Forgot VA cluster passphrase while adding new VA in SailPoint ISC — what are the options?

Hi everyone,

We currently have 3 VA clusters connected with around 50+ sources in SailPoint ISC.

We are trying to add a fourth Virtual Appliance, but we’ve realized that the passphrase used for the existing VA clusters is no longer available, so we are unable to connect the new VA.

From our understanding, this should not impact existing sources and there should be no downtime involved.

I wanted to check with the community:

  • What are the possible options in this scenario?

  • Has anyone faced a similar situation, and how did you handle it?

  • What would be the recommended approach here?

Trying to understand the best way forward.

Thanks!

Hi @Gxurav7 ,

Unfortunately you need to create a new cluster, as you lost the key passphrase for the old cluster.
Thanks

Hey, @Gxurav7

The passphrase is used for VA-to-ISC trust establishment, not for ongoing operation. Existing VAs continue working because they already have established trust.

What are the possible options in this scenario?

  • Retrieve from existing VA (Extract passphrase from working VA config/keystore)
  • Reset via SailPoint Support (Official passphrase rotation on tenant side)
  • New Cluster (Downtime required)

Has anyone faced a similar situation, and how did you handle it?

One of my colleagues faced this exact issue with 2 VA clusters and 15 sources. SailPoint Support reset the passphrase within 24 hours. We updated VAs one by one during a Saturday window. Sources reconnected automatically. Lesson: Store passphrase in corporate vault with quarterly validation.

“We tried cloning a VA to avoid downtime. It caused certificate conflicts that took 2 days to resolve—longer than just doing the supported reset.”

What would be the recommended approach here?

  • I would recommend the reset via SailPoint Support if possible
  • If the above option is not possible, go with creating a new cluster and adding the new VAs

Note: Always store the passphrase in your company vault or somewhere safe.

You can do two things here:

  1. Create a new parallel VA cluster and decommission the old one once the new one is ready.
  2. Define a maintenance window and redo the installation of VAs on all servers.

One further thing to be aware of as this has just caught us out.

We have needed to create new clusters to take advantage of their new functionality.
I followed all standard protocol about migrating VAs to a new cluster only to fall foul of the fact that there is a new URL that needs to be whitelisted to allow the VA to successfully pair. This is currently with the Networks team to open up the data flows.

This won’t be a problem if your current clusters are relatively new; ours are 5+ years old.

Got it, thanks for confirming.

Thanks!

Hi,

This is really helpful, thanks for sharing in detail.

The clarification about passphrase being used only for trust establishment makes things much clearer. Also good to know that reset via SailPoint Support is a viable option — that seems much better than creating a new cluster directly.

The real example you shared also helps in understanding the practical side of it.

Just wanted to check, during the reset process, did you observe any temporary disruption for sources while updating VAs one by one?

Hi,

Thanks for sharing the options.

Creating a parallel cluster and then decommissioning the old one sounds like a safer approach, especially to avoid any major disruption.

Reinstalling all VAs also makes sense, but I guess that would require careful planning with a maintenance window.

Hi,

That’s really useful to know — thanks for calling that out.

I hadn’t considered the new URL whitelisting part, especially for older clusters. That could easily be missed during migration.

Good point about checking with the network team as well.

Thanks for sharing this, definitely something to keep in mind.