It’s time to move to RSA SecurID Authentication Manager 8

Not long time ago, EMC released the brand new version of Authentication Manager (AM). There is a major shift in this release – it is now a virtual appliance based on SLES11. This appliance can be deployed in our vSphere infrastructure.

Beside this, we now have something called a “Web Tier“. It is placed in the DMZ and is used for accessing the AM from the Internet and hence providing additional layer of security for our AM infrastructure. This way an AM provides a new way of authentication called RBA (“Risk-Based Authentication“).

Hardware and software tokens, seed records, authentication agents, realms, … It’s all more or less the same.

To migrate our 7.x AM to 8.0, follow these steps:

  1. Download the installation and license files
  2. Deploy and set up the primary appliance
  3. Deploy and set up the replica appliance
  4. Migrate our 7.x or 6.x data

Before we move on, here are some system requirements that need to be met:

  • Hypervisor can be ESXi 4.1 or above
  • For virtual appliance we need to have: 8GB vRAM, 2vCPU, 100GB thick provisioned vHDD
  1. Download the installation and license files

For starters, we need to download our virtual appliance and a license files from RSA/EMC site. We can use an evaluation license or have our present license converted to a new format. For this we need to have a valid SCOL account.

2. Deploying and setting the primary appliance

Same as with previous version, we can have one primary instance and up to fifteen replicas. I believe those are correct numbers. To begin our deployment we start a “Deploy OVF Template” wizard:

deploy1

And then locate an OVA file:

deploy2

deploy3

deploy4

deploy5

deploy6

After reviewing an EULA, we select a location to power a deployed template on. We can specify a cluster and a host within a cluster:

deploy7

deploy8

Now we specify a datastore to hold virtual machine. Have in mind that the appliance has two disks. One of 4 GB and one of 100GB in size. Both are thick provisioned, so we need to make sure that we have enough free space on a datastore:

deploy9

This appliance uses only one virtual network adapter. We choose appropriate port group for our deployment:

deploy10

Next, we need to specify standard IP parameters: IP address and mask, default gateway and DNS servers:

deploy11

After making sure all settings are ok, we can finish this wizard and power on a virtual machine.

deploy12

In the “Recent Tasks” pane we can watch a deployment progress.

deploy13

Now in the console windows we can watch a setup progress:

setup1

setup2

Please note a white-squared hash value. This value is a SHA1 hash of the certificate used for SSL connection between our browser and the appliance. This hash value is presented to us in a so called out of band way. First time we connect to our appliance, using our browser, we should compare a certificate hash value sent by the appliance to that presented to us in the console:

setup4

Because this is our primary instance, we select “Start Primary Quick Setup“:

setup3

Then simply click “Start Step 1“:

setup5

Now we select a ZIP file containing our license and click Upload:

setup6

Because it is a critical that the time on the appliances is synchronized with the token time, we must synchronize time in some way. Way have an option to sync with the ESXi host, or use the time servers:

setup7

The rsaadmin account is used to access the operating system itself. In this case it’s SLES Linux 11 SP1. Please remember this password:

setup9

The “Security Console Super Admin” and “Operations Console (OC) Administrator” have the same roles as in previous version of AM. Also, don’t forget these passwords:

setup10

Before starting a deployment, we can quickly review our settings and click “Start Configuration“:

setup11

This is our progress window:

setup12

And this is what we would like to see:

setup14

At this point we have our primary replica deployed.

