
Functionality when all Primaries are down


Article ID: 243641




CA Privileged Access Manager (PAM)


What happens in PAM when all primaries are down?


Release : 4.0.x



When a cluster is in "Operational Safe" mode and all the primaries in your Primary Cluster are down while you still have secondaries, you will get the following message in session logs during that time period:

PAM-CMN-1080: Unauthorized attempt to add a message to the audit log: Code: PAM-CMN-5164 Parameters: 
Message:  PAM-CMN-5164: Could not get the IP of the king of the Group Replication

During the time period it is down, we also send the following messages to Splunk:

PAM-CM-0615: Primary site is unavailable. Any workflow tasks associated with the account's password view policy (dual authorization, change password, or check-in/checkout) have not been performed..

So the user will be able to auto-connect or view the password without the password view policy (PVP) workflow taking place.

However, PAM will also forward the following message to Splunk:

PAM-CMN-1420: Auto-login initiated with target account Name : root and target account Id : 35001

with the servername:

hostname=dedke01-pam40a (Secondary servername) ,log_id=5400002,trans_type=connection,created=2022-06-08 17:41:20,ip_source=<ip address>,u_name=super,dom_name=<ip address>,port=,task_name=SSH,detail=PAM-CMN-1420: Auto-login initiated with target account Name : root and target account Id : 35001 .,local_ip_source=<ip address> ,public_ip_source=,s_name=,hostID=24001,extlog_sent=0,sessionID=0,h_id=<target device name>,target_account=root,pvr_id=4001,machine_id=E05C6EAE95BDD806A96DC1C0EACEE8C9108414A9
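
The following added example (not part of the original article and not PAM's own code) shows one way to review forwarded events for access that happened while the password view policy was not enforced: it parses the key=value layout shown above and reports PAM-CMN-1420 auto-logins on a node that reported PAM-CM-0615 shortly before. The host names, the 30-minute window and the assumption that PAM-CM-0615 arrives in the same key=value layout are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed events in the key=value layout of the article's Splunk line.
# Host names, users, IDs and the PAM-CM-0615 event layout are assumptions.
SAMPLE_EVENTS = [
    "hostname=pam-sec-01,log_id=101,created=2022-06-08 17:40:02,u_name=super,"
    "detail=PAM-CM-0615: Primary site is unavailable. Any workflow tasks associated "
    "with the account's password view policy (dual authorization, change password, "
    "or check-in/checkout) have not been performed..,h_id=db01,target_account=root",
    "hostname=pam-sec-01,log_id=102,created=2022-06-08 17:41:20,u_name=super,"
    "task_name=SSH,detail=PAM-CMN-1420: Auto-login initiated with target account "
    "Name : root and target account Id : 35001 .,h_id=db01,target_account=root",
    "hostname=pam-pri-01,log_id=103,created=2022-06-09 09:00:00,u_name=alice,"
    "task_name=SSH,detail=PAM-CMN-1420: Auto-login initiated with target account "
    "Name : root and target account Id : 35001 .,h_id=db01,target_account=root",
]

WINDOW = timedelta(minutes=30)  # assumed correlation window, tune to your outage


def parse_event(line):
    """Split on commas that start a new key=, so commas inside detail survive."""
    fields = {}
    for part in re.split(r",(?=\w+=)", line.strip()):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["code"] = fields.get("detail", "").split(":", 1)[0]
    fields["when"] = datetime.strptime(fields["created"], "%Y-%m-%d %H:%M:%S")
    return fields


def find_unreviewed_access(lines, window=WINDOW):
    """Return auto-logins made on a node that reported PAM-CM-0615 within window."""
    last_outage = {}  # hostname -> time of latest PAM-CM-0615
    findings = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["when"]):
        host = ev["hostname"]
        if ev["code"] == "PAM-CM-0615":
            last_outage[host] = ev["when"]
        elif ev["code"] == "PAM-CMN-1420" and host in last_outage:
            if ev["when"] - last_outage[host] <= window:
                findings.append((host, ev["u_name"], ev["target_account"], ev["h_id"]))
    return findings


if __name__ == "__main__":
    for finding in find_unreviewed_access(SAMPLE_EVENTS):
        print("auto-login without PVP workflow:", finding)
```

Each finding is a session to review after the primary site is restored, since the dual authorization, password change or check-in/checkout steps tied to that account were skipped.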


Additional Information

If you don't want this to happen, then you need to either:

  • Promote the secondary site to a primary, or
  • Configure the cluster with "Security Safe", which will allow no password checkouts, views, or auto-connections until the cluster is fully operational.