Repair a Trust Relationship with a Realm
If you restore the RSA Authentication Manager primary instance on a machine with a new hostname, and you had a trust relationship previously with another realm, perform the following procedure to repair the trust between the two AM deployments.
Note: In an example where a New York realm is being joined to a London realm, it is important to note that the New York realm cannot be a cloned system of the London realm because the Authentication Manager database contains unique database identifiers. Trying to establish a trusted realm between two deployments with the same database identifiers will result in an error.
Note: You can also repair a trust relationship between RSA Authentication Manager and SecurID. For more information, see Repair an RSA Trusted Realm.
Before you begin
The administrator of the restored deployment and the administrator of the deployment where the trust will be repaired must be able to communicate directly while they perform this procedure.
Procedure
The administrator of the restored deployment performs the following steps to generate a trust package.
In the Security Console, click Administration > Trusted Realms > Manage Existing.
Under Trusted Realm Name, click the trusted realm name to repair.
From the context menu, click Generate Trust Package, and save the file (TrustPackage.xml).
After the trust package is saved, use a secure method to send the trust package to the administrator of the deployment where the trust will be repaired.
The administrator of the deployment where the trust will be repaired performs the following steps to import the trust package.
After receiving the trust package, click Administration > Trusted Realms > Manage Existing.
Under Trusted Realm Name, click the trusted realm name to repair.
From the context menu, click Repair Trust.
In the Trust Package from Trusted Realm field, enter the path to the new trust package by browsing to the package file, and click Open.
Click Next, and contact the restored realm administrator.
The administrator of the restored deployment performs the following steps to share the confirmation code with the administrator of the deployment where the trust will be repaired.
In the Security Console, click Administration > Trusted Realms > Manage Existing.
Under Trusted Realm Name, click the trusted realm name to repair.
From the context menu, click View, locate the confirmation code under Current Realm Confirmation Code, and read the code to the administrator of the deployment where the trust will be repaired to confirm that the trust package is valid.
The Current Realm Confirmation Code must match the administrator’s Trusted Realm Confirmation Code.
The administrator of the deployment where the trust will be repaired performs the following steps to repair the trust.
On the Update Trusted Realm page under Trusted Realm Confirmation Code, read the Trust Package Confirmation Code to the restored realm administrator to confirm that the trust package is valid.
The Trusted Realm Confirmation Code must match the restored realm administrator’s Current Realm Confirmation Code.
If the confirmation code does not match, ask the restored realm administrator to generate and send a new trust package.
Click Confirm and Next.
(Optional) For Authentication Status, select Authenticate Trusted Users if you want your realm to authenticate users from the trusted realm.
For Create Trusted Users in Security Domain, select the security domain that will own users from the trusted realm.
After your realm authenticates users from the trusted realm, the users must belong to a security domain in your realm. The security domain that you select must be configured to use the internal database as an identity source.
(Optional) In the Trusted User Name Identifier field, enter a unique identifier that your realm can recognize for the trusted user, and click Add. The unique identifier could be the user's domain name or e-mail address, such as jsmith@company.com. The value must be unique among trusted realms.
For example, suppose John Smith from Realm A is jsmith in his local realm. Your realm does not know the identity of jsmith. If you enter yourcompany.com in this field, this user will be identified within your realm as jsmith@yourcompany.com.
Click Save.
Restart the Authentication Manager services on the restored deployment to view the latest configuration in the Security Console.