RSA SecurID Ready Implementation Guide. Last Modified: November 19, 2009


VMware ESX 3.5
RSA SecurID Ready Implementation Guide

Partner Information
Last Modified: November 19, 2009

Product Information
Partner Name: VMware
Web Site: www.vmware.com
Product Name: ESX
Version & Platform: 3.5
Product Description: VMware ESX is an enterprise level virtualized infrastructure. ESX provides a virtual server environment from which many operating systems can be installed and run simultaneously in either a single server or clustered environment.
Product Category: Operating System

Solution Summary

VMware ESX leverages the RSA Authentication Agent 6.0 for PAM (Pluggable Authentication Module), enabling RSA SecurID authentication using either standard or OpenSSH connection tools.

Partner Integration Overview
Authentication Methods Supported: Native RSA SecurID Authentication
RSA SecurID Library Version Used: Library Version #6.1
RSA Authentication Manager Replica Support: Full Replica Support
RSA Authentication Agent Host Type for 6.1: Net OS
RSA Authentication Agent Host Type for 7.1: Standard Agent
RSA SecurID User Specification: Designated Users
RSA SecurID Protection of Administrative Users: Yes
RSA Software Token and RSA SecurID 800 Automation: No

Product Requirements

Partner Product Requirements
Version: ESX 3.5
See VMware product documentation for recommended hardware.

Agent Host Configuration

Important: Agent Host and Authentication Agent are synonymous. Agent Host is a term used with the RSA Authentication Manager 6.x servers and below. RSA Authentication Manager 7.1 uses the term Authentication Agent.

Important: All Authentication Agent types for 7.1 should be set to Standard Agent.

To facilitate communication between the VMware ESX and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the VMware ESX within its database and contains information about communication and encryption.

To create the Agent Host record, you will need the following information.
- Hostname
- IP Addresses for all network interfaces
- RADIUS Secret (When using RADIUS Authentication Protocol)

When adding the Agent Host Record, you should configure the VMware ESX as Net OS agent. This setting is used by the RSA Authentication Manager to determine how communication with the VMware ESX will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.

RSA SecurID files

RSA SecurID Authentication Files
Files          Location
sdconf.rec     /var/ace
Node Secret    /var/ace
sdstatus.12    /var/ace
sdopts.rec     Not implemented

Partner Authentication Agent Configuration

Before You Begin

This section provides instructions for integrating VMware ESX with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Installing the PAM Agent

Installing the PAM Agent involves setting up your environment and running an installation script.

Setting Up Your Environment

Before you perform the installation, verify that:
- You have root permissions on the Agent Host.
- You have created an installation directory on the machine on which you are installing the PAM Agent.
- You have the most up-to-date version of the sdconf.rec from the RSA Authentication Manager stored in an accessible directory, such as /var/ace, on the Agent Host.
  Note: The root administrator on the Host must have write permission to the directory in which the sdconf.rec is stored.
- You have created an Agent Host record for the PAM Agent in the RSA Authentication Manager database. For more information, see the RSA Authentication Manager documentation.

Create a corresponding account on both the ESX and RSA Authentication Manager servers.

To install the PAM Agent:
1. Change to the directory you created when you downloaded the software, and untar the file. Type:
     tar -xvf filename.tar
2. Run the install script. Type:
     ./install_pam.sh
3. Follow the prompts until you are prompted for the sdconf.rec directory. If the path is correct, press ENTER. If the path is incorrect, provide the appropriate path to the file.
4. For each of the remaining installation prompts, press ENTER to accept the default value, or type in a different path if required.

Performing a Test Authentication

RSA recommends that you perform a simple test authentication to ensure that the PAM Agent is functioning properly. You must use a token with a PIN that is already registered in the Authentication Manager database. Follow the New PIN procedure for proper registration. For additional information, contact your Authentication Manager administrator.

To perform a test authentication:
1. Change to the /opt/pam/bin directory. Type:
     ./acetest
2. Enter your user name and passcode.

Note: If you fail to authenticate, contact your Authentication Manager administrator.

Configuring the PAM Agent

Before you make any configuration changes, make backup copies of the original configuration files.

Note: Open a new SSH session using a standard user account to test SecurID authentication. Leave the first SSH connection into the ESX server open to prevent being locked out of the console.

Configuration File Names and Locations

Multiple configuration files are located in the /etc/pam.d directory. Each file uses the name of the connection tool.

1. Change to the /etc/pam.d directory.
2. Open the sshd file. The following text is displayed:
     auth required pam_stack.so service=system-auth
     auth required pam_nologin.so
     account required pam_stack.so service=system-auth
     password required pam_stack.so service=system-auth
     session required pam_stack.so service=system-auth
     session required pam_limits.so
     session optional pam_console.so
3. Comment out the following line:
     auth required pam_stack.so service=system-auth
4. Enable sshd to point to the PAM Agent module. Add the following text to the sshd file:
     auth required pam_securid.so

Configuring OpenSSH

To display passcode authentication messages:
1. Open the sshd_config file located in the /etc/ssh folder.
2. Edit the file and locate the setting below:
     #PAMAuthenticationViaKbdInt no
   Change the text to:
     PAMAuthenticationViaKbdInt yes
3. Locate and modify the setting below:
     #PasswordAuthentication yes
   Change the text to:
     PasswordAuthentication no
   Note: Setting the PasswordAuthentication parameter to no disables the OpenSSH password prompt so that the PAM Agent prompts for authentication. As a result, the user is prompted for an RSA SecurID passcode only.
4. Locate and modify the setting below:
     #UsePrivilegeSeparation yes
   Change the text to:
     UsePrivilegeSeparation no
5. Locate and modify the setting below:
     #ChallengeResponseAuthentication yes
   Change the text to:
     ChallengeResponseAuthentication yes
   Note: Setting the ChallengeResponseAuthentication parameter to no causes authentication to fail. Make sure that this parameter is always set to yes.
6. Restart the SSHD process:
     /etc/init.d/sshd restart
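The PAM and sshd_config edits described above can be checked on copies of the two files before sshd is restarted, which reduces the chance of a lockout. The script below is an added example, not part of the RSA or VMware guide; the function names (active_lines, sshd_value, check_securid_ssh) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the sshd PAM file and sshd_config against this guide.

# active_lines FILE: print FILE without comment lines and blank lines
active_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# sshd_value FILE KEY: first active value of KEY (sshd uses the first match)
sshd_value() {
    active_lines "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# check_securid_ssh PAM_FILE SSHD_CONFIG: return 0 only if both match the guide
check_securid_ssh() {
    rc=0
    active_lines "$1" | grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+([^[:space:]]*/)?pam_securid\.so' ||
        { echo "FAIL: no active 'auth required pam_securid.so' line"; rc=1; }
    if active_lines "$1" | grep -Eq '^[[:space:]]*auth[[:space:]].*pam_stack\.so.*service=system-auth'; then
        echo "FAIL: 'auth required pam_stack.so service=system-auth' is still active"; rc=1
    fi
    while read -r key want; do
        got=$(sshd_value "$2" "$key")
        [ "$got" = "$want" ] ||
            { echo "FAIL: $key is '${got:-unset}', guide expects '$want'"; rc=1; }
    done <<EOF
PAMAuthenticationViaKbdInt yes
PasswordAuthentication no
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
EOF
    return "$rc"
}

# Constructed sample: both files as they should look after the steps above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd" <<EOF
#auth required pam_stack.so service=system-auth
auth required pam_securid.so
auth required pam_nologin.so
account required pam_stack.so service=system-auth
EOF
cat > "$demo_dir/sshd_config" <<EOF
PAMAuthenticationViaKbdInt yes
PasswordAuthentication no
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
EOF
check_securid_ssh "$demo_dir/sshd" "$demo_dir/sshd_config" && echo "OK: matches the guide"
rm -rf "$demo_dir"
```

On a live host, pass /etc/pam.d/sshd and /etc/ssh/sshd_config as the two arguments.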

Certification Checklist For RSA Authentication Manager v6.x

Date Tested: May 15, 2009

Certification Environment
Product Name, Version Information, Operating System
RSA Authentication Manager 6.1 Windows 2003 RSA PAM Agent 6.0 VMware ESX 3.5 ESX 3.5

Mandatory Functionality
RSA Native Protocol | RADIUS Protocol

New PIN Mode
Force Authentication After New PIN | Force Authentication After New PIN N/A
System Generated PIN | System Generated PIN N/A
User Defined (4-8 Alphanumeric) | User Defined (4-8 Alphanumeric) N/A
User Defined (5-7 Numeric) | User Defined (5-7 Numeric) N/A
User Selectable | User Selectable N/A
Deny 4 and 8 Digit PIN | Deny 4 and 8 Digit PIN N/A
Deny Alphanumeric PIN | Deny Alphanumeric PIN N/A

Passcode
16 Digit Passcode | 16 Digit Passcode N/A
4 Digit Password | 4 Digit Password N/A

Next Tokencode Mode
Next Tokencode Mode | Next Tokencode Mode N/A

Load Balancing / Reliability Testing
Failover (3-10 Replicas) | Failover N/A
Name Locking Enabled | Name Locking Enabled
No RSA Authentication Manager | No RSA Authentication Manager N/A

Additional Functionality

RSA Software Token Automation
System Generated PIN N/A | System Generated PIN N/A
User Defined (8 Digit Numeric) N/A | User Defined (8 Digit Numeric) N/A
User Selectable N/A | User Selectable N/A
Next Tokencode Mode N/A | Next Tokencode Mode N/A

RSA SecurID 800 Token Automation
System Generated PIN N/A | System Generated PIN N/A
User Defined (8 Digit Numeric) N/A | User Defined (8 Digit Numeric) N/A
User Selectable N/A | User Selectable N/A
Next Tokencode Mode N/A | Next Tokencode Mode N/A

Credential Functionality
Determine Cached Credential State N/A | Determine Cached Credential State
Set Credential N/A | Set Credential
Retrieve Credential N/A | Retrieve Credential

DRP = Pass = Fail N/A = Non-Available Function

Certification Checklist For RSA Authentication Manager 7.x

Date Tested: May 15, 2009

Certification Environment
Product Name, Version Information, Operating System
RSA Authentication Manager 7.1 Windows 2003 RSA PAM Agent 6.0 VMware ESX 3.5 ESX 3.5

Mandatory Functionality
RSA Native Protocol | RADIUS Protocol

New PIN Mode
Force Authentication After New PIN | Force Authentication After New PIN N/A
System Generated PIN | System Generated PIN N/A
User Defined (4-8 Alphanumeric) | User Defined (4-8 Alphanumeric) N/A
User Defined (5-7 Numeric) | User Defined (5-7 Numeric) N/A
Deny 4 and 8 Digit PIN | Deny 4 and 8 Digit PIN N/A
Deny Alphanumeric PIN | Deny Alphanumeric PIN N/A
Deny Numeric PIN | Deny Numeric PIN N/A
PIN Reuse | PIN Reuse N/A

Passcode
16 Digit Passcode | 16 Digit Passcode N/A
4 Digit Fixed Passcode | 4 Digit Fixed Passcode N/A

Next Tokencode Mode
Next Tokencode Mode | Next Tokencode Mode N/A

Load Balancing / Reliability Testing
Failover (3-10 Replicas) | Failover N/A
No RSA Authentication Manager | No RSA Authentication Manager N/A

Additional Functionality

RSA Software Token Automation
System Generated PIN N/A | System Generated PIN N/A
User Defined (8 Digit Numeric) N/A | User Defined (8 Digit Numeric) N/A
Next Tokencode Mode N/A | Next Tokencode Mode N/A

RSA SecurID 800 Token Automation
System Generated PIN N/A | System Generated PIN N/A
User Defined (8 Digit Numeric) N/A | User Defined (8 Digit Numeric) N/A
Next Tokencode Mode N/A | Next Tokencode Mode N/A

DRP = Pass = Fail N/A = Non-Available Function