
Installing and configuring the Java Admin API

Carry out the following steps before targeting an RSA Authentication Manager 7.1/8.2 system in Bravura Security Fabric:

Note

The Java runtime, the RSA Authentication Manager SDK (Java Admin API), and the target address parameters for the RSA Authentication Manager 7.1/8.2 target are not required if the target is used only for authentication through the challenge response authentication operation of the agtrsaam connector.

  1. Copy the RSA Authentication Manager 7.1/8.2 SDK software to the Bravura Security Fabric server. See Configuring the RSA Authentication Manager 7.1/8.x Command Client credentials and software.

  2. Set up the Command Client user name and password for connection from the Bravura Security Fabric server. See Setting the Command Client credentials.

  3. Ensure that Java RunTime 1.5.x is installed on the Bravura Security Fabric server for RSA Authentication Manager 7.1 and Java RunTime 1.6.x, 1.7.x, or 1.8.x 64-bit for RSA Authentication Manager 8.x.

    Caution

    Bravura Security Fabric uses the Java libraries provided with 32-bit Java 1.5.x for RSA Authentication Manager 7.1. Other versions, including those later than 1.5.x or 64-bit, are not suitable.

    Bravura Security Fabric uses the Java libraries provided with 64-bit Java 1.6.x, 1.7.x, or 1.8.x for RSA Authentication Manager 8.x. Other versions, including 64-bit, are not suitable.

  4. Enable SSL if required for RSA Authentication Manager 7.1. SSL is currently recommended and required for RSA Authentication Manager 8.x. See Enabling SSL.

  5. Add the server as an RSA Authentication Manager 7.1/8.2 target system. See Targeting an RSA Authentication Manager 7.1/8.x server.

  6. Optionally, set up RSA token authentication as an authentication method in Bravura Security Fabric. See Add RSA Authentication via connector authentication chain module.

  7. Enable and configure the Manage tokens (PSP) module to allow users to manage their own tokens.

  8. Optionally, configure the Help users (IDA) module to allow help desk users to manage tokens on users’ behalf.

Configuring the RSA Authentication Manager 7.1/8.x Command Client credentials and software

To target RSA Authentication Manager 7.1/8.2, you must copy over the RSA Authentication Manager SDK required files to the Bravura Security Fabric server and configure the RSA Authentication Manager 7.1/8.2 server to set the Command Client credentials to allow connections from the Bravura Security Fabric server.

RSA Authentication Manager SDK 7.1 (Java Administrative API)

Before you can target RSA Authentication Manager 7.1, you must locate and copy the RSA Authentication Manager 7.1 SDK and install Java RunTime 1.5.x 32-bit on the Bravura Security Fabric server.

To set up the RSA Authentication Manager 7.1 SDK:

  1. Locate the RSA Authentication Manager 7.1 SDK.

  2. Copy files required to run the client to the <SDK_HOME>\lib\java directory, where <SDK_HOME> is the home directory of the RSA Authentication Manager 7.1 SDK.

    1. From a command prompt on your Authentication Manager server, change directories to <RSA_AM_HOME>\appserver\weblogic\server\lib\, where <RSA_AM_HOME> is the directory in which you installed RSA Authentication Manager 7.1/8.2.

    2. Type:

      java -jar ..\..\..\modules\com.bea.core.jarbuilder_1.0.0.0.jar -profile wlfullclient

       

    3. Copy the following files from your Authentication Manager server installation directories to the <SDK_HOME>\lib\java directory:

      RSA_AM_HOME\appserver\license.bea

      RSA_AM_HOME\appserver\modules\com.bea.core.process_5.3.0.0.jar

      RSA_AM_HOME\appserver\weblogic\server\lib\wlfullclient.jar

      RSA_AM_HOME\appserver\weblogic\server\lib\wlcipher.jar

      RSA_AM_HOME\appserver\weblogic\server\lib\EccpressoAsn1.jar

      RSA_AM_HOME\appserver\weblogic\server\lib\EccpressoCore.jar

      RSA_AM_HOME\appserver\weblogic\server\lib\EccpressoJcae.jar

  3. Ensure that the following files are located within the SDK installation directory, for example, in this location:

    C:\rsa.sdk

    SDK_HOME\lib\java\axis-1.3.jar;

    SDK_HOME\lib\java\commons-beanutils-1.7.0.jar;

    SDK_HOME\lib\java\commons-discovery-0.2.jar;

    SDK_HOME\lib\java\commons-lang-2.2.jar;

    SDK_HOME\lib\java\commons-logging-1.0.4.jar;

    SDK_HOME\lib\java\iScreen-1-1-0rsa-2.jar;

    SDK_HOME\lib\java\iScreen-ognl-1-1-0rsa-2.jar;

    SDK_HOME\lib\java\ims-client.jar;

    SDK_HOME\lib\java\jdom-1.0.jar;

    SDK_HOME\lib\java\jsafe-3.6.jar;

    SDK_HOME\lib\java\jsafeJCE-3.6.jar;

    SDK_HOME\lib\java\log4j-1.2.11rsa-3.jar;

    SDK_HOME\lib\java\ognl-2.6.7.jar;

    SDK_HOME\lib\java\spring-2.0.7.jar;

    SDK_HOME\lib\java\systemfields-o.jar;

    SDK_HOME\lib\java\ucm-client.jar;

    SDK_HOME\lib\java\wlfullclient.jar;

    SDK_HOME\lib\java\com.bea.core.process_5.3.0.0.jar

    SDK_HOME\lib\java\am-client.jar

    This .jar file will be located in the Bravura Security agent directory:

    <Bravura Security agent dir>\agtrsaam.jar

    The Bravura Security agent directory is:

    <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\agent

    or

    <Program Files path>\Bravura Security\Connector Packs\global\agent

    The SDK installation directory will be used when configuring the RSA Authentication Manager 7.1/8.2 target system address.

  4. Copy the updated am-client.jar file from the Authentication Manager server to the <SDK_HOME>\lib\java directory on the Bravura Security Fabric server.
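
The file list in step 3 can be checked mechanically. The following PowerShell script is an added example, not part of the Bravura Security or RSA documentation; the function name Test-RsaSdkFiles is hypothetical and C:\rsa.sdk is the example location from the text. It reports which of the listed files are present under <SDK_HOME>\lib\java and computes a SHA-256 hash for each, so that the copied files can be compared with hashes taken on the Authentication Manager server.

```powershell
# Added example: pre-flight check of the RSA Authentication Manager 7.1 SDK directory.
# Test-RsaSdkFiles is a hypothetical helper name; C:\rsa.sdk is the example
# SDK location used in the text.
function Test-RsaSdkFiles {
    param([string]$SdkHome = 'C:\rsa.sdk')

    # File names taken from the step 3 list above.
    $required = @(
        'axis-1.3.jar', 'commons-beanutils-1.7.0.jar', 'commons-discovery-0.2.jar',
        'commons-lang-2.2.jar', 'commons-logging-1.0.4.jar', 'iScreen-1-1-0rsa-2.jar',
        'iScreen-ognl-1-1-0rsa-2.jar', 'ims-client.jar', 'jdom-1.0.jar',
        'jsafe-3.6.jar', 'jsafeJCE-3.6.jar', 'log4j-1.2.11rsa-3.jar',
        'ognl-2.6.7.jar', 'spring-2.0.7.jar', 'systemfields-o.jar',
        'ucm-client.jar', 'wlfullclient.jar',
        'com.bea.core.process_5.3.0.0.jar', 'am-client.jar'
    )
    $libDir = Join-Path $SdkHome 'lib\java'

    foreach ($name in $required) {
        $path = Join-Path $libDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # Hash lets you compare the copy with the file on the AM server.
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{ File = $name; Present = $true; SHA256 = $hash }
        } else {
            [pscustomobject]@{ File = $name; Present = $false; SHA256 = $null }
        }
    }
}

$report = Test-RsaSdkFiles -SdkHome 'C:\rsa.sdk'
$report | Format-Table -AutoSize

# Summarize anything that still has to be copied.
$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("Missing from lib\java: " + ($missing.File -join ', '))
}
```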

RSA Authentication Manager SDK 8.x (Java Administrative API)

Before you can target RSA Authentication Manager 8.x, you must copy the required files for the RSA Authentication Manager 8.x SDK and install Java RunTime 1.6.x, 1.7.x, or 1.8.x 64-bit on the Bravura Security Fabric server.

To set up the RSA Authentication Manager 8.x SDK:

  1. Copy the RSA Authentication Manager 8.x SDK (Java Admin API) to the Bravura Security Fabric server. The RSA Authentication Manager SDK can be obtained from the RSA Link Community web site within the am-8.0-SDK.zip and am-8.1-SDK.zip files or in the RSA Authentication Manager 8.x Extras zip files available from Download Central.

  2. The set of .jar files for the SDK can be found within the lib\java directory.

  3. Copy files required to run the client to the <SDK_HOME>\lib\java directory, where <SDK_HOME> is the home directory of the RSA Authentication Manager 8.x SDK.

  4. The <SDK_HOME> SDK installation directory will be used when configuring the RSA Authentication Manager 7.1/8.2 target system address.

Setting the Command Client credentials

RSA Authentication Manager 7.1/8.2 uses a command client user name and password for secure connections to its command server. Use the RSA Authentication Manager 7.1/8.2 Manage Secrets utility to get these values. They are used for the System credentials when adding an RSA Authentication Manager 7.1/8.2 target system to Bravura Security Fabric.

To obtain the command client user name and password:

  1. Connect to your RSA Authentication Manager server virtual appliance using an SCP or SSH client.

  2. Navigate to the <RSA_AM_HOME>/utils directory and enter the following command:

    rsautil manage-secrets --action list

  3. Enter the RSA Authentication Manager super user’s master password when you are prompted.

    The system will display a list of internal system credentials.

  4. Locate the command client user name and password in the list of credentials, and copy them for later use. For example:

      Command Client User Name .................: CmdClient_1dckyzfx 
      Command Client User Password .............: e9SHbK0W4i

For more information, see "Setting the Command Client User Name and Password" in the "RSA Authentication Manager 8.x Developer’s Guide", which is installed with the RSA Authentication Manager 7.1/8.2 SDK as described in Configuring the RSA Authentication Manager 7.1/8.x Command Client credentials and software.

Enabling SSL

SSL for RSA Authentication Manager 7.1

To enable SSL communication between the Bravura Security Fabric server and the RSA Authentication Manager 7.1 server when using the Java Admin API:

  1. Import the Server Root Certificate.

    RSA Authentication Manager 7.1 stores a self-signed root certificate in RSA_AM_HOME\server\security\server_name.jks. You must export the root certificate from that file, copy the exported file to the Bravura Security Fabric server, and then import it into the keystore of the Bravura Security Fabric server.

    See "Importing the Server Root Certificate" in the "RSA Authentication Manager 7.1 Developer’s Guide" for details.

  2. Copy the license.bea file from RSA_AM_HOME\appserver\ to the <SDK_HOME> directory.

SSL for RSA Authentication Manager 8.x

To enable SSL communication between the Bravura Security Fabric server and the RSA Authentication Manager 8.x server when using the Java Admin API:

  1. Generate the Server Root Certificate:

    1. Open Internet Explorer using the "Run as administrator" option.

    2. Browse to the web address for the SSL port of the RSA Authentication Manager 8.x server; for example: https://<servername>:7002

      A 404 not found web page opens.

    3. Right click anywhere on the page and select Properties to open the page’s properties dialog box.

    4. Click Certificates to open the certificate dialog box.

    5. Click the Certification Path tab, select the tree’s root certification path, and then click View Certificate.

      The RSA Authentication Manager server’s root certificate dialog box will open.

    6. Click the Details tab and then the Copy to File button.

      Windows will open the Certificate Export Wizard.

    7. Click the Next button on the Welcome page.

    8. Select the DER encoded binary X.509 (.CER) radio button for the format on the Export File Format page and click the Next button.

    9. Save the certificate file to a location on the Bravura Security Fabric server.

  2. Once you have the server root certificate file, you must import it into the keystore of the Bravura Security Fabric server.

    Change directories to <JAVA_HOME>/jre/bin and execute the following sample command to import the certificate file:

    keytool.exe -import -keystore <RSA_SDK_HOME>/lib/java/trust.jks ^
      -storepass <CACERTS_KEYSTORE_PWD> -file <RSA_AM_ROOT_CERT> ^
      -alias rsa_am_ca -trustcacerts

    See "Importing the Server Root Certificate" in the "RSA Authentication Manager 8.0, 8.1, or 8.2 Developer’s Guide" for details.

    If the SSL certificate has changed on the RSA Authentication Manager 7.1/8.2 server, a new server root certificate file must be generated and imported again to create a new trust.jks certificate keystore file.
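
The imported certificate becomes the trust anchor for every Java Admin API connection, so it is worth checking the exported file before running the keytool import. The following PowerShell script is an added example, not part of the Bravura Security or RSA documentation; the function name Test-RootCertificate, the file path and the expected fingerprint are placeholders, and it assumes the expected SHA-256 fingerprint was obtained from the RSA Authentication Manager administrator over a separate channel rather than from the same browser session.

```powershell
# Added example: check an exported DER (.CER) root certificate before importing
# it into trust.jks. Test-RootCertificate is a hypothetical helper name.
function Test-RootCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Resolve first: .NET does not follow the PowerShell working directory.
    $full = (Resolve-Path -LiteralPath $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full

    # The SHA-256 fingerprint is the hash of the DER-encoded certificate bytes.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $actual = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
    # Accept fingerprints written with colons, spaces or dashes, in any case.
    $expected = ($ExpectedSha256 -replace '[:\s-]', '').ToUpperInvariant()

    $now = Get-Date
    [pscustomobject]@{
        Subject          = $cert.Subject
        NotAfter         = $cert.NotAfter
        SHA256           = $actual
        FingerprintMatch = ($actual -eq $expected)
        # A root certificate names itself as issuer.
        SelfIssued       = ($cert.Subject -eq $cert.Issuer)
        WithinValidity   = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    }
}

# Placeholders: replace with the file saved from the Certificate Export Wizard
# and the fingerprint supplied by the Authentication Manager administrator.
$certFile = 'C:\temp\rsa_am_root.cer'
$expected = '<SHA-256 fingerprint from the AM administrator>'

if (Test-Path -LiteralPath $certFile) {
    $r = Test-RootCertificate -CertPath $certFile -ExpectedSha256 $expected
    $r | Format-List
    if (-not ($r.FingerprintMatch -and $r.SelfIssued -and $r.WithinValidity)) {
        Write-Warning 'Do not import this certificate into trust.jks.'
    }
}
```

After the import, `keytool.exe -list -v -keystore <RSA_SDK_HOME>/lib/java/trust.jks -alias rsa_am_ca` displays the fingerprints of the entry that was stored under that alias.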