The Disaster Recovery Vault is the PrivateArk Server service that is installed on the Disaster Recovery machine. It is an up-to-date replica of the Production Vault and can be activated either automatically or manually in a Disaster Recovery situation. This post summarizes the steps to set up the CyberArk Vault DR service.
Disaster Recovery Concepts
The CyberArk Vault Disaster Recovery service
This is an automatic service that is responsible for the 3 major recovery tasks:
■ Failover Check – Checking that the Production Vault is up and running.
■ Data Replication – Replicating the external files (Safes files and Safes folders) from the CyberArk Production Vault to the Disaster Recovery Vault. The Data Replication will be executed according to the settings in the Disaster Recovery configuration file (PADR.ini).
■ Metadata Replication – Replicating the metadata files based on exports (full backup) and binary logs (incremental backups). Metadata replication from the Vault to the Disaster Recovery Vault occurs at the completion of each event.
■ Failover Process – If the Production Vault is down or the Production site is unavailable, meaning that there is no network connection between the two Servers, a Failover is carried out on the Disaster Recovery Vault.
Network Failover (loss of communication between the Production Vault and the Disaster Recovery Vault while the Production Vault is still up and running) will cause the Disaster Recovery Vault to start automatically even though it is not a Disaster Recovery situation.
Prerequisites to the DR Vault Installation
2 Use the same CyberArk Vault Server version as the Production Vault.
3 Network Time Protocol - The DR Vault must be synchronized with the organization’s NTP server to ensure that the Vault’s activity is in sync with records on all other servers.
4 Customer License - Use the DR Vault license.xml file provided by your CyberArk support representative specifically for the DR Vault.
Note: If your Safes are on an NTFS partition, the replicated Safes should also be on an NTFS partition, and not FAT/FAT32.
Pre-Installation of DR Service
2 After you have installed the CyberArk Vault Server on the DR site, start the DR Vault and check that it is up and running, even though it is an empty Vault.
3 Stop the CyberArk Vault Server on the DR site.
Installation of DR Service
■ Double-click Setup.exe
■ On systems that are UAC-enabled, right-click Setup.exe, then select Run as Administrator.
4 Read the license agreement, then click Yes to accept its terms and proceed to the next step of the installation, which enables you to enter user information for licensing purposes.
5 In the Name field, enter your first and last name. In the Company field, enter the name of your organization. Click Next to proceed to the next step of the installation, which enables you to select the folder on the server in which the Disaster Recovery Vault files will be located.
6 Click Next to accept the default location provided by the Disaster Recovery Vault installation, displayed in the Destination Folder area, and proceed to the next step of the installation, or click Browse to select another location, and then click Next to proceed to the next step of the installation.
7 The next step of the installation prompts you for a password for the DR User.
Note: This User must be an Owner with backup permissions on all of the Safes that the User might need to replicate to the Disaster Recovery site. In addition, this User must be an Owner on the system Safe (only with backup permissions). It is recommended to use the ‘DR’ user that has been created in the Vault especially for this purpose.
A user credentials file for automatic logon is created for this Replicate user. This credentials file contains the specified username and an encrypted version of the specified password.
8 Click Next to proceed to the next step of the installation where you specify the Address and the port of the Production Vault.
9 Click Next to proceed to the next step of the installation where you click Finish to complete the Setup. The CyberArk Vault Disaster Recovery service starts automatically when you restart the machine.
Post-Installation of DR Service
1. Check PADR.log for installation logs
2. Enable DR User account
3. Configure DR Vault Environment
4. Specify how frequently the DR Vault will be updated
5. Configure NTP
Test DR Service Installation
- Disable the connectivity between the DR Vault and the Production Vault.
- In the PrivateArk Server console, check that the DR Vault has begun working as an active Vault. For details, see Check that the CyberArk Digital Vault started successfully.
- In the PrivateArk Client on the DR Vault machine, define the new DR Vault and check that you can access it with the DR user. For more information, refer to Defining a Vault in the Privileged Access Security Implementation Guide.
Reset DR Vault for next failover
- On the DR Vault machine, stop the PrivateArk Server service.
- In PADR.ini, do the following:
  - Specify the following parameter:
    ■ Failovermode=no
  - Delete the following parameters:
    ■ NextBinaryLogNumberToStartAt
    ■ LastDataReplicationTimestamp
- Start the CyberArk Vault Disaster Recovery service.
- Check the PADR.log file to make sure that a replication was initiated successfully.
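The reset steps above as a PowerShell script; this is an added example, not part of the original post and not CyberArk tooling. The PADR.ini and PADR.log paths are parameters you supply, the service display names are assumed from the wording of the steps, and the sample INI lines at the end are constructed.

```powershell
# Added example: automates the "Reset DR Vault for next failover" steps. Not CyberArk's code.
# The INI edit is a pure text transform so it can be checked on a sample before touching a real file.
function Reset-PadrIniText {
    param([string[]]$Lines)
    $drop = 'NextBinaryLogNumberToStartAt', 'LastDataReplicationTimestamp'
    $foundFailover = $false
    $out = foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*=') {
            $key = $Matches[1]
            if ($drop -contains $key) { continue }      # delete the two replication bookmarks
            if ($key -ieq 'Failovermode') {             # keep the file's own key casing
                $foundFailover = $true
                "$key=no"
                continue
            }
        }
        $line                                           # every other line is kept verbatim
    }
    if (-not $foundFailover) { Write-Warning 'Failovermode not found; add Failovermode=no by hand.' }
    return @($out)
}

function Reset-DRVault {
    param(
        [Parameter(Mandatory)][string]$PadrIniPath,     # assumption: location of PADR.ini on this machine
        [Parameter(Mandatory)][string]$PadrLogPath      # assumption: location of PADR.log on this machine
    )
    # Display names are assumed from the steps above; confirm them with Get-Service first.
    Stop-Service -DisplayName 'PrivateArk Server'
    Copy-Item -Path $PadrIniPath -Destination "$PadrIniPath.bak" -Force   # rollback copy
    $updated = Reset-PadrIniText -Lines (Get-Content -Path $PadrIniPath)
    Set-Content -Path $PadrIniPath -Value $updated
    Start-Service -DisplayName 'CyberArk Vault Disaster Recovery'
    Get-Content -Path $PadrLogPath -Tail 20             # read these lines for the replication start
}

# Constructed sample, not a real PADR.ini: shows the transform without touching any service.
$sample = '[Section]', 'Failovermode=yes', 'NextBinaryLogNumberToStartAt=123',
          'LastDataReplicationTimestamp=1594650000', 'OtherSetting=unchanged'
Reset-PadrIniText -Lines $sample
```

Run `Reset-DRVault` from an elevated session on the DR Vault machine only after the Production Vault is confirmed healthy, so the DR Vault returns to replication instead of staying active alongside Production.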
July 13, 2020 at 03:51PM CyberArk