RSA SecurID Access Standard Agent Implementation Guide
VMware Identity Manager
Daniel R. Pintal, RSA Partner Engineering
Last Modified: August 19, 2016
Solution Summary

VMware Identity Manager provides access to applications from any device, simplifying the end-user experience by combining applications into a single enterprise-class aggregated workspace, securely delivered on any device. IT has a centralized place to manage user provisioning, access policies with enterprise-class directory integration, and identity federation.

RSA Authentication Manager supported features (VMware Identity Manager 2.7):
- RSA SecurID Authentication via Native RSA SecurID UDP Protocol
- RSA SecurID Authentication via Native RSA SecurID TCP Protocol
- RSA SecurID Authentication via RADIUS Protocol
- RSA SecurID Authentication via IPv6
- On-Demand Authentication via Native SecurID UDP Protocol
- On-Demand Authentication via Native SecurID TCP Protocol
- On-Demand Authentication via RADIUS Protocol
- Risk-Based Authentication
- RSA Authentication Manager Replica Support
- Secondary RADIUS Server Support
- RSA SecurID Software Token Automation
- RSA SecurID SD800 Token Automation
- RSA SecurID Protection of Administrative Interface

Three rows of this table are marked Yes in the original; the remaining support indicators were graphical and are not reproduced in this copy.
RSA Authentication Manager Configuration

Agent Host Configuration

To facilitate communication between the VMware Identity Manager and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the VMware Identity Manager and contains information about communication and encryption.

Include the following information when configuring a UDP-based agent host record:
- Hostname
- IP addresses for network interfaces

Important: The UDP-based authentication agent's hostname must resolve to the IP address specified.

Partner Product Configuration

Before You Begin

This section provides instructions for configuring the VMware Identity Manager with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All VMware Identity Manager components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.
VMware Identity Manager Configuration

1. Log in as the VMware Identity Manager administrator and select the Identity & Access Management tab to display the list of directories.
2. Select the Setup button.
3. Select the domain name under the Worker column.
4. Select the Auth Adapters button and select SecurIDIdpAdapter.
5. After your browser is redirected, select the Enable SecurID checkbox and enter all of the information related to your installation. Then upload the RSA SecurID sdconf.rec file and select Save to complete.
6. After being redirected back to the Authentication Adapters page, verify that SecurIDIdpAdapter is Enabled. Select Admin Console.
7. At this point the IDP connector is set up; you now need to modify the default access policy to enable SecurID for your Directory. Select Policies.
8. Select Edit Default Policy to edit the Device Type Policies.
9. By default the system is set up to use the Password authentication method. Select the word Password for the vidm Device type, Identity Manager Client App or Web Browser, to enable SecurID.
10. In the dropdown box for the vidm Device type, select SecurID.
11. In this example SecurID access is enabled for both Device types, so a SecurID login is required for both types of login.
12. Select Save to complete the setup.
13. By default the browser directs you to the Local User login. Select Change to a different domain and select the domain for which you enabled SecurID access.
14. Select your domain and then Next.
RSA SecurID Login Screens

Screenshots (not reproduced in this copy): Login screen; User-defined New PIN; System-generated New PIN; Next Tokencode.
Certification Checklist for RSA SecurID Access

Date Tested: August 19, 2016

Certification Environment

Product Name                        Version   Operating System Information
RSA Authentication Manager          8.2       Virtual Appliance
VMware Identity Manager - vidm      2.7       Virtual Appliance
VMware Identity Manager Desktop     2.7       Windows 10

RSA SecurID Authentication

Date Tested: August 15, 2016

The results table has three columns: Native UDP, Native TCP and RADIUS Client. The Native UDP marks and the Pass/Fail legend symbols were graphical and are not preserved in this copy; the Native TCP and RADIUS Client values are shown below.

Mandatory Functionality                   Native TCP   RADIUS Client
New PIN Mode
  Force Authentication After New PIN      N/A          N/A
  System Generated PIN                    N/A          N/A
  User Defined (4-8 Alphanumeric)         N/A          N/A
  User Defined (5-7 Numeric)              N/A          N/A
  Deny 4 and 8 Digit PIN                  N/A          N/A
  Deny Alphanumeric PIN                   N/A          N/A
  Deny PIN Reuse                          N/A          N/A
Passcode
  16 Digit Passcode                       N/A          N/A
  4 Digit Fixed Passcode                  N/A          N/A
Next Tokencode Mode
  Next Tokencode Mode                     N/A          N/A
On-Demand Authentication
  On-Demand Authentication                N/A          N/A
  On-Demand New PIN                       N/A          N/A
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)                N/A          N/A
  RSA Authentication Manager              N/A          N/A

Legend: Pass; Fail; N/A = Non-available Function
Appendix

RSA SecurID Authentication Files

UDP Agent Files               Location
sdconf.rec                    /usr/local/horizon/conf/states/%hostname%/3001/sdconf.rec
sdopts.rec                    /usr/local/horizon/conf/states/%hostname%/3001/sdopts.rec
Node secret                   /usr/local/horizon/conf/states/%hostname%/3001/securid
sdstatus.12 / jastatus.12     /var/ace/jastatus.12

Partner Integration Details

RSA SecurID UDP API                 8.1
RSA Authentication Agent Type       Standard Agent
RSA SecurID User Specification      Designated Users
Display RSA Server Info
Perform Test Authentication
Agent Tracing                       Yes
Node Secret: If you need to clear the node secret, use steps 1 to 5 of this guide to access the Authentication Adapter SecurIDIdpAdapter and select Clear Node Secret. Alternatively, the node secret can be cleared from the folder /usr/local/horizon/conf/states/%hostname%/3001/.

sdconf.rec: If you need to replace the sdconf.rec, it is stored as /usr/local/horizon/conf/states/%hostname%/3001/sdconf.rec. Refer to steps 1 to 5 of this guide to access the Authentication Adapter SecurIDIdpAdapter and use the Select File button when importing a new sdconf.rec file.
sdstatus.12: The sdstatus.12 file is not created, either in the file system or within the registry.

Agent Tracing: Authentication Agent event logging is written to the /usr/local/horizon/conf/states/%hostname%/3001/ folder. The file rsa_api.log is created and used for informational event logging; when debug logging is enabled, a second file, rsa_api_debug.log, is created. To set the level of tracing, modify /usr/local/horizon/conf/states/%hostname%/3001/rsa_api.properties:

    # Enables debug tracing.
    RSA_ENABLE_DEBUG=yes
    # Sends tracing to a file.
    RSA_DEBUG_TO_FILE=yes

sdopts.rec: Not accessible through the vidm administrative interface, but it can be added, modified and deleted through the Linux file system at /usr/local/horizon/conf/states/%hostname%/3001/sdopts.rec.
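As an added example (not from this guide and not VMware's or RSA's own tooling), the following POSIX shell helper checks which of the agent files listed in the Appendix are present and flips the two tracing keys in rsa_api.properties without leaving duplicate entries. The default AGENT_DIR, the script name securid_agent.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the RSA/VMware guide: inspect the SecurID agent
# state directory from the Appendix and toggle the tracing keys it documents.
# AGENT_DIR is an assumption: the Appendix path with the local hostname filled in.
AGENT_DIR="${AGENT_DIR:-/usr/local/horizon/conf/states/$(uname -n)/3001}"

# set_prop FILE KEY VALUE: replace an existing KEY=... line in a properties
# file or append it, so repeated runs never leave duplicate keys behind.
set_prop() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY: print the current value of KEY (empty if unset).
get_prop() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# agent_tracing FILE yes|no: set RSA_ENABLE_DEBUG and RSA_DEBUG_TO_FILE
# together, which is what the guide describes for enabling agent tracing.
agent_tracing() {
    set_prop "$1" RSA_ENABLE_DEBUG "$2"
    set_prop "$1" RSA_DEBUG_TO_FILE "$2"
}

# check_agent_files DIR: list which of the Appendix files exist. Returns 1 when
# sdconf.rec is missing, since the agent cannot reach Authentication Manager
# without it; a missing "securid" node secret typically only means no
# authentication has succeeded yet.
check_agent_files() {
    dir=$1; rc=0
    for f in sdconf.rec sdopts.rec securid rsa_api.properties rsa_api.log; do
        if [ -e "$dir/$f" ]; then echo "present: $dir/$f"; else echo "missing: $dir/$f"; fi
    done
    [ -e "$dir/sdconf.rec" ] || rc=1
    return $rc
}

# Usage: sh securid_agent.sh --run [yes|no]
if [ "${1:-}" = "--run" ]; then
    check_agent_files "$AGENT_DIR"
    agent_tracing "$AGENT_DIR/rsa_api.properties" "${2:-yes}"
    echo "RSA_ENABLE_DEBUG is now $(get_prop "$AGENT_DIR/rsa_api.properties" RSA_ENABLE_DEBUG)"
fi
```

Turn tracing back off with `--run no` once the log has been collected, since rsa_api_debug.log grows with every authentication attempt while RSA_ENABLE_DEBUG is set.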