Configuring an RSA one-time password mechanism

A one-time password is valid for one session or login. To use RSA as a mechanism, you must own RSA Authentication Manager. The server and the client generate the passwords with the same algorithm.

Before you begin

Complete the following steps.
  1. On your RSA server, generate the following files:
    sdconf.rec
    The configuration file for connecting to the RSA Authentication server.
    sdopts.rec
    The configuration properties file that contains optional configurations for load balancing.
    securid
    The secret key file for connecting to the RSA Authentication server.
  2. See your RSA Authentication server documentation for details on creating these files and use the following guidelines:
    • On the appliance, you must specify an Agent Network Interface. See Agent Network Interface in step 8. If you connect the RSA server to the appliance by using an application network interface with multiple IP addresses, list all the IP addresses in the Alternate IPs box on the RSA server.
    • For Agent type, choose Standard.
    • Agent Auto-Registration must be enabled when the first RSA one-time password authentication is performed. You can disable it after the first successful authentication is completed.
    Note: The RSA one-time password mechanism does not support replication of the RSA session information through the cluster environment. The session information is local to each cluster node and the environment must be configured to enforce session affinity between the client and the cluster node.
  3. Move or copy the generated files from the RSA server to the appliance.

About this task

This task describes the steps and properties for configuring an RSA mechanism. For information about configuring other providers, see:

Procedure

  1. Log in to the local management interface.
  2. Click Secure Access Control.
  3. Under Policy, click Authentication.
  4. Click Mechanisms.
  5. Click RSA One-time Password.
  6. Click Modify.
  7. Click the Properties tab.
    1. Select a property that you want to configure.
    2. Click Modify.
    3. Enter the value for that property.
    4. Click OK.
  8. Take note of the properties for the mechanism.
    Agent Network Interface
    The name of the network interface that the RSA Agent is using to connect to the RSA server.

    Required: Yes

    Data type: String

    Valid values:
    Management network interface values
    • M.1
    • M.2
    Application network interface values
    • P.1
    • P.2
    • P.3
    • P.4
    Note: If you are using the RSA mechanism in a cluster environment and use an application interface with multiple IP addresses defined for that interface, use the RSA console to add all of those IP addresses to the whitelist. See the RSA documentation for information about adding IP addresses to the whitelist.

    Example: M.1

    Server Exchange Initial Timeout
    The initial timeout coefficient in milliseconds used to calculate the timeout of the request.

    Required: No

    Data type: Integer

    Example: 1000

    Server Exchange Timeout Offset
    The offset timeout coefficient in milliseconds used to calculate the timeout of the request.

    Required: No

    Data type: Integer

    Example: 200

    Server Exchange Timeout Increment
    The increment coefficient in milliseconds used to calculate the timeout of the request.

    Required: No

    Data type: Integer

    Example: 100

    Event Log Level
    The minimum event level to be logged. Events below the level that is specified in this property are not logged.
    The events in order from lowest level to highest are:
    1. OFF
    2. DEBUG
    3. INFO
    4. WARN
    5. ERROR
    6. FATAL

    Required:

    Data type: String

    Example: INFO. If this property is set to INFO, DEBUG events are not logged.

    Enable Debug Tracing
    The property that enables debug tracing.

    Required: No

    Data type: Boolean

    Example: FALSE. If set to FALSE, debug tracing is not enabled.

    Trace Function Entries
    The property that enables tracing of function entries.

    Required: No

    Data type: Boolean

    Example: FALSE. If set to FALSE, function entries are not traced.

    Trace Function Exits
    The property that enables tracing of exits.

    Required: No

    Data type: Boolean

    Example: FALSE. If set to FALSE, exits are not traced.

    Trace Flow Statements
    The property that enables tracing of flow statements.

    Required: No

    Data type: Boolean

    Example: FALSE. If set to FALSE, flow statements are not traced.

    Trace Regular Statements
    The property that enables tracing of regular statements.

    Required: No

    Data type: Boolean

    Example: FALSE. If set to FALSE, regular statements are not traced.

    Trace Location
    The property that enables the class name and line number to be displayed in the trace.

    Required: No

    Data type: Boolean

    Example: FALSE. If set to FALSE, class name and line number are not displayed.

    Session Timeout
    The length of time, in seconds, that a connection to the RSA Authentication Manager server remains open before it times out when a user attempts to authenticate.

    Required: No

    Data type: Integer

    Example: 1800

  9. Click the Agent Files tab.
  10. Select the file in the table that corresponds to the file you generated on the RSA server.
  11. Click Upload to upload the file or Clear to remove the contents of the selected file. The status area indicates one of three statuses:
    Not uploaded
    Upload is not completed.
    Last upload date
    Upload was completed on date indicated.
    Auto-generated
    The SecurID was automatically generated instead of uploaded.
    Repeat this step until all of your files have been uploaded to the appliance.
  12. Click Save.
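As an added offline check that is not part of IBM's documentation or product code: the following Python validates a property set for step 8 (valid Agent Network Interface values, integer and Boolean properties, Event Log Level) before it is entered in the Properties tab, and models the Event Log Level filter described above. It assumes that OFF disables logging entirely; the sample property set is constructed from the example values on this page.

```python
# Ordered from lowest to highest, as listed under the Event Log Level property.
EVENT_LEVELS = ["OFF", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"]

# Valid Agent Network Interface values (management and application interfaces).
AGENT_INTERFACES = {"M.1", "M.2", "P.1", "P.2", "P.3", "P.4"}

INTEGER_PROPS = [
    "Server Exchange Initial Timeout", "Server Exchange Timeout Offset",
    "Server Exchange Timeout Increment", "Session Timeout",
]
BOOLEAN_PROPS = [
    "Enable Debug Tracing", "Trace Function Entries", "Trace Function Exits",
    "Trace Flow Statements", "Trace Regular Statements", "Trace Location",
]

# Constructed sample using the example values given for each property.
SAMPLE = {
    "Agent Network Interface": "M.1",
    "Server Exchange Initial Timeout": 1000,
    "Server Exchange Timeout Offset": 200,
    "Server Exchange Timeout Increment": 100,
    "Event Log Level": "INFO",
    "Enable Debug Tracing": "FALSE",
    "Session Timeout": 1800,
}


def validate_properties(props: dict) -> list:
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    iface = props.get("Agent Network Interface")  # the only required property
    if iface not in AGENT_INTERFACES:
        problems.append(f"Agent Network Interface: required, got {iface!r}")
    for name in INTEGER_PROPS:
        value = props.get(name)
        if value is not None and (not isinstance(value, int) or value <= 0):
            problems.append(f"{name}: expected a positive integer, got {value!r}")
    for name in BOOLEAN_PROPS:
        value = props.get(name)
        if value is not None and str(value).upper() not in ("TRUE", "FALSE"):
            problems.append(f"{name}: expected TRUE or FALSE, got {value!r}")
    level = props.get("Event Log Level")
    if level is not None and level not in EVENT_LEVELS:
        problems.append(f"Event Log Level: expected one of {EVENT_LEVELS}, got {level!r}")
    return problems


def is_logged(event_level: str, configured_level: str) -> bool:
    """True when an event at event_level is written under configured_level."""
    if configured_level == "OFF":  # assumption: OFF disables logging entirely
        return False
    return EVENT_LEVELS.index(event_level) >= EVENT_LEVELS.index(configured_level)
```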

What to do next

When you configure the mechanism, a message indicates that changes are not deployed. Deploy changes when you are finished. For more information, see Deploying pending changes.