cyberark for the enterprise04 -企業(yè)網(wǎng)絡方舟

CyberArkForTheEnterpriseIncludingDisasterRecoveryandBackupandRestoreObjectivesBytheendofthislessonyouwillbeabletodescribe:Theredundancysolutions:HighAvailabilityDisasterRecoveryTheintegrationwiththeEnterpriseAuthenticationSystemsCredentialFilesTheintegrationwiththeEnterpriseDirectoryTheremotecontrolandmonitoringcapabilitiesDatabasesOracleMSSQLDB2InformixSybaseMySQLAnyODBCOperating

SystemsWindowsUnix/LinuxAS400OS390HPUXTru64NonStopESXOVMSMacApplicationsSAPWebSphereWebLogicOracleApplicationERPSystemCenterConfigurationManagerWindows:ServicesScheduledTasksIISAppPoolsIISAnonymousCOM+GenericInterfaceSSH/TelnetODBCWindowsRegistryWebInterfacesWebSitesNetworkDevicesCiscoJuniperNortelAlcatelQuntumF5Security

AppliancesFW1,SPLATIPSOPIXNetscreenFortiGateProxySGDirectoriesand

CredentialStorageADSunOneNovelUNIXKerberosUNIXNISRemoteControl

andMonitoringHMCHPiLOALOMDigiCMDRACCyberArk’sIntegrationAcrosstheEnterpriseEnterpriseAuthenticationCredentialFilesBackupandRestoreHighAvailabilityDisasterRecoveryEnterpriseMonitoringAgendaEnterpriseAuthenticationEnterpriseauthenticationcanbebasedonRADIUSPKINTAuthenticationRSASecurIDLDAPRADIUSAuthenticationAnyRADIUSservercanbesupported:IASVascoMideyeEtc…CansupportChallengeResponseRadiusVaultRADIUSAuthenticationInstallationTheVaultshouldbedefinedasaclientfortheRADIUSserverandhaveasecretRequiresacertificate(notSelf-Signed)fortheVaultmachineUpdatedbparm.iniwithRadiusServersInfoRunCAVaultManagerSecureSecretFilestoencrypttheclientsecretontheVaultmachineForHA:shoulddefinebothnodesfortheRADIUSPKIAuthenticationCanusePKIcertificatesstored:LocallyontheendusercomputerUsingSmartCardCRLCheckVaultPKIAuthentication-InstallationRequiresacertificate(notSelf-Signed)for

theVaultmachineInstalltrustedCAonVaultmachineforclientcertificatesUpdatedbparm.iniwithTrustedCApathLDAPAuthenticationAddLDAPDirectoryUsage=AuthenticationLDAPVaultRSASecureIDAuthenticationUsingRSASecurIDagentontheVaultmachine(notmended)ThroughtheGUIClientmustbeusedassecondaryauthenticationSecurIDVaultRSASecureID-InstallationSecurIDagentshouldbeinstalledontheVaultmachinebeforetheVaultisinstalledMustbeusedassecondaryauthenticationForPVWA:SecurIDAgentshouldbeinstalledonthePVWAmachineandusefullimpersonationEnterpriseDirectoryAnyEnterprisedirectorythatsupportsLDAPprotocol:ActiveDirectoryNovelle-DirectorySunOneDirectoryAnyDirectorythatsupportsLDAPEnterpriseAuthenticationCredentialFilesBackupandRestoreHighAvailabilityDisasterRecoveryEnterpriseMonitoringAgendaCredential(Cred)FileSomeVaultcomponentscanaccesstheVaultserverwithausercredentialfilethatcontainstheuser‘snameandencryptedauthenticationdetails,preventingtheneedforinteractiveauthenticationandenablingfilesharingandtransferprocessestobeperformedautomatically.PVWADRVaultCPMBackupCreatingaCredFileEachcomponentthatusesCredfilescomeswithitownutilityforcreatingCredfilesItisrunthroughaCLIinterface(CMDinWindows)CreatingaCredFileCont.CreateCredFile.exe<name_of_the_cred_file>VaultUsername[mandatory]==>PasswordManagerVaultPassword(willbeencryptedincredentialfile)==>*******DisablewaitforDRsynchronizationbeforeallowingpasswordchange(yes/no)[No]==>ExternalAuthenticationFacility(LDAP/Radius/No)[No]==>RestricttoApplicationType[optional]==>RestricttoExecutablePath[optional]==>RestricttocurrentmachineIP(yes/no)[No]==>Restricttocurrentmachinehostname(yes/no)[No]==>RestricttoOSUsername[optional]==>DisplayRestrictionsinoutputfile(yes/no)[No]==>UseOperatingSystemProtectedStorageforcredentialsfilesecret(Machine/User/No)[No]==>Commandendedsuccessfully

