RSA® Authentication Manager 8.

1 Virtual Appliance
Getting Started
Thank you for purchasing RSA® Authentication Manager 8.1, the world’s leading two-factor
authentication solution. This document provides an overview of how to deploy Authentication Manager.

Step 1: Prepare for Deployment

A: Download the License File
Download the license file (.zip) from RSA Download Central at https://download.rsasecurity.com.
Do not unzip the file.
Use the credentials and the license serial number that RSA e-mailed to you to log on to the site and
download the license file. If you did not receive an e-mail with the logon credentials, contact the
License Seed Response Team by sending an e-mail with your contact information and license serial
number (provided in your order confirmation) to the regional address for your area listed below:
• Americas: [email protected]
• EMEA: [email protected].
• Asia Pacific: [email protected]
You must know the location of the license file before running the primary appliance Quick Setup. The
license file must be accessible to the browser that is used to run the primary appliance Quick Setup.
RSA recommends that you store the license file in a protected location available only to authorized
administrative personnel.

B: Locate the Documentation Set

The documentation set is available on RSA SecurCare Online at https://knowledge.rsasecurity.com.
RSA recommends that you store the user documentation in a network location that is accessible to
your administrators.

C: Plan Your Deployment

RSA recommends that you read the Planning Guide before you deploy, and refer to the Setup and
Configuration Guide for complete requirements and configuration instructions. To plan a more secure
deployment, see the Security Configuration Guide.
Collect the required network information. You need to know:
• The hostname or IP address of at least one Network Time Protocol (NTP) server. Authentication
Manager requires accurate time for authentication and replication.
• The network information for each appliance: the fully qualified domain name (FQDN), static IP
address, subnet mask, default gateway, and DNS server IP addresses.
For additional requirements, see the “Setup and Configuration Information List” in the first chapter in
the Setup and Configuration Guide.

1
 RSA Authentication Manager 8.1 Getting Started

D: Read the Release Notes

The RSA Authentication Manager 8.1 Release Notes (am_release_notes.html) are located on
RSA SecurCare Online at https://knowledge.rsasecurity.com. The Release Notes provide important
information about this release, as well as workarounds for known issues.

Step 2: Meet the Prerequisites

Meet the hardware and software requirements.

VMware Software Requirements

You must have one of the following platforms:

• VMware ESXi 4.1 or later (also known as VMware vSphere Hypervisor 4.1 or later)
• VMware ESXi 5.0 or later (also known as VMware vSphere Hypervisor 5.0 or later)

You must have any version of the VMware vSphere Client able to connect to and manage supported ESXi
(Hypervisor) and vCenter Server deployments.

VMware Software Support

(Optional) Versions of VMware vCenter Server that are compatible with the supported ESXi (Hypervisor)
versions.

Primary or Replica Instance Requirements

The virtual appliance for each RSA Authentication Manager 8.1 instance requires hardware that meets or
exceeds the following minimum requirements:
• 100 GB. Select thin-provisioned storage when deploying the virtual appliance.
• 4 GB of memory.
• At least one virtual CPU.
By default, each Authentication Manager instance is deployed with 8 GB of memory and two virtual CPUs.
Automatic tuning on the virtual appliance supports 4 GB, 8 GB, or 16 GB of memory. For example, the
appliance uses 16 GB of memory if more than 16 GB is available.
The virtual appliance only supports the E1000 virtual network adapter. Do not change the default network
adapter or add a new virtual network adapter to the virtual appliance.
For additional hardware requirements for the physical server hosting the virtual appliances, see your VMware
documentation.

Supported Browsers on a Windows Client

• Microsoft Internet Explorer 7.0 or later

• Mozilla Firefox 10.0 or later
• Google Chrome 18 or later
• Apple Safari 5.1 or later

2
 RSA Authentication Manager 8.1 Getting Started

Supported Directory Servers for User Data Storage

• Authentication Manager internal database

• Microsoft Active Directory 2008 R2
• Microsoft Active Directory 2012
• Sun Java System Directory Server 7.0
• Oracle Directory Server Enterprise Edition 11G

Step 3: Deploy the Virtual Appliance

RSA Authentication Manager 8.1 is deployed in VMware as a virtual appliance, known as the
RSA Authentication Appliance. When you run Quick Setup, you configure the virtual appliance as an
Authentication Manager primary instance or replica instance.

Before You Begin

Copy the RSA Authentication Manager OVA file from the directory in the kit to a location accessible
to the VMware vSphere Client.

Procedure
1. In the VMware vSphere Client, log on to VMware vCenter Server, or log on to the VMware ESX
or ESXi server (VMware Hypervisor). VMware vCenter Server is not required to deploy the
virtual machine.
2. Select File > Deploy OVF Template to start the wizard.
3. On the Source window, under Deploy from a file or URL, browse to the RSA Authentication
Manager OVA file.

