RSA® SecurID Access Release Notes for RSA Authentication Manager 8.4

Document created by RSA Information Design and Development on Oct 25, 2018Last modified by RSA Product Team on Jun 24, 2019
Version 21Show Document
  • View in full screen mode

 

RSA Authentication Manager 8.4 includes the following new features and enhancements:

For a complete list of product documentation, see the RSA Authentication Manager 8.4 Documentation Page.

The Cloud Authentication Service and RSA SecurID Authenticate App Release Notes are available here.

Note:  Before upgrading to RSA Authentication Manager 8.4, you must replace any 1024-bit certificates for the LDAPS protocol or custom console certificates. For more information, see 1024-Bit Certificates are No Longer Supported.

(Patch 4) Easily Connect RSA Authentication Manager 8.4 Patch 4 to the Cloud Authentication Service and Deploy Modern MFA

RSA Authentication Manager 8.4 Patch 4 allows you to more easily connect RSA Authentication Manager to the Cloud Authentication Service and quickly roll out modern MFA to your users. You use a Security Console wizard to configure the connection and invite users to authenticate to the Cloud.

You can authenticate to the cloud with your existing RSA authentication agents, including older authentication agents that use the UDP or TCP protocol:

  • Users can access agent-protected resources by entering their existing RSA SecurID PINs and tapping Approve on the RSA SecurID Authenticate app. You do not need to replace or update your existing agents or RSA Ready products, and users do not need to memorize a new PIN.
  • As in previous integrations, Authentication Manager accepts tokencodes generated by the RSA SecurID Authenticate app. Users install the Authenticate app on a supported device to generate tokencodes. Authentication Manager does not support PINs for Authenticate Tokencode.

REST protocol authentication agents can authenticate to the cloud with any form of multifactor authentication that is supported by the Cloud Authentication Service, such as Approve authentication, biometric methods such as fingerprint verification, hardware devices such as RSA SecurID Token and FIDO Token, and context-based authentication using factors such as the user's location and network.

The new integration also allows your Help Desk Admins to manage Authenticate app users through the Authentication Manager User Dashboard:

  • Manage Authenticate app users:
    • Enable or disable a user in the Cloud Authentication Service
    • Synchronize a user in the Cloud Authentication Service
    • Delete or undelete a user from the Cloud Authentication Service
  • Unlock a user's SMS Tokencode, Voice Tokencode, and Authenticate Tokencode
  • Change a user's SMS Tokencode or Voice Tokencode phone number
  • Delete a user's registered device or browser

The earlier approaches that connected Authentication Manager to an identity router do not support this feature.

For information on how to use these important new features, see Connect RSA Authentication Manager to the Cloud Authentication Service.

See the Readme for more information about Patch 4 (available here). An updated web-tier server (available here) is also available with Patch 4. See the web-tier server Readme for information on the updates to the web-tier server.

Obtain the Azure Virtual Appliance from the Azure Marketplace

This release adds support for the Azure virtual appliance. The Azure virtual appliance is deployed with an Azure Virtual Machine image file that RSA provides in the Azure Marketplace. You must create a virtual network on Azure with a private subnet. U.S. government agencies at the federal, state, and local level, and other security-sensitive entities can utilize the Azure Government Cloud.

You can deploy your Authentication Manager primary instance and all of your replica instances in the Azure cloud, or you can deploy a primary instance on your local network and your replica instances in Azure.

Easier Access to RSA SecurID-Protected Resources for Multifactor Authentication Users

New multifactor authentication users, who do not have RSA SecurID hardware or software tokens, are automatically registered in RSA Authentication Manager and able to access RSA SecurID-protected resources. You and a Super Admin for the Cloud Administration Console must configure communication between an identity router and Authentication Manager, but you no longer need to establish a trusted realm or run CLUs, simplifying this integration and dramatically reducing the time you spend on administration.

