Symantec Privileged Access Manager 3 - NIAP-CCEVS


Symantec Privileged Access Manager 3.3

Common Criteria Guidance Supplement

Doc No. 2090-000-D105 Version: 1.3 29 May 2020

Broadcom
520 Madison Avenue
New York, New York, USA 10022

Prepared by:
EWA-Canada
1223 Michael Street North, Suite 200
Ottawa, Ontario, Canada K1J7T2


Symantec Privileged Access Manager 3.3 Common Criteria Guidance Supplement

Doc No: 2090-000-D105 Version: 1.3 Date: 29 May 2020 Page i of i

CONTENTS

PREPARATION OF THE OPERATIONAL ENVIRONMENT  1
    OPERATIONAL ENVIRONMENT  1
    EVALUATED CONFIGURATION  1
    POTENTIAL POLICY CONFLICT  1
    CONFIGURATION OF SESSION RESTRICTION  2
    AUDIT RECORDS AND CONTENTS  2
    EXCLUDED FUNCTIONALITY  3
SECURE ACCEPTANCE AND INITIALIZATION  4
    SECURE ACCEPTANCE PROCEDURES  4
    SECURE INSTALLATION AND INITIALIZATION PROCEDURES  4
Annex A  A-1


PREPARATION OF THE OPERATIONAL ENVIRONMENT

OPERATIONAL ENVIRONMENT

In the evaluated configuration, it is assumed that the hardware and network components required for operation of the Target of Evaluation (TOE) will be located in an access-controlled secure data warehouse facility. This includes the following TOE and non-TOE components:

• Privileged Access Manager (PAM) Server (TOE)
• Socket Filter Agents (SFAs)
• Authentication Server

One or more SFAs must be implemented in the operational environment and be configured to protect organizational assets.

Additionally, the operational environment must be able to identify a user requesting access to the TOE, and must provide mechanisms to reduce the ability for an attacker to impersonate a legitimate user during authentication.

EVALUATED CONFIGURATION

The following configuration options must be applied to be in the evaluated configuration:

• Federal Information Processing Standards (FIPS) mode must be enabled
• Connections to the PAM Server Web Browser User Interface (UI) must use Hypertext Transfer Protocol Secure (HTTPS)
• Credential validation for web users is performed by an external Lightweight Directory Access Protocol (LDAP) server with Transport Layer Security (TLS) enabled
• Credentials for targets are not configured in policies
• TOE administrators using the Web Browser UI are assigned the Global Administrator role; other users are assigned the Standard User role
• SFA Monitoring is enabled for all configured Socket Filter Agents
• The preconfigured “super” account password is changed during installation (to a secure value) and the account is not used after installation. All administrator access is via user accounts added during installation or operation
• Login timeouts (for inactive sessions) are not disabled

POTENTIAL POLICY CONFLICT

Policies are identified by name and are associated with User and Device pairs, either directly or via inheritance from a User Group or Device Group. For policies pertaining to connections to targets, User policies always take precedence over User Group policies, and Device policies always take precedence over Device Group policies. Because of the strict hierarchy used by PAM, conflicting policies are prevented. Policies pertaining to SFAs do not have a hierarchical relationship, so conflicting policies can exist between User (direct) and Group (inherited) policies. User and Group policies are examined before deployment to SFAs. If a conflict exists, connection attempts referencing the policy are prohibited and the following error message is displayed to the user:

Message 20: Error occurred while trying to complete request
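The two rules above (a strict hierarchy for connection policies, no hierarchy and therefore a hard refusal on conflict for SFA policies) can be expressed in a few lines. The following Python model is an added example, not code from the guidance or from the PAM product. The data model (policies keyed by a subject/object name pair, access methods as strings, one named Socket Filter List per policy), the sample names (alice, bob, admins, db01, linux-servers) and the tie-break that weighs the User side before the Device side are all assumptions made for this illustration; the guidance does not state how a User-direct/Device-Group policy ranks against a User-Group/Device-direct one.

```python
# Added example (not PAM code): a small model of the policy precedence and the
# SFA conflict rule described in the guidance. Data model and names are
# assumptions made for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    subject: str                 # User name or User Group name
    obj: str                     # Device name or Device Group name
    access: frozenset            # permitted access methods, e.g. {"SSH:22"}
    socket_filter: str = ""      # Socket Filter List applied by the SFA, "" if none


class ConflictingPolicyError(Exception):
    """Direct (User) and inherited (Group) SFA policies disagree."""


def connection_policy(user, user_groups, device, device_groups, policies):
    """Resolve the single policy that governs a connection from user to device.

    Hierarchy from the guidance: a policy bound directly to the User beats one
    inherited from a User Group, and one bound directly to the Device beats one
    inherited from a Device Group. Assumption of this model: the User side is
    weighed first when the two sides disagree on specificity.
    """
    by_key = {(p.subject, p.obj): p for p in policies}
    subjects = [user] + list(user_groups)      # most specific first
    objects = [device] + list(device_groups)   # most specific first
    for s in subjects:
        for o in objects:
            hit = by_key.get((s, o))
            if hit is not None:
                return hit                     # first hit wins: no conflict possible
    return None


def sfa_filter(user, user_groups, device, device_groups, policies):
    """Return the Socket Filter List name the SFA on `device` must enforce.

    SFA policies have no hierarchy, so a direct User policy and an inherited
    Group policy naming different lists are a conflict; the guidance says the
    connection attempt is then refused and "Message 20" is shown.
    """
    subjects = {user, *user_groups}
    objects = {device, *device_groups}
    names = {p.socket_filter for p in policies
             if p.subject in subjects and p.obj in objects and p.socket_filter}
    if len(names) > 1:
        raise ConflictingPolicyError(
            "Message 20: Error occurred while trying to complete request")
    return names.pop() if names else ""


def evaluate(user, user_groups, device, device_groups, policies):
    """Combine both checks into the outcome a connection attempt would see."""
    try:
        sfl = sfa_filter(user, user_groups, device, device_groups, policies)
    except ConflictingPolicyError as err:
        return {"allowed": False, "reason": str(err)}
    pol = connection_policy(user, user_groups, device, device_groups, policies)
    if pol is None:
        return {"allowed": False, "reason": "no policy"}
    return {"allowed": True, "access": sorted(pol.access), "socket_filter": sfl,
            "source": (pol.subject, pol.obj)}


# Constructed sample data: one group-level policy plus two user-level overrides.
SAMPLE_POLICIES = (
    Policy("admins", "linux-servers", frozenset({"SSH:22"}), "no-lateral"),
    Policy("alice", "linux-servers", frozenset({"SSH:22", "RDP:3389"})),
    Policy("alice", "db01", frozenset({"SSH:22"}), "db-subnet-only"),
)

if __name__ == "__main__":
    # bob inherits everything from the admins group
    print(evaluate("bob", ["admins"], "db02", ["linux-servers"], SAMPLE_POLICIES))
    # alice: the direct User+Device policy wins for the connection, but the SFA
    # sees two different filter lists (direct vs. inherited) and refuses
    print(evaluate("alice", ["admins"], "db01", ["linux-servers"], SAMPLE_POLICIES))
```

The alice/db01 case is the one the guidance warns about: the connection policy resolves cleanly, but the SFA policy check finds both "no-lateral" (inherited through admins/linux-servers) and "db-subnet-only" (direct) and refuses the attempt rather than guessing.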

CONFIGURATION OF SESSION RESTRICTION

To configure the session restriction attributes, navigate to Users > Manage Users. Select a user from the list and click Update. Update the access times as necessary and select OK.

AUDIT RECORDS AND CONTENTS

Each audit record may contain the following information: Address, Applet, Date, Time, Details, Device, Device Groups, NAT/Proxy IP, Port, Service, Source IP, Transaction, User Groups, Username. Only the information appropriate for that record will be included.

The following events are recorded:

Auditable Events

• Creation or modification of policy
• Transmission of policy to Access Control products
• Definition of object attributes
• Association of attributes with objects
• Definition of subject attributes
• Association of attributes with subjects
• All use of the authentication mechanism
• All modifications to audit configuration
• Establishment and disestablishment of communications with audit server
• Failure of the key generation activity
• Failure of the key zeroization process
• Failure of encryption or decryption
• Failure of cryptographic signature
• Failure of hashing function
• Failure in cryptographic hashing for non-data integrity
• Failure to establish a session, establishment/termination of a session
• Failure of the randomization process
• Failure to establish a session, establishment/termination of a session
• Use of the management functions
• Modifications to the members of the management roles
• All session termination events
• All session termination events
• Denial of session establishment
• All use of trusted channel functions
• All attempted uses of the trusted path functions

Table 1 – Auditable Events

EXCLUDED FUNCTIONALITY

The following features were not exercised as part of this evaluation:

• Access Control and Credential Management functionality

• The optional Application-to-Application (A2A) functionality

• Redundancy via clustered servers with automatic synchronization

• Secure Sockets Layer (SSL) Virtual Private Network (VPN) Service

In the evaluated configuration, PAM is installed on a physical appliance. PAM is also available as a VMware Open Virtual Appliance (OVA), an Amazon Machine Instance (AMI), or as an Azure Virtual Hard Disk (VHD).


SECURE ACCEPTANCE AND INITIALIZATION

SECURE ACCEPTANCE PROCEDURES

Customers are required to perform the following steps to ensure secure acceptance of the delivered TOE in accordance with the developer's delivery procedures.

2.1.1 Acceptance of Hardware Customers are required to verify that the hardware label matches the evaluated version of the TOE (Lanner NCA 5210A (404L)).

2.1.2 Acceptance of Software Customers are directed to verify the TOE version using the WebUI. Customers may do this by navigating to System Info, and viewing the TOE version on the Basic Info tab. The evaluated version of the TOE software is 3.3.0.1085.

SECURE INSTALLATION AND INITIALIZATION PROCEDURES

This section describes the steps necessary for secure installation and configuration.

1. Configure the appliance for remote access:
   a. Make power and Ethernet connections to the Lanner NCA 5210A (404L);
   b. Use the front panel interface to configure IP addresses for the default gateway, the netmask and the GB1 IP address on port 1;
   c. Save the configuration and select the reboot option;

2. Continue the configuration process from a workstation using a browser:
   a. Browse to https://ipaddress/config (where ipaddress is the IP address assigned to port 1 in Step 1b) and log in with the username ‘config’ and the password ‘config’;
   b. Change the config password by selecting the change password link at the top right of the web interface, and enter the new password. Enter the password a second time, and select ‘Update’;
   c. The web session is logged out and the display returns to the default login screen after the Java applet loads;
   d. On the default login screen, log in with the username ‘super’ and password ‘super’;
   e. Since this is the first login of a user to the main device, the ‘My Info’ page is shown and the site ‘MySite’ is created;
   f. Fill in the information requested, including an updated password, and select the ‘Save’ button;

3. Continue the configuration process from the front panel of the appliance:
   a. Use the front panel buttons to enable FIPS mode by navigating through the LCD menu and selecting ‘Turn on FIPS’;
   b. The TOE will automatically reboot and display ‘FIPS mode’ on the front panel;

4. Continue the configuration process from a workstation using a browser:
   a. Browse to https://ipaddress (where ipaddress is the IP address assigned to port 1 in Step 1b) and log in with the username ‘super’ and the password configured in Step 2f;
   b. Configure the LDAP server information by selecting ‘config’ on the top menu, and then selecting ‘3rd Party’ from the drop-down menu to display the ‘3rd Party’ page. Scroll down to the ‘Add LDAP Domain’ section and supply the appropriate values for Server, Port, Bind Credentials, Bind Password, and Server Type. The ‘Use TLS (LDAPv3 Only)’ box in Other Options must be selected. Select ‘Add’;
   c. Log out by selecting the ‘Log Off’ button on the top menu. Log in again with the username ‘super’ and the password configured in Step 2f;
   d. Configure the LDAP groups that are to be allowed access to PAM by selecting ‘Users’ on the main menu bar, and selecting ‘Manage Groups’. When the group management page is displayed, select ‘Import LDAP Group’. This will launch the LDAP Browser. Navigate to ‘Users’ and check the boxes next to the desired groups on the LDAP server. Select ‘Groups’, and select ‘Manage selected groups’ to register those groups with the appliance. Highlight the groups and select ‘add group’ in the pop-up window;
   e. While on the ‘Manage Groups’ page, select the ‘Admins’ group, and in the drop-down menu for ‘Available Roles’ select ‘Global Administrator’. Select ‘Save’;
   f. Log out. Log in again with the username ‘super’ and the password configured in Step 2f;
   g. Navigate to the ‘Global Settings’ page and check the ‘Show License Warning’ box. Enter text for the login banner in the text field and select ‘Save Global Settings’; and
   h. Log out.


Annex A to Symantec Privileged Access Manager 3.3 Common Criteria Guidance Supplement

Doc No: 2090-000-D105 Version: 1.3 Date: 29 May 2020 Page A-1 of A-242

Annex A

This annex includes excerpts from the Broadcom Symantec Privileged Access Manager online documentation. These excerpts are provided to satisfy the guidance requirements of the CC evaluation.

Supported Environments

At a Glance

This document identifies platform support for Privileged Access Manager versions 3.0, 3.1, 3.2 and 3.3.

Privileged Access Manager ships as either a hardware or software-based appliance. In both cases, the operating system and database are included with the software package. We support the listed platforms for end-point Session Management, Credential Management, and ancillary agents. These agents (A2A Client, Socket Filter Agent, or CA PAM Workstation Client) are required for certain features of Privileged Access Manager.

CA PAM Workstation Client is the primary access method to CA PAM. The only browser option is Microsoft Internet Explorer 11 as IE remains the only browser with NPAPI support. If you use IE11, Java 8u-latest must be installed on the desktop.

Session and Credential Management Platform Support

Operating System Platforms | v3.0.x | v3.1.x | v3.2.x | v3.3.x
CentOS 7.0 | ✔ | ✔ | ✔ | ✔
CentOS 7.2 | ✔ | ✔ | ✔ | ✔
Fedora™ 23 | ✔ | ✔ | ✔ | ✔
IBM® AIX 7.2 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 2008 R2 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 2012 R2 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 7 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 8.1 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 10 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 2016 |  | ✔ | ✔ | ✔
Microsoft® Windows 2019 |  |  |  |  
Oracle® Solaris 10 | ✔ | ✔ | ✔ | ✔
Oracle® Solaris 11.0 | ✔ | ✔ | ✔ | ✔
Red Hat® Enterprise Linux 6.6 | ✔ | ✔ | ✔ | ✔
Red Hat® Enterprise Linux 7.0 | ✔ | ✔ | ✔ | ✔
Red Hat® Enterprise Linux 7.2 | ✔ | ✔ | ✔ | ✔
SuSE® Linux Enterprise Server 11 SP3 | ✔ | ✔ | ✔ | ✔


Databases (as Target Applications) | v3.0.x | v3.1.x | v3.2.x | v3.3.x
IBM® DB2 v10.5 [1] | ✔ | ✔ | ✔ | ✔
Microsoft® SQL Server 2008 R2 | ✔ | ✔ | ✔ | ✔
Microsoft® SQL Server 2012 R2 | ✔ | ✔ | ✔ | ✔
Microsoft® SQL Server 2014 | ✔ | ✔ | ✔ | ✔
Oracle® 11g | ✔ | ✔ | ✔ | ✔
Oracle® 12c | ✔ | ✔ | ✔ | ✔
Oracle® MySQL 5.7 | ✔ | ✔ | ✔ | ✔

Network Devices [2] | v3.0.x | v3.1.x | v3.2.x | v3.3.x
Cisco™ ASA | ✔ | ✔ | ✔ | ✔
Cisco™ IOS | ✔ | ✔ | ✔ | ✔
Cisco™ TACACS+ Server | ✔ | ✔ | ✔ | ✔
Palo Alto PAN Server 6 | ✔ | ✔ | ✔ | ✔
Palo Alto Devices (Layer 3, Option C configuration) | ✔ | ✔ | ✔ | ✔
Devices with *nix Operating Systems using SSHv2 connection | ✔ | ✔ | ✔ | ✔

Mainframe [3] [4] | v3.0.x | v3.1.x | v3.2.x | v3.3.x
CA ACF2™ r15 | ✔ | ✔ | ✔ | ✔
CA TopSecret® r15 | ✔ | ✔ | ✔ | ✔

Directories | v3.0.x | v3.1.x | v3.2.x | v3.3.x
CA® Directory v12 | ✔ | ✔ | ✔ | ✔
Microsoft® Active Directory [5] | ✔ | ✔ | ✔ | ✔
Red Hat® Enterprise Linux [6] | ✔ | ✔ | ✔ | ✔

[1] IBM® DB2 is an OS credential. Use the UNIX connector. See product documentation.
[2] As Target Applications. Typically, network devices use the SSH protocol for user session establishment. Use the UNIX connector. See product documentation.
[3] Requires CA LDAP for Mainframe System z.
[4] Transparent Login functionality for Mainframe is not supported.
[5] For any supported Windows Server.

Cloud & Virtualization Platforms | v3.0.x | v3.1.x | v3.2.x | v3.3.x
Amazon Web Services™ Admin web console access | ✔ | ✔ | ✔ | ✔
Microsoft® Office 365 Admin console access | ✔ | ✔ | ✔ | ✔
VMware® vCenter 5.x | ✔ | ✔ | ✔ |  
VMware® vCenter 6.7 |  |  |  |  
VMware® NSX for vSphere | ✔ | ✔ | ✔ |  

Web/Application Servers | v3.0.x | v3.1.x | v3.2.x | v3.3.x
Apache Tomcat 7 | ✔ | ✔ | ✔ | ✔
Apache Tomcat 8 | ✔ | ✔ | ✔ | ✔
IBM® Websphere | ✔ | ✔ | ✔ | ✔
Oracle® Weblogic | ✔ | ✔ | ✔ | ✔

CA Threat Analytics (for PAM) | v3.0.x | v3.1.x | v3.2.x | v3.3.x
CA Threat Analytics (for PAM) v2.0 | ✔ | ✔ | ✔ | ✔
CA Threat Analytics (for PAM) v2.2 | ✔ | ✔ | ✔ | ✔
CA Threat Analytics (for PAM) v2.3 |  |  |  |  

IT Service Management Systems | v3.0.x | v3.1.x | v3.2.x | v3.3.x
CA Service Desk Manager 12.6 | ✔ | ✔ |  |  
CA Service Desk Manager 12.7 | ✔ | ✔ |  |  
CA Service Desk Manager 12.9 | ✔ | ✔ |  |  
CA Service Desk Manager 14.1 | ✔ | ✔ | ✔ | ✔
CA Service Desk Manager 17.0 |  |  | ✔ | ✔
BMC Remedy 8.1 | ✔ | ✔ | ✔ | ✔
BMC Remedy 9.1 |  |  | ✔ | ✔
HP Service Manager 9.32 | ✔ | ✔ | ✔ | ✔
HP Service Manager 9.41 |  |  | ✔ | ✔
Salesforce Service Cloud (Winter 2015) | ✔ | ✔ | ✔ | ✔
ServiceNow (Eureka) | ✔ | ✔ |  |  
ServiceNow (Fuji) | ✔ | ✔ |  |  
ServiceNow (Geneva) | ✔ | ✔ |  |  
ServiceNow (Istanbul) |  |  | ✔ | ✔
ServiceNow (Jakarta) |  |  | ✔ | ✔

[6] When installed on a supported Red Hat Enterprise Linux Server.

CA PAM Workstation Client

The CA PAM Workstation Client enables you to log in to Privileged Access Manager and perform administrator and end-user activities without a customer-installed web browser and Oracle Java engine. The Client removes the required maintenance of keeping Java and browser configurations compatible with CA PAM. You can run any CA PAM connection applets and can provide a complete substitute for the traditional CA PAM GUI using the Client.

The client does not interfere in any way with traditional GUI access; both methods can be used from the same workstation. However, as of January 1, 2017, the only browser option is Microsoft Internet Explorer 11. IE is the only browser still with NPAPI support, which is required for the applets. If you use IE11, Java 8u-latest must be installed on the desktop. (Oracle Java 7 is end-of-life for public updates.)

You can download a client version compatible with your workstation OS types and can install from a button on the CA PAM GUI login page. The embedded JRE is downloaded with the client but CA PAM-served JARs download at runtime.

CA PAM Workstation Client (End-User Desktop Support) | v3.0.x | v3.1.x | v3.2.x | v3.3.x
Microsoft® Windows 7, 8.1, 10 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 2012 R2, 2016 |  | ✔ | ✔ | ✔
RHEL 7.3 x64 | ✔ | ✔ | ✔ | ✔
Apple macOS (El Capitan) | ✔ | ✔ | ✔ |  
Apple macOS (Sierra) | ✔ | ✔ | ✔ | ✔
Apple macOS (High Sierra) |  |  |  |  
Apple macOS (Mojave) |  |  |  |  

CA PAM Access Agent

The CA PAM Access Agent is a lightweight Windows alternative to the CA PAM Client.

CA PAM Agent (End-User Desktop Support) | v3.0.x | v3.1.x | v3.2.x | v3.3.x
Microsoft® Windows 10 64-bit |  |  |  |  

Mobile Support for CA PAM

Privileged Access Manager offers limited support for mobile devices. The CA PAM browser user interface is optimized for password view requests and password check-in and check-out operations for mobile devices.

Mobile Device | Operating System | Browser | v3.2.x | v3.3.x
iPhone X | iOS 11 | Safari | ✔ | ✔
iPhone 8 | iOS 11 | Safari | ✔ | ✔
iPad Pro 12.9 | iOS 11 | Safari | ✔ | ✔
iPad Pro 10.5 | iOS 11 | Safari | ✔ | ✔
Samsung Galaxy 8 | Android 7 (Nougat) | Chrome v.64.0.3282 | ✔ | ✔
Samsung Galaxy 7 | Android 7 (Nougat) | Chrome v.64.0.3282 | ✔ | ✔

CA PAM App2App Client

App2App integration allows administrators to provide authorization for applications to access privileged credentials for application-to-application transactions. An App2App client is installed on the Request server where the requesting application resides and has various security checks to maintain authorization control. Multiple programming and scripting languages can be used (see product documentation for integration details).

CA PAM App2App Client | v3.0.x | v3.1.x | v3.2.x | v3.3.x
AIX 6 | ✔ | ✔ | ✔ | ✔
AIX 7 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 2008 R2 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 2012 R2 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 2016 |  | ✔ | ✔ | ✔
Microsoft® Windows 2019 |  |  |  |  
Red Hat Enterprise Linux 6 | ✔ | ✔ | ✔ | ✔
Red Hat Enterprise Linux 7 | ✔ | ✔ | ✔ | ✔
Solaris 10 | ✔ | ✔ | ✔ | ✔
Solaris 11 | ✔ | ✔ | ✔ | ✔

CA PAM App2App languages | v3.0.x | v3.1.x | v3.2.x | v3.3.x
Java | ✔ | ✔ | ✔ | ✔
C++ | ✔ | ✔ | ✔ | ✔
C | ✔ | ✔ | ✔ | ✔
C# | ✔ | ✔ | ✔ | ✔
PHP | ✔ | ✔ | ✔ | ✔
Python | ✔ | ✔ | ✔ | ✔
JavaScript | ✔ | ✔ | ✔ | ✔
Perl | ✔ | ✔ | ✔ | ✔
PowerShell | ✔ | ✔ | ✔ | ✔
Korn Shell | ✔ | ✔ | ✔ | ✔
C Shell | ✔ | ✔ | ✔ | ✔

CA PAM Socket Filter Agent

Installed on an endpoint, the Socket Filter Agent is used to provide lateral containment (such as preventing administrators from “leap frogging” to another server).

CA PAM SFA Client | v3.0.x | v3.1.x | v3.2.x | v3.3.x
UNIX, Linux | ✔ | ✔ | ✔ | ✔
AIX 6 | ✔ | ✔ | ✔ | ✔
AIX 7 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 2008 R2 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 2012 R2 | ✔ | ✔ | ✔ | ✔
Microsoft® Windows 2016 |  |  |  |  
Microsoft® Windows 2019 |  |  |  |  

Set a User-Device Policy

Apply a policy to a user-device pair to allow that user access to the device or to view a password based on the device.

Follow these steps:

1. Select Policy, Manage Policies. The policy page appears.
2. In the User (Group) field, start typing the User or User Group you want, and select the matching full name from the filtered drop-down list.
3. In the Device (Group) field, start typing the Device or Device Group you want, and select the matching full name from the filtered drop-down list.
4. In the upper-right corner of the page body, click the Create Policy link. A policy template opens.
5. (Optional) To use an Access Method, click Add (or Edit) to the right of Access, and from the drop-down list select an available type: port (for example, RDP:3389). A blank field opens to the right.
   a. (Optional) To allow auto-connection to the device, click in this field and select a target account - target account pair.
6. (Optional) To use a previously provisioned local Service, click Add (or Edit) to the right of Services, and from the drop-down list select a Service (for example, PuTTY). A blank field opens to the right.
   a. (Optional) To allow auto-connection to the device, click in this field and select a target account - target account pair.
7. (Optional) To allow this user to view a target account password:
   a. Click Add (or Edit) to the right of Passwords. From the drop-down list, select a target application. A blank field opens to the right.
   b. Click in this field. Select an available target account from the drop-down list for the application which stores the password.
8. (Optional) To apply a Command Filter to all connections, select one from the drop-down list.
9. (Optional) To apply a Socket Filter to all connections, select one from the drop-down list.
   a. (Optional) To prevent device access whenever its Socket Filter Agent (SFA) is not running, select Restrict login if agent is not running.
10. (Optional) To activate recording, select Graphical for RDP or VNC connections or Command Line for CLI connections.
   a. (Optional) For CLI connections, to capture both output and input lines, select Bidirectional. Otherwise, only output lines are captured.
   b. (Optional) To start recording only after the user commits a (filter) violation, select On Violation. Otherwise, all connections are recorded from start to finish.
11. Click Save. You return to the policy list. The activated device or password access is now available for execution from the Access page of the user.


Provision Access Policies

Provision access policies to enforce access rules for specific users and user groups. Policies associating users and devices can be defined at a granular level (device and port). Each user then has access only to the devices and applications that they need to do their jobs.

A policy is a set of configuration values identifying permitted or required:

• Access types (access method applets, TCP/UDP, and application services)
• Access restrictions (command filters, socket filters)
• Passwords (which involve Devices and resident applications)
• Recording (graphical or command line)

A Policy specifies the interactivity between:

• one registered user or user group (including LDAP and RADIUS) and
• one managed device or device Group

After a user logs in to a device using the policy assignments, the appliance can:

• Record user activity
• Perform command filtering
• Terminate user leapfrog attempts

Access Provisioning

The access capabilities that you provide for a Device are available for specification in Policy. See Set Up Access to a Target Device for information about setting up access capabilities for Devices.

Access Restrictions

Through a Policy, these restrictions to Device or Device Group access can be imposed on a particular User or User Group:

• Command Filtering
• Socket Filtering

Command Filtering

You can use command filter lists to enforce policies in the command line applets TELNET, SSH, and serial consoles. Both Command Filtering and Socket Filtering use whitelists and blacklists to set the appropriate policy.

• A command-filtering blacklist is a list of commands that a user cannot type. If the user attempts to type the command, the appliance can flag (log), alert, remediate, and stop the command from being processed. All other commands are allowed.

• A command-filtering whitelist is a list of the commands that a user can type. All other commands are prohibited.

Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets. The Command Filter Configuration (CFC) sets the behavior of the blacklist and whitelist command filters.

Command Filter Alerts Example

From: [email protected]
To: [email protected]
Cc:
Subject: Alert Msg from xsuite1
-------------------------------------------------------------------------------
Date/Time: Fri, 1 Oct 2010 14:09:05
User ID: Traveler123
User Source IP: 168.0.2.123
Violation on: LinuxBox12
Captured Keystrokes: rlogin

Socket Filtering

Socket Filter Agents (SFAs) are Privileged Access Manager components that are used to restrict access either to server-based devices or from server-based devices. Socket filters provide a different kind of access control than devices with finite command sets, such as routers and switches, for which command filtering is applied. Three components are required:

• Socket Filter Lists – to define either a socket blacklist (specifying where access is prohibited) or whitelist (specifying where access is allowed)
• Socket Filter Agents – to apply rules that are specified by Socket Filter Lists and used in Policies.
• Socket Filter Configuration – to apply agent behavior across all Privileged Access Manager-managed devices using socket filter agents.
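The blacklist/whitelist semantics of the Command Filtering bullets above and of the Socket Filter Lists just listed are easy to get backwards, so here they are as executable decisions. This Python evaluator is an added example written for this page, not code from the PAM product or its documentation. The filter representation (one regular expression per command word, a CIDR network plus optional port per socket entry), the os_user/platform switch that models the note in the documentation that the Linux root account is exempt from SFA rules while Windows administrators are not, and the sample filters and keystroke log are all constructed for the illustration; the alert layout copies the field order of the sample mail above.

```python
# Added example (not PAM code): evaluator for command filter and socket filter
# lists with the blacklist/whitelist semantics described in the documentation.
# Filter representation, sample data and the root-exemption switch are
# assumptions made for this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re


@dataclass(frozen=True)
class CommandFilter:
    mode: str        # "blacklist": listed commands forbidden; "whitelist": only listed allowed
    commands: tuple  # regular expressions matched against the command word


def command_violation(cf, line):
    """True when the typed line violates the filter (first word is the command)."""
    words = line.strip().split()
    command = words[0] if words else ""
    listed = any(re.fullmatch(pat, command) for pat in cf.commands)
    if cf.mode == "blacklist":
        return listed            # listed commands are forbidden, all others allowed
    if cf.mode == "whitelist":
        return not listed        # only listed commands are allowed
    raise ValueError(f"unknown filter mode {cf.mode!r}")


@dataclass(frozen=True)
class SocketFilterList:
    mode: str       # "blacklist": where access is prohibited; "whitelist": the only places allowed
    entries: tuple  # (network in CIDR notation, port or None for any port)


def socket_allowed(sfl, dst_ip, dst_port, os_user="", platform="linux"):
    """Decide whether the SFA lets an outbound connection from the host through.

    Models the documented exemption: Linux root is not subject to SFA rules,
    Windows administrator accounts are.
    """
    if platform == "linux" and os_user == "root":
        return True
    addr = ip_address(dst_ip)
    listed = any(addr in ip_network(net) and port in (None, dst_port)
                 for net, port in sfl.entries)
    return not listed if sfl.mode == "blacklist" else listed


def alert_text(appliance, when, user_id, src_ip, device, keystrokes):
    """Render a violation with the field order of the sample 'Alert Msg' mail."""
    return "\n".join([
        f"Subject: Alert Msg from {appliance}",
        "-" * 79,
        f"Date/Time: {when}",
        f"User ID: {user_id}",
        f"User Source IP: {src_ip}",
        f"Violation on: {device}",
        f"Captured Keystrokes: {keystrokes}",
    ])


def review_session(cf, lines, appliance, when, user_id, src_ip, device):
    """Run typed lines through the command filter; return one alert per violation."""
    return [alert_text(appliance, when, user_id, src_ip, device, line.strip())
            for line in lines if command_violation(cf, line)]


# Constructed sample filters and a short keystroke log.
LEAPFROG_BLACKLIST = CommandFilter("blacklist", (r"rlogin", r"ssh", r"telnet", r"rsh"))
READ_ONLY_WHITELIST = CommandFilter("whitelist", (r"ls", r"cat", r"tail", r"grep"))
LATERAL_BLOCK = SocketFilterList("blacklist", (("10.0.0.0/8", None), ("192.168.1.0/24", 22)))
SAMPLE_KEYSTROKES = ["ls -la /var/log", "rlogin LinuxBox13", "tail -f /var/log/messages"]

if __name__ == "__main__":
    for alert in review_session(LEAPFROG_BLACKLIST, SAMPLE_KEYSTROKES, "xsuite1",
                                "Fri, 1 Oct 2010 14:09:05", "Traveler123",
                                "168.0.2.123", "LinuxBox12"):
        print(alert, end="\n\n")
    print(socket_allowed(LATERAL_BLOCK, "10.1.2.3", 443))                 # blacklisted network
    print(socket_allowed(LATERAL_BLOCK, "10.1.2.3", 443, os_user="root"))  # root is exempt
```

Two points worth noticing when run: a whitelist refuses anything it does not name, so an empty whitelist blocks every command, while an empty blacklist blocks nothing; and the root exemption means a socket blacklist on a Linux host only contains users who connect as something other than root, which is why the documentation singles it out.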

Socket Filter Lists (SFLs)

Socket Filter Lists define groups of servers or networks that can be applied to a policy for LeapFrog Prevention.

Socket Filter Agents (SFAs)

Once a Socket Filter Agent is deployed and a user connects through Privileged Access Manager to the host Device, the SFA downloads the user policy. The SFA then enforces at the Device any blacklist or whitelist filters. A blacklist contains devices and ports that the user is prevented from accessing. A whitelist identifies the only devices and ports that a user can connect to. The SFA does not inspect or disturb any other connections to that Device, such as production web traffic or Privileged Access Manager users who are not restricted. SFAs can be installed on Windows and Linux devices. The Linux root account is exempt from SFA rules and restrictions. Windows administrator accounts are subject to SFA rules and restrictions.

Socket Filter Configuration (SFC)

Global values that affect the behavior of the socket filter agents are found under Socket Filter Configuration, accessible through the Policies menu. CA Technologies advises verifying your organization policies before setting up socket filtering. Network heartbeat checks might not be allowed.

Amazon Web Services (AWS)

When a connection is made to AWS after populating the Config, 3rd Party, AWS settings, the Policy, Manage Policies, AWS Policies link interface is established for specifying the AWS IAM Policy.

Defining AWS Policies

The AWS policy is applied for AWS privileges when accessing the AWS management interface. Initially, the editing window Manage AWS Policies holds two default versions, but you can edit or create an IAM policy. Although Privileged Access Manager is designed to pass an IAM Policy to AWS, AWS does not accept an AWS Policy that is "too lengthy." The length limit is not a predictable value, but can be evaluated by AWS before processing to avoid errors. Therefore, Privileged Access Manager sends all submitted policies to AWS for preprocessing. If the size limit is exceeded, an error message is relayed to the Privileged Access Manager user.

Workaround: Some guidance on permitted length is provided in this AWS Forum thread: https://forums.aws.amazon.com/thread.jspa?threadID=80882

Specifying AWS Policies

When a Service has been configured for access to the AWS management interface, the credential specification pop-up window in the Manage Policy interface also provides for the IAM policy specification through the AWS Policy field at the right-hand side of the pop-up window.

Session Recording

In addition to the access controls that are applied in advance, session recording can be assigned to a policy, providing a view of User actions after the fact. As recordings, they simulate the environment of the User to provide a view into what transpired during a connection session.

Note: Privileged administrators also apply control during sessions with the ability to terminate a connection session or log a User off Privileged Access Manager, while Privileged Access Manager logging is another during-session or post-session tracking resource.

In the command-line applets TELNET, SSH, and Console, user keystrokes can be recorded. Graphical session recording is available with the RDP and VNC applets. Recordings are identified in the GUI as line items. They can be searched with variable text filtering. When a recording identifies a User violation, this fact is marked inside the recording as the User views it. The line item record is also highlighted in bold red. The session recording logs are not stored on Privileged Access Manager. The session recording files can be stored on mount points or sent to a syslog consolidation server.


Use a directory mounted to a Windows or UNIX server for session recordings to be available through the administration interface. The session recordings can be viewed in Sessions, Session Recordings. Session Recording policy is set for a user/user group – device / device group pair in Policies, Manage Policies. In the Recording pane:

• Selecting Command Line records user entry, and if Bidirectional is selected, Privileged Access Manager records both the user and device responses.

• Selecting Graphical records the user GUI interaction with the Windows server as a movie that can be played, stopped at any point, and replayed from any point.

Set Up a Policy As an administrator, apply a policy to a user-device pair. The policy defines user access to the device or to view a password for the device. Assign a policy using one of the following methods:

• Policy template • Imported CSV file

A policy can also be applied based on inheritance from a parent group. A User effective policy spans these categories, as the union of all policy assignments. It reflects the range of device and access options available to a user as represented on the User Access page. As an administrator, you can view a User effective policy in Users, Manage Users, Update, Manage Policy. The configuration of a Device provides a template for choosing access methods are allowed for a particular User. The scope of this template has previously been defined by the attributes that are assigned in the Device record. A unique policy can exist between every match of each of the first (Users and User Groups) with each of the second (Devices and Device Groups). For example, if there are three Users and three Devices, after matching each User with each Device, there could be up to nine different policies. Note: For information about Credential Manager Password Policies, see Credential Manager Policies. Prerequisites

• Session recording activation requires that storage is configured in advance on the Configuration, Logs, Session Recording page.

• Define Users, Devices, Access Types, Services, and Filters. Configure the components of a policy first so that they are available to include in a policy.

Policy Template

Create an association with a user and device using the policy template. To import policies using a CSV file, see Import or Export Policies. These procedures begin from the Policy menu. However, for some user records, you can edit a policy template from the user record by selecting Manage Policy. Follow these steps:

1. Select Policies, Manage Policies.

2. Complete one of the following actions:

• Create a new policy by clicking Add.

• Select an existing policy record and click Update. If the policy record is not listed, find it by selecting the User/User Group or Device/Device Group search criteria at the top of the screen.

3. If you are adding a new policy, use the fields in the Association section to locate the user or device that you want to associate in a policy. Select the search icon in one of the fields to display the list of choices. Double-click an entry to add it to the Association screen. If you select a Device Group, only those Access Methods that are specified for the group are displayed.

4. On the Access tab, select one or more entries from the list and move them to the Selected Access list.

5. On the Services tab, select one or more services available for a provisioned device.

6. On the SAML tab, set SAML options as appropriate. (SAML must already be configured for anything to show here.)

7. On the Password tab, select the passwords the user or user group can manage. Then, select from the available Device or Device Group defined target applications. When you select a target application, you can also select one or more provisioned target accounts for that application that the user can manage. For AWS AMI instances on UNIX and Linux Devices, only EC2 keys auto-populate as options.


8. If Socket Filter Agents are installed in the environment, select the available command and socket filters to assign to the black and white lists on the Filters tab. The filters listed are those set up in the Filters option of the UI. Select the Restrict login if agent is not running check box.

• If the product cannot detect a running SFA on the device and an SFA-monitored connection is attempted, the login is rejected. Unmonitored connection instances are never rejected by selecting this option.

• SFAs monitor the following connections: Access Method GUI, CLI, and mainframe applets; and RDP, VNC, and ICA Services.

• SFAs do not monitor: standard (customized) Services and Web Portal Services.

9. If session recording capability is configured, specify the types of recording to make using the options on the Recording tab. Set one or more of the following available options (availability depends on the selected access methods on the Access tab):

• Graphical (available for RDP and VNC access methods): Record user activity graphically.

• Command Line (available for TELNET, SSH, and Console access methods): Record user activity on the target device as plain text.

• Bidirectional (applicable for command line recordings only): Record command line output from the operating system or application as well as what the user types. Bidirectional recording is required for SSH Proxy applets. All mainframe-access applets apply bidirectional session recording when you enable recording.

• Web Portal (available for VNC access method only): Record user activity on the web portal graphically.

• On Violation (only valid if no other recording options are set): Start recording only when a user causes a violation against a Command Filter or Socket Filter during a session. The recording continues until the user ends the connection session.

To view session recordings when accessed through a Juniper SA appliance, configure a policy for allowing custom headers. See Junos configuration required for viewing session recordings.

10. Select Login Integration on the CA PAM Server Control tab if you are integrating with CA PAM Server Control. See CA Privileged Access Manager Server Control Login Integration for more information.

11. Select a Login on the Transparent Login tab if you are using Transparent Login. See Device Setup, Transparent Login for more information.

Junos Configuration Required for Viewing Session Recordings

To view session recordings when Privileged Access Manager is accessed through a Juniper SA appliance, configure a policy for allowing custom headers. Follow these steps:

1. Navigate to Resource Policies, Web, Custom Headers.

2. Create a policy.

3. Specify the IP address of the web portal resource that this policy applies to, with protocol specification, for example: https://192.0.2.123

4. Select the allow custom headers action.

How to Set Up LDAP Servers for User Authentication

Privileged Access Manager can authenticate users whose records reside on LDAP servers, including Microsoft Active Directory (AD), OpenLDAP, and other LDAP-compliant services. To enable CA PAM to communicate with an LDAP server:

• Add an LDAP Device

• Create a Target Account for the LDAP Server

• Identify the LDAP Servers in Your Environment


• Import LDAP Groups

Add an LDAP Device

Add a device that represents the target LDAP server, where an administrator account exists. This account must have read access to the tree from which CA PAM can pull administrators.

Follow these steps:

1. Navigate to Devices, Manage Devices, and select Add.

2. Complete the following required settings:

• Name: Enter the name of the LDAP server. If Access is configured, this name is displayed on the Access page.

• Address: Enter the LDAP Server IP address or fully qualified domain name. DNS must be configured on the Network Settings page for FQDN to work.

• Device Type: Select Password Management. Other types can also be selected.

Optionally, for details about other tabs on the Add Device page, see Device Setup.

3. Select Save and Add Target Applications.

The Add Target Application page opens.

4. Complete the following fields:

• Application Name: Specify an application of your selection.

• Application Type: Select the applicable application.

• For Active Directory, select Active Directory or Windows Proxy. To use the Windows Proxy type, a Windows Proxy must already be set up. For instructions, see Configure the Windows Proxy Connector.

• For other LDAP servers, select LDAP.

Depending on the type, different tabs become available at the top of the Add Target Application window.

5. Fill in the fields for your application type:

• Active Directory: Enter the Domain Name, such as ca.com. Alter the default Domain Controller Port if necessary.

• Windows Proxy: Select the Proxy from the Available Proxies list. Alter any other information as necessary.

• LDAP: Select Server Type of either OpenLDAP or Other. Alter the Protocol and Port if necessary. For more information about application settings, see the relevant topic:

• Add an LDAP Target Connector

• Add an Active Directory Target Connector

• Add a Windows Proxy Connector

6. Select OK to save the application.

Create a Target Account for the LDAP Server

Specify an application for bind requests between CA PAM and the LDAP server.


Follow these steps:

1. Navigate to Credentials, Manage Targets, Accounts, and select Add.

The Add Target account page opens.

2. Begin at the Application Name field. Select the LDAP application that you created previously.

The Host Name and Device Name automatically populate.

3. In the Account Name field, specify an account to use for connecting to the LDAP server.

4. Enter the Password for this account.

5. Enter the information that is required for the application type in use:

• Active Directory: Enter the Distinguished Name (DN). For example:

CN=Lookup,CN=Users,DC=security,DC=com

• Windows Proxy: Accept the default entry.

• LDAP: Enter the DN. For example:

CN=Lookup,CN=Users,DC=security,DC=com

If necessary, alter the default Change Process.

For more information about optional account settings, see Add Target Accounts to Target Applications.

6. Select OK to save the account.

Identify the LDAP Servers in Your Environment

Identify the remote LDAP server account that the appliance contacts to authenticate users. As an Administrator, you must have an account on the LDAP or Active Directory Server. This account must have read access to the tree from which you want to pull Administrators.

Follow these steps:

1. Navigate to Configuration, 3rd Party, LDAP.

2. Select Add on the LDAP Domains tab.

3. Complete the following fields by searching and selecting the appropriate entries:

• Bind Server

• Bind Application

• Bind Account

If you have only one LDAP account, complete the Bind Account field first, then the Bind Server and Bind Application fields automatically populate.

4. For a Windows Proxy, complete the Bind Credentials field. For example: [email protected]

5. Select the appropriate SSL Usage value.

6. To schedule regular synchronization updates between the appliance and the LDAP directory, enter a time interval in the Update Interval (minutes) field. If you set a small value, such as 10 minutes, you might experience high LDAP update traffic. This traffic might interfere with, or disable, cluster functioning. To avoid this problem, you can manage synchronization on-demand. Go to Users, Manage User Groups, and select Refresh LDAP Groups.

7. To filter the LDAP members from this connection, use the fields in the Attributes tab.

8. If Kerberos network authentication is set up on the LDAP server, enter the KDC server and port on the Kerberos tab.


9. On the Browse Points tab, optionally enter one or more DNs to serve as starting points to browse the LDAP directory. A browse point becomes the root from which to start browsing the tree.

10. To map specific fields from a PIV/CAC smart card to fields in Active Directory for authentication, use the Custom Field Mapping tab. We normally compare the smart card Subject Name to the DN (distinguishedName) AD attribute, and the Subject Alt Name on the card to the UPN (userPrincipalName) attribute. Use the Subject Name and Subject AltName drop-down lists to alter these mappings. For example, you might want to map Subject AltName to altSecurityIdentities.

11. Select OK to save.

The newly added LDAP domain appears in the LDAP Domains list. Once the connection to the LDAP server has been configured, LDAP users are imported through the Users, Manage User Groups interface.


Modify the Check Down LDAP Servers Interval (Optional)

LDAP servers can shut down or can become unavailable for other reasons. The Check Down LDAP Servers Interval setting specifies the interval, in minutes, at which CA PAM checks whether a previously unavailable LDAP server has become available. The LDAP servers must be in the LDAP domains list.

Follow these steps:

1. Navigate to Configuration, 3rd Party, LDAP.

2. Select the Check Down LDAP Servers Interval tab.

3. In the Interval (minutes) field, set the frequency at which the LDAP servers are polled. The default is 30 minutes.

4. Select Update to save the setting.

You can also select Check Now to poll all servers immediately.

Configure Multiple LDAP Servers

You can add multiple LDAP servers for the same or different domains. Users select the correct domain during authentication. If the primary server is unavailable, the appliance connects to any backups if listed. All Associations and user policies will be maintained after connection to the new server.

Import LDAP Groups

To import LDAP groups, use the Privileged Access Manager LDAP Browser, which launches automatically when you select an Import LDAP Groups button in the UI.

Note: You cannot import individual devices or users. To import individual objects, use the LDAP Browser to import the groups containing those objects.

When you import an LDAP group, the TLS 1.0/1.1 Connection Allowed configuration option is enforced.

To import LDAP device groups or user groups, see the following topics.

• Import LDAP Device Groups

• Import LDAP User Group

Messages and Log Formats

The content in this section describes Privileged Access Manager messages that are used in log entries, real-time UI warnings, and other informational output.

Note: The pre-formatted messages that are identified here are included in most syslog output (MSG field). Not every message is used in a syslog emission, and not all syslog emissions include a message. For example, some messages are used solely for user interaction. See Syslog Message Formats for more information.


• Syslog Message Formats

• PAM-AGT: CA PAM Access Agent Messages

• PAM-CF: Connector Framework Messages

• PAM-CLNT: CA PAM Client Messages

• PAM-CM: Credential Manager Messages

• PAM-CMN: Common Messages

• PAM-CS: Cluster Status Messages

• PAM-IMP: Import and Export Constants

• PAM-LDAP: LDAP Importer Messages

• PAM-MGC: Management Console Messages

• PAM-PRX: Proxy Messages

• PAM-SP: SailPoint Messages

• PAM-SPFD: Secure Port Forwarding Daemon Messages

• PAM-SRM: Session Recording Manager Messages

• PAM-TELE: Telemetry Segment Messages

• PAM-UI: User Interface Messages

• PAM-UIL: UI Logging Messages

• PAM-UPD: Session Clean-up and Storage Status Messages

• Credential Manager Client Return Codes

Message Code List Available from Server

Use the getErrorCodes CLI command to produce a complete list of Credential Manager error codes. The command takes no parameters, and returns an XML structure listing each error code and its description. For improved readability of the output, we recommend that you direct the XML structure to a separate file, and open it with an XML editor.

Example

This example directs the output of the getErrorCodes CLI command to a file called error_codes.xml. To retrieve a complete list of Credential Manager error codes:

1. Use the following command:

capam_command -u admin -p password capam=mycompany.com cmdName=getErrorCodes > error_codes.xml

Where password is the password of the admin account. Credential Manager returns an XML command string to the error_codes.xml file.

2. Open the error_codes.xml file with an XML editor, such as Notepad++.

Syslog Message Formats

Privileged Access Manager has two major formats for Syslog messages, and a few minor ones. The Application field denotes the major component source of the log message. This section describes the formats of these different Syslog messages.

• Session Management Log Formats

• Credential Management Log Formats

• GKMonitor

• Logwatch

• Other Messages

Session Management Log Formats

Format <priority>APPLICATION[PID]: MSG

Priority is produced by a standard IETF syslog grid of Facility by Severity. Syslog servers might extrapolate the Facility and Severity values. For example, 13 is “user-level” facility and “Notice” severity. See Syslog Priority Facility Severity Grid for more information.

Application denotes the major component source of the log message. For Session Management (formerly known as GateKeeper), this value is gkpsyslog.


PID is the process ID associated with the logged activity, which can help group log messages. MSG includes 12 fields common to Session Logs in the product UI, separated by commas, except after Date/Time.

MSG Fields

Date/Time: This field is not labeled, but sent as "created = yyyy-mm-dd hh:mm:ss" (The date and time are sent in UTC.)

Example: created = 2017-11-14 19:55:22

Private IP: "Private Address" in the UI; if none, a space is logged

Public IP: "Public Address" in the UI; if none, a space is logged

Nat/Proxy IP: "Nat/Proxy Address" in the UI; if none, a space is logged

User: "User Name" in the UI; should not be empty

Transaction: should not be empty

Address: if none, space, dash, space, dash is logged; for example: Address: - -,

Device Name: if none, space, dash, space, dash is logged; for example: Device Name: - -,

User Group: if none, space, dash, dash is logged; for example: User Group: --,

Port: if none, space, dash, space, dash is logged; for example: Port: - -,

Access/Protocol: "Applet" in the UI; if none, space, dash, space, dash is logged; for example: Access/Protocol: - -,

Service/App: "Service" in the UI; if none, space, dash, space, dash is logged; for example: Service/App: - -,

Details: The log messages included in the Details field are listed in the Messages and Log Formats section. This field should not be empty.

Each Session Management Syslog message ends in hex code 0A.
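As an added illustration (not code from the product or from this guide), the following Python parses Session Management records into the fields listed above. It matches on the field labels rather than splitting on commas, because the Details text is free-form, normalizes the documented "if none" placeholders to None, and decodes the priority byte into the facility and severity names of the Syslog Priority Facility Severity Grid described later in this section (the grid's duplicated "secur/auth" label is reproduced as-is). The sample records are the page's three examples re-joined onto single lines; login_sources is a small baseline check added on top of them.

```python
import re
from typing import Dict, Optional, Tuple

# Facility names in grid order (index = facility number). The page's grid labels both
# facility 4 and facility 10 "secur/auth", so that is reproduced here rather than corrected.
FACILITIES = [
    "kernel", "user-level", "mail", "system", "secur/auth", "syslog", "lpd/printer",
    "news/nntp", "uucp", "time", "secur/auth", "ftp", "ntp", "logaudit", "logalert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]

# The 12 labelled MSG fields, in the order the page lists them after the unlabelled Date/Time.
FIELDS = ["Private IP", "Public IP", "Nat/Proxy IP", "User", "Transaction", "Address",
          "Device Name", "User Group", "Port", "Access/Protocol", "Service/App", "Details"]

# <priority>APPLICATION[PID]: created = yyyy-mm-dd hh:mm:ss <rest of MSG>
_HEADER = re.compile(
    r"^<(\d{1,3})>(\w+)\[(\d+)\]: created = (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$", re.S)
# Anchor on the labels, not on commas: Details is free text and may itself contain commas.
_BODY = re.compile(
    ", ".join(re.escape(f) + r": (.*?)" for f in FIELDS[:-1])
    + ", " + re.escape(FIELDS[-1]) + r": (.*)$", re.S)

# Placeholders the page documents for absent values: a space, " - -" or "--".
_PLACEHOLDERS = {"", "-", "- -", "--"}


def decode_priority(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity, so the grid lookup is a single divmod."""
    if not 0 <= pri <= 191:
        raise ValueError(f"priority {pri} is outside the 0..191 grid")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def _norm(value: str) -> Optional[str]:
    value = value.strip()
    return None if value in _PLACEHOLDERS else value


def parse_session_record(line: str) -> dict:
    """Parse one Session Management record (the trailing 0x0A may or may not be present)."""
    m = _HEADER.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a Session Management syslog record")
    pri, app, pid, created, body = m.groups()
    b = _BODY.match(body)
    if not b:
        raise ValueError("MSG does not carry the 12 Session Log fields")
    facility, severity = decode_priority(int(pri))
    rec = {"priority": int(pri), "facility": facility, "severity": severity,
           "application": app, "pid": int(pid), "created_utc": created}
    for name, value in zip(FIELDS, b.groups()):
        rec[name] = value.strip() if name == "Details" else _norm(value)
    # Details leads with the PAM message code (e.g. PAM-CMN-0917), the stable key to alert on.
    code = re.match(r"(PAM-[A-Z]+-\d+)", rec["Details"])
    rec["message_code"] = code.group(1) if code else None
    return rec


def login_sources(lines) -> Dict[str, set]:
    """Map each user to the Nat/Proxy addresses of their successful local logins
    (Transaction 'login' with PAM-CMN-0917), as a baseline for spotting unexpected sources."""
    out: Dict[str, set] = {}
    for line in lines:
        rec = parse_session_record(line)
        if rec["Transaction"] == "login" and rec["message_code"] == "PAM-CMN-0917":
            out.setdefault(str(rec["User"]), set()).add(rec["Nat/Proxy IP"])
    return out


# The page's three example records, re-joined onto single lines (the page breaks them for
# legibility; on the wire each record is one line ending in 0x0A).
SAMPLE_RECORDS = [
    "<13>gkpsyslog[14289]: created = 2017-11-14 19:55:22 Private IP: , Public IP: , Nat/Proxy IP: , "
    "User: super, Transaction: admin, Address: - -, Device Name: - -, User Group: --, Port: - -, "
    "Access/Protocol: - -, Service/App: - -, Details: PAM-CMN-1371: Log records viewed\n",
    "<28>gkpsyslog[355]: created = 2017-11-14 18:17:03 Private IP: , Public IP: , Nat/Proxy IP: , "
    "User: sessionReconciliation, Transaction: system, Address: - -, Device Name: - -, User Group: --, "
    "Port: - -, Access/Protocol: - -, Service/App: - -, Details: PAM-CMN-1989: Ending session recording "
    "reconciliation. 0 session recording rows added to table. 0 sidecar(.inf) files added to share. "
    "0 nearly empty files deleted from share.\n",
    "<85>gkpsyslog[9632]: created = 2017-11-14 20:17:06 Private IP: , Public IP: , "
    "Nat/Proxy IP: 130.200.78.105, User: super, Transaction: login, Address: - -, Device Name: - -, "
    "User Group: --, Port: - -, Access/Protocol: - -, Service/App: - -, "
    "Details: PAM-CMN-0917: User super logged in successfully via local authentication.\n",
]

if __name__ == "__main__":
    for rec in map(parse_session_record, SAMPLE_RECORDS):
        print(rec["facility"], rec["severity"], rec["User"], rec["message_code"])
    print(login_sources(SAMPLE_RECORDS))
```

Feeding a syslog collector's export through parse_session_record gives one dict per record, so a SIEM rule can key on message_code and Transaction instead of on substrings of the free-text Details.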

Examples

Returns are added for legibility.

Log Records Viewed

<13>gkpsyslog[14289]: created = 2017-11-14 19:55:22 Private IP: , Public IP: , Nat/Proxy IP: , User: super, Transaction: admin,
Address: - -, Device Name: - -, User Group: --, Port: - -, Access/Protocol: - -, Service/App: - -,
Details: PAM-CMN-1371: Log records viewed

Session Recording Reconciliation

<28>gkpsyslog[355]: created = 2017-11-14 18:17:03 Private IP: , Public IP: , Nat/Proxy IP: , User: sessionReconciliation,
Transaction: system, Address: - -, Device Name: - -, User Group: --, Port: - -, Access/Protocol: - -,
Service/App: - -, Details: PAM-CMN-1989: Ending session recording reconciliation.
0 session recording rows added to table. 0 sidecar(.inf) files added to share.
0 nearly empty files deleted from share.

Super logged in

<85>gkpsyslog[9632]: created = 2017-11-14 20:17:06 Private IP: , Public IP: , Nat/Proxy IP: 130.200.78.105, User: super,
Transaction: login, Address: - -, Device Name: - -, User Group: --, Port: - -, Access/Protocol: - -,
Service/App: - -, Details: PAM-CMN-0917: User super logged in successfully via local authentication.

Credential Management Log Formats

Format <priority>VERSION TIMESTAMP HOSTNAME APPLICATION MSG

Priority is produced by a standard IETF syslog grid of Facility by Severity. Syslog servers might extrapolate the Facility and Severity values. For example, 134 is “local0” facility and “Info” severity. See Syslog Priority Facility Severity Grid for more information.

Version is the version number of the Syslog protocol standard. Currently this value can only be 1.

Timestamp uses the IETF RFC5424 format including date, time, and time zone. In practice, it is always UTC. For example: 2017-11-12T19:08:18+00:00

Hostname is the host name of the originating Privileged Access Manager instance.

Application denotes the major component source of the log message. For Credential Management, this value is pam.

MSG includes either Metric Data or Audit Data.

Beginning with release 3.0.2, the Metric and Audit data is not truncated.

Metric Data

Metric log entries result from functions that must be recorded as successes or failures, such as login attempts and password changes.


Each metric log entry contains an object that has several built-in fields. These fields are applied as tag names, and usually have object-specific extended attributes. For example, target accounts use extended attributes to store information that depends on the type of account.

Fields are used to store information common to all target accounts. Extended attributes are stored within a tag with attribute ("k") and value ("v") pairs.

The following fields appear in Metric log entries:

type: This field describes type of metric, such as login, or password change. The metric type determines the contents of the description field.

level: This field is not used, and is always set to "1".

errorCode: If the operation failed, the error code identifying the reason for the failure is identified here. A value of "0" denotes

success.

adminUserId: This field identifies the user (not necessarily an administrator) that performed the activity in question.

Success: This field identifies whether the operation was successful. If not, the errorCode field identifies why.

description: This field contains an embedded field (typically a hashmap) representing details specific to the type of metric.
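As an added example (not the product's own code), the following Python parses a Credential Management syslog line into the envelope and Metric fields described above, pairs the alternating k/v children of the hashmap in document order, and then runs two checks a log reviewer would want: that the password and adminPassword keys are logged empty, and which operations carry success = false. The first Metric body is the page's viewAccountPassword sample joined onto one line; the envelope (RFC 5424 version, timestamp, placeholder host name, application pam), the second failed-login record and its error code 9999 are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# <priority>VERSION TIMESTAMP HOSTNAME APPLICATION MSG
_ENVELOPE = re.compile(r"^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (.*)$", re.S)

# Hashmap keys that carry credential material. The page's sample logs them empty;
# a review of exported logs should confirm that they stay empty.
SECRET_KEYS = ("password", "adminPassword")


def parse_metric(xml_text: str) -> dict:
    """Turn a <Metric> element into a flat dict; the hashmap's alternating <k>/<v>
    children are paired in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != "Metric":
        raise ValueError(f"expected <Metric>, got <{root.tag}>")
    details = {}
    key = None
    hashmap = root.find("description/hashmap")
    for child in (hashmap if hashmap is not None else []):
        if child.tag == "k":
            key = child.text or ""
        elif child.tag == "v" and key is not None:
            details[key] = child.text or ""
            key = None
    return {
        "type": root.findtext("type"),
        "errorCode": int(root.findtext("errorCode", "0") or "0"),
        "success": root.findtext("success") == "true",
        "userID": root.findtext("userID"),
        "originatingIPAddress": root.findtext("originatingIPAddress") or None,
        "details": details,
    }


def parse_credential_record(line: str) -> dict:
    m = _ENVELOPE.match(line.strip())
    if not m:
        raise ValueError("not a Credential Management syslog record")
    pri, version, stamp, host, app, msg = m.groups()
    if version != "1":  # the page states the protocol version can only be 1
        raise ValueError(f"unexpected syslog protocol version {version}")
    rec = {"priority": int(pri), "timestamp": stamp, "hostname": host, "application": app}
    if msg.startswith("<Metric>"):
        rec["metric"] = parse_metric(msg)
    else:
        rec["audit_xml"] = msg  # audit-type entries use the abbreviated c.cw.m tags
    return rec


def leaked_secrets(metric: dict) -> list:
    """Keys from SECRET_KEYS that carry a non-empty value in this entry."""
    return [k for k in SECRET_KEYS if metric["details"].get(k)]


def failed_operations(records) -> list:
    """(type, errorCode) for every metric whose success flag is false."""
    return [(r["metric"]["type"], r["metric"]["errorCode"])
            for r in records if "metric" in r and not r["metric"]["success"]]


# Constructed sample 1: the page's viewAccountPassword Metric on one line, inside a
# Credential Management envelope (placeholder host name; timestamp is the page's example).
SAMPLE_OK = (
    "<134>1 2017-11-12T19:08:18+00:00 pam-host-placeholder pam "
    "<Metric><type>viewAccountPassword</type><level>1</level><description><hashmap>"
    "<k>commandInitiator</k><v>USER</v><k>adminUserID</k><v>super</v><k>reason</k><v></v>"
    "<k>selectedComponent</k><v>0</v><k>Attribute.descriptor2</k><v></v><k>Attribute.descriptor1</k><v></v>"
    "<k>TargetAccount.ID</k><v>1005</v><k>TargetApplication.name</k><v>SQLServer</v>"
    "<k>reasonDetails</k><v></v><k>password</k><v></v><k>TargetServer.hostName</k><v>100.130.156.40</v>"
    "<k>TargetAccount.accessType</k><v></v><k>referenceCode</k><v></v><k>adminPassword</k><v></v>"
    "<k>TargetAccount.userName</k><v>xmd_user</v></hashmap></description>"
    "<errorCode>0</errorCode><userID>super</userID><success>true</success>"
    "<originatingIPAddress></originatingIPAddress><originatingHostName></originatingHostName>"
    "<extensionType></extensionType></Metric>"
)
# Constructed sample 2: a failed login; 9999 is a placeholder, not a real PAM error code.
SAMPLE_FAILED = (
    "<134>1 2017-11-12T19:09:00+00:00 pam-host-placeholder pam "
    "<Metric><type>login</type><level>1</level><description><hashmap/></description>"
    "<errorCode>9999</errorCode><userID>super</userID><success>false</success>"
    "<originatingIPAddress>192.0.2.10</originatingIPAddress><originatingHostName></originatingHostName>"
    "<extensionType></extensionType></Metric>"
)

if __name__ == "__main__":
    records = [parse_credential_record(SAMPLE_OK), parse_credential_record(SAMPLE_FAILED)]
    for r in records:
        print(r["metric"]["type"], r["metric"]["success"], leaked_secrets(r["metric"]))
    print(failed_operations(records))
```

The real error-code meanings come from the getErrorCodes CLI command described earlier in this section; the parser only surfaces the number.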

Credential Management metric log entries appear as strings, but can be reformatted to display their structure:

<Metric>

<type>viewAccountPassword</type>

<level>1</level>

<description>

<hashmap>

<k>commandInitiator</k><v>USER</v>

<k>adminUserID</k><v>super</v>

<k>reason</k><v></v>

<k>selectedComponent</k><v>0</v>

<k>Attribute.descriptor2</k><v></v>

<k>Attribute.descriptor1</k><v></v>

<k>TargetAccount.ID</k><v>1005</v>

<k>TargetApplication.name</k><v>SQLServer</v>

<k>reasonDetails</k><v></v>

<k>password</k><v></v>

<k>TargetServer.hostName</k><v>100.130.156.40</v>

<k>TargetAccount.accessType</k><v></v>

<k>referenceCode</k><v></v>

<k>adminPassword</k><v></v>

<k>TargetAccount.userName</k><v>xmd_user</v>

</hashmap>

</description>

<errorCode>0</errorCode>

<userID>super</userID>

<success>true</success>

<originatingIPAddress></originatingIPAddress>

<originatingHostName></originatingHostName>

<extensionType></extensionType>

</Metric>

Audit Log Entries

Credential Management audit log entries appear as strings, but can be reformatted to display their structure:

<c.cw.m.ts>

<bm.id>1004</bm.id>

<bm.cd>1473152059000</bm.cd>

<bm.cu>super</bm.cu>

<bm.ud>1473234607186</bm.ud>

<bm.uu>super</bm.uu>

<bm.ha>FUwULFPtQlT4...f+AwUW4Ha8k=</bm.ha>

<bm.at.li>

<c.cw.m.at>

<bm.id>1004</bm.id>


<bm.cd>1473152059000</bm.cd>

<bm.cu>super</bm.cu>

<bm.ud>1473152881000</bm.ud>

<bm.uu>super</bm.uu>

<bm.ha>Wpkmh+aP01rWk/...8s57Mjowo=</bm.ha>

<at.na>descriptor1</at.na>

<at.ob.id>1004</at.ob.id>

<at.ob.cl>c.cw.m.ts</at.ob.cl>

</c.cw.m.at>

<c.cw.m.at>

<bm.id>1005</bm.id>

<bm.cd>1473152059000</bm.cd>

<bm.cu>super</bm.cu>

<bm.ud>1473152881000</bm.ud>

<bm.uu>super</bm.uu>

<bm.ha>Wpkmh+aP01rWk/A...s57Mjowo=</bm.ha>

<at.na>descriptor2</at.na>

<at.ob.id>1004</at.ob.id>

<at.ob.cl>c.cw.m.ts</at.ob.cl>

</c.cw.m.at>

</bm.at.li>

<hn>123.123.123.000</hn>

<ip>123.123.124.000</ip>

<dn>redhat</dn>

</c.cw.m.ts>

These log entries are wrapped by <c.cw.m...> tags.

• c.cw.m = com.cloakware.model.

"Cloakware" is an internal name for the Credential Management function.

• bm = BaseModel is the parent of all object types. This tag is found in all objects for their common attributes.

• id = identification number for this object

o For example, "id" may be a target account ID, a target server ID, or a Password View Request ID.

o The name of a target account may change but its ID does not.

o Metric log entries only specify the ID, but not the name. The session log entries are comprehensive, so you can find an ID when given the name.

Class IDs begin with c.cw.m. The fourth element identifies the object. The elements specific to that object follow each object code.

ac = Account

ca = cache allowed

cd = cache duration

pv = password verified

um = unmanaged

un = User Name

uoid = owner user ID

ach = Account History

act = Account

ht = Historical Tag

fl = Filter

an = object

ex = expression

ty = operator

gr = Group (Target or Requestor)

ty = type

dy = dynamic

gro = read-only

pe = Request Server ID

po = Password Composition Policy


pvp = Password View Policy

cpov = Change Password On View

cpoconnend = Change Password On Connection End

cposessend = Change Password On Session End

cposso = Change Password On SSO

pci = Password Change Interval

cico = Check-out Check-in Required

cci = Check-out Check-in Interval

da = Dual Authorization

ai = Dual Approval Interval

mi = Max Interval

md = Max Days

rr = Reason Required

rrsso = Reason Required SSO

en = Email Notification

enda = Email Notification for Dual Approvers

enau = Email Only Active Users

ro = Read Only

pvr = Password View Request

ar = Approval

rc = Reason Code

re = Reason

ro = Role

rs = Request server

atr = action required

av = Active

ty = type

sa = A2A

ce = Check Execution User

cf = Check File Path

cp = Check Path

cs = Check Script Hash

eu = Execution User

sc = Script

sj = Scheduled Job

sysp = System Properties

pn = property name

pv = property value

ta = Target Alias

tp = Target Application

ts = Target Server

ug = User Group

us = User

fn = First Name

ln = Last Name

st = Status

em = Email

The following elements are common to multiple classes:

ad = Approval Description

cd = created date, in UNIX time, with milliseconds

cu = Creating User

de = Description

dn = Device name

ha = hash

hn = Host name

ip = IP Address

na = Attribute name

phn = preserve host name


po = port

ps = patch status

rg = Request Group

sid = Site ID

skid = server key ID

sp = System property

ta = Target application ID

tg = Target Group

ud = updated date, in UNIX time, with milliseconds

uu = Updating User

va = Attribute Value

GKMonitor

Format <priority>APPLICATION[PID]: MSG

Priority is produced by a standard IETF syslog grid of Facility by Severity. Syslog servers might extrapolate the Facility and Severity values.

For example, 85 is “security/auth” facility and “Notice” severity. See Syslog Priority Facility Severity Grid for more information.

Application denotes the major component source of the log message. For these messages, this value is gkmonitor.

PID is the process ID associated with the logged activity, which can help group log messages.

MSG includes only a simple log message. The date and time are not sent.

Example

User account disabled

<85>gkmonitor[12371]: PAM-CMN-2136: Inactive user account: {0} has been disabled in PAM

Logwatch

Format <priority>APPLICATION[PID]: MSG

Priority is produced by a standard IETF syslog grid of Facility by Severity. Syslog servers might extrapolate the Facility and Severity values.

For example, 28 is “system” facility and “Warning” severity. See Syslog Priority Facility Severity Grid for more information.

Application denotes the major component source of the log message. For these messages, this value is logwatch.

PID is the process ID associated with the logged activity, which can help group log messages.

MSG includes only a simple log message. The date and time are not sent.

Example

Starting up logwatch

<28>logwatch[1]: Starting up logwatch

Other Messages

Format <priority>TIMESTAMP HOSTNAME MSG

Priority is produced by a standard IETF syslog grid of Facility by Severity. Syslog servers might extrapolate the Facility and Severity values. For example, 134 is “local0” facility and “Info” severity. See Syslog Priority Facility Severity Grid for more information.

Timestamp does not conform to IETF specifications. The year and time zone are not included, and the month is an English abbreviation. In practice, it is always UTC. For example: Sep 18 22:09:54

Hostname is the hostname of the originating Privileged Access Manager instance.

MSG entries are tagged as <Metric> or formatted like Audit entries, but not labeled as such. The audit-type entries are usually paired with a Metric entry.

Examples

System Startup

<134>Sep 18 20:09:25 uslipam13-133

<Metric>

<type>systemStartup</type>

<level>1</level>

<description>

<hashmap/>


</description>

<errorCode>0</errorCode>

<userID>system</userID>

<success>true</success>

<originatingIPAddress>130.200.13.133</originatingIPAddress>

<originatingHostName>uslipam13-133</originatingHostName>

<extensionType></extensionType>

</Metric>

Register Request Server 1

<134>Sep 12 22:09:31 uslipam13-133

<Metric>

<type>registerRequestServer</type>

<level>1</level>

<description>

<hashmap>

<k>commandInitiator</k><v>USER</v>

<k>enablefips</k><v>true</v>

<k>version</k><v>4.13.0</v>

<k>RequestServer.ID</k><v>1000</v>

<k>commandName</k><v>clientLogin</v>

<k>port</k><v>27077</v>

<k>osarch</k><v>x86</v>

<k>osversion</k><v>6.1</v>

<k>nodeid</k> <v>&lt;?xml version="1.0" encoding="utf-8" ?&gt;&lt;nodeid&gt;&lt;macaddr&gt;

00:50:56:86:0E:4F&lt;/macaddr&gt;&lt;machineid&gt;

4_39ec5d8a_0_0-Intel-PIIX4_Internal_IDE_Channel&lt;/machineid&gt;

&lt;applicationtype&gt;cspm_agent&lt;/applicationtype&gt;&lt;/nodeid&gt;</v> <k>osname</k><v>Windows 7</v>

</hashmap>

</description>

<errorCode>0</errorCode>

<userID>client</userID>

<success>true</success>

<originatingIPAddress>10.130.236.131</originatingIPAddress>

<originatingHostName>10.130.236.131</originatingHostName>

<extensionType></extensionType>

</Metric>

Register Request Server 2

<134>Sep 12 22:09:31 uslipam13-133

<c.cw.m.rs>

<bm.id>1000</bm.id>

<bm.cd>1505255190000</bm.cd>

<bm.cu>client</bm.cu>

<bm.ud>1505255191851</bm.ud>

<bm.uu>client</bm.uu>

<bm.ha>P2yCGNvoSpvZiEmtLwohN7kXa5w=</bm.ha>

<ty>AGENT</ty>

<hn>10.130.236.131</hn>

<ip>10.130.236.131</ip>

<dn>10.130.236.131</dn>

<po>27077</po>

<nk>{1}ada8fd1fdcbb2a…3587101e2330685f7e</nk>

<ac>false</ac>

<av>false</av>

<atr>true</atr>

<at>102</at>


<cf>NgdtGgAjjF7QHPap9Kqd2mpSS1M=</cf>

<on>Windows 7</on>

<ov>6.1</ov>

<oa>x86</oa>

<ct>java</ct>

<sid>1000</sid>

<phn>false</phn>

<skid>1</skid>

<pl>win</pl>

<ps>Disabled</ps>

<cvn>4.13.0</cvn>

<cfd>1505255190000</cfd>

<cst>2</cst>

<csudt>1505255189000</csudt>

</c.cw.m.rs>
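The audit-type entries in the Credential Management and Other Messages examples above use the abbreviated c.cw.m tags explained in the glossary. The following Python, an added example and not part of the product, reads an Other Messages record, expands the class code and the BaseModel and common-element codes the glossary defines, converts the bm.cd and bm.ud UNIX-millisecond dates to ISO 8601 UTC, collects repeated children (the c.cw.m.at entries inside bm.at.li) into a list, and leaves tags the glossary does not define (such as at.ob.cl) as their raw names. The sample line is constructed from the page's <c.cw.m.ts> example joined onto one line and wrapped in the envelope of the Register Request Server example; the hash values are the page's truncated ones.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Class codes (fourth element of c.cw.m.<code>) as given in the glossary on this page.
CLASS_NAMES = {
    "ac": "Account", "ach": "Account History", "fl": "Filter", "gr": "Group",
    "po": "Password Composition Policy", "pvp": "Password View Policy",
    "pvr": "Password View Request", "rs": "Request Server", "sa": "A2A", "sc": "Script",
    "sj": "Scheduled Job", "sysp": "System Properties", "ta": "Target Alias",
    "tp": "Target Application", "ts": "Target Server", "ug": "User Group", "us": "User",
}
# BaseModel fields plus the elements the glossary lists as common to multiple classes.
ELEMENT_NAMES = {
    "id": "id", "cd": "created date", "cu": "Creating User", "ud": "updated date",
    "uu": "Updating User", "ha": "hash", "ad": "Approval Description", "de": "Description",
    "dn": "Device name", "hn": "Host name", "ip": "IP Address", "na": "Attribute name",
    "phn": "preserve host name", "po": "port", "ps": "patch status", "rg": "Request Group",
    "sid": "Site ID", "skid": "server key ID", "sp": "System property",
    "ta": "Target application ID", "tg": "Target Group", "va": "Attribute Value",
}
# Only the BaseModel dates are documented as UNIX time with milliseconds; an undotted
# "cd" inside an Account object means cache duration and must not be converted.
_MS_TAGS = {"bm.cd", "bm.ud"}


def _name_for(tag: str) -> str:
    if tag.startswith("c.cw.m."):
        return CLASS_NAMES.get(tag[len("c.cw.m."):], tag)
    if tag.startswith("bm."):
        return ELEMENT_NAMES.get(tag[3:], tag)
    if "." not in tag:
        return ELEMENT_NAMES.get(tag, tag)
    return tag  # e.g. at.ob.cl: not in the glossary, so the raw tag is kept


def _ms_to_iso(ms: str) -> str:
    return datetime.fromtimestamp(int(ms) // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def expand(el: ET.Element):
    """Return (readable name, value) for an element; containers become dicts and
    repeated children under one parent become a list."""
    name = _name_for(el.tag)
    children = list(el)
    if not children:
        text = (el.text or "").strip()
        return name, (_ms_to_iso(text) if el.tag in _MS_TAGS and text.isdigit() else text)
    out: dict = {}
    for child in children:
        cname, cvalue = expand(child)
        if cname in out:
            existing = out[cname]
            out[cname] = existing + [cvalue] if isinstance(existing, list) else [existing, cvalue]
        else:
            out[cname] = cvalue
    return name, out


# <priority>TIMESTAMP HOSTNAME MSG, with the year-less "Sep 18 22:09:54" timestamp the page describes.
_ENVELOPE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (<.*>)$", re.S)


def parse_other_message(line: str) -> dict:
    m = _ENVELOPE.match(line.strip())
    if not m:
        raise ValueError("not an 'Other Messages' syslog record")
    pri, stamp, host, xml_text = m.groups()
    cls, body = expand(ET.fromstring(xml_text))
    return {"priority": int(pri), "timestamp_text": stamp, "hostname": host,
            "class": cls, "body": body}


# Constructed sample: the page's <c.cw.m.ts> audit entry on one line, inside the envelope
# taken from the page's Register Request Server example.
SAMPLE_AUDIT_LINE = (
    "<134>Sep 12 22:09:31 uslipam13-133 <c.cw.m.ts><bm.id>1004</bm.id><bm.cd>1473152059000</bm.cd>"
    "<bm.cu>super</bm.cu><bm.ud>1473234607186</bm.ud><bm.uu>super</bm.uu>"
    "<bm.ha>FUwULFPtQlT4...f+AwUW4Ha8k=</bm.ha><bm.at.li>"
    "<c.cw.m.at><bm.id>1004</bm.id><bm.cd>1473152059000</bm.cd><bm.cu>super</bm.cu>"
    "<bm.ud>1473152881000</bm.ud><bm.uu>super</bm.uu><bm.ha>Wpkmh+aP01rWk/...8s57Mjowo=</bm.ha>"
    "<at.na>descriptor1</at.na><at.ob.id>1004</at.ob.id><at.ob.cl>c.cw.m.ts</at.ob.cl></c.cw.m.at>"
    "<c.cw.m.at><bm.id>1005</bm.id><bm.cd>1473152059000</bm.cd><bm.cu>super</bm.cu>"
    "<bm.ud>1473152881000</bm.ud><bm.uu>super</bm.uu><bm.ha>Wpkmh+aP01rWk/A...s57Mjowo=</bm.ha>"
    "<at.na>descriptor2</at.na><at.ob.id>1004</at.ob.id><at.ob.cl>c.cw.m.ts</at.ob.cl></c.cw.m.at>"
    "</bm.at.li><hn>123.123.123.000</hn><ip>123.123.124.000</ip><dn>redhat</dn></c.cw.m.ts>"
)

if __name__ == "__main__":
    import json
    print(json.dumps(parse_other_message(SAMPLE_AUDIT_LINE), indent=2))
```

Because the glossary reuses some codes across classes (po is a class code and the common element port; ta is Target Alias and Target application ID), the expansion is keyed on where the tag sits (class prefix, bm. prefix, or a plain leaf) rather than on the code alone.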

Syslog Priority Facility Severity Grid

The Priority value that is sent to Syslog servers is derived from a standard IETF syslog grid of Facility by Severity. Syslog servers might extrapolate the Facility and Severity values. Find the value, from 0 to 191, in the grid, and read the column and row values. For example, a Priority value of 13 is “user-level” Facility and “Notice” Severity.

Facility            Emergency  Alert  Critical  Error  Warning  Notice  Info  Debug
Severity code               0      1         2      3        4       5     6      7
kernel        0             0      1         2      3        4       5     6      7
user-level    1             8      9        10     11       12      13    14     15
mail          2            16     17        18     19       20      21    22     23
system        3            24     25        26     27       28      29    30     31
secur/auth    4            32     33        34     35       36      37    38     39
syslog        5            40     41        42     43       44      45    46     47
lpd/printer   6            48     49        50     51       52      53    54     55
news/nntp     7            56     57        58     59       60      61    62     63
uucp          8            64     65        66     67       68      69    70     71
time          9            72     73        74     75       76      77    78     79
secur/auth   10            80     81        82     83       84      85    86     87
ftp          11            88     89        90     91       92      93    94     95
ntp          12            96     97        98     99      100     101   102    103
logaudit     13           104    105       106    107      108     109   110    111
logalert     14           112    113       114    115      116     117   118    119
clock        15           120    121       122    123      124     125   126    127
local0       16           128    129       130    131      132     133   134    135
local1       17           136    137       138    139      140     141   142    143
local2       18           144    145       146    147      148     149   150    151
local3       19           152    153       154    155      156     157   158    159
local4       20           160    161       162    163      164     165   166    167
local5       21           168    169       170    171      172     173   174    175
local6       22           176    177       178    179      180     181   182    183
local7       23           184    185       186    187      188     189   190    191
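The PRI decode described above, carried into a small parser, as an added example that is not part of this guidance supplement or of the PAM product: it splits the <PRI> prefix of a forwarded line into Facility and Severity with the grid (Priority = Facility * 8 + Severity), rejects out-of-range or zero-padded values, and flags events whose payload carries one of a few PAM-CM message codes from the catalog later in this annex that weaken the appliance's security posture (FIPS deactivated, syslog forwarding disabled, maintenance mode, remote debugging, external REST API, private-key upload). The sample lines are constructed; only the <134> header is taken from the Register Request Server record on this page, and whether a message code appears verbatim in the forwarded payload is an assumption.

```python
# Added example (not Broadcom/Symantec code). Assumes the PAM message code,
# e.g. "PAM-CM-0106", appears as text in the syslog payload.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Facility rows as in the grid above (list index = facility code).
FACILITIES = [
    "kernel", "user-level", "mail", "system", "secur/auth", "syslog",
    "lpd/printer", "news/nntp", "uucp", "time", "secur/auth", "ftp",
    "ntp", "logaudit", "logalert", "clock", "local0", "local1", "local2",
    "local3", "local4", "local5", "local6", "local7",
]
# Severity columns (list index = severity code).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Info", "Debug"]

# PAM-CM codes from this annex that lower the appliance's security posture.
# Which codes to watch is this example's own choice.
WATCHLIST = {
    "PAM-CM-0106": "FIPS mode deactivated",
    "PAM-CM-0156": "syslog forwarding disabled",
    "PAM-CM-0217": "maintenance mode enabled",
    "PAM-CM-0221": "remote debugging services active",
    "PAM-CM-0228": "external REST API access enabled",
    "PAM-CM-0309": "certificate with private key uploaded",
}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
CODE_RE = re.compile(r"\bPAM-[A-Z]+-\d{4}\b")


def decode_pri(pri: int) -> tuple[str, str]:
    """Split PRI into (facility name, severity name); PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} is outside the 0..191 grid")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


@dataclass
class SyslogEvent:
    pri: int
    facility: str
    severity: str
    payload: str
    codes: list[str] = field(default_factory=list)
    alerts: list[str] = field(default_factory=list)


def parse_line(line: str) -> SyslogEvent:
    """Parse '<PRI>payload', decode PRI and flag watch-listed PAM message codes."""
    m = PRI_RE.match(line.strip())
    if not m:
        raise ValueError("line does not start with a <PRI> prefix")
    digits = m.group(1)
    pri = int(digits)
    # RFC 5424 forbids leading zeros in PRI: "<013>" is malformed, "<0>" is not.
    if digits != str(pri):
        raise ValueError(f"malformed PRI field <{digits}>")
    facility, severity = decode_pri(pri)
    payload = m.group(2)
    codes = CODE_RE.findall(payload)
    alerts = [f"{c}: {WATCHLIST[c]}" for c in codes if c in WATCHLIST]
    return SyslogEvent(pri, facility, severity, payload, codes, alerts)


def triage(lines: list[str]) -> list[SyslogEvent]:
    """Return only the events that carry a watch-listed code."""
    return [ev for ev in map(parse_line, lines) if ev.alerts]


# Constructed sample input. The first header is copied from the Register
# Request Server record on this page; the other lines are invented.
SAMPLE_LINES = [
    "<134>Sep 12 22:09:31 uslipam13-133 <c.cw.m.rs><bm.id>1000</bm.id>",
    "<13>Sep 12 22:11:05 uslipam13-133 PAM-CM-0106 = Deactivated FIPS Mode",
    "<14>Sep 12 22:11:40 uslipam13-133 PAM-CM-0105 = Activated FIPS Mode",
    "<13>Sep 12 22:12:02 uslipam13-133 PAM-CM-0221 = Remote CA PAM Debugging Services active",
]

if __name__ == "__main__":
    for ev in map(parse_line, SAMPLE_LINES):
        flag = "  ALERT " + "; ".join(ev.alerts) if ev.alerts else ""
        print(f"<{ev.pri}> {ev.facility}/{ev.severity}{flag}")
```

The leading-zero check matters in practice: a collector that accepts "<013>" silently maps it to the same row as "<13>", so a malformed or crafted prefix can move an event between facilities without changing its numeric value. Rejecting it keeps the Facility/Severity you route and alert on tied to exactly what the grid defines.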

PAM-AGT: CA PAM Access Agent Messages

PAM-AGT-1000: This version of PAM is not supported by the Agent. Please connect to another PAM server.
PAM-AGT-1001: CA PAM Agent Service is not started. Please start this service before continuing.
PAM-AGT-1002: Cannot connect to the PAM server at this address. Please re-check your server name/IP, and ensure your PAM instance is running.
PAM-AGT-1003: This service has already been activated.
PAM-AGT-1004: A Password View Request for this Credential is already pending.
PAM-AGT-1005: Reason is required, please select one
PAM-AGT-1006: Error importing certificate. Please check your certificate and try again.
PAM-AGT-1007: Error exporting certificate.
PAM-AGT-1008: Error removing the certificate
PAM-AGT-1009: Host and Port values are required for this proxy mode.
PAM-AGT-1010: Proxy URL is required for this proxy mode.
PAM-AGT-1011: Cannot activate this service. Another service with the same device and local port(s) has already been activated.
PAM-AGT-1012: Error occurred during authentication.
PAM-AGT-1013: Error launching installer. If this problem persists, please contact support.
PAM-AGT-1013: Dual authorization for this credential is still pending. Try again after approval.
PAM-AGT-1014: Dual authorization for this credential has been denied.
PAM-AGT-1100: Service activation failed. Please restart the PAM Agent and the PAM Agent service and try again.
PAM-AGT-1101: Error setting up Agent services. Please restart the PAM Agent and the PAM Agent service and try again.

PAM-CF: Connector Framework Messages

PAM-CF-0001 = The Custom Connector server is inaccessible or its configuration is invalid.
PAM-CF-0002 = There is an error on the Custom Connector server.
PAM-CF-0005 = Failed to validate target connector attributes. {0}
PAM-CF-0006 = Invalid connector framework configuration parameters : {0}
PAM-CF-0007 = Connector Framework Certificate is expiring in less than {0} day(s).
PAM-CF-0008 = Connector Framework Certificate has expired.


PAM-CLNT: CA PAM Client Messages

PAM-CLNT-0000 = Application error occurred in RDP client: {0}
PAM-CLNT-0001 = Wrong Web SSO configuration.
PAM-CLNT-0002 = Incorrect login URL.
PAM-CLNT-0003 = Unknown Web SSO status: {0}
PAM-CLNT-0004 = Auto login inner error. Reason: {0}
PAM-CLNT-0005 = Auto login timeout expired, possibly due to wrong credentials.
PAM-CLNT-0006 = SSO credentials are invalid.
PAM-CLNT-0007 = Session disconnected due to a problem with session recording.
PAM-CLNT-0008 = Session can't be established due to a problem with session recording
PAM-CLNT-0009 = Local folder has been created by user {0}
PAM-CLNT-0010 = Local file has been created by user {0}
PAM-CLNT-0011 = Remote folder has been created by user {0}
PAM-CLNT-0012 = Remote file has been created by user {0}
PAM-CLNT-0013 = Local folder has been renamed to {0} by user {1}
PAM-CLNT-0014 = Local file has been renamed to {0} by user {1}
PAM-CLNT-0015 = Remote folder has been renamed to {0} by user {1}
PAM-CLNT-0016 = Remote file has been renamed to {0} by user {1}
PAM-CLNT-0017 = Local folder has been deleted by user {0}
PAM-CLNT-0018 = Local file has been deleted by user {0}
PAM-CLNT-0019 = Remote folder has been deleted by user {0}
PAM-CLNT-0020 = Remote file has been deleted by user {0}
PAM-CLNT-0021 = Uploaded {0} to {1} as user {2}
PAM-CLNT-0022 = Downloaded {0} from {1} as user {2}
PAM-CLNT-0023 = Executed '{0}' using transparent login as {1}
PAM-CLNT-0024 = A connection from {0} to service '{1}' was attempted by an unauthorized session '{2}' on '{3}'
PAM-CLNT-0025 = "{0}"

PAM-CM: Credential Manager Messages

The following messages are created by Credential Manager. Certain messages are grouped by subheading.

• Discovery Scans, Scheduled Jobs
• Message Headers
• General Error Messages
• Client Messages
• Native Call Application Error Messages
• Target Manager Error Messages
• Role Error Messages
• Update User Password Error Messages
• Client Error Messages
• Batch Sequence Error Messages
• Extension Manager: General Error Messages
• Extension Manager: Oracle Error Messages
• Extension Manager: UNIX Error Messages
• LDAP Error Messages
• Database Password Change Error Messages
• Enable Change-Password-On-View Error Messages
• Scheduling Error Messages
• Constraint Error Messages
• Account Error Messages
• Target Alias Error Messages
• Role Error Messages
• Group Error Messages
• User Group Error Messages
• Report Error Messages
• System Property Error Messages
• E-mail Properties Validation Error Messages
• US 121 Messages
• US 120 Messages
• US 91 Messages
• Initial Property Error Messages
• Patch Error Messages
• Password Policy Error Messages
• Error Code Messages Common to Multiple Target Connectors and Authenticators
• Error Code Messages for Remedy Target Manager Connector
• Error Code Messages for Remedy View Password Plug-in
• Error Code Messages for ServiceNow View Password Plug-in
• Error Code Messages for CA SDM View Password Plug-in
• Error Code Messages for Salesforce Service Cloud View Password Plug-in
• Error Code Messages for HP Service Manager View Password Plug-in
• Custom View Password Module Error Code Messages
• Extension Manager: Common Channel and Processor Target Connector API
• Extension Manager: Common Channel and Processor Target Connector UI
• Error messages for CA NIM SM target manager connector
• Error Code Messages for CA NIM UM Target Manager Connector
• Error Code Messages for ServiceNow Target Manager Connector
• Basic error messages for Service Desk connector
• Error messages for HP Service Manager target manager connector
• Error Code Messages for CA SDM Target Manager Connector
• Locale Messages

PAM-CM-0000 = Downloaded Certificate {0}
PAM-CM-0001 = Downloaded CSR {0}
PAM-CM-0002 = Downloaded private key file {0}
PAM-CM-0004 = Downloaded database file {0}
PAM-CM-0005 = User tried and failed to upload a database or configuration file with invalid characters in the file name and / or an improper file extension.
PAM-CM-0006 = Config file {0} uploaded successfully
PAM-CM-0007 = Database file {0} uploaded successfully
PAM-CM-0008 = Run ping on host {0}.
PAM-CM-0009 = Run traceroute on host {0}.
PAM-CM-0010 = Run Port Scan on IP address: {0}. Ports: {1}.
PAM-CM-0011 = Run nslookup on host {0}.
PAM-CM-0012 = {0} export completed.
PAM-CM-0013 = {0} import completed.
PAM-CM-0014 = Uploaded license file {0}
PAM-CM-0015 = Downloaded log file {0}.
PAM-CM-0016 = File {0} uploaded successfully. For this change to take effect, please restart Tomcat.
PAM-CM-0018 = File {0} uploaded successfully! Please delete the Node Secret file if it exists to clear old cache.
PAM-CM-0019 = Job {0} deleted.
PAM-CM-0020 = Job {0} cancelled.
PAM-CM-0021 = Unable to load PAM certificate for SSO user {0}. User will not be able to log-in
PAM-CM-0022 = Account Scan Profile {0} created.
PAM-CM-0023 = Account Scan Profile {0} deleted.
PAM-CM-0024 = Account Scan Profile {0} updated.
PAM-CM-0025 = Config exception: {0}
PAM-CM-0026 = Error creating object: {0}
PAM-CM-0027 = CA Single Sign-On Web Agent disabled. For this change to take effect, please restart Apache.
PAM-CM-0028 = Restarting Apache Web Server


PAM-CM-0029 = Configuration of CA Single Sign-On Web Agent complete.For this change to take effect, please restart Apache.
PAM-CM-0030 = Registration failed ('{0}');
PAM-CM-0032 = CA Single Sign-On Web Agent registration failed. Host config object not found.
PAM-CM-0033 = CA Single Sign-On Web Agent registration failed. Invalid credentials.
PAM-CM-0034 = CA Single Sign-On Web Agent registration failed. Unknown administrator.
PAM-CM-0035 = Object empty: {0}
PAM-CM-0036 = Updated system certificate to {0}
PAM-CM-0037 = Problem updating system certification {0}
PAM-CM-0038 = Problem updating system certification
PAM-CM-0039 = Unable to perform the operation. Please contact System Administrator.
PAM-CM-0040 = Created Self-Signed Certificate {0}
PAM-CM-0041 = Created CSR {0}
PAM-CM-0042 = There is invalid CRL URL format: {0}
PAM-CM-0043 = There is invalid CRL file: {0}
PAM-CM-0044 = CRL file: {0} was added.
PAM-CM-0045 = Disabling SAML IdP component
PAM-CM-0046 = SAML IdP is already disabled
PAM-CM-0047 = Restarting after SAML IdP change
PAM-CM-0048 = SAML IdP is already enabled
PAM-CM-0049 = Enabling SAML IdP component
PAM-CM-0050 = CA PAM SAML Identity Provider configuration updating: Entity ID = {0}, FQDN = {1}, Certificate = {2}
PAM-CM-0051 = The CA PAM database has been compacted successfully
PAM-CM-0052 = Reset CA PAM database failed: {0}
PAM-CM-0053 = Database backup schedule saved successfully
PAM-CM-0054 = Database backup schedule deleted successfully
PAM-CM-0055 = Mount unsuccessful. Please contact administrator.
PAM-CM-0056 = NFS mount operation unsuccessful. Mount point: {0} Hostname: {1}
PAM-CM-0057 = NFS mounting performed successfully. Mount point: {0} Hostname: {1}
PAM-CM-0058 = CIFS mount operation unsuccessful. Mount point: {0} Hostname: {1}
PAM-CM-0059 = CIFS mounting performed successfully. Mount point: {0} Hostname: {1}
PAM-CM-0060 = Mount unsuccessful. Please contact administrator. Not existent S3 bucket {0}
PAM-CM-0061 = Mount unsuccessful. Please contact administrator {0}
PAM-CM-0062 = S3 mounting performed successfully
PAM-CM-0063 = The CA PAM database has been reset successfully
PAM-CM-0064 = CA PAM configuration restored successfully from file {0}. CA PAM is being rebooted.
PAM-CM-0065 = Could not restore CA PAM configuration: {0}
PAM-CM-0066 = Could not restore the database because disk is over half full.
PAM-CM-0067 = CA PAM database restored successfully from file {0}. CA PAM is being rebooted.
PAM-CM-0068 = Could not restore the database: {0}. Contact your CA PAM administrator.
PAM-CM-0069 = Unable to save the database to a file: {0}
PAM-CM-0070 = Unable to save CA PAM configuration to a file: {0}
PAM-CM-0071 = {0} CA PAM configuration saved successfully to {1}
PAM-CM-0073 = Database file {0} deleted successfully.
PAM-CM-0074 = Unable to delete database file {0}: File not found.
PAM-CM-0075 = Unable to delete database file {0}: {1}.
PAM-CM-0076 = Unmounting performed successfully
PAM-CM-0077 = Unmount operation unsuccessful.
PAM-CM-0078 = Account {0} managed.
PAM-CM-0081 = Device {0} managed.
PAM-CM-0082 = Session recording '{0}' was viewed
PAM-CM-0083 = Monitor started successfully
PAM-CM-0084 = Monitor stopped successfully
PAM-CM-0085 = Updated monitoring configuration. Admin email: {0}., SMTP Server: {1}., From Address: {2}.
PAM-CM-0086 = Problem updating the configuration: {0}
PAM-CM-0087 = Changed Monitor startup flag to on.


PAM-CM-0088 = Changed Monitor startup flag to off.
PAM-CM-0089 = Added new route: Destination: {0} Netmask: {1} Gateway: {2} Device: {3} Metric: {4}
PAM-CM-0090 = Added new route: Destination: {0} Gateway: {1} Device: {2}
PAM-CM-0091 = Deleted route: Destination: {0} Netmask: {1} Gateway: {2} Device: {3} Metric: {4}
PAM-CM-0092 = Deleted route: Destination: {0} Gateway: {1} Device: {2}
PAM-CM-0093 = Successfully restarted networking
PAM-CM-0094 = Network Interface: {0} disabled.
PAM-CM-0095 = Network Interface: {0} Speed: {1}, Duplex: {2}, IP address: {3}, Netmask: {4}, Broadcast: {5}, IPv6 Address: {6}.
PAM-CM-0096 = Network settings updated successfully . Hostname: {0}, Domain Name: {1}, Default Gateway: {2}, DNS Servers: {3}
PAM-CM-0097 = Device Scan Profile {0} created.
PAM-CM-0098 = Device Scan Profile {0} deleted.
PAM-CM-0099 = Device Scan Profile {0} updated.
PAM-CM-0100 = Updated Microsoft Office 365 configuration
PAM-CM-0101 = Cleared Microsoft Office 365 configuration
PAM-CM-0102 = Office 365 configuration test: Connected successfully to the supplied URLs
PAM-CM-0103 = Office 365 configuration test: Error connecting to the supplied URLs
PAM-CM-0104 = The user has acknowledged the warnings related to rebooting an appliance (for activating or deactivating FIPS) while the cluster is running.
PAM-CM-0105 = Activated FIPS Mode
PAM-CM-0106 = Deactivated FIPS Mode
PAM-CM-0107 = The user has acknowledged the warnings related to rebooting an appliance (for activating or deactivating FIPS) while the cluster is running.Activated FIPS Mode
PAM-CM-0108 = The user has acknowledged the warnings related to rebooting an appliance (for activating or deactivating FIPS) while the cluster is running.Deactivated FIPS Mode
PAM-CM-0109 = The user has acknowledged the warnings related to rebooting an appliance while the cluster is running. The appliance will now be powered off.
PAM-CM-0110 = Powered off the appliance
PAM-CM-0111 = Shutting down...
PAM-CM-0112 = The user has acknowledged the warnings related to rebooting an appliance while the cluster is running. The appliance will now be rebooted.
PAM-CM-0113 = Rebooted the appliance
PAM-CM-0114 = Rebooting...
PAM-CM-0115 = {0} Configuration Updated Successfully! Added server {1}:{2}
PAM-CM-0116 = {0} Configuration Updated Successfully! Deleted server {1}:{2}
PAM-CM-0117 = Object not found: {0}
PAM-CM-0118 = Radius server on {0}: port {1} not found.
PAM-CM-0119 = File {0} deleted successfully. For this change to take effect, please restart Tomcat.
PAM-CM-0120 = File {0} deleted successfully!
PAM-CM-0121 = {0}
PAM-CM-0122 = Connected successfully to the ActiveMQ Console on host {0}
PAM-CM-0123 = Could not connect to the ActiveMQ Console on host {0}
PAM-CM-0124 = Server Control integration module was activated
PAM-CM-0125 = Server Control integration module was deactivated
PAM-CM-0126 = Could not activate Server Control integration module
PAM-CM-0127 = Could not deactivate Server Control integration module
PAM-CM-0128 = Unable to delete {0}
PAM-CM-0129 = {0} deleted successfully
PAM-CM-0130 = Certificate Upload: Unknown Format ({0})
PAM-CM-0131 = Unknown Format
PAM-CM-0132 = An error occurred while setting the cluster tuning mode.
PAM-CM-0133 = Database error
PAM-CM-0134 = Data is being collected. Graphs will begin to be generated within the next twenty minutes.
PAM-CM-0135 = An error occurred setting debug SSHD Mode
PAM-CM-0136 = Created System Diagnostic file
PAM-CM-0137 = The license was not updated. Uploaded license file could not be verified or read.


PAM-CM-0138 = Log file {0} deleted successfully.
PAM-CM-0139 = Unable to delete log file {0}: File not found.
PAM-CM-0140 = Unable to delete log file {0}: {1}.
PAM-CM-0141 = Mount unsuccessful. Please contact administrator
PAM-CM-0142 = All logs have been purged.
PAM-CM-0143 = Unable to purge the logs. Please, contact your administrator.
PAM-CM-0144 = Purged logs up till {0}
PAM-CM-0145 = Changed automatic Log Purge Settings. Status: Enabled, Purge interval: {0}, Email flag: {1}, Email size: {2} MB.
PAM-CM-0146 = Changed automatic Log Purge Settings. Status: Disabled
PAM-CM-0147 = External Log Settings saved successfully.
PAM-CM-0148 = Created new log table on the external server.
PAM-CM-0149 = Created new log_user_group table on the external server.
PAM-CM-0150 = Created new log_device_group table on the external server.
PAM-CM-0151 = Connection to the database established successfully and tables created.
PAM-CM-0152 = Connection to the database established successfully.
PAM-CM-0153 = Saved logs up till {0}
PAM-CM-0154 = Unable to write the logs to a file! Please, contact your administrator!
PAM-CM-0155 = Updated Syslog Settings. Status: Enabled, Remote Server(s): {0}, with port: {1}
PAM-CM-0156 = Updated Syslog Settings. Status: Disabled
PAM-CM-0157 = Keystroke Logging configuration updated successfully. Syslog: {0}. NFS/CIFS/S3 CLI Recording: {1}. NFS/CIFS/S3 Graphical Recording: {2}.
PAM-CM-0158 = {0}. Settings saved successfully. Mount point: {1}. Hostname: {2}
PAM-CM-0159 = Updated Session Recording to be Security Safe
PAM-CM-0160 = Updated Session Recording to be Operationally Safe
PAM-CM-0161 = You do not have sufficient permissions to perform this operation.
PAM-CM-0162 = Payload id does not match url id: {0} != {1}
PAM-CM-0163 = Must specify all filter parameters (column, op, value) or none
PAM-CM-0164 = Invalid Operator filter. Valid values = EQ, NE
PAM-CM-0165 = Error retrieving object by id: {0}
PAM-CM-0166 = Error retrieving object by name: {0}
PAM-CM-0167 = Error updating object: {0}
PAM-CM-0168 = Call to PAM service controller failed: {0}
PAM-CM-0169 = Error connecting to the database. Transaction canceled
PAM-CM-0170 = Transaction error with the database. Transaction canceled
PAM-CM-0171 = Target Server not found for host: {0}
PAM-CM-0172 = Number of devices that were successfully managed: {0}
PAM-CM-0173 = Number of devices that were NOT successfully managed: {0}
PAM-CM-0174 = Target Application not found: {0}
PAM-CM-0175 = Target Account {0} already exists. No modifications made.
PAM-CM-0176 = {0} is not a valid {1} IP Address.
PAM-CM-0177 = Profile name is not defined.
PAM-CM-0178 = {0} name {1} already exists.
PAM-CM-0179 = {0} is not a valid parameter.
PAM-CM-0180 = Radius server on {0}: port {1} already exists.
PAM-CM-0181 = Splunk server on {0}: port {1} already exists.
PAM-CM-0182 = Account management failed for account {0} with the following error: {1}
PAM-CM-0183 = Logo was reverted to original logo.
PAM-CM-0184 = Logo file {0} was successfully uploaded.
PAM-CM-0185 = Action was applied for {0} {1}.
PAM-CM-0186 = Shared Key is not allowed to download
PAM-CM-0187 = Private Key is not allowed to be downloaded
PAM-CM-0188 = Required Remedy licensed files could not be found.
PAM-CM-0189 = {0} is not defined.
PAM-CM-0190 = Please enter the required password that will be used to encrypt the private key!
PAM-CM-0191 = Please enter the confirmed password that will be used to encrypt the private key!
PAM-CM-0192 = The confirmed password does not match the password!


PAM-CM-0193 = The passphrase contains invalid space or - characters!
PAM-CM-0194 = Unable to upload file
PAM-CM-0195 = The key file for the certificate {0} is missing
PAM-CM-0196 = Could not change {0}
PAM-CM-0197 = Cannot update CRL configuration: {0}
PAM-CM-0198 = The IdP settings cannot be updated while the cluster is on
PAM-CM-0199 = Unknown certificate {0} selected
PAM-CM-0200 = SAML Metadata file must be an XML file
PAM-CM-0201 = Verification Error {0}
PAM-CM-0202 = Invalid Tomcat log level submitted
PAM-CM-0203 = Tomcat Log Level updated.
PAM-CM-0204 = Tomcat Log Level could not be updated.
PAM-CM-0205 = Database updated successfully
PAM-CM-0206 = Applet Log Level updated.
PAM-CM-0207 = Applet Log Level could not be updated.
PAM-CM-0208 = Web service log level updated successfully
PAM-CM-0209 = Web service log level could not be updated
PAM-CM-0212 = CA PAM As SAML RP Log Level updated
PAM-CM-0213 = CA PAM As SAML IdP Log Level updated
PAM-CM-0214 = CA PAM As SAML IdP Log Level could not be updated
PAM-CM-0216 = An error occurred setting Maintenance Mode
PAM-CM-0217 = Maintenance mode has been enabled for this appliance
PAM-CM-0218 = Maintenance mode has been disabled for this appliance
PAM-CM-0219 = AACTRL debug mode has been enabled for this appliance
PAM-CM-0220 = AACTRL debug mode has been disabled for this appliance
PAM-CM-0221 = Remote CA PAM Debugging Services active until {0} UTC
PAM-CM-0222 = Remote CA PAM Debugging Services turned off
PAM-CM-0223 = Cluster tuning mode turned on
PAM-CM-0224 = Cluster tuning mode turned off
PAM-CM-0228 = External REST API Access has been Enabled
PAM-CM-0229 = External REST API Access has been Disabled
PAM-CM-0230 = External Password Authority API Access has been Enabled
PAM-CM-0231 = External Password Authority API Access has been Disabled
PAM-CM-0232 = VMware console could not be Enabled
PAM-CM-0233 = VMware console could not be Disabled
PAM-CM-0234 = No common name specified
PAM-CM-0235 = IPv6 is not supported
PAM-CM-0236 = You entered an invalid value for Subject Alternative Name. Please enter only IP addresses and/or FQDNs
PAM-CM-0237 = Unknown certificate {0} selected
PAM-CM-0238 = Invalid Password Entry
PAM-CM-0239 = Invalid Confirmed Password Entry
PAM-CM-0240 = Invalid Provider Entry
PAM-CM-0241 = Confirmed Password Does Not Match The Password
PAM-CM-0242 = The SAML entity ID for the IdP is required
PAM-CM-0243 = The fully qualified hostname for the SAML IdP is required
PAM-CM-0244 = The fully qualified hostname for the SAML IdP is not a valid hostname
PAM-CM-0245 = Invalid Signature Algorithm Specified! Valid values are: {0}
PAM-CM-0246 = Applied patch {0} : {1}
PAM-CM-0247 = Message 32026: Patch with name {0} has been uploaded successfully.
PAM-CM-0248 = Invalid file type of {0}. Import supports only CSV files of types: csv.
PAM-CM-0249 = Need to provide /approve or /deny as path parameter.
PAM-CM-0250 = Deleted Certificate: {0}
PAM-CM-0251 = Error updating configuration (split tunnel)
PAM-CM-0252 = Error updating configuration (net)
PAM-CM-0253 = Mask must be integer number between 16 and 29 bits
PAM-CM-0254 = Error updating configuration (mask)


PAM-CM-0255 = SSL VPN Configuration updated; Network: {0}/{1}; Split tunneling enabled
PAM-CM-0256 = SSL VPN Configuration updated; Network: {0}/{1}
PAM-CM-0257 = Configuration updated
PAM-CM-0258 = RSA authentication manager configuration file names must be sdconf.rec or sdopts.rec
PAM-CM-0259 = BMC Remedy SDK file names must be arapi8*.jar, arapi9*.jar, arutil81*.jar, or arutil91*.jar.
PAM-CM-0260 = Error uploading BMC Remedy SDK file {0}. Please check version.
PAM-CM-0261 = CA Privileged Access Manager is collecting and analyzing limited information about your client system and sessions
PAM-CM-0262 = Successfully connected to BAP server
PAM-CM-0263 = Unable to retrieve Risk Levels from BAP server. Invalid or missing API token
PAM-CM-0264 = Unable to retrieve Risk Levels from BAP server
PAM-CM-0265 = Command String has been Enabled
PAM-CM-0266 = Command String has been Disabled
PAM-CM-0267 = Invalid characters or extension in your filename! No spaces or special characters allowed.(Extension should be ".gz.bin" or ".cfg")
PAM-CM-0268 = File {0} uploaded successfully. You can use it to restore the Config now.
PAM-CM-0269 = File {0} uploaded successfully. You can use it to restore the Database now.
PAM-CM-0274 = FIPS mode can not be activated when logging to an external server is enabled. Disable external logging first
PAM-CM-0275 = Could not activate FIPS mode because SNMP is configured for unsecured access. Please configure SNMP (poll server and traps) for v3 access only and try again.
PAM-CM-0276 = Could not activate FIPS mode because CA PAM as a SAML RP is configured to accept assertions signed using a SHA1 based algorithm. SHA1 based algorithms are not supported in FIPS mode.
PAM-CM-0277 = Can not start Monitor. Please verify the information in General Monitoring Parameters.
PAM-CM-0278 = Can not stop Monitor
PAM-CM-0279 = The Email logs option may only be enabled if you have a valid Admin Email, SMTP Server, and Appliance From Address configured under the Monitor tab.
PAM-CM-0280 = "Date and Time","Private IP","Public IP","NAT/Proxy IP","User","Transaction","Address","Device Name","Port","Access/Protocol","Service/App","Details","Target Account","Password View Request ID"
PAM-CM-0281 = Attaching of additional storage attached to this virtual appliance ({0}) initiated, this appliance will be rebooted.
PAM-CM-0282 = Attachment of additional storage completed successfully
PAM-CM-0283 = Detaching of additional storage from this virtual appliance initiated, this appliance will be rebooted
PAM-CM-0284 = Downloaded database backup public key file {0}
PAM-CM-0285 = Error downloading database backup public key file: {0}
PAM-CM-0286 = Session recording purging settings updated.
PAM-CM-0287 = Problem changing the SNMP Agent startup flag: {0}
PAM-CM-0288 = SNMP Agent startup flag changed successfully. Start at boot: {0}
PAM-CM-0289 = Can not save SNMP daemon configuration: {0}
PAM-CM-0290 = SNMP poll configuration saved successfully. Read-only Community: {0}
PAM-CM-0291 = SNMP Agent started successfully
PAM-CM-0292 = Problem starting SNMP Agent: {0}
PAM-CM-0293 = SNMP Agent stopped successfully
PAM-CM-0294 = Problem stopping SNMP Agent: {0}
PAM-CM-0295 = Invalid characters for Read-Only Community
PAM-CM-0296 = xceedium is not a valid SNMPv3 username
PAM-CM-0297 = Invalid characters for SNMPv3 Username
PAM-CM-0298 = Authentication Passphrase must be at least eight (8) characters in length
PAM-CM-0299 = Private Passphrase can be omitted or should be at least eight (8) characters in length
PAM-CM-0300 = SNMPv3 User "{0}" already exists
PAM-CM-0301 = SNMPv3 user "{0}" added successfully
PAM-CM-0302 = SNMPv3 user "{0}" updated successfully
PAM-CM-0303 = SNMPv3 Username "{0}" not found
PAM-CM-0304 = SNMPv3 user "{0}" deleted successfully
PAM-CM-0305 = {0} has been loaded({1}){2}{3}
PAM-CM-0306 = Uploaded Certificate {0}
PAM-CM-0307 = Certificate ({0}) Self signed Certificate


PAM-CM-0309 = Uploaded Certificate with Private Key {0}
PAM-CM-0311 = {0} has been loaded
PAM-CM-0312 = Uploaded Intermediate Certificate {0}
PAM-CM-0313 = Could not activate FIPS mode because CA PAM as a SAML RP is configured to sign authentication requests to the the following SAML Remote IdPs using SHA1: {0}. SHA1 based algorithms are not supported in FIPS mode.
PAM-CM-0314 = Uploaded CA Bundles {0}
PAM-CM-0315 = Uploaded Certificate Revocation List {0}
PAM-CM-0316 = Please enter the same content in Passphrase and Confirm fields
PAM-CM-0317 = Certificate Upload: {0} ({1})
PAM-CM-0318 = Certificate with Private Key Upload: This is not a PEM certificate ({0})
PAM-CM-0319 = This is not a PEM certificate
PAM-CM-0320 = Certificate with Private Key Upload: Error opening certificate. please check the certificate ({0})
PAM-CM-0322 = Certificate with Private Key Upload: {0} ({1})
PAM-CM-0323 = Certificate with Private Key Upload: PEM Private Key is missing ({0})
PAM-CM-0324 = PEM Private Key is missing
PAM-CM-0325 = Certificate with Private Key Upload: Private Key file encrypted, please provide Passphrase ({0})
PAM-CM-0326 = Private Key file encrypted, please provide Passphrase
PAM-CM-0327 = Certificate with Private Key Upload: Error occurred. Please check Passphrase ({0})
PAM-CM-0328 = Error occurred. Please check Passphrase
PAM-CM-0329 = Intermediate Certificate Upload: {0} ({1})
PAM-CM-0330 = Intermediate Certificate Upload: Unknown format ({0})
PAM-CM-0331 = Intermediate Certificate Upload:Invalid CA Certificate ({0})
PAM-CM-0332 = Invalid CA Certificate
PAM-CM-0333 = Intermediate Certificate Upload: Invalid Key Usage ({0})
PAM-CM-0334 = Invalid Key Usage
PAM-CM-0335 = CA Bundles Upload: {0} ({1})
PAM-CM-0336 = CA Bundles Upload: Unknown Format ({0})
PAM-CM-0337 = Certificate Revocation List Upload: Unknown Format ({0})
PAM-CM-0338 = Certificate Revocation List Upload: Please choose downloaded CRL option and try again ({0})
PAM-CM-0339 = Please choose downloaded CRL option and try again
PAM-CM-0340 = Error: Certificate version {0} but contains x509v3 extensions. Ensure that x509v3 certificates show Version 3 in the Version field.
PAM-CM-0341 = Certificate with Private Key Upload: Error: Certificate version {0} but contains x509v3 extensions. Ensure that x509v3 certificates show Version 3 in the Version field. ({1})
PAM-CM-0342 = Error opening certificate. Please check the certificate
PAM-CM-0343 = Certificate Upload: Error opening certificate. Please check the certificate ({0})
PAM-CM-0344 = Certificate Upload: Error: Certificate version {0} but contains x509v3 extensions. Ensure that x509v3 certificates show Version 3 in the Version field. ({1})
PAM-CM-0345 = Self signed Certificate
PAM-CM-0346 = {0} has been verified
PAM-CM-0347 = Rebooting after new certificate accepted
PAM-CM-0348 = SAMPR log level not updated
PAM-CM-0349 = {0} has been verified.
PAM-CM-0350 = Object empty: Log
PAM-CM-0351 = Date/Time changed successfully. New time: {0, date, MM-dd-yyyy HH:mm} in Timezone: {1}.
PAM-CM-0352 = Unable to change Date/Time: {0}
PAM-CM-0353 = Time Servers information updated successfully
PAM-CM-0354 = Updated Time Servers. Synchronize at boot: Enabled, Servers: {0}.
PAM-CM-0355 = Updated Time Servers. Synchronize at boot: Disabled, Servers: {0}.
PAM-CM-0356 = Error updating Time Servers information: {0}
PAM-CM-0357 = NTP IFF key saved: closed security policy no key
PAM-CM-0358 = NTP IFF key saved: closed security policy
PAM-CM-0359 = NTP IFF key saved: open security policy no key
PAM-CM-0360 = NTP IFF key saved: open security policy

Discovery Scans, Scheduled Jobs

PAM-CM-0361 = No discovery credentials available for application {0}. Discovery unsuccessful.


PAM-CM-0362 = An error occurred during discovery. Details: {0}
PAM-CM-0363 = No discovery credentials with sufficient permissions available for application {0}. Discovery unsuccessful.
PAM-CM-0364 = An internal exception ({0}) occurred during discovery of device "{1}" with application "{2}".
PAM-CM-0365 = An internal exception ({0}) occurred during discovery of device "{1}" with application "{2}": {3}
PAM-CM-0366 = Invalid SSH key found in file {0} of device {1}: {2}
PAM-CM-0367 = Invalid discovery response from device {0}; first line : {1}
PAM-CM-0368 = Invalid discovery response from device {0}; expected user-to-key relationship but instead received {1}
PAM-CM-0369 = Invalid discovery response from device {0} for file {1}; expected embedded keys but instead received {2}
PAM-CM-0370 = Invalid discovery response from device {0} for file {1}; expected embedded key but instead received {2}
PAM-CM-0371 = Invalid discovery response from device {0} for file {1}; embedded key was empty.
PAM-CM-0372 = Invalid discovery response from device {0} for file {1}; bits portion of protocol version 1 key non-numeric: {2}
PAM-CM-0373 = Invalid discovery response from device {0} for file {1}; key size from fingerprint non-numeric: {2}
PAM-CM-0374 = Device {0} cannot process SSH commands; error from device: {1}
PAM-CM-0375 = Invalid Scheduling Frequency: {0}
PAM-CM-0376 = No dates specified for trigger.
PAM-CM-0377 = Unknown Frequency: {0}
PAM-CM-0378 = Invalid end date. Schedule will never trigger.
PAM-CM-0379 = Invalid end date.
PAM-CM-0380 = The specified time has already passed. Schedule will never trigger.
PAM-CM-0386 = Job {0} was cancelled by user.
PAM-CM-0387 = Scan failed: {0}
PAM-CM-0388 = Device Discovery Started
PAM-CM-0389 = Device Discovery found host {0}
PAM-CM-0390 = Device Discovery found service {0} on host {1}
PAM-CM-0391 = Account Discovery Started
PAM-CM-0392 = Account Discovery found account {0}
PAM-CM-0393 = Account Discovery added {0} new accounts, removed {1} accounts
PAM-CM-0394 = An error occurred accessing the database. Scan canceled.
PAM-CM-0395 = No Account Discovery support for application type {0}. Application skipped.
PAM-CM-0396 = SSH Key Discovery found {0,number} {0,choice,0#keys|1#key|1<keys} in file {1} on host {2}.
PAM-CM-0397 = SSH Key Discovery added {0} new {0,choice,0#keys|1#key|1<keys}, removed {1} {1,choice,0#keys|1#key|1<keys}
PAM-CM-0398 = Error updating NTAuth information: {0}
PAM-CM-0399 = RuntimeException occurred attempting to retrieve NetworkProfileScanHistory
PAM-CM-0400 = CA Single Sign-On Web Agent registration failed. A trusted host with the same name already exists.
PAM-CM-0401 = Invalid file id specified
PAM-CM-0402 = Cannot obtain DAOFactory object
PAM-CM-0403 = Cannot obtain Transaction object
PAM-CM-0404 = Invalid CRL schedule time
PAM-CM-0405 = CRL Options update successful
PAM-CM-0406 = CRL file: {0} was added.
PAM-CM-0407 = CRL file: {0} was added. There is invalid CRL file: {1}
PAM-CM-0408 = CRL file: {0} was added. Could not add URLs {1}. There is invalid CRL URL format: {2}
PAM-CM-0409 = CRL file: {0} was added. Could not add URLs {1}.
PAM-CM-0410 = CRL file: {0} was added. There is invalid CRL URL format: {1}
PAM-CM-0411 = Can't update CRL configuration.
PAM-CM-0412 = Can't update CRL configuration: There is invalid CRL file: {0}
PAM-CM-0413 = Can't update CRL configuration: Could not add URLs {0}. There is invalid CRL URL format: {1}
PAM-CM-0414 = Can't update CRL configuration. Could not add URLs {0}.
PAM-CM-0415 = Can't update CRL configuration. There is invalid CRL URL format: {0}
PAM-CM-0416 = CRL file: {0} was added. There is invalid CRL file: {1}. Could not add urls {2}. There is invalid CRL URL format: {3}

PAM-CM-0417 = CRL file: {0} was added. There is invalid CRL file: {1}. Could not add urls {2}.
PAM-CM-0418 = CRL file: {0} was added. There is invalid CRL file: {1}. There is invalid CRL URL format: {2}
PAM-CM-0419 = Error deleting object: {0}
PAM-CM-0420 = Can't write to S3 bucket, please check bucket permissions.
PAM-CM-0421 = Can't list S3 bucket, please check bucket permissions.
PAM-CM-0422 = Cannot connect to AWS. Check network settings for domain and dns list.
PAM-CM-0423 = Invalid characters for Trap Community
PAM-CM-0424 = Invalid characters for Trap v2 messages destination
PAM-CM-0425 = Passphrase can be omitted or should be at least eight (8) characters in length
PAM-CM-0426 = SNMP trap configuration saved successfully. Trap Community: {0}.
PAM-CM-0427 = Can not save SNMP trap configuration
PAM-CM-0428 = The certificate is self signed and can not be used. Applets must be signed with a certificate issued by a trusted CA.
PAM-CM-0429 = The certificate is missing the required Code Signing extended usage.
PAM-CM-0430 = {0} has been verified. The following names are not valid hostnames: {1}
PAM-CM-0431 = The certificate is self signed and can not be used. Applets must be signed with a certificate issued by a trusted CA. The following names are not valid hostnames: {0}
PAM-CM-0432 = The certificate is missing the required Code Signing extended usage. The following names are not valid hostnames: {0}
PAM-CM-0433 = The key file for the certificate {0} is missing. The following names are not valid hostnames: {1}
PAM-CM-0434 = The following names are not valid hostnames: {0}
PAM-CM-0435 = Missing parameter ipAddress
PAM-CM-0436 = Missing parameter hostName
PAM-CM-0437 = Missing parameter ports
PAM-CM-0438 = Missing parameter timeout
PAM-CM-0439 = ApplicationClusterManager.generateMetric Application cluster member {0}:{1} event={2}, skew={3}msec (ACTIVE:{4}) (INACTIVE:{5})
PAM-CM-0440 = ApplicationClusterManager.generateMetric Application cluster member {0}:{1} event={2} (ACTIVE:{3}) (INACTIVE:{4})
PAM-CM-0441 = DataSourceManager.createInstance Initialized OK (ACTIVE: {0}) (INACTIVE: {1})
PAM-CM-0442 = ApplicationImpl.initialize Begin PA startup on {0} ({1});
PAM-CM-0443 = ApplicationImpl.initialize Finished PA startup on {0} ({1}) appClustering=ON dbClustering=ON externalSyncUnlocked=YES
PAM-CM-0444 = ApplicationImpl.initialize Finished PA startup on {0} ({1}) appClustering=ON dbClustering=ON externalSyncUnlocked=NO
PAM-CM-0445 = ApplicationImpl.initialize Finished PA startup on {0} ({1}) appClustering=ON dbClustering=OFF externalSyncUnlocked=YES
PAM-CM-0446 = ApplicationImpl.initialize Finished PA startup on {0} ({1}) appClustering=ON dbClustering=OFF externalSyncUnlocked=NO
PAM-CM-0447 = ApplicationImpl.initialize Finished PA startup on {0} ({1}) appClustering=OFF dbClustering=ON externalSyncUnlocked=YES
PAM-CM-0448 = ApplicationImpl.initialize Finished PA startup on {0} ({1}) appClustering=OFF dbClustering=ON externalSyncUnlocked=NO
PAM-CM-0449 = ApplicationImpl.initialize Finished PA startup on {0} ({1}) appClustering=OFF dbClustering=OFF externalSyncUnlocked=YES
PAM-CM-0450 = ApplicationImpl.initialize Finished PA startup on {0} ({1}) appClustering=OFF dbClustering=OFF externalSyncUnlocked=NO
PAM-CM-0451 = ServerReachabilityMonitor.run Server '{0}' reachability changed: {1}
PAM-CM-0452 = DataSourceManager.activated Database {0}={1} activated. (ACTIVE: {2}) (INACTIVE: {3})
PAM-CM-0453 = CustomJGroupsMembershipListener.added Application {0} first joined.
PAM-CM-0454 = CustomJGroupsMembershipListener.added Application {0} rejoined (MERGE FROM SPLIT/BRAIN TRIGGERED).
PAM-CM-0455 = DataSourceManager.activated Database {0}={1} stopped synchronization. (ACTIVE: {2}) (INACTIVE: {3})
PAM-CM-0456 = DataSourceManager.activated Database {0}={1} started synchronization. (ACTIVE: {2}) (INACTIVE: {3})
PAM-CM-0457 = DataSourceManager.deactivated Database {0}={1} deactivated. (ACTIVE: {2}) (INACTIVE: {3})

PAM-CM-0458 = DataSourceManager.removed Application {0} left.
PAM-CM-0459 = ReactivateDatabaseThread.run ReactivateDatabaseThread.run No active databases. Attempting to reactivate database {0}={1}.
PAM-CM-0460 = DataSourceManagerHeartbeat.run Database {0}={1} is still active and alive ['{2}' => '{3}']. Time={4}ms [Total={5}ms, Count={6}, Average={7}ms, Min={8}ms, Max={9}ms]. (ACTIVE: {10}) (INACTIVE: {11})
PAM-CM-0461 = DataSourceManagerHeartbeat.run Database {0}={1} is still active and alive ['{2}' => '{3}']. Time={4}ms [Total={5}ms, Count={6}, Average={7}ms, Min={8}ms, Max={9}ms]. New Max! (ACTIVE: {10}) (INACTIVE: {11})
PAM-CM-0462 = DataSourceManagerHeartbeat.run Database {0}={1} is now active and alive, try #{2} succeeded ['{3}' => '{4}']. Time={5}ms [Total={6}ms, Count={7}, Average={8}ms, Min={9}ms, Max={10}ms]. (ACTIVE: {11}) (INACTIVE: {12})
PAM-CM-0463 = DataSourceManagerHeartbeat.run Database {0}={1} is now active and alive, try #{2} succeeded ['{3}' => '{4}']. Time={5}ms [Total={6}ms, Count={7}, Average={8}ms, Min={9}ms, Max={10}ms]. New Max! (ACTIVE: {11}) (INACTIVE: {12})
PAM-CM-0464 = DataSourceManagerHeartbeat.run Database {0}={1} is active but suspected not alive for {2}ms ['{3}' => '{4}']. Time={5}ms [Total={6}ms, Count={7}, Average={8}ms, Min={9}ms, Max={10}ms] [FailTotal={11}ms, FailCount={12}, FailAverage={13}ms]. (ACTIVE: {14}) (INACTIVE: {15})
PAM-CM-0465 = DataSourceManagerHeartbeat.run Database {0}={1} is active but suspected not alive for {2}ms ['{3}' => '{4}']. Time={5}ms [Total={6}ms, Count={7}, Average={8}ms, Min={9}ms, Max={10}ms] [FailTotal={11}ms, FailCount={12}, FailAverage={13}ms]. New Max! (ACTIVE: {14}) (INACTIVE: {15})
PAM-CM-0466 = DataSourceManagerHeartbeat.run Database {0}={1} is active but suspected not alive for {2}ms, try #{3} failed ['{4}' => '{5}']. Time={6}ms [Total={7}ms, Count={8}, Average={9}ms, Min={10}ms, Max={11}ms] [FailTotal={12}ms, FailCount={13}, FailAverage={14}ms]. (ACTIVE: {15}) (INACTIVE: {16})
PAM-CM-0467 = DataSourceManagerHeartbeat.run Database {0}={1} is active but suspected not alive for {2}ms, try #{3} failed ['{4}' => '{5}']. Time={6}ms [Total={7}ms, Count={8}, Average={9}ms, Min={10}ms, Max={11}ms] [FailTotal={12}ms, FailCount={13}, FailAverage={14}ms]. New Max! (ACTIVE: {15}) (INACTIVE: {16})
PAM-CM-0468 = DataSourceManagerHeartbeat.run Database {0}={1} is now inactive ['{2}' => '{3}']. Time=n/a [Total=n/a, Count=n/a, Average=n/a, Min=n/a, Max=n/a] [FailTotal=n/a, FailCount=n/a, FailAverage=n/a]. (ACTIVE: {4}) (INACTIVE: {5})
PAM-CM-0469 = DataSourceManagerHeartbeat.run Database {0}={1} is now inactive ['{2}' => '{3}']. Time=n/a [Total={4}ms, Count={5}, Average={6}ms, Min={7}ms, Max={8}ms] [FailTotal=n/a, FailCount=n/a, FailAverage=n/a]. (ACTIVE: {9}) (INACTIVE: {10})
PAM-CM-0470 = DataSourceManagerHeartbeat.run Database {0}={1} is now inactive ['{2}' => '{3}']. Time=n/a [Total={4}ms, Count={5}, Average={6}ms, Min={7}ms, Max={8}ms] [FailTotal={9}ms, FailCount={10}, FailAverage={11}ms]. (ACTIVE: {12}) (INACTIVE: {13})
PAM-CM-0471 = Cannot delete current system certificate {0}
PAM-CM-0472 = Applied patch {0} : Applied patch {1} :
PAM-CM-0473 = Mounted directory is not writable.
PAM-CM-0494 = Config user id not specified
PAM-CM-0495 = Config user id must be at least 6 characters long
PAM-CM-0496 = Config password not specified
PAM-CM-0497 = Config Password updated successfully
PAM-CM-0498 = CA PAM administrator user name can not be blank
PAM-CM-0499 = Config user id must be at least 5 characters long
PAM-CM-0500 = You must provide password to change administrator login name
PAM-CM-0504 = No RequestContext; therefore cannot authenticate.
PAM-CM-0505 = Unable to create local session.
PAM-CM-0506 = Cannot parse username
PAM-CM-0507 = Not licensed for external API access
PAM-CM-0508 = External API access not enabled
PAM-CM-0509 = Cannot perform {0} operations while cluster is stopped. {1} was not executed.
PAM-CM-0510 = Invalid login name {0}.
PAM-CM-0511 = Invalid password for {0}.
PAM-CM-0512 = API key {0} not found or is not active.
PAM-CM-0513 = Unable to create SecurityContext.
PAM-CM-0514 = API key {0} has privileges in excess of its user {1}. Login not allowed.
PAM-CM-0515 = API key {0} has user groups that do not match its user {1} Login not allowed.

PAM-CM-0516 = API key {0} has device groups that do not match its user {1} Login not allowed.
PAM-CM-0517 = External API may not be used when the in maintenance mode.
PAM-CM-0518 = Database error. See Tomcat log for details.
PAM-CM-0519 = Target application for Cluster is missing. ApplicationID={0}, ClusterName={1}
PAM-CM-0520 = Duplicate device address. name={0}, ClusterName={1}
PAM-CM-0521 = SNMP User {0} already exists
PAM-CM-0522 = {0} is not a valid parameter value for {1}
PAM-CM-0523 = View password is disabled for Exclusive Checkout On Auto Connect Password View policy.

Message Headers
PAM-CM-0530 = Validation Error:
PAM-CM-0531 = Exception occurred {0} in {1}
PAM-CM-0532 = Unable to load entity of type {0} with id {1}
PAM-CM-0533 = The entity of type {0} with id {1} does not exist
PAM-CM-0534 = The retrieved entity of type {0} does not match the expected type of {1}

General Error Messages
PAM-CM-0535 = Success.
PAM-CM-0536 = Application error occurred.
PAM-CM-0537 = Failed to connect to database.
PAM-CM-0538 = Database version does not match application version.
PAM-CM-0539 = A database error occurred.
PAM-CM-0540 = Request failed. Credential workflow is suspended due to the state of the cluster.
PAM-CM-0541 = Invalid user ID.
PAM-CM-0542 = Invalid password.
PAM-CM-0543 = Login failed.
PAM-CM-0544 = User ID/password combination does not exist.
PAM-CM-0545 = User session has not been authenticated. Please login.
PAM-CM-0546 = Account suspended.
PAM-CM-0547 = Missing login digest values.
PAM-CM-0548 = Missing login digest.
PAM-CM-0549 = Cannot login to secondary site.
PAM-CM-0550 = User is authenticated, but credential must be reset.
PAM-CM-0551 = User ID must have 3 to 16 characters.
PAM-CM-0552 = Password must have 6 to 16 characters.
PAM-CM-0553 = Authorization failed. User {0} does not have permission for this action.
PAM-CM-0554 = Password must contain at least one alpha character (a-z, A-Z).
PAM-CM-0555 = Password must contain at least one numeric character (0-9).
PAM-CM-0556 = Password must contain at least one special character (~!@#$%^&*()_+ =-`;:|?/,.).
PAM-CM-0557 = Authorization failed. User {0} does not have permission for this entity.
PAM-CM-0558 = Invalid password specified.
PAM-CM-0559 = Invalid license has been registered. Unable to complete request.
PAM-CM-0560 = License limit has been exceeded. Unable to complete request.
PAM-CM-0561 = Success. {Warning: Approaching license limit; you may need to upgrade your license.}
PAM-CM-0562 = Unlimited license error.
PAM-CM-0563 = Limited license error.
PAM-CM-0564 = Failed to register error. Error code already defined.
PAM-CM-0565 = Not authorized for updating the license. Permission required: setSystemProperty

Client Messages
PAM-CM-0566 = Success.
PAM-CM-0567 = Failed to authenticate with the Password Authority service.
PAM-CM-0568 = Unable to establish connection with client daemon.
PAM-CM-0569 = Not authorized (for client daemon).
PAM-CM-0570 = Unable to establish connection with Password Authority Server.
PAM-CM-0571 = No data found for specified target alias.
PAM-CM-0572 = An error occurred; if this problem persists then please ask your Administrator to investigate.
PAM-CM-0573 = Invalid parameters specified.
PAM-CM-0574 = Missing required parameter: {0}
PAM-CM-0575 = Unauthorized script name.

PAM-CM-0576 = Unauthorized execution path.
PAM-CM-0577 = Unauthorized execution user ID.
PAM-CM-0578 = Unauthorized request server.
PAM-CM-0579 = Error. Attempt to create a duplicate entry.
PAM-CM-0580 = Invalid target server specified.
PAM-CM-0581 = Invalid target application specified.
PAM-CM-0582 = Invalid account specified.
PAM-CM-0583 = Invalid request server specified.
PAM-CM-0584 = Invalid script specified.
PAM-CM-0585 = Invalid target alias specified.
PAM-CM-0586 = Invalid host name specified.
PAM-CM-0587 = Invalid IP address specified.
PAM-CM-0588 = Invalid port number specified. Unable to connect.
PAM-CM-0589 = Invalid execution path specified.
PAM-CM-0590 = Invalid script type specified.
PAM-CM-0591 = Invalid script name specified.
PAM-CM-0592 = Invalid execution user ID specified.
PAM-CM-0593 = Cannot update a new target alias.
PAM-CM-0594 = Maximum length of target alias exceeded.
PAM-CM-0595 = Application already exists for this server.
PAM-CM-0596 = No patch found.
PAM-CM-0597 = Patch found, but must be applied manually.
PAM-CM-0598 = Patch has already been processed.
PAM-CM-0599 = Privileged account cannot be used to create target alias.
PAM-CM-0600 = Invalid username.
PAM-CM-0601 = Invalid or no extension/application type specified.
PAM-CM-0602 = Security exception. Script integrity check failed.
PAM-CM-0603 = Security exception. Data tampering detected. Request denied.
PAM-CM-0604 = Unauthorized request server. Fingerprint has changed.
PAM-CM-0605 = Invalid XML definition.
PAM-CM-0606 = Password Authority Windows Proxy operation failed.
PAM-CM-0607 = Invalid file path specified.
PAM-CM-0608 = Unsupported command specified.
PAM-CM-0609 = Authorization mapping validation error. Invalid execution path specified for request script.
PAM-CM-0610 = Authorization mapping validation error. Invalid file path specified for request script.
PAM-CM-0611 = Authorization mapping validation error. Missing request script information.
PAM-CM-0612 = Authorization mapping validation error. Missing hash value for request script.
PAM-CM-0613 = Unsupported OS platform specified.
PAM-CM-0614 = Command cannot be executed because the primary site is unavailable.
PAM-CM-0615 = Primary site is unavailable. Any workflow tasks associated with the account's password view policy (dual authorization, change password, or check-in/checkout) have not been performed.
PAM-CM-0616 = Data source has not been initialized.
PAM-CM-0617 = Data source is not configured for clustering.
PAM-CM-0618 = Connection with client daemon timed out.
PAM-CM-0619 = Connection with Password Authority Server timed out.
PAM-CM-0620 = No data found for specified User.
PAM-CM-0621 = Invalid version specified.
PAM-CM-0622 = Invalid proxy server specified.
PAM-CM-0623 = Invalid proxy application specified.
PAM-CM-0624 = Invalid proxy account specified.
PAM-CM-0625 = Invalid account password specified.
PAM-CM-0626 = Invalid identifier, approver is suspended or database is unavailable.
PAM-CM-0627 = Invalid status.
PAM-CM-0628 = Approval process failure. Please ask your Administrator to investigate the issue.
PAM-CM-0629 = Unable to verify success or failure. Please ask your Administrator to investigate the issue.
PAM-CM-0630 = Invalid group ID.
PAM-CM-0631 = Invalid group name.

PAM-CM-0632 = Invalid filter ID.
PAM-CM-0633 = Invalid filter name.
PAM-CM-0634 = Invalid target group.
PAM-CM-0635 = Invalid request group.
PAM-CM-0636 = Invalid filter object class ID specified for a target group.
PAM-CM-0637 = Invalid filter object class ID specified for a requestor group.
PAM-CM-0638 = Delete failed. The role is in use by a user group.
PAM-CM-0639 = Delete failed. The request server is in use by an authorization mapping.
PAM-CM-0640 = Delete failed. The request server is in use by a request script.
PAM-CM-0641 = Delete failed. The request script is in use by an authorization mapping.
PAM-CM-0642 = Delete failed. The group is in use by a scheduled job.
PAM-CM-0643 = Delete failed. The group is in use by an authorization mapping.
PAM-CM-0644 = Delete failed. The group is in use by a user group.
PAM-CM-0645 = Delete failed. No user group would leave users without user groups or roles.
PAM-CM-0646 = Delete failed. The target alias is in use by an authorization mapping.
PAM-CM-0647 = Invalid user ID.
PAM-CM-0648 = Invalid account password specified.
PAM-CM-0649 = Invalid target alias specified.
PAM-CM-0650 = Invalid account access type specified.
PAM-CM-0651 = Invalid account name specified.
PAM-CM-0652 = Invalid application name specified.
PAM-CM-0653 = Invalid cache duration specified.
PAM-CM-0654 = Cannot make account privileged with active target alias.
PAM-CM-0655 = Number of assigned user groups cannot exceed {0}.
PAM-CM-0656 = Duplicate host name.
PAM-CM-0657 = Duplicate IP address.
PAM-CM-0658 = Duplicate device name.
PAM-CM-0659 = Request server not found.
PAM-CM-0660 = Invalid request server ID specified.
PAM-CM-0661 = Invalid script authorization mapping ID specified.
PAM-CM-0662 = Invalid request script ID specified.
PAM-CM-0663 = Invalid target alias ID specified.
PAM-CM-0664 = Invalid target server specified.
PAM-CM-0665 = Invalid application specified.
PAM-CM-0666 = Invalid account ID specified.
PAM-CM-0667 = Invalid application type specified.
PAM-CM-0668 = Account password too long.
PAM-CM-0669 = Key has already been changed. Waiting for request server to accept new key.
PAM-CM-0670 = Invalid pending fingerprint value.
PAM-CM-0671 = Invalid account history ID.
PAM-CM-0672 = Invalid account history compromised flag.
PAM-CM-0673 = One or more user groups must be specified.
PAM-CM-0674 = Delete failed. The target server is in use by a target alias.
PAM-CM-0675 = Delete failed. The target application is in use by a target alias.
PAM-CM-0676 = Cannot change the request server for this request script. Existing authorizations reference this script.
PAM-CM-0677 = E-mail address length exceeded.
PAM-CM-0678 = The specified user is an approver of a password view policy and cannot be deleted.
PAM-CM-0679 = Cannot verify password for unsynchronized account.
PAM-CM-0680 = E-mail server/account has not been set.
PAM-CM-0681 = E-mail from address has not been set.
PAM-CM-0682 = Invalid Authentication Type.
PAM-CM-0683 = Invalid user view type specified. Valid values are admin or general.
PAM-CM-0684 = Delete account failed. Target account in use by other account(s).
PAM-CM-0685 = Delete account failed. Target account in use by other application(s).
PAM-CM-0686 = Delete account failed. Target account ID does not exist.
PAM-CM-0687 = Delete account failed. Target account is used for e-mails.

PAM-CM-0688 = The specified user is an email notifier of a password view policy and cannot be deleted.
PAM-CM-0689 = Failed to send email to one or more recipients.
PAM-CM-0690 = An error occurred sending the email.
PAM-CM-0691 = One click approval host name is not valid.
PAM-CM-0692 = Application error.
PAM-CM-0693 = User.userID parameter not specified.
PAM-CM-0694 = User.newUserID parameter not specified.
PAM-CM-0695 = User to be renamed does not exist.
PAM-CM-0696 = Error renaming user.
PAM-CM-0697 = User to be deleted not found.
PAM-CM-0698 = Failed to evaluate email template token {0} due to error: {1}
PAM-CM-0699 = User.gkUserId value must be an integer greater than 0.
PAM-CM-0700 = User.gkUserId parameter is mandatory for internal requests.
PAM-CM-0701 = User.gkUserId parameter is not allowed for external requests.
PAM-CM-0702 = The approver permission cannot be removed; the specified user is an approver of {0} password view policy(ies) and email notifier of {1} password view policy(ies).
PAM-CM-0703 = User.gkUserId authentication value is not valid.
PAM-CM-0704 = Application error. Attempt to create duplicate entry.
PAM-CM-0705 = Invalid page number. Page numbers start at 1.
PAM-CM-0706 = Target server not found.
PAM-CM-0707 = Target application not found.
PAM-CM-0708 = TargetAccount.userId value must be an integer greater than 0.
PAM-CM-0709 = Target account cannot be deleted because it is owned by a user.
PAM-CM-0710 = Target application cannot be deleted because it has target account(s) owned by user(s).
PAM-CM-0711 = Target server cannot be deleted because it has target account(s) owned by user(s).
PAM-CM-0712 = Could not generate PAM login token.
PAM-CM-0713 = Error sending message to PAM.
PAM-CM-0714 = Could not parse PAM response.
PAM-CM-0715 = PAM returned an error response.
PAM-CM-0716 = Database ID not specified.
PAM-CM-0717 = active parameter not specified, or is incorrect. Valid values are true or false.
PAM-CM-0718 = Specified database ID does not exist.
PAM-CM-0719 = An error occurred when updating the database cluster.
PAM-CM-0720 = At least one cluster member must remain active.
PAM-CM-0721 = Invalid synchronization strategy specified.
PAM-CM-0722 = Delete application failed. Target application in use by other application(s).
PAM-CM-0723 = Delete server failed. Target server in use by application(s).
PAM-CM-0724 = Delete account failed. Target account in use by password view policy(s).
PAM-CM-0725 = Delete application failed. Target application in use by password view policy(s).
PAM-CM-0726 = Delete server failed. Target server in use by password view policy(s).
PAM-CM-0727 = User email address is mandatory.
PAM-CM-0728 = User email address is invalid.
PAM-CM-0729 = Cannot assign user(s) for email notification if they are missing an email address.
PAM-CM-0730 = SQL error. Attempt to create duplicate entry.
PAM-CM-0731 = Report contains no data.
PAM-CM-0732 = Invalid format for start date.
PAM-CM-0733 = Invalid format for end date.
PAM-CM-0734 = List of report recipients not specified.
PAM-CM-0735 = Report dates not selected.
PAM-CM-0736 = Report result too large to attach to email.
PAM-CM-0741 = Target application not specified.
PAM-CM-0742 = Account discovery has been disabled for this application type.
PAM-CM-0743 = Account discovery service class not found in target application configuration file.
PAM-CM-0744 = Proxy must be specified.
PAM-CM-0745 = Service host must be specified.
PAM-CM-0746 = Target account must be specified.
PAM-CM-0747 = List of discovered accounts must be specified.

PAM-CM-0748 = Target account details must be specified.
PAM-CM-0749 = Target application must be specified.
PAM-CM-0750 = Target account must be specified.
PAM-CM-0751 = Proxy must be specified.
PAM-CM-0752 = Service host must be specified.

Native Call Application Error Messages
PAM-CM-0753 = Application JNI error - maximum length exceeded.
PAM-CM-0754 = Application JNI error - null value.
PAM-CM-0755 = Maximum retries exceeded.
PAM-CM-0756 = No data found.
PAM-CM-0757 = A problem occurred during archive. Not all records were archived. Please run the command again.

Target Manager Error Messages
PAM-CM-0758 = Failed to synchronize password with target. If this problem persists then please ask your Administrator to investigate.
PAM-CM-0759 = Failed to verify password with target. If this problem persists then please ask your Administrator to investigate.
PAM-CM-0760 = Target server application is not responding!
PAM-CM-0761 = Insufficient permission to change password on target application.
PAM-CM-0762 = Authentication failed.
PAM-CM-0763 = Database driver class not found.
PAM-CM-0764 = Account is unsynchronized.
PAM-CM-0765 = Unable to establish connection with target application!
PAM-CM-0766 = Remote host closed connection during handshake. Possible invalid SSL certificate or port.
PAM-CM-0767 = Invalid SSL Certificate.
PAM-CM-0768 = Lock timeout, unable to process request.
PAM-CM-0769 = Account update in progress, unable to process request.
PAM-CM-0770 = The view password module did not respond.

Role Error Messages
PAM-CM-0771 = Invalid role specified.
PAM-CM-0772 = Role is read-only.
PAM-CM-4020 = User status cannot be null.

Update User Password Error Messages
PAM-CM-0773 = Invalid user password specified.
PAM-CM-0774 = Invalid user authentication type.

Client Error Messages
PAM-CM-0775 = Client is unable to process the request.
PAM-CM-0776 = Unable to connect to client.
PAM-CM-0777 = Invalid metric ID.

Batch Sequence Error Messages
PAM-CM-0778 = Invalid parameters.
PAM-CM-0779 = Invalid batch command.
PAM-CM-0780 = Unable to commit transaction in database.
PAM-CM-0781 = Unable to rollback transaction in database.
PAM-CM-0782 = Unable to start a transaction in database.
PAM-CM-0783 = Unable to upgrade database. Unsupported minimum release.
PAM-CM-4021 = Failed to acquire lock.
PAM-CM-0784 = Invalid file name.
PAM-CM-0785 = Invalid file path.
PAM-CM-0786 = Invalid file permissions.
PAM-CM-0787 = Invalid file size.
PAM-CM-0788 = Invalid version when running in FIPS mode.

Extension Manager: General Error Messages
PAM-CM-0789 = The password change process was not specified. The value assigned to the 'useOtherAccountToChangePassword' attribute must be 'true' or 'false'.
PAM-CM-0790 = An invalid port number was specified.
PAM-CM-0791 = An invalid Target Account ID was assigned to the 'otherAccount' attribute.
PAM-CM-0792 = An invalid Target Account ID was assigned to the 'otherPrivilegedAccount' attribute.

PAM-CM-0793 = The value assigned to the 'useOtherPrivilegedAccount' attribute must be 'true' or 'false'.

Extension Manager: Oracle Error Messages
PAM-CM-0794 = Invalid database name.

Extension Manager: UNIX Error Messages
PAM-CM-0795 = The specified other account has an incompatible protocol

LDAP Error Messages
PAM-CM-0210 = LDAP sync log level updated successfully
PAM-CM-0211 = LDAP sync log level could not be updated
PAM-CM-0225 = No LDAP Servers configured in LDAP Domain.
PAM-CM-0226 = LDAP Domain {0} already exists.
PAM-CM-0227 = LDAP update in progress, please try again later.
PAM-CM-0270 = LDAP Bind fail: Cannot contact LDAP server {0}
PAM-CM-0271 = LDAP Bind fail: Invalid credentials
PAM-CM-0272 = LDAP Bind fail: Invalid server type
PAM-CM-0273 = LDAP Bind fail: Invalid DN syntax
PAM-CM-3172 = LDAP Domain {0} added.
PAM-CM-3173 = LDAP Domain {0} updated.
PAM-CM-3174 = LDAP Domain {0} deleted.
PAM-CM-0737 = Invalid host specified for LDAP authentication.
PAM-CM-0738 = Invalid port specified for LDAP authentication.
PAM-CM-0739 = Could not connect to LDAP Directory for authentication.
PAM-CM-0740 = Invalid LDAP certificate.
PAM-CM-0796 = No LDAP DN specified.
PAM-CM-3548 = An invalid LDAP connect timeout was specified; the value must be in the range 1000..99999.
PAM-CM-3549 = An invalid LDAP read timeout was specified; the value must be in the range 1000..99999.
PAM-CM-3452 = An invalid LDAP connect timeout was specified; the value must be in the range 1000..99999.
PAM-CM-3453 = An invalid LDAP read timeout was specified; the value must be in the range 1000..99999.
PAM-CM-3471 = An invalid LDAP connect timeout was specified; the value must be in the range 1000..99999.
PAM-CM-3472 = An invalid LDAP read timeout was specified; the value must be in the range 1000..99999.
PAM-CM-3872 = Device in use by LDAP Domain Configuration.
PAM-CM-3873 = Target application in use by LDAP Domain Configuration.
PAM-CM-3874 = Target account in use by LDAP Domain Configuration.
PAM-CM-3875 = Failed updating LDAP Domain Configuration.
PAM-CM-4027 = {0}: LDAP Domain Configuration updated with application ID={1}. Check configuration for inconsistencies.
PAM-CM-4028 = {0}: LDAP Domain Configuration updated with account ID={1}. Check configuration for inconsistencies.
PAM-CM-4029 = {0}: LDAP Domain Configuration could not be updated with account ID={1}. Check configuration for inconsistencies.
PAM-CM-4060 = CA LDAP Server not found on this device/port
PAM-CM-4061 = Connected to CA LDAP Server, but no suitable database entry found
PAM-CM-5000 = No LDAP domain found on PAM for {0}.
PAM-CM-5001 = Authentication type {0} not supported on this appliance.
PAM-CM-5002 = Field authenticationType is required.
PAM-CM-5003 = Field groupDN is required.
PAM-CM-5004 = Field domainDN is required.

Database Password Change Error Messages
PAM-CM-0797 = Invalid database username.
PAM-CM-0798 = Invalid database password.
PAM-CM-0799 = Invalid database host name.
PAM-CM-0800 = Invalid database user type.
PAM-CM-0801 = Failed to update database admin account.

Enable Change-Password-On-View Error Messages
PAM-CM-0802 = Invalid interval parameter.

Scheduling Error Messages
PAM-CM-0803 = Invalid schedule time.
PAM-CM-0804 = This job will never run, the specified start date/time is in the past.

PAM-CM-0805 = Failed to save job.
PAM-CM-0806 = A Job already exist with this name.

Constraint Error Messages
PAM-CM-0807 = Constraint manager parse error.
PAM-CM-0808 = Invalid target server parameters.
PAM-CM-0809 = Invalid target application parameters.
PAM-CM-0810 = Cannot add a target application of a deprecated type.

Account Error Messages
PAM-CM-0811 = Invalid parameters.
PAM-CM-0812 = Exceeded maximum length of access type parameter.
PAM-CM-0813 = Account username may not contain whitespace characters.
PAM-CM-0814 = Exceeded maximum length for username parameter.
PAM-CM-0815 = Exceeded maximum length for password parameter.
PAM-CM-0816 = The specified password view policy has "change password on view" enabled, but the account is unsynchronized.
PAM-CM-0817 = The specified password view policy ID is invalid.
PAM-CM-0818 = Duplicate compound servers are not allowed for compound account.
PAM-CM-0819 = Circular reference. Account cannot refer to itself for "other account".
PAM-CM-0820 = Target Server is not allowed to be added as compound server.
PAM-CM-0821 = Compound account must be added as unsynchronized.
PAM-CM-0822 = Servers not specified for compound account.
PAM-CM-0823 = Target server cannot be specified as a compound server.
PAM-CM-0824 = Invalid target account ID.
PAM-CM-0825 = User does not have listOtherAccounts permission.
PAM-CM-0826 = The specified password view policy has "change password on SSO" enabled, but the account is unsynchronized.
PAM-CM-0827 = The specified password view policy has "change password on connection end" enabled, but the account is unsynchronized.
PAM-CM-0828 = The specified password view policy has "change password on session end" enabled, but the account is unsynchronized.
PAM-CM-0829 = Password and confirm password do not match.
PAM-CM-0830 = Account not specified.
PAM-CM-0831 = Cannot update account password of unsynchronized account.

Target Alias Error Messages
PAM-CM-0832 = Invalid parameters.
PAM-CM-0833 = Target alias name must consist only of characters [a-z A-Z 0-9 ~ ! @ # $ % ^ . : _ - + = /].
PAM-CM-0834 = Invalid request server parameters.
PAM-CM-0835 = Request Server does not exist or has never connected to Password Authority Server.
PAM-CM-0836 = Connection status checking is not supported on light clients.
PAM-CM-0837 = Event polling is enabled or client port is invalid.
PAM-CM-0838 = Invalid status code received from client ping.
PAM-CM-0839 = Connection status checking is not supported on proxies.
PAM-CM-0840 = Proxy cannot be deleted because it is in use.
PAM-CM-0841 = Adding windows agent via CLI command is not supported in PAM.
PAM-CM-0842 = Add request server failed.
PAM-CM-0843 = Invalid script parameters.
PAM-CM-0844 = Invalid script authorization parameters.
PAM-CM-0845 = Invalid script authorization execution user maximum length exceeded.
PAM-CM-0846 = Invalid script. It is on a different client than the one specified.
PAM-CM-0847 = Invalid user parameters.

Role Error Messages
PAM-CM-0848 = Invalid parameters.
PAM-CM-0849 = Exceeded maximum length of role name.
PAM-CM-0850 = Role name must consist of characters [a-z, A-Z, 0-9].
PAM-CM-0851 = Invalid role name.
PAM-CM-0852 = Exceeded maximum length of role description.
PAM-CM-0853 = Role description must consist of characters [a-z, A-Z, 0-9].
PAM-CM-0854 = Invalid role ID.
PAM-CM-0855 = Role is read-only.

Group Error Messages
PAM-CM-0856 = Invalid parameters.
PAM-CM-0857 = Exceeded maximum length of group name.
PAM-CM-0858 = Group name must consist of characters [a-z, A-Z, 0-9].
PAM-CM-0859 = Invalid group name.
PAM-CM-0860 = Exceeded maximum length of group description.
PAM-CM-0861 = Group description must consist of characters [a-z, A-Z, 0-9].
PAM-CM-0862 = Invalid group ID specified.
PAM-CM-0863 = Invalid permission specified.
PAM-CM-0864 = Invalid object class ID.
PAM-CM-0865 = Group is read-only.
PAM-CM-0866 = Invalid group type.

User Group Error Messages
PAM-CM-0867 = Invalid parameters.
PAM-CM-0868 = Exceeded maximum length of user group name.
PAM-CM-0869 = User group name must consist of characters [a-z, A-Z, 0-9].
PAM-CM-0870 = Invalid user group name.
PAM-CM-0871 = Exceeded maximum length of user group description.
PAM-CM-0872 = User group description must consist of characters [a-z, A-Z, 0-9].
PAM-CM-0873 = Invalid user group ID.
PAM-CM-0874 = Invalid group IDs.
PAM-CM-0875 = Invalid role ID.
PAM-CM-0876 = User group is read-only.
PAM-CM-0877 = Invalid read only.

Report Error Messages
PAM-CM-0878 = Invalid parameters.

System Property Error Messages
PAM-CM-0879 = Invalid property name specified.
PAM-CM-0880 = Exceeded maximum length of property name.
PAM-CM-0881 = Property name must consist of characters [a-z, A-Z, 0-9].
PAM-CM-0882 = Invalid property value specified

E-mail Properties Validation Error Messages
PAM-CM-0883 = Invalid e-mail target account.
PAM-CM-0884 = Invalid e-mail server host name.
PAM-CM-0885 = Invalid e-mail server port.
PAM-CM-0886 = Invalid e-mail address.
PAM-CM-0887 = Invalid e-mail subject.
PAM-CM-0888 = Invalid e-mail body.
PAM-CM-0889 = Invalid e-mail subject for update.
PAM-CM-0890 = Invalid e-mail body for update.
PAM-CM-0891 = Target account not specified.
PAM-CM-0892 = Requesting user not specified.
PAM-CM-0893 = Password view policy not specified.
PAM-CM-0894 = Password view request not specified.
PAM-CM-0895 = Approver not specified.

US 121 Messages
PAM-CM-0896 = Invalid e-mail subject for Password View.
PAM-CM-0897 = Invalid e-mail body for Password View.

US 120 Messages
PAM-CM-0898 = Invalid e-mail subject for Expired Password View Request.
PAM-CM-0899 = Invalid e-mail body for Expired Password View Request.
PAM-CM-0900 = Invalid e-mail subject for External Password Approvals.
PAM-CM-0901 = Invalid e-mail body for External Password Approvals.

US 91 Messages
PAM-CM-0902 = Invalid e-mail subject for Report Results.
PAM-CM-0903 = Invalid e-mail body for Report Results.
PAM-CM-0904 = Max User Group Limit cannot be more than 25.

Initial Property Error Messages
PAM-CM-0905 = Invalid property name specified.

Patch Error Messages
PAM-CM-0906 = Invalid patch ID.
PAM-CM-0907 = Invalid request server ID.
PAM-CM-0908 = Invalid patch detail ID.
PAM-CM-0909 = Invalid activate all flag.
PAM-CM-0910 = Patch already exist.
PAM-CM-0911 = Patch deployment disabled.
PAM-CM-0912 = Invalid Request Server connection status.
PAM-CM-0913 = Release now only supported for request servers of version 4.5.2 and up.

Password Policy Error Messages
PAM-CM-0914 = Invalid password policy ID.
PAM-CM-0915 = Invalid password policy name.
PAM-CM-0916 = Invalid password policy name.
PAM-CM-0917 = Exceeded maximum length of password policy name.
PAM-CM-0918 = Password policy name must consist of characters [a-z, A-Z, 0-9].
PAM-CM-0919 = Exceeded maximum length of password policy description.
PAM-CM-0920 = Password policy description must consist of characters [a-z, A-Z, 0-9].
PAM-CM-0921 = Invalid password policy type, this is a required value.
PAM-CM-0922 = Invalid password policy type value. Valid values [passwordPolicy].
PAM-CM-0923 = Password policy special characters cannot contain XML characters (> < & ' ").
PAM-CM-0924 = Password policy minimum length is too small.
PAM-CM-0925 = Password policy maximum length is too small.
PAM-CM-0926 = Minimum length must be less than the maximum length.
PAM-CM-0927 = Policy validation error.
PAM-CM-0928 = Password policy cannot be null.
PAM-CM-0929 = Repeats cannot be allowed if duplicates are disallowed.
PAM-CM-0930 = Select at least one character set in the 'Must Contain' category.
PAM-CM-0931 = Select at least one character set in the 'First Must Contain' category.
PAM-CM-0932 = First upper case character conflicts with no upper case characters anywhere.
PAM-CM-0933 = First lower case character conflicts with no lower case characters anywhere.
PAM-CM-0934 = First numeric character conflicts with no numeric characters anywhere.
PAM-CM-0935 = First special character conflicts with no special characters anywhere.
PAM-CM-0936 = Exclude characters, but none specified.
PAM-CM-0937 = Include special characters, but none specified.
PAM-CM-0938 = Include special first characters, but none specified.
PAM-CM-0939 = Invalid special characters were specified anywhere in the password.
PAM-CM-0940 = Invalid special characters were specified at the start of the password.
PAM-CM-0941 = Excluded special characters were specified anywhere in the password.
PAM-CM-0942 = Excluded special characters were specified at the start of the password.
PAM-CM-0943 = Some first special characters are not allowed anywhere in the password.
PAM-CM-0944 = No valid characters available. All have been excluded.
PAM-CM-0945 = No valid first characters available. All have been excluded.
PAM-CM-0946 = No valid first upper case characters available. All have been excluded.
PAM-CM-0947 = No valid first lower case characters available. All have been excluded.
PAM-CM-0948 = No valid first numeric characters available. All have been excluded.
PAM-CM-0949 = No valid first special characters available. All have been excluded.
PAM-CM-0950 = No valid upper case characters available. All have been excluded.
PAM-CM-0951 = No valid lower case characters available. All have been excluded.
PAM-CM-0952 = No valid numeric characters available. All have been excluded.
PAM-CM-0953 = No valid special characters available. All have been excluded.
PAM-CM-0954 = Password prefix contains excluded first character.
PAM-CM-0955 = Password prefix contains excluded characters.
PAM-CM-0956 = Password prefix cannot contain duplicate characters.
PAM-CM-0957 = Password prefix cannot contain repeating adjacent characters.
PAM-CM-0958 = Invalid policy type.
PAM-CM-0959 = Unrecognized policy type.
PAM-CM-0960 = Must specify a Policy ID or Name but not both.
PAM-CM-0961 = No policies were deleted.
PAM-CM-0962 = No policies were found.
PAM-CM-0963 = Specified password does not conform to the set password policy.
PAM-CM-0964 = Password policy could not be found for parent application.
PAM-CM-0965 = Failed to generate a password for the specified policy!
PAM-CM-0966 = Password does not meet the minimum length requirement.
PAM-CM-0967 = Password exceeds the maximum allowed length.
PAM-CM-0968 = Password does not contain any uppercase characters. See password policy.
PAM-CM-0969 = Password does not contain any lowercase case characters. See password policy.
PAM-CM-0970 = Password does not contain any numeric characters. See password policy.
PAM-CM-0971 = Password does not contain any special characters. See password policy.
PAM-CM-0972 = Password contains uppercase characters in contrast of password policy.
PAM-CM-0973 = Password contains lowercase characters in contrast of password policy.
PAM-CM-0974 = Password contains numeric characters in contrast of password policy.
PAM-CM-0975 = Password contains special characters prohibited by password composition policy.
PAM-CM-0976 = Password contains excluded first character. See password policy.
PAM-CM-0977 = Password contains excluded character. See password policy.
PAM-CM-0978 = Password prefix mismatch. See password policy.
PAM-CM-0979 = Password cannot contain duplicate characters. See password policy.
PAM-CM-0980 = Password cannot contain repeating adjacent characters. See password policy.
PAM-CM-0981 = Password cannot start with {#} pattern.
PAM-CM-0982 = Password cannot start with spaces.
PAM-CM-0983 = Password cannot end with spaces.
PAM-CM-0984 = Cannot reuse the existing password.
PAM-CM-0985 = Cannot reuse the last number of passwords specified in password policy.
PAM-CM-0986 = Cannot reuse a password from the last number of days specified in password policy.
PAM-CM-0987 = Need to add a required character of a specific type, but not enough characters available.
PAM-CM-0988 = Not enough characters available to avoid repeats.
PAM-CM-0989 = Password policy does not exist.
PAM-CM-0990 = Not enough characters available to avoid duplicates.
PAM-CM-0991 = Invalid minimum length specified.
PAM-CM-0992 = Invalid maximum length specified.
PAM-CM-0993 = Exceeded maximum length of password policy special characters list.
PAM-CM-0994 = Password policy special characters list must consist of characters [ !"#$%&()*+,-./:;< =>?[]^_{|}~ ].
PAM-CM-0995 = Invalid minimum iterations before password can be reused.
PAM-CM-0996 = Invalid minimum days before password can be reused.
PAM-CM-0997 = Invalid value for 'Must contain upper case characters' boolean.
PAM-CM-0998 = Invalid value for 'Must contain lower case characters' boolean.
PAM-CM-0999 = Invalid value for 'Must contain numeric characters' boolean.
PAM-CM-1000 = Invalid value for 'Must contain special characters' boolean.
PAM-CM-1001 = Invalid value for 'First must contain upper case characters' boolean.
PAM-CM-1002 = Invalid value for 'First must contain lower case characters' boolean.
PAM-CM-1003 = Invalid value for 'First must contain numeric characters' boolean.
PAM-CM-1004 = Invalid value for 'First must contain special characters' boolean.
PAM-CM-1005 = Invalid value for 'Must not contain repeating characters' boolean.
PAM-CM-1006 = Invalid value for 'Must not contain duplicates characters' boolean.
PAM-CM-1007 = Invalid value for 'Must not contain characters' boolean.
PAM-CM-1008 = Password policy is in use and cannot be deleted.
PAM-CM-1009 = Invalid maximum password age specified.
PAM-CM-1010 = Requestor ID is too long.
PAM-CM-1011 = Requestor ID contains invalid characters.
PAM-CM-1012 = Password view request status is too long.
PAM-CM-1013 = Password view request status is invalid.
PAM-CM-1014 = Approver ID is too long.
PAM-CM-1015 = Approver ID contains invalid characters.
PAM-CM-1016 = Request start date format is invalid.
PAM-CM-1017 = Request end date format is invalid.
PAM-CM-1018 = Checked out parameter is invalid.
PAM-CM-1019 = Password view request ID is invalid.
PAM-CM-1020 = Password view request is expired.
PAM-CM-1021 = Password view request has already been approved or acknowledged.
PAM-CM-1022 = Password view request has already been denied or declined.
PAM-CM-1023 = Password view request does not require approval.
PAM-CM-1024 = You are not authorized to update this password view request.
PAM-CM-1025 = The specified account ID is invalid.
PAM-CM-1026 = You are not allowed to update your own password view request.
PAM-CM-1027 = Reason must not exceed 256 characters.
PAM-CM-1028 = Reason description must not exceed 1024 characters.
PAM-CM-1029 = Password view request ID is invalid.
PAM-CM-1030 = Unable to retrieve password view request identifier.
PAM-CM-1031 = Invalid approver list specified.
PAM-CM-1032 = Could not create password view request identifiers.
PAM-CM-1033 = The Approval Reason can only be changed when approving, acknowledging, denying, or declining a request.
PAM-CM-1034 = The Approval Reason Description can only be changed when approving, acknowledging, denying, or declining a request.
PAM-CM-1035 = You are not authorized to expire this password view request.
PAM-CM-1036 = SSO type value is not supported. Valid values are 'Any', 'WebBrowser', 'SSH', 'RDP', 'VNC', 'AWSAPI', 'NSXAPI', 'Telnet', or 'Other'.
PAM-CM-1037 = Authentication module configuration error.
PAM-CM-1038 = Authentication module not found.
PAM-CM-1039 = Authentication XML invalid.
PAM-CM-1040 = Password view policy name is invalid.
PAM-CM-1041 = Password view policy name is too long.
PAM-CM-1042 = Password view policy name contains invalid characters.
PAM-CM-1043 = Password view policy description is too long.
PAM-CM-1044 = Password view policy description contains invalid characters.
PAM-CM-1045 = Invalid value for change password on view was specified. Valid values are "true" or "false".
PAM-CM-1046 = Invalid value for change password interval was specified. Numeric value between 1 and 525600 must be specified.
PAM-CM-1047 = Invalid value for checkout / check-in required was specified. Valid values are "true" or "false".
PAM-CM-1048 = Invalid value for checkout / check-in interval was specified. Numeric value between 1 and 525600 must be specified.
PAM-CM-1049 = Invalid value for dual authorization required was specified. Valid values are "true" or "false".
PAM-CM-1050 = Invalid value for dual authorization interval was specified. Numeric value between 1 and 525600 must be specified.
PAM-CM-1051 = Invalid PasswordViewPolicy.ID was specified.
PAM-CM-1052 = Approvers must be specified if dual authorization is enabled in the policy.
PAM-CM-1053 = Invalid list of approvers was specified.
PAM-CM-1054 = Password view policy is read-only.
PAM-CM-1055 = The specified password view policy name is already in use.
PAM-CM-1056 = Password view policy approvers are not able to access the target account(s) that use this policy.
PAM-CM-1057 = One or more of the approvers in this policy are unable to update password view requests.
PAM-CM-1058 = This account is checked out by another user.
PAM-CM-1059 = This account is checked out and cannot be updated.
PAM-CM-1060 = This account is checked out by a different user.
PAM-CM-1061 = You have this account checked out.
PAM-CM-1062 = The specified password view request does not exist.
PAM-CM-1063 = The password request dates specified are invalid.
PAM-CM-1064 = You have a pending request to view this account password that has not been approved yet.
PAM-CM-1065 = This account has dual authorization enabled. A request for authorization to view the password has been e-mailed to the approvers of this account on your behalf.
PAM-CM-1066 = Password view policy is in use and cannot be deleted.
PAM-CM-1067 = Your account password request has been approved, but you are outside the approval period.
PAM-CM-1068 = Password view policy has "change password on view" enabled, but the account is unsynchronized. Password will not be changed.
PAM-CM-1069 = The specified status is invalid. Allowed values for Dual Authorization are approved(1), denied(2), pending(3), expired approved(6), and expired pending(8). For Retrospective Approval, the values are acknowledged (9), declined (10), and retrospectivePending (11). For Check-out/ Check-in the values are checkout(4), checked in(5).
PAM-CM-1070 = Invalid value for authentication required was specified. Valid values are "true" or "false".
PAM-CM-1071 = The above error occurred updating the account password, but the account has still been checked in.
PAM-CM-1072 = Cannot check out synchronized accounts that are unverified.
PAM-CM-1073 = Users must be specified if Email notification is enabled in the policy.
PAM-CM-1074 = Invalid value for email notification required was specified. Valid values are "true" or "false".
PAM-CM-1075 = Email notification failed to some of the Users.
PAM-CM-1076 = Check-in/checkout interval should be less than or equal to Dual authorization interval.
PAM-CM-1077 = Start and/or end date is outside the maximum allowable request period.Requests cannot be made more than {0} days in the future.
PAM-CM-1078 = Max duration is {0} minutes.
PAM-CM-1079 = Invalid Enable One Click Approval Value.
PAM-CM-1080 = The default password view request interval must be equal or less than the maximum password view request interval.
PAM-CM-1081 = Missing start date parameter.
PAM-CM-1082 = Missing end date parameter.
PAM-CM-1083 = Start date must not be in the past by up to 10 minutes.
PAM-CM-1084 = End date must not be in the past.
PAM-CM-1085 = Start date must be before end date.
PAM-CM-1086 = Start date cannot be the same as end date.
PAM-CM-1087 = Start date is beyond view password policy max interval days.
PAM-CM-1088 = End date is beyond view password policy max interval minutes.
PAM-CM-1089 = SSO type parameter not allowed for external CLI requests.
PAM-CM-1090 = The specified account does not define any services.
PAM-CM-1091 = The specified account is not an Active Directory account.
PAM-CM-1092 = Error communicating with proxy.
PAM-CM-1093 = Invalid domain specified.
PAM-CM-1094 = Failed to connect to Password Authority Windows Proxy.
PAM-CM-1095 = Computer name is invalid.
PAM-CM-1096 = The operation is allowed only on the primary domain controller of the domain.
PAM-CM-1097 = Username could not be found.
PAM-CM-1098 = Windows password is too short.
PAM-CM-1099 = Validation failed. Password is invalid.
PAM-CM-1100 = Could not find the domain controller for the domain.
PAM-CM-1101 = Unable to update the password. The provided new password does not meet the length, complexity, or history requirement of the domain.
PAM-CM-1102 = Login failure: unknown username or bad password.
PAM-CM-1103 = Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.
PAM-CM-1104 = The specified network account name or password is not correct.
PAM-CM-1106 = Password Authority Windows Proxy is not active.
PAM-CM-1107 = Password Authority Windows Proxy is not responding.
PAM-CM-1108 = Failed to update the services.
PAM-CM-1109 = Password Authority Windows Proxy reports invalid operation.
PAM-CM-1110 = Password Authority Windows Proxy has never registered.
PAM-CM-1111 = The specified service does not exist as an installed service.
PAM-CM-1112 = Password Authority Windows Proxy error - Invalid handle.
PAM-CM-1113 = Password Authority Windows Proxy error - Specified database does not exist.
PAM-CM-1114 = Password Authority Windows Proxy error - Data area passed to a system call is too small.
PAM-CM-1115 = Could not connect to server.
PAM-CM-1116 = Password verification failed. Failed to connect to user account.
PAM-CM-1117 = Password verification failed. Failed to set security.
PAM-CM-1118 = No such login session.
PAM-CM-1119 = Bad net path.
PAM-CM-1120 = Service rollback failed.
PAM-CM-1121 = Service rollback successful.
PAM-CM-1122 = Proxy unable to access host.
PAM-CM-1123 = Invalid operation at proxy.
PAM-CM-1124 = Service login failed.
PAM-CM-1125 = Could not find any domain controllers.
PAM-CM-1126 = No proxies are defined for the target application.
PAM-CM-1127 = Account is locked out.
PAM-CM-1128 = Password request is only approved for View (not Auto-Connect).
PAM-CM-1129 = Password request is only approved for Auto-Connect (not View).
PAM-CM-1130 = Password request is only approved for different Auto-Connect type.
PAM-CM-1131 = Invalid value for "Reason Required For View" was specified. Valid values are "true" or "false".
PAM-CM-1132 = Invalid value for "Reason Required For Auto-Connect" was specified. Valid values are "true" or "false".
PAM-CM-1133 = Invalid Service Desk Type specified.
PAM-CM-1134 = Reason Required For View and Reason Required For Auto-Connect are required when Service Desk integration is specified.
PAM-CM-4023 = Password View Policy changeOnConnectionEnd and changeOnSessionEnd can not be both true.
PAM-CM-1135 = Password view policy has "Change Password on Auto-Connect" enabled, but the account is unsynchronized. Password will not be changed.
PAM-CM-1136 = Invalid value for allow "Change Password on Auto-Connect" was specified. Valid values are "true" or "false".
PAM-CM-1137 = Crypto Application error.
PAM-CM-1138 = Failed to find crypto provider class.
PAM-CM-1139 = Failed to instantiate crypto provider class.
PAM-CM-1140 = Failed to retrieve server encryption key.
PAM-CM-1141 = Failed to set server encryption key.
PAM-CM-1142 = Failed to generate a server key.
PAM-CM-1143 = Failed to decrypt cipher text.
PAM-CM-1144 = Failed to encrypt clear text.
PAM-CM-1145 = Failed to retrieve current server key.
PAM-CM-1146 = Application error - Object does not contain cspm_serverkey attribute.
PAM-CM-1147 = Need to decrypt prior to encrypting.
PAM-CM-1148 = Key change in progress
PAM-CM-1149 = Invalid key
PAM-CM-1150 = Auto-Connect validation unknown error.
PAM-CM-1151 = Auto-Connect validation permission error.
PAM-CM-1152 = Auto-Connect validation rollback error.
PAM-CM-1153 = Auto-Connect invocation unknown error.
PAM-CM-1154 = Auto-Connect invocation permission error.
PAM-CM-1155 = Auto-Connect invocation rollback error.
PAM-CM-1156 = Auto-Connect denied by target connector.
PAM-CM-1157 = Auto-Connect user does not match target account.
PAM-CM-1158 = Auto-Connect parameter is missing.
PAM-CM-1159 = Auto-Connect parameter is not editable.
PAM-CM-1160 = Auto-Connect port range is 1-65535.
PAM-CM-1161 = Auto-Connect denied by target application.
PAM-CM-1162 = Auto-Connect SSO type unknown for target application.
PAM-CM-1163 = Invalid interval for change password.
PAM-CM-1164 = Invalid List Page Size.
PAM-CM-1165 = Must specify site name, site type and host name.
PAM-CM-1166 = Must specify one of site name, site type, or host name.
PAM-CM-1167 = Only one primary site can be provisioned in the system.
PAM-CM-1168 = A site with the specified name already exists.
PAM-CM-1169 = The specified site is not in the database.
PAM-CM-1170 = The site ID to delete was not specified.
PAM-CM-1171 = The specified site type is invalid.
PAM-CM-1172 = The site ID to update was not specified.
PAM-CM-1173 = Only this site can be set as the primary site.
PAM-CM-1174 = Failed to retrieve local site information.
PAM-CM-1175 = Failed to retrieve local site name.
PAM-CM-1176 = Cannot provision a secondary site until the primary site has been provisioned.
PAM-CM-1177 = Primary site cannot be deleted while secondary sites exist.
PAM-CM-1178 = No changes to the primary site may be performed.
PAM-CM-1179 = An error occurred during replication; please ask your Administrator to investigate.
PAM-CM-1180 = Secondary site out of sync with primary. Secondary site has higher replication record than primary.
PAM-CM-1181 = Secondary site does not have minimum replication record.
PAM-CM-1182 = Primary site error while processing secondary site request (serialization).
PAM-CM-1183 = Primary site error while processing secondary site request (I/O).
PAM-CM-1184 = Primary site error while processing secondary site request (class not found).
PAM-CM-1185 = Primary site error while processing secondary site request (execute command request).
PAM-CM-1186 = Primary site error while processing secondary site request (proxy command requests).
PAM-CM-1187 = Host name checking has not been disabled.
PAM-CM-1188 = The Row Limit provided is invalid.
PAM-CM-1189 = Password View Request Delete Interval Days is invalid.
PAM-CM-1190 = The client is offline.
PAM-CM-1191 = Unable to confirm whether or not the client is online.
PAM-CM-1192 = The client is online.
PAM-CM-1193 = Invalid current password specified.
PAM-CM-1194 = The password confirm field doesn't match the new password.
PAM-CM-1195 = The new password is the same as current password.
PAM-CM-4022 = Invalid boolean value for enable MaxPasswordAge. Value:{0}
PAM-CM-4024 = Cannot invoke command from remote host. Command name:{0}

Error Code Messages Common to Multiple Target Connectors and Authenticators
PAM-CM-1203 = Account is disabled
PAM-CM-1204 = Account is locked
PAM-CM-1205 = Account's password is expired on target
PAM-CM-1206 = Account is expired
PAM-CM-1207 = Must reset the password
PAM-CM-1208 = Account not found
PAM-CM-1209 = Not permitted to login from here

Error Code Messages for Remedy Target Manager Connector
PAM-CM-1210 = Change process not specified.
PAM-CM-1211 = Internal target connector error.
PAM-CM-1212 = Failed to synchronize password with target.
PAM-CM-1213 = Failed to verify password with target.
PAM-CM-1214 = Remedy server specified in the target application could not be found.
PAM-CM-1215 = A port must be specified.
PAM-CM-1216 = A BMCRemedyClientURL must be specified.
PAM-CM-1217 = Required Remedy licensed files could not be found.
PAM-CM-1218 = Could not log into Remedy server with the provided credentials.

Error Code Messages for Remedy View Password Plug-in
PAM-CM-1219 = A Remedy server must be specified.
PAM-CM-1220 = A Remedy application must be specified.
PAM-CM-1221 = A Remedy account must be specified.
PAM-CM-1222 = Remedy ticket number is not specified, or incorrect.
PAM-CM-1223 = Could not log into Remedy server with the provided credentials.
PAM-CM-1224 = Remedy server specified in the password view policy could not be found.
PAM-CM-1225 = Remedy application specified in the password view policy could not be found.
PAM-CM-1226 = Remedy account specified in the password view policy could not be found.
PAM-CM-1227 = The CA NIM SM target server could not be found.
PAM-CM-1228 = The CA NIM SM target application could not be found.
PAM-CM-1229 = The CA NIM SM target account could not be found.
PAM-CM-1230 = Could not verify ticket number with the Remedy system.
PAM-CM-1231 = Required Remedy licensed files could not be found.

Error Code Messages for ServiceNow View Password Plug-in

PAM-CM-1232 = A ServiceNow server must be specified.
PAM-CM-1233 = A ServiceNow application must be specified.
PAM-CM-1234 = A ServiceNow account must be specified.
PAM-CM-1235 = ServiceNow ticket number is not specified, or incorrect.
PAM-CM-1236 = Could not log into ServiceNow server with the provided credentials.
PAM-CM-1237 = ServiceNow server specified in the password view policy could not be found.
PAM-CM-1238 = ServiceNow application specified in the password view policy could not be found.
PAM-CM-1239 = ServiceNow account specified in the password view policy could not be found.
PAM-CM-1240 = The CA NIM SM target server could not be found.
PAM-CM-1241 = The CA NIM SM target application could not be found.
PAM-CM-1242 = The CA NIM SM target account could not be found.
PAM-CM-1243 = Could not verify ticket number with the ServiceNow system.

Error Code Messages for CA SDM View Password Plug-in

PAM-CM-1244 = A CA SDM server must be specified.
PAM-CM-1245 = A CA SDM application (type: Generic) must be specified.
PAM-CM-1246 = A CA SDM account must be specified.
PAM-CM-1247 = CA SDM ticket number is not specified, or incorrect.
PAM-CM-1248 = Could not log into CA SDM server with the provided credentials.
PAM-CM-1249 = CA SDM server specified in the password view policy could not be found.
PAM-CM-1250 = CA SDM application specified in the password view policy could not be found.
PAM-CM-1251 = CA SDM account specified in the password view policy could not be found.
PAM-CM-1252 = The CA NIM SM target server could not be found.
PAM-CM-1253 = The CA NIM SM target application could not be found.
PAM-CM-1254 = The CA NIM SM target account could not be found.
PAM-CM-1255 = Could not verify ticket number with the CA SDM system.

Error Code Messages for Salesforce Service Cloud View Password Plug-in

PAM-CM-1256 = A Salesforce Service Cloud server must be specified.
PAM-CM-1257 = A Salesforce Service Cloud application (type: Generic) must be specified.
PAM-CM-1258 = A Salesforce Service Cloud account must be specified.
PAM-CM-1259 = A SFDC Login Endpoint must be specified.
PAM-CM-1260 = A SFDC Service Cloud Client URL must be specified.
PAM-CM-1261 = A DateFormat must be specified.
PAM-CM-1262 = A CaseObject must be specified.
PAM-CM-1263 = A CaseCommentObject must be specified.
PAM-CM-1264 = An AttachmentObject must be specified.
PAM-CM-1265 = Salesforce Service Cloud ticket number is not specified, or incorrect.
PAM-CM-1266 = Could not log into Salesforce Service Cloud server with the provided credentials.
PAM-CM-1267 = Salesforce Service Cloud server specified in the password view policy could not be found.
PAM-CM-1268 = Salesforce Service Cloud application specified in the password view policy could not be found.
PAM-CM-1269 = Salesforce Service Cloud account specified in the password view policy could not be found.
PAM-CM-1270 = The CA NIM SM target server could not be found.
PAM-CM-1271 = The CA NIM SM target application could not be found.
PAM-CM-1272 = The CA NIM SM target account could not be found.
PAM-CM-1273 = Could not verify ticket number with the Salesforce Service Cloud system.

Error Code Messages for HP Service Manager View Password Plug-in

PAM-CM-1274 = An HP Service Manager server must be specified.
PAM-CM-1275 = An HP Service Manager application (type: Generic) must be specified.
PAM-CM-1276 = An HP Service Manager account must be specified.
PAM-CM-1277 = HP Service Manager ticket number is not specified, or incorrect.

PAM-CM-1278 = Could not log into HP Service Manager server with the provided credentials.
PAM-CM-1279 = HP Service Manager server specified in the password view policy could not be found.
PAM-CM-1280 = HP Service Manager application specified in the password view policy could not be found.
PAM-CM-1281 = HP Service Manager account specified in the password view policy could not be found.
PAM-CM-1282 = The CA NIM SM target server could not be found.
PAM-CM-1283 = The CA NIM SM target application could not be found.
PAM-CM-1284 = The CA NIM SM target account could not be found.
PAM-CM-1285 = Could not verify ticket number with the HP Service Manager system.

Custom View Password Module Error Code Messages

PAM-CM-1286 = The specified CA Normalized Integration Management account is in use and can't be deleted.
PAM-CM-1287 = The requested operation is not allowed on the CA Normalized Integration Management Target Account.
PAM-CM-1288 = The requested operation is not allowed on the CA Normalized Integration Management Target Application.
PAM-CM-1289 = The requested operation is not allowed on the 'nim.pam.ca.com' Target Server.
PAM-CM-1290 = The requested operation is not allowed on the selected application type.
PAM-CM-1291 = An invalid issuer URL was specified.
PAM-CM-1292 = An invalid console URL was specified.
PAM-CM-1293 = An invalid sign-in URL was specified.
PAM-CM-1294 = Exceeded maximum length for URL parameter.
PAM-CM-1295 = The specified URL is not formatted correctly.
PAM-CM-1296 = An invalid session duration was specified; the allowed range is 3600 - 129600 seconds.
PAM-CM-1297 = An invalid policy was specified.
PAM-CM-1298 = Exceeded maximum length for policy parameter.
PAM-CM-1299 = The specified policy is not formatted correctly.
PAM-CM-1300 = The AWS client reports that corrupted data was received from the AWS server; the error message is: {0}
PAM-CM-1301 = The AWS client reports that communications with the AWS server failed; the error message is: {0}
PAM-CM-1302 = An invalid session URL encoding option was specified.
PAM-CM-1303 = The AWS service reported a problem; the error message is: {0}
PAM-CM-1304 = The requested operation is not allowed on the AWS Access Credentials Target Application.
PAM-CM-1305 = The requested operation is not allowed on the 'xceedium.aws.amazon.com' Target Server.
PAM-CM-1306 = The requested command cannot be invoked from a remote host.
PAM-CM-1307 = The specified federated user name is incompatible with AWS; it contains too few characters.
PAM-CM-1308 = The specified federated user name is incompatible with AWS; it contains too many characters.
PAM-CM-1309 = The federated user name is missing from the request.
PAM-CM-1310 = The specified federated user name is incompatible with AWS.
PAM-CM-1311 = The specified AWS access account is in use and can't be deleted.
PAM-CM-1312 = The requested operation is not allowed on the AWS API Proxy Credentials Target Account.
PAM-CM-1313 = The requested operation cannot be performed by user with the specified target application type.
PAM-CM-1314 = The requested operation is not allowed.
PAM-CM-1315 = The requested operation is allowed on Target Server {0} only during CAPAM license setup.
PAM-CM-1316 = The specified VMware access account is in use and can't be deleted.
PAM-CM-1317 = Delete Check: the requested operation would delete an existing Target Server with ID: {0}
PAM-CM-1318 = Delete Check: the specified host name corresponds to one or more deleted Target Server(s): {0}
PAM-CM-1319 = Delete Check: the specified host name does not correspond to any existing or deleted Target Server(s): {0}
PAM-CM-1320 = Delete Check: the specified ID corresponds to a deleted Target Server: {0}
PAM-CM-1321 = Delete Check: the specified ID does not correspond to an existing or deleted Target Server: {0}
PAM-CM-1322 = Delete Check: the requested operation would delete an existing Request Server of type CLIENT or AGENT with ID: {0}
PAM-CM-1323 = Delete Check: the specified host name corresponds to one or more deleted Request Server(s) of type {1}: {0}
PAM-CM-1324 = Delete Check: the specified host name does not correspond to any existing or deleted Request Server(s) of type {1}: {0}
PAM-CM-1325 = Delete Check: the specified ID corresponds to a deleted Request Server of type CLIENT or AGENT: {0}

PAM-CM-1326 = Delete Check: the specified ID does not correspond to an existing or deleted Request Server of type CLIENT or AGENT: {0}
PAM-CM-1327 = Delete Check: the specified ID corresponds to one or more deleted Target Server(s): {0}
PAM-CM-1328 = Delete Check: the specified ID does not correspond to any existing or deleted Target Server(s): {0}

Extension Manager: Common Channel and Processor Target Connector API

PAM-CM-1329 = Failed to process a target connector script. Refer to the log file for further information.
PAM-CM-1330 = Failed to store an object in script processor memory.
PAM-CM-1331 = Failed to retrieve an object from storage in script processor memory.
PAM-CM-1332 = Failed to reset the script processor.
PAM-CM-1333 = An error occurred while processing a target connector script. The Target Account specifies an unrecognized password change method.
PAM-CM-1334 = An error occurred while processing a target connector script. The Target Account specifies an unsupported protocol.
PAM-CM-1335 = An error occurred while configuring the communications channel. The Target Account specifies an unsupported protocol.
PAM-CM-1336 = Failed to find {0} pattern(s) while reading from the communications channel: {1}
PAM-CM-1337 = An error occurred while configuring the script processor. Failed to retrieve a Target Account with ID {0}.
PAM-CM-1338 = An error occurred while configuring the script processor. The Target Account specifies another account should be used for authentication and/or verification but no value is assigned to the other account attribute.
PAM-CM-1339 = An error occurred while configuring the communications channel. The specified and calculated known host key fingerprints do not match.
PAM-CM-1340 = An error occurred while configuring the communications channel. Failed to decode the known host key.
PAM-CM-1341 = Failed to establish a communications channel to the remote host.
PAM-CM-1342 = An error occurred while configuring the script processor. An invalid pattern was specified for the password entry prompt.
PAM-CM-1343 = An error occurred while configuring the script processor. An invalid pattern was specified for the password confirmation prompt.
PAM-CM-1344 = An error occurred while configuring the script processor. An invalid pattern was specified for the password change prompt.
PAM-CM-1345 = An error occurred while configuring the script processor. An invalid pattern was specified for the user name entry prompt.
PAM-CM-1346 = Failed to remove an object from storage in script processor memory.
PAM-CM-1347 = An error occurred while configuring the script processor. Failed to retrieve a Target Account with ID {0}.
PAM-CM-1348 = An error occurred while configuring the script processor. The Target Account specifies another privileged account should be used but no value is assigned to the other privileged account attribute.
PAM-CM-1349 = A problem occurred while executing the script processor. Please try your request again or contact your Administrator.
PAM-CM-1350 = A problem occurred while executing the script processor. Failed to automatically derive a public key. Specify the public key and try again or else contact your Administrator.

Extension Manager: Common Channel and Processor Target Connector UI

PAM-CM-1351 = Cannot read the revised update script file. Verify the filename and ensure the patch obtained from Customer Support has been applied.
PAM-CM-1352 = Cannot read the revised verify script file. Verify the filename and ensure the patch obtained from Customer Support has been applied.
PAM-CM-1353 = An invalid filename was specified for the revised update script file. Verify the filename or else contact Customer Support to obtain the correct filename.
PAM-CM-1354 = An invalid filename was specified for the revised verify script file. Verify the filename or else contact Customer Support to obtain the correct filename.
PAM-CM-1355 = Must choose the filename of the revised update script if any are available. Only use this field if instructed to do so by Customer Support.
PAM-CM-1356 = Must choose the filename of the revised verify script if any are available. Only use this field if instructed to do so by Customer Support.
PAM-CM-1357 = An invalid regular expression was specified to match the Password Change prompt.
PAM-CM-1358 = An invalid list of server host key types was specified.

PAM-CM-1359 = An invalid list of inbound compression methods was specified.
PAM-CM-1360 = An invalid list of key exchange algorithms was specified.
PAM-CM-1361 = An invalid list of outbound compression methods was specified.
PAM-CM-1362 = An invalid list of inbound hashes was specified.
PAM-CM-1363 = An invalid list of outbound hashes was specified.
PAM-CM-1364 = An invalid list of inbound ciphers was specified.
PAM-CM-1365 = An invalid list of outbound ciphers was specified.
PAM-CM-1366 = Must specify a replacement update script. Only use this field if instructed to do so by Customer Support.
PAM-CM-1367 = Must specify a replacement verify script. Only use this field if instructed to do so by Customer Support.
PAM-CM-1368 = An invalid list of ciphers to detect was specified.
PAM-CM-1369 = An invalid regular expression was specified to match the Password Confirmation prompt.
PAM-CM-1370 = An invalid regular expression was specified to match the Password Entry prompt.
PAM-CM-1371 = An invalid regular expression was specified to match the User Name Entry prompt.
PAM-CM-1372 = The portal URL is missing from the request.
PAM-CM-1373 = The specified portal URL is invalid.
PAM-CM-1374 = The Security Token Service endpoint URL is missing from the request.
PAM-CM-1375 = The specified Security Token Service endpoint URL is invalid.
PAM-CM-1376 = The Security Token Service endpoint reference URI is missing from the request.
PAM-CM-1377 = The specified Security Token Service endpoint reference URI is invalid.
PAM-CM-1378 = The context (wctx) parameter is missing from the request.
PAM-CM-1379 = The specified context (wctx) parameter is invalid.
PAM-CM-1380 = Failed to load the token request template.
PAM-CM-1381 = Failed to initiate federated session.
PAM-CM-1382 = Failed to retrieve token request response from the Security Token Service.
PAM-CM-1383 = Failed to load the federated session request template.
PAM-CM-1384 = Failed to retrieve target account password.
PAM-CM-1385 = The target account ID is missing from the request.
PAM-CM-1386 = The specified target account ID is invalid.
PAM-CM-1387 = The reason parameter is missing from the request.
PAM-CM-1388 = The specified start date is invalid.
PAM-CM-1389 = The specified end date is invalid.
PAM-CM-1390 = The specified compound server ID is invalid.
PAM-CM-1391 = Failed to encode the specified context (wctx) parameter.
PAM-CM-1392 = The SSH Key Pair Policy ID is missing.
PAM-CM-1393 = The specified SSH Key Pair Policy ID is invalid; it must be an integer greater than zero.
PAM-CM-1394 = The SSH Key Pair Policy name is missing.
PAM-CM-1395 = The specified SSH Key Pair Policy name is invalid; it must consist of characters [a-z, A-Z, 0-9].
PAM-CM-1396 = The specified SSH Key Pair Policy name is too long; reduce the number of characters that it contains.
PAM-CM-1397 = The SSH Key Pair Policy description is missing.
PAM-CM-1398 = The SSH Key Pair Policy description is invalid; it must consist of characters [a-z, A-Z, 0-9].
PAM-CM-1399 = The SSH Key Pair Policy description is too long; reduce the number of characters that it contains.
PAM-CM-1400 = The SSH Key Pair Policy key type is missing.
PAM-CM-1401 = The specified SSH Key Pair Policy key type is invalid; it must be RSA or DSA.
PAM-CM-1402 = The SSH Key Pair Policy key length is missing.
PAM-CM-1403 = The specified SSH Key Pair Policy key length is invalid.
PAM-CM-1404 = Failed to add SSH Key Pair Policy due to error: {0}
PAM-CM-1405 = Failed SSH Key Pair generation test due to error: {0}
PAM-CM-1406 = The specified SSH Key Pair type and length are not compatible.
PAM-CM-1407 = An SSH Key Pair Policy ID or Name must be specified.
PAM-CM-1408 = Failed to load an SSH Key Pair Policy having the specified ID or Name.
PAM-CM-1409 = Must specify either an SSH Key Pair Policy ID or a Name but not both.
PAM-CM-1410 = Invalid subnet x.x.x.x. Format should be in CIDR notation (xxx.xxx.xxx.xxx/xx)
PAM-CM-1411 = The specified VMware target account is in use and can't be deleted.

Error messages for CA NIM SM target manager connector

PAM-CM-1412 = Change process not specified.
PAM-CM-1413 = Internal target connector error.
PAM-CM-1414 = Failed to synchronize password with target.
PAM-CM-1415 = Failed to verify password with target.

Error Code Messages for CA NIM UM Target Manager Connector

PAM-CM-1416 = Change process not specified.
PAM-CM-1417 = Internal target connector error.
PAM-CM-1418 = Failed to synchronize password with target.
PAM-CM-1419 = Failed to verify password with target.

Error Code Messages for ServiceNow Target Manager Connector

PAM-CM-1420 = Change process not specified.
PAM-CM-1421 = Internal target connector error.
PAM-CM-1422 = Failed to synchronize password with target.
PAM-CM-1423 = Failed to verify password with target.
PAM-CM-1424 = A ServiceNow URL must be specified.
PAM-CM-1425 = A ServiceNowClientURL must be specified.
PAM-CM-1426 = Could not log into ServiceNow server with the provided credentials.

Basic error messages for Service Desk connector

PAM-CM-1427 = Error retrieving Service Desk user credentials.
PAM-CM-1428 = The CA NIM UM target server could not be found.
PAM-CM-1429 = The CA NIM UM target application specified in the password view policy could not be found.
PAM-CM-1430 = The CA NIM UM target account specified in the password view policy could not be found.
PAM-CM-1431 = Failed to synchronize password with target.
PAM-CM-1432 = Failed to verify password with target.

Error messages for HP Service Manager target manager connector

PAM-CM-1433 = Change process not specified.
PAM-CM-1434 = Internal target connector error.
PAM-CM-1435 = Failed to synchronize password with target.
PAM-CM-1436 = Failed to verify password with target.
PAM-CM-1437 = A port must be specified.
PAM-CM-1438 = A HPSMClientURL must be specified.
PAM-CM-1439 = An Enabled Protocol must be specified.
PAM-CM-1440 = Could not log into HP Service Manager server with the provided credentials.

Error Code Messages for CA SDM Target Manager Connector

PAM-CM-1441 = Change process not specified.
PAM-CM-1442 = Internal target connector error.
PAM-CM-1443 = SOAP Protocol must be specified.
PAM-CM-1444 = SOAP Port must be specified.
PAM-CM-1445 = REST Protocol must be specified.
PAM-CM-1446 = REST Port must be specified.
PAM-CM-1447 = Could not log into CA SDM server with the provided credentials.
PAM-CM-1448 = Password composition policy (ID: {0}) associated with target application "{1}" does not exist in database.
PAM-CM-1449 = Generating a password for new target account {0} based on password composition policy "{1}" failed.
PAM-CM-1450 = Password for new target account {0} is not compliant with password composition policy "{1}".
PAM-CM-1451 = Password is not specified for a new target account {0}.
PAM-CM-1452 = Acquiring a password for a new target account {0} on target server {1} failed.
PAM-CM-1453 = Users export completed.
PAM-CM-1454 = Services export completed.
PAM-CM-1455 = Transparent Login Configs export completed.
PAM-CM-1456 = Custom Roles export completed.
PAM-CM-1457 = Devices export completed.
PAM-CM-1458 = Policy export completed.
PAM-CM-1459 = Command Filter Lists export completed.
PAM-CM-1460 = Socket Filter Lists export completed.
PAM-CM-1461 = Users import completed.

PAM-CM-1462 = Services import completed.
PAM-CM-1463 = Transparent Login Configs import completed.
PAM-CM-1464 = Custom Roles import completed.
PAM-CM-1465 = Devices import completed.
PAM-CM-1466 = Policy import completed.
PAM-CM-1467 = Command Filter Lists import completed.
PAM-CM-1468 = Socket Filter Lists import completed.
PAM-CM-1469 = SAML 2.0 SP Metadata export completed.
PAM-CM-1470 = SAML 2.0 SP Metadata import completed.
PAM-CM-1471 = Ready to apply patch: {0}. Reboot required
PAM-CM-1472 = Error retrieving objects: {0}
PAM-CM-1473 = {0} is not a valid Include IP Address.
PAM-CM-1474 = {0} is not a valid Exclude IP Address.
PAM-CM-1475 = Attempt to access CA PAM from {0}, which is not in the Exception List.
PAM-CM-1476 = Exception list cannot be empty when X Forward Host checking is enabled.
PAM-CM-1477 = {0} Exclusive-use account; Check-in time: {1}; Check-out time : {2}; by {3}
PAM-CM-1478 = Retrospective Approval Request cannot be expired.
PAM-CM-1479 = Retrospective Approval Request can be acknowledged or declined.
PAM-CM-1480 = Dual Authorization Request can be approved or denied.
PAM-CM-1481 = Retrospective Approval Request once acknowledged cannot be declined or expired.
PAM-CM-1482 = Retrospective Approval Request corresponds to a non-Retrospective Approval password view policy. So, the request cannot be acknowledged or declined.
PAM-CM-1483 = Dual Authorization Request corresponds to a non-Dual Authorization password view policy. So, the request cannot be approved, denied, or expired.
PAM-CM-1484 = Checked out password view request can only be checked in.
PAM-CM-1485 = {0} account; Retrospective Approval Request by {1} {2} by {3}.
PAM-CM-1486 = {0} account; Retrospective Approval Requested by {1}.
PAM-CM-1540 = Failed to locate PA server for device {0} in cluster {1}
PAM-CM-1541 = Remote CA PAM Debugging Services active date changed to {0} UTC
PAM-CM-1542 = Remote CA PAM Debugging Services shutdown rescheduling failed
PAM-CM-1543 = Remote CA PAM Debugging Services turned off, error deleting job
PAM-CM-1544 = Remote CA PAM Debugging Services turned on, error scheduling shutdown
PAM-CM-1545 = Remote CA PAM Debugging Services automatically turned off
PAM-CM-1555 = Cannot reset the cluster configuration while cluster is ON.
PAM-CM-1556 = An error has occurred while resetting cluster configuration.
PAM-CM-1557 = An error has occurred while sending cluster stopped.
PAM-CM-1558 = An error has occurred while checking cluster progress.
PAM-CM-1559 = An error has occurred while deleting a site from the cluster.
PAM-CM-1560 = An error has occurred while join the cluster.
PAM-CM-1561 = An error has occurred while leaving the cluster.
PAM-CM-1562 = An error has occurred while resyncing site.
PAM-CM-1563 = An error has occurred while resyncing node from primary.
PAM-CM-1564 = An error has occurred while locking the node.
PAM-CM-1565 = An error has occurred while unlocking the node.
PAM-CM-1566 = An error has occurred while turning off the cluster.
PAM-CM-1568 = Refreshed Replication Status.
PAM-CM-1569 = Cluster staging task updated. Cluster={0}, Patch={1}, Status={2}.
PAM-CM-1570 = Cluster is already registered.
PAM-CM-1571 = Cluster has not been registered.
PAM-CM-1572 = X Forwarded Host Check could not be Enabled
PAM-CM-1573 = Unable to Download CA Bundle or CRLs
PAM-CM-1574 = Saved clustering config locally
PAM-CM-1575 = Cluster turned on
PAM-CM-1576 = Cluster turned off
PAM-CM-1577 = Cluster Unlocked
PAM-CM-1578 = Site Resynced with Cluster
PAM-CM-1579 = Member Site Resynced with Primary

PAM-CM-1580 = Member Site Left Cluster
PAM-CM-1581 = Hostname and port number are required.
PAM-CM-1582 = {0} is not a valid parameter value for {1}.
PAM-CM-1583 = AMQ Broker ping test. This message expires in 5 minutes from {0,date,EEE MMM dd HH:mm:ss zzz yyyy}
PAM-CM-1584 = Error retrieving object by unique key: {0}
PAM-CM-1585 = X Forwarded Host Check could not be Disabled
PAM-CM-1588 = Removing patch "{0}". File was removed successfully.
PAM-CM-1589 = Updated CRL download interval to {0}
PAM-CM-1590 = Disabled CRL download schedule
PAM-CM-1591 = Config User Enabled
PAM-CM-1592 = Config User Disabled
PAM-CM-1593 = VMware Console Enabled
PAM-CM-1594 = VMware Console Disabled
PAM-CM-1595 = PKI Options updated: User Login:{0}, Login Page Without CAC: {1}, Policy Identifier: "{2}", Enable Login Button: {3}
PAM-CM-1596 = Login screen will not be shown,you can relogin by accessing directly the PAM URL in browser
PAM-CM-1657 = Invalid file type for custom logo
PAM-CM-1658 = GatekeeperCallback.invokeSpadmind Null command not allowed
PAM-CM-1659 = GatekeeperCallback.invokeSpadmind Blank command not allowed
PAM-CM-1660 = GatekeeperCallback.invokeSpadmind Null args not allowed
PAM-CM-1661 = GatekeeperCallback.invokeSpadmind Empty args not allowed
PAM-CM-1662 = GatekeeperCallback.invokeSpadmind Null arg not allowed
PAM-CM-1663 = GatekeeperCallback.invokeSpadmind Empty arg not allowed
PAM-CM-1664 = GatekeeperCallback.invokeSpadmind Error receiving response
PAM-CM-1665 = GatekeeperCallback.invokeSpadmind Error sending request
PAM-CM-1666 = Failed to get current server key
PAM-CM-1667 = Failed to connect to DB
PAM-CM-1668 = Invalid maximum length '{0}' specified.
PAM-CM-1669 = Maximum length is insufficient because shortest possible password is {0} characters
PAM-CM-1670 = Minimum length {0} cannot be less than maximum {1}.
PAM-CM-1671 = Failed to generate a password in {0} attempts.
PAM-CM-1672 = The specified Password Composition Policy is conflicting with passwords that are currently assigned to one or more accounts. If you assign the policy then the system will generate policy-compliant passwords when those accounts are updated. Please confirm that the target system allows passwords that conform to your specified policy.
PAM-CM-1673 = Machine Id is mandatory.
PAM-CM-1754 = An invalid port number was specified; the value must be in the range 0..65535.
PAM-CM-1755 = An invalid OID port number was specified; the value must be in the range 0..65535.
PAM-CM-1756 = Invalid value for SSL Enabled
PAM-CM-1757 = Change process not specified.
PAM-CM-1758 = Connection type was not specified.
PAM-CM-1759 = Incorrect value specified for sysdbaAccount attribute. Valid values are true or false.
PAM-CM-1760 = Incorrect value specified for replaceSyntax attribute. Valid values are true or false.
PAM-CM-1761 = Failed to synchronize/verify account. See logs for details.
PAM-CM-1762 = Account locked.
PAM-CM-1763 = Failed to connect to host.
PAM-CM-1764 = Invalid schema/SID specified.
PAM-CM-1765 = Failed to synchronize/verify account. Login failed.
PAM-CM-1766 = Failed to verify password with target: {0}
PAM-CM-1767 = Invalid e-mail body for Retrospective Approval Request.
PAM-CM-1768 = Invalid e-mail subject for Retrospective Approval Request.
PAM-CM-1769 = Failed to synchronize password with target: {0}
PAM-CM-1788 = The operation was successful.
PAM-CM-1806 = Logged out of Credential Manager. Please close this browser window.
PAM-CM-1937 = No Data to Display
PAM-CM-1938 = Are you sure you want to delete the selected items?

PAM-CM-1939 = Are you sure you want to delete the selected items?This will delete all associated applications and accounts too.
PAM-CM-1940 = Are you sure you want to delete the selected items?This will delete all associated accounts too.
PAM-CM-1941 = No Item Has Been Selected
PAM-CM-1944 = Settings have been restored
PAM-CM-1945 = Are you sure you want to approve the selected password view request?
PAM-CM-1946 = Are you sure you want to deny the selected password view request?
PAM-CM-1949 = Are you sure you want to immediately expire this password view request?
PAM-CM-1954 = A required field is missing a value
PAM-CM-1955 = A required field needs an integer value
PAM-CM-1956 = An invalid date was specified
PAM-CM-1975 = The user password was updated successfully.
PAM-CM-1992 = Minimum Of 6 Characters, Must Contain At Least One Alpha, Numeric And Special Character.
PAM-CM-1999 = Do not assign 'General User' view type to users that require access to other administrative functions as they will not be able to see them
PAM-CM-2003 = The User Has Been Saved Successfully
PAM-CM-2004 = The User Has Been Added Successfully
PAM-CM-2005 = The User Has Been Deleted Successfully
PAM-CM-2006 = The User Has Been Updated Successfully
PAM-CM-2007 = This user's view type is not set and will be determined by their role.
PAM-CM-2008 = Error determining the authentication configuration for authentication type {0}
PAM-CM-2009 = The User Status Updated Successfully
PAM-CM-2010 = The User Password Updated Successfully
PAM-CM-2020 = The User Group Has Been Added Successfully
PAM-CM-2021 = The User Group Has Been Deleted Successfully
PAM-CM-2022 = The User Group Has Been Updated Successfully
PAM-CM-2026 = The User Group Has Been Saved Successfully
PAM-CM-2027 = An Invalid Target Group Has Been Selected
PAM-CM-2028 = An Invalid Request Group Has Been Selected
PAM-CM-2067 = The selected requester server defaults have been deleted
PAM-CM-2068 = No request server defaults have been selected
PAM-CM-2070 = The Application Defaults Settings Have Been Updated Successfully
PAM-CM-2071 = The Settings Have Been Updated Successfully
PAM-CM-2072 = Error Loading General Settings
PAM-CM-2073 = Error Loading A2A Settings
PAM-CM-2074 = The specified value for the maximum number of report entries is invalid.
PAM-CM-2075 = The specified value for the password view request delete interval is invalid.
PAM-CM-2099 = The Email Settings Have Been Updated Successfully
PAM-CM-2104 = Updated SailPoint configuration
PAM-CM-2115 = The License Has Been Updated Successfully
PAM-CM-2143 = The Patch Has Been Updated Successfully
PAM-CM-2144 = No patches have been selected
PAM-CM-2145 = The selected patches have been deleted
PAM-CM-2200 = Are you sure you want to delete the selected scheduled job? If the job is of a checkin/checkout type the account will be checked in.
PAM-CM-2212 = The Scheduled Job Has Been Saved Successfully
PAM-CM-2213 = The Scheduled Job Has Been Added Successfully
PAM-CM-2214 = The Scheduled Job Has Been Deleted Successfully
PAM-CM-2215 = The Scheduled Job Has Been Updated Successfully
PAM-CM-2216 = Scheduled Job(s) Deleted Successfully
PAM-CM-2217 = No scheduled jobs have been selected
PAM-CM-2251 = New license cannot be installed when cluster synchronization is on
PAM-CM-2264 = The Password Composition Policy was Saved Successfully
PAM-CM-2265 = The Default Options were restored
PAM-CM-2266 = The Password Composition Policy was Added Successfully
PAM-CM-2267 = The Password Composition Policy was Deleted Successfully
PAM-CM-2268 = The Password Composition Policy was Updated Successfully

PAM-CM-2269 = Options OK. Sample password: {0}
PAM-CM-2276 = The SSH Key Pair Policy Has Been Saved Successfully
PAM-CM-2277 = The Default Options were restored
PAM-CM-2278 = The SSH Key Pair Policy was Added Successfully
PAM-CM-2279 = The SSH Key Pair Policy was Deleted Successfully
PAM-CM-2280 = The SSH Key Pair Policy was Updated Successfully
PAM-CM-2281 = Options OK. Sample SSH Key Pair Fingerprint: {0}
PAM-CM-2292 = No sites have been selected
PAM-CM-2293 = The Selected Sites Have Been Deleted
PAM-CM-2294 = The Site Was Saved Successfully
PAM-CM-2303 = Database cluster member updated.
PAM-CM-2304 = Are you sure you want to deactivate the selected cluster member?
PAM-CM-2337 = The Password View Policy Has Been Saved Successfully
PAM-CM-2338 = The Password View Policy Has Been Added Successfully
PAM-CM-2339 = The Password View Policy Has Been Deleted Successfully
PAM-CM-2340 = The Password View Policy Has Been Updated Successfully
PAM-CM-2341 = Required Remedy licensed files could not be found.
PAM-CM-2342 = Reason Required For View must be selected when using Service Desk Integration.
PAM-CM-2343 = Reason Required For Auto-Connect must be selected when using Service Desk Integration.
PAM-CM-2391 = Are you sure you want to deny the selected password view requests?
PAM-CM-2392 = Are you sure you want to approve the selected password view requests?
PAM-CM-2395 = The Password View Requests have been deleted successfully
PAM-CM-2396 = The Password View Requests have been approved.
PAM-CM-2397 = The Password View Requests have been denied.
PAM-CM-2398 = The Password View Request is approved.
PAM-CM-2399 = The Auto-Connect Request is approved.
PAM-CM-2409 = The Server Was Saved Successfully
PAM-CM-2413 = No servers have been selected
PAM-CM-2414 = The selected servers have been deleted
PAM-CM-2446 = Waiting for authentication notification from Identity Provider
PAM-CM-2463 = No accounts have been selected
PAM-CM-2464 = The selected accounts have been deleted
PAM-CM-2465 = Account has been verified
PAM-CM-2466 = Account has NOT been verified
PAM-CM-2467 = Account update has failed
PAM-CM-2468 = Account is checked out
PAM-CM-2469 = Account is checked in
PAM-CM-2533 = Failed uploading key file; please check the path and try again.
PAM-CM-2534 = File {0} was uploaded.
PAM-CM-2535 = The EC2 Instance User Name is formatted incorrectly or it contains the disallowed {0} character.
PAM-CM-2536 = The Key Pair Name may not contain the {0} character.
PAM-CM-2537 = A Key Pair Name is required.
PAM-CM-2538 = Do not use elevated privileges
PAM-CM-2539 = Use elevated privileges
PAM-CM-2540 = Use elevated privileges with authentication
PAM-CM-2541 = This account is a root account
PAM-CM-2542 = Updating passphrase will update the target account with newly generated key pair
PAM-CM-2579 = Unable to generate credential. No application is selected
PAM-CM-2580 = Unable to generate credential. No policy defined
PAM-CM-2581 = Unable to generate credential. {0}
PAM-CM-2622 = Failed to load data
PAM-CM-2624 = Request Created
PAM-CM-2678 = The Application Was Saved Successfully
PAM-CM-2679 = No applications have been selected
PAM-CM-2680 = The selected applications have been deleted
PAM-CM-2685 = Required Remedy licensed files could not be found.
PAM-CM-2708 = No aliases have been selected

PAM-CM-2709 = The selected aliases have been deleted
PAM-CM-2710 = A client is required.
PAM-CM-2711 = Client {0} is not a valid client.
PAM-CM-2712 = Script Hash update request sent.
PAM-CM-2713 = Script Hash update request failed to be sent.
PAM-CM-2746 = Fingerprint update request sent for client.
PAM-CM-2747 = All scripts hash update request sent for client.
PAM-CM-2748 = Failed to send all scripts hash update request for client.
PAM-CM-2749 = Key update request sent for client.
PAM-CM-2750 = The Client Has Been Saved Successfully
PAM-CM-2751 = The client connection status has been updated successfully.
PAM-CM-2752 = The fingerprint of this client has changed! Please select accept or deny in the Pending Fingerprint Action below.
PAM-CM-2753 = This client has not yet been authorized! Change the status to Active to authorize requests from this client.
PAM-CM-2769 = No clients have been selected
PAM-CM-2770 = The selected clients have been deleted
PAM-CM-2781 = The Script Has Been Saved Successfully
PAM-CM-2792 = No scripts have been selected
PAM-CM-2793 = The selected scripts have been deleted
PAM-CM-2802 = No proxies have been selected
PAM-CM-2803 = The selected proxies have been deleted
PAM-CM-2827 = Get Fingerprint
PAM-CM-2828 = The Proxy Has Been Saved Successfully
PAM-CM-2829 = Fingerprint update request sent to proxy.
PAM-CM-2830 = Key update request sent to proxy.
PAM-CM-2831 = The fingerprint of this proxy has changed! Please select accept or deny in the Pending Finger Action below.
PAM-CM-2832 = This proxy has not yet been authorized! Change the status to Active to authorize this proxy.
PAM-CM-2837 = No roles have been selected
PAM-CM-2838 = The selected roles have been deleted
PAM-CM-2843 = The Role Has Been Saved Successfully
PAM-CM-2844 = No roles have been selected
PAM-CM-2845 = The selected roles have been deleted
PAM-CM-2846 = No role has been selected
PAM-CM-2886 = The Authorization Mapping Has Been Saved Successfully
PAM-CM-2887 = No authorization mappings have been selected
PAM-CM-2888 = The selected mappings have been deleted
PAM-CM-2889 = A valid Script must be selected if the 'Individual' option is chosen
PAM-CM-2896 = No groups have been selected
PAM-CM-2897 = The selected groups have been deleted
PAM-CM-2904 = No Requestor Filters have been selected
PAM-CM-2905 = The Selected Requestor Filters have been deleted
PAM-CM-2906 = No Client Filters have been selected
PAM-CM-2907 = The Selected Client Filters have been deleted
PAM-CM-2909 = The list below indicates all object(s) which this Requestor Group has access to. The ability to manipulate any of these objects is dependent on the role assigned to the user's User Group.
PAM-CM-2917 = No Server Filters have been selected
PAM-CM-2918 = The Selected Server Filters have been deleted
PAM-CM-2919 = No Application Filters have been selected
PAM-CM-2920 = The Selected Application Filters have been deleted
PAM-CM-2921 = No Account Filters have been selected
PAM-CM-2922 = The Selected Account Filters have been deleted
PAM-CM-2984 = An invalid threshold value has been entered. Value must be a positive integer or -1 to signify no threshold.
PAM-CM-3091 = Group must have at least one filter
PAM-CM-3092 = Static Groups need to be enabled to access this functionality

PAM-CM-3098 = No filters have been defined
PAM-CM-3099 = One or more of the selected filters have not been defined
PAM-CM-3100 = A value must be entered for the filter
PAM-CM-3117 = Unknown class {0}
PAM-CM-3118 = Error resolving the following EL {0}. Access to view {1} restricted
PAM-CM-3119 = Error resolving or calling method {0} on NavigationBean as defined in view {1}
PAM-CM-3120 = Unable to load or find the common page settings
PAM-CM-3142 = The changes have been saved to your preferences. Please either log out or close the Password Management tab, then either log back in or navigate back to Manage Password, for the modified settings to take effect.
PAM-CM-3153 = File was successfully unpacked to the themes directory and backed up to the CSPM install directories.
PAM-CM-3154 = The selected theme has been applied, please close your browser and log back in for it to be applied
PAM-CM-3155 = The uploaded file is not of the correct format or structure.<br/>Files must be in a jar archive (.jar file) with a single root directory with the theme files in.<br/>The root directory name and the jar file name must be the same.<br/>The root directory may not be the 'xceedium' theme
PAM-CM-3157 = The selected accounts have been added
PAM-CM-3158 = No new accounts were found on the target server
PAM-CM-3165 = The Settings Have Been Updated Successfully
PAM-CM-3166 = Request sent to get logs for site server. Please wait...
PAM-CM-3167 = Request to get logs for site server not sent.
PAM-CM-3168 = Request sent to get logs for request server. Please wait...
PAM-CM-3169 = Request to get logs for request server not sent.
PAM-CM-3170 = Report will be displayed in a separate window
PAM-CM-3171 = An error occurred running the report
PAM-CM-3265 = An SSH port number must be specified.
PAM-CM-3266 = A connection timeout must be specified.
PAM-CM-3267 = A read timeout must be specified.
PAM-CM-3268 = Invalid change process specified
PAM-CM-3269 = An invalid connection timeout value was specified.
PAM-CM-3270 = An invalid read timeout value was specified.
PAM-CM-3271 = An invalid SSH port number was specified.
PAM-CM-3272 = Failed to verify account.
PAM-CM-3273 = Failed to update account.
PAM-CM-3274 = An unknown error occurred; please consult the server log or contact your Administrator.
PAM-CM-3275 = User not found.
PAM-CM-3276 = Failed to update password; the target device is currently in use by another user.
PAM-CM-3277 = Failed to connect to the target device; a timeout occured while waiting to connect.
PAM-CM-3278 = Failed to authenticate to the target device due to invalid credentials.
PAM-CM-3279 = A communications error occurred while receiving data from the target device.
PAM-CM-3280 = User has insufficient permissions.
PAM-CM-3281 = Invalid port specified.
PAM-CM-3282 = Realm not specified.
PAM-CM-3283 = Change process not specified.
PAM-CM-3284 = Failed to synchronize/verify account. See logs for details.
PAM-CM-3285 = Invalid account specified.
PAM-CM-3286 = Failed to connect to host.
PAM-CM-3287 = Invalid Realm specified.
PAM-CM-3288 = Failed to synchronize/verify account. Login failed.
PAM-CM-3289 = An unknown error occurred. Review the log file for further information or else contact your Administrator.
PAM-CM-3290 = Failed to load the default or revised update script file.
PAM-CM-3291 = Failed to load the default or revised verify script file.
PAM-CM-3292 = Failed to update account credentials. Review the log file for further information or else contact your Administrator.
PAM-CM-3293 = Failed to verify account credentials. Review the log file for further information or else contact your Administrator.

PAM-CM-3294 = Cannot verify account's credentials for non Privilege account type; the operation is not supported.
PAM-CM-3295 = Cannot update account's credentials for non Privilege account type; the operation is not supported.
PAM-CM-3296 = Cannot change password. Please enter a password with 1 to 15 characters.
PAM-CM-3297 = An invalid SSH port number was specified; the value must be in the range 0..65535.
PAM-CM-3298 = An invalid SSH communication timeout was specified; the value must be in the range 1000..99999.
PAM-CM-3299 = An invalid script processor read timeout was specified; the value must be in the range 1000..59999.
PAM-CM-3300 = The value assigned to the 'useUpdateScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
PAM-CM-3301 = The value assigned to the 'useVerifyScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
PAM-CM-3308 = An unknown error occurred. Review the log file for further information or else contact your Administrator.
PAM-CM-3309 = Failed to load the default or revised update script file.
PAM-CM-3310 = Failed to load the default or revised verify script file.
PAM-CM-3311 = Failed to update account credentials. Review the log file for further information or else contact your Administrator.
PAM-CM-3312 = Failed to verify account credentials. Review the log file for further information or else contact your Administrator.
PAM-CM-3313 = An invalid SSH port number was specified; the value must be in the range 0..65535.
PAM-CM-3318 = An unknown error occurred. Review the log file for further information or else contact your Administrator.
PAM-CM-3319 = Failed to load the default or revised update script file.
PAM-CM-3320 = Failed to load the default or revised verify script file.
PAM-CM-3321 = Failed to update the account credentials. Review the log file for further information or else contact your Administrator.
PAM-CM-3322 = Failed to verify the account credentials. Review the log file for further information or else contact your Administrator.
PAM-CM-3323 = Cannot use another account's credentials to verify this account's credentials; the operation is not supported.
PAM-CM-3324 = Failed to enter into privileged EXEC mode. Review the log file for further information or else contact your Administrator.
PAM-CM-3325 = Failed to commit running configuration; the password has changed in running configuration only. Review the log file for further information or else contact your Administrator.
PAM-CM-3326 = Failed to restore running configuration from start up configuration. Review the log file for further information or else contact your Administrator.
PAM-CM-3327 = An invalid Cisco variant was specified.
PAM-CM-3328 = Must specify a host key.
PAM-CM-3329 = An invalid SSH port number was specified; the value must be in the range 0..65535.
PAM-CM-3330 = The value assigned to the 'sshUseDefaultKeyExchangeAlgorithms' attribute must be 'true' or 'false'.
PAM-CM-3331 = Must NOT specify list of key exchange algorithms because default algorithms will be used instead.
PAM-CM-3332 = The value assigned to the 'sshUseDefaultCompressionAlgorithms' attribute must be 'true' or 'false'.
PAM-CM-3333 = Must NOT specify list of compression algorithms because default algorithms will be used instead.
PAM-CM-3334 = The value assigned to the 'sshUseDefaultServerHostKeyAlgorithms' attribute must be 'true' or 'false'.
PAM-CM-3335 = Must NOT specify list of server host key algorithms because default algorithms will be used instead.
PAM-CM-3336 = An invalid Telnet port number was specified; the value must be in the range 0..65535.
PAM-CM-3337 = An invalid SSH communication timeout was specified; the value must be in the range 1000..99999.
PAM-CM-3338 = An invalid script processor read timeout was specified; the value must be in the range 1000..59999.
PAM-CM-3339 = The value assigned to the 'sshStrictHostKeyCheckingEnabled' attribute must be 'true' or 'false'.
PAM-CM-3340 = The value assigned to the 'useUpdateScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
PAM-CM-3341 = The value assigned to the 'useVerifyScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
PAM-CM-3342 = The value assigned to the 'sshUseDefaultCiphers' attribute must be 'true' or 'false'.
PAM-CM-3343 = Must NOT specify list of ciphers because default ciphers will be used instead.
PAM-CM-3344 = An invalid Telnet communication timeout was specified; the value must be in the range 1000..99999.

PAM-CM-3345 = The value assigned to the 'sshUseDefaultHashes' attribute must be 'true' or 'false'.
PAM-CM-3346 = Must NOT specify list of hashes because default ciphers will be used instead.
PAM-CM-3347 = An invalid protocol was specified.
PAM-CM-3348 = Must specify a protocol.
PAM-CM-3349 = Must specify a password type.
PAM-CM-3350 = The value assigned to the 'pwType' attribute must be 'user' or 'privileged'.
PAM-CM-3351 = Must specify whether or not to change the AUX password.
PAM-CM-3352 = The value assigned to the 'changeAuxLoginPassword' must be 'true' or 'false'.
PAM-CM-3353 = Must specify whether or not the change the Console password.
PAM-CM-3354 = The value assigned to the 'changeConsoleLoginPassword' must be 'true' or 'false'.
PAM-CM-3355 = Must specify whether or not to change the VTY password.
PAM-CM-3356 = The value assigned to the 'changeVtyLoginPassword' must be 'true' or 'false'.
PAM-CM-3357 = Must specify the number of VTY ports.
PAM-CM-3358 = The value assigned to the 'numVTYPorts' attribute must be an integer in the range 1..15.
PAM-CM-3359 = An unknown error occurred. Review the log file for further information or else contact your Administrator.
PAM-CM-3360 = Change process not specified.
PAM-CM-3361 = Must specify an 'other account'.
PAM-CM-3362 = Must specify whether the account will be verified through another account.
PAM-CM-3363 = The value assigned to the 'verifyThroughOtherAccount' attribute must be 'true' or 'false'.
PAM-CM-3364 = A Credential Type must be specified.
PAM-CM-3365 = An unrecognized Credential Type was specified.
PAM-CM-3366 = A Secret Access Key is required.
PAM-CM-3367 = The Access Key ID must be composed with upper case letters, digits and must be 20 characters in length.
PAM-CM-3368 = The Secret Access Key must composed with alphanumeric, "+", "/" characters and must be 40 characters in length.
PAM-CM-3369 = The uploaded EC2 Private Key file does not contain a PEM-formatted certificate.
PAM-CM-3370 = An Access Key ID is required.
PAM-CM-3371 = An X.509 certificate file name is required.
PAM-CM-3372 = The X.509 certificate file name must match the pattern "pk-[A-Z0-9]{32}.pem". Example: "pk-4QUDAEWQENET2S22ABOOJ4BMUN6AUZY5.pem"
PAM-CM-3373 = A PEM-formatted certificate file containing the EC2 Private Key must be uploaded.
PAM-CM-3374 = An EC2 Instance User Name is required.
PAM-CM-3375 = The IAM User Name is formatted incorrectly.
PAM-CM-3376 = A Key Pair Name may be specified only when the Credential Type is EC2 Private Key.
PAM-CM-3377 = A Key Pair Name is required.
PAM-CM-3378 = The EC2 Instance User Name is formatted incorrectly or it contains the disallowed "@" character.
PAM-CM-3379 = The Key Pair Name may not contain the "@" character.
PAM-CM-3380 = An User Friendly Account Name is required.
PAM-CM-3381 = Duplicated User Friendly Account Name.
PAM-CM-3382 = Maximum length of AWS access role name exceeded.
PAM-CM-3383 = AWS access role name only allows alphanumeric and '+=,.@-' characters
PAM-CM-3384 = The AWS Cloud Type must be specified.
PAM-CM-3385 = The maximum length of AWS Cloud Type exceeded.
PAM-CM-3386 = The valid AWS Cloud Type is government or commercial
PAM-CM-3387 = Failed update AWS Access credentials. Please contact your Administrator.
PAM-CM-3388 = Failed verify AWS Access credentials. Please contact your Administrator.
PAM-CM-3389 = An unknown error occurred. Review the log file for further information or else contact your Administrator.
PAM-CM-3390 = Attempted to create resources beyond the current AWS account limits. Please contact your system administrator.
PAM-CM-3391 = AWS Key Pair can be changed only by random generation.
PAM-CM-3392 = An unknown error occurred. Review the log file for further information or else contact your Administrator.
PAM-CM-3397 = Change process not specified.
PAM-CM-3398 = An 'other account' must be specified.

PAM-CM-3399 = Unable to verify the password due to an error.
PAM-CM-3400 = Unable to verify the password because the account is locked.
PAM-CM-3401 = Unable to verify the password; failed to connect to the target server.
PAM-CM-3402 = Verification failed because the password was not accepted.
PAM-CM-3403 = Unable to update the password due to an error.
PAM-CM-3404 = An unknown error occurred. Review the log file for further information or else contact your Administrator.
PAM-CM-3405 = Failed to load the default or revised update script file.
PAM-CM-3406 = Failed to load the default or revised verify script file.
PAM-CM-3407 = Failed to enter privilege mode. Review the log file for further information or else contact your Administrator.
PAM-CM-3408 = Failed to update account credentials. Review the log file for further information or else contact your Administrator.
PAM-CM-3409 = Failed to enter configuration mode. Please try again. If problem persist contact your Administrator.
PAM-CM-3410 = Failed to verify account credentials. Review the log file for further information or else contact your Administrator.
PAM-CM-3411 = An invalid SSH port number was specified; the value must be in the range 0..65535.
PAM-CM-3419 = Invalid port number.
PAM-CM-3420 = Change process not specified.
PAM-CM-3421 = Invalid value for SSL Enabled
PAM-CM-3422 = Failed to synchronize/verify account. See logs for details.
PAM-CM-3423 = Failed to connect to database. Connection refused.
PAM-CM-3424 = Failed to connect to database. Unknown host.
PAM-CM-3425 = Communication failure. The target server must be SQL Server 2000 or later.
PAM-CM-3426 = Invalid character in password. Single quotation mark (') is not a valid password character.
PAM-CM-3427 = Failed to connect to database. Login failed
PAM-CM-3428 = Failed to synchronize/verify account. See logs for details.
PAM-CM-3429 = Failed to connect to host.
PAM-CM-3430 = Domain name must be specified
PAM-CM-3431 = Distinguished Name (DN) must be specified
PAM-CM-3432 = Cannot connect to a domain controller on the specified domain
PAM-CM-3433 = Certificate cannot be retrieved from the domain controller
PAM-CM-3434 = Error storing certificate in certificate store
PAM-CM-3435 = Proxy host name is invalid:
PAM-CM-3436 = Error updating service credentials. See log for more information
PAM-CM-3437 = Services could not be restarted
PAM-CM-3438 = Error updating password in Active Directory. Service credentials for this account (if any) were not updated.
PAM-CM-3439 = Error verifying services
PAM-CM-3440 = Cannot retrieve DNS host name(s)
PAM-CM-3441 = Unknown option specified for "useDNS" attribute
PAM-CM-3442 = DNS server name not specified
PAM-CM-3443 = Distinguished Name (DN) must be specified
PAM-CM-3444 = Failed to update the services.
PAM-CM-3445 = Invalid boolean value for Disable Auto-Connect Target Account.
PAM-CM-3446 = Domain controller's root distinguished name could not be found.
PAM-CM-3447 = One or more groups could not be found on domain controller.
PAM-CM-3448 = An error occurred when discovering accounts on the domain controller.
PAM-CM-3449 = Group names not specified.
PAM-CM-3450 = Login account not specified.
PAM-CM-3451 = Error updating task credentials. See log for more information
PAM-CM-3454 = Change process not specified.
PAM-CM-3455 = No Password Authority Windows Proxy specified.
PAM-CM-3456 = Account type must be 'domain' or 'local'.
PAM-CM-3457 = Unknown option specified for "useDNS" attribute
PAM-CM-3458 = Host name and service name must have 1 to 100 characters and must not contain special characters.

PAM-CM-3459 = Force password change attribute is incorrect.
PAM-CM-3460 = Administrator account not specified.
PAM-CM-3461 = Cannot retrieve DNS host name(s)
PAM-CM-3462 = DNS server name not specified
PAM-CM-3463 = Unknown option specified for "useDNS" attribute
PAM-CM-3464 = Could not contact domain controller
PAM-CM-3465 = Invalid boolean value for Disable Auto-Connect Target Account.
PAM-CM-3466 = Error updating task credentials.
PAM-CM-3467 = Error updating service credentials.
PAM-CM-3468 = Error updating account credentials.
PAM-CM-3469 = Services could not be restarted.
PAM-CM-3470 = Server(s) not specified.
PAM-CM-3473 = Cannot use another account's credentials to verify this account's credentials; the operation is not supported.
PAM-CM-3474 = The master account password is expired; unable to authenticate to remote host. Update the master account password and try again or else contact your Administrator.
PAM-CM-3475 = An unknown error occurred. Review the log file for further information or else contact your Administrator.
PAM-CM-3476 = Failed to load the default or revised update script file.
PAM-CM-3477 = Failed to load the default or revised verify script file.
PAM-CM-3478 = Failed to update the account credentials. The password may not meet the minimum requirements for the Linux system. Review the log file for further information or else contact your Administrator.
PAM-CM-3479 = Failed to verify the account credentials. Review the log file for further information or else contact your Administrator.
PAM-CM-3480 = The private key is missing from the request.
PAM-CM-3481 = An invalid private key was specified.
PAM-CM-3482 = The public key is missing from the request.
PAM-CM-3483 = An invalid public key was specified.
PAM-CM-3484 = An invalid SSH Key Policy ID was specified.
PAM-CM-3485 = An invalid UNIX variant was specified.
PAM-CM-3486 = Must specify a host key.
PAM-CM-3487 = An invalid SSH port number was specified; the value must be in the range 0..65535.
PAM-CM-3488 = Change process not specified.
PAM-CM-3489 = The value assigned to the 'sshUseDefaultKeyExchangeAlgorithms' attribute must be 'true' or 'false'.
PAM-CM-3490 = Must NOT specify list of key exchange algorithms because default algorithms will be used instead.
PAM-CM-3491 = The value assigned to the 'sshUseDefaultCompressionAlgorithms' attribute must be 'true' or 'false'.
PAM-CM-3492 = Must NOT specify list of compression algorithms because default algorithms will be used instead.
PAM-CM-3493 = The value assigned to the 'sshUseDefaultServerHostKeyAlgorithms' attribute must be 'true' or 'false'.
PAM-CM-3494 = Must NOT specify list of server host key algorithms because default algorithms will be used instead.
PAM-CM-3495 = An invalid protocol was specified.
PAM-CM-3496 = An invalid Telnet port number was specified; the value must be in the range 0..65535.
PAM-CM-3497 = An invalid SSH communication timeout was specified; the value must be in the range 1000..99999.
PAM-CM-3498 = An invalid script processor read timeout was specified; the value must be in the range 1000..59999.
PAM-CM-3499 = The value assigned to the 'sshStrictHostKeyCheckingEnabled' attribute must be 'true' or 'false'.
PAM-CM-3500 = An invalid UID/GID number was specified; the value must be in the range 0..4294967295.
PAM-CM-3501 = Must specify whether the account will be verified through another account.
PAM-CM-3502 = The value assigned to the 'verifyThroughOtherAccount' attribute must be 'true' or 'false'.
PAM-CM-3503 = The value assigned to the 'useUpdateScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
PAM-CM-3504 = The value assigned to the 'useVerifyScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
PAM-CM-3505 = Must specify an 'other account'.
PAM-CM-3506 = Must specify a protocol.
PAM-CM-3507 = The value assigned to the 'sshUseDefaultCiphers' attribute must be 'true' or 'false'.
PAM-CM-3508 = Must NOT specify list of ciphers because default ciphers will be used instead.
PAM-CM-3509 = The value assigned to the 'enableChannelDebugging' attribute must be 'true' or 'false'.

PAM-CM-3510 = An invalid Telnet communication timeout was specified; the value must be in the range 1000..99999.
PAM-CM-3511 = The value assigned to the 'sshUseDefaultHashes' attribute must be 'true' or 'false'.
PAM-CM-3512 = Must NOT specify list of hashes because default ciphers will be used instead.
PAM-CM-3513 = Invalid or missing port number.
PAM-CM-3514 = Change process not specified.
PAM-CM-3515 = Invalid value specified for the disableAutoConnectTargetAccount parameter.
PAM-CM-3516 = Cannot connect to ESX/ESXi host.
PAM-CM-3517 = Invalid login, username or password is incorrect.
PAM-CM-3518 = No permission to update credentials.
PAM-CM-3519 = User not found.
PAM-CM-3520 = Remote system error.
PAM-CM-3521 = Invalid request.
PAM-CM-3522 = User not authenticated.
PAM-CM-3523 = Remote security error.
PAM-CM-3524 = Invalid port specified.
PAM-CM-3525 = Change process not specified.
PAM-CM-3526 = Database name not specified.
PAM-CM-3527 = Invalid host_name qualifier.
PAM-CM-3528 = Failed to synchronize/verify account. See logs for details.
PAM-CM-3529 = Account locked.
PAM-CM-3530 = Failed to connect to host.
PAM-CM-3531 = Failed to synchronize/verify account. Login failed.
PAM-CM-3532 = Failed to update account. Access violation for account. Check target server or host_name qualifier.
PAM-CM-3547 = An unknown error occurred. Review the log file for further information or else contact your Administrator.
PAM-CM-3550 = Must specify a protocol.
PAM-CM-3551 = An invalid protocol was specified.
PAM-CM-3552 = An invalid port number was specified; the value must be in the range 0..65535.
PAM-CM-3553 = You must specify an SSL certificate.
PAM-CM-3554 = An unknown error occurred. Review the log file for further information or else contact your Administrator.
PAM-CM-3555 = Failed update AWS account credentials. Please contact your Administrator.
PAM-CM-3556 = Failed verify AWS account credentials. Please contact your Administrator.
PAM-CM-3557 = Password did not meet the requirements imposed by the account password policy. Please contact your Administrator.
PAM-CM-3558 = Account is temporarily unmodifiable. Please try again after waiting several minutes or contact your Administrator.
PAM-CM-3559 = Current account does not exist. Please contact your Administrator.
PAM-CM-3560 = Trying to create resources beyond the current AWS account limits. Please contact your Administrator.
PAM-CM-3561 = AWS Access Account must be specified.
PAM-CM-3662 = Invalid port specified.
PAM-CM-3663 = Change process not specified.
PAM-CM-3664 = Invalid value for SSL Enabled
PAM-CM-3665 = Failed to synchronize/verify account. See logs for details.
PAM-CM-3666 = Failed to connect to database.
PAM-CM-3667 = Failed to synchronize/verify account. Login failed.
PAM-CM-3668 = Invalid or missing port number.
PAM-CM-3669 = Invalid or missing port number.
PAM-CM-3670 = Password was not changed
PAM-CM-3671 = Max length exceeded for field sampleProperty
PAM-CM-3672 = Field useOtherAccount is mandatory
PAM-CM-3673 = SampleProperty is mandatory
PAM-CM-3674 = Max length exceeded for field sampleProperty
PAM-CM-3675 = Custom error message
PAM-CM-3676 = Internal target connector error.

PAM-CM-3677 = Failed to synchronize password with target.
PAM-CM-3678 = Failed to verify password with target.
PAM-CM-3679 = The target server application is not responding.
PAM-CM-3680 = Insufficient permission to change password on target application.
PAM-CM-3681 = Authorization failed.
PAM-CM-3682 = Unable to establish connection with target application.
PAM-CM-3683 = Remote host closed connection during handshake. Possible invalid SSL certificate or port.
PAM-CM-3684 = Unable to establish connection with target application.
PAM-CM-3685 = Failed to encode user password.
PAM-CM-3686 = Password policy exception.
PAM-CM-3687 = Invalid credentials.
PAM-CM-3688 = Invalid user.
PAM-CM-3689 = Password expired.
PAM-CM-3690 = Account disabled.
PAM-CM-3691 = Account expired.
PAM-CM-3692 = User must reset password.
PAM-CM-3705 = Invalid port specified in target application for update script.
PAM-CM-3706 = Invalid login account specified in target application.
PAM-CM-3707 = Expect script for updating not specified in target application.
PAM-CM-3708 = Invalid timeout value specified for update script in target application.
PAM-CM-3709 = Invalid port specified in target application for verify script.
PAM-CM-3710 = Expect script for verification not specified in target application.
PAM-CM-3711 = Invalid timeout value specified for verify script in target application.
PAM-CM-3712 = Failed to connect to host.
PAM-CM-3713 = Failed to synchronize.
PAM-CM-3714 = Unexpected error.
PAM-CM-3715 = Invalid port specified.
PAM-CM-3716 = Database name not specified.
PAM-CM-3717 = Change process not specified.
PAM-CM-3718 = Failed to synchronize/verify account. See logs for details.
PAM-CM-3719 = Failed to connect to host.
PAM-CM-3720 = Failed to synchronize/verify account. Login failed.
PAM-CM-3721 = Domain name must be specified
PAM-CM-3722 = Cannot retrieve Distinguished Name (DN)
PAM-CM-3723 = Distinguished Name (DN) must be specified
PAM-CM-3724 = Cannot retrieve list of DNS servers
PAM-CM-3725 = Could not find any host name
PAM-CM-3726 = Cannot connect to a domain controller on specified domain
PAM-CM-3727 = Value for 'getDNS' attribute must be specified
PAM-CM-3728 = Unknown option specified for protocol
PAM-CM-3729 = SSL certificate must be specified
PAM-CM-3730 = Value for 'useDN' attribute must be specified
PAM-CM-3731 = Invalid value for 'appendDC' attribute
PAM-CM-3732 = System Number not specified
PAM-CM-3733 = Invalid numeric value for System Number
PAM-CM-3734 = Client not specified
PAM-CM-3735 = Invalid numeric value for Client
PAM-CM-3736 = Additional Parameters must be a list of name=value pairs separated by semicolon
PAM-CM-3737 = Internal target connector error
PAM-CM-3738 = Failed to synchronize password with target
PAM-CM-3739 = Failed to verify password with target
PAM-CM-3740 = Failed to load native library
PAM-CM-3741 = Failed to connect to target system. Communication error
PAM-CM-3742 = BAPI User Change Function not found
PAM-CM-3743 = BAPI User Change Password Function not found
PAM-CM-3744 = Login Failure. See logs for details
PAM-CM-3745 = AWS Master Account Name is an email address.

PAM-CM-3746 = Domain not specified
PAM-CM-3747 = Invalid port number
PAM-CM-3748 = Login account not found. Check login info specified in nisConnector.properties.
PAM-CM-3749 = Failed to connect to host
PAM-CM-3750 = Failed to initialize change password process
PAM-CM-3751 = Password update failed
PAM-CM-3752 = Password verify failed
PAM-CM-3753 = Failed to load nisConnector.properties file
PAM-CM-3754 = Invalid Verify Timeout specified in nisConnector.properties file
PAM-CM-3755 = Invalid Update Timeout specified in nisConnector.properties file
PAM-CM-3756 = Change process not specified.
PAM-CM-3757 = Failed to verify account in CSPM.
PAM-CM-3758 = Failed to update account in CSPM.
PAM-CM-3759 = Account password does not adhere to password policy
PAM-CM-3760 = User not found
PAM-CM-3761 = User uses external authentication. Password can not be updated.
PAM-CM-3762 = Failed to connect to CSPM Server
PAM-CM-3763 = Telnet host name not specified.
PAM-CM-3764 = Invalid port.
PAM-CM-3765 = Invalid login account specified in target application.
PAM-CM-3766 = Java not specified.
PAM-CM-3767 = Failed to connect to host.
PAM-CM-3768 = Failed to synchronize.
PAM-CM-3769 = Unexpected error.
PAM-CM-3770 = Script evaluation error. See logs for details
PAM-CM-3773 = Failed to get server key {0}
PAM-CM-3774 = Invalid number '{0}' for maximum length.
PAM-CM-3775 = UpdatePolicyCmd.invoke unable to update policy, policy with id does not exist, id:{0}
PAM-CM-3776 = No services found
PAM-CM-3777 = {0} new service(s) added of {1} discovered
PAM-CM-3778 = No tasks found
PAM-CM-3779 = {0} new tasks added of {1} discovered
PAM-CM-3780 = Service at line {0} requires a proxy host
PAM-CM-3781 = Service at line {0} requires a service host
PAM-CM-3782 = Service at line {0} requires a service name
PAM-CM-3783 = Task at line {0} requires a proxy host
PAM-CM-3784 = Task at line {0} requires a task host
PAM-CM-3785 = Task at line {0} requires a task name
PAM-CM-3786 = Unknown Element Definition Type {0}
PAM-CM-3787 = Attribute at line {0} requires an attribute name
PAM-CM-3788 = Attribute at line {0} requires an attribute value
PAM-CM-3790 = No Data For Chart Found
PAM-CM-3791 = No Data Found
PAM-CM-3792 = Schema not specified.
PAM-CM-3793 = Change process not specified.
PAM-CM-3794 = Invalid Crystal Reports Server host name specified.
PAM-CM-3795 = Invalid Crystal Reports Server port specified.
PAM-CM-3796 = Invalid Crystal Reports Server application name specified.
PAM-CM-3797 = Invalid Crystal Reports Server account name specified.
PAM-CM-3798 = Invalid Crystal Reports database list specified.
PAM-CM-3799 = Failed to synchronize/verify account. See logs for details.
PAM-CM-3800 = Account locked.
PAM-CM-3801 = Failed to connect to host.
PAM-CM-3802 = Invalid schema/SID specified.
PAM-CM-3803 = Failed to synchronize/verify account. Login failed.
PAM-CM-3804 = Failed to synchronize Crystal Reports credentials. See logs for details.
PAM-CM-3805 = Invalid port specified.

PAM-CM-3806 = Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.
PAM-CM-3807 = Logon failure: unknown user name or bad password.
PAM-CM-3808 = Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.
PAM-CM-3809 = The specified network account name or password is not correct.
PAM-CM-3810 = The CSPM Windows Agent is not active.
PAM-CM-3811 = The CSPM Windows Agent is not responding.
PAM-CM-3812 = Failed to update the services.
PAM-CM-3813 = Agent reports invalid operation.
PAM-CM-3814 = Agent has never registered.
PAM-CM-3815 = The specified service does not exist as an installed service.
PAM-CM-3816 = Agent error - Invalid handle.
PAM-CM-3817 = Agent error - The specified database does not exist.
PAM-CM-3818 = Agent error - The data area passed to a system call is too small.
PAM-CM-3819 = The RPC server is unavailable.
PAM-CM-3820 = Password verification failed. Failed to connect to user account.
PAM-CM-3821 = Password verification failed. Failed to set security.
PAM-CM-3822 = No such login session.
PAM-CM-3823 = Bad net path.
PAM-CM-3824 = Service rollback failed.
PAM-CM-3825 = Service rollback successful.
PAM-CM-3826 = Host name and service name must have 1 to 100 characters and must not contain special characters.
PAM-CM-3827 = Force password change attribute is incorrect.
PAM-CM-3828 = Administrator account not specified.
PAM-CM-3829 = Internal target connector error.
PAM-CM-3830 = Change process not specified.
PAM-CM-3831 = No agent specified.
PAM-CM-3832 = Invalid domain specified.
PAM-CM-3833 = Failed to connect to agent.
PAM-CM-3834 = The computer name is invalid.
PAM-CM-3835 = The operation is allowed only on the primary domain controller of the domain.
PAM-CM-3836 = The user name could not be found.
PAM-CM-3837 = Password error. (The password could be too short, be too long, be too recent in its change history, not have enough unique characters, or not meet another password policy requirement.)
PAM-CM-3838 = Validation failed. The password is invalid.
PAM-CM-3839 = Could not find the domain controller for the domain.
PAM-CM-3840 = Invalid port number.
PAM-CM-3841 = Change process not specified.
PAM-CM-3842 = Invalid Crystal Reports Server host name specified.
PAM-CM-3843 = Invalid Crystal Reports Server port specified.
PAM-CM-3844 = Invalid Crystal Reports Server application name specified.
PAM-CM-3845 = Invalid Crystal Reports Server account name specified.
PAM-CM-3846 = Invalid Crystal Reports database list specified.
PAM-CM-3847 = Invalid database port specified.
PAM-CM-3848 = Invalid database specified.
PAM-CM-3849 = Invalid port specified.
PAM-CM-3850 = Invalid value for 'isRootAccount'.
PAM-CM-3851 = Failed to synchronize/verify account. See logs for details.
PAM-CM-3852 = Failed to connect to database. Connection refused.
PAM-CM-3853 = Failed to connect to database. Unknown host.
PAM-CM-3854 = Failed to synchronize Crystal Reports credentials. See logs for details.
PAM-CM-3855 = Invalid port number.
PAM-CM-3856 = Change process not specified.
PAM-CM-3857 = Invalid Crystal Reports Server host name specified.
PAM-CM-3858 = Invalid Crystal Reports Server port specified.

PAM-CM-3859 = Invalid Crystal Reports Server application name specified.
PAM-CM-3860 = Invalid Crystal Reports Server account name specified.
PAM-CM-3861 = Invalid Crystal Reports database list specified.
PAM-CM-3862 = Failed to synchronize/verify account. See logs for details.
PAM-CM-3863 = Failed to connect to database. Connection refused.
PAM-CM-3864 = Failed to connect to database. Unknown host.
PAM-CM-3865 = Communication failure. The target server must be SQL Server 2000 or later.
PAM-CM-3866 = Invalid character in password. Single quotation mark (') is not a valid password character.
PAM-CM-3867 = Failed to synchronize Crystal Reports credentials. See logs for details.
PAM-CM-3868 = Number of accounts that were successfully managed: {0}
PAM-CM-3869 = Number of accounts that were NOT successfully managed: {0}
PAM-CM-3870 = Please turn off the cluster and try again.
PAM-CM-3871 = Please unlock this cluster node and try again.
PAM-CM-3876 = Device in use by RADIUS and TACACS+ Configuration.
PAM-CM-3877 = Target application in use by RADIUS and TACACS+ Configuration.
PAM-CM-3878 = Target account in use by RADIUS and TACACS+ Configuration.
PAM-CM-3879 = Target account in use by Azure Configuration.
PAM-CM-3880 = The requested operation is not allowed on the 'ca.portal.azure.com' Target Server.
PAM-CM-3881 = Invalid archive storage parameter. Value: {0}
PAM-CM-3882 = Time Servers cannot be updated while the cluster is on.
PAM-CM-3883 = Date/Time cannot be updated while the cluster is on.

Locale Messages
PAM-CM-3950 = The locale cannot be updated while the cluster is on.
PAM-CM-3951 = Locale successfully saved. For this change to take effect, please restart the appliance.
PAM-CM-3976 = Updated route: Destination: {0} Netmask: {1} Gateway: {2} Device: {3} Metric: {4}
PAM-CM-3977 = Updated route: Destination: {0} Gateway: {1} Device: {2}
PAM-CM-4000 = Cancel failed, different user id than the one who submitted.
PAM-CM-4001 = Account {0} updated.
PAM-CM-4002 = Number of accounts that were successfully updated: {0}
PAM-CM-4003 = Number of accounts that were NOT successfully updated: {0}
PAM-CM-4004 = Applets signed successfully.
PAM-CM-4005 = An error occurred while signing the Jars. Please contact support with the system logs.
PAM-CM-4006 = Node Secret cleared successfully.
PAM-CM-4007 = Cannot turn cluster off! PAM is currently configured for FIPS 140-2 CMVP and the password is NOT cached!
PAM-CM-4008 = Cannot turn cluster on! PAM is currently configured for FIPS 140-2 CMVP and the password is NOT cached!
PAM-CM-4009 = Cannot turn cluster on! Please configure PAM for FIPS 140-2 CMVP or an HSM!
PAM-CM-4010 = Disabled because PAM is running in FIPS mode.
PAM-CM-4011 = Cannot update view {0}; you are not the owner.
PAM-CM-4012 = Cannot delete view {0}; you are not the owner.
PAM-CM-4013 = Wrong file type, please select again.
PAM-CM-4014 = Patch with name: {0} already exists
PAM-CM-4015 = Time server {0} specifies host name, no DNS servers are specified, so time server will not be resolved.
PAM-CM-4016 = Time server {0} specifies host name, DNS servers cannot be empty.
PAM-CM-4017 = Slave site cannot process client requests for clients less than version 3.5.
PAM-CM-4018 = Failed to connect to master site at {0).
PAM-CM-4019 = Clone of an object failed. Command:{0} Object:{1}
PAM-CM-4025 = {0} Mount Settings saved successfully. Bucket : {1} .
PAM-CM-4026 = There are no cluster member IPs that match a local interface IP, clustering on this member can not start with this configuration.
PAM-CM-4030 = Could not compact the database: {0}
PAM-CM-4031 = Please switch to the maintenance mode and try again.
PAM-CM-4032 = Database dumped successfully to {0}
PAM-CM-4033 = RADIUS and TACACS+ Configuration requires application of type RADIUS/TACACS+ Secret.
PAM-CM-4034 = TLS v1.0/v1.1 connection enabled.

PAM-CM-4035 = TLS v1.0/v1.1 connection disabled.
PAM-CM-4036 = {0}: TACACS+ Configuration could not be updated with account ID={1}. Check configuration for inconsistencies.
PAM-CM-4037 = {0}: RADIUS Configuration could not be updated with account ID={1}. Check configuration for inconsistencies.
PAM-CM-4038 = FIPS mode has not been activated.
PAM-CM-4039 = Activating or deactivating FIPS mode cannot be done while the cluster is on.
PAM-CM-4040 = Time synchronization failed after 2 attempts! Please try again in a few seconds.
PAM-CM-4041 = KDC server configuration with address {0} already exists.
PAM-CM-4042 = Cannot change application. Account in use by another Windows Remote account.
PAM-CM-4043 = Cannot change account type. Account in use by another Windows Remote account.
PAM-CM-4044 = Cannot change application. Account in use for discovery by an Active Directory account.
PAM-CM-4045 = Cannot change account type. Account in use for discovery by an Active Directory account.
PAM-CM-4046 = Windows Remote Credential account must be a Windows Remote Administrator.
PAM-CM-4047 = Windows Remote process failed because of I/O issues.
PAM-CM-4048 = Windows Remote process was interrupted.
PAM-CM-4049 = Windows Remote process returns {0}, with Administrator account {1} on target server {2}.
PAM-CM-4050 = Windows Remote logon failed because of bad username or password, with Administrator account {0} on target server {1}.
PAM-CM-4051 = Windows Remote access was denied with Administrator account {0} on target server {1}. It may be caused by Windows UAC settings.
PAM-CM-4052 = Windows Remote connector cannot connect to target server {0}. Please make sure the target server is up and can be reached from CAPAM.
PAM-CM-4053 = Windows Remote connector does not have Administrator account to authenticate with target server {0}.
PAM-CM-4054 = Windows Remote cannot clean up on target server {0}.
PAM-CM-4055 = Windows Remote Application ''{0}'' has no Administrator ID specified.
PAM-CM-4056 = Change Process account must be a Windows Remote Administrator on the same application.
PAM-CM-4057 = Invalid json found in the request. The request can not be parsed.
PAM-CM-4058 = Invalid characters found in name of file to be uploaded. File name can only have alphanumeric characters plus dash, underscore and period. Please change the file name.
PAM-CM-4059 = Time server {0} cannot be resolved to IP address.
PAM-CM-4062 = Cannot update Global Configuration setting from Secondary Site.
PAM-CM-4063 = Certificate retrieved, but error adding to the trust store.
PAM-CM-4064 = Error retrieving certificate. Server may not support SSL.
PAM-CM-4065 = Agent ID is mandatory. Provide the ID.
PAM-CM-4066 = Invalid active status. Valid value is true or false.
PAM-CM-4067 = Invalid preserve hostname. Valid value is true or false.
PAM-CM-4068 = Invalid accept pending finger print. Valid value is true or false.
PAM-CM-4069 = Agent ID is invalid. Agent ID must be numeric value.
PAM-CM-4070 = Invalid patch status. Valid value is disabled or enabled.
PAM-CM-4071 = Invalid port. Port must be numeric value.
PAM-CM-4072 = Invalid update port flag. Valid value is true or false.
PAM-CM-4073 = Concurrent Remote Connections have been enabled.
PAM-CM-4074 = Concurrent Remote Connections have been disabled.
PAM-CM-4075 = Error processing request. Please contact Administrator.
PAM-CM-4076 = File is empty.
PAM-CM-4077 = CRL file {0} expired on {1}.
PAM-CM-4078 = Azure connection in use by Clustering configuration.
PAM-CM-4079 = Resuming cluster.
PAM-CM-4080 = Failed to bootstrap the cluster! Some members of the primary site have either lost their network connection or failed to initialize their database. You are being redirected to the cluster configuration page to resolve the problem.
PAM-CM-4081 = Cluster email notifications enabled.
PAM-CM-4082 = Cluster email notifications disabled.
PAM-CM-4090 = Cannot PUT or POST without data.

PAM-CM-4091 = Bad Http Response code {0} from {1}
PAM-CM-4092 = Invalid JSON in REST call.
PAM-CM-4093 = Failed to verify password for account {0}, belonging to target application {1}. Message was:
PAM-CM-4094 = Failed to update password for account {0}, belonging to target application {1}. Message was:
PAM-CM-4095 = Cannot communicate with connector framework. Please contact Administrator
PAM-CM-4096 = Exception in CustomConnectorUtil.generateRestCall URL {0}. Message was: {1}
PAM-CM-4097 = Unable to find target application type {0}
PAM-CM-4099 = User group {0} not found.
PAM-CM-4100 = User id {0} not found or invalid.
PAM-CM-4101 = User id {0} is actually the id of a user group.
PAM-CM-4102 = Device id {0} is not found or invalid.
PAM-CM-4103 = Device id {0} is actually the id of a device group.
PAM-CM-4104 = Error changing logo.
PAM-CM-4105 = Device address {0} is not found or invalid.
PAM-CM-4106 = Password View Policy Exclusive Checkout and CheckIn/CheckOut can not be both true.
PAM-CM-4107 = Password View Policy Exclusive Checkout and Change Password On View/ReAuthenticate On View/Reason required on View can not be both true.
PAM-CM-4108 = Invalid value for Exclusive Checkout required was specified. Valid values are "true" or "false".
PAM-CM-4109 = Invalid value for Retrospective Approval was specified. Valid values are "true" or "false".
PAM-CM-4110 = Password View Policy Dual Authorization and Retrospective Approval can not be both true.
PAM-CM-4111 = Error encoding filter.
PAM-CM-4150 = Some Accounts were not processed by the Target Account Expired Password Processor because their referenced Application information was not found. Number of affected accounts: {0}. Please consult with Technical Support to resolve this issue.
PAM-CM-5000 = No LDAP domain found on PAM for {0}.
PAM-CM-5001 = Authentication type {0} not supported on this appliance.
PAM-CM-5002 = Field authenticationType is required.
PAM-CM-5003 = Field groupDN is required.
PAM-CM-5004 = Field domainDN is required.
PAM-CM-5095 = Error parsing filter.
PAM-CM-5096 = AND and OR in the same filter is not supported in CA-Pam.
PAM-CM-5097 = Complex filters are not supported in CA-Pam.
PAM-CM-5098 = Not implemented.

PAM-CMN: Common Messages

Messages display a category in the second group of letters in the message. For example, PAM-CMN refers to Common errors. Common Messages is the largest category, so it is divided into smaller categories.

PAM-CMN Categories

• General Error Messages
• Network Service Messages
• User Management Messages
• Smart Button Group Messages
• User Group Management Messages
• Device Management Messages
• Role and Privilege Messages
• Device Group Management Messages
• Global Settings and Device Task Messages
• LDAP Messages
• CSV Import/Export Related Messages
• Office365 Integration Messages, SAML IdP and SP Messages
• Policy Management Messages
• Management Console Messages
• Managed Server Service Messages
• Command and Socket Filter Messages
• Logging and Reporting Messages

• Policy Conflict Messages
• Authentication-Related Messages
• Access Service Messages
• Credential Management Messages
• View and Search Messages
• Cluster Management Messages
• Multi-Site Clustering Messages
• Login Sessions Management Messages
• Configuration Messages
• HSM Configuration Messages
• Secondary Transparent Login Messages
• AWS, VMware, and Azure Virtual Device Management Messages
• Credential Management API Non-Device Messages
• Session Recording Messages
• Session Manager Service Messages
• Upgrade, Backup, and Recovery Messages
• CA Threat Analytics Related Messages
• Active Directory Messages
• SAML Related Messages
• SSL, FIPS, and Cryptography Messages
• Other Common Messages
• Transparent Login Messages

Other Message Categories

• CLNT = CA PAM Client
• CM = Credential Manager
• LDAP = LDAP Importer
• MGC = Management Console
• PRX = Proxy
• SPFD = Secure Port Forwarding Daemon
• SRM = Session Recording Manager
• UI = User Interface
• UPD = Session Clean-up and Storage Status Messages

General Error Messages
PAM-CMN-0000 = Error occurred while trying to complete request. ({0})
PAM-CMN-0001 = Expected an array {0}, got a scalar.
PAM-CMN-0002 = Values {0} must be either 't' (true) or 'f' (false).
PAM-CMN-0003 = Not authorized to perform this action.
PAM-CMN-0004 = Unable to retrieve Privilege Manager.
PAM-CMN-0005 = Privilege Manager unable to retrieve user.
PAM-CMN-0006 = Cannot build Privilege Manager with data supplied.
PAM-CMN-0007 = Invalid numeric data. {0}
PAM-CMN-0008 = Invalid sort order
PAM-CMN-0009 = Your login has timed out.
PAM-CMN-0010 = Error occurred while trying to complete request.
PAM-CMN-0011 = Invalid log database type {0}. Consult your system administrator
PAM-CMN-0012 = Invalid search by field {0}
PAM-CMN-0013 = No more rows.
PAM-CMN-0014 = Same origin policy violation; possible cross-site request forgery.
PAM-CMN-0015 = Too many rows to sort by. Use search criteria to narrow the result set and try again.
PAM-CMN-0016 = All Devices
PAM-CMN-0017 = All Users
PAM-CMN-0018 = Duplicate entry
PAM-CMN-0019 = Missing required field {0}
PAM-CMN-0020 = Error occurred while trying to complete request. ({0})

PAM-CMN-0021 = No data returned.
PAM-CMN-0022 = SSH login to appliance from address {0}.

Message Fragments Used by Other Messages
PAM-CMN-0023 = add
PAM-CMN-0024 = update
PAM-CMN-0025 = delete
PAM-CMN-0026 = user groups
PAM-CMN-0027 = device groups
PAM-CMN-0028 = Connected
PAM-CMN-0029 = Waiting
PAM-CMN-0030 = Unknown
PAM-CMN-0031 = Detection
PAM-CMN-0032 = Intervention
PAM-CMN-0033 = Tampering
PAM-CMN-0034 = Password Authority Groups
PAM-CMN-0035 = VMware provisioning request
PAM-CMN-0036 = Activated
PAM-CMN-0037 = Deactivated

Network Service Messages
PAM-CMN-0038 = Service name is required.
PAM-CMN-0039 = Local IP address is required.
PAM-CMN-0040 = Invalid IP address specified.
PAM-CMN-0041 = Protocol is required.
PAM-CMN-0042 = Invalid protocol specified.
PAM-CMN-0043 = Web Portal is required.
PAM-CMN-0044 = Invalid Web Portal value specified.
PAM-CMN-0045 = Show in Column is required.
PAM-CMN-0046 = Invalid Show in Column value specified.
PAM-CMN-0047 = Enabled is required.
PAM-CMN-0048 = Invalid Enabled value specified.
PAM-CMN-0049 = Port settings are required.
PAM-CMN-0050 = Invalid port setting(s) specified: {0}.
PAM-CMN-0051 = Application protocol is required.
PAM-CMN-0052 = Invalid application protocol value specified.
PAM-CMN-0053 = Launch URL is required.
PAM-CMN-0054 = Invalid launch URL specified.
PAM-CMN-0055 = Invalid characters in comment.
PAM-CMN-0056 = Invalid characters in service name. Semicolons, commas, percent signs, and backslashes are invalid.
PAM-CMN-0057 = Existing service could not be found.
PAM-CMN-0058 = Service {0} already exists.
PAM-CMN-0059 = Service {0} created.
PAM-CMN-0060 = Unable to delete service. Service does not exist.
PAM-CMN-0061 = Service deleted.
PAM-CMN-0062 = Service name cannot be changed.
PAM-CMN-0063 = SSL VPN service must have at least 1 port defined.
PAM-CMN-0064 = Invalid TCP ports value specified. Values must be valid TCP ports or TCP port ranges.
PAM-CMN-0065 = Invalid UDP ports value specified. Values must be valid UDP ports or UDP port ranges.
PAM-CMN-0066 = Service not found.
PAM-CMN-0067 = Service {0} updated.
PAM-CMN-0068 = Unrecognized service type.
PAM-CMN-0069 = Invalid port range specified. {0} greater than {1}.
PAM-CMN-0070 = Maximum number of ports in range, 500, exceeded for specified port range {0}. Consider using SSL VPN solution.
PAM-CMN-0071 = Invalid port combination/redirection {0}. Combination/redirection format should be <Remote Port>:<Local Port>.

PAM-CMN-0072 = Local IP must be on the 127 network.
PAM-CMN-0073 = Web portal TCP/UDP services must have LeapFrog Prevention disabled.
PAM-CMN-0074 = Web portal TCP/UDP services cannot have a client application.
PAM-CMN-0075 = Launch path is required.
PAM-CMN-0076 = Service not added.
PAM-CMN-0077 = Database corruption - more than one service was inserted.
PAM-CMN-0078 = Service {0} not found or another user deleted it.
PAM-CMN-0079 = Database corruption - more than one service with the same id was deleted.
PAM-CMN-0080 = {0} service(s) deleted
PAM-CMN-0081 = {0} service(s) not deleted because not authorized.
PAM-CMN-0082 = {0} service(s) not deleted because not found.
PAM-CMN-0083 = {0} service(s) not deleted because of unknown error.
PAM-CMN-0084 = {0} service(s) deleted {1} {2} {3}
PAM-CMN-0085 = Only the Local IP, Port Settings, Enabled, Show in Column, Client Application, and Comments of the standard service sftpftp can be updated.
PAM-CMN-0086 = Only the Local IP, Port Settings, Enabled, Show in Column, and Comments of the standard service sftpftpemb can be updated.
PAM-CMN-0087 = Only the Local IP, Port Settings, Enabled, Show in Column, and Comments of the standard service TSWEB can be updated.
PAM-CMN-0088 = Standard service sftpftp can not be deleted.
PAM-CMN-0089 = Standard service sftpftpemb can not be deleted.
PAM-CMN-0090 = Standard service TSWEB can not be deleted.
PAM-CMN-0091 = Standard service sftpsftp can not be deleted.
PAM-CMN-0092 = Only the Local IP, Port Settings, Enabled, Show in Column, Client Application, and Comments of the standard service sftpsftp can be updated.
PAM-CMN-0093 = Local socket {0}:{1} of Web Portal {2} must be unique across all web portal services. Local socket already used by Web Portal {3}.
PAM-CMN-0094 = Standard service sftpsftpemb can not be deleted.
PAM-CMN-0095 = Only the Local IP, Port Settings, Enabled, Show in Column, and Comments of the standard service sftpsftpemb can be updated.
PAM-CMN-0096 = Invalid Hide Web Portal specified.
PAM-CMN-0097 = Hide Web Portal is required.
PAM-CMN-0098 = Both Show In Column and Hide Web Portal cannot be checked.
PAM-CMN-0099 = Maximum number of ports in range, 500, exceeded for the sum of all specified port ranges. Consider using SSL VPN solution.
PAM-CMN-0100 = A web application must have an application protocol of 'Web Portal'.
PAM-CMN-0101 = Invalid web portal browser type specified. Valid types are native and CA.
PAM-CMN-0102 = Invalid domain in web portal access list: {0}.
PAM-CMN-0103 = AWS Management Console SSO service can not be deleted.
PAM-CMN-0104 = AWS Management Console SSO is a reserved service name.
PAM-CMN-0105 = The only properties of the AWS Management Console SSO service that can be changed are enabled, show in column, and access list.
PAM-CMN-0106 = MS Office 365 is a reserved service name.
PAM-CMN-0107 = MS Office 365 service can not be deleted.
PAM-CMN-0108 = AWS Proxy Service is a reserved service name.
PAM-CMN-0109 = The properties of the AWS proxy service can not be changed.
PAM-CMN-0110 = The only properties of the MS Office 365 service that can be changed are enabled, show in column, and access list.
PAM-CMN-0111 = AWS Proxy service can not be deleted.
PAM-CMN-0112 = At least one SAML Subject Name Identifier Format must be selected for the SAML service.
PAM-CMN-0113 = SAML Entity ID is a required field.
PAM-CMN-0114 = SAML PEM Certificate is a required field.
PAM-CMN-0115 = The specified SAML {0} certificate is not a valid PEM encoded certificate.
PAM-CMN-0116 = The SAML encryption type is a required field.
PAM-CMN-0117 = The SAML initiating party field is invalid: Valid values are sp or idp.
PAM-CMN-0118 = Invalid SAML encryption type. Valid values are: None,NameId,Assertion.
PAM-CMN-0119 = A SAML service with an entity ID of {0} already exists. SAML entity IDs must be unique.

PAM-CMN-0120 = An error occurred while parsing the SAML metadata file: {0}
PAM-CMN-0121 = {0} service cannot not be deleted.
PAM-CMN-0122 = Invalid SAML require signed authentication request value specified. Valid values are: t, f.
PAM-CMN-0123 = The SAML encryption certificate is required if NameId or Assertion encryption is enabled.
PAM-CMN-0124 = The SAML signing certificate is required if Require Signed Authn Requests is enabled.
PAM-CMN-0125 = There are no SAML 2.0 SPs defined with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST (SAML 1.1 SPs are not supported).
PAM-CMN-0126 = CA PAM requires an AssertionConsumerService element with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
PAM-CMN-0127 = SAML service {0} with entity ID {1} {2}.
PAM-CMN-0128 = The following device(s) were {0} to host the SAML assertion consumer services: {1}.
PAM-CMN-0129 = Device group {0} was provisioned with the provisioned assertion consumer devices as members. This will facilitate managing policy for all SAML devices.
PAM-CMN-0130 = SAML attribute with index {0} is missing the required name field.
PAM-CMN-0131 = SAML attribute with index {0} is missing the required friendly name field.
PAM-CMN-0132 = There are multiple SAML attributes with the same name: {0}. Names must be unique.
PAM-CMN-0133 = There are multiple SAML attributes with the same friendly name: {0}. Friendly names must be unique.
PAM-CMN-0134 = SAML attribute {0} can not be deleted. It is used in the following policies: {1}.
PAM-CMN-0135 = The following SAML Name Identifier Formats can not be deleted: {0}. They are used in the following policies: {1}.
PAM-CMN-0136 = The auto-login method of SAML services can not be changed.
PAM-CMN-0137 = Invalid web portal auto-login method specified.
PAM-CMN-0138 = SAML services with the Route Through CA PAM setting enabled require the browser type setting to be set to the CA Browser.
PAM-CMN-0139 = SAML services using the CA browser must be IdP initiated.
PAM-CMN-0140 = VMware NSX API Proxy Service is a reserved service name.
PAM-CMN-0141 = An auto-login method was provided, but only web portals can have auto-login methods.
PAM-CMN-0142 = This service is configured to be recorded and must use the CA browser type. The service is configured to be recorded in the following policies: {0}.
PAM-CMN-0143 = SAML service data is not valid

User Management Messages
PAM-CMN-0144 = User id must be a positive integer.
PAM-CMN-0145 = User {0} not found.
PAM-CMN-0146 = The super user may not be deleted.
PAM-CMN-0147 = User {0} deleted.
PAM-CMN-0148 = User {0} not found or another user deleted them.
PAM-CMN-0149 = Database corruption - more than one user with the same id was deleted.
PAM-CMN-0150 = User or user group {0} already exists. Names must be unique.
PAM-CMN-0151 = User {0} added.
PAM-CMN-0152 = User {0} not added.
PAM-CMN-0153 = Database corruption - more than one user was inserted.
PAM-CMN-0154 = User {0} updated.
PAM-CMN-0155 = User {0} was not updated.
PAM-CMN-0156 = Database corruption - more than one user was updated.
PAM-CMN-0157 = Access time day string is 7 digits long; 1 = access permitted 0 = access forbidden.
PAM-CMN-0158 = AD Indirect Flag must be 0 or 1.
PAM-CMN-0159 = {0} time invalid.
PAM-CMN-0160 = From time must be earlier than To time.
PAM-CMN-0161 = Invalid characters in user name {0}. Semicolons, commas, percent signs, single and double quotes, and backslashes are invalid.
PAM-CMN-0162 = First name is a required field.
PAM-CMN-0163 = Last name is a required field.
PAM-CMN-0164 = Email is a required field.
PAM-CMN-0165 = Invalid email address.
PAM-CMN-0166 = Password is a required field.

PAM-CMN-0167 = Special characters quote, double quote, backslash, and percent are not allowed in the password.
PAM-CMN-0168 = Password length must be between {0} and {1} characters long.
PAM-CMN-0169 = Password must include both an alphabetic and a numeric character.
PAM-CMN-0170 = Password must include both upper and lower case alphabetic characters.
PAM-CMN-0171 = Password must include a special character ~!?`@#$^&*()_=+:;,<>{}|/-[].
PAM-CMN-0172 = Password must include at least two lowercase letters, two uppercase letters, two numbers and two special characters.
PAM-CMN-0173 = Authorization must be Local, RSA, PKI, RADIUS, or LDAP.
PAM-CMN-0174 = Password reset flag must be set on when creating a user.
PAM-CMN-0175 = Active flag must be true or false.
PAM-CMN-0176 = Database corruption - active flag not >= -1.
PAM-CMN-0177 = Expiration date must be in the future or not set.
PAM-CMN-0178 = Role structure passed in is incorrect - missing {0}.
PAM-CMN-0179 = User must belong to one of the following groups {0}.
PAM-CMN-0180 = Your role does not allow you to {0} this user without any groups.
PAM-CMN-0181 = You may only add users to the following groups {0}.
PAM-CMN-0182 = You may not delete this user. You may only remove group assignments from it.
PAM-CMN-0183 = {0} user(s) deleted.
PAM-CMN-0184 = {0} user(s) deleted, {1} user(s) not deleted.
PAM-CMN-0185 = User or group name may not be changed from {0}.
PAM-CMN-0186 = Virtual user flag must be 1 (true), or 0 (false).
PAM-CMN-0187 = Invalid access time passed in. Missing a required key field.
PAM-CMN-0188 = Malformed user group structure. See log for details.
PAM-CMN-0189 = Invalid provisioning type {0}.
PAM-CMN-0190 = User super may not have its roles changed.
PAM-CMN-0191 = Non-local users may not have passwords defined in CA PAM.
PAM-CMN-0192 = {0} users attempted, {1} users successfully added, {2} users not added.
PAM-CMN-0193 = Short name may only be used for users with provision type of LDAP or PKI.
PAM-CMN-0194 = Short name required for an LDAP provisioned user.
PAM-CMN-0195 = Provision type may not be changed.
PAM-CMN-0196 = Invalid user type.
PAM-CMN-0197 = Active flag is required.
PAM-CMN-0198 = PAP/CHAP must be specified for RADIUS authentication and only for RADIUS authentication.
PAM-CMN-0199 = Warning: Global administrators may not have limited access times - any such settings will be ignored.
PAM-CMN-0200 = {0} user(s) were requested to be enabled, {1} user(s) were actually enabled.
PAM-CMN-0201 = An invisible (shadow) user named {0} already exists. Please choose another name.
PAM-CMN-0202 = A user or group named {0} already exists. Please contact your system administrator.
PAM-CMN-0203 = {0} user(s) not deleted because not authorized.
PAM-CMN-0204 = {0} user(s) not deleted because not found.
PAM-CMN-0205 = {0} user(s) not deleted because of unknown error.
PAM-CMN-0206 = {0} user(s) deleted {1} {2} {3} {4} {5}
PAM-CMN-0207 = Can't specify the user as their own login contact. Use the Email Self on Login checkbox.
PAM-CMN-0208 = Login contact {0} not found.
PAM-CMN-0209 = Users provisioned from LDAP may not be deleted directly, only by deleting their LDAP group.
PAM-CMN-0210 = {0} LDAP users not deleted
PAM-CMN-0211 = User names, group names, and short names may not be the same.
PAM-CMN-0212 = Inconsistent provision and authentication types.
PAM-CMN-0213 = Inconsistent data - a source user cannot be provided on an update.
PAM-CMN-0214 = Invalid User Id provided for copy
PAM-CMN-0215 = Unauthorized attempt to retrieve the list of users.
PAM-CMN-0216 = Unauthorized attempt to add a user.
PAM-CMN-0217 = Unauthorized attempt to assign a user to a group.
PAM-CMN-0218 = Unauthorized attempt to retrieve user details.
PAM-CMN-0219 = Unauthorized attempt to delete user from group(s).
PAM-CMN-0220 = Unauthorized attempt to delete user.
PAM-CMN-0221 = Unauthorized attempt to update global administrator account.

PAM-CMN-0222 = Unauthorized attempt to update a user.
PAM-CMN-0223 = Unauthorized attempt to update user's properties.
PAM-CMN-0224 = Unauthorized attempt to reactivate user(s).
PAM-CMN-0225 = Invalid RDP user name {0}.
PAM-CMN-0226 = Mainframe Display Name entry has invalid characters. Allowed characters are (alpha, numeric, underscore)
PAM-CMN-0227 = Unauthorized attempt to view the effective policy of user {0}.
PAM-CMN-0228 = An LDAP provisioned user may not be added directly, only imported via LDAP.
PAM-CMN-0229 = LDAP-provisioned user {0}'s LDAP groups may not be changed except via LDAP import or refresh.
PAM-CMN-0230 = Shadow user {0}'s membership in RADIUS group {1} may not be changed.
PAM-CMN-0231 = A shadow user may not be added directly, only created via logon.
PAM-CMN-0232 = User {0} may not be added to RADIUS group {1}.
PAM-CMN-0233 = Duplicate Password Authority username {0}. User not added. Please contact your system administrator.
PAM-CMN-0234 = User add failed. Please contact your system administrator.
PAM-CMN-0235 = User is not allowed to manage the Password Authority group {0}.
PAM-CMN-0236 = Roles with the Manage Credential privilege must have at least one Password Authority group to manage.
PAM-CMN-0237 = Password Authority user group name {0} not found.
PAM-CMN-0238 = Super user cannot change Password Authority user groups.
PAM-CMN-0239 = User {0} cannot be deleted because of a Password Authority error.
PAM-CMN-0240 = Duplicate user principal name {0}. User cannot be {1}.
PAM-CMN-0241 = Devices provisioned from LDAP may not be deleted directly, only by deleting their LDAP group.
PAM-CMN-0242 = The user has been configured to manage a Password Authority group but does not have a role with sufficient privileges.
PAM-CMN-0243 = Maximum of {0} AWS API Proxy users licensed. Please remove that privilege from one or more users before proceeding to add this one.
PAM-CMN-0244 = API keys must be an array of arrays of individual API keys containing id, name, target account id, active status and set of roles.
PAM-CMN-0245 = Required API key array element client name not found.
PAM-CMN-0246 = Required API key array element target account id not found.
PAM-CMN-0247 = Required API key array element isActive not found.
PAM-CMN-0248 = Required API key array element roles not found.
PAM-CMN-0249 = API key array element roles must be an array.
PAM-CMN-0250 = API keys must be deleted before the rest of the user.
PAM-CMN-0251 = Existing API key {0} either does not belong to user {1} or does not exist at all.
PAM-CMN-0252 = Users with provision type {0} can not be added to LDAP groups: {1}.
PAM-CMN-0253 = The following user ids are not valid: {0}.
PAM-CMN-0254 = You cannot specify an API key id when creating a user.
PAM-CMN-0255 = Pap/Chap must be null if authentication type is not radius or tacacs.
PAM-CMN-0256 = A user may not be locally added to an LDAP provisioned group.
PAM-CMN-0257 = The following user fields may not be changed locally for an ldap user: activationDate, authType, description, email, expiration, firstName, lastName, password, phone, resetPasswordFlag.
PAM-CMN-0258 = A valid password is required. Empty passwords not allowed.
PAM-CMN-0259 = User not found.
PAM-CMN-0260 = Maximum length of email field is 60 characters.
PAM-CMN-0261 = The super user account's authentication method cannot be set to SAML.
PAM-CMN-0262 = A user may not have two API keys with the same name. Change the API keys so that only one is named {0}.
PAM-CMN-0263 = User with local authentication must have a password set.
PAM-CMN-0264 = Password has been already used. You have to enter a new password.
PAM-CMN-0265 = Invalid old password.
PAM-CMN-0266 = Password must be new
PAM-CMN-0267 = Special characters " ' % and are not allowed in the password
PAM-CMN-0268 = Password length must be "{0}" - "{1}" characters.
PAM-CMN-0269 = Must include both an alphabetic and numeric character.

PAM-CMN-0270 = Must include both upper and lower case alphabetic characters.
PAM-CMN-0271 = Must include a special character ~!?`@#$^&*()_=+:;,<.>{}|/-[]
PAM-CMN-0272 = Password must include at least two lowercase letters, two uppercase letters, two numbers and two special characters.
PAM-CMN-0273 = User {0} must be associated with Password Authority user group {1}.
PAM-CMN-0274 = The old password you entered is not correct.
PAM-CMN-0275 = Password change failed. Unknown error.
PAM-CMN-0276 = User groups for a SAML JIT user can only be changed by SAML.
PAM-CMN-0277 = A {0} provisioned user must belong to at least one group.
PAM-CMN-0278 = A SAML JIT user such as {0} can only have their user groups changed by SAML.
PAM-CMN-0279 = A SAML JIT user like {0} may not be added directly, only loaded from an identity provider on login.
PAM-CMN-0280 = User {0} cannot be deleted because it is configured as the login contact for the following list of users: {1}.
PAM-CMN-0281 = {0} user(s) configured as login contact(s) not deleted
PAM-CMN-0282 = The user has been assigned a role which requires a password authority user group to be associated with it, but no such group was specified.
PAM-CMN-5405 = Unable to delete user, because it is configured for Forced Deactivation Alert.
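The password rules in PAM-CMN-0167 through PAM-CMN-0172, and their change-password counterparts PAM-CMN-0267 through PAM-CMN-0272, together describe a composable complexity policy: a forbidden-character check, a configurable length window, character-class requirements and an optional two-of-each rule. The checker below is an added illustration, not code from the product or from this guidance supplement. It evaluates a candidate against every rule and reports the catalog codes it violates. The default length bounds (8 and 64) and the `strict` switch that enables PAM-CMN-0172 are assumptions, since the configured values that fill {0} and {1} are not given on this page.

```python
"""Evaluate a candidate password against the PAM-CMN-0167..0172 rules.

Added example; it is not the product's own validator. The length bounds and
the `strict` switch are assumptions standing in for the appliance settings
that fill {0} and {1} of PAM-CMN-0168 and decide whether PAM-CMN-0172 applies.
"""
from typing import Dict, List

# PAM-CMN-0167: quote, double quote, backslash and percent are rejected outright.
FORBIDDEN = frozenset("'\"\\%")
# PAM-CMN-0171: the accepted special-character set, copied from the message text.
SPECIALS = frozenset("~!?`@#$^&*()_=+:;,<>{}|/-[]")

# Catalog text for the codes this checker can return, with {0}/{1} as on the page.
MESSAGES: Dict[str, str] = {
    "PAM-CMN-0167": "Special characters quote, double quote, backslash, and percent are not allowed in the password.",
    "PAM-CMN-0168": "Password length must be between {0} and {1} characters long.",
    "PAM-CMN-0169": "Password must include both an alphabetic and a numeric character.",
    "PAM-CMN-0170": "Password must include both upper and lower case alphabetic characters.",
    "PAM-CMN-0171": "Password must include a special character ~!?`@#$^&*()_=+:;,<>{}|/-[].",
    "PAM-CMN-0172": "Password must include at least two lowercase letters, two uppercase letters, two numbers and two special characters.",
}


def check_password(pw: str, min_len: int = 8, max_len: int = 64, strict: bool = False) -> List[str]:
    """Return every catalog code the candidate violates (empty list = accepted).

    All rules are evaluated rather than stopping at the first failure, so the
    caller can report the complete set of problems in one round trip.
    """
    violations: List[str] = []
    if FORBIDDEN & set(pw):
        violations.append("PAM-CMN-0167")
    if not (min_len <= len(pw) <= max_len):
        violations.append("PAM-CMN-0168")
    alpha = sum(c.isalpha() for c in pw)
    lower = sum(c.islower() for c in pw)
    upper = sum(c.isupper() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    specials = sum(c in SPECIALS for c in pw)
    if not (alpha and digits):
        violations.append("PAM-CMN-0169")
    if not (lower and upper):
        violations.append("PAM-CMN-0170")
    if not specials:
        violations.append("PAM-CMN-0171")
    # PAM-CMN-0172 is the stronger two-of-each rule; treated as optional here (assumption).
    if strict and min(lower, upper, digits, specials) < 2:
        violations.append("PAM-CMN-0172")
    return violations


def render(codes: List[str], min_len: int = 8, max_len: int = 64) -> List[str]:
    """Fill the {0}/{1} placeholders the way the catalog shows them.

    str.replace is used instead of str.format because PAM-CMN-0171's text
    contains a literal "{}" that format() would treat as a placeholder.
    """
    return [
        f"{c} = " + MESSAGES[c].replace("{0}", str(min_len)).replace("{1}", str(max_len))
        for c in codes
    ]


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "password", "Pa%s1!"):
        print(candidate, "->", render(check_password(candidate)) or ["accepted"])
```

Note that the two catalog copies differ in one detail: PAM-CMN-0171 lists `<>` while PAM-CMN-0271 lists `<.>`, so a period may or may not count as a special character depending on which path (create versus change) the appliance takes; the checker above follows PAM-CMN-0171.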

Smart Button Group Messages
PAM-CMN-0283 = Smart button group name is required.
PAM-CMN-0284 = Invalid smart button group configuration file id specified.
PAM-CMN-0285 = Smart button group id required.
PAM-CMN-0286 = Invalid smart button group users specified.
PAM-CMN-0287 = Invalid smart button group id specified.
PAM-CMN-0288 = Invalid smart button group description specified.
PAM-CMN-0289 = A smart button group with name {0} already exists.
PAM-CMN-0290 = Invalid smart button group configuration file id specified.
PAM-CMN-0291 = Smart button group {0} not found.
PAM-CMN-1358 = Unexpected result from deleting smart button group
PAM-CMN-1456 = Successfully deleted selected Smart Button group {0}.
PAM-CMN-1551 = Unauthorized attempt to update smart button group {0} by {1}
PAM-CMN-1552 = Unauthorized attempt to add smart button group {0} by user {1}
PAM-CMN-1553 = Smart Button group {0} added.
PAM-CMN-1554 = Smart Button group {0} not added
PAM-CMN-1555 = Database corruption - more than one Smart Button group was added
PAM-CMN-1556 = Unauthorized attempt to delete smart button group {0} by {1}
PAM-CMN-1557 = Successfully deleted smart button group {0}
PAM-CMN-1558 = Smart Button group {0} was not found and not deleted
PAM-CMN-1559 = Unexpected result from deleting smart button group
PAM-CMN-1590 = User {0} tried to retrieve the list of smart button groups without authorization
PAM-CMN-2400 = Smart Button group {0} updated
PAM-CMN-2401 = Database corruption - more than one Smart Button group was updated
PAM-CMN-2402 = Smart Button group {0} updated, but users: {1} already belong to a smart button group
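Several codes on this page record operations the appliance refused: PAM-CMN-0215 through PAM-CMN-0224 and PAM-CMN-0227 for user management, and PAM-CMN-1551, 1552, 1556 and 1590 for smart button groups. A burst of these from one account is the privilege probing a SOC would want surfaced. The script below is an added example, not part of the guidance supplement and not the appliance's own tooling. The audit-line layout it parses and the sample records are constructed for the illustration (the real record format is defined elsewhere in the supplement and is not reproduced on this page), and the threshold and window are assumed tuning values.

```python
"""Flag accounts that accumulate denied-operation codes in a short window.

Added example; the line layout and the sample records below are constructed
for illustration and are not the appliance's audit format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Optional, Tuple

# Codes on this page whose text reports an unauthorized attempt.
UNAUTHORIZED_CODES = frozenset(
    [f"PAM-CMN-{n:04d}" for n in range(215, 225)]
    + ["PAM-CMN-0227", "PAM-CMN-1551", "PAM-CMN-1552", "PAM-CMN-1556", "PAM-CMN-1590"]
)

# ASSUMED layout: timestamp, acting user, source address, catalog code, text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) "
    r"(?P<code>PAM-CMN-\d{4}) (?P<msg>.*)$"
)

# Constructed sample: mallory probes three user-management operations within a
# few minutes; bob's denials are spread out and should not trip the rule.
SAMPLE_AUDIT: List[str] = """\
2020-05-29 10:15:02 user=alice src=10.0.0.5 PAM-CMN-0298 User group ops added.
2020-05-29 10:16:10 user=mallory src=10.0.0.9 PAM-CMN-0215 Unauthorized attempt to retrieve the list of users.
2020-05-29 10:16:41 user=mallory src=10.0.0.9 PAM-CMN-0216 Unauthorized attempt to add a user.
2020-05-29 10:17:05 user=mallory src=10.0.0.9 PAM-CMN-0221 Unauthorized attempt to update global administrator account.
2020-05-29 10:18:30 user=bob src=10.0.0.7 PAM-CMN-0220 Unauthorized attempt to delete user.
2020-05-29 11:40:00 user=bob src=10.0.0.7 PAM-CMN-0220 Unauthorized attempt to delete user.
2020-05-29 11:41:00 user=bob src=10.0.0.7 PAM-CMN-0220 Unauthorized attempt to delete user.
""".splitlines()


class Record(NamedTuple):
    ts: datetime
    user: str
    src: str
    code: str
    msg: str


def parse_line(line: str) -> Optional[Record]:
    """Split one audit line into fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return Record(
        datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        m.group("user"), m.group("src"), m.group("code"), m.group("msg"),
    )


def find_probing_users(
    lines: Iterable[str], threshold: int = 3, window: timedelta = timedelta(minutes=10)
) -> Dict[str, List[str]]:
    """Map each user who reaches `threshold` denials inside `window` to the distinct codes seen.

    A per-user deque holds only the denials inside the sliding window, so memory
    stays bounded however long the log is. Lines are assumed to be in time order.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.code not in UNAUTHORIZED_CODES:
            continue
        q = recent[rec.user]
        q.append((rec.ts, rec.code))
        # Drop denials older than the window; the just-appended entry always stays.
        while rec.ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and rec.user not in alerts:
            alerts[rec.user] = sorted({c for _, c in q})
    return alerts


if __name__ == "__main__":
    for user, codes in find_probing_users(SAMPLE_AUDIT).items():
        print(f"ALERT {user}: {len(codes)} distinct denial code(s) {codes}")
```

The distinct-code list is kept alongside the count because a single repeated code (bob retrying one delete) and a spread across list, add and global-administrator update (mallory) deserve different triage even at the same volume.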

User Group Management Messages
PAM-CMN-0292 = User group id must be a positive integer.
PAM-CMN-0293 = User group not found.
PAM-CMN-0294 = User group {0} deleted.
PAM-CMN-0295 = User group {0} not found or another user deleted it.
PAM-CMN-0296 = Database corruption - more than one user group with the same id was deleted.
PAM-CMN-0297 = User group or user {0} already exists. Names must be unique.
PAM-CMN-0298 = User group {0} added.
PAM-CMN-0299 = User group {0} not inserted.
PAM-CMN-0300 = Database corruption - more than one user group with the same id was inserted.
PAM-CMN-0301 = User group {0} updated.
PAM-CMN-0302 = User group {0} was not updated.
PAM-CMN-0303 = Database corruption - more than one user group with the same id was updated.

PAM-CMN-0304 = Invalid user group type.
PAM-CMN-0305 = User group name may not be blank.
PAM-CMN-0306 = {0} user group(s) deleted.
PAM-CMN-0307 = {0} user group(s) deleted, {1} user group(s) not deleted.
PAM-CMN-0308 = User group not deleted.
PAM-CMN-0309 = {0} user group(s) not deleted because not authorized.
PAM-CMN-0310 = {0} user group(s) not deleted because not found.
PAM-CMN-0311 = {0} user group(s) not deleted because of unknown error.
PAM-CMN-0312 = {0} user group(s) deleted. {1} {2} {3}
PAM-CMN-0313 = Unspecified user group name.
PAM-CMN-0314 = Locally provisioned user groups can not have an authentication type of RSA.
PAM-CMN-0315 = Locally provisioned user groups can not have an authentication type of LDAP+RSA.
PAM-CMN-0316 = Invalid network range. {0}
PAM-CMN-0317 = Locally provisioned user groups can not have an authentication type of LDAP+RADIUS.
PAM-CMN-0318 = The following user group ids are not valid: {0}.
PAM-CMN-0319 = Auth type {0} not supported.
PAM-CMN-0320 = User {0} not successfully added to user group. No other users added.
PAM-CMN-0321 = The following user fields may not be changed locally for an LDAP user group: description, shortName.
PAM-CMN-0322 = Group id is required for an update and must be an integer > 0.

Device Management Messages
PAM-CMN-0323 = Power must be On, Off, or Unknown.

PAM-CMN-0324 = Device {0} not found.

PAM-CMN-0325 = Device task enabled must be On or Off.

PAM-CMN-0326 = Device property terminal customization must be 0 or 1.

PAM-CMN-0327 = Device property endselect must be 0 or 1.

PAM-CMN-0328 = Device console type must be KDM, PPP, or Serial.

PAM-CMN-0329 = Device service enabled must be On or Off.

PAM-CMN-0330 = Device {0} deleted.

PAM-CMN-0331 = Device {0} not found or another user deleted them.

PAM-CMN-0332 = Database corruption - more than one device with the same id was deleted.

PAM-CMN-0333 = Device or device group name {0} already exists. Names must be unique.

PAM-CMN-0334 = Device {0} added.

PAM-CMN-0335 = Device {0} not added.

PAM-CMN-0336 = Database corruption - more than one device with the same id was inserted.

PAM-CMN-0337 = Device {0} updated.

PAM-CMN-0338 = Device {0} was not updated due to Password Authority authorization errors.

PAM-CMN-0339 = Database corruption - more than one device with the same id was updated.

PAM-CMN-0340 = Device {0} power status updated.

PAM-CMN-0341 = Device {0} power status was not updated.

PAM-CMN-0342 = Database corruption - more than one device's power status was updated.

PAM-CMN-0343 = {0} {1} {2} Failed.

PAM-CMN-0344 = {0} {1} {2} Successful.

PAM-CMN-0345 = Unknown power status of {0}: multiple power ports do not match.

PAM-CMN-0346 = Unsuccessful checking power status of {0}.

PAM-CMN-0347 = Special type device {0} already exists.

PAM-CMN-0348 = Special type device not found.

PAM-CMN-0349 = Special type device {0} not inserted.

PAM-CMN-0350 = Database corruption - more than one special type device was inserted.

PAM-CMN-0351 = Special type device {0} was not updated.

PAM-CMN-0352 = Database corruption - more than one special type device was updated.

PAM-CMN-0353 = Device group name is required.

PAM-CMN-0354 = Device domain name is required.

PAM-CMN-0355 = A device must belong to one of the following groups {0}.

PAM-CMN-0356 = Your role does not allow you to {0} this device without any groups.

PAM-CMN-0357 = You may only add or delete device membership from the following groups {0}.

PAM-CMN-0358 = You may not delete this device, only remove group assignments from it.

PAM-CMN-0359 = Device name may not be blank.

PAM-CMN-0360 = {0} device(s) deleted.

PAM-CMN-0361 = {0} device(s) deleted, {1} device(s) not deleted.

PAM-CMN-0362 = Device special type must be specified.

PAM-CMN-0363 = Invalid device special type specified.

PAM-CMN-0364 = Operating System is a required field.

PAM-CMN-0365 = Invalid operating system specified.

PAM-CMN-0366 = Invalid device id(s) {0}.

PAM-CMN-0367 = Device terminal data is required.

PAM-CMN-0368 = Device terminal type is required.

PAM-CMN-0369 = Device terminal type is invalid: {0}.

PAM-CMN-0370 = Device terminal type was not added.

PAM-CMN-0371 = Configuring device {0} as a {1} device will exceed the number of licensed {2} devices.

PAM-CMN-0372 = Expect string must be specified for all expect/response pairs.

PAM-CMN-0373 = User requires Device/Group Manager or Delegated Administrator role to add discovered devices to CA PAM.

PAM-CMN-0374 = Device cannot have both sftpftp and sftpftpemb services.

PAM-CMN-0375 = {0} device(s) not deleted because not authorized.

PAM-CMN-0376 = {0} device(s) not deleted because not found.

PAM-CMN-0377 = {0} device(s) not deleted because of unknown error.

PAM-CMN-0378 = {0} device(s) deleted {1} {2} {3}

PAM-CMN-0379 = Invalid characters in device name {0}. Semicolons, commas, apostrophes and backslashes are invalid.

PAM-CMN-0380 = Task {0} port setting, {1}, already in use on device.

PAM-CMN-0381 = Mainframe access methods are not permitted without a Mainframe-capable license.

PAM-CMN-0382 = Access method {0} has duplicate name {1}.

PAM-CMN-0383 = Multiple access methods of type {0} must have different names.

PAM-CMN-0384 = Device cannot have both sftpsftp and sftpsftpemb services.

PAM-CMN-0385 = A custom name for a device task may not have colons, semicolons, commas, or backslashes.

PAM-CMN-0386 = Device cannot have both telnet and ssh2telnet access methods.

PAM-CMN-0387 = Invalid tag format

PAM-CMN-0388 = Tag {0} can not be deleted

PAM-CMN-0389 = {0} Tags deleted out of {1} requested

PAM-CMN-0390 = Tag {0} was NOT renamed to {1}

PAM-CMN-0391 = Maximum number of ports in range, 500, exceeded for specified port range {0}.

PAM-CMN-0392 = Port {0} out of range. Must be less than {1}.

PAM-CMN-0393 = Port {0} out of range. Must be greater than {1}.

PAM-CMN-0394 = No access is currently permitted because this CA PAM appliance is over-provisioned. Please contact your systems administrator.

PAM-CMN-0395 = This CA Privileged Access Manager appliance currently has more Devices defined than the configured license permits. Please either obtain a new license from CA Technologies or delete devices to bring this appliance back within its license constraints. Access is disabled until this is remediated.

PAM-CMN-0396 = Each power task must have a unique combination of power device and port.

PAM-CMN-0397 = Maximum number of ports in range, 500, exceeded for all specified port ranges.

PAM-CMN-0398 = Invalid value for device type Access.

PAM-CMN-0399 = Invalid value for device type Password Management.

PAM-CMN-0400 = Invalid value for device type A2A.

PAM-CMN-0401 = Request server type must be CLIENT or AGENT.

PAM-CMN-0402 = Invalid value for host name preserved.

PAM-CMN-0403 = Invalid value for autopatch.

PAM-CMN-0404 = Invalid value for request server active flag.

PAM-CMN-0405 = Invalid value for device type search.

PAM-CMN-0406 = Invalid value for request server id.

PAM-CMN-0407 = Request server id required for autoregistration.

PAM-CMN-0408 = Can't assign request server id to a device that is not a request server.

PAM-CMN-0409 = Operation aborted because Password Authority request server cannot be deleted. See log for details.

PAM-CMN-0410 = Operation aborted because Password Authority target server cannot be deleted. See log for details.

PAM-CMN-0411 = Device {0} not deleted because of Password Authority errors.

PAM-CMN-0412 = Device Import cannot add virtual devices only update them. Device Name = {0}.

PAM-CMN-0413 = Failed to connect to {0}.

PAM-CMN-0414 = Invalid definition of virtual device {0}.

PAM-CMN-0415 = Physical device {0} may not have an alternate id.

PAM-CMN-0416 = Virtual device not available.

PAM-CMN-0417 = Target Application {0} was not added or updated due to Password Authority authorization errors.

PAM-CMN-0418 = Device group must have a provision type.

PAM-CMN-0419 = A device group's provision type may not be changed. Delete and recreate the group.

PAM-CMN-0420 = {0} device refresh failed due to error. See log for details.

PAM-CMN-0421 = Target server {0} not found.

PAM-CMN-0422 = Request server not found.

PAM-CMN-0423 = Special device {0} may not be changed.

PAM-CMN-0424 = Connection error - is DNS working? See log for details.

PAM-CMN-0425 = A target server with the address {0} already exists. Target server {1} not added.

PAM-CMN-0426 = A request server with the address {0} already exists. Request server {1} not added.

PAM-CMN-0427 = Invalid device type (access, password, a2a) specified.

PAM-CMN-0428 = {0} provisioning already in progress. Please wait.

PAM-CMN-0429 = Terminal type VT100 is not compatible with TN5250 or TN5250SSL access methods.

PAM-CMN-0430 = Device import cannot add VMware device groups only update them. Group name = {0}.

PAM-CMN-0431 = Could not reassign user to PA user.

PAM-CMN-0432 = General error with password checkin. See log for details.

PAM-CMN-0433 = {0} is a reserved {1} name. Please use another name.

PAM-CMN-0434 = {0} is a reserved device address. Please use another address.

PAM-CMN-0435 = Device may not have applets if not of typeAccess.

PAM-CMN-0436 = Device may not have services if not of typeAccess.

PAM-CMN-0437 = Target server fields may not be defined if device is not of typePassword.

PAM-CMN-0438 = Request server fields may not be defined if device is not of typeA2A.

PAM-CMN-0439 = Device import cannot add VMware Device Groups, it may only update them (Group name = {0}).

PAM-CMN-0440 = Configuring device {0} as a {1} device will exceed the number of licensed {2} devices. Device added without the type.

PAM-CMN-0441 = Internal error occurred while updating the runtime status of a device.

PAM-CMN-0442 = Service AWS Management Console SSO can not be added to a device.

PAM-CMN-0443 = {0} VMware devices were not deleted. See logs for details. VMware credentials are kept but the configuration is now inactive.

PAM-CMN-0444 = {0} AWS devices were not deleted. See logs for details. AWS credentials are kept but the configuration is now inactive.

PAM-CMN-0445 = AWS region code may not be changed on update. Delete this row and enter a new one.

PAM-CMN-0446 = AWS region code required.

PAM-CMN-0447 = Invalid AWS region code {0}.

PAM-CMN-0448 = This AWS access key and region are already provisioned.

PAM-CMN-0449 = The access key id must reference an actual Access Key target account.

PAM-CMN-0450 = The active checkbox must have a value of t or f.

PAM-CMN-0451 = Target application {0} from device {1} was not deleted.

PAM-CMN-0452 = Target application {0} was deleted from device {1}.

PAM-CMN-0453 = Service AWS API Proxy can not be added to a device.

PAM-CMN-0454 = Target group {0} not added to Password Authority. Error Message: {1}.

PAM-CMN-0455 = Unable to delete target group {0} from Password Authority. Error Message: {1}.

PAM-CMN-0456 = Request group {0} not added to Password Authority. Error Message: {1}.

PAM-CMN-0457 = Unable to delete request group {0} from Password Authority. Error Message: {1}.

PAM-CMN-0458 = AWS Proxy client authorization mapping failed. Error Message: {0}.

PAM-CMN-0459 = Deleting the AWS Proxy client authorization mapping failed. Error Message: {0}.

PAM-CMN-0460 = AWS Access key not found.

PAM-CMN-0461 = No such credential source as {0}. Device group {1} was added without it.

PAM-CMN-0462 = No such credential source as {0}. Device group {1} was updated, but the old credential was left in place.

PAM-CMN-0463 = Invalid value for password push flag.

PAM-CMN-0464 = {0} device group membership may not be changed locally. The {1} device groups were restored.

PAM-CMN-0465 = A target server with the device name {0} already exists. Target server not added.

PAM-CMN-0466 = A request server with the device name {0} already exists. Request server not added.

PAM-CMN-0467 = A Password Authority problem prevented completing the request. Message: {0} Check log for details.

PAM-CMN-0468 = The tag "{0}" has a length greater than {1}

PAM-CMN-0469 = Command {0} not supported for transparent login. Only the commands {1} are supported.

PAM-CMN-0470 = Password prompt for {0} command may not contain equals sign or semi-colon.

PAM-CMN-0471 = Password prompt is required for transparent login.

PAM-CMN-0472 = Full path must begin with a forward slash (/).

PAM-CMN-0473 = Must specify both full path and prompt or neither.

PAM-CMN-0474 = The same user may not be assigned twice to the same vCenter for provisioning.

PAM-CMN-0475 = Target account id is required for update of target account {0}.

PAM-CMN-0476 = Either the hostname and the target application application name, or the target application id is required to add the target account {0}.

PAM-CMN-0477 = Target account id and user name are both required to update a target account.

PAM-CMN-0478 = VMware URL most commonly should be in the form https://<domain>[:port]/sdk. Please enter a URL.

PAM-CMN-0479 = Provision id required.

PAM-CMN-0480 = Only the url or the active status may be changed, and one of them must be changed on an update.

PAM-CMN-0481 = Device must be at least of type Access, Password, or A2A.

PAM-CMN-0482 = Invalid device group ids specified. The array must contain only numeric ids.

PAM-CMN-0483 = The following ids are not ids of existing device groups: {0}.

PAM-CMN-0484 = Invalid device service ids specified. The array must contain only numeric ids.

PAM-CMN-0485 = The following ids are not ids of valid TCP/UDP or RDP application services: {0}.

PAM-CMN-0486 = Invalid device VPN service ids specified. The array must contain only numeric ids.

PAM-CMN-0487 = The following ids are not ids of valid VPN services: {0}.

PAM-CMN-0488 = The following ids are not ids of valid TCP/UDP services: {0}.

PAM-CMN-0489 = The following ids are not ids of valid RDP application services: {0}.

PAM-CMN-0490 = Invalid device credential source ids specified. The array must contain only numeric ids.

PAM-CMN-0491 = The following ids are not ids of valid password devices: {0}.

PAM-CMN-0492 = Invalid device group service ids specified. The array must contain only numeric ids.

PAM-CMN-0493 = Invalid device group VPN service ids specified. The array must contain only numeric ids.

PAM-CMN-0494 = Invalid device ids specified. The array must contain only numeric ids.

PAM-CMN-0495 = The following ids are not ids of existing devices: {0}.

PAM-CMN-0496 = Target application {0} was not found.

PAM-CMN-0497 = X11 Forwarding can only be applied to the SSH applet.

PAM-CMN-0498 = Only X11 Forwarding (x11forwarding) is a valid task property.

PAM-CMN-0499 = A virtual device may not be added via local means.

PAM-CMN-0500 = Device name and domain name of a virtual device may not be changed via local means.

PAM-CMN-0501 = Virtual device {0} may not be deleted via local means.

PAM-CMN-0502 = Special device {0} may not be deleted.

PAM-CMN-0503 = Device was not found.

PAM-CMN-0504 = The specified device is not a password type device.

PAM-CMN-0505 = A target application with the specified id was not found or does not belong to the specified device.

PAM-CMN-0506 = Target account not found.

PAM-CMN-0507 = Device was not found or was not a target server.

PAM-CMN-0508 = Target application does not belong to device.

PAM-CMN-0509 = A target application with the same name already exists for the device.

PAM-CMN-0510 = Invalid target application type specified. Valid types are: Generic, UnixII.

PAM-CMN-0511 = Error occurred provisioning the target account.

PAM-CMN-0512 = A target account with the specified id was not found or does not belong to the specified device or target application.

PAM-CMN-0513 = Error occurred updating the target account.

PAM-CMN-0514 = Tags must be an array of tag names.

PAM-CMN-0515 = The device already has the following {0} services: {1}.

PAM-CMN-0516 = Tag id must be an integer.

PAM-CMN-0517 = Transparent login parameters must be in the form command;prompt|command;prompt. Semicolon, comma, and pipe may not be used as part of the command or the prompt.

PAM-CMN-0518 = Invalid transparent login type.

PAM-CMN-0519 = Transparent login type and parameters out of sync.

PAM-CMN-0520 = Secondary SSO must be defined as <Device Name>|<TargetApplication Name>|<TargetAccount user name>.

PAM-CMN-0521 = Failed to assign '{0}' tag to device. '{1}' tag prefix is reserved for vSphere NSX Security {2}.

PAM-CMN-0522 = Service VMware NSX API Proxy can not be added to a device.

PAM-CMN-0523 = NSX Proxy is a reserved {0} name. Please use another name.

PAM-CMN-0524 = ca.nsx.vmware.com is a reserved device address. Please use another address.

PAM-CMN-0525 = Tags may not be defined on non-local groups.

PAM-CMN-0526 = Invalid value for Override Address.

PAM-CMN-0527 = Cannot delete Password Management device {0} because it is configured as a VMware vCenter device for CA PAM.

PAM-CMN-0528 = Command string {0} begins with a forward slash (/), which is not allowed in transparent login command strings.

PAM-CMN-0529 = Invalid value for Handle Legal Notice flag.

PAM-CMN-0530 = Cannot get name for a target or request group if no group ID is supplied.

PAM-CMN-0531 = Device {0} had missing terminal data; default terminal data has been assigned.

PAM-CMN-0532 = Device name {0} was successfully managed.

PAM-CMN-0533 = {0} device(s) not deleted because they are in use.

PAM-CMN-0534 = Device Manager user couldn't delete device {0} because it is a Password Management or A2A device and the user lacks privileges to delete those types of device.

PAM-CMN-0535 = Device Manager user couldn't change name of device {0} because it is a Password Management or A2A device and the user lacks privileges to rename those types of device.

PAM-CMN-0536 = Device Manager user couldn't change domain name of device {0} because it is a Password Management or A2A device and the user lacks privileges to change domain names for those types of device.

PAM-CMN-0537 = Role was not found.

Role and Privilege Messages
PAM-CMN-0538 = Update of role {0} failed. No matching id.
PAM-CMN-0539 = Role requested to be assigned a non-existent privilege.
PAM-CMN-0540 = Role id must be an integer, not {0}.
PAM-CMN-0541 = Default roles may not be deleted or updated.
PAM-CMN-0542 = Role not found to {0}.
PAM-CMN-0543 = Role not deleted because there are still users assigned to it.
PAM-CMN-0544 = Role id required when updating a role.
PAM-CMN-0545 = Role id already assigned at start of add. Role was not added.
PAM-CMN-0546 = Duplicate role name {0}.
PAM-CMN-0547 = Create role failed for role {0}.
PAM-CMN-0548 = Role name may not be changed.
PAM-CMN-0549 = Role {0} missing required {1}.
PAM-CMN-0550 = Role {0} with these groups may not be added to a user by this user.
PAM-CMN-0551 = Role {0} may not have its {1} changed by this user.
PAM-CMN-0552 = The Autodiscovery role requires Device/Group Manager role or the Delegated Administrator Role as well.
PAM-CMN-0553 = A role must contain at least one privilege.
PAM-CMN-0554 = Due to role restrictions, group {0} may not be added to a user except by a Global Administrator.
PAM-CMN-0555 = Roles containing the AWS API Proxy privilege may not be added to groups.
PAM-CMN-0556 = Role with id {0} not found.
PAM-CMN-0557 = The following user groups for role {0} do not exist: {1}.
PAM-CMN-0558 = The following device groups for role {0} do not exist: {1}.
PAM-CMN-0559 = The API key {0} for user {1} has privileges the user does not. The API key will be disabled until this is fixed.

Device Group Management Messages
PAM-CMN-0560 = Device group name is required.
PAM-CMN-0561 = Invalid device group name specified.
PAM-CMN-0562 = Invalid device group description specified.
PAM-CMN-0563 = Invalid device group id specified.
PAM-CMN-0564 = Device group name {0} already exists.
PAM-CMN-0565 = Device group with name {0} not found.
PAM-CMN-0566 = Device group with id {0} not found.
PAM-CMN-0567 = {0} field must be an array.
PAM-CMN-0568 = Device group {0} not inserted.
PAM-CMN-0569 = Database corruption - more than one device group with the same id was inserted.
PAM-CMN-0570 = Device group {0} not updated.
PAM-CMN-0571 = Database corruption - more than one device group with the same id was updated.
PAM-CMN-0572 = Device group {0} not deleted.
PAM-CMN-0573 = Database corruption - more than one device group with the same id was deleted.
PAM-CMN-0574 = {0} device group(s) deleted.
PAM-CMN-0575 = {0} device group(s) deleted, {1} user group(s) not deleted.
PAM-CMN-0576 = Device group cannot have both sftpftp and sftpftpemb services.
PAM-CMN-0577 = {0} device group(s) not deleted because not authorized.
PAM-CMN-0578 = {0} device group(s) not deleted because not found.
PAM-CMN-0579 = {0} device group(s) not deleted because of unknown error.
PAM-CMN-0580 = {0} device group(s) deleted. {0} {1} {2}
PAM-CMN-0581 = Device group cannot have both sftpsftp and sftpsftpemb services.
PAM-CMN-0582 = A device group with a network address cannot have services or access methods defined.
PAM-CMN-0583 = Invalid network address {0}.
PAM-CMN-0584 = The following device groups do not exist: {0}.
PAM-CMN-0585 = VMware device group {0} may not be deleted locally.
PAM-CMN-0586 = Device group not found.
PAM-CMN-0587 = The device group already has the following access methods: {0}.
PAM-CMN-0588 = The device group already has the following {0} services: {1}.
PAM-CMN-0589 = The specified access method id does not belong to the device group or is invalid.
PAM-CMN-0590 = The specified service id does not belong to the device group or is invalid.
PAM-CMN-0591 = The specified VPN service id does not belong to the device group or is invalid.

Global Settings and Device Task Messages
PAM-CMN-0592 = Task name or id is required.
PAM-CMN-0593 = Invalid task port specified.
PAM-CMN-0594 = Task enabled is required.
PAM-CMN-0595 = Invalid task enabled specified.
PAM-CMN-0596 = Invalid task id specified.
PAM-CMN-0597 = Task not found.
PAM-CMN-0598 = Invalid task name specified.
PAM-CMN-0599 = Device group contains invalid task name(s): {0}.
PAM-CMN-0600 = Device group contains invalid service name(s): {0}.
PAM-CMN-0601 = Device group contains invalid SSL VPN service name(s): {0}.
PAM-CMN-0602 = Device group contains invalid device name(s): {0}.
PAM-CMN-0603 = Device group cannot contain other device groups: {0}.
PAM-CMN-0604 = Access method may not be defined twice on the same device.
PAM-CMN-0605 = Invalid access method type(s) {0}.

LDAP Messages
PAM-CMN-0606 = LDAP entry must be of type UserGroupType to retrieve group users.
PAM-CMN-0607 = LDAP user group does not contain any users.
PAM-CMN-0608 = LDAP connection failure: {0}.
PAM-CMN-0609 = LDAP bind failure: {0}.
PAM-CMN-0610 = LDAP query failure: {0}.
PAM-CMN-0611 = Starting point for browsing LDAP directory is not under configured browse points.
PAM-CMN-0612 = LDAP domain not found.
PAM-CMN-0613 = LDAP update in progress, please try again later.
PAM-CMN-0614 = LDAP Group {0} imported into CA PAM. {1} Users Processed: {2} New Users, {3} Updated Users, {4} Deleted Users, {5} Failed New Users, {6} Failed Updated Users, {7} Failed Deleted Users.
PAM-CMN-0615 = LDAP import failed: {0}
PAM-CMN-0616 = {0} LDAP group(s) completed with errors. Please check the audit log on the cluster master for more details.
PAM-CMN-0617 = There are no imported LDAP groups to refresh.
PAM-CMN-0618 = Warning: user {0} from LDAP group {1} has same short name, {2}, as user {3} from LDAP group {4}. RADIUS authentication process will not be able to differentiate between the two users. Both user accounts will be deactivated.
PAM-CMN-0619 = Unauthorized attempt to retrieve the configuration for LDAP domains.
PAM-CMN-0620 = Connection failed to LDAP domain {0} using server {1}. Failing over to the next configured LDAP server.
PAM-CMN-0621 = Import Warning For LDAP Group {0}: {1}
PAM-CMN-0622 = Import Error For LDAP Group {0}: {1}
PAM-CMN-0623 = Invalid LDAP group(s) specified: {0}.
PAM-CMN-0624 = LDAP Group {0} imported into CA PAM. {1} Devices Processed: {2} New Devices, {3} Updated Devices, {4} Deleted Devices, {5} Failed New Devices, {6} Failed Updated Devices, {7} Failed Deleted Devices.
PAM-CMN-0625 = Adding LDAP group {0} aborted. The LDAP group and all its registered members will be deleted.
PAM-CMN-0626 = STARTTLS LDAP connection made to {0}.
PAM-CMN-0627 = LDAP connection made to {0}.
PAM-CMN-0628 = An LDAP operation is in progress.
PAM-CMN-0629 = LDAPS connection made to {0}.
PAM-CMN-0630 = LDAP is configured but the appliance is unlicensed. License the appliance before launching the LDAP browser.
PAM-CMN-1932 = "Invalid LDAP Domain Id {0}"
PAM-CMN-5405 = "Unable to delete user, because it is configured for Forced Deactivation Alert."

CSV Import/Export Related Messages
PAM-CMN-0631 = Invalid file type of {0}. Import supports only CSV files of types: {1}.
PAM-CMN-0632 = Import file cannot be found.
PAM-CMN-0633 = Invalid CSV row type {0} on line {1}.
PAM-CMN-0634 = Error importing user on line {0}:
PAM-CMN-0635 = User group {0} does not exist.
PAM-CMN-0636 = Role {0}, does not exist: {1}.
PAM-CMN-0637 = Role user group, {0}, does not exist: {1}.
PAM-CMN-0638 = Role device group, {0}, does not exist: {1}.
PAM-CMN-0639 = Invalid import file. CSV headers are missing.
PAM-CMN-0640 = Unrecognized CSV header: {0}.
PAM-CMN-0641 = Number of CSV data fields ({0}) does not match CSV header count ({1}) on line {2}.
PAM-CMN-0642 = First CSV header must be Type.
PAM-CMN-0643 = User created successfully.
PAM-CMN-0644 = User updated successfully.
PAM-CMN-0645 = User Group created successfully.
PAM-CMN-0646 = User Group updated successfully.
PAM-CMN-0647 = Error occurred during import.
PAM-CMN-0648 = Device Group {0} does not exist.
PAM-CMN-0649 = Device created successfully.
PAM-CMN-0650 = Device updated successfully.
PAM-CMN-0651 = Device Group created successfully.
PAM-CMN-0652 = Device Group updated successfully.
PAM-CMN-0653 = Invalid task name specified: {0}.
PAM-CMN-0654 = Console device {0} does not exist.
PAM-CMN-0655 = Power device {0} does not exist: {1}.
PAM-CMN-0656 = Device access method types do not exist: {0}.
PAM-CMN-0657 = Device services do not exist: {0}.
PAM-CMN-0658 = TCP/UDP services with both TCP and UDP ports defined must have the same port value(s).
PAM-CMN-0659 = Service created successfully.
PAM-CMN-0660 = Service updated successfully.
PAM-CMN-0661 = Invalid role privileges: {0}.
PAM-CMN-0662 = Role created successfully.
PAM-CMN-0663 = Role updated successfully.
PAM-CMN-0664 = Policy created successfully.
PAM-CMN-0665 = Policy updated successfully.
PAM-CMN-0666 = Device {0} does not have access method {1}.
PAM-CMN-0667 = Device {0} does not have access method {1}, with name {2}.
PAM-CMN-0668 = Device {0} does not have service {1}.
PAM-CMN-0669 = Device {0} does not have VPN service {1}.
PAM-CMN-0670 = Invalid {0} value. Valid values are: t, f.
PAM-CMN-0671 = Socket filter list entry created successfully.
PAM-CMN-0672 = Socket filter list entry updated successfully.
PAM-CMN-0673 = Command filter list entry created successfully.
PAM-CMN-0674 = Command filter list entry updated successfully.
PAM-CMN-0675 = Import failed: CSV file not specified.
PAM-CMN-0676 = Device {0} does not have target application {1}.
PAM-CMN-0677 = Device {0} does not have target account {1}.
PAM-CMN-0678 = Target account {0} does not have the correct id.
PAM-CMN-0679 = Socket filter list entry already exists and therefore will not be added.
PAM-CMN-0680 = Import failed: SAML metadata file not specified.
PAM-CMN-0681 = The policy for the specified SAML Service Policy doesn't exist. Provision the policy before importing the SAML Service.
PAM-CMN-0682 = The SAML service {0} doesn't exist.
PAM-CMN-0683 = The specified SAML service has not been assigned to the device.
PAM-CMN-0684 = CSV import of type {0} initiated.
PAM-CMN-0685 = Device Group {0} does not have credential source {1}.

Office365 Integration Messages, SAML IdP and SP Messages
PAM-CMN-0686 = Default default contact user {0} does not exist.
PAM-CMN-0687 = Invalid default contact method {0} specified.
PAM-CMN-0688 = Device monitor protocol required.
PAM-CMN-0689 = Device monitor port required for protocol {0}.
PAM-CMN-0690 = Device monitor contact required for protocol {0}.
PAM-CMN-0691 = Device monitor contact method required for protocol {0}.
PAM-CMN-0692 = Invalid device monitor protocol specified.
PAM-CMN-0693 = Invalid device monitor port {0} specified for protocol {1}.
PAM-CMN-0694 = Invalid device contact method specified for protocol {0}.
PAM-CMN-0695 = Device monitor contact {0} does not exist.
PAM-CMN-0696 = Maximum buffer size is 8192.
PAM-CMN-0697 = Invalid web session recording quality specified. Valid values are high and low.
PAM-CMN-0698 = Unauthorized attempt to delete policies associated with the Office365 service.
PAM-CMN-0699 = Calculating the certificate fingerprint for IdP {0} failed. The IdP configuration will not be saved.
PAM-CMN-0700 = The SAML RP's {0} is a required field. Please enter a valid value.
PAM-CMN-0701 = The SAML RP's Fully Qualified Hostname is not a valid hostname.
PAM-CMN-0702 = The {0} of Identity Provider {1} is a required field. Please enter a valid value.
PAM-CMN-0703 = Invalid Identity Provider SSO binding specified for Identity Provider {0}. Valid values are: {1}.
PAM-CMN-0704 = The Single Sign On Service URL for Identity Provider {0} is not a valid HTTP URL.
PAM-CMN-0705 = The specified {0} of Identity Provider {1} is invalid. Valid values are: true or false.
PAM-CMN-0706 = The specified certificate for Identity Provider {0} is not a valid PEM certificate.
PAM-CMN-0707 = Invalid Signature Algorithm specified for Identity Provider {0}. Valid values are: {1}.
PAM-CMN-0708 = Invalid Name ID Formats specified for Identity Provider {0}. Valid values are: {1}.
PAM-CMN-0709 = Invalid Authentication Contexts specified for Identity Provider {0}. Valid values are: {1}.
PAM-CMN-0710 = Identity Provider entity IDs must be unique. The are multiple identity providers with the following entity ID(s): {0}.
PAM-CMN-0711 = Invalid SAML version specified for Identity Provider {0}. Valid values are: 1.1, 2.0
PAM-CMN-0712 = CA PAM as SAML RP configuration updated.
PAM-CMN-0713 = Identity Provider friendly names must be unique. The are multiple identity providers with the following friendly name(s): {0}.
PAM-CMN-0714 = Invalid vulnerability reporting level specified. Valid values are 'Log' or 'Log And Warn'.
PAM-CMN-0715 = Invalid vulnerability enabled specified.
PAM-CMN-0716 = The following required fields in the SAML RP configuration must be specified before the configuration can be saved or an IdP can be configured: Entity ID, Fully Qualified Hostname, Certificate Key Pair.
PAM-CMN-0717 = The required field, 'Fully Qualified Hostname', in the SAML configuration on cluster member {0} has not been defined. Please specify a value for the field before downloading metadata.
PAM-CMN-0718 = SAML SP metadata for remote IdP {0} downloaded.
PAM-CMN-0719 = An attempt was made to access the SAML IdP Proxy service when CA PAM is not deployed in a cluster.
PAM-CMN-0720 = An error occurred while completing this request. Please contact your administrator for further assistance.
PAM-CMN-0721 = An attempt was made to access the SAML IdP Proxy service on this node but this node is not the cluster master.
PAM-CMN-0722 = The following remote IdP(s) have been deleted: {0}.
PAM-CMN-0723 = The following remote IdP(s) have been added: {0}.
PAM-CMN-0724 = The id of identity provider {0} is not a valid id: {1}.
PAM-CMN-0725 = Invalid value specified ({0}). Integer expected.
PAM-CMN-0726 = Invalid value specified for SAML Accept RSA-SHA1 Signed Responses. Valid values are: t,f.
PAM-CMN-0727 = Invalid value specified for Client Distribution Intranet URL. Only domain names and IP addresses are allowed.
PAM-CMN-0728 = Invalid port specified for Client Distribution Intranet URL.
PAM-CMN-1818 = No user name supplied for Office 365.
PAM-CMN-1921 = Updated Microsoft Office 365 configuration
PAM-CMN-1922 = Cleared Microsoft Office 365 configuration
PAM-CMN-1923 = Office 365 configuration test: Connected successfully to the supplied URLs
PAM-CMN-1924 = Office 365 configuration test: Error connecting to the supplied URLs
PAM-CMN-2346 = Updated Microsoft Office 365 configuration
PAM-CMN-2347 = Cleared Microsoft Office 365 configuration
PAM-CMN-2348 = Office 365 configuration test: Connected successfully to the supplied URLs
PAM-CMN-2349 = Office 365 configuration test: Error connecting to the supplied URLs

Policy Management Messages
PAM-CMN-0729 = Unexpected from location for policy request of {0}.
PAM-CMN-0730 = Invalid service specified in policy.
PAM-CMN-0731 = Invalid task specified in policy.
PAM-CMN-0732 = Invalid socket filter specified in policy.
PAM-CMN-0733 = Invalid command filter specified in policy.
PAM-CMN-0734 = Invalid CLI session recording flag in policy.
PAM-CMN-0735 = Invalid graphical session recording flag in policy.
PAM-CMN-0736 = Invalid bidirectional flag in policy.
PAM-CMN-0737 = Invalid VPN service specified in policy.
PAM-CMN-0738 = Invalid restrict login if agent is not running value. Valid values are: t, f.
PAM-CMN-0739 = AWS Policy can be specified only for AWS service.
PAM-CMN-0740 = Unable to display credentials. See log for details.
PAM-CMN-0741 = Web portal recording can only be enabled for policies that contain a web portal services utilizing the CA browser. Please set the browser type property of the service to CA.
PAM-CMN-0742 = Policies involving ca.aws.amazon.com may not be imported or exported via csv.
PAM-CMN-0743 = Attempt to add a target account {0} to a policy that does not have access to it.
PAM-CMN-0744 = There is credentials conflict in Transparent Login Window with title '{0}' ('{1}' and '{2}' RDP Applications).
PAM-CMN-0745 = The policy data structure specified is invalid. {0}.
PAM-CMN-0746 = The policy's device does not offer any access methods for policy. Please add access methods to the device first.
PAM-CMN-0747 = The policy's device does not offer device access methods with the following id(s): {0}.
PAM-CMN-0748 = The policy's device does not offer any TCP/UDP nor RDP application services for policy. Please add services to the device first.
PAM-CMN-0749 = The policy's device does not offer TCP/UDP nor RDP application services with the following id(s): {0}.
PAM-CMN-0750 = The policy's device does not offer any VPN services for policy. Please add VPN services to the device first.
PAM-CMN-0751 = The policy's device does not offer VPN services with the following id(s): {0}.
PAM-CMN-0752 = The specified target account id is invalid: {0}.
PAM-CMN-0753 = The restrict login flag requires a socket filter list to be set for this policy.
PAM-CMN-0754 = No applets or services which support CLI recording are selected.
PAM-CMN-0755 = No applets or services which support graphical recording are selected.
PAM-CMN-0756 = No applets or services which support bidirectional CLI recording are selected.
PAM-CMN-0757 = The specified device does not offer any target accounts for viewing. Please add target accounts to the device first.
PAM-CMN-0758 = A policy must specify either an access method, a service, a vpn service, or target accounts.
PAM-CMN-0759 = The bidirectional flag may only be set on if CLI recording is selected.
PAM-CMN-0760 = Transparent login not defined for any selected access method or service.
PAM-CMN-0761 = A policy association between user (group) {0} and device (group) {1} doesn't exist.
PAM-CMN-0762 = No such policy exists.
PAM-CMN-0763 = The specified user or user group id was not found.
PAM-CMN-0764 = The specified device or device group id was not found.
PAM-CMN-0765 = The specified account id is not selected in the policy for viewing.
PAM-CMN-0766 = The policy does not contain the access method with id {0}. Use POST for adding.
PAM-CMN-0767 = The policy already contains the access method with id {0}. Use PUT for updates.
PAM-CMN-0768 = The policy does not contain the service with id {0}. Use POST for adding.
PAM-CMN-0769 = The policy already contains the service with id {0}. Use PUT for updates.
PAM-CMN-0770 = The policy already contains the SSLVPN service with id {0}.
PAM-CMN-0771 = The policy is already configured to allow viewing the password for the account with id {0}.
PAM-CMN-0772 = The following account id(s) do not belong to the specified device: {0}.
PAM-CMN-0773 = A policy association between the specified user (group) and device (group) already exists.
PAM-CMN-0774 = A mapping for the required SAML attribute, {0}, for users with provision type {1} must be defined.
PAM-CMN-0775 = The following SAML attributes have not been mapped to a valid value: {0}.
PAM-CMN-0776 = The following provision types have multiple Subject Name Identifier mappings defined: {0}. There can only be one mapping defined per provision type.
PAM-CMN-0777 = The following SAML requested attribute ids for SAML resolved attributes are invalid: {0}.
PAM-CMN-0778 = The format for the following SAML attribute is invalid: {0}. Expected format is: {1}.
PAM-CMN-0779 = Requested SAML attribute with name {0} doesn't exist.
PAM-CMN-0780 = Target servers and all associated applications and accounts were deleted from policies.
PAM-CMN-0781 = Target applications and all associated accounts were deleted from policies.
PAM-CMN-0782 = Target accounts were deleted from policies.
PAM-CMN-0783 = Target account belonging to device {0} for target application {1} with user name {2} not found.
PAM-CMN-0784 = Policies involving ca.nsx.vmware.com may not be imported or exported via csv.
PAM-CMN-0785 = AWS Policy value is not specified for AWS service.
PAM-CMN-0786 = ssoWindow winId {0} is not valid for RDP Application service id {1}. Either the winId doesn't exist or it is not assigned to the service.
PAM-CMN-0787 = Invalid account triplet specifed: {0}

Management Console Messages
PAM-CMN-0788 = Invalid policy name specified. Policy name must be alpha-numeric.
PAM-CMN-0789 = Policy name required.
PAM-CMN-0790 = Invalid policy version specified.
PAM-CMN-0791 = Invalid policy description specified.
PAM-CMN-0792 = CA PAM appliance already imported into management console.
PAM-CMN-0793 = Working set with the specified name already exists.
PAM-CMN-0794 = Invalid policy module specified.
PAM-CMN-0795 = A policy must contain at least one module before associating it with an CA PAM appliance.
PAM-CMN-0796 = Unable to successfully authenticate to server {0}.
PAM-CMN-0797 = Invalid policy specified.
PAM-CMN-0798 = CA PAM credentials not specified. Please set the credentials for the server or set the default credentials for all servers.
PAM-CMN-0799 = Unable to establish connection to CA PAM appliance {0}.

Management Console API Messages
PAM-CMN-4800 = External API License is required for Management Console licensing.
PAM-CMN-4801 = Once an appliance is a management console it may never revert to an ordinary PAM appliance.
PAM-CMN-4802 = Invalid value for PAM Management Console.
PAM-CMN-4803 = Internal user for collecting data for PAM Management Console.
PAM-CMN-4804 = API key for collecting data for PAM Management Console.
PAM-CMN-4805 = Successfully created internal user {0} for PAM Management Console.
PAM-CMN-4806 = Failed to properly initialize PAM Management Console.
PAM-CMN-4807 = Allows read only access to the PAM Management Console.
PAM-CMN-4808 = Allows create and update access to the PAM Management Console.
PAM-CMN-4809 = Allows access to PAM Management Console Administration UI.
PAM-CMN-4810 = Failed to define proper password for MCApiUser's API key.
PAM-CMN-4811 = Allows the user to view the PAM Management Console.
PAM-CMN-4812 = Allows the user to change the PAM Management Console.
PAM-CMN-4813 = Allows the user to access the PAM Management Console Administration UI.
PAM-CMN-4814 = The PAM Management Console API user may not have its roles changed.
PAM-CMN-4815 = The PAM Management Console API user may not be deleted.
PAM-CMN-4850 = User defined roles may not contain the Global Administrator privilege nor any PAM Management Console related privilege.

Managed Server Service Messages
PAM-CMN-0800 = CA PAM appliance is already being managed by a management console.
PAM-CMN-0801 = Apply policy {0} failed.

Command and Socket Filter Messages
PAM-CMN-0802 = Violations before action value must be a positive number.
PAM-CMN-0803 = Violations before action value must be greater than 0.
PAM-CMN-0804 = Invalid intervention action specified.
PAM-CMN-0805 = Invalid agent listening port. Port must be a valid TCP port.
PAM-CMN-0806 = Invalid CA PAM appliance ID. ID must be numeric and between 1 and 254.
PAM-CMN-0807 = SFA Monitoring is required.
PAM-CMN-0808 = Socket filter list name required.
PAM-CMN-0809 = Socket filter list type required.
PAM-CMN-0810 = Invalid characters in socket filter list name. Semicolons, commas, percent signs, and backslashes are invalid.
PAM-CMN-0811 = Invalid socket filter list type. Valid types are: black, white.
PAM-CMN-0812 = Socket filter host address required.
PAM-CMN-0813 = Invalid socket filter host address. Address must be a valid IP address.
PAM-CMN-0814 = Socket filter port required.
PAM-CMN-0815 = Invalid socket filter port {0}. Port must be a valid TCP port.
PAM-CMN-0816 = A socket filter list with name {0} already exists.
PAM-CMN-0817 = Socket filter list not found.
PAM-CMN-0818 = Command filter list name required.
PAM-CMN-0819 = Command filter list type required.
PAM-CMN-0820 = Invalid characters in command filter list name. Semicolons, commas, percent signs, and backslashes are invalid.
PAM-CMN-0821 = Invalid command filter list type. Valid types are: black, white.
PAM-CMN-0822 = Invalid command filter alert value. Valid values are: t, f.
PAM-CMN-0823 = Invalid command filter block value. Valid values are: t, f.
PAM-CMN-0824 = Invalid command filter regular expression value. Valid values are: t, f.
PAM-CMN-0825 = Command filter keyword required.
PAM-CMN-0826 = A command filter list with name {0} already exists.
PAM-CMN-0827 = Socket filter list id must be a positive integer.
PAM-CMN-0828 = Command filter list id must be a positive integer.
PAM-CMN-0829 = Command filter list not found.
PAM-CMN-0830 = Duplicate entry, {0}, defined for socket filter list.
PAM-CMN-0831 = Duplicate keyword, {0}, defined for command filter list.
PAM-CMN-0832 = Duplicate ports {0} for socket filter host {1}.
PAM-CMN-0833 = SFA Log All Access value required.
PAM-CMN-0834 = Either (comma delimited) individual ports or a single port range must be specified, not ({0}).
PAM-CMN-0835 = A comma delimited port string cannot be more than 512 characters long.
PAM-CMN-0836 = Invalid AWS policy name {0}. Name must only have alphanumeric characters and =,.@ or -.
PAM-CMN-0837 = AWS policy not found.
PAM-CMN-0838 = AWS policy name cannot be longer than 128 characters.
PAM-CMN-0839 = AWS policy name {0} must be unique.
PAM-CMN-0840 = AWS policy is in use and may not be deleted.
PAM-CMN-0841 = AWS session duration invalid.
PAM-CMN-0842 = JSON for AWS policy invalid.
PAM-CMN-0843 = AWS policy too large to compile. See log for details.
PAM-CMN-0844 = AWS policy invalid. See log for details.
PAM-CMN-0845 = AWS policy required.
PAM-CMN-0846 = In order to create an AWS policy at least one Access Key must be defined in Password Authority.
PAM-CMN-0847 = Invalid filter list type specified. Valid values are: white, black.
PAM-CMN-0848 = The enabled filter is not supported for SSLVPN service type.
PAM-CMN-0849 = The command filter {0} has been deleted.
PAM-CMN-0850 = The socket filter {0} has been deleted.

Logging and Reporting Messages
PAM-CMN-0851 = Cannot add an existing report.
PAM-CMN-0852 = Report name required.
PAM-CMN-0853 = Choose either relative or absolute date range.
PAM-CMN-0854 = Badly formed relative date interval.
PAM-CMN-0855 = Invalid relative date reporting interval.
PAM-CMN-0856 = Invalid relative date reporting amount.
PAM-CMN-0857 = At least one column must be specified for a report.
PAM-CMN-0858 = Invalid email address specified. Multiple addresses must be separated by a comma.
PAM-CMN-0859 = Email address required.
PAM-CMN-0860 = The interval between emails is not defined properly.
PAM-CMN-0861 = The time to send the email is not defined properly.
PAM-CMN-0862 = Email send interval required.
PAM-CMN-0863 = Only the original author of a report or a Global Administrator may update or delete it.
PAM-CMN-0864 = Relative report dates must specify the number of days, weeks or months to include in the report.
PAM-CMN-0865 = Log report not found.
PAM-CMN-0866 = Invalid date range format.
PAM-CMN-0867 = Start date must be before end date.
PAM-CMN-0868 = Invalid list of columns for report.
PAM-CMN-0869 = Unable to locate recording data. The file may have been removed, or the mount may be down.
PAM-CMN-0870 = Session Recording Integrity Failure: This session recording appears to have been modified since it was recorded. Proceed at your own risk.
PAM-CMN-0871 = A report named {0} already exists for this user.
PAM-CMN-0872 = startDate must be specified if endDate is specified.
PAM-CMN-0873 = endDate must be specified if startDate is specified.
PAM-CMN-0874 = Session recording can not be started for '{0}' in {1} safe mode because mount is down.
PAM-CMN-0875 = Session recording can not be started for '{0}' because {1} session recording is disabled.
PAM-CMN-0876 = Network mount for session recording unavailable.
PAM-CMN-0877 = Invalid format of Start Date.
PAM-CMN-0878 = Invalid format of End Date.
PAM-CMN-0879 = Invalid selected range type format.
PAM-CMN-0880 = Email daily time required.
PAM-CMN-1080 = Unauthorized attempt to add a message to the audit log: {0}
PAM-CMN-1371 = Log records viewed
The PAM-CMN-1371 message appears twice when someone logs into the CA PAM UI. This is expected behavior, as the UI queries the log to obtain information to appear under Recent Events and to populate the dashboard.
PAM-CMN-1372 = Downloaded log records
PAM-CMN-1373 = Failed to update status of log row {0}
PAM-CMN-1374 = Log report {0} successfully added
PAM-CMN-1375 = Log report {0} not added
PAM-CMN-1376 = Log report {0} updated
PAM-CMN-1377 = Update of log report {0} failed
PAM-CMN-1378 = Log report {0} was deleted
PAM-CMN-1379 = Log report {0} was not deleted
PAM-CMN-1490 = Unable to purge the logs! Please, contact your administrator!
PAM-CMN-1491 = All logs have been purged!
PAM-CMN-1492 = Log file {0} deleted successfully
PAM-CMN-1493 = Unable to delete log file {0}
PAM-CMN-1494 = Changed automatic Log Purge Settings. Status: Enabled, Purge interval: {0} Hour(s), Email flag: {1} Email size: {2}MB
PAM-CMN-1495 = Changed automatic Log Purge Settings. Status: Disabled
PAM-CMN-1496 = External Log Settings saved successfully.
PAM-CMN-1497 = Cannot create log table on the external server.
PAM-CMN-1498 = Created new log table on the external server.
PAM-CMN-1499 = Cannot create log_user_group table on the external server.
PAM-CMN-1500 = Created new log_user_group table on the external server.
PAM-CMN-1501 = Cannot create log_device_group table on the external server.
PAM-CMN-1502 = Created new log_device_group table on the external server.
PAM-CMN-1920 = Downloaded log file {0}.
PAM-CMN-2008 = logwatch[{0}]: "mail error: {1}"
PAM-CMN-2009 = logwatch[{0}]: "Log id {1} to {2} deleted, no mail sent."
PAM-CMN-2010 = logwatch[{0}]: "Log id {1} to {2} deleted, mail sent OK."
PAM-CMN-2011 = logwatch[{0}]: "Log id {1} to {2} deleted, mail error: {3}"
PAM-CMN-2012 = logwatch[{0}]: "Problem deleting log id {1} to {2}, no mail sent."
PAM-CMN-2013 = logwatch[{0}]: "Problem deleting log id {1} to {2}, mail sent OK."
PAM-CMN-2014 = logwatch[{0}]: "Problem deleting log id {1} to {2}, mail error: {3}"
PAM-CMN-2015 = logwatch[{0}]: "Starting up logwatch"
PAM-CMN-2345 = Downloaded log file {0}.
PAM-CMN-2590 = Not connected to the external log server.
PAM-CMN-2591 = No logs to send.
PAM-CMN-2603 = No log files exist!
PAM-CMN-3136 = Metrics auto archive failed. Please check configuration.
PAM-CMN-3137 = Audit Log auto archive failed. Please check configuration.

Policy Conflict Messages
PAM-CMN-0881 = Updating the group membership for {0} will cause a {1} filter policy conflict for {2} from the following policies:
PAM-CMN-0882 = Socket filter {0} list policy {1} from association between user {2} and device {3}.
PAM-CMN-0883 = Command filter {0} list policy {1} from association between user {2} and device {3}.
PAM-CMN-0884 = Adding {0} to group {1} will cause a {2} filter policy conflict for {3} from the following policies:
PAM-CMN-0885 = Adding device {0} to {1} will cause a {2} filter policy conflict for {3} from the following policies:
PAM-CMN-0886 = Adding {0} to group {1} will cause a {2} filter policy conflict for {3} from the following policies:
PAM-CMN-0887 = Policy settings for association will cause a {0} filter policy conflict for {1} and {2} from the following policies:
PAM-CMN-0888 = Not authorized to retrieve policy conflicts.
PAM-CMN-0889 = Policy conflicts exist in CA PAM. Navigate to the policy conflict page to view the conflicts.
PAM-CMN-0890 = Credential {0} from association between user {1} and device {2}.
PAM-CMN-0891 = Updating the group membership for {0} will cause a credential policy conflict for access method {1} on {2} from the following policies:
PAM-CMN-0892 = Adding {0} to group {1} will cause a credential policy conflict for access method {2} on {3} from the following policies:
PAM-CMN-0893 = Adding device {0} to {1} will cause a credential policy conflict for {2} for access method {3} from the following policies:
PAM-CMN-0894 = Adding access method {0} to {1} will cause a credential policy conflict for {2} from the following policies:
PAM-CMN-0895 = Adding {0} to group {1} will cause a credential policy conflict for {2} for access method {3} from the following policies:
PAM-CMN-0896 = Adding access method {0} to group {1} will cause a credential policy conflict for {2} on {3} from the following policies:
PAM-CMN-0897 = Policy settings for association will cause a credential policy conflict for {0} and access method {1} on {2} from the following policies:
PAM-CMN-0898 = Policy settings cause a credential conflict for secondary login. See your CA PAM Administrator and check the log for details.

Authentication-Related Messages
PAM-CMN-0899 = Invalid authentication method: {0}.
PAM-CMN-0900 = Bad User ID ({0}) or Password.
PAM-CMN-0901 = You are not allowed to login at this time.
PAM-CMN-0902 = To login you have to accept the terms of the license.
PAM-CMN-0903 = This account is deactivated. See your CA PAM Administrator.
PAM-CMN-0904 = No Email Contact to Alert: {0}
PAM-CMN-0905 = Email alert sent to user {0}: {1}
PAM-CMN-0906 = User {0} deactivated due to reaching the password failure limit.
PAM-CMN-0907 = Account {0} has expired. See your CA PAM Administrator.
PAM-CMN-0908 = Account {0} is not yet activated. See your CA PAM Administrator.
PAM-CMN-0909 = Account {0} has been deactivated due to extended inactivity. See your CA PAM Administrator.
PAM-CMN-0910 = Unable to create security context for user {0}.
PAM-CMN-0911 = Due to account modifications, please change your password.
PAM-CMN-0912 = Due to password timeout, please change your password.
PAM-CMN-0913 = Due to increased password security, please change your password.
PAM-CMN-0914 = User {0} has logged into the CA Privileged Access Manager appliance {1}.
PAM-CMN-0915 = User {0} logged in.
PAM-CMN-0916 = This CA PAM appliance is in maintenance mode. Only admin level users can login.
PAM-CMN-0917 = User {0} logged in successfully via {1} authentication.
PAM-CMN-0918 = User deactivated.
PAM-CMN-0919 = Deactivated account {0}. Exceeded inactivity limit.
PAM-CMN-0920 = Deactivated account {0}. Account expired.
PAM-CMN-0921 = Single Sign On authentication failed. Please retry login.
PAM-CMN-0922 = You are logged out of CA PAM.
PAM-CMN-0923 = Single sign-on session expired. Please re-login.
PAM-CMN-0924 = Multiple CA PAM user accounts map to the same SAML identity ({0}). Rejecting the SAML authentication request and deactivating all the user accounts. Please activate one account that will be used to map to the SAML identity.
PAM-CMN-0925 = User {0} from SAML enabled group {1} has the same SAML user name {2} from SAML attribute {3}. User account deactivated.
PAM-CMN-0926 = Single sign-on authentication failed. Please contact your system administrator.
PAM-CMN-0927 = SAML user {0} not found in CA PAM or does not belong to a SAML enabled group.
PAM-CMN-0928 = SAML assertion {0} timestamp exceeds validity window by approximately {1} minutes. Assertion Issued: {2}.
PAM-CMN-0929 = SAML assertion issuer, {0}, does not match configured issuer {1}.
PAM-CMN-0930 = Invalid SAML assertion recipient URL: {0}.
PAM-CMN-0931 = SAML assertion recipient, {0}, not recognized. Valid recipients are: {1}.
PAM-CMN-0932 = SAML assertion received by authentication service at time {0} is before SAML Not-Before Condition {1}.
PAM-CMN-0933 = SAML assertion received by authentication service at time {0} is after SAML Not-On-Or-After Condition {1}.
PAM-CMN-0934 = SAML assertion received with a non-successful status code {0}.
PAM-CMN-0935 = CA PAM appliance in FIPS mode. SAML SSO disabled.
PAM-CMN-0936 = User attempted to login via SAML SSO but SAML SSO is not enabled.
PAM-CMN-0937 = SAML assertion not found in request.
PAM-CMN-0938 = Unable to decode SAML assertion.
PAM-CMN-0939 = SAML assertion failed schema validation.
PAM-CMN-0940 = Verification of SAML assertion failed: Certificate of SAML assertion producer has not been uploaded to CA PAM.
PAM-CMN-0941 = Saving the SAML assertion to a temporary file failed.
PAM-CMN-0942 = SAML assertion failed signature verification.
PAM-CMN-0943 = There are no user or user groups with an authentication method of SAML.
PAM-CMN-0944 = Login failed for user {0} due to multiple active RADIUS users having the same login name. All RADIUS users with login name {1} will be deactivated.
PAM-CMN-0945 = Login Failed. Please contact your system administrator for further assistance.

PAM-CMN-0946 = Authentication Daemon communication failure: {0}

PAM-CMN-0947 = Authentication Daemon access rejected message: {0}

PAM-CMN-0948 = Authentication Daemon General Error occurred ({0}). Please check if the Authentication Daemon is properly set up.

PAM-CMN-0949 = RADIUS user is not registered. Contact your CA PAM Administrator.

PAM-CMN-0950 = Authentication failed for RADIUS user {0}. RADIUS authentication succeeded but unable to retrieve the user's RADIUS group.

PAM-CMN-0951 = Authentication failed for RADIUS user {0}. RADIUS authentication succeeded but the user's RADIUS group changed from {1} to {2}. The new RADIUS group is not registered with CA PAM. User account deleted.

PAM-CMN-0952 = RADIUS user {0} moved from RADIUS group {1} to RADIUS group {2}.

PAM-CMN-0953 = Authentication failed for RADIUS user {0}. RADIUS authentication succeeded but the user's RADIUS group, {1}, is not registered. User will be logged out.

PAM-CMN-0954 = Adding RADIUS user {0} to CA PAM failed with message(s): {1}.

PAM-CMN-0955 = Authentication user {0} returned an invalid {1} challenge response for {2} authentication. Authentication request denied.

PAM-CMN-0956 = Unrecognized RADIUS challenge type {0}. Authentication request for user {1} denied.

PAM-CMN-0957 = SAML RADIUS authentication succeeded but the RADIUS group was not passed to CA PAM. User will be deleted and logged out.

PAM-CMN-0958 = Cisco SSO RADIUS user {0} moved to registered RADIUS group {1}.

PAM-CMN-0959 = User is not logged in.

PAM-CMN-0960 = Verify user credentials does not support the authentication method configured for the user.

PAM-CMN-0961 = User not found.

PAM-CMN-0962 = Determining the least-loaded CA PAM appliance for user ({0})'s session failed. Granting the user a session on this appliance.

PAM-CMN-0963 = Invalid attempt to acquire a session on this CA PAM appliance as user {0} via CA PAM load balance redirect.

PAM-CMN-0964 = Login failed for user {0} due to multiple active RSA users having the same login name. All RSA users with login name {1} will be deactivated.

PAM-CMN-0965 = Login Failed. Please contact your system administrator for further assistance.

PAM-CMN-0966 = User {0} selected to authenticate via {1} but the configured authentication method for the user is {2}.

PAM-CMN-0967 = The Active Directory user with user principal name {0} or samAccountName {1} is not registered with CA PAM.

PAM-CMN-0968 = The LDAP user with attribute {0}={1} is not registered with CA PAM

PAM-CMN-0969 = User {0} session is set for post-authentication load balancing to member {1}. The user's session will be destroyed on this member and resumed on member {2}.

PAM-CMN-0970 = User {0} session has been post-authentication load balanced to this member. The user's session will be resumed on this member.

PAM-CMN-0971 = User {0} failed LDAP+RSA authentication. The LDAP authentication failed.

PAM-CMN-0972 = User {0} failed LDAP+RSA authentication. The RSA authentication failed with RSA user name {1}.

PAM-CMN-0973 = User {0} attempted to access from an unauthorized IP: {1}. The only authorized networks are [{2}].

PAM-CMN-0974 = You have attempted to gain access from an invalid network. Please contact your administrator.

PAM-CMN-0975 = You have not been authorized to connect.

PAM-CMN-0976 = User {0} attempted an invalid PKI authentication.

PAM-CMN-0977 = PKI authentication failed with error: {0}

PAM-CMN-0978 = PKI user {0} not approved for access. Registration deleted.

PAM-CMN-0979 = LDAP authentication failed for user {0} with error code ({1}) and error string ({2}).

PAM-CMN-0980 = User {0} selected to authenticate via {1} but the user is required to authenticate via SAML from the SAML authentication inherited from the following group(s): {2}.

PAM-CMN-0981 = User {0} with authentication type SAML is mapped to the same SAML user name, {1}, as other CA PAM accounts. User account deactivated.

PAM-CMN-0982 = SAML SSO Authentication Failure: Status Code: {0}. Status Message: {1}. SubStatus Code: {2}.

PAM-CMN-0983 = Just-In-Time provisioning of user {0} failed because the userGroup attribute of the SAML assertion does not contain a valid CA PAM user group name. The groups specified in the SAML assertion are: {1}.

PAM-CMN-0984 = Just-In-Time provisioning of user {0} failed due to the following errors: {1}.

PAM-CMN-0985 = Just-In-Time provisioning of user {0} failed due to missing required attribute {1}.

PAM-CMN-0986 = SAML user {0} was not found on CA PAM but the remote identity provider {1} is configured for Just In Time provisioning. CA PAM will attempt to provision an account for the user in the following CA PAM groups: {2}.

PAM-CMN-0987 = The user initiated a SAML SSO Test to remote identity provider {0}.

PAM-CMN-0988 = The validation of the SAML assertion of user identity {0} from remote IdP {1} succeeded but mapping the user to a SAML-enabled CA PAM account failed.

PAM-CMN-0989 = User {0} logged in successfully via {1} authentication from remote IdP {2}.

PAM-CMN-0990 = A SAML reauthentication request was received for a password view request but the remote IdP entity ID is missing from the user's session.

PAM-CMN-0991 = The SAML reauthentication to view the password for account {0} failed: Status Code: {1}. Status Message: {2}. SubStatus Code: {3}.

PAM-CMN-0992 = The SAML reauthentication to view the password for account {0} failed: {1}.

PAM-CMN-0993 = The user attempted to verify their password to view an account password using SAML authentication but the user did not authenticate to CA PAM via SAML authentication.

PAM-CMN-0994 = The SAML reauthentication to view the password for account {0} failed. The user identity in the SAML assertion, {1}, does not match the identity of the CA PAM user that initiated the password view request.

PAM-CMN-0995 = Your LDAP password has been reset. You are required to change your password.

PAM-CMN-0996 = Your LDAP password has expired. You are required to change your password.

PAM-CMN-0997 = The user's LDAP domain is not configured with CA PAM to use TLS and therefore CA PAM will not enable the user to change their password.

PAM-CMN-0998 = User {0} logged in successfully via {1} authentication but will be required to change their password.

PAM-CMN-0999 = A user authenticated with login name {0} but a user with the specified login name is not registered with CA PAM.

PAM-CMN-1000 = User {0} failed LDAP+RADIUS authentication. The LDAP authentication failed.

PAM-CMN-1001 = User {0} failed LDAP+RADIUS authentication. The RADIUS authentication failed with RADIUS user name {1}.

PAM-CMN-1002 = PKI user(s) {0} not approved for access.

PAM-CMN-1003 = Invalid pending PKI user ids specified: {0}.

PAM-CMN-1004 = PKI user(s) {0} approved for access.

PAM-CMN-1005 = Unable to approve the pending PKI user {0} for access: {1}.

PAM-CMN-1006 = CA PAM as a SAML SP received an authentication request for unknown SAML identity provider {0}.

PAM-CMN-1007 = An error occurred while processing SAML assertion: {0}.

PAM-CMN-1008 = SAML SSO Authentication Failure: The received assertion did not include a subject name identifier nor the userName SAML attribute.

PAM-CMN-1009 = SAML password view request out-of-sync ({0} != {1}): The user's internal id did not match the id contained in the user's session.

PAM-CMN-1010 = Please accept the license to proceed.

PAM-CMN-1011 = The user was required to accept the license but canceled. Access denied.

PAM-CMN-1012 = The following group names contained in the SAML assertion do not exist in CA PAM and will be ignored in the Just In Time provisioning of the user {0}: {1}.

PAM-CMN-1013 = User {0} re-logged in successfully via {1} authentication.

PAM-CMN-1014 = User {0} failed {1} re-authentication.

PAM-CMN-1015 = Authentication type mismatch on re-authentication.

PAM-CMN-1016 = User mismatch on re-authentication.

PAM-CMN-1017 = Proxy authentication failed. Cannot find corresponding CA PAM user.

PAM-CMN-1018 = Configuration Password is still the default value.

PAM-CMN-1019 = PKI user {0} approved. User was created.

PAM-CMN-1020 = Attempt to approve PKI user {0} failed. Message was {1}.

PAM-CMN-1021 = SAML SSO of Just-In-Time provisioned user {0} failed due to missing required attribute {1}.

PAM-CMN-1022 = SAML SSO of Just-In-Time provisioned user {0} failed because the userGroup attribute of the SAML assertion does not contain a valid CA PAM user group name. The groups specified in the SAML assertion were: {1}.

PAM-CMN-1023 = The user groups of the Just-In-Time provisioned user {0} has been updated: {1}.

PAM-CMN-1024 = The user groups of the Just-In-Time provisioned user {0} has been updated: {1}. The following user groups contained in the assertion are not valid CA PAM user groups and will be ignored: {2}.

PAM-CMN-1025 = SAML SSO Authentication Failed: Updating the user groups of SAML SSO Just-In-Time provisioned user {0} failed: {1}

PAM-CMN-1026 = SAML SSO of Just-In-Time provisioned user {0} succeeded. The user's group membership has not changed. The assertion also contained the following group names that do not exist in CA PAM: {1}.

PAM-CMN-1027 = LDAP user account {0} is disabled in Active Directory.

PAM-CMN-3252 = Authentication failed. Please contact administrator or try again later.

PAM-CMN-3253 = User {0} failed to access device {1}. The primary site is unreachable and the cluster is configured for security-safe mode. Credentials cannot not be serviced from the local database in security safe mode.

PAM-CMN-3254 = Unauthorized access to RADIUS configuration.

PAM-CMN-3255 = Failed to save the RADIUS configuration on member {0}. Unable to establish a connection to the CA PAM appliance.

PAM-CMN-3256 = Saving RADIUS configuration on all cluster members failed for {0}/{1} members: {2}.

PAM-CMN-3257 = RADIUS configuration saved on all cluster members.

PAM-CMN-3258 = GateKeeper RADIUS configuration saved.

PAM-CMN-3259 = Failed to retrieve the RADIUS configuration from primary member {0}. Unable to establish a connection to the CA PAM appliance.

PAM-CMN-3260 = Synchronizing RADIUS configuration from primary cluster member {0} failed.

PAM-CMN-3261 = RADIUS configuration retrieved from primary cluster member successfully.

PAM-CMN-3263 = Gatekeeper RDPProxy configuration saved.

PAM-CMN-3264 = Failed to save the RDP configuration on member {0}. Unable to establish a connection to the CA PAM appliance.

PAM-CMN-3265 = Saving RDPProxy configuration on all cluster members failed for {0}/{1} members: {2}.

PAM-CMN-3266 = RDPProxy configuration saved on all cluster members.

PAM-CMN-3267 = Failed to retrieve the RDPProxy configuration from primary member {0}. Unable to establish a connection to the CA PAM appliance.

PAM-CMN-3268 = Synchronizing RDPProxy configuration from primary cluster member {0} failed.

PAM-CMN-3269 = RDPProxy configuration retrieved from primary cluster member successfully.

PAM-CMN-3351 = The Kerberos Authentication for the device ''{0}'' will be disabled because device is defined by IP address.

PAM-CMN-3352 = The Kerberos Authentication requires device to be defined by it's FQDN. Kerberos for the device ''{0}'' will be disabled.

PAM-CMN-3353 = The device ''{0}'' has more than one Kerberos KDC server defined for on Group level. Kerberos Authentication will be disabled until conflict is resolved.

Access Service Messages

PAM-CMN-1029 = Task not enabled.

PAM-CMN-1030 = Unexpected command filter policy conflict - launch aborted.

PAM-CMN-1031 = Unexpected socket filter policy conflict - launch aborted.

PAM-CMN-1032 = Missing required device data - launch aborted.

PAM-CMN-1033 = Unauthorized attempt by user {0} to view the access page for user {1}.

PAM-CMN-1034 = Unexpected filter policy conflict - launch aborted.

PAM-CMN-1035 = Unexpected credential conflict - launch aborted.

PAM-CMN-1036 = Unauthorized attempt to set LDAP browser port.

PAM-CMN-1037 = Unauthorized attempt to update LDAP browser domain destination.

PAM-CMN-1038 = Unexpected AWS policy conflict - launch aborted.

PAM-CMN-1039 = AWS Policy {0} missing.

PAM-CMN-1040 = Unable to launch AWS Management Console. If this problem persists then ask your Administrator to investigate.

PAM-CMN-1041 = User {0} attempted to launch recorded web portal {1} but the mount is down. Due to the configured security safe policy, the user's connection attempt will be denied

PAM-CMN-1042 = User {0} attempted to launch recorded web portal {1} but the mount is down. Due to the configured operational safe policy, the user's connection attempt will be granted but not recorded.

PAM-CMN-1043 = CA PAM denied web portal {0}'s connection to host {1} because it does not match an entry in the web portal's access list.

PAM-CMN-1044 = CA PAM denied a request to proxy an HTTP connection to host {0} because the request could not be verified to have originated from an CA browser instance.

PAM-CMN-1045 = CA PAM denied the user's access to web portal {0}. The CA browser is not supported on the {1} operating system.

PAM-CMN-1046 = CA PAM denied user's unauthorized access to web portal {0} on host {1}.

PAM-CMN-1047 = CA PAM unable to find connection data authorizing service {0}'s access to host {1}.

PAM-CMN-1048 = CA PAM denied the user's access to web portal {0}. The CA browser requires a 32-bit JRE.

PAM-CMN-1049 = CA PAM denied the user's SSO access to the AWS Management Console with: invalid SSO credentials specified.

PAM-CMN-1050 = No Office365 HTML was generated.

PAM-CMN-1051 = Unable to launch Office 365 portal: Error code {0}: {1}.

PAM-CMN-1052 = Unable to launch Office 365 portal: Office 365 parameters are not configured.

PAM-CMN-1053 = Unable to launch Office 365 portal: Login credential not found.

PAM-CMN-1054 = Access to credential denied because authorization is required. Authorization request sent. Try again later.

PAM-CMN-1055 = Access to credential denied because the credential is already checked out by someone else. Try again later.

PAM-CMN-1056 = Access to credential denied because authorization request is still pending. Try again later.

PAM-CMN-1057 = Unable to generate AWS proxy account. Please contact CA PAM administrator

PAM-CMN-1058 = Unable to generate NSX proxy account. Please contact CA PAM administrator

PAM-CMN-1059 = The session URL does not match with the URL triggered by the UI

PAM-CMN-1060 = Access denied because of internal failure. Please contact CA PAM administrator.

PAM-CMN-1061 = Access denied because a credential was not chosen or is not available. Please launch the service and choose an available credential.

PAM-CMN-1062 = Access denied because dual authorization is required. If a password view request is not pending please launch the service to create one.

PAM-CMN-1063 = Proxy was not launched because the user failed to correctly respond to the pop up in time.

Credential Management Messages

PAM-CMN-1064 = Credential daemon is not available.

PAM-CMN-1065 = Credential id not found.

PAM-CMN-1066 = No credential sources available.

PAM-CMN-1067 = Could not update or save credential. Check that the title is not already in use.

PAM-CMN-1068 = Password Authority invalid authentication.

PAM-CMN-1069 = Password Authority unavailable.

PAM-CMN-1070 = Unexpected error in source response.

PAM-CMN-1071 = This password is a privileged password; it cannot be used for single sign-on for target device.

PAM-CMN-1072 = No Password Authority username and password provided.

PAM-CMN-1073 = The credential service did not find a cryptographic encryption key. Regenerating key; existing credentials will be lost.

PAM-CMN-1074 = The credential service was not able to contact database.

PAM-CMN-1075 = The internal credential source storage is currently disabled by administrator.

PAM-CMN-1076 = The credential daemon has been given an invalid input.

PAM-CMN-1077 = The requested credential is corrupted or cannot be decrypted.

PAM-CMN-1078 = Unexpected error sent by credential daemon; please contact your administrator.

PAM-CMN-1079 = Credential not available. Please contact your administrator.

View and Search Messages

PAM-CMN-1081 = Badly formed data - operation not performed

PAM-CMN-1082 = This view should be updated, not added.

PAM-CMN-1083 = View {0} not added.

PAM-CMN-1084 = Invalid search specified for view.

PAM-CMN-1085 = Duplicate view name.

Cluster Management Messages

Cluster Management Messages for Privileged Access Manager

PAM-CMN-1086 = Unauthorized access to cluster configuration.

PAM-CMN-1087 = Passphrase is required to generate the shared cluster key.

PAM-CMN-1088 = Cluster shared key is required.

PAM-CMN-1089 = Cluster shared key must be a 40-character-long hexadecimal string.

PAM-CMN-1090 = The interface to use for cluster communications must be specified.

PAM-CMN-1091 = Invalid cluster interface specified. Valid values are {0}.

PAM-CMN-1092 = Virtual Management IP Address is required.

PAM-CMN-1093 = Virtual Management IP Address must be a valid IP address.

PAM-CMN-1094 = Virtual Management IP Domain Name must be a valid hostname.

PAM-CMN-1095 = Invalid cluster member list specified.

PAM-CMN-1096 = Cluster must contain at least two members, including this CA PAM appliance.

PAM-CMN-1097 = The IP address specified for this CA PAM appliance in the cluster member list cannot be assigned to the cluster interface.

PAM-CMN-1098 = This CA PAM appliance must be a member of the cluster.

PAM-CMN-1099 = The subnet of the CA PAM appliance cluster interface is required.

PAM-CMN-1100 = Invalid cluster subnet format specified.

PAM-CMN-1101 = Invalid cluster subnet network address {0}.

PAM-CMN-1102 = Invalid cluster subnet network mask {0}.

PAM-CMN-1103 = The specified cluster subnet does not have enough host addresses ({0}) for all cluster members ({1}).

PAM-CMN-1104 = The specified NAT address {0} is not a valid IP address or hostname.

PAM-CMN-1105 = The specified PAT address {0} is not a valid IP address or hostname.

PAM-CMN-1106 = The specified PAT port {0} is not a valid port number.

PAM-CMN-1107 = Failed to authenticate to cluster member {0}. Please confirm that the shared key has been configured on the cluster member.

PAM-CMN-1108 = Failed to save the cluster configuration on member {0}. Error(s) received: {1}

PAM-CMN-1109 = Failed to save the cluster configuration on member {0}. Unable to establish a connection to the CA PAM appliance.

PAM-CMN-1110 = Failed to start the cluster due to configuration errors.

PAM-CMN-1111 = The cluster configuration values do not match for fields: {0}.

PAM-CMN-1112 = Failed to start the cluster. The cluster configuration on members {0} and {1} are not the same. The errors reported by {2} are: {3}.

PAM-CMN-1113 = Failed to start the cluster. Unable to check for consistent cluster configuration on member {0}. The remote errors reported are: {1}.

PAM-CMN-1114 = Failed to start the cluster. Unable to establish a connection to member {0}.

PAM-CMN-1115 = Failed to start the cluster. Configuring the replication interface on member {0} failed.

PAM-CMN-1116 = Failed to start the cluster. Unable to successfully ping cluster member {0}.

PAM-CMN-1117 = Failed to start the cluster. Unable to retrieve hostname data from cluster member {0}.

PAM-CMN-1118 = Failed to start the cluster. Unable to save hostname data on cluster member {0}.

PAM-CMN-1119 = Failed to stop the cluster on member {0}: {1}

PAM-CMN-1120 = Failed to stop the cluster due to configuration errors.

PAM-CMN-1121 = Failed to start the cluster. Unable to configure and start the cluster runtime.

PAM-CMN-1122 = Failed to configure the cluster runtime on member {0}.

PAM-CMN-1123 = Starting the cluster runtime has failed.

PAM-CMN-1124 = Starting the cluster runtime on member {0} has failed.

PAM-CMN-1125 = Unable to start cluster members {0}.

PAM-CMN-1126 = The specified CA PAM appliance is not a member of the cluster.

PAM-CMN-1127 = Failed to stop cluster member {0} due to configuration errors.

PAM-CMN-1128 = Failed to start cluster member {0}: {1}

PAM-CMN-1129 = The cluster interface, {0}, is already in use on cluster member {1}.

PAM-CMN-1130 = Unable to make a connection to the remote CA PAM appliance {0}.

PAM-CMN-1131 = The cluster must be enabled before starting or stopping individual cluster members.

PAM-CMN-1132 = Starting the cluster ...

PAM-CMN-1133 = Checking the consistency of the cluster configuration across all members ...

PAM-CMN-1134 = Starting the cluster failed. Checking the cluster configuration consistency failed for {0} member(s): {1}.

PAM-CMN-1135 = Computing the addresses to assign to the cluster interfaces ...

PAM-CMN-1136 = Assigning computed addresses to the cluster interfaces ...

PAM-CMN-1137 = Assigning computed addresses to the cluster interface failed for member(s): {0}.

PAM-CMN-1138 = Verifying that all cluster interfaces have been properly configured ...

PAM-CMN-1139 = Pinging all cluster members using the configured cluster interface failed for member(s): {0}.

PAM-CMN-1140 = Assigning internal hostnames to cluster members ...

PAM-CMN-1141 = Assigning internal hostnames to cluster members failed for member(s): {0}.

PAM-CMN-1142 = Configuring the cluster runtime ...

PAM-CMN-1143 = Starting the cluster runtime ...

PAM-CMN-1144 = The cluster is online.

PAM-CMN-1145 = Starting the cluster master on member {0} ...

PAM-CMN-1146 = Attempt {0}/{1}: Checking if the master is online ...

PAM-CMN-1147 = The cluster master is online. Starting the remaining cluster member(s) ...

PAM-CMN-1148 = Starting the cluster has failed. Unable to start the cluster master {0}.

PAM-CMN-1149 = Attempt {0}/{1}: Waiting for {2}/{3} member(s) to come online ...

PAM-CMN-1150 = Cluster member {0} is now online.

PAM-CMN-1151 = Cluster member {0} failed.

PAM-CMN-1152 = Starting the cluster has failed: Unable to start cluster member(s): {0}.

PAM-CMN-1153 = Stopping the cluster ...

PAM-CMN-1154 = Stopping the cluster on member {0}...

PAM-CMN-1155 = Cluster member {0} stopped.

PAM-CMN-1156 = Stopping the cluster failed on {0}/{1} member(s): {2}.

PAM-CMN-1157 = Cluster successfully stopped.

PAM-CMN-1158 = Starting cluster member {0} ...

PAM-CMN-1159 = Cluster started on member {0}.

PAM-CMN-1160 = Attempt {0}/{1}: Waiting for member to come online ...

PAM-CMN-1162 = This cluster node received a remote API call from source {0} with an incorrect shared key: {1}.

PAM-CMN-1163 = Unauthorized attempt to retrieve cluster logs on this node. The shared key did not match.

PAM-CMN-1460 = Saved cluster config locally. Virtual IP: {0}. Virtual IP FQDN: {1}. Cluster members: {2}. Status: OFF.

PAM-CMN-1461 = ERROR: NTP problem on member {0}. {1}

PAM-CMN-1462 = ERROR: Release level of member {0} ({1}) does not match primary member ({2})

PAM-CMN-1463 = Saved cluster config to all cluster members. Cluster members: {0}. Status: {1}.

PAM-CMN-1464 = External synchronization unlocked while in cluster-stopped mode

PAM-CMN-1465 = External synchronization locked while in cluster-stopped mode

PAM-CMN-1466 = Turned cluster on

PAM-CMN-1467 = SEVERE: Unable to turn on the cluster because one or more cluster members failed cluster start checks.

PAM-CMN-1673 = User {0} using API key {1} can't perform {2} operations while cluster is stopped. {3} was not executed.

PAM-CMN-1675 = User {0} using API key {1} can't perform {2} operations while cluster is stopped. {3} was not executed.

PAM-CMN-1760 = Unauthorized attempt to check synchronization status of the cluster by {0}

PAM-CMN-1761 = Cluster started.

PAM-CMN-1762 = Cluster member {0} restarted.

PAM-CMN-1763 = Cluster configuration deleted.

PAM-CMN-1881 = Cannot delete - used for PAM Cluster Synchronization. Change the provision row used on the PAM Cluster Synchronization page before deleting.

PAM-CMN-1888 = GateKeeper cluster configuration from cluster member {0} saved. Cluster Shared Key: {0}. Cluster Replication Interface: {1}. Cluster Members: {2}. Cluster VIP Address: {3}. Cluster VIP FQDN: {4}. Cluster Subnet: {5}. Cluster Status: {6}.

PAM-CMN-1889 = GateKeeper cluster configuration saved. Cluster Shared Key: {0}. Cluster Replication Interface: {1}. Cluster Members: {2}. Cluster VIP Address: {3}. Cluster VIP FQDN: {4}. Cluster Subnet: {5}. Cluster Status: {6}.

PAM-CMN-1891 = Saving cluster configuration on all cluster members failed for {0}/{1} member(s): {2}.

PAM-CMN-1892 = Cluster configuration saved on all cluster members.

PAM-CMN-1959 = As the primary member, starting the polling of all cluster members until the database is synced across the cluster ...

PAM-CMN-1960 = Polling database sync status for member {0} (ELAPSED TIME = {1}) ...

PAM-CMN-1961 = Database sync on member {0} completed. (ELAPSED TIME = {1})

PAM-CMN-1962 = Database is still syncing on member {0} (ELAPSED TIME = {1}) ...

PAM-CMN-1963 = All databases done syncing, starting the Password Authority subsystem on each member in sequence (ELAPSED TIME = {0})

PAM-CMN-1966 = Password Authority subsystem started on all cluster members

PAM-CMN-1967 = SEVERE: License check failed. Stopping clustering on this node!

PAM-CMN-1968 = Requesting a full database from the primary member ...

PAM-CMN-1969 = Database dump is ready on the primary member. Retrieving the dump ...

PAM-CMN-1970 = Downloading the database dump from the primary member ...

PAM-CMN-1971 = CRC verification on the primary database OK. Downloading database cluster TLS certificates ...

PAM-CMN-1972 = Dump integrity check failed: Dump completed marker not found!

PAM-CMN-1973 = Dump integrity check failed: The number of tables in the dump ({0} != {1}) are incorrect!

PAM-CMN-1974 = All integrity checks passed, proceeding to loading master database ...

PAM-CMN-1975 = SEVERE: CRC verification on the primary database dump FAILED. Please stop the cluster and retry

PAM-CMN-1976 = SEVERE: Integrity checks on the database dump failed. Retrying downloading the database data (#{0}) ...

PAM-CMN-1977 = Loading the database from the primary member completed successfully.

PAM-CMN-1978 = Sync with the primary member completed.

PAM-CMN-2353 = Turned cluster off

PAM-CMN-2551 = SEVERE: Repeated attempts to assign the VIP to this cluster member has failed! No more attempts to assign the VIP to this member will be made until the next cluster restart.

PAM-CMN-2552 = Making attempt {0} to assign the VIP to this cluster member ...

PAM-CMN-2553 = The VIP has been successfully assigned to this cluster member after %d attempts.

PAM-CMN-2554 = WARNING: VIP Assignment Failed! The Password Authority subsystem is down (it may be in the process of starting up)

PAM-CMN-2555 = SEVERE: Assigning the VIP to this cluster member failed.

PAM-CMN-2556 = SEVERE: VIP assignment failure limit reached! No further attempts will be made to assign the VIP to this cluster member until the next cluster restart!

PAM-CMN-2557 = SEVERE: Member {0} has failed to respond to heartbeat messages for 20 seconds; connection marked as down. The gateway is currently {1}

PAM-CMN-2558 = Initial connection for heartbeat messages to member {0} has been established. The gateway is currently {1}.

PAM-CMN-2559 = WARNING: Member {0} has resumed responding to heartbeat messages after an outage lasting {1} min(s) and {2} second(s). The gateway is currently {3}.

PAM-CMN-2560 = SEVERE: Connectivity to all members in the cluster has been lost but the gateway is reachable, maintaining Password Authority services and assuming the VIP address.

PAM-CMN-2561 = SEVERE: Connectivity to all members in the cluster has been lost and the gateway is unreachable, shutting down Password Authority services on this member to maintain data integrity.

PAM-CMN-2562 = WARNING: At least one other member in the cluster is now reachable, rejoining the cluster ...

PAM-CMN-2563 = Retrieving the primary database from cluster member {0} to resync my database.

PAM-CMN-2564 = SEVERE: Syncing with the primary database failed!

PAM-CMN-2565 = Resyncing with the primary database completed!

PAM-CMN-2566 = I am the only member alive and making attempt #{0} to assume the VIP.

PAM-CMN-2567 = WARNING: I should own the VIP but I do not. Assuming the VIP ...

PAM-CMN-2568 = Cluster starting ...

PAM-CMN-2569 = Retrieving primary database from cluster member {0} ...

PAM-CMN-2570 = Syncing the database with the primary cluster member succeeded.

PAM-CMN-2571 = SEVERE: Syncing the database with the primary cluster member failed!

PAM-CMN-2572 = I am the primary member in the cluster. All cluster members will sync with my database.

PAM-CMN-2573 = WARNING: I currently own the VIP but there is a cluster member that is alive with a higher precedence. Releasing the VIP.


PAM-CMN-2574 = Can't remove current server.

PAM-CMN-2575 = Failed to update current server: server was removed but new server was not added. Please check if connection was established.

PAM-CMN-2576 = Can't update current server: failed to remove server. Please check if connection was established.

PAM-CMN-2596 = The device lost Ehernet link while in clustering mode. Locking.

PAM-CMN-2622 = SEVERE: Download of the primary database dump FAILED. Please stop the cluster and retry

PAM-CMN-2623 = Downloading the database dump CRC from the primary member ...

PAM-CMN-2624 = Database dump and CRC downloaded. Verifying CRC ...

PAM-CMN-2625 = SEVERE: Download of the database cluster TLS certificates FAILED. Please stop the cluster and retry

PAM-CMN-2626 = Downloading the database cluster TLS certificates CRC from the primary member ...

PAM-CMN-2627 = SEVERE: Download of the primary database dump CRC FAILED. Please stop the cluster and retry

PAM-CMN-2628 = SEVERE: Download of the database cluster TLS certificates CRC FAILED. Please stop the cluster and retry

PAM-CMN-2629 = SEVERE: CRC verification on the primary database TLS certificates FAILED. Please stop the cluster and retry

PAM-CMN-2630 = CRC verification on the primary database TLS certificates OK. Downloading NIM SM database and properties...

PAM-CMN-2631 = SEVERE: Download of the NIM SM properties FAILED. Please stop the cluster and retry

PAM-CMN-2632 = SEVERE: Download of the NIM SM database FAILED. Please stop the cluster and retry

PAM-CMN-2633 = Downloading the NIM SM CRC from the primary member...

PAM-CMN-2634 = SEVERE: Download of the NIM SM CRC FAILED. Please stop the cluster and retry

PAM-CMN-2635 = SEVERE: CRC verification on the primary NIM SM FAILED. Please stop the cluster and retry

PAM-CMN-2743 = Cluster member {0} of site {1} has left the cluster.

PAM-CMN-2744 = Node {0} was added to site {1} of an active cluster.

PAM-CMN-2745 = This configuration will be replicated to all cluster members

PAM-CMN-2746 = The delete action will be performed on all cluster members

PAM-CMN-2752 = The database of this node, {0}, is out of sync with the primary database. The cluster or node should be resynced as soon as possible to resynchronize this node with the cluster.

PAM-CMN-2756 = The secondary site member {0} is now active.

PAM-CMN-2757 = The secondary site member {0} is inactive and will remain inactive until replication catches up to the primary site or the member is manually resynced.

PAM-CMN-2758 = This secondary site member {0} has lost connection to the primary site for {1} since {2}.

PAM-CMN-2759 = The primary site has lost contact with secondary site member {0} for {1} since {2}.

PAM-CMN-2760 = This secondary site member, {0}, is inactive since {1} and will remain active until resynced with the primary site.

PAM-CMN-2763 = A lag in replication has been detected between the database of this member and the primary database.

PAM-CMN-2764 = The connection timed-out checking whether this member's database is consistent with the primary database.


PAM-CMN-2765 = The database of this member is out-of-sync with the primary database.

PAM-CMN-2766 = The database of this member is in-sync with the primary database.

PAM-CMN-2769 = The credential management subsystem of this secondary member has failed to contact the primary site.

PAM-CMN-2770 = The credential management subsystem of this secondary member has lost contact with the primary site for longer than {0} seconds.

PAM-CMN-2771 = The credential management subsystem of this secondary member has lost contact with the primary site for longer than {0} seconds.

PAM-CMN-2772 = The credential management subsystem of this secondary member is connected to the primary site.

PAM-CMN-2773 = Primary site members are always active.

PAM-CMN-2774 = This secondary site member is active.

PAM-CMN-2775 = This secondary site member has been deactivated for lagging in replication for more than {0} minutes behind the primary site.

PAM-CMN-2776 = The Credential Management services of this node are locked due to the state of the cluster. No credentials can be viewed or used in autoconnect.

PAM-CMN-2777 = The request from user {0} to view credential {1} was denied due to the primary site being unreachable and this node being configured in security safe mode.

PAM-CMN-2778 = Starting Credential Management on this member ...

PAM-CMN-2779 = Password Authority subsystem started successfully on this node (ELAPSED TIME = {0})

PAM-CMN-2780 = Requesting the primary site to activate my site, {0} ...

PAM-CMN-2781 = Password Authority subsystem startup initiated on node {0} (ELAPSED TIME = {1})

PAM-CMN-2782 = Waiting for all Password Authority subsystems to complete startup ... (ELAPSED TIME = {0})

PAM-CMN-2783 = Only queries against configuration table are allowed with ConfigService->dbQuery()

PAM-CMN-2784 = Device Console fields are deprecated.

PAM-CMN-2785 = Power device is deprecated.

PAM-CMN-2786 = Special Type Device is deprecated.

PAM-CMN-2787 = The connection timed-out checking whether the member {0}'s database is consistent with the primary database for {1} seconds since {2}.

PAM-CMN-2788 = The database of the member {0} is out-of-sync with the primary database for {1} seconds since {2}.

PAM-CMN-2789 = The database of the member {0} is in-sync with the primary database now.

PAM-CMN-2792 = A CSV import job has completed on this node and the updates are being replicated across the cluster. Please wait until it is complete before initiating another.

PAM-CMN-2793 = A CSV import job has completed on this node and the updates are being replicated across the cluster. Elapsed time is {0}.

PAM-CMN-2794 = The database status of this member is not known. This commonly happens when a new member is subscribing to the cluster. Please press the Refresh Replication Status button for the current status.

PAM-CMN-2874 = This primary clustered PAM does not have commit permission to the RFS. You must run 'rfs-setup --gang-client' on the RFS first.


PAM-CMN-2931 = WARNING: I currently own the VIP but there is a cluster member that is alive with a higher precedence. Releasing the VIP.

PAM-CMN-2933 = Making attempt {0} to assign the VIP to this cluster member...

PAM-CMN-2936 = SEVERE: Repeated attempts to assign the VIP to this cluster member has failed! No more attempts to assign the VIP to this member will be made until the next cluster restart.

PAM-CMN-2937 = The VIP has been successfully assigned to this cluster member after {0} attempts.

PAM-CMN-2938 = WARNING: VIP Assignment Failed! The Password Authority subsystem is down (it may be in the process of starting up)

PAM-CMN-2939 = SEVERE: Assigning the VIP to this cluster member failed.

PAM-CMN-2940 = SEVERE: VIP assignment failure limit reached! No further attempts will be made to assign the VIP to this cluster member until the next cluster restart!

PAM-CMN-2941 = SEVERE: Member {0} has failed to respond to heartbeat messages for 20 seconds; connection marked as down. The gateway is currently {1}.

PAM-CMN-2942 = Initial connection for heartbeat messages to member {0} has been established. The gateway is currently {1}.

PAM-CMN-2943 = WARNING: Member {0} has resumed responding to heartbeat messages after an outage lasting {1} min(s) and {2} second(s). The gateway is currently {3}.

PAM-CMN-2944 = SEVERE: Connectivity to all members in the cluster has been lost but the gateway is reachable, maintaining Password Authority services and assuming the VIP address.

PAM-CMN-2945 = SEVERE: Connectivity to all members in the cluster has been lost and the gateway is unreachable, shutting down Password Authority services on this member to maintain data integrity.

PAM-CMN-2947 = WARNING: At least one other member in the cluster is now reachable, rejoining the cluster...

PAM-CMN-2948 = Retrieving the primary database from cluster member {0} to resync my database

PAM-CMN-2949 = SEVERE: Syncing with the primary database failed!

PAM-CMN-2950 = Resyncing with the primary database completed!

PAM-CMN-2952 = I am the only member alive and making attempt #{0} to assume the VIP.

PAM-CMN-2953 = WARNING: I should own the VIP but I do not. Assuming the VIP...

PAM-CMN-2954 = Cluster starting...

PAM-CMN-2955 = * Restarted to recognize site membership update

PAM-CMN-2957 = Syncing the database with the primary cluster member succeeded.

PAM-CMN-2958 = SEVERE: Starting up Credential Management on this node failed!

PAM-CMN-2959 = SEVERE: Starting up Credential Management on all nodes in secondary site failed!

PAM-CMN-2960 = SEVERE: Syncing the database with the primary cluster member failed

PAM-CMN-2961 = All other nodes were unavailable to donate their database, therefore skipping DB sync and restarting PA on my own

PAM-CMN-2962 = I am the primary member in the cluster. All cluster members will sync with my database.

PAM-CMN-2963 = SEVERE: Starting up Credential Management on all nodes failed!

PAM-CMN-2964 = I am a node in a secondary site, will retrieve master database from the secondary site leader {0}

PAM-CMN-2965 = I am a node in a secondary site, but its secondary leader is not available, will retrieve master database from {0} at the primary site

PAM-CMN-2966 = I am a leader node in a secondary site, will retrieve master database from {0} at the primary site


PAM-CMN-2967 = Start daily DB backup for cluster replication

PAM-CMN-2976 = Backup DB failed!

PAM-CMN-2977 = Backup DB succeed!

PAM-CMN-2978 = Start to purge DB binary logs with the last {0} days logs

PAM-CMN-2979 = Purge DB binary log failed!

PAM-CMN-2980 = Purge DB binary log succeed!

PAM-CMN-2981 = Skip daily DB backup because cluster is not turned on

PAM-CMN-3143 = Releasing the VIP

PAM-CMN-3144 = Assuming the VIP

PAM-CMN-3145 = Communication Link Down

PAM-CMN-3146 = Cannot communicate with other cluster members, but the Gateway is UP, Promoting to VIP

PAM-CMN-3147 = Cannot communicate with other cluster members, disabling credential management services on this node and disabling cluster orchestration daemon

PAM-CMN-3148 = This node will pull the database from the primary node

PAM-CMN-3149 = Syncing this node's database with the primary database...

PAM-CMN-3150 = Starting up Credential Management on this node failed!

PAM-CMN-3151 = Starting up Credential Management on all nodes in secondary site failed

PAM-CMN-3152 = Syncing the database with the primary cluster member failed!

PAM-CMN-3153 = Starting up Credential Management on all nodes failed

PAM-CMN-3226 = Cluster orchestration updating configuration to reflect site membership update

Multi-Site Clustering Messages

PAM-CMN-2853 = This clustered member is not a member of the primary site. Please perform this operation on the primary member in the primary site!

PAM-CMN-2854 = This clustered member is not the primary. Please perform this operation on the primary member!

PAM-CMN-2855 = This cluster is currently ON. Please stop the cluster before performing this operation!

PAM-CMN-2856 = Not all members of the cluster are reachable.

PAM-CMN-2857 = The passphrase must be at least 16 characters long and contain one of [0-9][a-z][A-Z].

PAM-CMN-2858 = Failed to securely cache the password.

PAM-CMN-2859 = The encryption test of FIPS mode cryptography provider failed!

PAM-CMN-2860 = Unknown cryptography provider!

PAM-CMN-2861 = PAM will now reboot for this change to take effect.

PAM-CMN-5057 = The maximum replication lag before secondary member deactivation must be specified

PAM-CMN-5058 = Successfully saved cluster configuration to all members.

PAM-CMN-5060 = The entered shared keys do not match!

PAM-CMN-5061 = Site name not specified for site #{0}

PAM-CMN-5062 = Site name for site #{0} is not valid: valid characters are alphanumeric, space, underscore and hyphen.

PAM-CMN-5063 = Duplicate site name {0}

PAM-CMN-5064 = Cluster must contain at least two members, including this member.

PAM-CMN-5065 = The primary site must be specified

PAM-CMN-5066 = Invalid primary site index specified, valid values are 0-{0}

PAM-CMN-5067 = Invalid value specified for the maximum number of queued events before a site is deactivated. Valid values are between 500 and 100000 events

PAM-CMN-5069 = The cluster database consistency check period must be specified

PAM-CMN-5070 = Invalid value specified for the cluster database consistency check period. Valid values are between 5 and 1440 minutes

PAM-CMN-5075 = Multi-site operationally or security safe mode must be selected


PAM-CMN-5076 = Invalid value specified for the multi-site operationally or security safe mode. Valid values are operational and security

PAM-CMN-5077 = Invalid Database Replication Connection Timeout specified {0}. Valid values are between 5 and 90 seconds

PAM-CMN-5078 = Invalid Database Replication Socket Timeout specified {0}. Valid values are between 5 and 90 seconds

PAM-CMN-5079 = Duplicate address in cluster member list {0}: {1}

PAM-CMN-5080 = Invalid IP address or host name {0}: {1}

PAM-CMN-5081 = Changes have not been saved. This CA PAM member is not part of the member list. Please add your member IP to one of the existing sites below.

PAM-CMN-5082 = Failed to uniquely identify the site of this CA PAM member in the cluster configuration.

PAM-CMN-5083 = Unable to turn on the cluster because one or more cluster members failed cluster start checks. {0}

PAM-CMN-5084 = Turning the cluster on failed{0}

PAM-CMN-5085 = Cluster turned on successfully.

PAM-CMN-5086 = Cluster turned off successfully.

PAM-CMN-5087 = This node is unlocked. Scheduled jobs and processes that may trigger credential rotation will be allowed on this node. {0}

PAM-CMN-5088 = This node must remain the first member in the primary site when the cluster is restarted or all changes will be lost after cluster restart.

PAM-CMN-5089 = This node must be promoted to be the first member in the primary site when the cluster is restarted or all changes will be lost after cluster restart.

PAM-CMN-5090 = Site {0} must be promoted to be the primary site and this member must be promoted to be the first member in the site when the cluster is restarted or all changes will be lost after cluster restart.

PAM-CMN-5091 = This node must remain the first member in the cluster list when the cluster is restarted or all changes will be lost after cluster restart.

PAM-CMN-5092 = This node must be promoted to be the first member in the cluster list when the cluster is restarted or all changes will be lost after cluster restart.

PAM-CMN-5093 = Resyncing of {0} has failed. {1}

PAM-CMN-5094 = Resyncing of {0} has succeeded

PAM-CMN-5095 = Resyncing node {0} from site {1} with primary site

PAM-CMN-5096 = Resyncing site {0}.

PAM-CMN-5097 = Resyncing the selected site failed. {0}

PAM-CMN-5098 = The donor member is {0}.

PAM-CMN-5099 = Unable to find a member with an active database from the primary site

PAM-CMN-5100 = Resync site failed, the following members of the site are unresponsive: {0}

PAM-CMN-5101 = Resyncing the selected site succeeded.

PAM-CMN-5102 = The specified member is not part of a multisite enabled cluster{0}

PAM-CMN-5103 = CAN NOT CONNECT TO MEMBER: {0}

PAM-CMN-5104 = Member is successfully removed from the cluster.

PAM-CMN-5105 = This member cannot leave the cluster. The site must have at least one remaining member

PAM-CMN-5106 = Failed to update member {0}, it isn't alive

PAM-CMN-5107 = Stopping the cluster ...

PAM-CMN-5108 = Member successfully joined the cluster.

PAM-CMN-5109 = The number of sites cannot be modified as part of joining an active cluster.

PAM-CMN-5110 = Adding a new member to the primary site requires a cluster restart.

PAM-CMN-5111 = This node can only be added as a member of a secondary site. No other changes to the site member list are allowed.

PAM-CMN-5112 = CURL request to {0} returned error ({1}): {2}

PAM-CMN-5113 = NTP on this member is not properly configured

PAM-CMN-5114 = The release level of the cluster ({0}), does not match the release level of this node ({1})

PAM-CMN-5115 = The locale of the cluster ({0}), does not match the locale of this node ({1})

PAM-CMN-5116 = The license of this node does not match the license of the cluster: {0}

PAM-CMN-5117 = All members for site count {0} are

PAM-CMN-5118 = Member: {0}=> Cannot Communicate with Member. Please make sure the member is reachable and required ports are open.

PAM-CMN-5119 = Member: {0}=> License Mismatch ({1}). Please check your configuration and try again.

PAM-CMN-5120 = Member: {0}=> Access Denied. Please check your configuration and try again.


PAM-CMN-5121 = Member: {0}=> Inconsistent Member List (Click Save To Cluster).

PAM-CMN-5122 = Member: {0}=> OK.

PAM-CMN-5123 = The cluster was in a bad state.

PAM-CMN-5124 = The Credential Manager databases were still active on nodes:

PAM-CMN-5125 = The Session Manager databases were out of sync. Send system logs to CA for more information.

PAM-CMN-5126 = The administrator who performed this action was given guidance regarding how to remedy this, and those recommendations were acknowledged before the cluster was stopped.

PAM-CMN-5127 = Cluster-off operation initiated

PAM-CMN-5128 = {0}: NTP not properly configured.

PAM-CMN-5129 = {0}: release level, {1}, does not match primary release level ({2}).

PAM-CMN-5130 = ERROR: Locale of member {0} ({1}) does not match primary member ({2})

PAM-CMN-5131 = {0}: locale does not match primary.

PAM-CMN-5132 = Primary Site cannot be deleted.

PAM-CMN-5133 = Couldn't save the config file: {0}.

PAM-CMN-5134 = Site deleted.

PAM-CMN-5135 = {0} SAVING FAILED - {1}.

PAM-CMN-5136 = {0} STATUS OK.

PAM-CMN-5137 = Sending Cluster Stopped Failed On Some Members: {0}

PAM-CMN-5138 = all are for sendClusterStopped command: {0}

PAM-CMN-5139 = all are for saveRemote command: {0}

PAM-CMN-5140 = An error occurred while saving AWS provision.

PAM-CMN-5141 = Configuration successfully saved

PAM-CMN-5142 = Save to cluster failed for following reasons: {0}

PAM-CMN-5143 = This CA PAM node is part of the cluster and it is in the process of syncing. Try again later. Click <a href='/logoff.php'>here</a> to login.

PAM-CMN-5144 = CA PAM server is starting up. Please try again later. Click <a href='/logoff.php'>here</a> to login.

PAM-CMN-5145 = ERROR: Cluster member {0} is unable to connect to the primary using address {1}.

PAM-CMN-5146 = Cluster member {0} is unable to connect to the primary using address {1}.

PAM-CMN-5147 = Reboot is needed to enable LUNA-PCI changes

PAM-CMN-5148 = The FIPS mode of the cluster ({0}), does not match the FIPS mode of this node ({1})

PAM-CMN-5149 = ERROR: FIPS mode of member {0} ({1}) does not match primary member ({2})

PAM-CMN-5150 = {0}: FIPS mode does not match primary.

PAM-CMN-5151 = SEVERE: Requesting a full database from the primary member timed-out.

PAM-CMN-5152 = As the primary member, checking the polling status of member timed-out...

PAM-CMN-5153 = Could not change the login name of the administrator

PAM-CMN-5154 = User did not enter correct password for administrator login

PAM-CMN-5155 = The cryptographic provider of this node must be {0} to match the cryptographic provider of cluster

PAM-CMN-5156 = ERROR: The cryptographic provider of this node {0} must be {1} to match the cryptographic provider of primary node

PAM-CMN-5157 = {0}: The cryptographic provider must be {1} to match primary.

PAM-CMN-5158 = The cluster is not currently turned on.

PAM-CMN-5159 = The hardware platform of the cluster ({0}), does not match the hardware platform of this node ({1})

PAM-CMN-5160 = ERROR: hardware platform of member {0} ({1}) does not match the site leader member {2} ({3})

PAM-CMN-5161 = {0}: hardware platform does not match the site leader member {1}.

PAM-CMN-5162 = ERROR: The site hardware platform is {0} ({1}), but a provision key {2} is provided.

PAM-CMN-5163 = {0} ({1}): hardware platform does not match the provision key {2}.

PAM-CMN-5164 = ERROR: The site hardware platform is {0} ({1}), but no provision key {2} is provided.

PAM-CMN-5165 = {0}: The provision key {1} is missing for the hardware platform {2}.

PAM-CMN-5166 = Invalid provision key specified {0}. Can't have both AWS provision key and Azure provision key at the same time.

PAM-CMN-5167 = Adding a new site to the active cluster


PAM-CMN-5168 = The site {0} has been removed from the cluster

PAM-CMN-5169 = At least two sites are required for multi-site cluster. No site is allowed to be removed from the cluster

PAM-CMN-5170 = Invalid site index

PAM-CMN-5171 = Only one new site can be added at one time when the cluster is active

PAM-CMN-5172 = The number of site names doesn't match the site count

PAM-CMN-5173 = Removing the site {0} from the cluster

PAM-CMN-5174 = The site {0} has been successfully removed from the cluster

PAM-CMN-5175 = The total members in the primary site can not be more than 9

PAM-CMN-5176 = The total members of the cluster can not be more than 1000

PAM-CMN-5177 = The maximum replication lag before secondary member warning must be specified

PAM-CMN-5178 = The maximum replication lag before secondary member out-of-sync must be specified

PAM-CMN-5179 = Invalid value specified for the max replication before secondary member warning

PAM-CMN-5180 = Invalid value specified for the max replication lag before secondary member out of sync. Must be larger than warning value.

PAM-CMN-5181 = Invalid value specified for the max replication lag before secondary member deactivation. Must be larger than out-of-sync value.

PAM-CMN-5182 = The hardware platform of the cluster ({0}), does not match the hardware platform of this node ({1})

PAM-CMN-5183 = ERROR: hardware platform of member {0} ({1}) does not match the site leader member {2} ({3})

PAM-CMN-5184 = {0}: hardware platform does not match the site leader member {1}.

PAM-CMN-5185 = ERROR: The site hardware platform is {0} ({1}), but a provision key {2} is provided.

PAM-CMN-5186 = {0} ({1}): hardware platform does not match the provision key {2}.

PAM-CMN-5187 = ERROR: The site hardware platform is {0} ({1}), but no provision key {2} is provided.

PAM-CMN-5188 = {0}: The provision key {1} is missing for the hardware platform {2}.

PAM-CMN-5189 = Invalid provision key specified {0}. Can't have both AWS provision key and Azure provision key at the same time.

PAM-CMN-5190 = This CA PAM appliance lost the connection to the member(s) in the primary site and is in the mode only admin level users can login.

PAM-CMN-5191 = Invalid provision key specified {0}.

PAM-CMN-5192 = Resync site member failed, the member {0} is unresponsive.

PAM-CMN-5193 = Failed to load configuration from the member {0}: bad shared key.

PAM-CMN-5195 = SEVERE: Requesting a full database dump failed because the leader failed to start the cluster, aborting...

PAM-CMN-5196 = SEVERE: Requesting if the database is ready return error, aborting...

PAM-CMN-5197 = SEVERE: Credential Manager is not running!

PAM-CMN-5198 = Failed to join the cluster. {0}

PAM-CMN-5199 = The cluster configuration has been changed on {0}. Please re-download and try again.

PAM-CMN-5200 = The cluster configuration is being udpated on {0} right now, please try again later.

PAM-CMN-5201 = Failed to leave the cluster. {0}

PAM-CMN-5202 = Failed to eject the member. {0}

PAM-CMN-5203 = Failed to remove the site. {0}

Login Sessions Management Messages

PAM-CMN-1164 = Keystroke {0} Notice: {1}

PAM-CMN-1165 = Date/Time: {0} User ID : {1} User Source IP: {2} Violation on: {3} Captured Keystrokes: {4} {5}

PAM-CMN-1166 = Unauthorized attempt by user {0} to deactivate user account {1}.

PAM-CMN-1167 = A potential tampering attempt has been detected, the end-user's local system may be compromised. Account deactivated.

PAM-CMN-1168 = User {0} terminated login session of type {1} for user {2}.

PAM-CMN-1169 = Failed to terminate the {0} connection to {1} for user {2}.

PAM-CMN-1170 = User {0} terminated the {1} connection to {2} for user {3}.

PAM-CMN-1171 = Exceeded the maximum number of allowed violations. Account deactivated.

PAM-CMN-1172 = Your session has been terminated by an CA PAM administrator.

PAM-CMN-1173 = Your connection to {0} on {1} has been terminated by an CA PAM administrator.

PAM-CMN-1174 = Your account has been deactivated. See your CA PAM administrator.

PAM-CMN-1175 = Exceeded the maximum number of allowed violations. Session terminated.


PAM-CMN-1176 = A potential tampering attempt has been detected, the end-user's local system may be compromised. Session will be terminated.

PAM-CMN-1177 = Exceeded the maximum number of allowed violations but since this is a global administrator account, the account will not be deactivated.

PAM-CMN-1178 = A potential tampering attempt has been detected on your system. Your session will be terminated.

PAM-CMN-1179 = User {0} requested re-authentication for user {1}.

PAM-CMN-1180 = Invalid action or filter criteria.

PAM-CMN-1181 = Your session has been terminated. Please re-authenticate to CA PAM.

PAM-CMN-1182 = SAML session types cannot be re-authenticated.

PAM-CMN-2661 = Your session has been terminated because of concurrent login restriction.

PAM-CMN-2968 = Blocked Access to Host {0}:{1} - Blacklist policy violation.

PAM-CMN-2969 = Granted Access to Host {0}:{1} - Blacklist policy allowed host and port.

PAM-CMN-2970 = Blocked Access to Host {0}:{1} - Whitelist policy violation.

PAM-CMN-2971 = Granted Access to Host {0}:{1} - Whitelist policy allowed host and port.

PAM-CMN-2972 = A potential tampering attempt has been detected, and the end-user's local system may be compromised. Session terminated.

PAM-CMN-2973 = A potential tampering attempt has been detected, and the end-user's local system may be compromised. Account deactivated.

PAM-CMN-2974 = Possible injection attack. Invalid sessionId: {0}.

PAM-CMN-2974 = Possible injection attack. Invalid serviceName: {0}.

PAM-CMN-3169 = A malicious client may be eavesdropping on your session.

PAM-CMN-3170 = Could not grab {0}. A malicious client may be eavesdropping on your session.

PAM-CMN-3171 = Enter {0}@{1}'s old password:

PAM-CMN-3172 = Enter {0}@{1}'s new password:

PAM-CMN-3179 = Authentication successful

PAM-CMN-3181 = Invalid server

PAM-CMN-3182 = Wait for the tokencode to change, then enter the new tokencode:

PAM-CMN-3183 = Your new PIN has been set into the system. Please wait for the tokencode to change, then authenticate again with your complete passcode now.

PAM-CMN-3184 = Your new PIN has been rejected by the system.

PAM-CMN-3185 = The system has generated a new PIN for you. This PIN will form the first part of your passcode. Your PIN is: {0}. Please wait for the tokencode to change, then authenticate again with your complete passcode.

PAM-CMN-3186 = System pin rejected by the system itself

PAM-CMN-3187 = To continue you must enter a new PIN. Enter a new PIN of {0} alphanumeric characters:

PAM-CMN-3188 = To continue you must enter a new PIN. Enter a new PIN between {0} and {1} alphanumeric characters:

PAM-CMN-3189 = To continue you must enter a new PIN. Enter a new PIN of {0} digits:

PAM-CMN-3190 = To continue you must enter a new PIN. Enter a new PIN between {0} and {1} digits:

PAM-CMN-3226 = Cluster orchestration updating configuration to reflect site membership update

PAM-CMN-3232 = Saving RDP client random key failed. RDP session connection will be terminated.

Configuration Messages

PAM-CMN-1183 = CA PAM is not provisioned with a valid license.

PAM-CMN-1184 = CA PAM license will expire on {0,date,medium}.

PAM-CMN-1185 = CA PAM license will expire today.

PAM-CMN-1186 = CA PAM license has expired and access services will be disabled on {0,date,medium}. Please contact your CA Account Representative.

PAM-CMN-1187 = CA PAM license has expired and access services are now disabled. Please contact your CA Account Representative.

PAM-CMN-1188 = Version value not numeric.

PAM-CMN-1189 = Hardware ID not a string.

PAM-CMN-1190 = Access license not an integer.

PAM-CMN-1191 = Password license not an integer.

PAM-CMN-1192 = A2A license not an integer.

PAM-CMN-1193 = Invalid value for mainframe license.


PAM-CMN-1194 = Invalid value for AWS license.

PAM-CMN-1195 = Invalid value for perpetual license.

PAM-CMN-1196 = Invalid value for start date.

PAM-CMN-1197 = Invalid value for end date.

PAM-CMN-1198 = Invalid value for spike license.

PAM-CMN-1199 = Invalid value for evaluation license.

PAM-CMN-1200 = Start date is in the future.

PAM-CMN-1201 = End date is greater than start date.

PAM-CMN-1202 = End date is in the past.

PAM-CMN-1203 = End date required but not specified.

PAM-CMN-1204 = Updated license.

PAM-CMN-1205 = Insufficient permissions to update license.

PAM-CMN-1206 = Insufficient permissions to set hardware serial.

PAM-CMN-1207 = License file contains invalid parameters

PAM-CMN-1208 = Hardware ID in the license does not match the appliance.

PAM-CMN-1209 = There are more CA PAM devices than this license permits.

PAM-CMN-1210 = There are more Password devices than this license permits.

PAM-CMN-1211 = There are more A2A devices than this license permits.

PAM-CMN-1212 = New license does not permit AWS. Clear your AWS configuration before continuing.

PAM-CMN-1213 = New license does not permit mainframe access. Remove existing mainframe Access Methods before continuing.

PAM-CMN-1214 = CA PAM license is invalid and access services are now disabled. Please contact your CA Account Representative.

PAM-CMN-1215 = AWS license requires Access and Password license nodes.

PAM-CMN-1216 = The license was not updated. There was a failure deleting the Office365 device. See the audit log for more details.

PAM-CMN-1217 = The license was not updated. There was an error provisioning the Office365 device. See the audit log for more details.

PAM-CMN-1218 = The license was not updated. There was a failure deleting the AWS device. See the audit log for more details.

PAM-CMN-1219 = The license was not updated. There was an error provisioning the AWS device. See the audit log for more details.

PAM-CMN-1220 = New license does not permit Office365. Clear your Office365 configuration before continuing.

PAM-CMN-1221 = There are more AWS Proxy users than this license permits.

PAM-CMN-1222 = AWS Proxy license requires Access, Password, and A2A nodes.

PAM-CMN-1223 = CA PAM evaluation license will expire today.

PAM-CMN-1224 = CA PAM evaluation license has expired and access services will be disabled on {0,date,medium}. Please contact your CA Account Representative.

PAM-CMN-1225 = CA PAM evaluation license has expired and access services are now disabled. Please contact your CA Account Representative.

PAM-CMN-1226 = Spike (temporary) CA PAM license will expire on {0,date,medium}.

PAM-CMN-1227 = Spike CA PAM license will expire today.

PAM-CMN-1228 = Spike CA PAM license has expired and access services will be disabled on {0,date,medium}. Please contact your CA Account Representative.

PAM-CMN-1229 = Spike CA PAM license has expired and access services are now disabled. Please contact your CA Account Representative.

PAM-CMN-1230 = CA PAM license is invalid: {0}

PAM-CMN-1231 = New license does not permit VMware. Clear your VMware configuration before continuing.

PAM-CMN-1232 = VMware license requires at least one PA license node.

PAM-CMN-1233 = The license was not updated. There was an error creating the NSX service. See the audit log for more details.

PAM-CMN-1234 = The license was not updated. There was a failure deleting the NSX service. See the audit log for more details.

PAM-CMN-1235 = There are more NSX Proxy users than this license permits.

PAM-CMN-1236 = Your connection to '{0}'{1} has been terminated by VMware NSX Security Policy.

PAM-CMN-1237 = The license was not updated. NSX Proxy License requires VMware license

PAM-CMN-1238 = Invalid license file

PAM-CMN-1239 = Invalid start date

PAM-CMN-1240 = Invalid end date

PAM-CMN-1241 = Start date in the future.

PAM-CMN-1242 = More CA PAM Devices are provisioned than are permitted by this CA PAM license.

PAM-CMN-1243 = More Password Devices are provisioned than are permitted by this CA PAM license.

PAM-CMN-1244 = More A2A Devices are provisioned than are permitted by this CA PAM license.

PAM-CMN-1245 = AWS capabilities in use, but not permitted by license.

PAM-CMN-1246 = Mainframe access method policies found, but not permitted by license.

PAM-CMN-1247 = Unable to determine license type.

PAM-CMN-1248 = VMware capabilities in use, but not permitted by license.

PAM-CMN-1249 = Office365 capabilities in use, but not permitted by license.

PAM-CMN-1250 = AWS API Proxy license not an integer.

PAM-CMN-1251 = AWS API Proxy license cannot be removed. There are {0} user(s) with the AwsApiProxy privilege.

PAM-CMN-1252 = AWS API Proxy capabilities in use, but not permitted by license.

PAM-CMN-1253 = Failed to update AWS API Proxy whitelist: {0}.

PAM-CMN-1254 = Invalid action issued to AWS API Proxy whitelist: {0}.

PAM-CMN-1255 = Invalid subnet {0}. Format should be in CIDR notation (xxx.xxx.xxx.xxx/xx).

PAM-CMN-1256 = HSM capabilities in use, but not permitted by license.

PAM-CMN-1257 = Invalid permission to activate admin mode.

PAM-CMN-1258 = Web SSO not enabled.

PAM-CMN-1259 = SafeNet HSM must be removed before Thales HSM may be licensed.

PAM-CMN-1260 = Thales HSM must be removed before SafeNet HSM may be licensed.

PAM-CMN-1261 = Only one type of HSM (SafeNet, Thales) may be specified in a license.

PAM-CMN-1262 = The license was not updated. There was a failure setting up VMware. See the audit log for more details.

PAM-CMN-1263 = The license was not updated. There was a failure shutting down VMware. See the audit log for more details.

PAM-CMN-1264 = Upgrade failed. Please review the audit log and then perform a system recovery.

PAM-CMN-1265 = Failed to install API key infrastructure. Please check the logs to find the problem and reapply the license.

PAM-CMN-1266 = The license was not updated. External API feature was not added. Please check the logs to find the problem and reapply the license.

PAM-CMN-1267 = The license was not updated. External API feature not removed. Existing client API keys may need to be deleted.

PAM-CMN-1268 = Invalid value for External API license.

PAM-CMN-1269 = Failed to update Proxy whitelist: {0}.

PAM-CMN-1270 = Invalid action issued to Proxy whitelist: {0}.

PAM-CMN-1271 = Invalid subnet {0}. Format should be in CIDR notation (xxx.xxx.xxx.xxx/xx).

PAM-CMN-1272 = AWS Proxy Account cannot be generated. There are more AWS proxy accounts than license permits

PAM-CMN-1273 = NSX Proxy Account cannot be generated. There are more NSX proxy accounts than license permits

PAM-CMN-1274 = The license was not updated. Uploaded license file could not be verified or read.

PAM-CMN-1275 = CA Threat Analytics license requires that External API also be licensed.

PAM-CMN-1276 = The CA Threat Analytics special user is deleted when the CA Threat Analytics is no longer licensed, and may not be deleted otherwise.

PAM-CMN-1277 = Invalid value for CA Threat Analytics license.

PAM-CMN-1278 = The license was not updated. CA Threat Analytics feature was not added. Please check the logs to find the problem and reapply the license.

PAM-CMN-1279 = The license was not updated. CA Threat Analytics feature not removed. Please check the logs to find the problem and reapply the license.

PAM-CMN-2016 = CA PAM license is invalid: CA PAM is not provisioned with a valid license.

PAM-CMN-2017 = CA PAM license is invalid: Invalid license file

PAM-CMN-2018 = CA PAM license is invalid: Invalid start date

PAM-CMN-2019 = CA PAM license is invalid: Invalid end date

PAM-CMN-2020 = CA PAM license is invalid: Start date in the future.

PAM-CMN-2021 = CA PAM license is invalid: More CA PAM Devices are provisioned than are permitted by this CA PAM license.

PAM-CMN-2022 = CA PAM license is invalid: More Password Devices are provisioned than are permitted by this CA PAM license.

PAM-CMN-2023 = CA PAM license is invalid: More A2A Devices are provisioned than are permitted by this CA PAM license.

PAM-CMN-2024 = CA PAM license is invalid: AWS capabilities in use, but not permitted by license.

PAM-CMN-2025 = CA PAM license is invalid: AWS API Proxy capabilities in use, but not permitted by license.

PAM-CMN-2026 = CA PAM license is invalid: VMware capabilities in use, but not permitted by license.

PAM-CMN-2027 = CA PAM license is invalid: Office365 capabilities in use, but not permitted by license.

PAM-CMN-2028 = CA PAM license is invalid: HSM capabilities in use, but not permitted by license.

PAM-CMN-2029 = CA PAM license is invalid: Only one type of HSM (SafeNet, Thales) may be specified in a license.

PAM-CMN-2030 = CA PAM license is invalid: Mainframe access method policies found, but not permitted by license.

PAM-CMN-2031 = CA PAM license is invalid: Unable to determine license type.

PAM-CMN-3348 = CA PAM license is invalid: Sailpoint Table Integration is installed, but not permitted by license.

PAM-CMN-3400 = NSX Proxy license requires Access, Password, and A2A nodes.

PAM-CMN-3401 = NSX API Proxy license cannot be removed. There are {0} users with the NsxApiProxy privilege.

PAM-CMN-3402 = NSX API Proxy license is not an integer.

PAM-CMN-3403 = The interval between emails is required.

PAM-CMN-3404 = NSX Proxy service can not be deleted.

PAM-CMN-3405 = Invalid role type: {0}.

PAM-CMN-3328 = Group code {0} is not allowed.

PAM-CMN-3329 = Group code is required.

PAM-CMN-3330 = Group code may not be updated.

PAM-CMN-4816 = Invalid value for SailPoint.

PAM-CMN-5191 = Invalid provision key specified {0}.

HSM Configuration Messages

PAM-CMN-1256 = HSM capabilities in use, but not permitted by license.

PAM-CMN-1259 = SafeNet HSM must be removed before Thales HSM may be licensed.

PAM-CMN-1260 = Thales HSM must be removed before SafeNet HSM may be licensed.

PAM-CMN-1261 = Only one type of HSM (SafeNet, Thales) may be specified in a license.

PAM-CMN-1280 = CA PAM is not provisioned to use an HSM

PAM-CMN-1281 = Error trying to provision CA PAM for SafeNet HSM.

PAM-CMN-1282 = SafeNet HSM with address {0} added.

PAM-CMN-1283 = Attempt to remove the SafeNet HSM configuration failed due to the passwords currently being re-encrypted

PAM-CMN-1284 = HSM with address {0} removed.

PAM-CMN-1285 = Attempt to initialize LUNA PCI has failed

PAM-CMN-1286 = LUNA PCI has been initialized successfully

PAM-CMN-1287 = Attempt to activate LUNA PCI has failed

PAM-CMN-1288 = LUNA PCI has been activated

PAM-CMN-1289 = Attempt to extract LUNA PCI Key has failed

PAM-CMN-1290 = LUNA PCI Key extracted

PAM-CMN-1291 = Failed to securely insert the cipher key

PAM-CMN-1292 = Success inserting the encrypted cipher key into the LunaPCI-E device

PAM-CMN-1293 = Failed to initialize the internal LunaPCI-E device

PAM-CMN-1294 = Failed to create a partition on the internal LunaPCI-E device

PAM-CMN-1295 = Success initializing the internal LunaPCI-E device

PAM-CMN-1296 = Failed to securely extract the cipher key

PAM-CMN-1297 = Failed to PED activate the LunaPCI-E partition

PAM-CMN-1298 = Failed to secure the partition password for the LunaPCI-E partition

PAM-CMN-1299 = Failed to log into the partition with the supplied password

PAM-CMN-1300 = Failed to generate the cypher key during the initial activation

PAM-CMN-1301 = Success activating the LunaPCI-E device on this non primary clustered CA PAM

PAM-CMN-1302 = Success activating the LunaPCI-E device on this primary clustered CA PAM

PAM-CMN-1303 = Success activating the LunaPCI-E device on this standalone CA PAM...reboot is needed

PAM-CMN-1304 = Error HSM script arguments are incomplete

PAM-CMN-1305 = Error CA PAM is not configured to use an HSM

PAM-CMN-1306 = Error the HSM password is incorrect

PAM-CMN-1307 = Success updating the HSM password

PAM-CMN-2547 = Cannot add a networked HSM because this PAM has an internal LunaPCI-E device

PAM-CMN-2548 = Proper usage: addHSM <input_1> <input_2> <input_3> <input_4> <input_5> <input_6>

PAM-CMN-2549 = The HSM software is not installed on PAM

PAM-CMN-2806 = Proper usage: appendHSM <principalName> <HSM_IP> <principalPassword> <storagePassword> <storageName>

PAM-CMN-2808 = The partition {0} on the first HSM does not match with {1} on this HSM

PAM-CMN-2809 = PAM is not provisioned to use an HSM. Please install the first HSM.

PAM-CMN-2810 = The HSM group is already at the maximum of 3

PAM-CMN-2811 = Cannot determine the primary HSM group member.

PAM-CMN-2812 = The HSM {0} is already provisioned on this PAM

PAM-CMN-2813 = Cannot determine the HSM group members.

PAM-CMN-2815 = Unable to copy the HSM certificate

PAM-CMN-2817 = This client {0} is already registered on the HSM

PAM-CMN-2820 = Failed to add HSM {0}. Consistency check failed

PAM-CMN-2821 = Failed to add HSM {0}. Post synch consistency check failed

PAM-CMN-2822 = Success, you must reboot the appliance for this change to take effect!

PAM-CMN-2823 = Proper usage: appendThalesHSM <tokenName> <RFS_IP> <HSM_IP> <tokenPassword>

PAM-CMN-2824 = Cannot deploy an OCS with individual names. All cards in the OCS must be named the same and must have the same passwords.

PAM-CMN-2825 = Bad HSM IP address

PAM-CMN-2826 = Bad RFS IP address

PAM-CMN-2827 = Failed to get the ESN and hash from {0}

PAM-CMN-2828 = Failed to enroll the client to the HSM {0}

PAM-CMN-2829 = Proper usage: createHSM <principalName> <HSM_IP> <principalPassword> <storagePassword> <storageName>

PAM-CMN-2830 = PAM is already provisioned to use an HSM

PAM-CMN-2833 = Invalid Security Principal, Password or HSM IP address. Please try again.

PAM-CMN-2835 = Unable to create a Luna client certificate

PAM-CMN-2836 = HSM connection test from {0} failed.

PAM-CMN-2839 = PAM is not provisioned to use an HSM

PAM-CMN-2840 = Failed to remove HSM {0}

PAM-CMN-2841 = {0} is not a deployed HSM.

PAM-CMN-2842 = Unknown HSM vendor

PAM-CMN-2843 = Cannot mix HSMs from different vendors

PAM-CMN-2844 = Proper usage: removeHSM <HSM_IP>

PAM-CMN-2845 = The HSM {0} is not provisioned on this PAM

PAM-CMN-2846 = LunaPCI-E Uninitialized

PAM-CMN-2847 = LunaPCI-E Initialized

PAM-CMN-2850="PAM is currently provisioned to use an HSM"

PAM-CMN-2866 = Proper usage: createThalesHSM <tokenName> <RFS_IP> <HSM_IP> <tokenPassword>

PAM-CMN-2867 = Failed to get the ESN and hash from {0} on port {1}

PAM-CMN-2868 = Failed to setup with the RFS {0} on port {1}

PAM-CMN-2869 = Failed to synch update with the RFS {0} on port {1}

PAM-CMN-2870 = Failed to test login cache with the HSM token {0}

PAM-CMN-2871 = Failed to test login with the HSM token {0}

PAM-CMN-2872 = Failed to generate the AES256 cipher key on the HSM token {0}

PAM-CMN-2873 = This standalone PAM does not have commit permission to the RFS. You must run 'rfs-setup --gang-client' on the RFS first.

PAM-CMN-2875 = Failed to get the ESN and hash from {0}

PAM-CMN-3234="The HSM is not functioning properly with PKCS11 result: {0}, {1}"

Secondary Transparent Login Messages

PAM-CMN-1308 = Transparent Login Configuration name is empty.

PAM-CMN-1309 = Transparent Login Configuration invalid. See log for details.

PAM-CMN-1310 = Transparent Login Configuration name cannot be longer than 128 characters.

PAM-CMN-1311 = XML for Transparent Login Configuration invalid.

PAM-CMN-1312 = Transparent Login Configuration not found.

PAM-CMN-1313 = Transparent Login Configuration name {0} must be unique.

PAM-CMN-1314 = The given Transparent Login Configuration is used by one or several RDP applications.

PAM-CMN-1315 = Hide from user is required.

PAM-CMN-1316 = Transparent Login Enabled is required.

PAM-CMN-1317 = Invalid data 'Hide From User'.

PAM-CMN-1318 = Invalid data 'Transparent Login Enabled'.

PAM-CMN-1319 = Transparent Login window is required.

PAM-CMN-1320 = Invalid Transparent Login Window.

PAM-CMN-1321 = Application Fingerprint must consist of 128 characters.

PAM-CMN-1322 = Invalid Application Fingerprint. Only the following characters are allowed for fingerprint: 0-9 A-F.

PAM-CMN-1323 = Transparent Login Configurations for RDP Application {0} do not exist, or the Transparent Login section contains invalid data (Window Titles: {1}).

PAM-CMN-1324 = Transparent Login Window with the title '{0}' already exists for this RDP application.

PAM-CMN-1325 = Login failed for user {0} due to multiple active TACACS+ users having the same login name. All TACACS+ users with login name {1} will be deactivated.

PAM-CMN-1326 = Login Failed. Please contact your system administrator for further assistance.

PAM-CMN-1327 = TACACS+ user {0} moved from TACACS+ group {1} to TACACS+ group {2}.

PAM-CMN-1328 = Authentication failed for TACACS+ user {0}. TACACS+ authentication succeeded but the user's TACACS+ group changed from {1} to {2}. The new TACACS+ group is not registered with CA PAM. User account deleted.

PAM-CMN-1329 = TACACS+ user is not registered. Contact your CA PAM Administrator.

PAM-CMN-1330 = Authentication failed for TACACS+ user {0}. TACACS+ authentication succeeded but unable to retrieve the user's TACACS+ group.

AWS, VMware, and Azure Virtual Device Management Messages

PAM-CMN-1331 = Duplicate {0} Provision is not allowed.

PAM-CMN-1332 = Unable to retrieve AWS proxy account. Please contact CA PAM administrator.

PAM-CMN-1333 = Unable to retrieve NSX proxy account. Please contact CA PAM administrator.

PAM-CMN-1334 = There was an error during proxy account deletion.

PAM-CMN-1438 = Unauthorized attempt to save VMware NSX configuration

PAM-CMN-1439 = Unauthorized attempt to clear VMware NSX configuration

PAM-CMN-1440 = Unauthorized attempt to retrieve VMware NSX configuration

PAM-CMN-1441 = Certificate info of VMware NSX Service Manager was successfully updated.

PAM-CMN-1442 = Failed to update certificate info of VMware NSX Service Manager.

PAM-CMN-1443 = PAM Service was successfully registered in VMware NSX Manager with URL {0}.

PAM-CMN-1444 = Failed to registered PAM Service in VMware NSX Manager with URL {0}.

PAM-CMN-1445 = PAM Service was successfully unregistered from VMware NSX Manager with URL {0}.

PAM-CMN-1446 = VMware NSX configuration ({0}) was successfully cleared.

PAM-CMN-1447 = VMware NSX configuration was cleared but PAM Service was not unregistered from VMware NSX Manager with URL {0}.

PAM-CMN-1448 = Failed to unregister PAM Service from VMware NSX Manager with URL {0}.

PAM-CMN-1507 = Failed to connect to AWS Access key {0}. Code: {1}, Reason: {2}.

PAM-CMN-1508 = Unauthorized attempt to purge all AWS virtual devices

PAM-CMN-1509 = Unauthorized attempt to create AWS provision type

PAM-CMN-1547 = Device {0} was provisioned by another VMware user and was not updated

PAM-CMN-1550 = Connection to '{0}' has been terminated by VMware NSX Security Policy

PAM-CMN-1591 = Unauthorized attempt to purge all VMware virtual devices

PAM-CMN-1592 = {0} VMware devices were not deleted. Credentials are kept and the connection was set to inactive.

PAM-CMN-1593 = All VMware virtual devices were deleted

PAM-CMN-1594 = Unauthorized attempt to create VMware provision type

PAM-CMN-1595 = Unauthorized attempt to clear VMware provision type

PAM-CMN-1596 = Unauthorized attempt to add VMware provision key.

PAM-CMN-1597 = Synchronization of security tags and groups with VMware NSX was not done.

PAM-CMN-1598 = Synchronization of security tags and groups with VMware NSX completed successfully.

PAM-CMN-1649 = Unable to retrieve the AWS Virtual Management IP provision region. The VIP cannot be managed on this node.

PAM-CMN-1652 = There was an error retrieving credentials for AWS

PAM-CMN-1653 = Unable to retrieve the AWS Virtual Management IP provision key. The VIP cannot be managed on this node.

PAM-CMN-1657 = Unable to retrieve AWS secret key for use by S3 storage.

PAM-CMN-1712 = No source IP address found for AWS API Proxy request.

PAM-CMN-1713 = Invalid source IP address {0} found for AWS API Proxy request.

PAM-CMN-1714 = AWS API Proxy request came from IP address {0}, which is not on any whitelist.

PAM-CMN-1715 = AWS API Proxy request for user {0} failed due to authentication failure. See previous log messages for details.

PAM-CMN-1716 = Completely unexpected result was returned for Authentication Service for AWS proxy login. Returned value was {0}

PAM-CMN-1717 = AWS API Proxy user {0} was not logged in because they do not have the AWS API Proxy user privilege

PAM-CMN-1719 = Problems communicating with AWS. Message was {0}

PAM-CMN-1746 = Added AWS policy {0}

PAM-CMN-1748 = Updated AWS policy {0}

PAM-CMN-1749 = Deleted AWS policy {0}

PAM-CMN-1751 = Unable to find AWS device by its device id

PAM-CMN-1752 = Unknown EC2 Region code {0}. Region will not be set.

PAM-CMN-1753 = Unable to open AWS provisioning lock file

PAM-CMN-1754 = AWS provisioning already in progress.

PAM-CMN-1755 = Failed to connect to AWS. Exception was {0}

PAM-CMN-1756 = Unknown AWS region code {0}

PAM-CMN-1757 = Cannot allow delete of access pair {0} as it is used for AWS provisioning in region {1}

PAM-CMN-1758 = Cannot allow delete of access pair {0} because it is used to access the AWS Management console by {1} {2}

PAM-CMN-1766 = Device Group {0} is not added to VMware

PAM-CMN-1778 = Unexpected return from viewAccountPassword. Connection to VMware vCenter/NSX aborted.

PAM-CMN-1779 = Invalid VMware Configuration - invalid URL {0}

PAM-CMN-1780 = Unable to open VMWARE provisioning lock file

PAM-CMN-1781 = Failed to connect to VMware using URL {0} for user {1}.

PAM-CMN-1782 = Invalid data returned from VMware at {0} for user {1}. Data was {2}.

PAM-CMN-1783 = VMware provisioning already in progress at {0} for user {1}.

PAM-CMN-1784 = Error when attempting to create NSX device - error was {0}

PAM-CMN-1785 = No source IP address found for NSX API Proxy request.

PAM-CMN-1786 = Invalid source IP address {0} found for NSX API Proxy request.

PAM-CMN-1787 = VMware NSX API Proxy request for user {0} failed due to authentication failure. See previous log messages for details.

PAM-CMN-1788 = Completely unexpected result was returned for Authentication Service for VMware NSX proxy login. Returned value was {0}

PAM-CMN-1789 = VMware NSX API Proxy user {0} was not logged in because they do not have the VMware NSX API Proxy user privilege

PAM-CMN-1803 = Unable to find master target aws credential - request aborted

PAM-CMN-1813 = No user name supplied for AWS Management console.

PAM-CMN-1814 = No AWS URL was generated for policy {0} using user friendly account name {1}

PAM-CMN-1817 = Missing owner on NSX Proxy account {0}

PAM-CMN-1819 = Added {0} to AWS API Proxy Auto-Activation Whitelist.

PAM-CMN-1820 = Removed {0} from AWS API Proxy Auto-Activation Whitelist.

PAM-CMN-1821 = Added {0} to VMware NSX API Proxy Auto-Activation Whitelist.

PAM-CMN-1822 = Removed {0} from VMware NSX API Proxy Auto-Activation Whitelist.

PAM-CMN-1824 = Error when attempting to create NSX proxy account - unable to get PA user ID for user

PAM-CMN-1825 = Error when attempting to create AWS proxy account - unable to get PA user ID for user

PAM-CMN-1826 = Missing owner on AWS Proxy account {0}

PAM-CMN-1837 = Missing required AWS getProxyToken parameter user name

PAM-CMN-1838 = Missing required AWS getProxyToken parameter password

PAM-CMN-1839 = Missing required AWS getProxyToken parameter user name, password

PAM-CMN-1840 = Missing the following required attributes to get an AssumeRole token: AWS policy.

PAM-CMN-1841 = Missing the following required attributes to get an AssumeRole token: AWS policy, Access key.

PAM-CMN-1842 = Missing the following required attributes to get an AssumeRole token: AWS policy, Access key, Secret key.

PAM-CMN-1843 = Missing the following required attributes to get an AssumeRole token: AWS policy, Access key, Secret key, ARN ID.

PAM-CMN-1844 = Missing the following required attributes to get an AssumeRole token: AWS policy, Access key, Secret key, ARN ID, Target account user name.

PAM-CMN-1845 = Missing the following required attributes to get an AssumeRole token: AWS policy, Secret key.

PAM-CMN-1846 = Missing the following required attributes to get an AssumeRole token: AWS policy, Access key, ARN ID.

PAM-CMN-1847 = Missing the following required attributes to get an AssumeRole token: AWS policy, Secret key, ARN ID.

PAM-CMN-1848 = Missing the following required attributes to get an AssumeRole token: AWS policy, Secret key, Target account user name.

PAM-CMN-1849 = Missing the following required attributes to get an AssumeRole token: AWS policy, ARN ID, Target account user name.

PAM-CMN-1850 = Missing the following required attributes to get an AssumeRole token: AWS policy, Access key, Target account user name.

PAM-CMN-1851 = Missing the following required attributes to get an AssumeRole token: AWS policy, Access key, ARN ID, Target account user name.

PAM-CMN-1852 = Missing the following required attributes to get an AssumeRole token: AWS policy, Secret key, ARN ID, Target account user name.

PAM-CMN-1853 = Missing the following required attributes to get an AssumeRole token: AWS policy, ARN ID

PAM-CMN-1854 = Missing the following required attributes to get an AssumeRole token: AWS policy, Target account user name

PAM-CMN-1855 = Failed to find AWS access key

PAM-CMN-1856 = Failed to find AWS secret key

PAM-CMN-1857 = Failed to find AWS access key and AWS secret key

PAM-CMN-1858 = VMware configuration missing fields: VMware user name, VMware password, VMware URL.

PAM-CMN-1859 = VMware configuration missing fields: VMware user name.

PAM-CMN-1860 = VMware configuration missing fields: VMware password.

PAM-CMN-1861 = VMware configuration missing fields: VMware URL.

PAM-CMN-1862 = VMware configuration missing fields: VMware user name, VMware password.

PAM-CMN-1863 = VMware configuration missing fields: VMware user name, VMware URL.

PAM-CMN-1864 = VMware configuration missing fields: VMware password, VMware URL.

PAM-CMN-1865 = Missing required NSX getProxyToken parameters user name, password.

PAM-CMN-1866 = Missing required NSX getProxyToken parameters user name.

PAM-CMN-1867 = Missing required NSX getProxyToken parameters password.

PAM-CMN-1878 = {0} total AWS devices were not deleted. Provisioning information is kept and the connection was set to inactive.

PAM-CMN-1879 = All AWS virtual devices were deleted

PAM-CMN-1882 = Provisioning information and AWS devices for access {0} and region {1} deleted.

PAM-CMN-1883 = {0} AWS devices were not deleted for access code and region {1}. Credentials are kept and the connection was set to inactive.

PAM-CMN-1884 = AWS provisioning added for access key {0} in region {1}. Active state is {2}

PAM-CMN-1886 = Updated AWS refresh interval to {0}.

PAM-CMN-1893 = All VMware provisionings were deleted

PAM-CMN-1894 = All {0} VMware provisionings were deleted

PAM-CMN-1895 = Unable to retrieve target account information for VMware provision with URL {0}.

PAM-CMN-1896 = Provisioning information and VMware devices for vCenter URL {0} and user {1} deleted.

PAM-CMN-1897 = Update of target account {0} for device {1} failed - the account must be deleted before the device can be.

PAM-CMN-1898 = {0} VMware devices were not deleted for vCenter URL {1} and user {2}. Credentials are kept and the connection was set to inactive.

PAM-CMN-1899 = Add VMware provisioning row, but unable to retrieve account name or device name

PAM-CMN-1900 = Added VMware provisioning for vCenter URL {0} and user {1}.

PAM-CMN-1901 = Updated VMware provisioning for {0} user {1} to URL {2} active = {3}

PAM-CMN-1902 = Activated VMware provisioning for vCenter URL {0} but unable to retrieve account name or device name.

PAM-CMN-1903 = Deactivated VMware provisioning for vCenter URL {0} but unable to retrieve account name or device name.

PAM-CMN-1904 = Activated VMware provisioning for vCenter URL {0} and user {1}.

PAM-CMN-1905 = Deactivated VMware provisioning for vCenter URL {0} and user {1}.

PAM-CMN-1906 = Activated all VMware provisioning. {0} were not yet activated.

PAM-CMN-1907 = Deactivated all VMware provisioning. {0} were not yet deactivated.

PAM-CMN-1909 = Updated VMware refresh interval to {0}

PAM-CMN-1943 = Missing the following required attributes to get an AssumeRole token: AWS policy, Access key, Secret key, Target account user name.

PAM-CMN-1944 = Missing the following required attributes to get an AssumeRole token: Access key.

PAM-CMN-1945 = Missing the following required attributes to get an AssumeRole token: Access key, Secret key.

PAM-CMN-1946 = Missing the following required attributes to get an AssumeRole token: Access key, Secret key, ARN ID.

PAM-CMN-1947 = Missing the following required attributes to get an AssumeRole token: Access key, Secret key, Target account user name.

PAM-CMN-1948 = Missing the following required attributes to get an AssumeRole token: Access key, Secret key, ARN ID, Target account user name.

PAM-CMN-1949 = Missing the following required attributes to get an AssumeRole token: Secret key.

PAM-CMN-1950 = Missing the following required attributes to get an AssumeRole token: Access key, ARN ID.

PAM-CMN-1951 = Missing the following required attributes to get an AssumeRole token: Secret key, ARN ID.

PAM-CMN-1952 = Missing the following required attributes to get an AssumeRole token: Secret key, Target account user name.

PAM-CMN-1953 = Missing the following required attributes to get an AssumeRole token: ARN ID, Target account user name.

PAM-CMN-1954 = Missing the following required attributes to get an AssumeRole token: Access key, Target account user name.

PAM-CMN-1955 = Missing the following required attributes to get an AssumeRole token: Access key, ARN ID, Target account user name.

PAM-CMN-1956 = Missing the following required attributes to get an AssumeRole token: Secret key, ARN ID, Target account user name.

PAM-CMN-1957 = Missing the following required attributes to get an AssumeRole token: ARN ID

PAM-CMN-1958 = Missing the following required attributes to get an AssumeRole token: Target account user name

PAM-CMN-2132 = type = {0}; access = {1}; password = {2}; a2a = {3}; awsAPIProxy = {4}; start = {5,date,medium} {6}

PAM-CMN-2133 = type = {0}; access = {1}; password = {2}; a2a = {3}; awsAPIProxy = {4}; start = {5,date,medium} {6} end={7,date,medium};

PAM-CMN-2226 = Unable to contact AWS Management Console for run time update. Connection aborted.

PAM-CMN-2227 = Unable to contact AWS Management Console for run time update. Attempting to connect anyway.

PAM-CMN-2228 = Master AWS Target Server. All EC2 target accounts should be associated with this device.

PAM-CMN-2276 = Unexpected PA failure on isAWSTargetType message was {0}.

PAM-CMN-2280 = Unable to calculate AWS URL for policy {0} using user friendly account name {1} - error was {2}.

PAM-CMN-2281 = Unable to calculate AWS URL - error was {0}.

PAM-CMN-2313 = Error when attempting to create NSX proxy account - error was {0}.

PAM-CMN-2314 = Error when attempting to retrieve NSX account name - error was {0}.

PAM-CMN-2315 = Error when attempting to create AWS proxy account - error was {0}.

PAM-CMN-2316 = Error when attempting to retrieve AWS account name - error was {0}.

PAM-CMN-2317 = Unable to retrieve AWS Proxy Accounts - error was {0}.

PAM-CMN-2354 = Unable to retrieve NSX Accounts. Error was {0}

PAM-CMN-2492 = Unable to contact AWS Management Console for run time update.

PAM-CMN-2493 = Unable to contact AWS Management Console for run time update. Connection aborted.

PAM-CMN-2494 = Unable to contact AWS Management Console for run time update. Attempting to connect anyway.

PAM-CMN-3237 = The AWS secret key for use by S3 storage is missing.

PAM-CMN-5350 = Azure target account is required.

PAM-CMN-5351 = Azure subscription ID is required.

PAM-CMN-5352 = The license was not updated. There was a failure deleting the Azure device. See the audit log for more details.

PAM-CMN-5353 = Updated Azure refresh interval to {0}.

PAM-CMN-5354 = Unauthorized attempt to create Azure provision type

PAM-CMN-5355 = Unable to find AWS device by its device id

PAM-CMN-5356 = Unable to contact Azure Active Directory for run time update. Connection aborted.

PAM-CMN-5357 = Unable to contact Azure Active Directory for run time update. Attempting to connect anyway.

PAM-CMN-5358 = Unable to contact Azure Active Directory for run time update.

PAM-CMN-5359 = This subscription and resource group are already provisioned.

PAM-CMN-5360 = Failed to get Azure API access token.

PAM-CMN-5361 = Failed to access Azure API.

PAM-CMN-5362 = Azure provisioning added for target account {0} subscription {1} and resource group {2}. Active state is {3}

PAM-CMN-5363 = Provisioning information and Azure devices for subscription {0} and resource group {1} deleted.

PAM-CMN-5364 = {0} Azure devices were not deleted for subscription {1}. The connection was set to inactive.

PAM-CMN-5365 = {0} Azure devices were not deleted. See logs for details. The configuration is now inactive.


PAM-CMN-5366 = Target account restrict delete was not set for provision row for target account {0} subscription {1}: {2}

PAM-CMN-5367 = Unable to retrieve Azure Accounts. Error was {0}

PAM-CMN-5368 = Unable to retrieve Azure account. Please contact CA PAM administrator.

PAM-CMN-5369 = Unable to retrieve Azure target application. Please contact CA PAM administrator.

PAM-CMN-5370 = Unable to find master target azure credential - request aborted

PAM-CMN-5371 = Azure provisioning request

PAM-CMN-5372 = Device imported from Azure

PAM-CMN-5373 = Microsoft Azure Target Server. All Azure target accounts should be associated with this device.

PAM-CMN-5374 = Azure Users sync completed: {0} Azure users deleted, {1} Azure users remaining.

PAM-CMN-5375 = User {0} deleted from Azure. Deleting user ...

PAM-CMN-5376 = Azure provisioning updated for target account {0} subscription {1} and resource group {2}. User sync state is {3} and Device sync state is {4}

PAM-CMN-5377 = The User Sync checkbox must have a value of t or f.

PAM-CMN-5378 = The Device Sync checkbox must have a value of t or f.

PAM-CMN-5379 = Azure users deprovision failed. Error getting Resource Id from Azure.

PAM-CMN-5380 = Azure user {0} unassigned from CA PAM Azure App. Deleting user ...

PAM-CMN-5381 = Updated Azure devices refresh interval to {0}.

PAM-CMN-5382 = Updated Azure users refresh interval to {0}.

PAM-CMN-5383 = Unable to retrieve Azure VIP provision configuration. Please make sure Azure connection has been setup properly under PAM Configuration.

PAM-CMN-5384 = Unable to retrieve Azure VIP provision account details. Perhaps PA is restarting or down?

PAM-CMN-5385 = Unable to retrieve Azure VIP provision account password. Perhaps PA is restarting or down?

PAM-CMN-5386 = Failed to update Azure network interface - private IP {0} - public IP {1}. Error: {2}

PAM-CMN-5387 = Failed to get Azure IP configuration status - {0}

Credential Management API Non-Device Messages

PAM-CMN-1335 = Role description may not be longer than 100 characters.

PAM-CMN-1336 = Invalid target account id {0} specified.

PAM-CMN-1337 = Invalid target application id specified.

PAM-CMN-1338 = The password request failed: {0}

PAM-CMN-1339 = Invalid type {0} for listing password view requests.

PAM-CMN-3288 = Allows the use of the External API by {0}.

PAM-CMN-3289 = All the privileges needed for {0} to use the external API.

PAM-CMN-3290 = Allows the user to use the AWS API Proxy.

PAM-CMN-3291 = Allows the user to log in, check the access page, and remotely access the AWS API Proxy

PAM-CMN-3292 = Allows the user to use the VMware NSX API Proxy.

PAM-CMN-3293 = Allows the user to log in, check the access page, and remotely access the VMware NSX API Proxy

Session Recording Messages

PAM-CMN-1340 = Session recording mount not available. The reconciliation process was not launched.

PAM-CMN-1384 = Session recording flag file ksl_logfile restored. CLI recording flag was {0}. Graphical recording flag was {1}.

PAM-CMN-1385 = Syslog recording flag file ksl_sylog restored. Syslog recording flag was {0}.

PAM-CMN-1503 = Updated Session Recording to be Security Safe

PAM-CMN-1504 = Updated Session Recording to be Operationally Safe

PAM-CMN-1549 = Session recording purging settings updated.


PAM-CMN-1747 = Session recording '{0}' was viewed

PAM-CMN-1880 = Cannot delete - used for storing session recording logs. Change the provision row used on the logs configuration page before deleting.

PAM-CMN-1981 = Session recording purging already running

PAM-CMN-1982 = Session recording purging started...

PAM-CMN-1983 = File storage went down while session recording purging was in progress

PAM-CMN-1984 = Session recording purging successfully completed. {0} recording(s) was/were removed. Took {1} seconds

PAM-CMN-1985 = Starting session reconciliation run.

PAM-CMN-1986 = Session recording reconciliation process still running. This may indicate a problem with your system; please contact CA Technologies if you see this message occurring frequently.

PAM-CMN-1987 = Unable to delete short file {0}

PAM-CMN-1988 = Deleted short file {0}

PAM-CMN-1989 = Ending session recording reconciliation. {0} session recording rows added to table. {1} sidecar(.inf) files added to share. {2} nearly empty files deleted from share.

PAM-CMN-1990 = Unable to mount NFS after 2 attempts

PAM-CMN-1991 = Unable to mount SMB after 2 attempts

PAM-CMN-1992 = Unable to mount Amazon S3 bucket after 2 attempts

PAM-CMN-1993 = rfscheck[{0}]: "Unable to mount NFS after 2 attempts"

PAM-CMN-1994 = rfscheck[{0}]: "Unable to mount SMB after 2 attempts"

PAM-CMN-1995 = rfscheck[{0}]: "Unable to mount Amazon S3 bucket after 2 attempts"

PAM-CMN-2121 = Session recording mitigation not applied because API user lacked the privilege

PAM-CMN-2122 = Session recording mitigation not applied. No privilege manager in session.

PAM-CMN-2199 = Updated filters and session recording

PAM-CMN-2207 = Session Recording

PAM-CMN-2209 = CLI Session Recording: on;

PAM-CMN-2210 = CLI Session Recording: off;

PAM-CMN-2211 = Graphical Session Recording: on;

PAM-CMN-2212 = Graphical Session Recording: off;

PAM-CMN-2213 = Web Session Recording: on;

PAM-CMN-2214 = Web Session Recording: off;

PAM-CMN-2218 = CLI Session Recording: on bidirectional;

PAM-CMN-2219 = CLI Session Recording: off bidirectional;

PAM-CMN-2403 = Session recording started for {0}. {1}

PAM-CMN-2404 = Session recording stopped for {0}. {1}

PAM-CMN-2503 = Reported problem on NFS for Session Recording

PAM-CMN-2505 = Reported problem with NFS share for Session Recording

PAM-CMN-2507 = Reported problem on Amazon S3 for Session Recording

PAM-CMN-2509 = Reported problem on SMB for Session Recording

PAM-CMN-2728 = Storage is not mounted, can not start session recording.

PAM-CMN-2730 = gatekeeper[{0}]: Fail to initialize recoding, security safe mode, service discarded

PAM-CMN-2804 = Session can't be established due to a problem with session recording

PAM-CMN-3134 = Primary network storage for session recording is down

PAM-CMN-3220 = Failed to enable session recording on the fly, security safe mode

PAM-CMN-3224 = There was a problem with the recording storage. This connection is not allowed in security-safe mode.

PAM-CMN-3333 = Current session recording file "{0}" is broken or refers to other CA PAM.

PAM-CMN-3334 = Access Denied!

PAM-CMN-3354 = There is insufficient space to play the recording at this time. Please try again later.

PAM-CMN-3355 = Invalid host id specified.

Session Manager Service Messages

PAM-CMN-1341 = This CA PAM appliance is in maintenance mode. Only admin users will be able to login.

PAM-CMN-4100 = Session log records must be in an array.

PAM-CMN-4101 = Session log record {0} is invalid.

PAM-CMN-4102 = Ignore session log level flag {0} is invalid. Value should be 1 for true, 0 for false.

PAM-CMN-4103 = Session log transaction type {0} is invalid. See documentation for a list of valid types.


PAM-CMN-4014 = Created timestamp {0} is invalid. It should be number of milliseconds since the epoch or empty.

Upgrade, Backup, and Recovery Messages

PAM-CMN-1342 = Applied patch '{0}'. {1}

PAM-CMN-1343 = Upgrading to the same version could cause unexpected result

PAM-CMN-1344 = Problem applying the upgrade package. Details: {0}

PAM-CMN-1345 = Please stop the cluster before proceeding with the upgrade

PAM-CMN-1346 = Upgrade package has been applied successfully

PAM-CMN-1347 = Backup of the appliance takes time. Please be patient and wait until it reboots.<br/>The LCD will show the message <b>System backup! Please wait!</b> <br/> Wait until the normal operation message shows on the LCD then log in again and resume work in your browser.

PAM-CMN-1348 = Recover of the appliance takes time. Please be patient and wait until it reboots.<br/>The LCD will show the message <b>System backup! Please wait!</b><br/> Wait until the normal operation message shows on the LCD then log in again and resume work in your browser.

PAM-CMN-1349 = An error occurred while running the backup

PAM-CMN-1350 = An error occurred while running recovery

PAM-CMN-1351 = Configuration-Upgrade: Performing Backup

PAM-CMN-1352 = Configuration-Recovery: Performing Recovery

PAM-CMN-1353 = An error occurred while trying to delete the staging file

PAM-CMN-3278 = FAILED TO RESTORE DB. {0} is too big to restore the database safely!

PAM-CMN-3279 = DB can be restored successfully. Required DB size is less than Existing DB

PAM-CMN-3280 = FAILED TO RESTORE DB. {0} is too big to restore. Required SPACE={1} kb

PAM-CMN-3281 = DB can be successfully restored. Required Disk space={0}, HALF of Available Space={1}

PAM-CMN-3282 = {0} is not a writable directory.

PAM-CMN-3283 = A fatal error occurred while dumping the database.

PAM-CMN-3284 = Database dumped successfully to {0}

PAM-CMN-3285 = The database you are attempting to load is not compatible with the current version.

PAM-CMN-3286 = This database contains settings that are not compatible with FIPS mode. Turn off FIPS mode to continue restoring.

PAM-CMN-3287 = An error occurred while trying to load {0}.

PAM-CMN-3288 = Allows the use of the External API by {0}.

PAM-CMN-3335 = Cannot access patchinfo file. This patch must be an older package type, not installable on this version of CA PAM.

PAM-CMN-3336 = CA PAM cannot be upgraded while in cluster mode. Turn off clustering before upgrading.

PAM-CMN-3337 = Insufficient storage space for successful firmware upgrade.<br>Export your logs to free storage space and try again.

PAM-CMN-3338 = Problem unpacking the upgrade package.

PAM-CMN-3339 = This is an invalid FIPS patch. Please contact CA Technologies.

PAM-CMN-3340 = Patch verification failed.

PAM-CMN-3341 = This is not an approved FIPS patch.

PAM-CMN-3342 = Insufficient storage for database update.<br>Export your logs and try to upgrade again.

PAM-CMN-3343 = Unable to check the upgrade package version.<br>The package seems to be older. CA PAM cannot be downgraded.

PAM-CMN-3344 = Cannot upgrade CA PAM.

PAM-CMN-3345 = Cannot upgrade because current<br>CA PAM version {0} must equal {1}.

PAM-CMN-3346 = Cannot upgrade because current<br>CA PAM version {0} must be between {2} and {3} (inclusive).

PAM-CMN-3347 = Could not export record of type ''{0}'' initiated by user ''{1}''. Error message: ''{2}''.

PAM-CMN-3349 = Cannot upgrade because patch is not HMAC signed. Please contact CA Technologies.

PAM-CMN-3350 = Cannot upgrade because patch has invalid checksum. Please contact CA Technologies.

PAM-CMN-3367 = Cannot upgrade because {0} cannot be installed on CA PAM {1}. <br>To upgrade from CA PAM {2}, please use CA PAM {3}.{4} once available.

PAM-CMN-3382 = The last full appliance backup failed on {0}

CA Threat Analytics Related Messages

PAM-CMN-1028 = CA Threat Analytics server is inaccessible or its configuration is invalid.

PAM-CMN-1354 = CA Threat Analytics update failed. Message (if any) was {0}

PAM-CMN-1355 = CA Threat Analytics update succeeded in part and failed in part.


PAM-CMN-1356 = CA Threat Analytics get failed.

PAM-CMN-1357 = CA Privileged Access Manager is collecting and analyzing limited information about your client system and sessions

PAM-CMN-2032 = BAPService.getRiskLevels called when {0} was not configured. Request ignored.

PAM-CMN-2033 = BAPService.getUserRiskLevels called when {0} was not configured. Request ignored.

PAM-CMN-2034 = User Id {0} invalid for BAPService.getUserRiskLevel.

PAM-CMN-2035 = User {0} was assigned a risk level from {1}.

PAM-CMN-2036 = User {0} was assigned the default risk level.

PAM-CMN-2037 = Session id was not in proper format. Data was not sent to {0}.

PAM-CMN-2038 = Unexpected action {0} while trying to log a connect or disconnect. Expected values are connect or disconnect

PAM-CMN-2039 = Invalid connection id {0} when attempting to log a {1} event.

PAM-CMN-2040 = No connection found with sequence number {0}. {1} was not logged to {2}.

PAM-CMN-2041 = Unexpected reason {0} for disconnecting from client. Disconnection will not be logged.

PAM-CMN-2042 = Default risk level not found. A risk level of Good will be used.

PAM-CMN-2043 = Unexpected default risk level {0}. A risk level of Good will be used.

PAM-CMN-2044 = Missing required service identifier. Data was not reported to {0}.

PAM-CMN-2045 = Invalid url {0} for sending to {1}.

PAM-CMN-2046 = Unable to construct {0} URL. Message was {1}

PAM-CMN-2047 = extraData should be an array or empty

PAM-CMN-2048 = Warning: extra parameters supplied will be ignored because the url contains a query string

PAM-CMN-2049 = Invalid request type {0} - one of GET, POST, PUT, or DELETE should be used

PAM-CMN-2050 = Unable to find {0} Authorization token. Message was {1}.

PAM-CMN-2051 = Invalid administrative user id {0} when attempting to log a session logout

PAM-CMN-2052 = Invalid logout reason {0} when attempting to log a session logout

PAM-CMN-2053 = Session id was not in proper format. Data was not sent to {0}.

PAM-CMN-2054 = Unable to get user information for logout based on administrator userid: {0}.

PAM-CMN-2055 = Private IP address was not in proper format. Data was not sent to {0}.

PAM-CMN-2056 = Public IP address was not in proper format. Data was not sent to {0}.

PAM-CMN-2057 = Machine id was not in proper format. Data was not sent to {0}.

PAM-CMN-2058 = No session found for session {0} upInit data will not be sent to {1}.

PAM-CMN-2790 = User must have configuration manager, manage devices and manage network services privileges to update the TAP configuration

PAM-CMN-2791 = Invalid address {0} supplied for TAP device. Update failed.

PAM-CMN-3615 = Created {0} Admin Group with group name {1}.

PAM-CMN-3616 = {0} group already exists, was not changed.

PAM-CMN-3617 = Threat Analytics special user group is deleted when Threat Analytics is no longer licensed, and may not be deleted otherwise.

PAM-CMN-3618 = Deleted {0} Admin Group {1}.

PAM-CMN-3619 = Threat Analytics special user group cannot be updated.

PAM-CMN-3621 = Threat Analytics special policy cannot be deleted.

PAM-CMN-3622 = Threat Analytics special policy cannot be updated.

PAM-CMN-3623 = Threat Analytics special user group should have super user as one of its members.

PAM-CMN-3624 = Only Users with Global Administrator privilege can be added to Threat Analytics special user group and vice versa.

Active Directory Messages

PAM-CMN-2177 = The user must reset their password.

PAM-CMN-2178 = The user's password has expired.

PAM-CMN-2179 = The user entered an incorrect password.

PAM-CMN-2180 = The user's account is disabled in Active Directory.

PAM-CMN-2181 = The user's account has expired in Active Directory.

PAM-CMN-2182 = The user's account has been locked in Active Directory.

PAM-CMN-2183 = The user's account cannot be found in Active Directory.

PAM-CMN-2184 = The user is not permitted to login in Active Directory.

PAM-CMN-2185 = The user is not permitted to login on this workstation in Active Directory.


SAML Related Messages

PAM-CMN-1360 = PAM received a request to issue an assertion for SAML service {0}, but the user is not authorized to access this service.

PAM-CMN-1361 = SAML assertion for service {0} will not be released because the subject name ID format was not specified in the policy for this user.

PAM-CMN-1362 = SAML assertion for service {0} will not be released because the following required attributes have not been mapped or resolved to a value: {1}

PAM-CMN-1363 = PAM SAML IdP issued an authentication failed response to SAML service {0} with entity ID {1} via {2}

PAM-CMN-1364 = PAM SAML IdP issued an authentication failed response to SAML service {0} with entity ID {1} via {2} authenticated via {3}

PAM-CMN-1365 = PAM SAML IdP has issued an assertion to SAML service {0} with entity ID {1} via {2} as subject {3}

PAM-CMN-1366 = PAM SAML IdP has issued an assertion to SAML service {0} with entity ID {1} via {2} as subject {3} authenticated via {4}

PAM-CMN-1367 = There is a SAML Subject Identifier Format policy conflict for user {0} for SAML service {1} involving the following policies: {2}

PAM-CMN-1368 = There is a SAML Subject Identifier Value policy conflict for user {0} for SAML service {1} involving the following policies: {2}

PAM-CMN-1369 = PAM SAML IdP request: Message did not meet security requirements. {0}

PAM-CMN-1370 = PAM received a request to issue an assertion for recorded SAML service {0}, but the user did not access the service using the CA Technologies browser, as required for web session recording. The user must access the service using the CA Technologies browser from the PAM access page.

PAM-CMN-1520 = PAM SAML IdP request: {0}

PAM-CMN-1731 = SAML SSO Enabled

PAM-CMN-1732 = SAML SSO Disabled

PAM-CMN-1908 = PAM SAML IdP request: Message did not meet security requirements. Authentication request received from unknown SAML SP {0}

PAM-CMN-2158 = Error parsing the SAML metadata file.

PAM-CMN-2159 = Metadata file does not contain any SAML IdP entities.

PAM-CMN-2160 = SAML entity {0} does not contain a SingleSignOnService with a valid Post binding. Acceptable Post bindings are: {1}.

PAM-CMN-2161 = SAML entity {0} does not contain a SingleSignOnService with a Post or Redirect binding.

PAM-CMN-2162 = SAML entity {0} does not contain any key data.

PAM-CMN-2163 = There are no valid SAML 2.0 IdP descriptors in the metadata file.

PAM-CMN-2164 = SAML Remote IdP(s) added: {0}.

PAM-CMN-2186 = SAML user provisioned via Just In Time provisioning from Remote Identity Provider {0}

PAM-CMN-2747 = SAML configuration (except Fully Qualified Hostname) will be replicated to all cluster members

PAM-CMN-5388 = Refreshing the metadata for SAML identity provider %s failed. Please ensure the source URL is accessible and that if configured for validation, that the certificate fingerprint corresponds to the certificate used to sign the metadata.

PAM-CMN-5389 = Metadata refresh is enabled but there are no IdPs configured with a source URL for metadata refresh.

PAM-CMN-5390 = SAML metadata refresh for IdP %s completed successfully but there were no updates.

PAM-CMN-5391 = SAML metadata refresh for IdP %s completed successfully: %s certificates added, %s certificates removed.

PAM-CMN-5392 = Saving the updated certificates during SAML metadata refresh failed with the following error: %s

PAM-CMN-5393 = Specifying the fingerprint for the metadata refresh signing certificate requires the source URL where the metadata can be retrieved.

PAM-CMN-5394 = The metadata source URL is not a valid URL.

PAM-CMN-5395 = Specified metadata refresh certificate fingerprint is not a valid SHA-1 certificate fingerprint.

PAM-CMN-5396 = Invalid SP metadata refresh mode specified.

SSL, FIPS, and Cryptography Messages

PAM-CMN-2724 = OpenSSL configuration error: {0}, {1}

PAM-CMN-2831 = PAM is currently provisioned to use OpenSSL and the password is not cached!

PAM-CMN-2832 = PAM is re-encrypting the DB. Please try again later.


PAM-CMN-2837 = PAM is currently provisioned to use WolfSSL and the password is not cached!

PAM-CMN-2848 = Proper usage: useOpenSSL <provider>

PAM-CMN-2849 = password and confirmed password do not match!

PAM-CMN-2851 = PAM is currently provisioned to use non-FIPS mode cryptography provider

PAM-CMN-2852 = PAM is currently provisioned to use FIPS mode cryptography provider

PAM-CMN-3105 = Warning: client selects unsupported cipher.

PAM-CMN-3107 = WolfSSL JNI library result: {0}, Replicating WolfSSL config settings to non primary members

PAM-CMN-3108 = WolfSSL JNI library result: {0}, Memory allocation error in getKeyFromLabel

PAM-CMN-3109 = WolfSSL JNI library result: {0}, failed to decrypt the key in getKeyFromLabel

PAM-CMN-3110 = WolfSSL JNI library result: {0}, Failed to logon to WolfSSL JNI layer

PAM-CMN-3111 = WolfSSL JNI library result: {0}, Failed to generate random AES key with RDRAND

PAM-CMN-3112 = WolfSSL JNI library result: {0}, Failed to generate random AES key using WolfSSL

PAM-CMN-3113 = WolfSSL JNI library result: {0}, Successfully generated the random AES key with WolfSSL

PAM-CMN-3114 = WolfSSL JNI library result: {0}, Failed to encrypt the secret key

PAM-CMN-3115 = WolfSSL JNI library result: {0}, Failed to PEM encode the secret key

PAM-CMN-3116 = WolfSSL JNI library result: {0}, Failed to find label to encrypt

PAM-CMN-3117 = WolfSSL JNI library result: {0}, Failed to get key to encrypt

PAM-CMN-3118 = WolfSSL JNI library result: {0}, Failed to get input string to encrypt

PAM-CMN-3119 = WolfSSL JNI library result: {0}, Failed to encrypt since input string is zero length

PAM-CMN-3120 = WolfSSL JNI library result: {0}, Encryption failed. The result is empty

PAM-CMN-3121 = WolfSSL JNI library result: {0}, Failed to find label to decrypt

PAM-CMN-3122 = WolfSSL JNI library result: {0}, Failed to get key to decrypt

PAM-CMN-3123 = WolfSSL JNI library result: {0}, Failed to get input string to decrypt

PAM-CMN-3124 = WolfSSL JNI library result: {0}, Failed to decrypt since input string is zero length

PAM-CMN-3125 = WolfSSL JNI library result: {0}, Decryption failed. The result is empty

PAM-CMN-3165 = WolfSSL JNI library result: {0}, Successfully generated the random AES key with hardware RDRAND

PAM-CMN-3166 = SSL Config result: {0}, Failed to generate random data using hardware RDRAND

PAM-CMN-3167 = SSL Config result: {0}, Failed to generate random data using OpenSSL

PAM-CMN-3168 = SSL Config result: {0}, Failed to open masking file for writing

PAM-CMN-3173 = SSL Config result: {0}, Encryption test error!

PAM-CMN-3174 = SSL Config result: {0}, Failed to open encryption test file for writing

PAM-CMN-3175 = SSL Config result: {0}, Memory allocation error

PAM-CMN-3176 = SSL Config result: {0}, Failed to PEM encode the masked password

PAM-CMN-3177 = SSL Config result: {0}, Failed to open password file for writing

PAM-CMN-3178 = SSL Config result: {0}, Failed to open masking file for reading

PAM-CMN-3180 = SSL Config result: {0}, Failed to open password file for reading

PAM-CMN-3191 = SSL Config result: {0}, Successfully generated random data with hardware RDRAND

PAM-CMN-3192 = SSL Config result: {0}, Successfully generated random data with OpenSSL

PAM-CMN-3193 = SSL Config result: {0}, Failed to generate random data using WolfSSL

PAM-CMN-3194 = SSL Config result: {0}, Successfully generated random data with WolfSSL

PAM-CMN-3195 = SSL Config result: {0}, Failed to generate master passphrase using hardware RDRAND

PAM-CMN-3196 = SSL Config result: {0}, Failed to generate master passphrase using OpenSSL

PAM-CMN-3197 = SSL Config result: {0}, Successfully generated master passphrase with hardware RDRAND

PAM-CMN-3198 = SSL Config result: {0}, Successfully generated master passphrase with OpenSSL

PAM-CMN-3199 = SSL Config result: {0}, Failed to generate master passphrase using WolfSSL

PAM-CMN-3200 = SSL Config result: {0}, Successfully generated master passphrase with WolfSSL

PAM-CMN-3294 = OpenSSL JNI library result: {0}, No cached OpenSSL password, using default key

PAM-CMN-3295 = OpenSSL JNI library result: {0}, Replicating OpenSSL config settings to non primary members

PAM-CMN-3296 = OpenSSL JNI library result: {0}, Memory allocation error in getKeyFromLabel

PAM-CMN-3297 = OpenSSL JNI library result: {0}, ERROR, Non default OpenSSL key and OpenSSL password is not cached.

PAM-CMN-3298 = OpenSSL JNI library result: {0}, Memory allocation error in getKeyFromLabel

PAM-CMN-3299 = OpenSSL JNI library result: {0}, failed to decrypt the key in getKeyFromLabel

PAM-CMN-3302 = OpenSSL JNI library result: {0}, Successfully generated the random AES key with hardware RDRAND

PAM-CMN-3303 = OpenSSL JNI library result: {0}, Failed to generate random AES key using OpenSSL


PAM-CMN-3304 = OpenSSL JNI library result: {0}, Successfully generated the random AES key with OpenSSL

PAM-CMN-3305 = OpenSSL JNI library result: {0}, Failed to logon to OpenSSL JNI layer, using defaults

PAM-CMN-3306 = OpenSSL JNI library result: {0}, Failed to generate random AES key with hardware RDRAND

PAM-CMN-3307 = OpenSSL JNI library result: {0}, Failed to encrypt the secret key

PAM-CMN-3308 = OpenSSL JNI library result: {0}, Failed to PEM encode the secret key

PAM-CMN-3309 = OpenSSL JNI library result: {0}, Failed to find label to encrypt

PAM-CMN-3310 = OpenSSL JNI library result: {0}, Failed to get key to encrypt

PAM-CMN-3311 = OpenSSL JNI library result: {0}, Failed to get input string to encrypt

PAM-CMN-3312 = OpenSSL JNI library result: {0}, Failed to encrypt since input string is zero length

PAM-CMN-3313 = OpenSSL JNI library result: {0}, Encryption failed. The result is empty

PAM-CMN-3314 = OpenSSL JNI library result: {0}, Failed to find label to decrypt

PAM-CMN-3315 = OpenSSL JNI library result: {0}, Failed to get key to decrypt

PAM-CMN-3316 = OpenSSL JNI library result: {0}, Failed to get input string to decrypt

PAM-CMN-3317 = OpenSSL JNI library result: {0}, Failed to decrypt since input string is zero length

PAM-CMN-3318 = OpenSSL JNI library result: {0}, Decryption failed. The result is empty

Other Common Messages

PAM-CMN-1359 = CA Single Sign-On disabled. Rebooting Apache...

PAM-CMN-1371 = Log records viewed

The PAM-CMN-1371 message appears twice when someone logs into the CA PAM UI. This is expected behavior as the UI queries the log to obtain information to appear under Recent Events and to populate the dashboard.

PAM-CMN-1372 = Downloaded log records

PAM-CMN-1373 = Failed to update status of log row {0}

PAM-CMN-1374 = Log report {0} successfully added

PAM-CMN-1375 = Log report {0} not added

PAM-CMN-1376 = Log report {0} updated

PAM-CMN-1377 = Update of log report {0} failed

PAM-CMN-1378 = Log report {0} was deleted

PAM-CMN-1379 = Log report {0} was not deleted

PAM-CMN-1380 = Unable to retrieve all device data for applet. Check device properties and terminal types for device.

PAM-CMN-1381 = Credential service is down, user must enter their own credentials

PAM-CMN-1382 = Credential not found for association

PAM-CMN-1383 = Missing session host data for device, unable to launch applet

PAM-CMN-1386 = Unable to find sequence number for device {0} service {1} protocol {2}

PAM-CMN-1387 = Check Conflicts require either a task or a service to check against.

PAM-CMN-1389 = Unable to find secondary login credential for transparent login

PAM-CMN-1390 = CSV {0} of type {1} initiated by user {2}.

PAM-CMN-1391 = CSV {0} of type {1} initiated by user {2} completed in {3}.

PAM-CMN-1392 = A CSV import/export job is already running and is at {0} percent completion. Please wait until it is complete before initiating another.

PAM-CMN-1393 = A CSV {0} of {1} is running in the background and is at {2} percent completion. It has been running for {3}.

PAM-CMN-1394 = A CSV {0} of {1} is running in the background and is at {2} percent completion. It has been running for {3}. Please wait until it is complete before initiating another.

PAM-CMN-1395 = Downloaded CSV output file {0} generated from the {1} of {2}.

PAM-CMN-1396 = Error running scheduled database backup - unable to retrieve account information.

PAM-CMN-1397 = Error running scheduled database backup - Invalid number of parameters.

PAM-CMN-1398 = Credential service is down

PAM-CMN-1399 = Error obtaining device information for backup destination

PAM-CMN-1400 = Error obtaining target IP for backup destination

PAM-CMN-1401 = Invalid device address {0}. Address should be IP address or hostname.

PAM-CMN-1402 = An error occurred while uploading patch. Unknown error


PAM-CMN-1403 = An error occurred while uploading patch. File is not uploaded

PAM-CMN-1404 = An error occurred while uploading patch. Can't move file to staging folder

PAM-CMN-1405 = An error occurred while uploading patch. No file was uploaded

PAM-CMN-1406 = An error occurred while uploading patch. Invalid file size

PAM-CMN-1407 = An error occurred while uploading patch. File was uploaded partially

PAM-CMN-1408 = Unauthorized access to Upgrade service

PAM-CMN-1409 = Patch with name: {0} already exists

PAM-CMN-1410 = Ready to apply patch: {0}. Reboot required

PAM-CMN-1411 = This upgrade requires a reboot of the system.

PAM-CMN-1412 = Incorrect file name {0}. Patch not found.

PAM-CMN-1413 = Error in canceling apply patch process.

PAM-CMN-1414 = Wrong file type, please select again.

PAM-CMN-1415 = Patch with name '{0}' has been uploaded successfully.

PAM-CMN-1416 = Specified patch file does not exist.

PAM-CMN-1417 = PAM appliance ({0}) attempted to perform cluster operation, but is not part of the cluster list.

PAM-CMN-1418 = Error retrieving credential id. Message was {0}

PAM-CMN-1419 = The credential with the id {0} is not used in any policy for this user and device {1}.

PAM-CMN-1420 = Target account: {0}

PAM-CMN-1421 = User {0}'s access to applet(s) {1} and service(s) {2} on device {3} disabled due to policy conflicts. Navigate to the View Conflicts page for more details.

PAM-CMN-1422 = User {0}'s access to applet(s) {1} on device {2} disabled due to policy conflicts. Navigate to the View Conflicts page for more details.

PAM-CMN-1423 = User {0}'s access to service(s) {1} on device {2} disabled due to policy conflicts. Navigate to the View Conflicts page for more details.

PAM-CMN-1424 = User {0}'s connection to {1} has multiple command filter {2} list policies. Enforcing union of command filter policies: {3}.

PAM-CMN-1425 = User '{0}' attempted to access the unauthorized page: {1}.

PAM-CMN-1426 = Ping test: Error connecting to {0}.

PAM-CMN-1427 = setServletState: Error connecting to the Server Control integration servlet.

PAM-CMN-1428 = getEncryptedPassword: Could not encrypt the password. res={0}

PAM-CMN-1429 = An error occurred clearing Server Control integration data.

PAM-CMN-1430 = Failed to insert into configuration table (name = '{0}', value = '{1}')

PAM-CMN-1431 = Failed to update configuration table (name = '{0}', value = '{1}')

PAM-CMN-1432 = An error occurred saving Server Control integration data.

PAM-CMN-1433 = An error occurred contacting Server Control integration servlet.

PAM-CMN-1434 = Deleted certificate: {0}

PAM-CMN-1435 = User switched to Configuration Section

PAM-CMN-1436 = Unauthorized connection to /config2/ from IP {0}.

PAM-CMN-1437 = PAM Config Login OK.

PAM-CMN-1449 = Updates in Global Settings: {0}

PAM-CMN-1450 = Invalid limit specified for query. Value was {0}. Limit was ignored.

PAM-CMN-1451 = Invalid offset specified for query. Value was {0}. Offset was ignored.

PAM-CMN-1452 = Downloaded database backup public key file {0}.

PAM-CMN-1453 = Error downloading database backup public key file.

PAM-CMN-1454 = S3 mount operation unsuccessful. {0}.

PAM-CMN-1455 = S3 bucket already mounted. {0}.

PAM-CMN-1457 = Created System Diagnostic file

PAM-CMN-1458 = Remote PAM Debugging Services turned {0}

PAM-CMN-1459 = External logging failure

PAM-CMN-1468 = User session initialized ({0})

PAM-CMN-1469 = User switched to Administration Section

PAM-CMN-1470 = User {0} attempted to access the unauthorized feature: {1}.

PAM-CMN-1471 = Importing {0} from file {1} aborted. Imported: {2}, Added: {3}, Updated: {4}, Errors: {5}. {6}/{7} {0} imported before abort.

PAM-CMN-1472 = Imported {0} from file {1}. Imported: {2}, Added: {3}, Updated: {4}, Errors: {5}.

PAM-CMN-1473 = Super username changed from ({0}) to ({1}).

PAM-CMN-1474 = PAM denied unauthorized JAR download request to {0}.

PAM-CMN-1475 = JAR file {0} was not found.
PAM-CMN-1476 = Invalid LDAP domain specified for authenticating user {0}.
PAM-CMN-1477 = Unable to retrieve LDAP servers for domain {0} for authenticating user {1}.
PAM-CMN-1478 = Unauthorized connection to /config/ from IP {0}.
PAM-CMN-1479 = Uploaded license file "{0}".
PAM-CMN-1480 = {0} {1} copied from {2}. Copied all {3} associations!
PAM-CMN-1481 = Session expired
PAM-CMN-1482 = Logout OK
PAM-CMN-1483 = Office 365 policy between user {0} and device {1} deleted.
PAM-CMN-1484 = Association between user {0} and device {1} deleted.
PAM-CMN-1485 = Association between user {0} and device {1} does not contain any services, SSL VPN services, or applets. Removing association.
PAM-CMN-1486 = The CA PAM database has been reset successfully.
PAM-CMN-1487 = Database backup schedule deleted successfully!
PAM-CMN-1488 = Problem deleting the database backup schedule!
PAM-CMN-1489 = Unable to save the database backup schedule!
PAM-CMN-1505 = Did not add virtual device {0} to the non-existent group {1}
PAM-CMN-1506 = Did not add virtual device {0} to the non-AWS group {1}
PAM-CMN-1510 = Unauthorized attempt to retrieve device groups by {0}
PAM-CMN-1511 = Unauthorized attempt to add a device group by {0}
PAM-CMN-1512 = Unauthorized attempt to update device group by user {0}
PAM-CMN-1513 = Unauthorized attempt to update properties of device group {0} by {1}.
PAM-CMN-1514 = Unauthorized attempt to add devices to group {0} by {1}.
PAM-CMN-1515 = Unauthorized attempt to delete a device group by {0}
PAM-CMN-1516 = Device Group {0} successfully deleted
PAM-CMN-1517 = Device Group {0} was not found and not deleted
PAM-CMN-1518 = Unexpected result from deleting device group
PAM-CMN-1519 = Unauthorized attempt to delete device group {0} by {1}
PAM-CMN-1521 = {0} device group(s) deleted, {1} device group(s) not deleted for lack of privilege, {2} device group(s) not found, {3} unknown device group delete errors.
PAM-CMN-1522 = Special type device {0} deleted
PAM-CMN-1523 = Special type device {0} not deleted
PAM-CMN-1524 = Special type device {0} updated
PAM-CMN-1525 = Special type device {0} not updated
PAM-CMN-1526 = User Defined Special type device {0} inserted
PAM-CMN-1527 = Special type device {0} not inserted
PAM-CMN-1528 = Database corruption - more than one special type device was inserted
PAM-CMN-1529 = User {0} tried to update device
PAM-CMN-1530 = Unauthorized attempt to update device {0} by {1}
PAM-CMN-1531 = Unknown expected response from multi device delete. Response = {0} for device id {1}
PAM-CMN-1532 = Completely unexpected response {0} when deleting device
PAM-CMN-1533 = Device was not found and not deleted - disregard message above
PAM-CMN-1534 = Device {0} was not found and not deleted - disregard delete log message above
PAM-CMN-1535 = Unexpected result from deleting device
PAM-CMN-1536 = Unauthorized attempt to add a device {0} by {1}
PAM-CMN-1537 = User {0} tried to autoregister device {1} without authorization
PAM-CMN-1538 = User {0} tried to change the host name of a device via autoregistration without authorization
PAM-CMN-1539 = Device {0} is not a request server, but has a request server id. The address was not updated.
PAM-CMN-1540 = User {0} tried to update the target server without proper privileges without authorization
PAM-CMN-1541 = User {0} not authorized to delete device
PAM-CMN-1542 = User {0} tried to assign device {1} to device groups {2} without authorization
PAM-CMN-1543 = User {0} tried to {1} device {2} without assigning the device to an authorized group.
PAM-CMN-1544 = Unexpected provisioning type id when updating {0}
PAM-CMN-1545 = User {0} tried to initiate autodiscovery without authorization
PAM-CMN-1546 = Mismatch on provision types in reconcile virtual devices. Expected {0} got {1}
PAM-CMN-1548 = Unknown response when adding ldap group {0}
PAM-CMN-1549 = Session recording purging settings updated.

PAM-CMN-1551 = Unauthorized attempt to update smart button group {0} by {1}
PAM-CMN-1552 = Unauthorized attempt to add smart button group {0} by user {1}
PAM-CMN-1553 = Smart Button group {0} added.
PAM-CMN-1554 = Smart Button group {0} not added
PAM-CMN-1555 = Database corruption - more than one Smart Button group was added
PAM-CMN-1556 = Unauthorized attempt to delete smart button group {0} by {1}
PAM-CMN-1557 = Successfully deleted smart button group {0}
PAM-CMN-1558 = Smart Button group {0} was not found and not deleted
PAM-CMN-1559 = Unexpected result from deleting smart button group
PAM-CMN-1560 = Unauthorized attempt to access group list by {0}
PAM-CMN-1561 = Tag {0} was renamed to {1}
PAM-CMN-1562 = Tag {0} was deleted
PAM-CMN-1563 = User {0} tried to manage tags without authorization
PAM-CMN-1564 = User {0} tried to rename a label to {1} without authorization
PAM-CMN-1565 = User {0} tried to delete a label without authorization
PAM-CMN-1566 = Unauthorized attempt to change user group {0} by {1}
PAM-CMN-1567 = User group {0} successfully updated
PAM-CMN-1568 = Database corruption - more than one user group was updated
PAM-CMN-1569 = Unauthorized attempt to add users to groups by {0}
PAM-CMN-1570 = Unauthorized attempt to add users to group {0} by {1}
PAM-CMN-1571 = Unauthorized attempt to add user group {0} by {1}
PAM-CMN-1572 = User group {0} not inserted
PAM-CMN-1573 = Database corruption - more than one user group was inserted
PAM-CMN-1574 = {0} user group(s) deleted, {1} user group(s) not deleted for lack of privilege, {2} user group(s) not found, {3} unknown user group delete errors
PAM-CMN-1575 = Unauthorized attempt to delete user group {0} by {1}
PAM-CMN-1576 = User group {0} successfully deleted
PAM-CMN-1577 = User group {0} was not found and not deleted
PAM-CMN-1578 = Unexpected result from deleting user group
PAM-CMN-1579 = Unauthorized attempt to get user groups by {0}
PAM-CMN-1580 = Unauthorized attempt to access group id {0} by {1}
PAM-CMN-1581 = Unauthorized attempt to access group name {0} by {1}
PAM-CMN-1582 = User {0} not found or not authorized to read, so it was not deleted
PAM-CMN-1583 = {0} user(s) deleted, {1} user(s) not deleted for lack of privilege, {2} user(s) not found, {3} ldap users not deleted, {4} login contact user(s) not deleted, {5} unknown user delete errors
PAM-CMN-1584 = User {0} tried to add user {1} without authorization
PAM-CMN-1585 = User {0} did not have name set, so it was not updated
PAM-CMN-1586 = User {0} tried to update user {1} without authorization
PAM-CMN-1587 = Unauthorized Attempt to update user {0} with id {1}. This method can only update the logged in user.
PAM-CMN-1588 = Unauthorized attempt to change user fields on self update
PAM-CMN-1589 = User {0} not deleted or another user deleted them
PAM-CMN-1590 = User {0} tried to retrieve the list of smart button groups without authorization
PAM-CMN-1599 = User {0} tried to add target server {1} without authorization
PAM-CMN-1600 = User {0} tried to delete PA user {1} without authorization
PAM-CMN-1601 = No PM user groups found for a user with credential manager privilege
PAM-CMN-1602 = User {0} tried to update target server {1} without authorization
PAM-CMN-1603 = Target server {0} unexpectedly not found
PAM-CMN-1604 = Target server {0} updated and renamed to {1}
PAM-CMN-1605 = Request server {0} unexpectedly not found.
PAM-CMN-1606 = User {0} tried to delete target server {1} without authorization
PAM-CMN-1607 = User {0} tried to add request server {1} without authorization
PAM-CMN-1608 = User {0} tried to delete request server {1} without authorization
PAM-CMN-1609 = User {0} tried to add service {1} without authorization
PAM-CMN-1610 = Failed to add service {0}.
PAM-CMN-1611 = Database corruption - more than one service was inserted
PAM-CMN-1612 = Service {0} not added

PAM-CMN-1613 = User {0} tried to add SSL VPN service {1} without authorization
PAM-CMN-1614 = SSL VPN Service {0} not added.
PAM-CMN-1615 = Database corruption - more than one SSL VPN Service was inserted
PAM-CMN-1616 = User {0} tried to update service {1} without authorization
PAM-CMN-1617 = User {0} tried to update SSL VPN service {1} without authorization
PAM-CMN-1618 = User {0} tried to delete service {1} without authorization
PAM-CMN-1619 = Service {0} deleted
PAM-CMN-1620 = User {0} tried to delete SSL VPN service {1} without authorization
PAM-CMN-1621 = SSL VPN Service {0} deleted
PAM-CMN-1622 = SSL VPN Service {0} not deleted
PAM-CMN-1623 = Database corruption - more than one SSL VPN Service was deleted
PAM-CMN-1624 = User {0} tried to retrieve services without authorization
PAM-CMN-1625 = User {0} tried to retrieve SSL VPN service {1} without authorization
PAM-CMN-1626 = User {0} tried to retrieve service {1} without authorization
PAM-CMN-1627 = Unauthorized attempt to get role name list by {0}
PAM-CMN-1628 = Unauthorized attempt to get role privileges by {0}
PAM-CMN-1629 = Unauthorized attempt to update roles by {0}
PAM-CMN-1630 = Attempt to update role {0} failed - no matching id
PAM-CMN-1631 = Updated role {0}
PAM-CMN-1632 = Unauthorized attempt to add role by {0}
PAM-CMN-1633 = Attempt to create role {0} failed
PAM-CMN-1634 = Role {0} has been created.
PAM-CMN-1635 = Unauthorized attempt to delete role by {0}
PAM-CMN-1636 = Attempted delete of role with a non-integer id {0}
PAM-CMN-1637 = Attempt to change default role by {0}
PAM-CMN-1638 = Deleted role {0}
PAM-CMN-1639 = Unexpected result from deleting role - were multiple roles deleted?
PAM-CMN-1640 = Unauthorized attempt to read roles by {0}
PAM-CMN-1641 = Unauthorized attempt to read role details by {0}
PAM-CMN-1642 = Unauthorized attempt to get restrictions for roles by {0}
PAM-CMN-1643 = User {0}'s connection to {1} has multiple socket filter policies. Enforcing union of socket filter policies: {2}
PAM-CMN-1644 = SSL VPN Configuration updated; Network: {0}/{1}
PAM-CMN-1645 = SSL VPN Configuration updated; Network: {0}/{1}; Split tunneling enabled
PAM-CMN-1648 = User attempted to connect via CA PAM Client but it is not permitted by configuration.
PAM-CMN-1649 = Unable to retrieve the AWS Virtual Management IP provision region. The VIP cannot be managed on this node.
PAM-CMN-1650 = Failed to initialize {0} user
PAM-CMN-1651 = CA PAM Client connection terminated due to the empty Client Distribution URL
PAM-CMN-1652 = There was an error retrieving credentials for AWS
PAM-CMN-1653 = Unable to retrieve the AWS Virtual Management IP provision key. The VIP cannot be managed on this node.
PAM-CMN-1654 = Attaching of additional storage to this virtual appliance ({0}) initiated, this appliance will be rebooted...
PAM-CMN-1655 = Detaching of additional storage from this virtual appliance initiated, this appliance will be rebooted...
PAM-CMN-1656 = Attachment of additional storage completed successfully
PAM-CMN-1657 = Unable to retrieve AWS secret key for use by S3 storage.
PAM-CMN-1658 = Detachment of additional storage completed successfully
PAM-CMN-1659 = Invalid number of parameters sent to ldapDomainDelete. Nothing was deleted.
PAM-CMN-1660 = Ldap domain {0} not found - delete aborted
PAM-CMN-1661 = Run ping on host {0}
PAM-CMN-1662 = Run traceroute on host {0}
PAM-CMN-1663 = Unable to traceroute {0}
PAM-CMN-1664 = Failed to delete ldap servers from domain {0}. Domain will not be deleted.
PAM-CMN-1665 = Failed to delete ldap domain {0}
PAM-CMN-1666 = Scan Timeout! No results from the host! IP address: {0}. Ports: {1}

PAM-CMN-1667 = Unable to scan the host! IP address: {0}. Ports: {1}
PAM-CMN-1668 = The servers of LDAP Domain {0} and associated users of one and devices of one are deleted
PAM-CMN-1669 = Run Port Scan on IP address: {0}. Ports: {1}
PAM-CMN-1670 = Error resolving {0}
PAM-CMN-1671 = Run nslookup on host {0}
PAM-CMN-1672 = Problem starting SNMP Agent
PAM-CMN-1673 = User {0} using API key {1} can't perform {2} operations while cluster is stopped. {3} was not executed.
PAM-CMN-1674 = Invalid login name {0}.
PAM-CMN-1675 = User {0} using API key {1} can't perform {2} operations while cluster is stopped. {3} was not executed.
PAM-CMN-1676 = API key {0} not found for user {1}.
PAM-CMN-1677 = SNMP Agent started successfully
PAM-CMN-1678 = API key {0} for user {1} is inactive.
PAM-CMN-1679 = Problem stopping SNMP Agent
PAM-CMN-1680 = SNMP Agent stopped successfully
PAM-CMN-1681 = User {0} is disabled. Unable to log on with API key {1}.
PAM-CMN-1682 = Can not save SNMP daemon configuration!
PAM-CMN-1683 = SNMP poll configuration saved successfully. Read-only Community: {0}
PAM-CMN-1684 = User {0} using API key {1} can't log in while maintenance mode is enabled. {2} called by HTTP {3} was not executed. Please check with an administrator for further details
PAM-CMN-1685 = User {0} using API key {1} called {2} via HTTP {3}
PAM-CMN-1686 = Problem changing the SNMP Agent startup flag!
PAM-CMN-1687 = SNMP Agent startup flag changed successfully. Start at boot: on
PAM-CMN-1688 = SNMP Agent startup flag changed successfully. Start at boot: off
PAM-CMN-1689 = Unable to build privilege manager for user {0} and API key {1}. Request was {2} via HTTP {3}
PAM-CMN-1690 = Incorrect password for {0} external API user for {1}. Request was {2} via HTTP {3}
PAM-CMN-1691 = Can not save SNMP trap configuration!
PAM-CMN-1692 = SNMP trap configuration saved successfully. Trap Community: {0}
PAM-CMN-1693 = An attempt was made to access unlicensed External REST API
PAM-CMN-1694 = An attempt was made to access deactivated External REST API
PAM-CMN-1695 = SNMPv3 Username "{0}" not found!
PAM-CMN-1696 = Can not delete SNMPv3 user "{0}"!
PAM-CMN-1697 = SNMPv3 Username "{0}" deleted successfully!
PAM-CMN-1698 = Credential Service daemon is either not running or not reachable
PAM-CMN-1699 = An attempt was made to access unlicensed External REST API documentation
PAM-CMN-1700 = An attempt was made to access deactivated External REST API documentation
PAM-CMN-1701 = Unauthorized access to service controller.
PAM-CMN-1702 = Unauthorized access to External API Documentation
PAM-CMN-1703 = Unauthorized access to External API Documentation: The user is not a global admin nor has API keys assigned.
PAM-CMN-1704 = Downloaded Certificate {0}
PAM-CMN-1705 = Downloaded CSR {0}
PAM-CMN-1706 = Downloaded private key file {0}
PAM-CMN-1707 = Uploaded Certificate {0}
PAM-CMN-1708 = Certificate Upload: {0} ({1})
PAM-CMN-1709 = Unable to retrieve host name for username {0}. Transparent Login for window '{1}' will not work.
PAM-CMN-1710 = Error shortening url. Message was: {0}
PAM-CMN-1711 = Problem with credential when logging. Launch aborted.
PAM-CMN-1712 = No source IP address found for AWS API Proxy request.
PAM-CMN-1713 = Invalid source IP address {0} found for AWS API Proxy request.
PAM-CMN-1714 = AWS API Proxy request came from IP address {0}, which is not on any whitelist.
PAM-CMN-1715 = AWS API Proxy request for user {0} failed due to authentication failure. See previous log messages for details.
PAM-CMN-1716 = Completely unexpected result was returned for Authentication Service for AWS proxy login. Returned value was {0}

PAM-CMN-1717 = AWS API Proxy user {0} was not logged in because they do not have the AWS API Proxy user privilege
PAM-CMN-1718 = No policy found connecting {0} and {1}
PAM-CMN-1719 = Problems communicating with AWS. Message was {0}
PAM-CMN-1720 = Unable to create target account for API key {0}-{1}. Message was {2}.
PAM-CMN-1721 = API key {0} not found. Delete aborted.
PAM-CMN-1722 = API key {0} deleted
PAM-CMN-1723 = API key {0} was already deleted.
PAM-CMN-1724 = Uploaded Certificate with Private Key {0}
PAM-CMN-1725 = Uploaded Intermediate Certificate {0}
PAM-CMN-1726 = Uploaded CA Bundles {0}
PAM-CMN-1727 = Uploaded Certificate Revocation List {0}
PAM-CMN-1728 = There is invalid CRL URL format: {0}
PAM-CMN-1729 = There is invalid CRL file: {0}
PAM-CMN-1730 = CRL file: {0} was added.
PAM-CMN-1733 = External REST API Access has been enabled
PAM-CMN-1734 = External REST API Access has been disabled
PAM-CMN-1735 = External Password Authority API Access has been enabled
PAM-CMN-1736 = External Password Authority API Access has been disabled
PAM-CMN-1737 = {0} deleted successfully
PAM-CMN-1738 = Unable to delete {0}
PAM-CMN-1739 = Problem updating system certification to {0}
PAM-CMN-1740 = Updated system certificate to {0}
PAM-CMN-1741 = Command String has been enabled
PAM-CMN-1742 = Command String has been disabled
PAM-CMN-1743 = Config Password updated successfully
PAM-CMN-1744 = Failed to delete target account for api key {0}
PAM-CMN-1745 = Failed to retrieve target server for policy.
PAM-CMN-1750 = Unknown device state name {0} code {1} for {2}
PAM-CMN-1759 = Could not find domain name or ip address for {0}. Device is not added
PAM-CMN-1764 = Invalid data supplied when reconciling device groups
PAM-CMN-1765 = Unexpected provision type when reconciling device group {0}
PAM-CMN-1767 = Duplicate address {0} for device {1}. Device not added.
PAM-CMN-1768 = Unable to retrieve virtual device {0}, so skipping update.
PAM-CMN-1769 = New address would result in duplicate domain name {0} for device {1}. Device is not updated.
PAM-CMN-1770 = Proxy deactivation request came from IP {0}, which is not on any whitelist.
PAM-CMN-1771 = Error deactivating device - {0}: {1}
PAM-CMN-1772 = Successfully deactivated device {0}
PAM-CMN-1773 = Attempt to deactivate by {0} is failed because it does not exist in the system.
PAM-CMN-1774 = Added Transparent Login Configuration {0}
PAM-CMN-1775 = Updated Transparent Login Configuration {0}
PAM-CMN-1776 = Deleted Transparent Login Configuration {0}
PAM-CMN-1777 = Unexpected sourceIP restriction value {0}. Value was ignored
PAM-CMN-1790 = No policy found connecting {0} and {1}.
PAM-CMN-1791 = Attempt to add target server {0} outside of licensing when Password Authority is not configured.
PAM-CMN-1792 = Unresolvable device conflict. Target server {0} wants to use the same domain/host name as the device {1}
PAM-CMN-1793 = Unable to find GK user {0}
PAM-CMN-1794 = Unable to find PA user {0}
PAM-CMN-1795 = Unable to find changed PA user {0}
PAM-CMN-1796 = Unable to update password for PA user {0}
PAM-CMN-1797 = Unable to reset password for PA user {0}. Error was {1}
PAM-CMN-1798 = Could not rename user {0}. Error was {1}
PAM-CMN-1799 = Successfully changed PA user {0} to {1}
PAM-CMN-1800 = Failed to execute searchUser command for {0}
PAM-CMN-1801 = Target Server not retrieved from Password Authority. Error Message {0}
PAM-CMN-1802 = Failed to retrieve id from request server {0}

PAM-CMN-1804 = Unable to retrieve Password Authority target account for username {0}. See previous log message for details.
PAM-CMN-1805 = Unable to retrieve Password Authority target account for username {0}. Error: {1}
PAM-CMN-1806 = Password view request returned warning code {0}. Message was {1}. Request ignored.
PAM-CMN-1807 = Unable to retrieve Password Authority password for username {0}. See previous log message for details
PAM-CMN-1808 = Unable to retrieve Password Authority password for username {0}. Error: {1}
PAM-CMN-1809 = Could not generate PA Username for GK user name {0}
PAM-CMN-1810 = Duplicate Password Authority username {0}. User not added
PAM-CMN-1811 = Missing required fields to delete target account. Hostname = {0} Application name = ${1} and username = {2}
PAM-CMN-1812 = Target account {0} for API key was already deleted or never existed. Proceeding as though the delete were successful.
PAM-CMN-1815 = Unable to locate {0} of type {1} belonging to {2}
PAM-CMN-1816 = Unable to find target server with id = {0} when looking for credentials
PAM-CMN-1823 = Unable to locate Password View Policy for dual auth view request - defaulting to 60 minute request interval.
PAM-CMN-1827 = Duplicate role name {0} not added.
PAM-CMN-1828 = Duplicate User Group {0} not added.
PAM-CMN-1829 = Unable to find privilege manager in session while trying to get list of user groups
PAM-CMN-1830 = Attempt to promote/demote user {0} to credential user group {1} failed. Group not found.
PAM-CMN-1831 = Unable to find pa user id for user {0}
PAM-CMN-1832 = Could not get details on credentials management user groups for user {0}
PAM-CMN-1833 = Could not get details on credentials management roles for user {0}
PAM-CMN-1834 = Could not get credentials management user groups for user {0}
PAM-CMN-1835 = API key {0} has privileges in excess of its user {1}. Login not allowed.
PAM-CMN-1836 = User {0} using API key {1} can't perform {2} operations on private API methods in this configuration. {3} was not executed.
PAM-CMN-1868 = {0} user already exists, was not changed.
PAM-CMN-1869 = Cannot remove {0} license feature. Please remove custom user roles with {0} privilege
PAM-CMN-1870 = Cannot remove {0} license feature. Please remove CA TAP API User role from the following users: {1}
PAM-CMN-1871 = Cannot remove {0} license feature while users still have API client keys.
PAM-CMN-1872 = An error occurred saving CA Threat Analytics configuration.
PAM-CMN-1873 = An error occurred clearing CA Threat Analytics configuration.
PAM-CMN-1874 = Maintenance mode has been enabled for this appliance
PAM-CMN-1875 = Maintenance mode has been disabled for this appliance
PAM-CMN-1876 = Failed to create target application {0}
PAM-CMN-1877 = Cannot remove External API license feature while users still have API client keys.
PAM-CMN-1885 = Updated active flag for {0} region {1} to {2}
PAM-CMN-1887 = Invalid refresh interval {0}. No change was made.
PAM-CMN-1910 = Updated CRL download interval to {0}
PAM-CMN-1911 = Disabled CRL download schedule
PAM-CMN-1912 = Restarting Apache Web Server
PAM-CMN-1913 = Downloaded database file {0}
PAM-CMN-1914 = S3 mounting performed successfully
PAM-CMN-1915 = Unmounting performed successfully
PAM-CMN-1916 = Unmount operation unsuccessful.
PAM-CMN-1917 = Database file {0} deleted successfully.
PAM-CMN-1918 = Unable to load PAM certificate for SSO user {0}. User will not be able to log-in
PAM-CMN-1919 = Remote CA-PAM Debugging Services turned {0}
PAM-CMN-1925 = Created Self-Signed Certificate {0}
PAM-CMN-1926 = Created CSR {0}
PAM-CMN-1927 = Missing required information for launch. Missing device id, RDP application {0}. User {1}
PAM-CMN-1928 = Message for device {0}: {1}
PAM-CMN-1930 = Device is marked as a target server, but no target server exists. Please set the value of the Password Management check box as you wish and click OK.

PAM-CMN-1931 = Device is marked as a request client, but no request client exists. Please set the value of the A2A check box as you wish and click OK.
PAM-CMN-1964 = Sending Password Authority subsystem start command to member {0} (ELAPSED TIME = {1}) ...
PAM-CMN-1965 = Password Authority subsystem started on node {0} (ELAPSED TIME = {1})
PAM-CMN-1979 = {0}: failed: {1}
PAM-CMN-1980 = {0} restarted
PAM-CMN-1996 = CPU temperature has recovered.
PAM-CMN-1997 = Chassis fan has recovered.
PAM-CMN-1998 = Primary drive has recovered.
PAM-CMN-1999 = Secondary drive has recovered.
PAM-CMN-2000 = Primary (leftmost) power supply unit has recovered.
PAM-CMN-2001 = Secondary (rightmost) power supply unit has recovered.
PAM-CMN-2002 = CPU temperature is higher than 134 degrees Fahrenheit!
PAM-CMN-2003 = Chassis fan has failed!
PAM-CMN-2004 = Primary drive has failed!
PAM-CMN-2005 = Secondary drive has failed!
PAM-CMN-2006 = Primary (leftmost) power supply unit has failed!
PAM-CMN-2007 = Secondary (rightmost) power supply unit has failed!
PAM-CMN-2059 = gkmonitor[{0}]: {1}--{2} {3}--Failed {4}
PAM-CMN-2060 = gkmonitor[{0}]: {1}--{2} {3}--Succeeded {4}
PAM-CMN-2061 = gkmonitor[{0}]: {1}--{2} {3}–{4}
PAM-CMN-2062 = gkmonitor[{0}]: {1}
PAM-CMN-2063 = gkmonitor[{0}]: Unable to send email! {1} email configuration is incorrect!
PAM-CMN-2064 = gkmonitor[{0}]: {1} started
PAM-CMN-2065 = gkmonitor[{0}]: {1} terminated
PAM-CMN-2066 = gkmonitor[{0}]: Monitor Parameter {1} has an empty value ... Exiting !
PAM-CMN-2067 = {0}: Received Error {1}
PAM-CMN-2068 = Connection Restored to the Database
PAM-CMN-2069 = Unable to create session log
PAM-CMN-2070 = Logged {0} event from client. Return status was {1}.
PAM-CMN-2071 = Invalid userId {0} for get DbRiskLevel. No risk level will be returned.
PAM-CMN-2072 = Malformed or invalid JSON when posting a {0} event to {1}. Http response code is {2}.
PAM-CMN-2073 = Malformed or invalid JSON when posting a {0} event to {1}. Http response code is {2}. Status was {3} .
PAM-CMN-2074 = Malformed or invalid JSON when posting a {0} event to {1}. Http response code is {2}. Status message was {3}.
PAM-CMN-2075 = Malformed or invalid JSON when posting a {0} event to {1}. Http response code is {2}. Status was {3} . Status message was {4}.
PAM-CMN-2076 = Not authorized to connect to {0} during {1} event. Http response code is {2}.
PAM-CMN-2077 = Not authorized to connect to {0} during {1} event. Http response code is {2}. Status was {3} .
PAM-CMN-2078 = Not authorized to connect to {0} during {1} event. Http response code is {2}. Status message was {3}.
PAM-CMN-2079 = Not authorized to connect to {0} during {1} event. Http response code is {2}. Status was {3} . Status message was {4}.
PAM-CMN-2080 = Forbidden to connect to {0} during {1} event. Http response code is {2}.
PAM-CMN-2081 = Forbidden to connect to {0} during {1} event. Http response code is {2}. Status was {3} .
PAM-CMN-2082 = Forbidden to connect to {0} during {1} event. Http response code is {2}. Status message was {3}.
PAM-CMN-2083 = Forbidden to connect to {0} during {1} event. Http response code is {2}. Status was {3} . Status message was {4}.
PAM-CMN-2084 = Resource or nested resource not found in {0} during {1} event. Http response code is {2}.
PAM-CMN-2085 = Resource or nested resource not found in {0} during {1} event. Http response code is {2}. Status was {3} .
PAM-CMN-2086 = Resource or nested resource not found in {0} during {1} event. Http response code is {2}. Status message was {3}.
PAM-CMN-2087 = Resource or nested resource not found in {0} during {1} event. Http response code is {2}. Status was {3} . Status message was {4}.
PAM-CMN-2088 = Request method not allowed in {0} during {1} event. Http response code is {2}.

PAM-CMN-2089 = Request method not allowed in {0} during {1} event. Http response code is {2}. Status was {3} .
PAM-CMN-2090 = Request method not allowed in {0} during {1} event. Http response code is {2}. Status message was {3}.
PAM-CMN-2091 = Request method not allowed in {0} during {1} event. Http response code is {2}. Status was {3} . Status message was {4}.
PAM-CMN-2092 = Too many requests to connect to {0} during {1} event. Http response code is {2}.
PAM-CMN-2093 = Too many requests to connect to {0} during {1} event. Http response code is {2}. Status was {3} .
PAM-CMN-2094 = Too many requests to connect to {0} during {1} event. Http response code is {2}. Status message was {3}.
PAM-CMN-2095 = Too many requests to connect to {0} during {1} event. Http response code is {2}. Status was {3} . Status message was {4}.
PAM-CMN-2096 = Server error on connection to {0} during {1} event. Http response code is {2}.
PAM-CMN-2097 = Server error on connection to {0} during {1} event. Http response code is {2}. Status was {3} .
PAM-CMN-2098 = Server error on connection to {0} during {1} event. Http response code is {2}. Status message was {3}.
PAM-CMN-2099 = Server error on connection to {0} during {1} event. Http response code is {2}. Status was {3} . Status message was {4}.
PAM-CMN-2100 = {0} temporarily unavailable during {1} event. Http response code is {2}.
PAM-CMN-2101 = {0} temporarily unavailable during {1} event. Http response code is {2}. Status was {3}.
PAM-CMN-2102 = {0} temporarily unavailable during {1} event. Http response code is {2}. Status message was {3}.
PAM-CMN-2103 = {0} temporarily unavailable during {1} event. Http response code is {2}. Status was {3} . Status message was {4}.
PAM-CMN-2104 = Unable to connect to {0} during {1} event. Http response code is {2}.
PAM-CMN-2105 = Unable to connect to {0} during {1} event. Http response code is {2}. Status was {3} .
PAM-CMN-2106 = Unable to connect to {0} during {1} event. Http response code is {2}. Status message was {3}.
PAM-CMN-2107 = Unable to connect to {0} during {1} event. Http response code is {2}. Status was {3} . Status message was {4}.
PAM-CMN-2108 = Privilege manager not found in session - risk levels not reset.
PAM-CMN-2109 = User {0} tried to set risk levels for user {1} without authorization.
PAM-CMN-2110 = Invalid user id {0}. User risk level was not changed.
PAM-CMN-2111 = No user found for user id {0}. User risk level was not changed.
PAM-CMN-2112 = Invalid risk level {0}. Risk level not changed.
PAM-CMN-2113 = User {0}'s risk level was changed to {1}.
PAM-CMN-2114 = Privilege manager not found in session.
PAM-CMN-2115 = Created {0} API user {1} with user id {2}.
PAM-CMN-2116 = Invalid risk level value {0}. User risk level not added.
PAM-CMN-2117 = Deleted {0} API user {1}.
PAM-CMN-2118 = Session id was not in proper format. Can't start recording active connections
PAM-CMN-2119 = Applying mitigations to user: {0}.
PAM-CMN-2120 = Invalid user id {0} specified for apply mitigation for user. No mitigations were applied.
PAM-CMN-2123 = Failed to close remote factories. Exception was {0}. Message was {1}.
PAM-CMN-2124 = Problem with PAM {0}, {1}
PAM-CMN-2125 = Test from PAM {0}, process {1}
PAM-CMN-2126 = This is a test from the PAM Monitor to make sure mail is working<br/>properly, and is also an indication that the PAM Monitor is<br/>attempting to be started.
PAM-CMN-2127 = Licensing Message from PAM Instance '{0}'
PAM-CMN-2128 = <br/>;<br/>The following message from the PAM license monitor on PAM instance:<br/><br/> {0}<br/><br/>requires your attention. Please review the message below and see the logs on your CA PAM instance for further information<br/><br/> {1}<br/>
PAM-CMN-2129 = Message from PAM {0}, Host {1}
PAM-CMN-2130 = ********ERROR*******ERROR*************<br/>{0}
PAM-CMN-2131 = ***********INFORMATION****************<br/>{0}
PAM-CMN-2134 = No users are disabled in PAM.
PAM-CMN-2135 = Disabled user account: {0} removed from PAM
PAM-CMN-2136 = Inactive user account: {0} has been disabled in PAM
PAM-CMN-2137 = Error generating credentials for database backup!
PAM-CMN-2138 = No remote server specified!

PAM-CMN-2139 = Unable to backup CA PAM database!
PAM-CMN-2140 = Unable to backup CA PAM configuration!
PAM-CMN-2141 = Error uploading {0} to {1}!
PAM-CMN-2142 = Specified mount {0} is down!
PAM-CMN-2143 = Protocol not specified for database and configuration backup scheduler!
PAM-CMN-2144 = Scheduled backup files {0} and {1} sent to {2}
PAM-CMN-2145 = DB compact already in progress!
PAM-CMN-2146 = Place system in maintenance mode before compacting the database
PAM-CMN-2147 = A fatal error occured while dumping the database for the DB compact.
PAM-CMN-2148 = An error occured while saving the database dump for compacting.
PAM-CMN-2149 = An error occured while dropping the database for the database compacting.
PAM-CMN-2150 = A fatal error occured while restoring the database for the DB compact, {0}.
PAM-CMN-2151 = PAM databases have been compacted.
PAM-CMN-2152 = Too many instances of rotate_coredumps.pl running
PAM-CMN-2153 = Found {0} memory dumps
PAM-CMN-2154 = Found {0} memory dumps, pruned {1}
PAM-CMN-2155 = Failed to push new {0} risk level for user to {1}. Exception was {2}. Message was {3}.
PAM-CMN-2156 = Logged {0} event from device {1}. Return status was {2}.
PAM-CMN-2157 = Logged {0} event from device {1} for reason {2}. Return status was {3}.
PAM-CMN-2165 = Unauthorized word {0} typed.
PAM-CMN-2166 = No email contact to alert.
PAM-CMN-2167 = Exceeded the maximum number of allowed violations. Session terminated.
PAM-CMN-2168 = The value for sortBy must begin with either + for ascending sort or - for descending sort. Make sure to URL encode the + symbol.
PAM-CMN-2169 = External API not licensed. Authentication refused.
PAM-CMN-2170 = Authentication required.
PAM-CMN-2171 = External API may not be used when the cluster is stopped. Please check with an administrator for further details.
PAM-CMN-2172 = Not Found
PAM-CMN-2173 = The attempt to retrieve the user's password for login failed. Please check with an administrator for further details.
PAM-CMN-2174 = User {0} can't login while maintenance mode is enabled.
PAM-CMN-2175 = Unable to build privilege manager for user {0} and API key {1}.
PAM-CMN-2187 = Unable to retrieve credential for getting the role token.
PAM-CMN-2188 = Unable to retrieve credential for getting the role token. Message was {0}
PAM-CMN-2189 = Couldn't change {0}.
PAM-CMN-2190 = API Key target server. All api key target accounts are associated with this device.
PAM-CMN-2191 = Policy id must be a positive integer.
PAM-CMN-2192 = Updated policy.
PAM-CMN-2193 = Created policy.
PAM-CMN-2194 = User: {0};
PAM-CMN-2195 = Host: {0};
PAM-CMN-2196 = Credential(s): {0};
PAM-CMN-2197 = Services
PAM-CMN-2198 = Policy: {0}
PAM-CMN-2200 = Filtering
PAM-CMN-2201 = Command Filtering: off;
PAM-CMN-2202 = Command Filtering: black-list: {0};
PAM-CMN-2203 = Command Filtering: white-list: {0};
PAM-CMN-2204 = Socket Filtering: black-list: {0};
PAM-CMN-2205 = Socket Filtering: white-list: {0};
PAM-CMN-2206 = Socket Filtering: off;
PAM-CMN-2215 = User's access to service {0} on device {1} disabled due to {2} conflicts. The conflicting associations are between
PAM-CMN-2216 = User's access to access method {0} on device {1} disabled due to {2} conflicts. The conflicting associations are between
PAM-CMN-2217 = User/Group {0} and Device/Group {1}

PAM-CMN-2220 = Command filter white lists are ignored for Mainframe Access Methods;
PAM-CMN-2221 = Transparent Login: on;
PAM-CMN-2222 = Transparent Login: off;
PAM-CMN-2223 = Server Control Login: on;
PAM-CMN-2224 = Server Control Login: off;
PAM-CMN-2225 = Kerberos KDC server connection for host: {0}.
PAM-CMN-2229 = The device {0} has more than one target account defined for command string transparent login.
PAM-CMN-2230 = The target account {0} belonging to target application {1} on the device {2} is used by the users/groups
PAM-CMN-2231 = Service is disabled until the conflict is resolved.
PAM-CMN-2232 = Applet is disabled until the conflict is resolved.
PAM-CMN-2233 = User group {0} successfully added. {1}
PAM-CMN-2234 = Unknown error on multi user group delete {0}
PAM-CMN-2235 = Unrecognized return type from delete of user group {0} response was {1}
PAM-CMN-2236 = Unknown error on multi user delete {0}
PAM-CMN-2237 = Virtual user {0} successfully added.
PAM-CMN-2238 = User {0} successfully added.
PAM-CMN-2239 = Activation: Now;
PAM-CMN-2251 = Activation: {0};
PAM-CMN-2252 = Expiration: Never;
PAM-CMN-2253 = Expiration: {0};
PAM-CMN-2254 = User {0} successfully deleted. {1}
PAM-CMN-2255 = Local IP: {0};
PAM-CMN-2256 = Ports: {0};
PAM-CMN-2257 = Protocol: {0};
PAM-CMN-2258 = Application Protocol: Disabled;
PAM-CMN-2259 = Application Protocol: {0};
PAM-CMN-2260 = Target Server {0} is not added to Password Authority. Error Message: {1};
PAM-CMN-2261 = Password Authority failure to try to activate user {0}. Message: {1}.
PAM-CMN-2262 = PA User {0} not updated. Error message: {1}.
PAM-CMN-2263 = Target Server {0} is not updated. Error message: {1}.
PAM-CMN-2264 = Target server search failed. Error message: {0}.
PAM-CMN-2265 = Target Server {0} is not deleted. Reason: {0}.
PAM-CMN-2266 = Request Server not retrieved from Password Authority. Error Message: {0}.
PAM-CMN-2267 = Request Server is not added to Password Authority. Error Message: {0}.
PAM-CMN-2268 = Request server {0} is not updated. Error message: {1}.
PAM-CMN-2269 = Request Server {0} is not deleted. Reason: {1}.
PAM-CMN-2270 = searchUser request for {0} failed. Error Message: {1}.
PAM-CMN-2271 = User {0} is not found in Password Authority.
PAM-CMN-2272 = User {0} is not deleted from Password Authority. Error Message: {1}.
PAM-CMN-2273 = User {0} is deleted from Password Authority.
PAM-CMN-2274 = Unable to retrieve Password Authority target account for username {0}. Error: {1}.
PAM-CMN-2275 = Unable to retrieve Password Authority password for username {0}. Error: {1}.
PAM-CMN-2277 = User {0} is not added to Password Authority - error was {1}.
PAM-CMN-2278 = Could not successfully retrieve Password Authority Managed Data for Dashboard. Error: {0}
PAM-CMN-2279 = Unable to delete target account {0} for API Key - error was {1}.
PAM-CMN-2282 = Unable to retrieve target account list for policies - error was {0}.
PAM-CMN-2283 = Unable to retrieve target account list - error was {0}.
PAM-CMN-2284 = Web Portal Launch URL: {0};
PAM-CMN-2285 = Browser Type: {0};
PAM-CMN-2286 = Access List: {0};
PAM-CMN-2287 = Error when attempting to retrieve password view requests - error was {0}.
PAM-CMN-2288 = Client Application: {0};
PAM-CMN-2289 = Enabled: on;
PAM-CMN-2290 = Enabled: off;
PAM-CMN-2291 = Service {0} added successfully. {1}
PAM-CMN-2292 = Service {0} updated successfully. {1}

PAM-CMN-2293 = A Password Authority problem prevented completing the request. Error when attempting to retrieve password view requests. Check log for details.
PAM-CMN-2294 = Unknown error on multi service delete {0}
PAM-CMN-2295 = {0} SSL VPN service(s) deleted, {1} SSL VPN service(s) not deleted for lack of privilege, {2} SSL VPN service(s) not found, {3} unknown SSL VPN service delete errors
PAM-CMN-2296 = {0} service(s) deleted, {1} service(s) not deleted for lack of privilege, {2} service(s) not found, {3} unknown service delete errors
PAM-CMN-2297 = Reenabled {0} user(s): {1}
PAM-CMN-2298 = {0} users were requested to be enabled, {1} users were actually enabled: {2}
PAM-CMN-2299 = Error when attempting to retrieve target account with ID {0} - error was {1}.
PAM-CMN-2300 = Error when attempting to retrieve target account with device Name {0}, target application name {1}, user name {2} - error was {3}.
PAM-CMN-2301 = Error when attempting to update a password view request status - error was {0}.
PAM-CMN-2302 = Error when attempting to retrieve pa user id via access user id - error was {0}.
PAM-CMN-2303 = Error when attempting to retrieve password composition policies - error was {0}.
PAM-CMN-2304 = Error when attempting to retrieve ssh key pair policies - error was {0}.
PAM-CMN-2305 = Error when attempting to add target account for username {0} - error was {1}.
PAM-CMN-2306 = Error when attempting to update target account for username {0} - error was {1}.
PAM-CMN-2307 = Error when attempting to check in password - error was {0}.
PAM-CMN-2308 = Error when attempting to retrieve target application domain name - error was {0}.
PAM-CMN-2309 = Error when attempting to locate master target application - error was {0}.
PAM-CMN-2310 = Unable to retrieve EC2 shared keypair names - error was {0}.
PAM-CMN-2311 = Error when attempting to retrieve account name - error was {0}.
PAM-CMN-2312 = Error when trying to find target server id with name {0} - error was {1}.
PAM-CMN-2318 = Unable to delete target group from Password Authority. Error Message: Call to deleteDynamicGroup with neither groupId nor groupName specified.
PAM-CMN-2319 = Unable to delete request group from Password Authority. Error Message: Call to deleteDynamicGroup with neither groupId nor groupName specified.
PAM-CMN-2320 = Unable to delete target group {0} from Password Authority. Error Message: Group name {1} and group id {2} did not match.
PAM-CMN-2321 = Unable to delete request group {0} from Password Authority. Error Message: Group name {1} and group id {2} did not match.
PAM-CMN-2322 = Attempt to rotate password failed - error was {0}.
PAM-CMN-2323 = Missing required field: name for role.
PAM-CMN-2324 = Missing required field: permissions for role..
PAM-CMN-2325 = Missing required field: name for user group..
PAM-CMN-2326 = Missing required field: role id for user group..
PAM-CMN-2327 = Missing required field: Command String.
PAM-CMN-2328 = Synchronized time with Time Servers
PAM-CMN-2329 = Time synchronization failed after 2 attempts!<br>Please, try again in a few seconds
PAM-CMN-2330 = Error updating Time Servers information.
PAM-CMN-2331 = Updated Time Servers. Synchronize at boot: Enabled, Servers: {0}
PAM-CMN-2332 = Updated Time Servers. Synchronize at boot: Disabled, Servers: {0}
PAM-CMN-2333 = Date/Time changed successfully. New time: {0} in Timezone: {1}.
PAM-CMN-2334 = Unable to change Date/Time.
PAM-CMN-2335 = Target Server {0} is added to Password Authority.
PAM-CMN-2336 = Target server {0} is updated.
PAM-CMN-2337 = Restarting Apache Web Server
PAM-CMN-2338 = Downloaded database file {0}
PAM-CMN-2339 = S3 mounting performed successfully
PAM-CMN-2340 = Unmounting performed successfully
PAM-CMN-2341 = Unmount operation unsuccessful.
PAM-CMN-2342 = Database file {0} deleted successfully.
PAM-CMN-2343 = Unable to load PAM certificate for SSO user {0}. User will not be able to log-in
PAM-CMN-2344 = Remote CA-PAM Debugging Services turned {0}
PAM-CMN-2350 = Created Self-Signed Certificate {0}
PAM-CMN-2351 = Created CSR {0}

PAM-CMN-2352 = Target server {0} is deleted.
PAM-CMN-2355 = Missing required information for launch. Device {0} Missing id of what to launch (no task, service, or rdp application Id. User {1}
PAM-CMN-2356 = Missing required information for launch. Device {0}, task {1}, service {2}, RDP application {3}. User {4}
PAM-CMN-2357 = Missing required information for launch. Device {0}, service {1}, RDP application {2}. User {3}
PAM-CMN-2358 = Missing required information for launch. Device {0}, task {1}, service {2}. User {3}
PAM-CMN-2359 = Missing required information for launch. Device {0}, task {1}, RDP application {2}. User {3}
PAM-CMN-2360 = Missing required information for launch. Device {0}, task {1}. User {2}
PAM-CMN-2361 = Missing required information for launch. Device {0}, service {1}. User {2}
PAM-CMN-2362 = Missing required information for launch. Device {0}, RDP application {1}. User {2}
PAM-CMN-2363 = Missing required information for launch. Missing device id Missing id of what to launch (no task, service, or rdp application Id. User {0}
PAM-CMN-2364 = Missing required information for launch. Missing device id, task {0}, service {1}, RDP application {2}. User {3}
PAM-CMN-2365 = Missing required information for launch. Missing device id, service {0}, RDP application {1}. User {2}
PAM-CMN-2366 = Missing required information for launch. Missing device id, task {0}, service {1}. User {2}
PAM-CMN-2367 = Missing required information for launch. Missing device id, task {0}, RDP application {1}. User {2}
PAM-CMN-2368 = Missing required information for launch. Missing device id, task {0}. User {1}
PAM-CMN-2369 = Missing required information for launch. Missing device id, service {0}. User {1}
PAM-CMN-2370 = Request server {0} is updated
PAM-CMN-2372 = User {0} successfully updated.
PAM-CMN-2373 = Account disabled;
PAM-CMN-2374 = Account enabled;
PAM-CMN-2375 = SSL VPN Service {0} added successfully.
PAM-CMN-2376 = SSL VPN Service {0} added successfully. TCP Ports: {1};
PAM-CMN-2377 = SSL VPN Service {0} added successfully. UDP Ports: {1};
PAM-CMN-2378 = SSL VPN Service {0} added successfully. TCP Ports: {1}; UDP Ports: {2};
PAM-CMN-2379 = SSL VPN Service {0} updated successfully.
PAM-CMN-2380 = SSL VPN Service {0} updated successfully. TCP Ports: {1};
PAM-CMN-2381 = SSL VPN Service {0} updated successfully. UDP Ports: {1};
PAM-CMN-2382 = SSL VPN Service {0} updated successfully. TCP Ports: {1}; UDP Ports: {2};
PAM-CMN-2383 = Unable to add user {0}
PAM-CMN-2384 = Service {0} added successfully.
PAM-CMN-2385 = Service {0} added successfully. Launch Path: {1};
PAM-CMN-2386 = Service {0} added successfully. Enabled: {1};
PAM-CMN-2387 = Service {0} added successfully. Launch Path: {1}; Enabled: {2};
PAM-CMN-2388 = Service {0} updated successfully.
PAM-CMN-2389 = Service {0} updated successfully. Launch Path: {1};
PAM-CMN-2390 = Service {0} updated successfully. Enabled: {1};
PAM-CMN-2391 = Service {0} updated successfully. Launch Path: {1}; Enabled: {2};
PAM-CMN-2392 = restrictDelete was not set for provision row for vCenter authorization server {0} and user {1}. Url was {2} Message was {3}
PAM-CMN-2393 = Unable to retrieve vCenter target server information.
PAM-CMN-2394 = Unable to retrieve vCenter target server information. Message was unable to retrieve vCenter target server information.
PAM-CMN-2395 = {0} Connection aborted.
PAM-CMN-2396 = {0} Attempting to connect anyway.
PAM-CMN-2397 = {0} Could not retrieve device information from PAM.
PAM-CMN-2398 = Roles: None;
PAM-CMN-2399 = Roles: {0};
PAM-CMN-2405 = Error adding ldap group: {0}
PAM-CMN-2406 = Access methods: {0};
PAM-CMN-2407 = Access methods: None;
PAM-CMN-2408 = Services: {0};
PAM-CMN-2409 = Services: None;

PAM-CMN-2410 = VPN Services: {0};
PAM-CMN-2411 = VPN Services: None;
PAM-CMN-2412 = Credential sources removed;
PAM-CMN-2413 = Credential sources: {0};
PAM-CMN-2414 = Tags: {0};
PAM-CMN-2415 = Tags: None;
PAM-CMN-2416 = Device Group {0} added successfully.
PAM-CMN-2417 = Unknown error on multi device group delete {0}
PAM-CMN-2418 = Unrecognized return type from delete of device group {0}
PAM-CMN-2419 = Group {0} updated successfully. Devices in group updated.
PAM-CMN-2420 = New name: {0};
PAM-CMN-2421 = Group description updated;
PAM-CMN-2422 = Provision type updated;
PAM-CMN-2423 = Password push flag updated;
PAM-CMN-2424 = Legal Notice flag updated;
PAM-CMN-2425 = Groups: None;
PAM-CMN-2426 = Groups: {0};
PAM-CMN-2427 = Runtime update automatically updated virtual device.
PAM-CMN-2428 = Runtime update automatically updated virtual device. address: {0}
PAM-CMN-2429 = Runtime update automatically updated virtual device. status: active
PAM-CMN-2430 = Runtime update automatically updated virtual device. status: inactive
PAM-CMN-2431 = Runtime update automatically updated virtual device. address: {0} status: active
PAM-CMN-2432 = Runtime update automatically updated virtual device. address: {0} status: inactive
PAM-CMN-2433 = Unknown error on multi device delete {0} for device id {1}
PAM-CMN-2434 = Device {0} successfully deleted. {1} {2}
PAM-CMN-2435 = Transparent logins: {0}
PAM-CMN-2436 = Transparent Logins were deleted.
PAM-CMN-2437 = Device {0} added successfully.
PAM-CMN-2438 = Unable to grant access to {0} because '{1}'
PAM-CMN-2439 = {0} aborted. {1}
PAM-CMN-2471 = Failed to retrieve user data for user {0}.
PAM-CMN-2472 = Invalid OS {0} for target application.
PAM-CMN-2473 = Invalid task for target application.
PAM-CMN-2474 = Target application {0} on {1} is created.
PAM-CMN-2475 = Target application {0} on {1} is not created. Reason: {2}.
PAM-CMN-2476 = Request Server {0} is added to A2A via autoregistration.
PAM-CMN-2477 = Request Server {0} is added to A2A.
PAM-CMN-2478 = Request Server {0} is modified via autoregistration.
PAM-CMN-2479 = Password Authority request server {0} is deleted.
PAM-CMN-2480 = User {0} is added to PA with group membership: {1}.
PAM-CMN-2481 = Target Application {0} was updated on device {1}.
PAM-CMN-2482 = Target Application {0} was added to device {1}.
PAM-CMN-2483 = Either name or ID must be specified to delete a user group.
PAM-CMN-2484 = Request server {0} is updated. Request server name is changed to {1}.
PAM-CMN-2485 = Operation failed because of unknown Password Authority error.
PAM-CMN-2486 = GB{0} has come up.
PAM-CMN-2487 = GB{0} has gone down!
PAM-CMN-2488 = device inactive
PAM-CMN-2489 = device deleted
PAM-CMN-2490 = ok
PAM-CMN-2491 = connection failure
PAM-CMN-2495 = {0} virtual device scan completed for access key {1} region {2}. {3} devices added, {4} devices updated, {5} devices deleted.
PAM-CMN-2496 = {0} virtual device scan completed for access key {1} region not found. {2} devices added, {3} devices updated, {4} devices deleted.
PAM-CMN-2497 = {0} virtual device scan completed for vCenter URL {1} user {2}. {3} devices added, {4} devices updated, {5} devices deleted.

PAM-CMN-2498 = {0} virtual device scan completed. {1} devices added, {2} devices updated, {3} devices deleted.
PAM-CMN-2499 = Device {0} had the same ip address {1} as the devices {2} and was not processed.
PAM-CMN-2500 = Device {0} had the same domain {1} as the devices {2} and was not processed.
PAM-CMN-2504 = Reported problem on NFS for DB backup
PAM-CMN-2506 = Reported problem with NFS share for DB Backup
PAM-CMN-2508 = Reported problem on Amazon S3 for DB backup
PAM-CMN-2510 = Reported problem on SMB for DB backup
PAM-CMN-2518 = {0} Exclusive-use account; Check-in time: {1}, Check-out time: {2}; by {3}
PAM-CMN-2519 = The device {0} has more than one target account defined for command string transparent login.
PAM-CMN-2520 = The target account {0} belonging to target application {1} on the device {2} is used by the users/groups.
PAM-CMN-2521 = Service is disabled until the conflict is resolved.
PAM-CMN-2522 = Applet is disabled until the conflict is resolved.
PAM-CMN-2523 = Keyword: {0} Alert: {1} Regex: {2} Block: {3};
PAM-CMN-2524 = On
PAM-CMN-2525 = Off
PAM-CMN-2526 = Command Filter List {0} Updated. Name: {1} Type: black Keywords: None;
PAM-CMN-2527 = Command Filter List {0} Updated. Name: {1} Type: white Keywords: None;
PAM-CMN-2528 = Command Filter List {0} Updated. Name: {1} Type: black Keywords: {2};
PAM-CMN-2529 = Command Filter List {0} Updated. Name: {1} Type: white Keywords: {2};
PAM-CMN-2530 = Command Filter List Created. Name: {0} Type: black Keywords: None;
PAM-CMN-2531 = Command Filter List Created. Name: {0} Type: white Keywords: None;
PAM-CMN-2532 = Command Filter List Created. Name: {0} Type: black Keywords: {1};
PAM-CMN-2533 = Command Filter List Created. Name: {0} Type: white Keywords: {1};
PAM-CMN-2534 = Socket Filter List Created. Name: {0} Type: black Hosts: None;
PAM-CMN-2535 = Socket Filter List Created. Name: {0} Type: white Hosts: None;
PAM-CMN-2536 = Socket Filter List Created. Name: {0} Type: black Hosts: {1};
PAM-CMN-2537 = Socket Filter List Created. Name: {0} Type: white Hosts: {1};
PAM-CMN-2538 = Socket Filter List {0} Updated. Name: {1} Type: black Hosts: None;
PAM-CMN-2539 = Socket Filter List {0} Updated. Name: {1} Type: white Hosts: None;
PAM-CMN-2540 = Socket Filter List {0} Updated. Name: {1} Type: black Hosts: {2};
PAM-CMN-2541 = Socket Filter List {0} Updated. Name: {1} Type: white Hosts: {2};
PAM-CMN-2542 = Command Filter Configuration Updated. Blacklist Violation Message: {0} Whitelist Violation Message: {1} Violation Additional e-mail Message: {2} Violations Before Action: {3} Action After Limit Exceeded: {4}
PAM-CMN-2543 = Socket Filter Configuration Updated. Agent Port: {0} SFA Monitoring: Enabled Appliance ID: {1} Violation Message: {2} Violation Additional e-mail Message: {3} Violations Before Action: {4} Action After Limit Exceeded: {5} Log All Access: Enabled
PAM-CMN-2544 = Socket Filter Configuration Updated. Agent Port: {0} SFA Monitoring: Enabled Appliance ID: {1} Violation Message: {2} Violation Additional e-mail Message: {3} Violations Before Action: {4} Action After Limit Exceeded: {5} Log All Access: Disabled
PAM-CMN-2545 = Socket Filter Configuration Updated. Agent Port: {0} SFA Monitoring: Disabled Appliance ID: {1} Violation Message: {2} Violation Additional e-mail Message: {3} Violations Before Action: {4} Action After Limit Exceeded: {5} Log All Access: Enabled
PAM-CMN-2546 = Socket Filter Configuration Updated. Agent Port: {0} SFA Monitoring: Disabled Appliance ID: {1} Violation Message: {2} Violation Additional e-mail Message: {3} Violations Before Action: {4} Action After Limit Exceeded: {5} Log All Access: Disabled
PAM-CMN-2550 = Transparent logins: None
PAM-CMN-2577 = Can't add Splunk server.
PAM-CMN-2578 = Message {0}
PAM-CMN-2583 = Full path
PAM-CMN-2584 = Prompt
PAM-CMN-2585 = users in group {0}
PAM-CMN-2586 = users common to groups {0}
PAM-CMN-2587 = devices in group {0}
PAM-CMN-2588 = devices common to groups {0}
PAM-CMN-2589 = Internal communication error
PAM-CMN-2592 = {0} rows to move {1} actually moved.

PAM-CMN-2593 = Could not find the group id for the group {0}
PAM-CMN-2594 = Could not delete group members!
PAM-CMN-2595 = Could not delete the group {0}
PAM-CMN-2597 = You have not registered.
PAM-CMN-2598 = You have configured this GateKeeper to Managed mode.
PAM-CMN-2599 = Your Login has Timed Out.
PAM-CMN-2600 = Email Alerted {0}: {1}
PAM-CMN-2601 = CA Single Sign-On Web Agent disabled. For this change to take affect, please restart Apache.
PAM-CMN-2602 = An error occured disabling CA Single Sign-On Weg Agent.
PAM-CMN-2604 = No form exists
PAM-CMN-2605 = Invalid port number! Please, enter a number between 1 and 65535!
PAM-CMN-2606 = Database backup schedule saved successfully!
PAM-CMN-2607 = Problem saving the database backup schedule:<br>{0}
PAM-CMN-2608 = All calendar fields are required in this form!
PAM-CMN-2609 = Need to specify an account to use for authentication
PAM-CMN-2610 = Invalid database backup account - backup settings are not reset
PAM-CMN-2611 = Unable to set database backup account!
PAM-CMN-2612 = Unable to reset database values!
PAM-CMN-2613 = Unable to connect: Code: {0}, Message: {1}
PAM-CMN-2614 = Error connecting to the local listener!
PAM-CMN-2615 = gatekeeper: {0} connected to {1}
PAM-CMN-2616 = gatekeeper: {0} closed connection to {1}
PAM-CMN-2617 = GB {0} has come up.
PAM-CMN-2618 = GB {0} has come down.
PAM-CMN-2620 = GK Auth system started on {0}:{1}
PAM-CMN-2621 = Shutting down GK authentication engine
PAM-CMN-2727 = Quitting CSPM due to critical failure.
PAM-CMN-2740 = Only read-only REST methods (GET) are allowed on secondary sites.
PAM-CMN-2741 = Update failed. Please try again later.
PAM-CMN-2742 = My Info has been updated successfully, but your changes are pending.
PAM-CMN-2748 = This CA-PAM appliance is a member of a secondary site. Most admin functions are disabled and must be performed from the primary site.
PAM-CMN-2749 = Config user logged in successfully.
PAM-CMN-2750 = Config user failed to log in.
PAM-CMN-2751 = Deleting RADIUS user {0} failed: Unable to connect to the primary site ({1}) to delete the user.
PAM-CMN-2807 = Partition status file does not exist
PAM-CMN-2814 = No storage element for PAM on {0}
PAM-CMN-2816 = Cannot determine the fully qualified hostname of this PAM
PAM-CMN-2818 = Cannot register PAM into {0}
PAM-CMN-2819 = Cannot assign a partition for {0}
PAM-CMN-2831 = PAM is currently provisioned to use OpenSSL and the password is not cached!
PAM-CMN-2832 = PAM is re-encrypting the DB. Please try again later.
PAM-CMN-2834 = No storage element for PAM on {0}. Please try again.
PAM-CMN-2837 = PAM is currently provisioned to use WolfSSL and the password is not cached!
PAM-CMN-2838 = Success, you must reboot PAM for this change to take effect.
PAM-CMN-3016 = Access denied.
PAM-CMN-3017 = Too many authentication failures for {0}
PAM-CMN-3018 = Cannot change user when server not running as root.
PAM-CMN-3022 = bad service request {0}
PAM-CMN-3026 = Change of username or service not allowed: ({0},{1}) -> ({2},{3})
PAM-CMN-3075 = Timeout, your session not responding.
PAM-CMN-3076 = wait: {0}
PAM-CMN-3077 = Command terminated on signal {0}.
PAM-CMN-3078 = wait returned status {0}
PAM-CMN-3079 = server_input_channel_req: unknown channel %d
PAM-CMN-3081 = socket: {0}
PAM-CMN-3082 = bind: {0}

PAM-CMN-3083 = listen: {0}
PAM-CMN-3084 = Session.c: Only subsystem SFTP allowed
PAM-CMN-3085 = Could not create pipes: {0}
PAM-CMN-3086 = Could not create socket pairs: {0}
PAM-CMN-3087 = fork failed: {0}
PAM-CMN-3088 = dup #1 failed: {0}
PAM-CMN-3089 = dup #2 failed: {0}
PAM-CMN-3090 = Protocol error: you already have a pty.
PAM-CMN-3102 = Your ssh version is too old and is no longer supported. Please install a newer version.
PAM-CMN-3103 = Connection to remote server failed
PAM-CMN-3104 = Client disconnected
PAM-CMN-3106 = IP Spoofing check bytes do not match.
PAM-CMN-3142 = DNS Error resolving IP
PAM-CMN-3154 = AuthBroker: Some general exception occurred
PAM-CMN-3155 = Unknown Exception caught in AuthDaemon. Shutting down engine. Exiting
PAM-CMN-3156 = ServiceThread: Caught exception unbeknownst to anyone. Eating up this exception
PAM-CMN-3157 = This Authentication Type is not supported by the PAM GK yet.
PAM-CMN-3158 = No server session id found in the accesschallengeretort message.
PAM-CMN-3159 = The Protocol demands that userId must be blank while responding to a challenge but I found this lingering userid: {0}
PAM-CMN-3160 = No GKAutheticationAgent found for the given session id in the accesschallengeretort message.
PAM-CMN-3161 = Only challenge response expected at this point.
PAM-CMN-3162 = Different Session id in the challenge retort
PAM-CMN-3163 = Your password will expire in {0} day(s)
PAM-CMN-3164 = Your account will expire in {0} day(s)
PAM-CMN-3234 = The HSM is not functioning properly with PKCS11 result: {0}, {1}
PAM-CMN-3235 = OpenSSL JNI library result: {0}, {1}
PAM-CMN-3240 = Submit
PAM-CMN-3241 = Submit Response
PAM-CMN-3242 = Your new PIN has been set into the system. Please wait for the tokencode to change, then authenticate again with your complete passcode now.
PAM-CMN-3243 = To continue you must enter a new PIN. Enter a new PIN of {0} alphanumeric characters:
PAM-CMN-3244 = To continue you must enter a new PIN. Enter a new PIN between {0} and {1} alphanumeric characters:
PAM-CMN-3245 = To continue you must enter a new PIN. Enter a new PIN of {0} digits:
PAM-CMN-3246 = To continue you must enter a new PIN. Enter a new PIN between {0} and {1} digits:
PAM-CMN-3250 = Applets signed successfully with {0} and domain(s) {1}.
PAM-CMN-3251 = The Java KeyStore file doesn't exist at {0}. Aborting signature.
PAM-CMN-3274 = No response from Password Authority.
PAM-CMN-3275 = {0} does not exist or is empty.
PAM-CMN-3276 = {0} is not readable.
PAM-CMN-3277 = {0} is not a regular file.
PAM-CMN-3300 = Reauthentication request failed for user {0}.
PAM-CMN-3301 = Session id was not in proper format. Cannot apply reauthentication mitigation for the session
PAM-CMN-3319 = Exceeded the maximum number of allowed violations. Session will be terminated.
PAM-CMN-3320 = User name exceeds maximum length of {0}.
PAM-CMN-3321 = User group name exceeds maximum length of {0}.
PAM-CMN-3322 = Device name exceeds maximum length of {0}.
PAM-CMN-3323 = Device group name exceeds maximum length of {0}.
PAM-CMN-3324 = User's first name exceeds maximum length of {0}.
PAM-CMN-3325 = User's last name exceeds maximum length of {0}.
PAM-CMN-3326 = Invalid numeric data. Device Group id must be a positive integer.
PAM-CMN-3327 = The database has been loaded successfully from {0}.
PAM-CMN-3331 = Attempt was made to update command filter metrics on a session with no matching command filter configuration
PAM-CMN-3356 = Remote CA PAM Debugging Services is ON.
PAM-CMN-3357 = MySQL Enterprise Monitor is installed. This should be used for debugging only.

PAM-CMN-3358 = This appliance is in maintenance mode.
PAM-CMN-3359 = This appliance's local PA is inactive.
PAM-CMN-3360 = This secondary site member is deactivated.
PAM-CMN-3361 = This secondary site member's access db is OOS with the primary site.
PAM-CMN-3363 = Filter ''{0}'' not updated. List type for this entry does not match first entry type of ''{1}''.
PAM-CMN-3364 = Getting all filters to export ...
PAM-CMN-3365 = Invalid task information for device, see log for details.
PAM-CMN-3366 = Auto-login initiated with target account Name : {0} and target account Id : {1} and ticket ID : {2}.
PAM-CMN-4058 = Invalid characters found in name of file to be uploaded. File name can only have alphanumeric characters plus dash, underscore and period. Please change the file name.
PAM-CMN-4059 = Time server {0} cannot be resolved to IP address.
PAM-CMN-5400 = Failed to save NIM credentials on member {0}. Unable to establish a connection to the CA PAM appliance.
PAM-CMN-5401 = Saving NIM credentials on all cluster members failed for {0}/{1} members: {2}.
PAM-CMN-5402 = NIM credentials saved on all cluster members.
PAM-CMN-5403 = Saving NIM credentials failed.
PAM-CMN-5404 = NIM credentials saved.
PAM-CMN-5406 = PKI authentication failed. Contact your system administrator to check the session log for errors.

Transparent Login Messages
PAM-TLGN-0060: CA PAM user who is transparently logged into RDP Application <ApplicationName> to <WindowsTitle> window as <Username> user, at <Device> device.

ApplicationName– The name of the RDP application defined in Privileged Access Manager

WindowsTitle– The title of the window that the end-user used to log in

Username– The name of the target account that was used

Device– The credential source

PAM-CS: Cluster Status Messages
PAM-CS-0001 = Database Cluster Replication Status from PAM Instance {0}
PAM-CS-0002 = The following primary site cluster members are no longer participating in database replication: {0}
PAM-CS-0003 = Failed retrieving list of unavailable cluster replication members: {0}
PAM-CS-0004 = ONLINE
PAM-CS-0005 = OFFLINE
PAM-CS-0006 = RECOVERING
PAM-CS-0007 = UNREACHABLE
PAM-CS-0008 = ERROR
PAM-CS-0009 = MISSING
PAM-CS-0010 = The following primary site cluster members are no longer participating in database replication: {0}
PAM-CS-0011 = Database cluster replication status: {0}.
PAM-CS-0012 = Failed refreshing list of unavailable cluster replication members
PAM-CS-0013 = The database is out of sync with the primary site for the following secondary site members: {0}
PAM-CS-0014 = CA PAM Cluster Failure: Please check the status of each member in the primary site
PAM-CS-0015 = CA PAM instance {0} lost its connection to other members of the primary site, and has limited functionality. Please check the availability of other primary site members to ensure that they are online and reachable. Next, check their status by visiting their respective URLs: {1}. If you cannot access other members, visit https://{2} to repair the cluster.
PAM-CS-0016 = CA PAM Cluster is recovering
PAM-CS-0017 = CA PAM instance {0} can now communicate with all members of the cluster's primary site. To recover from a previous failure, we are rebooting the CA PAM instance.
PAM-CS-0018 = CA PAM Cluster is recovering the primary site


PAM-CS-0019 = We are rebooting all the members in the primary site of CA PAM Cluster to try to recover it from a previous failure.
PAM-CS-0020 = PAM appliance attempted to perform cluster operation on {0}, but is not part of its cluster list.
PAM-CS-0021 = The database is back online and participating in replication for the following primary site cluster members: {0}
PAM-CS-0022 = If the database is out of sync with the primary site for {0} more minutes, deactivation occurs.
PAM-CS-0023 = The database is back in sync with the primary site for the following secondary site members: {0}

PAM-IMP: Import and Export Constants
PAM-IMP-0001="Export"
PAM-IMP-0002="Import"
PAM-IMP-0003="Devices"
PAM-IMP-0004="Users"
PAM-IMP-0005="Services"
PAM-IMP-0006="Transparent Login Configs"
PAM-IMP-0007="Custom Roles"
PAM-IMP-0008="Policy"
PAM-IMP-0009="Socket Filter Lists"
PAM-IMP-0010="Command Filter Lists"
PAM-IMP-0011="SAML 2.0 SP Metadata"

PAM-LDAP: LDAP Importer Messages
PAM-LDAP-0000 = Error updating member {0} {1}
PAM-LDAP-0001 = The CA PAM cluster is not synchronized. LDAP update will not be attempted.
PAM-LDAP-0002 = The CA PAM cluster is not synchronized. LDAP operation will not be attempted.
PAM-LDAP-0003 = All servers to LDAP domain {0} are down. LDAP sync for group {1} will not be attempted.
PAM-LDAP-0004 = An exception ( {0} ) occurred while processing LDAP group {1}. LDAP sync for this group will be aborted.
PAM-LDAP-0005 = Device {0} deleted from LDAP group {1} but is a member of other registered LDAP groups.
PAM-LDAP-0006 = User {0} deleted from LDAP group {1} but is a member of other registered LDAP groups.
PAM-LDAP-0007 = Updating LDAP Group {0} failed. Connection to all configured LDAP servers failed. {1} New Users, {2} Updated Users, {3} Deleted Users, {4} Failed New Users, {5} Failed Updated Users, {6} Failed Deleted Users, {7} Users Retrieved From LDAP Directory Server
PAM-LDAP-0008 = Updating LDAP Group {0} failed. Connection to all configured LDAP servers failed. {1} New Devices, {2} Updated Devices, {3} Deleted Devices, {4} Failed New Devices, {5} Failed Updated Devices, {6} Failed Deleted Devices, {7} Devices Retrieved From LDAP Directory Server
PAM-LDAP-0009 = LDAP Group {0} updated. {1} New Users, {2} Updated Users, {3} Deleted Users, {4} Failed New Users, {5} Failed Updated Users, {6} Failed Deleted Users, {7} Users Retrieved From LDAP Directory Server
PAM-LDAP-0010 = LDAP Group {0} updated. {1} New Devices, {2} Updated Devices, {3} Deleted Devices, {4} Failed New Devices, {5} Failed Updated Devices, {6} Failed Deleted Devices, {7} Devices Retrieved From LDAP Directory Server
PAM-LDAP-0011 = Error occurred while replicating LDAP changes across the cluster
PAM-LDAP-0012 = Exception occurred while replicating LDAP changes across the cluster
PAM-LDAP-0013 = Error occurred while removing deleted import data {0}{1}{2}
PAM-LDAP-0014 = Error occurred while importing member {0}{1}{2}
PAM-LDAP-0015 = Warning adding device {0} {1}
PAM-LDAP-0016 = Error adding device {0} {1}
PAM-LDAP-0017 = Warning adding user {0} {1}
PAM-LDAP-0018 = Error adding user {0} {1}
PAM-LDAP-0019 = Error occurred while removing deleted import data {0}{1}{2}
PAM-LDAP-0020 = SQL error occurred importing ldap member {0}{1}{2}
PAM-LDAP-0021 = There was a problem importing member {0}{1}{2}
PAM-LDAP-0022 = User {0} was moved to: {1}
PAM-LDAP-0023 = Exception occurred while trying to retrieve the members of group {0} via the primary group token {1}
PAM-LDAP-0024 = Search or processing of group {0} failed with exception {1}
PAM-LDAP-0025 = LDAP group {0} not found in domain.


PAM-LDAP-0026 = Group {0} was moved to {1}
PAM-LDAP-0027 = Group {0} was deleted on LDAP server
PAM-LDAP-0028 = Search of group {0} failed with exception {1}
PAM-LDAP-0029 = Search of OU {0} failed with exception {1}
PAM-LDAP-0030 = Exception occurred while retrieving the members of group {0} Exception: {1}
PAM-LDAP-0031 = Retrieving attributes of member {0} failed with exception {1}
PAM-LDAP-0032 = LDAP member {0} not found in domain {1}
PAM-LDAP-0033 = CA PAM is unable to determine the domain that owns SID {0}. Is the domain configured with CA PAM? Unable to import member from group {1}
PAM-LDAP-0034 = The object class of the member {0} is unrecognized: {1}
PAM-LDAP-0035 = Binding to domain {0} failed. Invalid LDAP admin password configured.
PAM-LDAP-0036 = Unable to connect to domain {0}. All configured LDAP servers are down.
PAM-LDAP-0037 = Exception occurred while processing a search on entity {0}: {1}
PAM-LDAP-0038 = Connection to LDAP {0} failed. Failing over to the next configured server for the domain.

PAM-MGC: Management Console Messages

PAM-MGC-0001 = Failed to determine cluster structure. Service cannot start. Name:{0}

PAM-MGC-0002 = Failed to determine any node IP addresses. Service cannot start. Name:{0}

PAM-MGC-0003 = Local addresses count:{0}

PAM-MGC-0004 = Failed to determine REST request path. Request:{0}, Message:{1}

PAM-MGC-0005 = Recognized REST request path. Request:{0}

PAM-MGC-0006 = Failed to recognize REST request path. Request:{0}

PAM-MGC-0007 = Management Console servlet status:{0}, Servlet:{1}, Active:{2}, Mode:{3}, Message:{4}

PAM-MGC-0008 = Failed to determine local IP address. Message:{0}

PAM-MGC-0009 = Failed to retrieve cluster structure. Message:{0}

PAM-MGC-0010 = Failed to read cluster structure data. Message:{0}

PAM-MGC-0011 = Failed to check Management Console license.

PAM-MGC-0012 = Failed to read cluster structure object. Message:{0}

PAM-MGC-0013 = Failed to obtain public addresses from cluster structure. Message:{0}

PAM-MGC-0014 = Failed to read cluster info data. Message:{0}

PAM-MGC-0015 = Failed to read cluster data. Message:{0}

PAM-MGC-0016 = Failed to read system Info data. Message:{0}

PAM-MGC-0017 = Cluster member added. IP:{0}

PAM-MGC-0018 = Cluster Member removed. IP:{0}

PAM-MGC-0019 = Could not create target download directory. Path:{0}

PAM-MGC-0020 = Could not create staged patch directory. Path:{0}

PAM-MGC-0021 = Failed to download entire patch file. ID:{0}, Downloaded Size:{1}, Expected size:{2}

PAM-MGC-0022 = Failed to download the patch without errors. ID:{0}, Downloaded SHA1:{1}, Expected SHA1:{2}

PAM-MGC-0023 = Patch download completed. ID:{0}, File:{1}, Size:{2}

PAM-MGC-0024 = Failed to move downloaded patch to target dir. ID:{0}, From:{1}, To:{2}

PAM-MGC-0025 = Failed to verify existing patch file match. File:{0}, Message:{1}

PAM-MGC-0026 = Failed to decrypt target API password from configuration. Message:{0}

PAM-MGC-0027 = Could not obtain Management Console session ID. Task was aborted -- will retry. Task Name:{0}

PAM-MGC-0028 = Incomplete task prerequisites. Task was aborted -- will retry. Task Name:{0}

PAM-MGC-0029 = Task failed. Task:{0}, Message:{1}

PAM-MGC-0030 = Could not construct staged inventory lookup map.


PAM-MGC-0031 = Could not construct appliance lookup map.

PAM-MGC-0032 = Failed to submit status request to Management Console. Status:{0}, Reason:{1}, URI:{2}

PAM-MGC-0033 = Failed to submit status request data. URI:{0}

PAM-MGC-0034 = Unknown section type in Management Console status request processing. Type:{0}

PAM-MGC-0035 = Scheduling purge for a staged patch. ID:{0}

PAM-MGC-0036 = Processing status response. Version:{0}

PAM-MGC-0037 = Unimplemented staging task request. Request:{0}, File:{1}

PAM-MGC-0038 = Failed to submit ACK for a previously received file. Downloading again. File:{0}, Inventory:{1}

PAM-MGC-0039 = Failed to submit ACK for symlink staged file. File:{0}, To:{1}, Inventory:{2}

PAM-MGC-0040 = Failed to make symlink to inventory file. From:{0}, To:{1}, Inventory:{2}, Message:{3}

PAM-MGC-0041 = Failed to start patch download. Task ID:{0}, Status:{1}, Message:{2}, URI:{3}

PAM-MGC-0042 = Failed to submit ACK for downloaded staged file. File:{0}, Inventory:{1}

PAM-MGC-0043 = Failed to download patch file. Task ID:{0}, Message:{1}

PAM-MGC-0044 = Failed to delete patch file. Task ID:{0}, File:{1}

PAM-MGC-0045 = Failed to submit ACK for received patch download. File:{0}, Size:{1}, Task ID:{2}, Status:{3}, Message:{4}

PAM-MGC-0046 = Could not extract download tag information. ID:{0}, Tag:{1}, Message:{2}

PAM-MGC-0047 = Failed to read the inventory of managed patches.

PAM-MGC-0048 = Managed patch directory does not exist. Directory:{0}

PAM-MGC-0049 = Could not delete managed inventory file. File:{0}, Message:{1}

PAM-MGC-0050 = Could not find the aggregator IP address. MC Reporting task was aborted -- will retry.

PAM-MGC-0051 = Appliance has not yet registered with the aggregator node. Will attempt.

PAM-MGC-0052 = Failed to read the appliance registration record. Hardware ID:{0}, Message:{1}

PAM-MGC-0053 = Failed to read the appliance record. Hardware ID:{0}, Message:{1}

PAM-MGC-0054 = Failed to submit appliance update request to the aggregator node. Status:{0}, Reason:{1}, Aggregator IP:{2}, Hardware ID:{3}

PAM-MGC-0055 = Failed to update the appliance with the aggregator node. Aggregator:{0}, Hardware ID:{1}, Message:{2}

PAM-MGC-0056 = Failed to submit appliance registration request to the aggregator node. Status:{0}, Reason:{1}, Aggregator:{2}, Hardware ID:{3}

PAM-MGC-0057 = Failed to auto-register the appliance with the aggregator node. Aggregator:{0}, Hardware ID:{1}, Message:{2}

PAM-MGC-0058 = Failed to read the inventory of staged patches. Message:{0}

PAM-MGC-0059 = Could not delete file from staging directory. Path:{0}, Message:{1}

PAM-MGC-0060 = Could not delete patch file link from upgrade-stage dir. Path:{0}, Message:{1}

PAM-MGC-0061 = Patch file not yet available in staged inventory. File:{0}

PAM-MGC-0062 = Failed to make symlink for upgrade file. From:{0}, To:{1}, Message:{2}

PAM-MGC-0063 = Failed to read ACK record from database. Item:{0}, Hardware ID:{1}, Patch ID:{2}, Message:{3}

PAM-MGC-0064 = Unexpected response to staging action report from the aggregator node. Status:{0}, Reason:{1}, Aggregator:{2}, Hardware ID:{3}


PAM-MGC-0065 = Failed to send staging action request to the aggregator node. Aggregator:{0}, Hardware ID:{1}, Patch ID:{2}, Action:{3}, Message:{4}

PAM-MGC-0066 = Could not delete staged inventory file. File:{0}, Message:{1}

PAM-MGC-0067 = Failed to download information. Message:{0}, Patch ID:{1}, URI:{2}, Message:{3}

PAM-MGC-0068 = Starting PAMMC servlet task. Task type:{0}

PAM-MGC-0069 = Ended Management Console servlet task. Task type:{0}

PAM-MGC-0070 = Management Console servlet task failed. Task type:{0}, Message:{1}

PAM-MGC-0071 = Could not read license file. Message:{0}

PAM-MGC-0072 = Unknown command in activate. Name:{0}

PAM-MGC-0074 = Rejected request from remote address. IP Address:{0}

PAM-MGC-0075 = Serviced an HTTP request. Action=(0}, Status:{1}

PAM-MGC-0076 = Management Console servlet task failed to initialize. Task type:{0}

PAM-MGC-0077 = Management Console servlet task timers were stopped. Enabled-Check task running status:{0}

PAM-MGC-0079 = Failed to stop the Management Console integration servlet. Response code:{0}

PAM-MGC-0082 = Connected successfully to the Management Console. Host:{0}

PAM-MGC-0083 = Could not connect to the Management Console. Host:{0}

PAM-MGC-0084 = Connected successfully to the Management Console integration API. Host:{0}, Message:{1}

PAM-MGC-0085 = Could not connect to the Management Console integration API. Service is temporarily unavailable. Host:{0}

PAM-MGC-0086 = Management Console integration API test failed. Host:{0}, Status:{1}

PAM-MGC-0087 = Failed to retrieve aggregator credentials for Reporting API test.

PAM-MGC-0088 = Connected successfully to the Management Console reporting API. Host:{0}, Message:{1}

PAM-MGC-0089 = Could not connect to the Management Console Reporting API. Service is temporarily unavailable. Host:{0}

PAM-MGC-0090 = Management Console reporting API test failed. Host:{0}, Status:{1}

PAM-MGC-0091 = Failed to stop the Management Console service servlet. Response Code:{0}

PAM-MGC-0093 = Console appliance created: Location:{0}, Name:{1}

PAM-MGC-0094 = This member is not registered for Management Console reporting.

PAM-MGC-0095 = This member is already registered for Management Console reporting.

PAM-MGC-0096 = Failed to perform local appliance lookup test. Message:{0}

PAM-MGC-0097 = Console appliance updated: Location:{0}, Name:{1}

PAM-MGC-0098 = Console appliance deleted: Location:{0}, Name:{1}

PAM-MGC-0104 = Console cluster created. Name:{0}, Active:{1}

PAM-MGC-0106 = Console cluster name is not defined.

PAM-MGC-0108 = Console cluster updated. Name:{0}, Active:{1}

PAM-MGC-0109 = Device host for cluster is missing. Host ID:{0}, Cluster Name:{1}

PAM-MGC-0111 = Error processing status report. Message:{0}

PAM-MGC-0112 = Unknown request protocol. Version:{0}

PAM-MGC-0113 = Unrecognized status section in FullStatus. Section ID:{0}, Cluster:{1}

PAM-MGC-0114 = Unrecognized status value in staging task. Value:{0}

PAM-MGC-0115 = Unknown response protocol. Version:{0}


PAM-MGC-0116 = Unsupported request/response protocol pair: Request:{0}, Response:{1}

PAM-MGC-0117 = Console inventory patch ID is not defined.

PAM-MGC-0118 = Upload file is not available. Name:{0}

PAM-MGC-0119 = Unimplemented staging task ACK command. Command:{0}, Task:{1}

PAM-MGC-0121 = Patch staging task created. Cluster:{0}, Patch:{1}, Action:{2}

PAM-MGC-0122 = Recall action skipped for staging task. Task ID:{0}, Task state:{1}

PAM-MGC-0123 = Cluster staging task updated. Cluster:{0}, Patch:{1}, Action:{2}, Status:{3}

PAM-MGC-0124 = Error occurred while deleting staging tasks for Cluster. Cluster ID:{0}

PAM-MGC-0125 = Deleted staging task. Task ID:{0}

PAM-MGC-0126 = Error occurred while deleting staging task. Task ID:{0}

PAM-MGC-0127 = Unknown servlet action request. Name:{0}

PAM-MGC-0128 = Error processing request. Message:{0}

PAM-MGC-0129 = Processing patch upload file. File:{0}, Directory:{1}

PAM-MGC-0130 = Completed processing patch upload file. File:{0}, Object:{1}

PAM-MGC-0131 = Error decrypting patch file. BIN file:{0}, Message:{1}

PAM-MGC-0132 = Error loading patch metadata file. INF file:{0}, Message:{1}

PAM-MGC-0133 = Error examining flags in the patch BIN file. File:{0}, Message:{1}

PAM-MGC-0134 = Error decompressing the uploaded file. File:{0}, Message:{1}

PAM-MGC-0135 = Error calculating file SHA1 hash. File:{0}, Message:{1}

PAM-MGC-0136 = Servlet stopped.

PAM-MGC-0137 = Patch download from Management Console succeeded. File:{0}

PAM-MGC-0138 = Patch download from Management Console failed. File:{0}

PAM-MGC-0139 = Call to Credential Manager failed. Message:{0}

PAM-MGC-0140 = Failed to get upgrade history for patch. Patch ID:{0}, Message:{1}

PAM-MGC-0141 = Could not obtain Management Console integration servlet configuration.

PAM-MGC-0142 = Management Console integration servlet startup is not required. Servlet is disabled.

PAM-MGC-0143 = Could not obtain local node hardware ID.

PAM-MGC-0144 = Servlet started.

PAM-MGC-0145 = Could not perform integration test. Test:{0}, Message:{1}

PAM-MGC-0146 = Could not call Management Console integration servlet. Test:{0}, Message:{1}

PAM-MGC-0147 = Management Console integration module was activated.

PAM-MGC-0148 = Management Console integration module was deactivated.

PAM-MGC-0149 = Could not activate Management Console integration module.

PAM-MGC-0150 = Could not deactivate Management Console integration module.

PAM-MGC-0151 = Unknown protocol. Version:{0}

PAM-MGC-0152 = Unknown submitted status object. Message:{0}

PAM-MGC-0153 = Console cluster deleted. Name:{0}

PAM-MGC-0154 = Console inventory item created. Patch ID:{0}

PAM-MGC-0155 = Console inventory item updated. Patch ID:{0}, Archive:{1}

PAM-MGC-0156 = Console inventory item deleted. Patch ID:{0}

PAM-MGC-0157 = Patch file name is not defined.


PAM-MGC-0158 = Failed to move patch file to inventory. Location:{0}

PAM-MGC-0159 = Console licenses created. Cluster name:{0}

PAM-MGC-0160 = Console licenses updated. Cluster name:{0}

PAM-MGC-0161 = Console licenses deleted. Cluster name:{0}

PAM-MGC-0162 = Console licenses ID is not defined.

PAM-MGC-0163 = Console cluster ID is not defined.

PAM-MGC-0164 = Unknown archive file type. Name:{0}

PAM-MGC-0165 = File upload succeeded. Name:{0}

PAM-MGC-0166 = Could not call Management Console service servlet. Test:{0}, Message:{1}

PAM-MGC-0167 = Management Console service module was activated.

PAM-MGC-0168 = Management Console service module was deactivated.

PAM-MGC-0169 = Could not activate Management Console service module.

PAM-MGC-0170 = Could not deactivate Management Console service module.

PAM-MGC-0171 = Device for Management Console cluster. Cluster:{0}, Device ID:{1}, Message:{2}

PAM-MGC-0172 = Failed to create device for cluster. Name:{0}

PAM-MGC-0173 = Failed to create application for cluster. Cluster name: {0}

PAM-MGC-0174 = Target account for cluster is missing. Account ID:{0}, Cluster name:{1}

PAM-MGC-0175 = Device/Host for cluster is missing. Host ID:{0}, Cluster name:{1}

PAM-MGC-0176 = Could not obtain status processing lock. Cluster cookie:{0}

PAM-MGC-0177 = This cluster is already managed by the Management Console.

PAM-MGC-0178 = This cluster is not managed by the Management Console.

PAM-MGC-0179 = Requested task to retry does not exist. ID:{0}

PAM-MGC-0180 = Failed to parse staging event action hint. Value:{0}

PAM-MGC-0181 = Could not mark the successful transfer completion for a Staging Task. Task ID:{0}, Message:{1}

PAM-MGC-0182 = Could not obtain Management Console service servlet configuration.

PAM-MGC-0183 = Could not obtain Management Console service bandwidth limiter configuration.

PAM-MGC-0184 = Management Console Service servlet startup is not required. Servlet is disabled.

PAM-MGC-0185 = Patch was recalled from staging inventory. File:{0}

PAM-MGC-0186 = Staged patch was deleted. File:{0}

PAM-MGC-0187 = Staging inventory item created. Patch ID:{0}

PAM-MGC-0188 = Staging inventory item updated. Patch ID:{0}, Archive:{1}

PAM-MGC-0189 = Staging inventory item deleted. Patch ID:{0}

PAM-MGC-0190 = Upgrade patch was staged. File:{0}

PAM-MGC-0191 = Upgrade patch was removed. File:{0}

PAM-MGC-0192 = Error extracting file checksum hash. File:{0}

PAM-PRX: Proxy Messages
PAM-PRX-0000 = X11 forwarded as {0}
PAM-PRX-0001 = Launched X11 application
PAM-PRX-0002 = Enabled X11 forwarding as {0}
PAM-PRX-0003 = Executed {0} as {1}
PAM-PRX-0004 = gatekeeper[{0}]: telnetproxy, fail to activate SFA, SFA enforced, service discarded
PAM-PRX-0005 = gatekeeper[{0}]: telnetproxy, cannot get address info


PAM-PRX-0006 = gatekeeper[{0}]: telnetproxy, fail to connect to target device
PAM-PRX-0007 = gatekeeper[{0}]: sshproxy, fail to connect to target device
PAM-PRX-0008 = gatekeeper[{0}]: sshproxy, fail to activate SFA, SFA enforced, service discarded
PAM-PRX-0009 = File transfers are not permitted via SSH TCP service
PAM-PRX-0010 = SSH TCP service unknown sub-system
PAM-PRX-0011 = This connection cleaned up due to a problem with the recording storage.
PAM-PRX-0012 = Launched X11 application "{0}"
PAM-PRX-0013 = File transfers are not permitted via SSH TCP service.
PAM-PRX-0014 = X11 forwarding services are not permitted
PAM-PRX-0015 = Services are not permitted via SSH TCP service.
PAM-PRX-0016 = Executed "{0}" using transparent login as {1}
PAM-PRX-0017 = Session disconnected due to a problem with session recording
PAM-PRX-0018 = Auto-login using username {0}
PAM-PRX-0019 = no authentication methods enabled
PAM-PRX-0020 = Connection from {0} with IP options: {1}
PAM-PRX-0021 = Received data for nonexistent channel {0}.
PAM-PRX-0022 = Received extended_data for bad channel {0}.
PAM-PRX-0023 = Received extended_data after EOF on channel {0}.
PAM-PRX-0024 = Received ieof for nonexistent channel {0}.
PAM-PRX-0025 = Received close for nonexistent channel {0}.
PAM-PRX-0026 = Received oclose for nonexistent channel {0}.
PAM-PRX-0027 = Received close confirmation for out-of-range channel {0}.
PAM-PRX-0028 = Received close confirmation for non-closed channel {0} (type {1}).
PAM-PRX-0029 = Received open confirmation for non-opening channel {0}.
PAM-PRX-0030 = Received open failure for non-opening channel {0}.
PAM-PRX-0031 = getaddrinfo: fatal error
PAM-PRX-0032 = Protocol error for port forward request: received packet type {0}.
PAM-PRX-0033 = Requested forwarding of port {0} but user is not root.
PAM-PRX-0034 = Dynamic forwarding denied
PAM-PRX-0035 = protocol error: rcvd type {0}
PAM-PRX-0036 = bad server public DH value
PAM-PRX-0037 = Protocol error: no matching DH grp found
PAM-PRX-0038 = Protocol error: expected packet type {0}, got {1}
PAM-PRX-0039 = SSH1, Bad packet length {0}.
PAM-PRX-0040 = crc32 compensation attack: network attack detected
PAM-PRX-0041 = packet_read_poll1: len {0} != buffer_len {1}.
PAM-PRX-0042 = Corrupted check bytes on input.
PAM-PRX-0043 = SSH2, Bad packet length {0}.
PAM-PRX-0044 = Corrupted MAC on input.
PAM-PRX-0045 = Corrupted padlen {0} on input.
PAM-PRX-0046 = Packet corrupt
PAM-PRX-0047 = Bad packet length {0}.
PAM-PRX-0048 = deattack denial of service detected
PAM-PRX-0049 = Invalid ssh1 packet type: {0}
PAM-PRX-0050 = Invalid ssh2 packet type: {0}
PAM-PRX-0051 = Packet integrity error.
PAM-PRX-0052 = Possible attack: attempt to open a session after additional sessions disabled
PAM-PRX-0053 = command execution failed
PAM-PRX-0054 = shell execution failed
PAM-PRX-0055 = Protocol error waiting for compression response.
PAM-PRX-0056 = Protocol error waiting for pty request response.
PAM-PRX-0057 = Protocol error waiting for X11 forwarding
PAM-PRX-0058 = Protocol error during RSA authentication: {0}
PAM-PRX-0059 = Protocol error waiting RSA auth response: {0}
PAM-PRX-0060 = respond_to_rsa_challenge: rsa_private_decrypt failed
PAM-PRX-0061 = respond_to_rsa_challenge: bad challenge length {0}
PAM-PRX-0062 = Protocol error: got {0} in response to {1}


PAM-PRX-0063 = Your password will expire in {0} day(s)
PAM-PRX-0064 = Your account will expire in {0} day(s)
PAM-PRX-0065 = Could not grab keyboard or mouse. A malicious client may be eavesdropping on your session.
PAM-PRX-0066 = Enter your OpenSSH passphrase:
PAM-PRX-0067 = Could not grab {0}. A malicious client may be eavesdropping on your session.
PAM-PRX-0068 = Enter {0}@{1}'s old password:
PAM-PRX-0069 = Enter {0}@{1}'s new password:
PAM-PRX-0070 = Retype {0}@{1}'s new password:
PAM-PRX-0071 = Fail to activate SFA, SFA enforced, service discarded
PAM-PRX-0072 = Too many authentication failures for {0} {1} from {2} port {3} {4}
PAM-PRX-0073 = Authentication rejected for uid {0}.
PAM-PRX-0074 = gatekeeper[{0}]: {1}, failed to connect to target device

PAM-SP: SailPoint Messages
PAM-SP-0001 = Exported CA-PAM Roles into SailPoint: {0} roles added, {1} roles deleted.
PAM-SP-0002 = Exported CA-PAM User Groups into SailPoint: {0} groups added, {1} groups deleted.
PAM-SP-0003 = Exported CA-PAM Users into SailPoint: {0} users added, {1} users modified, {2} users deleted.
PAM-SP-0004 = Created SailPoint Account {0}.
PAM-SP-0005 = Updated SailPoint Account {0}.
PAM-SP-0006 = Deleted SailPoint Account {0}.
PAM-SP-0007 = Created SailPoint User Group {0}.
PAM-SP-0008 = Updated SailPoint User Group {0}.
PAM-SP-0009 = Deleted SailPoint User Group {0}.
PAM-SP-0010 = Created SailPoint Role {0}.
PAM-SP-0011 = Updated SailPoint Role {0}.
PAM-SP-0012 = Deleted SailPoint Role {0}.
PAM-SP-0013 = Imported user {0} from SailPoint.
PAM-SP-0014 = Imported User Group {0} from SailPoint for user {1}.
PAM-SP-0015 = Imported role {0} from SailPoint for user {1}.
PAM-SP-0016 = Deleted user {0} that was deleted from SailPoint.
PAM-SP-0017 = Removed User Group {0} that was deleted from SailPoint for user {1}.
PAM-SP-0018 = Removed role {0} that was deleted from SailPoint for user {1}.
PAM-SP-0019 = Import of SailPoint data successful: {0} records processed.
PAM-SP-0020 = Disabled SailPoint Account {0}.
PAM-SP-0021 = Enabled SailPoint Account {0}.
PAM-CM-2104 = Updated SailPoint configuration

PAM-SPFD: Secure Port Forwarding Daemon Messages
PAM-SPFD-0001 = CA PAM[{0}]: Connections to local addresses not permitted.
PAM-SPFD-0002 = Connection to '{0}' has been blocked by VMware NSX Security Policy.
PAM-SPFD-0003 = CA PAM[{0}]: Mismatched version of Monitoring agent is running on target device.
PAM-SPFD-0004 = CA PAM[{0}]: Monitoring agent is not running on device.
PAM-SPFD-0005 = CA PAM[{0}]: Login is not allowed if Monitoring agent is unreachable.
PAM-SPFD-0006 = CA PAM[{0}]: Unable to open connection to this resource
PAM-SPFD-0007 = CA PAM[{0}]: Lost access to remote storage. Connection closed.
PAM-SPFD-0008 = CA PAM[{0}]: Credentials for VNC SSO are invalid.
PAM-SPFD-0009 = CA PAM[{0}]: Fail to create session. Login session expired after {1} minute(s) of idle time.
PAM-SPFD-0010 = Invalid license.
PAM-SPFD-0011 = Current hosts ({0}) exceed licensed value ({1})
PAM-SPFD-0012 = CA PAM[{0}]: {1} connected to {2}:{3}; Idle time out: {4};{5}
PAM-SPFD-0013 = CA PAM[{0}]: {1} initialized SSLVPN; {2}
PAM-SPFD-0014 = Failed to launch connection as the session recording can not be started.
PAM-SPFD-0015 = CA PAM[{0}]: Connection terminated; Duration: {1};{2}
PAM-SPFD-0016 = Failed to check certificate revocation status due to CRL expiration. Please update CRL.
PAM-SPFD-0017 = Preventing X-Forwarded-Host = {0}
PAM-SPFD-0018 = Preventing Cross Site Scripting Attempt
PAM-SPFD-0019 = FIPS module not included!


PAM-SPFD-0020 = FIPS module initialized!
PAM-SPFD-0021 = Session recording started for '{0}'. Triggered by CA Threat Analytics.
PAM-SPFD-0022 = Your session has been terminated. Contact your PAM Administrator.
PAM-SPFD-0023 = Applet Timed Out due to user inactivity
PAM-SPFD-0024 = Your connection to '{0}' {1} has been blocked by VMware NSX Security Policy.
PAM-SPFD-0025 = Error in prelogin call to '{0}' endpoint. Message: '{1}'
PAM-SPFD-0026 = Cannot set FIPS mode to {0}: {1}
PAM-SPFD-0027="CA PAM[{0}]: Starting processing of session recording;"
PAM-SPFD-0028="CA PAM[{0}]: Closing processing of session recording;"

PAM-SRM: Session Recording Manager Messages
PAM-SRM-0000 = Graphical session recording: failed to access data base while writing file transfer event
PAM-SRM-0001 = Graphical session recording: Failed to access data base while writing Decryption key for hostId:{0} userID:{1}
PAM-SRM-0002 = Graphical session recording: failed to access data base while writing event with type {0} in recording file.
PAM-SRM-0003 = Graphical session recording: Failed to write general event in file : {0}
PAM-SRM-0004 = Graphical session recording: Failed to Complete recording for file : {0}
PAM-SRM-0005 = Graphical session recording: Failed to access database while writing file header for file : {0}
PAM-SRM-0006 = Graphical session recording: Failed to write file header for file : {0}BufferSize = {1}Bytes Written = {2}
PAM-SRM-0007 = Graphical session recording: Failed to write file header for file : {0}
PAM-SRM-0008 = Graphical session recording: Failed to update end time for file : {0}
PAM-SRM-0009 = Partially completed post-processing of session recording for {0}.
PAM-SRM-0010 = Completed post-processing of session recording for {0}.
PAM-SRM-0011 = An error occurred while post-processing of session recording: Can not process connect request. Probably security settings at remote server are too high. Deleting the file: {0}
PAM-SRM-0012 = An error occurred while post-processing of session recording: Recording file contains only file header packet. Possibly the remote server is powered off or security settings are too high. Deleting the file: {0}
PAM-SRM-0013 = An error occurred while post-processing of session recording: NLA login was canceled or invalid credentials were entered. Deleting the file: {0}
PAM-SRM-0014 = An error occurred while post-processing of session recording: Can't process TLS handshake. Deleting the file: {0}
PAM-SRM-0016 = Failed to synchronize NSX Securing Tags/Groups: wrong credentials
PAM-SRM-0017 = Failed to synchronize NSX Securing Tags/Groups: invalid NSX configuration
PAM-SRM-0018 = Failed to synchronize NSX Securing Tags/Groups: NSX manager response status code {0}
PAM-SRM-0019 = Failed to synchronize NSX Securing Tags/Groups: inner error
PAM-SRM-0020 = Failed to update ServiceManager of CA PAM Service: wrong credentials
PAM-SRM-0021 = Failed to update ServiceManager of CA PAM Service: invalid NSX configuration
PAM-SRM-0022 = Failed to update ServiceManager of CA PAM Service: NSX manager response status code {0}
PAM-SRM-0023 = Failed to update ServiceManager of CA PAM Service: inner error
PAM-SRM-0024 = Synchronization of security policies with VMware NSX completed successfully.
PAM-SRM-0025 = An error occurred while post-processing of session recording: Can't process TLS handshake. File: {0}
PAM-SRM-0026 = An error occurred while post-processing of session recording: {0} File: {1}
PAM-SRM-0027 = Failed to register CA PAM Service: wrong credentials
PAM-SRM-0028 = Failed to register CA PAM Service: invalid NSX configuration
PAM-SRM-0029 = Failed to register CA PAM Service: NSX manager response status code {0}
PAM-SRM-0030 = Failed to register CA PAM Service: inner error
PAM-SRM-0031 = Failed to unregister CA PAM Service: wrong credentials
PAM-SRM-0032 = Failed to unregister CA PAM Service: invalid NSX configuration
PAM-SRM-0033 = Failed to unregister CA PAM Service: NSX manager response status code {0}
PAM-SRM-0034 = Failed to unregister CA PAM Service: inner error
PAM-SRM-0035 = Failed to synchronize NSX security service: wrong credentials
PAM-SRM-0036 = Failed to synchronize NSX security service: invalid NSX configuration
PAM-SRM-0037 = Failed to synchronize NSX security service: NSX manager response status code {0}
PAM-SRM-0038 = Failed to synchronize NSX security service: inner error

PAM-SRM-0039 = Failed to add NSX firewall rule to unknown VM "{0}": wrong credentials
PAM-SRM-0040 = Failed to add NSX firewall rule to unknown VM "{0}": invalid NSX configuration
PAM-SRM-0041 = Failed to add NSX firewall rule to unknown VM "{0}": NSX manager response status code {1}
PAM-SRM-0042 = Failed to add NSX firewall rule to unknown VM "{0}": inner error
PAM-SRM-0043 = Failed to open access to {0}:{1} by adding NSX firewall rule: wrong credentials
PAM-SRM-0044 = Failed to open access to {0}:{1} by adding NSX firewall rule: invalid NSX configuration
PAM-SRM-0045 = Failed to open access to {0}:{1} by adding NSX firewall rule: NSX manager response status code {2}
PAM-SRM-0046 = Failed to open access to {0}:{1} by adding NSX firewall rule: inner error
PAM-SRM-0047 = Failed to remove NSX firewall rule: wrong credentials
PAM-SRM-0048 = Failed to remove NSX firewall rule: invalid NSX configuration
PAM-SRM-0049 = Failed to remove NSX firewall rule: NSX manager response status code {0}
PAM-SRM-0050 = Failed to remove NSX firewall rule: inner error
PAM-SRM-0051 = Starting post-processing of session recording {0}
PAM-SRM-0052 = Failed post-processing of session recording {0}
PAM-SRM-0053 = Session recording file {0} is inaccessible as primary network storage is down. Cannot start post-processing
PAM-SRM-0054 = Session recording file {0} is inaccessible as failover network storage is down. Cannot start post-processing

PAM-TELE: Telemetry Segment Messages
PAM-TELE-0001 = Unable to Save Telemetry Data. Proxy Server details provided for telemetry are invalid or it is not reachable.
PAM-TELE-0002 = Unable to Submit Telemetry Data. There is an error connecting to the Telemetry server.
PAM-TELE-0003 = Unable to Submit Telemetry Data. Proxy Server details provided for telemetry are invalid or it is not reachable.
PAM-TELE-0004 = Telemetry details with PLA Agreement Enabled : {0},Company Domain : {1},Enterprise Site ID : {2},Internal Identifier : {3},Manual Feed : {4},Proxy Enabled : {5} are saved.
PAM-TELE-0005 = Identify call to Segment API is made with below details : {0}
PAM-TELE-0006 = Track call to Segment API is made with below details : {0}
PAM-TELE-0007 = This CA-PAM appliance is a member of a secondary site. Saving of Telemetry data is an admin function and must be performed from the primary site.

PAM-UI: User Interface Messages PAM-UI-0001 = Group Saved.

PAM-UI-0003 = Group Deleted.

PAM-UI-0004 = Context specific server error message. Module:ExampleFeature

PAM-UI-0005 = Contact Saved.

PAM-UI-0006 = Contact Deleted.

PAM-UI-0007 = Context specific server error message. Module:ExampleFeature

PAM-UI-0008 = Settings Saved.

PAM-UI-0009 = Failed to load settings.

PAM-UI-1001 = Item Saved.

PAM-UI-1002 = Item Deleted.

PAM-UI-1003 = Context specific server error message. Module:Common

PAM-UI-1004 = User information has been updated

PAM-UI-1005 = Authorization failed. User does not have permission for this action.

PAM-UI-1006 = Search View deleted.

PAM-UI-1007 = Error deleting search view.

PAM-UI-1008 = Search View saved.

PAM-UI-1009 = Communication failure.

PAM-UI-1010 = Transaction aborted.

PAM-UI-1100 = Request Group deleted.

PAM-UI-1101 = Error deleting request group.

PAM-UI-1102 = Request Group saved.

PAM-UI-1103 = Script deleted.

PAM-UI-1104 = Error deleting script.

PAM-UI-1105 = Script saved.

PAM-UI-1106 = Authorization Mapping deleted.

PAM-UI-1107 = Error deleting authorization mapping.

PAM-UI-1108 = Authorization Mapping saved.

PAM-UI-1110 = This client has not yet been authorized! Change the status to Active to authorize requests from this client.

PAM-UI-1111 = Fingerprint update request was sent

PAM-UI-1112 = Fingerprint update request failed

PAM-UI-1113 = Change key update request was sent

PAM-UI-1114 = Change key update request failed

PAM-UI-1115 = All script hash update request was sent

PAM-UI-1116 = All script hash update request failed

PAM-UI-1117 = Script hash update request was sent

PAM-UI-1118 = Script hash update request failed

PAM-UI-1119 = Connection status check completed

PAM-UI-1120 = Connection status check failed

PAM-UI-1121 = Get log request was sent

PAM-UI-1122 = Get log request failed

PAM-UI-1200 = Error checking in password view

PAM-UI-1201 = Password View checked in

PAM-UI-1202 = Error getting access credentials

PAM-UI-1203 = Error generating proxy account

PAM-UI-1300 = AWS Connection Deleted.

PAM-UI-1301 = AWS Connection Saved.

PAM-UI-1302 = Context specific server error message. Module:Config

PAM-UI-1303 = VMware vCenter Deleted.

PAM-UI-1304 = VMware vCenter Saved.

PAM-UI-1305 = Context specific server error message. Module:Config

PAM-UI-1306 = RADIUS and TACACS+ Configuration Deleted.

PAM-UI-1307 = RADIUS and TACACS+ Configuration Saved.

PAM-UI-1308 = Context specific server error message. Module:Config

PAM-UI-1309 = Splunk Configuration Deleted.

PAM-UI-1310 = Splunk Configuration Saved.

PAM-UI-1311 = Context specific server error message. Module:Config

PAM-UI-1312 = LDAP Domain Deleted.

PAM-UI-1313 = LDAP Domain Saved.

PAM-UI-1314 = Context specific server error message. Module:Config

PAM-UI-1315 = RSA Configuration File Deleted.

PAM-UI-1316 = Context specific server error message. Module:Config

PAM-UI-1317 = AWS API Proxy Auto-Activation Whitelist successfully updated.

PAM-UI-1318 = Context specific server error message. Module:Config

PAM-UI-1319 = NSX API Proxy Auto-Activation Whitelist successfully updated.

PAM-UI-1320 = Context specific server error message. Module:Config

PAM-UI-1321 = File deleted successfully. For this change to take effect, please restart Tomcat.

PAM-UI-1322 = Context specific server error message. Module:Config

PAM-UI-1323 = CA Threat Analytics configuration was successfully saved

PAM-UI-1324 = CA Threat Analytic configuration was successfully cleared.

PAM-UI-1325 = Successfully connected to CA Threat Analytic server

PAM-UI-1326 = CASSO configuration was successfully saved. For this change to take effect, please restart Apache.

PAM-UI-1327 = CA PAM Server Control configuration was successfully saved.

PAM-UI-1328 = CA PAM Server Control configuration was successfully cleared.

PAM-UI-1329 = Date/Time changed successfully.

PAM-UI-1330 = Time Servers information updated successfully

PAM-UI-1331 = NTP IFF key saved: {0} security policy {1}

PAM-UI-1332 = Database file deleted successfully

PAM-UI-1333 = Context specific server error message. Module:Config

PAM-UI-1334 = CA PAM configuration restored successfully from file {0}. The CA PAM appliance is being rebooted.

PAM-UI-1335 = CA PAM database restored successfully from file {0}. The CA PAM appliance is being rebooted.

PAM-UI-1336 = Downloaded database file {0}

PAM-UI-1337 = Database dumped successfully; CA PAM configuration saved successfully

PAM-UI-1338 = The CA PAM database has been reset successfully. The CA PAM appliance is being rebooted.

PAM-UI-1339 = Database compacted. The CA PAM appliance is being rebooted.

PAM-UI-1340 = Database backup schedule saved successfully

PAM-UI-1341 = Database backup schedule deleted successfully

PAM-UI-1342 = {0} mount performed successfully

PAM-UI-1343 = {0} unmounting performed successfully

PAM-UI-1344 = Exception Rules Saved

PAM-UI-1345 = Set Time Successful

PAM-UI-1346 = Hardware Serial Saved

PAM-UI-1347 = License File Uploaded

PAM-UI-1348 = Successfully updated the monitoring configuration

PAM-UI-1349 = Monitor startup flag changed successfully

PAM-UI-1350 = Monitor started successfully

PAM-UI-1351 = Monitor stopped successfully

PAM-UI-1352 = The Automatic Log Purge Settings have been saved successfully.

PAM-UI-1353 = The External Log Settings have been saved successfully.

PAM-UI-1354 = Log file deleted successfully

PAM-UI-1355 = Context specific server error message. Module:Config

PAM-UI-1356 = Log records saved to file.

PAM-UI-1357 = Purged logs up till

PAM-UI-1358 = All logs have been purged

PAM-UI-1359 = Syslog configuration updated successfully

PAM-UI-1360 = Keystroke Logging configuration updated successfully

PAM-UI-1361 = {0} Mount settings saved successfully.

PAM-UI-1362 = Session Recording Preference saved successfully.

PAM-UI-1363 = Network settings updated successfully. Please reboot the appliance or click the Restart Networking button for the changes to take effect

PAM-UI-1364 = Network IPv4 Route Deleted

PAM-UI-1365 = Context specific server error message. Module:Config

PAM-UI-1366 = Network IPv6 Route Deleted

PAM-UI-1367 = Context specific server error message. Module:Config

PAM-UI-1368 = Network IPv4 Route Saved

PAM-UI-1369 = Network IPv6 Route Saved

PAM-UI-1370 = IP Address Deleted

PAM-UI-1371 = Context specific server error message. Module:Config

PAM-UI-1372 = IP Address Saved

PAM-UI-1373 = Certificate Revocation List deleted

PAM-UI-1374 = Error deleting Certificate Revocation List

PAM-UI-1375 = Session Recording Purge saved successfully.

PAM-UI-1376 = SNMP poll configuration saved successfully

PAM-UI-1377 = SNMP user saved successfully

PAM-UI-1378 = SNMP User Deleted

PAM-UI-1379 = Context specific server error message. Module:Config

PAM-UI-1380 = SNMP trap configuration saved successfully

PAM-UI-1381 = Management Console configuration was successfully saved.

PAM-UI-1382 = Management Console configuration was successfully cleared.

PAM-UI-1383 = Connected successfully to AWS.

PAM-UI-1384 = Connected successfully to vCenter.

PAM-UI-1385 = All the vCenter accounts provisioned are now Active.

PAM-UI-1386 = Updated config password

PAM-UI-1387 = Updated super user name

PAM-UI-1388 = Network HSM Removed

PAM-UI-1389 = Success initializing the internal LunaPCI-E device

PAM-UI-1390 = Locale successfully saved. For this change to take effect, please restart the appliance.

PAM-UI-1391 = Always Allow View Password on Secondary Site setting has been updated successfully

PAM-UI-1392 = Refreshed Credential Manager Database Sync Status

PAM-UI-1393 = Disabled because PAM is running in FIPS mode.

PAM-UI-1394 = Cluster configuration was successfully reset

PAM-UI-1395 = Cluster configuration reset failed

PAM-UI-1396 = The AWS Refresh Interval has been saved.

PAM-UI-1397 = The VMware Refresh Interval has been saved.

PAM-UI-1398 = Success, you must reboot CA PAM for this change to take effect

PAM-UI-1399 = Success updating the HSM password

PAM-UI-1400 = Selected application must be of type LDAP, Active Directory, or Windows Proxy.

PAM-UI-1401 = Success, updating the cryptography password.

PAM-UI-1402 = FIPS Password Error

PAM-UI-1403 = Cannot delete site: Cluster must have at least two members. Click RESET to delete the cluster.

PAM-UI-1404 = Selected application must be of type RADIUS/TACACS+ Secret.

PAM-UI-1405 = Please acknowledge the cluster warning message before powering off the appliance.

PAM-UI-1406 = Please acknowledge the cluster warning message before rebooting the appliance.

PAM-UI-1407 = Access settings saved

PAM-UI-1408 = Success, CA PAM will now reboot for this change to take effect.

PAM-UI-1409 = The IdP settings cannot be updated while the cluster is on

PAM-UI-1410 = Sailpoint configuration settings have been saved

PAM-UI-1411 = CA-PAM data has been exported to Sailpoint. See log for details

PAM-UI-1412 = CA-PAM data has been imported from Sailpoint. See log for details

PAM-UI-1413 = Sailpoint Integration tables have been installed.

PAM-UI-1414 = KDC Server Configuration Deleted.

PAM-UI-1415 = KDC Server Configuration Saved.

PAM-UI-1416 = KDC failed

PAM-UI-1417 = X Forwarded Host Check has been changed. This change requires an appliance restart to take effect.

PAM-UI-1418 = The Azure Refresh Interval has been saved.

PAM-UI-1419 = Azure Connection Deleted.

PAM-UI-1420 = Azure Connection Saved.

PAM-UI-1421 = Azure Connection Failed

PAM-UI-1422 = Connected successfully to Azure.

PAM-UI-1423 = No subscriptions available. Please make sure you have granted access to the PAM instance.

PAM-UI-1424 = No resource groups available. Please make sure you have granted access to the PAM instance.

PAM-UI-1425 = Azure MSI is not available! Please make sure Managed Service Identity has been enabled on the PAM instance in order to use Azure functionalities.

PAM-UI-1426 = Azure MSI is not available! Please make sure Managed Service Identity has been enabled on the PAM instance in order to configure VIP properly

PAM-UI-1427 = UI Logs Purged

PAM-UI-1500 = Device Saved.

PAM-UI-1501 = Device Deleted.

PAM-UI-1502 = Context specific server error message. Module:Devices

PAM-UI-1503 = Device Group Saved.

PAM-UI-1504 = Device Group Deleted.

PAM-UI-1505 = Context specific server error message. Module:Devices

PAM-UI-1506 = Tag Saved.

PAM-UI-1507 = Tag Deleted.

PAM-UI-1508 = Context specific server error message. Module:Devices

PAM-UI-1509 = Access Method Saved.

PAM-UI-1510 = Access Method Deleted.

PAM-UI-1511 = Context specific server error message. Module:Devices

PAM-UI-1512 = VMware devices refreshed

PAM-UI-1513 = AWS devices refreshed

PAM-UI-1514 = Device address is invalid

PAM-UI-1801 = Error deleting policy.

PAM-UI-1802 = Policy Saved.

PAM-UI-1803 = Policy Deleted.

PAM-UI-1804 = Error retrieving association information between user(group) and device(group).

PAM-UI-1805 = Error deleting socket filter

PAM-UI-1806 = Socket Filter Deleted.

PAM-UI-1807 = Error deleting command filter

PAM-UI-1808 = Policy Command Filter Deleted.

PAM-UI-1809 = Command Filter Config Saved.

PAM-UI-1810 = Socket Filter Config Saved.

PAM-UI-1811 = Error deleting AWS policy.

PAM-UI-1812 = AWS Policy Saved.

PAM-UI-1813 = AWS Policy Deleted.

PAM-UI-1814 = Policy Command Filter Saved.

PAM-UI-1815 = Policy Socket Filter Saved.

PAM-UI-1816 = Please assign the AWS policy to the Target Account {0}.

PAM-UI-1901 = Error deleting Service.

PAM-UI-1902 = Service Saved.

PAM-UI-1903 = Service Deleted.

PAM-UI-1904 = Error deleting Transparent Login Config.

PAM-UI-1905 = Transparent Login Config Saved.

PAM-UI-1906 = Transparent Login Config Deleted.

PAM-UI-2001 = Discovered Device Updated.

PAM-UI-2005 = Profile Job submitted

PAM-UI-2006 = Profile Job failed:

PAM-UI-2007 = Profile Job {0} Canceled.

PAM-UI-2008 = Profile Job {0} Deleted.

PAM-UI-2009 = Account Scan Profile Job Saved.

PAM-UI-2010 = Account Scan Profile Job Deleted.

PAM-UI-2011 = Context specific server error message. Module:Discovery

PAM-UI-2012 = Account Profile Job submitted

PAM-UI-2013 = Account Profile Job failed:

PAM-UI-2014 = Manage Accounts failed:

PAM-UI-2015 = Accounts were successfully managed.

PAM-UI-2016 = Device Scan Profile Saved.

PAM-UI-2018 = Device Scan Profile Deleted.

PAM-UI-2019 = Context specific server error message. Module:Discovery

PAM-UI-2020 = Context specific server error message. Module:Discovery

PAM-UI-2021 = Update Accounts failed:

PAM-UI-2022 = Accounts were successfully Updated.

PAM-UI-2101 = Report Saved.

PAM-UI-2102 = Report Deleted.

PAM-UI-2103 = Context specific server error message. Module:Sessions

PAM-UI-2200 = Alias deleted.

PAM-UI-2201 = Error deleting alias.

PAM-UI-2202 = Proxy deleted.

PAM-UI-2203 = Error deleting proxy.

PAM-UI-2204 = Proxy saved.

PAM-UI-2205 = Target Group deleted.

PAM-UI-2207 = Target Group saved.

PAM-UI-2209 = Error deleting target group.

PAM-UI-2210 = Password Composition Policy deleted.

PAM-UI-2211 = Error deleting password composition policy.

PAM-UI-2212 = Password Composition Policy saved.

PAM-UI-2213 = Could not read Request Server Global Settings.

PAM-UI-2214 = Could not retrieve logs.

PAM-UI-2215 = Fingerprint update request sent to proxy.

PAM-UI-2216 = Key update request sent to proxy.

PAM-UI-2217 = Request sent to get logs for request server. Please wait...

PAM-UI-2218 = Could not read Fingerprint Settings.

PAM-UI-2219 = SSH key pair policy deleted.

PAM-UI-2220 = Error deleting SSH key pair policy.

PAM-UI-2221 = SSH key pair policy saved.

PAM-UI-2222 = Could not read SSH Key Pair Policy defaults.

PAM-UI-2223 = Options OK. Sample SSH Key Pair Fingerprint:

PAM-UI-2224 = Target Application saved.

PAM-UI-2225 = Target Account saved

PAM-UI-2226 = Target Account deleted

PAM-UI-2227 = The Password View Request is approved.

PAM-UI-2228 = Credential verification performed

PAM-UI-2229 = Credential verification has failed

PAM-UI-2230 = Unable to generate credential. No application is selected.

PAM-UI-2231 = You have this account checked out.

PAM-UI-2232 = Account has been checked in

PAM-UI-2233 = Account check-in has failed

PAM-UI-2234 = Service Host required

PAM-UI-2235 = Service required

PAM-UI-2236 = No services found.

PAM-UI-2237 = {0} new services added of {1} discovered.

PAM-UI-2238 = Task Host required

PAM-UI-2239 = Task required

PAM-UI-2240 = No task found.

PAM-UI-2241 = {0} new tasks added of {1} discovered.

PAM-UI-2242 = Service at line {0} requires a service host.

PAM-UI-2243 = Service at line {0} requires a service name.

PAM-UI-2244 = Task at line {0} requires a task host.

PAM-UI-2245 = Task at line {0} requires a task name.

PAM-UI-2246 = Required Remedy licensed files could not be found.

PAM-UI-2247 = Updating passphrase will update the target account with newly generated key pair

PAM-UI-2248 = No filters have been defined. Group must have at least one filter.

PAM-UI-2301 = Could not read timezone regions.

PAM-UI-2302 = Could not read user's current time.

PAM-UI-2303 = Could not read server current time.

PAM-UI-2304 = Could not read dashboard items.

PAM-UI-2305 = Error deleting request server subnet.

PAM-UI-2306 = Request Server Subnet Saved.

PAM-UI-2307 = Request Server Subnet Deleted.

PAM-UI-2308 = Request Server Settings Saved.

PAM-UI-2309 = General Settings Saved.

PAM-UI-2310 = Global Settings Saved

PAM-UI-2311 = Email Settings Saved

PAM-UI-2401 = Error deleting user.

PAM-UI-2402 = User Saved.

PAM-UI-2403 = User Deleted.

PAM-UI-2404 = Error deleting group.

PAM-UI-2405 = Group Saved.

PAM-UI-2406 = Group Deleted.

PAM-UI-2407 = Error deleting role.

PAM-UI-2408 = Role Saved.

PAM-UI-2409 = Role Deleted.

PAM-UI-2410 = Error deleting CAC User.

PAM-UI-2411 = Error approving CAC User.

PAM-UI-2412 = CAC User Approved.

PAM-UI-2413 = CAC User Deleted.

PAM-UI-2414 = Error deleting Credential Manager role.

PAM-UI-2415 = Credential Manager Role Saved.

PAM-UI-2416 = Credential Manager Role Deleted.

PAM-UI-2417 = Error deleting Credential Manager user group.

PAM-UI-2418 = Credential Manager User Group Saved.

PAM-UI-2419 = Credential Manager User Group Deleted.

PAM-UI-2500 = Password view policy deleted.

PAM-UI-2501 = Error deleting Password view policy.

PAM-UI-2502 = Password view policy saved.

PAM-UI-2503 = Required Remedy licensed files could not be found.

PAM-UI-2504 = Reason Required For View must be selected when using Service Desk Integration.

PAM-UI-2505 = Reason Required For Auto-Connect must be selected when using Service Desk Integration.

PAM-UI-2506 = The Password View Requests have been deleted successfully.

PAM-UI-2507 = Error deleting Password View Requests.

PAM-UI-2508 = The Password View Requests have been approved.

PAM-UI-2509 = Error approving Password View Requests.

PAM-UI-2510 = The Password View Requests have been denied.

PAM-UI-2511 = Error denying Password View Requests.

PAM-UI-2600 = Scheduled Job deleted.

PAM-UI-2601 = Error deleting Scheduled Job.

PAM-UI-2602 = Scheduled Job saved.

PAM-UI-2700 = Cluster information was saved.

PAM-UI-2701 = Patch staging request was saved.

PAM-UI-2702 = Patch information was saved.

PAM-UI-2703 = Appliance information was deleted.

PAM-UI-2704 = Appliance delete failed.

PAM-UI-2705 = Cluster information was deleted.

PAM-UI-2706 = Cluster update failed.

PAM-UI-2707 = Cluster licenses were deleted.

PAM-UI-2708 = Delete of cluster licenses failed.

PAM-UI-2709 = Delete of patch information failed.

PAM-UI-2710 = Patch information was deleted.

PAM-UI-2711 = Patch staging recall request was saved.

PAM-UI-2720 = The patch is already in the inventory: {0}

PAM-UI-2721 = Bad SHA1 hash: {0}

PAM-UI-2722 = Cannot decrypt patch file: {0}

PAM-UI-2723 = Cannot read metadata file: {0}

PAM-UI-2724 = Missing metadata element: {0}

PAM-UI-2725 = Cannot find patch metadata: {0}

PAM-UI-2726 = Unknown archive file type: {0}

PAM-UI-2727 = File upload succeeded: {0}

PAM-UI-2728 = Could not extract files from uploaded ZIP: {0}

PAM-UI-2729 = Patch file name does not match the package name: {0}

PAM-UIL: UI Logging Messages
PAM-UIL-0001 = Could not obtain internal session ID. Task: {0}
PAM-UIL-0002 = Purge task failed. Task: {0}
PAM-UIL-0003 = Internal purge error. Task: {0}
PAM-UIL-0004 = Failed to initialize purge task configuration. Task: {0}
PAM-UIL-0005 = Task started: {0}
PAM-UIL-0006 = Task completed: {0} Number of purged records: {1}

PAM-UPD: Session Clean-up and Storage Status Messages
PAM-UPD-0001 = Closed expired session for user {0}.
PAM-UPD-0002 = Terminating session for user {0}, as it is timed out!
PAM-UPD-0003 = SAML session timed-out for user {0}.
PAM-UPD-0004 = Session login timed-out for user {0}.
PAM-UPD-0005 = There was a problem with the recording storage. This connection is not allowed in security-safe mode.
PAM-UPD-0006 = This client has not responded to PAM messages. We have assumed the client has gone away, and the session is being reaped.
PAM-UPD-0007 = There was a problem with PAM's connection to this client. There may be network issues, or the client may have gone away without properly logging out. This session will be cleaned up.
PAM-UPD-0008 = There was a problem with PAM's connection to this client. There may be network issues, or the client may be not properly configured. Session data will be discarded.
PAM-UPD-0009 = User {0} opened a Web Portal to {1} on {2}
PAM-UPD-0010 = User {0} closed the Web Portal to {1} on {2}
PAM-UPD-0012 = Your session has timed out.
PAM-UPD-0013 = Primary network storage for session recording is up
PAM-UPD-0014 = Primary network storage for session recording is down
PAM-UPD-0015 = Failover network storage for session recording is up
PAM-UPD-0016 = Failover network storage for session recording is down
PAM-UPD-0017 = Network storage for database backup is up
PAM-UPD-0018 = Network storage for database backup is down
PAM-UPD-0019 = Network storage for database backup does not have enough free space!
PAM-UPD-0020 = Check local database size failed
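The PAM-* entries above are message templates with positional placeholders ({0}, {1}, ...). Anyone feeding the appliance's log output into a SIEM needs to do the reverse: recover the code, turn the rendered text back into fields, and single out the events that matter for the evaluated configuration, such as a connection refused in security-safe mode (PAM-UPD-0005), recording or backup storage going down (PAM-UPD-0014, PAM-UPD-0019, PAM-SRM-0053), or a failed FIPS mode change (PAM-SPFD-0026). The Python below is an added example written for this page; it is not code from Broadcom, from the evaluation lab, or from this guidance supplement. It assumes a syslog-style line layout of "<timestamp> <host> <tag>: <CODE> <rendered message>", which the supplement does not state; the sample log lines are constructed, and the catalog excerpt copies templates verbatim from the sections above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Excerpt of the catalog above (templates copied verbatim); load the full
# catalog text in practice.
CATALOG_TEXT = """
PAM-SPFD-0022 = Your session has been terminated. Contact your PAM Administrator.
PAM-SPFD-0026 = Cannot set FIPS mode to {0}: {1}
PAM-SRM-0053 = Session recording file {0} is inaccessible as primary network storage is down. Cannot start post-processing
PAM-UPD-0001 = Closed expired session for user {0}.
PAM-UPD-0005 = There was a problem with the recording storage. This connection is not allowed in security-safe mode.
PAM-UPD-0009 = User {0} opened a Web Portal to {1} on {2}
PAM-UPD-0014 = Primary network storage for session recording is down
PAM-UPD-0019 = Network storage for database backup does not have enough free space!
"""

# Codes worth an alert; each reason is taken from the message text itself.
ALERT_CODES = {
    "PAM-UPD-0005": "session refused: recording storage unavailable (security-safe mode)",
    "PAM-UPD-0014": "primary session-recording storage down",
    "PAM-UPD-0019": "database backup storage out of space",
    "PAM-SRM-0053": "recording post-processing blocked: primary storage down",
    "PAM-SPFD-0026": "FIPS mode change failed",
}

ENTRY_RE = re.compile(r"^\s*(PAM-[A-Z]+-\d{4})\s*=\s*(.*?)\s*$")
PLACEHOLDER_RE = re.compile(r"\{(\d+)\}")
# Assumed syslog-style layout: "<timestamp> <host> <tag>: <CODE> <rendered message>".
LINE_RE = re.compile(r"(?P<code>PAM-[A-Z]+-\d{4})[:\s]+(?P<msg>.*)$")


def parse_catalog(text: str) -> Dict[str, str]:
    """Map each 'CODE = template' line of the catalog to its template."""
    catalog: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            catalog[m.group(1)] = m.group(2)
    return catalog


def template_to_regex(template: str) -> Tuple[re.Pattern, List[int]]:
    """Turn each '{n}' into a capture group; literal text is escaped so '.', '!'
    and '(' in the messages match literally. Returns the compiled pattern and
    the placeholder index captured by each group, in group order."""
    parts, indices, pos = [], [], 0
    for m in PLACEHOLDER_RE.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append("(.+?)")
        indices.append(int(m.group(1)))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$"), indices


def compile_catalog(catalog: Dict[str, str]) -> Dict[str, Tuple[re.Pattern, List[int]]]:
    return {code: template_to_regex(tpl) for code, tpl in catalog.items()}


def match_line(line: str, compiled: dict) -> Optional[dict]:
    """None if the line carries no PAM code; otherwise the code, whether the
    catalog knows it, whether its text matched the template, and the fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code, msg = m.group("code"), m.group("msg").strip()
    if code not in compiled:
        return {"code": code, "known": False, "matched": False, "fields": {}, "alert": None}
    pattern, indices = compiled[code]
    mm = pattern.match(msg)
    fields = {idx: mm.group(i + 1) for i, idx in enumerate(indices)} if mm else {}
    return {"code": code, "known": True, "matched": mm is not None,
            "fields": fields, "alert": ALERT_CODES.get(code)}


def scan(lines: List[str], compiled: dict) -> Dict[str, list]:
    """Sort a log into alerts, codes absent from the catalog, and known codes whose
    text did not match the template (a catalog/appliance version mismatch to check)."""
    out: Dict[str, list] = {"alerts": [], "unknown": [], "unmatched": []}
    for line in lines:
        r = match_line(line, compiled)
        if r is None:
            continue
        if not r["known"]:
            out["unknown"].append(r["code"])
        elif not r["matched"]:
            out["unmatched"].append(r["code"])
        elif r["alert"]:
            out["alerts"].append(r)
    return out


# Constructed sample lines in the assumed layout; not real appliance output.
SAMPLE_LOG = [
    "2020-05-29T10:01:02Z pam01 pam: PAM-UPD-0009 User alice opened a Web Portal to 10.0.0.5 on 443",
    "2020-05-29T10:03:10Z pam01 pam: PAM-UPD-0014 Primary network storage for session recording is down",
    "2020-05-29T10:03:11Z pam01 pam: PAM-UPD-0005 There was a problem with the recording storage. This connection is not allowed in security-safe mode.",
    "2020-05-29T10:04:00Z pam01 pam: PAM-SPFD-0026 Cannot set FIPS mode to true: HSM not initialized",
    "2020-05-29T10:05:00Z pam01 pam: PAM-UPD-0001 Closed expired session for user bob.",
    "2020-05-29T10:05:30Z pam01 pam: PAM-UPD-0001 Session for user bob was closed by a newer build",
    "2020-05-29T10:06:00Z pam01 pam: PAM-XYZ-9999 not in the catalog",
]
```

Running scan(SAMPLE_LOG, compile_catalog(parse_catalog(CATALOG_TEXT))) yields three alerts (storage down, the security-safe-mode refusal, and the FIPS failure with its two fields), one unknown code, and one known code whose text did not fit its template. That last bucket is reported rather than dropped on purpose: a template that no longer matches usually means the catalog copy and the appliance build have drifted apart, which is worth knowing before trusting the field extraction.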

Credential Manager Client Return Codes

Credential Manager clients generate these return codes and the associated messages. These clients include A2A (application to application), Windows Proxy, Windows Remote, client integrations, and their associated components.

Message Headers
error.validation.header =Validation Error:
error.exception =Exception occurred {0} in {1}
error.loadingEntity =Unable to load entity of type {0} with id {1}
error.entityDoesNotExist =The entity of type {0} with id {1} does not exist
error.entityNotCorrectType =The retrieved entity of type {0} does not match the expected type of {1}

Error Codes and Associated Messages

General Messages

error.code.0=Success.
error.code.1=Application error occurred.
error.code.2=Failed to connect to database.
error.code.3=Database version does not match application version.
error.code.4=A database error occurred.
error.code.5=Request failed. The Xsuite cluster is in stopped mode.
error.code.10=Invalid user ID.
error.code.11=Invalid password.
error.code.12=Login failed.
error.code.13=User ID/password combination does not exist.
error.code.14=User session has not been authenticated. Please log in.
error.code.15=Account suspended.
error.code.16=Missing login digest values.
error.code.17=Missing login digest.
error.code.18=Cannot log in to secondary site.
error.code.19=User is authenticated, but credential must be reset.
error.code.20=User ID must have 3 to 16 characters.
error.code.21=Password must have 6 to 16 characters.
error.code.22=Authorization failed. User {0} does not have permission for this action.
error.code.23=Password must contain at least one alpha character (a-z, A-Z).
error.code.24=Password must contain at least one numeric character (0-9).
error.code.25=Password must contain at least one special character (~!@#$%^&*()_+=-`;:|?/,.).
error.code.26=Authorization failed. User {0} does not have permission for this entity.
error.code.27=Invalid password specified.
error.code.30=Invalid license has been registered. Unable to complete request.
error.code.31=License limit has been exceeded. Unable to complete request.
error.code.32=Success. {Warning: Approaching license limit; you may need to upgrade your license.}
error.code.33=Unlimited license error.
error.code.34=Limited license error.
error.code.35=Failed to register error. Error code already defined.
error.code.36=Not authorized for updating the license. Permission required: setSystemProperty

Client Error Messages
error.code.400=Success.
error.code.401=Failed to authenticate with the Password Authority service.
error.code.402=Unable to establish connection with client daemon.
error.code.403=Not authorized (for client daemon).
error.code.404=Unable to establish connection with Password Authority Server.
error.code.405=No data found for specified target alias.
error.code.406=An error occurred; if this problem persists then please ask your Administrator to investigate.
error.code.407=Invalid parameters specified.
error.code.408=Missing required parameter: {0}
error.code.409=Unauthorized script name.
error.code.410=Unauthorized execution path.
error.code.411=Unauthorized execution user ID.
error.code.412=Unauthorized request server.
error.code.413=Error. Attempt to create a duplicate entry.
error.code.414=Invalid target server specified.
error.code.415=Invalid target application specified.
error.code.416=Invalid account specified.
error.code.417=Invalid request server specified.
error.code.418=Invalid script specified.
error.code.419=Invalid target alias specified.
error.code.420=Invalid host name specified.
error.code.421=Invalid IP address specified.
error.code.422=Invalid port number specified. Unable to connect.
error.code.423=Invalid execution path specified.
error.code.424=Invalid script type specified.

error.code.425=Invalid script name specified.
error.code.426=Invalid execution user ID specified.
error.code.427=Cannot update a new target alias.
error.code.428=Maximum length of target alias exceeded.
error.code.429=Application already exists for this server.
error.code.430=No patch found.
error.code.431=Patch found, but must be applied manually.
error.code.432=Patch has already been processed.
error.code.433=Privileged account cannot be used to create target alias.
error.code.434=Invalid username.
error.code.435=Invalid or no extension/application type specified.
error.code.436=Security exception. Script integrity check failed.
error.code.437=Security exception. Data tampering detected. Request denied.
error.code.438=Unauthorized request server. Fingerprint has changed.
error.code.439=Invalid XML definition.
error.code.440=Password Authority Windows Proxy operation failed.
error.code.441=Invalid file path specified.
error.code.442=Unsupported command specified.
error.code.446=Authorization mapping validation error. Invalid execution path specified for request script.
error.code.447=Authorization mapping validation error. Invalid file path specified for request script.
error.code.448=Authorization mapping validation error. Missing request script information.
error.code.449=Authorization mapping validation error. Missing hash value for request script.
error.code.450=Unsupported OS platform specified.
error.code.451=Command cannot be executed because the primary site is unavailable.
error.code.452=Primary site is unavailable. Any workflow tasks associated with the account's password view policy (dual authorization, change password, or checkin/checkout) have not been performed.
error.code.460=Data source has not been initialized.
error.code.461=Data source is not configured for clustering.
error.code.462=Connection with client daemon timed out.
error.code.463=Connection with Password Authority Server timed out.
error.code.464=No data found for specified User.
error.code.465=Invalid version specified.
error.code.466=Invalid proxy server specified.
error.code.467=Invalid proxy application specified.
error.code.468=Invalid proxy account specified.
error.code.469=Invalid request create date: {date}, address: {address}.
error.code.515=Invalid account password specified.
error.code.800=Invalid identifier, approver is suspended or database is unavailable.
error.code.801=Invalid status.
error.code.802=Approval process failure. Please ask your Administrator to investigate the issue.
error.code.803=Unable to verify success or failure. Please ask your Administrator to investigate the issue.
error.code.900=Invalid group ID.
error.code.901=Invalid group name.
error.code.902=Invalid filter ID.
error.code.903=Invalid filter name.
error.code.904=Invalid target group.
error.code.905=Invalid request group.
error.code.906=Invalid filter object class ID specified for a target group.
error.code.907=Invalid filter object class ID specified for a requestor group.
error.code.960=Delete failed. The role is in use by a user group.
error.code.970=Delete failed. The request server is in use by an authorization mapping.
error.code.971=Delete failed. The request server is in use by a request script.
error.code.980=Delete failed. The request script is in use by an authorization mapping.
error.code.990=Delete failed. The group is in use by a scheduled job.
error.code.991=Delete failed. The group is in use by an authorization mapping.
error.code.992=Delete failed. The group is in use by a user group.
error.code.993=Delete failed. No user group would leave users without user groups or roles.


error.code.1001=Delete failed. The target alias is in use by an authorization mapping.
error.code.1002=Invalid user ID.
error.code.1003=Invalid account password specified.
error.code.1004=Invalid target alias specified.
error.code.1005=Invalid account access type specified.
error.code.1006=Invalid account name specified.
error.code.1007=Invalid application name specified.
error.code.1008=Invalid cache duration specified.
error.code.1009=Cannot make account privileged with active target alias.
error.code.1010=Number of assigned user groups cannot exceed {0}.
error.code.1011=Duplicate host name.
error.code.1012=Duplicate IP address.
error.code.1013=Duplicate device name.
error.code.1015=Request server not found.
error.code.1016=Invalid request server ID specified.
error.code.1017=Invalid script authorization mapping ID specified.
error.code.1018=Invalid request script ID specified.
error.code.1019=Invalid target alias ID specified.
error.code.1020=Invalid target server specified.
error.code.1021=Invalid application specified.
error.code.1022=Invalid account ID specified.
error.code.1023=Invalid application type specified.
error.code.1024=Account password too long.
error.code.1025=Key has already been changed. Waiting for request server to accept new key.
error.code.1026=Invalid pending fingerprint value.
error.code.1027=Invalid account history ID.
error.code.1028=Invalid account history compromised flag.
error.code.1029=One or more user groups must be specified.
error.code.1030=Delete failed. The target server is in use by a target alias.
error.code.1031=Delete failed. The target application is in use by a target alias.
error.code.1033=Cannot change the request server for this request script. Existing authorizations reference this script.
error.code.1034=E-mail address length exceeded.
error.code.1035=The specified user is an approver of a password view policy and cannot be deleted.
error.code.1036=Cannot verify password for unsynchronized account.
error.code.1037=E-mail server/account has not been set.
error.code.1038=E-mail from address has not been set.
error.code.1039=Invalid Authentication Type.
error.code.1040=Invalid user view type specified. Valid values are admin or general.
error.code.1041=Delete account failed. Target account in use by other account(s).
error.code.1054=Delete account failed. Target account in use by other application(s).
error.code.1042=Delete account failed. Target account ID does not exist.
error.code.1043=Delete account failed. Target account is used for e-mails.
error.code.1044=The specified user is an email notifier of a password view policy and cannot be deleted.
error.code.1045=Failed to send email to one or more recipients.
error.code.1046=An error occurred sending the email.
error.code.1047=One click approval host name is not valid.
error.code.1048=Application error.
error.code.1049=User.userID parameter not specified.
error.code.1050=User.newUserID parameter not specified.
error.code.1051=User to be renamed does not exist.
error.code.1052=Error renaming user.
error.code.1053=User to be deleted not found.
error.code.1055=Failed to evaluate email template token {0} due to error: {1}
error.code.1056=User.gkUserId value must be an integer greater than 0.
error.code.1057=User.gkUserId parameter is mandatory for internal requests.
error.code.1058=User.gkUserId parameter is not allowed for external requests.


error.code.1059=The approver permission cannot be removed; the specified user is an approver of {0} password view policy(ies) and email notifier of {1} password view policy(ies).
error.code.1060=User.gkUserId authentication value is not valid.
error.code.1062=Application error. Attempt to create duplicate entry.
error.code.1063=Invalid page number. Page numbers start at 1.
error.code.1064=Target server not found.
error.code.1065=Target application not found.
error.code.1066=TargetAccount.userId value must be an integer greater than 0.
error.code.1067=Target account cannot be deleted because it is owned by a user.
error.code.1068=Target application cannot be deleted because it has target account(s) owned by user(s).
error.code.1069=Target server cannot be deleted because it has target account(s) owned by user(s).
error.code.1070=Could not generate Xsuite login token.
error.code.1071=Error sending message to Xsuite.
error.code.1072=Could not parse Xsuite response.
error.code.1073=Xsuite returned an error response.
error.code.1080=Database ID not specified.
error.code.1081=active parameter not specified, or is incorrect. Valid values are true or false.
error.code.1082=Specified database ID does not exist.
error.code.1083=An error occurred when updating the database cluster.
error.code.1084=At least one cluster member must remain active.
error.code.1085=Invalid synchronization strategy specified.
error.code.1086=Delete application failed. Target application in use by other application(s).
error.code.1087=Delete server failed. Target server in use by application(s).
error.code.1088=Delete account failed. Target account in use by password view policy(s).
error.code.1089=Delete application failed. Target application in use by password view policy(s).
error.code.1090=Delete server failed. Target server in use by password view policy(s).
error.code.1100=User email address is mandatory.
error.code.1101=User email address is invalid.
error.code.1102=Cannot assign user(s) for email notification if they are missing an email address.
error.code.1169=SQL error. Attempt to create duplicate entry.
error.code.1200=Report contains no data.
error.code.1201=Invalid format for start date.
error.code.1202=Invalid format for end date.
error.code.1203=List of report recipients not specified.
error.code.1204=Report dates not selected.
error.code.1205=Report result too large to attach to email.
error.code.1206=Invalid storage type.
error.code.1207=Storage: {FAILOVER | PRIMARY}
error.code.1208=Storage error
error.code.1300=Invalid host specified for LDAP authentication.
error.code.1301=Invalid port specified for LDAP authentication.
error.code.1302=Could not connect to LDAP Directory for authentication.
error.code.1303=Invalid LDAP certificate.
error.code.1304=Target application not specified.
error.code.1305=Account discovery has been disabled for this application type.
error.code.1306=Account discovery service class not found in target application configuration file.
error.code.1307=Proxy must be specified.
error.code.1308=Service host must be specified.
error.code.1309=Target account must be specified.
error.code.1310=List of discovered accounts must be specified.
error.code.1311=Target account details must be specified.
error.code.1312=Target application must be specified.
error.code.1313=Target account must be specified.
error.code.1314=Proxy must be specified.
error.code.1315=Service host must be specified.

Native Call Application Error Messages
error.code.1400=Application JNI error - maximum length exceeded.


error.code.1401=Application JNI error - null value.
error.code.1500=Maximum retries exceeded.
error.code.1501=No data found.
error.code.1502=A problem occurred during archive. Not all records were archived. Please run the command again.

Target Manager Error Messages
error.code.1600=Failed to synchronize password with target. If this problem persists then, please ask your Administrator to investigate.
error.code.1601=Failed to verify password with target. If this problem persists then, please ask your Administrator to investigate.
error.code.1602=Target server application is not responding!
error.code.1603=Insufficient permission to change password on target application.
error.code.1604=Authentication failed.
error.code.1605=Database driver class not found.
error.code.1606=Account is unsynchronized.
error.code.1607=Target Manager cannot store credential
error.code.1650=Unable to establish connection with target application!
error.code.1651=Remote host closed connection during handshake. Possible invalid SSL certificate or port.
error.code.1652=Invalid SSL Certificate.
error.code.1660=Lock timeout, unable to process request.
error.code.1661=Account update in progress, unable to process request.
error.code.1662=The view password module did not respond.

Role Error Messages
error.code.1700=Invalid role specified.
error.code.1701=Role is read-only.
error.code.1702=User status cannot be null.

Update User Password Error Messages
error.code.1703=Invalid user password specified.
error.code.1704=Invalid user authentication type.

Client Error Messages
error.code.1800=Client is unable to process the request.
error.code.1801=Unable to connect to client.
error.code.1802=Client internal error processing request.
error.code.1900=Invalid metric ID.

Batch Sequence Error Messages
error.code.1910=Invalid parameters.
error.code.1911=Invalid batch command.
error.code.1912=Unable to commit transaction in database.
error.code.1913=Unable to rollback transaction in database.
error.code.1914=Unable to start a transaction in database.
error.code.1920=Invalid start date
error.code.1921=Invalid end date
error.code.1922=Invalid result limit
error.code.1930=Unable to upgrade database. Unsupported minimum release.
error.code.1940=Another archive operation is in progress.
error.code.1950=Invalid file name.
error.code.1951=Invalid file path.
error.code.1952=Invalid file permissions.
error.code.1953=Invalid file size.
error.code.1954=Invalid version when running in FIPS mode.

Extension Manager: General Error Messages
error.code.2001=The password change process was not specified. The value assigned to the 'useOtherAccountToChangePassword' attribute must be 'true' or 'false'.
error.code.2002=An invalid port number was specified.
error.code.2003=An invalid Target Account ID was assigned to the 'otherAccount' attribute.
error.code.2006=An invalid Target Account ID was assigned to the 'otherPrivilegedAccount' attribute.
error.code.2007=The value assigned to the 'useOtherPrivilegedAccount' attribute must be 'true' or 'false'.

Extension Manager: Oracle Error Messages


error.code.2011=Invalid database name.

Extension Manager: UNIX Error Messages
error.code.2031=The specified other account has an incompatible protocol

LDAP Error Messages
error.code.2041=No LDAP DN specified.

Database Password Change Error Messages
error.code.2101=Invalid database username.
error.code.2102=Invalid database password.
error.code.2103=Invalid database host name.
error.code.2104=Invalid database user type.
error.code.2150=Failed to update database admin account.

Enable Change-Password-On-View Error Messages
error.code.2201=Invalid interval parameter.

Scheduling Error Messages
error.code.2301=Invalid schedule time.
error.code.2302=This job will never run, the specified start date/time is in the past.
error.code.2303=Failed to save job.
error.code.2304=A Job already exists with this name.

Constraint Error Messages
error.code.3000=Constraint manager parse error.
error.code.3100=Invalid target server parameters.
error.code.3200=Invalid target application parameters.
error.code.3201=Cannot add a target application of a deprecated type.

Account Error Messages
error.code.3300=Invalid parameters.
error.code.3301=Exceeded maximum length of access type parameter.
error.code.3302=Account username may not contain whitespace characters.
error.code.3303=Exceeded maximum length for username parameter.
error.code.3304=Exceeded maximum length for password parameter.
error.code.3305=The specified password view policy has "change password on view" enabled, but the account is unsynchronized.
error.code.3306=The specified password view policy ID is invalid.
error.code.3307=Duplicate compound servers are not allowed for compound account.
error.code.3308=Circular reference. Account cannot refer to itself for "other account".
error.code.3309=Target Server is not allowed to be added as compound server.
error.code.3310=Compound account must be added as unsynchronized.
error.code.3311=Servers are not specified for compound account.
error.code.3312=Target server cannot be specified as a compound server.
error.code.3313=Invalid target account ID.
error.code.3314=User does not have listOtherAccounts permission.
error.code.3315=The specified password view policy has "change password on SSO" enabled, but the account is unsynchronized.
error.code.3316=Cannot use a password view policy with change on connection end with unsynchronized account.
error.code.3317=Cannot use a password view policy with change on session end with unsynchronized account.
error.code.3350=Password and confirm password do not match.
error.code.3351=Account not specified.
error.code.3360=Cannot update account password of unsynchronized account.

Target Alias Error Messages
error.code.3400=Invalid parameters.
error.code.3401=Target alias name must consist only of characters [a-z A-Z 0-9 ~ \! @ \# $ % ^ . \: _ - + = \\ /].
error.code.3500=Invalid request server parameters.
error.code.3501=Request Server does not exist or has never connected to Password Authority Server.
error.code.3502=Connection status checking is not supported on light clients.
error.code.3503=Event polling is enabled or client port is invalid.
error.code.3504=Invalid status code received from client ping.
error.code.3505=Connection status checking is not supported on proxies.
error.code.3506=Proxy cannot be deleted because it is in use.


error.code.3507=Adding windows agent via CLI command is not supported in Xsuite.
error.code.3508=Add request server failed.
error.code.3600=Invalid script parameters.
error.code.3700=Invalid script authorization parameters.
error.code.3701=Invalid script authorization execution user maximum length exceeded.
error.code.3702=Invalid script. It is on a different client than the one specified.
error.code.3800=Invalid user parameters.

Role Error Messages
error.code.3900=Invalid parameters.
error.code.3901=Exceeded maximum length of role name.
error.code.3902=Role name must consist of characters [a-z, A-Z, 0-9].
error.code.3903=Invalid role name.
error.code.3904=Exceeded maximum length of role description.
error.code.3905=Role description must consist of characters [a-z, A-Z, 0-9].
error.code.3906=Invalid role ID.
error.code.3907=Role is read-only.

Group Error Messages
error.code.3950=Invalid parameters.
error.code.3951=Exceeded maximum length of group name.
error.code.3952=Group name must consist of characters [a-z, A-Z, 0-9].
error.code.3953=Invalid group name.
error.code.3954=Exceeded maximum length of group description.
error.code.3955=Group description must consist of characters [a-z, A-Z, 0-9].
error.code.3956=Invalid group ID specified.
error.code.3957=Invalid permission specified.
error.code.3958=Invalid object class ID.
error.code.3959=Group is read-only.
error.code.3960=Invalid group type.

User Group Error Messages
error.code.3970=Invalid parameters.
error.code.3971=Exceeded maximum length of user group name.
error.code.3972=User group name must consist of characters [a-z, A-Z, 0-9].
error.code.3973=Invalid user group name.
error.code.3974=Exceeded maximum length of user group description.
error.code.3975=User group description must consist of characters [a-z, A-Z, 0-9].
error.code.3976=Invalid user group ID.
error.code.3977=Invalid group IDs.
error.code.3978=Invalid role ID.
error.code.3979=User group is read-only.
error.code.3980=Invalid read only.

Report Error Messages
error.code.4000=Invalid parameters.

System Property Error Messages
error.code.4100=Invalid property name specified.
error.code.4101=Exceeded maximum length of property name.
error.code.4102=Property name must consist of characters [a-z, A-Z, 0-9].
error.code.4103=Invalid property value specified.

E-mail Properties Validation Error Messages
error.code.4105=Invalid e-mail target account.
error.code.4106=Invalid e-mail server host name.
error.code.4107=Invalid e-mail server port.
error.code.4108=Invalid e-mail address.
error.code.4109=Invalid e-mail subject.
error.code.4110=Invalid e-mail body.
error.code.4111=Invalid e-mail subject for update.
error.code.4112=Invalid e-mail body for update.
error.code.4113=Target account not specified.


error.code.4114=Requesting user not specified.
error.code.4115=Password view policy not specified.
error.code.4116=Password view request not specified.
error.code.4117=Approver not specified.

US 121 Messages
error.code.4118=Invalid e-mail subject for Password View.
error.code.4119=Invalid e-mail body for Password View.

US 120 Messages
error.code.4120=Invalid e-mail subject for Expired Password View Request.
error.code.4121=Invalid e-mail body for Expired Password View Request.
error.code.4122=Invalid e-mail subject for External Password Approvals.
error.code.4123=Invalid e-mail body for External Password Approvals.

US 91 Messages
error.code.4124=Invalid e-mail subject for Report Results.
error.code.4125=Invalid e-mail body for Report Results.
error.code.4126=Max User Group Limit cannot be more than 25.

Initial Property Error Messages
error.code.4150=Invalid property name specified.

Patch Error Messages
error.code.4200=Invalid patch ID.
error.code.4201=Invalid request server ID.
error.code.4202=Invalid patch detail ID.
error.code.4203=Invalid activate all flag.
error.code.4204=Patch already exists.
error.code.4205=Patch deployment disabled.
error.code.4206=Invalid Request Server connection status.
error.code.4207=Release now only supported for request servers of version 4.5.2 and up.

Password Policy Error Messages
error.code.4300=Invalid password policy ID.
error.code.4301=Invalid password policy name.
error.code.4302=Invalid password policy name.
error.code.4303=Exceeded maximum length of password policy name.
error.code.4304=Password policy name must consist of characters [a-z, A-Z, 0-9].
error.code.4305=Exceeded maximum length of password policy description.
error.code.4306=Password policy description must consist of characters [a-z, A-Z, 0-9].
error.code.4307=Invalid password policy type, this is a required value.
error.code.4308=Invalid password policy type value. Valid values [passwordPolicy].
error.code.4309=Password policy special characters cannot contain XML characters (> < & ' ").
error.code.4310=Password policy minimum length is too small.
error.code.4311=Password policy maximum length is too small.
error.code.4312=Minimum length must be less than the maximum length.
error.code.4313=Policy validation error.
error.code.4314=Password policy cannot be null.
error.code.4315=Repeats cannot be allowed if duplicates are disallowed.
error.code.4316=Select at least one character set in the 'Must Contain' category.
error.code.4317=Select at least one character set in the 'First Must Contain' category.
error.code.4318=First upper case character conflicts with no upper case characters anywhere.
error.code.4319=First lower case character conflicts with no lower case characters anywhere.
error.code.4320=First numeric character conflicts with no numeric characters anywhere.
error.code.4321=First special character conflicts with no special characters anywhere.
error.code.4322=Exclude characters, but none specified.
error.code.4323=Include special characters, but none specified.
error.code.4324=Include special first characters, but none specified.
error.code.4325=Invalid special characters were specified anywhere in the password.
error.code.4326=Invalid special characters were specified at the start of the password.
error.code.4327=Excluded special characters were specified anywhere in the password.
error.code.4328=Excluded special characters were specified at the start of the password.


error.code.4329=Some first special characters are not allowed anywhere in the password.
error.code.4330=No valid characters available. All have been excluded.
error.code.4331=No valid first characters available. All have been excluded.
error.code.4332=No valid first upper case characters available. All have been excluded.
error.code.4333=No valid first lower case characters available. All have been excluded.
error.code.4334=No valid first numeric characters available. All have been excluded.
error.code.4335=No valid first special characters available. All have been excluded.
error.code.4336=No valid upper case characters available. All have been excluded.
error.code.4337=No valid lower case characters available. All have been excluded.
error.code.4338=No valid numeric characters available. All have been excluded.
error.code.4339=No valid special characters available. All have been excluded.
error.code.4340=Password prefix contains excluded first character.
error.code.4341=Password prefix contains excluded characters.
error.code.4342=Password prefix cannot contain duplicate characters.
error.code.4343=Password prefix cannot contain repeating adjacent characters.
error.code.4344=Invalid policy type.
error.code.4345=Unrecognized policy type.
error.code.4346=Must specify a Policy ID or Name but not both.
error.code.4347=No policies were deleted.
error.code.4348=No policies were found.
error.code.4350=Specified password does not conform to the set password policy.
error.code.4351=Password policy could not be found for parent application.
error.code.4352=Failed to generate a password for the specified policy!
error.code.4353=Password does not meet the minimum length requirement.
error.code.4354=Password exceeds the maximum allowed length.
error.code.4355=Password does not contain any uppercase characters. See password policy.
error.code.4356=Password does not contain any lowercase case characters. See password policy.
error.code.4357=Password does not contain any numeric characters. See password policy.
error.code.4358=Password does not contain any special characters. See password policy.
error.code.4359=Password contains uppercase characters in contrast of password policy.
error.code.4360=Password contains lowercase characters in contrast of password policy.
error.code.4361=Password contains numeric characters in contrast of password policy.
error.code.4362=Password contains special characters prohibited by password composition policy.
error.code.4363=Password contains excluded first character. See password policy.
error.code.4364=Password contains excluded character. See password policy.
error.code.4365=Password prefix mismatch. See password policy.
error.code.4366=Password cannot contain duplicate characters. See password policy.
error.code.4367=Password cannot contain repeating adjacent characters. See password policy.
error.code.4368=Password cannot start with {#} pattern.
error.code.4369=Password cannot start with spaces.
error.code.4370=Password cannot end with spaces.
error.code.4371=Cannot reuse the existing password.
error.code.4372=Cannot reuse the last number of passwords specified in password policy.
error.code.4373=Cannot reuse a password from the last number of days specified in password policy.
error.code.4374=Need to add a required character of a specific type, but not enough characters available.
error.code.4375=Not enough characters available to avoid repeats.
error.code.4376=Password policy does not exist.
error.code.4377=Not enough characters available to avoid duplicates.
error.code.4401=Invalid minimum length specified.
error.code.4402=Invalid maximum length specified.
error.code.4403=Exceeded maximum length of password policy special characters list.
error.code.4404=Password policy special characters list must consist of characters [ \!"\#$%&()*+,-./\:;<\=>?[]^_{|}~ ].
error.code.4405=Invalid minimum iterations before password can be reused.
error.code.4406=Invalid minimum days before password can be reused.
error.code.4407=Invalid value for 'Must contain upper case characters' boolean.
error.code.4408=Invalid value for 'Must contain lower case characters' boolean.
error.code.4409=Invalid value for 'Must contain numeric characters' boolean.


error.code.4410=Invalid value for 'Must contain special characters' boolean. error.code.4411=Invalid value for 'First must contain upper case characters' boolean. error.code.4412=Invalid value for 'First must contain lower case characters' boolean. error.code.4413=Invalid value for 'First must contain numeric characters' boolean. error.code.4414=Invalid value for 'First must contain special characters' boolean. error.code.4415=Invalid value for 'Must not contain repeating characters' boolean. error.code.4416=Invalid value for 'Must not contain duplicates characters' boolean. error.code.4417=Invalid value for 'Must not contain characters' boolean. error.code.4418=Password policy is in use and cannot be deleted. error.code.4419=Invalid maximum password age specified. error.code.4420=Requestor ID is too long. error.code.4421=Requestor ID contains invalid characters. error.code.4422=Password view request status is too long. error.code.4423=Password view request status is invalid. error.code.4424=Approver ID is too long. error.code.4425=Approver ID contains invalid characters. error.code.4426=Request start date format is invalid. error.code.4427=Request end date format is invalid. error.code.4428=Checked out parameter is invalid. error.code.4429=Password view request ID is invalid. error.code.4431=Password view request is expired. error.code.4432=Password view request has already been approved. error.code.4433=Password view request has already been denied. error.code.4434=Password view request does not require approval. error.code.4435=You are not authorized to update this password view request. error.code.4436=The specified account ID is invalid. error.code.4437=You are not allowed to update your own password view request. error.code.4438=Reason must not exceed 256 characters. error.code.4439=Reason description must not exceed 1024 characters. error.code.4440=Password view request ID is invalid. error.code.4441=Unable to retrieve password view request identifier. 
error.code.4442=Invalid approver list specified. error.code.4443=Could not create password view request identifiers. error.code.4444=The Approval Reason can only be changed when approving or denying a request. error.code.4445=The Approval Reason Description can only be changed when approving or denying a request. error.code.4446=You are not authorized to expire this password view request. error.code.4447=SSO type value is not supported. Valid values are 'Any', 'WebBrowser', 'SSH', 'RDP', 'VNC', AWSAPI', 'NSXAPI', 'Telnet', or 'Other'. error.code.4500=Authentication module configuration error. error.code.4501=Authentication module not found. error.code.4502=Authentication XML invalid. error.code.4600=Password view policy name is invalid. error.code.4601=Password view policy name is too long. error.code.4602=Password view policy name contains invalid characters. error.code.4603=Password view policy description is too long. error.code.4604=Password view policy description contains invalid characters. error.code.4605=Invalid value for change password on view was specified. Valid values are "true" or "false". error.code.4606=Invalid value for change password interval was specified. Numeric value between 1 and 525600 must be specified. error.code.4607=Invalid value for checkout / checkin required was specified. Valid values are "true" or "false". error.code.4608=Invalid value for checkout / checkin interval was specified. Numeric value between 1 and 525600 must be specified. error.code.4609=Invalid value for dual authorization required was specified. Valid values are "true" or "false". error.code.4610=Invalid value for dual authorization interval was specified. Numeric value between 1 and 525600 must be specified. error.code.4611=Invalid PasswordViewPolicy.ID

Page 180: Symantec Privileged Access Manager 3 - NIAP-CCEVS

Annex A to Symantec Privileged Access Manager 3.3 Common Criteria Guidance Supplement

Doc No: 2090-000-D105 Version: 1.3 Date: 29 May 2020 Page A-173 of A-242

was specified.
error.code.4612=Approvers must be specified if dual authorization is enabled in the policy.
error.code.4613=Invalid list of approvers was specified.
error.code.4614=Password view policy is read-only.
error.code.4615=The specified password view policy name is already in use.
error.code.4616=Password view policy approvers are not able to access the target account(s) that use this policy.
error.code.4617=One or more of the approvers in this policy are unable to update password view requests.
error.code.4618=This account is checked out by another user.
error.code.4619=This account is checked out and cannot be updated.
error.code.4620=This account is checked out by a different user.
error.code.4621=You have this account checked out.
error.code.4622=The specified password view request does not exist.
error.code.4623=The password request dates specified are invalid.
error.code.4624=You have a pending request to view this account password that has not been approved yet.
error.code.4625=This account has dual authorization enabled. A request for authorization to view the password has been e-mailed to the approvers of this account on your behalf.
error.code.4626=Password view policy is in use and cannot be deleted.
error.code.4627=Your account password request has been approved, but you are outside the approval period.
error.code.4628=Password view policy has "change password on view" enabled, but the account is unsynchronized. Password will not be changed.
error.code.4629=The specified status is invalid. Allowed values for Dual Authorization are approved(1), denied(2), pending(3), expiredapproved (6), or expiredpending (8). For Check-out/ Check-in the values are checkout (4), checkedin (5).
error.code.4630=Invalid value for authentication required was specified. Valid values are "true" or "false".
error.code.4631=The above error occurred updating the account password, but the account has still been checked in.
error.code.4632=Cannot check out synchronized accounts that are unverified.
error.code.4633=Users must be specified if Email notification is enabled in the policy.
error.code.4634=Invalid value for email notification required was specified. Valid values are "true" or "false".
error.code.4635=Email notification failed to some of the Users.
error.code.4636=Checkin/checkout interval should be less than or equal to Dual authorization interval.
error.code.4637=Start and/or end date is outside the maximum allowable request period. Requests cannot be made more than {0} days in the future.
error.code.4638=Max duration is {0} minutes.
error.code.4639=Invalid Enable One Click Approval Value.
error.code.4640=The default password view request interval must be equal or less than the maximum password view request interval.
error.code.4641=Missing start date parameter.
error.code.4642=Missing end date parameter.
error.code.4643=Start date must not be in the past by up to 10 minutes.
error.code.4644=End date must not be in the past.
error.code.4645=Start date must be before end date.
error.code.4646=Start date cannot be the same as end date.
error.code.4647=Start date is beyond view password policy max interval days.
error.code.4648=End date is beyond view password policy max interval minutes.
error.code.4649=SSO type parameter not allowed for external CLI requests.
error.code.4650=The specified account does not define any services.
error.code.4651=The specified account is not a Windows domain service account.
error.code.4652=Error communicating with proxy.
error.code.4653=Invalid domain specified.
error.code.4654=Failed to connect to Password Authority Windows Proxy.
error.code.4655=Computer name is invalid.
error.code.4656=The operation is allowed only on the primary domain controller of the domain.
error.code.4657=Username could not be found.
error.code.4658=Windows password is too short.
error.code.4659=Validation failed. Password is invalid.
error.code.4660=Could not find the domain controller for the domain.

error.code.4661=Unable to update the password. The provided new password does not meet the length, complexity, or history requirement of the domain.
error.code.4662=Login failure: unknown username or bad password.
error.code.4663=Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.
error.code.4664=The specified network account name or password is not correct.
error.code.4664=The specified network account name or password is not correct.
error.code.4665=Password Authority Windows Proxy is not active.
error.code.4666=Password Authority Windows Proxy is not responding.
error.code.4667=Failed to update the services.
error.code.4668=Password Authority Windows Proxy reports invalid operation.
error.code.4669=Password Authority Windows Proxy has never registered.
error.code.4670=The specified service does not exist as an installed service.
error.code.4671=Password Authority Windows Proxy error - Invalid handle.
error.code.4672=Password Authority Windows Proxy error - Specified database does not exist.
error.code.4673=Password Authority Windows Proxy error - Data area passed to a system call is too small.
error.code.4674=Could not connect to server.
error.code.4675=Password verification failed. Failed to connect to user account.
error.code.4676=Password verification failed. Failed to set security.
error.code.4677=No such login session.
error.code.4678=Bad net path.
error.code.4679=Service rollback failed.
error.code.4680=Service rollback successful.
error.code.4681=Proxy unable to access host.
error.code.4682=Invalid operation at proxy.
error.code.4683=Service login failed.
error.code.4684=Could not find any domain controllers.
error.code.4685=No proxies are defined for the target application.
error.code.4686=Account is locked out.
error.code.4690=Password request is only approved for View (not Auto-Connect).
error.code.4691=Password request is only approved for Auto-Connect (not View).
error.code.4692=Password request is only approved for different Auto-Connect type.
error.code.4693=Invalid value for "Reason Required For View" was specified. Valid values are "true" or "false".
error.code.4694=Invalid value for "Reason Required For Auto-Connect" was specified. Valid values are "true" or "false".
error.code.4695=Invalid Service Desk Type specified.
error.code.4696=Reason Required For View and Reason Required For Auto-Connect are required when Service Desk integration is specified.
error.code.4698=Password view policy has "Change Password on Auto-Connect" enabled, but the account is unsynchronized. Password will not be changed.
error.code.4699=Invalid value for allow "Change Password on Auto-Connect" was specified. Valid values are "true" or "false".
error.code.4700=Crypto Application error.
error.code.4701=Failed to find crypto provider class.
error.code.4702=Failed to instantiate crypto provider class.
error.code.4703=Failed to retrieve server encryption key.
error.code.4704=Failed to set server encryption key.
error.code.4705=Failed to generate a server key.
error.code.4706=Failed to decrypt ciphertext.
error.code.4707=Failed to encrypt cleartext.
error.code.4708=Failed to retrieve current server key.
error.code.4709=Application error - Object does not contain cspm_serverkey attribute.
error.code.4710=Need to decrypt prior to encrypting.
error.code.4711=Key change in progress
error.code.4712=Invalid key
error.code.4800=Invalid interval for change password.
error.code.4801=Invalid List Page Size.

error.code.4850=Auto-Connect validation unknown error.
error.code.4851=Auto-Connect validation permission error.
error.code.4852=Auto-Connect validation rollback error.
error.code.4853=Auto-Connect invocation unknown error.
error.code.4854=Auto-Connect invocation permission error.
error.code.4855=Auto-Connect invocation rollback error.
error.code.4856=Auto-Connect denied by target connector.
error.code.4857=Auto-Connect user does not match target account.
error.code.4858=Auto-Connect parameter is missing.
error.code.4859=Auto-Connect parameter is not editable.
error.code.4860=Auto-Connect port range is 1-65535.
error.code.4861=Auto-Connect denied by target application.
error.code.4862=Auto-Connect SSO type unknown for target application.
error.code.4900=Must specify site name, site type and host name.
error.code.4901=Must specify one of site name, site type, or host name.
error.code.4902=Only one primary site can be provisioned in the system.
error.code.4903=A site with the specified name already exists.
error.code.4904=The specified site is not in the database.
error.code.4905=The site ID to delete was not specified.
error.code.4906=The specified site type is invalid.
error.code.4907=The site ID to update was not specified.
error.code.4908=Only this site can be set as the primary site.
error.code.4909=Failed to retrieve local site information.
error.code.4910=Failed to retrieve local site name.
error.code.4911=Cannot provision a secondary site until the primary site has been provisioned.
error.code.4912=Primary site cannot be deleted while secondary sites exist.
error.code.4913=No changes to the primary site may be performed.
error.code.4950=An error occurred during replication; please ask your Administrator to investigate.
error.code.4951=Secondary site out of sync with primary. Secondary site has higher replication record than primary.
error.code.4952=Secondary site does not have minimum replication record.
error.code.4953=Primary site error while processing secondary site request (serialization).
error.code.4954=Primary site error while processing secondary site request (I/O).
error.code.4955=Primary site error while processing secondary site request (class not found).
error.code.4956=Primary site error while processing secondary site request (execute command request).
error.code.4957=Primary site error while processing secondary site request (proxy command requests).
error.code.4960=Host name checking has not been disabled.
error.code.4965=The Row Limit provided is invalid.
error.code.4970= Password View Request Delete Interval Days is invalid.
error.code.4980=The client is offline.
error.code.4981=Unable to confirm whether or not the client is online.
error.code.4982=The client is online.
error.code.4984=Invalid current password specified.
error.code.4985=The password confirm field doesn't match the new password.
error.code.4986=The new password is the same as current password.
error.code.4997=Invalid URL characters
error.code.4998=URL maximum length exceeded
error.code.4999=Cannot invoke command from remote host: {s}

Error Code Messages Common to Multiple Target Connectors and Authenticators

error.code.5000=Account is disabled
error.code.5001=Account is locked
error.code.5002=Account's password is expired on target
error.code.5003=Account is expired
error.code.5004=Must reset the password
error.code.5005=Account not found
error.code.5006=Not permitted to logon from workstation
error.code.5050=Internal target connector error.
error.code.5051=Change process not specified.

error.code.5052=No agent specified.
error.code.5053=Invalid domain specified.
error.code.5054=Failed to connect to agent.
error.code.5055=The computer name is invalid.
error.code.5056=The operation is allowed only on the primary domain controller of the domain.
error.code.5057=The user name could not be found.
error.code.5058=Password error. (The password could be too short, be too long, be too recent in its change history, not have enough unique characters, or not meet another password policy requirement.).
error.code.5059=Validation failed. The password is invalid.
error.code.5060=Could not find the domain controller for the domain.
error.code.5061=Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.
error.code.5062=Logon failure: unknown user name or bad password.
error.code.5063=Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.
error.code.5064=The specified network account name or password is not correct.
error.code.5064=The specified network account name or password is not correct.
error.code.5065=The CSPM Windows Agent is not active.
error.code.5066=The CSPM Windows Agent is not responding.
error.code.5067=Failed to update the services.
error.code.5068=Agent reports invalid operation.
error.code.5069=Agent has never registered.
error.code.5070=The specified service does not exist as an installed service.
error.code.5071=Agent error - Invalid handle.
error.code.5072=Agent error - The specified database does not exist.
error.code.5073=Agent error - The data area passed to a system call is too small.
error.code.5074=The RPC server is unavailable.
error.code.5075=Password verification failed. Failed to connect to user account.
error.code.5076=Password verification failed. Failed to set security.
error.code.5077=No such login session.
error.code.5078=Bad net path.
error.code.5079=Service rollback failed.
error.code.5080=Service rollback successful.
error.code.5081=Host name and service name must have 1 to 100 characters and must not contain special characters.
error.code.5082=Force password change attribute is incorrect.
error.code.5083=Administrator account not specified.
error.code.5100=An unknown error occurred. Review the log file for further information or else contact your Administrator.
error.code.5101=Failed to load the default or revised update script file.
error.code.5102=Failed to load the default or revised verify script file.
error.code.5103=Failed to update the account credentials. Review the log file for further information or else contact your Administrator.
error.code.5104=Failed to verify the account credentials. Review the log file for further information or else contact your Administrator.
error.code.5105=Cannot use another account's credentials to verify this account's credentials; the operation is not supported.
error.code.5106=Failed to enter into privileged EXEC mode. Review the log file for further information or else contact your Administrator.
error.code.5107=Failed to commit running configuration; the password has changed in running configuration only. Review the log file for further information or else contact your Administrator.
error.code.5108=Failed to restore running configuration from start up configuration. Review the log file for further information or else contact your Administrator.
error.code.5110=The private key is missing from the request.
error.code.5111=An invalid private key was specified.
error.code.5112=The public key is missing from the request.
error.code.5113=An invalid public key was specified.

error.code.5120=An invalid Cisco variant was specified.
error.code.5121=Must specify a host key.
error.code.5122=An invalid SSH port number was specified; the value must be in the range 0.65535.
error.code.5123=The value assigned to the 'sshUseDefaultKeyExchangeAlgorithms' attribute must be 'true' or 'false'.
error.code.5124=Must NOT specify list of key exchange algorithms because default algorithms will be used instead.
error.code.5125=The value assigned to the 'sshUseDefaultCompressionAlgorithms' attribute must be 'true' or 'false'.
error.code.5126=Must NOT specify list of compression algorithms because default algorithms will be used instead.
error.code.5127=The value assigned to the 'sshUseDefaultServerHostKeyAlgorithms' attribute must be 'true' or 'false'.
error.code.5128=Must NOT specify list of server host key algorithms because default algorithms will be used instead.
error.code.5129=An invalid Telnet port number was specified; the value must be in the range 0.65535.
error.code.5130=An invalid SSH communication timeout was specified; the value must be in the range 1000.99999.
error.code.5132=An invalid script processor read timeout was specified; the value must be in the range 1000.59999.
error.code.5133=The value assigned to the 'sshStrictHostKeyCheckingEnabled' attribute must be 'true' or 'false'.
error.code.5135=The value assigned to the 'useUpdateScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
error.code.5136=The value assigned to the 'useVerifyScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
error.code.5137=The value assigned to the 'sshUseDefaultCiphers' attribute must be 'true' or 'false'.
error.code.5138=Must NOT specify list of ciphers because default ciphers will be used instead.
error.code.5139=An invalid Telnet communication timeout was specified; the value must be in the range 1000.99999.
error.code.5140=The value assigned to the 'sshUseDefaultHashes' attribute must be 'true' or 'false'.
error.code.5141=Must NOT specify list of hashes because default ciphers will be used instead.
error.code.5170=An invalid protocol was specified.
error.code.5171=Must specify a protocol.
error.code.5172=Must specify a password type.
error.code.5173=The value assigned to the 'pwType' attribute must be 'user' or 'privileged'.
error.code.5174=Must specify whether or not to change the AUX password.
error.code.5175=The value assigned to the 'changeAuxLoginPassword' must be 'true' or 'false'.
error.code.5176=Must specify whether or not the change the Console password.
error.code.5177=The value assigned to the 'changeConsoleLoginPassword' must be 'true' or 'false'.
error.code.5178=Must specify whether or not to change the VTY password.
error.code.5179=The value assigned to the 'changeVtyLoginPassword' must be 'true' or 'false'.
error.code.5180=Must specify the number of VTY ports.
error.code.5181=The value assigned to the 'numVTYPorts' attribute must be an integer in the range 1.15.
error.code.5200=An unknown error occurred. Review the log file for further information or else contact your Administrator.
error.code.5240=Change process not specified.
error.code.5241=Must specify an 'other account'.
error.code.5242=Must specify whether the account will be verified through another account.
error.code.5243=The value assigned to the 'verifyThroughOtherAccount' attribute must be 'true' or 'false'.
error.code.5250=An unknown error occurred. Review the log file for further information or else contact your Administrator.
error.code.5251=An invalid LDAP connect timeout was specified; the value must be in the range 1000.99999.
error.code.5252=An invalid LDAP read timeout was specified; the value must be in the range 1000.99999.
error.code.5253=Must specify a protocol.
error.code.5254=An invalid protocol was specified.
error.code.5255=An invalid port number was specified; the value must be in the range 0.65535.
error.code.5256=You must specify an SSL certificate.
error.code.5301=An invalid port number was specified; the value must be in the range 0.65535.
error.code.5302=Schema not specified.
error.code.5303=Change process not specified.
error.code.5304=Incorrect value specified for racService attribute. Valid values are true or false.
error.code.5305=Incorrect value specified for sysdbaAccount attribute. Valid values are true or false.
error.code.5306=Incorrect value specified for replaceSyntax attribute. Valid values are true or false.
error.code.5307=Invalid value for SSL Enabled.
error.code.5308=Invalid Crystal Reports database list specified.

error.code.5310=Failed to synchronize/verify account. See logs for details.
error.code.5311=Account locked.
error.code.5312=Failed to connect to host.
error.code.5313=Invalid schema/SID specified.
error.code.5314=Failed to synchronize/verify account. Login failed.
error.code.5315=Failed to synchronize Crystal Reports credentials. See logs for details.
error.code.5500=Invalid port number.
error.code.5501=Change process not specified.
error.code.5502=Invalid value for SSL Enabled.
error.code.5510=Failed to synchronize/verify account. See logs for details.
error.code.5511=Failed to connect to database. Connection refused.
error.code.5512=Failed to connect to database. Unknown host.
error.code.5513=Communication failure. The target server must be SQL Server 2000 or later.
error.code.5514=Invalid character in password. Single quotation mark (') is not a valid password character.
error.code.5515=Failed to connect to database. Login failed.
error.code.5500=Invalid port number.
error.code.5501=Change process not specified.
error.code.5504=Invalid Crystal Reports Server host name specified.
error.code.5505=Invalid Crystal Reports Server port specified.
error.code.5506=Invalid Crystal Reports Server application name specified.
error.code.5507=Invalid Crystal Reports Server account name specified.
error.code.5508=Invalid Crystal Reports database list specified.
error.code.5510=Failed to synchronize/verify account. See logs for details.
error.code.5511=Failed to connect to database. Connection refused.
error.code.5512=Failed to connect to database. Unknown host.
error.code.5513=Communication failure. The target server must be SQL Server 2000 or later.
error.code.5514=Invalid character in password. Single quotation mark (') is not a valid password character.
error.code.5515=Failed to synchronize Crystal Reports credentials. See logs for details.
error.code.5550=Domain name must be specified.
error.code.5551=Cannot retrieve Distinguished Name (DN).
error.code.5552=Distinguished Name (DN) must be specified.
error.code.5553=Cannot retrieve list of DNS servers.
error.code.5554=Could not find any host name.
error.code.5555=Cannot connect to a domain controller on specified domain.
error.code.5556=Value for 'getDNS' attribute must be specified.
error.code.5557=Unknown option specified for protocol.
error.code.5558=SSL certificate must be specified.
error.code.5559=Value for 'useDN' attribute must be specified.
error.code.5560=Invalid value for 'appendDC' attribute.
error.code.5330=Change process not specified.
error.code.5331=An 'other account' must be specified.
error.code.5340=Unable to verify the password due to an error.
error.code.5341=Unable to verify the password because the account is locked.
error.code.5342=Unable to verify the password; failed to connect to the target server.
error.code.5343=Verification failed because the password was not accepted.
error.code.5344=Unable to update the password due to an error.
error.code.5401=Invalid port specified.
error.code.5402=Change process not specified.
error.code.5403=Invalid value for SSL Enabled.
error.code.5410=Failed to synchronize/verify account. See logs for details.
error.code.5411=Failed to connect to database.
error.code.5412=Failed to synchronize/verify account. Login failed.
error.code.5450=Failed to synchronize/verify account. See logs for details.
error.code.5451=Failed to connect to host.
error.code.5601=Invalid port specified in target application for update script.
error.code.5602=Invalid login account specified in target application.
error.code.5603=Expect script for updating not specified in target application.

error.code.5604=Invalid timeout value specified for update script in target application.
error.code.5605=Invalid port specified in target application for verify script.
error.code.5606=Expect script for verification not specified in target application.
error.code.5607=Invalid timeout value specified for verify script in target application.
error.code.5610=Failed to connect to host.
error.code.5611=Failed to synchronize.
error.code.5612=Unexpected error.
error.code.5650=Invalid port specified.
error.code.5651=Database name not specified.
error.code.5652=Change process not specified.
error.code.5670=Failed to synchronize/verify account. See logs for details.
error.code.5671=Failed to connect to host.
error.code.5672=Failed to synchronize/verify account. Login failed.
error.code.5750=Domain name must be specified.
error.code.5751=Distinguished Name (DN) must be specified.
error.code.5753=Cannot connect to a domain controller on the specified domain.
error.code.5754=Certificate cannot be retrieved from the domain controller.
error.code.5755=Error storing certificate in certificate store.
error.code.5756=Proxy host name is invalid:.
error.code.5757=Error updating service credentials. See log for more information.
error.code.5758=Services could not be restarted.
error.code.5759=Error updating password in Active Directory. Service credentials for this account (if any) were not updated.
error.code.5760=Error verifying services.
error.code.5761=Cannot retrieve DNS host name(s).
error.code.5762=Unknown option specified for "useDNS" attribute.
error.code.5763=DNS server name not specified.
error.code.5764=Distinguished Name (DN) must be specified.
error.code.5765=Failed to update the services.
error.code.5766=Invalid boolean value for Disable Auto-Connect Target Account.
error.code.5767=Domain controller's root distinguished name could not be found.
error.code.5768=One or more groups could not be found on domain controller.
error.code.5769=An error occurred when discovering accounts on the domain controller.
error.code.5770=Group names not specified.
error.code.5771=Login account not specified.
error.code.5772=Error updating task credentials. See log for more information.
error.code.5773=An invalid LDAP connect timeout was specified; the value must be in the range 1000.99999.
error.code.5774=An invalid LDAP read timeout was specified; the value must be in the range 1000.99999.

Error Code Messages for Remedy Target Manager Connector (5800 through 5819)

error.code.5800=Change process not specified.
error.code.5801=Change process not specified.
error.code.5802=Internal target connector error.
error.code.5803=Failed to synchronize password with target.
error.code.5804=Failed to verify password with target.
error.code.5805=Remedy server specified in the target application could not be found.
error.code.5806=A port must be specified.
error.code.5807=A BMCRemedyClientURL must be specified.
error.code.5808=Required Remedy licensed files could not be found.
error.code.5809=Could not log into Remedy server.
error.code.5820=Failed to verify account in CSPM.
error.code.5821=Failed to update account in CSPM.
error.code.5822=Account password does not adhere to password policy.
error.code.5823=User not found.
error.code.5824=User uses external authentication. Password cannot be updated.
error.code.5825=Failed to connect to CSPM Server.
error.code.5850=System Number not specified.
error.code.5851=Invalid numeric value for System Number.

error.code.5852=Client not specified.
error.code.5853=Invalid numeric value for Client.
error.code.5854=Additional Parameters must be a list of name=value pairs separated by semicolon.
error.code.5860=Internal target connector error.
error.code.5861=Failed to synchronize password with target.
error.code.5862=Failed to verify password with target.
error.code.5863=Failed to load native library.
error.code.5864=Failed to connect to target system. Communication error.
error.code.5865=BAPI User Change Function not found.
error.code.5866=BAPI User Change Password Function not found.
error.code.5867=Login Failure. See logs for details.
error.code.5900=Telnet host name not specified.
error.code.5901=Invalid port.
error.code.5902=Invalid login account specified in target application.
error.code.5903=Java not specified.
error.code.5910=Failed to connect to host.
error.code.5911=Failed to synchronize.
error.code.5912=Unexpected error.
error.code.5913=Script evaluation error. See logs for details.
error.code.5950=Invalid port number.
error.code.5951=Change process not specified.
error.code.5954=Invalid Crystal Reports Server host name specified.
error.code.5955=Invalid Crystal Reports Server port specified.
error.code.5956=Invalid Crystal Reports Server application name specified.
error.code.5957=Invalid Crystal Reports Server account name specified.
error.code.5958=Invalid Crystal Reports database list specified.
error.code.5959=Invalid database port specified.
error.code.5960=Invalid database specified.
error.code.5961=Invalid port specified.
error.code.5962=Invalid value for 'isRootAccount'.
error.code.5963=An invalid SSH communication timeout was specified; the value must be in the range 1000.99999.
error.code.5964=An invalid script processor read timeout was specified; the value must be in the range 1000.59999.
error.code.5965=The value assigned to the 'sshStrictHostKeyCheckingEnabled' attribute must be 'true' or 'false'.
error.code.5966=An invalid UID/GID number was specified; the value must be in the range 0.65535.
error.code.5973=Failed to synchronize Crystal Reports credentials. See logs for details.
error.code.5976=Must specify whether the account will be verified through another account.
error.code.5977=The value assigned to the 'verifyThroughOtherAccount' attribute must be 'true' or 'false'.
error.code.5979=The value assigned to the 'useUpdateScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
error.code.5982=The value assigned to the 'useVerifyScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
error.code.5984=Must specify an 'other account'.
error.code.5986=Must specify a protocol.
error.code.5987=The value assigned to the 'sshUseDefaultCiphers' attribute must be 'true' or 'false'.
error.code.5988=Must NOT specify list of ciphers because default ciphers will be used instead.
error.code.5989=The value assigned to the 'enableChannelDebugging' attribute must be 'true' or 'false'.
error.code.5990=An invalid Telnet communication timeout was specified; the value must be in the range 1000.99999.
error.code.5995=Failed to update the account credentials. Review the log file for further information or else contact your Administrator.
error.code.5996=Failed to verify the account credentials. Review the log file for further information or else contact your Administrator.
error.code.5997=The value assigned to the 'sshUseDefaultHashes' attribute must be 'true' or 'false'.
error.code.5998=Must NOT specify list of hashes because default ciphers will be used instead.
error.code.6000=Invalid port specified.
error.code.6001=Change process not specified.
error.code.6002=Database name not specified.
error.code.6003=Invalid host_name qualifier.

error.code.6004=Max length exceeded for field sampleProperty.
error.code.6005=Field useOtherAccount is mandatory.
error.code.6006=SampleProperty is mandatory.
error.code.6007=Max length exceeded for field sampleProperty.
error.code.6008=Custom error message.
error.code.6010=Failed to synchronize/verify account. See logs for details.
error.code.6011=Account locked.
error.code.6012=Failed to connect to host.
error.code.6013=Failed to synchronize/verify account. Login failed.
error.code.6014=Failed to update account. Access violation for account. Check target server or host_name qualifier.
error.code.6101=A Credential Type must be specified.
error.code.6102=An unrecognized Credential Type was specified.
error.code.6103=A Secret Access Key is required.
error.code.6104=The Access Key ID must be composed with upper case letters, digits and must be 20 characters in length.
error.code.6105=The Secret Access Key must composed with alphanumeric, "+", "/" characters and must be 40 characters in length.
error.code.6106=The uploaded EC2 Private Key file does not contain a PEM-formatted certificate.
error.code.6107=An Access Key ID is required.
error.code.6108=An X.509 certificate file name is required.
error.code.6109=The X.509 certificate file name must match the pattern "pk-[A-Z0-9]{32}.pem". Example: " pk-4QUDAEWQENET2S22ABOOJ4BMUN6AUZY5.pem".
error.code.6110=A PEM-formatted certificate file containing the EC2 Private Key must be uploaded.
error.code.6111=An EC2 Instance User Name is required.
error.code.6113=The IAM User Name is formatted incorrectly.
error.code.6114=A Key Pair Name may be specified only when the Credential Type is EC2 Private Key.
error.code.6115=A Key Pair Name is required.
error.code.6116=The EC2 Instance User Name is formatted incorrectly or it contains the disallowed "@" character.
error.code.6117=The Key Pair Name may not contain the "@" character.
error.code.6118=An User Friendly Account Name is required.
error.code.6119=Duplicated User Friendly Account Name.
error.code.6120=Maximum length of AWS access role name exceeded.
error.code.6121=AWS access role name only allows alphanumeric and '+=,.@-' characters.
error.code.6122=The AWS Cloud Type must be specified.
error.code.6123=The maximum length of AWS Cloud Type exceeded.
error.code.6124=The valid AWS Cloud Type is government or commercial.
error.code.6125=Failed update AWS Access credentials. Please contact your Administrator.
error.code.6126=Failed verify AWS Access credentials. Please contact your Administrator.
error.code.6130=An unknown error occurred. Review the log file for further information or else contact your Administrator.
error.code.6131=Attempted to create resources beyond the current AWS account limits. Please contact your system administrator.
error.code.6132=AWS Key Pair can be changed only by random generation.
error.code.6201=AWS Master Account Name is an email address.
error.code.6280=Invalid or missing port number.
error.code.6301=Domain not specified.
error.code.6302=Invalid port number.
error.code.6303=Login account not found. Check login info specified in nisConnector.properties.
error.code.6311=Failed to connect to host.
error.code.6312=Failed to initialize change password process.
error.code.6313=Password update failed.
error.code.6314=Password verify failed.
error.code.6315=Failed to load nisConnector.properties file.
error.code.6316=Invalid Verify Timeout specified in nisConnector.properties file.
error.code.6317=Invalid Update Timeout specified in nisConnector.properties file.
error.code.6401=Invalid port specified.
error.code.6402=Realm not specified.

error.code.6403=Change process not specified.
error.code.6410=Failed to synchronize/verify account. See logs for details.
error.code.6411=Invalid account specified.
error.code.6412=Failed to connect to host.
error.code.6413=Invalid Realm specified.
error.code.6414=Failed to synchronize/verify account. Login failed.
error.code.6450=Invalid or missing port number.
error.code.6451=Change process not specified.
error.code.6452=Invalid value specified for the disableAutoConnectTargetAccount parameter.
error.code.6470=Cannot connect to ESX/ESXi host.
error.code.6471=Invalid login, username or password is incorrect.
error.code.6472=No permission to update credentials.
error.code.6473=User not found.
error.code.6474=Remote system error.
error.code.6475=Invalid request.
error.code.6476=User not authenticated.
error.code.6477=Remote security error.
error.code.6500=An SSH port number must be specified.
error.code.6501=A connection timeout must be specified.
error.code.6502=A read timeout must be specified.
error.code.6503=Invalid change process specified.
error.code.6504=An invalid connection timeout value was specified.
error.code.6505=An invalid read timeout value was specified.
error.code.6506=An invalid SSH port number was specified.
error.code.6525=Failed to verify account.
error.code.6526=Failed to update account.
error.code.6527=An unknown error occurred; please consult the server log or contact your Administrator.
error.code.6528=User not found.
error.code.6529=Failed to update password; the target device is currently in use by another user.
error.code.6530=Failed to connect to the target device; a timeout occurred while waiting to connect.
error.code.6531=Failed to authenticate to the target device due to invalid credentials.
error.code.6532=A communications error occurred while receiving data from the target device.
error.code.6533=User has insufficient permissions.
error.code.6551=An unknown error occurred. Review the log file for further information or else contact your Administrator.
error.code.6552=Failed to load the default or revised update script file.
error.code.6553=Failed to load the default or revised verify script file.
error.code.6554=Failed to update account credentials. Review the log file for further information or else contact your Administrator.
error.code.6555=Failed to verify account credentials. Review the log file for further information or else contact your Administrator.
error.code.6580=An invalid SSH port number was specified; the value must be in the range 0.65535.
error.code.6600=An unknown error occurred. Review the log file for further information or else contact your Administrator.
error.code.6601=Failed to load the default or revised update script file.
error.code.6602=Failed to load the default or revised verify script file.
error.code.6603=Failed to enter privilege mode. Review the log file for further information or else contact your Administrator.
error.code.6604=Failed to update account credentials. Review the log file for further information or else contact your Administrator.
error.code.6605=Failed to enter configuration mode. Please try again. If problem persist contact your Administrator.
error.code.6606=Failed to verify account credentials. Review the log file for further information or else contact your Administrator.
error.code.6630=An invalid SSH port number was specified; the value must be in the range 0.65535.
error.code.6660=An unknown error occurred. Review the log file for further information or else contact your Administrator.
error.code.6670=Failed update AWS account credentials. Please contact your Administrator.

error.code.6671=Failed verify AWS account credentials. Please contact your Administrator.
error.code.6672=Password did not meet the requirements imposed by the account password policy. Please contact your Administrator.
error.code.6673=Account is temporarily unmodifiable. Please try again after waiting several minutes or contact your Administrator.
error.code.6674=Current account does not exist. Please contact your Administrator.
error.code.6675=Trying to create resources beyond the current AWS account limits. Please contact your Administrator.
error.code.6680=AWS Access Account must be specified.
error.code.6700=An unknown error occurred. Review the log file for further information or else contact your Administrator.
error.code.6701=Failed to load the default or revised update script file.
error.code.6702=Failed to load the default or revised verify script file.
error.code.6703=Failed to update account credentials. Review the log file for further information or else contact your Administrator.
error.code.6704=Failed to verify account credentials. Review the log file for further information or else contact your Administrator.
error.code.6705=Cannot verify account's credentials for non Privilege account type; the operation is not supported.
error.code.6706=Cannot update account's credentials for non Privilege account type; the operation is not supported.
error.code.6707=Cannot change password. Please enter a password with 1 to 15 characters.
error.code.6720=An invalid SSH port number was specified; the value must be in the range 0.65535.
error.code.6721=An invalid SSH communication timeout was specified; the value must be in the range 1000.99999.
error.code.6722=An invalid script processor read timeout was specified; the value must be in the range 1000.59999.
error.code.6723=The value assigned to the 'useUpdateScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
error.code.6724=The value assigned to the 'useVerifyScriptType' attribute must be 'DEFAULT', 'REVISED' or 'REPLACEMENT'.
error.code.8001=LDAP authentication module configuration error.
error.code.8002=LDAP authentication module configuration error.
error.code.8003=LDAP authentication module configuration error.
error.code.8004=LDAP authentication module configuration error.
error.code.8005=LDAP authentication module configuration error.
error.code.8006=Failed to connect to LDAP server.
error.code.8007=LDAP authentication module commit error.
error.code.8008=LDAP authentication failed.
error.code.8009=LDAP authentication failed.
error.code.8201=Kerberos authentication module configuration error.
error.code.8202=Kerberos authentication module error - clock skew too great.
error.code.8203=Kerberos authentication module error - Communication Timeout.
error.code.8204=Kerberos authentication module configuration error.
error.code.8205=Kerberos authentication module configuration error.
error.code.8301=X509 authentication module invalid credentials.
error.code.8302=X509 authentication module error - expired certificate.
error.code.8303=X509 authentication module error - certificate not yet valid.
error.code.8304=X509 authentication module error - certificate revoked.
error.code.8305=X509 authentication module error - root CA invalid.
error.code.8306=X509 authentication module error - invalid certificate signature.
error.code.8307=X509 authentication module error - invalid configuration.
error.code.8308=X509 authentication module error - invalid certificate store file.
error.code.8309=X509 authentication module error - invalid certificate store.
error.code.8310=X509 authentication module error - invalid LDAP port.
error.code.8311=X509 authentication module error - invalid LDAP certificate store.
error.code.8401=X509 LDAP authentication module invalid credentials.
error.code.8402=X509 LDAP authentication module error - expired certificate.
error.code.8403=X509 LDAP authentication module error - certificate not yet valid.
error.code.8404=X509 LDAP authentication module error - certificate revoked.
error.code.8405=X509 LDAP authentication module error - root CA invalid.

error.code.8406=X509 LDAP authentication module error - invalid certificate signature.
error.code.8407=X509 LDAP authentication module error - invalid configuration.
error.code.8408=X509 LDAP authentication module error - invalid certificate store file.
error.code.8409=X509 LDAP authentication module error - invalid certificate store.
error.code.8410=X509 LDAP authentication module error - invalid LDAP port.
error.code.8411=X509 LDAP authentication module error - invalid LDAP certificate store.
error.code.8501=Active Directory authentication module configuration error.
error.code.8502=Active Directory authentication module configuration error.
error.code.8503=Active Directory authentication module configuration error.
error.code.8504=Active Directory authentication module configuration error.
error.code.8505=Active Directory authentication module configuration error.
error.code.8506=Failed to connect to Active Directory Server.
error.code.10001=Failed to log into the LunaSA Module.
error.code.10002=Failed to retrieve key from LunaSA Module.
error.code.10003=Failed to persist key in LunaSA Module.
error.code.10004=Failed to generate key in LunaSA Module.
error.code.10101=Failed to login to the LunaSA Module.
error.code.10102=Failed to retrieve key from LunaSA Module.
error.code.10103=Failed to persist key in LunaSA Module.
error.code.10104=Failed to generate key in LunaSA Module.
error.code.10201=Failed to log into the LunaSA Module.
error.code.10202=Failed to retrieve key from LunaSA Module.
error.code.10203=Failed to persist key in LunaSA Module.
error.code.10204=Failed to generate key in LunaSA Module.
error.code.12000=targetServerHostName property not found in authorization.xml.
error.code.12001=Target Server named in authorization.xml not found in Password Authority.
error.code.12002=targetApplication property not found in authorization.xml.
error.code.12003=Target Application named in authorization.xml not found in Password Authority.
error.code.12004=targetAccount property not found in authorization.xml.
error.code.12005=Target Account named in authorization.xml not found in Password Authority.
error.code.12006=groupClassMemberList property not found in authorization.xml.
error.code.12007=userSearchFilter property not found in authorization.xml.
error.code.12050=Error communicating with the LDAP server.
error.code.12051=Error authenticating with the LDAP server.
error.code.12052=Target account/application in authorization.xml file must be of type LDAP or Windows Domain Service.
error.code.12053=Cannot retrieve DNS host name(s).
error.code.12054=DNS server name not specified.
error.code.12100=targetServerHostName property not found in authorization.xml.
error.code.12101=Target Server named in authorization.xml not found in Password Authority.
error.code.12102=targetApplication property not found in authorization.xml.
error.code.12103=Target Application named in authorization.xml not found in Password Authority.
error.code.12104=targetAccount property not found in authorization.xml.
error.code.12105=Target Account named in authorization.xml not found in Password Authority.
error.code.12106=userSearchFilter property not found in authorization.xml.
error.code.12107=Error communicating with the Active Directory Server.
error.code.12108=Error authenticating with the Active Directory Server.

Error Code Messages for Remedy View Password Plug-in (13000 - 13099)

error.code.13000=A Remedy server must be specified.
error.code.13001=A Remedy application must be specified.
error.code.13002=A Remedy account must be specified.
error.code.13003=Remedy ticket number is not specified, or incorrect.
error.code.13004=Could not log into Remedy server.
error.code.13005=Remedy server specified in the password view policy could not be found.
error.code.13006=Remedy application specified in the password view policy could not be found.
error.code.13007=Remedy account specified in the password view policy could not be found.
error.code.13008=The CA NIM SM target server could not be found.

error.code.13009=The CA NIM SM target application could not be found.
error.code.13010=The CA NIM SM target account could not be found.
error.code.13011=Could not retrieve the ticket from the Remedy system.
error.code.13012=Required Remedy licensed files could not be found.

Error Code Messages for ServiceNow View Password Plug-in (13100 - 13199)

error.code.13100=A ServiceNow server must be specified.
error.code.13101=A ServiceNow application must be specified.
error.code.13102=A ServiceNow account must be specified.
error.code.13103=ServiceNow ticket number is not specified, or incorrect.
error.code.13104=Could not log into ServiceNow server.
error.code.13105=ServiceNow server specified in the password view policy could not be found.
error.code.13106=ServiceNow application specified in the password view policy could not be found.
error.code.13107=ServiceNow account specified in the password view policy could not be found.
error.code.13108=The CA NIM SM target server could not be found.
error.code.13109=The CA NIM SM target application could not be found.
error.code.13110=The CA NIM SM target account could not be found.
error.code.13111=Could not retrieve the ticket from the ServiceNow system.

Error Code Messages for CA SDM View Password Plug-in (13200 - 13299)

error.code.13200=A CA SDM server must be specified.
error.code.13201=A CA SDM application (type: Generic) must be specified.
error.code.13202=A CA SDM account must be specified.
error.code.13207=CA SDM ticket number is not specified, or incorrect.
error.code.13208=Could not log into CA SDM server.
error.code.13209=CA SDM server specified in the password view policy could not be found.
error.code.13210=CA SDM application specified in the password view policy could not be found.
error.code.13211=CA SDM account specified in the password view policy could not be found.
error.code.13212=The CA NIM SM target server could not be found.
error.code.13213=The CA NIM SM target application could not be found.
error.code.13214=The CA NIM SM target account could not be found.
error.code.13215=Could not retrieve the ticket from the CA SDM system.

Error Code Messages for Salesforce Service Cloud View Password Plug-in (13400 - 13499)

error.code.13400=A Salesforce Service Cloud server must be specified.
error.code.13401=A Salesforce Service Cloud application (type: Generic) must be specified.
error.code.13402=A Salesforce Service Cloud account must be specified.
error.code.13403=An SFDC Login Endpoint must be specified.
error.code.13404=An SFDC Service Cloud Client URL must be specified.
error.code.13405=A DateFormat must be specified.
error.code.13406=A CaseObject must be specified.
error.code.13407=A CaseCommentObject must be specified.
error.code.13408=An AttachmentObject must be specified.
error.code.13409=Salesforce Service Cloud ticket number is not specified, or incorrect.
error.code.13410=Could not log into Salesforce Service Cloud server.
error.code.13411=Salesforce Service Cloud server specified in the password view policy could not be found.
error.code.13412=Salesforce Service Cloud application specified in the password view policy could not be found.
error.code.13413=Salesforce Service Cloud account specified in the password view policy could not be found.
error.code.13414=The CA NIM SM target server could not be found.
error.code.13415=The CA NIM SM target application could not be found.
error.code.13416=The CA NIM SM target account could not be found.
error.code.13417=Could not retrieve the ticket from the Salesforce Service Cloud system.

Error Code Messages for HP Service Manager View Password Plug-in (13500 - 13599)

error.code.13500=An HP Service Manager server must be specified.
error.code.13501=An HP Service Manager application (type: Generic) must be specified.
error.code.13502=An HP Service Manager account must be specified.
error.code.13506=HP Service Manager ticket number is not specified, or incorrect.
error.code.13507=Could not log into HP Service Manager server.
error.code.13508=HP Service Manager server specified in the password view policy could not be found.
error.code.13509=HP Service Manager application specified in the password view policy could not be found.

error.code.13510=HP Service Manager account specified in the password view policy could not be found.
error.code.13511=The CA NIM SM target server could not be found.
error.code.13512=The CA NIM SM target application could not be found.
error.code.13513=The CA NIM SM target account could not be found.
error.code.13514=Could not retrieve the ticket from the HP Service Manager system.

Custom View Password Module Error Code Messages (14000 - 14999)

error.code.14000=The specified CA Normalized Integration Management account is in use and can't be deleted.
error.code.14001=The requested operation is not allowed on the CA Normalized Integration Management Target Account.
error.code.14002=The requested operation is not allowed on the CA Normalized Integration Management Target Application.
error.code.14003=The requested operation is not allowed on the 'nim.pam.ca.com' Target Server.
error.code.14004=The requested operation is not allowed on the selected application type.
error.code.15000=An invalid issuer URL was specified.
error.code.15001=An invalid console URL was specified.
error.code.15002=An invalid sign-in URL was specified.
error.code.15003=Exceeded maximum length for URL parameter.
error.code.15004=The specified URL is not formatted correctly.
error.code.15005=An invalid session duration was specified; the allowed range is 3600 - 129600 seconds.
error.code.15006=An invalid policy was specified.
error.code.15007=Exceeded maximum length for policy parameter.
error.code.15008=The specified policy is not formatted correctly.
error.code.15009=The AWS client reports that corrupted data was received from the AWS server; the error message is: {0}
error.code.15010=The AWS client reports that communications with the AWS server failed; the error message is: {0}
error.code.15011=An invalid session URL encoding option was specified.
error.code.15012=The AWS service reported a problem; the error message is: {0}
error.code.15013=The requested operation is not allowed on the AWS Access Credentials Target Application.
error.code.15014=The requested operation is not allowed on the 'xceedium.aws.amazon.com' Target Server.
error.code.15015=The requested command cannot be invoked from a remote host.
error.code.15016=The specified federated user name is incompatible with AWS; it contains too few characters.
error.code.15017=The specified federated user name is incompatible with AWS; it contains too many characters.
error.code.15018=The federated user name is missing from the request.
error.code.15019=The specified federated user name is incompatible with AWS.
error.code.15020=The specified AWS access account is in use and can't be deleted.
error.code.15021=The requested operation is not allowed on the AWS API Proxy Credentials Target Account.
error.code.15022=The requested operation cannot be performed by user with the specified target application type.
error.code.15023=The requested operation is not allowed
error.code.15099=The specified VMware access account is in use and can't be deleted.
error.code.15100=Delete Check: the requested operation would delete an existing Target Server with ID: {0}
error.code.15101=Delete Check: the specified host name corresponds to one or more deleted Target Server(s): {0}
error.code.15102=Delete Check: the specified host name does not correspond to any existing or deleted Target Server(s): {0}
error.code.15103=Delete Check: the specified ID corresponds to a deleted Target Server: {0}
error.code.15104=Delete Check: the specified ID does not correspond to an existing or deleted Target Server: {0}
error.code.15105=Delete Check: the requested operation would delete an existing Request Server of type CLIENT or AGENT with ID: {0}
error.code.15106=Delete Check: the specified host name corresponds to one or more deleted Request Server(s) of type {1}: {0}
error.code.15107=Delete Check: the specified host name does not correspond to any existing or deleted Request Server(s) of type {1}: {0}
error.code.15108=Delete Check: the specified ID corresponds to a deleted Request Server of type CLIENT or AGENT: {0}

error.code.15109=Delete Check: the specified ID does not correspond to an existing or deleted Request Server of type CLIENT or AGENT: {0}
error.code.15110=Delete Check: the specified ID corresponds to one or more deleted Target Server(s): {0}
error.code.15111=Delete Check: the specified ID does not correspond to any existing or deleted Target Server(s): {0}

Extension Manager: Common Channel and Processor Target Connector API (15200 - 15299)

error.code.15200=Failed to process a target connector script. Refer to the log file for further information.
error.code.15201=Failed to store an object in script processor memory.
error.code.15202=Failed to retrieve an object from storage in script processor memory.
error.code.15203=Failed to reset the script processor.
error.code.15204=An error occurred while processing a target connector script. The Target Account specifies an unrecognized password change method.
error.code.15205=An error occurred while processing a target connector script. The Target Account specifies an unsupported protocol.
error.code.15206=An error occurred while configuring the communications channel. The Target Account specifies an unsupported protocol.
error.code.15207=Failed to find {0} pattern(s) while reading from the communications channel: {1}
error.code.15208=An error occurred while configuring the script processor. Failed to retrieve a Target Account with ID {0}.
error.code.15209=An error occurred while configuring the script processor. The Target Account specifies another account should be used for authentication and/or verification but no value is assigned to the other account attribute.
error.code.15210=An error occurred while configuring the communications channel. The specified and calculated known host key fingerprints do not match.
error.code.15211=An error occurred while configuring the communications channel. Failed to decode the known host key.
error.code.15212=Failed to establish a communications channel to the remote host.
error.code.15213=An error occurred while configuring the script processor. An invalid pattern was specified for the password entry prompt.
error.code.15214=An error occurred while configuring the script processor. An invalid pattern was specified for the password confirmation prompt.
error.code.15215=An error occurred while configuring the script processor. An invalid pattern was specified for the password change prompt.
error.code.15216=An error occurred while configuring the script processor. An invalid pattern was specified for the user name entry prompt.
error.code.15217=Failed to remove an object from storage in script processor memory.
error.code.15218=An error occurred while configuring the script processor. Failed to retrieve a Target Account with ID {0}.
error.code.15219=An error occurred while configuring the script processor. The Target Account specifies another privileged account should be used but no value is assigned to the other privileged account attribute.
error.code.15220=A problem occurred while executing the script processor. Please try your request again or contact your Administrator.
error.code.15221=A problem occurred while executing the script processor. Failed to automatically derive a public key. Specify the public key and try again or else contact your Administrator.

Extension Manager: Common Channel and Processor Target Connector UI (15300 - 15399)

error.code.15300=Cannot read the revised update script file. Verify the filename and ensure the patch obtained from Customer Support has been applied.
error.code.15301=Cannot read the revised verify script file. Verify the filename and ensure the patch obtained from Customer Support has been applied.
error.code.15302=An invalid filename was specified for the revised update script file. Verify the filename or else contact Customer Support to obtain the correct filename.
error.code.15303=An invalid filename was specified for the revised verify script file. Verify the filename or else contact Customer Support to obtain the correct filename.
error.code.15304=Must choose the filename of the revised update script if any are available. Only use this field if instructed to do so by Customer Support.
error.code.15305=Must choose the filename of the revised verify script if any are available. Only use this field if instructed to do so by Customer Support.
error.code.15306=An invalid regular expression was specified to match the Password Change prompt.
error.code.15307=An invalid list of server host key types was specified.
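Codes 15210 and 15211 above describe the two ways the target connector's known-host-key check can fail: the key that the remote host presents does not decode, or it decodes but its fingerprint differs from the one the administrator pinned for the Target Server. The following is an added illustration of that check, written for this supplement; it is not Symantec PAM code and does not reproduce how the product implements it. It decodes an OpenSSH public key line field by field (SSH wire-format strings), derives the OpenSSH-style SHA256 fingerprint, and compares it to the pinned value in constant time. The ed25519 key bytes it builds are constructed for the demonstration and are not a real host key.

```python
import base64
import hashlib
import hmac
import struct


class HostKeyError(ValueError):
    """The known host key could not be decoded (the 15211 condition)."""


def _read_ssh_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: big-endian uint32 length, then bytes."""
    if offset + 4 > len(blob):
        raise HostKeyError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise HostKeyError("truncated string body")
    return blob[start:end], end


def decode_host_key(openssh_line: str):
    """
    Parse an OpenSSH public key line ('<type> <base64 blob> [comment]') and
    return (key_type, blob). Rejects bad base64, a blob whose embedded type
    string differs from the declared type, and a blob that ends mid-field.
    """
    parts = openssh_line.split()
    if len(parts) < 2:
        raise HostKeyError("expected '<type> <base64 blob>'")
    declared_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise HostKeyError(f"bad base64: {exc}") from exc
    embedded_type, offset = _read_ssh_string(blob, 0)
    if embedded_type != declared_type.encode("ascii", "replace"):
        raise HostKeyError("declared and embedded key types differ")
    while offset < len(blob):          # walk the remaining fields to the end
        _, offset = _read_ssh_string(blob, offset)
    return declared_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(openssh_line: str, pinned_fingerprint: str) -> bool:
    """True only if the presented key decodes and its fingerprint equals the
    pin (the 15210 comparison). A key that does not decode raises HostKeyError."""
    _, blob = decode_host_key(openssh_line)
    return hmac.compare_digest(fingerprint_sha256(blob), pinned_fingerprint)


def make_example_key(seed: int = 0) -> str:
    """Constructed ssh-ed25519 line for the demo; the 32 key bytes are not a real key."""
    point = bytes((seed + i) & 0xFF for i in range(32))
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " pam-target"


if __name__ == "__main__":
    presented = make_example_key()
    pin = fingerprint_sha256(decode_host_key(presented)[1])
    print("pinned:", pin)
    print("match :", host_key_matches(presented, pin))
    print("other :", host_key_matches(make_example_key(seed=1), pin))
```

The decoder walks every field before trusting the blob so that a truncated or padded key is rejected up front rather than surfacing later as a confusing fingerprint mismatch; the same separation of "cannot decode" from "does not match" is what the two catalog entries express.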

error.code.15308=An invalid list of inbound compression methods was specified.
error.code.15309=An invalid list of key exchange algorithms was specified.
error.code.15310=An invalid list of outbound compression methods was specified.
error.code.15311=An invalid list of inbound hashes was specified.
error.code.15312=An invalid list of outbound hashes was specified.
error.code.15313=An invalid list of inbound ciphers was specified.
error.code.15314=An invalid list of outbound ciphers was specified.
error.code.15315=Must specify a replacement update script. Only use this field if instructed to do so by Customer Support.
error.code.15316=Must specify a replacement verify script. Only use this field if instructed to do so by Customer Support.
error.code.15317=An invalid list of ciphers to detect was specified.
error.code.15318=An invalid regular expression was specified to match the Password Confirmation prompt.
error.code.15319=An invalid regular expression was specified to match the Password Entry prompt.
error.code.15320=An invalid regular expression was specified to match the User Name Entry prompt.

Error Messages for Microsoft Office 365 (Online Portal) (15400 - 15499)

error.code.15400=The portal URL is missing from the request.
error.code.15401=The specified portal URL is invalid.
error.code.15402=The Security Token Service endpoint URL is missing from the request.
error.code.15403=The specified Security Token Service endpoint URL is invalid.
error.code.15404=The Security Token Service endpoint reference URI is missing from the request.
error.code.15405=The specified Security Token Service endpoint reference URI is invalid.
error.code.15408=The context (wctx) parameter is missing from the request.
error.code.15409=The specified context (wctx) parameter is invalid.
error.code.15410=Failed to load the token request template.
error.code.15411=Failed to initiate federated session.
error.code.15412=Failed to retrieve token request response from the Security Token Service.
error.code.15413=Failed to load the federated session request template.
error.code.15414=Failed to retrieve target account password.
error.code.15415=The target account ID is missing from the request.
error.code.15416=The specified target account ID is invalid.
error.code.15419=The reason parameter is missing from the request.
error.code.15421=The specified start date is invalid.
error.code.15423=The specified end date is invalid.
error.code.15424=The specified compound server ID is invalid.
error.code.15425=Failed to encode the specified context (wctx) parameter.

Error Messages for SSH Key Pair Policy (15500 - 15599)

error.code.15500=The SSH Key Pair Policy ID is missing.
error.code.15501=The specified SSH Key Pair Policy ID is invalid; it must be an integer greater than zero.
error.code.15502=The SSH Key Pair Policy name is missing.
error.code.15503=The specified SSH Key Pair Policy name is invalid; it must consist of characters [a-z, A-Z, 0-9].
error.code.15504=The specified SSH Key Pair Policy name is too long; reduce the number of characters that it contains.
error.code.15505=The SSH Key Pair Policy description is missing.
error.code.15506=The SSH Key Pair Policy description is invalid; it must consist of characters [a-z, A-Z, 0-9].
error.code.15507=The SSH Key Pair Policy description is too long; reduce the number of characters that it contains.
error.code.15508=The SSH Key Pair Policy key type is missing.
error.code.15509=The specified SSH Key Pair Policy key type is invalid; it must be RSA or DSA.
error.code.15510=The SSH Key Pair Policy key length is missing.
error.code.15511=The specified SSH Key Pair Policy key length is invalid.
error.code.15512=Failed to add SSH Key Pair Policy due to error: {0}
error.code.15513=Failed SSH Key Pair generation test due to error: {0}
error.code.15514=The specified SSH Key Pair type and length are not compatible.
error.code.15515=An SSH Key Pair Policy ID or Name must be specified.
error.code.15516=Failed to load an SSH Key Pair Policy having the specified ID or Name.
error.code.15517=Must specify either an SSH Key Pair Policy ID or a Name but not both.
error.code.15600=Invalid subnet x.x.x.x. Format should be in CIDR notation (xxx.xxx.xxx.xxx/xx)

error.code.15601=Cannot change host name. Device in use by LDAP Domain Configuration. error.code.15602=Cannot change host name. Application in use by LDAP Domain Configuration. error.code.15603=Cannot change application. Account in use by LDAP Domain Configuration. error.code.15604=Failure updating LDAP configuration error.code.15605=Cannot change host name. Device in use by RADIUS and TACACS+ Configuration. error.code.15606=Cannot change application type. Application in use by RADIUS and TACACS+ Configuration. error.code.15607=Cannot change application. Account in use by RADIUS and TACACS+ Configuration. Remote Agent Error Codes (15608 - 15622) error.code.15608=Remote Agent other account error.code.15609=Cannot change application. Account in use by another Windows Remote Agent account. error.code.15610=Cannot change account type. Account in use by another Windows Remote Agent account. error.code.15611=Cannot change application. Account in use for discovery by an Active Directory account. error.code.15612=Cannot change account type. Account in use for discovery by an Active Directory account. error.code.15613=Not a Remote Agent admin error.code.15614=Remote Agent I/O error error.code.15615=Remote Agent process interrupted error.code.15616=Remote Agent process abnormal exit error.code.15617=Remote Agent logon failed error.code.15618=Remote Agent access denied error.code.15619=Remote Agent connection error error.code.15620=No Remote Agent admin error.code.15621=Remote Agent cannot clean up error.code.15622=No Remote Agent admin ID error.code.15623=Account is in use by Azure Configuration. error.code.15624=Operation is not permitted on Azure access credentials target server Error messages for CA NIM SM target manager connector (15700 - 15719) error.code.15701=Change process not specified. error.code.15702=Internal target connector error. error.code.15703=Failed to synchronize password with target. error.code.15704=Failed to verify password with target. 
Error Code Messages for CA NIM UM Target Manager Connector (15720 - 15739)
error.code.15721=Change process not specified.
error.code.15722=Internal target connector error.
error.code.15723=Failed to synchronize password with target.
error.code.15724=Failed to verify password with target.

Error Code Messages for ServiceNow Target Manager Connector (15740 - 15759)
error.code.15741=Change process not specified.
error.code.15742=Internal target connector error.
error.code.15743=Failed to synchronize password with target.
error.code.15744=Failed to verify password with target.
error.code.15745=A ServiceNow URL must be specified.
error.code.15746=A ServiceNowClientURL must be specified.
error.code.15747=Could not log into ServiceNow server.

Basic error messages for Service Desk connector (15760 - 15779)
error.code.15760=Error retrieving Service Desk user credentials.
error.code.15761=The CA NIM UM target server could not be found.
error.code.15762=The CA NIM UM target application specified in the password view policy could not be found.
error.code.15763=The CA NIM UM target account specified in the password view policy could not be found.
error.code.15764=Failed to synchronize password with target.
error.code.15765=Failed to verify password with target.

Error messages for HP Service Manager target manager connector (15780 - 15799)
error.code.15780=Change process not specified.
error.code.15781=Internal target connector error.
error.code.15782=Failed to synchronize password with target.
error.code.15783=Failed to verify password with target.
error.code.15784=A port must be specified.
error.code.15785=A HPSMClientURL must be specified.


error.code.15786=An Enabled Protocol must be specified.
error.code.15787=Could not log into HP Service Manager server.

Error Code Messages for CA SDM Target Manager Connector (15800 - 15819)
error.code.15800=Change process not specified.
error.code.15801=Internal target connector error.
error.code.15802=SOAP Protocol must be specified.
error.code.15803=SOAP Port must be specified.
error.code.15804=REST Protocol must be specified.
error.code.15805=REST Port must be specified.
error.code.15806=Could not log into CA SDM server.

Configure Diagnostic Logs

The Privileged Access Manager Diagnostic Logs page is available from the Configuration, Diagnostics menu. The information collected there is used by CA Technologies Support to analyze Privileged Access Manager operation. The Log Levels tab configures the information being collected. After you set your levels, select the Submit button. The Download tab enables you to download the logs for diagnostic inspection.

• Tomcat Logs
• CA PAM as SAML RP Log Level
• CA PAM as SAML IdP Log Level
• Web Services Log Level
• LDAP Sync Log Level
• Applet Log Level
• Applet Debugging
• System Log Configuration File
• Download System Diagnostics
• Download SPFD Logs
• CA Remote Engineer Zip File
• Analytics Logs
• Service Desk Logs

Tomcat Logs

On the Log Levels tab, use the Tomcat Log Levels drop-down list to filter by log level, from Off to Finest; the default is Warning. Select Recent Log Entries for Tomcat on the Download tab to open a dialog showing recent unfiltered log entries. Select Download to save the Credential Management "catalina.out" log file for this appliance to your local client access computer.

CA PAM as SAML RP Log Level

Use this option only with the aid of CA Technologies Privileged Access Manager Support. Otherwise, set the Log Level to "Normal". To see recent entries, select the Recent Log Entries button for CA PAM as SAML RP on the Download tab.

CA PAM as SAML IdP Log Level

Use this option only with the aid of CA Technologies Privileged Access Manager Support. Otherwise, set the Log Level to "Normal". To see recent entries, select the Recent Log Entries button for CA PAM as SAML IdP on the Download tab.

Web Services Log Level

Use this option only with the aid of CA Technologies Privileged Access Manager Support. Otherwise, set the Log Level to "Error".

LDAP Sync Log Level

Use this option only with the aid of CA Technologies Privileged Access Manager Support. Otherwise, set the Log Level to "Normal".

Applet Log Level

Use this option only with the aid of CA Technologies Privileged Access Manager Support. Otherwise, set the Log Level to "Error". Log files can grow rapidly if you set the log level to "Debug". Restore it to a lower level when practical. Monitor the disk usage (System Info), and if it is high, reboot Privileged Access Manager. Rebooting clears these logs.

Applet Debugging

Use this option only with the aid of CA Technologies Privileged Access Manager Support.


System Log Configuration File

If CA Technologies Support provides a system configuration file, use the Browse button to upload it.

Download System Diagnostics

Use this option only with the aid of Broadcom Support. If Support asks for System Log Files, use the button in this panel to download them. If core dumps are being collected, they are contained in this download.

Download SPFD Logs

Select Download to save the SPFD log of the service provider daemon for this appliance to your local client access computer.

CA Remote Engineer Zip File

Select Download to save a CA Remote Engineer Zip file to your local client access computer. CA Remote Engineer captures log files, configuration files, and other information about your system; because the archive contains configuration data, handle it as sensitive when you store it or send it to Support. Use this option only with the aid of Broadcom Support. For more information about CA Remote Engineer, see the CA Remote Engineer documentation.

Analytics Logs

Select Download to save the Analytics log file to your local client access computer. Use this option only with the aid of Broadcom Support.

Service Desk Logs

If you have integrated Privileged Access Manager with a service desk solution and you have to troubleshoot it, you can download the service desk logs. Select Download to save the service desk log file to your local client access computer. Use this option only with the aid of Broadcom Support.

Import LDAP User Groups

As an Administrator, an efficient method of creating an LDAP user group is to import an LDAP user group from a remote LDAP server. To import a user group, you must use the built-in LDAP Browser, which is launched during the import procedure.

This topic explains the following tasks:

• Launch the LDAP Browser
• Import LDAP Groups
• Refresh LDAP Groups
• Nested Groups
• LDAP Browser Menus and Controls
• About Pagination
• Search and Quick Search Options
• Double-Byte Characters for User and User Group Names

Launch the LDAP Browser

To import LDAP Groups into Privileged Access Manager, follow these steps:

1. Verify that your appliance is licensed on the Configuration, Licensing page. A license is required to launch the LDAP Browser.
2. Navigate to Configuration, 3rd Party, LDAP, and configure access to an LDAP server. Provisioning the LDAP server is necessary to make LDAP groups available for import.
3. Select Users, Manage User Groups.
4. Select Import LDAP Groups. The LDAP Browser launches, and you are prompted to select an LDAP domain.


Note: Privileged Access Manager does not support SSH and LDAP connections from a native browser unless the local Java runtime permits strong cryptography. Update your local JCE with the unlimited strength policy jars that match your JRE version.

5. Go to the next procedure to import the LDAP group.

If the LDAP server does not support the cipher suite used by the Privileged Access Manager LDAP browser, the connection fails and the following error message appears: "Possible cipher mismatch with LDAP server." During provisioning, ensure that the cipher suites enabled on the target LDAP server include at least one that the LDAP browser supports.

Import LDAP Groups

In the LDAP Browser, the Explore tab in the left pane shows a graphical representation of an LDAP tree. Select any object to see the object attributes.

Follow these steps:

1. Select the LDAP domain and select OK to connect to it. The browser connects and displays all records below that domain.
2. Navigate the LDAP tree in the left pane and locate the user group that you want to import. Traverse the tree in any order or direction.
3. To stage a group for import, select the checkbox next to the group.


4. Repeat these steps for each group you want to import.
5. (Optional) Review the groups that are selected for import:
   a. Select PAM Groups, Manage selected groups to register with the PAM appliance. The list of the Distinguished Names of all selected groups displays.
   b. Select and edit any group DN, or remove it from the staging list.
6. Select PAM Groups, Register selected groups with the PAM appliance. A window opens displaying a list of the staged groups. You can watch the progress and display any messages associated with the actions.
7. When ready to import the groups, select Register Groups in the lower-left corner. Privileged Access Manager imports the groups in the order that they are listed. The browser provides feedback and cancellation options throughout the process. You can cancel registration of a group, or you can cancel the registration of all groups, even after they have started. When the imports are finished, each line item in the registration window shows a green checkmark for success or a red X for import failure or cancellation.
8. (Optional) Review the status of the full list and each individual group by selecting its line item. If you made changes to an individual group or any errors occurred, the lower Messages panel provides details.
9. Go to Users, Manage User Groups, and confirm that the imported user groups appear on the page.

Roles are inherited from the LDAP group. The default role is Standard User. Ignore the Roles panel, which indicates "No roles selected."

You cannot delete a record from an imported LDAP group. Also, you cannot edit an LDAP-imported field.

Refresh LDAP Groups

You can refresh an LDAP Group to update the records in the group.

Follow these steps:

1. In the UI, select Users, Manage User Groups.
2. Toward the right side of the page, select Refresh LDAP Groups. The LDAP Browser launches the Refresh Registered LDAP Groups window.
3. Select one or more groups you want to refresh and select Refresh Selected Groups.


Refresh Active Directory User Groups After an OU Change

A change to the organizational unit (OU) of a user results in a change to the user DN. The modified DN can impact an access policy. CA PAM handles an OU change when the Active Directory group is refreshed automatically. During a refresh, the appliance searches the remote Active Directory server and updates its user record. Despite the OU change, the policy for that user is preserved.

To reflect an OU change immediately, you can manually refresh an Active Directory group in CA PAM. To keep the data in sync with Active Directory, refresh all the groups that now contain the user and all the groups from which the user moved.

Nested Groups

If an LDAP group is listed in a parent group's member attribute, then users in both the parent and the child group are imported with the parent. For example, consider groups CommunityA and CommunityB, and user Person1. CommunityB is a member of CommunityA, that is, it is nested in CommunityA. Person1 is the sole member of the group CommunityB. If you import the CommunityA group, you see every member of CommunityA and also Person1 from CommunityB.
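The transitive walk that the nested-group import implies, as an added example; this is not code from Privileged Access Manager, and the directory entries, DNs, and attribute names are constructed for illustration. It goes slightly beyond the page's two-level CommunityA/CommunityB case: it follows the member attribute to any depth, stops on cyclic nesting, and reports member DNs that lie outside the fetched subtree instead of dropping them silently.

```python
"""Resolve the users reached through nested LDAP groups.

Added example, not Privileged Access Manager code. The DIRECTORY dict
is a constructed stand-in for entries a real LDAP server would return.
"""
from collections import deque

# Constructed sample directory: DN -> attributes. Groups list their
# members on the 'member' attribute, as Active Directory and RFC 4519
# groupOfNames entries do.
DIRECTORY = {
    "cn=CommunityA,ou=Groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": [
            "cn=Person2,ou=Users,dc=example,dc=com",
            "cn=CommunityB,ou=Groups,dc=example,dc=com",    # nested group
        ],
    },
    "cn=CommunityB,ou=Groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": [
            "cn=Person1,ou=Users,dc=example,dc=com",
            "cn=CommunityA,ou=Groups,dc=example,dc=com",    # cycle back to parent
            "cn=Contractor9,ou=External,dc=example,dc=com",  # not in fetched subtree
        ],
    },
    "cn=Person1,ou=Users,dc=example,dc=com": {"objectClass": ["user"]},
    "cn=Person2,ou=Users,dc=example,dc=com": {"objectClass": ["user"]},
}


def is_group(entry):
    """True when the entry is a group (objectClass: group)."""
    return "group" in entry.get("objectClass", [])


def resolve_members(directory, group_dn, max_depth=32):
    """Return (users, groups, unresolved) reachable from group_dn.

    Breadth-first over the member attribute. 'seen' stops cyclic
    nesting (CommunityA -> CommunityB -> CommunityA) from looping, and
    max_depth bounds the walk on a pathological directory. DNs that
    are not present in 'directory' are reported as unresolved so an
    administrator can see what the import would miss.
    """
    users, groups, unresolved = set(), set(), set()
    seen = {group_dn}
    queue = deque([(group_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if depth > max_depth:
            raise RuntimeError(f"group nesting deeper than {max_depth} at {dn}")
        for member_dn in directory[dn].get("member", []):
            if member_dn in seen:
                continue
            seen.add(member_dn)
            entry = directory.get(member_dn)
            if entry is None:
                unresolved.add(member_dn)
            elif is_group(entry):
                groups.add(member_dn)
                queue.append((member_dn, depth + 1))
            else:
                users.add(member_dn)
    return users, groups, unresolved


if __name__ == "__main__":
    users, groups, unresolved = resolve_members(
        DIRECTORY, "cn=CommunityA,ou=Groups,dc=example,dc=com")
    print("users:", sorted(users))
    print("nested groups:", sorted(groups))
    print("unresolved:", sorted(unresolved))
```

Importing CommunityA yields Person2 directly and Person1 through CommunityB, as the page describes; the unresolved set is what to check when a refreshed group appears to have lost members.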

LDAP Browser Menus and Controls

The following table explains the LDAP Browser menus and control options.

Text Menu: Function

Copy icon: Copy the Distinguished Name of the selected entry to the clipboard.

Group icon: Display all the groups in this container. After first selecting an object in the tree under the Explore tab, clicking this button switches you to the Results tab, where you see a fully expanded tree of all groups (objectClass: group) contained within the selected object.

File
  Connect: Log in to an LDAP database. Invokes a pop-up window from which you can select from currently accessible domains.
  Disconnect: Log out from the current LDAP domain.
  Print: Print the currently selected node.
  Exit: Close the browser window. The browser continues running while the connection is active. During that time, you can invoke the LDAP Browser by selecting Users, Manage Groups, Import LDAP Group.

View: Viewing options for the graphical menu items below the main menu.
  Show Button Bar: Icon-based menu. Default: On
  Show Search Bar: Icon-based menu. Default: On

Options
  Set LDAP Connection Timeout: Maximum time (seconds) before a connection attempt is canceled. This timeout is useful when multiple servers are specified for a particular LDAP domain in Configuration, 3rd Party. Default: 60 seconds
  Set Result Set Page Size: Maximum number of records in an LDAP directory before pagination is triggered for representation in the browser tree, and the number of records in each page of a paginated subtree. Default: 1000

Bookmark: A bookmark can be made on any leaf in a tree. You can select the bookmark later directly from the menu. Bookmarks are saved for each domain, and appear only when the browser is connected to that domain.
  Add Bookmark: Opens an editing window for bookmarking the currently selected leaf:
    • DN – pre-populated with the current Distinguished Name (DN)
    • Bookmark Name – pre-populated with the current Common Name (CN)
  Edit Bookmark: Opens a bookmark selection window. Selection in turn opens a bookmark editing window (see Add Bookmark).
  Delete Bookmark: Opens a bookmark selection window. Selection in turn deletes the bookmark and confirms the deletion.

Search
  Search Dialog: Opens a detailed search specification window. (Contrast with Quick Search.)
  Delete Filter: Opens a window with a list of filters for selection and deletion.
  Return Attribute Lists
  Paged Results
  Next Page of Results: Retrieve the next page of results and display the page wrapper (Page n Results) in the Explore tree. The item is green when applicable and gray when not.

Tools
  Stop Action: Suspends the current LDAP request. Stopping a request is useful when the page size is large and the browser is searching a large database.

Privileged Access Manager Groups: Privileged Access Manager-specific menu items
  Manage selected groups to register with the appliance: Lists all items that are currently selected (staged) for importing to Privileged Access Manager.
  Register selected groups with the appliance: Performs the import operation on the selected items, which are listed in Manage selected groups to register with the appliance.

About Pagination

Pagination is available for Active Directory (AD) and OpenLDAP.

The LDAP Browser has a pagination feature to reduce overhead on LDAP access. The browser setting Result Set Page Size specifies the maximum number of members (directories, groups, or objects; or nodes) for any directory. This value is initially set to a default of 1000. If the overhead required to display all directory members is too heavy, the administrator can reduce this value.

For example, set this value to 5 to insert a pagination leaf for any directory with more than five members. The LDAP Browser inserts the initial pagination leaf when that directory is opened, before displaying the actual directory contents.

Search and Quick Search Options

If you know the name of the directory or object you are looking for, use one of the two search options available in the LDAP Browser. If the tree appears paginated in the browser, the search can still traverse the entire tree.

You can use the Quick Search button in the upper-right corner of the browser to locate the desired object.

Follow these steps:

1. In the Explore tab tree, select the node that you want to be at the top of the search. Your choice is reflected in the Quick Search label.
2. To the right of the Search From label, select an attribute from the drop-down list, and enter a search string in the text box.
3. Select Quick Search. A filtered tree appears in the Results tab.
4. Select an object in the tree to see Entry Attributes on the right.

LDAP Browser Search Options

To refine search results to a limited subset of objects, or to save a search for future use, select the menu item Search, Search Dialog. The following table explains the search settings.

Field/Button: Definition

Filter Name: Assign a bookmark name for the filter. When you have filled in the remainder of this dialog, select Save in the lower right. The filter is then available from the Search menu.

Start Searching From: Identify the root node for your search.

Alias Options
  Resolve aliases while searching: When checked, LDAP Browser returns the real entry to which the alias points. When unchecked, LDAP Browser returns all alias entries as regular entries.
  Resolve aliases when finding base object

Search Level
  Select Search Level: Search Base Object, Search Next Level, or Search Full Subtree

Information to retrieve: Allows you to select from a saved list in Return Attribute Lists.

Filter Operators
  Not: Negative of the (entire) constructed entry
  [Expression]
    [Attribute]: Menu of all LDAP attributes, accountExpires through x500uniqueIdentifier
    [Operator]: Logic to apply to the attribute in this expression
    [Character string]: Text being tested with this expression
  More: Add another logic template to concatenate with other defined logic
  Less: Remove the most recently defined logic
  Save: Save the entire filled-in template under the label assigned in Filter Name
  Load: Load an existing filter into this template for editing or copying
  View: Show the LDAP filter

[Template Commands]
  Search: Perform the search as currently defined in this template.
  Cancel: Close the dialog without executing a search or saving it to a filter name.
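How the Search Dialog's [Attribute] [Operator] [Character string] rows, together with More and Not, compose into an LDAP filter, as an added example; this is not the LDAP Browser's own code, and the operator names and the row tuple format are assumptions made for the example. The point to take from it is the escaping: the text typed into [Character string] is an assertion value and must be escaped per RFC 4515 before it is placed in the filter, otherwise a value such as `*)(objectClass=*` turns a search for one CN into a search that matches every entry in the subtree.

```python
"""Compose an LDAP search filter from attribute / operator / value rows
with RFC 4515 escaping of the value.

Added example, not the LDAP Browser's code. Operator names and the
row format are assumptions for this example.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an
# assertion value, as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute description (RFC 4512): a name such as cn or sAMAccountName,
# or a numeric OID. Anything else is rejected rather than escaped.
_ATTRIBUTE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*")

_OPERATORS = {
    "equals":           lambda a, v: f"({a}={v})",
    "starts_with":      lambda a, v: f"({a}={v}*)",
    "ends_with":        lambda a, v: f"({a}=*{v})",
    "contains":         lambda a, v: f"({a}=*{v}*)",
    "greater_or_equal": lambda a, v: f"({a}>={v})",
    "less_or_equal":    lambda a, v: f"({a}<={v})",
    "present":          lambda a, v: f"({a}=*)",
}


def escape_value(value):
    """Escape a user-supplied string so the filter matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expression(attribute, operator, value):
    """One [Attribute] [Operator] [Character string] row of the dialog."""
    if not _ATTRIBUTE.fullmatch(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    try:
        build = _OPERATORS[operator]
    except KeyError:
        raise ValueError(f"unknown operator: {operator!r}") from None
    return build(attribute, escape_value(value))


def build_filter(rows, combine="and", negate=False):
    """Combine rows with & or | (the dialog's More); 'negate' is the
    dialog's Not, applied to the entire constructed filter."""
    if not rows:
        raise ValueError("at least one row is required")
    parts = [expression(*row) for row in rows]
    if len(parts) == 1:
        result = parts[0]
    else:
        op = {"and": "&", "or": "|"}[combine]
        result = f"({op}{''.join(parts)})"
    return f"(!{result})" if negate else result


if __name__ == "__main__":
    # Quick Search equivalent: cn starting with "Community"
    print(build_filter([("cn", "starts_with", "Community")]))
    # Unescaped, this value would read (cn=*)(objectClass=*) and match
    # everything; escaped, it matches only that literal string.
    print(build_filter([("cn", "equals", "*)(objectClass=*")]))
```

The same escaping applies to any search string an application passes to a directory on behalf of a user; the attribute name is validated rather than escaped because RFC 4515 defines no escape for it.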

Double-Byte Characters for User and User Group Names

Privileged Access Manager provides double-byte character support. The appliance allows East Asian characters in the data store and in the UI representation of user and user group names. LDAP usernames are imported and displayed with the double-byte characters maintained.

User records with double-byte characters can be imported to LDAP groups but not to individual local user records.

Configure Users

Each person accessing resources through CA PAM must have a user account. A user represents a login account with a specific set of privileges to perform actions on the appliance. Every login account constitutes a user. Users are displayed, defined, and managed through the Users menu in the UI. When referring to users managed by the appliance, the user is a managed object or account. This user is distinct from the actual person ("user") who uses the managed account.

• Privileges and Roles
• User Groups
• Configuring User Accounts

Privileges and Roles

Each user must be represented by at least one role attribute. A role is a set of access privileges. Each privilege allows the user to perform certain functions on the appliance. A set of predefined roles is provided with the basic installation. These user types include:

• End Users: An end user is a managed user who primarily accesses managed devices and views passwords of managed target accounts. This user has the predefined role of Standard User, which is assigned by default when the User template is used to create an account. All end-user activity is performed on the Access page (which is unlabeled). These users have no access to the Admin menu. The privileges of a Standard User are not a subset of all other predefined roles: there are administrator roles that do not allow device access or password viewing.

• Administrators: An administrator is a user who can exercise privileges beyond Standard User privileges. As a result, an administrator sees a full or partial Admin menu, or has access to the Config menu.

• super and config administrators: Two administrator accounts, config and super, are predefined on the appliance. These two administrators have certain special privileges and characteristics to perform initial configuration and other operations:

  o super has the predefined role of Global Administrator. This role appears in the Users list on the Manage Users page.

  o config has access only to the Configuration menu, including the Change Password menu. The config user does not appear in the Users list on the Manage Users page.


The privileges of the config account differ from the privileges that are assigned to the Configuration Administrator role. The config user gains access solely through the /config/ directory. The config user is also the only account with access to the Change Password menu.

Though you can change the names of the super and config users, we recommend that you leave the names as they are. Even if you rename them, these two accounts remain the two baseline user accounts.

User Groups

User Groups let you apply user attributes to all members belonging to a group. Privileged Access Manager user groups are distinct from Credential Manager user groups.

Configuring User Accounts

User accounts can be created in two ways:

• Individually, using the UI
• Imported from a CSV file that contains a set of user records. When users are imported from a CSV file, these users are automatically established as a group.

Set a User-Device Policy

Apply a policy to a user-device pair to allow that user to access the device or to view a password based on the device.

Follow these steps:

1. Select Policy, Manage Policies. The policy page appears.
2. In the User (Group) field, start typing the User or User Group you want, and select the matching full name from the filtered drop-down list.
3. In the Device (Group) field, start typing the Device or Device Group you want, and select the matching full name from the filtered drop-down list.
4. In the upper-right corner of the page body, click the Create Policy link. A policy template opens.
5. (Optional) To use an Access Method, click Add (or Edit) to the right of Access, and from the drop-down list select an available type:port (for example, RDP:3389). A blank field opens to the right.
   a. (Optional) To allow auto-connection to the device, click in this field and select a target account - target account pair.
6. (Optional) To use a previously provisioned local Service, click Add (or Edit) to the right of Services, and from the drop-down list select a Service (for example, PuTTY). A blank field opens to the right.
   a. (Optional) To allow auto-connection to the device, click in this field and select a target account - target account pair.
7. (Optional) To allow this user to view a target account password:
   a. Click Add (or Edit) to the right of Passwords. From the drop-down list, select a target application. A blank field opens to the right.
   b. Click in this field. Select an available target account from the drop-down list for the application that stores the password.
8. (Optional) To apply a Command Filter to all connections, select one from the drop-down list.
9. (Optional) To apply a Socket Filter to all connections, select one from the drop-down list.
   a. (Optional) To prevent device access whenever its Socket Filter Agent (SFA) is not running, select Restrict login if agent is not running.
10. (Optional) To activate recording, select Graphical for RDP or VNC connections or Command Line for CLI connections.
   a. (Optional) For CLI connections, to capture both output and input lines, select Bidirectional. Otherwise, only output lines are captured.
   b. (Optional) To start recording only after the user commits a (filter) violation, select On Violation. Otherwise, all connections are recorded from start to finish.
11. Click Save. You return to the policy list. The activated device or password access is now available for execution from the user's Access page.

Set Up a Policy

As an administrator, apply a policy to a user-device pair. The policy defines user access to the device or to view a password for the device. Assign a policy using one of the following methods:

• Policy template
• Imported CSV file

A policy can also be applied based on inheritance from a parent group.


A User effective policy spans these categories, as the union of all policy assignments. It reflects the range of device and access options available to a user, as represented on the User Access page. As an administrator, you can view a User effective policy in Users, Manage Users, Update, Manage Policy. The configuration of a Device provides a template for choosing which access methods are allowed for a particular User. The scope of this template has previously been defined by the attributes assigned in the Device record. A unique policy can exist for every match of each of the first (Users and User Groups) with each of the second (Devices and Device Groups). For example, if there are three Users and three Devices, after matching each User with each Device, there could be up to nine different policies.

Prerequisites

• Session recording activation requires that storage is configured in advance on the Configuration, Logs, Session Recording page.
• Define Users, Devices, Access Types, Services, and Filters. Configure the components of a policy first so that they are available to include in a policy.
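The effective-policy union described above, together with the Restrict login if agent is not running option from the user-device policy steps, as an added example; this is not Privileged Access Manager code, and the data model (the Policy fields, the membership maps, the sample user, device and group names, and the decision to treat the restriction as set when any matching policy sets it) is an assumption constructed for the example. It resolves which policies apply through the user, the user's groups, the device and the device's groups, unions their grants, and then decides one connection attempt.

```python
"""Compute a User effective policy as the union of every policy that
matches the user or any of its user groups against the device or any
of its device groups, and apply the "Restrict login if agent is not
running" rule to one connection attempt.

Added example, not Privileged Access Manager code. The data model
(Policy fields, membership maps, sample names) is an assumption
constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    subject: str                        # user name or user group name
    target: str                         # device name or device group name
    access: frozenset = frozenset()     # Access Methods, e.g. "SSH:22"
    services: frozenset = frozenset()   # Services, e.g. "PuTTY"
    passwords: frozenset = frozenset()  # (target application, target account)
    restrict_if_no_agent: bool = False  # "Restrict login if agent is not running"


# Constructed memberships (assumed, not read from an appliance).
USER_GROUPS = {"alice": {"dba"}, "bob": set()}
DEVICE_GROUPS = {"db01": {"prod-db"}, "web01": {"prod-web"}}

# Constructed policies: user-device, group-group, and user-group pairs.
POLICIES = [
    Policy("alice", "db01", access=frozenset({"SSH:22"})),
    Policy("dba", "prod-db", access=frozenset({"RDP:3389"}),
           passwords=frozenset({("Oracle", "sys")}), restrict_if_no_agent=True),
    Policy("bob", "prod-web", services=frozenset({"PuTTY", "RDP"}),
           restrict_if_no_agent=True),
]

# Connections a Socket Filter Agent monitors, per the policy template
# notes on this page: every Access Method applet, plus the RDP, VNC and
# ICA Services. Other Services and Web Portals are not monitored.
SFA_MONITORED_SERVICES = {"RDP", "VNC", "ICA"}


def effective_policy(policies, user, device,
                     user_groups=USER_GROUPS, device_groups=DEVICE_GROUPS):
    """Union of all policies whose subject is the user or one of its
    groups and whose target is the device or one of its groups.

    The restriction flag is taken from any matching policy that sets
    it (fail closed); that choice is an assumption of this example.
    """
    subjects = {user} | set(user_groups.get(user, ()))
    targets = {device} | set(device_groups.get(device, ()))
    matching = [p for p in policies
                if p.subject in subjects and p.target in targets]
    return {
        "access": set().union(*(p.access for p in matching)),
        "services": set().union(*(p.services for p in matching)),
        "passwords": set().union(*(p.passwords for p in matching)),
        "restrict_if_no_agent": any(p.restrict_if_no_agent for p in matching),
        "policies": len(matching),
    }


def may_connect(effective, kind, name, agent_running):
    """Decide one attempt. kind is "access" (an Access Method applet)
    or "services" (a Service launched from the Access page)."""
    if kind not in ("access", "services"):
        raise ValueError(f"unknown connection kind {kind!r}")
    if name not in effective[kind]:
        return False, "not granted by any policy"
    monitored = kind == "access" or name in SFA_MONITORED_SERVICES
    if effective["restrict_if_no_agent"] and monitored and not agent_running:
        return False, "Socket Filter Agent not running"
    return True, "allowed"


if __name__ == "__main__":
    eff = effective_policy(POLICIES, "alice", "db01")
    print(eff)
    print(may_connect(eff, "access", "SSH:22", agent_running=False))
```

Note what the union does to the restriction: alice's direct user-device policy never set Restrict login if agent is not running, but the dba/prod-db group policy did, so her SSH applet to db01 is refused while the agent is down. bob's PuTTY Service is never refused for that reason because it is not SFA-monitored, exactly as the page states for standard Services.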

Policy Template

Create an association between a user and a device using the policy template. These procedures begin from the Policy menu. However, for some user records, you can edit a policy template from the user record by selecting Manage Policy.

Follow these steps:

1. Select Policies, Manage Policies.
2. Complete one of the following actions:
   • Create a new policy by clicking Add.
   • Select an existing policy record and click Update. If the policy record is not listed, find it by selecting the User/User Group or Device/Device Group search criteria at the top of the screen.
3. If you are adding a new policy, use the fields in the Association section to locate the user or device that you want to associate in a policy. Select the search icon in one of the fields to display the list of choices. Double-click an entry to add it to the Association screen. If you select a Device Group, only those Access Methods that are specified for the group are displayed.
4. On the Access tab, select one or more entries from the list and move them to the Selected Access list.
5. On the Services tab, select one or more services available for a provisioned device.
6. On the SAML tab, set SAML options as appropriate. (SAML must already be configured for anything to show here.)
7. On the Password tab, select the passwords the user or user group can manage. Then, select from the available Device or Device Group defined target applications. When you select a target application, you can also select one or more provisioned target accounts for that application that the user can manage. For AWS AMI instances on UNIX and Linux Devices, only EC2 keys auto-populate as options.
8. If Socket Filter Agents are installed in the environment, select the available command and socket filters to assign to the black and white lists on the Filters tab. The filters listed are those set up in the Filters option of the UI. Select the Restrict login if agent is not running check box.
   • If the product cannot detect a running SFA on the device and an SFA-monitored connection is attempted, the login is rejected. Unmonitored connection instances are never rejected by selecting this option.
   • SFAs monitor the following connections: Access Method GUI, CLI, and mainframe applets; and RDP, VNC, and ICA Services.
   • SFAs do not monitor standard (customized) Services and Web Portal Services.
9. If session recording capability is configured, specify the types of recording to make using the options on the Recording tab. Set one or more of the following available options (availability depends on the selected access methods on the Access tab):
   • Graphical (available for RDP and VNC access methods): Record user activity graphically.
   • Command Line (available for TELNET, SSH, and Console access methods): Record user activity on the target device as plain text.
   • Bidirectional (applicable for command line recordings only): Record command line output from the operating system or application as well as what the user types. Bidirectional recording is required for SSH Proxy applets. All mainframe-access applets apply bidirectional session recording when you enable recording.

   • Web Portal (available for VNC access method only): Record user activity on the web portal graphically.
   • On Violation (only valid if no other recording options are set): Start recording only when a user causes a violation against a Command Filter or Socket Filter during a session. The recording continues until the user ends the connection session.

   To view session recordings when accessed through a Juniper SA appliance, configure a policy for allowing custom headers.

10. Select Login Integration on the CA PAM Server Control tab if you are integrating with CA PAM Server Control.
11. Select a Login on the Transparent Login tab if you are using Transparent Login.

Junos Configuration Required for Viewing Session Recordings

To view session recordings when Privileged Access Manager is accessed through a Juniper SA appliance, configure a policy for allowing custom headers.

Follow these steps:

1. Navigate to Resource Policies, Web, Custom Headers.
2. Create a policy.
3. Specify the IP address of the web portal resource that this policy applies to, with protocol specification, for example: https://192.0.2.123
4. Select the allow custom headers action.

Device Setup

In addition to Device Discovery, Devices can be created using the Manage Devices page, or by using CSV import.

This topic describes how to use the Manage Devices page to add devices.

• Prerequisites for Adding a Device

• Basic Info Configuration

• Tag Creation and Assignment

• Specify Access Methods

• Select Services

• Customize Terminal Access to a Device

• Transparent Login

• Edit a Device from a Policy

• Edit Targets from the Manage Devices Page

Prerequisites for Adding a Device

Access types might need to be set up before Device setup. These types include:

• Access Methods invoke a proprietary Java applet that is downloaded from Privileged Access Manager to a local client computer.

• TCP/UDP Services: See Create TCP/UDP Services for more information.

• Native Services invoke a resident application on a local client computer.

• Web Portals invoke an HTTP/HTTPS website. See Configure Automatic Login to Web Portals for more information.

• RDP Applications invoke a resident application on the target RDP Device. See RDP Applications Configuration for more information.

Basic Info Configuration

Follow these steps:

1. Log in to the UI.

2. Select Devices, Manage Devices.

3. To specify a new device, select Add.

4. Complete the fields on the Basic Info tab. Required fields are highlighted with a red asterisk.

Name: This field specifies the name that is displayed on the Access page. You can enter double-byte characters.

Address: The device IP address or FQDN.

• For FQDN, DNS must be set up properly on the Configuration, Network, Network Settings page.

• A specified FQDN can be no longer than 255 characters.

• If you are updating a Device that is imported from AWS, Azure, or VMware, an Override Address checkbox appears. To edit the Address, for example, to use a private IP address, select the Override Address checkbox.

Scan: Select this option to execute a port scan. The scan detects services that are configured. The detected services appear on the Access Methods and Services tabs.

Description: Enter an optional description.

Location: Enter an optional location. To help you organize your device list, you can sort entries in this column.

Operating System: Select the device operating system. To help you organize your device list, you can sort entries in this column.

Device Type: Select the functions that you want to apply to the device:

• Access for access to remote systems.

• Password Management for designating a device as a target device for credential management.

• A2A for Application-to-Application credential management. An A2A Client must be installed on the remote system. The following additional A2A fields are required:

o Active: Select Active to allow the A2A Client to receive credentials.

o Preserve Hostname: Select this box to prevent the host name of the request server from being overwritten each time the A2A Client registers. If you do not select this option, the existing host name can be overwritten.

5. Select OK.

Tag Creation and Assignment

Device tags are text strings of any form and length that you can use to group and search for Devices. Tags have no dependence on any other characteristics of those devices. You create a device tag within a specific device record. After it is created, you can copy the tag to other devices. Multiple tags can be assigned to a device, so it is possible to create a wide variety of groupings.

A tag is applied to a device record. How you apply a tag depends on whether the tag already exists or you are creating it:

• For an existing tag, select from the drop-down list of tags. An existing tag must be in use in at least one device record. Start typing and a list of available tags appears in the drop-down list.

• For a new tag, enter a tag name.

To view and edit tags, see Manage Tags.

The following guidelines apply when you tag devices and device groups:

• A device in a device group does not inherit the tag that is assigned to the device group.

• If a device and a device group have the same tag, CA PAM treats the single device as part of the device group: any policy that applies to the device group also applies to the device. Check for such tag collisions before assigning a tag to a group, because they extend the group policy to devices that were never added to the group.

Example of Using Tags: A number of devices use the Windows operating system, but some do not. For network maintenance purposes, you want to group all Windows devices. Tag each Windows device with the tag Windows. In the Manage Devices and Access pages, you can then search for "windows" to collect all instances.

Specify Access Methods

From the Access Method tab, specify the method by which users gain access to a device. The default methods are RDP, SSH, Telnet, and VNC. Mainframe licenses also provide the following methods: TN3270, TN3270SSL, TN5250, TN5250SSL.

Follow these steps:

1. Select the Access Methods option.

2. Select the plus sign to add a method.

3. In the Name field, select an access method from the pull-down menu.

The SSH access method can provide X11 forwarding using SSH. To enable X11 forwarding, select the X11 checkbox. For forwarding to work, the client computer must have a configured X11 server, such as OpenText Exceed.

Be aware of the following limitations with X11:

• The product supports keystroke logging and command filtering for all activities that are conducted within the SSH applet. However, the X11 server runs on the local client, so the product cannot provide graphical session recording or command filtering for the forwarded graphical application. Anything the user does inside a forwarded X11 application is therefore outside the session record.

• The X11 feature cannot currently be applied to device groups.

RDP has a Console checkbox to specify that access is through the device console interface.

4. Optionally, specify a Custom Name. The default Name is the Access Method (such as SSH). A custom name is required if a device uses the same access method on two different ports. For example, if a device listens for SSH connections on port 22 and on port 2200, you define an SSH access method for each port. Both access methods cannot have the same name, so at least one of them has to have a custom name. You can also use a custom name to have a non-standard name appear on the Access page for this method on this device.

5. In the Port field, accept the default port or specify a different port number.

6. Repeat the previous steps for each method you want added.

7. Select OK to save your selections, or continue to the next tab.

Select Services

Services are the way to customize access to devices.

Follow these steps:

1. Select the Services option.

2. For each Service you want, select the checkbox.

3. Select the arrow to move the services over to the Selected Services list.

4. Select OK to save your selections, or continue to the next tab.

Customize Terminal Access to a Device

Set up terminal access to a device so that any user receives an administrator-recommended screen presentation. Configuring the look of the terminal is helpful for users who do not know the ideal settings. A user can override this customization by specifying user-based terminal settings.

Follow these steps:

1. Select the Terminal option.

2. Configure each field using the pull-down lists. Most fields are self-explanatory. The "End to select" checkbox function is deprecated.

Transparent Login

Transparent login lets a user issue password-enforced commands whose passwords are unknown to the user. The user must be logged on to a target device to use transparent login.

The RDP and SSH services support transparent login. Support for the graphical RDP transparent login feature on Windows machines is on the Services page. Support for the SSH applet and the SSH proxy is also defined on the Services page. Specify one or both of the UNIX/Linux applications pbrun or sudo. When these applications are invoked, they are silently presented with valid managed credentials, effecting an automated transparent login.

To use sudo/pbrun at run time, specify a credential for auto-connection on the policy for this device, and select the Transparent Login checkbox.

Follow these steps:

1. Select the Transparent Login tab.

2. In the drop-down list, select sudo/pbrun. The sudo/pbrun fields appear.

3. In the Full Path field, enter the path on the target device where the application executable resides. For example, /usr/bin

4. In the Password Prompt field, specify a substring of the text that is presented to the user. The closer the string match that you provide, the greater the security: a short or generic substring can also be satisfied by text that sudo or pbrun did not produce, and the managed password would then be released in response to that text. For example, the full prompt to the user might be sudo password for user, where user represents the dynamically applied user name. The maximum literal that can be applied is then "sudo password for".

Command Strings for Transparent Login

You can also specify a set of command strings and a prompt. This feature is disabled by default for security reasons. To enable it, go to Configuration, Security, Access, and select Enabled for Command String.

To use the Command String feature, follow these steps:

1. Enable Command String on the Configuration, Security, Access page.

2. Select the Transparent Login tab.

3. In the drop-down list, select Command String. The Command String fields appear.

4. In the Authentication Prompt field, specify a substring of the text that is presented to the user. The closer the string match that you provide, the greater the security. For example, the full prompt to the user might be password for user, where user represents the dynamically applied username. The maximum literal that can be applied is then "password for".

5. Select the plus icon to add the actual command string. The user must match the command string exactly. To support shortened versions of the command string, add them as separate command strings. For example, "ENABLE" would be one command string, and "EN" would be another command string.

6. Select OK to save your settings.

7. Set up a Policy for the device and an account to use the transparent login feature. Unlike sudo/pbrun, auto-connect configuration is unnecessary for Command String transparent login.

The password from the specified target account is sent only when both of the following conditions are met:

• You type a string that exactly matches one of the specified command strings.

• SSH returns the specified prompt, whether you are using an SSH applet or the SSH proxy.
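The following model, added here as an example and not taken from the product, replays a constructed SSH session through the two transparent-login triggers described above: the sudo/pbrun Full Path and Password Prompt, and the Command String with its Authentication Prompt. The session text, user names and command strings are made up. It shows why the page says a closer prompt match is safer: with the full literal "sudo password for" only the genuine prompt releases the credential, while the shorter "password for" also releases it to an unrelated prompt that happened to follow a sudo invocation.

```python
import shlex

# Constructed model of the two transparent-login triggers the page describes.
# Example code, not the appliance's implementation; all session text is made up.


def sudo_pbrun_trigger(line, full_path="/usr/bin", apps=("sudo", "pbrun")):
    """sudo/pbrun mode: the typed line invokes one of the configured applications,
    either by bare name or by the configured Full Path (page example: /usr/bin)."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a well-formed invocation
        return False
    if not argv:
        return False
    cmd = argv[0]
    return cmd in apps or any(cmd == f"{full_path.rstrip('/')}/{app}" for app in apps)


def command_string_trigger(line, command_strings):
    """Command String mode: the typed line must equal a configured string exactly;
    shortened forms must be listed separately (page example: ENABLE and EN)."""
    return line in command_strings


def run_session(events, trigger, prompt):
    """Replay a session. `events` holds ('user', line) for a line the user entered
    and ('device', text) for text the target sent back.  The managed password is
    released only when (1) the most recent user line satisfied the trigger and
    (2) the configured prompt substring appears in device output before the user
    types anything else.  Returns the indexes of the events at which the password
    would be released."""
    armed = False
    released = []
    for i, (who, text) in enumerate(events):
        if who == "user":
            armed = trigger(text)
        elif armed and prompt in text:
            released.append(i)
            armed = False
    return released


# Constructed session: a genuine sudo prompt, then a prompt printed by some other
# program on the target whose text happens to contain the words "password for".
SESSION = [
    ("user", "sudo cat /etc/shadow"),
    ("device", "sudo password for alice: "),   # genuine prompt (index 1)
    ("user", "./reporting_tool"),
    ("device", "Enter password for backup: "),  # no sudo/pbrun typed first (index 3)
    ("user", "sudo -l"),
    ("device", "Enter password for backup: "),  # unrelated prompt after a real trigger (index 5)
]


def releases_for(prompt):
    """Which session events release the credential under a given Password Prompt."""
    return run_session(SESSION, sudo_pbrun_trigger, prompt)


if __name__ == "__main__":
    print("sudo password for ->", releases_for("sudo password for"))  # [1]
    print("password for      ->", releases_for("password for"))       # [1, 5]
```

Event 3 never releases the password under either prompt because no trigger command preceded it; event 5 shows the difference the prompt literal makes once a trigger has fired.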

Edit a Device from a Policy

An administrator can edit a Device from the Manage Policies page.

1. Open the Policy, Manage Policies page.

2. Select a Policy to update for a given Device.

3. Select the Manage Device button on the Policy window. The corresponding Device window appears.

Edit Targets from the Manage Devices Page

An administrator can add a Target Application from the Manage Devices page:

1. Select a Device from the list, then select the Manage Target Applications button. If the Device record is already open, you can select Save and Add Target Applications at the bottom of the Device window.

2. The Add Target Application window opens in front of the Target Applications List. The GUI controls are presented as they are on Targets, Target Applications.

3. When finished, select OK.

Access Methods

A Privileged Access Manager Access Method is a Java connection applet for a particular communication protocol. You activate Access Methods in Global Settings and then assign them to Devices.

• RDP Client Prerequisite

• Using Global Settings and the Device Template

• SSH SCP and SFTP File Transfer (Optional)

• Logging for File Transfer Transactions (Optional)

RDP Client Prerequisite

The RDP client applet supports TLS 1.2 connections and supports the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite. The RDP Client also supports forward secrecy using the following cipher suites:

• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

For the highest level of security, ensure that your RDP server (target Windows Device) is configured to use forward secrecy with TLS 1.2 communication. TLS_RSA_WITH_AES_256_CBC_SHA256 uses static RSA key exchange and provides no forward secrecy: if the server only offers that suite, a later compromise of the server's RSA private key exposes every recorded TLS session.

Note: You receive an error if Privileged Access Manager is in FIPS mode, but the remote desktop server does not offer a FIPS-compliant communication option to the RDP client: Cannot connect to <Target Server> because the server did not offer a FIPS-compliant option for communication. Ask your Administrator to verify the server configuration. <Target Server> is the hostname.

Using Global Settings and the Device Template

Access Method applets can be manually enabled using a two-stage process.

Allow the Access Method Through Privileged Access Manager

1. Select Settings, Access Methods.

2. Select the methods to be made generally available for device configuration.

This setting configures the "outer boundaries" of available methods. If any particular method is not Enabled, it is not available on any device.

Configure Access Method on a Specific Device

Assuming you have already configured the specific Device in Privileged Access Manager:

1. Select Devices, Manage Devices.

2. Locate the desired device, and click its line item to open its record.

3. In the Access Methods pane: From the Available Methods links, click a desired applet, add an optional Custom Name, and click Save. Repeat as necessary to allow more methods to be used. As each method is added, it appears in a vertical list below the Add links. Any previously configured method can be removed by clicking its Remove link.

4. When you are finished adding methods (and making any other changes to the Device record), click the Save button at the top or bottom of the record. Privileged Access Manager saves these settings and collapses the record back to a line item. When you open the record again, you see a line; click Edit to return to an editing view.

SSH SCP and SFTP File Transfer (Optional)

You can configure Privileged Access Manager to allow Users to SCP or SFTP files while connected through the SSH Access Method. The SSH Access Method uses the Privileged Access Manager client MindTerm applet, and can record these transactions.

The MindTerm applet command line window has a 512-column by 512-row limit. If you require a larger window, you can use PuTTY with Create TCP/UDP Services.

Administrator Setup

To provide every user that has a provisioned SSH Access Method applet the ability to SCP or SFTP file transfer:

1. Log in to Privileged Access Manager as an administrator (for example, as "super").

2. Navigate to Global Settings.

3. In the Applet Customization panel, click Configure Terminal Settings to open its interface.

4. In the SSH Terminal File Transfer drop-down list, select Enable SCP/SFTP.

5. At the bottom of the page, click Save Global Settings.

6. Set up a Policy for the User that permits use of the SSH Access Method to the applicable target Devices.

User Experience

When SSH Terminal File Transfer has been enabled as noted in Administrator Setup, the user has access to the SCP and SFTP file transfer features as described in the following procedure:

1. Log in to Privileged Access Manager as a User permitted to execute the SSH Access Method.

2. Navigate (if necessary) to the Access page.

3. Click an SSH Access Method to open a MindTerm applet to its configured target Device.

4. In the MindTerm Java applet window (labeled with your Device Name), select Plugins, SCP File Transfer to open a file transfer window.

5. Use the MindTerm – SCP (Internal_IP_address) applet file transfer window to perform any of these functions:

o Use the arrow buttons between the directory content lists to move files between the Local System (your client computer) and the Remote System (target Device).

o For each of the two system directories:

  Double-click [..] to jump to the parent directory, or [directory_name] to enter it

  ChDir – for a pop-up window allowing you to specify a directory to jump to

  MkDir – for a pop-up window allowing you to make a new directory

  Rename – for a pop-up window allowing you to change the name of the selected directory

  Delete – to delete the currently selected file or directory

  Refresh – to reload the current directory

Logging for File Transfer Transactions (Optional)

This table describes the log entries that file transfer transactions produce.

GUI Button   Log Entry Syntax
--> put      Upload localpath/filename* (size) to remotepath/filename as user remote user
<-- get      Download localpath/filename* (size) from remotepath/filename as user remote user
ChDir        (no log entry)
Delete       alert [Remote | Local] [file | folder] pathname has been deleted by user remote user
MkDir        alert [Remote | Local] folder pathname has been created by user remote user
Refresh      (no log entry)
Rename       alert [Remote | Local] [file | folder] path/old name has been renamed to path/new name by user remote user

* A directory (with or without files) can also be copied, but that action itself is not logged. Files within copied directories are each copied and logged.
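A parser for the entry syntax in the table above, added here as an example rather than taken from the product, turns these lines into structured events and picks out the ones that changed the target device. The sample lines are constructed. Two details of the syntax are not pinned down by the table and are assumed here: the text inside the size parentheses is taken as anything without a closing parenthesis, and the user name is taken as a single token without spaces.

```python
import re

# Patterns for the log entry syntax in the table above.  Assumptions for this
# example: size is any text without ')', and the user name has no spaces.
# Each entry is (action, compiled pattern); the first match wins.
_PATTERNS = [
    ("upload", re.compile(
        r"^Upload (?P<local>.+?) \((?P<size>[^)]+)\) to (?P<remote>.+?) as user (?P<user>\S+)$")),
    ("download", re.compile(
        r"^Download (?P<local>.+?) \((?P<size>[^)]+)\) from (?P<remote>.+?) as user (?P<user>\S+)$")),
    ("delete", re.compile(
        r"^alert (?P<side>Remote|Local) (?P<kind>file|folder) (?P<path>.+?) "
        r"has been deleted by user (?P<user>\S+)$")),
    ("mkdir", re.compile(
        r"^alert (?P<side>Remote|Local) folder (?P<path>.+?) has been created by user (?P<user>\S+)$")),
    ("rename", re.compile(
        r"^alert (?P<side>Remote|Local) (?P<kind>file|folder) (?P<old>.+?) "
        r"has been renamed to (?P<new>.+?) by user (?P<user>\S+)$")),
]


def parse_entry(line):
    """Return {'action': ..., <named fields>} for a file-transfer log entry, or
    None for any other line.  ChDir and Refresh never produce an entry, and a
    directory copy is only visible through the per-file Upload/Download lines."""
    line = line.strip()
    for action, pat in _PATTERNS:
        m = pat.match(line)
        if m:
            return {"action": action, **m.groupdict()}
    return None


def parse_log(lines):
    """Parse every recognised entry in an iterable of lines, skipping the rest."""
    return [e for e in map(parse_entry, lines) if e]


def remote_changes(events):
    """Events that altered the target device's filesystem: uploads, and deletes
    or renames on the Remote side.  Downloads and Local-side actions touch only
    the user's client computer and are left out."""
    return [e for e in events
            if e["action"] == "upload"
            or (e["action"] in ("delete", "rename") and e.get("side") == "Remote")]


# Constructed sample log, not real appliance output.
SAMPLE_LOG = [
    "Upload /home/alice/tools/fix.sh (2048) to /opt/app/bin/fix.sh as user appadmin",
    "Download /home/alice/dump/shadow (1311) from /etc/shadow as user root",
    "alert Remote file /var/log/auth.log has been deleted by user root",
    "alert Local folder /home/alice/dump has been created by user root",
    "alert Remote folder /root/.ssh has been renamed to /root/.ssh.bak by user root",
    "Some other appliance message",
]

if __name__ == "__main__":
    for event in remote_changes(parse_log(SAMPLE_LOG)):
        print(event)
```

Because ChDir and Refresh leave no entry and directory copies are logged only file by file, a reviewer reconstructing a session from these lines alone sees the files moved but not the directory navigation around them; the session recording is the place to look for that.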

Device Group Setup

You can group devices that share common access methods and functionality. Though any devices can be members of a device group, group together functionally similar devices. Before you can add a device to a group, you must first configure the device with Password Management as its device type. When using device groups, the action deny takes precedence, unless otherwise specified. A service is available at the group level only if it is available at the device level. The most restrictive policy is used when a conflict arises.

The following topics apply to device groups:

• Credential Sources for Device Groups

• Add or Modify a Device Group

• Create an AWS Device Group for Linux/UNIX Devices

• Edit a Device Group from the Manage Policies Page

Credential Sources for Device Groups

A credential source is a particular target device or set of devices that stores user credentials. An Active Directory server is an example of a credential source. If you specify a credential source for a device group, CA PAM can find the credentials that are applicable to devices in that device group. CA PAM uses these credentials to enable a user to log in to any device in the group.

Using Multiple Credential Sources

You can assign more than one credential source to a particular device group. If you configure multiple credential sources, CA PAM gathers all available credentials from all sources. The appliance then creates a combined list of target accounts for a specific set of users or for many users and applications.

A device group does not have to include the credential source device. If you exclude the credential source from the group, you avoid creating a policy that provides direct access to the credential source. Instead, the group contains only the devices that rely on the credential source for authentication. Credentials from any target account that is associated with any credential source can be used to access any device group member, so every account on every source is reachable from every member of the group.

Using Credential Sources in a Policy

When you configure a policy for a device group, all accounts from the multiple credential sources are available for selection. When a user initiates a connection, these administrator-selected options are presented so that the user can select one. You can use all access methods and services configured for the devices in a device group with one or more credential sources.

Add or Modify a Device Group

1. On the Devices, Manage Device Groups page, select Add. The Add Device Group window opens.

2. Enter a Name and Description for the group. Double-byte characters are supported.

3. If you are using AWS, select the AWS Provision Type. AWS groups are determined by settings in Configuration, 3rd Party, AWS. For AWS, the Device Group acts as a container for Devices that are created as a result of an import of AWS devices. Each device should have a tag Key of "PamGroups" and a Value of "[CA PAM Group Name]". Following import, the group cannot be deleted unless the 3rd Party, AWS Configuration is cleared or the group becomes empty. The group is updated according to the schedule in the AWS Configuration.

4. Optionally, select one or more Credential Sources from the available device list.

5. Optionally apply tags on the Tags tab, if available.

6. On the Access Methods and Services tabs (for Access Type members), select the Access Methods and Services to enable for group members.

7. On the Enable tab, you can:

• Provide Credentials for 'Always Prompt For Password': If a Windows device has this setting, you can automatically provide obfuscated credentials.

• Handle 'Legal Notice' on Logon Screen: Select this option to handle the "Legal Notice" during login. This option only works when Provide Credentials for 'Always Prompt for Password' is enabled.

Create an AWS Device Group for Linux/UNIX Devices

In AWS, Linux and UNIX instances use AWS Key Pairs. If all instances in a planned Device Group use the same key pair, group policy can be provisioned to use that key pair for auto-connection.

1. Create an AWS Type Device Group.

2. Assign AWS-instance-imported Devices to it, all of which use the same key pair.

3. Create a policy with that Device Group.

4. From the SSH applet credential pop-up box, select the key pair that is held in common. This key pair is used for auto-connection for any Device in the group.

Edit a Device Group from the Manage Policies Page

An administrator can edit a Device Group record by invoking it directly from the Manage Policies page.

1. Open the Policy, Manage Policies page.

2. Populate the Device (Group) field with a record name.

3. Double-click the name to display its editing template in a shadow box window.

4. When finished, select Save (or Cancel) to return to the Manage Policies page.

Set up Command Filter Lists (CFL)

Command filtering, like Socket Filters, uses whitelists and blacklists to set the appropriate policy.

• A blacklist is a list of commands that a user cannot type. If the user attempts to type the command, Privileged Access Manager can flag (log), alert, remediate, and stop the command from being processed. All other commands are allowed.

• A whitelist is a list of the commands that a user can type. All other commands are prohibited. Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.

Create Command Filter Lists (CFLs) in the user interface using the CFL template or by importing a CSV.

Use the CFL Template

Use the following procedure to create and manage Command Filter Lists using the CFL template.

Follow these steps:

1. Select from the Menu Bar: Policies, Manage Policy Filters.

2. The Command Filters page appears.

3. Select the ADD button. The Add Command Filter window appears.

4. Enter a Name for this command filter list.

5. Specify the Type of list:

• A Blacklist denies only the listed command strings. If a user submits a CLI command to a device that is on the blacklist, the user request is denied. This denial applies per character: as soon as enough characters (of a literal Keyword or a Regexp) have been entered to match a violation criterion, the specified action (Alert/Block) is applied. You must configure a policy for this user that specifies the blacklist.

• A Whitelist allows only the listed command strings. If a user submits a CLI command to a device that is on the whitelist, the command is allowed. This allowance applies per line string entered: the permission test is made following a linefeed/Enter/carriage return. You must configure a policy for this user that specifies the whitelist. Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.

6. Select the plus icon to Add a new Keyword.

7. In the Keyword field, enter a command string. Depending on which type of list you are creating:

a. If you are creating a blacklist, then for each Keyword to test, you must select one or more controls:

• Alert – Select this box to alert the Monitoring administrator immediately by email with each instance of Keyword violation.

• Block – Select this box for the command line containing the Keyword to be canceled immediately, and prevented from executing.

• Regexp – Select this box if the Keyword field specifies a regular expression to be applied to the actual command entered. Whenever a command that is entered by the User conforms to the regexp, the command is flagged as a violation.

When both Regexp and Alert are selected, the body of the alert message does not include the Keyword regular expression string, for security reasons. Select at least one of the three checkboxes or the Keyword has no effect.

Important: When populating the Keyword field for a blacklist using Regexp, begin with a start-of-line metacharacter, typically ^. However, because a blacklist keyword string is evaluated character by character, the end-of-line metacharacter (ordinarily: $) is never interpreted and is therefore unnecessary.

Example: Match (prevent) a user key entry of exactly who -a. Fill the Keyword field with one of the following regular expressions:

• Correct: ^who -a

• Correct: ^who -a$

However, each of the following regular expressions does not work correctly:

• Incorrect: who -a

• Incorrect: who -a$

b. If you are creating a whitelist, then for each Keyword to test, you can select:

• Regexp – Select this box if the Keyword field specifies a regular expression to be applied to the actual command entered. The regular expressions that are permitted follow the syntax that is supported by the Perl-based Oracle® java.util.regex API. The command succeeds only when it conforms to one or more of the regexps or commands in this whitelist.

When populating the Keyword field for a whitelist using Regexp, it does not matter whether you include the start-of-line (ordinarily: ^) or end-of-line (ordinarily: $) metacharacters. These metacharacters are implied: the string that the user enters is automatically anchored by both of them.

Example: Match (allow) a user entry of exactly who. Enter Keyword field content of any of the following regular expressions:

• Correct: who

• Correct: ^who

• Correct: ^who$

• Correct: who$

Example: [Ll][Ss] + This regular expression permits variations of uppercase or lowercase on the UNIX command ls, but requires that a space be added for the expression to be accepted.

Example: [Ll][Ss] +\-[LlAa][LlAa]? This regular expression is a variant of the previous example, based on ls -al, in which uppercase and lowercase are again permitted. The order of the two characters a and l is arbitrary (the character class also accepts a single letter, or the same letter twice), and two or more spaces are required between the command and its argument. Because the command filter string is anchored by start-of-line and end-of-line metacharacters, trailing spaces are prohibited in this example.

8. Select the OK button to save the settings. The list is now effective in Privileged Access Manager, and available for inspection or editing on the Command Filter list page.
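The two evaluation modes described in steps 5 and 7 behave quite differently, and the model below, added here as an example and not the product's own matcher, makes that concrete: blacklist keywords are tested against the growing line buffer on every keystroke, so a match fires before Enter and a trailing $ is satisfied the moment the rest of the pattern is; whitelist keywords are tested once per line with both anchors implied, so "who" is accepted but "whoami" and "who " are not. The filter lists are constructed for the example and use the page's own regexps. Two caveats: Python's re module is used in place of java.util.regex (the two agree on everything used here), and the model anchors every blacklist test at the start of the buffer, so it does not reproduce why the page marks the un-anchored "who -a" as incorrect; it only demonstrates the forms the page marks correct. Note also that the page's second whitelist regexp, as printed, requires one or more spaces (" +") between ls and its argument; the test below accepts a single space accordingly.

```python
import re

# Constructed command filter lists for this example (not product data).  Each
# entry is (keyword, regexp_flag), mirroring the Keyword field and Regexp box.
BLACKLIST = [
    ("^who -a", True),     # the page's "correct" blacklist form: begins with ^
    ("^rm +-rf", True),    # rm, one or more spaces, -rf
    ("shutdown", False),   # literal keyword, Regexp box not selected
]
WHITELIST = [
    ("who", True),
    ("[Ll][Ss] +", True),                  # page example: ls in any case, then spaces
    (r"[Ll][Ss] +\-[LlAa][LlAa]?", True),  # page example: ls -al, letters in either order
    ("exit", False),
]


def _compile(keyword, is_regexp):
    """A literal keyword is escaped so that characters such as '.' or '*' in it
    are matched as typed rather than read as regex syntax."""
    return re.compile(keyword if is_regexp else re.escape(keyword))


def blacklist_violation(keystrokes, entries):
    """Model of per-character blacklist evaluation.

    The line buffer grows one keystroke at a time and every entry is tested
    against the buffer so far, anchored at its start (re.match).  Returns
    (keystroke_index, keyword) for the first violation, or None if Enter was
    reached without one.  Because the test runs on every keystroke, a trailing
    $ in a keyword is satisfied as soon as the rest of the pattern is, which is
    why the page says $ adds nothing in a blacklist.
    """
    compiled = [(_compile(k, r), k) for k, r in entries]
    buf = ""
    for i, ch in enumerate(keystrokes):
        if ch in "\r\n":
            buf = ""  # Enter starts a fresh line buffer
            continue
        buf += ch
        for pat, keyword in compiled:
            if pat.match(buf):
                return i, keyword
    return None


def whitelist_allows(line, entries):
    """Model of whitelist evaluation: the complete line is tested once, on Enter,
    with ^ and $ implied (re.fullmatch), so writing them explicitly changes
    nothing and a trailing space fails the test."""
    return any(_compile(k, r).fullmatch(line) for k, r in entries)


def filter_session(typed_lines, blacklist, whitelist):
    """Run each typed line through both lists and report what a session would
    see: 'blocked@<n>' when a blacklist keyword fires at keystroke n (the rest
    of the line is never sent), otherwise 'allowed' or 'denied' by the whitelist."""
    results = []
    for line in typed_lines:
        hit = blacklist_violation(line + "\n", blacklist)
        if hit:
            results.append(f"blocked@{hit[0]}")
        elif whitelist_allows(line, whitelist):
            results.append("allowed")
        else:
            results.append("denied")
    return results


if __name__ == "__main__":
    print(filter_session(["who", "whoami", "rm -rf /tmp/x", "exit"], BLACKLIST, WHITELIST))
```

A practical consequence of the per-character model worth checking against your own lists: "^who -a" also fires on "who -all", because the buffer "who -a" matches before the user finishes typing, and no later character can undo a violation that has already been raised.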

Search Command Filter Lists

You can search existing command filter lists for matches to a character substring by using the Search field. This search flags a list when there is a match in its Name field, and when there is a match in any of the Keyword fields for that list.

Apply Global Settings

The Global Settings page includes the master provisioning settings for Privileged Access Manager. Credential Manager specific settings, however, are in a separate location.

The Settings, Global Settings page contains options that let you customize functions for all Users and Devices. The tabs allow customization of global user policies, such as passwords and access methods.

To save the settings, select the Save button at the bottom of the page. The screen refreshes to display the updated configuration and the "Global Settings Saved" text appears on the screen. The login page has a non-configurable timeout of 3 minutes. This time is for the life of the page itself, not the Login Timeout setting for logged-in idle time. After that time, the page must be refreshed before Privileged Access Manager accepts a login.

• Basic Settings

• Passwords

• Accounts

• Warnings

• Applet Customization

• Client Settings

• SAML

• CA Threat Analytics

• Default Preferences

Basic Settings

The basic settings include:

• Default Auth Method (Login Page): Specify the default authentication method that appears on the login page from the following values. At least one user must be created with that authentication method before this option becomes available. The options are:

o Local

o LDAP

o RSA

o RADIUS

o TACACS+

o PKI-CAC

o LDAP+RSA

o LDAP+RADIUS

• Default Page Size: The number of Device line items shown when a user first reaches the Access page after login.

• Login Timeout: Set the number of minutes of inactivity before your connection to CA PAM times out. Activity is communication between the client user and CA PAM, including connections to targets. A timeout requires you to log in again with your username and password. Set to zero for no timeout.

• Applet Timeout: Set the number of minutes of inactivity before a session (such as Telnet, SSH, Virtual Machine) with an external device times out. In that case, you must connect to that device again. Set to zero for no timeout; even then, a session times out after 48 hours.

• Table Refresh Interval: Set the default refresh interval, in seconds, for Discovery Scan tables. The default interval is 60, and 0 indicates no refresh.

• Scan Purge Interval: Set the number of days to keep Discovery scans.

• Default Device Type: Define the default template that is provided when a Device is added manually. The choices can be overridden on the template itself.

o Access: Default: Initially active and selected.

o Password Management: Checkbox is active only with a Password Management license.

o A2A: Checkbox is active only with an A2A license.

• External API Buttons

o Enable: Show and activate the Try It Out test button at the bottom of every API page in the API Doc. The Try It Out button enables external API calls from that page. This option is activated by default, but the Enable External REST API option in Configuration, Security, Access is not. To prevent external API calls from that page, clear the Enable checkbox for the Enable API Buttons setting.

Passwords

You can customize the password requirements for Local users by changing these fields. Other authentication method password policies are enforced by their own infrastructure, and CA PAM cannot control them. Unlike other accounts, the super account never expires. Super is not deactivated, even if the password failure limit is activated.


• Security Level: Set the level of password security you require for User passwords:

o 0 - New Password: The new password must be different from the previous password.

o 1 - 0+ Length Constraints: Level 0, and the password length must be between the Minimum Password Length and the Maximum Password Length, which are defined on this page.

o 2 - 1+ Require [a-zA-Z0-9]: Levels 0 and 1, and the password must have both an alphabetic character and a digit.

o 3 - 2+ Both Upper and Lower Case: Levels 0, 1 and 2, and the password must have both an upper-case and a lower-case alphabetic character.

o 4 - 3+ Special Character: Levels 0, 1, 2 and 3, and the password must contain a special character such as: !, @, #, $, %, ^

o 5 - DoD strong password: DoD requires a minimum of 15 characters. There must be at least:

  Two uppercase letters
  Two lowercase letters
  Two integers
  Two special characters, such as: !, @, #

• Minimum Length: If the Password Level is 1 or above, set the minimum password length.

• Maximum Length: If the Password Level is 1 or above, set the maximum password length.

• Change Interval (Days): Set the number of days between forced password changes for all users.

• History: Set the number of recent passwords that cannot be reused.

• Failure Limit: Set the number of failed login attempts before a user account is deactivated.

• Failure Counter Reset (Minutes): Set the number of minutes for which an account is deactivated after exceeding the Failure Limit.
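As an added illustration of the Security Level ladder and the Failure Limit / Failure Counter Reset behaviour described above, the following Python models the checks an enforcement point would make. This is example code written for this page, not Privileged Access Manager's own implementation. The special-character set, the default lengths, the function and class names, the treatment of level 5 as also requiring levels 0 to 4, and the handling of the super account (counted but never locked, following the statement above that super is not deactivated) are assumptions drawn from the descriptions, not from the product.

```python
"""Password-policy and lockout model (added example; not product code)."""
import string
import time

# Assumption: any ASCII punctuation counts as a "special character".
SPECIALS = set(string.punctuation)


def check_password(new, history, level, min_len=8, max_len=64):
    """Return the list of violated rules for a candidate password.

    Levels are cumulative, as in the Security Level table: level N also
    applies every rule of the levels below it.  `history` holds the recent
    passwords that the History setting forbids reusing (at minimum the
    previous password).  An empty list means the password is acceptable.
    """
    problems = []
    # Level 0: the new password must differ from the previous one(s).
    if new in history:
        problems.append("reuses a recent password")
    # Level 1: length constraints (Minimum/Maximum Length settings).
    if level >= 1 and not (min_len <= len(new) <= max_len):
        problems.append(f"length must be between {min_len} and {max_len}")
    # Level 2: at least one letter and one digit.
    if level >= 2 and not (any(c.isalpha() for c in new)
                           and any(c.isdigit() for c in new)):
        problems.append("needs both a letter and a digit")
    # Level 3: mixed case.
    if level >= 3 and not (any(c.isupper() for c in new)
                           and any(c.islower() for c in new)):
        problems.append("needs both upper-case and lower-case letters")
    # Level 4: a special character.
    if level >= 4 and not any(c in SPECIALS for c in new):
        problems.append("needs a special character")
    # Level 5: DoD strong password, 15+ characters and two of each class.
    if level >= 5:
        if len(new) < 15:
            problems.append("DoD level requires at least 15 characters")
        counts = {
            "uppercase": sum(c.isupper() for c in new),
            "lowercase": sum(c.islower() for c in new),
            "digit": sum(c.isdigit() for c in new),
            "special": sum(c in SPECIALS for c in new),
        }
        for name, n in counts.items():
            if n < 2:
                problems.append(f"DoD level requires at least two {name} characters")
    return problems


class LockoutTracker:
    """Failure Limit / Failure Counter Reset behaviour.

    After `failure_limit` consecutive failures an account is deactivated for
    `reset_minutes`; once that window has passed the counter starts again
    from zero.  Accounts in `exempt` are counted but never locked (the text
    says the super account is not deactivated).  `now` is a Unix timestamp in
    seconds so the logic can be driven deterministically from a test.
    """

    def __init__(self, failure_limit=5, reset_minutes=30, exempt=("super",)):
        self.failure_limit = failure_limit
        self.reset_seconds = reset_minutes * 60
        self.exempt = set(exempt)
        self.failures = {}      # user -> consecutive failure count
        self.locked_until = {}  # user -> timestamp at which the lock expires

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock window elapsed: clear it and reset the failure counter.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now=None):
        """Register a failed login; return True if the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.failure_limit and user not in self.exempt:
            self.locked_until[user] = now + self.reset_seconds
            return True
        return False

    def record_success(self, user):
        """A successful login resets the consecutive-failure counter."""
        self.failures.pop(user, None)
```

The returned list names every rule the candidate fails, which is what an administrator needs when deciding which of the Minimum Length, History or Security Level settings is producing the rejections users report.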

Accounts

• Disable Inactive After (Days): Set the number of days after which inactive user accounts are disabled. When a database is restored from a backup that is older than this time limit, the restored accounts are disabled.

• Remove Disabled After (Days): Set the number of days from when an account is disabled until it is deleted.

• Forced Deactivation Alert: Select an administrator to receive an alert when a user is deactivated. Monitoring must be configured for this feature to function.

Warnings

Two optional warning messages can be applied to users. They can be customized to reflect individual company policies. The License Warning box scrolls to accommodate a long message. Upon setting either option, a text field appears in which you can customize the warning message.

• Show License Warning: Set this option to display the specified warning text on the login page for all users. Double-byte characters such as those used for traditional Chinese are supported for warning messages. Select User must accept license to require each user to accept the license.


• Show Recording Warning: Set this option to display the specified notification when a user opens a recorded applet or service session. For example, when a user opens an SSH console, the following warning appears in the window title bar and in the console: "Warning you are being monitored."

The Show Recording Warning option is ignored for applet sessions that are made by users who are a member of any user group, deferring to the Applet Recording Warning setting specified for the group or groups. This global setting applies to all TCP/UDP and RDP service sessions.

The specified message text is also used for applet recording warnings, even if the Show Recording Warning option is not set.

Applet Customization

The Applet Customization tab allows specification of the default terminal display characteristics for all users and all devices. These settings apply to Telnet and SSH applets, and include a switch to allow or disallow copy-and-paste text buffering.

• An administrator can override the defaults on a per-device basis by changing the Terminal Type, Key Mapping, and Terminal Customization settings for individual devices.

• A user can override the defaults by changing the SSH and Telnet CLI Terminal Customization on the User Information page.

Clicking the Configure Terminal Settings link button brings up a submenu with various terminal settings that you can define on a global basis. These settings are the systemwide default settings. Any terminal customization that is made at the user, user group, device, or device group level takes precedence. User terminal customization supersedes Device terminal customization, which in turn supersedes global terminal customization.

• Character Encoding: Default: UTF-8

• Font Family: Default: Monospaced

• Font Size: Default: 12

• Cursor Foreground: Default: #33ff33

• Foreground Color: Default: #ffffff

• Background Color: Default: #000000

• Terminal Size: Default: [80,24]

• Buffer Size: Default: 100

• Scroll Position: Default: Left

• RDP Keyframes Duration: The keyframe duration determines how RDP is compressed. A small keyframe duration is equivalent to more frequent full frames of video data. The increased frequency results in a larger file, but allows a more rapid seek in the RDP viewer. For sessions using RDP 6.1, file size can be reduced significantly by increasing the keyframe duration. Reductions to about half the size have been observed.

o Small (Fast Seek/Large File): Default
o Medium
o Large
o X Large (Slow Seek / Small File)


• Web Recording Quality: Specify the color depth and frame rate to use when recording a web portal session:

o High: 24 BPP / 7 FPS (default)
o Medium: 16 BPP / 5 FPS
o Low: 8 BPP / 3 FPS

• Applet Copy Paste: Enable the use of copy and paste within any applet. This feature activates an Edit menu with Copy and Paste commands in the applet window. When this option is disabled, the Edit tab is still visible but it is dimmed.

• RDP Drive Mapping: When you enable this feature, a mouseover popup appears with a list of the mapped client Windows drives. Each available drive can be selected for mapping using a checkbox.

• SSH Terminal File Transfer: When "Enable SCP/SFTP" is selected, the MindTerm-based SSH Access Method applet provides the menu items "Plugins, SFTP File Transfer" and "Plugins, SCP File Transfer". Each menu item opens a new applet window that provides an SFTP or SCP file transfer interface.

• Transparent Login Cache: After using the Learn Tool and testing transparent login configurations, you can enable the Transparent Login Cache. This feature caches the Learn Tool, the Transparent Login Agent, and the Control Viewer on the RDP server. On subsequent connections to that Windows target, the load times for these applications are reduced.

• Retrieve Public Address: An administrator can enable or disable retrieval of the user's public address by the Java applet Access Agent. After a user logs in to CA PAM, the Java Applet Access Agent is downloaded to the user desktop. The applet retrieves the address of the gateway that is used for external access, for auditing and for the VMware NSX feature. In some environments, this behavior is not desirable. The Retrieve Public Address setting lets administrators disable this feature.

Client Settings

Use these settings to control distribution and use of the CA PAM Client.

• Operating Mode: Select "Enabled" to allow CA PAM Clients to log in to this appliance.

• Distribution Method: Select "Internet (CA Delivery Network)" to allow CA PAM to use the CDN to deliver client installers (following requests from the GUI login page). Select "Intranet" to specify a CDN-conforming server to deliver installers, and enter it in the text box.

• Download Button on Login Page: Select "Enabled" to display and activate the Download CA PAM Client buttons. These buttons appear below the white panel on the login page.

SAML

Use these settings to adjust SAML Web SSO authentication.

• Require Inherited SAML Auth: Select this option to force the inheritance of the user record Authentication setting on all members of a User Group. All group members inherit the setting regardless of whether individual authentication settings are set to "SAML". This setting is selected by default.

• SAML Re-authentication Period: Set the number of minutes of inactivity before a SAML session times out. The session is between the RP and CA PAM acting as an Identity Provider. After a timeout, the next SSO request requires the user to log in again. Default: 60 minutes


Default Preferences

You can customize how Privileged Access Manager displays dates and times in the UI. Dates are stored in UTC, but can be displayed in the time zone specified for the user. Selecting a custom time zone can only be done through the GUI. This tab sets Default Preferences for all users, while User Information Preferences set preferences only for the logged-on user.

• Select a Date Format, such as MM/DD/YYYY.

• Select a Time Format, such as 12 or 24 Hour.

• Select a Time Zone Region, then a Time Zone.

The Server Time is always displayed in UTC. If the user saves any changes, they are reflected in User's Current Time. Modifications do not take effect until the next login session.

Configure Network Connections for the Appliance

After you set up the hardware appliance, configure the IP network interfaces so the appliance can access a network. You can set up your network connections using the LCD panel, the CA PAM UI, or a Console port. The appliance is inaccessible to the network until its IP address is assigned.

• Use the LCD Panel to Configure Network Connections

• Use the UI to Configure the Network Connections

• Use the Console Port to Configure Network Connections

Use the LCD Panel to Configure Network Connections

The LCD panel on the front of the appliance provides the interfaces to complete the initial hardware setup and network configuration. The LCD panel is a two-line, 16-character-per-line LCD display.

To connect to a device that cannot auto-negotiate speed or duplex mode, such as older switches and hubs, use the UI.

Using the LCD Panel Menu

Familiarize yourself with the LCD Menu on the front of the hardware appliance. The menu allows for basic network configuration of the device.

The LCD Menu Control has four buttons under the LCD Menu Panel, from left to right: < ^ v >. These buttons function as follows:

Button            Functions
< (left arrow)    • Move Left
                  • Undo/Cancel
> (right arrow)   • Move Right
                  • Enter/Confirm
^ (up arrow)      • Move up
                  • Increase value
v (down arrow)    • Move down
                  • Decrease value

Older hardware appliances have an ENTER and an ESC button instead of the left and right arrows. Use the ENTER button to move right or to confirm an entry. Use the ESC button to move left or undo an entry.

The LCD menu includes the following options to operate the appliance:

Network Setup

This option allows the installer to provide the required network configuration to get the appliance operational. Use the Up or Down arrows to navigate through the menu.

Menu item 1:
  Network Setup

Reset Password

This option resets the configuration password to the default password. Select the left arrow and the password is reset. A message displays after a successful reset.

Menu item 2:
  Reset Password
After selecting >:
  Password reset!
After about 30 seconds:
  Reset Password

Reboot

This option reboots the appliance. After you power down and restart the appliance, the LCD displays the Network Setup screen.

Menu item 3:
  Reboot
After selecting >:
  Rebooting...
After about 60 seconds:
  Shuts down, boots up

Power Off

This option turns off the power, displaying the following message:

Menu item 4:
  Poweroff
After selecting >:
  Powering off...
After about 30 seconds:
  Shuts down

The power switch remains in the "on" position, but you can switch it off.

Halt

The Halt command stops all processes. The power is still on, but the device is unusable because all processes are stopped. The LCD has the following display:

Menu item 5:
  Halt
After selecting >:
  Halted.
After about 15 seconds:
  Shuts down

Use the Halt command when the power must remain on. For example, if a monitoring system raises alarms due to power loss, use Halt.

Turn On FIPS

This option turns on FIPS mode. FIPS mode is fully compatible with PKI smartcard use, including the US DoD CAC system.

The LCD Menu option turns on the FIPS flag and reboots the appliance when it switches to FIPS mode.

• Use FIPS mode only when applicable. After FIPS mode is activated, the LCD is no longer available for configuration. Use the UI to make all subsequent changes.


• To operate with socket filters in FIPS mode, the monitored devices must have release 2.7 or later Socket Filter Agents (SFAs).

• If for any reason FIPS activation fails, the LCD displays: PATCH FAILED / UPGRADE ABORTED. If this failure happens, the appliance cannot be revalidated until after it is returned to CA Technologies.

Menu item 7 (if set):
  Turn on FIPS
After selecting >:
  [several process messages]
  Reboot -> in FIPS mode

Basic Network Configuration Using the LCD Panel

After the appliance powers up, perform the basic network configuration using the menu on the LCD panel. The following steps assume that you have installed the appliance.

Follow these steps:

1. Connect the desired number of Ethernet cable connections to ports 1 through 8 on the appliance. These ports correspond to GB1 through GB8 in the LCD and UI interfaces.

2. Connect the power cord, first to the appliance and then to an outlet.

3. Power up the appliance:
   a. Turn on the power switch on the back of the appliance. Hold the switch until the unit powers on.
   b. Verify that the LCD is lit, indicating power.
   During power-up, the menu cycles through several message screens until boot is complete.

4. Navigate to the Network Setup menu item on the screen, and press the right arrow (>). The first screen is the Default Gateway:
   Default Gateway
   000.000.000.000

5. To configure the Default Gateway IP address, set the value of a digit for each digit position in the address. Use the up and down arrows to go through and select an integer from 0 to 9. Move to the other positions in the IP address using the > (forward) or < (backward) arrows. Complete this process for each address you want to configure.
   Each octet is expressed on the display using three digits. For each octet that is less than 100, the leading characters are zero. For example, the address 10.44.146.3 is expressed on the LCD as 010.044.146.003.
   These settings are saved when you select the Save option later in the procedure. For the settings to take effect after saving, the appliance must first be rebooted.

6. After you have set the last position in the IP address, press > to go to the next screen, Interface Setup. To cancel the Network Setup and return to the Network Setup menu, press the left arrow.

7. Press > to go to the Pick Interface screen. This screen shows the interfaces available for configuration.
   a. Use the arrows to select the label GB1 through GB8 corresponding to the label of the desired Ethernet port (1 through 8).
   b. Use the up and down arrows to go through and select an integer from 0 to 9.
   c. Press > to set the IP address for the selected interface.
   g. After setting the interface, enter the netmask for the same interface, on the Netmask for GBn screen.


   h. At the final Interface Setup screen, enter one of the following options. Use the up and down arrows to position the arrow on the option and press > to enter this selection.
   Interface Setup
   Cont/Sav/eXit C

   • Select Cont (Continue) to repeat the procedure for another interface.
   • Select Sav (Save) to save your configuration.
   • Select X (exit) to discard all network settings that you configured after the last save and restore the previous settings.

   The LCD returns to the Network Setup display.

8. From Network Setup, navigate to Reboot, and press the forward arrow (>). The appliance reboots and is ready for configuration.

Use the UI to Configure the Network Connections

An alternative to the LCD panel for network setup is the CA PAM UI. If your device is unable to auto-negotiate speed or duplex mode, use the UI to configure the network connection.

The following steps assume that you have installed the appliance.

Follow these steps:

1. Configure a PC with a static IP address of 192.168.98.x, where x is not 100. The IP address of GB1 as shipped is 192.168.98.100.

2. Connect this PC directly to port 1 on the front of the appliance. Port 1 corresponds to GB1 in the UI. This port is auto-sensing, so you do not need a crossover cable if using a laptop with the same.

3. Open a Java-enabled browser and enter the following URL, including the slash at the end: https://192.168.98.100/config/ The trailing slash is required.

4. Log in to the UI:
   a. Accept the license.
   b. In the Windows Security pop-up window which follows, enter the default configuration username/password (config/config).
   The Configuration, Network Settings page appears.

5. Set the appropriate values in the Network Settings and Network Interfaces sections.

6. (Optional) Speed autosensing does not work with all network appliances. If you experience connectivity issues, set the Speed and Duplex settings to static values for the network interfaces.

7. Click Update when you are finished configuring the settings.

8. Click Restart Networking to commit your changes. While the network is restarting, the appliance is temporarily unavailable.

9. After the browser refreshes, use the Toolbar: Logout button (in the upper-right corner) to end your session.

10. Confirm that your settings have been correctly configured by accessing the login page using your newly assigned address.

Use the Console Port to Configure Network Connections

If you cannot use the LCD Panel or the UI, use the Console port. The Console port is above the nonfunctional USB ports. This port enables you to connect the appliance to a monitor. A console cable is supplied.

Note the following port specifications:


• Speed: 115200

• Data bits: 8

• Stop bits: 1

• Parity: none

• Flow control: XON/XOFF

Configure Date/Time Settings

This content describes how to configure Privileged Access Manager date and time settings, which you access by selecting Configuration, Date/Time.

Change the date, time, and time zone configuration to set a new clock value.

Warning: Some processes that are running, such as SysInfo and Session Recordings, continue to use the previous clock value until the services are restarted. To ensure that all processes become synchronized after making a time change, reboot the system.

Set the Date and Time

Modify the date and time settings for the Privileged Access Manager server using the controls on the Date/Time tab. The time settings implement the Network Time Protocol (NTP).

Each field in the Date/Time tab is static, reflecting the clock value at the time the page was opened. If you update the date and time manually, copy the time from a reliable source. Alternatively, use Time Servers.

To modify the date and time settings, enter accurate values in the Date and Time fields, and select Update.

Specify Time Servers

To obtain the time from an NTP server, specify the time servers in the Time Servers tab. Some public servers are provided by default.

When you use a hostname rather than an IP address for an NTP server, ensure that a DNS server is configured. The DNS server ensures that the hostname resolves properly. Configure DNS Servers at Configuration, Network, Network Settings.

Follow these steps:

1. To specify time servers, enter the fully qualified domain name of each time server you want to use to obtain the current time.

2. Optionally, select the Synchronize at boot check box to synchronize the time upon startup or a reboot of the system.

3. Select Save.

If you are using NTP servers to set the time clock, you can configure NTP authentication so that the server can authenticate the time source.

Configure the Use of Authenticated NTP

Configure the list of NTP servers in the Authenticated NTP tab.

Follow these steps:

1. Paste the NTPv4 Autokey obtained from each NTP server into this section.

2. Select Authentication Required to use only authenticated NTP, and not communicate with unauthenticated peers.


3. Select Save.

NTP Status

The NTP Status tab displays the status output from the NTP servers, in three parts:

List of Time Servers

The first section is a list of time servers with a summary of the state of each server.


The character in the left margin indicates time server status. This character is mapped to the value of the condition column in the Association Identifiers section.

Character  Condition   Description
(space)    reject      The peer is discarded as unreachable, synchronized to this server (sync loop), or outrageous synchronization distance.
x          falsetick   The peer is discarded by the intersection algorithm as a falseticker.
.          excess      The peer is discarded as not among the first ten peers, which are sorted by synchronization distance. This peer is probably a poor candidate for further consideration.
-          outlyer     The peer is discarded by the clustering algorithm as an outlyer.
+          candidate   The peer is a survivor and a candidate for the combining algorithm.
#          selected    The peer is a survivor, but not among the first six peers sorted by synchronization distance. If the association is ephemeral, it may be demobilized to conserve resources.
*          sys.peer    The peer has been declared the system peer and lends its variables to the system variables.
o          pps.peer    The peer has been declared the system peer and lends its variables to the system variables. However, the actual system synchronization is derived from a pulse-per-second (PPS) signal, either indirectly by the PPS reference clock driver or directly by kernel interface.

Association Identifiers

The second section is a list of association identifiers for the server being queried, with status and condition. The reach column indicates the reachability of the server as yes or no. The condition column indicates its current state. The value sys.peer means that the time server is selected for use, while candidate means that the time server can be used.


NTP Variables

The third section lists Privileged Access Manager NTP system variables in name-value pairs.

Troubleshooting

If no record in the second section has the value sys.peer in its condition column, then you do not have a good time server. Because time server synchronization takes time, you may need to select the Refresh button several times to get the latest status.
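The tally characters in the table above are the ones printed in the left margin of an ntpq-style peer listing, so the Troubleshooting rule (no sys.peer record means no good time server) can be checked mechanically, for instance from a monitoring job that scrapes the NTP Status output. The following Python is an added example, not code from this page or from the product: the sample listing is constructed, the hostnames are placeholders, and the function names are assumptions. It treats pps.peer as a usable system peer as well, because the table defines it as the system peer with a PPS-derived clock.

```python
"""Parser for ntpq-style peer listings (added example; not product code)."""

# Tally character -> condition, exactly as in the status table above.
TALLY = {
    " ": "reject",
    "x": "falsetick",
    ".": "excess",
    "-": "outlyer",
    "+": "candidate",
    "#": "selected",
    "*": "sys.peer",
    "o": "pps.peer",
}

# Constructed sample in the column layout of `ntpq -p`; hostnames are placeholders.
SAMPLE_NTPQ = "\n".join([
    "     remote           refid      st t when poll reach   delay   offset  jitter",
    "==============================================================================",
    "*time1.example.net  .GPS.            1 u   35   64  377    1.234   -0.456   0.123",
    "+time2.example.net  10.0.0.1         2 u   12   64  377    2.345    0.789   0.234",
    "-time3.example.net  10.0.0.2         2 u   40   64  377   15.000    9.000   1.000",
    " time4.example.net  .INIT.          16 u    -   64    0    0.000    0.000   0.000",
    "xtime5.example.net  10.0.0.3         3 u   20   64  377    3.000  120.000   2.000",
])


def parse_peer_list(text):
    """Return one dict per peer line: remote, refid, stratum, reach, condition, offset."""
    peers = []
    for line in text.splitlines():
        body = line.lstrip()
        if not body or body.startswith("remote") or line.startswith("="):
            continue  # blank, header or separator line
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue  # not a peer line
        remote, refid, stratum, _ptype, _when, _poll, reach = fields[:7]
        _delay, offset, _jitter = fields[7:10]
        peers.append({
            "remote": remote,
            "refid": refid,
            "stratum": int(stratum),
            "reach": int(reach, 8),            # the reach register is printed in octal
            "reachable": reach != "0",         # the page's yes/no reach column
            "condition": TALLY.get(tally, "unknown"),
            "offset_ms": float(offset),
        })
    return peers


def system_peer(peers):
    """Return the peer the daemon actually synchronises to, or None."""
    for p in peers:
        if p["condition"] in ("sys.peer", "pps.peer"):
            return p
    return None


def usable_peers(peers):
    """Peers that are selected or could be: candidate, selected or the system peer."""
    return [p for p in peers
            if p["condition"] in ("candidate", "selected", "sys.peer", "pps.peer")]


def time_source_ok(text):
    """The Troubleshooting rule above: no sys.peer record means no good time server."""
    return system_peer(parse_peer_list(text)) is not None
```

A stratum of 16 with a reach of 0, as on the fourth sample line, is the signature of a configured server that has never answered; it is the first thing to look for when `time_source_ok` reports failure after several refreshes.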

Power, Reboot and FIPS Mode Controls

Use the controls on the Power page to shut down or reboot the appliance instance. You also activate FIPS mode on this page.

• Physical Appliance Power Settings

• Virtual Appliance Power Settings

• FIPS Mode Activation

• Upgrades and FIPS Mode Operation

Physical Appliance Power Settings

On a physical appliance, the Configuration, Power page provides the following two options:

• Power Off Appliance – shuts down the appliance remotely.
o The power switch on the physical appliance remains in the ON position.
o On the CA PAM UI, the screen indicates that the appliance is shutting down but does not update.

• Reboot Appliance – shuts down then reboots the appliance remotely.

Virtual Appliance Power Settings

To shut down or reboot the CA PAM virtual appliance safely, use the following options on the Configuration, Power page in the CA PAM UI:

• Stop Instance


• Reboot Instance

If the CA PAM UI is not accessible, use the options for your platform:

• For Azure, use the Start, Stop, and Restart options from the Azure portal.

• For AWS and VMware instances, use the Reboot or Power off option on the CA PAM Utility Console.

If you are using the vSphere client, do not shut down the CA PAM instance using the Power Off option. Use the vSphere Power, Shutdown Guest OS, or Restart Guest OS option.

FIPS Mode Activation

To implement FIPS encryption, enable FIPS mode on your CA PAM appliance. The FIPS software is available from the CA Support site. After you activate FIPS mode, it cannot be undone.

Download the FIPS Software

Follow these steps to obtain the FIPS software:

1. Log in to CA Support and navigate to the Download Management page.

2. In the top field, begin entering Privileged Access Manager until you can select the product.

3. From the list of software, locate the Privileged Access Manager with FIPS DEBIAN entry.

4. In the Release drop-down list next to the entry, select the release number, then select the entry name. A list of files appears.

5. Select the cloud icon next to the entry and select a download method.

The file downloads to your appliance.

Activate FIPS

Warning:

• Before you activate FIPS mode for appliances in a cluster, turn off the cluster first. To turn off the cluster, navigate to Configuration, Clustering. Stopping or rebooting a cluster member requires cluster resynchronization.

• Ensure that you have access to the certificates that you have uploaded. You have to upload them again after activating FIPS.

After you install CA PAM with FIPS, follow these steps:


1. If you are using PKI/Smart Card for user login, disable this feature:
   a. Navigate to Configuration, Security, Access, and select the PKI/Smart Card Options tab.
   b. Set the PKI/SmartCard User Login option to Disabled.
   c. Select Save.

2. Navigate to Configuration, Power and select Activate FIPS Mode. The appliance reboots automatically after activation. When CA PAM is rebooted from the UI, the following message displays: "CA PAM appliance is rebooting... Please wait until the login screen appears ..." After the appliance reboots, the UI login page is presented. When a reboot is initiated through a web browser, the login page might not display after the appliance reboots. If you are not returned to the login page automatically, refresh the browser or navigate to the login page by entering the URL for the UI.

3. To verify that FIPS is enabled, select System Info in the top-right corner of the UI. On the Basic Info tab, the FIPS Mode status should say Enabled.

4. After you enable FIPS mode, reload the certificates from the Configuration, Security, Certificates page. See Create a Self-Signed Certificate or a Certificate Signing Request for detailed instructions.

5. If you are using PKI/Smart Card for user login, re-enable the option on the Configuration, Security, Access page.

Unavailable Configuration Options in FIPS Mode

In FIPS mode, the following configuration options are not available:

• Security, SAML, RP Configuration: the Accept RSA-SHA1 Signed Responses option is hidden.

• Security, SAML, RP Configuration, Configured Remote SAML IdP: when you add an Identity Provider, RSA-SHA1 is disabled as a Signature Algorithm option.

• Security, Access: the TLS 1.0/1.1 Connection Allowed option is disabled.

• Clustering configuration: the Generate Key button is disabled.

• SNMP version 2c does not work. Use SNMP version 3 with FIPS Mode.

Upgrades and FIPS Mode Operation

To maintain FIPS mode operation or apply FIPS as part of an upgrade, note the following information:

• If CA PAM is already operating in FIPS mode, when you upgrade to a newer release, the appliance remains in FIPS mode.

• If CA PAM is not in FIPS mode, you can upgrade to a release that can operate in FIPS mode. Contact CA support for the necessary software.

Deploy the Hardware Appliance

The following topics provide information about the Lanner 404L hardware appliance, and instructions on how to install it:

• Unpack the Hardware Appliance from the Packaging

• Mount the Hardware Appliance in a Rack

• Configure Network Connections for the Appliance

• Appliance Power Supply Units

• Hardware Appliance Specifications

No software installation is required on the appliance.

Unpack the Hardware Appliance from the Packaging

The hardware appliance package contains, at minimum, the items identified in the following table. If any of these items are missing, contact Broadcom Support.

Item: 404L (Dual Power Supply model)

No   Name                                          Quantity                      Illustrations / Notes
1.   L-shaped brackets                             4
2.   Sliding rail assemblies                       2                             Each sliding rail assembly can be separated into an inner frame and an outer frame assembly.
2a.  Inner rail frame                              1 per sliding rail assembly   The inner frame (or inner rail) has an outer safety lock (see step 2c.) for securing it to the outer rail frame assembly. This rail is attached to the appliance.
2b.  Outer rail frame assembly                     1 per sliding rail assembly   The outer frame assembly consists of two heavy-gauge rail frames (center rail and outer rail) attached to each other. Each frame incorporates a ball-bearing slide. One frame attaches and allows extension of the two frames with each other. One frame attaches and allows extension of the inner rail frame with the center rail. The rail assembly has an inner safety lock (see step 4). This assembly, with two L-shaped brackets, is attached to the rack.
3.   Short flat-head screws                        8
4a.  Long flat-head screws                         8
4b.  Nuts for long flat-head screws                8
5a.  Flat countersink screws                       12
5b.  Conical washers for flat countersink screws   12
6a.  Front ear brackets                            2
6b.  Ear bracket screws                            6
7.   Appliance chassis                             1
8.   Power cords                                   2
9a.  Console cable                                 1
9b.  Ethernet patch cord                           1

Mount the Hardware Appliance in a Rack

With the provided equipment, you can mount the appliance into a standard rack.

1. Remove the two rail assemblies from their packaging.

   [Figure: Model 404L rail assembly, inner side up]

2. Separate the inner rail frame from the outer and center rail frames on each of the two assemblies:

   a. Place one rail assembly as shown:

      [Figure: Model 404L closed frame assembly, inner side up]

   b. Slide the inner rail frame all the way to the left. The frame stops at about half its length:

      [Figure: Model 404L inner rail extended to left, inner side up]

   c. Turn the assembly upside down so that its outer side is visible, as shown here:

      [Figure: Model 404L inner rail extended to left, outer side up, with arrow]

   d. Press down the outer safety lock tab (indicated by the arrow) and, holding the tab down, pull the inner rail frame firmly to the left so that it is removed.

      [Figure: Model 404L separation of inner and outer rail]

   e. Repeat this inner rail frame separation with the other rail assembly.

3. Attach the inner rail frames and ear brackets to the appliance chassis.

   a. Align the three indicated mounting holes of the inner rail with the screw holes on the chassis frame, with the outer safety lock tab facing out and the notched end of the rail located at the rear of the unit. (These are connected by vertical dashed lines in the figure.) Attach it to the appliance using three of the short flat-head screws. Attach one of the two front ear brackets to the chassis using the small black screws provided in the ear bracket package. The two attached parts should now appear as in this diagram:

      [Figure: Model 404L inner rail and ear bracket attachment to appliance chassis]

   b. Repeat these steps to attach the other inner rail and front ear bracket to the other side.

      [Figure: Model 404L ear bracket and inner rail frame mounted on the right side of appliance]

   The L-shaped brackets secure the outer rail frame assembly to the rack. Attach these brackets to the outer rail assemblies first, before attaching the combination to the rack.

4. Attach two L-shaped brackets to each of the two outer frame assemblies:

   a. On one outer rail assembly, attach an L-shaped bracket at each end.

      Front bracket: Close the outer rail assembly so that the center rail frame is lined up (flush) with the outer rail frame. Slide the inner ball bearing assembly all the way to the right to expose four oval holes on the left.

      [Figure: Model 404L outer rail assembly closed, inner side facing up, with ball bearing assembly slid to right]

      Locate an L-shaped bracket so that the curved edge on the bracket wraps around the outer frame of the outer rail assembly (when held up on its side edge as shown), and the left end of the bracket points down toward you.

      [Figure: Model 404L: orientation of the L-shaped bracket against outer rail assembly]

      Insert a long flat-head screw (Package Contents table, item 4a) through the first oval hole on the inner frame of the frame assembly, through to the outer frame, then through the long groove of the L-shaped bracket, and finally attach (but do not tighten) a nut (item 4b) to the end of the screw. Repeat this with a second screw and nut through another pair of rail holes. (The third or fourth hole pair provides the best support. The additional two hole pairs are intended for alternative equipment that is not used here.)

      Do not tighten the nuts yet, because you need to adjust the location of the brackets when you mount the bracket-rail assembly to the rack.

      [Figure: Model 404L: front bracket onto outer rail assembly, inner side view, with screw and nut before attachment]

      Rear bracket: Slide the outer rail all the way to the right so that the inner safety lock snaps in place, exposing the screw holes on the outer rail:

      [Figure: Model 404L: outer rail assembly after sliding the outer rail (on the bottom side) to the right]

      Attach the second L-shaped bracket to the other end of the outer rail with two long flat-head screws, one through the first or second oval hole (Figure 176) from the center, and one through the third oval hole near the end.

      [Figure: Model 404L: rear bracket onto left outer rail assembly, inner side view, with screw and nut before attachment]

   b. Repeat these steps to attach the other two L-shaped brackets to the other outer rail assembly. When you turn the assembly around so that its outer edge faces you, it should appear with the brackets loosely mounted (for now):

      [Figure: Model 404L: outer and center rails with brackets (loosely) attached (step 4), front at left, outer side view]

5. Mount each bracket-rail assembly to the rack in an appropriate rack bay:

   a. Install the outer rail with the attached bracket to the front rack post using two countersink screws and, if the rack holes are not pre-threaded (which might require clips), the conical washers provided. Note that the front end of the rail assembly has a black plastic H-shaped component.

   b. Extend and adjust the rear bracket to meet the depth of the rack and secure it to the rack post with two countersink screws and conical washers.

   c. Repeat steps (a) and (b) to install the other rail on the other side of the rack.

   d. You can now use a wrench to tighten the nuts and the screws that attach the L-shaped brackets to each of the rails.

      [Figure: Model 404L: right side rail, with the front bracket attached, mounted at the front right side of rack]

6. Place the appliance (with ear brackets and inner rails attached) in the rack, as shown here:

   [Figure: Model 404L: placing the appliance into the rack]

7. Slide the appliance into the frame. As you do, hold the tabs on the outer safety locks (as in step 2d) on the left and right sides of the appliance, so that the appliance can slide all the way in while the attached inner rails are prevented from sliding back out.

8. Attach the ear brackets to the frame through their remaining (center) holes.

9. Connect the Ethernet patch cable to an Ethernet port on the front panel (for example, port 1, which corresponds to GB1 in the LCD and GUI interfaces) and to the network.

10. Connect the power cords to the two PSUs and to outlets.

Configure Network Connections for the Appliance

After the appliance is installed and, optionally, mounted in a rack, configure its network connections as described in Configure Network Connections for the Appliance.

Appliance Power Supply Units

Each power supply is a modular unit that slides out of the appliance for offline replacement or repair. The power supplies are held in place by release levers that are easily accessible when facing the rear of the appliance. Each power supply unit (PSU) uses a standard detachable power cord.

If the power supplied to the appliance is interrupted (power fails, or a supply unit is removed or unseated), the unit sounds a steady alarm tone. This alarm continues until the silence switch turns it off.

The silence switch is a small button at the back of the unit, immediately to the left of the power supplies. Press the silence switch to turn off the alarm. After the switch is pressed, it is reset only after power is restored and recycled back to each appliance. Power restoration means that each power supply is seated in the appliance and that each power cord is plugged in to a live power outlet.


Hardware Appliance Specifications

The Dual Power Supply Model 404L hardware appliance provides redundant modular power support to promote continuous uptime. The hardware appliance can host any supported CA PAM release and has the following specifications:

System components
  Chassis: 1U IPC
  Power Supply: Redundant dual hot-swappable 300-W Power Supply Units (PSUs)
  System Board: Intel C236 Chipset (Skylake PCH)
  CPU: Intel Xeon E3-1275 v6 processor, quad core (8 threads)
  Memory: 64-GB DDR4 2400-MHz DIMM with ECC support
  Primary Storage: 240-GB Solid-State Drive (SSD)
  Secondary Storage (Backup): 240-GB Solid-State Drive (SSD)
  Display: 2 line x 20 character LCD
  Hardware Security Module (HSM) (Optional): SafeNet 1700 PCIe

Standard interfaces
  Network: Eight (8) 1-Gigabit Ethernet ports
  LCD inputs: Four-button control
  Serial: One RJ-45 console serial port
  USB ports: Not functional

Physical specifications
  Height: 1.73" (44 mm)
  Width: 17.2" (438 mm)
  Depth: 18.4" (468 mm)
  Unit Weight: 15.4 lb (7 kg)
  Enclosure: Fits standard 19" rack

Environmental specifications
  Storage Environment: -20 to 70 Celsius, 5 - 95 percent RH, noncondensing
  Operating Environment: 0 to 40 Celsius, 5 - 90 percent RH, noncondensing
  Cooling: Processor: passive heatsink; System: 3x cooling fan


Install and Configure a Socket Filter Agent

Privileged Access Manager Socket Filter Agents (SFAs) restrict access either to server-based devices or from server-based devices. Socket filters provide a different kind of access control than devices with finite command sets, such as routers, for which command filtering is applied.

SFAs work with Socket Filter Lists (SFLs) configured on the appliance.

• Socket Filter Agent Installation Requirements
• Download the Socket Filter Agent Software
• Install and Configure a Socket Filter Agent on Windows
• Install and Configure a Socket Filter Agent on UNIX

Socket Filter Agent Installation Requirements

This section describes the requirements for installing a Socket Filter Agent.

• Network Port Requirements: SFAs have the following network port requirements:
  o By default, port 8550 must be allowed between the target host containing the SFA and the appliance. You can configure the SFA to use a different port.
  o Port 443 must also be open to allow communication back to the appliance, including messages for log entries.
  For AWS or Azure, ensure that these ports are also open in the AWS or Azure network settings and in the OS firewall of the instance.
• Permissions: SFA installation requires administrative privileges, such as those provided by the Windows default Administrator account or the UNIX root account.
• Supported Operating Systems: See Supported Environments for the operating systems that support the SFA.

Use the following optional procedure to monitor the status of SFA agents from the CA PAM UI.

Download the Socket Filter Agent Software

Use this procedure to download the SFA software package.

Follow these steps:
1. Open the CA Support Download Center in a browser and log in, if necessary.
2. Enter "CA Privileged Access Credential Manager DEBIAN" in the Select a Product field.
3. Select the appropriate software version from the Select a Release drop-down list.
4. Select Go.
5. Select the Download link for one of the following entries in the list of available downloads:
   • Windows Socket Filter Agent
   • UNIX Socket Filter Agent
6. Uncompress the .zip file that downloads to a directory on a local drive.

Install and Configure a Socket Filter Agent on Windows

Windows Socket Filter Agents are provided as MSI self-extracting packages. This section describes how to install and configure SFAs on a Windows target system.


On Windows targets, Socket Filter policies are not enforced against users who log in to targets directly, bypassing Privileged Access Manager.

Install a Windows SFA Using the Installer UI

Use this procedure to install a Windows SFA using the installer UI.

The account that is used to install the SFA determines which accounts can uninstall it. If one of the following accounts installs the SFA, no other account can uninstall the agent:

• A domain-based account with local Administrator privileges
• A local account with local Administrator privileges (other than the Administrator account itself)
• The local Administrator account itself

If the installing domain-based or local account becomes obsolete or invalid, you might not be able to uninstall the SFA. To uninstall the SFA under these circumstances, contact CA Technologies Support.

Follow these steps:
1. Ensure that all installation prerequisites are met.
2. Log in to the target Windows device as a local administrator.
3. Use the Add/Remove Programs window (or equivalent) to remove any existing Windows SFA from the target device.
4. Navigate to the directory where you uncompressed the SFA download.
5. Start the installer by double-clicking the WinSFA.exe file.
6. Follow the prompts.

After installation, the SFA starts and runs as a background Windows service with the default name "CA Technologies Socket Filter". Use the local Windows Services interface for service settings and control.

Install an SFA Silently on Windows

Use this procedure to install a Windows SFA silently with automatic startup.

The account that is used to install the SFA determines which accounts can uninstall it. If one of the following accounts installs the SFA, no other account can uninstall the agent:

• A domain-based account with local Administrator privileges
• A local account with local Administrator privileges (other than the Administrator account itself)
• The local Administrator account itself

If the installing domain-based or local account becomes obsolete or invalid, you might not be able to uninstall the SFA. To uninstall the SFA under these circumstances, contact CA Technologies Support.

Follow these steps:
1. Ensure that all installation prerequisites are met.
2. Log in to the target Windows device as a local administrator.
3. Use the Add/Remove Programs window (or equivalent) to remove any existing Windows SFA from the target device.
4. Navigate to the directory where you uncompressed the SFA download.
5. Open a Command Prompt window and navigate to the directory where you uncompressed the SFA download. On Windows Server 2008 and Windows Server 2012, right-click the Command Prompt icon and select Run as Administrator.


6. Enter the following command:

   path\WinSFA.exe /s /v"/qn /liwe c:\XCDM_SFA.log"

   where path is the directory that contains the WinSFA.exe file. The /qn (quiet, no UI) and /liwe (log status messages, warnings and errors to the named file) options and their parameters are recommended but not required.

After installation, the SFA starts and runs as a background Windows service (with the default name "CA Technologies Socket Filter"). Use the local Windows Services interface for service settings and control.

Change Basic Windows SFA Configuration Settings

Run the SFAConfig.exe configuration utility to change basic SFA settings.

Follow these steps:
1. Navigate to SFA_Install_Dir\Bin, where SFA_Install_Dir is the SFA installation directory. Default: C:\Program Files (x86)\CATech\Socket Filter.
2. Execute SFAConfig.exe.
3. Change any of the following settings, as required:
   • Port: The port that the SFA uses to communicate with the appliance. Default: 8550
   • Service Name: The name of the SFA Windows service. Default: "CA Technologies Socket Filter"
   • Service Description: The description of the SFA Windows service. Default: "CA Technologies Socket Filter"
   • Run Agent in Verbose mode: Determines whether the SFA produces detailed log messages for diagnostic purposes. Default: off
4. Select Save.

After you save the new settings, the SFA restarts.

Troubleshoot a Windows SFA

Turn on Verbose mode using the SFAConfig.exe configuration utility to generate detailed log messages. Log messages are stored in the log.txt file in the installation directory.

Uninstall a Windows SFA

To uninstall a Windows SFA, do one of the following:

• Access the Windows Control Panel and use the Add/Remove Programs window (or equivalent).
• Open a Command Prompt window and enter the following:

  MsiExec.exe /X{5A2A2643-2BD6-4D09-9B03-E08098887B06} /norestart

Install and Configure a Socket Filter Agent on UNIX

This section describes how to install and configure a Socket Filter Agent (SFA) on a UNIX target.

On UNIX and Linux targets, the Socket Filter Agent filters only non-root users. A Socket Filter List in a policy becomes effective only for non-root users logging in to targets through CA PAM. Afterwards, the filter remains in effect even if the user logs in to the target directly. Socket filters for all users are reset after root restarts the socket agent (gksfd).

Install a UNIX SFA

The UNIX SFA download package contains a separate installer script for each supported UNIX operating system. Each script has a descriptive filename of the following format:

gksfd_sfa-version_os-version[_64]_linux_install.sh

where sfa-version is the SFA release version and os-version is the UNIX version. For example:

• gksfd_2.70_debian6_64_linux_install.sh for a Release 2.7 SFA for Debian 6 (64-bit)
• gksfd_2.70_rh6_linux_install.sh for a Release 2.7 SFA for Red Hat EL 6 (32-bit)

Depending on the OS, there are different methods of deploying the SFAs. Because minimal configuration is required on the managed target device, an SFA can be deployed through preexisting software delivery mechanisms.

Follow these steps:
1. Ensure that all installation prerequisites are met.
2. Log in to the target device as a local administrator (root).
3. Remove any existing UNIX SFA from the target device.
4. Open a terminal window.
5. Copy the appropriate installer script for your operating system to the directory where you want to install the SFA.
6. Run the installer script. For example, to install a 2.7 SFA on Red Hat Enterprise Linux (32-bit):

   [root]# sh gksfd_2.70_rh6_linux_install.sh

   A terminal window opens, allowing you to interact with the installer script.
7. Follow the online directions. When requested, supply a destination directory in which to install the SFA. The default is /usr/sbin.

For AIX, the control script is installed in /etc/rc.d/init.d/. For all other versions of UNIX, the control script is installed in /etc/init.d/.

If you specify a location different from the default installation location, you might encounter unexpected behavior. CA Technologies recommends against moving from the default locations.

Configure and Operate a UNIX SFA

A configuration file (/etc/gksfd.cfg) and a control script control UNIX SFA operation. For Linux, the control script is located at /etc/init.d/rc.gksfd. Other OS versions store this script in corresponding locations.

The following table describes the key settings in the gksfd.cfg configuration file.

Login control
    Setting: SECURE_LOGIN=[ 0 | 1 ]
    0: Allow login from outside CA PAM
    1: Allow login only from a CA PAM connection

Secure user list
    Setting: SECURE_USER=<username_1>,<username_2>,...,<username_N>
    Specifies every SFA superuser, that is, every device login user that is not subjected to any socket filter policy. Usernames are delimited with commas, with no spaces permitted.

The syntax to run the control script is as follows:

rc.gksfd { start | stop | restart | reload }

The syntax for the UNIX SFA executable is as follows:

gksfd [-options]

The following table describes the options; the default applies when the option is not set.

-h           Display online help.
-l logfile   Specify the log file used. Default: /var/log/gksfd.log
-p port#     Set the port used to communicate with the appliance. Default: 8550
-v           Set the log level to Verbose mode (default: info). For example:
             /usr/sbin/gksfd -v >> /var/log/gksfdmessages
             Set this option only when extra logging is required.
-ver         Display the version number.

To apply persistent changes, set the UNIX SFA options in the rc.gksfd file.

Some platforms, such as Red Hat Linux, might block port 8550 by default, which inhibits SFA operation. Use the netstat command (for example, netstat -ltn) to confirm that gksfd is listening on the port; whether the host firewall blocks the port is shown by the rules of the iptables INPUT chain (iptables -S INPUT). If necessary, open port 8550 with the following command and then restart the SFA:

iptables -I INPUT 1 -p tcp --dport 8550 -j ACCEPT

This inserts the rule at the top of the INPUT chain, so that it takes precedence over a catch-all REJECT or DROP rule further down. The rule is not preserved across a reboot unless the running rule set is saved (for example, with iptables-save or the distribution's firewall service), so save it once the SFA is confirmed working.
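The following POSIX shell script is an added example, not part of the CA PAM documentation or of the SFA package. It checks an SFA host the way the two preceding sections describe: it validates the SECURE_LOGIN and SECURE_USER syntax in gksfd.cfg, decides from iptables -S INPUT output whether TCP port 8550 reaches an ACCEPT rule before the catch-all REJECT that Red Hat installs by default, and confirms from netstat -ltn output that something is listening on the port. The functions read their input from stdin, so the decision logic can be exercised on constructed rule sets; the assumptions are that the configuration uses plain KEY=VALUE lines and that the firewall is iptables with single --dport rules (no multiport matches, no source-restricted drops).

```sh
#!/bin/sh
# Pre-flight check for a UNIX Socket Filter Agent host (added example; not
# CA PAM's own code). Assumes gksfd.cfg holds KEY=VALUE lines and that the
# host firewall is iptables with single --dport rules.

SFA_PORT="${SFA_PORT:-8550}"

# check_gksfd_cfg FILE
# Returns 0 when SECURE_LOGIN is 0 or 1 and SECURE_USER, if set, is a
# comma-delimited list with no whitespace and no empty entries.
check_gksfd_cfg() {
    cfg="$1"
    rc=0
    login=$(sed -n 's/^SECURE_LOGIN=//p' "$cfg" | tail -n 1)
    case "$login" in
        0)  echo "SECURE_LOGIN=0: logins from outside CA PAM are allowed" ;;
        1)  echo "SECURE_LOGIN=1: only logins through a CA PAM connection are allowed" ;;
        "") echo "SECURE_LOGIN is not set"; rc=1 ;;
        *)  echo "SECURE_LOGIN has an invalid value: '$login'"; rc=1 ;;
    esac
    users=$(sed -n 's/^SECURE_USER=//p' "$cfg" | tail -n 1)
    if [ -n "$users" ]; then
        case "$users" in
            *[[:space:]]*) echo "SECURE_USER contains whitespace: '$users'"; rc=1 ;;
            ,*|*,|*,,*)    echo "SECURE_USER has an empty entry: '$users'"; rc=1 ;;
            *)             echo "SECURE_USER exempts from socket filters: $(echo "$users" | tr ',' ' ')" ;;
        esac
    fi
    return $rc
}

# iptables_allows_port PORT  < output of `iptables -S INPUT`
# Returns 0 when TCP traffic to PORT hits an ACCEPT rule before any catch-all
# DROP/REJECT, or when no rule matches and the chain policy is ACCEPT.
# Simplification: a DROP/REJECT rule without a port match is treated as catch-all.
iptables_allows_port() {
    awk -v port="$1" '
        /^-P INPUT ACCEPT/ { policy_accept = 1; next }
        /^-P/ { next }
        # the first rule naming our port decides, whatever its target
        /-p tcp/ && $0 ~ ("--dport " port "( |$)") {
            decided = 1; allowed = ($0 ~ /-j ACCEPT/); exit
        }
        # a DROP/REJECT that does not match on a port blocks everything after it
        /-j (DROP|REJECT)/ && !/--dport/ && !/--sport/ { decided = 1; allowed = 0; exit }
        END { if (!decided) allowed = policy_accept; exit (allowed ? 0 : 1) }
    '
}

# port_listening PORT  < output of `netstat -ltn` or `ss -ltn`
# Returns 0 when a listening socket on PORT is present (gksfd after a restart).
port_listening() {
    grep -Eq "(:|\.)$1([[:space:]]|$)"
}

# sfa_preflight [CFG]: run all checks on the live host (root needed for iptables).
sfa_preflight() {
    status=0
    check_gksfd_cfg "${1:-/etc/gksfd.cfg}" || status=1
    if iptables -S INPUT 2>/dev/null | iptables_allows_port "$SFA_PORT"; then
        echo "firewall: tcp/$SFA_PORT is allowed in the INPUT chain"
    else
        echo "firewall: tcp/$SFA_PORT is blocked; run: iptables -I INPUT 1 -p tcp --dport $SFA_PORT -j ACCEPT"
        status=1
    fi
    if netstat -ltn 2>/dev/null | port_listening "$SFA_PORT"; then
        echo "gksfd: listening on tcp/$SFA_PORT"
    else
        echo "gksfd: nothing is listening on tcp/$SFA_PORT; run: /etc/init.d/rc.gksfd restart"
        status=1
    fi
    return $status
}

# Live run only when invoked as:  sh sfa_preflight.sh run [/etc/gksfd.cfg]
if [ "${1:-}" = "run" ]; then
    sfa_preflight "${2:-}"
fi
```

Run it as root on the target after installing the SFA and again after any firewall change; a non-zero exit means at least one of the three conditions the documentation requires (valid configuration, open port, running daemon) is not met.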

Troubleshoot a UNIX SFA

Use the -v option to turn on Verbose mode and generate detailed log messages. The default location for log messages is /var/log/gksfd.log.

Uninstall a UNIX SFA

Follow these steps:
1. Stop the gksfd daemon using the control script in the directory where it was installed. The following example is for Red Hat 6 Linux:

   [root]# /etc/init.d/rc.gksfd stop

2. Delete the following files:
   • The executable, typically located at /usr/sbin/gksfd
   • The control script, typically located at /etc/init.d/rc.gksfd

Upgrade to Release 3.3

Once your deployment is at release 3.2, 3.2.1, 3.2.2, or 3.2.4, you can upgrade directly to 3.3. Do not attempt to upgrade to Release 3.3 from Service Pack 3.2.5. The software in 3.2.5 is newer (by date) than 3.3 and contains incompatible updates. To upgrade to the 3.3 release stream from 3.2.5, wait for and upgrade to the 3.3.1 Service Pack, which will support direct upgrade from 3.2.5. For information about the Service Pack strategy and release timelines, see CA PAM Fix Strategy.

To upgrade successfully, follow these procedures. Begin with the upgrade prerequisites, then go to the procedure for your deployment:

• Upgrade Prerequisites for 3.3
• Upgrade a Single Appliance to 3.3
• Upgrade Appliances in a Cluster to 3.3

Upgrade Prerequisites for 3.3

Complete the following upgrade prerequisites before starting the upgrade to 3.3:

• Review Minimum Free Space
• Change the Login Timeout to 0
• Back Up Your Privileged Access Manager Instance
• Upgrade for VMware Originating in 2.x
• Put Your Appliance Into Maintenance Mode
• Prepare the Hardware Appliance
• Ensure Clustering Ports are Open
• Review Strong Cryptography on Cisco and UNIX Target Connectors and the SSH Access Method
• Follow the Upgrade Path

Review Minimum Free Space

Ensure that your hard drive has at least 4 GB of space available to upload, decompress, and install the new release. Two seemingly unrelated errors can be caused by insufficient disk space:

• PAM-CMN-1344: Problem applying the upgrade package. Details: Error verifying the authenticity of the upgrade package! This error occurs because there is not enough space to decrypt the encrypted upgrade file.
• PAM-CMN-3349: Cannot upgrade because patch is not HMAC signed. This error occurs because there is not enough space to extract the required files after decryption.

Because these are the same messages that a genuinely corrupt or tampered package produces, rule out free space first; if space is sufficient and verification still fails, do not work around the error, but obtain the package again from the support site.

Change the Login Timeout to 0

If you do not change the Login Timeout setting to 0, your UI connection might time out while applying the patch. Navigate to Settings, Global Settings and set the Login Timeout to 0. This setting effectively removes the timeout to allow time to upload and upgrade. Log out and log in again to ensure that the change takes effect. Restore the previous Login Timeout value once the upgrade has completed, so that idle administrative sessions are terminated again.

Back Up Your Privileged Access Manager Instance

Before you upgrade a Privileged Access Manager appliance, create a backup of your appliance instance. If the upgrade is unsuccessful, revert to the backup. Depending on the type of appliance you have, follow the relevant guidelines:

• Privileged Access Manager hardware appliances: The hardware appliance, which has a secondary drive, creates a backup automatically as a first step. No action is required.
• VMware appliances: Take a snapshot of the VMware OVA. For specific instructions on creating a snapshot of an OVA, go to the VMware documentation.
• AWS AMI appliances: Take a snapshot of the AMI instance. For specific instructions on backing up an AMI instance, go to the AWS documentation.

If you take an OVA or AMI snapshot while the instance is operating, the snapshot can take a long time to complete. To save time and storage media, shut down the instance and then take the snapshot. Before you upgrade, take a snapshot of the appliance, even if you took one before a previous upgrade.

Upgrade for VMware Originating in 2.x

There is a file system partition error in CA PAM 2.x for VMware. This problem went undetected until version 3.3, whose upgraded OS detects the problem and refuses to boot. If your first version of CA PAM is 3.x, you can ignore this procedure.

There have been multiple iterations of the PAM 2.8 to 3.0 migration patch. The R3.0 version corrects this problem. However, if you migrated from 2.8 to 3.0 with an earlier version (before March 12, 2019), this procedure applies to you. (The bin file is dated 2/27/2019.)

For VMware, the 3.3 upgrade patch copies the CA PAM disk to a second virtual disk while it corrects the error. If necessary, attach an empty virtual disk during the upgrade. The patch detects the problem when you attempt to upgrade. If there is no need to correct the partition, or if you have a large enough second drive attached, the patch asks if you are ready to reboot. If corrections are necessary and you do not have a second drive attached, you receive an error message like this:

Error: PAM-CMN-1344: Problem applying the upgrade package. Details: Bad VMware boot partition. Should be 326656 but is only 321300 sectors. Attach a second disk of at least X GB so upgrade can repair it.

If you have a second virtual disk drive attached but it is too small, the error alerts you:

The currently attached second disk is only X GB. Attach a second disk of at least Y GB so upgrade can repair it.

Once the upgrade is complete, the second disk drive is no longer needed and can be detached from the system. You must shut down the instance to do this.

Put Your Appliance Into Maintenance Mode

Put your appliance into Maintenance Mode before initiating the upgrade.


Prepare the Hardware Appliance

When upgrading a physical appliance, Privileged Access Manager copies the primary drive data (including database and configuration files) onto its backup drive before applying the update. If there is any issue with the upgrade, you can restore your appliance to its pre-upgrade state from the backup. If an upgrade error occurs, follow the instructions in Recover the Hardware Appliance.

Ensure Clustering Ports are Open

If you are upgrading a cluster, ensure that ports 3307, 13307, and 8443 are open. These ports are required for the enhanced clustering in version 3.3.

Review Strong Cryptography on Cisco and UNIX Target Connectors and the SSH Access Method

Release 3.3 supports the latest recommended strong cryptography for secure SSH communications in the SSH Access Method and in the Cisco and UNIX target connectors. The target servers must support at least one algorithm from each of the three categories listed here. If you are using Cisco or UNIX target connectors, or the SSH Access Method, upgrade the cipher, key exchange (kex), and HMAC configuration on the UNIX server and Cisco router before you upgrade to 3.3. See your UNIX server and Cisco router documentation for how to do this.

These are the algorithms supported by Privileged Access Manager 3.3:

• Key Exchange Methods: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group-exchange-sha256 (with up to a 4096-bit DH group)
• Ciphers: aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr
• Hashes (MACs): hmac-sha2-512, hmac-sha2-256

In addition, when CA PAM is not operating in FIPS mode, some SHA-1 algorithms remain available for use with the UNIX and Cisco target connectors. If CA PAM is in FIPS mode, these are not available. The SHA-1 algorithms are:

• Hashes: hmac-sha1, hmac-sha1-96
• Key Exchange methods: diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1

A target that can negotiate only one of these SHA-1 algorithms in a category therefore becomes unreachable as soon as FIPS mode is enabled, so treat them as a migration aid rather than a long-term setting.

You can disable the SHA-1 algorithms on the SSH-2 tab of the UNIX or Cisco target application configuration. For more information, see Add a Cisco Target Connector or Add a UNIX Target Connector, and read the instructions for the SSH-2 tabs (Cipher, Hash, Key Exchange, Compression, Server Host Key).

When existing target applications use algorithms that were manually configured under the SSH-2 tab, and one or more of them is obsolete in 3.3, the upgraded 3.3 target application removes the obsolete algorithms from the list. When all of the manually configured algorithms are obsolete in 3.3, the target application replaces the entire list with a new list of strong cryptography algorithms in order of priority. This list appears in the user interface.
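The following shell script is an added example, not part of the CA PAM documentation, for running on a UNIX SSH target before the upgrade. It takes the effective sshd configuration from sshd -T (an OpenSSH command; that the target is OpenSSH is an assumption of this example), intersects the target's key exchange, cipher and MAC lists with the 3.3 sets listed above, and fails when any category has no algorithm in common, which is exactly the condition under which the connector stops negotiating after the upgrade. The FIPS argument selects whether the SHA-1 fallbacks count. The sshd -T outputs used in the test are constructed, not captured from a real host.

```sh
#!/bin/sh
# SSH target compatibility check for Privileged Access Manager 3.3
# (added example; not CA PAM's own code). Assumes an OpenSSH target whose
# effective algorithms are read from `sshd -T` lines such as
# "ciphers aes256-ctr,aes128-ctr".

PAM_KEX="ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group-exchange-sha256"
PAM_CIPHERS="aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr"
PAM_MACS="hmac-sha2-512 hmac-sha2-256"
# Usable only while PAM is not in FIPS mode and SHA-1 is left enabled on the SSH-2 tab.
PAM_SHA1_KEX="diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1"
PAM_SHA1_MACS="hmac-sha1 hmac-sha1-96"

# common_algos "PAM list" "target list": print, one per line and in PAM's
# order, the algorithms present in both. The target list may be comma- or
# space-separated.
common_algos() {
    for a in $1; do
        for b in $(printf '%s' "$2" | tr ',' ' '); do
            [ "$a" = "$b" ] && printf '%s\n' "$a"
        done
    done
    return 0
}

# sshd_t_value KEYWORD  < sshd -T output: print the value of one keyword.
sshd_t_value() {
    awk -v key="$1" 'tolower($1) == key { print $2; exit }'
}

# report CATEGORY "matches": print the negotiable algorithms; fail when none.
report() {
    if [ -z "$2" ]; then
        echo "$1: no algorithm in common with PAM 3.3; the connector cannot negotiate"
        return 1
    fi
    echo "$1: $(printf '%s' "$2" | tr '\n' ' ')"
}

# check_target FIPS  < sshd -T output
# FIPS is 1 when the appliance runs in FIPS mode (SHA-1 excluded), else 0.
# Returns 0 only if every category has at least one algorithm in common.
check_target() {
    fips="$1"
    conf=$(cat)
    kex_list="$PAM_KEX"
    mac_list="$PAM_MACS"
    if [ "$fips" = 0 ]; then
        kex_list="$kex_list $PAM_SHA1_KEX"
        mac_list="$mac_list $PAM_SHA1_MACS"
    fi
    t_kex=$(printf '%s\n' "$conf" | sshd_t_value kexalgorithms)
    t_ciph=$(printf '%s\n' "$conf" | sshd_t_value ciphers)
    t_mac=$(printf '%s\n' "$conf" | sshd_t_value macs)
    rc=0
    report "key exchange" "$(common_algos "$kex_list" "$t_kex")" || rc=1
    report "cipher"       "$(common_algos "$PAM_CIPHERS" "$t_ciph")" || rc=1
    report "mac"          "$(common_algos "$mac_list" "$t_mac")" || rc=1
    return $rc
}

# On the target:  sshd -T | sh pam_ssh_check.sh 1   (0 if PAM is not in FIPS mode)
if [ $# -gt 0 ]; then
    check_target "$1"
fi
```

Run it once with 1 even if the appliance is not in FIPS mode today: a target that passes only with 0 depends on the SHA-1 fallbacks and must have its sshd configuration updated before FIPS mode can be enabled. For a Cisco router, feed the same check the output of the device's own SSH algorithm listing instead of sshd -T.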

Follow the Upgrade Path

The valid path for upgrading to Release 3.3 is shown in the following graphic.

[Graphic: Upgrade path to 3.3]

You can upgrade from Release 3.0 directly to Release 3.0.2 or higher 3.0.x release. An upgrade to Release 3.0.1 is not required. You only need to upgrade to Release 3.1.1; it is not necessary to install later 3.1.x releases.

Upgrade a Single Appliance to 3.3

After Privileged Access Manager is operating at version 3.2.x, follow these instructions to upgrade the software on a single hardware or virtual appliance.

• Review the Upgrade Prerequisites

• Download the Patch

• Prepare for the Upgrade


• Perform the Upgrade

• Post Upgrade Procedures

Allow sufficient time to upgrade. The process takes some time to complete because it backs up your previous software, configuration, and provisioning database. Do not interrupt it.

Review the Upgrade Prerequisites

Before you upgrade, review the prerequisites.

Download the Patch

The software for this release is on the Download Management page.

Follow these steps:

1. Go to the CA Support site and log in to the Download Management page.

2. In the top field, begin entering Privileged Access Manager until you can select this product from the list.

3. Locate the Privileged Access Manager- DEBIAN entry in the product downloads table. You can also type the name in the Filter Search Results field.

4. In the Release drop-down next to the entry, select 3.3 then select the entry name, which takes you to the software.

5. Select the cloud icon next to the entry Privileged Access Manager Upgrade Patch R3.3.

6. Download the file to your local system.

Prepare for the Upgrade

Complete this procedure before starting the upgrade.

Follow these steps:

1. Confirm that all prerequisites are completed.

2. Unzip the patch. This patch contains the CAPAM_3.3.0.p.bin file.

3. Log in to the CA PAM UI as a Configuration Manager or Global Administrator. You must have privileges to modify Configuration options and Global Settings.

4. To prevent users from logging in during the upgrade, turn on Maintenance Mode from Configuration, Diagnostics, System.

5. If your installation uses an NFS, CIFS, or Amazon S3 mount to store session recordings, ensure that the mount is up:

a. Navigate to Configuration, Logs, Session Recording.

b. Select the External Storage tab.

c. In the Primary Mount Settings section, confirm that Mount Status states "mounted".

6. Navigate to Settings, Global Settings and set the Login Timeout to 0. This setting effectively removes the timeout to allow time to upload and upgrade. Log out and log in to ensure the change. If you do not change the Login Timeout setting to 0, your UI connection might time out while applying the patch. If the UI times out, verify whether the patch is applied. If it is not applied, set the Login Timeout to 0 and apply the patch again.

After you are finished with this procedure, perform the upgrade.

Perform the Upgrade

After you prepare for the upgrade, apply the upgrade patch.

Follow these steps:


1. From the CA PAM UI, navigate to Configuration, Upgrade.

2. In the Upgrade History section, confirm that the installed upgrades include any necessary patches to upgrade to the current release. For more information about the necessary patches, see Upgrade Paths.

3. Select Choose File and browse to the CAPAM_3.3.0.p.bin file.

4. Select Upload and Apply to apply the patch automatically after the file uploads, or select Upload and Apply separately. The upgrade begins.

Depending on the size of your database, the upgrade might take a long time to complete. Keep your browser open until you see a reboot message. Do not interrupt the upgrade process.

5. After the upgrade is complete, a dialog appears. Select OK to reboot the appliance.

This guideline applies to any patch that includes a reboot: If the reboot message still appears in the UI or the LCD display (hardware appliance) after 5 minutes, continue to the next step.

6. Log back in to the UI. If you cannot initially log in, wait from 15 to 30 minutes and try again.

7. Review the following items to confirm that the upgrade is successful:

• The Upgrade History section shows the correct file name, with the current time and date.

• The correct release number is shown in the footer of the Upgrade panel.

8. Continue to complete any post upgrade procedures.

Post Upgrade Procedures

After the upgrade completes successfully, complete the relevant post-upgrade tasks:

• Clear the Browser and JRE caches

• Reconfigure Your AWS API Proxy Setup

• Update the REST API Call Endpoint

• Update SAML Settings at the Service Provider

• Update the Credential Manager Remote CLI and Java API

• Verify OCS Smart Card for Thales nShield HSM is Installed

• Review Kerberos KDC Server Changes

• Change the Login Timeout

If you turned on Maintenance Mode, turn it off after you complete the post-upgrade tasks.

Clear Browser and JRE Caches

Instruct users who connect to the CA PAM appliance through a web browser to clear their browser and JRE caches before they log in again. Communicate this instruction to administrators and standard users.

Follow these steps:

1. For each browser that you use to access Privileged Access Manager, clear its cache, and close it.

2. Clear the Java cache in the Java JRE.

3. Restart the browser.

If you do not clear the Java cache, the following error message appears on the Access page: The Access page failed to load. Please verify that Java is installed and is enabled in your browser, and that the Next-generation Java Plug-in is enabled.

If so, then the download of the Java applet might be taking too long. Please try again. If the problem persists, please contact your administrator.


Reconfigure Your AWS API Proxy Setup

If you use the AWS API Proxy, complete this procedure to reconfigure your AWS Proxy setup.

Follow these steps:

1. Select Credentials, Manage A2A, Mappings.

a. Select the ID of the target alias that is named AWS API Proxy Access Accounts and select Update.

b. Verify that the Check Execution User option is set and clear the Check Execution Path and Check File Path options.

c. Select OK.

2. Select Policies, Manage Policies.

3. Select the Password tab and delete all the password view options between the xceedium.aws.amazon.com device and the AWS API Proxy Access users.

4. Select Credentials, Manage Targets, Accounts, and delete all target accounts belonging to the target application AWS API Proxy Access Accounts.

5. Select Credentials, Manage Credential Groups, Credential Groups.

6. Select Add and create a credential group with the following properties:

• Name: AWS Proxy Accessors

• Description: Promote or demote users to be able to add or delete Proxy target accounts

• Role: TargetAdmin

• Target Group: AWS API Proxy Access Accounts

7. Select OK.

When an AWS API Proxy user logs in to the UI, that user can view the password for the AWS API Proxy from the Access page. Viewing the password triggers the creation of the account, which can then be reused.

Update the REST API Call Endpoint

Beginning with 3.2, the REST API call endpoint has changed. If your application makes API calls to the /cspm/rest/ endpoint, update these calls to use the /cspm/ext/rest endpoint. For example, to list the global settings configuration properties, the REST API call is: GET https://111.12.32.1/cspm/ext/rest/configProperties

Update SAML Settings at the Service Provider

Beginning with 3.0, CA PAM servers that are configured as Remote IdPs no longer accept HTTP-Redirect. The default SAML SSO protocol binding is now HTTP_POST.

After you upgrade to 3.x, follow these steps:

1. In the UI, go to Configuration, Security, SAML, RP Configuration tab.

2. On the RP Configuration page, select the Configured Remote SAML IdP tab.

3. Modify the following settings accordingly:

• Single Sign-on Protocol Binding: SAML 2.0 bindings: HTTP-POST

• Single Sign-on Service: Ensure the URL to the SSO service uses POST. For example: https://idp_domain/idp_service/SAML2/POST/SSO

4. Select OK.

5. Download the RP metadata and reimport the file to the remote IdP.


Update the Credential Manager Remote CLI and Java API

If you use the Remote CLI or Java API to manage Credential Manager, update to the 3.3 version of the RemoteCLI zip on your designated client system. For more information, see Install and Set Up the Remote CLI and Java API.

Verify OCS Smart Card for Thales nShield HSM is Installed

On the hardware appliance or a VMware OVA, the Credential Manager can work with a Thales nShield HSM for hardware encryption.

After you upgrade, ensure that the OCS smart card for the HSM is inserted into the Thales nShield HSM.

The smart card is necessary in the following situations:

• Before you reboot CA PAM

• Before you restart a cluster

• After you apply a patch

After PAM is successfully communicating with the HSM, you can remove the card.

Review Kerberos KDC Server Changes

Kerberos KDC servers are now assigned at the device level. If you upgraded from a 2.8.x release, be aware of the following changes:

• The upgrade might automatically assign KDC Servers to devices.

• The device assignment overrides any device group assignment that you configure after an upgrade. To prevent the override, remove the device assignment.

Change the Login Timeout

If you changed the Login Timeout before doing the upgrade, change it back to your preferred setting. Navigate to Settings, Global Settings and set the Login Timeout.