PAM rotates a password and it is shown as expired in PAM User Interface

book

Article ID: 194621

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Randomly, when a password is changed, the timestamp of the password change is not updated.
This problem leads to unwanted password expirations affecting the operator productivity.

When the password is changed the password history list show the timestamps of the password changes. 
When the problem occurs, the one on top of the list is not the last one even though you try to sort it.


Even trying to change the password several times a day for one of the affected accounts, the one in the top of the list keeps on being an older one, like in the screenshot here below:

So, apparently, the date stored in the first place of this list is the one assumed to be the most recent, as it is the shown as last change date. 

Cause

The problem was related to the query made by the GUI to display the changed password list tries to order it by the field accounthistoryid.
This doesn't work in a PAM 3.3 cluster in its current implementation because each cluster node writes its own accounthistoryid sequence.

Environment

Product: Layer 7 Privileged Access Management.
Versions: 3.3.0.x, 3.3.1.x and 3.3.2.x

Resolution

This is a known bug and it has been solved in PAM versions 3.3.3 and 3.4

Additional Information

See also:

Resolved Issues in PAM 3.3.3

Resolved Issues in PAM 3.4

Review the defect "DE446663 Passwords are incorrectly shown as expired for many target accounts on the PAM user interface" in any of the previous links.

Attachments