Read-Only Server with PostgreSQL Database

A Read-Only (RO) server is a secondary application server that allows users to execute only the Read-Only operations in PAM360 and prevents them from performing any modifications to the data. Depending on your needs, any number of Read-Only servers can be configured in various locations, unlike HA, which allows you to configure only one Secondary server. All these Read-Only servers are connected to and in sync with the Primary server. The Read-Only server acts like a mirror server and synchronizes all the actions carried out by the Primary server. In case of a Primary server failure, any Read-Only server can be configured as the Primary server.

Notes:

  • PAM360 will allow users to retrieve only the passwords through the Read-Only server.
  • All the operations carried out in a Read-Only server will be returned to and audited in the Primary server and then replicated to the other Read-Only servers.
  • In the event of Primary server failure, administrators can convert any Read-Only server into the Primary server and reconfigure all other Read-Only servers to point to the new Primary server.

Setting up Primary Server and Read-Only Server

Before configuring your Primary and the Read-Only server(s), you should install the Read-Only server(s) in your environment. Once you have successfully installed the Read-Only server(s), read further to learn how to make the required configuration changes in the Primary and the Read-Only servers. Also, find below the steps to make a Read-Only server take charge as the Primary server when the current Primary server is down.

Steps Required

  1. Prerequisite
  2. Creating a Read-Only Server Configuration Pack in the Primary Server
  3. Setting up the Read-Only Server
  4. Configuring a Read-Only Server as the Primary Server
  5. Deleting a Read-Only Server from the Cluster
  6. Read-Only Server Audit Trails

1. Prerequisite

If you have High Availability with the PostgreSQL database configured in your server environment, remove the High Availability configuration before configuring the Read-Only server. To do so, perform the steps that follow:

  1. Navigate to Admin >> Configuration >> High Availability.
  2. Click the edit icon beside the available secondary server. In the pop-up that opens, update the secondary Server Name to PMPHOST.
  3. Navigate to <PAM360_Installation_Folder>/conf folder and remove the files pmp_rr and HA.conf.
  4. Navigate to <PAM360_Installation_Folder>/pgsql/bin folder and remove files Primary.conf and HAPrimary.conf.
  5. Navigate to the <PAM360_Installation_Folder>/pgsql/data folder and open the file pg_hba.conf in WordPad or Notepad++ with administrator privileges to make the following changes:
    1. In the file that opens, search for the line with the secondary server details (IP address/hostname) and remove the entire line related to it.
    2. Now, save the file and restart the PAM360 service to proceed with the Read-Only server configuration.

2. Creating a Read-Only Server Configuration Pack in the Primary Server

  1. Navigate to <PAM360_Installation_Folder>/bin.
  2. Execute the following command in the Primary server to create a ROPack.zip file which will contain the files needed to be copied to the Read-Only server:
    • Windows: ROSetup.bat <IP_of_RO_Server> <userName> <password> <slotName>
    • Linux: ROSetup.sh <IP_of_RO_Server> <userName> <password> <slotName>
  3. Notes:

    • Every Read-Only server must have a unique slotName while creating ROPack.zip.
    • Supply a userName and password of your choice when creating the replication pack for the first time to configure the Read-Only server. To generate additional replication packs in the future, you must provide the same username and password. Please note that the PAM360 database will not store the username and password. Hence, we recommend you save them in a secure location.

Where,

  1. IP_of_RO_Server - Valid IP address of a Read-Only server.
  2. userName - Username used for replication.

    Constraints:

    • A single username and password is enough for all Read-Only servers.
    • Username can only contain lower case letters, numbers, and underscores.
  3. password - Password for the replication user.
  4. slotName - Slot name of the Read-Only server for the replication.

    Constraints:

    • Replication slot names may only contain lower case letters, numbers, and underscores.
    • Each Read-Only server should have a unique slot name.

The generated replication pack zip will be found under <PAM360_Installation_Folder>/replication folder.

  4. Execute the following commands in the Primary server to import the certificates:

    Linux:

    • sh importCert.sh ../conf/ServerCer.cer
    • sh importCert.sh ../conf/CACert.pem
    • sh importCert.sh ../agent/ServerCer.cer

    Windows:

    • importCert.bat ..\conf\ServerCer.cer
    • importCert.bat ..\conf\CACert.pem
    • importCert.bat ..\agent\ServerCer.cer

    Note: To install custom certificates, replace the path of the certificate in the above command.

You have successfully created the Read-Only configuration pack and set up the Primary server.

