The following accounts provide permission to modify, maintain, and repair the Authentication Manager deployment. Quick Setup creates these accounts with information that you enter. If you plan to record the logon credentials for these accounts, be sure that the storage method and location are secure.
A valid User ID for an Operations Console administrator must be a unique identifier that uses 1 to 255 ASCII characters. The characters @ and ~ are not allowed, and spaces are not allowed.
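The User ID rule above can be checked before an account is created, for example in a provisioning script. The following validator is an added example, not code from RSA or the product; it treats any whitespace character as a "space" (an assumption, stated in the code) and also flags duplicate IDs in a batch, since the documentation requires each ID to be unique.

```python
# Added example (not from the RSA documentation): validate proposed Operations
# Console administrator User IDs against the stated rule:
# 1 to 255 ASCII characters; '@', '~' and spaces are not allowed; IDs are unique.

FORBIDDEN = {"@", "~"}


def validate_oc_user_id(user_id: str) -> tuple[bool, str]:
    """Return (True, 'ok') if user_id satisfies the rule, else (False, reason)."""
    if not 1 <= len(user_id) <= 255:
        return False, f"length {len(user_id)} is outside 1..255"
    # str.isascii() rejects any code point above U+007F (e.g. accented letters).
    if not user_id.isascii():
        return False, "contains non-ASCII characters"
    # Assumption: tabs and other whitespace are treated like spaces and rejected.
    if any(c.isspace() for c in user_id):
        return False, "contains whitespace"
    bad = sorted(FORBIDDEN.intersection(user_id))
    if bad:
        return False, "contains disallowed characters: " + ", ".join(bad)
    return True, "ok"


def check_batch(user_ids: list[str]) -> dict[str, str]:
    """Return {user_id: reason} for every ID that fails the rule or is duplicated.

    An empty dict means the whole batch is acceptable.
    """
    problems: dict[str, str] = {}
    seen: set[str] = set()
    for uid in user_ids:
        ok, reason = validate_oc_user_id(uid)
        if not ok:
            problems[uid] = reason
        elif uid in seen:
            problems[uid] = "duplicate User ID"
        seen.add(uid)
    return problems


if __name__ == "__main__":
    # Constructed sample batch: two valid IDs, one with '@', one duplicate.
    sample = ["oc_admin_alice", "oc_admin_bob", "bob@example", "oc_admin_alice"]
    for uid, reason in check_batch(sample).items():
        print(f"{uid!r}: {reason}")
```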
RSA recommends the following best practices for administrative accounts:
- Create a separate administrative account for each administrator, for example, create a separate Operations Console administrator account for each Operations Console user. Do not share account information, especially passwords, among multiple administrators.
- RSA does not recommend associating administrative roles with external LDAP or Active Directory user accounts. Use separate administrative accounts with their own credentials for external identity source administrators and Authentication Manager administrators.
- If you have multiple administrators, restrict the scope and permissions of Authentication Manager administrative accounts, and restrict access by dividing your deployment into security domains. Separation of privileges is especially important if you are using LDAP or Active Directory users as administrators.
- If administrative roles in Authentication Manager are associated with an external LDAP account, a specific role, with appropriate limiting controls, should be used. For instructions, see Administrative Role Scope and Permissions.
The appliance operating system account User ID is rsaadmin. This User ID cannot be changed. You specify the operating system account password during Quick Setup. You use this account to access the operating system when you perform advanced maintenance or troubleshooting tasks. The rsaadmin account is a privileged account to which access should be strictly limited and audited. Individuals who know the rsaadmin password and who are logged on as rsaadmin have sudo privileges and shell access.
Every appliance also has a root user account. This account is not needed for normal tasks. You cannot use this account to log on to the appliance.
You can access the operating system with Secure Shell (SSH) on a hardware appliance or a virtual appliance. Before you can access the appliance operating system through SSH, you must use the Operations Console to enable SSH on the appliance.
For instructions, see Enable Secure Shell on the Appliance.
On a VMware virtual appliance, you can also access the appliance operating system with the VMware vSphere Client. On a Hyper-V virtual appliance, you can also access the appliance operating system with the Hyper-V System Center Virtual Machine Manager Console or the Hyper-V Manager.
An Operations Console administrator can change the password of the operating system account, rsaadmin, in the Operations Console.