Switching deployment control from the main site console to the destination site console

When you activate the destination site, Ariel data synchronization and all Ariel copy profiles are disabled on the main site but services are not suppressed.

Before you begin

Complete the Prerequisite tasks described in QRadar Console-only DR by using Data Synchronization app.

After a backup is generated, the system transfers that backup to another site. Open the Backup and Recovery screen to check whether the transferred backup is visible. If the transferred backup is not visible, refresh the Backup and Recovery screen.

For the following scenarios, you can switch deployment control from the main site console to the destination site console.

Important:
  • The console-only features of the current Data Synchronization app support failover and failback for the following scenarios.
    • An actual disaster recovery where the console is not available but the other deployment hosts are still running.
    • A disaster recovery exercise where the main site is still available during the disaster recovery process.
  • If any managed host is down during failover operation due to any reason, it might cause the destination site to show unexpected behavior at activation. To resolve this issue, contact IBM Support. This issue will be resolved in a future release of the Data Synchronization app.
  • Backups from both the main and destination sites should be backed up in an alternate location. If they are deleted due to a retention policy or any other reason, the alternate location should serve as a source for restoring the backups.
Remember:

Apps that are installed on console is only supported during failover and failback operations. If apps are installed on AppHost, then apps are not restored or migrated during the failover and failback operations.

Apps volume backup are being transferred automatically as per daily schedule. However it is advised to take latest volume backup.

  1. To take an app volume backup from the main site console:
    • Apps that run on the console
      1. See Backing up and restoring app data to back up an app volume data from the destination site console.
      2. Transfer the app volume backup from the destination site console to the main site console by running the following command on the destination site console.
        systemctl start app_sync
      3. Verify the transfer on the destination site console directory (/store/app_sync/backups). If the transfer is unsuccessful or with issues, copy the app volume backup from the main site console (/store/apps/backup) directory to the destination site console (/store/app_sync/backups) directory.
    • Apps that run on AppHost
      1. Move all installed apps to the destination site console
      2. See Backing up and restoring app data to back up an app volume data from the main site console.
      3. Transfer the app volume backup from the main site console to the main site console by running the following command on the main site console.
        systemctl start app_sync
      4. Verify the transfer on the destination site console directory (/store/app_sync/backups). If the transfer is unsuccessful or with issues, copy the app volume backup from the main site console (/store/apps/backup) directory to the destination site console (/store/app_sync/backups) directory.
  2. To take an app volume backup from the destination site console (Apps that run on the console):
    1. See Backing up and restoring app data to back up app volume data from the destination site console.
    2. Transfer app volume backup data from the destination site console (/store/app_sync/backups) to the main site console (/store/app_sync/backups) directory.
  3. After failover / failback procedure, If any app will get stuck in ERROR, STARTING, STOPPED, UPGRADING, or CREATING state, apps restore will not start on restore site.
  4. If QRadar services restart in between apps restoration process, then apps restore will not work properly.

An actual disaster recovery where the console is not available but the other deployment hosts are still running

Before you begin

When the main site console is not available and apps are running on AppHost, you must back up app volume data before you proceed to the switching procedure.
  1. Back up apps volume backup from AppHost. See Backing up and restoring app data to back up an app volume data.
  2. Manually transfer apps volume backup from AppHost (/store/apps/backup) to the destination site console (/store/app_sync/backups) directory.

Procedure

  1. On the destination QRadar Console, click Admin > Data Synchronization app.
  2. Open the app menu and select Activate destination site.
  3. Click Activate and then confirm the activation.
    Tip: The restoration process is skipped on the main site because the main site is not available. The restoration process starts on the destination site with the last backup, which is then transferred from the main site to the destination site.
  4. After the restoration is completed on the destination site, go to the Admin tab and deploy the changes. The destination site is now active.

