CA PAM is not able to communicate with RSA after the RSA server has been upgraded to version 8.4 patch 08

Article ID: 142513

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

After a recent upgrade, PAM version 3.3.1 is suddenly no longer able to use RSA authentication.

Any attempt at logging in with an RSA or RSA+LDAP user results in a "Bad UserID or password" message, and the users cannot log in.

This behaviour started happening all of a sudden and it likely began when the RSA server was upgraded. 

After several checks it was determined that the agents are enabled and that ports 5500 and 5550 are open. There are no inconsistencies in name resolution, and sdconf.rec as well as sdopts.rec have been reloaded and the node secret cleared, to no avail.

Cause

If CA PAM is version 3.3.X, which uses ACE/Agent Version 8.6.0.0.0, and the RSA server has been updated to version 8.4.0 patch 08, it is likely that the issue described in

https://community.rsa.com/docs/DOC-109440

is occurring. This has been acknowledged by RSA to be a problem in this patch level due to an Oracle Java JDK update included in that patch.

Environment

CA PAM 3.3.X with RSA server 8.4 patch 8

Resolution

This is not a PAM issue, so either upgrade to a later version of RSA or follow the workaround described in

https://community.rsa.com/docs/DOC-109440

Please refer to this external reference or to RSA Knowledge resources for further information.

Additional Information

See case 20157385