Symantec Privileged Access Management

Is there any documents or tips on how to set up clustering of CA PAM in the AWS environment?

The documentations provides is not very detailed.

Anyone that has set up clustering of CA PAM in AWS environment, please ping me on this.

Thank you.

Hi Eric.  Here is the link to the "AWS AMI Cluster Requirements" section of the 3.1.1 PAM documentation wiki:  Cluster Deployment Requirements - CA Privileged Access Manager - 3.1.1 - CA Technologies Documentation.  What is it that is not sufficient?  The documentation assumes that you know how to perform the necessary tasks in AWS, such as create VPCs, Security Groups, Elastic IPs, and how to Launch AMIs.  I will be posting an article about deploying PAM in AWS, in general.  I am just waiting for it to be approved.  With this article, and the information in the link I provided, you should be set.  Let us know if you need anything else.

Hi Ed,

Finally, i think i only can reach out to you here in CA Communities.

In regards to the section of AWS AMI Cluster Requirements, it is quite vague. I've done all the steps mentioned. However, i faced difficulty in performing Step 4: Create an extra EIP to serve as the cluster VIP address, but do not assign this EIP to any instance.

This is actually not detailed enough. There is additional step like assigning an internal IP to the extra EIP as CA PAM cannot take in just the EIP only when configuring the cluster.

So, I've assigned an internal IP from Zone 1 to the EIP, another internal IP from Zone 1 as well to Primary CA PAM and 1 more internal IP from Zone 2 to Secondary CA PAM.

However, this will means that the CA PAM cluster is facing towards the Internet as any users can access CA PAM as long he /she knows the VIP (EIP). This raise security concerns and customers is not comfortable at all. In addition, there is also concern that if AWS - Zone 1 is down, the whole cluster will break as VIP resides in Zone 1.

So, I have no choice but to deploy an AWS ELB in front of the CA PAMs to do the load balancing and users will mainly access the Primary CA PAM based on stickiness set in the ELB. Users will only access Secondary CA PAM if Primary CA PAM is down and the routing is done automatically by the AWS ELB. I also have set up to a cluster  to ensure that the both CA PAM maintains database sync and the VIP eventually becomes useless in this set up.

I will like to to ask a question to you, Ed. In terms of redundancy for CA PAM, is the latter set up a better choice over the former one?

Here is the link to the document I put together on how to deploy a PAM AMI in AWS:  How to deploy CA PAM in AWS - CA Knowledge.  It does not include clustering, but the information about the EIP in the manual should be sufficient. 

Bear in mind, the documentation covers the use of PAM's load balancing functionality.  If you use an Elastic Load Balancer from AWS then you should configure that according to the AWS documentation.  Which is better depends on your need.  PAM will load balance between cluster members depending on the clustering method used.  Multimaster clustering has one site with all cluster members.  There is one VIP for the cluster.  This can be used when you have only a single location.  Multisite clustering was developed to better support PAM implementations with multiple locations.  You may have 1 or more members in each site.  Each site has its own VIP. 

When using PAM's load balancing, your users will connect using the appropriate VIP, and will be directed to one of the site's members, by the primary for that site, depending on the load.  Some customer's prefer to use an external load balancer.  This is fine.  Just make sure your external load balancer uses the health check to know if PAM is running or not, or if it is in Maintenance Mode.  This can be done with the following url: 

https://<your PAM's IP or FQDN>/health.php.

This should be sufficient.  If you need to discuss this further it might be best to open a ticket

Ed,

is this specific to a kind of load-balancer? I tried to test against an appliance in Maintenance Mode and it still only returned with a blank page

As far as I can tell, if it returns a blank page, PAM is up (but CM could be out of sync, or appliance could be in MM)

if it returns a 404 error page, its down.

No, it is not specific to any type of load balancer, at least not to my knowledge.  As long as the load balancer has the ability to be configured to provide the health check string then you should be good.  You need to put your browser into debug mode to see the reply, and you have to go to the right location in debug mode to see the reply after you have entered a url with the PAM instance's IP address, or FQDN, followed by /health.php.  In IE 11 press the F12 key, or select the Developer tool on the Settings menu.  With the Developer Tool open, enter the url as described above.  You will see the reply on the Network tab; 200 means OK, 503 means the node is in Maintenance Mode.  If you do this without the Developer Tool open you will see a blank page.