RSA SecurID® Access Release Notes for RSA Authentication Manager 8.3

Document created by RSA Information Design and Development on Oct 7, 2016Last modified by Kevin Kyle on Sep 27, 2018
Version 51Show Document
  • View in full screen mode

 

This document contains Release Notes for RSA Authentication Manager 8.3. Additional release notes are now located here:

RSA Authentication Manager 8.3 includes the following new features and enhancements:
  • Amazon Web Services (AWS) deployment
  • Token distribution and management enhancements
  • Agent reporting enhancements
  • Authentication Manager Bulk Administration (AMBA) utility integrated into RSA Authentication Manager for Enterprise Server license customers
  • Upgrade path from RSA Authentication Manager 8.2 Service Pack 1 (SP1)

Cumulative patches are available for Authentication Manager. For the most recent update, see RSA Authentication Manager 8.3 Downloads.

Amazon Web Services Deployment

This release adds support for an Amazon Web Services (AWS) virtual appliance. The AWS virtual appliance is deployed on AWS or AWS GovCloud (US) with an Amazon Machine Image (AMI) file that RSA provides. You must have created a Virtual Private Cloud (VPC) with a private subnet on AWS.

A mixed deployment with Cloud and on-premise appliances is supported. For example, you can deploy a primary instance on AWS and replica instances on your local network.

Token Distribution and Management Enhancements

RSA Authentication Manager 8.3 includes token distribution and management enhancements that were suggested by our customers:

  • Time-saving enhancements to the User Dashboard allow Help Desk administrators to more efficiently manage tokens:
    • The User Profile section on the User Dashboard displays the last authentication time and date for the selected user.
    • The Assigned SecurID Tokens section of the User Dashboard displays the last logon time and date for each assigned token.
    • The Quick Search field on the User Dashboard and the Security Console Home page allow you to search by token serial number. If the token is already assigned, the user dashboard is displayed for the user. If the token is not assigned, the SecurID Tokens View page displays.
  • You can prevent the system from assigning tokens that are expiring soon. When tokens are automatically assigned or used as replacement tokens, the system only selects unassigned tokens that have more than the configured number of days remaining. This enhancement applies when a user requests a new or replacement token in the Self-Service Console and when an administrator assigns the next available token.

Agent Reporting Enhancements

Two new report templates allow you to generate reports with information on the authentication agents in your Authentication Manager deployment:

  • The List All Authentication Agent Records report provides information on the authentication agents that have been added to Authentication Manager. For example, you can view the user groups and security domains assigned to each agent, how many times each authentication agent is installed in your deployment, and whether each agent is enabled or disabled.
  • The List All Installed Agents report provides details for all of the installed authentication agents in your deployment that have a corresponding record in Authentication Manager. For each installed authentication agent, this report displays the version number and platform, the hostname and IP address that was last used, the time and date of the last authentication, the security domain, and the name of the corresponding authentication agent record in Authentication Manager. Some newer authentication agents provide a unique Software Identifier for each installed agent. An agent might have one record in Authentication Manager, but the agent can be installed on multiple machines with a unique identifier for each installation.

RSA Authentication Manager Bulk Administration (AMBA) Utility Included with RSA Authentication Manager

Enterprise Edition and Premium Edition license customers receive the ability to use the RSA Authentication Manager Bulk Administration (AMBA) utility. AMBA is no longer offered as an add-on option to the Base Server license. Existing AMBA customers with a Base Server license can continue to use AMBA after upgrading to version 8.3.

AMBA is installed by Quick Setup, instead of being included as a separate installation from the Extras download kit. The sample templates are located in the /opt/rsa/am/utils/resources/amba_template_files directory.

Additional Improvements

RSA Authentication Manager contains the following additional improvements.

                                   
ImprovementDescription
Support for Red Hat Enterprise Linux 7.4 Server (64-bit) on the web tier.

Version 8.2 SP1 Patch 3 or later adds support for installing the web tier on Red Hat Enterprise Linux 7.4 Server (64-bit).

You can install the web tier on the following Linux operating systems:

  • Red Hat Enterprise Linux 5 Server (64-bit)
  • Red Hat Enterprise Linux 5 Server (64-bit)
  • Red Hat Enterprise Linux 7.4 Server (64-bit)

The following Windows operating systems are also supported:

  • Windows Server 2008 R2 (64-bit)
  • Windows Server 2012 (64-bit)
  • Windows Server 2012 R2 (64-bit)
Apply administrative roles to specific lower-level security domains.

When you add or edit administrative roles in your deployment, you can assign the administrative role to specific security domains. By default, selecting a security domain automatically includes the subdomains. You can change this behavior, and only assign administrative roles to the security domains that you select.

Ability to hide menu items in the Security Console from administrators (except for Super Admins).

Instead of restricting access to menu items through administrative roles and security domains, you can hide menu items. For instructions, see the Help topic "Hide Security Console Menu Items from Administrators."

Generate a text-based report that lists all current configuration and policy settings for Authentication Manager.

You can analyze the CSV or XML report with third-party tools to monitor your Authentication Manager configuration over time.

For instructions on generating the report, see the Help topic "Generate a Text-Based Report of the Current Configuration Settings."

Certificate signing requests can include more than one fully qualified domain name (FQDN) and an encryption key size that you select.

To replace a console certificate or an RSA virtual host certificate, you must generate a certificate signing request (CSR) and submit it to a third-party certificate authority (CA).

Version 8.3 provides two new fields for these requests:

  • Subject Alternate Name. The Subject Alternate Name (SAN) allows you to protect multiple fully qualified domain names (FQDNs) with a single certificate. You can enter one or more FQDNs as comma-separated values, for example, authservices.corp.com,authexample.com. The default value is the FQDN used by the Authentication Manager administrative consoles.
  • Key Size. The default encryption key size is 2048.

