000034091 - Integrating Vormetric Data Security Manager with RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Nov 30, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000034091
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 or later
 
Issue
There is a requirement to use SecurID two-factor authentication on the Vormetric Data Security Manager (DSM) administrative web console.
The real-time authentication activity monitor reports "Authentication Method Failed" when a SecurID authentication is performed with correct credentials on the Vormetric administrative web console.

Resolution
RSA has a certification program to assure customers of the interoperability of leading products with RSA products. Customers can search the EMC Technology Partner Program, called RSA Ready, to see which third-party products have gone through certification.
RSA has posted a Vormetric Data Security Manager (DSM) integration guide; however, it refers to RSA Authentication Manager 7.1 and Vormetric Data Security Manager 5. Vormetric Data Security Manager 5.x uses the RSA Authentication Agent 8.1 API/SDK for Java, and the SecurID configuration files are located in the /opt/vormetric/coreguard/server/config/rsa directory.
The permissions of the files in the /opt/vormetric/coreguard/server/config/rsa directory are as follows:
-rw-r--r--  1 voradmin db2grp1    nnn mmm dd hh:mm rsa_api.properties
-rw-r--r--  1 voradmin db2grp1    nnn mmm dd hh:mm sdconf.rec
-rw-r--r--  1 voradmin db2grp1    nnn mmm dd hh:mm securid

where:
nnn refers to the file size
mmm represents the month (e.g., Sep)
dd represents the day
hh:mm represents the time in hours and minutes

Vormetric Technical Support has a procedure to generate a one-time dynamic root password for the operating system hosting the Vormetric DSM. With that access, an administrator can update the /opt/vormetric/coreguard/server/config/rsa/rsa_api.properties file so that sdopts.rec, an additional configuration file used by Authentication Manager, can be used.
Vormetric Technical Support can also be contacted for information on the CLI commands that manage the node secret (securid) file, for those times when a node secret mismatch occurs.
Contents of the default /opt/vormetric/coreguard/server/config/rsa/rsa_api.properties file:
SDNDSCRT_TYPE=FILE
RSA_LOG_TO_CONSOLE=YES
SDOPTS_TYPE=FILE
RSA_DEBUG_FLOW=YES
RSA_CONFIG_READ_INTERVAL=600
RSA_DEBUG_LOCATION=YES
RSA_DEBUG_NORMAL=YES
RSA_AGENT_HOST=n.n.n.n
SDOPTS_LOC=
SDSTATUS_TYPE=FILE
RSA_DEBUG_TO_FILE=NO
RSA_LOG_TO_FILE=NO
RSA_ENABLE_DEBUG=YES
SDCONF_TYPE=FILE
RSA_DEBUG_EXIT=YES
RSA_DEBUG_TO_CONSOLE=YES
RSA_LOG_LEVEL=DEBUG
SDCONF_LOC=/opt/vormetric/coreguard/server/config/rsa/sdconf.rec
SDSTATUS_LOC=JAStatus.1
RSA_DEBUG_ENTRY=YES
RSA_LOG_FILE=/tmp/rsa_api_event.log
RSA_DEBUG_FILE=/tmp/rsa_api_debug.log
SDNDSCRT_LOC=/opt/vormetric/coreguard/server/config/rsa/securid

where n.n.n.n is the IP address of the Vormetric DSM (e.g., the IP address of eth0).

An administrator with root access can update the /opt/vormetric/coreguard/server/config/rsa/rsa_api.properties file to use an sdopts.rec file (see the SDOPTS_LOC line below).
SDNDSCRT_TYPE=FILE
RSA_LOG_TO_CONSOLE=YES
SDOPTS_TYPE=FILE
RSA_DEBUG_FLOW=YES
RSA_CONFIG_READ_INTERVAL=600
RSA_DEBUG_LOCATION=YES
RSA_DEBUG_NORMAL=YES
RSA_AGENT_HOST=n.n.n.n
SDOPTS_LOC=/opt/vormetric/coreguard/server/config/rsa/sdopts.rec
SDSTATUS_TYPE=FILE
RSA_DEBUG_TO_FILE=NO
RSA_LOG_TO_FILE=NO
RSA_ENABLE_DEBUG=YES
SDCONF_TYPE=FILE
RSA_DEBUG_EXIT=YES
RSA_DEBUG_TO_CONSOLE=YES
RSA_LOG_LEVEL=DEBUG
SDCONF_LOC=/opt/vormetric/coreguard/server/config/rsa/sdconf.rec
SDSTATUS_LOC=JAStatus.1
RSA_DEBUG_ENTRY=YES
RSA_LOG_FILE=/tmp/rsa_api_event.log
RSA_DEBUG_FILE=/tmp/rsa_api_debug.log
SDNDSCRT_LOC=/opt/vormetric/coreguard/server/config/rsa/securid

 

The contents of the /opt/vormetric/coreguard/server/config/rsa/sdopts.rec file are:

CLIENT_IP=n.n.n.n

where n.n.n.n is the IP address of the Vormetric DSM (e.g., the IP address of eth0) and matches the IP address used in the authentication agent record that was created in the Security Console.

A restart of the Vormetric Data Security Manager is required so that it reads the updated /opt/vormetric/coreguard/server/config/rsa/rsa_api.properties file and makes use of the sdopts.rec file.
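
A check for the configuration described above, as an added example that is not part of the original article or of any RSA or Vormetric tooling: the shell function reads rsa_api.properties, confirms that SDOPTS_LOC points at a readable sdopts.rec, and confirms that its CLIENT_IP equals RSA_AGENT_HOST. The function names, the equality check (the article describes both values as the DSM IP address) and the write-permission check against the -rw-r--r-- listing are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check the agent files described in this article.
# After sourcing this file: check_rsa_agent_config /path/to/rsa_api.properties

# Print the value of KEY from a KEY=VALUE file (last match wins, CR stripped).
prop() {
    sed -n "s/^$1=//p" "$2" | tr -d '\r' | tail -n 1
}

# Prints one line per problem; returns 0 when none are found, 1 otherwise.
check_rsa_agent_config() {
    props=$1
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    [ -r "$props" ] || { echo "PROBLEM: cannot read $props"; return 1; }
    agent_ip=$(prop RSA_AGENT_HOST "$props")
    sdopts=$(prop SDOPTS_LOC "$props")
    sdconf=$(prop SDCONF_LOC "$props")

    [ -n "$agent_ip" ] || fail "RSA_AGENT_HOST is not set"
    [ -r "$sdconf" ] || fail "SDCONF_LOC file '$sdconf' is missing or unreadable"

    if [ -z "$sdopts" ]; then
        # This is the state of the default file shown in the article.
        fail "SDOPTS_LOC is empty, so no CLIENT_IP override is loaded"
    elif [ ! -r "$sdopts" ]; then
        fail "SDOPTS_LOC file '$sdopts' is missing or unreadable"
    else
        client_ip=$(prop CLIENT_IP "$sdopts")
        if [ -z "$client_ip" ]; then
            fail "$sdopts has no CLIENT_IP= line"
        elif [ "$client_ip" != "$agent_ip" ]; then
            fail "CLIENT_IP ($client_ip) differs from RSA_AGENT_HOST ($agent_ip)"
        fi
        # The article lists these files as -rw-r--r--; flag group/other write.
        mode=$(ls -ld "$sdopts" | cut -c1-10)
        case $mode in
            ?????w????|????????w?) fail "$sdopts is writable by group/other ($mode)" ;;
        esac
    fi

    [ "$problems" -eq 0 ] && echo "OK: agent IP override is consistent ($agent_ip)"
    [ "$problems" -eq 0 ]
}
```

The script only compares the local files with each other; that the address also matches the authentication agent record still has to be confirmed in the Security Console.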

Notes
Table showing the SecurID configuration files used by an authentication agent:

Filename: Description

sdconf.rec: Configuration record providing the IP addresses of the Authentication Manager instances in the deployment. Generated in the Security Console.
  1. Select Access > Authentication Agents > Generation Configuration File.
  2. Click the Generate Config File button.
  3. Click the Download_Now link to obtain the AM_Config.zip that contains the sdconf.rec.

securid: The node secret file used to encrypt communication between the authentication agent and Authentication Manager. This is created dynamically during the first authentication attempt.

JAStatus.1: Created by the agent and contains the list of available Authentication Manager instances and time response related information. Should this file get deleted, the authentication agent will recreate it on the next authentication.

sdopts.rec: Contains the value of CLIENT_IP=<IP address>, used as the IP address override. Page 82 of the RSA Authentication Agent 7.3.1 for Microsoft Windows Installation and Administration Guide provides some information on the CLIENT_IP parameter used in the sdopts.rec file.