These same multifactor authentication users can use Authentication Manager services, such as emergency access to RSA SecurID agent-protected resources. For example, users who lose their mobile devices can request emergency access tokencodes by logging on to the Self-Service Console or by contacting an Authentication Manager Help Desk administrator.

Major Platform Upgrade Enhances Best-In-Class Enterprise Grade Security

The overall security profile has been improved with platform updates to Java 8, Weblogic v12.2, RSA BSAFE Crypto Library J 6.2.4.0.1 and an RSA-hardened SUSE Linux Enterprise Server (SLES) 12 Service Pack 3.

Secure Syslog to multiple external servers and Secure Backup to Windows Servers utilizing SMB v2/SMB v3 greatly improves the data in-transit security model. Version 8.4 no longer supports using the Server Message Block (SMB) version 1 (SMBv1) protocol on the Windows operating system. Instead, you must use SMBv2 or SMBv3 for tasks such as upgrading Authentication Manager, saving and restoring backup files, and backing up system log files.

Upgrades to FIPS Compliance for Cryptographic Operations

RSA Authentication Manager 8.4 has “FIPS-inside” by incorporating FIPS-compliant cryptographic library module RSA BSAFE® Crypto-J 6.2.4.0.1 (NIST Certificate # 3184). Authentication Manager uses a version of the Crypto-J 6.2.4 library that inherits its FIPS 140-2 status from the RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.4. For more information, see the RSA BSAFE Crypto-J 6.2.4 Security Policy Level 1 document (Crypto-J_6.24_SecurityPolicyLevel1.pdf) at https://community.rsa.com/docs/DOC-86255.

Federal Information Processing Standards Publication 140-2 - Security Requirements for Cryptographic Modules (FIPS 140-2) details the U.S. Government requirements for cryptographic modules. For more information about the FIPS 140-2 standard and validation program, see the NIST website: http://www.nist.gov/.

Authentication Manager incorporates libraries that were independently audited by the NIST certified laboratory Gossamer laboratories Inc., an independent accredited lab under the National Voluntary Laboratory Accreditation Program (NVLAP Lab Code 200997-0). The base version of the cryptographic library incorporated into Authentication Manager was certified as FIPS compliant. This covers all algorithms that were required to be tested at the time of the certification.

The following items use FIPS-certified cryptographic implementations on the server side:

  • Internal Authentication Manager communication between the primary instance, the replica instances, and Authentication Manager deployed on the web-tier servers.
  • Sensitive database records, such as password hashes, PINs, and token seeds, are encrypted and decrypted with FIPs-compliant algorithms.
  • Web Console interfaces, such as the Operations Console, Security Console, and the Self-Service Console.
  • Risk-based authentication (RBA).
  • Dynamic seed provisioning information that is exchanged with the four-pass CT-KIP protocol.
  • Authentication Manager backup and restore feature encryption.
  • LDAP connections between Authentication Manager and identity sources.
  • TCP-protocol network connections, such as an IPv4/IPv6 network connection.
  • RSA Authentication Manager SDK using a FIPS-compliant Java Runtime Environment (JRE).

Other components may use non-FIPS-compliant algorithms as needed to support backward compatibility.

1024-Bit Certificates are No Longer Supported

As part of the stronger security profile, Authentication Manager no longer supports 1024-bit certificates for the LDAPS protocol or custom console certificates. Before upgrading to RSA Authentication Manager 8.4, certificates that are at least 2048 bits are required.

This security upgrade affects openLDAP connections in Authentication Manager with a default keysize of 1024. For example, if you add an Oracle Directory Server as an identity source, you must replace the default 1024-bit Oracle Directory Server certificate with an LDAPS protocol certificate that is at least 2048 bits.

You must also regenerate and replace any custom console certificates that are 1024 bits.

Ability to Delete a Console or Virtual Host Certificate

You can delete a console or virtual host certificate that is no longer required, for example, when the certificate has expired and a new one has been issued. The certificate that you are deleting must not be the active certificate. The default certificate that is signed by an internal RSA certificate authority (CA) cannot be deleted.

