Skip navigation
All Places > Products > RSA SecurID Access > Blog > 2018 > May

If you’ll be connecting to your Identity Source securely, using LDAPS, you’ll need the SSL certificate from your LDAP directory server when configuring the connection in the Cloud Administration Console. Not sure how to get it? We’ve seen our customers use a few different ways to get this certificate. Here are just a couple:


  1. Ask your directory server administrator for the certificate chain. Really, it can be that easy. When you add your connection to the LDAP directory (following the steps in your Quick Setup Guide), upload this file in the SSL Certificates section.
  2. Can’t ask your directory server admin or don’t want to? OpenSSL can be an easy way to do it. Here’s how:
    1. After you add your identity router (following the steps in your Quick Setup Guide), access SSH on your identity router using these instructions: 
    2. From the identity router command line, query the directory server to obtain the certificate chain using the following command:


      openssl s_client -showcerts -connect LDAP.SERVER:636


      where LDAP.SERVER is the LDAP directory server that has the full certificate chain loaded on it. (You might have to ask your directory server admin to know which directory server to query.)

    3. From the output, copy the sections starting from and including the BEGIN CERTIFICATE line to (and including) the last END CERTIFICATE line. Paste these lines into a local file on your desktop and call it something like ldaps.pem.
    4. When you add your Identity Source connection to the LDAP directory (again following the steps in your Quick Setup Guide), upload this file in the SSL Certificates section.

Do you have other easy ways to get your LDAPS certificate?  If so, please share your tips and tricks in the comments!

For part two of our multi-part training video series Jay Guillette returns to present the sequel to his video guide on how to install patches on an RSA Authentication Manager 8.1 server via web browser


Our new topic is . . . Super Administrator Password Reset (see article 000017467 - Unable to login to RSA Authentication Manager Security Console as super admin for the text base version).


We've all had that experience when you try to login to the Security Console with the password you know worked earlier in the day and it. is.just. not. working.  You try again and again.  You try your Gmail login password or your bank PIN, your network login password, your mom's maiden name, the name of your favorite pet . . . anything you think it might be but still your login fails.


Fear not, intrepid SecurID admin!  We can help!  Jay's video is a great overview of how to access the Security Console by creating a temporary user who can gain access to the Security Console.  Once in, your temp admin can reset your super admin user's password.  Easy peazy lemon squeezy!


Watch 000017467 - Unable to login to RSA Authentication Manager Security Console as super admin  the video and let us know what you think!

PLEASE  NOTE:  An RSA Authentication Manager 8.x  Web Tier server installed on CentOS is NOT supported by RSA.


This UNOFFICIAL GUIDE is intended only for non-production lab testing for partners, customers and RSA employees.


For more information on RSA's position on using CentOS with RSA Authentication Manager and RSA Authentication Agents, please see 000016848 - RSA support for Authentication Manager and/or RSA Authentication Agents installed on CentOS.



An RSA Authentication Manager Web Tier server has three functions:

  • Secure CT-KIP RSA SecurID software token provisioning across untrusted networks (usually the internet).
  • Allowing Self-Service Console (SSC) access to untrusted networks or the internet.
  • Legacy Risk-Based Authentication (RBA) feature in Authentication Manager 8.x. This function has been superseded by SecurID Access Cloud Authentication Service Risk-Based Identity Confidence in the Premium edition.

Of these functions, the first is most important for a secure Authentication Manager 8.3 deployment. The  Web Tier is currently provided as Microsoft Windows or Linux software packages that install on a customer-provided server typically deployed in a DMZ. Lab deployments usually operate inside a secured network zone.

It is strongly recommended that customers and partners maintain a non-production lab testing environment to test new versions and configuration changes.


Please see the RSA Authentication Manager 8.3 Setup and Configuration Guide, Chapter 5: Installing Web Tiers, Web-Tier Hardware and Operating System Requirements for more details on supported versions of Windows and Red Hat Enterprise Linux (RHEL).  Here are the requirements:

HardwareHard Drive: 2 GB for Web Tier installation
Hard Drive: 4 GB, with 20 GB free space for logs and updated component downloads
CPU: A CPU with a dual-core processor or better, or 2 or more CPUs.