ProblemwithCredFilesForusersthatuseCredfilesthepasswordinthefileandintheVaultisconstantlybeingchangedforsecuritypurposesIfthepasswordlossessyncitmustbechangedonbothsides(theVaultandtheCredFile)Step1–ChangingthePasswordintheVaultForusersthatuseCredfilesthepasswordinthefileandintheVaultisconstantlybeingchangedforsecuritypurposesIfthepasswordlossessyncitmustbechangedonbothsides(theVaultandtheCredFile)Step2–CreatingaNewCredFileGototheserverwherethecomponentisrunning

CPM,PVWA,DR,PSM,Backup…CreateanewCredfileUsethenewpasswordthatyousetinthepreviousstepStep3–ActivatingtheUserintheVaultAftersettinganewpasswordintheVaulttheuserneedstobeActivatedRestarttherelevantservice(CPM<PVWA,DRandsoon)EnterpriseAuthenticationCredentialFilesBackupandRestoreHighAvailabilityDisasterRecoveryEnterpriseMonitoringAgendaSupportstwoBackupsconfigurations:UsingCyberArkBackuputility(PAReplicate)toatemporarymachine(mended)Usinga3rdpartyBackupAgentinstalledontheVaultBackupMethodsBackupUserPredefineBackupuserwithbackuppermissionsonlyPredefineBackupGroupPAReplicateSyntaxUtilityshouldbescheduledtoruneverydayFullBackupismended(fastandreliable)WhattoBackup?ThedataandthemetadatabackupfoldersConfigurationfiles

(programfiles\privateark\server)Don’tbackuptheencryptionkeysRestoreThePARestoreutilityisusedfortherestoreprocedureTheSafedatafilesarerestoredtosamestructureAsynchronizationprocedurewilltakeplace,afterwhichuserswillbeabletoworkwiththefilesimmediately.Restore(cont.)Note:WhenyourestoreasingleSafe,itsoriginalOwnersarenotrestoredwiththeSafedata.SafeOwnersmustbeaddedmanually.Whenrestoringasinglesafe,itshouldnotexistinthevaultbeforetherestoreprocess.OnlyUserswiththe‘RestoreAllSafes’authorizationcanrestoreaSafeInFullrestoreyoushouldrun: cavaultmanager.exerestoreDBAlwaysFollowtheinstructionsintheguideInstalltheCyberArkReplicateCreatecredfile(usingCreateCredFile.exe)Modifyvault.ini(address,portetc.)RunPAReplicateHowtoGetStartedEnterpriseAuthenticationCredentialFilesBackupandRestoreHighAvailabilityDisasterRecoveryEnterpriseMonitoringAgendaHigh-AvailabilityVaultTheVaultcanbeinstalledasa

high-availabilityclusterofserverswhichprovideconstantaccesstothefiles/passwordsintheVault.ThereisalwaysatleastoneServerconnectedtotheclusterthatisonstandbyforwhenanyotherServerintheclusterfailstoprocessrequests.

VaultHAVaultSharedStorageMicrosoftClusterVaultNodeAHigh-AvailabilityVault-ArchitectureVaultNodeBHigh-AvailabilityVault-InstallationHardwarerequirements:2serverswith2NetworkcardseachSCSISharedStorageWindowsServer2008R2or2012R2IsolatedDomainwith2DomainControllers(DC)DNSservershouldbeinstalledonbothDCsSpecialhardeningscriptforHAForsmoothfailover,OperatorkeysmustbelocatedontheVaultmachine.High-AvailabilityforOtherComponentsOthercomponentscanbeinstalledwithHA:PasswordVaultWebAccessCentralPolicyManagerCentralPolicyManagerPasswordVaultWebAccessEnterpriseAuthenticationCredentialFilesBackupandRestoreHighAvailabilityDisasterRecoveryEnterpriseMonitoringAgendaDisasterRecoveryVaultTheCyberArkVaultDisasterRecoverySiteensuresthatthe

VaultisreplicatedtoaDisasterRecoveryVaultregularly,and

cantakeoverimmediatelywhentheProductionVaultstopssuddenly.3Majortasks:FailoverCheck–CheckingthattheProductionVaultisupandrunning(UsingICMP).DataReplication–ReplicatingtheMetadatafilesandtheSafesfilefromtheCyberArkProductionVaulttotheDisasterRecoveryVault.FailoverProcess–IftheProductionsiteisdown,aFailoveriscarriedoutontheDisasterRecoveryVault.StorageReplicationVaultDRVaultStorageArchitectureFailoverandFailbackFailoverUsuallyisunexpectedAutomatically/ManualFailoverFailbackCanbeplannedShouldbedonemanuallyDRserviceisinstalledontheoriginalproductionVault TheCyberArkVaultDRServiceFailoverCheck–CheckingthattheProductionVaultisupandrunning. ThenetworkavailabilitycheckiscarriedoutusingtheICMPechoprotocol(“Ping”)fromtheDisasterRecoveryVault.DataReplication–ReplicatingtheMetadatafilesandtheSafesfilefromtheCyberArkProductionVaulttotheDisasterRecoveryVault.TheMetadatareplicationisbasedonexports(fullbackup)andbinarylogs(incrementalbackups). ThereplicationwillbeexecutedaccordingtothePADR.iniparametersfile.FailoverProcess–IftheProductionsiteisdown,meaningthatthereisnonetworkconnectionbetweenthetwoServers,aFailoveriscarriedoutontheDisasterRecoveryVault. ThedecisionregardingwhenaFailovershouldbecarriedoutisevaluatedusingpredefinedparametersinthePADR.iniparametersfile. AftertheFailover,the‘PrivateArkServer’serviceontheDisasterRecoverymachinewillbemodifiedforAutomaticstartup.InstallationHardwarerequirements:2servers(sameasVault)Windows2008R2or2012R2Components:RegularVaultinstallationDRmoduleinstallationTheDRUserisusedforthereplicationTheVaultserviceontheDRMachineshouldbesettomanualItismendedtousetheDNSnamefortheVault

