Migrate SafeNet authentication servers
The settings in this section allow the SAS server to migrate users and tokens from legacy SafeNet products, such as SafeWord and CRYPTOCard.
- On the SAS Token Management console, select Comms > Authentication Processing > Migrate SafeNet Authentication Servers.
- From the Server list, select the server you want users and tokens to migrate from.
- For CryptoServer 5.32 or CryptoServer 6.4, the prerequisites are:
  - Ensure that the capacity of the account in SAS supports a number of tokens equal to or greater than the CRYPTO-Server license, so that all tokens are imported and activated for all users. If the capacity of this account is smaller, the import will not take place for any user, operator, token, or group.
  - An existing ODBC data source should be configured in SAS to connect to the corresponding CRYPTO-Server database (for example, a MySQL ODBC data source configured in SAS to connect to a MySQL database on the CRYPTOAdmin server). In SAS, install the ODBC driver required to connect to the 6.x or 5.32 CRYPTO-Server database (MySQL, MS SQL, or Oracle), then configure the driver to connect to that database.
  - If using MySQL, a grant statement must be added to allow a connection from SAS. Add the following SQL statements to the MySQL server used by CRYPTO-Server:
      grant all privileges on *.* to 'root'@'IP_Address_of_SAS' identified by 'password';
      grant all privileges on *.* to 'root'@'DNS_Name_of_SAS' identified by 'password';
      grant all privileges on *.* to 'root'@'Hostname_of_SAS' identified by 'password';
      flush privileges;
  - RADIUS attributes and clients from a 6.4 server will not be imported; these must be manually created in the SAS Agent-enabled IAS/NPS or Steel-Belted RADIUS software.
  - 6.4 CAP Protocol-enabled agents are not supported in SAS (CRYPTO-Logon, CRYPTO-Web, CAP PAM, and certain Citrix Web Interface agents); they must be updated to SAS agents.
  - CRYPTO-Server software tokens are imported and marked as legacy tokens in the database. Users with old versions of CRYPTOCard Software Tools installed can authenticate against SAS without changing their client-side software. This does not include CRYPTO-Server agents such as CRYPTO-Logon.
  - If a duplicate serial number is detected during the migration, a new serial number will be assigned to the token, which can then be assigned to the user. This change in the serial number does not affect a migrated user's ability to authenticate against SAS.
  - If SAS is configured to use LDAP, tokens are assigned and activated during the migration when a match is found between the CRYPTOCard server token name and the LDAP user logon name. If a match is not found, the token is imported but placed into inventory. Static-password-enabled users will not be enabled as static password users in SAS.
  - KT-1 tokens with a serial number 3120xxxxx or earlier and RB-1 tokens with a serial number 2020xxxxx or earlier will be migrated into SAS, but it might not be possible to reinitialize these tokens. These older tokens may need to be replaced with more recent models due to firmware compatibility issues.
  - Serial initializers are not supported in SAS. Serial token initializers must be upgraded to USB token initializers.
  - Installing SAS on an existing 6.x CRYPTO-Server is not recommended due to RADIUS port conflicts between the CRYPTO-Protocol (CAP and RADIUS) service and IAS/NPS.
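The MySQL grant statements in the prerequisites above create remote root accounts with every privilege on every database, so they are worth auditing and removing once the migration has been verified. The following is an added example, not part of the original product documentation; the host values 192.0.2.10, sas.example.com and sas-host are constructed placeholders for the three SAS host forms, and it assumes the remote root accounts are no longer needed after migration.

```sql
-- Added example: audit and remove the remote root accounts created for
-- the SAS migration. Host values are constructed placeholders; replace
-- them with the IP address, DNS name and hostname used in the grants.

-- 1. List every root account that can log in from a non-local host.
--    Only the SAS hosts added for the migration should appear here.
SELECT user, host
FROM mysql.user
WHERE user = 'root'
  AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 2. Review exactly what each migration account is allowed to do.
SHOW GRANTS FOR 'root'@'192.0.2.10';
SHOW GRANTS FOR 'root'@'sas.example.com';
SHOW GRANTS FOR 'root'@'sas-host';

-- 3. After the migrated users and tokens have been verified in SAS
--    (assumption: SAS no longer needs the CRYPTO-Server database),
--    drop the accounts. DROP USER also removes their privileges.
DROP USER 'root'@'192.0.2.10',
          'root'@'sas.example.com',
          'root'@'sas-host';

-- 4. Confirm that no remote root account remains; this should return
--    no rows if the migration accounts were the only remote ones.
SELECT user, host
FROM mysql.user
WHERE user = 'root'
  AND host NOT IN ('localhost', '127.0.0.1', '::1');
```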
- Parameters for CryptoServer 5.32 or CryptoServer 6.4 migrations:
  - ODBC Name—The name of the ODBC data source as configured in the ODBC configuration of the Administrator tools section of the Control Panel. (Required for CryptoServer 5.32 or CryptoServer 6.4.)
  - Secret—(CryptoServer 5.32 only) The text contained in the 'ccsecret' file on the 5.32 CRYPTO-Server.
  - Oracle—Forces alternate SQL syntax to migrate from Oracle databases.
  - User Name—Optional user name if the ODBC connection settings do not specify one.
  - Password—Optional password if the ODBC connection settings do not specify one.
  The Add Parameter button can be used to add optional custom ODBC attributes to pass to the ODBC data source if they are required for it to connect.
- SafeWord requirements are as follows:
  - A valid license must have been imported.
  - An empty account must exist to migrate into, with enough capacity for the tokens that will be migrated.
- Parameters for SafeWord migration:
  - Ldif file—The path to the decrypted SafeWord export LDIF to migrate.
  - Database Password—An optional password that was used to encrypt the contents of the database. This password is 8 to 16 characters long.
  - Sccsigners file—A required file used to decrypt the LDIF database file.
  - User CSV file—An optional file containing additional user information.