Randomization and replication
Bravura Privilege replication is implemented at the stored procedure level. When a stored procedure is run on any Bravura Privilege node, the name of the procedure and all of its arguments are serialized into a replication message which is placed in an outgoing queue file. An outgoing queue file is maintained for each replica and the database service on each node is responsible for periodically sending messages in its outgoing queue files to the database services running on its replicas. Simultaneously, each database service receives replication messages from its replicas and places them in its incoming queue file.
The database service processes each message in its incoming queue file one by one by unpacking the name and arguments of the stored procedure and executing them against its backend database. In this manner, every node executes the same set of stored procedures, and should maintain synchronization. Note that, because the incoming queue is processed one message at a time, it takes an unpredictable amount of time for two nodes to be synchronized with respect to any particular message. If the queue is empty, the message will be processed nearly instantaneously. If there’s a significant queue backlog because of long-running stored procedures, the message must wait and the nodes will remain desynchronized until it is processed.
Randomization is implemented on top of replication. A provisional password is generated within the Privileged Access Manager Service (idarch), encrypted, and inserted into the database using a stored procedure (which in turn creates replication messages for the replicas). Once the provisional password is stored in the database, a connector is launched to set the password on the target system. The status of the provisional password in the database is then updated by a second stored procedure run, according to the return code from the connector. The mechanics of this process are discussed further in Schema - tables used for randomization.
Allow password randomization only on managing node
If the managing node is not available, Bravura Security Fabric performs the randomization locally so that access is revoked as promptly as possible. This fallback is sensitive to network connectivity problems and server maintenance events, which can result in two nodes generating conflicting passwords for the same account.
If you are encountering password conflicts, set Manage the system > Maintenance > System variables > IDARCHIVE RANDOMIZE LOCAL FALLBACK to false so that randomizations are performed only on the managing node. Note that certain pages in Bravura Security Fabric allow bulk randomizations that can include accounts managed by multiple nodes. In these cases, a warning message is displayed in the Randomize password button's confirmation dialog box stating that the randomizations will be performed by the local node.
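The following simulation, added here as an illustration and not taken from Bravura Privilege's own code, models the mechanism described in both sections above: stored procedure calls serialized into one outgoing queue per replica, an incoming queue applied one message at a time, the two procedure runs that bracket the connector during randomization, and the conflict that arises when two nodes each randomize the same account locally before replicating. The node class, the procedure names sp_insert_provisional and sp_update_status, the account name, the "enc:" prefix standing in for encryption, and the connector and target dictionary are all constructed for this example.

```python
import json
import secrets
from collections import deque


class Node:
    """Simulated node: backend 'database', stored procedures, one outgoing queue per replica, one incoming queue."""

    def __init__(self, name):
        self.name = name
        self.db = {}          # account -> list of rows {"pw": ..., "status": ...}
        self.outgoing = {}    # replica name -> deque of serialized messages
        self.incoming = deque()
        self.procs = {        # hypothetical stored-procedure names
            "sp_insert_provisional": self.sp_insert_provisional,
            "sp_update_status": self.sp_update_status,
        }

    def add_replica(self, other):
        self.outgoing[other.name] = deque()

    def sp_insert_provisional(self, account, pw_enc):
        self.db.setdefault(account, []).append({"pw": pw_enc, "status": "provisional"})

    def sp_update_status(self, account, pw_enc, status):
        for row in self.db.get(account, []):
            if row["pw"] == pw_enc:
                row["status"] = status

    def call(self, proc, *args):
        # Run locally, then serialize name + args into every replica's outgoing queue.
        self.procs[proc](*args)
        msg = json.dumps({"proc": proc, "args": list(args)})
        for queue in self.outgoing.values():
            queue.append(msg)

    def send(self, replicas):
        # Periodic delivery: drain each outgoing queue into that replica's incoming queue.
        for replica in replicas:
            queue = self.outgoing[replica.name]
            while queue:
                replica.incoming.append(queue.popleft())

    def process_one(self):
        # Apply exactly one incoming message, in arrival order.
        if not self.incoming:
            return False
        msg = json.loads(self.incoming.popleft())
        self.procs[msg["proc"]](*msg["args"])
        return True

    def process_all(self):
        while self.process_one():
            pass

    def current_password(self, account):
        # Latest password this node believes was set successfully on the target.
        ok_rows = [r for r in self.db.get(account, []) if r["status"] == "ok"]
        return ok_rows[-1]["pw"] if ok_rows else None


def randomize(node, account, connector):
    # Provisional insert, connector run, status update: two replicated procedure calls.
    pw_enc = "enc:" + secrets.token_hex(8)   # stand-in for the encrypted password
    node.call("sp_insert_provisional", account, pw_enc)
    rc = connector(account, pw_enc)          # 0 means the target accepted the password
    node.call("sp_update_status", account, pw_enc, "ok" if rc == 0 else "failed")
    return pw_enc


def make_pair():
    # Two nodes replicating to each other, plus a constructed target system.
    a, b = Node("A"), Node("B")
    a.add_replica(b)
    b.add_replica(a)
    target = {}

    def connector(account, pw_enc):
        target[account] = pw_enc
        return 0

    return a, b, target, connector


def demo_replication():
    # A randomizes; B stays out of sync until it has applied both messages.
    a, b, target, connector = make_pair()
    pw = randomize(a, "root@db01", connector)
    a.send([b])
    b.process_one()                   # insert applied, status still provisional
    mid = b.current_password("root@db01")
    b.process_one()                   # status update applied, now in sync
    return mid, b.current_password("root@db01"), pw, target["root@db01"]


def demo_conflict():
    # Local fallback on both nodes for the same account: each applies the other's
    # change last, so their views diverge and one no longer matches the target.
    a, b, target, connector = make_pair()
    randomize(a, "root@db01", connector)
    randomize(b, "root@db01", connector)
    a.send([b])
    b.send([a])
    a.process_all()
    b.process_all()
    return a.current_password("root@db01"), b.current_password("root@db01"), target["root@db01"]
```

demo_replication shows why synchronization time is unpredictable: after the first queued message B has only the provisional row and still reports no usable password; only after the second message is applied does it agree with A and with the target. demo_conflict is the situation the IDARCHIVE RANDOMIZE LOCAL FALLBACK setting guards against: every node applies its own randomization first and the other node's last, so the two nodes end up believing different passwords are current, and at most one of them matches what was actually set on the target.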