External Firewall: 443 HTTPS (TCP)

Internal Firewall: 7022 T3S (TCP)

Operating SystemsRed Hat Enterprise Linux 5 Server (64-bit)
Red Hat Enterprise Linux 6 Server (64-bit)
Red Hat Enterprise Linux 7.4 Server (64-bit)
Windows Server 2008 R2 (64-bit)
Windows Server 2012 (64-bit)
Windows Server 2012 R2 (64-bit)


While these are the officially supported servers, it's often difficult for lab/demo usage to get a licensed copy of Microsoft Windows Server or Red Hat Enterprise Linux. CentOS is the free and open source version of RHEL which is nearly 100% compatible. In my testing I have found it's possible to deploy the RSA Web Tier package on a CentOS host after a very trivial modification of the OS. 

This guide is intended to allow a SecurID administrator to configure a CentOS 7 Web Tier in a non-production lab or demo environment based on VMware workstation or ESXi virtualization infrastructure.


Task 1: Configuring the CentOS 7 Operating System

Since CentOS is highly configurable with several different distributions, this section will provide step-by-step guidance.

  1. Download the DVD ISO from CentOS. The Everything ISO is too bloated and the Minimal ISO leaves out important tools, so the DVD release is the right one which allows you to configure your server at install.
  2. Build your virtual machine in VMware Workstation or ESXi, or your hypervisor platform of choice. Note that the Web Tier can even be installed on a physical server which may make sense for some environments, as it typically sits in the DMZ on a network. The VMware step-by-step instructions are beyond the scope of this article. Create the VM with 20 GB of disk, 2 GB of RAM and a single network adapter. (See Web Tier hardware requirements in the RSA Authentication Manager 8.3 Setup and Configuration Guide) I did customize the virtual hardware and remove the printer and sound card defaults since we don't need that for a server. Change the CD/DVD virtual drive to use the CentOS 7 ISO image you downloaded above and increase the memory to 2 GB. I find 2 vCPUs to be overkill for a lab so I kept the single CPU default. Once everything looks good, power on the VM and enter the virtual console.
    VMware create VM customized hardware and ISO image
  3. At this point I find it easiest to get the DNS for the server configured. In my lab network router interface, here I have entered an A DNS record and will fill in the static IP address in my lab router admin interface, which also is my local DNS resolver:
    Adding of Web Tier DNS entry
  4. Now we're ready to proceed with the VMware console install of the CentOS 7 Web Tier. The following screen shots are based on the ESXi web client but it should be similar for workstation. On boot you should see the CentOS Linux 7 installer boot screen, select the first option Install CentOS Linux 7. Follow the screen prompts from there including typing Enter.
    CentOS 7 boot install first option
  5. A bunch of booting events happen and then you'll get to a language selection screen, defaulted to US English. Select the default and then move to the main installation GUI screen. Note anything that's red needs to be selected before the installation can proceed. You have to be careful because it's a lot easier to configure some optional items here rather than later after installation is complete.
    1. First complete the mandatory Installation Destination. Don't forget to also fix the Date & Time time zone to match the Web Tier location. Then highlight the Software Selection option and select it:
      CentOS 7 main installer mandatory selections
    2. Choose the server type. I've found Minimal too bare bones, so Compute Node has more useful utilities. You may be wondering why I didn't select Basic Web Server. I don't want that because the RSA Authentication Manager 8.3 Web Tier package has it's own web app server and web server so we don't want an unneeded web server in the OS.
      CentOS 7 software selection
    3. The last step, which is an important one, is configuring the Web Tier server network connection. Select the Network & Host Name option and configure the network. Note the Ethernet connection is defaulted to off. Before you switch it on, click the lower left Configure button:
      Network and Host Name configuration main screen
      Go through the various tabs.  Most settings are left as the default but I turned off IPv6 by choosing Ignore and configured IPv4 as Manual with my static IP configuration that I already set up on my DNS server. Set the IP address, subnet mask and gateway as well as Host name and Search domains. Note all the fields are not shown completed below:
      IPv4 detailed configuration
      Finally turn the network on with the top right graphical switch. You should see the connection details and then be able to ping the Web Tier from another host on the network by hostname. Note that the Web Tier installer process requires the Web Tier to be resolvable by host name.
      Network and Host Name configuration completed
      Successful DNS resolution and ping from another host on the LAN
    4. You're finally ready to begin the installation, so select that option on the main installer screen. You'll see the installer starts installing packages from the DVD ISO. In the meantime, you can set the root password and create the Web Tier user. Set a strong root password and note you should really create the Web Tier user now and set it up as non-root with another strong password. This will be required for the Web Tier installer later.
      Web Tier passwords set
      Finally, the install will complete and you'll be prompted to reboot. You will come to the login bash prompt. Login as root, then logout again. You can proceed to get the Web Tier software install going. This is a lab environment so all security procedures and Security Enhanced Linux (SELinux) were not selected, but certainly follow best practices for your environment as they apply.


