
Recovering a HA PAM Server

This section looks at how to recover a failed PAM Server that is part of a HA Pair.

Introduction

When a PAM Server in your HA Pair fails, the recovery procedure depends on which server has failed: Active or Standby.

Follow the recovery procedure below that matches your failure:

Active Primary PAM Server Fails

In BAU, the Active is the Primary PAM Server, which receives all the user traffic. If the Active PAM Server goes down, all user connections will be disconnected. Therefore, you will need to fail over to the Standby Secondary PAM Server so users can connect to a working PAM Server while the Primary is fixed.

Note

This recovery assumes that the Active PAM Server is no longer working and cannot be fixed. The virtual appliance is offline and will be deleted.

The recovery steps for this scenario are as follows:

Failover to the Secondary PAM Server

To allow your PAM users to continue working, the first thing to do is fail over to the Standby Secondary PAM Server:

  1. Open up a web browser and enter the address of the Secondary PAM Server:

    [PAM Server Address]:8443

    You will be presented with the PAM Management Interface.

  2. Log in with a username and password.

    Note

    The PAM user must belong to the PAM Owner group, which gives them Owner role level access to PAM.

    Management Interface

  3. You will be presented with the PAM Management Interface SSH window.

    Management Interface shell window

  4. At the prompt type ha-failover and press ENTER.

  5. Read what will happen during the failover, then type y and press ENTER to continue.

    Failover Question

  6. Wait while the Secondary server is promoted to Active.

    Secondary Promoted

    As the Primary server has gone down and is not contactable, it will not be demoted.

  7. Log back onto the Secondary PAM Server [https://PAM-Server-Address]

  8. Select PAM Server > Browser (HTTP) to open up the Admin Interface.

  9. Within the Admin Interface, navigate to the System configuration > High Availability tab, which will show that the Secondary PAM Server has been promoted and has a state of Promoted Active Secondary.

    Admin Interface System Configuration High Availability Page

  10. Back up the Secondary PAM Server. We recommend you have a recent Osirium backup file as well as a VM Level backup or Snapshot.

  11. Your users can now log back onto PAM.

    • If you are using a floating IP address, users can log back into PAM using the same IP address.

      [PAM Server Floating IP Address]

    • If you are not using a floating IP address, you will have to inform all your users of the IP address of the promoted Secondary PAM Server so they can log back onto PAM.

      [PAM Server Secondary IP Address]

  12. Delete the Primary PAM Server virtual appliance.

Create a replacement Primary PAM Server

Prerequisites

To create a replacement Primary PAM Server, you will need the following:

• Hardware & Software: Ensure the correct resources are available before deploying. The following outlines the hardware and software requirements: Prerequisites.
• Ports: For information on the ports required by PAM and used between PAM components click here.
• Software downloads: The software installation package is supplied in Open Virtual Appliance (OVA) and Virtual hard disk (VHD) formats, ready for deployment into your existing virtual infrastructure. To implement a PAM HA Pair you must use release version 8.2 or above. To download the latest software, click here. NOTE: A SHA256 checksum is available to verify the integrity of the download.
• Disk space: Ensure the internal disk has a minimum of 5GB free disk space.

Deploying the PAM Server

The first step is to deploy the software package into your chosen supported infrastructure. Click on the appropriate link below to go to the deployment steps.

Configure the replacement Primary

Follow these configuration steps if you are setting up a replacement Primary.

  1. Within the Console window, press ENTER when prompted to start the setup and configuration.

  2. Read and accept the EULA to continue.

  3. Select HA Secondary (or replacement Primary) as the installation type.

    Installation Type

  4. Within the Configure Networking screen, configure the following server settings. Press TAB to navigate between the fields.

    • IP Address: Enter the IP Address which will be used to connect to the server.
    • Netmask: Enter the network mask.
    • Gateway: Enter the network default gateway IP address.
    • Primary DNS: Enter the network primary DNS IP address.
    • (Secondary DNS): Enter the secondary DNS IP address if relevant, else leave blank.
    • (Tertiary DNS): Enter the tertiary DNS IP address if relevant, else leave blank.
    • (DNS Suffixes): Enter the DNS Suffixes. Multiple entries can be separated with a comma, else leave blank.

    Configure Networking

  5. Once completed, TAB down to the OK button and press ENTER.

  6. Within the Enter a hostname window, enter a name to identify the new server.

  7. TAB down to the OK button and press ENTER.

  8. Once the setup has completed, a message will be displayed. Your system is now ready for High Availability.

    Make a note of the joining code displayed on the screen as it will be required to re-initialise your PAM Server HA Pair.

    Joining code

Failback to the replacement Primary PAM Server

  1. Before you fail back to the new Primary PAM Server, ensure all users have been disconnected.

  2. Back up the Secondary PAM Server. We recommend you have a recent Osirium backup file as well as a VM Level backup or Snapshot.

  3. Open up a web browser and enter the address of the Secondary PAM Server:

    [PAM Server Address]:8443

    You will be presented with the PAM Management Interface.

  4. Log in with a username and password.

    Note

    The PAM user must belong to the PAM Owner group, which gives them Owner role level access to PAM.

