Symantec Privileged Access Management

  • 1.  Issue with connecting to vCenter Server

    Posted Feb 26, 2019 07:10 AM

    Hi Team,

     

    We have got some issue in CA PAM.

    There is a vCenter Server which we have onboarded as a Linux Device. Created a Target Application of type Generic. The Target Account is added. We have created the policy with the device and user using the target account.

     

    When we try establishing the session, it opens up the SSH window, shows connection details, and before logging in it just vanishes. However, all the Linux servers hosted on the same vCenter server as normal Linux servers are doing an automated login. Attaching the screenshot. Kindly help.

     



  • 2.  Re: Issue with connecting to vCenter Server

    Broadcom Employee
    Posted Feb 26, 2019 12:26 PM

    Hi Avijit,

     

    The first thing I would do here is change the Tomcat logs to Config level, then reproduce the issue and review the Tomcat logs. If there are errors related to the connection they would likely show here. One example that may apply to your situation is that you may have differing security levels on the different vCenter servers which could result in problems for some but not all.

     

    If this doesn't point you in the correct direction, you may need to set the SSH server into debug mode, then try again. This would give you logs of what the vCenter server is receiving and how it is handling those responses. It may tell you what is happening.

     

    Hope this helps.

     

    Regards,

    Christian Lutz

    Support Engineer

    Broadcom (CA) - ESD Support



  • 3.  Re: Issue with connecting to vCenter Server

    Posted Feb 26, 2019 12:44 PM

    Thanks for the response. I will check it and come back to the thread.



  • 4.  Re: Issue with connecting to vCenter Server

    Posted Feb 27, 2019 02:04 AM

    Hi Christian,

     

    This is what I get from the log. Please let me know what could be the issue. I have tried the 1st approach, not the second one where you wanted me to take the SSH target to debug mode.

     

    INFO: UserSecurityContextImpl.hasAccess User CN=shapratap.das (************) (ID=1375) with gkUserID=223 has GK Policy access to target account IDs: 1161
    Feb 27, 2019 6:25:34 AM com.cloakware.cspm.server.app.ar a
    INFO: Account password is being SSO'd, but policy has change on SSO disabled
    Feb 27, 2019 6:25:34 AM com.cloakware.cspm.server.app.impl.lr a
    INFO: ViewAccountPassword.invoke, end:true
    Feb 27, 2019 6:25:34 AM com.ca.pam.CSRFFilter doFilter
    INFO: Running Cross-Site Request Forgery (CSRF) check for URL: /cspm/rest/passwordauthority/pvr/
    Feb 27, 2019 6:25:34 AM com.ca.pam.CSRFFilter doFilter
    INFO: Cross-Site Request Forgery (CSRF) check pass for Hos

     

     

    ***Just to let you know, this is a vCenter Server OVA provided by VMware to our infra team, who then deployed it to the infrastructure with the necessary virtual hardware.



  • 5.  Re: Issue with connecting to vCenter Server

    Posted Apr 19, 2019 09:49 AM

    These messages look like they're from the Tomcat log.  I don't see anything here that would explain the behavior you described.  Did you get the debug log from vCenter, as Christian also suggested?



  • 6.  Re: Issue with connecting to vCenter Server

    Broadcom Employee
    Posted May 01, 2019 02:36 PM

    Hello Avijit, I just noticed that this question is still open. Since this is a question about auto-login rather than password management, the Tomcat log will not be useful. The question is how the device prompts for username and password when connecting to it via SSH. You would want to remove the target account for auto-login from the policy, and take screenshots showing the prompt for user name and then for password. This should tell us whether the SSH applet can handle it or not. Another piece of useful information would be to configure a TCP/UDP service with an SSH client like PuTTY and see whether auto-login works in that case. This may be better done in the context of a support case rather than a community post. If you have the problem resolved by now, please document the solution here for the benefit of others. Thanks, Ralf