Troubleshooting a failed A2A Request
Here are the possible status codes returned from a request for credentials by the PAM A2A client:
400 - Success
Problems with communication:
401 - Failed to authenticate with the Password Authority service
402 - Unable to establish connection with client daemon
403 - Not authorized (for client daemon)
404 - Unable to establish connection with Password Authority Server
Troubleshooting these:
There may be a problem with the digest key that was set up when the A2A client first registered with the PAM server. Perhaps your A2A client had been pointing to a different server and you are trying to point it to a new server. Perhaps you have upgraded the machine hosting your A2A client, and the hardware fingerprint has changed.
Try this first:
Invoke the 'Update Client Key' command (button on the A2A->Clients->client details page).
If that doesn't work, try this:
1. Stop the client daemon
2. Delete the cache file (%CSPM_CLIENT_HOME%\cspmclient\config\data\.cspmclient.dat)
3. Deactivate the client in the server (A2A->Clients->client details page)
4. Restart the client daemon
Communication to PAM is good, but A2A request fails:
405 - No data found for specified target alias
406 - Application error. See system log for details
407 - Invalid parameters specified
409 - Unauthorized script name
410 - Unauthorized execution path
411 - Unauthorized execution user ID
412 - Unauthorized request server
To troubleshoot these, look at the Failed A2A Client Request report on the Dashboard.
Date/Time         Client     Alias    Script Name  Execution User ID  Error Code
2017-03-07 11:59  IPaddress  MyAlias  MyApp        MyUser             409
Click on the underlined Date/Time - it is actually a link to more details about the failure:
Account Request Details - These are the details that the PAM server received for the request. They may not be the same as what you have authorized on the Mappings tab. For a 409, you may find that PAM received a different script name, or simply that, after working hard to get your application integrated with the PAM client, you completely forgot to add an authorization mapping for it. That is quite common.