Product Documentation

The final step of the installation replicates the CEM domain on the Secondary SAKA.

  1. In Window1, execute create-SKCE-Users.sh to set up service credentials for the CEM. Specify 2 for domain number 2 and a password for the service credentials:

    shell> ./create-SKCE-Users.sh 2 <password>

    This should be the same password as provided in Add System Users [Primary], Step 2.

  2. In Window1, change directory to /usr/local/strongauth/skce.

    shell> cd ~/skce
  3. In Window1, use scp or sftp to securely copy the keystores directory from the primary node to this node:

    shell> scp -r strongauth@<primary-node>:skce/keystores .
  4. In Window1, change directory to /usr/local/strongauth/skce/etc.

    shell> cd ~/skce/etc
  5. Edit the skce-configuration.properties file. Update the value of the following two properties to reflect the values specified in Add System Users [Primary], Step 2:

    skce.cfg.property.saka.cluster.1.domain.1.password=
    skce.cfg.property.saka.cluster.1.domain.1.username=
  6. In Window1, change directory to /usr/local/strongauth/skcc/etc.

    shell> cd ~/skcc/etc
  7. Edit the skcc-configuration.properties file. Update the values of the following properties: set skcc.cfg.property.sakapwd to the pinguser password specified in Create System Users [Primary], Step 3, and set skcc.cfg.property.service.cc.ce.password, skcc.cfg.property.service.cc.fe.password, and skcc.cfg.property.service.cc.ce.ping.password to the passwords from Add System Users [Primary], Step 3:

    skcc.cfg.property.sakapwd=
    skcc.cfg.property.service.cc.ce.password=
    skcc.cfg.property.service.cc.fe.password=
    skcc.cfg.property.service.cc.ce.ping.password=
  8. In Window1, if using a self-signed certificate for the applicationID (see Configure the SKCE domain [Primary]), import it into the Payara TrustStore using the certimport script:

    shell> certimport.sh <FQDN> -p<PORT> -kGLASSFISH
    Examples:
    certimport.sh saka01.strongauth.com -p8181 -kGLASSFISH
    certimport.sh www.domain.com -p443 -kGLASSFISH
  9. In Window1, use sudo and restart the Payara application server (supply the strongauth user's password when prompted):

    shell> sudo systemctl restart payara 
    
    # For SAKA version 4.12 and below, use the following command:
    shell> sudo service glassfishd restart
    
  10. In Window1, change directory to /usr/local/strongauth/bin.

    shell> cd ~/bin
  11. In Window1, execute KC-SetPINTool.sh.

    shell> ./KC-SetPINTool.sh
  12. Using the red, green, and blue flash drives, set the PINs for the three KCs to activate the cryptographic hardware module on the appliance, ensuring there are no errors in Window1 or Window2.
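
Before the restart in step 9, the properties edited in steps 5 and 7 can be checked for missing or empty values. The script below is an added example, not part of the StrongKey distribution: the function names are hypothetical, the default paths assume the ~/skce/etc and ~/skcc/etc directories used above, and the world-readable permission check is an added precaution rather than a documented requirement.

```shell
#!/bin/sh
# Added example (not a StrongKey script): verify the properties edited in
# steps 5 and 7 before restarting Payara. Values are never printed.

# prop_state FILE KEY -> prints SET, EMPTY or MISSING
prop_state() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                 # skip comment lines
        {
            i = index($0, "=")
            if (i == 0) next
            name = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (name == k) state = (val == "" ? "EMPTY" : "SET")
        }
        END { print (state == "" ? "MISSING" : state) }
    ' "$1"
}

# check_props FILE KEY... -> one line per problem; returns 0 only if none
check_props() {
    file=$1; shift
    rc=0
    [ -r "$file" ] || { echo "UNREADABLE $file"; return 1; }
    # The files hold service passwords, so flag world-readable permissions.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "WORLD-READABLE $file"; rc=1
    fi
    for key in "$@"; do
        state=$(prop_state "$file" "$key")
        [ "$state" = SET ] || { echo "$state $key"; rc=1; }
    done
    return $rc
}

# Default paths assume the strongauth home layout used in the steps above.
check_skce() {
    check_props "${1:-$HOME/skce/etc/skce-configuration.properties}" \
        skce.cfg.property.saka.cluster.1.domain.1.username \
        skce.cfg.property.saka.cluster.1.domain.1.password
}
check_skcc() {
    check_props "${1:-$HOME/skcc/etc/skcc-configuration.properties}" \
        skcc.cfg.property.sakapwd \
        skcc.cfg.property.service.cc.ce.password \
        skcc.cfg.property.service.cc.fe.password \
        skcc.cfg.property.service.cc.ce.ping.password
}
# Usage: check_skce && check_skcc && echo "properties OK"
```

A property that was pasted onto the same line as another one is reported as MISSING, because only the text before the first `=` on a line is treated as the key.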

This concludes the installation of the SAKA cluster. If you have any questions or problems, please contact us by email or call us at (408) 331-2000.

Details about how to configure the appliance for a specific environment are presented in KAM Configuration.

Detailed documentation about configuring individual components of SAKA is available at the following sites. It is strongly recommended that you make a full backup of SAKA before making any change that might affect the operations of the appliance.

NOTE: On machines using the TPM, resetting the TPM from the BIOS setup (or from any other software that interacts with the TPM directly) will permanently delete the EC keys within the module, thus invalidating all keys and encrypted data within SAKA. It is strongly recommended that the BIOS password be protected very carefully and that any administration of the appliance at the BIOS level be performed very carefully.