A user cannot be imported without a password and exporting a user does not show the password in CA PAM

Article ID: 211558

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When migrating a CA PAM system, one option is to export users from the old system and import them into the new one.

However, the export process (Users --> Manage Users --> Export/Import) produces a CSV file in which the password field is empty.

Consequently, when the user CSV file exported from one PAM system is imported into another, the import only succeeds for users that already exist in the destination system (that is, it can change the properties of an existing user, but it cannot add a new user).

Otherwise CA PAM throws an error indicating that the user cannot be imported without a password, and the import fails.

Cause

This is working as designed. PAM does not store the password itself in its tables, but only a hash of it (salted SHA-512 with 18 rounds). Exporting that hash and reimporting it into the other system would not recover the original password; the destination would simply store a hash of the hash. The main reason the password is not exported, however, is security: if all system users and their passwords could be exported by pressing a single button, any intruder with sufficient rights could compromise the security of a whole site just by going to PAM and pressing that button.

Likewise, users cannot be imported without a password, because that would allow anyone to provision a user in PAM with maximal privileges and no password set, so that the account would be freely accessible. To avoid such a security hole, any imported user must have a password, or the import must be limited to updating the properties of an existing user.
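The following Python model illustrates the two points above. It is an added example written for this article, not CA PAM's own code: the hashing scheme (salt length, encoding and the way the 18 rounds are applied), the CSV layout and the function names are assumptions. It shows that an export never contains the password, that importing such a file can only update existing users, and that reimporting a stored hash as if it were a password yields a hash of the hash that does not verify against the original password.

```python
import csv
import hashlib
import hmac
import io
import os

# Assumed parameters for this illustration (not PAM's actual implementation).
ROUNDS = 18
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted SHA-512 iterated `rounds` times (assumed scheme, for illustration)."""
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha512(digest).digest()
    return digest


def make_record(username: str, password: str, role: str = "user") -> dict:
    """Build a stored user record; the clear-text password is never kept."""
    salt = os.urandom(SALT_BYTES)
    return {
        "username": username,
        "role": role,
        "salt": salt.hex(),
        "hash": hash_password(password, salt).hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate's hash with the stored hash."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(hash_password(candidate, salt), expected)


def export_users(store: dict) -> str:
    """Export users as CSV; the password column is deliberately left empty."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["username", "role", "password"])
    writer.writeheader()
    for rec in store.values():
        writer.writerow({"username": rec["username"], "role": rec["role"], "password": ""})
    return buf.getvalue()


def import_users(store: dict, csv_text: str) -> dict:
    """Apply the import rule described in the article:
    an existing user may have properties updated without a password,
    a new user is rejected unless a password is supplied.
    """
    result = {"updated": [], "created": [], "rejected": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"]
        pw = row.get("password") or ""
        if name in store:
            store[name]["role"] = row.get("role") or store[name]["role"]
            if pw:  # a supplied password resets the stored credential
                store[name].update(make_record(name, pw, store[name]["role"]))
            result["updated"].append(name)
        elif pw:
            store[name] = make_record(name, pw, row.get("role") or "user")
            result["created"].append(name)
        else:
            result["rejected"].append(name)
    return result


def demo() -> dict:
    """Walk through the article's scenario with constructed sample data."""
    source = {"alice": make_record("alice", "correct horse battery", "admin")}
    exported = export_users(source)

    # 1. Import into an empty system: 'alice' has no password, so she is rejected.
    empty_dest = {}
    first = import_users(empty_dest, exported)

    # 2. Import into a system where 'alice' exists: her role is updated, her
    #    credential is untouched and her original password still verifies.
    populated_dest = {"alice": make_record("alice", "correct horse battery", "user")}
    import_users(populated_dest, exported)

    # 3. Even if the stored hash were placed in the password column, the
    #    destination would hash it again, so the original password would not verify.
    hash_as_pw = "username,role,password\nalice,admin," + source["alice"]["hash"] + "\n"
    hashed_dest = {}
    import_users(hashed_dest, hash_as_pw)

    return {
        "rejected_on_empty": first["rejected"],
        "updated_role": populated_dest["alice"]["role"],
        "still_verifies": verify_password(populated_dest["alice"], "correct horse battery"),
        "hash_of_hash_verifies": verify_password(hashed_dest["alice"], "correct horse battery"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reproduces the article's observations: the import into an empty system rejects the user, the import into a populated system updates only the role, and a hash reimported as a password never matches the original credential.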

Environment

CA Privileged Access Manager, all versions

Resolution

There is no resolution for this, as the product is working as designed.

If the whole database of users and their passwords needs to be moved to another appliance, we suggest clustering the new machine with an existing one: this copies the database to the new instance. Once the copy is complete, uncluster the new machine and upgrade or use it as needed.