We have 2 VMs with PAM 3.1.1.
In the past, with version 2.8.3, we could do "backup database" in VM1 and restore it on VM2 and everything worked ok.
After we upgraded to version 3.1.1, this procedure doesn't appear to be working. On VM2, after the restore, it boots but says it isn't able to connect to the server.
Has anyone had this issue?
Thanks in advance
Hi Nuno, Yes, this is a known change. There is an additional protection layer involving a KEK (key encryption key) that is stored outside of the database so that someone other than you who somehow manages to get hold of one of your database backups cannot just load it onto his own PAM instance and see all your data. The KEK is shared across a cluster. So if you have need to restore backups from one PAM instance to another, e.g. for disaster recovery, temporarily make one node in the DR site a member of the cluster, or for a single node temporarily define a cluster and add the DR node, then start the cluster. Once it's online, you can stop again, take the DR node out of the cluster and restart without it. The DR node now has the correct KEK. You can shut it down and bring it up at some future time to restore a DB backup from one of the cluster nodes. There is a task open already to get this documented properly in our online documentation.
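To make the mechanism Ralf describes concrete, here is an added example (not CA PAM's code, and not a description of PAM's actual cipher or file format) that models a database backup protected by envelope encryption: the database is encrypted under a data-encryption key (DEK), the backup carries only the DEK wrapped by a KEK that lives outside the database, and a node can unwrap it only if it holds the cluster's KEK. The `PamNode` class, `join_cluster`, and `demo` are hypothetical stand-ins for the appliance and the cluster join; the cipher is a toy HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library.

```python
"""Illustrative envelope-encryption model of a KEK-protected database backup.

Added example, not CA PAM's implementation. The cipher below is a toy
HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag so that
the example runs on the standard library alone; use AES-GCM from a vetted
library for anything real.
"""
import hashlib
import hmac
import json
import secrets

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or altered blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong KEK or tampered backup")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class PamNode:
    """Hypothetical model of one appliance (assumption, not PAM's real design):
    a KEK kept outside the database, a per-database DEK, and the records."""

    def __init__(self, name: str):
        self.name = name
        self.kek = secrets.token_bytes(KEY_LEN)   # lives outside the DB, never written to a backup
        self.dek = secrets.token_bytes(KEY_LEN)   # encrypts the DB; stored only wrapped by the KEK
        self.records = {}

    def join_cluster(self, member: "PamNode") -> None:
        """Joining a cluster adopts the cluster-wide KEK; leaving again keeps it."""
        self.kek = member.kek

    def backup_database(self) -> dict:
        """The backup holds the DEK wrapped by the KEK and the data under the DEK; no KEK."""
        payload = json.dumps(self.records, sort_keys=True).encode()
        return {
            "wrapped_dek": seal(self.kek, self.dek).hex(),
            "data": seal(self.dek, payload).hex(),
        }

    def restore_database(self, backup: dict) -> None:
        """Unwrap the DEK with this node's KEK, then decrypt the data with the DEK."""
        self.dek = open_sealed(self.kek, bytes.fromhex(backup["wrapped_dek"]))
        self.records = json.loads(open_sealed(self.dek, bytes.fromhex(backup["data"])))


def restore_succeeds(source: PamNode, target: PamNode) -> bool:
    """True only if the target can unwrap the DEK and ends up with the same records."""
    try:
        target.restore_database(source.backup_database())
    except ValueError:
        return False
    return target.records == source.records


def demo() -> tuple:
    """Replays the thread's scenario: restore fails on a fresh node, succeeds after a cluster join."""
    vm1 = PamNode("VM1")
    vm1.records = {"svc-account": "constructed-sample-secret"}  # constructed sample data
    vm2 = PamNode("VM2")                                         # fresh DR node with its own KEK
    before = restore_succeeds(vm1, vm2)   # False: VM2's KEK cannot unwrap the DEK
    vm2.join_cluster(vm1)                 # temporarily add VM2 to the cluster, then remove it
    after = restore_succeeds(vm1, vm2)    # True: VM2 now holds the cluster KEK
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the answer above: a stolen backup file by itself yields only a wrapped DEK and ciphertext, and a node that was never a cluster member fails at the unwrap step rather than at the data itself. Whatever the real product does differently in detail, the operational check is the same: after the temporary cluster join, a test restore on the DR node should succeed before you rely on it.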
Ralf, thanks for the information. It is very helpful to understand this behavior.
Regarding the steps for disaster recovery that you mention: after I add the DR node to the cluster, "synchronize" the KEK and remove the DR node from the cluster, since they then share the KEK, I'm able to restore future backups from VM1 to the DR node?
Thanks once again.
Hi Nuno, Yes.
Just to check: this KEK is included in the configuration backup, right?
For what it's worth, the config file which you can download is machine-specific and basically cannot be applied to a different PAM instance.
Hi Nuno, No, the KEK is not included in the configuration backup. That would make it too easy to get into the wrong hands.
Just to mention it here, we now have this covered in online documentation for the latest PAM release 3.2, see https://docops.ca.com/ca-privileged-access-manager/3-2/EN/administrating/maintenance/configuration-and-database-backups/restore-the-database-to-a-new-appliance. The procedure would be the same for 3.1.1.