According to the CyberArk Sentry Secrets Manager documentation1, the steps to failback to the primary site after a manual failover to the disaster recovery site are as follows:
On the DR site, stop the Conjur Leader node using the command docker stop .
On the primary site, generate a seed for the new Leader node using the command evoke seed leader . This will create a file named .tar in the current directory.
On the primary site, copy the Leader seed file to the new Leader server using the command scp .tar :.tar
On the new Leader server, create a new container using the same name as the one you just stopped, and load the Leader seed file using the command docker run --name -d --restart=always -v /var/log/conjur:/var/log/conjur -v /opt/conjur/backup:/opt/conjur/backup -p "443:443" -p "5432:5432" -p "1999:1999" cyberark/conjur:latest seed fetch .tar
On the new Leader server, configure the Conjur Leader node using the command evoke configure leader -h -p
On the new Leader server, reconfigure the Vault Conjur Synchronizer to point to the new Conjur Leader using the command evoke vault sync set
On the DR site, generate a seed for the new Standby node using the command evoke seed standby . This will create a file named .tar in the current directory.
On the DR site, copy the Standby seed file to the new Standby server using the command scp .tar :.tar
On the new Standby server, create a new container using the same name as the one you just stopped, and load the Standby seed file using the command docker run --name -d --restart=always -v /var/log/conjur:/var/log/conjur -v /opt/conjur/backup:/opt/conjur/backup -p "443:443" -p "5432:5432" -p "1999:1999" cyberark/conjur:latest seed fetch .tar
On the new Standby server, re-enroll the node to the cluster using the command evoke cluster enroll
The other options are not correct, as they are either unnecessary or incorrect. Contacting CyberArk for a new license file is not required, as the license is valid for both sites. Reconfiguring the Vault Conjur Synchronizer to point to the new Conjur Leader is a step that should be done on the new Leader server, not on the DR site. Triggering autofailover to promote the Standby in Site A to Leader is not possible, as the Standby node is not aware of the manual failover and will not accept the promotion request.
