We’ve recently had a number of enquiries around the best way of Stopping and Restarting Passwordstate. Most of these enquiries have been related to businesses getting ready to test their Annual DR (Disaster Recovery) and BCP (Business Continuity Plans).
With this scenario in mind, we’ll establish for the sake of the blog entry, that we’re talking about a Passwordstate Primary Instance with HA (High Availability) instance in an Active / Passive configuration. It is assumed that the HA instance is on a separate network with associated infrastructure enabling it to be contactable as required.
The image above represents a simplified logical view for this blog entry. The webserver and database servers are installed on separate Windows Servers and all members in the example are connected over a traditional diverse pathed ethernet networks. The Passwordstate webservers site behind a load balancer.
What Needs to Be Stopped?
The premise for this blog is you want to ensure your High Availability Instance is running and can be pointed to in the event your Primary instance is non-functional. In order to test this, you need to effectively stop your Primary instance and then test your HA instance is functioning. But how do you do this?
You could simply shutdown the Primary instance webserver. Or you could follow shutdown the Primary Instance Passwordstate Windows Service and IIS (Internet Information Services) Site. The Passwordstate Windows Service is used to perform all background tasks for the website, which typically includes;
- Sending email notifications,
- Sending out scheduled reports,
- Performing scheduled password resets, heartbeats and discovery jobs,
- Checking for new builds online,
- Removing expiring access to passwords, and,
- Sending auditing data from you HA server to your primary server (in Active/Passive HA configuration)
However, simply shutting down the Passwordstate Windows Service is not enough. This will only stop the scheduled actions listed above. You’ll also need to Stop the Passwordstate IIS Site to prevent people form being able to login to Passwordstate and access Credentials via the API or via our Browser Extensions.
How do I stop the Windows Service and IIS Site?
There are a couple of ways of stopping the Passwordstate Windows Service. The first is via Windows Services App. Simply start the Services App, Search down the list of services for Passwordstate Service, right click on the service and select Stop as per the image below;
Alternatively, you could fire up the Windows CMD Shell as an Administrator and type in Net Stop “Passwordstate Service” and hit enter as per the image below;
Next, you’ll need to stop the Passwordstate IIS website. To do this you’ll need to start the Internet Information Services (IIS Manager) App on your webserver. Expand the sites folder, select Passwordstate and click on Stop under Manage Website as per the image below;
This instance of Passwordstate is now effectively stopped and will not service logins, credential access via API or Browser Extensions and no scheduled background actions will run.
How do my Load balancers monitor the availability of Passwordstate?
If you were using a High Availability instance of Passwordstate, that is running in Active/Active mode, then it’s possible that you have a load balancer in front of both of your sites. Typically, your load balancer should automatically fail over to a working site, if one of them became unavailable.
Passwordstate has a dedicated page that your load balancers can monitor, to confirm if it is running successfully, and this page is called “keepalive”. This is designed to provide a return code of 200 if a Passwordstate instance is up and running. The keepalive page your load balancer should periodically check is <your Passwordstate URL> with ‘/keepalive’ appended to the URL.
You may be tempted to use your normal Passwordstate login URL but you shouldn’t. The reason for this is you may have Anonymous Authentication disabled for your Passwordstate login page. If so ten this may return results that your load balancer may interpret as a failure triggering a failover when it isn’t required. Many Load Balancers don’t like pages that redirect and your primary URL will redirect to different login pages, depending on the type of authentication you have set.
The Keep Alive page is always set to use Anonymous Authentication and it will never redirect.
How to restart the Windows Service and IIS Site?
Once you’ve finished your testing simply start the Internet Information Services (IIS Manager) App on your webserver, expand the sites folder, select Passwordstate and click on Start under Manage Website as per the image below;
Then start either the Services App searching for the Passwordstate Service, right click on the service and select Start as per the image below;
Or fire up the Windows CMD Shell as an Administrator and type in Net Start “Passwordstate Service” and hit enter as per the image below;
That’s all there is to it. As outlined above you have a number of methods of effectively shutting down a Passwordstate instance for DR and BCP testing.
If you have feedback and are unsure where to send it? Send it through to support@clickstudios.com.au.