Getting error PAM-UTL-0019 when trying to re-add a utility appliance to a group

Article ID: 263345

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Utility Appliances can sometimes become unresponsive because of communications failures or for other reasons.

In these cases PAM Administrators frequently just delete them from the Utility Group they belong to. This usually works fine, and the Utility Group then shows as empty.

Most PAM Administrators will subsequently try to recreate the Utility Group or simply add the appliance(s) back to it, which may result in the error:

PAM-UTL-0019 Failed to add the Utility Appliance to the Group

Environment

PAM 4.0.X and 4.1.X

Cause

This happens when the Utility Appliance was removed from the Utility Group during a communications outage.

When a Utility Appliance is first added to a Utility Group, it uses a default SSH key, the same one the group has.

PAM subsequently rotates this key for the group and its appliances, so that they share a common key that is no longer the default one.

When a Utility Group becomes empty or is reset, it reverts to the initial default SSH key so that new appliances, which also have the default SSH key, can be added.

If the Utility Appliance is removed during a communications outage, its key stays the same as it was while in the group, but the group itself, having been reset or emptied, reverts to the default SSH key.

The Utility Appliance therefore tries to use a key that is certain to differ from that of the Utility Group, and the operation fails.

Resolution

Unfortunately there is no way to reset the SSH key of a Utility Appliance back to default, so in these cases the Utility Appliance needs to be redeployed and re-added to the Utility Group.