Getting error "PAM-CM-3488: Change process not specified" when using the REST API to create a UNIX Target Account

Article ID: 236046

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Creating a UNIX target account through POST /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts with the following attributes:

                    { "verifyThroughOtherAccount": "false" },
                    { "discoveryAllowed": "f" },
                    { "protocol": "SSH2_PASSWORD_AUTH" },
                    { "otherAccount": "279001" },
                    { "discoveryGlobal": "f" },
                    { "extensionType": "unixII" },
                    { "useOtherAccountToChangePassword": "t" },
                    { "passwordChangeMethod": "DO_NOT_USE_SUDO" }

The call always results in the error:

    "code": 400,
    "message": "Bad Request: PAM-CMN-0467: A Password Authority problem prevented completing the request. Message: PAM-CM-3488: Change process not specified. Check log for details."

Environment

CA PAM all versions

Cause

There are actually two problems with this call:

  • The passwordChangeMethod attribute can only be specified in case useOtherAccountToChangePassword is set to "false". As when defining the Target Account through the GUI, it is only when the account manages its own password that it is necessary to specify what kind of privilege usage will be needed.
  • Conversely, if useOtherAccountToChangePassword is set to "true", it is necessary to give the id of another privileged account which can be used to carry out the password update.
  • Also, it is very important to stick to the exact definition for the values of the attributes. In this particular case, the boolean value for some of the attributes may be either "true" and "false" or "t" and "f", depending on the attribute. In most cases, if the value requires a specific spelling, a parsing error will be reported at the end of the API call or in the Tomcat log in PAM. However, in some other cases, other apparently unrelated errors may come up. In this particular case, the PAM-CM-3488: Change process not specified message will always be reported if the useOtherAccountToChangePassword attribute is assigned the values "t" or "f" instead of "true" or "false".

Resolution

Double-check the syntax of the REST API call, and especially whether an attribute has been assigned an incorrectly parsed or erroneous value. The values, and specifically the boolean ones, need to be exactly as specified in the documentation or unexpected results may occur. In the present case, set the value of useOtherAccountToChangePassword to either "true" or "false".
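
One way to double-check an attribute set before sending it, as an added example that is not part of the original article or of the product: a Python pre-flight check that enforces only the rules stated in the Cause section. The function names and the flattening of the attribute list into a dictionary are assumptions made for this example.

```python
# Added example: checks only the rules stated in this article's Cause section.
# Function names are hypothetical; nothing here calls the PAM API.

# The attribute list from the article, copied as posted (the failing request).
ARTICLE_ATTRIBUTES = [
    {"verifyThroughOtherAccount": "false"},
    {"discoveryAllowed": "f"},
    {"protocol": "SSH2_PASSWORD_AUTH"},
    {"otherAccount": "279001"},
    {"discoveryGlobal": "f"},
    {"extensionType": "unixII"},
    {"useOtherAccountToChangePassword": "t"},
    {"passwordChangeMethod": "DO_NOT_USE_SUDO"},
]

FLAG = "useOtherAccountToChangePassword"


def flatten(attributes):
    """Accept a dict, or the list of single-key objects shown in the article."""
    if isinstance(attributes, dict):
        return dict(attributes)
    flat = {}
    for item in attributes:
        flat.update(item)
    return flat


def check_unix_account_attributes(attributes):
    """Return a list of problems; an empty list means no rule is violated."""
    attrs = flatten(attributes)
    problems = []
    value = attrs.get(FLAG)
    if value is None:
        return problems  # the article states no rule for an absent flag
    if value not in ("true", "false"):
        problems.append(f'{FLAG} must be "true" or "false", got {value!r}')
    # Read "t"/"f" as the caller's intent so dependent rules are still reported.
    intent = {"true": True, "t": True, "false": False, "f": False}.get(value)
    if intent is True:
        if "passwordChangeMethod" in attrs:
            problems.append(f'passwordChangeMethod is only valid when {FLAG} is "false"')
        if not attrs.get("otherAccount"):
            problems.append(f'otherAccount id is required when {FLAG} is "true"')
    return problems


if __name__ == "__main__":
    for problem in check_unix_account_attributes(ARTICLE_ATTRIBUTES):
        print("problem:", problem)
```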

For more documentation about attributes please see

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0-1/implementing/protect-privileged-account-credentials/identify-target-applications-and-connectors/add-a-unix-target-connector/unix-target-connector-cli-configuration.html

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0-1/UNIX-Target-Application-External-API-Attributes.html