    Management Interface

  5. You will be presented with the PAM Management Interface SSH window.

    Management Interface shell window

  6. At the prompt type ha-failback and press ENTER.

  7. Read what will happen during the failback process, then type y and press ENTER to continue.

    Failover Question

  8. As this is a new PAM Server and a replacement for the failed Primary, you will be asked to enter the IP address and joining code, which are displayed on the Console window of the Primary PAM Server.

    Type y and press ENTER to continue.

    Setup new Primary PAM Server

  9. Enter the IP address of the new Primary PAM Server and press ENTER.

  10. Enter the joining code of the new Primary PAM Server and press ENTER.

    IP Address and Joining code of new Primary PAM Server

  11. Wait while HA fails back from the Secondary PAM Server to the new Primary PAM Server.

  12. Back up the Primary PAM Server. We recommend you have a recent Osirium backup file as well as a VM Level backup or Snapshot.

  13. Your users can now log back onto PAM.

    • If you are using a floating IP address, users can log back into PAM using the same IP address.

      [PAM Server Floating IP Address]

    • If you are not using a floating IP address, you will have to inform all your users of the IP address of the promoted Primary PAM Server so they can log back onto PAM.

      [PAM Server Secondary IP Address]

Standby Secondary PAM Server Fails

In BAU, the Standby is the Secondary PAM Server, which receives replication data from the Primary PAM Server. If the Standby Secondary PAM Server goes down, there will be no disruption to user connections. Replication will stop until the server is reinstated.

Note

This recovery assumes that the Standby PAM Server is no longer working and cannot be fixed. The virtual appliance is offline and will be deleted.

The recovery steps for this scenario are as follows:

Create a replacement Secondary PAM Server

Prerequisites

To create a replacement Secondary PAM Server, you will need the following:

• Hardware & Software: Ensure the correct resources are available before deploying. The following outlines the hardware and software requirements: Prerequisites.
• Ports: For information on the ports required by PAM and used between PAM components click here.
• Software downloads: The software installation package is supplied in Open Virtual Appliance (OVA) and Virtual hard disk (VHD) formats, ready for deployment into your existing virtual infrastructure. To implement a PAM HA Pair you must use release version 8.2 or above. To download the latest software, click here. NOTE: A SHA256 checksum is available to verify the integrity of the download.
• Disk space: Ensure the internal disk has a minimum of 5GB free disk space.

Deploying the PAM Server

The first step is to deploy the software package into your chosen supported infrastructure. Click on the appropriate link below to go to the deployment steps.

Configure the replacement Secondary

Follow these configuration steps if you are creating a replacement Secondary HA PAM Server.

  1. Within the Console window, press ENTER when prompted to start the setup and configuration.

  2. Read and accept the EULA to continue.

  3. Select HA Secondary (or replacement Primary) as the installation type.

    Installation Type

  4. Within the Configure Networking screen, configure the following server settings. Press TAB to navigate between the fields.

    • IP Address: Enter the IP Address which will be used to connect to the server.
    • Netmask: Enter the network mask.
    • Gateway: Enter the network default gateway IP address.
    • Primary DNS: Enter the network primary DNS IP address.
    • (Secondary DNS): Enter the secondary DNS IP address if relevant, else leave blank.
    • (Tertiary DNS): Enter the tertiary DNS IP address if relevant, else leave blank.
    • (DNS Suffixes): Enter the DNS Suffixes. Multiple entries can be separated with a comma, else leave blank.

    Configure Networking

  5. Once completed, TAB down to the OK button and press ENTER.

  6. Within the Enter a hostname window, enter a name to identify the new server.

  7. TAB down to the OK button and press ENTER.

  8. Once the setup has completed, a message will be displayed. Your system is now ready for High Availability.

    Make a note of the joining code displayed on the screen as it will be required to initialise your PAM HA pair.

    Joining code

Initialise High Availability

Once you have recreated your Secondary PAM Server, you will need to initialise your HA pair to set up replication again.

  1. Open up a web browser and enter the address of the Primary PAM Server:

    [PAM Server Address]:8443

    You will be presented with the PAM Management Interface.

  2. Log in with a username and password.

    Note

    The PAM user must belong to the PAM Owner group, which gives them Owner role level access to PAM.

    Management Interface

  3. You will be presented with the PAM Management Interface SSH window.

    Management Interface shell window

  4. At the prompt type ha-initialise and press ENTER.

    Note

    If you don't have an SMB filestore configured, you will be prompted with a warning. We recommend an SMB filestore is configured before continuing.

  5. Enter the IP address of the Secondary PAM Server and press ENTER.

    Enter secondary PAM Server IP Address

  6. Enter a floating IP address and press ENTER.

  7. Read what will happen on the Secondary, then type y and press ENTER to continue.

    Secondary operation list

  8. Enter the joining code of your Secondary PAM Server, which can be found on the server console window, and press ENTER.

    Secondary Server Joining code

    Enter Joining Code

  9. Wait while the joining procedure completes.

  10. When the operation has completed, you will be asked to confirm you can connect to the Management Interface of the Secondary PAM Server.
    Follow the instructions on screen and log in using the superadmin username and password set on the Primary PAM Server during configuration.

    Connect to secondary management

    The message on the Secondary PAM Server console window will also change and state the PAM Server is in standby.

  11. Back up the Primary PAM Server. We recommend you have a recent Osirium backup file as well as a VM Level backup or Snapshot.