Step #1 on an EXISTING server

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

Addition of a new server starts by updating the Existing nodes to reflect changes to the cluster. Simple modifications will be made to the database and the Glassfish application server will be restarted for these changes to take effect.

Before performing any updates to the database, create a database backup

shell> mysqldump -u skles -p strongkeylite > /usr/local/strongauth/dbdumps/strongkeylite-MM-DD-YYYY.db

Log into mysql database 'strongkeylite' as the 'skles' user
```
shell> mysql -u skles -p strongkeylite
```
The new appliance to be added into the cluster must be assigned a sequential Server ID (SID). If this is to be the third appliance in the cluster, it should have an SID = 3. Add an entry to the servers table for the new server
```
mysql> insert into servers values (SID, 'FQDN', 'Active', 'Both', 'Active',null,null);
```
SID must be the numeric value of the new SID to be added to the cluster.

FQDN must be the Fully Qualified Domain Name of the new appliance that will be added to the cluster.

Adding a new server with the Fully Qualified Domain Name (FQDN) 'saka03.<domain-name>' with SID = 3, the command would be
```
mysql> insert into servers values (3,'saka03.<domain-name>','Active','Both','Active',null,null
```
A new entry must be added to the server_domains table for each Domain ID (DID) that is present in the cluster. For instance, if there exists 3 domains in the cluster, there must be a new record in the server_domains table for SID=3 DID=1, SID=3 DID=2, and SID=3 DID=3. Add an entry in the server_domains table for each domain
```
mysql> insert into server_domains values (SID, DID, 'STARTING_PSEUDONUMBER','Active',null,null); 
```
SID must be the numeric value of the new SID to be added to the cluster.

DID must be the value of one domain already existing in the cluster. You can see what domains currently exist with the mysql command
```
mysql> select * from domains\G
```
STARTING_PSEUDONUMBER is the first token to be used by the new server. This value can be any number that is the same length as the appliance configured token length (default 16 digits). This value can be reused between multiple domains. A value of '3000000000000001' is the suggested format for SID 3.

Adding a new server with SID = 3 to a cluster with DID 1 and 2, the commands would be
```
mysql> insert into server_domains values (3,1, '3000000000000001','Active',null,null); 
mysql> insert into server_domains values (3,2, '3000000000000001','Active',null,null); 
```
Log out of mysql and change to the 'root' linux account
```
shell> su -
```
Using a text editor (gedit or vi), edit the firewall settings to unblock replication between the existing appliances and the new appliance. There should be a set of rules for port 7001, 7002, and 7003 that need to the IPAddress Range modified to incorporate the new appliance's IP Address. Once the changes have been saved, restart the firewall
```
shell> service iptables restart
```
Logout of the 'root' account
```
shell> logout
```
In order for the new configurations to take effect, the application on the SAKA appliance must be restarted. All customer traffic to this appliance should be routed to one of the other appliances. Once the appliance has stopped receiving new transactions, glassfish can be restarted
```
shell> sudo /sbin/service glassfishd restart
```
The three KeyCustodians must activate cryptographic services using their USB Tokens by running the KC-SetPINTool either directly on the appliance or remotely from their own laptops/workstations. Once the KeyCustodians have completed their task, appliance functionality should be verified using the ping webservice.
```
shell> java -cp /usr/local/strongauth/topaz/sakaclient.jar ping https://saka01.<domain-name>:8181 <DID> <'pinguser' password>
```
Steps E-1-1 through E-1-10 should be repeated on all other existing nodes.
A database dump from one of the existing servers must be created to be imported into the new appliance. To ensure no records are lost during this process, it is recommended that all traffic be routed through a single appliance. Before the database dump is created, verify that any other processing appliances have completed replication to the others. An empty replication table on any appliance would indicate that it is up to date with replication
```
mysql> select * from replication where tsid!=SID;
```
SID must be the numeric value of the new SID to be added to the cluster.

With replication up to date, create the database dump on the 'primary' appliance using the --ignore-table=strongkeylite.replication, --no-create-info, and --replace options
```
shell> mysqldump -u skles -p strongkeylite --ignore-table=strongkeylite.replication --no-create-info –-insert-ignore > /usr/local/strongauth/dbdumps/strongkeylite-newserver.db
```
Once this file has been successfully generated, transactions can be sent to all appliances again.