Retired devices not deleted - PAM-CMN-2265 error during group refresh

Article ID: 258938

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM is not removing devices from LDAP groups that were deleted in Active Directory, even for groups that are refreshed manually. In the session logs we find many PAM-CMN-2265 errors such as the following:

PAM-CMN-2265: Target Server <hostname>.yyy is not deleted. Reason: PAM-CM-0572: An error occurred; if this problem persists then please ask your Administrator to investigate..

Looking in the Tomcat logs, these messages are associated with the following error:

2022-11-18T11:07:54.286+0000 SEVERE [TP9] com.cloakware.cspm.server.app.impl.DeleteTargetServerCmd.invoke DeleteTargetServerCmd.invoke exception
java.lang.NullPointerException

In testing we found that we cannot delete any local device in PAM either, as long as it has device type Password Management checked. It results in the same error.

Environment

Release : 4.0

Cause

A custom connector had been created and tested in the past. It was decided not to keep it, and its configuration was removed from the Configuration > Custom Connectors page. However, the test target application and account created for it were not deleted. Before a device is deleted, specifically a target server (a device with type Password Management checked), PAM needs to check whether any account associated with the target server is used by any other target application or account. This check tripped over the unrecognized custom target application type left behind by the removed connector.

Resolution

This problem is fixed in PAM release 4.1.2 and later releases.

In general, leftover target applications and accounts for custom connectors that are no longer in use should be deleted; doing so resolves this problem without a code fix. To check whether a given target application falls into this category, go to the Credentials > Manage Targets > Applications page, find the application by name and note its application type. Then choose the column Application Type as the filter and use the drop-down in the Value field to see the list of selectable application types. If the noted type is not in that list, it must be a custom application type that is not associated with an active custom connector.
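The following is an added model of the failure mode from the Cause section and of the manual check from this Resolution; it is not PAM's code. The class and function names, the built-in type list and the sample data are all constructed assumptions, and the unguarded path only reproduces the shape of the error (a null lookup result being dereferenced), not PAM's internal logic.

```python
from dataclasses import dataclass, field

# Constructed sample of built-in application types; in PAM the authoritative list is
# what the Application Type filter drop-down shows on Manage Targets > Applications.
BUILTIN_TYPES = {"Windows Domain Service", "UNIX", "Oracle Database"}

@dataclass
class TargetApplication:
    name: str
    app_type: str
    accounts: list = field(default_factory=list)

@dataclass
class TargetServer:
    hostname: str
    password_management: bool          # the "Password Management" device type checkbox
    applications: list = field(default_factory=list)

class Connector:
    """Hypothetical connector for one application type: knows which of its
    accounts are referenced by other target applications/accounts."""
    def __init__(self, used_elsewhere=()):
        self.used_elsewhere = set(used_elsewhere)
    def is_used_elsewhere(self, account):
        return account in self.used_elsewhere

def orphaned_custom_types(applications, active_custom_types):
    """The manual check from the Resolution: an application type that is neither
    built in nor backed by an active custom connector is a leftover to delete."""
    selectable = BUILTIN_TYPES | set(active_custom_types)
    return sorted({a.app_type for a in applications if a.app_type not in selectable})

def delete_target_server(server, connectors, guard_unknown_types=True):
    """Dependency check that precedes deleting a Password Management device.
    Returns (deleted, blockers). With guard_unknown_types=False the lookup for an
    unknown type yields None, which is then dereferenced: the Python analogue of the
    NullPointerException in DeleteTargetServerCmd. The guarded path (an assumed
    hardening, not necessarily what 4.1.2 does) reports the orphaned application."""
    if not server.password_management:
        return True, []                      # plain device: no dependency check
    blockers = []
    for app in server.applications:
        connector = connectors.get(app.app_type)
        if connector is None and guard_unknown_types:
            blockers.append(f"{app.name}: type {app.app_type!r} has no active connector")
            continue
        for account in app.accounts:
            if connector.is_used_elsewhere(account):   # AttributeError when connector is None
                blockers.append(f"{account}: still referenced by another target")
    return (not blockers), blockers
```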

If you have reasons to keep the application and account in place, and you are experiencing this problem, contact PAM Support.