SafeNet Authentication Service
SAS System Requirements Guide
Powerful Authentication Management for Service Providers and Enterprises
Copyright © 2014 SafeNet, Inc. All rights reserved.
All attempts have been made to make the information in this document complete and accurate. SafeNet,
Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or
omissions. The specifications contained in this document are subject to change without notice.
SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark
Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the USA and other countries.
All other trademarks referenced in this manual are trademarks of their respective owners.
SafeNet hardware and/or software products described in this document may be protected by one or more
U.S. patents, foreign patents, or pending patent applications.
Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.
Support
If you encounter a problem while installing, registering or operating this product, please make sure that
you have read the documentation. If you cannot resolve the issue, contact your supplier or SafeNet
Customer Support. SafeNet Customer Support operates 24 hours a day, 7 days a week. Your level of access
to this service is governed by the support plan arrangements made between SafeNet and your
organization. Please consult this support plan for further information about your entitlements, including
the hours when telephone support is available to you.
Contact Method                       Contact Information
Address                              SafeNet, Inc.
                                     4690 Millennium Drive
                                     Belcamp, Maryland 21017
                                     USA
Phone                                United States: 1-800-545-6608
                                     International: 1-410-931-7520
Email                                [email protected]
Support and Downloads                www.safenet-inc.com/Support
                                     Provides access to the SafeNet Knowledge Base and quick downloads for
                                     various products.
Technical Support Customer Portal    https://serviceportal.safenet-inc.com
                                     Existing customers with a Technical Support Customer Portal account can
                                     log in to manage incidents, get the latest software upgrades, and access
                                     the SafeNet Knowledge Base.
Document Part Number: 007-012409-002
Publication History
Date         Changes                                                          Revision
2014.03.27   Updates for 3.3.2 release.                                       A
2014.03.12   Changed copyright year. Discrepancies between Installation       1.2
             Guide and System Requirements. Added upgrade process.
2013.12.08   Updates to V3.3.1 to reflect SafeNet branding.                   1.1
Table of Contents
Applicability
SafeNet Authentication Server System Requirements
System Sizing (Database and Bandwidth)
Other Requirements
Ports
Virtualization
Internal Database
LDAP External User Sources
Supported Browsers
Maintaining Accurate Time Settings
Installation Types
Upgrading from Previous Versions
Small, Single-Site Deployments
Medium Site Deployments
Large Deployments
Applicability
The information in this document applies to:
• SafeNet Authentication Service – Service Provider Edition (SAS-SPE): the software used to build a SafeNet authentication service.
• SafeNet Authentication Service – Private Cloud Edition (SAS-PCE): a term used to describe the implementation of SAS on customer premises.
Note: References to BlackShield and CRYPTOCard reflect CRYPTOCard branding prior to the acquisition by SafeNet. Over time these references will change to reflect SafeNet branding, including program installation locations.
SafeNet Authentication Server System Requirements
Description                          Windows
Supported Operating Systems          Windows Server 2008
                                     Windows Server 2008 R2
                                     Windows Server 2012
                                     Windows Server 2012 R2
Supported Database Servers           PostgreSQL 9.3 (default)
                                     MSSQL 2005, 2008, 2008 R2, 2012
Supported LDAP Directories           Active Directory
                                     Novell eDirectory 8.x
                                     SunOne 5.3
Supported Architecture               64-bit
                                     32-bit x86
Supported RADIUS Servers             Microsoft RADIUS Server (NPS)
                                     FreeRADIUS Server 2.1.x/2.2.x (Red Hat 5.x)
Supported SQL Servers
(External SQL User Stores)
Supported RADIUS Authentication      PAP
Protocols                            MSCHAPv2 (FreeRADIUS only)
Additional Software Components       IIS 7 or 8
                                     ASP .Net 2.0
                                     Note: IIS 6 compatibility roles and ASP.NET role services must be
                                     installed in order for the SAS website to appear.
Processor                            Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor)
                                     Recommended: 2 GHz or faster
Memory                               Minimum: 1 GB RAM
                                     Recommended: 2 GB RAM or greater
Disk Space                           Minimum: 300 MB
                                     Recommended: 100 GB or greater with logging enabled
Display                              SVGA (1280 x 1024), 24-bit color or higher
Note: The default database shipped with SafeNet Authentication Service on Windows is PostgreSQL. Any other supported database must be downloaded and/or purchased separately.
System Sizing (Database and Bandwidth)
To determine the disk requirements and database growth, you can use the following guidelines:
                                              10,000 users    300,000 users    500,000 users    1 million users
Users (user records)
@ Peak auth/sec                                         15               80              130              300
@ Average auth/sec                                       1               20               32               75
Authentications / year                        31.5 million      631 million    1,009 million    2,365 million
Auth/user/day (average)                                  8                6                6                6
Peak concurrent management sessions                      8              250              400              950
Average concurrent management sessions                   3               80              128              300
Authentication bandwidth (with RADIUS accounting)     500 B/authentication
LDAP synchronization bandwidth                      1 Kbps          24 Kbps        38.4 Kbps          75 Kbps
Average reporting data replication bandwidth       20 Kbps         200 Kbps         320 Kbps          75 Kbps
Disk capacity:
  User records                                      0.3 GB           1.8 GB           3.0 GB           6.0 GB
  Auth. history                                32 GB / year    630 GB / year   1001 GB / year   2365 GB / year
  Operator history                                Variable         Variable         Variable         Variable
RAM (authentication)                          Approx. 15 MB per 50 auths/sec
RAM (management session)                      Approx. 2 MB per session
CPU (x64, one core)                           Approx. 90% at 100 auths/second
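The table above gives four fixed deployment sizes. The following added example (not from the SafeNet guide) turns its rows into a calculator for an arbitrary user count and authentication rate. The per-authentication and per-user storage constants are assumptions read off the table (32 GB/year for 31.5 million authentications is about 1 KB each; 1.8 GB for 300,000 users is about 6 KB each; the 10,000-user column's 0.3 GB is a higher floor this simple model does not reproduce), while the bandwidth, RAM and CPU figures are the guide's own.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600        # 31,536,000; 1 auth/s -> 31.5 M auths/year
AUTH_HISTORY_BYTES = 1_000                # assumed: 32 GB/year / 31.5 M auths ~ 1 KB each
USER_RECORD_BYTES = 6_000                 # assumed: 1.8 GB / 300,000 users ~ 6 KB each
AUTH_BANDWIDTH_BYTES = 500                # guide: 500 B/authentication incl. RADIUS accounting
RAM_MB_PER_50_AUTH_PER_SEC = 15           # guide: approx. 15 MB per 50 auths/sec
RAM_MB_PER_MGMT_SESSION = 2               # guide: approx. 2 MB per management session
CORE_LOAD_AT_100_AUTH_PER_SEC = 0.90      # guide: ~90% of one x64 core at 100 auths/sec

@dataclass
class SizingEstimate:
    auths_per_year: int
    auth_history_gb_per_year: float
    user_records_gb: float
    peak_auth_bandwidth_kbps: float
    ram_mb: float
    cpu_cores: float

def estimate(users: int, avg_auth_per_sec: float, peak_auth_per_sec: float,
             peak_mgmt_sessions: int) -> SizingEstimate:
    """Scale the guide's per-unit figures to an arbitrary deployment."""
    auths_per_year = round(avg_auth_per_sec * SECONDS_PER_YEAR)
    history_gb = auths_per_year * AUTH_HISTORY_BYTES / 1e9
    users_gb = users * USER_RECORD_BYTES / 1e9
    # 500 bytes per authentication at the peak rate, expressed in kilobits per second
    bw_kbps = peak_auth_per_sec * AUTH_BANDWIDTH_BYTES * 8 / 1000
    # authentication RAM scales with the peak rate; each concurrent operator adds ~2 MB
    ram_mb = (peak_auth_per_sec / 50 * RAM_MB_PER_50_AUTH_PER_SEC
              + peak_mgmt_sessions * RAM_MB_PER_MGMT_SESSION)
    # cores needed to carry the peak rate at the guide's 90%-per-100-auths load
    cores = peak_auth_per_sec / 100 * CORE_LOAD_AT_100_AUTH_PER_SEC
    return SizingEstimate(auths_per_year, round(history_gb, 1), round(users_gb, 1),
                          round(bw_kbps, 1), round(ram_mb, 1), round(cores, 2))

def disk_capacity_gb(est: SizingEstimate, years_of_history: int) -> float:
    """User records plus the authentication history retained for N years."""
    return round(est.user_records_gb + est.auth_history_gb_per_year * years_of_history, 1)

if __name__ == "__main__":
    # The guide's own four columns, to check that the constants reproduce its figures
    for users, avg, peak, sess in ((10_000, 1, 15, 8), (300_000, 20, 80, 250),
                                   (500_000, 32, 130, 400), (1_000_000, 75, 300, 950)):
        e = estimate(users, avg, peak, sess)
        print(f"{users:>9} users: {e.auths_per_year / 1e6:7.1f} M auths/yr, "
              f"{e.auth_history_gb_per_year:6.0f} GB/yr history, {e.ram_mb:.0f} MB RAM, "
              f"{e.cpu_cores:.2f} cores; 3-year disk {disk_capacity_gb(e, 3):.0f} GB")
```

Treat the output as a starting point only: history retention policy and logging volume (the guide recommends 100 GB or more with logging enabled) dominate real disk growth.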
Other Requirements
• Installation requires that the Security Administrator installing SafeNet Authentication Service have administrator or root privileges on the localhost.
• If upgrading SafeNet Authentication Service, refer to the SafeNet Authentication Service server-specific migration guide.
• SafeNet Authentication Service is designed for virtualization and has been extensively tested with VMware®.
Ports
SafeNet Authentication Service may require the following ports, depending upon the location of external
directories, databases or RADIUS servers. The following is a list of default port values. SafeNet
Authentication Service can be configured to use alternate ports. SSL requires that a valid certificate be
installed on the SafeNet Authentication Service.
Port (TCP/UDP)    Usage
80 / 443          Port 80 and/or 443 can be used for management sessions, provisioning, self-enrollment,
                  self-service and to service encrypted authentication requests from configured Agents.
                  For security purposes port 443 (SSL) is recommended.
1812 / 1813       Ports 1812/1813 are standard ports for RADIUS authentication and RADIUS accounting
                  respectively.
389 / 636         Ports 389/636 are standard ports for LDAP and LDAPS connections respectively. For
                  security purposes port 636 (SSL) is recommended.
5432              The port number for connection to the default PostgreSQL database.
1433              The default port number for connection to a MS-SQL database.
3306              The default port number for connection to a MySQL database.
25                The default port for SMTP email.
8456              The default port number for LDAP Sync traffic to/from SAS and LDAP.
8458 (Ingress)    The default incoming port number for the Logging Agent.
8459 (Egress)     The default outgoing port number for the Logging Agent.
Virtualization
SafeNet Authentication Service is designed for virtualization and has been extensively tested with
VMware®.
Internal Database
The internal database contains all system configuration, application and policy data, token, history and
activity information used by SafeNet Authentication Service. If configured as a User Source, it will also
contain user-specific information such as UserIDs and coordinates. Where LDAP/AD integration is
configured, the unique “GUID” property of the LDAP user account is stored in the database, providing a
consistent link between the user’s LDAP account and the tokens associated with the user in SafeNet
Authentication Service. The UserID is stored with authentication activity for reporting purposes. This
allows SafeNet Authentication Service to provide audit trails and authentication activity reports even after
a User (and therefore the GUID) has been deleted from LDAP.
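The two linkage rules above (tokens bound to the LDAP GUID, authentication activity recorded under the UserID) are modelled in the following added example. It is illustrative code, not SafeNet's schema: the table and column names are constructed for this example, and the guide does not publish the real internal database layout.

```python
import sqlite3

# Constructed schema for illustration; the guide does not publish SAS's tables.
SCHEMA = """
CREATE TABLE users (ldap_guid TEXT PRIMARY KEY, user_id TEXT UNIQUE NOT NULL);
CREATE TABLE tokens (serial TEXT PRIMARY KEY,
                     ldap_guid TEXT NOT NULL REFERENCES users(ldap_guid) ON DELETE CASCADE);
CREATE TABLE auth_history (ts INTEGER NOT NULL, user_id TEXT NOT NULL, result TEXT NOT NULL);
"""

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    # Constructed sample data: one synchronised LDAP user holding one token,
    # with three authentication attempts already recorded under her UserID.
    conn.execute("INSERT INTO users VALUES ('guid-1111', 'alice')")
    conn.execute("INSERT INTO tokens VALUES ('TOK-0001', 'guid-1111')")
    conn.executemany("INSERT INTO auth_history VALUES (?, ?, ?)",
                     [(1, 'alice', 'OK'), (2, 'alice', 'FAIL'), (3, 'alice', 'OK')])
    return conn

def sync_rename(conn, ldap_guid: str, new_user_id: str) -> None:
    """LDAP rename: the GUID is unchanged, so only the UserID is rewritten."""
    conn.execute("UPDATE users SET user_id = ? WHERE ldap_guid = ?", (new_user_id, ldap_guid))

def sync_delete(conn, ldap_guid: str) -> None:
    """LDAP deletion: the user record and its tokens go; auth_history is untouched."""
    conn.execute("DELETE FROM users WHERE ldap_guid = ?", (ldap_guid,))

def tokens_for(conn, user_id: str) -> list:
    """Tokens reach a user only through the GUID link, never by name."""
    sql = ("SELECT t.serial FROM tokens t JOIN users u ON u.ldap_guid = t.ldap_guid "
           "WHERE u.user_id = ? ORDER BY t.serial")
    return [row[0] for row in conn.execute(sql, (user_id,))]

def auth_report(conn, user_id: str) -> dict:
    """Audit report keyed on the stored UserID, so it still works after deletion."""
    sql = "SELECT result, COUNT(*) FROM auth_history WHERE user_id = ? GROUP BY result"
    return dict(conn.execute(sql, (user_id,)).fetchall())

if __name__ == "__main__":
    db = build_db()
    sync_rename(db, 'guid-1111', 'alice.smith')
    print(tokens_for(db, 'alice.smith'))     # the token followed the GUID through the rename
    sync_delete(db, 'guid-1111')
    print(tokens_for(db, 'alice.smith'), auth_report(db, 'alice'))
```

Note that history stays under the UserID in force at authentication time, so a report for a renamed account must be run against both names.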
The database can be installed on the machine hosting SafeNet Authentication Service, on a separate
machine or as a cluster. Every SafeNet Authentication Service can be configured for a primary database
instance with failover to an alternate instance. In addition, multiple SafeNet Authentication Services can
use the same database.
Figure 1 - Site Replication and Failover Examples
LDAP External User Sources
SafeNet Authentication Service supports the use of one or more LDAP directories for User, Account Status
and Group Membership data. Each LDAP must be configured for a specific virtual server.
Figure 2 – LDAP External User Sources
By default SafeNet Authentication Service connects to LDAP over ports 389 or 636 (LDAPs / SSL). While SSL
is recommended, SafeNet Authentication Service does not send sensitive data to LDAP in the clear. The
primary reason for SSL is to protect account information and group membership data transmitted to
SafeNet Authentication Service.
SafeNet Authentication Service includes a default Active Directory, Novell eDirectory 8.x and Sun One 5.3
object mapping template.
SafeNet Authentication Service does not write to or modify the LDAP schema.
Supported Browsers
The standard interface with SafeNet Authentication Service or components such as self-enrollment and
user self-service is a browser. The following browsers are supported:
• Internet Explorer 8, 9, 10, 11
• Firefox 3+
• Chrome
Certain functions may require ActiveX controls and/or JavaScript.
Maintaining Accurate Time Settings
SafeNet Authentication Service operation and authentication services are not dependent on accurate time
settings. However, best practice is to maintain accurate time to achieve reliable and consistent reporting
and audit trails. In some cases SafeNet Authentication Service licensing may restrict certain functions
based on dates or date ranges; modifying the server date after license installation may cause these
functions to become unavailable.
SafeNet recommends that the SafeNet Authentication Service time be set to the local zone and that the
server time be UTC coordinated. For more information go to http://www.time.gov.
Installation Types
A SafeNet Authentication Service site is defined as an instance of the SafeNet Authentication Service
authentication engine. The number of sites and configuration options are determined by licensing,
redundancy and performance requirements. Assuming SafeNet Authentication Service is installed on
recommended hardware, the factor that has the largest bearing on performance is database I/O, primarily
determined by the amount and frequency with which authentication history is written. In most cases it is
acceptable to have the database and SafeNet Authentication Service installed on the same server.
The following scenarios are provided as guidelines and examples. Many different configurations are
possible. For example, it is perfectly acceptable to install the database, enrollment, self-service and
directory components on separate machines. Contact SafeNet or your local supplier for recommendations
on a configuration that would best meet your performance, availability and maintenance requirements.
Upgrading from Previous Versions
SafeNet Authentication Service supports upgrading from previous versions. For more details on how to
upgrade from previous versions, see the SAS Installation Guide.
Description    Windows
Database       • Peer to Peer replication is deployed as the replication model
               • All SAS Servers are pointed towards the Primary MSSQL Instance
               • SAS DB backed up
SAS            • Cipher keys from all SAS Servers are backed up
               • Most recent SAS licensing is backed up
               • Current and new version of SAS installers are backed up
               • Snapshot SAS Systems (if VM) before upgrade
Small, Single-Site Deployments
Single-site deployments may choose to install all SafeNet Authentication Service components on a single
server with a secondary instance providing redundancy and failover.
Figure 3 – Small Deployments with Failover
Authentication and management functions can be distributed across the sites if necessary. Agents can
failover to the alternate site.
The connections between LDAP and SafeNet Authentication Service can be local or remote. In the event
that there is a primary and secondary LDAP server, each SafeNet Authentication Service instance would
normally be configured for LDAP failover.
Medium Site Deployments
The medium site deployments are typically required for organizations that have dedicated LDAP, Web and
RADIUS servers. In this scenario, the database replication is handled between SafeNet Authentication
Service instances.
Figure 4 – Medium Deployments
Large Deployments
For sites requiring support for up to 250,000 users and several hundred authentications/second, use of a
database cluster fronted by multiple SafeNet Authentication Service sites is recommended.
Figure 5 – Large Deployments