SecurID ADM PDF
SecurID ADM PDF
SecurID ADM PDF
MANAGER ADMINISTRATION
Agenda
2
Objectives
To understand fundamental RSA SecurID authenticator and
RSA Authentication Manager functions and processes
To provide hands-on experience and explain Administration
options and tasks
To learn how to access the available reports and tools to assist
in end-user support and troubleshooting
To understand how to deploy and manage RSA SecurID
authentication devices and methods
3
PRODUCT & TECHNOLOGY
OVERVIEW
Module 1
4
Fundamental Purpose
An RSA SecurID-protected system identifies and authenticates
authorized users while denying access to unauthorized attempts:
At designated access points
When attempting to access to protected resources
5
Single Factor Authentication
Many user accounts are protected with a user password
Passwords are a form of ‘Single Factor’ authentication – that is,
only one factor (the password) is required as evidence of a
user’s authenticity
What are the weaknesses of
Single Factor authentication ?
6
Password Risks
Static passwords may be “hacked” or guessed given enough time and
opportunity
They may be “cracked” by using software tools designed to break into an
encrypted password file
They may be shared, making it impossible to verify who is actually
logging in
Time to attack:
▪ The longer a password is used, the more time is available to attack it, guess it,
etc.
7
Multi-Factor Authentication
Multi-Factor authentication offers pieces of evidence to assure
that a user is who they say they are:
▪ Personal Identification Number (PIN) which is secret and
known only to the user
▪ One-time code (RSA SecurID Tokencode)
▪ Fingerprint, profile or other evidence from a device that a user
has in their possession
▪ Action, pattern, or location of the user
An RSA SecurID “PASSCODE” describes the combination of the
user’s PIN and an RSA SecurID Tokencode
8
RSA SecurID Authentication Methods
Generally, Something you have:
▪ RSA SecurID Token/Software Token
▪ Registered mobile device
Something you know:
▪ Secret PIN
Something you are:
▪ Fingerprint or other biometric
Something you do:
▪ Pattern of past behavior
9
SYSTEM ARCHITECTURE
10
System Components
The RSA Authentication Manager server works in conjunction
with Authentication Agents, Authentication Methods, and a Web
Tier for Risk-Based Authentication and Self-service
RSA Authentication Manager Authentication Methods
11
Authentication Server
RSA Authentication Manager server is a virtual appliance
deployed on a VMWare platform – ESXi or vSphere
or Microsoft Hyper-V platform
PRIMARY
RSA Authentication Manager • First installation becomes
Instance
the ‘Primary’ instance
• Provides read/write
access to the database
12
Authentication Server (cont’d)
Up to 15 additional “Replica” instances can be attached for
additional load balancing, fail-over and disaster recovery
Replica servers handle authentication requests but do not allow
administrative actions
PRIMARY REPLICA
RSA Authentication Manager RSA Authentication Manager
Instance Instance
13
Authentication Server (cont’d)
Authentication Agents send requests to any, all or selected
servers within the system
Authentication
Agent
PRIMARY REPLICA
RSA Authentication Manager RSA Authentication Manager
Instance Instance
14
Authentication Server (cont’d)
Users initiate authentication transactions either through a
device with an installed Agent or via a network/internet
connection that connects to an Agent
Authentication
Agent
PRIMARY REPLICA
RSA Authentication Manager RSA Authentication Manager
Instance Instance
15
Authentication Agents
RSA Authentication Agent software is available for many applications
(e.g. UNIX, Linux, PAM, Windows, MS IIS, Apache VMS)
RSA Agent code is built in to a number of technology partner products
(“Secured by RSA” certified Partner products)
Agents can be configured to require:
▪ specific users or groups to authenticate
▪ require all users be challenged for authentication
16
System Deployment
Authentication Agents can be used at key access points to
a network or resources (a.k.a. “Perimeter Protection”)
WEB SERVER
PROTECTED Internet
RESOURCE Auth.
Auth. Auth. Agent
Auth.
Agent Agent Agent
FIREWALL INTERNET
WORKSTATIONS Auth. USER
Agent
Auth.
Auth.
Agent
Agent
REMOTE USER
REMOTE ACCESS/
VPN SERVER
17
System Deployment (cont’d)
Agents send authentication requests to an RSA
Authentication Manager server
WEB SERVER
PROTECTED Internet
RESOURCE Auth.
Auth. Auth. Agent
Auth.
Agent Agent Agent
FIREWALL INTERNET
WORKSTATIONS Auth. USER
Agent
Auth.
Auth.
Agent
Agent
REMOTE USER
19
Web Tier
Internet DMZ Internal Network
LOGIN
PAGE
SSL-VPN Protected
Resources
SecurID
Agent
Risk Engine
REDIRECT
Authentication
Service
RBA
decision
AM Web Authentication
Tier Manager Instance
Self-Service Access
20
Web Tier (cont’d)
Lightweight application installed in the DMZ that hosts services exposed to the Internet
▪ Enables secure deployment of
• Risk Based Authentication (RBA)
• Self-service
• CT-KIP
A Web Tier has these benefits:
▪ Publishes services using a single port - SSL port 443
▪ Blocks Internet access to the Security Console
▪ Supports publicly-signed TLS (SSL) certificates
▪ Ensures that RBA cookies work across both Primary and Replica servers
▪ Allows customization of the RBA/Self-Service logon pages
21
FUNCTIONAL
COMPONENTS
22
Functional Components
RSA Authentication Manager has four main functional components:
Authentication engine
Database
Risk Engine
23
Authentication Engine
Evaluates authentication request (PASSCODE) of user through
Agent
▪ Verifies tokencode or on-demand code
Returns allow/deny response or request for additional
information (new PIN, Next code)
For time-based authenticators, it is important for authentication
engine to have an accurate time setting
24
Administration Interface
RSA Security Console provides web-based GUI interface for managing
users, tokens, groups, reporting, etc.
Allows administration of database via browser
Allows administration only on Primary server instance
RSA Operations Console provides interface for system-level operations
Snap-in for Microsoft Management Console (MMC) allows direct token-
related operations for users linked to Active Directory (token assign,
resynchronize, etc.)
25
Custom Console Banner
Displays custom text prior to login – requires acceptance
Once accepted,
login fields
become active
26
Database
Dedicated relational database
▪ Integral to Authentication Manager installation
▪ Holds structural objects (Policies, Agents, Security Domains, etc.)
