Resetting the PAM super user password
search cancel

Resetting the PAM super user password


Article ID: 96844


Updated On:


CA Privileged Access Manager (PAM)


PAM comes with two built-in administrative accounts, config and super. Online documentation shows how to change the password while logged on, see e.g. PAM also provides a Reset Password option on the VM console for virtual appliances, or the front panel for hardware appliances. This resets the config user password to "config". There is no documented option to reset the super user password if it got lost for whatever reason.

Is there any way for a customer to reset the super user password?


This applies to any supported PAM release as of July 2022 with 4.1 being the latest release. It may change in future releases.


If another user is configured as global administrator, the password for the super user can be reset by the other global administrator user from the PAM UI. However, there is no option to reset the super user password, if there is no global administrator other than the super user configured.
The password is stored in the database. One option would be to restore a database backup from a time where the super user had a known password. This could be accomplished by logging in with the config account. But it is not practical if the password had been updated a long time ago, which most likely is true in cases where it got lost.
If a database backup is not an option either, you will have to open a case with PAM support to work with you on resolution of the problem. PAM support will be able to reset the super user password using SSH access to the appliance. This requires the SSH DEBUG patch to be installed and the SSH port to be open. As long as the config account can access the config UI, the patch can be applied and the SSH port can be opened using the UI.

Additional Information

Note that the "Change Password" page for the config user, which logs on using URL https://<PAMserver>/config/, includes a section "Change Administrator Login Name". This can be used to change the account name of the super user. It does not allow you to change the super user password. In fact you have to provide the current super user password to be able to change the name.