Skip navigation
All Places > Products > RSA SecurID Access > RSA SecurID Access Prime > Blog

Each Authentication Manager token type has a unique numeric designation. Following is the list of those in use today (some archaic references exist in the lexicon but are not longer relevant)


4=SOFTWARE (can be distributed to a variety of platforms)
12=Mobile Auth Token


SID700s are standard hardware tokens.

SID800s are USB enabled SmartCard hardware tokens


The Mobile Auth tokens, aka. remote tokens, allow Mobile Authenticate tokencodes to be used with AM agents.

Welcome to the new RSA Link Community for RSA SecurID Access Prime (formerly known as AM Prime)!!!


We will use this space to keep customers of our RSA SecurID Access Prime offering from RSA Professional Services better informed, providing insight to MFA solutions built with Prime, implementation & troubleshooting tips, the latest available Prime software updates, and previews of what is to come.


But more than that, we want this space to serve as a valuable resource for exchanging information and innovative ideas on how to optimize the power of the RSA SecurID Access product platform and its ever expanding multi-factor authentication options and rapidly evolving contextual, risk-based authentication capabilities to solve business challenges.


Over the years, RSA Professional Services has provided some of RSA's largest SecurID customers with advanced solutions enabling them to address their needs with quicker Time-to-Value (TTV) and to reduce Total Cost of Ownership (TCO) through automation and operational efficiencies.  Working in collaboration with the RSA SecurID Access product team we've now incorporated Prime tools and functionalities to span across the RSA Cloud Authentication Service and mobile MFA as well as Authentication Manager and traditional SecurID tokens.


We hope that you find this RSA SecurID Access Prime space helpful and welcome any inputs or suggestions!

There are 3 main drivers to consider when contemplating an update of RSA SecurID Access Prime software in your environment:


  1. Compatibility:
    Does your Prime software need to be updated for compatibility with the RSA-supported version of RSA Authentication Manager and/or RSA Cloud Authentication Service that you are upgrading to? Is your Prime version compatible with your underlying system infrastructure (e.g., Java, Tomcat, OS, etc.)?

  2. Security:
    Is there a critical Prime software security fix that needs to be applied? Is there a required security improvement/fix in an underlying system (e.g., Java, Tomcat, OS) that needs to be accounted for? 

  3. Feature/Functionality:
    Is there a new Prime software feature or functionality that you require that is included in a more recent Prime software release? Is your Prime deployment based on the PrimeKit installation methodology from RSA Professional Services?

If none of the drivers above are in play, then it is recommended to apply a "if it ain't broke, don't fix it" philosophy. Continue to review on a periodic basis for any upcoming events that might trigger one or more of the drivers above, such as AM upgrades, underlying platform refreshes, or RSA solution expansion.


Below are specific guidelines around Prime compatibility and requirements for updates:

  1. From AM 8.x to 8.2 there were underlying changes to the AM CT-KIP provisioning implementation. If you are upgrading AM from a version prior to AM 8.2 or later, then you must ensure that you are running a Prime build from June 2017 or later. If not, you will need to include a Prime update as part of your overall AM environment upgrade plan.  

  2. From AM 8.2 onward Authentication Manager supports a strict TLS mode that only uses TLS 1.2 for communication within your Authentication Manager deployment. Underlying Java and Tomcat must support TLS 1.2. If you are upgrading AM from a version prior to AM 8.2 or later, then you must ensure that you are running a Prime build from June 2017 or later. If not, you will need to include a Prime update as part of your overall AM environment upgrade plan.

  3. If you are moving to AM 8.4 to better leverage integration with the RSA Cloud Authentication Service then you should be running a Prime build from January 2019 or later to maximize Prime integration with the Cloud Authentication Service APIs and features for supporting RSA SecurID Authenticate.

  4. If you are running a Prime build that is older than June 2017, you should strongly consider an environment refresh that redeploys Prime components based on the PrimeKit installation methodology.

In all cases, it is advised that you engage with RSA Professional Services to ensure that you are optimizing your Prime deployment and properly planning your Prime software update.


Note that you must have an active RSA support agreement for Prime in order to be eligible for Prime software updates.

The overall RSA SecurID Access Prime solution architecture topology, across all Prime components and running against RSA Authentication Manager, is illustrated in the diagram below:


Under this Prime architecture configuration:

  • Multiple, load balanced Prime Services servers co-host the AMIS, SSP, and HDAP components.
    • The Internal Self-Service Portal instances are accessible only to end-users on the enterprise's internal network.
    • The Help Desk Admin Portal is accessed by help desk personnel and token administrators (who also may have RSA AM Security Console access).
    • The AMIS component provides REST web services that the Prime portals leverage to interface with the Authentication Manager servers.  AMIS also provides ancillary services such as workflow, e-mail invitation and user notification services.
      (Although not depicted above, the AMIS REST web services can be also be used by the enterprise to integrate its own in-house applications and systems with the RSA AM platform.)
  • A set of multiple, load-balanced External Self-Service servers co-host externally accessible instances of Prime Self-Service as well as RSA AM Web-Tiers.
    • The External Self-Service Portal instances can be configured with different authentication methods and to serve a more constrained set of self-service functions, based on the enterprise's security practices.
    • The Web-Tier component is utilized strictly to support proxying of CT-KIP communications for secure, dynamic soft token provisioning.


