Unable to run a Windows CMD job with the job owner in CyberArk, error "<Owner attribute error. The user name or password is incorrect.>"
Below is the configuration of the Vault and Security Profile:
CyberArk vault definition:
Name : cark-test
Type : CyberArk AAM
ApplicationID: TestApp
AutoSys Security Profile:
Name : autosysadmin@secprof
Profile Type : Password
Storage Type : Vault
Query : Safe=TestSafe;Folder=Root;Object=example.com-autosysadmin
Vault Name : cark-test
User : autosysadmin
A simple command job that retrieves the security profile's user and password from CyberArk finishes successfully:
insert_job: test_cark3 job_type: CMD
command: echo START $$sec_profile^autosysadmin@secprof@<k>user</k> - $$sec_profile^autosysadmin@secprof@<k>password</k> END
machine: localhost
owner: testuser
std_out_file: "/home/testuser/test_cark3.out"
std_err_file: "/home/testuser/test_cark3.err"
But when a similar job has its owner set to a vaulted user (for example, user@host), the job fails to run.
User             Password vault name
autosysadmin@AD  cark-test
insert_job: mk_test_cark job_type: CMD
command: echo
machine: <server>.<example>.<com>
owner: autosysadmin@AD
Job Name Last Start Last End ST/Ex Run/Ntry Pri/Xit
________________________________________________________________ ____________________ ____________________ _____ ________ _______
test_cark ----- ----- IN 1992379/1
Status/[Event] Time Ntry ES ProcessTime Machine
-------------- --------------------- -- -- --------------------- ----------------------------------------
STARTING 08/23/2023 11:13:38 1 PD 08/23/2023 11:13:38 <server>.<example>.<com>
[*** ALARM ***]
STARTJOBFAIL 08/23/2023 11:13:48 1 PD 08/23/2023 11:13:49
<Owner attribute error. The user name or password is incorrect.>
The agent's Windows Event Viewer shows failed login attempts, and the user ID (autosysadmin) gets locked out. Before the account is locked, the same CyberArk credential can be used to RDP manually to the agent in question.
Workload Automation AutoSys
The security profile / vault configuration in AutoSys is not set up properly.
1) You need to do some prep work on CyberArk first (creating an Application and a Safe within the vault)
2) You need to install the CyberArk SDK on the AutoSys Server machine
3) Verify that the CyberArk SDK can talk to the CyberArk server's Safe and Application properly
Here is an example:
/opt/CARKaim/sdk/clipasswordsdk GetPassword -p AppDescs.AppID=test-application -p Query="Safe=autosys-application;Folder=Root;Object=test-user" -o Password
NOTE: Running the above command should return the password for test-user from the vault
4) Create a Cyberark vault in AutoSys:
autosys_secure
AutoSys Security Utility
Please select from the following options:
[1] Revert to NATIVE instance security.
[2] Manage CA EEM security settings.
[3] Change database password.
[4] Change remote authentication method.
[5] Manage users.
[6] Get encrypted password.
[7] Manage password vault.
[8] Manage security profiles.
[0] Exit AutoSys Security Utility.
> 7
Manage password vault
Please select from the following options:
[1] Create password vault.
[2] Delete password vault.
[3] Show password vault.
[4] Change password vault.
[9] Exit from "Manage password vault" menu.
[0] Exit AutoSys Security Utility.
> 1
Input the password vault name (or hit enter to cancel): CyberArkVault
CAUAJM_I_60423 Please select password vault type from the following options:
[1] Symantec PAM
[2] CyberArk AAM
> 2
Input the password vault ApplicationID (or hit enter to cancel): test-application
CAUAJM_I_60176 Password vault added successfully.
Please select from the following options:
[1] Create password vault.
[2] Delete password vault.
[3] Show password vault.
[4] Change password vault.
[9] Exit from "Manage password vault" menu.
[0] Exit AutoSys Security Utility.
> 3
CAUAJM_I_60177 Listing all password vaults:
/* -----------------1. Password vault details ----------------- */
Name : CyberArkVault
Type : CyberArk AAM
ApplicationID: test-application
5) Next step is to create a Security Profile in AutoSys
Please select from the following options:
[1] Revert to NATIVE instance security.
[2] Manage CA EEM security settings.
[3] Change database password.
[4] Change remote authentication method.
[5] Manage users.
[6] Get encrypted password.
[7] Manage password vault.
[8] Manage security profiles.
[0] Exit AutoSys Security Utility.
> 8
Manage security profiles
Please select from the following options:
[1] Create a security profile.
[2] Change a security profile.
[3] Delete a security profile.
[4] Show a security profile.
[9] Exit from "Manage security profiles" menu.
[0] Exit AutoSys Security Utility.
> 1
Input the security profile name (or hit enter to cancel): test-user@autosysserver
Please select profile type from the following options (or hit enter to cancel)
[1] Password
[2] Token
[3] Key File
[4] Key Value Pair
[5] SSH Key
> 1
Please select storage type from the following options (or hit enter to cancel):
[1] Internal - Manage secrets in AutoSys database
[2] Vault - Manage credentials using Vault
> 2
Enter the user name (or hit enter to use profile name as user name): test-user@autosysserver
Input the query (or hit enter to cancel): Safe=autosys-application;Folder=Root;Object=test-user
Enter new security code (or hit enter to cancel):
Enter new security code again:
NOTE: The security code is just a code for Native Security, to prevent deletes by non-SUExec users, so I entered 12345. If you are using EEM, the as_securityprofile policy authorizations apply.
CAUAJM_I_60942 Security profile: test-user@autosysserver successfully created.
Please select from the following options:
[1] Create a security profile
[2] Change a security profile.
[3] Delete a security profile.
[4] Show a security profile.
[9] Exit from "Manage security profiles" menu.
[0] Exit AutoSys Security Utility.
> 4
Note: Use 'ALL' or wildcard characters(*, %, ?) to view multiple profiles.
Input the security profile name (or hit enter to cancel): test-user@autosysserver
CAUAJM_I_60683 Listing all security profiles:
/* ---------------- 1. test-user@autosysserver ----------------- */
Name : test-user@autosysserver
Profile Type : Password
Storage Type : Vault
Query : Safe=autosys-application;Folder=Root;Object=test-user
Vault Name : CyberArkVault
User : test-user@autosysserver
6) Now create a job where owner = <the security profile above>
jil
jil>>1> insert_job: first_cyberark_cmd
jil>>2> command: sleep 100
jil>>3> machine: <server>.<example>.<com>
jil>>4> owner: test-user@autosysserver
jil>>5> exit
CAUAJM_I_50323 Inserting/Updating job: first_cyberark_cmd
CAUAJM_I_50205 Database Change WAS Successful!
CAUAJM_I_52301 Exit Code = 0
7) Run the new job
sendevent -E STARTJOB -J first_cyberark_cmd
autorep -J first_cyberark_cmd -d
Job Name Last Start Last End ST/Ex Run/Ntry Pri/Xit
________________________________________________________________ ____________________ ____________________ _____ ________ _______
first_cyberark_cmd 09/07/2023 17:49:07 09/07/2023 17:50:47 SU 265/1 0
Status/[Event] Time Ntry ES ProcessTime Machine
-------------- --------------------- -- -- --------------------- ----------------------------------------
STARTING 09/07/2023 17:49:07 1 PD 09/07/2023 17:49:07 <server>.<example>.<com>
RUNNING 09/07/2023 17:49:07 1 PD 09/07/2023 17:49:08 <server>.<example>.<com>
<Executing at WA_AGENT>
SUCCESS 09/07/2023 17:50:47 1 PD 09/07/2023 17:50:47 <server>.<example>.<com>
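As an added example (not Broadcom or AutoSys code), the following Python script cross-checks the three pieces configured above, the password vault list, the security profile list and the JIL owner fields, on constructed sample text modelled on the listings in this article, so that an owner which names no security profile, or a profile pointing at an undefined vault or an incomplete Query, is caught before the agent's logon attempts lock the account out.

```python
"""Consistency check for AutoSys vaulted job owners (added example, not
Broadcom/AutoSys code) over autosys_secure listings and JIL definitions."""
import re
# Constructed sample, modelled on this article's listings; profile 2 is deliberately broken.
VAULTS_TXT = """/* --- 1. Password vault details --- */
Name : CyberArkVault
ApplicationID: test-application
"""
PROFILES_TXT = """/* --- 1. test-user@autosysserver --- */
Name : test-user@autosysserver
Query : Safe=autosys-application;Folder=Root;Object=test-user
Vault Name : CyberArkVault
/* --- 2. autosysadmin@secprof --- */
Name : autosysadmin@secprof
Query : Safe=TestSafe;Folder=Root
Vault Name : cark-test
"""
JIL_TXT = """insert_job: first_cyberark_cmd job_type: CMD
owner: test-user@autosysserver
insert_job: mk_test_cark job_type: CMD
owner: autosysadmin@AD
"""
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")

def parse_blocks(text):
    """One dict of 'Field : value' pairs per '/* ... */' section."""
    blocks = []
    for line in text.splitlines():
        if line.startswith("/*"):
            blocks.append({})
        elif blocks and (m := FIELD.match(line)):
            blocks[-1][m.group(1)] = m.group(2)
    return blocks

def check_config(vaults_txt, profiles_txt, jil_txt):
    """Return findings as strings; an empty list means the three agree."""
    vaults = {v["Name"] for v in parse_blocks(vaults_txt)}
    profiles = {p["Name"]: p for p in parse_blocks(profiles_txt)}
    out = []
    for name, p in profiles.items():
        if p.get("Vault Name") not in vaults:
            out.append(f"{name}: vault {p.get('Vault Name')} is not defined")
        keys = {kv.split("=", 1)[0] for kv in p.get("Query", "").split(";")}
        if not {"Safe", "Folder", "Object"} <= keys:
            out.append(f"{name}: Query needs Safe, Folder and Object")
    # Only user@host style owners are expected to name a security profile.
    for owner in re.findall(r"^owner:\s*(\S+)", jil_txt, re.M):
        if "@" in owner and owner not in profiles:
            out.append(f"owner {owner}: no security profile of that name")
    return out
```

Run it against the real output of "Show password vault" / "Show a security profile" (option ALL) and `autorep -J <job> -q`; a plain OS user owner such as testuser is not flagged, since only user@host owners must match a profile name.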