This section describes how to use the SecurID ACE/Server resource adapter. It is organized into the following sections:

Because the RSA C API on UNIX is not supported, enabling pass-through authentication with the SecurID ACE/Server UNIX adapter is not a straightforward process. Pass-through authentication on this adapter requires the following chain of interactions between components:

```text
Identity Manager <--> SecurID Unix Resource Adapter <--> SecurID Windows Adapter <--> Sun Identity Manager Gateway <--> RSA ACE Agent for Windows <--> RSA UNIX Server
```
Note the following configuration and implementation points when enabling pass-through authentication with the SecurID ACE/Server UNIX adapter:

- The Sun Identity Manager Gateway and the RSA ACE Agent Host must reside on the same Windows host. See the Resource Configuration Notes section for more information.
- If the UNIX RSA server lists itself as a client, the account used to authenticate users must be defined on the UNIX resource. See the Resource Configuration Notes section for more information.
- You must specify a value for the ACE Server Authentication Resource resource parameter in the SecurID ACE/Server UNIX adapter. This value must match the resource name of a valid SecurID ACE/Server (for Windows) adapter.
- SecurID's authentication policies require that the UNIX SecurID server be aware of the RSA ACE Agent for Windows. The sdconf.rec file must be present and correctly configured on the Windows host.
- The RSA ACE Agent for Windows must be activated for users attempting to use pass-through authentication.
- Identity Manager must be configured to use the SecurID ACE/Server or SecurID ACE/Server UNIX login module.
- Candidate users for authentication must be configured with an Identity Manager role and organization.
The default schema map for both SecurID resource adapters is set up to allow the administrator to specify one token. If you are using the SecurID User Form provided in the InstallDir\samples\forms directory, perform the following steps to enable up to three tokens.

1. Edit the following section of the SecurID User Form:

```xml
<FieldLoop for='tokenNum'>
  <expression>
    <ref>oneTokenList</ref>
  </expression>
  <!-- remainder of the loop body unchanged -->
</FieldLoop>
```

2. Change oneTokenList to threeTokenList.

3. Load the User Form into Identity Manager.

4. Rename the following Identity Manager User Attributes on the left side of the SecurID ACE/Server schema map:

| Original Identity Manager User Attribute | Renamed Identity Manager User Attribute |
|---|---|
| tokenClearPin | token1ClearPin |
| tokenDisabled | token1Disabled |
| tokenLost | token1Lost |
| tokenLostPassword | token1LostPassword |
| tokenLostExpireDate | token1LostExpireDate |
| tokenLostExpireHour | token1LostExpireHour |
| tokenLostLifeTime | token1LostLifeTime |
| tokenPinToNTC | token1PinToNTC |
| tokenPinToNTCSequence | token1PinToNTCSequence |
| expirePassword | token1NewPinMode |
| password | token1Pin |
| tokenResync | token1Resync |
| tokenFirstSequence | token1FirstSequence |
| tokenNextSequence | token1NextSequence |
| tokenSerialNumber | token1SerialNumber |
| tokenUnassign | token1Unassign |
5. Add the following fields to the schema map to accommodate a second token:

| Identity Manager User Attribute | Resource User Attribute |
|---|---|
| token2ClearPin | token2ClearPin |
| token2Disabled | token2Disabled |
| token2Lost | token2Lost |
| token2LostPassword | token2LostPassword |
| token2LostExpireDate | token2LostExpireDate |
| token2LostExpireHour | token2LostExpireHour |
| token2LostLifeTime | token2LostLifeTime |
| token2NewPinMode | token2NewPinMode |
| token2PinToNTC | token2PinToNTC |
| token2PinToNTCSequence | token2PinToNTCSequence |
| password | token2Pin |
| token2Resync | token2Resync |
| token2FirstSequence | token2FirstSequence |
| token2NextSequence | token2NextSequence |
| token2SerialNumber | token2SerialNumber |
| token2Unassign | token2Unassign |
6. Add the following fields to the schema map to accommodate a third token:

| Identity Manager User Attribute | Resource User Attribute |
|---|---|
| token3ClearPin | token3ClearPin |
| token3Disabled | token3Disabled |
| token3Lost | token3Lost |
| token3LostPassword | token3LostPassword |
| token3LostExpireDate | token3LostExpireDate |
| token3LostExpireHour | token3LostExpireHour |
| token3LostLifeTime | token3LostLifeTime |
| token3NewPinMode | token3NewPinMode |
| token3PinToNTC | token3PinToNTC |
| token3PinToNTCSequence | token3PinToNTCSequence |
| password | token3Pin |
| token3Resync | token3Resync |
| token3FirstSequence | token3FirstSequence |
| token3NextSequence | token3NextSequence |
| token3SerialNumber | token3SerialNumber |
| token3Unassign | token3Unassign |
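The renames and additions above follow a fixed pattern (each `tokenX` attribute becomes `token1X`, the two exceptions `expirePassword` and `password` become `token1NewPinMode` and `token1Pin`, and tokens 2 and 3 repeat the token1 names with the number swapped, with the PIN still fed from the `password` user attribute). The script below is an added example, not Sun or RSA code: it generates that mapping for any number of tokens and checks that the resource-side attribute names stay unique. It models the schema map as plain attribute-name pairs and does not parse the Resource object XML (an assumption, so the output is for review before editing the map).

```python
"""Generate the SecurID multi-token schema-map changes and sanity-check them.

Added example (not Sun Identity Manager or RSA code). The schema map is
modelled as (Identity Manager attribute, resource attribute) pairs; the real
map lives in the Resource object XML, which this script does not touch.
"""

# Constructed: the default single-token Identity Manager attribute names
# as listed on the left side of the documented rename table.
ONE_TOKEN_ATTRIBUTES = [
    "tokenClearPin", "tokenDisabled", "tokenLost", "tokenLostPassword",
    "tokenLostExpireDate", "tokenLostExpireHour", "tokenLostLifeTime",
    "tokenPinToNTC", "tokenPinToNTCSequence", "expirePassword", "password",
    "tokenResync", "tokenFirstSequence", "tokenNextSequence",
    "tokenSerialNumber", "tokenUnassign",
]

# The two documented renames that do not follow the "tokenX -> token1X" rule.
SPECIAL_RENAMES = {
    "expirePassword": "token1NewPinMode",
    "password": "token1Pin",
}


def token1_renames(attributes):
    """Map each default Identity Manager attribute name to its token1 name."""
    renames = {}
    for name in attributes:
        if name in SPECIAL_RENAMES:
            renames[name] = SPECIAL_RENAMES[name]
        elif name.startswith("token"):
            renames[name] = "token1" + name[len("token"):]
        else:
            raise ValueError("no documented token1 rename for %r" % name)
    return renames


def extra_token_rows(token_number, token1_names):
    """Rows to add for token N (N >= 2).

    The resource attribute is the token1 name with the number swapped. The
    Identity Manager attribute is the same name, except for the PIN, which
    stays mapped from the 'password' user attribute as the tables document.
    """
    if token_number < 2:
        raise ValueError("token1 is a rename of the default map, not an addition")
    rows = []
    for t1 in token1_names:
        resource_attr = "token%d%s" % (token_number, t1[len("token1"):])
        idm_attr = "password" if t1 == "token1Pin" else resource_attr
        rows.append((idm_attr, resource_attr))
    return rows


def build_schema_changes(token_count=3):
    """Return (token1 rename dict, list of rows to add for tokens 2..N)."""
    renames = token1_renames(ONE_TOKEN_ATTRIBUTES)
    token1_names = list(renames.values())
    rows = []
    for n in range(2, token_count + 1):
        rows.extend(extra_token_rows(n, token1_names))
    return renames, rows


def check_resource_attributes_unique(renames, rows):
    """Every resource-side name must be distinct, or the map is ambiguous.

    The Identity Manager side is deliberately not checked: 'password' feeds
    token1Pin, token2Pin and token3Pin by design.
    """
    seen = set()
    for resource_attr in list(renames.values()) + [r for _, r in rows]:
        if resource_attr in seen:
            raise ValueError("duplicate resource attribute %s" % resource_attr)
        seen.add(resource_attr)
    return True


if __name__ == "__main__":
    renames, rows = build_schema_changes(3)
    check_resource_attributes_unique(renames, rows)
    for old, new in renames.items():
        print("rename %-24s -> %s" % (old, new))
    for idm_attr, resource_attr in rows:
        print("add    %-24s -> %s" % (idm_attr, resource_attr))
```

Run it once with the default of three tokens and compare its output against the tables before editing the schema map; passing a larger `token_count` extends the same pattern, which the page itself only shows up to three.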
The SecurID adapters can return a list of tokens that match a specified set of characteristics, such as token type, status, or expiration. For example, the following user form snippet returns a list of all 128-bit tokens that have not been assigned:

```xml
<defvar name='unassignedTokens'>
  <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
    <ref>:display.session</ref>
    <s>ListTokensByField</s>
    <ref>resource</ref>
    <map>
      <s>field</s>
      <s>7</s>
      <s>compareType</s>
      <s>2</s>
      <s>value</s>
      <s>128</s>
      <s>templateParameters</s>
      <ref>accounts[$(resource)].templateParameters</ref>
    </map>
    <s>false</s>
  </invoke>
</defvar>
```
The values that may be assigned to the field, compareType, and value strings are defined in the documentation for the RSA Sd_ListTokensByField function. Refer to the RSA publication Customizing Your RSA ACE/Server Administration for more information.
If Identity Manager generates passwords that contain alphabetic characters, and SecurID does not permit alphabetic characters in a PIN, the following message is returned:

```text
SecurId ACE/Server: (realUpdateObject) Sd_SetPin Error Alpha characters not allowed
```

To correct this error, either modify the Identity Manager password policy for the resource so that passwords cannot contain alphabetic characters, or change the PIN restrictions on the resource to permit alphabetic characters.
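The failure above is a policy mismatch that can be detected before a provisioning request reaches the ACE/Server. The code below is an added example, not Sun or RSA code: it models the two policies by the character classes they allow or require (an assumption about how the policies are expressed), classifies the pair as compatible, possibly conflicting or always conflicting, and predicts the documented `Sd_SetPin` error for an individual value.

```python
"""Check an Identity Manager password policy against SecurID PIN restrictions.

Added example (not Sun Identity Manager or RSA code). The policy model is an
assumption: a policy is summarised by whether it allows alphabetic characters
and whether it requires at least one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CharacterPolicy:
    allow_alpha: bool          # may the value contain letters at all?
    require_alpha: bool = False  # must the value contain at least one letter?


# The error text the page documents for a PIN with letters.
SD_SETPIN_ALPHA_ERROR = "Sd_SetPin Error Alpha characters not allowed"


def compare_policies(idm_policy, pin_policy):
    """Classify how the Identity Manager password policy relates to the PIN rules.

    'always_conflicts': every generated password will be rejected.
    'may_conflict':     some generated passwords will be rejected.
    'compatible':       the alphabetic rule cannot cause a rejection.
    """
    if idm_policy.allow_alpha and not pin_policy.allow_alpha:
        return "always_conflicts" if idm_policy.require_alpha else "may_conflict"
    return "compatible"


def predict_set_pin(value, pin_policy):
    """Return the documented error for one value, or None if it would pass."""
    if not pin_policy.allow_alpha and any(c.isalpha() for c in value):
        return SD_SETPIN_ALPHA_ERROR
    return None


def documented_remediations(idm_policy, pin_policy):
    """The two fixes the page gives, expressed as adjusted policy pairs."""
    forbid_alpha_in_idm = (CharacterPolicy(allow_alpha=False), pin_policy)
    permit_alpha_in_pin = (idm_policy, CharacterPolicy(allow_alpha=True,
                                                       require_alpha=pin_policy.require_alpha))
    return [pair for pair in (forbid_alpha_in_idm, permit_alpha_in_pin)
            if compare_policies(*pair) == "compatible"]


if __name__ == "__main__":
    # Constructed policies: a typical mixed-character password policy against
    # a numeric-only PIN rule.
    idm = CharacterPolicy(allow_alpha=True, require_alpha=True)
    pin = CharacterPolicy(allow_alpha=False)
    print(compare_policies(idm, pin))          # always_conflicts
    print(predict_set_pin("a1b2c3", pin))       # the documented error
    print(predict_set_pin("123456", pin))       # None
    for fixed_idm, fixed_pin in documented_remediations(idm, pin):
        print("ok:", fixed_idm, fixed_pin)
```

Running `compare_policies` at configuration time tells you whether the resource will reject every push or only some of them; the second case is the harder one to notice in production, because it surfaces only for the subset of users whose generated password happened to contain a letter.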
The SecurID ACE/Server for Windows adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long a request to the gateway may run before it times out and is considered hung.

You must manually add this attribute to the Resource object as follows:

```xml
<ResourceAttribute name='Hang Timeout'
                   displayName='com.waveset.adapter.RAMessages: RESATTR_HANGTIMEOUT'
                   type='int'
                   description='com.waveset.adapter.RAMessages: RESATTR_HANGTIMEOUT_HELP'
                   value='NewValue'>
</ResourceAttribute>
```

The default value for this attribute is 0, which means that Identity Manager does not check for a hung connection.
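The practical consequence of the default is that a gateway that stops answering blocks the calling thread indefinitely. The code below is an added example, not Sun Identity Manager code: it reads the `Hang Timeout` value out of a Resource XML fragment (wrapped in a constructed `<Resource>` root, which is an assumption about the surrounding document) and applies the documented semantics to a hypothetical gateway call, where 0 disables the check and any other value turns a slow reply into a hung-request error.

```python
"""Apply RA_HANGTIMEOUT semantics to a gateway request.

Added example (not Sun Identity Manager code). read_hang_timeout parses the
ResourceAttribute element shown above; call_with_hang_timeout and the
simulated gateway are hypothetical stand-ins for the adapter's own request path.
"""
import concurrent.futures
import time
import xml.etree.ElementTree as ET

# Constructed Resource fragment: the documented element with a concrete value.
RESOURCE_XML = """
<Resource name='SecurID ACE/Server'>
  <ResourceAttribute name='Hang Timeout'
                     displayName='com.waveset.adapter.RAMessages: RESATTR_HANGTIMEOUT'
                     type='int'
                     description='com.waveset.adapter.RAMessages: RESATTR_HANGTIMEOUT_HELP'
                     value='30'>
  </ResourceAttribute>
</Resource>
"""


class GatewayHung(Exception):
    """Raised when a gateway request exceeds the configured hang timeout."""


def read_hang_timeout(resource_xml):
    """Return the 'Hang Timeout' value in seconds; absent means the default 0."""
    root = ET.fromstring(resource_xml)
    for attr in root.iter("ResourceAttribute"):
        if attr.get("name") == "Hang Timeout":
            value = int(attr.get("value", "0"))
            if value < 0:
                raise ValueError("Hang Timeout must be >= 0")
            return value
    return 0


def call_with_hang_timeout(request_fn, hang_timeout, *args):
    """Run request_fn(*args); after hang_timeout seconds treat it as hung.

    A timeout of 0 reproduces the documented default: no check at all, so a
    silent gateway blocks the caller for as long as it stays silent.
    """
    if hang_timeout == 0:
        return request_fn(*args)
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(request_fn, *args)
    try:
        return future.result(timeout=hang_timeout)
    except concurrent.futures.TimeoutError:
        raise GatewayHung("no reply from gateway within %ss" % hang_timeout) from None
    finally:
        # Do not wait for the stuck worker; the caller must be released.
        pool.shutdown(wait=False)


def simulated_gateway(delay_seconds):
    """Hypothetical gateway round trip that takes delay_seconds to answer."""
    time.sleep(delay_seconds)
    return "ok"


if __name__ == "__main__":
    timeout = read_hang_timeout(RESOURCE_XML)
    print("configured hang timeout:", timeout)
    print(call_with_hang_timeout(simulated_gateway, timeout, 0.1))
    try:
        call_with_hang_timeout(simulated_gateway, 0.2, 2.0)
    except GatewayHung as err:
        print("detected:", err)
```

Set a non-zero value on any production resource; without it a hung gateway is indistinguishable from a slow one, and the only symptom is provisioning requests that never complete.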