Layer 7 Privileged Access Management

Tech Tip - CA Privileged Access Manager: External API call fails with 401 error 

07-13-2016 04:25 PM

Issue:

After provisioning API request credentials per the instructions in the CA PAM 2.6 Implementation Guide in a CA PAM cluster environment, an external API call made with those credentials fails with error code 401 and the message "Unauthorized: The attempt to retrieve the user's password for login failed. Please check with an administrator for further details." The session logs contain the message "User *** using API key YYY can't perform GET operations while cluster is stopped ...", even though the cluster is on and in sync.

 

Cause:

The customized default password view policy (PVP), which is automatically associated with the target account created when the API request credentials are provisioned, had both the "Checkout/Checkin" and "Change Password On View" options checked.

 

Workaround:

Change the default PVP or associate the target accounts for the ApiKey target application with a different PVP that does not have both options set.

 

Solution:


Comments

01-05-2018 12:57 PM

This appears to be an issue related to password checkout and API keys... not a conflict between "change on view" and "check out/check in".  I was only able to clear the error by disabling password checkout altogether... which is unfortunate as that is the ideal PVP for API-Keys.
