---
canonical: https://safekit.evidian.com/products/high-availability-software-for-application-clustering/safekit-release-notes-8-2/
SafeKit 8.2 Release Notes — Part 4 of 7 — Major Changes 8.2 vs 7.5: Templates, Miscellaneous, OpenSSL & Apache (sections 2.1.10–2.1.16)
---

### 2.1.10       Module templates

#### 2.1.10.1    Solution for Podman

SafeKit brings high availability to Podman
between two redundant servers. For details, see [Podman: the simplest high availability cluster between two redundant
servers](https://safekit.evidian.com/products/high-availability-software-for-application-clustering/podman-the-simplest-high-availability-cluster-between-two-redundant-servers/)

#### 2.1.10.2    hyperv.safe and kvm.safe enhancement with software error detection

A
custom checker is included in the [hyperv.safe](https://safekit.evidian.com/products/high-availability-software-for-application-clustering/hyper-v-replication-automatic-failover-load-balancing/safekit-quick-installation-guide-with-hyper-v/) and [kvm.safe](https://safekit.evidian.com/products/high-availability-software-for-application-clustering/linux-kvm-high-availability-replication-automatic-failover-load-balancing/safekit-quick-installation-guide-with-kvm/) modules to detect VM
malfunction: VM locked up, crashed, or ceased to function. In addition, you can
integrate the automatic restart of your service if it fails inside the VM.

#### 2.1.10.3    mirror.safe and farm.safe enhancement

The mirror.safe and farm.safe
delivered since SafeKit 8.2.4, has been enhanced to allow the definition
of the services list using a macro called SERVICES into the
module configuration. The module scripts utilize this value to:

·        
check that the listed services exist on the
server and disable their automatic startup at boot during module configuration

·        
automatically start and stop the listed services
when necessary, during the module runtime

Therefore, integrating a new application
using mirror.safe or farm.safe is limited to:

·        
getting the names of the relevant services

To list all
installed services on a server, use:

o    the PowerShell cmdlet Get-Service in Windows

o    the command systemctl
list-unit-files --type=service in Linux

·        
obtaining an unused IP address as the virtual IP

·        
determining the paths of the directories to
replicate for a mirror module

·        
determining the load-balancing rules

The
user no longer needs to modify the scripts to insert the start and stop
commands for each service. Indeed, you can still edit the scripts in case you
need to adapt them for specific needs. For example, milestone.safe
requires starting App pools after the IIS service has been started. It does not
present any difficulty to adapt the generic script to insert this operation.

### 2.1.11       Permanent disabling of application checkers

To avoid false error detection and
automatic failover on application maintenance, you can use the commands: safekit errd suspend|resume –m
module and safekit checker on|off –m module.

With SafeKit < 8.2, these operations
could only be run while the module is started, and the module configuration
options were restored on the next stop-start of the module.

Since SafeKit 8.2, these operations can be
run while the module is stopped and are not resetted when the module
stops-starts.

Moreover, you can now use safekit errd off|on instead of
suspend|resume.

### 2.1.12       License check

Before SafeKit 8.2, SafeKit used to check
the product license only from the file SAFE/conf/license.txt.
Since SafeKit 8.2, this control is less strict and accept any filename. If many
license files are present into SAFE/conf, the most favorable license is selected (permanent over temporary,
latest expiration date…). If only expired license is found, the product will
stop every 3 days.

### 2.1.13       SNMP monitoring

Since SafeKit 8.2, SNMP monitoring
implementation differs in Windows and Linux:

·        
in Windows, it uses its own snmp agent service.
The service is now named "Net-SNMP
Agent" instead of safeagent before
SafeKit 8.2.

·        
in Red Hat, it is based on the operating
system’s SNMP agent. Therefore, the safekit commands for installing and
controlling the SNMP agent used in previous SafeKit releases are deprecated

·        
in Ubuntu, SNMP monitoring is not supported

Refer to the section “SNMP monitoring” of
the [*SafeKit User’s Guide*](https://customercare.evidian.com/space/OPD/1208320038/SafeKit+8.2?attachment=https://customercare.evidian.com/download/attachments/1208320038/safekit82userguideen.pdf&type=application/pdf&filename=safekit82userguideen.pdf)for the new procedures to manage the SNMP agent in SafeKit 8.2.