 

3. Deploying and setting the replica appliance

We start deploying our replica instance by generating a replica package. We select “Deployment Configuration->Instances->Generate Replica Package“:

repl1

And we save this package some place handy:

repl2

Now we deploy the replica appliance using the same steps as for primary appliance. When we log in to the replica appliance for the first time, we click the “Start Replica Quick Setup“:

repl3

Click “Start Step 1“:

repl4

Make sure the time is correct:

repl5

And type in the operating system password:

repl6

Review the configuration and start deployment:

repl7

And after a while this is what we want to see. Now by clicking “Begin Attach“, we start a process of joining this replica instance to the primary:

repl9

We chose a replica package file:

repl10

Then provide an “Operations Console Administrator Credentials” password:

repl11

And the attachment begins:

repl12

And after replication is performed, we have a success window opened:

repl14

Finally, from the “Replication Status Report” we can see if the attachment and replication were successful:

repl15

 

4. Migrate our 7.x or 6.x data

This a final step that can be broken into three sub-steps:

  • Installing the export utility on our existing AM instance
  • Exporting our data
  • Importing the data into new AM system

First let me say that this blog is about migrating AM version 7.x to AM 8.0. Perhaps the steps for migrating from AM 6.x are the same but I actually did not perform them.

In addition to this, the version of old AM must be the latest, that is 7.4. Further more, we need to have the export utility version aligned to the version of AM we are exporting data from.

Finally, there are many paths of going from 7.x to 8.0 but I will deal only with one here. For example, we could retain AM 7.x along side with the 8.0. In this case we must generate the new “sdconf.rec” file and reconfigure our agents. Or we could take over the AM 7.x identity and remove it from the network. In this case the new AM takes place and we don’t need to reconfigure our agents. Please refer to the documentation on specific migration option.

In the ZIP file we downloaded from the site, we can find and install the migration utility on the primary instance.

In the folder “RSA Authentication Manager 7.1 Migration Export Utility“, we will find three files: migration-installer.cmd, migration-installer.jar and migration-installer.sh. For the Windows version of AM, we only need the first two, so we place them in the folder on our Windows RSA server and start the migration-installer.cmd. Please make sure that the migration-installed.jar file has to be in the same folder.

The installation folder is straight forward. We click Next:

exp1

Accept the EULA:

exp2

Select the installation folder:

exp3

And wait for installation to complete:

exp4

Now we start the application and begin the export process:

exp5

We must know the master password to access the database:

exp6

This is where we decide if we want to export for testing and keep the existing AM or we export for production and remove the old AM. We will keep the old AM for now. We can always come back here and export for production:

exp7

We could export the logs if we consider them important. This will make our export file bigger:

exp8

This password is used to protect the exported data while the file is stored on a hard drive:

exp9

Now we begin the export process:

exp10

After a while, the process is completed:

exp11

In the following dialog we can see our next steps:

exp12

Now it’s time to log on to our new primary replica’s Operations Console and select “Deployment Configuration->Migration->From AM 7.1->Import 7.1 Migration Package“:

imp1

Then we select the migration package. We select the generated package and provide a password we used to protect the package:

imp2

Finally, we must confirm that we know what we are doing:

imp3

After a while we should see that the migration process is completed:

imp4

At this point we can start using our new AM 8.0 server the same way we used to with the 7.x version.

One final hint: after importing an AM 7.1 data, user names and passwords previously entered during installation of AM 8.0, such as Operations Administrator Console, are no longer valid and we must use the old credentials.

I hope you will enjoy using this product.

Thanks for reading!

Advertisements
This entry was posted in RSA, Security and tagged , , , . Bookmark the permalink.

47 Responses to It’s time to move to RSA SecurID Authentication Manager 8

  1. mccannjake says:

    I believe the AM version should be 7.1 SP4, not 7.4.
    Other than that – great article!

    “In addition to this, the version of old AM must be the latest, that is 7.4. Further more, we need to have the export utility version aligned to the version of AM we are exporting data from.”

  2. Hello.
    Do know something about any limitations of support RSA AM 8.0 with an Cisco ASA (9.x) and anyconnect? I’m just before an decision about which version of AM should I use 7.x or 8

  3. kuma799 says:

    Could anyone please suggest how we can generate AMConfig.zip from RSA8 console.
    I was able to login to RSA8 console, but did not see the ‘authentication agents’,’Users’ tabs. Please comment.

