RSA^® Authentication Manager Documentation

For more information, see Planning the Upgrade from RSA Authentication Manager 8.2 SP1, 8.3, or 8.4.

Note: The current RSA Authentication Manager 8.5 upgrade kit prevents an internal replication error that sometimes occurred immediately after the upgrade completed. For more information, see the RSA Authentication Manager 8.5 Known Issues. 

RSA Collecting Usage Data to Improve Customer Satisfaction

RSA is collecting data that will help RSA better understand product configuration and usage, improve support, and focus development efforts to dramatically improve customer satisfaction. No personal identifiable information (PII) or sensitive information is collected.

The Telemetry service is automatically enabled and configured when you install or upgrade to RSA Authentication Manager 8.5. Telemetry data is collected for the primary instance and each replica instance, and stored offline for the number of days that you configure. RSA assigns each customer deployment a time to send the data that is between 1:00 AM and 5:00 AM local time.

To view the data that is sent to RSA, you can download the telemetry log files. For instructions, see Download Troubleshooting Files.

For information on the system data collection and usage policy, see "RSA’s right to collect System Data" in Product Usage Rights: https://www.rsa.com/content/dam/en/terms/units-of-measure.pdf.

Additional Improvements

RSA Authentication Manager contains the following additional improvements.

Planning the Upgrade from RSA Authentication Manager 8.2 SP1, 8.3, or 8.4

RSA Authentication Manager 8.2 SP1, 8.3, or 8.4 can be upgraded directly to version 8.5. From earlier versions, you can upgrade to version 8.2 SP1 and then upgrade directly to version 8.5. For instructions, see Appendix A, “Upgrading to RSA Authentication Manager 8.5” in the RSA Authentication Manager 8.5 Setup and Configuration Guide.

To use some version 8.5 features, such as the embedded identity router and high availability when the connection to the Cloud Authentication Service is not available, an Authentication Manager deployment that is already connected to the Cloud Authentication Service must connect again after upgrading to version 8.5. To re-establish your connection, see Edit the Cloud Authentication Service Connection.

Before you upgrade, note the following:

• A backup is strongly recommended. RSA Authentication Manager 8.5 is not reversible. If the upgrade patch is not applied successfully, you must restore from a backup file, an Amazon Web Services snapshot, an Azure snapshot or Azure Backup, a VMware snapshot, or a Hyper-V checkpoint. Trying to apply version 8.5 again is not recommended.
• You can apply the version 8.5 update from a Windows shared folder, an NFS share, or a DVD or CD. Applying the version 8.5 upgrade through your local web browser is not supported.
• Upgrading to the latest version of Authentication Manager maintains existing trusted realm relationships with Authentication Manager 8.0 or later deployments.

Certificate Requirements for Version 8.5

RSA Authentication Manager 8.5 requires LDAPS protocol and custom console certificates that are at least 2048 bits. Before upgrading from RSA Authentication Manager 8.2 SP1 or 8.3, you must replace any 1024-bit certificates with the required 2048 bits certificates. RSA Authentication Manager 8.4 already uses the required certificates.

This security upgrade affects openLDAP connections in Authentication Manager with a default keysize of 1024. For example, if you add an Oracle Directory Server as an identity source, you must replace the default 1024-bit Oracle Directory Server certificate with an LDAPS protocol certificate that is at least 2048 bits.
You must also regenerate and replace any custom console certificates that are 1024 bits.

Web Tier Hardware Requirements for Version 8.5

RSA Authentication Manager 8.5 has the following minimum hardware requirements for the web-tier server:

• 2 GB for web tier installation and 4 GB to 20 GB free space for logs and updated component downloads
• 4 GB of memory
• At least two virtual CPUs

Upgrading an Existing Deployment that Does Not Yet Use Azure or Amazon Web Services

You can upgrade an existing RSA Authentication Manager deployment that is not yet using the Azure Cloud or Amazon Web Services (AWS) Cloud.