Moreover, SNMP traps are no more generated.

### 2.1.14       SafeKit package upgrade

Since 8.2.1:

·        
In Linux, third-party packages on which SafeKit
depends that were automatically installed are no longer uninstalled when
running safekit
uninstall (for upgrade). These
are only uninstalled for the full uninstall with safekit uninstall -all.

·        
In Linux and Windows, when installing the new
SafeKit package for the upgrade, previously configured modules are
automatically reconfigured. In some cases, described in the migration
instructions, it may be necessary to reconfigure modules to account for the
configuration changes introduced by the new version of SafeKit.

Starting with SafeKit version 8.2.5, on Red
Hat, RPM packages are GPG-signed. Thus, the SafeKit GPG public key is
automatically imported to allow the installation to continue.

### 2.1.15       SafeKit email notification agent

Since SafeKit 8.2.4, SafeKit offers a
notification agent that sends emails for major events on modules. These events
are extracted from the system log, which is populated by the log messages of
modules configured on the SafeKit server. Using this feature requires that your
company's IT team has set up an SMTP server that can be accessed by the agent
running on SafeKit nodes.

Below is an example of an email sent by the
SafeKit notification agent set up on node1:

![](data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%20605%20184'%3E%3C/svg%3E)![](https://safekit.evidian.com/wp-content/uploads/downloads_safekit/version-82/safekit82releasenotes_fichiers/image010.png)

With the default agent configuration, when
a module critical or state change event occurs on node1, the agent gathers all
other events within the following minute and sends them in a single email.

To configure and enable the agent, refer to
the section “SafeKit email notification agent ” of the [*SafeKit User’s Guide*](https://customercare.evidian.com/space/OPD/1208320038/SafeKit+8.2?attachment=https://customercare.evidian.com/download/attachments/1208320038/safekit82userguideen.pdf&type=application/pdf&filename=safekit82userguideen.pdf).

### 2.1.16       Miscellaneous

·        
Linux package

Since SafeKit 8.2,
all third-party libraries and bins that can be delivered with the Linux
operating system are no more included into the SafeKit package. During SafeKit
install, these packages will be automatically installed, if necessary, with the
yum command (except the packages for the file replication or
load-balancing that must be manually installed according to your needs).

·        
Windows package

Two SafeKit
packages are available:

o   
a Windows Installer package
(safekit\_windows\_x86\_64\_8\_x\_y\_z.msi)

It depends on
the VS2022 C runtime which must be previously installed.

o   
a standalone executable bundle
(safekit\_windows\_x86\_64\_8\_x\_y\_z.exe)

It includes the
SafeKit package and the VS2022 C runtime.

Since
SafeKit 8.2.3, at the end of the SafeKit install, it is possible to proceed
with firewall setup and web service initialization (with the admin
password setup). This eliminates the need for manual calls to firewallcfg and webservercfg.

·        
Module snapshot

The structure
and content of the snapshot has slightly changed in SafeKit 8.2. For a full
description, see section “Analysis from snapshots of the module” in the [*SafeKit User’s Guide*](https://customercare.evidian.com/space/OPD/1208320038/SafeKit+8.2?attachment=https://customercare.evidian.com/download/attachments/1208320038/safekit82userguideen.pdf&type=application/pdf&filename=safekit82userguideen.pdf). See also the
new SafeKit training resources “[Support tools](https://safekit.evidian.com/products/high-availability-software-for-application-clustering/safekit-training-support-tools/)”.

Since SafeKit
8.2.4, the zips generated for snapshots are protected by the password safekit.
This allows the snapshot to be received in its entirety when sent via email.

·        
Module status

Since SafeKit 8.2,
the internal module status previously represented by the color’s red, magenta, green has
been replaced by NotReady,
Transient and Ready. These values are displayed into
the module log, module state and some module resources.

·        
User scripts dynamic reconfiguration

Since SafeKit 8.2,
dynamic re-configuration of scripts is supported except for running scripts in
Windows (such as custom checkers).

·        
SafeKit web server port change

Before SafeKit 8.2,
when changing the default value of the SafeKit web server, it was also necessary
to change its value into the internal file safeini.xml. This is
no more required.

