This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
NareshJagernaut
Beginner
Beginner
‎2017-08-11 11:49 AM

Migrating from hardware appliances to Virtual

Jump to solution

We currently have 2 hardware appliances and want to migrate to virtual appliances. Can we simply add the virtual appliances as replicas and then when we're ready switch the virtual to primary and shutdown the hardware appliances? We would also be changing the hostname and IP to match the shutdown hardware appliance.

Reply
1 Solution

Accepted Solutions
JayGuillette
Contributor Contributor
Contributor
‎2017-08-11 12:08 PM

Jump to solution

Since Hardware and virtual appliances inter-operate (if same of close software versions) then there are a couple different ways to do this, including attaching a virtual replica to a physical primary and promoting.  Then you could change the name and IP of the newly promoted virtual to the shutdown original physical primary.

You could also backup the database from the physical and restore it to the virtual, either an isolated virtual with the same name and IP or a virtual that you change to the same name and IP as the original hardware appliance after original is offline (which would make all agents think they were communicating to the original hardware primary and you would not need to update their sdconf.rec files 

View solution in original post

Reply
8 Replies
JayGuillette
Contributor Contributor
Contributor
‎2017-08-11 12:08 PM

Jump to solution

Since Hardware and virtual appliances inter-operate (if same of close software versions) then there are a couple different ways to do this, including attaching a virtual replica to a physical primary and promoting.  Then you could change the name and IP of the newly promoted virtual to the shutdown original physical primary.

You could also backup the database from the physical and restore it to the virtual, either an isolated virtual with the same name and IP or a virtual that you change to the same name and IP as the original hardware appliance after original is offline (which would make all agents think they were communicating to the original hardware primary and you would not need to update their sdconf.rec files 

View solution in original post

Reply
GregHowley
Beginner
Beginner
‎2020-03-11 09:12 AM

Jump to solution

similar question.  We have 4 appliances, 2 virtual & 2 physical.  Primary is virtual.  To migrate the physical replicas, is it simply a matter of backing them up, shutting them down & installing to virtual with the same name & IP?

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
In response to GregHowley
‎2020-03-11 09:34 AM

Jump to solution

You don't have to migrate replicas, you simply deploy a new virtual replica then remove the original hardware replica from the Primary Operations console and shut it down.  You can then rename the new virtual replica to the name of the now decommissioned HW appliance, likewise you  could also re-IP the new virtual to use to IP of the old HW appliance.

 

A replica is kind of a real time, mostly read-only backup or copy of the primary database, so you do not backup the replica database, nor do you migrate it.

 

Optionally you could delete the HW replica first, then deploy the new virtual replica with the original name and IP of the hardware, so that DNS would not need modifications

0 Likes
Reply
GregHowley
Beginner
Beginner
In response to JayGuillette
‎2020-03-11 09:36 AM

Jump to solution

Excellent, thanks very much.

0 Likes
Reply
GregHowley
Beginner
Beginner
In response to JayGuillette
‎2020-04-27 04:48 PM

Jump to solution

Hi Jay,

 

Further to this question: my VM team is asking if there is an ova file they need to create the new VM.

Am I wrong in assuming that they just stand up a standard Windows Server and I push the replication to it?

 

Thanks

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
In response to GregHowley
‎2020-04-27 05:04 PM

Jump to solution

Am servers can be deployed as a VM .ova file that you would download from RSA Link, which you would need a valid license to do.

You Navigate to the AM Authentication Manager Downloads...

https://community.rsa.com/community/products/securid/authentication-manager/downloads 

where you will see patches and updates, but there is also a link to [Full Product Downloads]  which is where the .ova files to deploy a new VM are located.

RSA_Link_Downloads_Full-Prod.png

1. Deploy a VM .ova as a replica to your currently deployed Primary, then

2. when ready promote that replica to be the new Primary. 

3. Optionally you can shut down the original primary and rename and /or Re-IP the new VM primary to be the same as the original.

0 Likes
Reply
GregHowley
Beginner
Beginner
In response to JayGuillette
‎2020-04-30 12:20 PM

Jump to solution

Jay,

 

Thanks so much for your help. I have successfully configured & attached

the new VM replicas.

 

Before I do the official cutover, my ISP and Network teams have asked me to

"confirm that the key has been also replicated to the new RSA"

Is this done in the replication?

 

Thanks

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
‎2020-04-30 01:42 PM

Jump to solution

Short answer is yes.

The Primary generates a unique private key when deployed, from a unique Self Signed Root CA that was generated when RSA created your company's AM license.  This Cert is primarily used as the console certificate, which is why your browser complains that it is an un-trusted, unknown CA Certificate Authority (because RSA is not a Certificate Authority like Verisign, Go Daddy, Comodo, etc...)  That same Root CA signs the Certs for all replicas deployed from this primary.

 

But these keys are not stored in the AM database, therefore they are not "replicated" through replication.  They are stored in .jks files local to the AM server, primary or replica.  so the replica has its key, but it got there through deployment not through replication.

 

Many customer replace the RSA self-signed Console Certificate with a cert signed either by their own internal CA or from a public CA.

000030016 - How to replace the RSA Authentication Manager 8.1 SP1 self-signed console certificate w... 

You can also replace Virtual host Web Tier RSA self signed certificate in a similiar manner.

https://community.rsa.com/docs/DOC-64670  

A few customers copy the Root CA self signed certificate and import it into their browsers because they "trust" this certificate because they verified the SHA2 signature on the RSA software when they downloaded from RSA Link Download Central, and they installed the Primary, so they have 1st hand trust instead of asserted trust through a CA.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.