Splitting an existing PEM server v10.2
You can split an existing PEM installation into two installations. Splitting is useful if your original PEM instance has become overloaded and you want to split the load over two servers. It can also be useful if you're restructuring your database estate and want to take a segmented approach to monitoring.
You can split an existing PEM instance into three or more instances by splitting each new instance. You can also set up a new PEM instance and move a portion of the monitored servers and agents to the new instance.
Note
The example commands are for PostgreSQL 16. Modify the service name and file paths as appropriate for your environment.
Install PEM on the new host
PEM and Postgres versions must match
Ensure the versions of Postgres and PEM in your new environment match the versions used in the existing environment.
Copy all data from your existing PEM instance
On the new PEM host:
Stop the Postgres and PEM agent services:
systemctl stop postgresql-16 systemctl stop pemagent
Delete the Postgres data directory:
rm -rf /var/lib/pgsql/16/data/*
Clone the the existing PEM data in your new instance:
su - postgres pg_basebackup -h <OLD_PEM_IP> -p <OLD_PEM_SERVER_PORT> -U postgres \ -D /var/lib/pgsql/16/data -Fp -Xs -P
Update the pg_hba.conf file on the new PEM instance
At this point, the pg_hba.conf file on the new PEM instance is a
copy of the one on the existing PEM instance. If any entries reference the
external IP of the existing PEM server (for example, host ... <old_ip> ...),
modify them to use the new PEM server IP address or
localhost/127.0.0.1, as appropriate.
You can now start the Postgres and PEM agent services. (You might need to restart them again later.)
```shell systemctl start postgresql-16 systemctl start pemagent ```
Configure SSL on the new server and reconfigure PEM agents
How you configure SSL depends on how you want to manage SSL certificates. From the four approaches, select the one that meets your needs.
All of these scenarios are viable if you're using unique agent users or a single common agent user.
External certificate authorities
If you exclusively use SSL certificates provided or signed by an external certificate authority, go to Approach 4.
Web server certificates
These instructions are for configuring SSL for connections to Postgres. For the PEM web application, generate a new self-signed certificate during server configuration. You can replace the web server certificate by following the documentation.
Approach 1 – Reuse certificates from the existing PEM instance
Use this approach if you want to use the same server certificates for both PEM instances. This approach requires no changes to any SSL settings or files.
Note
In general, we recommend Approach 2 over Approach 1 because it ensures each PEM server has a unique identity.
This is good practice and is required if you want to use stricter client SSL modes such as verify-full.
Copy the PEM agent certificates from the old PEM instance to the new PEM instance. (By default, these are located in
/root/.pemon Linux andC:\Users\\AppData\Roaming\pemon Windows.)Restart Postgres and the PEM agent services on the new system.
For all agents you want to migrate to the new PEM instance, update the
pemhostparameter in theagent.cfgfile of all agents to the address of the new PEM instance.Restart the affected PEM agents.
Approach 2 – Use different server certificates but the same CA
Use this approach if you want to have different server certificates on the two PEM servers and want to allow both PEM servers to act as a single certificate authority.
Using this approach, agent certificates issued by either PEM server will be signed identically and trusted by both servers. This is convenient as it avoids the need to replace any agent certificates while still ensuring the servers have distinct identities.
Back up the existing
server.crtandserver.keylocated in the Postgres data directory.Generate a new
server.keyand CSR for the new PEM server.openssl genrsa -out server.key 4096 openssl req -new -key server.key -out server.csr -subj '/C=your_country/ST=your_state/L=your_locality/O=your_org/CN=common_name_for_server'
Sign the CSR, and generate a server certificate with your existing CA certificate.
openssl x509 -req -days 365 -in server.csr -CA ca_certificate.crt -CAkey ca_key.key -CAcreateserial -out server.crt
Change the owner and the permissions on the generated
server.crtfile.chown postgres /var/lib/pgsql/16/data/server.crt chmod 600 /var/lib/pgsql/16/data/server.crt
Restart Postgres and PEM agent services on the new system.
For all agents you want to migrate to the new PEM instance, update the
pemhostparameter in theagent.cfgfile of all agents to the address of the new PEM instance.Restart the affected PEM agents.
Approach 3 – Replace all server and agent certificates
Use this approach if you want to have completely distinct server certificates and certificate authorities for the two servers. Using this approach, a given agent can authenticate only with its "parent" PEM server. The two PEM instances will have no SSL configuration in common.
Important
This approach requires generating new client certificates for every agent. Unless you have orchestration tooling capable of doing this or are using a common agent user, this can be a significant effort.
Follow the instructions for regenerating the server SSL certificates to regenerate the following files:
server.crtserver.keyroot.crtroot.crlca_certificate.crtca_key.key
Restart Postgres and PEM agent services on the new system.
For all agents you want to migrate to the new PEM instance, update the
pemhostparameter in theagent.cfgfile of all agents to the address of the new PEM instance.Regenerate agent certificates for each agent user and copy the new certificates and keys into place. You must also regenerate the certificate and key and for the agent on the PEM server.
Restart the affected PEM agents.
Approach 4 – Use only certificates from an external CA
Use this approach if you exclusively use SSL certificates provided or signed by an external certificate authority.
Because your existing agent certificates were issued by a trusted authority that's included in the Postgres server CA cert, both PEM servers can validate all your agent certificates, meaning all agents are already able to connect to either PEM server. You need to request a new server certificate only for the new PEM server.
Obtain a new server certificate and key from your provider, supplying the details of the new PEM instance.
Replace
server.crtandserver.key(or whatever files are currently specified byssl_server_certandssl_server_key) with your new certificate and key respectively.Restart Postgres.
Disable disconnected agents on each PEM instance
You now have two PEM instances, with your existing agents split between them. However, both instances contain records for all agents. Clean up the PEM instances to reduce wasted resources and false alerts by marking the agents that aren't connected to each instance as inactive.
In the PEM web application, delete the agent and its monitored servers. In Object Explorer, right-click each one and select Remove.
Alternatively, you can perform this action through SQL. Execute the following on the pem database:
UPDATE pem.agent SET active = false WHERE id in (list_of_ids); UPDATE pem.server SET active = false WHERE id in (list_of_ids);
Validate your PEM instances
Open the PEM monitoring dashboard of the new instance.
- Confirm that only the required servers and agents are visible.
- Verify that these servers/agents show an active status and are sending metrics.
- Check the agent logs for any connection or authentication errors.