Prepare database

SafeNet Authentication Service supports the following databases:

• PostgreSQL

• MS SQL

• MySQL

Prepare PostgreSQL database

PostgreSQL should be used only for test and proof-of-concept installations. It is not supported in HA configurations. For details, refer to Step 1 – Configuring Database in Configuring SafeNet Authentication Service section.

The default password to connect to the PostgreSQL database is 'Password$' (without quotes).

To prevent login issues on the SAS Console, ensure that the timezone provided in the postgresql.conf file matches the system time. Path to default file: C:\Program Files\PostgreSQL\9.6\data\postgresql.conf

Prepare MS SQL database

For replication, an active/active (multi-primary) configuration needs to be deployed. On MS SQL, this is transactional peer-to-peer replication. For details, refer to Step 1 – Configuring Database in Configuring SafeNet Authentication Service section.

Also, refer to the Microsoft documentation.

The MS SQL database needs to have TCP/IP enabled, and SQL port set to 1433.

The MS SQL database is recommended to be used with the Latin type collation.

If you have AOAG (Always On Availability Group) configured for MS SQL, then follow the Microsoft recommendations for upgrading your AOAG configuration, or refer to the following section to setup AOAG configuration. To upgrade SAS, please follow instructions as documented in the Upgrade section.

SAS supports peer-to-peer replication. To configure the replication, refer to (https://docs.microsoft.com/en-us/sql/relational-databases/replication/transactional/peer-to-peer-transactional-replication?view=sql-server-ver15)
Disclaimer:
• Thales Group does not directly support MSSQL 2012.
• Customer DBA is responsible for the setup.
• Support can only help in a best effort approach.

To enhance the SQL DB security, SAS supports Extended Protection and Force Encryption feature available in MS SQL Server Database.

Set up MS SQL with Windows Domain User

When configuring MS SQL with SAS server, using Windows Domain user, ensure that the connection is established with the trusted domain.

For example, if Domain A trusts Domain B and Domain B trusts Domain C, then users from Domain C can access resources in Domain A.

For the detailed information for setting up a trust relationship, refer to the Microsoft Support website.

The Windows domain user used for making a connection with SAS should have the System Admin Role in SQL server. This is also applicable for all the Failover servers.

Configure Database Settings in SafeNet Authentication Service

1. Log in to SafeNet Authentication Service system level as an administrator.

2. Click the SYSTEM tab. Then, under the Database module, click the SQL Database link.

3. In the Provider field, select MS SQL, and click Next.

4. Complete the following fields, and click Next:

   Host	Enter the IP address of the MS SQL server.
   Database	Enter the name of the MS SQL database that is to be created.
   User Name	Enter the user name to be used by SAS to connect to the primary MS SQL database. For Windows domain user, provide the Windows user credentials. For example, domain\username.
   Password	Enter the password associated with the user name.
   SSL Encryption	Select the checkbox to enable the SSL communication with the SQL server.
   Windows Authentication	Select the checkbox to enable the SQL Windows Authentication.

   

Set up MySQL database

You can configure MySQL database with or without High Availability (HA). The detailed information on setting up MySQL database with HA is given below.

Achieving high availability on database level is essential for maintaining application availability. Databases are the center of today's enterprise and web applications. Just minutes of downtime can often result in significant amounts of revenue loss and unsatisfied customers. Making database highly available is, therefore, a top priority for all organizations.

MySQL is used with many applications demanding availability and scalability. Availability refers to the ability to cope with, and if necessary recover from, failures on the host, including failures of MySQL, the operating system, or the hardware.

High Availability solution

The MySQL HA solution supported with SafeNet Authentication Service is MySQL Primary-Secondary Replication. MySQL Replication is the most popular and cost-effective HA solution.

MySQL replication

Replication enables data from one MySQL database server (the primary) to be copied to one or more MySQL secondary servers. The supported replication mode is Asynchronous; secondary do not need to be connected permanently to receive updates from the primary. The process of replication is not immediate and there might be some delay due to network latency.

A server involved in a replication setup has one of following roles:

• Primary: Primary MySQL server writes all transactions that change data to a binary log

• Secondary: Secondary MySQL server connects to a primary (on start), downloads the transactions from the primary's binary log, and applies them to the local server

Binary logs are files that contain details of every transaction that the MySQL server has executed. Secondary servers contact their primary to retrieve newer bits of the binary log, and apply the changes to their local database.

