Post signing of Applets using Default Certificate, PAM Client update fails on MacOS and Linux servers

Article ID: 387045


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

After upgrading from PAM version 4.1.6 or 4.1.7 to PAM version 4.2, updating the PAM Client fails with the error shown in the screenshot below if the PAM UI was used to sign applets with the Default Certificates (Configuration ==> Security ==> Certificates ==> Sign Applets). This happens when the PAM Client is launched and updated on MacOS and Linux servers. The issue does not occur on Windows servers.

The screenshot below shows, as an example, the file kerb-core-203__V4.2.0.285.1.jar, which has been signed using the Default Certificates. The "285.1" in the filename contains a 1 (as in .1), indicating that this jar file was signed 1 time in PAM.

The screenshot below shows how the PAM UI allows a user to "Sign Applets".

Environment

PAM Client on MacOS and Linux servers

Cause

The applet signing activity uses an old, expired certificate instead of the current valid one that the original applet jar files are signed with.
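
One way to check which signer certificate a re-signed jar carries and whether it has expired, as an added example (not part of the original article and not a Broadcom procedure). The helper name `expired_signers` is hypothetical, the sample input is constructed, and English-locale output from `keytool -printcert -jarfile` is assumed.

```shell
#!/bin/sh
# Added example: list expired signer certificates in a signed jar.
# Input: output of `keytool -printcert -jarfile <jar>` (English locale assumed).
# Granularity is one day; the time zone in the keytool date is ignored.

# expired_signers [YYYYMMDD]  (hypothetical helper; default date is today, UTC)
# Prints "<notAfter as YYYYMMDD> <Owner DN>" for each certificate already expired.
expired_signers() {
  today="${1:-$(date -u +%Y%m%d)}"
  awk -v today="$today" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /^[ \t]*Owner: / { owner = $0; sub(/^[ \t]*Owner: /, "", owner) }
    /^[ \t]*Valid from: .* until: / {
      line = $0
      sub(/^.* until: /, "", line)   # keep only the expiry (notAfter) date
      # keytool prints dates like "Fri Jan 01 00:00:00 UTC 2021"
      n = split(line, d, " ")
      ymd = sprintf("%04d%02d%02d", d[n], mon[d[2]], d[3])
      if ((ymd + 0) < (today + 0)) print ymd " " owner
    }'
}

# Constructed sample of keytool output (not taken from a real PAM jar).
SAMPLE=$(cat <<'EOF'
Signer #1:

Owner: CN=Example Old Signer, O=Example
Issuer: CN=Example CA, O=Example
Valid from: Tue Jan 01 00:00:00 UTC 2019 until: Fri Jan 01 00:00:00 UTC 2021

Signer #2:

Owner: CN=Example Current Signer, O=Example
Issuer: CN=Example CA, O=Example
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Mon Jan 01 00:00:00 UTC 2029
EOF
)

# Demo on the sample with a fixed reference date.
printf '%s\n' "$SAMPLE" | expired_signers 20250101

# Real use, with the jar named in this article:
#   keytool -printcert -jarfile kerb-core-203__V4.2.0.285.1.jar | expired_signers
```

Any line printed for a jar re-signed through the PAM UI points at an expired signing certificate of the kind described in the Cause above.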

Resolution

There are two options to avoid this PAM Client update issue.

1. Please do not sign the applet jar files. The PAM UI screen to "Sign Applets" is shown only as a reference.

2. Sign applets with your own signing certificate (NOT the Default Certificates) if there is an actual need to sign the applets. Do not use the Default Applet Certificate for applet signing.

**** Please keep in mind that applet jar files are signed to begin with. We are not signing previously unsigned jar files. We are re-signing jar files. ****

Additional Information

Note that a defect has been filed with PAM Engineering to fix this issue in future releases.