For instructions, see the Help topics "Generate a Certificate Signing Request Using the Operations Console" and "Generate a Certificate Signing Request for the Web Tier."

Updated the Help system format used for the RSA Token Management Snap-in.

The Token Management Snap-In Help system has been updated to the same HTML5 format used in the Operations Console and Security Console Help.

After upgrading to RSA Authentication Manager 8.3, you must re-install the Token Management Snap-In to use the new Help system. For instructions, see Appendix E, "Installing the RSA Authentication Manager Token Management Snap-In" in the RSA Authentication Manager 8.3 Setup and Configuration Guide.

Note:  The Developer’s Guide and the software development kit (SDK) are located in the Extras download kit, rsa-am-extras-8.3.0.0.zip, on Download Central.

Upgrading from RSA Authentication Manager 8.2 Service Pack 1

RSA Authentication Manager 8.2 Service Pack 1 (SP1) can be upgraded to version 8.3. A direct upgrade from earlier releases is not supported. Instead, do the following:

                           
DeploymentUpgrade Path
Amazon Web Service (AWS) virtual appliance

Version 8.3 introduces the AWS virtual appliance with support for a mixed deployment of Cloud and on-premises appliances. To upgrade an existing deployment:

  • From earlier releases, upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1
  • Upgrade to RSA Authentication Manager 8.3
  • Deploy new version 8.3 replica instances in the AWS, and delete your existing replica instances.
  • To move your primary instance into AWS, promote a replica instance, and delete your existing primary instance.
VMware virtual appliance
  • From earlier releases, upgrade to RSA Authentication Manager 8.2
  • Ugprade to RSA Authentication Manager 8.2 SP1
  • Upgrade to RSA Authentication Manager 8.3
Hyper-V virtual appliance
  • From earlier releases, upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1
  • Upgrade to RSA Authentication Manager 8.3
Hardware appliance
  • From earlier releases, upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1
  • Upgrade to RSA Authentication Manager 8.3
  • Note:  Some RSA SecurID Appliance 3.0 hardware appliances can be upgraded and do not require new hardware. For instructions on how to determine if you can upgrade a particular appliance, see the RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 on Existing Hardware.

RSA Authentication Manager 8.3 includes the software fixes in the cumulative Patch 5 for version 8.2 SP1 and additional Patch 6 and Patch 7 fixes that are listed in "Fixed Issues." Most Patch 6 and Patch 7 fixes are not included in version 8.3. Patch 8 is not included in version 8.3. Applying version 8.3 removes any software fixes that are not included in the cumulative Patch 5 for version 8.2 SP1 or listed in "Fixed Issues." To obtain these fixes, you must apply version 8.3 patches as they become available.

For the upgrade instructions, see Appendix A, “Upgrading to RSA Authentication Manager 8.3” in the RSA Authentication Manager 8.3 Setup and Configuration Guide. Upgrading to the latest version of Authentication Manager maintains existing trusted realm relationships with Authentication Manager 8.0 or later deployments.

Note:  The upgrade to RSA Authentication Manager 8.3 is not reversible. If version 8.3 is not applied successfully, you cannot roll back to version 8.2 SP1. Before applying version 8.3, RSA strongly recommends backing up your deployment in one of the following ways: using the Back Up Now feature in the Operations Console of the primary instance, backing up a hardware appliance with PING, taking a VMware snapshot, or creating a Hyper-V checkpoint.

Fixed Issues

RSA Authentication Manager 8.3 includes the fixes that were provided in Patches 1 through 5 for RSA Authentication Manager 8.2 Service Pack 1 (SP1). For the complete list of resolved issues, see the RSA Authentication Manager 8.2 SP1 Patch 5 Readme.

This release also includes the following fixes from RSA Authentication Manager 8.2 SP1 Patch 6 and Patch 7:

                                           
Version 8.2 SP1 Tracking NumberVersion 8.3
Tracking Number
Description
AM-31484AM-31613

X-Frame-Options, X-Content-Type, and X-XSS-Protection header options for some parts of the Self-Service Console were either missing or incorrect.

AM-31285AM-31612HTTP Strict-Transport-Security headers were not included in responses sent between the web tier and the curl command-line interface tool.
AM-31427AM-31615Input fields on the Dashboard page of the Security Console were vulnerable to Cross-Site Scripting (XSS) attacks.
AM-31403AM-31614Administrators lacked an option to manually transfer the dump file from a primary instance to a replica instance to facilitate replica synchronization in environments where network latency and packet transmission problems interfered with the automated transfer process. Contact RSA Customer Support if you need to perform a manual dump file transfer.
AM-31236AM-31640Special characters in reports caused problems when the reports were exported in CSV format and viewed using Microsoft Excel.
AM-31585AM-31643A serious security issue existed in the Security Console.

RSA Authentication Manager 8.3 Patch 1 will include the additional fixes in the cumulative Patches 6 and 7. For the complete list of resolved issues, see the RSA Authentication Manager 8.2 SP1 Patch 7 Readme.

In addition, the following issue was resolved:

AM-31499. The Token Management Snap-In Help system was not working. To resolve the issue, the Help is updated to the same HTML5 format used in the Operations Console and Security Console Help.

After upgrading to RSA Authentication Manager 8.3, you must re-install the Token Management Snap-In to use the new Help system. For instructions, see Appendix E, "Installing the RSA Authentication Manager Token Management Snap-In" in the RSA Authentication Manager 8.3 Setup and Configuration Guide.

Known Issues

For a list of known issues for RSA Authentication Manager 8.3, see RSA Authentication Manager 8.3 Known Issues

 

 

 

 

 

Attachments

    Outcomes