▪ Holds token information
▪ Contains users/groups or pointers to user data in external (LDAP)
directory
27
Risk Engine
A self learning engine that continually updates its risk model to
determine if and how much authentication is needed
For example:
Online Banking Known Computer Password OK
29
Agent / Server Communication
Communications between Agents & Server:
▪ Agent sends authentication request to Server (UDP)
▪ Initial Server IP address list in sdconf.rec file
• Automatically routes requests and chooses preferred server (sdstatus)
• Manual routing and preference (sdopts)
• Contains addresses of Primary and Replica servers
▪ Agent Host IP address in RSA database
• Returns response only to registered Agent IP (TCP)
▪ RC5 encrypted (“Node Secret” key)
30
Primary / Replica Communication
Communications between Servers
▪ Automatic update & reconciliation of databases
▪ Primary is source for all Replication
31
LICENSING
32
Authentication Manager Licensing
Base:
▪ x “Active” users
▪ One Primary and one Replica instance
▪ Self-Service
▪ RADIUS Support
▪ Offline Authentication
Enterprise:
▪ All Base license features +PLUS+
▪ Up to 15 Replica instances
▪ Provisioning via Self-Service
Evaluation
▪ 25 users, Base license features with expiration period
33
License Options and Upgrades
Add-on Options:
▪ On-Demand authentication (ODA)
▪ Risk-based authentication (RBA) Bundled as one
▪ Business Continuity Option (BCO) license package
• Temporarily increases user limit
• In an emergency, BCO allows greater number of users to access resources (e.g. VPN)
with temporary credentials (On-demand or Emergency Passcode)
▪ Add additional users
Additions stack on existing license (1000 user upgrade to a 1000 user license =
2000 users)
License additions/upgrades do not require restart
34
Licensed Active Users
Active user limit applies only to user-token assignments
If database has 1000 users and 1000 tokens but only 100 of the
tokens are assigned, only 100 license “seats” have been used
▪ User Fixed Passwords and On-Demand tokencodes are considered
“tokens” for license purposes
Users may have up to 3 authenticators assigned to them
35
Exercise: Console Login and View License
Connect to RSA Authentication Manager
Log in to Security Console
View License status
Add additional user license
Create bookmarks for Authentication
Manager consoles
Approx.
15 minutes
36
View License Status
37
Quiz
38
TERMINOLOGY
39
Terminology
Deployment
▪ All Authentication Manager hosts and entities across an enterprise
Instance
▪ Primary or Replica Authentication Manager server or RSA SecurID
Appliance
40
Terminology (cont’d)
Administrator
▪ Authentication Manager user with one or more assigned administrative
roles
Agent
▪ Software and/or device through which a user is stopped and prompted
for authentication
Authenticator (a.k.a. ‘Token’)
▪ Device (e.g. Hardware Token) or method (e.g. On-Demand) by which a
user can authenticate
Security Domain
▪ Organizational sub-division under a deployment
41
Terminology (cont’d)
User
▪ An account managed within Authentication Manager (usually a person but can
also be a device or a service)
User Group
▪ A collection of users or user groups
Member User Group
▪ A user group nested within another user group
Super Admin
▪ Administrative role that has all permissions and scope within a deployment
Identity Source
▪ Internal (Authentication Manager database) or external (LDAP) store for user
account data
42
Terminology (cont’d)
On-Demand Authentication (ODA)
▪ Authentication method where a user receives a code via email
or SMS
Risk-Based Authentication (RBA)
▪ Authentication process where user characteristics (computer,
login pattern, asset value, etc) determines the level of
authentication required
Provisioning
▪ Process to assign and supply authentication device or method
to an end user
43
RSA SECURID
AUTHENTICATION
Module 2
44
RSA SECURID
AUTHENTICATORS
45
Hardware Authenticators (Tokens)
Strength of 2 factors: PIN + Key fob
Security tokencode (SD700)
Typical Use Remote employee
access Standard
Client side None card
Requirements
(SD200)
Portability Works anywhere
Can use
Alpha-numeric PIN
Multiple use No
PINpad
User Difficulty Minimal
card
Distribution Assign & Physically (SD520)
Requirements Deliver tokens
PIN must be numeric;
System Authentication server
Requirements and Agents no leading ‘0’
46
Hybrid “USB” Tokens
Strength of 2 factors: PIN + tokencode or
Security certificate
Internal users or Remote
Typical Use
employees
Client side
Middleware for connected features Combined One Time Passcode
Requirements
with smartchip capability
Tokencode works anywhere,
Portability (SID800)
connection requires USB
File/mail encryption, Digital
Multiple use
signing & remote access
• Multiple X.509 certificates
User Difficulty Minimal • Multiple UserID/Password combinations
• Applications can access credentials
Distribution Assign & Deliver token, Client programmatically
Requirements software, Certificate delivery
System Authentication server, Agents,
Requirements Certificate Authority
47
Software Tokens
Strength of 2 factors: PIN +
Security tokencode
Typical Use Remote employee
access
Client side
Compatible PC/Device
Requirements
Multiple use No
Multiple use No
51
Security Questions
Strength of 1+ factors
Security (m of n of questions)
Typical Use New user enrollment
Emergency access/PIN reset
Client side None
Requirements
Portability Works anywhere
Multiple use No
52
RSA Cloud Tokencode
Strength of 2 factors: PIN or fingerprint +
Security tokencode
Typical Use Remote employee access or
step-up authentication
Client side
None
Requirements
55
Time-Synchronous Token Elements
Time-Synchronous Authentication
Authenticator Manager
58
Time Synchronization (cont’d)
60
Synchronization Ranges
Token Type Automatic Accept with Maximum Limit
Range Next Code (3 failures + Next Code)
Standard Tokens + 1 interval + 3 intervals + 10 intervals
Key Fobs (3 codes) (7 codes) (21 codes)
PINPad Tokens + 2 intervals + 4 intervals + 10 intervals
(5 codes) (9 codes) (21 codes)
RSA SecurID + 10 intervals + 12 intervals + 70 intervals
Software Token (21 codes) (25codes) (141 codes)
Resynchronization ———— ———— + 12 hours
(any Token) (1441 codes)
62
On Demand Authentication
Supplies a passcode to a user at the time
that the user requires it
63
On Demand Passcode Sequence
User accesses protected RSA Authentication Agent and
resource and is prompted Server identify user and create
for authentication (enters PIN) one-time passcode
64
AUTHENTICATOR RECORD
(“SEED RECORD”)
65
Authenticator Record
(Token Record or “Seed Record”)
Original record contains parameters, serial number, seed value,
expiration date
After assignment, user name is added to record
After first use, time offset value and last login date are added to
record
Records can be imported or exported through administration console
Records may be moved between Security Domains
If token is deleted and/or re-imported from original record, user
association and accumulated offset information is lost
66
Authenticator Record Distribution (from RSA)
Physical RSA SecurID tokens are supplied to a customer through shipment
from RSA or RSA authorized reseller/distributor
Token record media may be supplied separately [Encrypted]
Customer must log in to RSA Download Central to receive the token record
decryption key
Token records are decrypted and then imported into Authentication
Manager
▪ A separate password file is decrypted at the same time as the records
67
Exercise: Import Token Records
Log in to Security Console
Locate and import Token Records
“Receive” new tokens and records and import them
Approx.
10 minutes
68
Import Token Records
69
RISK-BASED
AUTHENTICATION
Module 3
70
Risk-Based Authentication
Assesses risk by evaluating:
• Information about the client device
• User behavior
71
Risk-Based Authentication Components and
Process
Identity Challenge
Factor #2:
Something You
HAVE
Factor #3:
Something You
DO
Factor #4:
Something You
KNOW or HAVE
Identity Challenge
: 73
The Risk Engine
The Authentication Manager risk engine is the same as used in RSA Adaptive
Authentication to secure more than 250 million online identities.
