Sun Identity Manager 8.1 Resources Reference

Chapter 39 SecurID ACE/Server

Identity Manager provides resource adapters for supporting RSA SecurID ACE/Server.

Adapter Details

The following table summarizes the attributes of these adapters:

GUI Name	Class Name
SecurID ACE/Server	`com.waveset.adapter.SecurIdResourceAdapter`
SecurID ACE/Server UNIX	`com.waveset.adapter.SecurIdUnixResourceAdapter`

Resource Configuration Notes

If SecurID is installed on Windows, the adapter will interface with the apidemon that is shipped with the installed version of RSA ACE/Server. Copy the apidemon from the ACE/Server installation directory (by default, c:\ace\utils\toolkit\apidemon.exe) to c:\winnt\system32 or c:\windows\system32 Note that the RSA ACE 6.1 apidemon.exe is in the ACEInstallDir\prog directory.

The UNIX adapter uses the RSA ACE/Server Administration Toolkit TCL API. This API must be located in the ACEInstallDir/utils/tcl/bin directory. The value of ACEInstallDir is specified as a resource parameter. The toolkit must be configured as described in the Customizing Your RSA ACE/Server Administration publication provided by RSA.

In addition, ensure that the following conditions are true so that you can manage RSA Users and other ACE database objects through Identity Manager:

The SecurID user name specified in the Administrator Login (on the Windows adapter) or the Login User (on the UNIX adapter) resource parameter exists in the ACE/Server. If not, create an ACE user with the same default login name.
This SecurID user must login to the ACE/Server with a password instead of a tokencode. Set the RSA ACE Server user’s password to the same value specified on the adapter.

If the current RSA ACE Server system policy does not allow a password to be set using the characters you need (for example, an alphanumeric PIN), or if you need to change the default setting for user password expiration, edit the system parameters on the RSA ACE Server Database console.

A password changed through the RSA ACE Server administrator console is a one-time password that will expire the first time this user logs in. Use the RSA ACE Agent Test Authentication facility to login so that you can change the user’s password to one that will not expire immediately. Note that you may change it to the same value, so it’s still the same as the password specified in the resource adapter.
On Windows, an RSA ACE Agent Host must be added for the host where the Identity Manager gateway is running. This can be configured from the Database Administration - Host Mode console interface on the system where the RSA ACE Server is running. You must configure the DNS host name and network address, and you must specify which users have access. In addition, the agent type must be set to Net OS Agent.
If a SecurId group name or site name contains a comma, Identity Manager might not be able to parse the name correctly. Avoid using commas in SecurId group names and site names.

Identity Manager Installation Notes

If SecurID is installed on Windows, the Identity Manager gateway must be running on the same system where the RSA ACE/Server is installed.

Usage Notes

This section provides information related to using the SecurID ACE/Server resource adapter, which is organized into the following sections:

Enabling Pass-Through Authentication on UNIX

Because the RSA C API on UNIX is not supported, enabling pass-through authentication with the SecurID ACE/Server UNIX adapter is not a straightforward process. Performing pass-through authentication on this adapter requires the following interactions between components:

Identity Manager <--> SecurID Unix Resource Adapter <--> SecurID Windows Adapter <--> Sun Identity Manager Gateway <--> RSA ACE Agent for Windows <--> RSA UNIX Server

Note the following configuration and implementation points when enabling pass-through authentication with the SecurID ACE/Server UNIX adapter:

The Sun Identity Manager Gateway and the RSA ACE Agent Host must reside on the same Windows host. See the Resource Configuration Notes section for more information.
If the UNIX RSA server lists itself as a client, the account used to authenticate users must be defined on the UNIX resource. See the Resource Configuration Notes section for more information.
You must specify a value for the ACE Server Authentication Resource resource parameter in the SecurID ACE/Server UNIX adapter. This value must match a resource name specified in a valid SecurID ACE/Server (for Windows) adapter.
SecurID’s authentication policies require that the UNIX SecurID server must be aware of the RSA ACE Agent for Windows. The sdconf.rec file must be present and configured correctly on the Windows host.
The RSA ACE Agent for Windows must be activated for users attempting to use pass-through authentication.
Identity Manager must be configured to use the SecurID ACE/Server or SecurID ACE/Server UNIX login module.
Candidate users for authentication must be configured with an Identity Manager role and organization.