Consider a primary-secondary setup where a primary is connected with one secondary from the local network and one secondary via a VPN over the Internet.

A setup such as this results in the two secondary servers having slightly different data. The locally attached secondary may be more up to date, because of added latency and bandwidth restrictions over the VPN connection.

If your MySQL replication setup is not working, you can view some troubleshooting techniques, by clicking here.

In a MySQL HA setup with one or more SAS servers, sometimes due to known MySQL issue, an error comes up which says "Could not execute Write_rows event on table" and the status of that machine is shown as online, not replicating on the SAS console.

Say, we install and configure one SAS server (SAS1) with MySQL in HA mode (1 master, 2 slaves), then go to HA Management in the SAS Console, the status for all machines shows as Online, replicating. Now we install and configure another SAS server (SAS2) and then import SAS1 to SAS2. Now, when in HA management in the SAS Console, the status of the master shows as Online, not replicating with an error saying "Could not execute Write_rows event on table".

The slave syncs its data from the master's binlog and saves the position up to where it has read data from master. If the slave remains offline for some time, then it will resume from that saved position only (independent of if master is changed during this duration). So there is no need to do Promote to Slave in this case it will automatically join back.

A slave comes back from its offline state automatically when the database schema of the master has not changed while the slave was offline.

If the database schema has changed and the slave does not start replicating automatically, perform the following steps:

1. Export data from the Primary machine.

2. Remove existing schema from the Secondary machines.

3. Import SQL file (exported from the Primary) in the Secondary machines.

4. Configure the database.

5. Go to HA Management section in the SAS Console and manually promote to master for it to show as Online, replicating.

In the case where we manually take a server out of the replication ring, the SAS administrator is required to go the SAS Console and manually promote to master for it to show as Online, replicating.

MySQL has also provided some recommendations to keep in mind while configuring to ensure that replication does not break in such cases.

SAS High Availability Controller Service

SAS HA Controller Service is responsible for setting up and managing MySQL replication. It configures MySQL servers in primary-secondary mode. It also makes sure database is highly available to SAS.

If the primary MySQL server is not accessible to SAS, after trying 5 times to connect to the primary MySQL server the SAS HA Controller Service promotes an appropriate secondary MySQL server as a new primary.

Deployment scenario

Small-sized deployments

Scenario 1:
Server 1 (Primary MySQL DB),
Server 2 (SAS, HA Service, and Secondary MySQL DB)

Scenario 2:
Server 1 (SAS and Primary MySQL DB),
Server 2 (SAS, HA Service, and Secondary MySQL DB)

Medium-sized deployments

Scenario 1:
Server 1 (SAS and Primary MySQL DB),
Server 2 (Secondary MySQL DB)
Server 3 (SAS, HA Service, and Secondary MySQL DB)

Scenario 2:
Server 1 (SAS and Primary MySQL DB), Server 2 (SAS, HA Service, and Secondary MySQL DB)
Server 3 (SAS and Secondary MySQL DB)

Only one SAS HA Controller Service (High Availability service) should be up and running for an SAS MySQL HA installation. Also, on the server where SAS HA Controller Service is active, you need to set the firewall rule in a way such that other SAS instances can access it.

In both the small-sized and medium-sized deployment scenarios illustrated below, notice the following:

• All SAS instances on different servers interact only with the primary database to perform authentication.

• All the changes done to the primary database are replicated to all the secondary databases.

• All SAS instances on different servers are aware of all the secondary databases. When any of the secondary databases is promoted as a primary database, all SAS instances now interact with the new primary database to perform authentication.

• All SAS instances without the HA Controller Service are connected to the SAS instance with the HA Controller Service. This is required for many purposes. For example, if there is a new primary database, all SAS instances now must be informed about it so that they can perform authentication. The intimation about the new primary database is done by the HA Controller Service.

In both small-sized and medium-sized deployment scenarios, ensure that the SAS HA Controller Service is not hosted on the same server as primary DB. This is due to the fact that when the server hosting primary DB goes down, the HA server should be up and running on the other machine so that it can act in time and initiate to promote a secondary as the new primary. In case of two secondary databases, the secondary with the most recent updates will be promoted as the new primary.

