Install the Primary Vault Site in a Cluster Environment

This topic describes how to install the Digital Vault as the Primary site in a cluster.

 

Ensure that your CyberArk license includes a High Availability Cluster so that you can install the CyberArk Digital Vault as a cluster. For more information about the CyberArk license, contact your CyberArk support representative.

The following diagram shows the work flow for installing the Digital Vault as a cluster on the Primary site.

The steps in the installation work flow are:

  • Perform the pre-install tasks - before installing the Digital Vault cluster, configure the servers, network cards, and storage as described in Primary-DR pre-install Tasks.

  • Create the Digital Vault cluster - install the Digital Vault application and the Disaster Recovery application on node A, and then on node B.

  • Test the cluster - Verify that the installation was completed correctly, and that the Primary site cluster is functioning as expected.

 

Use the host machine administrative user to install the Digital Vault.

Verify the pre-install tasks

Before beginning the Vault cluster installation, review all the pre-install tasks and verify that the host machines are fully prepared according to the guidelines and instructions in Primary-DR pre-install Tasks.

 

Don't continue to the next part of the Vault cluster installation until you've completed this step and restarted the machines. If the host machines haven't been prepared correctly, the Vault cluster installation won't be successful and you'll have to re-install the server operating system on each machine.
Primary Vault with your HSM device
  1. Install the HSM client on the Vault Server machine for each node before running the Vault installation and hardening.
  2. Configure the connection to the HSM server and partition. Follow your HSM vendor configuration instructions.

Install the CyberArk Digital Vault cluster

To install a Digital Vault cluster, you have to install both the Digital Vault application and the Cluster Vault Manager.

Step 1: Install node A of the cluster

  1. On the Vault machine, create a new folder and copy the contents of the installation package to it.

  2. Using the Windows Disk Management utility, ensure that the shared storage resources (Quorum + storage) in node A are online, and offline in node B.

  3. In the Server folder, right-click Setup.exe, then select Run as Administrator. The Vault installation wizard launches and verifies that all required features are installed on your machine before it can install the Digital Vault.

    If one or both of the following errors appear, install the relevant prerequisite (see Prepare the CyberArk Vault server) before continuing with the installation.

  4. If the Vault installation was initiated using an RDP session, the following message appears:

     
    • Make sure the message above appears; it confirms that the installation is being installed over the RDP session. If the message is not displayed, the RDP installation will not work as required and you will not be able to complete the installation successfully.
    • Make sure you are aware of the security consequences of opening the Digital Vault to the RDP protocol. For more information, contact your CyberArk representative.

    Click Yes.

  5. Click Install; the PrivateArk Server Setup window appears, as shown below.

     

    • You can exit the installation flow at any time by clicking Cancel.

    • You can return to the previous step by clicking Back, where applicable.

    • All user input (for example, paths and folder names) must be in standard English alphanumeric characters.

    Click Next.

  6. Review the license agreement.

    To accept the terms, click Yes.

  7. In the User Information page, enter your user information for licensing .

    • In the Name field, enter your first and last name.

    • In the Company field, enter the name of your organization.

    Click Next .

  1. In the Vault Installation Mode window, select Cluster node Vault installation.

    Click Next.

  1. In the Select Destination Location window, select the folder on the server where the server files will be located.

    • To accept the default location of the setup folder, click Next,

    or,

    • To select another location, click Browse and navigate to the new location, then click Next.

  2. In the Choose Safes Location window, manually specify a path that is located on the shared storage of the cluster environment.

     

    • You must specify a path in the shared storage partition or you won't successfully create a cluster environment, and the server operating system will have to be re-installed.

    • The path name of the Safes location can't be longer than 20 characters.

    Click OK, and then click Next.

  3. Specify a location for the license file on the server machine.

    Click Next.

  4. Specify the location of the Operator CD:

    • To accept the default location click Next,

    or,

    • To select another location, click Browse and navigate to the new location, then click Next.

  5. In the Configure the Remote Control Agent window, as part of the installation procedure, select Configure Remote Control Agent and specify the following:

    • The IP address of the machine where the Remote Control Client will be installed. Use commas to separate multiple IP addresses, for example, 1.1.1.220,1.1.1.221.

