Safeboot Hard Disk Encryption 4.2.14 to McAfee End Point Encryption 5.1.9

(Server Components and New Client Sets)

MIGRATION DIARY

 
One of the most sensitive pieces of infrastructure in any organization is clearly its IT security systems, and making changes to this infrastructure can be an interesting affair until everything is working as expected. Many of my colleagues who have worked on IT security systems would agree with me. Any infrastructure change poses a challenge, and the more you understand how much is at stake, the more enriching and challenging the job becomes. Device encryption infrastructure, with its bundle of server and client suites, is another such example.
Going from Safeboot to McAfee was only a natural choice for me, and I did not evaluate any other product. Therefore, you will notice that my focus is always on how I can fit my current operations into the new suite. Also, I did not play around much with the ‘beautiful’ features like AutoDomain, Local Logon etc., because they simply did not fit my enterprise landscape.
 

PHASE 0 – Ground Work

Step 0.0 – PLAN

Step 0.1 – Migration Strategy

The following picture presents a typical architecture for hosting the infrastructure in a large enterprise: a primary server, supported by a backup server on another data center site, and a console server that allows multiple connections to the database for operations by the on-site technicians and service delivery persons.

 

Globally speaking, the strategy I took was to replace the existing hardware with new hardware. So I planned for two rack servers that could be configured with RAID 5 for greater performance, and a blade server for the console server.

The idea was to swap the servers: the blade would take over the old console server, and the primary and backup servers would be mirrored by their corresponding rack-mounted servers. A two-day downtime would allow me to switch off the service on day 1, take a full backup of the database and copy it to a safe network location, so that I could swap the servers, install the suite, plug in the DB, tune the object browser and change a few settings to migrate from blue to red.

 

PHASE I – Migration of Servers

The phase began once I had the servers planted in the data center; that had its own challenges and procedural steps to take care of, but I would rather not cover them within the scope of the current article. The one major thing to take care of is that when doing a swap, get at least one IP address in the same VLAN and have an agreement with the data center manager about the changes you are making.
 
The following discusses the steps that were taken during the migration:
 
  1. Switch off the service running on the primary server so that no new clients can communicate and the database console is unavailable for public access.
  2. Start the full backup of the database with the ‘retry if object is locked’ option checked. Take a local backup copy of the entire database.
  3. Compress the backup copy of the database into a ZIP file so that it is easy to navigate. Also, note the number of files and folders and the size of the folder. This will be needed for comparison once the DB has been copied over the network.
  4. Copy the database to the new server that is eligible to be the primary server.
  5. Copy the McAfee EPE 5.1.9 sources onto this server so that they can be used during the installation.
  6. Copy the SDMCFG.INI, SERVERS.INI, cmsettings.ini and license (.SLC) files to a temporary location on the new server.
  7. Change the name of the server to oldPRIMARY, let the change be reflected in Active Directory and let it propagate to all the domain controllers.
  8. Ensure that the changes have been reflected by checking the root domain controller and the one nearest to the physical location of the servers.
  9. Change the IP address of the server to the temporary IP given by the data center manager. Ensure that the IP is pingable. The server is now decommissioned and there is room for the new server to be set up as primary.
  10. Change the IP address of the new server to the one just released by the old primary server.
  11. Change the hostname of the server to PRIMARY and reboot.
  12. Ping and connect to this server using the registered DNS alias for the primary server. This will ensure that the server’s network components have been correctly configured.
  13. Unzip the database to a location on this server. Take note of this location.
  14. Install EEPC 5.1.9 with the required features / components.
  15. Place the SDMCFG.ini and Server.ini files in the installation directory of the server components. This ensures that the existing database is the one taken into account. Make the appropriate path changes to the ini file entries to point to the database location on the current server.
  16. Start the Object Browser.
  17. This will first prompt for the services to be started. Ensure that the names of the services are the same as on the old server.
  18. The application will appear to hang. The DB is now being enumerated, and this usually takes 7-10 minutes before the initial screen shows up.
  19. Log in to the database using the same credentials as the original ones.
  20. Browse through the contents of the database to ensure that all the entries are consistent. (I noticed some garbage values in some rows of the machine group entries. Do not panic. They are entries that had been deleted but, due to inconsistent DB operations, were not physically removed; they were probably marked for deletion when the service was switched off and the DB was taken for backup.)
  21. Create a file group to hold the new file sets. Name it EPE519 Client Files.
  22. Add the client file set (clientfileset.ini) file to this file group. Ensure that the file entries have been populated.
  23. Change the properties of this file group to “Client Files.”
  24. Go to the Machine Groups tab and mark this file set as the default file set for this group. This ensures that all new clients will now get the 5.1.9 client file sets.
  25. Create a script, or make a manual change, to set the Admin Rights of all administrative user accounts on this server to “Allow Administration.” This feature is new in the McAfee 5.1.9 End Point Encryption Suite.
  26. Open the LDAP / AD connector console and ensure that the cmsettings.ini has been properly applied. All the entries should be correctly reflected.
  27. The server is now up and running. Perform the same steps for the backup server.
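Steps 3, 4 and 13 above rely on comparing file counts and folder sizes before and after the database travels over the network. The following is an added example, not part of the original diary and not McAfee or Safeboot tooling: it records the folder count, file count, total size and a SHA-256 per file on the old server, and verifies the unzipped copy on the new server against that record before the ini files are pointed at it. Counts alone catch a truncated copy; the per-file hash also catches a corrupted one. The folder and file names in the demo are constructed sample data, not the real database layout.

```python
"""Added example: manifest of the database folder before the copy, checked
against the unzipped copy on the new server (steps 3, 4 and 13)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk the database folder and return its folder count, file count,
    total size in bytes and a per-file entry of {size, sha256}."""
    root = Path(root)
    entries = {}
    folder_count = 0
    for dirpath, dirnames, filenames in os.walk(root):
        folder_count += len(dirnames)
        for name in filenames:
            path = Path(dirpath) / name
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = path.relative_to(root).as_posix()
            entries[rel] = {"size": path.stat().st_size,
                            "sha256": digest.hexdigest()}
    return {
        "folders": folder_count,
        "files": len(entries),
        "total_bytes": sum(e["size"] for e in entries.values()),
        "entries": entries,
    }


def compare_manifests(source, copy):
    """Differences between the manifest taken on the old server and the one
    taken on the new server: files missing from the copy, unexpected extra
    files, and files whose size or hash changed. Empty dict means identical."""
    src, dst = source["entries"], copy["entries"]
    diffs = {}
    missing = sorted(set(src) - set(dst))
    extra = sorted(set(dst) - set(src))
    changed = sorted(rel for rel in set(src) & set(dst) if src[rel] != dst[rel])
    if missing:
        diffs["missing"] = missing
    if extra:
        diffs["extra"] = extra
    if changed:
        diffs["changed"] = changed
    return diffs


def save_manifest(manifest, path):
    """Write the manifest as JSON so it can travel alongside the ZIP file."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Run the flow on a constructed sample tree standing in for the real
    database folder: a clean copy compares equal; a copy with one truncated
    file and one lost file is reported. Returns the source manifest and
    both comparison results."""
    work = Path(tempfile.mkdtemp(prefix="eepc_db_demo_"))
    try:
        src = work / "DB"  # constructed layout, not the product's own
        (src / "Machines").mkdir(parents=True)
        (src / "Users").mkdir()
        (src / "Machines" / "00000001.dat").write_bytes(b"machine record " * 64)
        (src / "Users" / "00000001.dat").write_bytes(b"user record " * 32)
        (src / "index.dat").write_bytes(b"3 records\n")
        save_manifest(build_manifest(src), work / "manifest.json")
        source = load_manifest(work / "manifest.json")

        good = work / "copy_good" / "DB"
        shutil.copytree(src, good)
        clean = compare_manifests(source, build_manifest(good))

        bad = work / "copy_bad" / "DB"
        shutil.copytree(src, bad)
        (bad / "Machines" / "00000001.dat").write_bytes(b"machine record " * 63)  # truncated
        (bad / "Users" / "00000001.dat").unlink()  # lost in transit
        broken = compare_manifests(source, build_manifest(bad))
        return {"source": source, "clean": clean, "broken": broken}
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

In practice, run build_manifest and save_manifest on the old primary right after step 2, keep manifest.json next to the ZIP, and run build_manifest and compare_manifests on the unzipped folder at step 13; only proceed to step 15 when compare_manifests returns an empty dict.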

 

PHASE II – New Client Readiness

Once the servers have been migrated, test the implementation by doing a simple telnet to the DNS alias of the server on port 5555. This will confirm that the services are running and responding.
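The telnet test above, together with the alias check in step 12, can be scripted so the same check is repeated for the primary and the backup server. The following is an added example, not part of the original diary: it resolves the DNS alias, confirms it points at the IP address the old primary released, and confirms that a TCP connection to port 5555 at that address completes, which is exactly what the telnet attempt shows. The demo runs offline against the loopback address with a plain listening socket standing in for the EEPC server; SERVICE_PORT is the port named in the text, and the function names are this example's own.

```python
"""Added example: post-swap readiness check, the scripted equivalent of the
telnet-to-port-5555 test and the DNS alias check in step 12."""
import socket

SERVICE_PORT = 5555  # port the diary telnets to after the swap


def resolve_alias(alias):
    """Every IPv4/IPv6 address the alias currently resolves to, or an empty
    list if the name does not resolve at all."""
    try:
        infos = socket.getaddrinfo(alias, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_port_open(address, port, timeout=3.0):
    """True if a TCP handshake to address:port completes within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def readiness_check(alias, expected_ip, port=SERVICE_PORT, timeout=3.0):
    """Report whether the alias points at the new primary (stale DNS after
    the hostname/IP swap is the usual failure) and whether the service
    answers on the expected address. Connecting to expected_ip rather than
    to the alias keeps the two failure modes apart in the report."""
    resolved = resolve_alias(alias)
    dns_ok = expected_ip in resolved
    port_open = tcp_port_open(expected_ip, port, timeout)
    return {
        "alias": alias,
        "resolved": resolved,
        "expected_ip": expected_ip,
        "dns_ok": dns_ok,
        "port_open": port_open,
        "ready": dns_ok and port_open,
    }


def demo():
    """Offline demonstration on loopback: a listening socket stands in for
    the EEPC server; the same port after the listener is closed stands in
    for a server whose services were never started (step 17)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, constructed stand-in
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        up = readiness_check("127.0.0.1", "127.0.0.1", port=port, timeout=1.0)
    finally:
        listener.close()
    down = readiness_check("127.0.0.1", "127.0.0.1", port=port, timeout=1.0)
    return up, down


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Against the real servers, call readiness_check with the registered DNS alias and the IP address freed in step 9, once for the primary and once for the backup; a report with dns_ok false and port_open true means the service is fine but the alias has not yet propagated.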

For the new clients, right-click on the default machine group and create the install set. However, before doing that, ensure that all the settings are properly selected. I personally was annoyed when I left “Do not lock computer after removal of $autoboot$ user” unchecked; I had to make the change afterwards. Also, for manageability, make the installation directory of the new clients the same as that of the old ones (I chose this option because I depend on a lot of support automation for the installation of the clients).

Once the install set is created, publish the package to a location from which the technicians / users can install it. This could be either a common resource or a resource utilized by the deployment tool, like SMS.

The new clients are now installable, and the implementation is ready to be tested.

Testing

  • Synchronize the existing clients with the new server implementation.
  • Add new users to / remove some users from the existing clients and synchronize to check whether the configuration changes come into effect. Be careful: the “Force Synch” feature to synchronize from the server to the old 4.2.14 clients is now unavailable, and this action has to be initiated by the clients. However, this is only the case with the old clients; the feature works with the new ones. If you try to force synch to old clients, you will get an error message on the console: “Failed to convert IP to hostname.”
  • Install the new client package and test if encryption is working fine.
  • Execute recovery procedure of old as well as new clients.

A positive result for the above tests will confirm that the implementation is working fine and the service can be announced to the users. Servers MIGRATED!

Hippy of the 70s

With some effort I managed to get hold of my parents’ old pictures. Well, you can do that too. Dating back to their college days in the 70s. See them. Are you shocked???
Well, don’t be! Don’t tell me you couldn’t imagine them wearing bell bottoms with dog-eared collars mounted on printed shirts, when the image you have of your dad is in a white starched shirt and black trousers, neatly ironed and hung in the cabinet (don’t forget the polished black shoes) just before his departure for the office. He is the same guy in the picture. Believe me.

I know it’s going to be a tough one for you, but imagine 20 years of a calendar flip (not quite like a K Serial mentality where everyone stays the same).

Your jeans hanging critically low and the top getting critically high. Now, please do not misunderstand me as an activist of any kind; I am just trying to take you through the funny part. Hipsters date back to 1970, when they introduced the concept of hip huggers (basically trousers or jeans that demarcate the contours of the object in discussion). That was a brow raiser for my grandparents, and they still discuss how foolish that cult was. Look at them now. Everything ‘normalized’. Can you imagine your dad or mom in that attire now? No. Well, it’s 2010 coming up. So let’s imagine them in the attire you are in now. Can you? No. So what’s the lesson?

Normalization from hip huggers took place when they were married, had children and were proportioned with responsibilities. Imagine yourself standing in front of your kid in this critically suspended clothesline. I am sure it’s a dare. Not in front of a kid of 5 years of age, but yes, one of 25. Got that calendar flip effect? Yes. You are bound to.

The fact is, the DPS Generation or the low-waist generation is not doing anything very special. Media, our parents and colleges are making this a hype. I can sense the skin show, but did you ever look at pictures from the West? Topless girls putting up a brave act wearing only a piece of Levi’s. This was never accepted in cultures like ours, but give some room for the globalization effect. You need to.

Urbane of 2010

DPS generation clothing is nothing but a third wave of cult. Psychedelic is mixed with rock. Bright colors have become more timid but loom large on the mental faculty. Rock has become more metal. But the core stays the same. The pretty low – pretty high combination has just turned critically low – critically high. But that’s the evolution, and the reason is globalization and aggressiveness. A third wave. This guy in the mirror will wear black trousers. He is just collecting pictures to show his children, who might just be the next previously followed cult in a more refined way.