Credential Escrow Gateway (EG) can be restored at another location with minimal steps through a simple disaster recovery procedure. Disaster recovery for Escrow Gateway uses an active/passive setup with a common network file store (NFS). At any given time only one of the two servers may be running with the NFS exports mounted: the passive node must stay powered off while the active node is in service. If both nodes were up and mounted on the same exports at once, requests could be lost and the data in the shared store could be corrupted. Disaster recovery is currently only supported from Credential Escrow Gateway 1.2.0 onwards.

Environment used in this guide (server type, OS, version, IP, DNS, mount points):

NFS Server
  OS:            Ubuntu
  Version:       18.04.4 LTS (Bionic Beaver)
  IP:            172.16.84.234
  DNS:           (not listed)
  Mount points:  /home/eg/redis/data
                 /home/eg/composeconfig

EG-Active Server
  OS:            Photon
  Version:       EUC Credential Escrow Gateway 1.2.0
  IP:            172.16.70.52
  DNS:           https://beta1eg.ssdevrd.com/
  Mount points:  /opt/vmware/docker/ceg/redis/data
                 /opt/vmware/docker/ceg/compose-config

EG-Passive Server
  OS:            Photon
  Version:       EUC Credential Escrow Gateway 1.2.0
  IP:            172.16.70.128
  DNS:           https://beta2eg.ssdevrd.com/
  Mount points:  /opt/vmware/docker/ceg/redis/data
                 /opt/vmware/docker/ceg/compose-config

Workspace ONE UEM environment
  OS:            Windows
  Version:       2008
  IP:            172.16.99.159
  DNS:           https://egmma2007.ssdevrd.com/
  Mount points:  N/A

Active Server Set up

NFS Server Setup

  1. Create the mount directories with appropriate permissions. Redis and the other services running on EG require read and write access as user 1001 on the mounted folders, so the directories are owned by 1001:1001.

    mkdir -p /home/eg/redis/data
    chown -R 1001:1001 /home/eg/redis/data
    chmod -R 755 /home/eg/redis/data
    
    mkdir -p /home/eg/composeconfig
    chown -R 1001:1001 /home/eg/composeconfig
    chmod -R 755 /home/eg/composeconfig
  2. Copy the initial configuration information from EG's active server to NFS server. This should be done only once for a given NFS server. The following example uses scp to copy.

    scp -r /opt/vmware/docker/ceg/compose-config/* admin@172.16.84.234:/home/eg/composeconfig
  3. Update /etc/exports

    vi /etc/exports

    Add the following lines to the end of the file, specifying the IP of the Active EG server as the only client of each export

    /home/eg/redis/data  172.16.70.52(rw,sync,no_subtree_check)
    /home/eg/composeconfig  172.16.70.52(rw,sync,no_subtree_check)
  4. Restart nfs to apply changes

    service nfs-kernel-server restart

Credential Escrow Gateway Active Server Setup:

  1. Install nfs utils

    tdnf install nfs-utils
  2. Stop docker services

    docker stack rm ceg
  3. Mount the NFS server's exports on the local EG directories by specifying the IP of the NFS server. Mounts made this way do not survive a reboot; add matching entries to /etc/fstab (or remount by hand) before starting the stack again after a restart.

    mount -t nfs 172.16.84.234:/home/eg/redis/data /opt/vmware/docker/ceg/redis/data
    mount -t nfs 172.16.84.234:/home/eg/composeconfig /opt/vmware/docker/ceg/compose-config
  4. [Optional] Configure encryption. Please refer to the Escrow Gateway configuration guide. If encryption is enabled, the encryption configuration must be done at application startup and only once in the lifetime of a given EG setup. Both active and passive nodes must use the same encryption configuration; this is taken care of automatically if this guide is followed, because the configuration is kept on the shared store.

  5. Start docker services

    docker stack deploy -c /opt/vmware/docker/ceg/docker-compose.yml ceg
  6. Configure the UEM instance to point to the Active Server by calling the Escrow Gateway Configuration API with the URL of the Active EG server. The organization group ID, tenant code and Basic credentials below are those of the example environment; substitute your own.

    curl --location --request PUT 'https://egmma2007.ssdevrd.com/api/system/groups/96429a7f-6f42-4a17-a451-d487633d2336/escrow-gateway-settings' \
    --header 'Content-Type: application/json' \
    --header 'aw-tenant-code: XfGiwT8DxsMOopVdtJztHKc8b4DjiSknHF4cpdCQ9EU=' \
    --header 'Authorization: Basic YWRtaW5pc==' \
    --data-raw '{
    "gateway_url": "https://beta1eg.ssdevrd.com",
    "client_cert_thumbprint": "<thumbprint>"
    }'

Fail-over Setup

When the active server is lost, or for a planned fail-over, first make sure the active EG server is powered off (or at minimum has the ceg stack removed and both NFS shares unmounted) before bringing up the passive server. As noted above, the shared store must never be mounted by both nodes at the same time.

NFS Server Setup

  1. Update /etc/exports

    vi /etc/exports

    Change the client IP on both lines from the Active EG server to the Passive EG server, so that only the passive node is granted access

    /home/eg/redis/data  172.16.70.128(rw,sync,no_subtree_check)
    /home/eg/composeconfig  172.16.70.128(rw,sync,no_subtree_check)
  2. Restart nfs to apply changes

    service nfs-kernel-server restart
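The exports switch in the NFS server steps above (granting the Active server during initial setup, then the Passive server on fail-over) can be scripted so that the single-client rule from the introduction is checked before the new exports go live. The following is an added example and is not part of the Escrow Gateway product or its documentation. It assumes the export paths used in this guide, takes the exports file as a parameter so the functions can be exercised on a scratch copy, uses `exportfs -ra` to re-read /etc/exports in place of the service restart shown above (either works), and the CEG_NODE_IP variable that triggers the live run is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the Escrow Gateway documentation): rewrite the EG
# export lines in an exports file so that exactly one EG node is granted
# access, validate, then re-export. Export paths are the ones in this guide.

EG_EXPORTS="/home/eg/redis/data /home/eg/composeconfig"
EG_OPTS="rw,sync,no_subtree_check"

# render_exports NODE_IP: print the two export lines for a single EG node.
render_exports() {
    for path in $EG_EXPORTS; do
        printf '%s  %s(%s)\n' "$path" "$1" "$EG_OPTS"
    done
}

# check_single_client FILE: succeed only if every EG export in FILE names
# exactly one client. Two nodes at once would let both mount the store,
# which is the situation the introduction warns about.
check_single_client() {
    for path in $EG_EXPORTS; do
        n=$(awk -v p="$path" \
            '!/^[[:space:]]*#/ && $1 == p { c += NF - 1 } END { print c + 0 }' "$1")
        if [ "$n" -ne 1 ]; then
            echo "$path is exported to $n clients, expected exactly 1" >&2
            return 1
        fi
    done
}

# switch_exports FILE NODE_IP: drop the existing EG lines from FILE, append
# lines for NODE_IP, validate, and replace FILE in one move. Exports for
# unrelated paths are preserved untouched.
switch_exports() {
    tmp="$1.tmp.$$"
    awk -v paths="$EG_EXPORTS" '
        BEGIN { n = split(paths, a, " "); for (i = 1; i <= n; i++) eg[a[i]] = 1 }
        !($1 in eg) { print }' "$1" > "$tmp"
    render_exports "$2" >> "$tmp"
    if check_single_client "$tmp"; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Live run (this example's own convention), as root on the NFS server:
#   CEG_NODE_IP=172.16.70.128 sh switch-exports.sh
if [ -n "${CEG_NODE_IP:-}" ]; then
    switch_exports /etc/exports "$CEG_NODE_IP" && exportfs -ra
fi
```

Run it on the NFS server with CEG_NODE_IP set to the node that should own the store; if the validation fails, /etc/exports is left as it was and nothing is re-exported.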

Credential Escrow Gateway Passive Server Setup

  1. Install nfs utils

    tdnf install nfs-utils
  2. Stop docker services

    docker stack rm ceg
  3. Mount the NFS server's exports on the local EG directories by specifying the IP of the NFS server

    mount -t nfs 172.16.84.234:/home/eg/redis/data /opt/vmware/docker/ceg/redis/data
    mount -t nfs 172.16.84.234:/home/eg/composeconfig /opt/vmware/docker/ceg/compose-config
  4. Start docker services

    docker stack deploy -c /opt/vmware/docker/ceg/docker-compose.yml ceg
  5. Configure the UEM instance to point to the Passive Server by calling the Escrow Gateway Configuration API with the URL of the Passive EG server

    curl --location --request PUT 'https://egmma2007.ssdevrd.com/api/system/groups/96429a7f-6f42-4a17-a451-d487633d2336/escrow-gateway-settings' \
    --header 'Content-Type: application/json' \
    --header 'aw-tenant-code: XfGiwT8DxsMOopVdtJztHKc8b4DjiSknHF4cpdCQ9EU=' \
    --header 'Authorization: Basic YWRtaW5pc==' \
    --data-raw '{
    "gateway_url": "https://beta2eg.ssdevrd.com",
    "client_cert_thumbprint": "<thumbprint>"
    }'
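Before starting the ceg stack on either node (step 5 of the Active server setup and step 4 of the Passive server setup above), it is worth verifying that both exports are really mounted from the expected NFS server and are owned by uid 1001; otherwise Redis would start against the local directory instead of the shared store. The following pre-flight script is an added example and not part of the Escrow Gateway product or its documentation. The paths and NFS server IP are those of this guide, the mounts file is a parameter so the checks can run against a constructed copy of /proc/mounts, and the CEG_PREFLIGHT variable that triggers the live run is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the Escrow Gateway documentation): pre-flight checks
# for an EG node before "docker stack deploy". Paths and the NFS server IP are
# the ones used in this guide; the mounts file is a parameter so the checks
# can be exercised against a constructed copy of /proc/mounts.

NFS_SERVER="172.16.84.234"

# mount_present MOUNTS_FILE SERVER EXPORT MOUNTPOINT
# Succeeds if MOUNTS_FILE (/proc/mounts format: source mountpoint fstype ...)
# has an nfs or nfs4 entry for SERVER:EXPORT at MOUNTPOINT.
mount_present() {
    awk -v src="$2:$3" -v mp="$4" '
        $1 == src && $2 == mp && ($3 == "nfs" || $3 == "nfs4") { found = 1 }
        END { exit !found }' "$1"
}

# owner_is DIR UID: succeeds if DIR is owned by the numeric UID.
# ls -n prints numeric owner/group and is POSIX, unlike stat -c.
owner_is() {
    [ "$(ls -nd "$1" | awk '{ print $3 }')" = "$2" ]
}

# preflight MOUNTS_FILE SERVER: check both EG exports. Every missing mount is
# reported, and the function succeeds only if both are present.
preflight() {
    rc=0
    mount_present "$1" "$2" /home/eg/redis/data /opt/vmware/docker/ceg/redis/data ||
        { echo "redis data store is not mounted from $2" >&2; rc=1; }
    mount_present "$1" "$2" /home/eg/composeconfig /opt/vmware/docker/ceg/compose-config ||
        { echo "compose-config is not mounted from $2" >&2; rc=1; }
    return $rc
}

# Live run (this example's own convention), as root on the EG node after the
# mount step:  CEG_PREFLIGHT=1 sh preflight.sh
# The stack is only deployed when every check passes.
if [ "${CEG_PREFLIGHT:-0}" = 1 ]; then
    preflight /proc/mounts "$NFS_SERVER" &&
    owner_is /opt/vmware/docker/ceg/redis/data 1001 &&
    owner_is /opt/vmware/docker/ceg/compose-config 1001 &&
    docker stack deploy -c /opt/vmware/docker/ceg/docker-compose.yml ceg
fi
```

A non-zero exit means one of the directories is not backed by the shared store (or is not owned by 1001); fix the mount or the ownership on the NFS server and re-run rather than deploying the stack.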