SunScreen 3.2 Administrator's Overview

Typical SecurID Configuration

This section attempts to bring together the various configuration elements described in previous sections with an example setup that illustrates the pertinent details of establishing a working SunScreen policy utilizing SecurID authentication.

The example presumes the following preexistent state:

A standard (non-PINPAD) SecurID token is used, which has been given a login name of ssadmin. That login has been activated for the Screen on the ACE/Servers. The token has been configured for user establishment of a 4- to 8-digit PIN and is in new-PIN mode.

The overall steps performed are:

The command-line interface (using ssadm commands) is shown here for brevity; however, except for the stub client configuration, all other steps can be performed using equivalent administration GUI operations.

Examples: SecurID Configurations

The following are examples of SecurID configurations.

To configure a SecurID stub client (while root in a shell on screen):


# cd /var/tmp
# /usr/lib/sunscreen/lib/securid_stubclient_setup sdconf.rec

To create the registry address objects to describe the ACE/Servers, while logged into the Screen:


admin% ssadm -r screen edit Initial
edit> add address acemaster HOST ....
edit> add address aceslave HOST ....
edit> add address aceservers GROUP { acemaster aceslave } { } ...
edit> save

To continue adding the SecurID client-to-server policy rule:


edit> add rule securid localhost aceservers ALLOW

To add the ACE/Server server-to-server policy rule:


edit> add rule securidprop aceservers aceservers ALLOW

To add two PIN server policy rules -- one that allows the end-user SKIP Administration Station to access the PIN server, the other for unencrypted access for inside hosts:


edit> add rule "SecurID PIN" admin localhost SKIP_VERSION_2 
remote screen.admin DES-CBC RC4-40 MD5 NONE ALLOW
edit> add rule "SecurID PIN" inside localhost ALLOW

You should place these rules early enough in the policy so that their action takes place before the action of other conflicting (DENY or less-secure) rules.
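Rule order is easy to get wrong when a policy has many entries. The following is an added example, not part of the SunScreen documentation or product: a small Python checker that parses rule lines in the ssadm add-rule syntax shown above and reports a SecurID rule that is missing, that sits after a DENY rule to the same destination, or that would carry the PIN/passcode unencrypted from a source other than inside. It assumes exact address-name matching (it does not expand GROUP objects) and that the action is the last token of each line; the sample policy lines are constructed for illustration.

```python
import shlex

# The three services the section adds; "SecurID PIN" is a quoted rule name.
SECURID_SERVICES = {"securid", "securidprop", "SecurID PIN"}

def parse_rule(line):
    """Parse one 'add rule <service> <src> <dst> [SKIP options] <ACTION>' line."""
    tokens = shlex.split(line)          # handles the quoted "SecurID PIN" name
    if tokens[:2] != ["add", "rule"] or len(tokens) < 6:
        raise ValueError(f"not an add-rule line: {line!r}")
    return {"service": tokens[2], "src": tokens[3], "dst": tokens[4],
            "action": tokens[-1], "skip": "SKIP_VERSION_2" in tokens[5:-1]}

def check_securid_policy(lines):
    """Return a list of problems; an empty list means the SecurID rules look sound."""
    rules = [parse_rule(l) for l in lines if l.strip()]
    problems = []
    present = {r["service"] for r in rules if r["action"] == "ALLOW"}
    for svc in sorted(SECURID_SERVICES):
        if svc not in present:
            problems.append(f"missing ALLOW rule for service {svc!r}")
    for i, r in enumerate(rules, start=1):
        if r["service"] not in SECURID_SERVICES or r["action"] != "ALLOW":
            continue
        # An earlier DENY to the same destination shadows this rule.
        for j, earlier in enumerate(rules[:i - 1], start=1):
            if earlier["action"] == "DENY" and earlier["dst"] == r["dst"]:
                problems.append(f"rule {i} ({r['service']}) is shadowed by "
                                f"DENY rule {j} to {r['dst']}")
        # PIN traffic from anywhere but the inside network should use SKIP.
        if r["service"] == "SecurID PIN" and not r["skip"] and r["src"] != "inside":
            problems.append(f"rule {i}: PIN server reachable unencrypted from {r['src']}")
    return problems

# Constructed sample policies (not taken from a real Screen).
GOOD_POLICY = [
    'add rule securid localhost aceservers ALLOW',
    'add rule securidprop aceservers aceservers ALLOW',
    'add rule "SecurID PIN" admin localhost SKIP_VERSION_2 remote screen.admin '
    'DES-CBC RC4-40 MD5 NONE ALLOW',
    'add rule "SecurID PIN" inside localhost ALLOW',
    'add rule common outside localhost DENY',
]
BAD_POLICY = [
    'add rule common outside localhost DENY',          # DENY placed first
    'add rule securid localhost aceservers ALLOW',
    'add rule "SecurID PIN" admin localhost ALLOW',     # no SKIP, no securidprop
]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_securid_policy(policy) or "ok")
```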

To augment the standard admin user to allow SecurID authentication (the existing value is first displayed for clarity):


edit> authuser print admin
"admin" ENABLED PASSWORD={ "" CRYPT_PASSWORD="1hp1R.xm.w63Q" ENABLED } 
DESCRIPTION="(created by install)"  REAL_NAME="SunScreen Administrator" 
edit> authuser add admin password={ "" crypt_password="1hp1R.xm.w63Q" }  
securid={ ssadmin }  description="updated for either simple password or SecurID" 
real_name="SunScreen  Administrator"

To save and activate the augmented policy:


edit> save
edit> quit
admin% ssadm -r screen activate Initial

To perform PIN establishment of the token (from the Administration Station):


admin% telnet screen 3855
Trying 1.2.3.4... 
Connected to screen. 
Escape character is '^]'. 
SunScreen V3.2 SecurID PIN / Re-keying Server 
Enter SecurID login: ssadmin
Enter PASSCODE: 6-digit-passcode-from-token
New PIN required; do you wish to continue? (y/n) [n]: y 
Now enter your new PIN, containing 4 to 8 digits, or press 
Return to generate a new PIN and display it on the Screen, or 
end the connection to cancel the New PIN procedure: 4-digit-PIN
Please reenter new PIN: 4-digit-PIN
Wait for the code on your token to change, then connect again 
with the new PIN 
Connection closed by foreign host.

The configuration is now complete. After the code on the token changes (up to one minute later), administrative access to the Screen can be obtained using SecurID. The SunScreen administrative user's name is still admin, but you supply as the password the 4-digit-PIN value (established above) followed immediately by the 6-digit value displayed by the token.

In this example, the simple-text password also remains valid for establishing administrator authenticity, since the admin user was given both a password and a securid value.