How (and why) do I enable Authentication Manager Prime multi-tenant mode?
RSA Product Set: RSA SecurID RSA Product/Service Type: Authentication Manager SDK RSA Version/Condition: AM 8.4, 8.5, AMIS 1.3 Platform: Linux (Windows option with Prime) Platform (Other): AM 8.x AMIS, O/S Version: SUSE Linux 12 Product Name: Authentication Manager, AM Prime Product Description: Authentication Manager, AM Integration Services, AMIS
The standard, default AMIS configuration "flattens" Authentication Manager Security Domains, so AMIS sees ALL users and tokens regardless of AM Security Domain/hierarchy.
Some customers will be looking for assistance to configure multi-tenant mode on AMIS/HDAP/AMIS in \RSA\amis\am8-config.xml as a way to utilize AM security Domains in AMIS.
Customers may consider moving to this model as a way to manage users and tokens in diverse, remote business regions. These Customers will be asking for the steps needed to make to switch to multi-tenant mode.
Caution: Support should also provide related information on the implications of switching to multi-tenant mode, as well as suggesting an engagement with Professional Services to plan and implement this switch.
Enable so as to utilize AM Security Domains - <Multi-tenant enabled="true".
‘Root’ Security Domain if you want common Token area shared between all user domains - tokenRootSecurityDomain.
Bind account will need top-level Security Domain view.
Multi-tenant enforces AM security Domains everywhere; AMIS, SSP, and HDAP.
Be careful before enabling Multi-tenant when existing AMIS was flat AM Security Domains, may want to engage Professional Services, PS.
Restart AMIS services.
The standard AMIS configuration "flattens" Authentication Manager Security Domains, so AMIS sees ALL users and tokens regardless of AM Security Domain/hierarchy. Enable multi-tenant by changing false to true in the \RSA\amis\am8-config.xml file,
When multi-tenant is enabled in the AMIS am8-config.xml, <Multi-tenant enabled="true" />, AMIS enforces the Security Domain hierarchy configured in Authentication Manager. There is even special multi-tenant mode which utilizes AM Security Domains to logically separate users but allows for a shared token "pool", <Multi-tenant enabled="true" tokenRootSecurityDomain="TokenPool"/>, where communal tokens reside in the Security Domain defined by "tokenRootSecurityDomain", e.g. Security Domain TokenPool is where all users tokens are kept.
Multi-tenant does have unique requirements for the "amisbind" and "sspbind" account Security Domains. For example, "amisbind" and "sspbind" likely will need to reside at the highest level, SystemDomain, to ensure appropriate access.
When multi-tenant is enabled, AMIS enforces AM Security Domain hierarchy everywhere, including HDAP, SSP, and AMIS service accounts. For example: If an HDAP administrator resides in the "ACME" Security Domain, they will only be able to see and manage users and tokens in the ACME Security Domain or a child thereof. Customers who have been running in the default or "flat" mode should NOT enable multi-tenant blindly.
Bind accounts, service accounts, and users may have to be restructured prior to enabling to ensure proper behavior. In this case, we would recommend consulting with Professional Services, PS to ensure proper research is done and required changes implemented in the customer's environment prior to turning on multi-tenant.
Restart AMIS services - refer to internal KB 31316 restart AMIS services Authentication Manager Prime has three components that each run its own Apache Tomcat instance. These are: Authentication Manager Integration Service (AMIS); Authentication Manager Help Desk Admin Portal (HDAP); and Authentication Manager Self-Service Portal (SSP).
For AM Prime on Windows there will be three TomCat service stop/start icons, right-click on them to stop or start or restart. Alternately look in Windows Services for these TomCat services.
For AM Prime on Linux, SSH or access Linux console and run from the command line, any directory. service tomcat-amis stop | start | reset service tomcat-ssp stop | start | reset service tomcat-hdap stop | start | reset