CyberArk PAM Disaster Recovery PDF
Document Details
Uploaded by FancySarod
CyberArk University
2023
Tags
Summary
This document provides an overview of CyberArk PAM Disaster Recovery procedures, including backup solution deployment and disaster recovery strategies. It includes steps for disaster recovery exercises, and configuration settings.
Full Transcript
PAM Administration Disaster Recovery © 2023 CyberArk Software Ltd. All rights reserved By the end of this session, you will be able to: Agenda 1. Describe the CyberArk PAM...
PAM Administration Disaster Recovery © 2023 CyberArk Software Ltd. All rights reserved By the end of this session, you will be able to: Agenda 1. Describe the CyberArk PAM Disaster Recovery solution 2. Configure and test Disaster Recovery © 2023 CyberArk Software Ltd. All rights reserved Disaster Recovery DR architecture Setup DR Vault failover Component failover Return to primary site © 2023 CyberArk Software Ltd. All rights reserved Architecture © 2023 CyberArk Software Ltd. All rights reserved Disaster Recovery Architecture The Disaster Recovery (DR) Vault is a standalone Disaster Recovery or clustered Vault server Environment with an extra software component installed: the PVWAs CPMs PSMs PSMs PVWAs DR service PSM and PVWA should be deployed at the DR site to provide access to users in the event of a disaster The CPM should never be configured for automatic Primary Replication DR Vault Vault failover © 2023 CyberArk Software Ltd. All rights reserved DR User The DR user is created automatically Primary Vault Disaster Recovery Environment Environment The DR service is installed on the DR Vault Authenticate The DR service on the DR Vault authenticates to the DR User Primary Vault using the Replication DR Service credentials of the DR user to replicate data from the Primary Primary Vault to the DR Vault DR Vault Vault © 2023 CyberArk Software Ltd. All rights reserved The DR Service and User The DR service runs on the DR Vault The DR user authenticates to the Primary Vault from the DR Vault as a user with permissions to: ⎼ Backup All Safes c ⎼ Restore All Safes The built-in DR user has these permissions by default © 2023 CyberArk Software Ltd. All rights reserved Enhanced DR Replication In the past, the replication of passwords was done based on an interval defined in the DR configuration file In version 9.3, the DR replication process was enhanced to ensure faster replication of passwords and improved consistency between production and DR sites Replicating the current passwords to DR sites is now done instantly and in parallel to files/recordings replication in order to avoid delays In the new replication mechanism, metadata (which includes the current passwords) is pushed from the production Vault to the DR sites as it is created © 2023 CyberArk Software Ltd. All rights reserved Enhanced DR Replication Database synchronization Near real-time Primary Vault Disaster Recovery Environment Environment Synchronization Database Database DR Service Replication DR User (1) DR User (1) Primary DR Vault Vault © 2023 CyberArk Software Ltd. All rights reserved Set up Disaster Recovery © 2023 CyberArk Software Ltd. All rights reserved Enable Data and Metadata Synchronization When a failover occurs (automatic or manual), the DR service first synchronizes the information in its database with the information in the Safe data files This is enabled in the configuration file padr.ini with the default setting EnableDbsync=Yes © 2023 CyberArk Software Ltd. All rights reserved Setup Data Replication Interval The ReplicateInterval parameter determines the length of time between synchronizations of the Vault file system, which by default is 3,600 seconds (or one hour) © 2023 CyberArk Software Ltd. All rights reserved Vault Failover © 2023 CyberArk Software Ltd. All rights reserved Automatic Failover Automatic failover is switched on with the parameter EnableFailover=Yes The CheckInterval indicates the DR Vault will contact the Primary Vault every 60 seconds. If it fails… it will try again 4 times… once every 30 seconds After which, the DR Vault considers that the Primary is down and it goes into DR mode © 2023 CyberArk Software Ltd. All rights reserved Manual Failover To configure the DR Vault for manual failover, padr.ini should be configured as follows during normal operations: EnableFailover