4. Follow the wizard to deploy the template.

3
 RSA Authentication Manager 8.1 Getting Started

5. On the Ready to Complete window, review your settings, and click Finish. VMware requires
approximately five minutes to deploy the virtual appliance.
6. Power on the virtual machine.
7. Select the virtual appliance, and click the Console tab. The VMware OS Console tab displays the
progress of the virtual appliance deployment.
8. Wait for 30 seconds to select the default keyboard layout, English (United States). To choose
another keyboard layout, click any key and follow the instructions on the screen.
9. If you are deploying the virtual appliance directly on the ESXi platform, the OS Console prompts
you to enter and verify the virtual appliance network settings.
If you are deploying the virtual appliance through VMware vCenter, you already entered the
network settings in the wizard.
10. When the virtual appliance is deployed, the OS Console displays the Quick Setup URL and the
Quick Setup Access Code. Record this required information:
• The Quick Setup URL includes the IP address you provided earlier in this procedure.
https://<IP Address>/
Quick Setup uses an IP address. The administrative consoles that are available after Quick
Setup completes use a fully qualified domain name (FQDN).
• The Quick Setup Access Code is required to initiate Quick Setup.

Step 4: Set Up the Primary Instance

Quick Setup configures the virtual appliance as the primary instance.

Administrative Accounts
Before running Quick Setup, you should understand the three administrative accounts that are created
when you configure your virtual appliance as a primary instance:
• Super Admin. Super Admins can perform all Authentication Manager administrative tasks. Any
Super Admin can create a new administrator in the Security Console.
• Operations Console administrator. Operations Console administrators can perform
administrative tasks in the Operations Console.
• Appliance Operating System Administrator. Use the rsaadmin account if you need to access the
appliance operating system for advanced maintenance or troubleshooting tasks.
For more information, see the appendix “Administrative Accounts” in the Setup and Configuration
Guide.

Run Quick Setup on the Primary Instance

Keep the virtual appliance on a trusted network until Quick Setup is complete. The client computer and
browser used to run Quick Setup should also be on a trusted network.

Before You Begin

Copy the license file into a location that is accessible to the browser that is used to run the primary
appliance Quick Setup. Do not unzip the file.

4
 RSA Authentication Manager 8.1 Getting Started

Procedure
1. Deploy the virtual appliance. For instructions, see Step 3: Deploy the Virtual Appliance.
2. Launch Quick Setup with the URL provided at the end of virtual appliance deployment. Enter the
Quick Setup URL in the browser, including https, and press ENTER:
https://<IP Address>/
where <IP Address> is the IP address of the appliance.
If your web browser is configured for an enhanced security level, a warning states that this URL is
not on the list of allowed or trusted sites. To continue, click the option that your browser presents
that allows you to connect to an untrusted site.
3. When prompted, enter the Quick Setup Access Code, and click Next. The Primary and Replica
Quick Setup window displays.

4. Click Start Primary Quick Setup, and follow the instructions on the screen.

5. Record all of the passwords to the administrative accounts that you create during Quick Setup.
The operating system password is required to access the primary instance. For security reasons,
RSA does not provide a utility for recovering the operating system password.

5
 RSA Authentication Manager 8.1 Getting Started

6. After the instance is configured, you can click the Security Console or Operations Console URL
links to open those consoles. The Security Console or Operations Console URL links require a
fully qualified domain name (FQDN).

Note: The fully qualified domain name must resolve to your appliance. If you are having trouble
connecting to the Consoles, verify the DNS configuration.

The first time you access the Security Console or the Operations Console, a warning displays
because the default self-signed certificate created after Quick Setup is not trusted by your browser.
7. Accept the certificate to access the console and prevent the warning from occurring again. For
more information, see the chapter “Deploying a Primary Appliance” in the Setup and
Configuration Guide.

Note: If you plan to migrate from RSA Authentication Manager 7.1, the first import you complete
on RSA Authentication Manager 8.1 overwrites all existing data in the deployment and removes
attached replica instances. For more information, see the RSA Authentication Manager 7.1 to 8.1
Migration Guide.

Log On to the Consoles

After you have completed Quick Setup, you can use the following links.

