Enroll Cluster Members
- Update all appliances to the same appliance build (patch) prior to building your cluster.
- In order to enroll an appliance into a cluster, the appliances must be able to reach each other over TCP and UDP port 655 and TCP port 443. In addition, all members of a cluster must share an IP address family: if one appliance has only IPv4, every appliance in the cluster must have an IPv4 address, and likewise for IPv6. An appliance with only IPv4 cannot communicate with an appliance that has only IPv6.
- Appliances can only belong to a single cluster.
- You can only enroll replica appliances to a cluster when logged into the primary appliance (using an account with Appliance Administrator permissions).
- You can only add one appliance at a time; the enroll maintenance operation must complete before you add another replica.
- Enrolling a replica can take as little as 5 minutes or as long as 24 hours depending on the amount of data to be replicated and your network.
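The prerequisites above can be checked before you start an enroll. The script below is an added example, not part of the product or this page: it verifies that every appliance in a proposed cluster shares an address family (the IPv4/IPv6 rule above) and probes TCP/UDP 655 and TCP 443 on each appliance from the host running the script. The appliance names and addresses in it are constructed sample data; the port list is the one stated on this page. Note that a UDP probe cannot prove a port is open, only that it was not refused, and that the probe tests reachability from where you run it, not between the appliances themselves, so run it from a host on the primary's network segment or treat the port results as a lower bound.

```python
import ipaddress
import socket

# Ports the page lists as required between cluster members.
REQUIRED_PORTS = (("tcp", 655), ("udp", 655), ("tcp", 443))


def address_families(addresses):
    """Return the set of IP versions ({4, 6}) present in a list of address strings."""
    return {ipaddress.ip_address(a).version for a in addresses}


def family_mismatches(appliances):
    """appliances: dict of appliance name -> list of its IP address strings.

    The page's rule: if any appliance has only IPv4 (or only IPv6), every
    appliance must have that family. Returns a list of (name, missing_version).
    """
    fams = {name: address_families(addrs) for name, addrs in appliances.items()}
    required = set()
    for f in fams.values():
        if len(f) == 1:          # single-stack appliance forces its family on all
            required |= f
    problems = []
    for name, f in fams.items():
        for version in sorted(required - f):
            problems.append((name, version))
    return problems


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_probe(host, port, timeout=3.0):
    """UDP has no handshake: we can only detect an ICMP port-unreachable reply.
    Returns 'closed' if refused, 'open|filtered' if any reply or silence, 'error' otherwise."""
    info = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)[0]
    s = socket.socket(info[0], info[1], info[2])
    s.settimeout(timeout)
    try:
        s.connect(info[4])
        s.send(b"\x00")
        s.recv(1)            # a reply means something answered on the port
        return "open|filtered"
    except ConnectionRefusedError:
        return "closed"      # ICMP port unreachable surfaced on the socket
    except socket.timeout:
        return "open|filtered"
    except OSError:
        return "error"
    finally:
        s.close()


def check_ports(hosts, timeout=3.0):
    """Probe every required port on every host. Returns {host: {(proto, port): result}}."""
    report = {}
    for h in hosts:
        report[h] = {}
        for proto, port in REQUIRED_PORTS:
            if proto == "tcp":
                report[h][(proto, port)] = tcp_reachable(h, port, timeout)
            else:
                report[h][(proto, port)] = udp_probe(h, port, timeout)
    return report


if __name__ == "__main__":
    # Constructed sample cluster: a dual-stack primary, an IPv4-only replica
    # and an IPv6-only replica. The two replicas can never talk to each other.
    proposed = {
        "primary": ["10.0.0.10", "2001:db8::10"],
        "replica1": ["10.0.0.11"],
        "replica2": ["2001:db8::12"],
    }
    for name, version in family_mismatches(proposed):
        print(f"{name}: missing an IPv{version} address required by another member")
    for host, results in check_ports(["10.0.0.11"], timeout=2.0).items():
        for (proto, port), result in results.items():
            print(f"{host} {proto}/{port}: {result}")
```

Fix every reported family mismatch (add the missing family to the appliance or drop the single-stack member) before you start the enroll; the enroll itself takes the cluster lock, so discovering a connectivity problem mid-operation costs you the whole maintenance window.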
During an enroll replica operation, the replica appliance goes into Maintenance mode. The existing members of the cluster can still process access requests as long as the cluster retains quorum. On the primary appliance, you will see an enrolling notice in the status bar of the cluster view, indicating that a cluster-wide operation is in progress. This cluster lock prevents you from performing additional maintenance activities until the enroll completes.
Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again use the features available in Safeguard for Privileged Passwords.
TIP: The Activity Center contains events for the start and the completion of the enrollment process.
The primary appliance's objects and security policy configuration are replicated to all replica appliances in the cluster. Any objects (such as users, assets, and so on) or security policy configuration defined on the replica are removed during the enroll and overwritten with the primary's existing configuration data, so anything you still need from the replica must be exported before you enroll it. Future configuration changes on the primary are replicated to all replicas.
Unjoin Cluster Members
- You can only unjoin replica appliances from a cluster. To remove a primary appliance, fail over to a replica, which makes that replica the new primary, and then unjoin the 'old' primary appliance.
NOTE: If the cluster has consensus (that is, the majority of the remaining members are online and able to communicate), you can use the Failover option to promote a replica to be the new primary and then unjoin the 'old' primary appliance. However, if the cluster does not have consensus (that is, the majority of the remaining members are offline/unable to communicate), you must use the Cluster Reset option to rebuild your cluster.
- To perform an unjoin operation, the replica appliance to be unjoined can be in any state; however, the remaining appliances in the cluster must achieve consensus.
- You can unjoin a replica appliance when logged into any appliance in the cluster that is online (using an account with Appliance Administrator permissions).
- When you unjoin a replica appliance from a cluster, the appliance leaves the cluster as a stand-alone appliance that retains all of the data and security policy configuration it held prior to being unjoined. After the replica is unjoined, the appliance is placed in Read-Only mode. You can, however, activate the appliance so you can add, delete, and modify data, apply access request workflow, and so on.
NOTE: When a replica is activated, it starts to manage the assets and accounts in its own configuration. Because that configuration is a copy of the cluster's, the same accounts are then managed by two independent appliances, each of which can change their passwords. Remove or disable the assets and accounts the stand-alone appliance should not manage before you activate it.