Summary:
The RSA Via Lifecycle and Governance (RSA Via L&G) product team continues to work hard to complete the next major release for this product. As originally communicated back in May, in preparation for this release we wanted to ensure our customer base is aware of product changes that may impact your current deployment. This message identifies actions you can take to assess potential impacts as well as tools that we are making available to assist with this assessment and get a jump on data cleanup prior to upgrading.
Customers should review the details provided below on the following changes that are coming as part of this major RSA Via L&G release:
- Migration Utility available
- Database upgrade from Oracle 11.x Standard Edition (SE) to Oracle 12c Enterprise Edition (EE)
- Deprecation of support for earlier Internet Explorer (IE) versions
- Deprecation of support for original Aveksa Security Model
- Deprecation of Identity Collector (IDC) groups
- Rejection of duplicate entitlements
- Rejection of cyclic groups
- Significant role data collector changes
Details:
Migration Utility Available
RSA provides a migration utility that generates reports listing issues with your current configuration and provides guidance on how to resolve them. You must use the migration utility to assess the impact to your system and, if necessary, modify collectors and data before you perform an upgrade. If no action is taken, the migration will remove all problem data that is found in these areas.
The Migration Utility is available on SCOL at the RSA Via Lifecycle & Governance 7.0 Migration Utility page (https://knowledge.rsasecurity.com/scolcms/set.aspx?id=10844). Also posted at that location is a document providing instructions on installation and use of the migration report.
Database Upgrade from Oracle 11.x SE to Oracle 12c EE
In order to better support existing and future memory utilization, our 7.0.0 release will require you to upgrade to Oracle 12c EE. We will be shipping version 12.1.0.2 of the Oracle 12c EE database with the appliance form factors of the RSA Via L&G 7.0.0 release. During installation, you will be prompted to create a valid backup of your most recent data before proceeding. Additionally, please note that if you are using a remote database, you will not be permitted to upgrade to RSA Via L&G 7.0.0 unless that database is Oracle 12.1.0.2. (Oracle has announced end-of-support for their 11.x database - http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf).
Deprecation of Support for Older Versions of Windows Internet Explorer (IE)
If you use IE to access your RSA Via L&G 7.0.0 application, you will be required to use IE 10 or higher. There are numerous reasons for this, but a central one remains security. Microsoft has announced end-of-life for IE8 and security support will end in January 2016. Moreover, Chrome, Firefox and IE10 forward are considered "evergreen browsers" - thus, browser providers will auto-update their respective browsers on a regular basis.
Dropping Support for Original Security Model
The pre-6.5 version of our security model will no longer function - it has been replaced by an updated model. 6.5 systems and newer already use the new security model unless you explicitly changed the configuration to the older model. When you start the 7.0.0 system, it will check if the pre-6.5 security model has been migrated to the current security model - if it has not, it will migrate what it can of the previous security model to the current model. Please note that you will no longer be permitted to re-invoke the pre-6.5 security model.
Deprecation of Identity Collector (IDC) Groups
IDC Groups have been deprecated since the 6.0 release. Although we did grandfather in existing configurations, we are now changing the system so that it will no longer collect IDC Groups. To still have the groups in the system, a similarly configured Account Data Collector (ADC) will have to be configured to collect the groups and their members. Any Entitlement Data Collector will then have to be reconfigured to resolve its collected group information to the new ADC.
Duplicate Entitlement Rejection
Multiple collectors can be configured to collect objects for an Application (accounts, entitlements, application roles, etc.). Previously, if more than one collector collected an application role, it would show up twice in the system, causing confusion among users. Now, when a subsequent collector collects a duplicate name within an application, it will be rejected.
Cyclic Group Rejection
Previously we allowed cycles in groups to be collected and stored in the system. We will no longer allow cycles to be collected. If we now collect a group to sub-group relationship and find that it causes a loop with any other group data in the system we will reject the collected group relationship.
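The rejection rule described above can be illustrated with a short script. This is an added example on constructed group names, not RSA's implementation or the migration utility; it assumes group relationships are available as (parent, sub-group) pairs and shows that which relationship gets rejected depends on the order in which relationships are collected.

```python
from collections import defaultdict

def collect_group_edges(existing, collected):
    """Apply collected (parent, subgroup) pairs on top of existing ones.

    Returns (accepted, rejected). A pair is rejected when the parent is
    already reachable from the subgroup, i.e. storing it would close a loop.
    """
    children = defaultdict(set)
    for parent, sub in existing:
        children[parent].add(sub)

    def reachable(start, target):
        # Iterative depth-first search over group -> sub-group edges.
        stack, seen = [start], set()
        while stack:
            node = stack.pop()
            if node == target:
                return True
            if node in seen:
                continue
            seen.add(node)
            stack.extend(children[node])
        return False

    accepted, rejected = [], []
    for parent, sub in collected:
        if reachable(sub, parent):  # also true when parent == sub
            rejected.append((parent, sub))
        else:
            children[parent].add(sub)
            accepted.append((parent, sub))
    return accepted, rejected

# Constructed sample data: relationships already stored, then a new collection run.
EXISTING = [("Finance", "AP"), ("AP", "AP-Approvers")]
COLLECTED = [
    ("AP-Approvers", "Finance"),  # would close Finance -> AP -> AP-Approvers -> Finance
    ("Finance", "AR"),
    ("AR", "AR"),                 # a group listed as its own sub-group
    ("AR", "AP"),
]

if __name__ == "__main__":
    ok, bad = collect_group_edges(EXISTING, COLLECTED)
    print("accepted:", ok)
    print("rejected:", bad)
```

Running a check like this against an export of current group data shows which relationships would be dropped, so the source directory can be corrected before the upgrade.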
Significant Changes to Role Data Collector (RDC)
- There is a new configuration wizard to make the RDC consistent with the other collectors.
- We will no longer allow for the collection of Groups as members of a role, but still allow groups to be part of the role definition.
- We have also broken the relationship between the RDC and the Entitlement Data Collector (EDC). The new EDC will no longer collect any entitlements for an RDC. The RDC is now responsible for collecting all of its members and its entire definition. This will require a reconfiguration of the RDC and the EDC as well as a change in the order of their execution. Now an RDC will need to run last after all the other collections have occurred.
- The RDC no longer has an application mapping. Instead, we advise you to collect a reference to the application for any entitlements in the role's definition and then specify which attribute of an application is used for the translation.
Recommendation:
We strongly recommend that customers review the information and actions identified above to assist with preparations for the upcoming major release of the RSA Via L&G platform (V7.0.0).
As noted in the recently published message on branding changes (https://knowledge.rsasecurity.com/scolcms/set.aspx?id=10849), RSA Identity Management and Governance (IMG) has been rebranded to RSA Via Lifecycle and Governance (RSA Via L&G). In April RSA rolled out RSA Via (http://rsavia.com/), the smart identity solution that protects from endpoint to cloud. RSA Via L&G are crucial pillars of this solution. And, as an IMG customer (now RSA Via L&G customer), you are already a part of the RSA Via family.
Join the RSA Via Lifecycle and Governance (RSA Via L&G) Community
Use the RSA Via L&G Community to interact with your peers, other RSA Via L&G users, implementation partners and RSA consultants. You can post comments, ask questions, or answer questions that others have posted. Whether you are a brand new customer of RSA Via L&G, or have been using the product for years, we believe that you'll find this private community to be valuable.
The RSA Via L&G Community is a private community and is only available to RSA Via L&G clients, partners and internal RSA staff. To join the RSA Via L&G Community, please complete the following steps:
1. Register an account on the EMC Community Network (ECN): https://developer-content.emc.com/login/register.asp
2. Complete the RSA Via L&G Access Request form. This is a one-time only event that allows your account to access the RSA Via L&G Community. Please ensure you add in your partner or client name, so we can confirm who you are. https://developer-content.emc.com/email/request-rsa-img.htm
Link: https://community.emc.com/community/connect/rsaxchange/rsa-img