RSA Release Notes for RSA Authentication Manager 8.8

RSA Authentication Manager 8.8 Patch 1 (June 2025)

New Features

  • Performance improvements and bug fixes.
  • Added AMBA DET action to delete expired and unassigned tokens.
  • Enhanced admin audit log to include Emergency Access Codes expiration dates.

 

Web-Tier New Features

  • Performance improvements and bug fixes.
  • RSA has qualified Authentication Manager 8.8 Patch 1 Web Tier for compatibility with Red Hat Enterprise Linux 9.0 Server (64-bit) and Windows Server 2025.

Note: For more information on AM 8.8 Patch, see RSA Authentication Manager 8.8 Patches and Hotfixes Readme.

 

RSA Authentication Manager 8.8 Release Notes (April 2025)

RSA Authentication Manager 8.8 delivers compelling features that make it faster and easier to take the journey to the Cloud and use modern multifactor authentication. It includes the following new features and enhancements:

 

  • New Features and Enhancements
  • Deprecated and Removed Features
  • Additional Information

For a complete list of product documentation, see the RSA Authentication Manager Documentation page.

 

New Features and Enhancements

Authentication Settings for RADIUS Client

RSA Authentication Manager (AM) now supports advanced authentication settings for RADIUS clients, enabling seamless integration with Cloud Multi-Factor Authentication (MFA) when connected to Cloud Authentication Service (CAS). Note that this allows administrators to manage authentication flows effectively across global and local deployment scenarios, enhancing both security and user experience.

To configure this, go to RADIUS > RADIUS Clients > Add New > Authentication Settings in the Security Console.  

 

  • Enhanced MFA Experience
    AM now supports a more flexible MFA experience. Users can now authenticate using various methods such as Push Notifications, Device Biometrics, and more, ensuring a seamless and secure authentication process.
  • Per-Client Code Matching Toggle for RADIUS Client
    AM now supports code matching for Approve and Device Biometric authentication methods. Some older RADIUS clients are not compatible with the required features for code matching. To maintain compatibility, administrators can enable or disable this feature on a per-client basis, ensuring flexibility across different client environments.
  • Password-Based Authentication Support for RADIUS Clients
    AM now supports password-based authentication as the primary method for RADIUS clients. You can configure Password + Step-up and Step-up modes, with Step-up set as the default. This ensures secure handling of password authentication, with lockout policies applied to protect against invalid attempts.
    In Password + Step-up mode, users authenticate with a password and then enter a Tokencode without needing additional MFA options. RADIUS clients that do not support password challenges will not be impacted.
  • Hybrid High Availability for RADIUS Clients with MFA Support
    AM supports Hybrid High Availability, providing seamless failover capabilities to ensure continuous access to critical systems. If the CAS becomes unreachable, cloud-based MFA methods are unavailable. However, users can still authenticate using methods supported by AM. No changes to the existing infrastructure are required.

For more information, refer to the 'Administering RSA RADIUS' chapter in the RSA Authentication Manager 8.8 Administrator's Guide.

 

Support Ping Directory as an Identity Source

RSA Authentication Manager now supports PingDirectory (10.0.0.2) as a new identity source. This enables organizations and enterprises to use PingDirectory as an identity source. It provides centralized identity management, high availability, and seamless integration with existing security ecosystems, ensuring a future-proof solution for identity and access management.

 

Administrators can add PingDirectory by navigating to Operations Console, Deployment Configuration > Identity Sources > Add New.

 

For more information, see Add an Identity Source.

 

Supports Deployment on Nutanix Acropolis Hypervisor

RSA Authentication Manager can now be deployed on Nutanix Acropolis Hypervisor (AHV) using Prism Central. For more information about deployment, see the RSA Authentication Manager 8.8 Setup and Configuration Guide.

 

Install Web Tier on a Virtual Machine with UEFI Firmware

RSA Authentication Manager Web Tier can now be installed on a virtual machine with Unified Extensible Firmware Interface (UEFI) firmware. Deploying a Web Tier on UEFI-enabled devices ensures better security, faster performance, and easier manageability while aligning with modern IT and compliance standards. For enterprises looking to enhance their web infrastructure with secure and efficient technology, this new capability offers flexibility and choice.

 

Use Company-Specific URLs

RSA Authentication Manager now automatically replaces non-company-specific URLs with company-specific URLs during the 8.8 upgrade. The system blocks access through non-company-specific URLs or URLs without a company subdomain, which may result in a loss of functionality.

To ensure uninterrupted access, administrators must verify that all connectivity is routed through the appropriate company-specific URLs and update configurations as needed. For more information, see Company-Specific Administrative URLs Update Instructions.

 

Configure TLS v1.3 for Secure Communications

RSA Authentication Manager (AM) now supports Transport Layer Security (TLS) protocol 1.3 for faster and more secure communications between AM components and external systems. While AM continues to support TLS 1.2, TLS 1.3 is configured as the default protocol version starting with the AM 8.8 release.

 

AM 8.8 strengthens TLS security by disabling certain legacy TLS 1.2 cipher suites by default. Cipher suites that do not provide Perfect Forward Secrecy (PFS) are no longer enabled. As a result, older or deprecated authentication agents and integrated systems that rely on these cipher suites may fail to connect after upgrading. 

 

Administrators should validate TLS compatibility for all agents and integrated systems before upgrading. For more information, see Customizing TLS Protocol Version.
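A pre-upgrade inventory check along these lines, as an added example that is not RSA tooling: it flags clients whose offered cipher suites include neither a TLS 1.3 suite nor a forward-secret TLS 1.2 suite. The inventory format, client names and function names are assumptions, and suites are expected as IANA names (the form Java-based components log).

```shell
#!/bin/sh
# Added example (not RSA tooling). Inventory format and names are assumptions.

# Constructed inventory: "<client name> <comma-separated IANA suite names>".
INVENTORY='legacy-java-agent TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
web-agent TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256
mfa-agent TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
static-ecdh-agent TLS_ECDH_RSA_WITH_AES_128_CBC_SHA'

# Classify one suite by its key-exchange token: tls13 | pfs | legacy | unknown.
# In TLS 1.2 only ephemeral (EC)DHE key exchange gives forward secrecy.
# "legacy" covers the rest (static RSA/DH/ECDH, PSK-only, anonymous).
# TLS 1.3 suite names carry no "_WITH_" and always use ephemeral key exchange.
suite_class() {
    case "$1" in
        TLS_ECDHE_*_WITH_*|TLS_DHE_*_WITH_*) echo pfs ;;
        TLS_*_WITH_*)                        echo legacy ;;
        TLS_AES_*|TLS_CHACHA20_*)            echo tls13 ;;
        *)                                   echo unknown ;;
    esac
}

# Verdict for one client: "ok" if any offered suite is tls13 or pfs,
# otherwise "at-risk" (it depends entirely on suites without PFS).
client_verdict() {  # $1 = comma-separated suite list
    old_ifs=$IFS; IFS=,
    verdict=at-risk
    for s in $1; do
        case "$(suite_class "$s")" in tls13|pfs) verdict=ok ;; esac
    done
    IFS=$old_ifs
    echo "$verdict"
}

# Read inventory lines on stdin and print the names of at-risk clients.
at_risk_clients() {
    while read -r name suites; do
        [ -n "$name" ] || continue
        [ "$(client_verdict "$suites")" = ok ] || echo "$name"
    done
}

# Demo on the constructed inventory above.
printf '%s\n' "$INVENTORY" | at_risk_clients
```

A client reported as ok still needs a real handshake test against a non-production 8.8 instance, because this page does not list the exact suites AM 8.8 enables.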

 

Secure Email Communication with TLS Encryption

RSA Authentication Manager now natively supports TLS for SMTP, helping meet regulatory, security, and compliance requirements. Many cloud email providers, including Google Workspace and Microsoft 365, require TLS for SMTP client submissions.

 

Previously, clients had to implement a workaround using an additional transfer server, which introduced delivery limitations such as spam filtering issues and relay restrictions. With this new extended feature, secure email delivery to the email (SMTP) server is now seamless, eliminating the need for unreliable workarounds while improving performance and reliability.

 

You can configure the SMTP(s) mail service by navigating to Security Console, Setup > System Settings > E-Mail (SMTP).

 

For more information, see Configure the SMTP(s) Mail Service.

 

Support Multiple MFA REST API Keys

RSA Authentication Manager now supports the use of multiple MFA REST API keys for secure communication between the Authentication Manager and Agents. Administrators can enable this feature to manage authentication sessions more flexibly, strengthen the overall security posture, and ensure reliable authentication processes, especially in environments with high security demands or multiple agents.

 

To configure multiple MFA REST API keys, go to Access > Authentication Agents > Agent Credentials > Add New in the Security Console.

 

For more information, see Agent Credentials.

 

SLES Operating System Upgrade

RSA Authentication Manager OS is upgraded to SUSE Linux Enterprise Server (SLES) 15 SP4. For information on the SUSE product support lifecycle, refer to the SUSE documentation.

 

Deprecated and Removed Features

RSA Administrative SDK: WebLogic Bindings

Note: Deprecation means that the features are currently supported but may be removed in an upcoming release.

Starting with AM 8.8, the RSA Administrative SDK integration that uses WebLogic-based bindings is deprecated. This change affects the following command targets:

  • CommandTargetBasicAuth
  • CacheableCommandTargetBasicAuth
  • CommandTargetSSLClientAuth
  • CacheableCommandTargetSSLClientAuth

In AM 8.8, the affected command targets will continue to function using WebLogic as the underlying binding mechanism. In a future release, they will transition to a default supported binding with minimal customer impact.

 

While no immediate changes are required, customers are encouraged to prepare for the adoption of updated RSA Administrative SDK artifacts when they become available.

 

Removed CLU option for minimum TLS version

Starting with AM 8.8, both TLSv1.2 and TLSv1.3 are supported by default. As a result, the previously supported CLU option enable_min_protocol_tlsv1_2 is no longer required and has been removed from the product.

The following CLU command is no longer supported:

  • ./rsautil store -a enable_min_protocol_tlsv1_2 true restart

AM 8.8 also provides an option to disable TLSv1.3 when needed. For more information, see Customizing TLS Protocol Version.

 

Deprecated Authentication Agents and APIs

Starting with AM 8.8, the following components are deprecated and may be removed in a future release:

  • RSA Authentication Agent 7.4.x for Microsoft Windows
  • RSA Authentication Agent 8.0.x for Web for IIS
  • Custom agents built using RSA Authentication Agent API 8.x for Java and C

Deprecated components do not support TLS 1.3 and may not be compatible with the default TLS configuration and enhanced security settings introduced in AM 8.8. Administrators should validate connectivity for these deprecated agents (using the latest available agent versions) before upgrading AM in a production environment.

 

Additional Information

Upgrading RSA Authentication Manager

You can apply the Authentication Manager 8.8 upgrade only to a supported hardware appliance or virtual appliance that has Authentication Manager 8.7 SP2 software installed. To upgrade any versions prior to 8.7 SP2, you must first upgrade the earlier versions to 8.7 SP2 and then to 8.8. Follow the standard steps to apply an Authentication Manager update from your web browser, a Windows shared folder, an NFS share, or a DVD or CD.

Note: The hardware image of 8.8 and hardware appliance with pre-installed 8.8 image are scheduled to be released later.

The following hardware appliance models are supported for Authentication Manager 8.8.

 

| Appliance Model | Hardware |
|---|---|
| RSA SecurID Appliance 230 | Dell PowerEdge R240 |
| RSA SecurID Appliance 350 | Dell PowerEdge R640 with H740 RAID controller |
| RSA SecurID Appliance 350 | Dell PowerEdge R640 with H750 RAID controller |
| RSA SecurID A330 Appliance | Dell PowerEdge R250 |
| RSA SecurID A450 Appliance | Dell PowerEdge R660xs |
| RSA SecurID A430 Appliance | Dell PowerEdge R260 |

 

Each virtual appliance must have at least 9.5 GB of free disk space if you are upgrading through your web browser. You must have a minimum of 6 GB of free disk space if you are upgrading from a Windows shared folder, an NFS share, or a DVD or CD.

 

| Update Source | Minimum Required Disk Space |
|---|---|
| Web browser | 9.5 GB |
| Windows shared folder | 6 GB |
| NFS share | 6 GB |
| DVD or CD | 6 GB |

 

AM 8.8 contains the new features and enhancements from version 8.7 SP2 Patches 1, 2, 3, 4, and 5. For more information, see RSA Authentication Manager 8.7 SP2 Patch 1 Readme, Patch 2 ReadMe, Patch 3 ReadMe, Patch 4 ReadMe, and Patch 5 ReadMe. The fixes and enhancements from 8.7 SP2 Patch 6 onwards will be included in future 8.8 patches if they remain applicable beyond AM 8.8.

For detailed upgrade instructions, see the RSA Authentication Manager 8.8 Setup and Configuration Guide.

 

MFA API Credential Pre-Check Fails if Credentials Are Null

The RSA Authentication Manager 8.8 upgrade includes a mandatory pre-check to validate MFA API credentials. If this validation fails, the upgrade is blocked. This does not indicate an upgrade failure, but rather that a required pre-check was unsuccessful.

The validation fails if the access old ID and access old key values are set to null.

Sample output showing invalid (null) values:

rsaadmin@am8.8:~> /opt/rsa/am/utils/rsautil manage-rest-access-credential -a list -u <admin> -p <password>
access ID: ggjo7h717yquk5m5fgnk10xf7s7ki8b6947ph6f9a8pab7s38wyx57u9820s47q0
access Key: 6u6izx437d19p8w4ot6901jn15eyq3x6f8l6o3fi77157k4u77oxv0jdwoje62ox
access old ID: null
access old Key: null
access retain days[default is 60]: 60
Successfully listed the RSA SecurID REST Access credential.

To resolve this issue, contact RSA Technical Support to regenerate or update the MFA API credentials before retrying the upgrade.

 

Warning: Before upgrading to RSA Authentication Manager 8.8, verify that the access old ID and access old key are valid and within the 60-day retention period. The upgrade process uses both the current and old credentials for migration. If the old credentials are null, the upgrade is blocked.

After upgrading to version 8.8, both the current and old credentials remain valid indefinitely. The 60-day retention period no longer applies. For more information, see RSA Knowledge Base article RSA Authentication Manager fails to upgrade to version 8.8 with ERROR: auth_manager.rest_service.old_access_key_is_not_found.
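The null-credential condition can be checked ahead of the upgrade window by parsing the listing shown above. The following is an added example, not RSA tooling and not the upgrade's own pre-check; the function names are assumptions and the credential values in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added example (not RSA tooling). Parses text in the format printed by
# "rsautil manage-rest-access-credential -a list" as shown on this page.

# Constructed samples; credential values are placeholders, not real keys.
SAMPLE_NULL='access ID: EXAMPLE-CURRENT-ID
access Key: EXAMPLE-CURRENT-KEY
access old ID: null
access old Key: null
access retain days[default is 60]: 60
Successfully listed the RSA SecurID REST Access credential.'

SAMPLE_OK='access ID: EXAMPLE-CURRENT-ID
access Key: EXAMPLE-CURRENT-KEY
access old ID: EXAMPLE-OLD-ID
access old Key: EXAMPLE-OLD-KEY
access retain days[default is 60]: 60
Successfully listed the RSA SecurID REST Access credential.'

# Print the value of one labelled field; exit status 1 if the label is absent.
cred_field() {  # $1 = listing text, $2 = exact field label
    printf '%s\n' "$1" | awk -v label="$2" '
        BEGIN { FS = ": *" }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim padding and CR
        $1 == label { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Return 0 when both old credentials are present, 1 when either is null or
# missing, which is the condition this page says blocks the 8.8 upgrade.
precheck_old_credentials() {  # $1 = listing text
    status=0
    for label in "access old ID" "access old Key"; do
        value=$(cred_field "$1" "$label") || value=""
        case "$value" in
            ""|null) echo "BLOCKER: $label is ${value:-missing}" >&2
                     status=1 ;;
            *)       echo "ok: $label is set" >&2 ;;
        esac
    done
    return "$status"
}

# Demo on the constructed samples.
precheck_old_credentials "$SAMPLE_OK"   && echo "pre-check condition met"
precheck_old_credentials "$SAMPLE_NULL" || echo "upgrade would be blocked"
```

On an appliance, capture the real listing into a variable and pass it to precheck_old_credentials. The listing carries no dates, so the 60-day retention condition in the warning above has to be confirmed separately.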

 

Authentication Manager Kit for Air-Gapped Environment

If your deployment environment is air-gapped and disconnected from Cloud environments, you can download the Authentication Manager 8.8 (rsa-am-c2s-8.8.0.0.0.zip) kit from https://my.rsa.com. This image has special deployment requirements and is not commonly used. If you are unsure whether this is the right kit for your deployment, please contact Technical Support.

For procedures on how to create an air-gapped Authentication Manager Amazon Machine Image (AMI), see the RSA Authentication Manager Amazon Machine Image (AMI) Creation guide.

 

Technology Stack

Authentication Manager 8.8 leverages the following technologies:

  • SUSE Linux Enterprise Server 15 SP4
  • Oracle WebLogic Server 14.1.1, January 2025 CPU
  • Java 1.8.0.441 and 11.0.26
  • PostgreSQL 14.15
  • Dell BSAFE Crypto-J 6.3

RSA Agent Support

The latest RSA MFA agent software packages are available on the RSA Documentation & Downloads page.

Please note that while RSA Authentication agents using UDP may continue to function with AM 8.8, they are no longer supported. For details on the migration path, refer to the Product Version Life Cycle page.

RSA MFA agent software may be embedded in various third-party products such as remote access servers, firewalls, and web servers. To explore supported partner products, visit the RSA Ready Partner website.

 

Fixed Issues

Patch 1, June 2025

The following table lists the issues fixed in Patch 1 (June 2025).

 

| Tracking ID | Resolution |
|---|---|
| AM-58738 | Updated Oracle Weblogic and Java components to fix various defects reported in the Oracle April 2025 CPU. |
| AM-58739 | Added SUSE updates. |
| AM-58484 | Fixed an issue where AM does not send the full logs to syslog server including the full Agent name. |
| AM-58361 | Implemented fix on AM side to enable WPI and offline days data to be configured independently. |
| AM-58506 | Updated the SSHD config to use new algorithms. |
| AM-58873 | Implemented a fix for a potential security vulnerability related to Apache Tomcat. |
| AM-58882 | Fixed an issue causing an error message to appear when searching for users in the Security Console dashboard. |
| AM-58928 | Fixed the "invalid group type" error when opening the Authentication Settings/User Group Membership of a user in the Security Console. |
| AM-59089 | Added extra validation to prevent a possible security vulnerability through HQL injections. |
| AM-59091 | Fixed the issue of Java insufficient permissions. |
| AM-59234 | Fixed an issue where Radius authentication did not failover to AM in High-Availability mode during a cloud outage. |
| AM-59360 | Fixed an issue where High-Availability is delayed for MFA Agents, causing an error. |
| AM-59408 | Fixed an issue where High-Availability is delayed for Radius clients, causing an error. |
| AM-59538 | Fixed an error causing Azure upgrade to fail due to insufficient SWAP space. |
| AM-59539 | Removed frame-ancestors from the <meta> element. |
| AM-59090, AM-59513 | Some third-party updates. |

 

Known Issues

See RSA Authentication Manager 8.8 Known Issues.

 

Upcoming End of Primary Support Details

The following table provides the upcoming End of Primary Support (EOPS) details:

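| Product | Version | EOPS Date | Extended Support Level 1 / Level 2 |
|---|---|---|---|
| RSA Authentication Manager | 8.7 SP2 | Jan 2027 | Jan 2028 / Jan 2029 |
| RSA Authentication Manager | 8.7 SP1 | Jun 2026 | Jun 2027 / Jun 2028 |
| RSA Authentication Manager | 8.7 | May 2025 | May 2026 / May 2027 |
| RSA Authentication Manager | 8.6 | Aug 2024 | Aug 2025 / Aug 2026 |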

 

 

 

©1994-2025 RSA Security LLC or its affiliates. All Rights Reserved. RSA, and other trademarks are trademarks of RSA Security LLC or its affiliates ("RSA"). Other trademarks are trademarks of their respective owners.
Intellectual Property Notice
This software contains the intellectual property of RSA or is licensed to RSA from third parties. Use of this software and the intellectual property contained therein is expressly limited to the terms and conditions of the License Agreement under which it is provided by or on behalf of RSA.
Open Source License
This product may be distributed with open source code, licensed to you in accordance with the applicable open source license. If you would like a copy of any such source code, RSA or its affiliates will provide a digital copy of the source code that is required to be made available in accordance with the applicable open source license. Please direct requests in writing to RSA Security LLC, Attn: IP Legal Department - Copyrights, Burlington, MA 01803, and/or send email to RSA Legal, ip@rsa.com.
System Data Collection and Usage Policy
In certain circumstances, RSA collects data from customer installations of RSA products for purposes including but not limited to accurate billing of product usage and to maintain and improve RSA products. For details see "RSA’s right to collect System Data" in Product Usage Rights: https://www.rsa.com/content/dam/en/terms/units-of-measure.pdf