What are the limitations for Rest API and Remote CLI operations on secondary site cluster nodes?

Article ID: 130318


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

We are using the PAM REST API and its remote CLI utility to publish data into PAM. The online documentation is not very clear about which operations are supported on secondary sites of a PAM cluster. Right now we are publishing data to the master node, the first node in the primary site, but we may have to promote another site to primary site at some point in the future.

Can secondary site nodes be used for CRUD operations using the Rest API and remote CLI?

Environment

Any supported PAM release as of April 2019.

Resolution

Secondary site nodes only support read operations. Secondary sites are meant to be used by PAM users, not PAM administrators, and most administrative activities are not allowed there.
If you try Create, Update or Delete operations on secondary site nodes using the REST API, you get an HTTP 403 error with the message: "PAM-CMN-2740: Only read-only REST methods (GET) are allowed on secondary sites."
There is a note on this topic in the online documentation; see the following comment on page https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/external-api-for-integrating-applications/use-the-external-api-programmers:
"Use the External API in a Clustered Environment 
In a clustered environment, use the primary VIP for bulk operations."

Similarly, most Create, Update and Delete operations with the remote CLI return status code 442 on secondary site nodes, with the description "PAM-CM-0608: Unsupported command specified. Command not supported at secondary site".
Some update commands are allowed, such as checkInAccountPassword or forceCheckInAccountPassword. For these commands the online documentation carries the comment "This command can be run on a secondary site"; see e.g. https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/forcecheckinaccountpassword
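The practical consequence of the two error responses above is that an integration which publishes data into PAM must route writes to the primary VIP and should recognize the secondary-site rejection rather than treat it as a generic failure. The following Python is an added example, not CA code: it classifies the REST 403 / PAM-CMN-2740 and CLI 442 / PAM-CM-0608 responses quoted in this article, picks the node for a call based on whether it is a read, and retries a rejected write once against the primary VIP. The REST path, the JSON error body, the XML element names in the CLI output, the `list`/`get`/`search` prefix heuristic and the host names are assumptions made for the example; the error codes and messages are the ones quoted above.

```python
"""Route PAM writes to the primary site and recognize secondary-site rejections.

Added example, not CA/Broadcom code. Assumed (not from the article):
- the REST error body is JSON containing the message text;
- the remote CLI's XML output carries a <status code=".." description=".."/> element;
- CLI commands starting with list/get/search are reads.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Tuple

READ_ONLY_METHODS = {"GET", "HEAD"}
SECONDARY_REST_CODE = "PAM-CMN-2740"   # returned with HTTP 403 for non-GET on a secondary site
SECONDARY_CLI_CODE = "PAM-CM-0608"     # returned with CLI status 442 on a secondary site
SECONDARY_CLI_STATUS = "442"

# CLI update commands the article says are documented as runnable on a secondary site.
SECONDARY_SAFE_CLI_COMMANDS = {"checkInAccountPassword", "forceCheckInAccountPassword"}

# Constructed sample of CLI output for a rejected write (element names assumed).
SAMPLE_CLI_SECONDARY_REJECTION = (
    '<cw.cli><status code="442" description="PAM-CM-0608: Unsupported command specified. '
    'Command not supported at secondary site"/></cw.cli>'
)


def is_secondary_rest_rejection(status: int, body: str) -> bool:
    """True when a REST response is the 403 a secondary site returns for non-GET methods."""
    return status == 403 and SECONDARY_REST_CODE in body


def is_secondary_cli_rejection(cli_xml: str) -> bool:
    """True when remote CLI XML output carries status 442 with PAM-CM-0608."""
    try:
        root = ET.fromstring(cli_xml)
    except ET.ParseError:
        return False
    for el in root.iter("status"):
        if el.get("code") == SECONDARY_CLI_STATUS and SECONDARY_CLI_CODE in (el.get("description") or ""):
            return True
    return False


def pick_rest_node(method: str, primary_vip: str, local_node: str) -> str:
    """Only GET is safe on a secondary site; every other method goes to the primary VIP."""
    return local_node if method.upper() in READ_ONLY_METHODS else primary_vip


def pick_cli_node(command: str, primary_vip: str, local_node: str) -> str:
    """Reads and the documented check-in exceptions may use the local node; other writes go to the VIP."""
    name = command.split()[0]
    if name in SECONDARY_SAFE_CLI_COMMANDS or name.startswith(("list", "get", "search")):
        return local_node
    return primary_vip


# (node, method, path) -> (http_status, body); injected so the example runs offline.
Sender = Callable[[str, str, str], Tuple[int, str]]


def rest_call_with_failover(send: Sender, node: str, primary_vip: str,
                            method: str, path: str) -> Tuple[str, int, str]:
    """Send to `node`; on a secondary-site read-only rejection retry once on the primary VIP.

    Returns (node_used, http_status, body). Any other error is returned untouched so the
    caller does not mask real failures behind a blind retry.
    """
    status, body = send(node, method, path)
    if is_secondary_rest_rejection(status, body) and node != primary_vip:
        status, body = send(primary_vip, method, path)
        return primary_vip, status, body
    return node, status, body


def fake_cluster(primary_vip: str) -> Sender:
    """Constructed stand-in for a PAM cluster: nodes other than the primary VIP reject
    non-GET methods with the 403 / PAM-CMN-2740 response quoted in the article."""
    def send(node: str, method: str, path: str) -> Tuple[int, str]:
        if node != primary_vip and method.upper() not in READ_ONLY_METHODS:
            return 403, ('{"error":"PAM-CMN-2740: Only read-only REST methods (GET) '
                         'are allowed on secondary sites."}')
        return 200, '{"ok":true}'
    return send


if __name__ == "__main__":
    vip, secondary = "pam-primary-vip.example.com", "pam-site2-node1.example.com"
    send = fake_cluster(vip)
    # A write aimed at the secondary node is transparently redirected to the VIP.
    print(rest_call_with_failover(send, secondary, vip, "POST", "/api.php/v1/devices.json"))
    # A read stays on the local (secondary) node.
    print(rest_call_with_failover(send, secondary, vip, "GET", "/api.php/v1/devices.json"))
    print(is_secondary_cli_rejection(SAMPLE_CLI_SECONDARY_REJECTION))
```

The retry is deliberately limited to the one rejection this article documents; a 403 without PAM-CMN-2740 is most likely an authorization problem and is returned to the caller as-is.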

As of 3/31/19 the following generic comment is on page https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/deploying/set-up-a-cluster#SetUpaCluster-Multi-SiteClusterandSecondarySites:

  • Secondary site members are intended to support end-user access rather than global administrative functions. Some local administrative functions are available on Secondary members, including: managing sessions, logs, and recordings; managing password approvals and disaster recovery; some diagnostics; network, and security

We are working with the documentation team to be more explicit about the impact this has on API calls.