Product Documentation
Step 2: On the Same Machine after Installing Rocky 9.3
Now that you have replaced the operating system on the machine, you can begin the process of restoring all of the data.
- Insert the external storage device that has the backups on it into the machine and copy over the backups to /usr/local/software.
shell> cp -r backups/ /usr/local/software - Set up the network of the machine to match the original network settings from before the OS upgrade.
- Open the ifcfg files from the backup and compare them to the nmconnection files in Rocky 9.
- The following is an example of opening the ifcfg-eno1 file in the backup as well as its contents.
shell> vi /usr/local/software/backups/ifcfg-eno1
# Generated by parse-kickstart
TYPE=Ethernet
DEVICE=eno1
UUID=43bd7267-dd20-4843-8520-66f71e53f42c
ONBOOT=no
BOOTPROTO=none
IPV6INIT=no
PROXY_METHOD=none
BROWSER_ONLY=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME="System eno1"
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPADDR=10.0.1.50
PREFIX=24
GATEWAY=10.0.1.1
DNS1=10.0.1.1 - The following is an example of opening the eno1.nmconnection file in Rocky Linux 9 as well as its contents.
shell> vi /etc/NetworkManager/system-connections/eno1.nmconnection
[connection]
id=eno1
uuid=46af48df-a0f6-4327-ae3b-8c530ad94e23
type=ethernet
interface-name=eno1
timestamp=1692292957
[ethernet]
[ipv4]
address1=10.0.2.241/24,10.0.2.1
dns=10.0.2.1;
method=manual
[ipv6]
addr-gen-mode=eui64
method=disabled
[proxy] - Check the Interface name (IFNAME) by running below command and then enable autoconnect to automatically connect to the network after reboot.
shell> nmcli device shell> nmcli device set <IFNAME> autoconnect yes
NOTE: Please do NOT restart NetworkManager to bring up the networking as this might affect replication during the restoration of the software stack.
- Confirm the time and timezone are configured as per the location of the server.
shell> date
If the time or timezone is not configured as expected, run below commands to update time and timezone in respective order.
shell> timedatectl set-timezone <time-zone> shell> timedatectl set-time <curret-time>
NOTE: Run 'shell> timedatectl list-timezones' command to list all the possible timezones.
- Confirm if the hostname of the appliance is as expected:
shell> hostname
If the hostname is not configured as expected, run below command to update the hostname.
shell> hostnamectl set-hostname <FQDN>
- Update the new server with any changes that might have been made on the old server to /etc/hosts.
shell> cat /usr/local/software/backups/hosts
shell> vi /etc/hosts - Install the same version of SAKA that was on the machine before the upgrade. First start by unzipping the saka.zip file into /usr/local/software.
shell> cd /usr/local/software
shell> unzip backups/saka.zip -d /usr/local/software - Now use a text editor such as gedit or vi to edit the following section of the install-saka.sh script to customize IP address, passwords, database size, etc.
shell> vi saka/install-saka.sh
- The first section of the install script will look like this
##########################################
# Company name for self signed certificate
COMPANY="StrongAuth Inc"
# Server Passwords
GLASSFISH_PASSWORD=adminadmin
LINUX_PASSWORD=ShaZam123
MARIA_ROOT_PASSWORD=BigKahuna
MARIA_SKLES_PASSWORD=AbracaDabra
# Batch Request user
BR1_LINUX_USERNAME=domain1
BR1_LINUX_PASSWORD=Prest099
BR1_LINUX_LOCK='Y' # Lock Batch request user?
# Servers in cluster. For larger clusters, add more lines like 'SERVER#=<FQDN>' where # = SID
SERVER1='saka01.strongkey.com'
#SERVER2='saka02.strongkey.com'
#SERVER3='saka03.strongkey.com'
#SERVER4='saka04.strongkey.com'
TPM_MFR='nuvoton' # 'nuvoton' for Dell R6414,
# 'nuvoton gen2' for Dell R7525
# 'infineon' or 'infineon gen2' for legacy HP EliteDesk mini,
# 'infineon gen3' for current HP EliteDesk mini
SAKA_PROFILE=SAKA
FIPS_MODE=N
##### CCS Domains #####
CCS_DOMAINS=0
##### Replication Module #####
HELPER_THREADS=10
########################################## - Replace the COMPANY variable with the name of the company.
- The GLASSFISH_PASSWORD parameter is the password for the admin user for the Payara application server. Assign the server’s GLASSFISH_PASSWORD to this variable.
- The LINUX_PASSWORD parameter is the password for the strongauth user in the Linux operating system environment. Assign the server’s LINUX_PASSWORD to this variable.
- The MARIA_ROOT_PASSWORD parameter is the password for the root user of the MariaDB database. Assign the server’s MARIA_ROOT_PASSWORD To this variable.
- The MARIA_SKLES_PASSWORD parameter is the password for the skles user of the MariaDB database. Assign the server’s MARIA_SKLES_PASSWORD to this variable.
- The BR1_LINUX_USERNAME parameter is the name of the batch request user in the Linux operating system environment. Assign the server’s BR1_LINUX_USERNAME to this variable.
- The BR1_LINUX_PASSWORD parameter is the password for the domain1 user in the Linux operating system environment. Assign the server’s BR1_LINUX_PASSWORD To this variable.