What to do next

Apps that are installed on AppHost are not restored or migrated during the failover and failback operations. To restore the main site apps on the destination console, take the following steps:

  1. If a user at the destination site needs to access an application that was available on the main site but is not accessible from the destination site, it should be reinstalled by using Destination Console site -> IBM QRadar Hub (formerly known as IBM QRadar Assistant) -> Applications-> Installed Extensions section.
  2. Back up volume data of the existing apps on the destination site console before you proceed to restoration operations.
    • Ensure that the correct apps volume backup is available on the destination site console. To restore transferred apps volume backups, copy the app volume backup data from /store/app_sync/backups to /store/apps/backup.
    • Restore only the necessary apps and the apps of smaller sizes. To restore more apps on the destination site or to keep the apps on the DR site for a longer time:
      1. Migrate the apps from the destination site console to AppHost.
      2. Proceed to the restoration procedure.
    • See Backing up and restoring app data to restore app volume data. The standard practice is to use UUID while restoring apps volume backup.
    • Do not restore the Data Synchronization app volume on the destination site console. Data Synchronization app is necessary to maintain its own state and to run failback operation as to activate the main site.
  3. If any apps are found in an Error state after restoration is complete or after the failover or failback operation, restart the apps by using the qappmanager utility (/opt/qradar/support/qappmanager).
  4. In Console-Only setup, during failover and failback, only the license key information is restored. The managed host retains the corresponding nonConsoleEventLimit or flowLimit parameters that are defined within the license key. You need to manually reconfigure license pool allocations by using Console Admin -> System and License Management -> Change Display Drop down: Licenses -> License Pool Management.

A disaster recovery exercise where the main site is still available during the disaster recovery process

Before you begin

When the main site console is available and apps are running on AppHost, ensure to back up apps volume data before you proceed to the switching procedure.
  1. Back up apps volume backup from AppHost. See Backing up and restoring app data to back up an app volume data.
  2. Manually transfer apps volume backup from AppHost (/store/apps/backup) to the destination site console (/store/app_sync/backups) directory.

Procedure

  1. On the destination QRadar Console, click Admin > Data Synchronization app.
  2. Open the app menu and select Activate destination site.
  3. Click Activate and then confirm the activation.
    Tip: The restoration process starts on the main site with the last backup that was transferred from the destination site. After the main site restoration, the destination site restoration starts with the last backup that was transferred from the main site.
  4. On the Admin tab on the main site and the destination site, click Advanced > Deploy full configuration.

What to do next

  1. After you complete the activation process, the pairing connection between both sites is removed. To establish the pairing connection again, you must run the following pairing commands from both the sites:
    1. On the main site QRadar Console, run the following script: 
      /opt/ibm/si/dr/bin/dr_create_ssh.sh -i <destination_site_ip>
    2. On the destination site QRadar Console, run the following script: 
      /opt/ibm/si/dr/bin/dr_create_ssh.sh -i <main_site_ip>
  2. Apps that are installed on AppHost are not restored or migrated during the failover and failback operations. To restore the main site apps on the destination console, take the following steps:
    1. If a user at the destination site needs to access an application that was available on the main site but is not accessible from the destination site, it should be reinstalled by using Destination Console site -> IBM QRadar Hub (formerly known as IBM QRadar Assistant) -> Applications-> Installed Extensions section.
    2. Back up volume data of the existing apps on the destination site console before you proceed to restoration operations.
      • Ensure that the correct app volume backups are available on the destination site console. To restore transferred apps volume backups, copy the apps volume backup data from /store/app_sync/backups to /store/apps/backup.
      • Restore only the necessary apps and the apps of smaller sizes. To restore more apps on the destination site or to keep the apps on the DR site for a longer time:
        1. Migrate the apps from the destination site console to AppHost.
        2. Proceed to the restoration procedure.
      • See Backing up and restoring app data to restore app volume data. The standard practice is to use UUID while restoring apps volume backup.
      • Do not restore the Data Synchronization app volume on the destination site console. Data Synchronization app is necessary to maintain its own state and to run failback operation as to activate the main site.
    3. If any apps are found in an Error state after restoration is complete or after the failover or failback operation, restart the apps by using the qappmanager utility (/opt/qradar/support/qappmanager).
  3. In Console-Only setup, during failover and failback, only the license key information is restored. The managed host retains the corresponding nonConsoleEventLimit or flowLimit parameters that are defined within the license key. You need to manually reconfigure license pool allocations by using Console Admin -> System and License Management -> Change Display Drop down: Licenses -> License Pool Management.