Symantec Privileged Access Management


REST API doc: Cannot create Target Account with SSH Keys

  • 1.  REST API doc: Cannot create Target Account with SSH Keys

    Posted 12-13-2019 04:19 PM
    When attempting to add an account that utilizes SSH Keys for password rotation I get the following error:
    "error": {
    "code": 400, "message": "Bad Request: PAM-CMN-0467: A Password Authority problem prevented completing the request. Message: No response from Password Authority. Check log for details."

    /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts

    I added the correct deviceId and applicationId to the appropriate fields before hitting the "Try it out!" button.

    I entered the JSON below into the POST section for devices:
    Note: the public and private key are base64 encoded as the documentation suggests.
    {
    "accountName":"p-capam",
    "aliasNames":null,
    "attributes":{
    "keyOptions":null,
    "verifyThroughOtherAccount":"false",
    "discoveryAllowed":"f",
    "publicKey":"ssh-rsa AAAAB3NzaC1ycLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUM== root@capam",
    "protocol":"SSH2_PUBLIC_KEY_AUTH",
    "passphrase":"Test$1234",
    "privetKey":null,
    "otherAccount":null,
    "descriptor2":null,
    "discoveryGlobal":"f",
    "descriptor1":null,
    "extensionType":"unixII",
    "useOtherAccountToChangePassword":"false",
    "passwordChangeMethod":"USE_SUDO"
    },
    "cacheBehavior":null,
    "cacheDuration":null,
    "description1":null,
    "description2":null,
    "password":"-----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,7EA3AAELOREUMIPSUM
    FhB6IgY43X8r84OEFmcrLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUM==
    -----END RSA PRIVATE KEY-----",
    "passwordViewPolicyId":null,
    "privileged":"t",
    "synchronize":"t",
    "useAliasNameParameter":null
    }

    Is this a known issue? What log can I check for details? Any help or suggestions would be GREATLY appreciated.


  • 2.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted 12-13-2019 04:58 PM
    Hello, the API Docs page includes this note: "Note that the private and public key data should be base64 encoded.". There is also at least one invalid attribute, "privetKey". I assume that was meant to say "privateKey".


  • 3.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted 12-13-2019 05:10 PM
    Hi Ralf. I corrected the typo and I get the same error. The private and public keys are base64 encoded (as mentioned earlier). In your opinion does the error indicate a key related issue? What logs can I check for more info?  Thank you for the speedy reply!


  • 4.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted 12-13-2019 05:41 PM
    Hi Jeff, you should check the tomcat logs. Are you able to GET existing target accounts w/o problem?


  • 5.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted 12-13-2019 05:48 PM
    I can GET an existing account without issue.


  • 6.  RE: REST API doc: Cannot create Target Account with SSH Keys
    Best Answer

    Posted 12-13-2019 06:49 PM
    Hello Jeff, I am not sure whether you fixed your publicKey and password values already. You state you used base64 encoded strings, but what you show in your original post are the keys themselves. E.g. take the public key:

    "ssh-rsa AAAAB3NzaC1ycLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUMLOREUMIPSUM== root@capam"

    A base64-encoded string for that is
    c3NoLXJzYSBBQUFBQjNOemFDMXljTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU09PSByb290QGNhcGFtCg==

    And you would specify that in the payload:

    "publicKey":"c3NoLXJzYSBBQUFBQjNOemFDMXljTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU1MT1JFVU1JUFNVTUxPUkVVTUlQU1VNTE9SRVVNSVBTVU09PSByb290QGNhcGFtCg==",


  • 7.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted 12-13-2019 06:56 PM
    Also, I suggest you test with "synchronize":"f" first, at least until you get a successful account creation. Then you can turn the synchronize flag on in the target account and see whether it syncs. If successful, delete the account and run the API call again with "synchronize":"t".
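
A pre-flight check for the encoding problem identified in the best answer, as an added example that is not part of the original thread and is not Symantec's code. It uses only the field names shown in the posted payload (`attributes.publicKey`, `password`); the key material is constructed sample text and the helper names are hypothetical.

```python
import base64
import binascii

KEY_MARKERS = ("ssh-", "ecdsa-", "-----BEGIN")

# Constructed sample key material for illustration; not real keys.
SAMPLE_PUBLIC_KEY = "ssh-rsa AAAAB3NzaC1ycCONSTRUCTEDSAMPLE== root@capam"
SAMPLE_PRIVATE_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQtU0FNUExF\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def encode_key(text):
    """Base64-encode key text so it travels as one JSON-safe line."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def classify(value):
    """Return 'raw-key', 'encoded-key' or 'unrecognized' for a field value."""
    if value.startswith(KEY_MARKERS):
        return "raw-key"
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "unrecognized"
    text = decoded.decode("utf-8", errors="replace")
    return "encoded-key" if text.startswith(KEY_MARKERS) else "unrecognized"


def preflight(payload):
    """List key fields that are not base64-encoded key material."""
    fields = {
        "attributes.publicKey": payload.get("attributes", {}).get("publicKey"),
        "password": payload.get("password"),
    }
    return [f"{name}: {classify(value or '')}"
            for name, value in fields.items()
            if classify(value or "") != "encoded-key"]


def build_payload(public_key, private_key, encode=True):
    """Build the key-bearing part of the target account payload."""
    wrap = encode_key if encode else (lambda s: s)
    return {
        "accountName": "p-capam",
        "attributes": {"protocol": "SSH2_PUBLIC_KEY_AUTH",
                       "publicKey": wrap(public_key)},
        "password": wrap(private_key),
    }
```

Running `preflight()` on a payload before the POST flags key fields still holding the key text itself, which is the condition the best answer pointed out in the original request.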


  • 8.  RE: REST API doc: Cannot create Target Account with SSH Keys

    Posted 12-13-2019 07:22 PM
    Resolved!  Thanks Ralf.