Application Scaling in PAM360 using Microsoft SQL Server

In general, Scaling is the process of making an application bigger and better, and scalability is the inherent capacity of an application to handle growth without any hindrance. For a privileged access security solution like PAM360, it is essential to make it highly available and scalable so that even with increased complexity, the application can render the maximum overall performance, without having any significant effect on the average service level per node.

The Application Scaling model in PAM360, designed using Microsoft SQL server, is aimed at providing enhanced scalability and performance while ensuring uninterrupted access to the privileged resources and passwords stored in PAM360. The model works with one main PAM360 node and several sub-nodes, all of them connected to a single MS-SQL database cluster.

Note: The application scaling model in PAM360 currently works only with the MS-SQL database cluster.

  1. How does it Work?
  2. Steps to Configure the Main Node and Sub-nodes
  3. Steps to Change a Sub-node into a Main Node

1. How does it Work?

The main node for PAM360 and all its sub-nodes must point to the same MS-SQL cluster, though they do not have to be connected individually. However, the main node, i.e., the machine that will carry out the scheduled operations, requires to fulfill either of the following conditions:

  1. The main node and the target end-points, having the agentless password management capabilities enabled from PAM360, should reside in the same subnet.  
    (OR)
  2. If the main node and the target end-points reside in different networks, they should be able to communicate with each other, i.e., they should not be blocked by a firewall or reside outside the range of connectivity such as demilitarized zones.

 The Schematic Architecture Diagram Depicting Application Scalablity in PAM360

Notes:

  1. You can assign any of the secondary nodes as the main node, provided it has proper connectivity to other machines to carry out the scheduled operations without any interference.
  2. The current model allows you to assign up to three machines as sub-nodes.

2. Steps to Configure the Main Node and Sub-Nodes

To configure sub-nodes pointing to the same cluster, follow the below steps:

  1. Install PAM360 in the machine which you want as the main node. 
  2. Configure an SSL certificate in your MS SQL cluster using these steps, import the certificate into PAM360, and point the application to a SQL listener IP/Host. Now, the PAM360 application operating as the main node will work using the MS SQL Cluster.
  3. Install PAM360 in the secondary application servers, which you want as sub-nodes. During the installation process, choose the Primary Server in the installation wizard. Once the installation is complete, PAM360 will start with the default PostgreSQL database. Stop the PAM360 service after the initial startup.
  4. Copy and paste the MS SQL cluster certificate into the <PAM360 Installation Folder>\bin directory in all the sub-nodes. Open a command prompt and execute the command importCert.bat Your_cluster_cert.cer. This command will import the MS SQL cluster certificate into all the sub-nodes.
  5. Copy the pam360_key.key file from the main node and paste it into any directory in the sub-nodes. Now, update the full path of the pam360_key.key file in the <PAM360-Home>\conf\manage_key.conf file in all the sub-nodes. If the key is stored in a remote directory, then supply the full path of the remote location in the manage_key.conf file.
  6. Open the services console (services.msc) in all the sub-nodes and update the service account of the PAM360 service. Ensure that this service account has all the necessary permissions to connect to the MS SQL cluster and to read the pam360_key.key file.
  7. Open command prompt as administrator in all the sub-nodes and navigate to the <PAM360 Installation Folder>\bin directory and execute the command ChangeDB.bat. In the DB Change Configuration wizard, select SQL server as the backend, supply the MS SQL Cluster hostname in the format SERVER:port. For example, CLUSTER01:5432. If port number is specified in this format, the Instance name field can be left empty. If Cluster is using dynamic ports, then supply the correct hostname and the instance name separately. Provide the correct SQL database name using which the main node is working and select Windows as the authentication option. For this option to work, note that command prompt should be running with an account that has access to the SQL database. Click Test and once it is successful, click Save to save the changes.
  8. Edit the file named system_properties.conf present in the path <PAM360_installation_directory>\conf\ in the sub-nodes using Wordpad with administrator rights. Add the line ignore.scheduler=true at the end of the file and save it.
  9. Now, start the PAM360 service in all the sub-nodes. As a result of all the previous steps, all the sub-nodes will start using the same MS SQL Cluster as the backend database.
  10. The default URL of the sub-nodes will look like https://subnode_servername:8282. To apply your license file in all the sub-nodes, open the URL of all the sub-nodes in a web browser and login. Click the profile icon in the top right corner and click the License option. Here, add your license XML file and apply.
  11. Navigate to Admin >> Configuration >> PAM360 Server and update your SSL certificate keystore with the correct password. If required, change the port from 8282 to 443 and save the settings.
  12. Restart the PAM360 service in all the sub-nodes. Now all the sub-nodes will start with the correct SSL certificate and use the same MS SQL Cluster backend.

2.1 Steps to View the Configured Nodes in PAM360

Once the main node and sub-nodes are configured, follow the below steps to view them from the PAM360 interface.

  1. Navigate to Admin >> Configuration >> Application Scaling.
  2. Here, you can enable or disable the sub-nodes using the toggle button. However, you need to restart the main node and decommission the sub-nodes for the changes to take effect.

3. Steps to Change a Sub-Node into a Main Node

Follow the below steps to change any secondary node into the main node. This change can be done at any point of time from any sub-nodes.

  1. Keep the MS-SQL database running.
  2. Stop all application servers including the main node.
  3. Open a command prompt and execute the following commands:
  4. For Windows:
    <PAM360_installation_directory>\bin\makePrimary.bat

    For Linux:
    <PAM360_installation_directory>/bin/sh makePrimary.sh

  5. Current main node and the list of available servers will be displayed. Choose any server from the drop-down and click Save.

  6. Restart all application servers that were stopped earlier.
  7. The selected server will be assigned as the main node now.

Click here for more information on how to set up a Microsoft SQL cluster.

Top