Set up Highly Available MS SQL Database on Windows

Prerequisite:

Enable TCP/IP Configuration in SQL Server Network Configuration.

Steps:

1. Verify if Always On High Availability is available on all the nodes. If not, see failover cluster configuration.

2. Ensure the MS SQL Server Enterprise Edition is installed.

   

3. Select Enable Always On Availability Groups, if not already selected.

   

4. Ensure the Full Recovery Model is set for the selected database.

   

5. Take Full backup of the database.

   

6. Select New Availability Group Wizard.

   

7. The New Availability Group wizard starts.

   

8. Provide an availability group name. This is the hostname to connect later on.

   

9. Select the database(s). Perform actions as indicated in the Status column.

   

10. Add all replicas (in case of any issues, turn off the firewall).

    

    

11. Check all Endpoints, note that firewalls should not block the used ports.

    

12. Configure backup preferences.

    

13. Specify a listener. This is the IP address used for the database connection (Do not use the cluster failover IP).

    

14. Go to Select Initial Data Synchronization. If you are starting with an empty database on the new cluster nodes select Full database and log backup so that all nodes are brought in a sync.

    

15. Check that validation passes.

    

16. Review the summary.

    

17. Check the progress.

    

18. Check that replicas are now available.

    

19. Connect to the AG Listener configured in step 6 & 11.

    

Troubleshoot for AOAG (failover cluster)

In case, one of the nodes are not synchronizing in MS SQL, even when SQL Server is up and running, and shows critical errors or warnings (as shown below):

This error occurs when the node is unstable while making connections. So the failover cluster does not allow the node to be available to availability groups/cluster so as to protect the cluster's availability. This could also cause the node to go under quarantine in Failover Cluster Manager.

To allow the node back into the cluster and to the synchronizing state, follow the below steps:

1. Go to the Failover Cluster Manager.

   

2. Select Roles.

   

3. Select Properties, then Failover tab.

   

4. Select the appropriate maximum failures in the particular time period (hours) and click OK.
   Refresh the Dashboard and verify it is working.

   

Set up highly available MySQL database on Windows

If a setup is running a primary-secondary configuration and a new secondary needs to be entered later, the whole setup can be done again.

Prepare MySQL servers

It is assumed that one primary and two secondary MySQL database servers will be on separate machines, and the MySQL database server is installed on each of these machines.

On each of the MySQL server, perform the following steps:

1. From the Windows Services application, stop the MySQL service.

2. From %ProgramData%\MySQL\MySQL Server <version>\, open the my.ini file and add the below lines:

   ######### START ##########
binlog-format=ROW
log-slave-updates=true
enforce-gtid-consistency=true
gtid-mode=on
#disable-gtid-unsafe-statements=true # Use enforce-gtid-consistency from 5.6.9+
master-info-repository=TABLE
relay-log-info-repository=TABLE
sync-master-info=1
#datadir=/home/billy/mysql/data1
server-id=100
log-bin=utilBINLog-bin.log
relay-log=RELAYLog.log
report-host=10.164.44.246
binlog-do-db= BlackShield
replicate-do-db= BlackShield
########## End ##########

   Specify the values for the following parameters:

   server-id: It is already specified in the my.ini file. You need to specify your own server IDs. Each server in replication must have a unique server ID.

   log-bin: Name of a file that will be used as a log file.

   relay-log: Name of the file that will be used as a relay log file.

   report-host: IP address of the machine where the my.ini file exists.

   binlog-do-db: Name of the database for which bin log is to be created.

   replicate-do-db: Name of the database that is to be replicated (here, replicate-do-db and binlog-do-db are same).

3. From %ProgramData%\MySQL\MySQL Server <version>\Data, delete the auto.cnf file. This will result in generating a unique GTID for the MySQL server.
   All MySQL servers in replication must have a unique GTID.

4. From the Windows Services application, start the MySQL service.

5. Ensure that the SAS database user is created on all the MySQL servers. If not created yet, run the following SQL commands on all the MySQL servers.
   CREATE USER 'SAS DB User'@'IP address of the SAS server' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'SAS DB User'@'IP address of the SAS server';

6. Now you need to create a replication user on all the MySQL database servers. This replication user will be responsible for communication between primary and secondary MySQL database servers. Note that username must NOT be same as you provided for the SAS database user in the previous step.

