Primary-DR pre-install Tasks
This topic describes the tasks and prerequisites that you should handle right before you install the Digital Vault server in a Primary-DR environment.
Before installing, ensure that your system still complies with security requirements. To learn more, see Security Fundamentals.
Verify the server requirements
Check that the Vault server machine has the requirements as listed in Digital Vault Server.
If you are installing a cluster environment, you should also verify the requirements described in Digital Vault Cluster (High Availability).
Local drive setup for the Vault
You must decide where to install the CyberArk Vault server application on the server, and where the Safes will be installed. These applications should reside in separate folders. We recommend that you install the Safes on an NTFS drive so you can control the permissions.
You must use the same file system on all the Vault servers. For example, if your Safes are on an NTFS partition, the replicated Safes should also be on an NTFS partition (not FAT/FAT32).
The recommended partition size is double the average size of the Safes (the data size).
Make sure that the Vault server is part of a local Workgroup, and not part of a Domain.
Sync the Vault with Network Time Protocol (NTP)
The Vault must be synchronized with the organization's NTP server to ensure that the Vault's activity is in sync with records on all other servers. For additional steps needed to enable connectivity between the hardened Vault and the NTP server, see Configure time synchronization on the Vault Server using NTP.
All Digital Vaults must be configured with NTP. We recommend using the same NTP server for all your Vaults.
Vault installation package
Verify that you have the following items for the installation procedure:
- CyberArk Vault server and Disaster Recovery Vault software packages
- Master CD
- Operator CD
- License file
Hardware Security Module (HSM) for the server keys
If you are going to use an HSM to store the server keys, do the following before running the Vault installation and hardening:
- Review the system requirements for the HSM. See Digital Vault Server.
- Install the HSM client on the Vault server machine.
- Configure the connection to the HSM server and partition. Follow your HSM vendor configuration instructions.
Administrator user
Only users with Administrator authorizations can install the CyberArk Vault. When you install the Vault, log on to the Server machine as an Administrator user.
Configure the Vault interface language for non-Unicode programs
On the Vault machine, configure the Vault interface language for non-Unicode programs so that you will be able to create Safes, users, and files in multiple languages.
- In the Control Panel, select Clock, Language, and Region; the Clock, Language and Region window appears.
- Select Region and Language; the Region and Language window appears.
- In the Administrative tab, click Change system locale and select the required language for non-Unicode programs.
- Click OK. You will now be able to create Safes, users, and files in the PrivateArk Client in English and in the language configured in the previous step.
The configuration should be the same on the IIS server and on the machine where you install the PVWA.
Prepare the CyberArk Vault server
The following preparations should be carried out by the Administrator user.
- Install a clean Operating System or image with no third-party software, as described in Digital Vault Server.
  It is essential to install a clean operating system or image, and not to clean up an existing system. Do not install any additional software.
- Update the operating system with the latest Microsoft security updates.
- Install Microsoft Visual C++ Redistributable for Visual Studio 2015-2022, 32-bit and 64-bit versions.
- Install the Microsoft .NET Framework 4.8 Runtime, and restart the machine.
  For more information about how Windows determines which .NET versions are installed, see https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed.
- Ensure that the Administrator password is appropriately strong. As a best practice, we recommend setting a minimum of 14 alphanumeric characters.
- Check that the server IP address is correctly configured, and that it is static.
- In the Network Connection properties, clear the Preferred DNS Servers check box.
  DNS connectivity is only allowed for specific scenarios. See Avoid using DNS on the Digital Vault Server.
- Review the number of network cards, so that later you can verify that the Vault has recognized them all.
- Ping a known IP address to check that the network connection is working correctly.
  It is important to verify the network connection before installing the CyberArk Vault.
- In the server machine BIOS security settings, set the boot sequence to boot from the hard drive first.
  This is recommended for additional physical security.
- Secure the server machine BIOS by setting a password.
- Enable DEP if it is supported on the Vault machine.
  For more information about implementing DEP, refer to Microsoft documentation.
- (Non-clustered environments only) Uninstall all protocols except the following TCP/IP protocols.
  This step is not applicable for Windows Server 2019.
- Reboot the server.
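The checks in the list above can be confirmed from an elevated PowerShell session before the installer is run. The script below is an added example, not CyberArk's own tooling; the adapter name and the ping target are assumptions you replace with your own values, and every check is read-only except the non-destructive drive scan.

```powershell
# Added example, not from the CyberArk documentation: read-only checks that mirror the
# single-node preparation list above. Run in an elevated PowerShell session on the Vault host.
# Assumptions: $VaultNic is the adapter the Vault will use; $KnownHost is a constructed address.
$VaultNic  = 'Ethernet0'     # assumed adapter name; adjust for your server
$KnownHost = '10.0.0.1'      # constructed sample address for the ping check
$checks = [ordered]@{}

# Workgroup member, not domain-joined
$cs = Get-CimInstance Win32_ComputerSystem
$checks['Workgroup, not domain'] = -not $cs.PartOfDomain

# Static IPv4 address on the Vault NIC (PrefixOrigin 'Manual' means it did not come from DHCP)
$ips = @(Get-NetIPAddress -InterfaceAlias $VaultNic -AddressFamily IPv4 -ErrorAction SilentlyContinue)
$checks['Static IP'] = @($ips | Where-Object PrefixOrigin -eq 'Manual').Count -gt 0

# No DNS servers configured on the NIC (DNS is only allowed for specific scenarios)
$dns = Get-DnsClientServerAddress -InterfaceAlias $VaultNic -AddressFamily IPv4
$checks['No DNS servers'] = @($dns.ServerAddresses).Count -eq 0

# Record how many physical NICs Windows sees, to compare with what the Vault reports later
$checks['Physical NIC count'] = @(Get-NetAdapter -Physical).Count

# Basic reachability test
$checks['Ping known host'] = Test-Connection -ComputerName $KnownHost -Count 2 -Quiet

# .NET Framework 4.8 or later: Release value 528040 or higher (see the Microsoft page linked above)
$rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
$checks['.NET 4.8+'] = [int]$rel -ge 528040

# DEP policy: 1 = AlwaysOn and 3 = OptOut cover every process; 2 = OptIn protects only Windows binaries
$dep = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$checks['DEP enabled for all processes'] = $dep -in 1, 3

# Windows Time must follow an NTP source, not the local CMOS clock or a free-running clock
$src = @(w32tm /query /status 2>&1) -match '^Source:'
$checks['NTP synced'] = [bool]($src -and ($src -notmatch 'Local CMOS Clock|Free-running'))

# Non-destructive file-system scan of the system drive (chkdsk-equivalent, no repair)
$checks['System drive scan'] = (Repair-Volume -DriveLetter $env:SystemDrive[0] -Scan) -eq 'NoErrorsFound'

$checks
```

The Administrator password strength and the BIOS settings cannot be read from PowerShell and still have to be verified by hand.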
Complete these tasks on the host machines for both node A and node B before continuing to the Vault installation.
- Run chkdsk to confirm that the drive where you will install the Digital Vault is healthy.
- Configure the network:
  - Allocate three IP addresses on your enterprise network for the Vault Cluster nodes' public addresses and the Virtual IP. The public IPs and the Virtual IP must be from the same subnet.
  - If using a Private Cluster Network, create the network and connect one NIC from each Cluster Vault node to it. Otherwise, connect one NIC from each Cluster Vault node directly using a cross-over cable.
    When configuring IP addresses for firewall rules (inbound and outbound) used by enterprise integrations, such as SMTP, Syslog and RADIUS servers, configure the Cluster Virtual (shared) IP and the two public IP addresses of the Vault nodes for both the Primary Cluster site and the DR Cluster site (if applicable).
- Configure the network cards:
  - Configure the public network card and private network card on each node. Do not configure the Virtual IP now.
  - Save the network card name of the public network of each node for later use.
  - On the public network card for each node, uncheck Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks in the Public Networking properties.
  - Ensure that the Administrator password for each server is appropriately strong. As a best practice, we recommend setting a minimum of 14 alphanumeric characters.
  - Reboot each server.
- Prepare shared storage with two drives. One drive is for the Vault data and metadata, and the other drive is for the Quorum Disk.
  - Before installing the Cluster Vault, format the drives to make sure they are healthy.
  - Ensure that the drive letters for the Quorum are identical in both nodes. For example, if the Quorum drive in node A is assigned to Q:, make sure that the Quorum drive on node B is also assigned to Q:.
  - Ensure that the drive letters for storage are identical in both nodes.
    If necessary, configure more drives for saving the Vault data. For example, you can save the PSM recordings on a different drive.
- Requirements for installing both nodes:
  - Using the Windows Disk Management utility, ensure that the shared storage resources are online in only one node, in order to avoid access conflicts on the disk and prevent potential data integrity issues. Make sure that following installation (and before triggering a failover between the cluster nodes), there are no open files or folders on the shared storage (such as PADR.ini).
  - Before restarting a Vault machine with the Cluster running on it, it is recommended to stop the node from the Cluster Vault Management utility in order to make sure that all resources are shut down properly.
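The network steps for a cluster node (three addresses in one subnet, Virtual IP left unassigned for now, the two Microsoft Networks bindings removed from the public NIC) can be applied and verified on each node with the script below. It is an added example, not part of the CyberArk documentation; the adapter name, prefix length and the three addresses are constructed placeholders.

```powershell
# Added example, not from the CyberArk documentation: pre-flight checks for one Cluster Vault node.
# It verifies that both public node addresses and the Virtual IP are in one subnet, that the VIP is
# not yet assigned on this node, and that the public NIC no longer binds Client for Microsoft Networks
# or File and Printer Sharing. The adapter name and all addresses are constructed placeholders.
$PublicNic    = 'Public'
$PrefixLength = 24
$NodeAPublic  = '10.10.20.11'
$NodeBPublic  = '10.10.20.12'
$VirtualIP    = '10.10.20.10'

function Get-NetworkId {
    # Return the network part of an IPv4 address as a dotted quad, e.g. 10.10.20.11/24 -> 10.10.20.0
    param([string]$Address, [int]$PrefixLength)
    $octets = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $net = for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Max(0, [Math]::Min(8, $PrefixLength - 8 * $i))  # mask bits in this octet
        $octets[$i] -band ((0xFF -shl (8 - $bits)) -band 0xFF)
    }
    $net -join '.'
}

# Requirement: the public IPs and the Virtual IP must come from the same subnet
$subnets = @($NodeAPublic, $NodeBPublic, $VirtualIP | ForEach-Object { Get-NetworkId $_ $PrefixLength } | Sort-Object -Unique)
if ($subnets.Count -ne 1) { throw "Node and Virtual IPs span several subnets: $($subnets -join ', ')" }

# Requirement: do not configure the Virtual IP now; it must not be bound on this node yet
if (Get-NetIPAddress -IPAddress $VirtualIP -ErrorAction SilentlyContinue) {
    throw "Virtual IP $VirtualIP is already assigned on ${env:COMPUTERNAME}"
}

# Requirement: uncheck Client for Microsoft Networks (ms_msclient) and File and Printer Sharing (ms_server)
Disable-NetAdapterBinding -Name $PublicNic -ComponentID 'ms_msclient', 'ms_server'
$stillEnabled = Get-NetAdapterBinding -Name $PublicNic -ComponentID 'ms_msclient', 'ms_server' |
    Where-Object Enabled
if ($stillEnabled) { throw "Still bound on ${PublicNic}: $($stillEnabled.DisplayName -join ', ')" }

"Node ${env:COMPUTERNAME}: subnet $($subnets[0])/$PrefixLength, public NIC bindings OK"
```

Run it on node A and node B in turn, with the node-specific public address in each case; the drive-letter checks for the Quorum and storage disks still have to be compared by hand because the shared disks are online on only one node at a time.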