Integration of RSA NetWitness with RSA SecurID
I just integrated both platforms for one customer of mine; the original idea was to add stronger authentication to the NetWitness GUI. I followed the directions in Configure PAM Login Capability - RSA Security Analytics Documentation. The integration was successful and I achieved the first successful authentication, but when I started to run more tests I saw bad behavior. Let me explain:
- When the AM's lockout policy was fired, after 3 failed auths, the user went into NextTokenCode, but the SecurID Authorization Agent for PAM is not able to handle this flag; it always sends auth failures and I never see the NTC box in the NetWitness GUI.
- When you use a PIN mode in authentication attempts, the NetWitness console dies. The jetty service goes down.
- And if you try to reuse the same token, in theory you are not able to make a successful auth, but the NetWitness console permits the authentication, although you see this log in the Authentication Real Monitor of SecurID (auth failed, token reuse).
The questions are:
Will the SecurID Authorization Agent for PAM be better, and in which release of NetWitness?
Does anybody know of a workaround to solve the issue?
Note: I used these versions:
- RSA AM 184.108.40.206
- RSA SA 10.6.1
I just did the PAM integration with RSA SA 10.6.1.0, it worked well for about 4 hrs and now it is crashing the website. I had to disable it in the pam.d/securityanalytics file and have submitted a ticket to RSA for assistance.
Did you ever get any more information on the issues you were having?
Also, FWIW, I'm trying to get "stacked" authentication to work--
In my case, I started with Kerberos auth against Microsoft AD and want to add a 2nd prompt for the token code.
What I have found so far is that NetWitness (10.5.2) does not change the Security Analytics login box. If I were using only SecurID, I would expect it to change to Username and Token Code (rather than "Password"). Using both Kerberos and SecurID, it would need to either add an additional space to enter the Token Code, or pop up another prompt once Kerberos is done.
Anything I've tried with stacked PAM modules seems to just crash the web UI.
I have a ticket open with RSA...