search cancel

EiamAdmin Account LOCKED and Permissions errors in ca-wcc.log

book

Article ID: 253495

calendar_today

Updated On:

Products

CA Workload Automation AE

Issue/Introduction

We recently changed the password for production's EiamAdmin account.

We regenerated the wcc key and pem files, put them in place, and restarted WCC.

But WCC's "monitor" page does not show any jobs.

We see following in the logs.

# A lot of these.

INFO   | jvm 1    | 2022/11/01 12:15:54 |      765 | @configservices <172.24.102.123 A1093503 ~A7E> [] ERROR #AccessFacade                       # Cannot check permission for SARResourceClass=as-job, ResourceName=PR3.fs_sp_time_get_cpaf311_rpt, Action=read
INFO   | jvm 1    | 2022/11/01 12:15:54 |      765 | @configservices <172.24.102.123 A1093503 ~A7E> [] ERROR #AccessFacade                       # Cannot check permission for SARResourceClass=as-job, ResourceName=PR3.fs_sp_time_get_returned_check_file, Action=read

# and entries for the EiamAdmin account being locked

INFO   | jvm 1    | 2022/11/01 12:15:49 |      760 | @tomcat-resource <172.24.102.123 A1093503 ~A7E> [] ERROR #EmbIAMAccessProvider               # EmbIAMAccessProvider - SafeContextFactory.getSafeContext failed for config: AccessConfig[HostName=host1234,host5678, Locale=en_US, ServerEnabled=true, AppName=WorkloadAutomationAE, AppCertPath=/appdata/CA/WorkloadAutomationAE/wcc/data/config/autosysCertificate.pem, ServerAdminID=EiamAdmin, EventLogPath=null, PersistentCachePath=null, RetryConnectInterval=30, RetryPingInterval=30, FullCacheUpdateEnabled=false, CacheUpdateInterval=30], SafeException.getMessage = EE_PW_USERLOCKED Account locked
INFO   | jvm 1    | 2022/11/01 12:15:49 |      760 | com.ca.eiam.SafePasswordException: EE_PW_USERLOCKED Account locked

Environment

Release : 12.0

Resolution

WCC uses and checks the certs if they are supplied during change_eem and wcc_config and for its normal operations regarding WCC EEM policies.

If you specify eiamadmin's password and certs during your change_eem or wcc_config commands the password is updated in WCC's configuration but it is not tested/verified at that time.

WCC uses the eiamadmin id's password to get the WorkloadAutomationAE policies during normal operations.

In this client's case their eiamadmin password contained special characters and they had not double quoted the value when they issued wcc_config or change_eem.

As a result WCC stored an incomplete / incorrect password which was not verified during insertion.

When it was time to use it the password was wrong and WCC repeatedly failed to login to EEM, eventually locking the id.

The client needed to rerun the wcc_config and/or change_eem command and supply the certs and password, while enclosing the password in double quotes.

 

 

be double quoted in the wcc_config and/or change_eem commands.