Configure an RSA one-time password mechanism

A one-time password is valid for one session or login. To use RSA as a mechanism, we must have RSA Authentication Manager. The server and the client generate the passwords with the same algorithm.

Complete the following steps.

  1. On your RSA server, generate the following files:

      sdconf.rec
      The configuration file for connecting to the RSA Authentication server.

      sdopts.rec
      The configuration properties file that contains optional configurations for load balancing.

  2. See your RSA Authentication server documentation for details on creating these files and use the following guidelines:

    • On the appliance, specify an Agent Network Interface. See Agent Network Interface in step 8. If you connect the RSA server to the appliance using an application network interface with multiple IP addresses, list all the IP addresses in the Alternate IPs box on the RSA server.
    • For Agent type, choose Standard.
    • Agent Auto-Registration must be enabled when the first RSA one-time password authentication is performed. We can disable it after the first successful authentication is completed.

    The RSA one-time password mechanism does not support replication of the RSA session information through the cluster environment. The session information is local to each cluster node and the environment must be configured to enforce session affinity between the client and the cluster node.

  3. Move or copy the generated files from the RSA server to the appliance.

This task describes the steps and properties for configuring an RSA mechanism. For information about configuring other providers, see:

Steps

  1. Log in to the local management interface.

  2. Click AAC.

  3. Under Policy, click Authentication.

  4. Click Mechanisms.

  5. Click RSA One-time Password.

  6. Click Modify.

  7. Click the Properties tab.

    1. Select a property to configure.

    2. Click Modify.

    3. Enter the value for that property.

    4. Click OK.

  8. Take note of the properties for the mechanism.

      Agent Network Interface
      The name of the network interface the RSA Agent is using to connect to the RSA server.

      Required: Yes

      Data type: String

      Valid interface values:

      • 1.1
      • 1.2
      • 1.3
      • 1.4

      If we are using the RSA mechanism in a cluster environment and use an application interface with multiple IP addresses defined for that interface, use the RSA console to add all of those IP addresses to the whitelist. See the RSA documentation for information about adding IP addresses to the whitelist.

      Example: 1.1

      Server Exchange Initial Timeout
      The initial timeout coefficient in milliseconds used to calculate the timeout of the request.

      Required: No

      Data type: Integer

      Example: 1000

      Server Exchange Timeout Offset
      The offset timeout coefficient in milliseconds used to calculate the timeout of the request.

      Required: No

      Data type: Integer

      Example: 200

      Server Exchange Timeout Increment
      The increment coefficient in milliseconds used to calculate the timeout of the request.

      Required: No

      Data type: Integer

      Example: 100

      Event Log Level
      The minimum event level to be logged. Events below the level specified in this property are not logged. The events in order from lowest level to highest are:

      1. OFF
      2. DEBUG
      3. INFO
      4. WARN
      5. ERROR
      6. FATAL

      Required:

      Data type: String

      Example: INFO. If this property is set to INFO, DEBUG events are not logged.

      Enable Debug Tracing
      The property that enables debug tracing.

      Required: No

      Data type: Boolean

      Example: FALSE. If set to FALSE, debug tracing is not enabled.

      Trace Function Entries
      The property that enables tracing of function entries.

      Required: No

      Data type: Boolean

      Example: FALSE. If set to FALSE, function entries are not traced.

      Trace Function Exits
      The property that enables tracing of exits.

      Required: No

      Data type: Boolean

      Example: FALSE. If set to FALSE, exits are not traced.

      Trace Flow Statements
      The property that enables tracing of flow statements.

      Required: No

      Data type: Boolean

      Example: FALSE. If set to FALSE, flow statements are not traced.

      Trace Regular Statements
      The property that enables tracing of regular statements.

      Required: No

      Data type: Boolean

      Example: FALSE. If set to FALSE, regular statements are not traced.

      Trace Location
      The property that enables the class name and line number to be displayed in the trace.

      Required: No

      Data type: Boolean

      Example: FALSE. If set to FALSE, class name and line number are not displayed.

      Session Timeout
      The length of time, in seconds, that a connection to the RSA Authentication Manager server remains open before it times out when a user attempts to authenticate.

      Required: No

      Data type: Integer

      Example: 1800

  9. Click the Agent Files tab.

  10. Select the file in the table that corresponds to the file you generated on the RSA server.

  11. Click Upload to upload the file or Clear to remove the contents of the selected file. The status area indicates one of three statuses:

      Not uploaded
      Upload is not completed.

      Last upload date
      Upload was completed on date indicated.

      Auto-generated
      The SecurID file was automatically generated instead of uploaded.

    Repeat this step until all of your files have been uploaded to the appliance.

  12. Click Save.
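
A pre-deployment check for the property set described in step 8 and the agent files from step 1, written as an added example rather than taken from the product documentation. Property names and their valid values follow this page; the dictionary layout, the function name and the `production` flag are assumptions of the example.

```python
# Added example, not from the product documentation: a lint for the RSA one-time
# password mechanism properties (step 8) and the agent files (step 1). Property
# names and valid values follow the page; the layout and `production` flag are assumed.

VALID_INTERFACES = {"1.1", "1.2", "1.3", "1.4"}
LOG_LEVELS = ("OFF", "DEBUG", "INFO", "WARN", "ERROR", "FATAL")
REQUIRED_AGENT_FILES = {"sdconf.rec", "sdopts.rec"}
INTEGER_PROPS = ("Server Exchange Initial Timeout", "Server Exchange Timeout Offset",
                 "Server Exchange Timeout Increment", "Session Timeout")
TRACE_PROPS = ("Enable Debug Tracing", "Trace Function Entries", "Trace Function Exits",
               "Trace Flow Statements", "Trace Regular Statements", "Trace Location")


def lint_rsa_otp_config(props, uploaded_files, production=True):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; an empty list is clean."""
    findings = []
    # Agent Network Interface is the only required property and has a fixed value set.
    iface = props.get("Agent Network Interface")
    if iface not in VALID_INTERFACES:
        findings.append(f"ERROR: Agent Network Interface {iface!r} must be one of "
                        f"{sorted(VALID_INTERFACES)}")
    # The timeout coefficients and the session timeout are optional positive integers.
    for name in INTEGER_PROPS:
        if name in props:
            try:
                if int(props[name]) <= 0:
                    findings.append(f"ERROR: {name} must be positive, got {props[name]!r}")
            except (TypeError, ValueError):
                findings.append(f"ERROR: {name} must be an integer, got {props[name]!r}")
    level = props.get("Event Log Level")
    if level is not None and level not in LOG_LEVELS:
        findings.append(f"ERROR: Event Log Level {level!r} must be one of {list(LOG_LEVELS)}")
    # Trace/debug switches are troubleshooting aids; flag any left TRUE on a production node.
    if production:
        for name in TRACE_PROPS:
            if str(props.get(name, "FALSE")).strip().upper() == "TRUE":
                findings.append(f"WARN: {name} is TRUE; reset to FALSE once troubleshooting is done")
    # Both generated agent files must have been uploaded (step 11) for the mechanism to work.
    missing = REQUIRED_AGENT_FILES - set(uploaded_files)
    if missing:
        findings.append(f"ERROR: agent files not uploaded: {sorted(missing)}")
    return findings


# Constructed sample mirroring the example values given on the page.
SAMPLE_PROPS = {"Agent Network Interface": "1.1", "Server Exchange Initial Timeout": "1000",
                "Server Exchange Timeout Offset": "200", "Server Exchange Timeout Increment": "100",
                "Event Log Level": "INFO", "Enable Debug Tracing": "FALSE", "Session Timeout": "1800"}

if __name__ == "__main__":
    print(lint_rsa_otp_config(SAMPLE_PROPS, ["sdconf.rec", "sdopts.rec"]) or "clean")
```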


What to do next

When configuring the mechanism, a message indicates that changes are not deployed. Deploy changes when we are finished. For information, see Deploying pending changes.
