Read-Only Server with PostgreSQL Database (This feature is applicable from build 12300 only)
A Read-Only (RO) server is a redundant application server that allows users to execute only the Read-Only operations in Password Manager Pro and prevents them from performing any modifications to the data. Based on the enterprise requirement, you can configure any number of Read-Only servers in various locations. The Read-Only server set-up differs from a High Availability set-up, which allows you to configure only a single Secondary server. All the configured Read-Only servers are connected and in sync with the Primary server, which ensures data consistency.
Notes:
Password Manager Pro will allow users to retrieve only the passwords through the Read-Only server.
All the operations carried out in the Read-Only server will be returned and audited in the Primary server and then replicated to other Read-Only servers.
In the event of Primary server failure, administrators can convert any Read-Only server into the Primary server and reconfigure all other Read-Only servers to point to the new Primary server.
(Applicable from build 13100 onwards)
Password Manager Pro allows users to launch RDP, SSH, and VNC connections via the available Read-Only servers.
To play back the recorded sessions from the Read-Only server, the storage configuration for recording should be configured with a network path in the Session Configuration setting.
Setting up Primary Server and Read-Only Server
Before configuring your Primary and the Read-Only server(s), you should install the Read-Only server(s) in your environment. Once you have successfully installed the Read-Only server(s), read further to learn how to make the required configuration changes in the Primary and the Read-Only servers. Also, find below the steps to make a Read-Only server take charge as the Primary server when the current Primary server is down.
If you have High Availability with the PostgreSQL database configured in your server environment, remove the High Availability configuration before configuring the Read-Only server. To do so, perform the steps that follow:
Navigate to Admin >> Configuration >> High Availability.
Click the edit icon beside the available secondary server. In the pop-up that opens, update the secondary Server Name to PMPHOST.
Navigate to the <Password-Manager-Pro-Installation-Directory>/conf folder and remove the files pmp_rr and HA.conf.
Navigate to the <Password-Manager-Pro-Installation-Directory>/pgsql/bin folder and remove files Primary.conf and HAPrimary.conf.
Navigate to the <Password-Manager-Pro-Installation-Directory>/pgsql/data folder and open the file pg_hba.conf in WordPad or Notepad++ with administrator privileges to make the changes described below.
In the file that opens, search for the line with the secondary server details (IP address/hostname) and remove the entire line related to it.
Now, save the file and restart the Password Manager Pro service to proceed with the Read-Only server configuration.
2. Creating a Read-Only Server Configuration Pack in the Primary Server
Navigate to the <Password-Manager-Pro-Installation-Directory>/bin folder.
Execute the following command in the Primary server to create a ROPack.zip file which will contain the files needed to be copied to the Read-Only server:
Every Read-Only server must have a unique slotName while creating ROPack.zip.
Supply a userName and password of your choice when creating the replication pack for the first time to configure the Read-Only server. To generate additional replication packs in the future, you must provide the same username and password. Please note that the Password Manager Pro database will not store the username and password. Hence, we recommend you save them in a secure location.
Where,
IP_of_RO_Server - Valid IP address of a Read-Only server.
userName - Username used for replication.
Constraints:
A single username and password is enough for all Read-Only servers.
Username can only contain lower case letters, numbers, and underscores.
password - Password for the replication user.
slotName - Slot name of the Read-Only server for the replication.
Constraints:
Replication slot names may only contain lower case letters, numbers, and underscores.
Each Read-Only server should have a unique slot name.
The generated replication pack zip will be found under the <Password-Manager-Pro-Installation-Directory>/replication folder.
Execute the following commands in the primary server to import the certificates:
Linux:
sh importCert.sh ../conf/ServerCer.cer
sh importCert.sh ../conf/CAcert.pem
sh importCert.sh ../agent/ServerCer.cer
Windows:
importCert.bat ..\conf\ServerCer.cer
importCert.bat ..\conf\CAcert.pem
importCert.bat ..\agent\ServerCer.cer
Note: To install custom certificates, replace the path of the certificate in the above command.
You have successfully created the Read-Only configuration pack and set up the primary server.
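A pre-flight check for the userName and slotName constraints listed above, as an added example that is not part of the product or the original page. The function name and the sample plan are constructed for illustration; it validates the values only and does not run the pack-creation command.

```python
import ipaddress
import re

# Constraint from the page: lower case letters, numbers, and underscores only.
NAME_RE = re.compile(r"[a-z0-9_]+")


def validate_ro_plan(user_name, servers):
    """Check a replication plan before creating any ROPack.zip.

    servers is a list of (ip, slot_name) pairs, one per Read-Only server.
    Returns a list of problems; an empty list means the plan is acceptable.
    """
    problems = []
    if not NAME_RE.fullmatch(user_name):
        problems.append(f"userName {user_name!r}: only a-z, 0-9 and _ allowed")

    slot_owner = {}  # slot name -> IP of the first server that claimed it
    for ip, slot in servers:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{ip!r} is not a valid IP address")
        if not NAME_RE.fullmatch(slot):
            problems.append(f"slotName {slot!r}: only a-z, 0-9 and _ allowed")
        if slot in slot_owner:
            problems.append(
                f"slotName {slot!r} is used for both {slot_owner[slot]} and {ip}"
            )
        else:
            slot_owner[slot] = ip
    return problems


if __name__ == "__main__":
    # Constructed plan: addresses are from the documentation range 192.0.2.0/24.
    plan = [
        ("192.0.2.10", "ro_site_a"),
        ("192.0.2.11", "RO-Site-B"),   # upper case and hyphen are rejected
        ("192.0.2.12", "ro_site_a"),   # duplicate of the first slot
    ]
    for problem in validate_ro_plan("pmp_repl", plan):
        print(problem)
```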
3. Setting up the Read-Only Server
Navigate to the <Password-Manager-Pro-Installation-Directory> in Read-Only server and extract the ROPack.zip file. This will replace the files from the primary server that are already available here.
Copy the pmp_key.key file from the primary server to the Read-Only servers and update the path of the pmp_key.key file in the <Password-Manager-Pro-Installation-Directory>/conf/manage_key.conf file.
If the manage_key.conf file is not present in the Read-Only server, then create a new file named manage_key.conf and mention the location of the encryption key. If the encryption key is in a remote path, mention the path in a UNC format.
Navigate to the <Password-Manager-Pro-Installation-Directory>/bin folder and execute the following command in the Read-Only server to import the certificates:
Linux:
sh importCert.sh ../conf/ServerCer.cer
sh importCert.sh ../conf/CAcert.pem
sh importCert.sh ../agent/ServerCer.cer
Windows:
importCert.bat ..\conf\ServerCer.cer
importCert.bat ..\conf\CAcert.pem
importCert.bat ..\agent\ServerCer.cer
[or]
If you are using a custom SSL certificate for the Password Manager Pro installation, copy the SSL certificate from the primary server and paste it in this path in the Read-Only server: <Password-Manager-Pro-Installation-Directory>/conf. To install custom certificates, replace the path of the certificate in the above command.
You have successfully set up the Read-Only server. Navigate to Admin >> Configurations >> Read-Only Server to view the configured Read-Only servers in the Password Manager Pro interface.
4. Configuring Read-Only Server as the Primary Server
Stop the Read-Only server that is to be converted to the Primary server.
Remove the standby.signal file from the <Password-Manager-Pro-Installation-Directory>/pgsql/data folder.
Open the postgres_ext.conf file from the <Password-Manager-Pro-Installation-Directory>/pgsql/ext_conf folder. Remove all the entries below "recovery props".
Delete the entry readonly.mode=true in the <Password-Manager-Pro-Installation-Directory>/conf/configurations.properties file.
Open the serverstate.conf file from the <Password-Manager-Pro-Installation-Directory>/conf folder. Search for "ro" and change it to "master".
Start the Password Manager Pro server and now this Read-Only server will start as the Primary server.
You have successfully configured the Read-Only server as the Primary server.
Now, execute the following commands to remove the IP address of the converted Read-Only server from the database.
Now, follow step 1 (Creating a Read-Only server Configuration Pack in the Primary Server) and step 2 (Setting up the Read-Only server) to reconfigure the existing Read-Only servers to be in sync with this Primary server.
5. Deleting a Read-Only Server from the Cluster
Execute the following commands from the Primary Server to remove a Read-Only server from the cluster:
Note: After upgrading to build 12400, deleting existing slots configured in the Read-Only server will be executed automatically by the PostgreSQL server.
6. Read-Only Server Audit Trails
When the Read-Only Server is enabled in Password Manager Pro, its audits are displayed as separate columns with the full audit trails in the Read-Only Server tab under Resource Audit and User Audit.
Troubleshooting Tips
Navigate to Admin >> Configurations >> Read-Only Server and check if the status of the Read-Only server(s) is inactive. If so, follow the below steps to troubleshoot:
Primary Server:
Navigate to the <Password-Manager-Pro-Installation-Directory>/pgsql/data folder.
Open the pg_hba.conf file and check if the IP Address of the Read-Only server and the replication user name are correct.
Read-Only Server:
Navigate to the <Password-Manager-Pro-Installation-Directory>/pgsql/data folder and perform the following actions:
Open the pg_hba.conf file and check if the Primary and Read-Only server IP addresses are correct.
Additionally, navigate to the # TYPE DATABASE USER ADDRESS METHOD section and verify that the replication username, IP address, and slot details are correctly formatted. For example, host replication pmpuser 10.214.147.123/32 md5.
Now, open the configuration.properties file and check for the value "readonly.mode=true".
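A scripted version of the pg_hba.conf check described above, as an added example that is not part of the product or the original page: it looks for the replication rule covering one Read-Only server and reports rules that are wider than a single host or that use the trust method. The function names and the sample file are constructed for illustration; the separate address/netmask column form of pg_hba.conf is not handled.

```python
import ipaddress

# Constructed sample; the third line is the example line from the page.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             127.0.0.1/32            md5
host    replication     pmpuser         10.214.147.123/32       md5
host    replication     pmpuser         10.214.147.0/24         trust
"""


def replication_rules(text):
    """Yield (lineno, user, network, method) for each 'replication' host rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue
        if fields[1] != "replication":
            continue
        try:
            net = ipaddress.ip_network(fields[3], strict=False)
        except ValueError:
            continue  # host name or keyword in the ADDRESS column; skipped
        yield lineno, fields[2], net, fields[4]


def check_ro_server(text, ro_ip, repl_user):
    """Return (matched, findings) for one Read-Only server IP and user."""
    ip = ipaddress.ip_address(ro_ip)
    matched, findings = False, []
    for lineno, user, net, method in replication_rules(text):
        if ip not in net:
            continue
        if user != repl_user:
            findings.append(f"line {lineno}: covers {ro_ip} but user is {user!r}")
            continue
        matched = True
        if net.prefixlen != net.max_prefixlen:
            findings.append(f"line {lineno}: {net} is wider than a single host")
        if method == "trust":
            findings.append(f"line {lineno}: method 'trust' skips password checks")
    if not matched:
        findings.append(f"no replication rule for {repl_user}@{ro_ip}")
    return matched, findings


if __name__ == "__main__":
    print(check_ro_server(SAMPLE_PG_HBA, "10.214.147.123", "pmpuser"))
```

The same rule listing can be used in the High Availability removal step to locate the line that still names the old secondary server.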
If the problem persists, send us the log files from the directory paths <Password-Manager-Pro-Installation-Directory>/logs and <Password-Manager-Pro-Installation-Directory>/pgsql/data/pg_log to passwordmanagerpro-support@manageengine.com for further assistance.