Secure Computing Corporate Homepage SafeWord for Nortel Homepage



View a presentation on how SafeWord for Nortel Networks works.



Request an evaluation package.


How it Works
Get contact information for Secure Computing Corporation.



Back to SafeWord for Nortel Home Page.
   Home -> Product Info -> App Note

SafeWord® server synchronization in SafeWord for Nortel Networks

PDF icon
Download the app note - 213 KB, 6 pages 		Get Acrobat Reader

Table of Contents

About SafeWord for Nortel Networks
About SafeWord server synchronization
Functionality of SafeWord server synchronization
Architecture of a synchronized system
Implementing SafeWord server synchronization
Verifying SafeWord server synchronization
Importing tokens
Checking synchronization state
Restoring records and settings with SafeWord server synchronization

About SafeWord for Nortel

SafeWord® for Nortel Networks delivers two-factor authentication security. Users carry hardware tokens that generate passcodes, which they use with their PIN. When a Alteon or Contivity user pushes the button on the SafeWord token, it immediately generates and displays a single-use passcode (via a unique secret key and an advanced encryption algorithm that is contained inside). The user enters the single-use passcode, followed by the user's unique PIN (if desired), to gain access.

The authentication server (also called the SafeWord server) keeps each user's token records on file. Using a secret key and an event counter, it confirms the authenticity of each passcode presented by each user. After being used once, a passcode is then useless and thrown away by the system. If someone steals it and tries to use it again, the passcode is denied by the authentication server and access is denied. This virtually eliminates threats from outsiders stealing, copying, or reusing passwords.

About SafeWord server synchronization

The SafeWord server component of SafeWord for Nortel Networks can be installed on multiple Windows 2000 machines in order to provide the following:

  1. Automatic failover in the event of failure of one of the servers or machines
  2. Basic load-balancing capabilities
  3. Automatic backup of token records and administrative settings
This allows SafeWord authentication to continue despite the failure or overload of any machine in the system.

When SafeWord for Nortel Networks is installed on multiple machines, SafeWord server synchronization must be set up in order to keep users' token records and the built-in administrative account synchronized across multiple SafeWord servers. Record and account synchronization is done in real time. If SafeWord server synchronization is not set up in an environment including multiple SafeWord for Nortel servers, then failover, load balancing, and automatic backup will not work, and the out-of-sync records can lead to problems with the use of the system.

Important note: user information is contained, stored, and managed in Active Directory. Because of this, SafeWord for Nortel provides no backup or failover method for Active Directory user information. Active Directory provides its own backup and failover methods; please see Active Directory documentation for details.

SafeWord server synchronization is different from the manual backup of token records that is detailed in the SafeWord for Nortel Networks Product Guide. Manual backup and restore can be done without requiring SafeWord server synchronization (and vice versa).

Functionality of SafeWord server synchronization

Automatic failover: when a SafeWord server or machine fails, authentication requests will be forwarded to another active server (specified per your synchronization architecture, discussed below).

Basic load-balancing capibilities: if your organization's authentication load is high, installing SafeWord for Nortel on two or more machines can help reduce the authentication load on each machine. If one SafeWord server cannot accept an authentication request because it is too busy, the request will be sent to another available machine (specified per your synchronization architecture, discussed below).

Backing up token records: In the absence of SafeWord server synchronization, if the SafeWord server either fails, needs to be reinstalled, or needs to be restored from the last manual backup, then all token records will reset to the event number at your last manual backup. Users who have utilized their tokens more than 16 times since the last backup will be "out of range" and will not gain access with their first authentication attempt. But this is no problem and is easily remedied. To resynchronize and get back in range, users simply authenticate twice with two consecutive one-time passcodes.

In addition to the above, any changes to users' PINs since the last manual backup will be lost, without SafeWord server synchronization in place.

Architecture of a synchronized system

SafeWord for Nortel Networks implements a SafeWord server synchronization architecture based on a ring topology. SafeWord server synchronization is implemented inside the Administration Service and therefore, the Administration Service must be running in order for SafeWord server synchronization to work.

Each server in the ring has up to two neighbors: a logical 'next' server in the ring, and a logical 'previous' server (see figure 1). In the case of only two servers in the ring, each server is only configured to have a 'next' neighbor (see figure 2).



