A deployment of Authentication Manager that began life at 8.4 or earlier and has been upgraded over time to 8.6 then to 8.7 with or without service packs and patches has a lot of extraneous files and data data cruft that can affect system performance. This article provides steps to create a new 8.7 replica, promote it to primary then add new 8.7 replica servers and remove the old ones. In addition this article will cover h0ow to handle web tiers, CT-KIP URLs an REST agent URLs.

Steps to take

1. Download the appropriate .ova file(s) from my.rsa.com and Authentication Manager Setup and Configuration Guides for Authentication Manager. You must install every version and service pack (but not patches). See this article for a quick overview of upgrading Authentication Manager and a deeper step-by-step walk through in the .pdf attached to the article on the RSA Authentication Manager Upgrade Process. 
2. Confirm that replication is healthy.
3. Stand up new virtual server, either with the current FQDN and IP of old primary or create new FQDN and IP address.
4. Generate a new replica package from the current primary.
5. Run Authentication Manager Quick Setup to create a new replica.
6. Attach the new replica server to the current primary.
7. Promote the new replica to primary.
8. Update your web tier, CT-KIP strings, and servers for your REST agents.
9. Remove the old primary server. See notes below about reusing the server's name and IP address before deleting this server.
10. Check replication health again. Follow the steps to manually resynchronize the servers if you see an internal replication failure.
11. Repeat steps 2 through 10 until all old servers are replaced.

Download installation software

1. Go to https://my.rsa.com.
2. Enter your user ID and password. Note: To download the files, you must log in to myRSA as the user whose name is on the purchase order. If you log in as another user, you cannot see the files.
3. Next to the myRSA logo, there is a search bar/dropdown menu that has company information, including address and site ID. Select the correct account.
4. Click on hyperlink under the RSA SecurID Suite icon.
5. Click on the hyperlink for the RSA SID Access Virtual Appliance.
6. From the Select Version dropdown, select the correct software version.
7. A list of available files appears. Select the correct file(s). For example, for Authentication Manager 8.7 SP1, download the rsa-am-vmware-virtual-appliance-8.7.1.0.0.ova for VMware or rsa-am-hyper-v-virtual-appliance-8.7.1.0.0.zip for Hyper-V. If you need the AWS SecurID AMI files, please create a case with Support and the files will be made available to you.
8. Check the box in front of the End User License Agreement. 
9. Click Download on the bottom-right corner of the page.
10. Download the file and extract the contents.

Confirm replication is healthy

1. From the Home tab on the Operations Console, click Replication Status Report.

Stand up new virtual server

1. Review steps in the RSA Authentication Manager Setup and Configuration Guide for the your version for information on standing up a new replica server. If you are currently at Authentication Manager 8.7 for example, review the RSA Authentication Manager 8.7 Setup and Configuration Guide.
2. Follow the steps in the RSA Authentication Manager 8.7 Setup and Configuration Guide to deploy a new replica. This includes:

• Generating and downloading a replica package.
• Configuring the appliance with Quick Setup.
• Attaching the replica instance to the primary.
• Confirming replication is working. It is expected that there may be issues with replication as you attach new servers or upgrade software. If that is the case, please contact Technical Support for assistance.

To use the FQDN and IP address of the current primary on the new primary

Reusing the old primary's FQDN and IP address means than you do not need to update CT-KIP configuration or REST agent URLs.

1. Promote the new replica to be the primary server.
2. From the primary's Operations Console, navigate to Deployment Configuration > Web Tier Deployments > Manage Existing.
3. Reselect the preferred RBA instance to be itself. Click Save. You must do this before removing the old primary from the deployment.

To use a different FQDN and IP address for the new primary

1. Promote an existing replica to be the temporary primary server.
2. From the primary's Operations Console, navigate to Deployment Configuration > Web Tier Deployments > Manage Existing.
3. Update the preferred RBA instance. You must do this before removing the old primary from the deployment.
4. From the Security Console, navigate to Settings > System Settings.
   • Update settings for E-Mail (SMTP),
   • Click Tokens to update token provisioning information.
   • Click RSA SecurID Authentication API and click Apply Settings.
5. Follow the steps in the online help available in the Security and Operations Console on tasks to complete after changing the name and/or IP address of the primary server.

Remove the former primary

1. From the primary's Operations Console, navigate to Deployment Configuration > Instances > Status Report.
2. Click on the drop down next to the old replica and choose Delete.
3. Go back to the Status report and confirm that replication is healthy amongst all servers in the deployment.
4. Delete the virtual machine, if needed.