Console URL

Security Console https://<fully qualified domain name>

https://<fully qualified domain name>/sc
https://<fully qualified domain name>:7004/console-ims

Operations Console https://<fully qualified domain name>/oc

https://<fully qualified domain name>:7072/operations-console

Self-Service Console If there is no web tier, enter:

https://<fully qualified domain name>/ssc
https://<fully qualified domain name>:7004/console-selfservice

After installing a web tier, enter:

https://<fully qualified virtual host name>
https://<fully qualified virtual host name>/ssc
https://<fully qualified virtual host name>/console-selfservice

If you change the default load balancer port, enter:

https://<fully qualified virtual host name>:<virtual host port>/
https://<fully qualified virtual host name>:<virtual host port>/ssc
https://<fully qualified virtual host name>:<virtual host port>/console-selfservice

6
 RSA Authentication Manager 8.1 Getting Started

For example, if the fully qualified domain name of your appliance installation is
“host.mycompany.com”, to access the Security Console, enter the one of the following URLs in your
web browser:
https://host.mycompany.com/
https://host.mycompany.com/sc
https://host.mycompany.com:7004/console-ims
If your web browser is configured for an enhanced security level, you must add at least one URL for
each console to the list of allowed or trusted sites. Add any additional URLs that you intend to use. See
your browser documentation for instructions about adding allowed or trusted sites.
To access the Security Console, enter the Super Admin User ID and password that you specified
during Quick Setup. To access the Operations Console, enter the Operations Console user ID and
password that were entered during Quick Setup.

Step 5: Set Up a Replica Instance

After you configure the primary instance, you can deploy another virtual appliance and set up a replica
instance.
Keep the virtual appliance on a trusted network until Quick Setup is complete. The client computer and
browser used to run Quick Setup should also be on a trusted network.

Before You Begin

A primary instance must be deployed on the network.

Procedure
1. On the primary appliance, log on to the Operations Console, and click Deployment
Configuration > Instances > Generate Replica Package. For instructions, see the Operations
Console Help topic “Generate a Replica Package.”
2. Deploy a virtual appliance. For instructions, see Step 3: Deploy the Virtual Appliance.
3. Launch Quick Setup with the URL provided at the end of the virtual appliance deployment. Enter
the Quick Setup URL in the browser, including https, and press ENTER:
https://<IP Address>/
where <IP Address> is the IP address of the appliance.
If your web browser is configured for an enhanced security level, a warning states that this URL is
not on the list of allowed or trusted sites. To continue, click the option that your browser presents
that allows you to connect to an untrusted site.
4. When prompted, enter the Quick Setup Access Code, and click Next. The Primary and Replica
Quick Setup window displays.

7
 RSA Authentication Manager 8.1 Getting Started

5. Click Start Replica Quick Setup and follow the instructions on the screen.

6. Record the operating system password that is created during Quick Setup.
The operating system password is required to access your replica instance. For security reasons,
RSA does not provide a utility for recovering the operating system password.
7. After the instance is configured, do one of the following:
• Click Begin Attach to attach the replica instance to the primary instance.
• Click Defer Attach to attach the replica instance at another time. When prompted, confirm
your choice. The replica instance powers off. You can attach the replica instance the next time
you power on the replica instance.
For instructions, see the Operations Console Help topic “Attach the Replica Instance to the
Primary Instance.”

Web Tier Installation

Web tiers are not required, but your deployment might need them to satisfy your network configuration
and requirements. Authentication Manager includes services, such as risk-based authentication,
dynamic seed provisioning, and the Self-Service Console, that may be required by users outside of
your corporate network. If your network includes a DMZ, you can use a web tier to deploy these
services inside the DMZ. For more information, see the chapter “Planning Your Deployment” in the
Planning Guide.

8
 RSA Authentication Manager 8.1 Getting Started

Next Steps
After setting up the appliance, consider which of the following tasks you want to perform for the
Authentication Manager deployment. You must perform all post-setup tasks on the primary instance.

Task Administrator’s Guide Chapter

Add Authentication Manager users To add users to the Authentication Manager internal
database, see “Administering Users.”
To link to an external identity source, see “Integrating
LDAP Directories.”

Assign authentication policies “Configuring Authentication Policies.”

Import tokens and assign users “Deploying and Administering RSA SecurID Tokens”

Set up risk-based authentication (RBA) “Deploying Risk-Based Authentication”

Set up on-demand authentication (ODA) “Deploying On-Demand Authentication”

Configure and customize end-user Self-Service “RSA Self-Service”

for maintenance and troubleshooting.

9
 RSA Authentication Manager 8.1 Getting Started

Support and Service

RSA SecurCare Online https://knowledge.rsasecurity.com

Customer Support Information www.emc.com/support/rsa/index.htm

RSA Solution Gallery https://gallery.emc.com/community/marketplace/rsa?view=overview

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and
solutions to known problems. It also offers information on new releases, important technical news, and
software downloads.
The RSA Solution Gallery provides information about third-party hardware and software products that
have been certified to work with RSA products. The gallery includes Secured by RSA Implementation
Guides with step-by-step instructions and other information about interoperation of RSA products with
these third-party products.

Copyright © 1994-2013 EMC Corporation. All Rights Reserved. Published in the U.S.A.
December 2013

Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or
other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go
to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

10