SunScreen EFS Release 3.0 Reference Manual

Typical SecurID Configuration

This section attempts to bring together the various configuration elements described in previous sections with an example setup that illustrates the pertinent details of establishing a working SunScreen EFS 3.0 policy utilizing SecurID authentication.

The example presumes the following pre-existent state:

A standard (non-PINPAD) SecurID token is used, which has been given a login name of ssadmin; that login has been activated on screen on the ACE/Servers; the token has been configured for user establishment of a 4- to 8-digit PIN and is in new-PIN mode.

The overall steps performed are:

The command-line interface (using ssadm commands) is shown here for brevity; however, except for the stub client configuration, all other steps can be performed using equivalent administration GUI operations.

The following is an example of what you type to perform the SecurID stub client configuration (while root in a shell on screen):


# cd /var/tmp
# /opt/SUNWicg/SunScreen/lib/securid_stubclient_setup sdconf.rec

The following is an example of what you type to create the registry address objects to describe the ACE/Servers (while logged in to the Screen):


admin% ssadm -r screen edit Initial
edit> add address acemaster HOST ....
edit> add address aceslave HOST ....
edit> add address aceservers GROUP { acemaster aceslave } { } ...
edit> save

The following is an example of what you type to continue adding the SecurID client-to-server policy rule:


edit> add rule securid localhost aceservers ALLOW

And to add the ACE/Server server-to-server policy rule:


edit> add rule securidprop aceservers aceservers ALLOW

And the PIN server policy rule (actually, two rules are shown being created, one that allows the end-user SKIP Administration Station to access the PIN server, the other for unencrypted access for inside hosts):


edit> add rule "SecurID PIN" admin localhost SKIP_VERSION_2 remote screen.admin DES-CBC RC4-40 MD5 NONE ALLOW
edit> add rule "SecurID PIN" inside localhost ALLOW


Note -

These rules should be placed early enough in the policy to preempt other conflicting (DENY or less-secure) rules.
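The ordering requirement in the Note can be checked with a small first-match simulator. The following Python script is an added example, not part of the SunScreen manual or product; the address-group memberships, the wildcard "*" service, the default-DENY outcome and the broad DENY rule are constructed for the demonstration, while the SecurID rules are the ones added above.

```python
import shlex

# Constructed address book, following the page's `add address` definitions;
# membership of "inside" and the wildcard "*" are assumptions for the demo.
ADDRESSES = {
    "localhost": {"localhost"},
    "acemaster": {"acemaster"},
    "aceslave": {"aceslave"},
    "aceservers": {"acemaster", "aceslave"},   # GROUP { acemaster aceslave }
    "admin": {"admin"},
    "inside": {"admin", "desk1"},              # constructed membership
    "*": None,                                 # any host (assumed wildcard)
}

def parse_rule(line):
    """Parse `add rule SERVICE SRC DST [options...] ALLOW|DENY` into a dict."""
    tok = shlex.split(line)
    if tok[:2] != ["add", "rule"] or tok[-1] not in ("ALLOW", "DENY"):
        raise ValueError("unrecognised rule line: %r" % line)
    return {"service": tok[2], "src": tok[3], "dst": tok[4], "action": tok[-1]}

def matches(rule, service, src, dst):
    def in_obj(host, obj):
        members = ADDRESSES[obj]
        return members is None or host in members
    return (rule["service"] in (service, "*")
            and in_obj(src, rule["src"]) and in_obj(dst, rule["dst"]))

def effective_action(policy, service, src, dst):
    """First-match evaluation: the first rule that fits the flow decides."""
    for index, line in enumerate(policy):
        rule = parse_rule(line)
        if matches(rule, service, src, dst):
            return index, rule["action"]
    return None, "DENY"   # assumed default when nothing matches

# Rules from the page, plus one constructed broad DENY for the inside hosts.
SECURID_RULES = [
    'add rule securid localhost aceservers ALLOW',
    'add rule securidprop aceservers aceservers ALLOW',
    'add rule "SecurID PIN" admin localhost SKIP_VERSION_2 remote screen.admin DES-CBC RC4-40 MD5 NONE ALLOW',
    'add rule "SecurID PIN" inside localhost ALLOW',
]
BROAD_DENY = 'add rule "*" inside localhost DENY'   # constructed

MISORDERED = [BROAD_DENY] + SECURID_RULES   # DENY first: PIN server unreachable
CORRECT = SECURID_RULES + [BROAD_DENY]      # SecurID rules first, as the Note advises

if __name__ == "__main__":
    for name, policy in (("misordered", MISORDERED), ("correct", CORRECT)):
        idx, act = effective_action(policy, "SecurID PIN", "admin", "localhost")
        print("%-10s admin -> PIN server: rule %s %s" % (name, idx, act))
```

With the DENY rule ahead of the SecurID rules the Administration Station never reaches the PIN server, so PIN establishment in the later steps fails; moving the SecurID rules in front restores the intended ALLOW.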


Now, augment the standard admin user to allow SecurID authentication (the existing value is first displayed for clarity):


edit> authuser print admin
"admin" ENABLED PASSWORD={ "" CRYPT_PASSWORD="1hp1R.xm.w63Q" ENABLED } DESCRIPTION="(created by install)" REAL_NAME="SunScreen Administrator"

edit> authuser add admin password={ "" crypt_password="1hp1R.xm.w63Q" } securid={ ssadmin } description="updated for either simple password or SecurID" real_name="SunScreen Administrator"

Save and activate the augmented policy:


edit> save
edit> quit
% ssadm -r screen activate Initial

Now, perform PIN establishment of the token (from the Administration Station):


% telnet screen 3855
Trying 1.2.3.4...
Connected to screen.
Escape character is '^]'.

SunScreen V3.0 SecurID PIN / Re-keying Server

Enter SecurID login: ssadmin
Enter PASSCODE: 6-digit-passcode-from-token
New PIN required; do you wish to continue? (y/n) [n]: y

Now enter your new PIN, containing 4 to 8 digits, or press Return to
generate a new PIN and display it on the Screen, or end the connection
to cancel the New PIN procedure:
4-digit-PIN
Please re-enter new PIN: 4-digit-PIN
Wait for the code on your token to change, then connect again with the new PIN

Connection closed by foreign host.

The configuration is now complete. After the code on the token changes (up to one minute later), administrative access to the Screen can be obtained using SecurID. The SunScreen administrative user's name is still admin, but you supply as the password the 4-digit-PIN value (established above) followed immediately by the 6-digit value displayed by the token.

In this example the simple-text password remains an accepted way to establish administrator authenticity as well, because the authuser definition above carries both a password entry and a securid entry.