    • The password of the Remote Control Client. The following characters are not supported: space, ", &, <, >, |

    If you don't want to configure the Remote Control Agent, select Skip Remote Control Agent Configuration .

    Click Next.

  1. In the Vault Server Machine Hardening window, click Next.

     

    • Don't select the check box to skip hardening without first confirming with your CyberArk support representative.

    • The hardening of the server can't be reversed.

     
    • In rare cases, due to Windows services timing issues, the automatic hardening procedure might complete with errors. If it does, retry the hardening. If the automatic hardening does not succeed the second time, contact your CyberArk support representative.
    • When installing on Windows Server 2016, Japanese edition, the hardening stage of the installation may seem to complete with failures. See Troubleshooting Installation for details.

  2. In the Select Program Folder window, specify the name of the folder where the server files will be stored.

    • In the Program Folders field, enter a name for the CyberArk Vault folder inside the Windows Programs folder, then click Next,

    or,

    • Click Next to accept the default name.

    The server installation begins. You can see the progress of the installation progress via the progress bar.

     

    If the hardening procedure fails, the hardening log is displayed. Troubleshoot the issue and run the procedure again. See Troubleshooting Installation.

  1. Open the DBParm.ini file (located in .../Server/Conf/) and set a non-standard firewall rule for the storage to operate successfully.

      
    AllowNonStandardFWAddresses=[SHARED STORAGE IP],Yes,3260:outbound/tcp,3260:inbound/tcp

    To specify multiple IP addresses, specify this parameter in the DBParm.ini file as many times as necessary. For example:

     

    AllowNonStandardFWAddresses=[1.1.1.220],Yes,3260:outbound/tcp,3260:inbound/tcp

    AllowNonStandardFWAddresses=[1.1.1.221],Yes,3260:outbound/tcp,3260:inbound/tcp

  1. In the Set Built-in Users Passwords window, type the passwords for the built-in Master user and Administrator user.

     

    The Master user is a break-glass account and the Administrator user has extensive privileges in the system.

    These two users should have complex passwords. The password must be a minimum of six characters and contain at least one uppercase character, one lowercase character, and one numeric character.

    • Type the Master user’s password, then type it again to confirm.

    • Type the Administrator user’s password, then type it again to confirm.

    Click Next.

     

    If you get an error, repeat Step 1. If the problem persists, see Troubleshooting Installation.

  1. When the Setup Complete window appears, review the Server\Logs\VaultConfiguration.log file for any warnings. If there are any warnings, see Troubleshooting Installation.

    Select No, I will restart my computer later, then click Finish .

 

  • The installation automatically updates your Windows Start menu, places a PrivateArk Server shortcut icon on the desktop, and updates the computer registry information.

  • If you configured the Remote Control Agent during installation, it will start automatically after you restart your computer.

  • The Event Notification Engine is installed automatically as part of the Vault server.

Step 2: Configure node A

To configure node A of the Vault cluster

  • Open the ClusterVault.ini file in the PrivateArk\Server\ClusterVault\Conf\ folder and ensure that the following parameters are defined correctly:

    Parameter

    Description

    Environment Name – This section determines the information that is displayed in the Cluster Vault Manager utility.
    ClusterLogicalName The name of the entire cluster environment that is displayed in the Cluster Vault Manager utility.
    LocalNodeLogicalName The name of the local node that is displayed in the Cluster Vault Manager utility.
    PeerNodeLogicalName The name of the other node that is displayed in the Cluster Vault Manager utility.

    Networking – This section determines the IP addresses.
    NetworkCardName The network card name of the Public network. The Virtual IP is allocated on this network card.
    VirtualIP The virtual IP address.
    PeerNodePort

    The communication port in the private network.

    Default value: 18581
    PeerNodePrivateIP The IP of the other node in the private network.
    PeerNodePublicIP The IP of the other node in the public network that is displayed in the Cluster Vault Manager utility.
    LocalNodePublicIP The IP of the local node in the public network that is displayed in the Cluster Vault Manager utility.
    LocalNodePrivateIP The IP of the local node in the private network.

