Installing a new PAM license fails with error
search cancel

Installing a new PAM license fails with error

book

Article ID: 96795

calendar_today

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)

Issue/Introduction

When attempting to install new PAM license keys the following errors may be observed:

1. Error: PAM-CMN-1279: The license was not updated. CA threat analytics feature not removed. Please check the logs to find the problem and reapply the license.
2. PAM-CMN-1744: Failed to delete target account for API key CATapApiUser
3. Error: Error occurred while accessing the database. See the CA PAM logs for details.
4. Error: PAM-CMN-1219: The license was not updated. There was an error provisioning the AWS device. See the audit log for more details.

Environment

Privileged Access Manager, all versions

Resolution

1) Connect to the primary node and turn off the cluster if enabled under Configuration > Clustering
2) Optionally, power down the appliances and take a snapshot if virtual to mitigate any risk
3) Select Configuration > Database > Save Database and Configuration
4) Select Configuration > Clustering > Unlock Me if locked
5) Select Configuration > Database > Reset
6) Log in as super/super and update the required fields 
7) Install the new license 
8) From Configuration > Database restore the saved database from step 3 
9) Log in using the super credentials prior to the reset and verify the updated license reflects correctly
10) Install the new license again after having the database backup restored. This may be necessary, because the backup may be missing internal PAM objects required for support of the features that are enabled in the new license but were not enabled in the old one.
11) Repeat steps 3-7 for any additional appliances. Steps 8-10 are not needed, because these nodes will load the database from the primary node on cluster startup.
12) Log into the primary and turn the cluster on
 

Additional Information

More detail for PAM-CMN-1219
If you were issued a license during PAM 2.x.x with AWS features disabled and then upgrade to 3.x.x and apply a newly issued license, you will get this error as well.
Because 3.x.x license has AWS support feature enabled by default and the DB is lacking certain records (such as "xceedium.aws.amazon.com" and "xceedium.nsx.vmware.com" device) which need to be recreated, thus reset the DB.
After performing the above steps, applying the new license will not throw PAM-CMN-1219 error.
However, although you can successfully apply license after resetting the DB, restoring the DB which again lacks those devices can cause problem such as adding users to ACCESS METHODS in the policy where the users list may not appear. In that case a support ticket need to be opened to resolve that separately(DE405330).