(Feature available only in Premium Edition. Procedure applicable only for builds 6800 and later)
In mission-critical environments, one of the crucial requirements is to provide un-interrupted access to passwords. PMP provides the 'High Availability' feature just to ensure this.
There will be redundant PMP server and database instances
One instance will be the Primary providing read/write access to the users. All users will be connected with primary only
The other instance will act as Secondary/Standby
At any point of time data in both Primary and Secondary will be in sync with each other. The data replication happens through a secure, encrypted channel
When Primary server goes down, the Secondary will offer emergency access to the users, until the fully-functional primary server is brought back to service. The changes made in the database in the intervening period will be automatically synchronized upon connection restoration
Scenario 1 - Primary & Secondary in different geographical locations and WAN Link failure happens between the locations
Assume that the Primary Server is in one geographical location 'A' and Secondary is deployed in another location 'B'. The users in both the locations will be connected to the Primary and will be carrying out password management activities. At any point of time data in both Primary and Secondary will be sync with each other. Assume there happens loss of network connectivity between the two locations. In such a scenario, users in location 'A' will continue to remain connected with the primary and will be doing all operations. Users in location 'B' will be able to get emergency access to the passwords from Secondary. Once the network between the two locations is up again, data in both the locations will be synchronized.
Scenario 2 - Primary & Secondary within the same network & Primary goes down
In case, the Primary crashes or goes down, the users in location 'A' & 'B' can rely upon the emergency access to the passwords from the Secondary.
Setting up high availability in PMP consists of the following four simple steps:
Step 1: Primary & Secondary Setup
You can use your current PMP installation as primary server and install another instance of PMP as secondary server in a separate workstation. To install PMP as secondary, during installation process, you need to choose the option "Configure this server as High availability secondary server". After installation, the PMP Primary & Secondary servers should have been started and stopped at least once.
Step 2: Create Data Replication Pack for High Availability in Primary
Stop Primary and Secondary Servers, if running. Ensure that the postgres process of PMP is NOT running
Open a command prompt and navigate to <PMP_Primary_Installation_Folder>/bin directory
Run the script HASetup.bat
<FQDN of PMP Primary Server> <FQDN OF PMP Secondary Server >
(Windows) / HASetup.sh <FQDN of PMP Primary Server>
<FQDN OF PMP Secondary Server > (Linux)
To run this script, you need to pass the fully qualified domain names
of the host where PMP primary and secondary servers are installed as commandline
arguments. For Example, if the primary server is running at (say) primary-server
in the domain zohocorpin.com and the secondary server
is running at (say) secondary-server in the domain
zohocorpin.com , you need to execute the above script as follows:
In Windows: HASetup.bat primary-server.zohocorpin.com
secondary-server.zohocorpin.com
In Linux: sh HASetup.sh primary-server.zohocorpin.com secondary-server.zohocorpin.com
This will create a replication package named 'HAPack.zip' under <PMP_Primary_Installation_Folder>/replication folder. This zip contains the database package for secondary
Copy the HAPack.zip. This has to be put in the PMP Secondary installation machine as detailed in Step 3 below.
Start PMP primary server
Step 3: Put the HA Data Replication Pack in Secondary
Put the HAPack.zip file copied from the PRIMARY Installation (as detailed in the previous step) in to the <PMP_Secondary_Installation_Folder> and unzip it. Take care to extract the files under <PMP_Secondary_Installation_Folder> only. It will overwrite the existing data files.
Step 4: Specify the Location of Encryption Master Key
After extracting HAPack.zip in PMP Secondary Server, navigate to <PMP_Secondary_Installation_Folder>/conf folder, edit manage_key.conf and specify the location of pmp_key.key (encryption master key). PMP requires the pmp_key.key file accessible with its full path when it starts up every time. After a successful start-up, it does not need the key anymore and so the device with the key file can be taken offline.
The High Availability configuration is ready now. To get it up and running, start secondary server.
Important Note: By default, PMP comes with self-signed SSL certificate. In case, you have overwritten it with a certificate signed by an internal CA (other than the prominent CAs like Verisign (http://verisign.com), Thawte (http://www.thawte.com), RapidSSL (http://www.rapidssl.com) etc) at the secondary installation, you need to carry out the following additional step to install the root certificate in PMP primary server:
Stop Primary Server, if running
Open a command prompt and navigate to <PMP_Primary_Installation_Folder>/bin directory
Copy the secondary server certificate and paste it under <PMP_Primary_Installation_Folder>/bin directory
From <PMP_Primary_Installation_Folder>/bin directory, execute the following command:
importCert.bat <name of the server certificate>
This adds the certificate to the PMP certificate store.
Now start the PMP Primary server.
After carrying out the above steps, you can verify if the High Availability setup is working properly by looking at the message in "Admin General >> High Availability" page of Primary or Secondary server. If the setup is proper, you will see the following:
High Availability Status: Alive
It indicates that high availability is working fine. In case, if the status turns 'Failed', it indicates failure of the setup.
If you have configured TFA
©2009-12, ZOHO Corp. All Rights Reserved.