    Storage – This section determines the storage disks.
    StorageIdentifier The storage disk signature. For more information, see the next step.
    QuorumDiskIdentifier The quorum disk signature. For more information, see the next step.

    Advanced Settings – This section determines the failover process.

    HealthCheckInterval

    The minimum time interval in seconds between cluster health checks.

    Default value: 10 seconds
    RetryCountOnFailure

    The number of retries when encountering an issue during startup, monitoring, or shutdown of resources.

    Default value: 1
    ResourceControlTimeout

    The allowed timeout in seconds before a resource failure.

    Default value: 60 seconds

To configure the Vault cluster storage

  1. From an elevated command prompt, run the StorageManager.exe. By default, this is in the PrivateArk\Server\ClusterVault folder.

     

    Before running this command, using the Windows Disk Management utility, make sure that the Quorum disk is online and that you have saved the ClusterVault.ini.
    Specify the following parameters as input in UPPERCASE:
    –qDRIVE_LETTER – Defines the Quorum drive letter.
    –sDRIVE_LETTER – Defines the storage drive letter.

    After the utility is run, the disk identifiers are stored in the ClusterVault.ini file in the StorageIdentifier and QuorumDiskIdentifier parameters.

  2. Restart the Vault server.

  3. Check the ClusterVault console log to ensure that the Vault cluster starts up in active mode. The following message will appear in the ClusterVaultConsole.log: CVMCS124I Resources startup completed.

  4. Stop the Vault Cluster service and ensure that all Vault services are stopped. The following message will appear in the ClusterVaultConsole.log: “CVMCS137I Cluster Vault shut down completed successfully.”

     

    Only the CVM service is configured as automatic. Do not stop and start other Vault services.

Step 3: Install the Disaster Recovery application on node A

  1. Using the Windows Disk Management utility, make sure the shared storage and Quorum partitions are online.

  2. Start the Digital Vault application and verify that it is running properly.

  3. Open the Cluster Vault Management utility and stop the node.

  4. Set the CyberArk Cluster Vault Management service to Manual.

  5. Open the Windows Disk Management utility and verify that the Shared Storage and Quorum partitions are offline in node B.

  6. Close the Cluster Vault Management utility (and any open files on all server partitions).

  1. Right-click Setup.exe, then select Run as Administrator.

    The DR Vault wizard starts automatically and the CyberArk Installation window is displayed.

    Click Next.

     

    • You can exit the Disaster Recovery application installation at any time by clicking Cancel.

    • You can return to the previous installation window by clicking Back, where applicable.

  2. Read and accept the terms of the license agreement.

    Click Yes.

  3. Enter your user information:

    1. In the Name field, enter your first and last name.

    2. In the Company field, enter the name of your organization.

    Click Next.

  4. Select the folder on the server in which the DR Vault files will be located.

    Click Next to accept the default location

    or,

    Click Browse to select another location, and then click Next to proceed to the next step of the installation.

  5. Enter the user name and password you created for the DR Vault.

     

    You must create a unique DR user for each Vault. The DR user contains a credentials file with the specified username and an encrypted version of the specified password. For more information about DR users, see Disaster Recovery Users.

    Click Next.

  6. Specify the IP address and the port of the other Cluster node.

    Click Next.

  7. Click No, I will restart my computer later.

  8. Click Finish to complete the setup.

  9. Set the CyberArk Cluster Vault Management service to Automatic.

  1. Check that the installation was successful

    • Open the PADR.log and check that the DR Vault was installed successfully and a replication was initiated immediately.

    • Later, make sure that one full replication and at least one incremental replication were carried out. This may take several hours.

  2. Secure the Protected Credentials file.

    During installation, a user credential file is generated automatically with the name and authentication details of the Replicate user, and is stored in the Disaster Recovery installation folder. This enables automatic Vault replication to the Disaster Recovery site regularly, according to the ReplicateInterval parameter in PADR.ini.

