Drive Mapping and access methods not working when PAM cluster is accessed through external load balancer.


Article ID: 7819


Updated On:


Products: CA Privileged Access Manager - Cloakware Password Authority (PA), PAM SAFENET LUNA HSM, CA Privileged Access Manager (PAM)


We have a PAM cluster with a VIP FQDN that connects to a cluster node through an external load balancer. When we use the VIP FQDN in a browser to access PAM and get connected to one of the cluster nodes, access methods work as expected, but when the load balancer connects us to the other node, they don't, and just hovering over an RDP access link shows no local drives under "Drive Mapping:".

The CA PAM client log shows error messages similar to the following:

liveconnect: The html source is on the ESL or covered by a DRS run rule, however the jar's Caller-Allowable-Codebase attribute exists and does not include this source

liveconnect: Security Exception: JavaScript from https://<PAM VIP FQDN>/conn/wUP.php?PHPSESSID=882298535810c51041b09b8e9c87bcd1 attempted to access a resource it has no rights to.

When we connect to the node directly using its host name, there is no problem.


This is similar to the problem described in KB doc TEC1769207. However, the solution provided there does not work for a cluster behind an external load balancer. When the external load balancer, rather than the PAM internal one, forwards the session to one of the cluster nodes, the URL does not change and the client remains connected to the VIP FQDN. On the problem cluster node the client jar files (applets) had been signed using the node's local FQDN, as the old KB doc suggests. The domain given at signing time ends up in the jar manifest's Caller-Allowable-Codebase attribute, the attribute named in the log message, which lists the domains whose JavaScript is allowed to call into the applet. When the browser's Java plugin, connected to the VIP FQDN, received those jar files, the page origin (the VIP FQDN) was not in that list, so it refused the LiveConnect calls and logged the errors above.
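To confirm which names a node's client jars are signed for, the following added Python script (example code, not part of CA PAM or of this KB) reads the Caller-Allowable-Codebase attribute from a jar's manifest and checks it against the URL used in the browser. It also shows that the wildcard produced by signing with an empty Xsuite Domain name covers every host. The host names and manifests embedded in it are constructed for illustration, and the matching rules are a simplified approximation of the Java plugin's; the jar file names and their location on a PAM node are not given here, so point the script at a client jar saved from the browser.

```python
"""Added example (not CA PAM's own code): inspect a client applet jar and
report whether its Caller-Allowable-Codebase covers the URL the browser used.
Host names and manifest contents below are constructed for illustration."""
import io
import sys
import zipfile
from urllib.parse import urlsplit


def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict.

    Manifest lines are wrapped at 72 bytes; a continuation line starts with a
    single space and is glued directly onto the previous attribute value.
    """
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def caller_allowable_codebase(jar_bytes):
    """Return the space-separated Caller-Allowable-Codebase entries of a jar
    given as bytes; an empty list if the attribute is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    return parse_manifest(manifest).get("Caller-Allowable-Codebase", "").split()


def entry_matches(entry, host):
    """Simplified approximation (assumption) of the plugin's matching:
    '*' matches anything, '*.example.com' matches any host under example.com,
    otherwise host names must be equal. Scheme, path and port are ignored."""
    entry = entry.lower()
    if "://" in entry:
        entry = entry.split("://", 1)[1]
    entry = entry.split("/", 1)[0]
    if entry.count(":") == 1:  # host:port (IPv4 or name only)
        entry = entry.split(":", 1)[0]
    if entry == "*":
        return True
    if entry.startswith("*."):
        return host.endswith(entry[1:])
    return host == entry


def codebase_covers(jar_bytes, url):
    """Return (covered, entries) for the origin host of `url`."""
    host = (urlsplit(url).hostname or "").lower()
    entries = caller_allowable_codebase(jar_bytes)
    return any(entry_matches(e, host) for e in entries), entries


def build_jar(manifest_text):
    """Construct a minimal, manifest-only jar for the examples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


# Constructed manifests: a jar signed for one node's local FQDN and IP (the
# value wrapped onto a continuation line, as a real manifest would be), and a
# jar signed with the wildcard that an empty Xsuite Domain name produces.
NODE_JAR = build_jar(
    "Manifest-Version: 1.0\r\n"
    "Caller-Allowable-Codebase: pam-node1.example.com 10.0.0.\r\n"
    " 11\r\n"
    "\r\n"
)
WILDCARD_JAR = build_jar(
    "Manifest-Version: 1.0\r\nCaller-Allowable-Codebase: *\r\n\r\n"
)

if __name__ == "__main__":
    # Usage: python check_codebase.py <client.jar> https://<host-used-in-browser>/
    jar_path, url = sys.argv[1], sys.argv[2]
    with open(jar_path, "rb") as f:
        ok, entries = codebase_covers(f.read(), url)
    print("Caller-Allowable-Codebase:", entries, "| covers", url, ":", ok)
```

A jar that reports only the node's own FQDN and IP will fail exactly when the browser reaches the node through the VIP FQDN, which is the situation described above; after re-signing with the wildcard the check passes for any name.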


Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY


If a PAM node is accessed by more than one name (its own host name or IP as well as the VIP FQDN), re-sign the jar files with an empty Xsuite Domain name, which signs them for any domain. If you only ever use the cluster FQDN through the external load balancer, you may instead sign the applets using the cluster FQDN; in that case the access methods will not work when logged on to an individual cluster node directly using its host name or IP. The empty (wildcard) domain is the more permissive choice, since it allows JavaScript from any origin to call into the applets, so prefer signing with the specific FQDN where the cluster FQDN is genuinely the only name in use.



Signing the applets will take a couple of minutes. Once it's done, you should see a message like the following in the Session logs. Note the wildcard character at the end of the message.

"Xsuite applets successfully signed with Default Xsuite Applet Certificate and domain(s) *"

It is recommended to log out of PAM and clear the Java cache using the Java Control Panel. Afterwards you should be able to access PAM using the local host name, the IP, or the VIP FQDN without plugin problems.

