How (and why) do I enable Authentication Manager Prime multi-tenant mode?
Originally Published: 2021-06-21
Article Number
Applies To
RSA Product/Service Type: Authentication Manager SDK
RSA Version/Condition: AM 8.4, 8.5, AMIS 1.3
Platform: Linux (Windows option with Prime)
Platform (Other): AM 8.x AMIS
O/S Version: SUSE Linux 12
Product Name: Authentication Manager, AM Prime
Product Description: Authentication Manager, AM Integration Services, AMIS
Issue
Some customers will look for assistance configuring multi-tenant mode for AMIS/HDAP/AMIS in \RSA\amis\am8-config.xml as a way to use AM Security Domains in AMIS.
Customers may consider moving to this model as a way to manage users and tokens in diverse, remote business regions. These customers will ask for the steps needed to switch to multi-tenant mode.
Caution: Support should also provide related information on the implications of switching to multi-tenant mode, and suggest an engagement with Professional Services to plan and implement the switch.
Tasks
- Enable multi-tenant to use AM Security Domains: <Multi-tenant enabled="true" />.
- Set a 'Root' Security Domain if you want a common token area shared between all user domains: tokenRootSecurityDomain.
- The bind account will need a top-level Security Domain view.
- Multi-tenant enforces AM Security Domains everywhere: AMIS, SSP, and HDAP.
- Be careful before enabling multi-tenant when the existing AMIS has been running with flat AM Security Domains; you may want to engage Professional Services (PS).
- Restart AMIS services.
Resolution
- The standard AMIS configuration "flattens" Authentication Manager Security Domains, so AMIS sees ALL users and tokens regardless of AM Security Domain or hierarchy. Enable multi-tenant by changing false to true in the following line of the \RSA\amis\am8-config.xml file:
<Multi-tenant enabled="false"/>
- When multi-tenant is enabled in the AMIS am8-config.xml, <Multi-tenant enabled="true" />, AMIS enforces the Security Domain hierarchy configured in Authentication Manager. There is also a special multi-tenant mode that uses AM Security Domains to logically separate users but allows for a shared token "pool", <Multi-tenant enabled="true" tokenRootSecurityDomain="TokenPool"/>, where communal tokens reside in the Security Domain defined by "tokenRootSecurityDomain", e.g. Security Domain TokenPool is where all users' tokens are kept. The default file carries this variant as a commented-out line above the active setting:
<!-- <Multi-tenant enabled="false" tokenRootSecurityDomain="TokenPool"/> -->
<Multi-tenant enabled="false" />
- Multi-tenant has unique requirements for the Security Domains of the "amisbind" and "sspbind" accounts. For example, "amisbind" and "sspbind" will likely need to reside at the highest level, SystemDomain, to ensure appropriate access.
- When multi-tenant is enabled, AMIS enforces the AM Security Domain hierarchy everywhere, including HDAP, SSP, and AMIS service accounts. For example, if an HDAP administrator resides in the "ACME" Security Domain, they will only be able to see and manage users and tokens in the ACME Security Domain or a child thereof. Customers who have been running in the default or "flat" mode should NOT enable multi-tenant blindly.
- Bind accounts, service accounts, and users may have to be restructured before enabling multi-tenant to ensure proper behavior. In this case, we recommend consulting with Professional Services (PS) to ensure that proper research is done and the required changes are implemented in the customer's environment before multi-tenant is turned on.
- Restart AMIS services (refer to internal KB 31316, restart AMIS services).
Authentication Manager Prime has three components that each run their own Apache Tomcat instance. These are:
Authentication Manager Integration Service (AMIS);
Authentication Manager Help Desk Admin Portal (HDAP); and
Authentication Manager Self-Service Portal (SSP).
For AM Prime on Windows there will be three Tomcat service stop/start icons; right-click on them to stop, start, or restart. Alternatively, look in Windows Services for these Tomcat services.
For AM Prime on Linux, SSH in or access the Linux console and run the following from the command line, in any directory.
service tomcat-amis stop | start | reset
service tomcat-ssp stop | start | reset
service tomcat-hdap stop | start | reset
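The scoping rule and the bind-account requirement described in the Resolution can be checked before the switch is made. The following is an added example, not RSA code: it reads the <Multi-tenant> element and lists which accounts would lose visibility once the setting is live. The <am8-config> wrapper element, the account and user inventory, and the function names are constructed assumptions; only the <Multi-tenant> element and its attributes come from the article.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the <Multi-tenant> element comes from the article;
# the <am8-config> wrapper is a placeholder for the real file layout.
SAMPLE_CONFIG = """<am8-config>
  <!-- <Multi-tenant enabled="false" tokenRootSecurityDomain="TokenPool"/> -->
  <Multi-tenant enabled="true" />
</am8-config>"""

# Constructed inventory: name -> Security Domain path, top level first.
ACCOUNTS = {
    "amisbind": ["SystemDomain"],
    "sspbind": ["SystemDomain", "ACME"],
    "acme-helpdesk": ["SystemDomain", "ACME"],
}
USERS = {
    "alice": ["SystemDomain", "ACME", "Sales"],
    "bob": ["SystemDomain", "Globex"],
}


def read_mode(xml_text):
    """Return (enabled, token_root) from the single active <Multi-tenant> element."""
    nodes = list(ET.fromstring(xml_text).iter("Multi-tenant"))  # comments are skipped
    if len(nodes) != 1:
        raise ValueError(f"expected 1 active <Multi-tenant>, found {len(nodes)}")
    enabled = nodes[0].get("enabled", "false").strip().lower() == "true"
    return enabled, nodes[0].get("tokenRootSecurityDomain")


def in_scope(viewer_path, target_path, enabled):
    """Flat mode sees everything; multi-tenant sees own domain or a child of it."""
    return not enabled or target_path[:len(viewer_path)] == viewer_path


def preflight(xml_text, accounts, users, bind_names=("amisbind", "sspbind")):
    """List what changes for each account once this configuration is live."""
    enabled, _ = read_mode(xml_text)
    findings = []
    for name, path in accounts.items():
        if enabled and name in bind_names and len(path) > 1:
            findings.append(f"{name}: bind account below top level ({'/'.join(path)})")
        lost = sorted(u for u, p in users.items() if not in_scope(path, p, enabled))
        if lost:
            findings.append(f"{name}: loses visibility of {', '.join(lost)}")
    return findings


if __name__ == "__main__":
    for line in preflight(SAMPLE_CONFIG, ACCOUNTS, USERS):
        print(line)
```

In practice the inventory would be built from an export of accounts and their Security Domains in Authentication Manager, and an empty findings list is the condition to reach before changing the setting and restarting the services.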