Are the PAM Configuration Settings Unique On Each Cluster Member


Article ID: 126332


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction



What happens if the configuration menus are not populated the same on all cluster members?

Environment

PAM cluster running any supported release.

Resolution

The configuration menus must be populated on each cluster member. Many of these settings are not replicated throughout the cluster. As you go through the Configuration pages, you will see a globe icon to the left of some page titles. The pages that have this icon are replicated through the cluster.

It is necessary to look at each page to understand what a configuration difference between the cluster members means in practice. For example, if the cluster members point to different recording mounts, the recordings will only be viewable on cluster members that point to the same recording mount. This can be confusing, because the information about the recordings is replicated: the list of recordings should be the same on all cluster members, but you will not be able to view a recording if it was written to a different location than the one used by the cluster member to which you are connected.

That is why it is recommended to use the same recording mount for all systems. Whether this is practical will depend on the throughput between each PAM instance and the recording server. The other option would be to copy recordings to all the recording mounts outside of PAM, so that they are present on the mount which a given PAM instance uses. This is not very cost effective, but it would meet the need if multiple mounts are required.

The Session Logs are unique to each PAM system. Configuring a Syslog or Splunk server is a way of centralizing all such messages. Configuring different Syslog or Splunk servers on different cluster members would defeat this purpose.

Each PAM instance would need to be configured for SNMP. Typically, the same SNMP network management server would be used on all members of the cluster, but it would be possible for different network servers to be specified on each.

The other items under Configuration would have similar effects if configured differently.