SAS Synchronization Agent - Thales Group


SAS Synchronization Agent FAQs

Contents

- Description
- Frequently Asked Questions
- Recommended Best Practices
- Advisory Notes
  - Managing Synchronized User Account Updates
  - Enable Delayed Sync Removal
  - Enable Sync Notifications
  - Minimal DN Scope for LDAP Scanning
  - Synchronizing Users and Groups with Multiple LDAP or SQL User Stores
- Product Documentation
- Support Contacts

FAQs: SAS Synchronization Agent. Document PN: 007-012847-001, Rev. D. Copyright 2015 Gemalto, Inc., All rights reserved.

Description

This document answers frequently asked questions about the new SafeNet Authentication Service (SAS) Synchronization Agent v3.4, for use with SAS v3.4 or later, and addresses the most common information needs for using the new agent.

The SAS Synchronization Agent allows you to sync users in LDAP or SQL user groups to a SAS user store. With the Synchronization Agent configured, LDAP or SQL user groups are monitored for membership changes, and user information in SAS is updated automatically to reflect those changes.

In earlier versions of SAS, up to v3.3.2, a full sync of all user records was performed for every sync event. With the new SAS Synchronization Agent, only "changed" user records (including additions and deletions) are synchronized, resulting in less network traffic and reduced sync time. This is referred to as "differential synchronization." It also reduces system load, which helps to increase the reliability of sync services.

Frequently Asked Questions

Q. What are the changes in the new SAS Synchronization Agent compared to v3.3.2?

A. The changes include the "differential synchronization" functionality, nested group support, and changes to the Sync History Report.

Q. What exactly is "differential synchronization"?

A. In previous versions of SAS, a full sync of all user records was performed for every sync event. With differential synchronization, only "changed" user records, including additions and deletions, are synchronized since the last successful sync, resulting in less network traffic and reduced sync time. This also reduces system load, helping to increase the reliability of sync services.

User records are sent in "batches" to the SAS User Store. With differential synchronization, the initial sync may take longer to complete as it builds up its local information store, but subsequent syncs typically complete much faster.

Differential syncing occurs in parallel with scanning the User Store.
This means that new users can typically start using authentication before all users are synchronized. If the agent cannot connect to the server, the sync is retried with the next User Store scan.

Q. What are the benefits of differential synchronization?

A. As mentioned previously, only "changed" user records, including additions and deletions, are synchronized since the last successful sync, resulting in less network traffic and reduced sync time. Reduced system load also increases the reliability of sync services. Refer to the next question for additional benefit information.

Q. Does differential synchronization allow a 20-minute sync frequency, and does stopping and starting the service trigger synchronization again?

A. SAS Cloud and SAS PCE/SPE v3.4 and later limit syncing to once every 60 minutes with older versions of the Synchronization Agent that do not use differential synchronization. The new agent recognizes the Scan Interval setting, and restarting the sync service in the agent initiates scanning and synchronization.
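The differential synchronization described above, modelled as an added example. This is illustrative Python, not the Synchronization Agent's code; the record layout, the `send` callback and the sample scans are assumptions. It keeps a snapshot of the last successful sync, computes only the added, modified and deleted records against a fresh scan, sends them in batches of up to 40 (the batch size the Sync History Report question below states), and advances the snapshot only for batches the server acknowledged, so an unreachable server leaves the changes to be retried on the next scan.

```python
"""Differential synchronization: send only what changed since the last successful sync.

Added example, not the SAS Synchronization Agent's code. Record layout,
the send() callback and the sample scans are assumptions made for illustration.
"""
from dataclasses import dataclass, field

BATCH_SIZE = 40  # the FAQ states each batch holds up to 40 users or groups


@dataclass
class SyncState:
    """Local information store: user id -> attributes as of the last successful sync."""
    snapshot: dict = field(default_factory=dict)


def diff_scan(snapshot, scan):
    """Compute the change set between the last acknowledged snapshot and a fresh scan.

    Returns a list of (operation, uid, attributes) tuples: additions, then
    modifications, then deletions. Unchanged users produce no record at all,
    which is what keeps traffic and sync time down.
    """
    added = [("add", uid, attrs) for uid, attrs in scan.items() if uid not in snapshot]
    modified = [("modify", uid, attrs) for uid, attrs in scan.items()
                if uid in snapshot and snapshot[uid] != attrs]
    deleted = [("delete", uid, snapshot[uid]) for uid in snapshot if uid not in scan]
    return added + modified + deleted


def batched(records, size=BATCH_SIZE):
    """Yield consecutive slices of at most `size` records."""
    for start in range(0, len(records), size):
        yield records[start:start + size]


def run_sync(state, scan, send):
    """One sync pass over a fresh directory scan.

    `send(batch)` delivers one batch to the SAS User Store and returns True on
    success. The snapshot is advanced only for acknowledged batches, so a
    connection failure leaves the unsent changes to be retried on the next scan.
    Returns the number of records processed, which is what the Sync History
    Report's Processed Users column reflects for the batches that were sent.
    """
    processed = 0
    for batch in batched(diff_scan(state.snapshot, scan)):
        if not send(batch):
            break
        for op, uid, attrs in batch:
            if op == "delete":
                state.snapshot.pop(uid, None)
            else:
                state.snapshot[uid] = attrs
        processed += len(batch)
    return processed


def demo(server_up=True):
    """Constructed scans (not real directory data) showing three consecutive passes.

    Returns (processed counts per pass, batch sizes sent, final snapshot size).
    """
    state = SyncState()
    sent = []

    def send(batch):
        if not server_up:
            return False          # e.g. SAS unreachable: nothing is committed
        sent.append(len(batch))
        return True

    scan1 = {f"user{i:02d}": {"mail": f"user{i:02d}@corp.example", "group": "SAS-VPN"}
             for i in range(50)}
    first = run_sync(state, scan1, send)    # initial load: all 50 users, in 2 batches

    second = run_sync(state, scan1, send)   # nothing changed: 0 records sent

    scan3 = dict(scan1)
    scan3["user00"] = {**scan1["user00"], "mail": "renamed@corp.example"}
    del scan3["user49"]                     # user left the group (or was deleted)
    third = run_sync(state, scan3, send)    # one modify + one delete: 2 records

    return (first, second, third), sent, len(state.snapshot)


if __name__ == "__main__":
    print(demo())                  # ((50, 0, 2), [40, 10, 2], 49)
    print(demo(server_up=False))   # ((0, 0, 0), [], 0)
```

The contrast with the pre-v3.4 behaviour is the second pass: a full sync would have resent all 50 records, while the differential pass sends nothing. Committing the snapshot per acknowledged batch is what makes "since the last successful sync" hold even when a later batch fails mid-run.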

Q. What changes have been made to the Sync History Report?

A. In support of differential synchronization, the User's Total column heading has been changed to Processed Users, and the Group's Total column heading has been changed to Processed Groups. The Processed Groups column displays the number of changed groups that were processed during the sync batch. The Processed Users column displays only the number of users in this batch sent to be synced since the last successful sync. Each batch contains up to 40 users or groups.

The Sync History Report is viewed by clicking COMMS > Authentication Processing > LDAP Sync Agent Hosts, and then clicking the View Sync History link. User changes appear in the report incrementally as they occur.

Q. What is nested group support?

A. The Synchronization Agent has been enhanced to sync LDAP users within nested groups, where users may be members of a group that is itself a member of another group.

SAS synchronizes all users in nested groups that are visible in LDAP. SAS is not directly aware of trust relationships in Active Directory. For additional information, refer to the question below regarding the AD Global Catalog.

Additional information can be found in the SafeNet Authentication Service Synchronization Agent Configuration Guide.

Q. What preparation is needed before upgrading the Synchronization Agent?

A. Before updating the Synchronization Agent, it is recommended to verify that LDAP groups configured for syncing do not contain nested groups with users you do not intend to sync. After upgrading, all users of nested groups will be synced automatically.

Q. What is required to use these new features?

A. These new features require SAS Cloud v3.3.3 or later or SAS PCE/SPE v3.4 or later, and SAS Synchronization Agent v3.3.30140 or later.
No other configuration changes are required.

Note that this agent version supports only server variants of Windows, as stated in the SAS Synchronization Agent Configuration Guide.
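The pre-upgrade check described above (verify that sync groups do not contain nested groups with users you do not intend to sync), as an added example rather than anything the agent ships. It expands group membership transitively, with protection against membership cycles, and reports which users a sync group would pull in only through nesting, together with the chain of groups they arrive by. The directory content is constructed; in a real check `members_of` would be populated from an LDAP search of each group's `member` attribute (the attribute name is an assumption).

```python
"""Which users would a sync group pull in only through nested groups?

Added example, not the Synchronization Agent's code. The directory below is
constructed; in practice members_of would be filled from an LDAP search on
each group's `member` attribute (that attribute name is an assumption).
"""


def expand_group(group_dn, members_of):
    """Return (direct_users, nested_users) for one sync group.

    members_of maps a group DN to its direct members; a DN that is a key of
    members_of is treated as a group, anything else as a user. nested_users
    maps each user reached only via nesting to the chain of intermediate groups.
    Groups are expanded at most once, so cycles (A contains B contains A) and
    diamonds terminate.
    """
    direct, nested = set(), {}
    expanded = {group_dn}
    stack = [(member, ()) for member in members_of.get(group_dn, ())]
    while stack:
        dn, chain = stack.pop()
        if dn in members_of:                  # a group: descend into it
            if dn in expanded:
                continue
            expanded.add(dn)
            stack.extend((m, chain + (dn,)) for m in members_of[dn])
        elif not chain:
            direct.add(dn)
        else:
            nested.setdefault(dn, chain)
    # a user who is also a direct member is synced anyway; report only nested-only users
    return direct, {u: c for u, c in nested.items() if u not in direct}


def nested_only_report(sync_groups, members_of):
    """Map each sync group to the users it would add purely through nesting."""
    return {g: expand_group(g, members_of)[1] for g in sync_groups}


# Constructed directory (not real data). SAS-VPN is the group configured for sync;
# it nests Contractors, which nests Vendors, which nests SAS-VPN again (a cycle).
BASE = "OU=Groups,DC=corp,DC=example,DC=test"
USERS = "OU=People,DC=corp,DC=example,DC=test"
SAS_VPN, CONTRACTORS, VENDORS = (f"CN={n},{BASE}" for n in ("SAS-VPN", "Contractors", "Vendors"))
ALICE, BOB, CAROL, DAVE = (f"CN={n},{USERS}" for n in ("alice", "bob", "carol", "dave"))

DIRECTORY = {
    SAS_VPN: [ALICE, BOB, CONTRACTORS],
    CONTRACTORS: [CAROL, VENDORS, BOB],
    VENDORS: [DAVE, SAS_VPN],
}

if __name__ == "__main__":
    for group, users in nested_only_report([SAS_VPN], DIRECTORY).items():
        print(group)
        for user, chain in users.items():
            print("  nested-only:", user, "via", " -> ".join(chain))
```

In this constructed directory the upgrade would start syncing carol (via Contractors) and dave (via Contractors and then Vendors), while bob, who is both a direct and a nested member, is unaffected. On a domain-joined Windows host the flattened membership can be fetched with the ActiveDirectory module's Get-ADGroupMember -Recursive, but that output does not say which intermediate group a user came through, which is why the example keeps the chain.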

Q. Do I have to upgrade the Synchronization Agent in order to continue using SAS?

A. Earlier versions of the Synchronization Agent will continue to work with SAS, but the new and all future versions will use differential synchronization with SAS 3.3.3 or later. It is recommended to update the agent in order to enjoy the benefits of differential synchronization. It is also recommended as a best practice to run the latest version of the agent.

Q. I am running Synchronization Agent v3.3.3. Should I upgrade to v3.4?

A. Yes. Synchronization Agent v3.4 is a maintenance release to v3.3.3 that fixes several defects, and is recommended for all customers. It is generally recommended as a best practice to run the latest version of the agent.

Q. What is the upgrade procedure for the new Synchronization Agent?

A. Launch the installer to upgrade the agent. It is not necessary to stop the service or uninstall the agent.

Q. How do I upgrade multiple redundant agents?

A. SAS supports syncing a Virtual Server through multiple agents that are configured with the same groups and attribute mappings. All agents must be upgraded at the same time:

1. Stop all agents except one.
2. Upgrade this agent (which can still be running) and start it.
3. Upgrade the next agent and start it.
4. Repeat until all agents have been upgraded.

Q. What if I have a mixed environment of different versions of the Synchronization Agent configured against the same LDAP server and the same authentication virtual server?

A. This is not supported. Mixing newer agents that use differential synchronization with older agents that do not negates the benefits of differential synchronization. All older agent versions should be upgraded to the latest version, as described in the previous answer.

Q. Can the Synchronization Agent sync multiple domains to SAS using Active Directory Global Catalog?

A. Yes. Although the Synchronization Agent does not directly support Active Directory, it can be configured to sync with a Global Catalog for LDAP searches.
To enable this functionality in the Synchronization Agent, you must set the Port field on the User Source Configuration window to 3268, which is the port to which Global Catalog queries are directed. Note that 3268 is the unencrypted Global Catalog LDAP port; the TLS-protected Global Catalog listener is 3269. This FAQ does not cover encrypted Global Catalog queries, so check the Synchronization Agent Configuration Guide before sending directory data over 3268 across untrusted network segments.

In addition to the above configuration changes, note the following additional steps that may need to be performed:

- The selected Sync Groups must be set as "universal" groups.
- In SAS, under Authentication Processing > LDAP Sync Agent Settings, it is recommended to enable the Use Delayed Sync Removal option.
- In the Synchronization Agent, under User Source Configuration, select the option Manually edit searched containers, and then add the containers from the sub-domains.

In order for the Synchronization Agent to scan and sync Global Catalog groups to SAS, you must bind at the forest root (DC=root,DC=domain) so that the search covers all sub-domains. Then, you will need to do one of the following:

- In the Synchronization Agent, under User Source Configuration, select the option Manually edit searched containers, and then add the containers from the sub-domains.
- If the above procedure does not produce the intended results (not all domain groups are displayed), enter a NULL value (" ") for Manually edit searched containers to instruct the agent to search the entire Active Directory tree.

The Microsoft TechNet article entitled Global Catalog and LDAP Searches provides additional information and can be found at the following link: 978012.aspx

Q. How can I test differential synchronization before placing it into use?

A. Testing should normally not be necessary, since differential synchronization does not change scanning or what is synchronized. Testing the new agent version is possible with a separate virtual subscriber that can be created under Service Provider accounts. It is not possible to use the new and old agent versions together in the same virtual subscriber.

Q. Can I revert back to not using differential synchronization?

A. Differential synchronization does not introduce new functionality and results in the same user data in SAS. In case of unforeseen issues, it is possible to revert to the last agent version (3.03.20178) that does not use differential synchronization:

1. Stop all agents except one.
2. Launch the installer for version 3.03.20178 on this agent (which can still be running), and start the service.
3. Repeat for the remaining agents.

For information on backup and restore procedures, refer to the SAS Synchronization Agent Configuration Guide.

Q. Can the new Synchronization Agent version be used with earlier versions of SAS PCE/SPE?

A. No. Synchronization Agent v3.4 (or later) is only supported with SAS v3.4 or later.
The Synchronization Agent v3.03.20178 continues to be provided and supported for SAS v3.3.2, as well as earlier versions of SAS that are still under full support.

Q. What is the upgrade path for SAS PCE/SPE?

A. The SAS server should be upgraded first to v3.4. Existing Synchronization Agents will continue to work, but the scan interval is now limited to once every 60 minutes (instead of every 20 minutes), even if the agent is manually stopped and restarted.

It is recommended to upgrade the Synchronization Agent to v3.4 in order to obtain the benefits of differential synchronization and regain a scan interval of every 20 minutes. Restarting the sync service in the agent initiates scanning and synchronization.

Recommended Best Practices

- Deployment of a single SAS Synchronization Agent ensures reliable synchronization and is recommended for most organizations.
- Deployment of two agents is recommended to meet redundancy or resiliency requirements. Each agent must be identically configured, except that they may point to different LDAP servers (of the same directory), which is recommended for better resiliency towards LDAP.
- It is recommended to run the latest version of the agent.

Advisory Notes

Managing Synchronized User Account Updates

When synchronizing users from LDAP to SAS, a recovery mechanism called Delayed Sync Removal is enabled in SAS by default. It provides a 24-hour window during which user accounts flagged for deletion can be restored. Conversely, if this option is disabled, accounts deleted in the LDAP directory are removed immediately and permanently from the SAS user database upon synchronization, along with all user/token associations.

The Delayed Sync Removal function provides a "safety net" that protects against accidental or erroneous deletions, and saves the time and effort of re-establishing valid user accounts. The deleted user accounts are marked as "disabled" during the 24-hour period, and these users will not be able to authenticate. However, Operators have the ability to either re-enable the account or expedite the deletion manually if they are certain the removal is valid. A large number of accounts flagged in a single sync event can also indicate an incomplete directory scan rather than genuine deletions (see Minimal DN Scope for LDAP Scanning below); because flagged accounts are disabled for the whole window, such an event should be investigated promptly rather than left to expire.

When used in conjunction with the delayed removal option, enabling sync notifications provides the opportunity to review synchronization activities and determine the validity of user account changes and deletions.

Implementing this functionality consists of the following steps:

- Enable Delayed Sync Removal (see below)
- Enable Sync Notifications (see below)

Enable Delayed Sync Removal

The Use Delayed Sync Removal option in SAS delays the removal of synchronized LDAP user accounts flagged for deletion from the SAS Virtual Server for 24 hours.
Combined with LDAP Sync Notification, if a sync event is detected, the Virtual Server will send an alert to Operators indicating that all detected changes will occur in 24 hours unless they intervene.

This option is enabled by default; however, if it has been disabled, the steps below describe how to re-enable it.

1. In the SAS Management Console, click Virtual Servers > Comms > Authentication Processing > LDAP Sync Agent Settings.
2. Enable the Use Delayed Sync Removal option.
3. Click Apply.
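The Delayed Sync Removal behaviour described in this section, as an added illustrative model. This is not SAS code; the store layout, the injected clock and the alert text are assumptions, and only the 24-hour window and the disable/restore/expedite behaviour come from the text above. A user who disappears from the directory is disabled at once and flagged with a deadline, an Operator can restore or expedite within the window, and a sweep past the deadline performs the permanent deletion together with the user's token associations. With the option off, the same event deletes immediately.

```python
"""Delayed Sync Removal as a small state model.

Added example, not SAS code. Store layout, clock injection and the alert text
are assumptions; only the 24-hour window and the disable/restore/expedite
behaviour come from the FAQ.
"""
from datetime import datetime, timedelta, timezone

REMOVAL_WINDOW = timedelta(hours=24)
T0 = datetime(2015, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed reference time


class VirtualServerStore:
    def __init__(self, delayed_sync_removal=True):
        self.delayed = delayed_sync_removal
        self.users = {}   # uid -> {"enabled": bool, "tokens": list, "remove_at": datetime|None}
        self.audit = []   # (when, event, uid) for the Operator to review

    def add(self, uid, tokens=(), now=T0):
        self.users[uid] = {"enabled": True, "tokens": list(tokens), "remove_at": None}
        self.audit.append((now, "added", uid))

    def can_authenticate(self, uid):
        user = self.users.get(uid)
        return bool(user and user["enabled"])

    def flag_removed_from_directory(self, uid, now):
        """Called when a sync no longer reports `uid` in any synced group."""
        if uid not in self.users:
            return "unknown"
        if not self.delayed:                      # option off: immediate and permanent
            del self.users[uid]
            self.audit.append((now, "deleted", uid))
            return "deleted"
        user = self.users[uid]
        user["enabled"] = False                   # cannot authenticate during the window
        user["remove_at"] = now + REMOVAL_WINDOW
        self.audit.append((now, "flagged", uid))
        return "disabled"

    def restore(self, uid, now):
        """Operator decided the removal was a mistake (e.g. an incomplete scan)."""
        user = self.users[uid]
        user["enabled"], user["remove_at"] = True, None
        self.audit.append((now, "restored", uid))

    def expedite(self, uid, now):
        """Operator is certain the removal is valid: delete without waiting."""
        del self.users[uid]
        self.audit.append((now, "deleted", uid))

    def sweep(self, now):
        """Permanently delete every flagged user whose window has elapsed."""
        due = [u for u, d in self.users.items() if d["remove_at"] and d["remove_at"] <= now]
        for uid in due:
            del self.users[uid]                   # token associations go with the record
            self.audit.append((now, "deleted", uid))
        return due

    def pending_alert(self, now):
        """Text of the kind of alert Operators get with LDAP Sync Notification enabled."""
        pending = sorted(u for u, d in self.users.items() if d["remove_at"])
        if not pending:
            return None
        deadline = min(self.users[u]["remove_at"] for u in pending)
        return (f"{len(pending)} user(s) flagged for removal will be deleted at "
                f"{deadline.isoformat()} unless an Operator intervenes: {', '.join(pending)}")


def scenario():
    """Constructed timeline: two users vanish from a scan; one is restored, one expires."""
    store = VirtualServerStore()
    store.add("alice", tokens=["OTP-1"])
    store.add("bob", tokens=["OTP-2"])
    store.flag_removed_from_directory("alice", T0)
    store.flag_removed_from_directory("bob", T0)
    locked_out = not store.can_authenticate("alice")            # disabled immediately
    store.restore("alice", T0 + timedelta(hours=2))             # Operator intervenes
    swept_early = store.sweep(T0 + timedelta(hours=23))         # nothing due yet
    swept_late = store.sweep(T0 + REMOVAL_WINDOW)               # bob's window elapsed
    return locked_out, swept_early, swept_late, sorted(store.users), store.can_authenticate("alice")


if __name__ == "__main__":
    print(scenario())   # (True, [], ['bob'], ['alice'], True)
```

The point to take from the model is that the safety net protects the record and its token associations, not the user's access: alice cannot authenticate between being flagged and being restored, which is why a flagged batch should be reviewed as soon as the notification arrives.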

Enable Sync Notifications

Enable LDAP Sync Notification in SAS

Notification is enabled individually for each Operator group in the Role Management module. Enabling this function in SAS generates an email to Operators specifically related to user account actions, such as additions and deletions, that occurred during synchronization.

1. In the SAS Management Console, click Virtual Servers > Policy > Role Management.
2. Click Alert Management.
3. Click the Edit link for the Operator role.
4. Under Alert Settings, in the Email column, enable the LDAP Sync Notification option.
5. Click Apply.

Notification Email Example

The following is an example of the LDAP Sync Notification email that is sent to all Operators when used in conjunction with the Delayed Sync Removal option. (The sample email is reproduced as an image in the original document.)

Enable LDAP Sync Notification in the Synchronization Agent

The Synchronization Agent can be configured to send email alerts if it is unable to connect to SAS, or to the LDAP directory server or SQL server. An email alert can also be sent if an expected group is not found. The text can be customized for each alert.

NOTE: Email alerts can only be configured if the service is stopped.

1. In the Synchronization Agent, click the Notification tab.

2. Under SMTP Configuration, click Configure.
3. The SMTP Configuration window is displayed. These settings define the mail server (SMTP) used to send notifications to the operator/administrator who manages the Virtual Server, and to provide LDAP sync process notifications (for example, failed or succeeded).

   From e-mail address: Enter the email address from which notifications are sent.
   Hostname/IP Address: Enter the IP address or host name of the SMTP server (mail server) used for sending out notifications.
   Port: Enter the port used by the specific mail server to send and receive emails.
   Username (if required) / Password (if required): If credentials are required to log on to the SMTP server, enter the username and password of the account from which the notifications are sent.

4. Click OK.
5. Under E-mail Test, in the Enter e-mail Address field, enter a recipient email address. Click Test to test the SMTP configuration.
6. To customize the email alerts that are sent, under E-mail Message Templates, click Customize.
7. On the Email Templates window, enter the following information, and then click OK:

   Message: Select the message type:
   - LDAP Connection Issues
   - User Source Server Connection Issues
   - Sync Server Connection Issues
   - Missing Group
   Subject / Body: Modify the Subject and Body text as required.

8. Under Event Recipient Lists, click Add to add an email address to which alerts are sent.

9. On the Mailing List window, enter the following information:

   List Name: Enter a name for the email list.
   Recipient E-mail / Recipient E-mail List: For each address to be added to the Recipient E-mail List, enter a valid email address into the Recipient E-mail field, and then click Add.
   Events: Select the events for which the recipients will receive an alert:
   - Sync Server Connection Issues
   - User Source Connection Issues
   - Missing Group

10. Click OK. The List Name is displayed in the Event Recipient Lists box.

Minimal DN Scope for LDAP Scanning

To ensure optimal synchronization performance, it is advised to limit LDAP scanning to the narrowest Distinguished Name (DN) scope that still encompasses all sync groups. With an overly broad scanning scope on very large LDAP directories, LDAP scanning may not always report all users to the Synchronization Agent, which can lead to users being marked in SAS for delayed removal and then deleted after 24 hours.

Note that the Synchronization Agent does not allow the DN scope to be modified for Active Directory if the default settings are used: search containers cannot be specified if the "LDAP user source is Active Directory" checkbox is selected. This option allows the Synchronization Agent to determine whether the custom schema is for an Active Directory (AD) implementation of LDAP. If this option is enabled, the agent always targets all LDAP queries at the Base DN and uses Active Directory optimized search queries, so for Active Directory the Base DN itself is the scope to keep minimal.

In addition, it is recommended to keep the Use Delayed Sync Removal feature enabled in the SAS Management Console under COMMS > Authentication Processing > LDAP Sync Agent Settings.

Synchronizing Users and Groups with Multiple LDAP or SQL User Stores

A single Virtual Server can synchronize only to a single User Store. Note that this is currently not enforced. It is strongly advised to verify that all agents are configured for exactly the same groups and attributes; otherwise, synchronization conflicts and inconsistencies can arise.
Differing synchronization configurations for the same Virtual Server are not supported.
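A helper for the Minimal DN Scope for LDAP Scanning advice above, added here as illustration and not part of the agent or SAS. Given the DNs of the configured sync groups it computes the narrowest container that is an ancestor of all of them, which is the tightest Base DN or searched container you can set without losing a group, and checks a proposed scope against each group so that a misconfigured scope is caught before a scan silently drops users. For groups spread across the sub-domains of one forest the answer falls out as the forest root, consistent with the Global Catalog guidance earlier in this FAQ. The DNs are constructed.

```python
"""Narrowest LDAP scope that still contains every sync group.

Added example, not part of the Synchronization Agent or SAS. The DNs below
are constructed. Works on DNs as LDAP writes them (leaf RDN first); RDN
comparison is case-insensitive, and escaped commas inside an RDN are honoured.
"""


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, leaf first."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def minimal_scope(group_dns):
    """Deepest container that is a strict ancestor of every group DN, or "" if none.

    Returns "" when the groups share no common root (different forests), which
    means no single LDAP user source can cover them all.
    """
    chains = [split_dn(d)[::-1] for d in group_dns]          # root first
    common = []
    for level in zip(*chains):                               # stops at the shortest DN
        if len({rdn.lower() for rdn in level}) == 1:
            common.append(level[0])
        else:
            break
    if any(len(common) == len(chain) for chain in chains):   # prefix is a group itself
        common.pop()
    return ",".join(reversed(common))


def covers(scope_dn, dn):
    """True if `dn` lies strictly below `scope_dn`."""
    scope = [r.lower() for r in split_dn(scope_dn)]
    target = [r.lower() for r in split_dn(dn)]
    return len(target) > len(scope) and target[-len(scope):] == scope


def check_scope(scope_dn, group_dns):
    """Return the sync groups that a configured scope would silently miss."""
    return [g for g in group_dns if not covers(scope_dn, g)]


# Constructed sync group DNs (not real data).
SINGLE_DOMAIN = [
    "CN=SAS-VPN,OU=Groups,OU=EMEA,DC=corp,DC=example,DC=test",
    "CN=SAS-Admins,OU=Groups,OU=EMEA,DC=corp,DC=example,DC=test",
    "CN=Sales\\, EMEA,OU=Groups,OU=EMEA,DC=corp,DC=example,DC=test",  # escaped comma
]
MULTI_DOMAIN = [  # Global Catalog case: groups in two child domains of one forest
    "CN=SAS-VPN,OU=Groups,DC=emea,DC=corp,DC=example,DC=test",
    "CN=SAS-VPN,OU=Groups,DC=apac,DC=corp,DC=example,DC=test",
]

if __name__ == "__main__":
    print(minimal_scope(SINGLE_DOMAIN))   # OU=Groups,OU=EMEA,DC=corp,DC=example,DC=test
    print(minimal_scope(MULTI_DOMAIN))    # DC=corp,DC=example,DC=test (the forest root)
    print(check_scope("OU=Groups,DC=emea,DC=corp,DC=example,DC=test", MULTI_DOMAIN))
```

Run `check_scope` against the Base DN (or each manually edited searched container) whenever a sync group is added or moved: a group outside the scope is not an error the agent reports, it simply stops being seen, and with Delayed Sync Removal its members are flagged and, 24 hours later, deleted.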

Product Documentation

The following documentation supports the SAS Synchronization Agent:

- SAS Synchronization Agent Customer Release Notes
- SAS Synchronization Agent Configuration Guide

These documents can be found at the following link on the SafeNet website: tion-guides.html

Support Contacts

If you encounter a problem while installing, registering, or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.

Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Gemalto and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Contact Method: Contact Information

Address: Gemalto, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA

Phone

Technical Support Customer Portal: https://serviceportal.safenet-inc.com
Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the Gemalto Knowledge Base.
