PAM-CM-0776: Unable to connect to client
Article ID: 190002
Updated On:
Products
CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)
Issue/Introduction
Made some changes to the PAM Cluster so the Primary Site has been swapped with Secondary Site.
Then following symptoms started relating to the AD Target Accounts.
1. Unable to update target account to sync both ways.
2. When trying to verify target account, get communication failure error.
3. When adding a new target application, get PAM-CM-0769: Account update in progress, unable to process request.
Then following symptoms started relating to the AD Target Accounts.
1. Unable to update target account to sync both ways.
2. When trying to verify target account, get communication failure error.
3. When adding a new target application, get PAM-CM-0769: Account update in progress, unable to process request.
Environment
Release : 3.x.x
Component : PRIVILEGED ACCESS MANAGEMENT
Cause
When you try to set the target account password to sync both ways, PAM will actually test with the target application to see if the password can be verified.
This is failing so the "Sync both ways" cannot be set.
The Communication failure error means there is network side of problem.
"PAM-CM-0769: Account update in progress, unable to process request." means there is already some pending updates to this account so the subsequent changes need to wait.
Tomcat catalina.out log file reports the following problem causing this.
May 01, 2020 10:10:10 AM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'admin1'
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-0776: Unable to connect to client.
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(SourceFile:1161)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(SourceFile:1016)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.a(SourceFile:698)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyCredentials(SourceFile:661)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.performUpdate(SourceFile:1727)
at com.cloakware.cspm.server.app.TargetManager.run(SourceFile:667)
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:427)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:88)
at com.cloakware.cspm.server.security.SSLCertificateRetriever$a.createSocket(SourceFile:108)
at com.cloakware.cspm.server.security.SSLCertificateRetriever.getCertificate(SourceFile:75)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(SourceFile:1155)
... 5 more
Testing the AD's LDAPS port from PAM shows as filtered(Blocked).
The previous Primary Site PAM had this open so there was no problem.
When swapping the Primary Site with Secondary and the Secondary Site PAM nodes did not have this port hence the communication failure and other symptoms.
This is failing so the "Sync both ways" cannot be set.
The Communication failure error means there is network side of problem.
"PAM-CM-0769: Account update in progress, unable to process request." means there is already some pending updates to this account so the subsequent changes need to wait.
Tomcat catalina.out log file reports the following problem causing this.
May 01, 2020 10:10:10 AM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'admin1'
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-0776: Unable to connect to client.
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(SourceFile:1161)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(SourceFile:1016)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.a(SourceFile:698)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyCredentials(SourceFile:661)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.performUpdate(SourceFile:1727)
at com.cloakware.cspm.server.app.TargetManager.run(SourceFile:667)
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:427)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:88)
at com.cloakware.cspm.server.security.SSLCertificateRetriever$a.createSocket(SourceFile:108)
at com.cloakware.cspm.server.security.SSLCertificateRetriever.getCertificate(SourceFile:75)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(SourceFile:1155)
... 5 more
Testing the AD's LDAPS port from PAM shows as filtered(Blocked).
The previous Primary Site PAM had this open so there was no problem.
When swapping the Primary Site with Secondary and the Secondary Site PAM nodes did not have this port hence the communication failure and other symptoms.
Resolution
Work with Network team to open up tcp 636 from PAM to AD.
Attachments
Feedback
Yes
No
Powered by
