Symantec Privileged Access Management

  • 1.  Breakglass Options

    Posted Jun 17, 2020 10:10 AM
    Hello

    When using PAM version 2.7 we had a laptop which was deemed to be our breakglass laptop. We ran a virtual instance of the PAM on it and could then import backups from the production PAM on a regular basis, meaning that if the unthinkable happened and we lost both PAMs we could view the passwords on our offline version.

    We have now upgraded to 3.3 and breakglass was something that I basically forgot about! Reading some of the documentation now, it doesn't look like the method we used for 2.7 is viable anymore. Is that the case, or have I misread things? It seems as though our breakglass laptop version of the PAM would have to be in the cluster, which isn't really possible as the datacentre where our PAMs exist is many miles away!

    Any views on how we could still make use of the breakglass laptop and offline version of PAM would be excellent!

    Thanks,

    M


  • 2.  RE: Breakglass Options
    Best Answer

    Posted Jun 17, 2020 12:11 PM
    Hi S3curity Guy

    Only the cluster nodes can access the database; you must have the database backups correctly configured and, in the event of an incident or failure, restore one of these backups.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/schedule-a-backup-of-the-database.html


  • 3.  RE: Breakglass Options

    Broadcom Employee
    Posted Jun 18, 2020 10:50 AM
    Your old method will work fine... but the laptop would need to be joined to the cluster (as a secondary site) at least once to pull the encryption keys over.

    After that, you should have no trouble restoring backups from the other cluster nodes, even if the laptop is removed from the cluster.

    PAM doesn't care how far away secondary sites are... latency isn't nearly as critical with secondary sites.  So one option would be to actually leave your breakglass node in the cluster, and just power it on periodically and "resync site" to replicate the database to it before powering it off again.  The only downside to this is you may get warnings and alerts about the offline node/site.


  • 4.  RE: Breakglass Options

    Posted Jun 18, 2020 11:24 AM
    Thanks both for the replies.

    Will have to have a think about how I can get this working as the breakglass laptop can't be connected to the network that the PAMs are on easily! Think my only option will be heading down to the datacentre at some point to do the one off connection!


  • 5.  RE: Breakglass Options

    Broadcom Employee
    Posted Jun 18, 2020 01:35 PM
    Edited by Joseph Fry Jun 18, 2020 01:35 PM
    Again, you're going to be joining the laptop as a secondary site node... it does not need to be local to the primary site to do so.

    The only requirement for secondary site connectivity is that your network must allow bi-directional traffic over TCP ports 443, 8443, and 3307.

    Your laptop will need to have the same version of PAM, the same license counts/features, and have NTP configured.  Then follow the directions here to create a secondary site: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-3/deploying/set-up-a-cluster/configure-a-cluster/add-a-cluster-site.html 

    NOTE: You don't need to stop the cluster to create a secondary site.

    Then join your laptop to the secondary site using these instructions: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-3/deploying/set-up-a-cluster/configure-a-cluster/add-a-cluster-member.html

    Once it's done, your laptop will have the full database on it.

    If you don't want to leave the secondary site and member in the cluster config you will have to delete the secondary site (cannot remove the only/last node in a site).  I don't recall if this can be done while the cluster is on (the button is available, so I expect so).

    One thing you need to be VERY careful about after doing this is that the laptop never tries to perform any password management functions after you have removed it from the cluster.  Place the laptop PAM in maintenance mode before you start and leave it that way forever!  If possible, lock its database from the config>clustering>global settings page (can't remember if you can do this on a standalone node or not).
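The reply above says the only network requirement for joining the laptop as a secondary-site member is bi-directional TCP on ports 443, 8443 and 3307. Before driving to the datacentre or opening a firewall change, it is worth proving that path from the laptop. The script below is an added example, not Broadcom or Symantec code and not part of the thread: it probes each primary-site node on those three ports, reports which paths are blocked, and can bind a local listener so someone on the datacentre side can test the reverse direction. The hostnames and the per-port role comments are the example author's assumptions; only the port numbers come from the thread.

```python
"""Pre-flight connectivity check before adding a PAM secondary-site node.

Added example, not Broadcom/Symantec code. Probes the ports the thread
names (TCP 443, 8443, 3307) and reports which (host, port) paths fail.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# Ports named in the thread. The role notes are assumptions, not vendor docs:
# 443 (web UI/API), 8443 (cluster traffic), 3307 (database replication).
CLUSTER_PORTS: Tuple[int, ...] = (443, 8443, 3307)

# Placeholder hostnames (constructed for the example); use your primary-site nodes.
PRIMARY_SITE_NODES = ("pam-primary-1.example.internal", "pam-primary-2.example.internal")


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a full TCP handshake to host:port completes within timeout.

    A closed port (RST) and a filtered port (timeout) both return False:
    either way the path is not usable for cluster traffic.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(hosts: Iterable[str], ports: Iterable[int] = CLUSTER_PORTS,
              timeout: float = 3.0) -> Dict[Tuple[str, int], bool]:
    """Probe every (host, port) pair and return a reachability map."""
    ports = tuple(ports)
    return {(h, p): check_tcp(h, p, timeout) for h in hosts for p in ports}


def unreachable(results: Dict[Tuple[str, int], bool]) -> List[Tuple[str, int]]:
    """The (host, port) pairs that failed, sorted for stable reporting."""
    return sorted(k for k, ok in results.items() if not ok)


def open_listener(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Bind a TCP listener so the primary site can test the reverse path.

    Binding 443/8443/3307 needs root or CAP_NET_BIND_SERVICE and must not be
    done on the PAM appliance itself (its own services own those ports); run
    it on a throwaway host or the laptop's host OS before PAM is started.
    Port 0 asks the OS for an ephemeral port, which the self-test uses.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def report(results: Dict[Tuple[str, int], bool]) -> str:
    """Human-readable summary: one line per path, then a verdict."""
    lines = [f"{'OK  ' if ok else 'FAIL'} {h}:{p}" for (h, p), ok in sorted(results.items())]
    bad = unreachable(results)
    if bad:
        lines.append(f"{len(bad)} path(s) blocked; fix the firewall rules before joining")
    else:
        lines.append("all outbound paths open; now have the primary site test the reverse direction")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(preflight(PRIMARY_SITE_NODES)))
```

The probe only proves the laptop-to-primary direction; the reverse direction (primary-site nodes connecting back to the laptop on the same ports) is what `open_listener` is for, and the NTP requirement from the reply still has to be checked separately on the laptop.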