Migrate SafeNet authentication servers
The settings in this section allow the STA server to migrate users and tokens from legacy SafeNet products, such as SafeWord and CRYPTOCard.
- On the STA Token Management console, select Comms > Authentication Processing > Migrate SafeNet Authentication Servers.
- From the Server list, select the server from which you want to migrate users and tokens.
- For CryptoServer 5.32 or CryptoServer 6.4, the prerequisites are:
  - The account in STA must have capacity for at least as many tokens as the CRYPTO-Server license, so that all tokens are imported and activated for all users. If the capacity of this account is smaller, the import will not take place for any user, operator, token, or group.
  - An existing ODBC data source should be configured in STA to connect to the corresponding CRYPTO-Server database (for example, a MySQL ODBC data source configured in STA to connect to a MySQL database on the CRYPTOAdmin server). In STA, install the ODBC driver required to connect to the 6.x or 5.32 CRYPTO-Server database (MySQL, MS SQL, or Oracle), then configure the driver to connect to that database.
    - If using MySQL, a grant statement must be added to allow a connection from STA. Add the following SQL statements to the MySQL server used by CRYPTO-Server:
          grant all privileges on *.* to 'root'@'IP_Address_of_STA' identified by 'password';
          grant all privileges on *.* to 'root'@'DNS_Name_of_STA' identified by 'password';
          grant all privileges on *.* to 'root'@'Hostname_of_STA' identified by 'password';
          flush privileges;
  - RADIUS attributes and clients from a 6.4 server will not be imported; these must be manually created in the STA Agent-enabled IAS/NPS or Steel-Belted RADIUS software.
  - 6.4 CAP Protocol-enabled agents are not supported in STA (CRYPTO-Logon, CRYPTO-Web, CAP PAM, and certain Citrix Web Interface agents); they must be updated to STA agents.
  - CRYPTO-Server software tokens are imported and marked as legacy tokens in the database. Users with old versions of CRYPTOCard Software Tools installed can authenticate against STA without changing their client-side software. This does not include CRYPTO-Server agents such as CRYPTO-Logon.
  - If a duplicate serial number is detected during the migration, a new serial number will be assigned to the token, which can then be assigned to the user. This change in the serial number does not affect a migrated user’s ability to authenticate against STA.
  - If STA is configured to use LDAP, tokens are assigned and activated during the migration when a match is found between the CRYPTOCard server token name and the LDAP user logon name. If a match is not found, the token is imported but placed into inventory. Static-password-enabled users will not be enabled as static password users in STA.
  - KT-1 tokens with a serial number 3120xxxxx or earlier and RB-1 tokens with a serial number 2020xxxxx or earlier will be migrated into STA, but it might not be possible to reinitialize these tokens. These older tokens may need to be replaced with more recent models due to firmware compatibility issues.
  - Serial initializers are not supported in STA. Serial token initializers must be upgraded to USB token initializers.
  - Installing STA on an existing 6.x CRYPTO-Server is not recommended due to RADIUS port conflicts between the CRYPTO-Protocol (CAP and RADIUS) service and IAS/NPS.
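For the MySQL grant statements in the prerequisites above, the following is an added example, not part of the vendor documentation, showing a narrower alternative to granting `root` all privileges on `*.*`, together with the checks and cleanup around it. The account name `sta_migrate`, the schema name `cryptoserver_db`, and the password are placeholders, and the example assumes the migration only needs to read the CRYPTO-Server database, which the page does not state.

```sql
-- Added example, not vendor-supplied. Placeholders: sta_migrate,
-- cryptoserver_db, IP_Address_of_STA and the password value.
-- Assumption: the STA migration only reads from the CRYPTO-Server schema.

-- 1. Before changing anything, list root accounts that already accept
--    remote logins, so that new exposure can be told apart from old.
SELECT user, host
FROM mysql.user
WHERE user = 'root'
  AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 2. Create a dedicated account that can only connect from the STA server
--    and can only read the one schema the migration needs.
CREATE USER 'sta_migrate'@'IP_Address_of_STA'
  IDENTIFIED BY 'replace-with-a-long-random-password';
GRANT SELECT ON cryptoserver_db.* TO 'sta_migrate'@'IP_Address_of_STA';

-- 3. Confirm the account holds exactly the privileges intended.
SHOW GRANTS FOR 'sta_migrate'@'IP_Address_of_STA';

-- 4. Once the migration has completed and been verified, remove the account.
DROP USER 'sta_migrate'@'IP_Address_of_STA';

-- 5. If the root grants from the page were used instead, remove those
--    remote root accounts once the migration is done.
DROP USER 'root'@'IP_Address_of_STA';
DROP USER 'root'@'DNS_Name_of_STA';
DROP USER 'root'@'Hostname_of_STA';

-- 6. Re-run the query from step 1 and compare against the earlier result.
SELECT user, host
FROM mysql.user
WHERE user = 'root'
  AND host NOT IN ('localhost', '127.0.0.1', '::1');
```

With a dedicated account, its credentials go in the ODBC data source or in the User Name and Password migration parameters instead of those of `root`.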
- Parameters for CryptoServer 5.32 or CryptoServer 6.4 migrations:
  - ODBC Name—The name of the ODBC data source as configured in the ODBC configuration of the Administrator tools section of the Control Panel. (Required for CryptoServer 5.32 or CryptoServer 6.4.)
  - Secret—(CryptoServer 5.32 only) The text contained in the 'ccsecret' file on the 5.32 CRYPTO-Server.
  - Oracle—Forces alternate SQL syntax to migrate from Oracle databases.
  - User Name—Optional user name if the ODBC connection settings do not specify one.
  - Password—Optional password if the ODBC connection settings do not specify one.
  The Add Parameter button can be used to add optional custom ODBC attributes to pass to the ODBC data source, if they are required for the connection.
- SafeWord requirements are as follows:
  - A valid license must have been imported.
  - An empty account to migrate into must exist, with enough capacity for the tokens that will be migrated.
- Parameters for SafeWord migration:
  - Ldif file—The path to the decrypted SafeWord export LDIF to migrate.
  - Database Password—An optional password that was used to encrypt the contents of the database. This password is 8 to 16 characters long.
  - Sccsigners file—A required file used to decrypt the LDIF database file.
  - User CSV file—An optional file containing additional user information.