
RSA Authentication Manager Upgrade Plan and Time-line.

1. Reason for upgrade


● The current RSA Authentication Manager (AM) version 7.1 has already reached End of Support with RSA; we need to upgrade it in order to continue to have support.

2. Requirement for upgrade

● VMWare Software Requirements


| Required Software | Description |
|---|---|
| VMware Platforms | VMware ESXi 4.1 or later (VMware vSphere Hypervisor 4.1 or later); VMware ESXi 5.0 or later (VMware vSphere Hypervisor 4.1 or later) |
| VMware vSphere Client | Any version of the vSphere Client that works with supported ESXi (Hypervisor) and vCenter Server deployments. |

● Primary or Replica Instance Requirements


| Description | Minimum Requirement | Default Value |
|---|---|---|
| Disk Space | 100GB; select thin-provisioned storage when deploying the virtual appliance. | 100GB; select thin-provisioned storage when deploying the virtual appliance. |
| Memory Requirements | 4 GB | 8GB |
| CPU Requirements | One vCPU | Two vCPU |
| Network adapter requirements | E1000 virtual network adapter | E1000 virtual network adapter; do not change default network adapter |
| Active Directory for external users | Microsoft Active Directory 2008 R2; Microsoft Active Directory 2012 | Microsoft Active Directory 2008 R2; Microsoft Active Directory 2012 |
| Temporary FQDN name at DNS server | | Registered FQDN at DNS server; registered reverse look-up from IP address to name |
| Temporary IP address in the same segment with production RSA AM 7.1 SP4 | | Temporary IP address |

● Primary or Replica Instance network Requirements

Firewall Rule for upgrade test

| Source | Source Port | Destination | Destination Port | Description |
|---|---|---|---|---|
| Clean-room | Any | <New RSA AM 8.1 Primary IP Address> | TCP/22, TCP/443, TCP/7004, TCP/7072 | Management access |
| <New RSA AM 8.1 Primary IP Address> | Any | Active Directory Server | TCP/53, UDP/53, TCP/123, UDP/123, TCP/389, UDP/389 | Mandatory ports for accessing external users source and time synchronization |
| Regular RSA agent used for testing purposes | Any | <New RSA AM 8.1 Primary IP Address> | TCP/5500, UDP/5500, TCP/5550, UDP/5550, TCP/5580 | Mandatory ports for agent authentication |

Firewall Rule after upgrade


The port requirements below need to be re-checked against the existing firewall rules.

| Source | Source Port | Destination | Destination Port | Description |
|---|---|---|---|---|
| Clean-room | Any | a-sec-rsa078.sso.trz, a-sec-rsa079.sso.trz | TCP/22, TCP/443, TCP/7004, TCP/7072 | Management access |
| a-sec-rsa078.sso.trz, a-sec-rsa079.sso.trz | Any | Active Directory Server | NTP, LDAP, LDAPS, DNS | Mandatory ports for accessing external users source and time synchronization |
| Regular RSA agent for servers; Regular RSA agent for appliance; RADIUS RSA agent | Any | a-sec-rsa078.sso.trz, a-sec-rsa079.sso.trz | TCP/5500, UDP/5500, TCP/5550, UDP/5550, TCP/5580 | Mandatory ports for agent authentication |
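
The re-check of the post-upgrade port requirements against an existing firewall rule set can be scripted. The Python below is an added example, not part of the original plan: the CSV export layout, the zone labels (clean-room, rsa-agents, active-directory) and the port numbers for the services the table gives only by name (NTP, LDAP, LDAPS and DNS, mapped to their well-known ports) are assumptions, and the sample export is constructed.

```python
import csv
import io

AM_HOSTS = ["a-sec-rsa078.sso.trz", "a-sec-rsa079.sso.trz"]  # hostnames from the plan

# Ports from the "Firewall Rule after upgrade" table.
MGMT = ["tcp/22", "tcp/443", "tcp/7004", "tcp/7072"]
AGENT = ["tcp/5500", "udp/5500", "tcp/5550", "udp/5550", "tcp/5580"]
# Assumption: NTP, LDAP, LDAPS, DNS are listed by name only; well-known ports used.
DIRECTORY = ["udp/123", "tcp/389", "tcp/636", "tcp/53", "udp/53"]

def required_flows():
    """Build (source, destination, service) tuples; zone labels are hypothetical."""
    flows = set()
    for host in AM_HOSTS:
        flows |= {("clean-room", host, svc) for svc in MGMT}
        flows |= {("rsa-agents", host, svc) for svc in AGENT}
        flows |= {(host, "active-directory", svc) for svc in DIRECTORY}
    return flows

def parse_export(text):
    """Parse 'source,destination,service,action' rows, keeping allow rules only."""
    allowed = set()
    for row in csv.DictReader(io.StringIO(text)):
        if row["action"].strip().lower() == "allow":
            allowed.add((row["source"].strip(), row["destination"].strip(),
                         row["service"].strip().lower()))
    return allowed

def audit(export_text):
    """Return (missing required flows, unexpected allows touching the AM hosts)."""
    required, allowed = required_flows(), parse_export(export_text)
    touching = {f for f in allowed if f[0] in AM_HOSTS or f[1] in AM_HOSTS}
    return sorted(required - allowed), sorted(touching - required)

def constructed_export():
    """Constructed sample: one agent flow missing, one stray telnet allow, one deny."""
    rows = sorted(required_flows() - {("rsa-agents", AM_HOSTS[1], "udp/5550")})
    rows.append(("any", AM_HOSTS[0], "tcp/23"))
    lines = ["source,destination,service,action"]
    lines += [",".join(r) + ",allow" for r in rows]
    lines.append("clean-room," + AM_HOSTS[1] + ",tcp/8443,deny")
    return "\n".join(lines)

if __name__ == "__main__":
    print(audit(constructed_export()))
```

The first list returned by audit() holds required flows that no allow rule covers; the second holds allow rules that touch the Authentication Manager hosts but are not in the plan's matrix.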

3. Upgrade step by step


| # | Activity | PIC | Estimated duration in day(s) |
|---|---|---|---|
| 1 | Deploy virtual appliance into ESX for Primary and Replica instance - keep Replica instance in idle as it will be used later after migration | TBA | 1 |
| 2 | Checking preparation for data migration from current RSA AM 7.1 into RSA AM 8.1 | Sahrial Rasad | 1.5 |
| 3 | Update RSA AM 8.1 into last patch update SP1 P7 | Sahrial Rasad | 0.5 |
| 4 | Import existing configuration from RSA AM 7.1 into RSA AM 8.1 | Sahrial Rasad | 0.5 |
| 5 | Re-check all configs and settings are applied correctly at RSA AM 8.1 | Sahrial Rasad | 0.5 |

Pre-migration testing

| # | Activity | PIC | Estimated duration in day(s) |
|---|---|---|---|
| 1 | Servers: | | |
| | 1. Decide on one server that was previously registered at RSA AM 7.1 to become the test object (servers or clean-room) | TBA | - |
| | 2. At RSA AM 8.1, generate a new config file for the designated server from #1 | Sahrial Rasad | 0.5 |
| | 3. Replace the existing config file at designated server #1 so that it points to RSA AM 8.1 for authentication | Sahrial Rasad | 0.5 |
| | 4. From RSA Security Center, do authentication testing to make sure authentication is carried out successfully | Sahrial Rasad | 0.5 |
| | 5. Ask someone to log in to designated server #1 using his/her existing RSA Token | TBA | 0.5 |
| | 6. Monitor authentication activity from RSA AM 8.1 for failure or success | Sahrial Rasad | 0.5 |
| | The target for above testing: ● The user previously registered at RSA AM 7.1 logs in successfully using his/her Passcode, with no need to create a new PIN. ● RSA AM 8.1 acknowledges the server as one of its agents, with no need to register a new RSA Agent. | | |
| 2 | VPN: | | |
| | 1. Generate RSA config file for VPN RSA agent | Sahrial Rasad | 0.5 |
| | 2. Create one AD group for mapping user with VPN box | TBA | 0.5 |
| | 3. Decide to move one existing user into newly added group for VPN box testing | TBA | 0.5 |
| | 4. Create SecurID profile with supplied RSA config file for VPN box | TBA | 0.5 |
| | 5. Create or add one authentication profile mapped with user group from #2 and point authentication to RSA AM 8.1 | TBA | 1 |
| | 6. Add resource assignment for user from #3 | | |
| | 7. Test authenticate user into RSA AM 8.1 | TBA | 1 |
| | 8. Monitor authentication activity for failure or success | Sahrial Rasad | 1 |
| | The target for above testing: ● The user previously registered at RSA AM 7.1 logs in successfully using his/her Passcode, with no need to create a new PIN. ● RSA AM 8.1 acknowledges the VPN box as one of its agents, with no need to register a new RSA Agent. | | |
| 3 | 5Lake: | | |
| | 1. Release secondary 5Lake server from LTM | TBA | 0.5 |
| | 2. Use secondary 5Lake web server as test object | Sahrial Rasad | 0.5 |
| | 3. At RSA AM 8.1, generate a new config file for server #1 | Sahrial Rasad | 0.5 |
| | 4. Replace the existing config file at server #1 so that it points to RSA AM 8.1 for authentication | Sahrial Rasad | 0.5 |
| | 5. From RSA Security Center, do authentication testing to make sure authentication is carried out successfully | Sahrial Rasad | 0.5 |
| | 6. Ask someone to log in to designated server #1 using his/her existing RSA Token | TBA | 0.5 |
| | 7. Monitor authentication activity from RSA AM 8.1 for failure or success | Sahrial Rasad | 0.5 |
| | The target for above testing: ● The user previously registered at RSA AM 7.1 logs in successfully using his/her Passcode, with no need to create a new PIN. ● RSA AM 8.1 acknowledges the server as one of its agents, with no need to register a new RSA Agent. | | |
| 4 | If all above activities are passed, we can move on to the migration step | - | - |

4. Migration Planning
The migration strategy is to take down the current RSA AM 7.1 Primary instance and let authentication move to the Replica instance while RSA AM 8.1 is promoted to Primary instance and becomes production. This way, no downtime occurs while the migration takes place.

1) Migration plan
| # | Activity | PIC | Estimated duration in day(s) |
|---|---|---|---|
| 1 | At RSA AM 7.1 - Shut down primary instance | TBA | 0.5 |
| 2 | At RSA AM 8.1 - After RSA AM 7.1 is confirmed shut down: | | |
| | 1. Change the hostname and IP address to those of the existing RSA AM 7.1 primary instance and reboot | Sahrial Rasad | 0.5 |
| | 2. After RSA AM 8.1 successfully reboots, continue with monitoring the RSA AM 8.1 Primary instance and the RSA AM 7.1 Replica instance for authentication activity | Sahrial Rasad | 0.5 |
| | 3. If monitoring at RSA AM 8.1 looks OK (meaning users are able to authenticate without problem), we can continue to shut down the RSA AM 7.1 Replica instance | Sahrial Rasad, TBA | 1 |

Duration for monitoring - 6 Hrs

2) Post migration activity


| # | Activity | PIC | Estimated duration in day(s) |
|---|---|---|---|
| 1 | Servers: | | |
| | 1. At RSA AM 8.1, generate a new config file for the server to revert it back | Sahrial Rasad | 0.5 |
| | 2. Replace the existing config file at the server | Sahrial Rasad | 0.5 |
| | 3. From RSA Security Center, do authentication testing to make sure authentication is carried out successfully | Sahrial Rasad | 0.5 |
| | 4. Ask someone to log in to the designated server using his/her existing RSA Token | TBA | 0.5 |
| | 5. Monitor authentication activity from RSA AM 8.1 for failure or success | Sahrial Rasad | 0.5 |
| | The target for above testing: ● Revert back the config file | | |
| 2 | VPN: | | |
| | 1. Revert the user back into its original group | TBA | 0.5 |
| | 2. Revert the VPN macro/profile into its previous state | TBA | 0.5 |
| | 3. Monitor authentication activity for failure or success | Sahrial Rasad | 1 |
| | The target for above testing: ● Revert back the config file | | |
| 3 | 5Lake: | | |
| | 1. At RSA AM 8.1, generate a new config file for secondary 5L | Sahrial Rasad | 0.5 |
| | 2. Replace the existing config file at secondary 5L | Sahrial Rasad | 0.5 |
| | 3. From RSA Security Center, do authentication testing to make sure authentication is carried out successfully | Sahrial Rasad | 0.5 |
| | 4. Revert secondary 5Lake server to LTM | TBA | 0.5 |
| | 5. Monitor authentication activity from RSA AM 8.1 for failure or success | Sahrial Rasad | 0.5 |
| | The target for above testing: ● Revert back the config file | | |

3) Backup plan
The backup plan is executed if the planned migration fails, resulting in many authentication failures from agents.

| # | Activity |
|---|---|
| 1 | Revert the RSA AM 8.1 name back to the one previously set up for testing |
| 2 | Turn on RSA AM 7.1 Primary instance |
| 3 | Test authentication |

- FINISH -
