Latest Posts

CyberArk PAS HA, Backup, Failover and Failback Process

PAM Solution High Availability Design Sample
CyberArk Privileged Session Management (PSM) is a popular central control point that helps to protect target systems that are accessed by privileged accounts users throughout your data center. It usually works in conjunction with the CyberArk market-leading Privileged Identity Management Suite, an enterprise and a policy based solution that enforces, manages and secures workflows and procedures for all shared and privileged accounts in data centers.



High Availability or Load Balancing

For PVWA - HA
PVWA is using IIS. The easiest way to do load balancing for PVWA is using DNS round robin method as show in following screenshot:

To redirect iis homepage, set following error code redirect configuration based on your PVWA url:

For CPM - Manual Load Balancing
You can have multiple CPM installed in a distributed environment, unfortunately it does not support high availability. It can be configured load balancing manually, which means you can use one CPM to manage certain amounts safes or accounts, and another CPM can handle other amount of safes and accounts. Typical implementation is one CPM handles Windows accounts, another CPM handles *NIX accounts.

For PSM - HA



For Vault - HA (DR)




Backup - PAReplicate


Backup.cmd File at C:\Program Files (x86)\PrivateArk\Replicate

PAReplicate.exe vault.ini /logonFromFile user.ini /fullbackup /tsparmfile tsparm.ini
















DR Failover


Scenario:
 - PROD Vault is down
 - DR Vault has started

Pre-configuration:
Both PVWA has configured to use PROD Vault and DR Vault. It will automatically to detect alive vault by record order and make a connection to it.
On DR PVWA, first record for valut is DR vault. On Prod PVWA, first record is PROD vault.

Failover procedure:
1. Navigate to DR PVWA UI - 10.1.7.18/PasswordVault
2. Login as Admin2 (ie.)

3. Browse to System Configuration -> Platform Management -> Platform Name -> Edit
 - Edit UI& Workflows -> Privileged Session Management:



Change ID to PSMServer object name (As defined in Options -> Privileged Session Management -> Configured PSM Servers

Prod Failback

Please refer to following CyberArk article:
How to perform a manual DR Failover (Backup Link)

Failback to prod PVWA and PSM procedures:

1.  Start the PROD Vault using PrivateArkServer Console on the desktop of the Vault


2.  Stop the DR VAult server using PrivateArkServer Console on the desktop of the DR VAult


3.  Open c:\Program files(x86)\PrivateArk\PADR\conf\padr.ini and edit the file:




FailoverMode=Yes  ->  Change Yes to No
NextBinaryLogNumberToStartAt=0 - Remove this line
LastDataReplicationTimestamp=1570820901835879 -> remove this line

Save the file.

3.  Start the Cyberark Disaster Recovery Service on the DR VAult.


4.  Confirm replication by navigating to c:\Program files(x86)\PrivateArk\PADR\logs\padr.log.  Open this file to confirm:
[11/10/2019   15:37:22.532136]    ::    PADR0010I Replicate ended.
[11/10/2019   15:37:23.534770]    ::    PADR0099I Metadata Replication is running successfully.

Above two lines appears at the end of the padr.log file



5. log into primary pvwa UI and edit the platforms to change the UI & Workflows-> Privileged Session Management ID to the PROD PSM server (PSMServer)




No comments