
RSA Authentication Manager 8.5


Web Tier Getting Started

Thank you for purchasing RSA Authentication Manager 8.5. This document provides an overview of how to
deploy the web tier.

Web Tier Overview

The web tier is a specialized software package included with RSA Authentication Manager, providing a secure
method to deploy the Self-Service Console, dynamic seed provisioning (CT-KIP), and risk-based authentication
(RBA) services. You can enable these three services individually to meet the needs of your deployment.

The web-tier protects the private network by receiving and managing inbound traffic from the internet. This
eliminates the need to expose Authentication Manager directly to the public network for self-service, secure
software token provisioning (CT-KIP), and risk-based authentication (RBA).

In addition to enabling services and providing network security, deploying Authentication Manager web-tier
servers in your network demilitarized zone (DMZ) offers the following benefits:

• Certificates for Self-Service Console, dynamic seed provisioning (CT-KIP), and RBA are managed in a dedicated container.
• Provides the ability to specify the listening port for these services.
• Enables risk-based integration for web-based applications in environments licensed for this feature.

Web-tier installation requires an Authentication Manager primary instance. In production environments, it is
preferable to have at least two Authentication Manager instances located in your private network (a primary
instance and a replica instance), as well as two web-tier servers front-ended by a load balancer located in your
DMZ (one web tier for each instance). If a replica instance is promoted to the primary instance, the web-tier
servers automatically follow the promotion. An Authentication Manager realm can have up to 16 web tiers.

You need Super Admin permissions to manage Authentication Manager and the web-tier servers. Administrative
privileges are required to install the web-tier component; however, the service runs under a non-privileged
account.

Web-tiers are not required, but your deployment might need them to satisfy your network configuration and
requirements. For environments using software tokens, RSA recommends using web-tier servers to distribute
tokens through CT-KIP instead of file-based (CTF) distribution. For more information on the Authentication
Manager deployment types, see the Planning Guide.

The following diagram shows traffic flow and ports in a typical web-tier deployment. (The diagram is not reproduced here.)

Web-Tier Hardware and Operating System Requirements

The following table lists the minimum requirements for the web-tier server. RSA recommends that you adjust
these requirements upwards based on expected usage.

Description         Requirements

Hardware            Hard Drive: 2 GB for web tier installation
                    Hard Drive: 4 GB-20 GB free space for logs and updated component downloads
                    RAM: 4 GB
                    CPU: At least 2 virtual CPUs.

Ports               External Firewall: 443 HTTPS (TCP)
                    DMZ: 443 HTTPS (TCP)
                    Internal Firewall: 7022 T3S (TCP)

Operating Systems   Red Hat Enterprise Linux 5 Server (64-bit)
                    Red Hat Enterprise Linux 6 Server (64-bit)
                    Red Hat Enterprise Linux 7.4 Server (64-bit)
                    Red Hat Enterprise Linux 7.6 Server (64-bit)
                    Red Hat Enterprise Linux 7.9 Server (64-bit)
                    Red Hat Enterprise Linux 8.1 Server (64-bit)
                    Red Hat Enterprise Linux 8.3 Server (64-bit)

                    Note: The System Management BIOS (SMBIOS) is required.

                    Windows Server 2012 (64-bit)
                    Windows Server 2012 R2 (64-bit)
                    Windows Server 2016 Standard
                    Windows Server 2019

                    Note: The Microsoft Visual C++ 2015 Redistributable package is required on Windows Server
                    platforms.

Setting Up the Web-Tier Environment

Before installing a web tier, perform the following tasks to set up the web-tier environment.

Procedure 
1. Verify that you have Super Admin permissions, and permissions to install software.

2. Verify that you have access to the Operations Console.

3. On Linux systems, verify that the open files hard limit for the local user is at least 16384.

4. On Linux systems, if you do not plan to use the default installation directory, then you must use the
following command to set the proper permissions on your custom directory:

chmod -R 755 <Custom_directory_with_a_relative_path>

5. Make sure that your web-tier servers meet the recommended hardware and operating system
requirements. For more information, see Web-Tier Hardware and Operating System Requirements on
the previous page.

6. Set up the web-tier servers where you plan to install the web tier, for example, in the network DMZ.

7. Confirm that the date and time on the server where you plan to install the web tier matches the date and
time on the instance with which the web tier will be associated (primary or replica) within one minute.
The time zones do not have to be the same. For example, the web-tier server time can be 7:00 am
(GMT), and the associated instance time can be 9:00 am (GMT + 2).

8. Configure the virtual host. The virtual hostname can be a load balancer hostname or a round-robin
Domain Name System (DNS) name. For instructions, see the Setup and Configuration Guide.

9. (Optional) On the virtual host, replace the default certificate.

10. On the load balancer and on the firewall, replace the certificate with the virtual host certificate. For
instructions, see your load balancer and firewall documentation.

11. Configure a Domain Name System (DNS) server with the Fully Qualified Hostname (FQHN) of the web
tier. The web-tier FQHN must resolve from the RSA Authentication Manager primary instance, and the
FQHN of the primary instance must resolve from the web tier.

If you cannot configure a DNS server, update the appliance hosts file with the web-tier FQHN. Click
Administration > Network > Hosts File, and follow the instructions in the Help topic Edit the
Appliance Hosts File.

Install the Web Tier

RSA Authentication Manager includes web-tier installers for Windows and Linux, which are located in the RSA
Authentication Manager 8.5 Extras download kit. After a web tier is installed, the Authentication Manager
Operations Console can be used to apply version updates.

Before you begin 

• Obtain the RSA Authentication Manager 8.5 Extras download kit from https://my.rsa.com.

• Confirm that the virtual host and load balancer are configured.

• Know the following information:

  • Directory name and location where you want the web-tier software installed

  • Fully qualified hostname of the web-tier server

  • Primary NIC IP address (IPv4) of the web-tier server

  • Web-tier deployment package name, location, and web-tier package password

  • For Linux, local user name (do not use root)

Procedure 
1. On the public and private DNS servers, enter the web-tier hostname and IP address.

2. On the primary instance, add a web-tier deployment record and generate a web-tier deployment
package. For instructions, see Add a Web-Tier Deployment Record below.

3. On the web-tier server associated with the primary instance, run the RSA Authentication Web-Tier
Installer for your platform. For instructions, see the following:

• Install a Web Tier on Windows Using the Graphical User Interface on the facing page.

• Install a Web Tier on Linux Using the Command Line on page 6.

4. Modify the Self-Service Console URL to point to the virtual host and virtual host port. For instructions,
see the Help topic Configure E-mail Notifications for Self-Service User Account Changes.

5. If your deployment uses dynamic seed provisioning, modify the token-key generation URL to point to the
virtual hostname, virtual host port, and self-service console. For instructions, see the Help topic
Configure Token Settings.

6. On each web-tier server, run the RSA Authentication Web-Tier Installer for your platform.

Add a Web-Tier Deployment Record


A web-tier deployment record must exist in the database on the primary instance before you can install a web
tier. The web-tier deployment record establishes communication from the primary instance to the web tier.

An instance can have up to 16 web tiers. Each web tier requires a web-tier deployment record.

In the last step of this procedure you can either generate the web-tier deployment package now or generate it at
a later date. The web-tier deployment package contains the information that RSA Authentication Manager uses
to connect a web tier to the associated instance. The web-tier deployment package is required prior to installing
the web tier. If you generate the web-tier package now, you can install the web tier now.

Before you begin 

• You must be a Super Admin.

• If you are installing a new web-tier deployment, configure a virtual hostname, listening port, and load
balancer. For instructions, see the Setup and Configuration Guide.

Procedure 
1. On the primary instance, in the Operations Console, click Deployment Configuration > Web-Tier
Deployments > Add New.

2. If prompted, enter your Super Admin User ID and password.

3. On the Add New Web-Tier Deployment page, in the Details section, enter the following information:

• Deployment name. The name you want for the web-tier deployment (0-255 characters. The &
% > < ’ and ” characters are not allowed).

• Hostname. Fully qualified hostname of the web-tier server where you are installing the web-tier
deployment.

• Preferred RBA Instance. The instance connected to this web-tier deployment to which risk-based
authentication (RBA) traffic is directed.

4. In the Web-Tier Service Options section, turn any of the following services on or off.

• Self-Service Console

• Risk-based authentication

• Dynamic seed provisioning

5. In the Virtual Host section, confirm the following information.

• Virtual Hostname. Must be the fully qualified name of the virtual host.

• Port Number. The default is 443.

6. Do one of the following:

• Click Save. The system saves the record in the database on the associated primary instance. The
trust certificate is updated when you generate a web-tier deployment package.

• Click Save & Generate Web-Tier Package. The Generate Web-Tier Deployment Package
screen is displayed.

Note: If the web-tier hostname is not resolved, a confirmation screen displays. Follow the
instructions on the screen.

After you finish 

• Confirm the details of this web-tier deployment record. For instructions, see the Help topic “View Web
Tier Deployments.”

• If you chose to save the web-tier deployment record without generating the web-tier deployment
package, generate the web-tier deployment package before installing the web tier.

• Install the web tier.

Install a Web Tier on Windows Using the Graphical User Interface


During installation, you run the RSA Authentication Web-Tier Installer on the web-tier server. This installs
dynamic seed provisioning, the Self-Service Console and risk-based authentication (RBA) service.

Use only numbers and English characters when specifying paths and filenames. Single-byte and double-byte
characters are not supported.

Before you begin 

• Complete the steps to Install the Web Tier on page 3.

• Copy the Webtier folder from the RSA Authentication Manager 8.5 Extras download kit to the supported
Windows platform. The linux-x86_64 folder is not needed.

Procedure 
1. In the location where you copied the RSA Authentication Manager 8.5 Extras download kit, go to
Webtier/windows-x86_64 and locate install_webtier.bat.

2. Do one of the following:

• If User Access Control (UAC) is on, right-click install_webtier.bat and select Run As
Administrator.

• If User Access Control (UAC) is off, double-click install_webtier.bat.

3. On the Welcome screen, read the overview and navigation instructions. Click Next.

4. On the License Agreement screen, read the license agreement, and click Next.

5. On the Installation Folder screen, specify the installation folder and click Next.

6. On the Choose Web-Tier Package File screen, do the following:

a. Select the Web-Tier Package for the instance to which this web-tier server is associated.

b. Type the Password.

c. Click Next.

7. On the Summary screen, do one of the following:

• If the summary is correct, click Next.

• If the summary is incorrect, click Previous, and correct the information.

8. On the Installation Progress screen, wait for the progress bar to indicate that the installation is
finished and click Next.

9. On the Run Configuration screen, wait for the configuration to complete and click Next.

10. On the Installation Summary screen, click Done.

After you finish 

After you exit the web-tier installer, the Web-Tier Update Service connects to the primary server to install the
necessary services. Use the Operations Console to check the status of this process.

In the Operations Console, click Deployment Configurations > Web-Tier Deployments > Manage
Existing to see the web tier installation status.

Install a Web Tier on Linux Using the Command Line


During installation, you run the RSA Authentication Web-Tier Installer on the web-tier server. This installs
dynamic seed provisioning, the Self-Service Console and risk-based authentication (RBA) service.

• Use only numbers and English characters when specifying paths and filenames. Single-byte and double-byte
characters are not supported.

• The install user must have execute permission for the folder into which the web tier is installed.

• Do not save the web-tier installer and the web-tier package under the /root directory.

• Do not use spaces in the installation path.
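The Linux prerequisites that this guide states in several places (the open files hard limit in Setting Up the Web-Tier Environment, the one-minute clock tolerance between web tier and instance regardless of time zone, and the installation path rules listed above) can be checked in one pass before running install_webtier.sh. The following preflight script is an added example and is not part of the RSA guide; the function names, and passing the instance clock in as an epoch value (for example, the output of date +%s on the instance), are my own assumptions.

```shell
#!/bin/sh
# Preflight checks for the Linux web-tier prerequisites (added example, not
# from the RSA guide). Run on the web-tier host as the intended install user.

# 0 if the current user's hard open-files limit is at least $1. The guide
# gives 16384 in "Setting Up the Web-Tier Environment" and 4096 in the Linux
# "Before you begin"; pass the value you are held to.
open_files_limit_ok() {
    limit=$(ulimit -Hn)
    [ "$limit" = "unlimited" ] && return 0
    [ "$limit" -ge "$1" ]
}

# 0 if the local clock is within $2 seconds (default 60) of the epoch time
# $1 reported by the associated instance. Epoch seconds carry no time zone,
# which is why differing zones are acceptable as long as the skew is small.
clock_skew_ok() {
    remote=$1
    tolerance=${2:-60}
    now=$(date +%s)
    skew=$((now - remote))
    [ "$skew" -lt 0 ] && skew=$((-skew))
    [ "$skew" -le "$tolerance" ]
}

# 0 if $1 is an acceptable installation path: not under /root, no spaces,
# and (if it already exists) executable by the install user.
install_path_ok() {
    path=$1
    case "$path" in
        /root|/root/*) echo "reject: $path is under /root" >&2; return 1 ;;
        *" "*)         echo "reject: path contains spaces" >&2; return 1 ;;
    esac
    if [ -d "$path" ] && ! [ -x "$path" ]; then
        echo "reject: install user lacks execute permission on $path" >&2
        return 1
    fi
    return 0
}

# Usage: sh preflight.sh <install_path> <instance_epoch_seconds> [required_nofile]
preflight() {
    rc=0
    open_files_limit_ok "${3:-16384}" || { echo "open files hard limit below ${3:-16384}" >&2; rc=1; }
    clock_skew_ok "$2"                || { echo "clock differs from instance by more than 60 s" >&2; rc=1; }
    install_path_ok "$1"              || rc=1
    # The guide says the local install user must not be root.
    [ "$(id -u)" -ne 0 ]              || { echo "do not use root as the install user" >&2; rc=1; }
    return $rc
}

[ $# -ge 2 ] && preflight "$@"
```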

Before you begin 

• Verify that the open files hard limit for the local user is at least 4096.

• Complete the steps to Install the Web Tier on page 3.

• Copy the Webtier folder from the RSA Authentication Manager 8.5 Extras download kit to the /tmp
directory on the supported Linux platform. You can exclude the windows-x86_64 folder.

Procedure 
1. Log on as root.

2. On the command line, change directories to the location where you copied the Webtier folder from the
RSA Authentication Manager 8.5 Extras download kit. Type the following and press ENTER:

cd /tmp/Webtier/linux-x86_64

3. Specify read, write, and execute access for the installation files. On the command line, do the following:

• For the install_webtier.sh file, type the following, and press ENTER:

chmod 777 ./install_webtier.sh

• For the /tmp/Webtier/linux-x86_64/jdk/bin directory, type the following, and press ENTER:

chmod 777 ./*

4. On the command line, type the following and press ENTER.

./install_webtier.sh -console

5. On the Welcome screen, type 1 to continue and press ENTER.

6. On the License Agreement screen, press ENTER to continue.

7. On each successive License Agreement screen, you can do the following:

• Press ENTER to continue to the next page of the License Agreement. On the last screen, type YES and
press ENTER to accept the terms of the license agreement.

• Type Q to quit the License Agreement, then type YES and press ENTER to accept the terms of the
license agreement.

8. On the Installation Folder screen, do the following:

a. Enter the location of the installation folder.

b. Press ENTER.

9. On the Choose Web Tier screen, do the following:

a. Enter the web-tier package location and file name, and press ENTER.

b. Enter the web-tier package password, and press ENTER.

c. Press ENTER.

10. On the Installation User screen, do the following:

a. Enter the installation user, and press ENTER.

b. Press ENTER.

11. On the Summary screen, review the summary and do one of the following:

a. If the summary is correct, type 1 to continue and press ENTER.

The installation begins and the Finish screen displays when the installation is successful.

b. If the summary is incorrect, type 2 and press ENTER to quit.

The installation terminates and you must begin again.

12. On the Finish screen, press ENTER to exit.

13. Delete the Webtier folder from the /tmp directory.

After you finish 

After you exit the web tier installer, the Web-Tier Update Service connects to the primary server to install the
necessary services. Use the Operations Console to check the status of this process.

In the Operations Console, click Deployment Configurations > Web-Tier Deployments > Manage
Existing to view the web tier installation status.

Support and Service

You can access community and support information on RSA Link at https://community.rsa.com. RSA Link
contains a knowledgebase that answers common questions and provides solutions to known problems, product
documentation, community discussions, and case management.

The RSA Ready Partner Program website at www.rsaready.com provides information about third-party hardware
and software products that have been certified to work with RSA products. The website includes Implementation
Guides with step-by-step instructions and other information on how RSA products work with third-party
products.

© 1994-2021 RSA Security LLC or its affiliates. All rights reserved. RSA Conference logo, RSA, and other
trademarks are trademarks of RSA Security LLC or its affiliates. For a list of RSA trademarks,
https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks are trademarks of their respective
owners.

July 2020

Revised: May 2021

Intellectual Property Notice


This software contains the intellectual property of RSA or is licensed to RSA from third parties. Use of this
software and the intellectual property contained therein is expressly limited to the terms and conditions of the
License Agreement under which it is provided by or on behalf of RSA.

Open Source License


This product may be distributed with open source code, licensed to you in accordance with the applicable open
source license. If you would like a copy of any such source code, RSA or its affiliates will provide a copy of the
source code that is required to be made available in accordance with the applicable open source license. RSA or
its affiliates may charge reasonable shipping and handling charges for such distribution. Please direct requests
in writing to RSA Legal, 174 Middlesex Turnpike, Bedford, MA 01730, ATTN: Open Source Program Office.
