Migrating to RSA® Authentication Manager Version 8.1
©2014 EMC Corporation All Rights Reserved
Why Migrate to AM 8.1?
• Solid, quality release puts your authentication platform on excellent footing for the future
– RSA has spent many cycles ensuring the highest quality release
– Quality validated by thousands of customers who have migrated since March 2013
• Compelling new authentication feature set
– Risk-Based Authentication (RBA) extends strong authentication to new audiences such as contractors, temporary workers, audit teams, customers
– Improved software token provisioning eases implementation
• Lowers cost
– User Dashboard
– Self Service Console
– Virtual or Hardware Appliance
– Many Administrative Improvements
Authentication Manager 8 Delivers
“We did 4.8 MILLION auths in 10 hours without a single failure.”
- Global Financial Institution
“The cleanest beta we have ever been involved with”
- Large Healthcare Provider
“Congratulations on AM8: a DREAM COME TRUE…” “The AM8 testing has gone well and the product has functioned as advertised”
- Fortune 100 Customer
SC Magazine Blind Product Review
• No opportunity to review results
• No support: Ship software and authenticators
“RSA stated Quick Set-up takes 20 minutes. Simply not true. Our entire setup was completed in 10 minutes.”
“Version 8.0 offers multiple noticeable upgrades from version 7.0. Most noticeable is the new centralized dashboard and the way the tool works with VMware ESX & ESXi virtualization.”
Learn More http://www.scmagazine.com//rsa-tokens/review/4085/
AM 6.1 & AM 7.1 End of Primary Support
• AM v6.1
– EOPS Dec 2014
– No Extensions
– Migration Assessment Tool and Migration Training on SCOL
• AM v7.1
– EOPS Dec 2014
– No Extensions
• RSA SecurID Appliance 3.0
– R200 and 2950 EOPS Dec 2014
– R210 and R710 Based Appliances are Supported
SecurID Software Authenticator 2.0
Key Features
• New user friendly UI with native OS look and feel
• Multi token support
• Simple QR Code token provisioning
Blackberry 10: Aug 2013
Android: Dec 2013
Windows Phone: Dec 2013
iOS: Jun 2014
AM Prime Suite
Value Added Packaged Software Automates AM Operations
• AM Integration Services (AMIS)
– Description: Middleware facilitates & simplifies integration with AM; business logic-level REST-based web services
– Customer Fit: Integration of custom-built web portal/tools; integration with 3rd party Enterprise systems (AD, IVR, IDM, MDM, etc.)
• AM Prime Self-Service Portal (SSP)
– Description: End-user web portal expands token self-service functionality; provides tailored end user communications
– Customer Fit: Custom end user self-service; greater range of token provisioning and workflow
• AM Prime Help Desk Admin Portal (HDAP)
– Description: Simple, streamlined web-based administrative interface for day-to-day SecurID Help Desk tasks
– Customer Fit: Large number of Help Desk personnel; delegated administration scenarios
• AM Bulk Admin (AMBA)
– Description: Standalone utility supports back office bulk AM operations
– Customer Fit: Automation of AM admin tasks via scripted operations
AM Reporting Enhancement
Archer Focused Solutions for AM 8.x
• Provides some of the most commonly requested AM reports
• Customers can create their own reports easily using the Archer interface
• Intuitive interface allows administrators to use multiple graphical formats
• Can be easily integrated
Overview of AM v8.1 Architecture
System Components
• Agent Devices
• RSA Authentication Manager Instance
• RSA SecurID Authenticators
Agent Devices
– AM v6.1 / AM v7.1 and AM v8.1: Current Agents function with both versions: Windows/UNIX/Linux/Web, “RSA Secured” partner
– AM v6.1 / AM v7.1: ---
– AM v8.1: NG Agent Ready
RSA SecurID Authenticators
– AM v6.1 / AM v7.1 and AM v8.1: Hardware Authenticators, Software Authenticators
– AM v6.1 / AM v7.1: ODA (AM v7.1)
– AM v8.1: ODA / RBA
RSA Authentication Manager Instance
– AM v6.1 / AM v7.1: Software: Windows / UNIX / Linux server; Hardware Appliance
– AM 8.1: Virtual Appliance ESX/ESXi vSphere; Hardware Appliance; Hardened Linux OS