    This credentials file includes a security restriction which specifies that it can only be used by the DR Vault. To create a credentials file that specifies more security restrictions, use the CreateCredFile utility in the PADR installation folder. For more information, refer to User credential files.

Step 4: Prepare the configuration data

When the Vault is installed in a cluster, there is configuration data that must be identical on both nodes. Before you install the Vault on node B, you must prepare the needed data so it can be applied to node B.

  1. Create a temporary file where you can store the node A configuration data for copying to node B after it is installed.

  2. In the PrivateArk\Server\Conf\ folder, open DBParm.ini and copy the following to the temporary file:

    • The value of the VaultID parameter.

       

      This parameter must be identical on both nodes to enable both Vaults in the cluster to be seen as a single Vault.

    • If you are using storage that requires TCP/IP connectivity (iSCSi) and you have set one or more non-standard firewall rules, copy them all.

  3. In the PrivateArk\Server\Database folder, open my.ini and copy the value of the server-id parameter to the temporary file.

     

    This parameter must be identical on both nodes to enable the cluster to identify the database that is shared between the two nodes.

  4. Using the Windows Disk Management utility, make sure that the shared disks resources (Quorum + storage) are offline.

  5. Stop the CyberArk Disaster Recovery service.

Step 5: Install node B of the cluster

  1. On the Vault machine, create a new folder and copy the contents of the installation package to it.

  2. Using the Windows Disk Management utility, ensure that the shared disks resources (Quorum + storage) are offline in Node A and online in Node B.

  3. Use the same set of keys from when you installed node A of the Digital Vault.

  4. Copy the additional keys that were generated during the installation of node A to the same location on node B:

    To follow security best practices on Microsoft Server 2019, the clipboard is hardened and the copy/paste functionality is blocked. For more information about allowing copy/paste functionality, see CAVaultHarden utility FAQs.

    • Backup.key – The location of this file is specified in the BackupKey parameter in DBParm.ini.

    • VaultUser.pass – The location of this file is specified in the DatabaseConnectionPasswordFile parameter in DBParm.ini.

    • ReplicationUser.pass – The location of this file is specified in the DatabaseReplicationPasswordFile parameter in DBParm.ini.

    • VaultEmergency.pass – This file is found in the ‘keys’ folder on node A.

  5. In the Server folder, right-click Setup.exe, then select Run as Administrator. The Vault installation wizard launches and verifies that all required features are installed on your machine before it can install the Digital Vault.

    If one or both of the following errors appear, install the relevant prerequisite (see Prepare the CyberArk Vault server) before continuing with the installation.

  6. If the Vault installation was initiated using an RDP session, the following message appears:

     
    • Make sure the message above appears; it confirms that the installation is being installed over the RDP session. If the message is not displayed, the RDP installation will not work as required and you will not be able to complete the installation successfully.
    • Make sure you are aware of the security consequences of opening the Digital Vault to the RDP protocol. For more information, contact your CyberArk representative.

    Click Yes.

  7. Click Install; the PrivateArk Server Setup window appears, as shown below.

     

    • You can exit the installation flow at any time by clicking Cancel.

    • You can return to the previous step by clicking Back, where applicable.

    • All user input (for example, paths and folder names) must be in standard English alphanumeric characters.

    Click Next.

  8. Review the license agreement.

    To accept the terms, click Yes.

  9. In the User Information page, enter your user information for licensing .

    • In the Name field, enter your first and last name.

    • In the Company field, enter the name of your organization.

    Click Next .

  1. In the Vault Installation Mode window, select Cluster node Vault installation.

    Click Next.

  1. In the Select Destination Location window, select the folder on the server where the server files will be located.

    • To accept the default location of the setup folder, click Next,

    or,

    • To select another location, click Browse and navigate to the new location, then click Next.

  2. In the Choose Safes Location window, manually specify a path that is located on the shared storage of the cluster environment.

     

    • You must specify the same location that is used for node A.

    Click OK, and then click Next.

  3. Specify a location for the license file on the server machine.

    Click Next.

  4. Specify the location of the Operator CD:

    • To accept the default location click Next,

    or,

    • To select another location, click Browse and navigate to the new location, then click Next.

