000021175 - Can RSA SecurID be added to RSA Sign-On Manager Server Administration?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000021175

Applies To:
RSA Sign-On Manager Server
RSA SecurID Authentication
RSA Sign-On Manager administrator authentication to the SOM Manager Interface

Issue:
Can RSA SecurID be added to RSA Sign-On Manager Server Administration?
Can RSA SecurID be removed from RSA Sign-On Manager Server Administration if installed?
How to update sdconf.rec file in order to point to a different RSA SecurID server for RSA Sign-On Manager Server

Resolution:
1) How do you install RSA SecurID authentication after SOM Server is already installed?
It is possible, but quite tricky.

A: Replace the value of the "rsaauthchoices" attribute in the "*System Authentication Policy: Installation Configured" authentication policy.
The value is a base64 encoding of a Java Set object that contains the authentication choices.

Go to the SOM Server LDAP datastore, find OU=rsasom, OU=rsaauthenticationpolicies where you will find three objects called RSAUUID=###################################

Find the object whose Attribute "rsaauthname" = *System Authentication Policy: Installation Configured
(Note: This is typically the last one listed)

The value of rsaauthchoices that contains all three auth methods (password, and securid) is this:


The value of rsaauthchoices that contains all three auth methods (password, securid, and x509) is this:


 

Note: You could copy the rsaauthchoices from an installation that has the auth methods you wish to have in your already installed system rather than trying to hand craft this value.

 

B: There is one attribute "ace.server.config.file.name" in $INSTALL_DIR$/properties/csf.property that also needs to be set.

            ace.server.config.file.name=sdconf.rec

 

C: For SecurID, you need a file called sdconf.rec. That file is exported by the ACE Server, and needs to be copied to the "properties" folder of the server installation.
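An rsaauthchoices value copied from another installation (step A) can be inspected before it is written to the directory, without deserializing it. The following is an added example, not RSA's code: it checks the Java serialization header and lists the class names and strings the value contains. The function name and the sample value are constructed for illustration, and the walker assumes a set serialized without default fields (as java.util.HashSet is); the real value may contain product-specific classes.

```python
import base64
import struct

MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream magic + version

def inspect_authchoices(b64_value):
    """Return (class_names, strings) found in a base64 Java-serialized value,
    walking the stream tokens without deserializing anything."""
    data = base64.b64decode(b64_value, validate=True)
    if data[:4] != MAGIC:
        raise ValueError("not a Java serialization stream")
    pos, classes, strings = 4, [], []

    def utf(p):  # u16 length-prefixed string (ASCII subset of modified UTF-8)
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode("utf-8"), p + 2 + n

    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag in (0x73, 0x70, 0x78):   # TC_OBJECT, TC_NULL, TC_ENDBLOCKDATA
            continue
        elif tag == 0x72:               # TC_CLASSDESC
            name, pos = utf(pos)
            classes.append(name)
            pos += 9                    # serialVersionUID (8) + flags (1)
            (nfields,) = struct.unpack_from(">H", data, pos)
            pos += 2
            if nfields:
                raise ValueError(f"{name}: default fields not handled here")
        elif tag == 0x77:               # TC_BLOCKDATA: u8 length + raw bytes
            pos += 1 + data[pos]
        elif tag == 0x74:               # TC_STRING
            s, pos = utf(pos)
            strings.append(s)
        elif tag == 0x71:               # TC_REFERENCE: 4-byte handle
            pos += 4
        else:
            raise ValueError(f"unhandled token 0x{tag:02x} at offset {pos - 1}")
    return classes, strings

# Constructed sample (not a real rsaauthchoices value): a java.util.HashSet
# holding two illustrative strings.
SAMPLE = base64.b64encode(
    MAGIC + b"\x73\x72\x00\x11java.util.HashSet"
    + bytes.fromhex("ba44859596b8b734") + b"\x03\x00\x00\x78\x70"
    + b"\x77\x0c" + struct.pack(">ifi", 16, 0.75, 2)
    + b"\x74\x00\x08password\x74\x00\x07securid\x78"
).decode()

if __name__ == "__main__":
    print(inspect_authchoices(SAMPLE))
```

Running the same function on the value exported from the source installation and on the value read back after the change shows whether both carry the same classes and entries.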

 
2) Can SecurID authentication be removed after install?
No, you cannot. It requires an uninstall and re-install.

3) How do you update the sdconf.rec if you want to point to a different SecurID Server?
You can rename the old sdconf.rec located in the folder C:\Program Files\RSA Security\RSA Sign-On Manager\Server\properties and then copy the new sdconf.rec to replace the old one.
Legacy Article ID: a29384