• A self learning engine that continually updates its risk model
• Factors used to determine a risk score include:
▪ Device matching
• Devices bound to the user account are low risk
• Positive ID = high assurance + lower risk
▪ Behavioral anomalies
• Lowers overall assurance & Raises risk level
▪ Overall assurance = device match + user behavior
74
Device Identification
For each device that interacts with Authentication Manager, the
following information is captured:
Device fingerprint
Device token
75
Device Identification – Device “Fingerprint”
Fingerprint attributes include:
User agent string
System display
Software fingerprint
Browser language
Time zone
Language
Cookies
Java-enabled
76
Device Identification – Device Token
Device Tokens are created and placed on user’s machine.
Device Token = Cookies + Flash Shared Objects
77
Behavioral Analysis
The risk engine evaluates behavioral trends:
• For each user/device
• Across the enterprise
Three categories of behavior are evaluated:
• Profile anomalies: Recent password or account changes
• Velocity anomalies: High velocity of users of a single IP/device or high
velocity of IP addresses for a single user
• IP anomalies: New or infrequently used IP addresses are considered
higher risk
78
Behavioral Analysis (cont’d)
Overall impact of behavior anomalies are based on
frequency and recentness:
• Higher velocity and/or lower statistical probability
increase the risk score
• Recent events are considered high risk, but become less
impactful over time
79
Minimum Assurance Levels
80
Selecting a Starting Assurance Level
High minimum assurance level = High challenge rate
High Assurance: BEST for the protection of sensitive assets and
when higher challenge rates are acceptable
Use Case: Ideal for corporate-owned assets and for users that regularly
authenticate from the same location
82
Silent Collection
Simplifies migrating users from password-only to
multi-factor authentication with RBA
Collects profile and behavioral data without
administrator intervention
Is enabled for all users in a security domain
Helps the risk engine build a baseline
profile for each user
83
Silent Collection (cont’d)
When Silent Collection period is over, user is:
• Informed of the new security feature
• Prompted for any missing information
84
Silent Collection and the Risk Engine
During Silent Collection, the risk engine:
▪ Passively monitors user behavior
• For a defined period
• Without challenging users based on risk
▪ Automatically registers user devices
▪ Observes behavioral patterns
85
Collection and Risk Engine Examples
Is the user authenticating from a known device that was
previously used?
86
Module 3 Quiz
: 87
DEPLOYMENT AND
ADMINISTRATIVE
STRUCTURE
Module 4
88
Default Structure
Super Deployment
Admin
Security Domain Identity Source
(“System Domain”) (Internal DB)
Tokens
Added objects
Users
Admin
Agents
User
Group(s)
89
Identity Sources
Identity Sources (“IS”) are linked at the system level
Multiple ISs can be linked to a system
A system always has a default ‘Internal Database’ IS
An IS can be defined for an external Active Directory / LDAP datastore
▪ Can encompass the entire directory tree (all users and user groups)
▪ Can be defined for one specific OU
▪ Can be defined for a specific sub-tree branch
Attributes in AD / LDAP can be mapped to user attributes in
Authentication Manager
90
Security Domains
Users, user groups, Agents, tokens, policies, etc. can be associated
with Security Domains (SD)
Administrators can be given a scope for a specific SD
SDs can be nested (parent/children)
Some objects can be moved between SDs
Useful for organizational segments where admins work with some but
not all users and separation between user sets is desired
Use care to make sure admins can view and edit appropriate objects
91
Key Questions for Deployment Planning
Where do users reside? Will they be entered into internal A.M. DB or pulled from
AD/LDAP?
What groupings make sense to the organization?
▪ Agent restrictions are designated by group –
do Agents require restrictions?
▪ Are group-scoped Admins needed?
Will Security Domains be used?
▪ Policies apply to SDs – are different policies needed for different parts of
organization?
Are SD-scoped or IS-scoped Admins needed?
92
Deployment Planning Considerations
Number and type of Administrators
▪ Varying tasks and scopes (HelpDesk, Users, Tokens, Reporting, etc.)
Polices for authentication, lockout, offline and emergency access
Token issue and deployment
▪ Secure delivery; Options for self-service and provisioning
Authentication methods
▪ Differing user types and user groups may require different methods
94
Passwords
During installation (Quick Setup), initial usernames and passwords are created
▪ Operating System – allows SSH access to Appliance OS
▪ Super Admin – access to Security Console
▪ Operations Console – access to Operations Console
Admin password expires after 90 days and forces a change; other passwords do
not expire
In the classroom – for simplicity – systems use the same username/password for
all consoles & functions
(this is not a good real-world practice)
95
Module 4 Quiz
1. What structural element can have specific policies
associated with it?
2. How wide is the time window that the server allows for a time-
synchronous tokencode?
3. What Identity Source is always a part of the Authentication Manager
Structure?
4. Administrative scope can be limited to what part
of a deployment’s structure?
5. What administrative password automatically expires 90 days after
Authentication Manager installation?
96
POLICY MANAGEMENT
Module 5
97
Policies
User Password Policy
Lockout Policy
Self-Service Troubleshooting Policy
Risk-Based Authentication Policy
Token Policy
Offline Authentication Policy
RBA Message Policy
One policy in each category exists as a default policy
Default policies are assigned to a new Security Domain
▪ Security Domain children do not automatically inherit the policies of their
parent domain
98
User Password Policy
Each Auth Mgr user account contains a password
▪ Created locally for local accounts
▪ Exists as part of external data source user record
Passwords used as a default method of authentication for the Security Console
and user logon to Self-service console
Authentication through an Agent requires “Fixed Passcode” (do not confuse with
user Password)
Password policy assigned to a Security Domain for all user accounts in that
domain
99
User Password Policy (cont’d)
Password Policy controls:
Use of system-generated passwords
Periodic expiration
▪ Minimum/Maximum lifetime
Minimum/Maximum length
Excluded characters
Excluded words dictionary
Character requirements
▪ Number & type of characters
▪ Alphabetic, numeric, upper/lower case, special
100
Exercise: Password Policy
Establish policies for both strict and less restrictive passwords
Approx.
10 minutes
101
Establishing a Password Policy
102
Establishing a Password Policy, continued
103
Password Dictionary
Password Dictionary contains character strings that can not be
used as user Passwords or PINs (same dictionary used for both)
Only one dictionary can be defined for a deployment
Can contain any number of entries
Simple text file
104
Exercise: Password Dictionary
Create a dictionary of excluded words
Approx.
10 minutes
105
Set Up a Password Dictionary
106
Set Up a Password Dictionary, continued
107
Lockout Policy
Defines what happens in case of user lockout
Lockout Policy controls:
▪ User authentication attempts
• Unlimited -or-
• Lockout after x attempts within y seconds/ minutes/hours/days
▪ Unlock condition
• Administrator unlock -or-
• Automatic unlock after z seconds/minutes/ hours/days
108
Exercise: Lockout Policy
Establish lockout policies for users
Approx.
