# Read-Only Server Model using PostgreSQL Database

The Read-Only Server model enhances PAM360's high availability strategy by adding a critical layer of resilience. Configurable across multiple locations, Read-Only servers are dedicated to executing read operations, thereby preserving data integrity by preventing modifications. These servers operate in synchronization with the primary server, effectively functioning as mirror servers. In case of a Primary server failure, any Read-Only server can be configured as the Primary server.

> **Caution**
>
> - PAM360 allows users to retrieve only passwords through the Read-Only server.
> - In the event of Primary server failure, administrators can convert any Read-Only server into the Primary server and reconfigure all other Read-Only servers to point to the new Primary server.
> - Audit logs for operations performed on Read-Only servers will not be visible until the primary PAM360 service is online or the Read-Only server is converted to a primary server.
> - From build 8400 onwards, PAM360 allows users to launch RDP, SSH, and VNC connections via the available Read-Only servers. Also, to play back recorded sessions from the Read-Only server, the storage configuration for session recording should be configured with a network path in the [Session Configuration](https://www.manageengine.com/privileged-access-management/help/session-recording.html#Session_Recording_for_all_Resources) setting.

## How Does the Read-Only Server Model Work?

In the event of a primary server failure or catastrophic incident, any Read-Only server can seamlessly transition to assume the role of the primary server, ensuring uninterrupted operational continuity. Unlike other high-availability configurations, which allow for only one secondary server, organizations can configure multiple Read-Only servers in various locations, offering greater flexibility.
When the primary server fails, administrators can easily convert any Read-Only server into the primary server, reconfiguring the remaining servers to point to the new primary instance. This capability ensures that PAM360 remains resilient and operational, even in the face of unexpected disruptions. However, PAM360 allows only password retrieval and remote session initiation operations to be performed through Read-Only servers. All operations conducted on these servers are logged and audited by the primary server, with records replicated to other Read-Only servers.

![ro-server-architechture](https://cdn.manageengine.com/sites/meweb/images/privileged-access-management/help/ro-server-architechture.webp)

## Setting up Primary Server and Read-Only Servers

Before beginning the configuration process on your Primary and Read-Only servers, ensure that PAM360 is successfully installed on all Read-Only servers within your environment. Once installation is complete, proceed with the following document to apply the necessary configuration adjustments on both the Primary and Read-Only servers. Additionally, find detailed instructions below on how to promote a Read-Only server to function as the Primary server in the event of a Primary server failure.

> **Caution**
>
> - If you have a [secondary server model](https://www.manageengine.com/privileged-access-management/help/high-availability-pgsql.html) with the PostgreSQL database configured in your server environment, [remove](https://www.manageengine.com/privileged-access-management/help/remove-high-availability.html) the secondary server configuration before configuring the Read-Only server.
> - If Application Gateways are deployed in your environment, ensure that Microsoft Visual C++ Redistributable for Visual Studio 2015 or later is installed on the server you are planning to deploy as a Read-Only server.

1. [Creating a Read-Only Server Configuration Pack in the Primary Server](#creating-a-read-only-server-configuration-pack-in-the-primary-server)
2. [Setting up the Read-Only Server](#setting-up-the-read-only-server)
3. [Configuring a Read-Only Server as the Primary Server](#configuring-read-only-server-as-the-primary-server)
4. [Deleting a Read-Only Server from the Cluster](#deleting-a-read-only-server-from-the-cluster)
5. [Read-Only Server Audit Trails](#read-only-server-audit-trails)
6. [Troubleshooting Tip](#troubleshooting-tip)

## 1. Creating a Read-Only Server Configuration Pack in the Primary Server

1. Navigate to the **/bin** folder in the primary server and execute the following command for your operating system. This creates a **ROPack.zip** file containing the files that must be copied to the Read-Only server.

   **Windows:**

   ```bat
   ROSetup.bat <IP_of_RO_Server> <userName> <password> <slotName>
   ```

   **Linux:**

   ```sh
   sh ROSetup.sh <IP_of_RO_Server> <userName> <password> <slotName>
   ```

   **Additional Details**

   - Every Read-Only server must have a unique **slotName** while creating **ROPack.zip**.
   - Supply a **userName** and **password** of your choice when creating the replication pack for the first time to configure the Read-Only server. To generate additional replication packs in the future, you must provide the same username and password. Note that the PAM360 database does not store the username and password, so we recommend saving them in a secure location.

   Where:

   i. **IP_of_RO_Server** is the valid IP address of a Read-Only server.
   ii. **userName** is the username used for replication.
   iii. **password** is the password for the replication user.
   iv. **slotName** is the slot name of the Read-Only server for the replication.

   > **Caution**
   >
   > - A single username and password is enough for all Read-Only servers.
   > - The username can only contain lower case letters, numbers, and underscores.
   > - Replication slot names may only contain lower case letters, numbers, and underscores.
   > - Each Read-Only server should have a unique slot name.
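The naming rules above are easy to get wrong when several Read-Only servers are set up over time, and a reused slot name only surfaces later as a replication failure. The following Python example, added here and not part of the PAM360 product or its scripts, checks a planned set of Read-Only servers against the constraints listed above (character set of the username and slot names, uniqueness of slot names and IP addresses) and prints the matching ROSetup invocations. The `ROServer` class, the `validate_plan` and `rosetup_commands` functions, and the sample IP addresses and slot names are assumptions constructed for this example; the argument order follows the list of parameters given above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constraint stated above: usernames and replication slot names may contain
# only lower case letters, numbers and underscores.
NAME_RE = re.compile(r"^[a-z0-9_]+$")


@dataclass(frozen=True)
class ROServer:
    ip: str         # IP_of_RO_Server
    slot_name: str  # slotName, must be unique per Read-Only server


def validate_plan(user_name: str, servers: List[ROServer]) -> List[str]:
    """Return a list of problems; an empty list means the plan is valid."""
    problems: List[str] = []
    if not NAME_RE.match(user_name):
        problems.append(f"replication user {user_name!r}: only [a-z0-9_] allowed")
    first_owner = {}      # slot name -> IP of the server that claimed it first
    seen_ips = set()
    for s in servers:
        try:
            ipaddress.ip_address(s.ip)
        except ValueError:
            problems.append(f"{s.ip!r} is not a valid IP address")
        if not NAME_RE.match(s.slot_name):
            problems.append(f"slot {s.slot_name!r} for {s.ip}: only [a-z0-9_] allowed")
        if s.slot_name in first_owner:
            problems.append(f"slot {s.slot_name!r} reused by {first_owner[s.slot_name]} and {s.ip}")
        first_owner.setdefault(s.slot_name, s.ip)
        if s.ip in seen_ips:
            problems.append(f"Read-Only server {s.ip} listed twice")
        seen_ips.add(s.ip)
    return problems


def rosetup_commands(user_name: str, servers: List[ROServer], windows: bool) -> List[str]:
    """One ROSetup invocation per Read-Only server, in the documented argument
    order. The password is left as a placeholder so the output can be logged
    or pasted into a runbook without exposing the replication password."""
    script = "ROSetup.bat" if windows else "sh ROSetup.sh"
    return [f"{script} {s.ip} {user_name} <password> {s.slot_name}" for s in servers]


if __name__ == "__main__":
    # Constructed sample plan: two Read-Only servers sharing one replication user.
    plan = [ROServer("10.214.147.123", "ro_slot_1"), ROServer("10.214.147.124", "ro_slot_2")]
    for problem in validate_plan("pmpuser", plan):
        print("problem:", problem)
    for cmd in rosetup_commands("pmpuser", plan, windows=True):
        print(cmd)
```

Run the validation before generating any pack: a rejected slot name or a duplicate is cheaper to fix here than after ROPack.zip has been copied to the remote server.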
The replication pack zip is generated and placed under the **/replication** folder.

2. Now, execute the following commands to import the certificates:

   **Windows:**

   ```bat
   importCert.bat \conf\ServerCer.cer
   importCert.bat \conf\CACert.pem
   importCert.bat \agent\ServerCer.cer
   ```

   **Linux:**

   ```sh
   sh importCert.sh /conf/ServerCer.cer
   sh importCert.sh /conf/CACert.pem
   sh importCert.sh /agent/ServerCer.cer
   ```

   **Additional Details**

   To install custom certificates, replace the certificate path in the above commands with the absolute path of your certificate.

You have successfully created the Read-Only configuration pack and set up the Primary server.

## 2. Setting up the Read-Only Server

1. Navigate to the PAM360 installation directory on the Read-Only server and extract the **ROPack.zip** file. This replaces the files from the Primary server that are already present there.
2. Copy the **pam360_key.key** file from the Primary server to the Read-Only servers and update the path of the **pam360_key.key** file in the **/conf/manage_key.conf** file.
3. If the **manage_key.conf** file is not present on the Read-Only server, create a new file named **manage_key.conf** and specify the location of the encryption key. If the encryption key is in a remote path, specify the path in UNC format.
4. After generating the setup pack, import the necessary certificates. Execute the following commands to import the default SSL certificate:

   **Windows:**

   ```bat
   importCert.bat \conf\ServerCer.cer
   importCert.bat \conf\CACert.pem
   importCert.bat \agent\ServerCer.cer
   ```

   **Linux:**

   ```sh
   sh importCert.sh /conf/ServerCer.cer
   sh importCert.sh /conf/CACert.pem
   sh importCert.sh /agent/ServerCer.cer
   ```

5. If you are using a custom SSL certificate for your PAM360 installation, copy the SSL certificate from the primary server to the **/conf** folder on the Read-Only server.
   Then, open a command prompt/terminal and execute the following command for your operating system to import the certificate:

   **Windows:**

   ```bat
   importcert.bat <certificate_file>
   ```

   **Linux:**

   ```sh
   sh importcert.sh <certificate_file>
   ```

   For example, if the certificate file name is **servercert.pfx**, execute the command `importcert.bat servercert.pfx` on a Windows deployment.

You have successfully set up the Read-Only server. Navigate to **Admin >> Business Continuity >> Read-Only Server** to view the configured Read-Only servers in the PAM360 interface.

![ro-pgsql-1](https://cdn.manageengine.com/sites/meweb/images/privileged-access-management/help/ro-pgsql-1.webp)

## 3. Configuring Read-Only Server as the Primary Server

1. Stop the Read-Only server that is to be converted into the Primary server.
2. Remove the **standby.signal** file from the **/pgsql/data** folder.
3. Open the **postgres_ext.conf** file from the **/pgsql/ext_conf** folder and remove all the entries below **recovery props**.
4. Delete the entry **readonly.mode=true** from the **/conf/configurations.properties** file.
5. Open the **serverstate.conf** file from the **/conf** folder. Search for **ro** and change it to **master**.
6. Start the PAM360 server; this Read-Only server now starts as the Primary server. You have successfully configured the Read-Only server as the Primary server.
7. Now, execute the following commands to remove the IP address of the converted Read-Only server from the database.

   **Windows:**

   ```bat
   \bin\DeleteROServerIP.bat <IP_of_RO_Server>
   \bin\DeleteSlot.bat <slotName>
   ```

   **Linux:**

   ```sh
   sh /bin/DeleteROServerIP.sh <IP_of_RO_Server>
   sh /bin/DeleteSlot.sh <slotName>
   ```

8. Now, follow step 1 (Creating a Read-Only Server Configuration Pack in the Primary Server) and step 2 (Setting up the Read-Only Server) to reconfigure the existing Read-Only servers to be in sync with this Primary server.

## 4. Deleting a Read-Only Server from the Cluster

Execute the following commands from the Primary Server to remove a Read-Only server from the cluster:

1. To delete an existing Read-Only server, execute the following command:

   **Windows:**

   ```bat
   \bin\DeleteROServerIP.bat <IP_of_RO_Server>
   ```

   **Linux:**

   ```sh
   sh /bin/DeleteROServerIP.sh <IP_of_RO_Server>
   ```

2. To delete an existing slot configured for the Read-Only server, execute the following command:

   **Windows:**

   ```bat
   \bin\DeleteSlot.bat <slotName>
   ```

   **Linux:**

   ```sh
   sh /bin/DeleteSlot.sh <slotName>
   ```

   **Additional Details**

   After upgrading to build 6600, deletion of the existing slots configured for the Read-Only server is performed automatically by the PostgreSQL server.

## 5. Read-Only Server Audit Trails

When a Read-Only server is enabled, its audits are displayed as separate columns with the full audit trails under **Resource Audit** and **User Audit**. Click [here](https://www.manageengine.com/privileged-access-management/help/audit_notifications.html) to learn more about audits.

![ro-pgsql-2](https://cdn.manageengine.com/sites/meweb/images/privileged-access-management/help/ro-pgsql-2.webp)

## 6. Troubleshooting Tip

Navigate to **Admin >> Business Continuity >> Read-Only Server** and check whether the status of the Read-Only servers is inactive. If so, follow the steps below to troubleshoot:

**Follow these steps for the Primary Server:**

1. Navigate to the **/pgsql/data** folder.
2. Open the **pg_hba.conf** file and check that the **IP Address** of the Read-Only server and the **replication user name** are correct.

**Follow these steps for the Read-Only Server:**

1. Navigate to the **/pgsql/data** folder and perform the following actions:

   i. Open the **pg_hba.conf** file and check that the **Primary** and **Read-Only server IP address** are correct.
   ii. Navigate to the **# TYPE DATABASE USER ADDRESS METHOD** section and verify that the **replication username**, **IP address**, and **slot** details are correctly formatted. For example, `host replication pmpuser 10.214.147.123/32 md5`.
   iii. Open the **configuration.properties** file and check for the value **readonly.mode=true**.
If the problem persists, send us the log files from the directory paths **/logs** and **/pgsql/data/pg_log** to [pam360-support@manageengine.com](mailto:pam360-support@manageengine.com) for further assistance.
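The troubleshooting steps above come down to two checks: does `pg_hba.conf` actually admit the replication user from the peer's address (and with what authentication method), and are `standby.signal` and `readonly.mode=true` in agreement, which is exactly what a half-finished conversion from section 3 breaks. The following Python example, added here and not part of PAM360, automates both checks against a PAM360 home directory. It is an assumption of this example that the files sit at the relative paths named in this document (`pgsql/data/pg_hba.conf`, `pgsql/data/standby.signal`, and the properties file, which the page spells both `configurations.properties` and `configuration.properties`, so both are tried); the `pg_hba.conf` contents, the `demo` function and the user `pmpuser` are constructed samples. It goes a little beyond the page by also flagging replication entries that use `trust` or an all-zero netmask, since either lets an unauthenticated peer stream the entire vault database.

```python
import ipaddress
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Paths from the troubleshooting steps, relative to the PAM360 home directory
# (assumed layout for this example).
PG_HBA = Path("pgsql/data/pg_hba.conf")
STANDBY_SIGNAL = Path("pgsql/data/standby.signal")
PROPERTY_FILES = (Path("conf/configurations.properties"),
                  Path("conf/configuration.properties"))

# Constructed sample pg_hba.conf contents, not taken from a real installation.
# The last line is the kind of entry the checker is meant to catch.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            md5
host    replication     pmpuser         10.214.147.123/32       md5
host    replication     pmpuser         0.0.0.0/0               trust
"""
GOOD_PG_HBA = "\n".join(SAMPLE_PG_HBA.splitlines()[:-1]) + "\n"


def parse_pg_hba(text: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (type, database, user, address, method) for each host-style entry."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # 'local' entries have no ADDRESS column and do not carry TCP replication
        if len(fields) < 5 or fields[0] == "local":
            continue
        entries.append(tuple(fields[:5]))
    return entries


def check_pg_hba(text: str, replication_user: str, peer_ip: str) -> List[str]:
    """Report whether replication_user may replicate from peer_ip, and whether
    any replication entry is weaker than password authentication."""
    findings: List[str] = []
    peer = ipaddress.ip_address(peer_ip)
    effective = None
    for _typ, db, user, addr, method in parse_pg_hba(text):
        if db != "replication":  # only this keyword matches replication connections
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append(f"replication entry has a malformed address: {addr!r}")
            continue
        if method == "trust":
            findings.append(f"replication from {addr} uses trust (no authentication)")
        if net.prefixlen == 0:
            findings.append(f"replication for {user} is open to every address ({addr})")
        # PostgreSQL applies the first matching line, so remember only the first
        if effective is None and user in (replication_user, "all") and peer in net:
            effective = (addr, method)
    if effective is None:
        findings.append(f"no replication entry for {replication_user!r} covering {peer_ip}")
    return findings


def readonly_mode(home: Path) -> Optional[bool]:
    """Value of readonly.mode from the properties file; None if it is not set."""
    for rel in PROPERTY_FILES:
        path = home / rel
        if path.is_file():
            for line in path.read_text().splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "readonly.mode":
                    return value.strip().lower() == "true"
            return None
    return None


def check_role_consistency(home: Path) -> List[str]:
    """A Read-Only server needs both standby.signal and readonly.mode=true; a
    primary has neither. One without the other is a half-converted server."""
    has_signal = (home / STANDBY_SIGNAL).is_file()
    ro = readonly_mode(home)
    if has_signal and ro is not True:
        return ["standby.signal present but readonly.mode=true is not set"]
    if not has_signal and ro is True:
        return ["readonly.mode=true set but standby.signal is missing: PostgreSQL would start as a primary"]
    return []


def demo() -> List[str]:
    """Build a constructed PAM360 home where standby.signal was removed (section 3,
    step 2) but readonly.mode=true was left in place (step 4 skipped), and check it."""
    home = Path(tempfile.mkdtemp())
    (home / "pgsql" / "data").mkdir(parents=True)
    (home / "conf").mkdir()
    (home / PROPERTY_FILES[0]).write_text("readonly.mode=true\n")
    (home / PG_HBA).write_text(GOOD_PG_HBA)
    hba = (home / PG_HBA).read_text()
    return check_role_consistency(home) + check_pg_hba(hba, "pmpuser", "10.214.147.123")


if __name__ == "__main__":
    for finding in demo():
        print("finding:", finding)
    for finding in check_pg_hba(SAMPLE_PG_HBA, "pmpuser", "10.214.147.123"):
        print("finding:", finding)
```

Run `check_pg_hba` on the primary with each Read-Only server's address, and on each Read-Only server with the primary's address, which mirrors the two halves of the troubleshooting list; `check_role_consistency` is worth running on every node after a promotion so that no server is left half-converted.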