In a cluster environment configured to use HSM, in one of the servers users are prompted to enter the user name and password of the destination server while connecting to PAM.
Issue is seen when the connection established on one of the PAM servers.
There are two PAM servers configured with HSM. Trying to do any operation against credential management is met with an error:
Error when attempting to retrieve password view requests - error was No response from Password Authority.
The reason for the error is that the HSM is offline and can't be made online from the CA PAM UI.
Upon investigation we did find that the /etc/Chrystoki.conf file inside the appliance failing to connect to HSM was Zero bytes. This is the main configuration file for the HSM integration
This file contains the location of the certificates, the key file and details regarding the HSM.
There is a template of this file available in /usr/lunasa/scripts/files/Chrystoki.conf
The other file that is of importance is the 'members.txt' file in the /opt/cloakware/cspmserver/config/ location, this file has the details of the HSM members. There are other important files related to HSM operation in the main location, but for this particular problem this one is of essence.
This file should be same across all the nodes of a cluster
Release : 2.8
Component : PRIVILEGED ACCESS MANAGEMENT
During the initial configuration of HSM, the configuration files and the members.txt are populated with the correct information on all the nodes of CA PAM cluster
In case of a problem the first approach should be to remove and add the HSM from the CA PAM UI
As a last resort engagement of HSM support should also be included to work along with Broadcom support team. There are many checks required to make sure the root problem for the issue is identified.
HSM support team can validate the HSM configuration and HSM details with respect to the node ID, IP address, partition names, etc.
This resolution is applicable only in case of CA PAM cluster and having the same HSM partition in all the CA PAM nodes
- Copy the /etc/Chrystoki.conf from the working CA PAM node to the problem CA PAM node where HSM is offline
- Edit the copied over file to make sure that proper certificate names and locations are mentioned
- Make sure that the members.txt file is the same in both the nodes
- Save the files
- Connect to CA PAM and refresh the HSM configuration.
Note: The above has been validated with CA PAM 2.8.4 release currently and the above is applicable in case where CA PAM is in cluster for being able to copy over the files.