SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
Occasional Contributor
Occasional Contributor

RSA Auth Manager upgrade


I'd like to share a customer upgrade project, and choose the best strategy for such upgrade. I think it is a frequent scenario for several customers, now that some hardware appliances are reaching their EOSLs.

The customer have hardware AM appliances, one Primary and several Replicas, version 8.1.

They want to migrate to new hardware AM appliances (model 350) plus AM in virtual machines.


The idea is to preserve the IPs of all the current instances in the new ones, so that they do not need to reconfigure the agents.


The proposed strategy, begins with updating all the instances to latest version and patch, and then inserting the new instances as replicas (both hardware and virtual), with new IPs. Then at least a Replica Promotion and the IP reconfiguring of the new instances need to be done, but, what order do you think is optimal (less risky, minimizing downtime).


Thanks un advance.

1 Reply
Apprised Contributor Apprised Contributor
Apprised Contributor

Certainly updating one Primary and several Replicas, from version 8.1 to AM 8.4 is a good, supported path to take, which requires each service pack or minor version to be applied one at a time, primary first, replicas after (also one at a time), so depending on the number of replicas this could take a while.


A variation on this plan might be to only update the primary and 1 replica in this way, to speed things up but still retain some redundancy, then attach new hardware to the updated Primary, followed by promotion of the new hardware primary.

Another variation on the same theme for faster with less redundancy would be to only update the primary.


A different approach, which would depend on the number of agents, RADIUS clients, RADIUS profiles and User/Token policies you have configured would be to simply deploy a new hardware Primary at AM 8.4 plus patch then configure any external LDAP Identity Sources, then export users and tokens from AM 8.1 primary and import them into the new hardware 8.4 Primary, and recreate agents and RADIUS configuration. Attach new replicas as needed. This is a very good way to test 8.4, possibly much faster, drawback is reporting information from old AM 8.1 remains in AM 8.1 primary so might need to be archived.