·        
Catalog files for internationalizing backend and
frontend messages have changed format

·        
Since SafeKit 8.2.4:

o   
the Linux Secure boot setup has been simplified

o   
the webservercfg command allows to setup a
custom username, to access the web console, instead of using the default one,
which is admin

o   
in Windows, the demonstration module vhost.safe
includes the example of setting and testing the virtual hostname for a service

o   
SafeKit includes a configurable mechanism for
encrypting and decrypting sensitive data used within its components. See
section “Encryption of sensitive files in SafeKit” in the [*SafeKit User’s Guide*](https://customercare.evidian.com/space/OPD/1208320038/SafeKit+8.2?attachment=https://customercare.evidian.com/download/attachments/1208320038/safekit82userguideen.pdf&type=application/pdf&filename=safekit82userguideen.pdf)

·        
Since SafeKit 8.2.5

o    in Linux, the firewallcfg
add command also automatically activates firewall
configuration for modules as soon as they are set up. Prior to this version, it
was necessary to run the command firewallcfg add *AM* (where *AM* is
the name of the module)

o    japanese translation is now available in the module logs and the web
console

o    add the command safekit
prim fullsync to trigger a full reintegration of all
replicated directories on the secondary when it is started

#### OpenSSL

All communication flows between SafeKit nodes within a cluster can be encrypted using OpenSSL.

- **On Windows**, SafeKit 8.2.5 embeds the following OpenSSL library in the installation package: OpenSSL 3.5.1 (1 Jul 2025)

- **On Linux**, SafeKit relies on the OpenSSL library provided by the operating system.

##### SafeKit Processes, Ports, and Encryption

| Process / Service | Default Port (or Formula) | Protocol | Encryption / Notes |
|------------------|--------------------------|----------|--------------------|
| **safeadmin** (`safeadmin`) | UDP 4800 (default) | UDP | Internal control messages; Symmetric encryption AES-128-CBC  + SHA256. |
| **safewebserver** (Apache httpd / Web Console) | TCP 9010 (HTTP) or TCP 9453 (HTTPS) | TCP (HTTP / HTTPS) | HTTP: no encryption; HTTPS: TLS 1.3 (TLS 1.2 in option). Used by the console, module checkers, and distributed CLI. |
| **safecaserv** (optional Apache) | TCP 9001 (default) | TCP (HTTPS for PKI wizard) | Secures the Web Console PKI wizard; HTTPS (TLS 1.3) when configured. |
| **Net‑SNMP Agent** (`safeagent`, Windows optional) | UDP 3600 (default) | UDP (SNMP v2) | SNMP v2 is not encrypted; `safeagent` is optional. |
| **heart** (mirror heartbeat) | UDP 8888 + (id‑1) | UDP | Heartbeat channel between mirror nodes; Symmetric encryption AES-128-CBC  + SHA256. |
| **rfs / safenfs** (file replication) | TCP `safenfs_port` = 5600 + (id‑1)×4 | TCP | File replication channel used by `nfsadmin` / `nfsbox` / `reintegre`; number of parallel TCP connections is configurable (`nbremconn`). Module PKI (TLS 1.3) can secure replication if enabled. |
| **reintegre** (file reintegration) | Uses rfs `safenfs_port` (no separate port) | TCP (over rfs channel) | Reintegration runs over the rfs replication channel. If module encryption is enabled, traffic is secured with TLS 1.3; otherwise not encrypted by default. |
| **farm** (farm module communications) | UDP 4803 + (id‑1)×3 (e.g. id=2 → UDP 4806) | UDP | Farm inter‑node communications; Symmetric encryption AES-128-CBC  + SHA256. |
| **vipd / arpreroute** | — (operates via ARP / kernel virtual IP) | ARP / local networking | Virtual IP and ARP handling; no TCP/UDP listener. |
| **splitbraincheck** | ICMP (ping) | ICMP | Uses ICMP for split‑brain detection; no encryption. |
| **modulecheck** | Connects to node web service on TCP 9010 (or configured web port) | TCP / HTTP / HTTPS (TLS 1.3) | Uses the SafeKit web service protocol; encryption depends on HTTP or HTTPS configuration. |
| **tcpcheck** (checker) | User‑configured port | TCP | Tests a user‑defined TCP service; no encryption (tests the connection only). |
| **pingcheck / intfcheck / ipcheck** | ICMP / local interface checks | ICMP / local | No encryption (ICMP or local checks). |
| **ready.txt** (module health probe) | Exposed via HTTP / HTTPS on SafeKit web service: `/var/modules/<module>/ready.txt` (TCP 9010 or 9453) | HTTP / HTTPS (TLS 1.3) | Used by cloud or load‑balancer health probes. |

#### Apache Server

SafeKit ships a lightweight Apache-based web service (`safewebserver`) and uses it as the built-in HTTP(S) server for the Web Console, the distributed CLI, and several module checkers. An Apache HTTP server is therefore required to support these management and control features.

