Product Documentation

Step 2: On the Same Machine after Installing Rocky 9.3

Now that you have replaced the operating system on the machine, you can begin the process of restoring all of the data.

 

  1. Insert the external storage device that has the backups on it into the machine and copy over the backups to /usr/local/software.
    shell> cp -r backups/ /usr/local/software
  2. Set up the network of the machine to match the original network settings from before the OS upgrade.
    1. Open the ifcfg files from the backup and compare them to the nmconnection files in Rocky 9.
    2. The following is an example of opening the ifcfg-eno1 file in the backup as well as its contents.
      shell> vi /usr/local/software/backups/ifcfg-eno1

      # Generated by parse-kickstart
      TYPE=Ethernet
      DEVICE=eno1
      UUID=43bd7267-dd20-4843-8520-66f71e53f42c
      ONBOOT=no
      BOOTPROTO=none
      IPV6INIT=no
      PROXY_METHOD=none
      BROWSER_ONLY=no
      DEFROUTE=yes
      IPV4_FAILURE_FATAL=no
      NAME="System eno1"
      IPV6_DEFROUTE=yes
      IPV6_FAILURE_FATAL=no
      IPADDR=10.0.1.50
      PREFIX=24
      GATEWAY=10.0.1.1
      DNS1=10.0.1.1
    3. The following is an example of opening the eno1.nmconnection file in Rocky Linux 9 as well as its contents.
      shell> vi /etc/NetworkManager/system-connections/eno1.nmconnection

      [connection]
      id=eno1
      uuid=46af48df-a0f6-4327-ae3b-8c530ad94e23
      type=ethernet
      interface-name=eno1
      timestamp=1692292957

      [ethernet]

      [ipv4]
      address1=10.0.2.241/24,10.0.2.1
      dns=10.0.2.1;
      method=manual

      [ipv6]
      addr-gen-mode=eui64
      method=disabled

      [proxy]
    4. Check the interface name (IFNAME) by running the command below, then enable autoconnect so the interface connects to the network automatically after a reboot.
      shell> nmcli device
      shell> nmcli device set <IFNAME> autoconnect yes
      
    NOTE: Please do NOT restart NetworkManager to bring up the networking as this might affect replication during the restoration of the software stack.
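An added example, not part of the SAKA documentation: a small script that derives the [ipv4] keys a NetworkManager keyfile needs from a CentOS 7 ifcfg-* backup and compares them with the Rocky 9 .nmconnection file, so the comparison in step 2 is a diff rather than a visual check. It handles only the IPv4 address, prefix, gateway, DNS and method, and assumes the ifcfg file uses PREFIX rather than NETMASK; the sample files it writes are constructed from the addresses shown above.

```shell
#!/bin/sh
# Added example (not part of the SAKA documentation): derive the [ipv4] keys
# of a NetworkManager keyfile from a CentOS 7 ifcfg backup and compare them
# with the Rocky 9 .nmconnection file. Only IPv4 address/prefix/gateway/DNS/
# method are handled; PREFIX (not NETMASK) is assumed in the ifcfg file.

# Read one KEY=VALUE entry from an ifcfg file (quotes and comments stripped).
ifcfg_get() { sed -n "s/^$2=//p" "$1" | sed 's/#.*//; s/"//g' | head -n 1; }

# Print the [ipv4] block the keyfile would need for this ifcfg file.
ifcfg_to_nm_ipv4() {
    ip=$(ifcfg_get "$1" IPADDR); prefix=$(ifcfg_get "$1" PREFIX)
    gw=$(ifcfg_get "$1" GATEWAY); dns=$(ifcfg_get "$1" DNS1)
    printf '[ipv4]\n'
    # BOOTPROTO=dhcp maps to method=auto; a static IPADDR maps to method=manual.
    if [ "$(ifcfg_get "$1" BOOTPROTO)" = dhcp ]; then printf 'method=auto\n'; return 0; fi
    # keyfile syntax: address1=<ip>/<prefix>,<gateway>   dns=<server>;
    printf 'address1=%s/%s%s\n' "$ip" "${prefix:-24}" "${gw:+,$gw}"
    [ -n "$dns" ] && printf 'dns=%s;\n' "$dns"
    printf 'method=manual\n'
}

# Return 0 when the keyfile's address1/dns/method equal what the ifcfg implies.
nm_ipv4_matches() {
    want=$(ifcfg_to_nm_ipv4 "$1" | grep -v '^\[' | sort)
    have=$(sed -n '/^\[ipv4\]/,/^\[/p' "$2" | grep -E '^(address1|dns|method)=' | sort)
    [ "$want" = "$have" ]
}

# Constructed sample pair using the addresses shown in the documentation.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' TYPE=Ethernet DEVICE=eno1 BOOTPROTO=none IPADDR=10.0.1.50 \
        PREFIX=24 GATEWAY=10.0.1.1 DNS1=10.0.1.1 > "$d/ifcfg-eno1"
    printf '%s\n' '[connection]' id=eno1 type=ethernet '' '[ipv4]' \
        'address1=10.0.2.241/24,10.0.2.1' 'dns=10.0.2.1;' method=manual > "$d/eno1.nmconnection"
    echo "$d"
}

d=$(make_samples)
ifcfg_to_nm_ipv4 "$d/ifcfg-eno1"
nm_ipv4_matches "$d/ifcfg-eno1" "$d/eno1.nmconnection" ||
    echo "MISMATCH: bring $d/eno1.nmconnection in line with the backup before enabling autoconnect"
```

Run it against the real files (`ifcfg_to_nm_ipv4 /usr/local/software/backups/ifcfg-eno1`) to see exactly which keyfile lines to edit before `nmcli device set <IFNAME> autoconnect yes`.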
  3. Confirm the time and timezone are configured as per the location of the server.
    shell> date

    If the time or timezone is not configured as expected, run the commands below, in that order, to set the timezone and then the time.

    shell> timedatectl set-timezone <time-zone>
    shell> timedatectl set-time <current-time>
    NOTE: Run 'shell> timedatectl list-timezones' to list all valid timezones.
  4. Confirm if the hostname of the appliance is as expected:
    shell> hostname

    If the hostname is not configured as expected, run the command below to update it.

    shell> hostnamectl set-hostname <FQDN>
  5. Update the new server with any changes that might have been made on the old server to /etc/hosts.
    shell> cat /usr/local/software/backups/hosts
    shell> vi /etc/hosts
  6. Install the same version of SAKA that was on the machine before the upgrade. First start by unzipping the saka.zip file into /usr/local/software.
    shell> cd /usr/local/software
    shell> unzip backups/saka.zip -d /usr/local/software
  7. Now use a text editor such as gedit or vi to edit the following section of the install-saka.sh script to customize IP address, passwords, database size, etc.
    shell> vi saka/install-saka.sh
    1. The first section of the install script looks like this:
      ##########################################
      # Company name for self signed certificate
      COMPANY="StrongAuth Inc"

      # Server Passwords
      GLASSFISH_PASSWORD=adminadmin
      LINUX_PASSWORD=ShaZam123
      MARIA_ROOT_PASSWORD=BigKahuna
      MARIA_SKLES_PASSWORD=AbracaDabra

      # Batch Request user
      BR1_LINUX_USERNAME=domain1
      BR1_LINUX_PASSWORD=Prest099
      BR1_LINUX_LOCK='Y'                      # Lock Batch request user?

      # Servers in cluster. For larger clusters, add more lines like 'SERVER#=<FQDN>' where # = SID
      SERVER1='saka01.strongkey.com'
      #SERVER2='saka02.strongkey.com'
      #SERVER3='saka03.strongkey.com'
      #SERVER4='saka04.strongkey.com'

      TPM_MFR='nuvoton'                       # 'nuvoton' for Dell R6414,
                                              # 'nuvoton gen2' for Dell R7525,
                                              # 'infineon' or 'infineon gen2' for legacy HP EliteDesk mini,
                                              # 'infineon gen3' for current HP EliteDesk mini

      SAKA_PROFILE=SAKA

      FIPS_MODE=N

      ##### CCS Domains #####
      CCS_DOMAINS=0

      ##### Replication Module #####
      HELPER_THREADS=10

      ##########################################
    2. Replace the COMPANY variable with the name of the company.
    3. The GLASSFISH_PASSWORD parameter is the password for the admin user for the Payara application server. Assign the server’s GLASSFISH_PASSWORD to this variable.
    4. The LINUX_PASSWORD parameter is the password for the strongauth user in the Linux operating system environment. Assign the server’s LINUX_PASSWORD to this variable.
    5. The MARIA_ROOT_PASSWORD parameter is the password for the root user of the MariaDB database. Assign the server’s MARIA_ROOT_PASSWORD to this variable.
    6. The MARIA_SKLES_PASSWORD parameter is the password for the skles user of the MariaDB database. Assign the server’s MARIA_SKLES_PASSWORD to this variable.
    7. The BR1_LINUX_USERNAME parameter is the name of the batch request user in the Linux operating system environment. Assign the server’s BR1_LINUX_USERNAME to this variable.
    8. The BR1_LINUX_PASSWORD parameter is the password for the domain1 user in the Linux operating system environment. Assign the server’s BR1_LINUX_PASSWORD to this variable.
    9. The BR1_LINUX_LOCK parameter is to determine whether the batch request user account will be locked. Assign the server’s BR1_LINUX_LOCK to this variable.
    10. The SERVER# variables define the servers in the SAKA cluster. Assign the FQDN of each appliance to these variables.
    11. If the server is using Trusted Platform Module (TPM), then set the TPM_MFR value to the correct value for the server.
    12. Modify the CCS_DOMAINS variable to be a comma-separated list of the server’s CCS domains.
  8. In another section of the install script, you will see the following set of flags.
    # Flags to indicate if a module should be installed
    INSTALL_BC=Y
    INSTALL_CRYPTOKI=N
    INSTALL_CRYPTOSERVER=N
    INSTALL_GLASSFISH=Y
    INSTALL_FSO=N
    INSTALL_TPM2=Y
    INSTALL_MARIA=Y
    INSTALL_OPENLDAP=Y
    INSTALL_TOPAZ=Y
    1. If the server is using Eracom Hardware Security Module (HSM), then set INSTALL_TPM2=N and INSTALL_CRYPTOKI=Y.
    2. If the server is using Utimaco Hardware Security Module (HSM), then set INSTALL_TPM2=N and INSTALL_CRYPTOSERVER=Y.
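An added example, not part of the SAKA installer: a preflight check to run on the edited install-saka.sh before step 9. It catches a sample password left unchanged (assumption: the values shown in the script header above are placeholders), a TPM_MFR outside the values listed in the script comments, an HSM flag set without INSTALL_TPM2=N, and an empty SERVER1. The sample file it writes is a constructed stand-in for the script header, not the real installer.

```shell
#!/bin/sh
# Added example (not part of the SAKA installer): preflight checks on the
# edited install-saka.sh. Assumption: the passwords printed in the script
# header are placeholders, so finding one unchanged is a problem.

# Fetch the value of KEY=... from a script, stripping quotes and trailing comments.
cfg() { sed -n "s/^$2=//p" "$1" | sed "s/[[:space:]]*#.*//; s/[\"']//g" | head -n 1; }

# Print one line per problem found; return 0 only when nothing was found.
preflight_install_saka() {
    s="$1"; rc=0
    for pair in GLASSFISH_PASSWORD=adminadmin LINUX_PASSWORD=ShaZam123 \
                MARIA_ROOT_PASSWORD=BigKahuna MARIA_SKLES_PASSWORD=AbracaDabra \
                BR1_LINUX_PASSWORD=Prest099; do
        k=${pair%%=*}; v=${pair#*=}
        [ "$(cfg "$s" "$k")" = "$v" ] && { echo "$k still set to the sample value"; rc=1; }
    done
    # Values documented in the TPM_MFR comment of the script.
    case "$(cfg "$s" TPM_MFR)" in
        nuvoton|"nuvoton gen2"|infineon|"infineon gen2"|"infineon gen3") ;;
        *) echo "TPM_MFR is not one of the documented values"; rc=1 ;;
    esac
    # Steps 8.1/8.2: an HSM (Cryptoki or CryptoServer) requires INSTALL_TPM2=N.
    if [ "$(cfg "$s" INSTALL_CRYPTOKI)" = Y ] || [ "$(cfg "$s" INSTALL_CRYPTOSERVER)" = Y ]; then
        [ "$(cfg "$s" INSTALL_TPM2)" = N ] || { echo "HSM selected but INSTALL_TPM2 is not N"; rc=1; }
    fi
    [ -n "$(cfg "$s" SERVER1)" ] || { echo "SERVER1 is empty"; rc=1; }
    return $rc
}

# Constructed stand-in for the install-saka.sh header (values made up).
make_sample_install() {   # args: GLASSFISH_PASSWORD, TPM_MFR, INSTALL_CRYPTOKI
    f=$(mktemp)
    cat > "$f" <<EOF
COMPANY="Example Corp"
GLASSFISH_PASSWORD=$1
LINUX_PASSWORD=changed-linux-pw
MARIA_ROOT_PASSWORD=changed-root-pw
MARIA_SKLES_PASSWORD=changed-skles-pw
BR1_LINUX_PASSWORD=changed-br1-pw
SERVER1='saka01.example.com'
TPM_MFR='$2'                 # 'nuvoton' for Dell R6414
INSTALL_CRYPTOKI=$3
INSTALL_TPM2=Y
EOF
    echo "$f"
}

f=$(make_sample_install adminadmin bogus Y)
preflight_install_saka "$f" || echo "fix $f before running install-saka.sh"
```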
  9. Run the install-saka.sh script
    shell> ./saka/install-saka.sh
  10. Stop all services.
    shell> systemctl stop glassfishd
    shell> systemctl stop mysqld
    shell> systemctl stop slapd

    Ensure that all services have been stopped using the following commands:
    shell> nfn 8181
    shell> nfn 3306

    If mysqld and glassfishd are still active, list the process IDs and force kill the processes:
    shell> pf mysqld
    shell> pf str
    shell> pf glassfishd
    shell> kill -9 (pid from the above command)
  11. Move aside the strongauth folder that the SAKA installation created.
    shell> mv /usr/local/strongauth /usr/local/strongauth-newinstall
  12. Move the strongauth zip file from the backup to /usr/local and unzip it.
    shell> mv /usr/local/software/backups/strongauth.zip /usr/local
    shell> unzip strongauth.zip
  13. Update permissions for new strongauth directory.
    shell> chown -R strongauth:strongauth /usr/local/strongauth
    shell> chown -R strongauth:domain<#> /usr/local/strongauth/batchrequests/domain<#>
    shell> chown -R kc1:kc1 /usr/local/strongauth/strongkeylite/kc1
    shell> chown -R kc2:kc2 /usr/local/strongauth/strongkeylite/kc2
    shell> chown -R so:so /usr/local/strongauth/strongkeylite/so
    
  14. Update the new server with any changes that might have been made on the old server to the firewall settings.
    shell> cat /usr/local/software/backups/public.xml
    shell> vi /etc/firewalld/zones/public.xml
  15. Update the new server with any changes that might have been made on the old server to the bashrc files.
    shell> cat /usr/local/software/backups/bashrc
    shell> vi /etc/bashrc
  16. Update the new server with any changes that might have been made on the old server to the ssh config files.
    shell> cat /usr/local/software/backups/ssh_config
    shell> vi /etc/ssh/ssh_config
    shell> cat /usr/local/software/backups/sshd_config
    shell> vi /etc/ssh/sshd_config
  17. Update the new server with any changes that might have been made on the old server to the my.cnf file.
    shell> cat /usr/local/software/backups/my.cnf
    shell> vi /etc/my.cnf
  18. Restore the LDAP configuration as the root user. Log in to a terminal as root:
    #Make copies of the original configuration files
    shell> cp -r /etc/openldap/slapd.d /etc/openldap/slapd.0
    shell> cp -r /var/lib/ldap /var/lib/ldap.0
    
    #Remove the contents of /etc/openldap/slapd.d and /var/lib/ldap
    shell> rm -r /etc/openldap/slapd.d/*
    shell> rm -r /var/lib/ldap/*
    
  19. Rocky 9 uses MDB databases, so the HDB databases created on CentOS 7 must be migrated to MDB. Make a copy of the config.ldif file and edit the copy with the following changes for Rocky 9.
    shell> cp /usr/local/strongauth/dbdumps/config.ldif /usr/local/strongauth/dbdumps/rockyconfig.ldif
    
    # Edit the config file
    shell> vi /usr/local/strongauth/dbdumps/rockyconfig.ldif
    
    STEP 1: Comment out the following lines:
    #olcArgsFile: /var/run/openldap/slapd.args
    #olcPidFile: /var/run/openldap/slapd.pid
    #olcTLSCACertificatePath: /etc/openldap/certs
    #olcTLSCertificateFile: "OpenLDAP Server"
    #olcTLSCertificateKeyFile: /etc/openldap/certs/password
    
    STEP 2: Replace all instances of “hdb” with “mdb” and “Hdb” with “Mdb”.
    Save and exit the file
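An added example, not part of the SAKA documentation: the step 19 edits applied to a copy of config.ldif with sed instead of by hand, followed by a check that no hdb/Hdb reference remains and that the five attributes are commented out before slapadd is run. The sample LDIF it writes is constructed and is not a real export; a caveat is that sed works per line, so a value wrapped onto an LDIF continuation line (leading space) would need joining first.

```shell
#!/bin/sh
# Added example (not part of the SAKA documentation): perform the step 19
# edits on a copy of config.ldif and verify the result before slapadd.
# Caveat: sed is line based; a value wrapped onto an LDIF continuation line
# (leading space) must be joined first. The attributes here are short.

# Write the Rocky 9 version of an exported slapd config LDIF.
# Usage: migrate_config_ldif config.ldif rockyconfig.ldif
migrate_config_ldif() {
    sed -e 's/^\(olcArgsFile:\)/#\1/' \
        -e 's/^\(olcPidFile:\)/#\1/' \
        -e 's/^\(olcTLSCACertificatePath:\)/#\1/' \
        -e 's/^\(olcTLSCertificateFile:\)/#\1/' \
        -e 's/^\(olcTLSCertificateKeyFile:\)/#\1/' \
        -e 's/hdb/mdb/g' -e 's/Hdb/Mdb/g' "$1" > "$2"
}

# Return 0 only if no hdb/Hdb is left and none of the five attributes is still active.
check_migrated_ldif() {
    ! grep -q -e hdb -e Hdb "$1" &&
    ! grep -qE '^olc(ArgsFile|PidFile|TLSCACertificatePath|TLSCertificateFile|TLSCertificateKeyFile):' "$1"
}

# Constructed sample with the attributes step 19 names (not a real export).
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
dn: cn=config
objectClass: olcGlobal
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=example,dc=com
EOF
    echo "$f"
}

src=$(make_sample_config)
migrate_config_ldif "$src" "$src.rocky"
check_migrated_ldif "$src.rocky" && echo "OK: $src.rocky is ready for slapadd -n 0"
```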
  20. Restore the configuration LDIF (rockyconfig.ldif) first:
    shell> slapadd -F /etc/openldap/slapd.d -n 0 -l /usr/local/strongauth/dbdumps/rockyconfig.ldif
    
    # change the ownership and restart slapd
    shell> chown -R ldap:ldap /etc/openldap/slapd.d
    shell> chown -R ldap:ldap /var/lib/ldap
    shell> systemctl restart slapd
    
  21. Restore the database LDIF (databackup.ldif) into the directory and restart slapd:
    shell> slapadd -F /etc/openldap/slapd.d -n 2 -l /usr/local/strongauth/dbdumps/databackup.ldif
    shell> systemctl restart slapd
    
  22. Reboot the machine.
    shell> init 6
  23. Set the SAKA PINs.
    shell> KC-SetPINTool.sh
  24. Test SAKA and SKFS transactions to ensure that everything is working and that the database is intact.