M-Tech Information Technology Inc. P-Synch/ID-Synch
RSA SecurID Ready Implementation Guide
Last Modified: April 4, 2008

Partner Information / Product Information
Partner Name: M-Tech Information Technology Inc
Web Site: www.mtechit.com
Product Name: P-Synch / ID-Synch
Version & Platform: P-Synch Version 6.X, ID-Synch 4.X (Windows 2003)
Product Description: P-Synch is a total password management solution that includes password synchronization, self-service reset, security policy enforcement, profile builders, and more. ID-Synch is an account provisioning extension that provides automated workflow and centralized control.
Product Category: Provisioning


Solution Summary

Partner Integration Overview
Authentication Methods Supported: Native RSA SecurID Authentication
List Library Version Used: 7.1
RSA Authentication Manager Name Locking *: Yes
RSA Authentication Manager Replica Support *: Full Replica Support
Secondary RADIUS Server Support: No
Location of Node Secret on Agent: \winnt\system32
RSA Authentication Agent Host Type: Standard Agent
RSA SecurID User Specification: All Users
RSA SecurID Protection of Administrative Users: No
RSA Software Token and SD800 Automation: No
Use of Cached Domain Credentials: No

* = Mandatory Function when using Native SecurID Protocols

P-Synch and ID-Synch integrate with RSA Authentication Server to provide a unified console to automate token provisioning, administration, and support processes. P-Synch enables users who experience a token-related problem, such as a forgotten PIN, clock drift, or a misplaced token, to resolve it through self-service. With P-Synch, users can reset their PIN, resynchronize their tokens, and obtain emergency access codes. This functionality is available from a web browser, from the workstation login prompt, or from a telephone. ID-Synch consolidates the token administration processes. The product:

• allows users or managers to requisition tokens;
• routes authorization requests;
• tracks approvals;
• manages physical inventories of tokens;
• allocates tokens to new users;
• enables newly assigned tokens;
• sends delivery instructions to the users that physically manage tokens.

All of this administration functionality is integrated into a larger user provisioning, management and de-provisioning system for RSA SecurID tokens.


Product Requirements

Partner Product Requirements: P-Synch Server
CPU: Pentium IV class or better x86
Memory: Minimum 256 MB RAM
Storage: Minimum 10GB SCSI Disk
Operating System Platform / Required Patches:
  Microsoft Windows 2000: All Patch Levels Supported
  Microsoft Windows 2003: All Patch Levels Supported

Partner Product Requirements: ID-Synch Server
CPU: Pentium IV class or better x86
Memory: Minimum 256 MB RAM
Storage: Minimum 10GB SCSI Disk
Operating System Platform / Required Patches:
  Microsoft Windows 2000: All Patch Levels Supported
  Microsoft Windows 2003: All Patch Levels Supported

Partner Product Requirements: Optional Proxy Server
CPU: Pentium IV class or better x86
Memory: Minimum 256 MB RAM
Storage: Minimum 10GB SCSI Disk
Operating System Platform / Required Patches:
  Microsoft Windows 2000: All Patch Levels Supported
  Microsoft Windows 2003: All Patch Levels Supported

Additional Software Requirements
Application / Additional Patches:
  RSA Authentication Agent 6.1 for Microsoft Windows: 6.1
  Java 2 Standard Edition 1.5
  IIS, Sun One, or Apache Web Server


Agent Host Configuration

To facilitate communication between the P-Synch / ID-Synch server(s) and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the P-Synch / ID-Synch server(s) within its database and contains information about communication and encryption.

To create the Agent Host record, you will need the following information:

• Hostname
• IP Addresses for all network interfaces

When adding the Agent Host record, you should configure the P-Synch / ID-Synch server(s) as a Standard Agent. This setting is used by the RSA Authentication Manager to determine how communication with the P-Synch / ID-Synch server(s) will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.


Partner Authentication Agent Configuration

Before You Begin

This section provides instructions for integrating the partner's product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Installation Prerequisites

• Before attempting the integration, you should have a fully working installation of P-Synch / ID-Synch and RSA Authentication Manager.

• An administrative account should be created within the RSA Authentication Manager. It will be used as the administrative ID when you configure the target on the P-Synch / ID-Synch server(s) (for example: psadmin).

• Ensure that an IIS, Sun One or Apache Web server is installed on your P-Synch / ID-Synch server(s). Install the RSA Authentication Agent on the Web server.

• Ensure that the Java 2 runtime environment version 5 is installed on your P-Synch / ID-Synch server(s), and that jvm.dll is in your system PATH.

• Ensure that the following jar files are installed on your P-Synch / ID-Synch server(s), and that the full path to each of these files is in the system CLASSPATH environment variable:

  o agtrsaam.jar
  o am-client.jar
  o ims-client.jar
  o weblogic.jar
  o iScreen-ognl-1-2-0.jar
  o commons-lang-2.2.jar
  o ognl-2.6.9.jar
  o commons-beanutils-1.7.0.jar
  o commons-logging-1.1.1.jar

• Reboot the P-Synch / ID-Synch server(s) after updating the system PATH and CLASSPATH environment variables.


• Determine the values for the Command API Client User ID and Password.

  o Run the following command (found in C:\Program Files\RSA Security\RSA Authentication Manager\utils):

      rsautil.cmd manage-secrets --action list

  o You will be prompted for the Master password for the RSA administrator. Enter this password when prompted.

  o From the list that is generated, find the following fields:

      Command API Client User ID
      Command API Client User Password

  o These values will be used when configuring the RSA Authentication Manager target in P-Synch and ID-Synch.

• Create a file called config.properties on the P-Synch or ID-Synch server. It should contain the following information:

      # JNDI factory class.
      java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory
      # Server URL(s). May be a comma separated list of URLs if running against a cluster
      # NOTE: Replace localhost with the hostname of the managed server
      java.naming.provider.url=t3://localhost:7011
      java.naming.provider.url=t3s://localhost:7002
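The CLASSPATH and config.properties prerequisites above can be checked before the target is created. The following Python script is an added example, not part of this guide or of M-Tech's product: the sample config and the hostname am-server.example.internal are constructed, the parser keeps the last duplicate key as java.util.Properties does, and the checks for a leftover localhost and for plain t3 (t3s being the TLS-protected WebLogic protocol) are the editor's additions.

```python
import ntpath

# Jar files the guide lists as mandatory on the P-Synch / ID-Synch CLASSPATH.
REQUIRED_JARS = ("agtrsaam.jar", "am-client.jar", "ims-client.jar", "weblogic.jar",
                 "iScreen-ognl-1-2-0.jar", "commons-lang-2.2.jar", "ognl-2.6.9.jar",
                 "commons-beanutils-1.7.0.jar", "commons-logging-1.1.1.jar")

# Constructed sample config.properties modelled on the guide's template (hostname is made up).
SAMPLE_CONFIG = """\
# JNDI factory class.
java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory
# Server URL(s). May be a comma separated list of URLs if running against a cluster
java.naming.provider.url=t3s://am-server.example.internal:7002
"""

def missing_jars(classpath, required=REQUIRED_JARS):
    """Return the required jars whose path is absent from a ';'-separated Windows CLASSPATH."""
    present = {ntpath.basename(e.strip()).lower() for e in classpath.split(";") if e.strip()}
    return [jar for jar in required if jar.lower() not in present]

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, last duplicate key wins."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_config_properties(text):
    """Validate the JNDI settings the RSA AM target needs; returns findings (empty list = OK)."""
    props, findings = parse_properties(text), []
    if props.get("java.naming.factory.initial") != "weblogic.jndi.WLInitialContextFactory":
        findings.append("java.naming.factory.initial must be weblogic.jndi.WLInitialContextFactory")
    urls = [u.strip() for u in props.get("java.naming.provider.url", "").split(",") if u.strip()]
    if not urls:
        findings.append("java.naming.provider.url is missing")
    for url in urls:
        scheme, sep, hostport = url.partition("://")
        if not sep or scheme not in ("t3", "t3s"):
            findings.append(f"{url}: expected a t3:// or t3s:// WebLogic URL")
        elif scheme == "t3":
            findings.append(f"{url}: plain t3; t3s is the TLS-protected variant")
        if hostport.split(":")[0] == "localhost":
            findings.append(f"{url}: replace localhost with the managed server hostname")
    return findings
```

Run check_config_properties on the contents of the real config.properties and missing_jars on the value of %CLASSPATH% on the P-Synch / ID-Synch server; an empty result from both means the file and the jar list match what the guide requires.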

Solution Documentation

RSA SecurID functions provided by P-Synch / ID-Synch:

P-Synch Functions:
• Self-service password resets
• Self-service RSA SecurID token management operations: enable, disable, PIN clear, PIN set, resynchronize, toggle between Emergency Access mode and out
• Administrative / help desk password resets

ID-Synch Functions:
• Provision new RSA SecurID tokens
• Un-assign RSA SecurID tokens
• Assign another RSA SecurID token
• Enable/Disable RSA SecurID tokens

Configuration Steps required to enable RSA SecurID provisioning via P-Synch / ID-Synch:

1. Create a new RSA Authentication Manager target on the P-Synch / ID-Synch server.
2. Sample target address:

   C:\rsaconfig\config.properties/SystemDomain   (<path_to_config.properties> / <Realm>)

   The path to the config.properties file refers to the file that was created in the Installation Prerequisite steps.


3. Set the RSA Authentication Manager administrative ID / password created in the “Before You Begin” section.
4. The user ID and password defined for the Command API Client User ID and the Command API Client User Password that were generated from the rsautil command must also be entered as a System ID.
5. Optionally, create inventory type / location / templates / roles for provisioning new users.


Example RSA SecurID / P-Synch / ID-Synch logon screens:

[Screenshot: ID-Synch Self-Service Login]

6. Enter your RSA SecurID login ID.
7. Enter your RSA SecurID passcode.
8. Use the self-service interface to reset and manage your RSA SecurID tokens.

[Screenshot: P-Synch Self-Service Interface]


Certification Checklist Date Tested: April 4, 2008

Certification Environment

Product Name                 Version Information              Operating System
RSA Authentication Manager   RSA Authentication Manager 7.1   Windows 2003
RSA Authentication Agent     RSA Authentication Agent 6.1     Windows 2003
RSA Software Token           RSA SecurID SID800
                             RSA Software Token               Windows 2003
Partner Product              P-Synch 6.x and ID-Synch 4.x

Mandatory Functionality               RSA Native Protocol                  RADIUS Protocol
New PIN Mode
  Force Authentication After New PIN  Force Authentication After New PIN   N/A
  System Generated PIN                System Generated PIN                 N/A
  User Defined (4-8 Alphanumeric)     User Defined (4-8 Alphanumeric)      N/A
  User Defined (5-7 Numeric)          User Defined (5-7 Numeric)           N/A
  User Selectable                     User Selectable                      N/A
  Deny 4 and 8 Digit PIN              Deny 4 and 8 Digit PIN               N/A
  Deny Alphanumeric PIN               Deny Alphanumeric PIN                N/A
PASSCODE
  16 Digit PASSCODE                   16 Digit PASSCODE                    N/A
  4 Digit Password                    4 Digit Password                     N/A
Next Tokencode Mode
  Next Tokencode Mode                 Next Tokencode Mode                  N/A
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)            Failover                             N/A
  Name Locking Enabled                Name Locking Enabled
  No RSA Authentication Manager       No RSA Authentication Manager        N/A

PAR/MRL = Pass   = Fail   N/A = Non-Available Function
