000018710 - Troubleshooting X-Windows for SecurID protection

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 4

Article Content

Article Number: 000018710
Applies To: XWindows, UNIX (AIX, HP-UX, Solaris), RSA ACE/Server
Issue: Troubleshooting X-Windows for SecurID protection
Resolution:
The following documentation errors should be considered prior to the X-Windows configuration.

    a. Installation guide, RSA ACE/Server 4.1 for UNIX, page 153, item 4. The file name Xprompt should be read as XPrompt.
        Prior to ACE/Server v5.0, the file name should be read as XPrompt.
    b. Installation guide, RSA ACE/Server 4.1 for UNIX, page 153, item 5. It should be read as /usr/dt/bin/Xsession.
    c. Installation guide, RSA ACE/Server 4.1 for UNIX, page 154, item 6. The lines mentioned in the documentation should
        be added to the /usr/dt/bin/Xsession file, on the next line after #!/bin/sh, and not at the beginning of the file as
        mentioned in the documentation.
    d. Installation guide, RSA ACE/Server 5.0 and 5.0.1 for UNIX, page 167, item 5. It should be read as /usr/dt/bin/Xsession.
    e. Installation guide, RSA ACE/Server 5.0 and 5.0.1 for UNIX, page 168, item 6. The lines mentioned in the documentation
        should be added to the /usr/dt/bin/Xsession file, on the next line after #!/bin/sh, and not at the beginning of the file as
        mentioned in the documentation.

This solution presumes that there is an ACE/Agent installed on the system which is going to be accessed via X-Windows, and that local ACE authentication has been configured and tested to work for the same user.
Using the AIX authentication method.

Configuring X-Windows:
There are three files to be modified to protect X-Windows with SecurID authentication:

   On Solaris, HP-UX and AIX, the default paths for the files are:

    /usr/dt/bin/Xsession
    /usr/dt/config/Xstartup
    /usr/dt/config/Xconfig

  Note: The paths for the files listed above might vary on other operating systems, but the files to be modified are the same.

1. Edit the file /usr/dt/bin/Xsession
  Add the following lines at the beginning of the script, directly under the line #!/bin/sh
   
        TESTSHELL=`ACEPROG/sdfindshell`
        if [ -n "$TESTSHELL" ] ; then
                SHELL=$TESTSHELL ; export SHELL
        fi
 # The quotes in the first line of the above script are back quotes. These are on the ~ key on the keyboard.
 # ACEPROG is the path to the ACE/Server installation, e.g. /opt/ace/prog

2. Edit the file /usr/dt/config/Xstartup
  Append the ace/prog/XPrompt script to the end of the Xstartup file with the following command.

  # cat /opt/ace/prog/XPrompt >> /usr/dt/config/Xstartup

  Note: In ACE/Server v3.3.1, 4.0, and 4.1, the file name XPrompt is spelled with an upper case X and P. In ACE/Server 5.0,
           the file name is Xprompt with a lower case p.

3. Edit the file /usr/dt/config/Xconfig

  Uncomment the following line:
  Dtlogin*authorize:    False

 #This will disable R4 MIT-MAGIC-COOKIE-1 per-user authorization.

4. If there is no /etc/dt directory on the machine, skip step 5.
5. If there is a directory /etc/dt:

   a. Create /etc/dt/config
   b. Create /etc/dt/bin
   c. Copy the files Xconfig and Xstartup into /etc/dt/config.
   d. Copy the file /usr/dt/bin/Xsession to /etc/dt/bin/Xsession.

   This eliminates the possibility of X-Windows failing after an OS upgrade.

6. Verify that the variables in the XPrompt file are set to the correct paths.

   DEFVARACE="PATH/ace/data"
   DEFUSRACE="PATH/ace/prog"
   
7. Run /usr/dt/bin/dtconfig -reset
   For additional information, see: How to set up XWindows for RSA SecurID authentication

8. For additional troubleshooting, see the /var/dt/Xerrors file.

9. If SecurID authentication from an HP VUE client is not working, edit the file .vueprofile. This file must exist in the user's
   home directory.
  Add the following line:
  SHELL=destinationshell; export SHELL
  where destinationshell is the shell which runs after the user's successful authentication.
  For additional information on configuring HP VUE, refer to HP VUE Configuration
  For additional information on configuring an AIX client, see Configuring AIX Client for X-windows authentication
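
An added example, not part of the original RSA article: a POSIX shell function that audits the edits from steps 1-3 and 6 in a given dt directory. The function names, the output format and the sample tree are constructed for illustration, and it assumes the XPrompt variables appear as plain assignments at the start of a line.

```shell
# Added example: audit the dtlogin files edited in steps 1-3 and 6.
# Usage: check_securid_x11 [DTDIR]   (DTDIR defaults to /usr/dt)
check_securid_x11() {
    dt=${1:-/usr/dt}; rc=0
    xsession=$dt/bin/Xsession
    xstartup=$dt/config/Xstartup
    xconfig=$dt/config/Xconfig
    for f in "$xsession" "$xstartup" "$xconfig"; do
        [ -r "$f" ] || { echo "MISSING $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # Step 1: sdfindshell assignment on line 2, directly under #!/bin/sh.
    if [ "$(sed -n 1p "$xsession")" = '#!/bin/sh' ] &&
       sed -n 2p "$xsession" | grep -q 'TESTSHELL=`.*/sdfindshell`'; then
        echo "OK   Xsession: sdfindshell block follows #!/bin/sh"
    else
        echo "FAIL Xsession: sdfindshell block not directly under #!/bin/sh"; rc=1
    fi

    # Steps 2 and 6: XPrompt appended; a space after "=" would assign an empty value.
    for v in DEFVARACE DEFUSRACE; do
        if grep -q "^[[:space:]]*$v=[^[:space:]]" "$xstartup"; then
            echo "OK   Xstartup: $v is set"
        else
            echo "FAIL Xstartup: $v missing or empty (XPrompt not appended?)"; rc=1
        fi
    done

    # Step 3: Dtlogin*authorize present, uncommented, and False.
    if grep -q '^[[:space:]]*Dtlogin\*authorize:[[:space:]]*False' "$xconfig"; then
        echo "OK   Xconfig: Dtlogin*authorize is False"
    else
        echo "FAIL Xconfig: Dtlogin*authorize: False missing or commented out"; rc=1
    fi
    return "$rc"
}

# Constructed sample tree (not real system files); $2 is the Xconfig line.
make_sample_tree() {   # make_sample_tree DIR AUTHLINE
    mkdir -p "$1/bin" "$1/config"
    printf '%s\n' '#!/bin/sh' 'TESTSHELL=`/opt/ace/prog/sdfindshell`' >"$1/bin/Xsession"
    printf '%s\n' 'DEFVARACE="/opt/ace/data"' 'DEFUSRACE="/opt/ace/prog"' >"$1/config/Xstartup"
    printf '%s\n' "$2" >"$1/config/Xconfig"
}
demo=$(mktemp -d)
make_sample_tree "$demo" '# Dtlogin*authorize:    False'   # still commented out
check_securid_x11 "$demo" || echo "sample tree is not fully configured"
rm -rf "$demo"
```

Run it with no argument to check /usr/dt, and again with /etc/dt as the argument when step 5 applies.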
  
Legacy Article ID: a3150