Deleting the console or virtual host certificate removes it from your deployment. The certificate authority is also removed, unless it is used by other certificates.

Additional Improvements

RSA Authentication Manager contains the following additional improvements.

ImprovementDescription
Clonezilla supported for the version 8.4 hardware appliance

RSA supports using Clonezilla Release 2018-08-12 (clonezilla-live-20180812-bionic-amd64.iso) to back up and restore RSA Authentication Manager 8.4 on the hardware appliance.

For version 8.4, PING is not supported. Earlier versions of Authentication Manager can continue to use PING.

For the latest Clonezilla software and documentation, go to https://clonezilla.org/downloads.php.

For instructions, see “Using Clonezilla to Back Up and Restore the RSA Authentication Manager 8.4 Hardware Appliance” on RSA Link at https://community.rsa.com/docs/DOC-97375.

Amazon Web Services virtual appliance evaluation kitYou can now evaluate RSA Authentication Manager on either an VMware virtual appliance or an Amazon Web Services virtual appliance.
Updated the web-tier server minimum hardware requirements

The web-tier server requires hardware that meets or exceeds the following minimum requirements:

  • 2 GB for web tier installation and 4 GB to 20 GB free space for logs and updated component downloads
  • 4 GB of memory
  • At least two virtual CPUs
Updated the Help system format for the RSA Authentication Manager 8.4 Developer's Guide

The Developer's Guide Help system has been updated to the same HTML5 format used in the Operations Console and Security Console Help. You can open the new guide with any supported browser.

Note:  The Developer’s Guide and the software development kit (SDK) are in the Extras download kit, rsa-am-extras-8.4.0.0.zip.

New features and enhancements from RSA Authentication Manager 8.3 Patch 1 and Patch 2

These new features and enhancements are included:

  • The web tier is compatible with Windows Server 2016 Standard.
  • You can configure the maximum lifetime for new emergency access tokencodes.

For more information, see the RSA Authentication Manager 8.3 Patch 2 Readme.

RSA Authentication Agent Support

RSA authentication agent software is available on the RSA website at https://www.rsa.com/en-us/products/rsa-securid-suite/rsa-securid-access/securid-authentication-agents.html and on the RSA Link RSA SecurID Access Product Versions page.

Note:  RSA Authentication Manager 8.4 supports RSA Authentication Agent 7.3 or later for Microsoft Windows. For upgrade instructions, see the RSA Authentication Agent for Microsoft Windows documentation page.

You may also purchase products that contain embedded RSA authentication agent software. The software is embedded in a number of products, such as remote access servers, firewalls, and web servers. For more information, go to the RSA Ready Partner website at www.rsaready.com.

Upgrading from RSA Authentication Manager 8.3

RSA Authentication Manager 8.3 can be upgraded to version 8.4. A direct upgrade from earlier releases is not supported.

From version 8.3 Patch 5, you must apply version 8.3 Patch 6 before upgrading to version 8.4. From earlier patches, you can apply Patch 4 or Patch 6 to obtain the fix that allows you to upgrade to version 8.4 through your browser.

The following table shows the upgrade paths.

Note:  Before upgrading, a backup is strongly recommended. RSA Authentication Manager 8.4 is not reversible. If the upgrade patch is not applied successfully, you must restore from a backup file, an Amazon Web Services snapshot, a VMware snapshot, or a Hyper-V checkpoint. Trying to apply version 8.4 again is not recommended.

In addition, you must replace any 1024-bit certificates for the LDAPS protocol or custom console certificates. For more information, see 1024-Bit Certificates are No Longer Supported.

DeploymentUpgrade Path
Azure virtual appliance

Version 8.4 introduces the Azure virtual appliance with support for a mixed deployment of Cloud and on-premises appliances.

To upgrade an existing deployment:

  1. From earlier releases, upgrade to RSA Authentication Manager 8.3.
  2. Upgrade to RSA Authentication Manager 8.4.
  3. Deploy new RSA Authentication Manager 8.4 replica instances in Azure.

