SecurID® Discussions
twinturbo
Contributor

Limiting access to Authentication Manager (Operations Console and SSH)

Is there a simple way to limit access to Authentication Manager (Operations Console and SSH) to a single IP of a jump server, and prevent the rest of the network from accessing the consoles?

Thanks


Rob

5 Replies
EricaChalfin
Moderator

@twinturbo,

I moved your post to the SecurID Access discussions space where it will be seen by customers, partners and our support team. Be sure to bookmark the page and come back often to see new content and ask questions.

Welcome to the RSA community!

There is no configuration on the Authentication Manager server that would restrict access to the administration consoles or to SSH by IP address. This is something you should discuss with your network team.

Edited to add*: An option would be to create additional Operations Console administrators within the Security Console. This would provide repudiation for user logins that can be tracked.

  1. Create a home directory for a new user, e.g. mkdir /home/OSadmin
  2. Use useradd (useradd OSadmin -d /home/OSadmin -G rsaadmin)
  3. Update /etc/ssh/sshd_config, change 'AllowUsers rsaadmin' to 'AllowUsers rsaadmin OSadmin'
  4. Update /etc/sudoers to add a user privilege specification for the user to match rsaadmin, e.g. OSadmin ALL = (ALL) ALL, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.sh, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.py

* Edits thanks to @JayGuillette


Best regards,
Erica
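As an added example of the AllowUsers step (this is not code from the thread or from RSA), a small POSIX shell script that adds a second OS administrator to the sshd allow-list without duplicating it and without dropping rsaadmin; the config path and the user name OSadmin are assumptions, and a later appliance patch may still overwrite the file, as noted further down the thread.

```shell
#!/bin/sh
# Added example: extend the sshd AllowUsers allow-list so a second OS admin
# (OSadmin, assumed name) can log in beside rsaadmin. Work on a copy of
# /etc/ssh/sshd_config first and run `sshd -t` before restarting sshd.
set -eu

# user_allowed CONFIG USER : succeed if USER is on an uncommented AllowUsers line.
user_allowed() {
    grep -E '^[[:space:]]*AllowUsers[[:space:]]' "$1" \
        | tr -s '[:blank:]' '\n' | grep -qx "$2"
}

# allow_user CONFIG USER : add USER to the AllowUsers line in CONFIG.
#  - keeps a backup at CONFIG.bak before touching the file
#  - leaves the file unchanged when USER is already listed
#  - adds an AllowUsers line when the file has none (sshd's default is to
#    allow every account, so creating the list tightens access)
#  - rewrites in place with cat so the file's owner and mode are preserved
allow_user() {
    cfg=$1; user=$2
    cp -p "$cfg" "$cfg.bak"
    if user_allowed "$cfg" "$user"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*AllowUsers[[:space:]]' "$cfg"; then
        sed -E "s/^([[:space:]]*AllowUsers[[:space:]]+.*[^[:space:]])[[:space:]]*$/\1 $user/" \
            "$cfg" > "$cfg.tmp"
        cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
    else
        printf 'AllowUsers %s\n' "$user" >> "$cfg"
    fi
}

# Constructed sample resembling the appliance line quoted in the thread.
demo() {
    tmp=$(mktemp)
    printf 'PermitRootLogin no\nAllowUsers rsaadmin\n' > "$tmp"
    allow_user "$tmp" OSadmin
    grep '^AllowUsers' "$tmp"      # AllowUsers rsaadmin OSadmin
    rm -f "$tmp" "$tmp.bak"
}

demo
```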

OK, so other than putting it behind a firewall and restricting ports 7002/7004/22, there is no built-in option?

No software firewall?

I could potentially use TCP Wrappers for SSH but don't think that will work for the Operations Console.

JayGuillette
Apprised Contributor

Authentication Manager is an appliance and it has SUSE Enterprise Linux as the OS, which includes iptables, so there is the potential to modify them to accomplish what you want. Because it is a Security Appliance we recommend against manual modifications to the OS and other components. There is no guarantee that a patch would not overwrite your iptables modification, and a high likelihood that the patch would overwrite changes to iptables.

The Security philosophy is basically keep things limited and simple, so that the Security profile/surface attack area is as small as it can be. This includes not treating the AM appliance like a server, controlling modifications through the AM patch process. As Erica pointed out, we do support user ACLs on SSH (and Ops Console) access via a modification to Linux with adduser and passwd for SSH (Ops Console user IDs and passwords are configurable in the Security Console).

Is it possible to have a management interface separate from the one providing the authentication?


Thanks


Rob

JayGuillette
Apprised Contributor

There is an Admin SDK which is part of the extras folder in the AM 8.x software downloads.

https://community.rsa.com/t5/securid-knowledge-base/configure-rsa-authentication-manager-8-x-software-developer-kit/ta-p/2326

You could write your own Administration console app, to customize it.

Another option is AM Prime, aka AMIS (Auth Manager Integration Server).  It kind of runs on top of Authentication Manager to provide more granularity and customization in both Administration (Help Desk Admin Portal, HDAP) and Self-Service (Self-Service Portal). This product was originally developed by RSA Professional Services. Many customers use this in a variety of ways.

https://community.rsa.com/t5/securid-prime/gh-p/securid-access-prime

Prime AMIS Developer's Guide

https://community.rsa.com/t5/securid-prime/external-developer/ta-p/563103

Prime Kit quick setup guide

https://community.rsa.com/t5/securid-prime/rsa-securid-access-primekit-quick-install-guide/ta-p/522427