10 minutes
109
Establishing a Lockout Policy
110
Self-service Troubleshooting Policy
Policy for accessing Self-service console
Sets authentication method if user has trouble with their primary
authentication method
Establishes separate lockout policy just for
Self-service Console
▪ x attempts within y time period
▪ Unlock condition
111
Exercise: Self-Service Policy
Establish policy for Self-Service access
Approx.
10 minutes
112
Establishing a Self-service Troubleshooting Policy
113
Token Policy
Defines authentication through an Agent with token
Includes “Fixed Passcode” (do not confuse with user
Password)
▪ Fixed Passcode treated as a PIN without a token
Token policy assigned to a Security Domain for all token
holders in that domain
114
Token Policy (cont’d)
Token Policy controls:
Handling incorrect passcode entries
▪ Allow unlimited attempts
▪ Put user into Next Tokencode Mode after x attempts
Event-based Token range
▪ Use default from token records
▪ Limit for one code acceptance (default = 3)
▪ Limit for Next Code acceptance (default = 7)
115
Token Policy (cont’d)
Require periodic PIN expiration (and min/max lifetime)
Restrict PIN reuse
• Cannot reuse x PINs
• Can reuse any PIN
PIN Format
▪ User-generated or System-generated
▪ Min/Max length (4-8)
▪ Excluded words dictionary
▪ Character requirements
• alpha, numeric, alphanumeric
• require x alpha characters/ y numeric characters
116
Token Policy (cont’d)
Fixed Passcode
▪ Option to use same settings as for PINs or define different settings
• Lifetime, reuse, format
Emergency Access Code Format
▪ Options to include any or all of:
• Numeric characters
• Alpha characters
• Special characters
▪ Consider security policy and ease of use for Emergency Codes – e.g. if
provided over phone, are randomly generated special characters easy to
communicate
117
Exercise: Token Policy
Establish policies for Token parameters
Approx.
10 minutes
118
Establishing a Token Policy
119
Establishing a Token Policy, continued
120
Offline Authentication and
Windows Password Integration
121
Offline Authentication Policy
Offline Authentication Policy defines:
If Offline Authentication is enabled
If Windows Password Integration is enabled
Minimum Online passcode length (PIN + tokencode)
If override is allowed for Offline authentication for certain authenticator
types
▪ PINPad or software tokens
▪ “PIN-less” Tokens
▪ Fixed Passcodes
122
Offline Authentication Policy (cont’d)
If Offline Emergency Codes are allowed
▪ Offline Emergency Tokencodes – used with PIN
▪ Offline Emergency Passcodes – Replaces passcode
Emergency Code lifetime
Maximum # of days of offline data
# of days for offline data warning
Maximum offline failures (before user requires use of an emergency code)
Enable offline logging – uploaded to Auth. Mgr when user reconnects to network
123
Exercise: Offline Authentication Policy
Establish a policy for Offline Authentication
Approx.
10 minutes
124
Establishing an Offline Authentication Policy
125
Risk-Based Authentication Policy
Defines settings for:
▪ Enablement
▪ Assurance
▪ Identity confirmation
▪ Device registration
126
Risk-Based Authentication Policy (cont’d)
Enablement:
▪ User must be enabled for RBA for the system to collect device information
▪ Option to allow system to automatically enable users for RBA during
authentication
Minimum Assurance level:
▪ High | Medium-High | Medium | Low
▪ Default = ‘Medium’
▪ Probably requires security policy discussion, objectives for identity assurance,
and experience to set the “correct” level
127
Risk-Based Authentication Policy (cont’d)
Device Registration:
▪ Establish Silent Collection period (default is 14 days after first successful authentication)
▪ Option to not allow Silent Collection (users always need to authenticate on an
unregistered device)
Identity Confirmation:
▪ Sets confirmation method as Security Questions
and/or On-Demand Authentication
• User must have email/mobile phone in profile to receive ODA
New Device Registration
▪ Can register user device automatically after authentication
▪ Or--- Prompt the user to allow device registration
128
Risk-Based Authentication Policy (cont’d)
Device Administration:
▪ Sets maximum number of devices (per user)
• Default = 20
Unregister a device:
▪ Removes device registration if not used in x days
• Default = 60
129
Exercise: Risk-Based Authentication and RBA
Message Policy
Establish policies for Risk-Based Authentication
Approx.
10 minutes
130
Establishing Risk-Based Authentication
and RBA Message Policies
131
Edit the RBA Message Policy
132
IDENTITY SOURCES
Module 6
133
Identity Sources
Identity Sources must be defined (mapped) then linked to the System
Multiple Identity Sources can exist
Supported External Identity Source options (most recent):
▪ Microsoft Active Directory 2012 R2
▪ Oracle Directory Server Enterprise Edition 11g
▪ Sun Java System Directory Server 7.0
▪ OpenLDAP 2.4.40
LDAP Identity Sources can be configured to attach to all
or part of a directory tree
▪ Multiple Identity Source definitions can link different sub-trees
Attributes can be selectively mapped to Authentication Manager
134
Identity Source Data
Authentication Manager
instance Directory Server
136
Exercise: View an Identity Source
Approx.
15 minutes
137
Identity Attribute
An attribute associated with user records that is not provided out of the
box
Stored in either:
▪ Identity Source
▪ Internal Database (visible to all Identity Sources)
Supported data types
▪ String, Integer, Boolean, Date, Float
Single and multi-values
▪ With support for pre-defined value choices
138
Examples
Employee ID (integer)
Address (string)
139
Authentication Manager Attribute Usage
Values are mapped for each Identity Source
▪ No need to modify the schema
▪ Each Identity Source can have its own mapping
Can be restricted by role permissions
May be displayed and/or used as criteria in user searches
Can be grouped by Category
Can be selectively hidden from the console
140
Exercise: Configuring Identity Attributes
Configure Identity Attributes
Approx.
10 minutes
141
Define a New Identity Attribute
142
Define a New Identity Attribute, continued
143
SECURITY DOMAINS
Module 7
144
Security Domains
A security domain is a container that defines an area of
administrative responsibility
Security domains can be organized in a hierarchical tree
▪ For example:
145
Security Domains (cont’d)
All RSA managed objects are “stored” in security domains
Security Domains are used in conjunction with roles to limit what is
visible to an administrator and the operations they can perform on the
visible objects
Security domains “own” all RSA
managed objects that they contain
In turn, all objects are owned by some
Security Domain
146
Security Domains (cont’d)
Security Domains contain nearly everything that can be
managed through the Security Console
▪ Tokens, principals, groups, agents, admin roles themselves
They do NOT contain:
▪ System-wide settings
• Configuration data, identity sources, realm trusts, etc.
(Only accessible to super-admin)
147
Administrative Roles and Security Domains
Administrative Roles define where and what an administrator can
manage in the Security Console.
The where is defined by the role Security Domain
and Identity Source Scope
148
Security Domain Scoping
Administrator’s own security domain is unrelated to the role’s
scope
▪ Admin account could be saved at the lowest level but have role
granting scope for all levels
▪ Can even have permissions to manage self, or own admin role
149
Scenario for Security Domain Exercise
BARC£€¥$
World headquarters
Barcleys Bank International Zurich
US HQ JP HQ FR HQ GB HQ
New York Tokyo Paris London
Branch Offices
Chicago Los Angeles
150
Exercise: Structuring Security Domains
Define a Security Domain hierarchy for your Authentication
Manager deployment
Approx.
