Symantec Privileged Access Management

  • 1.  How can I manage the devices???

    Posted Feb 22, 2017 03:59 AM

    Hi,

     

    I am very confused about your CA PAM. I tried to manage devices after I discovered them, but every time I get the error: "Unable to perform the operation. Please contact System Administrator." 0031. But I am the Administrator. The documentation is not really helpful, because it contains the same text as the CA PAM.

     

    Can you help me? Is it possible to give me a clear manual on how I configure the CA PAM?

     

    What is the A2A Client? Is it a client which I install on all clients? Or only on the server which I want to access via RDP, for example? The documentation is not really clear!

     

    Thank you.

     

    Best regards



  • 2.  Re: How can I manage the devices???
    Best Answer

    Broadcom Employee
    Posted Feb 22, 2017 09:02 AM

    Hi,

     

    I am not sure what the cause of the errors you are seeing is, if you need assistance with these please open a support case to have this looked at. 

     

    As for manual configuration, this tech doc should help get you started setting up devices (the manual way):

    HOW-TO: Set up a device for RDP or SSH with automatic login in CA PAM.

     

    The A2A client is a piece of client software that can be loaded on a server to allow the server to create automated requests for passwords that are stored in the CA PAM Vault. This is NOT required on every target device, only on the ones that will be required to request passwords using it. These password requests are primarily meant to remove hard coded passwords from configuration files. In the past you would store for example SQL passwords for web applications in an ini or other config file. With A2A, when the password is required an automated request is sent to CA PAM and the password is provided on the spot. This increases security by removing hard coded passwords and allowing them to be more easily rotated.

     

    Note: All agents/clients (A2A, Windows Proxy, Socket Filter Agent) are optional for enabling certain features, they are not required.

     

    Hope this helps!

    -Christian



  • 3.  Re: How can I manage the devices???

    Posted Feb 24, 2017 05:27 AM

    I get a new alert. To test the function "Login IP range" I added a range for a test user. After I removed that and logged in again, I get an alert: Binding Failure. And all Access Methods and Services are listed. I restarted the appliance and the server too. But the issue is still there. What is the problem? Is there a bug? After I change the ports I get no alert, but the RDP doesn't work. So I changed the ports back and I get the alert again. One of the ports I can't find is port 61998. Can you help me?



  • 4.  Re: How can I manage the devices???

    Broadcom Employee
    Posted Feb 24, 2017 08:40 AM

    These Bind Failures usually mean that the ports are already in use on the user's local workstation. Please see the tech doc below for information on the Bind Failures. 

     

    http://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC1116109.html 

     

    Hope this helps!

    -Christian



  • 5.  Re: How can I manage the devices???

    Posted Feb 24, 2017 08:52 AM

    But before I changed the Login IP Ranges it worked with the same settings. I removed the changes and the alert came.

     

    Now I can´t use it, because of the alert.

     

    In my opinion, the CA PAM has a few bugs. Another is that after the session times out, only 1 time in 20 does the login page come up. The other 19 times only the text "site is not available" appears.



  • 6.  Re: How can I manage the devices???

    Posted Feb 24, 2017 08:56 AM

    And by the way the port is only used one time.



  • 7.  Re: How can I manage the devices???

    Posted Feb 24, 2017 09:02 AM

    Here is the error message when I want to start an RDP application, after I clicked the OK button of the bind failure alert:

     

    Error type: RdpException.
    Error message: Unable to connect to backend device. Please contact Administrator..

    Stack trace:
       com.ca.xsuite.app.rdp3.client.handler.TCPStreamHandler.read(Unknown Source)
       com.ca.xsuite.app.rdp3.core.layer.channel.BaseITULayer.receive(Unknown Source)
       com.ca.xsuite.app.rdp3.core.layer.ITULayer.mainLoop(Unknown Source)
       com.ca.xsuite.app.rdp3.client.app.RDesktop.main(Unknown Source)
       com.ca.xsuite.launcher.a.n.run(Unknown Source)
       java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
       java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
       java.lang.Thread.run(Unknown Source)

    Cause:
    Error type: EOFException.
    Error message: .

    Stack trace:
       com.ca.xsuite.app.rdp3.core.impl.RDPInputStream.readFully(Unknown Source)
       com.ca.xsuite.app.rdp3.client.handler.TCPStreamHandler.read(Unknown Source)
       com.ca.xsuite.app.rdp3.core.layer.channel.BaseITULayer.receive(Unknown Source)
       com.ca.xsuite.app.rdp3.core.layer.ITULayer.mainLoop(Unknown Source)
       com.ca.xsuite.app.rdp3.client.app.RDesktop.main(Unknown Source)
       com.ca.xsuite.launcher.a.n.run(Unknown Source)
       java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
       java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
       java.lang.Thread.run(Unknown Source)



  • 8.  Re: How can I manage the devices???

    Broadcom Employee
    Posted Feb 24, 2017 09:19 AM

    The error you posted is definitely expected whenever you get the Bind Failure. The bind failure is telling us that we were not able to bind to the port (usually because it is already in use). Since we cannot bind to the port it would be impossible to use this port for communication, thus the "Unable to connect to backend device" error. 

     

    If you are using a web browser, make sure you don't have multiple tabs or browsers open to PAM, they will conflict with each other and cause this.

     

    The same is true of the CA PAM Client. Check task manager for extra CA PAM Client processes & kill them. It is possible that there was a problem when closing the client and the process got stuck.

     

    You could also use the netstat utility to see if another process is holding the port open for some reason.

     

    If all else fails, try rebooting your workstation. This should clear any bound ports.

     

    As for the session timeout issue that you are seeing, this is likely a cache problem. When this happens try clearing the cache in the Browser & Java or the PAM Client.

     

    -Christian
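The port check described in the reply above (task manager, netstat), written out as an added example that is not from the thread or from CA/Broadcom: for each PAM client port it lists which local process holds the port and, if nothing is recorded, confirms by attempting the same kind of loopback bind the client performs. Port 61998 is the one mentioned earlier in the thread; the function name is my own, and Get-NetTCPConnection assumes Windows 8 / Server 2012 or later.

```powershell
# Added example: diagnose a PAM client "Binding Failure" on the local workstation.
# Reports what is holding each port and whether a loopback bind currently succeeds.
function Test-PamPortBinding {
    param(
        [Parameter(Mandatory)][int[]] $Ports
    )
    foreach ($port in $Ports) {
        # Existing sockets on this port (a stuck PAM Client, a second browser tab, etc.).
        $conns = Get-NetTCPConnection -LocalPort $port -ErrorAction SilentlyContinue
        foreach ($c in $conns) {
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $port
                State   = $c.State
                PID     = $c.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                CanBind = $false
            }
        }
        if (-not $conns) {
            # Nothing recorded: try the bind itself, which is what the PAM client does.
            $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, $port)
            $canBind = $false
            try {
                $listener.Start()
                $canBind = $true
            } catch {
                # Typically a SocketException: address already in use or access denied.
                $canBind = $false
            } finally {
                $listener.Stop()
            }
            [pscustomobject]@{ Port = $port; State = 'None'; PID = $null; Process = $null; CanBind = $canBind }
        }
    }
}

# 61998 is the port named in the thread; add the other PAM Client ports you use.
Test-PamPortBinding -Ports 61998 | Format-Table -AutoSize
```

A row whose Process is a browser or an extra PAM Client instance points at the duplicate-session case Christian describes; a row with CanBind false and no process usually means the port is held by a session that has not yet timed out.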