CA PAM A2A Hash Script Issue

book

Article ID: 191946

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

We have Enabled the use case of A2A Powershell. But, when we enable the 'GetScript Hash' from the Credentials --->Manage A2A -->Script and also enabled the Credentials ----> Manage A2A ---> Mapping 'Perform Script Integrity Validation'.

Next at the A2A client end if three is a change in the script, then still If we pass the execution path it is showing code 400 as a success.

Below is the snippet from the A2A client log

Client Daemon Event Log:
WARNING:  ClientDaemonManager::main. Cache file: c:\cspm\cloakware\cspmclient\config\data\.cspmclient.dat has been invalidated.
WARNING:  ApplicationCSPM::initAppConfig. CPA Client is in FIPS mode
WARNING:  ClientService::loginToCSPMServer. start
WARNING:  ClientService::loginToCSPMServer. done

Cause

This is caused due to the incorrect version of A2A client being deployed to communicate with the CA PAM server. 

The CA PAM server and A2A client should be the same version, the A2A client can be 32 bit or 64 bit depending upon the version of the A2A client operating system bit level.

Environment

Release: 3.3.x

A2A Client is on Windows 2016 server.

Component: PRIVILEGED ACCESS MANAGEMENT

Resolution

Deploying the correct version of A2A client matching the CA PAM server version will resolve the problem and the proper return codes are visible if the A2A script is modified.

Additional Information

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-4/introduction/credential-manager-overview/application-to-application-a2a-credential-management.html