search cancel

A2A Unable to update script hash

book

Article ID: 257928

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We moved some Windows hosts with the A2A client installed to a new data center.  The clients still work as expected to retrieve credentials, however we attempted to update a script hash today and it was unsuccessful.

The client shows active when going to Credentials --> Manage A2A --> Clients, however after attempting to update the hash the status switches to yellow.  Using the "Check Connection Status" button doesn't help, and will actually change an active client to yellow the same as checking for a script hash.  Attempting to get the client logs fails as well.  You can still use the client to retrieve credentials, but the only way to get the status back to green is to restart the service on the host.

The client has the old IP address listed in PAM, which makes me wonder if the outbound requests from PAM such as getting a new script hash or checking the connection status are using that IP and failing.  Is there a way to force an update of that IP address?

Environment

Release : 4.0

Resolution

Use the following workaround to force an IP update of the A2A client entry. This assumes that devices are configured with an FQDN, or possibly a shortname, as address, rather than with an IP.

1) Edit the device from the Devices > Manage Devices pages, change the device address to the new IP and save it.

2) Unless you want to keep the new IP as address, edit the device again and set the address back to the FQDN.

3) Go to the Credentials > Manage A2A > Clients page and verify that this A2A client entry now shows the new IP in the IP Address column.

Additional Information

We would not expect to see this problem, if the device was configured with the new IP as device address already. If you did find such a case, the reverse sequence (change address to FQDN, and then change back to IP) should make sure that the IP address of the A2A client entry on the Credentials > Manage A2A > Clients page changes to the new IP.