Enabling Multiple Tokens

The default schema map for both SecurID resource adapters is set-up to allow the administrator to specify one token. If you are using the SecurID User Form provided in the InstallDir\samples\forms directory, perform the following steps to enable up to three tokens.

Enabling up to Three Tokens

Edit the following section of the SecurID User Form:

<FieldLoop for=’tokenNum’>   <expression>      <ref>oneTokenList</ref>   </expression>

Change oneTokenList to threeTokenList.

Load the User Form into Identity Manager.

Rename the following Identity Manager User Attributes on the left side of SecurID ACE/Server schema map:

Original Identity Manager User Attribute	Renamed Identity Manager User Attribute
`tokenClearPin`	`token1ClearPin`
`tokenDisabled`	`token1Disabled`
`tokenLost`	`token1Lost`
`tokenLostPassword`	`token1LostPassword`
`tokenLostExpireDate`	`token1LostExpireDate`
`tokenLostExpireHour`	`token1LostExpireHour`
`tokenLostLifeTime`	`token1LostLifeTime`
`tokenPinToNTC`	`token1PinToNTC`
`tokenPinToNTCSequence`	`token1PinToNTCSequence`
`expirePassword`	`token1NewPinMode`
`password`	`token1Pin`
`tokenResync`	`token1Resync`
`tokenFirstSequence`	`token1FirstSequence`
`tokenNextSequence`	`token1NextSequence`
`tokenSerialNumber`	`token1SerialNumber`
`tokenUnassign`	`token1Unassign`

Add the following fields to the schema map to accommodate a second token:

Identity Manager User Attribute	Resource User Attribute
`token2ClearPin`	`token2ClearPin`
`token2Disabled`	`token2Disabled`
`token2Lost`	`token2Lost`
`token2LostPassword`	`token2LostPassword`
`token2LostExpireDate`	`token2LostExpireDate`
`token2LostExpireHour`	`token2LostExpireHour`
`token2LostLifeTime`	`token2LostLifeTime`
`token2NewPinMode`	`token2NewPinMode`
`token2PinToNTC`	`token2PinToNTC`
`token2PinToNTCSequence`	`token2PinToNTCSequence`
`password`	`token2Pin`
`token2Resync`	`token2Resync`
`token2FirstSequence`	`token2FirstSequence`
`token2NextSequence`	`token2NextSequence`
`token2SerialNumber`	`token2SerialNumber`
`token2Unassign`	`token2Unassign`

Add the following fields to the schema map to accommodate a third token:

Identity Manager User Attribute	Resource User Attribute
`token3ClearPin`	`token3ClearPin`
`token3Disabled`	`token3Disabled`
`token3Lost`	`token3Lost`
`token3LostPassword`	`token3LostPassword`
`token3LostExpireDate`	`token3LostExpireDate`
`token3LostExpireHour`	`token3LostExpireHour`
`token3LostLifeTime`	`token3LostLifeTime`
`token3NewPinMode`	`token3NewPinMode`
`token3PinToNTC`	`token3PinToNTC`
`token3PinToNTCSequence`	`token3PinToNTCSequence`
`password`	`token3Pin`
`token3Resync`	`token3Resync`
`token3FirstSequence`	`token3FirstSequence`
`token3NextSequence`	`token3NextSequence`
`token3SerialNumber`	`token3SerialNumber`
`token3Unassign`	`token3Unassign`

Retrieving Tokens by Status

The SecurId adapters can return a list of tokens that meet a specified set of characteristics, such as token type, status, or expiration. For example, the following user form snippet returns a list of all 128-bit tokens that have not been assigned.

<defvar name=’unassignedTokens’>
   <invoke name=’listResourceObjects’ class=’com.waveset.ui.FormUtil’>
      <ref>:display.session</ref>
      <s>ListTokensByField</s>
      <ref>resource</ref>
      <map>
         <s>field</s>
         <s>7</s>
         <s>compareType</s>
         <s>2</s>
         <s>value</s>
         <s>128</s>
         <s>templateParameters</s>
         <ref>accounts[$(resource)].templateParameters</ref>
      </map>
      <s>false</s>
   </invoke>
</defvar>

The values that may be assigned to the field, compareType, and value strings are defined in the documentation for the RSA Sd_ListTokensByField function. Refer to the RSA publication Customizing Your RSA ACE/Server Administration for more information.

