PAM TAP integration troubleshooting

Document ID : KB000100056
Last Modified Date : 06/07/2018
Threat Analytics for PAM (TAP) uses the PAM External API with a specific set of credentials: a user named CATapApiUser that is tied to a Target Account named CATapApiUser-#. If the Target Account cannot be used with PAM's API Doc, then it will not work with TAP.
The actual CATapApiUser-# Target Account name varies from one PAM instance to another. Go to the Credentials --> Target Account page to see the Target Account used on a particular PAM instance. It is a good idea to test the credentials within PAM before completing the Threat Analytics integration. To do this, click Settings --> API Doc and execute one of the .json entries. For example, click devices.json and then Try it out!. Enter the CATapApiUser-# for the PAM instance and its password, then click OK. If the credentials are correct, the Response Body shows the data for the devices on the system, in which case the account should also work from TAP. Perform the same test if problems with the TAP PAM integration appear at some point after the integration was successfully completed.

This test may fail even if the correct Target Account and password are entered, in which case the prompt for credentials appears again, over and over.

One cause is that PAM's Disable Inactive After setting, on the Global Settings page, has taken effect and the account is no longer active. Check that the account is Enabled on the User --> Administration page.

Another cause is a problem that results from PAM's current design. PAM is the result of the integration of 2 legacy products, and contains an Access database and a Credentials database. These databases contain some data that must be kept in sync, which includes user information. When such an out-of-sync situation occurs, please contact support to get the latest UserSync patch. This patch runs through a set of scenarios and fixes those that have been identified. As of this writing it does not fix an issue that was identified related to the CATapApiUser. The following error was seen: "WARNING: CSPMCallbackHandler.getUser User 'CATapApiUser' not found in database."

This is a known issue for which a defect record has been created and is pending resolution. 
This article will be updated when the defect has been fixed.
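
To check a saved PAM log for the warning quoted above and see whether it concerns the TAP API user or some other out-of-sync user, a small scanner like the following can be used. This is an added example, not CA code; the log layout beyond the quoted message (timestamps, the INFO line, the user jsmith) is constructed, and the function name triage is hypothetical.

```python
import re
from collections import Counter

# Message text as quoted in the article; the user name is captured.
NOT_FOUND = re.compile(
    r"WARNING: CSPMCallbackHandler\.getUser User '([^']+)' not found in database"
)
API_USER = "CATapApiUser"  # user name given in the article


def triage(log_lines):
    """Count 'not found in database' warnings per user and separate the
    TAP API user (the case the article says UserSync does not yet fix)
    from any other users reported as missing."""
    hits = Counter()
    for line in log_lines:
        match = NOT_FOUND.search(line)
        if match:
            hits[match.group(1)] += 1
    api = {user: count for user, count in hits.items()
           if user == API_USER or user.startswith(API_USER + "-")}
    other = {user: count for user, count in hits.items() if user not in api}
    return {"tap_api_user": api, "other_users": other}


# Constructed sample: only the WARNING message text comes from the article.
SAMPLE = [
    "2018-06-07 10:15:02 WARNING: CSPMCallbackHandler.getUser User 'CATapApiUser' not found in database.",
    "2018-06-07 10:15:03 INFO: session opened",
    "2018-06-07 10:15:09 WARNING: CSPMCallbackHandler.getUser User 'jsmith' not found in database.",
    "2018-06-07 10:16:44 WARNING: CSPMCallbackHandler.getUser User 'CATapApiUser' not found in database.",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for user, count in result["tap_api_user"].items():
        print(f"{user}: {count} warning(s), matches the open CATapApiUser defect")
    for user, count in result["other_users"].items():
        print(f"{user}: {count} warning(s), out-of-sync user, ask support about UserSync")
```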