
Release Notes

RSA Adaptive Authentication (On-Premise)


7.1 SP0 P2
March 2014

Introduction
This document describes what's new and changed in RSA Adaptive Authentication (On-Premise) 7.1 P2. It includes
installation information, enhancements to the supported platforms matrix, and fixed issues, as well as workarounds for
known issues. Read this document before installing the software. This document contains the following sections:
What's New in This Release
Supported Platforms
Product Documentation
Patch Installation
Post-Installation Tasks
Java Upgrade
Upgrade to Microsoft SQL Server 2012
Fixed Issues
Fixed Documentation Issues
Known Issues
Support and Service
These Release Notes may be updated. The most current version can be found on RSA SecurCare Online at
https://knowledge.rsasecurity.com.

Note: RSA Adaptive Authentication (On-Premise) 7.1 P2 is cumulative. This patch includes new features and fixes that
were introduced in RSA Adaptive Authentication (On-Premise) 7.1 P1.

What's New in This Release


This section describes the major changes introduced in this patch release. Details are provided in these Release
Notes.
Support for VMware ESXi 5.1 running Red Hat Enterprise Linux. RSA Adaptive Authentication (On-Premise)
7.1 P2 supports VMware ESXi 5.1 running Red Hat Enterprise Linux (RHEL) operating system.
Support for Microsoft SQL Server 2012. RSA Adaptive Authentication (On-Premise) 7.1 P2 supports Microsoft SQL
Server 2012. RSA recommends that you upgrade to SQL Server 2012 before you upgrade to RSA Adaptive
Authentication (On-Premise) 7.1 P2. For upgrade information, see Upgrade to Microsoft SQL Server 2012 on page 9.
New authentication method configuration parameter. The OOB Challenge Live Time parameter is added to the
authentication method parameters that you can configure in the Administration Console. For information, see the
chapter Administration Console in the RSA Adaptive Authentication (On-Premise) 7.1 Operations Guide.

What's New in the 7.1 P1 Release


This section describes the major changes introduced in the 7.1 P1 patch release. Details are provided in these Release
Notes.
Support for Java 7. RSA Adaptive Authentication (On-Premise) 7.1 P1 supports both Oracle JDK 1.7 and IBM JDK
1.7. For instructions on upgrading to Java 7, see Java Upgrade on page 8.
New rsa.js file. A new rsa.js file is provided with this patch. For more information, see issue JS-46 in Issues Fixed in the
7.1 P1 Release on page 12. For installation information, see Update Development and Maintenance Utilities on page 6.


Supported Platforms
The following sections describe the operating system and work environment requirements to upgrade to RSA Adaptive
Authentication (On-Premise) 7.1 P2:
Operating Systems
Application Servers
Databases
VMware
Supported Browser and Operating System Combinations

Operating Systems
RSA Adaptive Authentication (On-Premise) 7.1 P2 supports the following operating systems:
Microsoft Windows Server 2003 and 2008 R2
IBM AIX 6.1 and 7.1
Solaris/SPARC 10
Red Hat Enterprise Linux (RHEL) AS/ES 5.0 and AS/ES 6.0

Application Servers
RSA Adaptive Authentication (On-Premise) 7.1 P2 supports the following application servers:
Apache Tomcat 6.0 and 7.0
Because the build of Tomcat 6.0.32 has performance issues, RSA recommends that you do not install Adaptive
Authentication (On-Premise) on Tomcat 6.0.32.
IBM WebSphere 7.0, 8.0, and 8.5
In the case of WebSphere 7.0, you must apply Fix Pack version 13 or later.
Oracle WebLogic 10.3.0-10.3.6
JBoss Enterprise Application Platform 5.1.0 GA

Databases
RSA Adaptive Authentication (On-Premise) 7.1 P2 supports the following databases:
Oracle 10g and 11g R2
Microsoft SQL Server 2005, 2008 R2, and 2012

VMware
RSA Adaptive Authentication (On-Premise) 7.1 P2 supports:
VMware ESXi 4.1, 5.0, and 5.1
VMware is only supported for the application server, when running the Windows Server 2008 Enterprise x64
Edition or Red Hat Enterprise Linux operating system on a supported Tomcat application server.


Supported Browser and Operating System Combinations


The following browser and operating system combinations are tested to ensure that RSA Adaptive Authentication
(On-Premise) retrieves a distinctive device fingerprint for each combination.

RSA Adaptive Authentication (On-Premise) with JavaScript Collection Support

Browser   Windows 7   Windows Vista   Windows XP   Windows 2000   Windows Server 2008   Linux   Mac9   MacX

IE 10 X

IE 9.0 X

IE 8.0 X X X

IE 7.0 X X

Opera 15 X

Firefox 27 X X X X X X X X

Firefox 26 X X X X X X X X

Firefox 3.6 X X X X X X X X

Safari 6 X X

Safari 5 X X

Chrome 32 X X X X X

Chrome 31 X X X X X

Mobile browsers with JavaScript Collection Support

Browser   iOS   Android   BlackBerry   Symbian   Windows Mobile

Chrome X X

Firefox Mobile X

Safari 5 X

Opera X X X

Opera Mini X X X X

Skyfire 4.0 X X X

WebKit Browser X

RIM BlackBerry X


Back Office Applications

Browser Windows 7 Windows XP

IE 8.0 X X

Firefox 27 X X

Firefox 26 X X

Firefox 3.6 X X

Supported Browser and Flash Component Combinations


The following browser and Flash component combinations are tested to ensure successful operation with Flash shared
objects.

Browser Flash 7 Flash 8 Flash 9 Flash 10 Flash 11

IE 10 X

IE 9.0 X

IE 8.0 X X

IE 7.0 X X X

Opera 15 X X X

Firefox 27 X

Firefox 26 X

Firefox 3.6 X

Safari 6 X X

Safari 5 X X

Chrome 32 X

Chrome 31 X

Product Documentation
The Release Notes are provided with this patch. The following table lists the RSA Adaptive Authentication
(On-Premise) 7.1 guides that are revised to address documentation issues as described in the Fixed Documentation
Issues on page 14.

Document Filename

Back Office User's Guide BackOffice_UserGuide.pdf

Installation and Upgrade Guide Installation_UpgradeGuide.pdf

Operations Guide OperationsGuide.pdf

The RSA Adaptive Authentication (On-Premise) 7.1 documentation set is available at RSA SecurCare Online on the
RSA Adaptive Authentication (On-Premise) 7.1 Product Documentation page. Go to
https://knowledge.rsasecurity.com, and see Product Documentation for RSA Adaptive Authentication
(On-Premise) 7.1.


Patch Installation
Before You Begin
Perform the following tasks before installing the patch:
Verify that you have a working version of RSA Adaptive Authentication (On-Premise) 7.1 or 7.1 P1.
Back up your databases and configuration files.
If you are running the patch installation module in GUI or console mode and want to populate the fields in the
wizard with the values from the varfile from the previous installation, copy the varfile to the folder where the
patch installation module is located. Rename the varfile to be the same as the patch installation module.
To run in unattended mode, you must supply a varfile that was generated by another 7.1 P2 installation. For
unattended mode, the varfile generated by the previous installation is not compatible with the 7.1 P2 installer.

To install RSA Adaptive Authentication (On-Premise) 7.1 P2:


1. Extract the zipped file appropriate to your operating system.
2. Navigate to the directory to which you extracted the installation module, and begin the installation:
   If you are running the installation from Windows, double-click the
   AA-OnPrem.7.1.0.2.0.64_bit.Installer.exe file.
   If you are running the installation using the Windows Command Prompt, at the command prompt, enter the
   following command:
       start AA-OnPrem.7.1.0.2.0.64_bit.Installer.exe arguments
   If you are running the installation from UNIX or AIX, follow these steps:
   a. Ensure that the patch installation script has execute permission. To set the permission, enter:
       chmod u+x AA-OnPrem.7.1.0.2.0.Unix.Installer.sh
   b. Run the command:
       ./AA-OnPrem.7.1.0.2.0.Unix.Installer.sh arguments
If you are using arguments for the installation, enter a value for one or more of the following arguments.

Argument Description

-c Runs the patch installation module in console mode.

-q Runs the patch installation module in unattended mode. The -varfile argument must be
used with the -q argument.

-dir directory Use this argument only if the -q argument is set. This argument sets an installation
directory other than the default installation directory for the unattended installation
mode. The next parameter must be the required installation directory.

-varfile installer-responses-file This variable specifies a property file containing the variables that you want to set. For
example, the varfile for the patch is AA-OnPrem.7.1.0.2.0.64_bit.varfile. The installer
reads the responses from the file.

3. On the Welcome screen, click Next.


4. On the RSA License Agreement screen, click I accept the agreement, and click Next.
5. On the Environment Preparation Reminder screen, read the instructions, perform the actions required, and
click Next.
6. On the Customer Information screen, enter your name in the Customer Name field, and click Next.
7. On the Installation Components screen, select the components that you want to install, and click Next.
You can select only the components affected by this patch.

8. On the Environment screen, follow these steps:


a. Select the database type in your environment.
The JDBC driver for the selected database type appears on the screen in its respective field.
b. Enter or browse to select the JDBC driver file for all databases.
c. Select the application server in your environment.
d. Enter or browse to select the main directory.
e. Click Next.
9. On the Core Applications Database Parameters screen, enter the connection parameters for the Core
Database, and click Next.
10. On the Core Application screen, in the Core Database JNDI Name field, enter the name of the JNDI used by
the Adaptive Authentication application to connect to the Core Database, and click Next.
11. On the Back Office Applications Database Parameters screen, enter the connection parameters for the Back
Office Database, and click Next.
12. On the next screen, enter the connection parameters for the Case Management Database, and click Next.
13. On the next screen, enter the JNDI Resource Names for the Core Database, Back Office Database, and Case
Management Database, and click Next.
14. Review the Upgrade Parameters Summary screen, and do one of the following:
To change any of the parameters, click Back to return to the relevant screen.
If the parameters contained in the summary are correct, click Upgrade.
An Installation Progress screen appears showing the progress of the installation. The final screen includes
information about launching the application and a path to the location of the install.log file that logs the
patch installation process.
15. Click Finish.

Post-Installation Tasks
This section describes the post-installation tasks required to complete the patch installation:
Update Adaptive Authentication Utilities. With each patch installation, new and revised versions of
development and maintenance utilities are released. For more information, see Update Development and
Maintenance Utilities on page 6.
Deploy Web Applications. The patch installation module does not support automatic deployment of web
applications. During the installation process, the patch installation module prepares a .war file for each relevant
application, without deploying the .war file. You must manually deploy all relevant web applications. For
instructions, see Web Applications Deployment on page 7.

Update Development and Maintenance Utilities


This patch installation includes revised versions of the eFraudNetwork Agent and WebResource utilities. The other
utilities included in the patch are not revised. RSA recommends that you use the updated eFraudNetwork Agent and
WebResource utilities.
The eFraudNetwork Agent utility in this patch is tuned for performance. After you install the patch, the eFraudNetwork
Agent utility is available in the main_directory/utils_7.1.0.2.0 directory. For information on configuring the
eFraudNetwork Agent utility, see eFraudNetwork Agent in the chapter Install and Configure Maintenance Utilities in
the RSA Adaptive Authentication (On-Premise) 7.1 Installation and Upgrade Guide.
The WebResource utility contains a new version of the rsa.js file. This updated file fixes issue JS-46, which is
described in Issues Fixed in the 7.1 P1 Release on page 12. After you install the patch, the WebResource utility is
available in the main_directory/dev_utils_7.1.0.2.0 directory. For information on integrating this utility into your
application, see Install Updated Web Resources Files in the chapter Install and Configure Development Utilities in
the RSA Adaptive Authentication (On-Premise) 7.1 Installation and Upgrade Guide.


Note: The revised utilities are deployed side-by-side with the original utilities. This deployment enables you to
implement any customization that you may have made to the original utilities in the revised utilities.

Web Applications Deployment


To deploy the web applications, follow the procedure, as provided in this section, for your specific application server.

IBM WebSphere Application Server

Note: When using the WebSphere Administrative Console, only specific component selection is supported. The
selection of a group of components results in a faulty installation.

To deploy on a WebSphere application server:


1. Before installation, via the WebSphere Administrative Console, manually undeploy the applications installed by
the console.
2. In the installation directory, in the artifacts/webapps directory, locate the configured WAR files.
3. Deploy the web application WAR files in the WebSphere Administrative Console.
4. After you install the web applications on the WebSphere application server, ensure that the class loader order
is set to Classes loaded with application class loader first.

Apache Tomcat Application Server

To deploy on a Tomcat application server:


1. Before installation, delete the application directory and the WAR file of the previously installed application.
2. In the installation directory, in the artifacts/webapps directory, locate the configured WAR files.
3. Deploy the web application WAR files to Tomcat using Tomcat Manager.

JBoss Application Server

To deploy on a JBoss application server:


1. In the upgrade directory, in the artifacts/webapps directory, locate the configured WAR files.
2. Deploy the web application WAR files to the JBoss Administration Console.

Oracle WebLogic Application Server

Note: When using the WebLogic Administrative Console, only specific component selection is supported. The
selection of a group of components results in a faulty installation.

To deploy on a WebLogic application server:


1. Before installation, via the WebLogic Administration Console, undeploy the applications installed by the
console.
2. In the installation directory, in the artifacts/webapps directory, locate the configured WAR files.
3. Deploy the web applications WAR files in the WebLogic Administration Console.
4. After you install the web applications on the WebLogic application server, ensure that the class loader order is
set to Classes loaded with application class loader first.


Java Upgrade
Follow the appropriate procedure for your application server, as provided in this section, to upgrade to JDK 1.7.

Note: JDK 1.7 is not supported on JBoss Enterprise Application Platform.

Before You Begin


Install RSA Adaptive Authentication (On-Premise) 7.1 P2, and perform the post-installation tasks. See Patch
Installation on page 5 and Post-Installation Tasks on page 6.
Verify that the application server on which RSA Adaptive Authentication (On-Premise) 7.1 P2 is running is
qualified to run on Java 7.

IBM WebSphere Application Server


To upgrade to IBM JDK 1.7:
1. Stop the WebSphere application server.
2. Set the JAVA_HOME environment variable to point to the jre7 directory.
3. Apply the Unlimited Strength Jurisdiction Policy Files patch as follows:
a. Go to https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk.
b. Click the link under IBM SDK Policy files.
c. Log in to the Unrestricted JCE policy files site using your IBM credentials.
d. Select Unrestricted JCE Policy files for SDK for all newer versions (Version 1.6).
e. Click Continue, and then click Download now to download the .zip file.
f. Extract the local_policy.jar and US_export_policy.jar files from the .zip file to the
$JAVA_HOME/jre/lib/security directory, overwriting the existing files with the same names in this
directory.
4. Follow the steps in Set Up a Trusted Certificate in the RSA Adaptive Authentication (On-Premise) 7.1
Installation and Upgrade Guide to set up a trusted certificate for the WebSphere application server.
5. Start the WebSphere application server.

Apache Tomcat Application Server


To upgrade to JDK 1.7:
1. Stop the Tomcat application server.
2. Set the JAVA_HOME environment variable to point to the jre7 directory.
3. For UNIX installations, follow these steps:
a. Locate the java.security file in the path_to_JRE/lib/security directory, and open the file for editing.
b. Locate the following line:
securerandom.source=file:/dev/urandom
and change the line, as follows:
securerandom.source=file:/dev/random
c. Locate the section that looks similar to the following:
security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE

security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
d. Move the SunPKCS11 security provider to the end of the list and renumber, as follows:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
4. Apply the Unlimited Strength Jurisdiction Policy Files patch as follows:
a. Go to www.oracle.com/technetwork/java, and download UnlimitedJCEPolicyJDK7.zip.
b. Extract the local_policy.jar and US_export_policy.jar files from the .zip file to the
$JAVA_HOME/jre/lib/security directory, overwriting the existing files with the same names in this
directory.
5. Follow the steps in Set up a Trusted Certificate in the RSA Adaptive Authentication (On-Premise) 7.1
Installation and Upgrade Guide to set up a trusted certificate for the Tomcat application server.
6. Start the Tomcat application server.
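
The java.security edits in steps 3b to 3d of the Tomcat procedure above can be scripted and then audited before the server is restarted. The following Python sketch is an added example, not RSA tooling; the function names apply_steps and audit and the embedded sample file are assumptions made for illustration, and it assumes each provider entry occupies a single line.

```python
import re

PKCS11 = "sun.security.pkcs11.SunPKCS11"
PROVIDER = re.compile(r"^security\.provider\.(\d+)\s*=\s*(.+?)\s*$")
RANDOM = re.compile(r"^securerandom\.source\s*=\s*(.*?)\s*$")

# Constructed sample modeled on the list in step 3c; not a real java.security file.
SAMPLE = "\n".join([
    "# constructed sample",
    "security.provider.1=" + PKCS11 + " ${java.home}/lib/security/sunpkcs11-solaris.cfg",
    "security.provider.2=sun.security.provider.Sun",
    "security.provider.3=sun.security.rsa.SunRsaSign",
    "security.provider.4=com.sun.net.ssl.internal.ssl.Provider",
    "security.provider.5=com.sun.crypto.provider.SunJCE",
    "security.provider.6=sun.security.jgss.SunProvider",
    "security.provider.7=com.sun.security.sasl.Provider",
    "security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI",
    "security.provider.9=sun.security.smartcardio.SunPCSC",
    "#securerandom.source=file:/dev/commented-out-example",
    "securerandom.source=file:/dev/urandom",
    "",
])


def parse(text):
    """Return (lines, [(line_index, number, value)], index of securerandom.source)."""
    lines = text.splitlines()
    slots, random_idx = [], None
    for i, line in enumerate(lines):
        m = PROVIDER.match(line)          # commented-out lines start with '#', so no match
        if m:
            slots.append((i, int(m.group(1)), m.group(2)))
        elif RANDOM.match(line):
            random_idx = i
    return lines, slots, random_idx


def is_pkcs11(value):
    # The provider class is the first token; a config file path may follow it.
    return value.split()[:1] == [PKCS11]


def apply_steps(text):
    """Apply step 3b (securerandom.source) and step 3d (SunPKCS11 moved last)."""
    lines, slots, random_idx = parse(text)
    if random_idx is not None:
        if RANDOM.match(lines[random_idx]).group(1) == "file:/dev/urandom":
            lines[random_idx] = "securerandom.source=file:/dev/random"
    ordered = [value for _, _, value in sorted(slots, key=lambda s: s[1])]
    reordered = ([v for v in ordered if not is_pkcs11(v)]
                 + [v for v in ordered if is_pkcs11(v)])
    # Reuse the existing provider lines in file order and renumber from 1.
    for number, (slot, value) in enumerate(zip(slots, reordered), start=1):
        lines[slot[0]] = "security.provider.%d=%s" % (number, value)
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def audit(text):
    """List deviations from the state the procedure describes; empty means none."""
    lines, slots, random_idx = parse(text)
    findings = []
    numbers = sorted(n for _, n, _ in slots)
    if numbers != list(range(1, len(numbers) + 1)):
        findings.append("provider numbers are not consecutive from 1: %s" % numbers)
    flags = [is_pkcs11(v) for _, _, v in sorted(slots, key=lambda s: s[1])]
    if flags != sorted(flags):            # False sorts first, so PKCS11 must trail
        findings.append("SunPKCS11 is not at the end of the provider list")
    if random_idx is None:
        findings.append("securerandom.source is not set")
    elif RANDOM.match(lines[random_idx]).group(1) != "file:/dev/random":
        findings.append("securerandom.source is not file:/dev/random")
    return findings


if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(apply_steps(SAMPLE)))
```

On hosts with little available entropy, reads from /dev/random can block, so watch application server startup time after making this change.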

Oracle WebLogic Application Server


To upgrade to Oracle JDK 1.7:
1. Stop the WebLogic application server.
2. Set the JAVA_HOME environment variable to point to the jre7 directory.
3. Apply the Unlimited Strength Jurisdiction Policy Files patch as follows:
a. Go to www.oracle.com/technetwork/java, and download UnlimitedJCEPolicyJDK7.zip.
b. Extract the local_policy.jar and US_export_policy.jar files from the .zip file to the
$JAVA_HOME/jre/lib/security directory, overwriting the existing files with the same names in this
directory.
4. Follow the steps in Set up a Trusted Certificate in the RSA Adaptive Authentication (On-Premise) 7.1
Installation and Upgrade Guide to set up a trusted certificate for the WebLogic application server.
5. Start the WebLogic application server.

Upgrade to Microsoft SQL Server 2012


If you are running RSA Adaptive Authentication (On-Premise) on Microsoft SQL Server 2005 or 2008, you can upgrade
to Microsoft SQL Server 2012 when upgrading to RSA Adaptive Authentication (On-Premise) 7.1 P2. If you want to
upgrade to RSA Adaptive Authentication (On-Premise) 7.1 P2 and to upgrade your existing SQL Server database to
2012, RSA recommends that you upgrade to SQL Server 2012 before you upgrade to RSA Adaptive Authentication
(On-Premise) 7.1 P2.

Procedure
1. Stop the application server or servers.
2. Back up all SQL Server database files from the database instance to be upgraded, so that you can restore
them, if required.

3. Install any prerequisites for SQL Server 2012, such as SQL Server patches and OS patches.
At the time of writing of this document, relevant links included:
http://msdn.microsoft.com/en-us/library/ms143506.aspx
http://technet.microsoft.com/en-us/library/ms143393.aspx
4. Upgrade your SQL Server installation to SQL Server 2012. For upgrade instructions, see the SQL Server
documentation.
5. Verify and ensure that the database is up and running.
6. Start the application server or servers.
7. Verify, through sanity tests, that your existing Adaptive Authentication installation is running properly.
8. Upgrade your Adaptive Authentication installation to 7.1 P2.
The driver class name for SQL Server 2012 is com.microsoft.sqlserver.jdbc.SQLServerDriver. The JDBC
driver filename is sqljdbc4.jar.

Fixed Issues
This section lists the issues that are fixed in this release.

Tracking Number Description Resolution

AA-11122
Description: The Case Activities Per Page parameter in the Research Activities section of the Administration Console sets the number of events that are displayed on the User Lookup and Process Queue pages but not the Research Activities page.
Resolution: The Case Activities Per Page parameter also sets the number of events that are displayed on the Research Activities page.

AA-15085
Description: For the Man vs. Machine Detection feature of the Trojan Protection Solution, the validation logic checks that there is input if a submitForm, blur, or focus action occurs.
Resolution: The validation logic checks that a submitForm, blur, or focus action occurs if there is input.

AA-15111
Description: The Adaptive Authentication Administration application has a Health Check Servlet link, which is a broken link.
Resolution: The Health Check Servlet link is removed from the Adaptive Authentication Administration application.

AA-15165
Description: For deleted end users, providing two phone numbers for SMS enrollment causes the enrollment process to crash.
Resolution: This issue is resolved.

AA-15180
Description: In Case Management, on the Process Queue page and the Lookup User page, when users click Update Case, the columns in the Recent Account Activity are not sortable.
Resolution: This issue is resolved.

AA-15196
Description: In Case Management, filtering by Custom User Activity works only if the custom event type is associated with a predefined event type.
Resolution: The prefix CLIENT_DEFINED is added to custom event types.

AA-15214
Description: When updating a case in Case Management, trying to change the page of activities, either by clicking Next or a page number, results in an error.
Resolution: This issue is resolved.

AA-15264
Description: On Tomcat 7.0, the Back Office application suite does not start.
Resolution: The icu4j-2.6.1.jar file is replaced with the icu4j-3.4.4.jar file, and the Back Office application suite starts.

AA-15275
Description: The health check report fails for the offline tasks.
Resolution: Healthcheck configuration files are updated to use the list of current offline tasks.

AA-15281
Description: When the Risk Engine offline task runs, an ORA-00001: unique constraint (PMSECURE.REOT_PART_KEY_DAYS_CALC_PK) violated error occurs.
Resolution: java.sql.timestamp is used, instead of java.sql.date, to get the GMT date and insert the date into the relevant database table.

AA-15297
Description: Upon user logon to Adaptive Authentication (On-Premise) web applications, a password-autocomplete option is prompted.
Resolution: This issue is resolved. An autocomplete=off input tag is added across all Adaptive Authentication (On-Premise) web applications.

AA-15298
Description: A potential cross-frame scripting vulnerability was found in the web application of Adaptive Authentication (On-Premise).
Resolution: This issue is resolved.

AA-15350
Description: SDK Mobile processes invalid string 'null' values as ERRORs.
Resolution: When reading the props properties from validate.*.properties, spaces before or after prop names are removed.

AA-15387
Description: A potential cross-site scripting vulnerability was found in the Case Management application of Adaptive Authentication (On-Premise).
Resolution: This issue is resolved.

AA-15395
Description: Rules that use the IPAnonymizer fact do not work for events other than SESSION_SIGNIN.
Resolution: This issue is resolved.

AA-15403
Description: When users are required to answer more than one challenge question to authenticate, the set of challenge questions is not rotated after a failed attempt, based on the Back Office application Attempts per Question parameter.
Resolution: This issue is resolved.

AA-15413
Description: During the SOAP Analyze request, parsing of DOM elements fails.
Resolution: This issue is resolved.

AA-15434
Description: When a user is editing a rule that contains a list in the expression, the list name is not displayed.
Resolution: This issue is resolved.

AA-15455
Description: Rules that use the IPAnonymizer fact do not work as expected.
Resolution: This issue is resolved.

AA-15463
Description: The Session Reaper is producing null pointer errors.
Resolution: This issue is resolved.

AA-15464
Description: Because of an exception, in one scenario, references to sessions are retained, leading to a memory leak.
Resolution: This issue is resolved.

AA-15469
Description: The fact Device IP is Diff from Previous IP compares only the first segment of the IP addresses.
Resolution: This issue is resolved.

AA-15474
Description: The Policy Report is not generating any statistics.
Resolution: This issue is resolved.

AA-15480
Description: A rule that contains the fact Payee Account Type with the value PERSONAL_ACCOUNT does not trigger.
Resolution: This issue is resolved.

AA-15497
Description: An Authenticate request removes the custom facts inserted by an Analyze request.
Resolution: The database persistence logic is modified so that the Authenticate call does not overwrite the custom facts inserted by the Analyze call.

AA-15580
Description: When using a client-managed authentication method, if a rule with the challenge action is triggered, Adaptive Authentication wants the end user to enroll.
Resolution: This issue is resolved.

AA-15581
Description: Users are unable to configure the notification time-out parameter for the out-of-band (OOB) email authentication method.
Resolution: A new parameter, OOB Challenge Live Time, in the Administration Console is used to set the notification time-out for OOBEMAIL OTP token expiry. For more information about the OOB Challenge Live Time parameter, see What's New in This Release on page 1.

AA-15598
Description: If there are two instances of the application server, device token decryption errors can occur because the instances rotate an expired key in memory without checking the database for a newer key that may have been generated by the other instance.
Resolution: If the local key in the cache expires, Adaptive Authentication checks for a newer, unexpired key in the database and rotates the expired key only if no newer key is found in the database.

AA-15615
Description: When two groups with the same group name exist in two different organizations, createUser, analyze, and challenge calls return an error that the group name does not exist.
Resolution: This issue is resolved.

AA-15669
Description: The display tag uses the previous action when forming the hrefs for pagination and sorting. For example, after a createCase action, it appends action=createCase to the URLs.
Resolution: This issue is resolved.

AA-15722
Description: Passing an invalid transaction ID in challenge calls leads to a memory leak of active sessions.
Resolution: This issue is resolved.

Issues Fixed in the 7.1 P1 Release


This section lists the issues that are fixed in the 7.1 P1 release.

Tracking Number Description Resolution

AA-14159
Description: If a SOAP request includes runRiskType=RISK_ONLY and the action is REVIEW, the EVENT_LOG is not updated and the EVENT_NOTIFICATION table is updated.
Resolution: The EVENT_NOTIFICATION table is not updated.

AA-14642
Description: The CurrentDayOfWeek fact is not set, and rules that use the CurrentDayOfWeek fact are not triggered.
Resolution: This issue is resolved.

AA-14662
Description: When using the CM API and calling the getCases method with caseTimeFilter specified, the API filters the date and time based on the created field in the active_case table rather than the updated field.
Resolution: This issue is resolved.

AA-14673
Description: On the Research Activities page, the Risk Score column is sorted as a string not as an integer.
Resolution: This issue is resolved.

AA-14725
Description: In the log4j.properties file, the lines that you must uncomment to implement logging of SOAP calls are incorrect.
Resolution: The correct lines are contained in the log4j.properties file, and you can uncomment the lines rather than add the lines.

AA-15076
Description: As part of Man vs. Machine Detection feature of the Trojan Protection solution, Adaptive Authentication identifies an input element with no event as a parsing error.
Resolution: This issue is resolved.

AA-15114
Description: If any of the health checks fail, warning messages are logged in the SystemOut.log file.
Resolution: This issue is resolved.

AA-15121
Description: The behavior of ISPGeoNotFoundForUser is incorrect when a new IP is received.
Resolution: This issue is resolved.

AA-15126
Description: After upgrading to RSA Adaptive Authentication (On-Premise) 7.1, some users are not able to log on to Adaptive Authentication.
Resolution: This issue is resolved.

AA-15157
Description: Authentication methods that are implemented with the Multi-Credential Framework plug-in, such as out-of-band SMS authentication and SecurID authentication, cause an exception when a user tries to authenticate using the plug-in after failing one authentication.
Resolution: This issue is resolved.

AA-15159
Description: The default email template is used in challenge calls for out-of-band email even when organization-specific templates are configured.
Resolution: This issue is resolved.

AA-15166
Description: iOS 7 deprecates the WIFI MAC address and sends a default value of 02:00:00:00:00:00.
Resolution: RSA Adaptive Authentication stores the value NULL, rather than the default value, in the database. During device recovery, if Adaptive Authentication finds the default value 02:00:00:00:00:00 in the HWID, PhoneNumber, SIMID, or OtherID field, Adaptive Authentication ignores the value in the first field in which the value is found.

AA-15248
Description: RSA Central report-generation parsing fails because RSA Adaptive Authentication 7.1 is producing log file headers with the version as 7.0.0.0 instead of 7.1.0.0.
Resolution: This issue is resolved.

AA-15251
Description: In the Authentication Plug-In, NotificationTimeout overrides the sessionTimeOut when the sessionTimeOut is set to greater than 10 minutes.
Resolution: NotificationTimeout is configured in the classfree bean configuration of the c-config-ccc.xml file. The default value for NotificationTimeout is 10 minutes. An example of the configuration is:
    <bean class="com.passmarksecurity.config.bean.ClassFreeBean" id="oobSMSConfiguration">
        <property name="parameters">
            <map>
                <entry key="NotificationTimeout">
                    <value>3600</value>
                </entry>
            </map>
        </property>
    </bean>

AA-15258
Description: Loading RSA eFraudNetwork data is slow.
Resolution: This issue is resolved.

AA-15262 When a three-digit country code is passed in No warning message is displayed.


identification data, a warning message is displayed
in the message response.

AA-15271
Description: Daily case logs are created with the same Start and End dates.
Resolution: This issue is resolved.

AA-15283
Description: When runRiskType is DEVICE_ONLY and the action is REVIEW, no case is created but there is an entry
in the EVENT_NOTIFICATION table in the database that is not deleted.
Resolution: When runRiskType=DEVICE_ONLY, no record is written to the EVENT_NOTIFICATION table. As a result, no
case is logged, even if the policy action is REVIEW.

AA-15285
Description: The Session Reaper scheduled task does not clean expired sessions and transactions for non-default
organization users. The number of records fetched is not restricted when fetching all expired sessions. Multiple
expired sessions may result in an OutOfMemoryError error.
Resolution: Expired sessions and transactions for users belonging to non-default organizations are deleted. The
number of records fetched is limited for cases when there is a large number of expired sessions.

AA-15322
Description: The TCTYPE event code is not listed in the forensic log files.
Resolution: The TCTYPE event code is appended in the forensic log files.

AA-15324
Description: In the Case Management application, when a user tries to display page 4 in the Recent Account
Activity in User Lookup, ArrayIndexOutOfBoundsException errors occur.
Resolution: This issue is resolved.

JS-46
Description: The HTML Injection feature of the Trojan Protection solution returns an empty JSON string.
Resolution: A new rsa.js file is provided with this patch. See Update Development and Maintenance Utilities on
page 6.
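
The AA-15166 resolution above can be illustrated with a short sketch (an added example, not RSA code): a placeholder MAC that every iOS 7 device sends is useless as an identifier, and matching on it links unrelated devices. The four field names come from the release note; the record layout, the device_id key, the sample values and the matching rule are assumptions, and the sketch drops the placeholder from all four fields rather than only the first one found.

```python
# Added example, not RSA code. Field names are from the release note; the
# record layout, "device_id" key and matching rule are assumptions.
from typing import Dict, List, Optional

IOS7_PLACEHOLDER_MAC = "02:00:00:00:00:00"
ID_FIELDS = ("HWID", "PhoneNumber", "SIMID", "OtherID")
Device = Dict[str, Optional[str]]


def normalize(device: Device) -> Device:
    """Copy the record, storing None (NULL) wherever the placeholder appears."""
    clean = dict(device)
    for field in ID_FIELDS:
        value = clean.get(field)
        if value is not None and value.strip() == IOS7_PLACEHOLDER_MAC:
            clean[field] = None
    return clean


def shared_identifiers(a: Device, b: Device) -> List[str]:
    """Fields in which both records hold the same non-NULL identifier."""
    return [f for f in ID_FIELDS if a.get(f) is not None and a.get(f) == b.get(f)]


def recover(candidate: Device, stored: List[Device], sanitize: bool = True) -> List[str]:
    """Return the device_id of each stored record that shares an identifier."""
    if sanitize:
        candidate = normalize(candidate)
        stored = [normalize(d) for d in stored]
    return [d["device_id"] for d in stored if shared_identifiers(candidate, d)]


# Constructed sample data: one stored iOS 7 device and two incoming requests.
STORED = [{"device_id": "dev-A", "HWID": IOS7_PLACEHOLDER_MAC,
           "PhoneNumber": None, "SIMID": "sim-1111", "OtherID": None}]
NEW_PHONE = {"HWID": IOS7_PLACEHOLDER_MAC, "PhoneNumber": None,
             "SIMID": "sim-2222", "OtherID": None}
RETURNING_PHONE = {"HWID": IOS7_PLACEHOLDER_MAC, "PhoneNumber": None,
                   "SIMID": "sim-1111", "OtherID": None}

if __name__ == "__main__":
    # Raw values: a different phone is "recovered" as dev-A via the shared MAC.
    print(recover(NEW_PHONE, STORED, sanitize=False))
    # Placeholder stored as NULL: no false match, real match still found.
    print(recover(NEW_PHONE, STORED))
    print(recover(RETURNING_PHONE, STORED))
```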

Fixed Documentation Issues


This section lists documentation issues that are addressed in the revised RSA Adaptive Authentication
(On-Premise) 7.1 guides.

Tracking Number Description

RSA Adaptive Authentication (On-Premise) 7.1 Back Office User's Guide

AA-15467 In the appendix List of Facts, the description of the fact # of Days Since Last E-mail Change should state
the event types for which the fact is applicable.

AA-15471 In the chapter Managing Policies, in Introduction to Rules, the table of fact operators should state that
the boundary values are included when you use the Between or the Not Between operator.

RSA Adaptive Authentication (On-Premise) 7.1 Installation and Upgrade Guide

AA-10528 In the chapter Configure Adaptive Authentication Applications, in Secure the Data Source Password for
Tomcat, the final step of the procedure should state to start Tomcat from the CATALINA_HOME directory if
using the command line.

AA-12702 In the chapter Installation Prerequisites, in Installation Prerequisites for Tomcat, on UNIX, the value for
XX:MaxPermSize should be set to 512m, not 256m.

AA-12838 In the chapter Install Adaptive Authentication (On-Premise), in Post-Installation Tasks, in the procedure
for deploying web applications on WebSphere application server, the step to create a work manager for
offline tasks must be done before deploying the web applications. This also applies in Deploy Web
Applications on WebSphere in the chapter Complete a Dry-Run Upgrade.

AA-14863 In the chapter Set Up the Application Servers, in Set Up a Trusted Certificate, the procedures for
downloading and importing the trusted certificate should be updated.

AA-15454 In the chapter Upgrade from a Previous Version of Adaptive Authentication (On-Premise), the section
Perform Post-Upgrade Tasks should include a procedure to enable partitions on an Oracle Database.

AA-15636 In the chapter Complete a Dry-Run Upgrade, in Run SQL Scripts, the lists of SQL scripts are missing
some scripts.

AA-15651 In the chapter Upgrade from a Previous Version of Adaptive Authentication (On-Premise), in Run the
Upgrade Setup Process for Windows and in Run the Upgrade Setup Process for Unix, the note that files
are backed up to the <RSA_Home>/configs_orig_71_upgrade_bak directory should state that this
backup happens only if you upgrade from RSA Adaptive Authentication (On-Premise) 6.0.2.1 SP2.

AA-15729 In the chapter Installation Prerequisites, in Installation Prerequisites for WebLogic, the supported
versions of WebLogic are incorrect.

AA-15751 In the chapter Install and Configure Maintenance Utilities, in Switch to the New RSA Risk Engine Model,
when upgrading from RSA Adaptive Authentication (On-Premise) 6.0.2.1, the recommended time to train
the new Risk Engine model should be 45 days.

RSA Adaptive Authentication (On-Premise) 7.1 Operations Guide

AA-13650 In the chapter Installing Authentication Plug-Ins, in Configure Template Files, the procedure needs to be
clarified.

AA-14457 In the chapter Administration Console, in Device Management Parameters, need to clarify the behavior
of Adaptive Authentication if the Anti Cookie Theft parameter is disabled.

AA-15243 In the chapter Administration Console, in Billing Parameters, the Prefix Hierarchy parameter is specified
as optional.

AA-15274 In the chapter Administration Console, in Risk Engine Parameters, the description of the Offline Tasks
Thread Pool Size parameter should include a statement that a typical value is 20.

AA-15454 In the chapter Administration Console, in Authentication Methods Parameters, add further description of
the Alternative Action parameter.

Documentation Issues Fixed in the 7.1 P1 Release


This section lists documentation issues that are addressed in the revised RSA Adaptive Authentication
(On-Premise) 7.1 guides in the 7.1 P1 release.

Tracking Number Description

RSA Adaptive Authentication (On-Premise) 7.1 Installation and Upgrade Guide

AA-11659 In the chapter Configure Adaptive Authentication Applications, in Secure the Data Source Password for
Tomcat, it should be documented that, when using the data source password obfuscation package for
Tomcat, the initialSize parameter is not supported.

AA-15036 In the chapter Installation Prerequisites, in Installation Prerequisites for WebLogic, a prerequisite to set
the PERMSIZE parameters is needed.

AA-15075 In the chapter Prepare for Installation, the heading Database Log Sizing should be changed to File
System Log Sizing.

AA-15247 In the appendix Set Up the Application Servers, in Set Up a Trusted Certificate for WebSphere, a step is
missing between steps 7 and 8.

AA-15276 In the chapter Complete a Dry-Run Upgrade, in SQL Scripts for Oracle, 55_sp3_db_changes should be
55_SP3_CRE_changes. The credential for 54_sp3_db_changes and 55_SP3_CRE_changes should be
schema user.

RSA Adaptive Authentication (On-Premise) 7.1 Operations Guide

AA-9526 The instructions on configuring domain scoping should be removed from the chapter File Configurations.
The web application of the customer is responsible for retrieving and sending the correct cookie from the
end-user device.

AA-14298 In the chapter Batch Loader Utility, the instructions for running the Batch Loader utility are incorrect.

AA-14772 In the chapter Using an External Identity Store, in Map Existing Users in Active Directory, a note is
needed regarding a fix required for WebSphere Application Server 8.0 or 8.5.

RSA Adaptive Authentication (On-Premise) 7.1 Web Services API Reference Guide

AA-7022 In the chapter API Overview, in Introduction to Web Services API, users should be reminded to
implement strict data validation on input fields before sending the data to the Web Services API, to avoid
data manipulation.

AA-13447 In the appendix Out-of-Band Phone Authentication Plug-In Web Services Messages, several minor edits
are needed.

AA-13631 The identificationData table in the chapter Web Services Response Data Structures and Types does not
document that the groupName parameter is not returned in the identificationData response when the value
is either empty or null.

AA-13672 In the chapters Web Services Request Data Structures and Types, Web Services Common Data
Structures and Types, and Web Services Response Data Structures and Types, more detail is needed
about the data structures of the out-of-band SMS and knowledge-based authentication methods.

AA-15015 In the chapters Web Services Request Data Structures and Types, Web Services Common Data
Structures and Types, and Case Management API Methods, and in Generic Requests for All Methods in
the chapter AdminService API Methods, a clarification of the Required column in tables of parameters is
needed.

AA-15190 In the appendix Knowledge-based Authentication Credential, in the personInfo Values, ssnInfo Values,
NameInfo Values, addressInfo Values, and birthdayInfo Values tables, the Data Element columns are
erroneously labelled Action.

Known Issues
This section describes issues that remain unresolved in this release. Wherever a workaround or fix is available, it has
been noted or referenced in detail. For many of the workarounds in this section, you must have administrative
privileges. If you do not have the required privileges, contact your administrator.

Installation
When running the installer or the upgrade module in a command line mode, if the overall category is selected,
the installation process results in a faulty installation.
Tracking Number: AA-14550
Problem: The installation wizard utility is based on the install4j utility. The install4j infrastructure is not able to
translate the categories into specific components (applications). When running the installation or upgrade process in
command line mode, if the overall option is used, the installation is not successful.
Workaround: When running the installation or upgrade process in command line mode, select the specific
components (applications) required for the installation.
For the list of available applications affected by this release, see the RSA Adaptive Authentication (On-Premise) 7.1
Installation and Upgrade Guide.

Upgrade
Configuration migration fails if a previous security hotfix pertaining to Device Recovery capability and Device
Identification was applied. The failure could occur either when running upgrade installation or when running
the Configuration Migration utility.
Tracking Number: AA-15500
Problem: When you run the Configuration Migration tool, either as part of the upgrade or after the upgrade completes,
the following error may appear in the logs:
Cannot find class [com.rsa.infra.devicetype.detector.impl.wurfl.DeviceTypeResolutionStrategyImpl] for bean with name
'deviceTypeResolutionStrategy' defined in ConfigResource.
Workaround: Follow these steps:
1. In the /AdaptiveAuthentication/WEB-INF/classes/configs/ directory, delete the
c-config-deviceTypeDetector.xml file.
2. Run the Configuration Migration tool again.
3. After the Configuration Migration tool has run, configure the Mobile Detector Active Data File parameter in the
Administration Console.

Note: This workaround is also provided in the RSA Adaptive Authentication (On-Premise) 7.1 Installation and Upgrade
Guide that was revised March 2014.

Policy Management
Problems occur when using the Rule Wizard in simultaneous browser sessions.
Tracking Number: AA-10278
Problem: Problems occur when using the Rule Wizard more than once in simultaneous browsers sharing the same
session.
Workaround: Open the simultaneous sessions in different browsers, for example, Internet Explorer and Firefox.

In the Policy Management module, when creating rules with the same order simultaneously, one of the rules
cannot be created.
Tracking Number: AA-12482
Problem: In the Policy Management module, when creating rules with the same order simultaneously, one of the rules
cannot be created.

Operations
In the Authentication Methods component of the Administration Console, the Alternative Action Type
parameter is organization sensitive. The Adaptive Authentication (On-Premise) system ignores the value
selected for the organization and selects the value for the Default organization.
Tracking Number: AA-11237
Problem: In the Authentication Methods component of the Administration Console, the Alternative Action Type
parameter is organization sensitive. The Adaptive Authentication (On-Premise) system ignores the value selected for
the organization and selects the value for the Default organization.

The healthCheckJobDetail job fails.
Tracking Number: AA-12229
Problem: The healthCheckJobDetail job fails. This occurs because the c:/rsa destination folder for the healthcheck
report file does not exist.
Workaround: Manually create the healthcheckreport.txt file in c:/rsa.

When retrieving the credentials for an unenrolled user using a query request with
GET_SYSTEM_CREDENTIAL_EXTENDED, the credentials returned are not configured for the user's
organization.
Tracking Number: AA-12291
Problem: When retrieving the credentials for an unenrolled user by issuing an analyze request for an unenrolled user
(without autoCreateUserFlag set to true), the credentials retrieved are configured for the user's organization.
When using a query request with GET_SYSTEM_CREDENTIAL_EXTENDED for the same purpose, the credentials
returned are not configured for the user's organization.

Risk Engine
When sending a SOAP analyze request for a mobile application, the cookie is not sent to the Risk Engine and
does not appear in the event_log table.
Tracking Number: AA-12220
Problem: When sending a SOAP analyze request for the mobile channel, and the hardwareId data element is
populated, the request originates from a mobile application. The application does not send cookies to the CRE for
mobile applications. The following error occurs and is written to the aa_server.log file:
2012-03-15 20:20:09,296 ERROR [http-8080-1] [-7c9eb884:13615b52626:-4cdf] []
[com.rsa.csd.mcf.acsp.device.DeviceRecoveryHelper] - <analyzer returned an empty list of scores for candidates;
could not recover device.>

When using IBM WebSphere 8.0, score normalization fails.
Tracking Number: AA-14828
Problem: When using IBM WebSphere 8.0, the score normalization process fails.
Workaround: Install the IBM WebSphere 8.0.0.6 patch.

Case Management
The value in the Old Status column is New for new cases.
Tracking Number: AA-7647
Problem: In the Case Management module, the Old Status column has a value of New for new cases. The value in this
column should be Null because the case did not previously exist.

Manually reopened cases do not appear at the top of the queue.
Tracking Number: AA-8862
Problem: Due to the way the sorting functionality works in the Case Management module, manually reopened cases
do not appear at the top of the queue.

Terminate Authentication Sessions does not work.
Tracking Number: AA-15661
Problem: In the Case Management module, Terminate Authentication Sessions does not work. Consequently, the
Open Case for Events on Session Termination parameter does not work either.

Authentication Method
Adaptive Authentication (On-Premise) incorrectly maps an event type configuration to a customer-specific
SESSION_SIGNIN event type.
Tracking Number: AA-13718
Problem: Adaptive Authentication (On-Premise) maps the event_type=eventType configuration, in the
session-signin-authentify-request.properties file, to the SESSION_SIGNIN event type as Authentify's
SESSION_SIGNIN, which is reserved for one specific customer.
Workaround: If the event-type is SESSION-SIGNIN:
For the out-of-band phone authentication method SOAP calls, use the Generic Action application.
For the other authentication method SOAP calls, use the Login Verify application.

Back Office
On JBoss, the ws credentials for AdaptiveAuthentication and AdaptiveAuthenticationAdmin cannot be saved
for the Administration Console application.
Tracking Number: AA-15315
Problem: Because of an issue with the JBoss application server, the ws credentials for AdaptiveAuthentication and
AdaptiveAuthenticationAdmin cannot be saved for the Administration Console application. The error "Failed to initialize
the context: unable to generate key for seed:" is logged.
Workaround: Run the server with the jboss.vfs.forceVfsJar property set to true. For more information, see the issue
JBAS-7882, "Wrong provider code base for security provider included in packed ear", on the JBoss web site.

Support and Service


RSA SecurCare Online https://knowledge.rsasecurity.com

Customer Support Information www.emc.com/support/rsa/index.htm

RSA Solution Gallery https://gallery.emc.com/community/marketplace/rsa?view=overview

Copyright 2014 EMC Corporation. All Rights Reserved. Published in the USA.

Trademarks
RSA, the RSA Logo, BSAFE, eFraudNetwork, SecurID and EMC are either registered trademarks or trademarks of
EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
