JAVA API TargetAccount.getPassword() function always yields 'null' value

Document ID : KB000094336
Last Modified Date : 04/05/2018
Issue:

After upgrading to 2.8.4.1, the Java API TargetAccount.getPassword() function always returns 'null', although the viewAccountPassword CLI command, run on the same machine with the same parameter values, shows the password data.

The problem can be reproduced using the steps below.

1. Prepare to use the Credential CLI and Java API as described in the documentation below:

    https://docops.ca.com/ca-privileged-access-manager/2-8-4-1/EN/programming/credential-manager-remote-cli-and-java-api/install-and-set-up-the-credential-cli-and-java-api

2. Use the CLI viewAccountPassword command and verify that password data is returned.
    For example, at a DOS prompt run the following:

C:\PAMCLI>capam_command capam=<PAM's hostname> adminUserId=super adminPassword=<password> cmdName=viewAccountPassword TargetAccount.ID=<Target Account ID> reason=<reason> reasonDetails=<reason details>

Example result:
<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription><cr.result><TargetAccount><aliases></aliases><password>Passw0rd123</password><lastVerified>Tue Dec 26 22:30:05 UTC 2017</lastVerified><lastViewed>Wed Feb 21 23:26:00 UTC 2018</lastViewed><targetServerAlias></targetServerAlias><cacheAllow>true</cacheAllow><serverKeyId>-1</serverKeyId><lastUsed>Wed Feb 21 23:26:00 UTC 2018</lastUsed><targetApplicationID>1023</targetApplicationID><userName>masked</userName><accessType></accessType><targetApplication></targetApplication><synchronize>true</synchronize><cacheBehavior>useCacheFirst</cacheBehavior><cacheDuration>30</cacheDuration><ownerUserID>-1</ownerUserID><compoundAccount>false</compoundAccount><compoundServerIDs>null</compoundServerIDs><compoundServerList>[]</compoundServerList><passwordViewPolicyID>1000</passwordViewPolicyID><passwordVerified>false</passwordVerified><privileged>true</privileged><Attribute.extensionType>windows</Attribute.extensionType><Attribute.discoveryGlobal>false</Attribute.discoveryGlobal><Attribute.useOtherAccountToChangePassword>agent</Attribute.useOtherAccountToChangePassword><Attribute.discoveryAllowed>true</Attribute.discoveryAllowed><Attribute.tasks></Attribute.tasks><Attribute.serviceInfo></Attribute.serviceInfo><Attribute.descriptor1></Attribute.descriptor1><Attribute.forcePasswordChange>false</Attribute.forcePasswordChange><Attribute.descriptor2></Attribute.descriptor2><Attribute.lastGoodAgentId>1002</Attribute.lastGoodAgentId><updateDate>Wed Feb 21 07:39:44 UTC 2018</updateDate><updateUser>super</updateUser><hash>Bh9KMaskedmaskedmasked=</hash><updateTime>1519198784000</updateTime><createTime>1513655169000</createTime><createDate>Tue Dec 19 03:46:09 UTC 2017</createDate><createUser>super</createUser><extensionType>windows</extensionType><ID>1033</ID></TargetAccount></cr.result></CommandResult> 

3. Create a Java program that calls the TargetAccount.getPassword() function with the same parameter values as above.
For example, you can download the JavaAPIExample.java file attached to this document.

To adjust it to your environment, edit JavaAPIExample.java:
     a. Change the passwordAuthorityServerKeyStore variable (line 52) to the keystore path in your environment.
     b. Change the passwordAuthorityUserPassword variable (line 55) to the correct password for super.
     c. Change the passwordAuthorityServerHostName variable (line 57) to the correct PAM server hostname.

4. Compile the Java program using javac

C:\PAMCLI>Java\jdk1.7.0_80\bin\javac.exe -Xlint:unchecked -cp ".;./cliTool.jar" JavaAPIExample.java

5. Run using java

C:\PAMCLI>Java\jdk1.7.0_80\bin\java.exe -cp ".;./cliTool.jar" JavaAPIExample
viewTargetAccountPassword: Success. null
viewTargetAccountPassword last viewed:Wed Feb 21 18:25:00 EST 2018
viewTargetAccountPassword password:null


6. Notice that it returns Last Viewed date/time but Password is 'null'
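
When comparing the CLI result from step 2 with the Java API output, the check below confirms whether a password came back and produces a copy of the result that is safe to attach to a support case. It is an added example, not CA's code or part of the original article; the function names and sample values are constructed, and it assumes the CLI output has been captured as a single XML string.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the CommandResult layout shown above; every value is made up.
SAMPLE_OK = (
    "<CommandResult><cr.itemNumber>0</cr.itemNumber>"
    "<cr.statusCode>400</cr.statusCode>"
    "<cr.statusDescription>Success.</cr.statusDescription>"
    "<cr.result><TargetAccount><password>ExamplePw1</password>"
    "<lastViewed>Wed Feb 21 23:26:00 UTC 2018</lastViewed>"
    "<userName>svc_example</userName><hash>AAAAexample=</hash>"
    "<ID>1033</ID></TargetAccount></cr.result></CommandResult>"
)
# Same record with an empty <password>, to exercise the "no password returned" path.
SAMPLE_EMPTY = SAMPLE_OK.replace("ExamplePw1", "")

# Fields replaced before the result is shared: the secret itself, plus the two
# fields the article masks in its own example output.
REDACT = {"password", "hash", "userName"}


def first_text(root, tag):
    """Text of the first element with exactly this tag, or None if it is absent."""
    for el in root.iter(tag):
        return el.text or ""
    return None


def check_result(xml_text):
    """Return (success, password_present, redacted_xml) for one CommandResult."""
    root = ET.fromstring(xml_text.strip())
    # 400 is the status code that accompanies "Success." in the example result above.
    success = first_text(root, "cr.statusCode") == "400"
    password = first_text(root, "password")
    # Treat a missing element, an empty value and the literal "null" as "no password".
    present = bool(password and password.strip() and password != "null")
    for el in root.iter():
        if el.tag in REDACT and el.text:
            el.text = "***"
    return success, present, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("empty", SAMPLE_EMPTY)):
        ok, present, redacted = check_result(sample)
        print("%s: success=%s password_present=%s" % (name, ok, present))
        print(redacted)
```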

Environment:
PAM 2.8.4.1 without CAPAM_2.8.4.1.05 patch
Cause:
This is a known bug, DE347922, that has been addressed in PAM version 3.1.1.
Resolution:
This issue affects PAM version 2.8.4.1 but not 3.1.1, so you can upgrade to 3.1.1 to resolve the problem.
If you cannot upgrade at this time, you can apply the CAPAM_2.8.4.1.05.p.bin patch to resolve the problem.

Log in with your CA Support Online website account and download the following patch files from this URL:
  https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-privileged-access-manager-solutions-patches.html
    1. CAPAM_2.8.4.1.05.p.bin
    2. CAPAM_2.8.4.1.05-revert.p.bin

Before applying the CAPAM_2.8.4.1.05.p.bin patch, take a backup/snapshot and complete any other required due diligence.

From the PAM Client, go to Config > Upgrade, click the [Browse...] button in the Upload Patch section, and select the CAPAM_2.8.4.1.05.p.bin patch file to upload.
Before clicking the [Upload] button, select the "Apply automatically after upload" box. The PAM Server will be rebooted.
CAPAM_2.8.4.1.05-revert.p.bin is only required if you need to roll back this patch.
Additional Information:
https://docops.ca.com/ca-privileged-access-manager/2-8-4-1/EN/programming/credential-manager-remote-cli-and-java-api/install-and-set-up-the-credential-cli-and-java-api

https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-privileged-access-manager-solutions-patches.html

 
File Attachments:
JavaAPIExample.java