000029877 - How to install patches on an RSA Authentication Manager 8.1 via web browser

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jun 19, 2020
Version 31Show Document
  • View in full screen mode

Article Content

Article Number000029877
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1, 8.1 SP1, 8.2, 8.2 SP1, 8.3

IssueThis article provides the step-by-step process to install a patch in Authentication Manager 8.1 via a web browser. For this article, we will be installing the Authentication Manager 8.1 SP1 Service Pack on a server running Authentication Manager 8.1 patch 5. Once the patch is installed, the system configuration will show that it is running Authentication Manager 8.1 SP1. 

New Content!  
For a follow along video of the patch process, please watch the companion video.


Prerequisites (the 'Before Installing This Patch' section in the Readme file or Release Notes)

  • If the authentication server is currently running Authentication Manager 8.0, either with a base installation without additional patches or Authentication Manager 8.0 with patches, you will need to install the Authentication Manager 8.1 upgrade patch prior to installing Authentication Manager 8.1 SP1 and any subsequent patches. 
  • If the authentication server is currently running Authentication Manager 8.1, either with a base installation or Authentication Manager 8.1 with patches prior to SP1, install the Authentication Manager 8.1 SP1 upgrade patch prior to installing the latest patch for 8.1 SP1.
  • If the authentication server is currently running Authentication Manager 8.1 SP1 or Authentication Manager 8.1 SP1 with subsequent patches, you can install the latest Authentication Manager 8.1 SP1 patch directly.  The latest patch will always be a cumulative unless specified so there is no need to install previous monthly patches.
  • Always patch the primary server first before applying the patch to the replica instances.  Failure to do so can corrupt the replication process requiring that all replicas be rebuilt and reattached to the primary.
  • Do not install the patch on multiple servers at the same time.
  • Minimum free disk space required: 4 GB.
  • Ensure that port 8443/TCP is open for HTTPS traffic.
  • Access to port 8443 TCP is required for real-time status messages when applying Authentication Manager service packs and patches.  During a product update, the appliance opens this port in its internal firewall. The appliance closes this port when the update is complete.  If an external firewall blocks this port, the browser displays an inaccessible or blank web page, but the update can successfully complete.

It is recommended to take a backup of the database prior to installing any patches.  This can be done from the Operations Console (Maintenance > Backup and Restore > Backup Now).

Next, download the Authentication Manager 8.1 SP1 upgrade patch from RSA Link,  If you have trouble logging in, contact RSA Customer Support for assistance.  Once the patch is downloaded, follow the steps below:

  1. Log in to the primary's Operations Console.  

Operations Console login


  1. Click on Maintenance > Update & Rollback. Under Version, the patch level of the server is displayed.

 Current Installed Version

  1. Click on Configure Update Source. Select Use your web browser to upload an update and click Save. Optionally, you can choose NFS, Windows Share or CD/DVD as an update source, but this article will only cover using a web browser as the update source. Note that if you have a slow network connection to the Authentication Manager server, the other update sources may be better options.

Configure Update

  1. Click Upload & Apply Update. A window will pop up. Click on Choose File in next window.

Upload and Apply Update

  1. Browse to the patch file .iso downloaded earlier. If you downloaded a .zip file, unzip the file and upload the .iso file.

Browse to iso

  1. Click Upload.

Upload and Apply Update

  1. When prompted, enter the server's operating system password and click Apply.

Apply Update

  1. Once you click the Apply button, the system will prepare for patch installation. You should see the following progress window:

Preparing to Apply Update

  1. After the system completes above tasks, it will start to apply the updates. This can take up to 20 minutes. Once the patch is installed, you will be presented with following screen. The system might reboot depending on the patch. Wait for the system to come back up. 


If a patch fails after 45 minutes or an hour, you have probably run into a network timeout problem, where your workstation and Authentication Manager server are on distant networks over slower WAN links.   The quickest workaround is to open a second browser tab to the same Operations Console when you prepare to start your patch, and periodically do something there, such as check network settings.  Be sure to open the second Operations Console instance before you start the patch update.  This keeps both Operations Console sessions alive.

  1. The system will not redirect to the Operations Console login page automatically. Wait five to ten minutes and try to access the Operations Console. Once you have the Operations Console access, you can verify the patch update by selecting Maintenance > Update & Rollback.

Post Upgrade

  1. The system is now at Authentication Manager 8.1 SP1. For any replica servers in the deployment, follow the same procedure to update those instances. Do not install patches on multiple Authentication Manager servers at the same time.  RSA releases patches for Authentication Manager on a monthly cadence.  Follow the RSA SecurID Access Advisory page to receive notifications when services packs and patches are released.
  2. Optional task:  If you have a Web Tier or Web Tiers, then you will also need to uninstall the Web Tier, generate a new Web Tier package(s) and reinstall the latest version for your Web Tier(s).  Wait until both the primary and all  replica(s) are all patched up before updating the Web Tiers to save unnecessary work.  The latest Web Tier install is for Authentication Manager 8.2 SP1 patch 4, so install that then update the status of Web Tier to patch 7 or patch 8 through the Operations Console.

  • Patches and service packs roll up, so you only need apply the latest patch, or in this case the next service pack.
  • After the upgrade from Authentication Manager 8.1 to Authentication Manager 8.1 SP1, you should plan your next upgrade to the latest Authentication Manager version. 
  • As of early 2018, the latest version of Authentication Manager is Authentication Manager 8.3.  You would follow the steps below, as the outline for patching from Authentication Manager 8.1 SP1 to  Authentication Manager 8.3:

  1. Apply Authentication Manager 8.2 to the primary. 
  2. Apply Authentication Manager 8.2 to replica(s).  
  3.  Apply Authentication Manager 8.2 Service Pack 1 to the Authentication Manager 8.2 primary.
  4. Apply Authentication Manager 8.2 Service Pack 1 to the Authentication Manager 8.2 P3 replica(s).
  5. Apply Authentication Manager 8.2 SP1 patch 6 to the primary.
  6. Apply Authentication Manager 8.2 SP1 patch 6 to replica(s).
  7. Apply Authentication Manager 8.3 to the primary.
  8. Apply Authentication Manager 8.3 to the replica(s).
  9. Uninstall any Web Tiers, generate a new Web Tier package and install with Web Tier for last patch which would be Authentication Manager 8.3 in this example.