Before you start, take a backup and download it off the appliance so that a copy exists outside the cluster you are about to modify.
1. Unjoin a Replica appliance that is running on old hardware:
- Log in to an appliance in the cluster as an Appliance Administrator.
- Navigate to Cluster > Cluster Management.
- In the cluster view, select the replica node to be unjoined from the cluster.
- In the details view on the right, click Unjoin.
- In the Unjoin confirmation dialog, enter the word Unjoin and click OK to proceed.
Safeguard for Privileged Passwords displays a synchronizing icon and a lock icon next to the appliance being unjoined, and puts the replica appliance in Maintenance mode while it is unjoining from the cluster.
Once the operation has completed, the replica appliance no longer appears in the cluster.
You can then decommission the old Replica appliance. If the new hardware appliance will reuse the same IP address, take the old appliance off the network before bringing up the new one to avoid an IP address conflict.
Considerations to unjoin cluster members
- You can only unjoin replica appliances from a cluster.
- The replica appliance to be unjoined can be in any state; however, the remaining appliances in the cluster must achieve consensus.
- You can unjoin a replica appliance when logged into any appliance in the cluster that is online (using an account with Appliance Administrator permissions).
- When you unjoin a replica appliance from a cluster, the appliance is removed from the cluster as a stand-alone appliance that retains all of the data and security policy configuration information it contained prior to being unjoined.
- After the replica is unjoined, the appliance is placed in a Read-Only mode.
2. Perform the initial setup on the new hardware appliance. Refer to the Appliance Setup guide.
3. Upgrade the new hardware appliance to the same SPP version that is currently installed in the SPP cluster.
4. Enroll the new hardware appliance as a Replica to the cluster:
- To enroll an appliance into a cluster, the appliances must be able to communicate over the following ports:
- For SPP 7.0 LTS or later, the nodes use UDP/655 and TCP/443.
Note: Starting with SPP 7.0, cluster node communications no longer support mesh networking, so each SPP node must have a direct connection to every other node for all internal VPN communications.
- In addition, all members of a cluster must share an address family. If one appliance has only IPv4, all appliances in the cluster must have IPv4; likewise for IPv6. An appliance with only IPv4 cannot communicate with an appliance with only IPv6.
- Appliances can only belong to a single cluster.
- You can only enroll replica appliances to a cluster when logged into the primary appliance (using an account with Appliance Administrator permissions).
- You can only add one appliance at a time - the maintenance operation must be complete before adding additional replicas.
- Enrolling a replica can take as little as 5 minutes or as long as 24 hours depending on the amount of data to be replicated and your network.
- During an enroll replica operation, the replica appliance goes into Maintenance mode. The existing members of the cluster can still process access requests as long as the member has quorum. On the primary appliance, you will see an enrolling notice in the status bar of the cluster view, indicating that a cluster-wide operation is in progress. This cluster lock prevents you from doing additional maintenance activities.
- Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again use the features available in Safeguard for Privileged Passwords.
TIP: The Activity Center contains events for the start and the completion of the enrollment process.
- The primary appliance's objects and security policy configuration are replicated to all replica appliances in the cluster. Any objects (such as users, assets, and so on) or security policy configuration defined on the replica will be removed during enroll. Existing configuration data from the primary will be replicated to the replica during the enroll. Future configuration changes on the primary are replicated to all replicas.
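The connectivity and address-family requirements above are easy to get wrong when the new hardware sits in a different subnet or VLAN, and a failed enroll costs a maintenance window. The following pre-flight script is an added example (not One Identity code and not part of the original article): given the planned membership as a mapping of node name to addresses, it applies the page's rule (if any node has only IPv4, every node must have IPv4; likewise for IPv6) and probes TCP/443 to each address from the host where it runs. The node names and addresses are constructed sample data; the probe is injectable so the logic can be exercised without a network. UDP/655 (the internal VPN) cannot be verified by an unsolicited probe, so the script only lists it for the firewall review.

```python
"""SPP cluster enrollment pre-flight check (added example, not One Identity code).

Checks two of the enrollment prerequisites stated in the article:
  1. address-family consistency across all planned cluster members
  2. TCP/443 reachability from this host to every member address
UDP/655 is listed but not probed: a bare UDP datagram to the VPN port
tells you nothing, so confirm that rule in the firewall review instead.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Ports named in the requirements above (SPP 7.0 LTS or later).
CLUSTER_PORTS = (("tcp", 443), ("udp", 655))


def address_family(addr: str) -> str:
    """Return 'ipv4' or 'ipv6' for a literal address; raises ValueError otherwise."""
    return "ipv4" if ipaddress.ip_address(addr).version == 4 else "ipv6"


def family_violations(nodes: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Apply the article's rule: every family that some single-stack node
    depends on must be present on every node. Returns (node, missing_family)
    pairs, sorted, so an empty list means the cluster is consistent."""
    fams = {name: {address_family(a) for a in addrs} for name, addrs in nodes.items()}
    required = set()
    for f in fams.values():
        if len(f) == 1:          # single-stack node: its family is mandatory for all
            required |= f
    return sorted(
        (name, fam) for name, f in fams.items() for fam in required if fam not in f
    )


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(
    nodes: Dict[str, List[str]],
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> dict:
    """Run both checks and return a report; report['ok'] is the overall verdict.
    `probe` defaults to a real TCP connect and can be replaced for offline use."""
    report = {
        "family_violations": family_violations(nodes),
        "tcp443": {name: all(probe(a, 443) for a in addrs) for name, addrs in nodes.items()},
        "unverified_ports": [f"{proto}/{port}" for proto, port in CLUSTER_PORTS if proto == "udp"],
    }
    report["ok"] = not report["family_violations"] and all(report["tcp443"].values())
    return report


if __name__ == "__main__":
    # Constructed sample: the new replica was given only an IPv6 address
    # while the existing members are IPv4-only, which enrollment would reject.
    planned = {
        "spp-primary": ["192.0.2.10"],
        "spp-replica1": ["192.0.2.11"],
        "spp-replica2-new": ["2001:db8::11"],
    }
    result = preflight(planned)
    for node, fam in result["family_violations"]:
        print(f"FAIL address family: {node} has no {fam} address")
    for node, ok in result["tcp443"].items():
        print(f"{'ok  ' if ok else 'FAIL'} tcp/443 {node}")
    print("not probed, confirm in firewall review:", ", ".join(result["unverified_ports"]))
    print("pre-flight", "PASSED" if result["ok"] else "FAILED")
```

Run it from the primary appliance's network segment (or from a jump host with equivalent firewall rules) before clicking Enroll; a TCP/443 failure from there is a firewall or routing problem that the enroll operation will also hit. The check covers reachability in one direction only, so repeat it from each new node's segment, since the note above requires direct connectivity between every pair of nodes.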
5. Repeat the same steps 1 to 4 above for each Replica appliance being replaced.
6. Once all Replicas have been replaced with new hardware, fail over the Primary role from the remaining old-hardware appliance by promoting one of the new-hardware Replicas to be the new Primary:
- Safeguard for Privileged Passwords allows you to fail over to a replica appliance by promoting it to be the new primary.
NOTE: You can promote a replica to be the new primary at any time the cluster has consensus (that is, the majority of the cluster nodes are online and able to communicate).
To promote a replica to be the new primary in a cluster
- Log in to a healthy cluster member as an Appliance Administrator.
- Navigate to Cluster > Cluster Management.
- In the cluster view, select the replica node that is to become the new primary.
- Click Failover.
- In the Failover confirmation dialog, enter the word Failover and click OK to proceed.
During the failover operation, all of the appliances in the cluster are placed in Maintenance mode.
Once the failover operation completes, the selected replica appliance appears as the primary with a state of online. All other appliances (including the "old" primary) in the cluster appear as replicas with a state of online.
7. Repeat steps 1 to 4 above to replace the last old-hardware node (the old Primary, which is now a Replica).
Note: For assistance with the migration process, we recommend consulting with One Identity Professional Services team by discussing this further with your account manager.