   Note

   • On all the MySQL servers, a MySQL user (termed as replication user) is required. This user must have the replication privileges and access to the mysql.users table.
   • Each secondary MySQL database requires a MySQL user to connect to the primary MySQL database. So if you have three MySQL databases (one primary and two secondary) on separate machines then each database requires MySQL users associated with the other two machines. The user name and password of must be same as the replication user.

   On the primary MySQL database server, run the following SQL commands.

   CREATE USER 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' IDENTIFIED BY 'password';
   

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' WITH GRANT OPTION;
   

   CREATE USER 'ReplicationUser'@'IP address of the first secondary MySQL server' IDENTIFIED BY 'password';
   

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the first secondary MySQL server';
   

   CREATE USER 'ReplicationUser'@'IP address of the second secondary MySQL server' IDENTIFIED BY 'password';
   

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the second secondary MySQL server';

7. On the first secondary MySQL database server, run the following SQL commands. Note that username and password must be same as you provided in the previous step.

   CREATE USER 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' IDENTIFIED BY 'password';
   

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' WITH GRANT OPTION;
   

   CREATE USER 'ReplicationUser'@'IP address of the primary MySQL server ' IDENTIFIED BY 'password';
   

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the primary MySQL server';
   

   CREATE USER 'ReplicationUser'@'IP address of the second secondary MySQL server' IDENTIFIED BY 'password';
   

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the second secondary MySQL server';

8. On the second secondary MySQL database server, run the following SQL commands. Note that username and password must be same as you provided in the previous step.

   CREATE USER 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' IDENTIFIED BY 'password';
   

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' WITH GRANT OPTION;
   

   CREATE USER 'ReplicationUser'@'IP address of the primary MySQL server' IDENTIFIED BY 'password';
   

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the primary MySQL server';
   

   CREATE USER 'ReplicationUser'@'IP address of the first secondary MySQL server ' IDENTIFIED BY 'password';
   

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the first secondary MySQL server';

Set up highly available MySQL database on Linux

Perform the following steps to set up MySQL HA with Linux environment:

1. Using the Terminal, stop the MySQL service by running the following command:
   ]# service mysqld stop

2. Open the /etc/my.cnf file and add the below lines within [mysqld]:

   ######### START ##########
binlog-format=ROW
log-slave-updates=trueenforce-
gtid-consistency=truegtid-mode=on
#disable-gtid-unsafe-statements=true # Use enforce-gtid-consistency from 5.6.9+
master-info-repository=TABLE
relay-log-info-repository=TABLE
sync-master-info=1#
datadir=/home/billy/mysql/data1
server-id=100
log_bin=/var/lib/mysql/mysql-bin.log#
relay-log=RELAYLog.log
report-host=10.164.44.246
binlog_do_db= BlackShield
replicate_do_db= BlackShield
report-port=3306
########## End ##########

   Specify the values for the following parameters:

   server-id: It is already specified in the my.ini file. You need to specify your own server IDs. Each server in replication must have a unique server ID.

   log_bin: Name of a file that will be used as a log file.

   relay-log: Name of the file that will be used as a relay log file.

   report-host: IP address of the machine where the my.ini file exists.

   binlog_do_db: Name of the database for which bin log is to be created.

   replicate_do_db: Name of the database that is to be replicated (here, replicate_do_db and binlog_do_db are same).

3. Delete the auto.cnf file available at the following location:
   /var/lib/mysql
   This will result in generation of a unique GTID for the MySQL server. All MySQL servers that are in replication must have a unique GTID.

4. Using the Terminal, start the MySQL service by running the following command:
   ]# service mysqld start

5. Ensure that the SAS database user is created on all the MySQL servers. If not created yet, run the following SQL commands on all the MySQL servers.
   CREATE USER 'SAS DB User'@'IP address of the SAS server' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'SAS DB User'@'IP address of the SAS server';

6. Now you need to create a replication user on all the MySQL database servers. This replication user will be responsible for communication between primary and secondary MySQL database servers. Note that username must NOT be same as you provided for the SAS database user in the previous step.

   Note

   • On all the MySQL servers, a MySQL user (termed as replication user) is required. This user must have the replication privileges and access to the mysql.users table.
   • Each secondary MySQL database requires a MySQL user to connect to the primary MySQL database. So if you have three MySQL databases (one primary and two secondary) on separate machines then each database requires MySQL users associated with the other two machines. The user name and password of must be same as the replication user.

