Symantec Privileged Access Management

Hello All,

I have written a teradata connector for PAM 3.3 . I have written the functions for teradata DB password verification and update code. The port used for teradata url is also configurable in the application UI. During testing I have found that when the wrong teradata port is given and the verify function is called , an error is displayed in the PAM UI
i.e.

PAM-CM-1766: Failed to verify password with target: PAM-EF-0013:Error processing request. Please contact administrator. Connector Host: pamconnect(169.254.102.204)


and the log message that we got is 

25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Connect url is given as jdbc:teradata://192.168.232.128/DBS_PORT=1025,TMODE=ANSI,CHARSET=UTF8
25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Credential Verify
25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Connecting to jdbc:teradata://192.168.232.128/DBS_PORT=1025,TMODE=ANSI,CHARSET=UTF8
25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] using the username verifypam
25-Mar-2021 07:55:46.374 SEVERE [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.credentialsValidate [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Failed to verify credentials for user: 'verifypam' on device: 'terradataserver' with targetApplicationName: 'teradataAppTest'. Reason:
java.lang.IllegalStateException: Verify failed.
at com.hcl.TeradataConnector.api.Credentials.processCredentialVerify(Credentials.java:395)
at com.hcl.TeradataConnector.api.Credentials.credentialsValidate(Credentials.java:149)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)

Is there any way to reflect the right error for port no is PAM UI ??  I am looking for some message like 

PAM-CM-1766: Failed to verify password with target: PAM-EF-abcd:Wrong port no given in URL.. Please contact administrator. Connector Host: pamconnect(169.254.102.204)

in place of 
PAM-CM-1766: Failed to verify password with target: PAM-EF-0013:Error processing request. Please contact administrator. Connector Host: pamconnect(169.254.102.204)

-Regards
   Mohit

------------------------------
Software Consultant
Broadcom
------------------------------

Hi Mohit, This is your custom connector, you control what messages it writes on error. You see that the connector runs into an exception in the processCredentialVerify() method called from credentialsValidate(), both in the Credentials class, source file Credentials.java. This is the class you customize, and you can control what exceptions are thrown in which method, and what message the credentialsValidate() method writes when it catches a specific exception. In this case your custom code throws an IllegalStateException, which is not caught specifically, and so you get into the "catch (Exception e)" case, which throws a new ExtensionException with message MessageConstants.SERVER_ERROR == PAM-EF-0013. I question your intentions above though. How could your code distinguish between the case where the port is wrong and where the port is right but the DB service listening on the port is down? And the fact that there is no log message showing a connect error in your log points to missing diagnostics in your custom code.
Original Message:
Sent: 03-31-2021 01:06 PM
From: Mohit Aggrawal
Subject: Teradata Connector error

Hello All,

I have written a teradata connector for PAM 3.3 . I have written the functions for teradata DB password verification and update code. The port used for teradata url is also configurable in the application UI. During testing I have found that when the wrong teradata port is given and the verify function is called , an error is displayed in the PAM UI
i.e.

PAM-CM-1766: Failed to verify password with target: PAM-EF-0013:Error processing request. Please contact administrator. Connector Host: pamconnect(169.254.102.204)


and the log message that we got is

25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Connect url is given as jdbc:teradata://192.168.232.128/DBS_PORT=1025,TMODE=ANSI,CHARSET=UTF8
25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Credential Verify
25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Connecting to jdbc:teradata://192.168.232.128/DBS_PORT=1025,TMODE=ANSI,CHARSET=UTF8
25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] using the username verifypam
25-Mar-2021 07:55:46.374 SEVERE [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.credentialsValidate [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Failed to verify credentials for user: 'verifypam' on device: 'terradataserver' with targetApplicationName: 'teradataAppTest'. Reason:
java.lang.IllegalStateException: Verify failed.
at com.hcl.TeradataConnector.api.Credentials.processCredentialVerify(Credentials.java:395)
at com.hcl.TeradataConnector.api.Credentials.credentialsValidate(Credentials.java:149)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)

Is there any way to reflect the right error for port no is PAM UI ??  I am looking for some message like

PAM-CM-1766: Failed to verify password with target: PAM-EF-abcd:Wrong port no given in URL.. Please contact administrator. Connector Host: pamconnect(169.254.102.204)

in place of
PAM-CM-1766: Failed to verify password with target: PAM-EF-0013:Error processing request. Please contact administrator. Connector Host: pamconnect(169.254.102.204)

-Regards
   Mohit

------------------------------
Software Consultant
Broadcom
------------------------------

Original Message:
Sent: 3/31/2021 11:23:00 PM
From: Ralf Prigl
Subject: RE: Teradata Connector error

Hi Mohit, This is your custom connector, you control what messages it writes on error. You see that the connector runs into an exception in the processCredentialVerify() method called from credentialsValidate(), both in the Credentials class, source file Credentials.java. This is the class you customize, and you can control what exceptions are thrown in which method, and what message the credentialsValidate() method writes when it catches a specific exception. In this case your custom code throws an IllegalStateException, which is not caught specifically, and so you get into the "catch (Exception e)" case, which throws a new ExtensionException with message MessageConstants.SERVER_ERROR == PAM-EF-0013. I question your intentions above though. How could your code distinguish between the case where the port is wrong and where the port is right but the DB service listening on the port is down? And the fact that there is no log message showing a connect error in your log points to missing diagnostics in your custom code.
Original Message:
Sent: 03-31-2021 01:06 PM
From: Mohit Aggrawal
Subject: Teradata Connector error

Hello All,

I have written a teradata connector for PAM 3.3 . I have written the functions for teradata DB password verification and update code. The port used for teradata url is also configurable in the application UI. During testing I have found that when the wrong teradata port is given and the verify function is called , an error is displayed in the PAM UI
i.e.

PAM-CM-1766: Failed to verify password with target: PAM-EF-0013:Error processing request. Please contact administrator. Connector Host: pamconnect(169.254.102.204)


and the log message that we got is

25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Connect url is given as jdbc:teradata://192.168.232.128/DBS_PORT=1025,TMODE=ANSI,CHARSET=UTF8
25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Credential Verify
25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Connecting to jdbc:teradata://192.168.232.128/DBS_PORT=1025,TMODE=ANSI,CHARSET=UTF8
25-Mar-2021 07:55:46.328 INFO [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.processCredentialVerify [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] using the username verifypam
25-Mar-2021 07:55:46.374 SEVERE [http-nio-127.0.0.1-18080-exec-9] com.hcl.TeradataConnector.api.Credentials.credentialsValidate [17b5be71-c0d8-43de-9376-133a3957bb6e] [TeradataConnector] Failed to verify credentials for user: 'verifypam' on device: 'terradataserver' with targetApplicationName: 'teradataAppTest'. Reason:
java.lang.IllegalStateException: Verify failed.
at com.hcl.TeradataConnector.api.Credentials.processCredentialVerify(Credentials.java:395)
at com.hcl.TeradataConnector.api.Credentials.credentialsValidate(Credentials.java:149)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)

Is there any way to reflect the right error for port no is PAM UI ??  I am looking for some message like

PAM-CM-1766: Failed to verify password with target: PAM-EF-abcd:Wrong port no given in URL.. Please contact administrator. Connector Host: pamconnect(169.254.102.204)

in place of
PAM-CM-1766: Failed to verify password with target: PAM-EF-0013:Error processing request. Please contact administrator. Connector Host: pamconnect(169.254.102.204)

-Regards
   Mohit

------------------------------
Software Consultant
Broadcom
------------------------------