Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Get started

System Requirements

search

Please Note:

System Requirements

Environment

Environment Description
Supported Operating Systems

> Windows Server 2012

> Windows Server 2012 R2

> Windows Server 2016 (64-bit) (GUI only)

> Windows Server 2019 (64-bit) (GUI only)

> Windows Server 2022 (64-bit) (GUI only)
Supported Database Servers

> PostgreSQL 9.6 (PostgreSQL 9.6.4, default)

NOTE:   PostgreSQL should be used only for test and proof-of-concept installations. It is not supported in HA configurations. The default database shipped with SafeNet Authentication Service is PostgreSQL. Any other supported database must be purchased separately.

> MySQL 8.0.33

NOTE:   The High Availability (HA) feature is supported for versions up to MySQL 8.0.33.

NOTE: If you are using MySQL 5.7.x, HA support requires MySQL 5.7.x to MySQL 5.7.23. In other words, MySQL versions prior to 5.7.x (or later than MySQL 5.7.23 except MySQL 8.0.18) are not supported, and thus may not work with the SAS solution.

> Microsoft SQL (MS SQL) supported database versions:

MS SQL 2012

MS SQL 2014

MS SQL 2016

MS SQL 2017

MS SQL 2019

MS SQL 2022
Supported Database Servers

NOTE:    

For replication, an active/active (multi-master) configuration needs to be deployed. On MS SQL, this is transactional peer-to-peer replication. In addition, peer-to-peer replication is also supported for Enterprise editions of MS SQL 2014 and MS SQL 2016.

Always On Availability Groups feature is now supported for MS SQL 2012, MS SQL 2014, MS SQL 2016, MS SQL 2017, MS SQL 2019 and MS SQL 2022.

An MS Internal (SQL only) user account or an MS SQL Windows Domain User can be used to connect SAS to MS SQL Database.

> MSSQL User Permissions

Action Permission
Installation

DB ADMIN

Or

> Create Database

> Create Table

> Create Index

> Create View
Runtime (On all SAS tables)

> Select

> Update

> Delete
Upgrade

> Create Table

> Create Index

> Create and Delete View

> Select on

    • + MSSQL

    • # INFORMATION_SCHEMA.KEY_COLUMN_USAGE

    • # INFORMATION_SCHEMA.TABLE_CONSTRAINTS

    • # sysobjects

    • # syscolumns

    • # sysindexes

    • # sysindexkeys

    • # sysconstraints
Supported LDAP Directories

> Active Directory

> Novell eDirectory 8.x

> SunOne 5.3

> Open LDAP
Supported Architecture 64-bit
Supported Application Authentication Protocols

> SAML

> OIDC
Supported RADIUS Authentication Protocols

> PAP

> CHAP

> MSCHAPv2
Additional Software Components

> Internet Information Services (IIS) 8.5

> .NET 4.8 (download here)

> .NET Framework 3.5 Features

NOTE:   IIS 6 compatibility roles and ASP.NET role services must be installed in order for the SAS website to appear. For Windows Server 2016 (64-bit), IIS 10 compatibility roles and ASP.NET role services are needed.
MySQL Components

>MySQL Connector v 8.x.x

NOTE:   The MySQL Connector is required only if the database in use is MySQL.
Processor 2.6 GHz processor (or above)
Memory

16 GB RAM (or greater)

In case of higher number of users and expected concurrent authentications, it is recommended to use 32 GB 4 core processor and 64 GB 6 core processor machines.

More details available in the Minimum Recommended Configuration section.
Disk Space

300 MB

NOTE:   Minimum disk space required for installation is 300MB; additional disk space would be required if logging is enabled.
Display SVGA (1280 x 1024), 24-bit color or higher

Windows Server 2012 – Installing Server Manager Roles

For a smooth installation of SAS with .NET 4.6.2 Framework, the administrators have to install the required server manager roles:

  1. Install .NET Framework 3.5 Features.

  2. Install Web Server (IIS) and select additional Role Services using Server Manager Roles and Features, as illustrated in the Internet Information Services Role Services Required section.

  3. Initiate the SAS installer to continue with .NET 4.6.2 Framework installation, followed by SAS installation.

    After .NET installation, a prompt to restart the system is displayed. After the restart, the installation process resumes to complete the SAS installation.

Installing Microsoft Updates

For a smooth installation of SAS with .NET 4.6.2 Framework, the administrators have to install the following Microsoft updates.

  1. Install .NET Framework 3.5 Features.

  2. Install Web Server (IIS) and select additional Role Services using Server Manager Roles and Features, as illustrated in the Internet Information Services Role Services Required section.

  3. Install the following Windows updates, in the following order:

    1. Windows8.1-KB2919442-x64.msu (64-bits) (Download here)

    2. Windows8.1-KB2919355-x64.msu (64-bits) (Download here)

  4. Initiate the SAS installer to continue with .NET 4.6.2 Framework installation, followed by SAS installation.

    After .NET installation, a prompt to restart the system is displayed. After the restart, the installation process resumes to complete the SAS installation.

