Connecting the world…

7.1

RSA 7.1 with On-Demand

RSA token security provides a way to strengthen the security on public services. Token authentication is most often implemented with hardware tokens. RSA 7.1 has additional methods of token authentication besides the hardware tokens:

  • Token delivery by SMS;
  • Token delivery by e-mail;

To enable the above features you have to install at least RSA 7.1 and obtain a On-Demand license, like shown below:

rsa-od-lic

Next I will show you how to configure token authentication for the delivery of tokens through SMS and e-mail. My test environment contains a RSA Authentication Manager 7.1 with RADIUS server installed on a Windows 2003 R2 server under VMware. The RSA server has a LDAP mapping to Active Directory for authenticating users.

E-MAIL

The first method explained is configuring RSA to deliver tokens to an e-mail address. The first step is configuring a SMTP server on the RSA server. In this scenario I create a SMTP connection to a Windows Exchange 2003 server. rsa-od-mailIn the Security Console, navigate to Setup – Instances and edit the instance you would like to use for the SMTP connection.

In the SMTP setup you need to configure the Hostname of the SMTP server and a “from” e-mail address. Some SMTP servers require authentication to use them as relay server. If your SMTP server requires authentication you can configure the appropriate user credentials. In my situation I only need to deliver mail to the @booches.nl domain, so I don’t need to configure authentication or assign relay rights to the RSA server on the Exchange server. If you would like to deliver e-mail to domains outside your mail environment, you have to configure authentication or relay access for the RSA server.

rsa-od-ena-mail After configuring the SMTP server you have to enable the ability to deliver token codes by e-mail. Navigate to Setup – Component Configuration – Authentication Manager – On-Demand Tokencodes in the Security Console. Enable the option “Delivery by E-mail” and choose the User Attribute to Provide E-mail Destination. This User Attribute is obtained by default through LDAP. In my scenario I use the e-mail field within Active Directory to obtain the specific e-mail address from a user.

rsa-od-user-mail From now on you can enable the usage of e-mail token delivery to your users. To accomplish this navigate to Identity – Users – Manage Existing and search for a specific user. Go to Security Tokens for the specific user and enable “On-Demand Tokencodes” and the specific settings, like shown in the picture. I configured an initial PIN for the user. The user should be able to obtain a token code through SMS via the Self-Service console. This portal can be reach via the URL: https://<ip address / FQDN RSA server>:7004/console-selfservice.

On-Demand token codes have a PIN code associated to the delivered token code. This PIN code is different from the PIN code of normal hardware tokens. I normally enable the On-Demand feature for a user and specify the first initial PIN code. After the user logs in with this PIN code, the PIN code needs to be changes. There are two ways of doing this:

  1. The user automatically receives a new PIN code, which is generated by the RSA server;
  2. The user has the option to manually specify a new PIN code;

rsa-od-token-policy Most often system engineers let the customers choose there own PIN code. Toggling between both settings is possible by changing the Token Policy. Changing the Token Policy is possible by navigating to Authentication – Policies – Token Policies.

SMS

To configure SMS token delivery you need some kind of method to send SMS messages. RSA and Clickatell have partnered to enable delivery of SecurID tokencodes to mobile devices via SMS/text. RSA Authentication 7.1 has a build-in method for delivering SMS messages through Clickatell. Click here to obtain more info about the partnership between RSA and Clickatell and how to register a (trial) Clickatell account.

The first step is to link a User Attribute from the Active Directory to RSA. This User Attribute contains the phone number for delivering the SMS. To such link navigate to Identity – Identity Attribute Definition – Add New.

rsa-od-mobile-link

Within Active Directory you can configure multiple Telephone numbers for a user. Because the SMS is sent to the users mobile phone, I enter the appropriate phone number under the mobile Telephone number of the users.

The picture shows how to configure the the User Attribute mapping. The Attribute Name is a user friendly name to identify the mapping. I choose Personal as Category and the Entry Type is optional. The users mobile phone number is displayed under Personal when editing the user.

The Identity Source Mapping defines the LDAP attribute to use for obtaining the mobile phone number from the user. This value has to be exactly the same as the LDAP value for the mobile phone number in Active Directory. I use Softerra’s LDAP browser to obtain this value from Active Directory. Softerra LDAP browser is a useful tool for browsing LDAP directories.

rsa-od-sms

The configuration of the SMS service provider can be found under Setup – Component Configuration – Authentication Manager – On-Demand Tokencodes.

