8 Replies Latest reply on Jan 11, 2013 11:20 AM by SafeBoot

    Replacing a 5.2.3 server / server keys question

    datasecanalyst

      Hi there,

      I'll get right to the details. We have two management servers in our production environment, one cluster (we'll call it LE1) for the internal network and one server (we'll call it LE2) in an internet-facing zone (primarily used by international users). The physical facility which houses LE2 is being shut down, so we are having to set up a new internet-facing server in a different physical location.

      The current architecture involves using the \SBDATA folder from LE1 as a network share, and the Safeboot Database Server on LE2 points to that as a local drive. The original team that set this up is long gone, and now I'm trying to figure out how to set it up on my own.

      We're going through planning and testing now. In our test environment, we have our primary test server (Test1) and our internet-facing test server (Test2). I added Test2 to the list of SafeBoot servers under System tab > Endpoint Encryption Server Groups in EEM, created a new install-set which only points to Test2, and I deployed it to a test client. I was immediately hit with an "Error connecting to database [5c020004]: Authentication signature is not valid". To resolve this, I simply changed Authenticate=Yes to Authenticate=No in the client SDMCFG.INI, and the problem was fixed, but this is obviously not an ideal solution. I tried to no avail to follow the instructions in this KB article: https://kc.mcafee.com/corporate/index?page=content&id=KB67716&actp=search&viewlocale=en_US&searchid=1324484661123

      The problem is the SDMCFG.INI on Test2 does not have a server key listed at all. Here are the contents:

      [Databases]
      Database1=SBFILEDB.DLL
      [Database1]
      Description=Test2
      IsLocal=Yes
      Authenticate=No
      DataPath=Z:\
      SetLocalTime=No
      [Defaults]
      DatabaseID=1
      TokenType=01000000

      Additionally, when I tried to connect to Test2 using EEM (installed on my workstation), I initially had to turn off authentication too. I tried turning on authentication, at which point it asked me for a server key. I connected to Test1 using EEM, exported the public key for Test2, and then I supplied that as the server key for authentication to Test2. However, when I tried connecting after that, I got the same "Authentication signature is not valid". Then I tried using the public key for Test1 for connections to Test2, and I was able to connect without issue.

      Any idea on what to do on the client side? Do I need to import the SDMCFG.INI file from Test1 to Test2? Any recommendations?

      Thanks!

      Message was edited by: datasecanalyst on 1/10/13 4:39:23 PM CST
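An added audit check, written for this thread and not part of the post or of the SafeBoot product: it parses a client SDMCFG.INI using only the keys shown above and flags connections with Authenticate=No (the workaround described in the question), because such a client no longer verifies the server's signature. The sample INI is constructed from the contents posted above; the finding text is the example's own.

```python
import configparser
from typing import List

# Constructed sample, modelled on the SDMCFG.INI posted in the question above.
SAMPLE_SDMCFG = r"""
[Databases]
Database1=SBFILEDB.DLL
[Database1]
Description=Test2
IsLocal=Yes
Authenticate=No
DataPath=Z:\
SetLocalTime=No
[Defaults]
DatabaseID=1
TokenType=01000000
"""

def parse_sdmcfg(text: str) -> configparser.ConfigParser:
    """Parse SDMCFG.INI text, keeping the key spelling used in the file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lowercase keys such as DataPath
    cp.read_string(text)
    return cp

def audit_sdmcfg(text: str) -> List[str]:
    """Return one finding per connection whose settings weaken server authentication."""
    cp = parse_sdmcfg(text)
    findings: List[str] = []
    default_id = cp.get("Defaults", "DatabaseID", fallback="")
    for name, _driver in cp.items("Databases"):
        if not cp.has_section(name):
            findings.append(f"{name}: listed under [Databases] but has no [{name}] section")
            continue
        sect = cp[name]
        desc = sect.get("Description", name)
        authenticated = sect.get("Authenticate", "No").strip().lower() == "yes"
        if not authenticated:
            # The workaround in the question: signature checking is switched off,
            # so the client accepts whatever server answers at that address.
            findings.append(f"{name} ({desc}): Authenticate=No, server signature is not verified")
        if not authenticated and name == f"Database{default_id}":
            findings.append(f"[Defaults] DatabaseID={default_id} selects the unauthenticated connection '{desc}'")
    return findings

if __name__ == "__main__":
    for line in audit_sdmcfg(SAMPLE_SDMCFG):
        print(line)
```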
        • 1. Re: Replacing a 5.2.3 server / server keys question

          The problem is simple - when you started the sbdbserver on LE2, you picked the Test1 server object, so the key the server is using is not the one the clients expect on that IP address.

          You need to make sure you use the right server object in the DB, on the right IP addresses.

          Now that you've imported (i.e., overwritten) the keys for the server by doing an export/import, though, the records in every client's sdmcfg.ini file are probably wrong - if you have a backup, I'd put things back how you found them, and then just restart LE2 using the right DB object.

          • 2. Re: Replacing a 5.2.3 server / server keys question
            datasecanalyst

            Thank you for the quick reply!

            I actually haven't done anything with LE2 or LE1 - those are our prod servers. Everything I'm doing is on our test environment. Just to make sure we're on the same page, Test1 is the physical server where the \SBDATA folder is, and Test2 has a mapped network drive (Z:\) that points to \SBDATA on Test1.

            I went ahead and removed all the stored connections on Test2. Then I created a new connection using the following properties:

            Type: Local
            Description: LETEST
            Data path: Z:\
            Driver: SBFILEDB.DLL

            After that I opened up the SDMCFG.INI and I have only the following, no server key:

            [Databases]
            Database1=SBFILEDB.DLL
            [Defaults]
            DatabaseID=1
            TokenType=01000000
            [Database1]
            Description=LETEST
            IsLocal=Yes
            Authenticate=No
            DataPath=Z:\
            SetLocalTime=No

            Do I have the connection configured wrong? Should it be remote and point to Test1?

            • 3. Re: Replacing a 5.2.3 server / server keys question

              You don't need to create anything new in your DB - just start sbdbserver as an app. It will give you a choice of which DB object to use; you just need to pick the right one.

              You can't create an authenticated connection to a server which is not using authentication - so touching the ini files is all bad news.

              • 4. Re: Replacing a 5.2.3 server / server keys question
                datasecanalyst

                Was I supposed to run SbAdmin.exe on Test2 before running SbDbServer?

                This is what I did (on Test2):

                1) Install EEM
                2) Install EEPC
                3) Map the network drive to Test1
                4) Run SbDbServer.exe
                5) It gave me the error "No database connection is selected or it is no longer available". I selected OK.
                6) Select Edit Connections. Select Add.
                7) Create a new Database Connection Properties entry with the following values:
                   Connection Type: Local
                   Description: LETEST
                   Data path: Z:\
                   Driver: SBFILEDB.DLL
                8) Now I can log in and SbDbServer loads, but there's still no server key in the SDMCFG.INI file.

                Sorry for the ineptness over here, and thank you, thank you, thank you for the help!!

                Message was edited by: datasecanalyst on 1/10/13 5:24:29 PM CST
                • 5. Re: Replacing a 5.2.3 server / server keys question
                  datasecanalyst

                  Well, I got it to work finally. So, after creating the connection properties for the local DB (the network share), I had to create another connection property for Test2, this one as a remote connection. I had to check Authenticate, and then I had to provide it with the public server key from Test1, and now I'm able to authenticate from both EEM and the client.

                  Thanks again for all the help!

                  • 6. Re: Replacing a 5.2.3 server / server keys question

                    You don't have a key because you are using a local connection - when you start sbdbserver.exe you will be able to pick a server object for it to use; this defines the public/private keys the server and clients will use.

                    If you want to put the server keys in the local sdmcfg.ini, you need to find the server object in sbadmin, right-click it and pick "add to databases" - that will insert it into the local sdmcfg.ini.
                    • 7. Re: Replacing a 5.2.3 server / server keys question
                      datasecanalyst

                      The explanation is much appreciated. I have one last follow-up question for you...

                      Is there any way to replicate a server key for use on a replacement server? That is, is there any way of replacing a server currently in use as a Safeboot server with another server (same FQDN, different IP; or same FQDN, same IP) without having to touch the clients (and still have authentication)?

                      Message was edited by: datasecanalyst on 1/11/13 9:35:18 AM CST
                      • 8. Re: Replacing a 5.2.3 server / server keys question

                        The server key is in your database, in the server object - you should never need to touch that. When you start the server you get to pick which object to use.

                        If the clients are correctly set up to use a DNS name rather than an IP, you can obviously move the server around at will. If you set them to use an IP, then you will need to touch every client to tell it the new server address before it will communicate.

                        The files on the server have nothing to do with the auth - that all comes from the DB itself, so you can reinstall servers at will and just connect them back to the original DB.