SafeNet Authentication Service pre-upgrade checklist
This section provides a checklist of all the required changes to be made prior to the upgrade of SAS.
SafeNet Authentication Service
This section guides you through the process of upgrading SAS from version 3.8 (and later) to the latest version. It also covers the steps needed to back up and save the installation files and databases required for a rollback during a disaster recovery event.
Before upgrading from any previous version to the latest SAS PCE version, refer to the System Requirements section to check that all the required prerequisites are in place.
Deployment diagram/documentation
A SAS deployment diagram, along with proper documentation, is needed after upgrading. The diagram should contain a list of all services (Console, Token Validator, BSIDCA, etc.) that each site should be running, as well as which services should be turned off since the upgrade process turns on all services.
Installer backup
Back up the existing SAS installer files for disaster recovery purposes.
Download/Copy
Download and unzip the latest SAS PCE zip file, and then copy the new SafeNet Authentication Service.exe installer (provided in the .zip file) to all SAS servers.
Cipher Key export
The SAS CipherExport utility is located in the SAS installation directory. The default installation path is:
<drive>:\Program Files\CRYPTOCard\BlackShield ID\CipherExport
To run the CipherExport.exe utility:
- Open a DOS command prompt in the CipherExport directory and enter the following command:
CipherExport.exe export Cipher.bak
This command creates a file called Cipher.bak and displays the encryption key in the DOS command prompt.
- Copy the value of Export File Key shown in the DOS prompt and save it to a text file (for example, ExportFileKey.txt).
- Move Cipher.bak (created in the CipherExport directory) and the ExportFileKey.txt file to a secure location.
The CipherExport tool must be run on each SAS server that is in use. Without the export from a given server, you cannot perform a restore on that server.
Primary SafeNet Authentication Service registry export
- On the Primary SAS server, open the Windows Registry and locate the following key:
HKEY_LOCAL_MACHINE > SOFTWARE > CRYPTOCARD > BlackShield ID > DAL
- Right-click on DAL and export the Registry key.
- Save the Registry key file with an appropriate name.
- Move the Registry key file to a secure location.
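The Cipher Key export and the Primary registry export above are the two artifacts a rollback depends on. The following PowerShell script is an added example (not part of the SAS documentation or the vendor's tooling) that collects both on one server; the drive letter, the secure destination path, and the assumption that CipherExport.exe prints the key on a line containing "Export File Key" are all assumptions, so adjust them to your environment.

```powershell
# Added example, not vendor code: collect per-server SAS rollback artifacts.
param(
    [string]$InstallRoot = 'C:\Program Files\CRYPTOCard\BlackShield ID',  # assumption: drive C:
    [string]$SecureDir   = '\\backupsrv\sas-preupgrade',                   # assumption: your secure location
    [switch]$Primary                                                       # registry export only on the Primary SAS server
)

$cipherDir = Join-Path $InstallRoot 'CipherExport'
$dest      = Join-Path $SecureDir ("{0}-{1:yyyyMMdd}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Cipher key export: run the utility from its own directory, as documented.
Push-Location $cipherDir
try {
    $output = & (Join-Path $cipherDir 'CipherExport.exe') export Cipher.bak 2>&1 | ForEach-Object { "$_" }
} finally {
    Pop-Location
}

if (-not (Test-Path (Join-Path $cipherDir 'Cipher.bak'))) {
    throw 'CipherExport.exe did not create Cipher.bak; do not upgrade this server until it does.'
}

# The Export File Key is only displayed, never written to disk, so keep the full console output.
# Assumption: the key is printed on a line containing "Export File Key".
$output | Set-Content -Path (Join-Path $dest 'ExportFileKey.txt')
if (-not ($output | Where-Object { $_ -match 'Export File Key' })) {
    Write-Warning 'No "Export File Key" line found in the output; check ExportFileKey.txt manually.'
}

Move-Item -Path (Join-Path $cipherDir 'Cipher.bak') -Destination (Join-Path $dest 'Cipher.bak') -Force

# 2. Registry export of the DAL key (Primary SAS server only).
if ($Primary) {
    $regFile = Join-Path $dest 'DAL.reg'
    reg.exe export 'HKLM\SOFTWARE\CRYPTOCARD\BlackShield ID\DAL' $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
}

# 3. These files allow a full restore of the server, so restrict access to administrators only.
icacls.exe $dest /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

Get-ChildItem $dest | Format-Table Name, Length, LastWriteTime
```

Run it on every SAS server in use, adding -Primary on the Primary server, and confirm the listed files exist before continuing with the checklist.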
License
Locate the latest SAS license file, along with the activation code, and move them to a secure location.
Monitoring utility
All SAS monitoring utilities should be disabled in the Secondary data center until all components have been upgraded.
Authentication
Authentication traffic must be routed from the Secondary data center to the Primary data center. There are two ways to achieve this: IP routing or DNS routing.
IP routing
IP routing is specifically for FreeRADIUS authentication traffic. When FreeRADIUS accepts RADIUS requests, the SAS FreeRADIUS agent takes the incoming authentication and connects to the SAS TokenValidator IP address to validate the user attempting to authenticate, with no DNS lookup required. If this is currently being utilized, go directly to the FreeRADIUS section.
DNS routing
DNS routing is applicable for Token Validator and for FreeRADIUS (optional). If DNS routing is utilized for both Token Validator and FreeRADIUS, ensure the following DNS names are configured:
- Public DNS names for token validator(s) (Port 443 TCP)
- Internal DNS names for SAS FreeRADIUS Updater Service (Port 5041 TCP)
FreeRADIUS prior to v3.x
FreeRADIUS Agent
- Browse to the following directory:
/usr/local/cryptocard/freeradius
- Make a backup copy of the cryptocardFreeRadiusConfig file, and name the file
cryptocardFreeRadiusConfig.<DATE>.bak
where DATE denotes the day on which the command is executed.
- Open the cryptocardFreeRadiusConfig file with a text editor.
- Verify that sections 16 and 24 are set to the Primary TokenValidator IP/Secondary TokenValidator DNS. If not, change them accordingly.
- If not using SSL, skip to step 6 (restarting the daemon). If the FreeRADIUS Agent connects to Token Validator via SSL, verify the following:
  - Sections 17 and 25 are set to TCP port 443. If not, change them accordingly.
  - Sections 20 and 28 have a value of 1. If not, change them accordingly.
- If any changes were made, save the file and restart the RADIUSD daemon:
/etc/init.d/radiusd restart
- Use the tail command on the radiusd.log to verify that the changes are working correctly:
tail -fv /opt/freeradius/freeradius-server-<version>/var/log/radius/radius.log
FreeRADIUS updater
- Browse to the following directory:
/usr/local/cryptocard/freeradius_updater/dynamicUpdate/
- Make a backup copy of the sslConfigurationClient.txt file with the name
sslConfigurationClient.txt.<DATE>.bak
where DATE denotes the day on which the command is executed.
- Open the sslConfigurationClient.txt file with a text editor.
- In section 20, verify that both the IP and DNS are set to the Primary SAS FreeRADIUS Update Service/Secondary SAS FreeRADIUS Update Service. If not, change them accordingly.
- If changes were made, save the file and restart the FreeRADIUS updater daemon:
/etc/init.d/./freerad_updaterservice restart
- Check the freeRadupdateClient-year-month-day.log file for any errors. The log file is located in:
/usr/local/cryptocard/freeradius_updater/log/
- Verify that the Auth Nodes added in SAS PCE are loading correctly into clients.conf, located in:
/opt/freeradius/freeradius-server-<version>/etc/raddb/
DNS routing – changes
If DNS routing is utilized for any or all components, perform the following steps:
Public
- Make note of the IP address associated with the Secondary Token Validator.
- Log in to your public DNS provider.
- Change the IP address associated with the Secondary Token Validator DNS name to the Primary Token Validator IP address.
Internal
If the FreeRADIUS Updater configuration is not using DNS to connect to the SAS FreeRADIUS Updater Service, skip to the Stopping Services section.
- Make note of the IP address associated with the Secondary FreeRADIUS Updater Service.
- Log in to your internal DNS domain.
- Change the IP addresses associated with the FreeRADIUS Updater Service DNS name to the Primary FreeRADIUS Updater Service IP address.
Do not route traffic to the public DNS names.
Stop services
In the Secondary data center, log on to each SAS server and stop the WWW service. This leaves the Secondary data center running only FreeRADIUS; all other traffic has been routed to the Primary data center.
These changes must be reverted after the upgrade is complete.
FreeRADIUS v3.x
Alternatively, if you want to deploy or upgrade to FreeRADIUS v3.x with SAS Version 3.8 GA (or later), refer to the SAS FreeRADIUS Agent v3.x Documentation.
Prepare MS SQL
The following process is divided into two sections:
- SAS Configuration: Point all SAS servers in the Primary data center to a Primary MS SQL instance.
- MS SQL Replication: Break and remove MS SQL replication.
SAS configuration
In the Primary SAS data center, verify that each SAS server is pointed to the Primary MS SQL instance for both the Primary and Secondary SQL database configuration (SAS Console > Database > SQL Database).
Alternatively, if each SAS server in the Primary data center uses DNS to connect to SQL, the DNS record can be changed instead. For example:
DB1.acme.com > 192.168.1.2 changes to DB1.acme.com > 192.168.1.10
MS SQL Replication
The following procedure should be performed by a Microsoft DBA or someone with knowledge of Microsoft database replication. All MS SQL nodes must be removed from the peer-to-peer topology. The SAS database (by default, BlackShield) must be removed as a publication. The order of removal should be as follows:
- Remove each MS SQL database instance in the Primary and Secondary data centers
- Remove all Publication(s)
- Remove all Subscription(s)
On the Primary MS SQL instance, create an SAS database backup, and then restore the backup to a new SAS database name. (Use a unique name to indicate that this is before replication break – for example, SASpreupgrade).
The SAS database backup and restore process to a new SAS database name is for disaster recovery purposes.
Prepare MySQL
In the current SAS PCE installation, if you have set up DBA-managed MySQL database high availability and you want to move to SAS-managed MySQL database high availability, break and remove the existing MySQL replication first.
Custom branding
After the upgrade, the custom branding is set to default (by the refreshed SAS Console) and needs to be set again. Ensure you have all the necessary files for branding, as you need to redo the Customization and Branding on the SAS console.