  5. In the Configure the Remote Control Agent window, as part of the installation procedure, select Configure Remote Control Agent and specify the following:

    • The IP address of the machine where the Remote Control Client will be installed. Use commas to separate multiple IP addresses, for example, 1.1.1.220,1.1.1.221.

    • The password of the Remote Control Client. The following characters are not supported: space, ", &, <, >, |

    If you don't want to configure the Remote Control Agent, select Skip Remote Control Agent Configuration .

    Click Next.

  1. In the Vault Server Machine Hardening window, click Next.

     

    • Don't select the check box to skip hardening without first confirming with your CyberArk support representative.

    • The hardening of the server can't be reversed.

     
    • In rare cases, due to Windows services timing issues, the automatic hardening procedure might complete with errors. If it does, retry the hardening. If the automatic hardening does not succeed the second time, contact your CyberArk support representative.
    • When installing on Windows Server 2016, Japanese edition, the hardening stage of the installation may seem to complete with failures. See Troubleshooting Installation for details.

  2. In the Select Program Folder window, specify the name of the folder where the server files will be stored.

    • In the Program Folders field, enter a name for the CyberArk Vault folder inside the Windows Programs folder, then click Next,

    or,

    • Click Next to accept the default name.

    The server installation begins. You can see the progress of the installation progress via the progress bar.

     

    If the hardening procedure fails, the hardening log is displayed. Troubleshoot the issue and run the procedure again. See Troubleshooting Installation.

  1. When the Setup Complete window appears, review the Server\Logs\VaultConfiguration.log file for any warnings. If there are any warnings, see Troubleshooting Installation.

    Select No, I will restart my computer later, then click Finish .

 

  • The installation automatically updates your Windows Start menu, places a PrivateArk Server shortcut icon on the desktop, and updates the computer registry information.

  • If you configured the Remote Control Agent during installation, it will start automatically after you restart your computer.

  • The Event Notification Engine is installed automatically as part of the Vault server.

Step 6: Configure node B

After installing the Vault on node B, you must apply the configuration data that you prepared after you installed node A. In addition, you must also configure the Vault cluster using the ClusterVault.ini file.

  1. In the PrivateArk\Server\Conf\ folder, open DBParm.ini and apply the value for the VaultID parameter that you copied from node A.

  2. If you copied one or more non-standard firewall rules, apply them here.

  3. In the PrivateArk\Server\Database folder, open my.ini and apply the value of the server-id parameter that you copied from node A.

In the PrivateArk\Server\ClusterVault\Conf\ folder, open the ClusterVault.ini and make sure that the following parameters are defined correctly.

Parameter

Description

Environment Name – This section determines the information that is displayed in the Cluster Vault Manager utility.
ClusterLogicalName The name of the entire cluster environment that is displayed in the Cluster Vault Manager utility.
LocalNodeLogicalName The name of the local node that is displayed in the Cluster Vault Manager utility.
PeerNodeLogicalName The name of the other node that is displayed in the Cluster Vault Manager utility.

Networking – This section determines the IP addresses.
NetworkCardName The network card name of the Public network. The Virtual IP is allocated on this network card.
VirtualIP The virtual IP address.
PeerNodePort

The communication port in the private network.

Default value: 18581
PeerNodePrivateIP The IP of the other node in the private network.
PeerNodePublicIP The IP of the other node in the public network that is displayed in the Cluster Vault Manager utility.
LocalNodePublicIP The IP of the local node in the public network that is displayed in the Cluster Vault Manager utility.
LocalNodePrivateIP The IP of the local node in the private network.

Storage – This section determines the storage disks.
StorageIdentifier The storage disk signature. For more information, see the next step.
QuorumDiskIdentifier The quorum disk signature. For more information, see the next step.

Advanced Settings – This section determines the failover process.

HealthCheckInterval

The minimum time interval in seconds between cluster health checks.

Default value: 10 seconds
RetryCountOnFailure

The number of retries when encountering an issue during startup, monitoring, or shutdown of resources.

Default value: 1
ResourceControlTimeout

The allowed timeout in seconds before a resource failure.

