Rolling Upgrade Scenario: Three OneSpan Authentication Server Instances Using Individual Databases

About this scenario

This scenario describes an environment with the following setup:

• There are three OneSpan Authentication Server instances: server A, server B, and server C.
• Each OneSpan Authentication Server instance has its own database.
• User load is distributed evenly between all OneSpan Authentication Server instances using a third-party solution.
• Two-way replication is enabled between all instances to ensure consistency of data across databases

Figure: Rolling upgrade scenario: Three servers using individual databases and replication

The servers will be upgraded in the following order:

1. Server A
2. Server B
3. Server C

Do not modify the configuration of the servers, or perform authenticator or user administration, during the rolling upgrade.

We recommend that you carefully consider the security implications of this procedure (as mentioned above).

Before you begin

• Verify that you have addressed the different usability and user load issues related to a rolling upgrade (see General considerations).

• In this scenario you will be requested to configure, break, and restore replication between different OneSpan Authentication Server instances. For more information about replication during rolling upgrades, see Replication.

Although this scenario allows live upgrading with minimal service degradation, you need to take certain security considerations into account. During this upgrade, there is a window in which OTP replay attacks are possible.

Problem

A window for a replay attack opens when one server has been upgraded and is handling authentication requests, but is not yet replicating to other servers. In the scenario above, a replay attack is made possible. A user may authenticate first on server A, then replay the exact same authentication on server B or server C.

Specifically, replay attacks are possible from step 12 until 24 in the upgrade process described below.

Workaround

If the replay attack window is not acceptable and the total load is low enough to be handled on one server, you can move all load to server A in step 12 and continue with the upgrade as specified. This makes steps 13 and 24 unnecessary; all other steps remain valid.

Walkthrough: Performing a rolling upgrade on three servers with individual databases

Performing a rolling upgrade on servers with individual databases

Upgrade Server A

1. Remove the load from server A.
2. Break replication from server B to server A.
3. Break replication from server C to server A.

4. Wait until the replication queue on server A is empty.

   You should now be in this situation:

   

   Figure: Rolling upgrade scenario: Breaking replication from other servers to server A

5. Stop the OneSpan Authentication Server service on server A.
6. Break replication from server A to server B.

7. Break replication from server A to server C.

   

   Figure: Rolling upgrade scenario: Breaking replication from server A to other servers

8. Upgrade OneSpan Authentication Server on server A.
9. Restore replication from server B to server A.

10. Restore replication from server C to server A.

    

    Figure: Rolling upgrade scenario: Restoring replication from other servers to server A

11. Wait until the replication queues on servers B and server C to server A are empty.

12. Restore the load on server A.

    

    Figure: Rolling upgrade scenario: Restoring user load to server A

Upgrade Server B

13. Remove the load on server B.

14. Break replication from server C to server B.

    

    Figure: Rolling upgrade scenario: Breaking replication from server C to server B

15. Wait until the replication queue on server B is empty.
16. Stop the OneSpan Authentication Server service on server B.
17. Break replication from server B to server A.

18. Break replication from server B to server C.

    

    Figure: Rolling upgrade scenario: Breaking replication from server B to other servers

19. Upgrade OneSpan Authentication Server on server B.
20. Restore replication from server A to server B.

21. Restore replication from server B to server A.

    

    Figure: Rolling upgrade scenario: Restoring replication from server B to server A

22. Wait until the replication queue on server A towards server B is empty.

23. Restore load on server B.

    

    Figure: Rolling upgrade scenario: Restoring user load on server B

Upgrade Server C

24. Remove load on server C.

25. Wait until the replication queue on server C to server A is empty.

    

    Figure: Rolling upgrade scenario: Removing user load on server C

26. Stop the OneSpan Authentication Server service on server C.

27. Break replication from server C to server A.

    

    Figure: Rolling upgrade scenario: Breaking replication from server C to server A

28. Upgrade OneSpan Authentication Server on server C.
29. Restore replication from server A to server C.

30. Restore replication from server B to server C

    

    Figure: Rolling upgrade scenario: Restoring replication from other servers to server C

31. Restore replication from server C to server A.
32. Restore replication from server C to server B.

33. Wait until the replication queues on server A and server B to server C are empty.

    

    Figure: Rolling upgrade scenario: Restoring replication from server C to other servers

34. Restore load to server C.