   On the primary MySQL database server, run the following SQL commands.

   CREATE USER 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' IDENTIFIED BY 'password';

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' WITH GRANT OPTION;

   CREATE USER 'ReplicationUser'@'IP address of the first secondary MySQL server' IDENTIFIED BY 'password';

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the first secondary MySQL server';

   CREATE USER 'ReplicationUser'@'IP address of the second secondary MySQL server' IDENTIFIED BY 'password';

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the second secondary MySQL server';

7. On the first secondary MySQL database server, run the following SQL commands. Note that username and password must be same as you provided in the previous step.

   CREATE USER 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' IDENTIFIED BY 'password';

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' WITH GRANT OPTION;

   CREATE USER 'ReplicationUser'@'IP address of the primary MySQL server ' IDENTIFIED BY 'password';

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the primary MySQL server';

   CREATE USER 'ReplicationUser'@'IP address of the second secondary MySQL server' IDENTIFIED BY 'password';

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the second secondary MySQL server';

8. On the second secondary MySQL database server, run the following SQL commands. Note that username and password must be same as you provided in the previous step.

   CREATE USER 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' IDENTIFIED BY 'password';

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the machine where SAS HA Controller service is hosted' WITH GRANT OPTION;

   CREATE USER 'ReplicationUser'@'IP address of the primary MySQL server' IDENTIFIED BY 'password';

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the primary MySQL server';

   CREATE USER 'ReplicationUser'@'IP address of the first secondary MySQL server ' IDENTIFIED BY 'password';

   GRANT ALL PRIVILEGES ON *.* TO 'ReplicationUser'@'IP address of the first secondary MySQL server';

   The procedure help is provided to support SAS setup with MySQL HA on Linux (machines) and should primarily be managed by customer's database administrators. Since Linux is not an officially supported operating system with SAS, best effort support can be provided from the application end, in case of any issues.

Configure database settings in SafeNet Authentication Service

Ensure that in the registry HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\BlackShield ID\DAL\HA Service\HAModeEnable key is set to FALSE.

1. Log in to SafeNet Authentication Service system level as an administrator.

2. Click the SYSTEM tab. Then, under the Database module, click the SQL Database link.

   

3. In the Provider field, select MySQL, and click Next.

   Note

   • For PostgreSQL database, ensure that the default port is set to 5432.
   • To connect MySQL database, you will require MySQL Connector. If it is already not installed on your system, the following screen (with a download link and installation steps) is displayed. During installation, ensure that you choose either Typical or Complete installation.

   

   If any version of the MySQL Connector is already installed, you have to manually remove it before installing MySQL Connector 8.0.32. On installing the MySQL Connector, the Administrator will be logged out of the application, and will have to login again to complete the rest of the configurations.

4. Complete the following fields, and click Next.

   Server 2	Enter the IP address of the first secondary MySQL server.
   Server 3	Enter the IP address of the second secondary MySQL server.
   HA Mode	Select SAS Managed (Master-Slave) option.

   The SafeNet Authentication Service will use the same credentials given in the previous step to connect to the secondary MySQL servers.

   

5. Complete the following fields, and click Next:

   HA Service IP	Enter the IP address of the machine where SAS HA Controller Service is installed.
   HA Service Port	Enter the port number on which SAS HA Controller Service is listening.
   User	Enter the name of the user that will be used by SAS HA Controller Service for replication setup.
   Password	Enter the password associated with the user.

   

   Generally, the machine where SAS HA Controller Service is installed is the primary SAS server. While adding additional SAS sites, when you export and import the primary SAS server, the information regarding the MySQL HA Service URL is also copied.

6. A success message is displayed. Click Next.

   

7. Database configuration is complete. Click Done.

   

Automatic switching Primaries During Failover

When the primary MySQL database becomes unavailable, one of the secondary MySQL databases (the one that is most updated) is automatically promoted to primary. You need to manually troubleshoot the previous primary database. Once it is online, you can add it as a secondary (see Promoting MySQL Server to Secondary).

If the MySQL server is in the Online, Non-Replicating status and you want to add it to the replication topology, you need to promote it to secondary.

1. Click the SYSTEM tab. In the Database module, click the HA Management link. The details of the primary and secondary databases are displayed.
   
