000033488 - Managing the configuration files of an RSA Authentication Agent for Windows

Document created by RSA Customer Support Employee on Jul 21, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000033488
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for Windows
RSA Version/Condition: 7.2 or later
 
Issue: A new Authentication Manager deployment has been built (perhaps because of a migration from an earlier version of Authentication Manager) and the administrator wants to change the configuration of the RSA Authentication Agents for Windows already deployed in the production environment.
Resolution: The RSA Authentication Agent for Windows stores its configuration files in the C:\Program Files\Common Files\RSA Shared\Auth Data folder by default. To point an RSA Authentication Agent for Windows at a new Authentication Manager deployment, remove the failover.dat, sdstatus.12 and securid files and replace the sdconf.rec file with one that points to the new server(s).
 
Because the authentication agent checks for the node secret on both the agent and the server, deleting the node secret file from the agent also requires clearing it on the server. In the Security Console under Access > Authentication Agents > Manage Existing, use the search criteria to find the authentication agent in question. Once found, click the agent and select Manage Node Secret… Check the option to clear the node secret and click Save.
 
NOTE: The operating system hosting the RSA Authentication Agent for Windows must be able to look up the fully qualified host names and IP addresses of the Authentication Manager instances in the deployment, either through DNS or the local hosts file.
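The manual reconfiguration described above, as an added PowerShell script (not part of the RSA article or the product): it assumes the article's default Auth Data folder, a local path for the downloaded AM_Config.zip, and placeholder Authentication Manager host names, all of which are assumptions to adjust.

```powershell
# Added example (not from the RSA article): re-point an installed RSA Authentication
# Agent for Windows at a new Authentication Manager deployment by replacing sdconf.rec
# and removing the per-deployment state files the article lists. Run elevated.
# The zip path and AM host names below are assumptions; the folder is the article's default.
param(
    [string]$AuthData     = 'C:\Program Files\Common Files\RSA Shared\Auth Data',
    [string]$NewConfigZip = 'C:\Temp\AM_Config.zip',   # downloaded from Security Console > Generate Config File
    [string[]]$AmHosts    = @('am-primary.example.com', 'am-replica.example.com')  # placeholder names
)

$ErrorActionPreference = 'Stop'

# 1. The agent host must resolve every AM instance (DNS or hosts file) before anything changes.
foreach ($h in $AmHosts) {
    try { $null = [System.Net.Dns]::GetHostAddresses($h) }
    catch { throw "Cannot resolve '$h'; fix DNS or the hosts file before reconfiguring the agent." }
}

# 2. Back up the current configuration so the change can be rolled back.
$backup = Join-Path $env:TEMP ("RSA-AuthData-backup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))
Copy-Item -Path $AuthData -Destination $backup -Recurse
Write-Host "Backed up '$AuthData' to '$backup'"

# 3. Remove the deployment-specific state files named in the article.
#    securid is the node secret: after deleting it here, clear the node secret for this
#    agent in the Security Console (Manage Node Secret) as well, or authentication will fail.
foreach ($f in 'failover.dat', 'sdstatus.12', 'securid') {
    $p = Join-Path $AuthData $f
    if (Test-Path $p) { Remove-Item -Path $p -Force; Write-Host "Removed $f" }
}

# 4. Install the new sdconf.rec from the downloaded AM_Config.zip (overwriting the old one).
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($NewConfigZip)
try {
    $entry = $zip.Entries | Where-Object { $_.Name -eq 'sdconf.rec' }
    if (-not $entry) { throw "sdconf.rec not found in '$NewConfigZip'" }
    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, (Join-Path $AuthData 'sdconf.rec'), $true)
} finally { $zip.Dispose() }

# 5. Show what is now in place; sdstatus.12 and securid reappear after the next successful authentication.
Get-ChildItem -Path $AuthData | Select-Object Name, Length, LastWriteTime
```

Test on a single agent host first, as the article recommends, and confirm a user can authenticate before rolling the change out further.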

 
Changing the configuration files of an RSA Authentication Agent for Windows is a manual task. An administrator could start by changing one RSA Authentication Agent for Windows to confirm the process works before changing the remaining agents.
 
For large deployments, an administrator could review the section “Deploying the Installation Package to Multiple Computers” in the RSA Authentication Agent 7.2 Installation and Administration Guide. Following that section, a new installation package can be created with the new configuration files, and a tool such as Microsoft Systems Management Server (SMS) can be used to remove the previous installation and replace it with the new package. Where the Windows host running the RSA Authentication Agent for Windows is a domain member, GPO templates can be used to configure the authentication agent challenge settings. Test this approach to make sure it gives the desired results.
 

NOTE: The steps above may require two Windows restarts: one after removal of the authentication agent software and another after installation of the new package.

Alternatively, customers can engage RSA Professional Services to design a solution for changing the configuration files on a large number of deployed RSA Authentication Agents for Windows.

Table showing the configuration files used by an RSA Authentication Agent for Windows:

Filename: sdconf.rec
Description: Configuration record providing the IP addresses of the Authentication Manager instances in the deployment.
  • Generated in the Security Console under Access > Authentication Agents > Generate Configuration File.
  • Click the Generate Config File button.
  • Click the Download Now link to obtain the AM_Config.zip that contains the sdconf.rec file.

Filename: failover.dat
Description: Allows agent auto-registration to complete when the primary instance is unavailable or is separated from the agent host by a firewall that uses Network Address Translation (NAT). The file includes a list of the primary and replica instances and their alias IP addresses.

Filename: server.cer
Description: The server certificate used with the authentication agent auto-registration utility.
  • Downloadable from the Security Console under Access > Authentication Agents > Download Server Certificate File.
  • Click the Download Now link to obtain server.cer.

Filename: securid
Description: The node secret file, used to encrypt communication between the authentication agent and Authentication Manager. Created during the first successful authentication between the agent and the Authentication Manager server.

Filename: sdstatus.12
Description: Created by the agent; contains the list of available Authentication Manager instances and time-related information. If this file is deleted, the authentication agent recreates it on the next authentication.

Filename: sdopts.rec
Description: Used for manual load balancing of an authentication agent. Appendix A: Configuring Automatic Load Balancing (page 81) of the RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide explains how to use the sdopts.rec file and describes the parameters that can be used to configure it.


 
Notes: Click the link to obtain documentation, GPO templates and more for the RSA Authentication Agent 7.2 for Windows.