to No (disables auto failover). EnableDbsync to Yes (default setting). ActivateManualFailover to No. In this configuration, the DR Vault will not accidentally failover if the DR service is restarted © 2023 CyberArk Software Ltd. All rights reserved Manual Failover To perform a proper manual failover, set the parameter ActivateManualFailover to Yes and then restart the DR service. On start up, the service reads its config file, sees the manual failover parameter is set to Yes, and immediately starts the failover process. © 2023 CyberArk Software Ltd. All rights reserved The Failover Process Connection fails Retry attempts, failover started Data synchronization Start PrivateArk Stop ServerDisaster Recovery service © 2023 CyberArk Software Ltd. All rights reserved Component Failover © 2023 CyberArk Software Ltd. All rights reserved Setup Component Failover It is possible to configure components to failover automatically to the DR Vault by configuring addresses for both the Primary and DR Vaults in the Vault.ini file The component will attempt to connect according to the order set in Vault.ini REMEMBER: The CPM should not be configured to failover automatically © 2023 CyberArk Software Ltd. All rights reserved CPM Failover Setup CPM should NEVER be configured for automatic failover due to the possibility of a split-brain scenario CPMs PSMs PVWAs Split-brain occurs when the passwords in the Production Vault and DR Vault are out of sync Vault Replication DR Vault CPM failover must always be a manual process © 2023 CyberArk Software Ltd. All rights reserved PSM Failover Setup Automatic failover of the PSM servers is optional CPMs PSMs PVWAs Any recordings captured on the DR Vault must be backed up or replicated back the Primary Vault before returning to normal operations Vault Replication DR Vault Consult with CyberArk services to review PSM failover options © 2023 CyberArk Software Ltd. All rights reserved PVWA Failover Setup PVWA servers can be configured for automatic failover to allow users to access passwords CPMs PSMs PVWAs without interruption Audit data should be saved via the activity log before re-enabling replication, however SIEM integration will mitigate this issue Vault Replication DR Vault © 2023 CyberArk Software Ltd. All rights reserved DNS Load Balancing A possible approach to avoiding split-brain is to use a DNS Alias for the Vaults to control which Vault is CPMs PSMs PVWAs used by the components The DNS Alias will be set in the Vault.ini file DNS Load Balancing Vault Replication DR Vault Remember: DNS Alias updates is a manual process and will extend the outage © 2023 CyberArk Software Ltd. All rights reserved Return to Primary Site © 2023 CyberArk Software Ltd. All rights reserved Return to Primary Site Data generated on the DR Vault should be replicated back to the Primary Vault before bringing it CPMs PSMs PVWAs back online DNS Alias updates and failback replication are manual processes DNS Load Balancing and will extend the outage Replication Vault DR Vault Replication © 2023 CyberArk Software Ltd. All rights reserved Restoring the DR Vault to DR Mode On the DR Vault server, edit the PADR.INI file and make the following changes: Set FailoverMode=No Delete the last two lines in PADR.ini (this will force a full replication) Restart the DR service If you are using manual failover, then you should reset the parameter ActivateManualFailover to No to avoid accidental failovers © 2023 CyberArk Software Ltd. All rights reserved Summary © 2023 CyberArk Software Ltd. All rights reserved Summary In this session we covered the CyberArk PAM Disaster Recovery solution: Backup Solution Deployment Disaster Recovery Deployment © 2023 CyberArk Software Ltd. All rights reserved Disaster Recovery Step 1 ‒ Enable Automatic Failover On The DR Vault Step 2 ‒ Execute A Full Replication To The DR Vault Exercises You may now Step 3 ‒ Execute Automatic Failover Test proceed to completing the ⎼ Confirm Automatic Failover on the DR Vault following exercises: ⎼ Confirm Automatic Failover of PVWA and PSM Step 4 ‒ Execute a Full Replication back to the Primary Vault Step 5 ‒ Execute Failback Procedure by using Manual Failover ⎼ Confirm Manual Failover on the Primary Vault Step 6 ‒ Set the DR Server back to DR mode ⎼ Confirm Automatic Failover for PVWA and PSM © 2023 CyberArk Software Ltd. All rights reserved
