Primary-DR Vault installation requirements

This topic describes the Digital Vault requirements and prerequisites that you should review and confirm before beginning the server installation. It applies to Primary-DR Vault architectures, both standalone and clustered.

 

Before installing or upgrading, ensure that your system still complies with security requirements. To learn more, see Security Fundamentals.

Vault server resources

You should have already determined the how many servers you need for the Enterprise Password Vault during the environment planning stage. Make sure that you have a dedicated server for each Vault you'll install. This is essential for file security, because the Vault uses a unique protocol and blocks all incoming and outgoing communication except legitimate Vault communication.

If you are installing a Digital Vault cluster for a High Availability implementation, make sure that you have a dedicated server for each cluster node. For more information, see Digital Vault Cluster (High Availability).

Vault cluster requirements

To ensure stability and resiliency of the Vault cluster and in order to provide the most robust availability solution, make sure your environment complies with the following requirements:

Only physical servers are supported. You can install Vaults on virtual machines using virtual availability solutions offered by the various vendors.
The two cluster nodes must be connected directly via a private network or cross-over cable. In order to isolate and maintain the security of the cluster, this network must contain only the cluster servers.
The shared storage between the cluster machines can be configured by a shared device that supports the SCSI3 protocol. For best performance and availability, CyberArk recommends an enterprise-grade fibre-channel SAN solution.
 

For Windows 2012 users, if the CyberArk Digital Cluster Vault Server is installed on an iSCSi network storage location over TCP/IP, Windows update KB2955164 must be installed to ensure database stability (https://www.microsoft.com/en-us/download/details.aspx?id=42738)

Make sure that the shared storage supports Persistent Reservation. In SCSI3, this configuration is supported by default. Some vendors this may have to be configured manually.
Make sure to use GPT and MBR disks, not dynamic disks.
Multipath I/O (MPIO) is supported for shared storage.
Multipath I/O (MPIO) for the Quorum disk is only supported in the Failover Only policy mode. All other MPIO policies are not supported.
 

Setting the Policy mode to a non-supported mode, will lead to Vault database corruption, and will require re-installation of the cluster.

The Vault machines must meet the recommended system requirements described in the Privileged Access Security System Requirements document.
It is highly recommended that both nodes have the same amount of physical memory. However, if they do not have the same amount of physical memory, the innodb_log_file_size parameter in the my.ini file must be configured identically.
The clocks on both cluster nodes must be synchronized.
The Cluster Vault nodes must be synchronized with the organization’s NTP server to ensure that the Vault’s activity is in synch with records on all other servers. For additional steps needed to enable connectivity between the hardened Vault and the NTP server, see Primary-DR post-install tasks.

Vault installation package

Your CyberArk support representative provides the installation package, which contains the following:

  • CyberArk Vault server and Disaster Recovery software packages

  • Master folder

  • Operator folder

  • License file

Prepare the CyberArk Vault keys

The keys for the Vault (server key and recovery public key) are stored in the Operator folder. These keys are required during installation and each time the server is restarted. After start up, remove the keys and place them in a physical safe for security reasons.

If the Vault machine is in a secure physical location, you can copy the keys to the hard drive to enable the Remote Control feature to work. We highly recommend that you store the keys in a folder on an NTFS drive which is protected by OS Access Control.

Specify the following permissions to enable access to the NTFS drive:

Folder Group Permission
PAKeys Administrators Read/Write/Modify
 

You must use the same set of CyberArk Vault keys for all of your Vaults.

Vault licenses

When you install your Digital Vault servers, you should use the Primary license for the Primary Vault, and the DR license for any of the following Vault types:

  • Disaster Recovery Vault

  • Primary Candidate Vault

  • Satellite Vault

For cluster sites, use the same Primary and DR licenses for both the Active node and the Passive node.

 

If you don't have a Vault server license, contact your CyberArk support representative.

Server key storage on a Hardware Security Module (HSM)

If your implementation requires the server key to be stored on a Hardware Security Module (HSM), gather the following information:

  • The IP address of the HSM device

  • The TCP/UDP ports used by the HSM device for communication