Configure a list of prioritized Vaults in Distributed Vaults environment for CyberArk clients

This topic describes how to configure a list of prioritized Vaults in a Distributed Vaults environment for CyberArk clients.

Overview

To improve network connectivity and lower latency, the Distributed Vaults architecture enables clients to communicate directly, for read-only operations, with either the Primary Vault or a Satellite Vault, based on the closest geographic location.

You can configure the priority list either as an IP-based list or through DNS SRV records to determine which Satellite Vaults the client communicates with.


The DNS-SRV record must not include a Primary Vault.

IP-based priority list

The IP-based priority list enables client redundancy when there is a failure to connect to a specific Vault.

The priority list contains a list of Vaults that the client tries to connect to according to the order specified in the list.

When a connection cannot be established to the first Vault IP address, an attempt is initiated to connect to the next IP address on the priority list. This process continues until either a successful connection is established, or attempts to connect to all IPs on the priority list have failed.

If the client cannot connect to any Vault, the client will be isolated from the PAM environment.

In a Cluster environment, the Virtual IP (VIP) must be configured in the priority list. The first IP address on the list must always be the IP of the Vault that is closest to the client it serves. The remaining Vaults in the list must be ordered by proximity as well.

This configuration is supported for all components and services.


You can provide availability of the clients connected to the Primary Vault by specifying at least the Primary Vault and the Primary Candidate Vault in the client configuration.

DNS-SRV record

In a DNS-SRV configuration, the Vault that is accessed is determined by the DNS, according to the Vault's priority and weight. For example, the first Vault in the list will have the highest priority (the lowest number), and heaviest weight (the highest number).

If the first Vault is unavailable, the client tries to connect to the next Vault until a successful connection is established.

In a Cluster environment, the Virtual IP (VIP) must be configured in the priority list.

You can create multiple DNS-SRV records with different priority settings for the Vaults. You can also have a dedicated DNS-SRV record that includes only the Primary Vault and the Primary Candidate Vault for components that connect to the Primary Vault.

We recommend that the client connections assigned to a Vault be configured to no higher than 75% of the Vault's capacity. This leaves the Vault with headroom to handle the additional clients that may be assigned to it during a connection failure scenario.

This configuration is only supported for Secrets Manager components.


The DNS SRV records must be configured to reflect the required failover order, not for load balancing. Assign each Vault entry a different priority. You can't assign the same priority to more than one Vault.

Vault Failure

Primary Vault failure

If there is a temporary failure of the Primary Vault, and a priority list has not been configured, only read-only operations will be allowed on the Satellite Vaults.

After the Primary Vault returns to a normal operating state, the Satellite Vaults will also return to a normal operating state with read-write operations.

Users that are logged on to PVWA during a failure can continue working in the same session, but will be in read-only mode. To regain full read-write operations, users must log in to PVWA again.

If the priority list is configured during a failure of the Primary Vault, and the next Vault in the list is promoted to take over as the Primary Vault, the promotion process is completed within 3-5 minutes.

Satellite Vault failure

A Satellite Vault failure occurs as a result of one of the following scenarios:

  • A Satellite Vault is disconnected from the topology

  • A Satellite Vault fails

When a Satellite Vault fails, the clients try to connect to the next Vault specified in the client configuration file.

If a priority list is not configured, and the Satellite Vault was disconnected from the topology, the Satellite Vault can still provide read-only operations to clients. After the connection to the Primary Vault is restored, read-write operations are restored to the clients.

If a priority list is configured, and the Satellite Vault was disconnected from the topology, the Satellite Vault that is promoted will allow read-write operations to the Vault. Before reconnecting the Satellite Vault to the topology, the promoted Satellite Vault must be switched back to a regular Satellite Vault, and then manually connected back to the topology as a Satellite Vault.

There cannot be two Primary Vaults in the same environment.


When a failure occurs on the Primary Vault, write operations will not be available until a new Primary Vault becomes available, either after satellite promotion or after the original Primary Vault is up and running. As a result, client environments cannot be created during a Primary Vault failure.

Configure the list of prioritized Vaults

This section describes the configuration options for the list of prioritized Vaults.

Common use cases and configurations


You cannot be connected to two different Vault types at the same time. You can only be connected to either a Primary Vault or a Satellite Vault.

Configure an IP-based priority list

  1. In the client installation folder, open the Vault.ini file.

  2. If the client will connect to a Satellite Vault, add the DISTRIBUTEDVAULTS parameter, and set it to static.

     DISTRIBUTEDVAULTS=static

  3. Do one of the following, depending on which Vault type you are configuring the connection for:

    • For a Primary Vault, in the Address parameter, specify a comma-separated list of IP addresses for the Primary Vault and the Primary Candidate Vault.


      This applies to components that connect only to the Primary Vault.

    • For a Satellite Vault, in the Address parameter, specify a comma-separated list of IP addresses for the Vaults, ordered by priority from highest to lowest.

  4. Save the Vault.ini file, and close it.


Do not configure clients that are directed to a Satellite Vault directly to a Primary Vault.

Configure a DNS-SRV-based priority list

The following components and clients are supported:

  • Credential Provider

  • Export Vault Data (EVD) Utility

  • Replicate

  • PVWA

To configure DNS:

  1. In a Microsoft DNS server, configure a DNS SRV record:

    1. Open the DNS Manager, and navigate to the folder in which you want to create the SRV record.

    2. Right-click the folder, and select Other New Records.

    3. In the Resource Record Type list, select Service Location (SRV).

    4. In the New Resource Record window, enter the details of the service, including the Service (area) and Priority.

     

    DNS SRV records must be configured in the required failover order, not for load balancing. Assign each Vault entry a different priority (you can't assign the same priority to more than one Vault).

  2. Define a record for each Vault and service that you want to appear in the list in the DNS server.

    The following example shows three records that list the details of three Vaults. These Vaults comprise the service list for the US service.

    The service name that you specify in the client's Vault.ini is composed of the record's hierarchy. In the following example, the DNS SRV name would be US._vault.AA.provider.com.

  3. Test the validity of your configuration with nslookup:

    1. On a Windows machine that is configured to use your DNS server, open a command-line window, and run nslookup.

    2. Specify the following information:

      • server server_address - for example, server 10.10.1.1

      • set type=SRV

      • DNS SRV name - for example, US._vault.AA.provider.com

      A list of Vaults, their priorities, and additional data is returned.

  4. In the client installation folder, open the Vault.ini file.

  5. If the client connects to a Satellite Vault, add the DISTRIBUTEDVAULTS parameter, and set it to yes.

     DISTRIBUTEDVAULTS=yes

  6. In the Address parameter, enter an address that returns a DNS SRV record.

  7. Save and close the Vault.ini file.
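As an added example (not CyberArk's own code), the following Python models the client-side behaviour described in this topic: it reads the Address list from a Vault.ini fragment and walks it in order as the IP-based procedure describes, sorts DNS SRV answers by priority and weight as described under DNS-SRV record, and flags duplicate priorities, which the notes above forbid. The Vault.ini content, SRV targets and weights are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV answer; the client only needs priority, weight and target."""
    priority: int
    weight: int
    target: str


def parse_vault_ini_addresses(ini_text: str) -> list[str]:
    """Return the Address entries of a Vault.ini fragment in list order.
    The client tries them first to last, as the IP-based procedure describes."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "address":
            return [a.strip() for a in value.split(",") if a.strip()]
    return []


def order_srv_records(records: list[SrvRecord]) -> list[SrvRecord]:
    """Failover order from the topic: lowest priority number first, then the
    heaviest weight (highest number) first."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def duplicate_priorities(records: list[SrvRecord]) -> list[int]:
    """Priority values shared by more than one Vault. The topic requires
    distinct priorities, so a correct record set returns an empty list."""
    targets_by_priority: dict[int, list[str]] = {}
    for r in records:
        targets_by_priority.setdefault(r.priority, []).append(r.target)
    return sorted(p for p, t in targets_by_priority.items() if len(t) > 1)


def first_reachable(addresses: list[str], is_reachable):
    """Walk the priority list until a connection succeeds. None means every
    attempt failed and the client is isolated from the PAM environment."""
    for addr in addresses:
        if is_reachable(addr):
            return addr
    return None


# Constructed Vault.ini fragment for a client that is directed at Satellite Vaults.
SATELLITE_VAULT_INI = "DISTRIBUTEDVAULTS=static\nAddress=10.10.2.10,10.10.2.11,10.10.3.10\n"

# Constructed SRV records for the topic's example service name US._vault.AA.provider.com.
US_VAULT_SRV = [
    SrvRecord(priority=20, weight=10, target="vault-east.example.internal"),
    SrvRecord(priority=10, weight=100, target="vault-west.example.internal"),
    SrvRecord(priority=30, weight=10, target="vault-central.example.internal"),
]
```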

Active Primary Vault only priority list

  1. In the client installation folder, open the Vault.ini file.

  2. Delete the DISTRIBUTEDVAULTS parameter.

  3. Modify the Address parameter: specify a comma-separated list of IP addresses for the Primary Vault and the Primary Candidate Vaults.

  4. Save and close the Vault.ini file.


Clients can only connect to the active Primary Vault.