This section describes how to integrate RSA SecurID Access with XYPRO XYGATE UA as an authentication agent.
Architecture Diagram
Configure RSA Authentication Manager
To configure your RSA Authentication Manager for use with an authentication agent, you must create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).
Agent host record configuration differs slightly depending on whether you are using a UDP-based agent (using the 8.1.x or earlier RSA Agent API) or a TCP-based agent (using the 8.5 or newer RSA Agent API).
If UDP-based agent:
- Hostname: Configure the agent host record name to match the hostname of the agent.
- IP Address: Configure the agent host record to match the IP address of the agent.
Note: Authentication Manager must be able to resolve the IP address from the hostname.
If TCP-based agent:
- Hostname: Configure the agent host record name to match the agent name as specified in the agent's configuration. It does not have to match the hostname of the authentication agent.
- IP Address: Leave blank. Any input to this field will be disregarded.
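A pre-flight check of an agent host record against the UDP and TCP rules above, including the forward-resolution requirement for UDP agents. This is an added example, not RSA or XYPRO code; the `AgentHostRecord` model, function names, and sample values are hypothetical, and the TCP agent name is compared exactly as an assumption.

```python
import socket
from dataclasses import dataclass


@dataclass
class AgentHostRecord:
    """Agent host record fields as entered in the Security Console (hypothetical model)."""
    hostname: str
    ip_address: str = ""


def system_resolver(name):
    """Forward-resolve a hostname to its set of IPv4 addresses."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def check_record(record, transport, agent_id, agent_ip="", resolve=system_resolver):
    """Return a list of problems; an empty list means the record follows the rules.

    agent_id is the agent's hostname for UDP, or the agent name from the
    agent's configuration for TCP. Run this where name resolution matches
    what Authentication Manager sees (assumption).
    """
    problems = []
    if transport == "udp":
        if record.hostname.lower() != agent_id.lower():
            problems.append("record name does not match agent hostname")
        if record.ip_address != agent_ip:
            problems.append("record IP does not match agent IP")
        resolved = resolve(record.hostname)
        if not resolved:
            problems.append("record hostname does not resolve")
        elif agent_ip not in resolved:
            problems.append("hostname resolves to %s, not %s" % (sorted(resolved), agent_ip))
    elif transport == "tcp":
        if record.hostname != agent_id:
            problems.append("record name does not match configured agent name")
        if record.ip_address:
            problems.append("IP address is disregarded for TCP agents; leave blank")
    else:
        raise ValueError("transport must be 'udp' or 'tcp'")
    return problems


if __name__ == "__main__":
    # Constructed sample values (documentation address range), not from a real deployment.
    rec = AgentHostRecord("nonstop1.example.com", "192.0.2.10")
    print(check_record(rec, "udp", "nonstop1.example.com", "192.0.2.10"))
```

Pass a custom `resolve` callable to test against a known name-to-address mapping instead of live DNS.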
Configure XYPRO XYGATE UA
Perform these steps to configure XYPRO XYGATE UA as an authentication API client to RSA Authentication Manager.
Procedure
1. Download the sdconf.rec file from the RSA Authentication Manager Security Console and copy it to the /rsa directory in XUA.
2. Sign in to NonStop as the XUA admin, and run the XUA_RSA_INSTALL macro to configure the RSA interface. You will be asked a series of questions about configuring XUA to interface with the RSA service.
> RUN XUA
> XUA_RSA_INSTALL
Note: Responses to the RSA install macro will be recorded into the UACONF file as keywords using the values you enter at the prompts. These values can be modified in the UACONF only after the macro run is completed.
Do you want to configure the RSA interface <Y>?
3. Enter Y to configure the service.
What is the TCP/IP process name <$ZTCP2>?
4. Enter your TCP/IP process name.
How many seconds should XUA wait for a RSA response before timeout occurs<30>?
5. Enter 30.
Do you want to use RSA authentication for all NonStop users <No>?
6. Answer according to your need.
Do you want to require a password in addition to the SecurID token for all NonStop users <NO>?
7. Answer according to your need.
Is your RSA server configured as a web service <N>?
8. Enter N.
Do you want to configure the RSA interface now <Y>?
9. Enter Y.
Configuration is complete.
Note: Authenticating with RSA SecurID Access requires the UAACL rule, UAGROUP, which maps NonStop user accounts to RSA user accounts and invokes RSA processing by XUA. Refer to the XYGATE User Authentication Reference Manual for more information.
SecurID Agent Integration Details
RSA Authentication Agent API | 5.1 |
RSA SecurID User Specification | All Users |
Display RSA Server Info | No |
Perform Test Authentication | Yes |
Agent Tracing | Yes |
Agent Files | Location |
---|---|
sdconf.rec | /rsa |
sdopts.rec | /rsa |
Node secret | /rsa |
sdstatus.12 / jastatus.12 | /rsa |
Agent Tracing:
Enter the following from NonStop terminal as an administrator or as the installation owner:
> XUA_EXECUTE_RSA_PROXY TRACE
User Experience
User-defined new PIN:
System-generated new PIN
Next tokencode