10 minutes
151
Structuring Security Domains
152
Create a Top-Level Security Domain
153
Create Security Domain Children
154
MANAGING
USERS AND USER
GROUPS
Module 8
155
Users and User Groups
User:
An account managed by the system – residing in the Internal
Database or through an Identity Source
User Group:
A collection of users, other user groups, or both. Members of the user
group must belong to the same identity source (but may cross
Security Domains).
User group membership determines access permission in some
applications (e.g. Agents).
156
Users & User Groups (cont’d)
User Groups can be defined to contain Authentication
users from various sources Manager
Internal
DB
Internal
Identity
Source LDAP
Sales
(Sales)
User Groups can be East West
nested (groups of Identity
HR Source
user groups) LDAP
(HR)
157
Users & User Groups (cont’d)
Administrators can be given group scope to
manage specific sets of users
Corp Internal
Admin
Sales
Admin Sales
East West
HR
Admin HR
158
Users & User Groups (cont’d)
Security Domains could also be used to
organize like groups of users…
Corp
Security Internal
Domain
Sales Sales
Security
Domain East West
HR HR
Security
Domain
159
Users & User Groups (cont’d)
…and Administrators assigned with scope
over the Security Domains…
Corp
Corp Security Internal
Admin Domain
Sales
Sales Sales
Admin Security
Domain
East West
HR
HR HR
Admin Security
Domain
160
Users & User Groups (cont’d)
…or groups and Security Domains used
together with admins of very specific scope
Corp
Corp Security Internal
Admin Domain
Sales
Sales Sales
Admin Security Western
Domain Region
East West
Sales
HR Admin
HR HR
Admin Security
Domain
161
Adding Users
Users can be added:
▪ Through entry in the Security Console
▪ By a mapped Identity Source
▪ Through a custom API
Each user account requires a password
▪ NOT a SecurID authentication password
(that is a “Fixed Passcode”)
▪ Used primarily for user Self-service
▪ Password can be drawn from external Identity Source (if used)
162
Adding Users (cont’d)
Users can be established with an account start and expiration
date (for example, a temporary employee)
‘Add User with Options’ allows you to perform multiple tasks
during one Add operation
(acts like a Wizard)
163
Adding Users (cont’d)
If Identity Attributes exist, data can be supplied at the time of user
creation (must be - if the attribute is ‘required’)
Username must be unique within the system
Users must reside in some Identity Source
Users exist in only one Security Domain but can be moved between
Security Domains (through Edit User function)
User record can be duplicated to attribute(s) and Security Domain
membership. Group membership and any Admin Roles will not be
duplicated.
164
User Groups
Can be used to organize users based on criteria such as geographic
location or job function.
▪ E.g. Eastern Region, Sales, Admins, etc.
Users may belong to multiple groups
▪ E.g. Eastern Region AND Sales
User Groups may contain other user groups
▪ E.g. Sales group contains Eastern Region AND Western Region groups
165
User Groups (cont’d)
User groups are stored in an Identity Source and are owned by a
Security Domain
The user group and all user group members must belong to the same
Identity Source but can cross Security Domains
User group names must be unique within an Identity Source
▪ It is possible to have multiple user groups with the same name if they
are stored in different Identity Sources
(but not a very good practice if it can be avoided)
166
User Groups (cont’d)
User groups can be used to allow access to restricted Agents
▪ Only group activation on Agent is allowed; NOT by individual user
▪ Can specify access times that a group is allowed to access the
Agent
167
Bulk Operations
Bulk Operations are available for Users and User Groups
▪ Can operate on one screen of objects at one time – select any or
all in list
▪ Examples: Add users to groups, Enable account, Delete, Move to
domain…
User User Group
Screen Screen
168
Authentication Manager Bulk Admin (AMBA)
AMBA is bundled with Authentication Manager in v8.2
Command Line Utility enables administrators to perform bulk administration
functions
▪ Can be command-driven or scripted
Implements a sub-set of common administrative functions including:
▪ ADD, CHANGE and DELETE operations using data from a CSV input file
▪ LIST tokens and users based on specified criteria
▪ Perform MULTIPLE token assignments, replacements, deployments and disablements
Requires an AM Enterprise license or standalone AMBA license
Approx.
15 minutes
170
Adding Users
171
Exercise: I’m tired of Logging in to the Security
Console
Extend Security Console lifetime
Approx.
5 minutes
172
Extending Security Console Lifetime
173
AGENT OPERATIONS
Module 9
174
Authentication Agents
User authentication is brokered through an Agent
RSA Authentication Agents are available for a variety of access points
▪ Windows workstations
▪ UNIX/LINUX servers
▪ Web Servers
Large variety of partner products employ RSA Agent software or are easily
configurable for SecurID authentication
▪ Communication Servers
▪ VPN Servers
▪ Firewalls & Routers
175
Agent Registration
Manual Registration
▪ Create (Add) Agent using Security Console
Auto-Registration
▪ Compatible Agent device can connect & establish itself in database
▪ Agent requires sdconf.rec file and Agent software
Agent initially uses default Node Secret and establishes new,
unique key upon first successful authentication
176
Adding an Agent
Agent is ‘owned’ by the security domain in which it is created
177
Exercise: Managing Agents
Add an Agent to your deployment
Assign access to a User Group
Approx.
20 minutes
178
Generating an Agent Configuration File
179
AUTHENTICATOR
OPERATIONS
Module 10
180
Authenticators
Authenticators managed by Authentication Manager include:
▪ Variety of Hardware and Software tokens
▪ Fixed Passcodes
▪ PINed and PIN-less tokens
▪ Future authentication devices
Any device or process used to authenticate via an
Authentication Agent is considered an ‘authenticator’
181
Importing Token Records
Sets of records exist for all hardware and software tokens
Must be imported into the system before token can be
assigned
Import performed as an ‘Import Tokens’ job
▪ Imported into and owned by a Security Domain
▪ Subset of tokens can be moved between domains
182
Exporting Token Records
Token records can be exported to another Authentication Manager
deployment (or used to move Users & Tokens between Identity
Sources)
183
Token Screen
Displays type, Assignment, Status & Expiration info, Last
authentication, Security Domain, etc.
184
Token States
Unassigned: Ready to be assigned to a user
Assigned: Associated with a user
Disabled: Can not be used for Authentication but could be associated with a user
Deleted: Removed from the system
▪ Can only be recovered by importing original token record
Replaced by: Readies a token for replacement – new token becomes active and
current (“old”) token is disabled when new token is first used
185
Resynchronization
Re-sets token to baseline by using two sequential token codes
from token
186
Token Statistics
Quick reporting tool to show token usage
Shows only tokens within scope of admin running statistics
Shows # of tokens, type, expiry summary, disabled, etc.
187
Token Attribute
Additional information field can be added to token record to
hold information about user, assignment, accounting info, etc.
