SafeNet Authentication Service upgrade - secondary data center
Once SAS has been upgraded in the Primary data center, replication has been rebuilt, and traffic has been re-enabled, SAS upgrades must be performed in the Secondary data center.
SafeNet Authentication Service upgrades
Perform the following steps on the Secondary SAS server:
1. Run SafeNet Authentication Service.exe. Change the install path to where the existing SAS installation file is located. Select Custom during the installation wizard, and disable Salesforce and PostgreSQL.
2. Start the installation.
3. After installation is complete, browse to the following directory and verify that no errors appear in the SQL upgrade logs:
   \Program Files\CRYPTOCard\BlackShield ID\Log
4. Restart the SAS server.
5. Click Event Viewer > Application to verify that there are no BlackShield errors.
6. Check the BlackShield log file to ensure that there are no errors. The log is located in:
   \Program Files\CRYPTOCard\BlackShield ID\Log
7. If no errors appear, disable the components that are not utilized on this SAS Server.
If there is more than one SAS server in the Secondary data center, perform the steps above for each server.
After each SAS server upgrade, test all service components specific to each SAS server site. Disable any services (Windows or web) that the SAS servers are not servicing.
Verify that any other changes made prior to the upgrade are still configured as desired.
Authentication redirect – secondary data center
Once the SAS servers have been upgraded in the Secondary data center, authentication (RADIUS/Token Validator) must be redirected to the Secondary data center.
Token validator
In the public section of the DNS Routing – Changes, you were instructed to change the DNS routing of the Secondary Token Validator to route to the Primary Token Validator IP address. This change must be reverted to the original setting. To do so, log in to your public DNS provider and change the IP address associated with the Secondary Token Validator DNS back to the Secondary Token Validator IP.
FreeRADIUS Agent
If the FreeRADIUS Agent is configured with DNS, navigate to the DNS Routing section below.
If it is configured with IP, go to the IP Routing section.
DNS routing
If the FreeRADIUS agent is utilizing DNS, perform the following steps:
1. Browse to the following directory:
   /usr/local/cryptocard/freeradius
2. Open the cryptocardFreeRadiusConfig file with a text editor.
3. In section 16, change the DNS to the DNS setting prior to SAS upgrade.
4. If the FreeRADIUS Agent is not using SSL, skip this step and proceed to step 5. If FreeRADIUS Agent is connecting to the TokenValidator via SSL, verify the following:
   - Section 17 is set to TCP port 443. If not, change accordingly.
   - Section 20 has a value of 1. If not, change accordingly.
5. In section 24, change the DNS to the DNS setting prior to SAS upgrade.
6. If the FreeRADIUS Agent is not using SSL, skip this step and proceed to step 7. If the FreeRADIUS Agent is connecting to the TokenValidator via SSL, verify the following:
   - Section 25 is set to TCP port 443. If not, change accordingly.
   - Section 28 has a value of 1. If not, change accordingly.
7. If any changes were made, save the file and restart the RADIUSD daemon using the following command:
   /etc/init.d/radiusd restart
8. Use the tail command with the radiusd.log file to verify the changes are working correctly:
   tail -fv /opt/freeradius/freeradius-server-<version>/var/log/radiusd/radiusd.log
IP routing
If the FreeRADIUS agent is utilizing IP, perform the following steps:
1. Browse to the following directory:
   /usr/local/cryptocard/freeradius
2. Open the cryptocardFreeRadiusConfig file with a text editor.
3. In section 16, change the IP to the IP setting prior to SAS upgrade.
4. If the FreeRADIUS Agent is not using SSL, skip this step and proceed to step 5. If FreeRADIUS Agent is connecting to the TokenValidator via SSL, verify the following:
   - Section 17 is set to TCP port 443. If not, change accordingly.
   - Section 20 has a value of 1. If not, change accordingly.
5. In section 24, change the IP to the IP setting prior to SAS upgrade.
6. If the FreeRADIUS Agent is not using SSL, skip this step and proceed to step 7. If the FreeRADIUS agent is connecting to TokenValidator via SSL, verify the following:
   - Section 25 is set to TCP port 443. If not, change accordingly.
   - Section 28 has a value of 1. If not, change accordingly.
7. If any changes were made, save the file and restart the RADIUSD daemon:
   /etc/init.d/radiusd restart
8. Use the tail command with the radiusd.log to verify the changes are working correctly:
   tail -fv /opt/freeradius/freeradius-server-<version>/var/log/radiusd/radiusd.log
FreeRADIUS updater
If FreeRADIUS Updater is configured with DNS, continue with the Internal DNS section below, followed by the DNS Routing section. If it is configured with IP, go to the IP Routing section.
Internal DNS
In the Internal section, you were instructed to change the DNS routing of the FreeRADIUS Updater Service DNS to route to the Primary FreeRADIUS Updater Service IP. This change needs to be reverted to the original setting. Log in to your internal DNS domain and revert the IPs associated with the FreeRADIUS Updater Service DNS to the original settings.
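A way to confirm from the FreeRADIUS host that a reverted record no longer resolves to the Primary data center before the daemons are restarted; it applies to the internal Updater record here and to the public Token Validator record reverted earlier. This is an added example, not part of the SafeNet documentation: the function names are hypothetical, and the host name and 203.0.113.x addresses in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify where a reverted DNS name currently points.
# Constructed usage (placeholder name and RFC 5737 addresses):
#   check_name tv-secondary.example.com 203.0.113.20 203.0.113.10

# classify_revert SECONDARY_IP PRIMARY_IP [RESOLVED_IP...]
# Prints: reverted | still-primary | mixed | unexpected | unresolved
classify_revert() {
    secondary=$1; primary=$2; shift 2
    if [ $# -eq 0 ]; then
        echo unresolved          # name did not resolve at all
        return 0
    fi
    saw_sec=0; saw_pri=0; saw_other=0
    for ip in "$@"; do
        case "$ip" in
            "$secondary") saw_sec=1 ;;
            "$primary")   saw_pri=1 ;;
            *)            saw_other=1 ;;
        esac
    done
    if [ "$saw_other" -eq 1 ]; then
        echo unexpected          # an address that is neither data center
    elif [ "$saw_sec" -eq 1 ] && [ "$saw_pri" -eq 1 ]; then
        echo mixed               # both records present: partial revert
    elif [ "$saw_pri" -eq 1 ]; then
        echo still-primary       # revert not applied or still cached
    else
        echo reverted
    fi
}

# resolve_ipv4 NAME: IPv4 addresses returned by the local resolver (glibc getent).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# check_name NAME SECONDARY_IP PRIMARY_IP: resolve, classify, fail unless reverted.
check_name() {
    # Word splitting of the resolved address list is intended here.
    state=$(classify_revert "$2" "$3" $(resolve_ipv4 "$1"))
    printf '%s -> %s\n' "$1" "$state"
    [ "$state" = reverted ]
}
```

A `still-primary` or `mixed` result means authentication traffic from this host can still reach the Primary data center, so wait for the record's TTL to expire or recheck the DNS change before restarting the daemons.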
DNS routing
If FreeRADIUS Updater is utilizing DNS in the FreeRADIUS agent, perform the following steps:
1. Browse to the following directory:
   /usr/local/cryptocard/freeradius_updater/dynamicUpdate/
2. Open the sslConfigurationClient.txt file with a text editor.
3. In section 20, change the two DNS settings to the DNS names prior to SAS upgrade.
4. Once changes are made, save the file and restart the FreeRADIUS Updater daemon:
   /etc/init.d/./freerad_updaterservice restart
5. Check the freeRadupdateClient-year-month-day.log file for any errors. The log file is located in:
   /usr/local/cryptocard/freeradius_updater/log/
6. Verify that Auth Nodes added in SAS PCE are loading correctly in clients.conf:
   /opt/freeradius/freeradius-server-<version>/etc/raddb/
IP routing
If FreeRADIUS Updater is utilizing IP in the FreeRADIUS agent, perform the following steps:
1. Browse to the following directory:
   /usr/local/cryptocard/freeradius_updater/dynamicUpdate/
2. Open the sslConfigurationClient.txt file with a text editor.
3. In section 20, change the two IPs to the IP settings prior to SAS upgrade.
4. Once these changes are made, save the file and restart the FreeRADIUS Updater daemon:
   /etc/init.d/./freerad_updaterservice restart
5. Check the freeRadupdateClient-year-month-day.log file for any errors. The log file is located in:
   /usr/local/cryptocard/freeradius_updater/log/
6. Verify that the Auth Nodes added in SAS PCE are loading correctly in the clients.conf file:
   /opt/freeradius/freeradius-server-<version>/etc/raddb/