Troubleshooting Unix Password Rotation and Credential Script

Article ID: 144241

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

An AIX target server does not work with the default AIX credentials script because of customization at the OS level.
The "Script Processor" has therefore been updated to a known expression that worked in the past, but password rotation still fails.

Cause

There can be many reasons, such as:
1. The account used for changing the password has an invalid (unverified) password.
2. The account used for changing the password has insufficient privileges (sudo) to clear the target account's status (such as disabled).
3. The account used for changing the password does not have access to /usr/bin/passwd.

Environment

Release : 3.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Check the Tomcat catalina.out log to understand why the password rotation fails.

The following sample shows the case where /usr/bin/passwd was not accessible because the account was misconfigured.

INFO: start executing the default UNIX credentials update script
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data 'passwd targetuser1
'
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data 'passwd targetuser1
adminuser1@unix:~> passwd targetuser1
bash: passwd: command not found
adminuser1@unix:~> ' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\sfor|\sagain|:).*?)]'

This is an uncommon use case, but it shows why the catalina.out log is the place to look when a password change fails.
As you can see, the "passwd" command returned "command not found".
When PAM then tried to match the received output against the defined (original or custom) expression, nothing matched, because the expected "password:" prompt never appeared.

The system administrator should ensure that "adminuser1" has access to /usr/bin/passwd so it can change other accounts' passwords.
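As an added triage helper (not part of the original article or of PAM itself), the following Python replays the script processor's pattern check against a catalina.out mismatch entry like the one above and maps the shell error in the received output to the causes listed under "Cause". The sample log entry and the hint strings are constructed for this example.

```python
import re

# Constructed copy of the catalina.out mismatch entry discussed in this article.
SAMPLE_LOG = """\
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data 'passwd targetuser1
adminuser1@unix:~> passwd targetuser1
bash: passwd: command not found
adminuser1@unix:~> ' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\\sfor|\\sagain|:).*?)]'
"""

# Pulls the received data and the expression out of a "does NOT MATCH" entry.
# Assumes a single pattern inside the [...] list, as in the sample above.
MISMATCH_RE = re.compile(
    r"received data '(?P<data>.*?)' does NOT MATCH any of the pattern\(s\): "
    r"'\[(?P<pattern>.*?)\]'",
    re.S,
)

# Shell errors that explain why no "password:" prompt appeared, mapped to the
# article's three causes. These hints are our own heuristic, not PAM output.
SHELL_ERROR_HINTS = [
    (r"command not found", "cause 3: admin account cannot reach /usr/bin/passwd (check PATH and file permissions)"),
    (r"Permission denied|not allowed|not authorized", "cause 2: admin account lacks privilege (sudo) to run passwd for the target"),
    (r"Authentication failure|incorrect password", "cause 1: admin account password is invalid or unverified"),
]


def pattern_matches(pattern, data):
    """Re-run the script processor's check: does the captured output satisfy the expression?"""
    return re.search(pattern, data) is not None


def triage_mismatch(log_text):
    """Return {'pattern', 'matched', 'hint'} for the first mismatch entry, or None if there is none."""
    m = MISMATCH_RE.search(log_text)
    if m is None:
        return None
    data, pattern = m.group("data"), m.group("pattern")
    hint = next((cause for err_re, cause in SHELL_ERROR_HINTS if re.search(err_re, data, re.I)), None)
    return {"pattern": pattern, "matched": pattern_matches(pattern, data), "hint": hint}


if __name__ == "__main__":
    result = triage_mismatch(SAMPLE_LOG)
    print("expression matched:", result["matched"], "| probable cause:", result["hint"])
```

Running it against a real catalina.out, the "matched" field tells you whether the expression itself is at fault (True means PAM's log claim would be wrong, so look at the Script Processor) or whether the shell never produced a password prompt (False, so fix the account as described above).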