Upgrading, known issues, and security considerations
Review this section for information about upgrading DR, known issues, and security considerations.
Upgrading SOAR Disaster Recovery
Before you can upgrade the SOAR Platform or DR, you must disable DR and then upgrade the SOAR Platform on each of the appliances. When SOAR Platform and DR are upgraded, the steps include enabling DR, which can take some time and requires downtime on master.
About this task
For the upgrade scenario described here, DR is currently enabled.
Procedure
Security considerations for Disaster Recovery
It is important to encrypt the SSH key vault file and SSL certs and follow the security practices described in this guide.
- Refresh the SSH keys
- If you need to refresh the SSH keys, run the enable_dr.yml playbook with new keys in the ssh_vault.yml SSH key vault file. The new keys will be used and the old keys will be removed.
- Replace the SSL certs
- If you need to replace the SSL certs, manually remove the certs, install the new certs using either the manual or supply method, as described in Step 3: Configuring Postgres for SSL, and run the enable_dr.yml playbook with the new SSL certs in the SSL certs vault files.
Known issues for SOAR Disaster Recovery
This section provides information about any known issues.
- Certs not matching
- If the root.crt configured on the receiver appliance does not match the server.crt on the master appliance, SSL communication fails. This causes the enable_dr.yml playbook to fail when taking a base backup from the master postgres database and the playbook leaves the receiver database in an archived state. If this happens, the playbook attempts to automatically use the created backup archive to restore the database to its original state. The backup archive file is located in the /crypt directory if you want to manually restore the receiver database. The file name is based on the time stamp, for example, /crypt/database20180702-1635.gz (database%Y%d-%H%M.gz).
- Run actions as resadmin
- To avoid changing file ownership, you must run all of the actions, including Ansible-vault decrypt/encrypt, as the resadmin user.
- Synchronization problems from master appliance
- If there are unexpected problems during synchronization from the master appliance, it can cause the receiver database to be corrupted, and PostgreSQL does not start.
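
The following pre-flight check is an added example, not part of the product or its playbooks. Before enable_dr.yml is run, it confirms that the SSH key vault file is encrypted and still owned by the expected user, and that server.crt verifies against root.crt. The function names and the file paths passed as arguments are assumptions; "match" is interpreted here as server.crt chaining to root.crt as its trusted CA, which is how PostgreSQL uses root.crt.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before enable_dr.yml.
# Function names are hypothetical; all paths are supplied by the caller.

# True if the file starts with the Ansible Vault header, i.e. it is encrypted.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    case "$(head -n 1 "$1")" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the file is owned by the given numeric uid, e.g. "$(id -u resadmin)".
owned_by_uid() {
    [ "$(stat -c %u "$1" 2>/dev/null)" = "$2" ]
}

# True if server.crt ($2) verifies with root.crt ($1) as the trust anchor.
cert_chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs every check, prints one line per failure, returns the failure count.
# Args: vault file, root.crt, server.crt, expected owner uid.
dr_preflight() {
    failures=0
    if ! is_vault_encrypted "$1"; then
        echo "FAIL: $1 is not encrypted with ansible-vault"
        failures=$((failures + 1))
    fi
    if ! owned_by_uid "$1" "$4"; then
        echo "FAIL: $1 is not owned by uid $4"
        failures=$((failures + 1))
    fi
    if ! cert_chains_to_root "$2" "$3"; then
        echo "FAIL: $3 does not verify against $2"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# When invoked with four arguments, run the checks and exit with the count.
if [ "$#" -eq 4 ]; then
    dr_preflight "$@"
    exit $?
fi
```

Run it as resadmin with copies of both certificate files available locally; a non-zero exit status means at least one check failed and enable_dr.yml should not be started yet.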