We are using The PAM Rest API and its remote CLI utility to publish data into PAM. The online documentation is not very clear about what operations are supported on secondary sites of PAM cluster. Right now we are publishing data to the master node, the first node in the primary site, but we may have to promote another site to primary site at one point in the future
Can secondary site nodes be used for CRUD operations using the Rest API and remote CLI?
Any supported PAM release as of April 2019.
Secondary site nodes only support Read operations. These site are meant to be used by PAM users, not PAM administrators, and most administrative activities are not allowed.
If you try Create, Update or Delete operations on secondary site nodes using the Rest API, you will get a 403 error with message: "PAM-CMN-2740: Only read-only REST methods (GET) are allowed on secondary sites."
We do have a note related to this topic in online documentation, see the following comment on page https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/external-api-for-integrating-applications/use-the-external-api-programmers:
"Use the External API in a Clustered Environment
In a clustered environment, use the primary VIP for bulk operations."
Similarly most CUD operations with the remote CLI will return status code 442 on secondary site nodes with description "PAM-CM-0608: Unsupported command specified. Command not supported at secondary site".
Some update commands are allowed, such as checkInAccountPassword or forceCheckInAccountPassword. For these commands you can find a comment in our online documentation "This command can be run on a secondary site", see e.g. https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/forcecheckinaccountpassword
As of 3/31/19 we have a generic comment on page https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/deploying/set-up-a-cluster#SetUpaCluster-Multi-SiteClusterandSecondarySites: