Symantec Privileged Access Management

  • 1.  upgraded from PAM 3.2.3 to Layer 7 PAM 3.3.0..no PW rotation!

    Posted Oct 24, 2019 11:38 AM
    We just upgraded from PAM 3.2.3 to Layer 7 PAM 3.3.0 during the weekend.  It appears the Layer 7 PAM 3.3.0 is unable to reset passwords for accounts. It appears the change in the applications that interface with our servers are no longer able to change the passwords in version 3.3.0.  These password policies were written by me along with input from the awesome and legendary Adam Roll! They worked for 4 months under PAM 3.2.3.

    For our Windows systems, we use a password master.  It keeps failing to rotate the password master's password.  The accounts that depend upon it become unverified when the password cannot be rotated.  On the domain, the passwords expire every 60 days.  The accounts can be rotated administratively any time.  However, the accounts must wait one day before the account can rotate its own password.

    I have cleaned up 6 domains.  For our LINUX systems, we are not using a password master. As a result, the accounts are not rotating the password and being locked out.  We have over 100 local accounts on LINUX systems that are unverified.

    I checked the session logs on all three production appliances.  There were no entries that pertain to either resetting LINUX or Active Directory accounts.

    I attached a copy of our password policy.  Does anyone have any ideas of what works with 3.3.0 versus 3.2.3?

    Thanks

    ------------------------------
    Thanks
    Tarek Hamdy
    thamdy2000@gmail.com
    571-723-2859
    ------------------------------


  • 2.  RE: upgraded from PAM 3.2.3 to Layer 7 PAM 3.3.0..no PW rotation!

    Broadcom Employee
    Posted Oct 24, 2019 08:49 PM

    Hi,
    You are posting to the wrong community, please go to PAM community.

    https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer?tab=digestviewer&CommunityKey=3e91a086-c7b2-4bd0-9f8d-3493ed834111

    Also, please check the Tomcat log (catalina.out), which can be downloaded at the Configuration > Diagnostics Logs page, to see if there are any errors during that time frame.

    You may open a support case if further help is needed.




  • 3.  RE: upgraded from PAM 3.2.3 to Layer 7 PAM 3.3.0..no PW rotation!

    Posted Oct 25, 2019 12:30 PM

    Hello Tom, I meant to put it into Layer 7 PAM.

     

    Tarek Hamdy

    System Administrator | Cybersecurity Services Staff | Office of Chief Information Officer | Department of Justice

    Contractor – Entwined Technologies, Inc.

    Mobile:  (571) 723-2859 and 202-598-9362 | 145 N Street N.E. | 4E.113A | Washington D.C. 20530

    Email:tyhamdy@jmd.usdoj.gov

     






  • 4.  RE: upgraded from PAM 3.2.3 to Layer 7 PAM 3.3.0..no PW rotation!
    Best Answer

    Broadcom Employee
    Posted Oct 28, 2019 08:32 PM
    Hi Tarek,

    If something was working before and breaks after the upgrade, then probably it is a defect.
    I would recommend testing with PAM 3.3.1 as that is the most current version, and if it does not fix the issue then I hope you already have a support ticket raised.

    As Tomo suggested, do you see any error in the catalina.out?

    Regards,
    Kim

    ------------------------------
    Support Engineer 5
    Broadcom
    ------------------------------