Server Synchronization Setup

SafeWord Server Synchronization in SafeWord RemoteAccess

About SafeWord RemoteAccess

SafeWord® RemoteAccess™ delivers two-factor authentication security. Users carry hardware tokens that generate passcodes, which they use together with their PIN. When a VPN, Citrix, or Outlook Web Access user presses the button on the SafeWord token, it immediately generates and displays a single-use passcode, computed from a unique secret key by the encryption algorithm contained inside the token. The user enters the single-use passcode, followed by the user's unique PIN (if desired), to gain access.

The authentication server (also called the SafeWord server) keeps each user's token records on file. Using a secret key and an event counter, it confirms the authenticity of each passcode presented by each user. Once a passcode has been used, the system discards it and it cannot be used again. If someone steals it and tries to reuse it, the authentication server rejects the passcode and access is denied. This virtually eliminates threats from outsiders stealing, copying, or reusing passwords.


About SafeWord server synchronization

The SafeWord server component of SafeWord RemoteAccess can be installed on multiple Windows 2000 machines in order to provide the following:

  • Automatic failover in the event of failure of one of the servers or machines
  • Basic load-balancing capabilities
  • Automatic backup of token records and administrative settings

This allows SafeWord authentication to continue despite the failure or overload of any machine in the system.

When SafeWord RemoteAccess is installed on multiple machines, SafeWord server synchronization must be set up in order to keep users' token records and the built-in administrative account synchronized across multiple SafeWord servers. Record and account synchronization is done in real time. If SafeWord server synchronization is not set up in an environment including multiple SafeWord RemoteAccess servers, then failover, load balancing, and automatic backup will not work, and the out-of-sync records can lead to problems with the use of the system.

Important note: User information is contained, stored, and managed in Active Directory. Because of this, SafeWord RemoteAccess provides no backup or failover method for Active Directory user information. Active Directory provides its own backup and failover methods; please see Active Directory documentation for details.

Important note: While SafeWord server synchronization can be set up at any time, verifying synchronization will only work prior to activation of SafeWord RemoteAccess and the importing of SafeWord token records. Because of this, Aladdin Knowledge Systems (acquired by SafeNet Inc.) recommends the following:

  • Set up SafeWord server synchronization as described in this document
  • Activate SafeWord RemoteAccess and import SafeWord token records
  • Verify SafeWord server synchronization by checking for the newly imported tokens (as described in this document)

SafeWord server synchronization is different from the manual backup of token records that is detailed in the SafeWord RemoteAccess Product Guide. Manual backup and restore can be done without requiring SafeWord server synchronization (and vice versa).


Functionality of SafeWord server synchronization

Automatic failover: when a SafeWord server or machine fails, authentication requests will be forwarded to another active server (specified per your synchronization architecture, discussed below).

Basic load-balancing capabilities: if your organization's authentication load is high, installing SafeWord RemoteAccess on two or more machines can help reduce the authentication load on each machine. If one SafeWord server cannot accept an authentication request because it is too busy, the request will be sent to another available machine (specified per your synchronization architecture, discussed below).

Backing up token records: In the absence of SafeWord server synchronization, if the SafeWord server fails, needs to be reinstalled, or needs to be restored from the last manual backup, then all token records will reset to the event number at your last manual backup. Users who have used their tokens more than 16 times since the last backup will be "out of range" and will not gain access on their first authentication attempt. This is easily remedied by the users themselves: to resynchronize and get back in range, a user simply authenticates twice with two consecutive one-time passcodes.

In addition to the above, without SafeWord server synchronization in place, any changes to users' PINs since the last manual backup will be lost.
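To make the "out of range" and resync behaviour described above concrete, here is an added illustrative model; it is not SafeWord's code or algorithm. It assumes HMAC-SHA1-derived 8-digit codes and a bounded resync search; only the 16-code window comes from the text. The scenario rebuilds the server record from a stale backup, as happens without server synchronization.

```python
import hashlib, hmac

# Illustrative model added here, not SafeWord's algorithm: a passcode is derived from
# a per-token secret and an event counter. Code length, resync search depth and the
# HMAC-SHA1 derivation are assumptions; the 16-code window is from the text.
WINDOW = 16          # beyond this look-ahead a code is "out of range"
RESYNC_DEPTH = 256   # how far ahead the server searches for a resync (assumption)

def passcode(secret, counter):
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return "%08d" % (int.from_bytes(mac[:4], "big") % 100_000_000)

class Token:
    """The hardware token: each button press advances the counter and shows a code."""
    def __init__(self, secret):
        self.secret, self.counter = secret, 0
    def press(self):
        self.counter += 1
        return passcode(self.secret, self.counter)

class TokenRecord:
    """Server-side record: each counter value is accepted once, so a replayed code fails."""
    def __init__(self, secret, counter=0):
        self.secret, self.counter, self.pending = secret, counter, None
    def authenticate(self, code):
        for c in range(self.counter + 1, self.counter + WINDOW + 1):      # in range
            if passcode(self.secret, c) == code:
                self.counter, self.pending = c, None
                return True
        if self.pending is not None and passcode(self.secret, self.pending + 1) == code:
            self.counter, self.pending = self.pending + 1, None         # 2nd consecutive code
            return True
        for c in range(self.counter + WINDOW + 1, self.counter + RESYNC_DEPTH):
            if passcode(self.secret, c) == code:                       # 1st out-of-range code
                self.pending = c
                break
        return False

def restore_without_sync_scenario():
    """No sync: server restored from a backup taken at counter 0 after 20 presses."""
    secret = b"constructed-test-secret"
    token, server = Token(secret), TokenRecord(secret)
    for _ in range(20):
        assert server.authenticate(token.press())        # in sync, all accepted
    server = TokenRecord(secret, counter=0)              # restored: counter back to backup
    first, second = token.press(), token.press()
    results = [server.authenticate(first), server.authenticate(second)]
    results.append(server.authenticate(second))          # replay of a used code
    results.append(server.authenticate(token.press()))   # back in range
    return results                                       # [False, True, False, True]
```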

SafeWord RemoteAccess implements a SafeWord server synchronization architecture based on a ring topology. SafeWord server synchronization is implemented inside the Administration Service and therefore, the Administration Service must be running in order for SafeWord server synchronization to work.

Each server in the ring has up to two neighbors: a logical 'next' server in the ring, and a logical 'previous' server (see figure 1). In the case of only two servers in the ring, each server is only configured to have a 'next' neighbor (see figure 2).


Implementing SafeWord server synchronization

To implement SafeWord server synchronization, follow these steps and repeat them on all Windows 2000 servers that will participate in SafeWord server synchronization:

  • Install SafeWord RemoteAccess and install the SafeWord server component of SafeWord RemoteAccess on at least one additional machine. The additional server installation(s) must use the same database keys, but do not need to use the same ports. Follow the instructions in the SafeWord RemoteAccess Product Guide to perform the installation, to allow the RADIUS agent to point to multiple machines, and to allow the management console to connect to different SafeWord servers.
  • Stop the SafeWord Administration Service and SafeWord Authentication Engine. Do NOT stop the SafeWord Database Server.
  • Edit the {Install_Directory}/SERVERS/Shared/sccservers.ini file:
    • Locate and uncomment the line starting with "DBActionListenerClass" (by removing the first "#" character).
    • Locate and uncomment the line starting with "ReplNext_JDBC_URL".
    • Replace "NEXT_HOST" on that line with the IP address of the node that will serve as the logical 'next' node in the replication ring.
    • Only if the ring consists of more than two nodes: locate and uncomment the line starting with "ReplPrev_JDBC_URL".
    • Only if the ring consists of more than two nodes: replace "PREV_HOST" on that line with the IP address of the node that will serve as the logical 'previous' node in the replication ring.
  • Save the file.
  • Open a command window and change to directory {Install_Directory}/SERVERS/Database/bin.
  • For each neighbor of this host, run the batch file AddReplPeer.bat, passing the neighbor's IP address as the parameter. This tells the database to accept connections from the neighbor node whose name or IP address you specify on the command line.
  • Start the SafeWord Administration service and SafeWord Authentication engine services.
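As an added example (not part of the product or this document), the following Python script plans the 'next'/'previous' neighbours of a ring as described above, applies the sccservers.ini edits for one node, and lists the AddReplPeer.bat calls to run on it. The sample file contents, the JDBC URL shape and the 192.0.2.x addresses are constructed; only the key names and the NEXT_HOST/PREV_HOST placeholders come from the text.

```python
# Added example, not SafeWord's own code: plans the ring from the text (every node
# has a logical 'next'; a 'previous' only when the ring has more than two nodes)
# and applies the sccservers.ini edits for one node.
# The sample file below is constructed; only the key names come from the text.
SAMPLE_INI = """\
# constructed stand-in for {Install_Directory}/SERVERS/Shared/sccservers.ini
#DBActionListenerClass=<listener class as shipped>
#ReplNext_JDBC_URL=jdbc:<driver>://NEXT_HOST/<database>
#ReplPrev_JDBC_URL=jdbc:<driver>://PREV_HOST/<database>
"""

def ring_neighbors(nodes):
    """Map each node to (next_host, prev_host); prev_host is None in a 2-node ring."""
    n = len(nodes)
    if n < 2:
        raise ValueError("a synchronization ring needs at least two nodes")
    return {node: (nodes[(i + 1) % n], nodes[(i - 1) % n] if n > 2 else None)
            for i, node in enumerate(nodes)}

def configure_sccservers(ini_text, next_host, prev_host=None):
    """Uncomment the replication keys (drop the first '#') and fill in the hosts."""
    enable = {"DBActionListenerClass", "ReplNext_JDBC_URL"}
    if prev_host is not None:                  # ReplPrev stays commented in a 2-node ring
        enable.add("ReplPrev_JDBC_URL")
    out = []
    for line in ini_text.splitlines():
        body = line[1:] if line.startswith("#") else line
        if body.split("=", 1)[0].strip() in enable:
            line = body.replace("NEXT_HOST", next_host)
            if prev_host is not None:
                line = line.replace("PREV_HOST", prev_host)
        out.append(line)
    return "\n".join(out) + "\n"

def add_repl_peer_commands(next_host, prev_host=None):
    """AddReplPeer.bat calls to run in {Install_Directory}/SERVERS/Database/bin on this node."""
    return ["AddReplPeer.bat " + h for h in (next_host, prev_host) if h is not None]

if __name__ == "__main__":
    ring = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]   # constructed addresses
    for node, (nxt, prv) in ring_neighbors(ring).items():
        print("==", node, "==")
        print(configure_sccservers(SAMPLE_INI, nxt, prv))
        print("\n".join(add_repl_peer_commands(nxt, prv)))
```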

Important note: If you are installing SafeWord RemoteAccess for the first time, follow the steps above. If, however, you have been using a single SafeWord server and are adding a second (or further) server, you must first perform a manual backup of the first server and manually restore it to the machine(s) hosting the additional SafeWord server(s). See the SafeWord RemoteAccess Program Guide for more information on manual backup and restore. As noted previously, remember that you cannot verify SafeWord server synchronization if you have already activated the product and imported token records.


Verifying SafeWord server synchronization

Important note: Verifying SafeWord server synchronization can only be done prior to activation of SafeWord RemoteAccess and the importing of token records.

To verify that SafeWord server synchronization is working in your implementation of SafeWord RemoteAccess, perform the following test on any system in the SafeWord server synchronization ring.

Importing tokens

Insert your Token Data CD. Select the Import/Backup/Restore feature under the SafeWord folder. Browse to or specify the path to the import file located on your Token Data CD and press the Import button.

To verify that the import has completed successfully, select the Tokens feature under the SafeWord folder. Verify that the list of Token IDs imported appears in the right-hand pane.

Verify that the change is reflected on the other server(s) in the synchronization ring. To do this you will need to either 1) set up a separate SafeWord Active Directory Management console configured to access the Administration service on the other server, or 2) reconfigure your existing console to access this other server. Please see the SafeWord RemoteAccess Product Guide for further details.


Checking synchronization state

To check if SafeWord server synchronization is in a steady state (i.e., a state in which all changes are propagated to other SafeWord servers):

  • Open a command window and change to directory {Install_Directory}/SERVERS/Database/bin.
  • Run the batch file called "QueryChangeLog".
  • The node has reached steady state once the output says: "Empty set."
  • Repeat these steps on every node in the ring; the check must pass on all of them.

Restoring records and settings with SafeWord server synchronization

If a machine or server fails in this architecture, authentication requests will be diverted (per the previously described architecture) to the next available machine. As all token records and database information have been copied in real time to all machines, there will be no disparity in records and no failed authentications for users. Once the failed machine is back online, SafeWord server synchronization will automatically replicate the token records and administrative information to the restored machine. (If the neighbor nodes were up when the failed node went down, the neighbor nodes need to be restarted.) A manual restore is necessary only if the failed machine requires a clean reinstall of the SafeWord RemoteAccess software. In this case, manually back up one of your online servers and manually restore the information to the machine with the clean reinstall. See the SafeWord RemoteAccess Program Guide for more information on manual backup and restore.