Oracle Waveset 8.1.1 Resources Reference

Usage Notes

This section provides information related to using the SecurID ACE/Server resource adapter, which is organized into the following sections:

Enabling Pass-Through Authentication on UNIX

Because the RSA C API on UNIX is not supported, enabling pass-through authentication with the SecurID ACE/Server UNIX adapter is not a straightforward process. Performing pass-through authentication on this adapter requires the following interactions between components:

Waveset <--> SecurID Unix Resource Adapter <--> SecurID Windows Adapter <--> Waveset Gateway <--> RSA ACE Agent for Windows <--> RSA UNIX Server

Note the following configuration and implementation points when enabling pass-through authentication with the SecurID ACE/Server UNIX adapter:

Enabling Multiple Tokens

The default schema map for both SecurID resource adapters is set up to allow the administrator to specify one token. If you are using the SecurID User Form provided in the InstallDir\samples\forms directory, perform the following steps to enable up to three tokens.

Procedure: Enabling up to Three Tokens

  1. Edit the following section of the SecurID User Form:


    <FieldLoop for='tokenNum'>
       <expression>
          <ref>oneTokenList</ref>
       </expression>

    Change oneTokenList to threeTokenList.

  2. Load the User Form into Waveset.

  3. Rename the following Waveset User Attributes on the left side of SecurID ACE/Server schema map:

    Original Waveset User Attribute    Renamed Waveset User Attribute
    -------------------------------    ------------------------------
    tokenClearPin                      token1ClearPin
    tokenDisabled                      token1Disabled
    tokenLost                          token1Lost
    tokenLostPassword                  token1LostPassword
    tokenLostExpireDate                token1LostExpireDate
    tokenLostExpireHour                token1LostExpireHour
    tokenLostLifeTime                  token1LostLifeTime
    tokenPinToNTC                      token1PinToNTC
    tokenPinToNTCSequence              token1PinToNTCSequence
    expirePassword                     token1NewPinMode
    password                           token1Pin
    tokenResync                        token1Resync
    tokenFirstSequence                 token1FirstSequence
    tokenNextSequence                  token1NextSequence
    tokenSerialNumber                  token1SerialNumber
    tokenUnassign                      token1Unassign

  4. Add the following fields to the schema map to accommodate a second token:

    Waveset User Attribute             Resource User Attribute
    ----------------------             -----------------------
    token2ClearPin                     token2ClearPin
    token2Disabled                     token2Disabled
    token2Lost                         token2Lost
    token2LostPassword                 token2LostPassword
    token2LostExpireDate               token2LostExpireDate
    token2LostExpireHour               token2LostExpireHour
    token2LostLifeTime                 token2LostLifeTime
    token2NewPinMode                   token2NewPinMode
    token2PinToNTC                     token2PinToNTC
    token2PinToNTCSequence             token2PinToNTCSequence
    password                           token2Pin
    token2Resync                       token2Resync
    token2FirstSequence                token2FirstSequence
    token2NextSequence                 token2NextSequence
    token2SerialNumber                 token2SerialNumber
    token2Unassign                     token2Unassign

  5. Add the following fields to the schema map to accommodate a third token:

    Waveset User Attribute             Resource User Attribute
    ----------------------             -----------------------
    token3ClearPin                     token3ClearPin
    token3Disabled                     token3Disabled
    token3Lost                         token3Lost
    token3LostPassword                 token3LostPassword
    token3LostExpireDate               token3LostExpireDate
    token3LostExpireHour               token3LostExpireHour
    token3LostLifeTime                 token3LostLifeTime
    token3NewPinMode                   token3NewPinMode
    token3PinToNTC                     token3PinToNTC
    token3PinToNTCSequence             token3PinToNTCSequence
    password                           token3Pin
    token3Resync                       token3Resync
    token3FirstSequence                token3FirstSequence
    token3NextSequence                 token3NextSequence
    token3SerialNumber                 token3SerialNumber
    token3Unassign                     token3Unassign
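
Steps 3 through 5 involve 48 hand-edited rows, and a missed row (for example a token's Lost or Disabled attribute) leaves that token state unmanaged from Waveset. The following Python check is an added example, not part of the Waveset documentation: it takes the schema map as (Waveset User Attribute, Resource User Attribute) pairs that you have transcribed yourself and lists the rows still to be renamed or added. The function names are hypothetical, and the code does not read Waveset's own schema map format.

```python
# Added example: checks a schema map against steps 3-5 of the procedure.
# Rows are (Waveset User Attribute, Resource User Attribute) tuples.
SUFFIXES = [
    "ClearPin", "Disabled", "Lost", "LostPassword", "LostExpireDate",
    "LostExpireHour", "LostLifeTime", "NewPinMode", "PinToNTC",
    "PinToNTCSequence", "Pin", "Resync", "FirstSequence", "NextSequence",
    "SerialNumber", "Unassign",
]
# Step 3: the two renames that do not follow the tokenX -> token1X pattern.
IRREGULAR = {"expirePassword": "token1NewPinMode", "password": "token1Pin"}


def step3_renames():
    """Original -> renamed Waveset User Attribute, as listed in step 3."""
    renames = {f"token{s}": f"token1{s}" for s in SUFFIXES
               if f"token1{s}" not in IRREGULAR.values()}
    renames.update(IRREGULAR)
    return renames


def expected_rows(n):
    """Rows that steps 4 and 5 add for token n (2 or 3)."""
    return [("password" if s == "Pin" else f"token{n}{s}", f"token{n}{s}")
            for s in SUFFIXES]


def check_schema_map(rows):
    """Return sorted findings; an empty list means steps 3-5 are complete."""
    findings = []
    left = {w for w, _ in rows}
    added_pin_rows = {("password", "token2Pin"), ("password", "token3Pin")}
    for old, new in step3_renames().items():
        # 'password' legitimately stays on the left for token2Pin/token3Pin.
        stale = any(w == old and (w, r) not in added_pin_rows for w, r in rows)
        if stale:
            findings.append(f"step 3: rename {old} to {new}")
        elif new not in left:
            findings.append(f"step 3: {new} is missing")
    for n in (2, 3):
        for row in expected_rows(n):
            if row not in rows:
                findings.append(f"step {n + 2}: add {row[0]} -> {row[1]}")
    return sorted(findings)
```
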

Retrieving Tokens by Status

The SecurID adapters can return a list of tokens that meet a specified set of characteristics, such as token type, status, or expiration. For example, the following user form snippet returns a list of all 128-bit tokens that have not been assigned.

<defvar name='unassignedTokens'>
   <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
      <ref>:display.session</ref>
      <s>ListTokensByField</s>
      <ref>resource</ref>
      <map>
         <s>field</s>
         <s>7</s>
         <s>compareType</s>
         <s>2</s>
         <s>value</s>
         <s>128</s>
         <s>templateParameters</s>
         <ref>accounts[$(resource)].templateParameters</ref>
      </map>
      <s>false</s>
   </invoke>
</defvar>

The values that may be assigned to the field, compareType, and value strings are defined in the documentation for the RSA Sd_ListTokensByField function. Refer to the RSA publication Customizing Your RSA ACE/Server Administration for more information.

Password Policies

If Waveset uses passwords that contain alphabetic characters, and SecurID does not permit alphabetic characters in a PIN, the following message will be returned:

SecurId ACE/Server: (realUpdateObject) Sd_SetPin Error Alpha characters not allowed

To correct this error, either modify the Waveset password policy for the resource so that passwords cannot contain alphabetic characters, or change the PIN restrictions on the resource to permit alphabetic characters.

Gateway Timeouts

The SecurID ACE/Server for Windows adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long Waveset waits before a request to the gateway times out and is considered hung.

You must manually add this attribute to the Resource object as follows:

<ResourceAttribute name='Hang Timeout'
   displayName='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT'
   type='int'
   description='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT_HELP'
   value='NewValue'>
</ResourceAttribute>

The default value for this attribute is 0, indicating that Waveset will not check for a hung connection.