RSA SecurID Ready Implementation Guide

Partner Information
Last Modified: May 15th, 2014

Product Information
Partner Name: Cyber Ark Software Ltd
Web Site: www.cyberark.com
Product Name: CyberArk Sensitive Information Management Solution
Version & Platform: 7.9
Product Description: CyberArk Sensitive Information Management Solution is a complete platform for sharing and distributing information to users across systems using web, desktop, mobile and e-mail. Developed with a focus on security, the solution includes patented digital vault technology, military-grade encryption and tamper-proof auditing designed to meet compliance requirements.
Solution Summary
Cyber Ark enables organizations to address the needs of individuals sharing and accessing information, as well as business processes requiring information collection, distribution and access. When implemented with RSA SecurID Authentication, the customer benefits from highly secure authentication to the CyberArk File Exchange. The CyberArk Privileged Account Security Solution integrates with the RSA Web Agent to protect its Secure File Exchange (SFE) and with RSA Authentication Manager via RADIUS for its PrivateArk client.

RSA Authentication Manager supported features (Cyber Ark):
- RSA SecurID Authentication via Native RSA SecurID UDP Protocol
- RSA SecurID Authentication via Native RSA SecurID TCP Protocol
- RSA SecurID Authentication via RADIUS Protocol
- RSA SecurID Authentication via IPv6
- On-Demand Authentication via Native SecurID UDP Protocol
- On-Demand Authentication via Native SecurID TCP Protocol
- On-Demand Authentication via RADIUS Protocol
- Risk-Based Authentication
- RSA Authentication Manager Replica Support
- Secondary RADIUS Server Support
- RSA SecurID Software Token Automation
- RSA SecurID SD800 Token Automation
- RSA SecurID Protection of Administrative Interface
Agent Host Configuration
To facilitate communication between Cyber Ark and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the Cyber Ark Sensitive Information Management Suite and contains information about communication and encryption.

RSA Authentication Manager 8.0 introduced a new TCP-based authentication protocol and corresponding agent API. RSA Authentication Manager 8.0 and newer also maintain support for the existing UDP-based authentication protocol and agents. The agent host records for TCP and UDP agents are configured similarly, but there are some important differences.

Include the following information when configuring a UDP-based agent host record:
- Hostname
- IP addresses for network interfaces
Note: The UDP-based authentication agent's hostname must resolve to the IP address specified.

Include the following information when configuring a TCP-based agent host record:
- RSA agent name (in the hostname field)
Note: The RSA agent name is specified in the rsa_api.properties file.

Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with the Cyber Ark Sensitive Information Management Suite will occur.

If Cyber Ark will be communicating with RSA Authentication Manager via RADIUS, then a RADIUS client that corresponds to the agent host record must be created in the RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console. The following information is required to create a RADIUS client:
- Hostname
- IP addresses for network interfaces
- RADIUS Secret
Note: The RADIUS client's hostname must resolve to the IP address specified. The RADIUS secret entered here must be identical to the one later stored on the Vault, and it should be a long, random value: RADIUS uses it both to hide the User-Password attribute and to authenticate the server's replies.

Please refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents and RADIUS clients.
Partner Product Configuration

Before You Begin
This section provides instructions for configuring the Cyber Ark Sensitive Information Management Suite with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All Cyber Ark components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Configure SFE Web interface for RSA SecurID Authentication
1. Download and install the latest RSA Web Agent on the SFE machine.
2. Run RSA Authentication Agent and perform a manual authentication test to verify that the agent and server are configured correctly.
Note: Refer to the RSA Web Agent Installation and Configuration Guide for more information.
3. Open the IIS Manager MMC Snap-In and browse to Default Web Site > Password Vault.
4. Open the Basic Settings menu.
5. Select RSA SecurID Pool from the Application pool drop-down menu and click OK.