Web Tier (New in AM8)
– AM v6.1 / AM v7.1: ---
– AM 8.1: Self Service Console, RBA, CT-KIP (SW token
Hardware Appliance Models
• Model 130
– Single power supply, single disk
– Pre-configured bundles to support 10, 25, 50, 100, 150 or 250 users & Base license (1 Primary / 1 Replica)
– May be upgraded or ordered with different license
– Model 130 (Dell 210) can be upgraded to AM 8.1
• Model 250
– Designed for higher availability requirements
– Dual power supply, redundant disks, RAID 1
– Can be ordered in a number of user/license configurations
– Model 250 (Dell 710) can be upgraded to AM 8.1
• AM v8.1 allows mixing and matching of Primary and Replica hardware appliances and virtual appliances
Authentication Manager v8.1 Deployment Flexibility
[Diagram: the Primary Instance and each Replica Instance can be an RSA Hardware Appliance or a Virtual Machine Host. Best Practice: Model 250]
Authentication Manager Instances
[Diagram: AM v6.1 / AM v7.1: RSA Hardware Appliance or RSA Authentication Manager Software. AM v8.1: RSA Hardware Appliance or Virtual Appliance*]
Overview of the Migration Process
Definitions & Terms
• Migration: Refers to the process of moving either AM v6.1 data or AM v7.1 data directly to an AM v8.1 deployment
• “Free Upgrade / Migration”: Refers to the ability to upgrade / migrate to AM v8.1 at no cost
• SCOL: Refers to RSA SecurCare On-Line
• Upgrade: Refers to upgrading an existing hardware appliance to AM v8.1 appliance
Version | Name | Model | Type | Upgrade
AM v7.1 | RSA Authentication Appliance (*) | A130 | 200 | No
AM v7.1 | RSA Authentication Appliance (*) | A130 | 210 | Yes
AM v7.1 | RSA Authentication Appliance (*) | A250 | 700 | No
AM v7.1 | RSA Authentication Appliance (*) | A250 | 710 | Yes
AM v6.1 | RSA SecurID Appliance 2.0 | --- | --- | No
* Also termed RSA SecurID Appliance 3.0 or RSA AM 7.1 Appliance
Migration
• Migration is essentially a two phase process:
– Export the database information from an AM v6.1 or AM 7.1 installation
The amount of planning and preparation that you do impacts the ease or success of a migration and can make the process
Upgrade Procedure
• Download AM v8.1 re-image files from SCOL and burn onto DVD
• Attach a monitor and keyboard to the Appliance
• Insert AM v8.1 Re-imaging DVD in the CD/DVD drive
• Press ALT+CTRL+DEL and select Shutdown > Restart
• At the end of POST boot, appliance automatically ejects DVD. Close CD/DVD tray to complete reimage. System pauses for sixty seconds and resumes the imaging process.
• At the end of the reimaging process, appliance ejects the DVD & restarts. After completion, the appliance has been upgraded to AM v8.1
• Connect to the Appliance via a remote PC & browser
• Complete the Quick Setup Process
Migration Practices & Considerations
• When an AM v7.1 Primary appliance is upgraded to AM v8.1, the disk is overwritten; reverting back to AM 7.1 may be difficult
• Upgrade an AM v7.1 Replica appliance to AM v8.1 Primary
– Maintains AM v7.1 Primary for fallback
– After migration to an AM v8.1 Primary is verified as successful, additional appliances can be re-imaged for use as Replicas
• Utilize Appliance Model 250 or Virtual Appliance as Primary Instance
– Higher availability through hardware redundancy or via VMware tools
– For Model 250 (Primary) and Model 130 (Replicas) deployments, an additional step is required to promote a Model 130 Replica to Primary in the production AM 7.1 deployment in order to use a Model 250 as the AM v8.1 Primary
AM v7.1 - General Preparations
• Determine if authentication services are required during the migration process
• Prepare AM v7.1 data by ‘cleaning’ or re-structuring as needed
– See RSA Authentication Manager AM v7.1 to AM v8.1 Data Migration courses
• Determine hardware appliance Upgrade Strategy (if applicable)
• Install and perform Quick Setup on the “new” AM v8.1 appliance
• Perform data export from AM v7.1 and perform a test migration
• Make any corrections/changes or resolve conflicts and dump the data again, if needed.