Task 2: Install and Configure RSA Authentication Manager 8.3 Web Tier Package

  1. We now have a CentOS 7 server with network connectivity that is ready for the RSA Web Tier install. Use your favorite SSH client from your chosen OS and log into the Web Tier. If you haven't already by this point, download the Authentication Manager 8.3 Web Tier package from the /Webtier directory in the Extras .zip file, available from Version Upgrades on RSA Link.  See 000034558 - How to download RSA Authentication Manager 8.x full kits and service packs from RSA Link for information on how to  download the file.
    Note you must have entitlements to download this file, so contact Customer Support if you get a login or authorization error.
    Handy Tip: You only need the /common and /linux-x86_64 sub directories extracted and copied over to your local VM or PC jump host with LAN access to the Web Tier CentOS 7 server. This way you are not copying over the unneeded /windows directory to a Linux Web Tier server.
  2. Use your favorite SCP tool to copy the /common and /linux-86_64 subdirectories to a new directory named /tmp/webtier on your CentOS 7 Web Tier server. The screen shots here are based on WinSCP. It's pretty important to have GbE or faster local LAN connectivity to your Web Tier box. For 8.3 it's about 1.7 GB of install files to copy over.
    WinSCP file copy to CentOS 7 Linux server
  3. From here we will follow the steps on how to install a Web Tier on Linux using the command line from chapter 5 of the RSA Authentication Manager 8.3 Setup and Configuration Guide. The documentation for Linux Web Tier installs has been greatly improved over older 8.x versions. Make sure you look at the Web Tier Installation Checklist before you start the installer script and follow the chmod permissions instructions carefully. You'll also need the Web Tier package from the Authentication Manager 8.3 Operations Console before you start the installer script as shown here. The typical service options are selected:
    Web Tier OC configuration and package generation

Task 3: Fix Installer Script Version Check to Allow Install on CentOS 7

STOP HERE. If you just try to continue with the default Web Tier installer script, you'll run into this error:


Installer script prerequisites error

  1. There's an easy fix to fool the installer script OS version check, which isn't that sophisticated. At the command prompt, type cat /etc/redhat-release and you'll see this file contents refers to CentOS:
    Release file view
    If you search this subject online, you'll get links regarding Red Hat Enterprise Linux Release Dates, which will give you the contents of this file specific to RHEL 7.4; which is Red Hat Enterprise Linux Server release 7.4 (Maipo).
  2. Use a nano /etc/redhat-release command, edit the file accordingly, and save it. Here is the string that can be cut & paste:
    Red Hat Enterprise Linux server release 7.4 (Maipo)
    Editing /etc/redhat-release file
  3. Now the installer script can proceed after you answer all the questions, as it will pass the RHEL 7.4 version check:
    WT installer script proceeding successfully
    Depending on how fast your storage system is on your server the install should take 20 to 30 minutes. After this time you should see the installer script finish with this message. It does take some time.
    Your installation is complete.
    Next Step
    After you exit the Web-Tier Installer, the Web-Tier Update Service connects to the preferred server to install the necessary services. Use the RSA Operations Console to check the status of this process.
    Go to Operations Console > Deployment Configurations > Web-Tier Deployments > Manage Existing.
    The update may take up to 20 minutes to complete.

    Press Enter to exit.
  4. The other key tip I've found is to go ahead and reboot the Web Tier server with a reboot command. It seems the Web Tier bootstrapper doesn't start after the installer finishes, but will kick off on a reboot. You will know it is working because if you run a top command on the console, Java will be taking up a bunch of CPU cycles:
    Web Tier Java processes
    You also may need to open the HTTPS service using the
    firewalld command if it's not already open. Search online for the many helpful guides on this.  RSA knowledge article 000033006 - Troubleshooting an Update Issue with an RSA Authentication Manager 8.1 Web Tier Deployment is very helpful in troubleshooting Web Tier connectivity issues on Linux. Eventually you will see this happy message on your Operations Console Web Tier configuration screen:
    Web Tier online successful

  5. Finally, go ahead and browse from your lab network to the FQDN of your Web Tier. It's recommended you use Microsoft Edge or Internet Explorer, as you should get a invalid security warning that you can click past. Firefox and Chrome are much stricter (rightfully so) on security, so you probably can't open the Web Tier Self-Service Console on current versions of those browsers. This can be fixed by getting a proper SSL certificate on the Web Tier through the documented procedure. For now, we have the Web Tier up and running.  Success!
    Web Tier SSC success!

Filter Blog

By date: By tag: