The October release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. This release focuses on expanding the integration options for protecting SAML-based cloud applications for RSA customers.

SAML application protection - expanding integration options

   You can integrate RSA SecurID® Access into your environment to protect cloud-based applications using the Security Assertion Markup Language (SAML).  RSA supports multiple ways to achieve this, but often the simplest approach is “direct to cloud” using the Cloud Authentication Service Identity Provider (IdP).  Using this approach, these applications can be configured without setting up the Single Sign-on (SSO) Agent on the Identity Router (IDR).

   This month, we are releasing enhancements to the Cloud Authentication Service that enable some of the most popular Software as a Service (SaaS) applications to use the simplified configuration described above. These applications are Microsoft Office 365, ServiceNow and Workday. They join VMware and Salesforce in supporting direct cloud protection. Customers who want to use RSA's SSO portal for these applications can continue to do so; this new capability is aimed at customers who do not use RSA's SSO portal and prefer to configure a direct CAS-to-application connection for RSA SecurID® Access multi-factor authentication.

   Note that although the new SAML cloud IdP integration option removes the necessity of configuring the SSO Agent, the IDR’s Enterprise Connector component is still required for accessing your on-premises identity source(s).

Partner Integration Guides for these updated capabilities are now available. Read on for more on our application connectors and reference locations.

                Fig.1  Configuring cloud IdP SAML applications

Expanding MFA reach: monthly connector updates

   RSA Partner Engineering continually releases new and updated RSA SecurID® Access connectors.  Connectors are the bridge between RSA SecurID® Access and the resources it's protecting.  RSA has hundreds of RSA SecurID® Access connectors available, including those for the leading applications you may be looking for (see the link below for the complete list).

   We recently released these new and updated connectors: Bitglass, Dell (Boomi), Domo, NetMotion Mobility, One Identity, Third Light, WatchGuard Fireware XTM and Yardi (Voyager 7S). Additionally, later this week, these new connectors are planned: Cisco ISE Portal, Igloo, Inspired eLearning iLMS. We will also be releasing the updates for Workday, ServiceNow and Microsoft Office 365 as mentioned previously.

   Our extensive catalog of connectors helps customers extend their use of RSA SecurID® Access - helping protect the resources that matter most to you.  See the catalog at:
https://community.rsa.com/community/products/securid/securid-access/integrations

   For further details on all the new and updated capabilities of the October release, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

   As a well-informed security professional today, you’ve recognized the need for continuous combat against the increasingly perilous threat landscape, populated by highly skilled and persistent intruders. You’ve known that simple password protection is insufficient to protect “crown jewel” data and want to incorporate multifactor authentication (MFA) for your critical digital assets into your defenses.

So now that you recognize the need to implement multifactor authentication for your organization, where to start?

   Choosing an appropriate set of access policies to fit all your target resources, across all your user populations, can be challenging given all the possible choices available.  Today, there is a wide variety of password alternatives to help deter infiltration, and more are emerging. RSA SecurID Access supports many such methods across hundreds of digital resources from “ground to cloud” - basic VPN protection to latest SaaS cloud applications such as Microsoft Office365.

   To help you navigate the process of selecting the most appropriate authentication methods and policies for your organization, RSA has developed a white paper which discusses RSA Security’s recommended approach for developing multifactor authentication policies for your organization. The key considerations include:

  • Setting clear business goals, to guide tradeoffs between cost, convenience (usability), protection strength and implementation complexity
  • Taking a phased approach to deployment - think big but start small with a limited pilot
  • Assessing your user population, understanding both the risk profile of their resource access and their tolerance for authentication complexity
  • Evaluating the target resources you need to protect, understanding the risk exposure of your business should they be breached
  • Investigating the array of authentication methods available to you, and considering the tradeoffs between security strength, convenience, cost and administrative complexity
  • Taking into account all the above, formulate your access policies, adding in context-based risk analysis to both security and convenience
  • Remembering to include end user education as part of your rollout plan.
  • Formulating your MFA implementation as part of a larger Identity and Access Management (IAM) strategy within your overall Enterprise Security foundation.

   Please see: https://community.rsa.com/docs/DOC-97431

 

   Furthermore, to supplement this guidance, expert assistance is available.  RSA’s highly experienced Professional Services team and certified partners can help you navigate the myriad of access security choices available, following these best practices.

 

   For more on RSA Security’s solutions and services, please visit:  www.rsasecurity.com or consult with your RSA Security representative.

September 2018 Cloud Authentication Service Release Highlights

The September release for the RSA SecurID®  Access Cloud Authentication Service is now available. In this release RSA continues to add capabilities to further enhance RSA SecurID Access to raise the bar to help customers improve their security posture while still supporting convenient access for end users and administrators.

Providing End Users with Device Registration Self-Service

To provide end users with more autonomy during the device registration process and reduce Help Desk call volume, we are introducing this month a new self-service portal, called “My Page”.  RSA understands, however, that while user self-service can dramatically improve the efficiency of your multi-factor authentication program, it cannot become the weak link in your security chain. As such, “My Page” not only provides convenient self-service for your end users, but also provides the security you need to safeguard your digital assets.

 

Using this portal, an end user can begin the registration process by following the step-by-step instructions displayed on screen that guide them to download the RSA SecurID Authenticate App (from the Apple App Store, Google Play or Microsoft Store). Then, using the installed app, the user can capture a displayed single use QR code containing information for easy app registration. Finally, the user can perform a test authentication to make sure that everything is working as expected. Device Registration in My Page also includes this easy-to-follow video guiding users through this process: https://www.youtube.com/watch?v=mx2c_4p7qo4&feature=youtu.be

 

Administrators can further increase the security of device registration by requiring multi-factor authentication for access to My Page. Check out this short video, RSA SecurID Authenticate Device Registration Using RSA SecurID Access My Page, for tips and tricks on how to configure this and other features.

Figure 1.  My Page

 

Supporting Broader User Activity Tracking and Governance

In July, we introduced the Log Events API, a REST-based web services interface allowing customers to retrieve administrator activity log events from the Cloud Authentication Service. This month we’ve added the ability to retrieve end user authentication logs.

 

For greater security visibility across your organization, you can leverage these REST APIs to share this authentication information with your security information and event management (SIEM) solution, such as RSA NetWitness.

In this way, RSA provides you with improved visibility into the activities of both privileged, administrative users and end users for forensic security, governance auditing and troubleshooting purposes.

For more information on these capabilities, refer to Improved Logging for Security and Audit Compliance.

 

Improved Protection of Windows Login:  RSA SecurID® Authentication Agent for Windows v7.4

This month, RSA released a new version of the Windows Agent designed to secure Windows machines when online with our award-winning RSA SecurID® tokens, and when offline, with our industry-leading unique solution that is trusted by many Fortune 500 companies globally. All this to ensure security from the start: allowing users and administrators to securely and conveniently access their workstations and servers no matter what the situation calls for.

This new agent framework (architecture) provides a path so customers can adopt future releases supporting the use of MFA and updated Authentication Manager capabilities for secure and convenient Windows protection.

Specific to this release are new capabilities which:

  • Expose customers to the updated authentication user interface supported by the latest Microsoft Credential Provider framework as seen natively in the latest versions of Windows and Windows Server, that is more intuitive and friendlier for users trying to authenticate to their machines
  • Provide customizable user authentication prompts and help texts so end users can securely authenticate to desktop with minimal friction
  • Provide administrators with several high value agent improvements aimed at boosting overall user productivity during machine login.

 

Faster Time to Value: Expanded Preconfigured Policies

Last month, RSA SecurID® Access introduced predefined access policy templates in all new cloud accounts to help new customers protect their resources faster. Using these policies, new customers need not create custom access policies before configuring their first application.  Instead, they can choose from one of the simple preconfigured policies to associate with their applications.  This month, we add an additional preconfigured access policy to the initial three delivered in August. The fourth policy applies a context-driven criterion that uses the Identity Confidence attribute to determine if additional authentication is required. This fourth preconfigured access policy is only available to Premium licensed customers.

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

RSA SecurID® Access Now Locally Hosted for Australia and New Zealand Organizations

 

Good news for Australia and New Zealand organizations that need to keep critical identity information on-shore: RSA SecurID Access is now locally hosted inside Microsoft Azure data centers in Canberra. Local hosting comes as part of the August 2018 product release, opening the way for more organizations – especially in the areas of government, critical infrastructure and financial services, where local hosting is often a requirement – to benefit from RSA SecurID Access authentication capabilities.

 

RSA SecurID Access Cloud Authentication Service delivers secure access to the extended enterprise as an on-shore SaaS service, rather than having it hosted outside the region. Local hosting enables organizations to comply with legislation governing data privacy in the region, including the Australian Privacy Principles (APPs), as well as with related industry or corporate guidelines. The Microsoft Azure “protected”-level data centers that will provide hosting in Canberra are certified to meet federal security standards and accredited to handle classified defense data.

 

Any organization based anywhere in the world that has operations in the region can benefit from this development – not just Australia- or New Zealand-based organizations, and not just companies in critical sectors. Hosting locally not only keeps critical identity data on-shore, but also improves network latency locally for faster access to cloud applications.

Whatever the reason for adopting RSA SecurID Access Cloud Authentication Service – regulatory compliance, local control, faster application access – organizations that do will be using the most widely deployed multi-factor authentication solution in the world. RSA SecurID Access multi-factor authentication improves security by thwarting attempts to use stolen credentials while still keeping access convenient for legitimate users. This implementation brings those authentication advantages specifically to cloud application access.

 

With the addition of local hosting in Canberra, RSA SecurID Access Cloud Authentication Service is now available in three major regions around the globe, having been previously launched in the EU and US.

August 2018 Cloud Authentication Service Release

The August release for the RSA SecurID®  Access Cloud Authentication Service is now available. In this release RSA continues to add capabilities to further enhance RSA SecurID Access to be convenient for end users and admin, intelligent to provide powerful authentication and analysis and pervasive, supporting global access across a variety of traditional and cloud use cases.

Facilitating Privileged User Authentication for the Cloud Administration Console

RSA SecurID® Access administrators in your organization have extensive access privileges. Therefore, access attempts of these privileged users need to be appropriately authenticated. In this release of RSA SecurID® Access validation of the multifactor authentication policies that govern console access is improved to prevent accidental user lockout, which would require a support call to RSA to resolve.

 

The graphic below shows how the console prevents you from selecting a policy that locks you out of the console.

      Fig.1  Warning message to clarify the problems with the selected policy

 

Improved Visibility of Cloud Authentication Service User Status

Over the last few months, we have significantly improved the ability of administrators to manage the status of Cloud Authentication Service users.

Past releases delivered capabilities to:

  • Manually enable and disable Cloud Authentication Service users, independent of identity source status for improved local control over user status
  • Automatically disable Cloud Authentication Service users when they become disabled or missing (due to deletion or transfer out of relevant groups) in the identity source directory.
  • Help administrators reverse deletion errors via a two-step delete process. With two-step deletion, deleted users are marked as Pending Deletion, and an automated purge process permanently removes them after seven days. This gives administrators the opportunity to “Un-delete” before the users are permanently purged in case of error.
  • Streamline user maintenance with automated deletion of long-disabled users. Busy administrators who prefer more automated user maintenance can select an option to delete long-disabled users. On by default and set to select users disabled for 90 days, this option can be configured for a different number of days or turned off completely. In this way, all the automated cleanup processes can work together to remove users from the cloud who no longer need access.

In the August release, we've improved reporting of user status.  The previously available users report now provides better visibility into user status information to help organizations better manage user populations.  By exporting the user report file and importing it into a spreadsheet, administrators can quickly identify disabled or deleted (awaiting purge) users for status confirmation and follow-up where needed. In addition, enabled users can be counted for license management purposes.

Below is a sample of the report in spreadsheet format, highlighting the new column.

      Fig.2  User report

 

For more information on these capabilities, refer to: https://community.rsa.com/docs/DOC-75846

Faster Time to Value: Preconfigured Policies

RSA SecurID® Access now provides predefined access policy templates with all new cloud accounts. Using these policies, new customers need not create custom access policies before they can configure their first application.  Instead, they can choose from one of the simple preconfigured policies to associate with their applications.  If further customization is desired, these policies can be cloned and modified as desired, while maintaining the original copies to use as templates for future policy definition.

The new policies are shown below.

      Figure 3.  Preconfigured Policies

Serving a Global Customer Community

The RSA SecurID® Access Cloud Authentication Service is now available in Australia!

Hosted in Microsoft Azure Australia (Canberra), RSA SecurID® Access’s new hosting location enables compliance with Australian and New Zealand Privacy Legislation.  Furthermore, local hosting means faster network performance across the wider Asia-Pacific region.

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96078

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

What is Salesforce? It was the 1st Software-as-a-Service (SaaS) Customer Relationship Manager (CRM) product and currently the leader with the most market share. So what is SaaS?  It is a way of delivering centrally hosted applications over the Internet—as a service. SaaS applications are sometimes called web-based software, on-demand software, or hosted software. What type of data does a CRM contain? Customer and prospect contact information, accounts, leads, and sales opportunities in one central location.

 

Since Salesforce stores client personal data it naturally becomes a target for hackers. These hackers want your data and they will stop at nothing to get it.

 

The video showcases me creating a policy that enables a secondary authentication method within the RSA SecurID Access Cloud Authentication Service to protect Salesforce. Thank you for your time in advance!  

 

 

 Here is the link to the RSA SecurID Access Salesforce Implementation Guide: Salesforce - Technology Integrations 

Sly Gittens Website: Lovecybersecurity.com 


In the recent What's New in RSA SecurID® Access? post, we are excited to announce the release of the RSA SecurID Access Log Events API to retrieve administrator and user event logs from the RSA SecurID Cloud Authentication Service.  You can use the Log Events REST API to import the log events into your security information and event management (SIEM) solution, such as RSA NetWitness, to ensure security and audit compliance.

 

For more information on this feature – please check out this additional content.

 

July 2018 Cloud Authentication Service and Identity Router (IDR) Release

 

The July release for RSA SecurID Access is now available and contains updates for both the Cloud Authentication Service (CAS) and the Identity Router (IDR). In this release RSA continues to add capabilities to further enhance RSA SecurID Access to be convenient for end users and admin, intelligent to provide powerful authentication and analysis and pervasive, supporting access across a variety of traditional and cloud use cases.

Simplifying the Multi Factor Authentication (MFA) Experience for users of RADIUS-based applications

The July release contains multiple improvements to RADIUS support:

  • Eliminating double password prompts:  If the RADIUS client (e.g., a VPN) is configured to perform primary (password) authentication, RSA SecurID Access no longer requires the user to enter their password a second (redundant) time.  Note that this can also help customers align with the latest PCI guidance for VPN logins. That’s because, under this configuration, RSA SecurID Access prompts for password and MFA in a single screen as PCI DSS 3.2 recommends, and doesn’t act on a second authentication factor sequentially, based on outcome of the primary authentication.
    You can find a video highlighting how this works on RSA Link at: https://community.rsa.com/videos/33333
  • Eliminating extra steps for push-based MFA:  When configured, the extra step of selecting an authentication method at each login is no longer required. After entering User ID and password, a push notification is sent automatically.  Note:  this Auto-Push capability is not enabled when other forms of authentication, instead of passwords, are enabled as primary authentication for RADIUS access.

                Fig.1  Auto-push eliminates extra authentication steps

 

Improved Control and Security of Cloud Authentication Service user status

Over the last few months, we have significantly improved the ability of customer administrators to manage the status of the cloud authentication service users.

Past releases have included the ability to manually enable and disable Cloud Authentication Service users, independent of identity source status, and disable Cloud Authentication Service users when they become disabled in the identity source directory.  We have also added a two-step delete process, to help administrators reverse deletion errors. Using the two-step deletion, manually deleted users are marked as Pending Deletion, and an automated purge process permanently removes them after seven days. This gives the administrator the ability to “Un-delete” before the users are permanently purged.

This month, we’ve added a couple key new capabilities to help organizations address the risks associated with orphaned accounts:

  • Disable missing users: if the sync process cannot find a user in the Identity Source (out of scope or deleted), that user will be disabled in the Cloud Authentication Service.  This improves security: no one can use the Cloud Authentication Service unless they are enabled in the directory. It also supports license management by ensuring that only active Cloud Authentication Service users are enabled for license counting purposes.
  • Delete long-disabled users: for improved efficiency, Cloud Authentication Service users who have been disabled for over 90 days will be marked for deletion automatically. This feature is configurable – it can be turned off, or set to a different time threshold (30 to 180 days). In this way, users who are unlikely to use the Cloud Authentication Service in the near future will not appear in lists or searches, making it easier to manage the Cloud Authentication Service tenant. It also improves the efficiency of synchronizations.

Fig.2  Configurable auto-delete

 

Improving visibility: Administrator activity logs

RSA is providing a new log which records the activity of RSA SecurID Access administrators.  Examples of this type of activity are (list not exhaustive): unlocking a user, changing an authentication policy, adding a new Identity Source.

Customers can leverage the Log Events API which is a REST-based web services interface that allows audit log events to be retrieved from the Cloud Authentication Service. You can use this REST API to import the audit log events into your security information and event management (SIEM) solution, such as RSA NetWitness.

 

In this way, RSA provides customers with improved visibility into the activities of these privileged users for forensic security, governance auditing and troubleshooting purposes.

 

Additional Improvements

A number of miscellaneous security and troubleshooting enhancements were added:

  • Support of HTTP Strict Transport Security (HSTS) forces use of the HTTPS secure protocol for the server-browser interface of the SSO web portal and the Cloud Administration Console. This helps protect transactions and login requests against threats such as protocol downgrade attacks and cookie hijacking.
  • Improved visibility of NTP status to aid in troubleshooting
  • Improved support for proxy server configurations when downloading adapter updates and IDR package updates.
  • Enhanced diagnostics for IDR registration errors

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-60102

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID Access an even more convenient and secure solution for your authentication needs.

 

Are you a visual learner? I am too! This video showcases mobile fingerprint biometric authentication. 

 

If you love my video, subscribe and like my YouTube channel.

 

"Static passwords are adorable, but sophisticated attackers don't just bypass them, they utilize them to advance their attack." Verizon Data Breach 2016 Report

 

What is mobile fingerprint biometric authentication?

Fingerprint recognition refers to the automated method of identifying or confirming the identity of an individual based on the comparison of two fingerprints. Fingerprint recognition is one of the most well-known biometrics, and it is by far the most used biometric solution for authentication on computerized systems.

 

Why use mobile fingerprint biometric authentication with your FortiGate?

If you are granting remote workers access to your internal environment via a FortiGate, it is critical to verify your employees' identities. It is essential to have a Multi-factor Authentication solution that provides you convenience without compromising security. Implementing mobile fingerprint biometric authentication provides the strong second-factor authentication that is needed in today's business environments.

 

Why RSA SecurID Access?

Whether you need two-factor authentication (2FA), multi-factor authentication (MFA) or mobile MFA, RSA offers a wide range of authentication methods including push notifications, SMS, OTP, biometrics, and hardware, software and FIDO tokens. And whether you want to deploy on-premises or go with a SaaS option, RSA SecurID Access has you covered.

 


✦ Sly Gittens Website: Lovecybersecurity.com


Amazon Web Services #AWS is a subsidiary of Amazon.com, which offers a suite of cloud computing services that make up an on-demand computing platform. AWS has more than 90 services that span a wide range including compute, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools and tools for the Internet of things. Amazon markets AWS as a service to provide large computing capacity quicker and cheaper than a client company building an actual physical server farm. RSA SecurID Access, the world’s most widely deployed multi-factor authentication #MFA solution, helps to secure access in a world without boundaries.

 

RSA SecurID Access provides convenient, secure access to on-premises, web, mobile and cloud applications, and eliminates access blind spots by giving you visibility into and control over access across your organization. RSA SecurID Access offers a broad range of authentication methods including modern mobile multi-factor authenticators (e.g., push notification, one-time password, SMS, and biometrics) as well as traditional hard and soft tokens for secure access to all applications regardless of whether they live on premises or in the cloud.

 

✦ RSA Ready Amazon Technology Integrations: https://community.rsa.com/docs/DOC-72995
If you’ll be connecting to your Identity Source securely, using LDAPS, you’ll need the SSL certificate from your LDAP directory server when configuring the connection in the Cloud Administration Console. Not sure how to get it? We’ve seen our customers use a few different ways to get this certificate. Here are just a couple:

 

  1. Ask your directory server administrator for the certificate chain. Really, it can be that easy. When you add your connection to the LDAP directory (following the steps in your Quick Setup Guide), upload this file in the SSL Certificates section.
  2. Can’t ask your directory server admin or don’t want to? OpenSSL can be an easy way to do it. Here’s how:
    1. After you add your identity router (following the steps in your Quick Setup Guide), access SSH on your identity router using these instructions: https://community.rsa.com/docs/DOC-75833
    2. From the identity router command line, query the directory server to obtain the certificate chain using the following command:

      openssl s_client -showcerts -connect LDAP.SERVER:636

      where LDAP.SERVER is the LDAP directory server that has the full certificate chain loaded on it. (You might have to ask your directory server admin to know which directory server to query.)

    3. From the output, copy the sections starting from and including the first BEGIN CERTIFICATE line to (and including) the last END CERTIFICATE line. Paste these lines into a local file on your desktop and call it something like ldaps.pem.
    4. When you add your Identity Source connection to the LDAP directory (again following the steps in your Quick Setup Guide), upload this file in the SSL Certificates section.

Do you have other easy ways to get your LDAPS certificate?  If so, please share your tips and tricks in the comments!
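As an added example (not code from the RSA post), this POSIX shell script automates steps 2 and 3 of the OpenSSL method above: it runs openssl s_client -showcerts, keeps only the PEM certificate blocks, writes them to ldaps.pem and prints each certificate's subject and issuer so you can confirm the chain is complete before uploading it. The host name and port are placeholders you supply; it assumes openssl, sed and awk are available where you run it (the identity router or your desktop).

```shell
#!/bin/sh
# Added example (not from the RSA post): script the LDAPS certificate capture
# the post describes by hand. Host and port below are placeholders you supply.

# Keep only the PEM certificate blocks from openssl s_client output on stdin.
# Everything else (handshake details, session data, "---" separators) is dropped.
# This is the same "first BEGIN CERTIFICATE to last END CERTIFICATE" selection
# the post describes, done with sed so nothing has to be copied by hand.
extract_chain() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Number of certificates in a PEM file (one END CERTIFICATE line per certificate).
# "|| true" keeps a zero count from being reported as a failure under "set -e".
count_certs() {
    grep -c -- '-----END CERTIFICATE-----' "$1" || true
}

# Print the k-th certificate (1-based) of a PEM file, for inspecting the chain.
nth_cert() {
    awk -v k="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == k' "$1"
}

# Query the directory server and write its chain to $out (default ldaps.pem).
# "< /dev/null" closes s_client's stdin so it exits after the handshake instead
# of waiting for input; stderr is discarded because s_client is chatty there.
fetch_chain() {
    host="$1"
    port="${2:-636}"
    out="${3:-ldaps.pem}"
    openssl s_client -showcerts -connect "${host}:${port}" < /dev/null 2>/dev/null \
        | extract_chain > "$out"
    n=$(count_certs "$out")
    if [ "$n" -eq 0 ]; then
        echo "no certificates received from ${host}:${port}" >&2
        return 1
    fi
    # Show subject and issuer of each certificate so you can confirm the chain
    # is complete: the last certificate's issuer should be your root CA. If the
    # root itself is not in the file, append it before uploading ldaps.pem.
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'certificate %s: ' "$i"
        nth_cert "$out" "$i" | openssl x509 -noout -subject -issuer | tr '\n' ' '
        echo
        i=$((i + 1))
    done
    echo "wrote $n certificate(s) to $out"
}

# Usage with a placeholder host: fetch_chain ldap.example.internal 636 ldaps.pem
```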

For part two of our multi-part training video series, Jay Guillette returns to present the sequel to his video guide on how to install patches on an RSA Authentication Manager 8.1 server via web browser.

 

Our new topic is . . . Super Administrator Password Reset (see article 000017467 - Unable to login to RSA Authentication Manager Security Console as super admin for the text base version).

 

We've all had that experience when you try to login to the Security Console with the password you know worked earlier in the day and it. is.just. not. working.  You try again and again.  You try your Gmail login password or your bank PIN, your network login password, your mom's maiden name, the name of your favorite pet . . . anything you think it might be but still your login fails.

 

Fear not, intrepid SecurID admin!  We can help!  Jay's video is a great overview of how to access the Security Console by creating a temporary user who can gain access to the Security Console.  Once in, your temp admin can reset your super admin user's password.  Easy peazy lemon squeezy!

 

Watch the video: 000017467 - Unable to login to RSA Authentication Manager Security Console as super admin, and let us know what you think!

PLEASE NOTE: An RSA Authentication Manager 8.x Web Tier server installed on CentOS is NOT supported by RSA.

 

This UNOFFICIAL GUIDE is intended only for non-production lab testing for partners, customers and RSA employees.

 

For more information on RSA's position on using CentOS with RSA Authentication Manager and RSA Authentication Agents, please see 000016848 - RSA support for Authentication Manager and/or RSA Authentication Agents installed on CentOS.

        

Introduction

An RSA Authentication Manager Web Tier server has three functions:

  • Secure CT-KIP provisioning of RSA SecurID software tokens across untrusted networks (usually the internet).
  • Allowing Self-Service Console (SSC) access from untrusted networks or the internet.
  • Legacy Risk-Based Authentication (RBA) feature in Authentication Manager 8.x. This function has been superseded by SecurID Access Cloud Authentication Service Risk-Based Identity Confidence in the Premium edition.

Of these functions, the first is the most important for a secure Authentication Manager 8.3 deployment. The Web Tier is currently provided as Microsoft Windows or Linux software packages that install on a customer-provided server, typically deployed in a DMZ so that internet-facing connections terminate there rather than on the Authentication Manager primary or replica. Lab deployments usually operate inside a secured network zone.

It is strongly recommended that customers and partners maintain a non-production lab testing environment to test new versions and configuration changes.

          

Please see the RSA Authentication Manager 8.3 Setup and Configuration Guide, Chapter 5: Installing Web Tiers, Web-Tier Hardware and Operating System Requirements for more details on supported versions of Windows and Red Hat Enterprise Linux (RHEL). Here are the requirements:

Hardware
  Hard drive: 2 GB for the Web Tier installation
  Hard drive: 4 GB, with 20 GB free space for logs and updated component downloads
  RAM: 2 GB
  CPU: a dual-core processor or better, or 2 or more CPUs

Ports
  External firewall: 443 HTTPS (TCP)
  DMZ: 443 HTTPS (TCP)
  Internal firewall: 7022 T3S (TCP)

Operating systems
  Red Hat Enterprise Linux 5 Server (64-bit)
  Red Hat Enterprise Linux 6 Server (64-bit)
  Red Hat Enterprise Linux 7.4 Server (64-bit)
  Windows Server 2008 R2 (64-bit)
  Windows Server 2012 (64-bit)
  Windows Server 2012 R2 (64-bit)

 

While these are the officially supported servers, it's often difficult for lab/demo usage to get a licensed copy of Microsoft Windows Server or Red Hat Enterprise Linux. CentOS is the free and open source version of RHEL which is nearly 100% compatible. In my testing I have found it's possible to deploy the RSA Web Tier package on a CentOS host after a very trivial modification of the OS. 

This guide is intended to allow a SecurID administrator to configure a CentOS 7 Web Tier in a non-production lab or demo environment based on VMware workstation or ESXi virtualization infrastructure.

 

Task 1: Configuring the CentOS 7 Operating System

Since CentOS is highly configurable and comes in several different installation images, this section will provide step-by-step guidance.

  1. Download the DVD ISO from CentOS. The Everything ISO is larger than needed and the Minimal ISO leaves out important tools, so the DVD release is the right one; it lets you configure your server at install time.
  2. Build your virtual machine in VMware Workstation or ESXi, or your hypervisor platform of choice. Note that the Web Tier can even be installed on a physical server, which may make sense for some environments, as it typically sits in the DMZ on a network. The VMware step-by-step instructions are beyond the scope of this article. Create the VM with 20 GB of disk, 2 GB of RAM and a single network adapter (see the Web Tier hardware requirements in the RSA Authentication Manager 8.3 Setup and Configuration Guide). I did customize the virtual hardware and remove the printer and sound card defaults since we don't need those for a server. Change the CD/DVD virtual drive to use the CentOS 7 ISO image you downloaded above and make sure the memory is set to 2 GB. I find 2 vCPUs to be overkill for a lab so I kept the single CPU default. Once everything looks good, power on the VM and enter the virtual console.
    VMware create VM customized hardware and ISO image
  3. At this point I find it easiest to get the DNS for the server configured. In my lab I entered an A record for the Web Tier in my lab router's admin interface, which is also my local DNS resolver, using the static IP address I will assign during the install:
    Adding of Web Tier DNS entry
  4. Now we're ready to proceed with the VMware console install of CentOS 7 for the Web Tier. The following screen shots are based on the ESXi web client, but it should be similar for Workstation. On boot you should see the CentOS Linux 7 installer boot screen; select the first option, Install CentOS Linux 7, and follow the screen prompts from there, pressing Enter where asked.
    CentOS 7 boot install first option
  5. A bunch of booting events happen and then you'll get to a language selection screen, defaulted to US English. Select the default and then move to the main installation GUI screen. Note anything that's red needs to be selected before the installation can proceed. You have to be careful because it's a lot easier to configure some optional items here rather than later after installation is complete.
    1. First complete the mandatory Installation Destination. Don't forget to also fix the Date & Time time zone to match the Web Tier location. Then highlight the Software Selection option and select it:
      CentOS 7 main installer mandatory selections
    2. Choose the server type. I've found Minimal too bare bones, so Compute Node has more useful utilities. You may be wondering why I didn't select Basic Web Server. I don't want that because the RSA Authentication Manager 8.3 Web Tier package has its own web app server and web server, so we don't want an unneeded web server in the OS.
      CentOS 7 software selection
    3. The last step, which is an important one, is configuring the Web Tier server network connection. Select the Network & Host Name option and configure the network. Note the Ethernet connection is defaulted to off. Before you switch it on, click the lower left Configure button:
      Network and Host Name configuration main screen
      Go through the various tabs. Most settings are left as the default, but I turned off IPv6 by choosing Ignore and configured IPv4 as Manual with the static IP configuration that I already set up on my DNS server. Set the IP address, subnet mask and gateway as well as Host name and Search domains. Note that not all fields are shown completed below:
      IPv4 detailed configuration
      Finally turn the network on with the top right graphical switch. You should see the connection details and then be able to ping the Web Tier from another host on the network by hostname. Note that the Web Tier installer process requires the Web Tier to be resolvable by host name.
      Network and Host Name configuration completed
      Successful DNS resolution and ping from another host on the LAN
    4. You're finally ready to begin the installation, so select that option on the main installer screen. The installer starts installing packages from the DVD ISO. In the meantime, set the root password and create the Web Tier user. Use a strong root password, and create the Web Tier user now as a non-root account with another strong password; the Web Tier installer requires a non-root user later.
      Web Tier passwords set
      Finally, the install will complete and you'll be prompted to reboot. You will come to the login bash prompt. Log in as root, then log out again. You can proceed with the Web Tier software install. This is a lab environment, so no security hardening steps were applied and Security Enhanced Linux (SELinux) was not selected, but certainly follow best practices for your environment as they apply.

 

Task 2: Install and Configure RSA Authentication Manager 8.3 Web Tier Package

  1. We now have a CentOS 7 server with network connectivity that is ready for the RSA Web Tier install. Use your favorite SSH client from your chosen OS and log into the Web Tier. If you haven't already by this point, download the Authentication Manager 8.3 Web Tier package from the /Webtier directory in the Extras .zip file, available from Version Upgrades on RSA Link.  See 000034558 - How to download RSA Authentication Manager 8.x full kits and service packs from RSA Link for information on how to  download the file.
    Note you must have entitlements to download this file, so contact Customer Support if you get a login or authorization error.
    Handy Tip: You only need the /common and /linux-x86_64 subdirectories extracted and copied over to your local VM or PC jump host with LAN access to the Web Tier CentOS 7 server. This way you are not copying over the unneeded /windows directory to a Linux Web Tier server.
  2. Use your favorite SCP tool to copy the /common and /linux-x86_64 subdirectories to a new directory named /tmp/webtier on your CentOS 7 Web Tier server. The screen shots here are based on WinSCP. It's pretty important to have GbE or faster local LAN connectivity to your Web Tier box; for 8.3 it's about 1.7 GB of install files to copy over.
    WinSCP file copy to CentOS 7 Linux server
  3. From here we will follow the steps on how to install a Web Tier on Linux using the command line from chapter 5 of the RSA Authentication Manager 8.3 Setup and Configuration Guide. The documentation for Linux Web Tier installs has been greatly improved over older 8.x versions. Make sure you look at the Web Tier Installation Checklist before you start the installer script and follow the chmod permissions instructions carefully. You'll also need the Web Tier package from the Authentication Manager 8.3 Operations Console before you start the installer script as shown here. The typical service options are selected:
    Web Tier OC configuration and package generation

Task 3: Fix Installer Script Version Check to Allow Install on CentOS 7

STOP HERE. If you just try to continue with the default Web Tier installer script, you'll run into this error:

          


Installer script prerequisites error

  1. There's an easy fix to get past the installer script's OS version check, which isn't that sophisticated: it compares the release string it finds in /etc/redhat-release. At the command prompt, type cat /etc/redhat-release and you'll see that the file contents refer to CentOS:
    Release file view
    If you search this subject online, you'll find Red Hat Enterprise Linux release-date listings that give the contents of this file for RHEL 7.4, which is Red Hat Enterprise Linux Server release 7.4 (Maipo).
  2. Edit the file with nano /etc/redhat-release and save it. Here is the string that can be cut & pasted (note the capital S in Server, matching the real RHEL file). Keep a copy of the original CentOS line: nothing but this one check is affected, the Web Tier is still running on an unsupported OS, and a later update of the centos-release package will write the CentOS string back.
    Red Hat Enterprise Linux Server release 7.4 (Maipo)
    Editing /etc/redhat-release file
  3. Now the installer script can proceed after you answer all the questions, as it will pass the RHEL 7.4 version check:
    WT installer script proceeding successfully
    Depending on how fast your storage system is on your server the install should take 20 to 30 minutes. After this time you should see the installer script finish with this message. It does take some time.
    Your installation is complete.
    Next Step
    After you exit the Web-Tier Installer, the Web-Tier Update Service connects to the preferred server to install the necessary services. Use the RSA Operations Console to check the status of this process.
    Go to Operations Console > Deployment Configurations > Web-Tier Deployments > Manage Existing.
    The update may take up to 20 minutes to complete.

    Press Enter to exit.
  4. The other key tip I've found is to go ahead and reboot the Web Tier server with a reboot command. It seems the Web Tier bootstrapper doesn't start after the installer finishes, but will kick off on a reboot. You will know it is working because if you run a top command on the console, Java will be taking up a bunch of CPU cycles:
    Web Tier Java processes
    You also may need to open the HTTPS service (443/TCP) in firewalld if it's not already open; search online for the many helpful guides on this. RSA knowledge article 000033006 - Troubleshooting an Update Issue with an RSA Authentication Manager 8.1 Web Tier Deployment is very helpful in troubleshooting Web Tier connectivity issues on Linux. Eventually you will see this happy message on your Operations Console Web Tier configuration screen:
    Web Tier online successful

  5. Finally, browse from your lab network to the FQDN of your Web Tier. It's recommended you use Microsoft Edge or Internet Explorer, as you will get an invalid certificate warning that you can click past. Firefox and Chrome are much stricter (rightfully so), so you probably can't open the Web Tier Self-Service Console on current versions of those browsers. This is fixed by installing a proper SSL certificate on the Web Tier through the documented procedure, which you should do before any user is pointed at it. For now, we have the Web Tier up and running. Success!
    Web Tier SSC success!
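The release-file edit in Task 3 step 2 and the firewalld step in Task 3 step 4, as an added shell example that is not part of the original guide. It assumes a CentOS 7 host with firewalld, is run as root for the real files, and is written so the CentOS string can be restored once the installer's check has passed. The CentOS release string in the comments is a constructed sample; the RHEL 7.4 string is the one quoted in step 2.

```shell
#!/bin/sh
# Added example, not part of the RSA guide: the two OS-side changes Task 3 makes by hand,
# as reversible functions for a non-production CentOS 7 lab. Run as root for the real files.

# The string the Web Tier installer's version check wants to see (quoted in Task 3, step 2).
RHEL_RELEASE_STRING='Red Hat Enterprise Linux Server release 7.4 (Maipo)'

# What the version check will read. FILE defaults to /etc/redhat-release.
release_string() {
  cat "${1:-/etc/redhat-release}"
}

# Replace the release string with the RHEL 7.4 one, keeping the original in FILE.centos.bak
# so it can be put back after the installer has passed its check. Calling it twice is safe:
# an already-spoofed file is left alone and the backup is not overwritten.
# On CentOS 7 /etc/redhat-release is a symlink to /etc/centos-release; "cp -p" and the
# redirect both follow it, so the text changes for every tool that reads either path.
spoof_release_file() {
  file="${1:-/etc/redhat-release}"
  if [ "$(release_string "$file")" = "$RHEL_RELEASE_STRING" ]; then
    return 0
  fi
  cp -p "$file" "$file.centos.bak" || return 1
  printf '%s\n' "$RHEL_RELEASE_STRING" > "$file"
}

# Put the CentOS string back from the backup (constructed sample of that string:
# "CentOS Linux release 7.4.1708 (Core)"). A later update of the centos-release package
# rewrites this file anyway, which is one reason the spoof only gets you past the installer
# and does not make CentOS a supported platform.
restore_release_file() {
  file="${1:-/etc/redhat-release}"
  if [ ! -f "$file.centos.bak" ]; then
    echo "no backup found for $file" >&2
    return 1
  fi
  mv "$file.centos.bak" "$file"
}

# Task 3, step 4: allow inbound HTTPS (443/TCP, the only port the DMZ side needs) in firewalld
# and make the rule persistent. Fails cleanly on a host without firewalld.
open_https_in_firewalld() {
  if ! command -v firewall-cmd >/dev/null 2>&1; then
    echo "firewall-cmd not found; open 443/TCP with your firewall of choice" >&2
    return 1
  fi
  firewall-cmd --permanent --add-service=https && firewall-cmd --reload
}

# Typical lab sequence, run as root on the Web Tier host:
#   spoof_release_file        # before starting the Web Tier installer script
#   open_https_in_firewalld   # after the install, so users can reach the Self-Service Console
#   restore_release_file      # optional; leave the spoof in place if later Web Tier updates
#                             # re-run the same check
```

Only 443/TCP is opened inbound; the 7022 T3S connection in the port table is made from the Web Tier to the internal side, so it needs a rule on the internal firewall, not on the Web Tier host.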

With the availability of RSA Authentication Manager (AM) v8.3, you now have the option to transition your RSA SecurID® Access deployment to the cloud and take advantage of the business agility and economies of scale that Amazon Web Services (AWS) cloud computing offers. Create a hybrid or full Virtual Private Cloud (VPC) solution that best meets your business needs.

Create Hybrid or Full AWS Virtual Private Cloud solutions

In a Hybrid VPC model, the AM Primary instance and a Replica instance (for disaster recovery) are typically maintained in on-premises data centers for administration. Replica instances can be deployed in selected AWS regions to ensure 24x7 authentication service availability. In a full VPC deployment, all components (AM Primary, AM Replicas, Web Tiers, and the devices protected with RSA SecurID Agents or RADIUS Clients) can be moved to the cloud.

A major strength of RSA SecurID Access is the RSA Ready Partner Program where hundreds of products (VPNs, Load Balancers, Web Servers, Applications, etc.) have out-of-the-box interoperability with RSA SecurID Access. This will result in a smoother transition to the cloud. RSA strongly recommends that RSA Best Practices be maintained such as configuring Security Groups for secure connections to RSA SecurID Standard Agents or RADIUS Clients.

How to Obtain the AWS AMI

RSA has made it easy to obtain the RSA Authentication Manager AWS Machine Image (AMI). Existing RSA SecurID Access customers can simply contact RSA Customer Support. An RSA Customer Relations Desk representative will validate your RSA Support agreement and obtain your AWS Account Number (AWS Commercial or GovCloud) on your behalf. You will receive an email confirmation from RSA SaaS Operations indicating that the RSA Authentication Manager AMI located in the RSA Private AWS Community has been shared with your AWS account number. New customers can simply order the AMI at no charge. Contact your RSA account representative for more information.    

Configuring the AWS AMI

Configuring the AMI is easy. Simply login to your AWS Account EC2 console; choose AMI Private Image; search for the RSA Authentication Manager v8.3 AMI ID provided in the email notification and follow the instructions to Choose & Configure Instance Type, Add Storage, Add Tags, Review, and Launch the AMI. Be sure to keep all necessary information provided, including the RSA AM Quick Setup URL and the Quick Setup Access Code. Go to your browser, enter the URL and access code, and you’re ready to configure an AM primary or replica instance.

 

More than Just an AMI

RSA Authentication Manager v8.3 also includes a number of new features that make it easier to manage your RSA SecurID Access solution - improved agent visibility & reporting, efficient auto-assignment of tokens by expiration date and added search by token serial number capabilities in the User Dashboard.  

RSA Authentication Manager 8.3 Amazon Web Services (AWS) Virtual Appliance Getting Started

Need to know what to do to patch your RSA Authentication Manager 8.x servers? We can help!

 

RSA is excited to announce a new multi-part training video series for the RSA SecurID Access product.  Chapter 1 is a companion video to our popular knowledge article 000029877 - How to install patches on an RSA Authentication Manager 8.1 via web browser

 

In a brief training video, Jay Guillette of our Advanced Technical Support team walks you step-by-step through the things you need to know before patching your Authentication Manager primary and replica servers, such as what prerequisites must be met before installing (patch order, minimum free disk space, required ports, etc.); how to download patches and finally, how to successfully complete the install process.

 

Watch the video:   000029877 - How to install patches on an RSA Authentication Manager 8.1 via web browser.

 

We love your feedback so let us know what you think and what videos you'd like to see next.