InstallationPre-InstallationKeys–UsethesameCyberArkkeysasintheProductionVault.Version–UsethesameCyberArkVaultServerversionasthe ProductionVault.CustomerLicense-UsetheDRVaultlicense.xmlfileprovided.ActivateDRuserInstallationInstallaCyberArkVaultServerInstallaPrivateArkClientInstalltheCyberArkVaultDisasterRecoveryServicePADR.iniFailoverMode

–IndicateswhetherFailoveriscurrentlyactiveornot.WhenaFailoveriscarriedout,theparameterwillbeupdatedautomatically. EnableCheck-WhetherornottoperformafailurecheckEnableReplicate-Whetherornottoperformdatareplication EnableFailover-WhetherornottoperformFailover PADR.ini(cont.)ReplicateInterval–Theminimumtimeintervalinsecondsbetweendatareplications.MetadataReplicateInterval–TheminimumtimeintervalinsecondsbetweenreplicationsoftheVault’smetadata.MetadataReplicateFromHour–TheearliesthourofthedaythatreplicationoftheVaultmetadatawilloccur.MetadataReplicateToHour–ThelatesthourofthedaythatreplicationoftheVaultmetadatawilloccur.PADR.iniFileTestingtheDRVaultInstallationDisabletheconnectivitybetweentheDRVaultandtheProductionVault.CheckthattheDRVaulthasbegunworkingasanactiveVault.UsingthePrivateArkClientontheDRVaultmachine,checkthatyoucanaccesstheDRVault.ResettingtheDRVaultStoptheVaultserviceontheDRmachine.InPADR.ini,dothefollowing:Specifythefollowingparameter: Failovermode=noDeletethefollowingparameters:NextBinaryLogNumberToStartAtLastDataReplicationTimestampStarttheDRVaultservice.Checkthefollowinglogstomakesurethatareplicationwascarriedoutsuccessfully:PADR.logPAReplicate.logWhentheDRServerisinaFailed-OverStateOntheDRVaultServer,VerifythattheDRVaultServerisrunningbycheckingthePrivateArkServerAdminConsole(for

HAVaultusetheClusterAdministrator).Checkthatthe“CyberArkDisasterRecoveryservice”isstoppedandsettoautomatic

Checkthat“FailoverMode”variableinc:\ProgramFiles\Privateark\padr\padr.iniissettoYes

Reviewthepadr.logformostrecentsynchronizationConnecttotheDRvault.PADR.logDisasterRecoveryforOtherComponentsOthercomponentscanbeininstalledintheDRsiteCentralPolicyManager(CPM)Usually,duringDRscenario,passwordwillnotbechangedautomaticallyandthereforeaCPMisnotrequired.TheCPMcanmanagethesystemsintheProductionsite,incaseonlytheVaultenvironmentmovedtotheDRsite.TheCPMcanmanagethesystemsintheDRsite,incaseallenterprisesystemsarereplicatedtotheDRandthereisafullDRscenario.PasswordVaultWebAccess(PVWA)OnceyouinstallaDRVault,anadditionalPVWAshouldbeinstalledtoenableuserstoaccesspasswordsintheDRVault.RedirectingtheFront-EndPVWALocatethetheweb.configfileontheserver.The'VaultFile'parameterpointstotheVault.inifilewheretheVaultIPaddressisdefined.Itsdefaultlocationisin“\CyberArk\PasswordVaultWebAccess\Vault\Vault.ini”.

IntheVault.inifilechangetheIPaddress(orFQDN)topointtotheDREPVVaultServer.

UseDNSSynchronizetheCPMuserandPVWAgatewayaccountEnterpriseAuthenticationCredentialFilesBackupandRestoreHighAvailabilityDisasterRecoveryEnterpriseMonitoringAgendaRemoteMonitoringSNMPEventLogCPUMemoryUsageRemoteControlManageProductionandDRVaultthroughCLIEnterpriseRemoteControlCommands:StopVault,StartVaultGetLogRecords,GetCPUUsageExecutedfromaremotemachine(noneedtoopenRDPPort)UsedtomonitorDRVaultandServiceCommunicatesthroughtheCyberArkprotocolEnterpriseRemoteControl-ConfigurationTheservic