Setting up a Cyberark HA Vault Cluster - Part 1
Implementing a Cyberark High Availability (HA) Vault cluster is crucial for large organizations to ensure seamless and uninterrupted access to privileged account management. This robust setup minimizes downtime by providing failover capabilities, thereby enhancing operational continuity and security. Moreover, the HA architecture ensures data integrity and protection against single points of failure, safeguarding sensitive credentials and reducing the risk of breaches. Ultimately, Cyberark HA Vault clusters are vital for maintaining the resilience and efficiency of enterprise security infrastructures.
This is the first of a series of 4 articles in which we’ll be implementing a solid HAVault Cluster instance in a demo lab.
Our demo project requires some storage and network preparation, according to the following diagram:
According to the CyberArk documentation, we need to prepare a specific network infrastructure. Basically, each Vault machine is connected to both a private network and a public network.
For this demo, we're using two networks: CyberarkEcosystem (public) and Private Cluster (private).
1. iSCSI Storage Preparation
Data and metadata are stored on a shared disk. In addition, a quorum disk is necessary to determine which node is active and which is passive, so let's prepare the storage infrastructure for our demo project.
The quorum disk only needs to be 1 GB. No data is stored on it; it only records which node is the active one.
Let's make sure the necessary Windows Server role is installed. We'll be using the Windows iSCSI Target Server role to present the virtual disks to the nodes.
Before using the disks, we first need to initialize them. The Computer Management console can be started directly by running compmgmt.msc.
Now we can bring them online from the Storage panel.
1.1. Volume Creation
Let's create our first volume, for the shared storage.
- Go to File and Storage Services > iSCSI and start a new task.
- Select the virtual disk location. Let's start with the shared storage.
- Set a name and description.
- Set the full size and choose dynamically expanding to save space.
- Create a new iSCSI target.
- Assign a name to the target.
- The method to identify the initiator will be IP address. This is the private IP address of each node, which we need to have defined in our architecture beforehand.
- No authentication is enabled for this demo, but CHAP authentication should be enabled, at the very least, when deploying in a PRODUCTION environment.
- View the results.
Now we need to do the same for the quorum disk. At the end, our storage environment should look like this:
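The same steps, scripted with the iSCSI Target Server cmdlets, as an added example that is not part of the original article. The feature name and cmdlets are the Windows ones; the disk path, the shared disk size, the target names and the two private node IP addresses are assumptions to adjust for your own lab. Unlike the demo above, it also enables CHAP on both targets, as recommended for production.

```powershell
# Added example: builds the shared and quorum iSCSI disks from the GUI steps above.
# Assumptions (not from the article): paths, sizes, target names and the two
# private node IP addresses are placeholders; adjust them to your lab.

# Role behind File and Storage Services > iSCSI (iSCSI Target Server)
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

$vhdRoot    = 'D:\iSCSIVirtualDisks'                         # assumed virtual-disk location
$nodeIps    = @('10.10.10.11', '10.10.10.12')                # assumed private (cluster) IPs of the two Vault nodes
$initiators = $nodeIps | ForEach-Object { "IPAddress:$_" }   # initiator ID format expected by the cmdlets

New-Item -ItemType Directory -Path $vhdRoot -Force | Out-Null

# Shared data/metadata disk: dynamically expanding is the default (-UseFixed would allocate it all up front)
$shared = New-IscsiVirtualDisk -Path "$vhdRoot\VaultShared.vhdx" -SizeBytes 100GB `
            -Description 'HA Vault shared data/metadata disk'   # 100GB is an assumed size

# Quorum disk: 1 GB is enough, it only records which node is active
$quorum = New-IscsiVirtualDisk -Path "$vhdRoot\VaultQuorum.vhdx" -SizeBytes 1GB `
            -Description 'HA Vault quorum disk'

# One target per disk, restricted to the nodes' private IP addresses
New-IscsiServerTarget -TargetName 'VaultShared' -InitiatorIds $initiators | Out-Null
New-IscsiServerTarget -TargetName 'VaultQuorum' -InitiatorIds $initiators | Out-Null
Add-IscsiVirtualDiskTargetMapping -TargetName 'VaultShared' -Path $shared.Path
Add-IscsiVirtualDiskTargetMapping -TargetName 'VaultQuorum' -Path $quorum.Path

# Production: enable CHAP so that a matching IP address alone is not enough to attach the LUNs.
# The Windows iSCSI Target requires a 12-16 character secret; configure the same user/secret on each node's initiator.
$chapUser   = 'vaultchap'
$chapSecret = Read-Host -AsSecureString -Prompt 'CHAP secret (12-16 characters)'
$chap       = New-Object System.Management.Automation.PSCredential ($chapUser, $chapSecret)
foreach ($t in 'VaultShared', 'VaultQuorum') {
    Set-IscsiServerTarget -TargetName $t -EnableChap $true -Chap $chap
}

# Verify: both targets, their allowed initiators, CHAP state and mapped LUNs
Get-IscsiServerTarget | Select-Object TargetName, InitiatorIds, EnableChap, LunMappings
```

Run it in an elevated PowerShell session on the storage host; the final listing should show both targets with the two IPAddress initiator IDs and EnableChap set to True.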
2. Conclusions
So far we have prepared our storage environment, which, for the sake of this demo, lives on the same host where our Active Directory DC is installed.
In the next article we'll be preparing our Vault machine for the Cyberark HAVault deployment.