on Oct 7, 2016
This document contains Release Notes for RSA Authentication Manager 8.3. Additional release notes are now located here:
- RSA SecurID Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App
- RSA Authentication Manager 8.2 Service Pack 1 Release Notes
- Amazon Web Services (AWS) deployment
- Token distribution and management enhancements
- Agent reporting enhancements
- Authentication Manager Bulk Administration (AMBA) utility integrated into RSA Authentication Manager for Enterprise Server license customers
- Upgrade path from RSA Authentication Manager 8.2 Service Pack 1 (SP1)
Cumulative patches are available for Authentication Manager. For the most recent update, see RSA Authentication Manager 8.3 Downloads.
Amazon Web Services Deployment
This release adds support for an Amazon Web Services (AWS) virtual appliance. The AWS virtual appliance is deployed on AWS or AWS GovCloud (US) with an Amazon Machine Image (AMI) file that RSA provides. You must have created a Virtual Private Cloud (VPC) with a private subnet on AWS.
A mixed deployment with Cloud and on-premise appliances is supported. For example, you can deploy a primary instance on AWS and replica instances on your local network.
Token Distribution and Management Enhancements
RSA Authentication Manager 8.3 includes token distribution and management enhancements that were suggested by our customers:
- Time-saving enhancements to the User Dashboard allow Help Desk administrators to more efficiently manage tokens:
- The User Profile section on the User Dashboard displays the last authentication time and date for the selected user.
- The Assigned SecurID Tokens section of the User Dashboard displays the last logon time and date for each assigned token.
- The Quick Search field on the User Dashboard and the Security Console Home page allow you to search by token serial number. If the token is already assigned, the user dashboard is displayed for the user. If the token is not assigned, the SecurID Tokens View page displays.
- You can prevent the system from assigning tokens that are expiring soon. When tokens are automatically assigned or used as replacement tokens, the system only selects unassigned tokens that have more than the configured number of days remaining. This enhancement applies when a user requests a new or replacement token in the Self-Service Console and when an administrator assigns the next available token.
Agent Reporting Enhancements
Two new report templates allow you to generate reports with information on the authentication agents in your Authentication Manager deployment:
- The List All Authentication Agent Records report provides information on the authentication agents that have been added to Authentication Manager. For example, you can view the user groups and security domains assigned to each agent, how many times each authentication agent is installed in your deployment, and whether each agent is enabled or disabled.
- The List All Installed Agents report provides details for all of the installed authentication agents in your deployment that have a corresponding record in Authentication Manager. For each installed authentication agent, this report displays the version number and platform, the hostname and IP address that was last used, the time and date of the last authentication, the security domain, and the name of the corresponding authentication agent record in Authentication Manager. Some newer authentication agents provide a unique Software Identifier for each installed agent. An agent might have one record in Authentication Manager, but the agent can be installed on multiple machines with a unique identifier for each installation.
Some of the agent reporting parameters require newer authentication agents that use the REST protocol. Authentication agents that use the UDP protocol cannot provide the version number, platform, or installed agent count parameters. Some REST protocol agents require additional configuration steps to send agent details to Authentication Manager.
RSA Authentication Manager Bulk Administration (AMBA) Utility Included with RSA Authentication Manager
Enterprise Edition and Premium Edition license customers receive the ability to use the RSA Authentication Manager Bulk Administration (AMBA) utility. AMBA is no longer offered as an add-on option to the Base Server license. Existing AMBA customers with a Base Server license can continue to use AMBA after upgrading to version 8.3.
AMBA is installed by Quick Setup, instead of being included as a separate installation from the Extras download kit. The sample templates are located in the /opt/rsa/am/utils/resources/amba_template_files directory.
Additional Improvements
RSA Authentication Manager contains the following additional improvements.
| Improvement | Description |
|---|---|
| Support for Red Hat Enterprise Linux 7.4 Server (64-bit) on the web tier. | Version 8.2 SP1 Patch 3 or later adds support for installing the web tier on Red Hat Enterprise Linux 7.4 Server (64-bit). You can install the web tier on the following Linux operating systems:
The following Windows operating systems are also supported:
|
| Apply administrative roles to specific lower-level security domains. | When you add or edit administrative roles in your deployment, you can assign the administrative role to specific security domains. By default, selecting a security domain automatically includes the subdomains. You can change this behavior, and only assign administrative roles to the security domains that you select. |
| Ability to hide menu items in the Security Console from administrators (except for Super Admins). | Instead of restricting access to menu items through administrative roles and security domains, you can hide menu items. For instructions, see the Help topic "Hide Security Console Menu Items from Administrators." |
| Generate a text-based report that lists all current configuration and policy settings for Authentication Manager. | You can analyze the CSV or XML report with third-party tools to monitor your Authentication Manager configuration over time. For instructions on generating the report, see the Help topic "Generate a Text-Based Report of the Current Configuration Settings." |
| Certificate signing requests can include more than one fully qualified domain name (FQDN) and an encryption key size that you select. | To replace a console certificate or an RSA virtual host certificate, you must generate a certificate signing request (CSR) and submit it to a third-party certificate authority (CA). Version 8.3 provides two new fields for these requests:
For instructions, see the Help topics "Generate a Certificate Signing Request Using the Operations Console" and "Generate a Certificate Signing Request for the Web Tier." |
| Updated the Help system format used for the RSA Token Management Snap-in. | The Token Management Snap-In Help system has been updated to the same HTML5 format used in the Operations Console and Security Console Help. After upgrading to RSA Authentication Manager 8.3, you must re-install the Token Management Snap-In to use the new Help system. For instructions, see Appendix E, "Installing the RSA Authentication Manager Token Management Snap-In" in the RSA Authentication Manager 8.3 Setup and Configuration Guide. |
Note: The Developer’s Guide and the software development kit (SDK) are located in the Extras download kit, rsa-am-extras-8.3.0.0.zip, on Download Central.
