This section attempts to bring together the various configuration elements described in previous sections with an example setup that illustrates the pertinent details of establishing a working SunScreen policy utilizing SecurID authentication.
The example presumes the following preexistent state:
screen is the SunScreen Screen (as well as localhost)
admin is the (remote) SunScreen Administration Station
A standard Initial policy has been created, with default names for addresses and SKIP certificates
Address objects inside and outside have been created to declare hosts that are within and without the protection of the Screen, respectively
ACE/Servers acemaster and aceslave have been configured
screen has been configured as a UNIX client in the ACE/Servers
The (resulting) sdconf.rec file has been loaded into the /var/tmp directory on screen
A standard (non-PINPAD) SecurID token is used, which has been given a login name of ssadmin. That login has been activated on the ACE/Servers for the client screen. The token has been configured for user establishment of a 4 to 8-digit PIN and is in new-PIN mode.
The overall steps performed are:
Stub client configuration
ACE/Server address object creation
SecurID client-to-server policy rule creation
ACE/Server server-to-server policy rule creation
PIN server policy rule creation
Augment the SunScreen administrative user to use SecurID
Altered policy activation
PIN establishment
Screen administrative authentication through SecurID
The command-line interface (using ssadm commands) is shown here for brevity; however, except for the stub client configuration, all other steps can be performed using equivalent administration GUI operations.
The following are examples of the SecurID configuration steps.
To configure a SecurID stub client (while root in a shell on screen):
    # cd /var/tmp
    # /usr/lib/sunscreen/lib/securid_stubclient_setup sdconf.rec
To create the registry address objects to describe the ACE/Servers, while logged into the Screen:
    admin% ssadm -r screen edit Initial
    edit> add address acemaster HOST ....
    edit> add address aceslave HOST ....
    edit> add address aceservers GROUP { acemaster aceslave } { }
    ...
    edit> save
To continue adding the SecurID client-to-server policy rule:
    edit> add rule securid localhost aceservers ALLOW
To add the ACE/Server server-to-server policy rule:
    edit> add rule securidprop aceservers aceservers ALLOW
To add two PIN server policy rules -- one that allows the end-user SKIP Administration Station to access the PIN server, the other for unencrypted access for inside hosts:
    edit> add rule "SecurID PIN" admin localhost SKIP_VERSION_2 remote screen.admin DES-CBC RC4-40 MD5 NONE ALLOW
    edit> add rule "SecurID PIN" inside localhost ALLOW
You should place these rules early enough in the policy so that their action takes place before the action of other conflicting (DENY or less-secure) rules.
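Because the policy is evaluated first-match, the ordering advice above is easy to get wrong when a policy has many rules. The following checker is an added example, not part of SunScreen or of this document: it parses `add rule` lines in the simplified form shown in this section (`add rule <service> <src> <dst> [options...] ALLOW|DENY`, with an optional quoted service name), treats address objects as opaque names except for a constructed group table standing in for the registry, assumes `*` as the wildcard spelling for "any", and reports every "SecurID PIN" rule that an earlier DENY or an earlier unencrypted ALLOW for overlapping traffic would match first.

```python
import shlex
from dataclasses import dataclass

# Constructed stand-in for the address registry: group name -> member objects.
GROUPS = {"aceservers": {"acemaster", "aceslave"}}
ANY = "*"  # assumed wildcard spelling for "any address/service"; not from the page


@dataclass(frozen=True)
class Rule:
    service: str
    src: str
    dst: str
    action: str
    options: tuple  # tokens between dst and the action, e.g. the SKIP parameters


def parse_rule(line: str) -> Rule:
    """Parse one 'add rule' line; shlex keeps the quoted "SecurID PIN" name intact."""
    tokens = shlex.split(line)
    if tokens[:2] != ["add", "rule"] or len(tokens) < 6:
        raise ValueError(f"not an 'add rule' line: {line!r}")
    service, src, dst = tokens[2:5]
    action = tokens[-1].upper()
    if action not in ("ALLOW", "DENY"):
        raise ValueError(f"rule must end in ALLOW or DENY: {line!r}")
    return Rule(service, src, dst, action, tuple(tokens[5:-1]))


def members(name: str) -> set:
    return GROUPS.get(name, {name})


def overlaps(a: str, b: str) -> bool:
    return ANY in (a, b) or bool(members(a) & members(b))


def same_service(a: str, b: str) -> bool:
    return ANY in (a, b) or a == b


def shadowing_conflicts(policy_lines):
    """Return (pin_rule_no, earlier_rule_no, reason) tuples, 1-based in the
    order the 'add rule' lines appear, for every "SecurID PIN" ALLOW rule that
    an earlier conflicting rule would match before it."""
    rules = [parse_rule(l) for l in policy_lines if l.strip().startswith("add rule")]
    findings = []
    for i, pin in enumerate(rules):
        if pin.service != "SecurID PIN" or pin.action != "ALLOW":
            continue
        for j in range(i):
            earlier = rules[j]
            if not (same_service(earlier.service, pin.service)
                    and overlaps(earlier.src, pin.src)
                    and overlaps(earlier.dst, pin.dst)):
                continue
            if earlier.action == "DENY":
                findings.append((i + 1, j + 1, "earlier DENY blocks the PIN server"))
            elif pin.options and not earlier.options:
                # The PIN rule carries SKIP parameters; an earlier plain ALLOW for
                # the same traffic is matched first and the session goes unencrypted.
                findings.append((i + 1, j + 1, "earlier unencrypted ALLOW is less secure"))
    return findings


# Constructed policy fragment: the two PIN rules from this section placed after
# a DENY and an unencrypted ALLOW for the same traffic, so there is something to flag.
BAD_ORDER = [
    'add rule securid localhost aceservers ALLOW',
    'add rule securidprop aceservers aceservers ALLOW',
    'add rule "SecurID PIN" inside localhost DENY',
    'add rule "SecurID PIN" admin localhost ALLOW',
    'add rule "SecurID PIN" admin localhost SKIP_VERSION_2 remote screen.admin DES-CBC RC4-40 MD5 NONE ALLOW',
    'add rule "SecurID PIN" inside localhost ALLOW',
]
# Same rules with the PIN rules moved to the front, as the text recommends.
GOOD_ORDER = [BAD_ORDER[4], BAD_ORDER[5], BAD_ORDER[0], BAD_ORDER[1], BAD_ORDER[2]]

if __name__ == "__main__":
    for label, policy in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        print(label, shadowing_conflicts(policy))
```

Run against `BAD_ORDER` the checker reports that rule 5 (the SKIP-protected PIN rule for admin) is shadowed by the plain ALLOW at rule 4, and that rule 6 (inside hosts) is shadowed by the DENY at rule 3; `GOOD_ORDER` produces no findings.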
To augment the standard admin user to allow SecurID authentication (the existing value is first displayed for clarity):
    edit> authuser print admin
    "admin" ENABLED PASSWORD={ "" CRYPT_PASSWORD="1hp1R.xm.w63Q" ENABLED } DESCRIPTION="(created by install)" REAL_NAME="SunScreen Administrator"
    edit> authuser add admin password={ "" crypt_password="1hp1R.xm.w63Q" } securid={ ssadmin } description="updated for either simple password or SecurID" real_name="SunScreen Administrator"
To save and activate the augmented policy:
    edit> save
    edit> quit
    admin% ssadm -r screen activate Initial
To perform PIN establishment of the token (from the Administration Station):
    admin% telnet screen 3855
    Trying 1.2.3.4...
    Connected to screen.
    Escape character is '^]'.
    SunScreen V3.2 SecurID PIN / Re-keying Server
    Enter SecurID login: ssadmin
    Enter PASSCODE: 6-digit-passcode-from-token
    New PIN required; do you wish to continue? (y/n) [n]: y
    Now enter your new PIN, containing 4 to 8 digits,
    or press Return to generate a new PIN and display it on the Screen,
    or end the connection to cancel the New PIN procedure: 4-digit-PIN
    Please reenter new PIN: 4-digit-PIN
    Wait for the code on your token to change, then connect again with the new PIN
    Connection closed by foreign host.
The configuration is now complete. After the code on the token changes (up to one minute later), administrative access to the Screen can be obtained using SecurID. The SunScreen administrative user's name is still admin, but you supply as the password the 4-digit-PIN value (established above) followed immediately by the 6-digit value displayed by the token.
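The PIN establishment dialogue and the passcode rule just described (PIN followed immediately by the 6-digit token value, new PIN of 4 to 8 digits, wait for the token code to change before logging in) can be modelled to show why each step is there. The code below is an added example and is not the ACE/Server, the SunScreen PIN server, or any code from this document. It assumes a constructed sequence of token codes in place of a real clock-driven token, that in new-PIN mode the token code alone is entered as the PASSCODE (as the transcript above shows), and that each token code is accepted once only, which is the reason the server tells the user to wait for the next code.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

TOKENCODE_LEN = 6          # the transcript shows a 6-digit value from the token
PIN_MIN, PIN_MAX = 4, 8    # "containing 4 to 8 digits"

# Constructed token-code sequence standing in for a real token's changing codes.
TOKEN_CODES = ["135790", "246801", "975318"]


@dataclass
class TokenRecord:
    login: str
    codes: list                       # constructed code sequence for this token
    pin: Optional[str] = None         # None means new-PIN mode, as in the example
    used_codes: set = field(default_factory=set)

    def current_code(self, tick: int) -> str:
        return self.codes[tick % len(self.codes)]


def split_passcode(passcode: str) -> Tuple[str, str]:
    """The token code is always the trailing 6 digits; whatever precedes it is
    the PIN, which is how a server copes with PINs of varying length."""
    if not passcode.isdigit() or len(passcode) <= TOKENCODE_LEN:
        raise ValueError("passcode must be digits: PIN followed by the 6-digit token code")
    return passcode[:-TOKENCODE_LEN], passcode[-TOKENCODE_LEN:]


def valid_new_pin(pin: str) -> bool:
    return pin.isdigit() and PIN_MIN <= len(pin) <= PIN_MAX


class PinServer:
    """Minimal stand-in for the 'SecurID PIN / Re-keying Server' dialogue (assumed model)."""

    def __init__(self, records: dict):
        self.records = records

    def _accept_code(self, rec: TokenRecord, code: str, tick: int) -> bool:
        # Single use: the code consumed during PIN establishment is refused for
        # login until the token has moved on to its next code.
        if code in rec.used_codes or not hmac.compare_digest(code, rec.current_code(tick)):
            return False
        rec.used_codes.add(code)
        return True

    def establish_pin(self, login: str, code: str, new_pin: str, reentered: str, tick: int) -> str:
        rec = self.records.get(login)
        if rec is None or rec.pin is not None:
            return "rejected: unknown login or token not in new-PIN mode"
        if not self._accept_code(rec, code, tick):
            return "rejected: bad PASSCODE"
        if not valid_new_pin(new_pin):
            return "rejected: PIN must contain 4 to 8 digits"
        if new_pin != reentered:
            return "rejected: PINs do not match"
        rec.pin = new_pin
        return "ok: wait for the token code to change, then connect again with PIN+code"

    def authenticate(self, login: str, passcode: str, tick: int) -> bool:
        rec = self.records.get(login)
        if rec is None or rec.pin is None:
            return False
        try:
            pin, code = split_passcode(passcode)
        except ValueError:
            return False
        # compare_digest keeps the PIN comparison independent of where it differs.
        return hmac.compare_digest(pin, rec.pin) and self._accept_code(rec, code, tick)


def walkthrough() -> list:
    """Establish a PIN, show the same code is refused for login, log in once
    the token code has changed, then show that passcode cannot be replayed."""
    server = PinServer({"ssadmin": TokenRecord("ssadmin", TOKEN_CODES)})
    return [
        server.establish_pin("ssadmin", "135790", "4321", "4321", tick=0),
        server.authenticate("ssadmin", "4321135790", tick=0),   # same code: refused
        server.authenticate("ssadmin", "4321246801", tick=1),   # next code: accepted
        server.authenticate("ssadmin", "4321246801", tick=1),   # replay: refused
    ]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The `walkthrough` sequence reproduces the transcript's outcome: the PIN is set with the token code alone, a login attempt with the PIN plus that same code fails, the next code succeeds, and reusing that passcode fails again.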
In this example the simple-text password also remains valid for establishing administrator authenticity, because the authuser definition keeps its password entry alongside the new securid entry.