Password Policies

If Identity Manager uses passwords that contain alphabet characters, and SecurID does not permit alphabet characters in a PIN, the following message will be returned:

SecurId ACE/Server: (realUpdateObject) Sd_SetPin Error Alpha characters not allowed

To correct this error, either modify the Identity Manager password policy for the resource so that it cannot contain alphabet characters, or change the PIN restrictions on the resource to permit alphabet characters.

Gateway Timeouts

The SecurID ACE/Server for Windows adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long before a request to the gateway times out and is considered hung.

You must manually add this attribute to the Resource object as follows:

<ResourceAttribute name=’Hang Timeout’ displayName=’com.waveset.adapter.RAMessages:
RESATTR_HANGTIMEOUT’ type=’int’ description=’com.waveset.adapter.RAMessages:
RESATTR_HANGTIMEOUT_HELP’ value=’NewValue’>
 </ResourceAttribute>

The default value for this attribute is 0, indicating that Identity Manager will not check for a hung connection.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager can use the following to communicate with the SecurID ACE/Server adapter:

Sun Identity Manager Gateway (Windows only)
Telnet (UNIX only)
SSH (UNIX only)
SSHPubKey (UNIX only)

For SSHPubKey connections, the private key must be specified on the Resource Parameters page. The key must include comment lines such as --- BEGIN PRIVATE KEY --- and --- END PRIVATE KEY --. The public key must be placed in the /.ssh/authorized_keys file on the server.

Required Administrative Privileges

The user specified in the Login User resource parameter (on UNIX) or in the Administrator Login resource parameter (on Windows) must be assigned to an administrative role that has the ability to run user- and token-related tasks.

You can use a test connection to test whether

These commands exist in the administrator user’s path
The administrative user can write to /tmp
The administrative user have rights to run certain commands

A test connection can use different command options than a normal provision run.

Note –

The Resource SecurID Administrators report lists all available administrators for the SecurID resource. This report describes the properties of each administrator, including administrator name, Admin level, Admin task list, Admin site, and Admin group. You can download this report in both .csv and .pdf formats.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature	Supported?
Enable/disable account	Yes
Rename account	Yes
Pass-through authentication	Yes
Before/after actions	No
Data loading methods	Import from resource Reconciliation

Account Attributes

The following table provides information about SecurID ACE/Server account attributes. The data type for all attributes is String, unless otherwise noted.

The SecurID ACE/Server adapters do not support custom account attributes (known as User Extension Data on SecurId) that contain multiple values.

