to your custom policy and all will work correctly.
Because of this, it cannot know if it is the right password. If it were not the right password, the next time we access the password for this account we would have the wrong one and it would not be possible to verify or change it.
That is why unless the account is verified you cannot save or verify the password with the "Change password on view" setting active.
To successfully import these accounts, first assign to them the default password view policy, which does not have "Change password on view" setting active and subsequently save their passwords locally to the Password Authority server and then to the Target server. That will allow you to save the password and make sure it is verified.
After doing so, you can change back their Password view Policy to your custom policy and all will work correctly.
Attachments
Feedback
Yes
No
Powered by