188
MANAGING SOFTWARE
AUTHENTICATORS
189
RSA SecurID Software Tokens
Installed on a PC or other computing device
190
Hardware / Software Token Similarities
Both work with the RSA Authentication Manager
191
Hardware / Software Token Differences
Portability
Physical possession
Physical inventory maintenance
Platform compatibility
Dependence on PC/device clock
End-User software installations
192
Software Token Provisioning
“Provision Once” Model
▪ Software Tokens provisioned in v8.2 expire only on the server side
▪ When replaced (new token imported), token does not need to be re-
provisioned to the end user
If end user loses or changes device, token will need to be re-
provisioned
Life can not be extended for Software tokens:
▪ That were provisioned under earlier Authentication Manager versions
▪ If tokens have not yet expired or are not in the range configured for
replacement (15 days by default)
193
Security Concerns
PC/device carrying an RSA SecurID Software token may be out of
user’s possession more than an RSA SecurID Hardware Token
194
Software Token Deployment Steps
Issuing Software Tokens
Creating User Installation Packages
Installing RSA SecurID Software Token Program at the End User
Device
User Configuration Options
CT-KIP configuration
195
QR Code Provisioning
V8.1.1 and later allows the option of displaying a QR Code as the
token activation code for provisioning
QR code displays on the user’s Self-Service console
Back-end process is similar to pre-8.1.1 deployment
▪ Assignment, distribution via CT-KIP, end-user enrollment (if enabled), etc
QR code is supported for Android 2.x and IOS 2.x
▪ Other code readers may not function correctly – monitor RSA SCOL for any
support updates
196
QR Code Provisioning
User receives link to Self-service console via e-mail
QR Code displayed from within Self-service console
197
Exercise: Managing Authenticators
Assign various authenticators to users in your system
▪ Hardware and Software tokens
▪ Distribute Software Token
Test Authentication
Approx.
20 minutes
198
Create a Hardware Token Association
199
Create a Software Token Profile
200
Exercise
1. Software Token Provisioning
✓ Direct from Security Console
✓ From Self Service Console
201
MANAGING RISK-BASED
AUTHENTICATION
Module 11
202
Enabling Users for Risk-Based Authentication
To enable RBA, you first configure:
▪ On-Demand Authentication
parameters (if used)
▪ Security Question policy (m of n)
▪ RBA policy
Risk-Based enablement is
accessed through User screen
(right-click pop-up)
203
Enabling Users for Risk-Based Authentication (cont’d)
User is enabled via checkbox
204
Setting up On-Demand Authentication
On-Demand Authentication set up through Setup > System Settings screen: On-Demand
Tokencode Delivery link
Defines:
205
Enabling On-Demand Authentication
Users are enabled for ODA via Authentication > On-Demand
Authentication > Enable Users
206
On-Demand / Risk-Based Configuration
(Self-Service Console)
When user logs on to Self-Service Console, ODA / RBA configuration
status is displayed
207
Exercise: Configuring Risk-Based Authentication
Configure Risk-Based Authentication settings for system and
users
Approx.
20 minutes
208
Enable Risk-Based Authentication
209
Establish Security Question Answers
210
Configuring SMTP and On-Demand Authentication
211
Configure On-Demand Authentication
212
Enable On-Demand Authentication
213
Verify User Settings and Set On-Demand PIN
214
Test Risk-Based Authentication
215
Identity Confirmation Method
216
DELEGATED
ADMINISTRATION
Module 12
217
Administrative Scope
Security Domain Scope
▪ Set or subset of security domains which administrator may manage
▪ Can be one or more security domains
▪ Tied to an entire role rather than a specific permission
▪ Determined at time of creating an admin role, not at time of assignment to
an administrator
Identity Source Scope
▪ Role can be limited to Identity Source(s)
Administrator’s own Security Domain is unrelated to the scope of the
Administrator’s role
▪ Admin account could be saved at the lowest level but have role granting
scope for all levels (even Super Admin)
▪ Could have permissions to manage self, or own admin role
218
Administrative Permissions
Most permissions can be categorized into resource and type
▪ Resource: The type of object for which the permission is being granted
Example: Tokens, Agents, Users, Groups
▪ Type: What an administrator can do to the resource
Options: All, Add, Edit, View, Delete
219
Administrative Role, User and Delegation
Administrative Role:
▪ Combination of permissions and scope that determines what
administrative actions a user is allowed to execute
• Permissions = What an administrator is allowed to do
• Scope = Which objects administrator is allowed to act upon
Administrative User:
▪ Any Authentication Manager user who has been granted one or more
administrative roles
• Only Administrative users are allowed to log on to the
RSA Security Console
Delegation:
▪ An administrator can assign all or part of her permissions to another
administrator
• Permissions must be set to allow delegation
220
Pre-defined Roles
Super Admin
Security Domain Administrator
User Administrator
Token Administrator
Help Desk Administrator
Privileged Help Desk Administrator
Agent Administrator
Request Approver
Token Distributor
13 roles in total
221
Super Admin Role
Admins with this role have all permissions in all scopes
Cannot be edited, deleted, or duplicated
Can only be assigned by other Super Admins
Recommend ensuring that a strong password policy applies to
any user given this role
▪ Or protect console with SecurID and assign token to Super Admins
222
Multiple Roles
Multiple roles can be assigned to an administrative user
Admin could potentially have multiple roles – each with different scope
▪ For example, could be User admin in one role, Token admin in another
Permissions are the union of all roles, but scope for each individual
permission is maintained
Adding additional roles usually makes an admin more powerful
▪ One exception related to Identity Source attributes…
If two Roles: One allows viewing an attribute and one does not, the admin will
NOT be able to see that attribute.
223
Administrative Role Pitfalls
Associative permission
▪ Example: Admin can Edit Users, can Edit Tokens but may not have
permission to assign a token to a user
Multiple Roles
▪ Example: Admin can Edit Users & Tokens and Assign tokens in one
Security Domain but not another
Field Sales Admin Role Sales Operations Admin Role
– View/Edit users, View/Edit tokens, – View users, View tokens
Assign Tokens – For “Sales Ops” Security Domain
– For “Inside Sales” Security Domain
226
Admin Role Creation
To create admin roles, you need the following:
▪ Permission to create admin roles
▪ Permission to objects and/or operations which you want to add to
new role (Permissions must be delegatable)
▪ Scope at least as broad as the new role’s scope
227
Admin Role Delegation
You can delegate any role which you are able to create (i.e.
roles with power equal to or less than your own)
You can also assign such roles even if they are not marked
delegatable
You cannot assign a role with more permissions
than you, even if you can view it
Example:
Spiderman can delegate
web powers to the Hulk
228
(Optional) Exercise: Experiment with Delegation,
Scope, and Role
Set up scenarios where administrative accounts have various
roles and responsibilities for multiple domains
Approx.
