System Requirements

Environment

Environment Description
Supported Operating Systems

> Windows Server 2012

> Windows Server 2012 R2

> Windows Server 2016 (64-bit) (GUI only)

> Windows Server 2019 (64-bit) (GUI only)

> Windows Server 2022 (64-bit) (GUI only)

Supported Database Servers

> PostgreSQL 9.6 (PostgreSQL 9.6.4, default)

NOTE:   PostgreSQL should be used only for test and proof-of-concept installations. It is not supported in HA configurations. The default database shipped with SafeNet Authentication Service is PostgreSQL. Any other supported database must be purchased separately.

> MySQL 8.0.25

NOTE:   The High Availability (HA) feature is supported for versions up to MySQL 8.0.25.

NOTE: If you are using MySQL 5.7.x, HA support requires MySQL 5.7.x to MySQL 5.7.23. In other words, MySQL versions prior to 5.7.x (or later than MySQL 5.7.23 except MySQL 8.0.18) are not supported, and thus may not work with the SAS solution.

> Microsoft SQL (MS SQL) supported database versions:

MS SQL 2012

MS SQL 2014

MS SQL 2016

MS SQL 2017

MS SQL 2019

NOTE:    

For replication, an active/active (multi-master) configuration needs to be deployed. On MS SQL, this is transactional peer-to-peer replication. In addition, peer-to-peer replication is also supported for Enterprise editions of MS SQL 2014 and MS SQL 2016.

The Always On Availability Groups feature is now supported for MS SQL 2012, MS SQL 2014, MS SQL 2016, MS SQL 2017 and MS SQL 2019.

An MS Internal (SQL only) user account or an MS SQL Windows Domain User can be used to connect SAS to MS SQL Database.

> MSSQL User Permissions

Action | Permission
Installation | DB ADMIN, or: Create Database, Create Table, Create Index, Create View
Runtime (on all SAS tables) | Select, Update, Delete
Upgrade | Create Table, Create Index, Create and Delete View, Select on the following MSSQL objects: INFORMATION_SCHEMA.KEY_COLUMN_USAGE, INFORMATION_SCHEMA.TABLE_CONSTRAINTS, sysobjects, syscolumns, sysindexes, sysindexkeys, sysconstraints

Supported LDAP Directories

> Active Directory

> Novell eDirectory 8.x

> SunOne 5.3

> Open LDAP

Supported Architecture

64-bit

Supported Application Authentication Protocols

> SAML

> OIDC

Supported RADIUS Authentication Protocols

> PAP

> CHAP

> MSCHAPv2

Additional Software Components

> Internet Information Services (IIS) 8.5

> .NET 4.8

> .NET Framework 3.5 Features

NOTE:   IIS 6 compatibility roles and ASP.NET role services must be installed in order for the SAS website to appear. For Windows Server 2016 (64-bit), IIS 10 compatibility roles and ASP.NET role services are needed.

MySQL Components

> MySQL Connector v 8.x.x

NOTE:   The MySQL Connector is required only if the database in use is MySQL.

Processor

2.6 GHz processor (or above)

Memory

16 GB RAM (or greater)

For a higher number of users and expected concurrent authentications, machines with 32 GB RAM and a 4-core processor, or 64 GB RAM and a 6-core processor, are recommended.

More details are available in the Minimum Recommended Configuration section.


Disk Space

300 MB

NOTE:   Minimum disk space required for installation is 300 MB; additional disk space is required if logging is enabled.

Display

SVGA (1280 x 1024), 24-bit color or higher

Windows Server 2012 – Installing Server Manager Roles

For a smooth installation of SAS with .NET 4.6.2 Framework, administrators must install the required Server Manager roles:

  1. Install .NET Framework 3.5 Features.

  2. Install Web Server (IIS) and select additional Role Services using Server Manager Roles and Features, as illustrated in the Internet Information Services Role Services Required section.

  3. Initiate the SAS installer to continue with .NET 4.6.2 Framework installation, followed by SAS installation.

    After .NET installation, a prompt to restart the system is displayed. After the restart, the installation process resumes to complete the SAS installation.

Windows Server 2012 R2 – Installing Microsoft Updates

For a smooth installation of SAS with .NET 4.6.2 Framework, administrators must install the following Microsoft updates:

  1. Install .NET Framework 3.5 Features.

  2. Install Web Server (IIS) and select additional Role Services using Server Manager Roles and Features, as illustrated in the Internet Information Services Role Services Required section.

  3. Install the following Windows updates, in the following order:

    1. Windows8.1-KB2919442-x64.msu (64-bit)

    2. Windows8.1-KB2919355-x64.msu (64-bit)

  4. Initiate the SAS installer to continue with .NET 4.6.2 Framework installation, followed by SAS installation.

    After .NET installation, a prompt to restart the system is displayed. After the restart, the installation process resumes to complete the SAS installation.

Additional Requirements

  • The system administrator installing SAS must have administrative privileges on the local system.

  • If migrating to SAS, refer to the specific SAS migration section.

  • For Push OTP functionality to work, outbound connectivity to the internet is required from SAS PCE, SafeNet Agents, and MobilePASS+ tokens.
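
A preflight check for the two installation procedures and the administrative-privilege requirement above, to run on the target server before starting the SAS installer. This is an added example, not part of the vendor documentation; the function name is hypothetical, and the feature names NET-Framework-Core and Web-Server are assumed to be the standard Windows Server identifiers for the roles the steps name.

```powershell
# Added example: preflight check for the SAS prerequisites described above.
# Test-SasPrerequisite is a hypothetical name, not a SAS or Windows cmdlet.
function Test-SasPrerequisite {
    $checks = [ordered]@{}

    # Additional Requirements: the installing account needs local administrative privileges.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $checks['Running as local administrator'] = $isAdmin

    # Steps 1 and 2: .NET Framework 3.5 Features and the Web Server (IIS) role.
    # Assumption: standard Windows Server feature names.
    foreach ($name in 'NET-Framework-Core', 'Web-Server') {
        $feature = Get-WindowsFeature -Name $name
        $checks["Feature $name installed"] = [bool]($feature -and $feature.Installed)
    }

    # Step 3 applies to Windows Server 2012 R2 only (OS version 6.3).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Version -like '6.3.*') {
        # Checked in the install order the procedure requires.
        foreach ($kb in 'KB2919442', 'KB2919355') {
            $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
            $checks["Update $kb installed"] = [bool]$hotfix
        }
    }

    # Emit one object per check so the result can be filtered or logged.
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
    }
}

$report = Test-SasPrerequisite
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'Resolve the failed checks before running the SAS installer.'
}
```

The IIS role services shown in the Internet Information Services Role Services section are not checked here and still need to be confirmed in Server Manager.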

Internet Information Services Role Services

Windows Server 2012 and Windows Server 2012 R2

To successfully install and run SAS 3.10.1 (and later) on Windows Server 2012 and Windows Server 2012 R2, include the IIS role services as specified in the images below:

IIS Role Services

Windows Server 2016

To successfully install and run SAS 3.10.1 (and later) with .NET 4.8 Framework on Windows Server 2016, include the IIS role services as specified in the image below:

Add Roles and Features Wizard

Windows Server 2019

To successfully install and run SAS 3.10.1 (and later) with .NET 4.8 Framework on Windows Server 2019, include the IIS role services and features as specified in the image below:

Add Roles and Features Wizard

Windows Server 2022

To successfully install and run SAS 3.10.1 (and later) with .NET 4.8 Framework on Windows Server 2022, include the IIS role services and features as specified in the image below:

Add Roles and Features Wizard

System Sizing

The system sizing information is provided as a general guide. It is strongly recommended that you make an assessment of your specific requirements based on your infrastructure setup before implementation.

The information in the table below is based on the following minimum recommended configuration:

  • CPU: Intel® Xeon(R) Processor CPU E5-2650 v2.60GHz (2 core)

  • RAM: 16 GB

  • Primary measurement: Authentications per second

Under stable testing conditions, the average time to complete one authentication successfully is 15 milliseconds. Below are the comparative performance metrics differentiated on various RAM and Processor Core sizes.

The performance tests are performed on a standalone machine without any load balancer or HA setup.

Table 1: SAS-PCE MSSQL Performance Metrics

Total Number of Users | 25000 | 50000 | 100000
Number of Concurrent Users | 3500 | 13000 | 3500 | 12000 | 3500 | 11000
Number of Processor Cores and RAM | 4 Core + 32 GB | 6 Core + 64 GB | 4 Core + 32 GB | 6 Core + 64 GB | 4 Core + 32 GB | 6 Core + 64 GB
Average number of authentications per second | 63.81 | 70.19 | 47.17 | 61.61 | 25.33 | 18.68
Maximum CPU Utilization - Application | 96.87% | 35.6% | 72.69% | 34.76% | 90.88% | 14.05% | 82.72% | 21.34% | 85.2% | 19.1% | 70.74% | 9.89%
Physical Disk
Maximum CPU utilization by MSSQL process | 39.19% | 14.1% | 30.33% | 12.22% | 32.12% | 10.26% | 23.17% | 9.12% | 52.54% | 21.2% | 36.54% | 12.61%
Average network I/O activity | 1 MB/s | 2 MB/s | 630 KB/s | 1 MB/s | 780 KB/s | 553 KB/s

Table 2: SAS-PCE MySQL Performance Metrics

Total Number of Users | 25000 | 50000 | 100000
Number of Concurrent Users | 68 | 80 | 66 | 80 | 67 | 80
Number of Processor Cores and RAM | 4 Core + 32 GB | 6 Core + 64 GB | 4 Core + 32 GB | 6 Core + 64 GB | 4 Core + 32 GB | 6 Core + 64 GB
Average number of authentications per second | 49.82 | 59.94 | 45.50 | 50.56 | 39.94 | 48.56
Maximum CPU Utilization - Application | 93.53% | 35.79% | 90.21% | 32.04% | 89.48% | 32.27% | 93.79% | 27.76% | 87.88% | 24.97% | 92.05% | 29.27%
Physical Disk
Maximum CPU utilization by MySQL process | 40.96% | 18.36% | 31.25% | 14.14% | 41.73% | 18.95% | 32.55% | 13.06% | 43.03% | 17.08% | 31.35% | 13.8%
Average network I/O activity | 477 KB/s | 561 KB/s | 461 KB/s | 459 KB/s | 368 KB/s | 498 KB/s

* Average latency – It is the latency between start and completion of server read/write request on the physical disk, and is measured in milliseconds.
* Throughput – It is the amount of data that the physical disk has received from the server at any given second, and is measured in megabytes.

SafeNet Authentication Service Ports

SAS may require the use of several ports, depending upon the location of external directories, databases, or RADIUS servers. The following is a list of default port values. SAS can be configured to use alternate ports. SSL requires that a valid certificate is installed on the SAS server.

Port (TCP/UDP) | Usage
80/443 | Port 80 and/or 443 can be used for management sessions, provisioning, self-enrollment, self-service, and for servicing of encrypted authentication requests from configured agents. For security purposes, port 443 (SSL) is recommended.
1812/1813 | Ports 1812/1813 are standard ports for RADIUS authentication and RADIUS accounting respectively.
389/636 | Ports 389/636 are standard ports for LDAP and LDAPS connections respectively. For security purposes, port 636 (SSL) is recommended.
5432 | The port number for connection to the default PostgreSQL database.
1433 | The default port number for connection to an MS SQL database.
25 | The default port for SMTP email.
8456 | The default port number for LDAP synchronization traffic to/from SAS and LDAP.
8458 (Inbound) | The default incoming port number for the Logging Agent.
8459 (Outbound) | The default outgoing port number for the Logging Agent.
11012 | The default port for communication between SAS and SAS HA Controller Service.

SAS Synchronization Agent Ports

  • TCP Port 8456 – Incoming on the SAS server

  • TCP Port 389

  • TCP Port 636 (optional) – Outgoing from the SAS Synchronization Agent

SAS Logging Agent Ports

  • Agent -> SAS TCP Port 8459

  • SAS -> Agent TCP Port 8458

  • Agent -> Syslog UDP Port 514

FreeRadius Agent Ports

  • 1812

  • 1813
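
The inbound side of the port lists above, expressed as scoped Windows Firewall rules for the SAS server, followed by a review of anything still allowing port 80. This is an added example, not vendor configuration; the rule group name and the source addresses (documentation ranges) are placeholders, and only ports whose direction the page states as incoming on the SAS server are included.

```powershell
# Added example: scoped inbound rules for the SAS server (run in an elevated session).
# Placeholders, not from the page: the group name and the source ranges
# (RFC 5737 documentation addresses). Replace them with the real admin/agent networks.
$group = 'SAS PCE (example)'

$inbound = @(
    @{ Name = 'SAS HTTPS - management, self-service, agents'; Port = 443;  From = '192.0.2.0/24' }
    @{ Name = 'SAS Synchronization Agent to SAS';             Port = 8456; From = '198.51.100.10' }
    @{ Name = 'SAS Logging Agent to SAS';                     Port = 8459; From = '198.51.100.20' }
)

foreach ($rule in $inbound) {
    # One allow rule per port, limited to the hosts that need to reach it.
    New-NetFirewallRule -DisplayName $rule.Name -Group $group `
        -Direction Inbound -Protocol TCP -LocalPort $rule.Port `
        -RemoteAddress $rule.From -Action Allow | Out-Null
}

# The page recommends 443 (SSL) over 80. List every enabled inbound allow rule
# that still exposes TCP 80 so it can be reviewed and disabled.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '80' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile

# Confirm what was created.
Get-NetFirewallRule -Group $group | Select-Object DisplayName, Enabled, Direction, Action
```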

Virtualization

SAS is designed for virtualization and has been extensively tested with VMWare®.

Internal Database

The internal database contains all system configuration, application and policy data, token information, and history and activity information used by SAS. User-specific information, such as user IDs and coordinates, is also stored in the database (possibly synchronized from an original user source).

Where LDAP/AD integration is configured, the unique GUID property of the LDAP user account is stored in the database, providing a consistent link between the user’s LDAP account and tokens associated with the user in SAS. The UserID is stored with authentication activity for reporting purposes. This allows SAS to provide audit trails and authentication activity reports even after a user (and therefore the GUID) has been deleted from LDAP.

The database can be installed on the machine hosting SAS, on a separate machine, or as a cluster. Every SAS implementation can be configured for a primary database instance with failover to an alternate instance. In addition, multiple SAS servers can use the same database.

LDAP External User Sources

SAS supports the use of one or more LDAP directories for the user, account status, and group membership data. Each LDAP must be configured for a specific Virtual Server. Alternatively, an LDAP forest can be connected to one Virtual Server if needed. When there are multiple domains within one Virtual Server, SAS must be able to read the LDAP forest via the Global Catalog Server (port 3268), and all domains in a forest must be fully trusted (AD only).

Supported Browsers

A browser is the standard interface for use with SAS or components such as self-enrollment or user self-service.

The following browsers are supported:

  • Microsoft Edge Chromium

  • Chrome™

  • Firefox®

  • Safari 5 and later on iOS

  • Safari 10.1 and later on Mac OS

Certain functions may require ActiveX controls and/or JavaScript.

Maintaining Accurate Time Settings

SAS operation and authentication services are not dependent on accurate time settings. However, it is recommended to maintain accurate time to enable reliable and consistent reporting and audit trails. In some cases, SAS licensing may restrict certain functions based on dates or date ranges. Modifying the server date after license installation may cause these functions to become unavailable.

It is recommended that the SAS time is set to the local time zone and that the server time is UTC coordinated.

Installation Types

An SAS site is defined as an instance of the SAS authentication engine. The number of sites and configuration options are determined by licensing, redundancy, and performance requirements. Assuming that SAS is installed on the recommended hardware, the factor that has the largest bearing on performance is the database I/O, primarily determined by the amount and frequency by which authentication history is written. In most cases, it is acceptable to have SAS and the database installed on the same server.

The scenarios described in the following sections are provided as guidelines and examples. Many different configurations are possible. For example, it is perfectly acceptable to install the database, enrollment, self-service, and directory components on separate computers.

In the following diagrams, “site” refers to an SAS instance that connects to the same database or database cluster. This can be at the same physical location or spread across different data centers.

Small Deployments

You may choose to install all SAS components on a single server, with a secondary instance providing redundancy and failover.

Small Deployments with Failover

You may choose to install all SAS components on a single server, with a secondary instance providing redundancy and failover.

Small Deployments with Failover and Site Specific Database

Authentication and management functions can be distributed across sites if necessary. SAS agents can failover to the alternate site. The connections between LDAP and SAS can be local or remote. If there is a primary and secondary LDAP server, each SAS instance would typically be configured for LDAP failover.

Medium Deployments

Medium site deployments are typically required for organizations with dedicated LDAP, web, and RADIUS servers.

Medium Deployments with Failover

Medium Deployments with Failover and Site Specific Database

Large Deployments

For sites requiring support for up to 250,000 users and several hundred authentications per second, a database cluster fronted by multiple SAS sites is recommended.

Large Deployments with Failover

If your MySQL replication setup is not working, you can view some troubleshooting techniques by clicking here.