Known Issues

This section describes the currently known issues and workarounds, where available.
Clustering Issues
Site-based VIP reassignment performance challenges in Azure
In each site of a cluster, the PAM VIP points to the first member of the Primary Site when clustering is turned on. If the first member fails, the other cluster members detect it and they reassign the VIP address to the next member of the Primary Site.
In Azure, this reassignment process can take several minutes. Microsoft is aware of this situation and states that a delay of this length is expected. The delay has these effects:
  1. Replication across secondary sites is delayed until the VIP is successfully reassigned. Secondary sites are equipped to handle this situation and recover gracefully once connectivity is restored.
  2. To ensure that end-user traffic is not disrupted, we recommend that customers deploy a load balancer in front of the primary site. PAM has a load-balancer-friendly heartbeat page which can be configured on the load balancers, allowing traffic to route appropriately.
Access Issues
RDP Sessions on Microsoft Terminal Servers Remain Open to Other Users Accessing the Terminal Server With the Same Target Account (Salesforce case 32050384/Internal defect DE467136)
When an RDP Application or an RDP Access session on a Microsoft Terminal Server is closed by any means, the Windows session on the Terminal Server remains available. Another PAM user who accesses the same Terminal Server with the same Target Account resumes the first user's session and can see all of its open content.
Workaround:
Create a unique target account for each user who needs to sign on to the terminal server, so that no two PAM users share a Windows session on the Terminal Server. Independently of PAM, a Remote Desktop Session Host can also be configured to end disconnected sessions after a time limit (Group Policy, Remote Desktop Session Host, Session Time Limits); this shortens the window but does not remove the exposure while a session is still disconnected.
Cisco Device Access Limitations (Salesforce case 00474300/Internal defect DE223994)
The following limitations apply when configuring Cisco device access through Privileged Access Manager:
  • You can configure only a single account in the transparent login policy for a Cisco device. Multiple accounts are not supported in the transparent login policy.
  • You cannot configure a unique enable password for each user with TACACS.
Web Portal does not open for Native Browser (DE349666)
Both Firefox and Internet Explorer fail to open a Web Portal TCP Service in version 2.8. However, the Web Portal succeeds when using CA PAM Client or the CA PAM Browser.
IdP-initiated Access to an RP Does Not Redirect the User Properly (DE349719)
PAM acting as an IdP does not redirect a user to the RP without challenging the user to authenticate. If you configure IdP-initiated SAML SSO for a TCP/UDP service, set the Browser Type field to CA PAM Browser. Do not select the Native Browser option: with the Native Browser, PAM challenges the user to authenticate before the user can access the Web Portal RP. The Browser Type field is on the Basic Info tab of the TCP/UDP settings.
Mozilla Firefox Versions 52 and Later Not Supported
Firefox versions 52 and later do not support NPAPI, which is required to run the Privileged Access Manager UI. These Firefox versions are therefore not supported. See Supported Environments for other options.
If you use an earlier version of Firefox, disable automatic updates (Options > Advanced > Update). Note that a browser pinned to an older version no longer receives security fixes; restrict such an installation to accessing PAM.
SSH Connections Fail for Some Server DH Key Sizes (DE274103)
Java only supports Diffie Hellman (DH) Key Agreement for key sizes that are multiples of 64 and in the range from 512 to 2048 (inclusive). If a server generates a DH key size that does not meet these criteria, Java throws an exception. The SSH connection fails.
Multiple RDP Application failures with 'Restrict Login' option
If you provision multiple RDP applications in a policy with "Restrict login if agent is not running" enabled, attempts to launch some of these RDP Applications might fail. Failure can occur even when the agent is running.
Syntax error may prompt incorrect message (DE158475)
If you enter a syntax error within a sudo or pbrun compound command, such as a 'for' loop or a multi-command line, the syntax error can generate an incorrect error message. Before trying to interpret error messages in this environment, check for any syntax errors.
Always use password for sudo and pbrun Commands
To avoid weakening security, configure sudo and pbrun so that they always require a password for each command execution. For sudo this means not granting NOPASSWD rules and disabling credential caching, so that a password entered for one command is not reused for the commands that follow (in sudoers, Defaults timestamp_timeout=0).
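As an added example that is not part of the PAM documentation or the product, the following POSIX shell functions audit a sudoers-format file for the settings that undermine the always-prompt requirement: NOPASSWD rules, Defaults !authenticate, and a timestamp_timeout other than 0. The function names, the file path in the usage comment and the sample rules are assumptions for illustration; the audit inspects only the file it is given, not #includedir fragments.

```shell
#!/bin/sh
# Added example, not part of the PAM documentation: audit a sudoers-format
# file for settings that let sudo run commands without a fresh password
# prompt. Assumes sudoers(5) syntax; #includedir fragments are not followed.

# Normalise the file: drop comment lines (but keep #include/#includedir
# directives) and blank lines, and join backslash-continued lines so that
# every rule occupies exactly one line.
sudoers_rules() {
    grep -Ev '^[[:space:]]*#([^i]|$)' "$1" \
      | grep -v '^[[:space:]]*$' \
      | sed -e ':a' -e '/\\$/N' -e 's/\\\n[[:space:]]*//' -e 'ta'
}

# Print one finding per line; the return code is the number of findings
# (0 means every command will prompt for a password).
audit_sudoers() {
    rules=$(sudoers_rules "$1")
    findings=0

    while IFS= read -r rule; do
        case "$rule" in
            *"NOPASSWD:"*)                 # rule never prompts
                printf 'no password prompt: %s\n' "$rule"
                findings=$((findings + 1)) ;;
        esac
        case "$rule" in
            Defaults*"!authenticate"*)     # authentication switched off
                printf 'authentication disabled: %s\n' "$rule"
                findings=$((findings + 1)) ;;
        esac
    done <<EOF
$rules
EOF

    # sudo caches a successful prompt for timestamp_timeout minutes (5 by
    # default); only timestamp_timeout=0 forces a prompt on every command.
    if ! printf '%s\n' "$rules" \
         | grep -Eq '^Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:],]|$)'; then
        printf 'credential caching: timestamp_timeout is not set to 0\n'
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage (path is an assumption): audit_sudoers /etc/sudoers; echo "findings: $?"
```

Run the audit with `visudo -c` first so that a syntax error is not mistaken for a clean result, and repeat it for each fragment under /etc/sudoers.d, which this helper does not follow.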
CA PAM Browser and Client Browser do not support NPAPI Plug-ins (DE161212)
The CA PAM Browser and the Privileged Access Manager Client Browser are based on JxBrowser. The JxBrowser version has been upgraded to improve security. However, neither the CA PAM Browser nor the Client Browser supports plug-ins that use the older NPAPI architecture, such as Adobe Flash and Oracle Java. The browsers fail to load pages that use NPAPI plug-ins.
Workaround:
Replace plug-ins that use NPAPI with versions that use PPAPI. For Adobe Flash, see http://get.adobe.com/flashplayer/otherversions/. For Oracle Java, there is no PPAPI equivalent.
RDP session closes when you open RDP application connection to Windows Server 2008 (DE158489)
In the Launch Path field for an RDP transparent login connection to Windows Server 2008, the case of the field entry must match the path. Otherwise, the login connection might be dropped.
PAM Cannot relaunch VNC applet after another device is accessed with auto-connect (DE140874)
This issue exists for the following specific scenario:
  • You are using a variety of VNC servers. Some use VNC protocol version 3.8 while others use VNC protocol version 3.7 or older.
  • Your policy allows you to access multiple machines with VNC and auto-connect.
  • You auto-connect to an initial system with VNC 3.8, then auto-connect to another system with VNC 3.7 or older. You then attempt to auto-connect to the initial server again with VNC.
The second attempt to auto-connect to the initial system with VNC might fail.
The issue exists because some of the servers use VNC 3.7 or older. The new VNC applet implements VNC protocol version 3.8. Therefore, the VNC access method, session recording, and auto-connect functionality support only VNC protocol version 3.8 or newer.
Workaround: Log out, log back in to Privileged Access Manager, and then start a new VNC auto-connect session to the original system.
PAM and PAM SC Login Integration Fails with Local Windows Accounts (DE457677)
The login integration feature fails to connect when local Windows accounts are used.
For the login integration feature to work with local Windows accounts, follow these steps:
  1. Identify how users are set up on the endpoint:
    1. Log in to the endpoint.
    2. In selang, at the prompt, enter the following command to display the list of available users:
      f user
  2. In PAM, create a Device (see Create a Device).
  3. Create an Application of type Generic (see Create an Application).
  4. Create an Account (see Create an Account), and follow these steps:
    1. In the Account Name field, enter the domain name associated with the user, as determined with the selang command in step 1.
    2. If selang shows no domain name for the user, accept the default account name.
  5. Check the login integration to determine whether it displays the actual user.
Credential Manager Issues
Error Message Appears on First Attempt to View the Password of the "nimadmin" Target Account (DE448878)
When a "nimadmin" target account is assigned a password view policy with the Reason Required For View option, the first attempt to view that password results in the following error: "ConnectionFailed: Unidentified Resource."
Workaround: Dismiss the error dialog and attempt to view the password again. All subsequent password view attempts succeed.
Number of Applications and Accounts Displayed by Target Group Details Differs from Show Button (DE171423)
If you change the name of a target server in Privileged Access Manager to a nonexistent hostname, the number of associated applications and accounts is affected. The Target Group Details count still displays the previous count, while the Show button no longer includes accounts and applications on the renamed server. This issue has been reported in version 2.8.x and earlier. To avoid this problem, do not change the server name to a nonexistent server.
Multiple Scripts of the Same Name but in Different Directories (DE158576)
Privileged Access Manager does not allow A2A credential management using multiple scripts that have the same name but are located in different directories. The exception is when the scripts are executed from different directories.
UTF-8 only for CLI input
Privileged Access Manager currently does not evaluate the encoding of CLI input and assumes that it is all UTF-8. Input in any other encoding, such as UTF-16, is misinterpreted and appears garbled.
Adobe Acrobat Reader DC Font Pack Required to View Japanese Credential Manager Reports In PDF format
To view Credential Manager PDF format reports in Japanese, install the Adobe Acrobat Reader DC FontPack1900820071_XtdAlf_Lang_DC font pack.
Case sensitivity
For the purposes of filtering and sorting information, all fields in the Credential Manager GUI are case-sensitive, except for the following fields:
  • Fields containing host names
    Host names are used typically to look up IP addresses. Host names fields appear on screens dealing with target servers, request servers, and other types of servers.
  • Fields containing device names
    Device names are assigned to machines to help identify them.
  • Description fields
    Descriptions contain additional information to identify an entity, such a policy, a user group, or a role.
  • Fields containing user information such as a user name
Case insensitivity applies strictly to the fields in the previous list. Other fields might display names. However, unless they are host names, device names, or user names, the field is case-sensitive for sorting and filtering.
Credentials Fail to Synchronize When the Target Application is MySQL on a Linux, UNIX, or Solaris Server (DE433674)
When a target application is configured for MySQL on a Linux, UNIX, or Solaris server, the associated target account credentials may fail to synchronize because of a time zone naming incompatibility: the MySQL server reports its time zone as an abbreviation (such as MDT) that the JDBC driver used by PAM cannot map to a single zone. The issue can typically be identified in the PAM catalina.out file. For example:
SEVERE: UpdateTargetAccountCmd.invoke -1: The server time zone value 'MDT' is unrecognized or represents more than one time zone. You must configure either the server or JDBC driver (via the serverTimezone configuration property) to use a more specific time zone value if you want to utilize time zone support.
Example Workaround:
The following procedure shows how to configure MySQL Server on Red Hat Linux to return the time zone as an IANA zone name (for example, America/Los_Angeles), which the PAM MySQL driver understands. The exact commands may vary slightly depending on your target server platform and configuration.
Follow these steps:
  1. Log in to the Red Hat server.
  2. Populate the MySQL time zone tables. Use the mysql_tzinfo_to_sql command to convert the zoneinfo directory and pipe the output into MySQL. For example:
    mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
    See the MySQL documentation for more details about time zones in MySQL.
  3. Run the timedatectl command on the Red Hat Linux server to get the current time zone from Linux. For example:
    # timedatectl
          Local time: Tue 2019-10-01 10:50:15 PDT
      Universal time: Tue 2019-10-01 17:50:15 UTC
            RTC time: Tue 2019-10-01 17:50:15
           Time zone: America/Los_Angeles (PDT, -0700)
         NTP enabled: yes
    NTP synchronized: yes
     RTC in local TZ: no
          DST active: yes
     Last DST change: DST began at
                      Sun 2019-03-10 01:59:59 PST
                      Sun 2019-03-10 03:00:00 PDT
     Next DST change: DST ends (the clock jumps one hour backwards) at
                      Sun 2019-11-03 01:59:59 PDT
                      Sun 2019-11-03 01:00:00 PST
  4. Locate the MySQL configuration file my.cnf (often found in /etc) and add the following property to the [mysqld] section:
    default-time-zone=<TIME_ZONE>
    Where <TIME_ZONE> is the value on the Time zone line of the timedatectl output from step 3. For example:
    default-time-zone='America/Los_Angeles'
  5. Restart the MySQL service. On a systemd-based Red Hat system:
    systemctl restart mysqld
    The service name is mysqld or mariadb depending on the package installed.
  6. Verify the change. The following query should return the IANA name (for example, America/Los_Angeles) rather than SYSTEM:
    mysql -u root -p -e "SELECT @@global.time_zone"
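The mapping performed in steps 3 and 4 above, as an added example that is not part of the PAM documentation or the product: a POSIX shell helper that extracts the IANA zone name from timedatectl output, refuses abbreviations such as MDT (the very kind of value the driver cannot resolve), and adds or updates default-time-zone in the [mysqld] section of a my.cnf file without duplicating the setting. The function names and the file paths are assumptions; the timedatectl output used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not from the PAM documentation: derive the IANA time zone
# name from `timedatectl` output and set default-time-zone in my.cnf so the
# MySQL server stops reporting an ambiguous abbreviation such as MDT.
# Function names and paths are assumptions for illustration.

# Print the zone name from timedatectl output supplied on stdin, e.g.
# "Time zone: America/Los_Angeles (PDT, -0700)" -> "America/Los_Angeles".
tz_from_timedatectl() {
    sed -n 's/^[[:space:]]*Time zone:[[:space:]]*\([^ ]*\).*/\1/p' | head -n 1
}

# Add or update default-time-zone in the [mysqld] section of the file given
# as $1, using the zone name given as $2. Idempotent: running it twice leaves
# exactly one default-time-zone line. Other sections and settings are kept.
set_default_time_zone() {
    cnf="$1"; tz="$2"
    # Only accept unambiguous IANA names (Area/Location, or UTC). An
    # abbreviation such as MDT is exactly what the JDBC driver rejects.
    case "$tz" in
        UTC|*/*) ;;
        *) printf 'refusing %s: use an IANA zone name such as America/Denver\n' "$tz" >&2
           return 1 ;;
    esac
    [ -f "$cnf" ] || printf '[mysqld]\n' > "$cnf"
    awk -v tz="$tz" '
        BEGIN { setting = "default-time-zone=\047" tz "\047" }
        /^\[mysqld\]/ { in_mysqld = 1; print; next }
        /^\[/ {                       # leaving [mysqld]: add the setting if not seen
            if (in_mysqld && !done) { print setting; done = 1 }
            in_mysqld = 0
        }
        in_mysqld && /^default-time-zone[[:space:]]*=/ { print setting; done = 1; next }
        { print }
        END {
            if (!done) { if (!in_mysqld) print "[mysqld]"; print setting }
        }
    ' "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
}

# Usage on the MySQL host (as root; paths are assumptions):
#   tz=$(timedatectl | tz_from_timedatectl)
#   set_default_time_zone /etc/my.cnf "$tz" && systemctl restart mysqld
```

After the restart, `SELECT @@global.time_zone` should return the zone name you set; if it still returns SYSTEM, the setting landed in a file or section the server does not read, or the time zone tables from step 2 were not loaded.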
Client Issues
PAM Client Installer Fails on Windows Server 2019 (DE425707)
On Windows Server 2019, the PAM Client installer fails, displaying an "Installer UI Mode Error" dialog.
Workaround:
Add a JAVA_TOOL_OPTIONS system variable to the system environment variables using the following procedure:
  1. In the System Properties dialog, click the Advanced tab.
  2. Select Environment Variables.
  3. Under System Variables, select New.
  4. Add the following system variable:
    JAVA_TOOL_OPTIONS
  5. Set the following value for the system variable:
    "-Dos.name=Windows 7"
JAVA_TOOL_OPTIONS is read by every Java process on the host, not only by the installer. If the same server also runs a PAM Windows Proxy, the proxy then reports the overridden OS name instead of the actual one (see "Windows Proxy and Windows Server 2016 Target Device OS Information Is Wrong" under Other Issues). Remove the variable once it is no longer needed.
CA PAM Client Shows an IdP Login Form Instead of an Error Message (DE334815)
If SAML is not properly configured, the CA PAM Client displays a login form instead of the expected error "An error occurred while processing your request. Please contact your help desk for assistance."
"Cannot load JVM options" error when launching PAM client on Japanese Windows computer (DE314263)
Privileged Access Manager does not support installing the CA PAM Client in directories whose names include Japanese characters. If you install the CA PAM Client on a Japanese-language computer, select the Typical option and, in the Install Folder step, enter a folder path that contains no Japanese characters.
Older Linux installations require more libraries (DE137968)
This issue occurs when the PAM Client is installed on a workstation that uses an older version of Linux. The PAM Client uses the libXss.so.1 library from libXScrnSaver and the libgconf package. These libraries and packages might not be included in older versions of Linux.
Workaround: Ensure that libXScrnSaver and libgconf are available on the workstation before you install the CA PAM Client.
A2A Client and Target Connector Issues
Account with elevated privileges in Cisco IOS is not supported by Cisco target connector (DE158580)
An account in Cisco IOS with privilege level 15 is not required to provide credentials when the enable command is used. That configuration is currently not supported by the Cisco target connector, so such an account cannot be managed by the target application.
Workaround: Use another account with privilege level 0 to manage the level 15 account.
UNIX Client uninstaller does not remove THIRD_PARTY_LICENSE (DE158682)
The UNIX A2A Client installer puts file THIRD_PARTY_LICENSE in /opt/cloakware. The uninstaller does not remove the file.
Upgrade Issues
Secondary Backup Drive can cause an upgrade issue (AMI upgrade only)
If you are upgrading the appliance on an AMI, remove any secondary backup drive that you added for the previous upgrade to 3.0. If you fail to remove the secondary drive, the upgrade completes without producing an error, but your appliance version is not upgraded.
Other Issues
Changing the MAC Address of a PAM Virtual Server (VMware, AWS, or Azure) Causes PAM to Recognize it as a Clone, Causing Multiple Serious Issues (DE474220, Salesforce case: 31868078)
Changing the network interface MAC address or addresses of a virtual appliance changes its hardware ID. PAM then recognizes the server as a clone when it next starts up, with the following serious negative effects:
  • The database is left in an inconsistent state and must be reset.
  • Your session logs are lost.
  • Your session recordings are lost.
Before any operation that could change a virtual appliance's MAC addresses (re-creating or re-attaching a network interface, or migrating the VM in a way that assigns new addresses), take a backup of the appliance.
Windows 2016 and Windows 2019 not recognized in Device Discovery (DE346437, DE475642)
Device Discovery does not reliably discover Windows 2016 or Windows 2019. You can set the Default OS to either Windows 2016 or Windows 2019, or manually change the OS after discovery.
SFA with blacklist throws "Access Denied" message for non-blacklisted IP when launching SSH Proxy service (DE281461)
An SSH Proxy connection is wrongly refused in the following circumstances: a Socket Filter Agent with a Blacklist and an SSH Proxy are added to the same device, and the Blacklist is configured with the action "Logout of terminal device." A user selects "Restart Session" on the Access page, selects the SSH Proxy service with auto-login, and then enters "ssh DeviceIP" for a device that is not blacklisted. An "Access denied" message appears. The connection should be established, but is not.
Privileged Access Manager API Documentation feature not supported in Internet Explorer 9
The documentation and test feature of the External API does not work correctly in Internet Explorer 9 (IE 9). Use IE 11 instead. To access this feature, select the API Doc link from the upper-right menu.
Keyboard Mapping Issues (DE158692)
When using a Linux or Mac OS client, keyboard mapping of some keys for languages other than English might not work correctly on some keyboards.
Unable to log in to Privileged Access Manager using RADIUS when Two RADIUS Servers are configured (DE172566)
Redundant RADIUS servers sometimes fail CHAP authentication when used with One-Time Passwords (OTP). This problem causes login failures.
Workaround:
In the UI, configure the RADIUS server responsible for OTP as the last server in the list of configured RADIUS servers.
Context-Sensitive Menu Disabled
The browser right-click context menu is disabled in the 3.x user interface. The navigation operations that are exposed by the context menu are not supported because they can put the web application into an invalid state. The new web application operates as a single HTML page with dynamic content that is generated at runtime.
PAM Access Agent Does Not Support Password View Policies That Require Retrospective Approval
When a user requests to view a password that requires retrospective approval in the PAM Access Agent, the dialog that informs them that their request is for emergency access and requires retrospective approval does not appear, which breaks the workflow.
Windows Proxy and Windows Server 2016 Target Device OS Information Is Wrong
After a Windows Proxy is installed on a server (such as Windows Server 2016), the wrong OS name appears under Credentials -> Manage Targets -> Proxies -> Update -> Type Info.
This happens when the JAVA_TOOL_OPTIONS environment variable has been set on the server with a value that overrides the OS name, for example JAVA_TOOL_OPTIONS: "-Dos.name=Windows 7" (the workaround for the Windows Server 2019 client installer issue, DE425707). The value in JAVA_TOOL_OPTIONS takes priority, so the proxy reports the overridden OS name instead of the actual one.
Workaround:
Remove the environment variable from the server to see the actual OS in the Proxies screen.