You need to enable the option “Delivery by SMS”, choose the previously configured User Attribute, select your country code and provide the credentials for your Service Provider.

You can now switch between token code delivery by e-mail and SMS. A user has the option to choose the preferred delivery method via the Self-Service console. Users need access to the Self-Service console to request a token code. The Self-Service portal needs to be securely published to the internet. This can be achieved by using a reverse proxy or some comparable solution. The following PDF contains a quick howto for publishing the RSA environment securely to the internet.

eSafe Gateway 7.1 Forwarding Proxy with squid

My colleague over at PBSPlaza wrote a nice article about enabling squid on eSafe Gateway 7.1 Forwarding Proxy. Today I had to configure an extra step to enable squid. I followed the instructions from my colleague, but when I tried to start squid I received the following error message.

FATAL: Could not determine fully qualified hostname.  Please set ‘visible_hostname’

Squid Cache (Version 2.6.STABLE18): Terminated abnormally.
CPU Usage: 0.030 seconds = 0.000 user + 0.030 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 244
Aborted

I added the following line to /opt/eproxy/etc/squid.conf:

visible_hostname mail.booches.nl

Now squid starts perfectly

RSA 7.1 supported under ESX 3.5

More and more people would like to implement OTP (One Time Password) solutions. RSA is one of multiple vendors for OTP solutions. I also notice the wish to implement and support OTP with on-demand tokens, like SMS and e-mail.

RSA supports on-demand tokens, but the minimum RSA Authentication Manager version required is 7.1. Not only on-demand tokens, but also virtualization (like VMware) is very hot. For a long time, RSA 7.1 was only supported on physical servers. Running RSA 7.1 on a physical server doesn’t always perform very well, especially compared to RSA 6.1. This version performs well on a physical server as well on a virtual server.

RSA Authentication Manager 7.1 is now supported under VMware ESX server, hosting 3.5. You can check all supported platforms on the RSA website.

I guess I have to install this version under ESX to see how it performs, but maybe someone can tell me their own experience….

RSA Authentication Manager 7.1 on VMware

I had to install and configure RSA Authentication Manager 7.1. Looking at the Supported Platforms I couldn’t find VMware ESX as supported platform. VMware ESX was supported for RSA AU6.1. So I thought by myself, let’s give it a try. What I noticed first was the size of the installer. The installation file for RSA AM 7.1 is about 2.5Gb, which I think is a lot compared to the 300Mb for RSA AM 6.1.

I installed a server with the following specs:

  • 2 x Intel Xeon 2.0 Ghz processor
  • 2Gb of RAM
  • 60 Gb partition, solely for RSA
  • 2Gb Paging file

The installation of RSA Authentication Manager 7.1 took 1,5 hours to install, so I really started doubting the installation under VMware. After the installation I wasn’t able to open the management console, which runs webbased in this new version. To be sure, I restarted the server after the installation. Now it took 45 minutes to pass the Applying computer settings and Applying personal settings.

I called RSA and the engineer told me that there are no known issues for running RSA Authentication Manager 7.1 under VMware. The only important thing he told me was the usage of 4Gb RAM and a 4GB Paging file, when running under VMware. I upgraded the memory from 2Gb RAM to 4GB RAM and I configured two 4Gb paging files.

You maybe already guess the following lines of text, but the upgrade didn’t work out. The boot process still took approximately 45 minutes. After booting the server, the performance was really bad. The memory usage was steadily running on 4.2 Gb!!!!

I called RSA a second time and the next engineer took my doubts away. The told that RSA Authentication Manager 7.1 is NOT OFFICIALE supported by RSA. The performance problems are probably caused by the new Oracle database and the different Java instances, which are running on the server. Because RSA had to run in a virtual environment, I downloaded RSA AM 6.1. The installation AND configuration of the complete environment took about 2 hours.

So at the time of writing this blog post:

DO NOT INSTALL RSA AUTHENTICATION MANAGER 7.1 UNDER VMWARE!!!!

ADD ON August 15th 2009

RSA 7.1 is now supported under ESX 3.5. Check the updated article on this matter.

Maybe you also want to check this article about configuring On-Demand with RSA 7.1.