We compiled and are trying to run the Java Example class on an AIX server. The output shows that the server returned code 400, suggesting that the call into PAM to retrieve the password succeeded, but the password shows as "null", similar to the following:

> ./run_java_sample.sh mypamaccountalias
Status Code: 400
UsedId:      mypamaccount
Password:    null

The same sample code works fine on another server, for which we defined an A2A mapping for the same target account, and the correct password is retrieved.

Applies to any PAM release as of May 2023.

The Java version used on the AIX server was incompatible with the A2A client libraries., cspmclient.jar and cwjcafips.jar. Specifically the cwjcafips.jar file is signed with SHA1 and didn't pass signed JAR validation.

If the problem is that the JRE blocks loading of SHA1-signed JAR files, a possible workaround could be to edit lib\security\java.security, find parameter "jdk.jar.disabledAlgorithms" and remove SHA1 (typically "SHA1 denyAfter 2019-01-01") from the disabled algorithms list.

If your application allows it, use the JRE that the PAM A2A client installs. The Java executable would be $CSPM_CLIENT_HOME/cspmclient_thirdparty/java/bin/java.

As of May 2023 PAM Engineering is looking into updating the cwjcafips.jar library to one that is signed with a SHA2 certificate. There are compatibility issues to work through and it is not known yet which future PAM release will include the updated library.