Template: RSA Authentication Manager 6.1 to 8.1 Consultancy

The estimated reading time for this post is 5 minutes

RSA Token

Scope of Work

4 Days RSA Authentication Manager Consultancy – Migration from version 6 to version 7.1 Appliance

Day 3 may require out of hours – so might be a Thur/Fri/Sat/Mon

  • Installation of Primary RSA Authentication Manager version 8.1 Appliance
  • Installation of Replica RSA Authentication Manager version 8.1 Appliance
  • Integrate RSA with Active Directory
    • Migrate Data from existing 6.1 Software to new version 8.1 Appliance
    • Confirm migration by testing access
    • Complete any other configuration changes for new system (based on similar features that were used in version 6 – Admin Roles etc)
    • Document the build of the solution
    • Provide Basic skills transfer

Caveats

Suggested Timeline

  1. Day 1 –
    1. Initial build of Primary & Replica RSA version 8.1 server – no configuration
    2. Start Build Documentation
    3. Configuration of Primary RSA version 8.1 Appliance with integration to Active Directory
    4. Continue Build Documentation – AD Integration
    5. Test Migration
    6. Day 2 –
      1. Configure Replication between RSA version 8.1 Servers
      2. Basic Skills Transfer to admin staff
      3. Continue Build Documentation – RSA Replica Integration
    7. Day 3 –
      1. Migrate Primary RSA – from version 6.1 to version 8.1
      2. Test
      3. Migrate Replica RSA – from version 6.1 to version 8.1
      4. Test
    8. Day 4 –
      1. Complete any other configuration changes for new system – Role Based Admin setup etc
      2. Finalize Build Documentation
      3. Final Skills Transfer

RSA Installation

  1. RSA version 8.1 will be installed on to new IP addresses initially and then changed to existing version 6 IP addresses once version 6 is powered off. Hostnames will remain unchanged.
  2. Customer to supply RSA version 8.1 Appliances, Tokens, token seed Files & licenses
  3. License file may need to be downloaded from RSA Download Central at https://download.rsasecurity.com if not already obtained
  4. Use the credentials and the license serial number that RSA e-mailed to you to log on to the site and download the license file. If you did not receive an e-mail with the logon credentials, contact the Exceptions Desk by sending an e-mail with your contact information and license serial number (provided in your order confirmation) to support@rsa.com
  5. The location of the license file is needed before running the appliance Quick Setup Process
  6. The License File must support the number of tokens & users with fixed passwords added/migrated to the system
  7. The network information for each appliance must be provided: the fully qualified domain name (FQDN), static IP address, subnet mask, default gateway, and DNS server IP addresses
  8. RSA Servers will need fully qualified Hostnames configured in DNS
  9. RSA servers will need to be synced to an NTP time source
  10. Any Firewalls must be configured to allow all RSA & other components to communicate with one another
  11. It is recommended that a test Agent is installed to Windows PC to test Authentication of system prior to migration of 6.1 Data
  12. Initial RSA Admin Password used on system to be specified by customer –Password provided will be used in super, operations console, radius & master password unless otherwise specified. If this needs to be changed at a later date – procedures are within the documentation.

Third Party Product integration

  1. Any Integration with 3rd party products will be configured based on supported configuration as determined by documentation at https://www.rsasecured.com
  2. With regard to above – existing products should migrate across to new system without any changes on existing systems – above procedures will only be applied where migration of a particular agent has not successfully migrated – yet all other agents have. In the case where no of agents migrate – system will be reverted back to existing version 6.1
  3. Customer is responsible for 3rd party products and other components.
  4. LDAP configuration details will be required to configure integration with Active Directory – a System Admin Account must be provided for communication.
  5. Current Active directory support is for Microsoft Active Directory 2008 R2
  6. As RSA servers will retain IP addresses of existing units – ARP tables may need to be cleared of surrounding equipment (if this doesn’t happen automatically) so that traffic can be redirected to new MAC addresses of new servers.

Migration of 6.1 Data

  1. Full connectivity to 6.1 Installed RSA systems (RDP or direct connection)
  2. Downtime to stop Primary RSA 6.1 Server to take database dump files
  3. 2 migrations to be performed –
    1. initial test migration on day 1 with dumped data taken from live 6.1 RSA primary server and imported to check for any issues with import. A Report can also be run that highlights any potential issues with migration – system will be reverted after this migration to a clean VMware snapshot to continue with build of server ready for final migration
    2. final migration – downtime needed of RSA 6.1 Primary Server after this stage initiated
    3. Once 6.1 primary server is stopped and data copied off during final migration – 6.1 server will be powered off. Version 8.1 Primary server will have IP Address changed to that of existing system.
    4. Ability to copy dump files & other required files between 6.1 & 8.1
    5. Migration of data is assumed to be migration of agents, user accounts, tokens, PINS and associated user data only – other configuration may require manual setup post migration.
    6. Confirmed testing to new version 8 server – will confirm successful migration of data and continuation of below steps.
    7. Downtime to stop Replica RSA 6.1 Server to take database dump delta records
    8. Once 6.1 primary server is stopped and data copied off – 6.1 server will be powered off. Version 8.1 Replica server will have IP Address changed to that of existing system.
    9. Ability to copy dump files & other required files between 6.1 & 8.1
    10. Confirmed testing to new version 8.1 replica server – will confirm successful migration of data

Outside Scope

  1. Self-Service Console is assumed to be for admin use only.
  2. On Demand Authentication is outside of scope
  3. Provisioning component of Self service is outside of scope
  4. Trusted Realm Deployments are outside of scope
  5. Any other RSA consultancy requirements and RSA features not discussed in scope of work & caveats are outside agreed scope of consultancy.

Documentation

  1. Documentation of build of system will be provided- other documentation is outside of scope

Skills Transfer

  1. Basic Skills transfer will be given as time allows to admin staff using system after initial build and prior to migration.
  2. Another basic skills transfer can be given post migration to admin staff using system
  3. Skills transfer will cover basic admin tasks and how system built.