000020180 - How to safely patch RSA ACE/Server 5.0.x to the latest patch

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000020180
Applies ToRemote Administration
RSA ACE/Server 5.0.x (no longer supported as of 8-15-2004)
IssueHow to safely patch RSA ACE/Server 5.0.x to the latest patch
What are the best steps when patching RSA ACE/Server?
Problem:
- Large companies have large numbers of ACE/Server administrators using Remote Administration on their distributed (globally) workstations.
- Patching ACE/Server and then not patching Remote Administration application boxes that communicate to the Primary ACE/Server can cause the following:
*        Database instability
*        Delta records mismatch issues
*        Inability to update replicas
*        Crashing of the sdadmind service
ResolutionSolution:
Take following steps just prior to installing patch:

1. Use the service sdadmind port number to lock out un-patched versions of Remote Administration:
        a. sdadmind service is by default 5550

        b. For each patch level add a number (patch 1 port number = 5551 and patch 3 would = 5553)

2. NOTE additional changes would be required:
        a. %system root%\system32\drivers\etc\services:
          i. First step required for change in the second step
          ii. The services file must be edited. Change the port number for service sdadmind to
                (5553 for patch 3) the new number, save changed file
          iii. Insure name of file did not change I.E. services.txt

        b. sdconf.rec
          i. Change the sdconf.rec by editing / changing configuration mgmt services? block port
                number for administration. If you get an error message when you click [OK] check the
                services file.
          ii. The file ?\ace\data\sdconf.rec would need to be repopulated throughout the primary
                and replica servers. locations to replace the file include:
                1. %systemroot%\system32\sdconf.rec
                2. ?\ace\data\realms\{primary server name}\sdconf.rec

        c. Server will have to be restarted for changes to take effect

3. Install patch 3
        a. After successful install of patch 3:
          i. Stop Replicas >> Restart Primary >> test functionality
          ii. Edit %system root%\system32\drivers\etc\services file on all replicas
          iii. Run the patch on replicas
          iv. On primary Copy from ?/ace/data/sdconf.rec & aceserver_50_p03_ra.exe
          v. Distribute these two files to all authorized remote administration installations
                1. Replace the sdconf.rec file in ?\ace\data\realms\{primary name}\ with the new file
                2. Run the aceserver_50_p03_ra.exe file as administrator on the workstations
        b. Now only authorized and patched workstations with the new port configuration will
                function. You will have avoided potential database corruption.

NOTE: Firewall port lockouts may also have to be modified to allow remote administration communication on the new port numbers (added security by changing the port numbers periodically).
Legacy Article IDa15282

Attachments

    Outcomes