
Welcome to the new RSA Link Community for RSA SecurID Access Prime (formerly known as AM Prime)!!!


We will use this space to keep customers of our RSA SecurID Access Prime offering from RSA Professional Services better informed, providing insight into MFA solutions built with Prime, implementation & troubleshooting tips, the latest available Prime software updates, and previews of what is to come.


But more than that, we want this space to serve as a valuable resource for exchanging information and innovative ideas on how to optimize the power of the RSA SecurID Access product platform, with its ever-expanding multi-factor authentication options and rapidly evolving contextual, risk-based authentication capabilities, to solve business challenges.


Over the years, RSA Professional Services has provided some of RSA's largest SecurID customers with advanced solutions enabling them to address their needs with quicker Time-to-Value (TTV) and to reduce Total Cost of Ownership (TCO) through automation and operational efficiencies. Working in collaboration with the RSA SecurID Access product team, we've now incorporated Prime tools and functionalities to span across the RSA Cloud Authentication Service and mobile MFA as well as Authentication Manager and traditional SecurID tokens.


We hope that you find this RSA SecurID Access Prime space helpful and welcome any input or suggestions!

There are 3 main drivers to consider when contemplating an update of RSA SecurID Access Prime software in your environment:


  1. Compatibility:
    Does your Prime software need to be updated for compatibility with the RSA-supported version of RSA Authentication Manager and/or RSA Cloud Authentication Service that you are upgrading to? Is your Prime version compatible with your underlying system infrastructure (e.g., Java, Tomcat, OS, etc.)?

  2. Security:
    Is there a critical Prime software security fix that needs to be applied? Is there a required security improvement/fix in an underlying system (e.g., Java, Tomcat, OS) that needs to be accounted for? 

  3. Feature/Functionality:
    Is there a new Prime software feature or functionality that you require that is included in a more recent Prime software release? Is your Prime deployment based on the PrimeKit installation methodology from RSA Professional Services?

If none of the drivers above are in play, then it is recommended to apply an "if it ain't broke, don't fix it" philosophy. Continue to review on a periodic basis for any upcoming events that might trigger one or more of the drivers above, such as AM upgrades, underlying platform refreshes, or RSA solution expansion.


Below are specific guidelines around Prime compatibility and requirements for updates:

  1. From AM 8.x to 8.2 there were underlying changes to the AM CT-KIP provisioning implementation. If you are upgrading AM from a version prior to AM 8.2 to AM 8.2 or later, then you must ensure that you are running a Prime build from June 2017 or later. If not, you will need to include a Prime update as part of your overall AM environment upgrade plan.

  2. From AM 8.2 onward, Authentication Manager supports a strict TLS mode that only uses TLS 1.2 for communication within your Authentication Manager deployment. Underlying Java and Tomcat must support TLS 1.2. If you are upgrading AM from a version prior to AM 8.2 to AM 8.2 or later, then you must ensure that you are running a Prime build from June 2017 or later. If not, you will need to include a Prime update as part of your overall AM environment upgrade plan.

  3. If you are moving to AM 8.4 to better leverage integration with the RSA Cloud Authentication Service then you should be running a Prime build from January 2019 or later to maximize Prime integration with the Cloud Authentication Service APIs and features for supporting RSA SecurID Authenticate.

  4. If you are running a Prime build that is older than June 2017, you should strongly consider an environment refresh that redeploys Prime components based on the PrimeKit installation methodology.
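
For the TLS 1.2 requirement in item 2, the check below reports whether the JVM that hosts Prime's Tomcat supports TLS 1.2 and enables it by default. It is an added example, not RSA or Prime code; the class name `Tls12Check` and the optional host and port arguments are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added example: Tls12Check is a hypothetical helper, not part of Prime or AM.
// Run it with the same JVM that Tomcat uses for the Prime components.
public class Tls12Check {
    static final String REQUIRED = "TLSv1.2";

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "Supported" = the JVM can speak it; "default" = enabled without extra settings.
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());

        System.out.println("Java version      : " + System.getProperty("java.version"));
        System.out.println("Supported         : " + supported);
        System.out.println("Enabled by default: " + enabled);

        if (!supported.contains(REQUIRED)) {
            System.out.println("FAIL: this JVM cannot negotiate " + REQUIRED);
            System.exit(2);
        }
        if (!enabled.contains(REQUIRED)) {
            System.out.println("WARN: " + REQUIRED + " is supported but not enabled by default");
        }

        // Optional: "java Tls12Check <host> <port>" attempts a handshake restricted
        // to TLS 1.2 against an endpoint you administer (placeholder arguments).
        if (args.length == 2) {
            int port = Integer.parseInt(args[1]);
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], port)) {
                s.setEnabledProtocols(new String[] {REQUIRED});
                s.startHandshake(); // throws SSLException if TLS 1.2 cannot be agreed
                System.out.println("Handshake OK: " + s.getSession().getProtocol()
                        + " / " + s.getSession().getCipherSuite());
            }
        }
    }
}
```

The optional handshake also validates the server certificate against the JVM's default trust store, so read the exception message before concluding that the protocol version is the cause of a failure.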

In all cases, it is advised that you engage with RSA Professional Services to ensure that you are optimizing your Prime deployment and properly planning your Prime software update.


Note that you must have an active RSA support agreement for Prime in order to be eligible for Prime software updates.

The overall RSA SecurID Access Prime solution architecture topology, across all Prime components and running against RSA Authentication Manager, is illustrated in the diagram below:


Under this Prime architecture configuration:

  • Multiple, load balanced Prime Services servers co-host the AMIS, SSP, and HDAP components.
    • The Internal Self-Service Portal instances are accessible only to end-users on the enterprise's internal network.
    • The Help Desk Admin Portal is accessed by help desk personnel and token administrators (who also may have RSA AM Security Console access).
    • The AMIS component provides REST web services that the Prime portals leverage to interface with the Authentication Manager servers.  AMIS also provides ancillary services such as workflow, e-mail invitation and user notification services.
      (Although not depicted above, the AMIS REST web services can also be used by the enterprise to integrate its own in-house applications and systems with the RSA AM platform.)
  • A set of multiple, load-balanced External Self-Service servers co-host externally accessible instances of Prime Self-Service as well as RSA AM Web-Tiers.
    • The External Self-Service Portal instances can be configured with different authentication methods and to serve a more constrained set of self-service functions, based on the enterprise's security practices.
    • The Web-Tier component is utilized strictly to support proxying of CT-KIP communications for secure, dynamic soft token provisioning.


As of January 2019, Prime also provides for integration with the RSA Cloud Authentication Service and management of RSA SecurID Authenticate mobile devices.  This expanded RSA SecurID Access solution footprint and additional technical details are captured in the following diagram: