
PAM Unable to Rotate the Password for a CA LDAP account on a mainframe using Top Secret


Article ID: 188130


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When a CA LDAP on Top Secret master account is used to change other TSS account passwords, PAM is unable to rotate the master account's own password, even though the master account can change the passwords of regular accounts. The Tomcat log shows that the password was changed, but also reports an error modifying the password:

javax.naming.NamingException: [LDAP: error code 80 - LDP2406E TSS error modifying tssacid(TSS7030I Password Changed)]; remaining name 'tssacid=XXXXXXXX,tssadmingrp=acids,host=YYYYYYY,o=xxxxxxx,c=us'

Cause

The cause was a defect in CA LDAP. Because of the inclusion of a new message, TSS7030I, CA LDAP was falling through its logic and returning a failure code even though it had successfully changed the password.
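
To separate this false failure from a genuine rotation failure when reviewing the Tomcat log, the following added example (not part of the original article, and not CA PAM or CA LDAP code) parses the NamingException line quoted above and flags entries where LDAP error code 80 carries TSS7030I Password Changed. The function names and the second and third sample log lines are constructed for illustration.

```python
import re

# Shape of the LDAP failure line quoted in the article. Groups: LDAP result
# code, the detail text inside the brackets, and the optional remaining name.
LDAP_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<detail>[^\]]*)\]"
    r"(?:; remaining name '(?P<dn>[^']*)')?"
)
# TSS message embedded in the detail text, e.g. "(TSS7030I Password Changed)".
TSS_MSG = re.compile(r"\((?P<tss_id>TSS\d{4}[A-Z])\s+(?P<tss_text>[^)]*)\)")

def classify(line):
    """Return a dict describing one log line, or None if it has no LDAP error."""
    m = LDAP_ERR.search(line)
    if not m:
        return None
    tss = TSS_MSG.search(m.group("detail"))
    tss_id = tss.group("tss_id") if tss else None
    # The defect: result code 80 returned although TSS7030I says the change worked.
    false_failure = m.group("code") == "80" and tss_id == "TSS7030I"
    return {
        "code": int(m.group("code")),
        "tss_id": tss_id,
        "dn": m.group("dn"),
        "verdict": "changed-but-reported-failed" if false_failure else "failed",
    }

def triage(lines):
    """Keep only the entries that match the defect described in the article."""
    hits = (classify(l) for l in lines)
    return [h for h in hits if h and h["verdict"] == "changed-but-reported-failed"]

# Line 1 is the article's log entry; lines 2 and 3 are constructed samples.
SAMPLE = [
    "javax.naming.NamingException: [LDAP: error code 80 - LDP2406E TSS error "
    "modifying tssacid(TSS7030I Password Changed)]; remaining name "
    "'tssacid=XXXXXXXX,tssadmingrp=acids,host=YYYYYYY,o=xxxxxxx,c=us'",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]",
    "INFO: password verification scheduled",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["dn"], hit["verdict"])
```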

Environment

Release : 3.3.x.  This could happen with any version of PAM supporting CA LDAP on Top Secret

Component : PRIVILEGED ACCESS MANAGEMENT

CA LDAP: 15.1.  It might happen with CA LDAP 15.0.  The port being used is 791.



Resolution

ST12661 was provided for CA LDAP 15.1.