Adding Nodes to a PAM Farm

This page provides guidance on adding PAM nodes to an existing PAM farm.

Some general restrictions:

• PAM nodes can only be added to a farm that was previously deployed with the PAM CDM.
• PAM nodes cannot be removed from a farm, or have their roles changed (master to remote, worker to session, etc).
• If a single-master PAM farm was originally deployed with the embedded Apache Derby database, additional PAM master nodes cannot be added to the farm.
• If a single-master PAM farm was originally deployed without a load balancer, additional PAM master nodes cannot be added to the farm.

Intended Use Case

The intended use case begins with a PAM farm deployed through the PAM CDM with the following configuration:

• Two PAM master nodes.
• Any number of PAM master, session, or worker nodes.
• A load balancer is in place (Apache-managed Ansible or external).
• Database is either Ansible-managed PostgreSQL or external (not embedded Apache Derby).

Over time, the PAM farm may grow to meet business needs. The expected areas of growth are:

• Adding additional PAM master nodes.
• Adding additional PAM remote, session, or worker nodes.

Initial Configuration

The initial Ansible inventory might look like this:

[pam_master]
pam-master-1.corp.net
pam-master-2.corp.net

[pam_apache]
pam-lb.corp.net

[pam_postgres]
pam-db.corp.net

Running the PAM deployment playbooks with this inventory file will yield:

• Two PAM master nodes
• Ansible-managed PostgreSQL database
• Ansible-managed Apache load balancer
• No PAM remote nodes

This is just an example. Production PAM farms should not use Ansible-managed PostgreSQL or Ansible-managed Apache.

Adding PAM Remote Nodes

Update the Ansible inventory to add two remote nodes:

[pam_master]
pam-master-1.corp.net
pam-master-2.corp.net
    
[pam_apache]
pam-lb.corp.net
  
[pam_postgres]
pam-db.corp.net

[pam_remote]
pam-remote-1.corp.net
pam-remote-2.corp.net

Important: The original PAM Master, Apache, and PostgreSQL nodes should remain in the inventory file.

When the install_all.yml playbook is run with this inventory, the PAM Master, Apache, and PostgreSQL hosts should not be changed. But the two remote PAM nodes will be installed.

Adding an Additional PAM Master Node

Update the Ansible inventory to add a third master node:

[pam_master]
pam-master-1.corp.net
pam-master-2.corp.net
pam-master-2.corp.net
    
[pam_apache]
pam-lb.corp.net
  
[pam_postgres]
pam-db.corp.net

[pam_remote]
pam-remote-1.corp.net
pam-remote-2.corp.net

Important: The third master node is added to the inventory without removing any other hosts.

When the install_all.yml playbook is run with this inventory, the new PAM Master node should be added without changing any other hosts.