Switch between the primary and DR CPMs

This topic describes how to switch back and forth between the primary CPM and the DR CPM during a disaster recovery scenario.

 

Only one active instance of the CPM can be available at any time.

Switch to the DR CPM

  1. Stop the following services on the DR CPM machine:

    • CyberArk Password Manager Service

    • CyberArk Central Policy Manager Scanner

  2. In the System Health dashboard, reset the password of the DR CPM user. By default this user is PasswordManager. For more information, see Restore component connectivity.

  3. Log on to the DR CPM server, and create/replace the credential file.

    1. From a command prompt, go to the Vault subfolder of the CPM installation folder. By default, this is C:\Program Files (x86)\CyberArk\Password Manager\Vault.

    2. Enter the following command, and use the password from Step 2 of this procedure:

      CreateCredFile.exe user.ini Password /Username {username} /Password {password} /AppType CPM /EntropyFile /DPAPIMachineProtection

       
      • {username} and {password} are placeholders. The default username is PasswordManager.

      • To configure advanced settings, use the CreateCredFile.exe utility. For more information, see User credential files.

  4. Start the following services:

    • CyberArk Password Manager Service

    • CyberArk Central Policy Manager Scanner

  5. Verify that the migration process completed successfully by checking the CPM PMConsole.log for errors. By default, this file is stored in C:\Program Files (x86)\CyberArk\Password Manager\Logs.

 
  • If any restrictions were applied to the CPM user (using Trusted Network Area), make sure you enable the IP address of the DR CPM for the same application user.

  • If you specified an incorrect password when creating the credential file for the DR CPM, you will not be able to switch to the DR CPM.
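
The following PowerShell sketch is an added example, not CyberArk code. It runs steps 1 and 3 to 5 of the procedure above in an elevated session on the DR CPM machine, after the password has been reset in step 2. The meaning of the exit code, the 60-second wait, and the match on the word "error" are assumptions.

```powershell
$ErrorActionPreference = 'Stop'

# Service display names and default paths as given in the procedure.
$services = 'CyberArk Password Manager Service',
            'CyberArk Central Policy Manager Scanner'
$vaultDir = 'C:\Program Files (x86)\CyberArk\Password Manager\Vault'
$logFile  = 'C:\Program Files (x86)\CyberArk\Password Manager\Logs\PMConsole.log'
$userName = 'PasswordManager'   # default DR CPM user; change if yours differs

# Step 1: stop both services and confirm that they report Stopped.
foreach ($name in $services) {
    Stop-Service -DisplayName $name
    (Get-Service -DisplayName $name).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(120))
}

# Step 3: recreate the credential file with the password set in step 2.
# Prompting keeps the password out of the script file and the console history.
$secure = Read-Host -AsSecureString "New password for $userName"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
Push-Location $vaultDir
try {
    & .\CreateCredFile.exe user.ini Password /Username $userName /Password $plain `
        /AppType CPM /EntropyFile /DPAPIMachineProtection
    # Assumption: a non-zero exit code means the file was not created.
    if ($LASTEXITCODE -ne 0) { throw "CreateCredFile.exe exited with $LASTEXITCODE" }
}
finally {
    Pop-Location
    $plain = $null
}

# Record the current log length so that step 5 checks only new entries.
$before = if (Test-Path $logFile) { @(Get-Content $logFile).Count } else { 0 }

# Step 4: start both services.
foreach ($name in $services) { Start-Service -DisplayName $name }

# Step 5: give the CPM time to log on to the Vault, then list new log lines
# that mention an error (assumption: failures contain the word "error").
Start-Sleep -Seconds 60
$new    = @(Get-Content $logFile | Select-Object -Skip $before)
$errors = @($new | Select-String -Pattern 'error' -SimpleMatch)
if ($errors.Count) { $errors | ForEach-Object { $_.Line }; throw 'Errors found in PMConsole.log' }
"No new errors in PMConsole.log ($($new.Count) new lines checked)"
```

As in the documented command, the password is passed to CreateCredFile.exe as a command-line argument, so it is visible to process command-line auditing on the machine while the utility runs.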

Switch back to the primary CPM

  1. Stop the following services on the primary CPM machine:

    • CyberArk Password Manager Service

    • CyberArk Central Policy Manager Scanner

  2. In the System Health dashboard, reset the password of the primary CPM user. For more information, see Restore component connectivity.

  3. Log on to the DR CPM server, and create/replace the credential file.

    1. From a command prompt, go to the Vault subfolder of the CPM installation folder. By default, this is C:\Program Files (x86)\CyberArk\Password Manager\Vault.

    2. Enter the following command, and use the password from Step 2 of this procedure:

      CreateCredFile.exe user.ini Password /Username {username} /Password {password} /AppType CPM /EntropyFile /DPAPIMachineProtection

       
      • {username} and {password} are placeholders. The default username is PasswordManager.

      • To configure advanced settings, use the CreateCredFile.exe utility. For more information, see User credential files.

  4. After the password is reset, on the primary CPM, start the following services:

    • CyberArk Password Manager Service

    • CyberArk Central Policy Manager Scanner

 
  • If any restrictions were applied to the CPM user (using Trusted Network Area), make sure you enable the IP address of the primary CPM for the same application user.

  • If you specified an incorrect password when creating the credential file for the primary CPM, you will not be able to switch to the primary CPM.