
A2A returns Error 402


Article ID: 199234


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Intermittently the A2A returns Error 402. What are the reasons?

Environment

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Possible causes of a 402.


#1. High CPU Usage


If the CPU usage is high on the machine, then a Java program will keep trying until it can access the client daemon; however, a shell script will time out if it cannot access the daemon and return an error 402, indicating that it is unable to establish a connection.
We would have to check the latest figures, but last I knew they were set at 3 seconds for a connect timeout and 30 seconds for a read timeout. For example, if the server operation completed in 40 seconds, then that would lead to a timeout, as the client is hard-coded to time out after 30 seconds.


#2. Daemon tied up at server


The catalina logs do not show a 402, but will show other errors that all take time to process and could lead to a 402. For example, each 405 (cannot find target alias) takes several seconds depending on the number of aliases to be searched, so several 405 errors could cause the daemon to be too busy to contact the server. At the time of the 402, investigate the catalina logs to see if there is an increased number of other errors that are keeping the daemon process busy.


#3. Use of client cache


Are the scripts going to the server each time, or making use of the A2A client cache?


#5. Use an IP address in cspm_client_config.xml to avoid the name resolution requirement


Check the Password Authority Client configuration file to ensure that the Password Authority Server parameter is listed correctly. The Password Authority Client configuration file is located at $CSPM_CLIENT_HOME/cspmclient/config/cspm_client_config.xml, where $CSPM_CLIENT_HOME is your installation directory, for example /opt/cloakware. If the Password Authority Server parameter is incorrect or has changed, see Reconfiguring a Password Authority Client to use a different Password Authority Server.


#6. Do not use the http_proxy environment variable on Windows

Windows uses http_proxy for all network traffic. When the environment variable http_proxy is set on Windows, the client stub returns error 402. Removing this variable setting allows the client stub to communicate with the daemon successfully.


#7. Delete the A2A cache file

Reconfiguring a Password Authority Client to use a different Password Authority Server: 
If you have previously used your Client installation for one server and are now pointing it to a different server, you must delete the following cache file before starting the Client daemon again: 

$CSPM_CLIENT_HOME/cspmclient/config/data/.cspmclient.dat 

where $CSPM_CLIENT_HOME is your installation directory, for example /opt/cloakware 

To reconfigure a Password Authority Client to use a different Password Authority Server: 

1. Stop the Password Authority Client (see Starting and stopping the Password Authority Client). 

2. Go to $CSPM_CLIENT_HOME/cspmclient/config/data. 

3. Delete .cspmclient.dat. 

4. Update the  entry in the Client configuration with your new server name. For example: 

new_server.company.com

#8. Problems with the Request Server host environment


a) Port 28088 needs to be open for application to client communication, as defined in the cspm_client_config file


b) DNS - The Password Authority Server requires a DNS, Windows hosts, or /etc/hosts entry for each Password Authority Windows Proxy and Password Authority Client. Also, each Password Authority Windows Proxy and Password Authority Client requires a DNS or /etc/hosts entry for the Password Authority Server.
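
A preflight for the request server that checks the conditions in causes #5, #6 and #8, using the 3-second connect timeout quoted in cause #1 as the threshold. This is an added example, not code from the original article or the vendor. The daemon address 127.0.0.1 and the server host name are assumptions (take the real values from your cspm_client_config.xml), and flagging a name lookup slower than the connect timeout is this example's own heuristic.

```python
import os
import socket
import time

CONNECT_TIMEOUT_S = 3.0  # connect timeout quoted in cause #1 of the article
DAEMON_PORT = 28088      # application-to-client port from cause #8a

def proxy_vars(env):
    """Return http_proxy settings found in env (cause #6), any letter case."""
    return {k: v for k, v in env.items() if k.lower() == "http_proxy" and v}

def resolve_time(host):
    """Resolve host; return (addresses, seconds), or (None, seconds) on failure."""
    start = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
        addrs = sorted({info[4][0] for info in infos})
    except socket.gaierror:
        addrs = None
    return addrs, time.monotonic() - start

def connect_time(host, port, timeout=CONNECT_TIMEOUT_S):
    """Try a TCP connect; return seconds taken, or None if refused or timed out."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None

def preflight(server_host, daemon_host="127.0.0.1", port=DAEMON_PORT, env=None):
    """Collect findings matching causes #5, #6 and #8; an empty list means none."""
    findings = []
    env = os.environ if env is None else env
    if proxy_vars(env):
        findings.append("http_proxy is set (cause #6)")
    addrs, took = resolve_time(server_host)
    if addrs is None:
        findings.append(f"cannot resolve {server_host} (causes #5, #8b)")
    elif took > CONNECT_TIMEOUT_S:  # assumed heuristic: lookup slower than connect timeout
        findings.append(f"resolving {server_host} took {took:.1f}s (cause #5)")
    if connect_time(daemon_host, port) is None:
        findings.append(f"no TCP connect to {daemon_host}:{port} (cause #8a)")
    return findings

if __name__ == "__main__":
    # "pam-server.example.test" is a constructed placeholder host name.
    for line in preflight("pam-server.example.test") or ["no findings"]:
        print(line)
```

Run it as the same user and from the same shell or scheduler context as the failing script, so that it sees the same environment variables and resolver configuration.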


 
#9. Is it this one alias that is giving the 402? Does it ever return 400 (success)?