PAM-CMN-0467 When Using API to Create Unix Account With SSH Key
search cancel

PAM-CMN-0467 When Using API to Create Unix Account With SSH Key


Article ID: 274673


Updated On:


CA Privileged Access Manager (PAM)


The PAM API is used to create target accounts, but the following error occurs when trying to create a Unix target account with an SSH key.

  "error": {
    "code": 400,
    "message": "Bad Request: PAM-CMN-0467: A Password Authority problem prevented completing the request. Message: No response from Password Authority. Check log for details."

This is the API body used to create the account.

        "protocol": "SSH2_PUBLIC_KEY_AUTH",
        "verifyThroughOtherAccount": "false",
        "extensionType": "unixII",
        "passphrase": "<passphrase>",
        "keyoptions": null,
        "privateKey": "<base64privkey>",


Privileged Access Manager, all versions


In order to pass the SSH public and private keys using the API, the keys must first be base64 encoded. In this case, the following commands were used in Powershell to encode the SSH keys with Unicode encoding. As a result, there were null characters when PAM decoded the SSH keys, causing the function to break.

$Text = ‘public/private SSH key text’
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)


For best results, it is advised to use openssl to encode the SSH keys. If openssl is unavailable in the environment, use the following Powershell commands to encode the SSH keys using UTF8 encoding.

$Text = ‘public/private SSH key text’
$Bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)

Additional Information

For information about all options which could be used in the API for SSH key accounts, please refer to the following KB article.