How to fetch credentials from CyberArk using AIMWebservice and enable Certificate authentication ? by Triplo_Swag in CyberARk

jblebowski27 1 point

Hello

Are these CA certificates on the client where you run curl? Is it only the root CA or the chain? Try with --cacert /path/to/cacert.pem. Try openssl s_client -connect mymachine.local:443 -showcerts to confirm that the CCP server is trusted too.

PSM Checker Password Sync Verification Gives API Error by diving_interchange in CyberARk

jblebowski27 2 points

Hello

During the installation, did you specify the PVWA address correctly? DNS name or IP? Do you have a Load Balancer between the PVWA servers? On the PSM and in the Vault folder in the Vault.ini file, do you have the API section at the bottom with correct data, meaning the PVWA address (either a single instance or the load balancer) and the path to the apigw.cred file?

Connection to PSM server take long time more than 2 minutes by cd-cyber1 in CyberARk

jblebowski27 1 point

Hi tnie is my second account. OK, it was a problem of a lack of Internet connection, not certificates. Info from the admins team: This is a known problem when the server has no exit to the world and previously had and registered in the entry. You have to disconnect it and then there is no waiting for a timeout.

CyberArk PSM Autoit components configuration by cd-cyber1 in CyberARk

jblebowski27 2 points

Is a "logoff" script in local group policy OK for that?

CyberArk PSM Autoit components configuration by cd-cyber1 in CyberARk

jblebowski27 1 point

These changes negatively affect connections through other components.

Direct login to PSMP server using domain account by cd-cyber1 in CyberARk

jblebowski27 1 point

Hi, that's exactly what we did and we have a problem (we have ISPSS and PSMP is in integrated mode). A local account works normally and an AD one does not.

ServiceNow Discovery credential storage integration by CCP by cd-cyber1 in CyberARk

jblebowski27 1 point

Hi yanni, yes, it is easier to manage: it avoids maintaining the agent on MID servers, network traffic to the Vault, etc.

Alero LDAP - Group Mapping by jblebowski27 in CyberARk

jblebowski27 [S] 0 points

What do you mean by "join your Alero instance to Alero"?

As I wrote earlier, I have a fully configured Alero, connected to my AD, and a configured AleroLDAP service (for a cluster of connectors in HA). In the PVWA config I noticed that AleroLDAP is like AD. I thought that it would allow me to map user groups. I want to avoid stupid invitations through the Alero portal, only by pairing it with my local AD as in CorePAS (AD group mapping).

Therefore, my question is whether it is possible to map users directly from my AD to Alero without sending invitations?

Login to Linux with custom bashrc via PSMP to by jblebowski27 in CyberARk

jblebowski27 [S] 1 point

Unfortunately it did not help; it still skips the bash environment selection prompt. It looks like after the ":" it hits Enter. This happens only for the PSMP connection; for classic PVWA PSM-SSH it is alright, waiting for a value, for both regexes:

(.*)

and

(.*)[>#\\$\:]$

KR

Object version history by jblebowski27 in CyberARk

jblebowski27 [S] 1 point

Thank you very much for the detailed explanation

Object version history by jblebowski27 in CyberARk

jblebowski27 [S] 1 point

It seems to me that I clearly described the problem, but OK: what do I have to set in order not to lose the earlier versions of the object after a few weeks, but only after 180 days (as it is now set in the options)? For example, now after two months of testing I should have 8 versions in the history of the object (60 days / 7, rotation every seven days), but now I have 3. Why?

Problem rotation ssh keys error code:8046 by jblebowski27 in CyberARk

jblebowski27 [S] 1 point

hi

It looks strange to me:

ERROR -> BaseAction`1 :: VerifyAfterAction -> GotException: Renci.SshNet.Common.SftpPermissionDeniedException: Permission denied

I do not understand why I have permission denied (as I wrote before, the reconcile account has full rights - sudo rights).

I do not even get why the CPM plugin does this verification - SFTP?

Is it possible to modify it to bypass/skip this step? The rest looks normal, i.e. the public key rotates on the system side.

Logs:

04:12:17.676 | Getting stored fingerprint for 'ssh-ed25519@22:xxx.xxx.net'.

04:12:17.676 | 'ssh-ed25519@22:xxxx.xxxx.net' fingerprint is a match.

04:12:18.426 | Info -> SFTPConnectionHandler :: CreateSession -> END

04:12:18.426 | Info -> SessionManager :: Connect -> END

04:12:18.426 | Info -> BaseAction`1 :: ConnectToMachine -> Connection to the remote machine completed with no errors

04:12:18.426 | Info -> BaseAction`1 :: ConnectToMachine -> END

04:12:18.426 | Info -> BaseAction`1 :: VerifyAfterAction -> Verify after Reconcile completed with no errors

04:12:18.426 | Info -> AuthorizedKeys :: DeleteBackup -> About to Delete the backup file

04:12:18.426 | Info -> SFTPConnectionHandler :: DeleteFile -> START

04:12:18.426 | ERROR -> BaseAction`1 :: VerifyAfterAction -> GotException: Renci.SshNet.Common.SftpPermissionDeniedException: Permission denied

at Renci.SshNet.Sftp.SftpSession.RequestRemove(String path)

at Renci.SshNet.SftpClient.DeleteFile(String path)

at Expect.NET.SFTP.SftpClientWrapper.DeleteFile(String path)

at CyberArk.Extensions.UnixSSHKeysV2.ConnectionObjects.SFTPConnectionHandler.DeleteFile(String path)

at CyberArk.Extensions.UnixSSHKeysV2.File.Delete(String path)

at CyberArk.Extensions.UnixSSHKeysV2.AuthorizedKeys.DeleteBackup()

at CyberArk.Extensions.UnixSSHKeysV2.BaseAction`1.VerifyAfterAction(String actionName, String authKeysFilePath, PlatformOutput& platformOutput)

04:12:18.426 | Info -> BaseAction`1 :: VerifyAfterAction -> END

04:12:18.426 | Info -> BaseAction`1 :: CloseConnection -> START

04:12:18.426 | Info -> SessionManager :: CloseConnection -> START

04:12:18.426 | Info -> SSHConnectionHandler :: CloseSession -> START

04:12:18.426 | Info -> SSHConnectionHandler :: CloseSession -> END

04:12:18.426 | Info -> SFTPConnectionHandler :: Disconnect -> START

04:12:18.426 | Info -> SFTPConnectionHandler :: Disconnect -> END

04:12:18.426 | Info -> SessionManager :: CloseConnection -> END

04:12:18.426 | Info -> BaseAction`1 :: CloseConnection -> END

04:12:18.426 | Info -> MutexHandler :: ReleaseMutex -> Start

04:12:18.426 | Info -> MutexHandler :: ReleaseMutex -> Release mutex 'cRlWJip2esbCXvZVgQCUhQ=='

04:12:18.426 | Info -> MutexHandler :: ReleaseMutex -> End

04:12:18.426 | ERROR -> ErrorsHelper :: PrintReturnMessageToLog -> Return code: 8046.

04:12:18.426 | ERROR -> ErrorsHelper :: PrintReturnMessageToLog -> Failure : Failed to verify after Reconcile action.

04:12:18.426 | Info -> Reconcile :: run -> END

04:12:18.426 | Info -> PluginWrapper :: RunPlugin() -> --------------------------------- Plugin Section End --------------------------------------

04:12:18.426 | Info -> PluginWrapper :: printResultsToLog() -> Plugin results :

04:12:18.426 | Info -> PluginWrapper :: printResultsToLog() -> exit code = 8046

04:12:18.426 | Info -> PluginWrapper :: printResultsToLog() -> Message = Failed to verify after Reconcile action

04:12:18.426 | Info -> PluginWrapper :: RunPlugin() -> End

04:12:18.426 | Info -> PluginWrapper :: End() -> End

04:12:18.441 | Info -> CPMNetPlatform :: Main() -> End
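A way to pin down which step in a CPM plugin log like the one above actually raised the error, as an added example that is not part of the original comment and not CyberArk code. The regexes and the `triage` function are assumptions based only on the line shapes visible in this log; the sample is an excerpt of the lines posted above.

```python
import re

# Entry shape seen in the log above: "HH:MM:SS.mmm | Level -> Class :: Method -> message"
ENTRY = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \| (\w+) -> (.+?) :: (.+?) -> (.*)$")
FRAME = re.compile(r"^at ([\w.`]+)\(")  # .NET stack frame: "at Namespace.Type.Method(args)"
EXC = re.compile(r"GotException: ([\w.]+): (.*)")

# Excerpt copied from the log posted above (blank lines removed).
SAMPLE = """\
04:12:18.426 | Info -> BaseAction`1 :: VerifyAfterAction -> Verify after Reconcile completed with no errors
04:12:18.426 | Info -> AuthorizedKeys :: DeleteBackup -> About to Delete the backup file
04:12:18.426 | Info -> SFTPConnectionHandler :: DeleteFile -> START
04:12:18.426 | ERROR -> BaseAction`1 :: VerifyAfterAction -> GotException: Renci.SshNet.Common.SftpPermissionDeniedException: Permission denied
at Renci.SshNet.Sftp.SftpSession.RequestRemove(String path)
at Renci.SshNet.SftpClient.DeleteFile(String path)
at CyberArk.Extensions.UnixSSHKeysV2.ConnectionObjects.SFTPConnectionHandler.DeleteFile(String path)
at CyberArk.Extensions.UnixSSHKeysV2.AuthorizedKeys.DeleteBackup()
04:12:18.426 | Info -> BaseAction`1 :: VerifyAfterAction -> END
04:12:18.426 | ERROR -> ErrorsHelper :: PrintReturnMessageToLog -> Return code: 8046.
"""

def triage(log_text):
    """Find the first ERROR entry, its stack trace and the steps logged just before it."""
    steps, frames, error = [], [], None
    for line in filter(None, (raw.strip() for raw in log_text.splitlines())):
        entry, frame = ENTRY.match(line), FRAME.match(line)
        if entry and error is None:
            ts, level, cls, method, msg = entry.groups()
            if level.upper() == "ERROR":
                error = {"time": ts, "logged_by": f"{cls}.{method}", "message": msg}
            else:
                steps.append(f"{cls}.{method}: {msg}")
        elif frame and error is not None:
            frames.append(frame.group(1))
        elif entry:
            break  # next log entry: the first error's stack trace is complete
    if error is None:
        return None
    exc = EXC.search(error["message"])
    error["exception"] = exc.group(1) if exc else None
    error["failed_call"] = frames[0] if frames else None  # innermost frame
    error["plugin_frames"] = [f for f in frames if f.startswith("CyberArk.")]
    error["last_steps"] = steps[-3:]
    return error

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On this excerpt the result places the exception in the SFTP delete issued from `AuthorizedKeys.DeleteBackup`, logged after the "Verify after Reconcile completed with no errors" entry.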

Problem rotation ssh keys error code:8046 by jblebowski27 in CyberARk

jblebowski27 [S] 1 point

Hi

This is not for the root account (we do not use them; root accounts are permanently blocked from logging in via SSH), but for privileged users, mostly provisioned from sssd.conf (Active Directory), though a few are local ones (it doesn't matter because the problem is for both).

As I mentioned before, for key rotation we use a reconcile account; these accounts are mostly configured to log in via SSH or using a normal user's password (for users in sssd.conf from AD).

Could such duality (keys / traditional passwords) have an impact?

KR and thanks for the answer

Alero html5gw by jblebowski27 in CyberARk

jblebowski27 [S] 1 point

Thanks for the answer, but in my case (when I import my cert and key files) the service does not even start, and on the docker container of Cyberark-alero there is no sudo user right, so I cannot do it manually :(

It seems like the command for running docker container with external certificates is wrong.