Cannot view passwords on new PAM cluster nodes

Article ID: 206987

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We added new nodes to our PAM 3.4.2 cluster, but when we try to view passwords on those new nodes, we only get garbled text, and when we try access methods with auto-login they fail.

Cause

This problem occurs when TLS 1.0/1.1 is disabled in PAM. The setting is on the Configuration > Security > Access page, option "TLS v1.0/1.1 Connection Allowed". Releases up to and including 3.4.2 have a known defect: the push of encryption key files from the cluster master to the other nodes during cluster startup fails when TLS 1.0/1.1 is disabled.

PAM protects stored passwords with a combination of encryption keys held in the database and on the file system, so that a database backup alone is not enough to decrypt them if it gets into the wrong hands. For that reason the cluster master has to push the file-system part of the key material to every other cluster node; only then can that node decrypt existing passwords and encrypt new ones for storage in the shared database. This push is needed only once per node. A node that never received the files shows garbled text instead of passwords and cannot auto-login, which is the symptom described above. See also the documentation page https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-2/administrating/maintenance/configuration-and-database-backups/restore-the-database-to-a-new-appliance.html.

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The problem will be fixed in 3.4.3 and in newer PAM releases such as 4.0.

As a workaround, temporarily enable TLS 1.0/1.1 on the Configuration > Security > Access page of the PAM UI, then make each affected node leave and rejoin the cluster so that the master pushes the key files to it. Once every node can decrypt passwords, disable TLS 1.0/1.1 again; the key push is a one-time step, so the legacy protocols are not needed afterwards. If you later add another node, enable TLS 1.0/1.1 again before that node joins and disable it again once the node can decrypt passwords. Because the workaround deliberately re-enables deprecated protocol versions, confirm on every node that TLS 1.0/1.1 is refused again after you are done.
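The following script is an added example, not CA/Broadcom code, for the last step of the workaround: verifying that every cluster node refuses TLS 1.0 and 1.1 again once the key files have been pushed and the setting has been disabled. It attempts one handshake per protocol version against each node and reports any node that still accepts a legacy version. The node names, the assumption that the PAM web interface listens on port 443, and the helper names are all assumptions for illustration.

```python
"""Audit PAM cluster nodes for TLS 1.0/1.1 after the leave/rejoin workaround.

Added example, not CA/Broadcom code.  Hostnames and port 443 are assumptions;
adjust NODES and PORT for your environment.
"""
import socket
import ssl

# Constructed (hypothetical) list of cluster nodes to audit.
NODES = ["pam-node1.example.com", "pam-node2.example.com", "pam-node3.example.com"]
PORT = 443  # assumption: PAM web UI port

PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2)
LEGACY_NAMES = ("TLSv1", "TLSv1_1")


def _handshake(host, port, version, timeout=5.0):
    """Try a handshake pinned to exactly one protocol version.

    Returns True if the server completed it, False if the server refused the
    version, and None if the node could not be reached at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol negotiation only, not certificate trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Newer OpenSSL builds refuse TLS 1.0/1.1 at the default security level;
    # lower it so the probe actually offers the legacy version.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLError:
        return False  # server rejected this protocol version
    except OSError:
        return None  # unreachable: report separately, do not count as safe


def probe(host, port=PORT, handshake=_handshake):
    """Return {version_name: accepted} for one node.

    `handshake` is injectable so the logic can be exercised without a network.
    """
    return {v.name: handshake(host, port, v) for v in PROBE_VERSIONS}


def legacy_still_enabled(results):
    """Given {host: {version_name: accepted}}, return hosts that still accept
    TLS 1.0 or 1.1, i.e. where the workaround was not reverted."""
    return sorted(h for h, r in results.items() if any(r.get(n) for n in LEGACY_NAMES))


def unreachable(results):
    """Hosts where no probe got an answer; they must be checked by hand."""
    return sorted(h for h, r in results.items() if all(v is None for v in r.values()))


def audit(nodes=NODES, port=PORT, handshake=_handshake):
    """Probe every node and summarise which ones still need attention."""
    results = {h: probe(h, port, handshake) for h in nodes}
    return {
        "results": results,
        "legacy_enabled": legacy_still_enabled(results),
        "unreachable": unreachable(results),
    }


if __name__ == "__main__":
    report = audit()
    for host, r in report["results"].items():
        print(host, r)
    if report["legacy_enabled"]:
        print("TLS 1.0/1.1 still accepted on:", ", ".join(report["legacy_enabled"]))
    if report["unreachable"]:
        print("Could not reach:", ", ".join(report["unreachable"]))
```

Run it after the final "TLS v1.0/1.1 Connection Allowed" change has been saved; any node listed under "still accepted" either did not pick up the setting or was added to the cluster after it was re-disabled with the legacy protocols left on. Nodes that are unreachable are reported rather than silently treated as safe.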