Intermittently the A2A returns Error 402. What are the reasons?
Component : PRIVILEGED ACCESS MANAGEMENT
Possible causes of a 402.
#1 High CPU Usage
If CPU usage is high on the machine, a Java program will keep trying until it can access the client daemon. A shell script, however, will time out if it cannot access the daemon and return error 402, meaning that it is unable to establish a connection.
We would have to check the latest figures, but last I knew they were set at 3 seconds for a connect timeout and set at 30 seconds for a read timeout. For example, if the server operation completed in 40 seconds, then that would lead to a timeout, as the client is hard-coded to time out after 30 seconds.
#2 Daemon tied up at server
The catalina logs do not show a 402, but will show other errors that all take time to process and could lead to a 402. For example, each 405 (cannot find target alias) takes several seconds depending on the number of aliases to be searched, so several 405 errors could cause the daemon to be too busy to contact the server. At the time of the 402, investigate the catalina logs to see if there is an increased number of other errors that are keeping the daemon process busy.
#3 Use of client cache
Are the scripts going to the server each time, or making use of the A2A client cache?
#4 A2A client service not listening on port 28088
Check the A2A version. If you are using a very old version, it is possible that it stops working after OS maintenance is applied. Uninstall it and install a new version that matches the release your PAM server is running.
#5 Use an IP address in cspm_client_config.xml to avoid the name resolution requirement
Check the Password Authority Client configuration file to ensure that the Password Authority Server parameter is listed correctly. The Password Authority Client configuration file is located at $CSPM_CLIENT_HOME/cspmclient/config/cspm_client_config.xml, where $CSPM_CLIENT_HOME is your installation directory, for example /opt/cloakware. If the Password Authority Server parameter is incorrect or has changed, see Reconfiguring a Password Authority Client to use a different Password Authority Server.
#6 Do not use the http_proxy environment variable in Windows
Windows OS uses the http_proxy for all network traffic. When the environment variable http_proxy is set under Windows, the client stub returns error 402. Removing this variable setting causes the client stub to successfully communicate with the daemon.
#7 Delete the A2A's cache file
Reconfiguring a Password Authority Client to use a different Password Authority Server:
If you have previously used your Client installation for one server and are now pointing it to a different server, you must delete the following cache file before starting the Client daemon again:
$CSPM_CLIENT_HOME/cspmclient/config/data/.cspmclient.dat
where $CSPM_CLIENT_HOME is your installation directory, for example /opt/cloakware.
To reconfigure a Password Authority Client to use a different Password Authority Server:
1. Stop the Password Authority Client (see Starting and stopping the Password Authority Client).
2. Go to $CSPM_CLIENT_HOME/cspmclient/config/data.
3. Delete .cspmclient.dat.
4. Update the entry in the Client configuration with your new server name. For example:
new_server.company.com
#8 Problems with Request Server host environment
a) Port 28088 needs to be open for application-to-client communication, as defined in the cspm_client_config file.
b) DNS - The Password Authority Server requires a DNS, Windows hosts, or /etc/hosts entry for each Password Authority Windows Proxy and Password Authority Client. Also, each Password Authority Windows Proxy and Password Authority Client requires a DNS or /etc/hosts entry for the Password Authority Server.
#9 Is it this one alias that is giving the 402? Does it ever return 400 success?
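The host-side checks from causes #4, #5, #7 and #8 can be run as one preflight on a Unix request server. The script below is an added example, not code from the vendor or from the original article. The function names are illustrative, the server value is passed in by the caller rather than parsed from cspm_client_config.xml, and the port check assumes the client daemon is reachable on the loopback address and that bash and timeout are installed.

```shell
#!/bin/sh
# Added example (not vendor code): preflight checks for causes #4, #5, #7, #8.
# Function names are illustrative; sample arguments are supplied by the caller.

# Path of the client cache file named in cause #7.
cache_file() {
    printf '%s\n' "$1/cspmclient/config/data/.cspmclient.dat"
}

# Succeeds if $1 is a dotted-quad IPv4 literal (cause #5: no name lookup needed).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Succeeds if hosts-format file $2 maps any name equal to $1 (cause #8b).
hosts_has_entry() {
    awk -v want="$1" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(want)) found = 1 }
        END { exit !found }' "$2"
}

# Succeeds if a TCP connect to 127.0.0.1:$1 completes within 3 seconds
# (cause #4). Assumption: daemon reachable on loopback; needs bash and timeout.
daemon_listening() {
    timeout 3 bash -c "exec 3<>/dev/tcp/127.0.0.1/$1" 2>/dev/null
}

# $1 = install dir, $2 = configured server value, $3 = hosts file to inspect.
preflight() {
    rc=0
    daemon_listening 28088 || { echo "FAIL: nothing listening on 28088"; rc=1; }
    if is_ipv4 "$2"; then
        echo "OK: server is an IP literal, no name resolution needed"
    elif hosts_has_entry "$2" "$3"; then
        echo "OK: $2 has an entry in $3"
    else
        echo "WARN: $2 is not in $3, so the client depends on DNS"
    fi
    [ -f "$(cache_file "$1")" ] && echo "NOTE: cache file present (see cause #7)"
    return "$rc"
}

# Run only when asked: script.sh --run <server-value>
if [ "${1:-}" = "--run" ]; then
    preflight "${CSPM_CLIENT_HOME:-/opt/cloakware}" "${2:-}" /etc/hosts
fi
```

A WARN result is not a fault by itself: it only means a 402 on this host can also come from a DNS outage, which an /etc/hosts entry or an IP literal would rule out.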