Symantec Privileged Access Management

  • 1.  Backup database and restore on a different appliance

    Posted Jun 06, 2018 01:02 PM

    Hi


    We have 2 VM's with PAM 3.1.1.

    In the past, with version 2.8.3, we could do "backup database" on VM1 and restore it on VM2, and everything worked OK.

    After we upgraded to version 3.1.1, this procedure doesn't appear to be working. On VM2, after the restore, it boots but says it isn't able to connect to the server.


    Has anyone had this issue?

    Thanks in advance

    Best regards

    NM



  • 2.  Re: Backup database and restore on a different appliance
    Best Answer

    Broadcom Employee
    Posted Jun 06, 2018 01:57 PM

    Hi Nuno, Yes, this is a known change. There is an additional protection layer involving a KEK (key encryption key) that is stored outside of the database, so that someone other than you who somehow manages to get hold of one of your database backups cannot just load it onto his own PAM instance and see all your data. The KEK is shared across a cluster.

    So if you need to restore backups from one PAM instance to another, e.g. for disaster recovery, temporarily make one node in the DR site a member of the cluster, or, for a single node, temporarily define a cluster and add the DR node, then start the cluster. Once it's online, you can stop again, take the DR node out of the cluster and restart without it. The DR node now has the correct KEK. You can shut it down and bring it up at some future time to restore a DB backup from one of the cluster nodes.

    There is a task open already to get this documented properly in our online documentation.

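A toy model of the mechanism described in the reply above, added here as an illustration; it is not part of the original thread and not PAM's own code. It assumes a hypothetical `PamNode` class with `backup_database`, `restore_database` and `join_cluster` methods, a stand-in cipher built from HMAC-SHA256 (not PAM's actual cryptography), and constructed sample rows. It shows why a database backup restored on a fresh appliance with its own KEK fails, and why the backup restores cleanly once the DR node has adopted the cluster KEK.

```python
"""Toy model of a KEK (key encryption key) layer: illustration only.
The cipher below is an HMAC-SHA256 counter-mode keystream plus an HMAC tag,
a stand-in for a real AEAD; it is not PAM's cryptography. Stdlib only."""
import hashlib
import hmac
import json
import os


class WrongKeyError(Exception):
    """Raised when a blob fails authentication, e.g. unwrapped with the wrong KEK."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from HMAC-SHA256 (toy construction).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises WrongKeyError on mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise WrongKeyError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class PamNode:
    """Hypothetical appliance: the KEK lives outside the database and is in no backup."""

    def __init__(self) -> None:
        self.kek = os.urandom(32)   # per-appliance until the node joins a cluster
        self.dek = os.urandom(32)   # data encryption key for database contents
        self.rows: dict = {}

    def backup_database(self) -> dict:
        # The DEK travels only in wrapped form; the KEK itself is never exported.
        return {
            "wrapped_dek": seal(self.kek, self.dek),
            "rows": seal(self.dek, json.dumps(self.rows).encode()),
        }

    def restore_database(self, backup: dict) -> None:
        self.dek = unseal(self.kek, backup["wrapped_dek"])   # fails if the KEK differs
        self.rows = json.loads(unseal(self.dek, backup["rows"]).decode())

    def join_cluster(self, primary: "PamNode") -> None:
        # Models the temporary cluster membership step: the node adopts the cluster KEK.
        self.kek = primary.kek


def demo() -> tuple:
    """Returns (restore_failed_before_join, rows_on_dr_node_after_join)."""
    vm1 = PamNode()
    vm1.rows = {"acct": "svc-backup", "password": "constructed-sample"}  # constructed data
    backup = vm1.backup_database()

    dr = PamNode()                           # fresh appliance with its own KEK
    try:
        dr.restore_database(backup)
        failed_before_join = False
    except WrongKeyError:
        failed_before_join = True

    dr.join_cluster(vm1)                     # temporary cluster membership
    dr.restore_database(backup)              # works now, and for future VM1 backups too
    return failed_before_join, dr.rows


if __name__ == "__main__":
    print(demo())
```

The model also captures the second point made later in the thread: `backup_database` never includes `kek`, so a leaked backup on its own is inert, and a node that leaves the cluster keeps the KEK it adopted, which is why later backups from VM1 still restore on the DR node.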


  • 3.  Re: Backup database and restore on a different appliance

    Posted Jun 07, 2018 04:30 AM

    Ralf, thanks for the information. It is very helpful to understand this behavior.

    Regarding the steps for disaster recovery that you mention: after I add the DR node to the cluster, "synchronize" the KEK and remove the DR node from the cluster, since they share the KEK, am I then able to restore future backups from VM1 to the DR node?

    Thanks once again.

    Best regards

    NM



  • 4.  Re: Backup database and restore on a different appliance

    Broadcom Employee
    Posted Jun 07, 2018 02:04 PM

    Hi Nuno, Yes.



  • 5.  Re: Backup database and restore on a different appliance

    Posted Jun 07, 2018 05:12 AM

    Just to check. This KEK is included in the configuration backup, right?

    Thanks

    NM



  • 6.  Re: Backup database and restore on a different appliance

    Broadcom Employee
    Posted Jun 07, 2018 05:40 AM

    Hello Nuno,


    For what it's worth, the config file which you can download is machine specific and basically cannot be applied to a different PAM instance.



  • 7.  Re: Backup database and restore on a different appliance

    Broadcom Employee
    Posted Jun 07, 2018 02:11 PM

    Hi Nuno, No, the KEK is not included in the configuration backup. That would make it too easy to get into the wrong hands.



  • 8.  Re: Backup database and restore on a different appliance

    Broadcom Employee
    Posted Jun 08, 2018 06:03 PM

    Just to mention it here, we now have this covered in online documentation for the latest PAM release 3.2, see https://docops.ca.com/ca-privileged-access-manager/3-2/EN/administrating/maintenance/configuration-and-database-backups/restore-the-database-to-a-new-appliance. The procedure would be the same for 3.1.1.