RSA SecurID Authentication Manager (AM) is one of those bits of software it seems I have to install once every five years or so, during which time I've lost all memory of how I did it, and anyway the product has probably evolved enough that any knowledge would be out of date.
This time round OVA packaging of the appliance itself has simplified that bit of things, but the addition of a web tier for soft token distribution and user self-service added some complexity.
I don't think AM needs a lot of notes, but the complexity of licensing it and provisioning the tokens is exponentially greater than last time I did it, I'm guessing as a result of some well-publicized breaches that have occurred. Follow the docs and, though tedious, you end up with the required files and the application to decrypt the token seeds.
The tokens came on a CD - finding a way to read it took me a while; a Celeron Linux mini system from the back of the garage was pressed into service for that. Then you use the codes printed on the CD to create a decryption file and password on the RSA site, then use the application to turn those plus the encrypted token seeds into something you can import into the app.
The AM web GUI is horribly unreliable for me, and I've tried Chrome, Mozilla, and IE, with IE being the least bad - though I still need to frequently mouse over a different tab in order to get menus to show up in the tab that I need. It took me a long time to realize this, as at first I thought it was a permissions issue, so I wasted time creating various different classes of administrator, logging in as them, and finding still no luck on the menus.
The web tier install was complicated by RSA/EMC only supporting RHEL, which of course I don't have. CentOS 6.5 seems to work fine but you have to change /etc/redhat-release to
'Red Hat Enterprise Linux Server release 6.5 (Santiago)'
so the RSA installer doesn't complain and exit.
I had various permissions issues; I gave up and ran chown rsauser / chmod 777 on all the install files and their directory - I deleted them all after the install anyhow, so why mess about.
Usual Linux best practices apply: NTP is vital due to the tokens, open-vm-tools, etc. The only other thing that caught me out, despite my looking for it, was that iptables blocked 443 out of the box; adding a rule:
'-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
to /etc/sysconfig/iptables solved that.
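The three host-level gotchas above (the release string the installer looks for, NTP being in sync so time-based token codes validate, and tcp/443 being open in iptables) are easy to verify before running the installer. The script below is an added example, not code from the post or from RSA: it wraps each check in a function that takes its input as a parameter, so the same functions run against the live host with --check or, with no arguments, against constructed sample files and a constructed ntpq line that stand in for a prepared host and a stock CentOS 6.5 box. The script name and the exact regex for the iptables rule are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from RSA: a preflight
# script for the AM web tier host covering the three things the post says
# tripped it up on CentOS 6.5. Paths and ntpq output are parameters so the
# checks also run offline against the constructed samples in demo().

# Exact string the RSA installer expects in /etc/redhat-release (from the post).
EXPECTED_RELEASE='Red Hat Enterprise Linux Server release 6.5 (Santiago)'

# release_ok FILE: 0 if FILE holds exactly the expected string. $(cat) drops the
# trailing newline, so the usual "string\n" file content still matches.
release_ok() {
    [ -r "$1" ] || return 1
    [ "$(cat "$1")" = "$EXPECTED_RELEASE" ]
}

# https_rule_present FILE: 0 if the iptables save file (/etc/sysconfig/iptables)
# has an INPUT rule accepting TCP 443 in the form the post adds:
#   -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
https_rule_present() {
    [ -r "$1" ] || return 1
    grep -Eq -e '^-A INPUT .*-p tcp .*--dport 443 .*-j ACCEPT' "$1"
}

# ntp_synced OUTPUT: 0 if OUTPUT (captured from `ntpq -pn`) lists a selected
# system peer, which ntpq marks with '*' in column one. A host whose clock has
# drifted rejects valid time-based token codes, hence the post's "NTP is vital".
ntp_synced() {
    printf '%s\n' "$1" | grep -q '^\*'
}

# preflight RELEASE_FILE IPTABLES_FILE NTPQ_OUTPUT: run every check, print one
# PASS/FAIL line each, and return the number of failed checks (0 = ready).
preflight() {
    preflight_fails=0
    if release_ok "$1"; then echo "PASS /etc/redhat-release string"
    else echo "FAIL /etc/redhat-release string"; preflight_fails=$((preflight_fails + 1)); fi
    if https_rule_present "$2"; then echo "PASS iptables accepts tcp/443"
    else echo "FAIL iptables accepts tcp/443"; preflight_fails=$((preflight_fails + 1)); fi
    if ntp_synced "$3"; then echo "PASS NTP has a synced peer"
    else echo "FAIL NTP has a synced peer"; preflight_fails=$((preflight_fails + 1)); fi
    return "$preflight_fails"
}

# demo: constructed sample inputs (not captured from a real host) showing one
# prepared host that passes and one stock CentOS box that fails all three.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$EXPECTED_RELEASE" > "$d/rel-good"
    printf '%s\n' 'CentOS release 6.5 (Final)' > "$d/rel-stock"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' 'COMMIT' > "$d/ipt-good"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT' > "$d/ipt-stock"
    ntp_good='*192.0.2.10      203.0.113.5      2 u   40   64  377    1.234    0.100   0.050'
    ntp_stock=' 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000'
    echo "== prepared host =="
    preflight "$d/rel-good" "$d/ipt-good" "$ntp_good" || echo "failed checks: $?"
    echo "== stock CentOS 6.5 =="
    preflight "$d/rel-stock" "$d/ipt-stock" "$ntp_stock" || echo "failed checks: $?"
    rm -rf "$d"
    return 0
}

# Usage: sh am-webtier-preflight.sh --check   (live host, needs root to read iptables)
#        sh am-webtier-preflight.sh           (offline demo with constructed input)
if [ "${1:-}" = "--check" ]; then
    preflight /etc/redhat-release /etc/sysconfig/iptables "$(ntpq -pn 2>/dev/null)"
else
    demo
fi
```

The exit status of preflight is the count of failed checks, so it drops straight into a kickstart or config-management post-install step that refuses to launch the RSA installer until it returns 0.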
To recover the Super Admin account, run:
./rsautil restore-admin -u [tempadmin_name] -p [password]
from /opt/rsa/am/utils as the console user elevated to root.