IBM Security Privileged Identity Manager, Version 2.0

Getting access to a target resource when check-in fails or the adapter is not able to connect to the resource

If IBM Security Privileged Identity Manager cannot establish a connection with the managed endpoint because a network adapter is not working, or because the adapter is not configured correctly (for example, with a wrong password), the PIM Manager might want to view the password for the endpoint to regain control.

The following scenarios describe the possible workarounds that the PIM Manager can use to view the password for an endpoint.

Workaround for a scenario with a connection problem with a pending check-in

Scenario
  1. As a privileged user, James checks out a credential for a Linux host with the self-care interface.
  2. To simulate a connection problem, as a PIM Manager, log in to the administrator console. Tamper with the Service profile for the host by changing the adapter password to an invalid password. IBM Security Privileged Identity Manager cannot connect to the host.
  3. As a privileged user, James checks in the account with the self-care interface.

    The In Process message is displayed.

    Under View Requests, there is a Check-In event with status Pending that is displayed for James.

    James can no longer see the credential when View Password is selected, and cannot check in the credential again.

  4. As PIM Manager, in the administrator console, observe that the credential is still checked out to James, but the Check-In option is disabled.

Solution
  1. As a PIM Manager, complete the following tasks:
    1. Go to View Requests to cancel the pending request from James.

      The Check-In command for the credential is enabled.

    2. Disconnect the credential from the resource.
    3. Click Check-In for the disconnected credential.
  2. When James attempts to check out credentials, the credential is available for selection again.
  3. James checks out the credential again, and can see the most recent password.

Workaround for a scenario with a configuration problem with a check-in that is completed with a warning

Scenario
  1. As a privileged user, James checks out a credential for a Linux host with the self-care interface.
  2. To simulate a configuration problem, as a PIM Manager, log in to the administrator console. Tamper with the Service profile for the host by changing the IP address without providing a new password. IBM Security Privileged Identity Manager cannot connect to the host.
  3. As a privileged user, James checks in the account with the self-care interface. The message Completed with warning is displayed.

    There is a Check-in event with the Warning status for James under View Requests.

    The error message displays Missing userPwd attribute in request.

    James can still see the credential when View Password is selected, and can still try to check in again.

  4. As PIM Manager, in the administrator console, observe that the credential is still checked out to James, and the Check-In command for the credential is enabled.
  5. When the PIM Manager clicks Check In, the credential remains checked out by James.

    Under View Requests, there is a check-in event with status Warning for PIM Manager.

    You cannot clear the requests, as the requests are presumably completed, although with a warning.

Solution

  1. As PIM Manager, complete the following steps:
    1. Disconnect the credential from the resource.
    2. Check in the disconnected credential.
  2. In the self-care interface, James notices that the credential is checked in and is available for check-out again.
  3. James checks out the credential again, and can see the most recent password.
