
RSA SecurID Access


September 2018 Cloud Authentication Service Release Highlights

The September release for the RSA SecurID® Access Cloud Authentication Service is now available. In this release, RSA continues to add capabilities that further enhance RSA SecurID Access and raise the bar for customers' security posture, while still supporting convenient access for end users and administrators.

Providing End Users with Device Registration Self-Service

To give end users more autonomy during the device registration process and reduce Help Desk call volume, this month we are introducing a new self-service portal called “My Page”. RSA understands, however, that while user self-service can dramatically improve the efficiency of your multi-factor authentication program, it cannot become the weak link in your security chain. As such, “My Page” provides convenient self-service for your end users while also providing the security you need to safeguard your digital assets.

Using this portal, an end user begins registration by following the step-by-step instructions displayed on screen, which guide them to download the RSA SecurID Authenticate App (from the Apple App Store, Google Play or Microsoft Store). Then, using the installed app, the user scans a displayed single-use QR code containing the information needed to register the app. Finally, the user performs a test authentication to make sure that everything is working as expected. Device Registration in My Page also includes this easy-to-follow video guiding users through the process: https://www.youtube.com/watch?v=mx2c_4p7qo4&feature=youtu.be

 

Administrators can further increase the security of device registration by requiring multi-factor authentication for access to My Page. Check out this short video, RSA SecurID Authenticate Device Registration Using RSA SecurID Access My Page, for tips and tricks on how to configure this and other features.

 

Figure 1.  My Page

 

Supporting Broader User Activity Tracking and Governance

In July, we introduced the Log Events API, a REST-based web services interface allowing customers to retrieve administrator activity log events from the Cloud Authentication Service. This month we’ve added the ability to retrieve end user authentication logs.

 

For greater security visibility across your organization, you can leverage these REST APIs to share this authentication information with your security information and event management (SIEM) solution, such as RSA NetWitness.

In this way, RSA provides you with improved visibility into the activities of both privileged, administrative users and end users for forensic security, governance auditing and troubleshooting purposes.

For more information on these capabilities, refer to Improved Logging for Security and Audit Compliance.

 

Improved Protection of Windows Login: RSA SecurID® Authentication Agent for Windows v7.4

This month, RSA released a new version of the Windows Agent, designed to secure Windows machines when online with our award-winning RSA SecurID® tokens and, when offline, with our industry-leading, unique solution that is trusted by many Fortune 500 companies globally. All of this ensures security from the start, allowing users and administrators to securely and conveniently access their workstations and servers no matter what the situation calls for.

This new agent framework (architecture) provides a path so customers can adopt future releases supporting the use of MFA and updated Authentication Manager capabilities for secure and convenient Windows protection.

Specific to this release are new capabilities which:

  • Expose customers to the updated authentication user interface supported by the latest Microsoft Credential Provider framework, as seen natively in the latest versions of Windows and Windows Server; it is more intuitive and friendlier for users authenticating to their machines
  • Provide customizable user authentication prompts and help texts so end users can securely authenticate to their desktop with minimal friction
  • Provide administrators with several high-value agent improvements aimed at boosting overall user productivity during machine login.

 

Faster Time to Value: Expanded Preconfigured Policies

Last month, RSA SecurID® Access introduced predefined access policy templates in all new cloud accounts to help new customers protect their resources faster. Using these policies, new customers need not create custom access policies before configuring their first application. Instead, they can choose from one of the simple preconfigured policies to associate with their applications. This month, we add an additional preconfigured access policy to the initial three delivered in August. The fourth policy applies a context-driven criterion that uses the Identity Confidence attribute to determine if additional authentication is required. This fourth preconfigured access policy is only available to Premium licensed customers.

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414  

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

RSA SecurID® Access Now Locally Hosted for Australia and New Zealand Organizations

 

Good news for Australia and New Zealand organizations that need to keep critical identity information on-shore: RSA SecurID Access is now locally hosted inside Microsoft Azure data centers in Canberra. Local hosting comes as part of the August 2018 product release, opening the way for more organizations – especially in the areas of government, critical infrastructure and financial services, where local hosting is often a requirement – to benefit from RSA SecurID Access authentication capabilities.

 

RSA SecurID Access Cloud Authentication Service delivers secure access to the extended enterprise as an on-shore SaaS service, rather than having it hosted outside the region. Local hosting enables organizations to comply with legislation governing data privacy in the region, including the Australian Privacy Principles (APPs), as well as with related industry or corporate guidelines. The Microsoft Azure “protected”-level data centers that will provide hosting in Canberra are certified to meet federal security standards and accredited to handle classified defense data.

 

Any organization based anywhere in the world that has operations in the region can benefit from this development – not just Australia- or New Zealand-based organizations, and not just companies in critical sectors. Hosting locally not only keeps critical identity data on-shore, but also improves network latency locally for faster access to cloud applications.

Whatever the reason for adopting RSA SecurID Access Cloud Authentication Service – regulatory compliance, local control, faster application access – organizations that do will be using the most widely deployed multi-factor authentication solution in the world. RSA SecurID Access multi-factor authentication improves security by thwarting attempts to use stolen credentials while still keeping access convenient for legitimate users. This implementation brings those authentication advantages specifically to cloud application access.

 

With the addition of local hosting in Canberra, RSA SecurID Access Cloud Authentication Service is now available in three major regions around the globe, having been previously launched in the EU and US.

August 2018 Cloud Authentication Service Release

The August release for the RSA SecurID® Access Cloud Authentication Service is now available. In this release, RSA continues to add capabilities that further enhance RSA SecurID Access: convenient for end users and administrators, intelligent in providing powerful authentication and analysis, and pervasive in supporting global access across a variety of traditional and cloud use cases.

Facilitating Privileged User Authentication for the Cloud Administration Console

RSA SecurID® Access administrators in your organization have extensive access privileges, so access attempts by these privileged users must be appropriately authenticated. In this release of RSA SecurID® Access, validation of the multifactor authentication policies that govern console access has been improved to prevent accidental user lockout, which would otherwise require a support call to RSA to resolve.

The graphic below shows how the console prevents you from selecting a policy that would lock you out of the console.

 

 

      Fig.1  Warning message to clarify the problems with selected policy

 

Improved Visibility of Cloud Authentication Service User Status

Over the last few months, we have significantly improved the ability of administrators to manage the status of Cloud Authentication Service users.

Past releases delivered capabilities to:

  • Manually enable and disable Cloud Authentication Service users, independent of identity source status for improved local control over user status
  • Automatically disable Cloud Authentication Service users when they become disabled or missing (due to deletion or transfer out of relevant groups) in the identity source directory.
  • Help administrators reverse deletion errors via a two-step delete process. With two-step deletion, deleted users are marked as Pending Deletion, and an automated purge process permanently removes them after seven days. This gives administrators the opportunity to “Un-delete” before the users are permanently purged in case of error.
  • Streamline user maintenance with automated deletion of long-disabled users. Busy administrators who prefer more automated user maintenance can select an option to delete long-disabled users. On by default and set to select users disabled for 90 days, this option can be configured for a different number of days or turned off completely. In this way, all the automated cleanup processes can work together to remove users who no longer need access from the cloud.

In the August release, we’ve improved reporting of user status. The previously available users report now provides better visibility into user status information to help organizations manage their user populations. By exporting the user report file and importing it into a spreadsheet, administrators can quickly identify disabled or deleted (awaiting purge) users for status confirmation and follow-up where needed. In addition, enabled users can be counted for license management purposes.

Below is a sample of the report in spreadsheet format, highlighting the new column.

 

 

      Fig.2  User report

 

For more information on these capabilities, refer to: https://community.rsa.com/docs/DOC-75846

Faster Time to Value: Preconfigured Policies

RSA SecurID® Access now provides predefined access policy templates with all new cloud accounts. Using these policies, new customers need not create custom access policies before they can configure their first application. Instead, they can choose from one of the simple preconfigured policies to associate with their applications. If further customization is desired, these policies can be cloned and modified, while the original copies are kept as templates for future policy definition.

The new policies are shown below.

 

 

      Figure 3.  Preconfigured Policies

Serving a Global Customer Community

The RSA SecurID® Access Cloud Authentication Service is now available in Australia!

Hosted in Microsoft Azure Australia (Canberra), RSA SecurID® Access’s new hosting location enables compliance with Australian and New Zealand Privacy Legislation.  Furthermore, local hosting means faster network performance across the wider Asia-Pacific region.

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96078

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

What is Salesforce? It was the first Software-as-a-Service (SaaS) Customer Relationship Management (CRM) product and is currently the leader with the most market share. So what is SaaS? It is a way of delivering centrally hosted applications over the Internet—as a service. SaaS applications are sometimes called web-based software, on-demand software, or hosted software. What type of data does a CRM contain? Customer and prospect contact information, accounts, leads, and sales opportunities, all in one central location.

 

Since Salesforce stores client personal data it naturally becomes a target for hackers. These hackers want your data and they will stop at nothing to get it.

 

The video showcases me creating a policy that enables a secondary authentication method within the RSA SecurID Access Cloud Authentication Service to protect Salesforce. Thank you for your time in advance!  

 

 

 Here is the link to the RSA SecurID Access Salesforce Implementation Guide: Salesforce - Technology Integrations 

Sly Gittens Website: Lovecybersecurity.com 

Subscribe to my YouTube Channel: http://bit.ly/SlyGittensYouTubeChannel

LinkedIn Profile: https://www.linkedin.com/in/slygittens/

Instagram: https://www.instagram.com/slygittens/

Twitter:  https://twitter.com/SlyGittens

Facebook Networking Group: https://www.facebook.com/groups/ConnectCyberProfessionalstoday/

In the recent What's New in RSA SecurID® Access? post, we are excited to announce the release of the RSA SecurID Access Log Events API, which retrieves administrator and user event logs from the RSA SecurID Cloud Authentication Service. You can use the Log Events REST API to import the log events into your security information and event management (SIEM) solution, such as RSA NetWitness, to ensure security and audit compliance.

 

For more information on this feature – please check out this additional content.

 

July 2018 Cloud Authentication Service and Identity Router (IDR) Release

 

The July release for RSA SecurID Access is now available and contains updates for both the Cloud Authentication Service (CAS) and the Identity Router (IDR). In this release, RSA continues to add capabilities that further enhance RSA SecurID Access: convenient for end users and administrators, intelligent in providing powerful authentication and analysis, and pervasive in supporting access across a variety of traditional and cloud use cases.

Simplifying the Multi-Factor Authentication (MFA) Experience for Users of RADIUS-based Applications

The July release contains multiple improvements to RADIUS support:

  • Eliminating double password prompts: If the RADIUS client (e.g., a VPN) is configured to perform primary (password) authentication, RSA SecurID Access no longer requires the user to enter their password a second, redundant time. Note that this can also help customers align with the latest PCI guidance for VPN logins: under this configuration, RSA SecurID Access prompts for the password and the MFA factor on a single screen, as PCI DSS 3.2 recommends, rather than requesting the second factor sequentially based on the outcome of the primary authentication.
    You can find a video highlighting how this works on RSA Link at: https://community.rsa.com/videos/33333
  • Eliminating extra steps for push-based MFA: When configured, the extra step of selecting an authentication method at each login is no longer required. After the user enters their User ID and password, a push notification is sent automatically. Note: this Auto-Push capability is not enabled when forms of authentication other than passwords are enabled for RADIUS primary authentication.

 

                Fig.1  Auto-push eliminates extra authentication steps

 

Improved Control and Security of Cloud Authentication Service user status

Over the last few months, we have significantly improved the ability of customer administrators to manage the status of the cloud authentication service users.

Past releases have included the ability to manually enable and disable Cloud Authentication Service users, independent of identity source status, and disable Cloud Authentication Service users when they become disabled in the identity source directory.  We have also added a two-step delete process, to help administrators reverse deletion errors. Using the two-step deletion, manually deleted users are marked as Pending Deletion, and an automated purge process permanently removes them after seven days. This gives the administrator the ability to “Un-delete” before the users are permanently purged.

This month, we’ve added a couple of key new capabilities to help organizations address the risks associated with orphaned accounts:

  • Disable missing users: if the sync process cannot find a user in the Identity Source (out of scope or deleted), that user will be disabled in the Cloud Authentication Service.  This improves security: no one can use the Cloud Authentication Service unless they are enabled in the directory. It also supports license management by ensuring that only active Cloud Authentication Service users are enabled for license counting purposes.
  • Delete long-disabled users: for improved efficiency, Cloud Authentication Service users who have been disabled for over 90 days will be marked for deletion automatically. This feature is configurable: it can be turned off or set to a different time threshold (30 to 180 days). In this way, users who are unlikely to use the Cloud Authentication Service in the near future will not appear in lists or searches, making it easier to manage the Cloud Authentication Service tenant. It also improves the efficiency of synchronizations.

 

 

Fig.2  Configurable auto-delete

 

Improving visibility: Administrator activity logs

RSA is providing a new log which records the activity of RSA SecurID Access administrators.  Examples of this type of activity are (list not exhaustive): unlocking a user, changing an authentication policy, adding a new Identity Source.

Customers can leverage the Log Events API which is a REST-based web services interface that allows audit log events to be retrieved from the Cloud Authentication Service. You can use this REST API to import the audit log events into your security information and event management (SIEM) solution, such as RSA NetWitness.

 

In this way, RSA provides customers with improved visibility into the activities of these privileged users for forensic security, governance auditing and troubleshooting purposes.

 

Additional Improvements

A number of miscellaneous security and troubleshooting enhancements were added:

  • Support for HTTP Strict Transport Security (HSTS) forces browsers to use HTTPS when connecting to the SSO web portal and the Cloud Administration Console. This helps protect transactions and login requests against threats such as protocol downgrade attacks and cookie hijacking.
  • Improved visibility of NTP status to aid in troubleshooting
  • Improved support for proxy server configurations when downloading adapter updates and IDR package updates.
  • Enhanced diagnostics for IDR registration errors

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-60102

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID Access an even more convenient and secure solution for your authentication needs.

 

Are you a visual learner? I am too! This video showcases mobile fingerprint biometric authentication. 

 

If you love my video, subscribe to and like my YouTube channel.

"Static passwords are adorable, but sophisticated attackers don’t just bypass them, they utilize them to advance their attack." Verizon Data Breach 2016 Report

 

What is mobile fingerprint biometric authentication?

Fingerprint recognition refers to the automated method of identifying or confirming the identity of an individual based on the comparison of two fingerprints. Fingerprint recognition is one of the most well-known biometrics, and it is by far the most used biometric solution for authentication on computerized systems.

Why use mobile fingerprint biometric authentication with your FortiGate?

If you are granting remote workers access to your internal environment via a FortiGate, it is critical to verify your employees' identities. It is essential to have a multi-factor authentication solution that provides convenience without compromising security. Implementing mobile fingerprint biometric authentication provides the strong second-factor authentication that is needed in today's business environments.

 

Why RSA SecurID Access?

Whether you need two-factor authentication (2FA), multi-factor authentication (MFA) or mobile MFA, RSA offers a wide range of authentication methods including push notifications, SMS, OTP, biometrics, and hardware, software and FIDO tokens. And whether you want to deploy on-premises or go with a SaaS option, RSA SecurID Access has you covered.

 

Follow me on Social Media 

✦ Sly Gittens Website: Lovecybersecurity.com

Subscribe to my YouTube Channel: http://bit.ly/SlyGittensYouTubeChannel

✦ LinkedIn Profile ➜ https://www.linkedin.com/in/slygittens/

✦ Instagram ➜https://www.instagram.com/slygittens/

✦ Twitter ➜ https://twitter.com/SlyGittens

✦ Facebook Networking Group ➜https://www.facebook.com/groups/ConnectCyberProfessionalstoday/

Amazon Web Services #AWS is a subsidiary of Amazon.com, which offers a suite of cloud computing services that make up an on-demand computing platform. AWS has more than 90 services that span a wide range including compute, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools and tools for the Internet of Things. Amazon markets AWS as a service that provides large computing capacity more quickly and cheaply than a client company building an actual physical server farm. RSA SecurID Access, the world’s most widely deployed multi-factor authentication #MFA solution, helps to secure access in a world without boundaries.

RSA SecurID Access provides convenient, secure access to on-premises, #web, #mobile and #cloud applications, and eliminates access blind spots by giving you visibility into and control over access across your organization. RSA SecurID Access offers a broad range of authentication methods including modern mobile multi-factor authenticators (e.g., push notification, one-time password, SMS, and biometrics) as well as traditional hard and soft tokens for secure access to all applications regardless of whether they live on premises or in the cloud.

 

✦ RSA Ready Amazon Technology Integrations: https://community.rsa.com/docs/DOC-72995

If you’ll be connecting to your Identity Source securely, using LDAPS, you’ll need the SSL certificate from your LDAP directory server when configuring the connection in the Cloud Administration Console. Not sure how to get it? We’ve seen our customers use a few different ways to get this certificate. Here are just a couple:

 

  1. Ask your directory server administrator for the certificate chain. Really, it can be that easy. When you add your connection to the LDAP directory (following the steps in your Quick Setup Guide), upload this file in the SSL Certificates section.
  2. Can’t ask your directory server admin or don’t want to? OpenSSL can be an easy way to do it. Here’s how:
    1. After you add your identity router (following the steps in your Quick Setup Guide), access SSH on your identity router using these instructions: https://community.rsa.com/docs/DOC-75833 
    2. From the identity router command line, query the directory server to obtain the certificate chain using the following command:

       

      openssl s_client -showcerts -connect LDAP.SERVER:636

       

      where LDAP.SERVER is the LDAP directory server that has the full certificate chain loaded on it. (You might have to ask your directory server admin to know which directory server to query.)

    3. From the output, copy the sections starting from and including the BEGIN CERTIFICATE line to (and including) the last END CERTIFICATE line. Paste these lines into a local file on your desktop and call it something like ldaps.pem.
    4. When you add your Identity Source connection to the LDAP directory (again following the steps in your Quick Setup Guide), upload this file in the SSL Certificates section.
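As an added example (not part of the original post), the shell helper below does step 3 for you: it reads the output of openssl s_client -showcerts, keeps only the lines from each BEGIN CERTIFICATE through its END CERTIFICATE, writes them to ldaps.pem, and refuses to write an empty file when the server returned no chain. The s_client output embedded for offline testing is a constructed sample with placeholder certificate bodies, not real certificates; LDAP.SERVER is a placeholder as on the page.

```shell
#!/bin/sh
# Added example: build ldaps.pem from `openssl s_client -showcerts` output.

# extract_chain: keep only the PEM certificate blocks from s_client output on stdin,
# i.e. every "-----BEGIN CERTIFICATE-----" line through its "-----END CERTIFICATE-----".
extract_chain() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# count_certs: number of certificates in a PEM stream on stdin (prints 0 if none).
count_certs() {
    grep -c -- '^-----END CERTIFICATE-----$' || true
}

# fetch_chain HOST [PORT]: query the live directory server and print its chain.
# </dev/null closes s_client's stdin so it exits right after the handshake instead
# of waiting for input; stderr is dropped so only the PEM blocks reach stdout.
fetch_chain() {
    host=$1
    port=${2:-636}
    openssl s_client -showcerts -connect "$host:$port" </dev/null 2>/dev/null | extract_chain
}

# save_chain HOST [PORT] [FILE]: write the chain to FILE (default ldaps.pem) and fail
# if nothing came back (wrong host, port closed, plain LDAP on 389, TLS handshake refused).
save_chain() {
    out=${3:-ldaps.pem}
    fetch_chain "$1" "$2" > "$out"
    n=$(count_certs < "$out")
    if [ "$n" -eq 0 ]; then
        echo "no certificates received from $1:${2:-636}" >&2
        rm -f "$out"
        return 1
    fi
    echo "wrote $n certificate(s) to $out"
}

# show_chain FILE: print subject and issuer of every certificate in FILE so you can
# confirm it is your directory server's chain, ending at a CA you expect, before uploading.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Constructed sample of s_client output (placeholder bodies, NOT real certificates),
# used only to exercise the parser offline.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Constructed Lab Root CA
verify return:1
depth=0 CN = ldap.lab.example
verify return:1
---
Certificate chain
 0 s:CN = ldap.lab.example
   i:CN = Constructed Lab Root CA
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDPLACEHOLDERLEAFCERTIFICATEBODYNOTREALAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
 1 s:CN = Constructed Lab Root CA
   i:CN = Constructed Lab Root CA
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDPLACEHOLDERROOTCACERTIFICATEBODYNOTREALAAAAAAAAAAAAAA
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.lab.example
issuer=CN = Constructed Lab Root CA
---
No client certificate CA names sent
---
SSL handshake has read 1100 bytes and written 400 bytes
'

# parse_sample: run the parser over the constructed sample and print the chain it found.
parse_sample() {
    printf '%s' "$SAMPLE_SCLIENT_OUTPUT" | extract_chain
}
```

Against a real server, run save_chain LDAP.SERVER and then show_chain ldaps.pem; the file it writes is what you upload in the SSL Certificates section in step 4.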

Do you have other easy ways to get your LDAPS certificate?  If so, please share your tips and tricks in the comments!

For part two of our multi-part training video series, Jay Guillette returns to present the sequel to his video guide on how to install patches on an RSA Authentication Manager 8.1 server via web browser.

 

Our new topic is . . . Super Administrator Password Reset (see article 000017467 - Unable to login to RSA Authentication Manager Security Console as super admin for the text-based version).

 

We've all had that experience when you try to log in to the Security Console with the password you know worked earlier in the day and it. is. just. not. working. You try again and again. You try your Gmail login password or your bank PIN, your network login password, your mom's maiden name, the name of your favorite pet . . . anything you think it might be, but still your login fails.

 

Fear not, intrepid SecurID admin!  We can help!  Jay's video is a great overview of how to access the Security Console by creating a temporary user who can gain access to the Security Console.  Once in, your temp admin can reset your super admin user's password.  Easy peazy lemon squeezy!

 

Watch the video, 000017467 - Unable to login to RSA Authentication Manager Security Console as super admin, and let us know what you think!

PLEASE NOTE: An RSA Authentication Manager 8.x Web Tier server installed on CentOS is NOT supported by RSA.

 

This UNOFFICIAL GUIDE is intended only for non-production lab testing for partners, customers and RSA employees.

 

For more information on RSA's position on using CentOS with RSA Authentication Manager and RSA Authentication Agents, please see 000016848 - RSA support for Authentication Manager and/or RSA Authentication Agents installed on CentOS.

        

Introduction

An RSA Authentication Manager Web Tier server has three functions:

  • Secure CT-KIP RSA SecurID software token provisioning across untrusted networks (usually the internet).
  • Allowing Self-Service Console (SSC) access to untrusted networks or the internet.
  • Legacy Risk-Based Authentication (RBA) feature in Authentication Manager 8.x. This function has been superseded by SecurID Access Cloud Authentication Service Risk-Based Identity Confidence in the Premium edition.

Of these functions, the first is most important for a secure Authentication Manager 8.3 deployment. The Web Tier is currently provided as Microsoft Windows or Linux software packages that install on a customer-provided server typically deployed in a DMZ. Lab deployments usually operate inside a secured network zone.

It is strongly recommended that customers and partners maintain a non-production lab testing environment to test new versions and configuration changes.

          

Please see the RSA Authentication Manager 8.3 Setup and Configuration Guide, Chapter 5: Installing Web Tiers, Web-Tier Hardware and Operating System Requirements for more details on supported versions of Windows and Red Hat Enterprise Linux (RHEL). Here are the requirements:

Description         Requirements
Hardware            Hard Drive: 2 GB for Web Tier installation
                    Hard Drive: 4 GB, with 20 GB free space for logs and updated component downloads
                    RAM: 2 GB
                    CPU: A CPU with a dual-core processor or better, or 2 or more CPUs.
Ports               External Firewall: 443 HTTPS (TCP)
                    DMZ: 443 HTTPS (TCP)
                    Internal Firewall: 7022 T3S (TCP)
Operating Systems   Red Hat Enterprise Linux 5 Server (64-bit)
                    Red Hat Enterprise Linux 6 Server (64-bit)
                    Red Hat Enterprise Linux 7.4 Server (64-bit)
                    Windows Server 2008 R2 (64-bit)
                    Windows Server 2012 (64-bit)
                    Windows Server 2012 R2 (64-bit)

 

While these are the officially supported servers, it's often difficult for lab/demo usage to get a licensed copy of Microsoft Windows Server or Red Hat Enterprise Linux. CentOS is the free and open source version of RHEL which is nearly 100% compatible. In my testing I have found it's possible to deploy the RSA Web Tier package on a CentOS host after a very trivial modification of the OS. 

This guide is intended to allow a SecurID administrator to configure a CentOS 7 Web Tier in a non-production lab or demo environment based on VMware workstation or ESXi virtualization infrastructure.

 

Task 1: Configuring the CentOS 7 Operating System

Since CentOS is highly configurable with several different distributions, this section will provide step-by-step guidance.

  1. Download the DVD ISO from CentOS. The Everything ISO is too bloated and the Minimal ISO leaves out important tools, so the DVD release is the right one, as it allows you to configure your server at install time.
  2. Build your virtual machine in VMware Workstation or ESXi, or your hypervisor platform of choice. Note that the Web Tier can even be installed on a physical server, which may make sense for some environments, as it typically sits in the DMZ on a network. The VMware step-by-step instructions are beyond the scope of this article. Create the VM with 20 GB of disk, 2 GB of RAM and a single network adapter (see the Web Tier hardware requirements in the RSA Authentication Manager 8.3 Setup and Configuration Guide). I did customize the virtual hardware and removed the printer and sound card defaults since we don't need them for a server. Change the CD/DVD virtual drive to use the CentOS 7 ISO image you downloaded above and increase the memory to 2 GB. I find 2 vCPUs to be overkill for a lab so I kept the single CPU default. Once everything looks good, power on the VM and enter the virtual console.
    VMware create VM customized hardware and ISO image
  3. At this point I find it easiest to get the DNS for the server configured. In my lab network, I have entered an A record for the Web Tier in my lab router's admin interface, which is also my local DNS resolver, and will fill in the same static IP address on the server:
    Adding of Web Tier DNS entry
  4. Now we're ready to proceed with the VMware console install of the CentOS 7 Web Tier. The following screen shots are based on the ESXi web client but it should be similar for workstation. On boot you should see the CentOS Linux 7 installer boot screen, select the first option Install CentOS Linux 7. Follow the screen prompts from there including typing Enter.
    CentOS 7 boot install first option
  5. A bunch of booting events happen and then you'll get to a language selection screen, defaulted to US English. Select the default and then move to the main installation GUI screen. Note anything that's red needs to be selected before the installation can proceed. You have to be careful because it's a lot easier to configure some optional items here rather than later after installation is complete.
    1. First complete the mandatory Installation Destination. Don't forget to also fix the Date & Time time zone to match the Web Tier location. Then highlight the Software Selection option and select it:
      CentOS 7 main installer mandatory selections
    2. Choose the server type. I've found Minimal too bare bones, so Compute Node has more useful utilities. You may be wondering why I didn't select Basic Web Server. I don't want that because the RSA Authentication Manager 8.3 Web Tier package has its own web app server and web server, so we don't want an unneeded web server in the OS.
      CentOS 7 software selection
    3. The last step, and an important one, is configuring the Web Tier server network connection. Select the Network & Host Name option and configure the network. Note that the Ethernet connection defaults to off. Before you switch it on, click the Configure button at the lower left:
      Network and Host Name configuration main screen
      Go through the various tabs. Most settings are left at their defaults, but I turned off IPv6 by choosing Ignore and configured IPv4 as Manual with the static IP configuration I already set up on my DNS server. Set the IP address, subnet mask and gateway, as well as the Host name and Search domains. Note that not all the fields are shown completed below:
      IPv4 detailed configuration
      Finally, turn the network on with the graphical switch at the top right. You should see the connection details and then be able to ping the Web Tier by hostname from another host on the network. Note that the Web Tier installer requires the Web Tier to be resolvable by host name.
      Network and Host Name configuration completed
      Successful DNS resolution and ping from another host on the LAN
    4. You're finally ready to begin the installation, so select that option on the main installer screen. You'll see the installer start installing packages from the DVD ISO. In the meantime, you can set the root password and create the Web Tier user. Set a strong root password, and create the Web Tier user now as a non-root account with another strong password; the Web Tier installer will require this account later.
      Web Tier passwords set
      Finally, the install will complete and you'll be prompted to reboot. You will come to the bash login prompt. Log in as root, then log out again. You can now proceed with the Web Tier software install. This is a lab environment, so the security procedures and Security-Enhanced Linux (SELinux) were not selected, but certainly follow best practices for your environment as they apply.
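Step 3 above notes that the installer requires the Web Tier to be resolvable by host name. The following script is an added example, not part of the original post, for checking that from the Web Tier itself (or any host on the LAN) before you start the installer: it confirms the forward lookup returns the static IP you configured and that the reverse lookup maps back to the same name, since a mismatched PTR record is a common source of later certificate and connectivity confusion. The function names and the hostname/IP placeholders in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the Web Tier host
# resolves by name in both directions before running the RSA Web Tier installer.
# The hostname and IP in the usage comment are placeholders; replace them with your own.

# Forward lookup: print the IPv4 address(es) a name resolves to, one per line.
forward_lookup() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Reverse lookup: print the canonical name an IPv4 address resolves to.
reverse_lookup() {
    getent hosts "$1" | awk '{print $2; exit}'
}

# Return 0 when NAME resolves to EXPECTED_IP and EXPECTED_IP resolves back to
# NAME (exactly, or as its unqualified short name); otherwise explain on stderr
# and return 1. The installer itself only needs the forward lookup to work.
check_web_tier_dns() {
    name=$1
    expected_ip=$2
    short=${name%%.*}

    if ! forward_lookup "$name" | grep -qx "$expected_ip"; then
        echo "forward lookup of $name did not return $expected_ip" >&2
        return 1
    fi
    rname=$(reverse_lookup "$expected_ip")
    case "$rname" in
        "$name"|"$short"|"$short".*) ;;
        *)  echo "reverse lookup of $expected_ip returned '$rname', expected $name" >&2
            return 1 ;;
    esac
    echo "OK: $name <-> $expected_ip"
}

# Usage (placeholder values): ./check-webtier-dns.sh webtier.lab.example.com 192.168.1.50
if [ "$#" -eq 2 ]; then
    check_web_tier_dns "$1" "$2"
fi
```

Run it from a second host as well as from the Web Tier, since the installer screenshot in step 3 shows the name must resolve across the LAN, not just via the local hosts file.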

Task 2: Install and Configure RSA Authentication Manager 8.3 Web Tier Package

  1. We now have a CentOS 7 server with network connectivity that is ready for the RSA Web Tier install. Use your favorite SSH client from your chosen OS and log into the Web Tier. If you haven't already by this point, download the Authentication Manager 8.3 Web Tier package from the /Webtier directory in the Extras .zip file, available from Version Upgrades on RSA Link. See 000034558 - How to download RSA Authentication Manager 8.x full kits and service packs from RSA Link for information on how to download the file.
    Note you must have entitlements to download this file, so contact Customer Support if you get a login or authorization error.
    Handy Tip: You only need the /common and /linux-x86_64 sub directories extracted and copied over to your local VM or PC jump host with LAN access to the Web Tier CentOS 7 server. This way you are not copying over the unneeded /windows directory to a Linux Web Tier server.
  2. Use your favorite SCP tool to copy the /common and /linux-x86_64 subdirectories to a new directory named /tmp/webtier on your CentOS 7 Web Tier server. The screen shots here are based on WinSCP. It's pretty important to have GbE or faster local LAN connectivity to your Web Tier box; for 8.3 it's about 1.7 GB of install files to copy over.
    WinSCP file copy to CentOS 7 Linux server
  3. From here we will follow the steps on how to install a Web Tier on Linux using the command line from chapter 5 of the RSA Authentication Manager 8.3 Setup and Configuration Guide. The documentation for Linux Web Tier installs has been greatly improved over older 8.x versions. Make sure you look at the Web Tier Installation Checklist before you start the installer script and follow the chmod permissions instructions carefully. You'll also need the Web Tier package from the Authentication Manager 8.3 Operations Console before you start the installer script as shown here. The typical service options are selected:
    Web Tier OC configuration and package generation

Task 3: Fix Installer Script Version Check to Allow Install on CentOS 7

STOP HERE. If you just try to continue with the default Web Tier installer script, you'll run into this error:

Installer script prerequisites error

  1. There's an easy fix to fool the installer script OS version check, which isn't that sophisticated. At the command prompt, type cat /etc/redhat-release and you'll see that the file's contents refer to CentOS:
    Release file view
    If you search this subject online, you'll get links regarding Red Hat Enterprise Linux Release Dates, which will give you the contents of this file for RHEL 7.4, which is Red Hat Enterprise Linux Server release 7.4 (Maipo).
  2. Run nano /etc/redhat-release, edit the file accordingly, and save it. Here is the string to copy and paste:
    Red Hat Enterprise Linux Server release 7.4 (Maipo)
    Editing /etc/redhat-release file
  3. Now the installer script can proceed after you answer all the questions, as it will pass the RHEL 7.4 version check:
    WT installer script proceeding successfully
    Depending on how fast your server's storage is, the install should take 20 to 30 minutes. When it finishes, you should see the installer script end with this message:
    Your installation is complete.
    Next Step
    After you exit the Web-Tier Installer, the Web-Tier Update Service connects to the preferred server to install the necessary services. Use the RSA Operations Console to check the status of this process.
    Go to Operations Console > Deployment Configurations > Web-Tier Deployments > Manage Existing.
    The update may take up to 20 minutes to complete.

    Press Enter to exit.
  4. The other key tip I've found is to go ahead and reboot the Web Tier server with a reboot command. It seems the Web Tier bootstrapper doesn't start after the installer finishes, but it will kick off on a reboot. You will know it is working because if you run a top command on the console, Java will be taking up a bunch of CPU cycles:
    Web Tier Java processes
    You also may need to open the HTTPS service using the firewalld command if it's not already open. Search online for the many helpful guides on this. RSA knowledge article 000033006 - Troubleshooting an Update Issue with an RSA Authentication Manager 8.1 Web Tier Deployment is very helpful in troubleshooting Web Tier connectivity issues on Linux. Eventually you will see this happy message on your Operations Console Web Tier configuration screen:
    Web Tier online successful

  5. Finally, go ahead and browse from your lab network to the FQDN of your Web Tier. It's recommended you use Microsoft Edge or Internet Explorer, as you should get an invalid certificate security warning that you can click past. Firefox and Chrome are much stricter (rightfully so) on security, so you probably can't open the Web Tier Self-Service Console on current versions of those browsers. This can be fixed by installing a proper SSL certificate on the Web Tier through the documented procedure. For now, we have the Web Tier up and running. Success!
    Web Tier SSC success!
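The Task 3 steps above (edit /etc/redhat-release, run the installer, reboot, open HTTPS in firewalld, browse to the Self-Service Console) are easy to do by hand but also easy to leave in a half-finished state, in particular leaving the release file claiming to be RHEL so that later patching or inventory tooling misidentifies the box. The script below is an added example, not part of the original post or the RSA Web Tier package: it keeps a backup of the real release file before writing the RHEL 7.4 string, can restore it after the install, opens the https service in firewalld only if it is not already listed, and shows what is listening on 443 and which certificate the Web Tier presents, so you can see the self-signed certificate behind the browser warning in step 5 and later confirm a replacement certificate took effect. The RHEL 7.4 string and the firewalld https service come from the post; the function names, the sample CentOS release string and the host placeholder are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post or the RSA Web Tier package):
# helper functions for Task 3 on a CentOS 7 Web Tier. The release string is the
# one the post says the installer checks for; function names are this example's own.

RELEASE_FILE=/etc/redhat-release
RHEL74_RELEASE='Red Hat Enterprise Linux Server release 7.4 (Maipo)'

# Keep a copy of the real release file, then write the string the installer
# expects. Restore it after the install so the OS reports its true identity.
set_release_string() {
    file=$1
    string=$2
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"
    printf '%s\n' "$string" > "$file"
}

restore_release_file() {
    file=$1
    if [ -f "$file.orig" ]; then
        mv "$file.orig" "$file"
    else
        echo "no backup found for $file" >&2
        return 1
    fi
}

# Return 0 when the release file carries the RHEL 7.4 release the installer looks for.
release_is_rhel74() {
    grep -q 'Red Hat Enterprise Linux Server release 7.4' "$1"
}

# Pure helper: is "https" present in a firewalld service list (the output of
# `firewall-cmd --list-services`)? Splits on whitespace so "https" never matches "http".
https_in_services() {
    for svc in $1; do
        [ "$svc" = "https" ] && return 0
    done
    return 1
}

# Open HTTPS permanently in the active zone and reload, but only if it is not already open.
open_https_firewalld() {
    if https_in_services "$(firewall-cmd --list-services)"; then
        echo "https already open in firewalld"
        return 0
    fi
    firewall-cmd --permanent --add-service=https && firewall-cmd --reload
}

# Show who is listening on 443 (the Web Tier's Java process after the reboot in
# step 4) and the certificate it presents. HOST defaults to this machine's FQDN.
show_web_tier_tls() {
    host=${1:-$(hostname -f)}   # placeholder: your Web Tier FQDN
    ss -tlnp | grep ':443 ' || echo "nothing listening on 443 yet (did you reboot?)"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Usage on the Web Tier, as root:
#   set_release_string "$RELEASE_FILE" "$RHEL74_RELEASE"   # before running the installer
#   restore_release_file "$RELEASE_FILE"                   # after the installer finishes
#   open_https_firewalld && show_web_tier_tls              # after the reboot in step 4
```

The `x509 -subject -issuer -dates` output is the quickest way to see why Firefox and Chrome refuse the page (self-signed issuer, or a subject that does not match the FQDN you typed) and to verify the documented certificate replacement afterwards.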

With the availability of RSA Authentication Manager (AM) v8.3, you now have the option to transition your RSA SecurID® Access deployment to the cloud and take advantage of the business agility and economies of scale that Amazon Web Services (AWS) cloud computing offers. Create a hybrid or full Virtual Private Cloud (VPC) solution that best meets your business needs.

Create Hybrid or Full AWS Virtual Private Cloud solutions

In a Hybrid VPC model, the AM Primary instance and a Replica instance (for disaster recovery) are typically maintained in on-premises data centers for administration. Replica instances can be deployed in selected AWS regions to ensure 24x7 authentication service availability. In a full VPC deployment, all components (AM Primary, AM Replicas, Web Tiers, as well as the devices protected with RSA SecurID Agents or RADIUS Clients) can be moved to the cloud.

A major strength of RSA SecurID Access is the RSA Ready Partner Program where hundreds of products (VPNs, Load Balancers, Web Servers, Applications, etc.) have out-of-the-box interoperability with RSA SecurID Access. This will result in a smoother transition to the cloud. RSA strongly recommends that RSA Best Practices be maintained such as configuring Security Groups for secure connections to RSA SecurID Standard Agents or RADIUS Clients.

How to Obtain the AWS AMI

RSA has made it easy to obtain the RSA Authentication Manager AWS Machine Image (AMI). Existing RSA SecurID Access customers can simply contact RSA Customer Support. An RSA Customer Relations Desk representative will validate your RSA Support agreement and obtain your AWS Account Number (AWS Commercial or GovCloud) on your behalf. You will receive an email confirmation from RSA SaaS Operations indicating that the RSA Authentication Manager AMI located in the RSA Private AWS Community has been shared with your AWS account number. New customers can simply order the AMI at no charge. Contact your RSA account representative for more information.

Configuring the AWS AMI

Configuring the AMI is easy. Simply log in to your AWS account's EC2 console, choose AMI Private Image, search for the RSA Authentication Manager v8.3 AMI ID provided in the email notification, and follow the instructions to Choose & Configure Instance Type, Add Storage, Add Tags, Review, and Launch the AMI. Be sure to keep all necessary information provided, including the RSA AM Quick Setup URL and the Quick Setup Access Code. Go to your browser, enter the URL and access code, and you're ready to configure an AM primary or replica instance.

More than Just an AMI

RSA Authentication Manager v8.3 also includes a number of new features that make it easier to manage your RSA SecurID Access solution: improved agent visibility and reporting, efficient auto-assignment of tokens by expiration date, and search by token serial number in the User Dashboard.

RSA Authentication Manager 8.3 Amazon Web Services (AWS) Virtual Appliance Getting Started

Need to know what to do to patch your RSA Authentication Manager 8.x servers? We can help!

RSA is excited to announce a new multi-part training video series for the RSA SecurID Access product. Chapter 1 is a companion video to our popular knowledge article 000029877 - How to install patches on an RSA Authentication Manager 8.1 via web browser.

In a brief training video, Jay Guillette of our Advanced Technical Support team walks you step by step through the things you need to know before patching your Authentication Manager primary and replica servers: the prerequisites that must be met before installing (patch order, minimum free disk space, required ports, etc.), how to download patches, and finally how to successfully complete the install process.

Watch the video: 000029877 - How to install patches on an RSA Authentication Manager 8.1 via web browser.

We love your feedback so let us know what you think and what videos you'd like to see next.

Join us for the webinar series that answers the question plaguing every identity professional today: You know the credentials are right, but how do you know the person that’s using them is really who they say they are? With cloud and mobility making it easier for users to access resources, but harder for you to authenticate those users, you need to know how to transform secure access to deliver both convenience and security. Learn all about it in three webinars led by top RSA identity experts, Wednesdays from 11:00 a.m. to 12:00 p.m., starting February 7.

February 7 – Transforming Secure Access

With 81 percent of cyber attacks today being credentials-based – up almost 20 percent over just a year – it’s time to rethink how to protect against these types of attacks. If you’re ready for a more effective approach to reducing your identity risk, join Ayelet Biger-Levin, RSA senior consultant, identity product marketing, to kick off the webinar series. You’ll find out why the old tried-and-true approaches to secure access don’t work so well in a mobile, cloud-connected world – and you’ll learn how to build a strong new foundation for convenient, secure access, using identity intelligence, business context and threat intelligence.

February 13 – Modernizing Authentication in and for the Cloud

Everybody’s moving applications and data to the cloud, but nobody’s happy about the risk of sacrificing security in the process. The good news is a modern approach to authentication – one that’s pervasive, continuous and risk-aware – can make access in the cloud just as secure as it is on-premises. In this webinar, you’ll learn from Tony Karam, RSA senior consultant, identity product marketing, about the latest resources for secure access and how to extend them seamlessly into cloud environments. It all comes down to having the assurance that people seeking access in the cloud are who they say they are, that the devices they’re using are secure and that their access isn’t putting your organization at risk.

February 21 – Delivering Authentication Your Way: Why One Size No Longer Fits All in the Access Game

Different users pose different levels of access risk, depending on who they are, what they want access to, where their requests originate and more – so you need more than one means of authenticating them. But they also all have one thing in common: They don’t need authentication to slow them down or stop their progress. So you need to offer a variety of methods that will enable them to access the resources they need, wherever they are and whatever the circumstances, without missing a beat. Join Murtaza Hafizji for this webinar on how to use modern multi-factor authentication to provide the secure access your organization needs without sacrificing users’ productivity or convenience.

Register today for any or all of the webinars in our February series, Identity Assurance for a Connected World.

We sometimes get questions regarding the scalability of the RSA SecurID Access Cloud Authentication Service. Customers who are used to managing on-premises solutions want to know how many machines they need to set up to support their end user population during peak periods. But since the Cloud Authentication Service is a hybrid solution, the scaling considerations are a bit different.

If you use the Cloud Authentication Service to provide primary and/or additional authentication to relying parties, scalability is simple because the cloud components are designed to scale to meet your needs. The hybrid architecture still involves an on-premises identity router, which provides a secure connection to your identity source(s), but its role is minimal at runtime. Just make sure you deploy more than one identity router for redundancy, in case one goes down.

If you use the identity router for RADIUS-based access control, all you need to do is make sure you have redundant identity routers with RADIUS enabled. The Cloud Authentication Service handles the heavy lifting.

If you want information about scalability and you use the SSO Agent capabilities, you can read more about that in the RSA SecurID Access SSO Agent Performance and Scalability Guide.