chapter 16 Flashcards
disaster recovery has 5 parts
DR architecture
Setup DR
(blank) failover
Component failover
Return to primary site
vault
Disaster recovery architecture
the disaster recovery (DR) vault is a standalone or clustered vault server with an extra software component installed: the (blank) service
PSM and PVWA should be deployed at the DR site to provide access to users in the event of a disaster
the (blank) should never be configured for automatic failover
DR
CPM
DR user
the DR user is created automatically
the DR service is installed on the DR vault
the DR service on the DR vault authenticates to the (blank) using the credentials of the DR user to replicate data from the primary vault to the (blank)
primary vault
DR vault
the DR service runs on the DR vault
the DR user authenticates to the primary vault from the DR vault as a user with permission to (blank)
(blank)
the built in DR user has these permissions by default
backup all safes
restore all safes
enhanced DR replication
in the past, the replication of passwords was done based on an interval defined in the DR configuration file
in version 9.3 the DR replication process was enhanced to ensure faster replication of passwords and improved consistency between production and DR sites
replicating the current passwords to DR sites is now done instantly and in parallel to files/recording replication in order to avoid delays
in the new replication mechanism, metadata (which includes the current passwords) is pushed from the production vault to the DR sites as it is created
[none]
How fast is DR replication?
near real time
enable data and metadata synchronization
when a failover occurs (automatic or manual) the DR service first synchronizes the information in its database with the information in the safe data files
this is enabled in the configuration file (blank) with the default setting EnableDbsync=yes
padr.ini
setup data replication interval
the (blank) parameter in the padr.ini file determines the length of time between synchronizations of the (blank) file system, which by default is 3600 seconds or 1 hour
ReplicateInterval
vault
automatic failover
automatic failover is switched on with the parameter (blank)
the CheckInterval indicates the DR vault will contact the primary vault every 60 seconds. if it fails, it will try again (blank) times, once every 30 seconds
after which, the DR vault considers that the primary is down and it goes into DR mode
EnableFailover=yes
4
manual failover
to configure the DR Vault for manual failover, the (blank) should be configured as follows during normal operations
EnableFailover to no which (blank)
EnableDbsync to yes which (blank)
ActivateManualFailover to no
in this configuration, the DR vault will not accidentally failover if the DR service is restarted
disables auto failover
default setting
manual failover
to perform a proper manual failover, set the parameter (blank) to yes and then restart the DR service.
on startup, the service reads its config file, sees the manual failover parameter is set to yes, and immediately starts the failover process
ActivateManualFailover
setup component failover
it is possible to configure components to failover automatically to the DR vault by configuring addresses for both the primary and DR vaults in the (blank) file
the component will attempt to connect according to the order set in the vault.ini
the CPM should not be configured to failover automatically
vault.ini
CPM failover setup
CPM should never be configured for automatic failover due to the possibility of a (blank) scenario which occurs when the passwords in the production vault and DR vault are out of sync. CPM failover must always be a manual process
split-brain
PSM failover setup
automatic failover of the PSM is optional. any recording captured on the DR vault must be backed up and/or replicated back to the primary vault before returning to normal operations.
consult with CyberArk services to review PSM failover options
[none]
PVWA failover setup
PVWA servers can be configured for automatic failover to allow users to access passwords without interruption
Audit data should be saved via the activity log before reenabling replication, however (blank) integration will mitigate this issue
SIEM
DNS load balancing
a possible approach to avoid split-brain is to use a DNS alias for the vaults to control which vault is used by the components
the DNS alias will be set in the (blank) file
DNS alias updates are a manual process and will extend the outage
vault.ini
Return to primary site
data generated on the DR vault should be replicated back to the primary vault before bringing it back online
DNS alias updates and failback replication are manual processes and will extend the outage
[none]
restoring the DR vault to DR mode
on the DR vault server, edit the (blank) file and make the following changes
set FailoverMode=no
delete the last 2 lines in the (blank). this will force a full replication
restart the DR service
if you are using manual failover, then you should reset the parameter ActivateManualFailover to No to avoid accidental failovers
PADR.ini
PADR.ini