I'm having problems defining new WebLogic accounts in CA PAM 2.8.2.
Even if I choose "Update only the Password Authority Server", it gives an error saying that I must define a change process account. (WebLogic 10 Account Details -> Change Process).
On version 2.8.1, this didn't happen when I defined the existing accounts.
Does it make sense to have a "change process account" if I only want to store the password? Does anyone have this same issue?
I just tested this on 2.7.0, 2.8.0, 2.8.1 & 2.8.2 and I am seeing the same behavior you mentioned above in all 4 releases.
This behavior does seem strange to me, especially since it does still happen when using "Update only the Password Authority Server" as you pointed out. I would suggest opening a support ticket for this.
Hi Nuno, we detected this with another colleague. I found a workaround to fix this in the meantime.
There's a new attribute for Weblogic accounts: useOtherAccountToChangePassword. To configure the first Target Account, you will need to do it using the CLI.
Windows Domain Services Target Connector - CA Privileged Access Manager - 2.8.2 - CA Technologies Documentation
The parameter useOtherAccountToChangePassword has to be set to false. If, after creating this account, you want to create another target account (weblogic type), you will see that the first account created is now available to be selected in the Change Process. If you don't want to select any account, you will have to create the account by command line.
1) Create the New Target Account: https://docops.ca.com/ca-privileged-access-manager/2-8-2/EN/programming/credential-manager-cli-commands/addtargetaccount
>capam_command cspmHostName=<PAM IP> UserID=super cmdName=addTargetAccount TargetServer.hostName=<Server hostname> TargetApplication.name=<Application Name> TargetAccount.userName=<username> TargetAccount.password=<password> Attribute.useOtherAccountToChangePassword=false TargetAccount.privileged=true
2) If you need to update an existing target account, then check the command line updateTargetAccount: https://docops.ca.com/ca-privileged-access-manager/2-8-2/EN/programming/credential-manager-cli-commands/updatetargetaccount
For example: >capam_command cspmHostName=<PAM IP> UserID=super cmdName=updateTargetAccount TargetAccount.ID=<TargetAccount ID> TargetAccount.userName=<TargetAccountName> TargetAccount.privileged=true Attribute.useOtherAccountToChangePassword=false
Remember that you have to add the argument: useOtherAccountToChangePassword=false
Hope this is helpful.
I updated the existing account by command line and it shows useOtherAccountToChangePassword=false.
But I'm still not able to change that account using the web interface. For example, to add a descriptor.
Hi Nuno, that is correct. Unfortunately, if you are not going to select another account to have permission to change the password (in Change Process), you will have to update the account settings via command line. This is a bug.
If you want to add a description, you will have to add these arguments in the updateTarget command.
For example: capam_command cspmHostName=<PAM IP> UserID=super cmdName=updateTargetAccount TargetAccount.ID=<TargetAccount ID> TargetAccount.userName=<TargetAccountName> TargetAccount.privileged=true Attribute.useOtherAccountToChangePassword=false Attribute.descriptor1=<Description> TargetAccount.synchronize=<true/false>
Set TargetAccount.synchronize=true to indicate that the password stored in Credential Manager should be synchronized with the password on the target system. This functionality is not supported with Target Application Type Generic.
Find more arguments in the link provided previously:
updateTargetAccount - CA Privileged Access Manager - 2.8.2 - CA Technologies Documentation
For further information let us know.
Ok. I understand.
Thanks for this workaround.