Symantec Privileged Access Management

  • 1.  CA PAM Cluster Configurations

    Posted Nov 27, 2017 10:23 AM

    Hello Team,

     

    While configuring the PAM Cluster, we are getting the below error:

     

    2017-11-27 15:12:37 SEVERE <IP1> Unable to turn on the cluster because one or more cluster members failed cluster start checks.
    2017-11-27 15:12:37 INFO <IP1> ERROR: NTP problem on member <IP2>. No primary servers found!
    2017-11-27 15:12:37 INFO <IP1> ERROR: NTP problem on member <IP1>. No primary servers found!
    2017-11-27 15:12:34 INFO <IP1> Saved cluster config to all cluster members. Virtual IP: <IP2>. Virtual IP FQDN: gotsva1172.got.volvocars.net. Cluster members: <IP1>: <IP2>. Status: OFF.
    2017-11-27 15:12:26 INFO <IP1> Saved cluster config locally. Virtual IP: <IP2>. Virtual IP FQDN: gotsva1172.got.volvocars.net. Cluster members: <IP1>, <IP2>. Status: OFF.

     

    I am getting a pop-up saying:

     

    "NTP not properly configured"

     

    I have checked the date/time section and there was a delay of 6 minutes between our 2 appliances. I have updated the time in both the cluster and made it in sync.

     

    Can you please help here? Also, what needs to be done with the Key which we are generating? Do we need to use that to add the member in Cluster? 

     

    We have 2 appliances and want them to be in a cluster, and we can access both of them with their individual URLs. After cluster configuration, do we have to use only 1 primary appliance URL?

     

    If you have any documentation which has step-by-step procedure then please provide us. We can follow that. 

     

    Let me know if you need any further information. 

     

    Thanks,

    Nikunj



  • 2.  Re: CA PAM Cluster Configurations
    Best Answer

    Broadcom Employee
    Posted Nov 27, 2017 11:30 AM

    Hello, Please follow instructions at https://docops.ca.com/ca-privileged-access-manager/3-0-2/EN/deploying/set-up-a-cluster to set up a cluster. Under https://docops.ca.com/ca-privileged-access-manager/3-0-2/EN/deploying/set-up-a-cluster/cluster-deployment-requirements you will find the requirement to configure NTP servers. The fact that your appliances were off by 6 minutes tells us that NTP is not configured at present.



  • 3.  Re: CA PAM Cluster Configurations

    Posted Nov 28, 2017 03:02 AM

    Thanks. I have configured the NTP server in Config -> Date/Time -> Time Servers. And then started the cluster and both the clusters are in sync now. Many thanks for your help.

     

    Cheers,

    Nikunj



  • 4.  Re: CA PAM Cluster Configurations

    Broadcom Employee
    Posted Nov 27, 2017 11:31 AM

    Nikunj,

     

    Please check the status of the NTP server(s) on the Config/Date and Time/NTP Status tab.  What the statuses say in the boxes below is very important; the IPs will tell you whether the NTP servers are being communicated to by CAPAM.  See a sample output below.  The two most important things below are 1) the * on one of the IPs means that the IP it is over is the IP being used for NTP and 2) the number in "reach" is a fairly high number in the range below showing a good connection to the server.  If reach is too low then there will be issues.  Some of the other numbers will be different as well when the connection is not very good or non-existent.

     

    CA Privileged Access Manager

     

     

    If the servers are not true NTP servers, meaning that they are "Windows NTP" servers that are not connecting to the internet to check the time as true NTP servers, you will receive this message as well.  CAPAM checks that your NTP servers are connecting to the internet for updating the time from there.  Setting the time manually will not work because these settings will go out of sync pretty quickly and the time does not have to be off by much to have clustering problems.

     

    Once you set or reset the IPs for NTP server(s), you may have to wait up to 10 or 15 minutes for the connections to be solidly connected.  Another tip is to also have more than one NTP server due to issues that occur if you lose that server.  There are NTP time servers out on the internet that are available to use as backup NTP servers or main NTP.  You can try NIST Internet Time Service in the US, or the following at www.pool.ntp.org and click on Global — pool.ntp.org to see NTP servers around the world.  The following are what you can put in the IP field to just reach out and have these IP addresses connect to the closest NTP servers it can find.

    0.pool.ntp.org

    1.pool.ntp.org

    2.pool.ntp.org

    3.pool.ntp.org

     

    Lastly, as you can see in the list above, there are 4 servers entered in the IP field.  It can only be suggested that you have more than one NTP server, but it does make sense.  If you have clustering enabled, wanting your CAPAM setup duplicated and backed up, then it would make sense to have at least two IPs for NTP servers as well.

    Regards,

     

    Anthony
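
The two checks described in the post above (a `*` against one server, and a healthy "reach" value), written out as an added example that is not part of the original thread or of CA PAM. It assumes the NTP Status tab shows the standard `ntpq -p` peer table; the sample tables, the documentation-range addresses and the `min_polls_ok` threshold are constructed for illustration.

```python
# Constructed samples in the standard `ntpq -p` layout (assumed to match the
# NTP Status tab). Addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_GOOD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    1.204    0.312   0.087
+192.0.2.11      192.0.2.10       2 u   12   64  377    2.511   -0.144   0.120
"""
SAMPLE_BAD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 192.0.2.11      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

TALLY = "*+-#xo. "  # ntpq tally codes; '*' marks the selected time source


def parse_peers(text):
    """Parse an ntpq -p style table into one dict per configured server."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue  # skip blank lines, the header and the ruler
        tally, fields = line[0], line[1:].split()
        if tally not in TALLY or len(fields) < 10:
            continue
        reach = int(fields[6], 8)  # reach is an octal 8-bit poll history
        peers.append({"tally": tally, "remote": fields[0],
                      "stratum": int(fields[2]), "reach": reach,
                      "polls_ok": bin(reach).count("1"),
                      "offset_ms": float(fields[8])})
    return peers


def cluster_ready(text, min_polls_ok=6):
    """Return (ok, reasons); min_polls_ok is a hypothetical threshold."""
    peers = parse_peers(text)
    reasons = []
    if not any(p["tally"] == "*" for p in peers):
        reasons.append("no server marked '*': no time source selected")
    for p in peers:
        if p["polls_ok"] < min_polls_ok:
            reasons.append(f"{p['remote']}: reach {p['reach']:o} "
                           f"({p['polls_ok']}/8 recent polls answered)")
    return (not reasons, reasons)
```

Reach is printed in octal, so 377 means all of the last eight polls were answered and 0 means none were, which is why a freshly configured server needs several poll intervals before it can be selected.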



  • 5.  Re: CA PAM Cluster Configurations

    Posted Nov 28, 2017 03:00 AM

    Thanks Anthony. But I have not configured the NTP server.  I have done that and it's working now. Many Thanks again. Cheers.