RSA Authentication Manager 8.5 delivers compelling features that makes it faster and easier to take the journey to modern multifactor authentication and the Cloud. RSA Authentication Manager 8.5 includes the following new features and enhancements:
- Highly Available Hybrid Cloud
- Simple and Fast Identity Router Deployment
- Authenticating to the Cloud Authentication Service Just Got Easier
- Accelerate the Journey to Modern Multifactor Authentication and the Cloud
- RSA Collecting Usage Data to Improve Customer Satisfaction
- Additional Improvements
- Planning the Upgrade from RSA Authentication Manager 8.2 SP1, 8.3, or 8.4
- RSA Authentication Agent Support
- Fixed Issues
- Known Issues
For a complete list of product documentation, see the RSA Authentication Manager 8.5 Documentation Page.
The Cloud Authentication Service and RSA SecurID Authenticate App Release Notes are available here.
To receive notifications about changes to this page, sign in to RSA Link, click Actions, and select Follow. To view this page as a PDF, click Actions and select View as PDF.
RSA Authentication Manager 8.5 can be easily deployed as a secure proxy server and failover node for the Cloud Authentication Service. Authentication Manager validates RSA SecurID Tokens and forwards other multifactor authentication requests to the Cloud Authentication Service. If the Cloud Authentication Service cannot be reached because the connection is temporarily slow or unavailable, Authentication Manager can use downloaded High Availability Tokencode records to prompt users for Authenticate Tokencode. This feature ensures high availability to SecurID agent-protected mission-critical resources, and creates a compelling and unmatched hybrid cloud solution.
RSA has made it even easier to take the cloud journey by embedding the identity router directly into your RSA Authentication Manager primary and replica instances allowing for faster setup and connection to the Cloud Authentication Service without a separate identity router install. Simple, fast, and no additional virtual machines to requisition and manage. For instructions, see Configure an Embedded Identity Router.
By using Authentication Manager 8.5 as a secure proxy server, you can eliminate multiple on-premise REST protocol agent connections to the Cloud Authentication Service. Simply configure the authentication agents to direct authentication requests to Authentication Manager. Authentication Manager always validates RSA SecurID tokens and and on-demand authentication, but sends other multifactor authentication requests directly to the Cloud Authentication Service. Simple and secure.
RSA Authentication Manager 8.5 allows you to bypass multiple, time-consuming, serial upgrades and upgrade directly to version 8.5. It utilizes the same well-known in-place upgrade process, so there is no additional training and will significantly reduce the time and effort to deploy the current shipping release. You can upgrade to RSA Authentication Manager 8.5 directly from version 8.2 SP1, 8.3, or 8.4. This capability significantly accelerates the time-to-value to take the journey to modern multifactor authentication and the cloud.
For more information, see Planning the Upgrade from RSA Authentication Manager 8.2 SP1, 8.3, or 8.4.
Important: Additional Information About Upgrading to RSA Authentication Manager 8.5
Upgrading to RSA Authentication Manager 8.5 requires a hotfix. The hotfix allows the primary instance to replicate authentication data that was collected before the replica instances were upgraded. Perform these steps:
- Download the hotfix.
- Upgrade your primary instance to RSA Authentication Manager 8.5.
- Apply the hotfix to your primary instance.
- Upgrade your replica instances. You do not need to apply the hotfix to replica instances.
By the end of September, RSA will provide a new RSA Authentication Manager 8.5 upgrade kit that fully fixes this issue.
RSA is collecting data that will help RSA better understand product configuration and usage, improve support, and focus development efforts to dramatically improve customer satisfaction. No personal identifiable information (PII) or sensitive information is collected.
The Telemetry service is automatically enabled and configured when you install or upgrade to RSA Authentication Manager 8.5. Telemetry data is collected for the primary instance and each replica instance, and stored offline for the number of days that you configure. RSA assigns each customer deployment a time to send the data that is between 1:00 AM and 5:00 AM local time.
To view the data that is sent to RSA, you can download the telemetry log files. For instructions, see Download Troubleshooting Files.
For information on the system data collection and usage policy, see "RSA’s right to collect System Data" in Product Usage Rights: https://www.rsa.com/content/dam/en/terms/units-of-measure.pdf.
RSA Authentication Manager contains the following additional improvements.
|Updated VMware or Hyper-V virtual machine minimum hardware requirements|
For version 8.5, the VMware virtual machine and the Hyper-V virtual machine require hardware that meets or exceeds the following minimum requirements:
Version 8.5 does not support less than these default values.
New features and enhancements from RSA Authentication Manager 8.4 Patch 1 through Patch 13.
Version 8.5 includes new features and enhancements from cumulative RSA Authentication Manager 8.4 Patch 13, including:
For more information, see the RSA Authentication Manager 8.4 Patch 13 Readme.
Note: RSA has not yet qualified the RSA Authentication Manager 8.5 web tier for compatibility with Red Hat Enterprise Linux 7.7 Server (64-bit).
RSA Authentication Manager 8.2 SP1, 8.3, or 8.4 can be upgraded directly to version 8.5. From earlier versions, you can upgrade to version 8.2 SP1 and then upgrade directly to version 8.5. For instructions, see Appendix A, “Upgrading to RSA Authentication Manager 8.5” in the RSA Authentication Manager 8.5 Setup and Configuration Guide.
To use some version 8.5 features, such as the embedded identity router and high availability when the connection to the Cloud Authentication Service is not available, an Authentication Manager deployment that is already connected to the Cloud Authentication Service must connect again after upgrading to version 8.5. To re-establish your connection, see Edit the Cloud Authentication Service Connection.
