Set Up Your Trial Environment

Document created by RSA Information Design and Development on Feb 17, 2020

After you complete the planning, you are ready to set up your trial environment. Complete the following tasks.

Procedure 

  1. (SSO Agent only) Configure Company Information and Certificates
  2. (SSO Agent only) Enable SSO Agent on the Cluster
  3. Add an Identity Router
  4. Install or Create the Identity Router Virtual Appliance or Machine
  5. Configure Initial Network Settings Using the Identity Router VM Console
  6. Connect Identity Router to Cloud Administration Console
  7. Add a Connection to LDAP Directory
  8. Synchronize LDAP Directory to the Cloud Authentication Service
  9. (SSO Agent only) Configure the Standard Web Application Portal
  10. Add an Application

Configure Company Information and Certificates

If you are using the SSO Agent, complete the following.

Before you begin 

Obtain the certificates described in Step 3: Test with Your Identity Source and All Applications.

Procedure 

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Company Information tab.
  2. Enter the Protected Domain Name.
  3. Upload the following files:  
    • The Private Key that matches the public certificate. Ensure that the private key is not password protected.
    • The Public Certificate that was issued from the certificate authority (CA) for your domain. Use a wildcard certificate.
    • The Certificate Chain that was provided by the CA, which is valid for your public certificate.
  4. Click Save Settings.

Enable SSO Agent on the Cluster

If you are using the SSO Agent, complete the following.

Procedure 

  1. In the Cloud Administration Console, click Platform > Clusters.
  2. Select Edit from the drop-down menu next to the cluster.
  3. Select the Enable the SSO Agent on all identity routers in the cluster checkbox.
  4. Click Save and Finish.
  5. Click Publish Changes.

Add an Identity Router

Procedure 

  1. Sign into the Cloud Administration Console using the URL and credentials that RSA emailed to you.
  2. Click Platform > Identity Routers.
  3. On the Identity Routers page, click Add an Identity Router, and follow the instructions.

    Under Registration Details, copy the Registration Code and Authentication Service Domain to a location where you can access them later on.

  4. Click Close.

Install or Create the Identity Router Virtual Appliance or Machine

You can install the virtual appliance image using a VMware administration client such as vSphere, by connecting either to the VMware vCenter Server or directly to the VMware ESXi host.

Alternatively, you can use Hyper-V Manager or Amazon Web Services EC2 to create a virtual machine for the identity router.

  1. In the Cloud Administration Console, click Platform > Identity Routers.
  2. Click Download Identity Router Image and do one of the following:
    • For VMware, click Download OVA Image for VMware, and save the image to a location accessible by VMware.
    • For Hyper-V, click Download VHD Image for Hyper-V, and save the image to a location accessible by Hyper-V.
    • For Amazon Web Services:
      1. Click Access AMI Image for Amazon.
      2. Enter your AWS Account ID.
      3. Click Update AMI Access.
      4. Note the values in the Identity Router AMI Name and AWS Regions with AMI Access fields. You can search the AWS private images catalog using these values to quickly locate the AMI.

    Note:  If you do not see the options to download an identity router image, the images are not yet available. RSA will send you an email when these images are available for download.

  3. Do one of the following:

    • To use VMware, sign into the VMware client, and do the following:

      1. Follow the VMware client documentation to install the virtual appliance from the image. When prompted, enter the following data:

        • Name to use for the virtual appliance
        • VMware host or cluster for the virtual appliance
        • Resource pool for the virtual appliance
        • Storage location or data store to use for the virtual appliance
        • Format for storing virtual disks
        • Networks to be used for the virtual appliance
      2. If you are not using the SSO Agent, delete the second network interface.

      3. Power on the virtual machine.

    • To use Hyper-V Manager, sign into Hyper-V Manager, and do the following:

      1. Click Hyper-V Host > New > Virtual Machine.
      2. Follow the wizard. In each dialog box, provide the following information.

         Dialog Box: Required Information
         • Specify Name and Location: Name of the identity router virtual machine.
         • Specify Generation: Select Generation 1.
         • Assign Memory: Startup memory = 8192 MB (recommended).
         • Configure Networking: Select the network for the management network adaptor.
         • Connect Virtual Hard Disk: Select Use an existing virtual hard disk and browse to the location where the identity router VHD image is available.
         • Completing the New Virtual Machine Wizard: Review and click Finish.
      3. Perform these steps only for deployments with two network interfaces:
        • To configure the second network, select the new virtual machine, right-click, and select Settings.
        • On the Add Hardware page, select Network Adapter and click Add.
        • Select the network for your proxy interface, then click Apply and OK.
      4. Select the new virtual machine from the list of virtual machines. Right-click and select Start.
      5. With the virtual machine selected, right-click again and select Connect.
    • To use Amazon Web Services, sign into Amazon EC2 and follow the documentation provided by Amazon to do the following:
      1. Make sure your AWS environment includes a VPC which meets the following requirements:
        • Private and public subnets are configured according to your deployment requirements.
        • Route tables, security groups, and network ACLs are configured to allow necessary traffic to and from the other network resources in your deployment, such as users and identity sources.
        • All DNS servers required for your deployment are specified in the DHCP options set.
      2. Launch the virtual instance using the AMI. When prompted, specify the following:

         Setting: Description
         • AMI template: The AMI template image provided by RSA.
         • Instance type: Determines presets for the virtual instance. The identity router requires a t2.large instance or greater.
         • Virtual Private Cloud (VPC): The section of your Amazon environment where you will deploy the identity router.
         • Subnet: A subnetwork within your VPC where you will deploy the identity router. The subnet can be either public or private, depending on how resources and users will connect to the identity router.
         • Auto-assign Public IP: Determines whether Amazon issues dynamic public IP addresses for the identity router, or the IP address is determined by the subnet settings. If your organization manages its own DNS service, RSA recommends allocating a persistent Elastic IP address through Amazon Web Services, and assigning it to the identity router instance after you complete the launch process.
         • Storage: Virtual storage space. The identity router requires 54 GB General Purpose SSD (GP2) storage.
         • Tags: Optional labels that describe this identity router. RSA recommends adding a tag specifying the Fully Qualified Domain Name, which acts as a unique identifier to differentiate this identity router from others in your deployment.
         • Security groups: Firewall rules that control traffic to and from the identity router. Add security groups that allow necessary traffic from other network resources according to your deployment model.
      3. Review the configuration and launch the instance.
      4. If prompted to select a key pair, select Proceed without a keypair.
      5. Use the Get instance screenshot feature to monitor instance deployment status. When deployment is complete, refresh the screenshot and write down the URL displayed for the Identity Router Setup Console.


Configure Initial Network Settings Using the Identity Router VM Console

You use the Identity Router VM Console to configure IP addresses and static routes for on-premises identity routers deployed in your VMware or Hyper-V environment.

Note:  This procedure is not required for identity routers in the Amazon Web Services cloud.

Procedure 

  1. Connect to the identity router using your VMware or Hyper-V management client.
  2. Sign into the Identity Router VM Console:

    Username: idradmin

    Password: s1mp13

    You are prompted to change these credentials the first time you sign in.

  3. Refer to the planning worksheet for the values to complete the Management sections.  

    Use the Up and Down arrows to navigate the main menu. Press Enter to select a menu option or configure its settings. Use Tab and Shift + Tab to navigate between settings and back to the main menu. When the cursor is in the settings panel, press F10 to save or Esc to revert. Press F10 after you complete each section to save your values.

  4. Select Commit in the left-hand frame to save the network configuration settings.
  5. Write down the URL that appears.

Connect Identity Router to Cloud Administration Console

Procedure 

  1. Open a web browser and go to the URL that you wrote down in the previous section.
  2. Sign into the Identity Router Setup Console:

    Username: idradmin

    Password: s1mp13

    You are prompted to change these credentials the first time you sign in.

  3. Add any DNS servers from the planning worksheet that you did not add in the Identity Router VM Console.

    Note:  These DNS server settings do not apply for identity routers in the Amazon cloud. Edit the DHCP option set in your Amazon Web Services environment if you need to add DNS servers for an Amazon cloud-based identity router.

  4. Enter the Network Time Protocol (NTP) server hostname or IP address from the planning worksheet.

  5. If you enabled two network interfaces in the Identity Router VM Console, update the IDR Proxy Information section with appropriate details.
  6. Click Update IDR Setup Configuration.

  7. Click Connect Administration Console.

  8. In the Registration Code field, enter the Registration Code displayed when you added the identity router in the Cloud Administration Console. See Add an Identity Router.

  9. In the Authentication Service Domain field, enter the Authentication Service Domain displayed when you added the identity router in the Cloud Administration Console. See Add an Identity Router.

  10. Click Submit.

    A confirmation message appears when the identity router is connected to the Cloud Administration Console. Also, note that the Identity Router Setup Console contains other pages that provide network diagnostics and detailed logs for the identity router.

  11. Sign into the Cloud Administration Console to check the status of the identity router (Platform > Identity Routers).

    When the identity router is connected to the Cloud Administration Console, the status reads Active. This process usually takes up to five minutes.

  12. Click Publish Changes to apply the configuration settings for the new identity router.

Add a Connection to LDAP Directory

If you want to add your own identity source, do the following.

Procedure 

  1. In the Cloud Administration Console, click Users > Identity Sources.
  2. Click Add an Identity Source > Select next to the directory to add.
  3. Enter the identity source name and root (the base DN for users from the planning worksheet).
  4. In the SSL Certificates section:
    1. Select Use SSL encryption to connect to the directory servers.
    2. Click Add and select the SSL certificate.
  5. In the Directory Servers section, add each directory server in the identity source, and test the connection.
  6. Click Next Step.
  7. On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.
  8. Select Use selected policy attributes with the Cloud Authentication Service.

  9. In the Policies column, select sAMAccountName, virtualGroups, and memberOf or other attributes that you might use to identify users.

  10. Click Next Step.
  11. In the User Search Filter field, specify your test group using a filter. The following is an Active Directory example:

    (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=<yourgroup_distinguishedName>))

    Where <yourgroup_distinguishedName> is the distinguished name of your test administrator group.

    For example, (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local))

  12. Click Save and Finish.
  13. Click Publish Changes.
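To see which test accounts a filter like the one in step 11 selects before you publish the identity source, here is an added Python example (not from the original page or from RSA's product): it escapes the group DN per RFC 4515, parses the filter subset used above and evaluates it against constructed sample directory entries. The entries, the helper names and the simplified matching rules (case-insensitive equality, objectCategory stored as the plain value "Person") are assumptions for this example.

```python
import re

def _entry(name, mail, *groups):
    """Constructed sample AD entry: attribute names lowercased, all values multi-valued."""
    e = {"samaccountname": [name], "objectcategory": ["Person"],
         "objectclass": ["top", "user"], "memberof": list(groups)}
    return dict(e, mail=[mail]) if mail else e

TEST_GROUP = "CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local"
SAMPLE_ENTRIES = [  # constructed for this example, not from the original page
    _entry("alice", "alice@corp.local", TEST_GROUP),
    _entry("bob", "bob@corp.local", "CN=Staff,OU=Groups,DC=Corp,DC=local"),
    _entry("svc-backup", None, TEST_GROUP),  # no mail attribute: excluded by (mail=*)
    _entry("carol", "carol@corp.local", "CN=Pilot (EMEA),OU=Groups,DC=Corp,DC=local"),
]

def ldap_escape(value):
    """RFC 4515 escaping, so a group DN containing ( ) * or \\ cannot alter the filter."""
    return "".join(r"\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_test_group_filter(group_dn):
    """The page's Active Directory filter with the test group DN escaped into it."""
    return ("(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)"
            "(mail=*)(memberOf=%s))" % ldap_escape(group_dn))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text, i=0):
    """Parse the (&...), (attr=*) and (attr=value) subset used by this filter."""
    if text[i + 1] == "&":
        i, children = i + 2, []
        while text[i] == "(":
            node, i = parse_filter(text, i)
            children.append(node)
        return ("and", children), i + 1
    end = text.index(")", i)  # a literal ')' inside a value is escaped as \29
    attr, _, value = text[i + 1:end].partition("=")
    return ("present" if value == "*" else "equal", attr.lower(), _unescape(value)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter; AD compares these attributes case-insensitively."""
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    values = entry.get(node[1], [])
    return bool(values) if node[0] == "present" else any(v.lower() == node[2].lower() for v in values)

def users_to_sync(group_dn, entries=SAMPLE_ENTRIES):
    """sAMAccountNames that the filter for this test group would hand to the sync."""
    tree, _ = parse_filter(build_test_group_filter(group_dn))
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]
```

Run `users_to_sync(TEST_GROUP)` to list the accounts that would be synchronized; a service account without a mail attribute drops out, and a group name containing parentheses still works because the DN is escaped rather than pasted in raw.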

Synchronize LDAP Directory to the Cloud Authentication Service

If you added your own identity source, synchronize data between the Cloud Authentication Service and your LDAP directory to ensure that the Cloud Authentication Service reflects any updates made to the LDAP directory.

During synchronization, users are added and attribute values that you selected in the previous step are copied to the Cloud Authentication Service. User passwords are not synchronized.

  1. In the Cloud Administration Console, click Users > Identity Sources.
  2. Next to your identity source, select Synchronization from the drop-down menu.
  3. In the Identity Source Details section, click Synchronize Now.

    Depending on the number of users you are syncing, this process can take several minutes.

Configure the Standard Web Application Portal

If you are using the SSO Agent, RSA SecurID Access provides an out-of-the-box, web-based portal that allows users to access available web applications. Users access the portal using the load balancer public IP address.

Procedure 

  1. In the Cloud Administration Console, click Access > Portal Settings.
  2. Click Standard, and follow the instructions.
  3. Click Save.
  4. Click Publish Changes.

Add an Application

Now that you have the trial system set up, you are ready to add all supported applications. For instructions for all supported applications, see the RSA SecurID Access category on RSA Ready.

If you set up the SSO Agent, you can use the Application Catalog in the Cloud Administration Console to enable single sign-on through the application portal with minimal configuration. The catalog provides connection templates for popular web applications, such as Cisco WebEx and Microsoft Outlook Web Access. To view the Application Catalog, click Applications > Application Catalog.

Next Steps

Congratulations! You have now completed the trial. For more information about purchasing the product, contact your RSA Sales representative, or call 800-995-5095 or 1-781-515-7700 and option 1 (Sales).
