Template: RSA Authentication Manager 7.1 to 8.1 Consultancy


Consultancy

2 Days RSA Authentication Manager Consultancy – Migration from version 7.1 to version 8.1

 Scope of Work

  • Installation of Primary RSA Authentication Manager version 8.1 Appliance on to an ESXi 4.x/5.x Environment

  • Installation of Replica RSA Authentication Manager version 8.1 Appliance on to an ESXi 4.x/5.x Environment
  • Integrate RSA with Active Directory
  • Integrate with Juniper SSL VPN Appliance
  • Integrate with VMware View
  • Migrate Data from existing 7.1 Primary Appliance to new version 8.1
  • Confirm migration by testing access
  • Provide skills transfer
 Timeline
  • Day 1 –
  1. Initial build of Primary & Replica RSA version 8 servers on VMware
  2. Configure Replication between RSA version 8 Servers
  3. Integration to Active Directory
  4. Admin Console Configuration
  5. Basic Skills Transfer to admin staff
  • Day 2 –
  1. Migrate Primary RSA – from version 7.1 to version 8.1
  2. Change IP Addresses on Virtual Appliances
  3. Test Authentication through Juniper SSL VPN
  4. Test Authentication through VMware View
  5. Basic Skills Transfer to operations staff
 Caveats
 VMware ESXi Requirements
  • Full access to the VMware vSphere client to access a suitable ESXi 4.x/5.x host or vCenter Server consoles in order to install and set up the RSA OVA file.
  • Primary RSA Authentication Manager version 8.1 Appliance already installed by customer onto an ESXi 4.x/5.x Environment
  • Replica RSA Authentication Manager version 8.1 Appliance already installed by customer onto an ESXi 4.x/5.x Environment
  • ESXi host to meet minimum requirements: 100 GB (thick-provisioned storage when deploying the virtual appliance), 4 GB of memory (preferably 8 GB RAM), at least one virtual CPU. Note: By default, each Authentication Manager instance is deployed with 8 GB of memory and two virtual CPUs.
  • Customer is responsible for VMware host environment and any tasks related to changes on VMware.
  • The virtual appliance only supports the E1000 virtual network adapter. Do not change the default network adapter or add a new virtual network adapter to the virtual appliance.
  • For additional hardware requirements for the physical server hosting the virtual appliances, see your VMware documentation.
  • VMware snapshots may be required at various stages in deployment – adequate disk space must be available to do this.
RSA Installation
  • Current Version must be RSA 7.1 SP4
  • Customer to supply RSA version 8.1 Software, Tokens, token seed Files & licenses
  • License file may need to be downloaded from RSA Download Central at https://download.rsasecurity.com if not already obtained
  • Use the credentials and the license serial number that RSA e-mailed to you to log on to the site and download the license file. If you did not receive an e-mail with the logon credentials, contact the RSA Exceptions (support) Desk by sending an e-mail with your contact information and license serial number (provided in your order confirmation) to support@rsa.com or contacting 01344 781100
  • Further details on the process are available in a 5-minute YouTube video here: http://www.youtube.com/watch?v=5e9tawZ8JfU
  • The location of the license file must be known before running the appliance Quick Setup process
  • The network information for each appliance must be provided: the fully qualified domain name (FQDN), static IP address, subnet mask, default gateway, and DNS server IP addresses
  • RSA Servers will need fully qualified Hostnames configured in DNS (forward & reverse lookups)
  • RSA servers will need to be synced to an NTP time source – it is assumed that this is the same time source as previous installation – differences in time can impact user authentications
  • Any Firewalls must be configured to allow all RSA & other components to communicate with one another
    • TCP ports 7004 & 7072 are required for the Administration Consoles – these must be allowed through firewalls from wherever administration is performed on the network
    • TCP ports 7002, 1812 & 1813 are required for replication – these must be allowed through firewalls for replication to work
  • A test agent can be installed on a Windows PC to test authentication of the system prior to migration of the 7.1 data if required – the agent can be downloaded free of charge from the RSA website here: http://uk.emc.com/security/rsa-securid/rsa-authentication-agents/windows.htm
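
An added example, not part of the original template or any RSA tooling: a preflight check of the DNS (forward and reverse) and firewall prerequisites listed above, using the TCP ports the list names. The hostnames and addresses are constructed placeholders; run it after Quick Setup from the network where administration is performed, and pass `REPLICATION_PORTS` instead when running it from the peer appliance's segment.

```python
import socket

# Ports from the firewall prerequisites above (all TCP).
ADMIN_PORTS = (7004, 7072)              # administration consoles
REPLICATION_PORTS = (7002, 1812, 1813)  # replication between instances

def check_dns(fqdn, ip, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return problems with the forward and reverse lookups for one appliance."""
    problems = []
    try:
        got = forward(fqdn)
        if got != ip:
            problems.append(f"forward {fqdn} -> {got}, expected {ip}")
    except OSError as exc:  # gaierror and herror are OSError subclasses
        problems.append(f"forward {fqdn} failed: {exc}")
    try:
        name = reverse(ip)[0]
        if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append(f"reverse {ip} -> {name}, expected {fqdn}")
    except OSError as exc:
        problems.append(f"reverse {ip} failed: {exc}")
    return problems

def port_open(ip, port, timeout=3.0, connect=socket.create_connection):
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        connect((ip, port), timeout).close()
        return True
    except OSError:
        return False

def preflight(appliances, ports, **hooks):
    """appliances: {fqdn: static_ip}. Returns a list of problem strings."""
    dns_hooks = {k: v for k, v in hooks.items() if k in ("forward", "reverse")}
    tcp_hooks = {k: v for k, v in hooks.items() if k == "connect"}
    problems = []
    for fqdn, ip in appliances.items():
        problems += check_dns(fqdn, ip, **dns_hooks)
        problems += [f"tcp {ip}:{p} unreachable" for p in ports
                     if not port_open(ip, p, **tcp_hooks)]
    return problems

if __name__ == "__main__":
    # Constructed placeholder names and documentation-range addresses.
    planned = {"am81-primary.example.com": "192.0.2.10",
               "am81-replica.example.com": "192.0.2.11"}
    for line in preflight(planned, ADMIN_PORTS) or ["all checks passed"]:
        print(line)
```
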
Third Party Product integration
  • Integration with Juniper SSL VPN will be configured based on supported configuration as determined by documentation at https://www.rsasecured.com
  • The versions of third party agents are assumed to be versions listed in the guides on the https://www.rsasecured.com site.
  • The number of 3rd party products tested post migration will be as time allows – unless an exact number is determined before the consultancy.
  • Customer is responsible for any integrated 3rd party products.
  • LDAP configuration details will be required to configure integration with Active Directory – a System Admin Account must be provided for communication.
  • Current Active directory support is for Microsoft Active Directory 2008 R2 (other versions may work but will be unsupported by RSA)
Migration of 7.1 Data
  • Full connectivity to 7.1 Installed RSA systems via Web pages & SSH/SCP client
  • Downtime to stop each RSA 7.1 Server to take database dump files
    • Migrating Log data is optional
    • Migrating replica Server data is optional
  • Ability to copy dump files & other required files between 7.1 & 8.1
  • A Secure Copy Protocol (SCP) client will be needed to copy the 8.1 migration Export Utility & files to/from the RSA Appliance – the SSH port must be open between the PC & the RSA Appliance through any firewalls. WinSCP is a suggested client
  • Migration of data is assumed to be migration of agents, user accounts, tokens, PINS and associated user data only – other configuration may require manual setup post migration.
  • Usernames used in 7.1 environment must match those in Active Directory in order for migration to succeed to 8.1
  • The following passwords will be needed from the 7.1 environment: master password, Operations Console password (& User Account), Super Admin password (& User Account)
  • If the 7.1 installation is an appliance: The following passwords will also be needed: emcsrv user password, root password, rsaadmin password – normally the password for these is identical.
Juniper SSL & VMware View integration
Post Implementation
  • Basic Skills transfer as time allows to Admin staff
Outside Scope
  • New 8.1 Webtier components – for external published access to Self-Service Console, use of Risk Based Authentication, Dynamic Seed Provisioning of Software Tokens
    • Self-Service Console can be used for internal use only – use by external user connections should be through the RSA web tier component – which is outside of scope.
    • Self-service Token Provisioning component is outside of scope
  • Trusted Realm Deployments are outside of scope
  • Any other RSA consultancy requirements and RSA features not discussed in scope of work & caveats are outside agreed scope of consultancy.
  • Documentation is outside of scope – basic screenshots of the installation process can be done as time allows if required