SafeNet Authentication Service upgrade - primary data center
The latest SAS version introduces some new features and enhancements to its Operators, Account Managers, and end users. Due to the new features, the upgrade may take upwards of 50 minutes (depending on the amount of data in the SAS database). It is recommended that a maintenance window of two hours be allotted to ensure sufficient time is available to upgrade all SAS servers and components.
SafeNet Authentication Service backups
After completing all procedures under SafeNet Authentication Service Pre-Upgrade Checklist, the following items must be backed up and available for disaster recovery:
- Current SAS installers
- Database backup
- Cipher key export (including Primary SAS Registry key export)
- SAS License
- SAS deployment diagram
If this has not been done, revisit and complete all sections in SafeNet Authentication Service Pre-Upgrade Checklist.
Monitoring utility
The SAS Monitoring utility must be disabled in the Primary data center from this point forward until all components are upgraded.
Disable traffic
On the Primary data center, the following traffic must be disabled (internal or external) once the maintenance window commences:
- HTTP (80)
- HTTPS (443)
- RADIUS (1812)
- LDAP Sync (8456)
Upgrade SafeNet Authentication Service
Direct upgrade from SAS 3.8 (and later versions) to the latest SAS version is supported.
After running SafeNet Authentication Service.exe (as listed in the steps below), the SAS InstallShield Wizard displays a prompt to install MySQL Connector 8.0.32 (if required).
Perform the following steps on the Primary SAS server:
- Run SafeNet Authentication Service.exe. Change the install path to where the existing SAS installation file is located. Select Custom during the installation wizard, and disable Salesforce and PostgreSQL.
- Start the installation.
- Once the DBUpgrader DOS prompt is displayed, navigate to Windows Services and stop all BlackShield services.
  The BlackShield services cannot run while DBUpgrader is performing its upgrade. This prevents any new queued data from being added to the database while DBUpgrader is running. The upgrade may take up to 30 minutes.
- After installation is complete, browse to the following directory and verify that no errors appear in the SQL upgrade logs:
  \Program Files\CRYPTOCard\BlackShield ID\Log
- Restart the SAS server.
- Once the server is running, log in to the SAS server and wait for six (6) minutes.
- Click Event Viewer > Application and verify that there are no BlackShield errors.
- Check the BlackShield log file to ensure that there are no errors. The log is located in:
  \Program Files\CRYPTOCard\BlackShield ID\Log
- If no errors appear, disable the components that are not utilized on this SAS server.
If there is more than one SAS server in the Primary data center, perform the steps above for each SAS server, omitting steps 3 and 6.
After each SAS server is upgraded:
- Test each server for the components it is servicing (for example, Console, BSIDCA, etc.).
- Disable any services (Windows or Web) that the SAS servers are NOT servicing.
- Verify that any other changes made prior to the upgrade are still configured as desired.
Recreate MS SQL peer-to-peer replication
The following should be performed by a Microsoft DBA or someone with knowledge of Microsoft database replication.
Once the SAS servers are upgraded in the Primary data center, replication must be re-established. However, replication should not start until archived and queued LDAP sync transactions have been processed. Once data has been processed, replication can be re-established.
For more information, learn how to Configure Peer-to-Peer Transactional Replication (SQL Server Management Studio).
Peer-to-peer replication must be re-established before upgrading SAS in the Secondary data center.
SafeNet Authentication Service post-upgrade changes – primary data center
After SAS is upgraded, additional post-SAS-upgrade checks must be performed prior to the SAS upgrades in the Secondary data center.
MS SQL database configuration
In the Primary SAS data center, check each SAS server (if applicable) and re-point to its respective Primary and Secondary SQL database (SAS Console > Database > SQL Database).
If DNS/IP changes were used to point the MS SQL DNS name at a Primary SQL instance, revert the DNS/IP mapping to its pre-upgrade setting.
For example:
DB1.acme.com > 192.168.1.2 changes to DB1.acme.com > 192.168.1.10
MySQL database replication
If SAS is configured to use the MySQL database, the MySQL database must be replicated again after the SAS upgrade.
While performing this task, you need to ensure that no action is performed on SAS until the export or import of the database is completed.
Perform the following steps to replicate the MySQL database:
- Under Services, stop all the SAS services as shown in the screenshot below.
- Run the following query on the Master MySQL server:
  show global variables like 'gtid_executed';
- Copy the result or value of the query that you ran in the previous step and paste it into a text editor for future use.
- In the MySQL Workbench window, perform the following steps:
  - In the left pane, click Schema and select the database (for example, hadb) that you set up while configuring MySQL HA.
  - On the Server menu, select Data Export.
  - In the right pane, click Advanced Options.
  - Under Data Export, change the set-gtid-purged setting to OFF.
  - Under Export Options, select the Export to Self-Contained File option, and then click Start Export.
  - After the database export is complete, save the exported .sql file on your server machine.
- Perform the following steps to replicate the MySQL database on the slave servers:
  - Copy the exported .sql file (that you saved in step 4(f)) to the slave MySQL server machine, at the same location where it is saved on the master MySQL server.
  - Perform the following steps to import the DB dump:
    - In the left pane, under Schema, right-click the hadb database and select Drop Schema to delete the old database schema.
    - In the right pane, run the following query to create a database with the same name (for example, hadb):
      create database <dbname>;
      The latest .sql database file that you exported from the master MySQL server is imported into the newly created database.
    - Refresh the schema and, in the left pane, select the newly created database (for example, hadb).
    - On the Server menu, select Data Import.
    - In the right pane, under Import Options, select the Import from Self-Contained File option.
    - In the Default Target Schema field, select the database that you created earlier.
    - Click Start Import.
- Run the following queries to reset the master configuration on the slave MySQL server:
  show master status;
  reset master;
- Run the following query to update the gtid_purged value:
  set global GTID_PURGED="gtid_executed_value";
  where gtid_executed_value is the value that you copied from the master MySQL server in step 3.
- Start all the SAS services (including the SAS HA controller service) that you stopped in step 2.
- On the SAS console, on the System tab, under Database, perform the following steps to reconfigure the SAS HA setup:
  - Under Task, click HA Management.
  - Run the Promote to Master operation to verify that the slave server is in the Online and Replicating state.
- Perform an action on SAS to verify that the data is replicating. For example, you can run the following query to check whether the data of old users and newly created users is replicating on the slave MySQL server:
  select * from <dbname>.users;
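The replica re-seed sequence above, carried out with the mysqldump and mysql command-line clients instead of Workbench, as an added example that is not SAS or Thales code; the master hostname, the credentials file path and the hadb schema name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not SAS/Thales code: re-seed a MySQL replica of the SAS HA schema
# from a GTID-aware dump, in the order this page prescribes. Assumed: the master
# hostname, the schema name "hadb" and a --defaults-extra-file holding credentials.
set -eu

SCHEMA="${SCHEMA:-hadb}"                      # schema name from the page's example
MASTER="${MASTER:-db1.acme.example}"          # assumed master host
CREDS="${CREDS:-${HOME:-.}/.my-sas.cnf}"      # assumed client credentials file

# gtid_executed spans several lines when more than one source UUID is present.
normalize_gtid() { printf '%s' "$1" | tr -d '[:space:]'; }

# Accept only "uuid:n[-m][:n[-m]...]" sets separated by commas. A garbage value would
# make the replica claim a wrong starting point and skip or replay transactions.
valid_gtid_set() {
  local gset uuid ivl
  gset="$(normalize_gtid "$1")"
  [ -n "$gset" ] || return 1
  uuid='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
  ivl='[0-9]+(-[0-9]+)?'
  printf '%s' "$gset" | grep -Eq "^${uuid}:${ivl}(:${ivl})*(,${uuid}:${ivl}(:${ivl})*)*$"
}

# Build the statement the page runs last on the replica (SET GLOBAL GTID_PURGED).
gtid_purged_stmt() {
  valid_gtid_set "$1" || { echo "malformed gtid_executed value, refusing" >&2; return 1; }
  printf 'SET GLOBAL GTID_PURGED="%s";' "$(normalize_gtid "$1")"
}

# Master side: record gtid_executed BEFORE dumping, then dump with set-gtid-purged=OFF
# (the mysqldump equivalent of the Workbench option on this page).
export_master() {
  local gtid
  gtid="$(mysql --defaults-extra-file="$CREDS" -h "$MASTER" -Nse 'SELECT @@GLOBAL.gtid_executed')"
  valid_gtid_set "$gtid" || { echo "unexpected gtid_executed: $gtid" >&2; return 1; }
  printf '%s' "$gtid" > "$SCHEMA.gtid"
  mysqldump --defaults-extra-file="$CREDS" -h "$MASTER" --single-transaction \
    --set-gtid-purged=OFF "$SCHEMA" > "$SCHEMA.sql"
}

# Replica side (run on the slave after copying $SCHEMA.sql and $SCHEMA.gtid over):
# drop and recreate the schema, import, RESET MASTER, then set GTID_PURGED.
import_replica() {
  local stmt
  stmt="$(gtid_purged_stmt "$(cat "$SCHEMA.gtid")")"
  mysql --defaults-extra-file="$CREDS" -e "DROP DATABASE IF EXISTS \`$SCHEMA\`; CREATE DATABASE \`$SCHEMA\`;"
  mysql --defaults-extra-file="$CREDS" "$SCHEMA" < "$SCHEMA.sql"
  mysql --defaults-extra-file="$CREDS" -e "RESET MASTER; $stmt"
}
```

set-gtid-purged=OFF keeps the dump from carrying a SET @@GLOBAL.GTID_PURGED of its own, which is why the page has you run RESET MASTER and set the value by hand afterwards; the validation step exists because a mis-pasted value is accepted by MySQL and only shows up later as missing or duplicated rows.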
MySQL database configuration
After upgrading to the latest SAS PCE version, if you want to set up SAS-managed MySQL database high availability, perform the following steps:
- Take a backup of the existing MySQL database.
- Use the MySQL database backup to create the secondary MySQL databases.
- Set up the primary and secondary databases, and configure the database settings in SAS. For details, refer to the Installation section.
Enable traffic
Traffic can now be re-enabled (internal or external) to allow customers to start authenticating, synchronizing, and administering users in SAS. However, re-enabling traffic must be controlled to prevent excessive load.
RADIUS/HTTP(S)
RADIUS and HTTP(s) traffic should be the first types of traffic to be re-enabled.
- Log in to the FreeRADIUS Server and use the tail command on the radius.log file:
  tail -fv /opt/freeradius/freeradius-server-<version>/var/log/radiusd/radiusd.log
- Re-enable RADIUS traffic and verify that authentication is succeeding.
- Re-enable HTTP(S) traffic and then browse to the public SAS Console URL. Log in to SAS and verify that Token Validator authentication is succeeding. If authentication is succeeding, continue to LDAP Sync.
LDAP sync
Re-enable LDAP sync traffic and verify that LDAP sync traffic is committing correctly.
Monitoring utility
If a SAS Monitoring utility is used to monitor any SAS components in the Primary data center, re-enable it when the SAS upgrade has completed.