SunScreen 3.1 Reference Manual

Typical SecurID Configuration

This section brings together the configuration elements described in the previous sections in a single example that shows the details of establishing a working SunScreen policy that uses SecurID authentication.

The example presumes the following preexistent state:

A standard (non-PINPAD) SecurID token is used. It has been assigned the login name ssadmin; that login has been activated on the ACE/Servers for the Screen host (named screen in this example); and the token has been configured to let the user establish a 4- to 8-digit PIN and is in new-PIN mode.

The overall steps are performed in the order shown below.

The command-line interface (ssadm commands) is shown here for brevity; however, except for the stub client configuration, every step can also be performed with the equivalent administration GUI operations.

The following is an example of what you type to perform the SecurID stub client configuration (as root in a shell on the Screen, with the sdconf.rec file from the ACE/Server already copied to /var/tmp):


# cd /var/tmp
# /opt/SUNWicg/SunScreen/lib/securid_stubclient_setup sdconf.rec

The following is an example of what you type to create the registry address objects that describe the ACE/Servers (logged in as an administrator; the -r screen option directs ssadm at the Screen named screen):


admin% ssadm -r screen edit Initial
edit> add address acemaster HOST ....
edit> add address aceslave HOST ....
edit> add address aceservers GROUP { acemaster aceslave } { } ...
edit> save

The following is an example of what you type to continue adding the SecurID client-to-server policy rule:


edit> add rule securid localhost aceservers ALLOW

And to add the ACE/Server server-to-server policy rule:


edit> add rule securidprop aceservers aceservers ALLOW

And the PIN server policy rules (two rules are created: the first allows the end-user SKIP Administration Station encrypted access to the PIN server; the second allows unencrypted access from inside hosts):


edit> add rule "SecurID PIN" admin localhost SKIP_VERSION_2 remote screen.admin DES-CBC RC4-40 MD5 NONE ALLOW
edit> add rule "SecurID PIN" inside localhost ALLOW

Note -

Rules are matched in policy order, so these rules should be placed early enough in the policy to preempt other conflicting rules: an earlier DENY for the same service and hosts, or an earlier rule that permits the same traffic without SKIP protection, makes the later rule ineffective. The second PIN server rule carries the SecurID login, PASSCODE, and new PIN in cleartext, so the inside address should cover only hosts on a trusted network segment.
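The ordering requirement in the Note can be checked mechanically. The following is an added example, not code from the SunScreen 3.1 manual or product: it parses only the subset of ssadm edit syntax used on this page (add address ... HOST, add address ... GROUP { members } { }, and add rule SERVICE SRC DST [options] ALLOW|DENY), flattens GROUP objects, and reports any SecurID ALLOW rule that an earlier DENY, or an earlier cleartext ALLOW ahead of a SKIP-protected rule, would match first. The two policy transcripts in it are constructed for the demonstration; the host addresses, the DENY rule, and the cleartext "SecurID PIN" rule are hypothetical.

```python
"""Check a SunScreen-style rule list for SecurID rules that an earlier rule
would preempt.

Added example, not code from the SunScreen 3.1 manual or product.  Handles
only the ``ssadm edit`` syntax used on this page and assumes first-match
evaluation, which is what the Note about rule placement relies on.  The
policies below are constructed for the demonstration; the HOST addresses, the
DENY rule and the cleartext "SecurID PIN" rule are hypothetical.
"""
import shlex
from typing import Dict, List, Optional, Set, Tuple

# (line number, service, source, destination, action, uses SKIP encryption)
Rule = Tuple[int, str, str, str, str, bool]

# Constructed policy with two ordering mistakes: a DENY for one ACE/Server
# precedes the securid ALLOW, and a cleartext PIN-server rule precedes the
# SKIP-protected one for the same Administration Station.
BAD_POLICY = """\
add address acemaster HOST 192.0.2.10
add address aceslave HOST 192.0.2.11
add address aceservers GROUP { acemaster aceslave } { }
add rule securid localhost acemaster DENY
add rule securid localhost aceservers ALLOW
add rule securidprop aceservers aceservers ALLOW
add rule "SecurID PIN" admin localhost ALLOW
add rule "SecurID PIN" admin localhost SKIP_VERSION_2 remote screen.admin DES-CBC RC4-40 MD5 NONE ALLOW
add rule "SecurID PIN" inside localhost ALLOW
"""

# Same objects with the SecurID rules placed first, as the Note requires.
GOOD_POLICY = """\
add address acemaster HOST 192.0.2.10
add address aceslave HOST 192.0.2.11
add address aceservers GROUP { acemaster aceslave } { }
add rule securid localhost aceservers ALLOW
add rule securidprop aceservers aceservers ALLOW
add rule "SecurID PIN" admin localhost SKIP_VERSION_2 remote screen.admin DES-CBC RC4-40 MD5 NONE ALLOW
add rule "SecurID PIN" inside localhost ALLOW
add rule securid localhost acemaster DENY
"""


def parse_policy(text: str) -> Tuple[Dict[str, List[str]], List[Rule]]:
    """Collect GROUP memberships and rules from 'add address' / 'add rule' lines."""
    groups: Dict[str, List[str]] = {}
    rules: List[Rule] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        toks = shlex.split(line)  # keeps "SecurID PIN" as a single token
        if len(toks) < 4 or toks[0] != "add":
            continue
        if toks[1] == "address" and toks[3] == "GROUP":
            # members sit inside the first { } pair; the second pair is empty
            # on this page and is ignored here
            start = toks.index("{")
            end = toks.index("}", start)
            groups[toks[2]] = toks[start + 1:end]
        elif toks[1] == "rule":
            service, src, dst, action = toks[2], toks[3], toks[4], toks[-1]
            encrypted = any(t.startswith("SKIP_VERSION") for t in toks[5:-1])
            rules.append((lineno, service, src, dst, action, encrypted))
    return groups, rules


def expand(name: str, groups: Dict[str, List[str]],
           seen: Optional[Set[str]] = None) -> Set[str]:
    """Leaf address names an object stands for; GROUPs are flattened recursively."""
    if seen is None:
        seen = set()
    if name not in groups or name in seen:
        return {name}
    seen.add(name)
    leaves: Set[str] = set()
    for member in groups[name]:
        leaves |= expand(member, groups, seen)
    return leaves


def find_preempted(text: str) -> List[str]:
    """Report ALLOW rules that an earlier rule for the same service and
    overlapping endpoints would match first: an earlier DENY, or an earlier
    cleartext ALLOW ahead of a SKIP-protected rule."""
    groups, rules = parse_policy(text)
    findings: List[str] = []
    for i, (ln, svc, src, dst, action, enc) in enumerate(rules):
        if action != "ALLOW":
            continue
        src_set, dst_set = expand(src, groups), expand(dst, groups)
        for pln, psvc, psrc, pdst, paction, penc in rules[:i]:
            if psvc != svc:
                continue
            if not (expand(psrc, groups) & src_set and expand(pdst, groups) & dst_set):
                continue
            if paction == "DENY":
                findings.append(f"line {ln}: {svc} {src}->{dst} ALLOW is preempted by DENY on line {pln}")
            elif enc and not penc:
                findings.append(f"line {ln}: SKIP rule for {svc} is preempted by cleartext ALLOW on line {pln}")
    return findings


if __name__ == "__main__":
    for label, policy in (("BAD_POLICY", BAD_POLICY), ("GOOD_POLICY", GOOD_POLICY)):
        print(label, find_preempted(policy) or ["ok"])
```

Run against a saved transcript of your own add rule lines before you activate the policy; an empty result means no SecurID rule is shadowed by an earlier DENY or by an earlier cleartext rule for the same endpoints. The check is conservative: it compares address objects by name after flattening GROUPs and does not resolve IP ranges, so two differently named objects for the same host are treated as disjoint.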


Now augment the standard admin user so that it can also authenticate with SecurID (the existing definition is printed first for clarity):


edit> authuser print admin
"admin" ENABLED PASSWORD={ "" CRYPT_PASSWORD="1hp1R.xm.w63Q" ENABLED } DESCRIPTION="(created by install)" REAL_NAME="SunScreen Administrator"
edit> authuser add admin password={ "" crypt_password="1hp1R.xm.w63Q" } \
      securid={ ssadmin } description="updated for either simple password or SecurID" \
      real_name="SunScreen Administrator"

Save and activate the augmented policy:


edit> save
edit> quit
% ssadm -r screen activate Initial

Now establish the token's PIN by connecting to the PIN server (from the Administration Station):


% telnet screen 3855
Trying 1.2.3.4...
Connected to screen.
Escape character is '^]'.
SunScreen V3.1 SecurID PIN / Re-keying Server
Enter SecurID login: ssadmin
Enter PASSCODE: 6-digit-passcode-from-token
New PIN required; do you wish to continue? (y/n) [n]: y
Now enter your new PIN, containing 4 to 8 digits, or press
Return to generate a new PIN and display it on the Screen, or
end the connection to cancel the New PIN procedure: 4-digit-PIN
Please reenter new PIN: 4-digit-PIN
Wait for the code on your token to change, then connect again with the new PIN
Connection closed by foreign host.

The configuration is now complete. After the code on the token changes (up to one minute later), administrative access to the Screen can be obtained with SecurID. The SunScreen administrative user name is still admin; as the password, you supply the 4-digit PIN established above followed immediately by the 6-digit code currently displayed by the token.

In the example, the simple-text password can also be used to establish administrator authenticity, because the authuser add command kept the password={ ... } clause alongside securid={ ssadmin }. If SecurID is to be the only accepted method for admin, define the user without the simple-password clause.