Change the Primary Instance IPv4 Network Settings

You can change the IPv4 network settings that were created during Quick Setup, such as the subnet mask, default gateway, hostname or IP address. There are several reasons why you might need to change the network settings. For example, you might need to change the IP address to resolve an IP address conflict with another resource, you might need to change the subnet mask when the network is reorganized, or you might need to change network settings when you move an appliance from one data center to another.

Before you begin

  • Users are unable to authenticate on this instance while you perform this procedure, and some administrative features are not available. Plan to perform this procedure at a time when the absence of authentication service is minimally disruptive.

  • Changing the hostname for a single primary instance in a deployment with a web tier requires you to reinstall the web tier. In a replicated deployment, the web tier automatically obtains the updated hostname.

  • You must be an Operations Console administrator.

  • If you change the primary instance hostname or IP address in a replicated deployment, Super Admin credentials are required for the Next Steps.

  • If the primary instance is deployed in Amazon Web Services (AWS), you must first change the IP address on the AWS instance. For instructions, see Change the IP Address of a Primary or Replica Instance in Amazon Web Services.

  • If the primary instance is deployed in Azure, check for an available private IP address. For instructions, see your Azure documentation.

Procedure

  1. On the primary instance, log on to the Operations Console.

  2. Click Administration > Network > Appliance Network Settings.

  3. Under Global Settings, configure the following:

    • In the Fully Qualified Domain Name field, modify the fully qualified domain name (FQDN).

    • For DNS Servers, add, update or remove an IP address from the list of IP addresses for DNS servers.

      • To add an IP address, enter the IP address in the DNS Server IP Address field and click Add.

      • To update an IP address, select the IP address from the list, modify the IP address in the DNS Server IP Address field and click Update.

      • To remove an IP address, select the IP address from the list and click Remove.

      • To change the order in which the DNS servers are used, select an IP address and click the up or down arrow.

      You may enter multiple IP addresses, and specify the order. Authentication Manager submits DNS lookup queries to the DNS servers in the order listed.

    • For DNS Search Domains, add, update or remove a domain from the list of DNS search domains.

      • To add a search domain, enter the name of the domain in the DNS Search Domain field and click Add.

      • To update a search domain, select the name of the domain from the list, modify the name in the DNS Search Domain field and click Update.

      • To remove a search domain, select the domain from the list and click Remove.

      • To change the order in which the domains are searched, select the domain and click the up or down arrow.

      You may enter multiple search domains, and specify the order. Authentication Manager uses the search domains in the order listed.

  4. For each network interface card (NIC) that you want to use, configure the following:

    1. In the IPv4 Address field, modify the IP address. Each NIC supports one IP address.

    2. In the IPv4 Subnet Mask field, modify the subnet mask.

    3. In the IPv4 Default Gateway field, modify the IP address.

    Note: Configure IPv6 Settings only if your deployment contains authentication agents that use the IPv6 protocol. The IPv6 settings contain an additional field, IPv6 Prefix Length, instead of the Subnet Mask field.

  5. To configure an additional NIC, select the Enabled checkbox under the name of the NIC, and configure the settings. For a virtual appliance, the Appliance Network Settings page displays an additional NIC only after you add the NIC on the virtual machine hosting the appliance.

    Authentication Manager supports dual network interface card (NIC) configurations on the hardware appliance, the Amazon Web Services virtual appliance, the Hyper-V virtual appliance, and the VMware virtual appliance. The Azure virtual machine supports one NIC, and one IP address for the NIC. Features that require more than one NIC are not available on the Azure virtual machine.

    Note: Both NICs cannot share an IP address. RSA recommends using a different subnet for each NIC. If two NICs share the same subnet and one NIC becomes unavailable, then Authentication Manager services will not be available on either NIC.

    All Authentication Manager services are available on both NICs. You can configure your network to use NIC1 or NIC2 for specific types of traffic, but failover is only provided for agent authentication.

    If you want agents to communicate with the IP address of an additional NIC, you must configure the IP address of the additional NIC as an alternate IP address. For more information, see Add Alternative IP Addresses for Instances.

  6. Click Next. The Operations Console displays a review page.

  7. Review the changes you made, highlighted in bold and italic. Click Apply Network Settings to accept the changes, click Back to make additional changes, or click Cancel.

    To apply the changes, Authentication Manager restarts the system-level networking service. If you changed the hostname or IP address, Authentication Manager restarts additional services. After the services are running, the Operations Console and the Security Console are available at the new hostname and IP address.

  8. (Optional) You can download a text file that contains the updated network settings for the primary instance. You can refer to this information if you need to restore the original system image on a hardware appliance or if you need to replace a virtual appliance. Do the following:

    1. On the primary instance, log on to the Operations Console.

    2. Click Administration > Network > Appliance Network Settings.

    3. Under Download Network Settings, click Download network settings.

    4. Save the FQDN_backupOfNetworkSettings.txt file in an external location where it is available for convenient reference.
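
The NIC constraints in steps 4 and 5 can be checked before you apply the change. The following is an added example, not part of the RSA documentation or product: the function name, the input layout, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

def check_nic_plan(nics, platform="vmware"):
    """Return findings for a planned IPv4 NIC configuration (empty list = none).

    nics: list of dicts with 'name', 'address', 'mask' and 'gateway' keys.
    This input layout is constructed for the example, not a product format.
    """
    findings, parsed = [], []
    if platform == "azure" and len(nics) > 1:
        findings.append("error: the Azure virtual machine supports one NIC")
    for nic in nics:
        name = nic["name"]
        try:
            # Accepts dotted masks such as 255.255.255.0; rejects non-contiguous masks.
            iface = ipaddress.IPv4Interface(f"{nic['address']}/{nic['mask']}")
            gateway = ipaddress.IPv4Address(nic["gateway"])
        except ValueError as exc:
            findings.append(f"error: {name}: {exc}")
            continue
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"error: {name}: {iface.ip} is not a usable host address in {net}")
        if gateway not in net:
            findings.append(f"error: {name}: gateway {gateway} is outside {net}")
        elif gateway == iface.ip:
            findings.append(f"error: {name}: gateway equals the NIC address")
        parsed.append((name, iface))
    # Pairwise checks from the note in step 5: no shared IP, separate subnets recommended.
    for i, (name_a, a) in enumerate(parsed):
        for name_b, b in parsed[i + 1:]:
            if a.ip == b.ip:
                findings.append(f"error: {name_a} and {name_b} share {a.ip}")
            elif a.network.overlaps(b.network):
                findings.append(f"warning: {name_a} and {name_b} are on the same subnet; "
                                "if one NIC fails, services are unavailable on both")
    return findings

# Constructed sample plans using documentation address ranges.
GOOD = [
    {"name": "NIC1", "address": "192.0.2.10", "mask": "255.255.255.0", "gateway": "192.0.2.1"},
    {"name": "NIC2", "address": "198.51.100.10", "mask": "255.255.255.0", "gateway": "198.51.100.1"},
]
SAME_SUBNET = [GOOD[0], dict(GOOD[0], name="NIC2", address="192.0.2.11")]

if __name__ == "__main__":
    for plan in (GOOD, SAME_SUBNET):
        print(check_nic_plan(plan) or "no findings")
```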

After you finish

Complete these tasks after changing your primary instance hostname or IP address. If you change both the hostname and the IP address, you must perform all of the tasks that apply to your deployment. Changes to other network settings, such as the subnet mask, do not require these additional tasks.

Each task is followed by its Hostname Change Requirement and its IP Address Change Requirement.

  • For an Azure virtual appliance hostname change, perform the steps in Change the Hostname of a Primary or Replica Instance in Azure.

    Hostname Change Requirement: Yes
    IP Address Change Requirement: No

  • For an Azure virtual appliance IP address change, make sure to update the IP address on the Azure virtual machine:

    1. Log on to the Azure Portal.
    2. On the Services tab, search for Virtual Machines.
    3. Navigate to the RSA Authentication Manager virtual machine.
    4. Stop the virtual machine.
    5. Create a new NIC that uses the new IP address that was configured in the Operations Console.
    6. Attach the new NIC to the Authentication Manager virtual machine.
    7. Remove the original NIC.
    8. Start the virtual machine.

    Hostname Change Requirement: No
    IP Address Change Requirement: Yes

  • Update the DNS server with the new hostname or IP address.

    The Azure appliance requires you to configure a DNS server in the virtual network or use the DNS server provided by Azure. Any on-premises Authentication Manager primary instance or replica instances must use the DNS server that is configured in the virtual network.

    Hostname Change Requirement: Yes
    IP Address Change Requirement: Yes

  • Verify that the hostname used to access the RSA Consoles (Operations Console, Security Console, and Self-Service Console) resolves to the new IP address.

    Hostname Change Requirement: No
    IP Address Change Requirement: Yes

  • For the Azure virtual appliance, in a replicated deployment, make sure the primary instance can communicate with each replica instance. After changing the primary instance IP address, edit the hosts file on each replica instance.

    For instructions, see Edit the Appliance Hosts File.

    Hostname Change Requirement: No
    IP Address Change Requirement: Yes

  • In a replicated deployment, after updating your DNS server, you must log on to the replica instance Operations Console and update the primary instance hostname and IP address on the replica instance. A replica instance requires the primary instance hostname and IP address in order to communicate with the primary instance.

    For instructions, see Update the Primary Instance Hostname and IP Address on a Replica Instance.

    Hostname Change Requirement: Yes
    IP Address Change Requirement: Yes

  • If you installed an SSL certificate that is signed by a third-party certificate authority (CA), changing the hostname causes the deployment to revert to the SSL certificate signed by the Authentication Manager CA that is enabled when the instance is deployed.

    To install a new SSL certificate, import a new SSL certificate that is signed by the third-party certificate authority and whose common name (CN) is the new hostname. For instructions, see Replacing the Console Certificate.

    Hostname Change Requirement: Yes
    IP Address Change Requirement: No

  • Configure authentication agents to communicate with the new IP address. Generate a new configuration file, sdconf.rec, and deploy it to all authentication agents. For instructions, see Generate the Authentication Manager Configuration File.

    If you want agents to communicate with the IP address of an additional NIC, you must configure the IP address of the additional NIC as an alternate IP address. For more information, see Edit an Authentication Agent.

    Hostname Change Requirement: No
    IP Address Change Requirement: Yes

  • Repair any trusted realm relationships. For instructions, see Repair a Trust Relationship with a Version 8.0 or Later Realm.

    Hostname Change Requirement: Yes
    IP Address Change Requirement: No

  • If you changed the hostname in a replicated deployment that includes a web tier, the web tier obtains the primary instance hostname from a replica instance. After you update the primary instance hostname on every replica instance, wait five minutes for the web tier to update. You can then make additional replica instance hostname changes as needed.

    Hostname Change Requirement: Required in a replicated deployment.
    IP Address Change Requirement: No

  • If you changed the hostname for a single primary instance and your deployment includes a web tier but no replica instances, you must reinstall the web tier.

    Perform the following procedure to retain all existing web-tier configuration and customization settings:

    1. Uninstall the web tier. For instructions, see Uninstall a Web Tier on Linux or Uninstall a Web Tier on Windows.
    2. Run the web tier installer for your platform. For instructions, see the RSA Authentication Manager Setup and Configuration Guide.
    3. Update the web tier. For instructions, see Update the Web-Tier.

    Hostname Change Requirement: Required if there is only one Authentication Manager instance
    IP Address Change Requirement: No

  • Update any other external clients, such as RADIUS and SNMP, to use the new IP address. Changing the IP address for the primary instance also updates the RADIUS IP address. Reconfigure RADIUS clients so that they send requests to the new IP address.

    Hostname Change Requirement: No
    IP Address Change Requirement: Yes

  • Update any external clients, such as RADIUS clients and SNMP, to use the new hostname.

    Hostname Change Requirement: Yes
    IP Address Change Requirement: No

  • If your deployment includes a replica instance, check the replication status for the primary instance. Synchronize the replica instance if necessary. For instructions, see Synchronize a Replica Instance.

    Hostname Change Requirement: Yes
    IP Address Change Requirement: Yes