    • Sasa says:

      The path towards the AM_Config.zip is: Access->Authentication Agents->Generate Config File. From here you click “Generate Config File” and the link will appear for downloading the config file.

      Please note that the RSA AM has three consoles: Security Console, Operations Console and Self-Service Console. The operation of generating the config file is only available through the Security Console. This console can bee accessed via https://rsaserverIP:7004/console-ims.

      Hope this helps.

      • kuma799 says:

        Thanks.
        I am able to access the https://myipaddress:7072/operations-console

        But when I try to access https://myipaddress:7004/console-ims or https://myipaddress:7072/console-ims , or https://myipaddress:7004/console-am/ViewEditTokens.do

        I am not able to get any webpage. It says webpage is not available.

        Please note – I have been able to successfully get the config file,AMConfig.zip from RSA7.1 .
        But this time I tried to install RSA8 on my laptop , using a VMware player and an RSA_Authentication_Appliance.x86_64-8.0.0.1.0.ova file

        I am able to see few tabs in the https://myipaddress:7072/operations-console :-
        Home :-
        – Manage Identity Sources
        – Create System Backup
        – Flush Cache

        Deployment Configuration :
        – Identity Sources
        – Instances
        – Certificates
        – Web-Tier Deplyments
        – Virtual Host & Load Balancing
        – Migration
        – RADIUS Servers

        Maintenance :
        – Back up and restore
        – Flush cache
        – Reboot appliance
        – Update & Rollback

        Administration :
        – Date & time
        – Netwok
        – Log rotation Settings
        – Download Troubleshooting
        – Operating System Access

        Help :
        – All help topics
        – Replication Status Report

        Please suggest, where do I see the below tabs :-
        Identity -> Users
        Authentication -> SecurID Tokens
        Access -> Authentication Agents -> Generate Configuration File

        Appreciate your help . Thanks in advance.

  4. kuma799 says:

    Thanks Sasa , there were some network issues, I was now able to see these tabs in https://myipaddress:7004/console-ims.

    Many thanks .

    • Sasa says:

      Glad it worked 🙂

      • kuma799 says:

        Hello Sasa,

        When we add “authentication agents” , we enter the name of the agent, then we click on “Resolve IP”, and it automatically fills the next box with the IP address.

        But this is not happening in this case. when I click “Resolve IP” , then it simply fills the “IP address” text box with the text “unknown”.

        Could you please suggest how to avoid this issue as well.

        thanks in advance.

      • Sasa says:

        You have to have DNS server entries populated correctly. Depending on your infrastructure and agents you are using, this can be done automaticaly (for example Windows servers as agents and Active Directory DNS servers) or you must do this manualy. For instance, if you want Cisco ASA to use as your agent, you must create an A record, for example asa1.popravak.local and a PTR record, for example 192.168.1.254 on your DNS server(s). Now if you point your RSA server to these DNS servers you should be able to resolve names to addresses properly.

        Hope this helps.

  5. kumar says:

    If we move the RSA appliance to a different vlan and then , how do we change the replica ip on the primary instance please.

  6. kuma799 says:

    Hello Sasa,

    Thanks for help.
    On my windows machine where I have installed RSA8 ( using VM ), the windows/system32/drivers/etc/hosts file has the entry for RSA8 ipaddress –
    1.xxx.xxx.xxx rsa8.servername.com

    But am not sure if I need to do some changes on the RSA8 side as well.

    Please suggest.

  7. kuma799 says:

    Hello Sasa,

    The issue got resolved. Added the DNS ipaddress in the operation console . And mentioned the domain search url as well.

    thanks.

  8. Charu Bashiyan says:

    Hi Sasa,

    Could you please suggest how can we resolve the below error –

    User attempted to authenticate using authenticator “SecirID_Native”.
    The user belongs to securty domain “SystemDomain”.

