Correcting error "A secure connection to XXX cannot be established" when accessing CA PAM after the CA PAM system certificate has expired


Article ID: 209456


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

In general, when the CA PAM system certificate expires, it is still possible to connect to the appliance, although most browsers will display warnings about the connection, and some of them will not be able to connect at all if a restrictive set of browser security settings is in place.

However, there may be situations where an expired certificate makes it impossible to connect to the PAM appliance under any circumstances. No matter what change is made to the security settings of any browser, whether the remote site is added to the trusted root or address resolution is disabled, the message and the behaviour will always be the same: no access to any of the SSL-secured pages in PAM is possible. The error message obtained looks like the following picture.

 

Environment

CA PRIVILEGED ACCESS MANAGEMENT, all editions

Resolution

This situation may happen if the client is accessing CA PAM through a VPN. In this situation the rules are more stringent, and access through the VPN won't be possible until the certificate is updated in CA PAM.

To correct this situation, access the PAM instance through the internal network or locally, and set the system certificate either to the self-signed certificate in PAM or to the renewed system certificate. That will re-enable connections to CA PAM for clients connecting through the VPN.
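One way to confirm from the internal network that an expired system certificate is the cause, and to verify the replacement afterwards, is to read the certificate the appliance presents with the `openssl` CLI. This is an added example, not part of the original article or of CA PAM; the host name `pam.example.internal`, port 443 and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example: inspect the certificate a PAM appliance presents.
# Assumptions: openssl CLI installed; host/port below are placeholders.

# Fetch the server certificate as PEM. s_client does not abort on an
# expired or untrusted chain, so the certificate can still be read.
fetch_cert() (
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
)

# Read one PEM certificate on stdin; print unreadable, expired, expiring or ok.
# $1 = warning window in days (default 30).
cert_state() (
    warn_days="${1:-30}"
    pem="$(cat)"
    check() { printf '%s\n' "$pem" | openssl x509 -noout "$@" >/dev/null 2>&1; }
    # -checkend N exits non-zero if the certificate is not valid N seconds from now.
    if ! check; then echo unreadable
    elif ! check -checkend 0; then echo expired
    elif ! check -checkend "$((warn_days * 86400))"; then echo expiring
    else echo ok
    fi
)

# Succeeds when subject equals issuer (heuristic for a self-signed certificate).
cert_is_self_signed() (
    pem="$(cat)"
    subject="$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject= *//')"
    issuer="$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer= *//')"
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
)

# Print subject, issuer, expiry date and state for host $1 (port $2, default 443).
pam_cert_report() (
    pem="$(fetch_cert "$1" "${2:-443}")"
    printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -enddate
    echo "state: $(printf '%s\n' "$pem" | cert_state 30)"
    if printf '%s\n' "$pem" | cert_is_self_signed; then
        echo "self-signed: yes"
    else
        echo "self-signed: no"
    fi
)

# Usage: sh pam_cert_check.sh pam.example.internal [port]
if [ "$#" -ge 1 ]; then pam_cert_report "$@"; fi
```

A state of `expired` before the change and `ok` afterwards, checked from the internal network, indicates that VPN clients should be able to connect again.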
