Unable to login as super after upgrade from 2.8 to 3.0.0

Document ID : KB000118433
Last Modified Date : 26/10/2018
Show Technical Document Details
Issue:
We upgraded one of our virtual appliances from 2.8.3 to 3.0.0. The upgrade appeared to be successful, but when we try to login as super we get error "PAM-CMN-0900: Bad User ID (Super) or Password". The password is correct and was used successfully many times on 2.8.3. It also works when we restore the snapshot taken just before the upgrade.
Environment:
PAM 3.0.0 upgraded from 2.8.X
Cause:
PAM releases 3.0 and higher use stronger encryption of passwords stored in PAM. The migration patch therefore finds all passwords stored in the PAM database and re-encrypts them with a stronger algorithm. In rare cases this has resulted in a corrupted super user password. The root cause is not understood as of Oct 2018.
Resolution:
The following procedure was tried by one affected customer and worked:
- Restore the snapshot from before the upgrade.
- Change the super user password to the default "super". You will have to temporarily change the Security Level to 0 in Global Settings to do so.
- Perform the upgrade.
- Change the super user password to the previous or a new one.
- Restore the original Security Level. In PAM 3.x this is under Settings > Global Settings > Passwords.
- Log out and back in to verify that the new password works.

CA PAM support has a way of resetting the super user password after the upgrade, but it requires access to the PAM instance during a remote session with a support engineer. If you experience this problem and the above solution is not possible or didn't work, please open a case with PAM support.
Additional Information:
In the environments where the problem was observed, no other active local users were defined, and those environments were used for access control only, not for password management. It is not clear whether other local user accounts could be affected. We are not aware of such a problem with the conversion of target account passwords.