2. This secondary MySQL server will now be shown as online but not replicating. Click the Promote to Slave link for this server.

Administration activities

The administration activities that you can perform are detailed in the sections below.

Promote secondary MySQL server to primary

Due to any reason (for example, to use upgraded hardware for high performance), you may require promoting any of the secondary MySQL servers to primary.

Log in to SafeNet Authentication Service system level as an administrator.

1. Click the SYSTEM tab. In the Database module, click the HA Management link.
   The details of the primary and secondary databases are displayed.

2. To promote any of the secondary MySQL Servers to a primary, click the respective Promote to Master link.
   If a secondary MySQL server that you are trying to promote to primary is not up to date, a message is displayed and promoting to primary activity is discarded.

Promote MySQL server to secondary

If the MySQL server is in the Online, Non-Replicating status and you want to add it to the replication topology, you need to promote it to secondary.

1. Click the SYSTEM tab. In the Database module, click the HA Management link. The details of the primary and secondary databases are displayed.

2. This secondary MySQL server will now be shown as online but not replicating. Click the Promote to Slave link for this server.

Add secondary MySQL server

If you want to add a secondary MySQL server, you need to do the following:

1. In the registry, set HAModeEnable to False.

2. Turn off all services of SAS.

3. On the primary MySQL database, run this command. Then, copy the value and keep it for later use.
   show global variables like 'gtid_executed';

4. In the MySQL workbench, set the following parameter to OFF.
   set-gtid-purged – Add ‘SET @@GLOBAL.GTID_PURGED’ to the output

5. Export the primary MySQL database.

6. On the existing secondary MySQL server, delete the MySQL database. Then, run stop slave command on this MySQL server.

7. Ensure that the my.ini file settings on both the secondary servers are correct, and DB and replication users are properly created. For more information, refer to Preparing MySQL Servers.

8. Create a database with the same name as a primary database on both the MySQL servers to be added as a secondary server.

9. On both the secondary MySQL servers, import the primary MySQL database you exported earlier.

10. Run the RESET MASTER command on both the secondary servers.

11. Run the following command on both the secondary servers after replacing gtid_executed_value with the value you copied in step 3:
    set global GTID_PURGED=’gtid_executed_value’;

12. Configure database settings in SafeNet Authentication Service. For more details, refer to Configuring Database Settings in SafeNet Authentication Service.

13. Turn on all services of SAS.

Remove secondary MySQL server

If you want to remove a secondary MySQL server, you need to do the following:

1. In the registry, set HAModeEnable to False.

2. Turn off all services of SAS.

3. Configure database settings in SafeNet Authentication Service. For more details, refer to Configuring Database Settings in SafeNet Authentication Service

4. Turn on all services of SAS.

Set up FreeRADIUS API

In case of a fresh SAS installation with MySQL database, RADIUS API may encounter an issue with MySQL database (MySQL EF6 DLL in GAC missing). The issue is encountered if the MySQL Connector version is 8.0.32.

Ensure that the following steps are already performed:

After installing SAS, install MySQL 8.0.32 Connector. Configure SAS with MySQL database using the following steps.

This setting is also required to setup Agent Communication for specific SafeNet agents, such as the SAS Agent for FreeRADIUS.

For Windows Server 2008 R2 SP1

1. Copy the following text in a text file and save the file in the .ps1 file format:
   $config_text = @"
<?xml version="1.0"?>
<configuration>
<startup useLegacyV2RuntimeActivationPolicy="true">
<supportedRuntime version="v4.0.30319"/>
<supportedRuntime version="v2.0.50727"/>
</startup>
</configuration>
"@
$config_text| Out-File $pshome\powershell.exe.config
$config_text| Out-File $pshome\powershell_ise.exe.config
   

2. Save it and rename the file extension to .ps1.

3. Run as Administrator in the PowerShell.

For Windows Server 2008 R2 SP1, the administrator also needs to follow the steps in the For Windows Server 2012, 2012 R2, 2016 and 2022 section.

