Showing posts with label SecureID. Show all posts

Monday, August 29, 2016

RSA SecureID Authentication Manager 8.2

To update the notes from the 8.1 post, I had a working setup with a primary and replica 8.1 AM server, and a web server for each.

Updating the Authentication Managers themselves was straightforward: edit the VMs to add a CD-ROM drive and mount the ISO of the 8.1SP1 update (8.1.0 directly to 8.2 is not supported).  Take a snapshot of the working 8.1 VM.  Enter the Service Console and navigate to updates in the maintenance menu.  Then set the CD as the update source, do a scan, then select install on the resulting option.  This got both AM servers to 8.1.1 in fairly short order.  Delete the snapshots when complete.

Repeat to go from 8.1.1 to 8.2.

In theory the web servers are similar; in practice I tried to update them to 8.1.1 and somewhere along the line things went awry: the primary one went into status 'reinstall required' while the secondary just became disconnected altogether.

I uninstalled the RSA software from each of them and reinstalled complete with a new web tier package file from the Manager, and all was well.

Update

- All wasn't well, replication was broken.  I found RSA DOC 49528 with a fix for it:

SSH to the primary as rsaadmin,

cd /opt/rsa/am/utils
./rsautil manage-secrets -a get com.rsa.db.dba.password
com.rsa.db.dba.password: blah blah long password here
cd ../pgsql/bin
./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: blah blah long password here
psql.bin (9.4.1)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-SHA, bits: 256, compression: off)
Type "help" for help.

db=# select * from rsa_rep.IMS_INSTANCE_NODE;

(returns a table of your authentication manager instances)

db=# update RSA_REP.IMS_INSTANCE set deployed_state='out_of_sync' where is_primary='FALSE';
UPDATE 1
db=# 

Then you can go back into the Operations Console and select manual sync within replication reports and things are then fixed.

Friday, February 12, 2016

RSA SecureID Authentication Manager 8.1

RSA SecureID Authentication Manager (AM) is one of those bits of software it seems I have to install once every five years or so, during which time I've lost all memory of how I did it, and anyway the product has probably evolved enough that any knowledge would be out of date.
This time round OVA packaging of the appliance itself has simplified that bit of things, but the addition of a web tier for soft token distribution and user self-service added some complexity.

I don't think AM needs a lot of notes, but the complexity of licensing it and provisioning the tokens is exponentially greater than last time I did it, I'm guessing as a result of some well publicized breaches that have occurred.  Follow the docs and though tedious you end up with the required files and the application to decrypt the token seeds.

The tokens came on a CD - finding a way to read it took me a while, Celeron Linux mini system from the back of the garage pressed into service for that.  Then you use the codes printed on the CD to create a decryption file and password on the RSA site, then use the application to turn those plus the encrypted token seeds into something you can import into the app.

The AM web GUI is horribly unreliable for me, and I've tried Chrome, Mozilla, and IE, with IE being the least bad - though I still need to frequently mouse over a different tab in order to get menus to show up in the tab that I need - it took me a long time to realize this as first I thought it was a permissions issue, so I wasted time creating various different classes of administrator, logging in as them and finding still no luck on the menus.

The web tier install was complicated by RSA/EMC only supporting RHEL, which of course I don't have.  CentOS 6.5 seems to work fine but you have to change /etc/redhat-release to
'Red Hat Enterprise Linux Server release 6.5 (Santiago)'
so the RSA installer doesn't complain and exit.

I had various permissions issues, I gave up and chown rsauser / chmod 777 all the install files and their directory - I deleted them all after the install anyhow so why mess about.

Usual Linux best practices apply (NTP is vital due to the tokens, open-vm-tools, etc.).  The only other thing that caught me out, despite my looking for it, was that iptables blocked 443 out of the box; adding a rule:
'-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
 to /etc/sysconfig/iptables solved that.
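
An added example, not from the original post: iptables evaluates rules top to bottom, so the 443 rule only takes effect if it sits above the catch-all REJECT that ends the INPUT chain. The helper name add_https_rule is hypothetical, and the sample file is constructed on the assumption of the stock CentOS 6 layout.

```shell
#!/bin/sh
# Added example (not from the original post): put the port-443 ACCEPT rule
# ahead of the catch-all REJECT in an iptables-save style rules file.
RULE='-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# add_https_rule FILE -> 0 if FILE was rewritten, 1 if it was already correct.
add_https_rule() {
    file=$1
    tmp="$file.new.$$"
    awk -v rule="$RULE" '
        /^\*/      { infilter = ($0 == "*filter") }
        !infilter  { print; next }                 # leave other tables untouched
        $0 == rule { if (!placed) print; placed = 1; next }  # drop stranded copies
        /^-A INPUT -j (REJECT|DROP)( |$)/ || $0 == "COMMIT" {
            if (!placed) { print rule; placed = 1 }          # insert ahead of it
            if ($0 == "COMMIT") infilter = 0
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$file" "$tmp"; then rm -f "$tmp"; return 1; fi
    cat "$tmp" > "$file" && rm -f "$tmp"    # cat keeps the file owner and mode
}

# Constructed sample: the stock CentOS 6 rules file layout (an assumption).
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

On CentOS 6 the edited file is loaded with 'service iptables restart'.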

To recover the Super Admin account, run: 
./rsautil restore-admin -u [tempadmin_name] -p [password]
from /opt/rsa/am/utils as the console user elevated to root.