If the 'Config' user's password is lost or forgotten it can be reset in order to gain access back to the Alternate Configuration Utility.
CA Privileged Access Manager (CA PAM) has two pre-configured user accounts: 'super' and 'config'. 'super' is the Administrative account that has access to all CA Privileged Access Manager settings from the main PAM GUI. 'Config' is a special user used to access a secondary configuration page meant for initial setup and emergency use.
We recommend using the configuration account only for initial setup and immediately changing the password from default using the Change Password option in the Config Page Menu. Store the new password in a safe place and use it only for emergencies when other authentication methods are not available.
Consider also changing the 'config' and 'super' Login Ids using the Alternate Configuration Utility for additional security.
The procedure to reset the config user's password is different for Hardware vs. VMware vs. Cloud Instances (AWS/Azure). In a cluster environment these procedures will need to be done individually on each appliance. If there are any problems, contact PAM Support for additional assistance getting the password reset.
Important! In all cases it is suggested to visit the config page immediately after resetting the password to update to a more secure password. See Additional Info in this doc for more info.
VMware:
Follow the steps below to reset the 'config' user password to factory default for a PAM Virtual appliance:
- Connect to the ESX/vCenter server where CA PAM is hosted.
- Open the VM Console for the CA PAM VM.
- Once in the VM Console, the main menu appears. It may be necessary to click into the window to activate it.
- In the main menu, use the up/down arrows to highlight ‘Reset Password’ and press enter to select the option.
Selecting this option will reset the ‘config’ user password to the default password: config
Hardware:
For hardware appliances the Reset Password option is available on the front LCD panel. See the documentation link below & search for "Reset Password" for instructions:
Reset Password
Following these instructions will reset the ‘config’ user password to the default password: config
Cloud Instance (AWS/Azure):
Unlike VMware; AWS & Azure do not have a console screen where the config password can be reset easily. If the config password is lost for a Cloud Instance please contact PAM Support for assistance resetting the password.
To change the 'config' user's password after resetting it follow the steps below:
As long as the two passwords match, you are immediately logged out and returned to the standard user login page. You would have to change the URL again to verify the new config user password.
Note: If you are going to the config URL above on a browser where you had logged on to PAM as an administrator already, e.g. with the super user account, and accessed the standard configuration menu as that user, the configuration menu after logon as the config user may be missing the "Change Password" menu option, which is not in the standard menu. In that case try logging out and back in again to the config URL, or open a separate incognito browser window for the config user logon. Clearing cached data also should resolve the problem.
More info on managing the config user:
Change Login for Config or Super User
The config user is set per appliance. In a cluster environment you have to set it on each member of the cluster. The encrypted password is stored outside of the database, to enable recovery from a problem where encrypted passwords cannot be read from the DB, such as when a wrong DB backup file is restored by mistake. Therefore it is not replicated across a cluster.