Resolving an IP conflict between cluster nodes
The IP addresses of the HA interfaces connecting the two nodes are detected automatically, during boot. When a node comes online, it attempts to connect to the IP address 1.2.4.1. If no other node responds until timeout, then it sets the IP address of its HA interface to 1.2.4.1, otherwise (if there is a responding node on 1.2.4.1) it sets its own HA interface to 1.2.4.2.
Replaced nodes do not yet know the HA configuration (or any other HA settings), and will attempt to negotiate it automatically in the same way. If the network is, for any reason, too slow to connect the nodes on time, the replacement node boots with the IP address of 1.2.4.1, which can cause an IP conflict if the other node has also set its IP to that same address previously. In this case, the replacement node cannot join the HA cluster.
To manually assign the correct IP address to the HA interface of a node, perform the following steps:
-
Log in to the node using the IPMI interface or the physical console.
Configuration changes have not been synced to the new (replacement) node, as it could not join the HA cluster. Use the default password of the root user of One Identity Safeguard for Privileged Sessions (SPS), see "Installing the SPS hardware" in the Installation Guide.
-
From the console menu, choose 10 HA address.
Figure 319: The console menu
-
Choose the IP address of the node.
Figure 320: The console menu
-
Reboot the node.
Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status
This section explains the possible statuses of the One Identity Safeguard for Privileged Sessions (SPS) RAID device and the underlying hard disks. SPS displays this information on the Basic Settings > High Availability page. The following statuses can occur:
-
Optimal: The hard disks are working as expected.
-
Degraded: One or more hard disk has reported an error, and might have to be replaced. For assistance, contact our Support Team.
-
Failed stripes: One or more stripes of data failed on the RAID device. It is possible that data loss occurred, but unfortunately there is no way to find out the extent of the data loss (if any).
-
If you have a single SPS node: You must reinstall SPS and restore the data from the latest backup. For details, see "One Identity Safeguard for Privileged Sessions Software Installation Guide" in the Installation Guide and Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data. If you do not have backup, contact our Support Team.
-
If you have a high-availability SPS cluster: Shut the node down. Do NOT disconnect its HA interface. Reinstall the node (for details, see "One Identity Safeguard for Privileged Sessions Software Installation Guide" in the Installation Guide), power it on, then navigate to Basic Settings > High Availability, and click Join HA. For assistance, contact our Support Team.
-
-
Offline: The RAID device is not functioning, probably because several disks have broken down. SPS cannot operate properly in this case. For assistance, contact our Support Team.
Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data
The following procedure describes how to restore the configuration and data of One Identity Safeguard for Privileged Sessions (SPS) from a complete backup, for example, after a hardware replacement.
|
|
Caution:
Do not enable audited traffic to SPS restoring the system backup is complete. During the restore process, the REST-based search might not function properly, since the data to search in might still be incomplete. |
To restore the configuration and data of SPS from a complete backup
-
Connect to your backup server and locate the directory where SPS saves the backups. The configuration backups are stored in the config subdirectory in timestamped files. Find the latest configuration file (the configuration files are called PSM-timestamp.config).
-
Connect to SPS.
If you have not yet completed the Welcome Wizard, click Browse, select the configuration file, and click Import.
If you have already completed the Welcome Wizard, navigate to Basic Settings > System > Import configuration > Browse, select the configuration file, and click Import.
-
Navigate to Policies > Backup & Archive/Cleanup. Verify that the settings of the target servers and the backup protocols are correct.
-
Navigate to Basic Settings > Management > System backup, click Restore now and wait for the process to finish. Depending on the amount of data stored in the backup, and the speed of the connection to the backup server, this may take a long time.
-
Navigate to SSH Control > Connections, and click Restore ALL. Repeat this step for other traffic types. Depending on the amount of data stored in the backup, and the speed of the connection to the backup server, this may take a long time.
VNC is not working with TLS
Some vendors may use custom protocol elements and TLS-encryption that do not have available documentation. As a result, these cannot be audited by One Identity Safeguard for Privileged Sessions (SPS). Regardless of vendors, only the custom features described in the RFC 6143 are supported. As for encryptions, only those completely TLS-encapsulated streams can be processed where the TLS encryption process was started before the VNC protocol handshake.