Additional Requirements

  • The system administrator installing SAS must have administrative privileges on the local system.

  • If migrating to SAS, refer the specific SAS migration section.

  • For Push OTP functionality to work, outbound connectivity to the internet is required from SAS PCE, SafeNet Agents, and MobilePASS+ tokens.

Internet Information Services Role Services

Windows Server 2012

To successfully install and run SAS 3.10.1 (and later) on Windows Server 2012, include the IIS role services as specified in the images below:

IIS Role Services

IIS Role Services

IIS Role Services

IIS Role Services

Windows Server 2016

To successfully install and run SAS 3.10.1 (and later) with NET 4.8 Framework on Windows Server 2016, include the IIS role services as specified in the image below:

Add Roles and Features Wizard

Windows Server 2019

To successfully install and run SAS 3.10.1 (and later) with NET 4.8 Framework on Windows Server 2019, include the IIS role services and features as specified in the image below:

Add Roles and Features Wizard

Windows Server 2022

To successfully install and run SAS 3.10.1 (and later) with NET 4.8 Framework on Windows Server 2022, include the IIS role services and features as specified in the image below:

Add Roles and Features Wizard

System Sizing

The system sizing information is provided as a general guide. It is strongly recommended that you make an assessment of your specific requirements based on your infrastructure setup before implementation.

The information in the table below is based on the following minimum recommended configuration:

  • CPU: Intel® Xeon(R) Processor CPU E5-2650 v2.60GHz (2 core)

  • RAM: 16 GB

  • Primary measurement: Authentications per second

Under stable testing conditions, the average time to complete one authentication successfully is 15 milliseconds. Below are the comparative performance metrics differentiated on various RAM and Processor Core sizes.

The performance tests are performed on a standalone machine without any load balancer or HA setup.

Table 1: SAS-PCE MSSQL Performance Metrics

Total Number of Users

25000

50000

100000

Number of Concurrent Users

3500

13000

3500

12000

3500

11000

Number of Processor Cores and RAM

4 Core + 32 GB

6 Core + 64 GB

4 Core + 32 GB

6 Core + 64 GB

4 Core + 32 GB

6 Core + 64 GB

Average number of authentications per second

63.81

70.19

47.17

61.61

25.33

18.68

Maximum CPU Utilization - Application

96.87%

35.6%

72.69%

34.76%

90.88%

14.05%

82.72%

21.34%

85.2%

19.1%

70.74%

9.89%

Physical Disk

 

 

 

Maximum CPU utilization by MSSQL process

39.19%

14.1%

30.33%

12.22%

32.12%

10.26%

23.17%

9.12%

52.54%

21.2%

36.54%

12.61%

Average network I/O activity

1 MB/s

2 MB/s

630 KB/s

1 MB/s

780 KB/s

553 KB/s

Table 2: SAS-PCE MySQL Performance Metrics

Total Number of Users

25000

50000

100000

Number of Concurrent Users

68

80

66

80

67

80

Number of Processor Cores and RAM

4 Core + 32 GB

6 Core + 64 GB

4 Core + 32 GB

6 Core + 64 GB

4 Core + 32 GB

6 Core + 64 GB

Average number of authentications per second

49.82

59.94

45.50

50.56

39.94

48.56

Maximum CPU Utilization - Application

93.53%

35.79%

90.21%

32.04%

89.48%

32.27%

93.79%

27.76%

87.88%

24.97%

92.05%

29.27%

Physical Disk

 

 

 

Maximum CPU utilization by MySQL process

40.96%

18.36%

31.25%

14.14%

41.73%

18.95%

32.55%

13.06%

43.03%

17.08%

31.35%

13.8%

Average network I/O activity

477 KB/s

561 KB/s

461 KB/s

459 KB/s

368 KB/s

498 KB/s

* Average latency – It is the latency between start and completion of server read/write request on the physical disk, and is measured in milliseconds.
* Throughput – It is the amount of data that the physical disk has received from the server at any given second, and is measured in megabytes.

SafeNet Authentication Service Ports

SAS may require the use of several ports, depending upon the location of external directories, databases, or RADIUS servers. The following is a list of default port values. SAS can be configured to use alternate ports. SSL requires that a valid certificate is installed on the SAS server.

