RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Many customers have asked RSA for best-practices documentation for operations, including performance monitoring. While we do not have that, the RSA Performance and Scalability Guides for most versions are available on the RSA Community.
RSA does not have a Best Practices Guide for Authentication Manager, but we do have planning and configuration guides, and this knowledge base article was created to address this need.
Principles
- Good principles begin with watching for scope creep, keeping jobs manageable and using manageable sub-processes as building blocks for larger processes or jobs.
- Stay up to date with versions and patches. Not only are new features included in newer versions, but bug and vulnerability fixes are always targeted for the latest releases. Be aware that your support contract mandates staying current with versions, and that asking RSA to apply new fixes to older versions of the product results in exponentially more complex Quality Engineering test scenarios, especially in the area of upgrades or updates. Applying a hot fix to an older version of Authentication Manager means QE has to go back and test previous version updates.
- Authentication is the act of verifying the authenticity of someone or something; in other words, to make sure someone is who they claim to be. Authentication is the foundation of all access control, and all access controls are only as sound as the authentication system undergirding them. Authentication Manager two-factor authentication (2FA) is the integration of something you have (the tokencode) and something you know (the PIN) into the passcode.
- If your tokens do not require PINs (that is, PINless tokens), then you do not have 2FA configured and have an inherently less secure authentication mechanism.
- If you configure PINless tokens with passwords, you have multi-factor authentication (MFA), which may (or may not) be as strong as 2FA, depending on the degree of integration and the protection of token seeds.
- There is an ongoing debate that revolves around the concept that one eight-foot-high fence is considered more secure than two four-foot-high fences. Your risk analysis team needs to determine if your MFA is sufficient to mitigate your risk concerns in accordance with your business principles.
Technical Principles
- As documented in the RSA Authentication Manager 8.7 SP1 Setup and Configuration Guide, you cannot extend the size of the RSA Authentication Manager appliance disk drive on a virtual machine after it has been deployed. To resolve this, you will need to deploy a new instance, probably a replica that you will promote. The Setup and Configuration Guide states that:
By default, an upgraded VMware virtual appliance has 100 GB of disk space for storage and a 4 GB swap file. When you deploy a new 8.7 SP1 VMware virtual appliance, the default size is 500 GB of disk space for storage and 4 GB for a swap file.
You can deploy the 500 GB VMware appliance in a deployment with upgraded 100 GB VMware appliances. Make sure that you have sufficient disk space before restoring an Authentication Manager backup file from a new 500 GB appliance on a 100 GB appliance or promoting a 100 GB replica instance to replace a 500 GB primary instance.
- Authentication Manager is an authentication system first, and only secondarily a reporting system; therefore you need to understand several database concepts, such as managing log archival maintenance, which lets you understand how long authentication and administration data is maintained in the database for your authentication and administration reports.
- Log archival management is closely related to database management. As authentication and administrative activity is logged to the database, the database grows in size. As this information grows older, there is a point where it should be archived and purged from the database so that the database does not grow indefinitely. However, most databases do not automatically compress the space allocated to this information as it is archived, so the database does not instantaneously shrink. Instead, the database marks this space as writeable so that newer logged data can use it, which slows the rate of growth of the database. If you want or need to compress the Authentication Manager internal database, you need to run the postgres vacuumdb utility. For information on how to run this utility, please contact RSA Technical Support and open a case.
- If your Authentication Manager primary runs on VMware, you may have deployed this server with the default disk size of 100 GB. If you also have thousands of users, there may be circumstances where, due to logging and archiving, your disk could be at risk of filling up. Therefore, it is wise to configure a Critical System Event Notification in the Security Console (Setup > System Setup), and enable an email for Low disk space events. Optionally, modify the warning threshold from the default setting of 5 GB to something larger to give you an earlier warning. See this article on how to modify the low disk space critical event email warning threshold from 5 GB to 10 GB free in RSA Authentication Manager 8.2.1 and higher for more information.
Recommended KBs
- DSA-2019-117: RSA® Authentication Manager Security Update for Multiple Embedded Component Vulnerabilities recommends AM 8.4 P5 for CVE-2019-2729. If you are unable to update to RSA Authentication Manager 8.4 patch 5, please contact Technical Support and open a case to discuss workarounds.
- For issues related to RSA Authentication Manager 8.3 and 8.4 security vulnerabilities for Oracle WebLogic (CVE-2019-2729), please contact Technical Support and open a case.
- For issues related to Oracle WebLogic vulnerabilities CVE-2019-2725, and others* in RSA Authentication Manager 8.3 and 8.4 (CVE-2019-2725 and CVE-2019-2729), please contact Technical Support and open a case.
Server consoles
- RSA Authentication Manager 8.2 Service Pack 1 patch 6 introduces manual synchronization
- How to increase biztier and console heapsizes for RSA Authentication Manager to address console memory allocation errors
Agent and Authentication Knowledge
- How to troubleshoot and fix most invalid proof and failed to send day data errors on the RSA Authentication Agent 7.x for Windows (agent version no longer supported)
- Troubleshooting failed offline authentication on an RSA Authentication Agent 7.3 or 7.4 for Windows (agent version no longer supported)
- How to troubleshoot On-Demand Authentication (ODA) login failures in RSA Authentication Manager 8.1 (server version no longer supported)
- Using an IP address override to fix an initial authentication failures with RSA Authentication Manager when the error Authentication Method Failed displays
Linux and certificate knowledge
- How to export Web Tier Virtual Host Key Pair to a PFX file for RSA Authentication Manager 8.x
- How to delete old or pending certificate signing requests for RSA Authentication Manager console or virtual host replacement certificates.
- For information on how to reset the operating system user password for RSA Authentication Manager 8.x, please contact Technical Support and open a case.
Authentication Manager Integration Service (AMIS) articles
- 000031000 - For collecting troubleshooting logs for Authentication Manager Prime/Authentication Manager Integration Service (AMIS), please contact Technical Support and open a case.
- To collect logs, go to the primekit home directory and navigate to scripts/tools, where there are two scripts: ./gather_logs.sh and ./gather_configs.sh.
Hardware appliance knowledge