In PAM, Cipher Block Chaining (CBC) mode is enabled by default. Disabling this mode in PAM, ensures CBC mode is not used for communication by product components such as PAM Manager, PAM Agent, PAM Administration Console, PAM User Console, and target applications.
IMPORTANT:
When you disable CBC Mode:
It is disabled immediately on all the managers that have the registry module.
The primary registry manager is disabled first, followed by the other registry managers, and then the associated agents. Automatic re-registration of agents happens once in two days. Therefore, it may take up to two days for CBC Mode to be disabled automatically on all the agents.
For agents in Offline state, CBC Mode will be disabled only after the status changes to Online and the agents are re-registered with the manager.
Prerequisites:
Ensure that all the packages are upgraded to the latest version on all PAM agents and managers.
To disable CBC mode:
Log in to the PAM Administration Console.
Click Hosts > Host Status, and then click Disable next to CBC Mode.
(Conditional) To disable CBC mode immediately on agents, re-register agents manually. For more information about re-registering agents manually, see the Privileged Account Manager Administration Guide.