RSA® Authentication Manager 6.1 to 8.
Contact Information
Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
RSA Authentication Manager 6.1 to 8.1 Migration Guide
Contents
Revision History (page 7)
Preface (page 9)
About This Guide (page 9)
RSA Authentication Manager 8.1 Documentation
Customized Agents Created Using the Authentication API (page 43)
Determine the API Version of Installed Custom Windows Agents (page 43)
Back Up the Version 8.1 Deployment (page 43)
Data Migration Options (page 44)
Typical Mode
Chapter 6: Performing Post-Migration Tasks (page 87)
Post-Migration Tasks (page 87)
Configuring Custom Ports (page 90)
Configure Custom Ports in the Security Console
Revision History
Revision Number: 1
Date: December 2014
Revision: Updated for RSA Authentication Manager 8.1 Service Pack 1 (SP1). Added information about Hyper-V checkpoints. Removed information about unsupported characters, which are now supported in version 8.1 patch 1 or later. For more information, see the RSA Authentication Manager 8.1 SP1 Release Notes.
Preface
About This Guide
This guide is intended for administrators who are planning and implementing a migration of their RSA® Authentication Manager 6.1 deployment to version 8.1.
RSA Authentication Manager 8.1 Documentation
For information about RSA Authentication Manager 8.1, see the following documentation. RSA recommends that you store the product documentation in a location on your network that is accessible to administrators.
Release Notes.
7.1 to 8.1 Migration Guide: Migrating to a New Hardware Appliance or Virtual Appliance. Describes how to migrate from an RSA Authentication Manager 7.1 deployment to an RSA Authentication Manager 8.1 deployment on a new hardware appliance or virtual appliance.
7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 on Existing Hardware. Describes how to migrate from an RSA Authentication Manager 7.1 deployment to an RSA Authentication Manager 8.
Support and Service
RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.emc.com/support/rsa/index.htm
RSA Solution Gallery: https://gallery.emc.com/community/marketplace/rsa?view=overview
RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads.
1 Important RSA Authentication Manager 8.1 Changes
Introduction to RSA Authentication Manager 8.1
RSA Authentication Manager is the authentication engine and deployment management component of the RSA SecurID two-factor authentication solution. SecurID tokens generate a series of random, ever-changing tokencodes. A tokencode is a pseudorandom number, usually six digits in length.
Version 6.1 Term: Realm
Version 8.1 Term: Deployment
Comment: In version 8.1, a deployment consists of a primary instance and any associated replica instances. A deployment has one realm. In version 6.1, a realm is the physical installation of the primary Authentication Manager and its replica servers. While all objects exist within the realm, the organizational hierarchy follows a simpler model of realm, sites, and groups.

Version 6.1 Term: Agent
Version 8.1 Term: Agent
Comment: In version 8.1, you do not need to specify a specific agent type (such as UNIX agent or single-transaction server) when adding an agent. As part of the migration process, you can specify whether the IP address of a self-registered agent is maintained when the agent is migrated.

Version 6.1 Term: Administrative roles
Version 8.1 Term: Administrative roles
Comment: The scope and task lists of the Authentication Manager 6.

Version 6.1 Term: N/A
Version 8.1 Term: Identity source
Comment: The internal database or a specified LDAP directory. User and user group data can reside in either type of identity source. Product-specific data resides in the internal database.

Version 6.1 Term: LDAP synchronization job
Version 8.1 Term: N/A
Comment: Like version 6.1, version 8.1 enables you to use existing user and user group data. In version 8.
Preinstalled Authentication Manager Version
Features in RSA SecurID Appliance 2.0, 2.0.1, and 2.0.2: RSA Authentication Manager 6.1, 6.1.1, 6.1.2, 6.1.3, or 6.1.4 depending upon the version of the Appliance.
New Features in Authentication Manager 8.1: RSA Authentication Manager 8.1

RSA RADIUS Server
Features in RSA SecurID Appliance 2.0, 2.0.1, and 2.0.2: RSA RADIUS Server can be downloaded and installed on RSA SecurID Appliance 2.0.
New Features in Authentication Manager 8.1: RSA RADIUS 8.1 is preinstalled as a

Remote Token-Key Generation (CT-KIP)
Features in RSA SecurID Appliance 2.0, 2.0.1, and 2.0.2: Remote Token-Key Generation (CT-KIP) is not supported.
New Features in Authentication Manager 8.1: Remote Token-Key Generation (CT-KIP) is supported. CT-KIP enables Authentication Manager and the device that hosts the software token, such as a web browser, to simultaneously and securely generate the same token file.
It is important to know:
• You can install multiple licenses.
• The Account ID must be the same for all licenses.
• The License ID, sometimes referred to as the Stack ID, must be unique for each license. You cannot install the same license twice.
• Only users with assigned authenticators count against the license limit. Users with multiple authenticators only count once.
Risk-Based Authentication
Risk-based authentication (RBA) identifies potentially risky or fraudulent authentication attempts by silently analyzing user behavior and the device of origin. RBA strengthens RSA SecurID authentication and traditional password-based authentication. If the assessed risk is unacceptable, the user is challenged to further confirm his or her identity by using one of the following methods:
• On-demand authentication (ODA).
Architectural Changes in Authentication Manager 8.1
In version 6.1, the primary server is the administrative server and contains the authoritative data source, the primary database. The primary server is responsible for:
• Database administration
• Replicating changes to the replica servers
• Optional authentication of users
In version 8.1, the primary instance can perform these functions.
The following figure shows the hierarchy of RSA Authentication Manager 6.1.
The following figure shows the hierarchy of RSA Authentication Manager 8.1.
Changes to Sites
Security domains in version 8.1 are equivalent to sites in version 6.1. However, security domains can be nested within one another or hierarchically. Additionally, security domains are the only method available to scope administrators to grouped objects. You cannot scope administrators to groups. Security domains represent areas of administrative responsibility, typically business units, departments, partners, and so on.
Policies and Security Domains
Security domains enforce system policies which control various aspects of a user’s interaction with Authentication Manager, such as RSA SecurID PIN lifetime and format, fixed passcode lifetime and format, password length, format, and frequency of change.
You can create user groups through the Security Console, or for external data sources such as Active Directory, using the directory user interface. Version 8.1 does not permit you to scope administrators to user groups. Administrative control of groups is defined by the security domain in which the group resides, and not by administrative scoping to the group, as in version 6.1. For example, version 6.
The following table describes the effect that migration has on users activated on agents.
Pre-Migration: User activated with access time restrictions
Post-Migration: An internal group containing a single user is created and activated on the agent. The group has the same access time restrictions that the user had in version 6.1.
The following table shows how groups containing LDAP and non-LDAP users are migrated.
Version 6.1: External group, for example, (EG1), contains:
Version 8.1 (Post Migration): Users that are linked to the LDAP directory server’s external group continue to belong to the LDAP and the external group (EG1).
The Replication Model
The replication model in version 8.1 provides the following benefits:
• Data recovery and minimal data loss in the event of a hardware disaster
For more information, see the chapter “Disaster Recovery” in the RSA Authentication Manager 8.1 Administrator’s Guide.
Log data on a replica instance is not replicated in the same way as changes resulting from authentication. Log data is sent only to the primary instance, or to a designated centralized log. It is not replicated to all instances in your deployment.
Authentication Manager does not replicate any user or user group data that resides in an LDAP directory. You must configure LDAP to replicate LDAP changes.
Administrative Capabilities
In version 8.
Increased Administrative Scoping
The version 8.1 administrative model is built on the concepts of roles, permissions, and scope. Authentication Manager includes predefined administrative roles, and you can create custom roles. For more information, see Predefined Administrative Roles on page 31.
The following table describes the elements that define administrators.
Element: Role
Controls: What an administrator can manage. For example, user accounts.
Predefined Administrative Roles
In version 6.1, roles are composed of a task list (what tasks can be performed by an administrator assigned the role) and a scope (which objects the administrator can administer). There are three predefined roles: realm, site, and group. Each role can be assigned to an administrator and that administrator can be scoped to the realm or to a particular site or group within the realm.
• Token Distributor
This role grants administrative responsibility to manage token provisioning requests. Token Distributors also determine how to assign and deliver tokens to users. This administrator can delegate the responsibilities of this role.
Group Administrators
In version 8.1, it is no longer possible to scope an administrator to a group. Administrators are scoped to security domains only. To ensure that no administrators are migrated with a higher level scope than they had in version 6.1, the group administrator role is migrated, but not assigned to any version 6.1 group administrators. For example, group administrators in version 6.1 can only view and change users in their scoped groups.
Report Templates
You can use the predefined report templates provided with Authentication Manager to create and run customized reports describing system events and objects (users and tokens, for example). These reports can provide detailed information on system events. Each template includes predefined variables, column headings, and other report information.
Comparison of Cross-Realm Relationships and Trusted Realms
Trusted realms in version 8.1 function much like cross-realm relationships in version 6.1. They both allow access to a network by a visiting user. You can create a trust relationship between two realms, so that users from one realm can be authenticated through agents in the trusted realm. There are four main differences between cross-realm and trusted realms:
• Version 8.
One-Way Or Two-Way Trusted Realms
While cross-realm relationships in version 6.1 are always two-way, trusted realm relationships in version 8.1 can be either one-way or two-way. In a one-way trusted realm, users from realm A can authenticate in realm B, but the users from realm B cannot authenticate in realm A. In a two-way trusted realm, the users from either realm may authenticate in the other realm.
The following table describes the three types of trust relationships you can establish with version 8.1.
Trust Type: One-way between two version 8.1 realms
Description: Users from Realm A can authenticate to Realm B, but not vice versa.
How Trust is Established:
1. The administrator in the other realm adds a trusted realm that points to your realm.
2. The administrator in the trusted realm imports a trust package from your realm.
2 Planning For Migration
Migration Planning Checklist
Before you start the migration process, complete the following tasks.
• Perform an Authentication Manager 6.1 to 8.1 Migration Assessment. See Complete an Authentication Manager 6.1 to 8.1 Migration Assessment on page 40.
• Determine the migration path:
– Migrate to version 8.1 using the same hostname and IP address as version 6.1.
– Migrate to version 8.1 using a new hostname and IP address.
• Determine how LDAP synchronization jobs map to identity sources.
• Determine which data you want to migrate from version 6.1.
• Determine if you want to migrate any data to a specific security domain. Migrating to a specific security domain can affect the administrative capabilities of some administrators.
• Determine if you need to map user logon names in the NTLM format to the UPN format.
Choosing a Migration Path
One of the most important steps in migration is choosing the correct migration path. Choose one of these methods:
• Migrate version 6.1 data to the version 8.1 deployment using the same hostnames and IP addresses as your existing version 6.1 deployment. For more information, see Migration with the Same Hostname and IP Address on page 41.
• Migrate version 6.1 data to the version 8.
If you find it necessary to revert to RSA Authentication Manager 6.1 or RSA SecurID Appliance 2.0, you must perform these tasks:
• Shut down the version 8.1 instances and restart the version 6.1 or version 2.0 servers.
• Redistribute configuration (sdconf.rec) files to each authentication agent.
• Delete the sdstatus.
Customized Agents Created Using the Authentication API
Any custom authentication agents that were developed using version 5 of the authentication API are supported. Any custom agent developed using the authentication API prior to version 5 is no longer supported. To determine the version of these agents, see Determine the API Version of Installed Custom Windows Agents on page 43.
Data Migration Options
You must choose one of three modes for data migration:
• Typical Mode on page 44
• Rolling Upgrade Mode on page 44
• Custom Mode on page 44
Typical Mode
A typical migration does the following:
• Performs the actual migration, and not a test migration.
• Makes a best effort to migrate data, rather than stop the migration when a data conflict is detected.
• Migrates all found objects.
Test Migration
Custom Mode allows you to perform a test migration. A test migration does the following:
• Displays the results of a migration without actually migrating any data, or affecting the database in any way.
• Processes the data in the dump file, but does not commit any changes to the database.
• Generates a report that details each change that would be made during an actual migration.
• A scope
The scope of the job specifies the number of levels below the base DN that the job extends. If the scope of a job is just the base DN or one level below the base DN, you may have other jobs at lower levels of the directory tree that you can combine into one identity source.
• An optional query filter
The query filter allows you to select users that meet certain criteria.
Data Migration to a Specific Security Domain
In Custom Mode, you can choose to migrate the data to a specific security domain. For example, when multiple version 6.1 realms are migrated into a single version 8.1 top level security domain, you may want to maintain some of the existing structure by creating lower-level security domains for each version 6.1 realm, and migrating the data to the lower-level security domain.
SNMP Reporting
In order to use the SNMP functionality included in RSA Authentication Manager version 8.1, you must configure SNMP. Earlier configuration settings are not migrated.
RSA SecurID Appliance 2.0 or later supported the SNMP Plug-in for RSA SecurID Appliance 2.0. This optional software set up traps for RSA Authentication Manager 6.1 or later. Third-party SNMP tools were supported with non-Appliance RSA Authentication Manager 6.
3 RADIUS Migration
Migrating RADIUS Data to the Primary Instance
Migrating the RADIUS data imports the version 6.1 data to the version 8.1 database. You must migrate RADIUS data before migrating data from the primary instance. The following procedure describes how to migrate the version 6.1 data to the version 8.1 primary instance.
Before You Begin
Back Up the Version 8.1 Deployment on page 43.
Procedure
1. Install the RSA RADIUS Export Utility 2.
Procedure
1. Open a new command shell, and change directories to the directory where you unpacked the RSA Authentication Manager 6.x RADIUS Export Utility directory. Type:
patchRemoteAdmin.bat
and press ENTER.
2. Read the explanatory information, type y, and press ENTER.
3. Type the absolute path to the base installation directory, for example, C:\Program Files\RSA Security\RSA Authentication Manager, and press ENTER.
Copy the RADIUS Migration Package File to an Import Location
If you are migrating the RSA Authentication Manager 6.1 primary server to a version 8.1 primary instance, copy the RADIUS migration package file, radiusMigration_time_stamp.pkg, from the RSA_AM_HOME/prog/radius/Admin/ directory on the RSA Authentication Manager 6.1 primary server host to one of the following locations:
• Your local machine.
Add Custom RADIUS Dictionary Attributes to Version 8.1
If the version 6.1 deployment uses a RADIUS dictionary with custom attributes, you must add these attributes to the version 8.1 RADIUS dictionary before importing the RADIUS data.
Important: If you do not add the custom attributes to the version 8.1 RADIUS dictionary before importing the RADIUS data, you must re-migrate the RADIUS data from the same package file after adding the attributes.
5. On the Manage Server Files page, do one of the following:
• Click the Configuration Files tab to see the configuration files, such as .conf, .aut, and .ini.
• Click the Dictionary Files tab to see the RADIUS dictionary files.
6. Select the file that you want to edit, and select Edit from the context menu.
7. Edit the text file, and click Save.
8. Click Save & Restart RADIUS Server for the changes to take effect.
10. Add an entry for the dictionary in the vendor.ini file.
a. In the Manage Server Files page, click the Configuration Files tab.
b. Click the vendor.ini file, and select Edit from the context menu.
c. Add an entry for the dictionary file you just added. The format the entry takes is described in the comments of the vendor.ini file.
d. Click Save.
11. Add an entry for the dictionary file in the dictiona.dcm file.
a. Click the dictiona.
4. Specify the location of the RADIUS server migration package. Under Server Migration File Location, do one of the following:
• Select Local Machine, and browse to locate the file on your local machine.
• Select Windows Shared Folder to locate the file on a Windows shared folder. Do the following:
– In the Windows Shared Folder field, enter the path to an existing Windows shared folder, for example, \\example.
4 Primary Server Migration
Migrating the Primary Server
Perform these steps to migrate your existing RSA Authentication Manager server (either a non-Appliance server with RSA Authentication Manager 6.1 or later, or RSA SecurID Appliance 2.0 or later, which includes version 6.1) to RSA Authentication Manager 8.1.
Before You Begin
• Back up the version 8.1 database. See Back Up the Version 8.1 Deployment on page 43.
RSA Authentication Manager 6.1 Database Dump
You must manually collect and transfer the primary database dump file and the version 6.1 license file to one of the following locations:
• Your local machine. This option allows you to upload the files through your browser. If the database dump file exceeds 2 GB, you cannot use this option.
• A Network File System (NFS)
• A Windows shared folder
• The RSA Authentication Manager 8.
The following table lists the files required for migration, their locations in RSA Authentication Manager 6.1 application directory, and a short description of the purpose of the files.
Filename: sdserv.dmp
Location in the Application Directory: data
Description: Data from the version 6.1 database.

Filename: sdlog.dmp
Location in the Application Directory: data
Description: Version 6.1 logs. For more information, see Migrate Log Files on page 75.

Filename: license.
Stop RSA Authentication Manager 6.1 Services on a Non-Appliance Server
You must stop all RSA Authentication Manager 6.1 services before dumping the database or log so that none of the processes write to the database or log. Use the following procedure to stop RSA Authentication Manager 6.1 services on a non-appliance server.
Procedure
Do one of the following:
• On Windows:
• On the version 6.
7. On the Appliance, click Start > Programs > RSA Security > RSA Authentication Manager Control Panel.
8. In the Control Panel menu, click Start & Stop RSA Authentication Manager Services.
9. Under Stop Services, click Stop All.
Dump the Database and Log Files on a Non-Appliance Primary Server
Version 6.1 provides a GUI-based utility for dumping the database on Windows and a command line utility for dumping the database on Windows, Linux, or Solaris.
Next Steps
Manually copy the migration files to one of the following locations:
• Your local machine. This option allows you to upload files through your browser. If a file exceeds 2 GB, you cannot use this option.
• A Network File System (NFS)
• A Windows shared folder
• The RSA Authentication Manager 8.1 server in the directory /opt/rsa/am/migration. To copy the files to version 8.1, you can use a Secure Copy Protocol (SCP).
5. In Internet Explorer, scroll down to display the Start button for the Appliance.
6. On the Appliance, click Start > Run.
7. Click Browse.
8. On an RSA SecurID Appliance 1.0, navigate to the directory C:\ace\scripts. On an RSA SecurID Appliance 2.0, navigate to the directory C:\authmgr\scripts.
9. Select rotatebackup.bat, and click Open.
10. In the Run dialog box, click OK to create the backup file.
If you plan to migrate these files from an NFS or Windows Shared folder, make sure the database dump file, the license file, and if applicable, the startup.pf file are stored in separate directories from other files that you may want to migrate such as the log dump file or a RADIUS migration package.
If you plan to import from the 8.1 server, the /opt/rsa/am/migration location must only contain the file that you require at the time of import.
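A pre-flight check for the staging rules above (the 2 GB browser-upload limit, database files kept apart from other migration files on a share, and only the needed files in /opt/rsa/am/migration), as an added example that is not RSA's code or part of the original guide. The license file name is passed in by the caller because this page's file table is cut off after "license."; reading 2 GB as 2 GiB, the location labels, and the function names are assumptions.

```python
import fnmatch
import os

# Browser-upload ceiling from the guide ("exceeds 2 GB"); read here as 2 GiB (assumption).
BROWSER_UPLOAD_LIMIT = 2 * 1024**3

# Import locations the guide lists: browser upload from the local machine,
# an NFS or Windows shared folder, or /opt/rsa/am/migration on the 8.1 server.
LOCATIONS = ("local", "share", "server")


def classify(name, license_name):
    """Map a file name to the import it belongs to: database, log, radius or other."""
    if name in ("sdserv.dmp", "startup.pf", license_name):
        return "database"
    if name == "sdlog.dmp":
        return "log"
    if fnmatch.fnmatch(name, "radiusMigration_*.pkg"):
        return "radius"
    return "other"


def check_staging(entries, location, importing, license_name):
    """Return a list of (problem, file_name) tuples for one staging directory.

    entries      -- iterable of (file_name, size_in_bytes)
    location     -- "local", "share" or "server"
    importing    -- "database", "log" or "radius": the import about to be run
    license_name -- name of the version 6.1 license file (supplied by the caller)
    """
    if location not in LOCATIONS:
        raise ValueError(f"unknown location: {location}")
    entries = list(entries)
    names = [name for name, _ in entries]
    has_db = any(classify(n, license_name) == "database" for n in names)
    problems = []

    # A database import needs the dump file and the license file together.
    if importing == "database":
        for required in ("sdserv.dmp", license_name):
            if required not in names:
                problems.append(("missing", required))

    for name, size in entries:
        role = classify(name, license_name)
        if location == "local":
            # Browser upload: the only stated constraint is the size limit.
            if size > BROWSER_UPLOAD_LIMIT:
                problems.append(("too_large_for_browser", name))
        elif location == "share":
            # Database files must not share a directory with other migration files.
            if has_db and role != "database":
                problems.append(("mixed_with_database_files", name))
        elif role != importing:
            # Server directory: only the files needed for this import may be present.
            problems.append(("not_needed_for_import", name))
    return problems


def scan_dir(path):
    """List (file_name, size) for the regular files directly inside path."""
    with os.scandir(path) as it:
        return sorted((e.name, e.stat().st_size) for e in it if e.is_file())


if __name__ == "__main__":
    # Constructed sample: a 3 GiB dump staged beside a log dump.
    # "LICENSE_FILE" is a placeholder name, not the product's real file name.
    sample = [("sdserv.dmp", 3 * 1024**3), ("LICENSE_FILE", 2048), ("sdlog.dmp", 900)]
    for loc in LOCATIONS:
        print(loc, check_staging(sample, loc, "database", "LICENSE_FILE"))
```

Run `check_staging(scan_dir(path), ...)` against the real staging directory before starting the import in the Operations Console.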
8. Click Save. When the download is complete, all of the dialog boxes close.
9. Click Logout.
10. Exit Internet Explorer on your computer.
11. Navigate to the location that has the backupCab1.cab file, and extract the contents of the backup file into a folder. The necessary files are now available for migration to version 8.1.
Next Steps
Manually copy the migration files to one of the following locations:
• Your local machine.
Export the LDAP Directory Certificates
The LDAP directory certificate enables you to connect to your LDAP identity source using the Secure Sockets Layer (SSL) protocol. SSL ensures that communication between Authentication Manager and the LDAP directory is encrypted. If you do not have access to the certificate files for each directory server, you can export the certificates from your existing version 6.1 installation using the following procedure.
Before You Begin
• You must be a Super Admin.
• See Data Migration Options on page 44 and plan which data you want to migrate, which identity sources you are using, and address any other issues described in that section.
• Back up the version 8.1 database. See Back Up the Version 8.1 Deployment on page 43.
• Dump the Version 6.1 data. See RSA Authentication Manager 6.1 Database Dump on page 58.
• Select NFS (Network File System) Shared Folder to locate the migration server files on an NFS. In the NFS Shared Folder field, enter the path to an NFS server and file directory, for example, fileserver.example.net:/migration_directory.
• Select Authentication Manager 8.1 Server to locate the migration server files at the following location on RSA Authentication Manager 8.1: /opt/rsa/am/migration
4. Click Scan Dump File.
5.
11. Click the links at the bottom of the Migration Results page to view either the migration_summary.html report or the more detailed migration_detail.zip file to learn more about the outcome of the migration. (Both of these files, and other migration information, are in the server's results directory location shown at the bottom of the Migration Results page.
• Dump the Version 6.1 data. See RSA Authentication Manager 6.1 Database Dump on page 58.
• Make sure that you placed the migration files in one of the following locations:
– Your local machine
If a file exceeds 2 GB, you cannot import a file from the local machine, the option that uploads a file through your browser.
– A Windows shared folder
– A Network File System (NFS)
– The RSA Authentication Manager 8.
5. Review the Scan Results screen to verify that the data found in the dump file is the data you want to migrate.
6. Select Custom Mode,
7. (Optional) If you are attempting to migrate a version 6.1 instance that you have already migrated, you will see the Migration Retry Cleanup section on the Scan Results page. When the checkbox is enabled, the version 8 instance is prepared for a migration retry. Ensure that you have deleted the version 6.
12. Select the identity source into which you want to migrate users. (If you do not have LDAP synchronization jobs in your deployment, the option Selectively migrate users to appropriate identity sources is not applicable or available.)
• Migrate all users to the internal database. Select this option to migrate all users to the Authentication Manager internal database.
• Migrate all users to the Identity Source.
14. Select Merge duplicate user extensions attributes in a case insensitive way to merge any version 6.1 extension data that is the same but may use different letter cases. Only duplicate user extension data in the dump file is merged. If you previously migrated a user and you are attempting to migrate the user again, this option does not merge extension data in the dump file with data that is already migrated in version 8.1.
• If the identity source you want has not yet been defined and therefore is not in the list, select Add Identity Source from the list. The pages for the Add New Identity Source function in the Operations Console are displayed and populated with information from the LDAP synchronization job being mapped. After you have created the new identity source (or if you click Cancel during the process), you are returned to the Map LDAP to Identity Source page.
The installation process creates the sdserv.dmp file in the /opt/rsa/am/utils/migration61 directory. The file is created in a folder that is sorted by date and time. For example, 080902010244, if the migration completed in 2008, on September 2nd, at 1:02:44.
Next Steps
Use the version 6.1 Database Administration application to fix any issues that you find in the migration report.
Before You Begin
• Dump the version 6.1 log file. For more information, see Dump the Database and Log Files on a Non-Appliance Primary Server on page 61.
• Make sure that you placed the dump file in one of the following locations:
– Your local machine
If the dump file exceeds 2 GB, you cannot import the dump file from the local machine, the option that uploads a file through your browser.
6. Click Start Log Migration. The Log Migration Status page displays each migration task as it runs. Click Refresh to update the page. You can cancel the log migration at any time by clicking Cancel Log Migration. The Log Migration Results page is displayed when the log migration completes.
7. To view the log migration report in the browser, click migration_summary.html, or click Done to exit the page.
Version 6.1 Authentication Event Corresponding Version 8.
After you migrate the log files, administrative events from your version 6.1 server are mapped in the version 8.1 database, as shown in the following table.

Version 6.1 Administrative Event Corresponding Version 8.
Version 6.1 Administrative Event | Corresponding Version 8.1 Event
Synchronized token | Sync Token
Enabled emergency code punct | Token marked as lost. Enabled emergency access fixed token code.
5 Replica Server Migration

Migrating a Replica Server

After you have migrated the primary server and shut down the version 6.1 primary server, the replica servers cannot send database changes (delta records) to the primary instance until you migrate the replica servers.
Procedure

1. On the version 6.1 machine, click Start > Programs > RSA Security > RSA Authentication Manager Database Tools > Dump. The Authentication Manager Database Dump dialog box opens.
2. Under Select Databases to dump, select Dump Server Database.
3. Under Options, select Include delta tables in dump file to dump all associated delta information.
4.
Migrate Replica Delta Records to the 8.1 Primary Instance

Database changes, also known as delta records, accumulate as a result of any authentications that occur on the replica server while it is not communicating with the primary instance. You must migrate delta records from each version 6.1 replica instance to the version 8.1 primary instance.
• Select Windows Shared Folder to locate the migration server files on a Windows shared folder. Do the following:
  – In the Windows Shared Folder field, enter the path to an existing Windows shared folder, for example, \\example.com\migration_folder
  – If the shared folder requires a user name, enter the user name in the Folder User Name field.
  – If the shared folder requires a password, enter the password in the Folder Password field.
Rebalance Contact Lists

If the appliance has a new hostname and IP address, you must rebalance the contact lists on the Security Console of the primary instance. This updates references to the new replica instances. If you have migrated with the same hostname and IP address, rebalancing the contact lists is not required. If the servers are restarted, the references to the new replica instances are automatically updated.

Procedure

1.
6 Performing Post-Migration Tasks

Post-Migration Tasks

After completing a migration, you must complete certain post-migration tasks that apply to your deployment.

Task: Configure custom ports
Reference: Configuring Custom Ports on page 90
Description: If the RSA Authentication Manager 6.
Task: Change the instance IP address
Reference: See the Operations Console Help topic “Change the Primary Instance IPv4 Network Settings.”
Description: The initial IP address on the instance is specified during Quick Setup. If you have changed the instance IP address, you must do the following:
  • Enter a new URL to access each of the RSA Consoles.
Task: Edit Clients to the RADIUS Server
Reference: See the documentation for your RADIUS client device.
Description: Migration changes the IP address of the RSA RADIUS server in your deployment under the following conditions:
  • The version 6.1 RSA RADIUS server was a remote RADIUS server
  • The version 6.1 RADIUS server was a local RADIUS server and you migrated version 6.
Configuring Custom Ports

If the RSA Authentication Manager 6.1 servers used custom ports, rather than the default ports, you can continue to use these custom ports for the following services:
• Agent authentication
• Agent auto-registration
• Offline authentication download

Procedure

1. Configure Custom Ports in the Security Console
2. Restart Authentication Manager Services
3.
Restart Authentication Manager Services

The Authentication Manager services are automatically started if you reboot the system in the Operations Console. The reboot process can take approximately 10 minutes. When complete, you are redirected to the Operations Console logon page.

Before You Begin

You must be an Operations Console administrator.

Procedure

1. On the appliance instance that you want to reboot, launch and log on to the Operations Console.
Procedure

1. In the Security Console, click Access > Authentication Agents > Generate Configuration File.
2. From the Maximum Retries drop-down menu, select the number of times you want the authentication agent to attempt to establish communication with Authentication Manager before returning the message “Cannot initialize agent server communications.”
3.
Configure TACACS+ Support

Authentication Manager version 8.1 does not support the deployment of TACACS+ on the same server as Authentication Manager. If you use TACACS+ on the same machine as the Authentication Manager version 6.1 deployment, you must perform the following tasks to continue TACACS+ support after migration.

1. Install TACACS+ on a separate supported server. See your TACACS+ documentation for instructions.
2. Copy the sdtacplus.
A Migration Data Conversion

Conversion of Migrated Data

The following table describes how different types of data are migrated.

Data: LDAP synchronization jobs
Migration Result: Records with direct LDAP associations, like users and groups, are verified to ensure they exist in the identity source. Records with no LDAP associations are created in the internal database if requested.
Data: User agent activation data
Migration Result: Existing user-agent associations are maintained by creating a new group, adding the user to the group, and activating the group on the agent. If a user group is activated on an unrestricted agent, any migrated access time restrictions do not apply to the agent in version 8.1. In version 8.1, access time restrictions only apply to user groups that are associated with restricted agents.
Data: Client type data
Migration Result: Agent types are not migrated. Version 8.1 recognizes the following agent types: standard agent and web agent. However, if an agent is associated with a RADIUS client, version 8.1 recognizes the agent type as a RADIUS client agent. The version 6.1 agent types currently have no impact on runtime behavior related to Next Tokencode mode. Additionally, version 8.1 does not support single transaction agents.
Data: Task lists data
Migration Result: Task list data is migrated to version 8.1 permissions, except when there is no equivalent permission. For example, the task allowing administrators to edit System Parameters, any tasks related to LDAP synchronization jobs, or any tasks related to group administration. The following tasks related to logging configuration are not migrated, as there are no equivalent permissions in version 8.
Data: Agent extension data
Migration Result: Agent extension data is migrated to the notes field of the agent, and is exported to a comma-separated value (.csv) file in the migration output directory.

Data: Site extension data
Migration Result: Site extension data is migrated to the notes field of the migrated security domain, and is exported to a comma-separated value (.csv) file in the migration output directory.
Migration Report

When the migration completes, it generates a migration report that lists which data was successfully migrated, which data failed to migrate, and any changes that were made to the data to accommodate the new logical model used in RSA Authentication Manager 8.1.
• Parameters and options you selected for the migration.
• A summary of the dump file analysis results, including which type of data was found in the dump file.
In version 8.1, there are default user attributes (such as User ID and Password), internal attributes, and custom attributes. A custom user attribute is known as an identity attribute definition. Identity attribute definitions can be mapped to the internal database or an external identity source to retrieve attribute values from users. For example, suppose that you add a “Location” attribute that represents the office location.
State of Version 8.1: A multivalued attribute that was previously migrated with values is migrated again but now includes new values. The data type has not changed.
Migration Result: The attribute values are added to the existing attribute.

State of Version 8.1: Before completing migration, a multivalued attribute is created on version 8.1 that has the
Migration Result: Because the 6.1 user extension data differs by data type, the attribute is migrated into 8.1 with the "AM61_" prefix.
Activations on Restricted Agents When LDAP Synchronization Jobs Do Not Contain Group Data

LDAP users cannot authenticate through certain agents after migration, if the following conditions exist prior to migration:
• The LDAP synchronization job that synchronizes the user is not configured to synchronize the LDAP group to which the user belongs.
• The directory server accessed by the LDAP synchronization job is read-only.
View RSA Authentication Manager 6.1 Offline Emergency Settings

After migration to version 8.1, Authentication Manager applies the PIN options for version 6.1 offline emergency codes to newly generated fixed passwords and one-time password sets. You can view the version 6.1 settings that Authentication Manager applies to these passwords.

Procedure

1. Open the RSA Authentication Manager 6.1 Database Administration application.
2.
B Reverting RSA Authentication Manager 8.1 to Version 6.1

Reverting Migration

After migration to version 8.1, all of the required version 6.1 data and application files still exist on the original Authentication Manager hardware. However, reverting to version 6.1 is not simply a matter of stopping version 8.1 and restarting version 6.1. Consider these important issues before reverting:
• Data loss
  All data concerning any version 8.
Revert a Migration Using a Different Hostname and IP Address

If you migrated with a new hostname or IP address, the process of reverting to version 6.1 requires that you generate new version 6.1 configuration files for any agent that authenticated to a version 8.1 instance.

Procedure

1. On the version 8.1 primary instance, stop all Authentication Manager services.
Revert a Migration Using the Same Hostname and IP Address

If you migrated using the same hostname or IP address, the process of reverting to version 6.1 requires that you remove the version 8.1 primary instance from the network, start the version 6.1 primary instance, and delete the sdstatus12 file from each RSA Authentication Agent. This results in each agent receiving a new server list with the version 6.1 servers.

Procedure

1. On the version 8.
C Glossary

Active Directory
The directory service that is included with Microsoft Windows Server 2003 SP2, Microsoft Windows Server 2008, and Microsoft Windows Server 2008 R2.

Active Directory forest
A federation of identity servers for Windows Server environments. All identity servers share a common schema, configuration, and Global Catalog.

administrative role
A collection of permissions and the scope within which those permissions apply.
audit information
Data found in the audit log representing a history of system events or activity including changes to policy or configuration, authentications, authorizations, and so on.

audit log
A system-generated file that is a record of system events or activity. The system includes four such files, called the Trace, Administrative, Runtime Audit, and System logs.

authentication
The process of reliably determining the identity of a user or process.
core attributes
The fixed set of attributes commonly used by all RSA products to create a user. These attributes are always part of the primary user record, whether the deployment is in an LDAP or RDBMS environment. You cannot exclude core attributes from a view, but they are available for delegation.

Cryptographic Token-Key Initialization Protocol (CT-KIP)
A client-server protocol for the secure initialization and configuration of software tokens.
dynamic seed provisioning
The automation of all the steps required to provide a token file to a device that hosts a software token, such as a web browser, using the Cryptographic Token-Key Initialization Protocol (CT-KIP).

e-mail notifications
Contain status information about requests for user enrollment, tokens, and user group membership that is sent to users who initiated the request.
instance
An installation of RSA Authentication Manager that can be set up as a primary instance or a replica instance. An instance also includes a RADIUS server.

internal database
The Authentication Manager proprietary data source.

keystore
The facility for storing keys and certificates.

load balancer
A deployment component used to distribute authentication requests across multiple computers to achieve optimal resource utilization.
primary instance
The installed deployment where authentication and all administrative actions are performed.

promotion, for disaster recovery
The process of configuring a replica instance to become the new primary instance. During promotion, the original primary instance is detached from the deployment. All configuration data referring to the original primary instance is removed from the new primary instance.
requests
Allows users to enroll, as well as request tokens, the on-demand tokencode service, and user group membership.

Request Approver
A predefined administrative role that grants permission to approve requests from users for user enrollment, tokens, or user group membership.
Self-Service Console
A user interface through which the user can update user profiles, change passwords for the Self-Service Console, configure life questions, clear devices enabled for risk-based authentication, change e-mail addresses or phone numbers for on-demand authentication, and manage on-demand authentication PINs. Users can also request, maintain, and troubleshoot tokens on the Self-Service Console.
top-level security domain
The top-level security domain is the first security domain in the security domain hierarchy. The top-level security domain is unique in that it links to the identity source or sources and manages the password, locking, and authentication policy for the entire deployment.

Trace log
A persistable store for trace information.

trusted realm
A trusted realm is a realm that has a trust relationship with another realm.