Change the Replica Instance IPv4 Network Settings

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Jun 13, 2017.
Version 2

You can change the replica instance IPv4 network settings, such as the subnet mask, default gateway, hostname or IP address. There are several reasons why you might need to change the network settings. For example, you might need to change the IP address to resolve an IP address conflict with another resource, you might need to change the subnet mask when the network is reorganized, or you might need to change network settings when you move an appliance from one data center to another.

Before you begin 

  • Users cannot authenticate on this instance while you perform this procedure, and some administrative features are not available. Plan to perform this procedure at a time when the absence of authentication service is minimally disruptive.

  • You must be a Super Admin.

Procedure 

  1. On the replica instance, log on to the Operations Console.

  2. Click Administration > Network > Appliance Network Settings.

  3. Under Global Settings, configure the following:

    • In the Fully Qualified Domain Name field, modify the fully qualified domain name (FQDN).

    • For DNS Servers, add, update or remove an IP address from the list of IP addresses for DNS servers.

      • To add an IP address, enter the IP address in the DNS Server IP Address field and click Add.

      • To update an IP address, select the IP address from the list, modify the IP address in the DNS Server IP Address field and click Update.

      • To remove an IP address, select the IP address from the list and click Remove.

      • To change the order in which the DNS servers are used, select an IP address and click the up or down arrow.

      You may enter multiple IP addresses, and specify the order. Authentication Manager submits DNS lookup queries to the DNS servers in the order listed.

    • For DNS Search Domains, add, update or remove a domain from the list of DNS search domains.

      • To add a search domain, enter the name of the domain in the DNS Search Domain field and click Add.

      • To update a search domain, select the name of the domain from the list, modify the name in the DNS Search Domain field and click Update.

      • To remove a search domain, select the domain from the list and click Remove.

      • To change the order in which the domains are searched, select the domain and click the up or down arrow.

      You may enter multiple search domains, and specify the order. Authentication Manager uses the search domains in the order listed.

  4. For each network interface card (NIC) that you want to use, configure the following:

    1. In the IPv4 Address field, modify the IP address. Each NIC supports one IP address.

    2. In the IPv4 Subnet Mask field, modify the subnet mask.

    3. In the IPv4 Default Gateway field, modify the IP address.

      Note:  Configure IPv6 Settings only if your deployment contains authentication agents that use the IPv6 protocol. The IPv6 settings contain an additional field, IPv6 Prefix Length, instead of the Subnet Mask field.

  5. To configure an additional NIC, select the Enabled checkbox under the name of the NIC, and configure the settings. For a virtual appliance, the Appliance Network Settings page displays an additional NIC only after you add the NIC on the virtual machine hosting the appliance.

    Note:  Both NICs cannot share an IP address. RSA recommends using a different subnet for each NIC. If two NICs share the same subnet and one NIC becomes unavailable, then Authentication Manager services will not be available on either NIC.

    All Authentication Manager services are available on both NICs. You can configure your network to use NIC1 or NIC2 for specific types of traffic, but failover is only provided for agent authentication.

    If you want agents to communicate with the IP address of an additional NIC, you must configure the IP address of the additional NIC as an alternate IP address. For more information, see Add Alternate Agent IP Addresses for Servers.

  6. Click Next. The Operations Console displays a review page.

  7. Review the changes you made, highlighted in bold and italic. Click Change Network Settings to accept the changes, click Back to make additional changes, or click Cancel.

  8. Select Yes, change network settings, and click Change Network Settings.

    To apply the changes, Authentication Manager restarts the system-level networking service. If you changed the hostname or IP address, Authentication Manager restarts additional services. After the services are running, the Operations Console and the Security Console are available at the new hostname and IP address.
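Added example (not RSA code and not part of the original procedure): a pre-flight check of the values planned for steps 4 and 5, run on an administrator workstation before the change window so that a bad mask, an off-subnet gateway or a duplicated NIC address is caught before authentication service is interrupted. The function name check_nic_plan, the NIC labels and the sample addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations


def check_nic_plan(nics):
    """Validate planned IPv4 settings; return (errors, warnings).

    nics maps a NIC label to (ipv4_address, subnet_mask, default_gateway),
    the three fields from step 4, all as dotted-quad strings.
    """
    errors, warnings, parsed = [], [], {}
    for name, (addr, mask, gw) in nics.items():
        try:
            iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
            gateway = ipaddress.IPv4Address(gw)
        except ValueError as exc:  # malformed address, mask or gateway
            errors.append(f"{name}: {exc}")
            continue
        net = iface.network
        if str(iface.netmask) != mask:
            # ipaddress also accepts host masks such as 0.0.0.255; reject them
            errors.append(f"{name}: {mask} is not a subnet mask")
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            errors.append(f"{name}: {iface.ip} is reserved in {net}")
        if gateway not in net:
            errors.append(f"{name}: gateway {gateway} is outside {net}")
        elif gateway == iface.ip:
            errors.append(f"{name}: gateway is the NIC's own address")
        parsed[name] = iface
    for (a, ia), (b, ib) in combinations(sorted(parsed.items()), 2):
        if ia.ip == ib.ip:  # the page: both NICs cannot share an IP address
            errors.append(f"{a} and {b} share IP address {ia.ip}")
        elif ia.network.overlaps(ib.network):  # allowed, but not recommended
            warnings.append(f"{a} and {b} are on overlapping subnets "
                            f"({ia.network}, {ib.network})")
    return errors, warnings


# Constructed sample plan (documentation address ranges, not real hosts).
SAMPLE_PLAN = {
    "NIC1": ("192.0.2.10", "255.255.255.0", "192.0.2.1"),
    "NIC2": ("192.0.2.20", "255.255.255.0", "198.51.100.1"),
}

if __name__ == "__main__":
    errs, warns = check_nic_plan(SAMPLE_PLAN)
    print("\n".join([f"ERROR: {e}" for e in errs] + [f"WARNING: {w}" for w in warns]))
```

Errors are settings that should not be submitted; the subnet warning reflects the note in step 5 that two NICs on the same subnet lose service together if one becomes unavailable.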

After you finish 

Complete these tasks after changing your replica instance hostname or IP address. If you change both the hostname and the IP address, you must perform all of the tasks that apply to your deployment. Changes to other network settings, such as the subnet mask, do not require these additional tasks.

                                                               

| Task | Hostname Change Requirement | IP Address Change Requirement |
|---|---|---|
| Update the DNS server with the new hostname or IPv4 address. | Yes | Yes |
| Verify that the hostname used to access the Consoles (Operations Console, Security Console, and the Self-Service Console) resolves to the new IP address. | No | Yes |
| If you installed an SSL certificate that is signed by a third-party certificate authority (CA), changing the hostname causes the deployment to revert to the SSL certificate signed by the Authentication Manager CA that is enabled when the instance is deployed. To install a new SSL certificate, import a new SSL certificate that is signed by the third-party certificate authority and whose common name (CN) is the new hostname. For instructions, see Replacing the Console Certificate. | Yes | No |
| Configure authentication agents to communicate with the new IP address. Generate a new configuration file, sdconf.rec, and deploy it to all authentication agents. For instructions, see Generate the Authentication Manager Configuration File. If you want agents to communicate with the IP address of an additional NIC, you must configure the IP address of the additional NIC as an alternate IP address. For more information, see Add Alternate Agent IP Addresses for Servers. | No | Yes |
| Repair any trusted realm relationships. For instructions, see Repair a Trust Relationship with a Version 8.0 or Later Realm. | Yes | No |
| Wait five minutes for the web tier to update. You can then make additional hostname changes as needed. In a replicated deployment, the web tier obtains the replica instance hostname from the primary instance. The waiting period allows the web tier to maintain communication with the Authentication Manager instances. | Yes | No |
| Update any other external clients, such as RADIUS and SNMP, to use the new IP address. Changing the IP address for the replica instance also updates the RADIUS IP address. Reconfigure RADIUS clients so that they send requests to the new IP address. | No | Yes |
| Update any external clients, such as RADIUS clients and SNMP, to use the new hostname. | Yes | No |
| Check the replication status for the replica instance, and synchronize the replica instance if necessary. For instructions, see Synchronize a Replica Instance. | Yes | Yes |
| Check the replication status for RADIUS. For instructions, see Initiate Replication to RADIUS Replica Servers. | Yes | Yes |

