The second step of the process continues on the New SAKA server. This step restores the database, verifies the credentials of the three Key Custodians, initializes the cryptographic hardware module and starts the process of migrating the appliance's master key to an existing appliance.
- On the New SAKA server, follow steps P-1-1 through P-1-8 from Chapter 2 of the SAKA-2.0-Reference-Rev01.pdf as though starting a new installation. Ensure the correct properties are set in the install-saka.sh script for SERVERS and IPADDRESS_RANGES.
- While the new appliance is being configured, it is necessary to block web services in the unlikely event that transactions are mistakenly sent to it. Using a text editor (gedit or vi), edit the firewall settings to block port 8181 by adding a comment character (#) at the beginning of the line containing the rule for port 8181. Once the changes have been saved, restart the firewall:
shell> service iptables restart
- Log out of the SAKA
- Log in to the SAKA as 'strongauth'
- Start up 2 shell windows
- In Window 1, copy the database dump created in step E-1-12 onto the new appliance:
shell> scp saka01.<domain-name>:/usr/local/strongauth/dbdumps/strongkeylite-newserver.db /usr/local/strongauth/dbdumps
- In Window 1, log in to the MySQL database 'strongkeylite' as the 'skles' user:
shell> mysql -u skles -p strongkeylite
- Source the database dump to bring the new server up to date with the others in the cluster:
mysql> source /usr/local/strongauth/dbdumps/strongkeylite-newserver.db
When the dump has finished loading, log out of MySQL.
- If any custom configurations have been added to the existing appliances in the /usr/local/strongauth/strongkeylite/etc/strongkeylite-configuration.properties file, these should be duplicated on the new server.
- In Window 1, restart the Glassfish application server
shell> sudo /sbin/service glassfishd restart
- In Window 2, go to the /usr/local/strongauth/glassfish/domains/domain1/logs directory:
shell> cd /usr/local/strongauth/glassfish/domains/domain1/logs
- In Window 2, run tail -f on the server.log file:
shell> tail -f server.log
- In Window 1, change directory to /usr/local/strongauth/bin:
shell> cd ~/bin
- In Window 1, execute Secondary-SAKA-Setup-Wizard.sh:
shell> ./Secondary-SAKA-Setup-Wizard.sh
- Follow the wizard steps to completion, ensuring there are no errors in Window 1 or Window 2. If there are any errors, determine the cause, log out of the session, log back in as root and execute the cleanup.sh script to clean out the installation. Fix the cause of the error and restart the installation process from Step 2.
NOTE: You will need the MASK from one of the existing SAKAs during this step. It would have been created on the Black USB Token during the original cluster installation. If the Black USB Token is unavailable, a copy of the MASK file can be found at /usr/local/strongauth/strongkeylite/etc/FQDN-mask.xml on any existing SAKA.
- In Window 1, restart the Glassfish application server:
shell> sudo /sbin/service glassfishd restart
- In Window 1, execute KC-SetPINTool.sh:
shell> ./KC-SetPINTool.sh
- Using the Red, Green and Blue flash-drives, set the PINs for the three Key Custodians to activate the cryptographic hardware module on the appliance, ensuring there are no errors in Window1 or Window2
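Two checks a practitioner can script for the steps above, namely that the port 8181 rule really is commented out in the firewall rules file and that custom entries in strongkeylite-configuration.properties were carried over to the new server. This is an added example, not code from the SAKA product or its documentation; the file paths are assumed (on a RHEL-style host the iptables rules file is typically /etc/sysconfig/iptables) and the property keys in the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added pre-flight helpers, not part of the SAKA product or its documentation.
# Paths passed in are assumed (e.g. /etc/sysconfig/iptables on a RHEL-style host);
# property keys in the samples are constructed placeholders.

# Returns 0 when no active (uncommented) rule for port 8181 remains in the rules file.
port_8181_blocked() {
  ! grep -v '^[[:space:]]*#' "$1" | grep -q -- '--dport 8181'
}

# Print the keys of a Java-style properties file, sorted (comments and blank lines skipped).
prop_keys() {
  grep -v '^[[:space:]]*[#!]' "$1" | grep '=' | cut -d= -f1 | sed 's/[[:space:]]*$//' | sort -u
}

# Keys set on the existing appliance ($1) but absent from the new server's file ($2).
missing_keys() {
  ref=$(mktemp); new=$(mktemp)
  prop_keys "$1" > "$ref"; prop_keys "$2" > "$new"
  comm -23 "$ref" "$new"
  rm -f "$ref" "$new"
}

# Keys present in both files whose values differ (existing appliance's file first).
differing_keys() {
  awk -F= '
    /^[[:space:]]*[#!]/ || NF < 2 { next }
    { v = substr($0, index($0, "=") + 1) }
    NR == FNR { ref[$1] = v; next }
    ($1 in ref) && ref[$1] != v { print $1 }' "$1" "$2"
}

# Constructed sample inputs written to a temp directory; prints that directory's path.
make_samples() {
  d=$(mktemp -d)
  printf '%s\n' '#-A INPUT -p tcp --dport 8181 -j ACCEPT' \
    '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$d/iptables"
  printf '%s\n' '-A INPUT -p tcp --dport 8181 -j ACCEPT' > "$d/iptables-active"
  printf '%s\n' 'strongkeylite.cfg.property.custom1=alpha' \
    'strongkeylite.cfg.property.custom2=beta' \
    'strongkeylite.cfg.property.shared=same' > "$d/existing.properties"
  printf '%s\n' 'strongkeylite.cfg.property.shared=same' \
    'strongkeylite.cfg.property.custom2=gamma' > "$d/new.properties"
  echo "$d"
}
```

On a real appliance, run port_8181_blocked against the firewall rules file before restarting iptables, and missing_keys / differing_keys against a properties file copied from an existing SAKA and the new server's own copy.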