3. Setting up the Read-Only Server

  1. Navigate to the <PAM360_Installation_Folder> in Read-Only server and extract the ROPack.zip file. This will replace the files from the Primary server that are already available here.
  2. Copy pam360_key.key file from Primary server to the Read-Only servers and update the Path of the pam360_key.key file in <PAM360_Installation_Folder>/conf/manage_key.conf file.
  3. If the manage_key.conf file is not present in the Read-Only server, then create a new file named manage_key.conf and mention the location of the encryption key. If the encryption key is in a remote path, mention the path in a UNC format.
  4. Navigate to <PAM360_Installation_Folder>/bin and execute the following command in the Read-Only server to import the certificates:

    Linux:

    • sh importCert.sh ../conf/ServerCer.cer
    • sh importCert.sh ../conf/CACert.pem
    • sh importCert.sh ../agent/ServerCer.cer
    Windows:

    • importCert.bat ..\conf\ServerCer.cer
    • importCert.bat ..\conf\CACert.pem
    • importCert.bat ..\agent\ServerCer.cer

    [or]

    If you are using a custom SSL certificate for the PAM360 installation, copy the SSL certificate from the primary server and paste it in this path in the Read-Only server: <PAM360_Installation_Folder>/conf. To install custom certificates, replace the path of the certificate in the above command.

You have successfully set up the Read-Only server. Navigate to Admin >> Configurations >> Read-Only server to view the configured Read-Only servers in the PAM360 interface.

4. Configuring Read-Only Server as the Primary Server

  1. Stop the Read-Only server that is to be converted into the Primary server.
  2. Remove the 'standby.signal' file from the <PAM360_Installation_Folder>/pgsql/data folder.
  3. Open the 'postgres_ext.conf' file from the <PAM360_Installation_Folder>/pgsql/ext_conf folder. Remove all the entries below 'recovery props'.
  4. Delete the entry readonly.mode=true in the <PAM360_Installation_Folder>/conf/configurations.properties file.
  5. Open the 'serverstate.conf' file from the <PAM360_Installation_Folder>/conf folder. Search for 'ro' and change it to 'master'.
  6. Start the PAM360 server and now this Read-Only server will start as the Primary server. You have successfully configured the Read-Only server as the Primary server.
  7. Now, execute the following commands to remove the IP address of the converted Read-Only server from the database.

    Windows:

    • <PAM360_Installation_Folder>\bin\DeleteROServerIP.bat <IP_Address_of_RO_that_was_converted_to_Primary>
    • <PAM360_Installation_Folder>\bin\DeleteSlot.bat <slotName_of_RO_that_was_converted_to_Primary>

    Linux:

    • <PAM360_Installation_Folder>/bin/DeleteROServerIP.sh <IP_Address_of_RO_that_was_converted_to_Primary>
    • <PAM360_Installation_Folder>/bin/DeleteSlot.sh <slotName_of_RO_that_was_converted_to_Primary>
  8. Now, follow section 2 (Creating a Read-Only Server Configuration Pack in the Primary Server) and section 3 (Setting up the Read-Only Server) to reconfigure the existing Read-Only servers to be in sync with this Primary server.

5. Deleting a Read-Only Server from the Cluster

Execute the following commands from the Primary Server to remove a Read-Only server from the cluster:

  1. To delete an existing Read-Only server,

    Windows:

    <PAM360_Installation_Folder>\bin\DeleteROServerIP.bat <RO_IP_Address>

    Linux:

    <PAM360_Installation_Folder>/bin/DeleteROServerIP.sh <RO_IP_Address>

  2. To delete an existing slot configured to the Read-Only server,

    Windows:

    <PAM360_Installation_Folder>\bin\DeleteSlot.bat <RO Slot Name>

    Linux:

    <PAM360_Installation_Folder>/bin/DeleteSlot.sh <RO Slot Name>

  3. Note: After upgrading to build 6600, the existing slots configured for a Read-Only server are deleted automatically by the PostgreSQL server.

6. Read-Only Server Audit Trails

When a Read-Only server is enabled, the Read-Only server audits are displayed as separate columns with the full audit trails under Resource Audit and User Audit.

Troubleshooting Tips

Navigate to Admin >> Configurations >> Read-Only Server and check if the status of the Read-Only server(s) is inactive. If so, follow the below steps to troubleshoot:

Primary Server:

  1. Navigate to the <PAM360_installation_folder>/pgsql/data folder.
  2. Open the pg_hba.conf file and check if the IP Address of the Read-Only server and the replication user name are correct.

Read-Only Server:

  1. Navigate to the <PAM360_installation_folder>/conf folder.
    1. Open the 'pg_hba.conf' file and check if the Primary and Read-Only server IP addresses are correct.
    2. Now, open the configuration.properties file and check for the value "readonly.mode=true".
  2. Navigate to the <PAM360_installation_folder>/pgsql/data folder.
    1. Open 'pg_hba.conf' file and check if the Primary server IP, Port, replication username, password and the slot name are correct.

If the problem persists, send us the log files from the directory paths <PAM360_installation_folder>/logs and <PAM360_installation_folder>/pgsql/data/pg_log to pam360-support@manageengine.com for further assistance.
