Resetting the PAM super user password

Article ID: 96844

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM comes with two built-in administrative accounts, config and super. The online documentation shows how to change the password while logged on; see, for example, "Change Login for Config or Super User". PAM also provides a Reset Password option on the VM console for virtual appliances, or on the front panel for hardware appliances. This resets the config user password to "config". There is no documented option to reset the super user password if it has been lost.

Is there any way to reset the super user password?

Environment

This applies to any supported PAM release as of July 2024. It may change in future releases.

Cause

Request For Information (RFI)

Resolution

If another user is configured as global administrator, the password for the super user can be reset by the other global administrator user from the PAM UI.

1. To reset the "super" password while logged in as a Global Administrator:

1a. In the PAM UI, navigate to "Users" ==> "Manage Users", then double-click the User Name "super".

1b. Use the resulting screen to set the desired password for "super".

However, there is no option to reset the super user password if no global administrator other than the super user is configured.

The password is stored in the database. One option would be to restore a database backup from a time when the super user had a known password. This could be accomplished by logging in with the config account. However, it is not practical if the password was updated a long time ago, which is most likely true in cases where it has been lost.

If a database backup is not an option either, you will have to open a case with PAM support to work with you on resolving the problem. PAM support will be able to reset the super user password using SSH access to the appliance. This requires the SSH DEBUG patch to be installed and the SSH port to be open. As long as the config account can access the config UI, the patch can be applied and the SSH port can be opened using the UI.

Additional Information

Note that the "Change Password" page for the config user, which logs on using the URL https://<PAMserver>/config/, includes a section "Change Administrator Login Name". This can be used to change the account name of the super user. It does not allow you to change the super user password. In fact, you have to provide the current super user password to be able to change the name.