CyberArk Vault Disaster Recovery Service Installation and Configuration - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Monday, July 13, 2020

CyberArk Vault Disaster Recovery Service Installation and Configuration

The Disaster Recovery Vault is the PrivateArk Server service that is installed on the Disaster Recovery machine. It is an updated replication of the Production Vault and can be activated either automatically or manually in the case of a Disaster Recovery situation. This post is to summarize the steps to set up CyberArk Vault DR service. 
Related Post:

Here are some concepts for Disaster Recovery Vault copied from CyberArk Website:

Disaster Recovery Concepts

The CyberArk Vault Disaster Recovery service

This is an automatic service that is responsible for the 3 major recovery tasks:
Failover Check – Checking that the Production Vault is up and running.
The network availability check is carried out using the ICMP echo protocol (“Ping”) from the Disaster Recovery Vault.
Data Replication – Replicating the external files (Safes files and Safes folders) from the CyberArk Production Vault to the Disaster Recovery Vault.
The Data Replication will be executed according to the settings in the Disaster Recovery configuration file (PADR.ini).
Metadata Replication – Replicating the metadata files based on exports (full backup) and binary logs (incremental backups). Metadata replication from the Vault to the Disaster Recovery Vault occurs at the completion of each event.
Failover Process – If the Production Vault is down or the Production site is unavailable, meaning that there is no network connection between the two Servers, a Failover is carried out on the Disaster Recovery Vault.
The decision regarding when a Failover should be carried out is evaluated using predefined parameters in the PADR.ini parameters file.
After the Failover, the ‘PrivateArk Server’ service on the Disaster Recovery machine will be modified for Automatic startup.
Network Failover (loss of communication between the Production Vault and the Disaster Recovery Vault while the Production Vault is still up and running) will cause the Disaster Recovery Vault to start automatically even though it is not a Disaster Recovery situation
The parameter files (DBParm.ini and other ini files) are not replicated due to optional hardware changes and different Vault configuration.

Prerequisites to the DR Vault Installation

1  Keys – Use the same CyberArk keys as in the Production Vault. (Operator CD)

2  Use the same CyberArk Vault Server version as the Production Vault.

3  Network Time Protocol - The DR Vault must be synchronized with the organization’s NTP server to ensure that the Vault’s activity is in synch with records on all other servers. 

4  Customer License - Use the DR Vault license.xml file provided by your CyberArk support representative especially for the DR Vault.

Notes: If your Safes are on an NTFS partition, the replicated Safes should also be on an NTFS partition, and not FAT/FAT3.

Pre-Installation of DR Service

This process is for non-HA Environment. 
Note: Make sure you have copied over Vault Server & Client Installation files on DR server.
1 On the Disaster Recovery machine, install a CyberArk Vault Server and PrivateArk Client, as described in Install the CyberArk Vault.
Some important points for installation Vault server:

  • Upgrade system to latest before changing network settings. . 
  • Install .net framework 4.5. If not, Vault Server will install for you then reboot system to continue vault installation.
  • Remove DNS settings / Gateway Settings
  • Remove all tcp/ip protocol except tcp/ip v4 & tcp/ip v6 if tcp/ip v6 can not be removed. 
2 After you have installed the CyberArk Vault Server & Client on the DR site, start the DR Vault and check that it is up and running, even though it is an empty Vault.

3 Stop the CyberArk Vault Server on the DR site.

Installation of DR Service

1 In the installation folder that you copied to the local drive from the installation package at the beginning of Install the CyberArk Vault Server, display the contents of the Disaster Recovery folder.

2 Start the installation procedure:
Double-click Setup.exe
On systems that are UAC-enabled, right-click Setup.exe, then select Run as Administrator.
The Disaster Recovery Vault wizard starts automatically and the CyberArk Installation window is displayed, as shown below.
3 Click Next to proceed to the next step of the Disaster Recovery Vault installation, which enables you to view the Disaster Recovery Vault license and accept the terms of the license agreement.

4 Read the license agreement, then click Yes to accept its terms and proceed to the next step of the installation which enables you to enter user information for licensing purposes.

5 In the Name field, enter your first and last name. In the Company field, enter the name of your organization. Click Next to proceed to the next step of the installation, which enables you to select the folder on the server in which the Disaster Recovery Vault files will be located.

6 Click Next to accept the default location provided by the Disaster Recovery Vault installation, displayed in the Destination Folder area, and proceed to the next step of the installation, or, Click Browse to select another location, and then click Next to proceed to the next step of the installation.

7 The next step of the installation prompts you for a password for the DR User
Note: This User must be an Owner with backup permissions on all of the Safes that the User might need to replicate to the Disaster recovery site. In addition, this User must be an Owner on the system Safe (only with backup permissions). It is recommended to use the ‘DR’ user that has been created in the Vault especially for this purpose.

A user credentials file for automatic logon is created for this Replicate user. This credentials file contains the specified username and an encrypted version of the specified password.

8 Click Next to proceed to the next step of the installation where you specify the Address and the port of the Production Vault.

9 Click Next to proceed to the next step of the installation where you click Finish to complete the Setup. The CyberArk Vault Disaster Recovery service starts automatically when you restart the machine.

Post-Installation of DR Service

1. Check PADR.log for installation logs
2. Enable DR User account
3. Configure DR Vault Environment
4. Specify how frequently the DR Vault will be updated
5. Configure NTP

  1. DR user password has to be reset after you install PADR service, which means you also has to use createcredfile in other side to regenerate user.ini file for replication once you did reset. After that, failover / failback does not need to do reset anymore.
  2. By default, in padr.ini, EnableFailover=Yes. This will enable a automatically failover once PADR service detected primary vault is down (5  times heartbeat detection, about 5 minutes). If for some reasons, you want to have a controlled manual failover, this can be set to no). PADR service will not bring vault server service up even detected a failure on main vault server. 
  3. Extra settings for manual failover, you also has to put a new option into PADR.ini:  ActivateManualFailover=Yes. 
  4. DR service (PADR) will not copy all files changed on primary site, such as dbparm.ini will not be copied over. CA signed certificate for vault also will not copied over. 

Test DR Service Installation

  1. Disable the connectivity between the DR Vault and the Production Vault.
  2. In the PrivateArk Server console, check that the DR Vault has begun working as an active Vault. For details, see Check that the CyberArk Digital Vault started successfully.
  3. In the PrivateArk Client on the DR Vault machine, define the new DR Vault and check that you can access it with the DR user. For more information, refer to Defining a Vault in the Privileged Access Security Implementation Guide.

    Failback to Main Site

    1. Install PADR service if not done that yet. 
    2. Reset DR user
    3. Restart machine, Primary vault will replicated all changes from DR vault
    4. On Primary Vault server, edit PADR.ini  for manual failover
      • Set EnableFailover=No
      • Add the following line: ActivateManualFailover=Yes
    5. Restart PADR service to take this change into effect.

    Reset DR Vault for next failover (Failback)

    This is part of failback process:

      1. On the DR Vault machine, stop the PrivateArk Server service.
      2. In PADR.ini, do the following:
      1. Specify the following parameter:
      1. Delete the following parameters: (it will force a full replication)
      1. Start the CyberArk Vault Disaster Recovery service.
      2. Check the PADR.log file to make sure that a replication was initiated successfully.
      Later, make sure that one full replication and at least one incremental replication were carried out. This may take several hours.

      YouTube Video:


      No comments:

      Post a Comment