Web portal launches correctly for only the last target device where Learn mode was configured

Article ID: 201476

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We created a Web Portal service for more than one PAM device and then ran Learn Mode for one of them. Afterwards the Web Portal works only for the specific target device for which Learn Mode was launched and configured. If we run Learn Mode for another device, the Web Portal works for that device but no longer works for the first one. The Web Portal launches correctly for the last device where Learn Mode was executed and fails for the other devices: credentials are not populated automatically during login.

Cause

The Learn Mode content saved in the PAM server database differs for each device, because the login page includes device-specific information such as the device name. When a common Web Portal service is created for multiple devices, PAM expects the login content to be identical for all of them. If the login content differs, launching the Web Portal does not result in autologin (credentials are not populated automatically), because the login page does not match what PAM recorded. This is a protection against supplying credentials to a form that the PAM administrator did not explicitly configure for auto-login.

Another cause can be a redirect to a URL whose host does not match the device address stored in PAM. For example, in one case a PAM web server was defined with address webserver1vip.mydomain.com, but when the service was launched PAM was redirected to http://webserver1node1.mydomain.com/... . Because the address in the redirect URL (the actual login page where PAM is meant to insert credentials) does not match the device address in PAM, Learn Mode has to save the URL of the login page with a fixed address. This does not work when the service is launched for a different device, which goes to a different login page.

Environment

Release : any

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

If the required login content cannot be forced to be identical for all the target devices for which the Web Portal is configured, then different Web Portal services need to be configured for each device.

The same is true if the web service redirects to a URL whose server address does not match the server address configured in PAM. Only when it matches can PAM use a placeholder for the server address in the service template used for auto-login; at runtime the placeholder is replaced by the address of the device for which the service is launched. If the redirect goes to a different server address, a dedicated service is required.

PAM Support can help you run a query in an SSH session to examine the login page content saved in the PAM database during Learn Mode.

Additional Information

Example for a vCenter web portal:

- The Launch URL defined in the TCP/UDP service is https://<Local IP>:<First Port>/ui/

- When the service is launched for the device with address myesxserver.mydomain.com, it may get redirected to SAML authentication, e.g. https://myesxserver.mydomain.com/websso/SAML2/SSO/vsphere.local. In this case, since the address in the redirect URL matches the device address, PAM will save the login page (redirect) URL as "https://@[email protected]/websso/SAML2/SSO/vsphere.local". This will work when the service is launched for another device, because PAM will dynamically replace the token "@[email protected]" with the address of the device for which the service is launched. However, if during Learn Mode the launch URL got redirected to https://myesxserver-node1.mydomain.com/websso/SAML2/SSO/vsphere.local, PAM cannot match the device address with the contents of the redirect URL and has to store the latter literally. In that case the service will work only for devices whose launch URL gets redirected explicitly and consistently to https://myesxserver-node1.mydomain.com/websso/SAML2/SSO/vsphere.local, and not for any other devices.
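The placeholder rule from the Resolution and the vCenter example above, modelled as an added Python example (not PAM code): given the device address stored in PAM and the redirect URL observed during Learn Mode, it decides whether the host can be templated for a shared service or must be stored literally, and reports which devices would need a dedicated service. The token name `@DEVICE_ADDRESS@` and the second device/redirect pair are constructed assumptions.

```python
"""Model of the Learn Mode URL templating rule described in this article.

Added example, not PAM code. The placeholder token name and the sample
device/redirect pairs below are constructed assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

PLACEHOLDER = "@DEVICE_ADDRESS@"  # assumed token; PAM's real token differs


def template_login_url(device_address: str, redirect_url: str) -> tuple[str, bool]:
    """Return (stored_url, shareable).

    If the host of the redirect URL equals the device address stored in PAM
    (case-insensitive, port ignored), the host is replaced by the placeholder
    and the service can be shared by several devices. Otherwise the URL must
    be stored literally and only works for devices redirected to that host.
    """
    parts = urlsplit(redirect_url)
    host = (parts.hostname or "").lower()
    if host != device_address.lower():
        return redirect_url, False
    netloc = PLACEHOLDER if parts.port is None else f"{PLACEHOLDER}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)), True


def shared_service_report(observed: dict[str, str]) -> dict[str, bool]:
    """Map each device (-> redirect URL seen in Learn Mode) to True if it can
    use a shared Web Portal service, False if it needs a dedicated one."""
    return {dev: template_login_url(dev, url)[1] for dev, url in observed.items()}


# Constructed sample: the first host redirects to itself, the second to a
# node address that differs from the device address stored in PAM.
OBSERVED = {
    "myesxserver.mydomain.com":
        "https://myesxserver.mydomain.com/websso/SAML2/SSO/vsphere.local",
    "myesxserver2.mydomain.com":
        "https://myesxserver2-node1.mydomain.com/websso/SAML2/SSO/vsphere.local",
}

if __name__ == "__main__":
    for dev, url in OBSERVED.items():
        stored, shareable = template_login_url(dev, url)
        print(f"{dev}: stored={stored} shareable={shareable}")
```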