  9. Steve says:

    Hi Sasa,

    thank you for your manual.
    Can you explain me, where i can download the virtual appliance? I can’t find it in the download-section.

    • Sasa says:

      Actually, I believe that it is not available for download. You have to make a request through your support portal. Perhaps I’m mistaking, it’s been a while 🙂

  10. Anand Thakur says:

    Hello,

    How do i download sdconf.rec after adding a new authentication agent in RSA 8.1??/

    Regards,

    Anand

    • Sasa says:

      You open Security Console and go to Access->Authentication Agents->Generate Configuration File. Then click “Generate Config File”. You will see the file AM_Config.zip which contains sdconf.rec. Finally you click “Dowload Now” to retrieve the file.

  11. Gaurav Sharm says:

    Thanks for such a nice document, its really informative. But once i have setup my primary and replica on 8.1 the monitoring tool stopped responding for replication status, earlier in 7.1 the port used to be 8002 but they have reserve the port for internal communication. DO you know which port i need to setup on my monitoring tool for replication status.

    • Sasa says:

      When attaching a replica instance to a primary, TCP/7002, TCP/1812 and TCP/1813 need to be opened along the way. Although the last two are used by RADIUS, even if we don’t use the RADIUS, those ports still need to be opened.

      • Gaurav Sharm says:

        No you did not got the question i believe. The replication is working fine, now i want to monitor the replication status using monitoring tools. I was running a script which was using 8002 port on 7.1 but now in the new system this port is reserved

  12. Myles says:

    I’m migrating away from RSA and I am moving my token seeds to my new provider. I have 20K hard tokens deployed. Is there any way to export the bindings (user X -> token X) so I can avoid having to manually recreate it on the new platform? Perhaps I can connect to the database directly to export the necessary tables?

    • Sasa says:

      If I’m not mistaking it’s some sort of Oracle database underneath, so I guess this is possible, although I haven’t tried.

  13. rob says:

    RSA server time out of sync and users prompted for next token code or authentication failing, how can i resync all tokens

    • Sasa says:

      Not really sure if you can resync all tokens in a batch job. You can, however, instruct your users to go to customer portal at https://rsa1.yourdomain.com:7004/console-selfservice/. They should be able to log on using their passwords instead of tokens. After logging on, they can use the “Troubleshoot Your Token” wizard to resync their tokens.

      If your users don’t use passwords, perhaps the wizard will start automatically if user authenticate with the token and the token is out of sync, but I’m not sure about this.

  14. Sabitha says:

    Hi,

    After “deploy the virtual appliance” not able to access the “quick setup link” to perform quick setup of the primary appliance. What may be the issue? how to check SHA1 hash of the certificate used for SSL connection between our browser and the appliance?

    please help

    We had setup a test lab for RSA authentiocation manager 8.1 and base OS as linux. We had virtual appliance for RSA Authentication Manager 8.1 instance requires hardware that meets the following requirements:

    • 80 GB.
    • 4 GB of memory.
    • At least one virtual CPU.
    VMware ESXi 5.0 or later

    And we had completed the Deployment steps that is “to deploy virtual appliance”. Quick setup URL and Access code we got. But we cannot able to access the Quick setup URL from our test lab getting error message “Page cannot be displayed”. Please confirm what will be the issue.

    • Sasa says:

      I don’t think the certificate is an issue here. In cases such as this one, I always suggest another browser. Among IE/Firefox/Chrome one should work. In some browsers a some sort of loop occurs from time to time.

  15. Sabitha says:

    Thank for your reply. Tried in different browser but same issue (mozilla, chrome). What may the cause. whether port issue, need to open any port to access quick setup link

  16. Sabitha says:

    HI

    Able to access quick setup link. After the primary quick setup got completed not able to access security console, but able to access operations console and SSH only through IP address but not by fully qualified domain name. tried to resolve the IP from test lab not able to resolve it. please help what may the cause

    • Sasa says:

      It’s a must that SecurID servers are able to resolve and be resolved both ways: a name to an IP and vice versa. Please make sure that you have both A record and PTR record in your DNS server(s) and that your DNS infrastructure is set up correctly. Also make sure hat the time is correct in the network. This is also a must.

