After upgrading PAM to 4.1.0 or 4.1.1, secrets cannot be created. The vault is created successfully, but the following error occurs when trying to create a secret in the vault.
PAM-CM-0964: Password policy could not be found for parent application.
Privileged Access Manager, 4.1.0 and 4.1.1
The issue was occurring because the built-in password composition policy "SecretsPcp" was never created. The password composition policy is created by one of the background tasks that runs when either a cluster starts or cspm is restarted on the primary site leader. These background tasks will not run if maintenance mode is on. If all appliances in the cluster are in maintenance mode when the cluster is turned on after the upgrade, these tasks will not run.
This problem is fixed in 4.1.2+, see the following item on page Resolved Issues in 4.1.2:
PAM-CM-0964 error is seen when trying to add a generic secret to a vault.
To have these tasks run on 4.1.0 or 4.1.1, turn off maintenance mode on at least one primary site member prior to starting the cluster. If the cluster has already been started, the tasks can be run by restarting the cluster or manually restarting cspm on the primary site leader.