What options do I have to recover a failed primary policy server?
If you have secondary policy servers configured in your environment, your Unix agents and sudo plugins will automatically go to the secondary servers for policy evaluation and logging. In addition, Privilege Manager for Sudo plugins have an offline mode, which allows them to continue to function with the latest cached policy, even when no policy servers are available.
However, without a primary policy server, you will not be able to make any updates to your policy, and you will not be able to search the event and keystroke logs via the Management Console or using the pmlogsearch command.
Ideally, you will have a recent full backup of your primary policy server, so that you can restore the primary policy server on new hardware, and fully recover the functionality of your Privilege Manager policy group.
If you are not able to recover the primary policy server, your next best option is to create a new primary policy server (and new policy group), and rejoin all of the secondaries and Unix/Sudo hosts to this new policy group. You should be able to recover the latest policy from the policydir (usually /etc/opt/quest/qpm4u/policy) on one of the secondary policy servers or on a sudo plugin host.
· (on a secondary policy server, from the parent directory of the policydir, usually /etc/opt/quest/qpm4u) archive the existing policy files, skipping dot-files:
tar cvf /tmp/policy.tar --exclude='.*' policy
· (on the new primary policy server) copy the archive over and restore the archived policy files into a temporary directory, extracting in /tmp so that the policy lands in /tmp/policy, the path used in the next step:
tar xvf policy.tar
· configure the new primary policy server with the restored policy:
pmsrvconfig -m sudo -f /tmp/policy -a -p (SUDO)
pmsrvconfig -m pmpolicy -f /tmp/policy -a -x (UNIX)
· re-configure the secondary policy servers to join the new primary:
· re-join the sudo/Unix hosts to the new primary:
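The archive-and-restore steps above, written as an added example that is not part of the original knowledgebase article: the archive is bundled with a checksum manifest on the secondary, and the new primary refuses to stage a policy whose checksum does not match, so a truncated or altered copy is never handed to pmsrvconfig. It assumes GNU tar and sha256sum; the function names and the staging directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the KB article. Assumes GNU tar and sha256sum.
set -eu

# archive_policy POLICYDIR ARCHIVE
# Archives POLICYDIR under its relative name (e.g. "policy"), as the KB step does,
# skipping dot-files such as version-control metadata, and writes ARCHIVE.sha256
# next to the tarball so the receiving side can verify the copy.
archive_policy() {
    policydir=$1
    archive=$2
    parent=$(dirname "$policydir")
    name=$(basename "$policydir")
    # -C enters the parent directory so entries are stored as "policy/..."
    tar cf "$archive" --exclude='.*' -C "$parent" "$name"
    # Checksum manifest, created in the archive's directory so the path is relative
    ( cd "$(dirname "$archive")" && \
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# restore_policy ARCHIVE STAGEDIR
# Verifies ARCHIVE against its .sha256 manifest, then extracts it into STAGEDIR
# so that STAGEDIR/policy is ready for "pmsrvconfig ... -f STAGEDIR/policy".
# Returns 1 and creates nothing if the checksum does not match.
restore_policy() {
    archive=$1
    stagedir=$2
    ( cd "$(dirname "$archive")" && \
      sha256sum -c --quiet "$(basename "$archive").sha256" ) || {
        echo "checksum mismatch: refusing to restore $archive" >&2
        return 1
    }
    mkdir -p "$stagedir"
    tar xf "$archive" -C "$stagedir"
}
```

On the secondary, run archive_policy /etc/opt/quest/qpm4u/policy /tmp/policy.tar and copy both /tmp/policy.tar and /tmp/policy.tar.sha256 to the new primary; there, restore_policy /tmp/policy.tar /tmp produces /tmp/policy for the pmsrvconfig step.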
Please see the following knowledgebase article if you wish to copy the policy revision history to the new primary policy server: