After renewing an Embedded Entitlement Manager (EEM) certificate, users may be unable to log in to the Process Automation (PAM) web UI. Authentication attempts often result in an EE_NOTALLOWED or "The specified user ID, password, or token is invalid" error. This occurs because the PAM keystore remains out of sync with the updated EEM root certificate, requiring a re-alignment of the security components.

Symptoms

• End users receive an EE_NOTALLOWED error when attempting to log in to the Process Automation web UI.
• The UI may display: "The specified user ID, password, or token is invalid."
• The ipoz.log file on the EEM server (located in the EEM install folder's logs directory) records the following warning:
  

  WARN 2025-08-26 17:11:48,998 [0x00002904] [eiam.server.ipoz.sponsorinterfacev1] Exception[-702]: permission denied

• The c2o.log file, located in C:\Program Files\CA\PAM\wildfly\standalone\log on the Process Automation server records:
  
  

  ERROR [com.optinuity.c2o.securitymanagement.EEMSessionContext] Error while authenticating EEM application with certificate com.ca.eiam.SafeException: EE_AUTHFAILED

• Products: CA Process Automation (PAM), Embedded Entitlement Manager (EEM).
• Releases: PAM 4.3 SP05 and earlier; EEM 12.6.
• Components: EEM Certificate Integration, PAM Keystore (PAM.P12).

The EEM certificate renewal process updates the server-side root certificate but does not automatically push these changes to integrated applications. The Process Automation PAM.P12 certificate file must be regenerated to align with the new EEM root certificate to restore the trust relationship between the two products.

Follow these steps to synchronize the certificates and restore user access:

1. Backup the Process Automation Installation:
   • Create a virtual machine snapshot of the PAM server.
   • Alternatively, stop the PAM services and create a manual copy of the entire PAM installation directory.
2. Execute the PAM Re-installation:
   • Run the Process Automation installer on the existing server.
   • When prompted by the wizard, select the Reinstall option.
   • Note: The re-installation process will detect the updated EEM environment and automatically upgrade/regenerate the PAM.P12 certificate files within the PAM configuration.
3. Validate Connectivity:
   • After the installation completes, restart the Process Automation services.
   • Attempt to log in to the PAM web UI to verify that the EE_NOTALLOWED error is resolved.

For further information on renewing the initial EEM root certificate, refer to EEM TLS Error "Exception[-800]: error