Upgrading from a Standalone PAM to PAM HA Pair

This section looks at how to upgrade from an existing standalone PAM Server to a PAM HA Pair configuration.

• Prerequisites

• Upgrade procedure

• Post upgrade tasks

Prerequisites

Before you can configure a PAM HA Pair you will need the following prerequisites:

Prerequisite	Description
Upgrade path	Review the Upgrade paths to ensure you are applying the correct upgrade method based on the version you are upgrading from and to.
Hardware and Software	Ensure the correct resources are available before upgrading. The following outlines the hardware and software requirements.
Software downloads	Download the latest upgrade kit click here.
Disk space	Ensure the internal disk has a minimum of 5GB free disk space.
Recent backup	We recommend that you have a recent Osirium backup as well as VM Level backup or Snapshot of the standalone PAM Server being upgraded.
No active user connections	Ensure there are no active user connections.
Disable Task 'Regenerate Account Credentials for all devices'	Within the Admin Interface, disable all scheduled Regenerate Account Credentials for all devices tasks within profiles.
Osirium Support account	Within the Admin Interface ensure the Osirium Support account has been enabled and a password set.
.local DNS domains	If you are using .local DNS domains, ensure matching records have been entered in the DNS Search Suffixes.

We also recommend the following:

Prerequisite	Description
SMB filestore	RECOMMENDED Configure an SMB filestore to store Session Recording files. For instructions click here SMB Filestore.
Floating IP address	RECOMMENDED Allocating a floating ip address will allow the ip address to be dynamically assigned to the active PAM Server. This means the user will only need a single ip address when connecting to PAM and not have to switch ip addresses if a failure occurs.

Upgrade procedure

The diagram provides a high-level overview of the process for upgrading a standalone PAM Server to a PAM HA Pair configuration.

Standalone to PAM HA Pair upgrade procedure flowchart

Upgrade steps

• Upgrade the Standalone PAM Server
• System Configuration
• Deploy the Secondary PAM Server
• Configure a Secondary PAM Server
• Initialise High Availability

Upgrading the Standalone PAM Server

1. Open a file transfer tool of your preference and copy the upgrade kit onto the standalone PAM Server using the osirium_support account.

2. Open the PAM Server Console window, then press ALT + F2. The server login prompt appears.

   Note

   Alternatively, you could use an SSH connection to the PAM Server.

   

3. Enter osirium_support at the login prompt and press ENTER.

4. When prompted, enter the password of the osirium_support account and press ENTER.

5. Extract the upgrade kit copied to the server using the following command:

   sudo bash Osirium_PAM_Server_vA.B.C_upgrade.bin

   Where A.B.C is the version you are upgrading to.

6. Enter the osirium_support account password when prompted and press ENTER.

7. When the kit has been extracted, type the command specified on the screen and press ENTER.

8. Press ENTER when prompted to start the setup and configuration.

9. The EULA screen will be displayed. Press ENTER once you have read it.

10. Wait while the upgrade completes and the server is rebooted.

System Configuration

The following system configuration steps are required on the upgraded PAM Server:

• SMB Filestore (RECOMMENDED)

• Uploading a trusted certificate (RECOMMENDED)

SMB Filestore RECOMMENDED

We highly recommend that an SMB filestore is configured to maintain resilience and ensure session recordings continue to be available in case of any failovers.

Warning

If an SMB filestore is not configured then you are at risk of losing files stored locally on the PAM Server.

To configure:

1. Within the Admin Interface navigate to the System configuration > System settings tab.

2. Click on the next to SMB share configuration.

3. Enter the SMB share details.

   

   Field name	Description
   UNC path	The UNC path by which PAM can connect to the SMB share. For example \server-name\shared-resource-pathname
   Username	The username of the SMB share location.
   Password	The password of the SMB share location.
   Options (comma-separated)	Optional Allows additional parameters to be passed to the SMB share as a comma separated list if required.

4. Click SAVE.

5. Click on the next to File store.

6. Select SMB Share and click SAVE.

Uploading a trusted certificate RECOMMENDED

By default, Osirium PAM provides a generic certificate to allow secure web connections to the UI and Admin Interface.

We recommend that you upload a trusted certificate valid within your organisation. For further details on the types of certificates that can be uploaded click here.

The steps to upload a certificate differ depending upon the certificate type.

• Certificate with RSA private key
• PKCS12 archive file

Certificate with RSA private key

To upload:

1. Within the Admin Interface navigate to the System configuration > Certificates tab.

2. On the Certificates tab, click LOAD NEW CERTIFICATE.

3. In the Upload TLS Certificate window, upload your trusted certificate and RSA private key. Both are required for a successful upload.

   • TLS Certificate: Uploaded certificates will be verified to ensure they are an X.509 certificate with a .pem file format.
   • RSA Private Key: Uploaded keys are verified to ensure they are an rsa key with a .key file format. Passwords/passphrase are NOT supported on the the rsa key.

