UNIX (AIX, HP-UX, Solaris)
|Issue||Troubleshooting X-Windows for SecurID protection|
|Resolution||The following documentation errors should be considered prior to the X-Windows configuration.|
a. Installation guide, RSA ACE/Server 4.1 for UNIX, page 153, item 4. The file name Xprompt should be read as XPrompt.
Prior to ACE/Server v5.0, the file name should be read as XPrompt.
b. Installation guide, RSA ACE/Server 4.1 for UNIX, page 153, item 5. It should be read as /usr/dt/bin/Xsession.
c. Installation guide, RSA ACE/Server 4.1 for UNIX, page 154, item 6. The lines mentioned in the documentation should
be added to the /usr/dt/bin/Xsession file on the line directly after #!/bin/sh, and not at the beginning of the file as
mentioned in the documentation.
d. Installation guide, RSA ACE/Server 5.0 and 5.0.1 for UNIX, page 167, item 5. It should be read as /usr/dt/bin/Xsession.
e. Installation guide, RSA ACE/Server 5.0 and 5.0.1 for UNIX, page 168, item 6. The lines mentioned in the documentation
should be added to the /usr/dt/bin/Xsession file on the line directly after #!/bin/sh, and not at the beginning of the file as
mentioned in the documentation.
This solution presumes that there is an ACE/Agent installed on the system which is going to be accessed via X-Windows, and that local ACE authentication has been configured and tested to work for the same user.
Using the AIX authentication method.
There are three files to be modified to protect X-Windows with SecurID authentication:
On Solaris, HP-UX and AIX the default path for the files:
Note: The paths of the files listed above might vary on other operating systems, but the files to be modified are the same.
1. Edit the file /usr/dt/bin/Xsession
Add the following lines to the script, directly under the line #!/bin/sh
if [ -n "$TESTSHELL" ] ; then
    SHELL=$TESTSHELL ; export SHELL
fi
# The single quotes in the first line of the above script are back quotes. These are on the ~ key on the keyboard.
# ACEPROG is the path to the ace/server installation, e.g. /opt/ace/prog
2. Edit the file /usr/dt/config/Xstartup
Append the ace/prog/XPrompt script to the end of the Xstartup file with the following command:
# cat /opt/ace/prog/XPrompt >> /usr/dt/config/Xstartup
Note: Notice the first two letters in XPrompt are in upper case in ACE/Server v3.3.1, 4.0, and 4.1. In ACE/Server 5.0,
the file name is Xprompt with lower case p.
3. Edit /usr/dt/config/Xconfig
Uncomment the following line:
#This will disable R4 MIT-MAGIC-COOKIE-1 per-user authorization.
4. If there is no /etc/dt directory on the machine, ignore step 5.
5. If there is a directory /etc/dt:
a. Create /etc/dt/config
b. Create /etc/dt/bin
c. Copy the files Xconfig and Xstartup into /etc/dt/config.
d. Copy the file /usr/dt/bin/Xsession to /etc/dt/bin/Xsession.
This eliminates the possibility of X-Windows failing after an OS upgrade.
6. Verify that the variables in the XPrompt file are set to the correct path.
7. Run /usr/dt/bin/dtconfig -reset
For additional information, see: How to set up XWindows for RSA SecurID authentication
8. For additional troubleshooting, see the /var/dt/Xerrors file.
9. If SecurID authentication from an HP VUE client is not working, edit the file .vueprofile. This file must exist in the user's
Add the following line:
SHELL=destinationshell; export SHELL
where the destination shell is the shell which runs after the user's successful authentication.
For additional information on configuring HP VUE refer to HP VUE Configuration
For additional information on configuring AIX client see Configuring AIX Client for X-windows authentication
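The script below is an added example, not part of the RSA documentation or product: read-only checks for steps 1, 2 and 5 above, including the Xsession placement erratum and the XPrompt/Xprompt naming difference. ROOT (a staging prefix so the checks can run against a copy of the files), the /opt/ace/prog default for ACEPROG, and the three-line window used to locate the TESTSHELL block are assumptions.

```shell
#!/bin/sh
# Added example: read-only checks for the X-Windows SecurID steps above.
# ROOT (staging prefix) and the ACEPROG default are assumptions.
ROOT=${ROOT:-}
ACEPROG=${ACEPROG:-/opt/ace/prog}

# Step 1 and errata c/e: #!/bin/sh stays on line 1 and the TESTSHELL
# block sits directly under it (looked for within lines 2-4).
check_xsession() {
    f="$ROOT/usr/dt/bin/Xsession"
    [ "$(sed -n '1p' "$f")" = '#!/bin/sh' ] || { echo "FAIL: $f line 1 is not #!/bin/sh"; return 1; }
    sed -n '2,4p' "$f" | grep -q 'TESTSHELL' || { echo "FAIL: $f has no TESTSHELL block under line 1"; return 1; }
}

# Step 2: the prompt script (XPrompt before v5.0, Xprompt in 5.0)
# must be the final lines of Xstartup.
check_xstartup() {
    f="$ROOT/usr/dt/config/Xstartup"
    for p in "$ROOT$ACEPROG/XPrompt" "$ROOT$ACEPROG/Xprompt"; do
        [ -s "$p" ] || continue
        n=$(wc -l < "$p")
        tail -n $n "$f" | cmp -s - "$p" && return 0
        echo "FAIL: $f does not end with $p"; return 1
    done
    echo "FAIL: no XPrompt or Xprompt in $ROOT$ACEPROG"; return 1
}

# Steps 4-5: if /etc/dt exists, its copies must match the edited /usr/dt files.
check_etc_copies() {
    [ -d "$ROOT/etc/dt" ] || return 0
    for rel in config/Xconfig config/Xstartup bin/Xsession; do
        cmp -s "$ROOT/usr/dt/$rel" "$ROOT/etc/dt/$rel" 2>/dev/null ||
            { echo "FAIL: /etc/dt/$rel differs or is missing"; return 1; }
    done
}

check_all() { check_xsession && check_xstartup && check_etc_copies && echo "OK"; }
```

Call check_all as root on the protected host after step 7; a FAIL line names the file to recheck.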
|Legacy Article ID||a3150|