Use A2A to Secure the Keystore and Password (Optional)

The Custom Connector keystore contains the TLS key/certificate pair for HTTPS communication. You can configure PAM to encrypt and store the keystore password. The Custom Connector server securely retrieves the password using the A2A feature.
To implement the A2A method, configure specific target applications and associated A2A target accounts. The target accounts hold the password for accessing the keystore, a call stack hash, and a file list hash. These mechanisms work together to secure the keystore password.
PAM can randomly generate the keystore password, which you use when you create the keystore at the Custom Connector server. The call stack and file list hashes let the Custom Connector server confirm, before it requests the keystore password, that its deployed files and its calling code still match the values recorded at PAM. PAM itself enforces the A2A mapping checks (execution user, execution path, file path, and script integrity) on every request, so the password is released only to the registered script running unmodified from the expected location.
This A2A method is an alternative to using the tcfCryptoUtil utility to encrypt the keystore password. The A2A method provides file integrity validation, which tcfCryptoUtil does not. To use tcfCryptoUtil, see the instructions in Deploy the Custom Connector Toolkit, in the section "Create a Keystore for HTTPS Communication."
The following figure illustrates the A2A setup:
Figure: A2A Keystore Password Encryption
To set up A2A for securing the keystore password, complete the following tasks:
Install the A2A Client
Install the A2A Client on the Custom Connector server and register the Client with PAM. For instructions, see Install an A2A Client for Credential Management.
When you install the A2A Client, it sends a registration request to PAM. As part of the registration process, PAM creates a device, unless it finds an existing one. The device name is the fully qualified domain name or IP address of the host where the client is installed. The device type, which is set to A2A, is used later in this procedure.
Edit the cspmclient.xml file, and remove the preserveCacheBetweenRestarts parameter. The A2A Client does not need to cache credentials for this use; the target accounts are configured with No Cache later in this procedure.
Configure PAM Components for A2A
Configure the following PAM components to secure the keystore with A2A:
  • A2A device configuration
  • Two password composition policies
  • Two target applications, one for the keystore and one for both hash values
  • Three target accounts, one for the keystore, one for the call stack hash, and one for the file list hash
  • An A2A script, which gets credentials from PAM
  • An A2A target group (optional)
  • A2A mappings for the target accounts
The following sections explain how to configure these components. The procedures list only the fields requiring configuration, including sample values. For step-by-step A2A configuration procedures, see Add and Run Credential Manager A2A Requestors.
Modify the A2A Device Configuration
A device record is required for the appliance to establish a relationship between the Tomcat server and the A2A target accounts.
Select the A2A device for the registered A2A Client. For this procedure, assume that the A2A device has the following values:
  • Name: tcf.tomcat.host
    The host name of the Tomcat server where the TCF and the A2A Client are installed.
  • Address: tcf.tomcat.host
    The Address field uses the same value as the Name field, whether the value is an IP address or a fully qualified domain name.
For the device to manage credentials for the keystore, add Password Management to the Device Type setting.
Follow these steps:
  1. Go to Devices, Manage Devices.
  2. From the list, select the A2A device record and select Update.
  3. For the Device Type setting, select Password Management. The Device Type is now set to both Password Management and A2A.
  4. Select OK to save the changes.
Create Two Password Composition Policies
To specify the characteristics of the keystore password and of the call stack and file list hash values, configure two password composition policies. Create one policy for the keystore password. Create a second policy for the hash values.
Navigate to Credentials, Manage Targets, Password Composition Policies and configure the policies with the following values:
Keystore Password Policy:
Configure a policy to generate a password for the keystore. At the Custom Connector server the password is held only in memory, but it still protects the TLS private key, so make it a strong password of sufficient length.
  • Name: Assign a descriptive name to the policy, such as KeyStorePCP.
  • Minimum Length and Maximum Length: Set both to 64 characters.
  • Must Contain and First Must Contain: Include uppercase, lowercase, and numeric characters. Avoid special characters.
Hashes Password Policy:
Configure a policy that defines the requirements for the call stack and file list hash values. The Custom Connector server calculates these hash values. Before the server requests the keystore password, it compares these hashes with the hashes that are stored in the target accounts at PAM. The policy therefore describes the shape of a hash value rather than a password: a 64-character string of lowercase letters and digits accommodates a hex-encoded hash.
  • Name: Assign a descriptive name to the policy, such as TCFHashPCP.
  • Minimum Length and Maximum Length: Set both to 64 characters.
  • Must Contain and First Must Contain: Use only lowercase and numeric characters. Avoid special characters.
Configure Two Target Applications
Configure two target applications (Credentials, Manage Targets, Applications). One application is for the keystore password and one application is for the call stack and file list hash values.
Keystore Target Application: Specify the following values for the keystore application:
  • Host Name: Enter the name of the A2A device (tcf.tomcat.host).
  • Device Name: Enter the name of the A2A device (tcf.tomcat.host).
  • Application Name: Enter a name that indicates that this target application is for the keystore (TCFKeyStoreApplication).
  • Application Type: Generic
  • Password Composition Policy: Specify the keystore password policy that you created (KeyStorePCP).
Hashes Target Application: Specify the following values for the hash values application:
  • Host Name: Enter the name of the A2A device (tcf.tomcat.host).
  • Device Name: Enter the name of the A2A device (tcf.tomcat.host).
  • Application Name: Enter a name that indicates that this target application is for the hashes, such as TCFHashApplication.
  • Application Type: Generic
  • Password Composition Policy: Specify the hashes password policy that you created (TCFHashPCP).
Create Three Target Accounts
Configure three target accounts: one for the keystore password, one for the call stack hash, and one for the file list hash. The Custom Connector server calculates the hash values, and you copy these values into the target accounts. Before the Custom Connector server requests the keystore password, it compares its calculated hashes with the target account hashes. The values must match.
Keystore Target Account: When you configure the keystore target account, you generate a password. This password is encrypted and stored in the PAM database. Use this generated password for the keystore that you create at the Custom Connector server.
Specify the following values for the account and save the account:
  • Host Name: Enter the name of the A2A device (tcf.tomcat.host).
  • Device Name: Enter the name of the A2A device (tcf.tomcat.host).
  • Application Name: Enter the name of the keystore target application (TCFKeyStoreApplication).
  • Account Name: Enter a name that indicates that this target account is for the keystore, such as TCFKeystore.
  • Password View Policy: Default
  • Account Type: A2A Account
  • Aliases: We recommend that you enter the same name as the target account name, TCFKeystore. You can specify a different value, but whatever you enter here is the value that the Custom Connector server must use in catalina.properties later in this procedure.
  • Cache Behavior: No Cache
  • Password: Select the key ring icon and generate a password.
In the Target Accounts list:
  1. Select the keystore account that you created.
  2. Under Action, select the eye icon to view the password.
  3. Copy this password and save it securely. This value is required when you create the keystore at the Custom Connector server.
Call Stack Hash Target Account: Specify the following values for the account:
  • Host Name: Enter the name of the A2A device (tcf.tomcat.host).
  • Device Name: Enter the name of the A2A device (tcf.tomcat.host).
  • Application Name: Enter the name of the target application that you created for the hashes (TCFHashApplication).
  • Account Name: Enter a name that indicates that this target account is for the call stack hash, such as TCFCallStackHash.
  • Password View Policy: Default
  • Account Type: A2A Account
  • Aliases: We recommend that you enter the same name as the target account name, TCFCallStackHash. You can specify a different value.
  • Cache Behavior: No Cache
  • Password: Select the key ring icon and generate a password. After the Custom Connector server generates the call stack hash, update this field with that hash value.
File List Hash Target Account: Specify the following values for the account:
  • Host Name: Enter the name of the A2A device (tcf.tomcat.host).
  • Device Name: Enter the name of the A2A device (tcf.tomcat.host).
  • Application Name: Enter the name of the target application that you created for the hashes (TCFHashApplication).
  • Account Name: Enter a name that indicates that this target account is for the file list hash, such as TCFFileListHash.
  • Password View Policy: Default
  • Account Type: A2A Account
  • Aliases: We recommend that you enter the same name as the target account name, TCFFileListHash. You can specify a different value.
  • Cache Behavior: No Cache
  • Password: Select the key ring icon and generate a password. After the Custom Connector server generates the file list hash, update this field with that hash value.
Identify the A2A Script that Retrieves the Keystore Password
The A2A script, which is a Java class, runs on the Tomcat server. This script uses the A2A Client to fetch the keystore password from PAM.
PAM calculates the script hash when one of the following requests occurs:
  • You select Get Script Hash when you add an A2A script in the UI.
  • The A2A Client uses the script to send a password request.
At PAM, identify the A2A script:
  1. In the UI, select Credentials, Manage A2A, Scripts.
  2. Select Add and specify the following values:
    • Client: tcf.tomcat.host
    • Device Name: tcf.tomcat.host
    • Script/App Name: Enter the class name that calls the A2A Client. In this context, the class name is com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource
    • Execution Path: Specify the directory where the Tomcat server is installed on the Custom Connector server. Note: If the Execution Path check is enabled in the mapping, paths that include soft links cause the request to fail, so enter the resolved physical path. Example: In the path /example/linkdir/test, if linkdir is a soft link to realdir, the Execution Path should be /example/realdir/test.
    • File Path: Specify the location of the class, which is the TCF CryptoUtil JAR file in the /lib directory of the Tomcat server. For example: C:\DevTools\apache-tomcat-9.0.13\lib\capamextensionstcfCryptoUtil-4.16.0.jar
    • Type: Java
  3. Select OK.
The version number in the JAR file name varies; use the name of the JAR file that is actually present in the Tomcat lib directory (the file that you copy there later in this procedure), because the File Path and script integrity checks are made against that file.
Configure a Target and Request Group to Reduce A2A Mappings (Optional)
PAM must authorize requesters who want to retrieve the keystore password. An A2A mapping is the mechanism that PAM uses to verify a requesting script before releasing the requested credentials.
You can use a target group to organize the accounts for the keystore password, call stack hash, and file list hash. Using this target group requires only one A2A mapping. Without a target group, you have to configure individual mappings for each account. If several Custom Connector servers are deployed, use an A2A request group for the A2A mappings.
Create a Target Group
A target group lets you organize target accounts. A target group can use filters on host servers, applications, and accounts. By using a target group for the keystore password and the two hash target accounts, you can more easily manage authorization policies between clients and scripts.
Follow these steps:
  1. From the UI, select Credentials, Manage Targets, Target Groups.
  2. Add a group.
  3. Complete the following settings:
    • Name: Enter a descriptive name, such as TCFTargetGroup.
    • Server section: Select the Filter column for the Host Name field. Filter on a string that is contained in the name of the Tomcat servers.
    • Application section: Select the Filter column for the Application Name field. Add a string that applies to all the relevant TCF target applications that you configured earlier. For example, with the application names used in this procedure (TCFKeyStoreApplication and TCFHashApplication), filter on TCF. (The original page shows a screenshot of this filter.)
    • Account section: Select the Filter column for the Account Name field. Add a string that applies to all the relevant TCF target accounts that you configured earlier.
Keep the filters as narrow as possible: every account that matches the group becomes retrievable by the mapped script.
Create an A2A Request Group
If you deploy two or more Custom Connector servers, a request group is useful. All servers in the group need access to the keystore credentials.
Follow these steps:
  1. From the UI, select Credentials, Manage A2A, Request Groups.
  2. Add a group.
  3. In the Client section, select the Filter column for the Host Name field. Filter on a string that is contained in the name of the Tomcat servers. Add a second host for the other Custom Connector server. Ensure that both servers use the same A2A script.
  4. In the Script section, select the Filter column for the Name field. Filter on the name of the A2A script that you created previously. (The original page shows a screenshot of the Script section of the A2A request group page.)
  5. Continue to the next section and create an A2A mapping.
Create an A2A Mapping for Requester Authorizations
The final configuration step at PAM is to configure an A2A mapping for requester authorizations. Create a mapping between the A2A script running on the Tomcat server and the individual target accounts or the target group. This mapping tells the appliance to authorize the requester (the A2A script) and grant it access to the credentials. Leave all of the mapping checks enabled: they are the controls that prevent a different program, a different OS user, or a modified copy of the script on the same host from obtaining the keystore password.
A mapping to a target group includes the aliases of all accounts in the group. A mapping from a request group includes all Custom Connector servers in the group.
If your environment has only one Custom Connector server, add an A2A authorization mapping for a single client.
To map the script to a single Tomcat server, specify the following values:
  • Target: Select Group and specify the TCFTargetGroup. (If you did not create a target group, select Individual and create one mapping per target account.)
  • Request: Select Client and enter the address registered for the A2A Client (the IP address or fully qualified domain name of tcf.tomcat.host).
  • Script: Select Individual and specify the name of the script, com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource
  • Check Execution User/Execution User: Select this checkbox and specify the OS user account that runs the Tomcat server.
  • Check Execution Path: Select this checkbox.
  • Check File Path: Select this checkbox.
  • Perform Script Integrity Validation: Select this checkbox.
To map the script to multiple Tomcat servers, specify the following values:
  • Target: Select Group and specify the target group that holds the keystore and hash accounts (TCFTargetGroup).
  • Request: Select Group and select the name of the request group that you created previously.
  • Check Execution User/Execution User: Select this checkbox and specify the OS user account that runs the Tomcat server.
  • Check Execution Path: Select this checkbox.
  • Check File Path: Select this checkbox.
  • Perform Script Integrity Validation: Select this checkbox.
Configure the Custom Connector to Obtain the Keystore Password
After you set up the A2A components at PAM, set up the Custom Connector server to retrieve the keystore password. Some of the values configured at PAM (the generated keystore password and the target account aliases) are required to create and secure the keystore.
Create a Keystore Protected by the PAM-Generated Password
To secure communication between PAM and the Custom Connector, create a PKCS12 keystore that contains an X.509 certificate and its private key. Protect the keystore with the password that PAM generated for the keystore target account. With the A2A method, the password is neither written to disk in plain text nor encrypted with the configTCF utility; Tomcat fetches it from PAM at startup.
The keystore that holds the X.509 key/certificate pair is separate from the keystore that secures the payload from PAM.
Example: Keystore Set Up Using Keytool
Many tools are available to create a keystore. The following procedure uses the keytool utility, which ships with the JDK, as an example.
The self-signed certificate expires after the number of days that are specified by the -validity command argument. In the following procedure, the certificate expires after 360 days. To renew it, repeat this procedure using the same password, so that the password stored in the keystore target account at PAM remains valid.
Follow these steps to create the keystore:
  1. Create a PKCS12 keystore by entering the following keytool command. If you created a keystore when you initially deployed the Custom Connector, do not create a new one; make sure that the password stored in the keystore target account at PAM matches that keystore's password (keytool -storepasswd changes the password of an existing keystore), then move on to step 2.
    keytool -genkey -alias pam -keyalg RSA -keysize 2048 -storetype PKCS12 -dname "CN=capamtcf, OU=PAM, O=CA, L=Burlington, ST=MA, C=US" -keypass password -storepass password -keystore <keystore_file> -validity 360
    password is the password that PAM generated for the keystore target account. Use the same value for -keypass and -storepass: keytool does not support different store and key passwords for PKCS12 keystores. (-genkey is an older alias of -genkeypair; both work.)
    keystore_file is the path and file name where you want to generate the keystore.
    The command writes the keystore file and prints nothing that you need to capture. There is no encrypted password to record, because Tomcat retrieves the password from PAM at startup.
  2. Continue to the next procedure.
Add the Keystore Location to the server.xml File
Specify the location of the keystore:
  1. Edit the server.xml file in %CATALINA_HOME%\conf\.
  2. Locate the connector for the HTTPS scheme.
  3. Add the following lines:
    <Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="keystore_file" keystorePass="${tomcat.keystore.pwd}"
        clientAuth="false" sslProtocol="TLS"/>
    keystore_file is the file path and name of the PKCS12 keystore that you created previously.
    The keystorePass value is not the password itself. It is a placeholder that Tomcat hands to the property source configured in catalina.properties, which resolves it by fetching the password from PAM.
  4. Continue to the next section.
Enable Tomcat to Read the TCF Properties
Modify the catalina.properties file to enable Tomcat to read the TCF properties.
Follow these steps:
  1. Navigate to the file %CATALINA_HOME%\conf\catalina.properties.
  2. Add the following lines to the end of the file:
    org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource
    tomcat.keystore.pwd.usea2a=true
    tomcat.keystore.pwd=TCFKeystore
    tomcat.callstack.hash.alias=TCFCallStackHash
    tomcat.file.list.hash.alias=TCFFileListHash
    The entries provide the following information:
  • The line beginning org.apache.tomcat: Registers the TCF class as the property source that Tomcat consults when it resolves ${...} placeholders in server.xml, overriding the default behavior.
  • tomcat.keystore.pwd.usea2a=true: Instructs the property source to retrieve the keystore password from PAM. With this set to true, the following lines are required:
    • tomcat.keystore.pwd=TCFKeystore: Alias of the keystore password target account at PAM. The value must be exactly the alias that you entered in the Aliases field of that target account.
    • tomcat.callstack.hash.alias=TCFCallStackHash: Alias of the call stack hash target account.
    • tomcat.file.list.hash.alias=TCFFileListHash: Alias of the file list hash target account.
  An alias that PAM cannot find is reported at startup as A2A Client Status Code 405 (see Troubleshooting).
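The two edits above only work together if the placeholder in server.xml, the property source, and the alias properties agree. The following script is an added example (not part of the Custom Connector Framework or of PAM) that reads the property lines and the HTTPS Connector element as plain text and reports the mismatches that otherwise surface only as a failed Tomcat start. The sample inputs are constructed from the values on this page; the keystoreFile value conf/tcf.p12 is an assumption.

```python
"""Consistency check for the catalina.properties / server.xml settings on this page.

Added example; it is not part of the Custom Connector Framework or of PAM.
It only reads text: the property lines added to catalina.properties and the
HTTPS <Connector> element from server.xml. The sample inputs are constructed
from the values shown on this page (keystoreFile="conf/tcf.p12" is assumed).
"""
import re

PROPERTY_SOURCE_KEY = "org.apache.tomcat.util.digester.PROPERTY_SOURCE"
TCF_PROPERTY_SOURCE = "com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource"
# Keys this page says are required when tomcat.keystore.pwd.usea2a=true.
REQUIRED_A2A_KEYS = (
    "tomcat.keystore.pwd",
    "tomcat.callstack.hash.alias",
    "tomcat.file.list.hash.alias",
)


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def connector_keystore_pass(server_xml):
    """keystorePass attribute of the first SSLEnabled Connector, or None."""
    for m in re.finditer(r"<Connector\b[^>]*>", server_xml):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', m.group(0)))
        if attrs.get("SSLEnabled", "").lower() == "true":
            return attrs.get("keystorePass")
    return None


def check_a2a_config(properties_text, server_xml):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    props = parse_properties(properties_text)
    if props.get(PROPERTY_SOURCE_KEY) != TCF_PROPERTY_SOURCE:
        problems.append("PROPERTY_SOURCE is not the TCF property source; "
                        "${...} placeholders in server.xml will not be resolved by TCF")
    if props.get("tomcat.keystore.pwd.usea2a", "false").lower() == "true":
        for key in REQUIRED_A2A_KEYS:
            if not props.get(key):
                problems.append("%s is missing or empty but usea2a=true" % key)
    ks_pass = connector_keystore_pass(server_xml)
    if ks_pass is None:
        problems.append("no SSLEnabled Connector with a keystorePass attribute in server.xml")
    else:
        m = re.fullmatch(r"\$\{([^}]+)\}", ks_pass)
        if m is None:
            # A literal here means the keystore password sits on disk in clear text.
            problems.append("keystorePass is a literal value, not a ${property} placeholder")
        elif m.group(1) not in props:
            problems.append("keystorePass refers to ${%s}, which catalina.properties does not define"
                            % m.group(1))
    return problems


# Constructed sample inputs, taken from the values shown on this page.
SAMPLE_PROPERTIES = """\
# lines added to catalina.properties for A2A retrieval
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource
tomcat.keystore.pwd.usea2a=true
tomcat.keystore.pwd=TCFKeystore
tomcat.callstack.hash.alias=TCFCallStackHash
tomcat.file.list.hash.alias=TCFFileListHash
"""
SAMPLE_SERVER_XML = """\
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="conf/tcf.p12" keystorePass="${tomcat.keystore.pwd}"
           clientAuth="false" sslProtocol="TLS"/>
"""
# A broken variant: the call stack alias is missing and the password is hard-coded.
BROKEN_PROPERTIES = SAMPLE_PROPERTIES.replace(
    "tomcat.callstack.hash.alias=TCFCallStackHash\n", "")
BROKEN_SERVER_XML = SAMPLE_SERVER_XML.replace("${tomcat.keystore.pwd}", "changeit")

if __name__ == "__main__":
    for label, props, xml in (("sample", SAMPLE_PROPERTIES, SAMPLE_SERVER_XML),
                              ("broken", BROKEN_PROPERTIES, BROKEN_SERVER_XML)):
        print(label, check_a2a_config(props, xml) or ["OK"])
```

Run it against your real files by reading them into the two arguments; the "keystorePass is a literal value" finding is the one to act on first, since it means the keystore password is stored in clear text on the server and A2A retrieval is not actually in use.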
Enable the Custom Connector Server to Retrieve Credentials
For the Custom Connector server to retrieve credentials from PAM, add the A2A Client API libraries and the TCF libraries to its class path.
In the following procedure:
  • The directory paths and placeholders reflect a UNIX/Linux system. Windows paths use backslashes and placeholders use % signs.
  • cspmclient/lib is located under CSPM_CLIENT_HOME, the installed location of the A2A Client on your system.
  • CATALINA_HOME is the installed location of the Tomcat server.
Follow these steps:
  1. Copy the following A2A JAR files from $CSPM_CLIENT_HOME/cspmclient/lib to $CATALINA_HOME/lib:
    • cspmclient.jar
    • cwjcafips.jar
  2. Copy the appropriate A2A Client native libraries for your platform:
    • UNIX/Linux platforms:
      1. Copy the following libraries from $CSPM_CLIENT_HOME/cspmclient/lib to $CATALINA_HOME/lib:
        • libcpaspiffadaptor64.so
        • libcspminterface64.so
        • libcwjcafips.so
      2. For Tomcat to find these libraries, set LD_LIBRARY_PATH in the setenv.sh script, located in $CATALINA_HOME/bin/ (create the script if it does not exist). Example:
        export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib
    • Windows platforms: copy the following DLL files from %CSPM_CLIENT_HOME%\cspmclient\lib to %CATALINA_HOME%\bin:
      • cpaspiffadaptor64.dll
      • cspminterface64.dll
      • cwjcafips.dll
  3. Copy the capamextensionstcfCryptoUtil-4.16.0.jar file from TCF_HOME/configTCF to $CATALINA_HOME/lib. TCF_HOME is where you extracted the Custom Connector Framework zip file.
The File Path that you entered for the A2A script at PAM must point to this copy of the JAR in $CATALINA_HOME/lib.
Create a File List for Verifying Deployed Files
Before the Custom Connector server fetches the keystore password, it verifies the integrity of its files. The Custom Connector server hashes every listed file and combines the results into one consolidated hash value. The server compares this hash with the hash in the file list target account, which it retrieves from PAM. The hash values must match.
To generate the hash, the server needs a list of all the deployed target connector files.
Follow these steps:
  1. Create a file and name it pam.filelist. This name is the required file name.
  2. In the pam.filelist file, include the:
    • full path of the pam.filelist file itself
    • full path of the capamef.war file
    • full path of all the files that are extracted from the .war files in the webapps and webapps_targetconnectors folders
    • full path of all custom target connectors that are deployed on the Custom Connector server
    • optionally, the full path of the libraries in the lib directory under %CATALINA_HOME%
    All paths and file names are case-sensitive.
  3. Save the file.
  4. Copy the file to %CATALINA_HOME%\conf.
  5. Restart the Tomcat server.
Because the list includes itself and every deployed connector file, any redeployment (a new connector, a rebuilt WAR, an edited list) changes the consolidated hash, and the server will refuse to fetch the keystore password until you copy the new hash to PAM as described in the next section. Treat an unexpected mismatch as a signal that something on the server changed, not as a nuisance to be silenced.
The following example is a simple file list. An actual file list contains more files, such as the files extracted from the .war files in the webapps and webapps_targetconnectors folders.
C:\DevTools\apache-tomcat-9.0.13\conf\pam.filelist
C:\DevTools\apache-tomcat-9.0.13\webapps\capamef.war
C:\DevTools\apache-tomcat-9.0.13\webapps_targetconnectors\exampleTargetConnector.war
C:\DevTools\apache-tomcat-9.0.13\webapps_targetconnectors\echoTargetConnector.war
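Writing the list by hand is error-prone once the WAR files are extracted. The following script is an added example (not part of the Custom Connector Framework or of PAM) that builds pam.filelist from a Tomcat installation according to the rules above, and also prints the symlink-free path to enter as the Execution Path of the A2A script. It assumes absolute paths, one per line, sorted; the page does not say whether line order affects the server's consolidated hash, so sorting is a choice made here for reproducible output.

```python
"""Generate pam.filelist for the Custom Connector server.

Added example, not part of the Custom Connector Framework or of PAM. It
produces the list described on this page: the pam.filelist file itself,
everything under webapps (capamef.war and the files extracted from it),
everything under webapps_targetconnectors (custom target connectors and
their extracted files), and optionally the JARs under lib. Sorting the
entries and writing absolute paths are assumptions made for reproducibility.
"""
import os

FILE_LIST_NAME = "pam.filelist"                  # required file name (from this page)
SCANNED_DIRS = ("webapps", "webapps_targetconnectors")


def _files_under(root):
    """Yield absolute paths of all regular files below root (root may not exist)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.abspath(os.path.join(dirpath, name))
            if os.path.isfile(path):                  # skips dangling symlinks
                yield path


def build_file_list(catalina_home, include_lib=False):
    """Return the sorted list of absolute paths that belong in pam.filelist."""
    catalina_home = os.path.abspath(catalina_home)
    # The list must name itself, so the hash also covers the list.
    entries = {os.path.join(catalina_home, "conf", FILE_LIST_NAME)}
    dirs = list(SCANNED_DIRS) + (["lib"] if include_lib else [])
    for sub in dirs:
        entries.update(_files_under(os.path.join(catalina_home, sub)))
    # Paths are case-sensitive on the server side, so they are emitted exactly
    # as the file system reports them, without normalising case.
    return sorted(entries)


def write_file_list(catalina_home, include_lib=False):
    """Write conf/pam.filelist under catalina_home and return the path written."""
    target = os.path.join(os.path.abspath(catalina_home), "conf", FILE_LIST_NAME)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8", newline="\n") as fh:
        fh.write("\n".join(build_file_list(catalina_home, include_lib)) + "\n")
    return target


def execution_path(catalina_home):
    """Physical path with soft links resolved, for the A2A script's Execution Path field."""
    return os.path.realpath(catalina_home)


if __name__ == "__main__":
    import sys
    home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("CATALINA_HOME", ".")
    print("Execution Path:", execution_path(home))
    print("Wrote", write_file_list(home, include_lib="--include-lib" in sys.argv))
```

Run it as `python make_filelist.py /opt/tomcat --include-lib` after every deployment change, then restart Tomcat and copy the newly computed hashes to PAM as described in the next section.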
Copy the Hash Values to PAM Target Accounts
When the Custom Connector requests the keystore password, it calculates the call stack and file list hash values. The server then compares these values to the target account hashes. The values must match before the server proceeds to fetch the keystore password from PAM.
For the hashes to match, you must copy the calculated values to the target accounts at PAM.
To obtain and copy the hashes, follow these steps:
  1. Start the Custom Connector server, and expect startup to fail. At startup, the server calls PAM and fetches the hash values. Startup fails because the hashes obtained from PAM (the placeholder passwords that you generated) do not match the values that the Custom Connector server calculated.
  2. Open the catalina.log file in the %CATALINA_HOME%\logs directory.
  3. Look for the following two messages in the log file:
    Computed callstack hash: callstack_hash does not match the retrieved call stack hash: CA_PAM_call_stack_hash
    Computed filelist hash: filelist_hash does not match the retrieved filelist hash: CA_PAM_file_list_hash
  4. Copy the computed hashes from these log messages and paste them into the Password tab of the associated target accounts at PAM:
    • callstack_hash: the computed value, which goes into the call stack hash target account (TCFCallStackHash)
    • filelist_hash: the computed value, which goes into the file list hash target account (TCFFileListHash)
  5. Restart the server.
When the Custom Connector server restarts, it requests the hashes from PAM, and they verify successfully. Finally, the Custom Connector server retrieves the keystore password from PAM.
Troubleshooting
If exceptions are logged during startup of the Tomcat server, look at the catalina log file. If the stack trace resembles the following, the server cannot start the HTTPS connector:
01-Nov-2018 14:59:46.063 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
01-Nov-2018 14:59:46.401 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
The possible causes are listed below, each with the A2A Client status code that the TCF property source writes to catalina.log.
Problem: The keystore password is incorrect.
The password is retrieved from PAM, but it does not match the keystore. Confirm that the retrieval itself succeeded by checking catalina.log for the message:
A2A Client Status Code: 400
Then look for the following stack trace in catalina.log:
Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:238)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:179)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:203)
Solution: In the PAM UI, view the password in the keystore target account and verify that it is the password that protects the Tomcat keystore. If they differ, either set the target account password to the keystore's password or change the keystore password to the account's value (keytool -storepasswd).
Problem: The A2A Client is not started. The catalina.log file contains the message:
A2A Client Status Code: 402
Solution: Start the A2A Client daemon (UNIX) or service (Windows).
Problem: The keystore password alias in the catalina.properties file is not found in PAM. The catalina log shows the message:
A2A Client Status Code: 405
Solution: In the PAM UI, look at the Aliases field of the keystore target account. At the Tomcat server, look at the catalina.properties file. Confirm that the tomcat.keystore.pwd property holds exactly that alias.
If the call stack or file list hash alias is not found in PAM, the error and solution are similar: compare the tomcat.callstack.hash.alias and tomcat.file.list.hash.alias properties with the aliases of the corresponding target accounts and ensure that they match.
Problem: Unauthorized script name. The A2A mapping uses an incorrect script name. The catalina.log contains the message:
A2A Client Status Code: 409
Solution: Make the script name in the A2A script definition, the A2A mapping, and the actual class (com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource) agree.
Problem: Unauthorized execution path. The A2A mapping does not have the correct execution path for the script. The catalina.log contains the message:
A2A Client Status Code: 410
Solution: Verify the execution path. In the PAM UI, navigate to Credentials, Reports, Activities. Select Configure to set up the activities report. Add an entry using the + sign, then select the Failed A2A Client Requests in Last 30 days item. After the report runs, look for the entry with the 410 error code. That entry includes the execution path that the A2A Client reported for the request. Specify this execution path in the A2A script definition; it must be the resolved physical path without soft links.
Problem: Unauthorized execution user. The A2A mapping does not specify the correct user. The catalina.log includes the message:
A2A Client Status Code: 411
Solution: Change the A2A mapping to use the same OS user that runs the Tomcat server.
Problem: Incorrect script hash value. The hash of the JAR file that contains the Custom Connector Java class does not match the hash that PAM recorded, or the wrong script is specified. The catalina.log includes the message:
A2A Client Status Code: 436
Solution: If the JAR file was changed intentionally (for example, a new TCF version was deployed), recalculate the hash: select the Get Script Hash button on the script panel in the PAM UI. If it was not changed intentionally, treat the mismatch as a possible sign of tampering and investigate before updating the hash.
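The two previous sections both have you read catalina.log by eye: once to copy the computed hashes into the target accounts, and again to map an A2A Client status code to a cause. The following script is an added example (not part of the Custom Connector Framework or of PAM) that does both. It recognises only the two message shapes quoted on this page and uses the status-code meanings from the troubleshooting list; the log lines, hash values, and logger prefix in the sample are constructed for the example.

```python
"""Pull the values this page tells you to copy out of catalina.log.

Added example, not part of the Custom Connector Framework or of PAM. It
recognises the hash-mismatch lines written at startup and the
"A2A Client Status Code: NNN" lines, exactly as quoted on this page, and
maps the codes to the meanings in the troubleshooting section. The sample
log below is constructed; the "TCFPropertySource" logger prefix is assumed.
"""
import re

# Meanings of the A2A Client status codes documented in the troubleshooting section.
STATUS_CODES = {
    400: "password retrieved from PAM but it does not match the keystore",
    402: "A2A Client is not started; start the daemon/service",
    405: "alias in catalina.properties not found in PAM; compare target account aliases",
    409: "unauthorized script name; align script definition, mapping and class name",
    410: "unauthorized execution path; check the Failed A2A Client Requests report",
    411: "unauthorized execution user; map the OS user that runs Tomcat",
    436: "incorrect script hash; verify the JAR, then Get Script Hash if the change was intended",
}

HASH_RE = re.compile(r"Computed (callstack|filelist) hash:\s*([0-9a-z]+)\s+"
                     r"does not match the retrieved .*?hash:\s*([0-9a-z]+)")
STATUS_RE = re.compile(r"A2A Client Status Code:\s*(\d+)")


def parse_catalina_log(lines):
    """Return {'callstack': (computed, retrieved) or None, 'filelist': ..., 'status_codes': [...]}."""
    result = {"callstack": None, "filelist": None, "status_codes": []}
    for line in lines:
        m = HASH_RE.search(line)
        if m:
            result[m.group(1)] = (m.group(2), m.group(3))
        m = STATUS_RE.search(line)
        if m:
            result["status_codes"].append(int(m.group(1)))
    return result


def values_to_paste(parsed):
    """Computed hashes that differ from PAM's copy, keyed by target account kind."""
    out = {}
    for kind in ("callstack", "filelist"):
        pair = parsed.get(kind)
        if pair and pair[0] != pair[1]:
            out[kind] = pair[0]
    return out


def explain(parsed):
    """One line per status code seen; codes not on this page are flagged, not guessed."""
    return ["%d: %s" % (c, STATUS_CODES.get(c, "undocumented code; check the PAM activity report"))
            for c in parsed["status_codes"]]


# Constructed sample: 64-character lowercase hex values, as the hash policy on this page requires.
COMPUTED_CALLSTACK = "0123456789abcdef" * 4
RETRIEVED_CALLSTACK = "fedcba9876543210" * 4
COMPUTED_FILELIST = "00112233445566778899aabbccddeeff" * 2
RETRIEVED_FILELIST = "ffeeddccbbaa99887766554433221100" * 2
SAMPLE_LOG = (
    "01-Nov-2018 14:59:45.901 SEVERE [main] TCFPropertySource Computed callstack hash: %s "
    "does not match the retrieved call stack hash: %s\n"
    "01-Nov-2018 14:59:45.902 SEVERE [main] TCFPropertySource Computed filelist hash: %s "
    "does not match the retrieved filelist hash: %s\n"
    "01-Nov-2018 14:59:46.010 SEVERE [main] TCFPropertySource A2A Client Status Code: 410\n"
) % (COMPUTED_CALLSTACK, RETRIEVED_CALLSTACK, COMPUTED_FILELIST, RETRIEVED_FILELIST)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            parsed = parse_catalina_log(fh)
    else:
        parsed = parse_catalina_log(SAMPLE_LOG.splitlines())
    for kind, value in values_to_paste(parsed).items():
        print("paste into the %s hash target account: %s" % (kind, value))
    for line in explain(parsed):
        print(line)
```

Point it at %CATALINA_HOME%\logs\catalina.log after a failed start; it prints only the computed values (the ones you paste into PAM), never the retrieved ones, so the two cannot be mixed up.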