Port (TCP/UDP) Usage
80/443 Port 80 and/or 443 can be used for management sessions, provisioning, self-enrollment, self-service, and for servicing of encrypted authentication requests from configured agents. For security purposes, port 443 (SSL) is recommended.
1812/1813 Ports 1812/1813 are standard ports for RADIUS authentication and RADIUS accounting respectively.
389/636 Ports 389/636 are standard ports for LDAP and LDAPs connections respectively. For security purposes, port 636 (SSL) is recommended.
5432 The port number for connection to the default PostgreSQL database.
1433 The default port number for connection to an MS SQL database.
3306 The default port number for connection to a MySQL database.
25 The default port for SMTP email.
8456 The default port number for LDAP synchronization traffic to/from SAS and LDAP.
8458 (Inbound) The default incoming port number for the Logging Agent.
8459 (Outbound) The default outgoing port number for the Logging Agent.
11012 The default port for communication between SAS and SAS HA Controller Service.

SAS Synchronization Agent Ports

  • TCP Port 8456 – Incoming to the SAS server

  • TCP Port 389

  • TCP Port 636 (optional) – Outgoing from the SAS Synchronization Agent

SAS Logging Agent Ports

  • Agent > SAS TCP Port 8459

  • SAS > Agent TCP Port 8458

  • Agent -> Syslog UDP Port 514

FreeRadius Agent Ports

  • 1812 - Incoming to the FreeRADIUS agent server

  • 1813 - Outgoing from the FreeRADIUS agent server

Virtualization

SAS is designed for virtualization and has been extensively tested with VMWare®.

Internal Database

The internal database contains all system configuration, application and policy data, token information, and history and activity information used by SAS. User-specific information, such as user IDs and coordinates are also stored in the database (possibly synchronized from an original user source).

Where LDAP/AD integration is configured, the unique GUID property of the LDAP user account is stored in the database, providing a consistent link between the user’s LDAP account and tokens associated with the user in SAS. The UserID is stored with authentication activity for reporting purposes. This allows SAS to provide audit trails and authentication activity reports even after a user (and therefore the GUID) has been deleted from LDAP.

The database can be installed on the machine hosting SAS, on a separate machine, or as a cluster. Every SAS implementation can be configured for a primary database instance with failover to an alternate instance. In addition, multiple SAS servers can use the same database.

LDAP External User Sources

SAS supports the use of one or more LDAP directories for the user, account status, and group membership data. Each LDAP must be configured for a specific Virtual Server. Alternatively, an LDAP forest can be connected to one Virtual Server if needed. When there are multiple domains within one Virtual Server, SAS must be able to read the LDAP forest via the Global Catalog Server (port 3268), and all domains in a forest must be fully trusted (AD only).

LDAP External User Sources
LDAP External User Sources

Supported Browsers

A browser is the standard interface for use with SAS or components such as self-enrollment or user self-service.

The following browsers are supported:

  • Microsoft Edge Chromium

  • Chrome™

  • Firefox®

  • Safari 5 and later on iOS

  • Safari 10.1 and later on macOS

Certain functions may require ActiveX controls and/or JavaScript.

Maintaining Accurate Time Settings

SAS operation and authentication services are not dependent on accurate time settings. However, it is recommended to maintain accurate time to enable reliable and consistent reporting and audit trails. In some cases, SAS licensing may restrict certain functions based on dates or date ranges. Modifying the server date after license installation may cause these functions to become unavailable.

It is recommended that the SAS time is set to the local time zone and that the server time is UTC coordinated.

Installation Types

An SAS site is defined as an instance of the SAS authentication engine. The number of sites and configuration options are determined by licensing, redundancy, and performance requirements. Assuming that SAS is installed on the recommended hardware, the factor that has the largest bearing on performance is the database I/O, primarily determined by the amount and frequency by which authentication history is written. In most cases, it is acceptable to have SAS and the database installed on the same server.

The scenarios described in the following sections are provided as guidelines and examples. Many different configurations are possible. For example, it is perfectly acceptable to install the database, enrollment, self-service, and directory components on separate computers.

In the following diagrams, “site” refers to an SAS instance that connects to the same database or database cluster. This can be at the same physical location or spread across different data centers.

Small Deployments

You may choose to install all SAS components on a single server, with a secondary instance providing redundancy and failover.

Small Deployments with Failover
Small Deployments with Failover

You may choose to install all SAS components on a single server, with a secondary instance providing redundancy and failover.

Small Deployments with Failover and Site Specific Database
Small Deployments with Failover and Site Specific Database

Authentication and management functions can be distributed across sites if necessary. SAS agents can failover to the alternate site. The connections between LDAP and SAS can be local or remote. If there is a primary and secondary LDAP server, each SAS instance would typically be configured for LDAP failover.

Medium Deployments

Medium site deployments are typically required for organizations with dedicated LDAP, web, and RADIUS servers.

Medium Deployments with Failover
Medium Deployments with Failover

Medium Deployments with Failover and Site Specific Database
Medium Deployments with Failover & Database

Large Deployments

For sites requiring support for up to 250,000 users and several hundred authentications per second, a database cluster fronted by multiple SAS sites is recommended.

Large Deployments with Failover
Large Deploymenet with Failovers

If your MySQL replication setup is not working, you can view some troubleshooting techniques, by clicking here.

On this page