- **On Windows**, SafeKit 8.2.5 embeds the following Apache server version: Server version: Apache/2.4.65 (Win64)

- **On Linux**, SafeKit relies on the Apache server provided by the operating system.

##### SafeKit Apache Modules

| Module | Status / Condition | Purpose | Primary Config |
|--------|--------------------|---------|----------------|
| alias_module | Always | URL aliasing/redirection | httpd_main.conf, httpd.caserv.conf |
| auth_basic_module | Always| HTTP Basic authentication | httpd.caserv.conf |
| auth_form_module | Always | Form-based authentication | httpd_main.conf |
| auth_openidc_module | Conditional (if useopenid is defined) | OpenID Connect SSO | httpd.webconsoleopenidauth.conf |
| authn_core_module | Always | Core authentication | httpd_main.conf, httpd.caserv.conf |
| authn_file_module | Always | File-based user authentication | httpd_main.conf, httpd.caserv.conf |
| authnz_ldap_module | Conditional (if useldap is defined) | LDAP authentication/authorization | httpd.webconsoleldap.conf |
| authz_core_module | Always | Core authorization | httpd_main.conf, httpd.caserv.conf |
| authz_groupfile_module | Always | Group file authorization | httpd_main.conf, httpd.caserv.conf |
| authz_host_module | Always | Host-based access control | httpd_main.conf, httpd.caserv.conf |
| authz_user_module | Always | User-based authorization | httpd_main.conf, httpd.caserv.conf |
| autoindex_module | Always | Automatic directory listing | httpd.caserv.conf |
| cgi_module | Always | CGI script execution | httpd_main.conf, httpd.caserv.conf |
| dir_module | Always | Directory handling | httpd_main.conf, httpd.caserv.conf |
| env_module | Always | Environment variables | httpd_main.conf, httpd.caserv.conf |
| expires_module | Always | Cache expiration headers | httpd_main.conf |
| headers_module | Always | HTTP header manipulation | httpd_main.conf, httpd.caserv.conf |
| ldap_module | Conditional (if useldap is defined) | LDAP directory connectivity | httpd.webconsoleldap.conf |
| log_config_module | Always | Logging configuration | httpd_main.conf, httpd.caserv.conf |
| lua_module | Always  | Lua scripting engine | httpd_main.conf, httpd.caserv.conf |
| macro_module | Always | Configuration macros | httpd_main.conf |
| mime_module | Always | MIME type mapping | httpd_main.conf, httpd.caserv.conf |
| mpm_event_module | Windows only | Event-driven process model | httpd.caserv.conf |
| mpm_prefork_module | Windows Only  | Pre-forking process model | httpd_main.conf |
| negotiation_module | Always | Content negotiation | httpd_main.conf, httpd.caserv.conf |
| proxy_http_module | Always | HTTP proxying | httpd_main.conf |
| proxy_module | Always | Proxy framework | httpd_main.conf |
| proxy_wstunnel_module | Always | WebSocket tunneling | httpd_main.conf |
| request_module | Always  | Request handling framework | httpd_main.conf |
| reqtimeout_module | Always | Request timeout handling | httpd_main.conf |
| rewrite_module | Always  | URL rewriting engine | httpd_main.conf |
| session_cookie_module | Always  | Cookie-based sessions | httpd_main.conf |
| session_crypto_module | Always | Session encryption | httpd_main.conf |
| session_module | Always  | Session management | httpd_main.conf |
| setenvif_module | Always | Conditional environment variables | httpd_main.conf, httpd.caserv.conf |
| ssl_module | Always | SSL/TLS support | httpd_main.conf, httpd.caserv.conf |
| unixd_module |  Linux Only  | Unix daemon functionality | httpd_main.conf, httpd.caserv.conf |