PSM in a Vault Disaster Recovery Site

The PSM can be configured to work with a Vault that is located in a DR site. In a Disaster Recovery situation, PSM activities are transferred to the DR Vault automatically, which ensures complete continuity when the Production Vault stops working for any reason.

Configuring the PSM for a Disaster Recovery Situation

Install the DR Vault, as described in Install the DR Vault.

When the DR Vault automatically starts working and replaces the Production Vault, the PSM is automatically directed to the DR Vault as part of the DR Vault implementation.

By default, the Production Vault is replicated to the DR Vault every hour, including PSM recordings that have been uploaded to the Vault. Session recordings that have not yet been uploaded to the Vault will be uploaded to the DR Vault automatically and then replicated to the Production Vault when it begins working again. However, active session recordings might be corrupted or lost. To upload PSM recordings more frequently, configure replications to be performed more frequently.

Troubleshooting

In rare cases, the internal user credentials are not synchronized by replication between the Production Vault and the DR Vault, and the PSM will not be able to function smoothly. The following instructions describe how to resynchronize the user credentials and continue working on the DR Vault.

In the PrivateArk Administrative Client:

  1. Log on to the Vault with the Vault user who installed the PSM.

  2. Change the passwords of the following users:

    • PSMApp_<MachineName>

    • PSMGW_<MachineName>

On the PSM server machine:

  1. Stop the PSM Server service.

  2. In the \CyberArk\PSM\Vault folder, copy all the *.cred and *.ini files and save them in a different location.

  3. Use the CreateCredFile utility to create new credentials files for the PSMApp and PSMGW users.

    1. From a command prompt, go to the Vault subfolder of the PSM installation folder. By default, this is C:\Program Files (x86)\CyberArk\PSM\Vault.

    2. Enter the following command:

      • For version 12.1 and lower:

        • For the PSMApp user

          CreateCredFile.exe psmapp.cred Password /Username {username} /Password {password} /AppType PSMApp /UseOSProtectedStorage Machine /ExePath {capsm.exe file path}

        • For the PSMGW user

          CreateCredFile.exe psmgw.cred Password /Username {username} /Password {password} /AppType PSMApp /UseOSProtectedStorage Machine /ExePath {capsm.exe file path}

      • For version 12.1.1 and higher:

        • For the PSMApp user

          CreateCredFile.exe psmapp.cred Password /Username {username} /Password {password} /AppType PSMApp /DPAPIMachineProtection /EntropyFile /ExePath {capsm.exe file path}

        • For the PSMGW user

          CreateCredFile.exe psmgw.cred Password /Username {username} /Password {password} /AppType PSMApp /DPAPIMachineProtection /EntropyFile /ExePath {capsm.exe file path}

      • {username} - A placeholder for the PSMApp or PSMGW user name. The value can be found in the psmapp.cred or psmgw.cred file under the Vault subfolder of the PSM installation folder. By default, this is C:\Program Files (x86)\CyberArk\PSM\Vault.

      • {password} - A placeholder for the password you entered for the user in PrivateArk.

      • {capsm.exe file path} - A placeholder for the path of the capsm.exe file, which is located in the PSM installation folder.

      You can find the location of the PSM installation folder in the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CyberArk\CyberArk Privileged Session Manager registry key.

  4. Start the PSM Server service.
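The PSM server steps above, combined into one PowerShell script. This is an added example, not CyberArk's own tooling. The parameter names, the backup folder, the ACL step, and the assumption that CreateCredFile.exe returns a non-zero exit code on failure are not from this page.

```powershell
# Added example (not CyberArk's script). Run elevated on the PSM server after the
# PSMApp_/PSMGW_ passwords have been changed in the PrivateArk Administrative Client.
param(
    [Parameter(Mandatory)][string]$ServiceName,  # the PSM Server service as registered on this host
    [Parameter(Mandatory)][string]$AppUser,      # PSMApp_<MachineName>
    [Parameter(Mandatory)][string]$GwUser,       # PSMGW_<MachineName>
    [Parameter(Mandatory)][string]$BackupRoot,   # hypothetical: any folder outside the PSM tree
    [string]$PsmRoot = 'C:\Program Files (x86)\CyberArk\PSM',  # default install folder
    [switch]$Legacy                              # set for version 12.1 and lower
)
$ErrorActionPreference = 'Stop'
$vaultDir = Join-Path $PsmRoot 'Vault'
$capsm    = Join-Path $PsmRoot 'capsm.exe'
$protect  = '/DPAPIMachineProtection', '/EntropyFile'            # 12.1.1 and higher
if ($Legacy) { $protect = '/UseOSProtectedStorage', 'Machine' }  # 12.1 and lower

function New-PsmCredFile([string]$File, [string]$User) {
    # Prompting keeps the password out of the script and shell history; it still
    # reaches CreateCredFile on its command line, as the documented syntax requires.
    $secure = Read-Host -AsSecureString -Prompt "New Vault password for $User"
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $cliArgs = @($File, 'Password', '/Username', $User, '/Password', $plain,
                     '/AppType', 'PSMApp') + $protect + @('/ExePath', $capsm)
        & .\CreateCredFile.exe @cliArgs
        # Assumption: the utility signals failure with a non-zero exit code.
        if ($LASTEXITCODE -ne 0) { throw "CreateCredFile failed for $File (exit code $LASTEXITCODE)" }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)  # wipe the unmanaged copy
    }
}

Push-Location $vaultDir   # a wrong path fails here, before the service is touched
try {
    Stop-Service -Name $ServiceName
    $backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $backup | Out-Null
    # Added precaution: the copies are credential files, so limit the folder to
    # Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) before copying into it.
    icacls $backup /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    Get-ChildItem $vaultDir -File | Where-Object Extension -in '.cred', '.ini' |
        Copy-Item -Destination $backup
    New-PsmCredFile 'psmapp.cred' $AppUser
    New-PsmCredFile 'psmgw.cred'  $GwUser
    Start-Service -Name $ServiceName   # reached only if both files were created
} finally {
    Pop-Location
}
```

If either CreateCredFile call fails, the script stops with the service left stopped and the original files preserved in the timestamped backup folder.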

For more information, refer to User credential files.