VMware ESX 3.5
RSA SecurID Ready Implementation Guide
Partner Information
Last Modified: November 19, 2009

Product Information
  Partner Name:         VMware
  Web Site:             www.vmware.com
  Product Name:         ESX
  Version & Platform:   3.5
  Product Description:  VMware ESX is an enterprise-level virtualized infrastructure. ESX provides a virtual server environment in which many operating systems can be installed and run simultaneously, on either a single server or a clustered environment.
  Product Category:     Operating System
Solution Summary
VMware ESX leverages the RSA Authentication Agent 6.0 for PAM (Pluggable Authentication Module), enabling RSA SecurID authentication for either standard or OpenSSH connection tools.

Partner Integration Overview
  Authentication Methods Supported:                  Native RSA SecurID Authentication
  RSA SecurID Library Version Used:                  Library Version #6.1
  RSA Authentication Manager Replica Support:        Full Replica Support
  RSA Authentication Agent Host Type for 6.1:        Net OS
  RSA Authentication Agent Host Type for 7.1:        Standard Agent
  RSA SecurID User Specification:                    Designated Users
  RSA SecurID Protection of Administrative Users:    Yes
  RSA Software Token and RSA SecurID 800 Automation: No

Product Requirements
  Partner Product Requirements: ESX 3.5. See VMware product documentation for recommended hardware.
Agent Host Configuration

Important: Agent Host and Authentication Agent are synonymous. Agent Host is the term used with RSA Authentication Manager 6.x servers and below; RSA Authentication Manager 7.1 uses the term Authentication Agent.

Important: All Authentication Agent types for 7.1 should be set to Standard Agent.

To facilitate communication between the VMware ESX host and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the VMware ESX host within that database and contains information about communication and encryption. To create the Agent Host record, you will need the following information:
  - Hostname
  - IP addresses for all network interfaces
  - RADIUS Secret (only when using the RADIUS authentication protocol)

When adding the Agent Host record, configure the VMware ESX host as a Net OS agent. This setting is used by the RSA Authentication Manager to determine how communication with the VMware ESX host will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about creating, modifying and managing Agent Host records.

RSA SecurID Authentication Files
  File          Location
  sdconf.rec    /var/ace
  Node Secret   /var/ace
  sdstatus.12   /var/ace
  sdopts.rec    Not implemented

Only sdconf.rec is copied to the host by hand. The Node Secret is established with the Authentication Manager during the first successful authentication and is then written to /var/ace; if the Agent Host record is later deleted and recreated, the Node Secret must be cleared on both the host and the Authentication Manager, otherwise subsequent authentications fail with node verification errors. Keep /var/ace readable by root only, since the Node Secret protects the agent's traffic to the Authentication Manager.
Partner Authentication Agent Configuration

Before You Begin

This section provides instructions for integrating VMware ESX with RSA SecurID authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Installing the PAM Agent

Installing the PAM Agent involves setting up your environment and running an installation script.

Setting Up Your Environment

Before you perform the installation, verify that:
  - You have root permissions on the Agent Host.
  - You have created an installation directory on the machine on which you are installing the PAM Agent.
  - You have the most up-to-date version of sdconf.rec from the RSA Authentication Manager stored in an accessible directory, such as /var/ace, on the Agent Host.
    Note: The root administrator on the host must have write permission to the directory in which sdconf.rec is stored.
  - You have created an Agent Host record for the PAM Agent in the RSA Authentication Manager database. For more information, see the RSA Authentication Manager documentation.
  - You have created a corresponding user account on both the ESX server and the RSA Authentication Manager: the ESX account name must match the RSA user name to which the token is assigned.

To install the PAM Agent:
1. Change to the directory you created when you downloaded the software, and untar the file. Type: tar -xvf filename.tar
2. Run the install script. Type: ./install_pam.sh
3. Follow the prompts until you are prompted for the sdconf.rec directory. If the path is correct, press ENTER. If the path is incorrect, provide the appropriate path to the file.
4. For each of the remaining installation prompts, press ENTER to accept the default value, or type in a different path if required.
Performing a Test Authentication

RSA recommends that you perform a simple test authentication to ensure that the PAM Agent is functioning properly. You must use a token whose PIN is already registered in the Authentication Manager database. Follow the New PIN procedure for proper registration. For additional information, contact your Authentication Manager administrator.

To perform a test authentication:
1. Change to the /opt/pam/bin directory and run the test utility. Type: ./acetest
2. Enter your user name and passcode.

Note: If you fail to authenticate, contact your Authentication Manager administrator.

Configuring the PAM Agent

Before you make any configuration changes, make backup copies of the original configuration files.

Note: Keep your first SSH session to the ESX server open for the whole procedure so that a mistake cannot lock you out of the console. Open a second SSH session with a standard user account to test SecurID authentication.

Configuration File Names and Locations

Multiple configuration files are located in the /etc/pam.d directory. Each file uses the name of the connection tool.

1. Change to the /etc/pam.d directory.
2. Open the sshd file. The following text is displayed:

     auth       required     pam_stack.so service=system-auth
     auth       required     pam_nologin.so
     account    required     pam_stack.so service=system-auth
     password   required     pam_stack.so service=system-auth
     session    required     pam_stack.so service=system-auth
     session    required     pam_limits.so
     session    optional     pam_console.so

3. Comment out the following line:

     auth       required     pam_stack.so service=system-auth

4. Enable sshd to point to the PAM Agent module. Add the following line to the sshd file:

     auth       required     pam_securid.so

Only the auth entry changes; the account, password and session entries continue to use the system-auth stack. Because the system-auth auth entry is disabled, every SSH login to the service console is now authenticated by SecurID alone, so any account that has no token assigned in the Authentication Manager can no longer log in over SSH.
Configuring OpenSSH

To display passcode authentication messages:
1. Open the sshd_config file located in the /etc/ssh directory.
2. Locate the following line:
     #PAMAuthenticationViaKbdInt no
   and change it to:
     PAMAuthenticationViaKbdInt yes
3. Locate the following line:
     #PasswordAuthentication yes
   and change it to:
     PasswordAuthentication no
   Note: Setting PasswordAuthentication to no disables the OpenSSH password prompt so that the PAM Agent prompts for authentication. As a result, the user is prompted for an RSA SecurID passcode only.
4. Locate the following line:
     #UsePrivilegeSeparation yes
   and change it to:
     UsePrivilegeSeparation no
   Note: This turns off an sshd hardening feature; the guide requires it for the PAM Agent to function. Limit who can reach the service console over the network accordingly.
5. Locate the following line:
     #ChallengeResponseAuthentication yes
   and change it to:
     ChallengeResponseAuthentication yes
   Note: Setting ChallengeResponseAuthentication to no causes authentication to fail. Make sure that this parameter is always set to yes.
6. Restart the SSHD process:
     /etc/init.d/sshd restart

Restarting sshd replaces the listening daemon but does not terminate sessions that are already established, so the root session you kept open survives the restart. Run /usr/sbin/sshd -t first to catch a syntax error in sshd_config before the restart, then test from a second session with a standard user account. PAMAuthenticationViaKbdInt is a directive of the OpenSSH release in the ESX 3.5 service console; later OpenSSH releases dropped it in favour of UsePAM.
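The two procedures above, the /etc/pam.d/sshd edit and the sshd_config edits, as one script. This is an added example and is not part of the RSA/VMware guide. It assumes the file paths are passed as arguments (defaulting to the paths the guide names, so it can be tried on copies first), it keeps a .bak copy of each file and makes no further change when run again, and it places the pam_securid.so entry directly after the commented-out pam_stack line, a position the guide leaves to the reader. The securid_check function is the check to run from the root session you keep open before restarting sshd.

```shell
#!/bin/sh
# Added example, not part of the RSA/VMware guide: apply the /etc/pam.d/sshd
# and /etc/ssh/sshd_config changes for the RSA PAM Agent in one pass.
# Paths are parameters; the dispatcher at the bottom defaults to the real ones.

# Comment out the pam_stack auth entry and put pam_securid.so right after it.
# An existing pam_securid.so entry is left alone, so re-runs add no duplicate.
securid_pam_edit() {
    f="$1"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    [ -f "$f.bak" ] || cp -p "$f" "$f.bak"
    have=0
    grep -q 'pam_securid\.so' "$f" && have=1
    tmp="$f.tmp.$$"
    awk -v have="$have" '
        /^auth[ \t]+required[ \t]+pam_stack\.so[ \t]+service=system-auth/ {
            print "#" $0
            if (!have) { print "auth       required     pam_securid.so"; have = 1 }
            next
        }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps the owner and mode of $f
    rm -f "$tmp"
}

# Set one sshd_config keyword, replacing any active or commented-out copy;
# the keyword is appended if the file never mentioned it.
sshd_set() {
    f="$1"; key="$2"; val="$3"
    tmp="$f.tmp.$$"
    awk -v k="$key" -v v="$val" '
        $0 ~ ("^#?[ \t]*" k "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# The four sshd_config settings from the "Configuring OpenSSH" steps.
securid_sshd_edit() {
    f="$1"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    [ -f "$f.bak" ] || cp -p "$f" "$f.bak"
    sshd_set "$f" PAMAuthenticationViaKbdInt yes
    sshd_set "$f" PasswordAuthentication no
    sshd_set "$f" UsePrivilegeSeparation no
    sshd_set "$f" ChallengeResponseAuthentication yes
}

securid_apply() {
    securid_pam_edit "$1" && securid_sshd_edit "$2"
}

# Returns 0 only when every setting the guide requires is in place and the
# original pam_stack auth entry is no longer active.
securid_check() {
    pam="$1"; sshd="$2"
    grep -q '^#auth[[:space:]]*required[[:space:]]*pam_stack\.so[[:space:]]*service=system-auth' "$pam" || return 1
    grep -q '^auth[[:space:]]*required[[:space:]]*pam_securid\.so' "$pam" || return 1
    grep -q '^auth[[:space:]]*required[[:space:]]*pam_stack\.so' "$pam" && return 1
    for kv in 'PAMAuthenticationViaKbdInt yes' 'PasswordAuthentication no' \
              'UsePrivilegeSeparation no' 'ChallengeResponseAuthentication yes'; do
        grep -q "^$kv\$" "$sshd" || return 1
    done
    return 0
}

# Dispatcher: "apply" edits the files, "check" verifies them (paths optional).
case "${1:-}" in
    apply) securid_apply "${2:-/etc/pam.d/sshd}" "${3:-/etc/ssh/sshd_config}" ;;
    check) securid_check "${2:-/etc/pam.d/sshd}" "${3:-/etc/ssh/sshd_config}" && echo "ok" ;;
esac
```

Saved as securid_ssh.sh (a name chosen for this example), run `sh securid_ssh.sh apply` as root from the session you keep open, then `sh securid_ssh.sh check`, and only then restart sshd as in step 6 and test from a second session with a standard user account. If the test fails, copy the .bak files back over the originals and restart sshd again from the open session.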
Certification Checklist For RSA Authentication Manager v6.x
Date Tested: May 15, 2009

Certification Environment
  Product Name                 Version Information   Operating System
  RSA Authentication Manager   6.1                   Windows 2003
  RSA PAM Agent                6.0                   VMware ESX 3.5
  ESX                          3.5

Mandatory Functionality                 RSA Native Protocol   RADIUS Protocol
New PIN Mode
  Force Authentication After New PIN    [mark]                N/A
  System Generated PIN                  [mark]                N/A
  User Defined (4-8 Alphanumeric)       [mark]                N/A
  User Defined (5-7 Numeric)            [mark]                N/A
  User Selectable                       [mark]                N/A
  Deny 4 and 8 Digit PIN                [mark]                N/A
  Deny Alphanumeric PIN                 [mark]                N/A
Passcode
  16 Digit Passcode                     [mark]                N/A
  4 Digit Password                      [mark]                N/A
Next Tokencode Mode
  Next Tokencode Mode                   [mark]                N/A
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)              [mark]                N/A
  Name Locking Enabled                  [mark]                [mark]
  No RSA Authentication Manager         [mark]                N/A

Additional Functionality                RSA Native Protocol   RADIUS Protocol
RSA Software Token Automation
  System Generated PIN                  N/A                   N/A
  User Defined (8 Digit Numeric)        N/A                   N/A
  User Selectable                       N/A                   N/A
  Next Tokencode Mode                   N/A                   N/A
RSA SecurID 800 Token Automation
  System Generated PIN                  N/A                   N/A
  User Defined (8 Digit Numeric)        N/A                   N/A
  User Selectable                       N/A                   N/A
  Next Tokencode Mode                   N/A                   N/A
Credential Functionality
  Determine Cached Credential State     N/A                   [mark]
  Set Credential                        N/A                   [mark]
  Retrieve Credential                   N/A                   [mark]

Legend: DRP; Pass and Fail are recorded as symbols in the original checklist and appear here as [mark]; N/A = Non-Available Function.
Certification Checklist For RSA Authentication Manager 7.x
Date Tested: May 15, 2009

Certification Environment
  Product Name                 Version Information   Operating System
  RSA Authentication Manager   7.1                   Windows 2003
  RSA PAM Agent                6.0                   VMware ESX 3.5
  ESX                          3.5

Mandatory Functionality                 RSA Native Protocol   RADIUS Protocol
New PIN Mode
  Force Authentication After New PIN    [mark]                N/A
  System Generated PIN                  [mark]                N/A
  User Defined (4-8 Alphanumeric)       [mark]                N/A
  User Defined (5-7 Numeric)            [mark]                N/A
  Deny 4 and 8 Digit PIN                [mark]                N/A
  Deny Alphanumeric PIN                 [mark]                N/A
  Deny Numeric PIN                      [mark]                N/A
  PIN Reuse                             [mark]                N/A
Passcode
  16 Digit Passcode                     [mark]                N/A
  4 Digit Fixed Passcode                [mark]                N/A
Next Tokencode Mode
  Next Tokencode Mode                   [mark]                N/A
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)              [mark]                N/A
  No RSA Authentication Manager         [mark]                N/A

Additional Functionality                RSA Native Protocol   RADIUS Protocol
RSA Software Token Automation
  System Generated PIN                  N/A                   N/A
  User Defined (8 Digit Numeric)        N/A                   N/A
  Next Tokencode Mode                   N/A                   N/A
RSA SecurID 800 Token Automation
  System Generated PIN                  N/A                   N/A
  User Defined (8 Digit Numeric)        N/A                   N/A
  Next Tokencode Mode                   N/A                   N/A

Legend: DRP; Pass and Fail are recorded as symbols in the original checklist and appear here as [mark]; N/A = Non-Available Function.