I noticed this error in the logs: PAM-CMN-2275: Unable to retrieve Password Authority password for username __xcd_local__. Error: PAM-CM-0567: Failed to authenticate with the Password Authority service..
But we do not have password authority set up, so I wouldn’t expect this error.
Release : 4.0, 4.x
Component : PRIVILEGED ACCESS MANAGEMENT
The customer restored a database backup taken from a cluster that the node showing the errors had never been a member of, although the node was planned to join that cluster soon.
Per our online documentation page "Restore the Database from a Backup File", a backup from one node can be restored successfully on another node only if both nodes are or were members of the same cluster and neither joined a different cluster afterwards:
"Beginning in version 3.0.1, only the appliance that performed the database backup can restore the database and function properly. Another appliance can restore the database, but it cannot decrypt the password data, so any functionality involving that data fails."
PAM stores encrypted passwords for internal accounts in the database. These cannot be decrypted correctly on a different PAM server, unless the node on which the DB is restored uses the same encryption key files as the database donor. That condition is satisfied for members of a PAM cluster.
If you want to bring a new node into a cluster, it will get the cluster database at the time it joins. There is no need to load the cluster DB up front.
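To confirm from exported logs that a node shows this symptom, the added example below (not part of the product or its documentation) groups PAM-CMN-2275 failures by username and lists the internal accounts failing with PAM-CM-0567. The timestamp prefix of the log lines, the sample lines, the user svc_report, and the rule that names wrapped in double underscores are internal accounts are assumptions made for illustration.

```python
import re

# Message layout follows the error quoted on this page; the leading
# "date time" prefix is an assumption about the exported log format.
PATTERN = re.compile(
    r"^(?P<ts>\S+ \S+)\s+.*?PAM-CMN-2275: Unable to retrieve Password Authority "
    r"password for username (?P<user>\S+?)\. Error: (?P<cause>PAM-[A-Z]+-\d+):"
)

def triage(lines):
    """Return {username: {first_seen, count, causes, internal}} for PAM-CMN-2275 lines."""
    report = {}
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        entry = report.setdefault(
            m["user"], {"first_seen": m["ts"], "count": 0, "causes": set()}
        )
        entry["count"] += 1
        entry["causes"].add(m["cause"])
    for user, entry in report.items():
        # Assumption: names wrapped in double underscores are PAM-internal accounts.
        entry["internal"] = user.startswith("__") and user.endswith("__")
    return report

def suspect_foreign_restore(report):
    """Internal accounts failing with PAM-CM-0567: the symptom described on this page."""
    return sorted(
        user for user, e in report.items()
        if e["internal"] and "PAM-CM-0567" in e["causes"]
    )

# Constructed sample lines; only the error text itself comes from the page.
MSG = ("PAM-CMN-2275: Unable to retrieve Password Authority password for username {u}. "
       "Error: PAM-CM-0567: Failed to authenticate with the Password Authority service..")
SAMPLE_LOG = [
    "2024-01-10 09:14:58 INFO constructed unrelated line",
    "2024-01-10 09:15:02 ERROR " + MSG.format(u="__xcd_local__"),
    "2024-01-10 09:20:02 ERROR " + MSG.format(u="__xcd_local__"),
    "2024-01-10 09:21:40 ERROR " + MSG.format(u="svc_report"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name in suspect_foreign_restore(result):
        print(name, result[name]["first_seen"], result[name]["count"])
```

If the first_seen timestamp of an internal account falls right after a database restore, check whether the backup came from a node outside this node's cluster.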