There are some business concerns that require the PAM "super" and "config" users passwords are updated and store somewhere safe on a regular interval. Since the PAM credential vault cannot be used we need to use an external API to perform this.

Both the "super" and the "config" user passwords can be updated without knowledge of the original password using a Global Admin account API key. No additional prompts will occur in the GUI requiring the password the change after use. 

The following are sample curl commands that can demonstrate the API functionality. All variables are capitalized below.

For super account

# curl -X PUT -u 'APIKEYUSER:PASSWORD' -k --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "password":"NEWPASSWORD", "resetPasswordFlag":"f", "userId":1  }' 'https://PAMHOSTNAME/api.php/v1/users.json'

For config account

# curl  -X PUT -u 'APIKEYUSER:PASSWORD'  -k --header "Content-Type:application/json; charset=utf-8" -d '{ "configUser":"config", "configPassword":"NEWPASSWORD" }' 'https://PAMHOSTNAME/cspm/ext/rest/config/password/config'

For the latest password composition rules please see the "account-types" page from the support manual based on your version of Symantec/CA PAM

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-2/administrating/account-types.html