Enable SecurID Token Users to Access Resources Protected by Cloud Access Service
RSA supports two connection types between Authentication Manager (AM) and Cloud Access Service (CAS), depending on the direction of authentication:
Connection from AM: This connection type allows users to access on-premises, agent-protected resources using cloud-based authenticators such as the RSA Authenticator app. Configure this connection in the Security Console. For more information, see Connect Authentication Manager to the Cloud Access Service.
Connection to AM: This connection type allows users to access cloud-protected resources using SecurID authenticators that are managed in AM. You must connect the identity router to AM to enable this setup.
The configuration described below uses the second connection type, Connection to Authentication Manager, so that users with SecurID tokens that are assigned in AM can access SaaS and on-premises web applications and RADIUS clients protected by CAS. The identity router for CAS acts as an agent to AM.
For more information, see:
- Authentication Process Overview
- Required Components
- Required Tasks
- Configure a Static Route to AM
- Generate the AM Configuration File
- Connect Your CAS Deployment to AM
Authentication Process Overview
The following illustration shows the process flow for a SecurID user accessing a resource protected by a CAS IDR SSO Agent or RADIUS. AM validates the SecurID tokencode and returns information to the identity router before the user is granted access.
Required Components
| Component | Details |
|---|---|
| CAS | Use the Cloud Administration Console to download the identity router software or deploy an embedded IDR in AM. You must deploy at least one identity router and configure the required components for a minimal deployment that allows Authentication Manager users to authenticate to resources protected by CAS. See RSA Cloud Access Service Deployment Overview. |
| AM | Any supported version of AM with at least one primary instance. |
Required Tasks
The configuration consists of the following tasks.
| Person Responsible | Task |
|---|---|
| Super Admin for CAS | 1. Confirm that your network allows outbound TCP traffic from the identity router to the Authentication Manager servers on port 5500. |
| Network administrator | 2. For each identity router with two network interfaces, add an A record to the internal domain name server (DNS) that maps the identity router’s portal hostname to its portal interface IP address. For each identity router with one network interface, add an A record to the internal DNS that maps the identity router’s portal hostname to its management interface IP address. |
| Super Admin for CAS | 3. Configure a Static Route to AM. |
| Super Admin for AM | 4. Generate the AM Configuration File. 5. Add the identity router to AM as an agent. For instructions, see the following topics: Note: Perform step 5 once for all identity routers in your deployment. Do not add an agent for each identity router. |
| Super Admin for CAS | 6. Connect Your CAS Deployment to AM. |
Configure a Static Route to AM
For on-premises identity routers deployed in your VMware or Hyper-V environment, the Super Admin for CAS must configure static routes to restrict communication between a specific AM server or network of servers and one identity router.
You must configure a static route when you initially configure CAS to communicate with AM, as well as each time an AM instance is added or removed from the deployment.
You can configure either of the following:
- If AM servers are on different networks, configure a static route for each identity router in your deployment to each AM server.
- If all AM servers are on the same network, configure one static route for each identity router in your deployment going to that network to restrict the connections for the entire AM deployment.
Note: This method for static route configuration is not available for identity routers deployed in the Amazon cloud. Instead, you must configure route tables in your Amazon Web Services environment to enable each identity router in your VPC to reach Authentication Manager. Refer to your Amazon Web Services documentation for instructions.
The following graphic shows how the example IP addresses from the procedure are used to configure a static route from an identity router to the AM appliance(s).
Before you begin
- You must be a Super Admin in the Cloud Administration Console for CAS.
- Ensure that your network allows outbound TCP traffic from the identity router to the AM server on port 5500.
Procedure
1. In the Cloud Administration Console, click Platform > Identity Routers.
2. Next to the identity router name, select Edit.
3. Click Next Step to access the Settings page.
4. In the Static Routes section, do one of the following, then click Add.
   - To restrict an individual AM server to the identity router management interface, enter these settings:
     - IP Address: <Authentication Manager Server IP Address>. For example, 192.168.20.7
     - Network Mask: 255.255.255.255
     - Gateway: <Default Gateway for Identity Router Management Interface>. For example, 10.10.10.1
     - Device: Private
   - To restrict a network containing all AM servers, use these settings:
     - IP Address: <AM Server Network>. For example, 192.168.20.0
     - Network Mask: <Network Mask for AM Server Network>. For example, 255.255.255.128
     - Gateway: <Default Gateway for Identity Router Management Interface>. For example, 10.10.10.1
     - Device: Private
5. Click Next Step.
6. Click Save and Finish.
7. Repeat step 2 through step 6 for each identity router in your deployment.
8. Click Publish Changes.
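The two route patterns above (a 255.255.255.255 host route for one AM server, or a network route covering all AM servers) only work if every AM instance the identity router must reach actually falls inside a configured destination. The following is an added pre-publish check, not part of RSA's documentation or software: it uses the page's example addresses (192.168.20.7, 192.168.20.0/255.255.255.128, gateway 10.10.10.1), assumes a constructed management-interface subnet of 10.10.10.0/24, and flags AM servers that no route covers, gateways that are not on the management interface network, and an IP Address entered with host bits set beyond its mask.

```python
import ipaddress
from typing import Dict, List, Tuple

# Management-interface subnet of this identity router (constructed; the
# procedure only gives 10.10.10.1 as the example default gateway).
MGMT_INTERFACE_NETWORK = ipaddress.ip_network("10.10.10.0/24")

# Static Routes form fields as entered in the Cloud Administration
# Console, using the example addresses from the procedure above.
STATIC_ROUTES: List[Dict[str, str]] = [
    # Pattern 1: one AM server as a host route (mask 255.255.255.255).
    {"ip": "192.168.20.7", "mask": "255.255.255.255",
     "gateway": "10.10.10.1", "device": "Private"},
    # Pattern 2: the network holding all AM servers (192.168.20.0-127).
    {"ip": "192.168.20.0", "mask": "255.255.255.128",
     "gateway": "10.10.10.1", "device": "Private"},
]


def route_network(route: Dict[str, str]) -> ipaddress.IPv4Network:
    """Destination network of one route entry. An IP Address with host
    bits set beyond the mask is rejected: it silently widens the route
    to a network the administrator did not intend."""
    net = ipaddress.ip_network(f"{route['ip']}/{route['mask']}", strict=False)
    if net.network_address != ipaddress.ip_address(route["ip"]):
        raise ValueError(f"{route['ip']}/{route['mask']} is not a network "
                         f"address; use {net.with_netmask} or a /32 host route")
    return net


def check_routes(routes: List[Dict[str, str]],
                 am_servers: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """List, per AM instance (primary and replicas), the routes that cover
    it. Returns (coverage, problems); an instance with no covering route
    is unreachable on TCP 5500 through the restricted routes, so it must
    be added before you click Publish Changes."""
    problems: List[str] = []
    nets = []
    for r in routes:
        if ipaddress.ip_address(r["gateway"]) not in MGMT_INTERFACE_NETWORK:
            problems.append(f"gateway {r['gateway']} is not on the management interface network")
        nets.append((f"{r['ip']}/{r['mask']}", route_network(r)))
    coverage: Dict[str, List[str]] = {}
    for srv in am_servers:
        addr = ipaddress.ip_address(srv)
        coverage[srv] = [label for label, net in nets if addr in net]
        if not coverage[srv]:
            problems.append(f"AM server {srv} is not covered by any static route")
    return coverage, problems
```

Run it with the list of all AM primary and replica addresses each time an instance is added or removed; a replica at 192.168.20.130, for example, lies outside the 255.255.255.128 network route and needs its own entry.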
After you finish
A Super Admin for AM must generate the AM configuration file. See Generate the AM Configuration File.
Generate the AM Configuration File
You must configure communication between the authentication agents and AM. To do this, use the Security Console to generate a zip file (AM_Config.zip) that contains the AM configuration file, sdconf.rec. To configure communication, you copy sdconf.rec to each agent host. The sdconf.rec file contains a snapshot of the server topology as it was when the file was generated. The agent uses the data in the sdconf.rec file as a backup.
The generated zip file also contains a failover.dat file that can be configured on the agent. The failover.dat file allows agent auto-registration to complete when the primary instance is unavailable or separated from the agent host by a firewall that uses Network Address Translation (NAT). This file includes a list of the primary and replica instances, and their alias IP addresses.
You need the AM configuration file to configure communication between your CAS deployment and AM. The Super Admin for AM must generate the AM_Config.zip file, which contains the configuration file, sdconf.rec. The sdconf.rec file contains a snapshot of the server topology as it was when the file was generated.
Before you begin
- Make sure an agent is connected to AM.
- Review the configuration settings. See Configure Agent Settings.
Procedure
- In the Security Console, click Access > Authentication Agents > Generate Configuration File.
- In the Maximum Retries drop-down list, select the number of times you want the authentication agent or identity router to attempt to establish communication with AM before returning the message Cannot initialize agent - server communications.
- In the Maximum Time Between Each Retry drop-down list, select the number of seconds that you want to set between attempts by the authentication agent or identity router to establish communications with AM.
- Click Generate Config File.
- Click Download Now, and save AM_Config.zip to your local machine.
After you finish
If you are configuring an agent:
- Copy AM_Config.zip, containing the sdconf.rec file and the failover.dat file, to each agent host. The agent uses the data in the sdconf.rec file as a backup.
- Configure the agent with the new sdconf.rec file and if necessary, the failover.dat file. For instructions, see your agent documentation.
The Super Admin for CAS must unzip the AM_Config.zip file and upload the sdconf.rec file to the identity router. See Connect Your Cloud Access Service Deployment to Authentication Manager.
Connect Your CAS Deployment to AM
To use SecurID as an authentication method, the Super Admin for CAS must connect the CAS deployment to the AM server. CAS supports AM versions 8.2 and higher. These configuration settings allow all identity routers to communicate with AM.
To download complete integration instructions, see Integrating CAS and AM in Select an Integration Path for Authentication Manager and Cloud Access Service.
Before you begin
- You must be a Super Admin in the Cloud Administration Console for CAS.
- Confirm that your network allows outbound traffic from the identity router to the AM server on port 5500.
- Confirm that a static route is configured to each AM server for each identity router in your deployment. For instructions, see Configure a Static Route to RSA Authentication Manager.
- A person with Super Admin privileges in AM must create an agent record in AM. If you did not do this, you must obtain the agent name and the location of the sdconf.rec file from the AM Super Admin.
- For AM versions earlier than 8.2 SP1, use the Operations Console to add the hostname and IP address for the identity router to the AM server hosts file. For identity routers in the Amazon cloud, add the private IP address. For on-premises identity routers, add the hostname and IP address of both the proxy and management interfaces. To view and modify the hosts file, sign in to the Operations Console and click Administration > Network > Hosts File.
- If your identity router is configured to communicate with AM and the IDR SSO Agent is disabled, you need to upload your own certificate using My Account > Company Settings. For instructions, see Configure Company Information and Certificates.
Procedure
- In the Cloud Administration Console, click Platform > Authentication Manager.
- Click Configure Connection.
- In the Authentication Agent Name field, enter the exact name provided by your AM administrator.
- To upload the sdconf.rec file, click Choose File and select the file.
- Click Save.
- Click Publish Changes to apply the settings to all identity routers in the deployment. You must publish before you test the connection, but remember that publishing applies these settings and all pending changes to all identity routers.
- Click Test Connection. A graphic shows the connection status for each configured identity router. If any components are not connected, investigate the cause.
After you finish
The Super Admin for CAS must make sure assurance levels and access policies are configured to require SecurID Token where appropriate. For more information, see Access Policies.