If your Primary hardware fails, you can nominate an existing Replica to the Primary.
You must first select a Replica that you intend to nominate. Then, on the selected Replica, you can click the Nominate button in the Replica Management interface and automatically convert the Replica to the Primary. An updated Replica Package is created in the ACEDATA\replica_package directory of the new Primary.
RSA Authentication Manager 6.1 Administrator’s Guide
98 5: Database Maintenance (Windows)
Note: If you want to replace a functional Primary with newer hardware, you can add the new hardware as a Replica and then nominate it as the Primary. Then you can take the old Primary offline. However, you must follow a specific procedure to do this: first, stop the current Primary, add the new machine as a Replica, and generate a Replica Package for the new machine. Restart the current Primary, and let the Replicas fully reconcile. Now you can complete the standard nominate procedure for the new Replica, as described in the following subsections.
Before Nominating a Replica
Before you nominate a Replica, you must assess the condition of the failed Primary hardware. If the failed Primary will be inoperable for a prolonged period, you will need to nominate a Replica. If the necessary repairs can be completed in a short amount of time, you may decide that you do not need to nominate a Replica, and that instead you will repair the original Primary. In either of these scenarios, each of the Replicas continues to process authentication requests during the time that the Primary is not running. If you repair the original Primary, you will most likely want to inform all Quick Admin and remote administrators of the situation, and explain to them that neither Quick Admin nor Remote Administration of any machine in the realm will be possible until the Primary has been restored.
To nominate a Replica:
1. Select a Replica to use as a replacement for the failed Primary.
Note: RSA Security recommends that you select the Replica that contains the most up-to-date database. For more information, see “Determining Which Database is Most Up-To-Date” on page 94.
2. From the RSA Authentication Manager Control Panel on the Replica, stop the RSA Authentication Manager only.
All administrative sessions are disconnected.
3. Click Start > Programs > RSA Security > RSA Authentication Manager Configuration Tools > RSA Authentication Manager Replica Management.
4. Click Nominate.
5. Click OK to nominate this Replica.
6. Start the RSA Authentication Manager services and database brokers on the new Primary.
If your RSA Authentication Manager System Parameters are set to enable Push DB Assisted Recovery, the Replica Package is automatically distributed and applied to each Replica.
If the System Parameters are not set to enable Push DB Assisted Recovery, repeat steps 7 through 13 on each Replica.
7. Stop all services on the Replica.
8. Copy the files in the ACEDATA\replica_package\database directory and the ACEDATA\replica_package\license directory on the new Primary to a directory outside of ACEDATA on the Replica.
9. On the Replica, use the RSA Authentication Manager Control Panel to apply the Replica Package.
Note: If you repair the old Primary and restore it to your network, it is automatically added as a Replica. If you want to restore it as the Primary, you must nominate it.
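The manual copy in steps 7 through 9 is a good place to confirm that the Replica Package arrived intact before it is applied. The following PowerShell script is an added example, not part of the RSA guide or product: it stages the database and license directories from the new Primary to a directory outside ACEDATA on the Replica, refuses a staging path inside ACEDATA, and compares a SHA-256 hash of every staged file against its source. The UNC path to the new Primary's ACEDATA share, the local ACEDATA path and the staging directory are assumptions; adjust them for your installation.

```powershell
# Added example (not from the RSA guide): stage the Replica Package from the new
# Primary to a directory outside ACEDATA on this Replica and verify the copy.
# Assumptions: $NewPrimaryAceData is a share of the new Primary's ACEDATA directory,
# $LocalAceData is this Replica's ACEDATA directory, $StageDir is outside ACEDATA.
param(
    [string]$NewPrimaryAceData = '\\NEWPRIMARY\ACEDATA',   # assumed UNC path
    [string]$LocalAceData      = 'C:\ace\data',            # assumed local ACEDATA
    [string]$StageDir          = 'C:\replica_stage'        # must be outside ACEDATA
)

# The guide requires the staging directory to be outside ACEDATA; enforce that.
$stageFull = [System.IO.Path]::GetFullPath($StageDir)
$aceFull   = [System.IO.Path]::GetFullPath($LocalAceData)
if ($stageFull.StartsWith($aceFull, 'OrdinalIgnoreCase')) {
    throw "Staging directory $StageDir is inside ACEDATA; choose a location outside it."
}

$mismatches = @()
foreach ($sub in 'database', 'license') {
    $src = Join-Path $NewPrimaryAceData "replica_package\$sub"
    $dst = Join-Path $StageDir $sub
    New-Item -ItemType Directory -Force -Path $dst | Out-Null
    Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force

    # Compare the SHA-256 hash of each source file with its staged copy.
    foreach ($f in Get-ChildItem -Path $src -File -Recurse) {
        $rel  = $f.FullName.Substring($src.Length).TrimStart('\')
        $copy = Join-Path $dst $rel
        $srcHash = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        $dstHash = (Get-FileHash -Algorithm SHA256 -Path $copy).Hash
        if ($srcHash -ne $dstHash) { $mismatches += $rel }
    }
}

if ($mismatches.Count -gt 0) {
    throw "Replica Package copy failed verification: $($mismatches -join ', ')"
}
Write-Host "Replica Package staged in $StageDir and verified; apply it from the Control Panel."
```

Run the script on each Replica after stopping its services (step 7); step 9, applying the package from the RSA Authentication Manager Control Panel, is still done by hand.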
When you replace damaged Primary hardware by either nominating a Replica or installing the Primary on a new machine, be aware that there are resulting implications for Quick Admin, RADIUS servers, Agent Hosts, LDAP synchronization and Remote Administration. In order for these features to function properly with a new Primary, perform these tasks in order of importance, referring to the appropriate instructions.
1. If Quick Admin is installed, you must reconfigure the Quick Admin settings with the name and IP address of the new Primary. For instructions, see “Reconfiguring Quick Admin” on page 51.
2. If the Authentication Manager is specified as a Local Realm Authentication Manager or a Remote Realm Authentication Manager for cross-realm authentication, edit the realm record in the database, and in the database in the Remote realm, to reflect the new name or IP address. For more information, see the Help topic “Edit Realm.”
3. If the failed Primary was specified as a RADIUS server, you can install the RADIUS server on the new Primary, on another Replica, or on a separate host machine.
So as not to impact the administrative capability of the new Primary, RSA Security recommends that you enable RADIUS on another Replica. Be sure to:
• Add the Authentication Manager you choose to use as the RADIUS server to the database as an Agent Host. For more information, see “Adding Servers as Agent Hosts to the Primary Database” in the Windows Installation Guide.
• If you opt to use the new Primary as the RADIUS server, update the RADIUS Server configuration settings so that they are identical to those that were on the old Primary.
• Configure all RADIUS clients to use the appropriate name and IP address of the designated RSA RADIUS server. See the NAS device manual for specific configuration instructions.
4. If the Authentication Manager is specified as an Acting Authentication Manager for legacy Agent Hosts, generate new sdconf.rec files for all legacy Agent Hosts that use this Authentication Manager as an Acting Master or Acting Slave, and distribute the sdconf.rec file to the Agent Hosts. For more information, see the Help topic “Assign Acting Servers.”
5. If the Authentication Manager is specified in any sdopts.rec files for version 5 Agent Hosts, edit the sdopts.rec file on the Agent Host to reflect the new name or IP address of the Authentication Manager.
6. If the Authentication Manager was previously set up with LDAP synchronization jobs that use SSL to connect to the LDAP server, make sure that the new Primary has the required cert7.db file in the ACEDATA/ldapjobs/sslcerts directory.
Otherwise, when LDAP synchronization runs, you will see the error:
LDAP connection error - Failed to initialize LDAP session
For information about setting up the cert7.db file, see “Using SSL” on page 114.
7. For all Remote Administration machines, copy the sdconf.rec and the server.cer file from the ACEDATA directory on the Primary to the Remote Administration machine, remove the Primary from the Remote Administration machine and then add the Primary using the new sdconf.rec file. For more information, see the Windows Installation Guide.