Use the BeyondTrust API to Check PRA B Series Appliance Health and Perform Failover

The BeyondTrust API includes calls to manage and automate failover. Following the basic flows set forth in and , you can automate certain parts of these flows using the BeyondTrust API. This section provides some examples of how you can use the BeyondTrust failover API calls. You must modify the examples to fit your environment.

 

Using the built-in failover in /login and the API failover commands together could result in conflict.

API Configuration

To use the BeyondTrust API, ensure that the Enable XML API option is checked on the /login > Management > API Configuration page.

 

For full instructions on using the BeyondTrust API, please see the API Programmer's Guide.

Check B Series Appliance Health

To perform a health check on the B Series Appliance, use the API command check_health.

For more information, please see API Command: check_health.

You can use the XML responses <last_data_sync_time> and <last_data_sync_status> to make sure data syncs are occurring as expected.

If the XML response for the primary B Series Appliance includes <success>1</success>, then the B Series Appliance is functioning normally. You should not need to failover.

If the XML response for the primary B Series Appliance includes <success>0</success>, then you should take into account the time of the last successful health check. Also consider any <error_message> elements that are returned. You should put in place contingencies so that if the issue can be resolved in a reasonable time, then no action should be taken. However, if it is determined that failover is required, then you can use the API to switch failover roles.

In addition to or alternative to using the API command above, you can use https://access.example.com/check_health to check the health of a B Series Appliance. This returns an HTTP status of 200 if the probe is successful and 500 (Server Error) if not. While you will see a simple human-readable message showing success or failure, no other data is exposed.

Set Failover Roles

To set the failover role on a B Series Appliance, use the API command set_failover_role. (In the API Programmer's Guide, see API Command: set_failover_role for full details.)

It is assumed that you will have in place systems for enabling/disabling a shared IP address if your two B Series Appliances are on the same network or else automatically performing a DNS swing or NAT swing.

Once the failover roles have successfully been changed, you should receive an XML response of <success>.