15 minutes
229
REPORTS AND LOGS
Module 13
230
Security Console
Access Reporting via Reporting > Reports menu path
231
Reports
Provide query results of Authentication Manager system for
admin and auditing purposes, including:
▪ Administrator Activity
▪ Users & Tokens
▪ Authentication Activity
▪ System Audit Information
▪ On-Demand Authentications
▪ RADIUS Administration & Authentication
232
Reports vs. Console Search
Reports can display larger data sets
▪ Console Search has 2000 record limit
More sophisticated search criteria
Can be saved and scheduled as recurring events
Content can be viewed online or offline
Captures historical snapshots
233
Administrative Privileges
Security Console access for admin requires user id / password
Admin role with Reports access allows:
▪ Delete, Add, Edit, and View (template/query)
▪ Run & Schedule (report jobs)
Admin role with the Domain access:
▪ View Domains
Other permissions/Roles can be report-specific
234
Report Generation Work Flow
Report Template
Report Output
235
Report Template
A “canned report” that is embedded by default in Authentication
Manager
Template is a not yet parameterized query
Customizable into named queries
Defines the parameters (required/optional), database query, sorting
order, and output table
Access via Reporting > Reports > Add New menu path
236
Report Template Examples
Administrators with a Specified Role
Administrator Activity
Users with Disabled Accounts
Expired User Accounts
Token Expiration Report
Users with assigned RADIUS profile
…many more… 30+ report templates “out-of-box”
237
Report Query
A report query is a partially or fully parameterized template
User-defined name
Can be customized with a subset of the available columns
When you run a report, you are executing a report query
Create a query by selecting a template and completing Add New
Report wizard
View existing queries under Reporting > Reports > Manage
Existing
238
Report Query (cont’d)
Query can be run as the owner or administrator
▪ As owner by using the creator’s access (impersonation)
▪ As admin by using one’s own access
A report query can only be modified by the owner (name,
selection parameters, etc)
239
Report Query Parameters
Selection operators include:
▪ Starts with / Ends with
▪ Contains / Does not contain
▪ Is equal to
Others may use wildcard character (*), selection lists, etc.
240
Report Job (on request)
A submitted query becomes a report batch job
All required parameters must be completed
Report job can have a user defined name
▪ Console provides default name
• <ReportName>_<RunAsUser>_<Date>_<Time>_<TimeZone>
• Recommend making this something meaningful
All report jobs are run asynchronously
Memory & CPU intensive
• Recommend running serially
Run jobs via the Run Report Job Now control
241
Report Job (scheduled)
A report job can be set as a recurring event
(e.g. daily, weekly, etc)
A time consuming report job should be scheduled to run at an
off peak time
A scheduled report job should be a parameterized report query
– make sure all required parameters are provided
▪ Otherwise, report may prompt and wait for manual input at runtime
242
Report Job Status
Results may not be available instantaneously
Console divided into In Progress and Completed tabs
243
Report Output
Output data stored in output table on a per-job basis
Output data does not change after the job is completed
Data can be retrieved in different ways:
▪ View in browser (1st 500 rows)
▪ Download as XML
▪ Download as CSV
▪ Download as HTML
A completed job can be deleted along with its outputs
244
Customization Constraints
Reporting limited to built-in templates
Sorting order is defined by templates (not customizable)
Display columns are pre-defined (can hide but not add)
Types of search parameters are fixed
Scheduled report jobs need to be manually retrieved (no email delivery)
Possible additions/updates available through Support or Professional
Services organizations
245
SQL Queries
SQL Queries to the database are supported by Authentication
Manager developer tools
Developer tools and documentation are available in the
Authentication Manager distribution package
Use involves an SQL driver for the database and using
VBscript to execute queries
Sample VBscript files are included in the SDK
246
Exercise: Reporting
Create reports
▪ On-Demand report
▪ Scheduled report
Approx.
20 minutes
247
Create an On-Demand Report of Historical Information
248
Create an On-Demand User-Specific Report
249
Create a Scheduled Report
250
Logging
Admin, Runtime and System audit logs; trace logging
▪ Administrative audit - Admin operations
▪ Runtime audit - Login/logout/lockout
▪ System - System events
▪ Trace – Troubleshooting and debugging
Separate configuration (level) for each audit log type
Audit events are logged to database and trace log messages to a file
Option to log audit info to local or remote SysLog in addition to database
251
Logging (cont’d)
Audit logs fall back to file based logging, if logging to database fails
Audit log levels:
• Error - Failures/errors (Authentication failed; Add user failed; ...)
• Warning - Warning messages (Denial of service detected; License warnings; ...)
• Success - Success or informational messages (Authentication successful; Added
group successfully; ...)
Some system log events are always logged regardless of log level
(startup, shutdown, configuration changes)
252
Log Console
Admin console > Setup > Instances > Instance Name > Logging
253
Log Configuration
Each instance has its own log configuration
Changes to log configuration on one instance does not impact
other instances
Log configuration changes for replica instances must be
performed on primary instance (Replicas are read-only)
Log
Config
Read-only
255
Log Archiving
Database log tables can consume all available space over time
Automated archiving archives old audit log entries from DB
Only on primary (Replica logs are replicated to primary)
Archiving can be run on demand
A default archive job is scheduled to run at 1 AM (local) daily
Supports exporting and/or purging
▪ Also supports no archiving/purging for a audit log type. (Not recommended)
Log entries are verified as they are archived (if log signing is enabled)
256
Log Archiving (cont’d)
If log signing is enabled, each archived log entry will have one of the following
strings appended:
▪ VERIFIED – Log entry intact and was not modified
▪ TAMPERED – Log entry has been tampered with
▪ UNKNOWN – Cannot determine if the entry is legitimate or tampered
One archive log file is generated per audit log type per day
Archived log files cannot be imported back into the database
Each archived file is also signed
Signature for each archived file is saved in a .sig file
257
Log Archiving (cont’d)
Archived log files are simple text files; entry fields are CSV format
Can use text editor, Microsoft Excel or other reporting tools to view exported log
files
Archived log files are named after the audit log type and date:
▪ audit_admin_< yyyy-MM-dd >.log
▪ audit_runtime_<yyyy-MM-dd>.log
▪ system_< yyyy-MM-dd >.log
Log entries between 00:00:00 UTC and 23:59:59 UTC are logged to one file.
Based on UTC time, not local host time
258
Log Console
Security Console > Administration > Log Management > Recurring Log Archive Jobs
259
Log Console (cont’d)
Security Console > Administration > Log Management > Recurring Log Archive Jobs
260
verify-archive-log Command Line Utility
CLU to verify the integrity of archived log files
Each archived log file has an associated signature file
CLU prints out if the archived log file is tampered or not
Signing and verification keys are encrypted and stored in the database
Signing and verification keys are replicated from primary to replica and
vice-versa
Usage: rsautil verify-archive-log –m <master password> -f <file to verify>
261
Exercise: Log Configuration
Set Log Levels
Set archiving job for logs
Approx.
