Password Authority sub-system of CA PAM is not starting after networking or clustering change.

Article Id: 6917
Status: Published
Updated On: 23-01-2019 13:14
Legacy Id: TEC1152129
Products:
CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM) CA Privileged Access Manager (PAM)
Issue/Introduction:

This issue is characterized by the following Symptoms. These symptoms may not arise until after rebooting the appliance.

Note: Similar symptoms will arise whenever the password authority sub-system is not started or not working correctly. Usually restarting the appliance will bring this back into working order, but in this case a simple reboot will not suffice.

Symptoms:

  • Access to password management does not work. Users may be logged off when they attempt to click "Manage Passwords" or may receive errors trying to complete Credential Management operations.
  • Attempting to use or view a vaulted password does not work. Users may be logged off or receive Password Authority errors when they attempt to view a password or auto-connect using it.

The following error message will likely be found in the Tomcat logs:

May 24, 2017 6:42:22 PM com.cloakware.cspm.server.app.ApplicationImpl shutdown
SEVERE: Shutting down - DataSourceManager.parseAppClusterConfig No local application addresses found.


The following errors & messages may be found in the Session logs:

General Messages:

  • Credential Service daemon is either not running or not reachable.
  • Could not successfully retrieve Password Authority Managed Data for Dashboard
  • Unable to retrieve NSX Accounts No response from Password Authority.
  • The AWS secret key for use by S3 storage is missing

Trying to view / connect:

  • Error when attempting to retrieve password view requests - error was No response from Password Authority.
  • Error when attempting to retrieve pa user id via access user id - error was No response from Password Authority.

Cause:

When the Password Authority sub-system first loads it checks the clustering configurations. One of the checks it performs is to make sure that the appliance address is listed in the clustering configuration. When there is no clustering configuration defined this is not a problem. However, when the cluster configuration does not contain the IP address of the appliance the PA sub-system will not load because it assumes the configuration is wrong.

Note: When changing the cluster config this situation is usually validated and won't be saved if it does not exist. This situation would usually arise after making networking config changes. The network changes DO NOT validate the clustering config.

Environment:

Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY
Component:

Resolution:

In order to resolve this problem the server's address will need to be added to the clustering configuration.

  1. If the database has been locked (usually due to a cluster off situation), first visit the clustering/synchronization page & click 'Unlock Me' to unlock it.
  2. Re-configure clustering so the address of this device DOES exist in the cluster config list.
    • Note: The address only needs to exist in the list, all other configuration can be bogus & clustering does NOT need to be started.
  3. Reboot appliance: Config > Power > Reboot Instance

Once the appliance comes back from the reboot the Password Authority sub-system should be working as expected.