Skip to content
CA Privileged Access Manager Hotfixes
Documentation powered by DocOps Hotfix

Last update April 3, 2019

This content provides information about the hotfix.

Resolved Issue

This hotfix resolves the following issues: 

  • When login timeout is set to 1 minute, all users are locked out of CA PAM after logging out. (Salesforce case number: 01007991/Internal defect ID: DE357320)
  • The Access Name field is not populated on the list of AWS Target accounts from which the customer wants to select. (Salesforce case number: 00964491/Internal Defect ID: DE360221)

This hotfix also includes other hotfixes that resolved the following issues: 

  • Hotfix Standard users are prevented from asking a CA Privileged Access Manager administrator for permission to view user data. When a user tries to send a permissions request, the user sees the error message, You do not have sufficient privileges to perform this operation. (Salesforce case number: 00948377/Internal defect ID DE343117).
  • Hotfix Users cannot authenticate to CA Privileged Access Manager using credentials that are stored on a TACACS server. The query that the appliance sends to the database returns a list of all target servers instead of only the TACACS server. The first server that handles the authentication is not a TACACS server, causing the user login to fail. (Salesforce case number: 00971944/Internal defect ID: DE348248)
  • Hotfix The AS/400 (IBM i) Target Connector did not support SSL/TLS secure connections.
  • Hotfix You cannot select the Enable Login Integration checkbox in the policy to enable integration with CA Privileged Access Manager Server Control (Salesforce case number: 00959682/Internal defect ID: DE348834)
  • Hotfix Fixed the following defects:
    • You can create a UNIX target application using the Remote CLI, but the application does not display properly in the CA PAM UI. (Salesforce case number: 00946305/Internal Defect ID: DE343074)
    • On the Access page in the UI, the Application Name entries in the Available Credentials window are truncated so you cannot read the full name. (Salesforce case number: 00964491/Internal Defect ID: DE351593)
    • When you add a target UNIX application using the Remote CLI, the application does not display in the CA PAM UI. Navigate to Credentials, Manage Targets, Applications, and select the application. All the tabs for the application are missing. (Salesforce case number: 00977574/Internal Defect ID: DE349824)
  • Hotfix Fixed the following defects
    • After you upgrade from Release 2.7 to 3.1.1, the SSH and Web Portal access methods no longer work when the cluster is activated. Also, you cannot view old session recordings that were made before the upgrade. (Salesforce case numbers: 00981751/Internal Defect ID: DE352160)
    • On the Access page of the UI, filtering the list of devices using the Address column returns incorrect results (Salesforce case numbers: 00977595, 00983257, 00977595, 00983257, 00984570, 01006781/Internal Defect ID: DE350779)
    • The viewAccountPassword permission is required to make an API call. This requirement is not valid. (Salesforce case number: 00995116/Internal defect ID: DE355279)

Functional Changes

This hotfix includes Hotfix that provides the following functional changes: 

IBM i (AS/400) SSL/TLS Capability (Hotfix

This hotfix adds SSL/TLS support for the IBM i connector (formerly AS/400) to compatible endpoint systems. 

Target servers must be running OS/400, i5/OS, or IBM i, at these maintenance levels: PTFs (Program Temporary Fix) on IBM i platform:

  • V7R3: SI65622
  • V7R2: SI65619
  • V7R1: SI65613

The IBM i application type defaults to using SSL/TLS. If you upgrade an existing IBM i (or AS/400) application, it continues without SSL/TLS. You must re-enable SSL/TLS. If you are adding a new IBM i application that does not support SSL or TLS, disable SSL/TLS.

Enable SSL/TLS

To enable SLL/TLS for an IBM i target connector in the UI, follow these steps:

  1. For existing applications, go to CredentialsManage TargetsApplications, and Update the application. 
  2. Select the IBM i tab. 
  3. Select the SSL/TLS Enabled checkbox.  
  4. Optionally, you can view the server certificate. Select the magnifying glass Search icon. 
  5. Click OK to save.
    The certificate is installed. Your IBM i system is ready for SSL/TLS connections. Any password verification or changes to IBM i target accounts for this application now use an SSL/TLS connection. If your IBM i endpoint does not support SSL/TLS connections, an error occurs.

Disable SSL/TLS

To disable SLL/TLS for an IBM i target connector in the UI, follow these steps:

  1. Follow the steps in Add Target Applications for new applications. 
  2. For Application Type, select IBM i
  3. Select the IBM i tab. 
  4. Clear the SSL/TLS Enabled checkbox to disable SSL/TLS.  
  5. Click OK to save. 

New CLI Command

One new command is added to the AS/400 Target Connector for the Credential Manager CLI:


Specify whether to use a secure (SSL or TLS) connection. 

Required Default Value Valid Values
yes true true, false

More Information

For more information about this target connector, see AS400 Target Connector.


Do the following tasks before installing this patch:

Install the Hotfix

The hotfix takes several minutes to install on each server.

Note: This procedure initiates a reboot of the appliance.

Before you install the hotfix:

  • To prevent logins to CA Privileged Access Manager during configuration changes, turn on Maintenance Mode. Maintenance Mode is not required, but it stops disruptions from user activity. 
    To enable Maintenance Mode:
    1. Select ConfigurationDiagnosticsSystem.
    2. On the Modes page, turn on Maintenance Mode.
  • If you have a clustered environment, turn off the cluster. 

Follow these steps on each server in your environment:

  1. Log in to the UI as an administrator with Global Administrator permissions.
  2. Navigate to Configuration, Upgrade.
  3. On the Patches page, click Choose File and browse to the location of the patch file on your local system.
  4. Click Upload and Apply. 
    During the upload, you might temporarily see a blank page. The hotfix gets installed and the appliance reboots. 
  5. Verify that the hotfix installation is successful. Look for a message at the top of the page that indicates upgrade success. Also, ensure the Upgrade History lists the patch and the date and time it was applied. If you do not see this information, contact CA Support for further instructions.
  6. Log out from the UI.
  7. Log back in to the UI and verify that you can access devices on the Access page.

After you successfully apply this hotfix, complete the following steps:

  1. Turn on the cluster. 
  2. If applicable, turn off Maintenance Mode.
  3. Instruct all users who connect to the appliance through a browser, to clear their Java caches before they log in again.

Revert the Hotfix

To revert to a previous hotfix, install the associated revert hotfix, CAPAM_3.1.1.18-revert.p.bin. The installation instructions for the revert hotfix are the same as the hotfix.

To revert two or more hotfixes, install each revert hotfix in reverse sequence until you have reached the target hotfix.

Was this helpful?

Please log in to post comments.