Safeguard for Privileged Passwords supports disaster recovery by allowing you to configure a cluster of appliances. Clustering supports continuity of vital technology infrastructure and systems and recovery from a natural or human-induced disaster.
A Safeguard for Privileged Passwords cluster consists of two or more Safeguard for Privileged Passwords Appliances configured to communicate over TCP port 655. One appliance in the cluster is designated as the "primary". Non-primary appliances are referred to as "replicas".
All vital data stored on the primary appliance is also stored on the replicas. In the event of a disaster, where the primary appliance is no longer functioning, you can promote a replica to be the new primary appliance. This reduces downtime and data loss. While you can only have one primary, you can have up to four replicas. The replicas provide a read-only view of the security policy configuration; however, users can log into replicas to request access, generate reports or audit the data.
Keep the following considerations in mind when performing the enroll replica and unjoin replica operations to create a Safeguard for Privileged Passwords cluster.
During an "enroll replica" operation, Safeguard for Privileged Passwords puts the replica appliance in Maintenance mode and locks down the remaining appliances in the cluster. On the primary appliance, you will see an "enrolling" notice in the status bar of the cluster view, indicating that a cluster-wide operation is in progress. While a cluster-wide operation is occurring, all appliances in the cluster are locked down meaning that no modifications, password change or check requests, or access requests can be performed on any of the appliances in the cluster.
Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again use the features available in Safeguard for Privileged Passwords.
TIP: The Activity Center contains events for the start and the completion of the enrollment process.
For detailed instructions, see Enrolling replicas into a cluster.
Only replica appliances can be unjoined from a cluster; the primary cannot be unjoined directly.
To remove a primary appliance, first fail over to a replica, making that replica the new primary, and then unjoin the 'old' primary appliance. For more information, see Failing over to a replica by promoting it to be the new primary.
NOTE: If the cluster has consensus (that is, the majority of the remaining members are online and able to communicate), you can use the Failover option to promote a replica to be the new primary and then unjoin the 'old' primary appliance. However, if the cluster does not have consensus (that is, the majority of the remaining members are offline or unable to communicate), you must use the Cluster Reset option to rebuild your cluster. For more information, see Resetting a cluster that has lost consensus.
When you unjoin a replica appliance from a cluster, the appliance leaves the cluster as a stand-alone appliance that retains all of the data and security policy configuration it contained prior to being unjoined. After the replica is unjoined, the appliance is placed in Read-Only mode. You can, however, activate the appliance so that you can add, delete and modify data, apply access request workflow, and so on. For more information, see Activating a read-only appliance.
NOTE: When a replica is activated, it starts to manage the assets and accounts in its own configuration. If those assets are still managed by the original cluster, two appliances will be changing the same account passwords, so plan which appliance owns them before activating.
For detailed instructions, see Unjoining replicas from a cluster.
Safeguard for Privileged Passwords allows the Appliance Administrator to create a cluster of up to five appliances, one primary and four replicas.
Prior to enrolling cluster members into a Safeguard for Privileged Passwords cluster, review the enrollment considerations; see Enrolling and unjoining cluster members.
NOTE: It is highly recommended that you take a backup of your primary appliance before enrolling replicas into a cluster.
To enroll a replica
Safeguard for Privileged Passwords connects to the replica and displays the login screen for the replica appliance.
In the Add Replica confirmation dialog, enter the words Add Replica and click (or tap) OK to proceed with the operation.
Safeguard for Privileged Passwords displays a synchronizing icon and a lock icon next to the appliance it is enrolling and puts the replica appliance in Maintenance mode while it is enrolling into the cluster.
On all of the appliances in the cluster, you will see an "enrolling" banner at the top of the cluster view, indicating that a cluster-wide operation is in progress and all appliances in the cluster are locked down.
Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again make access requests.
NOTE: Enrolling a replica can take up to 24 hours depending on the amount of data to be replicated and your network.
Log into the replica appliance as the Appliance Administrator.
Notice that the appliance has a state of Replica (meaning it is in Read-Only mode) and contains the objects and security policy configuration defined on the primary appliance.
NOTE: You cannot add, delete or modify the objects or security policy configuration on a replica appliance; however, you can perform password change and check operations and make password release and session access requests. Network configuration is done on each individual appliance, whether it is the primary or a replica.
Safeguard for Privileged Passwords allows the Appliance Administrator to unjoin replica appliances from a cluster.
Prior to unjoining a replica from a Safeguard for Privileged Passwords cluster, review the unjoin considerations: See Enrolling and unjoining cluster members.
NOTE: After a replica appliance is unjoined from a cluster, it remains in Read-Only mode. See Activating a read-only appliance for instructions on how to bring this appliance back online.
To unjoin a replica from a cluster
In the Unjoin confirmation dialog, enter the word Unjoin and click (or tap) OK to proceed.
Safeguard for Privileged Passwords displays a synchronizing icon and a lock icon next to the appliance it is unjoining and puts the replica appliance in Maintenance mode while it is unjoining from the cluster.
Once the operation has completed, the replica appliance no longer appears in the cluster view (left pane).
NOTE: If you log into the replica appliance using the desktop client while Safeguard for Privileged Passwords is processing an unjoin operation, you will see the maintenance mode screen. At the end of the maintenance mode, you will see a Restart Desktop Client button indicating that the unjoin operation completed successfully.
© 2019 One Identity LLC. ALL RIGHTS RESERVED.