Configuring Disaster Recovery Setup

A disaster recovery strategy is a key part of any business continuity plan. It covers the processes to follow in the event of a disaster so that the business can recover and keep operating. The aim is to resume operations in an alternate data center (usually in a different geographic location) if the primary data center becomes unavailable. Failover to another location is a fundamental part of disaster recovery.

Sectona supports 1+1 node manual failover for DR. Sectona Web Access and embedded vault can be configured with a standby DR instance. Sectona Embedded Vault DR node, once configured, is in near real-time sync with the Primary Vault node.

This guide is intended to help with configuring and implementing the system as a standalone DR instance for the embedded vault. Please contact the Sectona Support or Professional Services team to design your DR strategy and options for the DR setup.

Another option for the Sectona DR instance is the External Vault node using MS SQL Server. For more details on MS SQL Server Disaster Recovery options and configurations, refer here

Before You Begin

  • Ensure that the same version of the Sectona PAM application is installed on both the primary and DR nodes.

  • The Primary and DR node for Web Access and Vault should have identical resources. Session log storage must be provisioned at a minimum of up to 20% of the Primary node to satisfy the requirement if the operations are run using DR site PAM for a month.

  • The interfaces associated with the IP addresses we use for DR configuration in Sectona PAM should have static IP address configuration, not DHCP or PPPoE.

Adding Application DR Node

This section helps you to add a DR node in your application:

  • Log in to the Sectona PAM portal as an administrator.

  • Go to System → System Status → App Services and start the service called SystemHighAvailabilityService.

  • Click on the High Availability option in the left side menu and select Application.

  • Click on the + Add Node button and fill in the required details.

  • A few minutes after the service’s first trigger interval is completed, check the Primary and DR Application node status in Sectona. The Primary Application node 'Current Role' should be 'Primary-1', and the DR Application node 'Current Role' should be 'DR-1'. This status signifies that the DR configuration of the Application node is successfully done.

The following are the attributes to be filled in for adding a node:

| Attribute | Description |
|---|---|
| Host Name | Enter the hostname of the DR application node |
| Port | Enter the port number for the DR application node |
| System Role | Select DR |
| IP Address | Enter the IP address of the DR application node |
| URL | Provide the URL for the DR application node |
| Priority | Select the priority from the dropdown |

Adding Embedded Vault DR Node

This section helps you to add a remote node in your vault:

  • Log in to the Sectona PAM portal as an administrator.

  • Go to System → System Status → App Services and start the service called SystemHighAvailabilityService.

  • Click on the High Availability option in the left side menu and select Vault.

  • Click on the + Add Node button and fill in the required details.

  • A few minutes after the service’s first trigger interval is completed, check the Primary and DR Vault node status in Sectona. The Primary Vault node 'Current Role' should be 'Primary-1', and the status should be 'Master'. Similarly, the DR Vault node 'Current Role' should be 'DR-1', and the status should be 'Slave – Waiting for Master to send events'. This status signifies that the DR configuration of the Vault node is successfully done.

The following are the attributes to be filled in for adding a node:

| Attribute | Description |
|---|---|
| Host Name | Enter the hostname of the DR vault node |
| Port | Enter the port number for the DR node |
| System Role | Select DR |
| IP Address | Enter the IP address of the DR node |

Handling a Failover to DR

If the Sectona Primary instance fails, the DR instance must be manually promoted to Primary so that end-users can access the system through it. To enable end-user access through the DR instance, follow the steps below using the Sectona 'admin' login:

  • Log in to the Sectona DR node URL (e.g., https://www.pam-dr.com/login?LoginFlag=ByPassAppNodeCheck). This URL syntax is required to log in directly to the DR node, because the standard DR Sectona Web Access URL is restricted while the node's status is configured as DR in Sectona.

  • The above URL, with its additional postfix parameter, allows browsing to the DR node.

  • Log in with the admin ID, go to System > High Availability > Application Node, and click on the 'Switch Over Primary' button to promote the DR node to the Primary node.

  • Now log in to the DR node using the standard URL (E.g., https://www.pam-dr.com). It will now allow you to browse and log in.
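
Because the bypass login URL above is meant only for the administrator performing a failover, its use is worth monitoring. The following is an added example, not part of Sectona's documentation or product: it scans web access logs from the DR node for logins carrying LoginFlag=ByPassAppNodeCheck and marks those that come from outside an approved admin network. The Common Log Format, the admin network range and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: networks a failover operator is expected to connect from.
APPROVED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumption: the DR node's web tier writes Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
10.20.0.15 - - [12/Mar/2024:02:10:44 +0000] "GET /login?LoginFlag=ByPassAppNodeCheck HTTP/1.1" 200 5120
203.0.113.77 - - [12/Mar/2024:03:41:09 +0000] "GET /login?loginflag=bypassappnodecheck HTTP/1.1" 200 5120
10.20.0.15 - - [12/Mar/2024:09:00:01 +0000] "GET /login HTTP/1.1" 200 5120
198.51.100.4 - - [12/Mar/2024:09:05:13 +0000] "GET /login?LoginFlag=ByPassAppNodeCheck%20 HTTP/1.1" 302 0
truncated or malformed line
"""

def uses_bypass_flag(target):
    """True if the request target carries LoginFlag=ByPassAppNodeCheck.
    Matching is case-insensitive and ignores padding so that variants are
    not missed; whether the application accepts them is not stated."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(
        key.lower() == "loginflag"
        and any(v.strip().lower() == "bypassappnodecheck" for v in values)
        for key, values in query.items()
    )

def find_bypass_logins(log_text, approved_nets=APPROVED_ADMIN_NETS):
    """Return one finding per request that used the bypass flag."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not uses_bypass_flag(m["target"]):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
            approved = any(src in net for net in approved_nets)
        except ValueError:  # client field is a hostname, not an IP
            approved = False
        findings.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]), "approved_source": approved})
    return findings
```

Findings with `approved_source` set to False, or any finding outside a declared failover, are the ones to review.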