Implementing SafeWord server synchronization

To implement SafeWord server synchronization, follow these steps and repeat them on all Windows 2000 servers that will participate in SafeWord server synchronization:

  1. Install SafeWord for Nortel Networks and install the SafeWord server component of SafeWord for Nortel on at least one additional machine. The additional server installation(s) must use the same database keys, but do not need to use the same ports. Follow the instructions in the SafeWord for Nortel Networks Product Guide to perform the installation, to allow the RADIUS agent to point to multiple machines, and to allow the management console to connect to different SafeWord servers.

  2. Stop the SafeWord Administration Service and SafeWord Authentication Engine. Do NOT stop the SafeWord Database Server.

  3. Edit {Install_Directory}/SERVERS/Shared/sccservers.ini file:

    1. Locate and uncomment the line starting with "DBActionListenerClass" (by removing the first "#" character).

    2. Locate and uncomment the line starting with "ReplNext_JDBC_URL"

    3. Replace "NEXT_HOST" on that line with the IP address of the node that will serve as the logical 'next' node in the replication ring.

      The following two steps apply only to SafeWord server synchronization rings consisting of more than two nodes.

    4. Locate and uncomment the line starting with "ReplPrev_JDBC_URL"

    5. Replace "PREV_HOST" on that line with the IP address of the node that will serve as the logical 'previous' node in the replication ring.

  4. Save the file.

  5. Open a command window and change to directory {Install_Directory}/SERVERS/Database/bin.

  6. For each neighbor of this host, run batch file AddReplPeer.bat with the parameter specifying the IP address of the neighbor. Do this for each node in the ring.

    This tells the database to accept connections from the neighbor nodes whose names or IP addresses you specify in the command line arguments.

  7. Start the SafeWord Administration service and SafeWord Authentication engine services.

Important note: if installing SafeWord for Nortel for the first time, follow the above steps. However, if you have been using a single SafeWord server and are adding a second (or other additional) server, you must first perform a manual backup of the first server and manually restore it to the machine(s) with the additional SafeWord server(s). See the SafeWord for Nortel Networks Program Guide for more information on manual backup and restore.

Verifying SafeWord server synchronization

To verify that SafeWord server synchronization is working in your implementation of SafeWord for Nortel Networks, perform the following test on any system in the SafeWord server synchronization ring.

Importing tokens

Insert your Token Data CD. Select the Import/Backup/Restore feature under SafeWord folder. Browse to or specify a path to the import file located on your Token Data CD and press the Import button.

To verify that the import has completed successfully, select Tokens feature under SafeWord folder. Verify that the list of Token IDs imported appears in the right-hand pane.

Verify that the change is reflected on the other server(s) in the synchronization ring. To do this you will need to either set up a separate SafeWord Active Directory Management console configured to access the Administration service on the other server, or to reconfigure your existing console to access this other server. Please see the SafeWord for Nortel Networks Product Guide for further details.

Checking synchronization state

To check if SafeWord server synchronization is in a steady state (i.e., a state in which all changes are propagated to other SafeWord servers):

  1. Open a command window and change to directory {Install_Directory}/SERVERS/Database/bin.

  2. Run the batch file called "QueryChangeLog." This check should be performed on all servers in the ring.

  3. The system has reached steady state once the output says: "Empty set."

  4. Repeat steps 1-3 for all nodes in the ring.

Restoring records and settings with SafeWord server synchronization

If a machine or server fails in this architecture, authentication requests will be diverted (per the previouslydescribed architecture) to the next available machine. As all token records and database information have been copied in real-time to all machines, there will be no disparity in records and no failed authentications for users. Once the failed machine is back online, SafeWord server synchronization will automatically replicate the token records and administrative information to the restored machine. (If the neighbor nodes were up when the failed node when down, the neighbor nodes need to be restarted.)

A manual restore is necessary only if the failed machine requires a clean reinstall of the SafeWord for Nortel software. In this case, manually backup one of your online servers and manually restore the information to the machine with the clean reinstall. See the SafeWord for Nortel Networks Program Guide for more information on manual backup and restore.

 
© 2003 Secure Computing Corporation. All Rights Reserved.  Contact Us: 800.379.4944 opt. 3 or 408.979.6572