TPAM DPA Virtual DPA and DPA Enrollment Failure

Sep. 1st 2014

Virtual DPA

TPAM and its associated appliances historically have all been physical appliances, on Dell server hardware, with the exception of the SCPW client.  Earlier this year, Dell finally released the TPAM DPA software as a virtual appliance.  This virtual appliance is a viable replacement for the DPA physical appliance and is available from the Dell Software Support site http://support.software.dell.com.

If you are entitled to the Virtual DPA software, navigate to the Dell Software support page to download the Virtual DPA appliance. When looking for the software, a common mistake is to enter TPAM Appliance as the software name. While this does give access to the knowledge base and videos with many troubleshooting articles and tutorials, the only item within the download section is a link to the eDMZ site.

The virtual DPA software is actually available under the Privilege Password Manager section.  Once Privilege Password Manager has been entered as the product name, clicking on Download New Releases will expose Virtual DPA 3.38 as an option.  Clicking on the Virtual DPA 3.38 link or the Download link will give access to the Virtual Appliance and the documentation.  The virtual DPA is provided as an OVA package that is compatible with many virtualization systems.

This virtual appliance requires a minimum of 2GB of RAM, two processors, two NICs, and an initial hard drive of 12GB.  Prior to being utilized, the virtual disk needs to be extended to a minimum of 50GB to ensure there is enough space for the storage of session log recordings.  Once the appliance has been imported and the disk has been expanded, the configuration of the Virtual DPA is the same as the physical appliance.

Enrollment Failure

In working with the Virtual DPA, I came across an issue I had not encountered before. Once I created the DPA in the TPAM cluster configuration and entered the enrollment string, TPAM reported that the enrollment had succeeded, but the communication between the DPA and the TPAM Appliance was not working. One indication of this is that the Cluster Status shows the status as Unknown for the DPA.

Also, when connected to the DPA console with option 1, "Check TPAM connectivity", selected from the menu, the two results that could be seen are "Unable to identify TPAM Console connection information" or "Webservice is not running". The normal fix for this is to verify the SSH keys on TPAM; usually when this issue arises, there are no SSH keys installed on TPAM.

First, log in to the TPAM Admin portal, mouse over Keys, and click Manage SSH Keys.

On the Manage SSH Keys window, if the issue described above is occurring, this window should be empty. This is the issue: TPAM has no SSH keys stored, and this key is what TPAM uses to communicate with the DPA. TPAM needs to have at least one SSH key installed.

Click Add Key.

Enter a key name, enter a start date and click Save Changes.

Once the key has been added, proceed back to Cluster Management and perform a re-enroll.

After the enrollment process completes, the TPAM connectivity test from the DPA should respond with details of the TPAM primary and any replicas joined to the cluster.

Author: Russ Burden, Technical Architect, LeadThem Consulting