As of January 2019, Prime also provides for integration with the RSA Cloud Authentication Service and management of RSA SecurID Authenticate mobile devices.  This expanded RSA SecurID Access solution footprint and additional technical details are captured in the following diagram:

Why Does RSA SecurID Access Prime (formerly AM Prime) Exist?

In today’s consumer-experience driven IT world, the flexibility and extensibility to meet unique, new, and emerging use cases, as well as to provide for tailored end-user experience, are critical.


The RSA Professional Services Prime offering is designed to complement and augment RSA’s SecurID Access product platform, providing customers with an extensible framework to adopt, adapt, and extend usage and administration of RSA multifactor authentication (MFA) and to accelerate customer Time-to-Value (TTV) with RSA Identity solution deployments.


What is RSA SecurID Access Prime?

Prime is an RSA Professional Services software package add-on that provides RSA SecurID Access customers with a framework and tools to achieve additional levels of efficiency, extensibility, and flexibility with their RSA SecurID Access 2FA/MFA deployments.  Ultimately, Prime enables large-scale customers to realize a higher Return on Investment (ROI) through a tailored-fit RSA SecurID Access solution and a lower Total Cost of Ownership (TCO) by way of operational savings. 


The highly adaptable but common framework that Prime delivers ensures RSA supportability without sacrificing the ability to provide customer unique solutions for authenticator lifecycle management (e.g., joiner/mover/leaver use cases), 3rd party system integrations, and RSA authentication application development.


The current Prime package encompasses the components outlined in the table below:


Prime ComponentDescriptionKey Differentiators
Prime Authentication Integration Services (AMIS)

RSA PS software kit that facilitates & simplifies integration with RSA SecurID Access platform (both AM & Cloud).

  • Web services integration layer for administration and authentication integrations
  • Supporting services and utilities (invitation system, workflow engine, email notification system
  • Set of simple, stateless REST web service calls to support all RSA authentication methods -- with abstraction from underlying RSA product versions
  • Fat client and web solutions can integrate authentication without needing to maintain individual agent records, sdconf.rec details, etc.
  • Supports central, load balanced, redundant auth hub architectures
  • Supports integration with other authentication systems, i.e. external challenge question providers
Prime Self-Service web portal framework (SSP)

Highly-configurable end-user web portal supporting self-service functionality across all RSA authenticator types, including Cloud MFA:

  • Authenticate Enrollment
  • Request SecurID token
  • Replace SecurID token
  • Change/Set SecurID PIN
  • Resync SecurID token
  • Clear Security Questions
  • Test Authenticator
  • Report Lost Authenticator
  • Reset AD Password
  • All RSA authentication options available for self-service portal access
  • Branding and tailoring of communications (HTML emails and web pages)
  • Enhanced security controls including: step-up auth challenges, white-lists, group controls, end user notifications, etc.
  • Bulk on-boarding with invitation
  • Deployment flexibility
  • Readily customizable by RSA PS for additional features/functionality
Prime Help Desk web portal framework (HDAP)

Provides web interface for front line help desk personnel, particularly for customers that may have hundreds of globally distributed help desk staff.  Streamlined UI for SecurID token user look up and troubleshooting.


Often used in combination with Prime Self-Service.

  • Do not need to extend AM Security Console access to broad help desk staff
  • Operates on single-user (e.g., no bulk operations)
  • Branding and tailoring of web pages, including language and localization
  • Deployment options (multi-tenant)
  • Initiate end-to-end user enrollment process with HDAP triggered invitation
  • Identity Verification via Help Desk initiated MFA or SMS challenge


Note that, on the surface and from a very high-level, there appear to be many overlaps in functionality with RSA SecurID Access product components.  The “differentiators” column highlights specific key differences.  RSA SecurID Access Prime is only for those customers that have requirements that drive into one or more of these areas of differentiation.


For overview diagrams of the RSA SecurID Access Prime solution, refer to Prime 101: Prime in Pictures.


Who is RSA SecurID Access Prime Intended For?

RSA SecurID Access Prime is particularly geared towards customers with large-scale or otherwise customer-specific 2FA/MFA solution requirements.  As with RSA SecurID Access itself, Prime applicability cuts across all vertical segments but is especially relevant for Financial Services, Health Care, and Technology Services sectors.


How is RSA SecurID Access Prime Delivered?

RSA SecurID Access Prime is delivered as an RSA Professional Services offering which has 3 elements:

  1. The Prime software package itself
  2. Annual support and maintenance on the Prime software package
  3. RSA Professional Services to assist with customer-specific Prime solution design, installation and configuration


How Can I Learn More?

Follow the RSA Link Prime Community page to stay informed on RSA SecurID Access Prime and solutions enabled by RSA SecurID Access.


If you would like more details on purchasing RSA SecurID Access Prime from RSA Professional Services, please contact your RSA sales representative.