Change the Primary Instance IPv4 Network Settings

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Jun 13, 2017.
Version 2

You can change the IPv4 network settings that were created during Quick Setup, such as the subnet mask, default gateway, hostname or IP address. There are several reasons why you might need to change the network settings. For example, you might need to change the IP address to resolve an IP address conflict with another resource, you might need to change the subnet mask when the network is reorganized, or you might need to change network settings when you move an appliance from one data center to another.

Before you begin 

  • Users are unable to authenticate on this instance while you perform this procedure, and some administrative features are not available. Plan to perform this procedure at a time when the absence of authentication service is minimally disruptive.

  • Changing the hostname for a single primary instance in a deployment with a web tier requires you to reinstall the web tier. In a replicated deployment, the web tier automatically obtains the updated hostname.

  • You must be an Operations Console administrator.

  • If you change the primary instance hostname or IP address in a replicated deployment, Super Admin credentials are required for the Next Steps.

Procedure 

  1. On the primary instance, log on to the Operations Console.

  2. Click Administration > Network > Appliance Network Settings.

  3. Under Global Settings, configure the following:

    • In the Fully Qualified Domain Name field, modify the fully qualified domain name (FQDN).

    • For DNS Servers, add, update or remove an IP address from the list of IP addresses for DNS servers.

      • To add an IP address, enter the IP address in the DNS Server IP Address field and click Add.

      • To update an IP address, select the IP address from the list, modify the IP address in the DNS Server IP Address field and click Update.

      • To remove an IP address, select the IP address from the list and click Remove.

      • To change the order in which the DNS servers are used, select an IP address and click the up or down arrow.

      You may enter multiple IP addresses, and specify the order. Authentication Manager submits DNS lookup queries to the DNS servers in the order listed.

    • For DNS Search Domains, add, update or remove a domain from the list of DNS search domains.

      • To add a search domain, enter the name of the domain in the DNS Search Domain field and click Add.

      • To update a search domain, select the name of the domain from the list, modify the name in the DNS Search Domain field and click Update.

      • To remove a search domain, select the domain from the list and click Remove.

      • To change the order in which the domains are searched, select the domain and click the up or down arrow.

      You may enter multiple search domains, and specify the order. Authentication Manager uses the search domains in the order listed.

  4. For each network interface card (NIC) that you want to use, configure the following:

    1. In the IPv4 Address field, modify the IP address. Each NIC supports one IP address.

    2. In the IPv4 Subnet Mask field, modify the subnet mask.

    3. In the IPv4 Default Gateway field, modify the IP address.

    Note:  Configure IPv6 Settings only if your deployment contains authentication agents that use the IPv6 protocol. The IPv6 settings contain an additional field, IPv6 Prefix Length, instead of the Subnet Mask field.

  5. To configure an additional NIC, select the Enabled checkbox under the name of the NIC, and configure the settings. For a virtual appliance, the Appliance Network Settings page displays an additional NIC only after you add the NIC on the virtual machine hosting the appliance.

    Note:  Both NICs cannot share an IP address. RSA recommends using a different subnet for each NIC. If two NICs share the same subnet and one NIC becomes unavailable, then Authentication Manager services will not be available on either NIC.

    All Authentication Manager services are available on both NICs. You can configure your network to use NIC1 or NIC2 for specific types of traffic, but failover is only provided for agent authentication.

    If you want agents to communicate with the IP address of an additional NIC, you must configure the IP address of the additional NIC as an alternate IP address. For more information, see Add Alternate Agent IP Addresses for Servers.

  6. Click Next. The Operations Console displays a review page.

  7. Review the changes you made, highlighted in bold and italic. Click Apply Network Settings to accept the changes, click Back to make additional changes, or click Cancel.

    To apply the changes, Authentication Manager restarts the system-level networking service. If you changed the hostname or IP address, Authentication Manager restarts additional services. After the services are running, the Operations Console and the Security Console are available at the new hostname and IP address.
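A pre-change check of the values entered in steps 4 and 5, written for this page as an added example (it is not RSA code). It enforces the NIC rules in the notes above; the gateway-on-subnet and reserved-address checks are general IPv4 rules assumed here, and the function name and sample addresses are hypothetical.

```python
import ipaddress

def validate_nic_plan(nics):
    """nics maps a NIC name to (ipv4_address, subnet_mask, default_gateway).
    Returns a list of (severity, message); an empty list means no findings."""
    findings, parsed = [], {}
    for name, (addr, mask, gw) in nics.items():
        try:
            iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
            gateway = ipaddress.IPv4Address(gw)
        except ValueError as exc:  # malformed address or non-contiguous mask
            findings.append(("error", f"{name}: {exc}"))
            continue
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(("error", f"{name}: {iface.ip} is reserved in {net}"))
        if gateway not in net:
            # General IPv4 rule, not stated on the page: the gateway must be on-link.
            findings.append(("error", f"{name}: gateway {gateway} is outside {net}"))
        elif gateway == iface.ip:
            findings.append(("error", f"{name}: gateway equals the NIC address"))
        parsed[name] = iface
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].ip == parsed[b].ip:
                # Page rule: both NICs cannot share an IP address.
                findings.append(("error", f"{a} and {b} share {parsed[a].ip}"))
            elif parsed[a].network.overlaps(parsed[b].network):
                # Page recommendation: use a different subnet for each NIC.
                findings.append(("warning", f"{a} and {b} are on the same subnet; "
                                 "losing one NIC makes services unavailable on both"))
    return findings

# Constructed sample plan (documentation address ranges), not real deployment values.
PLANNED = {
    "NIC1": ("192.0.2.10", "255.255.255.0", "192.0.2.1"),
    "NIC2": ("192.0.2.20", "255.255.255.0", "192.0.2.1"),
}

if __name__ == "__main__":
    for severity, message in validate_nic_plan(PLANNED):
        print(f"{severity.upper()}: {message}")
```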

After you finish 

Complete these tasks after changing your primary instance hostname or IP address. If you change both the hostname and the IP address, you must perform all of the tasks that apply to your deployment. Changes to other network settings, such as the subnet mask, do not require these additional tasks.

| Task | Hostname Change Requirement | IP Address Change Requirement |
|---|---|---|
| Update the DNS server with the new hostname or IP address. | Yes | Yes |
| Verify that the hostname used to access the RSA Consoles (Operations Console, Security Console, and Self-Service Console) resolves to the new IP address. | No | Yes |
| In a replicated deployment, after updating your DNS server, you must log on to the replica instance Operations Console and update the primary instance hostname and IP address on the replica instance. A replica instance requires the primary instance hostname and IP address in order to communicate with the primary instance. For instructions, see Update the Primary Instance Hostname and IP Address on a Replica Instance. | Yes | Yes |
| If you installed an SSL certificate that is signed by a third-party certificate authority (CA), changing the hostname causes the deployment to revert to the SSL certificate signed by the Authentication Manager CA that is enabled when the instance is deployed. To install a new SSL certificate, import a new SSL certificate that is signed by the third-party certificate authority and whose common name (CN) is the new hostname. For instructions, see Replacing the Console Certificate. | Yes | No |
| Configure authentication agents to communicate with the new IP address. Generate a new configuration file, sdconf.rec, and deploy it to all authentication agents. For instructions, see Generate the Authentication Manager Configuration File. If you want agents to communicate with the IP address of an additional NIC, you must configure the IP address of the additional NIC as an alternate IP address. For more information, see Add Alternate Agent IP Addresses for Servers. | No | Yes |
| Repair any trusted realm relationships. For instructions, see Repair a Trust Relationship with a Version 8.0 or Later Realm. | Yes | No |
| If you changed the hostname in a replicated deployment that includes a web tier, the web tier obtains the primary instance hostname from a replica instance. After you update the primary instance hostname on every replica instance, wait five minutes for the web tier to update. You can then make additional replica instance hostname changes as needed. | Required in a replicated deployment. | No |
| If you changed the hostname for a single primary instance and your deployment includes a web tier but no replica instances, you must reinstall the web tier. For instructions, see the chapter “Installing Web Tiers” in the Setup and Configuration Guide. | Required if there is only one Authentication Manager instance | No |
| Update any other external clients, such as RADIUS and SNMP, to use the new IP address. Changing the IP address for the primary instance also updates the RADIUS IP address. Reconfigure RADIUS clients so that they send requests to the new IP address. | No | Yes |
| Update any external clients, such as RADIUS clients and SNMP, to use the new hostname. | Yes | No |
| If your deployment includes a replica instance, check the replication status for the primary instance. Synchronize the replica instance if necessary. For instructions, see Synchronize a Replica Instance. | Yes | Yes |
| Check the replication status for RADIUS. For instructions, see Initiate Replication to RADIUS Replica Servers. | Yes | Yes |
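A post-change check for two of the tasks above, written for this page as an added example (it is not RSA code): it confirms that the console hostname resolves only to the new IP address, and that the console certificate still verifies against the platform trust store, which fails if the hostname change reverted the deployment to the certificate signed by the Authentication Manager CA and that CA is not trusted locally. The function names are hypothetical, and the FQDN, IP address and console port are supplied by the operator.

```python
import socket
import ssl
import sys

def resolves_only_to(fqdn, expected_ip, resolver=socket.getaddrinfo):
    """Return (ok, addresses). ok is True only when every IPv4 address
    returned for fqdn equals expected_ip, so a stale record fails the check."""
    try:
        infos = resolver(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return False, set()
    addrs = {info[4][0] for info in infos}
    return addrs == {expected_ip}, addrs

def console_cert_verifies(fqdn, port, timeout=5.0):
    """TLS handshake with chain validation and hostname checking enabled.
    Returns (ok, detail); a verification failure carries the reason."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer or a name that does not match the new hostname.
        return False, exc.verify_message
    except OSError as exc:
        return False, f"connection failed: {exc}"

if __name__ == "__main__":
    # Usage: script.py <console-fqdn> <new-ip> <console-port>
    fqdn, new_ip, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    print("DNS :", resolves_only_to(fqdn, new_ip))
    print("TLS :", console_cert_verifies(fqdn, port))
```

Run it from a workstation that uses the same DNS servers as the administrators and agents, since a cached record on one resolver can hide a stale entry on another.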
