
After Adding a Utility Server to PAM 4.0.0, PAMSC Endpoints Do Not Appear


Article ID: 224222


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM was upgraded to 4.0.0 and a utility server or cluster was added, but PAMSC endpoints are not getting registered. The utility server logs show proper communication with the endpoints, but the following error is seen.

2021-09-17T00:11:22.192390581Z  210917001122(    0) PolicyUpdator_Pre - Sending Status Update.
2021-09-17T00:11:22.454501101Z  210917001122(    0) PolicyUpdator_Pre - send_status_update() - HTTP error received = 400

In the Tomcat log, there is a warning about a DSApiUser account around the same time.

Sep 17, 2021 12:11:22 AM com.ca.pam.RestApiKeyAuthenticationFilter isValidApiKeyAuth
WARNING: RestApiKeyAuthenticationFilter.doFilter T310 Login name DSApiUser-44001 not found or not active
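
To confirm that both signatures belong to the same event, the two logs can be correlated by timestamp. The following Python script is an added example, not part of the original article or of the product; the function names, the 5-second window and the treatment of the Tomcat timestamps as UTC are assumptions, and the sample log text is constructed from the lines quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input, modelled on the log lines quoted in this article.
UTILITY_LOG = """\
2021-09-17T00:11:22.192390581Z  210917001122(    0) PolicyUpdator_Pre - Sending Status Update.
2021-09-17T00:11:22.454501101Z  210917001122(    0) PolicyUpdator_Pre - send_status_update() - HTTP error received = 400
"""
TOMCAT_LOG = """\
Sep 17, 2021 12:11:22 AM com.ca.pam.RestApiKeyAuthenticationFilter isValidApiKeyAuth
WARNING: RestApiKeyAuthenticationFilter.doFilter T310 Login name DSApiUser-44001 not found or not active
"""

UTIL_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+Z\s.*HTTP error received = 400\s*$")
STAMP_RE = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d\d:\d\d [AP]M) ")
LOGIN_RE = re.compile(r"^WARNING: .*Login name (\S+) not found or not active")


def http_400_times(utility_log):
    """Timestamps (UTC) of status updates rejected with HTTP 400."""
    hits = filter(None, map(UTIL_RE.match, utility_log.splitlines()))
    return [datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
            for m in hits]


def inactive_login_warnings(tomcat_log):
    """(timestamp, login) pairs; the timestamp is on the line before the WARNING."""
    found, stamp = [], None
    for line in tomcat_log.splitlines():
        m = STAMP_RE.match(line)
        if m:
            # Assumption: the Tomcat log clock is UTC, like the utility server log.
            stamp = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
            continue
        m = LOGIN_RE.match(line)
        if m and stamp:
            found.append((stamp, m.group(1)))
    return found


def deactivated_api_users(utility_log, tomcat_log, window_seconds=5):
    """Logins whose 'not active' warning falls within the window of an HTTP 400."""
    errors = http_400_times(utility_log)
    return sorted({login for ts, login in inactive_login_warnings(tomcat_log)
                   if any(abs(ts - e) <= timedelta(seconds=window_seconds) for e in errors)})


if __name__ == "__main__":
    print(deactivated_api_users(UTILITY_LOG, TOMCAT_LOG))
```

Any login name it returns is an account to look up under Users > Manage Users.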

Cause

The DSApiUser account is used for communication between the PAM appliance and utility servers. If enough time elapses between the upgrade to 4.0.0 and the configuration of the utility server, the account is deactivated for inactivity. The amount of time is determined by the Deactivate Inactive After setting in Global Settings.

Environment

Privileged Access Manager 4.0.0


Resolution

To get rid of those errors, go to Users > Manage Users, search for DSApi, and enable the user. Since the user is constantly in use by the utility server, it will not become disabled again.

Additional Information

This problem is fixed in PAM 4.0.1, and will be fixed in all future 4.0.X maintenance releases and future releases. It is not referenced in the 4.0.1 release notes, because the problem had been observed by PAM Engineering during internal testing, in that case for the MCApiUser user, and a fix was coded that exempts all PAM internal API user accounts from deactivation.
