search cancel

PAM-CMN-1871 When Trying to Apply a License to Disable Threat Analytics


Article ID: 201005


Updated On:


CA Privileged Access Manager (PAM)


When trying to apply a new license to disable Threat Analytics, an error occurs. In the session logs, the following error is seen.

"PAM-CMN-1871: Cannot remove CA Threat Analytics license feature while users still have API client keys."

Looking at the Tomcat logs, there is an error about deleting a target account because it does not exist.


PAM 3.3.x and above


The target account and policy related to Threat Analytics were both deleted previously. Even when creating a new target account and policy, the error still occurs.

Other cause:  The same error message is observed if the CATapApiUser and its API key (target account) still exist from an old license that was later on replaced by a license w/o Thread Analytics. Either it was done at an old release, when we did not actively remove such artifacts associated with a license option, or someone worked around the problem by using the procedure in KB 96795, bringing the user and key back in when restoring a DB backup. In that case the error may occur when the PAM admin stops the cluster and tries to apply the license while the nodes are in a locked state. This will not work, because the API key cannot be deleted while the CMDB is locked.


Following the steps in the KB below will allow the license to be applied.

After following the KB, the Threat Analytics device and user will still remain. In order to delete them, Support must connect to the appliance and manually delete them.


For the other cause in a cluster: After stopping the cluster, unlock the master node (first node in the primary site), and then delete the CATapApiUser. This should be successful. Start the cluster back up so that the other nodes get the database updated. Then stop the cluster, apply the new licenses and start it again.