– Migration does not affect the content of the AM v7.1 database
AM 6.1 - General Preparations
• Determine if authentication services are required during migration
• Prepare AM v6.1 data by ‘cleaning’ or re-structuring as needed
– See RSA Authentication Manager AM v6.1 to AM v8.0 Data Migration courses
– Utilize AM v6.1 Data Migration Assessment Utility
• Physically install and perform Quick Setup on AM v8.1 appliance
• Perform a data dump from AM v6.1 and perform a test migration
• Make any corrections/changes or resolve conflicts and dump the data again, if needed
Maintaining Authentication Services
• If maintaining authentication capability is important during migration, consider what resources are needed (for example, AM v6.1 or AM 7.1 Replica server or servers)
– Remember that Replica servers are read-only: No administration is possible while Primary is off line
• During migration, Replicas process authentication transactions and each Replica database can be migrated separately after AM v8.1 Primary goes on line
Pre-Migration Planning
• Planning AM v8.1 architecture and deployment is helpful prior to migration
– An architecture plan allows you to decide what equipment is needed and how it will be utilized
• Physical vs. Virtual / Primary vs. Replica
• Web Tier (New in AM 8.1): Self Service Console, Risk-Based Authentication, SW Token Provisioning via CT-KIP Server
– Creating a deployment strategy for the overall deployment allows you to define how the administrative structure will be created, which helps you decide what changes can more easily be made prior to migration
• Goal is to reduce or eliminate authentication down time and maximize features & functions of AM 8
Pre-Migration Planning (cont’d)
• Understand AMv8.1 Administrative Operations
– AMv6.1 and AMv8.1 have very different GUI and functionality
– You do not want a situation where data is migrated but you are still learning how to organize it
– All key administrators should have basic understanding of AMv8
• Decide on a roll-back or continuity plan if migration has problems
AM v6.1 Migration Assessment Tool
• Available on RSA SecurCare Online
• TCL script performs database analysis and identifies areas for attention
Example output:
– Red, Yellow, Green color key to severity
– Links to CSV files containing specific data
Install AM v8.1 Appliance
• Determine secure location with networking and adequate power
• Connect appliance power and LAN
• Run Quick Setup to set initial configuration
– Time/Date
– Initial administrator accounts
• Use Authentication Agent to test and verify operation
More information regarding installation and deployment of v8.1 appliance can be found in the RSA Authentication Manager 8.1 Setup and Configuration Guide
Hostname/IP Configuration
Configure local PC for a temporary IP address in the same subnet as Appliance
Appliance initial address is 192.168.100.100
Set local PC to IP of 192.168.100.101
Appliance Configuration
Quick Setup
• Prompts for:
– License
• Requires license upgrade (avail through SCOL)
– Date/Time confirmation or NTP server, if used
– OS password
– Super Admin username/password
– Operations Console username/password
– Network configuration (hostname, IP, subnet, gateway, DNS)
Migration Process Flow
Diagram elements: AM v6.1 or AM v7.1 Primary; AM v6.1 or AM v7.1 Replica; AM v8.1 Primary; AM v6.1 dump file or AM v7.1 export
1. AM v8.1 Primary deployed with temporary hostname/IP
2. Primary is taken off line
3. Replica server handles auth requests
4. Data exported from Primary
5. Data moved to v8.1 Primary & imported
6. AM v8.1 Primary re-configured with AM v6.1 Primary hostname/IP & starts taking auth requests
Resources
• RSA Authentication Manager 8.1 Documentation
• ‘Help’ information
RSA® Authentication Manager 6.1 to 8.1 Migration Guide
RSA® Authentication Manager Setup and Configuration Guide
RSA® Authentication Manager Administrator’s Guide
RSA® Authentication Manager Planning Guide
Release Notes
Online and Technical Support
• RSA SecurCare Online
• Technical Support
• Migration Preparation Guide & Migration Assessment Tool 6.1 to 8.1
RSA Education Services
RSA offers a number of instructor-led and eLearning courses
• RSA product training
• Information Security Awareness for employees
• Advanced Cyber Defense
Visit the RSA Security Training and Certification web site and access our course listings and catalog:
RSA Professional Services
RSA’s Professional Service organization offers consulting services to assist with:
• Architecture design
• Migration management
• Fixed-price engagement packages
• Custom-quoted solutions
• Packaged application tools
– User administration
– Integration Services