Recovering PAM environments


To restore the product state that existed at shutdown, restart the BMC AMI Security Privileged Access Manager (PAM) master server by performing a warm start. You can also restart and restore the master instance on a system different from the one on which it ran earlier.

Restoring user ID requests

After a warm start, PAM restores active user ID requests as follows:

  • Requests in the Pending approval state remain in Pending approval.
  • Requests in the Pending accept state remain in Pending accept.
  • Requests in the In Use state are restored as follows:
    • User IDs in projects that have the AccessRetention ActiveOnTerm parameter defined are retained in the InUse state.
    • User IDs in projects that do not have the AccessRetention ActiveOnTerm parameter defined are restored to the PasswordWait state.

After PAM restores an ActiveOnTerm InUse user ID, the following message is displayed in the PAM started task (STC) log:

PAM0446I BMC PAM: projectName    User projectUserID  Access by logonUserID retained

After PAM restores other user IDs, the following message is displayed in the PAM started task (STC) log:

PAM0446I BMC PAM: projectName    User projectUserID  Access by logonUserID restored

Recovering a PAM environment on a new master system

After a restart, if you restore PAM on a new master system, PAM restores requests that were active on the old master system to the new master system and displays the following message:

PAM0517I BMC PAM: projectName    User projectUserID  Previous master oldMasterSystem state restored to new master newMasterSystem

If PAM restores a user ID from an ActiveOnTerm-enabled user pool project on a new master system, requesters' password reusability for that user ID depends on the following conditions:

  • If the new system shares RACF databases with the previous system, requesters can reuse their passwords.
  • If the new system does not share RACF databases, requesters might not be able to reuse their passwords.

If you recover PAM on a new master system, we recommend that requesters set a new password on the new master system by using the Reset Password button. To remind requesters to set a new password, PAM displays the following message in the STC:

PAM0518I BMC PAM: projectName    User projectUserID  Activeonterm user restored to new env - validate password
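One defender-side use of the PAM0446I, PAM0517I and PAM0518I messages is to reconcile, from the STC log, which user IDs a warm start retained in the InUse state, which went back to PasswordWait, which were moved to a new master system, and which requesters must validate a password. The following Python is an added example, not BMC's own code: the message layouts follow the text above, and the sample log lines are constructed (project, user ID and system names are made up).

```python
import re

# Constructed sample STC log lines following the message layouts quoted above;
# the last line is an unrelated message that the parser must ignore.
SAMPLE_STC_LOG = """\
PAM0446I BMC PAM: PAYROLL    User PAYADM01  Access by JSMITH retained
PAM0446I BMC PAM: PAYROLL    User PAYADM02  Access by AJONES restored
PAM0517I BMC PAM: PAYROLL    User PAYADM01  Previous master SYSA state restored to new master SYSB
PAM0518I BMC PAM: PAYROLL    User PAYADM01  Activeonterm user restored to new env - validate password
IEF403I PAMSTC - STARTED
"""

# One pattern per recovery message, with named fields for the variable parts.
PATTERNS = {
    "PAM0446I": re.compile(r"^PAM0446I BMC PAM: (?P<project>\S+)\s+User (?P<user>\S+)\s+"
                           r"Access by (?P<logon>\S+) (?P<outcome>retained|restored)$"),
    "PAM0517I": re.compile(r"^PAM0517I BMC PAM: (?P<project>\S+)\s+User (?P<user>\S+)\s+"
                           r"Previous master (?P<old>\S+) state restored to new master (?P<new>\S+)$"),
    "PAM0518I": re.compile(r"^PAM0518I BMC PAM: (?P<project>\S+)\s+User (?P<user>\S+)\s+"
                           r"Activeonterm user restored to new env - validate password$"),
}

def parse_line(line):
    """Return (message id, fields) for a recognised PAM recovery message, else None."""
    for msgid, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            return msgid, m.groupdict()
    return None

def summarize_recovery(log_text):
    """Group restored user IDs by what the warm start did with them.

    retained: kept InUse (ActiveOnTerm projects), restored: put back to PasswordWait,
    migrated: moved from an old master to a new one, validate: password must be checked.
    """
    out = {"retained": [], "restored": [], "migrated": [], "validate": []}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msgid, f = parsed
        key = f"{f['project']}/{f['user']}"
        if msgid == "PAM0446I":
            out[f["outcome"]].append((key, f["logon"]))
        elif msgid == "PAM0517I":
            out["migrated"].append((key, f["old"], f["new"]))
        else:
            out["validate"].append(key)
    return out
```

Running summarize_recovery(SAMPLE_STC_LOG) lists PAYROLL/PAYADM01 as retained, migrated from SYSA to SYSB and needing password validation, and PAYROLL/PAYADM02 as restored to PasswordWait.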

Exporting checkpoint files

When you recover PAM on a new master system, ensure that the new system can access the PAM checkpoint file. If the new system does not share file systems with the old system, transmit the checkpoint file to the new system by using the following sample jobs in the RSSSAMP library:

Job name    Description
PAMCKEXP    Customize this job and use it to send the checkpoint file from the old system to the new system.
PAMCKIMP    After you receive the checkpoint file on the new system, use this job on the new system to set up the checkpoint file.

After you run both of these jobs, the checkpoint file is available on the new master system for the PAM STC to use.


BMC AMI Security Privileged Access Manager 2.3