RSA Adaptive Authentication (On-Premise) 7.1
Installation and Upgrade Guide
Contact Information
Go to the RSA corporate website for regional Customer Support telephone and fax numbers:
www.emc.com/domains/rsa/index.htm
Trademarks
RSA, the RSA Logo, BSAFE, eFraudNetwork, SecurCare and EMC are either registered trademarks or trademarks of EMC
Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective
owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Copyright 2013-2014 EMC Corporation. All Rights Reserved. Published in the USA.
July 2013
Revised: November 2013, March 2014
RSA Adaptive Authentication (On-Premise) 7.1 Installation and Upgrade Guide
Contents
Preface................................................................................................................................... 9
About This Guide................................................................................................................ 9
RSA Adaptive Authentication (On-Premise) Documentation ............................................ 9
Support and Service .......................................................................................................... 10
Before You Call Customer Support........................................................................... 10
Configure a Separate Work Manager for RSA Risk Engine Offline Tasks.................... 125
Secure the Data Source Password for Tomcat ................................................................ 126
Change a Secure Database Password....................................................................... 127
Change the Encryption Scheme ............................................................................... 127
Configure the Web Services Author Application ........................................................... 129
Configure the log4j.properties File ................................................................................. 130
Shared Configuration Information in a Distributed Environment .................................. 131
Preface
Release Notes. Provides information about what is new and changed in this
release, as well as workarounds for known issues. It also includes the supported
platforms and work environments for platform certifications. The latest version of
the Release Notes is available on RSA SecurCare Online at
https://knowledge.rsasecurity.com.
Security Best Practices Guide. Provides recommendations for configuring your
network and RSA Adaptive Authentication (On-Premise) securely.
Web Services API Reference Guide. Describes RSA Adaptive Authentication
(On-Premise) Web Services API methods and parameters. This guide also
describes how to build your own Web Services clients and applications using Web
Services API to integrate and utilize the capabilities of Adaptive Authentication
(On-Premise).
What's New. Highlights new features and enhancements in RSA Adaptive
Authentication (On-Premise) 7.1.
Workflows and Processes Guide. Describes the workflows and processes that
allow end users to interact with your system and that allow your system to interact
with RSA Adaptive Authentication (On-Premise).
General Recommendations
The following are the general recommendations for the installation:
Adaptive Authentication databases should be installed by a database administrator
(DBA).
Install the Core Database on a different server than the web applications.
Install the Core applications and Back Office applications on different servers.
Guidelines for database sizing are related to the size of the customer base. See the
recommendations in the following section, Database Sizing Guidelines.
2 Installation Prerequisites
Installation Prerequisites for an Oracle Database
Installation Prerequisites for MS SQL Server
Installation Prerequisites for WebSphere
Installation Prerequisites for Tomcat
Installation Prerequisites for BSafe
Installation Prerequisites for JBoss
Installation Prerequisites for WebLogic
This chapter describes requirements that you must satisfy before installing
RSA Adaptive Authentication (On-Premise) 7.1.
Note: You can download the driver from the following URL:
http://www.oracle.com/technology/software/index.html.
Create a new buffer cache. For instructions, see the following section Creating a
New Buffer Cache in Oracle.
If you need to install Oracle on Unix and you are not the Oracle instance user, do the
following:
1. Log on to the Unix machine as the Oracle software owner.
2. Verify that the ORACLE_HOME variable is set.
Setting a system variable in Unix differs depending on the Unix shell in which
you are working.
For example:
For sh or bash:   export ORACLE_HOME=oracle_home_dir
For csh or tcsh:  setenv ORACLE_HOME oracle_home_dir
For other Unix shells, consult your Unix documentation.
3. Make sure you have the required privileges on the instance directory. From the
Oracle instance user or root user, run the following command:
chmod -R 755 $ORACLE_HOME/*
4. Run the following commands before you begin the installation:
export ORACLE_HOME=Oracle_Home_full_path
export ORACLE_SID=Oracle_SID
Note: If you run the installation module without defining the BLOB tablespace block
size, you get the following error:
ORA-29339: tablespace block size 16384 does not match configured block sizes
Note: Make sure that SQL is installed on the machine from which you are running
the installer program if you are remotely installing the database.
Install JRE version 1.6 or higher on the machine where the database setup
configuration script will run.
Install SQL Server with Mixed Mode authentication. Do not use Windows Only
authentication.
Configure the SQL Server instance to use case-insensitive collation. This is the
default setting.
Download Microsoft SQL JDBC driver 1.2 or 2.0 (sqljdbc.jar or sqljdbc4.jar).
This driver is available from http://www.microsoft.com/downloads/.
The driver class name for SQL Server 2005 and SQL Server 2008 is
com.microsoft.sqlserver.jdbc.SQLServerDriver. You must specify this driver
file location in the Environment screen of the Installation Module.
Note: If you download the JDBC drivers from Microsoft, make sure that the
version and service pack match those of the installed MS SQL Server database.
h. Using the WebSphere Console, enter the values to configure the parameters as
listed in the following snippet:
-XX:MaxPermSize=512m
-Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl
-Djavax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
-Djavax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
-Dorg.apache.xerces.xni.parser.XMLParserConfiguration=org.apache.xerces.parsers.XML11Configuration
The WebSphere application server enforces the highest isolation level supported
by the database. For MS SQL databases, the highest isolation level supported is
TRANSACTION_REPEATABLE_READ (4), which can cause escalation locks.
To avoid this, you must lower the isolation level by resetting the
webSphereDefaultIsolationLevel property of the datasource to
TRANSACTION_READ_COMMITTED (2).
For instructions about adding the custom property for a data source using the
WebSphere Administrative Console, go to
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21224492.
For MS SQL databases only, to ensure the database supports the non-Unicode
character set, for example, Chinese, open the WebSphere Administrative Console.
Under Resources > Data sources > custom properties >
sendStringParametersAsUnicode, change the value to True and restart the
server.
Note: Make sure the Tomcat Manager and Admin applications are installed.
For Unix, configure the Java memory settings in the JAVA_OPTS variable in the
tomcat-home/bin/catalina.sh file, as follows:
JAVA_OPTS="-Xms1024m -Xmx2048m -XX:MaxPermSize=512m"
Copy the JDBC driver to Tomcat Home/lib and to the machine assigned to run the
installation module.
JDK 1.6
1. Go to http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html.
2. Download jce_policy-6.zip.
IBM JDK 6
1. Go to https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk.
2. Click the link under IBM SDK Policy files.
3. Log in to the Unrestricted JCE policy files site using your IBM credentials.
4. Select Unrestricted JCE Policy files for SDK for all newer versions (Version 1.6).
5. Click Continue, and then click Download now to download the zip file.
BEA JDK
1. Go to https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jce_policy-1.5.0-oth-JPR@CDS-CDS_Developer.
2. Download jce_policy-1_5_0.zip.
2. Extract the local_policy.jar and US_export_policy.jar files in the zip file to the
$JAVA_HOME/jre/lib/security directory.
These files already exist in this directory. You must overwrite them.
3. Restart the application server, and re-invoke the secured service.
The InvalidKeyException does not occur.
Note: This change is mandatory for the JBoss server that hosts the Back Office
applications.
Installation Module
The RSA Adaptive Authentication (On-Premise) CD contains the artifacts to install,
upgrade, and configure components in the Adaptive Authentication application
system.
The RSA Adaptive Authentication (On-Premise) 7.1 installation packet includes .zip
files for each of the platforms supported by Adaptive Authentication.
Note: RSA recommends that you install Adaptive Authentication on its own
application server. If the application server includes other software, you might
encounter an overload on your thread pool.
Note: The installer program creates a log file of the installation run environment and
all the installation actions. While the installer program is running, a log file named
i4j_log_aaop_<i4j generated number>.log is created in the temp directory. A file
named install.log is copied to the directory where the executable is available after the
installer program finishes running.
If the installer program shows an error message, copy the log file from the temp
directory to the directory of the executable, so that it is available for investigating the
problem.
Installation Varfile
At the end of the installation process, the installation module saves all of the inputs
required during the process in the installation variable file. The name of the variable
file is the same as that of the installation executable file, but with the extension
.varfile. This .varfile is created in the same folder as the installation module. It is also
copied for backup to the main folder used by Adaptive Authentication.
Important: Save the .varfile for later use. The .varfile can be useful if you want to
rerun the installation module or if you want to apply hot fixes or upgrades.
When the installation module is executed with the .varfile in the same folder, it
populates the fields in the wizard with values from the .varfile.
Note: Passwords are saved encrypted to the .varfile. If this poses a security risk, you
must manually remove the encrypted password values from the .varfile in both
locations.
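The note above says to remove the encrypted password values from both copies of the .varfile by hand. The following helper is added here as an example and is not part of the RSA installer; it assumes the .varfile is a Java-properties-style key=value file and that every password entry has "password" somewhere in its key name, and the sample file and key names in it are constructed.

```python
"""Blank the encrypted password values in an install4j .varfile.

Added example, not part of the RSA guide. Assumptions: the .varfile is a
Java-properties-style key=value file and every entry that stores a
password has 'password' somewhere in its key name (the key names in the
constructed sample below are invented for illustration).
"""
from __future__ import annotations

import re
from pathlib import Path

# key, separator ('=' or ':'), value; comment lines start with '#' or '!'
_ENTRY = re.compile(r"^(\s*)([^#!=:\s][^=:]*?)(\s*[=:]\s*)(.*)$")

# Constructed sample of what the installer might write (keys are invented).
SAMPLE_VARFILE = """\
#install4j response file for AA-OnPrem.7.1.0.0.0 (constructed sample)
sys.installationDir=/opt/rsa/aaop
coreDbHost=db01.example.internal
coreDbUsername=aa_core
coreDbPassword=Zm9vYmFyYmF6cXV1eA==
boDbPassword$Encrypted=c2VjcmV0c2VjcmV0
appServerType=tomcat
"""


def scrub_varfile_text(text: str) -> tuple[str, list[str]]:
    """Return (scrubbed text, keys whose values were blanked).

    Only the value is dropped; the key and separator stay, so the
    installer still parses the file and simply prompts for the secret
    when it is rerun with the .varfile present.
    """
    out: list[str] = []
    blanked: list[str] = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m and "password" in m.group(2).lower() and m.group(4):
            out.append(m.group(1) + m.group(2) + m.group(3))
            blanked.append(m.group(2))
        else:
            out.append(line)
    scrubbed = "\n".join(out)
    if text.endswith("\n"):
        scrubbed += "\n"
    return scrubbed, blanked


def scrub_varfiles(paths: list[Path]) -> dict[Path, list[str]]:
    """Scrub every copy of the .varfile (the guide notes there are two: one
    beside the installer and a backup in the main Adaptive Authentication
    folder). Missing files are skipped; returns path -> keys blanked."""
    result: dict[Path, list[str]] = {}
    for path in paths:
        if not path.is_file():
            continue
        scrubbed, blanked = scrub_varfile_text(path.read_text(encoding="utf-8"))
        if blanked:
            path.write_text(scrubbed, encoding="utf-8")
        result[path] = blanked
    return result


if __name__ == "__main__":
    cleaned, keys = scrub_varfile_text(SAMPLE_VARFILE)
    print("blanked:", keys)
    print(cleaned)
```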
Note: If you use FTP, sFTP, or SCP to send the installation module files across a
network, use binary transfer mode for the files.
On some Unix machines, the following error message appears when you run the
installation module using the -c option:
testing JVM in /usr ...
Starting Installer ...
Could not display the GUI. This application needs access to an X Server.
*****************
If you have access there is probably an X library missing. You can also run this application in console mode without access to an X server by passing the argument -c
*****************
An error occurred:
java.awt.AWTError: Assistive Technology not found: org.GNOME.Accessibility.JavaBridge
Error log: /var/tmp/install4jError20776.log
*****************
To resolve this issue, perform the following actions:
1. Log on as the root user.
2. Edit the /usr/java/jre/lib/accessibility.properties file where /usr/java/jre is the
directory in which the JRE is installed on your machine.
3. Comment out the property assistive_technologies.
4. Save the file and log out.
5. Rerun the installation module stating explicitly not to use graphics, as shown:
./AA-OnPrem.7.1.0.0.0.Unix.Installer.sh -c -Dinstall4j.nolaf=true
This command runs the installation module without graphics. You can still use a
response file with this command.
Important: All fields are mandatory unless stated otherwise. The values displayed in
the figures in this guide are not a recommendation.
Note: If you select I don't accept the agreement, you cannot continue with the
installation.
4. Click Next.
The Environment Preparation Reminder screen appears.
5. Ensure that you meet the requirements specified in Chapter 2, Installation
Prerequisites and click Next.
Back Office Applications Installs only the Back Office applications. The databases
and core applications must already be installed.
Important: When running the installation process in command line mode, choose
Custom Installation for the installation type. Select the specific components
(applications) required for the installation.
2. Click Next.
On the Installation Components screen, you select the components for installation.
You can change the default selections.
Note: Depending on the components that you choose to install on the Installation
Components screen, the options available on the following screens will vary.
3. Click Next.
On the Environment screen, you define the environment for the installation.
4. In the Database Type section, select the database.
Once you select the database type, the JDBC Driver field is populated.
5. In the JDBC Driver File field, enter the path to the JDBC driver file. For
example, sqljdbc.jar in the case of MS SQL Server.
6. In the Application Server section, select the application server.
7. In the Main Directory field, specify the main directory where the logs, core
application configuration files, and reports are stored.
8. Click Next.
Note: If you are using a Tomcat application server, and are concerned about your
database passwords being stored in clear text in the Tomcat server.xml file, see Secure
the Data Source Password for Tomcat on page 126.
If you choose to install the databases, the relevant logs are created as *.log files in the
directory where the executable is available. You must attach the log files when you
contact RSA Support about an installation problem.
This section contains the following topics:
Configure the Core Database on Oracle
Configure the Core Database on MS SQL Server
Option Description
2. Select Run the SQL scripts if you want the installation module to run the SQL
scripts during installation.
If you do not select this option, the SQL scripts are configured with the database
parameters but are not run. You must manually run the SQL scripts following
installation. For more information, see Complete a Dry-Run Installation on
page 55.
3. In the Core Database Properties section, enter the values as described in the
following table.
Name (SID) Database system ID (SID) of the host where the Core
Database resides
4. In the Partitions section, select Enable Partitions if you want to enable partitions
for the Core Database.
5. In the Core Database Credentials section, enter the values as described in the
following table.
Note: Ensure that the password you enter complies with your company and
database password policies.
6. Click Next.
Data Tablespace File Size: Size (in MB) of the data tablespace file
Data Tablespace File Growth: The maximum amount (in MB) the data tablespace file is allowed to increase in size when additional space is required
Index Tablespace File Size: Size (in MB) of the index tablespace file
Index Tablespace File Growth: The maximum amount (in MB) the index tablespace file is allowed to increase in size when additional space is required
BLOB Tablespace File Size: Size (in MB) of the BLOB tablespace file
BLOB Tablespace File Growth: The maximum amount (in MB) the BLOB tablespace file is allowed to increase in size when additional space is required
BLOB Tablespace Block Size: Block size of the new buffer cache. For more information, see Creating a New Buffer Cache in Oracle on page 14.
2. Click Next.
To configure the Back Office Database on Oracle, see Configure the Back Office
Database on Oracle on page 33.
Option Description
Create a new database If you select this option, the Core Database is
created. This option is selected by default.
2. Select Run the sql scripts if you want the installation module to run the SQL
scripts during installation.
If you do not select this option, the SQL scripts will be configured with the
database parameters but will not be run. You must manually run the SQL scripts.
For more information, see Complete a Dry-Run Installation on page 55.
3. In the Core Database Properties section, enter the values, as described in the
following table.
Host Host name or IP address of the host server used by the Core Database
Note: Make an entry in this field only if you are not using the default
instance.
Note: The dbo (default) schema must be used. You cannot edit the default
entry.
4. Enter the credentials for the Core Database, as described in the following table.
Note: Ensure that the password you enter complies with your company and
database password policies.
5. Enter the application user credentials for the Core applications as described in the
following table. The application user credentials are used by the web applications
to connect to the Core Database.
6. Click Next.
On the second Core Database screen, enter the creation parameters for the Core
Database on MS SQL Server.
Note: Ensure that this directory exists. The installation module does not
create this directory.
Size Size (in MB) of the data file for the Core Database
Growth The maximum amount (in MB) the data file is allowed to increase in size
when additional space is required
2. In the Log File section, complete the fields as described in the following table.
Note: Ensure that this directory exists. The installation module does not
create this directory.
Size Size (in MB) of the log file for the Core Database
Growth The maximum amount (in MB) the log file for the Core Database is
allowed to increase in size when additional space is required
3. Click Next.
To configure the Back Office Database on MS SQL Server, see Configure the Back
Office Database on MS SQL Server on page 35.
Important: If you are using a Tomcat application server, and are concerned about your
database passwords being stored in clear text in the Tomcat server.xml file, see Secure
the Data Source Password for Tomcat on page 126.
Option Description
Option Description
2. Select Run the SQL scripts if you want the installation module to run the SQL
scripts during installation.
If you do not select this option, the SQL scripts are configured with the database
parameters but are not run. You must manually run the SQL scripts. For more
information, see Complete a Dry-Run Installation on page 55.
3. In the Back Office Database Properties section, enter the values as described in
the following table.
Name (SID) Database system ID (SID) of the host where the Back
Office Database resides
4. In the Back Office Database Credentials section, enter the values as described in
the following table.
Back Office Applications Username User name for the Back Office applications
Back Office Applications Password Password for the Back Office applications
Note: Ensure that the password you enter complies with your company and
database password policies.
5. Click Next.
On the second Back Office Database screen, enter the creation parameters for the
Back Office Database on Oracle.
Data Tablespace File Size: Size (in MB) of the data tablespace file
Data Tablespace File Growth: The maximum amount (in MB) the data tablespace file is allowed to increase in size when additional space is required
Index Tablespace File Size: Size (in MB) of the index tablespace file
Index Tablespace File Growth: The maximum amount (in MB) the index tablespace file is allowed to increase in size when additional space is required
2. Click Next.
To configure the Case Management Database on Oracle, see Configure the Case
Management Database on Oracle on page 38.
Option Description
2. Select Run the SQL scripts if you want the installation module to run the SQL
scripts during installation.
If you do not select this option, the SQL scripts will be configured with the
database parameters but will not be run. You must manually run the SQL scripts.
For more information, see Complete a Dry-Run Installation on page 55.
3. In the Back Office Database Properties section, complete the fields as described
in the following table.
Host Host name or IP address of the host server used by the Back Office
Database
Note: The dbo (default) schema must be used. You cannot edit the default
entry.
4. Enter the credentials for the Back Office Database as described in the following
table.
Administrator Username User name for the Back Office Database administrator
Note: Ensure that the password you enter complies with your company and
database password policies.
5. Enter the application user credentials for the Back Office applications, as
described in the following table. The application user credentials are used by the
web applications to connect to the Back Office Database.
Back Office Applications Username User name for the Back Office applications
Back Office Applications Password Password for the Back Office applications
6. Click Next.
On the second Back Office Database screen, enter the creation parameters for the
Back Office Database on MS SQL Server.
To specify creation parameters for the Back Office Database on MS SQL Server:
1. In the Data File section, complete the fields as described in the following table.
Note: Ensure that this directory exists. The installation module does not
create this directory.
Name Name of the data file for the Back Office Database
Size Size (in MB) of the data file for the Back Office Database
Growth The maximum amount (in MB) the data file is allowed to increase in size
when additional space is required
2. In the Log File section, complete the fields as described in the following table.
Note: Ensure that this directory exists. The installation module does not
create this directory.
Name Name of the log file for the Back Office Database
Size Size (in MB) of the log file for the Back Office Database
Growth The maximum amount (in MB) the log file for the Back Office Database
is allowed to increase in size when additional space is required
3. Click Next.
To configure the Case Management Database on MS SQL Server, see Configure the
Case Management Database on MS SQL Server on page 40.
Option Description
2. Select Run the SQL scripts if you want the installation module to run the SQL
scripts during installation.
If you do not select this option, the SQL scripts are configured with the database
parameters but are not run. You must manually run the SQL scripts. For more
information, see Complete a Dry-Run Installation on page 55.
3. In the Case Management Database Properties section, enter the values as
described in the following table.
Name (SID) Database system ID (SID) of the host where the Case
Management Database is running
Note: Ensure that the password you enter complies with your company and
database password policies.
5. Click Next.
On the second Case Management Database screen, enter the creation parameters for
the Case Management Database on Oracle.
Data Tablespace File Growth: The maximum amount (in MB) the data tablespace file is allowed to increase in size when additional space is required
Index Tablespace File Growth: The maximum amount (in MB) the index tablespace file is allowed to increase in size when additional space is required
2. Click Next.
To configure the Core applications, see Configure the Core Applications on page 42.
Option Description
2. Select Run the SQL scripts if you want the installation module to run the SQL
scripts during installation.
If you do not select this option, the SQL scripts are configured with the database
parameters but are not run. You must manually run the SQL scripts. For more
information, see Complete a Dry-Run Installation on page 55.
3. In the Case Management Database Properties section, complete the fields as
described in the following table.
Host Host name or IP address of the host server used by the Case Management
Database
Note: The dbo (default) schema must be used. You cannot edit the
default entry.
4. Enter the credentials for the Case Management Database in the fields, as described
in the following table.
Note: Ensure that the password you enter complies with your company and
database password policies.
5. Enter the application user credentials for the Case Management application, as
described in the following table. The application user credentials are used by the
web applications to connect to the Case Management Database.
Case Management Application Username User name for the Case Management
application
6. Click Next.
On the second Case Management Database screen, enter the creation parameters for
the Case Management Database on MS SQL Server.
Note: Ensure that this directory exists. The installation module does not
create this directory.
Name Name of the data file for the Case Management Database
Size Size (in MB) of the data file for the Case Management Database
Growth The maximum amount (in MB) the data file is allowed to increase in size
when additional space is required
2. In the Log File section, complete the fields as described in the following table.
Note: Ensure that this directory exists. The installation module does not
create this directory.
Name Name of the log file for the Case Management Database
Size Size (in MB) of the log file for the Case Management Database
Growth The maximum amount (in MB) the log file for the Case Management
Database is allowed to increase in size when additional space is required
3. Click Next.
To configure the Core applications, see Configure the Core Applications on page 42.
2. In the Web Services Credentials section, enter the credentials you want to use to
access the core applications.
Host Host name or IP address of the host for the application server of the core
applications
Port Listening port for the application server of the core applications (usually
8080)
4. Click Next.
To specify the configuration parameters for the Core applications, see Specify
Configuration Parameters for the Core Applications on page 45.
Host Host name or IP address of the host for the application server of the core
applications
Port Listening port for the application server of the core applications (usually
9080)
3. Click Next.
To specify the configuration parameters for the core applications, see Specify
Configuration Parameters for the Core Applications on page 45.
Field Description
Host Host name or IP address of the host for the application server of the core
applications
Port Listening port for the application server of the core applications (usually
7001)
4. Click Next.
To specify the configuration parameters for the Core applications, see Specify
Configuration Parameters for the Core Applications on page 45.
Field Description
Host Host name or IP address of the host for the application server of the core
applications
Port Listening port for the application server of the core applications (usually
8080)
4. Click Next.
To specify the configuration parameters for the Core applications, see Specify
Configuration Parameters for the Core Applications on page 45.
Host Host name or IP address of the host for the application server of the Back
Office applications
Port Listening port for the application server of the Back Office applications
(usually 8080)
Note: Only select this option if you chose to install the Back Office Database on
the Installation Components screen or if the Back Office Database is already
installed.
3. In the JDBC URLs section, select the checkbox Modify the default JDBC
URLs to suit the environment if you want to modify the default JDBC URLs
that appear in the fields. The three fields include the URLs for the Core Database,
the Back Office Database, and the Case Management Database.
4. In the Application Server Properties section, complete the fields as described in
the following table.
Field                    Description
Host                     Host name or IP address of the host for the application server of the Back Office applications
Port                     Listening port for the application server of the Back Office applications (usually 7001)
Administrator Username   Administrator user name for the application server of the Back Office applications
Bea Home Directory       The BEA home directory that functions as a repository for common files used by multiple BEA products installed on the same machine. For example, on Windows, the BEA Home directory is c:\bea.
Home Directory           The directory where the WebLogic Server program files reside. For example, on Windows, the Server Home directory is c:\bea\wlserver_version. This directory contains the following folders: common, samples, server, uninstall.
7. Click Next.
Note: If you chose to deploy the Back Office applications, the installer program
validates the connection details.
Field   Description
Host    Host name or IP address of the host for the application server of the Back Office applications
Port    Listening port for the application server of the Back Office applications (usually 8080)
4. Click Next.
The Upgrade Parameters Summary page is displayed.
Note: There are some components that are not installed by the installation
module. For more information, see Chapter 7, Configure Adaptive Authentication
Applications.
Note: If the core applications and Back Office applications are on different
application servers, add the Back Office and Case Management JDBC data
sources to the server.xml file on the Back Office Database server and the core
JDBC data source to the server.xml file on the Core Database server.
<Resource auth="Container"
    driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
    maxActive="100" maxIdle="30" maxWait="10000"
    name="jdbc/PassmarkToolDB" password="valid_secure_password"
    type="javax.sql.DataSource"
    url="jdbc:sqlserver://localhost:1433;databaseName=RSA_BO_AA"
    username="username"/>
<Resource auth="Container"
    driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
    maxActive="100" maxIdle="30" maxWait="10000"
    name="jdbc/CMDB" password="valid_secure_password"
    type="javax.sql.DataSource"
    url="jdbc:sqlserver://localhost:1433;databaseName=RSA_CM_AA"
    username="username"/>
<Resource auth="Container"
    driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
    maxActive="100" maxIdle="30" maxWait="10000"
    name="jdbc/PassMarkDB" password="valid_secure_password"
    type="javax.sql.DataSource"
    url="jdbc:sqlserver://localhost:1433;databaseName=RSA_CORE_AA"
    username="username"/>
Change the parameters based on your installation environment.
Note: The user name and password should be the application user name and
password you provided during installation.
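As an added check (not from the RSA guide), the following Python reads a Tomcat server.xml and reports which of the three Adaptive Authentication data sources are declared on a core or Back Office host, whether each url still points at the database named in the entries above, and whether the username and password attributes still carry the template values. The function names, the role labels and the sample XML are this example's own.

```python
"""Added check, not part of the RSA guide: verify the Adaptive Authentication
JDBC data sources declared in a Tomcat server.xml for a given host role."""
import xml.etree.ElementTree as ET

# JNDI resource names and databaseName values from the server.xml entries above.
EXPECTED_DB = {
    "jdbc/PassMarkDB": "RSA_CORE_AA",    # Core Database
    "jdbc/PassmarkToolDB": "RSA_BO_AA",  # Back Office Database
    "jdbc/CMDB": "RSA_CM_AA",            # Case Management Database
}

# Which data sources belong on which server when the core and Back Office
# applications run on different application servers (see the note above).
ROLE_RESOURCES = {
    "core": {"jdbc/PassMarkDB"},
    "backoffice": {"jdbc/PassmarkToolDB", "jdbc/CMDB"},
}

# Placeholder values copied from the template entries; they must be replaced.
TEMPLATE_VALUES = {"username": "username", "password": "valid_secure_password"}


def jdbc_database_name(url):
    """Return the databaseName property of a jdbc:sqlserver URL, or None."""
    for prop in url.split(";")[1:]:
        key, _, value = prop.partition("=")
        if key.strip().lower() == "databasename":
            return value.strip()
    return None


def check_server_xml(xml_text, role):
    """Return a list of findings for server.xml on a host with the given role."""
    if role not in ROLE_RESOURCES:
        raise ValueError("role must be one of %s" % sorted(ROLE_RESOURCES))
    findings = []
    seen = set()
    for res in ET.fromstring(xml_text).iter("Resource"):
        name = res.get("name")
        if name not in EXPECTED_DB:
            continue  # some other JNDI resource, not an AA data source
        seen.add(name)
        if name not in ROLE_RESOURCES[role]:
            findings.append("%s: not expected on the %s server" % (name, role))
        actual_db = jdbc_database_name(res.get("url", ""))
        if actual_db != EXPECTED_DB[name]:
            findings.append("%s: url points at %r, expected %r"
                            % (name, actual_db, EXPECTED_DB[name]))
        for attr, placeholder in TEMPLATE_VALUES.items():
            if res.get(attr) in (None, "", placeholder):
                findings.append("%s: %s is missing or still the template value"
                                % (name, attr))
    for name in sorted(ROLE_RESOURCES[role] - seen):
        findings.append("%s: missing from server.xml" % name)
    return findings


# Constructed sample: one correct Back Office entry and one Case Management
# entry that still has the template credentials and points at the wrong database.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource auth="Container"
        driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
        maxActive="100" maxIdle="30" maxWait="10000"
        name="jdbc/PassmarkToolDB" password="example-bo-secret"
        type="javax.sql.DataSource"
        url="jdbc:sqlserver://db.example.internal:1433;databaseName=RSA_BO_AA"
        username="aa_bo_app"/>
    <Resource auth="Container"
        driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
        maxActive="100" maxIdle="30" maxWait="10000"
        name="jdbc/CMDB" password="valid_secure_password"
        type="javax.sql.DataSource"
        url="jdbc:sqlserver://db.example.internal:1433;databaseName=RSA_CORE_AA"
        username="username"/>
  </GlobalNamingResources>
</Server>
"""

if __name__ == "__main__":
    for finding in check_server_xml(SAMPLE_SERVER_XML, "backoffice"):
        print(finding)
```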
2. From the META-INF/ directory for each .war file you are going to deploy:
a. Extract the context.xml file to a temporary location and open it in a text
editor.
b. Delete the antiResourceLocking=true flag.
c. Delete the Reloadable=true flag.
d. Save the file.
e. Add the file back to the .war
3. Deploy the .war files.
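The context.xml edit in step 2 can be scripted; this added Python (not from the RSA guide) rewrites a .war so that META-INF/context.xml loses the antiResourceLocking and reloadable attributes while every other archive entry is copied unchanged. The function names and the in-memory sample archive are this example's own.

```python
"""Added helper, not part of the RSA guide: strip the antiResourceLocking and
reloadable attributes from META-INF/context.xml inside a .war before deploying."""
import io
import re
import zipfile

# Tomcat spells the attribute "reloadable"; the guide writes "Reloadable",
# so the match is case-insensitive and accepts either quote style.
ATTR_PATTERN = re.compile(
    r"""\s+(?:antiResourceLocking|reloadable)\s*=\s*(?:"[^"]*"|'[^']*')""",
    re.IGNORECASE,
)

CONTEXT_ENTRY = "META-INF/context.xml"


def strip_context_attrs(context_xml):
    """Return (new text, number of attributes removed)."""
    return ATTR_PATTERN.subn("", context_xml)


def fix_war(war_in, war_out):
    """Copy every entry of war_in to war_out, rewriting META-INF/context.xml.

    war_in / war_out may be paths or binary file objects. Returns the number
    of attributes removed (0 if the archive has no context.xml to fix).
    """
    removed = 0
    with zipfile.ZipFile(war_in) as src, \
            zipfile.ZipFile(war_out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == CONTEXT_ENTRY:
                text, removed = strip_context_attrs(data.decode("utf-8"))
                data = text.encode("utf-8")
            # Re-use the original ZipInfo so timestamps and permissions survive.
            dst.writestr(info, data)
    return removed


# Constructed sample context.xml carrying both flags the guide says to delete.
SAMPLE_CONTEXT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<Context antiResourceLocking="true" Reloadable="true"'
    ' path="/AdaptiveAuthentication">\n'
    "</Context>\n"
)


def build_sample_war():
    """Build a minimal in-memory .war containing the sample context.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(CONTEXT_ENTRY, SAMPLE_CONTEXT_XML)
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    buf.seek(0)
    return buf


def demo():
    """Fix the sample war in memory; return (attributes removed, fixed context.xml)."""
    fixed_war = io.BytesIO()
    removed = fix_war(build_sample_war(), fixed_war)
    fixed_war.seek(0)
    with zipfile.ZipFile(fixed_war) as war:
        return removed, war.read(CONTEXT_ENTRY).decode("utf-8")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: fix_context.py input.war output.war
        print("removed %d attribute(s)" % fix_war(sys.argv[1], sys.argv[2]))
    else:
        print(demo()[1])
```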
Note: When you install the Scheduler on the WebLogic application server,
you are asked to choose a work manager. Ensure that you select the work
manager, wm/WorkManager.
6. After you install the web applications on the WebSphere application server, ensure
that the class loader order is set to Classes loaded with local class loader first
(parent last). For more information, see Setting the Class Loader Order on
page 53.
Note: You must perform this step for the Adaptive Authentication, Adaptive
Authentication Admin, and all Back Office applications.
Enable Cookies
Note: For more information on why the obsolete Quartz version could cause
problems, see https://jira.jboss.org/browse/JBAS-6133.
Script   Credential
You must run the SQL scripts for the Back Office database using the credentials listed
in the following table.
Script   Credential
You must run the SQL scripts for the Case Management database using the credentials
listed in the following table.
Script   Credential
Note: When you install the Scheduler on the WebLogic application server, you are
prompted to choose a work manager. Ensure that you select the work manager,
wm/WorkManager.
Note: When you install the Scheduler on the JBoss application server, you must
define a new thread pool with default settings dedicated to offline tasks
(OfflineTaskThreadPool). For more information, see Configure a Separate Work
Manager for RSA Risk Engine Offline Tasks on page 125.
If you manually deploy the web applications on the JBoss application server, you must
ensure that the web application directory ends with the suffix .war, for example,
server/default/deploy/AdaptiveAuthentication.war.
When you deploy the Adaptive Authentication application on the JBoss application
server, you must specify an absolute path for the CSS File and Logo File fields in the
Administration Console.
You can configure these fields by logging on to the Administration Console and
editing the following fields.
Authentication Methods > Out-Of-Band E-mail > CSS File
Authentication Methods > Out of Band E-mail > Logo File
The CSS file is available in the
JBOSS_HOME/server/default/deploy/AdaptiveAuthentication.war/css folder.
The logo file is available in the
JBOSS_HOME/server/default/deploy/AdaptiveAuthentication.war/images folder.
Note: The first time you run the Health Check Servlet immediately after the
installation, the Risk Engine Health Check task scheduled to run at midnight every
day never runs. In this case, there is a warning that there is no information on these
tasks.
Back Office Application   URL   Check Functionality
For the Back Office applications, a load balancer is defined to distribute the workload
evenly across two or more servers to avoid overload. You can use sticky sessions,
configured by the load balancer, to improve efficiency of persistent sessions.
Sticky sessions are sessions that reside on the single server that received the
initial web request; you log on only for that first request, and all subsequent
requests are routed to the same server.
Note: After installing on WebSphere, if you get a 'ResultSet closed' exception in the
aa_server.log file, you must set the resultSetHoldability custom property to 1 instead
of 2.
Note: On Unix, log on as the instance user and use the drop command to delete the
databases.
4 Prepare to Upgrade
Upgrade Prerequisites
This chapter lists the prerequisites to consider and the tasks you must perform before
upgrading to RSA Adaptive Authentication (On-Premise) 7.1.
Upgrade Prerequisites
Note: For more information about hardware and operating system requirements, see
the RSA Adaptive Authentication (On-Premise) 7.1 Release Notes.
Ensure that you meet the following requirements before upgrading to RSA Adaptive
Authentication (On-Premise) 7.1.
Back up the databases.
Note: This is important if you want to roll back to the existing version of Adaptive
Authentication (On-Premise).
Note: On UNIX, if you fail to either create the v7.1_upgrade folder or copy
the required files to this folder, in some cases, the upgrade process gets stuck
and enters an endless loop. To solve this issue, you must stop the upgrade
process by force, meet all of the missing prerequisites, and run the upgrade
module again.
4: Prepare to Upgrade 65
RSA Adaptive Authentication (On-Premise) 7.1 Installation and Upgrade Guide
Note: The config.properties file is a mandatory file. The upgrade will not
proceed without this file. Depending on your specific setup, some of the other
files may not be available.
Check that the Scheduler Offline task process completed successfully for each of
the last seven days. If the Offline task process did not complete successfully, run
the Offline task process again to recover the data that was not migrated.
During the upgrade summary phase, verify that no warnings were issued during
the Core database upgrade. For more information, see Troubleshooting After the
Upgrade on page 95.
If you run the upgrade module on Solaris with JRE 1.6 or if you have used
encryption in RSA Adaptive Authentication (On-Premise) 6.0.2.1 SP2, after
upgrading to RSA Adaptive Authentication (On-Premise) 7.1, you might face
backward compatibility issues. To successfully decrypt the data in RSA Adaptive
Authentication (On-Premise) 7.1, you must make the following changes in the
JDK:
a. Locate the java.security file in the path_to_JRE/lib/security directory and
open it for editing.
b. Locate the following line:
securerandom.source=file:/dev/urandom
and change it, as follows:
securerandom.source=file:/dev/random
Note: You must connect to Oracle as the system user to grant this privilege to the
Core schema owner.
Grant the Case Management schema owner the privilege to create views before
you run the upgrade module. To grant the privilege, type:
grant create view to case_management_schema_owner
where case_management_schema_owner is the schema owner for the Case
Management database. This is different from the application user.
Note: You must connect to Oracle as the system user to grant this privilege to the
Case Management schema owner.
You must grant permissions to access the following package to update the risk
engine data:
grant execute on dbms_alert to <core.db.schema>;
The permissions must be granted by the SYS user.
Set the Oracle JOB_QUEUE_PROCESSES parameter to 10 before migrating the
Risk Engine.
IBM JDK   1. Go to https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk.
          2. Select Unrestricted JCE Policy files for SDK for all newer versions (Version 1.4.2 +), click Continue, and then click Download now to download the zip file.
BEA JDK   1. Go to https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jce_policy-1.5.0-oth-JPR@CDS-CDS_Developer.
          2. Download jce_policy-1_5_0.zip.
3. Extract the local_policy.jar and US_export_policy.jar files in the zip file to the
$JAVA_HOME/jre/lib/security directory.
These files already exist in this directory. You must overwrite them.
4. Restart the application server, and reinvoke the secured service.
Check that the InvalidKeyException does not occur.
<user-name>cm_db_user_name</user-name>
<password>cm_db_password</password>
</local-tx-datasource>
</datasources>
Disable the CachedConnectionManager for the web server.
Disable JSP pooling.
Note: This change is mandatory for the JBoss server that hosts the Back Office
applications.
Note: Before you upgrade, notify RSA Technical Support that you plan to upgrade.
This enables RSA to prepare the necessary RSAC infrastructure.
Important: The Adaptive Authentication (On-Premise) 7.1 upgrade module does not
support automatic deployment of web applications. You must deploy web applications
manually.
Note: The upgrade module creates a log file of the upgrade run environment and all
the upgrade actions. While the upgrade module is running, a log file named
i4j_log_aaop_<i4j generated number>.log is created in a folder under the user temp
directory. A file named install.log is copied to the directory where the executable is
available after the upgrade module finishes running.
If the upgrade module displays an error message, copy the log file from the temp
directory to the directory of the executable, so that it is available for investigating the
problem.
Installation Varfile
At the end of the upgrade process, the upgrade module saves all of the inputs required
during the process in the upgrade variable file. The name of the variable file is the
same as that of the upgrade executable file, but with the extension .varfile. This
.varfile is created in the same folder as the upgrade module. It is also copied as backup
to the main folder used by Adaptive Authentication.
Important: Save the .varfile for later use. The .varfile can be useful if you want to
rerun the upgrade module or if you want to apply hot fixes or upgrades.
When the upgrade module is executed with the .varfile in the same folder, it populates
the fields in the wizard with values from the .varfile.
Note: Passwords are saved encrypted to the .varfile. If this poses a security risk, you
must manually remove the encrypted password values from the .varfile in both
locations.
3. Unzip the .zip file. The .zip file contains the release folder which includes the
following files to upgrade to RSA Adaptive Authentication (On-Premise) 7.1.
Documentation. Contains the Adaptive Authentication (On-Premise) product
documentation.
AA-OnPrem.7.1.0.0.0.Unix.Upgrade.sh - to upgrade on a Unix platform
AA-OnPrem.7.1.0.0.0.64_bit.Upgrade.exe - to upgrade on a Windows
64-bit platform
After you extract the upgrade module from the CD, you are ready to run the upgrade
setup process. For information on running the setup process on Windows, see Run the
Upgrade Setup Process for Windows on page 75. For information on running the setup
process on Unix, see Run the Upgrade Setup Process for Unix on page 76.
Note: If you are upgrading from RSA Adaptive Authentication (On-Premise) 6.0.2.1
SP2, the upgrade process replaces the following validation files:
validate.emailInfo.properties
validate.phoneInfo.properties
If you have customized these files, you must manually re-apply the changes on the
replaced files. The original files are backed up to the
<RSA_Home>/configs_orig_71_upgrade_bak directory.
Run the upgrade setup process for Windows by doing one of the following procedures.
To run the upgrade setup process for the upgrade module on Windows:
1. Navigate to the Upgrade directory where the upgrade module is located.
2. Double-click the AA-OnPrem.7.1.0.0.0.64_bit.Upgrade.exe file.
The upgrade setup begins. A progress bar indicates the progress of the setup.
Note: When you run the upgrade module at the command prompt, if you do not
want the password to be displayed in the console during the upgrade, you must
install Java 6.0.
Note: If you are upgrading from RSA Adaptive Authentication (On-Premise) 6.0.2.1
SP2, the upgrade process replaces the following validation files:
validate.emailInfo.properties
validate.phoneInfo.properties
If you have customized these files, you must manually re-apply the changes on the
replaced files. The original files are backed up to the
<RSA_Home>/configs_orig_71_upgrade_bak directory.
To run the upgrade setup process for the upgrade module on Unix:
1. Navigate to the Upgrade directory where the upgrade module is located.
2. Ensure that the upgrade script has execute permission. To set the permission, type:
chmod u+x AA-OnPrem.7.1.0.0.0.Unix.Upgrade.sh
3. Type:
./AA-OnPrem.7.1.0.0.0.Unix.Upgrade.sh arguments
where arguments can be one of the following:
-c: Runs the upgrade module in command prompt mode.
-q: Runs the upgrade module in unattended mode. This argument must be
used with -varfile.
-varfile installer-responses-file: Reads the responses from a file.
The upgrade setup begins.
Note: If you use FTP, sFTP, or SCP to send the upgrade module files across a
network, use binary transfer mode for the files.
To run the upgrade setup process on UNIX with the Oracle database:
1. Log on using the Oracle user credentials.
2. Run the upgrade module, but select only the databases for upgrade.
3. When the upgrade module completes, check whether the database scripts run
correctly.
4. Log on to the system as the root user, and run the upgrade module again to
complete the upgrade for the other components.
Note: You can choose to run the entire upgrade setup as the root user. For
instructions, see Chapter 4, Prepare to Upgrade.
On a UNIX platform, when running the upgrade module using the -c option, the
following error message may appear:
testing JVM in /usr ...
Starting Upgrade Module...
Could not display the GUI. This application needs access to
an X Server.
*****************
If you have access there is probably an X library missing.You
can also run this application in console mode without access
to an X server by passing the argument -c
*****************
An error occurred:
java.awt.AWTError: Assistive Technology not found:
org.GNOME.Accessibility.JavaBridge
Error log: /var/tmp/install4jError20776.log
*****************
Note: If you select I don't accept the agreement, you cannot continue with the
upgrade.
4. Click Next.
The Environment Preparation Reminder screen provides a reminder of the
prerequisites to be met before proceeding with the upgrade.
5. Ensure that you have met the requirements specified in Upgrade Prerequisites on
page 65, and click Next.
6. On the Customer Information screen, in the Customer Name field, provide a
customer name for billing purposes, and click Next.
7. On the Upgrade Types screen, select the upgrade type that best suits your
requirements.
Back Office Applications Installs only the Back Office applications. The databases
and core applications must already be installed.
Important: When running the upgrade process in command line mode, choose
Custom Installation for the upgrade type. Select the specific components
(applications) required for the upgrade.
Note: When running the upgrade using the command line, JBOSS and
WebLogic appear as options for the application server, but cannot be selected
as they are not supported in this release.
f. In the Main Directory field, specify the main directory where the
configuration, reports, and log files will be stored.
4. Click Next.
5. On the Configuration Migration screen, you can export the current configuration
and also choose to upload the exported configuration files to the Core Database.
Note: This screen appears only if you are upgrading from RSA Adaptive
Authentication (On-Premise) 6.0.2.1 SP2 and have selected Configuration
Migration on the Upgrade Components screen.
accessmanagement\WEB-INF\config\aa-backoffice-config.xml
scheduler\WEB-INF\classes\database.properties
casemanagement\WEB-INF\config\casemanagement-config.xml
The upgrade module tries to locate the casemanagement-config.xml file in the
main_directory/bo_configs/casemanagement folder. If the
casemanagement-config.xml file does not exist in this location, the upgrade
module prompts you to copy it from the Case Management application.
Note: If the Configuration Migration tool fails, look for the following error in the
logs: Cannot find class
[com.rsa.infra.devicetype.detector.impl.wurfl.DeviceTypeResolutionStrategyImpl]
for bean with name 'deviceTypeResolutionStrategy' defined in ConfigResource.
If you find this error, in the /AdaptiveAuthentication/WEB-INF/classes/configs/
directory, delete the c-config-deviceTypeDetector.xml file. Run the Configuration
Migration tool again. After the Configuration Migration tool has run, configure the
Mobile Detector Active Data File parameter in the Administration Console.
Important: If you are using the Tomcat application server, and are concerned about
your database passwords being stored in clear text in the Tomcat server.xml file, see
Secure the Data Source Password for Tomcat on page 126.
If you choose to install the databases, the relevant logs are created as *.log files in the
directory where the executable is available. You must attach the log files when you
contact RSA Customer Support about an upgrade problem.
This section contains the following topics:
Configure the Core Database on Oracle
Configure the Core Database on MS SQL Server
Field        Description
Name (SID)   Database system ID (SID) of the host where the Core Database resides
3. In the Core Database Credentials section, enter the values as described in the
following table.
Field Description
4. Click Next.
To upgrade the Back Office database, go to Configure the Back Office Database on
Oracle on page 85.
Field      Description
Host       Host name or IP address of the host server used by the Core Database
           Note: Do not enter a value for the port if you are connecting to a database instance.
Instance   The Core Database instance. Enter the complete database instance name you used when you created the database. This is an optional field. You must enter a value in this field only if you are not using the default instance.
Field Description
Note: The dbo (default) schema must be used. You cannot edit the default
entry.
3. Enter the credentials for the Core Database as described in the following table.
Field Description
4. Enter the application user credentials for the Core applications, as described in the
following table. The application user credentials are used by the web applications
to connect to the Core Database.
Field Description
5. Click Next.
To upgrade the Back Office database, go to Configure the Back Office Database on
MS SQL Server on page 86.
Important: If you are using the Tomcat application server, and are concerned about
your database passwords being stored in clear text in the Tomcat server.xml file, see
Secure the Data Source Password for Tomcat on page 126.
Field        Description
Name (SID)   Database system ID (SID) of the host where the Back Office Database resides
3. In the Back Office Database Credentials section, enter the values as described in
the following table.
Field                               Description
Back Office Applications Username   User name for the Back Office applications
Back Office Applications Password   Password for the Back Office applications
4. Click Next.
To upgrade the Case Management database, go to Configure the Case Management
Database on Oracle on page 87.
Field   Description
Host    Host name or IP address of the host server used by the Back Office Database
        Note: Do not enter a value for the port if you are connecting to a database instance.
Note: The dbo (default) schema must be used. You cannot edit the default
entry.
3. Enter the credentials for the Back Office Database, as described in the following
table.
Field                    Description
Administrator Username   User name for the Back Office Database administrator
4. Enter the application user credentials for the Back Office applications, as
described in the following table. The application user credentials are used by the
web applications to connect to the Back Office Database.
Field                               Description
Back Office Applications Username   User name for the Back Office applications
Back Office Applications Password   Password for the Back Office applications
5. Click Next.
To upgrade the Case Management database, go to Configure the Case Management
Database on MS SQL Server on page 88.
Field        Description
Name (SID)   Database system ID (SID) of the host where the Case Management Database resides
Field                                   Description
Case Management Applications Username   User name for the core applications
4. Click Next.
To configure the core applications, go to Configure the Core Applications on page 89.
Field   Description
Host    Host name or IP address of the host server used by the Case Management Database
        Note: Do not enter a value for the port if you are connecting to a database instance.
Field Description
Note: The dbo (default) schema must be used. You cannot edit the default
entry.
3. Enter the credentials for the Case Management Database in the fields, as described
in the following table.
Field Description
4. Enter the application user credentials for the Case Management application, as
described in the following table. The application user credentials are used by the
web applications to connect to the Case Management Database.
Field                                  Description
Case Management Application Username   User name for the Case Management application
5. Click Next.
To configure the core applications, go to Configure the Core Applications on page 89.
Field   Description
Host    Host name or IP address of the host for the application server of the core applications
Port    Listening port for the application server of the core applications (usually 8080)
3. Click Next.
Field   Description
Host    Host name or IP address of the host for the application server of the core applications
Port    Listening port for the application server of the core applications (usually 7001)
4. Click Next.
Field   Description
Host    Host name or IP address of the host for the application server of the core applications
Port    Listening port for the application server of the core applications (usually 8080)
4. Click Next.
Field   Description
Host    Host name or IP address of the host for the application server of the Back Office applications
Port    Listening port for the application server of the Back Office applications (usually 8080)
3. Click Next.
The Upgrade Parameters Summary page is displayed.
Field   Description
Host    Host name or IP address of the host for the application server of the Back Office applications
Port    Listening port for the application server of the Back Office applications (usually 7001)
4. Click Next.
The Upgrade Parameters Summary page is displayed.
Field   Description
Host    Host name or IP address of the host for the application server of the Back Office applications
Port    Listening port for the application server of the Back Office applications (usually 8080)
4. Click Next.
The Upgrade Parameters Summary page is displayed.
Note: If there are warning messages in the install.log file, you must
investigate these messages. For more information on resolving the warning
messages, see Troubleshooting After the Upgrade on page 95.
A link to the artifacts/webapps directory that contains .war files you can
deploy at a later time.
A link to the configurationUpgradeUtil.log file if you select Configuration
Migration on the Upgrade Components screen.
2. Click Finish to close the upgrade module.
Procedure
1. Review the warning messages and their sources in the following log files:
install.log file
core_scripts2.log file
2. Check the REOT_IOT_MIGRATION_LOG table for additional information
about the causes of the warnings.
3. Take the following actions depending on the results of your investigation:
If you are not using Risk Engine data and not running the Risk Engine offline
tasks, ignore the warnings.
If you are using Risk Engine data and have not run the Risk Engine offline
tasks in the last seven days, the warnings must be resolved.
Procedure
1. Add partitions to the following tables:
ENTITY_AGGREGATIONS
REOT_EVENT_DYNAMIC_BUCKETS
REOT_EVENT_EXTRA_DATA
2. Run the Scheduler Risk Engine offline tasks. The Risk Engine offline tasks
recover the Risk Engine data not migrated in the last seven days.
For more information about the Scheduler Risk Engine offline tasks, see the
section Risk Engine Offline Tasks in chapter Scheduling RSA Adaptive
Authentication Tasks in the Operations Guide.
Note: The Risk Engine offline tasks take longer to run when recovering the data
not migrated during the last scheduled execution.
3. Activate server output, prior to running the SQL scripts, to display the messages
on the console.
4. Run the following SQL scripts:
66a_migration_offline_30.sql
66b_migration_offline_30.sql
5. Check the output of the scripts.
If no warning messages appear in the log file when running the scripts, the
recovery of the migrated data has completed successfully.
If warning messages appear in the log file, contact RSA for technical support.
To enable partitions:
Run the following SQL script:
insert into GEN_CONFIG_PARAM
  (ID, NAME, SECTION, REGION_CONTEXT, VERSION, CREATED, LASTMODIFIED)
  values ('1d2dce7bf91e4290aaf9cec72bcd2c7d', 'USING_DATABASE_PARTITIONS', 5, 'dummy', 1, sysdate, systimestamp);
insert into GEN_CONFIG_PARAM_VALUE
  (ID, GEN_CONFIG_PARAM_ID, VALUE)
  values ('766832da09cd4d208d3e0c3638a7709e', '1d2dce7bf91e4290aaf9cec72bcd2c7d', 'true');
For more information about the Bank Region Country Code parameter, see the
section about general Risk Engine parameters in the chapter Administration
Console in the Operations Guide.
3. Restart the Adaptive Authentication system.
Set Encryption
To set the encryption after the upgrade:
1. Copy the c-config-security.xml file from backup to the encryption utility.
2. Run the encryption utility in the rotate mode using the c-config-security.xml file
restored from backup.
The encryption utility decrypts the seeds and re-encrypts them using the new
encryption algorithm that has been changed in the new software version.
3. Copy the new c-config-security.xml file generated by the encryption utility to the
following locations:
AdaptiveAuthentication/WEB-INF/classes
AdaptiveAuthenticationAdmin/WEB-INF/classes
casemanagement/WEB-INF/classes
scheduler/WEB-INF/classes
backoffice/WEB-INF/classes
aggDeviceToken/WEB-INF/classes
identifier_query_format
identifier_value
forwarding_number
request_type
Note: While running the SQL scripts, verify that no warnings were issued during the
Core database upgrade. For more information, see Troubleshooting After the Upgrade
on page 95.
Manually run the SQL scripts in numerical order according to their filenames. For
more information about the scripts to run, refer to:
SQL Scripts for Oracle
SQL Scripts for MS SQL Server
Note: Activate server output when running the SQL scripts to display application
messages on the console.
Important: You must run a script only if you are upgrading directly from the version
of RSA Adaptive Authentication (On-Premise) specified in the Previous Version
column. Do not run a script if you are upgrading directly from a version other than the
version specified in the Previous Version column.
SQL Script   Credential   Database   Previous Version
SQL Script   Credential   Database   Previous Version
Important: You must run a script only if you are upgrading directly from the version
of RSA Adaptive Authentication (On-Premise) specified in the Previous Version
column. Do not run a script if you are upgrading directly from a version other than the
version specified in the Previous Version column.
SQL Script   Credential   Database   Previous Version
SQL Script   Credential   Database   Previous Version
Important: Do not install the Scheduler, the Back Office, and the Adaptive
Authentication applications on the same application server or web server.
Procedure
1. If your application server is running a UNIX-based operating system, set the size
of the physical memory in your application server to unlimited.
2. Update the startup scripts by adding the following command according to the
operating system running on your application server.
On AIX, add the command:
ulimit -m unlimited
On Solaris and Linux, add the command:
ulimit -v unlimited
When you deploy the Adaptive Authentication application on JBoss, you must
specify an absolute path for the CSS File and Logo File parameters in the
Administration Console.
Update the absolute path for the parameters in the Out-Of-Band E-mail section of
the Authentication Methods component in the Administration Console as follows:
The absolute path for the E-mail - CSS File parameter:
JBOSS_HOME/server/default/deploy/AdaptiveAuthentication.war/css
The absolute path for the E-mail - Logo File parameter:
JBOSS_HOME/server/default/deploy/AdaptiveAuthentication.war/images
Note: The first time you run the Health Check Servlet after the upgrade, the Risk
Engine Health Check task, scheduled to run daily at midnight, has not run yet. A
warning message appears to explain that there is no information on the Risk Engine
tasks.
In the password field, type the password that you configured in RSA Adaptive
Authentication (On-Premise) 6.0.2.1 SP2.
For a list of URLs that you can use to log on to the different Back Office applications
and the actions that you can perform to check if the applications function correctly,
refer to Checking the Installation of Back Office Applications on page 61.
The following table lists the files that you must configure for the Adaptive
Authentication application.
log4j.appender.auditor.File
log4j.appender.alarm.File
log4j.appender.forensic.File
log4j.appender.failedChallenge.File
log4j.appender.failedChallenge.Encoding
log4j.appender.HIBERNATE.File
log4j.appender.auditor.File
log4j.appender.alarm.File
Billing: log4j.appender.billlogger.File=logs/CSG@RSA_ServerName@DataCenterName_billing.log
log4j.appender.LOGFILE.File
log4j.appender.auditor.File
cm.logger.org
log4j.appender.CMEVENTSMARKINGLOGGER.File
2. Update the names of the log files to correspond with the names of the latest log
files generated by the Case Management application.
For example, modify the eventsmarking.log filename property according to the
following file naming format:
<OrgName>@<InstitutionName>_<ServerName>@<DataCenterName>_eventsmarking.log
An example of the file name revised according to the naming format:
log4j.appender.CMEVENTSMARKINGLOGGER.File=SmallLakeCU@RSACustomer_RSA1@MenloParkDC_eventsmarking.log
3. Save the modified log files.
log4j.appender.LOGIN_AUDITOR.File
log4j.appender.PM_AUDITOR.File
log4j.appender.AC_AUDITOR.File
log4j.appender.CSR_AUDITOR.File
caseSensitiveFilenames: Determines if document names are case-sensitive.
Procedure
1. Add the IP address of the computer from which you are generating the aggregator
token to the list of authorized IP addresses in the c-config-aggregation.xml file.
Note: To allow for the initial entry of the IP address, remove this IP address from
the list prior to working in Production.
2. Remove any device tokens or cookies from the browser in use on your system.
The GetDeviceTokenServlet servlet attempts to verify if the device tokens or
cookies are aggregator tokens.
Procedure
1. Locate the WEB-INF/Classes/configs directory of the installation.
2. Open the file c-config-aggregation.xml in a text editor.
3. In the file c-config-aggregation.xml, specify the IP address used by the supported
aggregator as follows:
a. Find the entry in c-config-aggregation.xml.
<property name="deviceIps">
<list>
<value>IP address1</value>
<value>IP address2</value>
</list>
</property>
b. Create entries for each IP address under the property deviceIps. Use the
following format to specify a single IP address or a range of addresses.
<property name="deviceIps">
<list>
<value>IP address1</value>
<value>IP address2</value>
</list>
</property>
c. Specify the aggregator tokens assigned to your supported aggregators.
d. Find the entry in c-config-aggregation.xml.
<property name="deviceId">
<value>IP address group name</value>
</property>
where IP address group name is the name of the list of authorized IP
addresses you want to associate with the aggregator token for the device.
e. Create an entry for the device token that is assigned to the IP addresses
specified in this procedure.
4. Repeat the previous steps in this procedure for the c-config-aggregation.xml files
located in the installation directory. The default installation directory is
c:/rsa/configs.
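The deviceIps list in c-config-aggregation.xml is what ties an aggregator token to a set of permitted source addresses, so a misconfigured entry either locks the aggregator out or widens the allowlist. As an added example that is not part of the RSA guide, the Python below parses a constructed fragment in the shape shown in steps 3a and 3b and checks a source IP against it; the start-end range syntax, the sample addresses and the bean id are assumptions, since the guide shows the list structure but not its range notation.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape the guide shows; the addresses are
# documentation ranges (RFC 5737), not real aggregator IPs. The start-end
# range syntax is an assumption, not taken from the guide.
SAMPLE_XML = """
<beans>
  <bean id="aggregationConfig" class="example.Placeholder">
    <property name="deviceIps">
      <list>
        <value>203.0.113.10</value>
        <value>198.51.100.0/28</value>
        <value>192.0.2.20-192.0.2.25</value>
      </list>
    </property>
    <property name="deviceId">
      <value>aggregatorA</value>
    </property>
  </bean>
</beans>
"""


def parse_device_ips(xml_text):
    """Collect the <value> strings listed under <property name="deviceIps">."""
    root = ET.fromstring(xml_text.strip())
    entries = []
    for prop in root.iter("property"):
        if prop.get("name") == "deviceIps":
            entries.extend(v.text.strip() for v in prop.iter("value") if v.text)
    return entries


def to_networks(entries):
    """Normalise each entry (host, CIDR, or start-end range) to ip_network objects.

    Malformed entries raise ValueError so a typo cannot silently widen or
    shrink the allowlist.
    """
    nets = []
    for entry in entries:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if end < start:
                raise ValueError("range end precedes start: %s" % entry)
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            # A bare host address becomes a /32 (or /128) network.
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_authorized(client_ip, entries):
    """True if client_ip falls inside any configured address or range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in to_networks(entries))


def overly_broad(entries, max_hosts=256):
    """Return entries whose expansion covers more than max_hosts addresses.

    A pre-production sanity check to pair with the guide's advice to remove
    the administrator's own IP from the list before going live.
    """
    return [str(net) for net in to_networks(entries) if net.num_addresses > max_hosts]
```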
Procedure
1. In your web browser, enter the following URL:
http://server:port/aggDeviceToken/getDeviceToken?deviceID=aggregator_alias&username=your_username&password=your_password
where:
deviceID is the identification of the device to be associated with the
aggregator token.
aggregator_alias is the list of authorized IP addresses.
your_username and your_password are your user credentials.
Note: If the URL is entered without an aggregator alias, the device token returned
is associated with all the IP addresses in the aggregation configuration file.
2. When you enter the aggregator alias, an error or null message may appear in the
following cases:
If the aggregator alias you entered is not defined in the configuration file,
check the spelling of the aggregator alias.
If there is an invalid parameter in the URL command line, a null message
appears.
You must set the name of the Work Manager in the WebSphere and WebLogic
application server to be wm/offlineTask.
For WebLogic, you must generate a new minimum threads constraint and
associate it with the wm/offlineTask Work Manager.
For more information on configuring the Work Manager for your application
server, see the appropriate application server manual.
For JBoss, you must define a new thread pool OfflineTaskThreadPool with
default settings dedicated to offline tasks.
For example, the JBOSS_HOME\server\default\deploy\jca-jboss-beans.xml
file is as follows:
Important: The initialSize parameter is not supported if you are using the data source
password obfuscation package for Tomcat.
Note: If you are using Tomcat shell scripts to start Tomcat, you must run the
scripts from the CATALINA_HOME directory and not from the
CATALINA_HOME\bin directory. For example, on Windows you must run
bin\startup.bat from the CATALINA_HOME directory.
After you have secured the data source password, the password appears in the
server.xml file, as shown:
<Resource ... name="jdbc/PassmarkDB"
factory="com.rsa.aaop.security.ObfuscatedPasswordDataSourceFactory" ...
password="{PBE}nc5dEYCat865ftI4LExmb+ioxSZLSu3I".../>
----ARGUMENTS-------------------
input: This is my message to be encrypted
password: password
----OUTPUT----------------------
k1AwOd5XuW4VfPQtEXEdVlMnaNn19hivMbn1G4JQgq/jArjtKqryXksYX4Hl6A0e
Note: You can choose to customize the log4j.properties file or retain the default
settings in the file.
The Offline task is a Scheduler task and is enabled by default. If you want to use the
Batch Loader utility, you must disable the execution of the Offline task until the batch
loading is completed.
c-config-aa-batch-data-analyzer.xml
In the common.rsaaa.callerid field, enter the name of the Adaptive
Authentication Admin user.
In the common.rsaaa.callercredential field, enter the password for the
Adaptive Authentication Admin user.
Fact Files
In the c-config-cre-batch-data-field-mapping.xml configuration file, there is a new
fact that you should use to send the device ID to the batch loader. The device ID is
obtained from the cookie.
You should add the following line in the batch loader input files to use the new fact:
deviceSourceCookieId=cookieID
For example, to use the MS SQL entries, delete the XML comments around that
entry, and add comments around the unused entries.
<!-- Oracle config-->
<!--
<property name="driverClassName">
<value>oracle.jdbc.OracleDriver</value>
</property>
<property name="url">
<value>jdbc:oracle:thin:@<ipaddress>:<port>:<dbname></value>
</property>
<property name="username">
<value><db user name></value>
</property>
-->
<!-- End Oracle config-->
<!-- MS SQL 2000 config -->
<property name="driverClassName">
<value>com.microsoft.jdbc.sqlserver.SQLServerDriver</value>
</property>
<property name="url">
<value>jdbc:microsoft:sqlserver://<ipaddress>:<port>;database=<dbname></value>
</property>
<property name="username">
<value><db user name></value>
</property>
<!-- End MSSQL config-->
<!-- 2005 driver
<property name="driverClassName">
<value>com.microsoft.sqlserver.jdbc.SQLServerDriver</value>
</property>
<property name="url">
<value>jdbc:sqlserver://server_name:<port>[;databaseName=<dbname>][; selectMethod=cursor]</value>
</property>
<property name="username">
<value>pmsecure6021</value>
</property>
-->
<!-- End MSSQL config-->
4. Add the following for the database entry that you are using:
The IP address (or host name)
Port number
Database name information for the URL value
5. Enter an appropriate user name value for the database entry. The database user
account must have the appropriate administrative level permissions for your
database.
The tool also requires a password for the database user account. The password is
entered on the command line when you run the tool.
6. Modify the DAO information so that it is specific to the database that you are
using. By default, the XML file is configured to use an Oracle database. If you are
not using Oracle, you must modify the entries. For example, to use the MS SQL
entries, delete the XML comments around that entry, and add comments around
the unused entries.
<!-- This is for Oracle configuration with database
images -->
<!--
<bean id="daoConfig"
class="com.passmarksecurity.dao.config.DAOConfigOracle"/>
-->
<!-- This is for MicroSoft SQL Server configuration with
database images -->
<!--
<bean id="daoConfig"
class="com.passmarksecurity.dao.config.DAOConfigMSSQL"/>
-->
7. Save the file.
8. Make any modifications to the tool, depending on the action you want to take. For
more information, see:
Add a Configuration Tree to the Database on page 140.
Export the Configuration Space Tree to a File on page 142.
configTreePath: Path of configuration folder to upload
outputPath: Path of configuration folder to download
class="com.passmarksecurity.config.admin.BootstrapConfigs">
<property name="action">
<value>save</value>
</property>
<property name="configTreeName">
<value>PMDefaultConfigs</value>
</property>
<property name="configTreePath">
<value>C:\configurationDir</value>
</property>
</bean>
Note: You can use this function to save changes to your existing Configuration Tree in
the database. However, this function overwrites the entire Configuration Tree.
Important: This function deletes an existing Configuration Tree from the database. If
a Configuration Tree is deleted, it is the responsibility of each application server to
pick up the new changes, either directly or through the use of a JMX. Before deleting
a Configuration Tree, make sure that no PassMark instance is using it.
advancedGroups. Denotes that the files have the Spring 2.5 header. You must
not change the values of this property.
<bean id="bootstrapConfigs"
class="com.passmarksecurity.config.admin.BootstrapConfigs">
<!-- valid actions are tofile and save -->
<property name="action">
<value>tofile</value>
</property>
<list>
<value>d-config-configService</value>
<value>d-config-reporting</value>
</list>
</property>
eFraudNetwork Agent
The eFraudNetwork is a collaboration of organizations that share information on
fraudulent activity. This information is used as a factor in the risk analysis of a given
transaction.
You can install the eFraudNetwork agent in the following ways:
As a scheduled task (recommended). In this case, the Scheduler configures the
eFraudNetwork agent. For more information, see the Operations Guide.
As a standalone component. In this case, you must manually configure the agent
in the efnagent-context.xml file because the Scheduler does not have access to
the Internet or DMZ for security reasons. If you want to install the eFraudNetwork
agent as a standalone component, you must install one agent in the DMZ and
another agent in the internal network.
You need to manually transfer the new eFraudNetwork file from the agent in the
DMZ to the agent in the internal server. The agent in the internal server loads the
new eFraudNetwork file to the Adaptive Authentication system.
For more information on configuring the eFraudNetwork files, see Configure
eFraudNetwork Files on page 145.
efnagent/agentcmd.bat, efnagent/agentcmd.sh
efnagent/bin/efnagent-context.xml
lastLocalVersion: Indicates the version of the local file for the following entities:
IP, Device, Payee. If the local file version is lower than the version available on
the eFraudNetwork server, the eFraudNetwork agent updates the file for the respective
entity. (Yes)
Encryption Utility
The Adaptive Authentication (On-Premise) system stores the list of seeds, questions,
answers, and phrases that can be encrypted. The system also stores customized fields
that are part of user-implemented Authentication Plug-ins that can also be encrypted.
You can use the Encryption utility to manage all administrator activities related to key
management and to perform the following tasks:
Generating a new master key. If the encryption feature is enabled, you must
generate a master key seed.
Rotating the master key. If the encryption feature is enabled and you want to
change the master key for security considerations, use this utility to rotate the
master key.
Dumping the plain seeds to file. Extracts all plain key seed values and writes
them to a file. This is required if you lose the master key.
Loading plain seed from backup. This is required if you lose the master key and
you want to recover the key from backup.
For more information about the Encryption utility, refer to the section about
encrypting user data in the Operations Guide.
Note: Run the script on UNIX as root or any other user who has the required
permissions.
On Windows:
w_RunRiskModelManagerTool.bat -U
Note: You are prompted for the application user password when you run the
script. If the JAVA_HOME variable is not set up, you are prompted to set it up.
Log Files
The log files for the Configuration Migration tool are available in the
utils_7.1\configuration-upgrade-7.1\logs directory.
Install rsa-auth-plugin-tools
To install the rsa-auth-plugin-tools.zip utility:
1. In the config.properties file, set the database vendor as shown:
db.vendor=Oracle/MSSQL
2. In the pmBootstrapConfigs.xml file, set the database connection settings as
shown:
<property name="driverClassName">
<value>value_of_property</value>
</property>
<property name="url">
<value>value_of_property</value>
</property>
<property name="username">
<value>value_of_property</value>
</property>
<property name="password">
<value>value_of_property</value>
</property>
3. In the acsp-tools-context, set the output file directory as shown:
<property name="outputFileDir">
<value>value_of_property</value>
</property>
4. In the log4j.properties file, configure the location of the log file, as shown:
log4j.appender.LOGFILE.File=logs/acspTools.log
log4j.appender.alarm.File=logs/acspTools.alarm.log
5. Copy the database driver library for your database vendor to the lib directory.
To install rsa.js:
1. In the online site code, back up the existing rsa.js JavaScript file.
Note: When you back up the file, do not rename it, for example, pm_fp-old.js or
pm_fp.old. Remove the file completely from the directory.
2. Copy the rsa.js file from the WebResources.zip folder and paste it into the online
site directory.
To install pmfso.swf:
1. In the online site code, back up the existing pmfso.swf file.
Note: When you back up the file, do not rename it, for example, pm_fp-old.js or
pm_fp.old. Remove the file completely from the directory.
2. Copy the pmfso.swf file from the WebResources.zip folder and paste it into the
online site directory.
To prevent caching of the Flash file by the Flash player on your browser:
Send an additional parameter with a volatile value, such as a timestamp, to the Flash
file. For example, see the nocache parameter in the following code.
// nocache: the current timestamp is appended to the .swf URL so the Flash player
// requests a fresh copy instead of serving a cached one.
var d=new Date().getTime();
var out = "";
out = out + "<object classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'" +"\n";
out = out + "width='500' height='500'>" + "\n";
out = out + "<param name='movie' value='pmfso.swf?nocache=" + d + "'>" + "\n";
out = out + "<param name='quality' value='high'>" + "\n";
out = out + "<param name='bgcolor' value='#FFFFFF'>" + "\n";
out = out + "<param name='FlashVars' value='gotoUrl=<%=gotoUrlEnc%>&sendUrl=<%=sendUrlEnc%>&browserType=" +BrowserDetect.browser + "'>" + "\n";
out = out + "<embed src='pmfso.swf?nocache=" + d + "'" +"\n";
out = out + "FlashVars='gotoUrl=<%=gotoUrlEnc%>&sendUrl=<%=sendUrlEnc%>&browserType=" +BrowserDetect.browser+"'"+ "\n";
out = out + "quality='high' bgcolor='#FFFFFF' width='1' height='1' " + "\n";
out = out + "type='application/x-shockwave-flash'>" + "\n";
out = out + "<noembed>" + "\n";
out = out + "<script>" + "\n";
out = out + "navigateToUrl('<%=gotoUrl%>');" + "\n";
out = out + "</script>" + "\n";
out = out + "</noembed>" + "\n";
out = out + "<noobject></noobject>" + "\n";
out = out + "</embed>" + "\n";
out = out + "<noobject></noobject>" + "\n";
out = out + "</object>" + "\n";
document.write(out);
In the WebSphere application server, connections are shared by default. The use of
shareable connections implies that different connection requests by the application,
made within the same business transaction, actually receive a handle for the same
physical connection to the resource. The benefit of this is a reduction in the number of
physical connections that need to be managed.
When the application closes a shareable connection, the connection is not truly closed,
nor is it returned to the free pool. Rather, it remains in the Shared connection pool,
ready for another request within the default transaction context for a connection to the
same resource.
RSA recommends that you set the connection pool sharing parameter to "unshared".
If you must use shared connections, ensure that you set the maximum size of the
connection pool to be greater than the maximum number of threads plus the number of
concurrent Scheduler tasks plus one for the session reaper.
Procedure
Set connection pool configurations as per the following recommended values:
Connection timeout = 60 sec
Reap time = 30 sec
Unused timeout = 30 sec
Aged timeout = 0 (remains in the pool indefinitely)
Procedure
1. Create a J2C authentication alias.
2. Create the data source.
3. Test the database connection.
c. Click OK.
d. Click Finish to save the changes to the master configuration.
3. On the Create a new JDBC provider page, select the following from the
drop-down menus:
Database type: Oracle
Provider type: Oracle JDBC Driver.
Implementation type: Connection pool data source
In the Name field, enter a name for the JDBC provider, for example,
RSADatabase, or use the default.
4. Click Next.
5. On the Enter database class path information page, in the Class path field, enter
the absolute path to the directory location for the JDBC driver file ojdbc14.jar,
for example, C:\releases\PMDB.oracle.
If you do not change the absolute path to the driver files, the following error
message appears:
The classpath attribute contains a variable that begins with
a dollar sign ($). Verify that this variable is defined, by
Important: You must use a JDBC driver that is appropriate for your database
server and compatible with JVM 1.6. An incompatible driver can reduce the
performance of the system.
6. Click Next.
2. Click Next.
2. The Summary page for your configuration is displayed. Verify that the
information is correct and click Finish.
7. From the Database Type menu, select the appropriate database type (Oracle, MS
SQL Server).
8. From the Database Driver list, select one of the following:
For MS SQL Server, select
MS SQL Server Driver (Type 4) Version:2005
MS SQL Server Driver (Type 4) Version:2008
For Oracle, select Oracle Driver (Thin) Versions:
Oracle 10g - ojdbc14.jar
Oracle 11g - ojdbc6.jar
You must copy the appropriate JDBC driver files for your database vendor to the
lib directory in WebLogic, for example,
C:\bea\weblogic10_3\samples\domains\wl_server\lib.
Make sure to select the appropriate driver based on the database vendor.
9. Click Next.
10. Under Transaction Options, leave all of the default selections, and click Next.
11. On the Connection Properties page, define the properties for the data source that
you are creating:
a. Enter the Database Name. This is the name of the Core Database.
b. Enter the Host Name of the Core Database.
c. Enter the Port number for the Core Database.
d. Enter the Database User Name. The user must have administrative access to
the database.
e. In the Password and Confirm Password fields, enter the database user's
password.
f. Click Next.
12. Under Test Database Connection, review the connection properties that you
have provided, and click Test Configuration.
13. Do one of the following:
If you receive a message that the connection test succeeded, click Next.
If you receive an error message, verify that:
The correct data source options are selected
The database connection properties are correct
The Core Database is up and running.
14. Under Select Targets, select the checkbox for your application server.
15. Click Finish.
The data source that you created is listed on the Summary of JDBC Data
Sources page.
Note: The Adaptive Authentication system should not be active during the
execution process.