search cancel

After Adding a Utility Server to PAM 4.0.0, PAMSC Endpoints Do Not Appear


Article ID: 224222


Updated On:


CA Privileged Access Manager (PAM)


PAM was upgraded to 4.0.0 and a utility server or cluster was added, but PAMSC endpoints are not getting registered. The unity server logs show proper communication to the endpoints, but the following error is seen.

2021-09-17T00:11:22.192390581Z  210917001122(    0) PolicyUpdator_Pre - Sending Status Update.
2021-09-17T00:11:22.454501101Z  210917001122(    0) PolicyUpdator_Pre - send_status_update() - HTTP error received = 400

In the Tomcat, there is a warning about a DSApiUser around the same time.

Sep 17, 2021 12:11:22 AM isValidApiKeyAuth
WARNING: RestApiKeyAuthenticationFilter.doFilter T310 Login name DSApiUser-44001 not found or not active


DSApiUser is for communication between the PAM appliance and utility servers, so if enough time has elapsed between the upgrade to 4.0.0 and configuring the utility server, the user would have been deactivated. The amount of time is determined by Deactivate Inactive After in Global Settings.


Privileged Access Manager 4.0.0


To get rid of those errors, go to Users > Manage Users, search for DSApi, and enable the user. Since the user is constantly in use by the utility server, it will not become disabled again.

Additional Information

This problem is fixed in PAM 4.0.1, and will be fixed in all future 4.0.X maintenance release and future releases. It is not referenced in the 4.0.1 release notes, because the problem had been observed by PAM Engineering during internal testing, in that case for the MCApiUser user, and a fix was coded that exempts all PAM internal Api user accounts from deactivation.