For Windows Server 2012, 2012 R2, 2016 and 2022

1. Copy the following text in a text file and save the file in the .ps1 file format:
   #Note that you should be running PowerShell as an Administrator
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("C:\Program Files (x86)\MySQL\MySQL Connector Net
8.0.32\Assemblies\v4.5.2\MySql.Data.Entity.EF6.dll")
# If installing into the GAC on a server hosting web applications in IIS, you need to restart IIS for the #applications to pick up the change.
iisreset

2. Run the .ps1 file, as an Administrator in the PowerShell.

3. Reset IIS.

Points to remember

• Default location:
  System Directory:\Program Files (x86)\MySQL\MySQL Connector Net 8.0.32\Assemblies\v4.5.2
• If someone changes the directory location while installing the MySQL Connector, the above path also needs to be updated in the script.
• Open the PowerShell script and change the path to where your DLL resides.

Setting up MS SQL database

You can configure MS SQL database with or without high availability. MS SQL is used with many applications demanding availability and scalability. If you need to work with AlwaysOn Availability Groups in MS SQL, follow the steps to configure and set it up with the SAS solution.

While configuring SAS using AOAG in MS SQL, ensure to enter the listener name in the Host field.

The procedure’s help reference is provided to support SAS setup with the respective HA model and should primarily be managed by customer's database administrators. Best effort support can be provided from the application end in case of any issues.

Troubleshooting

For Hardware Failures of Machine Hosting MySQL Server / Secondary out of Replication

1. Turn off all services of SAS.

2. On the primary MySQL database, run this command. Then, copy the value and keep it for later use.
   show global variables like 'gtid_executed';

3. In the MySQL workbench, set the following parameter to OFF.
   set-gtid-purged – Add ‘SET @@GLOBAL.GTID_PURGED’ to the output

4. Export the primary MySQL database.

5. Rectify the hardware problem of the machine or get a new machine. Make sure the machine IP address is same as earlier.

6. Ensure that the my.ini file settings on the secondary machine are correct, and DB and replication users are properly created. For more information, refer Preparing MySQL Servers.

7. During report generation, if the following error message is displayed:
   *SQL ExecuteNonQuery Failed to Execute due to following error: Packets larger than max_allowed_packet are not allowed.-2147467259*
   Make the following edit: For MS SQL
   Go to Database -> Properties -> Advanced -> Max Text Replication Size = -1.
   For My SQL
   Go to C:\ProgramData\MySQL\MySQL Server <version>\my.ini
   Set max_allowed_packet in my.ini file to 1073741824.

8. Start secondary servers with the skip_slave_start option.

9. Create a database with the same name as the primary database.

10. Import the primary MySQL database you exported earlier.

11. Run the RESET MASTER command on the secondary server.

12. Run the following command on the secondary server after replacing gtid_executed_value with the value you copied earlier:
    set global GTID_PURGED=’gtid_executed_value’;

13. Turn on all services of SAS.

14. Using the HA Management User Interface (UI) in SafeNet Authentication Service, promote this machine as a secondary. For more details, refer Promoting MySQL Server to Secondary.

15. If the MySQL server is in the Online, Non-Replicating status and you want to add it to the replication topology, you need to promote it to secondary.

16. Click the SYSTEM tab. In the Database module, click the HA Management link. The details of the primary and secondary databases are displayed.

17. This secondary MySQL server will now be shown as online but not replicating. Click the Promote to Slave link for this server.

    • If you have 1 primary and 2 secondary MySQL servers. Both the secondary MySQL servers are out of replication: Add both the secondary MySQL servers in the replication topology.
      Refer Adding Secondary MySQL Server.

    • If you have 1 primary and 2 secondary MySQL servers. Now, one secondary server is replicating and the other secondary server is out of replication.

18. On the replicating secondary MySQL server, perform the following steps:

    1. Run the stop slave command.

    2. Run the following command, and then copy the value and keep it for later use:
       show global variables like 'gtid_executed'.

    3. In the MySQL workbench, set the following parameter to OFF.
       set-gtid-purged – Add ‘SET @@GLOBAL.GTID_PURGED’ to the output.

    4. Export MySQL database.

    5. Run the start slave command.

19. On the non-replicating secondary MySQL server, perform the following steps:

    1. Run the stop slave command.

    2. Delete the existing database.

    3. Create a database with the same name as the previous database.

    4. Import the MySQL database you exported.

    5. Run the RESET MASTER command on MySQL server. Run the following command on this MySQL server after replacing gtid_executed_value with the value you copied:
       set global GTID_PURGED=’gtid_executed_value’;

20. Using the HA Management UI in SafeNet Authentication Service, promote this machine as a secondary. For more details, refer Promoting MySQL Server to Secondary.

