Symantec Privileged Access Management

  • 1.  Minimizing downtime in a multi-site V2P migration

    Broadcom Employee
    Posted Feb 15, 2019 02:03 PM

    A client has 2 sites, each with 3 virtual nodes; the primary site is in the primary data center, and the secondary site is in the DR data center.

     

    The client now wants to migrate both sites to physical appliances whilst minimizing cluster downtime.

     

    Assuming that all other cluster pre-reqs will be met (such as software and patch levels, licenses, SSL certificates, etc.), would this high-level procedure be the best way to accomplish that task (migrate while minimizing downtime)?

     

    1. In the DR site, add physical devices to the existing secondary site
      1. This can be done whilst the cluster is online - if I recall correctly?
    2. Configure a NEW Secondary site in the primary datacenter with the physical devices
      1. This will require cluster downtime to configure
    3. Start the cluster to allow replication to the new secondary site.
    4. After the NEW Secondary site has fully replicated, take down the cluster again
      1. Promote the NEW site to primary (Physical)
      2. Remove old Primary Site (VMs)
      3. Remove virtual nodes from secondary site configuration
      4. Start the cluster
    5. Update DNS entries to point to new primary site VIP and secondary site VIP, accordingly

     

    Am I forgetting a major step?

    Is there a better way?

    Are there any pitfalls with this approach?

    Is this documented somewhere?



  • 2.  Re: Minimizing downtime in a multi-site V2P migration

    Posted Feb 15, 2019 04:38 PM

    Adding a new site to a Multisite cluster is described here: Add a Cluster Site - CA Privileged Access Manager - 3.2.4 - CA Technologies Documentation. Adding a member to an existing site is described in item 7 here: Cluster Configuration - CA Privileged Access Manager - 3.2.4 - CA Technologies Documentation. Your procedure looks good to me, though you didn't include anything about certificates. Make sure you plan on getting new certificates that include your new nodes. There is a document in our knowledge library describing how to do this: How to create and apply a certificate for all memb - CA Knowledge. If you need any further assistance, please open a ticket.



  • 3.  Re: Minimizing downtime in a multi-site V2P migration
    Best Answer

    Broadcom Employee
    Posted Feb 15, 2019 04:49 PM

    Thanks Ed, I should've specified that we can assume that all other cluster pre-reqs will be met, such as: software+patch levels must match across nodes, licenses must match, NEW SSL certificates will be requested/installed on new nodes, etc.

     

    I'll update the main post to reflect that.

     

    Thanks, Ed, for your feedback.