Symantec Privileged Access Management

 View Only
Expand all | Collapse all

REST API doc: Cannot create Target Account with SSH Keys

Jump to Best Answer
  • 1.  REST API doc: Cannot create Target Account with SSH Keys

    Posted Dec 13, 2019 04:19 PM
    When attempting to add an account that utilizes SSH Keys for password rotation I get the following error:
    "error": {
    "
    code": 400, "message": "Bad Request: PAM-CMN-0467: A Password Authority problem prevented completing the request. Message: No response from Password Authority. Check log for details."

    /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts

    I added the correct deviceId and applicationId to the appropriate fields before hitting the "Try it out!" button.

    I entered the json below into the POST section for devices:
    note: the public and private key are base64 encoded as the documentation suggests.
    {
    "accountName":"p-capam",
    "aliasNames":null,
    "attributes":{
    "keyOptions":null,
    "verifyThroughOtherAccount":"false",
    "discoveryAllowed":"f",
    "publicKey":"ssh-rsa AAAAB3NzaC1ycLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUM== root@capam",
    "protocol":"SSH2_PUBLIC_KEY_AUTH",
    "passphrase":"Test$1234",
    "privetKey":null,
    "otherAccount":null,
    "descriptor2":null,
    "discoveryGlobal":"f",
    "descriptor1":null,
    "extensionType":"unixII",
    "useOtherAccountToChangePassword":"false",
    "passwordChangeMethod":"USE_SUDO"
    },
    "cacheBehavior":null,
    "cacheDuration":null,
    "description1":null,
    "description2":null,
    "password":"-----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,7EA3AAELOREUMIPSUM
    FhB6IgY43X8r84OEFmcrLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUM==
    -----END RSA PRIVATE KEY-----",
    "passwordViewPolicyId":null,
    "privileged":"t",
    "synchronize":"t",
    "useAliasNameParameter":null
    }

    Is this a known issue? What log can I check for details? Any help or suggestions would be GREATLY appreciated.


  • 2.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Broadcom Employee
    Posted Dec 13, 2019 04:58 PM
    Hello, The Api Docs page includes this note: "Note that the private and public key data should be base64 encoded.". There is also at least one invalid attribute, "privetKey". I assume that was meant to say "privateKey"


  • 3.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted Dec 13, 2019 05:10 PM
    Hi Ralf. I corrected the typo and I get the same error. The private and public keys are base64 encoded (as mentioned earlier). In your opinion does the error indicate a key related issue? What logs can I check for more info?  Thank you for the speedy reply!


  • 4.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Broadcom Employee
    Posted Dec 13, 2019 05:41 PM
    Hi Jeff, you should check the tomcat logs. Are you able to GET existing target accounts w/o problem?


  • 5.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted Dec 13, 2019 05:48 PM
    I can GET an existing account without issue.


  • 6.  RE: REST API doc: Cannot create Target Account with SSH Keys
    Best Answer

    Broadcom Employee
    Posted Dec 13, 2019 06:49 PM
    Hello Jeff, I am not sure whether you fixed your publicKey and password values already. You state you used base64 encoded strings, but what you show in your original post are the keys themselves. E.g. take the public key:

    "ssh-rsa AAAAB3NzaC1ycLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUM== root@capam"

    A base64-encoded string for that is
    c3NoLXJzYSBBQUFBQjNOemFDMXljTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU09PSByb290QGNhcGFtCg==

    And you would specify that in the payload:

    "publicKey":"c3NoLXJzYSBBQUFBQjNOemFDMXljTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU09PSByb290QGNhcGFtCg==",


  • 7.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Broadcom Employee
    Posted Dec 13, 2019 06:56 PM
    Also, I suggest you test with "synchronize":"f" first, at least until you get a successful account creation. Then you can turn the synchronize flag on in the target account and see whether it syncs. If successful, delete the account and run the API call again with "synchronize":"t".


  • 8.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted Apr 25, 2022 05:55 PM
    Hi Ralf,

    Could you please help me understand how to get the device/ target application/ target account IDs?

    Thanks,
    Aayushi Dubey


  • 9.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Broadcom Employee
    Posted Apr 25, 2022 06:18 PM
    Hello Aayushi,
    You use the "GET /api.php/v1/devices.json" Rest API resource to get the ID of the device, assuming it exists already. Once you have the device ID, you use the "GET /api.php/v1/devices.json/{id}/targetApplications" resource with the ID obtained in the first call to get the list of target applications for this device. This will include the ID of the target application for which you want to create an account. If the device doesn't exist yet, you can look at KB 218925 and its attachment for an example on how to create device, target application and target account using the Rest API.
    Regards,
    Ralf


  • 10.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted Dec 13, 2019 07:22 PM
    Resolved!  Thanks Ralf.


  • 11.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted Apr 25, 2022 05:55 PM
    Hi Jeff,

    Could you please help me understand how to get the device/ target application/ target account IDs?

    Thanks,
    Aayushi Dubey