    To move your primary instance into Azure, promote a replica instance, and delete your existing primary instance. If the new primary instance and the replica instances are out-of-sync, you must synchronize each out-of-sync replica instance in the primary instance Operations Console.

Amazon Web Service (AWS) virtual appliance

Version 8.3 introduced the AWS virtual appliance with support for a mixed deployment of Cloud and on-premises appliances. After upgrading to RSA Authentication Manager 8.3 or 8.4, you can deploy the AWS virtual appliance.

To upgrade:

  1. From earlier releases, upgrade to RSA Authentication Manager 8.3.
  2. Upgrade to RSA Authentication Manager 8.4.
  3. Deploy new RSA Authentication Manager 8.4 replica instances in AWS.

    To move your primary instance into AWS, promote a replica instance, and delete your existing primary instance. If the new primary instance and the replica instances are out-of-sync, you must synchronize each out-of-sync replica instance in the primary instance Operations Console.

VMware virtual appliance
  1. From earlier releases, upgrade to RSA Authentication Manager 8.3.
  2. Upgrade to RSA Authentication Manager 8.4
Hyper-V virtual appliance
  1. From earlier releases, upgrade to RSA Authentication Manager 8.3
  2. Upgrade to RSA Authentication Manager 8.4
Hardware appliance
  1. From earlier releases, upgrade to RSA Authentication Manager 8.3
  2. Upgrade to RSA Authentication Manager 8.4

    Note:  Some RSA SecurID Appliance 3.0 hardware appliances can be upgraded and do not require new hardware. To determine if you can upgrade a particular appliance, see RSA Authentication Manager 7.1 to 8.1 - Upgrading an Existing Hardware Appliance 3.0.

RSA Authentication Manager 8.4 includes the software fixes in the cumulative Patch 2 for version 8.3, and additional Patch 3 security fixes that are listed in Fixed Issues. Applying version 8.4 removes any software fixes that are not included in the cumulative Patch 2 for version 8.3 or listed in Fixed Issues. To obtain these all of the software fixes in Patch 3 and later version 8.3 patches, you must apply version 8.4 patches as they become available.

You can apply the version 8.4 update from a Windows shared folder, an NFS share, or a DVD or CD. Version 8.3 Patch 4 is required to upload version 8.4 with a web browser from your local machine.

For the upgrade instructions, see Appendix A, “Upgrading to RSA Authentication Manager 8.4” in the RSA Authentication Manager 8.3 Setup and Configuration Guide. Upgrading to the latest version of Authentication Manager maintains existing trusted realm relationships with Authentication Manager 8.0 or later deployments.

Fixed Issues

RSA Authentication Manager 8.4 includes the fixes that were provided in Patch 1 and Patch 2 for RSA Authentication Manager 8.3. For the complete list of resolved issues, see the RSA Authentication Manager 8.3 Patch 2 Readme.

Version 8.4 also includes the following security-related fixes from version 8.3 Patch 3:

Version 8.3 Tracking NumberDescription
AM-32194

The versions of Oracle Java SE and WebLogic used by RSA Authentication Manager 8.3 and the web tier were potentially vulnerable to security exploits.

AM-32132

Operating system components used by Authentication Manager were vulnerable to several security exploits.

AM-31981, AM-31982Elements of the Operations Console were vulnerable to Cross-Site Scripting (XSS) attacks
AM-31978Upgraded RSA Authentication Manager 8.3 instances allowed anonymous and weak ciphers on ports for internal RADIUS operations.
AM-31947Some Authentication Manager console pages which previously included only the "no-cache" value in the HTTP cache-control response header will now also include "no-store."
AM-31745, AM-31677

The Help documentation built into the Authentication Manager console pages was vulnerable to XSS attacks.

AM-18462Elements of the Security Console were vulnerable to XSS attacks.

Known Issues

 

 

 

 

 

Attachments

    Outcomes