How to troubleshoot CA PAM Access Page problems

Document ID : KB000013314
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

A common problem when using CA PAM is that the Access Page does not load properly.  This document will help you troubleshoot this issue.

Question:

What do I do when the Access Page does not load, or no access links appear?

Answer:

It is not uncommon when using CA PAM to encounter problems on the Access page.  To start with, you must understand that the environment on which CA PAM depends.  CA PAM uses Java throughout its code.  The Access page is one place and the LDAP browser is another.  If Java is not installed, or cannot be loaded then the Access page will not load.  You will recognize this as the problem by seeing something like in the picture below.

AccessPageLoading.JPG

 

In order to load the access policies CA PAM needs to run a Java applet.  In the picture above you can see that it is attempting to load the necessary applet.  The icon will continue to spin for a while and will eventually time out, and no policies will load as a result.  This means that the user will not be able to perform their job, as they have no way to connect to the required devices.  The picture below shows the message seen after the timeout.JavaLoadFailed.JPG

 

The first thing to ask is "Is Java installed?"  This is easy to check.  On a Windows system you can go to the Control Panel and search for Java.  If it is installed you will find the Java Configuration program.  You can also go to Uninstall or Change Program and search for it in the list.  You can see in the picture below that it is not installed.InstalledPrograms.JPG

It is also easy to check for the presence of Java on a MAC.  Just go to Mac > More Info > System Report > Software and check the list of installed Software.

 

Once it is determined that Java is not installed you must go to java.com to install it.  Only Java from Oracle is supported, so you must use this site as your source.  Other Javas, such as from IBM, are not supported.  Follow the instructions on this site to install the latest version of Java. 

Installing Java does not guarantee that the Access page will appear.  The next thing to check is the browser.  What browser are you using.  At the time of this writing, CA PAM supports IE 9, IE 11 and Firefox(version 45 or later) on Windows.  CA PAM also supports MACS(OS X 10.9 or later), with Safari(version 7 or later and Firefox(version 45 or later).  The same version of Firefox is also supported for linux clients, specifically Debian-based distributions (such as Ubuntu, Mint, or Pearl).  Check the CA PAM wiki for details(ie https://docops.ca.com/ca-privileged-access-manager/2-8-1/EN/release-information/supported-environments/supported-clients).  

You will notice that Chrome is not listed.  Java is based on Netscape Plugin Application Programming Interface (NPAPI).  In 2013 Google announced that Chrome would begin blocking NPAPI plugins(such as Java) starting in January of 2014.  With Java blocked by Chrome it cannot be used to use the full features of CA PAM, and is therefore not supported.  Be aware that Firefox also announce plans to discontinue NPAPI, supposedly by the end of 2016.

The documentation states that the latest version of Java 7 is supported as well as Java 8, up to update 101 for Windows and update 73 and later for MAC and Linux.  This needs clarification.  Starting with Java 8u74 Oracle introduced a change that prevented Java from working with CA PAM.  This was not corrected until Java 8u101, so none of the versions between u73 and u101 were supported.

Even if you are using a supported browser you may encounter problems if you are using an older version of Java.  From time to time the browsers may change their requirements, and problems with Java may be encountered.  This has particularly been a problem with IE, which will not load Java if it determines the version to be too old.  This is a browser issue and not a CA PAM issue. 

There could be other reasons for Java not to load.  A great tool for this is java.com/verify.  If Java won't load for their verify page then it won't load for CA PAM.  Below is a typical message seen when the latest version of Java is installed, and able to load.JavaVerify.JPG

 

You might see messages indicating your version is too old, as per Java, or that it isn't enabled in the browser.  You will have to address such issues before CA PAM will be able to function.

Another useful tool when troubleshooting Java issues is the Java Control Panel, which is also the Java Configuration program.  Click the About button to view the verson. 

JavaControlPanel.JPG

 

You can also click the View button on the Java tab.  This may show multiple versions, if you installed them.  CA PAM may have problems if multiple versions are installed, even if they are not all checked as Enabled.  In such circumstances you may have to delete all of the installed Java versions, including any folders that were created on the disk.  This last step will have to be done manually.  Once all the old versions are gone you may install the version you wish to use.JavaView.JPG

 

In some cases it may be necessary to get additional information.  The Advanced tab contains many options.  Two are Show Console and Enable Tracing.  Show Console will cause the Java Console Log to be opened when Java is loaded.  You can interact with this console, even changing the Logging Level.  Support may ask to see this log at times, which would merely required copying out of the console and pasting into the ticket.  The Enable Tracing can be used to turn on Java tracing, which will be useful if the console does not stay open long enough to capture or if you can't predict when the problem may occur.  The file name that is created starts with "plugin", followed by a long string of numbers which is a timestamp and ends with ".trace".JavaAdvanced.JPG

 

The CA PAM client was created to address the issues above.  As of CA PAM 2.6, you may download this software and install it on your client system.  It contains a browser and Java version that will work, regardless of what the customer has installed on their system.  You can use this program to check if you get the same problem, or if the Access page loads properly. 

Most Access Page problems should resolvable using this document, but there may be other reasons for the Access page not to load.  One such example is slow Access Page loading on 2.8.1.  It required the application of a manual fix, that is now included in HotFix 2.8.1.02.  If you cannot resolve the problem you encounter using this article then you will need to open a ticket, and attach the Java console log or trace you collected while reproducing the problem.