2 Days RSA Authentication Manager Consultancy – Migration from version 7.1 to version 8.1
Scope of Work
- Installation of Primary RSA Authentication Manager version 8.1 Appliance on to an ESXi 4.x/5.x Environment
- Installation of Replica RSA Authentication Manager version 8.1 Appliance on to an ESXi 4.x/5.x Environment
- Integrate RSA with Active Directory
- Integrate with Juniper SSL VPN Appliance
- Integrate with VMware View
- Migrate Data from existing 7.1 Primary Appliance to new version 8.1
- Confirm migration by testing access
- Provide skills transfer
- Day 1
  - Initial build of Primary & Replica RSA version 8 servers on VMWare
  - Configure Replication between RSA version 8 Servers
  - Integration to Active Directory
  - Admin Console Configuration
  - Basic Skills Transfer to admin staff
- Day 2
  - Migrate Primary RSA – from version 7.1 to version 8.1
  - Change IP Addresses on Virtual Appliances
  - Test Authentication through Juniper SSL VPN
  - Test Authentication through VMware View
  - Basic Skills Transfer to operations staff
VMWare ESXi Requirements
- Full access to the VMware vSphere client to reach a suitable ESXi 4.x/5.x host or vCenter Server console in order to install and set up the RSA OVA file.
- Installation of Primary RSA Authentication Manager version 8.1 already installed by customer onto an ESXi 4.x/5.x Environment
- Installation of Replica RSA Authentication Manager version 8.1 already installed by customer onto an ESXi 4.x/5.x Environment
- ESXi host to meet minimum requirements: 100 GB (Thick-provisioned storage when deploying the virtual appliance), 4 GB of memory (preferably 8GB RAM), At least one virtual CPU. Note: By default, each Authentication Manager instance is deployed with 8 GB of memory and two virtual CPUs.
- Customer is responsible for VMware host environment and any tasks related to changes on VMware.
- The virtual appliance only supports the E1000 virtual network adapter. Do not change the default network adapter or add a new virtual network adapter to the virtual appliance.
- For additional hardware requirements for the physical server hosting the virtual appliances, see your VMware documentation.
- VMware snapshots may be required at various stages in deployment – adequate disk space must be available to do this.
- Current Version must be RSA 7.1 SP4
- Customer to supply RSA version 8.1 Software, Tokens, token seed Files & licenses
- License file may need to be downloaded from RSA Download Central at https://download.rsasecurity.com if not already obtained
- Use the credentials and the license serial number that RSA e-mailed to you to log on to the site and download the license file. If you did not receive an e-mail with the logon credentials, contact the RSA Exceptions (support) Desk by sending an e-mail with your contact information and license serial number (provided in your order confirmation) to firstname.lastname@example.org or contacting 01344 781100
- Further details on the process are available in a 5-minute YouTube video here: http://www.youtube.com/watch?v=5e9tawZ8JfU
- The location of the license file must be known before running the appliance Quick Setup process
- The network information for each appliance must be provided: the fully qualified domain name (FQDN), static IP address, subnet mask, default gateway, and DNS server IP addresses
- RSA Servers will need fully qualified Hostnames configured in DNS (forward & reverse lookups)
- RSA servers will need to be synced to an NTP time source – it is assumed that this is the same time source as previous installation – differences in time can impact user authentications
- Any Firewalls must be configured to allow all RSA & other components to communicate with one another
- TCP ports 7004 & 7072 are required for the Administration Consoles – these must be allowed through firewalls from wherever administration is performed on the network
- TCP 7002, 1812 & 1813 Ports are required for Replication – these must be allowed through Firewalls for replication to work
- A test Agent can be installed on a Windows PC to test authentication against the system prior to migration of the 7.1 data if required – the agent can be downloaded free of charge from the RSA website here: http://uk.emc.com/security/rsa-securid/rsa-authentication-agents/windows.htm
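The DNS and firewall prerequisites above can be checked before the engagement starts. The following is an added example, not part of the original post or any RSA tooling; the hostnames and addresses are constructed placeholders, and the port numbers are the ones listed above.

```python
import socket

ADMIN_PORTS = (7004, 7072)              # administration consoles (from the list above)
REPLICATION_PORTS = (7002, 1812, 1813)  # replication (from the list above)

def check_dns(fqdn, ip, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return problems found in the forward and reverse DNS records of one appliance."""
    problems = []
    try:
        resolved = forward(fqdn)
        if resolved != ip:
            problems.append(f"{fqdn} resolves to {resolved}, expected {ip}")
    except OSError as exc:
        problems.append(f"forward lookup of {fqdn} failed: {exc}")
    try:
        ptr = reverse(ip)[0]
        # PTR names may carry a trailing dot and differ in case.
        if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append(f"{ip} reverse-resolves to {ptr}, expected {fqdn}")
    except OSError as exc:
        problems.append(f"reverse lookup of {ip} failed: {exc}")
    return problems

def check_ports(host, ports, connect=socket.create_connection, timeout=3.0):
    """Map each TCP port to 'open', 'refused' (host answered, no listener)
    or 'filtered' (timeout or unreachable, typically a firewall drop)."""
    states = {}
    for port in ports:
        try:
            connect((host, port), timeout).close()
            states[port] = "open"
        except ConnectionRefusedError:
            states[port] = "refused"
        except OSError:
            states[port] = "filtered"
    return states

if __name__ == "__main__":
    # Constructed sample values (documentation address range); replace with the real appliances.
    appliances = {"rsa-primary.example.test": "192.0.2.10",
                  "rsa-replica.example.test": "192.0.2.11"}
    for fqdn, ip in appliances.items():
        for problem in check_dns(fqdn, ip):
            print("DNS:", problem)
        for port, state in check_ports(ip, ADMIN_PORTS + REPLICATION_PORTS, timeout=1.0).items():
            print(f"{fqdn} tcp/{port}: {state}")
```

A result only describes the path from the machine running the check, so the replication ports need to be confirmed from the peer appliance's network segment rather than from an admin PC.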
Third Party Product integration
- Integration with Juniper SSL VPN will be configured based on supported configuration as determined by documentation at https://www.rsasecured.com
- The versions of third party agents are assumed to be versions listed in the guides on the https://www.rsasecured.com site.
- The number of 3rd party products tested post migration will be as time allows – unless an exact number is determined before the consultancy.
- Customer is responsible for any integrated 3rd party products.
- LDAP configuration details will be required to configure integration with Active Directory – a System Admin Account must be provided for communication.
- Current Active Directory support is for Microsoft Active Directory 2008 R2 (other versions may work but will be unsupported by RSA)
Migration of 7.1 Data
- Full connectivity to 7.1 Installed RSA systems via Web pages & SSH/SCP client
- Downtime to stop each RSA 7.1 Server to take database dump files
- Migrating Log data is optional
- Migrating replica Server data is optional
- Ability to copy dump files & other required files between 7.1 & 8.1
- A Secure Copy Protocol (SCP) client will be needed to copy the 8.1 migration Export Utility & files to/from the RSA Appliance – the SSH port must be open between the PC & the RSA Appliance through any firewalls. WinSCP is a suggested client.
- Migration of data is assumed to be migration of agents, user accounts, tokens, PINS and associated user data only – other configuration may require manual setup post migration.
- Usernames used in 7.1 environment must match those in Active Directory in order for migration to succeed to 8.1
- The following passwords will be needed from the 7.1 environment: master password, Operations Console password (& User Account), Super Admin password (& User Account)
- If the 7.1 installation is an appliance: The following passwords will also be needed: emcsrv user password, root password, rsaadmin password – normally the password for these is identical.
Juniper SSL & VMware View integration
- Juniper SSL VPN can be redirected towards new environment (small downtime window required for this) – done as per RSA documentation: https://gallery.emc.com/docs/DOC-1167?viewTab=collateral&version=30
- VMware View can be redirected towards new environment based on RSA documentation here: https://gallery.emc.com/servlet/JiveServlet/download/1971-24-4990/VMware_Horizon_View_52_AM8.0.pdf
- Note: There is a known issue in RSA documentation with regard to VMware View as documented in the doc above and here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2048335
- Based on the above issue, it is recommended not to redirect Juniper SSL VPN & VMware View to the new units but instead to use the following approach:
- Power off 7.1 Appliances
- Change the IP addresses of the 8.1 Appliances to the same IP addresses as the old 7.1 appliances
- Flush ARP MAC table entries from surrounding equipment – onsite staff must have access to equipment to perform this function
- Basic Skills transfer as time allows to Admin staff
- New 8.1 Webtier components – for external published access to Self-Service Console, use of Risk Based Authentication, Dynamic Seed Provisioning of Software Tokens
- Self-Service Console can be used for internal use only – use by external user connections should be through the RSA web tier component – which is outside of scope.
- The Self-Service Token Provisioning component is outside of scope
- Trusted Realm Deployments are outside of scope
- Any other RSA consultancy requirements and RSA features not discussed in scope of work & caveats are outside agreed scope of consultancy.
- Documentation is outside of scope – basic screenshots of the installation process can be taken as time allows if required