1. The very first step is to create Security Group so that PAM nodes can communicate each other as per cluster network requirements, i.e. we need to allow communication on TCP/443, TCP/3306 (MySQL), TCP/5900 (Hazelcast), TCP/7900 (JGroups), TCP/7901 (JGroups heartbeat). Refer to https://docops.ca.com/ca-privileged-access-manager/2-8-3/EN/deploying/set-up-a-cluster/cluster-deployment-requirements/#ClusterDeploymentRequirements-NetworkRequirements for more details.
Login to AWS Console using your account and go to EC2 Console and select NETWORK & SECURITY > Security Groups and then click [Create Security Group] button and create Security Group in the same VPC. See example Security Group setup below. In this example both PAM nodes are in 10.0.0.0/24 subnet.
2. Assign the Security Group to both PAM nodes. From EC2 Console select INSTANCES > Instances and select the 1st PAM node instance and select [Actions] > Networking > Change Security Groups. Change Security Groups dialog appears. Select created Security Group at step 1 above and click [Assign Security Groups] button. Redo this for the 2nd PAM node instance.
3. Assign Secondary Private IP to the 1st PAM node. From EC2 Console select INSTANCES > Instances and select the 1st PAM node instance and select [Actions] > Networking > Manage IP Addresses. Manage IP Addresses dialog appears. Click the Assign new IP blue link and then the [Yes, Update] button. A new Private IP will be auto-assigned. Note down both primary and secondary private IPs.
4. Create 3 Elastic IPs, i.e. one for each PAM node and the 3rd one for VIP. From EC2 Console select NETWORK & SECURITY > Elastic IPs and then click [Allocate new address] button. Click [Allocate] button then new Elastic IP is allocated. Click [Close] button. Redo the steps until you create 3 Elastic IPs.
5. Assign the 1st Elastic IP to the 1st PAM node instance and assign the 2nd Elastic IP to the 2nd PAM node instance. Select the 1st Elastic IP and then select [Actions] > Associate address. Select Instance as resource type and select the 1st PAM node instance from the Instance drop down. Select primary private IP from the Private IP drop down. Click [Associate]. Once it is associated successfully click [Close] button. Redo similar steps to assign the 2nd Elastic IP to the 2nd PAM node instance.
6. Assign the 3rd Elastic IP to the 1st PAM node instance's secondary private IP. Select the 3rd Elastic IP and then [Actions] > Associate address. Select Instance as resource type and select the 1st PAM node instance from the Instance drop down. Select secondary private IP from the Private IP drop down. Click [Associate]. Once it is associated successfully click [Close] button.
7. Note down all the Public IP address (Elastic IP address) and its Private IP address pairs as per below table. They are needed in the next PAM cluster configuration steps below.
|1st PAM node||2nd PAM node||VIP Address|
8. If the PAM nodes are stopped, start them.
9. Now, we need to create an AWS connection before we can setup cluster. Access the 1st PAM node (https://A.A.A.A) from your enterprise network (network that is allowed in Security Group) using Internet browser. Login as super user. Go to Targets > Accounts page, click [Add] button and click the magnifying glass icon beside Application Name field and select AWS Access Credential Accounts as application. Host Name and Device Name will be defaulted to xceedium.aws.amazon.com. Select Access Key as AWS Access Credential Type and key in your AWS account's Access Key ID and Secret Access Key along with appropriate User Friendly Account Name (arbitrary name that you can remember). You should use the same AWS account you have used to create/configure PAM instances. Click the [Save] button.
Click [Save Config Locally].
Copy the Shared Key and access the 2nd PAM node, go to Config > Clustering page, paste the Shared Key and click [Save Config Locally].
Now, go back to the 1st PAM node's Config > Clustering page and click [Save To Cluster]. You should see "Successfully saved cluster configuration to all members" message.
11. The last step is to start cluster by clicking [Turn Cluster ON]. Once cluster is up, click [View Cluster Logs] and verify there is no error. Try to access using VIP and verify VIP works as expected.