Preparation
The agtrsaam connector integrates using two different methods depending on the operations you want to run on the target:
The RSA Authentication Agent API (C Authentication API) is used for SecurID token challenge response authentication of RSA SecurID Authenticators and for extended token authentication support such as for the new pin or next token code mode.
See Installing and configuring the C Authentication API for the C Authentication API requirements and installation information.
The RSA Authentication Manager SDK (Java Administrative API) is used to update and retrieve information from the RSA Authentication Manager 7.1/8.2 command server. It is required for administrative operations such as listing users, token provisioning, enabling/disabling accounts, group management, etc.
See Installing and configuring the Java Admin API for the Java requirements and for installation of the Java Administrative API.
Installing and configuring the C Authentication API
The challenge response authentication operation for agtrsaam prompts users to enter their RSA SecurID Authenticator passcode and interfaces with the RSA Authentication Server to determine if the user should be granted access to Bravura Security Fabric.
The RSA SecurID Authenticator state is determined by agtrsaam. For example, if a PIN or next code is required, agtrsaam can prompt the user accordingly.
To allow authentication from the Bravura Security Fabric server:
Configuring the RSA Authentication Manager server
If Bravura Security Fabric will authenticate users with accounts on an RSA Authentication Manager using the challenge response authentication operation for agtrsaam, you must configure the RSA Authentication Manager server to permit authentication requests from the Bravura Security Fabric server, and install the RSA Authentication Agent client software on the Bravura Security Fabric server.
The following details may vary depending on your version of RSA Authentication Manager. Consult the documentation included with your version of RSA Authentication Manager 7.1/8.2 for more information.
Configure the RSA Authentication Manager server to permit authentication requests from the Bravura Security Fabric servers. In a replicated instance, all application nodes have to be registered with the RSA service. To do this, log into the administration console on the RSA Authentication Manager server.
On RSA Authentication Manager 7.1/8.2:
Click Access > Authentication Agents > Add new.
Type the name of the Bravura Security Fabric server in the Hostname field.
Type the network address in the IP Address field of the Bravura Security Fabric server.
Click Save to add Bravura Security Fabric as a client to the RSA service.
Limiting the RSA authentication to users who have a token
If the RSA Admin API is not installed, so that the connector cannot list users from the RSA application itself, use a synthetic target to provide the list of users who have RSA tokens.
To prevent the RSA authentication from failing for users who don't have RSA accounts, add a user class that contains the list of users with tokens, and add a rule to Manage external data store > hid_authchain_select matching that user class, so that the RSA authentication option is added only for those users.
Setting up the C Authentication API
This section details how to configure the execution of the challenge response authentication operation from agtrsaam.
RSA Authentication Manager accounts can be listed one of three ways:
A specific RSA Authentication Manager target. This requires installing the Java Admin API in addition to the C Authentication API if you want to run administrative operations like listing users and managing tokens. See Installing and configuring the Java Admin API for information on installing the Java Admin API.
Another target system in Bravura Security Fabric. This method only requires the short ID to be passed in. For example, users can be managed on Microsoft Active Directory, provided the short IDs are the same. In this case an authentication chain would be set for all users on an Active Directory target system.
If you do not want to install Java or the RSA Authentication Manager SDK (Java Admin API) to fully configure an RSA Authentication Manager 7.1/8.2 target, and only want to use the agtrsaam connector for the challenge response authentication operation, you can add a target (usually a NULL type) with default values for the target address parameters. These address parameters are left unused when authenticating with challenge response authentication. The target will then only be used for the configuration of the authentication chain for the challenge response authentication operation using the agtrsaam connector. If the connection to the RSA target system is going to be run through a proxy, then the RSA Authentication Agent client software must be installed on all Bravura Security Fabric application nodes as well as on the proxy.
See Add RSA Authentication via connector authentication chain module for more information on the configuration of this custom authentication chain.
In order to set up the RSA Authentication Agent API (C Authentication API) and configure authentication for the Bravura Security Fabric server:
Locate the RSA Authentication Agent API, which may be obtained from the RSA Link Community web site. The following may be used:
RSA SecurID Authentication Agent SDK 8.6.1 Download for C
Note
The keywords to pay attention to when selecting the RSA C API are "Authentication Agent" and "C" to avoid using an agent for the wrong programming language.
From the RSA Authentication Agent API, copy the following files:
lib\64bit\nt\Release\aceclnt.dll
lib\64bit\nt\Release\sdmsg.dll
Also copy the following sample configuration file:
samples\rsa_api.properties
to the Bravura Security Fabric server here:
c:\Windows\System32
Note
Ensure that aceclnt.dll is copied from the above noted location. There are other files with the same name for other RSA client software or APIs and those will not be suitable.
Edit the rsa_api.properties file and add the following to the end of the file:
SDCONF_LOC = C:\Windows\System32\sdconf.rec
SDNDSCRT_LOC = C:\Windows\System32\securid
RSA_LOG_FILE_LOC = C:\Windows\Temp
RSA_BSAFE_LIBRARY_PATH=.
RSA_AGENT_NAME = <rsa agent hostname>
Ensure that <rsa agent hostname> is the Bravura Security Fabric server that is configured on the RSA Authentication Manager server to permit authentication requests.
Start the newly installed RSA Agent software to ensure that you are able to connect to the RSA Authentication Manager server with the agent. An RSA administrator can help with that.
To allow the RSA client to authenticate into the RSA Server, a "node secret" file is established in one of two ways:
Authenticate a user to establish the node secret. This is the simplest option and is recommended by RSA Support: use the client itself, on every node and proxy, to authenticate into the RSA Server.
or
Manually generate the node secret if RSA Administrators do not allow RSA configuration to be pulled from the RSA Agents: copy the files manually from the RSA Server admin console and place them on every application node and proxy; each server must have a different file, containing a different node secret.
If the node secret is ever cleared for the Authentication Agent for the Bravura Security Fabric server in the RSA Security Console, a new node secret will need to be created, exported to a node secret file, and imported onto the Bravura Security Fabric server using one of the two options above.
Authenticate a user to establish the node secret
To use the client itself to authenticate, follow these steps from where Bravura Security Fabric or proxy is installed:
Open the RSA Control Center client.
Click the Advanced Tools link.
Click Test Authentication.
Enter the User Name for a user with a SecurID authenticator.
Enter SecurID Passcode for the SecurID authenticator.
Once the SecurID authenticator has been successfully authenticated, the node secret will be created for the Bravura Security Fabric server.
The following files must then be manually copied to c:\Windows\System32:
c:\program files\common files\rsa shared\auth api\failover.dat
c:\program files\common files\rsa shared\auth data\sdconf.rec
c:\program files\common files\rsa shared\auth data\securid
If the RSA Agent does not create failover.dat it can be generated manually:
Click Access from the menu.
Click Authentication Agents from the sub-menu.
Click Generate Configuration File from the sub-menu.
Click the Generate Configuration File button to generate the failover.dat file.
Copy the failover.dat file to c:\Windows\System32.
Manually generate the node secret file
To manually generate the node secret file on RSA Authentication Manager 7.1/8.2 and import it using agent_nsload:
Select Access from the menu.
Select Authentication Agents from the sub-menu.
Select Manage Existing from the sub-menu.
Select the Authentication Agent from the list and then click on Manage Node Secret... from the drop-down list.
If a node secret file had previously been generated for this Authentication Agent, click the checkbox for Clear the node secret.
Select the checkbox for Create a new random node secret, and export the node secret to a file.
Enter a password for the node secret.
Click Save to generate the node secret file.
Copy the node secret file to a temporary location on the Bravura Security Fabric server.
From the RSA Authentication Agent API, copy the following files to the Bravura Security Fabric server to the same location as the node secret file:
util\64bit\nt\Release_MT\agent_nsload.exe
util\64bit\nt\Release_MT\sdmsg.dll
On the Bravura Security Fabric server, manually load the node secret:
agent_nsload.exe -f nodesecret.rec
Enter the password for the node secret when prompted if one was specified when it was generated on the RSA Authentication Manager server.
A securid file will be generated.
Copy the securid file to c:\Windows\System32.
Note
Ensure you clear the sensitive files from the temporary directory after the configuration is tested; you may need to keep the binaries in case the node secrets are cleared at the server. Keep the configuration files and the node secret files in their installed location.
Ensure that the RSA client configuration file sdconf.rec has been generated for the Authentication Agent of the Bravura Security Fabric server from the RSA Authentication Manager server, and optionally failover.dat.
See Failover to determine if you need failover.dat.
To generate the sdconf.rec and failover.dat files on RSA Authentication Manager 7.1/8.2:
Select Access from the menu.
Select Authentication Agents from the sub-menu.
Select Generate Configuration File from the sub-menu.
Click the Generate Configuration File button to generate the sdconf.rec and failover.dat files.
Copy sdconf.rec and optionally failover.dat to the Bravura Security Fabric server here:
c:\Windows\System32
After the agtrsaam agent is set up, configure and test the C Authentication API.
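Before moving on to the vendor's own tests, the following PowerShell script (an added example, not part of the Bravura Security or RSA documentation) checks the result of the steps above on a Bravura Security Fabric application node or proxy: it verifies that the agent files are in C:\Windows\System32, parses rsa_api.properties for the five required keys, and confirms that SDCONF_LOC and SDNDSCRT_LOC point at files that exist and that RSA_AGENT_NAME is no longer the placeholder. It assumes the files were copied to C:\Windows\System32 exactly as the procedure instructs.

```powershell
# Added example, not code from the Bravura Security or RSA documentation: validates the
# C Authentication API installation described in the procedure above on one node or proxy.
param([string]$Sys32 = (Join-Path $env:SystemRoot 'System32'))

$requiredKeys = 'SDCONF_LOC', 'SDNDSCRT_LOC', 'RSA_LOG_FILE_LOC', 'RSA_BSAFE_LIBRARY_PATH', 'RSA_AGENT_NAME'
$problems = New-Object System.Collections.Generic.List[string]

# 1. Agent DLLs and the properties file must be in System32 (the location the procedure uses).
foreach ($f in 'aceclnt.dll', 'sdmsg.dll', 'rsa_api.properties') {
    if (-not (Test-Path (Join-Path $Sys32 $f) -PathType Leaf)) { $problems.Add("missing $f in $Sys32") }
}

# 2. Parse rsa_api.properties as KEY = value lines; whitespace around '=' is tolerated,
#    blank lines and '#' comments are skipped, and the last duplicate key wins.
$props = @{}
$propFile = Join-Path $Sys32 'rsa_api.properties'
if (Test-Path $propFile -PathType Leaf) {
    foreach ($raw in Get-Content $propFile) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $kv = $line -split '=', 2
        if ($kv.Count -eq 2) { $props[$kv[0].Trim()] = $kv[1].Trim() }
    }
    foreach ($k in $requiredKeys) {
        if (-not $props.ContainsKey($k)) { $problems.Add("rsa_api.properties has no $k entry") }
    }
}

# 3. SDCONF_LOC (sdconf.rec) and SDNDSCRT_LOC (the securid node secret) must name real files;
#    a missing node secret means neither node-secret option has been completed on this host.
foreach ($k in 'SDCONF_LOC', 'SDNDSCRT_LOC') {
    if ($props[$k] -and -not (Test-Path $props[$k] -PathType Leaf)) {
        $problems.Add("$k points at '$($props[$k])', which does not exist")
    }
}

# 4. RSA_AGENT_NAME must be the agent host name registered in the RSA Security Console, not the
#    <rsa agent hostname> placeholder. A mismatch with this host is only a warning, because the
#    registered name may be the short name or the FQDN.
$agent = $props['RSA_AGENT_NAME']
if ($agent -match '^<.*>$') {
    $problems.Add('RSA_AGENT_NAME still contains the <rsa agent hostname> placeholder')
} elseif ($agent) {
    $fqdn = [Net.Dns]::GetHostEntry([Net.Dns]::GetHostName()).HostName
    if ($agent -ne $env:COMPUTERNAME -and $agent -ne $fqdn) {
        Write-Warning "RSA_AGENT_NAME '$agent' matches neither $env:COMPUTERNAME nor $fqdn"
    }
}

# 5. failover.dat is optional (see Failover); its absence is reported for information only.
if (-not (Test-Path (Join-Path $Sys32 'failover.dat') -PathType Leaf)) {
    Write-Warning 'failover.dat not present: failover to a replica for challenge response depends on it'
}

if ($problems.Count -eq 0) { Write-Host 'C Authentication API prerequisites look complete.' }
else { $problems | ForEach-Object { Write-Host "PROBLEM: $_" }; exit 1 }
```

Run it once per application node and proxy, since each host carries its own node secret.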
Configure and test the C Authentication API
Consult the vendor’s documentation for specific configuration information and test the C Authentication API.
Failover
Note the following in regard to failover authentication requests:
Failover authentication requests from a primary RSA Authentication Manager to a replica server are supported natively by RSA with the RSA Authentication Agent API and use of the sdconf.rec and failover.dat.
The replica RSA Authentication Manager servers only provide failover for the SecurID token challenge response authentication.
Failover support for administrative operations is not supported from the replica servers. Administrative operations may only be performed on the primary servers.
If a primary server is unavailable, promote a replica server to primary in order to perform administrative operations. The Bravura Security Fabric instance will also need to be reconfigured to make use of the new primary server for the target and sdconf.rec configuration.
Installing and configuring the Java Admin API
Carry out the following steps before targeting an RSA Authentication Manager 7.1/8.2 system in Bravura Security Fabric:
Note
Java, the RSA Authentication Manager SDK (Java Admin API), and the target address parameters for the RSA Authentication Manager 7.1/8.2 target are not required if only authentication using the challenge response authentication operation for the agtrsaam connector is required.
Copy the RSA Authentication Manager 7.1/8.2 SDK software to the Bravura Security Fabric server. See Configuring the RSA Authentication Manager 7.1/8.x Command Client credentials and software.
Set up the Command Client user name and password for connection from the Bravura Security Fabric server. See Setting the Command Client credentials.
Ensure that Java RunTime 1.5.x is installed on the Bravura Security Fabric server for RSA Authentication Manager 7.1 and Java RunTime 1.6.x, 1.7.x, or 1.8.x 64-bit for RSA Authentication Manager 8.x.
Caution
Bravura Security Fabric uses the Java libraries provided with 32-bit Java 1.5.x for RSA Authentication Manager 7.1. Other versions, including those later than 1.5.x or 64-bit, are not suitable.
Bravura Security Fabric uses the Java libraries provided with 64-bit Java 1.6.x, 1.7.x, or 1.8.x for RSA Authentication Manager 8.x. Other versions, including 32-bit, are not suitable.
Enable SSL if required for RSA Authentication Manager 7.1. SSL is currently recommended and required for RSA Authentication Manager 8.x. See Enabling SSL.
Add the server as an RSA Authentication Manager 7.1/8.2 target system. See Targeting an RSA Authentication Manager 7.1/8.x server.
Optionally, set up RSA token authentication as an authentication method in Bravura Security Fabric. See Add RSA Authentication via connector authentication chain module.
Enable and configure the Manage tokens (PSP) module to allow users to manage their own tokens.
Optionally, configure the Help users (IDA) module to allow help desk users to manage tokens on users’ behalf.
Configuring the RSA Authentication Manager 7.1/8.x Command Client credentials and software
To target RSA Authentication Manager 7.1/8.2, you must copy over the RSA Authentication Manager SDK required files to the Bravura Security Fabric server and configure the RSA Authentication Manager 7.1/8.2 server to set the Command Client credentials to allow connections from the Bravura Security Fabric server.
RSA Authentication Manager SDK 7.1 (Java Administrative API)
Before you can target RSA Authentication Manager 7.1, you must locate and copy the RSA Authentication Manager 7.1 SDK and install Java RunTime 1.5.x 32-bit on the Bravura Security Fabric server.
To set up the RSA Authentication Manager 7.1 SDK:
Locate the RSA Authentication Manager 7.1 SDK.
Copy files required to run the client to the <SDK_HOME>\lib\java directory, where <SDK_HOME> is the home directory of the RSA Authentication Manager 7.1 SDK.
From a command prompt on your Authentication Manager server, change directories to <RSA_AM_HOME>\appserver\weblogic\server\lib\, where <RSA_AM_HOME> is the directory in which you installed RSA Authentication Manager 7.1/8.2.
Type:
java -jar ..\..\..\modules\com.bea.core.jarbuilder_1.0.0.0.jar -profile wlfullclient
Copy the following files from your Authentication Manager server installation directories to the <SDK_HOME>\lib\java directory:
RSA_AM_HOME\appserver\license.bea
RSA_AM_HOME\appserver\modules\com.bea.core.process_5.3.0.0.jar
RSA_AM_HOME\appserver\weblogic\server\lib\wlfullclient.jar
RSA_AM_HOME\appserver\weblogic\server\lib\wlcipher.jar
RSA_AM_HOME\appserver\weblogic\server\lib\EccpressoAsn1.jar
RSA_AM_HOME\appserver\weblogic\server\lib\EccpressoCore.jar
RSA_AM_HOME\appserver\weblogic\server\lib\EccpressoJcae.jar
Ensure that the following files are located within the SDK installation directory, for example, in this location:
C:\rsa.sdk
SDK_HOME\lib\java\axis-1.3.jar;
SDK_HOME\lib\java\commons-beanutils-1.7.0.jar;
SDK_HOME\lib\java\commons-discovery-0.2.jar;
SDK_HOME\lib\java\commons-lang-2.2.jar;
SDK_HOME\lib\java\commons-logging-1.0.4.jar;
SDK_HOME\lib\java\iScreen-1-1-0rsa-2.jar;
SDK_HOME\lib\java\iScreen-ognl-1-1-0rsa-2.jar;
SDK_HOME\lib\java\ims-client.jar;
SDK_HOME\lib\java\jdom-1.0.jar;
SDK_HOME\lib\java\jsafe-3.6.jar;
SDK_HOME\lib\java\jsafeJCE-3.6.jar;
SDK_HOME\lib\java\log4j-1.2.11rsa-3.jar;
SDK_HOME\lib\java\ognl-2.6.7.jar;
SDK_HOME\lib\java\spring-2.0.7.jar;
SDK_HOME\lib\java\systemfields-o.jar;
SDK_HOME\lib\java\ucm-client.jar;
SDK_HOME\lib\java\wlfullclient.jar;
SDK_HOME\lib\java\com.bea.core.process_5.3.0.0.jar
SDK_HOME\lib\java\am-client.jar
This .jar file will be located in the Bravura Security agent directory:
<Bravura Security agent dir>\agtrsaam.jar
The Bravura Security agent directory is:
<Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\agent
or
<Program Files path>\Bravura Security\Connector Packs\global\agent
The SDK installation directory will be used when configuring the RSA Authentication Manager 7.1/8.2 target system address.
Copy the updated am-client.jar file from the Authentication Manager server to the <SDK_HOME>\lib\java directory on the Bravura Security Fabric server.
RSA Authentication Manager SDK 8.x (Java Administrative API)
Before you can target RSA Authentication Manager 8.x, you must copy the required files for the RSA Authentication Manager 8.x SDK and install Java RunTime 1.6.x, 1.7.x, or 1.8.x 64-bit on the Bravura Security Fabric server.
To set up the RSA Authentication Manager 8.x SDK:
Copy the RSA Authentication Manager 8.x SDK (Java Admin API) to the Bravura Security Fabric server. The RSA Authentication Manager SDK can be obtained from the RSA Link Community web site within the am-8.0-SDK.zip and am-8.1-SDK.zip files or in the RSA Authentication Manager 8.x Extras zip files available from Download Central.
The set of .jar files for the SDK can be found within the lib\java directory.
Copy files required to run the client to the <SDK_HOME>\lib\java directory, where <SDK_HOME> is the home directory of the RSA Authentication Manager 8.x SDK.
The <SDK_HOME> SDK installation directory will be used when configuring the RSA Authentication Manager 7.1/8.2 target system address.
Setting the Command Client credentials
RSA Authentication Manager 7.1/8.2 uses a command client user name and password for secure connections to its command server. Use the RSA Authentication Manager 7.1/8.2 Manage Secrets utility to get these values. They are used for the System credentials when adding an RSA Authentication Manager 7.1/8.2 target system to Bravura Security Fabric.
To obtain the command client user name and password:
Connect to your RSA Authentication Manager server virtual appliance using an SCP or SSH client.
Navigate to the <RSA_AM_HOME>/utils directory and enter the following command:
rsautil manage-secrets --action list
Enter the RSA Authentication Manager super user’s master password when you are prompted.
The system will display a list of internal system credentials.
Locate the command client user name and password in the list of credentials, and copy them for later use. For example:
Command Client User Name .................: CmdClient_1dckyzfx
Command Client User Password .............: e9SHbK0W4i
For more information, see "Setting the Command Client User Name and Password" in the "RSA Authentication Manager 8.x Developer's Guide", which is installed with the RSA Authentication Manager 7.1/8.2 SDK as described in Configuring the RSA Authentication Manager 7.1/8.x Command Client credentials and software.
Enabling SSL
SSL for RSA Authentication Manager 7.1
To enable SSL communication between the Bravura Security Fabric server and the RSA Authentication Manager 7.1 server when using the Java Admin API:
Import the Server Root Certificate.
RSA Authentication Manager 7.1 stores a self-signed root certificate in:
RSA_AM_HOME\server\security\server_name.jks. You must export the root certificate out of that file, copy the export file to the Bravura Security Fabric server, and then finally import it into the keystore of the Bravura Security Fabric server.
See "Importing the Server Root Certificate" in the "RSA Authentication Manager 7.1 Developer’s Guide" for details.
Copy the license.bea file from RSA_AM_HOME\appserver\ to the <SDK_HOME> directory.
SSL for RSA Authentication Manager 8.x
To enable SSL communication between the Bravura Security Fabric server and the RSA Authentication Manager 8.x server when using the Java Admin API:
Generate the Server Root Certificate:
Open Internet Explorer using the "Run as administrator" option.
Browse to the web address for the SSL port of the RSA Authentication Manager 8.x server; for example: https://<servername>:7002
A 404 not found web page opens.
Right click anywhere on the page and select Properties to open the page’s properties dialog box.
Click Certificates to open the certificate dialog box.
Click the Certification Path tab, select the tree’s root certification path, and then click View Certificate.
The RSA Authentication Manager server’s root certificate dialog box will open.
Click the Details tab and then the Copy to File button.
Windows will open the Certificate Export Wizard.
Click the Next button on the Welcome page.
Select the DER encoded binary X.509 (.CER) radio button for the format on the Export File Format page and click the Next button.
Save the certificate file to a location on the Bravura Security Fabric server.
Once you have the server root certificate file, you must import it into the keystore of the Bravura Security Fabric server.
Change directories to <JAVA_HOME>/jre/bin and execute the following sample command to import the certificate file:
keytool.exe -import -keystore <RSA_SDK_HOME>/lib/java/trust.jks -storepass <CACERTS_KEYSTORE_PWD> -file <RSA_AM_ROOT_CERT> -alias rsa_am_ca -trustcacerts
See "Importing the Server Root Certificate" in the "RSA Authentication Manager 8.0, 8.1, or 8.2 Developer’s Guide" for details.
If the SSL certificate has changed on the RSA Authentication Manager 7.1/8.2 server, a new server root certificate file will need to be generated and then imported again to create a new trust.jks certificate keystore file.
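The Internet Explorer export steps above, and the re-import needed when the server certificate changes, can be done from a PowerShell prompt on the Bravura Security Fabric server instead. The script below is an added example and not code from the Bravura Security or RSA documentation: it connects to the SSL port, takes the root of the presented chain, writes it as a DER-encoded .CER file, shows the thumbprint so it can be confirmed with the RSA administrator before anything is trusted, and then runs the same keytool import the page gives. The angle-bracket parameters (<servername>, <RSA_SDK_HOME>, <JAVA_HOME>, <CACERTS_KEYSTORE_PWD>) are the page's placeholders, supplied as script parameters; keytool.exe is assumed to be in <JAVA_HOME>\jre\bin as the page states.

```powershell
# Added example, not from the Bravura Security or RSA documentation: fetches the RSA Authentication
# Manager 8.x server root certificate over the SSL port and imports it into <RSA_SDK_HOME>\lib\java\trust.jks.
param(
    [Parameter(Mandatory)] [string]$ServerName,   # <servername> of the RSA Authentication Manager 8.x server
    [int]$Port = 7002,                            # SSL port used by the page's example URL
    [Parameter(Mandatory)] [string]$RsaSdkHome,   # <RSA_SDK_HOME>
    [Parameter(Mandatory)] [string]$JavaHome,     # <JAVA_HOME>
    [Parameter(Mandatory)] [string]$StorePass     # <CACERTS_KEYSTORE_PWD>
)

# Capture the chain the server presents. The callback returns $true only so the handshake
# completes long enough to read the certificates; nothing is sent on this connection.
$script:chainCerts = @()
$callback = [Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:chainCerts = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    return $true
}
$tcp = New-Object Net.Sockets.TcpClient($ServerName, $Port)
try {
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($ServerName)
    $ssl.Dispose()
} finally { $tcp.Close() }
if ($script:chainCerts.Count -eq 0) { throw "no certificate chain received from ${ServerName}:$Port" }

# The root is the last chain element (the server certificate itself when it is self-signed),
# which is what the Certification Path tab's tree root shows in the manual procedure.
$root = $script:chainCerts[-1]
Write-Host "Root subject   : $($root.Subject)"
Write-Host "Root thumbprint: $($root.Thumbprint)"
Write-Host "Valid until    : $($root.NotAfter)"
if ((Read-Host 'Does the thumbprint match the value confirmed by the RSA administrator? (y/N)') -ne 'y') {
    throw 'aborted: root certificate not confirmed'
}

# Write the DER-encoded .CER, the same format the Certificate Export Wizard step selects.
$cerPath = Join-Path $env:TEMP 'rsa_am_root.cer'
[IO.File]::WriteAllBytes($cerPath, $root.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Import with the page's keytool command; -noprompt skips keytool's own confirmation since the
# thumbprint was already confirmed above. keytool creates trust.jks if it does not exist yet.
$keytool = Join-Path $JavaHome 'jre\bin\keytool.exe'
$trust   = Join-Path $RsaSdkHome 'lib\java\trust.jks'
& $keytool -import -noprompt -keystore $trust -storepass $StorePass -file $cerPath -alias rsa_am_ca -trustcacerts
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Show the stored entry so the fingerprint in trust.jks can be compared with the one printed above.
& $keytool -list -v -keystore $trust -storepass $StorePass -alias rsa_am_ca
Remove-Item $cerPath
```

When the server certificate is replaced, delete the old entry first (keytool -delete -alias rsa_am_ca) and rerun the script so trust.jks does not keep the superseded root.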