
Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3 


SecurID ACE/Server

Identity Manager provides resource adapters for the following versions of RSA SecurID ACE/Server:

The following table summarizes the attributes of these adapters:

GUI Name                     Class Name
SecurID ACE/Server           com.waveset.adapter.SecurIdResourceAdapter
SecurID ACE/Server UNIX      com.waveset.adapter.SecurIdUnixResourceAdapter

Resource Configuration Notes

If SecurID is installed on Windows, the adapter will interface with the apidemon that is shipped with the installed version of RSA ACE/Server. Copy the apidemon from the ACE/Server installation directory (by default, c:\ace\utils\toolkit\apidemon.exe) to c:\winnt\system32 or c:\windows\system32.

The UNIX adapter uses the RSA ACE/Server Administration Toolkit TCL API. This API must be located in the ACEInstallDir/utils/tcl/bin directory. The value of ACEInstallDir is specified as a resource parameter. The toolkit must be configured as described in the Customizing Your RSA ACE/Server Administration publication provided by RSA.

In addition, ensure that the following conditions are true so that you can manage RSA Users and other ACE database objects via Identity Manager:

Identity Manager Installation Notes

If SecurID is installed on Windows, the Identity Manager gateway must be running on the same system where the RSA ACE/Server is installed.

Usage Notes

This section provides information related to using the SecurID ACE/Server resource adapter, which is organized into the following sections:

Enabling Pass-Through Authentication on UNIX

Because the RSA C API on UNIX is not supported, enabling pass-through authentication with the SecurID ACE/Server UNIX adapter is not a straightforward process. Performing pass-through authentication on this adapter requires the following interactions between components:

Identity Manager <--> SecurID Unix Resource Adapter <--> SecurID Windows Adapter <--> Sun Identity Manager Gateway <--> RSA ACE Agent for Windows <--> RSA Unix Server

Note the following configuration and implementation points when enabling pass-through authentication with the SecurID ACE/Server UNIX adapter:

Enabling Multiple Tokens

The default schema map for both SecurID resource adapters is set up to allow the administrator to specify one token. If you are using the SecurID User Form provided in the InstallDir\samples\forms directory, perform the following steps to enable up to three tokens.

  1. Locate the following section of the SecurID User Form:

       <FieldLoop for='tokenNum'>
          <expression>
             <ref>oneTokenList</ref>
          </expression>

  2. Change oneTokenList to threeTokenList.

  3. Load the User Form into Identity Manager.
  4. Rename the following Identity Manager User Attributes on the left side of the SecurID ACE/Server schema map:

     Original Identity Manager User Attribute    Renamed Identity Manager User Attribute
     tokenClearPin                               token1ClearPin
     tokenDisabled                               token1Disabled
     tokenLost                                   token1Lost
     expirePassword                              token1NewPinMode
     password                                    token1Pin
     tokenResync                                 token1Resync
     tokenFirstSequence                          token1FirstSequence
     tokenNextSequence                           token1NextSequence
     tokenSerialNumber                           token1SerialNumber
     tokenUnassign                               token1Unassign

  5. Add the following fields to the schema map to accommodate a second token:

     Identity Manager User Attribute    Resource User Attribute
     token2ClearPin                     token2ClearPin
     token2Disabled                     token2Disabled
     token2Lost                         token2Lost
     token2NewPinMode                   token2NewPinMode
     password                           token2Pin
     token2Resync                       token2Resync
     token2FirstSequence                token2FirstSequence
     token2NextSequence                 token2NextSequence
     token2SerialNumber                 token2SerialNumber
     token2Unassign                     token2Unassign

  6. Add the following fields to the schema map to accommodate a third token:

     Identity Manager User Attribute    Resource User Attribute
     token3ClearPin                     token3ClearPin
     token3Disabled                     token3Disabled
     token3Lost                         token3Lost
     token3NewPinMode                   token3NewPinMode
     password                           token3Pin
     token3Resync                       token3Resync
     token3FirstSequence                token3FirstSequence
     token3NextSequence                 token3NextSequence
     token3SerialNumber                 token3SerialNumber
     token3Unassign                     token3Unassign
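As an added example, not code from this reference or from Identity Manager, the following Python script applies the renames of step 4 and the additions of steps 5 and 6 to a schema map exported as XML, so that the change can be reviewed as a diff before it is loaded instead of being typed into the schema map editor row by row. The element name AccountAttributeType, its name and mapName attributes, and the sample one-token map are assumptions made for illustration; check them against your own exported resource object before relying on the output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a one-token schema map in the shape of an exported
# Identity Manager resource object.  The element name AccountAttributeType and
# the name / mapName attributes are assumptions for illustration, not taken
# from this reference; verify them against your own export.
SAMPLE_SCHEMA_MAP = """<AccountAttributeTypes>
  <AccountAttributeType name='accountId' mapName='defaultLogin'/>
  <AccountAttributeType name='firstname' mapName='firstname'/>
  <AccountAttributeType name='password' mapName='token1Pin'/>
  <AccountAttributeType name='expirePassword' mapName='token1NewPinMode'/>
  <AccountAttributeType name='tokenClearPin' mapName='token1ClearPin'/>
  <AccountAttributeType name='tokenDisabled' mapName='token1Disabled'/>
  <AccountAttributeType name='tokenLost' mapName='token1Lost'/>
  <AccountAttributeType name='tokenResync' mapName='token1Resync'/>
  <AccountAttributeType name='tokenFirstSequence' mapName='token1FirstSequence'/>
  <AccountAttributeType name='tokenNextSequence' mapName='token1NextSequence'/>
  <AccountAttributeType name='tokenSerialNumber' mapName='token1SerialNumber'/>
  <AccountAttributeType name='tokenUnassign' mapName='token1Unassign'/>
</AccountAttributeTypes>"""

# Step 4: Identity Manager-side renames for the first token, as in the table above.
TOKEN1_RENAMES = {
    "tokenClearPin": "token1ClearPin",
    "tokenDisabled": "token1Disabled",
    "tokenLost": "token1Lost",
    "expirePassword": "token1NewPinMode",
    "password": "token1Pin",
    "tokenResync": "token1Resync",
    "tokenFirstSequence": "token1FirstSequence",
    "tokenNextSequence": "token1NextSequence",
    "tokenSerialNumber": "token1SerialNumber",
    "tokenUnassign": "token1Unassign",
}

# Steps 5 and 6: rows added for each further token.  Each is tokenN<suffix> on
# both sides; the PIN row keeps "password" as the Identity Manager-side name and
# maps to tokenNPin, exactly as the tables above list it.
EXTRA_TOKEN_SUFFIXES = ("ClearPin", "Disabled", "Lost", "NewPinMode", "Resync",
                        "FirstSequence", "NextSequence", "SerialNumber", "Unassign")

ALREADY_NUMBERED = re.compile(r"^token[2-9]")


def extend_schema_map(xml_text, token_count=3):
    """Apply steps 4 to 6 and return (new_xml, [(idm_name, resource_name), ...])."""
    if not 2 <= token_count <= 3:
        raise ValueError("the sample SecurID User Form supports at most three tokens")
    root = ET.fromstring(xml_text)
    entries = root.findall("AccountAttributeType")

    # Step 4: rename the left-hand (Identity Manager) side of the token-1 rows.
    # Rows whose resource side already belongs to token 2 or 3 are left alone,
    # so applying the function twice does not rename a "password -> token2Pin" row.
    for e in entries:
        name, map_name = e.get("name"), e.get("mapName") or ""
        if name in TOKEN1_RENAMES and not ALREADY_NUMBERED.match(map_name):
            e.set("name", TOKEN1_RENAMES[name])

    # Steps 5 and 6: append rows for tokens 2..token_count, skipping rows that
    # are already present so a partially edited map is completed, not duplicated.
    present = {(e.get("name"), e.get("mapName")) for e in entries}
    for n in range(2, token_count + 1):
        rows = [(f"token{n}{s}", f"token{n}{s}") for s in EXTRA_TOKEN_SUFFIXES]
        rows.append(("password", f"token{n}Pin"))
        for idm_name, res_name in rows:
            if (idm_name, res_name) in present:
                continue
            ET.SubElement(root, "AccountAttributeType", name=idm_name, mapName=res_name)
            present.add((idm_name, res_name))

    pairs = [(e.get("name"), e.get("mapName")) for e in root.findall("AccountAttributeType")]
    return ET.tostring(root, encoding="unicode"), pairs


if __name__ == "__main__":
    new_xml, pairs = extend_schema_map(SAMPLE_SCHEMA_MAP)
    for idm_name, res_name in pairs:
        print(f"{idm_name:22s} -> {res_name}")
```

The script only prepares the map; loading the modified resource object is still done through Identity Manager. Running it a second time on its own output leaves the map unchanged, which is the property you want before re-applying it to a map someone has already partly edited.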

Password Policies

If Identity Manager generates or accepts passwords that contain alphabetic characters, and SecurID does not permit alphabetic characters in a PIN, the following message is returned:

SecurId ACE/Server: (realUpdateObject) Sd_SetPin Error Alpha characters not allowed

To correct this error, either change the Identity Manager password policy for the resource so that passwords cannot contain alphabetic characters, or change the PIN restrictions on the resource to permit alphabetic characters.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager can use the following to communicate with the SecurID ACE/Server adapter:

Required Administrative Privileges

The user specified in the Login User resource parameter (on UNIX) or in the Administrator Login resource parameter (on Windows) must be assigned to an administrative role that has the ability to run user- and token-related tasks.

You can use a test connection to test whether

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature                        Supported?
Enable/disable account         Yes
Rename account                 Yes
Pass-through authentication    Yes
Before/after actions           No
Data loading methods           Import from resource
                               Reconciliation

Account Attributes

The following table provides information about SecurID ACE/Server account attributes.

Identity Manager        Resource
User Attribute          User Attribute          Description
----------------------  ----------------------  -------------------------------------------------------
adminGroup              adminGroup              The group the administrator is a member of. This is a
                                                read-only attribute.
adminLevel              adminLevel              The administrative level of the user: realm, site, or
                                                group. This is a read-only attribute.
adminSite               adminSite               The sites to which the administrator has access. This
                                                is a read-only attribute.
adminTaskList           adminTaskList           The name of the set of tasks that the administrator can
                                                perform. This is a read-only attribute.
adminTaskListTasks      adminTaskListTasks      The specific tasks the administrator can perform. This
                                                is a read-only attribute.
allowedToCreatePin      allowedToCreatePin      Read-only boolean that indicates whether the user is
                                                allowed to specify a PIN. If no PIN is specified, the
                                                system generates one for the user.
clients                 clients                 The clients the user is a member of.
accountId               defaultLogin            The account ID for the user in ACE/Server. Maximum 48
                                                characters.
defaultShell            defaultShell            The user's default shell. Maximum 256 characters.
expirePassword          WS_PasswordExpired      Indicates whether the password is to be expired. When
                                                the password is expired, the SecurID account is placed
                                                in New PIN Mode.
firstname               firstname               Required. The user's first name. Maximum 24 characters.
groups                  groups                  The groups the user is a member of.
lastname                lastname                Required. The user's last name. Maximum 24 characters.
remoteAlias             remoteAlias             The user's login name in the remote realm.
remoteRealm             remoteRealm             For remote users, the realm the user belongs to.
requiredToCreatePin     requiredToCreatePin     Read-only boolean that indicates whether the user must
                                                specify a PIN.
tempEndDate             tempEndDate             Date when temporary mode ends.
tempEndHour             tempEndHour             Hour when temporary mode ends.
tempStartDate           tempStartDate           Date when temporary mode begins.
tempStartHour           tempStartHour           Hour when temporary mode begins.
tempUser                tempUser                Places the user in, or takes the user out of, temporary
                                                mode.
tokenClearPin           token1ClearPin          When set on a user update, clears the user's PIN.
tokenDisabled           token1Disabled          When set on a user update, disables the user's token.
tokenLost               token1Lost              When set to true on a user update, puts the account in
                                                emergency access mode within RSA.
tokenFirstSequence      token1FirstSequence     The first of the two consecutive tokencodes entered
                                                when a token is resynchronized.
tokenNewPinMode         token1NewPinMode        When the user's account has been placed in New PIN
                                                Mode, specifies the user's new PIN.
tokenNextSequence       token1NextSequence      The second of the two consecutive tokencodes entered
                                                when a token is resynchronized.
tokenPin                token1Pin               Encrypted. The user's PIN.
tokenResync             token1Resync            Boolean. Indicates whether to resynchronize the token.
                                                Setting it enables the tokenFirstSequence and
                                                tokenNextSequence attributes.
tokenSerialNumber       token1SerialNumber      Token serial number. Must be exactly 12 characters;
                                                insert leading zeros as needed to meet this requirement.
tokenUnassign           token1Unassign          Specifies a token to remove from the user.
userType                userType                Must be either Remote or Local.
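The limits in this table, together with the PIN restriction described under Password Policies, are the checks a practitioner wants to run on a user record before it reaches the adapter, because the adapter otherwise reports them only as update failures such as the Sd_SetPin error. The following Python module, added here as an example and not part of Identity Manager or this reference, validates a record against the table (required fields, length limits, userType, the 12-character serial number, the tokenResync dependency on tokenFirstSequence and tokenNextSequence) and against a numeric-only PIN setting. The sample records are constructed; the rule that a Remote user must carry a remoteRealm is an assumption drawn from the table's wording rather than something the table states.

```python
import re

# Field limits and required fields taken from the account attribute table above.
LIMITS = {"accountId": 48, "firstname": 24, "lastname": 24, "defaultShell": 256}
REQUIRED = ("firstname", "lastname")
USER_TYPES = ("Remote", "Local")
SERIAL_LEN = 12


def normalize_serial(serial):
    """Left-pad a token serial number with zeros to 12 characters.

    The reference requires exactly 12 characters with leading zeros inserted;
    anything longer, or non-numeric, is rejected rather than silently truncated.
    """
    s = str(serial).strip()
    if not s.isdigit():
        raise ValueError(f"token serial number must be numeric: {serial!r}")
    if len(s) > SERIAL_LEN:
        raise ValueError(f"token serial number longer than {SERIAL_LEN} characters: {serial!r}")
    return s.zfill(SERIAL_LEN)


def validate_user(attrs, allow_alpha_pins=False):
    """Return a list of problems with a SecurID user record (empty means it can be sent).

    allow_alpha_pins mirrors the ACE/Server PIN restriction discussed under
    Password Policies: when the server forbids alphabetic characters, a PIN
    containing any would fail with the Sd_SetPin error, so it is caught here.
    """
    problems = []
    for key in REQUIRED:
        if not attrs.get(key):
            problems.append(f"{key} is required")
    for key, limit in LIMITS.items():
        value = attrs.get(key)
        if value is not None and len(str(value)) > limit:
            problems.append(f"{key} exceeds {limit} characters")
    user_type = attrs.get("userType")
    if user_type not in USER_TYPES:
        problems.append("userType must be either Remote or Local")
    elif user_type == "Remote" and not attrs.get("remoteRealm"):
        # Assumption: a Remote user needs a remoteRealm; the table only says the
        # attribute applies to remote users.
        problems.append("remoteRealm is required for a Remote user")
    serial = attrs.get("tokenSerialNumber")
    if serial and not re.fullmatch(r"\d{12}", str(serial)):
        problems.append("tokenSerialNumber must be exactly 12 digits (use normalize_serial)")
    pin = attrs.get("tokenPin")
    if pin is not None and not allow_alpha_pins and not str(pin).isdigit():
        problems.append("tokenPin contains alphabetic characters but the server does not allow them")
    if attrs.get("tokenResync") and not (attrs.get("tokenFirstSequence") and attrs.get("tokenNextSequence")):
        problems.append("tokenResync requires tokenFirstSequence and tokenNextSequence")
    return problems


def prepare_user(attrs, allow_alpha_pins=False):
    """Normalize the serial number, validate, and return the record or raise ValueError."""
    record = dict(attrs)
    if record.get("tokenSerialNumber"):
        record["tokenSerialNumber"] = normalize_serial(record["tokenSerialNumber"])
    problems = validate_user(record, allow_alpha_pins)
    if problems:
        raise ValueError("; ".join(problems))
    return record


# Constructed sample records (not real users).
GOOD_USER = {"accountId": "jdoe", "firstname": "Jane", "lastname": "Doe", "userType": "Local",
             "tokenSerialNumber": "123456789", "tokenPin": "4821"}
BAD_USER = {"accountId": "jdoe", "firstname": "Jane", "userType": "Remote",
            "tokenSerialNumber": "123456789", "tokenPin": "ab12",
            "tokenResync": True, "tokenFirstSequence": "123456"}

if __name__ == "__main__":
    print(prepare_user(GOOD_USER))
    for problem in validate_user(BAD_USER):
        print("rejected:", problem)
```

Run the check with allow_alpha_pins set to match the PIN restriction configured on the ACE/Server; if the two disagree, the record passes here and fails at the adapter, which is exactly the case the Password Policies section describes.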

Resource Object Management

None

Identity Template

$accountId$

Sample Forms

SecurID User Form

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:





Copyright 2006 Sun Microsystems, Inc. All rights reserved.