There are 3 main drivers to consider when contemplating an update of RSA SecurID Access Prime software in your environment:

1. Compatibility:
   Does your Prime software need to be updated for compatibility with the RSA-supported version of RSA Authentication Manager and/or RSA Cloud Authentication Service that you are upgrading to? Is your Prime version compatible with your underlying system infrastructure (e.g., Java, Tomcat, OS, etc.)?
   
   
2. Security:
   Is there a critical Prime software security fix that needs to be applied? Is there a required security improvement/fix in an underlying system (e.g., Java, Tomcat, OS) that needs to be accounted for?  
   
   
3. Feature/Functionality:
   Is there a new Prime software feature or functionality that you require that is included in a more recent Prime software release? Is your Prime deployment based on the PrimeKit installation methodology from RSA Professional Services?
   
   

If none of the drivers above are in play, then it is recommended to apply a "if it ain't broke, don't fix it" philosophy. Continue to review on a periodic basis for any upcoming events that might trigger one or more of the drivers above, such as AM upgrades, underlying platform refreshes, or RSA solution expansion.

Below are specific guidelines around Prime compatibility and requirements for updates:
 

1. From AM 8.x to 8.2 there were underlying changes to the AM CT-KIP provisioning implementation. If you are upgrading AM from a version prior to AM 8.2 or later, then you must ensure that you are running a Prime build from June 2017 or later. If not, you will need to include a Prime update as part of your overall AM environment upgrade plan.  
   
   
2. From AM 8.2 onward Authentication Manager supports a strict TLS mode that only uses TLS 1.2 for communication within your Authentication Manager deployment. Underlying Java and Tomcat must support TLS 1.2. If you are upgrading AM from a version prior to AM 8.2 or later, then you must ensure that you are running a Prime build from June 2017 or later. If not, you will need to include a Prime update as part of your overall AM environment upgrade plan.
   
   
3. If you are moving to AM 8.4 to better leverage integration with the RSA Cloud Authentication Service then you should be running a Prime build from January 2019 or later to maximize Prime integration with the Cloud Authentication Service APIs and features for supporting RSA SecurID Authenticate.
   
   
4. If you are running a Prime build that is older than June 2017, you should strongly consider an environment refresh that redeploys Prime components based on the PrimeKit installation methodology.
   
   

In all cases, it is advised that you engage with RSA Professional Services to ensure that you are optimizing your Prime deployment and properly planning your Prime software update.

Note that you must have an active RSA support agreement for Prime in order to be eligible for Prime software updates.