A2A Error Code 412

Article ID: 274707

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are testing a new A2A client installation. The client starts up successfully, but every A2A call results in a 412 error.

The client entry in PAM shows green, but the client version is 0.0.0.

Environment

Release : 4.1

Cause

Per the documentation page Credential Manager Client Return Codes, the 412 error is returned by PAM when it cannot find an authorization for the requesting server. This includes the case where the A2A client entry in PAM is not marked as active.

There was an existing device with the short name as device name and the FQDN as address. It had the A2A flag enabled and its A2A client was set to active. However, when the new A2A client registered with PAM, PAM could not resolve the client's IP address at that time, so it created a new device with the IP address as both device name and device address. The corresponding new A2A client was never activated, because the PAM administrator searched for the client by device name and found only the old, stale entry.

Resolution

1. Delete the new device entry that has the IP as device name and address, and only device type A2A checked.

2. Temporarily change the name of the old device entry to the FQDN and make sure the A2A device type is unchecked. If PAM can NOT resolve the A2A client IP, temporarily set both device name and address to the IP.

3. Restart the A2A client. Now it should associate itself with the existing device entry.

4. Edit the device in PAM. It should show the A2A device type as checked. Mark it as active and set the "Preserve Hostname" flag.

5. With the A2A client active and the "Preserve Hostname" flag checked, you can change the device name and address back to your preferred values. Using short names rather than FQDNs for device names may be preferred so that the access page looks cleaner for PAM users. The device address should be an FQDN or an IP.

6. Go to the Credentials > Manage A2A > Clients page and verify that the client shows up with the correct version and a status check is successful.

7. Define scripts and mappings for this client as needed.

8. Confirm that the A2A calls are successful now.

Additional Information

If DNS resolution works at the time the A2A client registers, but the original device has the short name as device name, PAM may create a second device entry with the FQDN as device name. PAM requires a unique device name, but not a unique device address. However, there can be only one A2A client for a given device address, so you should find that only one of the two devices has the A2A flag checked. The procedure above should allow you to consolidate the two devices. If scripts and mappings were already defined for the A2A client, note them down before deleting the A2A device and then recreate them for the new A2A client entry (see step 7).