Read-Only Server with PostgreSQL Database
(This feature is available from PMP build 12300)

A Read-Only (RO) server is a redundant application server that allows users to execute only the Read-Only operations in Password Manager Pro and prevents them from performing any modifications to the data. Based on the enterprise requirement, you can configure any number of Read-Only servers in various locations. The Read-Only server set-up differs from a High Availability set-up, which allows you to configure only a single Secondary server. All the configured Read-Only servers are connected and in sync with the Primary server, which ensures data consistency.

Notes:

  • Password Manager Pro will allow users to retrieve only the passwords through the Read-Only server.
  • All the operations carried out in the Read-Only server will be returned and audited in the Primary server and then replicated to other Read-Only servers.
  • In the event of Primary server failure, administrators can convert any Read-Only server into the Primary server and reconfigure all other Read-Only servers to point to the new Primary server.

Setting up Primary Server and Read-Only Server

Before configuring your Primary and the Read-Only server(s), you should install the Read-Only server(s) in your environment. Once you have successfully installed the Read-Only server(s), read further to learn how to make the required configuration changes in the Primary and the Read-Only servers. Also, find below the steps to make a Read-Only server take charge as the Primary server when the current Primary server is down.

Steps Required

  1. Prerequisite
  2. Creating a Read-Only Server Configuration Pack in the Primary Server
  3. Setting up the Read-Only Server
  4. Configuring a Read-Only Server as the Primary Server
  5. Deleting a Read-Only Server from the Cluster
  6. Read-Only Server Audit Trails

1. Prerequisite

If you have High Availability with the PostgreSQL database configured in your server environment, remove the High Availability configuration before configuring the Read-Only server. To do so, perform the steps that follow:

  1. Navigate to Admin >> Configuration >> High Availability.
  2. Click the edit icon beside the available secondary server. In the pop-up that opens, update the secondary Server Name to PMPHOST.
  3. Navigate to <Password Manager Pro_Installation_Folder>/conf folder and remove the files pmp_rr and HA.conf.
  4. Navigate to <Password Manager Pro_Installation_Folder>/pgsql/bin folder and remove files Primary.conf and HAPrimary.conf.
  5. Navigate to <Password Manager Pro_Installation_Folder>/pgsql/data folder and open the file pg_hba.conf in WordPad or Notepad++ with administrator privileges to make the following changes:
    1. In the file that opens, search for the line with the secondary server details (IP address/hostname) and remove the entire line related to it.
    2. Now, save the file and restart the Password Manager Pro service to proceed with the Read-Only server configuration.

2. Creating a Read-Only Server Configuration Pack in the Primary Server

  1. Navigate to <PMP_Installation_Folder>/bin.
  2. Execute the following command in the Primary server to create a ROPack.zip file which will contain the files needed to be copied to the Read-Only server:
    • Windows: ROSetup.bat <IP_of_RO_Server> <userName> <password> <slotName>
    • Linux: ROSetup.sh <IP_of_RO_Server> <userName> <password> <slotName>
    Notes:

    • Every Read-Only server must have a unique slotName while creating ROPack.zip.
    • Supply a userName and password of your choice when creating the replication pack for the first time to configure the Read-Only server. To generate additional replication packs in the future, you must provide the same username and password. Please note that the Password Manager Pro database will not store the username and password. Hence, we recommend you save them in a secure location.

Where,

  1. IP_of_RO_Server - Valid IP address of a Read-Only server.
  2. userName - Username used for replication.

    Constraints:

    • Single username and password is enough for all Read-Only servers.
    • Username can only contain lower case letters, numbers, and underscores.
  3. password - Password for the replication user.
  4. slotName - Slot name of the Read-Only server for the replication.

    Constraints:

    • Replication slot names may only contain lower case letters, numbers, and underscores.
    • Each Read-Only server should have a unique slot name.

The generated replication pack zip will be found under <PMP_Installation_Folder>/replication folder.

  3. Execute the following commands in the Primary server to import the certificates:

    Linux:

    • sh importCert.sh ../conf/ServerCer.cer
    • sh importCert.sh ../conf/CAcert.pem
    • sh importCert.sh ../agent/ServerCer.cer

    Windows:

    • importCert.bat ..\conf\ServerCer.cer
    • importCert.bat ..\conf\CAcert.pem
    • importCert.bat ..\agent\ServerCer.cer

    Note: To install custom certificates, replace the path of the certificate in the above command.

You have successfully created the Read-Only configuration pack and set up the Primary server.

3. Setting up the Read-Only Server

  1. Navigate to the <PMP_Installation_Folder> in Read-Only server and extract the ROPack.zip file. This will replace the files from the Primary server that are already available here.
  2. Copy the pmp_key.key file from the Primary server to the Read-Only servers and update the path of the pmp_key.key file in the <PMP_Installation_Folder>/conf/manage_key.conf file.
  3. If the manage_key.conf file is not present in the Read-Only server, then create a new file named manage_key.conf and mention the location of the encryption key. If the encryption key is in a remote path, mention the path in a UNC format.
  4. Navigate to <PMP_Installation_Folder>/bin and execute the following command in the Read-Only server to import the certificates:

    Linux:

    • sh importCert.sh ../conf/ServerCer.cer
    • sh importCert.sh ../conf/CAcert.pem
    • sh importCert.sh ../agent/ServerCer.cer

    Windows:

    • importCert.bat ..\conf\ServerCer.cer
    • importCert.bat ..\conf\CAcert.pem
    • importCert.bat ..\agent\ServerCer.cer
    [or]

    If you are using a custom SSL certificate for the PMP installation, copy the SSL certificate from the primary server and paste it in this path in the Read-Only server: <PMP_Installation_Folder>/conf. To install custom certificates, replace the path of the certificate in the above command.

You have successfully set up the Read-Only server. Navigate to Admin >> Configurations >> Read-Only server to view the configured Read-Only servers in the Password Manager Pro interface.

4. Configuring Read-Only Server as the Primary Server

  1. Stop the Read-Only server that is to be converted to the Primary server.
  2. Remove the standby.signal file from the <PMP_Installation_Folder>/pgsql/data folder.
  3. Open the postgres_ext.conf file from the <PMP_Installation_Folder>/pgsql/ext_conf folder. Remove all the entries below "recovery props".
  4. Delete the entry readonly.mode=true in the <PMP_Installation_Folder>/conf/configurations.properties file.
  5. Open the serverstate.conf file from the <PMP_Installation_Folder>/conf folder. Search for "ro" and change it to "master".
  6. Start the Password Manager Pro server and now this Read-Only server will start as the Primary server.
    You have successfully configured the Read-Only server as the Primary server.
  7. Now, execute the following commands to remove the IP address of the converted Read-Only server from the database.

    Windows:

    • <PMP_Installation_Folder>\bin\DeleteROServerIP.bat <IP_Address_of_RO_that_was_converted_to_Primary>
    • <PMP_Installation_Folder>\bin\DeleteSlot.bat <slotName_of_RO_that_was_converted_to_Primary>

    Linux:

    • <PMP_Installation_Folder>/bin/DeleteROServerIP.sh <IP_Address_of_RO_that_was_converted_to_Primary>
    • <PMP_Installation_Folder>/bin/DeleteSlot.sh <slotName_of_RO_that_was_converted_to_Primary>
  8. Now, follow step 1 (Creating a Read-Only server Configuration Pack in the Primary Server) and step 2 (Setting up the Read-Only server) to reconfigure the existing Read-Only servers to be in sync with this Primary server.
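
A pre-start check for steps 2 to 5 above, as an added example that is not part of the product or its documentation: it reads the four files named in those steps and lists anything that would leave the promoted server in Read-Only mode. The file paths come from the steps; the layout assumed inside postgres_ext.conf and serverstate.conf is an assumption, marked in the comments.

```python
import re
import sys
from pathlib import Path

def promotion_blockers(install_dir):
    """List leftovers from steps 2-5 that would keep the server in Read-Only mode."""
    root, problems = Path(install_dir), []

    # Step 2: the standby marker file must be gone.
    if (root / "pgsql/data/standby.signal").exists():
        problems.append("pgsql/data/standby.signal still present")

    # Step 3: only blank or comment lines may remain below "recovery props".
    # Assumption: the marker is a line containing that text and '#' starts a comment.
    lines = (root / "pgsql/ext_conf/postgres_ext.conf").read_text().splitlines()
    marker = next((i for i, l in enumerate(lines) if "recovery props" in l), len(lines))
    if any(l.strip() and not l.lstrip().startswith("#") for l in lines[marker + 1:]):
        problems.append('postgres_ext.conf still has entries below "recovery props"')

    # Step 4: no active readonly.mode=true line may remain.
    props = (root / "conf/configurations.properties").read_text()
    if re.search(r"^[ \t]*readonly\.mode[ \t]*=[ \t]*true[ \t]*$", props, re.M):
        problems.append("configurations.properties still sets readonly.mode=true")

    # Step 5: serverstate.conf must say "master", not "ro".
    # Assumption: the state appears as a stand-alone word in the file.
    words = re.findall(r"[A-Za-z]+", (root / "conf/serverstate.conf").read_text())
    if "ro" in words or "master" not in words:
        problems.append('serverstate.conf does not read "master"')
    return problems

if __name__ == "__main__":
    found = promotion_blockers(sys.argv[1])  # argument: <PMP_Installation_Folder>
    print("\n".join(found) or "ready to start as Primary")
    sys.exit(1 if found else 0)
```

Run it against the installation folder after step 5 and before starting the service in step 6; a non-zero exit code means at least one step was missed.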

5. Deleting a Read-Only Server from the Cluster

Execute the following commands from the Primary Server to remove a Read-Only server from the cluster:

  1. To delete an existing Read-Only server,

    Windows:

    <PMP_Installation_Folder>\bin\DeleteROServerIP.bat <RO_IP_Address>

    Linux:

    <PMP_Installation_Folder>/bin/DeleteROServerIP.sh <RO_IP_Address>

  2. To delete an existing slot configured to the Read-Only server,

    Windows:

    <PMP_Installation_Folder>\bin\DeleteSlot.bat <RO Slot Name>

    Linux:

    <PMP_Installation_Folder>/bin/DeleteSlot.sh <RO Slot Name>

    Note: After upgrading to build 12400, deleting existing slots configured in the Read-Only server will be executed automatically by the PostgreSQL server.

6. Read-Only Server Audit Trails

When a Read-Only server is enabled, the Read-Only server audits will be displayed as separate columns with the full audit trails under Resource Audit and User Audit.

Troubleshooting Tips

Navigate to Admin >> Configurations >> Read-Only Server and check if the status of the Read-Only server(s) is inactive. If so, follow the below steps to troubleshoot:

Primary Server:

  1. Navigate to the <PMP_Installation_Folder>/pgsql/data folder.
  2. Open the pg_hba.conf file and check if the IP Address of the Read-Only server and the replication user name are correct.
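
The Primary server check above, as an added example that is not part of the product or its documentation: a Python sketch that parses the replication lines of pg_hba.conf and reports Read-Only server IPs with no entry for the replication user, entries that match no current Read-Only server (for instance a leftover High Availability secondary), over-wide networks and weak auth methods. The sample file, its addresses and the user name pmp_repl are constructed placeholders.

```python
import ipaddress

WEAK_METHODS = {"trust", "password"}  # no authentication / cleartext password
def replication_entries(hba_text):
    """Yield (lineno, user, network_or_None, method) for host* replication lines."""
    for lineno, raw in enumerate(hba_text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 5 or not f[0].startswith("host") or "replication" not in f[1].split(","):
            continue
        try:
            if "/" in f[3]:   # CIDR form: ADDRESS METHOD
                net, method = ipaddress.ip_network(f[3], strict=False), f[4]
            else:             # ADDRESS NETMASK METHOD form
                net, method = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False), f[5]
        except (ValueError, IndexError):  # hostname or keyword such as "all"
            net, method = None, f[4]
        yield lineno, f[2], net, method

def audit_replication(hba_text, ro_ips, repl_user):
    """Return (missing_ips, findings); findings are (lineno, message) tuples."""
    expected = {ipaddress.ip_address(ip) for ip in ro_ips}
    covered, findings = set(), []
    for lineno, user, net, method in replication_entries(hba_text):
        hits = {ip for ip in expected if net is not None and ip in net}
        if net is None:
            findings.append((lineno, "address is not an IP/CIDR; review by hand"))
        elif not hits:
            findings.append((lineno, f"{net} matches no current Read-Only server"))
        elif net.num_addresses > 1:
            findings.append((lineno, f"{net} is wider than a single host"))
        if user == repl_user:
            covered |= hits
        else:
            findings.append((lineno, f"user '{user}' is not the replication user"))
        if method in WEAK_METHODS:
            findings.append((lineno, f"weak auth method '{method}'"))
    return sorted(str(ip) for ip in expected - covered), findings

# Constructed sample; the addresses and the user name pmp_repl are placeholders.
SAMPLE_HBA = """\
# TYPE  DATABASE     USER      ADDRESS         METHOD
host    all          all       127.0.0.1/32    md5
host    replication  pmp_repl  10.20.0.11/32   md5
host    replication  pmp_repl  10.20.0.99/32   md5
host    replication  all       10.20.0.0/24    trust
"""

if __name__ == "__main__":
    print(audit_replication(SAMPLE_HBA, ["10.20.0.11", "10.20.0.12"], "pmp_repl"))
```

The same report is useful after removing a High Availability secondary or deleting a Read-Only server, since a line that still grants replication access to a retired host shows up as matching no current server.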

Read-Only Server:

  1. Navigate to the <PMP_Installation_Folder>/conf folder.
    1. Open pg_hba.conf file and check if the Primary and Read-Only server IP address are correct.
    2. Now, open the configuration.properties file and check for the value "readonly.mode=true".
  2. Navigate to the <PMP_Installation_Folder>/pgsql/data folder.
    1. Open pg_hba.conf file and check if the Primary server IP, Port, replication username, password and the slot name are correct.

If the problem persists, send us the log files from the directory paths <PMP_Installation_Folder>/logs and <PMP_Installation_Folder>/pgsql/data/pg_log to passwordmanagerpro-support@manageengine.com for further assistance.
