Symantec Privileged Access Management

  • 1.  CA PAM Password View Policy not working

    Posted Jan 16, 2019 04:19 AM

    Hello All,

     

    I am new to CA PAM and I am currently stuck with "Password View Policy". I have enabled certain options:

    *Change Password On View.

    *Change Password On Connection End.

    *Check-out / Check-in. 

    *Force check-in: 5mins

    and added to a specific server account for test and given access to a testuser.

     

    As per the policy, once the testuser accesses and ends the connection, the password should change, right?

    But the password is not changing automatically. Please guide me if I am doing it wrong and tell me the steps I should follow.

     

    Thanks & regards,

    Rushikesh Pattankar.



  • 2.  Re: CA PAM Password View Policy not working

    Broadcom Employee
    Posted Jan 16, 2019 10:00 AM

    Hi Rushi, the individual options are discussed on this page: https://docops.ca.com/ca-privileged-access-manager/3-2-3/EN/implementing/protect-privileged-account-credentials/set-up-password-composition-and-view-policies/establish-password-view-policies/create-a-password-view-policy

    If you have check-out/check-in selected, that should dominate. At the time the password is checked out, you should see a job (Credentials > Manage Targets > Scheduled Jobs) getting created that will change the password at the time controlled by the "Force check-in after" setting, if it's not checked in earlier. If you want the password to be changed on connection end, then just use that option. Another question would be whether a password change was attempted but failed.



  • 3.  Re: CA PAM Password View Policy not working
    Best Answer

    Posted Jan 17, 2019 03:44 AM

    Hi Ralf Prigl, thanks for the reply. After I checked out with the testuser, I could see the job created in Scheduled job. After the account was checked in, the Scheduled job disappeared, but the password was not getting verified automatically, nor was I able to view the password. It was displaying "PAM-CM-1072: Cannot check out synchronized accounts that are unverified." and after I verified it manually, it was displaying the same old password while viewing.

     

    This happened while I was testing it again:

     

    Let me know how to solve it.

    Thanks & regards,

    Rushikesh Pattankar.



  • 4.  Re: CA PAM Password View Policy not working

    Posted Jan 18, 2019 03:21 AM

    Please guide me on this.



  • 5.  Re: CA PAM Password View Policy not working

    Broadcom Employee
    Posted Jan 18, 2019 03:30 PM

    Hi Rushi,

    When generating passwords automatically, it is important that the Password Composition Policy attached to the Target Application meets the requirements of the target system. That is one thing to check. Another is to look in the Tomcat catalina log for the error at the time of the scheduled job to update the password. If that does not show you the problem, please open a support ticket and send the catalina logfile and the time of the password change which failed.

    Regards,

    Margaret



  • 6.  Re: CA PAM Password View Policy not working

    Broadcom Employee
    Posted Jan 18, 2019 05:39 PM

    One other thing to check is that the account isn't restricted to a single password change in a 24-hour period... some systems have that limitation. It's also possible that the account you are using to update the password doesn't have the appropriate permissions to do so (can you generate a new credential manually and have it apply?).