API Keys not working after upgrading from 2.8 to 3.0.1 or 3.0.2

Document ID : KB000008972
Last Modified Date : 02/07/2018
Show Technical Document Details

After the upgrade to 3.0.1 or 3.0.2 our calls into the PAM Rest API using valid API keys keep failing. When we try to update the key or add a new key, it fails with error "PAM-CMN-0496: Target application ApiKey was not found."

This problem also surfaces when attempting to select the AWS account from Configuration > 3rd Party > AWS, the AWS target account is not displayed in the 'Access Key Alias' dropdown.


The PAM instance has an upgrade history going back to PAM 2.6. The problem is not observed with PAM appliances that started at release 2.7 or 2.8. PAM 3.0.1 introduced localization, and during the upgrade the names of some internal target applications are localized, specifically two applications related to Service Desk integration. These applications have a fixed target application ID, for PAM instances based on release 2.7 or newer. For PAM instances that were upgraded to 2.7 from a previous release the target application IDs are different. The 3.0.1 upgrade scripts do not take this possibility into account and update the target application names using a hardcoded ID.


If you have this problem, please logon as a PAM administrator and open page Credentials > Manage Targets > Target Applications. Filter by column Application Type and value Xsuite API Key. You will find that the name of the application is different, most likely set to "CA Normalized Integration Management for User Management". It could be different depending on your license history. Edit the target application and set the name to "ApiKey" as shown in the following screenshot:



When you have this problem you should find a second target application with a changed name. For the default English locale the application name would be "CA Normalized Integration Management for Service Management". If you have two target applications with that name, only the one with application type "CA NIM SM" is right. If the second application having that name has type "AWS Access Credentials", rename it to "AWS Access Credential Accounts" as shown below. It's also possible that the target application with type "AwsApiProxyCredentials" was changed. The correct name for that application would be "AWS API Proxy Access Credential Accounts". In case of a doubt open a support case.