RSA Authentication Manager 7.1/8.x

| Connector name | agtrsaam |
|---|---|
| Connector type | Executable |
| Type (UI field value) | RSA Authentication Manager 7.1/8.2 |
| Target system versions supported/tested | RSA Authentication Manager 7.1 SP3 and later; RSA Authentication Manager 8.0, 8.1 and 8.2. |
| Connector status / support | Customer-Verified Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment, as Bravura Security does not maintain internal test environments for the associated target system. |
If you have an RSA Authentication Manager 7.1/8.2 system installed on your network, Bravura Security Fabric can:
List users and manage accounts
Manage passwords
Manage SecurID authenticators with a self-service web interface, the Manage tokens (PSP) module. This facility is separate from password management.
Manage SecurID authenticators from the help desk web interface, the Help users (IDA) module, to allow help desk users to manage tokens on users’ behalf.
Synchronize PINs with passwords (if alpha-numeric PINs are enabled on your RSA Authentication Manager 7.1/8.2 server).
Authenticate users to Bravura Security Fabric using password authentication or SecurID authentication.
The following Bravura Security Fabric operations are supported by agtrsaam:
user verify password
get server information
user change password
administrator reset password
expire password
verify+reset password
resynchronize tokens
set token pin
challenge response authentication
enable account
disable account
check account enabled
lock account + enter emergency access mode
unlock account
check account lock
create account
delete account
rename account
update attributes
add user to group
delete user from group
list account attributes
List:
accounts
attributes
groups
members
For a full list and explanation of each connector operation, see Connector operations.
Preparation
The agtrsaam connector integrates using two different methods depending on the operations you want to run on the target:
The RSA Authentication Agent API (C Authentication API) is used for SecurID token challenge response authentication of RSA SecurID Authenticators and for extended token authentication support such as new PIN mode and next tokencode mode.
See Installing and configuring the C Authentication API for the C Authentication API requirements and installation information.
The RSA Authentication Manager SDK (Java Administrative API) is used to update and retrieve information from the RSA Authentication Manager 7.1/8.2 command server. It is required for administrative operations such as listing users, token provisioning, enabling and disabling accounts, and group management.
See Installing and configuring the Java Admin API for the Java requirements and for installation of the Java Administrative API.
Installing and configuring the C Authentication API
The challenge response authentication operation for agtrsaam prompts users to enter their RSA SecurID Authenticator passcode and interfaces with the RSA Authentication Server to determine if the user should be granted access to Bravura Security Fabric.
The RSA SecurID Authenticator state is determined by agtrsaam. For example, if a PIN or next code is required, agtrsaam can prompt the user accordingly.
To allow authentication from the Bravura Security Fabric server:
Configuring the RSA Authentication Manager server
If Bravura Security Fabric will authenticate users with accounts on an RSA Authentication Manager using the challenge response authentication operation for agtrsaam, you must configure the RSA Authentication Manager server to permit authentication requests from the Bravura Security Fabric server, and install the RSA Authentication Agent client software on the Bravura Security Fabric server.
The following details may vary depending on your version of RSA Authentication Manager. Consult the documentation included with your version of RSA Authentication Manager 7.1/8.2 for more information.
Configure the RSA Authentication Manager server to permit authentication requests from the Bravura Security Fabric servers. In a replicated instance, all application nodes have to be registered with the RSA service. To do this, log into the administration console on the RSA Authentication Manager server.
On RSA Authentication Manager 7.1/8.2:
Click Access > Authentication Agents > Add new.
Type the name of the Bravura Security Fabric server in the Hostname field.
Type the network address in the IP Address field of the Bravura Security Fabric server.
Click Save to add Bravura Security Fabric as a client to the RSA service.
Limiting the RSA authentication to users who have a token
If the RSA Admin API is not installed, so that users cannot be listed from the RSA application itself, use a synthetic target to provide the list of users who have RSA tokens.
To prevent the RSA authentication from failing for users who don't have RSA accounts, add a user class that contains the list of users with tokens, and add a rule under Manage external data store > hid_authchain_select matching that user class, so that the RSA authentication option is offered only to those users.
Setting up the C Authentication API
This section details how to configure the execution of the challenge response authentication operation from agtrsaam.
RSA Authentication Manager accounts can be listed in one of three ways:
A specific RSA Authentication Manager target. This requires installing the Java Admin API in addition to the C Authentication API if you want to run administrative operations like listing users and managing tokens. See Installing and configuring the Java Admin API for information on installing the Java Admin API.
Another target system in Bravura Security Fabric. This method only requires the short ID to be passed in. For example, users can be managed on Microsoft Active Directory, provided the short IDs are the same. In this case an authentication chain would be set for all users on an Active Directory target system.
If you do not want to install Java or the RSA Authentication Manager SDK (Java Admin API) to fully configure an RSA Authentication Manager 7.1/8.2 target, and only want to use the agtrsaam connector for the challenge response authentication operation, you can add a target (usually a NULL type) with default values for the target address parameters. These address parameters are left unused when authenticating with challenge response authentication. The target will then only be used for the configuration of the authentication chain.
If the connection to the RSA target system is going to be run through a proxy, then the RSA Authentication Agent client software must be installed on all Bravura Security Fabric application nodes as well as on the proxy.
In this case the target will only be used for the configuration of the authentication chain for the challenge response authentication operation using the agtrsaam connector. See Add RSA Authentication via connector authentication chain module for more information on the configuration of this custom authentication chain.
In order to set up the RSA Authentication Agent API (C Authentication API) and configure authentication for the Bravura Security Fabric server:
Locate the RSA Authentication Agent API, which may be obtained from the RSA Link Community web site. The following may be used:
RSA SecurID Authentication Agent SDK 8.6.1 Download for C
Note
The keywords to pay attention to when selecting the RSA C API are "Authentication Agent" and "C" to avoid using an agent for the wrong programming language.
From the RSA Authentication Agent API, copy the following files:
lib\64bit\nt\Release\aceclnt.dll
lib\64bit\nt\Release\sdmsg.dll
Also copy the following sample configuration file:
samples\rsa_api.properties
to the Bravura Security Fabric server here:
c:\Windows\System32
Note
Ensure that aceclnt.dll is copied from the above noted location. There are other files with the same name for other RSA client software or APIs, and those will not be suitable.
Edit the rsa_api.properties file and add the following to the end of the file:
SDCONF_LOC = C:\Windows\System32\sdconf.rec
SDNDSCRT_LOC = C:\Windows\System32\securid
RSA_LOG_FILE_LOC = C:\Windows\Temp
RSA_BSAFE_LIBRARY_PATH=.
RSA_AGENT_NAME = <rsa agent hostname>
Ensure that <rsa agent hostname> is the Bravura Security Fabric server that is configured on the RSA Authentication Manager server to permit authentication requests.
Start the newly installed RSA Agent software to ensure that you are able to connect to the RSA Authentication Manager server with the agent. An RSA administrator can help with that.
To allow the RSA client to authenticate into the RSA Server, a "node secret" file is established in one of two ways:
Authenticate a user to establish the node secret (the simplest option, and the one recommended by RSA Support): use the client itself, on every node and proxy, to authenticate to the RSA server.
or
Manually generate the node secret (if RSA administrators do not allow RSA configuration to be pulled by the RSA Agents): copy the files manually from the RSA Server admin console and place them on every application node and proxy; each server must have a different file, containing a different node secret.
If the node secret is ever cleared for the Authentication Agent for the Bravura Security Fabric server in the RSA Security Console, a new node secret will need to be created, exported to a node secret file, and imported onto the Bravura Security Fabric server using one of the two options above.
Authenticate a user to establish the node secret
To use the client itself to authenticate, follow these steps from where Bravura Security Fabric or proxy is installed:
Open the RSA Control Center client.
Click the Advanced Tools link.
Click Test Authentication.
Enter the User Name for a user with a SecurID authenticator.
Enter SecurID Passcode for the SecurID authenticator.
Once the SecurID authenticator has been successfully authenticated, the node secret will be created for the Bravura Security Fabric server.
The following files must then be manually copied to c:\Windows\System32:
c:\program files\common files\rsa shared\auth api\failover.dat
c:\program files\common files\rsa shared\auth data\sdconf.rec
c:\program files\common files\rsa shared\auth data\securid
If the RSA Agent does not create failover.dat, it can be generated manually:
Click Access from the menu.
Click Authentication Agents from the sub-menu.
Click Generate Configuration File from the sub-menu.
Click the Generate Configuration File button to generate the failover.dat file.
Copy the failover.dat file to c:\Windows\System32.
Manually generate the node secret file
To manually generate the node secret file on RSA Authentication Manager 7.1/8.2 and import it using agent_nsload:
Select Access from the menu.
Select Authentication Agents from the sub-menu.
Select Manage Existing from the sub-menu.
Select the Authentication Agent from the list and then click on Manage Node Secret... from the drop-down list.
If a node secret file had previously been generated for this Authentication Agent, click the checkbox for Clear the node secret.
Select the checkbox for Create a new random node secret, and export the node secret to a file.
Enter a password for the node secret.
Click Save to generate the node secret file.
Copy the node secret file to a temporary location on the Bravura Security Fabric server.
From the RSA Authentication Agent API, copy the following files to the Bravura Security Fabric server to the same location as the node secret file:
util\64bit\nt\Release_MT\agent_nsload.exe
util\64bit\nt\Release_MT\sdmsg.dll
On the Bravura Security Fabric server, manually load the node secret:
agent_nsload.exe -f nodesecret.rec
Enter the password for the node secret when prompted if one was specified when it was generated on the RSA Authentication Manager server.
A securid file will be generated.
Copy the securid file to c:\Windows\System32.
Note
Ensure you clear the sensitive files from the temporary directory after the configuration is tested. You may need to keep the binaries in case the node secret is cleared on the server; keep the configuration files and the node secret file in c:\Windows\System32.
Ensure that the RSA client configuration file sdconf.rec, and optionally failover.dat, have been generated for the Authentication Agent of the Bravura Security Fabric server from the RSA Authentication Manager server.
See Failover to determine if you need failover.dat.
To generate the sdconf.rec and failover.dat files on RSA Authentication Manager 7.1/8.2:
Select Access from the menu.
Select Authentication Agents from the sub-menu.
Select Generate Configuration File from the sub-menu.
Click the Generate Configuration File button to generate the sdconf.rec and failover.dat files.
Copy sdconf.rec and optionally failover.dat to the Bravura Security Fabric server here:
c:\Windows\System32
After the agtrsaam agent is set up, configure and test the C Authentication API.
Configure and test the C Authentication API
Consult the vendor’s documentation for specific configuration information and test the C Authentication API.
Failover
Note the following in regard to failover authentication requests:
Failover authentication requests from a primary RSA Authentication Manager to a replica server are supported natively by RSA with the RSA Authentication Agent API and use of the sdconf.rec and failover.dat.
The replica RSA Authentication Manager servers only provide failover for the SecurID token challenge response authentication.
Failover for administrative operations is not supported from the replica servers. Administrative operations may only be performed on the primary servers.
If a primary server is unavailable, promote a replica server to primary in order to perform administrative operations. The Bravura Security Fabric instance will also need to be reconfigured to use the new primary server for the target and for the sdconf.rec configuration.
Installing and configuring the Java Admin API
Carry out the following steps before targeting an RSA Authentication Manager 7.1/8.2 system in Bravura Security Fabric:
Note
Java, the RSA Authentication Manager SDK (Java Admin API), and the target address parameters for the RSA Authentication Manager 7.1/8.2 target are not required if you only need authentication through the challenge response authentication operation of the agtrsaam connector.
Copy the RSA Authentication Manager 7.1/8.2 SDK software to the Bravura Security Fabric server. See Configuring the RSA Authentication Manager 7.1/8.x Command Client credentials and software.
Set up the Command Client user name and password for connection from the Bravura Security Fabric server. See Setting the Command Client credentials.
Ensure that Java RunTime 1.5.x is installed on the Bravura Security Fabric server for RSA Authentication Manager 7.1 and Java RunTime 1.6.x, 1.7.x, or 1.8.x 64-bit for RSA Authentication Manager 8.x.
Caution
Bravura Security Fabric uses the Java libraries provided with 32-bit Java 1.5.x for RSA Authentication Manager 7.1. Other versions, including those later than 1.5.x or 64-bit, are not suitable.
Bravura Security Fabric uses the Java libraries provided with 64-bit Java 1.6.x, 1.7.x, or 1.8.x for RSA Authentication Manager 8.x. Other versions, including 32-bit builds, are not suitable.
Enable SSL if required for RSA Authentication Manager 7.1. SSL is currently recommended and required for RSA Authentication Manager 8.x. See Enabling SSL.
Add the server as an RSA Authentication Manager 7.1/8.2 target system. See Targeting an RSA Authentication Manager 7.1/8.x server.
Optionally, set up RSA token authentication as an authentication method in Bravura Security Fabric. See Add RSA Authentication via connector authentication chain module.
Enable and configure the Manage tokens (PSP) module to allow users to manage their own tokens.
Optionally, configure the Help users (IDA) module to allow help desk users to manage tokens on users’ behalf.
Configuring the RSA Authentication Manager 7.1/8.x Command Client credentials and software
To target RSA Authentication Manager 7.1/8.2, you must copy over the RSA Authentication Manager SDK required files to the Bravura Security Fabric server and configure the RSA Authentication Manager 7.1/8.2 server to set the Command Client credentials to allow connections from the Bravura Security Fabric server.
RSA Authentication Manager SDK 7.1 (Java Administrative API)
Before you can target RSA Authentication Manager 7.1, you must locate and copy the RSA Authentication Manager 7.1 SDK and install Java RunTime 1.5.x 32-bit on the Bravura Security Fabric server.
To set up the RSA Authentication Manager 7.1 SDK:
Locate the RSA Authentication Manager 7.1 SDK.
Copy files required to run the client to the <SDK_HOME>\lib\java directory, where <SDK_HOME> is the home directory of the RSA Authentication Manager 7.1 SDK.
From a command prompt on your Authentication Manager server, change directories to <RSA_AM_HOME>\appserver\weblogic\server\lib\, where <RSA_AM_HOME> is the directory in which you installed RSA Authentication Manager 7.1/8.2.
Type:
java -jar ..\..\..\modules\com.bea.core.jarbuilder_1.0.0.0.jar -profile wlfullclient
Copy the following files from your Authentication Manager server installation directories to the <SDK_HOME>\lib\java directory:
RSA_AM_HOME\appserver\license.bea
RSA_AM_HOME\appserver\modules\com.bea.core.process_5.3.0.0.jar
RSA_AM_HOME\appserver\weblogic\server\lib\wlfullclient.jar
RSA_AM_HOME\appserver\weblogic\server\lib\wlcipher.jar
RSA_AM_HOME\appserver\weblogic\server\lib\EccpressoAsn1.jar
RSA_AM_HOME\appserver\weblogic\server\lib\EccpressoCore.jar
RSA_AM_HOME\appserver\weblogic\server\lib\EccpressoJcae.jar
Ensure that the following files are located within the SDK installation directory, for example, in this location:
C:\rsa.sdk
SDK_HOME\lib\java\axis-1.3.jar
SDK_HOME\lib\java\commons-beanutils-1.7.0.jar
SDK_HOME\lib\java\commons-discovery-0.2.jar
SDK_HOME\lib\java\commons-lang-2.2.jar
SDK_HOME\lib\java\commons-logging-1.0.4.jar
SDK_HOME\lib\java\iScreen-1-1-0rsa-2.jar
SDK_HOME\lib\java\iScreen-ognl-1-1-0rsa-2.jar
SDK_HOME\lib\java\ims-client.jar
SDK_HOME\lib\java\jdom-1.0.jar
SDK_HOME\lib\java\jsafe-3.6.jar
SDK_HOME\lib\java\jsafeJCE-3.6.jar
SDK_HOME\lib\java\log4j-1.2.11rsa-3.jar
SDK_HOME\lib\java\ognl-2.6.7.jar
SDK_HOME\lib\java\spring-2.0.7.jar
SDK_HOME\lib\java\systemfields-o.jar
SDK_HOME\lib\java\ucm-client.jar
SDK_HOME\lib\java\wlfullclient.jar
SDK_HOME\lib\java\com.bea.core.process_5.3.0.0.jar
SDK_HOME\lib\java\am-client.jar
The connector's own .jar file, agtrsaam.jar, is located in the Bravura Security agent directory:
<Bravura Security agent dir>\agtrsaam.jar
The Bravura Security agent directory is:
<Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\agent
or
<Program Files path>\Bravura Security\Connector Packs\global\agent
The SDK installation directory will be used when configuring the RSA Authentication Manager 7.1/8.2 target system address.
Copy the updated am-client.jar file from the Authentication Manager server to the <SDK_HOME>\lib\java directory on the Bravura Security Fabric server.
RSA Authentication Manager SDK 8.x (Java Administrative API)
Before you can target RSA Authentication Manager 8.x, you must copy the required files for the RSA Authentication Manager 8.x SDK and install Java RunTime 1.6.x, 1.7.x, or 1.8.x 64-bit on the Bravura Security Fabric server.
To set up the RSA Authentication Manager 8.x SDK:
Copy the RSA Authentication Manager 8.x SDK (Java Admin API) to the Bravura Security Fabric server. The RSA Authentication Manager SDK can be obtained from the RSA Link Community web site within the am-8.0-SDK.zip and am-8.1-SDK.zip files or in the RSA Authentication Manager 8.x Extras zip files available from Download Central.
The set of .jar files for the SDK can be found within the lib\java directory.
Copy files required to run the client to the <SDK_HOME>\lib\java directory, where <SDK_HOME> is the home directory of the RSA Authentication Manager 8.x SDK.
The <SDK_HOME> SDK installation directory will be used when configuring the RSA Authentication Manager 7.1/8.2 target system address.
Setting the Command Client credentials
RSA Authentication Manager 7.1/8.2 uses a command client user name and password for secure connections to its command server. Use the RSA Authentication Manager 7.1/8.2 Manage Secrets utility to get these values. They are used for the System credentials when adding an RSA Authentication Manager 7.1/8.2 target system to Bravura Security Fabric.
To obtain the command client user name and password:
Connect to your RSA Authentication Manager server virtual appliance using an SCP or SSH client.
Navigate to the <RSA_AM_HOME>/utils directory and enter the following command:
rsautil manage-secrets --action list
Enter the RSA Authentication Manager super user’s master password when you are prompted.
The system will display a list of internal system credentials.
Locate the command client user name and password in the list of credentials, and copy them for later use. For example:
Command Client User Name .................: CmdClient_1dckyzfx
Command Client User Password .............: e9SHbK0W4i
For more information, see "Setting the Command Client User Name and Password" in the "RSA Authentication Manager 8.x Developer’s Guide", which is installed with the RSA Authentication Manager 7.1/8.2 SDK as described in Configuring the RSA Authentication Manager 7.1/8.x Command Client credentials and software.
Enabling SSL
SSL for RSA Authentication Manager 7.1
To enable SSL communication between the Bravura Security Fabric server and the RSA Authentication Manager 7.1 server when using the Java Admin API:
Import the Server Root Certificate.
RSA Authentication Manager 7.1 stores a self-signed root certificate in RSA_AM_HOME\server\security\server_name.jks. You must export the root certificate from that file, copy the exported file to the Bravura Security Fabric server, and then import it into the keystore of the Bravura Security Fabric server.
See "Importing the Server Root Certificate" in the "RSA Authentication Manager 7.1 Developer’s Guide" for details.
Copy the license.bea file from RSA_AM_HOME\appserver\ to the <SDK_HOME> directory.
SSL for RSA Authentication Manager 8.x
To enable SSL communication between the Bravura Security Fabric server and the RSA Authentication Manager 8.x server when using the Java Admin API:
Generate the Server Root Certificate:
Open Internet Explorer using the "Run as administrator" option.
Browse to the web address for the SSL port of the RSA Authentication Manager 8.x server; for example: https://<servername>:7002
A 404 not found web page opens.
Right click anywhere on the page and select Properties to open the page’s properties dialog box.
Click Certificates to open the certificate dialog box.
Click the Certification Path tab, select the tree’s root certification path, and then click View Certificate.
The RSA Authentication Manager server’s root certificate dialog box will open.
Click the Details tab and then the Copy to File button.
Windows will open the Certificate Export Wizard.
Click the Next button on the Welcome page.
Select the DER encoded binary X.509 (.CER) radio button for the format on the Export File Format page and click the Next button.
Save the certificate file to a location on the Bravura Security Fabric server.
Once you have the server root certificate file, you must import it into the keystore of the Bravura Security Fabric server.
Change directories to <JAVA_HOME>/jre/bin and execute the following sample command to import the certificate file:
keytool.exe -import -keystore <RSA_SDK_HOME>/lib/java/trust.jks -storepass <CACERTS_KEYSTORE_PWD> -file <RSA_AM_ROOT_CERT> -alias rsa_am_ca -trustcacerts
See "Importing the Server Root Certificate" in the "RSA Authentication Manager 8.0, 8.1, or 8.2 Developer’s Guide" for details.
If the SSL certificate has changed on the RSA Authentication Manager 7.1/8.2 server, a new server root certificate file will need to be generated and imported again to create a new trust.jks certificate keystore file.
Configuring a target system administrator
An administrative account (usually called psadmin) is required to connect to RSA Authentication Manager 7.1/8.2.
Create a new user on the RSA Authentication Manager server and assign them an administrative role. The administrative role requires the following minimum rights to list and authenticate users:
In General Permissions:
Manage Security Domains - Security Domains View
Manage Users - User View
Manage Groups - Groups View
In Authentication Permissions:
Manage SecurID Tokens - SecurID Tokens View
Include "Edit" rights if you want to allow Bravura Security Fabric to reset and verify tokens.
See https://community.rsa.com/t5/securid-authentication-manager/tkb-p/authentication-manager-documentation for more information about RSA Authentication Manager 7.1/8.2 administrative roles.
You must enter these credentials, along with the client credentials you set up in Setting the Command Client credentials, when you set up the RSA Authentication Manager 7.1/8.2 target.
Targeting an RSA Authentication Manager 7.1/8.x server
Add an entry for each RSA Authentication Manager 7.1/8.2 to the Bravura Security Fabric configuration database:
Type is RSA Authentication Manager 7.1/8.2 .
Address uses the options described in the table below.
Set the administrator credentials to those of the account you set up in Configuring a target system administrator; Bravura Security Fabric uses them to log into the RSA Authentication Manager 7.1/8.2 server.
Do not select the system account checkbox for this account.
Add a second target system administrator using the system credentials for the Command Client user from Setting the Command Client credentials. In Bravura Pass 6.x, enter the ID in the System IDs section. In Bravura Security Fabric, including Bravura Pass 7.0 or higher, select the System account checkbox for this account.
Enable auto-association, or, if manually associating accounts, ensure that user IDs are identical to Bravura Security Fabric profile IDs; user IDs must match Bravura Security Fabric profile IDs.
The full list of target system parameters is explained in Target System Options.
Here is a sample RSA Authentication Manager 7.1/8.2 target system address syntax:
{serverUrl=t3s://<ip address>:7002;rsaApiPath=c:\rsa.sdk;certStore=c:\rsa.sdk\lib\java\trust.jks;realm=SystemDomain;version=8;javaRuntimeVersion=1.8;pinLength=8;pinCharset=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ;}
| Option | Description |
|---|---|
| URL | The non-SSL (t3) or SSL (t3s) server URL for the RSA Authentication Manager 7.1/8.2 server. For example: t3://<ip address>:<port> or t3s://<ip address>:<ssl port>. The default non-SSL port is 7011. The default SSL port is 7002. You can look up the actual ports being used in the config.xml file on the RSA server. For RSA Authentication Manager 8.x, SSL is the recommended configuration for the server URL. (key: serverUrl) |
| RSA API path | This is where the Java API files are located for the SDK installation directory <SDK_HOME>. For example: C:\rsa.sdk (key: rsaApiPath) |
| RSA certificate store | This is the location of the certificate keystore file that was generated when importing the server root certificate file. For example: C:\rsa.sdk\lib\java\trust.jks (key: certStore) |
| Java Virtual Machine Properties | Provides the ability to specify additional JVM properties in order to change the supported version for the WebLogic security layer during SSL negotiation and the minimum protocol version. The format is specified as a KVGroup. For example: {weblogic.security.SSL.minimumProtocolVersion=TLSv1.2; weblogic.security.SSL.protocolVersion=TLSv1.2;}; {weblogic.security.SSL.minimumProtocolVersion=SSLv3; weblogic.security.SSL.protocolVersion=TLSv1.2;}; (key: jvmProperties) |
| Security realm | RSA Authentication Manager 7.1: if the security realm is not specified or is set to *, then the default is the first security realm found. RSA Authentication Manager 8.x: currently only SystemDomain is supported; the default value if not specified or set to * is SystemDomain. (key: realm) |
| Sub-domain (defaults to entire realm) | A sub-domain under the realm or security domain may be specified. If left blank, then the entire realm or security domain is used. (key: domain) |
| List domains recursively | Check this option in order to search recursively for sub-domains within the realm or security domain, or within the sub-domain if one is specified. All of the sub-domains under the specified domain will be searched. If this option is unchecked, then only the realm or security domain, or the sub-domain if one is specified, will be searched; the domain will not be searched recursively. The Security Domain set for the SecurID tokens is what is used when listing users for the specified realm or security domain and specified sub-domains. Ensure that this is set correctly for the SecurID tokens of existing users as well as for unassigned tokens that will be added to the inventory. (key: recursive) |
| Version | This is the version of the RSA Authentication Manager 7.1/8.2 server. This value can be set to 7 or 8. (key: version) |
| Java runtime version | This is the version of the Java RunTime Environment to use for the target. It should be set to 1.5 for RSA Authentication Manager 7.1, or 1.6, 1.7, or 1.8 64-bit for RSA Authentication Manager 8.x. If left blank, then the currently installed version of Java is used. (key: javaRuntimeVersion) |
| Generated PIN length | The token PIN length that is used when setting a PIN or when the PIN is system generated for a user’s token. The value for Generated PIN length cannot be greater than the Maximum Length or less than the Minimum Length for the PIN Format of the Token Policy on the RSA Authentication Manager 7.1/8.2 server. It is recommended that the PIN length be set to the Maximum Length for the PIN Format that is defined for the Token Policy on the RSA Authentication Manager 7.1/8.2 server. If left blank, the Token Policy on the RSA Authentication Manager 7.1/8.2 server is looked up and the Minimum Length for the PIN Format is used for the Generated PIN length field. (key: pinLength) |
| Generated PIN character set | The character set that is used when setting a PIN or when the PIN is system generated for a user’s token. If the Character Requirements for the PIN Format of the Token Policy on the RSA Authentication Manager 7.1/8.2 server is set to "Allow alphanumeric PINs", then this value should be set to the full alphanumeric character set (the digits and the lower- and upper-case letters, as in the sample address above). This value can also optionally be restricted to a shorter list of alphanumeric characters. If the Character Requirements is set to "Require numeric PINs", then this value must be set to the digits only, so that anything that is not numeric is disallowed. If left blank, the Token Policy on the RSA Authentication Manager 7.1/8.2 server is looked up and its Character Requirements for the PIN Format is used for the Generated PIN character set field. (key: pinCharset) |
| Include expired tokens | Check this parameter to allow users whose SecurID authenticators have expired to still be included during listing. Uncheck to only include the authenticators that are not currently expired. By default this option is checked, listing both expired and non-expired SecurID authenticators for the users. (key: expired) |
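The address syntax and the PIN options in the table above lend themselves to a small pre-deployment check. The following is an added example, not Bravura Security's or RSA's code: it parses the {key=value;...} address format, flags the options a reviewer would query (a non-SSL t3 URL, a minimumProtocolVersion below TLSv1.2, a JRE version outside the supported set, a missing certStore) and generates a PIN under the pinLength and pinCharset rules. The brace syntax for a nested jvmProperties group and the sample host 192.0.2.10 are assumptions.

```python
"""Added example: parse and sanity-check an RSA Authentication Manager target address in the
{key=value;...} syntax shown on this page, then generate a PIN under the pinLength/pinCharset
rules from the option table. Assumed (not from the page): a nested jvmProperties group uses the
same brace-and-semicolon syntax as the outer address; 192.0.2.10 is a constructed sample host."""
import secrets
import string

JRE_FOR_VERSION = {"7": {"1.5"}, "8": {"1.6", "1.7", "1.8"}}  # supported JREs per the page
WEAK_MIN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}            # anything below TLSv1.2


def _skip_ws(text, i):
    while i < len(text) and text[i].isspace():
        i += 1
    return i


def _parse_group(text, i):
    """Parse one '{...}' group starting at text[i]; return (dict, index just past '}')."""
    if i >= len(text) or text[i] != "{":
        raise ValueError("KVGroup must start with '{'")
    group, i = {}, i + 1
    while True:
        i = _skip_ws(text, i)
        if i >= len(text):
            raise ValueError("unterminated KVGroup")
        if text[i] == "}":
            return group, i + 1
        eq = text.find("=", i)
        key = text[i:eq].strip() if eq >= 0 else ""
        if not key or ";" in key or "}" in key:
            raise ValueError(f"malformed key near offset {i}")
        i = _skip_ws(text, eq + 1)
        if i < len(text) and text[i] == "{":
            value, i = _parse_group(text, i)  # nested group, e.g. jvmProperties
        else:
            end = text.find(";", i)           # plain values contain no ';'
            if end < 0:
                raise ValueError(f"value for {key} not terminated by ';'")
            value, i = text[i:end].strip(), end
        i = _skip_ws(text, i)
        if i < len(text) and text[i] == ";":
            i += 1
        group[key] = value


def parse_kvgroup(text):
    """Parse a complete target address; anything after the final '}' is an error."""
    text = text.strip()
    group, end = _parse_group(text, 0)
    if end != len(text):
        raise ValueError("trailing data after closing brace")
    return group


def check_address(addr):
    """Return the findings a reviewer would raise; an empty list means the address looks sane."""
    findings = []
    url, version = str(addr.get("serverUrl", "")), str(addr.get("version", ""))
    if version not in JRE_FOR_VERSION:
        findings.append("version must be 7 or 8")
    if url.startswith("t3s://"):
        if "certStore" not in addr:
            findings.append("t3s:// needs certStore pointing at the trust.jks keystore")
    elif url.startswith("t3://"):
        # Admin API traffic, including the Command Client credentials, would travel unencrypted.
        findings.append("serverUrl uses non-SSL t3://; t3s:// is recommended and required for 8.x")
    else:
        findings.append("serverUrl must start with t3:// or t3s://")
    jre = addr.get("javaRuntimeVersion")
    if jre and version in JRE_FOR_VERSION and jre not in JRE_FOR_VERSION[version]:
        findings.append(f"javaRuntimeVersion {jre} is not supported with version {version}")
    jvm = addr.get("jvmProperties")
    if isinstance(jvm, dict):
        minimum = jvm.get("weblogic.security.SSL.minimumProtocolVersion")
        if minimum in WEAK_MIN_PROTOCOLS:
            findings.append(f"minimumProtocolVersion={minimum} permits protocols older than TLSv1.2")
    charset = str(addr.get("pinCharset", ""))
    if len(set(charset)) != len(charset):
        findings.append("pinCharset has duplicate characters, which biases generated PINs")
    return findings


def generate_pin(addr, policy_min, policy_max, numeric_only):
    """Generate a PIN from pinLength/pinCharset, falling back to the Token Policy as the option
    table describes: the policy's minimum length and its character requirement."""
    length = int(addr["pinLength"]) if addr.get("pinLength") else policy_min
    default_set = string.digits if numeric_only else string.digits + string.ascii_letters
    charset = str(addr.get("pinCharset") or default_set)
    if not policy_min <= length <= policy_max:
        raise ValueError(f"pinLength {length} is outside the Token Policy range {policy_min}-{policy_max}")
    if numeric_only and not set(charset) <= set(string.digits):
        raise ValueError("Token Policy requires numeric PINs but pinCharset contains non-digits")
    return "".join(secrets.choice(charset) for _ in range(length))


# Constructed sample: the address syntax from this page plus a jvmProperties group.
SAMPLE_ADDRESS = (
    "{serverUrl=t3s://192.0.2.10:7002;rsaApiPath=c:\\rsa.sdk;"
    "certStore=c:\\rsa.sdk\\lib\\java\\trust.jks;realm=SystemDomain;version=8;"
    "javaRuntimeVersion=1.8;pinLength=8;"
    "pinCharset=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ;"
    "jvmProperties={weblogic.security.SSL.minimumProtocolVersion=TLSv1.2; "
    "weblogic.security.SSL.protocolVersion=TLSv1.2;};}"
)
```

Run `check_address(parse_kvgroup(...))` against a candidate address before saving the target; an empty result means none of the checks above fired.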
Managing templates and tokens
The Java Admin API is required for this feature.
You do not need to set up model accounts on an RSA Authentication Manager 7.1/8.2 target in order to provision tokens. Tokens are associated with Bravura Identity inventory templates; however, the templates do not need to be linked to accounts. If a token is provisioned to a user who doesn’t already have an account on the RSA Authentication Manager server, the user account is added. Nonetheless, you should create model accounts if you want to set up user accounts with token extension data.
Document each login ID and the parameters set for the account. You will need to reference this information when you select accounts to use as templates.
See also
Transferring token extension data
If you create token extension data associated with user defined attributes, the token’s extension data is not removed when the user is deleted. When the token is re-assigned to another user, the new user inherits the token extension data of the previous user.
Handling account attributes
The Java Admin API is required for this feature.
Bravura Identity explicitly handles the following attributes and pseudo-attributes when creating or modifying RSA Authentication Manager 7.1/8.2 accounts:
_deleteUserAccount Set to false by default, so that a user’s account on the RSA Authentication Manager server remains when all tokens have been removed from the user. If true, the user’s account is deleted when the user has no tokens.
According to the RSA Authentication Manager 7.1/8.2 API documentation, a user with no tokens will be deleted only if:
The user is not an administrator
The user is not enabled on any Agent Host
The user does not belong to any group
The user record has no extension fields
user_account_status / user_token_status These two attributes are both set to false by default. Override and configure these attributes to be set to a specified value on create. Add a boolean-type profile attribute and map it to these target system attributes. When creating a new user, set these two attributes to true.
_userPassword This attribute is used to set the user password for the actual RSA user; for example, when logging in to the RSA Self-Service Console using the password authentication method.
The password field that is normally set for a user’s account when creating a new user on the Bravura Security Fabric server, or when resetting their password, is different: it is used to set or reset the token PIN that is assigned to the RSA user.
The user password and the token PIN are specified separately because they will generally and very likely have different password policies. The passwords will each need to be set according to the policies defined on the RSA Authentication Manager 7.1/8.2 server.
The _userPassword target attribute should be overridden and configured to be set to the specified value on create. The profile attribute should also be set to the password type and mapped to the target attribute.
Add RSA Authentication via connector authentication chain module
You can integrate RSA Authentication Manager authentication in Bravura Security Fabric by configuring a custom authentication chain, using the agent.pss authentication module with the RSA Authentication Manager 7.1/8.2 connector agtrsaam , to perform a challenge-response operation.
The following case illustrates how to integrate RSA Authentication Manager authentication in Bravura Security Fabric :
Note
If the requirements include using this target for authentication and do not need the other administrative features from the Java Administrative API, it is simpler and requires less maintenance to install only the C Authentication API. If you do need administrative features and also require authentication failover, which only the C Auth API provides, it is recommended to install both APIs.
Optional: Configure RSA Authentication Manager 7.1/8.2.
Optional: Add the system as an RSA Authentication Manager 7.1/8.2 target system .
Alternatively, if an actual RSA Authentication Manager 7.1/8.2 target system is not being used and only the challenge response authentication operation for the agtrsaam connector is to be used, the following steps must be taken:
Add an RSA Authentication Manager 7.1/8.2 target system.
Leave the target system address parameters as defaults or provide any value for each of the parameters.
Uncheck the List accounts option for the target system.
Check Automatically attach accounts for the target system.
Manually create a <TARGETID> .db list file and copy it to the <instance>\psconfig\ directory.
A sample targetid.db file is located in the samples directory.
Add data for each user, or run the following queries in SQLite:
INSERT INTO discobj (stableid, type, longid, shortid, displayid, sd) VALUES ("1001","ACCT","rsauser1","rsauser1","RSA Userone",NULL);
INSERT INTO discobjattr (stableid, type, attrkey, attrval, seqno) VALUES ("1001","ACCT","@fullname","RSA Userone","0");
INSERT INTO discobj (stableid, type, longid, shortid, displayid, sd) VALUES ("1002","ACCT","rsauser2","rsauser2","RSA Usertwo",NULL);
INSERT INTO discobjattr (stableid, type, attrkey, attrval, seqno) VALUES ("1002","ACCT","@fullname","RSA Usertwo","0");
The value for the longid field must be the user ID of the RSA Authentication Manager 7.1/8.2 user who will authenticate with their SecurID token.
See also: Creating a list file and copying data from other targets.
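As an added example (not connector code), the script below builds the same discobj and discobjattr rows for a list of RSA user IDs with parameterised statements, so that login IDs taken from an external source cannot alter the SQL, and rejects duplicate login IDs before writing. The table definitions are inferred from the columns used in the INSERT statements above; the sample targetid.db in the samples directory is authoritative for the real layout, so copy that file and insert into it rather than relying on the assumed CREATE TABLE statements.

```python
import sqlite3

# Constructed input: RSA Authentication Manager user IDs (the longid values)
# that will authenticate with SecurID tokens, with a display name for each.
RSA_USERS = [
    ("rsauser1", "RSA Userone"),
    ("rsauser2", "RSA Usertwo"),
]

# Assumed table layout, inferred from the INSERT column lists above. The
# sample targetid.db shipped in the samples directory is the real reference.
SCHEMA = """
CREATE TABLE IF NOT EXISTS discobj (
    stableid TEXT, type TEXT, longid TEXT, shortid TEXT, displayid TEXT, sd TEXT
);
CREATE TABLE IF NOT EXISTS discobjattr (
    stableid TEXT, type TEXT, attrkey TEXT, attrval TEXT, seqno TEXT
);
"""


def build_list_file(path, users, first_stableid=1001):
    """Write one ACCT object plus an @fullname attribute per user.

    Returns the number of accounts written. Raises ValueError on duplicate
    login IDs, which would otherwise produce two ACCT rows for one user.
    """
    login_ids = [login_id for login_id, _ in users]
    if len(set(login_ids)) != len(login_ids):
        raise ValueError("duplicate login IDs in input")

    conn = sqlite3.connect(path)
    try:
        conn.executescript(SCHEMA)
        for offset, (login_id, display_name) in enumerate(users):
            stableid = str(first_stableid + offset)
            # Parameterised statements: the login ID is data, never SQL text.
            conn.execute(
                "INSERT INTO discobj (stableid, type, longid, shortid, displayid, sd) "
                "VALUES (?, 'ACCT', ?, ?, ?, NULL)",
                (stableid, login_id, login_id, display_name),
            )
            conn.execute(
                "INSERT INTO discobjattr (stableid, type, attrkey, attrval, seqno) "
                "VALUES (?, 'ACCT', '@fullname', ?, '0')",
                (stableid, display_name),
            )
        conn.commit()
    finally:
        conn.close()
    return len(users)


def list_account_ids(path):
    """Return the longid values of the ACCT objects in a list file."""
    conn = sqlite3.connect(path)
    try:
        rows = conn.execute(
            "SELECT longid FROM discobj WHERE type = 'ACCT' ORDER BY stableid"
        ).fetchall()
    finally:
        conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    # <TARGETID>.db goes into <instance>\psconfig\; the name here is a placeholder.
    build_list_file("RSAAM.db", RSA_USERS)
    print(list_account_ids("RSAAM.db"))
```

Because List accounts is unchecked for this target, nothing refreshes the file automatically; rerun the script (or the equivalent inserts) whenever a user is added or removed from the set allowed to authenticate with SecurID.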
Add a new custom authentication chain:
Add the Connector package agent (agent.pss) module to the chain. In the module’s settings:
Set Target system to use for address and credentials to the target you created.
Set Password verification operation to ”Challenge response authentication”.
Enable the custom authentication chain.
Add the new custom authentication chain to the DEFAULT_LOGIN chain:
Click Policies > Authentication chains > Front-end login .
Disable the chain so that you can edit it.
Edit the select_chain module to add the new custom authentication chain to the list of Available chains.
Update and enable the DEFAULT_LOGIN chain.
Test the authentication by logging in as an end user associated with the target system.
You will be prompted to enter a valid passcode for the user’s SecurID token.
There will also be additional prompts if the user’s SecurID token is in an extended mode, either New PIN mode or Next Tokencode mode.
Adding a question set for RSA passcode authentication
You can add RSA passcode authentication as an external question set if you want users to define questions or answers to complete their profile.
Ensure that the:
External program provides questions along with answers checkbox is unchecked
Ask user to answer questions from this set checkbox is checked
Number of questions to ask during authentication is set to -1
See Question sets for more information about question sets.
Customizing token login messages
If required, edit the values for the VALIACE* tags in the custom <lang>-<locale>-language.kvg file to make the messages shown to users for the SecurID token authentication prompts within Bravura Security Fabric to be more site or language specific.
Be sure to rebuild the skin files by running make.bat in the \<instance>\design\ directory for the required skin as well as locale and language.
See Altering text "Customization" in the configuration documentation for details.
Troubleshooting
RSA Authentication Agent API (C Auth API)
When authenticating users via challenge response, logs may be obtained from both the Bravura Security Fabric server as well as from the RSA Authentication Manager 7.1/8.2 server to troubleshoot authentication attempts.
Logs from the Bravura Security Fabric server are obtained using the RSA Authentication Agent client software. Instructions below are for RSA Authentication Agent 7.3.3 64-bit.
From RSA Authentication Agent 7.3.3 64-bit:
Open the RSA Control Center client.
Click the Advanced Tools link.
Click the Tracing link.
Check the checkbox for ACECLIENT.
Click the OK button.
RSA Authentication Agent log files may be found here on the Bravura Security Fabric server for authentication attempts performed using the challenge response operation with the agtrsaam connector:
C:\ProgramData\RSA\LogFiles\trace.log
From the RSA Authentication Manager 7.1/8.x server:
Open the RSA Security Console. By default, this is at https://<rsa am server>/sc
Login as an RSA Security Console administrator.
Click Reporting > Real-time Activity Monitors > Authentication Activity Monitor.
Click Start Monitor.
Logs for authentication attempts performed using the challenge response operation with the agtrsaam connector will be shown on this page.
RSA Authentication Manager SDK (Java Admin API)
If you experience any errors:
Verify that Java version 1.5.x 32-bit is installed correctly when targeting RSA Authentication Manager 7.1, including registry settings.
Verify that Java version 1.5.x is in the path environment for psadmin, and it is the first version of Java in the path when targeting RSA Authentication Manager 7.1.
Verify that Java version 1.6.x, 1.7.x, or 1.8.x 64-bit is installed correctly when targeting RSA Authentication Manager 8.x, including registry settings and is the version that is specified for the target system address.
Verify that the non-SSL or SSL server URL is specified correctly for t3 or t3s as well as for the correct server name and port number.
Ensure that the agent directory contains the agtjava.class file. If the agtjava.class file is:
Present in the agent directory, then agtrsaam uses the version of Java defined in the .class file. However, if the defined version of Java cannot be found, this problem is written to the idmsuite.log file.
Missing from the agent directory, then agtrsaam tries to use the CurrentVersion of Java, which is defined in the registry. However, if Java is not installed, this problem is written to the idmsuite.log file.
Ensure that the target system address is set correctly for the intended realm or security domain as well as sub-domains. Check that the Security Domain has been set for the SecurID tokens on the RSA Authentication Manager server that will be used both for listing existing users as well as for listing unassigned tokens.
When running auto-discovery you may find the following error messages in the logs:
Info: Failed to lookup principal.
Info: Unable to find any principals for token [<token_number>] issue [non-existent principal] -- unexpected rsa integrity constraint issue when listing assigned tokens.
Check the target system’s list file in the \<instance>\psconfig\ directory for any token entries that are missing all user attributes and have the short id set to the token number.
If this is the case, you may have an orphaned SecurID token. This may occur if a user ID becomes invalid or is missing but the token is still assigned.
This is possible if a user is from an alternate identity source and they are removed from that source (such as from Active Directory for example). This causes the token to then be orphaned and assigned to <Unknown> in the RSA Security Console.
In this case, other error messages may also appear when attempting to manage a token:
Warning: Cannot find any principals for uid(<Unknown>).
Warning: Failed to find the resource!
Warning: Failed to list the user's attributes.
In this case, the token will need to be unassigned from the <Unknown> user from the RSA Authentication Manager 7.1/8.2 server before it will be available for assignment again.
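To turn the auto-discovery messages above into a list of tokens to unassign in the RSA Security Console, the added example below (not part of the connector or its logging) scans an idmsuite.log excerpt for the "Unable to find any principals for token [...]" message, deduplicates the token numbers, and counts the uid(<Unknown>) warnings that accompany an orphaned assignment. The log excerpt is constructed, and the example assumes each message occupies one log line.

```python
import re

# Constructed idmsuite.log excerpt in the shape of the messages quoted above.
# The same token appears twice, as it would when discovery lists it more
# than once; the final line is unrelated noise that must not match.
SAMPLE_LOG = """\
Info: Failed to lookup principal.
Info: Unable to find any principals for token [000123456789] issue [non-existent principal] -- unexpected rsa integrity constraint issue when listing assigned tokens.
Info: Unable to find any principals for token [000123456789] issue [non-existent principal] -- unexpected rsa integrity constraint issue when listing assigned tokens.
Warning: Cannot find any principals for uid(<Unknown>).
Warning: Failed to find the resource!
Warning: Failed to list the user's attributes.
Info: Unable to find any principals for token [000987654321] issue [non-existent principal] -- unexpected rsa integrity constraint issue when listing assigned tokens.
Info: Listed 42 assigned tokens for token [ignored] context.
"""

# Anchored on the exact message text so other lines mentioning "token [" are ignored.
ORPHAN_TOKEN_RE = re.compile(
    r"Unable to find any principals for token \[(?P<token>[^\]]+)\] issue \[non-existent principal\]"
)
UNKNOWN_UID_RE = re.compile(r"Cannot find any principals for uid\(<Unknown>\)")


def find_orphaned_tokens(log_text):
    """Return (ordered unique token numbers, count of uid(<Unknown>) warnings)."""
    orphaned = []
    seen = set()
    unknown_uid_warnings = 0
    for line in log_text.splitlines():
        match = ORPHAN_TOKEN_RE.search(line)
        if match:
            token = match.group("token")
            if token not in seen:
                seen.add(token)
                orphaned.append(token)
        elif UNKNOWN_UID_RE.search(line):
            unknown_uid_warnings += 1
    return orphaned, unknown_uid_warnings


def orphan_report(log_text):
    """One line per token, ready to hand to the RSA Security Console admin."""
    tokens, unknown = find_orphaned_tokens(log_text)
    lines = [f"unassign token {t} from <Unknown>" for t in tokens]
    lines.append(f"uid(<Unknown>) warnings seen: {unknown}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(orphan_report(SAMPLE_LOG))
```

Cross-check each reported token against the target's list file in <instance>\psconfig\: an entry whose short id is the token number and which carries no user attributes confirms the orphan before anyone unassigns it on the server.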
The following are possible Java error messages that may be encountered during the configuration of the RSA Authentication Manager 7.1/8.2 target. For each error message, a suggested solution is provided.
java.io.IOException: Empty server reply; No available router to destination
Ensure that t3 is specified for non-SSL or t3s for SSL for the server URL in the target system address.
javax.naming.ServiceUnavailableException
Ensure that the server name has been specified correctly for the server URL in the target system address.
javax.naming.CommunicationException Destination unreachable; nested exception is: java.net. ConnectException: Connection refused: connect; No available router to destination
Ensure that the port number has been specified correctly for the server URL in the target system address.
Destination unreachable; nested exception is: javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination
Ensure that the certificate keystore file (example: trust.jks) has been generated correctly.
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
Ensure that the specified path to the certificate keystore file (example: trust.jks) in the target system address is valid.
java.lang.NoClassDefFoundError
Ensure that the path for RSA API path has been specified correctly in the target system address.
javax.ejb.EJBAccessException: [EJB:010160]Security violation: User <anonymous> has insufficient permission
Ensure that the command client credentials have been specified correctly for the RSA Authentication Manager 7.1/8.2 target and that the System password checkbox has been checked.
java.lang.RuntimeException: Exception occurred while reading the license file
Ensure that the license.bea file has been copied somewhere into the path defined for RSA API path in the target system address. This error can also indicate that the directory for the RSA API path is incorrect or has inadequate permissions.
