Not long ago, EMC released a brand new version of Authentication Manager (AM). There is a major shift in this release: it is now a virtual appliance based on SLES 11, and it can be deployed in our vSphere infrastructure.
Besides this, we now have something called a “Web Tier”. It is placed in the DMZ and is used for accessing the AM from the Internet, hence providing an additional layer of security for our AM infrastructure. Through it, AM offers a new way of authentication called RBA (“Risk-Based Authentication”).
Hardware and software tokens, seed records, authentication agents, realms, … It’s all more or less the same.
To migrate our 7.x AM to 8.0, follow these steps:
- Download the installation and license files
- Deploy and set up the primary appliance
- Deploy and set up the replica appliance
- Migrate our 7.x or 6.x data
Before we move on, here are some system requirements that need to be met:
- The hypervisor must be ESXi 4.1 or above
- The virtual appliance needs 8 GB vRAM, 2 vCPUs and a 100 GB thick-provisioned vHDD
1. Download the installation and license files
For starters, we need to download the virtual appliance and the license files from the RSA/EMC site. We can use an evaluation license or have our present license converted to the new format. For this we need a valid SCOL account.
2. Deploying and setting up the primary appliance
Same as with the previous version, we can have one primary instance and up to fifteen replicas. I believe those are the correct numbers. To begin our deployment, we start the “Deploy OVF Template” wizard:
And then locate the OVA file:
After reviewing the EULA, we select the location where the deployed template will run. We can specify a cluster and a host within that cluster:
Now we specify a datastore to hold the virtual machine. Keep in mind that the appliance has two disks, one of 4 GB and one of 100 GB. Both are thick provisioned, so we need to make sure there is enough free space on the datastore:
This appliance uses only one virtual network adapter. We choose the appropriate port group for our deployment:
Next, we need to specify standard IP parameters: IP address and mask, default gateway and DNS servers:
After making sure all settings are OK, we can finish the wizard and power on the virtual machine.
In the “Recent Tasks” pane we can watch the deployment progress.
Now, in the console window, we can watch the setup progress:
Please note the hash value in the white square. This value is the SHA1 hash of the certificate used for the SSL connection between our browser and the appliance. The hash is presented to us in a so-called out-of-band way: the first time we connect to the appliance with our browser, we should compare the certificate hash shown by the browser with the one presented in the console, so we know we are talking to our appliance and not to something sitting in between:
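To make that comparison repeatable, here is an added Python example (not code from the original post or from RSA) that fetches the certificate an appliance presents, computes its SHA1 fingerprint and compares it with the value copied from the console. The appliance name, the port 7004 (the Security Console port mentioned in the comments) and the console value under `__main__` are placeholders; the fingerprint and comparison functions themselves run offline.

```python
"""Out-of-band check of an appliance's TLS certificate fingerprint.

Added example, not part of the original post or of RSA's software. The
appliance name, port and console value under __main__ are placeholders.
"""
import hashlib
import re
import socket
import ssl


def fingerprint_sha1(der: bytes) -> str:
    """SHA1 fingerprint of a DER-encoded certificate, formatted as
    colon-separated upper-case hex pairs, the way browsers display it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(value: str) -> str:
    """Drop colons, spaces and case so a value typed from the console or
    copied from a browser dialog compares reliably."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def matches_console_hash(der: bytes, console_hash: str) -> bool:
    """True only if the presented certificate hashes to the out-of-band value.

    A truncated console value is rejected rather than partially matched, so a
    half-copied hash cannot produce a false 'match'."""
    expected = normalize(console_hash)
    if len(expected) != 40:  # SHA1 is 20 bytes = 40 hex digits
        raise ValueError("console hash is not a complete SHA1 value")
    return normalize(fingerprint_sha1(der)) == expected


def fetch_der_certificate(host: str, port: int = 7004, timeout: float = 5.0) -> bytes:
    """Retrieve the leaf certificate the appliance presents.

    Chain verification is switched off on purpose: on first contact the
    appliance's self-signed certificate is not trusted by anything yet, and
    the console hash is what vouches for it. Nothing is sent after the
    handshake, so no credentials reach an impostor if the hash turns out wrong."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Placeholders (assumed): the appliance address and the hash read from its console.
    appliance = "rsa-primary.example.local"
    console_value = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
    presented = fetch_der_certificate(appliance)
    print("presented:", fingerprint_sha1(presented))
    if matches_console_hash(presented, console_value):
        print("fingerprint matches the console value; safe to log in")
    else:
        print("MISMATCH: do not enter credentials, check the path to the appliance first")
```

Run it once against the freshly powered-on appliance before typing any password into the browser; after the first successful match, the browser's own certificate exception (or a certificate issued by your PKI) takes over.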
Because this is our primary instance, we select “Start Primary Quick Setup“:
Then simply click “Start Step 1“:
Now we select the ZIP file containing our license and click Upload:
Because it is critical that the time on the appliances is synchronized with the token time, we must synchronize time in some way. We have the option to sync with the ESXi host or to use time servers:
The rsaadmin account is used to access the operating system itself, in this case SLES 11 SP1. Please remember this password:
The “Security Console Super Admin” and “Operations Console (OC) Administrator” have the same roles as in the previous version of AM. Also, don’t forget these passwords:
Before starting the deployment, we can quickly review our settings and click “Start Configuration”:
This is our progress window:
And this is what we would like to see:
At this point we have our primary instance deployed.
3. Deploying and setting up the replica appliance
We start deploying our replica instance by generating a replica package. We select “Deployment Configuration->Instances->Generate Replica Package”:
And we save this package somewhere handy:
Now we deploy the replica appliance using the same steps as for the primary appliance. When we log in to the replica appliance for the first time, we click “Start Replica Quick Setup”:
Click “Start Step 1”:
Make sure the time is correct:
And type in the operating system password:
Review the configuration and start deployment:
And after a while this is what we want to see. Now, by clicking “Begin Attach”, we start the process of joining this replica instance to the primary:
We choose the replica package file:
Then provide the “Operations Console Administrator Credentials” password:
And the attachment begins:
And after the replication is performed, a success window opens:
Finally, from the “Replication Status Report” we can see whether the attachment and replication were successful:
4. Migrating our 7.x or 6.x data
This final step can be broken into three sub-steps:
- Installing the export utility on our existing AM instance
- Exporting our data
- Importing the data into the new AM system
First, let me say that this post is about migrating AM version 7.x to AM 8.0. Perhaps the steps for migrating from AM 6.x are the same, but I did not actually perform them.
In addition to this, the version of the old AM must be the latest, that is 7.4. Furthermore, we need to have the export utility version aligned with the version of AM we are exporting data from.
Finally, there are many paths from 7.x to 8.0, but I will deal with only one here. For example, we could retain AM 7.x alongside 8.0; in this case we must generate a new “sdconf.rec” file and reconfigure our agents. Or we could take over the AM 7.x identity and remove the old server from the network; in this case the new AM takes its place and we don’t need to reconfigure our agents. Please refer to the documentation for the specific migration option.
The ZIP file we downloaded from the site contains the migration utility, which we install on the existing 7.x primary instance.
In the folder “RSA Authentication Manager 7.1 Migration Export Utility”, we will find three files: migration-installer.cmd, migration-installer.jar and migration-installer.sh. For the Windows version of AM, we only need the first two, so we place them in a folder on our Windows RSA server and start migration-installer.cmd. Make sure that migration-installer.jar is in the same folder.
The installation is straightforward. We click Next:
Accept the EULA:
Select the installation folder:
And wait for installation to complete:
Now we start the application and begin the export process:
We must know the master password to access the database:
This is where we decide whether we want to export for testing and keep the existing AM, or export for production and remove the old AM. We will keep the old AM for now; we can always come back here and export for production:
We can export the logs if we consider them important; this will make our export file bigger:
This password is used to protect the exported data while the file is stored on a hard drive:
Now we begin the export process:
After a while, the process is completed:
In the following dialog we can see our next steps:
Now it’s time to log on to our new primary instance’s Operations Console and select “Deployment Configuration->Migration->From AM 7.1->Import 7.1 Migration Package”:
Then we select the generated migration package and provide the password we used to protect it:
Finally, we must confirm that we know what we are doing:
After a while we should see that the migration process is completed:
At this point we can start using our new AM 8.0 server the same way we used to with the 7.x version.
One final hint: after importing the AM 7.1 data, the user names and passwords entered during the installation of AM 8.0, such as the Operations Console Administrator, are no longer valid and we must use the old credentials.
I hope you will enjoy using this product.
Thanks for reading!
I believe the AM version should be 7.1 SP4, not 7.4.
Other than that – great article!
“In addition to this, the version of old AM must be the latest, that is 7.4. Further more, we need to have the export utility version aligned to the version of AM we are exporting data from.”
Yes, you’re right. I meant 7.1 SP4.
Thank you.
Hello.
Do you know anything about limitations of support for RSA AM 8.0 with a Cisco ASA (9.x) and AnyConnect? I’m just before a decision about which version of AM I should use, 7.x or 8.
Well, no 😦
I’m still on 8.4 ASA code and AnyConnect 3.x. No issues so far. You can always try a phased migration from AM 7.x to 8.x and see what you are going to run into.
Thx for the answer
br.
Could anyone please suggest how we can generate AMConfig.zip from the RSA 8 console?
I was able to log in to the RSA 8 console, but did not see the ‘Authentication Agents’ or ‘Users’ tabs. Please comment.
The path to the AM_Config.zip is: Access->Authentication Agents->Generate Config File. From here you click “Generate Config File” and a link will appear for downloading the config file.
Please note that the RSA AM has three consoles: Security Console, Operations Console and Self-Service Console. Generating the config file is only available through the Security Console. This console can be accessed via https://rsaserverIP:7004/console-ims.
Hope this helps.
Thanks.
I am able to access the https://myipaddress:7072/operations-console
But when I try to access https://myipaddress:7004/console-ims or https://myipaddress:7072/console-ims, or https://myipaddress:7004/console-am/ViewEditTokens.do,
I am not able to get any web page. It says the web page is not available.
Please note: I have been able to successfully get the config file, AMConfig.zip, from RSA 7.1.
But this time I tried to install RSA 8 on my laptop, using VMware Player and the RSA_Authentication_Appliance.x86_64-8.0.0.1.0.ova file.
I am able to see a few tabs in https://myipaddress:7072/operations-console:
Home:
– Manage Identity Sources
– Create System Backup
– Flush Cache
Deployment Configuration:
– Identity Sources
– Instances
– Certificates
– Web-Tier Deployments
– Virtual Host & Load Balancing
– Migration
– RADIUS Servers
Maintenance:
– Back up and restore
– Flush cache
– Reboot appliance
– Update & Rollback
Administration:
– Date & time
– Network
– Log rotation Settings
– Download Troubleshooting
– Operating System Access
Help:
– All help topics
– Replication Status Report
Please suggest where I can see the below tabs:
Identity -> Users
Authentication -> SecurID Tokens
Access -> Authentication Agents -> Generate Configuration File
Appreciate your help. Thanks in advance.
Thanks Sasa, there were some network issues; I was now able to see these tabs in https://myipaddress:7004/console-ims.
Many thanks .
Glad it worked 🙂
Hello Sasa,
When we add “authentication agents”, we enter the name of the agent, then we click on “Resolve IP”, and it automatically fills the next box with the IP address.
But this is not happening in this case. When I click “Resolve IP”, it simply fills the “IP address” text box with the text “unknown”.
Could you please suggest how to avoid this issue as well?
thanks in advance.
You have to have DNS server entries populated correctly. Depending on your infrastructure and the agents you are using, this can be done automatically (for example Windows servers as agents and Active Directory DNS servers) or you must do this manually. For instance, if you want to use a Cisco ASA as your agent, you must create an A record, for example asa1.popravak.local, and a PTR record, for example 192.168.1.254, on your DNS server(s). Now if you point your RSA server to these DNS servers you should be able to resolve names to addresses properly.
Hope this helps.
If we move the RSA appliance to a different VLAN, how do we change the replica IP on the primary instance, please?
Hello Sasa,
Thanks for help.
On my Windows machine where I have installed RSA 8 (using a VM), the windows/system32/drivers/etc/hosts file has the entry for the RSA 8 IP address:
1.xxx.xxx.xxx rsa8.servername.com
But I am not sure if I need to make some changes on the RSA 8 side as well.
Please suggest.
Hello Sasa,
The issue got resolved. I added the DNS IP address in the Operations Console, and mentioned the domain search URL as well.
thanks.
Hi Sasa,
Could you please suggest how we can resolve the below error:
User attempted to authenticate using authenticator “SecirID_Native”.
The user belongs to securty domain “SystemDomain”.
Hi Sasa,
thank you for your manual.
Can you explain to me where I can download the virtual appliance? I can’t find it in the download section.
Actually, I believe that it is not available for download. You have to make a request through your support portal. Perhaps I’m mistaken, it’s been a while 🙂
Hello,
How do I download sdconf.rec after adding a new authentication agent in RSA 8.1?
Regards,
Anand
You open the Security Console and go to Access->Authentication Agents->Generate Configuration File. Then click “Generate Config File”. You will see the file AM_Config.zip, which contains sdconf.rec. Finally you click “Download Now” to retrieve the file.
Thanks a lot Sasa!!!
This worked.
Regards,
Anand
Thanks for such a nice document, it’s really informative. But once I had set up my primary and replica on 8.1, the monitoring tool stopped responding for replication status; earlier in 7.1 the port used to be 8002, but they have reserved the port for internal communication. Do you know which port I need to set up on my monitoring tool for replication status?
When attaching a replica instance to a primary, TCP/7002, TCP/1812 and TCP/1813 need to be opened along the way. Although the last two are used by RADIUS, even if we don’t use RADIUS, those ports still need to be opened.
No, you did not get the question, I believe. The replication is working fine; now I want to monitor the replication status using monitoring tools. I was running a script which was using port 8002 on 7.1, but now in the new system this port is reserved.
I’m migrating away from RSA and I am moving my token seeds to my new provider. I have 20K hard tokens deployed. Is there any way to export the bindings (user X -> token X) so I can avoid having to manually recreate it on the new platform? Perhaps I can connect to the database directly to export the necessary tables?
If I’m not mistaken, it’s some sort of Oracle database underneath, so I guess this is possible, although I haven’t tried.
RSA server time out of sync and users prompted for next tokencode or authentication failing; how can I resync all tokens?
Not really sure if you can resync all tokens in a batch job. You can, however, instruct your users to go to the customer portal at https://rsa1.yourdomain.com:7004/console-selfservice/. They should be able to log on using their passwords instead of tokens. After logging on, they can use the “Troubleshoot Your Token” wizard to resync their tokens.
If your users don’t use passwords, perhaps the wizard will start automatically if a user authenticates with the token and the token is out of sync, but I’m not sure about this.
Hi,
After “deploy the virtual appliance”, I am not able to access the “quick setup link” to perform the quick setup of the primary appliance. What may be the issue? How do I check the SHA1 hash of the certificate used for the SSL connection between our browser and the appliance?
please help
We had set up a test lab for RSA Authentication Manager 8.1 with Linux as the base OS. Our virtual appliance for the RSA Authentication Manager 8.1 instance requires hardware that meets the following requirements:
• 80 GB.
• 4 GB of memory.
• At least one virtual CPU.
• VMware ESXi 5.0 or later
And we had completed the deployment steps, that is “to deploy virtual appliance”. We got the Quick Setup URL and access code, but we cannot access the Quick Setup URL from our test lab; we get the error message “Page cannot be displayed”. Please confirm what the issue may be.
I don’t think the certificate is an issue here. In cases such as this one, I always suggest another browser. Among IE/Firefox/Chrome one should work. In some browsers some sort of loop occurs from time to time.
Thanks for your reply. Tried in different browsers but same issue (Mozilla, Chrome). What may be the cause? Is it a port issue; do I need to open any port to access the quick setup link?
HI
Able to access the quick setup link. After the primary quick setup completed, I am not able to access the Security Console, but I am able to access the Operations Console and SSH only through the IP address, not by the fully qualified domain name. Tried to resolve the IP from the test lab, not able to resolve it. Please help, what may be the cause?
It’s a must that SecurID servers are able to resolve and be resolved both ways: a name to an IP and vice versa. Please make sure that you have both an A record and a PTR record in your DNS server(s) and that your DNS infrastructure is set up correctly. Also make sure that the time is correct in the network. This is also a must.
Thanks for checking. It worked, able to access the Security Console. DNS issue. Please confirm which IP address we need to add as the NTP server IP when we deploy the RSA OVA file: the default gateway, the primary server IP or the DNS server IP? All 3 servers are showing different dates and times. Please confirm.
Well, the NTP server can be any server, router, L3 switch, … It does not matter, as long as the server serves accurate time and is reachable by the RSA servers. For example, if your default gateway is an L3 switch, you could set that switch as an NTP server and point RSA to it (in this case the NTP server IP and default GW IP would be the same). Like I said, it’s of utmost importance that this switch serves correct time to the RSA servers.
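The DNS advice here and earlier (an A record and a matching PTR record for every SecurID server) and the port list given for attaching a replica (TCP/7002, TCP/1812 and TCP/1813) can be turned into one pre-flight check. The following is an added Python example, not code from the original post or from RSA. The resolver and connect functions are injectable, so the constructed sample data at the bottom runs offline; with the defaults the same functions use the system resolver and real TCP connections. The host names and addresses in the sample data are constructed.

```python
"""Pre-flight check for an Authentication Manager instance: the host name must
resolve to an address (A record), that address must resolve back to the same
name (PTR record), and the ports used when attaching a replica must be
reachable on the primary.

Added example, not part of the original post or of RSA's software. The port
list comes from the post; the sample DNS data and host names are constructed.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Ports the post says must be open between primary and replica.
REPLICA_ATTACH_PORTS = (7002, 1812, 1813)

ResolverResult = Tuple[str, List[str], List[str]]  # (name, aliases, addresses)


def check_dns_round_trip(
    hostname: str,
    forward: Callable[[str], ResolverResult] = socket.gethostbyname_ex,
    reverse: Callable[[str], ResolverResult] = socket.gethostbyaddr,
) -> List[str]:
    """Return a list of findings; an empty list means forward and reverse DNS agree."""
    wanted = hostname.lower().rstrip(".")
    try:
        _, _, addresses = forward(hostname)
    except OSError as exc:  # socket.gaierror / socket.herror are OSError subclasses
        return [f"no A record for {hostname}: {exc}"]
    if not addresses:
        return [f"no A record for {hostname}"]
    findings = []
    for ip in addresses:
        try:
            name, aliases, _ = reverse(ip)
        except OSError:
            findings.append(f"no PTR record for {ip}")
            continue
        names = {n.lower().rstrip(".") for n in [name, *aliases]}
        if wanted not in names:
            findings.append(f"PTR for {ip} points to {name}, not {hostname}")
    return findings


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        return True


def check_ports(host: str, ports=REPLICA_ATTACH_PORTS, connect=tcp_connect,
                timeout: float = 3.0) -> Dict[int, bool]:
    """Map each port to True if a TCP connection could be opened from here."""
    results = {}
    for port in ports:
        try:
            results[port] = bool(connect(host, port, timeout))
        except OSError:
            results[port] = False
    return results


# Constructed sample data standing in for a lab DNS server and firewall.
SAMPLE_FORWARD = {
    "rsa-primary.lab.local": ("rsa-primary.lab.local", [], ["192.0.2.10"]),
    "rsa-replica.lab.local": ("rsa-replica.lab.local", [], ["192.0.2.20"]),
}
SAMPLE_REVERSE = {
    "192.0.2.10": ("rsa-primary.lab.local", [], ["192.0.2.10"]),
    "192.0.2.20": ("other-box.lab.local", [], ["192.0.2.20"]),  # stale PTR
}
SAMPLE_OPEN_PORTS = {("192.0.2.10", 7002), ("192.0.2.10", 1812)}  # 1813 blocked


def sample_forward(name: str) -> ResolverResult:
    if name not in SAMPLE_FORWARD:
        raise socket.gaierror(f"constructed: no A record for {name}")
    return SAMPLE_FORWARD[name]


def sample_reverse(ip: str) -> ResolverResult:
    if ip not in SAMPLE_REVERSE:
        raise socket.herror(f"constructed: no PTR record for {ip}")
    return SAMPLE_REVERSE[ip]


def sample_connect(host: str, port: int, timeout: float) -> bool:
    if (host, port) not in SAMPLE_OPEN_PORTS:
        raise ConnectionRefusedError(f"constructed: {host}:{port} closed")
    return True


if __name__ == "__main__":
    for host in ("rsa-primary.lab.local", "rsa-replica.lab.local", "missing.lab.local"):
        print(host, check_dns_round_trip(host, sample_forward, sample_reverse) or "OK")
    print(check_ports("192.0.2.10", connect=sample_connect))
```

Run the DNS check from the replica for the primary's name and from the primary for the replica's name, since each side resolves the other; a stale PTR record (as in the constructed replica entry) is exactly the kind of thing that passes a casual `ping` yet breaks the attach.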
Great write up. I am going through the same thing now but for the life of me cant find the migration utility files. Where exactly did you download them from?
Found it! rsa-am-extras08.1.0.0.0.zip is the file you want to download from the RSA Secure Care site. To get to the download: Login to RSA Secure Care (Knowledge.rsasecurity.com) -> My Support -> My Products -> Upgrade (it’s a link under the column labeled “Version Upgrade”) -> Continue -> Software for Authentication Manager 8.1 (Click submit) -> Download Software -> RSA Authentication Manager Virtual Appliance Version Upgrade -> RSA Authentication Manager Virtual Appliance Version Upgrade V8.1 -> the row labeled “RSA Authentication Manager 8.1 – Extras” will have a download link and MD5 checksum on the right-hand side.
Once you have the file downloaded open the zip file and extract the migration utility. Both 6.1 & 7.1 are in the same file.
What a pain in the neck to find.
Hi,
We upgraded the RSA AM from 6.1 to 8.1 and have been running a primary and a replica. Recently a lot of users are having issues with next tokencode request mode. Some users have the issue on a daily basis with hard tokens. We re-sync and update everything we can, but the problem still exists with 20 odd users on a daily basis. Any idea what it could be?
According to documentation, this could happen if users are assigned more than one token. You may try real time monitor within Security Console in order to pin the issue down.
Thanks for the reply. The users who are experiencing this issue do not have more than one token. What I found on the system is that the time is more than 2 min off from the NTP (our domain controller). I tried adjusting it by re-syncing to NTP, but still the same. I wonder whether this is causing the issue when the user is a bit slow to respond and it goes over the allowed time (3 min?). Is there a way we can adjust this and, more importantly, why is it not syncing the time with NTP? Your help would be much appreciated. (I ran a bulk sync tool over an SSH connection to the appliance, but I am having trouble obtaining its log file!)
I simply want RSA Authentication Manager 8.1 for testing; can anyone tell me the link?
I think you have to contact either RSA/EMC directly, or request a demo through your partner. I don’t think it can be downloaded just like that.
Excellent walkthrough, Sasa; the whole process works like a charm, and finally a software-driven migration process that works. Perhaps you should mention that a replica instance is not _required_ (though it makes sense), so you don’t need it when migrating. We just ran it and can say all is fine; after implementing it in the VDI configuration we can log in to the environment without any problems or interruption. Thank you!
Thank you for your input and sorry for approval delay. I’m very busy these days.
I am looking for the RSA AM 8.1 OVA file, trial version.
Can I get the location from where I can download it?
I think you have to go through your EMC partner.
Hi, I’m trying to integrate Authentication Manager 8.1 with Cisco ASA 8.4. It’s working fine for normal OTP, but when trying RBA it’s not working. So do you know if there is any limitation in the integration between AM 8.1 and ASA 8.4? In the documentation they mention only integration with Cisco ASA 9.3.
Thanks,