Before you upgrade, note the following:
- A backup is strongly recommended. RSA Authentication Manager 8.5 is not reversible. If the upgrade patch is not applied successfully, you must restore from a backup file, an Amazon Web Services snapshot, an Azure snapshot or Azure Backup, a VMware snapshot, or a Hyper-V checkpoint. Trying to apply version 8.5 again is not recommended.
- You can apply the version 8.5 update from a Windows shared folder, an NFS share, or a DVD or CD. Applying the version 8.5 upgrade through your local web browser is not supported.
- Upgrading to the latest version of Authentication Manager maintains existing trusted realm relationships with Authentication Manager 8.0 or later deployments.
Certificate Requirements Introduced in Version 8.4
- Before upgrading from RSA Authentication Manager 8.2 SP1 or 8.3, you must replace any 1024-bit certificates for the LDAPS protocol or custom console certificates. Certificates that are at least 2048 bits are required. RSA Authentication Manager 8.4 already uses the required certificates.
This security upgrade affects openLDAP connections in Authentication Manager with a default keysize of 1024. For example, if you add an Oracle Directory Server as an identity source, you must replace the default 1024-bit Oracle Directory Server certificate with an LDAPS protocol certificate that is at least 2048 bits.
You must also regenerate and replace any custom console certificates that are 1024 bits.
Web Tier Hardware Requirements Introduced in Version 8.4
Version 8.4 increased the minimum hardware requirements for the web-tier server:
- 2 GB for web tier installation and 4 GB to 20 GB free space for logs and updated component downloads
- 4 GB of memory
- At least two virtual CPUs
Upgrading an Existing Deployment that Does Not Yet Use Azure or Amazon Web Services
You can upgrade an existing RSA Authentication Manager deployment that is not yet using the Azure Cloud or Amazon Web Services (AWS) Cloud.
The Azure virtual appliance supports a mixed deployment of Cloud and on-premises appliances. To upgrade an existing deployment that is not yet using the Azure virtual appliance, do the following:
- From earlier releases, upgrade to RSA Authentication Manager 8.5.
- Deploy new RSA Authentication Manager 8.5 replica instances in Azure.
- To move your primary instance into Azure, promote a replica instance, and delete your existing primary instance. If the new primary instance and the replica instances are out-of-sync, you must synchronize each out-of-sync replica instance in the primary instance Operations Console.
- The Amazon Web Services (AWS) virtual appliance supports a mixed deployment of Cloud and on-premises appliances. To upgrade an existing deployment that is not yet using the AWS virtual appliance, do the following:
- From earlier releases, upgrade to RSA Authentication Manager 8.5.
- Deploy new RSA Authentication Manager 8.5 replica instances in AWS.
- To move your primary instance into AWS, promote a replica instance, and delete your existing primary instance. If the new primary instance and the replica instances are out-of-sync, you must synchronize each out-of-sync replica instance in the primary instance Operations Console.
RSA authentication agent software is available at https://www.rsa.com/en-us/products/rsa-securid-suite/rsa-securid-access/securid-authentication-agents.html and on the RSA Link RSA SecurID Access Product Versions page.
RSA Authentication Manager 8.5 continues to support your authentication agents that use the UDP protocol.
REST protocol authentication agents, such as RSA Authentication Agent 2.0 or later for Microsoft AD FS, RSA Authentication Agent 8.0 or later for PAM, and RSA MFA Agent 2.0 for Microsoft Windows, can use RSA Authentication Manager 8.5 as a secure proxy server for the Cloud Authentication Service.
RSA Authentication Agent for Citrix StoreFront requires version 2.0.1 to use RSA Authentication Manager 8.5 features. You can download the version 2.0.1 upgrade.
RSA MFA Agent 2.0 for Microsoft Windows adds support for a direct connection to RSA Authentication Manager 8.5 and support for version 8.5 features. For more information, see the RSA Link page for RSA MFA Agent for Microsoft Windows.
You may also purchase products that contain embedded RSA authentication agent software. The software is embedded in a number of products, such as remote access servers, firewalls, and web servers. For more information, go to the RSA Ready Partner website at www.rsaready.com.
RSA Authentication Manager 8.5 includes the software fixes in the cumulative Patch 13 for version 8.4. Applying version 8.5 removes any software fixes that are not included in the cumulative Patch 13. To obtain these all of the software fixes in Patch 14 and later version 8.4 patches, you mustRSA Authentication Manager 8.4 Patch 13 Readme apply version 8.5 patches as they become available. For the complete list of resolved issues, see the .
Copyright 1994-2020 RSA Security LLC or its affiliates. All rights reserved. RSA Conference logo, RSA, and other trademarks are trademarks of RSA Security LLC or its affiliates. For a list of RSA trademarks, https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks are trademarks of their respective owners.
Revised: September 2020
Intellectual Property Notice
This software contains the intellectual property of RSA or is licensed to RSA from third parties. Use of this software and the intellectual property contained therein is expressly limited to the terms and conditions of the License Agreement under which it is provided by or on behalf of RSA.
Open Source License
This product may be distributed with open source code, licensed to you in accordance with the applicable open source license. If you would like a copy of any such source code, RSA or its affiliates will provide a copy of the source code that is required to be made available in accordance with the applicable open source license. RSA or its affiliates may charge reasonable shipping and handling charges for such distribution. Please direct requests in writing to RSA Legal, 174 Middlesex Turnpike, Bedford, MA 01730, ATTN: Open Source Program Office.
System Data Collection and Usage Policy
In certain circumstances, RSA collects data from customer installations of RSA products for purposes including but not limited to accurate billing of product usage and to maintain and improve RSA products. For details see "RSA’s right to collect System Data" in Product Usage Rights: https://www.rsa.com/content/dam/en/terms/units-of-measure.pdf.
RSA SecurID Access Release Notes for RSA Authentication Manager 8.5