  17. Sabitha says:

    thanks for checking. It’s worked able to access security console. DNS issue. Please confirm which IP address we need to add when we deploy the RSA ova file as NTP server IP. whether it default gateway or primary server ip or dns server ip. all the 3 server showing different date and timings. Please confirm

    • Sasa says:

      Well NTP server can be any server, router, L3 switch, … Does not matter as long as the server serves accurate time and is reachable by RSA servers. For example, if your default gateway is L3 switch, you could set that switch as a NTP server and point RSA to it (in this case NTP server IP and default GW IP would be the same). Like I said, it’s at most importance that this switch servers correct time to RSA servers.

  18. ross says:

    Great write up. I am going through the same thing now but for the life of me cant find the migration utility files. Where exactly did you download them from?

    • ross says:

      Found it! rsa-am-extras08.1.0.0.0.zip is the file you want to download from the RSA secure care site. To get to the download: Login to RSA Secure Care (Knowledge.rsasecurity.com) -> My Support -> My Products -> Upgrade (its a link under the column labeled “Version Upgrade”) -> Continue -> Software for Authentication Manager 8.1 (Click submit) -> Download Software -> RSA Authentication Manager Virtual Appliance Version Upgrade -> RSA Authentication Manager Virtual Appliance Version Upgrade V8.1 -> the row labeled “RSA Authentication Manager 8.1 – Extras” will have a download link and MD5 checksum on the right hand side.

      Once you have the file downloaded open the zip file and extract the migration utility. Both 6.1 & 7.1 are in the same file.

      What a pain in the neck to find.

  19. Cahm says:

    Hi,

    We upgraded the RSA AM form 6.1 to 8.1 and been running in Primary and replica. Recently a lot of users having issues with nexttoken request mode? Some users have the issue on daily baisis with hard token. We re-synch and update everything we can but problem still exists with 20 odd users on daily basis. Any idea what could be?

    • Sasa says:

      According to documentation, this could happen if users are assigned more than one token. You may try real time monitor within Security Console in order to pin the issue down.

  20. Cahm says:

    Thanks for the reply, the users who are experiencing this issue have not got more than one token, what I found on the system is that the time is more that 2 min than the NTP (our domain controller) I tried adjusting it by re sync to NTP but still the same. I wonder whether this causing the issue when the user is bit slow to respond and it goes over the allowed time (3min?). is there way we can adjust this and more importantly why it is not suncing the time with NTP? Your help would be much appreciated. I ran a tool with SSH connection to the appliance bulk sunc tool but having trouble obtaing the log file of it)!

  21. Mahmood says:

    i simply want RSA authentication 8.1 for testing can anyone tell me the link?

    • Sasa says:

      I think you have to contact either RSA/EMC directly, or request a demo through your partner. I don’t think it can be downloaded just like that.

  22. misdemeanor says:

    Excellent walkthrough, Sasa – the whole process works like a charm and finally a software-driven migration process that works. Perhaps you should mention that a replica instance is not _require_ (though it makes sense), so you don’t need it when migrating. We just ran it and can say all is fine, after implementing it in the VDI configuration we can log to the environment without any problems or interruption. Thank you!

  23. Nehru says:

    I am looking for RSA -AM -8.1 OVA file –Trail version
    Can i get the location from where can i download it ?

  24. Ahmed Tarek says:

    hi im trying to integrate Authentication manager 8.1 with cisco ASA 8.4 its working fine for the normal OTP but when trying RBA it’s not working, so do u know if there is any limitation in the integration between AM 8.1 and ASA 8.4, as in the documentation they are mentioning only integration with Cisco ASA 9.3

    Thanks,,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s