The Azure virtual appliance supports a mixed deployment of Cloud and on-premises appliances. To upgrade an existing deployment that is not yet using the Azure virtual appliance, do the following:

1. From earlier releases, upgrade to RSA Authentication Manager 8.5.
2. Deploy new RSA Authentication Manager 8.5 replica instances in Azure.
3. To move your primary instance into Azure, promote a replica instance, and delete your existing primary instance. If the new primary instance and the replica instances are out-of-sync, you must synchronize each out-of-sync replica instance in the primary instance Operations Console.

The Amazon Web Services (AWS) virtual appliance supports a mixed deployment of Cloud and on-premises appliances. To upgrade an existing deployment that is not yet using the AWS virtual appliance, do the following:

1. From earlier releases, upgrade to RSA Authentication Manager 8.5.
2. Deploy new RSA Authentication Manager 8.5 replica instances in AWS.
3. To move your primary instance into AWS, promote a replica instance, and delete your existing primary instance. If the new primary instance and the replica instances are out-of-sync, you must synchronize each out-of-sync replica instance in the primary instance Operations Console.

RSA Authentication Agent Support

RSA authentication agent software is available at https://www.rsa.com/en-us/products/rsa-securid-suite/rsa-securid-access/securid-authentication-agents.html and on the RSA Link RSA SecurID Access Product Versions page.

RSA Authentication Manager 8.5 continues to support your authentication agents that use the UDP protocol.

REST protocol authentication agents, such as RSA Authentication Agent 2.0 or later for Microsoft AD FS, RSA Authentication Agent 8.0 or later for PAM, and RSA MFA Agent 2.0 for Microsoft Windows, can use RSA Authentication Manager 8.5 as a secure proxy server for the Cloud Authentication Service.

RSA Authentication Agent for Citrix StoreFront requires version 2.0.1 to use RSA Authentication Manager 8.5 features. You can download the version 2.0.1 upgrade.

RSA MFA Agent 2.0 for Microsoft Windows adds support for a direct connection to RSA Authentication Manager 8.5 and support for version 8.5 features. For more information, see the RSA Link page for RSA MFA Agent for Microsoft Windows.

You may also purchase products that contain embedded RSA authentication agent software. The software is embedded in a number of products, such as remote access servers, firewalls, and web servers. For more information, go to the RSA Ready Partner website at www.rsaready.com.

Fixed Issues

RSA Authentication Manager 8.5 includes the software fixes in the cumulative Patch 13 for version 8.4. Applying version 8.5 removes any software fixes that are not included in the cumulative Patch 13. To obtain these all of the software fixes in Patch 14 and later version 8.4 patches, you must apply version 8.5 patches as they become available. For the complete list of resolved issues, see the RSA Authentication Manager 8.4 Patch 13 Readme.

Known Issues

See RSA Authentication Manager 8.5 Known Issues.

Copyright 1994-2020 RSA Security LLC or its affiliates. All rights reserved. RSA Conference logo, RSA, and other trademarks are trademarks of RSA Security LLC or its affiliates. For a list of RSA trademarks, https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks are trademarks of their respective owners.

July 2020

Revised: September 2020

Intellectual Property Notice

This software contains the intellectual property of RSA or is licensed to RSA from third parties. Use of this software and the intellectual property contained therein is expressly limited to the terms and conditions of the License Agreement under which it is provided by or on behalf of RSA.

Open Source License

This product may be distributed with open source code, licensed to you in accordance with the applicable open source license. If you would like a copy of any such source code, RSA or its affiliates will provide a copy of the source code that is required to be made available in accordance with the applicable open source license. RSA or its affiliates may charge reasonable shipping and handling charges for such distribution. Please direct requests in writing to RSA Legal, 174 Middlesex Turnpike, Bedford, MA 01730, ATTN: Open Source Program Office.

System Data Collection and Usage Policy

In certain circumstances, RSA collects data from customer installations of RSA products for purposes including but not limited to accurate billing of product usage and to maintain and improve RSA products. For details see "RSA’s right to collect System Data" in Product Usage Rights: https://www.rsa.com/content/dam/en/terms/units-of-measure.pdf.