RSA SecurID authentication


This topic describes the use of RSA SecurID authentication.

TrueSight Server Automation Authentication Server can authenticate users through RSA SecurID. If a user is registered in the role-based access control (RBAC) system of TrueSight Server Automation, that user can authenticate by providing a user name and passcode. The passcode consists of a PIN and the current token code displayed on an RSA SecurID token. In some situations, the user might be prompted for a new PIN before authentication can occur. If the user enters valid information, the Authentication Service issues session credentials to the user.

RSA Authentication Manager does not allow third parties, such as the TrueSight Server Automation Authentication Service, to query the status of a user. When TrueSight Server Automation - Data Warehouse needs to refresh session credentials for a user who authenticates with RSA SecurID, the Authentication Service cannot query RSA Authentication Manager for the status of that user. The Authentication Service can only check the status of the user in the RBAC database. If the user account has not been disabled or deleted in RBAC, the session credentials for that user are always refreshed. If you want to disable or delete an RSA SecurID user, you must disable or delete it in both the RSA Authentication Manager and the RBAC database.

To use RSA SecurID authentication, do the following:

Step 1: Configure the RSA Authentication Manager

Integration of TrueSight Server Automation with SecurID requires a host configuration file, called sdconf.rec. This file provides the address of the RSA Authentication Manager Server and other parameters needed to contact it.

RSA Authentication Agents are used to protect computers and other resources. It is not mandatory to install RSA Authentication Agent on the Application Server. You might install an RSA Authentication Agent to help troubleshoot SecurID. If an RSA Authentication Agent is installed, the TrueSight Server Automation Authentication Service can share the configuration file of that Agent. In that situation, you do not need to perform the following procedure.

  1. Log in to RSA Authentication Manager and define an Authentication Agent host by using the Application Server name or IP address.
  2. Generate a configuration file (sdconf.rec) for the newly created Agent.
  3. Save the sdconf.rec file to the br directory. For example, if TrueSight Server Automation - Data Warehouse is installed in the default location, you would save the file to the following location:

    • (Windows) C:\Program Files\BMC Software\TSSA-DW\br
    • (Unix) /usr/local/bmc/TSSA-DW/br

Step 2: Configure the Authentication Server

Do the following:

  1. Log in to the server where you have installed TrueSight Server Automation - Data Warehouse.
  2. Start the Application Server Administration console (the blasadmin utility).
  3. Enable the SecurID authentication by using the following command:

    set AuthServer IsSecurIDAuthEnabled true

    By default, SecurID authentication is not turned on. When set to false, all SecurID login attempts are rejected.

  4. Provide the path to the configuration file of the RSA Authentication Manager (sdconf.rec) by using the following command:

    set SecurID ConfigFilePath <filePath>

      <filePath> provides a local path to the sdconf.rec file.

  5. Do any of the following steps to set additional configuration options for SecurID:
    • If the Authentication Server has multiple IP addresses, identify the IP address to be used by the RSA Authentication Agent by using the following command:

      set SecurID AgentHost <iPAddress>

    • To specify the interval at which SecurID settings are read, enter the following command:

      set SecurID ReadConfigInterval <interval>

      <interval> is the interval in seconds for reloading the configuration file. The valid range is 0-86400 (24 hours). The default is 600 seconds.

    • To specify the path to the server status file of the RSA Authentication Manager, enter the following command:

      set SecurID StatusFilePath <filePath>

      <filePath> is a local path to that file. If you do not provide a path, a new file is created in the /br directory of TrueSight Server Automation. The default file name is JAStatus.1.

    • To specify the path to the optional configuration file (sdopts.rec) of RSA Authentication Manager, enter the following command:

      set SecurID OptionsFilePath <filePath>

      <filePath> is a local path to that file. This configuration file is used to configure a manual authentication load balancing policy.

    • To specify the path to the node secret file of RSA Authentication Manager, enter the following command:

      set SecurID NodeSecretFilePath <filePath>

      <filePath> is a local path to that file. This file is created automatically when the Authentication Service connects successfully to the RSA Authentication Manager for the first time. The default file name is securid. If you do not define a path, the file is created automatically in the /br directory of TrueSight Server Automation. If multiple application servers are running on the same host, they must all use the same node secret file.

      About multiple applications using RSA authentication

      If you are running other applications that use RSA authentication, they might need to share the same node secret file that the Application Server is using. When multiple applications share a node secret file, you must ensure that the Application Server can access the node secret file by granting the appropriate operating system-level permissions to the file. On UNIX, you must grant permission to the bladmin user. On Microsoft Windows, you must grant permission to SYSTEM. Other applications might have similar access requirements.

    • To specify the path to the SecurID log file, enter the following command:

      set SecurID LogFilePath <filePath>

      <filePath> is a local path to the log file.

    • To turn on logging, enter the following command:

      set SecurID LogToFile true | false

      If set to true, the RSA SecurID module creates log entries in the file specified by the LogFilePath option. By default, this option is set to false.

    • To set the logging level, enter the following command:

      set SecurID LogLevel OFF | DEBUG | INFO | WARN | ERROR | FATAL

      By default, this option is set to OFF.

      About SecurID configuration settings

      SecurID configuration settings are stored in the securid-options.properties file located in the <TSSA-DWInstallationDirectory>/br/deployments/deploymentName/options directory. You can manually edit this file to specify additional debug options, such as RSA_ENABLE_DEBUG. For a complete description of supported settings, refer to the RSA product documentation (https://community.rsa.com/docs/DOC-60094).

  6. Restart the Authentication Service.


    On a Unix operating system, perform the following steps:

    1. Navigate to the <TSSA-DWInstallationDirectory>/br directory.
    2. Type the following command:

      ./blauthservice restart

    On a Windows operating system, perform the following steps:

    1. From a command prompt, type the following command:

      services.msc
    2. In the Services window, select BMC SARA Authentication and then click Restart.
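Before restarting the Authentication Service, it is worth checking that the blasadmin settings entered in Step 2 are consistent with the ranges and dependencies documented above (an out-of-range ReadConfigInterval, LogToFile enabled without a LogFilePath, or SecurID left disabled so that every login is rejected). The following checker is an added example, not BMC tooling; it parses a constructed transcript of the `set` commands and reports problems against the documented defaults.

```python
"""Sanity-check blasadmin 'set SecurID ...' settings from the procedure above.
Added example (not part of BMC's product); defaults and ranges are those
documented for IsSecurIDAuthEnabled, ReadConfigInterval, LogToFile and LogLevel."""
import re

VALID_LOG_LEVELS = {"OFF", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"}
# Matches: set <Module> <Option> <value>   (value may contain spaces or path separators)
SET_RE = re.compile(r"^\s*set\s+(\w+)\s+(\w+)\s+(.+?)\s*$")


def parse_blasadmin(script: str) -> dict:
    """Collect 'set <Module> <Option> <value>' lines into {(module, option): value}."""
    settings = {}
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            settings[(m.group(1), m.group(2))] = m.group(3)
    return settings


def check_securid_settings(s: dict) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if s.get(("AuthServer", "IsSecurIDAuthEnabled"), "false").lower() != "true":
        problems.append("IsSecurIDAuthEnabled is not true: all SecurID login attempts are rejected")
    if not s.get(("SecurID", "ConfigFilePath")):
        problems.append("ConfigFilePath (sdconf.rec) is not set")
    interval = s.get(("SecurID", "ReadConfigInterval"), "600")  # documented default
    if not interval.isdigit() or not 0 <= int(interval) <= 86400:
        problems.append(f"ReadConfigInterval {interval!r} is outside the valid range 0-86400")
    level = s.get(("SecurID", "LogLevel"), "OFF")  # documented default
    if level not in VALID_LOG_LEVELS:
        problems.append(f"LogLevel {level!r} is not one of {sorted(VALID_LOG_LEVELS)}")
    if s.get(("SecurID", "LogToFile"), "false").lower() == "true" and not s.get(("SecurID", "LogFilePath")):
        problems.append("LogToFile is true but LogFilePath is not set; no log will be written")
    return problems


# Constructed sample transcript of the commands from Step 2 (the path is the
# documented Unix default; the interval is deliberately out of range).
SAMPLE_SCRIPT = """
set AuthServer IsSecurIDAuthEnabled true
set SecurID ConfigFilePath /usr/local/bmc/TSSA-DW/br/sdconf.rec
set SecurID ReadConfigInterval 90000
set SecurID LogToFile true
set SecurID LogLevel WARN
"""

if __name__ == "__main__":
    for problem in check_securid_settings(parse_blasadmin(SAMPLE_SCRIPT)):
        print("WARNING:", problem)
```

Run it against a saved transcript of your own blasadmin session; the sample above reports two problems (the interval and the missing log file path).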
