PAM CLI: addTargetAccount fails with PAM-CM-3454: Change process not specified

Article ID: 127504

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

When running addTargetAccount to add a Windows Remote account, the following error is returned:

PAM-CM-3454: Change process not specified.

Example command:
capam_command capam=<<CA PAM Host Details>> adminUserId=super cmdName=addTargetAccount TargetServer.hostName=<<Device Address - as defined in PAM>> TargetApplication.name=<<Application name - as defined in PAM>> TargetAccount.userName=<<Target Account name>> TargetAccount.password=<<Target Account's password>> TargetAccount.privileged=true PasswordViewPolicy.name=<<Password View Policy - as defined in PAM>> 

Cause

The Windows Remote Target Connector specifically requires that every account is set either as an Administrator, who can use 'change own password', or as a User, who REQUIRES that an Administrator is selected to rotate its password.

Environment

PAM CLI

Resolution

To add Windows Remote accounts with the CLI, additional attribute(s) must be supplied.

This specific error indicates that the following attribute is missing:
Attribute.useOtherAccountToChangePassword

Values for this are:
true (uses different account)
false (uses 'this' account), not valid for "Users" with Windows Remote

In most cases the account will be a normal user, which means this attribute needs to be set to true. Whenever useOtherAccountToChangePassword is true, the account ID of the Administrator account must also be supplied with this attribute:
Attribute.otherAccount=<Management Target Account ID> 

Note: Management Target Account ID can be found using the command: searchTargetAccount
Note 2: Attempting to use "useOtherAccountToChangePassword = true" without "otherAccount" will result in error "PAM-CM-0791: An invalid Target Account ID was assigned to the 'otherAccount' attribute."

Example fixed command:
capam_command capam=<<CA PAM Host Details>> adminUserId=super cmdName=addTargetAccount TargetServer.hostName=<<Device Address - as defined in PAM>> TargetApplication.name=<<Application name - as defined in PAM>> TargetAccount.userName=<<Target Account name>> TargetAccount.password=<<Target Account's password>> TargetAccount.privileged=true PasswordViewPolicy.name=<<Password View Policy - as defined in PAM>> Attribute.useOtherAccountToChangePassword=true Attribute.otherAccount=<<Management Target Account ID>>
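
For scripted or bulk onboarding, the two attribute rules above can be checked locally before capam_command is called. The following is an added example, not part of the original article or the PAM CLI; the function name preflight_add_target_account, its return codes and the sample values (svc_backup, 1001) are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight check of addTargetAccount arguments for Windows Remote accounts.
# Hypothetical helper: it only inspects the key=value arguments, it does not call PAM.
# Returns 0 = OK, 1 = change process attribute missing (PAM-CM-3454 case),
#         2 = otherAccount missing (PAM-CM-0791 case), 3 = value is not true/false.
preflight_add_target_account() {
    use_other=""; use_other_set=0; other_account=""
    for arg in "$@"; do
        case "$arg" in
            Attribute.useOtherAccountToChangePassword=*)
                use_other=${arg#*=}; use_other_set=1 ;;
            Attribute.otherAccount=*)
                other_account=${arg#*=} ;;
        esac
    done
    if [ "$use_other_set" -eq 0 ]; then
        echo "Attribute.useOtherAccountToChangePassword not given (PAM-CM-3454)" >&2
        return 1
    fi
    case "$use_other" in
        true)
            # Reject an empty value or an unfilled <<...>> template placeholder.
            case "$other_account" in
                ""|"<"*)
                    echo "Attribute.otherAccount not given (PAM-CM-0791)" >&2
                    return 2 ;;
            esac ;;
        false)
            echo "note: false is not valid for Windows Remote 'Users'" >&2 ;;
        *)
            echo "useOtherAccountToChangePassword must be true or false" >&2
            return 3 ;;
    esac
    return 0
}

# Constructed sample arguments (account name and ID 1001 are made up).
preflight_add_target_account cmdName=addTargetAccount \
    TargetAccount.userName=svc_backup \
    Attribute.useOtherAccountToChangePassword=true \
    Attribute.otherAccount=1001 && echo "arguments OK"
```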