PAM CLI- addTargetAccount fails with PAM-CM-3454: Change process not specified
Article ID: 127504
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)
Issue/Introduction
When running addTargetAccount to add a Windows Remote account an error is returned.
PAM-CM-3454: Change process not specified.
Example command:
capam_command capam=<<CA PAM Host Details>> adminUserId=super cmdName=addTargetAccount TargetServer.hostName=<<Device Address - as defined in PAM>> TargetApplication.name=<<Application name - as defined in PAM>> TargetAccount.userName=<<Target Account name>> TargetAccount.password=<<Target Account's password>> TargetAccount.privileged=true PasswordViewPolicy.name=<<Password View Policy - as defined in PAM>>
PAM-CM-3454: Change process not specified.
Example command:
capam_command capam=<<CA PAM Host Details>> adminUserId=super cmdName=addTargetAccount TargetServer.hostName=<<Device Address - as defined in PAM>> TargetApplication.name=<<Application name - as defined in PAM>> TargetAccount.userName=<<Target Account name>> TargetAccount.password=<<Target Account's password>> TargetAccount.privileged=true PasswordViewPolicy.name=<<Password View Policy - as defined in PAM>>
Cause
The Windows Remote Target Connector specifically requires that all accounts are either set as an Administrator, who can either use either 'change own password' or 'change own password', or as a User, who REQUIRES that an Administrator is selected to rotate its password.
Environment
PAM CLI
Resolution
To be able to add Windows Remote accounts with the CLI there are additional attribute(s) that need to be used.
This specific error is referring to needing this attribute:
Attribute.useOtherAccountToChangePassword
Values for this are:
true (uses different account)
false (uses 'this' account), not valid for "Users" with Windows Remote
In most cases this will be a normal user, which means this needs to be set to true. Whenever useOtherAccountToChangePassword is true it will also require the account ID of the Administrator account using this attribute:
Attribute.otherAccount=<Management Target Account ID>
Note: Management Target Account ID can be found using the command: searchTargetAccount
Note 2: Attempting to use "useOtherAccountToChangePassword = true" without "otherAccount" will result in error "PAM-CM-0791: An invalid Target Account ID was assigned to the 'otherAccount' attribute."
Example fixed command:
capam_command capam=<<CA PAM Host Details>> adminUserId=super cmdName=addTargetAccount TargetServer.hostName=<<Device Address - as defined in PAM>> TargetApplication.name=<<Application name - as defined in PAM>> TargetAccount.userName=<<Target Account name>> TargetAccount.password=<<Target Account's password>> TargetAccount.privileged=true PasswordViewPolicy.name=<<Password View Policy - as defined in PAM>> Attribute.useOtherAccountToChangePassword=true Attribute.otherAccount=<<Management Target Account ID>>
This specific error is referring to needing this attribute:
Attribute.useOtherAccountToChangePassword
Values for this are:
true (uses different account)
false (uses 'this' account), not valid for "Users" with Windows Remote
In most cases this will be a normal user, which means this needs to be set to true. Whenever useOtherAccountToChangePassword is true it will also require the account ID of the Administrator account using this attribute:
Attribute.otherAccount=<Management Target Account ID>
Note: Management Target Account ID can be found using the command: searchTargetAccount
Note 2: Attempting to use "useOtherAccountToChangePassword = true" without "otherAccount" will result in error "PAM-CM-0791: An invalid Target Account ID was assigned to the 'otherAccount' attribute."
Example fixed command:
capam_command capam=<<CA PAM Host Details>> adminUserId=super cmdName=addTargetAccount TargetServer.hostName=<<Device Address - as defined in PAM>> TargetApplication.name=<<Application name - as defined in PAM>> TargetAccount.userName=<<Target Account name>> TargetAccount.password=<<Target Account's password>> TargetAccount.privileged=true PasswordViewPolicy.name=<<Password View Policy - as defined in PAM>> Attribute.useOtherAccountToChangePassword=true Attribute.otherAccount=<<Management Target Account ID>>
Feedback
Powered by
