Cannot open 2 or more AWS management consoles from PAM after upgrade from 3.4.3 to 4.0.1
Article ID: 237966

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Since the upgrade to 4.0.1 from 3.4.3 we can no longer launch multiple AWS Management Consoles from PAM, even when selecting different accounts that connect to different regions.

For a second launch, PAM shows the message "You must first log out before logging into a different AWS account", see screenshot below. The same error is observed after closing the PAM access session without explicitly logging out of AWS. In that case we can only get back to the previous session using the same account. In order to use a different account, we have to sign out of the first account.

Environment

Release : 4.0-4.0.2, 3.4.5-3.4.6

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

The latest PAM maintenance releases include an updated JxBrowser version that behaves differently from the version used in older releases, such as 3.4.3. This only affects direct connections to AWS from the PAM client, which is the default configuration for the AWS Management Console SSO service.

Resolution

If your network configuration allows it, and network latency between the PAM client and the PAM server, as well as between the PAM server and AWS, is low, the problem can be resolved by enabling the option "Route Through Symantec PAM" in the TCP/UDP service AWS Management Console SSO, which a PAM admin can edit from the Services > Manage TCP/UDP Services page:

 

The problem seen without the "Route Through Symantec PAM" option enabled is expected to be fixed in the future maintenance releases 3.4.7 and 4.0.3. As of March 2022 it is not clear whether the fix will make it into the next main release, 4.1. If not, the first maintenance release on top of that, 4.1.1, would be expected to include the solution.