SunScreen 3.2 Administrator's Overview

SecurID Access Paths

The protocol used to communicate between the SecurID client and its servers is based on UDP datagrams. This protocol typically uses port 5500, although this can be altered by changing the configuration on all client and ACE/Server systems. Awareness of this port number assignment on SunScreen is found in two places:

The protocol is named securid in both locations.

In more robust SecurID configurations, a slave ACE/Server is configured to serve as a backup to the master server.

As was previously described, the SecurID client software obtains the IP addresses of the ACE/Servers from the sdconf.rec file during client installation. Additionally, the SunScreen policy must contain rules that allow the SecurID client software on the SunScreen to access the master and slave ACE/Servers. This involves:

For the master and slave ACE/Server mode to function, all SecurID clients must be able to access both servers. The servers also communicate with each other over a separate path, a TCP connection (typically on port 5510). You can alter this port by changing the configuration on both ACE/Servers. Awareness of this port number assignment is found in the same places as that of the UDP datagram securid service. This TCP server-to-server protocol is named securidprop in both locations.

Rules are needed to allow the master and slave servers to communicate using securidprop.
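The following added example (not SunScreen's own tooling or rule syntax) models the access paths described above and reports which required paths a rule set fails to allow: every client to each ACE/Server over securid, plus master and slave to each other over securidprop. Service definitions, rule tuples and the host names screen, ace-master and ace-slave are all hypothetical.

```python
"""Check that a policy opens every path a SecurID master/slave deployment needs.

Added example, not SunScreen code: services and rules are plain Python data,
and all host names are hypothetical.
"""
from dataclasses import dataclass

# Service name -> (protocol, port). The ports are the usual defaults and must
# match what is configured on every ACE/Server and SecurID client.
SERVICES = {
    "securid": ("udp", 5500),      # client -> ACE/Server authentication
    "securidprop": ("tcp", 5510),  # master <-> slave server-to-server traffic
}


@dataclass(frozen=True, order=True)
class Path:
    src: str
    dst: str
    proto: str
    port: int


def required_paths(clients, master, slave=None, services=SERVICES):
    """Each client must reach every ACE/Server over securid; with a slave
    configured, master and slave also need securidprop in both directions."""
    udp, sid_port = services["securid"]
    servers = [master] + ([slave] if slave else [])
    paths = {Path(c, s, udp, sid_port) for c in clients for s in servers}
    if slave:
        tcp, prop_port = services["securidprop"]
        paths.add(Path(master, slave, tcp, prop_port))
        paths.add(Path(slave, master, tcp, prop_port))
    return paths


def allowed_paths(rules, services=SERVICES):
    """Rules are (service, src, dst, action) tuples; only ALLOW opens a path."""
    return {Path(src, dst, *services[svc])
            for svc, src, dst, action in rules if action == "ALLOW"}


def missing_paths(clients, master, slave, rules, services=SERVICES):
    """Required paths the rule set does not allow, in sorted order."""
    return sorted(required_paths(clients, master, slave, services)
                  - allowed_paths(rules, services))


if __name__ == "__main__":
    # Constructed policy: a slave was added, but only half of its rules were.
    rules = [("securid", "screen", "ace-master", "ALLOW"),
             ("securidprop", "ace-master", "ace-slave", "ALLOW")]
    for p in missing_paths(["screen"], "ace-master", "ace-slave", rules):
        print(f"missing: {p.src} -> {p.dst} {p.proto}/{p.port}")
```

Passing a different services mapping reproduces the case where the ACE/Servers were reconfigured away from the default ports while the policy's service definitions were not.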