Starting and stopping the product


As the system administrator, you can start, stop, and recover the BMC AMI Security Privileged Access Manager product by using various methods.

Starting PAM

To start PAM, use the following standard MVS start command:

S memberName

Replace memberName with the name of the member that you copied from the RSSSAMP library to your procedure library, for example, PAMPROC.

You can start PAM in the following ways:

Cold start

When you perform a cold start, PAM starts in an initialized state without restoring the previous user states.

To perform a cold start, in the PAM EXEC PARM, define 'START=COLD'.

During a cold start, based on the project type, PAM performs the following actions in sequence:

Project    Actions
Userpool
  1. Identifies all user IDs connected to the project’s RACF group (via the RACFGroup parameter), links these user IDs to the project, and makes them available for use.
  2. Resets and revokes all identified user IDs on the master and all connected agent systems.
Self-elevation
  1. Identifies all user IDs connected to the project’s RACF group (via the RACFGroup parameter). These are user IDs that might have their self-elevation sessions active.
  2. Disconnects all identified user IDs from the project’s ConnectGroup and RACFGroup.

Warm start

When you perform a warm start, PAM starts in an initialized state and restores the user states as they were at shutdown.

To perform a warm start, in the PAM EXEC PARM, define 'START=WARM'.

During a warm start, PAM performs the following actions in sequence for both project types:

Project    Actions
Userpool
  1. Identifies all user IDs connected to the project’s RACF group (via the RACFGroup parameter) and links these user IDs to the project.
  2. Restores user states of PAM user records, from the checkpoint records, in the following manner:
    • User IDs that are in ActiveOnTerm defined projects and were in the InUse state at shutdown are restored to InUse, and the user ID access is retained.
    • User IDs that are not in ActiveOnTerm defined projects and were in the InUse state at shutdown are restored to the PasswordWait state, and the user IDs are reset and revoked. To use the user IDs again after the restart, requesters must restore the user IDs to an active state by using the Set Password button.
    • User IDs in other states are restored to the state that they were in at shutdown.
  3. User IDs that didn't require a restore are reset and initialized as in a cold start.
Self-elevation

For more information on using the warm start feature to restore a PAM session, see Recovering PAM environments.
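The userpool start rules above can be modelled to predict which user IDs come back with access after a restart. This is an added example, not BMC code: the checkpoint record layout, the sample user IDs, and the "Initialized" label (a placeholder for a reset-and-revoked ID, not a PAM state name) are assumptions.

```python
# Added illustration of the documented userpool start rules; not BMC code.
# Record layout and sample IDs are constructed. "Initialized" is a
# placeholder label for a reset-and-revoked ID, not a PAM state name.
from dataclasses import dataclass


@dataclass(frozen=True)
class Checkpoint:
    state: str            # state at shutdown, e.g. "InUse" or "PasswordWait"
    active_on_term: bool  # project sets AccessRetention ActiveOnTerm


def outcome(cp, start_mode):
    """Return (state_after_start, in_use_access_retained) for one user ID."""
    mode = start_mode.upper()
    if mode not in ("COLD", "WARM"):
        raise ValueError(f"unknown START value: {start_mode!r}")
    if mode == "COLD" or cp is None:
        # Cold start, or warm start with nothing to restore: reset and revoke.
        return ("Initialized", False)
    if cp.state == "InUse":
        if cp.active_on_term:
            return ("InUse", True)      # access retained across the restart
        return ("PasswordWait", False)  # reset and revoked; Set Password needed
    return (cp.state, False)            # other states come back unchanged


def plan_start(group_members, checkpoints, start_mode):
    """Map every ID connected to the project's RACF group to its outcome."""
    return {uid: outcome(checkpoints.get(uid), start_mode)
            for uid in group_members}


def retained(plan):
    """IDs that kept InUse access while PAM was down; review these first."""
    return sorted(uid for uid, (_, kept) in plan.items() if kept)


# Constructed sample: PAMU004 has no checkpoint record.
MEMBERS = ["PAMU001", "PAMU002", "PAMU003", "PAMU004"]
CHECKPOINTS = {
    "PAMU001": Checkpoint("InUse", True),
    "PAMU002": Checkpoint("InUse", False),
    "PAMU003": Checkpoint("PasswordWait", False),
}

if __name__ == "__main__":
    for mode in ("WARM", "COLD"):
        plan = plan_start(MEMBERS, CHECKPOINTS, mode)
        print(mode, plan, "retained:", retained(plan))
```
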

Stopping PAM

To stop PAM, use one of the following methods:

  • Use a standard MVS purge command:
    P memberName
  • Use a SHUTDOWN command through the MVS MODIFY (F) command:
    F memberName,SHUTDOWN

Replace memberName with the name of the member that you copied from the RSSSAMP library to your procedure library, for example, PAMPROC. You don't need a confirmation about the successful running of either command, and the product address space shuts down immediately.

To prevent the unauthorized use of PAM-controlled elevated access while PAM is down, PAM performs the following actions at shutdown:

  • Resets and revokes all user pool IDs that are in use and returns them to the PasswordWait state.
  • Disconnects all ConnectGroups from self-elevated user IDs.

If you need to retain access to the active user pool or self-elevation sessions for a project during shutdown, specify the AccessRetention ActiveOnTerm parameter in the project configuration. However, PAM can't control these active elevations while it is down.

If the product does not shut down normally, use the following cancel command:

C memberName

Where to go from here

To start using the product, see Using.

For more information about recovering the product, see Recovering PAM environments.

BMC AMI Security Privileged Access Manager 2.3