
RSA Authentication Manager 7.0 Installation and Configuration Guide


© 2007 RSA Security Inc. All rights reserved. First printing: January 2007

Trademarks

RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, see www.rsasecurity.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement

This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by RSA.

Third-party licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Limit distribution of this document to trusted personnel.

RSA notice

The RC5™ Block Encryption Algorithm With Data-Dependent Rotations is protected by U.S. Patent #5,724,428 and #5,835,600.

Contents

Preface
    About This Guide
    RSA Authentication Manager Documentation
    Tutorials
    Related Documentation
    Getting Support and Service
    Before You Call Customer Support

Chapter 1: Choosing Components for Installation
    RSA Authentication Manager Components
    Installation Types
    Primary Instance
    Replica Instance
    Server Node
    LDAP Directory

Chapter 2: Preparing for Installation
    System Requirements
    Supported Data Stores
    Supported Browsers
    Supported RSA Authentication Agents
    Licensing
    Maintaining Accurate System Time Settings
    Pre-Installation
    Pre-Installation Checklist for Windows
    Pre-Installation Checklist for Linux
    System Update Script for Linux

Chapter 3: Identifying the Installation Process for Your Deployment Model
    Planning Your Deployment
    Deployment Process
    Example Deployments
    Small Deployment
    Medium Deployment
    Large Deployment

Chapter 4: Installing an RSA Authentication Manager Primary Instance
    GUI-Based Installation
    Silent Installation
    Creating a Response File from the Template
    Launching a Silent Installation
    Securing Backup Files
    Verifying the Installation

Chapter 5: Installing a Replica Instance for Failover
    Preparing to Install a Replica Instance
    Synchronizing Clocks
    Creating a Replica Package File
    Transferring the Replica Package File
    GUI-Based Installation
    Command Line Installation
    Silent Installation
    Creating a Response File from the Template
    Launching a Silent Installation
    Rebalancing Contact Lists
    Securing Backup Files
    Verifying the Installation

Chapter 6: Installing a Server Node for Improved Performance
    Preparing to Install a Server Node
    Creating a Node Package File
    Transferring the Node Package File
    GUI-Based Installation
    Command Line Installation
    Silent Installation
    Creating a Response File from the Template
    Launching a Silent Installation
    Securing Backup Files
    Verifying Server Node Function

Chapter 7: Performing Post-Installation Tasks
    Additional Linux Configuration
    Backing Up a Standalone Primary Instance
    When To Perform a Backup
    Backing Up a Standalone Primary Instance on Windows
    Backing Up a Standalone Primary Instance on Linux
    Securing the Connection Between the Primary Instance and Replica Instances
    Starting RSA Authentication Manager Services
    Starting and Stopping RSA Authentication Manager Services on Windows
    Starting and Stopping RSA Authentication Manager Services on Linux
    Setting Up Automatic Start on Linux
    Logging On to the RSA Security Console
    Enabling JavaScript
    System Security
    Passwords and Keys in systemfields.properties
    Certificates and Keystores for SSL
    LDAP Certificates
    Legacy Compatibility Keystore
    Optional Proxy Servers for Remote Token Key Generation
    Adding a Proxy Server to Create Secure URLs
    Adding a Proxy Server for CT-KIP Failover

Chapter 8: Accessing Users and Groups from an LDAP Directory
    Overview of LDAP Directory Integration
    Replica Instance Connections to Identity Sources
    Failover Directory Servers
    Integrating Active Directory Forest Identity Sources
    Preparing for Integration
    Setting Up SSL for LDAP
    Password Policy Considerations
    Supporting Groups
    Using the Initialize Identity Source Utility to Deploy Resource Adapters
    Deploying Resource Adapters
    Undeploying the Resource Adapters
    Modifying an Identity Source
    Enabling Identity Sources in the RSA Security Console
    Adding the Identity Source
    Linking an Identity Source to a Realm
    Verifying the LDAP Identity Source
    Removing an Identity Source
    Identifying Orphaned LDAP Users

Chapter 9: Installing the Authentication Manager MMC Extension
    MMC Extension Overview
    System Requirements and Prerequisites
    Installation Process
    Installing the MMC Extension for Local Access
    Installing the MMC Extension for Remote Access
    Post-Installation
    Configuring Internet Explorer Security Settings
    Starting the Active Directory User and Computer Management Console

Chapter 10: Removing RSA Authentication Manager
    Removing RSA Authentication Manager Servers
    Removing a Server Node
    GUI-Based Removal
    Removing a Replica Database Server
    GUI-Based Removal
    Command Line Removal
    Manual Cleanup for Unsuccessful Removal
    Rebalancing Contact Lists
    Removing a Primary Database Server
    GUI-Based Removal
    Command Line Removal

Appendix A: Troubleshooting
    Unsuccessful Installation or Removal
    Viewing Installation Logs
    Cleanup Script for Reinstallation (Windows Only)
    Cleanup for Linux Systems
    Obscured Error Messages
    Server Does Not Start
    RSA Security Console Does Not Start
    Using the Collect Product Information Utility
    LDAP Identity Source Integration Unsuccessful
    MMC Extension Does Not Start
    Multicast Network Communication Fails
    Message Indicates Node Manager Service Not Started

Appendix B: Command Line Utilities
    Manage Secrets Utility
    Using the Manage Secrets Utility
    Option Flags for manage-secrets
    Collect Product Information Utility
    Using the Collect Product Information Utility
    Option Flags for collect-product-info
    Manage SSL Certificate Utility
    Using the Manage SSL Certificate Utility
    Option Flags for manage-ssl-certificate
    Multicast Network Test Utility
    Utility Messages
    Examples
    Using the Multicast Network Test Utility
    Option Flags for test-multicast
    Generate Replica Package Utility
    Online and Offline Synchronization
    Using the Generate Replica Package Utility
    Option-Flags for gen-replica-pkg
    Manage Nodes Utility
    Using the Manage Nodes Utility

Glossary

Preface

About This Guide

Make sure that you have a basic understanding of your server platform, operating system version, and system peripherals. This guide is intended for network and security administrators who are responsible for installing and managing the RSA Authentication Manager software.

RSA Authentication Manager Documentation

For more information about RSA Authentication Manager 7.0, see the following documentation:

Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues.

Getting Started. Lists what the kit includes (all media, diskettes, licenses, and documentation), specifies the location of documentation on the DVD or download kit, and lists RSA Security Customer Support web sites.

Planning Guide. Provides a general understanding of RSA Authentication Manager, its high-level architecture, its features, and deployment information and suggestions.

Installation and Configuration Guide. Describes detailed procedures on how to install and configure RSA Authentication Manager.

Administrator’s Guide. Provides information about how to administer users and security policy in RSA Authentication Manager 7.0.

Developer’s Guide. Provides information about developing custom programs using the RSA Authentication Manager 7.0 application programming interfaces (APIs). Includes an overview of the APIs and Javadoc for Java APIs.

Authentication Manager Help. Describes day-to-day administration tasks performed in the RSA Security Console. To view Help, click the Help tab on the RSA Security Console.

Tutorials

The following interactive tutorials are included on the RSA Authentication Manager 7.0 DVD or in the download kit:

ConsoleAdministration. Provides Overview and How-To information about the tasks you can perform on the RSA Security Console. You can also access this tutorial from the RSA Security Console by clicking Help > Console Tutorial.

SecurIDToken_HowTo. Describes the steps to authenticate using various RSA SecurID tokens. This tutorial can be provided to end users as a training tool.

To view these tutorials, you must have Adobe Flash Player 8 or later. To download the viewer, go to http://www.adobe.com/products/flashplayer/.

Related Documentation

RSA Authentication Agent 6.1.1 Special Edition for Microsoft Windows documentation set. This documentation set is included with the Authentication Agent software. RSA Authentication Agent 6.1.1 Special Edition for Microsoft Windows works with RSA Authentication Manager 7.0 to protect your company’s local Windows desktops.

Getting Support and Service

RSA SecurCare Online offers a Knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads.

The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA Security products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA Security products with these third-party products.

Before You Call Customer Support

Make sure you have access to the computer running the RSA Authentication Manager software.

Please have the following information available when you call:

• Your RSA Security License ID. You can find this number on your license distribution media, or in the RSA Security Console by clicking Setup > Licenses > Manage Existing, and then clicking View Installed Licenses.

• The Authentication Manager software version number. You can find this in the RSA Security Console by clicking Help > About RSA Security Console > See Software Version Information.

• The names and versions of the third-party software products that support the Authentication Manager feature on which you are requesting support (operating system, data store, web server, and browser).

• The make and model of the machine on which the problem occurs.

RSA SecurCare Online https://knowledge.rsasecurity.com

Customer Support Information www.rsasecurity.com/support

Chapter 1: Choosing Components for Installation

RSA Authentication Manager Components

Installation Types

LDAP Directory

RSA Authentication Manager Components

Understand the Authentication Manager components before you choose an installation type.

Authentication Server. The server that handles runtime authentication operations.

Internal database. The database required for policy data, which can optionally contain all user and group data also.

RSA Security Console. The web application for administering the system.

(optional) LDAP identity source. Provides access to user and group data residing in LDAP directories.

This set of Authentication Manager components alone is not sufficient for authentication operations. Your system must include authentication agents and other front-end components that are typically configured following the installation of Authentication Manager. See agent documentation at https://knowledge.rsasecurity.com.

Installation Types

At installation time, you must select an installation type. The installer creates differently configured combinations of Authentication Manager components on your system depending on which type of installation you choose: primary instance, replica instance, or server node. The installer also provides an option to install only Authentication Manager documentation and the Software Development Kit (SDK).

Installation Type        Authentication Server   Internal Database   RSA Security Console
Primary Instance         X                       X                   X
Replica Instance         X                       X                   X
Server Node              X                                           X
Documentation and SDK

An instance is a single database server, or a database server and one or more server nodes, acting as a single cohesive processing unit.

Primary Instance

The primary instance serves as the central point for administration and data storage in the system. You can add additional server nodes to a primary instance to improve performance. Also, you can connect your primary instance with replica instances that provide redundancy and failover.

Note: You must have an Advanced license to install server nodes. Server nodes are not available with a Base license.

The following figure shows a primary instance with no additional server nodes. The components installed on your database server machine by the installation type “Authentication Manager Primary Instance” are shown on the gray background.

This installation procedure is described in Chapter 4, “Installing an RSA Authentication Manager Primary Instance.”

[Figure: Primary instance. The database server hosts the Internal Database, Authentication Server, and RSA Security Console. Authentication agents (not installed by the Authentication Manager installer) connect over UDP; browser-based access to the RSA Security Console uses HTTPS.]

Replica Instance

A replica instance provides redundancy for geographical distribution and for failover. A replica instance is dependent on a primary instance and cannot perform administrative functions independently. It can, however, connect independently to its own server nodes to provide runtime authentication.

The following figure shows a replica instance together with the primary instance on which it depends. The components installed on your database server machine by the installation type “Authentication Manager Replica Instance” are shown on the gray background.

[Figure: Replica instance and the primary instance on which it depends. Each database server hosts an Internal Database, Authentication Server, and RSA Security Console (read-only on the replica instance). Authentication agents (not installed by the Authentication Manager installer) connect to each instance over UDP; the RSA Security Console is accessed over HTTPS, with read-only access on the replica instance; data replication links the two instances.]

The replica instance installation creates the same components on the database server as the primary instance installation, but it configures them differently:

The replica database server is configured to listen for administrative data replication from the primary database server. It logs its runtime operations to the primary database server.

The Security Console installed with the replica instance is limited to read-only operations.

To link a replica instance to a primary instance, you must first install the primary instance and then gather data from it for use in the replica instance installation. This process and all other replica instance installation details are described in Chapter 5, “Installing a Replica Instance for Failover.”

Server Node

A server node is a host that depends on a primary or replica database server. It handles operations in the same LAN subnet and provides improved agent authentication performance and failover.

Note: You must have an Advanced license to install server nodes. Server nodes are not available with a Base license.

The following figure shows a primary instance with two additional server nodes. You can add server nodes to a replica instance in the same way. The components installed on your server node machines by the installation type “Authentication Manager Server Node” are shown on the gray background.

[Figure: Primary instance with two server nodes. The database server hosts the Internal Database, Authentication Server, and RSA Security Console; each server node hosts an Authentication Server and RSA Security Console. Authentication agents (not installed by the Authentication Manager installer) connect over UDP; browser-based access to the RSA Security Console uses HTTPS.]

The Security Consoles shown on the server nodes receive requests distributed by the proxy service on the primary database server. In a typical configuration, browser access to the Security Console is directed to this proxy service at port 7004 on the primary instance database server.

To link a server node to a primary or replica database server, you must first install the primary or replica instance and then gather data from it for use in the server node installation. This process and all other server node installation details are described in Chapter 6, “Installing a Server Node for Improved Performance.”

LDAP Directory

If it is part of your deployment plan, configure Authentication Manager to use your organization’s LDAP directory to access your user data. Authentication Manager modifies certain existing user data fields in the LDAP directory only if you allow it. Those data fields include a user’s first and last name, e-mail address, and password. After installation, you can run the Initialize Identity Source utility and perform certain Security Console tasks to create a data connection between your LDAP directory and Authentication Manager. You must specify a base DN that contains all users in your LDAP directory who you want to be Authentication Manager users or administrators. For instructions on how to run the utility, see Chapter 8, “Accessing Users and Groups from an LDAP Directory.”

The following examples describe how to specify the base DN and user branch to include all users for two different LDAP configurations.

Example 1

All users reside in one container in the LDAP directory. Specify dc=company,dc=com as the base DN. Specify the container ou=People as the user branch.

dc=company,dc=com (base DN)
    ou=People (user branch): your users

Example 2

Users reside in multiple containers within a common container. Specify dc=company,dc=com as the base DN. Specify the container ou=NorthAmerica as the user branch.

dc=company,dc=com (base DN)
    ou=NorthAmerica (user branch)
        ou=Sales: your users
        ou=Research: your users
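Before running the Initialize Identity Source utility it helps to confirm which directory entries the chosen base DN and user branch actually cover. The following is an added example, not part of the RSA guide or product: it assumes the user branch is matched as a subtree beneath the base DN (as Example 2 implies), uses a simplified DN parser (no multi-valued RDNs or quoted values), and the sample user DNs, including ou=Europe, are constructed.

```python
"""Check which user DNs fall under <user branch>,<base DN> (added example)."""


def parse_dn(dn):
    """Split a DN into normalized (attribute, value) pairs, honoring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escaped character with its backslash
            i += 2
            continue
        if ch == ",":                    # unescaped comma ends the current RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        # dc, ou, cn and uid compare case-insensitively; stray spaces are ignored
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(user_dn, base_dn, user_branch):
    """True if user_dn lies strictly below the user branch inside the base DN."""
    root = parse_dn(user_branch) + parse_dn(base_dn)
    user = parse_dn(user_dn)
    return len(user) > len(root) and user[-len(root):] == root


def split_by_scope(user_dns, base_dn, user_branch):
    """Return (covered, not_covered) so the excluded accounts can be reviewed."""
    covered = [dn for dn in user_dns if in_scope(dn, base_dn, user_branch)]
    return covered, [dn for dn in user_dns if dn not in covered]


if __name__ == "__main__":
    # Constructed sample entries for the Example 2 layout.
    sample = [
        "cn=Ann Lee,ou=Sales,ou=NorthAmerica,dc=company,dc=com",
        "cn=Bo Chen,ou=Research,ou=NorthAmerica,dc=company,dc=com",
        "cn=Eve Roy,ou=Sales,ou=Europe,dc=company,dc=com",
    ]
    covered, missed = split_by_scope(sample, "dc=company,dc=com", "ou=NorthAmerica")
    print("covered:", covered)
    print("not covered:", missed)
```

Comparing parsed RDNs rather than raw string suffixes keeps an entry whose name contains an escaped comma from being counted as inside the branch.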

Chapter 2: Preparing for Installation

System Requirements

Pre-Installation

System Requirements

Make sure your system meets these requirements for supported platform and system components.

Note: Machines hosting the primary instance, replica instances, and server nodes must all use the same operating system.

Important: In a multi-node deployment, performance and scalability are affected by the hardware on which the database server and server nodes are installed. The database server handles authentication requests from the server nodes, as well as administration connections through the server nodes. The primary instance database server has the additional burden of handling all replication to and from the replica instances.

In terms of CPU speed, memory, and disk speed, RSA Security recommends that the database server be significantly more powerful than the server nodes, and that the primary instance database server be the most powerful machine in your deployment.

Windows System Requirements

Operating System: Microsoft Windows Server 2003 Enterprise, SP1 (32-bit)

Hardware: Intel Xeon 2.8 GHz or equivalent

Disk Space: 60 GB free space recommended; 20 GB free space minimum

Disk space usage depends on the scale of your deployment. With high numbers in excess of 1,000,000 token users, logging and archiving may take up greater amounts of space.

Important: Do not allow all disk space to become consumed. At that point, Authentication Manager may stop operating and be difficult to restore.

Memory Requirements: 2 GB

Linux System Requirements

Operating System: Red Hat Enterprise Linux 4.0-1 ES (32-bit x86)

Hardware: Intel Xeon 2.8 GHz or equivalent

Disk Space: 60 GB free space recommended; 20 GB free space minimum

Disk space usage depends on the scale of your deployment. With high numbers in excess of 1,000,000 token users, logging and archiving may take up greater amounts of space.

Important: Do not allow all disk space to become consumed. At that point, Authentication Manager may stop operating and be difficult to restore.

Memory Requirements: 2 GB

Swap Space: 2 GB

Kernel Version: 2.6.9-22.EL and later

Kernel Parameters: Maximum shared memory must be at least 256 MB

Packages (RPM): The following packages (or later versions) must be installed:

    binutils-2.15.92.0.2-12
    compat-db-4.1.29-5
    compat-libstdc++-296.2.9.6-132.7.2
    coreutils 5.2.1-31.2 or later
    control-center-2.8.0-12
    gcc-3.4.3-22.1
    gcc-c++-3.4.3-22.1
    gnome-libs-1.4.1.2.90-44.1
    glibc-common-3.4.3-22.1
    glibc-2.3.2-95.20
    initscripts 7.93.20 or later
    libstc++-3.4.3-22.1
    libaio-0.3.96
    make-3.80-5
    libstc++-devel-3.4.3-22.1
    pdksh-5.2.14-30
    setarch-1.6-1
    sysstat-5.0.5-1
    xscreensaver-4.18-5

Note: To check your RPM versions on Linux, use the command, rpm -q package name.


Supported Data Stores

Authentication Manager uses two categories of data:

Policy data

User and group data

For Authentication Manager, data can be stored in:

The internal database

One or more LDAP directories (called an identity source within Authentication Manager)

If you use only the internal database, both the policy data and the user and group data are stored there. If you integrate Authentication Manager with identity sources that hold your existing user and group data, only the policy data is stored in the internal database.

Internal Database

Authentication Manager is installed with an internal database. The internal database contains all application and policy data, and you may choose to store user and group data in it.

Identity Sources

Authentication Manager supports the use of an external LDAP directory for user and group data.

Supported LDAP directories are:

Sun Java System Directory Server 5.2, SP 3

Microsoft Active Directory 2003, SP 1

Note: Active Directory Application Mode (ADAM) is not supported.

Sun Java System Directory Server can be located on the same machine as Authentication Manager or on a different machine. However, both machines must be on the same network. Active Directory must be located on a different machine.

Authentication Manager LDAP integration does not modify your existing LDAP schema, but rather creates a map to your data that Authentication Manager uses. The use of SSL-LDAP requires that the appropriate certificate and key are accessible by Authentication Manager.

Supported Browsers

This section describes the browsers supported for the RSA Security Console. Browser support differs between Windows and Linux platforms.

On Windows

Internet Explorer 6.0 with SP2


On Linux

Firefox 1.0.7 and later

Note: On all browsers, JavaScript must be enabled. Internet Explorer may require configuration depending on your security level.

For instructions on enabling JavaScript, see “Logging On to the RSA Security Console” on page 66.

Supported RSA Authentication Agents

You install RSA Authentication Agents on the resources that you want to protect, such as local computers, terminal servers, and web servers.

RSA Authentication Agents receive authentication requests and forward them to Authentication Manager through a secure channel. Based on the response from Authentication Manager, agents either allow the user to log on or deny the user access. Authentication Manager is compatible with these RSA Authentication Agents:

RSA Authentication Agent 6.1.1 Special Edition for Microsoft Windows

RSA Authentication Agent 5.3 for Web for Internet Information Services

RSA Authentication Agent 5.3 for Web for Apache

RSA Authentication Agent 5.3 for Web for Sun Java System

RSA Authentication Agent 5.3.4 for PAM

RSA ACE/Agent 5.2 for UNIX

You can download Agents from the RSA Authentication Agent software page at https://www.rsasecurity.com/node.asp?id=1174.

Licensing

Before you install Authentication Manager, make sure you have a valid Authentication Manager license close at hand. RSA Security provides the license files separately from your RSA Authentication Manager 7.0 DVD or download kit.

The license allows you access to certain functionality and limits the number of users that can be registered. The license file is accompanied by a server key and certificate that are used to verify (authenticate) the identity of the server.

Maintaining Accurate System Time Settings

Authentication Manager relies on standard time settings known as Coordinated Universal Time (UTC). The time, date, and time zone settings on computers running Authentication Manager must always be correct in relation to UTC.

Make sure that the time on the computer on which you are installing Authentication Manager is set to the local time and corresponds to the UTC. For example, if UTC is 11:43 a.m. and Authentication Manager is installed on a computer in the Eastern Standard Time Zone in the United States, make sure the computer clock is set to 6:43 a.m. This differs during daylight saving time.

To get the correct UTC, see www.time.gov.

Note: If you employ an NTP service, enable it on the primary instance database server only. This database server typically maintains the replica instance time synchronization automatically.

Pre-Installation

This section describes important pre-installation tasks required to prepare your system for installation. Carefully review the pre-installation checklist for your platform.

“Pre-Installation Checklist for Windows” on page 21

“Pre-Installation Checklist for Linux” on page 22

“System Update Script for Linux” on page 25

Pre-Installation Checklist for Windows

Before installing Authentication Manager, review the Release Notes, which contain important configuration and installation information.

You must have:

• A machine that meets all the hardware, disk space, memory, and platform requirements described in “Windows System Requirements” on page 17.

• Local administrator privileges on the machine.

• A static IP address. DHCP is not supported.

Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is for the primary network adapter. The Security Console listens only to the IP address you specify.

• A password between 8 and 32 characters including at least six alphabetic characters and one non-alphanumeric character. “@” and “~” are excluded. This case-sensitive password is used in Authentication Manager for the Super Admin password as well as the master password for initial access to protect the vault containing important system passwords. You can change both passwords after installation if desired. See “Passwords and Keys in systemfields.properties” on page 67.

• A temporary directory defined on the host machine. The TEMP variable must be defined, or the installer fails. Installation logs are copied to this directory.

• The following entry in %WINDIR%\system32\drivers\etc\hosts:

127.0.0.1 localhost.localdomain localhost

If this entry does not exist, you must add it before installing Authentication Manager. Enter the entire line exactly as shown.

You must:

• Verify that the host machine does not have an existing installation of RSA Authentication Manager or RSA ACE/Server. An existing installation of any version of these products must be uninstalled before you proceed with the new installation.

• Verify that the host does not have an existing installation of Oracle. An existing Oracle database server must be uninstalled before you proceed with the new installation, which includes an internal database.

• Verify that these TCP ports are available for the installed Authentication Manager components:

    5550 - agent auto-registration
    5580 - offline authentication
    2334 - internal database
    7002 - RSA Security Console (secure connection)
    7004 - RSA Security Console proxy server (secure connection)
    7006 - WebLogic administration console/SSL
    7008 - WebLogic administration console/SSL
    7012 - RSA Security Console/SSL
    7014 - RSA Security Console proxy server/SSL

• Verify that these UDP ports are available for the installed Authentication Manager components:

    1161 - SNMP Agent
    1162 - SNMP Agent
    5500 - agent authentication

• Perform a reverse lookup on the IP address where you will install Authentication Manager. Make sure the IP address maps to one hostname. If it maps to more than one hostname, you must modify your DNS server configuration settings.

• If you are using network storage, make sure the disk is mounted at the same location on all nodes in the cluster.

• Back up your Windows registry settings prior to installation.
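Several items in the checklist above, which the Linux checklist repeats, can be verified by script before the installer is launched. The following is an added example, not an RSA-supplied tool: it checks the password rule, the required hosts entry, the reverse lookup, and the listed TCP and UDP ports. The function names, the sample address 192.0.2.10, the sample hostname and the sample password are constructed, and the password rule is read as "at least one non-alphanumeric character, with @ and ~ not allowed anywhere".

```python
"""Preflight checks for the pre-installation checklist (added example)."""
import socket

# Port numbers copied from the checklist above.
TCP_PORTS = [5550, 5580, 2334, 7002, 7004, 7006, 7008, 7012, 7014]
UDP_PORTS = [1161, 1162, 5500]
HOSTS_FIELDS = ["127.0.0.1", "localhost.localdomain", "localhost"]


def password_problems(pw):
    """Return the checklist rules that the candidate password violates."""
    problems = []
    if not 8 <= len(pw) <= 32:
        problems.append("length must be 8 to 32 characters")
    if sum(c.isalpha() for c in pw) < 6:
        problems.append("needs at least six alphabetic characters")
    if all(c.isalnum() for c in pw):
        problems.append("needs a non-alphanumeric character")
    if any(c in "@~" for c in pw):
        problems.append('"@" and "~" are excluded')
    return problems


def hosts_entry_ok(hosts_text):
    """True if a line carries exactly the three required fields and nothing else."""
    for raw in hosts_text.splitlines():
        if raw.split("#", 1)[0].split() == HOSTS_FIELDS:
            return True
    return False


def reverse_names(ip, resolver=socket.gethostbyaddr):
    """Names the resolver reports for ip; empty if the lookup fails.

    gethostbyaddr only lists extra names when the resolver supplies them as
    aliases, so treat one name as necessary, not as proof of a single PTR record.
    """
    try:
        primary, aliases, _ = resolver(ip)
    except OSError:
        return []
    return sorted({name.lower() for name in [primary, *aliases]})


def port_is_free(port, kind, address="0.0.0.0"):
    """Try to bind the port; a refused bind means another process holds it."""
    sock_type = socket.SOCK_STREAM if kind == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, sock_type) as sock:
        try:
            sock.bind((address, port))
        except OSError:
            return False
    return True


def preflight(ip, hosts_text, password, resolver=socket.gethostbyaddr):
    """Collect findings; an empty list means every check passed."""
    findings = ["password: " + p for p in password_problems(password)]
    if not hosts_entry_ok(hosts_text):
        findings.append("hosts file lacks the required 127.0.0.1 line")
    names = reverse_names(ip, resolver)
    if len(names) != 1:
        findings.append("reverse lookup of %s returned %d names" % (ip, len(names)))
    for kind, ports in (("tcp", TCP_PORTS), ("udp", UDP_PORTS)):
        findings += ["%s port %d is in use" % (kind, p)
                     for p in ports if not port_is_free(p, kind)]
    return findings


if __name__ == "__main__":
    # Constructed inputs; substitute the real hosts file, address and password.
    sample_hosts = "127.0.0.1 localhost.localdomain localhost\n"

    def sample_dns(ip):
        return ("am-primary.example.com", [], [ip])

    result = preflight("192.0.2.10", sample_hosts, "Examp1e-Passw0rd", sample_dns)
    for line in result or ["all checks passed"]:
        print(line)
```

Run it as the account that will perform the installation, on the target host, so the port checks reflect that machine.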

Pre-Installation Checklist for Linux

You must perform these Linux pre-installation tasks prior to proceeding with the installation.

(23)

2: Preparing for Installation 23 You must have:

‰ A machine that meets all the hardware, disk space, memory, and platform requirements described in “Linux System Requirements” on page 18. ‰ Local administrator privileges on the machine.

• A static IP address. DHCP is not supported.

Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is for the primary network adapter. The Security Console listens only to the IP address you specify.

• A password between 8 and 32 characters including at least six alphabetic characters and one non-alphanumeric character. “@” and “~” are excluded. This case-sensitive password is used in Authentication Manager for the Super Admin password as well as the master password for initial access to protect the vault containing important system passwords. You can change both passwords after installation if desired. See “Passwords and Keys in systemfields.properties” on page 67.

• The following entry in your /etc/hosts file:

127.0.0.1 localhost.localdomain localhost

If this entry does not exist, you must add it before installing Authentication Manager. Enter the entire line exactly as shown.

Note: This entry must not contain the hostname that will be used for Authentication Manager configuration. Make sure it only contains localhost and localhost.localdomain.

You must:

• Create a new user with write permission to the installation location. The default installation location is /usr/local/RSASecurity/RSAAuthenticationManager. Do not run the installation as root user.

• Verify that the host machine does not have an existing installation of RSA Authentication Manager or RSA ACE/Server. An existing installation of any version of these products must be uninstalled before you proceed with the new installation.

• Verify that the host does not have an existing installation of Oracle. An existing Oracle database server must be uninstalled before you proceed with the new installation, which includes an internal database.

• Verify that these TCP ports are available for the installed Authentication Manager components:

5550 - agent auto-registration

5580 - offline authentication

2334 - internal database


7004 - RSA Security Console proxy server (secure connection)

7006 - WebLogic administration console/SSL

7008 - WebLogic administration console override/SSL

7012 - RSA Security Console/SSL

7014 - RSA Security Console proxy server/SSL

• Verify that these UDP ports are available for the installed Authentication Manager components:

1161 - SNMP Agent

1162 - SNMP Agent

5500 - agent authentication

• Set or verify the following configuration attributes in your configuration files prior to installation. You may find it more convenient to make these changes as root user and reboot once before beginning the installation process. If any of these parameters are not set properly, the Linux installer dynamically creates a script to correct them and prompts you to run the script as root user before proceeding with the installation.

In /etc/sysctl.conf, add:

kernel.sem = 250 32000 32 128

Note: These kernel semaphore parameters are minimum values. If you have already set them to a higher value, they do not need to be changed.

In /etc/security/limits.conf, add:

user soft nproc 2047
user hard nproc 16384
user soft nofile 1024
user hard nofile 65536

where user is the User ID for the user installing Authentication Manager.

In /etc/pam.d/login, add:

session required /lib/security/pam_limits.so

• Perform a reverse lookup on the IP address where you will install Authentication Manager. Make sure the IP address maps to one hostname. If it maps to more than one hostname, you must modify your DNS server configuration settings.

• If running the GUI-based installer on Linux, you must set the DISPLAY environment variable to point to a valid X Windows server, for example: export DISPLAY=..etc

• If you are using network storage, make sure the disk is mounted at the same location on all server nodes in the cluster.
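The checklist items above that can be verified mechanically (the /etc/hosts entry, the kernel.sem minimums, the limits.conf lines, the TCP and UDP ports, and the password rules) are shown here as an added shell example. It is not part of the RSA guide or installer; the function names and the /proc/net parsing are this example's own choices.

```shell
#!/bin/sh
# Added example: checks for the Linux pre-installation checklist.
# Files and values are parameters, so each check can also run on a copy.
# Usage on the target host: sh precheck.sh INSTALL_USER AM_HOSTNAME

REQUIRED_HOSTS_LINE='127.0.0.1 localhost.localdomain localhost'
# 7002 is listed in the Windows checklist on this page; the Linux list as
# reproduced here does not show it, so including it is an assumption.
TCP_PORTS='5550 5580 2334 7002 7004 7006 7008 7012 7014'
UDP_PORTS='1161 1162 5500'

# check_hosts FILE AM_HOSTNAME
# Succeeds only if the required loopback line is present (blanks collapsed)
# and no 127.0.0.1 line names the hostname planned for Authentication Manager.
check_hosts() {
    awk -v want="$REQUIRED_HOSTS_LINE" -v host="$2" '
        { sub(/#.*/, "") }              # drop comments
        NF == 0 { next }
        { $1 = $1 }                     # collapse runs of blanks and tabs
        $0 == want { found = 1 }
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(host)) bad = 1
        }
        END { exit !(found && !bad) }' "$1"
}

# check_kernel_sem "SEMMSL SEMMNS SEMOPM SEMMNI"
# The four values are minimums; higher values pass.
check_kernel_sem() {
    set -- $1
    [ "$#" -eq 4 ] || return 1
    [ "$1" -ge 250 ] && [ "$2" -ge 32000 ] && [ "$3" -ge 32 ] && [ "$4" -ge 128 ]
}

# check_limits FILE USER
# Reports each of the four limits.conf lines that is missing for USER.
check_limits() {
    awk -v u="$2" '
        /^[ \t]*#/ { next }
        $1 == u { seen[$2 " " $3 " " $4] = 1 }
        END {
            n = split("soft nproc 2047|hard nproc 16384|soft nofile 1024|hard nofile 65536", want, "|")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "missing: " u " " want[i]; miss = 1 }
            exit miss + 0
        }' "$1"
}

# check_password PASSWORD
# 8 to 32 characters, at least six alphabetic, at least one
# non-alphanumeric, and neither "@" nor "~".
check_password() {
    pw=$1
    len=${#pw}
    [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
    case $pw in *[@~]*) return 1 ;; esac
    alpha=$(( $(printf '%s' "$pw" | tr -cd 'A-Za-z' | wc -c) ))
    other=$(( $(printf '%s' "$pw" | tr -d 'A-Za-z0-9' | wc -c) ))
    [ "$alpha" -ge 6 ] && [ "$other" -ge 1 ]
}

# ports_in_use PROCFILE tcp|udp PORT...
# PROCFILE uses the /proc/net/tcp or /proc/net/udp layout. Prints each listed
# port held by a listening TCP socket (st 0A) or by any UDP socket.
ports_in_use() {
    f=$1; proto=$2; shift 2
    for p in "$@"; do
        hex=$(printf '%04X' "$p")
        awk -v hex="$hex" -v proto="$proto" '
            NR > 1 && (proto == "udp" || $4 == "0A") {
                n = split($2, a, ":"); if (a[n] == hex) hit = 1
            }
            END { exit !hit }' "$f" && echo "$p"
    done
    return 0
}

# run_prechecks INSTALL_USER AM_HOSTNAME (live system, IPv4 socket tables only)
run_prechecks() {
    rc=0
    check_hosts /etc/hosts "$2" || { echo "FAIL: /etc/hosts loopback entry"; rc=1; }
    check_kernel_sem "$(cat /proc/sys/kernel/sem)" || { echo "FAIL: kernel.sem below minimum"; rc=1; }
    check_limits /etc/security/limits.conf "$1" || rc=1
    busy=$(ports_in_use /proc/net/tcp tcp $TCP_PORTS; ports_in_use /proc/net/udp udp $UDP_PORTS)
    [ -z "$busy" ] || { echo "FAIL: ports in use:" $busy; rc=1; }
    return "$rc"
}

if [ "$#" -ge 2 ]; then run_prechecks "$@"; fi
```

The reverse-lookup item is not covered, because it depends on your DNS server rather than on local files.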


System Update Script for Linux

On Linux, the installer checks your system for issues that can block a successful installation. If the installer determines that any system parameters require updating, it creates a script to update the parameters in /tmp/rsa_am_timestamp/.

If your system requires updating, the installer presents you with the following options:

Exit the installer, and run the system update script as root. If the script instructs you to do so, log off and log on again before you proceed with the installation.

Continue anyway, without running the script or doing updates. Select this option to enable the Next button, and proceed with the installation.

Important: Select the option to continue anyway only if you are certain the installation will not fail. This option is best used under consultation with RSA Customer Support or Professional Services.

3: Identifying the Installation Process for Your Deployment Model

Planning Your Deployment

Deployment Process

Example Deployments

Planning Your Deployment

Before installing any Authentication Manager component, make sure you know the details of your overall deployment. RSA Security strongly recommends that you read the Planning Guide and complete a planning checklist, as shown below, before beginning your installation.

Pre-Installation

Element | Description | Your Plan

License type
  • Base
  • Advanced

Platform
  • Windows
  • Linux

Master password

Installation

Element | Description | Your Plan

Primary instance
  Physical location
  Name and IP address of the database server
  Name and IP address of any server nodes

Replica instances
  Number of instances
  Physical location(s)
  Name and IP address of the database server
  Name and IP address of any server nodes

Identity Source Configuration

Identity source(s)
  Number and type
  For example:
    • RSA Authentication Manager internal database
    • Active Directory
    • Active Directory forests
    • Sun Java System Directory Server
  LDAP URL of the LDAP identity source
  User defined unique identity source name
  LDAP server user name
  LDAP server password
  URL of the failover identity source (optional)
  Authentication Manager administrator user name
  Authentication Manager administrator password

Administrative Configuration

Element | Description | Your Plan

Realm
  Number
  Names

Security domains
  Top-level name
  Lower-level names

Token(s)
  Number and type
  For example:
    • RSA SecurID token
    • RSA Smart Card
    • RSA SecurID Software Toolbar Token
    • RSA USB token
  Contact person for obtaining token seed records

Policies
  Number of custom policies
  Names of security domains requiring custom policies
  Method of PIN creation
  For example:
    • System-generated
    • User-generated
  Length of PINs (4-8 characters)
  Character restrictions on PINs
  Number of failed authentication attempts allowed before user lockout
  Method of unlocking locked user.
  For example:
    • Automatically
    • Manually
  Password lifetime
  Maximum and minimum password length
  Number of restricted old passwords
  Excluded words dictionary
  Character restrictions on password
  Lifetime of Emergency Access Tokencodes
  Behavior of Emergency Access Tokencode when token is recovered
  For example:
    • Deny authentication with the token
    • Allow authentication with the token and disable the Emergency Access Tokencode
    • Allow authentication with the token only after the Emergency Access Tokencode expires

Post-Installation

Element | Description | Your Plan

Resources to protect
  For example:
    • File servers
    • Databases
    • Identity sources

Agents
  Number


Deployment Process

Make sure you understand the decision points and tasks required by the Authentication Manager deployment process. Depending on your needs, your deployment may require multiple replica instance or server node installation tasks. The following figure is only a general guide.

Note: You must have an Advanced license if you need to install more than one replica instance.

[Figure: deployment process flowchart. Steps and decision points: Start; Install Primary Instance (Chapter 4); Install Replicas?; Install Replica(s) (Chapter 5); Add Server Nodes? (Advanced License Required); Install Server Node(s) (Chapter 6); Add Users from LDAP?; Adding Users and Groups from an LDAP Directory (Chapter 8)]


Example Deployments

Review these example deployments, choose the deployment that best fits your company’s requirements, and refer to the related sections.

The examples in the following sections provide a high-level view of the steps required to install different types of deployments. Your specific deployment may combine aspects of more than one example.

Small Deployment

Medium Deployment

Large Deployment

Note: These examples are based on detailed planning scenarios described in the Planning Guide.

Small Deployment

This example deployment illustrates the installation of a primary instance with a replica instance for failover.

[Figure: small deployment. Labels: Primary Instance, Replica Instance, Database Server, Internal Database, Data Replication]

Task See

1. Verify that all Authentication Manager machines meet the system requirements.

Chapter 2, “Preparing for Installation”

2. Install the primary instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.

Chapter 4, “Installing an RSA Authentication Manager Primary Instance”

3. Install the replica instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.

Chapter 5, “Installing a Replica Instance for Failover”

4. Perform post-installation tasks to prepare the RSA Security Console for administration.

Chapter 7, “Performing Post-Installation Tasks”

Medium Deployment

This example deployment illustrates installing a primary instance with an additional server node and LDAP integration, and then a replica instance with an additional server node for failover.

[Figure: medium deployment. Labels: Primary Instance, Replica Instance, Database Server, Server Node, Internal Database, Active Directory, Data Replication]

Task See

1. Verify that all Authentication Manager machines meet the system requirements.

Chapter 2, “Preparing for Installation”

2. Install the primary instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.

Chapter 4, “Installing an RSA Authentication Manager Primary Instance”

3. Install a server node. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.

Note: Repeat this process for each server node you want to install.

Chapter 6, “Installing a Server Node for Improved Performance”

4. Install the replica instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.

Chapter 5, “Installing a Replica Instance for Failover”

5. Install a server node on the replica instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.

Note: Repeat this process for each server node you want to install.

Chapter 6, “Installing a Server Node for Improved Performance”

6. Perform post-installation tasks to prepare the Security Console for administration.

Chapter 7, “Performing Post-Installation Tasks”

7. Integrate your existing LDAP directory as the authoritative user and group identity source.

Chapter 8, “Accessing Users and Groups from an LDAP Directory”


Large Deployment

This example deployment extends the medium business deployment by adding replica instances at additional sites as well as a heterogeneous LDAP environment that includes Sun Java System Directory Server and Microsoft Active Directory.

[Figure: large deployment. Labels: Site 1, Site 2, Site 3, Primary Instance, Replica Instance, Database Server, Server Node, Internal Database, Active Directory, Active Directory Global Catalog, Sun Java System Directory Server, Data Replication Among All Internal Databases]

Task See

1. Verify that all Authentication Manager machines meet the system requirements.

Chapter 2, “Preparing for Installation”

2. Install the primary instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.

Chapter 4, “Installing an RSA Authentication Manager Primary Instance”

3. Install a server node. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.

Note: Repeat this process for each server node you want to install.

Chapter 6, “Installing a Server Node for Improved Performance”

4. Install the replica instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.

Chapter 5, “Installing a Replica Instance for Failover”

5. Install a server node on the replica instance. Be sure to secure backup files and verify that the installation was successful by performing a test authentication after completing the installation.

Note: Repeat this process for each server node you want to install.

Chapter 6, “Installing a Server Node for Improved Performance”

6. Perform post-installation tasks to prepare the Security Console for administration.

Chapter 7, “Performing Post-Installation Tasks”

7. Integrate your existing LDAP directory as the authoritative user and group identity source.

Chapter 8, “Accessing Users and Groups from an LDAP Directory”

4: Installing an RSA Authentication Manager Primary Instance

GUI-Based Installation

Command Line Installation

Silent Installation

Securing Backup Files

Verifying the Installation

GUI-Based Installation

Use the GUI-based installer if you prefer standard graphical screens to assist you through the process.

Installation time varies depending on system speed and memory. Make sure you allow at least one hour to perform the installation.

To install Authentication Manager using the GUI-based installer:

1. Locate and launch the installer for your platform:

auth_mgr\win32-x86\setup.exe (Windows)

auth_mgr/linux-x86/setup.sh (Linux)

2. Respond to the prompts for Welcome, Select Region, License Agreement, and Choose Destination Location.

3. Select Authentication Manager Primary Instance.

Important: At this point, the installer informs you of unmet or missing requirements and prerequisites for installation and offers you the option to continue anyway. Select Continue anyway only if you are directed to do so by RSA Customer Support or if you are certain you want to accept the risk. On Linux, the installer may warn you to run a system configuration script before continuing. Run this script as root user, not as the installation user. See “System Update Script for Linux” on page 25.

Note: If you want to change the installation type at a later date, you must uninstall the existing Authentication Manager and reinstall it using the new installation type. Installation types are described in “Installation Types” on page 11.

4. The installer displays the hostname and IP address that will be used for installation. Check this information. Click OK > Next if it is the expected hostname and IP address.

Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is for the primary network adapter. The Security Console listens only to the IP address you specify.

5. Locate the folder that contains your Authentication Manager license file, server key, and certificate files. Click Browse to find and select this folder on the installation host (the files in the folder are not displayed). Click Next, and verify the license information.

The license allows you access to certain functionality and limits the number of users that can be registered. The server key and certificate are used to verify (authenticate) the identity of the server.

6. At the prompt, enter and confirm a Super Admin and master password. The value you enter is used for both the initial Super Admin password and the password for operations such as installing a replica instance or handling security certificates.

The password must be between 8 and 32 characters and include at least six alphabetic characters and one non-alphanumeric character. “@” and “~” are excluded.

7. Review the summary screen, verifying the features you have selected and the disk space required.

8. To begin copying Authentication Manager files, click Install. The installer begins copying files and displays a progress indicator.

9. Click Finish to close the installer.

Unless you clear the checkboxes for opening the Release Notes and Security Console, these will open in your default browser after you click Finish.

10. When prompted by your browser, accept the certificate for the Security Console. As part of the normal installation, the installer creates a certificate authority and uses it to sign the Security Console browser certificate.

11. Continue to “Securing Backup Files” on page 43 to perform important post-installation tasks.

If you encounter any problems installing Authentication Manager, see Appendix A, “Troubleshooting.”

Command Line Installation

Use the command line installation if you prefer a command interface or if you intend to run the installation through a script. The prompts for command line installation are displayed with instructions on how to proceed or select options. Enter 1 to proceed, 3 to cancel, and 5 to redisplay.

To install Authentication Manager using the command line installer:

1. From a command prompt, change to the directory containing the installer:

auth_mgr\win32-x86\setup.exe (Windows)

auth_mgr/linux-x86/setup.sh (Linux)

2. Enter the appropriate command for your platform:

For Windows, type:

setup.exe -console

For Linux, type:

./setup.sh -console

3. Respond to the prompts for Select Region, License Agreement, and Choose Destination Location.

Note: If you are not automatically taken to the next prompt, type 0.

4. Select Authentication Manager Primary Instance.

Important: At this point, the installer informs you of unmet or missing requirements and prerequisites for installation and offers you the option to continue anyway. Select “Continue anyway” only if you are directed to do so by RSA Customer Support or if you are certain you want to accept the risk. On Linux, the installer may warn you to run a system configuration script before continuing. Run this script as root user, not as the installation user. See “System Update Script for Linux” on page 25.

5. The installer displays the hostname and IP address that will be used for installation. Check this information, and select 1 if it is the expected hostname and IP address.

Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is for the primary network adapter. The Security Console listens only to the IP address you specify.

6. Enter the name of the folder that contains your Authentication Manager license file, server key, and certificate files.

The license allows you access to certain functionality and limits the number of users that can be registered. The server key and certificate are used to verify (authenticate) the identity of the server.

7. At the prompt, enter and confirm a Super Admin and master password. The value you enter is used for both the initial Super Admin password and the password for operations such as installing a replica instance or handling security certificates. The password must be between 8 and 32 characters and include at least six alphabetic characters and one non-alphanumeric character. “@” and “~” are excluded.

8. Review the summary screen, verifying the features you have selected and the disk space required.

Once you proceed from this screen, the installer begins copying files and displays a progress indicator. To cancel the installation, enter 3, and respond 1 (Yes) to the prompts to remove installer files.

9. When the installer displays a message indicating successful installation, continue to “Securing Backup Files” on page 43 to perform important post-installation tasks.

If you encounter any problems installing Authentication Manager, see Appendix A, “Troubleshooting.”

Silent Installation

For a silent installation, you must:

Locate the appropriate response file template for your installation type (primary instance, replica instance, or server node), edit it with your actual values, and save it as a response file.

Launch the installer with arguments that specify ‘silent’ and point to the response file.

These tasks are described in the following sections.

Creating a Response File from the Template

Locate the following response file templates in resource/silent_install/:

primary_template.txt

replica_template.txt

node_template.txt

To create a response file from the template:

1. Open the appropriate template file for your installation type.

2. Enable settings in the template by removing the leading ### characters from each line of text (search to find the settings you can change).

3. Specify values for enabled settings by replacing the characters '<value>' with the actual value for that setting.

See the manual installation chapter for your installation type. For example, refer to Chapter 4, “Installing an RSA Authentication Manager Primary Instance” when editing primary_template.txt.

4. Save your changes with a new filename. This filename is required in the next step, launching a silent installation.


Launching a Silent Installation

To perform a silent installation, add -silent -options response_file to your installation command.

GUI-Based Windows Example:

setup.exe -silent -options response1.txt

Command Line Windows Example:

setup.exe -console -silent -options response1.txt

GUI-Based Linux Example:

setup.sh -silent -options response1.txt

Command Line Linux Example:

setup.sh -console -silent -options response1.txt

Note: If you use the GUI-based installer for silent installation, the screens are displayed with the response file values in place of the defaults, which may be manually overridden.
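The template steps above (remove the leading ### from a setting, replace '<value>') and a check to run before launching are shown here as an added shell example; it is not RSA tooling. The setting names are hypothetical because this page does not show the template contents, and the owner-only file mode is this example's choice, made because the values entered in a manual installation include the Super Admin and master password.

```shell
#!/bin/sh
# Added example: build a silent-install response file from a template.

# render_response TEMPLATE OUT KEY=VALUE...
# Enables each named setting (drops the leading ###) and replaces its
# <value> placeholder literally, so characters such as & \ / in a password
# are written unchanged. Fails and removes OUT if a KEY is not in the template.
render_response() (
    tmpl=$1; out=$2; shift 2
    umask 077                                   # OUT may hold passwords
    cp "$tmpl" "$out" || exit 1
    for kv in "$@"; do
        KEY="${kv%%=*}" VAL="${kv#*=}" awk '
            BEGIN { key = ENVIRON["KEY"] "="; val = ENVIRON["VAL"]; ph = "<value>" }
            /^###/ {
                line = $0
                sub(/^###[ \t]*/, "", line)     # enabled form of this line
                k = index(line, key); p = index(line, ph)
                if (k && p > k) {
                    $0 = substr(line, 1, p - 1) val substr(line, p + length(ph))
                    hit = 1
                }
            }
            { print }
            END { exit !hit }' "$out" > "$out.tmp" || {
                echo "setting not found in template: ${kv%%=*}" >&2
                rm -f "$out" "$out.tmp"
                exit 1
            }
        mv "$out.tmp" "$out"
    done
)

# response_ready FILE
# Fails, listing the lines, if any enabled (uncommented) line still
# contains the <value> placeholder.
response_ready() {
    awk '!/^[ \t]*#/ && index($0, "<value>") { print FILENAME ":" NR ": " $0; n++ }
         END { exit (n > 0) }' "$1"
}

# Example flow (hypothetical setting name, file names as in the guide):
#   render_response primary_template.txt response1.txt 'EXAMPLE_SETTING=value' &&
#   response_ready response1.txt &&
#   ./setup.sh -console -silent -options response1.txt
```

Delete or move the response file to protected storage once the installation has finished.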

Securing Backup Files

The installer automatically backs up a list of important files to RSA_AM_HOME/backup. Immediately after installation, move the backup directory to a secure location.

Important: For highest security, store SYSTEM.SRK, included in your backup folder, on removable media. Retrieve this private key only for disaster recovery.

Verifying the Installation

To verify that the installation was successful:

1. Access the Security Console web application from supported browsers by entering the Security Console URL as shown:

https://fully qualified domain name:7004/console-ims/

For example, if the fully qualified domain name of your Authentication Manager installation is “host.mycompany.com”, type the following in your browser:

https://host.mycompany.com:7004/console-ims

5: Installing a Replica Instance for Failover

Preparing to Install a Replica Instance

GUI-Based Installation

Command Line Installation

Silent Installation

Rebalancing Contact Lists

Securing Backup Files

Verifying the Installation

Preparing to Install a Replica Instance

Gather information from the primary database server, and make it available to the replica database server host. Perform these steps:

1. Synchronize the clocks between the machines hosting the primary and replica instances. See the following section, “Synchronizing Clocks.”

2. Create a replica package file from the primary database server using the Generate Replica utility. Optionally, your replica package may contain data for offline synchronization. For instructions, see “Creating a Replica Package File” on page 46.

Online synchronization transfers all data from the primary instance database server to the replica instance over a network connection. Offline synchronization transfers only administrative data. The replica instance is initialized with the data from the replica package. You can use this method only if you generated a primary data file.

3. Transfer the replica package file to the target host. Each package file is unique, functioning properly only on the host specified during its creation. For instructions, see “Transferring the Replica Package File” on page 47.

Synchronizing Clocks

You must ensure that the clocks for the primary instance and replica instance are synchronized.

For Windows systems, type the following command at all replica instances:

NET time \\primarycomputername /set

For Linux systems, type the following command at all replica instances:

net time set -S primarycomputername


Creating a Replica Package File

For complete detail on replica utility commands, run rsautil gen-replica-pkg --help from a command prompt in RSA_AM_HOME/utils/.

With the optional argument --generate-data, or -g, you can include in the package a data file containing all the relevant data from the primary instance database server for offline synchronization. If your system has been active long enough to accumulate a large amount of data, and the connection speed between your primary instance database server and replica instance database server host is limited, you might decide to use offline synchronization to speed up your replica instance deployment.

Important: Generating a data file requires up to two times the disk space used by the data.

Important: You must use the replica package within seven days after it is created. If you do not use it within seven days, you must create a new replica package.

To create a replica package for offline synchronization:

1. From a command prompt on the host of the primary instance database server, change directories to RSA_AM_HOME/utils/.

2. Enter the command:

rsautil gen-replica-pkg -t hostname [-u admin_username][-g]

where:

hostname is the fully qualified hostname of the replica database server host.

admin_username is the Super Admin user name. The default is admin.

-g indicates that you want to generate the primary data file as part of the replica package, to use for offline synchronization during installation.

3. If you did not enter -g, when prompted, indicate if you will use offline synchronization.

4. Enter the Super Admin password when prompted.

5. Enter your master password when prompted. By default, this is the same as the Super Admin password, unless the Super Admin password was changed after installation.

The message “Successfully generated hostname-replica.pkg” appears.

The replica package will be output to the current directory as hostname-replica.pkg. For more information on the Generate Replica Package utility, see Appendix B, “Command Line Utilities.”


Transferring the Replica Package File

Once you have used the Generate Replica Package utility on the primary instance database server to create a replica package, transfer it to the target host. RSA Security recommends that you transfer the package through a secure network or by removable media.

Note the location on the target host where you copy the package. This information, along with the master password, is required during installation.

GUI-Based Installation

Use the GUI-based installer if you prefer standard graphical screens to assist you through the process.

Installation time varies depending on system speed and memory. Make sure you allow at least one hour to perform the installation.

Important: When you install multiple replica instances, you must install them serially. Do not attempt to install them in parallel.

To install Authentication Manager using the GUI-based installer:

1. Locate and launch the installer for your platform:

auth_mgr\win32-x86\setup.exe (Windows)

auth_mgr/linux-x86/setup.sh (Linux)

2. Respond to the prompts for Welcome, Select Region, License Agreement, and Choose Destination Location.

3. Select Authentication Manager Replica Instance.

Important: At this point, the installer informs you of unmet or missing requirements and prerequisites for installation and offers you the option to continue anyway. Select Continue anyway only if you are directed to do so by RSA Customer Support or if you are certain you want to accept the risk. On Linux, the installer may warn you to run a system configuration script before continuing. Run this script as root user, not as the installation user. See “System Update Script for Linux” on page 25.

Note: If you want to change the installation type at a later date, you must uninstall the existing Authentication Manager and reinstall it using the new installation type. Installation types are described in “Installation Types” on page 11.

4. The installer displays the hostname and IP address that will be used for installation. Check this information. Click OK > Next if it is the expected hostname and IP address.

Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is for the primary network adapter. The Security Console listens only to the IP address you specify.

5. Locate the folder that contains your Authentication Manager license file, server key, and certificate files. Click Browse to find and select this folder on the installation host (the files in the folder are not displayed). Click Next, and verify the license information.

The license allows you access to certain functionality and limits the number of users that can be registered. The server key and certificate are used to verify (authenticate) the identity of the server.

6. Review the summary screen, verifying the features you have selected and the disk space required.

7. Enter the following information at the prompts:

• The location of the replica package you created and transferred from the primary instance. If you have not finished these tasks, see “Preparing to Install a Replica Instance” on page 45.

• The master password for the primary instance, specified at primary installation time.

• The desired setting for offline or online synchronization of data. See “Creating a Replica Package File” on page 46.

8. To begin copying Authentication Manager files, click Install. The installer begins copying files and displays a progress indicator.

9. Click Finish to close the installer.

Unless you clear the checkboxes for opening the Release Notes and Security Console, these will open in your default browser after you click Finish.

10. When prompted by your browser, accept the certificate for the Security Console. As part of the normal installation, the installer creates a certificate authority and uses it to sign the Security Console browser certificate.

11. Continue to “Securing Backup Files” on page 52 to perform important post-installation tasks.

If you encounter any problems installing Authentication Manager, see Appendix A, “Troubleshooting.”
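The multiple-interface note in step 4 can be checked on a Linux host before you confirm the address the installer displays. The following is an added example, not part of the RSA guide: it takes the address the hostname resolves to and the output of `ip -o addr show`, and reports which interface owns that address. The interface names, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: `ip -o addr show` output from a dual-homed host,
# trimmed to the fields this check reads.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.20.0.15/24 brd 10.20.0.255 scope global eth0
3: eth1    inet 192.0.2.40/24 brd 192.0.2.255 scope global eth1
3: eth1    inet6 fe80::1/64 scope link
"""

def interface_addresses(ip_output):
    """Map each interface name to the set of addresses bound to it."""
    table = {}
    for line in ip_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet6?\s+([0-9A-Fa-f:.]+)/\d+", line)
        if m:
            addr = ipaddress.ip_address(m.group(2))
            table.setdefault(m.group(1), set()).add(addr)
    return table

def check_install_address(resolved, intended_if, ip_output):
    """Return (ok, reason) for the address the hostname resolves to."""
    addr = ipaddress.ip_address(resolved)
    if addr.is_loopback:
        return False, f"{addr} is a loopback address"
    owners = [name for name, addrs in interface_addresses(ip_output).items()
              if addr in addrs]
    if not owners:
        return False, f"{addr} is not bound to any local interface"
    if intended_if not in owners:
        return False, f"{addr} belongs to {owners[0]}, not {intended_if}"
    return True, f"{addr} is bound to {intended_if}"

if __name__ == "__main__":
    # On a real host, pass socket.gethostbyname(socket.getfqdn()) and the
    # captured output of `ip -o addr show` instead of the sample values.
    for resolved in ("192.0.2.40", "10.20.0.15", "127.0.0.1"):
        print(resolved, check_install_address(resolved, "eth1", SAMPLE_IP_ADDR))
```

A failed check means the hostname or the `/etc/hosts` entry should be corrected before installation, because the Security Console is bound to the address chosen at this step.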
