After upgrade to 3.3.2, target server not connecting: "can't decide access type"

Article ID: 189378

Products

CA Privileged Access Manager (PAM); CA Privileged Access Manager - Cloakware Password Authority (PA); PAM SAFENET LUNA HSM; CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

After upgrading to 3.3.2 to resolve a known issue with the system certificate, the certificate is still blank. When a user tries to access a target server, they get the message "can't decide access type". When trying to set the system certificate, the error message "failed to update certification" occurs.

Cause

In versions 3.3.0 and 3.3.1, there was a known issue with the database where the system certificate was not properly set, which prevents any new certificate from being set. Because the certificate is not set properly, the UI does not properly load, resulting in the "can't decide access type" error. Upgrading to 3.3.2 or above will prevent the defect from occurring in the future, but will not resolve the issue if it's currently happening.

Environment

PRIVILEGED ACCESS MANAGEMENT 3.3.2 or above

Resolution

If the issue is occurring on only one appliance in the cluster:
1- On the affected appliance, go to the Clustering configuration page and click LEAVE CLUSTER to leave the cluster, then click UNLOCK ME to unlock the database.
2- Navigate to the Database configuration page and click SAVE DATABASE AND CONFIGURATION to back up the database, then click RESET to reset the database to the default.
3- The appliance will automatically reboot as part of the reset. After the reboot, log into the appliance with the default super credentials.
4- Go back to the Database configuration page, select the database that was saved, and click RESTORE to restore that database. This will cause the appliance to reboot again.
5- Log back in with the super credentials from before the database reset.
6- On the Configuration page, go to Security > Certificates, then click on the Set tab.
7- The System Certificate will no longer be blank and will now be the default certificate. Select the correct certificate and click VERIFY and ACCEPT to set it.
8- After it is set, PAM will prompt to reboot the appliance to change the system certificate. After the reboot, go back to the certificate configuration page and confirm it is now set to the proper certificate.
9- Go to the Clustering configuration page and add the appliance back to the cluster.

If the issue is occurring on multiple appliances in a cluster:
1- Go to the Clustering configuration page and turn off the cluster.
2- Log into an affected appliance and go to the Clustering configuration page and click UNLOCK ME to unlock the database.
3- Navigate to the Database configuration page and click SAVE DATABASE AND CONFIGURATION to back up the database, then click RESET to reset the database to the default.
4- The appliance will automatically reboot as part of the reset. After the reboot, log into the appliance with the default super credentials.
5- Go back to the Database configuration page, select the database that was saved, and click RESTORE to restore that database. This will cause the appliance to reboot again.
6- Log back in with the super credentials from before the database reset.
7- On the Configuration page, go to Security > Certificates, then click on the Set tab.
8- The System Certificate will no longer be blank and will now be the default certificate. Select the correct certificate and click VERIFY and ACCEPT to set it.
9- After it is set, PAM will prompt to reboot the appliance to change the system certificate. After the reboot, go back to the certificate configuration page and confirm it is now set to the proper certificate.
10- Repeat steps 2-9 for all affected appliances.
11- After the proper certificate has been set on all appliances, go to the Clustering configuration page and turn the cluster back on.

Additional Information

If the issue still persists after following the steps above, open a case for a support engineer to investigate further.

For additional information on adding the appliance back into the cluster, refer to the documentation link below.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-3-4/deploying/set-up-a-cluster/configure-a-cluster/add-a-cluster-member.html