Identity Manager User Attribute	Resource User Attribute	Description
`adminGroup`	`adminGroup`	The group the administrator is a member of. This is a read-only attribute.
`adminLevel`	`adminLevel`	The administrative level of the user. The value can be realm, site, or group. This is a read-only attribute.
`adminSite`	`adminSite`	The sites to which the administrator has access to. This is a read-only attribute.
`adminTaskList`	`adminTaskList`	The name of the set of tasks that the administrator can perform. This is a read-only attribute.
`adminTaskListTasks`	`adminTaskListTasks`	The specific tasks the administrator can perform. This is a read-only attribute.
`allowedToCreatePin`	`allowedToCreatePin`	Read-only Boolean attribute that indicates that a user is allowed to specify a PIN. If the PIN is not specified, the system will generate one for the user
`clients`	`clients`	Specifies the clients a user is a member of.
`accountId`	`defaultLogin`	The account ID for the user in ACE/Server. Maximum 48 characters.
`defaultShell`	`defaultShell`	User’s default shell. Maximum 256 characters.
`expirePassword`	`WS_PasswordExpired`	Indicates whether the password will be expired. When the password is expired, the SecurID account will be placed in New PIN Mode. This is a write-only attribute.
`firstname`	`firstname`	Required. The user’s first name. Maximum 24 characters.
`groups`	`groups`	Specifies the groups a user is a member of.
`lastname`	`lastname`	Required. The user’s last name. Maximum 24 characters.
`remoteAlias`	`remoteAlias`	The user’s login name in their remote realm.
`remoteRealm`	`remoteRealm`	For remote users, the realm the user is part of.
`requiredToCreatePin`	`requiredToCreatePin`	Read-only Boolean attribute that indicates that a user must specify a PIN.
`tempEndDate`	`tempEndDate`	Date when temporary mode ends.
`tempEndHour`	`tempEndHour`	Hour when temporary mode ends.
`tempStartDate`	`tempStartDate`	Date when temporary mode begins.
`tempStartHour`	`tempStartHour`	Hour when temporary mode begins.
`tempUser`	`tempUser`	Sets a user in or out of temporary mode.
`tokenClearPin`	`token1ClearPin`	When set on a user update, it will cause the user’s PIN to be cleared.
`tokenDisabled`	`token1Disabled`	When set on a user update, it will cause the user’s PIN to be disabled.
`tokenLost`	`token1Lost`	When set to true on a user update, the account will be put in emergency access mode within RSA.
`tokenLostPassword`	`token1LostPassword`	When the value is not blank, then the lost token will use the value given as the temporary passcode. If the value is blank, then the legacy behavior of having RSA assign temporary passcodes is performed. This is a write-only attribute.
`tokenLostExpireDate`	`token1LostExpireDate`	Specifies the date when the “lost token” temporary password expires. This attribute is meaningful only when tokenLostPassword is not blank and tokenLostLifeTime is either blank or zero. This is a write-only attribute. This attribute is not implemented in the sample user form.
`tokenLostExpireHour`	`token1LostExpireHour`	Specifies the hour when the “lost token” temporary password expires. (For example, use 16 to represent 4:00 P.M.) This attribute is meaningful only when tokenLostPassword is not blank and tokenLostLifeTime is either blank or zero. This is a write-only attribute. This attribute is not implemented in the sample user form.
`tokenLostLifeTime`	`token1LostLifeTime`	Specifies how long to honor, in hours, the temporary passcodes. This field can be used regardless of the value of takenLostPassword. This is a write-only attribute.
`tokenFirstSequence`	`token1FirstSequence`	Specifies the original token when a token needs to be resynchronized. This is a write-only attribute.
`tokenNewPinMode`	`token1NewPinMode`	When the users account has been placed in New PIN Mode, specifies the user’s new PIN.
`tokenNextSequence`	`token1NextSequence`	Specifies the new token when a token needs to be resynchronized. This is a write-only attribute.
`tokenPin`	`token1Pin`	Encrypted. The user’s PIN.
`tokenPinToNTC`	`token1PinToNTC`	If set to true, begins the process of setting a PIN for a specified assigned token to next tokencode.
`tokenPinToNTCSequence`	`token1PinToNTCSequence`	Specifies the user’s current tokencode.
`tokenResync`	`token1Resync`	Indicates whether to resynchronize a token. This attribute enables the tokenFirstSequence and tokenNextSequence attributes. This is a write-only attribute.
`tokenSerialNumber`	`token1SerialNumber`	Token serial number. Must be 12 characters. Insert leading zeros as needed to meet this requirement.
`tokenUnassign`	`token1Unassign`	Specifies a token to remove from a user. This is a write-only attribute.
`userType`	`userType`	Must be either Remote or Local.

Resource Object Management

Identity Manager supports the following SecurID ACE/Server objects by default.

Table 39–1 Supported SecurID ACE/Server Objects


Resource Object	Features Supported	Attributes Managed
group	List, view	Groupname, List of users assigned to this group, List of clients activated to this group
clients	List, view	Client name, List of users assigned to this client, List of groups activated to this client

Identity Template

$accountId$

Sample Forms

SecurID User Form

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:

com.waveset.adapter.SecurIdResourceAdapter
com.waveset.adapter.SecurIdUnixResourceAdapter
com.waveset.adapter.SVIDResourceAdapter

Tracing can also be enabled on the following methods to diagnose problems connecting to the gateway on Windows systems:

com.waveset.adapter.AgentResourceAdapter#sendRequest
com.waveset.adapter.AgentResourceAdapter#getResponse