Sun[TM] Identity Manager 8.0 Resources Reference
SecurID ACE/Server

Identity Manager provides resource adapters for supporting RSA SecurID ACE/Server. The following table summarizes the attributes of these adapters:

GUI Name                  Class Name
SecurID ACE/Server        com.waveset.adapter.SecurIdResourceAdapter
SecurID ACE/Server UNIX   com.waveset.adapter.SecurIdUnixResourceAdapter
Resource Configuration Notes
If SecurID is installed on Windows, the adapter will interface with the apidemon that is shipped with the installed version of RSA ACE/Server. Copy the apidemon from the ACE/Server installation directory (by default, c:\ace\utils\toolkit\apidemon.exe) to c:\winnt\system32 or c:\windows\system32.
The UNIX adapter uses the RSA ACE/Server Administration Toolkit TCL API. This API must be located in the ACEInstallDir/utils/tcl/bin directory. The value of ACEInstallDir is specified as a resource parameter. The toolkit must be configured as described in the Customizing Your RSA ACE/Server Administration publication provided by RSA.
In addition, ensure that the following conditions are true so that you can manage RSA Users and other ACE database objects via Identity Manager:
- The SecurID user name specified in the Administrator Login (on the Windows adapter) or the Login User (on the UNIX adapter) resource parameter exists in the ACE/Server. If not, create an ACE user with the same default login name.
- This SecurID user must log in to the ACE/Server with a password instead of a tokencode. Set the RSA ACE Server user's password to the same value specified on the adapter.
If the current RSA ACE Server system policy does not allow a password to be set using the characters you need (for example, an alphanumeric PIN), or if you need to change the default setting for user password expiration, edit the system parameters on the RSA ACE Server Database console.
A password changed via the RSA ACE Server administrator console is a one-time password that expires the first time the user logs in. Use the RSA ACE Agent Test Authentication facility to log in and change the user's password to one that does not expire immediately. You may change it to the same value, so that it still matches the password specified in the resource adapter.
- On Windows, an RSA ACE Agent Host must be added for the host where the Identity Manager gateway is running. This can be configured from the Database Administration - Host Mode console interface on the system where the RSA ACE Server is running. You must configure the DNS host name and network address, and you must specify which users have access. In addition, the agent type must be set to Net OS Agent.
- If a SecurId group name or site name contains a comma, Identity Manager might not be able to parse the name correctly. Avoid using commas in SecurId group names and site names.
Identity Manager Installation Notes
If SecurID is installed on Windows, the Identity Manager gateway must be running on the same system where the RSA ACE/Server is installed.
Usage Notes
This section provides information related to using the SecurID ACE/Server resource adapter, which is organized into the following sections:
Enabling Pass-Through Authentication on UNIX
Because the RSA C API on UNIX is not supported, enabling pass-through authentication with the SecurID ACE/Server UNIX adapter is not a straightforward process. Performing pass-through authentication on this adapter requires the following interactions between components:
Identity Manager <--> SecurID Unix Resource Adapter <--> SecurID Windows Adapter <--> Sun Identity Manager Gateway <--> RSA ACE Agent for Windows <--> RSA Unix Server
Note the following configuration and implementation points when enabling pass-through authentication with the SecurID ACE/Server UNIX adapter:
- The Sun Identity Manager Gateway and the RSA ACE Agent Host must reside on the same Windows host. See the Resource Configuration Notes section for more information.
- If the UNIX RSA server lists itself as a client, the account used to authenticate users must be defined on the UNIX resource. See the Resource Configuration Notes section for more information.
- You must specify a value for the ACE Server Authentication Resource resource parameter in the SecurID ACE/Server UNIX adapter. This value must match a resource name specified in a valid SecurID ACE/Server (for Windows) adapter.
- SecurID’s authentication policies require that the UNIX SecurID server must be aware of the RSA ACE Agent for Windows. The sdconf.rec file must be present and configured correctly on the Windows host.
- The RSA ACE Agent for Windows must be activated for users attempting to use pass-through authentication.
- Identity Manager must be configured to use the SecurID ACE/Server or SecurID ACE/Server UNIX login module.
- Candidate users for authentication must be configured with an Identity Manager role and organization.
Enabling Multiple Tokens
The default schema map for both SecurID resource adapters is set up to allow the administrator to specify one token. If you are using the SecurID User Form provided in the InstallDir\samples\forms directory, perform the following steps to enable up to three tokens.
- Edit the following section of the SecurID User Form:

    <FieldLoop for='tokenNum'>
      <expression>
        <ref>oneTokenList</ref>
      </expression>

  Change oneTokenList to threeTokenList.
- Load the User Form into Identity Manager.
- Rename the following Identity Manager User Attributes on the left side of SecurID ACE/Server schema map:
- Add the following fields to the schema map to accommodate a second token:
- Add the following fields to the schema map to accommodate a third token:
Retrieving Tokens by Status
The SecurId adapters can return a list of tokens that meet a specified set of characteristics, such as token type, status, or expiration. For example, the following user form snippet returns a list of all 128-bit tokens that have not been assigned.
    <defvar name='unassignedTokens'>
      <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
        <ref>:display.session</ref>
        <s>ListTokensByField</s>
        <ref>resource</ref>
        <map>
          <s>field</s>
          <s>7</s>
          <s>compareType</s>
          <s>2</s>
          <s>value</s>
          <s>128</s>
          <s>templateParameters</s>
          <ref>accounts[$(resource)].templateParameters</ref>
        </map>
        <s>false</s>
      </invoke>
    </defvar>

The values that may be assigned to the field, compareType, and value strings are defined in the documentation for the RSA Sd_ListTokensByField function. Refer to the RSA publication Customizing Your RSA ACE/Server Administration for more information.
Password Policies
If Identity Manager generates or accepts passwords that contain alphabetic characters, and the SecurID PIN restrictions do not permit alphabetic characters, the following message is returned when the adapter tries to set the PIN:

    SecurId ACE/Server: (realUpdateObject) Sd_SetPin Error Alpha characters not allowed

To correct this error, either modify the Identity Manager password policy for the resource so that passwords cannot contain alphabetic characters, or change the PIN restrictions on the resource to permit alphabetic characters.
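A pre-flight check for the mismatch described above, as an added example (not part of the Identity Manager documentation or the SecurID adapter). It models the two rule sets the text names: the Identity Manager password policy for the resource and the ACE/Server PIN restriction. The PinRestriction and PasswordPolicy fields, the length limits and the sample values are all assumptions made for illustration; the only rule taken from the page is that a numeric-only PIN restriction rejects any letter.

```python
"""Pre-flight check for the password-policy / PIN-restriction mismatch.

Added example for this section; it is not part of the Identity Manager
documentation or of the SecurID adapter. The dataclass fields and limits
below are assumed shapes, constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PinRestriction:
    """Assumed shape of the ACE/Server PIN rules relevant to provisioning."""
    alpha_allowed: bool   # False reproduces the Sd_SetPin failure in the text
    min_len: int
    max_len: int


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed shape of the Identity Manager password policy for the resource."""
    min_len: int
    max_len: int
    require_alpha: bool   # policy demands at least one letter
    require_digit: bool


def pin_violations(pin, rule):
    """Return the reasons the ACE/Server would refuse `pin` (empty list = accepted)."""
    problems = []
    if not rule.alpha_allowed and any(c.isalpha() for c in pin):
        problems.append("Alpha characters not allowed")
    if not rule.min_len <= len(pin) <= rule.max_len:
        problems.append(f"length {len(pin)} outside {rule.min_len}-{rule.max_len}")
    return problems


def policy_conflict(policy, rule):
    """Explain why *every* password from `policy` would fail `rule`, or return None.

    Run this before provisioning: the fix the text gives is to drop letters
    from the Identity Manager policy or to permit them on the resource, and
    either change makes this function return None.
    """
    if policy.require_alpha and not rule.alpha_allowed:
        return ("password policy requires a letter but the resource forbids "
                "alphabetic PINs")
    if policy.min_len > rule.max_len or policy.max_len < rule.min_len:
        return (f"policy length {policy.min_len}-{policy.max_len} never fits "
                f"PIN length {rule.min_len}-{rule.max_len}")
    return None


def demo():
    """Constructed values: a numeric-only PIN rule against two IdM policies."""
    numeric_only = PinRestriction(alpha_allowed=False, min_len=4, max_len=8)
    idm_mixed = PasswordPolicy(min_len=6, max_len=8, require_alpha=True, require_digit=True)
    idm_numeric = PasswordPolicy(min_len=6, max_len=8, require_alpha=False, require_digit=True)
    return {
        "bad_pin": pin_violations("ab1234", numeric_only),
        "good_pin": pin_violations("123456", numeric_only),
        "before_fix": policy_conflict(idm_mixed, numeric_only),   # conflict
        "after_fix": policy_conflict(idm_numeric, numeric_only),  # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of policy_conflict is that the failure is structural, not per-user: a policy that requires a letter can never produce a PIN the resource accepts, so checking the two policies against each other once is cheaper than discovering the Sd_SetPin error on every provisioning run.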
Gateway Timeouts
The SecurID ACE/Server for Windows adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. The attribute controls how long a request to the gateway may wait for a response before it is treated as hung and abandoned.
You must manually add this attribute to the Resource object as follows:

    <ResourceAttribute name='Hang Timeout'
        displayName='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT'
        type='int'
        description='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT_HELP'
        value='NewValue'>
    </ResourceAttribute>

The default value for this attribute is 0, indicating that Identity Manager will not check for a hung connection; with the default, a request to an unresponsive gateway is never timed out by this mechanism.
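The behaviour of the hang timeout, shown with a loopback stand-in for the gateway. This is an added example and not Identity Manager gateway or adapter code: the one-line request/reply protocol, the fake gateway and the function names are all constructed for the demonstration. What it keeps from the text is the convention that 0 means no hang check (the read blocks until the peer answers or the TCP connection dies) and a positive value fails the request after that many seconds.

```python
"""Hang detection for a gateway request, modelled on RA_HANGTIMEOUT.

Added example; not Identity Manager gateway or adapter code. The wire protocol
is a constructed one-line request and one-line reply over TCP; the slow and
fast "gateways" are started in-process on the loopback interface.
"""
import socket
import threading
import time


def socket_timeout(hang_timeout):
    """Map the RA_HANGTIMEOUT convention (0 = no hang check) to a socket timeout."""
    if hang_timeout < 0:
        raise ValueError("hang timeout must be >= 0 seconds")
    return None if hang_timeout == 0 else float(hang_timeout)


def gateway_request(host, port, payload, hang_timeout):
    """Send one request, read one newline-terminated reply, enforce the hang timeout.

    Raises socket.timeout when the gateway stays silent longer than hang_timeout.
    """
    tmo = socket_timeout(hang_timeout)
    with socket.create_connection((host, port), timeout=tmo) as s:
        s.settimeout(tmo)          # applies to recv as well as connect
        s.sendall(payload + b"\n")
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("gateway closed the connection without replying")
            buf += chunk
    return buf.rstrip(b"\n")


def start_fake_gateway(delay):
    """Constructed stand-in for the gateway: answers each request after `delay` seconds."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listening socket closed
                return
            with conn:
                conn.recv(4096)
                time.sleep(delay)
                try:
                    conn.sendall(b"OK\n")
                except OSError:    # client already gave up
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """One request against a responsive gateway, one against a hung one."""
    fast_srv, fast_port = start_fake_gateway(delay=0.2)
    slow_srv, slow_port = start_fake_gateway(delay=5.0)
    try:
        reply = gateway_request("127.0.0.1", fast_port, b"ping", hang_timeout=2)
        try:
            gateway_request("127.0.0.1", slow_port, b"ping", hang_timeout=1)
            hung_detected = False
        except socket.timeout:
            hung_detected = True
    finally:
        fast_srv.close()
        slow_srv.close()
    return reply, hung_detected


if __name__ == "__main__":
    print(demo())   # (b'OK', True)
```

With hang_timeout=0 the same call against the slow gateway would simply block for as long as the peer stays silent, which is the situation the attribute exists to bound; a value of a few seconds more than the gateway's normal worst-case response is the usual starting point.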
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager can use the following to communicate with the SecurID ACE/Server adapter:
For SSHPubKey connections, the private key must be specified on the Resource Parameters page. Paste the key in PEM form, including its armor lines (the lines that read BEGIN PRIVATE KEY and END PRIVATE KEY, each surrounded by hyphens); without them the key cannot be parsed. The matching public key must be placed in the ~/.ssh/authorized_keys file of the Login User account on the server. Keep that file and the ~/.ssh directory writable only by that account: sshd ignores authorized_keys entries in group- or world-writable paths (StrictModes, which is on by default).
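Format checks for the two artifacts named above, as an added example (not Identity Manager or adapter code). It checks that a pasted private key still carries matching PEM armor lines and a base64 body, and that an authorized_keys entry has the OpenSSH shape "<type> <base64 blob> [comment]" with a blob whose first length-prefixed field is the key type the line claims, which is how OpenSSH encodes public keys. The function names are assumptions, and the sample key material is constructed from dummy bytes so the example runs offline; it is not a usable key.

```python
"""Format checks for the SSHPubKey private key and the authorized_keys entry.

Added example; not Identity Manager or adapter code. Sample key material is
constructed (dummy bytes, not a real key).
"""
import base64
import struct


def check_private_key_pem(text):
    """Return a list of problems with a pasted PEM private key (empty = looks fine)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    problems = []
    first, last = (lines[0], lines[-1]) if lines else ("", "")
    begin_ok = first.startswith("-----BEGIN ") and first.endswith("-----")
    end_ok = last.startswith("-----END ") and last.endswith("-----")
    if not begin_ok:
        problems.append("missing BEGIN armor line")
    if not end_ok:
        problems.append("missing END armor line")
    if begin_ok and end_ok and first[11:-5] != last[9:-5]:
        problems.append("BEGIN and END labels differ")
    body = "".join(lines[1:-1]) if len(lines) > 2 else ""
    try:
        base64.b64decode(body, validate=True)
        if not body:
            raise ValueError("empty body")
    except ValueError:                     # binascii.Error is a ValueError
        problems.append("key body is not valid base64")
    return problems


def parse_authorized_keys_line(line):
    """Validate one authorized_keys entry; return (key_type, comment) or raise ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short")
    # OpenSSH wire format: uint32 length, then the key type string, then key fields
    (n,) = struct.unpack(">I", raw[:4])
    embedded = raw[4:4 + n]
    if len(embedded) != n or embedded != key_type.encode("ascii", "replace"):
        raise ValueError(f"blob encodes {embedded!r}, line says {key_type!r}")
    return key_type, comment


def make_dummy_blob(key_type):
    """Constructed OpenSSH-style blob: length-prefixed key type plus dummy fields."""
    fields = [key_type.encode("ascii"), b"\x01\x00\x01", b"\x00" + b"\x42" * 32]
    raw = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(raw).decode("ascii")


# Constructed samples for the demonstration (not real keys).
SAMPLE_AUTHORIZED_KEYS_LINE = f"ssh-rsa {make_dummy_blob('ssh-rsa')} idm-gateway@example.com"
SAMPLE_PRIVATE_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(b"\x00" * 48).decode("ascii") + "\n"
    + "-----END PRIVATE KEY-----\n"
)


if __name__ == "__main__":
    print(parse_authorized_keys_line(SAMPLE_AUTHORIZED_KEYS_LINE))
    print(check_private_key_pem(SAMPLE_PRIVATE_KEY))
```

The embedded-type comparison catches the common copy-and-paste mistake of pairing a blob with the wrong type prefix, which sshd silently treats as a non-matching key; the PEM check catches a private key pasted into the resource parameter with its armor lines or line breaks lost.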
Required Administrative Privileges
The user specified in the Login User resource parameter (on UNIX) or in the Administrator Login resource parameter (on Windows) must be assigned to an administrative role that has the ability to run user- and token-related tasks.
You can use a test connection to test whether
A test connection can use different command options than a normal provision run.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature                        Supported?
Enable/disable account         Yes
Rename account                 Yes
Pass-through authentication    Yes
Before/after actions           No
Data loading methods
Account Attributes
The following table provides information about SecurID ACE/Server account attributes. The data type for all attributes is String, unless otherwise noted.
The SecurID ACE/Server adapters do not support custom account attributes (known as User Extension Data on SecurId) that contain multiple values.
Resource Object Management
None
Identity Template
$accountId$
Sample Forms
SecurID User Form
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
Tracing can also be enabled on the following methods to diagnose problems connecting to the gateway on Windows systems: