
File synchronization architecture

Bravura Security Fabric’s native file synchronization does not synchronize in the true sense of the term. It only copies files and registry entries from the primary node to all other nodes, regardless of how it is triggered. Any changes made on the other nodes, unless blacklisted, are overwritten on the next run. For that reason this article refers to the process as propagation.

Bravura Security Fabric’s file propagation sends:

  • Files inside the instance’s folders.

  • Registry entries of the instance.

Caution

Check that the servicelist:address field values in the backend database are fully qualified domain names (FQDNs), not short host names or IP addresses. This is especially important for Bravura Privilege.

Most of the propagated data is configuration.

Files deleted on the primary node are deleted by the file replication service idfilerep on the secondaries and proxies. When idfilerep cannot delete a file on a secondary (for example because another process holds it locked), psupdate sends an email to the configured administrative address (Manage the system > Workflow > Email configuration > RECIPIENT EMAIL).

From the primary node, files are sent using various utilities:

  • updinst: The file replication service idfilerep on each secondary node sends the primary node a list of its files and registry entries. The updinst utility on the primary node sends the changes back to the secondary nodes.

  • updproxy: The psproxy service on the application proxy server sends the primary node a list of its files and registry entries. The updproxy utility on the primary node sends the changes back to the proxy server.

The Bravura Security external database replicator, which is enabled by default on each node installation, should be disabled on secondaries and in single-node instances.

Encryption

Like data replication, file/registry replication is encrypted using a shared-key handshake. It is a batch process that typically completes in just under a minute; in a typical deployment there is relatively little configuration data that changes from day to day, so there is little to forward.

Port

The file replication port (by default 2380) must be reachable in both directions: from the primary application node to every other application node, and from every other application node back to the primary node.

See all Port requirements.
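The two checks above (the caution that servicelist:address values are FQDNs, and the requirement that the replication port is reachable) are things a practitioner verifies before trusting propagation. The following PowerShell is an added example, not code from Bravura Security or its documentation. It assumes you have already exported the servicelist:address values from the backend database; the address list in the script is constructed sample data, and the function names are this example's own.

```powershell
# Added example: pre-flight check for file propagation.
# Not part of Bravura Security Fabric. Run it on the primary against every
# other node, then on each secondary/proxy against the primary, because
# the replication port has to be open in both directions.

function Test-IsFqdn {
    param([Parameter(Mandatory)][string]$Address)
    # An IP literal (v4 or v6) is not an FQDN; reject it outright.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    # Tolerate a single trailing dot (absolute name) before counting labels.
    $name   = $Address.TrimEnd('.')
    $labels = $name -split '\.'
    # A short host name such as "idmnode2" has only one label.
    if ($labels.Count -lt 2) { return $false }
    foreach ($label in $labels) {
        # Letters, digits and hyphens; no leading/trailing hyphen; max 63 chars.
        if ($label -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$') {
            return $false
        }
    }
    return $true
}

function Test-ReplicationReachability {
    param(
        [Parameter(Mandatory)][string[]]$Addresses,
        [int]$Port = 2380   # default file replication port from the documentation
    )
    foreach ($addr in $Addresses) {
        $isFqdn = Test-IsFqdn -Address $addr
        # Test-NetConnection performs a TCP connect to the given port; a failure
        # here means a firewall or routing problem between this node and $addr.
        $tcp = Test-NetConnection -ComputerName $addr -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Address       = $addr
            IsFqdn        = $isFqdn
            PortReachable = [bool]$tcp.TcpTestSucceeded
        }
    }
}

# Constructed sample values standing in for rows of servicelist:address.
$Addresses = @(
    'idmnode1.corp.example.com',   # FQDN: acceptable
    'idmnode2',                    # short host name: flagged (IsFqdn = False)
    '10.0.12.34'                   # IP literal: flagged (IsFqdn = False)
)

Test-ReplicationReachability -Addresses $Addresses -Port 2380 | Format-Table -AutoSize
```

Any row with IsFqdn = False needs the servicelist:address value corrected in the database; any row with PortReachable = False needs a firewall or routing fix before propagation to that node can work. Because the script can only test outbound connections from the node it runs on, it must be run from both sides to cover both directions.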

Distribution of application proxies in the network

Application proxies do not have a backend database. They are added to a solution in order to run agents in environments where no VPN tunnel is configured between sites, so that not every Bravura Security Fabric node can reach every target system.

An application proxy requires only a single port to be opened in the firewall. The port number is configurable, and different proxies may use different ports. This is useful for security because it exposes one port between subnets or data centers instead of the many ports required for integration with target systems. Those application ports are well known and are routinely probed by attackers looking for a way into the network; the real gain is the smaller number of exposed services, not the choice of an unusual port number, so the proxy port should still be restricted to the peers that need it.