21. If the MySQL server is in the Online, Non-Replicating status and you want to add it to the replication topology, you need to promote it to secondary.

    1. Click the SYSTEM tab. In the Database module, click the HA Management link. The details of the primary and secondary databases are displayed.
       

       This secondary MySQL server will now be shown as online but not replicating. Click the Promote to Slave link for this server.

22. When all the machines (SAS, SAS HA Controller Service, and all MySQL servers in the replicating topology) are powered off:

    1. Power on the primary MySQL machine and make sure that the MySQL service is started.

    2. Power on rest of the MySQL machines (secondary machines) and start the MySQL service on these machines.

    3. Start the SAS HA Controller Service, if it is installed on the machine other than the SAS server.

    4. Start the SAS server.

23. In the HA Management user interface, if the secondary servers are shown as online but not replicating, click the Promote to Slave link for these servers.

Restore SAS server

This section describes the steps required to migrate and restore a SAS server from one environment to the other. This includes migrating a SAS server from one operating system environment (e.g., Windows Server 2012) to a different environment (e.g., Windows Server 2016).

SAS server backup

• Cipher Key export

• SAS database backup

• SAS license backup

• SAS installer(s) backup

Exporting Cipher Key

Perform the following steps to export the Cipher key:

1. Open the command prompt and run the command to open the SAS CipherExport tool (CipherExport.exe) that is located in the SAS Server installation directory, <InstallationDrive>:\Program Files\CRYPTOCard\Blackshield ID\CipherExport

2. Run the following export command:
   CipherExport.exe export cipher-export.txt

   

   The command creates the cipher-export.txt file (in the same directory, where the CipherExport.exe tool is located) and an Export File Key.

   

3. Copy the Export File Key and paste it in a .txt file and save the file (for example, ExportFileKey.txt).

4. Place the text files (cipher-export.txt and ExportFileKey.txt) at a secured location as these files are required while restoring the SAS Server.

   You need to run the SAS CipherExport tool on all the SAS servers.

SAS Database Backup

For database backup, you need to stop the following services before initiating the database process.

• IIS Admin

• World Wide Web

• all SAS Services

For backup steps related to PostGreSQL, MySQL, and MSSQL databases, refer to the documentation provided by the respective database vendor.

SAS License Backup

Save the SAS license file and the Activation key at a secured location.

SAS Installer(s) Backup

Take a backup of the SAS installation files.

SAS Server Restore

• SAS installation

• Cipher Key import

SAS Installation

As per the requirement, install the same version SAS again to ensure that it can connect to the database(s) without any issue.

Importing Cipher Key

Perform the following steps to import the Cipher key:

1. Open the command prompt and run the command to open the SAS CipherExport tool (CipherExport.exe) that is located in the SAS Server installation directory, <InstallationDrive>:\Program Files\CRYPTOCard\Blackshield ID\CipherExport

2. Copy the cipher-export.txt file.

3. On the system where you want to restore SAS, paste the cipher-export.txt file at the same location where the CipherExport.exe tool is located.

4. Run the following import command:

   CipherExport.exe import ‘cipher-export.txt’ ‘Export File Key value’

   where, cipher-export.txt file and Export File Key value were created while exporting the Cipher key.

   After the successful execution of the import command, the Cipher Imported message is displayed that states that Cipher key is successfully imported.

   

5. Restore the database. For the restore steps related to PostGreSQL, MySQL, and MSSQL database, refer to the documentation provided by the respective database vendor.

6. On the local SAS Server, log in to the SAS Manager Console.

7. SAS will redirect you to the SQL Database configuration wizard. Run the wizard to connect to the correct database provider and configure the restored database.

8. After running the SQL Database configuration wizard, logout from the SAS console and reset the IIS by using IISRESET command.

9. Log in to the SAS Console again.

Verify the following settings and modify it accordingly:

1. Email Setting: System > Communications > Email Settings

2. Self Service Policy: Virtual Server > Self-Service > Self-Service Policy

3. Self Enrollment Policy: Virtual Server > Policy > Automation Policies > Self-Enrollment Policy

4. Operator Email Validation URL: System > Communications > Operator Email Validation URL