Install the Digital Cluster Vault Server in an HA Environment on Windows 2012 R2 or 2016

In Windows 2012 R2 and Windows 2016, high availability is provided by the CyberArk Digital Cluster Vault Server, a group of two independent Vault Servers that share access to common networks and storage. To all other CyberArk components, the two Vault Servers in the cluster can be viewed as a single system, which allows high availability of the Vault services and allows for the loss of one Vault server without service disruption.

CyberArk Digital Cluster Vault Server Architecture

Following is a depiction of the CyberArk Digital Cluster Vault Server, showing the active and passive nodes and the other components.

The CyberArk Digital Cluster Vault Server is made up of the following:

Cluster Vault Node – A single Vault server that is paired with another Vault server as part of a cluster.
Cluster Vault Manager – The service monitoring the CyberArk Digital Cluster Vault resources and connections to other CyberArk Digital Cluster Vault components. The CVM service must be installed on a local drive.

In the active node, the CVM service monitors the local resources. In the passive node, the CVM service monitors (via a private network) the CVM status in the active node. The failover procedure is triggered by the failure of Vault services, storage availability, or virtual IP availability, or by the loss of Quorum ownership. On the CyberArk Digital Cluster Vault on the DR site, the CVM service monitors the relevant local resources, such as the database and the DR.

Shared Storage – A set of disks, commonly fibre-channel SAN, accessible to both of the CyberArk Digital Cluster Vault nodes, that host the Cluster Vault Metadata (database) and data (external files). Both Cluster Vault nodes are connected to the shared storage, but only the active node can read and write to the disk.
Shared Address (Virtual IP) – A single IP address that represents the CyberArk Digital Cluster Vault in the public network of the organization and does not correspond to an address of a single node. The Virtual IP is allocated on the active node during start up. During the failover procedure, the CVM service switches the Virtual IP to the other node.
 

To prevent any conflicts, each node must have only one static IP.

Quorum Disk – A small disk that is used to identify the connectivity and availability of the active node. The Quorum mechanism is used to prevent communication errors from causing split brain scenarios. Quorum is based on a voting algorithm. Each node in the cluster has a vote. The cluster keeps working as long as more than half of the voters are online.
 

The Quorum Disk and Shared Storage must use separate storage drives.

Cluster Private Network – The isolated network that connects the CyberArk Digital Cluster Vault nodes, and is used for cluster heartbeat communication.
Monitored Vault Services – Mandatory and optional services that are monitored for failure by the Cluster Vault Manager. Failure of these services will result in automatic failover of the following services to the second node:
PrivateArk Server service (Vault)
PrivateArk Database service
Logic Container service
Cyber-Ark Event Notification Engine service (optional)
PrivateArk Remote Control Agent service (optional)

Configuration requirements

To ensure stability and resiliency of the Cluster Vault and in order to provide the most robust availability solution, make sure your environment complies with the following requirements:

Only physical servers are supported. You can install Vaults on Virtual machines using virtual availability solutions offered by the various vendors.
The two Cluster Vault Nodes must be connected directly via a private network or cross-over cable. In order to isolate and maintain the security of the Vault Cluster, this network must contain only the Vault Cluster servers.
The shared storage between the Vault Cluster machines can be configured by a shared device that supports the SCSI3 protocol. For best performance and availability, CyberArk recommends an enterprise-grade fibre-channel SAN solution.
 

For Windows 2012 users, if the CyberArk Digital Cluster Vault Server is installed on an iSCSi network storage location over TCP/IP, Windows update KB2955164 must be installed to ensure database stability (https://www.microsoft.com/en-us/download/details.aspx?id=42738)

Make sure that the shared storage supports Persistent Reservation. In SCSI3, this configuration is supported by default. Some vendors this may have to be configured manually.
Make sure to use GPT and MBR disks, not dynamic disks.
Multipath I/O (MPIO) is supported for shared storage.
Multipath I/O (MPIO) for the Quorum disk is only supported in the Failover Only policy mode. All other MPIO policies are not supported.
The Vault machines must meet the recommended system requirements described in the Privileged Access Security System Requirements document.
It is highly recommended that both nodes have the same amount of physical memory. However, if they do not have the same amount of physical memory, the innodb_log_file_size parameter in the my.ini file must be configured identically.
The clocks on both cluster nodes must be synchronized.
The Cluster Vault nodes must be synchronized with the organization’s NTP server to ensure that the Vault’s activity is in synch with records on all other servers. For additional steps needed to enable connectivity between the hardened Vault and the NTP server, see Following Installation.

Installation overview

The following steps describe how to install the CyberArk Digital Cluster Vault Server. The details are provided in the following sections.

  • Before installing the CyberArk Digital Cluster Vault Server, configure the servers, network cards, and storage.

  • Install the first node of the CyberArk Digital Cluster Vault Server.

  • Install the second node of the CyberArk Digital Cluster Vault Server.

  • Test the CyberArk Digital Cluster Vault Server installation.

Install the CyberArk Digital Cluster Vault Server on the first node

 

Use the administrative user for this task.

On the first node, install the Vault Server as described in Install the CyberArk Vault, using the following guidelines:

Install the CyberArk Digital Cluster Vault Server on the second node

The following instructions describe how to install the CyberArk Digital Cluster Vault Server on the second node in the Cluster.

 

Use the administrative user for this task.

Set up the second node in the same way as the first node, using the following guidelines:

Test the CyberArk Digital Cluster Vault server installation

You have now finished setting up the CyberArk Digital Cluster Vault server in a clustered environment.

 
TruePrivileged Access Security11.5