Tech Tip - CA Privileged Access Manager: External API call fails with 401 error

Document created by prira01 Employee on Jul 13, 2016Last modified by kristen.palazzolo on Dec 17, 2016
Version 3Show Document
  • View in full screen mode

Issue:

After provisioning API request credentials following instructions in the CA PAM 2.6 Implementation Guide in a CA PAM cluster environment, an attempt to make an external API call using the API request credentials fails with error code 401 and message "Unauthorized: The attempt to retrieve the user's password for login failed. Please check with an administrator for further details.". The session logs contain a message "User *** using API key YYY can't perform GET operations while cluster is stopped ...". But the cluster is ON and in sync.

 

Cause:

The customized default password view policy (PVP), which automatically is associated with the target account that is created while the API request credentials are provisioned, had the "Checkout/Checkin" and "Change Password On View" options checked.

 

Workaround:

Change the default PVP or associate the target accounts for the ApiKey target application with a different PVP that does not have both options set.

 

Solution:

Attachments

    Outcomes