Password Authority sub-system of CA PAM is not starting after networking or clustering change.

Document ID : KB000006917
Last Modified Date : 14/02/2018
Issue:

This issue is characterized by the following symptoms, which may not arise until after the appliance has been rebooted.

Note: Similar symptoms will arise whenever the password authority sub-system is not started or not working correctly. Usually restarting the appliance will bring this back into working order, but in this case a simple reboot will not suffice.

Symptoms:

  • Access to password management does not work. Users are logged off when they attempt to click "Manage Passwords".
  • Attempting to use or view a vaulted password does not work. Users are logged off when they attempt to view a password or auto-connect using it.

The following error message will likely be found in the Tomcat logs:

May 24, 2017 6:42:22 PM com.cloakware.cspm.server.app.ApplicationImpl shutdown
SEVERE: Shutting down - DataSourceManager.parseAppClusterConfig No local application addresses found.


The following errors & messages may be found in the Session logs:

General Messages:

  • Credential Service daemon is either not running or not reachable.
  • Could not successfully retrieve Password Authority Managed Data for Dashboard
  • Unable to retrieve NSX Accounts No response from Password Authority.
  • The AWS secret key for use by S3 storage is missing

Trying to view / connect:

  • Error when attempting to retrieve password view requests - error was No response from Password Authority.
  • Error when attempting to retrieve pa user id via access user id - error was No response from Password Authority.

Cause:

When the Password Authority sub-system first loads, it checks the clustering configuration. One of the checks it performs is to make sure that the appliance address is listed in the clustering configuration. When no clustering configuration is defined, this is not a problem. However, when the cluster configuration does not contain the IP address of the appliance, the PA sub-system will not load because it assumes the configuration is wrong.

Note: When the cluster config is changed, this condition is usually validated, and the config won't be saved if the appliance address does not exist in it. This situation would therefore usually arise after making networking config changes, because network changes DO NOT validate the clustering config.

Resolution:

To resolve this problem, the server's address needs to be added to the clustering configuration.

  1. If the database has been locked (usually due to a cluster off situation), first visit the clustering/synchronization page & click 'Unlock Me' to unlock it.
  2. Re-configure clustering so the address of this device DOES exist in the cluster config list.
    • Note: The address only needs to exist in the list; all other configuration can be bogus & clustering does NOT need to be started.
  3. Reboot appliance: Config > Power > Reboot Instance

Once the appliance comes back from the reboot the Password Authority sub-system should be working as expected.
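
Because any Password Authority outage produces the same session-log messages, the Tomcat SEVERE record is what identifies this specific cause. The script below is an added example, not CA code: it parses Tomcat records in the two-line layout shown above and separates the two cases. It assumes the logs are available as text lines and that session-log lines contain the quoted messages verbatim; the verdict labels are hypothetical.

```python
import re
from datetime import datetime

# Header line of a record, in the layout of the article's Tomcat excerpt.
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ \S+$")
LEVEL = re.compile(r"^(?P<level>[A-Z]+): (?P<msg>.*)$")

# Message strings quoted in the article.
CLUSTER_SIG = "DataSourceManager.parseAppClusterConfig No local application addresses found"
PA_DOWN_SIGS = ("No response from Password Authority",
                "Credential Service daemon is either not running or not reachable")

def parse_tomcat(lines):
    """Yield (timestamp, level, message) for each two-line record."""
    ts = None
    for line in lines:
        line = line.strip()
        header = HEADER.match(line)
        if header:
            ts = datetime.strptime(header["ts"], "%b %d, %Y %I:%M:%S %p")
            continue
        body = LEVEL.match(line)
        if body and ts is not None:
            yield ts, body["level"], body["msg"]
        ts = None  # a level line only counts directly after its header

def triage(tomcat_lines, session_lines):
    """Return (verdict, timestamps); the verdict labels are hypothetical."""
    hits = [ts for ts, level, msg in parse_tomcat(tomcat_lines)
            if level == "SEVERE" and CLUSTER_SIG in msg]
    if hits:
        return "cluster-address-missing", hits
    if any(sig in line for line in session_lines for sig in PA_DOWN_SIGS):
        return "pa-down-other-cause", []
    return "no-match", []

# Constructed sample input: the SEVERE record is the one quoted in the article,
# the INFO record and the session-log line layout are made up for the demo.
SAMPLE_TOMCAT = [
    "May 24, 2017 6:41:58 PM com.example.Startup init",
    "INFO: Starting application",
    "May 24, 2017 6:42:22 PM com.cloakware.cspm.server.app.ApplicationImpl shutdown",
    "SEVERE: Shutting down - DataSourceManager.parseAppClusterConfig No local application addresses found.",
]
SAMPLE_SESSION = ["Unable to retrieve NSX Accounts No response from Password Authority."]

if __name__ == "__main__":
    print(triage(SAMPLE_TOMCAT, SAMPLE_SESSION))
```

A "cluster-address-missing" verdict points at the resolution steps above; "pa-down-other-cause" means the session-log symptoms are present without the Tomcat signature, so this article's cause is not confirmed.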