10 minutes
262
Configure Log Levels
263
Configure Log Archiving
264
Activity Monitor
Displays audit log events in real time
On primary, log events from the replicas can also be viewed in near
real time
Can limit the events displayed using filters
Automatically refreshes every second
Can open any number of activity monitor windows with different filters
265
Activity Monitor (cont’d)
Supports start/stop, pause/resume
Buffers events when paused
Inactivity timeout of 30 minutes (same as console)
Individual events can be selected for additional detailed
information
Administrator can view events in their realm
266
Activity Monitor (cont’d)
Security Console > Reporting > Real-time Activity Monitors > Administration Activity Monitor
267
Activity Monitor (cont’d)
Security Console > Reporting > Real-time Activity Monitors > Authentication Activity Monitor
268
Administration Notifications
Email to Administrators for various events
Enable Critical
System Events
269
Administration Notifications
Email to Administrators for successful report completion
▪ Link mailed to recipient – requires Admin login
▪ Does not email report because of security concerns and varying
attachment limitations
270
Instrumentation (SNMP)
Provides stats and other useful information
Disabled by default
Configuration changes are dynamically picked up by the server.
No restart required
SNMPv3 protocol supported
All stats and counters are read-only
Can send audit log events (admin, runtime or system) as
SNMP traps to configured NMS
271
Exercise: (Optional) SNMP Configuration
View the configuration screen for SNMP
Approx.
5 minutes
272
SELF-SERVICE
Module 14
273
Overview
Self-Service functions provide user self service and provisioning services
for SecurID end users
Intended to reduce burden on administrators/help desk
Provides native LDAP integration
Fully web based. API provided for customization
Is an integral part of Authentication Manager
▪ Base license allows Self-Service
▪ Enterprise license allows Provisioning
274
Self Service Features
Change passwords, Reset token PINs
Test, Troubleshoot, Resynchronize tokens
Obtain an Emergency Access Code
Request replacement for expiring token
275
Provisioning Features
End user can request hardware and software tokens
Replace expired, lost, or broken tokens
Activate/Enable tokens
Security Console provides administrative approval & distribution
workflow
276
Approval and Distribution
Using the Security Console, requests are
approved/rejected by administrators
Activation
code
277
Workflow
Self Service User Approver Distributor
User receives
token and link to
activate
278
Workflow (cont’d)
Workflow Definitions configured for self-service categories
▪ User Enrollment, Token Request, On-Demand, etc.
▪ Specifies number of approvals and/or distribution steps
Email notification templates are accessed from same screen
279
Configuration
Settings for Enrollment, Provisioning, and Customization
▪ Select Identity Sources, Security Domains, and User Groups for
Enrollment
▪ Set workflow policies, authenticator, and emergency access parameters
▪ Customize User Profiles, Self-service authentication,
Email notifications, and Self-service features
280
SELF-SERVICE
CONFIGURATION
281
Identity Source Configuration
Define which identity sources are available for enrolling users
to add their profile information
Optionally provide user-friendly names
▪ Example: Users can add themselves to the Employee directory, but not the
Partners directory
282
Security Domain Configuration
Define which security domains are available for user enrollment
Optionally provide user-friendly names for those domains
▪ Example: users can add themselves to “Headquarters” but not
branch offices
283
Group Configuration
Define which user groups are available for enrolling users to
join
Optionally provide user-friendly names for those selected
groups
284
Email Server Configuration
Setup > System Settings > E-mail (SMTP)
285
User Profile Configuration
Customize what fields are Required, Editable, Read-only or
Hidden (Make Field setting)
Similar Option to provide display label for each entry field
286
Authenticator Configuration
Define which token types can be requested
Define emergency access parameters for different conditions
(Token lost/broken, temporarily unavailable, etc)
287
Roles, Permissions
Set permission(s) for Approver/Distributor
▪ [Perform]All, View, Approve, Distribute, Cancel
288
Security Questions
Security Question registration occurs on first access to Self Service
Console or RBA authentication
Question set can be viewed through Security Console:
Setup > System Settings :: Security Questions Management
289
Security Questions (cont’d)
Imported file replaces all questions for that language set – even if only one
question is changed
Import file is the following general format:
290
Access through Web Tier
RSA Web Tier is used to protect external (“Public”) access to
self service console
291
Exercise: Self-Service
Configure Self-service for user enrollment
Enroll for, approve, and retrieve token
Approx.
30 minutes
292
Configure Self-Service
293
Configure Self-Service, continued
294
Configure Self-Service, continued
295
TROUBLESHOOTING
Module 15
296
User Dashboard
Rapid access to a specific user via “Quick Search”
Provides view into:
▪ User status (locked/unlocked, enabled/disabled)
▪ Identity Source & Security Domain
▪ Last 50 events / last 7 days’ activity
▪ Assigned Tokens & On-Demand settings
▪ Group memberships
▪ Accessible Agents
297
User Dashboard (cont’d)
Enter 3 or more characters
of user last name to display
pick list
298
User Dashboard (cont’d)
299
User Dashboard (cont’d)
300
Activity Monitor
Used to view log messages in real time
There are three different Activity Monitors:
▪ Authentication Activity Monitor - Displays authentication-specific
events such as failed or successful authentication attempts.
▪ System Activity Monitor - Displays system events such as inability
to connect to an identity source.
▪ Administrator Activity Monitor - Displays administrator activities
such as creating and updating users.
301
Activity Monitor Usage
Launch Activity Monitor (can launch several in different
windows)
302
Authentication Problems - Agent
Authenticating via an agent – IP address override
▪ Multi-homed agents – if the system uses NAT
▪ Configure Alternate IP addresses for the agent
▪ IP address override
• sdopts.rec on Windows and UNIX/Linux
• Agent console – Windows only
Node secret
▪ Synchronize the state of the node secret
• Agent configuration
303
Authentication – Manage Node Secret
Access Node Secret management from Agent screen
304
Authentication Problems - Tokens
Resynchronizing Tokens:
When Token and Authentication Manager do not match
(e.g. clocks are out of synchronization)
Clears bad authentications
Recalculates token offset
Prompts for two sequential codes
Sometimes needed when re-importing token records
Can be accessed by user via Self-service console
“Troubleshooting” link
305
Authentication – Resynchronizing Tokens
Token resync is accessed through the token record (Manage
Tokens screen)
306
Authentication - User Status
Lockout status governed by Lockout Policy
308
Clearing Disabled status, Lockout, Security
Questions
Access through User’s context menu (Authentication Settings)
309
Lost/Expired Token
Assign a new token
Provide emergency access
▪ Online authentication
• Temporary fixed tokencode – used with PIN
• One-time tokencode set – used with PIN
▪ Offline authentication
• Offline emergency access tokencode – used with PIN
• Offline emergency access passcode – used if user forgets PIN
▪ Note: An Emergency Access Tokencode cannot be assigned to an expired token
Assign fixed passcode
Can also be accessed via Self-service Console
310
Exercise: Troubleshooting Authentication Issues
Access menus and tools for end user
troubleshooting and assistance
▪ User Dashboard
▪ Activity Monitor
▪ Resynchronize Token
▪ Emergency Codes
▪ End user Self-Service
Approx.
20 minutes
311
FINAL THOUGHTS
312
RSA Link [community.rsa.com]
RSA SecurCare Online information and knowledge base has
been migrated to RSA Link
RSA Link has complete RSA Authentication Manager document
set, Q&A, and other resources
313
RSA University
RSA courses, schedules, eLearning and eLabs listed on the
RSA University pages of RSA Link
314