Password Safe Enterprise Server

Manual Password Safe Enterprise Server
© 2012 MATESO GmbH

Contents

Preface
Questions and answers
Introduction
  1 Client/server concept
  2 Server service
  3 Setup user interface
First steps
  1 System preconditions
  2 Folder structure
  3 Quickstart
  4 Download and installation
      Services
  5 Setup assistant
  6 Activation
      Licence certificate
      Licence file (*.lic)
      Automatic activation
  7 Create new database
      Create new master database
      Configure existing master database
      Create new slave database
  8 Import of PSX backups (v5, v5, v6)
  9 Start server service
  10 Connect clients
Configuration
  1 Configuration user interface
  2 Client-server configuration example
  3 Configuration file
  4 Network Logon
  5 Databases
      Create database
      Add existing database
      Change database settings
      Deposit / change database password
      Update patchlevel
      Start / Stop database
      Database sessions
      Database Firewall (rules)
      Locked users
  6 Backup (automatic backup)
      Backup concept
      RSA-Key
      Manage backup time schedules
      Start/change backup time schedule
      Carry out backup time schedule manually
      Revertive backup
  7 High availability
      Preconditions
      Creating the master and slave databases
      Configuration
      Case of disaster
      Recreation of high availability
  8 Task service
  9 Server options
      Server parameter
      Security parameter
      Hacker protection
      Password
      Server log
      Certificate
      Error messages
Miscellaneous
  1 Updates
  2 Upgrade v5 to v6
  3 Problem solving
  4 Error codes
  5 Support
  6 Licensing agreement
  7 Move to another server

1 Preface

Welcome to Password Safe and Repository Enterprise Server

The Enterprise Server, together with the Enterprise Edition Client, offers an optimal package for your company. The database files are administered by the Password Safe Enterprise Server. Users therefore no longer have direct access to the database file and cannot remove it from the company. Users can only access the server via an encrypted TCP/IP connection, which is configured when the databases are set up. Furthermore, the Enterprise Server offers the best performance with larger amounts of data. The server runs as a service in the background, and the administrator can set many server parameters as required via the convenient administration console.

Main features of the Password Safe Enterprise Server:
- Real SQL databases
- The database concept is designed for multiuser operation (several users accessing at the same time)
- Network-compatible
- The TCP/IP communication with the clients is completely encrypted and can be configured
- Automated backup schedules for an optimal backup configuration
- Automatically carries out database actions with the task service
- Users have no direct access to the database file
- Offline availability controlled by privileges
- Scalable

2 Questions and answers

What file endings are used in Password Safe?
Password Safe uses several file endings. The following occur on the server:

*.ps6
Files with the ending ps6 are databases. They are made available to the server via a database account.

*.psx
Backups are saved with the ending psx. They can be imported when a new database is created.
Please note that the corresponding private key (*.prvkey) is required for this.

*.prvkey
This file is necessary to decrypt a backup when it is to be imported into a database.

sds.pc6
This file is the configuration file of the Enterprise server. On Windows server 2003 it can be found at C:/documents and settings/all users/application data/PasswordSafe/sds.pc6. On Windows server 2008 you can find the file at C:/programdata/PasswordSafe/sds.pc6

psr6.lic
The license file, which contains the license information. Please note that you need write access to this file.

psr.nlc
This is a network logon file.

What is high availability?
With high availability, two Enterprise servers are used. While the productive master database runs on one of the Enterprise servers, the other Enterprise server manages a slave database. The slave database is an exact copy of the master database and is synchronized regularly. This allows you to convert the slave database to the master database and continue working in the case of a crash or a server breakdown.

What is the task service needed for?
The task service checks at regular intervals whether there are any tasks to process and then carries them out. For example, the Active Directory can be synchronized this way.

Why does the task service deactivate itself?
The task service deactivates itself if no database is configured for it to check. You can find further information in the chapter task service.

What passwords are there?
Three passwords are necessary for operation: the database password, which encrypts the database; the user password, with which users log on to the database; and the connection password, which is the initial password for the TCP network connection.
Which ports are used by Password Safe?
To guarantee smooth operation, make sure that the following TCP ports are opened in the network firewall:
- 12008 -> Communication between server and clients
- 12010 -> Service port for the communication between the server configuration and the server service (only with Enterprise Server)
- 12001 -> Communication between clients and browser addons
- 12008 to 12018 -> The various clients communicate via these ports in multiuser operation. The first free port is used.

3 Introduction

3.1 Client/server concept

The Password Safe Enterprise Server is a program that offers a service. Within the client-server concept, the Password Safe and Repository Enterprise client can use this service. The communication between client and server depends on the service, meaning the service decides which data is exchanged between the two. The server is on standby so that it can react to contact from a client at any time. In contrast to the client, which actively requests a service, the server acts passively and waits for requests. Clients and server predominantly run as programs on different computers; running both on the same computer is possible but rather unusual.

Password Safe Enterprise Server
The Password Safe Enterprise Server enables secure communication between clients and databases via an encrypted TCP/IP connection. The connection, or rather the data, is encrypted with an encryption algorithm and a password. The 12 latest encryption algorithms are available.

Password Safe Enterprise Client
The Password Safe and Repository client receives the encrypted data stream from the server and can decrypt it, so that the user can see and use the data. Only the data which the client or user has requested is transmitted.

3.2 Server service

A service is a program which runs in the background of the operating system and carries out a certain task in response to a certain event.
For Password Safe, this task is to send the data which the client has requested in encrypted form. A service itself does not have a user interface. For the configuration and administration of the service there is, however, a separate program. Alternatively, the service can also be started, stopped or deleted with the Service Control Manager (service manager).

3.3 Setup user interface

System services themselves do not have a user interface, which is why the service is configured and administered with a separate program. Password Safe provides a separate program (sdsconfig) for this purpose. Since administrator privileges are needed to change the service status (start, stop, etc.), these programs should always be run as administrator.

4 First steps

4.1 System preconditions

The Enterprise server should be installed on a Windows server operating system. This server can be a physical or a virtual server. Administrator rights are required for the installation and the configuration.

Operating systems:
- Windows server 2000 from SP3 on (possibly install gdiplus.dll afterwards)
- Windows server 2003 (32Bit & 64 Bit)
- Windows server 2008 R2 (32Bit & 64 Bit)

Main memory:
The server should be operated with at least 2 GB RAM (suggested 4 GB RAM). The main memory should be increased according to the workload.

CPU:
Password Safe is multicore capable. To distribute and utilize the load optimally, the server should be operated with several CPUs (at least 2; suggested Quad Core CPU).

Hard disk storage:
The database size depends on the contents saved in the database (documents and datasets). An empty database takes up around 1,5 MB.

Network connection:
The network connection should be at least 10MBit/s (suggested 1 GBit/s)

Important: The service only starts with a valid license file.
Note that the license file "psrX.lic" of the server must not be stored in a network share.

Tip: The Password Safe Enterprise server can be installed on an existing server on which other applications have already been installed. From around 100 users on, it is suggested to use a dedicated server for Password Safe. An installation is also possible under Windows XP, Windows Vista and Windows 7. However, we suggest a server environment for productive use.

4.2 Folder structure

It is recommended to create the folder structure before installing the server and to store the files, such as the license file (psr6.lic), in the appropriate folders. The folder structure might look like this:

Backup
This folder stores the "local" PSX backups. These files are created by the server-side backup service.
Note: The directory should be archived or semi-annually and adjusted, in order to ensure there is always enough space available.

Config file Client
The configuration file "psr.pc6" is stored in this folder. This file can be used as a "basic" configuration file. Further information can be found in the client help file.

Config file Server
The server configuration file "sds.pc6" is copied to and saved in this folder. The server can be preconfigured with this file.

Database
All databases are stored in this folder.

Documentary
The help files (client and server) are stored in this folder in PDF and CHM format.

Install
The setup files for client and server (exe and msi) are stored in the installation folder.

License
This folder contains the license file.

Network Logon
The profile file is stored in the Network Logon folder. This file can be used for the automatic database configuration.

Protocols
All protocols from the server are stored in this folder.
This setting can be changed on the server under "Server options -> Logbook".

4.3 Quickstart

Depending on the configuration, Password Safe can be integrated into a system quickly.

Enterprise server
- Installation of the server
- Activation
- Setup assistant
- Starting databases
- Configuration of the database firewall (per database)
- Configuration of the module network logon (if licensed)
- Configuration of the backup time schedule
- Configuration of the task service
- Configuration of the hacker protection

Enterprise client
- Installation of the client
- Release and activation
- Starting the database connection

Network logon module:
With the module "network logon" the database connection on the client is set up automatically. The network logon profile file should be saved under the file name "psr.nlc". When Password Safe starts, the client adopts the database settings of the profile and automatically makes the database available to the user for connection. The module can be opened under extras -> configure network logon.

The module "network logon" is a chargeable additional module. If you have not bought the module yet, you can license it subsequently at any time.

4.4 Download and installation

The Enterprise server is a self-contained server which keeps the databases available for the Enterprise clients. The server can be downloaded and installed via a link which is specified in the order (or with the test licenses). If you have already installed a server, you can download a later version via the help menu (help -> search for updates...).

After downloading the setup you can start the installation with a double click. Then follow the steps of the installer. As soon as the installation is completed, start the configuration user interface and follow the instructions of the setup assistant. Afterwards you can activate the software via the license overview.
Attention: The server of an Enterprise server installation cannot be run in parallel with older versions! If the version 6 server is installed, the version 5 server is automatically uninstalled.

4.4.1 Services

After a successful installation the services are automatically entered in the system services of the operating system. The services are administered and configured via the setup user interface "SDS Konfiguration". You can start and stop the services directly on the homepage. Via the menu extras you can install and uninstall the services as required.

Notice: The server can only be started with a valid license file. Furthermore, the services should be configured before the start.

Information on the server service:
The server service is the "main service". It starts the databases and makes them available for an encrypted connection.
Service name: SDS
Name displayed (list): Password Safe Enterprise Server
Application: sds.exe

Information on the backup service:
The backup service creates database backups at configured points in time. The server service has to be started in order to create a backup.
Service name: SDSBACKUP
Name displayed (list): Password Safe Enterprise Server Backup Service
Application: sdsbackup.exe

Information on the task service:
The task service carries out so-called automated tasks which are defined in the corresponding database, for example sending emails. The server service has to be started in order to carry out these actions.
Service name: ServiceSDSTask
Name displayed (list): Password Safe Enterprise Server System Task Service
Application: sdstask.exe

Notice: The backup service as well as the task service can only be started when the server service runs. If the server service is stopped, the other services are stopped as well.
4.5 Setup assistant

At the first start of the server's configuration user interface "SDS configuration", the setup assistant guides you through the basic settings. In the assistant you assign, for example, the IP address and the password for the initial connection encryption between the server and the clients. When a client connects, a pair of RSA keys is exchanged and every client has its own encrypted connection with the server. The data can be changed later in the "server options".

Password Safe - Configuration (administrator privileges necessary)

In the first step you can configure the IP address and the port. Make sure that the settings are not blocked by a firewall. You may have to configure your firewall accordingly.

To increase security you can now link the configuration of the server to the hardware of the server. For this, a unique ID is created from the hardware components of the computer. The database can only be started on the computer with this ID. If the database is copied to another machine, no access is possible. Please note that access to the database is also locked if the hardware is changed on a virtualized machine!

Important: If you use a virtualized machine, please deactivate the hardware linking, because otherwise the configuration file may no longer be usable.

In the next step you define the password guidelines of the server. They specify how the passwords for the upcoming databases as well as the connection password have to be composed.

In the further course of the setup assistant you have to set the initial connection password, which is used for the connection between server and client. You can check whether your password is safe by clicking on "carry out password analysis".
A key exchange (RSA) is made via this connection, so that every client receives its own connection encryption for every new connection.

Now you can define the safety parameters. They can of course still be changed after the synchronization. Please note that you have to adapt the firewall rules when you activate the database firewall. You only have to name a domain if you use users which are taken over from the Active Directory. You can use either the fully qualified domain name or WINS here.

At the end you can define whether you want to open the server options after the completion of the configuration.

4.6 Activation

The Enterprise server is activated via the "SDS configuration". Without activation the Enterprise server service cannot be started. To activate, open the configuration user interface and click on help -> license overview in the menu. The procedure differs depending on the activation key.

If you have purchased the software directly from MATESO GmbH, you will normally be sent a license file "psrX.lic". If you order directly via our online shop, you receive a license certificate.

If you own a licence file, the activation is made as described in "licence file (*.lic)". If the activation is made via licence certificate (order via online shop), proceed as described in "licence certificate".

4.6.1 Licence certificate

After you have received the license certificate, you can activate the software via the license overview. Copy the whole licence certificate from
-----BEGIN LICENCE CERTIFICATE-----
to
----- END LICENCE CERTIFICATE -----
into your clipboard. By clicking on the button "add licence certificate" the licence certificate will be inserted automatically.

Now open the licence overview and click on "add licence certificate" in the lower area of the licence overview.
If the licence certificate is already in the clipboard, it is recognized and inserted automatically. Otherwise you have to copy the licence certificate to the clipboard again and paste it in manually here. Afterwards confirm with "add".

Confirm the message with "Ok". Your licence is then displayed in the licence overview, where you can see all the data on your licence. Close the licence overview and restart the setup user interface so that the settings take effect.

4.6.2 Licence file (*.lic)

If you have been sent the licence file as a ZIP file, you have to unpack it first. Afterwards store the file in a suitable directory of your choice (off line on the server). Make sure that you have the privilege to write in that directory.

Start the "SDS configuration", open the license overview ("help" -> "license overview") and click on "file" -> "open license file" to load the licence file from a directory.

Then go to the directory containing the license file, choose the license file and confirm with "open".

In the license overview you can now see all data on your license. Close the license overview and restart the setup user interface so that the settings take effect.

Notice: If you need the license file on another server, you have to deactivate the old computer name under "Number of licenses per computer" (click with the right mouse button -> deactivate), so that the new computer name can be entered.

4.6.3 Automatic activation

For installations of several clients we suggest the automatic activation. There are different possibilities for this.

License files in the installation directory
For this, just copy the license file psr6.lic to the installation directory of PASSWORD SAFE. At the start the license is then found and used automatically.
Notice: Since Password Safe writes the names of the individual computers into the license file, all users need write access to the file psr6.lic. In the standard installation folders (e.g.: C:/ programs/) there is no write access.

Allocate license files via environment variables
The license file can be made available in a network share. So that the clients can find the file, its location is given via the environment variable PSR_LICENCE_FILE. Enter the complete path including the file name here. The license file is then loaded from that location.

How to configure the Windows environment variables:
- Open the system properties (Advanced system settings)
- Click on "environment variables…" (below)
- Configure the necessary variable in the next step. Click on "new" to create the variable.

Allocate license files via the configuration file
If the license file lies on a network share, it can also be referenced via an adaptation of the configuration file. That makes sense if you can distribute the configuration file to the individual clients via software distribution. The chapter configuration file describes how to adapt the configuration file accordingly.

4.7 Create new database

You can create databases directly via the homepage by clicking on the link Create new database, or via the menu item edit -> database overview -> add database. A wizard then appears that guides you through the individual steps.

The assistant offers you several options:

Create new master database
This item creates a new, empty database. Use this option as well if you want to restore a backup (PSX file).

Configure existing master database
This menu item lets you create a database account and link it with an existing database.

Create new slave database
This creates a slave database for the use of high availability.
This is described in detail in the chapter high availability.

What is the difference between master and slave database?
The master databases are the productive databases. You can work directly on master databases. A slave database is only necessary for high availability operation (only configurable with a second server). It is a "copy" of the master database which is synchronized regularly. If the master database is damaged or the corresponding computer fails, an alternative database is therefore available. You can find further information in the chapter high availability.

Configuration firewall and reboot of the server
Once a database has been created successfully, the server first has to be restarted and afterwards the database firewall (rules) has to be created. The firewall applies per database and can be configured in the database overview by right-clicking on the database and choosing "database firewall".

Important: Please note down the passwords (database password, administrator password) which are entered in the assistant and store them in a safe (secured area). Additionally save the "private" RSA key "*prvkey" after the creation of the database on a medium of your choice (CD, USB stick, etc.) and put it in a safe as well. This key file is needed to decrypt the backup when it is restored. Without this file the backup cannot be restored. Alternatively you can also store the data externally, e.g. at a notary or at a bank, for the case of emergency.

4.7.1 Create new master database

You can create databases directly via the homepage by clicking on the link start new database, or via the menu item edit -> database management -> add database. Afterwards a wizard appears which guides you through the individual steps.
The assistant offers you several options:

After you have decided to create a new database, please assign a name:

In the next window please enter the storage location of the database and the storage location of the so-called RSA Private Key. This key is necessary if you want to restore a created backup in the future.

Afterwards you define how the database should be secured: Normally the databases are secured with a password. This can be assigned in the next dialogue:

Every database has an administrator account for management and configuration. The password for this user account is assigned in another dialogue:

In order to increase safety you can now bind the database to the hardware of the server. For this a unique ID is created from the hardware components of the computer. The database can only be started on the computer with this ID. If the database is copied to another machine, it cannot be accessed. Please note that database access is also locked if the hardware is changed on a virtualized machine!

Now you can define the language of the database. Alternatively you can also select a backup file for import. In this case the language of the original database is adopted:

In the next window the creation of the database is completed.

Important: If you store the database on a virtual machine, you must deactivate the hardware linking! On virtual machines hardware IDs can change, with the result that the database can no longer be opened.
4.7.2 Configure existing master database

In order to configure an already existing database, open the database assistant with a click on start new database, or via the menu item edit -> database management -> add database. There you select the item set up existing master database:

After a click on continue you select the database file that is to be linked:

In the next step you give the database account a name. The name does not have to correspond to the name of the database; you can choose it freely:

Now you can define whether you want to encrypt the database with a password, a password file or a combination of both. It does not matter here how the original database is encrypted:

In order to increase safety you can now link the database with the hardware of the server. For this a unique ID is created from the hardware components of the computer. The database can only be started on the computer with this ID. If the database is copied to another machine, no access is possible. Please note that access to the database is also locked if the hardware is changed on a virtualized machine!

With a click on complete in the last window the database is created and the backup imported.

Important: If you store the database on a virtual machine, you must deactivate the hardware linking! On virtual machines hardware IDs can change, with the result that the database can no longer be opened.

4.7.3 Create new slave database

To use high availability, it is necessary to create a so-called slave database. This is an exact copy of the master database.
You can find detailed instructions and much more information about high availability under the following links:
- High availability
- Preconditions
- Creating the master and slave databases

4.8 Import of PSX backups (v5, v5, v6)

As a rule, a backup can only be imported into a new database. In order to import a backup you have to create a new database.

How is a PSX backup created?
Export a backup in PSX format in v4, v5 or v6 via the menu item file -> export. Alternatively, if you already run an Enterprise server, a backup can be created via the automatic backup.

How is a PSX backup imported?
Create a new database in version 6 and import the backup directly in the database assistant. The data is then imported and migrated to the new database. Afterwards you can log on to the newly created database. Due to the new data structure and the new application recognition (autom. password entry from standard edition on) the existing applications have to be converted. You can find information about converting applications in the help of the client.

4.9 Start server service

You can start and stop the server via several buttons, for example via the toolbar or via the homepage (online/offline, reboot). Changes that need a server reboot are pointed out on the homepage in the area below.

Notice: If active client sessions still exist at a reboot or a shutdown, they will be disconnected. Information which has not been saved is lost.
4.10 Connect clients

The following preconditions have to be fulfilled for a successful client connection:
- The Password Safe Enterprise Server has been configured properly
- At least one database is active
- The server has to be online
- The database firewall admits a connection (or is deactivated in the settings)
- The user is not contained in the database as a "locked user"
- The firewall of the server admits the connection
- The connection password has to be known
- The database password has to be known
- If databases on a network share are used, the service has to be configured accordingly

Configuration of the Enterprise client:
1. Start the database wizard via the corresponding symbol (database symbol with a green plus)
2. Choose "set up existing databases" in the wizard and confirm with "continue".
3. Choose "Enterprise (client-/server, database server)" as the database kind, and afterwards click on "continue".
4. Enter the connection data accordingly.

Notice: The database can only be added if the database connection test has been carried out successfully. Please note that the databases are only accessible if the server is "online" and the database is active. You can see the database status via "edit" -> "database overview", or via the homepage "database overview".

No connection possible?
Make sure that your firewall admits the connection, that the ports are not already in use and that the server is accessible. Furthermore you should check that the parameters have been entered properly, to exclude typing errors. You can find more information under problem solving.

5 Configuration

5.1 Configuration user interface

Start screen: The start screen informs you about the most important settings and the current server status. You can click directly on the underlined texts, for example to start the database service.
Configuration: You can open the server configuration by clicking directly on the corresponding link on the start screen or via "edit" -> "server options".

Notice for Windows server 2008 R2: The "SDS configuration" should be run as an administrator, because services are started and stopped via this application. Furthermore this application writes to the configuration file, which is normally stored under the "all users" profile or application data.

Edit

Database overview: You can open the database overview directly via the link on the start screen or via "edit" -> "database overview". In the database overview you can see which databases are active or inactive. You can call up the configuration menu of a database by right-clicking on it.

Manage backup time schedules: Here you can create time schedules for recurring backups, or start backups manually.

Manage system task: The task service is a service which runs in the background and carries out tasks at cyclic intervals, for example sending emails.

Extras

Install and uninstall service: Under extras you can install and uninstall the service. ATTENTION: All open client connections and unsaved data are lost when you do this!

Setup assistant: You can also call up the setup assistant manually under "extras" -> "setup assistant" to go through the configuration again.

Configure network logon: Via the network logon file the database connection is configured centrally and automatically.

Help

Language: Set the language to German or English here.

License overview: Under this menu item you can see and manage your licenses.

Current version: You can read the current version at the bottom right, or in detail under "help" -> "info".

5.2 Client-server configuration example

The following describes how to create a connection to the Password Safe Enterprise Server with an Enterprise client.
The following configuration has to be made at the server:
1. Configuration of the server parameters (Host, Port) as well as of any existing firewall (activate TCP port 12008)
2. Configuration of the safety parameters and the connection password
3. Create databases
4. Start the server
5. Configuration of the database firewall (per database)
6. Configuration of the module network logon (if licensed)
7. Configuration of the backup time schedule
8. Configuration of the task service
9. Configuration of the hacker protection

Notice: The databases are only accessible if the server is "online" and the database is active (see database overview).

Configuration of the Enterprise Client:
1. Configuration of the firewall at the client, if one exists (enable UDP Port 12007)
2. Start the database wizard via the corresponding symbol (database symbol with a green plus)
3. Choose "set up existing databases" in the wizard and confirm with "continue".
4. Choose "Enterprise (client-/server, database server)" as the database kind, and afterwards click on "continue".
5. Enter the connection data accordingly.

Notice: The database can only be added if the database connection test has been carried out successfully.

No connection possible?
Make sure that your firewall admits the connection, that the ports are not already in use and that the server is accessible. Furthermore you should check that the parameters have been entered properly, to exclude typing errors.

5.3 Configuration file

All settings which you make in the configuration user interface are stored in a configuration file on the server. This file can also be changed or saved manually.
You can find the configuration file in the following directory:
- C:\documents and settings\All Users\Application data\PasswordSafe\sds.pc6 (Windows Server 2003)
- C:\ProgramData\PasswordSafe\sds.pc6 (Windows Server 2008)

If you use an operating system other than Windows Server 2003 or Windows 2008, the path can differ. So that the server service can access the configuration file, the service account must have the privileges to read and write the file. If you change the system account for the service, please make sure that the user you use has the privilege for that file.

Notice: The content is stored as XML. Please do not use tab stops for manual editing. Indentations need to be made with blanks.

5.4 Network Logon

Notice: Please note that you need a license for the module "network logon" at the client for this, even though you can carry out the configuration at the server. You can buy the module in the online shop or purchase it on account.

Basics
Via the additional module "network logon" you can provide a database configuration centrally to the clients. To do so a profile file is created in which one or several database configurations are stored in encrypted form.

Technology and safety
The profile file is doubly encrypted with AES (256 bit). A public key and optionally a private key are used. The public array only contains information on the access rights of the file and is encrypted with the public key. The private array is only decrypted if the access rights in the public array suffice. The private array contains all information on the corresponding database configuration.

Even though the network logon is already safely encrypted with the public key, we generally suggest setting an additional private key. This private key, however, has to be entered by the user at runtime. With the additional use of a private key the private array can only be decrypted if the user knows the password for it.
The public key is only known to Password Safe, and the file can only be opened by the software and with an active module "network logon". It is also possible to assign a password that is needed to edit the profile file. As a rule this password should also be set. In this way you can, for example, protect the profile file from editing without using a private key.

What happens at the client?
If the client finds the profile file "psr.nlc", it is opened automatically and the client checks automatically whether it has the access rights to use the profile file. If this is the case, the contained database configurations are started at the client. If only one configuration is contained, an immediate auto login to the corresponding database is made. If several databases are contained, they are all made available at the client. A click on OK at the login is then enough to carry out the logon.

Configuration
In the menu "extras" you can find the menu item "configure network logon". A window then opens in which you create the profile file or edit existing ones.

Create new profile
Click on "add profile" -> "add database" and run the database assistant to do the configuration. You will probably only add databases of the type "Enterprise", but you can also configure standard and professional databases. For these it is afterwards necessary to set the database password in the list via the context menu.

Edit profile
Click on an entry in the list and choose "edit profile" in the context menu. Alternatively this is also possible via a double click on the corresponding entry. If only the password of the database has changed, you can reset it via the context menu in the list.

Settings and access rights
You can set passwords and access rights via the general profile settings.

Password for whole profile file
This is the private key of the profile file.
If you set this password, every user that is allowed to use this profile file has to enter this password at the start of Password Safe. The private array in the profile file is then encrypted with this password. Without this password the profile file can no longer be opened.

Password for editing the profile file
If you set this password, the profile file can only be opened for editing once the password has been entered.

Users
Here you can enter computer users who are allowed to access the profile file. The Windows login name is used for the check.

Computer
Here you can enter computer names which are allowed to access the profile file. The Windows computer name is used for the check.

IP
Here you can enter IP address ranges or single IP addresses which are allowed to access the profile file. Example: 192.168.0.1 or 192.168.0.100-192.168.0.120

Notice: Please note that the user, computer and IP access restrictions are linked with AND. That means that if you enter data in one of the lists, or in all three, the user has to be entered in such a way that all conditions are fulfilled. An OR link is not provided. The user, computer or IP range that is allowed to edit the profile file should also be included, otherwise the profile file can no longer be opened for editing.

Making available at the client
So that the client can find the profile file, you can store it in different places. The profile file should be named "psr.nlc". The following list shows the order in which the places are searched for the profile file.
1. In the environment variable of the client (PSR_NLC_FILE). Here you can define the path including the file name yourself.
2. In the registry. Here you can define the path including the file name yourself.
   Key: HKEY_CURRENT_USER\Software\MATESO\PasswordSafe\Options
   Entry: NetworkLogonFile
3. In the configuration file of the client (psr.pc6) under .
   Here you can define the path including the file name yourself.
4. In the program path of the application. The file name has to be "psr.nlc".
5. In the personal document directory. Under XP in "own files". The file name has to be "psr.nlc".
6. In the AppData directory of the user, where the configuration file of Password Safe also lies. The file name has to be "psr.nlc".
   Windows Vista/Windows 7: C:\Users\Username\AppData\Roaming\PasswordSafe\psr.pc6
   Windows XP: C:\Documentsandsettings\username\applicationdata\PasswordSafe\psr.pc6

Notice: If one of the following items changes, the network logon file has to be configured again or updated:
- Database name
- IP address of the server
- Port of the server
- Server password

5.5 Databases

All databases are listed in the database overview, which you can call up directly via the homepage or via the menu ("edit" -> "database overview").

Right-click on a database to get to the context menu. In the context menu you can choose between different operations (database parameter, delete database, etc.). Under "properties" you are shown general information on a database and can also edit it. The server has to be stopped before every database change.
- Add new database
- Change database parameter (encryption and database reorganization)
- Delete database
- Update database patchlevel
- See and change database properties

Notice: Please note that you have to reconfigure or adapt existing clients when you change the name of the database. If the database status is set to "inactive", the database is not loaded and is not accessible for the clients.

5.5.1 Create database

You can create databases directly via the homepage by clicking on the link Create new database, or via the menu item edit -> database overview -> add database. Afterwards a wizard appears that guides you through the individual steps.
The assistant offers you several options:

Create new master database
Via this item you create a new, empty database. Use this option as well if you want to restore a backup (PSX file).

Configure existing master database
This menu item lets you create a database account and link it with an existing database.

Create new slave database
This creates a slave database for use with high availability. This is described in detail in the chapter high availability.

After you have decided to create a new database, please assign a name:

In the next window please specify the storage location of the database and the storage location of the so-called RSA private key.

Afterwards you decide how the database should be secured. Normally the databases are secured with a password. This can be assigned in the next dialogue:

Every database has an administrator account for management and configuration. The password for this user account is assigned in another dialogue:

In order to increase safety you can now link the database with the hardware of the server. For this a unique ID is created from the hardware components of the computer. The database can only be started on the computer with this ID. If the database is copied to another machine, no access is possible. Please note that access to the database is also locked if the hardware is changed on a virtualized machine!

Now you can define the language of the database. Alternatively you can also select a backup file for import. In this case the language of the original database is adopted:

In the next window the creation of the database is completed.
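The AND-linked access lists from section 5.4 (Network Logon), modelled as an added Python example that is not MATESO's code and does not read the psr.nlc format: it checks a client against the user, computer and IP lists and reports which editor workstations a planned set of lists would lock out. Assumptions: an empty list imposes no restriction, names compare case-insensitively, and `ProfileAccess`, `parse_ip_entry` and `locked_out_editors` are hypothetical names; all sample values are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


def parse_ip_entry(entry):
    """Turn '192.168.0.1' or '192.168.0.100-192.168.0.120' into (low, high)."""
    low_text, dash, high_text = entry.strip().partition("-")
    low = ipaddress.IPv4Address(low_text.strip())
    high = ipaddress.IPv4Address(high_text.strip()) if dash else low
    if high < low:
        raise ValueError(f"range end lies before range start: {entry!r}")
    return low, high


@dataclass
class ProfileAccess:
    """Access lists of one profile file (hypothetical model, not the file format)."""
    users: list = field(default_factory=list)
    computers: list = field(default_factory=list)
    ip_entries: list = field(default_factory=list)

    def failed_conditions(self, user, computer, ip):
        """Return the names of the restrictions this client does not satisfy."""
        failed = []
        # Assumption: an empty list means "no restriction of this kind".
        if self.users and user.lower() not in {u.lower() for u in self.users}:
            failed.append("user")
        if self.computers and computer.lower() not in {c.lower() for c in self.computers}:
            failed.append("computer")
        if self.ip_entries:
            address = ipaddress.IPv4Address(ip)
            ranges = [parse_ip_entry(e) for e in self.ip_entries]
            if not any(low <= address <= high for low, high in ranges):
                failed.append("ip")
        return failed

    def allows(self, user, computer, ip):
        """AND link: access only if every populated list matches."""
        return not self.failed_conditions(user, computer, ip)


def locked_out_editors(access, editors):
    """List the (user, computer, ip) editor workstations the lists would exclude."""
    return [e for e in editors if not access.allows(*e)]


# Constructed sample data, not taken from a real installation.
SAMPLE = ProfileAccess(
    users=["alice", "bob"],
    computers=["WS-ADMIN01", "WS-042"],
    ip_entries=["192.168.0.1", "192.168.0.100-192.168.0.120"],
)
SAMPLE_EDITORS = [
    ("alice", "WS-ADMIN01", "192.168.0.1"),   # satisfies all three lists
    ("bob", "WS-ADMIN01", "192.168.0.50"),    # address outside both IP entries
]

if __name__ == "__main__":
    clients = [("Alice", "ws-042", "192.168.0.110"),
               ("alice", "LAPTOP-7", "192.168.0.110")]
    for client in clients:
        print(client, "->", SAMPLE.failed_conditions(*client) or "allowed")
    print("editors locked out:", locked_out_editors(SAMPLE, SAMPLE_EDITORS))
```

Running the check against the intended editor workstations before saving the profile shows whether the lists would leave the profile file unopenable for editing.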
What is the difference between master and slave database?
The master databases are the productive databases. You can work directly on master databases. A slave database is only necessary for high availability operation (only configurable with a second server). It is a "copy" of the master database which is synchronized regularly. If the master database is damaged or the corresponding computer fails, an alternative database is therefore available. You can find further information in the chapter high availability.

Configuration firewall and reboot of the server
Once a database has been created successfully, the server first has to be restarted and afterwards the database firewall (rules) has to be created. The firewall applies per database and can be configured in the database overview by right-clicking on the database and choosing "database firewall".

Important: Please note down the passwords (database password, administrator password) which are entered in the assistant and store them in a safe (secured area). Additionally save the "private" RSA key "*prvkey" after the creation of the database on a medium of your choice (CD, USB stick, etc.) and put it in a safe as well. This key file is needed to decrypt the backup when it is restored. Without this file the backup cannot be restored. Alternatively you can also store the data externally, e.g. at a notary or at a bank, for the case of emergency.

5.5.2 Add existing database

If you want to administer an already existing "*.ps6" database with the server, you can choose the database file when creating a new database. Afterwards a wizard appears that guides you through the individual steps. Select the option set up existing database in the database assistant and follow the further steps of the wizard. After the assistant has completed, the database password has to be entered so that the database state can be determined.
Afterwards check in the database overview whether a patchlevel update has to be carried out. You can recognize this by a reference to a higher value in the column "patchlevel".

Notice: Once a database has been set up successfully, the server has to be restarted and afterwards the database firewall (rules) has to be created. The firewall applies per database and can be configured in the database overview by right-clicking on the database and choosing "database firewall".

5.5.3 Change database settings

The database settings, for example the encryption parameters, can be changed afterwards. Go to the "database overview": click on "edit" -> "database overview" and highlight the database you want to change. Right-click on the database and choose the entry "database parameter" in the context menu. A new window opens in which you can change the encryption parameters and reorganize the database. Please note that you have to stop the Enterprise Server for these actions.

When changing the encryption parameters a wizard leads you through the individual steps.

Notice: Make a backup before every change so that you can fall back on an older working state.

5.5.4 Deposit / change database password

In the properties of a database, under the tab database parameter, you can store the database password at the server and also change the database password.

Deposit database password
Here you can store the password of the database at the server. This can be necessary if, for example, you mistyped it during the setup of the database.

Change database password
Via this function the password of the database is changed. The new password is stored at the server automatically.

5.5.5 Update patchlevel

For database changes so-called patchlevel updates are necessary.
In the process the database is updated to the current version. Stop the Enterprise server and go to the database overview ("edit" -> "database overview"). In the column patchlevel you can read the current patchlevel of the database. If a new patchlevel is available, this is indicated by a different symbol (first column) and by a change in the patchlevel column. For example, an update from patchlevel 7 to 8 is displayed in the patchlevel column as follows: 7 -> 8

By right-clicking on the database in the database overview you can update the database to the current patchlevel. Do this update for every database so that the clients can connect again. If the client is not current, the user is informed by a message.

5.5.6 Start / Stop database

Right-clicking on a database opens a context menu where you can, among other things, stop or start the database.

5.5.7 Database sessions

Via the database sessions you can see which users are currently connected to the database and from which computer. Go to the database overview: click on edit -> database overview and mark the database you want to change. Right-click on the database and choose the entry database sessions in the context menu.

By right-clicking on a user you can also disconnect the session. The button session refresh loads the overview again. If update list automatically is ticked, the refresh happens automatically every 10 seconds.

5.5.8 Database Firewall (rules)

The firewall defines which IP addresses are allowed to access the server. Go to the database overview: click on edit -> database overview and mark the database you want to change. Right-click on the database and choose the entry firewall in the context menu. The following window opens.

With a click on add rule you can create new rules.
In the following example the whole IP range of a company network has been released:

You can release access not only by IP address, but also via host or user name. If the check mark at allow database access is removed, the computer or the computer group is excluded from access. It is therefore possible to release an IP range, for example from 192.168.1.1 to 192.168.1.254, and to lock a single computer within that range. You can also define IP ranges which span several subnetworks, for example from 192.168.1.1 to 255.255.255.255.

Attention: The computer or server on which the server service runs also has to be authorized in the firewall!

5.5.9 Locked users

In the SDS console you can display locked users and lock or unlock users. Go to the database overview: click on edit -> database overview and mark the corresponding database. Right-click on the database and choose the entry locked users in the context menu. The currently locked users are shown together with the reason they are locked:

By right-clicking on a locked user you can unlock the user or edit the lock:

By right-clicking on a blank spot in the display area of the window locked users you can also set up a new lock. To do so click on lock user in the context menu.

5.6 Backup (automatic backup)

The integrated backup service is a service which executes the configured backup time schedules at a certain point in time. By means of the backup time schedules you can adapt the backup of the databases individually to your requirements. If backup time schedules coincide, they are processed sequentially.
The backups can be carried out during operating hours, but should normally be carried out in a period of low usage, for example at night. The backups can be created and managed under edit -> backup time schedules. Each backup can be used for just one or for several databases. In order to be able to set up a backup for a database, a database user is required. All backup activities are recorded in the log file of the server, so you can check when and where the backup was made.

Notice: A backup of a slave database is not necessary and cannot be configured.

Notice on the backup on a network share: If the backup is stored on a network share, the login of the backup service has to be changed from "local system account" to "user account", because the local system service has no write privilege on network resources.

5.6.1 Backup concept

Your data is your most important asset. So that you do not suffer a loss of data in the case of disaster, it is important to create a backup concept. A backup concept always depends on the circumstances of the installation and your personal requirements. That is why the following concept can only serve as a suggestion.

First of all you have to create a or a folder structure for the backups. This could look as follows:

Afterwards the corresponding time schedules are created. With this configuration you receive one backup with the name of the database in each of the folders "midday" and "evening". This file is overwritten daily. The weekly backup has been configured so that date and time are appended to the name. So you receive a new backup every week.

5.6.2 RSA-Key

As soon as you create a database at the server, a corresponding RSA key is created automatically. It has the file ending *.prvkey. You define the storage location of that file yourself when creating the database.

For what is the RSA key needed?
The RSA key is needed to decrypt future backups of the database when they are restored.

Which name should the RSA key have?
You can name the file however you want. The name of the database is suggested by default. It is important that you can assign the RSA key to the corresponding database. Furthermore it makes sense to include a date in the file name.

Where should the RSA key be filed?
It is suggested to store the RSA key in a directory of its own (ideally on a separate computer). Make an additional copy on a CD, a USB stick or another safe medium of your choice, which you then ideally put into the company's safe.

Why should the RSA key not lie with the database?
If the RSA key lies in the same directory as the database and that directory is accidentally deleted, you cannot restore the backups. Therefore you should always store the RSA key separately from the database.

Why should the RSA key be stored in the company's safe?
This key file is required to decrypt the backup when it is restored. Without that file the backup cannot be restored. Alternatively you can also deposit this data externally, e.g. at a notary or at a bank, for the case of emergency.

How to act in the case of a loss of the RSA key?
In the case of a loss of the RSA key please contact the support. In general a valid database connection has to exist.

5.6.3 Manage backup time schedules

With the "Enterprise Server configuration user interface" open, you get to the "backup time schedules" overview via the menu item "edit" -> "manage backup time schedules". In this overview you can create new backup profiles, change existing ones, deactivate or delete them. In the lower left part of the window you can always see the current status of the backup service. Green means that the backup service is active. If the symbol is red, the backup service is not active. Then automatic backups are not carried out.
You can activate and deactivate the service or the backup with the button "stop backup service" / "start backup service".

Right-clicking any backup profile in the list opens the context menu. In the context menu you can add a new time schedule, edit the highlighted time schedule or delete it. As a further option you can activate or deactivate the backup profile via the menu item "status". Deactivated backup profiles are not considered by the backup service. Furthermore you can immediately start the highlighted backup profile via "carry out backup". The status is irrelevant for this.

The button "start backup" starts a manual backup of all backup profiles whose status is active. With this you can quickly run all backup profiles, independent of their schedule, for example before a server maintenance.

5.6.4 Start/change backup time schedule

To create a new backup time schedule or change an existing one, choose Add schedule or change schedule in the backup time schedule overview (or double-click a backup profile).

In the settings dialogue of the time schedule, define in which directory the backups should be stored. Activate the option "add date and time" if you want to create a new backup file for each backup. If the option is deactivated, the previous backup will be overwritten.

Activating the option "reboot server after backup" causes the server service to be restarted after the backup of the databases. The system itself is not shut down, but current client sessions can be disconnected by the restart of the service.

For the backup profile to be saved, at least one "day of the week" on which a backup should be made has to be activated.

That way you can individually create several backup profiles with different time schedules for different databases, which you can choose in the area below.
Please note that only the databases that are highlighted/active in the area below will be backed up.

To add a backup time schedule just click on the corresponding symbol. A window then opens in which you can define the desired time interval.

You can find further information on the time interval system in the client help in the chapter system tasks.

5.6.5 Carry out backup time schedule manually

You can carry out a manual backup directly via the context menu of the backup profile in the "backup time schedule" overview. Highlight a backup profile, open the context menu with a right-click and choose "carry out backup". To run all "active" backup profiles manually you can use the button "start backup".

5.6.6 Revertive backup

A backup (PSX backup file) can only be imported into a new database. Proceed as follows:

1. Create a new database and enter the backup file which you want to restore in the database assistant.
2. After the database has been created the data will be automatically restored into this database.
3. The database server has to be restarted so that the new database becomes available.
4. Afterwards you can establish a connection to the database at the client.

5.7 High availability

Password Safe can also be configured for high availability. This makes it possible to restore the functionality of Password Safe within a few minutes after the breakdown of a server. For this, two databases (master/slave) are provided, which are kept ready on two different server systems. These databases are synchronized cyclically, so that a reserve database is always available in the case of disaster.
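The backup concept in 5.6.1 and the key storage advice in 5.6.2 can be checked mechanically. The following Python script is an added example, not part of the original manual or of Password Safe: it reports PSX backups that are older than expected and any *.prvkey file stored beside the database or the backups. The folder name "weekly", the age limits, the sample file names and all function names are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Newest *.psx per folder must not be older than this many hours.
# "midday" and "evening" come from the manual's example; the folder name
# "weekly" and all limits are assumptions made for this example.
MAX_AGE_HOURS = {"midday": 26, "evening": 26, "weekly": 8 * 24}


def newest_backup_age_hours(folder, now):
    """Age in hours of the newest *.psx file in folder, or None if none exists."""
    mtimes = [p.stat().st_mtime for p in Path(folder).glob("*.psx")]
    return (now - max(mtimes)) / 3600.0 if mtimes else None


def find_misplaced_keys(*directories):
    """RSA key files (*.prvkey) lying under database or backup directories."""
    found = []
    for directory in directories:
        found.extend(sorted(Path(directory).rglob("*.prvkey")))
    return found


def audit(backup_root, database_dir, now=None):
    """Return (severity, message) findings; an empty list means every check passed."""
    now = time.time() if now is None else now
    findings = []
    for name, limit in MAX_AGE_HOURS.items():
        folder = Path(backup_root) / name
        if not folder.is_dir():
            findings.append(("error", f"{name}: folder missing"))
            continue
        age = newest_backup_age_hours(folder, now)
        if age is None:
            findings.append(("error", f"{name}: no .psx backup present"))
        elif age > limit:
            findings.append(
                ("error", f"{name}: newest backup is {age:.0f} h old (limit {limit} h)"))
    # Without the key a backup cannot be restored, so a key that shares a
    # directory tree with the data can be lost in the same accident.
    for key in find_misplaced_keys(backup_root, database_dir):
        findings.append(("warning", f"RSA key stored with database or backups: {key}"))
    return findings


def demo():
    """Audit a constructed tree: stale evening backup, key left beside the database."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root, db_dir = Path(tmp, "backup"), Path(tmp, "db")
        samples = [("midday", "customers.psx", 3),
                   ("evening", "customers.psx", 60),
                   ("weekly", "customers_2012-06-03_2300.psx", 100)]
        for sub, file_name, age_hours in samples:
            path = root / sub / file_name
            path.parent.mkdir(parents=True)
            path.write_bytes(b"constructed placeholder, not a real PSX backup")
            os.utime(path, (now - age_hours * 3600,) * 2)
        db_dir.mkdir()
        (db_dir / "customers_2012-01-15.prvkey").write_bytes(b"constructed placeholder")
        return audit(root, db_dir, now)


if __name__ == "__main__":
    for severity, message in demo():
        print(f"{severity}: {message}")
```

Run on a schedule independent of the backup service, such a check also catches the case where the backup service itself is stopped and therefore writes nothing to the server log.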
Schematic demonstration of high availability

5.7.1 Preconditions

The following conditions are required for the use of the high availability mode:

- 2 servers with Windows server operating system
- 2 Enterprise servers
- Module network logon (suggested)
- Task service activated

To provide the highest possible safety, it is suggested to install the two Enterprise servers each on its own Windows server machine. One of the servers is used productively. On that machine the master database operates. The backup server provides the slave database. Both servers have to be activated properly before the configuration.

With the "network logon" a changeover can be made very quickly by adapting the profile. Alternatively the network logon file can also be created beforehand, so that in the case of disaster it only has to be assigned or copied to the corresponding place.

Schematic demonstration of the high availability

5.7.2 Creating the master and slave databases

First of all set up one Enterprise server on each of two Windows server systems. You can find information on that in the chapter setup assistant.

Afterwards create a master database on the productive server as described in the chapter start new database. For safety reasons the database should be stored locally on that machine. To enable access to the database, configure the firewall afterwards.

In the next step a slave database is created on the backup server. To do so call up the database assistant on the homepage via start new database and choose the item start new slave database (high availability) here.

In the following dialogue please enter the connection data of the productive server (master database), so that Password Safe can access the master database and can create a copy of it.
This could look like that:

In the following window please give the slave database a meaningful name:

Store the slave database locally on the backup server for safety reasons:

Please enter another password for the database in the further course of the assistant and define whether the database should be bound to the hardware.

To conclude the assistant you have to log on to the master database with a valid user account, in order to give the slave database access to the database. Ideally you use the administrator account for this.

The slave database is now created. In the database overview it is displayed as follows:

Right-clicking the slave database in the database overview and then clicking properties takes you to the configuration dialogue of the high availability:

To conclude the setup of the slave database, please enter a time interval for the synchronization as well as the server password here.

If the firewall is activated, the firewall rules have to be configured. Here the IP address of the backup server has to be allowed.

To always keep the slave database up to date it is necessary to configure its synchronization. This is described in detail in the chapter configuration.

IMPORTANT: The clients must not work on master and slave databases at the same time!

5.7.3 Configuration

Synchronization

Right-clicking the slave database in the database overview and then clicking properties lets you configure the synchronization between master and slave.

In the chapter creation of the master and slave databases the configuration of the synchronization has already been dealt with briefly. Of course changes can be made at any time.
In this dialogue you define at which intervals the synchronization should take place. Furthermore the connection data of the master database have to be entered here.

With a click on synchronization user you enter a user that has access to the database. For this we suggest a dedicated user or the administrator user. It is important that the password of this user is not changed, or only changed infrequently. If the user password is changed, the settings of the synchronization have to be checked and adjusted if necessary.

Via the button manual synchronization you can trigger the synchronization manually. The action is carried out via the task service. The synchronization is then started according to the time interval of the task service.

To conclude, start the task service:

Notice on the synchronization: For the automated synchronization it is essential that the task service runs. If the task service is not active there is no synchronization!

Network logon

To be able to react as quickly as possible in the case of disaster, it is suggested to configure the access to the master database via the module network logon. Make the profile file available centrally and refer to it from the individual clients.

5.7.4 Case of disaster

If the productive server fails for a longer period you can make the slave database available in a very short time.

Conversion of the slave database to a master database

In the first step you convert the slave database to a master database. To do so, right-click the slave database at the server in the database overview and then click convert to master. The conversion only takes a few seconds.
The conversion has to be confirmed again in a second step:

Making available the new master database

After the slave database has been converted to a master database, open the network logon profile file for editing. This can be done at the server as well as at one of the clients. To do so click on extras -> configure network logon. Via the folder symbol you can now open the profile file:

Via a double click the file is opened for editing:

Now change the access data of the database here:

Now follow the assistant and save your profile file. It is suggested not to change the name of the profile file.

Finally, the users only have to restart their client and then they have direct access to their data.

5.7.5 Recreation of high availability

To be protected against a future breakdown, you have two possibilities to recreate the high availability. Both cases are based on the configuration described under disaster.

Method 1: The original backup server becomes a productive server

After the original server is ready for use again, an Enterprise server is installed and activated first. Afterwards you create a slave database on that machine. The master database on the other server persists. The original productive server becomes the backup server now and the other way around. That means the configuration corresponds to the original configuration, however with exchanged servers.
Method 2: Recreation of the original configuration

In order to recreate the actual original state the following work steps are necessary:

- On the original productive server an Enterprise server is installed and activated
- At the original productive server a slave database is created
- The network logon profile file is changed so that it now refers to the newly created slave database at the original productive server
- The clients are restarted and now work on the original productive server, where they are connected with the slave database at first
- Make sure that no more clients are connected with the server
- Carry out a manual synchronization
- The original backup server is stopped
- The slave database is converted to the master database. This can happen while the clients are connected with it
- At the original backup server the database account is deleted
- A new slave database is created on the original backup server

Method 3: Recreation of the original configuration by copying the database

- Both servers are stopped
- The database file of the backup server is copied to the productive server
- The database is linked at the productive server
- If desired, the firewall at the productive server is now configured
- The network logon profile file (optional) is changed so that it now points to the newly linked master database at the original productive server
- The clients are started again and now work on the original productive server again
- The database account is deleted at the original backup server
- A new slave database is created at the original backup server

This method is not possible if the database has been created with hardware bonding!
Method 4: Recreation of the original configuration with a backup

If work has continued on the backup server and corresponding backups have been created after the disaster occurred, you can recreate high availability with this method:

- The original backup server is stopped
- On the original productive server an Enterprise server is installed and activated
- Create a new master database and enter the backup file which you want to restore in the database assistant
- After the database has been created the data is automatically restored into that database
- The database server has to be started again so that the new database is available
- The network logon profile file (optional) is changed so that it now points to the newly linked master database at the original productive server
- The clients are started again and now work on the original productive server again
- The database account is deleted at the original backup server
- A new slave database is created at the original backup server

5.8 Task service

The task service is a service which runs in the background and carries out tasks such as sending emails. Since the task service is assigned tasks by the client, it checks at regular intervals whether new tasks have to be carried out. The tasks are carried out on the server, which reduces the load on the clients.

On the homepage of the SDS configuration the task service can be started or stopped with a click on online / offline. Furthermore you can stop the service and start it again in one step via a click on restart. You can find the management of the task service under edit -> manage system task.

Notice for the task user: As a task user, use a local Password Safe user whose password never expires. That user could for example be the "administrator" user.
If you do not want to use the standard administrator user for this, please note that this new user then consumes a user license.

Via the interval you can define how often the system task should be carried out. Furthermore you can define for which databases it should run.

If a task could not be carried out, it will be started again at the next run. If you want to avoid this, set the check mark at delete faulty tasks.

The tasks themselves are configured directly on the client in the workflow system. You can find information on that in the help of the client.

5.9 Server options

5.9.1 Server parameter

In this menu the connection parameters of the server can be set:

IP address: Enter the IP address of the computer on which the Password Safe and Repository server runs.

Server port: Via this port the server communicates with the client. Normally the preset value can be retained.

Service port: Via this port the server communicates with the system services. Normally the preset value can be retained.

5.9.2 Security parameter

In this menu security-relevant settings can be made:

Connection password: This is an initial password and it serves to secure the connection from the client to the server. It is only required for the setup of a server database on the client.

Database firewall: Here you can define whether you want to use the database firewall or not.

Windows authentication: Here you can set up that Active Directory users can log on to the database without a password. In the first field you enter the name of your domain.

Automatic Windows authentication: There are three options, which have the following effects:

None
No automatic logon is possible.

RSA encrypted
A special RSA key is created for the automatic login. It offers the highest security. For every user the automatic logon can only be set up at one computer.
For this reason the RSA encryption is not suitable for terminal server or Citrix environments.

SID encrypted
The login is made via a special ID. It offers a level of security which is not quite as high as the RSA key, but it can be used at several computers and also in terminal server or Citrix environments.

Server password: This password protects the server console against unauthorized access. Before the SDS configuration opens, the password prompt appears.

5.9.3 Hacker protection

The integrated hacker protection serves as a protection against internal attacks in addition to the strong encryption. The hacker protection can be configured under edit -> server options -> hacker protection.

The more options are selected, the harsher the response will be when an attempt is detected. If for example all options are activated, on suspicion of hacking a logbook entry is created, the computer and user are locked, an email is sent and additionally the server service is stopped.

Create logbook entry on suspicion: This option causes information on the detected hacking tool to be recorded in the logbook.

Lock computer and user on suspicion (database firewall rule): With this option the computer on which the tool was found and the corresponding user are locked via the firewall. To unlock them, the firewall rule has to be deleted or changed.

Lock database user on suspicion (locked users): This option prevents the user from logging on. To unlock, right-click the corresponding database in the database overview. You can then unlock the user via the menu item locked users.

Shut down Enterprise Server on suspicion: With this item you can have the server service stopped on suspicion of hacking.
SMTP mail

You have the option of having an email sent (for example to the administrator) on suspicion of hacking. On the SMTP mail tab you can configure the email account to be used for this. With a click on , you can test the settings for sending the email.

Hacktools whitelist

If you use programs which are detected by Password Safe as a hack tool, you can exclude them from the check via the whitelist. If the option Create logbook entry on suspicion is activated, you will find all information on the detected program in the logbook. This could look as follows:

To exclude the program (in this case the PowerHex Editor) from detection, simply copy the info line from the log file into the hacktool whitelist:

With this entry the previously detected tool is excluded from the check.

You can also use RegEx in the whitelist. The following entry causes all tools which begin with "PowerHEX" to be skipped by the check routine:

5.9.4 Password

In this menu you define the password guidelines and the policies:

According to the configured criteria, passwords are generated and also checked for whether they conform to the guidelines and can therefore be used. The password guideline is only valid within the database, for example for the user password.

What are safety items?
The safety items reflect the complexity of a password. If numbers, lowercase and capital letters and special characters are used in a password, it is quite complex and therefore reaches the required safety items more quickly. The safety items are calculated for every password. This ensures that passwords are complex enough when they are saved.
5.9.5 Server log

In this menu the settings of the server log are defined:

Enter the folders here in which the log files or error files are saved. You can also limit the file size and define whether the server status should also be logged.

5.9.6 Certificate

A login at Password Safe with certificates via token or smartcard is also possible. A precondition for this is a public key infrastructure in your company as well as the licensing of the module PKI (only available in combination with the Password Safe Enterprise server).

If you have licensed the module PKI for the login per certificate you can define here how the certificates are allocated to the individual users.

After certificates fingerprint
If this option is activated the user has to allocate the corresponding certificate manually.

After certificates UPN name
If this option is activated the domain as well as the user name from the certificate are compared with the user name from Password Safe in order to allocate the corresponding user. This option only works with users which have been imported from the Active Directory and therefore belong to a domain.

If both options are activated Password Safe first of all tries to allocate the users manually. If this does not work the certificate can be allocated manually.

You can find further information on the configuration in the help for the Password Safe client under first steps -> user login -> login via PKI / certificate

5.9.7 Error messages

If errors occur at the server, for example a backup that did not run, you can have all error messages from the error log sent per SMTP mail.

Just enter the necessary data for sending mail in this dialogue. With a click on the corresponding symbol you can then have a test message sent.
From then on, all configured recipients receive the error message by e-mail every time an entry is written into the error log file.

6 Miscellaneous

6.1 Updates

Updates are software updates and can be installed at any time. Please note that you can only use updates if your software maintenance is still active and has not expired yet. You can check this in the license overview. If the software maintenance has expired, no updates can be used and the software starts in demo mode. So before you install an update you should make sure that the software maintenance has not yet expired, and have it extended beforehand if necessary.

For which updates are you authorized?

Software maintenance and support: Bronze
You can use updates which are published within the main version number. If you buy v6.1.0 you can use all updates within v6.x.x. This of course is only valid as long as the software maintenance is active.

Software maintenance and support: Silver and gold
You can use all updates, even if the main version changes, for example from 6 to 7. This of course is only valid as long as the software maintenance is active.

How does the update work?

The update is very simple. Generally you should always do a backup of all databases before an update of the software. If anything should go wrong with an update you can always go back to your backup.

Via the menu item "help" -> "search for update..." you can always find the current version and download it directly if required. Before you start the installation program you have to close the Password Safe Enterprise Server. Afterwards please follow the installation instructions. Among other things you will be asked to uninstall the current version; you only have to confirm this. You do not have to be afraid that any settings will get lost; they will all be retained.
After the installation of the update is completed you can restart the configuration user interface of the Password Safe Enterprise Server and activate the services again. The service account may have to be set again to a user who can also access the network share on which the databases lie, because when the services are updated they are reset to the local system account by the installation program. Afterwards the clients can log on to their databases again.

With a bigger update the databases sometimes also have to be updated. You start this in the database overview via the context menu item Update Patchlevel; it then runs fully automatically. A backup of the corresponding database should be made beforehand.

An overview of the procedure for an update:

1. Do a backup of the databases (*.psx).
2. A backup in PSX format should generally be available via the backup service, provided that it is configured.
3. Download the update via "help" -> "check for updates...". This has to be done at the server and at the client, because both need the same version for a connection between client and server to be possible.
4. Check whether another user account has been used for the Enterprise Server services and note the user.
5. Shut down the server service and backup service via the configuration user interface.
6. Carry out the installation of client and server (de-installation will be carried out automatically by the setup).
7. If necessary, set the user accounts at the services correctly again, if they have been changed (see 4).
8. Check the Patchlevel Update of the database and carry it out if necessary.
9. Start the configuration user interface of the server and start the server service and backup service again.
10. Now the clients can connect to the server again. The first client that logs on has to confirm the version upgrade.

6.2 Upgrade v5 to v6

In the further development of our products we attach great importance to the update capability.
Therefore it is also possible to migrate older database versions of Password Safe to a current version. The migration of the data is made by means of a PSX backup, which can be created from version 4 on. The backup can always be specified at the creation of a new database (client and server) in the database assistant.

Preconditions

Before you migrate your database to the current version, you should create a backup. We suggest making a copy of the database file, as well as a "PSX backup", which you can also use for the migration later. Additionally make sure that you have the necessary passwords (database password, administrator password, etc.).

If you are already a version 5 customer with silver or gold software maintenance, check before an update whether your software maintenance is still valid and request new licenses. If yes, you can upgrade to the current version for free. If you are a v4 customer or v5 customer with bronze support, please purchase the corresponding new licenses before the update. Our sales team would be pleased to make you an offer ([email protected]).

Proceeding:

Make sure that you have a current PSX backup available before the upgrade. You can create a PSX backup via the automatic backup (server-side) or via the client (under file -> export). Check beforehand whether you have the database password and the administrator password of the Password Safe database user. If the backup is stored on a network share, make sure that you have the login data of that user available.

Download and install the new Enterprise server now. The Enterprise server has to be configured completely anew at the first start. Follow the instructions of the setup assistant.

Afterwards add a new database by means of the database assistant. In the database assistant you have to specify the PSX backup, so that the data is migrated after the creation of the new database.
After the creation of the new database you have to define the database firewall so that the database can be accessed. To do so, right-click the database name in the database overview and choose the corresponding menu item in the context menu.

If the rules for the firewall have been defined correctly, you can now create a new "network logon" profile for the clients, if the module "network logon" has been licensed.

Afterwards create new "backup time schedules" via edit -> manage backup time schedules. For a backup on a network share, please do not forget to configure the login of the service to a user account.

Optionally "tasks", that is automatic messages or functions, can now be activated in version 6. An example would be an automated email at a certain event (edit password or seal unblocking). You can configure the task system under edit -> manage system task.

In version 6 the automatic Active Directory login is only performed if it has been activated at the server. To do so click on edit -> server options. Under "safety parameters" the automatic "windows authentication" can be activated. Enter the name of the domain in the description field. If your domain is for example called "MyCompany.local", you only have to enter "MyCompany" here.

To increase protection further, a hacker protection has been integrated, which you can also configure in the "server options". The more options you activate, the "harder/stricter" the protection mechanism is. If a user has been locked due to suspicion of hacking, you have to delete the user in the "database firewall" and in the "locked users" (depending on the configuration) so that the user gets access again.

6.3 Problem solving

If you receive an error message please refer to the chapter error codes.
Problem: Server does not start or the service cannot be started
Solution: Check in the licence overview whether the licence information is available and still valid. Make sure that you have not accidentally installed the licence of the client. If you have stored the licence file on a network share, copy it to a local directory. Afterwards reload the licence file and start the server.

Problem: No access to the databases (Windows XP SP 1)
Solution: If the server runs under Windows XP SP 1, databases that lie on a network share may not be recognized. Update to Windows XP Service Pack 3.

Problem: No access to the databases
Solution: If a connection with the database is not possible, the firewall may not have been configured yet. Please check the database firewall or deactivate it if necessary.

Problem: No access to databases in the network share
Solution: Check the file and share permissions for the directory and for the database file. The service that accesses the database files runs as the "local system account", which has no rights on network resources. To be able to use databases from a network share, you have to configure the service (login) accordingly. Make sure that the registered user has sufficient rights (start and stop services), as well as write access to the network share directory. Furthermore you should make sure that the database files are not "write-protected" or "hidden". Please also note that only a Windows network share is supported. Linux network shares are not supported.

Problem: No connection from client to server possible
Solution: Make sure that your firewall permits the connection, that the ports are not already in use and that the server is reachable. The protocol is based on UDP. So please open port 12008 (server) and port 12007 (client) for UDP in the firewall. Furthermore you should check whether the parameters have been entered correctly to exclude typing errors.
With some networks the "host" cannot be unlocked if it is used as the server name. Use the same entries for "host" at the server and "server IP" at the client.

Problem: No connection to the server
Solution: Check the connection settings, especially the server ID. These have to match exactly.

Problem: Clients crash sporadically
Solution: With very restrictive firewalls it is advisable to deactivate the option "PingClients". You can find this option under "edit" -> "server options" -> "connection parameter".

Problem: The configuration user interface reports an error "gdiplus.dll not available"
Solution: Under Windows Server 2000 the file "gdiplus.dll" may have to be installed again if it is not available. You can receive the file directly from Microsoft or also via google search.

Problem: No connection is possible after the software update
Solution: Please check the service (login). After the reinstallation/update of the server the services are reset to the standard login (local system account). Therefore there is no access to databases which are stored on a network share.

Problem: The server password is no longer accepted
Solution: If the hardware of the server is changed (for example a second CPU is assigned to a virtualized server), all passwords (client server connection password, database password, etc.) have to be set again. Furthermore we also suggest setting the passwords again at the backup and task service. Afterwards please check whether the backup is created without errors after the change of hardware.

Problem: Why is error code 17 displayed when I access the database?
Solution: The error code 17 says that no communication between client and server is possible. Check your network firewall and configure it in a way that the server port (by default 12008 TCP) is activated.
You can find further information in the chapter error codes.

Problem: The backups do not run, error code 17 is displayed, however, the clients can connect. How can this be?
Solution: Check in the server parameters whether the IP address of the server is entered properly.

Problem: Despite the fact that obviously everything is configured properly, the client cannot log on at the database and receives the error code 17. How can this be?
Solution: In this case a local multiuser database is probably running on the client in question and blocks the server port. Close this database or change the server port at the server.

Problem: When I activate the database firewall no login is possible and the error code 23 is displayed. What can I do?
Solution: Check whether the firewall rules have been adapted for the accessing computers. You can find further information in the chapter firewall.

Problem: Why do backups with error code 23 abort?
Solution: Check whether the IP address of the server is activated in the firewall rules.

6.4 Error codes

If, against our expectations, a problem arises and an error prompt is displayed, the prompt contains an error code. The list of error codes below can help you solve the problem. If a problem occurs regularly, or if you cannot solve the problem on your own, please contact the support and state the corresponding error code for the diagnosis of the problem.

Error code: 4
Error: "Error at opening the database."
Proposals for solution:
- Check if the databases are configured properly.
- Try to connect the database again.

Error code: 5
Error: "The database is not opened."
Proposals for solution:
- Check if the databases are configured properly.
- Try to connect the database again.

Error code: 6
Error: "The database could not be opened. Check the database path and the password."
Proposals for solution:
- Check the database path and the password.
- Check if the databases are configured properly.
- Try to connect the database again.

Error code: 10
Error: "Error at connecting with the server database."
Proposals for solution:
- Make sure that the server is started.
- Make sure that the database configured at the client is started at the server.

Error code: 11
Error: "Error at open/execute."
Proposals for solution:
- Please contact the support.

Error code: 12
Error: "No database has been found."
Proposals for solution:
- Check via the Windows Explorer if the database actually exists.
- If the database lies on a network share, make sure that a connection with the share can be established.
- Have you got write privileges for the database?

Error code: 13
Error: "Wrong database password."
Proposals for solution:
- Check if the Caps Lock key is active.
- Make sure that the right password is used. The database password is required, the user password does not work here.

Error code: 14
Error: "KeyFile could not be opened."
Proposals for solution:
- Check via the Windows Explorer if the KeyFile *.pedkey actually exists.
- If the keyfile lies on a network share, make sure that a connection with the share can be established.
- Have you got write privileges for the keyfile?

Error code: 15
Error: "Error at opening the database (SQL engine)."
Proposals for solution:
- Please contact the support.

Error code: 16
Error: "Wrong password for the network protocol."
Proposals for solution:
- Check if the Caps Lock key is active.
- Make sure that the right password is used. The connection password which is required here is assigned during the server installation.

Error code: 17
Error: "The database server does not react."
Proposals for solution:
- Make sure that the server is started.
- Check the settings of the Password Safe firewall.
- Are the server port as well as the service port activated in the network firewall?
- Check your network configuration.

Error code: 20
Error: "Execute could not be carried out in the time given."
Proposals for solution:
- Please contact the support.

Error code: 21
Error: "The multiuser network file could not be started."
Proposals for solution:
- Check if you have got the right privileges on the folder in which the database is.
- If the database folder lies on a network share, make sure that the share is accessible.

Error code: 22
Error: "The multiuser network file can not be opened."
Proposals for solution:
- Check if the file *.ps6n is in the database folder and if you have got the right privileges for it.
- If the database folder lies on a network share, make sure that the share is accessible.

Error code: 23
Error: "Access to this database has been denied."
Proposals for solution:
- Check the settings of the Password Safe firewall.

Error code: 24
Error: "The maximum number of sessions has been achieved. Connection with the database not possible."
Proposals for solution:
- Wait until another session has been closed.
- Purchase further licenses.

Error code: 25
Error: "The database is already opened and can therefore not be opened again."
Proposals for solution:
- A single user database has been opened by another user and has to be closed by that user first.

Error code: 26
Error: "Error at open/execute."
Proposals for solution:
- This message is sent when an intrusion attempt is suspected. Therefore be sure to check whether anybody is trying to gain access to your data.
- Check the log files of the server.

6.5 Support

Contact us...

MATESO GmbH
Daimlerstraße 7
86368 Gersthofen
Germany

Telephone hotline:
Germany: +49 900 5225562 (1,99 € / min. from German landline network)
Austria: +43 900 511503 (2,16 € / min. from Austria landline network)
Switzerland: +41 900 807020 (2,50 SFR / min. from Switzerland landline network)
Mon, Tue, Wed, Thu from 9 am to 5 pm, Fri from 9 am to 3 pm

Telephone office: +49 821 747 787 0
Mon, Tue, Wed, Thu from 9 am to 5 pm, Fri from 9 am to 3 pm

Telefax: +49 821 747 787 11
E-mail: [email protected]

Support (technical support and client service)
If you need support or have questions concerning the handling of the software, please call our telephone hotline or use our bulletin board. Alternatively you can also send an e-mail to [email protected] or use our support form. Customers with gold or platinum support package are allowed to directly call the office and they will be called back.

Support with gold support package
Customers with gold or platinum support package are allowed to directly call the office. Please have your customer ID ready.

6.6 Licensing agreement

Effective for the demo version:
Without a license the software starts as a demo version which you are allowed to test for a certain time and can then buy. A period of 30 (thirty) days is granted to you in which you can test the demo version. If you continue to use the program after that test phase you are obligated by law to pay for the program and therefore buy the full version. The continuing use of the demo version after the test phase is a criminal act and can be prosecuted criminally and by civil law. After the extended copyright law comes into effect, computer programs will be protected on a level that corresponds to the written word (books etc.). In terms of the drastic tightening of the legal situation, everybody who exceeds the granted test time incurs a penalty according to §69a in connection with §106 German Copyright Act: after the test phase the permission to run the program lapses, so that the offence of copying the work without consent of the creator then exists. According to the German Copyright Act amendment, demo programs are also copyrighted works.
You are definitely allowed to give other PC users access to the unregistered demo version of this program so that they can test the program as well. This is only valid under the condition that all files belonging to the program and the documentation are given away in the unchanged original state.

Notice for online services, shareware salesmen and distributors:
The demo version can be offered on CD-ROM or in online services. You do not need a written acceptance from us. You can always download the current versions from our website (www.passwordsafe.de). If you need updates and new publications from us regularly, please contact us.

Effective for the full version:
The described software becomes a full version by activating it with a license key (or a license file). The license key is personal and is delivered based on these license regulations and an obligation of secrecy (the obligation not to give away the full version and the license key). With the purchase of the license key the user is authorized to activate the program as a full version with the key, to install the program on his/her computer system and to use one bought product on one computer at the same time. For every further computer you need to buy another license key. A special case concerns the right management, which is not included in all versions. The number of licenses defines the number of users that can be created for the right management as well as the number of users logged on at the same time. The buyer is allowed to make copies of the full version for backup reasons and for the avoidance of data loss. But it is forbidden to give away copies of the full version or the license key or to make them accessible to other users. The ownership of the registered full version or the license key is not allowed to anybody other than the registered user.
Every forbidden copying of the full version or illegal circulation of the license key will be prosecuted criminally and by civil law. The owner of the rights to the software program is the MATESO GmbH.

Generally:
The statements contained in the program are without engagement and can be changed without further notice. There is no guarantee of the correctness of the content of the manual/help. We are grateful for all hints, because mistakes can never be completely avoided, despite all efforts. We cannot guarantee the adequacy of the program, including additional programs, for a certain use case or a certain hardware configuration. Furthermore we are not liable for any damages which arise from the use of, or the inability to use, the presented program. This includes the loss of business profits, the interruption of business operations, the loss of data as well as all other material and ideal loss and their consequential damages, and is even effective if we have been advised of the possibility of these damages before. If an error is noticed, we try to correct it as quickly as possible. Changes to files which belong to the program are strictly forbidden! Generally forbidden is the disassembling and/or patching of the program or its help files as well as the changing or exchanging of program modules or dynamic link libraries (DLL). By the ownership and the use of the following software the user agrees to the license clauses named above and to the exclusion of guarantee and liability.
6.7 Move to another server

If you want to move the Enterprise server to new hardware, please proceed as follows:

Preparation at the old server
- Create a backup for every master database
- Check if the RSA key *.prvkey for the backup exists
- Make sure that you have the database password and the connection password

Copying the necessary files
Copy the following files from the old to the new server:
- The backups of your master databases (*.psx)
- The RSA keys for the databases for the decryption of the backups (*.prvkey)
- The license file (psr6.lic)

Installation on the new server
- Please note that the Enterprise server and the clients need the same version. We suggest updating to the latest version during the move.
- If it is not possible to update the clients as well, use the corresponding server version. You get the necessary download link via the support.

Activation
- Open the SDS console and select help -> license overview -> file -> open license file
- Select the license file which you have copied from the old computer
- In the license overview you can now find the old computer name. Click on it with your right mouse button and select deactivate
- Start the SDS console again

Configuration
Now the software should be configured. Please note the following points here:
- If the setup assistant does not appear at the start, call it up via extras. Follow the assistant in order to achieve a basic configuration

Import of the data
- Create a new database
- Import the backup via the database assistant. For this it is necessary to name the storage location of the RSA key
- Start the server service
- If you use the module network logon, create a new *.nlc file for the clients

Safety settings
- If you want to use the high availability, create a new slave database at the corresponding server
- Set up the backup time schedules
- Configure the task service (if needed)
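A pre-flight check for the copy step of the move described above, given here as an added example that is not part of the manual or of MATESO's tooling. It confirms that the staging folder holds every file type from the copy list and records SHA-256 hashes so the copy can be verified on the new server before the import. The staging folder, the manifest file name and the Create/Verify modes are assumptions; only the file patterns come from the manual.

```powershell
# Added example, not part of the product. Save it under any script name and run it
# with -Mode Create on the old server, then with -Mode Verify on the new server.
param(
    [Parameter(Mandatory)] [string] $StagingDir,   # assumed folder holding the files to move
    [ValidateSet('Create', 'Verify')] [string] $Mode = 'Create'
)

$ErrorActionPreference = 'Stop'
$manifestPath = Join-Path $StagingDir 'migration-manifest.csv'   # hypothetical file name

# File patterns taken from the manual's list "Copying the necessary files".
$required = [ordered]@{
    'Master database backup' = '*.psx'
    'RSA key for the backup' = '*.prvkey'
    'License file'           = 'psr6.lic'
}

function Get-MigrationFiles {
    # Fail early if any required file type is absent from the staging folder.
    foreach ($item in $required.GetEnumerator()) {
        $found = @(Get-ChildItem -Path $StagingDir -Filter $item.Value -File)
        if ($found.Count -eq 0) {
            throw "Missing $($item.Key) ($($item.Value)) in $StagingDir"
        }
        $found
    }
}

if ($Mode -eq 'Create') {
    # Collect first so that no partial manifest is written when a file is missing.
    $files = @(Get-MigrationFiles)
    $files | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'Name'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path $manifestPath -NoTypeInformation
    Write-Output "Manifest with $($files.Count) entries written to $manifestPath"
} else {
    # Compare every manifest entry with the copied file on the new server.
    $bad = foreach ($row in Import-Csv -Path $manifestPath) {
        $file = Join-Path $StagingDir $row.Name
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            "$($row.Name): missing"
        } elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $row.Hash) {
            "$($row.Name): hash mismatch"
        }
    }
    if ($bad) { $bad | ForEach-Object { Write-Warning $_ }; exit 1 }
    Write-Output 'All migration files are present and unchanged.'
}
```

Because the *.prvkey files decrypt the backups, restrict access to the staging folder and delete the staged copies once the import on the new server has succeeded.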