Issue:
After provisioning API request credentials by following the instructions in the CA PAM 2.6 Implementation Guide in a CA PAM cluster environment, an external API call made with those credentials fails with error code 401 and the message "Unauthorized: The attempt to retrieve the user's password for login failed. Please check with an administrator for further details." The session logs contain the message "User *** using API key YYY can't perform GET operations while cluster is stopped ...", even though the cluster is ON and in sync.
Cause:
The customized default password view policy (PVP), which is automatically associated with the target account created when the API request credentials are provisioned, had the "Checkout/Checkin" and "Change Password On View" options checked.
Workaround:
Change the default PVP or associate the target accounts for the ApiKey target application with a different PVP that does not have both options set.
Solution:
This appears to be an issue related to password checkout and API keys... not a conflict between "change on view" and "check out/check in". I was only able to clear the error by disabling password checkout altogether... which is unfortunate as that is the ideal PVP for API-Keys.