This document lists what’s new and changed in RSA Authentication Agent 7.0 P2 for Web for Apache Web Server on Red Hat Linux (referred to as the "RSA Authentication Agent" in this document). Read this document before installing RSA Authentication Agent 7.0 P2. This document contains the following sections:
This Readme may be updated. The most current version can be found on RSA Link at https://community.rsa.com/. Or, you can print this Readme.
What's Included in This Release
RSA Authentication Agent 7.0 P2 includes the enhanced RSA SecurID cookie protection (issue 125836) that was developed and provided in RSA Authentication Agent 7.0 P1. For your convenience, we have provided the documentation for that enhancement in this Readme. This release also provides a fix for issue AAGENT-2449. See Fixed Issues for more information.
Enhanced RSA SecurID cookie protection includes the following:
The Common Gateway Interface (CGI) command permanently invalidates the RSA SecurID cookie after a user logs off. This prevents an unauthorized user from using a copied cookie to access protected web pages.
An HTML template (RSASecurID_Logoff_UNIX_Web.htm) provides a web developer with an example of how to link to the CGI command through a Log Off link. The template also contains code that shows how to invoke the CGI command even if the user closes the browser without clicking the Log Off link. During the installation process, RSA Authentication Agent automatically installs the HTML template file in the install_dir/Templates directory.
For more information on how to configure and use the enhanced cookie protection features, see Enabling Enhanced Cookie Protection.
The following documentation for RSA Authentication Agent 7.0 P2 for Web for Apache Web Server on Red Hat Linux is in the /doc directory.
Installation and Configuration Guide
You can install RSA Authentication Agent 7.0 P2 as a full installation or as a patch to RSA Authentication Agent 7.0 or RSA Authentication Agent 7.0 P1. For example, if your computer does not have RSA Authentication Agent 7.0 installed, the full product installs on the computer. If you do have either RSA Authentication Agent 7.0 or RSA Authentication Agent 7.0 P1 installed, this patch upgrades the product and saves your current settings.
Important: Before you install RSA Authentication Agent, perform the tasks described in the Workarounds for the following Known Issues: AAGENT-2283 and AAGENT-2284.
To install RSA Authentication Agent 7.0 P2 as a full installation or as a patch:
Copy the kit contents to a local directory.
Log on to the computer with an account that has write permissions to the web server root directory.
Change to the directory you created when you downloaded the software, and run the installation script. Type:
Follow the prompts to install the software.
For details on testing or configuring RSA Authentication Agent, see the RSA Authentication Agent 7.0 for Web for Apache Web Server on Red Hat Linux Installation and Configuration Guide.
Important: The installation process installs the RSA Cookie Server and starts it. This server provides protection against using copied cookies. Without the RSA Cookie Server (for example, if it stops), you see prompts to authenticate each time you access pages within the application. If you see authentication prompts for each URL you access, you must restart the web server.
Enabling Enhanced Cookie Protection
To use the enhanced cookie protection, a web developer can choose to do one or both of the following to permanently invalidate the RSA SecurID cookie and end the session on the web page:
Invoke the CGI command from the Log Off link in the web page protected by SecurID. For example, you could specify http://www.server.domain.com/webauthentication?logoff?referrer=/sample.html, where server.domain.com is the fully qualified name of the web server. When the user clicks the Log Off link, it permanently invalidates the cookie and ends the session for that page. (For more information, see "Using the Log Off URL to Invalidate Web Access Authentication Cookies" in the RSA Authentication Agent 7.0 for Web for Apache Web Server Installation and Configuration Guide.)
To turn off the cookie protection, you can set the following environment variable:
RSA_NO_LOGOFF_COOKIE_CHECKING = 1
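The following is an added example of the Log Off wiring described above; it is not the RSASecurID_Logoff_UNIX_Web.htm template that ships with the agent. It builds the Log Off URL in the form the Readme shows, attaches it to a Log Off link, and adds a pagehide fallback so the CGI command is still invoked when the user closes the tab without clicking the link. The element id "logoff", the use of fetch with keepalive, the referrer check, and the in-site navigation detection are assumptions of this example, not behaviour taken from the RSA template.

```javascript
// Added example (not the RSA template's code). Builds the Log Off URL and
// wires it to a link plus a close-without-logoff fallback.

const CGI_PATH = '/webauthentication';        // path used in the Readme's sample URL
const WEB_SERVER = 'www.server.domain.com';    // placeholder FQDN from the Readme's example

// http://<server>/webauthentication?logoff?referrer=<page>, written exactly as
// the Readme does (the referrer path is passed through unencoded).
function buildLogoffUrl(server, referrer) {
  // Assumed check: accept only an absolute path on this server, so "//host/..."
  // and full URLs cannot send the post-logoff page off-site.
  if (!/^\/(?!\/)/.test(referrer)) {
    throw new Error('referrer must be an absolute path on this server');
  }
  return `http://${server}${CGI_PATH}?logoff?referrer=${referrer}`;
}

// True when href resolves to the same origin as the page at base.
function isSameSite(href, base) {
  try {
    return new URL(href, base).origin === new URL(base).origin;
  } catch (e) {
    return false;
  }
}

// Invoke the CGI command without waiting for a response; keepalive lets the
// request finish while the page is being torn down.
function fireLogoff(url) {
  return fetch(url, { method: 'GET', credentials: 'same-origin', keepalive: true });
}

// Wire the link and the fallback. pagehide cannot distinguish "closed the tab"
// from "followed a link", so clicks on same-site links suppress the fallback;
// otherwise every internal link on the protected page would log the user off.
function installLogoffHandlers(doc, win, logoffUrl) {
  let suppress = false;
  const link = doc.getElementById('logoff');
  link.href = logoffUrl;                     // clicking it invokes the CGI directly
  doc.addEventListener('click', (ev) => {
    const a = ev.target.closest && ev.target.closest('a[href]');
    if (a && a !== link && isSameSite(a.href, win.location.href)) suppress = true;
  });
  link.addEventListener('click', () => { suppress = true; });
  win.addEventListener('pagehide', () => {
    if (!suppress) fireLogoff(logoffUrl).catch(() => {});
    suppress = false;
  });
}

// Sample URL for the page /sample.html on the placeholder server.
const SAMPLE_LOGOFF_URL = buildLogoffUrl(WEB_SERVER, '/sample.html');

// Only runs in a browser; under Node the functions above are still callable.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    installLogoffHandlers(document, window,
      buildLogoffUrl(window.location.host, window.location.pathname));
  });
}
```

The page needs an anchor with id="logoff" for the link. Form submissions and script-driven navigation are not detected by the click listener, so on a page that navigates that way the fallback would also fire; extend the suppression logic to match how the protected application actually moves between pages.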
Enabling Enhanced Cookie Protection in Multiserver and Multidomain Environments
To ensure that enhanced cookie protection works across multiple web servers in a single or multidomain environment, you must perform additional domain configuration for all servers in all domains. For example, if you have two domains, domain A and domain B (Figure 1), and two web servers in each domain, you must configure each web server in both domain A and B.
For each server that you configure, list all the servers in all domains in your environment using the hyphen symbol as explained in the following table.
Hyphen Symbol Usage in URL

Server type: Server representing a domain other than the domain of the server being configured. This one server is the domain server for the other domain.
Hyphen usage: No hyphen before the URL.
Example: http://www.domainserver.com

Server type: Servers that do not represent a different domain than the server being configured. These can be servers in the same domain as the server being configured, as well as servers in different domains that do not serve as the domain server. Only one server from a different domain serves as the domain server, and therefore it is the only server from the different domain not to have the hyphen in the URL.
Hyphen usage: Precede the URL with a hyphen.
Example: -http://www.allotherservers.com
The following are sample configurations for each server in domain A and domain B.
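As an added example (not RSA's own sample configurations), the following applies the hyphen convention from the table above to a constructed two-domain topology and produces the URL list each server should carry. Assumptions: the first server listed in a domain is the one that acts as that domain's domain server when seen from the other domain, the configured server lists itself with a hyphen like every other same-domain server, and the list is one entry per line. The real configuration file name and syntax are in the Installation and Configuration Guide, not here.

```javascript
// Added example (not RSA's code). Generates and validates the per-server
// URL lists under the hyphen convention.

// Constructed topology: domain A and domain B, two web servers each. The first
// server in each domain is assumed to act as that domain's domain server.
const DOMAINS = {
  domainA: ['http://www.a1.domaina.example', 'http://www.a2.domaina.example'],
  domainB: ['http://www.b1.domainb.example', 'http://www.b2.domainb.example'],
};

// Name of the domain that contains the given server URL.
function domainOf(url, domains) {
  for (const [name, servers] of Object.entries(domains)) {
    if (servers.includes(url)) return name;
  }
  throw new Error(`unknown server: ${url}`);
}

// Entries for the server being configured: every server in every domain gets a
// leading hyphen, except the single designated domain server of each *other*
// domain, which is written without one.
function serverListFor(configured, domains) {
  const own = domainOf(configured, domains);
  const entries = [];
  for (const [name, servers] of Object.entries(domains)) {
    servers.forEach((url, index) => {
      const isOtherDomainServer = name !== own && index === 0;
      entries.push(isOtherDomainServer ? url : `-${url}`);
    });
  }
  return entries;
}

// Check a list against the rule: no unprefixed entry from the configured
// server's own domain, and exactly one unprefixed entry per other domain.
function validateServerList(configured, entries, domains) {
  const own = domainOf(configured, domains);
  const unprefixed = {};
  for (const entry of entries) {
    if (entry.startsWith('-')) continue;
    const name = domainOf(entry, domains);
    unprefixed[name] = (unprefixed[name] || 0) + 1;
  }
  if (unprefixed[own]) return false;
  return Object.keys(domains)
    .filter((name) => name !== own)
    .every((name) => unprefixed[name] === 1);
}

// Lists for every server in every domain, keyed by server URL.
function allConfigurations(domains) {
  const out = {};
  for (const servers of Object.values(domains)) {
    for (const url of servers) out[url] = serverListFor(url, domains);
  }
  return out;
}

for (const [url, entries] of Object.entries(allConfigurations(DOMAINS))) {
  console.log(`# list for ${url} (valid: ${validateServerList(url, entries, DOMAINS)})`);
  console.log(entries.join('\n'));
}
```

Run it with Node to print the four lists; validateServerList is the check to apply to a hand-written list before deploying it, since a second unprefixed server from the same foreign domain, or an unprefixed server from the configured server's own domain, violates the convention.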
Fixed Issues

This section describes issues that have been resolved in this release.

Tracking Number: AAGENT-2449
Problem: In certain circumstances, a user could traverse the directory structure inappropriately and have read access to certain file types.
Resolution: This issue has been addressed so that this type of unauthorized read access to certain file types is no longer allowed.
Known Issues

This section describes issues that remain unresolved in this release. Wherever a workaround or fix is available, it has been noted or referenced in detail. For many of the workarounds in this section, you must have administrative privileges. If you do not have the required privileges, contact your administrator.

Unable to compile new C language CGI for RSA cookie API using the included rsacookieapi.h file
Tracking Number: 115729
Problem: When you try to compile a new C language CGI to use the RSA cookie API using the included rsacookieapi.h file, an error that references an undeclared variable is displayed.
Workaround: Compile the RSA cookie API by running the build.sh script available in the RSA cookie API sample. If you have any problems, refer to the ReadMe.txt file inside the C samples.
Unable to install RSA Authentication Agent on the UNIX operating system, as the installation script does not have execute permission
Tracking Number: AAGENT-2283
Problem: When you try to install RSA Authentication Agent on the UNIX operating system, it fails because the installation script does not have the required execute permission.
Workaround: Before installing RSA Authentication Agent, add the execute permission to the installation script with the command chmod +x install. (Note the lowercase x: chmod +X leaves a regular file that is not already executable unchanged.)
After installation of RSA Authentication Agent on a UNIX platform, the first access of a web page protected by RSA SecurID can fail after the user enters a valid user name and passcode
Tracking Number: AAGENT-2284
Problem: The failure on first access of a web page protected by RSA SecurID can occur due to insufficient privileges for RSA Authentication Agent to write to the VAR_ACE directory.
Workaround: Before installing RSA Authentication Agent, add read and write permissions to the VAR_ACE directory, /var/ace, with the command chmod +rw /var/ace.
RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.