Symantec Privileged Access Management

  • 1.  Unable to change Admin password

    Posted Aug 20, 2019 06:01 AM
    Dear All,

    While configuring DR, we uploaded the database backup of the DC PAM.
    The upload was successful and it works fine, but when we log in as the Admin user (the super user name was changed),
    it asks us to change the password; when we change the password it shows "user not updated".

    In Logs

    Please Suggest how to resolve this one?

    ------------------------------
    Network and security Engineer technical associative
    Cas Trading House
    ------------------------------


  • 2.  RE: Unable to change Admin password
    Best Answer

    Broadcom Employee
    Posted Aug 20, 2019 06:37 AM
    Hello Sudip,

    Can you explain the process on how you have copied over the DB from DC to DR?
    Did you download the DB from the DC, save it locally on your desktop and then upload the same to the DR environment?

    https://docops.ca.com/ca-privileged-access-manager/3-2/EN/administrating/maintenance/configuration-and-database-backups/restore-the-database-from-a-backup-file

    From the product documentation: Note: Beginning in version 3.0.1, only the appliance that performed the database backup can restore the database and function properly. Another appliance can restore the database, but it cannot decrypt the password data, so any functionality involving that data fails. To create a duplicate appliance for disaster recovery or migration purposes, see Restore the Database to a New Appliance.

    So, this means that you can't just copy over the database from one CA PAM node to another CA PAM node; you will have to follow the process as defined in Restore the Database to a New Appliance.

    Thanks,
    Reatesh.


    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Unable to change Admin password

    Posted Aug 20, 2019 07:11 AM
    Hi Reatesh,

    Yes, I downloaded the DB from the DC, saved it locally on my desktop and then uploaded it to the DR environment.

    So for DR, can we do as you say in the document?
    Can we configure the new appliance as a member of a secondary site and the DC PAM as the primary site? What are the requirements for this configuration?
    Does this need an extra license?
    Are you talking about the Management Console?
    Please, can you give suggestions for this?



    ------------------------------
    Network and security Engineer technical associative
    Cas Trading House
    ------------------------------



  • 4.  RE: Unable to change Admin password

    Broadcom Employee
    Posted Aug 20, 2019 07:33 AM
    Hi Sudip,

    You should be able to configure the new node as a member of the secondary site.
    The primary site will push all the updates to all the members of the primary site as well as to the members of the secondary site.

    You do not require any additional license, but the licensed features must be the same across all the nodes which will be part of the cluster.

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 5.  RE: Unable to change Admin password

    Posted Aug 20, 2019 10:32 AM
    Hi Reatesh,
    Thank you for your information.

    You mean if the license is the same, we can configure them as the primary node and secondary node?

    Now, in a cluster, we have configured two PAM appliances in the primary site; can we configure the DR site as a secondary node?
    Is there any issue?
    In our scenario, to sync the data of production, we need a management console.

    Can you please send me a document that I can show them, stating that we can configure a node in a secondary site and that the data will also sync there?

    Please, can you provide me the document which helps to configure primary and secondary sites in a cluster?

    Thank you,

    ------------------------------
    Network and security Engineer technical associative
    Cas Trading House
    ------------------------------



  • 6.  RE: Unable to change Admin password

    Broadcom Employee
    Posted Aug 21, 2019 01:01 PM
    Hello Sudip,
    Configuration of multi-site clusters is covered in our online documentation, see e.g. https://docops.ca.com/ca-privileged-access-manager/3-2-5/en/deploying/set-up-a-cluster, and pages under it.

    The procedure Reatesh pointed you to asks you to make one DR node part of the production cluster temporarily, so that it gets the keys that are needed to decrypt passwords from a production database. Once that is done, you can take the node out of the production cluster and use it as master node (first primary site node) in your DR cluster. When you start up the DR cluster, all other DR nodes will get the same keys and will be able to decrypt passwords from production databases.

    If you only need a single PAM instance for DR purposes, you could leave the DR node in the production cluster permanently, configure the cluster to be operationally safe, and just redirect user traffic to the DR site when needed. A secondary site node would not be able to update any credentials, but that may be what you would want anyway.


  • 7.  RE: Unable to change Admin password

    Posted Aug 22, 2019 02:58 AM

    Hi Ralf,

    The CA link below says that "The backup requires the key encryption key from the original appliance for restoration". Can you tell me where we have to download the key encryption key from the DC PAM and where we have to upload it in the DR PAM?

    https://docops.ca.com/ca-privileged-access-manager/3-2/EN/administrating/maintenance/configuration-and-database-backups/restore-the-database-to-a-new-appliance

    Can you tell me whether, without a multi-site cluster, we can restore the database to DR?

    regards
    Ramesh




  • 8.  RE: Unable to change Admin password

    Broadcom Employee
    Posted Aug 22, 2019 10:09 AM
    Hi Ramesh,

    You don't have to worry about the key. As discussed here, and in the online documentation, all you have to do is make one DR PAM node part of the production cluster at one point in time. At that point the DR node gets the necessary encryption keys and you can restore production databases on it later on, even after taking it out of the production cluster. Just remember that this node has to be the master in the DR cluster, so that the keys are copied to the other DR cluster nodes, after which all production and DR nodes can read the same database backups.
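As an added illustration (not code from this thread, from CA PAM or from Broadcom), a stdlib-only Python model of the behaviour the documentation quoted above describes: the backup restores on any appliance because account records are in the clear, but credential fields are sealed under the originating appliance's key encryption key, so a node that never obtained that key through cluster membership fails to decrypt them. The toy cipher, the field names and the fingerprint check are constructed stand-ins, not the product's real format.

```python
"""Model of the DR failure in this thread: a backup restores anywhere, but credential
fields stay sealed under the originating appliance's KEK. Constructed stand-in code."""
import hashlib
import hmac
import os

def derive_appliance_kek() -> bytes:
    """Each appliance generates its own key encryption key (constructed example)."""
    return os.urandom(32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher, standing in for the real one.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(kek: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC a single credential field under the appliance KEK."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def open_sealed(kek: bytes, blob: dict) -> bytes:
    """Check the tag before decrypting: a foreign KEK fails here instead of yielding garbage."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("credential data cannot be decrypted: KEK mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

def make_backup(kek: bytes, users: dict) -> dict:
    """Usernames stay in the clear (so the restore 'works'); passwords are sealed.
    A KEK fingerprint lets a restore verify key ownership before touching any data."""
    return {"kek_fingerprint": hashlib.sha256(kek).hexdigest()[:16],
            "users": {name: seal(kek, pw.encode()) for name, pw in users.items()}}

def restore_passwords(kek: bytes, backup: dict) -> dict:
    """Return decrypted credentials; raise if this appliance never shared the KEK."""
    if hashlib.sha256(kek).hexdigest()[:16] != backup["kek_fingerprint"]:
        raise ValueError("backup came from another appliance; obtain its KEK via the cluster")
    return {n: open_sealed(kek, b).decode() for n, b in backup["users"].items()}
```

A DR node modelled as a second `derive_appliance_kek()` call restores nothing usable, which is the "user not updated" symptom in the first post; a node that received the DC key through cluster membership (modelled by reusing the same KEK) reads the same backup cleanly.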