Unsupported content

   

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Configuring SecurID authentication

Use this procedure to configure the Authentication Server so it can perform SecurID authentication.

When you perform this procedure, you do not have to restart the Authentication Server if you are making changes to SecurID configuration. However, if you change the SecurID configuration, you must wait the amount of time specified by ReadConfigInterval (described below) until the new configuration values are read.

To configure SecurID authentication

  1. On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
  2. To enable SecurID authentication, enter the following:
    set AuthServer IsSecurIDAuthEnabled true
    By default, SecurID authentication is not turned on. When set to false, all SecurID logon attempts are rejected.
  3. Restart the Authentication Server.
  4. Provide the path to the RSA Authentication Manager's configuration file (sdconf.rec) by entering the following:
    set SecurID ConfigFilePath <filePath>
    where <filePath> provides a local path to the sdconf.rec file.
  5. Do any of the following to set additional configuration options for SecurID:
    • To instruct the RSA Authentication Agent which IP address to use if the Authentication Server has multiple IP addresses, enter the following:
      set SecurID AgentHost <iPAddress>
    • To specify the interval at which SecurID settings are read, enter the following:
      set SecurID ReadConfigInterval <interval>
      where <interval> is the interval in seconds for reloading the configuration file. The valid range is 0 to 86400 (24 hours). The default is 600 seconds.
    • To specify the path to the RSA Authentication Manager's server status file, enter the following:
      set SecurID StatusFilePath <filePath>
      where <filePath> is a local path to that file. If you do not provide a path, a new file is created in the BMC Server Automation /br directory. The default file name is JAStatus.1.
    • To specify the path to the RSA Authentication Manager's optional configuration file (sdopts.rec), enter the following:
      set SecurID OptionsFilePath <filePath>
      where <filePath> is a local path to that file. This configuration file is used to configure a manual authentication load balancing policy.
    • To specify the path to the RSA Authentication Manager's node secret file, enter the following:
      set SecurID NodeSecretFilePath <filePath>
      where <filePath> is a local path to the node secret file.

       More on the node secret file

      The node secret file is created automatically the first time the Authentication Service successfully connects to the RSA Authentication Manager. The default file name is securid. If you do not define a path, the file is automatically created in the BMC Server Automation /br directory. If multiple Application Servers are running on the same host, they should all use the same node secret file.
      If you are running other applications that also use RSA authentication, they might need to share the same node secret file that the Application Server is using. When multiple applications share a node secret file, you must ensure that the Application Server can access the node secret file by granting the appropriate operating system-level permissions to the file. On UNIX, you must grant permission to the bladmin user; on Windows you must grant permission to SYSTEM. Other applications might have similar access requirements.

    • To specify the path to the SecurID log file, enter the following:
      set SecurID LogFilePath <filePath>
      where <filePath> is local path to the log file.
    • To turn on logging, enter the following:
      set SecurID LogToFile true | false
      If set to true, the RSA SecurID module creates log entries in the file specified by the LogFilePath option. By default, this option is set to false.
    • To set the logging level, enter the following:
      set SecurID LogLevel OFF | DEBUG | INFO | WARN | ERROR | FATAL
      By default, this option is set to OFF.

      Note

      SecurID configuration settings are stored in <installDirectory>/br/deployments/<deploymentName>/options/securid-options.properties. You can manually edit this file to specify additional debug options, such as RSA_ENABLE_DEBUG=YES. Refer to the RSA product documentation for a description of supported settings.

  6. Cross-register users in both the SecurID user registry and the RBAC user data base.

     More on cross-registering users

    Users must be registered in both the SecurID user registry and the BMC Server Automation RBAC-based user database. Cross-registration allows users to be authorized for RBAC roles.
    Only users authorized to use BMC Server Automation should be entered into the BMC Server Automation database. Use RBAC to add users to the database. For information about adding users to RBAC, see Creating users.
    BMC Server Automation documentation assumes you know how to add users to the SecurID user registry.

  7. Set up authentication profiles using SecurID authentication on the BMC Server Automation client.
    See System capabilities related to security and the Managing authorizations.
Was this page helpful? Yes No Submitting... Thank you

Comments