A one-time password is valid for one session or login.
To use RSA as a mechanism, you must own RSA Authentication Manager.
The server and the client generate the passwords with the same algorithm.
Before you begin
Complete the following steps.
- On your RSA server, generate the following files:
  - sdconf.rec: The configuration file for connecting to the RSA Authentication server.
  - sdopts.rec: The configuration properties file that contains optional configurations for load balancing.
  - securid: The secret key file for connecting to the RSA Authentication server.
- See your RSA Authentication server documentation for details on creating these files and use the following guidelines:
  - On the appliance, you must specify an Agent Network Interface. See Agent Network Interface in step 8. If you connect the RSA server to the appliance by using an application network interface with multiple IP addresses, list all the IP addresses in the Alternate IPs box on the RSA server.
  - For Agent type, choose Standard.
  - Agent Auto-Registration must be enabled when the first RSA one-time password authentication is performed. You can disable it after the first successful authentication is completed.
  Note: The RSA one-time password mechanism does not support replication of the RSA session information through the cluster environment. The session information is local to each cluster node, and the environment must be configured to enforce session affinity between the client and the cluster node.
- Move or copy the generated files from the RSA server to the appliance.
About this task
This task describes the steps and properties for configuring
an RSA mechanism. For information about configuring other providers,
see:
Procedure
- Log in to the local management interface.
- Click Secure Access Control.
- Under Policy, click Authentication.
- Click Mechanisms.
- Click RSA One-time Password.
- Click .
- Click the Properties tab.
- Select a property that you want to configure.
- Click .
- Enter the value for that property.
- Click OK.
- Take note of the properties for the mechanism.
  - Agent Network Interface
    The name of the network interface that the RSA Agent is using to connect to the RSA server.
    Required: Yes
    Data type: String
    Valid values:
    - Management network interface values
    - Application network interface values
    Note: If you are using the RSA mechanism in a cluster environment and use an application interface with multiple IP addresses defined for that interface, use the RSA console to add all of those IP addresses to the whitelist. See the RSA documentation for information about adding IP addresses to the whitelist.
    Example: M.1
  - Server Exchange Initial Timeout
    The initial timeout coefficient, in milliseconds, used to calculate the timeout of the request.
    Required: No
    Data type: Integer
    Example: 1000
  - Server Exchange Timeout Offset
    The offset timeout coefficient, in milliseconds, used to calculate the timeout of the request.
    Required: No
    Data type: Integer
    Example: 200
  - Server Exchange Timeout Increment
    The increment coefficient, in milliseconds, used to calculate the timeout of the request.
    Required: No
    Data type: Integer
    Example: 100
  - Event Log Level
    The minimum event level to be logged. Events below the level that is specified in this property are not logged. The events in order from lowest level to highest are:
    - OFF
    - DEBUG
    - INFO
    - WARN
    - ERROR
    - FATAL
    Required:
    Data type: String
    Example: INFO. If this property is set to INFO, DEBUG events are not logged.
  - Enable Debug Tracing
    The property that enables debug tracing.
    Required: No
    Data type: Boolean
    Example: FALSE. If set to FALSE, debug tracing is not enabled.
  - Trace Function Entries
    The property that enables tracing of function entries.
    Required: No
    Data type: Boolean
    Example: FALSE. If set to FALSE, function entries are not traced.
  - Trace Function Exits
    The property that enables tracing of function exits.
    Required: No
    Data type: Boolean
    Example: FALSE. If set to FALSE, function exits are not traced.
  - Trace Flow Statements
    The property that enables tracing of flow statements.
    Required: No
    Data type: Boolean
    Example: FALSE. If set to FALSE, flow statements are not traced.
  - Trace Regular Statements
    The property that enables tracing of regular statements.
    Required: No
    Data type: Boolean
    Example: FALSE. If set to FALSE, regular statements are not traced.
  - Trace Location
    The property that enables the class name and line number to be displayed in the trace.
    Required: No
    Data type: Boolean
    Example: FALSE. If set to FALSE, the class name and line number are not displayed.
  - Session Timeout
    The length of time, in seconds, that a connection to the RSA Authentication Manager server remains open before it times out when a user attempts to authenticate.
    Required: No
    Data type: Integer
    Example: 1800
- Click the Agent Files tab.
- Select the file in the table that corresponds to the file you generated on the RSA server.
- Click Upload to upload the file, or Clear to remove the contents of the selected file. The status area indicates one of three statuses:
  - Not uploaded: Upload is not completed.
  - Last upload date: Upload was completed on the date indicated.
  - Auto-generated: The securid file was automatically generated instead of uploaded.
  Repeat this step until all of your files have been uploaded to the appliance.
- Click Save.
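As an added example (not part of this documentation and not the product's own code), the following Python checks a mechanism property set against the property table in step 8 before you deploy it, and applies the Event Log Level ordering to a few events so you can see which ones a given threshold drops. The property names, data types and example values come from the table; the sample configuration and the sample events are constructed for the example, and treating Event Log Level as optional is an assumption, since the table does not state whether it is required.

```python
"""Pre-deployment check for RSA One-time Password mechanism properties.

Added example: validates a property set against the documented table and
shows how the Event Log Level threshold filters events.
"""
from typing import Any, Callable, Dict, List, Tuple

# Event levels in the order the documentation lists them, lowest to highest.
EVENT_LEVELS = ["OFF", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"]

# Property schema from the documentation: name -> (required, data type, example).
# Event Log Level is marked optional here as an assumption; the table leaves
# its Required field blank.
PROPERTY_SCHEMA: Dict[str, Tuple[bool, str, Any]] = {
    "Agent Network Interface": (True, "String", "M.1"),
    "Server Exchange Initial Timeout": (False, "Integer", 1000),
    "Server Exchange Timeout Offset": (False, "Integer", 200),
    "Server Exchange Timeout Increment": (False, "Integer", 100),
    "Event Log Level": (False, "String", "INFO"),
    "Enable Debug Tracing": (False, "Boolean", False),
    "Trace Function Entries": (False, "Boolean", False),
    "Trace Function Exits": (False, "Boolean", False),
    "Trace Flow Statements": (False, "Boolean", False),
    "Trace Regular Statements": (False, "Boolean", False),
    "Trace Location": (False, "Boolean", False),
    "Session Timeout": (False, "Integer", 1800),
}

# Type checks for the three data types the table uses. bool is a subclass of
# int in Python, so the Integer check must exclude it explicitly.
TYPE_CHECKS: Dict[str, Callable[[Any], bool]] = {
    "String": lambda v: isinstance(v, str) and v != "",
    "Integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "Boolean": lambda v: isinstance(v, bool),
}


def validate_properties(config: Dict[str, Any]) -> List[str]:
    """Return a list of problems found in config; an empty list means it passes."""
    problems: List[str] = []
    for name, (required, dtype, _example) in PROPERTY_SCHEMA.items():
        if name not in config:
            if required:
                problems.append(f"{name}: required property is missing")
            continue
        value = config[name]
        if not TYPE_CHECKS[dtype](value):
            problems.append(f"{name}: expected {dtype}, got {value!r}")
    # Event Log Level must be one of the documented level names.
    level = config.get("Event Log Level")
    if level is not None and level not in EVENT_LEVELS:
        problems.append(
            f"Event Log Level: {level!r} is not one of {', '.join(EVENT_LEVELS)}"
        )
    # Anything outside the table is flagged so typos in property names show up.
    for name in config:
        if name not in PROPERTY_SCHEMA:
            problems.append(f"{name}: unknown property")
    return problems


def should_log(event_level: str, configured_level: str) -> bool:
    """Events below the configured level are not logged; equal or higher are."""
    return EVENT_LEVELS.index(event_level) >= EVENT_LEVELS.index(configured_level)


def filter_events(events: List[Tuple[str, str]], configured_level: str) -> List[Tuple[str, str]]:
    """Keep only the (level, message) pairs that the configured level would log."""
    return [e for e in events if should_log(e[0], configured_level)]


# Constructed sample configuration using the table's example values.
SAMPLE_CONFIG: Dict[str, Any] = {
    "Agent Network Interface": "M.1",
    "Server Exchange Initial Timeout": 1000,
    "Server Exchange Timeout Offset": 200,
    "Server Exchange Timeout Increment": 100,
    "Event Log Level": "INFO",
    "Enable Debug Tracing": False,
    "Session Timeout": 1800,
}

# Constructed sample events; the messages are illustrative only.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("DEBUG", "constructed: reading agent configuration"),
    ("INFO", "constructed: agent connected to RSA server"),
    ("WARN", "constructed: request retried"),
    ("ERROR", "constructed: authentication request failed"),
]


def main() -> None:
    problems = validate_properties(SAMPLE_CONFIG)
    print("config problems:", problems or "none")
    for level, message in filter_events(SAMPLE_EVENTS, SAMPLE_CONFIG["Event Log Level"]):
        print(f"[{level}] {message}")


if __name__ == "__main__":
    main()
```

Run the script as-is to see the sample configuration pass and the DEBUG event dropped at the INFO threshold; point `validate_properties` at your own property set to catch a missing Agent Network Interface or a timeout entered as text before you deploy the pending changes.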
What to do next
When you configure the mechanism, a message indicates that changes are not deployed. Deploy changes when you are finished. For more information, see Deploying pending changes.