Symantec Privileged Access Management

Tech Tip - CA Privileged Identity Manager: Monitor/Debug Password Consumer Requests on a PUPM for Access Control Endpoints


    Broadcom Employee
    Posted Jun 06, 2016 11:38 PM

    Ever been puzzled by applications using password consumers failing mysteriously? Passwords not being received for unknown reasons?


    The PUPM agent has a debug facility controlled by the parameter OperationMode. If this is set to 2, every password consumer transaction is logged to <AccessControl>/Data/PUPMAgent/PUPMAgent_Trace.log, where <AccessControl> is the product installation directory. The trace records the requesting application, the source host, the native user and its group memberships and the connection string; the checked-out password itself is masked in the log (it appears as ********). Note the value you change from, and set it back once the problem is found.


    On UNIX, OperationMode is located in the [PUPMAgent] section of seos.ini.

    On Windows, the following registry value is used:

    HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\PUPMAgent\OperationMode


    To change the setting:

    1) Stop the ControlMinder agent:

    secons -s

    2) Change seos.ini or the registry value as above.

    3) Start the ControlMinder agent again:

    UNIX:

    seload

    Windows:

    seosd -start
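    The UNIX side of the procedure above as a script, added here as an example; it is not code from the original post or from CA/Broadcom. It rewrites OperationMode in the [PUPMAgent] section of seos.ini while leaving every other line alone, keeps a backup so the previous value can be restored when the trace has been collected, and restarts the agent with the commands listed above (secons -s, then seload). Two things are assumed and not stated on this page: the installation directory is read from an ACCESSCONTROL_HOME environment variable, and seos.ini sits directly under it. The Windows registry value is not handled here.

```python
"""Turn PUPM agent tracing on (OperationMode=2) or back off on a UNIX endpoint.

Added example, not code from the original post or from CA/Broadcom. Assumed and
not stated on the page: the install directory comes from an ACCESSCONTROL_HOME
environment variable and seos.ini sits directly under it.
"""
import os
import shutil
import subprocess
import sys

SECTION, KEY = "PUPMAgent", "OperationMode"


def set_ini_value(text, section, key, value):
    """Return (new_text, previous_value). Adds the key, or the whole section, when
    missing; every other line (comments, other keys, ordering) is left untouched."""
    out, old, in_section, seen, done = [], None, False, False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_section and not done:           # leaving the section: key was absent
                out.append(f"{key} = {value}")
                done = True
            in_section = s[1:-1].strip().lower() == section.lower()
            seen = seen or in_section
        elif in_section and not done and "=" in s and not s.startswith(";"):
            k, v = (p.strip() for p in s.split("=", 1))
            if k.lower() == key.lower():
                old = v
                out.append(f"{key} = {value}")
                done = True
                continue
        out.append(line)
    if not done:                                   # section was last, or not present
        if not seen:
            out.append(f"[{section}]")
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n", old


def switch_trace(mode, home):
    """Write OperationMode=mode into seos.ini under `home` and restart the agent."""
    ini = os.path.join(home, "seos.ini")
    with open(ini) as f:
        text = f.read()
    shutil.copy2(ini, ini + ".bak")                # restore point for the previous setting
    new_text, old = set_ini_value(text, SECTION, KEY, mode)
    with open(ini, "w") as f:
        f.write(new_text)
    subprocess.run(["secons", "-s"], check=True)   # stop the ControlMinder agent
    subprocess.run(["seload"], check=True)         # start it again
    return old


if __name__ == "__main__":
    home = os.environ["ACCESSCONTROL_HOME"]        # assumed variable, see docstring
    mode = sys.argv[1] if len(sys.argv) > 1 else "2"
    previous = switch_trace(mode, home)
    print(f"OperationMode set to {mode} (was {previous}); trace file:",
          os.path.join(home, "Data", "PUPMAgent", "PUPMAgent_Trace.log"))
```

    Run it once with no argument to switch tracing on, reproduce the failing checkout, then run it again with the value it printed as "was" to put the agent back; the .bak copy of seos.ini is the fallback if that value was never present in the file.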


    An example of a successful transaction for a JDBC password consumer is given in full at the end of this post. The following lines from it are the most useful for debugging.

    The following shows that the application making the request is C:\Program Files\Java\jre1.8.0_91\bin\java.exe; this must match the "Application Path" parameter of the password consumer:

    20-May-2016 11:39:26: HandleJavaPlgDatabaseRequest> Application names: C:\Program Files\Java\jre1.8.0_91\bin\java.exe

    The following shows which server (MYSERVER) is making the request. This host must be allowed in the Hosts tab of the password consumer:

    20-May-2016 11:39:26: _AddMessageProperties> SOURCE_HOST --> MYSERVER was added.

    The following shows the user name making the request. This user needs to be allowed in the Users tab of the password consumer:

    NATIVE_USER_NAME=CI,MYSERVER\Administrator


    The following identify the privileged account, the container it belongs to and the endpoint type being requested:

    ACCOUNT_NAME=test CONTAINER_NAME=MS SQL Logins END_POINT_TYPE=MS SQL Server


    The FAILURE_CODE and FAILURE_MESSAGE are helpful to determine why a request was rejected; in this case it was not (RESPONSE_CODE is ACCEPT):

    20-May-2016 11:39:26: _ProcessCheckoutReply> FAILURE_CODE --> 0
    20-May-2016 11:39:26: _ProcessCheckoutReply> FAILURE_MESSAGE --> OK


    Full log sample:

    20-May-2016 11:39:26: Request header: version: 2; request type: JDBC request(2); request size: 4341 starting @ offest 32; process id: 2428; ticket id: 0
    20-May-2016 11:39:26: HandleJavaPlgDatabaseRequest> Application names: C:\Program Files\Java\jre1.8.0_91\bin\java.exe

    20-May-2016 11:39:26: HandleJavaPlgDatabaseRequest> User name: MYSERVER\Administrator
    20-May-2016 11:39:26: ParseJDBRequest> Request type is: JDBCDriver
    20-May-2016 11:39:26: ParseJDBRequest> CONNECT_IDENTIFIER is: jdbc:sqlserver://mydbserver;DatabaseName=master;SelectMethod=cursor;
    20-May-2016 11:39:26: ParseJDBRequest> USERNAME is: test
    20-May-2016 11:39:26: GetHostList> Will not resolve empty hosts list.
    20-May-2016 11:39:26: _AddMessageProperties> MESSAGE_TYPE --> PUPM_PASSWORD was added.
    20-May-2016 11:39:26: _AddMessageProperties> ACTION --> GET was added.
    20-May-2016 11:39:26: _AddMessageProperties> MSG_VERSION --> 1100 was added.
    20-May-2016 11:39:26: _AddMessageProperties> MSG_ID --> 1026 was added.
    20-May-2016 11:39:26: _AddMessageProperties> SOURCE_HOST --> MYSERVER was added.
    20-May-2016 11:39:26: _AddMessageProperties> SOURCE_ACID --> 860b25f3-a58d-446a-8a79-948773a285b5 was added.
    20-May-2016 11:39:26: _AddMessageProperties> SOURCE_TIME --> 1463724566 was added.
    20-May-2016 11:39:26: _AddMessageProperties> AC_DESTINATION_COMPONENT --> PUPM was added.
    20-May-2016 11:39:26: GetHostList> Resolving: mydbserver
    20-May-2016 11:39:26: _FillCheckoutData> Found 3 hosts for mydbserver: mydbserver.myco.com mydbserver 10.131.42.158.
    20-May-2016 11:39:26: _FillCheckoutData> Message data:
    REQUEST_SOURCE=JDBC
    ACCOUNT_NAME=test
    CONTAINER_NAME=MS SQL Logins
    END_POINT_TYPE=MS SQL Server
    NATIVE_USER_NAME=CI,MYSERVER\Administrator
    NATIVE_GROUPS_COUNT=13
    NATIVE_GROUP_NAME=CI,MYSERVER\None
    NATIVE_GROUP_NAME=CI,Everyone
    NATIVE_GROUP_NAME=CI,NT AUTHORITY\Local account and member of Administrators group
    NATIVE_GROUP_NAME=CI,BUILTIN\Administrators
    NATIVE_GROUP_NAME=CI,BUILTIN\Users
    NATIVE_GROUP_NAME=CI,NT AUTHORITY\REMOTE INTERACTIVE LOGON
    NATIVE_GROUP_NAME=CI,NT AUTHORITY\INTERACTIVE
    NATIVE_GROUP_NAME=CI,NT AUTHORITY\Authenticated Users
    NATIVE_GROUP_NAME=CI,NT AUTHORITY\This Organization
    NATIVE_GROUP_NAME=CI,NT AUTHORITY\Local account
    NATIVE_GROUP_NAME=CI,LOCAL
    NATIVE_GROUP_NAME=CI,NT AUTHORITY\NTLM Authentication
    NATIVE_GROUP_NAME=CI,Mandatory Label\High Mandatory Level
    CONTAINING_APPLICATIONS_COUNT=1
    CONTAINING_APPLICATION=CI,C:\Program Files\Java\jre1.8.0_91\bin\java.exe
    CONNECTION_STRING=jdbc:sqlserver://mydbserver;DatabaseName=master;SelectMethod=cursor;
    NETWORK_SET_COUNT=1
    NETWORK_SET=[TARGET_HOST_ID:mydbserver.myco.com],[TARGET_HOST_ID:mydbserver],[TARGET_HOST_ID:10.131.42.158],


    20-May-2016 11:39:26: ACMQ Listener(ac_server_to_endpoint)> New message received.
    20-May-2016 11:39:26: _ProcessReplyProperties> MESSAGE_TYPE --> PUPM_PASSWORD was received.
    20-May-2016 11:39:26: _ProcessReplyProperties> ACTION --> GET_REPLY was received.
    20-May-2016 11:39:26: _ProcessReplyProperties> MSG_ID --> 1026 was received.
    20-May-2016 11:39:26: _ProcessReplyProperties> DESTINATION_HOST --> MYSERVER was received.
    20-May-2016 11:39:26: _ProcessCheckoutReply> RESPONSE_CODE --> ACCEPT
    20-May-2016 11:39:26: _ProcessCheckoutReply> FAILURE_CODE --> 0
    20-May-2016 11:39:26: _ProcessCheckoutReply> FAILURE_MESSAGE --> OK
    20-May-2016 11:39:26: _ProcessCheckoutReply> END_POINT_NAME --> mydbserver-mssql
    20-May-2016 11:39:26: _ProcessCheckoutReply> PASSWORD --> ********
    20-May-2016 11:39:26: _ProcessCheckoutReply> PASSWORD_CONSUMER --> mydbserver-mssql-test
    20-May-2016 11:39:26: ReadDataComplete> Pipe instance: 0x548 has been closed by client side. Deleting instance ....
    20-May-2016 11:39:26: _ProcessCheckoutReply> Event was cached successfully.
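    The checks described above (Application Path, Hosts tab, Users tab, then FAILURE_CODE and FAILURE_MESSAGE) as a script that runs over the trace file, added here as an example; it is not code from the original post or from CA/Broadcom. It groups the trace into one record per checkout, matching each reply to its request by MSG_ID so that interleaved requests are not confused, drops the masked PASSWORD property, and reports which of the three consumer settings a request does not satisfy. Assumptions: the line formats are exactly those shown in the log above; comparisons are case-insensitive; the "CI," prefix in the message data is stripped (this post does not define it). The sample trace is constructed: the first checkout is trimmed from the log above, the second is made up to show a mismatch, and its REJECT, FAILURE_CODE and FAILURE_MESSAGE values are placeholders, not real product codes.

```python
"""Summarise password-consumer checkouts from PUPMAgent_Trace.log.

Added example, not code from the original post or from CA/Broadcom. Assumptions:
line formats are exactly those the post shows; comparisons are case-insensitive;
the "CI," prefix in the message data is stripped (the post does not define it).
The second checkout in the sample is constructed to show a mismatch; its REJECT
and FAILURE values are placeholders, not real product codes.
"""
import re
from dataclasses import dataclass, field

REPLY_RE = re.compile(r"_ProcessCheckoutReply> (\w+) --> (.*)$")
PROP_RE = re.compile(r"> (\w+) --> (.*?) was (added|received)\.$")
APP_RE = re.compile(r"Application names: (.*)$")
KV_RE = re.compile(r"^([A-Z_]+)=(.*)$")


@dataclass
class Checkout:
    application: str = ""
    source_host: str = ""
    data: dict = field(default_factory=dict)    # message data block (KEY=VALUE)
    groups: list = field(default_factory=list)  # NATIVE_GROUP_NAME entries
    reply: dict = field(default_factory=dict)   # _ProcessCheckoutReply properties


def strip_ci(value):
    return value[3:] if value.startswith("CI,") else value


def parse_trace(text):
    """One Checkout per request; reply properties are matched to it by MSG_ID."""
    checkouts, by_id = [], {}
    cur = reply_for = None
    for raw in text.splitlines():
        line = raw.strip()
        if "Request header:" in line:                      # a new checkout starts here
            cur = Checkout()
            checkouts.append(cur)
        elif (m := REPLY_RE.search(line)):
            if reply_for is not None and m.group(1) != "PASSWORD":   # never keep the secret
                reply_for.reply[m.group(1)] = m.group(2).strip()
        elif (m := PROP_RE.search(line)):
            key, value, direction = m.groups()
            if key == "MSG_ID" and direction == "received":      # reply: find its request
                reply_for = by_id.get(value)
            elif key == "MSG_ID" and cur is not None:
                by_id[value] = cur
            elif key == "SOURCE_HOST" and cur is not None:
                cur.source_host = value
        elif cur is not None and (m := APP_RE.search(line)):
            cur.application = m.group(1)
        elif cur is not None and (m := KV_RE.match(line)):
            key, value = m.group(1), strip_ci(m.group(2))
            if key == "NATIVE_GROUP_NAME":
                cur.groups.append(value)
            else:
                cur.data[key] = value
    return checkouts


def check_consumer(co, expected):
    """Reasons the checkout does not fit the expected consumer definition ([] = fits)."""
    problems = []
    if co.application.lower() != expected["application_path"].lower():
        problems.append(f"Application Path: {co.application!r}")
    if co.source_host.lower() not in {h.lower() for h in expected["hosts"]}:
        problems.append(f"Hosts: {co.source_host!r}")
    user = co.data.get("NATIVE_USER_NAME", "")
    if user.lower() not in {u.lower() for u in expected["users"]}:
        problems.append(f"Users: {user!r}")
    if co.reply.get("RESPONSE_CODE") != "ACCEPT" or co.reply.get("FAILURE_CODE") != "0":
        problems.append("reply: " + ", ".join(f"{k}={co.reply.get(k)}" for k in
                        ("RESPONSE_CODE", "FAILURE_CODE", "FAILURE_MESSAGE")))
    return problems


# Constructed sample: first checkout trimmed from the post's log, second made up.
SAMPLE_TRACE = r"""
20-May-2016 11:39:26: Request header: version: 2; request type: JDBC request(2); process id: 2428; ticket id: 0
20-May-2016 11:39:26: HandleJavaPlgDatabaseRequest> Application names: C:\Program Files\Java\jre1.8.0_91\bin\java.exe
20-May-2016 11:39:26: _AddMessageProperties> MSG_ID --> 1026 was added.
20-May-2016 11:39:26: _AddMessageProperties> SOURCE_HOST --> MYSERVER was added.
20-May-2016 11:39:26: _FillCheckoutData> Message data:
ACCOUNT_NAME=test
NATIVE_USER_NAME=CI,MYSERVER\Administrator
NATIVE_GROUP_NAME=CI,BUILTIN\Administrators
20-May-2016 11:39:26: _ProcessReplyProperties> MSG_ID --> 1026 was received.
20-May-2016 11:39:26: _ProcessCheckoutReply> RESPONSE_CODE --> ACCEPT
20-May-2016 11:39:26: _ProcessCheckoutReply> FAILURE_CODE --> 0
20-May-2016 11:39:26: _ProcessCheckoutReply> FAILURE_MESSAGE --> OK
20-May-2016 11:39:26: _ProcessCheckoutReply> PASSWORD --> ********
20-May-2016 11:39:26: _ProcessCheckoutReply> PASSWORD_CONSUMER --> mydbserver-mssql-test
20-May-2016 11:40:02: Request header: version: 2; request type: JDBC request(2); process id: 3104; ticket id: 0
20-May-2016 11:40:02: HandleJavaPlgDatabaseRequest> Application names: C:\Tools\report.exe
20-May-2016 11:40:02: _AddMessageProperties> MSG_ID --> 1027 was added.
20-May-2016 11:40:02: _AddMessageProperties> SOURCE_HOST --> OTHERHOST was added.
NATIVE_USER_NAME=CI,OTHERHOST\svc_report
20-May-2016 11:40:02: _ProcessReplyProperties> MSG_ID --> 1027 was received.
20-May-2016 11:40:02: _ProcessCheckoutReply> RESPONSE_CODE --> REJECT
20-May-2016 11:40:02: _ProcessCheckoutReply> FAILURE_CODE --> 1
20-May-2016 11:40:02: _ProcessCheckoutReply> FAILURE_MESSAGE --> placeholder, not a real PIM message
"""

# Assumed definition of the consumer mydbserver-mssql-test (Application Path, Hosts, Users).
EXPECTED_CONSUMER = {
    "application_path": r"C:\Program Files\Java\jre1.8.0_91\bin\java.exe",
    "hosts": ["MYSERVER"],
    "users": [r"MYSERVER\Administrator"],
}

if __name__ == "__main__":
    for co in parse_trace(SAMPLE_TRACE):
        problems = check_consumer(co, EXPECTED_CONSUMER)
        print(co.source_host, co.data.get("NATIVE_USER_NAME"), "OK" if not problems else "; ".join(problems))
```

    Against a real trace, read the file into parse_trace instead of SAMPLE_TRACE and fill EXPECTED_CONSUMER from the consumer definition in the console; a checkout that lists no problems but still fails in the application points away from the consumer definition and towards the application side of the request.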