After Adding a Utility Server to PAM 4.0, PAMSC Endpoints Do Not Appear

book

Article ID: 224222

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM) CA Privileged Access Manager - Server Control (PAMSC) CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

PAM was upgraded to 4.0 and a utility server or cluster was added, but PAMSC endpoints are not getting registered. The unity server logs show proper communication to the endpoints, but the following error is seen.

2021-09-17T00:11:22.192390581Z  210917001122(    0) PolicyUpdator_Pre - Sending Status Update.
2021-09-17T00:11:22.454501101Z  210917001122(    0) PolicyUpdator_Pre - send_status_update() - HTTP error received = 400

In the Tomcat, there is a warning about a DSApiUser around the same time.

Sep 17, 2021 12:11:22 AM com.ca.pam.RestApiKeyAuthenticationFilter isValidApiKeyAuth
WARNING: RestApiKeyAuthenticationFilter.doFilter T310 Login name DSApiUser-44001 not found or not active

Cause

DSApiUser is for communication between the PAM appliance and utility servers, so if enough time has elapsed between the upgrade to 4.0 and configuring the utility server, the user would have been deactivated. The amount of time is determined by Deactivate Inactive After in Global Settings.

Environment

Privileged Access Manager 4.0
PAM Server control 14.x
Privilieged Identity Manager 12.8

Resolution

To get rid of those errors, go to Users > Manage Users, search for DSApi, and enable the user. Since the user is constantly in use by the utility server, it will not become disabled again.

Attachments