Enable SecurID Token Users to Access Resources Protected by Cloud Access Service
RSA supports two connection types between Authentication Manager (AM) and Cloud Access Service (CAS), depending on the direction of authentication:
Connection from AM: This connection type allows users to access on-premises, agent-protected resources using cloud-based authenticators such as the RSA Authenticator app. Configure this connection in the Security Console. For more information, see Connect Authentication Manager to the Cloud Access Service.
Connection to AM: This connection type allows users to access cloud-protected resources using SecurID authenticators that are managed in AM. You must connect the identity router to AM to enable this setup.
The configuration described below uses the second connection type, Connection to Authentication Manager, so that users with SecurID tokens that are assigned in AM can access SaaS and on-premises web applications and RADIUS clients protected by CAS. The identity router for CAS acts as an agent to AM.
For more information, see:
- Authentication Process Overview
- Required Components
- Required Tasks
- Configure a Static Route to AM
- Generate the AM Configuration File
- Connect Your CAS Deployment to AM
Authentication Process Overview
The following illustration shows the process flow for a SecurID user accessing a resource protected by a CAS IDR SSO Agent or RADIUS. AM validates the SecurID tokencode and returns information to the identity router before the user is granted access.
Required Components
| Component | Details |
|---|---|
| CAS | Use the Cloud Administration Console to download the identity router software or deploy an embedded IDR in AM. You must deploy at least one identity router and configure the required components for a minimal deployment that allows Authentication Manager users to authenticate to resources protected by CAS. See RSA Cloud Access Service Deployment Overview. |
| AM | Any supported version of AM with at least one primary instance. |
Required Tasks
The configuration consists of the following tasks.
| Person Responsible | Task |
|---|---|
| Super Admin for CAS | 1. Confirm that your network allows outbound TCP traffic from the identity router to the Authentication Manager servers on port 5500. |
| Network administrator | 2. For each identity router with two network interfaces, add an A record to the internal domain name server (DNS) that maps the identity router’s portal hostname to its portal interface IP address. For each identity router with one network interface, add an A record to the internal DNS that maps the identity router’s portal hostname to its management interface IP address. |
| Super Admin for CAS | 3. Configure a Static Route to AM. |
| Super Admin for AM | 4. Generate the AM Configuration File. 5. Add the identity router to AM as an agent, using the agent record settings listed under Connect Your CAS Deployment to AM. Note: Perform step 5 once for all identity routers in your deployment. Do not add an agent for each identity router. |
| Super Admin for CAS | 6. Connect Your CAS Deployment to AM. |
Configure a Static Route to AM
For on-premises identity routers deployed in your VMware or Hyper-V environment, the Super Admin for CAS must configure static routes so that traffic from each identity router to a specific AM server, or to the network containing the AM servers, leaves through the identity router's management interface.
You must configure a static route when you initially configure CAS to communicate with AM, as well as each time an AM instance is added or removed from the deployment.
You can configure either of the following:
- If AM servers are on different networks, configure a static route for each identity router in your deployment to each AM server.
- If all AM servers are on the same network, configure one static route for each identity router in your deployment going to that network to restrict the connections for the entire AM deployment.
Note: This method for static route configuration is not available for identity routers deployed in the Amazon cloud. Instead, you must configure route tables in your Amazon Web Services environment to enable each identity router in your VPC to reach Authentication Manager. Refer to your Amazon Web Services documentation for instructions.
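The choice between the two route shapes above (one /32 host route per AM server, or one route to the network that holds all of them) is easy to get wrong when a replica sits on a different subnet than the primary. The following helper, an added example and not part of RSA's product or documentation, turns a list of AM server addresses and the management-interface settings into the rows you type into the Static Routes section, and refuses a network route that does not actually contain every AM server. All addresses (192.168.20.x, 10.10.10.x) are the page's example values; the management interface CIDR and the function names are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    """One row of the identity router's Static Routes table (IP, mask, gateway, device)."""
    ip_address: str
    network_mask: str
    gateway: str
    device: str = "Private"  # "Private" is the management interface in the Cloud Administration Console


def plan_static_routes(am_servers: List[str], mgmt_interface: str, mgmt_gateway: str,
                       am_network: Optional[str] = None) -> List[StaticRoute]:
    """Return the static routes one identity router needs to reach the given AM servers.

    am_servers     - IP addresses of every AM instance (primary and replicas).
    mgmt_interface - the IDR management interface address in CIDR form, e.g. "10.10.10.5/24"
                     (assumed value for this example).
    mgmt_gateway   - the default gateway of that management interface.
    am_network     - optional CIDR containing all AM servers; when given, one network route
                     is emitted instead of one host route per server.
    """
    iface = ipaddress.ip_interface(mgmt_interface)
    gateway = ipaddress.ip_address(mgmt_gateway)
    # The gateway must be directly reachable from the management interface; otherwise the
    # console accepts the row but the route never carries traffic.
    if gateway not in iface.network:
        raise ValueError(f"gateway {gateway} is not on the management network {iface.network}")

    servers = [ipaddress.ip_address(s) for s in am_servers]
    if not servers:
        raise ValueError("at least one AM server address is required")

    if am_network is None:
        # AM servers on different networks: one /32 host route per instance.
        return [StaticRoute(str(s), "255.255.255.255", str(gateway))
                for s in sorted(set(servers))]

    # strict=False normalises "192.168.20.7/25" to its network address, 192.168.20.0.
    net = ipaddress.ip_network(am_network, strict=False)
    outside = [str(s) for s in servers if s not in net]
    if outside:
        raise ValueError(f"AM servers {outside} are not inside {net}; use host routes instead")
    # All AM servers share one network: a single route to that network covers the deployment.
    return [StaticRoute(str(net.network_address), str(net.netmask), str(gateway))]


def route_covers(route: StaticRoute, address: str) -> bool:
    """True if traffic to this AM server address would be sent through the given route."""
    net = ipaddress.ip_network(f"{route.ip_address}/{route.network_mask}", strict=False)
    return ipaddress.ip_address(address) in net


if __name__ == "__main__":
    # Host route for a single AM server, then one network route for a /25 holding two servers.
    for r in plan_static_routes(["192.168.20.7"], "10.10.10.5/24", "10.10.10.1"):
        print(r)
    for r in plan_static_routes(["192.168.20.7", "192.168.20.9"], "10.10.10.5/24",
                                "10.10.10.1", am_network="192.168.20.0/25"):
        print(r)
```

Run the planner once per identity router (each one may have a different management gateway) and re-run it whenever an AM instance is added or removed, which is exactly when the page says the static routes must be revisited.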
The following graphic shows how the example IP addresses from the procedure are used to configure a static route from an identity router to the AM appliance(s).
Before you begin
- You must be a Super Admin in the Cloud Administration Console for CAS.
- Ensure that your network allows outbound TCP traffic from the identity router to the AM server on port 5500.
Procedure
- In the Cloud Administration Console, click Platform > Identity Routers.
- Next to the identity router name, select Edit.
- Click Next Step to access the Settings page.
- In the Static Routes section, enter one of the following sets of settings, then click Add.
  - To restrict an individual AM server to the identity router management interface:
    - IP Address: <Authentication Manager Server IP Address>, for example 192.168.20.7
    - Network Mask: 255.255.255.255
    - Gateway: <Default Gateway for Identity Router Management Interface>, for example 10.10.10.1
    - Device: Private
  - To restrict a network containing all AM servers:
    - IP Address: <AM Server Network>, for example 192.168.20.0
    - Network Mask: <Network Mask for AM Server Network>, for example 255.255.255.128
    - Gateway: <Default Gateway for Identity Router Management Interface>, for example 10.10.10.1
    - Device: Private
- Click Next Step.
- Click Save and Finish.
- Repeat step 2 through step 6 for each identity router in your deployment.
- Click Publish Changes.
After you finish
A Super Admin for AM must Generate the AM Configuration File.
Generate the AM Configuration File
You need the AM configuration file to configure communication between your CAS deployment and AM. The Super Admin for AM uses the Security Console to generate a zip file (AM_Config.zip) that contains the AM configuration file, sdconf.rec. For a conventional authentication agent, you copy sdconf.rec to each agent host; for CAS, the Super Admin for CAS uploads it to the identity router. The sdconf.rec file contains a snapshot of the server topology as it was when the file was generated, and the agent uses that data as a backup, so the file must be regenerated and redistributed after the AM topology changes.
The generated zip file also contains a failover.dat file that can be configured on the agent. The failover.dat file allows agent auto-registration to complete when the primary instance is unavailable or separated from the agent host by a firewall that uses Network Address Translation (NAT). This file includes a list of the primary and replica instances, and their alias IP addresses.
Before you begin
- Make sure an agent is connected to AM.
- Review the configuration settings. See Configure Agent Settings.
Procedure
- In the Security Console, click Access > Authentication Agents > Generate Configuration File.
- In the Maximum Retries drop-down list, select the number of times you want the authentication agent or identity router to attempt to establish communication with AM before returning the message Cannot initialize agent - server communications.
- In the Maximum Time Between Each Retry drop-down list, select the number of seconds that you want to set between attempts by the authentication agent or identity router to establish communications with AM.
- Click Generate Config File.
- Click Download Now, and save AM_Config.zip to your local machine.
After you finish
If you are configuring an agent:
- Copy AM_Config.zip, containing the sdconf.rec file and the failover.dat file, to each agent host. The agent uses the data in the sdconf.rec file as a backup.
- Configure the agent with the new sdconf.rec file and if necessary, the failover.dat file. For instructions, see your agent documentation.
If you are configuring CAS, the Super Admin for CAS must unzip the AM_Config.zip file and upload the sdconf.rec file to the identity router. See Connect Your CAS Deployment to AM.
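Before the sdconf.rec from AM_Config.zip is handed to the Super Admin for CAS for upload, it is worth checking that the archive really is the flat two-member file the Security Console produces and not something that was renamed or tampered with in transit. The following Python, an added example that is not RSA's code, lists the archive members, refuses members with path components or unexpected names, and extracts only sdconf.rec. The sdconf.rec format itself is opaque to this example; the archive it builds for demonstration contains constructed placeholder bytes, not a real configuration.

```python
import io
import zipfile
from typing import Dict

# Members the Security Console places in AM_Config.zip; sdconf.rec is the one CAS needs.
EXPECTED_MEMBERS = {"sdconf.rec", "failover.dat"}
REQUIRED_MEMBER = "sdconf.rec"


def inspect_am_config(zip_bytes: bytes) -> Dict[str, int]:
    """Return {member name: uncompressed size} after checking AM_Config.zip is safe to unpack.

    Rejects members with directory components (zip path traversal), members outside the
    expected set, and archives that lack a non-empty sdconf.rec.
    """
    members: Dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # A genuine AM_Config.zip is flat; "../sdconf.rec" or "dir/sdconf.rec" is not.
            if "/" in name or "\\" in name or name in ("", ".", ".."):
                raise ValueError(f"refusing member with path components: {name!r}")
            if name not in EXPECTED_MEMBERS:
                raise ValueError(f"unexpected member in archive: {name!r}")
            members[name] = info.file_size
    if REQUIRED_MEMBER not in members:
        raise ValueError(f"{REQUIRED_MEMBER} missing; regenerate AM_Config.zip in the Security Console")
    if members[REQUIRED_MEMBER] == 0:
        raise ValueError(f"{REQUIRED_MEMBER} is empty")
    return members


def extract_sdconf(zip_bytes: bytes) -> bytes:
    """Return the raw sdconf.rec bytes, the only member the identity router upload needs."""
    inspect_am_config(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(REQUIRED_MEMBER)


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used here only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_am_config(sdconf: bytes, failover: bytes = b"") -> bytes:
    """Constructed stand-in for AM_Config.zip; real sdconf.rec content is opaque binary."""
    members = {"sdconf.rec": sdconf}
    if failover:
        members["failover.dat"] = failover
    return build_zip(members)


if __name__ == "__main__":
    sample = build_sample_am_config(b"\x00\x01constructed", b"primary,replica")
    print(inspect_am_config(sample))
    print(len(extract_sdconf(sample)), "bytes of sdconf.rec ready for upload")
```

The same checks apply when the file is copied to a conventional agent host: extract by member name rather than unpacking the whole archive, and treat any extra or oddly named member as a reason to regenerate the file from the Security Console.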
Connect Your CAS Deployment to AM
To use SecurID as an authentication method, the Super Admin for CAS must connect the CAS deployment to the AM server. These configuration settings allow all identity routers to communicate with AM. CAS supports AM versions 8.2 and higher.
Based on your IDR environment and AM deployment configuration, select one of the following connection methods:
- REST Connection (recommended)
- TCP Connection
Users can access cloud-protected resources using RSA authenticators managed in Authentication Manager (AM). The Identity Router (IDR) can use a REST-based MFA agent, rather than a TCP agent, to verify authentication with AM. As part of the transition to a REST agent, you can configure the connection to AM based on your current IDR environment and configuration state as follows:
- If all IDRs are upgraded to version 12.24.0.0.0 or later and a TCP agent connection exists, both TCP and REST agent configuration options are available. In this case, it is recommended to reconfigure the connection using the REST agent option.
- If one or more IDRs are not upgraded to version 12.24.0.0.0 or later and have an existing TCP agent connection, only the TCP agent configuration option is available. Therefore, upgrade the IDR to the latest version to enable transition to the REST agent.
- If no IDR is present or there is no existing TCP agent connection, only the REST agent option is available. You can configure the connection without an identity router; however, the Test Connection will fail unless at least one identity router is available.
To download complete integration instructions, see Integrating CAS and AM in Select an Integration Path for Authentication Manager and Cloud Access Service.
Before you begin
- You must be a Super Admin in the Cloud Administration Console for CAS.
- Confirm that your network allows outbound traffic from the identity router to the AM server on port 5500 for a TCP agent connection and, for a REST agent connection, on the SecurID Authentication API port configured in the Security Console.
- Confirm that a static route is configured to each AM server for each identity router in your deployment. For instructions, see Configure a Static Route to RSA Authentication Manager.
- A person with Super Admin privileges in AM must create an agent record in AM. If you did not do this, you must obtain the agent name and the location of the sdconf.rec file from the AM Super Admin.
- For AM versions earlier than 8.2 SP1, use the Operations Console to add the hostname and IP address for the identity router to the AM server hosts file. For identity routers in the Amazon cloud, add the private IP address. For on-premises identity routers, add the hostname and IP address of both the proxy and management interfaces. To view and modify the hosts file, sign into the Operations Console and click Administration > Network > Hosts File.
- If your identity router is configured to communicate with AM and the IDR SSO Agent is disabled, you need to upload your own certificate using My Account > Company Settings. For instructions, see Configure Company Information and Certificates.
- Deploy at least one identity router. For information, see Planning Your Identity Router Deployment and Installing and Configuring Identity Routers.
- Obtain the AM Root Certificate. For information, see Certificate for REST Agent Connection to Authentication Manager in Cloud Access Service Certificates.
- Your AM Administrator must ensure the SecurID Authentication API is enabled in the AM Security Console. See Configure the RSA SecurID Authentication API for Authentication Agents.
- Obtain the following details from your AM administrator:
  - AM primary instance hostname: The host name is the Fully Qualified Domain Name specified in the AM primary's Operations Console in Administration > Network > Appliance Network Settings. See Change the Primary Instance IPv4 Network Settings.
  - The AM SecurID Authentication API port number: This is the Communication Port specified in the Security Console in Setup > System Settings > RSA SecurID Authentication API. See Configure the RSA SecurID Authentication API for Authentication Agents.
  - AM replica instance hostnames: The hostname is the Fully Qualified Domain Name specified in each AM replica's Operations Console in Administration > Network > Appliance Network Settings. See Change the Replica Instance IPv4 Network Settings.
  - The Authentication Agent Name: This is a case-sensitive value. This is the Hostname of the agent configured for CAS in the AM Security Console in Access > Authentication Agents. See Deploying an Authentication Agent That Uses the REST Protocol. When creating that agent record, choose the following configuration options:
    - For Hostname, set a logical name for the agent.
    - IP address must not be set.
    - Agent type is Standard Agent.
    - Other settings can be left at their defaults.
Procedure
- In the Cloud Administration Console, click Platform > Authentication Manager.
- Click Configure Connection.
- Based on your IDR environment, select the appropriate connection option and complete the required fields in the Configuration Settings dialog box:
  - REST Agent (recommended option)
    - Authentication Agent Name: Enter the exact name your Authentication Manager (AM) administrator provides. It is case-sensitive.
    - Primary URL: Enter the URL in the format https://<AM_PRIMARY_INSTANCE_HOSTNAME>:<PORT>.
    - Replica URL(s) (optional): Click Add to enter a replica AM instance URL, if available, in the format https://<AM_REPLICA_INSTANCE_HOSTNAME>:<PORT>. Use the same PORT as the primary URL's port.
    - Access Key: Enter the access key your AM administrator provides.
    - Root certificate: Click Choose file and upload the DER-format certificate file provided by your AM administrator.
  - TCP Agent
    - In the Authentication Agent Name field, enter the exact name provided by your AM administrator.
    - To upload the sdconf.rec file, click Choose File and select the file.
- Click Save.
- Click Publish Changes to apply the settings to all identity routers in the deployment. You must publish before you test the connection, but remember that publishing applies these settings and all pending changes to all identity routers.
- Click Test Connection. A graphic shows the connection status for each configured identity router. If any components are not connected, investigate the cause.
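Most failed Test Connection results for the REST agent option come from input that the dialog accepts but AM rejects: a primary URL without an explicit port, a replica on a different port, an agent name with different case or trailing whitespace than the AM record, or a certificate saved as PEM when the dialog expects DER. The following Python, an added example and not RSA's code, performs those checks offline before anything is published to the identity routers and converts a PEM root certificate to the DER form the dialog wants. The hostnames, port 5555, access key and certificate bytes in it are constructed values for the example; the DER sample is a minimal ASN.1 SEQUENCE, not a real certificate, so only its structure is checked.

```python
import base64
import ssl
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def parse_am_url(url: str) -> Tuple[str, int]:
    """Validate an AM instance URL of the form https://<FQDN>:<PORT>; return (host, port)."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"{url}: scheme must be https")
    if parts.port is None:
        raise ValueError(f"{url}: the SecurID Authentication API port must be given explicitly")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError(f"{url}: only scheme, host and port are allowed")
    host = parts.hostname
    if not host or "." not in host:
        raise ValueError(f"{url}: host must be the FQDN shown in the AM Operations Console")
    return host, parts.port


def der_length(data: bytes) -> int:
    """Total length of the outer DER SEQUENCE in data, or -1 if it is not one."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_der_certificate(cert: bytes) -> bytes:
    """Return DER bytes for upload; convert a PEM file, reject anything that is not one SEQUENCE."""
    text = cert.decode("ascii", errors="ignore").strip()
    if text.startswith(PEM_HEADER):
        cert = ssl.PEM_cert_to_DER_cert(text)   # stdlib: strips the armour and base64-decodes
    if der_length(cert) != len(cert):
        raise ValueError("certificate is neither a PEM certificate nor a single DER SEQUENCE")
    return cert


def constructed_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour; used here to construct example input."""
    body = base64.encodebytes(der).decode("ascii")
    return f"{PEM_HEADER}\n{body}{PEM_FOOTER}\n"


def build_rest_agent_settings(agent_name: str, primary_url: str, access_key: str,
                              root_cert: bytes, replica_urls: Iterable[str] = ()) -> Dict:
    """Normalise and cross-check the REST Agent fields from the Configuration Settings dialog."""
    if not agent_name or agent_name != agent_name.strip():
        raise ValueError("agent name must match the AM agent record exactly (case-sensitive, no padding)")
    if not access_key.strip():
        raise ValueError("access key is required")
    host, port = parse_am_url(primary_url)
    replicas = []
    for r in replica_urls:
        r_host, r_port = parse_am_url(r)
        if r_port != port:                 # the dialog requires replicas on the primary's port
            raise ValueError(f"replica {r} uses port {r_port}; it must match the primary port {port}")
        replicas.append(f"https://{r_host}:{port}")
    return {
        "authentication_agent_name": agent_name,
        "primary_url": f"https://{host}:{port}",
        "replica_urls": replicas,
        "access_key": access_key,
        "root_certificate_der": to_der_certificate(root_cert),
    }


if __name__ == "__main__":
    sample_der = b"\x30\x03\x02\x01\x01"   # SEQUENCE { INTEGER 1 }: structural stand-in only
    settings = build_rest_agent_settings(
        "cas-idr-agent", "https://am-primary.example.com:5555", "constructed-access-key",
        constructed_pem(sample_der).encode(), ["https://am-replica1.example.com:5555"])
    print({k: v for k, v in settings.items() if k != "access_key"})
```

The structural DER check is deliberately shallow: it confirms the file is one ASN.1 SEQUENCE of the stated length, which separates DER from PEM, PKCS#7 bundles and truncated downloads, but it does not verify that the certificate is the AM root. That trust decision stays with whoever obtained the certificate from the AM administrator.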
After you finish
The Super Admin for CAS must make sure assurance levels and access policies are configured to require SecurID Token where appropriate. For more information, see Access Policies.