PAM Decommission

Article ID: 193660

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

As there is no dedicated PAM decommission documentation, this document covers some topics that may be relevant when PAM has to be decommissioned from an installation.

Environment

Product: Layer 7 Privileged Access Manager
Version: 3.x

Resolution

  • How can PAM session recordings be played back after the decommission, for example in case of an audit?
    Session recordings can only be played back from the appliance that recorded them, so one PAM Appliance belonging to the cluster has to be kept for the duration of the session recording retention period. It can normally be kept switched off and switched on only when necessary.
  • Software to uninstall.
    The PAM infrastructure is mainly based on the PAM Appliances themselves, so they must be properly shut down when decommissioning.
    However, other pieces of software may optionally have been installed on other computers, and they should also be uninstalled:
      ◦ PAM Client and PAM Agent installed on the PAM operators' workstations.
      ◦ Socket Filter Agents on the devices that required them.
      ◦ PAM Management Console.
      ◦ MySQL tables on the external log server, if any.
      ◦ PAM Windows Proxy on the Windows computers requiring it.
  • Stop the password rotation and collect all the current passwords.
    Otherwise you will no longer be able to access the managed devices.
  • Make a backup copy of the database on the primary-primary node.
    This keeps everything in place in case the system should have to be restarted.
  • Make sure the cluster is healthy before shutting down the system.
    First turn the cluster off, and then shut down the appliances in that state. This allows a safer PAM restart if it is ever needed.