Symantec Privileged Access Management


Re: Multi Site clustering

  • 1.  Re: Multi Site clustering

    Broadcom Employee
    Posted Jan 29, 2018 04:22 AM

    If you could put an external load balancer in front of PAM, then you could get a kind of HA.

     

    The LB could be configured to forward all traffic to the single node in the primary site. If the LB detects that the primary is unavailable, then it could forward all traffic to the single node in the secondary site. Assuming that you're running in "operationally safe" mode, end users can continue to obtain passwords and make connections.

    Obviously, administrators will not be able to make any updates, as the node in the secondary site is read-only. So you would need to factor in a short down-time to promote that site to primary (or, alternatively, you can recover the primary node in a reasonable time frame).
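One way to realise the active/passive load balancer described in the reply above, as an added example that is not from the original post or from Broadcom: an HAProxy configuration (constructed here; PRIMARY_NODE_EIP and SECONDARY_NODE_EIP are placeholders for the address of the single PAM node in each site) that sends every connection to the primary node while its health check passes and only then to the secondary. It runs in TCP mode because PAM terminates TLS itself.

```haproxy
# Constructed example, not Broadcom's configuration. PRIMARY_NODE_EIP and
# SECONDARY_NODE_EIP are placeholders for the EIP (or private IP) of the
# single PAM node in the primary and secondary site respectively.
global
    log stdout format raw local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  1h
    timeout server  1h

frontend pam_https
    # PAM terminates TLS itself, so pass the bytes through untouched (TCP mode):
    # the LB never sees credentials and client-certificate auth keeps working.
    bind *:443
    default_backend pam_sites

backend pam_sites
    # Health check: a TCP connect to port 443 every 5s; three consecutive
    # failures mark the node DOWN, two successes bring it back UP.
    default-server inter 5s fall 3 rise 2
    # "backup" is what makes this active/passive: the secondary receives no
    # traffic while the primary is UP, even though both nodes listen on 443,
    # so the LB does not depend on the secondary refusing connections.
    server pam-primary   PRIMARY_NODE_EIP:443   check
    server pam-secondary SECONDARY_NODE_EIP:443 check backup
```

When the primary comes back UP, new connections return to it, so recovery is a second switch of active site; sessions already established on the secondary are not migrated.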



  • 2.  Re: Multi Site clustering

    Posted Jan 29, 2018 04:58 AM

    Hello Pearse,

     

    Thanks for your response!!

     

    I assume this happens even in the absence of the external load balancer, i.e. while running in operationally safe mode, when the single-node primary site is not available, all the user traffic will be directed to the secondary node automatically? Is my assumption wrong, and what happens to the cluster VIP (EIP in the case of AWS) while the primary site is down?

     

    Does the clustering requirement of CA-PAM differ for Multi-Master and Multi site?

     

    Thanks,

    Manoj



  • 3.  Re: Multi Site clustering

    Broadcom Employee
    Posted Jan 29, 2018 05:42 AM

    Hi Manoj

     

    Your assumption is wrong. As Christian pointed out in a previous post, if the single node in the primary site fails, the node in the secondary site will not take over the internal VIP. The internal VIP is only valid for a given site. The secondary site would typically have its own internal VIP (assuming more than one member). This is why I suggested an external load balancer for your case.

     

    And yes, the clustering requirement for multi site does differ from the clustering requirement for multi-master.

    Multi-master clustering (i.e. the primary site) is intended for, and best suits, a single data center. If you have several data centers, then you should use multi site clustering between the data centers. Your primary site will still use multi-master clustering between the nodes in the site. Though, in your case that's not relevant, as you only have a single node in the primary site.

     

    Note: The above response is for the general case, not specific to AWS.

     

    Regards

     

    Pearse



  • 4.  Re: Multi Site clustering

    Posted Jan 29, 2018 06:54 AM

    Hi Pearse,

     

    I see the below in the documentation as a cluster deployment requirement. Now, is this requirement for establishing a multi site or a multi-master cluster in AWS?

     

    To use AWS AMI instances in your cluster, set up your AWS environment correctly.

    Follow these steps:

    1. Create an AWS virtual private cloud (VPC) with at least one public subnet in which to locate your cluster. Assign an AWS Security Group that permits intra-subnet communication, inbound and outbound traffic through port 3306 (for the MySQL requirement of Credential Manager).
    2. Configure the members of your AWS cluster and assign them to the VPC you created. Note the local subnet address for each.
    3. Create an elastic IP address (EIP) for each member of your cluster and assign it to that member. Note which EIP is assigned to which instance. 
    4. Create an extra EIP to serve as the cluster VIP address, but do not assign this EIP to any instance.

    To set up clusters on other AWS sites, AWS connections have to be configured in CA Privileged Access Manager. To configure the AWS connections

    I am looking for the cluster pre-requisites/requirements for having a multisite cluster on AWS spread across two Availability Zones. Could you please help with these pre-requisites?

    Thanks,

    Manoj



  • 5.  Re: Multi Site clustering

    Broadcom Employee
    Posted Jan 29, 2018 07:15 AM

    The above is for multi-master, i.e. communication between the nodes in the primary site.

    The requirements would be the same for communication between the nodes in the secondary site, as the secondary site could be promoted to a primary site.

    For communication between sites, it should not be necessary to open port 3306. The nodes in the secondary site need to be able to connect to the nodes in the primary site, and the VIP in the primary site, over port 443.



  • 6.  Re: Multi Site clustering

    Posted Jan 29, 2018 08:37 AM

    Thanks for your prompt response.

     

    Just to confirm things: in my scenario, with a single node on the primary site and a single node on the secondary site, I just need standalone PAM AMIs launched on both sites and to establish communication over 443 between the nodes in the primary site and the secondary site?

     

    Regards,

    Manoj



  • 7.  Re: Multi Site clustering

    Posted May 29, 2018 11:58 AM

    Hello,

    The LB here cannot be configured to direct traffic only to the primary site (only one node), as both the primary and secondary sites keep listening on HTTPS. The LB will be looking for a factor to stop sending traffic to the secondary node. Since the secondary continues to accept user connections, this really cannot be configured in the LB. And if this is the only choice we have from the LB, what would be the behaviour of the secondary node while the LB is allowed to direct the traffic to both the nodes with no restrictions? Will the secondary node be able to serve users like the primary site when the traffic is sent from the LB, and when the primary is down, what would be the behaviour of the secondary site?



  • 8.  Re: Multi Site clustering

    Posted May 29, 2018 12:01 PM

    What are the problems that we can foresee if the LB sends traffic to both the primary and secondary sites?



  • 9.  Re: Multi Site clustering

    Broadcom Employee
    Posted May 29, 2018 12:19 PM

    For users, it shouldn't really matter. They will be able to do the same thing on both sites (with one or two exceptions, like creating personal views, which can only be done on the primary).

    If admins are sent to the secondary, they won't be able to make any updates. They must go to the primary.

    If primary and secondary have a different mounted drive for session recordings, then user recordings could be in two different places.



  • 10.  Re: Multi Site clustering

    Posted May 29, 2018 12:44 PM

    Thanks for your response!!

     

    I am just thinking of a particular scenario where a user hits the LB, gets directed to the secondary site, performs a password check-out and after 5 minutes checks it in. Assuming that the policy is set to change the password immediately after every check-in, and the secondary site being read-only, it is the primary which can push password changes.

    1. How will the password change be handled in this scenario?

    2. On the next immediate connection for the user, and assuming that the LB directs the user to the primary site, what would be the status of that particular account in the primary site that was checked in on the secondary site in the previous connection? Will it be available for the user to connect to the target?

    3. What would be the status of the secondary site when the primary site goes down? Operationally safe mode?

    4. Is the secondary site in operationally safe mode even while the primary site is up and running?

     

    Thanks,

    MANOJ



  • 11.  Re: Multi Site clustering

    Posted Sep 06, 2018 04:49 AM

    Hi kenpe02, I have the same question as Manoharan. As secondary nodes are read-only, if someone checks out a password while the primary is not available, what happens then if the PVP is set to change the password on view? What will be the status of the account in the primary once the primary is back?

     

    To be honest, I have the exact same questions in my mind as Manohar. Eagerly expecting your reply.



  • 12.  Re: Multi Site clustering

    Broadcom Employee
    Posted Sep 06, 2018 09:47 AM

    It depends on whether you configure the secondary sites to be "operationally safe" or "security safe". See the docs for an explanation of both parameters.

     

    Pearse