Symantec Privileged Access Management

  • Private Community
 View Only

  • 1.  Issues with RSA and CA PAM integration

    Posted Jul 05, 2018 01:12 AM

    Hello All,

     

    I have query regarding RSA integration with CA Privilege Access Manger.
    There is a limitation that we cannot create any new user in RSA hence we are using the existing RSA user (which is already in use and working fine).


    We have imported the "sdconf.rec" and "sdopts.rec" in CA PAM and created the same user in AD (Active directory) which works fine if we login using LDAP Authentication to CA PAM.

     

    After this we have tried logging in to CA PAM console using LDAP+RSA option and we are getting the error as

    "Error: PAM-CMN-0900: Bad User ID or Password."


    Request help on this, Thanks in Advance..!



  • 2.  Re: Issues with RSA and CA PAM integration

    Broadcom Employee
    Posted Jul 05, 2018 09:56 AM

    Hi Shyam, A user can login to PAM using one authentication type only. If the user was imported as part of a group that uses LDAP authentication, the LDAP+RSA option will not work. Can you clarify the group membership for this user and whether other users in the group can login successfully using LDAP+RSA?



  • 3.  Re: Issues with RSA and CA PAM integration

    Posted Jul 05, 2018 10:58 AM

    Hi Ralf,

     

    We have a user001 in LDAP (Active Directory) added to a PAMAccessGroup. PAM allows user to access PAM application only if the user is member of this group. This configuration is already done and the user001 is able to login with AD credentials.

     

    The same user is already available in RSA server, for VPN access. The RSA team asked us use this existing user in RSA servers, and create the same user in local PAM or LDAP. So that RSA authentication will work. So, we tried using RSA and LDAP+RSA. But both didnt work.

     

    Kindly let us know. What is the correct method for RSA only and LDAP+RSA? Do we need to have any linking between RSA and LDAP so that the RSA or LDAP +RSA authentication will work.

     

    And also, we dont see any information or failure related messages from PAM tomcat logs. Kindly let us know in PAM, how do we see the logs for PAM and RSA communication?

     

     

     

    Thanks

    dk



  • 4.  Re: Issues with RSA and CA PAM integration
    Best Answer

    Broadcom Employee
    Posted Jul 06, 2018 05:10 AM

    Hello DK

     

    As mentioned before by Ralf - when you do the import of the LDAP group specifying the authentication method LDAP only - finally members of that group will be able to login to PAM with LDAP method only.

     

    Hence you have to import the LDAP group in your case specifying LDAP+RSA so that the user can use the additional method.

     

    Anyway, please make sure to logout of PAM (best close the UI completely) and login again to see the new features.

     

    Should you face any issues with this process, please do not hesitate to open a Support Case with us.