Upgrading from RSA Authentication Manager 8.2 Service Pack 1
RSA Authentication Manager 8.2 Service Pack 1 (SP1) can be upgraded to version 8.3. A direct upgrade from earlier releases is not supported. Instead, do the following:
| Deployment | Upgrade Path |
|---|---|
| Amazon Web Service (AWS) virtual appliance | Version 8.3 introduces the AWS virtual appliance with support for a mixed deployment of Cloud and on-premises appliances. To upgrade an existing deployment:
|
| VMware virtual appliance |
|
| Hyper-V virtual appliance |
|
| Hardware appliance |
|
RSA Authentication Manager 8.3 includes the software fixes in the cumulative Patch 5 for version 8.2 SP1 and additional Patch 6 and Patch 7 fixes that are listed in "Fixed Issues." Most Patch 6 and Patch 7 fixes are not included in version 8.3. Patch 8 is not included in version 8.3. Applying version 8.3 removes any software fixes that are not included in the cumulative Patch 5 for version 8.2 SP1 or listed in "Fixed Issues." To obtain these fixes, you must apply version 8.3 patches as they become available.
For the upgrade instructions, see Appendix A, “Upgrading to RSA Authentication Manager 8.3” in the RSA Authentication Manager 8.3 Setup and Configuration Guide. Upgrading to the latest version of Authentication Manager maintains existing trusted realm relationships with Authentication Manager 8.0 or later deployments.
Note: The upgrade to RSA Authentication Manager 8.3 is not reversible. If version 8.3 is not applied successfully, you cannot roll back to version 8.2 SP1. Before applying version 8.3, RSA strongly recommends backing up your deployment in one of the following ways: using the Back Up Now feature in the Operations Console of the primary instance, backing up a hardware appliance with PING, taking a VMware snapshot, or creating a Hyper-V checkpoint.
Fixed Issues
RSA Authentication Manager 8.3 includes the fixes that were provided in Patches 1 through 5 for RSA Authentication Manager 8.2 Service Pack 1 (SP1). For the complete list of resolved issues, see the RSA Authentication Manager 8.2 SP1 Patch 5 Readme.
This release also includes the following fixes from RSA Authentication Manager 8.2 SP1 Patch 6 and Patch 7:
| Version 8.2 SP1 Tracking Number | Version 8.3 Tracking Number | Description |
|---|---|---|
| AM-31484 | AM-31613 | X-Frame-Options, X-Content-Type, and X-XSS-Protection header options for some parts of the Self-Service Console were either missing or incorrect. |
| AM-31285 | AM-31612 | HTTP Strict-Transport-Security headers were not included in responses sent between the web tier and the curl command-line interface tool. |
| AM-31427 | AM-31615 | Input fields on the Dashboard page of the Security Console were vulnerable to Cross-Site Scripting (XSS) attacks. |
| AM-31403 | AM-31614 | Administrators lacked an option to manually transfer the dump file from a primary instance to a replica instance to facilitate replica synchronization in environments where network latency and packet transmission problems interfered with the automated transfer process. Contact RSA Customer Support if you need to perform a manual dump file transfer. |
| AM-31236 | AM-31640 | Special characters in reports caused problems when the reports were exported in CSV format and viewed using Microsoft Excel. |
| AM-31585 | AM-31643 | A serious security issue existed in the Security Console. |
RSA Authentication Manager 8.3 Patch 1 will include the additional fixes in the cumulative Patches 6 and 7. For the complete list of resolved issues, see the RSA Authentication Manager 8.2 SP1 Patch 7 Readme.
In addition, the following issue was resolved:
AM-31499. The Token Management Snap-In Help system was not working. To resolve the issue, the Help is updated to the same HTML5 format used in the Operations Console and Security Console Help.
After upgrading to RSA Authentication Manager 8.3, you must re-install the Token Management Snap-In to use the new Help system. For instructions, see Appendix E, "Installing the RSA Authentication Manager Token Management Snap-In" in the RSA Authentication Manager 8.3 Setup and Configuration Guide.
Known Issues
For a list of known issues for RSA Authentication Manager 8.3, see RSA Authentication Manager 8.3 Known Issues