Category Archives: RSA Security

Template SoW: RSA 6.1 to 8.1 Single Hardware Appliance Migration with Citrix Access Gateway

Scope of works:


1 Days RSA Authentication Manager Consultancy

  • Installation RSA 130 Appliance
  • Migration of data from version 6.1 to version 8.1

 Scope of Work

 Installation of Primary RSA 130 Appliance

  • Integrate with Citrix Access Gateway – 4.5
  • Confirm migration by testing authentication
  • Provide skills transfer as time allows


RSA Installation

  • Customer to supply RSA version 8.1 Appliance, Tokens, token seed Files & licenses
  • 8.1 License file may need to be downloaded from RSA Download Central at if not already obtained
  • Use the credentials and the license serial number  that RSA e-provided to you to log on to the site and download the license file. If you did not receive an e-mail with the logon credentials, contact the RSA Exceptions (support) Desk by sending an e-mail with your contact information and license serial number (provided in your order confirmation) to or contacting 01344 781100
  • Further details on the process are available in a 5 min youtube video here:
  • The location of the license file before running the appliance Quick Setup Process
  • The network information for each appliance must be provided: the fully qualified domain name (FQDN), static IP address, subnet mask, default gateway, and DNS server IP addresses
  • RSA Servers will need fully qualified Hostnames configured in DNS (forward & reverse lookups)
  • RSA server will need to be synced to an NTP time source – it is assumed that this is the same time source as previous installation – differences in time can impact user authentications
  • Any Firewalls must be configured to allow all RSA & other components to communicate with one another
    • HTTPS, TCP 7004 & 7072 Ports required for Administration Consoles – these must be allowed through Firewalls from wherever administration performed on network
    • UDP 5500, 1812, 1813 required for RSA Authentication from Citrix
  • A test Agent can also optionally be installed to Windows PC to test Authentication of system prior to migration of 6.1 Data if required – the agent is freely downloaded from the RSA website here:

Third Party Product integration

  • Integration with Citrix Access Gateway will be configured based on supported configuration as determined by documentation at
  • The versions of third party agents are assumed to be versions listed in the guides on the site.
  • Number of 3rd party product testing post migration will be as time allows – unless exact number is determined before consultancy.
  • Customer is responsible for any integrated 3rd party products.

Migration of 6.1 Data

  • Current RSA version is Authentication Manager 6.1.2 with a Primary & Replica – version 8.1 will only be installed on single purchased appliance
  • Existing version must be already installed & working correctly
  • Full connectivity to 6.1 Installed RSA systems and Administrative Access to be supplied
  • Downtime to stop RSA 6.1 Server to take database dump files – 15minutes
    • Migrating Log data is optional
    • Migrating any replica Server data is optional
  • Ability to copy dump files & other required files between 6.1 & 8.1
  • Migration of data is assumed to be migration of agents, user accounts, tokens, PINS and associated user data only – other configuration may require manual setup post migration.
  • If integrated with Active Directory – Usernames used in 6.1 environment must match those in Active Directory in order for migration to succeed to 8.1 if transferring a static user list to an Active Directory user list

Citrix Access Gateway integration

  • New Appliance to be integrated with Citrix Access Gateway Appliance via either a change to Citrix Access Gateway Configuration or by using previous RSA Appliance IP addresses

Post Implementation

  • Basic Skills transfer as time allows

Outside Scope

  • Advanced features such as:
    • 8.1 Webtier components – for external published access to Self-Service Console, use of Risk Based Authentication, Dynamic Seed Provisioning of Software Tokens (Most customers rarely use/need these components)
    • Self-Service Console can be used for internal use only
    • User Self service Token Provisioning component
    • Trusted Realm Deployments
    • Any other RSA consultancy requirements and RSA features not discussed in scope of work & caveats are outside agreed scope of consultancy.
    • Documentation
      • Basic screenshots of installation process can be done as time allows if required


  • 1 Day consultancy
  • All work done as time allows and assumed no time consuming change control process on the days involved impacting changes

RSA Authentication Manager 8: Move users across Identity Sources

AM8.x—Migrating users across Identity Sources

1.-In this example I have 10 users (test1-10) in an external Identity Source pointing to a Windows 2003 AD server. All 10 users have tokens assigned and PINs created. One of the users also has a replacement token assigned (but haven’t used it yet).

2.-To make things easier I create a group in AM called export. I assigned the users from the 2003 AD that I wanted to migrate (test1-test10) to a different Identity Source and placed them in this group. It is possible to just export all users with tokens as well.

3.-To Export the users we first need to download the encryption key: go to Administration—Export/ Import Tokens and Users—Download Encryption Key.

Save the file to a desired location.

4.-Now to actually export the users: go to Administration—Import/Export Tokens and Users—Export Tokens and Users (refer to screenshot from above).

5.-Browse to the encryption key you downloaded and select Users with Tokens (Users without tokens will not be exported) for the Export option and Click Next:

6.-On the next screen under Filter User with Tokens By Group I selected Narrow the selection by group membership. I typed the group, export, that I created for this which has the desired users and hit Search.

Select the group and then hit the > bring the group over on the right side under the Selected Groups section. Check the box next to the group and click Export:

7.-This brings you to the Import/Export Status screen. Once it’s complete download the file. I saved it in the same directory that I saved the encryption file.

8.-Now we have to remove the users that we exported and cleanup the database. Since I no longer need the 2003 Identity Source I’m going to unlink it.

Security Console—Setup—Identity Sources– Link Identity Source to System. I unlinked the 2003 ID source and clicked Save:

9.-Confirm that you want to unlink the Identity Source on the subsequent screen and make sure to check the box, then click on Unlink:

10.-Now we want to run the Scheduled cleanup job. Security Console—Setup—Identity Sources—Scheduled cleanup:

I set mine to run a few minutes from now and click Save:

11.-You can monitor the progress using the real-time system monitor or under Administration Batch jobs. Once the cleanup has completed login to the Operations Console and delete the Identity Source you just unlinked.

Deployment Configuration—Identity Sources—Manage Existing. Enter your Superadmin credentials when prompted. Now click the little arrow next to the ID source you wish to remove and select Delete:

12.-On the following screen check the box for Yes, delete the identity source and click Delete Identity Source.

13.-I’m going to be importing the users that were exported into a 2008 domain. The first name, last name, and default login all match what was in 2003. The 2008 Identity Source is already setup in AM8 and linked via the Security Console.

14.-Now to import the users that were exported. Security Console–Administration—Import/Export Tokens and Users—Import Tokens and Users. Select the .pkg file that you created during the export and click Next.

15.-For Security Domain I’m keeping the default of System Domain and clicking Next:

16.-On the subsequent screen you select the Identity Source that you wish to import to and then click Next:

17.-Review the summary which should match the export summary and click Import:

18.-Once it completes you should get something like the following:

***FYI, You will get the Done with Warning status as well.

19.-The imported users should now show up in the new Identity Source with their tokens/PINs intact. I was able to login successfully with the migrated accounts and Pins were retained.