Symantec Privileged Access Management


CA PAM migration from on premise to AWS

  • 1.  CA PAM migration from on premise to AWS

    Posted 06-17-2020 03:22 PM

    Hello gurus,

    Do you have any materials I can use to do a migration of CA PAM server on premise to AWS?

    Possible solutions I thought of are the below:

    1- Perhaps create a failover cluster using the machine on premise and an EC2 instance on AWS, and then fail over to the AWS EC2 instance.
    2- Somehow replicate the on-premise CA PAM to a CA PAM server on AWS (EC2 server).

    Can you send me any links in relation to this?

    Much appreciated!!!




    ------------------------------
    V/R
    ------------------------------


  • 2.  RE: CA PAM migration from on premise to AWS

    Posted 06-18-2020 10:45 AM
    Option 1 above is the ideal method.  Build PAM in AWS, join it to the cluster as a secondary site and allow it to replicate, then make that site your primary site.

    The steps are here:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-4/deploying/set-up-a-cluster/cluster-synchronization-promotion-and-recovery.html#concept.dita_f58a3e782c2b3c5b616dff2be1c3b751b73c276b_SitePromotionUsingReplicationAnalysis

    You can skip the replication analysis part (steps 2&3) and simply select the AWS site in step 4.


  • 3.  RE: CA PAM migration from on premise to AWS

    Posted 06-18-2020 11:21 AM

    Thanks a lot sir!

    I will do exactly that!!




  • 4.  RE: CA PAM migration from on premise to AWS

    Posted 06-29-2020 12:22 PM

    Question for you:

    So will building PAM on AWS cost me new licensing and everything, or
    will the license for the original server remain valid for building PAM on the new server in AWS?




  • 5.  RE: CA PAM migration from on premise to AWS

    Posted 06-29-2020 01:02 PM
    The customer should talk to their account manager.

    Essentially PAM has two licences that customers pay for:
    1. PAM server license (AWS, OVA, Hardware)
    2. Managed device licenses (for each device accessed via PAM, or that PAM manages a credential on)

    If they intend to run more PAM nodes/servers, then they would need additional PAM server licenses. If the intention is simply to move from on-prem to AWS, then their account manager may be able to change the license type for their PAM server(s), at which point they would get a new license for their AWS node and decommission the on-prem node as soon as the migration is complete.


  • 6.  RE: CA PAM migration from on premise to AWS

    Posted 06-30-2020 01:24 PM

    I really appreciate your time and inputs. 

    So my company has physical appliances to migrate to AWS, and clustering is not allowed between hardware appliances and AWS AMIs.

    " The AWS AMI instance can only be clustered with other AWS AMI instances."
        https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-0-1/deploying.html

    Any thoughts on this?

    I am thinking of having PAM installed on an AWS EC2 instance (if not prohibited), then having the physical appliance and the EC2 instance in one cluster, and then failing over to the EC2 instance.

    If not, "VMware OVA VM instances and the hardware appliance can be in the same cluster." So I can convert the VMware OVA to an AWS AMI and create an EC2 instance using the AMI. But again, if PAM cannot be run on an EC2 instance, the AMI may not work either. So can you confirm whether PAM can be installed on an EC2 instance (EC2 instances are just like any machine except they are in the AWS cloud)?

    V/R





  • 7.  RE: CA PAM migration from on premise to AWS

    Posted 06-30-2020 06:25 PM
    I had never seen that in the documentation before. I am 99.9% positive that we support mixing AWS, Azure, and on-prem PAM into a cluster, so long as they are each on separate sites (primary+secondary).  For latency reasons you couldn't use them in the same site.

    I suspect that the intent was to say that AMI instances can only be in the same cluster site with other AMI instances.  I will try to confirm this and have the documentation corrected.

    I have heard of people using the OVA to deploy on an EC2 instance... however I don't believe that is supported.  If you want to deploy in AWS, the only supported method I am aware of is AMI.



  • 8.  RE: CA PAM migration from on premise to AWS

    Posted 06-30-2020 07:06 PM
    I have confirmed with coworkers that the statement you highlighted in the documentation is false.  We have requested that it be corrected.

    You can absolutely mix all PAM server types in a multi-site cluster.  We have some very large installations using a mix of on-prem and cloud sites in their cluster.  Just keep the AWS instances in their own site(s).

    The only difficulty you may have is if you use Hardware Security Modules in your physical appliances.  If you do, you may be able to use CloudHSM, though I would have to research if we support that or not.


  • 9.  RE: CA PAM migration from on premise to AWS

    Posted 07-01-2020 12:26 PM

    Oh, that is wonderful news!!

    One more question I have for you: we can only have one physical appliance in one site (on premise), and then the second site (on AWS) can also have only one virtual instance (the EC2 instance created using the AMI you guys provide). Just making sure that multi-site does not require that we have a multi-master setup in our on-premise environment.

    Thanks in advance!




  • 10.  RE: CA PAM migration from on premise to AWS

    Posted 07-01-2020 01:04 PM
    Many customers run 1x1 clusters (one in primary site, one in secondary site)... this configuration is what I would consider the optimal PAM arrangement for a small environment/user load where cost is more important than high availability.


  • 11.  RE: CA PAM migration from on premise to AWS

    Posted 07-02-2020 10:07 AM
    Hello Joseph,

    So the plan is to migrate from the DHS on-premise environment to the AWS environment. So for that purpose, what we need is just one machine on premise on which CA PAM is deployed (existing deployment) and then one EC2 instance on which CA PAM is deployed (to be created). Then create a cluster between this on-premise server (physical appliance) and the EC2-based CA PAM. Then do a failover from the on-premise server to the AWS EC2 instance, and after that we can add EC2-based CA PAM servers to create a cluster among those in the AWS environment.


  • 12.  RE: CA PAM migration from on premise to AWS
    Best Answer

    Posted 07-02-2020 10:27 AM
    Yes... exactly as you describe.  We would typically call it "promoting a site" rather than "fail over"... and that is what you will want to search for in our documentation.