SecurID^® Knowledge Base

Yes

Article Number

000034091

Applies To

RSA Product Set : SecurID
RSA Product/Service Type : RSA Authentication Manager
RSA Version/Condition: 8.1 or later

Issue

There is a requirement to use SecurID two-factor authentication on the Vormetric Data Security Manager (DSM) administrative web console.

The real-time authentication activity monitor is reporting "Authentication Method Failed" when performing a SecurID authentication with correct credentials on the Vormetric administrative web console .

Resolution

RSA has a certification program to assure customers on leading products and their interoperability with RSA products. Customers can search the EMC Technology Partner Program called RSA Ready to look at what third-party products have gone through certification.

RSA has posted a Vormetric Data Security Manager(DSM) integration guide, however this is in reference to RSA Authentication Manager 7.1 and Vormetric Data Security Manager 5. The Vormetric Data Security Manager 5.x uses the RSA Authentication Agent 8.1 API/SDK for Java and the SecurID configuration files are located in the /opt/vormetric/coreguard/server/config/rsa directory.

File permissions of the files found in the /opt/vormetric/coreguard/server/config/rsa directory are as follows:


-rw-r--r--  1 voradmin db2grp1    nnn mmm dd hh:mm rsa_api.properties
-rw-r--r--  1 voradmin db2grp1    nnn mmm dd hh:mm sdconf.rec
-rw-r--r--  1 voradmin db2grp1    nnn mmm dd hh:mm securid

where,

nnn refers to the file size
mmm represents the month e.g. Sep

dd represents the day

hh:mm represents the time in hours and minutes

Vormetric Technical Support has a procedure to generate a one time dynamic root password to access the operating system hosting the Vormetric DSM which allows an administrator to update the /opt/vormetric/coreguard/server/config/rsa/rsa_api.properties file so an additional configuration file called sdopts.rec that is used by Authentication Manager can be used.

Vormetric Technical Support can also be contacted for information on how to use the CLI commands to manage the node secret (securid) file; for those times where a node secret mismatch occurs.

Contents of the default /opt/vormetric/coreguard/server/config/rsa/rsa_api.properties file:


SDNDSCRT_TYPE=FILE
RSA_LOG_TO_CONSOLE=YES
SDOPTS_TYPE=FILE
RSA_DEBUG_FLOW=YES
RSA_CONFIG_READ_INTERVAL=600
RSA_DEBUG_LOCATION=YES
RSA_DEBUG_NORMAL=YES
RSA_AGENT_HOST=n.n.n.n
SDOPTS_LOC=
SDSTATUS_TYPE=FILE
RSA_DEBUG_TO_FILE=NO
RSA_LOG_TO_FILE=NO
RSA_ENABLE_DEBUG=YES
SDCONF_TYPE=FILE
RSA_DEBUG_EXIT=YES
RSA_DEBUG_TO_CONSOLE=YES
RSA_LOG_LEVEL=DEBUG
SDCONF_LOC=/opt/vormetric/coreguard/server/config/rsa/sdconf.rec
SDSTATUS_LOC=JAStatus.1
RSA_DEBUG_ENTRY=YES
RSA_LOG_FILE=/tmp/rsa_api_event.log
RSA_DEBUG_FILE=/tmp/rsa_api_debug.log
SDNDSCRT_LOC=/opt/vormetric/coreguard/server/config/rsa/securid

where,
n.n.n.n is the IP address of the Vormetric DSM (e. g., the IP address of eth0).

An administrator with the root access can update the /opt/vormetric/coreguard/server/config/rsa/rsa_api.properties file to use an sdopts.rec file (highlighted below in the SDOPTS_LOC line).


SDNDSCRT_TYPE=FILE
RSA_LOG_TO_CONSOLE=YES
SDOPTS_TYPE=FILE
RSA_DEBUG_FLOW=YES
RSA_CONFIG_READ_INTERVAL=600
RSA_DEBUG_LOCATION=YES
RSA_DEBUG_NORMAL=YES
RSA_AGENT_HOST=n.n.n.n
SDOPTS_LOC=/opt/vormetric/coreguard/server/config/rsa/sdopts.rec
SDSTATUS_TYPE=FILE
RSA_DEBUG_TO_FILE=NO
RSA_LOG_TO_FILE=NO
RSA_ENABLE_DEBUG=YES
SDCONF_TYPE=FILE
RSA_DEBUG_EXIT=YES
RSA_DEBUG_TO_CONSOLE=YES
RSA_LOG_LEVEL=DEBUG
SDCONF_LOC=/opt/vormetric/coreguard/server/config/rsa/sdconf.rec
SDSTATUS_LOC=JAStatus.1
RSA_DEBUG_ENTRY=YES
RSA_LOG_FILE=/tmp/rsa_api_event.log
RSA_DEBUG_FILE=/tmp/rsa_api_debug.log
SDNDSCRT_LOC=/opt/vormetric/coreguard/server/config/rsa/securid

where,
the contents of the /opt/vormetric/coreguard/server/config/rsa/sdopts.rec file is:


CLIENT_IP=n.n.n.n

where,
n.n.n.n is the IP address of the Vormetric DSM (e.g., the IP address of eth0) and matches the IP address used in the authentication agent record that was created in the Security Console.

A restart of the Vormetric Data Security Manager is required to read the updated /opt/vormetric/coreguard/server/config/rsa/rsa_api.properties file and make use of the sdopts.rec.

Notes

Table showing the SecurID configuration files used by an authentication agent

Filename	Description
sdconf.rec	Configuration record providing the IP addresses of the Authentication Manager instances in the deployment. Generated in the Security Console. Select Access > Authentication Agents > Generation Configuration File. Click the Generate Config File button. Click the Download_Now link to obtain the AM_Config.zip that contains the sdconf.rec.
securid	The ode secret file used to encrypt communication between the authentication agent and Authentication Manager. This is created dynamically during the first authentication attempt.
JAStatus.1	Created by the agent and contains the list of available Authentication Manager instances and time response related information. Should this file get deleted, the authentication agent will recreate this file on the next authentication
sdopts.rec	Contains the value of CLIENT_IP=<IP address>, used as the IP address override. Page 82 of the RSA Authentication Agent 7.3.1 for Microsoft Windows Installation and Administration Guide provides some information on the CLIENT_IP parameter used in the sdopts.rec file.

SecurID^® Knowledge Base

Integrating Vormetric Data Security Manager with RSA Authentication Manager 8.x

Article Number

Applies To

Issue

Resolution

Notes

In this article

SecurID® Knowledge Base

Integrating Vormetric Data Security Manager with RSA Authentication Manager 8.x

Article Number

Applies To

Issue

Resolution

Notes

In this article

Related Content

SecurID^® Knowledge Base