000024898 - How to change the primary server's hostname or IP address in RSA ACE/Server 5.1/5.2 and RSA Authentication Manager 6.0/6.1 on Windows

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000024898
Applies To: Microsoft Windows
RSA ACE/Server 5.1/5.2
RSA Authentication Manager 6.0/6.1
Issue: Change the primary server's hostname or IP address in RSA ACE/Server 5.1/5.2 and RSA Authentication Manager 6.0/6.1 on Windows
 
Cause: RSA ACE/Server and RSA Authentication Manager are both extremely dependent on name resolution. Forward and reverse lookups need to work with both host names and fully-qualified domain names (FQDN). The RSA SecurID database is tied to both the FQDN and the IP address of the primary ACE/Server; changing either the FQDN or IP address invalidates your replica table and locks you out of your database. In addition, since some DNS servers cannot return uppercase characters in a host name or DNS suffix, always use a lowercase FQDN.
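A check for the name-resolution dependency described above, as an added example that is not RSA tooling: it verifies that the host name and the FQDN both resolve to the expected address, that the address reverses to exactly that FQDN, and that the FQDN is lowercase. The host name acepri, the domain example.com, the 192.0.2.x addresses and the sample resolver functions are constructed for illustration.

```python
import socket

def check_name_resolution(short_name, fqdn, expected_ip,
                          forward=socket.gethostbyname,
                          reverse=socket.gethostbyaddr):
    """Return a list of problems; an empty list means all lookups agree."""
    problems = []
    # The article's rule: always use a lowercase FQDN.
    if fqdn != fqdn.lower():
        problems.append(f"FQDN {fqdn!r} contains uppercase characters")
    if not fqdn.lower().startswith(short_name.lower() + "."):
        problems.append(f"{fqdn!r} is not the FQDN of host {short_name!r}")
    # Forward lookups must work for the host name and for the FQDN.
    for name in (short_name, fqdn):
        try:
            ip = forward(name)
        except OSError as exc:  # gaierror and herror derive from OSError
            problems.append(f"forward lookup of {name!r} failed: {exc}")
            continue
        if ip != expected_ip:
            problems.append(f"{name!r} resolves to {ip}, not {expected_ip}")
    # The reverse lookup must return exactly the FQDN stored for the primary.
    try:
        ptr_name = reverse(expected_ip)[0]
    except OSError as exc:
        problems.append(f"reverse lookup of {expected_ip} failed: {exc}")
    else:
        if ptr_name != fqdn:
            problems.append(f"{expected_ip} reverses to {ptr_name!r}, not {fqdn!r}")
    return problems

# Constructed sample records standing in for DNS (not from the article).
SAMPLE_A = {"acepri": "192.0.2.10", "acepri.example.com": "192.0.2.10"}
SAMPLE_PTR = {"192.0.2.10": "acepri.example.com"}

def sample_forward(name):
    if name.lower() not in SAMPLE_A:
        raise socket.gaierror(f"no address record for {name}")
    return SAMPLE_A[name.lower()]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(f"no PTR record for {ip}")
    return SAMPLE_PTR[ip], [], [ip]

if __name__ == "__main__":
    # Planned new address, checked before DNS has been updated.
    for problem in check_name_resolution("acepri", "acepri.example.com",
                                         "192.0.2.20", sample_forward,
                                         sample_reverse):
        print(problem)
```

Called without the last two arguments, the function uses the system resolver, so it can be run on the primary before the change and again after the reboot.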
Resolution

How to change a hostname or IP address in RSA ACE/Server 5.1/5.2 and RSA Authentication Manager 6.0/6.1 on Windows


 


To rename or change the IP address of the primary server:


  1. Stop all RSA services on the primary server and prevent automatic restarting. Do one of the following:


    For 6.1:

    a. Log on as a Local Administrator.

    b. Go to Start > Programs > RSA Security > RSA Authentication Manager > RSA Authentication Manager Control Panel.

    c. Select Start & Stop RSA Auth Mgr Services, Stop All.

    d. Under Auto-Start, select Edit, and remove the check from the box.

    e. Close and exit the Authentication Manager Control Panel.


    For versions up to 6.0.x:

    a. Open the Windows Control Panel, and click the RSA ACE/Server icon.

    b. Uncheck the auto-start option.

    c. Click the Stop button. Click OK on the ACE/Server stopping messages and, after a short delay, click OK to close the window.
     
  2. Do one of the following:


    For 6.1: Go to Start > Programs > RSA Security > RSA Authentication Manager > RSA Authentication Manager Configuration Tools > RSA AM Replica Management.


    For versions up to 6.0.x: Go to Start > Programs > RSA ACE Server > Configuration Tools > Replication management.
     
  3. Change the name or IP address of the primary server:

    a. Highlight the primary server and click Details.

    b. Change the name and/or the IP addresses of the primary RSA ACE/Server.


    c. Click OK to confirm that you changed the name and must also change the system name.
     
  4. Change the primary server's name or IP address on the operating system, and reboot.
  5. Start Replication Management again. (See above for program location.) When Replication Management runs, it detects whether or not the system name and/or IP address match the primary server identification in the database, which now carries the change you indicated in step 3b.
  6. When you see the following message, click OK to confirm the change:


    Note: If you see the following message, you either did not change the system information, or you changed the system information to something other than what you specified in step 3.
  7. In most cases, you should re-enable auto-start for the RSA Services after restarting the RSA Services and testing.
  8. For versions up to 6.0.x: If you have replicas and if "Push DB" is enabled on the primary, copy only the ACEDATA\replica_package\license directory to all Replicas. If "Push DB" is disabled on the Primary, do the following:


    On UNIX-based systems:

    a. Copy the ACEDATA/replica_package directory to all UNIX-based replicas.

    b. Apply the replica package. On the replica, run the following command:
    ACEPROG/sdsetup -apply_package {pathname}
    where pathname is the location of the replica package files.


    On Windows:

    Copy and replace the replica's ace\data\sdserv.(db, bi, vrs, lg) files with the files from the ACEDATA\replica_package\database\sdserv.*. Repeat the same process with the files in the license subfolder of the replica_package.

    Note: For more information about "Push DB", see the RSA ACE/Server Windows / (UNIX) Installation Guide in the ACEDOC directory.

Additional Configuration


 


After changing the name of the Primary, you may need to perform additional tasks. Review the following items, and complete the items that apply to your deployment.


  • For all Remote Administration machines: Copy the files sdconf.rec and server.cer from the ACEDATA directory on the primary to the following directory on the Remote Administration machine:
    ace/data/realms/{ACE/Server Primary Name}/
    Rename the ACE/Server Primary Name folder to match the changed name, if applicable. Also, when the IP address is changed, new sdconf.rec files must be generated for all agent hosts and delivered to those agent hosts, replacing the existing file. If the name did not change, be sure to delete the failover.dat file after copying the new sdconf.rec and server.cer files. For more information, see the RSA ACE/Server Windows / (UNIX) Installation Guide in the ACEDOC directory.
  • For a server specified as a Local Realm Server or a Remote Realm Server for cross-realm authentication: Edit the realm record in the local and remote realm databases to reflect the new name or IP address. For more information, see the Help topic "Edit Realm".
  • For a server specified as an RSA RADIUS server: Configure all RADIUS clients to use the new name or IP address. For specific configuration instructions, see the NAS device manual. In addition, you must modify the RSA RADIUS server's Agent Host record to reflect the new name or IP address. For instructions, see "Adding Servers as Agent Hosts to the Primary Database" in the RSA ACE/Server Windows / (UNIX) Installation Guide in the ACEDOC directory.
  • For a server specified as an Acting Server for legacy Agent Hosts: Generate new sdconf.rec files for all legacy Agent Hosts that use this Server as an Acting Master or Acting Slave Server and distribute the sdconf.rec file to those Agent Hosts. For more information, see the Help topic "Assign Acting Servers".
  • For a server specified in any sdopts.rec files for version 5 + Agent Hosts: Edit the sdopts.rec file on the Agent Host to reflect the new name or IP address of the server.
 

To change the host name on earlier RSA ACE/Servers, see the following solutions:


Notes: Prior to changing the IP address and/or hostname of the RSA Authentication Manager server, create a backup of your database by running a database dump, then saving copies of the sdserv.dmp, sdlog.dmp and license.rec from ACEDATA to a location outside of the RSA Authentication Manager directory structure. Steps to dump the databases can be found in the RSA Authentication Manager Administrator's Guide.
Legacy Article ID: a19555
