When does the PAM A2A client return error 408 null null, fail to get script name?
search cancel

When does the PAM A2A client return error 408 null null, fail to get script name?


Article ID: 131061


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)


After installing the A2A client on a Solaris host, a test of the client fails with the following error:
> /opt/cloakware/cspmclient/bin/cspmclient clienttest 
408 null null, fail to get script name

We are running the command in the bash shell, which is configured in a login script and is not the default shell for the user as defined in /etc/passwd.

What is the meaning of the 408 error code and how can we resolve it?


This applies to any PAM A2A client on any supported OS.


The A2A client always checks whether it is called from a script, in which case it has to determine the name of the script being executed so that it can verify script mappings. The check is performed by searching for the full path of a shell binary, such as /bin/bash or /bin/sh, in the process tree. If a full shell path is found, PAM will look for the child process to determine the script name. For a user logging into the default shell, the shell process with show up in the process tree with name "-<shell>", e.g. "-bash" or "-ksh". This will not trigger the script logic. But if the user enters a different shell by explicitly calling it either from the command line or from a login script, there will be a shell process with the full path in the process tree and the A2A client will look for the name of the script. If the user does not invoke a script but executes the cspmclient command directly from the command line, no script name will be found and error 408 with message "fail to get script name" will be returned.
To avoid this problem, either stay in the default shell and execute the cspmclient binary from there, or put the command in a script and execute the script.