RSA Authentication Manager 8.4 includes the following new features and enhancements:
- Obtain the Azure Virtual Appliance from the Azure Marketplace
- Easier Access to RSA SecurID-Protected Resources for Multifactor Authentication Users
- Major Platform Upgrade Enhances Best-In-Class Enterprise Grade Security
- Upgrades to FIPS Compliance for Cryptographic Operations
- 1024-Bit Certificates are No Longer Supported
- Ability to Delete a Console or Virtual Host Certificate
- Additional Improvements
- RSA Authentication Agent Support
- Upgrading from RSA Authentication Manager 8.3
For a complete list of product documentation, see the RSA Authentication Manager 8.4 Documentation Page.
The Cloud Authentication Service and RSA SecurID Authenticate App Release Notes are available here.
Note: Before upgrading to RSA Authentication Manager 8.4, you must replace any 1024-bit certificates for the LDAPS protocol or custom console certificates. For more information, see 1024-Bit Certificates are No Longer Supported.
This release adds support for the Azure virtual appliance. The Azure virtual appliance is deployed with an Azure Virtual Machine image file that RSA provides in the Azure Marketplace. You must create a virtual network on Azure with a private subnet. U.S. government agencies at the federal, state, and local level, and other security-sensitive entities can utilize the Azure Government Cloud.
You can deploy your Authentication Manager primary instance and all of your replica instances in the Azure cloud, or you can deploy a primary instance on your local network and your replica instances in Azure.
New multifactor authentication users, who do not have RSA SecurID hardware or software tokens, are automatically registered in RSA Authentication Manager and able to access RSA SecurID-protected resources. You and a Super Admin for the Cloud Administration Console must configure communication between an identity router and Authentication Manager, but you no longer need to establish a trusted realm or run CLUs, simplifying this integration and dramatically reducing the time you spend on administration.
These same multifactor authentication users can use Authentication Manager services, such as emergency access to RSA SecurID agent-protected resources. For example, users who lose their mobile devices can request emergency access tokencodes by logging on to the Self-Service Console or by contacting an Authentication Manager Help Desk administrator.
The overall security profile has been improved with platform updates to Java 8, Weblogic v12.2, RSA BSAFE Crypto Library J 126.96.36.199.1 and an RSA-hardened SUSE Linux Enterprise Server (SLES) 12 Service Pack 3.
Secure syslog forwarding to multiple external servers and secure backup to Windows servers over SMBv2/SMBv3 greatly improve the protection of data in transit. Version 8.4 no longer supports the Server Message Block (SMB) version 1 (SMBv1) protocol on the Windows operating system. Instead, you must use SMBv2 or SMBv3 for tasks such as upgrading Authentication Manager, saving and restoring backup files, and backing up system log files.
RSA Authentication Manager 8.4 has “FIPS-inside” by incorporating FIPS-compliant cryptographic library module RSA BSAFE® Crypto-J 188.8.131.52.1 (NIST Certificate # 3184). Authentication Manager uses a version of the Crypto-J 6.2.4 library that inherits its FIPS 140-2 status from the RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.4. For more information, see the RSA BSAFE Crypto-J 6.2.4 Security Policy Level 1 document (Crypto-J_6.24_SecurityPolicyLevel1.pdf) at https://community.rsa.com/docs/DOC-86255.
Federal Information Processing Standards Publication 140-2 - Security Requirements for Cryptographic Modules (FIPS 140-2) details the U.S. Government requirements for cryptographic modules. For more information about the FIPS 140-2 standard and validation program, see the NIST website: http://www.nist.gov/.
Authentication Manager incorporates libraries that were independently audited by the NIST certified laboratory Gossamer laboratories Inc., an independent accredited lab under the National Voluntary Laboratory Accreditation Program (NVLAP Lab Code 200997-0). The base version of the cryptographic library incorporated into Authentication Manager was certified as FIPS compliant. This covers all algorithms that were required to be tested at the time of the certification.
The following items use FIPS-certified cryptographic implementations on the server side:
- Internal Authentication Manager communication between the primary instance, the replica instances, and Authentication Manager deployed on the web-tier servers.
- Sensitive database records, such as password hashes, PINs, and token seeds, are encrypted and decrypted with FIPS-compliant algorithms.
- Web Console interfaces, such as the Operations Console, Security Console, and the Self-Service Console.
- Risk-based authentication (RBA).
- Dynamic seed provisioning information that is exchanged with the four-pass CT-KIP protocol.
- Authentication Manager backup and restore feature encryption.
- LDAP connections between Authentication Manager and identity sources.
- TCP-protocol network connections, such as an IPv4/IPv6 network connection.
- RSA Authentication Manager SDK using a FIPS-compliant Java Runtime Environment (JRE).
Other components may use non-FIPS-compliant algorithms as needed to support backward compatibility.
As part of the stronger security profile, Authentication Manager no longer supports 1024-bit certificates for the LDAPS protocol or custom console certificates. Before upgrading to RSA Authentication Manager 8.4, you must replace them with certificates of at least 2048 bits.
This change affects OpenLDAP connections in Authentication Manager that use a default key size of 1024 bits. For example, if you add an Oracle Directory Server as an identity source, you must replace the default 1024-bit Oracle Directory Server certificate with an LDAPS certificate of at least 2048 bits.
You must also regenerate and replace any custom console certificates that are 1024 bits.
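A pre-upgrade inventory check for the 1024-bit rule above, written as an added example for these notes; it is not RSA's code and is not part of the product. It parses the PEM certificates an administrator exports (or the chain a live LDAPS listener presents) and flags every RSA key shorter than 2048 bits, so weak directory-server or custom console certificates are found before the upgrade rather than by a failed upgrade. The host names, common names and self-signed sample certificates are constructed for the demo; the endpoint function assumes a plain TLS-on-636 LDAPS listener.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MinKeyBits is the minimum key size Authentication Manager 8.4 accepts for
// LDAPS and custom console certificates, as stated in the release notes.
const MinKeyBits = 2048

// ParsePEMCerts parses every CERTIFICATE block in pemData (a single cert or a
// whole chain) and returns the parsed certificates in file order.
func ParsePEMCerts(pemData []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for {
		block, rest := pem.Decode(pemData)
		if block == nil {
			break
		}
		pemData = rest
		if block.Type != "CERTIFICATE" {
			continue // skip keys, CRLs and other PEM objects
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found")
	}
	return certs, nil
}

// AuditCerts returns one finding per certificate whose RSA key is shorter than
// minBits. Non-RSA keys (for example ECDSA) are skipped, because the 2048-bit
// minimum in the notes is an RSA key length.
func AuditCerts(certs []*x509.Certificate, minBits int) []string {
	var findings []string
	for _, c := range certs {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if bits := pub.N.BitLen(); bits < minBits {
			findings = append(findings, fmt.Sprintf("%s: RSA %d-bit key (minimum %d)",
				c.Subject.CommonName, bits, minBits))
		}
	}
	return findings
}

// AuditEndpoint connects to an LDAPS listener such as "ldap.example.test:636"
// (assumed host name) and audits the chain it presents. Verification is skipped
// on purpose: this is a key-size inventory, not a trust decision, so an expired
// or not-yet-trusted certificate is still measured.
func AuditEndpoint(addr string, minBits int) ([]string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return AuditCerts(conn.ConnectionState().PeerCertificates, minBits), nil
}

// SelfSignedPEM builds a constructed self-signed RSA certificate of the given
// key size so the audit can be exercised offline. It is sample input only, not
// a real directory-server certificate.
func SelfSignedPEM(cn string, bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed demo: a 1024-bit cert must be flagged, a 2048-bit cert must pass.
	for _, bits := range []int{1024, 2048} {
		pemData, err := SelfSignedPEM(fmt.Sprintf("ldap-%d.example.test", bits), bits)
		if err != nil {
			panic(err)
		}
		certs, err := ParsePEMCerts(pemData)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d-bit certificate: findings %v\n", bits, AuditCerts(certs, MinKeyBits))
	}
}
```

Run it against the certificate exported from each identity source and each custom console certificate; an empty findings list for every file means the deployment meets the 2048-bit requirement before the 8.4 upgrade is started.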
You can delete a console or virtual host certificate that is no longer required, for example, when the certificate has expired and a new one has been issued. The certificate that you are deleting must not be the active certificate. The default certificate that is signed by an internal RSA certificate authority (CA) cannot be deleted.
Deleting the console or virtual host certificate removes it from your deployment. The certificate authority is also removed, unless it is used by other certificates.
RSA Authentication Manager contains the following additional improvements.
| Improvement | Description |
|---|---|
| Clonezilla supported for the version 8.4 hardware appliance | RSA supports using Clonezilla Release 2018-08-12 (clonezilla-live-20180812-bionic-amd64.iso) to back up and restore RSA Authentication Manager 8.4 on the hardware appliance. For version 8.4, the PING backup utility is not supported; earlier versions of Authentication Manager can continue to use PING. For the latest Clonezilla software and documentation, go to https://clonezilla.org/downloads.php. For instructions, see “Using Clonezilla to Back Up and Restore the RSA Authentication Manager 8.4 Hardware Appliance” on RSA Link at https://community.rsa.com/docs/DOC-97375. |
| Amazon Web Services virtual appliance evaluation kit | You can now evaluate RSA Authentication Manager on either a VMware virtual appliance or an Amazon Web Services virtual appliance. |
| Updated the web-tier server minimum hardware requirements | The web-tier server requires hardware that meets or exceeds the following minimum requirements: |
| Updated the Help system format for the RSA Authentication Manager 8.4 Developer's Guide | The Developer's Guide Help system has been updated to the same HTML5 format used in the Operations Console and Security Console Help. You can open the new guide with any supported browser. Note: The Developer’s Guide and the software development kit (SDK) are in the Extras download kit, rsa-am-extras-184.108.40.206.zip. |
RSA authentication agent software is available on the RSA website at https://www.rsa.com/en-us/products/rsa-securid-suite/rsa-securid-access/securid-authentication-agents.html and on the RSA Link RSA SecurID Access Product Versions page.
Note: RSA Authentication Manager 8.4 supports RSA Authentication Agent 7.3 or later for Microsoft Windows. For upgrade instructions, see the RSA Authentication Agent for Microsoft Windows documentation page.
You may also purchase products that contain embedded RSA authentication agent software. The software is embedded in a number of products, such as remote access servers, firewalls, and web servers. For more information, go to the RSA Ready Partner website at www.rsaready.com.
RSA Authentication Manager 8.3 can be upgraded to version 8.4. A direct upgrade from earlier releases is not supported.
If your deployment is on version 8.3 Patch 5, you must apply version 8.3 Patch 6 before upgrading to version 8.4. If it is on an earlier patch, you can apply Patch 4 or Patch 6 to obtain the fix that allows you to upgrade to version 8.4 through your browser.
The following table shows the upgrade paths.
Note: Before upgrading, a backup is strongly recommended. The upgrade to RSA Authentication Manager 8.4 is not reversible. If the upgrade patch is not applied successfully, you must restore from a backup file, an Amazon Web Services snapshot, a VMware snapshot, or a Hyper-V checkpoint. Trying to apply version 8.4 again is not recommended.
In addition, you must replace any 1024-bit certificates for the LDAPS protocol or custom console certificates. For more information, see 1024-Bit Certificates are No Longer Supported.
| Virtual appliance | Upgrade path |
|---|---|
| Azure virtual appliance | Version 8.4 introduces the Azure virtual appliance with support for a mixed deployment of Cloud and on-premises appliances. To upgrade an existing deployment: |
| Amazon Web Services (AWS) virtual appliance | Version 8.3 introduced the AWS virtual appliance with support for a mixed deployment of Cloud and on-premises appliances. After upgrading to RSA Authentication Manager 8.3 or 8.4, you can deploy the AWS virtual appliance. |
| VMware virtual appliance | |
| Hyper-V virtual appliance | |
RSA Authentication Manager 8.4 includes the software fixes in the cumulative Patch 2 for version 8.3, and the additional Patch 3 security fixes that are listed in Fixed Issues on page 1. Applying version 8.4 removes any software fixes that are not included in the cumulative Patch 2 for version 8.3 or listed in Fixed Issues on page 1. To obtain all of the software fixes in Patch 3 and later version 8.3 patches, you must apply version 8.4 patches as they become available.
You can apply the version 8.4 update from a Windows shared folder, an NFS share, or a DVD or CD. Version 8.3 Patch 4 is required to upload version 8.4 with a web browser from your local machine.
For the upgrade instructions, see Appendix A, “Upgrading to RSA Authentication Manager 8.4” in the RSA Authentication Manager 8.3 Setup and Configuration Guide. Upgrading to the latest version of Authentication Manager maintains existing trusted realm relationships with Authentication Manager 8.0 or later deployments.
RSA Authentication Manager 8.4 includes the fixes that were provided in Patch 1 and Patch 2 for RSA Authentication Manager 8.3.
The new features and enhancements from these patches are also included:
- The web tier is compatible with Windows Server 2016 Standard.
- You can configure the maximum lifetime for new emergency access tokencodes.
For details on the enhancements and the complete list of resolved issues, see the RSA Authentication Manager 8.3 Patch 2 Readme.
Version 8.4 also includes the following security-related fixes from version 8.3 Patch 3:
| Version 8.3 Tracking Number | Version 8.4 | Description |
|---|---|---|
| | | The versions of Oracle Java SE and WebLogic used by RSA Authentication Manager 8.3 and the web tier were potentially vulnerable to security exploits. |
| | | Operating system components used by Authentication Manager were vulnerable to several security exploits. |
| AM-31981, AM-31982 | AM-32304 | Elements of the Operations Console were vulnerable to Cross-Site Scripting (XSS) attacks. |
| AM-31978 | AM-32212 | Upgraded RSA Authentication Manager 8.3 instances allowed anonymous and weak ciphers on ports for internal RADIUS operations. |
| AM-31947 | AM-32305 | Some Authentication Manager console pages which previously included only the "no-cache" value in the HTTP Cache-Control response header now also include "no-store". |
| AM-31745, AM-31677 | AM-32306, AM-32307 | The Help documentation built into the Authentication Manager console pages was vulnerable to XSS attacks. |
| AM-18462 | AM-32308 | Elements of the Security Console were vulnerable to XSS attacks. |