PAM-CM-4107 from CLI command updatePasswordViewPolicy

Article ID: 382779

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A large number of password view policies (PVPs) are configured with service desk (SD) integration. To be ready for a scenario where the service desk is unavailable for a period of time, it must be possible to reset the SD configuration in the PVPs so that users can still access target devices while the SD application is down. This should be possible with the remote CLI command updatePasswordViewPolicy, but the command does not appear to work correctly and throws a PAM-CM-4107 error:

# ./capam_command -n <pamserver> -u <PAMadmin> -p <password> cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=<ID> PasswordViewPolicy.exclusiveCheckoutRequired=true PasswordViewPolicy.changePasswordOnSessionEnd=true PasswordViewPolicy.reasonRequiredSso=true PasswordViewPolicy.reasonRequiredView=false PasswordViewPolicy.changePasswordOnView=false PasswordViewPolicy.authenticationRequiredView=false Attribute.serviceDeskType= PasswordViewPolicy.approverIDs=<approver ID list>
<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>4689</cr.statusCode><cr.statusDescription>PAM-CM-4107: Password View Policy Exclusive Checkout and Change Password On View/ReAuthenticate On View/Reason required on View can not be both true. Password View Policy exclusiveCheckout and changePasswordOnView/ReAuthenticate On View/Reason required on View can not be both true.</cr.statusDescription><cr.result></cr.result></CommandResult>
This must be a bug: the command sets the parameters changePasswordOnView, authenticationRequiredView and reasonRequiredView to "false", so the message cannot be right.

The same error is observed when calling directly into the adminCLI servlet using a URL similar to the following:

https://xxxxx/cspm/servlet/adminCLI?cmdName=updatePasswordViewPolicy&adminUserID=super&adminPassword=xxxxx&PasswordViewPolicy.ID=22001&PasswordViewPolicy.exclusiveCheckoutRequired=true&PasswordViewPolicy.changePasswordOnSessionEnd=true&PasswordViewPolicy.reasonRequiredSso=true&PasswordViewPolicy.reasonRequiredView=false&PasswordViewPolicy.changePasswordOnView=false&PasswordViewPolicy.authenticationRequiredView=false&Attribute.serviceDeskType=&PasswordViewPolicy.approverIDs=1001,4001

Environment

Applies to any PAM environment running a release older than 4.2.1.

Cause

The error was thrown by legacy validation logic looking for the parameter "authenticationRequired", which used to be a valid parameter name before it was split into the current "authenticationRequiredView" and "authenticationRequiredSso" parameters. Since the "authenticationRequired" parameter was not explicitly set to "false", the validation code threw the PAM-CM-4107 error.

There was a second problem: the command had no equivalent to the "-- None --" setting in the PVP UI editor.

Setting "Attribute.serviceDeskType=" actually does nothing, leaving the current service desk integration in place.

Resolution

The problem will be fixed in future releases starting with the 4.2.1 maintenance release. The CLI command will accept either PasswordViewPolicy.authenticationRequired or PasswordViewPolicy.authenticationRequiredView to set the option "Re-authenticate for View". It will also allow setting "Attribute.serviceDeskType=None" as the equivalent of choosing "-- None --" in the UI.

As a workaround for releases prior to 4.2.1, use PasswordViewPolicy.authenticationRequired in place of PasswordViewPolicy.authenticationRequiredView, and blank out all SD parameters, as shown in the following adminCLI URL:

https://xxxxx/cspm/servlet/adminCLI?cmdName=updatePasswordViewPolicy&adminUserID=super&adminPassword=xxxxx&PasswordViewPolicy.ID=22001&PasswordViewPolicy.exclusiveCheckoutRequired=true&PasswordViewPolicy.changePasswordOnSessionEnd=true&PasswordViewPolicy.reasonRequiredSso=true&PasswordViewPolicy.reasonRequiredView=false&PasswordViewPolicy.authenticationRequired=false&Attribute.serviceDeskType=&Attribute.serviceDeskServer=&Attribute.serviceDeskAccount=&Attribute.serviceDeskQueryFilter=&Attribute.serviceDeskTicketType=&Attribute.serviceDeskApplication=&PasswordViewPolicy.approverIDs=1001,4001
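As an added helper (not part of this article or of the PAM product), the following Python builds the updatePasswordViewPolicy parameter set for either side of the 4.2.1 boundary and parses the CommandResult reply so that a PAM-CM-4107 failure can be detected in a script. The function names and the release-number comparison are assumptions of mine; the parameter names and the sample reply are taken from the article.

```python
import re
import xml.etree.ElementTree as ET

# Service desk attributes that must all be blanked on releases before 4.2.1
SD_ATTRIBUTES = ("Attribute.serviceDeskType", "Attribute.serviceDeskServer",
                 "Attribute.serviceDeskAccount", "Attribute.serviceDeskQueryFilter",
                 "Attribute.serviceDeskTicketType", "Attribute.serviceDeskApplication")

def build_reset_sd_params(policy_id, approver_ids, pam_release):
    """updatePasswordViewPolicy parameters that clear SD integration (helper
    name and release check are assumptions; parameter names are the article's).
    Before 4.2.1 the legacy validator reads 'authenticationRequired', so that
    name replaces 'authenticationRequiredView' and every SD attribute is blanked
    ('serviceDeskType=' alone is ignored); from 4.2.1, serviceDeskType=None
    is the UI's '-- None --'."""
    params = {
        "cmdName": "updatePasswordViewPolicy",
        "PasswordViewPolicy.ID": str(policy_id),
        "PasswordViewPolicy.exclusiveCheckoutRequired": "true",
        "PasswordViewPolicy.changePasswordOnSessionEnd": "true",
        "PasswordViewPolicy.reasonRequiredSso": "true",
        "PasswordViewPolicy.reasonRequiredView": "false",
        "PasswordViewPolicy.changePasswordOnView": "false",
        "PasswordViewPolicy.approverIDs": ",".join(str(a) for a in approver_ids),
    }
    if tuple(int(p) for p in pam_release.split(".")) < (4, 2, 1):
        params["PasswordViewPolicy.authenticationRequired"] = "false"
        params.update({name: "" for name in SD_ATTRIBUTES})
    else:
        params["PasswordViewPolicy.authenticationRequiredView"] = "false"
        params["Attribute.serviceDeskType"] = "None"
    return params

def parse_command_result(xml_text):
    """Parse a <CommandResult> reply; pull out statusCode and any PAM-CM-nnnn code."""
    root = ET.fromstring(xml_text)
    if root.tag != "CommandResult":
        raise ValueError("not a CommandResult document")
    fields = {child.tag: (child.text or "") for child in root}
    desc = fields.get("cr.statusDescription", "")
    match = re.match(r"(PAM-CM-\d+)", desc)
    return {"status_code": int(fields.get("cr.statusCode", "0")),
            "error_code": match.group(1) if match else None, "description": desc}

# Reply quoted in the article, shortened to its first sentence
SAMPLE_RESPONSE = ("<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>4689"
                   "</cr.statusCode><cr.statusDescription>PAM-CM-4107: Password View "
                   "Policy Exclusive Checkout and Change Password On View/ReAuthenticate "
                   "On View/Reason required on View can not be both true."
                   "</cr.statusDescription><cr.result></cr.result></CommandResult>")
```

The returned dict is what a script would pass, URL-encoded, to capam_command or the adminCLI servlet; the credentials themselves are deliberately left out of the helper.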