
SafeWord® server synchronization in SafeWord for Check Point

Download the app note - 267 KB, 6 pages

Table of Contents

About SafeWord for Check Point
About SafeWord server synchronization
Functionality of SafeWord server synchronization
Architecture of a synchronized system
Implementing SafeWord server synchronization
Verifying SafeWord server synchronization
Importing tokens
Checking synchronization state
Restoring records and settings with SafeWord server synchronization

About SafeWord for Check Point

SafeWord® for Check Point delivers two-factor authentication security. Users carry hardware tokens that generate passcodes, which they use with their PIN. When a Check Point VPN user pushes the button on the SafeWord token, it immediately generates and displays a single-use passcode (via a unique secret key and an advanced encryption algorithm that is contained inside). The user enters the single-use passcode, followed by the user's unique PIN (if desired), to gain access.

The authentication server (also called the SafeWord server) keeps each user's token records on file. Using a secret key and an event counter, it confirms the authenticity of each passcode presented by each user. After being used once, a passcode is then useless and thrown away by the system. If someone steals it and tries to use it again, the passcode is denied by the authentication server and access is denied. This virtually eliminates threats from outsiders stealing, copying, or reusing passwords.

About SafeWord server synchronization

The SafeWord server component of SafeWord for Check Point can be installed on multiple Windows 2000 machines in order to provide the following:

  1. Automatic failover in the event of failure of one of the servers or machines
  2. Basic load-balancing capabilities
  3. Automatic backup of token records and administrative settings

This allows SafeWord authentication to continue despite the failure or overload of any machine in the system.

When SafeWord for Check Point is installed on multiple machines, SafeWord server synchronization must be set up in order to keep users' token records and the built-in administrative account synchronized across multiple SafeWord servers. Record and account synchronization is done in real time. If SafeWord server synchronization is not set up in an environment including multiple SafeWord for Check Point servers, then failover, load balancing, and automatic backup will not work, and the out-of-sync records can lead to problems with the use of the system.

Important note: user information is contained, stored, and managed in either the Check Point User Management system or Microsoft Active Directory. Because of this, SafeWord for Check Point provides no backup or failover method for Check Point database or Active Directory user information. The Check Point User Management and Active Directory provide their own backup and failover methods; please see Check Point User Management or Active Directory documentation for details.

SafeWord server synchronization is different from the manual backup of token records that is detailed in the SafeWord for Check Point Product Guide. Manual backup and restore can be done without requiring SafeWord server synchronization (and vice versa).

Functionality of SafeWord server synchronization

Automatic failover: when a SafeWord server or machine fails, authentication requests will be forwarded to another active server (specified per your synchronization architecture, discussed below).

Basic load-balancing capabilities: if your organization's authentication load is high, installing SafeWord for Check Point on two or more machines can help reduce the authentication load on each machine. If one SafeWord server cannot accept an authentication request because it is too busy, the request will be sent to another available machine (specified per your synchronization architecture, discussed below).

Backing up token records: In the absence of SafeWord server synchronization, if the SafeWord server either fails, needs to be reinstalled, or needs to be restored from the last manual backup, then all token records will reset to the event number at your last manual backup. Users who have utilized their tokens more than 16 times since the last backup will be "out of range" and will not gain access with their first authentication attempt. But this is no problem and is easily remedied. To resynchronize and get back in range, users simply authenticate twice with two consecutive one-time passcodes.

In addition to the above, without SafeWord server synchronization in place, any changes to users' PINs since the last manual backup will be lost.
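The event-counter check described under "About SafeWord for Check Point" and the out-of-range and resynchronization behaviour described just above, modelled as an added example in Python. This is not SafeWord's proprietary token algorithm or server code: the passcode derivation (HMAC-SHA1 truncated to six digits), the 16-passcode look-ahead window and the two-consecutive-passcodes resync rule are assumptions chosen to illustrate the behaviour the note describes, and the token secret is a constructed value.

```python
"""Illustrative event-counter one-time-passcode server.

Models the behaviour the app note describes: the server keeps a per-token
event counter, accepts a passcode only inside a look-ahead window, discards
each passcode after one use (replay is refused), and brings an out-of-range
token back into range only after two consecutive passcodes are presented.
"""
import hashlib
import hmac

WINDOW = 16         # look-ahead window; assumption mirroring the note's "16 times"
RESYNC_SPAN = 1000  # how far ahead to search during resync; assumption


def passcode(secret: bytes, counter: int) -> str:
    """Six-digit passcode from secret and event counter (HOTP-style; assumed)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class Token:
    """Client side: each button press emits the next passcode and advances."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = passcode(self.secret, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Server side: token records hold the secret and the next unused counter."""

    def __init__(self):
        self.records = {}   # token_id -> {"secret": bytes, "counter": int}
        self.pending = {}   # token_id -> counter matched by a first resync code

    def enroll(self, token_id: str, secret: bytes) -> None:
        self.records[token_id] = {"secret": secret, "counter": 0}

    def _find(self, token_id: str, code: str, start: int, span: int):
        """Return the counter in [start, start+span) that produces code, or None."""
        rec = self.records[token_id]
        for c in range(start, start + span):
            if hmac.compare_digest(passcode(rec["secret"], c), code):
                return c
        return None

    def authenticate(self, token_id: str, code: str) -> bool:
        if token_id not in self.records:
            return False
        rec = self.records[token_id]
        # Normal case: passcode lies within the look-ahead window.
        c = self._find(token_id, code, rec["counter"], WINDOW)
        if c is not None:
            rec["counter"] = c + 1          # everything up to c is now spent
            self.pending.pop(token_id, None)
            return True
        # Out of range: the first attempt fails but records the position;
        # the next consecutive passcode confirms it and resynchronises.
        far = self._find(token_id, code, rec["counter"] + WINDOW, RESYNC_SPAN)
        if far is None:
            self.pending.pop(token_id, None)
            return False
        prev = self.pending.get(token_id)
        if prev is not None and far == prev + 1:
            rec["counter"] = far + 1
            self.pending.pop(token_id, None)
            return True
        self.pending[token_id] = far
        return False


def demo():
    """Walk through: normal login, replay refused, stale-backup resync."""
    secret = b"constructed-demo-secret"          # constructed, not a real key
    tok, srv = Token(secret), AuthServer()
    srv.enroll("T1", secret)
    first = tok.press()
    ok = srv.authenticate("T1", first)           # accepted
    replay = srv.authenticate("T1", first)       # same passcode again: refused
    # Simulate a server restored from an old backup: the token has moved on by
    # 20 presses while the record still says counter 1, i.e. beyond WINDOW.
    for _ in range(20):
        tok.press()
    attempt1 = srv.authenticate("T1", tok.press())   # out of range: fails
    attempt2 = srv.authenticate("T1", tok.press())   # consecutive code: resync
    return ok, replay, attempt1, attempt2


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is what lets a token that was pressed a few times without logging in still work; it is also why a record reset to an old counter leaves the user "out of range" until two consecutive passcodes re-anchor the server's counter.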

Architecture of a synchronized system

SafeWord for Check Point implements a SafeWord server synchronization architecture based on a ring topology. SafeWord server synchronization is implemented inside the Administration Service and therefore, the Administration Service must be running in order for SafeWord server synchronization to work.

Each server in the ring has up to two neighbors: a logical 'next' server in the ring, and a logical 'previous' server (see figure 1). In the case of only two servers in the ring, each server is only configured to have a 'next' neighbor (see figure 2).



Implementing SafeWord server synchronization

To implement SafeWord server synchronization, follow these steps and repeat them on all Windows 2000 servers that will participate in SafeWord server synchronization. (Because SafeWord Server synchronization traffic is not encrypted, it is strongly recommended that synchronization of geographically disparate peers be performed over a VPN link.)

  1. Install SafeWord for Check Point and install the SafeWord server component of SafeWord for Check Point on at least one additional machine. The additional server installation(s) must use the same database keys, but do not need to use the same ports. Follow the instructions in the SafeWord for Check Point Product Guide to perform the installation, to allow the RADIUS agent to point to multiple machines, and to allow the management console to connect to different SafeWord servers.

  2. Stop the SafeWord Administration Service and SafeWord Authentication Engine. Do NOT stop the SafeWord Database Server.

  3. Edit {Install_Directory}/SERVERS/Shared/sccservers.ini file:

    1. Locate and uncomment the line starting with "DBActionListenerClass" (by removing the first "#" character).

    2. Locate and uncomment the line starting with "ReplNext_JDBC_URL"

    3. Replace "NEXT_HOST" on that line with the IP address of the node that will serve as the logical 'next' node in the replication ring.

      The following two steps apply only to SafeWord server synchronization rings consisting of more than two nodes.

    4. Locate and uncomment the line starting with "ReplPrev_JDBC_URL"

    5. Replace "PREV_HOST" on that line with the IP address of the node that will serve as the logical 'previous' node in the replication ring.

  4. Save the file.

  5. Open a command window and change to directory {Install_Directory}/SERVERS/Database/bin.

  6. For each neighbor of this host, run batch file AddReplPeer.bat with the parameter specifying the IP address of the neighbor. Do this for each node in the ring.

    This tells the database to accept connections from the neighbor nodes whose names or IP addresses you specify in the command line arguments.

  7. Start the SafeWord Administration service and SafeWord Authentication engine services.

Important note: if installing SafeWord for Check Point for the first time, follow the above steps. However, if you have been using a single SafeWord server and are adding a second (or other additional) server, you must first perform a manual backup of the first server and manually restore it to the machine(s) with the additional SafeWord server(s). See the SafeWord for Check Point Product Guide for more information on manual backup and restore.
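One way to derive each node's neighbours, the sccservers.ini edits of step 3 and the AddReplPeer peer lists of step 6 for a ring of any size, with a consistency check to run before step 7 starts the services. This is an added Python example, not a Secure Computing tool: the key names DBActionListenerClass, ReplNext_JDBC_URL and ReplPrev_JDBC_URL and the NEXT_HOST/PREV_HOST placeholders come from the note, but the sample ini text, the JDBC URL shape around the placeholders and the node addresses are constructed assumptions. It generalizes the note's two-node and multi-node cases to rings of any length.

```python
"""Plan a SafeWord server synchronization ring from an ordered node list.

Assumed inputs: the nodes in ring order (addresses are constructed examples)
and a stand-in for the replication lines of sccservers.ini.
"""

# Constructed stand-in for the relevant lines of sccservers.ini. The key
# names are from the app note; the JDBC URL format is an assumption.
SAMPLE_INI = """\
# Replication settings (constructed sample)
#DBActionListenerClass=com.example.ReplicationListener
#ReplNext_JDBC_URL=jdbc:example://NEXT_HOST:1234/safeword
#ReplPrev_JDBC_URL=jdbc:example://PREV_HOST:1234/safeword
"""


def ring_neighbours(nodes):
    """Return {node: (next, prev)} for nodes listed in ring order.

    prev is None in a two-node ring, matching the note's rule that such rings
    configure only a 'next' neighbour.
    """
    if len(nodes) < 2:
        raise ValueError("a synchronization ring needs at least two nodes")
    if len(set(nodes)) != len(nodes):
        raise ValueError("duplicate node address in ring")
    n = len(nodes)
    neighbours = {}
    for i, node in enumerate(nodes):
        nxt = nodes[(i + 1) % n]
        prv = nodes[(i - 1) % n] if n > 2 else None
        neighbours[node] = (nxt, prv)
    return neighbours


def render_ini(ini_text, nxt, prv):
    """Apply steps 3.1 to 3.5 to one node's file: uncomment the listener and
    ReplNext lines and substitute the neighbour; ReplPrev only when prv is set."""
    out = []
    for line in ini_text.splitlines():
        if line.startswith("#DBActionListenerClass"):
            line = line[1:]
        elif line.startswith("#ReplNext_JDBC_URL"):
            line = line[1:].replace("NEXT_HOST", nxt)
        elif line.startswith("#ReplPrev_JDBC_URL") and prv is not None:
            line = line[1:].replace("PREV_HOST", prv)
        out.append(line)
    return "\n".join(out) + "\n"


def peer_list(neighbours, node):
    """Addresses to pass to AddReplPeer.bat on this node (step 6): its
    neighbours, deduplicated so a two-node ring yields one peer."""
    nxt, prv = neighbours[node]
    return sorted({p for p in (nxt, prv) if p is not None})


def check_ring(neighbours):
    """Pre-deployment sanity check: each 'next' names this node as 'previous'
    (rings of three or more), and following 'next' links visits every node
    exactly once before returning to the start."""
    nodes = list(neighbours)
    for node, (nxt, prv) in neighbours.items():
        if nxt not in neighbours or nxt == node:
            return False
        if prv is not None and neighbours[nxt][1] != node:
            return False
    seen, cur = [], nodes[0]
    while cur not in seen:
        seen.append(cur)
        cur = neighbours[cur][0]
    return cur == nodes[0] and len(seen) == len(nodes)


if __name__ == "__main__":
    ring = ring_neighbours(["10.0.0.1", "10.0.0.2", "10.0.0.3"])  # constructed
    print("ring consistent:", check_ring(ring))
    for node, (nxt, prv) in ring.items():
        print(f"== {node}: AddReplPeer.bat {' '.join(peer_list(ring, node))}")
        print(render_ini(SAMPLE_INI, nxt, prv))
```

Running check_ring on the planned configuration catches the common mistakes (a node pointing at itself, two nodes sharing the same 'next', a 'previous' that does not mirror its neighbour's 'next') before the Administration Service is started on any node.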

Verifying SafeWord server synchronization

To verify that SafeWord server synchronization is working in your implementation of SafeWord for Check Point, perform the following test on any system in the SafeWord server synchronization ring.

Importing tokens

Insert your Token Data CD. Select the Import/Backup/Restore feature under SafeWord folder. Browse to or specify a path to the import file located on your Token Data CD and press the Import button.

To verify that the import has completed successfully, select Tokens feature under SafeWord folder. Verify that the list of Token IDs imported appears in the right-hand pane.

Verify that the change is reflected on the other server(s) in the synchronization ring. To do this you will need to either set up a separate SafeWord Active Directory Management console configured to access the Administration service on the other server, or to reconfigure your existing console to access this other server. Please see the SafeWord for Check Point Product Guide for further details.

Checking synchronization state

To check if SafeWord server synchronization is in a steady state (i.e., a state in which all changes are propagated to other SafeWord servers):

  1. Open a command window and change to directory {Install_Directory}/SERVERS/Database/bin.

  2. Run the batch file called "QueryChangeLog." This check should be performed on all servers in the ring.

  3. The system has reached steady state once the output says: "Empty set."

  4. Repeat steps 1-3 for all nodes in the ring.

Restoring records and settings with SafeWord server synchronization

If a machine or server fails in this architecture, authentication requests will be diverted (per the previously-described architecture) to the next available machine. As all token records and database information have been copied in real-time to all machines, there will be no disparity in records and no failed authentications for users. Once the failed machine is back online, SafeWord server synchronization will automatically replicate the token records and administrative information to the restored machine. (If the neighbor nodes were up when the failed node went down, the neighbor nodes need to be restarted.)

A manual restore is necessary only if the failed machine requires a clean reinstall of the SafeWord for Check Point software. In this case, manually back up one of your online servers and manually restore the information to the machine with the clean reinstall. See the SafeWord for Check Point Product Guide for more information on manual backup and restore.

© 2003 Secure Computing Corporation. All Rights Reserved.  Contact Us: 800.379.4944 opt. 3 or 408.979.6572