Configure CyberArk Vault Server for RSA SecurID Authentication
1. Prepare and install a Vault certificate and private key on the Vault machine.
Note: For security reasons, it is highly recommended not to use a self-signed certificate for RADIUS authentication. The Vault certificate enables the Server to authenticate to a client. You can obtain a certificate from a Certificate Authority (CA). For more information refer to the CyberArk Privileged Account Security Solution Installation Guide.
2. Stop the Vault server.
3. Run the CAVaultManager command from the Vault installation folder with the following switches:
   /SecretType: set to Radius.
   /Secret: the RADIUS shared secret. It must be identical to the secret entered for the RADIUS client in the RSA Security Console; it is what protects the RADIUS exchange between the Vault and RSA Authentication Manager.
   /SecuredFileName: the full path of the file that will contain the encrypted secret. The file may be in dat, ini or txt format.
Example:
CAVaultManager SecureSecretFiles /SecretType Radius /Secret MyVaultSecret /SecuredFileName C:\MyRadiusSecret.txt
Note: The secret is passed on the command line, so run the command from a console whose history is not persisted and do not leave a plaintext copy of the secret on the Vault machine.
4. Open DBParm.ini and add the RadiusServersInfo parameter. Its value holds the following fields on a single line, separated by semicolons:
   - RADIUS Server IP address
   - RADIUS Server Authentication Port
   - RADIUS Client Name (the Vault machine, as entered in the RADIUS server)
   - Path to the SecuredFileName written in step 3
Example:
RadiusServersInfo=1.1.1.250;1812;vaulthostname;C:\MyRadiusSecret.txt
5. Start the Vault Server.
Note: You can specify more than one RADIUS server, for high availability, by separating the details of each server with a comma.

Use the following link to authenticate to the SFE using RSA:
https://passwordvaultwebsite/passwordvault/auth/radius

Configure PrivateArk Client for RADIUS Authentication
1. Log onto the PrivateArk Web as an Administrative user.
2. In the Advanced Vault Properties window, select RADIUS authentication and click OK.
3. Log off of the PrivateArk Client.

Configure a User Account for RADIUS Authentication
1. Log on to the Vault using an Administrative user.
2. Open the User Properties for the user account(s) for which you are enabling RADIUS authentication.
3. Open the Authentication tab.
4. Select RADIUS Authentication from the Authentication method drop-down menu and click OK.
5. Log off the Vault.
RSA SecurID Login Screens (screenshots): Login screen; User-defined New PIN; Next Tokencode.
Certification Test Checklist for RSA Authentication Manager

Certification Environment
Product Name | Version Information | Operating System
RSA Authentication Manager | 8.1 | Virtual Appliance
RSA Web Agent | 7.0 | Windows Server 2008 R2
Cyber Ark Sensitive Information Management Suite | 7.9.1 | Windows Server 2012 R2

RSA SecurID Authentication
Date Tested: April 1, 2014

Mandatory Functionality (result columns: RSA Native UDP Agent | RSA Native TCP Agent | RADIUS Client)
New PIN Mode
  Force Authentication After New PIN
  System Generated PIN
  User Defined (4-8 Alphanumeric)
  User Defined (5-7 Numeric)
  Deny 4 and 8 Digit PIN
  Deny Alphanumeric PIN
  Deny PIN Reuse
Passcode
  16 Digit Passcode
  4 Digit Fixed Passcode
Next Tokencode Mode
  Next Tokencode Mode
On-Demand Authentication
  On-Demand Authentication
  On-Demand New PIN
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)
  RSA Authentication Manager PEW / PAR

Result marks: Pass, Fail, Not Applicable to Integration
Appendix

RSA SecurID Authentication Files
UDP Agent Files: sdconf.rec, sdopts.rec, Node secret, sdstatus.12 / jastatus.12
TCP Agent Files: rsa_api.properties, sdconf.rec, sdopts.rec, Node secret

Partner Integration Details
RSA SecurID UDP API:
RSA SecurID TCP API:
RSA Authentication Agent Type: Web Agent, RADIUS Client
RSA SecurID User Specification: Designated users
Display RSA Server Info: using RSA Web Agent
Perform Test Authentication: using RSA Web Agent
Agent Tracing:

Node Secret: Refer to RSA Web Agent documentation for information about how to manage the node secret file.
sdconf.rec: Refer to RSA Web Agent documentation for information about how to manage the sdconf.rec configuration file.
sdopts.rec: Refer to RSA Web Agent documentation for information about how to manage the sdopts.rec configuration file.
sdstatus.12: Refer to RSA Web Agent documentation for information about how to manage the sdstatus.12 file.
Agent Tracing: Refer to RSA Web Agent documentation for information about how to enable agent tracing.