Default value: 60 seconds

  1. From an elevated command prompt, run the StorageManager.exe. By default, this is in the PrivateArk\Server\ClusterVault folder. Make sure that the Quorum disk is online before running this command and that you have saved the ClusterVault.ini.

Specify the following parameters as input in UPPERCASE:
–qDRIVE_LETTER – Defines the Quorum drive letter.
–sDRIVE_LETTER – Defines the storage drive letter.

The disk identifiers are stored in the ClusterVault.ini file in the StorageIdentifier and QuorumDiskIdentifier parameters.

  1. Restart the Vault server.

  2. Check the ClusterVault console log to ensure that the Cluster Vault starts up in active mode.

    The following message appears in the ClusterVaultConsole.log:

    CVMCS124I Resources startup completed.

  3. Start the Cluster Vault Manager utility in Node A and ensure that it is in passive mode.

Step 7: Install the Disaster Recovery application on node B

  1. Using the Windows Disk Management utility, make sure the shared storage and Quorum partitions are online.

  2. Start the Digital Vault application and verify that it is running properly.

  3. Open the Cluster Vault Management utility and stop the node.

  4. Set the CyberArk Cluster Vault Management service to Manual.

  5. Open the Windows Disk Management utility and verify that the Shared Storage and Quorum partitions are offline in node B.

  6. Close the Cluster Vault Management utility (and any open files on all server partitions).

  1. Right-click Setup.exe, then select Run as Administrator.

    The DR Vault wizard starts automatically and the CyberArk Installation window is displayed.

    Click Next.

     

    • You can exit the Disaster Recovery application installation at any time by clicking Cancel.

    • You can return to the previous installation window by clicking Back, where applicable.

  2. Read and accept the terms of the license agreement.

    Click Yes.

  3. Enter your user information:

    1. In the Name field, enter your first and last name.

    2. In the Company field, enter the name of your organization.

    Click Next.

  4. Select the folder on the server in which the DR Vault files will be located.

    Click Next to accept the default location

    or,

    Click Browse to select another location, and then click Next to proceed to the next step of the installation.

  5. Specify the IP address and the port of the other Cluster node.

  6. Set the CyberArk Cluster Vault Management service to Automatic.

  7. To promote the DR Vault to the primary Vault, modify the PADR.ini file (which is located in the Disaster Recovery installation folder SharedStorage\PrivateArk\PADR\Conf), as follows:

    FailoverMode=Yes

Test the CyberArk Digital Vault cluster

  1. From the active node, start the Cluster Vault Manager utility. A shortcut is available on the desktop.

  2. Ensure that:

    • All services are running in the active node. In the diagram below, all the services under Node A are running.

       

      The node where you opened the utility is shown on the left side of the Cluster Vault Manager utility.

    • The storage disk is online and the Quorum Disk is reserved. In the diagram below, they are online, as shown in the Shared Storage area.

    • All other details, such as names, addresses, and so on, are shown in the dashboard. These can be seen at the top of the diagram below.

  1. Make sure that there are no open files or folders on the shared storage.

  2. Perform a switchover test:

    1. Click the Switchover button.

    2. Click Continue to confirm the message.

    The operation is done when the node statuses are switched. If the operation encounters a problem, refer to the logs for additional details.

  1. Connect to the Vault server using the Virtual IP and make sure you can access the Vault. For example, try to log on to the Vault in the PrivateArk Administrative Client.

  2. Connect to the second node and perform a failover.

  3. Using the Windows Disk Management utility, make sure that the shared storage disks are only online in the active node.

  4. Ensure you can access the Vault again.

Reset the DR user

During the installation process, the DR user is configured for the client with the password provided by the installer for the main user. This procedure syncs the password on the server side.

This DR user is used for the Primary Vault in a failback scenario, after a failover event where a DR Vault became the Primary Vault and you want to replicate to the recovered server.

It uses the default 'DR user' that comes out of the box with the Vault application.

  1. Log in to the Primary Vault with the Vault admin user.

  2. Find the built-in DR user and do the following:

    1. Create a password for this user, which you will use during the installation process.

    2. Activate this user.