RSA SecurID Ready Implementation Guide

Partner Information
Last Modified: June 9, 2015

Product Information

Partner Name:         Avocent Corporation
Web Site:             www.avocent.com
Product Name:         DSView 4 Management Software
Version & Platform:   Version 4.5, Windows Server 2008 R2 64 bit, Redhat Linux 6.4 64 bit and Solaris
Product Description:  DSView 4 Management Software --- The one solution for securely managing every device in your data center now with virtual media.

DSView 4 management software gives you complete connectivity and control. It extends the Avocent patented KVM over IP centralized management system with a unique benefit in the KVM industry -- a hub and spoke architecture. This innovative system increases KVM switching manageability and security and gives data centers a fully redundant system with built-in backup/failover capabilities.
Solution Summary

The DSView 4 Management Software integration with RSA Authentication Manager provides enhanced security for protecting DSView resources. To enable the integration, an administrator must configure an RSA SecurID authentication service, map DSView user accounts to RSA Authentication Manager users and associate the user accounts with the authentication service. Once the integration has been enabled, DSView will require these users to authenticate with their RSA SecurID credentials before they access authorized resources.

RSA SecurID supported features

RSA SecurID Authentication via Native RSA SecurID Protocol:  Yes
RSA SecurID Authentication via RADIUS Protocol:              No
On-Demand Authentication via Native SecurID Protocol:        Yes
Risk-Based Authentication:                                   No
RSA Authentication Manager Replica Support:                  Yes
RSA SecurID Software Token Automation:                       No
RSA SecurID SD800 Token Automation:                          No
RSA SecurID Protection of Administrative Interface:          No

The following diagram shows a high-level view of a typical deployment. When a user attempts to access a DSView-managed appliance or target device, the DSView web client prompts the user to submit RSA SecurID credentials to the DSView server. The server uses the RSA Authentication Agent API to forward the credentials to an RSA Authentication Manager server for validation. When RSA Authentication Manager successfully authenticates the credentials, DSView determines if the user is authorized to access the resource and allows or denies access accordingly.
Agent Host Configuration

RSA Authentication Agents are custom or ready-made software applications that securely pass user authentication requests to RSA Authentication Manager. RSA provides the RSA Authentication Agent API for building custom agents, as well as a variety of out-of-the-box agents for protecting access to various operating systems and web resources.

Note: DSView uses Avocent's custom RSA Authentication Agent API agent.

All agents must be registered with RSA Authentication Manager in order for the server to establish secure communication channels with them. Use the RSA Security Console to register an agent for each DSView Server in your environment. You need the following information to do so:

- the hostname of the DSView Server
- IP addresses for all of the DSView Server's network interfaces

When you register an Authentication Agent, set its agent type to Standard Agent.

Note: Each agent hostname must resolve to one or more valid IP addresses on the local network.

RSA SecurID files

RSA SecurID Authentication Files

Files          Location
sdconf.rec     Uploaded to the DSView 4 server.
Node Secret    <% DSView Installation Root %>\rsaconf
sdstatus.12    <% DSView Installation Root %>\rsaconf
sdopts.rec     <% DSView Installation Root %>\rsaconf

Note: The appendix of this document contains more detailed information regarding these files.
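An added pre-flight check, not part of the original guide or of DSView: it compares what the agent hostname resolves to with the interface addresses you plan to register, and reports which of the listed rsaconf files are present. The hostname, the addresses and the injected resolver are constructed sample values, and treating loopback, unspecified and link-local answers as unusable is an assumption about what "valid IP addresses on the local network" excludes.

```python
import ipaddress
import socket
from pathlib import Path

# File names from the guide's files table. The node secret's file name is not
# given there, so it is left out of this check.
RSACONF_FILES = ("sdconf.rec", "sdstatus.12", "sdopts.rec")


def system_resolver(hostname):
    """Resolve a hostname with the OS resolver; returns a set of address strings."""
    infos = socket.getaddrinfo(hostname, None)
    return {info[4][0].split("%")[0] for info in infos}  # drop IPv6 scope id


def check_agent_host(hostname, interface_ips, resolver=system_resolver):
    """Compare what the agent hostname resolves to with the server's interface IPs."""
    try:
        resolved = {ipaddress.ip_address(a) for a in resolver(hostname)}
    except OSError:  # socket.gaierror: the name does not resolve at all
        resolved = set()
    interfaces = {ipaddress.ip_address(a) for a in interface_ips}
    # Assumption: loopback, unspecified and link-local answers are not usable.
    unusable = {a for a in resolved
                if a.is_loopback or a.is_unspecified or a.is_link_local}
    usable = resolved - unusable
    return {
        "resolves": bool(usable),
        "unusable": sorted(str(a) for a in unusable),
        "not_an_interface": sorted(str(a) for a in usable - interfaces),
        "interfaces_without_dns": sorted(str(a) for a in interfaces - resolved),
    }


def rsaconf_status(rsaconf_dir):
    """Report which of the listed files exist and are non-empty in rsaconf."""
    root = Path(rsaconf_dir)
    return {name: (root / name).is_file() and (root / name).stat().st_size > 0
            for name in RSACONF_FILES}


if __name__ == "__main__":
    # Constructed sample: placeholder hostname and documentation-range addresses.
    sample_dns = {"dsview01.example.internal": {"127.0.1.1", "192.0.2.10"}}
    print(check_agent_host("dsview01.example.internal",
                           ["192.0.2.10", "192.0.2.11"],
                           resolver=lambda name: sample_dns[name]))
```

A non-empty "unusable" or "interfaces_without_dns" list points at a name-resolution or registration mismatch to correct before the first authentication attempt.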
Partner Product Configuration

Before You Begin

This document provides instructions for enabling RSA SecurID two-factor authentication for DSView users. You should have working knowledge of RSA Authentication Manager and DSView, as well as access to the appropriate administrative documentation. Ensure that both products are running properly prior to configuring the integration.

Note: This document is not intended to suggest optimal installations or configurations.

Configuration Overview

Complete the following steps to enable RSA SecurID two-factor authentication for DSView 4 and RSA Authentication Manager users.

- Add an RSA SecurID external authentication service.
- Add users to the RSA SecurID authentication service.

Add an RSA SecurID External Authentication Service

Follow the steps below to create an RSA SecurID authentication service.

1. Log in to the RSA Authentication Manager Security Console.
2. Download/copy the RSA Authentication Manager server's sdconf.rec file to a local directory.
3. Use the Avocent DSView 4 Management Software console to log in to the DSView Hub Server as an administrator.
4. Select the Users tab on the top menu bar.
5. Select the Authentication tab on the second menu bar and click the Add button.
6. Enter a name for the service in the Name field.
7. Select RSA SecurID from the Type dropdown list and click the Next button.
8. Click the Browse button, locate and select the sdconf.rec file, and click the Next button.

Important: DSView will automatically distribute the sdconf.rec file to all DSView 4 Servers in its environment. However, if your deployment requires your server to be configured separately, you will need to upload the sdconf.rec file to each server.

9. Click the Finish button.
Add Users to the RSA SecurID Authentication Service

Follow the instructions below to create a DSView account for an RSA SecurID user and assign the user to the RSA SecurID authentication service. Repeat the steps for each user you want to add.

Important: Each DSView user account you create in this section must have a corresponding user account in your RSA Authentication Manager server.

1. Log in to the DSView Hub Server as an administrator and select the Users tab.
2. Select the Accounts tab on the second menu bar and click the Add button.
3. Select the new RSA SecurID authentication service from the Authentication Service list and click the Next button.
4. Enter the user's username in the User Name field and click the Next button.
5. To assign the user to one or more groups, select the group name(s) from the Available Groups list and click the Add button.
6. Select a preemption level for the user from the User Preemption Level dropdown list and click the Finish button. Consult your DSView administration documentation for information about preemption levels.

Important: You must install an RSA Authentication Manager node secret on your DSView Server to enable your authentication agent. If you log in to the server using RSA SecurID, RSA Authentication Manager will automatically create the node secret after authenticating your credentials. You can also use the RSA Security Console to generate a node secret and use a command line utility to load it on your DSView Server manually. See the appendix for more information.
RSA SecurID Login Screens

- Standard Logon Prompt
- New PIN Mode Prompt
- New System Generated PIN Mode Prompt
- System Generated PIN Confirmation Prompt
- System Generated PIN Display
- Next Tokencode Prompt
Certification Checklist for RSA Authentication Manager 8.1

Date Tested: June 8, 2015

Certification Environment

Product Name                    Version   Operating System
RSA Authentication Manager      8.1.1     Virtual Appliance
RSA Authentication Agent API    8.1       Windows 2008
DSView 4 Management Software    4.5       Windows 2008

Mandatory Functionality

RSA Native Protocol                     RADIUS Protocol

New PIN Mode
Force Authentication After New PIN      Force Authentication After New PIN: N/A
System Generated PIN                    System Generated PIN: N/A
User Defined (4-8 Alphanumeric)         User Defined (4-8 Alphanumeric): N/A
User Defined (5-7 Numeric)              User Defined (5-7 Numeric): N/A
Deny 4 and 8 Digit PIN                  Deny 4 and 8 Digit PIN: N/A
Deny Alphanumeric PIN                   Deny Alphanumeric PIN: N/A
Deny Numeric PIN                        Deny Numeric PIN: N/A
Deny PIN Reuse                          Deny PIN Reuse: N/A

Passcode
16 Digit Passcode                       14 Digit Passcode: N/A
4 Digit Fixed Passcode                  4 Digit Fixed Passcode: N/A

Next Tokencode Mode
Next Tokencode Mode                     Next Tokencode Mode: N/A

On-Demand Authentication
On-Demand Authentication                On-Demand Authentication: N/A
On-Demand New PIN                       On-Demand New PIN: N/A

Load Balancing / Reliability Testing
Failover (3-10 Replicas)                Failover: N/A
No RSA Authentication Manager           No RSA Authentication Manager: N/A

JGS = Pass = Fail N/A = Not Applicable to Integration

RSA Risk-Based Authentication Functionality

RSA Native Protocol                     RADIUS Protocol

Risk-Based Authentication
Risk-Based Authentication               Risk-Based Authentication: N/A
Risk-Based Authentication with SSO      Risk-Based Authentication with SSO: N/A

JGS = Pass = Fail N/A = Not Applicable to Integration
Appendix

Partner Integration Details

RSA SecurID API:                  8.1
RSA Authentication Agent Type:    Standard Agent
RSA SecurID User Specification:   All Users
Display RSA Server Info:          Yes
Perform Test Authentication:      No
Agent Tracing:                    Yes

Node Secret: RSA Authentication Manager will create a node secret for your agent on your DSView Server in response to the first successful authentication on the server. DSView 4 also supports manual node secret installation. In order to use this method, use the RSA Security Console to generate a node secret for your DSView agent, copy the secret to your DSView agent's host and use the agent_nsload utility to load it into the <% DSView Installation Root %>\rsaconf directory.

sdconf.rec: Save the sdconf.rec file to a local, temporary directory and use the DSView 4 Management console to upload the file to the DSView 4 Server.

sdopts.rec: If you want to use the sdopts.rec configuration file to set up manual load balancing, copy the file to the <% DSView Installation Root %>\rsaconf directory.