Incorrect CA PAM Compound Account password expiration date


Article ID: 195788

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A compound account was created for an AIX cluster with 2 nodes registered in PAM, with a password composition policy set to expire the accounts after 60 days.
When a user generates a new password for the account on the first node, PAM also changes the password on the second node, as expected, using the same password. If you check the account for the second node, View Password shows the changed password, but the created date is not updated. The account for the second node also remains expired, even though its password was changed automatically because of the compound setting.
Cause

The purpose of a compound account is to have one, and only one, target account in PAM that represents a credential meant to have the same password on multiple target servers. The account must not be defined separately on each server; only one target account is used to update the password on all servers. Defining a second target account in PAM for the same credential is incorrect.

The way this setup works is discussed on the documentation page

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-4/search.html?q=compound

under the section "Add a Compound Target Account (Optional)".

In the compound target account you define the list of servers on which this account should be updated. There is no FIRST account; there is only ONE account.

As with all groups of devices sharing credentials, the way to configure access is to define a device group, make the device that the compound account is defined for a credential source, and then define a policy for the device group.
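The misconfiguration described above (a separate target account on a node that a compound account already covers) can be spotted from an inventory of target accounts. The following check is an added example, not part of this article or of CA PAM; the `TargetAccount` records and the `compound_devices` field are a constructed, hypothetical inventory format, not PAM's own export.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class TargetAccount:
    device: str                 # device the target account is defined on
    name: str                   # account name on that device
    # Other devices this account pushes its password to. Empty for a
    # regular (non-compound) target account. Hypothetical field.
    compound_devices: List[str] = field(default_factory=list)

def find_redundant_accounts(accounts: List[TargetAccount]) -> List[Tuple[str, str, str]]:
    """Return (device, account, compound_owner) for every regular target
    account that duplicates a credential already managed by a compound account.
    Such duplicates are never updated by PAM and will show stale dates and
    spurious expirations, exactly the symptom in the article."""
    # Map (member device, account name) -> device owning the compound account.
    covered = {}
    for acc in accounts:
        for member in acc.compound_devices:
            covered[(member, acc.name)] = acc.device
    redundant = []
    for acc in accounts:
        if acc.compound_devices:
            continue  # the compound account itself is the correct definition
        owner = covered.get((acc.device, acc.name))
        if owner is not None and owner != acc.device:
            redundant.append((acc.device, acc.name, owner))
    return redundant

# Constructed sample: a two-node AIX cluster where "root" was defined twice.
SAMPLE_ACCOUNTS = [
    TargetAccount("aixnode1", "root", compound_devices=["aixnode2"]),  # correct
    TargetAccount("aixnode2", "root"),     # redundant: already covered above
    TargetAccount("aixnode2", "oracle"),   # unrelated account, not flagged
]

if __name__ == "__main__":
    for device, name, owner in find_redundant_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}@{device} duplicates the compound account on {owner}; remove it")
```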

Environment

PRIVILEGED ACCESS MANAGEMENT release 3.3 and above

Resolution

Use a single target account for all servers, as described in the documentation.