- The BR1_LINUX_LOCK parameter is to determine whether the batch request user account will be locked. Assign the server’s BR1_LINUX_LOCK to this variable.
- The SERVER# variables define the servers in the SAKA cluster. Assign the FQDN of each appliance to these variables.
- If the server is using Trusted Platform Module (TPM), then set the TPM_MFR value to the correct value for the server.
- Modify the CCS_DOMAINS variable to be a comma separated list of the server’s CCS domains.
- The first section of the install script will look like this
- In another section of the install script, you will see the following set of flags.
# Flags to indicate if a module should be installed
INSTALL_BC=Y
INSTALL_CRYPTOKI=N
INSTALL_CRYPTOSERVER=N
INSTALL_GLASSFISH=Y
INSTALL_FSO=N
INSTALL_TPM2=Y
INSTALL_MARIA=Y
INSTALL_OPENLDAP=Y
INSTALL_TOPAZ=Y- If the server is using a Hardware Security Module (HSM), then set INSTALL_TPM2=N and INSTALL_CRYPTOKI=Y.
- Run the install-saka.sh script
shell> ./saka/install-saka.sh
- Stop all services.
shell> systemctl stop glassfishd
shell> systemctl stop mysqld
shell> systemctl stop slapd Ensure that all services have been stopped using the following commands: shell> nfn 8181 shell> nfn 3306 If mysqld and glassfishd are still active, list the process ID's and force kill the processes: shell> pf mysqld shell> pf str shell> pf glassfishd shell> kill -9 (pid from the above command) - Move the strongauth folder that has been created after installation of SAKA.
shell> mv /usr/local/strongauth /usr/local/strongauth-newinstall
- Move the strongauth zip file from the backup to /usr/local and unzip it.
shell> mv /usr/local/software/backups/strongauth.zip /usr/local
shell> unzip strongauth.zip - Update permissions for new strongauth directory.
shell> chown -R strongauth:strongauth /usr/local/strongauth shell> chown -R strongauth:domain<#> /usr/local/strongauth/batchrequests/domain<#> shell> chown -R kc1:kc1 /usr/local/strongauth/strongkeylite/kc1 shell> chown -R kc2:kc2 /usr/local/strongauth/strongkeylite/kc2 shell> chown -R so:so /usr/local/strongauth/strongkeylite/so
- Update the new server with any changes that might have been made on the old server to the firewall settings.
shell> cat /usr/local/software/backups/public.xml
shell> vi /etc/firewalld/zones/public.xml - Update the new server with any changes that might have been made on the old server to the bashrc files.
shell> cat /usr/local/software/backups/bashrc
shell> vi /etc/bashrc - Update the new server with any changes that might have been made on the old server to the ssh config files.
shell> cat /usr/local/software/backups/ssh_config
shell> vi /etc/ssh/ssh_config
shell> cat /usr/local/software/backups/sshd_config
shell> vi /etc/ssh/sshd_config - Update the new server with any changes that might have been made on the old server to the my.conf file.
shell> cat /usr/local/software/backups/my.cnf
shell> vi /etc/my.cnf - Restore LDAP configurations as "root" user. Login to a terminal as "root" user:
#Make copies of the original configuration files shell> cp -r /etc/openldap/slapd.d /etc/openldap/slapd.0 shell> cp -r /var/lib/ldap /var/lib/ldap.0 #Remove the contents of /etc/openldap/slap.d and /var/lib/ldap shell> rm -r /etc/openldap/slapd.d/* shell> rm -r /var/lib/ldap/*
- Rocky 9 utilizes the MDB databases and we need to migrate the HDB databases created on centos 7 to MDB databases. Make a copy of the config.ldif file and edit the file with the following changes for Rocky9
shell> cp /usr/local/strongauth/dbdumps/config.ldif /usr/local/strongauth/dbdumps/rockyconfig.ldif # Edit the config file shell> vi /usr/local/strongauth/dbdumps/rockyconfig.ldif STEP 1: Comment out the following data #olcArgsFile: /var/run/openldap/slapd.args #olcPidFile: /var/run/openldap/slapd.pid #olcTLSCACertificatePath: /etc/openldap/certs #olcTLSCertificateFile: "OpenLDAP Server" #olcTLSCertificateKeyFile: /etc/openldap/certs/password STEP 2: Replace all instances of “hdb” with “mdb” and “Hdb” with “Mdb”. Save and exit the file
- Restore the configuration.ldif first:
shell> slapadd -F /etc/openldap/slapd.d -n 0 -l /usr/local/strongauth/dbdumps/rockyconfig.ldif # change the ownership and restart slapd shell> chown -R ldap:ldap /etc/openldap/slapd.d shell> chown -R ldap:ldap /var/lib/ldap shell> systemctl restart slapd
- Restore the database.ldif to the directory and restart slapd
shell> slapadd -F /etc/openldap/slapd.d -n 2 -l /usr/local/strongauth/dbdumps/databackup.ldif shell> systemctl restart slapd
- Reboot the machine.
shell> init 6
- Set SAKA pins.
shell> KC-SetPINTool.sh
- Test SAKA and SKFS transactions to ensure that everything is working and that the database is intact.