Article Number
000039763
Applies To
RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Manager SDK
RSA Version/Condition: AM 8.4, 8.5, AMIS 1.3
Platform: Linux (Windows option with Prime)
Platform (Other): AM 8.x AMIS,
O/S Version: SUSE Linux 12
Product Name: Authentication Manager, AM Prime
Product Description: Authentication Manager, AM Integration Services, AMIS
Issue
The standard, default AMIS configuration "flattens" Authentication Manager Security Domains, so AMIS sees ALL users and tokens regardless of AM Security Domain/hierarchy.
Some customers will be looking for assistance to configure multi-tenant mode for AMIS/HDAP/SSP in \RSA\amis\am8-config.xml as a way to utilize AM Security Domains in AMIS.
Customers may consider moving to this model as a way to manage users and tokens in diverse, remote business regions. These customers will be asking for the steps needed to switch to multi-tenant mode.
Caution: Support should also provide related information on the implications of switching to multi-tenant mode, as well as suggesting an engagement with Professional Services to plan and implement this switch.
Task
Overview:
- Enable multi-tenant mode to utilize AM Security Domains: <Multi-tenant enabled="true" />.
- Set tokenRootSecurityDomain to the ‘root’ Security Domain if you want a common token area shared between all user domains.
- The bind account will need a top-level Security Domain view.
- Multi-tenant enforces AM Security Domains everywhere: AMIS, SSP, and HDAP.
- Be careful before enabling multi-tenant when the existing AMIS installation ran with flat AM Security Domains; you may want to engage Professional Services (PS).
- Restart AMIS services.
Resolution
Details
- The standard AMIS configuration "flattens" Authentication Manager Security Domains, so AMIS sees ALL users and tokens regardless of AM Security Domain/hierarchy. Enable multi-tenant by changing false to true in the \RSA\amis\am8-config.xml file:
<!-- <Multi-tenant enabled="false" tokenRootSecurityDomain="TokenPool"/> --><Multi-tenant enabled="false"/>
- When multi-tenant is enabled in the AMIS am8-config.xml, <Multi-tenant enabled="true" />, AMIS enforces the Security Domain hierarchy configured in Authentication Manager. There is also a special multi-tenant mode which utilizes AM Security Domains to logically separate users but allows for a shared token "pool", <Multi-tenant enabled="true" tokenRootSecurityDomain="TokenPool"/>, where communal tokens reside in the Security Domain defined by "tokenRootSecurityDomain", e.g. Security Domain TokenPool is where all users' tokens are kept.
- Multi-tenant does have unique requirements for the "amisbind" and "sspbind" account Security Domains. For example, "amisbind" and "sspbind" likely will need to reside at the highest level, SystemDomain, to ensure appropriate access.
- When multi-tenant is enabled, AMIS enforces AM Security Domain hierarchy everywhere, including HDAP, SSP, and AMIS service accounts. For example: If an HDAP administrator resides in the "ACME" Security Domain, they will only be able to see and manage users and tokens in the ACME Security Domain or a child thereof. Customers who have been running in the default or "flat" mode should NOT enable multi-tenant blindly.
- Bind accounts, service accounts, and users may have to be restructured prior to enabling to ensure proper behavior. In this case, we would recommend consulting with Professional Services (PS) to ensure proper research is done and required changes are implemented in the customer's environment prior to turning on multi-tenant.
- Restart AMIS services; refer to internal KB 31316, restart AMIS services.
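To confirm which of the three modes described above (flat, enforced hierarchy, or enforced hierarchy with a shared token pool) a given am8-config.xml is in before and after the switch, the following is an added example and not RSA's code; it assumes the Multi-tenant element sits somewhere under an enclosing root element, and the sample documents below are constructed from the element quoted in this article.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the <Multi-tenant> element quoted in this article.
# The enclosing <config> root is an assumption; the real am8-config.xml has other content.
FLAT_CONFIG = """<config>
<!-- <Multi-tenant enabled="false" tokenRootSecurityDomain="TokenPool"/> --><Multi-tenant enabled="false"/>
</config>"""
STRICT_CONFIG = """<config><Multi-tenant enabled="true" /></config>"""
POOL_CONFIG = """<config><Multi-tenant enabled="true" tokenRootSecurityDomain="TokenPool"/></config>"""


def describe_multi_tenant(xml_text):
    """Classify the AMIS mode implied by the Multi-tenant element.

    Returns {"mode", "enabled", "token_root", "notes"}; mode is "flat" (default,
    all Security Domains collapsed), "hierarchy" (AM Security Domains enforced
    in AMIS, SSP and HDAP) or "shared-token-pool" (hierarchy for users, communal
    tokens in the Security Domain named by tokenRootSecurityDomain).
    """
    root = ET.fromstring(xml_text)  # the commented-out variant is dropped by the parser
    elems = list(root.iter("Multi-tenant"))
    if len(elems) != 1:
        raise ValueError(f"expected exactly one Multi-tenant element, found {len(elems)}")
    elem = elems[0]
    enabled = elem.get("enabled", "false").strip().lower() == "true"
    token_root = elem.get("tokenRootSecurityDomain")
    notes = []
    if not enabled:
        mode = "flat"
        if token_root:
            notes.append("tokenRootSecurityDomain is set while multi-tenant is disabled; review before enabling")
    elif token_root:
        mode = "shared-token-pool"
        notes.append(f"communal tokens must reside in Security Domain '{token_root}'")
    else:
        mode = "hierarchy"
    if enabled:
        notes.append("amisbind/sspbind need a top-level (SystemDomain) view; "
                     "HDAP admins only see their own Security Domain and its children")
    return {"mode": mode, "enabled": enabled, "token_root": token_root, "notes": notes}


def describe_file(path):
    """Run the same classification against an am8-config.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return describe_multi_tenant(fh.read())


if __name__ == "__main__":
    for name, cfg in (("flat", FLAT_CONFIG), ("strict", STRICT_CONFIG), ("pool", POOL_CONFIG)):
        print(name, describe_multi_tenant(cfg))
```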
Authentication Manager Prime has three components that each run its own Apache Tomcat instance. These are:
Authentication Manager Integration Service (AMIS);
Authentication Manager Help Desk Admin Portal (HDAP); and
Authentication Manager Self-Service Portal (SSP).
For AM Prime on Windows there will be three Tomcat service stop/start icons; right-click on them to stop, start, or restart. Alternatively, look in Windows Services for these Tomcat services.
For AM Prime on Linux, SSH or access the Linux console and run the following from the command line (from any directory), choosing stop, start, or restart as needed:
service tomcat-amis stop | start | restart
service tomcat-ssp stop | start | restart
service tomcat-hdap stop | start | restart