   

4. If the private key you are uploading has been encrypted, enter the password in the Key password (optional) input box.

5. Click UPLOAD. The certificate is uploaded.

PKCS12 archive file

To upload:

1. Within the Admin Interface navigate to the System configuration > Certificates tab.

2. On the Certificates tab, click LOAD NEW CERTIFICATE.

3. In the Upload TLS Certificate window, upload your PKCS #12 file.

   • The certificate contained within the PKCS #12 file will be verified to ensure it is a X.509 certificate.
   • The private key contained within the PKCS #12 file will be verified to ensure it is an rsa key.

   

4. If the private key you are uploading has been encrypted, enter the password in the Key password (optional) input box.

5. Click UPLOAD. The certificate is uploaded.

Deploy the Secondary PAM Server

To create the HA Pair you will need to create a Secondary PAM Server. Deploy the software package into your chosen supported infrastructure. Click on the appropriate link below to be navigated to the deployment steps.

• Deploy using VMware vSphere
• Deploy using Microsoft Azure
• Deploy using Microsoft Hyper-V
• Deploy using Amazon Web Services
• Deploy using Nutanix Prism Central

Configure a Secondary PAM Server

Follow these configuration steps if you are setting up a new Secondary PAM Server.

1. Within the Console window, press ENTER when prompted to start the setup and configuration.

2. Read and accept the EULA to continue.

3. Select HA secondary (or replacement primary) as the installation type.

   

4. Within the Configure Networking screen, configure the following server settings. Press TAB to navigate between the fields.

   • IP Address: Enter the IP Address which will be used to connect to the server.
   • Netmask: Enter the network mask.
   • Gateway: Enter the network default gateway IP address.
   • Primary DNS: Enter the network primary DNS IP address.
   • (Secondary DNS): Enter the secondary DNS IP address if relevant, else leave blank.
   • (Tertiary DNS): Enter the tertiary DNS IP address if relevant, else leave blank.
   • (DNS Suffixes): Enter the DNS Suffixes. Multiple entries can be separated with a comma, else leave blank.

   

5. Once completed TAB down to the OK button and press ENTER.

6. Within the Enter a hostname window, enter a name to identify the new server.

7. TAB down to the OK button and press ENTER.

8. Once the setup has completed a message will be displayed. Your system is now ready for High Availability.
   
   Make a note of the joining code displayed on the screen as it will be required to initialise your PAM HA pair.

   

Initialise High Availability

Once you have upgraded your standalone PAM Server and deployed and configured your Secondary PAM Servers, the final step is to initialise your HA pair and setup replication.

1. Open up a web browser and enter the address of the Primary PAM Server:

   [PAM Server Address]:8443

   You will be presented with the PAM Management Interface.

2. Login with a username and password.

   Note

   PAM user must belong to the PAM Owner group that gives them Owner role level access to PAM.

   

3. You will be presented with PAM Management Interface SSH window.

   

4. At the prompt type ha-initialise and press ENTER.

   Note

   If you don't have an SMB filestore configured you will be prompted with a warning. We recommend an SMB filestore is configured before continuing.

5. Enter the IP address of the Secondary PAM Server and press ENTER.

   

6. Enter a floating IP address and press ENTER.

7. Read what will happen on the secondary then type y and press ENTER to continue.

   

8. Enter the joining code of your Secondary PAM Server which can be found on the server console window and press ENTER.

   

   

9. Wait while the joining procedure completes.

10. When the operation has completed, you will be asked to confirm you can connect to the Management Interface of the Secondary PAM Server . Follow the instructions on screen and log in using the superadmin username and password set on the Primary PAM Server during configuration.

    

    The message on the Secondary PAM Server console window will also change and state the PAM Server is in standby.

    HA Pair configuration is now complete.

Post upgrade tasks

Once the PAM Server upgrade to a HA Pair has successfully completed, log on to the Primary PAM Server and check the following before allowing users to reconnect:

Post upgrade task	Description
Trigger AD audit	Before opening any device connections that use an Active Directory account, an audit needs to be manually triggered on all provisioned Active Directories. You can do this by right clicking the Active Directory on the Manage Active Directory page, and select Trigger audit from the menu.
Check device states	Check device status to ensure they are running successfully.
Check user connections	Check users can connect to devices.
Re-enable scheduled tasks	Re-enable scheduled Regenerate Account Credentials for all devices tasks.
Backup	Take an Osirium backup as well as VM Level backup of both the HA Pair PAM Servers.
Upgrade PAM UI	If you are using a standalone PAM UI Server then use the PAM Component Compatibility Matrix to check if the PAM UI Server needs updating inline with the PAM version you have upgraded to. Upgrade as appropriate.
Upgrade MAP Server	If you are using a MAP Server then use the PAM Component Compatibility Matrix to check if the MAP Server needs updating inline with the PAM version you have upgraded to. Upgrade as appropriate.